Remove bogus assertion.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2013-08-15  Oliver Hunt  <oliver@apple.com>
2
3         Remove bogus assertion.
4
5         RS=Filip Pizlo
6
7         * dfg/DFGAbstractInterpreterInlines.h:
8         (JSC::DFG::::executeEffects):
9
10 2013-08-15  Allan Sandfeld Jensen  <allan.jensen@digia.com>
11
12         REGRESSION(r148790) Made 7 tests fail on x86 32bit
13         https://bugs.webkit.org/show_bug.cgi?id=114913
14
15         Reviewed by Filip Pizlo.
16
17         The X87 register was not freed before some calls. Instead
18         of inserting resetX87Registers to the last call sites,
19         the two X87 registers are now freed in every call.
20
21         * llint/LowLevelInterpreter32_64.asm:
22         * llint/LowLevelInterpreter64.asm:
23         * offlineasm/instructions.rb:
24         * offlineasm/x86.rb:
25
26 2013-08-14  Michael Saboff  <msaboff@apple.com>
27
28         Fixed jit on Win64.
29         https://bugs.webkit.org/show_bug.cgi?id=119601
30
31         Reviewed by Oliver Hunt.
32
33         * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation.
34         * jit/JSInterfaceJIT.h: Added thirdArgumentRegister.
35         * jit/SlowPathCall.h:
36         (JSC::JITSlowPathCall::call): Added correct calling convention for Win64.
37
38 2013-08-14  Alex Christensen  <achristensen@apple.com>
39
40         Compile fix for Win64 with jit disabled.
41         https://bugs.webkit.org/show_bug.cgi?id=119804
42
43         Reviewed by Michael Saboff.
44
45         * offlineasm/cloop.rb: Added std:: before isnan.
46
47 2013-08-14  Julien Brianceau  <jbrianceau@nds.com>
48
49         DFG_JIT implementation for sh4 architecture.
50         https://bugs.webkit.org/show_bug.cgi?id=119737
51
52         Reviewed by Oliver Hunt.
53
54         * assembler/MacroAssemblerSH4.h:
55         (JSC::MacroAssemblerSH4::invert):
56         (JSC::MacroAssemblerSH4::add32):
57         (JSC::MacroAssemblerSH4::and32):
58         (JSC::MacroAssemblerSH4::lshift32):
59         (JSC::MacroAssemblerSH4::mul32):
60         (JSC::MacroAssemblerSH4::or32):
61         (JSC::MacroAssemblerSH4::rshift32):
62         (JSC::MacroAssemblerSH4::sub32):
63         (JSC::MacroAssemblerSH4::xor32):
64         (JSC::MacroAssemblerSH4::store32):
65         (JSC::MacroAssemblerSH4::swapDouble):
66         (JSC::MacroAssemblerSH4::storeDouble):
67         (JSC::MacroAssemblerSH4::subDouble):
68         (JSC::MacroAssemblerSH4::mulDouble):
69         (JSC::MacroAssemblerSH4::divDouble):
70         (JSC::MacroAssemblerSH4::negateDouble):
71         (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
72         (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
73         (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
74         (JSC::MacroAssemblerSH4::swap):
75         (JSC::MacroAssemblerSH4::jump):
76         (JSC::MacroAssemblerSH4::branchNeg32):
77         (JSC::MacroAssemblerSH4::branchAdd32):
78         (JSC::MacroAssemblerSH4::branchMul32):
79         (JSC::MacroAssemblerSH4::urshift32):
80         * assembler/SH4Assembler.h:
81         (JSC::SH4Assembler::SH4Assembler):
82         (JSC::SH4Assembler::labelForWatchpoint):
83         (JSC::SH4Assembler::label):
84         (JSC::SH4Assembler::debugOffset):
85         * dfg/DFGAssemblyHelpers.h:
86         (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
87         (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
88         (JSC::DFG::AssemblyHelpers::debugCall):
89         * dfg/DFGCCallHelpers.h:
90         (JSC::DFG::CCallHelpers::setupArguments):
91         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
92         * dfg/DFGFPRInfo.h:
93         (JSC::DFG::FPRInfo::toRegister):
94         (JSC::DFG::FPRInfo::toIndex):
95         (JSC::DFG::FPRInfo::debugName):
96         * dfg/DFGGPRInfo.h:
97         (JSC::DFG::GPRInfo::toRegister):
98         (JSC::DFG::GPRInfo::toIndex):
99         (JSC::DFG::GPRInfo::debugName):
100         * dfg/DFGOperations.cpp:
101         * dfg/DFGSpeculativeJIT.h:
102         (JSC::DFG::SpeculativeJIT::callOperation):
103         * jit/JITStubs.h:
104         * jit/JITStubsSH4.h:
105
106 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
107
108         Unreviewed, fix build.
109
110         * API/JSValue.mm:
111         (isDate):
112         (isArray):
113         * API/JSWrapperMap.mm:
114         (tryUnwrapObjcObject):
115         * API/ObjCCallbackFunction.mm:
116         (tryUnwrapBlock):
117
118 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
119
120         Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
121         https://bugs.webkit.org/show_bug.cgi?id=119770
122
123         Reviewed by Mark Hahnenberg.
124
125         * API/JSCallbackConstructor.cpp:
126         (JSC::JSCallbackConstructor::finishCreation):
127         * API/JSCallbackConstructor.h:
128         (JSC::JSCallbackConstructor::createStructure):
129         * API/JSCallbackFunction.cpp:
130         (JSC::JSCallbackFunction::finishCreation):
131         * API/JSCallbackFunction.h:
132         (JSC::JSCallbackFunction::createStructure):
133         * API/JSCallbackObject.cpp:
134         (JSC::::createStructure):
135         * API/JSCallbackObject.h:
136         (JSC::JSCallbackObject::visitChildren):
137         * API/JSCallbackObjectFunctions.h:
138         (JSC::::asCallbackObject):
139         (JSC::::finishCreation):
140         * API/JSObjectRef.cpp:
141         (JSObjectGetPrivate):
142         (JSObjectSetPrivate):
143         (JSObjectGetPrivateProperty):
144         (JSObjectSetPrivateProperty):
145         (JSObjectDeletePrivateProperty):
146         * API/JSValueRef.cpp:
147         (JSValueIsObjectOfClass):
148         * API/JSWeakObjectMapRefPrivate.cpp:
149         * API/ObjCCallbackFunction.h:
150         (JSC::ObjCCallbackFunction::createStructure):
151         * JSCTypedArrayStubs.h:
152         * bytecode/CallLinkStatus.cpp:
153         (JSC::CallLinkStatus::CallLinkStatus):
154         (JSC::CallLinkStatus::function):
155         (JSC::CallLinkStatus::internalFunction):
156         * bytecode/CodeBlock.h:
157         (JSC::baselineCodeBlockForInlineCallFrame):
158         * bytecode/SpeculatedType.cpp:
159         (JSC::speculationFromClassInfo):
160         * bytecode/UnlinkedCodeBlock.cpp:
161         (JSC::UnlinkedFunctionExecutable::visitChildren):
162         (JSC::UnlinkedCodeBlock::visitChildren):
163         (JSC::UnlinkedProgramCodeBlock::visitChildren):
164         * bytecode/UnlinkedCodeBlock.h:
165         (JSC::UnlinkedFunctionExecutable::createStructure):
166         (JSC::UnlinkedProgramCodeBlock::createStructure):
167         (JSC::UnlinkedEvalCodeBlock::createStructure):
168         (JSC::UnlinkedFunctionCodeBlock::createStructure):
169         * debugger/Debugger.cpp:
170         * debugger/DebuggerActivation.cpp:
171         (JSC::DebuggerActivation::visitChildren):
172         * debugger/DebuggerActivation.h:
173         (JSC::DebuggerActivation::createStructure):
174         * debugger/DebuggerCallFrame.cpp:
175         (JSC::DebuggerCallFrame::functionName):
176         * dfg/DFGAbstractInterpreterInlines.h:
177         (JSC::DFG::::executeEffects):
178         * dfg/DFGByteCodeParser.cpp:
179         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
180         (JSC::DFG::ByteCodeParser::parseBlock):
181         * dfg/DFGFixupPhase.cpp:
182         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
183         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
184         * dfg/DFGGraph.cpp:
185         (JSC::DFG::Graph::dump):
186         * dfg/DFGGraph.h:
187         (JSC::DFG::Graph::isInternalFunctionConstant):
188         * dfg/DFGOperations.cpp:
189         * dfg/DFGSpeculativeJIT.cpp:
190         (JSC::DFG::SpeculativeJIT::checkArray):
191         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
192         * dfg/DFGThunks.cpp:
193         (JSC::DFG::virtualForThunkGenerator):
194         * interpreter/Interpreter.cpp:
195         (JSC::loadVarargs):
196         * jsc.cpp:
197         (GlobalObject::createStructure):
198         * profiler/LegacyProfiler.cpp:
199         (JSC::LegacyProfiler::createCallIdentifier):
200         * runtime/Arguments.cpp:
201         (JSC::Arguments::visitChildren):
202         * runtime/Arguments.h:
203         (JSC::Arguments::createStructure):
204         (JSC::asArguments):
205         (JSC::Arguments::finishCreation):
206         * runtime/ArrayConstructor.cpp:
207         (JSC::arrayConstructorIsArray):
208         * runtime/ArrayConstructor.h:
209         (JSC::ArrayConstructor::createStructure):
210         * runtime/ArrayPrototype.cpp:
211         (JSC::ArrayPrototype::finishCreation):
212         (JSC::arrayProtoFuncConcat):
213         (JSC::attemptFastSort):
214         * runtime/ArrayPrototype.h:
215         (JSC::ArrayPrototype::createStructure):
216         * runtime/BooleanConstructor.h:
217         (JSC::BooleanConstructor::createStructure):
218         * runtime/BooleanObject.cpp:
219         (JSC::BooleanObject::finishCreation):
220         * runtime/BooleanObject.h:
221         (JSC::BooleanObject::createStructure):
222         (JSC::asBooleanObject):
223         * runtime/BooleanPrototype.cpp:
224         (JSC::BooleanPrototype::finishCreation):
225         (JSC::booleanProtoFuncToString):
226         (JSC::booleanProtoFuncValueOf):
227         * runtime/BooleanPrototype.h:
228         (JSC::BooleanPrototype::createStructure):
229         * runtime/DateConstructor.cpp:
230         (JSC::constructDate):
231         * runtime/DateConstructor.h:
232         (JSC::DateConstructor::createStructure):
233         * runtime/DateInstance.cpp:
234         (JSC::DateInstance::finishCreation):
235         * runtime/DateInstance.h:
236         (JSC::DateInstance::createStructure):
237         (JSC::asDateInstance):
238         * runtime/DatePrototype.cpp:
239         (JSC::formateDateInstance):
240         (JSC::DatePrototype::finishCreation):
241         (JSC::dateProtoFuncToISOString):
242         (JSC::dateProtoFuncToLocaleString):
243         (JSC::dateProtoFuncToLocaleDateString):
244         (JSC::dateProtoFuncToLocaleTimeString):
245         (JSC::dateProtoFuncGetTime):
246         (JSC::dateProtoFuncGetFullYear):
247         (JSC::dateProtoFuncGetUTCFullYear):
248         (JSC::dateProtoFuncGetMonth):
249         (JSC::dateProtoFuncGetUTCMonth):
250         (JSC::dateProtoFuncGetDate):
251         (JSC::dateProtoFuncGetUTCDate):
252         (JSC::dateProtoFuncGetDay):
253         (JSC::dateProtoFuncGetUTCDay):
254         (JSC::dateProtoFuncGetHours):
255         (JSC::dateProtoFuncGetUTCHours):
256         (JSC::dateProtoFuncGetMinutes):
257         (JSC::dateProtoFuncGetUTCMinutes):
258         (JSC::dateProtoFuncGetSeconds):
259         (JSC::dateProtoFuncGetUTCSeconds):
260         (JSC::dateProtoFuncGetMilliSeconds):
261         (JSC::dateProtoFuncGetUTCMilliseconds):
262         (JSC::dateProtoFuncGetTimezoneOffset):
263         (JSC::dateProtoFuncSetTime):
264         (JSC::setNewValueFromTimeArgs):
265         (JSC::setNewValueFromDateArgs):
266         (JSC::dateProtoFuncSetYear):
267         (JSC::dateProtoFuncGetYear):
268         * runtime/DatePrototype.h:
269         (JSC::DatePrototype::createStructure):
270         * runtime/Error.h:
271         (JSC::StrictModeTypeErrorFunction::createStructure):
272         * runtime/ErrorConstructor.h:
273         (JSC::ErrorConstructor::createStructure):
274         * runtime/ErrorInstance.cpp:
275         (JSC::ErrorInstance::finishCreation):
276         * runtime/ErrorInstance.h:
277         (JSC::ErrorInstance::createStructure):
278         * runtime/ErrorPrototype.cpp:
279         (JSC::ErrorPrototype::finishCreation):
280         * runtime/ErrorPrototype.h:
281         (JSC::ErrorPrototype::createStructure):
282         * runtime/ExceptionHelpers.cpp:
283         (JSC::isTerminatedExecutionException):
284         * runtime/ExceptionHelpers.h:
285         (JSC::TerminatedExecutionError::createStructure):
286         * runtime/Executable.cpp:
287         (JSC::EvalExecutable::visitChildren):
288         (JSC::ProgramExecutable::visitChildren):
289         (JSC::FunctionExecutable::visitChildren):
290         (JSC::ExecutableBase::hashFor):
291         * runtime/Executable.h:
292         (JSC::ExecutableBase::createStructure):
293         (JSC::NativeExecutable::createStructure):
294         (JSC::EvalExecutable::createStructure):
295         (JSC::ProgramExecutable::createStructure):
296         (JSC::FunctionExecutable::compileFor):
297         (JSC::FunctionExecutable::compileOptimizedFor):
298         (JSC::FunctionExecutable::createStructure):
299         * runtime/FunctionConstructor.h:
300         (JSC::FunctionConstructor::createStructure):
301         * runtime/FunctionPrototype.cpp:
302         (JSC::functionProtoFuncToString):
303         (JSC::functionProtoFuncApply):
304         (JSC::functionProtoFuncBind):
305         * runtime/FunctionPrototype.h:
306         (JSC::FunctionPrototype::createStructure):
307         * runtime/GetterSetter.cpp:
308         (JSC::GetterSetter::visitChildren):
309         * runtime/GetterSetter.h:
310         (JSC::GetterSetter::createStructure):
311         * runtime/InternalFunction.cpp:
312         (JSC::InternalFunction::finishCreation):
313         * runtime/InternalFunction.h:
314         (JSC::InternalFunction::createStructure):
315         (JSC::asInternalFunction):
316         * runtime/JSAPIValueWrapper.h:
317         (JSC::JSAPIValueWrapper::createStructure):
318         * runtime/JSActivation.cpp:
319         (JSC::JSActivation::visitChildren):
320         (JSC::JSActivation::argumentsGetter):
321         * runtime/JSActivation.h:
322         (JSC::JSActivation::createStructure):
323         (JSC::asActivation):
324         * runtime/JSArray.h:
325         (JSC::JSArray::createStructure):
326         (JSC::asArray):
327         (JSC::isJSArray):
328         * runtime/JSBoundFunction.cpp:
329         (JSC::JSBoundFunction::finishCreation):
330         (JSC::JSBoundFunction::visitChildren):
331         * runtime/JSBoundFunction.h:
332         (JSC::JSBoundFunction::createStructure):
333         * runtime/JSCJSValue.cpp:
334         (JSC::JSValue::dumpInContext):
335         * runtime/JSCJSValueInlines.h:
336         (JSC::JSValue::isFunction):
337         * runtime/JSCell.h:
338         (JSC::jsCast):
339         (JSC::jsDynamicCast):
340         * runtime/JSCellInlines.h:
341         (JSC::allocateCell):
342         * runtime/JSFunction.cpp:
343         (JSC::JSFunction::finishCreation):
344         (JSC::JSFunction::visitChildren):
345         (JSC::skipOverBoundFunctions):
346         (JSC::JSFunction::callerGetter):
347         * runtime/JSFunction.h:
348         (JSC::JSFunction::createStructure):
349         * runtime/JSGlobalObject.cpp:
350         (JSC::JSGlobalObject::visitChildren):
351         (JSC::slowValidateCell):
352         * runtime/JSGlobalObject.h:
353         (JSC::JSGlobalObject::createStructure):
354         * runtime/JSNameScope.cpp:
355         (JSC::JSNameScope::visitChildren):
356         * runtime/JSNameScope.h:
357         (JSC::JSNameScope::createStructure):
358         * runtime/JSNotAnObject.h:
359         (JSC::JSNotAnObject::createStructure):
360         * runtime/JSONObject.cpp:
361         (JSC::JSONObject::finishCreation):
362         (JSC::unwrapBoxedPrimitive):
363         (JSC::Stringifier::Stringifier):
364         (JSC::Stringifier::appendStringifiedValue):
365         (JSC::Stringifier::Holder::Holder):
366         (JSC::Walker::walk):
367         (JSC::JSONProtoFuncStringify):
368         * runtime/JSONObject.h:
369         (JSC::JSONObject::createStructure):
370         * runtime/JSObject.cpp:
371         (JSC::getCallableObjectSlow):
372         (JSC::JSObject::visitChildren):
373         (JSC::JSObject::copyBackingStore):
374         (JSC::JSFinalObject::visitChildren):
375         (JSC::JSObject::ensureInt32Slow):
376         (JSC::JSObject::ensureDoubleSlow):
377         (JSC::JSObject::ensureContiguousSlow):
378         (JSC::JSObject::ensureArrayStorageSlow):
379         * runtime/JSObject.h:
380         (JSC::JSObject::finishCreation):
381         (JSC::JSObject::createStructure):
382         (JSC::JSNonFinalObject::createStructure):
383         (JSC::JSFinalObject::createStructure):
384         (JSC::isJSFinalObject):
385         * runtime/JSPropertyNameIterator.cpp:
386         (JSC::JSPropertyNameIterator::visitChildren):
387         * runtime/JSPropertyNameIterator.h:
388         (JSC::JSPropertyNameIterator::createStructure):
389         * runtime/JSProxy.cpp:
390         (JSC::JSProxy::visitChildren):
391         * runtime/JSProxy.h:
392         (JSC::JSProxy::createStructure):
393         * runtime/JSScope.cpp:
394         (JSC::JSScope::visitChildren):
395         * runtime/JSSegmentedVariableObject.cpp:
396         (JSC::JSSegmentedVariableObject::visitChildren):
397         * runtime/JSString.h:
398         (JSC::JSString::createStructure):
399         (JSC::isJSString):
400         * runtime/JSSymbolTableObject.cpp:
401         (JSC::JSSymbolTableObject::visitChildren):
402         * runtime/JSVariableObject.h:
403         * runtime/JSWithScope.cpp:
404         (JSC::JSWithScope::visitChildren):
405         * runtime/JSWithScope.h:
406         (JSC::JSWithScope::createStructure):
407         * runtime/JSWrapperObject.cpp:
408         (JSC::JSWrapperObject::visitChildren):
409         * runtime/JSWrapperObject.h:
410         (JSC::JSWrapperObject::createStructure):
411         * runtime/MathObject.cpp:
412         (JSC::MathObject::finishCreation):
413         * runtime/MathObject.h:
414         (JSC::MathObject::createStructure):
415         * runtime/NameConstructor.h:
416         (JSC::NameConstructor::createStructure):
417         * runtime/NameInstance.h:
418         (JSC::NameInstance::createStructure):
419         (JSC::NameInstance::finishCreation):
420         * runtime/NamePrototype.cpp:
421         (JSC::NamePrototype::finishCreation):
422         (JSC::privateNameProtoFuncToString):
423         * runtime/NamePrototype.h:
424         (JSC::NamePrototype::createStructure):
425         * runtime/NativeErrorConstructor.cpp:
426         (JSC::NativeErrorConstructor::visitChildren):
427         * runtime/NativeErrorConstructor.h:
428         (JSC::NativeErrorConstructor::createStructure):
429         (JSC::NativeErrorConstructor::finishCreation):
430         * runtime/NumberConstructor.cpp:
431         (JSC::NumberConstructor::finishCreation):
432         * runtime/NumberConstructor.h:
433         (JSC::NumberConstructor::createStructure):
434         * runtime/NumberObject.cpp:
435         (JSC::NumberObject::finishCreation):
436         * runtime/NumberObject.h:
437         (JSC::NumberObject::createStructure):
438         * runtime/NumberPrototype.cpp:
439         (JSC::NumberPrototype::finishCreation):
440         * runtime/NumberPrototype.h:
441         (JSC::NumberPrototype::createStructure):
442         * runtime/ObjectConstructor.h:
443         (JSC::ObjectConstructor::createStructure):
444         * runtime/ObjectPrototype.cpp:
445         (JSC::ObjectPrototype::finishCreation):
446         * runtime/ObjectPrototype.h:
447         (JSC::ObjectPrototype::createStructure):
448         * runtime/PropertyMapHashTable.h:
449         (JSC::PropertyTable::createStructure):
450         * runtime/PropertyTable.cpp:
451         (JSC::PropertyTable::visitChildren):
452         * runtime/RegExp.h:
453         (JSC::RegExp::createStructure):
454         * runtime/RegExpConstructor.cpp:
455         (JSC::RegExpConstructor::finishCreation):
456         (JSC::RegExpConstructor::visitChildren):
457         (JSC::constructRegExp):
458         * runtime/RegExpConstructor.h:
459         (JSC::RegExpConstructor::createStructure):
460         (JSC::asRegExpConstructor):
461         * runtime/RegExpMatchesArray.cpp:
462         (JSC::RegExpMatchesArray::visitChildren):
463         * runtime/RegExpMatchesArray.h:
464         (JSC::RegExpMatchesArray::createStructure):
465         * runtime/RegExpObject.cpp:
466         (JSC::RegExpObject::finishCreation):
467         (JSC::RegExpObject::visitChildren):
468         * runtime/RegExpObject.h:
469         (JSC::RegExpObject::createStructure):
470         (JSC::asRegExpObject):
471         * runtime/RegExpPrototype.cpp:
472         (JSC::regExpProtoFuncTest):
473         (JSC::regExpProtoFuncExec):
474         (JSC::regExpProtoFuncCompile):
475         (JSC::regExpProtoFuncToString):
476         * runtime/RegExpPrototype.h:
477         (JSC::RegExpPrototype::createStructure):
478         * runtime/SparseArrayValueMap.cpp:
479         (JSC::SparseArrayValueMap::createStructure):
480         * runtime/SparseArrayValueMap.h:
481         * runtime/StrictEvalActivation.h:
482         (JSC::StrictEvalActivation::createStructure):
483         * runtime/StringConstructor.h:
484         (JSC::StringConstructor::createStructure):
485         * runtime/StringObject.cpp:
486         (JSC::StringObject::finishCreation):
487         * runtime/StringObject.h:
488         (JSC::StringObject::createStructure):
489         (JSC::asStringObject):
490         * runtime/StringPrototype.cpp:
491         (JSC::StringPrototype::finishCreation):
492         (JSC::stringProtoFuncReplace):
493         (JSC::stringProtoFuncToString):
494         (JSC::stringProtoFuncMatch):
495         (JSC::stringProtoFuncSearch):
496         (JSC::stringProtoFuncSplit):
497         * runtime/StringPrototype.h:
498         (JSC::StringPrototype::createStructure):
499         * runtime/Structure.cpp:
500         (JSC::Structure::Structure):
501         (JSC::Structure::materializePropertyMap):
502         (JSC::Structure::get):
503         (JSC::Structure::visitChildren):
504         * runtime/Structure.h:
505         (JSC::Structure::typeInfo):
506         (JSC::Structure::previousID):
507         (JSC::Structure::outOfLineSize):
508         (JSC::Structure::totalStorageCapacity):
509         (JSC::Structure::materializePropertyMapIfNecessary):
510         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
511         * runtime/StructureChain.cpp:
512         (JSC::StructureChain::visitChildren):
513         * runtime/StructureChain.h:
514         (JSC::StructureChain::createStructure):
515         * runtime/StructureInlines.h:
516         (JSC::Structure::get):
517         * runtime/StructureRareData.cpp:
518         (JSC::StructureRareData::createStructure):
519         (JSC::StructureRareData::visitChildren):
520         * runtime/StructureRareData.h:
521         * runtime/SymbolTable.h:
522         (JSC::SharedSymbolTable::createStructure):
523         * runtime/VM.cpp:
524         (JSC::VM::VM):
525         (JSC::StackPreservingRecompiler::operator()):
526         (JSC::VM::releaseExecutableMemory):
527         * runtime/WriteBarrier.h:
528         (JSC::validateCell):
529         * testRegExp.cpp:
530         (GlobalObject::createStructure):
531
532 2013-08-13  Arunprasad Rajkumar  <arurajku@cisco.com>
533
534         [WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places
535         https://bugs.webkit.org/show_bug.cgi?id=119762
536
537         Reviewed by Geoffrey Garen.
538
539         * heap/Heap.cpp:
540         (JSC::Heap::Heap):
541         (JSC::Heap::markRoots):
542         (JSC::Heap::collect):
543         * jsc.cpp:
544         (StopWatch::start):
545         (StopWatch::stop):
546         * testRegExp.cpp:
547         (StopWatch::start):
548         (StopWatch::stop):
549
550 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
551
552         [sh4] Prepare LLINT for DFG_JIT implementation.
553         https://bugs.webkit.org/show_bug.cgi?id=119755
554
555         Reviewed by Oliver Hunt.
556
557         * LLIntOffsetsExtractor.pro: Add sh4.rb dependency.
558         * offlineasm/sh4.rb:
559             - Handle storeb opcode.
560             - Make relative jumps when possible using braf opcode.
561             - Update bmulio implementation to be consistent with baseline JIT.
562             - Remove useless code from leap opcode.
563             - Fix incorrect comment.
564
565 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
566
567         [sh4] Prepare baseline JIT for DFG_JIT implementation.
568         https://bugs.webkit.org/show_bug.cgi?id=119758
569
570         Reviewed by Oliver Hunt.
571
572         * assembler/MacroAssemblerSH4.h:
573             - Introduce a loadEffectiveAddress function to avoid code duplication.
574             - Add ASSERTs and clean code.
575         * assembler/SH4Assembler.h:
576             - Prepare DFG_JIT implementation.
577             - Add ASSERTs.
578         * jit/JITStubs.cpp:
579             - Add SH4 specific call for assertions.
580         * jit/JITStubs.h:
581             - Cosmetic change.
582         * jit/JITStubsSH4.h:
583             - Use constants to be more flexible with sh4 JIT stack frame.
584         * jit/JSInterfaceJIT.h:
585             - Cosmetic change.
586
587 2013-08-13  Oliver Hunt  <oliver@apple.com>
588
589         Harden executeConstruct against incorrect return types from host functions
590         https://bugs.webkit.org/show_bug.cgi?id=119757
591
592         Reviewed by Mark Hahnenberg.
593
594         Add logic to guard against bogus return types.  There doesn't seem to be any
595         class in webkit that does this wrong, but the typed array stubs in debug JSC
596         do exhibit this bad behaviour.
597
598         * interpreter/Interpreter.cpp:
599         (JSC::Interpreter::executeConstruct):
600
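The hardening described in the entry above, as an added illustration (not JavaScriptCore code): a VM-side construct path must check the runtime type of whatever a host constructor hands back before treating it as an object. The `Value`, `Object`, `HostConstruct`, `constructUnchecked` and `constructChecked` names are hypothetical stand-ins for an engine's tagged value and embedder callback, and the two sample constructors are constructed for the demonstration.

```cpp
// Added illustration (not JavaScriptCore code): why a VM must validate the
// value a host constructor returns before treating it as an object.
#include <stdexcept>
#include <string>

// Hypothetical heap object, a stand-in for an engine's JSObject.
struct Object { std::string className; };

// Hypothetical tagged value, a stand-in for an engine's JSValue.
struct Value {
    enum class Kind { Undefined, Number, ObjectRef } kind = Kind::Undefined;
    double number = 0;
    Object* object = nullptr;

    static Value fromNumber(double d) { Value v; v.kind = Kind::Number; v.number = d; return v; }
    static Value fromObject(Object* o) { Value v; v.kind = Kind::ObjectRef; v.object = o; return v; }
    bool isObject() const { return kind == Kind::ObjectRef && object != nullptr; }
};

// Hypothetical host-constructor callback, analogous to an embedder-supplied
// "construct" hook. The VM has no control over what it returns.
using HostConstruct = Value (*)(double arg);

// Unsafe pattern: trusts the callback and uses the result as an object.
// A callback that returns a primitive yields a null or meaningless pointer.
Object* constructUnchecked(HostConstruct ctor, double arg)
{
    Value result = ctor(arg);
    return result.object;
}

// Hardened pattern: verify the returned value really is an object before
// using it as one, and surface a TypeError to the caller otherwise.
Object* constructChecked(HostConstruct ctor, double arg)
{
    Value result = ctor(arg);
    if (!result.isObject())
        throw std::runtime_error("TypeError: host constructor did not return an object");
    return result.object;
}

// Constructed sample: a well-behaved host constructor returns an object.
static Object g_wellBehavedInstance{"Point"};
Value wellBehavedCtor(double) { return Value::fromObject(&g_wellBehavedInstance); }

// Constructed sample: a misbehaving host constructor returns a primitive,
// the kind of incorrect return type a construct path must guard against.
Value bogusCtor(double arg) { return Value::fromNumber(arg * 2); }

// Reports whether the checked path rejected the constructor's result.
bool checkedConstructRejects(HostConstruct ctor)
{
    try {
        constructChecked(ctor, 21);
        return false;
    } catch (const std::runtime_error&) {
        return true;
    }
}
```

The point of the check is that the embedder's return value is untrusted input to the engine: a debug-only assertion documents the contract, but only a runtime check keeps a misbehaving host from handing a non-object to code that will dereference it.
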
601 2013-08-13  Allan Sandfeld Jensen  <allan.jensen@digia.com>
602
603         [Qt] Fix C++11 build with gcc 4.4 and 4.5
604         https://bugs.webkit.org/show_bug.cgi?id=119736
605
606         Reviewed by Anders Carlsson.
607
608         Don't force C++11 mode off anymore.
609
610         * Target.pri:
611
612 2013-08-12  Oliver Hunt  <oliver@apple.com>
613
614         Remove CodeBlock's notion of adding identifiers entirely
615         https://bugs.webkit.org/show_bug.cgi?id=119708
616
617         Reviewed by Geoffrey Garen.
618
619         Remove addAdditionalIdentifier entirely, including the bogus assertion.
620         Move the addition of identifiers to DFGPlan::reallyAdd
621
622         * bytecode/CodeBlock.h:
623         * dfg/DFGDesiredIdentifiers.cpp:
624         (JSC::DFG::DesiredIdentifiers::reallyAdd):
625         * dfg/DFGDesiredIdentifiers.h:
626         * dfg/DFGPlan.cpp:
627         (JSC::DFG::Plan::reallyAdd):
628         (JSC::DFG::Plan::finalize):
629         * dfg/DFGPlan.h:
630
631 2013-08-12  Oliver Hunt  <oliver@apple.com>
632
633         Build fix
634
635         * runtime/JSCell.h:
636
637 2013-08-12  Oliver Hunt  <oliver@apple.com>
638
639         Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them
640         https://bugs.webkit.org/show_bug.cgi?id=119705
641
642         Reviewed by Geoffrey Garen.
643
644         Relatively trivial refactoring
645
646         * bytecode/CodeBlock.h:
647         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
648         (JSC::CodeBlock::addAdditionalIdentifier):
649         (JSC::CodeBlock::identifier):
650         (JSC::CodeBlock::numberOfIdentifiers):
651         * dfg/DFGCommonData.h:
652
653 2013-08-12  Oliver Hunt  <oliver@apple.com>
654
655         Stop making unnecessary copy of CodeBlock Identifier Vector
656         https://bugs.webkit.org/show_bug.cgi?id=119702
657
658         Reviewed by Michael Saboff.
659
660         Make CodeBlock simply use a separate Vector for additional Identifiers
661         and use the UnlinkedCodeBlock for the initial set of identifiers.
662
663         * bytecode/CodeBlock.cpp:
664         (JSC::CodeBlock::printGetByIdOp):
665         (JSC::dumpStructure):
666         (JSC::dumpChain):
667         (JSC::CodeBlock::printGetByIdCacheStatus):
668         (JSC::CodeBlock::printPutByIdOp):
669         (JSC::CodeBlock::dumpBytecode):
670         (JSC::CodeBlock::CodeBlock):
671         (JSC::CodeBlock::shrinkToFit):
672         * bytecode/CodeBlock.h:
673         (JSC::CodeBlock::numberOfIdentifiers):
674         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
675         (JSC::CodeBlock::addAdditionalIdentifier):
676         (JSC::CodeBlock::identifier):
677         * dfg/DFGDesiredIdentifiers.cpp:
678         (JSC::DFG::DesiredIdentifiers::reallyAdd):
679         * jit/JIT.h:
680         * jit/JITOpcodes.cpp:
681         (JSC::JIT::emitSlow_op_get_arguments_length):
682         * jit/JITPropertyAccess.cpp:
683         (JSC::JIT::emit_op_get_by_id):
684         (JSC::JIT::compileGetByIdHotPath):
685         (JSC::JIT::emitSlow_op_get_by_id):
686         (JSC::JIT::compileGetByIdSlowCase):
687         (JSC::JIT::emitSlow_op_put_by_id):
688         * jit/JITPropertyAccess32_64.cpp:
689         (JSC::JIT::emit_op_get_by_id):
690         (JSC::JIT::compileGetByIdHotPath):
691         (JSC::JIT::compileGetByIdSlowCase):
692         * jit/JITStubs.cpp:
693         (JSC::DEFINE_STUB_FUNCTION):
694         * llint/LLIntSlowPaths.cpp:
695         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
696
697 2013-08-08  Mark Lam  <mark.lam@apple.com>
698
699         Restoring use of StackIterator instead of Interpreter::getStacktrace().
700         https://bugs.webkit.org/show_bug.cgi?id=119575.
701
702         Reviewed by Oliver Hunt.
703
704         * interpreter/Interpreter.h:
705         - Made getStackTrace() private.
706         * interpreter/StackIterator.cpp:
707         (JSC::StackIterator::StackIterator):
708         (JSC::StackIterator::numberOfFrames):
709         - Computes the number of frames by iterating through the whole stack
710           from the starting frame. The iterator will save its current frame
711           position before counting the frames, and then restore it after
712           the counting.
713         (JSC::StackIterator::gotoFrameAtIndex):
714         (JSC::StackIterator::gotoNextFrame):
715         (JSC::StackIterator::resetIterator):
716         - Points the iterator to the starting frame.
717         * interpreter/StackIteratorPrivate.h:
718
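The save-count-restore behaviour of `numberOfFrames()` described in the entry above, as an added illustration (not JavaScriptCore code): a minimal iterator over a linked list of call frames whose frame count walks the whole stack from the starting frame without disturbing the caller's current position. `Frame`, `sampleStack` and `countingPreservesPosition` are hypothetical names constructed for this example, and the three-frame stack is sample data.

```cpp
// Added illustration (not JavaScriptCore code): a stack iterator whose
// numberOfFrames() walks every frame from the starting frame but leaves
// the iterator's current position where it was.
#include <cstddef>
#include <cstring>

// Hypothetical call frame: a singly linked list from callee to caller.
struct Frame {
    const char* functionName;
    Frame* callerFrame;
};

class StackIterator {
public:
    explicit StackIterator(Frame* startFrame)
        : m_startFrame(startFrame), m_frame(startFrame) {}

    Frame* current() const { return m_frame; }
    bool atEnd() const { return m_frame == nullptr; }

    // Points the iterator back at the starting frame.
    void resetIterator() { m_frame = m_startFrame; }

    void gotoNextFrame()
    {
        if (m_frame)
            m_frame = m_frame->callerFrame;
    }

    // Walks from the starting frame to frame #index (0 = starting frame).
    void gotoFrameAtIndex(size_t index)
    {
        resetIterator();
        for (size_t i = 0; i < index && m_frame; ++i)
            gotoNextFrame();
    }

    // Counts every frame reachable from the starting frame. The current
    // position is saved first and restored afterwards, so a caller can ask
    // for the count mid-walk without losing its place.
    size_t numberOfFrames()
    {
        Frame* savedFrame = m_frame;
        size_t count = 0;
        for (resetIterator(); !atEnd(); gotoNextFrame())
            ++count;
        m_frame = savedFrame;
        return count;
    }

private:
    Frame* m_startFrame;
    Frame* m_frame;
};

// Constructed sample stack: main -> outer -> inner ("inner" is the top frame).
inline Frame* sampleStack()
{
    static Frame mainFrame{"main", nullptr};
    static Frame outerFrame{"outer", &mainFrame};
    static Frame innerFrame{"inner", &outerFrame};
    return &innerFrame;
}

// Demonstrates the invariant: counting frames does not move the iterator.
inline bool countingPreservesPosition()
{
    StackIterator it(sampleStack());
    it.gotoFrameAtIndex(1);            // now positioned at "outer"
    Frame* before = it.current();
    size_t n = it.numberOfFrames();    // walks all three frames
    return n == 3 && it.current() == before
        && std::strcmp(before->functionName, "outer") == 0;
}
```

Restoring the position matters because the count is a query, not a navigation step: code that interleaves `numberOfFrames()` with `gotoNextFrame()` would otherwise silently skip or repeat frames.
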
719 2013-08-08  Mark Lam  <mark.lam@apple.com>
720
721         Moved ErrorConstructor and NativeErrorConstructor helper functions into
722         the Interpreter class.
723         https://bugs.webkit.org/show_bug.cgi?id=119576.
724
725         Reviewed by Oliver Hunt.
726
727         This change is needed to prepare for making Interpreter::getStackTrace()
728         private. It does not change the behavior of the code, only the lexical
729         scoping.
730
731         * interpreter/Interpreter.h:
732         - Added helper functions for ErrorConstructor and NativeErrorConstructor.
733         * runtime/ErrorConstructor.cpp:
734         (JSC::Interpreter::constructWithErrorConstructor):
735         (JSC::ErrorConstructor::getConstructData):
736         (JSC::Interpreter::callErrorConstructor):
737         (JSC::ErrorConstructor::getCallData):
738         - Don't want ErrorConstructor to call Interpreter::getStackTrace()
739           directly. So, we moved the helper functions into the Interpreter
740           class.
741         * runtime/NativeErrorConstructor.cpp:
742         (JSC::Interpreter::constructWithNativeErrorConstructor):
743         (JSC::NativeErrorConstructor::getConstructData):
744         (JSC::Interpreter::callNativeErrorConstructor):
745         (JSC::NativeErrorConstructor::getCallData):
746         - Don't want NativeErrorConstructor to call Interpreter::getStackTrace()
747           directly. So, we moved the helper functions into the Interpreter
748           class.
749
750 2013-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>
751
752         32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state
753         https://bugs.webkit.org/show_bug.cgi?id=119555
754
755         Reviewed by Geoffrey Garen.
756
757         It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does.
758         This was causing crashes on maps.google.com in 32-bit debug builds.
759
760         * dfg/DFGSpeculativeJIT32_64.cpp:
761         (JSC::DFG::SpeculativeJIT::compile):
762
763 2013-08-06  Michael Saboff  <msaboff@apple.com>
764
765         REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT
766         https://bugs.webkit.org/show_bug.cgi?id=119405
767
768         Reviewed by Geoffrey Garen.
769
770         * dfg/DFGSpeculativeJIT.cpp:
771         (JSC::DFG::SpeculativeJIT::compileGetByValOnString): For X86 32 bit, construct an indexed address
772         ourselves to save a register and then load from it.
773
774 2013-08-06  Filip Pizlo  <fpizlo@apple.com>
775
776         DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants
777         https://bugs.webkit.org/show_bug.cgi?id=119528
778
779         Reviewed by Geoffrey Garen.
780
781         Either of the two fixes would solve the crash I saw. Basically, for best performance, we want the DFG register allocator to track double uses and non-double
782         uses of a node separately, and we accomplish this by inserting Int32ToDouble nodes in the FixupPhase. But even if FixupPhase fails to do this, we still want
783         the DFG register allocator to do the right thing: if it encounters a double use of an integer, it should perform a conversion and preserve the original
784         format of the value (namely, that it was an integer). For constants, the best format to preserve is None, so that future integer uses rematerialize the int
785         from scratch. This only affects the 64-bit backend; the 32-bit backend was already doing the right thing.
786
787         This also fixes some more debug dumping code, and adds some stronger assertions for integer arrays.
788
789         * bytecode/CodeBlock.cpp:
790         (JSC::CodeBlock::finalizeUnconditionally):
791         * dfg/DFGDriver.cpp:
792         (JSC::DFG::compile):
793         * dfg/DFGFixupPhase.cpp:
794         (JSC::DFG::FixupPhase::fixupNode):
795         * dfg/DFGGraph.cpp:
796         (JSC::DFG::Graph::dump):
797         * dfg/DFGSpeculativeJIT64.cpp:
798         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
799         * runtime/JSObject.h:
800         (JSC::JSObject::getIndexQuickly):
801         (JSC::JSObject::tryGetIndexQuickly):
802
803 2013-08-08  Stephanie Lewis  <slewis@apple.com>
804
805         <rdar://problem/14680524> REGRESSION(153806): Crash @ yahoo.com when WebKit is built with a .order file
806
807         Unreviewed.
808
809         Ensure llint symbols are in source order.
810
811         * JavaScriptCore.order:
812
813 2013-08-06  Mark Lam  <mark.lam@apple.com>
814
815         Assertion failure in emitExpressionInfo when reloading with Web Inspector open.
816         https://bugs.webkit.org/show_bug.cgi?id=119532.
817
818         Reviewed by Oliver Hunt.
819
820         * parser/Parser.cpp:
821         (JSC::::Parser):
822         - Just need to initialize the Parser's JSTokenLocation's initial line and
823           startOffset as well during Parser construction.
824
825 2013-08-06  Stephanie Lewis  <slewis@apple.com>
826
827         Update Order Files for Safari
828         <rdar://problem/14517392>
829
830         Unreviewed.
831
832         * JavaScriptCore.order:
833
834 2013-08-04  Sam Weinig  <sam@webkit.org>
835
836         Remove support for HTML5 MicroData
837         https://bugs.webkit.org/show_bug.cgi?id=119480
838
839         Reviewed by Anders Carlsson.
840
841         * Configurations/FeatureDefines.xcconfig:
842
843 2013-08-05  Oliver Hunt  <oliver@apple.com>
844
845         Delay Arguments creation in strict mode
846         https://bugs.webkit.org/show_bug.cgi?id=119505
847
848         Reviewed by Geoffrey Garen.
849
850         Make use of the write tracking performed by the parser to
851         allow us to know if we're modifying the parameters to a function.
852         Then use that information to make strict mode functions opt out
853         of eager arguments creation.
854
855         * bytecompiler/BytecodeGenerator.cpp:
856         (JSC::BytecodeGenerator::BytecodeGenerator):
857         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
858         (JSC::BytecodeGenerator::emitReturn):
859         * bytecompiler/BytecodeGenerator.h:
860         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly):
861         * parser/Nodes.h:
862         (JSC::ScopeNode::modifiesParameter):
863         * parser/Parser.cpp:
864         (JSC::::parseInner):
865         * parser/Parser.h:
866         (JSC::Scope::declareParameter):
867         (JSC::Scope::getCapturedVariables):
868         (JSC::Parser::declareWrite):
869         * parser/ParserModes.h:
870
871 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
872
873         Remove useless code from COMPILER(RVCT) JITStubs
874         https://bugs.webkit.org/show_bug.cgi?id=119521
875
876         Reviewed by Geoffrey Garen.
877
878         * jit/JITStubsARMv7.h:
879         (JSC::ctiVMThrowTrampoline): "ldr r6, [sp, #PRESERVED_R6_OFFSET]" was called twice.
880         (JSC::ctiOpThrowNotCaught): Ditto.
881
882 2013-07-23  David Farler  <dfarler@apple.com>
883
884         Provide optional OTHER_CFLAGS, OTHER_CPPFLAGS, OTHER_LDFLAGS additions for building with ASAN
885         https://bugs.webkit.org/show_bug.cgi?id=117762
886
887         Reviewed by Mark Rowe.
888
889         * Configurations/DebugRelease.xcconfig:
890         Add ASAN_OTHER_CFLAGS, CPLUSPLUSFLAGS, LDFLAGS.
891         * Configurations/JavaScriptCore.xcconfig:
892         Add ASAN_OTHER_LDFLAGS.
893         * Configurations/ToolExecutable.xcconfig:
894         Don't use ASAN for build tools.
895
896 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
897
898         Build fix for ARM MSVC after r153222 and r153648.
899
900         * jit/JITStubsARM.h: Added ctiVMThrowTrampolineSlowpath.
901
902 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
903
904         Build fix for ARM MSVC after r150109.
905
906         Read the stub template from a header file instead of JITStubs.cpp.
907
908         * CMakeLists.txt:
909         * DerivedSources.pri:
910         * create_jit_stubs:
911
912 2013-08-05  Oliver Hunt  <oliver@apple.com>
913
914         Move TypedArray implementation into JSC
915         https://bugs.webkit.org/show_bug.cgi?id=119489
916
917         Reviewed by Filip Pizlo.
918
919         Move TypedArray implementation into JSC in advance of re-implementation
920
921         * GNUmakefile.list.am:
922         * JSCTypedArrayStubs.h:
923         * JavaScriptCore.xcodeproj/project.pbxproj:
924         * runtime/ArrayBuffer.cpp: Renamed from Source/WTF/wtf/ArrayBuffer.cpp.
925         (JSC::ArrayBuffer::transfer):
926         (JSC::ArrayBuffer::addView):
927         (JSC::ArrayBuffer::removeView):
928         * runtime/ArrayBuffer.h: Renamed from Source/WTF/wtf/ArrayBuffer.h.
929         (JSC::ArrayBufferContents::ArrayBufferContents):
930         (JSC::ArrayBufferContents::data):
931         (JSC::ArrayBufferContents::sizeInBytes):
932         (JSC::ArrayBufferContents::transfer):
933         (JSC::ArrayBufferContents::copyTo):
934         (JSC::ArrayBuffer::isNeutered):
935         (JSC::ArrayBuffer::~ArrayBuffer):
936         (JSC::ArrayBuffer::clampValue):
937         (JSC::ArrayBuffer::create):
938         (JSC::ArrayBuffer::createUninitialized):
939         (JSC::ArrayBuffer::ArrayBuffer):
940         (JSC::ArrayBuffer::data):
941         (JSC::ArrayBuffer::byteLength):
942         (JSC::ArrayBuffer::slice):
943         (JSC::ArrayBuffer::sliceImpl):
944         (JSC::ArrayBuffer::clampIndex):
945         (JSC::ArrayBufferContents::tryAllocate):
946         (JSC::ArrayBufferContents::~ArrayBufferContents):
947         * runtime/ArrayBufferView.cpp: Renamed from Source/WTF/wtf/ArrayBufferView.cpp.
948         (JSC::ArrayBufferView::ArrayBufferView):
949         (JSC::ArrayBufferView::~ArrayBufferView):
950         (JSC::ArrayBufferView::neuter):
951         * runtime/ArrayBufferView.h: Renamed from Source/WTF/wtf/ArrayBufferView.h.
952         (JSC::ArrayBufferView::buffer):
953         (JSC::ArrayBufferView::baseAddress):
954         (JSC::ArrayBufferView::byteOffset):
955         (JSC::ArrayBufferView::setNeuterable):
956         (JSC::ArrayBufferView::isNeuterable):
957         (JSC::ArrayBufferView::verifySubRange):
958         (JSC::ArrayBufferView::clampOffsetAndNumElements):
959         (JSC::ArrayBufferView::setImpl):
960         (JSC::ArrayBufferView::setRangeImpl):
961         (JSC::ArrayBufferView::zeroRangeImpl):
962         (JSC::ArrayBufferView::calculateOffsetAndLength):
963         * runtime/Float32Array.h: Renamed from Source/WTF/wtf/Float32Array.h.
964         (JSC::Float32Array::set):
965         (JSC::Float32Array::getType):
966         (JSC::Float32Array::create):
967         (JSC::Float32Array::createUninitialized):
968         (JSC::Float32Array::Float32Array):
969         (JSC::Float32Array::subarray):
970         * runtime/Float64Array.h: Renamed from Source/WTF/wtf/Float64Array.h.
971         (JSC::Float64Array::set):
972         (JSC::Float64Array::getType):
973         (JSC::Float64Array::create):
974         (JSC::Float64Array::createUninitialized):
975         (JSC::Float64Array::Float64Array):
976         (JSC::Float64Array::subarray):
977         * runtime/Int16Array.h: Renamed from Source/WTF/wtf/Int16Array.h.
978         (JSC::Int16Array::getType):
979         (JSC::Int16Array::create):
980         (JSC::Int16Array::createUninitialized):
981         (JSC::Int16Array::Int16Array):
982         (JSC::Int16Array::subarray):
983         * runtime/Int32Array.h: Renamed from Source/WTF/wtf/Int32Array.h.
984         (JSC::Int32Array::getType):
985         (JSC::Int32Array::create):
986         (JSC::Int32Array::createUninitialized):
987         (JSC::Int32Array::Int32Array):
988         (JSC::Int32Array::subarray):
989         * runtime/Int8Array.h: Renamed from Source/WTF/wtf/Int8Array.h.
990         (JSC::Int8Array::getType):
991         (JSC::Int8Array::create):
992         (JSC::Int8Array::createUninitialized):
993         (JSC::Int8Array::Int8Array):
994         (JSC::Int8Array::subarray):
995         * runtime/IntegralTypedArrayBase.h: Renamed from Source/WTF/wtf/IntegralTypedArrayBase.h.
996         (JSC::IntegralTypedArrayBase::set):
997         (JSC::IntegralTypedArrayBase::IntegralTypedArrayBase):
998         * runtime/TypedArrayBase.h: Renamed from Source/WTF/wtf/TypedArrayBase.h.
999         (JSC::TypedArrayBase::data):
1000         (JSC::TypedArrayBase::set):
1001         (JSC::TypedArrayBase::setRange):
1002         (JSC::TypedArrayBase::zeroRange):
1003         (JSC::TypedArrayBase::length):
1004         (JSC::TypedArrayBase::byteLength):
1005         (JSC::TypedArrayBase::item):
1006         (JSC::TypedArrayBase::checkInboundData):
1007         (JSC::TypedArrayBase::TypedArrayBase):
1008         (JSC::TypedArrayBase::create):
1009         (JSC::TypedArrayBase::createUninitialized):
1010         (JSC::TypedArrayBase::subarrayImpl):
1011         (JSC::TypedArrayBase::neuter):
1012         * runtime/Uint16Array.h: Renamed from Source/WTF/wtf/Uint16Array.h.
1013         (JSC::Uint16Array::getType):
1014         (JSC::Uint16Array::create):
1015         (JSC::Uint16Array::createUninitialized):
1016         (JSC::Uint16Array::Uint16Array):
1017         (JSC::Uint16Array::subarray):
1018         * runtime/Uint32Array.h: Renamed from Source/WTF/wtf/Uint32Array.h.
1019         (JSC::Uint32Array::getType):
1020         (JSC::Uint32Array::create):
1021         (JSC::Uint32Array::createUninitialized):
1022         (JSC::Uint32Array::Uint32Array):
1023         (JSC::Uint32Array::subarray):
1024         * runtime/Uint8Array.h: Renamed from Source/WTF/wtf/Uint8Array.h.
1025         (JSC::Uint8Array::getType):
1026         (JSC::Uint8Array::create):
1027         (JSC::Uint8Array::createUninitialized):
1028         (JSC::Uint8Array::Uint8Array):
1029         (JSC::Uint8Array::subarray):
1030         * runtime/Uint8ClampedArray.h: Renamed from Source/WTF/wtf/Uint8ClampedArray.h.
1031         (JSC::Uint8ClampedArray::getType):
1032         (JSC::Uint8ClampedArray::create):
1033         (JSC::Uint8ClampedArray::createUninitialized):
1034         (JSC::Uint8ClampedArray::zeroFill):
1035         (JSC::Uint8ClampedArray::set):
1036         (JSC::Uint8ClampedArray::Uint8ClampedArray):
1037         (JSC::Uint8ClampedArray::subarray):
1038         * runtime/VM.h:
1039
1040 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
1041
1042         Copied space should be able to handle more than one copied backing store per JSCell
1043         https://bugs.webkit.org/show_bug.cgi?id=119471
1044
1045         Reviewed by Mark Hahnenberg.
1046         
1047         This allows a cell to call copyLater() multiple times for multiple different
1048         backing stores, and then have copyBackingStore() called exactly once for each
1049         of those. A token tells it which backing store to copy. All backing stores
1050         must be named using the CopyToken, an enumeration which currently cannot
1051         exceed eight entries.
1052         
1053         When copyBackingStore() is called, it's up to the callee to (a) use the token
1054         to decide what to copy and (b) call its base class's copyBackingStore() in
1055         case the base class had something that needed copying. The only exception is
1056         that JSCell never asks anything to be copied, and so if your base is JSCell
1057         then you don't have to do anything.
1058
1059         * GNUmakefile.list.am:
1060         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1061         * JavaScriptCore.xcodeproj/project.pbxproj:
1062         * heap/CopiedBlock.h:
1063         * heap/CopiedBlockInlines.h:
1064         (JSC::CopiedBlock::reportLiveBytes):
1065         * heap/CopyToken.h: Added.
1066         * heap/CopyVisitor.cpp:
1067         (JSC::CopyVisitor::copyFromShared):
1068         * heap/CopyVisitor.h:
1069         * heap/CopyVisitorInlines.h:
1070         (JSC::CopyVisitor::visitItem):
1071         * heap/CopyWorkList.h:
1072         (JSC::CopyWorklistItem::CopyWorklistItem):
1073         (JSC::CopyWorklistItem::cell):
1074         (JSC::CopyWorklistItem::token):
1075         (JSC::CopyWorkListSegment::get):
1076         (JSC::CopyWorkListSegment::append):
1077         (JSC::CopyWorkListSegment::data):
1078         (JSC::CopyWorkListIterator::get):
1079         (JSC::CopyWorkListIterator::operator*):
1080         (JSC::CopyWorkListIterator::operator->):
1081         (JSC::CopyWorkList::append):
1082         * heap/SlotVisitor.h:
1083         * heap/SlotVisitorInlines.h:
1084         (JSC::SlotVisitor::copyLater):
1085         * runtime/ClassInfo.h:
1086         * runtime/JSCell.cpp:
1087         (JSC::JSCell::copyBackingStore):
1088         * runtime/JSCell.h:
1089         * runtime/JSObject.cpp:
1090         (JSC::JSObject::visitButterfly):
1091         (JSC::JSObject::copyBackingStore):
1092         * runtime/JSObject.h:
1093
1094 2013-08-05  Zan Dobersek  <zdobersek@igalia.com>
1095
1096         [Automake] Define ENABLE_JIT through the Autoconf header
1097         https://bugs.webkit.org/show_bug.cgi?id=119445
1098
1099         Reviewed by Martin Robinson.
1100
1101         * GNUmakefile.am: Remove JSC_CPPFLAGS from the cpp flags for the JSC library.
1102
1103 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
1104
1105         hasIndexingHeader() ought really to be a property of an object and its structure, not just its structure
1106         https://bugs.webkit.org/show_bug.cgi?id=119470
1107
1108         Reviewed by Oliver Hunt.
1109         
1110         Structure can still tell you if the object "could" (in the conservative sense)
1111         have an indexing header; that's used by the compiler.
1112         
1113         Most of the time if you want to know if there's an indexing header, you ask the
1114         JSObject.
1115         
1116         In some cases, the JSObject wants to know if it would have an indexing header if
1117         it had a different structure; then it uses Structure::hasIndexingHeader(JSCell*).
1118
1119         * dfg/DFGRepatch.cpp:
1120         (JSC::DFG::tryCachePutByID):
1121         (JSC::DFG::tryBuildPutByIdList):
1122         * dfg/DFGSpeculativeJIT.cpp:
1123         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1124         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1125         * runtime/ButterflyInlines.h:
1126         (JSC::Butterfly::create):
1127         (JSC::Butterfly::growPropertyStorage):
1128         (JSC::Butterfly::growArrayRight):
1129         (JSC::Butterfly::resizeArray):
1130         * runtime/JSObject.cpp:
1131         (JSC::JSObject::copyButterfly):
1132         (JSC::JSObject::visitButterfly):
1133         * runtime/JSObject.h:
1134         (JSC::JSObject::hasIndexingHeader):
1135         (JSC::JSObject::setButterfly):
1136         * runtime/Structure.h:
1137         (JSC::Structure::couldHaveIndexingHeader):
1138         (JSC::Structure::hasIndexingHeader):
1139
1140 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
1141
1142         Give the error object's stack property accessor attributes.
1143         https://bugs.webkit.org/show_bug.cgi?id=119404
1144
1145         Reviewed by Geoffrey Garen.
1146         
1147         Changed the attributes of error object's stack property to allow developers to write
1148         and delete the stack property. This will match the functionality of Chrome. Firefox
1149         allows developers to write the error's stack, but not delete it.
1150
1151         * interpreter/Interpreter.cpp:
1152         (JSC::Interpreter::addStackTraceIfNecessary):
1153         * runtime/ErrorInstance.cpp:
1154         (JSC::ErrorInstance::finishCreation):
1155
1156 2013-08-02  Oliver Hunt  <oliver@apple.com>
1157
1158         Incorrect type speculation reported by ToPrimitive
1159         https://bugs.webkit.org/show_bug.cgi?id=119458
1160
1161         Reviewed by Mark Hahnenberg.
1162
1163         Make sure that we report the correct type possibilities for the output
1164         from ToPrimitive.
1165
1166         * dfg/DFGAbstractInterpreterInlines.h:
1167         (JSC::DFG::::executeEffects):
1168
1169 2013-08-02  Gavin Barraclough  <barraclough@apple.com>
1170
1171         Remove no-arguments constructor to PropertySlot
1172         https://bugs.webkit.org/show_bug.cgi?id=119460
1173
1174         Reviewed by Geoff Garen.
1175
1176         This constructor was unsafe if getValue is subsequently called,
1177         and the property is a getter. Simplest to just remove it.
1178
1179         * runtime/Arguments.cpp:
1180         (JSC::Arguments::defineOwnProperty):
1181         * runtime/JSActivation.cpp:
1182         (JSC::JSActivation::getOwnPropertyDescriptor):
1183         * runtime/JSFunction.cpp:
1184         (JSC::JSFunction::getOwnPropertyDescriptor):
1185         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1186         (JSC::JSFunction::put):
1187         (JSC::JSFunction::defineOwnProperty):
1188         * runtime/JSGlobalObject.cpp:
1189         (JSC::JSGlobalObject::defineOwnProperty):
1190         * runtime/JSGlobalObject.h:
1191         (JSC::JSGlobalObject::hasOwnPropertyForWrite):
1192         * runtime/JSNameScope.cpp:
1193         (JSC::JSNameScope::put):
1194         * runtime/JSONObject.cpp:
1195         (JSC::Stringifier::Holder::appendNextProperty):
1196         (JSC::Walker::walk):
1197         * runtime/JSObject.cpp:
1198         (JSC::JSObject::hasProperty):
1199         (JSC::JSObject::hasOwnProperty):
1200         (JSC::JSObject::reifyStaticFunctionsForDelete):
1201         * runtime/Lookup.h:
1202         (JSC::getStaticPropertyDescriptor):
1203         (JSC::getStaticFunctionDescriptor):
1204         (JSC::getStaticValueDescriptor):
1205         * runtime/ObjectConstructor.cpp:
1206         (JSC::defineProperties):
1207         * runtime/PropertySlot.h:
1208
1209 2013-08-02  Mark Hahnenberg  <mhahnenberg@apple.com>
1210
1211         DFG validation can cause assertion failures due to dumping
1212         https://bugs.webkit.org/show_bug.cgi?id=119456
1213
1214         Reviewed by Geoffrey Garen.
1215
1216         * bytecode/CodeBlock.cpp:
1217         (JSC::CodeBlock::hasHash):
1218         (JSC::CodeBlock::isSafeToComputeHash):
1219         (JSC::CodeBlock::hash):
1220         (JSC::CodeBlock::dumpAssumingJITType):
1221         * bytecode/CodeBlock.h:
1222
1223 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
1224
1225         Have vm's exceptionStack match java's vm's exceptionStack.
1226         https://bugs.webkit.org/show_bug.cgi?id=119362
1227
1228         Reviewed by Geoffrey Garen.
1229         
1230         The error object's stack is only updated if it does not exist yet. This matches 
1231         the functionality of other browsers, and Java VMs. 
1232
1233         * interpreter/Interpreter.cpp:
1234         (JSC::Interpreter::addStackTraceIfNecessary):
1235         (JSC::Interpreter::throwException):
1236         * runtime/VM.cpp:
1237         (JSC::VM::clearExceptionStack):
1238         * runtime/VM.h:
1239         (JSC::VM::lastExceptionStack):
1240
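Added example (not WebKit or JavaScriptCore code) covering the two Error.stack entries above, "Give the error object's stack property accessor attributes" and "Have vm's exceptionStack match java's vm's exceptionStack": from script, it checks that an error's stack property is writable and deletable, uses the writable property to redact absolute paths before a trace leaves the process, and shows that a caught-and-rethrown error keeps the stack from its original throw site. Assumed: an engine that exposes `stack` on Error instances (Node.js/V8, JavaScriptCore, SpiderMonkey); the sample trace fed to the redaction helper is constructed, not captured, and the regex only handles POSIX paths.

```javascript
'use strict';
// Added example, not WebKit/JavaScriptCore code. Exercises, from script, the two
// Error.stack behaviours described in the ChangeLog entries: (1) `stack` is a
// writable and deletable property, and (2) an error that is caught and rethrown
// keeps the stack captured where it was first raised.
// Assumption: an engine exposing `stack` on Error instances; only function names
// are relied upon in the engine's trace format.

// Find the `stack` descriptor on the instance or, failing that, up the prototype
// chain (some engines implement it as an inherited accessor).
function stackDescriptor(err) {
  for (let obj = err; obj !== null; obj = Object.getPrototypeOf(obj)) {
    const d = Object.getOwnPropertyDescriptor(obj, 'stack');
    if (d) return d;
  }
  return undefined;
}

// True if assignment to `stack` is allowed: a writable data property, or an
// accessor that has a setter.
function isWritableStack(err) {
  const d = stackDescriptor(err);
  return d !== undefined && (d.writable === true || typeof d.set === 'function');
}

// Security use of the writable property: strip absolute POSIX paths from a trace
// before it is logged externally or returned to a client, keeping the file name.
// (Windows drive paths are not handled; this is illustrative.)
function redactStack(err) {
  if (typeof err.stack === 'string') {
    err.stack = err.stack.replace(/(?:\/[^\s/:)]+)+\/([^\s/:)]+)/g, '<redacted>/$1');
  }
  return err;
}

// Removing the stack outright (e.g. before serialising an error) relies on the
// property being configurable. Returns true if no own `stack` remains.
function dropStack(err) {
  return delete err.stack && Object.getOwnPropertyDescriptor(err, 'stack') === undefined;
}

// Rethrow scenario: the trace should still name `inner`, the original throw site,
// because an existing stack is not overwritten when the error is thrown again.
function inner() { throw new Error('boom'); }
function rethrowing() {
  try { inner(); } catch (e) { throw e; }
}
function rethrownStack() {
  try { rethrowing(); } catch (e) { return e.stack; }
  return undefined;
}

// Constructed sample trace (not captured from a real run) for the redaction demo.
const sample = new Error('db down');
sample.stack = 'Error: db down\n    at query (/srv/app/lib/db.js:42:11)\n    at /srv/app/server.js:7:3';
```

`redactStack` mutates the error in place, which is exactly what the writable attribute permits; a frozen or non-writable `stack` would make the assignment throw in strict mode, so the descriptor check is worth running once at startup if the redaction is relied upon for anything sensitive.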
1241 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
1242
1243         REGRESSION(FTL): Fix mips implementation of ctiVMThrowTrampolineSlowpath.
1244         https://bugs.webkit.org/show_bug.cgi?id=119447
1245
1246         Reviewed by Geoffrey Garen.
1247
1248         Fix .cpload, update call frame and do not restore registers from JIT stack frame in
1249         mips implementation of ctiVMThrowTrampolineSlowpath. This change is similar to
1250         r153583 (sh4) and r153648 (ARM).
1251
1252         * jit/JITStubsMIPS.h:
1253
1254 2013-08-01  Filip Pizlo  <fpizlo@apple.com>
1255
1256         hasIndexingHeader should be a property of the Structure, not just the IndexingType
1257         https://bugs.webkit.org/show_bug.cgi?id=119422
1258
1259         Reviewed by Oliver Hunt.
1260         
1261         This simplifies some code and also allows Structure to claim that an object
1262         has an indexing header even if it doesn't have indexed properties.
1263         
1264         I also changed some calls to use hasIndexedProperties() since in some cases,
1265         that's what we actually meant. Currently the two are synonyms.
1266
1267         * dfg/DFGRepatch.cpp:
1268         (JSC::DFG::tryCachePutByID):
1269         (JSC::DFG::tryBuildPutByIdList):
1270         * dfg/DFGSpeculativeJIT.cpp:
1271         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1272         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1273         * runtime/ButterflyInlines.h:
1274         (JSC::Butterfly::create):
1275         (JSC::Butterfly::growPropertyStorage):
1276         (JSC::Butterfly::growArrayRight):
1277         (JSC::Butterfly::resizeArray):
1278         * runtime/IndexingType.h:
1279         * runtime/JSObject.cpp:
1280         (JSC::JSObject::copyButterfly):
1281         (JSC::JSObject::visitButterfly):
1282         (JSC::JSObject::setPrototype):
1283         * runtime/JSObject.h:
1284         (JSC::JSObject::setButterfly):
1285         * runtime/JSPropertyNameIterator.cpp:
1286         (JSC::JSPropertyNameIterator::create):
1287         * runtime/Structure.h:
1288         (JSC::Structure::hasIndexingHeader):
1289
1290 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
1291
1292         REGRESSION: ARM still crashes after change set r153612.
1293         https://bugs.webkit.org/show_bug.cgi?id=119433
1294
1295         Reviewed by Michael Saboff.
1296
1297         Update call frame and do not restore registers from JIT stack frame in ARM and ARMv7
1298         implementations of ctiVMThrowTrampolineSlowpath. This change is similar to r153583
1299         for sh4 architecture.
1300
1301         * jit/JITStubsARM.h:
1302         * jit/JITStubsARMv7.h:
1303
1304 2013-08-02  Michael Saboff  <msaboff@apple.com>
1305
1306         REGRESSION(r153612): It made jsc and layout tests crash
1307         https://bugs.webkit.org/show_bug.cgi?id=119440
1308
1309         Reviewed by Csaba Osztrogonác.
1310
1311         Made the changes of changeset r153612 only apply to 32 bit builds.
1312
1313         * jit/JITExceptions.cpp:
1314         * jit/JITExceptions.h:
1315         * jit/JITStubs.cpp:
1316         (JSC::cti_vm_throw_slowpath):
1317         * jit/JITStubs.h:
1318
1319 2013-08-02  Patrick Gansterer  <paroga@webkit.org>
1320
1321         Add JSCTestRunnerUtils to the list of forwarding headers to fix build.
1322
1323         * CMakeLists.txt:
1324
1325 2013-08-01  Ruth Fong  <ruth_fong@apple.com>
1326
1327         [Forms: color] <input type='color'> popover color well implementation
1328         <rdar://problem/14411008> and https://bugs.webkit.org/show_bug.cgi?id=119356
1329
1330         Reviewed by Benjamin Poulain.
1331
1332         * Configurations/FeatureDefines.xcconfig: Added and enabled INPUT_TYPE_COLOR_POPOVER.
1333
1334 2013-08-01  Oliver Hunt  <oliver@apple.com>
1335
1336         DFG is not enforcing correct ordering of ToString conversion in MakeRope
1337         https://bugs.webkit.org/show_bug.cgi?id=119408
1338
1339         Reviewed by Filip Pizlo.
1340
1341         Construct ToString and Phantom nodes in advance of MakeRope
1342         nodes to ensure that ordering is ensured, and correct values
1343         will be reified on OSR exit.
1344
1345         * dfg/DFGByteCodeParser.cpp:
1346         (JSC::DFG::ByteCodeParser::parseBlock):
1347
1348 2013-08-01  Michael Saboff  <msaboff@apple.com>
1349
1350         REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
1351         https://bugs.webkit.org/show_bug.cgi?id=119140
1352
1353         Reviewed by Filip Pizlo.
1354
1355         Ensure that ExceptionHandler is returned by functions in two registers by encoding the value as a 64 bit int.
1356
1357         * jit/JITExceptions.cpp:
1358         (JSC::encode):
1359         * jit/JITExceptions.h:
1360         * jit/JITStubs.cpp:
1361         (JSC::cti_vm_throw_slowpath):
1362         * jit/JITStubs.h:
1363
1364 2013-08-01  Julien Brianceau  <jbrianceau@nds.com>
1365
1366         REGRESSION(FTL): Fix sh4 implementation of ctiVMThrowTrampolineSlowpath.
1367         https://bugs.webkit.org/show_bug.cgi?id=119391
1368
1369         Reviewed by Csaba Osztrogonác.
1370
1371         * jit/JITStubsSH4.h: Fix ctiVMThrowTrampolineSlowpath implementation:
1372             - Call frame is in r14 register.
1373             - Do not restore registers from JIT stack frame here.
1374
1375 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
1376
1377         More cleanup in PropertySlot
1378         https://bugs.webkit.org/show_bug.cgi?id=119359
1379
1380         Reviewed by Geoff Garen.
1381
1382         m_slotBase is overloaded to store the (receiver) thisValue and the object that contains the property.
1383         This is confusing, and means that slotBase cannot be typed correctly (can only be a JSObject).
1384
1385         * dfg/DFGRepatch.cpp:
1386         (JSC::DFG::tryCacheGetByID):
1387         (JSC::DFG::tryBuildGetByIDList):
1388             - No need to ASSERT slotBase is an object.
1389         * jit/JITStubs.cpp:
1390         (JSC::tryCacheGetByID):
1391         (JSC::DEFINE_STUB_FUNCTION):
1392             - No need to ASSERT slotBase is an object.
1393         * runtime/JSObject.cpp:
1394         (JSC::JSObject::getOwnPropertySlotByIndex):
1395         (JSC::JSObject::fillGetterPropertySlot):
1396             - Pass an object through to setGetterSlot.
1397         * runtime/JSObject.h:
1398         (JSC::PropertySlot::getValue):
1399             - Moved from PropertySlot (need to know about JSObject).
1400         * runtime/PropertySlot.cpp:
1401         (JSC::PropertySlot::functionGetter):
1402             - update per member name changes
1403         * runtime/PropertySlot.h:
1404         (JSC::PropertySlot::PropertySlot):
1405             - Argument to constructor set to 'thisValue'.
1406         (JSC::PropertySlot::slotBase):
1407             - This returns a JSObject*.
1408         (JSC::PropertySlot::setValue):
1409         (JSC::PropertySlot::setCustom):
1410         (JSC::PropertySlot::setCacheableCustom):
1411         (JSC::PropertySlot::setCustomIndex):
1412         (JSC::PropertySlot::setGetterSlot):
1413         (JSC::PropertySlot::setCacheableGetterSlot):
1414             - slotBase is a JSObject*, make setGetterSlot set slotBase for consistency.
1415         * runtime/SparseArrayValueMap.cpp:
1416         (JSC::SparseArrayEntry::get):
1417             - Pass an object through to setGetterSlot.
1418         * runtime/SparseArrayValueMap.h:
1419             - Pass an object through to setGetterSlot.
1420
1421 2013-07-31  Yi Shen  <max.hong.shen@gmail.com>
1422
1423         Reduce JSC API static value setter/getter overhead.
1424         https://bugs.webkit.org/show_bug.cgi?id=119277
1425
1426         Reviewed by Geoffrey Garen.
1427
1428         Add property name to the static value entry, so that OpaqueJSString::create() doesn't
1429         need to be called every time the static value is set or read.
1430
1431         * API/JSCallbackObjectFunctions.h:
1432         (JSC::::put):
1433         (JSC::::putByIndex):
1434         (JSC::::getStaticValue):
1435         * API/JSClassRef.cpp:
1436         (OpaqueJSClassContextData::OpaqueJSClassContextData):
1437         * API/JSClassRef.h:
1438         (StaticValueEntry::StaticValueEntry):
1439
1440 2013-07-31  Kwang Yul Seo  <skyul@company100.net>
1441
1442         Use emptyString instead of String("")
1443         https://bugs.webkit.org/show_bug.cgi?id=119335
1444
1445         Reviewed by Darin Adler.
1446
1447         Use emptyString() instead of String("") because it is better style and
1448         faster. This is a followup to r116908, removing all occurrences of
1449         String("") from WebKit.
1450
1451         * runtime/RegExpConstructor.cpp:
1452         (JSC::constructRegExp):
1453         * runtime/RegExpPrototype.cpp:
1454         (JSC::regExpProtoFuncCompile):
1455         * runtime/StringPrototype.cpp:
1456         (JSC::stringProtoFuncMatch):
1457         (JSC::stringProtoFuncSearch):
1458
1459 2013-07-31  Ruth Fong  <ruth_fong@apple.com>
1460
1461         <input type=color> Mac UI behaviour
1462         <rdar://problem/10269922> and https://bugs.webkit.org/show_bug.cgi?id=61276
1463
1464         Reviewed by Brady Eidson.
1465
1466         * Configurations/FeatureDefines.xcconfig: Enabled INPUT_TYPE_COLOR.
1467
1468 2013-07-31  Mark Hahnenberg  <mhahnenberg@apple.com>
1469
1470         DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT
1471         https://bugs.webkit.org/show_bug.cgi?id=119349
1472
1473         Reviewed by Geoffrey Garen.
1474
1475         Prior to this patch, the baseline JIT was responsible for resizing the ctiOffsets Vector for 
1476         SimpleJumpTables to be equal to the size of the branchOffsets Vector. The DFG implicitly relied
1477         on code it compiled with any switch statements to have been run in the baseline JIT first. 
1478         However, if the DFG chooses to inline a function that has never been compiled by the baseline 
1479         JIT then this resizing never happens and we crash at link time in the DFG.
1480
1481         We can fix this by also doing the resize in the DFG to catch this case.
1482
1483         * dfg/DFGJITCompiler.cpp:
1484         (JSC::DFG::JITCompiler::link):
1485
1486 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
1487
1488         Speculative Windows build fix.
1489
1490         Reviewed by NOBODY
1491
1492         * runtime/JSString.cpp:
1493         (JSC::JSRopeString::getIndexSlowCase):
1494         * runtime/JSString.h:
1495
1496 2013-07-30  Gavin Barraclough  <barraclough@apple.com>
1497
1498         Some cleanup in JSValue::get
1499         https://bugs.webkit.org/show_bug.cgi?id=119343
1500
1501         Reviewed by Geoff Garen.
1502
1503         JSValue::get is implemented to:
1504             1) Check if the value is a cell – if not, synthesize a prototype to search,
1505             2) call getOwnPropertySlot on the cell,
1506             3) if this returns false, cast to JSObject to get the prototype, and walk the prototype chain.
1507         By all rights this should crash when passed a string and accessing a property that does not exist, because
1508         the string is a cell, getOwnPropertySlot should return false, and the cast to JSObject should be unsafe.
1509         To work around this, JSString::getOwnPropertySlot actually implements 'get' functionality - searching the
1510         prototype chain, and faking out a return value of undefined if no property is found.
1511
1512         This is a huge hazard, since fixing JSString::getOwnPropertySlot or calling getOwnPropertySlot on cells
1513         from elsewhere would introduce bugs. Fortunately it is only ever called in this one place.
1514
1515         The fix here is to move getOwnPropertySlot onto JSObject and end this madness - cells don't have property
1516         slots anyway.
1517
1518         Interesting changes are in JSCJSValueInlines.h, JSString.cpp - the rest is pretty much all JSCell -> JSObject.
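
        Added example (not JavaScriptCore's code, and not part of this ChangeLog entry): a small C++ model of
        the three-step lookup described above, in the shape it takes after the cleanup. The Cell, Object,
        StringCell and Value types, the prototype names and the int-valued slots are assumptions made for the
        model; the point it shows is that the "is this cell an object?" question is answered once, up front,
        so a string cell is never cast to an object and the prototype walk only ever runs on real objects.

```cpp
// Added example: a model of JSValue::get after getOwnPropertySlot moved to
// JSObject. Names and types are assumptions for the model, not JSC's own.
#include <map>
#include <optional>
#include <string>
#include <utility>

struct Object;

// Anything heap-allocated is a cell; only some cells are objects.
struct Cell {
    virtual ~Cell() = default;
    virtual Object* asObject() { return nullptr; }  // checked downcast: null for non-objects
};

// Objects are the only cells that own property slots and carry a prototype.
struct Object : Cell {
    std::map<std::string, int> ownProperties;
    Object* prototype = nullptr;
    Object* asObject() override { return this; }

    std::optional<int> getOwnPropertySlot(const std::string& name) const {
        auto it = ownProperties.find(name);
        if (it == ownProperties.end())
            return std::nullopt;
        return it->second;
    }
};

// A string is a cell but not an object: in this model it has no slots of its own.
struct StringCell : Cell {
    std::string value;
    explicit StringCell(std::string v) : value(std::move(v)) {}
};

// A value is either a number or a pointer to a cell.
struct Value {
    bool isCell = false;
    double number = 0;
    Cell* cell = nullptr;
    static Value fromNumber(double d) { Value v; v.number = d; return v; }
    static Value fromCell(Cell* c) { Value v; v.isCell = true; v.cell = c; return v; }
};

// Steps 2 and 3 of the lookup, performed only on objects: check the own
// slots, then walk the prototype chain until a slot is found or it ends.
static std::optional<int> getFromObjectChain(const Object* object, const std::string& name) {
    for (const Object* o = object; o; o = o->prototype) {
        if (auto slot = o->getOwnPropertySlot(name))
            return slot;
    }
    return std::nullopt;
}

// Step 1 decides the type once. Numbers and strings both synthesize a
// prototype to search instead of pretending to own property slots, so no
// cell is ever treated as an Object without asObject() vouching for it.
std::optional<int> get(const Value& v, const std::string& name,
                       Object* numberPrototype, Object* stringPrototype) {
    if (!v.isCell)
        return getFromObjectChain(numberPrototype, name);
    if (Object* object = v.cell->asObject())
        return getFromObjectChain(object, name);
    return getFromObjectChain(stringPrototype, name);
}

// Drives the model: looks up 'name' on a value of the given kind ("number",
// "string" or "object") and returns the stored int, or -1 when the property
// is absent everywhere on the chain. The prototypes and their contents are
// constructed sample data.
int lookup(const std::string& kind, const std::string& name) {
    Object objectPrototype;
    objectPrototype.ownProperties = {{"inherited", 7}};
    Object numberPrototype, stringPrototype, plain;
    numberPrototype.prototype = &objectPrototype;
    numberPrototype.ownProperties = {{"toFixed", 1}};
    stringPrototype.prototype = &objectPrototype;
    stringPrototype.ownProperties = {{"trim", 2}};
    plain.prototype = &objectPrototype;
    plain.ownProperties = {{"own", 3}};
    StringCell str("hello");

    Value v = kind == "number" ? Value::fromNumber(42)
            : kind == "string" ? Value::fromCell(&str)
            : Value::fromCell(&plain);
    return get(v, name, &numberPrototype, &stringPrototype).value_or(-1);
}
```

        A lookup of a missing property on a string returns "absent" (-1 here, undefined in the engine) by
        running the ordinary chain walk on the synthesized prototype, which is exactly the behaviour that
        JSString::getOwnPropertySlot used to fake.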
1519
1520 2013-07-31  Michael Saboff  <msaboff@apple.com>
1521
1522         [Win] JavaScript crash.
1523         https://bugs.webkit.org/show_bug.cgi?id=119339
1524
1525         Reviewed by Mark Hahnenberg.
1526
1527         * jit/JITStubsX86.h: Implement ctiVMThrowTrampoline and
1528         ctiVMThrowTrampolineSlowpath the same way as the gcc x86 version does.
1529
1530 2013-07-30  Mark Hahnenberg  <mhahnenberg@apple.com>
1531
1532         GetByVal on Arguments does the wrong size load when checking the Arguments object length
1533         https://bugs.webkit.org/show_bug.cgi?id=119281
1534
1535         Reviewed by Geoffrey Garen.
1536
1537         This leads to out-of-bounds accesses and subsequent crashes.
1538
1539         * dfg/DFGSpeculativeJIT.cpp:
1540         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
1541         * dfg/DFGSpeculativeJIT64.cpp:
1542         (JSC::DFG::SpeculativeJIT::compile):
1543
1544 2013-07-30  Oliver Hunt  <oliver@apple.com>
1545
1546         Add an assertion to SpeculateCellOperand
1547         https://bugs.webkit.org/show_bug.cgi?id=119276
1548
1549         Reviewed by Michael Saboff.
1550
1551         More assertions are better
1552
1553         * dfg/DFGSpeculativeJIT64.cpp:
1554         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1555         (JSC::DFG::SpeculativeJIT::compile):
1556
1557 2013-07-30  Mark Lam  <mark.lam@apple.com>
1558
1559         Fix problems with divot and lineStart mismatches.
1560         https://bugs.webkit.org/show_bug.cgi?id=118662.
1561
1562         Reviewed by Oliver Hunt.
1563
1564         r152494 added the recording of lineStart values for divot positions.
1565         This is needed for the computation of column numbers. Similarly, it also
1566         added the recording of line numbers for the divot positions. One problem
1567         with the approach taken was that the line and lineStart values were
1568         recorded independently, and hence were not always guaranteed to be
1569         sampled at the same place that the divot position is recorded. This
1570         resulted in potential mismatches that cause some assertions to fail.
1571
1572         The solution is to introduce a JSTextPosition abstraction that records
1573         the divot position, line, and lineStart as a single quantity. Wherever
1574         we record the divot position as an unsigned int previously, we now record
1575         its JSTextPosition which captures all 3 values in one go. This ensures
1576         that the captured line and lineStart will always match the captured divot
1577         position.
1578
1579         * bytecompiler/BytecodeGenerator.cpp:
1580         (JSC::BytecodeGenerator::emitCall):
1581         (JSC::BytecodeGenerator::emitCallEval):
1582         (JSC::BytecodeGenerator::emitCallVarargs):
1583         (JSC::BytecodeGenerator::emitConstruct):
1584         (JSC::BytecodeGenerator::emitDebugHook):
1585         - Use JSTextPosition instead of passing line and lineStart explicitly.
1586         * bytecompiler/BytecodeGenerator.h:
1587         (JSC::BytecodeGenerator::emitExpressionInfo):
1588         - Use JSTextPosition instead of passing line and lineStart explicitly.
1589         * bytecompiler/NodesCodegen.cpp:
1590         (JSC::ThrowableExpressionData::emitThrowReferenceError):
1591         (JSC::ResolveNode::emitBytecode):
1592         (JSC::BracketAccessorNode::emitBytecode):
1593         (JSC::DotAccessorNode::emitBytecode):
1594         (JSC::NewExprNode::emitBytecode):
1595         (JSC::EvalFunctionCallNode::emitBytecode):
1596         (JSC::FunctionCallValueNode::emitBytecode):
1597         (JSC::FunctionCallResolveNode::emitBytecode):
1598         (JSC::FunctionCallBracketNode::emitBytecode):
1599         (JSC::FunctionCallDotNode::emitBytecode):
1600         (JSC::CallFunctionCallDotNode::emitBytecode):
1601         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1602         (JSC::PostfixNode::emitResolve):
1603         (JSC::PostfixNode::emitBracket):
1604         (JSC::PostfixNode::emitDot):
1605         (JSC::DeleteResolveNode::emitBytecode):
1606         (JSC::DeleteBracketNode::emitBytecode):
1607         (JSC::DeleteDotNode::emitBytecode):
1608         (JSC::PrefixNode::emitResolve):
1609         (JSC::PrefixNode::emitBracket):
1610         (JSC::PrefixNode::emitDot):
1611         (JSC::UnaryOpNode::emitBytecode):
1612         (JSC::BinaryOpNode::emitStrcat):
1613         (JSC::BinaryOpNode::emitBytecode):
1614         (JSC::ThrowableBinaryOpNode::emitBytecode):
1615         (JSC::InstanceOfNode::emitBytecode):
1616         (JSC::emitReadModifyAssignment):
1617         (JSC::ReadModifyResolveNode::emitBytecode):
1618         (JSC::AssignResolveNode::emitBytecode):
1619         (JSC::AssignDotNode::emitBytecode):
1620         (JSC::ReadModifyDotNode::emitBytecode):
1621         (JSC::AssignBracketNode::emitBytecode):
1622         (JSC::ReadModifyBracketNode::emitBytecode):
1623         (JSC::ForInNode::emitBytecode):
1624         (JSC::WithNode::emitBytecode):
1625         (JSC::ThrowNode::emitBytecode):
1626         - Use JSTextPosition instead of passing line and lineStart explicitly.
1627         * parser/ASTBuilder.h:
1628         - Replaced ASTBuilder::PositionInfo with JSTextPosition.
1629         (JSC::ASTBuilder::BinaryOpInfo::BinaryOpInfo):
1630         (JSC::ASTBuilder::AssignmentInfo::AssignmentInfo):
1631         (JSC::ASTBuilder::createResolve):
1632         (JSC::ASTBuilder::createBracketAccess):
1633         (JSC::ASTBuilder::createDotAccess):
1634         (JSC::ASTBuilder::createRegExp):
1635         (JSC::ASTBuilder::createNewExpr):
1636         (JSC::ASTBuilder::createAssignResolve):
1637         (JSC::ASTBuilder::createExprStatement):
1638         (JSC::ASTBuilder::createForInLoop):
1639         (JSC::ASTBuilder::createReturnStatement):
1640         (JSC::ASTBuilder::createBreakStatement):
1641         (JSC::ASTBuilder::createContinueStatement):
1642         (JSC::ASTBuilder::createLabelStatement):
1643         (JSC::ASTBuilder::createWithStatement):
1644         (JSC::ASTBuilder::createThrowStatement):
1645         (JSC::ASTBuilder::appendBinaryExpressionInfo):
1646         (JSC::ASTBuilder::appendUnaryToken):
1647         (JSC::ASTBuilder::unaryTokenStackLastStart):
1648         (JSC::ASTBuilder::assignmentStackAppend):
1649         (JSC::ASTBuilder::createAssignment):
1650         (JSC::ASTBuilder::setExceptionLocation):
1651         (JSC::ASTBuilder::makeDeleteNode):
1652         (JSC::ASTBuilder::makeFunctionCallNode):
1653         (JSC::ASTBuilder::makeBinaryNode):
1654         (JSC::ASTBuilder::makeAssignNode):
1655         (JSC::ASTBuilder::makePrefixNode):
1656         (JSC::ASTBuilder::makePostfixNode):
1657         - Use JSTextPosition instead of passing line and lineStart explicitly.
1658         * parser/Lexer.cpp:
1659         (JSC::::lex):
1660         - Added support for capturing the appropriate JSTextPositions instead
1661           of just the character offset.
1662         * parser/Lexer.h:
1663         (JSC::Lexer::currentPosition):
1664         (JSC::::lexExpectIdentifier):
1665         - Added support for capturing the appropriate JSTextPositions instead
1666           of just the character offset.
1667         * parser/NodeConstructors.h:
1668         (JSC::Node::Node):
1669         (JSC::ResolveNode::ResolveNode):
1670         (JSC::EvalFunctionCallNode::EvalFunctionCallNode):
1671         (JSC::FunctionCallValueNode::FunctionCallValueNode):
1672         (JSC::FunctionCallResolveNode::FunctionCallResolveNode):
1673         (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
1674         (JSC::FunctionCallDotNode::FunctionCallDotNode):
1675         (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
1676         (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
1677         (JSC::PostfixNode::PostfixNode):
1678         (JSC::DeleteResolveNode::DeleteResolveNode):
1679         (JSC::DeleteBracketNode::DeleteBracketNode):
1680         (JSC::DeleteDotNode::DeleteDotNode):
1681         (JSC::PrefixNode::PrefixNode):
1682         (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
1683         (JSC::ReadModifyBracketNode::ReadModifyBracketNode):
1684         (JSC::AssignBracketNode::AssignBracketNode):
1685         (JSC::AssignDotNode::AssignDotNode):
1686         (JSC::ReadModifyDotNode::ReadModifyDotNode):
1687         (JSC::AssignErrorNode::AssignErrorNode):
1688         (JSC::WithNode::WithNode):
1689         (JSC::ForInNode::ForInNode):
1690         - Use JSTextPosition instead of passing line and lineStart explicitly.
1691         * parser/Nodes.cpp:
1692         (JSC::StatementNode::setLoc):
1693         - Use JSTextPosition instead of passing line and lineStart explicitly.
1694         * parser/Nodes.h:
1695         (JSC::Node::lineNo):
1696         (JSC::Node::startOffset):
1697         (JSC::Node::lineStartOffset):
1698         (JSC::Node::position):
1699         (JSC::ThrowableExpressionData::ThrowableExpressionData):
1700         (JSC::ThrowableExpressionData::setExceptionSourceCode):
1701         (JSC::ThrowableExpressionData::divot):
1702         (JSC::ThrowableExpressionData::divotStart):
1703         (JSC::ThrowableExpressionData::divotEnd):
1704         (JSC::ThrowableSubExpressionData::ThrowableSubExpressionData):
1705         (JSC::ThrowableSubExpressionData::setSubexpressionInfo):
1706         (JSC::ThrowableSubExpressionData::subexpressionDivot):
1707         (JSC::ThrowableSubExpressionData::subexpressionStart):
1708         (JSC::ThrowableSubExpressionData::subexpressionEnd):
1709         (JSC::ThrowablePrefixedSubExpressionData::ThrowablePrefixedSubExpressionData):
1710         (JSC::ThrowablePrefixedSubExpressionData::setSubexpressionInfo):
1711         (JSC::ThrowablePrefixedSubExpressionData::subexpressionDivot):
1712         (JSC::ThrowablePrefixedSubExpressionData::subexpressionStart):
1713         (JSC::ThrowablePrefixedSubExpressionData::subexpressionEnd):
1714         - Use JSTextPosition instead of passing line and lineStart explicitly.
1715         * parser/Parser.cpp:
1716         (JSC::::Parser):
1717         (JSC::::parseInner):
1718         - Use JSTextPosition instead of passing line and lineStart explicitly.
1719         (JSC::::didFinishParsing):
1720         - Remove setting of m_lastLine value. We always pass in the value from
1721           m_lastLine anyway. So, this assignment is effectively a nop.
1722         (JSC::::parseVarDeclaration):
1723         (JSC::::parseVarDeclarationList):
1724         (JSC::::parseForStatement):
1725         (JSC::::parseBreakStatement):
1726         (JSC::::parseContinueStatement):
1727         (JSC::::parseReturnStatement):
1728         (JSC::::parseThrowStatement):
1729         (JSC::::parseWithStatement):
1730         (JSC::::parseTryStatement):
1731         (JSC::::parseBlockStatement):
1732         (JSC::::parseFunctionDeclaration):
1733         (JSC::LabelInfo::LabelInfo):
1734         (JSC::::parseExpressionOrLabelStatement):
1735         (JSC::::parseExpressionStatement):
1736         (JSC::::parseAssignmentExpression):
1737         (JSC::::parseBinaryExpression):
1738         (JSC::::parseProperty):
1739         (JSC::::parsePrimaryExpression):
1740         (JSC::::parseMemberExpression):
1741         (JSC::::parseUnaryExpression):
1742         - Use JSTextPosition instead of passing line and lineStart explicitly.
1743         * parser/Parser.h:
1744         (JSC::Parser::next):
1745         (JSC::Parser::nextExpectIdentifier):
1746         (JSC::Parser::getToken):
1747         (JSC::Parser::tokenStartPosition):
1748         (JSC::Parser::tokenEndPosition):
1749         (JSC::Parser::lastTokenEndPosition):
1750         (JSC::::parse):
1751         - Use JSTextPosition instead of passing line and lineStart explicitly.
1752         * parser/ParserTokens.h:
1753         (JSC::JSTextPosition::JSTextPosition):
1754         (JSC::JSTextPosition::operator+):
1755         (JSC::JSTextPosition::operator-):
1756         (JSC::JSTextPosition::operator int):
1757         - Added JSTextPosition.
1758         * parser/SyntaxChecker.h:
1759         (JSC::SyntaxChecker::makeFunctionCallNode):
1760         (JSC::SyntaxChecker::makeAssignNode):
1761         (JSC::SyntaxChecker::makePrefixNode):
1762         (JSC::SyntaxChecker::makePostfixNode):
1763         (JSC::SyntaxChecker::makeDeleteNode):
1764         (JSC::SyntaxChecker::createResolve):
1765         (JSC::SyntaxChecker::createBracketAccess):
1766         (JSC::SyntaxChecker::createDotAccess):
1767         (JSC::SyntaxChecker::createRegExp):
1768         (JSC::SyntaxChecker::createNewExpr):
1769         (JSC::SyntaxChecker::createAssignResolve):
1770         (JSC::SyntaxChecker::createForInLoop):
1771         (JSC::SyntaxChecker::createReturnStatement):
1772         (JSC::SyntaxChecker::createBreakStatement):
1773         (JSC::SyntaxChecker::createContinueStatement):
1774         (JSC::SyntaxChecker::createWithStatement):
1775         (JSC::SyntaxChecker::createLabelStatement):
1776         (JSC::SyntaxChecker::createThrowStatement):
1777         (JSC::SyntaxChecker::appendBinaryExpressionInfo):
1778         (JSC::SyntaxChecker::operatorStackPop):
1779         - Use JSTextPosition instead of passing line and lineStart explicitly.
1780
1781 2013-07-29  Carlos Garcia Campos  <cgarcia@igalia.com>
1782
1783         Unreviewed. Fix make distcheck.
1784
1785         * GNUmakefile.list.am: Add missing files to compilation.
1786         * bytecode/CodeBlock.cpp: Add an ENABLE(FTL_JIT) #if block to
1787         include FTL header files not included in the compilation.
1788         * dfg/DFGDriver.cpp: Ditto.
1789         * dfg/DFGPlan.cpp: Ditto.
1790
1791 2013-07-29  Chris Curtis  <chris_curtis@apple.com>
1792
1793         Eager stack trace for error objects.
1794         https://bugs.webkit.org/show_bug.cgi?id=118918
1795
1796         Reviewed by Geoffrey Garen.
1797         
1798         Chrome and Firefox give error objects the stack property and we wanted to match
1799         that functionality. This allows developers to see the stack without throwing an object.
1800
1801         * runtime/ErrorInstance.cpp:
1802         (JSC::ErrorInstance::finishCreation):
1803         For error objects that are not thrown as an exception, we pass the stackTrace in
1804         as a parameter. This allows the error object to have the stack property.
1805         
1806         * interpreter/Interpreter.cpp:
1807         (JSC::stackTraceAsString):
1808         Helper function used to eliminate duplicate code.
1809
1810         (JSC::Interpreter::addStackTraceIfNecessary):
1811         When an error object is created by the user the vm->exceptionStack is not set.
1812         If the user throws this error object later the stack that is in the error object 
1813         may not be the correct stack for the throw, so when we set the vm->exception stack,
1814         the stack property on the error object is set as well.
1815         
1816         * runtime/ErrorConstructor.cpp:
1817         (JSC::constructWithErrorConstructor):
1818         (JSC::callErrorConstructor):
1819         * runtime/NativeErrorConstructor.cpp:
1820         (JSC::constructWithNativeErrorConstructor):
1821         (JSC::callNativeErrorConstructor):
1822         These functions indicate that the user created an error object. For all error objects 
1823         that the user explicitly creates, the topCallFrame is at a new frame created to 
1824         handle the user's call. In this case though, the error object needs the caller's 
1825         frame to create the stack trace correctly.
1826         
1827         * interpreter/Interpreter.h:
1828         * runtime/ErrorInstance.h:
1829         (JSC::ErrorInstance::create):
1830
1831 2013-07-29  Gavin Barraclough  <barraclough@apple.com>
1832
1833         Some cleanup in PropertySlot
1834         https://bugs.webkit.org/show_bug.cgi?id=119189
1835
1836         Reviewed by Geoff Garen.
1837
1838         PropertySlot represents a property in one of four states - value, getter, custom, or custom-index.
1839         The state is currently tracked redundantly by two mechanisms - the custom getter function (m_getValue)
1840         is set to a special value to indicate the type (other than custom), and the type is also tracked by
1841         an enum - but only if cacheable. Cacheability can typically be determined by the value of m_offset
1842         (this is invalidOffset if not cacheable).
1843
1844             * Internally, always track the type of the property using an enum value, PropertyType.
1845             * Use m_offset to indicate cacheable.
1846             * Keep the external interface (CachedPropertyType) unchanged.
1847             * Better pack data into the m_data union.
1848
1849         Performance neutral.
1850
1851         * dfg/DFGRepatch.cpp:
1852         (JSC::DFG::tryCacheGetByID):
1853         (JSC::DFG::tryBuildGetByIDList):
1854             - cachedPropertyType() -> isCacheable*()
1855         * jit/JITPropertyAccess.cpp:
1856         (JSC::JIT::privateCompileGetByIdProto):
1857         (JSC::JIT::privateCompileGetByIdSelfList):
1858         (JSC::JIT::privateCompileGetByIdProtoList):
1859         (JSC::JIT::privateCompileGetByIdChainList):
1860         (JSC::JIT::privateCompileGetByIdChain):
1861             - cachedPropertyType() -> isCacheable*()
1862         * jit/JITPropertyAccess32_64.cpp:
1863         (JSC::JIT::privateCompileGetByIdProto):
1864         (JSC::JIT::privateCompileGetByIdSelfList):
1865         (JSC::JIT::privateCompileGetByIdProtoList):
1866         (JSC::JIT::privateCompileGetByIdChainList):
1867         (JSC::JIT::privateCompileGetByIdChain):
1868             - cachedPropertyType() -> isCacheable*()
1869         * jit/JITStubs.cpp:
1870         (JSC::tryCacheGetByID):
1871             - cachedPropertyType() -> isCacheable*()
1872         * llint/LLIntSlowPaths.cpp:
1873         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1874             - cachedPropertyType() -> isCacheable*()
1875         * runtime/PropertySlot.cpp:
1876         (JSC::PropertySlot::functionGetter):
1877             - refactoring described above.
1878         * runtime/PropertySlot.h:
1879         (JSC::PropertySlot::PropertySlot):
1880         (JSC::PropertySlot::getValue):
1881         (JSC::PropertySlot::isCacheable):
1882         (JSC::PropertySlot::isCacheableValue):
1883         (JSC::PropertySlot::isCacheableGetter):
1884         (JSC::PropertySlot::isCacheableCustom):
1885         (JSC::PropertySlot::cachedOffset):
1886         (JSC::PropertySlot::customGetter):
1887         (JSC::PropertySlot::setValue):
1888         (JSC::PropertySlot::setCustom):
1889         (JSC::PropertySlot::setCacheableCustom):
1890         (JSC::PropertySlot::setCustomIndex):
1891         (JSC::PropertySlot::setGetterSlot):
1892         (JSC::PropertySlot::setCacheableGetterSlot):
1893         (JSC::PropertySlot::setUndefined):
1894         (JSC::PropertySlot::slotBase):
1895         (JSC::PropertySlot::setBase):
1896             - refactoring described above.
1897
1898 2013-07-28  Oliver Hunt  <oliver@apple.com>
1899
1900         REGRESSION: Crash when opening Facebook.com
1901         https://bugs.webkit.org/show_bug.cgi?id=119155
1902
1903         Reviewed by Andreas Kling.
1904
1905         Scope nodes are always objects, so we should be using SpecObjectOther
1906         rather than SpecCellOther.  Marking Scopes as CellOther leads to a
1907         contradiction in the CFA, resulting in bogus codegen.
1908
1909         * dfg/DFGAbstractInterpreterInlines.h:
1910         (JSC::DFG::::executeEffects):
1911         * dfg/DFGPredictionPropagationPhase.cpp:
1912         (JSC::DFG::PredictionPropagationPhase::propagate):
1913
1914 2013-07-26  Oliver Hunt  <oliver@apple.com>
1915
1916         REGRESSION(FTL?): Crashes in plugin tests
1917         https://bugs.webkit.org/show_bug.cgi?id=119141
1918
1919         Reviewed by Michael Saboff.
1920
1921         Re-export getStackTrace
1922
1923         * interpreter/Interpreter.h:
1924
1925 2013-07-26  Filip Pizlo  <fpizlo@apple.com>
1926
1927         REGRESSION: Crash when opening a message on Gmail
1928         https://bugs.webkit.org/show_bug.cgi?id=119105
1929
1930         Reviewed by Oliver Hunt and Mark Hahnenberg.
1931         
1932         - GetById patching in the DFG needs to be more disciplined about how it derives the
1933           slow path.
1934         
1935         - Fix some dumping code thread safety issues.
1936
1937         * bytecode/CallLinkStatus.cpp:
1938         (JSC::CallLinkStatus::dump):
1939         * bytecode/CodeBlock.cpp:
1940         (JSC::CodeBlock::dumpBytecode):
1941         * dfg/DFGRepatch.cpp:
1942         (JSC::DFG::getPolymorphicStructureList):
1943         (JSC::DFG::tryBuildGetByIDList):
1944
1945 2013-07-26  Balazs Kilvady  <kilvadyb@homejinni.com>
1946
1947         [mips] Fix LLINT build for mips backend
1948         https://bugs.webkit.org/show_bug.cgi?id=119152
1949
1950         Reviewed by Oliver Hunt.
1951
1952         * offlineasm/mips.rb:
1953
1954 2013-07-19  Mark Hahnenberg  <mhahnenberg@apple.com>
1955
1956         Setting a large numeric property on an object causes it to allocate a huge backing store
1957         https://bugs.webkit.org/show_bug.cgi?id=118914
1958
1959         Reviewed by Geoffrey Garen.
1960
1961         There are two distinct actions that we're trying to optimize for:
1962
1963         new Array(100000);
1964
1965         and:
1966
1967         a = [];
1968         a[100000] = 42;
1969         
1970         In the first case, the programmer has indicated that they expect this Array to be very big, 
1971         so they should get a contiguous array up until some threshold, above which we perform density 
1972         calculations to see if it is indeed dense enough to warrant being contiguous.
1973         
1974         In the second case, the programmer hasn't indicated anything about the size of the Array, so 
1975         we should be more conservative and assume it should be sparse until we've proven otherwise.
1976         
1977         Currently both of those cases are handled by MIN_SPARSE_ARRAY_INDEX. We should distinguish 
1978         between them for the purposes of not over-allocating large backing stores like we see on 
1979         http://www.peekanalytics.com/burgerjoints/
1980         
1981         The way that we'll do this is to keep the MIN_SPARSE_ARRAY_INDEX for the first case, and 
1982         introduce a new heuristic for the second case. If we are putting to an index above a certain 
1983         threshold (say, 1000) and it is beyond the length of the array, then we will use a sparse 
1984         map instead. So for example, in the second case above the empty array has a blank indexing 
1985         type and a length of 0. We put-by-val to an index > 1000 and > a.length, so we'll use a sparse map.
1986
1987         This fix is ~800x speedup on the accompanying regression test :-o
1988
1989         * runtime/ArrayConventions.h:
1990         (JSC::indexIsSufficientlyBeyondLengthForSparseMap):
1991         * runtime/JSObject.cpp:
1992         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1993         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
1994         (JSC::JSObject::putByIndexBeyondVectorLength):
1995         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
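
        Added example (not JavaScriptCore's code, and not part of this ChangeLog entry): a C++ model of the
        backing-store decision the entry describes, with the pre-fix and post-fix behaviour side by side.
        The ModelArray type, the denseSlotsAfter*/readBack helpers and the constant values are assumptions
        made for the model (the 1000 is the "say, 1000" from the entry; the absolute cap is a made-up value
        standing in for MIN_SPARSE_ARRAY_INDEX). It shows why "a = []; a[100000] = 42" used to allocate a
        100001-slot vector and now costs one map entry, while "new Array(100000)" still gets a contiguous store.

```cpp
// Added example: a model of the sparse-map heuristic described in the entry.
// Names, constants and the ModelArray type are assumptions, not JSC's own.
#include <cstddef>
#include <map>
#include <optional>
#include <vector>

// Model constants. kSparseDistanceThreshold is the entry's "say, 1000";
// kMinSparseArrayIndex is an assumed stand-in for MIN_SPARSE_ARRAY_INDEX.
constexpr unsigned kMinSparseArrayIndex = 1u << 24;  // absolute cap for a dense store
constexpr unsigned kSparseDistanceThreshold = 1000;  // put-by-val far-beyond-length cutoff

// New heuristic: a put to an index at or above the cutoff that is also beyond
// the current length goes to the sparse map instead of growing the dense store.
bool indexIsSufficientlyBeyondLengthForSparseMap(unsigned index, unsigned length) {
    return index >= kSparseDistanceThreshold && index > length;
}

struct ModelArray {
    std::vector<std::optional<int>> dense;  // contiguous backing store (holes are nullopt)
    std::map<unsigned, int> sparse;         // sparse map for far-away indices
    unsigned length = 0;
    bool useLengthHeuristic = true;         // false models the pre-fix behaviour

    // new Array(n): the programmer asked for a big array, so it is allocated
    // contiguously unless n is above the absolute cap.
    static ModelArray withLength(unsigned n, bool useLengthHeuristic = true) {
        ModelArray a;
        a.useLengthHeuristic = useLengthHeuristic;
        a.length = n;
        if (n < kMinSparseArrayIndex)
            a.dense.resize(n);
        return a;
    }

    // a[index] = value. Before the fix only the absolute cap could send a
    // write to the sparse map; after it, distance from the length counts too.
    void put(unsigned index, int value) {
        if (index < dense.size()) {
            dense[index] = value;
        } else {
            bool goSparse = index >= kMinSparseArrayIndex
                || (useLengthHeuristic && indexIsSufficientlyBeyondLengthForSparseMap(index, length));
            if (goSparse) {
                sparse[index] = value;
            } else {
                dense.resize(index + 1);  // this is the over-allocation the entry fixes
                dense[index] = value;
            }
        }
        if (index >= length)
            length = index + 1;
    }

    std::optional<int> get(unsigned index) const {
        if (index < dense.size())
            return dense[index];
        auto it = sparse.find(index);
        if (it == sparse.end())
            return std::nullopt;
        return it->second;
    }
};

// Dense slots allocated after "a = []; a[index] = 42" under each heuristic.
std::size_t denseSlotsAfterPutOnEmpty(unsigned index, bool useLengthHeuristic) {
    ModelArray a = ModelArray::withLength(0, useLengthHeuristic);
    a.put(index, 42);
    return a.dense.size();
}

// Dense slots after "a = new Array(n); a[index] = 42".
std::size_t denseSlotsAfterPutOnSized(unsigned n, unsigned index) {
    ModelArray a = ModelArray::withLength(n);
    a.put(index, 42);
    return a.dense.size();
}

// Read-back after a put, or -1 if the value was lost: whichever store the
// heuristic picked, the element must still be found.
int readBack(unsigned n, unsigned index) {
    ModelArray a = ModelArray::withLength(n);
    a.put(index, 42);
    return a.get(index).value_or(-1);
}
```

        Writes just past the end of an explicitly sized array (index equal to the length) still grow the
        dense store in this model, because the index is not beyond the length; only writes that are both
        far from zero and beyond the length are redirected.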
1996
1997 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
1998
1999         REGRESSION(FTL): Fix lots of crashes in sh4 baseline JIT.
2000         https://bugs.webkit.org/show_bug.cgi?id=119148
2001
2002         Reviewed by Csaba Osztrogonác.
2003
2004         * jit/JSInterfaceJIT.h: "secondArgumentRegister" is wrong for sh4.
2005         * llint/LowLevelInterpreter32_64.asm: "move t0, a0" is missing
2006         in nativeCallTrampoline for sh4. Reuse MIPS implementation to avoid
2007         code duplication.
2008
2009 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
2010
2011         REGRESSION(FTL): Crash in sh4 baseline JIT.
2012         https://bugs.webkit.org/show_bug.cgi?id=119138
2013
2014         Reviewed by Csaba Osztrogonác.
2015
2016         This crash is due to incomplete report of r150146 and r148474.
2017
2018         * jit/JITStubsSH4.h:
2019
2020 2013-07-26  Zan Dobersek  <zdobersek@igalia.com>
2021
2022         Unreviewed.
2023
2024         * Target.pri: Adding missing DFG files to the Qt build.
2025
2026 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
2027
2028         GTK and Qt buildfix after the intrusive win buildfix r153360.
2029
2030         * GNUmakefile.list.am:
2031         * Target.pri:
2032
2033 2013-07-25  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
2034
2035         Unreviewed, fix build break after r153360.
2036
2037         * CMakeLists.txt: Add CommonSlowPathsExceptions.cpp.
2038
2039 2013-07-25  Roger Fong  <roger_fong@apple.com>
2040
2041         Unreviewed build fix, AppleWin port.
2042
2043         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2044         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2045         * JavaScriptCore.vcxproj/copy-files.cmd:
2046
2047 2013-07-25  Roger Fong  <roger_fong@apple.com>
2048
2049         Unreviewed. Followup to r153360.
2050
2051         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2052         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2053
2054 2013-07-25  Michael Saboff  <msaboff@apple.com>
2055
2056         [Windows] Speculative build fix.
2057
2058         Moved interpreterThrowInCaller() out of LLintExceptions.cpp into new CommonSlowPathsExceptions.cpp
2059         that is always compiled.  Made LLInt::returnToThrow() conditional on LLINT being enabled.
2060
2061         * JavaScriptCore.xcodeproj/project.pbxproj:
2062         * llint/LLIntExceptions.cpp:
2063         * llint/LLIntExceptions.h:
2064         * llint/LLIntSlowPaths.cpp:
2065         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2066         * runtime/CommonSlowPaths.cpp:
2067         (JSC::SLOW_PATH_DECL):
2068         * runtime/CommonSlowPathsExceptions.cpp: Added.
2069         (JSC::CommonSlowPaths::interpreterThrowInCaller):
2070         * runtime/CommonSlowPathsExceptions.h: Added.
2071
2072 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
2073
2074         [Windows] Unreviewed build fix.
2075
2076         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing IntendedStructureChange.h,.cpp and
2077         parser/SourceCode.h,.cpp.
2078         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
2079
2080 2013-07-25  Anders Carlsson  <andersca@apple.com>
2081
2082         ASSERT(m_vm->apiLock().currentThreadIsHoldingLock()); fails for Safari on current ToT
2083         https://bugs.webkit.org/show_bug.cgi?id=119108
2084
2085         Reviewed by Mark Hahnenberg.
2086
2087         Add a currentThreadIsHoldingAPILock() function to VM that checks if the current thread is the exclusive API thread.
2088
2089         * heap/CopiedSpace.cpp:
2090         (JSC::CopiedSpace::tryAllocateSlowCase):
2091         * heap/Heap.cpp:
2092         (JSC::Heap::protect):
2093         (JSC::Heap::unprotect):
2094         (JSC::Heap::collect):
2095         * heap/MarkedAllocator.cpp:
2096         (JSC::MarkedAllocator::allocateSlowCase):
2097         * runtime/JSGlobalObject.cpp:
2098         (JSC::JSGlobalObject::init):
2099         * runtime/VM.h:
2100         (JSC::VM::currentThreadIsHoldingAPILock):
2101
2102 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2103
2104         REGRESSION(FTL): Most layout tests crashes
2105         https://bugs.webkit.org/show_bug.cgi?id=119089
2106
2107         Reviewed by Oliver Hunt.
2108
2109         * runtime/ExecutionHarness.h:
2110         (JSC::prepareForExecution): Move prepareForExecutionImpl call into its own statement. This prevents the GCC-compiled
2111         code from creating the PassOwnPtr<JSC::JITCode> (intended as a parameter to the installOptimizedCode call) from the jitCode
2112         RefPtr<JSC::JITCode> parameter before the latter was actually given a proper value through the prepareForExecutionImpl call.
2113         Currently it's created beforehand and therefore holds a null pointer before it's anchored as the JIT code in
2114         JSC::CodeBlock::setJITCode, which later indirectly causes assertions in JSC::CodeBlock::jitCompile.
2115         (JSC::prepareFunctionForExecution): Ditto for prepareFunctionForExecutionImpl.
2116
2117 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
2118
2119         [Windows] Unreviewed build fix.
2120
2121         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Add missing 'ftl'
2122         include path.
2123
2124 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
2125
2126         [Windows] Unreviewed build fix.
2127
2128         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add some missing files:
2129         runtime/VM.h,.cpp; Remove deleted JSGlobalData.h,.cpp.
2130         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
2131
2132 2013-07-25  Oliver Hunt  <oliver@apple.com>
2133
2134         Make all jit & non-jit combos build cleanly
2135         https://bugs.webkit.org/show_bug.cgi?id=119102
2136
2137         Reviewed by Anders Carlsson.
2138
2139         * bytecode/CodeBlock.cpp:
2140         (JSC::CodeBlock::counterValueForOptimizeSoon):
2141         * bytecode/CodeBlock.h:
2142         (JSC::CodeBlock::optimizeAfterWarmUp):
2143         (JSC::CodeBlock::numberOfDFGCompiles):
2144
2145 2013-07-25  Oliver Hunt  <oliver@apple.com>
2146
2147         32 bit portion of load validation logic
2148         https://bugs.webkit.org/show_bug.cgi?id=118878
2149
2150         Reviewed by NOBODY (Build fix).
2151
2152         * dfg/DFGSpeculativeJIT32_64.cpp:
2153         (JSC::DFG::SpeculativeJIT::compile):
2154
2155 2013-07-25  Oliver Hunt  <oliver@apple.com>
2156
2157         More 32bit build fixes
2158
2159         - Apparently some compilers don't track the fastcall directive everywhere we expect
2160
2161         * API/APICallbackFunction.h:
2162         (JSC::APICallbackFunction::call):
2163         * bytecode/CodeBlock.cpp:
2164         * runtime/Structure.cpp:
2165
2166 2013-07-25  Yi Shen  <max.hong.shen@gmail.com>
2167
2168         Optimize the thread locks for API Shims
2169         https://bugs.webkit.org/show_bug.cgi?id=118573
2170
2171         Reviewed by Geoffrey Garen.
2172
2173         Remove the thread lock from API Shims if the VM has an exclusive thread (e.g. the VM 
2174         only used by WebCore's main thread).
2175
2176         * API/APIShims.h:
2177         (JSC::APIEntryShim::APIEntryShim):
2178         (JSC::APICallbackShim::APICallbackShim):
2179         * runtime/JSLock.cpp:
2180         (JSC::JSLockHolder::JSLockHolder):
2181         (JSC::JSLockHolder::init):
2182         (JSC::JSLockHolder::~JSLockHolder):
2183         (JSC::JSLock::DropAllLocks::DropAllLocks):
2184         (JSC::JSLock::DropAllLocks::~DropAllLocks):
2185         * runtime/VM.cpp:
2186         (JSC::VM::VM):
2187         * runtime/VM.h:
2188
2189 2013-07-25  Christophe Dumez  <ch.dumez@sisa.samsung.com>
2190
2191         Unreviewed build fix after r153218.
2192
2193         Broke the EFL port build with gcc 4.7.
2194
2195         * interpreter/StackIterator.cpp:
2196         (JSC::printif):
2197
2198 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
2199
2200         Build fix: add missing #include.
2201         https://bugs.webkit.org/show_bug.cgi?id=119087
2202
2203         Reviewed by Allan Sandfeld Jensen.
2204
2205         * bytecode/ArrayProfile.cpp:
2206
2207 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
2208
2209         Unreviewed, build fix on the EFL port.
2210
2211         * CMakeLists.txt: Added JSCTestRunnerUtils.cpp.
2212
2213 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
2214
2215         [sh4] Add missing store8(TrustedImm32, void*) implementation in baseline JIT.
2216         https://bugs.webkit.org/show_bug.cgi?id=119083
2217
2218         Reviewed by Allan Sandfeld Jensen.
2219
2220         * assembler/MacroAssemblerSH4.h:
2221         (JSC::MacroAssemblerSH4::store8):
2222
2223 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
2224
2225         [Qt] Fix test build after FTL upstream
2226
2227         Unreviewed build fix.
2228
2229         * Target.pri:
2230
2231 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
2232
2233         [Qt] Build fix after FTL.
2234
2235         Unreviewed build fix.
2236
2237         * Target.pri:
2238         * interpreter/StackIterator.cpp:
2239         (JSC::StackIterator::Frame::print):
2240
2241 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
2242
2243         Unreviewed build fix after FTL upstream.
2244
2245         * dfg/DFGWorklist.cpp:
2246         (JSC::DFG::Worklist::~Worklist):
2247
2248 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
2249
2250         Unreviewed, build fix on the EFL port.
2251
2252         * CMakeLists.txt:
2253         Added SourceCode.cpp and removed BlackBerry file.
2254         * jit/JITCode.h:
2255         (JSC::JITCode::nextTierJIT):
2256         Fixed build break because of -Werror=return-type
2257         * parser/Lexer.cpp: Includes JSFunctionInlines.h
2258         * runtime/JSScope.h:
2259         (JSC::makeType):
2260         Fixed build break because of -Werror=return-type
2261
2262 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
2263
2264         Unreviewed build fixing after FTL upstream.
2265
2266         * runtime/Executable.cpp:
2267         (JSC::FunctionExecutable::produceCodeBlockFor):
2268
2269 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
2270
2271         Add missing implementation of bxxxnz in sh4 LLINT.
2272         https://bugs.webkit.org/show_bug.cgi?id=119079
2273
2274         Reviewed by Allan Sandfeld Jensen.
2275
2276         * offlineasm/sh4.rb:
2277
2278 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
2279
2280         Unreviewed, build fix on the Qt port.
2281
2282         * Target.pri: Add additional build files for the FTL.
2283
2284 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
2285
2286         Unreviewed buildfix after FTL upstream.
2287
2288         * interpreter/StackIterator.cpp:
2289         (JSC::StackIterator::Frame::codeType):
2290         (JSC::StackIterator::Frame::functionName):
2291         (JSC::StackIterator::Frame::sourceURL):
2292         (JSC::StackIterator::Frame::logicalFrame):
2293
2294 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2295
2296         Unreviewed.
2297
2298         * heap/CopyVisitor.cpp: Include CopiedSpaceInlines header so the CopiedSpace::recycleEvacuatedBlock
2299         method is not left undefined, causing build failures on (at least) the GTK port.
2300
2301 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2302
2303         Unreviewed, further build fixing on the GTK port.
2304
2305         * GNUmakefile.list.am: Add CompilationResult source files to the build.
2306
2307 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2308
2309         Unreviewed GTK build fixing.
2310
2311         * GNUmakefile.am: Make the shared libjsc library depend on any changes to the build target list.
2312         * GNUmakefile.list.am: Add additional build targets for files that were introduced by the FTL branch merge.
2313
2314 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
2315
2316         Buildfix after this error:
2317         error: 'pathName' may be used uninitialized in this function [-Werror=uninitialized]
2318
2319         * dfg/DFGPlan.cpp:
2320         (JSC::DFG::Plan::compileInThread):
2321
2322 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
2323
2324         One more buildfix after FTL upstream.
2325
2326         Return a dummy value after RELEASE_ASSERT_NOT_REACHED() to make GCC happy.
2327
2328         * dfg/DFGLazyJSValue.cpp:
2329         (JSC::DFG::LazyJSValue::getValue):
2330         (JSC::DFG::LazyJSValue::strictEqual):
2331
2332 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
2333
2334         Fix "Unhandled opcode localAnnotation" build error in sh4 and mips LLINT.
2335         https://bugs.webkit.org/show_bug.cgi?id=119076
2336
2337         Reviewed by Allan Sandfeld Jensen.
2338
2339         * offlineasm/mips.rb:
2340         * offlineasm/sh4.rb:
2341
2342 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2343
2344         Unreviewed GTK build fix.
2345
2346         * GNUmakefile.list.am: Adding JSCTestRunnerUtils files to the build.
2347
2348 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2349
2350         Unreviewed. Further build fixing for the GTK port. Adding the forwarding header
2351         for JSCTestRunnerUtils.h as required by the DumpRenderTree compilation.
2352
2353         * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h: Added.
2354
2355 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2356
2357         Unreviewed. Fixing the GTK build after the FTL merging by updating the build targets list.
2358
2359         * GNUmakefile.am:
2360         * GNUmakefile.list.am:
2361
2362 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
2363
2364         Unreviewed buildfix after FTL upstream.
2365
2366         * runtime/JSScope.h:
2367         (JSC::needsVarInjectionChecks):
2368
2369 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
2370
2371         One more fix after FTL upstream.
2372
2373         * Target.pri:
2374         * bytecode/CodeBlock.h:
2375         * bytecode/GetByIdStatus.h:
2376         (JSC::GetByIdStatus::GetByIdStatus):
2377
2378 2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>
2379
2380         Unreviewed buildfix after FTL upstream.
2381
2382         Add ftl directory as include path.
2383
2384         * CMakeLists.txt:
2385         * JavaScriptCore.pri:
2386
2387 2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>
2388
2389         Unreviewed buildfix after FTL upstream for non C++11 builds.
2390
2391         * interpreter/CallFrame.h:
2392         * interpreter/StackIteratorPrivate.h:
2393         (JSC::StackIterator::end):
2394
2395 2013-07-24  Oliver Hunt  <oliver@apple.com>
2396
2397         Endeavour to fix CMakelist builds
2398
2399         * CMakeLists.txt:
2400
2401 2013-07-24  Filip Pizlo  <fpizlo@apple.com>
2402
2403         fourthTier: DFG IR dumps should be easier to read
2404         https://bugs.webkit.org/show_bug.cgi?id=119050
2405
2406         Reviewed by Mark Hahnenberg.
2407         
2408         Added a DumpContext that includes support for printing an endnote
2409         that describes all structures in full, while the main flow of the
2410         dump just uses made-up names for the structures. This is helpful
2411         since Structure::dump() may print a lot. The stuff it prints is
2412         useful, but if it's all inline with the surrounding thing you're
2413         dumping (often, a node in the DFG), then you get a ridiculously
2414         long print-out. All classes that dump structures (including
2415         Structure itself) now have dumpInContext() methods that use
2416         inContext() for dumping anything that might transitively print a
2417         structure. If Structure::dumpInContext() is called with a NULL
2418         context, it just uses dump() like before. Hence you don't have to
2419         know anything about DumpContext unless you want to.
2420         
2421         inContext(*structure, context) dumps something like %B4:Array,
2422         and the endnote will have something like:
2423         
2424             %B4:Array    = 0x10e91a180:[Array, {Edge:100, Normal:101, Line:102, NumPx:103, LastPx:104}, ArrayWithContiguous, Proto:0x10e99ffe0]
2425         
2426         where B4 is the inferred name that StringHashDumpContext came up
2427         with.
2428         
2429         Also shortened a bunch of other dumps, removing information that
2430         isn't so important.
2431         
2432         * JavaScriptCore.xcodeproj/project.pbxproj:
2433         * bytecode/ArrayProfile.cpp:
2434         (JSC::dumpArrayModes):
2435         * bytecode/CodeBlockHash.cpp:
2436         (JSC):
2437         (JSC::CodeBlockHash::CodeBlockHash):
2438         (JSC::CodeBlockHash::dump):
2439         * bytecode/CodeOrigin.cpp:
2440         (JSC::CodeOrigin::dumpInContext):
2441         (JSC):
2442         (JSC::InlineCallFrame::dumpInContext):
2443         (JSC::InlineCallFrame::dump):
2444         * bytecode/CodeOrigin.h:
2445         (CodeOrigin):
2446         (InlineCallFrame):
2447         * bytecode/Operands.h:
2448         (JSC::OperandValueTraits::isEmptyForDump):
2449         (Operands):
2450         (JSC::Operands::dump):
2451         (JSC):
2452         * bytecode/OperandsInlines.h: Added.
2453         (JSC):
2454         (JSC::::dumpInContext):
2455         * bytecode/StructureSet.h:
2456         (JSC::StructureSet::dumpInContext):
2457         (JSC::StructureSet::dump):
2458         (StructureSet):
2459         * dfg/DFGAbstractValue.cpp:
2460         (JSC::DFG::AbstractValue::dump):
2461         (DFG):
2462         (JSC::DFG::AbstractValue::dumpInContext):
2463         * dfg/DFGAbstractValue.h:
2464         (JSC::DFG::AbstractValue::operator!):
2465         (AbstractValue):
2466         * dfg/DFGCFAPhase.cpp:
2467         (JSC::DFG::CFAPhase::performBlockCFA):
2468         * dfg/DFGCommon.cpp:
2469         * dfg/DFGCommon.h:
2470         (JSC::DFG::NodePointerTraits::isEmptyForDump):
2471         * dfg/DFGDisassembler.cpp:
2472         (JSC::DFG::Disassembler::createDumpList):
2473         * dfg/DFGDisassembler.h:
2474         (Disassembler):
2475         * dfg/DFGFlushFormat.h:
2476         (WTF::inContext):
2477         (WTF):
2478         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
2479         * dfg/DFGGraph.cpp:
2480         (JSC::DFG::Graph::dumpCodeOrigin):
2481         (JSC::DFG::Graph::dump):
2482         (JSC::DFG::Graph::dumpBlockHeader):
2483         * dfg/DFGGraph.h:
2484         (Graph):
2485         * dfg/DFGLazyJSValue.cpp:
2486         (JSC::DFG::LazyJSValue::dumpInContext):
2487         (JSC::DFG::LazyJSValue::dump):
2488         (DFG):
2489         * dfg/DFGLazyJSValue.h:
2490         (LazyJSValue):
2491         * dfg/DFGNode.h:
2492         (JSC::DFG::nodeMapDump):
2493         (WTF::inContext):
2494         (WTF):
2495         * dfg/DFGOSRExitCompiler32_64.cpp:
2496         (JSC::DFG::OSRExitCompiler::compileExit):
2497         * dfg/DFGOSRExitCompiler64.cpp:
2498         (JSC::DFG::OSRExitCompiler::compileExit):
2499         * dfg/DFGStructureAbstractValue.h:
2500         (JSC::DFG::StructureAbstractValue::dumpInContext):
2501         (JSC::DFG::StructureAbstractValue::dump):
2502         (StructureAbstractValue):
2503         * ftl/FTLExitValue.cpp:
2504         (JSC::FTL::ExitValue::dumpInContext):
2505         (JSC::FTL::ExitValue::dump):
2506         (FTL):
2507         * ftl/FTLExitValue.h:
2508         (ExitValue):
2509         * ftl/FTLLowerDFGToLLVM.cpp:
2510         * ftl/FTLValueSource.cpp:
2511         (JSC::FTL::ValueSource::dumpInContext):
2512         (FTL):
2513         * ftl/FTLValueSource.h:
2514         (ValueSource):
2515         * runtime/DumpContext.cpp: Added.
2516         (JSC):
2517         (JSC::DumpContext::DumpContext):
2518         (JSC::DumpContext::~DumpContext):
2519         (JSC::DumpContext::isEmpty):
2520         (JSC::DumpContext::dump):
2521         * runtime/DumpContext.h: Added.
2522         (JSC):
2523         (DumpContext):
2524         * runtime/JSCJSValue.cpp:
2525         (JSC::JSValue::dump):
2526         (JSC):
2527         (JSC::JSValue::dumpInContext):
2528         * runtime/JSCJSValue.h:
2529         (JSC):
2530         (JSValue):
2531         * runtime/Structure.cpp:
2532         (JSC::Structure::dumpInContext):
2533         (JSC):
2534         (JSC::Structure::dumpBrief):
2535         (JSC::Structure::dumpContextHeader):
2536         * runtime/Structure.h:
2537         (JSC):
2538         (Structure):
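
        As an added illustration (not JavaScriptCore's own code), the pattern described in this entry modelled in a few dozen lines: structures print as short placeholder names in the main dump, the full description is deferred to an endnote, and a null context falls back to the full inline dump as before. The Structure stand-in, the node shape and the sequential %S<n> names are constructed for this example; JSC's StringHashDumpContext derives names such as %B4 differently.

```cpp
// Added example, not JavaScriptCore code: a small model of the DumpContext pattern.
// Structure, NodeDump and the "%S<n>" naming are constructed for this example.
#include <map>
#include <sstream>
#include <string>
#include <vector>

// Stand-in for JSC::Structure: its full dump is long, so printing it inline is noisy.
struct Structure {
    std::string className;
    std::string indexingType;
    std::string dumpFull() const { return "[" + className + ", " + indexingType + "]"; }
};

// Hands out a short name per structure on first sight and remembers the mapping.
class DumpContext {
public:
    std::string nameFor(const Structure& structure) {
        auto it = m_names.find(&structure);
        if (it != m_names.end())
            return it->second;
        std::string name = "%S" + std::to_string(m_order.size() + 1) + ":" + structure.className;
        m_names.emplace(&structure, name);
        m_order.push_back(&structure);
        return name;
    }
    bool isEmpty() const { return m_order.empty(); }
    // The endnote: every structure named during the dump, printed in full exactly once.
    std::string dump() const {
        std::ostringstream out;
        for (const Structure* structure : m_order)
            out << m_names.at(structure) << " = " << structure->dumpFull() << "\n";
        return out.str();
    }
private:
    std::map<const Structure*, std::string> m_names;
    std::vector<const Structure*> m_order;
};

// With a context: the short name. With a null context: the full dump, like dump() did before.
std::string dumpInContext(const Structure& structure, DumpContext* context) {
    return context ? context->nameFor(structure) : structure.dumpFull();
}

// A node that transitively prints structures (think of a DFG CheckStructure node).
struct NodeDump {
    std::string op;
    std::vector<const Structure*> structures;
};

std::string dumpNodeInContext(const NodeDump& node, DumpContext* context) {
    std::string out = node.op + "(";
    for (size_t i = 0; i < node.structures.size(); ++i) {
        if (i)
            out += ", ";
        out += dumpInContext(*node.structures[i], context);
    }
    return out + ")";
}

// Whole dump: one short line per node, then the endnote if anything was named.
std::string dumpGraph(const std::vector<NodeDump>& nodes, DumpContext* context) {
    std::ostringstream out;
    for (const NodeDump& node : nodes)
        out << dumpNodeInContext(node, context) << "\n";
    if (context && !context->isEmpty())
        out << "\nStructures:\n" << context->dump();
    return out.str();
}

// Worked case (constructed data): two nodes share a structure. With a context the
// main flow stays short and the endnote lists each structure once; without one,
// every reference is printed in full inline.
std::string exampleDump(bool withContext) {
    static const Structure array{"Array", "ArrayWithContiguous"};
    static const Structure object{"Object", "NonArray"};
    std::vector<NodeDump> nodes = {
        {"CheckStructure", {&array}},
        {"CheckStructure", {&array, &object}},
    };
    DumpContext context;
    return dumpGraph(nodes, withContext ? &context : nullptr);
}
```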
2539
2540 2013-07-22  Filip Pizlo  <fpizlo@apple.com>
2541
2542         fourthTier: DFG should do a high-level LICM before going to FTL
2543         https://bugs.webkit.org/show_bug.cgi?id=118749
2544
2545         Reviewed by Oliver Hunt.
2546         
2547         Implements LICM hoisting for nodes that never write anything and never read
2548         things that are clobbered by the loop. There are some other preconditions for
2549         hoisting, see DFGLICMPhase.cpp.
2550
2551         Also did a few fixes:
2552         
2553         - ClobberSet::add was failing to switch Super entries to Direct entries in
2554           some cases.
2555         
2556         - DFGClobberize.cpp needed to #include "Operations.h".
2557         
2558         - DCEPhase needs to process the graph in reverse DFS order, when we're in SSA.
2559         
2560         - AbstractInterpreter can now execute a Node without knowing its indexInBlock.
2561           Knowing the indexInBlock is an optional optimization that all other clients
2562           of AI still opt into, but LICM doesn't.
2563         
2564         This makes the FTL a 2.19x speed-up on imaging-gaussian-blur.
2565
2566         * JavaScriptCore.xcodeproj/project.pbxproj:
2567         * dfg/DFGAbstractInterpreter.h:
2568         (AbstractInterpreter):
2569         * dfg/DFGAbstractInterpreterInlines.h:
2570         (JSC::DFG::::executeEffects):
2571         (JSC::DFG::::execute):
2572         (DFG):
2573         (JSC::DFG::::clobberWorld):
2574         (JSC::DFG::::clobberStructures):
2575         * dfg/DFGAtTailAbstractState.cpp: Added.
2576         (DFG):
2577         (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
2578         (JSC::DFG::AtTailAbstractState::~AtTailAbstractState):
2579         (JSC::DFG::AtTailAbstractState::createValueForNode):
2580         (JSC::DFG::AtTailAbstractState::forNode):
2581         * dfg/DFGAtTailAbstractState.h: Added.
2582         (DFG):
2583         (AtTailAbstractState):
2584         (JSC::DFG::AtTailAbstractState::initializeTo):
2585         (JSC::DFG::AtTailAbstractState::forNode):
2586         (JSC::DFG::AtTailAbstractState::variables):
2587         (JSC::DFG::AtTailAbstractState::block):
2588         (JSC::DFG::AtTailAbstractState::isValid):
2589         (JSC::DFG::AtTailAbstractState::setDidClobber):
2590         (JSC::DFG::AtTailAbstractState::setIsValid):
2591         (JSC::DFG::AtTailAbstractState::setBranchDirection):
2592         (JSC::DFG::AtTailAbstractState::setFoundConstants):
2593         (JSC::DFG::AtTailAbstractState::haveStructures):
2594         (JSC::DFG::AtTailAbstractState::setHaveStructures):
2595         * dfg/DFGBasicBlock.h:
2596         (JSC::DFG::BasicBlock::insertBeforeLast):
2597         * dfg/DFGBasicBlockInlines.h:
2598         (DFG):
2599         * dfg/DFGClobberSet.cpp:
2600         (JSC::DFG::ClobberSet::add):
2601         (JSC::DFG::ClobberSet::addAll):
2602         * dfg/DFGClobberize.cpp:
2603         (JSC::DFG::doesWrites):
2604         * dfg/DFGClobberize.h:
2605         (DFG):
2606         * dfg/DFGDCEPhase.cpp:
2607         (JSC::DFG::DCEPhase::DCEPhase):
2608         (JSC::DFG::DCEPhase::run):
2609         (JSC::DFG::DCEPhase::fixupBlock):
2610         (DCEPhase):
2611         * dfg/DFGEdgeDominates.h: Added.
2612         (DFG):
2613         (EdgeDominates):
2614         (JSC::DFG::EdgeDominates::EdgeDominates):
2615         (JSC::DFG::EdgeDominates::operator()):
2616         (JSC::DFG::EdgeDominates::result):
2617         (JSC::DFG::edgesDominate):
2618         * dfg/DFGFixupPhase.cpp:
2619         (JSC::DFG::FixupPhase::fixupNode):
2620         (JSC::DFG::FixupPhase::checkArray):
2621         * dfg/DFGLICMPhase.cpp: Added.
2622         (LICMPhase):
2623         (JSC::DFG::LICMPhase::LICMPhase):
2624         (JSC::DFG::LICMPhase::run):
2625         (JSC::DFG::LICMPhase::attemptHoist):
2626         (DFG):
2627         (JSC::DFG::performLICM):
2628         * dfg/DFGLICMPhase.h: Added.
2629         (DFG):
2630         * dfg/DFGPlan.cpp:
2631         (JSC::DFG::Plan::compileInThreadImpl):
2632
2633 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
2634
2635         fourthTier: DFG Nodes should be able to abstractly tell you what they read and what they write
2636         https://bugs.webkit.org/show_bug.cgi?id=118910
2637
2638         Reviewed by Sam Weinig.
2639         
2640         Add the notion of AbstractHeap to the DFG. This is analogous to the AbstractHeap in
2641         the FTL, except that the FTL's AbstractHeaps are used during LLVM lowering and are
2642         engineered to obey LLVM TBAA logic. The FTL's AbstractHeaps are also engineered to
2643         be inexpensive to use (they just give you a TBAA node) but expensive to create (you
2644         create them all up front). FTL AbstractHeaps also don't actually give you the
2645         ability to reason about aliasing; they are *just* a mechanism for lowering to TBAA.
2646         The DFG's AbstractHeaps are engineered to be both cheap to create and cheap to use.
2647         They also give you aliasing machinery. The DFG AbstractHeaps are represented
2648         internally by an int64_t. Many comparisons between them are just integer comparisons.
2649         AbstractHeaps form a three-level hierarchy (World is the supertype of everything,
2650         Kind with a TOP payload is a direct subtype of World, and Kind with a non-TOP
2651         payload is the direct subtype of its corresponding TOP Kind).
2652         
2653         Add the notion of a ClobberSet. This is the set of AbstractHeaps that you had
2654         clobbered. It represents the set that results from unifying a bunch of
2655         AbstractHeaps, and is intended to quickly answer overlap questions: does the given
2656         AbstractHeap overlap any AbstractHeap in the ClobberSet? To this end, if you add an
2657         AbstractHeap to a set, it "directly" adds the heap itself, and "super" adds all of
2658         its ancestors. An AbstractHeap is said to overlap a set if any direct or super
2659         member is equal to it, or if any of its ancestors are equal to a direct member.
2660         
2661         Example #1:
2662         
2663             - I add Variables(5). I.e. Variables is the Kind and 5 is the payload. This
2664               is a subtype of Variables, which is a subtype of World.
2665             - You query Variables. I.e. Variables with a TOP payload, which is the
2666               supertype of Variables(X) for any X, and a subtype of World.
2667             
2668             The set will have Variables(5) as a direct member, and Variables and World as
2669             super members. The Variables query will immediately return true, because
2670             Variables is indeed a super member.
2671         
2672         Example #2:
2673         
2674             - I add Variables(5)
2675             - You query NamedProperties
2676             
2677             NamedProperties is not a member at all (neither direct nor super). We next
2678             query World. World is a member, but it's a super member, so we return false.
2679         
2680         Example #3:
2681         
2682             - I add Variables
2683             - You query Variables(5)
2684             
2685             The set will have Variables as a direct member, and World as a super member.
2686             The Variables(5) query will not find Variables(5) in the set, but then it
2687             will query Variables. Variables is a direct member, so we return true.
2688         
2689         Example #4:
2690         
2691             - I add Variables
2692             - You query NamedProperties(5)
2693             
2694             Neither NamedProperties nor NamedProperties(5) is a member. We next query
2695             World. World is a member, but it's a super member, so we return false.
2696         
2697         Overlap queries require that either the heap being queried is in the set (either
2698         direct or super), or that one of its ancestors is a direct member. Another way to
2699         think about how this works is that two heaps A and B are said to overlap if
2700         A.isSubtypeOf(B) or B.isSubtypeOf(A). This is sound since heaps form a
2701         single-inheritance hierarchy. Consider that we wanted to implement a set that holds
2702         heaps and answers the question, "is any member in the set an ancestor (i.e.
2703         supertype) of some other heap". We would have the set contain the heaps themselves,
2704         and we would satisfy the query "A.isSubtypeOfAny(set)" by walking the ancestor
2705         chain of A, and repeatedly querying its membership in the set. This is what the
2706         "direct" members of our set do. Now consider the other part, where we want to ask if
2707         any member of the set is a descendant of a heap, or "A.isSupertypeOfAny(set)". We
2708         would implement this by implementing set.add(B) as adding not just B but also all of
2709         B's ancestors; then we would answer A.isSupertypeOfAny(set) by just checking if A is
2710         in the set. With two such sets - one that answers isSubtypeOfAny() and another that
2711         answers isSupertypeOfAny() - we could answer the "do any of my heaps overlap your
2712         heap" question. ClobberSet does this, but combines the two sets into a single
2713         HashMap. The HashMap's value, "direct", means that the key is a member of both the
2714         supertype set and the subtype set; if it's false then it's only a member of one of
2715         them.
2716         
2717         Finally, this adds a functorized clobberize() method that adds the read and write
2718         clobbers of a DFG::Node to read and write functors. Common functors for adding to
2719         ClobberSets, querying overlap, and doing nothing are provided. Convenient wrappers
2720         are also provided. This allows you to say things like:
2721         
2722             ClobberSet set;
2723             addWrites(graph, node1, set);
2724             if (readsOverlap(graph, node2, set))
2725                 // We know that node1 may write to something that node2 may read from.
2726         
2727         Currently this facility is only used to improve graph dumping, but it will be
2728         instrumental in both LICM and GVN. In the future, I want to completely kill the
2729         NodeClobbersWorld and NodeMightClobber flags, and eradicate CSEPhase's hackish way
2730         of accomplishing almost exactly what AbstractHeap gives you.
2731
2732         * JavaScriptCore.xcodeproj/project.pbxproj:
2733         * dfg/DFGAbstractHeap.cpp: Added.
2734         (DFG):
2735         (JSC::DFG::AbstractHeap::Payload::dump):
2736         (JSC::DFG::AbstractHeap::dump):
2737         (WTF):
2738         (WTF::printInternal):
2739         * dfg/DFGAbstractHeap.h: Added.
2740         (DFG):
2741         (AbstractHeap):
2742         (Payload):
2743         (JSC::DFG::AbstractHeap::Payload::Payload):
2744         (JSC::DFG::AbstractHeap::Payload::top):
2745         (JSC::DFG::AbstractHeap::Payload::isTop):
2746         (JSC::DFG::AbstractHeap::Payload::value):
2747         (JSC::DFG::AbstractHeap::Payload::valueImpl):
2748         (JSC::DFG::AbstractHeap::Payload::operator==):
2749         (JSC::DFG::AbstractHeap::Payload::operator!=):
2750         (JSC::DFG::AbstractHeap::Payload::operator<):
2751         (JSC::DFG::AbstractHeap::Payload::isDisjoint):
2752         (JSC::DFG::AbstractHeap::Payload::overlaps):
2753         (JSC::DFG::AbstractHeap::AbstractHeap):
2754         (JSC::DFG::AbstractHeap::operator!):
2755         (JSC::DFG::AbstractHeap::kind):
2756         (JSC::DFG::AbstractHeap::payload):
2757         (JSC::DFG::AbstractHeap::isDisjoint):
2758         (JSC::DFG::AbstractHeap::overlaps):
2759         (JSC::DFG::AbstractHeap::supertype):
2760         (JSC::DFG::AbstractHeap::hash):
2761         (JSC::DFG::AbstractHeap::operator==):
2762         (JSC::DFG::AbstractHeap::operator!=):
2763         (JSC::DFG::AbstractHeap::operator<):
2764         (JSC::DFG::AbstractHeap::isHashTableDeletedValue):
2765         (JSC::DFG::AbstractHeap::payloadImpl):
2766         (JSC::DFG::AbstractHeap::encode):
2767         (JSC::DFG::AbstractHeapHash::hash):
2768         (JSC::DFG::AbstractHeapHash::equal):
2769         (AbstractHeapHash):
2770         (WTF):
2771         * dfg/DFGClobberSet.cpp: Added.
2772         (DFG):
2773         (JSC::DFG::ClobberSet::ClobberSet):
2774         (JSC::DFG::ClobberSet::~ClobberSet):
2775         (JSC::DFG::ClobberSet::add):
2776         (JSC::DFG::ClobberSet::addAll):
2777         (JSC::DFG::ClobberSet::contains):
2778         (JSC::DFG::ClobberSet::overlaps):
2779         (JSC::DFG::ClobberSet::clear):
2780         (JSC::DFG::ClobberSet::direct):
2781         (JSC::DFG::ClobberSet::super):
2782         (JSC::DFG::ClobberSet::dump):
2783         (JSC::DFG::ClobberSet::setOf):
2784         (JSC::DFG::addReads):
2785         (JSC::DFG::addWrites):
2786         (JSC::DFG::addReadsAndWrites):
2787         (JSC::DFG::readsOverlap):
2788         (JSC::DFG::writesOverlap):
2789         * dfg/DFGClobberSet.h: Added.
2790         (DFG):
2791         (ClobberSet):
2792         (JSC::DFG::ClobberSet::isEmpty):
2793         (ClobberSetAdd):
2794         (JSC::DFG::ClobberSetAdd::ClobberSetAdd):
2795         (JSC::DFG::ClobberSetAdd::operator()):
2796         (ClobberSetOverlaps):
2797         (JSC::DFG::ClobberSetOverlaps::ClobberSetOverlaps):
2798         (JSC::DFG::ClobberSetOverlaps::operator()):
2799         (JSC::DFG::ClobberSetOverlaps::result):
2800         * dfg/DFGClobberize.cpp: Added.
2801         (DFG):
2802         (JSC::DFG::didWrites):
2803         * dfg/DFGClobberize.h: Added.
2804         (DFG):
2805         (JSC::DFG::clobberize):
2806         (NoOpClobberize):
2807         (JSC::DFG::NoOpClobberize::NoOpClobberize):
2808         (JSC::DFG::NoOpClobberize::operator()):
2809         (CheckClobberize):
2810         (JSC::DFG::CheckClobberize::CheckClobberize):
2811         (JSC::DFG::CheckClobberize::operator()):
2812         (JSC::DFG::CheckClobberize::result):
2813         * dfg/DFGGraph.cpp:
2814         (JSC::DFG::Graph::dump):
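
        As an added example (not JavaScriptCore's own code), the AbstractHeap hierarchy and the ClobberSet direct/super overlap query described in this entry, modelled compactly in C++ and run through the four worked examples above. It also covers the ClobberSet::add defect reported in the LICM entry (a super entry that had to become a direct entry). The Kind values are constructed for this example, and the set is keyed on a small struct rather than on the packed int64_t JSC uses.

```cpp
// Added example, not JavaScriptCore code: model of AbstractHeap + ClobberSet overlap.
#include <cstdint>
#include <map>

// Kinds are constructed for this example; World is the root of the hierarchy.
enum class Kind : uint8_t { World, Variables, NamedProperties };

// Three-level hierarchy: World > Kind(TOP) > Kind(payload).
struct AbstractHeap {
    Kind kind;
    bool isTop;      // true: TOP payload, i.e. the whole Kind
    int64_t payload; // only meaningful when !isTop

    // Direct supertype; World is returned as its own fixed point.
    AbstractHeap supertype() const {
        if (kind == Kind::World || isTop)
            return AbstractHeap{Kind::World, true, 0};
        return AbstractHeap{kind, true, 0};
    }

    // Ordering for std::map (JSC instead packs the whole heap into one int64_t).
    bool operator<(const AbstractHeap& other) const {
        if (kind != other.kind)
            return kind < other.kind;
        if (isTop != other.isTop)
            return isTop; // TOP sorts before any concrete payload
        return !isTop && payload < other.payload;
    }
};

AbstractHeap heapTop(Kind kind) { return AbstractHeap{kind, true, 0}; }
AbstractHeap heapOf(Kind kind, int64_t payload) { return AbstractHeap{kind, false, payload}; }

// One map holds both roles: true = "direct" member (the heap itself was added, so
// it sits in both the subtype and the supertype set), false = "super" member
// (reached only as an ancestor of an added heap).
class ClobberSet {
public:
    void add(AbstractHeap heap) {
        // Assigning (not emplacing) promotes an existing super entry to direct.
        m_members[heap] = true;
        while (heap.kind != Kind::World) {
            heap = heap.supertype();
            m_members.emplace(heap, false); // emplace never downgrades a direct entry
        }
    }

    bool contains(AbstractHeap heap) const { return m_members.count(heap) != 0; }

    bool isDirect(AbstractHeap heap) const {
        auto it = m_members.find(heap);
        return it != m_members.end() && it->second;
    }

    // Overlap: the queried heap is itself a member (direct or super), or one of
    // its ancestors is a direct member.
    bool overlaps(AbstractHeap heap) const {
        if (contains(heap))
            return true;
        while (heap.kind != Kind::World) {
            heap = heap.supertype();
            if (isDirect(heap))
                return true;
        }
        return false;
    }

private:
    std::map<AbstractHeap, bool> m_members;
};

// The four worked examples from the entry, each returning the overlap answer.
bool example1() { ClobberSet s; s.add(heapOf(Kind::Variables, 5)); return s.overlaps(heapTop(Kind::Variables)); }        // true
bool example2() { ClobberSet s; s.add(heapOf(Kind::Variables, 5)); return s.overlaps(heapTop(Kind::NamedProperties)); }  // false
bool example3() { ClobberSet s; s.add(heapTop(Kind::Variables));   return s.overlaps(heapOf(Kind::Variables, 5)); }      // true
bool example4() { ClobberSet s; s.add(heapTop(Kind::Variables));   return s.overlaps(heapOf(Kind::NamedProperties, 5)); } // false

// Super-to-direct promotion: after adding Variables(5), Variables is only a super
// member, so Variables(7) does not overlap; adding Variables itself must make it
// direct, after which Variables(7) overlaps.
bool examplePromotion() {
    ClobberSet s;
    s.add(heapOf(Kind::Variables, 5));
    bool before = s.overlaps(heapOf(Kind::Variables, 7)); // false
    s.add(heapTop(Kind::Variables));
    bool after = s.overlaps(heapOf(Kind::Variables, 7));  // true
    return !before && after && s.isDirect(heapTop(Kind::Variables));
}
```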
2815
2816 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
2817
2818         fourthTier: It should be easy to figure out which blocks nodes belong to
2819         https://bugs.webkit.org/show_bug.cgi?id=118957
2820
2821         Reviewed by Sam Weinig.
2822
2823         * dfg/DFGGraph.cpp:
2824         (DFG):
2825         (JSC::DFG::Graph::initializeNodeOwners):
2826         * dfg/DFGGraph.h:
2827         (Graph):
2828         * dfg/DFGNode.h:
2829
2830 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
2831
2832         fourthTier: NodeExitsForward shouldn't be duplicated in NodeType
2833         https://bugs.webkit.org/show_bug.cgi?id=118956
2834
2835         Reviewed by Sam Weinig.
2836         
2837         We had two ways of expressing that something exits forward: the NodeExitsForward
2838         flag and the word 'Forward' in the NodeType. That's kind of dumb. This patch
2839         makes it just be a flag.
2840
2841         * dfg/DFGAbstractInterpreterInlines.h:
2842         (JSC::DFG::::executeEffects):
2843         * dfg/DFGArgumentsSimplificationPhase.cpp:
2844         (JSC::DFG::ArgumentsSimplificationPhase::run):
2845         * dfg/DFGCSEPhase.cpp:
2846         (JSC::DFG::CSEPhase::int32ToDoubleCSE):
2847         (JSC::DFG::CSEPhase::checkStructureElimination):
2848         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
2849         (JSC::DFG::CSEPhase::putStructureStoreElimination):
2850         (JSC::DFG::CSEPhase::checkArrayElimination):
2851         (JSC::DFG::CSEPhase::performNodeCSE):
2852         * dfg/DFGConstantFoldingPhase.cpp:
2853         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2854         * dfg/DFGFixupPhase.cpp:
2855         (JSC::DFG::FixupPhase::fixupNode):
2856         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
2857         * dfg/DFGMinifiedNode.h:
2858         (JSC::DFG::belongsInMinifiedGraph):
2859         (JSC::DFG::MinifiedNode::hasChild):
2860         * dfg/DFGNode.h:
2861         (JSC::DFG::Node::convertToStructureTransitionWatchpoint):
2862         (JSC::DFG::Node::hasStructureSet):
2863         (JSC::DFG::Node::hasStructure):
2864         (JSC::DFG::Node::hasArrayMode):
2865         (JSC::DFG::Node::willHaveCodeGenOrOSR):
2866         * dfg/DFGNodeType.h:
2867         (DFG):
2868         (JSC::DFG::needsOSRForwardRewiring):
2869         * dfg/DFGPredictionPropagationPhase.cpp:
2870         (JSC::DFG::PredictionPropagationPhase::propagate):
2871         * dfg/DFGSafeToExecute.h:
2872         (JSC::DFG::safeToExecute):
2873         * dfg/DFGSpeculativeJIT.cpp:
2874         (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
2875         * dfg/DFGSpeculativeJIT32_64.cpp:
2876         (JSC::DFG::SpeculativeJIT::compile):
2877         * dfg/DFGSpeculativeJIT64.cpp:
2878         (JSC::DFG::SpeculativeJIT::compile):
2879         * dfg/DFGTypeCheckHoistingPhase.cpp:
2880         (JSC::DFG::TypeCheckHoistingPhase::run):
2881         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2882         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2883         * dfg/DFGVariableEventStream.cpp:
2884         (JSC::DFG::VariableEventStream::reconstruct):
2885         * ftl/FTLCapabilities.cpp:
2886         (JSC::FTL::canCompile):
2887         * ftl/FTLLowerDFGToLLVM.cpp:
2888         (JSC::FTL::LowerDFGToLLVM::compileNode):
2889         (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
2890
2891 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
2892
2893         fourthTier: It should be possible for a DFG::Node to claim to exit to one CodeOrigin, but then claim that it belongs to a different CodeOrigin for all other purposes
2894         https://bugs.webkit.org/show_bug.cgi?id=118946
2895
2896         Reviewed by Geoffrey Garen.
2897         
2898         We want to decouple the exit target code origin of a node from the code origin
2899         for all other purposes. The purposes of code origins are:
2900         
2901         - Where the node will exit, if it exits. The exit target should be consistent with
2902           the surrounding nodes, in that if you just looked at the code origins of nodes in
2903           the graph, they would be consistent with the code origins in bytecode. This is
2904           necessary for live-at-bytecode analyses to work, and to preserve the original
2905           bytecode semantics when exiting.
2906         
2907         - What kind of code the node came from, for semantics thingies. For example, we
2908           might use the code origin to find the node's global object for doing an original
2909           array check. Or we might use it to determine if the code is in strict mode. Or
2910           other similar things. When we use the code origin in this way, we're basically
2911           using it as a way of describing the node's meta-data without putting it into the
2912           node directly, to save space. In the absurd extreme you could imagine nodes not
2913           even having NodeTypes or NodeFlags, and just using the CodeOrigin to determine
2914           what bytecode the node originated from. We won't do that, but you can think of
2915           this use of code origins as just a way of compressing meta-data.
2916         
2917         - What code origin we should supply profiling to, if we exit. This is closely
2918           related to the semantics thingies, in that the exit profiling is a persistent
2919           kind of semantic meta-data that survives between recompiles, and the only way to
2920           do that is to ascribe it to the original bytecode via the code origin.
2921         
2922         If we hoist a node, we need to change the exit target code origin, but we must not
2923         change the code origin for other purposes. The best way to do this is to decouple
2924         the two kinds of code origin.
2925         
2926         OSR exit data structures already do this, because they may edit the exit target
2927         code origin while keeping the code origin for profiling intact. This happens for
2928         forward exits. So, we just need to thread separation all the way back to DFG::Node.
2929         That's what this patch does.
2930
2931         * dfg/DFGNode.h:
2932         (JSC::DFG::Node::Node):
2933         (Node):
2934         * dfg/DFGOSRExit.cpp:
2935         (JSC::DFG::OSRExit::OSRExit):
2936         * dfg/DFGOSRExitBase.h:
2937         (JSC::DFG::OSRExitBase::OSRExitBase):
2938         * dfg/DFGSpeculativeJIT.cpp:
2939         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2940         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
2941         * dfg/DFGSpeculativeJIT.h:
2942         (SpeculativeJIT):
2943         * ftl/FTLLowerDFGToLLVM.cpp:
2944         (JSC::FTL::LowerDFGToLLVM::compileNode):
2945         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
2946         (LowerDFGToLLVM):
2947         * ftl/FTLOSRExit.cpp:
2948         (JSC::FTL::OSRExit::OSRExit):
2949         * ftl/FTLOSRExit.h:
2950         (OSRExit):
2951
2952 2013-07-20  Filip Pizlo  <fpizlo@apple.com>
2953
2954         fourthTier: each DFG node that relies on other nodes to do their type checks should be able to tell you if those type checks happened
2955         https://bugs.webkit.org/show_bug.cgi?id=118866
2956
2957         Reviewed by Sam Weinig.
2958         
2959         Adds a safeToExecute() method that takes a node and an abstract state and tells you
2960         if the node will run without crashing under that state.
2961
2962         * JavaScriptCore.xcodeproj/project.pbxproj:
2963         * bytecode/CodeBlock.cpp:
2964         (JSC::CodeBlock::CodeBlock):
2965         * dfg/DFGCFAPhase.cpp:
2966         (CFAPhase):
2967         (JSC::DFG::CFAPhase::CFAPhase):
2968         (JSC::DFG::CFAPhase::run):
2969         (JSC::DFG::CFAPhase::performBlockCFA):
2970         (JSC::DFG::CFAPhase::performForwardCFA):
2971         * dfg/DFGSafeToExecute.h: Added.
2972         (DFG):
2973         (SafeToExecuteEdge):
2974         (JSC::DFG::SafeToExecuteEdge::SafeToExecuteEdge):
2975         (JSC::DFG::SafeToExecuteEdge::operator()):
2976         (JSC::DFG::SafeToExecuteEdge::result):
2977         (JSC::DFG::safeToExecute):
2978         * dfg/DFGStructureAbstractValue.h:
2979         (JSC::DFG::StructureAbstractValue::isValidOffset):
2980         (StructureAbstractValue):
2981         * runtime/Options.h:
2982         (JSC):
2983
2984 2013-07-20  Filip Pizlo  <fpizlo@apple.com>
2985
2986         fourthTier: FTL should be able to generate LLVM IR that uses an intrinsic for OSR exit
2987         https://bugs.webkit.org/show_bug.cgi?id=118948
2988
2989         Reviewed by Sam Weinig.
2990         
2991         - Add the ability to generate LLVM IR but then not use it, via --llvmAlwaysFails=true.
2992           This allows doing "what if" experiments with IR generation, even if the generated IR
2993           can't yet execute.
2994         
2995         - Add an OSR exit path that just calls an intrinsic that combines the branch and the
2996           off-ramp.
2997
2998         * JavaScriptCore.xcodeproj/project.pbxproj:
2999         * dfg/DFGPlan.cpp:
3000         (JSC::DFG::Plan::compileInThreadImpl):
3001         * ftl/FTLFail.cpp: Added.
3002         (FTL):
3003         (JSC::FTL::fail):
3004         * ftl/FTLFail.h: Added.
3005         (FTL):
3006         * ftl/FTLIntrinsicRepository.h:
3007         (FTL):
3008         * ftl/FTLLowerDFGToLLVM.cpp:
3009         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
3010         (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
3011         * runtime/Options.h:
3012         (JSC):
3013
3014 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
3015
3016         fourthTier: StringObjectUse uses structures, and CSE should know that
3017         https://bugs.webkit.org/show_bug.cgi?id=118940
3018
3019         Reviewed by Geoffrey Garen.
3020         
3021         This is asymptomatic right now, but we should fix it.
3022
3023         * JavaScriptCore.xcodeproj/project.pbxproj:
3024         * dfg/DFGCSEPhase.cpp:
3025         (JSC::DFG::CSEPhase::putStructureStoreElimination):
3026         * dfg/DFGEdgeUsesStructure.h: Added.
3027         (DFG):
3028         (EdgeUsesStructure):
3029         (JSC::DFG::EdgeUsesStructure::EdgeUsesStructure):
3030         (JSC::DFG::EdgeUsesStructure::operator()):
3031         (JSC::DFG::EdgeUsesStructure::result):
3032         (JSC::DFG::edgesUseStructure):
3033         * dfg/DFGUseKind.h:
3034         (DFG):
3035         (JSC::DFG::usesStructure):
3036
3037 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
3038
3039         fourthTier: String GetByVal out-of-bounds handling is so wrong
3040         https://bugs.webkit.org/show_bug.cgi?id=118935
3041
3042         Reviewed by Geoffrey Garen.
3043         
3044         Bunch of String GetByVal out-of-bounds fixes:
3045         
3046         - Even if the string proto chain is sane, we need to watch out for negative
3047           indices. They may get values or call getters in the prototypes, since proto
3048           sanity doesn't check for negative indexed properties, as they are not
3049           technically indexed properties.
3050         
3051         - GetByVal String out-of-bounds does in fact clobberWorld(). CSE should be
3052           given this information.
3053         
3054         - GetByVal String out-of-bounds does in fact clobberWorld(). CFA should be
3055           given this information.
3056         
3057         Also fixed some other things:
3058         
3059         - If the DFG is disabled, the testRunner should pretend that we've done a
3060           bunch of DFG compiles. That's necessary to prevent the tests from timing
3061           out.
3062         
3063         - Disassembler shouldn't try to dump source code since it's not safe in the
3064           concurrent JIT.
3065
3066         * API/JSCTestRunnerUtils.cpp:
3067         (JSC::numberOfDFGCompiles):
3068         * JavaScriptCore.xcodeproj/project.pbxproj:
3069         * dfg/DFGAbstractInterpreterInlines.h:
3070         (JSC::DFG::::executeEffects):
3071         * dfg/DFGDisassembler.cpp:
3072         (JSC::DFG::Disassembler::dumpHeader):
3073         * dfg/DFGGraph.h:
3074         (JSC::DFG::Graph::byValIsPure):
3075         * dfg/DFGSaneStringGetByValSlowPathGenerator.h: Added.
3076         (DFG):
3077         (SaneStringGetByValSlowPathGenerator):
3078         (JSC::DFG::SaneStringGetByValSlowPathGenerator::SaneStringGetByValSlowPathGenerator):
3079         (JSC::DFG::SaneStringGetByValSlowPathGenerator::generateInternal):
3080         * dfg/DFGSpeculativeJIT.cpp:
3081         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
3082
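The negative-index hazard described in the entry above, shown in plain ECMAScript as an added example (this is not JavaScriptCore code): a string only has own properties for indices 0..length-1, so any other key, including "-1", is resolved through String.prototype, and a getter installed there runs in the middle of what the optimizer would like to treat as a pure array load. The helper names and the getter's return value are constructed for the demo.

```javascript
// Added example, not from JavaScriptCore: why a String GetByVal with an
// out-of-bounds index cannot be modelled as a side-effect-free load.
//
// A "sane prototype chain" check looks at indexed (non-negative integer)
// properties on String.prototype and Object.prototype. A key such as "-1" is
// not an indexed property, so that check does not see it, yet s[-1] still
// walks the prototype chain and will invoke a getter stored under "-1".

// Reads s[index] while a getter is temporarily installed on String.prototype
// under the property key the access actually uses. Returns the value seen by
// the read and how many times the getter ran (constructed instrumentation).
function readStringIndexWithProtoGetter(s, index) {
  const key = String(index);   // property key produced by ToPropertyKey(index)
  const log = [];              // constructed: records observed side effects
  Object.defineProperty(String.prototype, key, {
    configurable: true,
    get() {
      log.push(`getter ran for key ${JSON.stringify(key)}`);
      return "from-proto";     // constructed sentinel value
    },
  });
  try {
    return { value: s[index], sideEffects: log.length };
  } finally {
    delete String.prototype[key];   // restore the prototype chain
  }
}

// The same read with an untouched prototype chain: the case the fast path
// is allowed to assume, where an out-of-bounds index simply yields undefined.
function readStringIndexSane(s, index) {
  return s[index];
}
```

An in-bounds index is served by the string's own property and never reaches the getter; both a positive out-of-bounds index and a negative one do, which is why the slow path must be treated as clobbering the world.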
3083 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
3084
3085         fourthTier: Structure::isValidOffset() should be able to tell you if you're loading a valid JSValue, and not just not crashing
3086         https://bugs.webkit.org/show_bug.cgi?id=118911
3087
3088         Reviewed by Geoffrey Garen.
3089         
3090         We could also have a separate method like "willNotCrash(offset)", but that's not
3091         what isValidOffset() is intended to mean.
3092
3093         * runtime/Structure.h:
3094         (JSC::Structure::isValidOffset):
3095
3096 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
3097
3098         fourthTier: Structure should be able to tell you if it's valid to load at a given offset from any object with that structure
3099         https://bugs.webkit.org/show_bug.cgi?id=118878
3100
3101         Reviewed by Oliver Hunt.
3102         
3103         - Change Structure::isValidOffset() to actually answer the question "If I attempted
3104           to load from an object of this structure, at this offset, would I commit suicide
3105           or would I get back some kind of value?"
3106         
3107         - Change StorageAccessData::offset to use a PropertyOffset. It should have been that
3108           way from the start.
3109         
3110         - Fix PutStructure so that it sets haveStructures in all of the cases that it should.
3111         
3112         - Make GetByOffset also reference the base object in addition to the butterfly.
3113         
3114         The future use of this power will be to answer questions like "If I hoisted this
3115         GetByOffset or PutByOffset to this point, would it cause crashes, or would it be
3116         fine?"
3117         
3118         I don't currently plan to use this power to perform validation, since the CSE has
3119         the power to eliminate CheckStructure's that the CFA wouldn't be smart enough to
3120         remove - both in the case of StructureSets where size >= 2 and in the case of
3121         CheckStructures that match across PutStructures. At first I tried to write a
3122         validator that was aware of this, but the validation code got way too complicated
3123         and I started having nightmares of spurious assertion bugs being filed against me.
3124         
3125         This also changes some of the code for how we hash FunctionExecutable's for debug
3126         dumps, since that code still had some thread-safety issues. Basically, the
3127         concurrent JIT needs to use the CodeBlock's precomputed hash and never call anything
3128         that could transitively try to compute the hash from the source code. The source
3129         code is a string that may be lazily computed, and that involves all manner of thread
3130         unsafe things.
3131
3132         * bytecode/CodeOrigin.cpp:
3133         (JSC::InlineCallFrame::hash):
3134         * dfg/DFGAbstractInterpreterInlines.h:
3135         (JSC::DFG::::executeEffects):
3136         * dfg/DFGByteCodeParser.cpp:
3137         (JSC::DFG::ByteCodeParser::handleGetByOffset):
3138         (JSC::DFG::ByteCodeParser::handlePutByOffset):
3139         (JSC::DFG::ByteCodeParser::parseBlock):
3140         * dfg/DFGCFAPhase.cpp:
3141         (JSC::DFG::CFAPhase::performBlockCFA):
3142         * dfg/DFGConstantFoldingPhase.cpp:
3143         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3144         * dfg/DFGFixupPhase.cpp:
3145         (JSC::DFG::FixupPhase::fixupNode):
3146         * dfg/DFGGraph.h:
3147         (StorageAccessData):
3148         * dfg/DFGNode.h:
3149         (JSC::DFG::Node::convertToGetByOffset):
3150         * dfg/DFGSpeculativeJIT64.cpp:
3151         (JSC::DFG::SpeculativeJIT::compile):
3152         * ftl/FTLLowerDFGToLLVM.cpp:
3153         (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
3154         (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
3155         * runtime/FunctionExecutableDump.cpp:
3156         (JSC::FunctionExecutableDump::dump):
3157         * runtime/Structure.h:
3158         (Structure):
3159         (JSC::Structure::isValidOffset):
3160
3161 2013-07-18  Filip Pizlo  <fpizlo@apple.com>
3162
3163         fourthTier: AbstractInterpreter should explicitly ask AbstractState to create new AbstractValues for newly born nodes
3164         https://bugs.webkit.org/show_bug.cgi?id=118880
3165
3166         Reviewed by Sam Weinig.
3167         
3168         It should be possible to have an AbstractState that is backed by a HashMap. But to
3169         do this, the AbstractInterpreter should explicitly ask for new nodes to be added to
3170         the map, since otherwise the idiom of getting a reference to the AbstractValue
3171         returned by forNode() would cause really subtle memory corruption bugs.
3172
3173         * dfg/DFGAbstractInterpreterInlines.h:
3174         (JSC::DFG::::executeEffects):
3175         * dfg/DFGInPlaceAbstractState.h:
3176         (JSC::DFG::InPlaceAbstractState::createValueForNode):
3177         (InPlaceAbstractState):
3178
3179 2013-07-18  Filip Pizlo  <fpizlo@apple.com>
3180
3181         fourthTier: Decouple the way that CFA stores its state from the way it does abstract interpretation
3182         https://bugs.webkit.org/show_bug.cgi?id=118835
3183
3184         Reviewed by Oliver Hunt.
3185         
3186         This separates AbstractState into two things:
3187         
3188         - InPlaceAbstractState, which can tell you the abstract state of anything you
3189           might care about, and uses the old AbstractState's algorithms and data
3190           structures for doing so.
3191         
3192         - AbstractInterpreter<AbstractStateType>, which can execute a DFG::Node* with
3193           respect to an AbstractStateType. Currently we always use
3194           AbstractStateType = InPlaceAbstractState. But we could drop in another
3195           class that supports basic primitives like forNode() and variables().
3196         
3197         This is important because:
3198         
3199         - We want to hoist things out of loops.
3200
3201         - We don't know what things rely on what type checks.
3202
3203         - We only want to hoist type checks out of loops if they aren't clobbered.
3204
3205         - We may want to still hoist things that depended on those type checks, if it's
3206           safe to do those things based on the CFA state at the tail of the loop
3207           pre-header.
3208
3209         - We don't want things to rely on their type checks by way of a token, because
3210           that's just weird.
3211
3212         So, we want to be able to have a special form of the CFA that can
3213         incrementally update a basic block's state-at-tail, and we want to be able to
3214         do this for multiple blocks simultaneously. This requires *not* storing the
3215         per-node state in the nodes themselves, but instead using the at-tail HashMap
3216         directly.
3217
3218         Hence we need to have a way of making the abstract interpreter (i.e.
3219         AbstractState::execute) polymorphic with respect to state representation. Put
3220         another way, we need to separate the way that abstract state is represented
3221         from the way DFG IR is abstractly interpreted.
3222
3223         * JavaScriptCore.xcodeproj/project.pbxproj:
3224         * dfg/DFGAbstractInterpreter.h: Added.
3225         (DFG):
3226         (AbstractInterpreter):
3227         (JSC::DFG::AbstractInterpreter::forNode):
3228         (JSC::DFG::AbstractInterpreter::variables):
3229         (JSC::DFG::AbstractInterpreter::needsTypeCheck):
3230         (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
3231         (JSC::DFG::AbstractInterpreter::filter):
3232         (JSC::DFG::AbstractInterpreter::filterArrayModes):
3233         (JSC::DFG::AbstractInterpreter::filterByValue):
3234         (JSC::DFG::AbstractInterpreter::trySetConstant):
3235         (JSC::DFG::AbstractInterpreter::filterByType):
3236         * dfg/DFGAbstractInterpreterInlines.h: Added.
3237         (DFG):
3238         (JSC::DFG::::AbstractInterpreter):
3239         (JSC::DFG::::~AbstractInterpreter):
3240         (JSC::DFG::::booleanResult):
3241         (JSC::DFG::::startExecuting):
3242         (JSC::DFG::::executeEdges):
3243         (JSC::DFG::::verifyEdge):
3244         (JSC::DFG::::verifyEdges):
3245         (JSC::DFG::::executeEffects):
3246         (JSC::DFG::::execute):
3247         (JSC::DFG::::clobberWorld):
3248         (JSC::DFG::::clobberCapturedVars):
3249         (JSC::DFG::::clobberStructures):
3250         (JSC::DFG::::dump):
3251         (JSC::DFG::::filter):
3252         (JSC::DFG::::filterArrayModes):
3253         (JSC::DFG::::filterByValue):
3254         * dfg/DFGAbstractState.cpp: Removed.
3255         * dfg/DFGAbstractState.h: Removed.
3256         * dfg/DFGArgumentsSimplificationPhase.cpp:
3257         * dfg/DFGCFAPhase.cpp:
3258         (JSC::DFG::CFAPhase::CFAPhase):
3259         (JSC::DFG::CFAPhase::performBlockCFA):
3260         (CFAPhase):
3261         * dfg/DFGCFGSimplificationPhase.cpp:
3262         * dfg/DFGConstantFoldingPhase.cpp:
3263         (JSC::DFG::ConstantFoldingPhase::ConstantFoldingPhase):
3264         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3265         (ConstantFoldingPhase):
3266         * dfg/DFGInPlaceAbstractState.cpp: Added.
3267         (DFG):
3268         (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
3269         (JSC::DFG::InPlaceAbstractState::~InPlaceAbstractState):
3270         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
3271         (JSC::DFG::setLiveValues):
3272         (JSC::DFG::InPlaceAbstractState::initialize):
3273         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
3274         (JSC::DFG::InPlaceAbstractState::reset):
3275         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
3276         (JSC::DFG::InPlaceAbstractState::merge):
3277         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
3278         (JSC::DFG::InPlaceAbstractState::mergeVariableBetweenBlocks):
3279         * dfg/DFGInPlaceAbstractState.h: Added.
3280         (DFG):
3281         (InPlaceAbstractState):
3282         (JSC::DFG::InPlaceAbstractState::forNode):
3283         (JSC::DFG::InPlaceAbstractState::variables):
3284         (JSC::DFG::InPlaceAbstractState::block):
3285         (JSC::DFG::InPlaceAbstractState::didClobber):
3286         (JSC::DFG::InPlaceAbstractState::isValid):
3287         (JSC::DFG::InPlaceAbstractState::setDidClobber):
3288         (JSC::DFG::InPlaceAbstractState::setIsValid):
3289         (JSC::DFG::InPlaceAbstractState::setBranchDirection):
3290         (JSC::DFG::InPlaceAbstractState::setFoundConstants):
3291         (JSC::DFG::InPlaceAbstractState::haveStructures):
3292         (JSC::DFG::InPlaceAbstractState::setHaveStructures):
3293         * dfg/DFGMergeMode.h: Added.
3294         (DFG):
3295         * dfg/DFGSpeculativeJIT.cpp:
3296         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
3297         (JSC::DFG::SpeculativeJIT::backwardTypeCheck):
3298         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3299         (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
3300         (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
3301         (JSC::DFG::SpeculativeJIT::speculateStringObject):
3302         (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
3303         * dfg/DFGSpeculativeJIT.h:
3304         (JSC::DFG::SpeculativeJIT::needsTypeCheck):
3305         (SpeculativeJIT):
3306         * dfg/DFGSpeculativeJIT32_64.cpp:
3307         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
3308         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3309         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3310         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3311         * dfg/DFGSpeculativeJIT64.cpp:
3312         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
3313         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3314         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3315         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3316         * ftl/FTLLowerDFGToLLVM.cpp:
3317         (FTL):
3318         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
3319         (JSC::FTL::LowerDFGToLLVM::compileNode):
3320         (JSC::FTL::LowerDFGToLLVM::appendTypeCheck):
3321         (JSC::FTL::LowerDFGToLLVM::speculate):
3322         (JSC::FTL::LowerDFGToLLVM::speculateNumber):
3323         (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
3324         (LowerDFGToLLVM):
3325
3326 2013-07-18  Filip Pizlo  <fpizlo@apple.com>
3327
3328         fourthTier: DFG shouldn't create CheckStructures for array accesses except if the ArrayMode implies an original array access
3329         https://bugs.webkit.org/show_bug.cgi?id=118867
3330
3331         Reviewed by Mark Hahnenberg.
3332         
3333         This allows us to kill off a bunch of code in the parser, in fixup, and to simplify
3334         ArrayProfile.
3335
3336         It also makes it easier to ask any array-using node how to create its type check.
3337         
3338         Doing this required fixing a bug in LowLevelInterpreter64, where it was storing into
3339         an array profile, thinking that it was storing into a value profile. Reshuffling the
3340         fields in ArrayProfile revealed this.
3341
3342         * bytecode/ArrayProfile.cpp:
3343         (JSC::ArrayProfile::computeUpdatedPrediction):
3344         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
3345         * bytecode/ArrayProfile.h:
3346         (JSC::ArrayProfile::ArrayProfile):
3347         (ArrayProfile):
3348         * bytecode/CodeBlock.cpp:
3349         (JSC::CodeBlock::updateAllArrayPredictions):
3350         (JSC::CodeBlock::updateAllPredictions):
3351         * bytecode/CodeBlock.h:
3352         (CodeBlock):
3353         (JSC::CodeBlock::updateAllArrayPredictions):
3354         * dfg/DFGArrayMode.h:
3355         (ArrayMode):
3356         * dfg/DFGByteCodeParser.cpp:
3357         (JSC::DFG::ByteCodeParser::getArrayModeConsideringSlowPath):
3358         (JSC::DFG::ByteCodeParser::parseBlock):
3359         * dfg/DFGFixupPhase.cpp:
3360         (JSC::DFG::FixupPhase::fixupNode):
3361         (FixupPhase):
3362         (JSC::DFG::FixupPhase::checkArray):
3363         (JSC::DFG::FixupPhase::blessArrayOperation):
3364         * llint/LowLevelInterpreter64.asm:
3365
3366 2013-07-18  Filip Pizlo  <fpizlo@apple.com>
3367
3368         fourthTier: CFA should consider live-at-head for clobbering and dumping
3369         https://bugs.webkit.org/show_bug.cgi?id=118857
3370
3371         Reviewed by Mark Hahnenberg.
3372         
3373         - clobberStructures() was not considering nodes live-at-head when in SSA
3374           form. This means it would fail to clobber some structures.
3375         
3376         - dump() was not considering nodes live-at-head when in SSA form. This
3377           means it wouldn't dump everything that you might be interested in.
3378         
3379         - AbstractState::m_currentNode is a useless variable and we should get
3380           rid of it.
3381
3382         * dfg/DFGAbstractState.cpp:
3383         (JSC::DFG::AbstractState::AbstractState):
3384         (JSC::DFG::AbstractState::beginBasicBlock):
3385         (JSC::DFG::AbstractState::reset):
3386         (JSC::DFG::AbstractState::startExecuting):
3387         (JSC::DFG::AbstractState::clobberStructures):
3388         (JSC::DFG::AbstractState::dump):
3389         * dfg/DFGAbstractState.h:
3390         (AbstractState):
3391
3392 2013-07-16  Filip Pizlo  <fpizlo@apple.com>
3393
3394         fourthTier: Add a phase to create loop pre-headers
3395         https://bugs.webkit.org/show_bug.cgi?id=118778
3396
3397         Reviewed by Oliver Hunt.
3398         
3399         Add a loop pre-header creation phase. Any loop that doesn't already have
3400         just one predecessor that isn't part of the loop has a pre-header
3401         prepended. All non-loop predecessors then jump to that pre-header.
3402         
3403         Also fix a handful of bugs:
3404         
3405         - DFG::Analysis should set m_valid before running the analysis, since that
3406           makes it easier to use ASSERT(m_valid) in the analysis' methods, which
3407           may be called by the analysis before the analysis completes. NaturalLoops
3408           does this with loopsOf().
3409         
3410         - NaturalLoops::headerOf() was missing a check for innerMostLoopOf()
3411           returning 0, since that'll happen if the block isn't in any loop.
3412         
3413         - Change BlockInsertionSet to dethread the graph, since anyone using it
3414           will want to do so.
3415         
3416         - Change dethreading to ignore SSA form graphs.
3417         
3418         This also adds NaturalLoops::belongsTo(), which I almost used in the
3419         pre-header creation phase. I didn't end up using it but I'll probably use
3420         it in the near future.
3421         
3422         * JavaScriptCore.xcodeproj/project.pbxproj:
3423         * dfg/DFGAnalysis.h:
3424         (JSC::DFG::Analysis::computeIfNecessary):
3425         * dfg/DFGBlockInsertionSet.cpp:
3426         (JSC::DFG::BlockInsertionSet::execute):
3427         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
3428         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
3429         * dfg/DFGGraph.cpp:
3430         (JSC::DFG::Graph::dethread):
3431         * dfg/DFGLoopPreHeaderCreationPhase.cpp: Added.
3432         (DFG):
3433         (LoopPreHeaderCreationPhase):
3434         (JSC::DFG::LoopPreHeaderCreationPhase::LoopPreHeaderCreationPhase):
3435         (JSC::DFG::LoopPreHeaderCreationPhase::run):
3436         (JSC::DFG::performLoopPreHeaderCreation):
3437         * dfg/DFGLoopPreHeaderCreationPhase.h: Added.
3438         (DFG):
3439         * dfg/DFGNaturalLoops.h:
3440         (NaturalLoop):
3441         (JSC::DFG::NaturalLoops::headerOf):
3442         (JSC::DFG::NaturalLoops::innerMostLoopOf):
3443         (JSC::DFG::NaturalLoops::innerMostOuterLoop):
3444         (JSC::DFG::NaturalLoops::belongsTo):
3445         (NaturalLoops):
3446         * dfg/DFGPlan.cpp:
3447         (JSC::DFG::Plan::compileInThreadImpl):
3448
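The pre-header rule stated in the entry above, applied to a constructed control-flow graph as an added example (this is not the DFG's LoopPreHeaderCreationPhase): a loop is given as its header plus the set of blocks it owns; if the header does not already have exactly one predecessor outside the loop, a fresh pre-header block is inserted and every non-loop predecessor is rewired to jump to it, while back edges from inside the loop keep targeting the header. The CFG representation, the block names and the `pre_` naming scheme are assumptions of this example.

```javascript
// Added example, not JavaScriptCore code: loop pre-header creation on a
// constructed CFG. The CFG is a Map from block name to its successor list.

// All blocks with an edge into `target`.
function predecessorsOf(cfg, target) {
  const preds = [];
  for (const [name, succs] of cfg) {
    if (succs.includes(target)) preds.push(name);
  }
  return preds;
}

// loops: array of { header, blocks: Set<string> }.
// Mutates cfg in place and returns one record per pre-header created.
function createLoopPreHeaders(cfg, loops) {
  const created = [];
  for (const loop of loops) {
    const outsidePreds = predecessorsOf(cfg, loop.header)
      .filter((p) => !loop.blocks.has(p));
    // Exactly one predecessor from outside the loop already serves as the
    // pre-header, so there is nothing to do. (Zero outside predecessors means
    // the header is the entry; the new pre-header then becomes the new entry.)
    if (outsidePreds.length === 1) continue;
    const preHeader = `pre_${loop.header}`;   // assumed naming scheme
    if (cfg.has(preHeader)) throw new Error(`block ${preHeader} already exists`);
    cfg.set(preHeader, [loop.header]);         // pre-header jumps straight to the header
    for (const p of outsidePreds) {
      // Rewire every p -> header edge into p -> preHeader. Blocks inside the
      // loop are not in outsidePreds, so their back edges are left alone.
      cfg.set(p, cfg.get(p).map((s) => (s === loop.header ? preHeader : s)));
    }
    created.push({ preHeader, header: loop.header, rewired: outsidePreds });
  }
  return created;
}

// Constructed sample: two non-loop blocks A and B both enter the loop {H, body}.
function sampleCfg() {
  return new Map([
    ["entry", ["A", "B"]],
    ["A", ["H"]],
    ["B", ["H"]],
    ["H", ["body", "exit"]],
    ["body", ["H"]],        // back edge
    ["exit", []],
  ]);
}
```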
3449 2013-07-16  Filip Pizlo  <fpizlo@apple.com>
3450
3451         fourthTier: Rationalize Node::replacement
3452         https://bugs.webkit.org/show_bug.cgi?id=118774
3453
3454         Reviewed by Oliver Hunt.
3455         
3456         - Clearing of replacements is now done in Graph::clearReplacements().
3457         
3458         - New nodes now have replacement set to 0.
3459         
3460         - Node::replacement is now part of a 'misc' union. I'll be putting at least
3461           one other field into that union as part of LICM work (see
3462           https://bugs.webkit.org/show_bug.cgi?id=118749).
3463
3464         * dfg/DFGCPSRethreadingPhase.cpp:
3465         (JSC::DFG::CPSRethreadingPhase::run):
3466         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
3467         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
3468         * dfg/DFGCSEPhase.cpp:
3469         (JSC::DFG::CSEPhase::run):
3470         (JSC::DFG::CSEPhase::setReplacement):
3471         (JSC::DFG::CSEPhase::performBlockCSE):
3472         * dfg/DFGGraph.cpp:
3473         (DFG):
3474         (JSC::DFG::Graph::clearReplacements):
3475         * dfg/DFGGraph.h:
3476         (JSC::DFG::Graph::performSubstitutionForEdge):
3477         (Graph):
3478         * dfg/DFGNode.h:
3479         (JSC::DFG::Node::Node):
3480         * dfg/DFGSSAConversionPhase.cpp:
3481         (JSC::DFG::SSAConversionPhase::run):
3482
3483 2013-07-16  Filip Pizlo  <fpizlo@apple.com>
3484
3485         fourthTier: NaturalLoops should be able to quickly answer questions like "what loops own this basic block"
3486         https://bugs.webkit.org/show_bug.cgi?id=118750
3487
3488         Reviewed by Mark Hahnenberg.
3489
3490         * dfg/DFGBasicBlock.h:
3491         (BasicBlock):
3492         * dfg/DFGNaturalLoops.cpp:
3493         (JSC::DFG::NaturalLoops::compute):
3494         (JSC::DFG::NaturalLoops::loopsOf):
3495         * dfg/DFGNaturalLoops.h:
3496         (DFG):
3497         (JSC::DFG::NaturalLoop::NaturalLoop):
3498         (NaturalLoop):
3499         (JSC::DFG::NaturalLoop::index):
3500         (JSC::DFG::NaturalLoop::isOuterMostLoop):
3501         (JSC::DFG::NaturalLoop::addBlock):
3502         (JSC::DFG::NaturalLoops::headerOf):
3503         (JSC::DFG::NaturalLoops::innerMostLoopOf):
3504         (NaturalLoops):
3505         (JSC::DFG::NaturalLoops::innerMostOuterLoop):
3506         * dfg/DFGPlan.cpp:
3507         (JSC::DFG::Plan::compileInThreadImpl):
3508
3509 2013-07-16  Filip Pizlo  <fpizlo@apple.com>
3510
3511         fourthTier: don't GC when shutting down the VM
3512         https://bugs.webkit.org/show_bug.cgi?id=118751
3513
3514         Reviewed by Mark Hahnenberg.
3515
3516         * heap/Heap.h:
3517         (Heap):
3518         * runtime/VM.cpp:
3519         (JSC::VM::~VM):
3520
3521 2013-07-12  Filip Pizlo  <fpizlo@apple.com>
3522
3523         fourthTier: DFG should have an SSA form for use by FTL
3524         https://bugs.webkit.org/show_bug.cgi?id=118338
3525
3526         Reviewed by Mark Hahnenberg.
3527         
3528         Adds an SSA form to the DFG. We can convert ThreadedCPS form into SSA form
3529         after breaking critical edges. The conversion algorithm follows Aycock and
3530         Horspool, and the SSA form itself follows something I've done before, where
3531         instead of having Phi functions specify input nodes corresponding to block
3532         predecessors, we instead have Upsilon functions in the predecessors that
3533         specify which value in that block goes into which subsequent Phi. Upsilons
3534         don't have to dominate Phis (usually they don't) and they correspond to a
3535         non-SSA "mov" into the Phi's "variable". This gives all of the good
3536         properties of SSA, while ensuring that a bunch of CFG transformations don't
3537         have to be SSA-aware.
3538         
3539         So far the only DFG phases that are SSA-aware are DCE and CFA. CFG
3540         simplification is probably SSA-aware by default, though I haven't tried it.
3541         Constant folding probably needs a few tweaks, but is likely ready. Ditto
3542         for CSE, though it's not clear that we'd want to use block-local CSE when
3543         we could be doing GVN.
3544         
3545         Currently only the FTL can generate code from the SSA form, and there is no
3546         way to convert from SSA to ThreadedCPS or LoadStore. There probably will
3547         never be such a capability.
3548         
3549         In order to handle OSR exit state in the SSA, we place MovHints at Phi
3550         points. Other than that, you can reconstruct state-at-exit by forward
3551         propagating MovHints. Note that MovHint is the new SetLocal in SSA.
3552         SetLocal and GetLocal only survive into SSA if they are on captured
3553         variables, or in the case of flushes. A "live SetLocal" will be
3554         NodeMustGenerate and will always correspond to a flush. Computing the
3555         state-at-exit requires running SSA liveness analysis, OSR availability
3556         analysis, and flush liveness analysis. The FTL runs all of these prior to
3557         generating code. While OSR exit continues to be tricky, much of the logic
3558         is now factored into separate phases and the backend has to do less work
3559         to reason about what happened outside of the basic block that is being
3560         lowered.
3561         
3562         Conversion from DFG SSA to LLVM SSA is done by ensuring that we generate
3563         code in depth-first order, thus guaranteeing that a node will always be
3564         lowered (and hence have a LValue) before any of the blocks dominated by
3565         that node's block have code generated. For Upsilon/Phi, we just use
3566         alloca's. We could do something more clever there, but it's probably not
3567         worth it, at least not now.
3568         
3569         Finally, while the SSA form is currently only being converted to LLVM IR,
3570         there is nothing that prevents us from considering other backends in the
3571         future - with the caveat that this form is designed to be first lowered to
3572         a lower-level SSA before actual machine code generation commences. So we
3573         ought to either use LLVM (the intended path) or we will have to write our
3574         own SSA low-level backend.
3575         
3576         This runs all of the code that the FTL was known to run previously. No
3577         change in performance for now. But it does open some exciting
3578         possibilities!
3579
3580         * JavaScriptCore.xcodeproj/project.pbxproj:
3581         * bytecode/Operands.h:
3582         (JSC::OperandValueTraits::dump):
3583         (JSC::Operands::fill):
3584         (Operands):
3585         (JSC::Operands::clear):
3586         (JSC::Operands::operator==):
3587         * dfg/DFGAbstractState.cpp:
3588         (JSC::DFG::AbstractState::beginBasicBlock):
3589         (JSC::DFG::setLiveValues):
3590         (DFG):
3591         (JSC::DFG::AbstractState::initialize):
3592         (JSC::DFG::AbstractState::endBasicBlock):
3593         (JSC::DFG::AbstractState::executeEffects):
3594         (JSC::DFG::AbstractState::mergeStateAtTail):
3595         (JSC::DFG::AbstractState::merge):
3596         * dfg/DFGAbstractState.h:
3597         (AbstractState):
3598         * dfg/DFGAdjacencyList.h:
3599         (JSC::DFG::AdjacencyList::justOneChild):
3600         (AdjacencyList):
3601         * dfg/DFGBasicBlock.cpp: Added.
3602         (DFG):
3603         (JSC::DFG::BasicBlock::BasicBlock):
3604         (JSC::DFG::BasicBlock::~BasicBlock):
3605         (JSC::DFG::BasicBlock::ensureLocals):
3606         (JSC::DFG::BasicBlock::isInPhis):
3607         (JSC::DFG::BasicBlock::isInBlock):
3608         (JSC::DFG::BasicBlock::removePredecessor):
3609         (JSC::DFG::BasicBlock::replacePredecessor):
3610         (JSC::DFG::BasicBlock::dump):
3611         (JSC::DFG::BasicBlock::SSAData::SSAData):
3612         (JSC::DFG::BasicBlock::SSAData::~SSAData):
3613         * dfg/DFGBasicBlock.h:
3614         (BasicBlock):
3615         (JSC::DFG::BasicBlock::operator[]):
3616         (JSC::DFG::BasicBlock::successor):
3617         (JSC::DFG::BasicBlock::successorForCondition):
3618         (SSAData):
3619         * dfg/DFGBasicBlockInlines.h:
3620         (DFG):
3621         * dfg/DFGBlockInsertionSet.cpp: Added.
3622         (DFG):
3623         (JSC::DFG::BlockInsertionSet::BlockInsertionSet):
3624         (JSC::DFG::BlockInsertionSet::~BlockInsertionSet):
3625         (JSC::DFG::BlockInsertionSet::insert):
3626         (JSC::DFG::BlockInsertionSet::insertBefore):
3627         (JSC::DFG::BlockInsertionSet::execute):
3628         * dfg/DFGBlockInsertionSet.h: Added.
3629         (DFG):
3630         (BlockInsertionSet):
3631         * dfg/DFGCFAPhase.cpp:
3632         (JSC::DFG::CFAPhase::run):
3633         * dfg/DFGCFGSimplificationPhase.cpp:
3634         * dfg/DFGCPSRethreadingPhase.cpp:
3635         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
3636         * dfg/DFGCommon.cpp:
3637         (WTF::printInternal):
3638         * dfg/DFGCommon.h:
3639         (JSC::DFG::doesKill):
3640         (DFG):
3641         (JSC::DFG::killStatusForDoesKill):
3642         * dfg/DFGConstantFoldingPhase.cpp:
3643         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3644         (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
3645         * dfg/DFGCriticalEdgeBreakingPhase.cpp: Added.
3646         (DFG):
3647         (CriticalEdgeBreakingPhase):
3648         (JSC::DFG::CriticalEdgeBreakingPhase::CriticalEdgeBreakingPhase):
3649         (JSC::DFG::CriticalEdgeBreakingPhase::run):
3650         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
3651         (JSC::DFG::performCriticalEdgeBreaking):
3652         * dfg/DFGCriticalEdgeBreakingPhase.h: Added.
3653         (DFG):
3654         * dfg/DFGDCEPhase.cpp:
3655         (JSC::DFG::DCEPhase::run):
3656         (JSC::DFG::DCEPhase::findTypeCheckRoot):
3657         (JSC::DFG::DCEPhase::countNode):
3658         (DCEPhase):
3659         (JSC::DFG::DCEPhase::countEdge):
3660         (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
3661         * dfg/DFGDriver.cpp:
3662         (JSC::DFG::compile):
3663         * dfg/DFGEdge.cpp:
3664         (JSC::DFG::Edge::dump):
3665         * dfg/DFGEdge.h:
3666         (JSC::DFG::Edge::Edge):
3667         (JSC::DFG::Edge::setNode):
3668         (JSC::DFG::Edge::useKindUnchecked):
3669         (JSC::DFG::Edge::setUseKind):
3670         (JSC::DFG::Edge::setProofStatus):
3671         (JSC::DFG::Edge::willNotHaveCheck):
3672         (JSC::DFG::Edge::willHaveCheck):
3673         (Edge):
3674         (JSC::DFG::Edge::killStatusUnchecked):
3675         (JSC::DFG::Edge::killStatus):
3676         (JSC::DFG::Edge::setKillStatus):
3677         (JSC::DFG::Edge::doesKill):
3678         (JSC::DFG::Edge::doesNotKill):
3679         (JSC::DFG::Edge::shift):
3680         (JSC::DFG::Edge::makeWord):
3681         * dfg/DFGFixupPhase.cpp:
3682         (JSC::DFG::FixupPhase::fixupNode):
3683         * dfg/DFGFlushFormat.cpp: Added.
3684         (WTF):
3685         (WTF::printInternal):
3686         * dfg/DFGFlushFormat.h: Added.
3687         (DFG):
3688         (JSC::DFG::resultFor):
3689         (JSC::DFG::useKindFor):
3690         (WTF):
3691         * dfg/DFGFlushLivenessAnalysisPhase.cpp: Added.
3692         (DFG):
3693         (FlushLivenessAnalysisPhase):
3694         (JSC::DFG::FlushLivenessAnalysisPhase::FlushLivenessAnalysisPhase):
3695         (JSC::DFG::FlushLivenessAnalysisPhase::run):
3696         (JSC::DFG::FlushLivenessAnalysisPhase::process):
3697         (JSC::DFG::FlushLivenessAnalysisPhase::setForNode):
3698         (JSC::DFG::FlushLivenessAnalysisPhase::flushFormat):
3699         (JSC::DFG::performFlushLivenessAnalysis):
3700         * dfg/DFGFlushLivenessAnalysisPhase.h: Added.
3701         (DFG):
3702         * dfg/DFGGraph.cpp:
3703         (JSC::DFG::Graph::dump):
3704         (JSC::DFG::Graph::dumpBlockHeader):
3705         (DFG):
3706         (JSC::DFG::Graph::addForDepthFirstSort):
3707         (JSC::DFG::Graph::getBlocksInDepthFirstOrder):
3708         * dfg/DFGGraph.h:
3709         (JSC::DFG::Graph::convertToConstant):
3710         (JSC::DFG::Graph::valueProfileFor):
3711         (Graph):
3712         * dfg/DFGInsertionSet.h:
3713         (DFG):
3714         (JSC::DFG::InsertionSet::execute):
3715         * dfg/DFGLivenessAnalysisPhase.cpp: Added.
3716         (DFG):
3717         (LivenessAnalysisPhase):
3718         (JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase):
3719         (JSC::DFG::LivenessAnalysisPhase::run):
3720         (JSC::DFG::LivenessAnalysisPhase::process):
3721         (JSC::DFG::LivenessAnalysisPhase::addChildUse):
3722         (JSC::DFG::performLivenessAnalysis):
3723         * dfg/DFGLivenessAnalysisPhase.h: Added.
3724         (DFG):
3725         * dfg/DFGNode.cpp:
3726         (JSC::DFG::Node::hasVariableAccessData):
3727         (DFG):
3728         * dfg/DFGNode.h:
3729         (DFG):
3730         (Node):
3731         (JSC::DFG::Node::hasLocal):
3732         (JSC::DFG::Node::variableAccessData):
3733         (JSC::DFG::Node::hasPhi):
3734         (JSC::DFG::Node::phi):
3735         (JSC::DFG::Node::takenBlock):
3736         (JSC::DFG::Node::notTakenBlock):
3737         (JSC::DFG::Node::successor):
3738         (JSC::DFG::Node::successorForCondition):
3739         (JSC::DFG::nodeComparator):
3740         (JSC::DFG::nodeListDump):
3741         (JSC::DFG::nodeMapDump):
3742         * dfg/DFGNodeFlags.cpp:
3743         (JSC::DFG::dumpNodeFlags):
3744         * dfg/DFGNodeType.h:
3745         (DFG):
3746         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: Added.
3747         (DFG):
3748         (OSRAvailabilityAnalysisPhase):
3749         (JSC::DFG::OSRAvailabilityAnalysisPhase::OSRAvailabilityAnalysisPhase):
3750         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
3751         (JSC::DFG::performOSRAvailabilityAnalysis):
3752         * dfg/DFGOSRAvailabilityAnalysisPhase.h: Added.
3753         (DFG):
3754         * dfg/DFGPlan.cpp:
3755         (JSC::DFG::Plan::compileInThreadImpl):
3756         * dfg/DFGPredictionInjectionPhase.cpp:
3757         (JSC::DFG::PredictionInjectionPhase::run):
3758         * dfg/DFGPredictionPropagationPhase.cpp:
3759         (JSC::DFG::PredictionPropagationPhase::propagate):
3760         * dfg/DFGSSAConversionPhase.cpp: Added.
3761         (DFG):
3762         (SSAConversionPhase):
3763         (JSC::DFG::SSAConversionPhase::SSAConversionPhase):
3764         (JSC::DFG::SSAConversionPhase::run):
3765         (JSC::DFG::SSAConversionPhase::forwardPhiChildren):
3766         (JSC::DFG::SSAConversionPhase::forwardPhi):
3767         (JSC::DFG::SSAConversionPhase::forwardPhiEdge):
3768         (JSC::DFG::SSAConversionPhase::deduplicateChildren):
3769         (JSC::DFG::SSAConversionPhase::addFlushedLocalOp):
3770         (JSC::DFG::SSAConversionPhase::addFlushedLocalEdge):
3771         (JSC::DFG::performSSAConversion):
3772         * dfg/DFGSSAConversionPhase.h: Added.
3773         (DFG):
3774         * dfg/DFGSpeculativeJIT32_64.cpp:
3775         (JSC::DFG::SpeculativeJIT::compile):
3776         * dfg/DFGSpeculativeJIT64.cpp:
3777         (JSC::DFG::SpeculativeJIT::compile):
3778         * dfg/DFGValidate.cpp:
3779         (JSC::DFG::Validate::validate):
3780         (Validate):
3781         (JSC::DFG::Validate::validateCPS):
3782         * dfg/DFGVariableAccessData.h:
3783         (JSC::DFG::VariableAccessData::flushFormat):
3784         (VariableAccessData):
3785         * ftl/FTLCapabilities.cpp:
3786         (JSC::FTL::canCompile):
3787         * ftl/FTLLowerDFGToLLVM.cpp:
3788         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
3789         (JSC::FTL::LowerDFGToLLVM::lower):
3790         (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
3791         (JSC::FTL::LowerDFGToLLVM::compileBlock):
3792         (JSC::FTL::LowerDFGToLLVM::compileNode):
3793         (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
3794         (LowerDFGToLLVM):
3795         (JSC::FTL::LowerDFGToLLVM::compilePhi):
3796         (JSC::FTL::LowerDFGToLLVM::compileJSConstant):
3797         (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant):
3798         (JSC::FTL::LowerDFGToLLVM::compileGetArgument):
3799         (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
3800         (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
3801         (JSC::FTL::LowerDFGToLLVM::compileAdd):
3802         (JSC::FTL::LowerDFGToLLVM::compileArithSub):
3803         (JSC::FTL::LowerDFGToLLVM::compileArithMul):
3804         (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
3805         (JSC::FTL::LowerDFGToLLVM::compileArithMod):
3806         (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
3807         (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
3808         (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
3809         (JSC::FTL::LowerDFGToLLVM::compileBitAnd):
3810         (JSC::FTL::LowerDFGToLLVM::compileBitOr):
3811         (JSC::FTL::LowerDFGToLLVM::compileBitXor):
3812         (JSC::FTL::LowerDFGToLLVM::compileBitRShift):
3813         (JSC::FTL::LowerDFGToLLVM::compileBitLShift):
3814         (JSC::FTL::LowerDFGToLLVM::compileBitURShift):
3815         (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
3816         (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
3817         (JSC::FTL::LowerDFGToLLVM::compileGetButterfly):
3818         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
3819         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
3820         (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
3821         (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
3822         (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
3823         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
3824         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
3825         (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
3826         (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
3827         (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
3828         (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
3829         (JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
3830         (JSC::FTL::LowerDFGToLLVM::speculateBackward):
3831         (JSC::FTL::LowerDFGToLLVM::lowInt32):
3832         (JSC::FTL::LowerDFGToLLVM::lowCell):
3833         (JSC::FTL::LowerDFGToLLVM::lowBoolean):
3834         (JSC::FTL::LowerDFGToLLVM::lowDouble):
3835         (JSC::FTL::LowerDFGToLLVM::lowJSValue):
3836         (JSC::FTL::LowerDFGToLLVM::lowStorage):
3837         (JSC::FTL::LowerDFGToLLVM::speculate):
3838         (JSC::FTL::LowerDFGToLLVM::speculateBoolean):
3839         (JSC::FTL::LowerDFGToLLVM::isLive):
3840         (JSC::FTL::LowerDFGToLLVM::use):
3841         (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
3842         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
3843         (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
3844         (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
3845         (JSC::FTL::LowerDFGToLLVM::linkOSRExitsAndCompleteInitializationBlocks):
3846         (JSC::FTL::LowerDFGToLLVM::setInt32):
3847         (JSC::FTL::LowerDFGToLLVM::setJSValue):
3848         (JSC::FTL::LowerDFGToLLVM::setBoolean):
3849         (JSC::FTL::LowerDFGToLLVM::setStorage):
3850         (JSC::FTL::LowerDFGToLLVM::setDouble):
3851         (JSC::FTL::LowerDFGToLLVM::isValid):
3852         * ftl/FTLLoweredNodeValue.h: Added.
3853         (FTL):
3854         (LoweredNodeValue):
3855         (JSC::FTL::LoweredNodeValue::LoweredNodeValue):
3856         (JSC::FTL::LoweredNodeValue::isSet):
3857         (JSC::FTL::LoweredNodeValue::operator!):
3858         (JSC::FTL::LoweredNodeValue::value):
3859         (JSC::FTL::LoweredNodeValue::block):
3860         * ftl/FTLValueFromBlock.h:
3861         (JSC::FTL::ValueFromBlock::ValueFromBlock):
3862         (ValueFromBlock):
3863         * ftl/FTLValueSource.cpp:
3864         (JSC::FTL::ValueSource::dump):
3865         * ftl/FTLValueSource.h:
3866
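The Upsilon/Phi representation described in the entry above, as an added example that is not part of the ChangeLog or of JavaScriptCore's DFG: a toy model in which each Phi owns a "variable" slot written by Upsilons placed in predecessor blocks, and critical edge breaking (inserting a block on an edge) is applied without touching any Phi. Node, BasicBlock, Op and the path evaluator are assumed simplifications, not the DFG's own classes.

```cpp
// Added example, not JavaScriptCore code: a toy model of the Upsilon/Phi SSA form.
#include <cstdint>
#include <deque>
#include <map>
#include <vector>

enum class Op { JSConstant, Upsilon, Phi, ArithAdd };

struct Node {
    Op op;
    int64_t constant = 0;   // JSConstant payload
    Node* child1 = nullptr; // Upsilon source, or ArithAdd operands
    Node* child2 = nullptr;
    Node* phi = nullptr;    // Upsilon only: the Phi whose "variable" it writes
};
struct BasicBlock { std::vector<Node*> nodes; std::vector<BasicBlock*> successors; };

// Abstract execution of a straight-line path: node values plus one slot per Phi.
static int64_t evaluatePath(const std::vector<BasicBlock*>& path, const Node* result)
{
    std::map<const Node*, int64_t> values, phiVariables;
    for (const BasicBlock* block : path) {
        for (const Node* node : block->nodes) {
            switch (node->op) {
            case Op::JSConstant: values[node] = node->constant; break;
            case Op::Upsilon:    phiVariables[node->phi] = values.at(node->child1); break; // the non-SSA "mov"
            case Op::Phi:        values[node] = phiVariables.at(node); break;
            case Op::ArithAdd:   values[node] = values.at(node->child1) + values.at(node->child2); break;
            }
        }
    }
    return values.at(result);
}

// Critical edge breaking: insert an empty block on pred->succ. No Phi is touched, since Phis never name predecessors.
static BasicBlock* breakEdge(std::deque<BasicBlock>& blocks, BasicBlock* pred, BasicBlock* succ)
{
    blocks.emplace_back();
    BasicBlock* middle = &blocks.back();
    middle->successors.push_back(succ);
    for (BasicBlock*& s : pred->successors)
        if (s == succ) s = middle;
    return middle;
}

// Diamond CFG: 'left' yields 10, 'right' yields 20, 'merge' computes Phi(left, right) + 1 along the chosen path.
static int64_t upsilonPhiDemo(bool takeLeft, bool splitLeftEdge)
{
    std::deque<BasicBlock> blocks(3); // deque keeps block pointers stable when breakEdge appends
    BasicBlock *left = &blocks[0], *right = &blocks[1], *merge = &blocks[2];
    left->successors.push_back(merge); right->successors.push_back(merge);
    Node phi{Op::Phi}, ten{Op::JSConstant, 10}, twenty{Op::JSConstant, 20}, one{Op::JSConstant, 1};
    Node upsilonLeft{Op::Upsilon, 0, &ten, nullptr, &phi};    // "mov 10 into phi's variable"
    Node upsilonRight{Op::Upsilon, 0, &twenty, nullptr, &phi}; // "mov 20 into phi's variable"
    Node sum{Op::ArithAdd, 0, &phi, &one};
    left->nodes = {&ten, &upsilonLeft};
    right->nodes = {&twenty, &upsilonRight};
    merge->nodes = {&phi, &one, &sum};
    if (splitLeftEdge) breakEdge(blocks, left, merge); // nothing in 'merge' needs updating
    std::vector<BasicBlock*> path; // follow successors from the chosen entry (each has at most one)
    for (BasicBlock* b = takeLeft ? left : right; b; b = b->successors.empty() ? nullptr : b->successors[0])
        path.push_back(b);
    return evaluatePath(path, &sum);
}
```

Because the Phi only reads its slot and the Upsilons stay in the original predecessors, the merged value is the same before and after the edge is split.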
3867 2013-07-11  Mark Lam  <mark.lam@apple.com>
3868
3869         Resurrect the CLoop LLINT on the FTL branch.
3870         https://bugs.webkit.org/show_bug.cgi?id=118144.
3871
3872         Reviewed by Mark Hahnenberg.
3873
3874         * bytecode/CodeBlock.h:
3875         (JSC::CodeBlock::jitType):
3876           - Fix the CodeBlock jitType to be InterpreterThunk when !ENABLE_JIT.
3877         * bytecode/JumpTable.h:
3878         (JSC::SimpleJumpTable::clear):
3879         * interpreter/StackIterator.cpp:
3880         (JSC::StackIterator::Frame::bytecodeOffset):
3881         (JSC::StackIterator::Frame::print):
3882         * jit/JITCode.cpp:
3883         (JSC):
3884         * jit/JITExceptions.cpp:
3885         (JSC::getExceptionLocation):
3886         * llint/LowLevelInterpreter.cpp:
3887         * offlineasm/cloop.rb:
3888         * runtime/Structure.cpp:
3889
3890 2013-07-08  Filip Pizlo  <fpizlo@apple.com>
3891
3892         NaturalLoops + Profiler = Crash
3893         https://bugs.webkit.org/show_bug.cgi?id=118486
3894
3895         Reviewed by Geoffrey Garen.
3896         
3897         I borked dominators in:
3898         http://trac.webkit.org/changeset/152431/branches/dfgFourthTier/Source/JavaScriptCore/dfg/DFGDominators.h
3899         
3900         This patch also adds some debug support, and fixes the loop that adds a block to
3901         an already-existing natural loop. Note that we currently don't take that path in
3902         most programs, but it will arise, for example if you use 'continue' - though you'd
3903         have to use it rather cleverly since the bytecode will not jump to the loop header
3904         in most uses of 'continue'.
3905
3906         * dfg/DFGDominators.cpp:
3907         (JSC::DFG::Dominators::dump):
3908         (DFG):
3909         * dfg/DFGDominators.h:
3910         (JSC::DFG::Dominators::dominates):
3911         (Dominators):
3912         * dfg/DFGNaturalLoops.cpp:
3913         (JSC::DFG::NaturalLoops::compute):
3914
3915 2013-07-08  Filip Pizlo  <fpizlo@apple.com>
3916
3917         fourthTier: DFG::AbstractState::beginBasicBlock() should set m_haveStructures if any of the valuesAtHead have either a current known structure or a non-top/non-bottom array modes
3918         https://bugs.webkit.org/show_bug.cgi?id=118489
3919
3920         Reviewed by Mark Hahnenberg.
3921
3922         * bytecode/ArrayProfile.h:
3923         (JSC::arrayModesAreClearOrTop):
3924         (JSC):
3925         * dfg/DFGAbstractState.cpp:
3926         (JSC::DFG::AbstractState::beginBasicBlock):
3927         * dfg/DFGAbstractValue.h:
3928         (JSC::DFG::AbstractValue::hasClobberableState):
3929         (AbstractValue):
3930
3931 2013-07-08  Mark Hahnenberg  <mhahnenberg@apple.com>
3932
3933         CheckArray should call the right version of filterArrayModes
3934         https://bugs.webkit.org/show_bug.cgi?id=118488
3935
3936         Reviewed by Filip Pizlo.
3937
3938         Currently in the CFA, CheckArray doesn't call the right filterArrayMode, which can cause
3939         the CFA to ignore when it sees a contradiction.
3940
3941         * dfg/DFGAbstractState.cpp:
3942         (JSC::DFG::AbstractState::executeEffects):
3943
3944 2013-07-07  Filip Pizlo  <fpizlo@apple.com>
3945
3946         fourthTier: Graph::clearAndDerefChild() makes no sense anymore, and neither does Nop
3947         https://bugs.webkit.org/show_bug.cgi?id=118452
3948
3949         Reviewed by Sam Weinig.
3950