<https://webkit.org/b/120062> Missing ensureSpace call in sh4 baseline JIT.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-08-20  Julien Brianceau  <jbrianceau@nds.com>

        <https://webkit.org/b/120062> Missing ensureSpace call in sh4 baseline JIT.

        Reviewed by Allan Sandfeld Jensen.

        branchPtrWithPatch() of baseline JIT must ensure that space is available for its
        instructions and two constants now that DFG is enabled for sh4 architecture.
        These missing ensureSpace calls lead to random crashes.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branchPtrWithPatch):

2013-08-19  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120034
        Remove custom getOwnPropertyDescriptor for global objects

        Reviewed by Geoff Garen.

        Fix attributes of JSC SymbolTableObject entries, ensure that cross frame access is safe, and suppress prototype chain walk.

        * runtime/JSGlobalObject.cpp:
            - Remove custom getOwnPropertyDescriptor implementation.
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTableGet):
            - The symbol table does not store the DontDelete attribute; we should be adding it back in.
        * runtime/PropertyDescriptor.h:
            - JSDOMWindow walks the prototype chain on own access. This is bad, but for now this is a workaround for the getOwnPropertyDescriptor case.
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::setUndefined):
            - This is used by WebCore when blocking access to properties on cross-frame access.
              Mark blocked properties as read-only, non-configurable to prevent defineProperty.

2013-08-17  Filip Pizlo  <fpizlo@apple.com>

        DFG should inline typedArray.byteOffset
        https://bugs.webkit.org/show_bug.cgi?id=119962

        Reviewed by Oliver Hunt.

        This adds a new node, GetTypedArrayByteOffset, which inlines
        typedArray.byteOffset.

        Also, I improved a bunch of the clobbering logic related to typed arrays
        and clobbering in general. For example, PutByOffset/PutStructure are not
        clobber-world so they can be handled by most default cases in CSE. Also,
        it's better to use the 'Class_field' notation for typed arrays now that
        they no longer involve magical descriptor thingies.

        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::neverNeedsStorage):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::checkArrayElimination):
        (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
        (JSC::DFG::FixupPhase::convertToGetArrayLength):
        (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        * runtime/ArrayBuffer.h:
        (JSC::ArrayBuffer::offsetOfData):
        * runtime/Butterfly.h:
        (JSC::Butterfly::offsetOfArrayBuffer):
        * runtime/IndexingHeader.h:
        (JSC::IndexingHeader::offsetOfArrayBuffer):

2013-08-18  Filip Pizlo  <fpizlo@apple.com>

        <https://webkit.org/b/119994> DFG new Array() inlining could get confused about global objects

        Reviewed by Geoffrey Garen.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):

2013-08-18  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=119995
        Start removing custom implementations of getOwnPropertyDescriptor

        Reviewed by Oliver Hunt.

        This can now typically be implemented in terms of getOwnPropertySlot.
        Add a macro to PropertyDescriptor to define an implementation of GOPD in terms of GOPS.
        Switch over most classes in JSC & the WebCore bindings generator to use this.

        * API/JSCallbackObjectFunctions.h:
        * debugger/DebuggerActivation.cpp:
        * runtime/Arguments.cpp:
        * runtime/ArrayConstructor.cpp:
        * runtime/ArrayPrototype.cpp:
        * runtime/BooleanPrototype.cpp:
        * runtime/DateConstructor.cpp:
        * runtime/DatePrototype.cpp:
        * runtime/ErrorPrototype.cpp:
        * runtime/JSActivation.cpp:
        * runtime/JSArray.cpp:
        * runtime/JSArrayBuffer.cpp:
        * runtime/JSArrayBufferView.cpp:
        * runtime/JSCell.cpp:
        * runtime/JSDataView.cpp:
        * runtime/JSDataViewPrototype.cpp:
        * runtime/JSFunction.cpp:
        * runtime/JSGenericTypedArrayViewInlines.h:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSONObject.cpp:
        * runtime/JSObject.cpp:
        * runtime/NamePrototype.cpp:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberPrototype.cpp:
        * runtime/ObjectConstructor.cpp:
            - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
        * runtime/PropertyDescriptor.h:
            - Added GET_OWN_PROPERTY_DESCRIPTOR_IMPL macro.
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::isValue):
        (JSC::PropertySlot::isGetter):
        (JSC::PropertySlot::isCustom):
        (JSC::PropertySlot::isCacheableValue):
        (JSC::PropertySlot::isCacheableGetter):
        (JSC::PropertySlot::isCacheableCustom):
        (JSC::PropertySlot::attributes):
        (JSC::PropertySlot::getterSetter):
            - Add accessors necessary to convert PropertySlot to descriptor.
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpMatchesArray.cpp:
        * runtime/RegExpMatchesArray.h:
        * runtime/RegExpObject.cpp:
        * runtime/RegExpPrototype.cpp:
        * runtime/StringConstructor.cpp:
        * runtime/StringObject.cpp:
            - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.

2013-08-19  Michael Saboff  <msaboff@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120015 DFG 32Bit: Crash loading "Classic" site @ translate.google.com

        Reviewed by Sam Weinig.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell): Added checks for spillFormat being
        DataFormatInteger or DataFormatDouble similar to what is in the 64 bit code and in
        all versions of fillSpeculateBoolean().

2013-08-19  Michael Saboff  <msaboff@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120020 Change Set 154207 causes wrong register to be used for 32 bit tests

        Reviewed by Benjamin Poulain.

        Change branchTest32 to only use the byte for 8 bit test on the lower 4 registers.
        Registers 4 through 7 as byte registers are ah, ch, dh and bh instead of sp, bp, si and di.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::branchTest32):

2013-08-16  Oliver Hunt  <oliver@apple.com>

        <https://webkit.org/b/119860> Crash during exception unwinding

        Reviewed by Filip Pizlo.

        Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error
        to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node.

        We need this so that Throw and ThrowReferenceError no longer need to be treated as
        terminals and the subsequent flush keeps the activation (and other registers) live.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isTerminal):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-08-19  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>

        <https://webkit.org/b/120008> [GTK][ARM] javascriptcore compilation is broken

        Reviewed by Oliver Hunt.

        Guard the compilation of these files only if DFG_JIT is enabled.

        * dfg/DFGDesiredTransitions.cpp:
        * dfg/DFGDesiredTransitions.h:
        * dfg/DFGDesiredWeakReferences.cpp:
        * dfg/DFGDesiredWeakReferences.h:
        * dfg/DFGDesiredWriteBarriers.cpp:
        * dfg/DFGDesiredWriteBarriers.h:

2013-08-17  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r154218): DFG::FixupPhase no longer turns GetById's child1 into CellUse
        https://bugs.webkit.org/show_bug.cgi?id=119961

        Reviewed by Mark Hahnenberg.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2013-08-18  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=119972
        Add attributes field to PropertySlot

        Reviewed by Geoff Garen.

        For all JSC types, this makes getOwnPropertyDescriptor redundant.
        There will be a bit more hacking required in WebCore to remove GOPD whilst maintaining current behaviour.
        (Current behaviour is in many ways broken, particularly in that GOPD & GOPS are inconsistent, but we should fix incrementally).

        No performance impact.

        * runtime/PropertySlot.h:
        (JSC::PropertySlot::setValue):
        (JSC::PropertySlot::setCustom):
        (JSC::PropertySlot::setCacheableCustom):
        (JSC::PropertySlot::setCustomIndex):
        (JSC::PropertySlot::setGetterSlot):
        (JSC::PropertySlot::setCacheableGetterSlot):
            - These methods now all require 'attributes'.
        * runtime/JSObject.h:
        (JSC::JSObject::getDirect):
        (JSC::JSObject::getDirectOffset):
        (JSC::JSObject::inlineGetOwnPropertySlot):
            - Added variants of getDirect, getDirectOffset that return the attributes.
        * API/JSCallbackObjectFunctions.h:
        (JSC::::getOwnPropertySlot):
        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertySlotByIndex):
        (JSC::Arguments::getOwnPropertySlot):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTableGet):
        (JSC::JSActivation::getOwnPropertySlot):
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnPropertySlot):
        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::getOwnPropertySlot):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::getOwnPropertySlot):
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::getOwnPropertySlot):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::::getOwnPropertySlot):
        (JSC::::getOwnPropertySlotByIndex):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::fillGetterPropertySlot):
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTableGet):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::getStaticPropertySlot):
        (JSC::getStaticPropertyDescriptor):
        (JSC::getStaticValueSlot):
        (JSC::getStaticValueDescriptor):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnPropertySlot):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayEntry::get):
            - Pass attributes to PropertySlot::set* methods.

2013-08-17  Mark Hahnenberg  <mhahnenberg@apple.com>

        <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML

        Reviewed by Filip Pizlo.

        Added a new mode for DesiredWriteBarrier that allows it to track a position in a
        Vector of WriteBarriers rather than the specific address. The fact that we were
        arbitrarily storing into a Vector's backing store for constants at the end of
        compilation after the Vector could have resized was causing crashes.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::constants):
        (JSC::CodeBlock::addConstantLazily):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addConstant):
        * dfg/DFGDesiredWriteBarriers.cpp:
        (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
        (JSC::DFG::DesiredWriteBarrier::trigger):
        (JSC::DFG::initializeLazyWriteBarrierForConstant):
        * dfg/DFGDesiredWriteBarriers.h:
        (JSC::DFG::DesiredWriteBarriers::add):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::truncateConstantToInt32):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::constantRegisterForConstant):

2013-08-16  Filip Pizlo  <fpizlo@apple.com>

        DFG should optimize typedArray.byteLength
        https://bugs.webkit.org/show_bug.cgi?id=119909

        Reviewed by Oliver Hunt.

        This adds typedArray.byteLength inlining to the DFG, and does so without changing
        the IR: byteLength is turned into GetArrayLength followed by BitLShift. This is
        legal since the byteLength of a typed array cannot exceed
        numeric_limits<int32_t>::max().

        * bytecode/SpeculatedType.cpp:
        (JSC::typedArrayTypeFromSpeculation):
        * bytecode/SpeculatedType.h:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::toArrayType):
        * dfg/DFGArrayMode.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
        (JSC::DFG::FixupPhase::attemptToMakeGetByteLength):
        (JSC::DFG::FixupPhase::convertToGetArrayLength):
        (JSC::DFG::FixupPhase::prependGetArrayLength):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::constantRegisterForConstant):
        (JSC::DFG::Graph::convertToConstant):
        * runtime/TypedArrayType.h:
        (JSC::logElementSize):
        (JSC::elementSize):

2013-08-16  Filip Pizlo  <fpizlo@apple.com>

        DFG optimizes out strict mode arguments tear off
        https://bugs.webkit.org/show_bug.cgi?id=119504

        Reviewed by Mark Hahnenberg and Oliver Hunt.

        Don't do the optimization for strict mode.

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        (JSC::DFG::ArgumentsSimplificationPhase::pruneObviousArgumentCreations):

2013-08-16  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] x86: improve code generation for xxxTest32
        https://bugs.webkit.org/show_bug.cgi?id=119876

        Reviewed by Geoffrey Garen.

        Try to use testb whenever possible when testing for an immediate value.

        When the input is an address and an offset, we can tweak the mask
        and offset to be able to generate testb for any byte of the mask.

        When the input is a register, we can use testb if we are only interested
        in testing the low bits.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::branchTest32):
        (JSC::MacroAssemblerX86Common::test32):
        (JSC::MacroAssemblerX86Common::generateTest32):

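Added example (my own code, not WebKit's generateTest32): a minimal 32-bit x86 encoder for test-with-immediate that illustrates the entry above together with Michael Saboff's 2013-08-19 follow-up for bug 120020. A memory operand can always be narrowed to testb by moving the offset onto the byte that holds the mask, but a register operand may only be narrowed for eax..ebx, because a byte-sized ModRM rm value of 4..7 selects ah, ch, dh, bh rather than the low byte of esp, ebp, esi, edi. Register numbering and opcode bytes follow the standard x86 encoding; the function names and the pack helper are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Register numbers as they appear in the ModRM rm field (32-bit mode). */
enum X86Reg { X86_EAX, X86_ECX, X86_EDX, X86_EBX, X86_ESP, X86_EBP, X86_ESI, X86_EDI };

/* Without a REX prefix, a byte-sized operand with rm = 4..7 names AH, CH, DH, BH,
 * not the low byte of ESP, EBP, ESI, EDI. Narrowing a test on one of those
 * registers to testb would test bits 8..15 of a different register entirely. */
static bool has_encodable_low_byte(int reg) {
    return reg >= X86_EAX && reg <= X86_EBX;
}

/* If every set bit of mask lies in one byte, return that byte's index (0..3);
 * otherwise -1. A zero mask is left to the 32-bit form. */
int single_byte_index(uint32_t mask) {
    for (int k = 0; k < 4; k++) {
        if (mask != 0 && (mask & ~(0xFFu << (8 * k))) == 0)
            return k;
    }
    return -1;
}

static size_t put_imm32(uint8_t *out, uint32_t v) {
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(v >> (8 * i));         /* little-endian immediate */
    return 4;
}

/* test reg, mask with a register operand; returns the number of bytes emitted.
 * (The shorter AL/EAX-specific opcodes A8/A9 are deliberately not used here.) */
size_t emit_test32_reg_imm(uint8_t *out, int reg, uint32_t mask) {
    size_t n = 0;
    if (mask <= 0xFF && has_encodable_low_byte(reg)) {
        out[n++] = 0xF6;                          /* test r/m8, imm8   (F6 /0 ib) */
        out[n++] = (uint8_t)(0xC0 | reg);         /* mod=11, reg=/0, rm=reg */
        out[n++] = (uint8_t)mask;
        return n;
    }
    out[n++] = 0xF7;                              /* test r/m32, imm32 (F7 /0 id) */
    out[n++] = (uint8_t)(0xC0 | reg);
    return n + put_imm32(out + n, mask);
}

/* ModRM (+ SIB when the base is ESP) and displacement for [base + disp], reg=/0. */
static size_t put_mem_operand(uint8_t *out, int base, int32_t disp) {
    size_t n = 0;
    bool disp8 = disp >= -128 && disp <= 127;
    out[n++] = (uint8_t)((disp8 ? 0x40 : 0x80) | base); /* mod=01 disp8, mod=10 disp32 */
    if (base == X86_ESP)
        out[n++] = 0x24;                          /* SIB: no index, base=esp */
    if (disp8) {
        out[n++] = (uint8_t)(int8_t)disp;
        return n;
    }
    return n + put_imm32(out + n, (uint32_t)disp);
}

/* test dword [base + offset], mask. A mask confined to one byte becomes a byte
 * test of that byte: bump the offset by the byte index and shift the mask down.
 * Memory operands have no AH/CH/DH/BH pitfall, so this is safe for any base. */
size_t emit_test32_mem_imm(uint8_t *out, int base, int32_t offset, uint32_t mask) {
    size_t n = 0;
    int k = single_byte_index(mask);
    if (k >= 0) {
        out[n++] = 0xF6;
        n += put_mem_operand(out + n, base, offset + k);
        out[n++] = (uint8_t)(mask >> (8 * k));
        return n;
    }
    out[n++] = 0xF7;
    n += put_mem_operand(out + n, base, offset);
    return n + put_imm32(out + n, mask);
}

/* Pack an encoding of up to 7 bytes into one integer for easy comparison:
 * byte i sits at bits 8*i, the length in the top byte. Longer encodings
 * (disp32 forms) return 0. */
static uint64_t pack(const uint8_t *b, size_t n) {
    if (n > 7)
        return 0;
    uint64_t v = (uint64_t)n << 56;
    for (size_t i = 0; i < n; i++)
        v |= (uint64_t)b[i] << (8 * i);
    return v;
}

uint64_t pack_reg_test(int reg, uint32_t mask) {
    uint8_t b[16];
    return pack(b, emit_test32_reg_imm(b, reg, mask));
}

uint64_t pack_mem_test(int base, int32_t offset, uint32_t mask) {
    uint8_t b[16];
    return pack(b, emit_test32_mem_imm(b, base, offset, mask));
}
```
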
2013-08-16  Mark Lam  <mark.lam@apple.com>

        <https://bugs.webkit.org/show_bug.cgi?id=119913> Baseline JIT gives erroneous
        error message that an object is not a constructor though it expects a function

        Reviewed by Michael Saboff.

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2013-08-16  Filip Pizlo  <fpizlo@apple.com>

        Object properties added using dot syntax (o.f = ...) from code that isn't in eval should be less likely to cause an object to become a dictionary
        https://bugs.webkit.org/show_bug.cgi?id=119897

        Reviewed by Oliver Hunt.

        6-10x speed-up on microbenchmarks that create large static objects. 40-65% speed-up
        on Octane/gbemu. 3% overall speed-up on Octane. No slow-downs anywhere; our ability
        to turn objects into dictionaries when you're storing using bracket syntax or using
        eval is still in place.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::putByIdContext):
        * dfg/DFGOperations.cpp:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirectInternal):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::PutPropertySlot):
        (JSC::PutPropertySlot::context):
        * runtime/Structure.cpp:
        (JSC::Structure::addPropertyTransition):
        * runtime/Structure.h:

2013-08-16  Balazs Kilvady  <kilvadyb@homejinni.com>

        <https://webkit.org/b/119742> REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException

        Reviewed by Allan Sandfeld Jensen.

        ctiVMHandleException must jump/return using register ra (r31).

        * jit/JITStubsMIPS.h:

2013-08-16  Julien Brianceau  <jbrianceau@nds.com>

        <https://webkit.org/b/119879> Fix sh4 build after r154156.

        Reviewed by Allan Sandfeld Jensen.

        Fix typo in JITStubsSH4.h file.

        * jit/JITStubsSH4.h:

2013-08-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        <https://webkit.org/b/119833> Concurrent compilation thread should not trigger WriteBarriers

        Reviewed by Oliver Hunt.

        The concurrent compilation thread should interact minimally with the Heap, including not
        triggering WriteBarriers. This is a prerequisite for generational GC.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::addOrFindConstant):
        (JSC::CodeBlock::findConstant):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addConstantLazily):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getJSConstantForValue):
        (JSC::DFG::ByteCodeParser::constantUndefined):
        (JSC::DFG::ByteCodeParser::constantNull):
        (JSC::DFG::ByteCodeParser::one):
        (JSC::DFG::ByteCodeParser::constantNaN):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::notifyCompilingStructureTransition):
        * dfg/DFGCommonData.h:
        * dfg/DFGDesiredTransitions.cpp: Added.
        (JSC::DFG::DesiredTransition::DesiredTransition):
        (JSC::DFG::DesiredTransition::reallyAdd):
        (JSC::DFG::DesiredTransitions::DesiredTransitions):
        (JSC::DFG::DesiredTransitions::~DesiredTransitions):
        (JSC::DFG::DesiredTransitions::addLazily):
        (JSC::DFG::DesiredTransitions::reallyAdd):
        * dfg/DFGDesiredTransitions.h: Added.
        * dfg/DFGDesiredWeakReferences.cpp: Added.
        (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
        (JSC::DFG::DesiredWeakReferences::~DesiredWeakReferences):
        (JSC::DFG::DesiredWeakReferences::addLazily):
        (JSC::DFG::DesiredWeakReferences::reallyAdd):
        * dfg/DFGDesiredWeakReferences.h: Added.
        * dfg/DFGDesiredWriteBarriers.cpp: Added.
        (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
        (JSC::DFG::DesiredWriteBarrier::trigger):
        (JSC::DFG::DesiredWriteBarriers::DesiredWriteBarriers):
        (JSC::DFG::DesiredWriteBarriers::~DesiredWriteBarriers):
        (JSC::DFG::DesiredWriteBarriers::addImpl):
        (JSC::DFG::DesiredWriteBarriers::trigger):
        * dfg/DFGDesiredWriteBarriers.h: Added.
        (JSC::DFG::DesiredWriteBarriers::add):
        (JSC::DFG::initializeLazyWriteBarrier):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::truncateConstantToInt32):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::convertToConstant):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addWeakReference):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::reallyAdd):
        * dfg/DFGPlan.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase::set):
        (JSC::WriteBarrier::WriteBarrier):

2013-08-15  Benjamin Poulain  <benjamin@webkit.org>

        Fix x86 32bits build after r154158

        * assembler/X86Assembler.h: Add missing #ifdef for the x86_64 instructions.

2013-08-15  Ryosuke Niwa  <rniwa@webkit.org>

        Build fix attempt after r154156.

        * jit/JITStubs.cpp:
        (JSC::cti_vm_handle_exception): encode!

2013-08-15  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] x86: Use inc and dec when possible
        https://bugs.webkit.org/show_bug.cgi?id=119831

        Reviewed by Geoffrey Garen.

        When incrementing or decrementing by an immediate of 1, use the instructions
        inc and dec instead of add and sub.
        The instructions have good timing and their encoding is smaller.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86_64::add32):
        (JSC::MacroAssemblerX86_64::sub32):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::add64):
        (JSC::MacroAssemblerX86_64::sub64):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::dec_r):
        (JSC::X86Assembler::decq_r):
        (JSC::X86Assembler::inc_r):
        (JSC::X86Assembler::incq_r):

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
        https://bugs.webkit.org/show_bug.cgi?id=119874

        Reviewed by Oliver Hunt and Mark Hahnenberg.

        It was a confusion between heuristics in DFG::ArrayMode that are assuming that
        you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
        sometimes for typed array length accesses, and the FixupPhase assuming that a
        ForceExit ArrayMode means that it should continue using a generic GetById.

        This fixes the confusion.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2013-08-15  Mark Lam  <mark.lam@apple.com>

        Fix crash when performing activation tearoff.
        https://bugs.webkit.org/show_bug.cgi?id=119848

        Reviewed by Oliver Hunt.

        The activation tearoff crash was due to a bug in the baseline JIT.
        If we have a scenario where a baseline JIT frame calls a LLINT
        frame, an exception may be thrown while in the LLINT.

        Interpreter::throwException() which handles the exception will unwind
        all frames until it finds a catcher or sees a host frame. When we
        return from the LLINT to the baseline JIT code, the baseline JIT code
        erroneously sets topCallFrame to the value in its call frame register,
        and starts unwinding the stack frames that have already been unwound.

        The fix is:
        1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
           This is a more accurate description of what this runtime function
           is supposed to do, i.e. it handles the exception, which includes doing
           nothing (if there are no more frames to unwind).
        2. Fix up topCallFrame values so that the HostCallFrameFlag is never
           set on it.
        3. Reload the call frame register from topCallFrame when we're
           returning from a callee and detect exception handling in progress.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::unwindCallFrame):
        - Ensure that topCallFrame is not set with the HostCallFrameFlag.
        (JSC::Interpreter::getStackTrace):
        * interpreter/Interpreter.h:
        (JSC::TopCallFrameSetter::TopCallFrameSetter):
        (JSC::TopCallFrameSetter::~TopCallFrameSetter):
        (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
        - Ensure that topCallFrame is not set with the HostCallFrameFlag.
        * jit/JIT.h:
        * jit/JITExceptions.cpp:
        (JSC::uncaughtExceptionHandler):
        - Convenience function to get the handler for uncaught exceptions.
        * jit/JITExceptions.h:
        * jit/JITInlines.h:
        (JSC::JIT::reloadCallFrameFromTopCallFrame):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
        * jit/JITStubs.cpp:
        (JSC::throwExceptionFromOpCall):
        - Ensure that topCallFrame is not set with the HostCallFrameFlag.
        (JSC::cti_vm_handle_exception):
        - Check for the case when there are no more frames to unwind.
        * jit/JITStubs.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsMIPS.h:
        * jit/JITStubsSH4.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:
        - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call):
        - Reload cfr from topCallFrame when handling an exception.
        - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        - Reload cfr from topCallFrame when handling an exception.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        - Ensure that topCallFrame is not set with the HostCallFrameFlag.

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Remove some code duplication.

        Rubber stamped by Mark Hahnenberg.

        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):

2013-08-15  Julien Brianceau  <jbrianceau@nds.com>

        [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
        https://bugs.webkit.org/show_bug.cgi?id=119794

        Reviewed by Filip Pizlo.

        This patch fixes ASSERT failures in debug builds for sh4 and mips architecture.

        * dfg/DFGUseKind.h:
        (JSC::DFG::isNumerical):
        (JSC::DFG::isDouble):

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.

        Rubber stamped by Oliver Hunt.

        This was causing some test crashes for me.

        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):

2013-08-15  Brent Fulgham  <bfulgham@apple.com>

        [Windows] Clear up improper export declaration.

        * runtime/ArrayBufferView.h:

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, remove some unnecessary periods from exceptions.

        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix 32-bit build.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-08-14  Filip Pizlo  <fpizlo@apple.com>

        Typed arrays should be rewritten
        https://bugs.webkit.org/show_bug.cgi?id=119064

        Reviewed by Oliver Hunt.

        Typed arrays were previously deficient in several major ways:

        - They were defined separately in WebCore and in the jsc shell. The two
          implementations were different, and the jsc shell one was basically wrong.
          The WebCore one was quite awful, also.

        - Typed arrays were not visible to the JIT except through some weird hooks.
          For example, the JIT could not ask "what is the Structure that this typed
          array would have if I just allocated it from this global object". Also,
          it was difficult to wire any of the typed array intrinsics, because most
          of the functionality wasn't visible anywhere in JSC.

        - Typed array allocation was brain-dead. Allocating a typed array involved
          two JS objects, two GC weak handles, and three malloc allocations.

        - Neutering. It involved keeping tabs on all native views but not the view
          wrappers, even though the native views can autoneuter just by asking the
          buffer if it was neutered anytime you touch them; while the JS view
          wrappers are the ones that you really want to reach out to.

        - Common case-ing. Most typed arrays have one buffer and one view, and
          usually nobody touches the buffer. Yet we created all of that stuff
          anyway, using data structures optimized for the case where you had a lot
          of views.

        - Semantic goofs. Typed arrays should, in the future, behave like ES
          features rather than DOM features, for example when it comes to exceptions.
          Firefox already does this and I agree with them.

        This patch cleanses our codebase of these sins:

        - Typed arrays are almost entirely defined in JSC. Only the lifecycle
          management of native references to buffers is left to WebCore.

        - Allocating a typed array requires either two GC allocations (a cell and a
          copied storage vector) or one GC allocation, a malloc allocation, and a
          weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
          latter). The latter is only used for oversize arrays. Remember that before
          it was 7 allocations no matter what.

        - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
          mode/length, void* vector. Before it was a lot more than that - remember,
          there were five additional objects that did absolutely nothing for anybody.
753         
754         - Native views aren't tracked by the buffer, or by the wrappers. They are
755           transient. In the future we'll probably switch to not even having them be
756           malloc'd.
757         
758         - Native array buffers have an efficient way of tracking all of their JS view
759           wrappers, both for neutering, and for lifecycle management. The GC
760           special-cases native array buffers. This saves a bunch of grief; for example
761           it means that a JS view wrapper can refer to its buffer via the butterfly,
762           which would be dead by the time we went to finalize.
763         
764         - Typed array semantics now match Firefox, which also happens to be where the
765           standards are going. The discussion on webkit-dev seemed to confirm that
766           Chrome is also heading in this direction. This includes making
767           Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
768           ArrayBufferView as a JS-visible construct.
769         
770         This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
771         It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
772         further typed array optimizations in the JSC JITs, including inlining typed
773         array allocation, inlining more of the accessors, reducing the cost of type
774         checks, etc.
775         
776         An additional property of this patch is that typed arrays are mostly
777         implemented using templates. This deduplicates a bunch of code, but does mean
778         that we need some hacks for exporting s_info's of template classes. See
779         JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
780         low-impact compared to code duplication.
781         
782         Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
783
784         * CMakeLists.txt:
785         * DerivedSources.make:
786         * GNUmakefile.list.am:
787         * JSCTypedArrayStubs.h: Removed.
788         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
789         * JavaScriptCore.xcodeproj/project.pbxproj:
790         * Target.pri:
791         * bytecode/ByValInfo.h:
792         (JSC::hasOptimizableIndexingForClassInfo):
793         (JSC::jitArrayModeForClassInfo):
794         (JSC::typedArrayTypeForJITArrayMode):
795         * bytecode/SpeculatedType.cpp:
796         (JSC::speculationFromClassInfo):
797         * dfg/DFGArrayMode.cpp:
798         (JSC::DFG::toTypedArrayType):
799         * dfg/DFGArrayMode.h:
800         (JSC::DFG::ArrayMode::typedArrayType):
801         * dfg/DFGSpeculativeJIT.cpp:
802         (JSC::DFG::SpeculativeJIT::checkArray):
803         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
804         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
805         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
806         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
807         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
808         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
809         * dfg/DFGSpeculativeJIT.h:
810         * dfg/DFGSpeculativeJIT32_64.cpp:
811         (JSC::DFG::SpeculativeJIT::compile):
812         * dfg/DFGSpeculativeJIT64.cpp:
813         (JSC::DFG::SpeculativeJIT::compile):
814         * heap/CopyToken.h:
815         * heap/DeferGC.h:
816         (JSC::DeferGCForAWhile::DeferGCForAWhile):
817         (JSC::DeferGCForAWhile::~DeferGCForAWhile):
818         * heap/GCIncomingRefCounted.h: Added.
819         (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
820         (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
821         (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
822         (JSC::GCIncomingRefCounted::incomingReferenceAt):
823         (JSC::GCIncomingRefCounted::singletonFlag):
824         (JSC::GCIncomingRefCounted::hasVectorOfCells):
825         (JSC::GCIncomingRefCounted::hasAnyIncoming):
826         (JSC::GCIncomingRefCounted::hasSingleton):
827         (JSC::GCIncomingRefCounted::singleton):
828         (JSC::GCIncomingRefCounted::vectorOfCells):
829         * heap/GCIncomingRefCountedInlines.h: Added.
830         (JSC::::addIncomingReference):
831         (JSC::::filterIncomingReferences):
832         * heap/GCIncomingRefCountedSet.h: Added.
833         (JSC::GCIncomingRefCountedSet::size):
834         * heap/GCIncomingRefCountedSetInlines.h: Added.
835         (JSC::::GCIncomingRefCountedSet):
836         (JSC::::~GCIncomingRefCountedSet):
837         (JSC::::addReference):
838         (JSC::::sweep):
839         (JSC::::removeAll):
840         (JSC::::removeDead):
841         * heap/Heap.cpp:
842         (JSC::Heap::addReference):
843         (JSC::Heap::extraSize):
844         (JSC::Heap::size):
845         (JSC::Heap::capacity):
846         (JSC::Heap::collect):
847         (JSC::Heap::decrementDeferralDepth):
848         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
849         * heap/Heap.h:
850         * interpreter/CallFrame.h:
851         (JSC::ExecState::dataViewTable):
852         * jit/JIT.h:
853         * jit/JITPropertyAccess.cpp:
854         (JSC::JIT::privateCompileGetByVal):
855         (JSC::JIT::privateCompilePutByVal):
856         (JSC::JIT::emitIntTypedArrayGetByVal):
857         (JSC::JIT::emitFloatTypedArrayGetByVal):
858         (JSC::JIT::emitIntTypedArrayPutByVal):
859         (JSC::JIT::emitFloatTypedArrayPutByVal):
860         * jsc.cpp:
861         (GlobalObject::finishCreation):
862         * runtime/ArrayBuffer.cpp:
863         (JSC::ArrayBuffer::transfer):
864         * runtime/ArrayBuffer.h:
865         (JSC::ArrayBuffer::createAdopted):
866         (JSC::ArrayBuffer::ArrayBuffer):
867         (JSC::ArrayBuffer::gcSizeEstimateInBytes):
868         (JSC::ArrayBuffer::pin):
869         (JSC::ArrayBuffer::unpin):
870         (JSC::ArrayBufferContents::tryAllocate):
871         * runtime/ArrayBufferView.cpp:
872         (JSC::ArrayBufferView::ArrayBufferView):
873         (JSC::ArrayBufferView::~ArrayBufferView):
874         (JSC::ArrayBufferView::setNeuterable):
875         * runtime/ArrayBufferView.h:
876         (JSC::ArrayBufferView::isNeutered):
877         (JSC::ArrayBufferView::buffer):
878         (JSC::ArrayBufferView::baseAddress):
879         (JSC::ArrayBufferView::byteOffset):
880         (JSC::ArrayBufferView::verifySubRange):
881         (JSC::ArrayBufferView::clampOffsetAndNumElements):
882         (JSC::ArrayBufferView::calculateOffsetAndLength):
883         * runtime/ClassInfo.h:
884         * runtime/CommonIdentifiers.h:
885         * runtime/DataView.cpp: Added.
886         (JSC::DataView::DataView):
887         (JSC::DataView::create):
888         (JSC::DataView::wrap):
889         * runtime/DataView.h: Added.
890         (JSC::DataView::byteLength):
891         (JSC::DataView::getType):
892         (JSC::DataView::get):
893         (JSC::DataView::set):
894         * runtime/Float32Array.h:
895         * runtime/Float64Array.h:
896         * runtime/GenericTypedArrayView.h: Added.
897         (JSC::GenericTypedArrayView::data):
898         (JSC::GenericTypedArrayView::set):
899         (JSC::GenericTypedArrayView::setRange):
900         (JSC::GenericTypedArrayView::zeroRange):
901         (JSC::GenericTypedArrayView::zeroFill):
902         (JSC::GenericTypedArrayView::length):
903         (JSC::GenericTypedArrayView::byteLength):
904         (JSC::GenericTypedArrayView::item):
905         (JSC::GenericTypedArrayView::checkInboundData):
906         (JSC::GenericTypedArrayView::getType):
907         * runtime/GenericTypedArrayViewInlines.h: Added.
908         (JSC::::GenericTypedArrayView):
909         (JSC::::create):
910         (JSC::::createUninitialized):
911         (JSC::::subarray):
912         (JSC::::wrap):
913         * runtime/IndexingHeader.h:
914         (JSC::IndexingHeader::arrayBuffer):
915         (JSC::IndexingHeader::setArrayBuffer):
916         * runtime/Int16Array.h:
917         * runtime/Int32Array.h:
918         * runtime/Int8Array.h:
919         * runtime/JSArrayBuffer.cpp: Added.
920         (JSC::JSArrayBuffer::JSArrayBuffer):
921         (JSC::JSArrayBuffer::finishCreation):
922         (JSC::JSArrayBuffer::create):
923         (JSC::JSArrayBuffer::createStructure):
924         (JSC::JSArrayBuffer::getOwnPropertySlot):
925         (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
926         (JSC::JSArrayBuffer::put):
927         (JSC::JSArrayBuffer::defineOwnProperty):
928         (JSC::JSArrayBuffer::deleteProperty):
929         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
930         * runtime/JSArrayBuffer.h: Added.
931         (JSC::JSArrayBuffer::impl):
932         (JSC::toArrayBuffer):
933         * runtime/JSArrayBufferConstructor.cpp: Added.
934         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
935         (JSC::JSArrayBufferConstructor::finishCreation):
936         (JSC::JSArrayBufferConstructor::create):
937         (JSC::JSArrayBufferConstructor::createStructure):
938         (JSC::constructArrayBuffer):
939         (JSC::JSArrayBufferConstructor::getConstructData):
940         (JSC::JSArrayBufferConstructor::getCallData):
941         * runtime/JSArrayBufferConstructor.h: Added.
942         * runtime/JSArrayBufferPrototype.cpp: Added.
943         (JSC::arrayBufferProtoFuncSlice):
944         (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
945         (JSC::JSArrayBufferPrototype::finishCreation):
946         (JSC::JSArrayBufferPrototype::create):
947         (JSC::JSArrayBufferPrototype::createStructure):
948         * runtime/JSArrayBufferPrototype.h: Added.
949         * runtime/JSArrayBufferView.cpp: Added.
950         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
951         (JSC::JSArrayBufferView::JSArrayBufferView):
952         (JSC::JSArrayBufferView::finishCreation):
953         (JSC::JSArrayBufferView::getOwnPropertySlot):
954         (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
955         (JSC::JSArrayBufferView::put):
956         (JSC::JSArrayBufferView::defineOwnProperty):
957         (JSC::JSArrayBufferView::deleteProperty):
958         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
959         (JSC::JSArrayBufferView::finalize):
960         * runtime/JSArrayBufferView.h: Added.
961         (JSC::JSArrayBufferView::sizeOf):
962         (JSC::JSArrayBufferView::ConstructionContext::operator!):
963         (JSC::JSArrayBufferView::ConstructionContext::structure):
964         (JSC::JSArrayBufferView::ConstructionContext::vector):
965         (JSC::JSArrayBufferView::ConstructionContext::length):
966         (JSC::JSArrayBufferView::ConstructionContext::mode):
967         (JSC::JSArrayBufferView::ConstructionContext::butterfly):
968         (JSC::JSArrayBufferView::mode):
969         (JSC::JSArrayBufferView::vector):
970         (JSC::JSArrayBufferView::length):
971         (JSC::JSArrayBufferView::offsetOfVector):
972         (JSC::JSArrayBufferView::offsetOfLength):
973         (JSC::JSArrayBufferView::offsetOfMode):
974         * runtime/JSArrayBufferViewInlines.h: Added.
975         (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
976         (JSC::JSArrayBufferView::buffer):
977         (JSC::JSArrayBufferView::impl):
978         (JSC::JSArrayBufferView::neuter):
979         (JSC::JSArrayBufferView::byteOffset):
980         * runtime/JSCell.cpp:
981         (JSC::JSCell::slowDownAndWasteMemory):
982         (JSC::JSCell::getTypedArrayImpl):
983         * runtime/JSCell.h:
984         * runtime/JSDataView.cpp: Added.
985         (JSC::JSDataView::JSDataView):
986         (JSC::JSDataView::create):
987         (JSC::JSDataView::createUninitialized):
988         (JSC::JSDataView::set):
989         (JSC::JSDataView::typedImpl):
990         (JSC::JSDataView::getOwnPropertySlot):
991         (JSC::JSDataView::getOwnPropertyDescriptor):
992         (JSC::JSDataView::slowDownAndWasteMemory):
993         (JSC::JSDataView::getTypedArrayImpl):
994         (JSC::JSDataView::createStructure):
995         * runtime/JSDataView.h: Added.
996         * runtime/JSDataViewPrototype.cpp: Added.
997         (JSC::JSDataViewPrototype::JSDataViewPrototype):
998         (JSC::JSDataViewPrototype::create):
999         (JSC::JSDataViewPrototype::createStructure):
1000         (JSC::JSDataViewPrototype::getOwnPropertySlot):
1001         (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
1002         (JSC::getData):
1003         (JSC::setData):
1004         (JSC::dataViewProtoFuncGetInt8):
1005         (JSC::dataViewProtoFuncGetInt16):
1006         (JSC::dataViewProtoFuncGetInt32):
1007         (JSC::dataViewProtoFuncGetUint8):
1008         (JSC::dataViewProtoFuncGetUint16):
1009         (JSC::dataViewProtoFuncGetUint32):
1010         (JSC::dataViewProtoFuncGetFloat32):
1011         (JSC::dataViewProtoFuncGetFloat64):
1012         (JSC::dataViewProtoFuncSetInt8):
1013         (JSC::dataViewProtoFuncSetInt16):
1014         (JSC::dataViewProtoFuncSetInt32):
1015         (JSC::dataViewProtoFuncSetUint8):
1016         (JSC::dataViewProtoFuncSetUint16):
1017         (JSC::dataViewProtoFuncSetUint32):
1018         (JSC::dataViewProtoFuncSetFloat32):
1019         (JSC::dataViewProtoFuncSetFloat64):
1020         * runtime/JSDataViewPrototype.h: Added.
1021         * runtime/JSFloat32Array.h: Added.
1022         * runtime/JSFloat64Array.h: Added.
1023         * runtime/JSGenericTypedArrayView.h: Added.
1024         (JSC::JSGenericTypedArrayView::byteLength):
1025         (JSC::JSGenericTypedArrayView::byteSize):
1026         (JSC::JSGenericTypedArrayView::typedVector):
1027         (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
1028         (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
1029         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
1030         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
1031         (JSC::JSGenericTypedArrayView::getIndexQuickly):
1032         (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
1033         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
1034         (JSC::JSGenericTypedArrayView::setIndexQuickly):
1035         (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
1036         (JSC::JSGenericTypedArrayView::typedImpl):
1037         (JSC::JSGenericTypedArrayView::createStructure):
1038         (JSC::JSGenericTypedArrayView::info):
1039         (JSC::toNativeTypedView):
1040         * runtime/JSGenericTypedArrayViewConstructor.h: Added.
1041         * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
1042         (JSC::::JSGenericTypedArrayViewConstructor):
1043         (JSC::::finishCreation):
1044         (JSC::::create):
1045         (JSC::::createStructure):
1046         (JSC::constructGenericTypedArrayView):
1047         (JSC::::getConstructData):
1048         (JSC::::getCallData):
1049         * runtime/JSGenericTypedArrayViewInlines.h: Added.
1050         (JSC::::JSGenericTypedArrayView):
1051         (JSC::::create):
1052         (JSC::::createUninitialized):
1053         (JSC::::validateRange):
1054         (JSC::::setWithSpecificType):
1055         (JSC::::set):
1056         (JSC::::getOwnPropertySlot):
1057         (JSC::::getOwnPropertyDescriptor):
1058         (JSC::::put):
1059         (JSC::::defineOwnProperty):
1060         (JSC::::deleteProperty):
1061         (JSC::::getOwnPropertySlotByIndex):
1062         (JSC::::putByIndex):
1063         (JSC::::deletePropertyByIndex):
1064         (JSC::::getOwnNonIndexPropertyNames):
1065         (JSC::::getOwnPropertyNames):
1066         (JSC::::visitChildren):
1067         (JSC::::copyBackingStore):
1068         (JSC::::slowDownAndWasteMemory):
1069         (JSC::::getTypedArrayImpl):
1070         * runtime/JSGenericTypedArrayViewPrototype.h: Added.
1071         * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
1072         (JSC::genericTypedArrayViewProtoFuncSet):
1073         (JSC::genericTypedArrayViewProtoFuncSubarray):
1074         (JSC::::JSGenericTypedArrayViewPrototype):
1075         (JSC::::finishCreation):
1076         (JSC::::create):
1077         (JSC::::createStructure):
1078         * runtime/JSGlobalObject.cpp:
1079         (JSC::JSGlobalObject::reset):
1080         (JSC::JSGlobalObject::visitChildren):
1081         * runtime/JSGlobalObject.h:
1082         (JSC::JSGlobalObject::arrayBufferPrototype):
1083         (JSC::JSGlobalObject::arrayBufferStructure):
1084         (JSC::JSGlobalObject::typedArrayStructure):
1085         * runtime/JSInt16Array.h: Added.
1086         * runtime/JSInt32Array.h: Added.
1087         * runtime/JSInt8Array.h: Added.
1088         * runtime/JSTypedArrayConstructors.cpp: Added.
1089         * runtime/JSTypedArrayConstructors.h: Added.
1090         * runtime/JSTypedArrayPrototypes.cpp: Added.
1091         * runtime/JSTypedArrayPrototypes.h: Added.
1092         * runtime/JSTypedArrays.cpp: Added.
1093         * runtime/JSTypedArrays.h: Added.
1094         * runtime/JSUint16Array.h: Added.
1095         * runtime/JSUint32Array.h: Added.
1096         * runtime/JSUint8Array.h: Added.
1097         * runtime/JSUint8ClampedArray.h: Added.
1098         * runtime/Operations.h:
1099         * runtime/Options.h:
1100         * runtime/SimpleTypedArrayController.cpp: Added.
1101         (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
1102         (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
1103         (JSC::SimpleTypedArrayController::toJS):
1104         * runtime/SimpleTypedArrayController.h: Added.
1105         * runtime/Structure.h:
1106         (JSC::Structure::couldHaveIndexingHeader):
1107         * runtime/StructureInlines.h:
1108         (JSC::Structure::hasIndexingHeader):
1109         * runtime/TypedArrayAdaptors.h: Added.
1110         (JSC::IntegralTypedArrayAdaptor::toNative):
1111         (JSC::IntegralTypedArrayAdaptor::toJSValue):
1112         (JSC::IntegralTypedArrayAdaptor::toDouble):
1113         (JSC::FloatTypedArrayAdaptor::toNative):
1114         (JSC::FloatTypedArrayAdaptor::toJSValue):
1115         (JSC::FloatTypedArrayAdaptor::toDouble):
1116         (JSC::Uint8ClampedAdaptor::toNative):
1117         (JSC::Uint8ClampedAdaptor::toJSValue):
1118         (JSC::Uint8ClampedAdaptor::toDouble):
1119         (JSC::Uint8ClampedAdaptor::clamp):
1120         * runtime/TypedArrayController.cpp: Added.
1121         (JSC::TypedArrayController::TypedArrayController):
1122         (JSC::TypedArrayController::~TypedArrayController):
1123         * runtime/TypedArrayController.h: Added.
1124         * runtime/TypedArrayDescriptor.h: Removed.
1125         * runtime/TypedArrayInlines.h: Added.
1126         * runtime/TypedArrayType.cpp: Added.
1127         (JSC::classInfoForType):
1128         (WTF::printInternal):
1129         * runtime/TypedArrayType.h: Added.
1130         (JSC::toIndex):
1131         (JSC::isTypedView):
1132         (JSC::elementSize):
1133         (JSC::isInt):
1134         (JSC::isFloat):
1135         (JSC::isSigned):
1136         (JSC::isClamped):
1137         * runtime/TypedArrays.h: Added.
1138         * runtime/Uint16Array.h:
1139         * runtime/Uint32Array.h:
1140         * runtime/Uint8Array.h:
1141         * runtime/Uint8ClampedArray.h:
1142         * runtime/VM.cpp:
1143         (JSC::VM::VM):
1144         (JSC::VM::~VM):
1145         * runtime/VM.h:
1146
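        Added example (editor's illustration, not part of this ChangeLog or of WebKit's sources): the ES-style element conversions that the typed array rewrite above aligns JSC with, modelled in plain JavaScript and checked against whatever engine runs it. It assumes a modern engine (Node.js or a current browser) whose Uint8Array and Uint8ClampedArray implement the ECMAScript ToUint8 and ToUint8Clamp conversions; the function names toUint8, toUint8Clamp, checkAgainstEngine and uint8ClampedIsSubtypeOfUint8 are the example's own. The sample inputs are constructed for the demonstration.

```javascript
// Editor's example, not WebKit code. Models the two element-store conversions
// that distinguish Uint8Array from Uint8ClampedArray (the "clamped adaptor"
// listed in the entry above) and verifies the model against the host engine.

// ToUint8 (Uint8Array store): NaN / +-Infinity become 0, the value is
// truncated toward zero, and the integer is wrapped modulo 256.
function toUint8(number) {
  if (!Number.isFinite(number)) return 0;
  const truncated = Math.trunc(number);
  return ((truncated % 256) + 256) % 256; // keep the result in [0, 255]
}

// ToUint8Clamp (Uint8ClampedArray store): NaN becomes 0, the value is clamped
// to [0, 255], and fractions are rounded half to even (2.5 -> 2, 3.5 -> 4)
// rather than truncated. This is the ES semantics, not the DOM-era ones.
function toUint8Clamp(number) {
  if (Number.isNaN(number)) return 0;
  if (number <= 0) return 0;       // covers -0 and -Infinity
  if (number >= 255) return 255;   // covers +Infinity
  const floor = Math.floor(number);
  if (floor + 0.5 < number) return floor + 1; // above the midpoint: round up
  if (number < floor + 0.5) return floor;     // below the midpoint: round down
  return floor % 2 === 0 ? floor : floor + 1; // exactly half: round to even
}

// Store each sample through the engine's own typed arrays and compare the
// observed element with the model above. Returns one record per sample.
function checkAgainstEngine(samples) {
  const plain = new Uint8Array(1);
  const clamped = new Uint8ClampedArray(1);
  return samples.map((value) => {
    plain[0] = value;
    clamped[0] = value;
    const uint8Model = toUint8(value);
    const clampModel = toUint8Clamp(value);
    return {
      input: value,
      uint8: plain[0],
      uint8Model,
      clamp: clamped[0],
      clampModel,
      agrees: plain[0] === uint8Model && clamped[0] === clampModel,
    };
  });
}

// The entry above notes that Uint8ClampedArray is no longer a subtype of
// Uint8Array; this reports what the host engine says about that.
function uint8ClampedIsSubtypeOfUint8() {
  return new Uint8ClampedArray(0) instanceof Uint8Array;
}

// Constructed sample values covering wrap-around, clamping, NaN, infinities
// and the round-half-to-even cases.
const SAMPLES = [2.5, 3.5, -1, 256, 300, -5, NaN, 254.5, 255.5, Infinity, -Infinity];

for (const record of checkAgainstEngine(SAMPLES)) {
  console.log(
    `${String(record.input).padStart(9)} -> Uint8Array ${record.uint8} ` +
    `(model ${record.uint8Model}), Uint8ClampedArray ${record.clamp} ` +
    `(model ${record.clampModel}) ${record.agrees ? "ok" : "MISMATCH"}`
  );
}
console.log("Uint8ClampedArray instanceof Uint8Array:", uint8ClampedIsSubtypeOfUint8());
```

        The interesting rows are 2.5 and 3.5: a Uint8Array truncates both (2 and 3) while a Uint8ClampedArray rounds half to even (2 and 4), and 256 wraps to 0 in the former but saturates to 255 in the latter. Any "MISMATCH" line means the host engine deviates from the ES conversions the rewrite adopted.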
1147 2013-08-15  Oliver Hunt  <oliver@apple.com>
1148
1149         <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure
1150
1151         Reviewed by Filip Pizlo.
1152
1153         Make sure dfgCapabilities doesn't report a Dynamic put as
1154         being compilable when we don't actually support it.  
1155
1156         * bytecode/CodeBlock.cpp:
1157         (JSC::CodeBlock::dumpBytecode):
1158         * dfg/DFGCapabilities.cpp:
1159         (JSC::DFG::capabilityLevel):
1160
1161 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
1162
1163         [Windows] Incorrect DLL Linkage for JSC ArrayBuffer and ArrayBufferView
1164         https://bugs.webkit.org/show_bug.cgi?id=119847
1165
1166         Reviewed by Oliver Hunt.
1167
1168         * runtime/ArrayBuffer.h: Switch from WTF_EXPORT_PRIVATE to JS_EXPORT_PRIVATE
1169         * runtime/ArrayBufferView.h: Ditto.
1170
1171 2013-08-15  Gavin Barraclough  <barraclough@apple.com>
1172
1173         https://bugs.webkit.org/show_bug.cgi?id=119843
1174         PropertySlot::setValue is ambiguous
1175
1176         Reviewed by Geoff Garen.
1177
1178         There are three different versions of PropertySlot::setValue, one for cacheable properties, and two that are used interchangeably and inconsistently.
1179         The problematic variants are the ones that just take a value, and one that takes a value and also the object containing the property.
1180         Unify on always providing the object, and remove the version that just takes a value.
1181         This always works except for JSString, where we optimize out the object (logically we should be instantiating a temporary StringObject on every property access).
1182         Provide a version of setValue that takes a JSString as the owner of the property.
1183         We won't store this, but it makes it clear that this interface should only be used from JSString.
1184
1185         * API/JSCallbackObjectFunctions.h:
1186         (JSC::::getOwnPropertySlot):
1187         * JSCTypedArrayStubs.h:
1188         * runtime/Arguments.cpp:
1189         (JSC::Arguments::getOwnPropertySlotByIndex):
1190         (JSC::Arguments::getOwnPropertySlot):
1191         * runtime/JSActivation.cpp:
1192         (JSC::JSActivation::symbolTableGet):
1193         (JSC::JSActivation::getOwnPropertySlot):
1194         * runtime/JSArray.cpp:
1195         (JSC::JSArray::getOwnPropertySlot):
1196         * runtime/JSObject.cpp:
1197         (JSC::JSObject::getOwnPropertySlotByIndex):
1198         * runtime/JSString.h:
1199         (JSC::JSString::getStringPropertySlot):
1200         * runtime/JSSymbolTableObject.h:
1201         (JSC::symbolTableGet):
1202         * runtime/SparseArrayValueMap.cpp:
1203         (JSC::SparseArrayEntry::get):
1204             - Pass object containing property to PropertySlot::setValue
1205         * runtime/PropertySlot.h:
1206         (JSC::PropertySlot::setValue):
1207             - Logically, the base of a string property access is a temporary StringObject, but we optimize that away.
1208         (JSC::PropertySlot::setUndefined):
1209             - removed setValue(JSValue), added setValue(JSString*, JSValue)
1210
1211 2013-08-15  Oliver Hunt  <oliver@apple.com>
1212
1213         Remove bogus assertion.
1214
1215         RS=Filip Pizlo
1216
1217         * dfg/DFGAbstractInterpreterInlines.h:
1218         (JSC::DFG::::executeEffects):
1219
1220 2013-08-15  Allan Sandfeld Jensen  <allan.jensen@digia.com>
1221
1222         REGRESSION(r148790) Made 7 tests fail on x86 32bit
1223         https://bugs.webkit.org/show_bug.cgi?id=114913
1224
1225         Reviewed by Filip Pizlo.
1226
1227         The X87 register was not freed before some calls. Instead
1228         of inserting resetX87Registers to the last call sites,
1229         the two X87 registers are now freed in every call.
1230
1231         * llint/LowLevelInterpreter32_64.asm:
1232         * llint/LowLevelInterpreter64.asm:
1233         * offlineasm/instructions.rb:
1234         * offlineasm/x86.rb:
1235
1236 2013-08-14  Michael Saboff  <msaboff@apple.com>
1237
1238         Fixed jit on Win64.
1239         https://bugs.webkit.org/show_bug.cgi?id=119601
1240
1241         Reviewed by Oliver Hunt.
1242
1243         * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation.
1244         * jit/JSInterfaceJIT.h: Added thirdArgumentRegister.
1245         * jit/SlowPathCall.h:
1246         (JSC::JITSlowPathCall::call): Added correct calling convention for Win64.
1247
1248 2013-08-14  Alex Christensen  <achristensen@apple.com>
1249
1250         Compile fix for Win64 with jit disabled.
1251         https://bugs.webkit.org/show_bug.cgi?id=119804
1252
1253         Reviewed by Michael Saboff.
1254
1255         * offlineasm/cloop.rb: Added std:: before isnan.
1256
1257 2013-08-14  Julien Brianceau  <jbrianceau@nds.com>
1258
1259         DFG_JIT implementation for sh4 architecture.
1260         https://bugs.webkit.org/show_bug.cgi?id=119737
1261
1262         Reviewed by Oliver Hunt.
1263
1264         * assembler/MacroAssemblerSH4.h:
1265         (JSC::MacroAssemblerSH4::invert):
1266         (JSC::MacroAssemblerSH4::add32):
1267         (JSC::MacroAssemblerSH4::and32):
1268         (JSC::MacroAssemblerSH4::lshift32):
1269         (JSC::MacroAssemblerSH4::mul32):
1270         (JSC::MacroAssemblerSH4::or32):
1271         (JSC::MacroAssemblerSH4::rshift32):
1272         (JSC::MacroAssemblerSH4::sub32):
1273         (JSC::MacroAssemblerSH4::xor32):
1274         (JSC::MacroAssemblerSH4::store32):
1275         (JSC::MacroAssemblerSH4::swapDouble):
1276         (JSC::MacroAssemblerSH4::storeDouble):
1277         (JSC::MacroAssemblerSH4::subDouble):
1278         (JSC::MacroAssemblerSH4::mulDouble):
1279         (JSC::MacroAssemblerSH4::divDouble):
1280         (JSC::MacroAssemblerSH4::negateDouble):
1281         (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
1282         (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
1283         (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
1284         (JSC::MacroAssemblerSH4::swap):
1285         (JSC::MacroAssemblerSH4::jump):
1286         (JSC::MacroAssemblerSH4::branchNeg32):
1287         (JSC::MacroAssemblerSH4::branchAdd32):
1288         (JSC::MacroAssemblerSH4::branchMul32):
1289         (JSC::MacroAssemblerSH4::urshift32):
1290         * assembler/SH4Assembler.h:
1291         (JSC::SH4Assembler::SH4Assembler):
1292         (JSC::SH4Assembler::labelForWatchpoint):
1293         (JSC::SH4Assembler::label):
1294         (JSC::SH4Assembler::debugOffset):
1295         * dfg/DFGAssemblyHelpers.h:
1296         (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
1297         (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
1298         (JSC::DFG::AssemblyHelpers::debugCall):
1299         * dfg/DFGCCallHelpers.h:
1300         (JSC::DFG::CCallHelpers::setupArguments):
1301         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
1302         * dfg/DFGFPRInfo.h:
1303         (JSC::DFG::FPRInfo::toRegister):
1304         (JSC::DFG::FPRInfo::toIndex):
1305         (JSC::DFG::FPRInfo::debugName):
1306         * dfg/DFGGPRInfo.h:
1307         (JSC::DFG::GPRInfo::toRegister):
1308         (JSC::DFG::GPRInfo::toIndex):
1309         (JSC::DFG::GPRInfo::debugName):
1310         * dfg/DFGOperations.cpp:
1311         * dfg/DFGSpeculativeJIT.h:
1312         (JSC::DFG::SpeculativeJIT::callOperation):
1313         * jit/JITStubs.h:
1314         * jit/JITStubsSH4.h:
1315
1316 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
1317
1318         Unreviewed, fix build.
1319
1320         * API/JSValue.mm:
1321         (isDate):
1322         (isArray):
1323         * API/JSWrapperMap.mm:
1324         (tryUnwrapObjcObject):
1325         * API/ObjCCallbackFunction.mm:
1326         (tryUnwrapBlock):
1327
1328 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
1329
1330         Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
1331         https://bugs.webkit.org/show_bug.cgi?id=119770
1332
1333         Reviewed by Mark Hahnenberg.
1334
1335         * API/JSCallbackConstructor.cpp:
1336         (JSC::JSCallbackConstructor::finishCreation):
1337         * API/JSCallbackConstructor.h:
1338         (JSC::JSCallbackConstructor::createStructure):
1339         * API/JSCallbackFunction.cpp:
1340         (JSC::JSCallbackFunction::finishCreation):
1341         * API/JSCallbackFunction.h:
1342         (JSC::JSCallbackFunction::createStructure):
1343         * API/JSCallbackObject.cpp:
1344         (JSC::::createStructure):
1345         * API/JSCallbackObject.h:
1346         (JSC::JSCallbackObject::visitChildren):
1347         * API/JSCallbackObjectFunctions.h:
1348         (JSC::::asCallbackObject):
1349         (JSC::::finishCreation):
1350         * API/JSObjectRef.cpp:
1351         (JSObjectGetPrivate):
1352         (JSObjectSetPrivate):
1353         (JSObjectGetPrivateProperty):
1354         (JSObjectSetPrivateProperty):
1355         (JSObjectDeletePrivateProperty):
1356         * API/JSValueRef.cpp:
1357         (JSValueIsObjectOfClass):
1358         * API/JSWeakObjectMapRefPrivate.cpp:
1359         * API/ObjCCallbackFunction.h:
1360         (JSC::ObjCCallbackFunction::createStructure):
1361         * JSCTypedArrayStubs.h:
1362         * bytecode/CallLinkStatus.cpp:
1363         (JSC::CallLinkStatus::CallLinkStatus):
1364         (JSC::CallLinkStatus::function):
1365         (JSC::CallLinkStatus::internalFunction):
1366         * bytecode/CodeBlock.h:
1367         (JSC::baselineCodeBlockForInlineCallFrame):
1368         * bytecode/SpeculatedType.cpp:
1369         (JSC::speculationFromClassInfo):
1370         * bytecode/UnlinkedCodeBlock.cpp:
1371         (JSC::UnlinkedFunctionExecutable::visitChildren):
1372         (JSC::UnlinkedCodeBlock::visitChildren):
1373         (JSC::UnlinkedProgramCodeBlock::visitChildren):
1374         * bytecode/UnlinkedCodeBlock.h:
1375         (JSC::UnlinkedFunctionExecutable::createStructure):
1376         (JSC::UnlinkedProgramCodeBlock::createStructure):
1377         (JSC::UnlinkedEvalCodeBlock::createStructure):
1378         (JSC::UnlinkedFunctionCodeBlock::createStructure):
1379         * debugger/Debugger.cpp:
1380         * debugger/DebuggerActivation.cpp:
1381         (JSC::DebuggerActivation::visitChildren):
1382         * debugger/DebuggerActivation.h:
1383         (JSC::DebuggerActivation::createStructure):
1384         * debugger/DebuggerCallFrame.cpp:
1385         (JSC::DebuggerCallFrame::functionName):
1386         * dfg/DFGAbstractInterpreterInlines.h:
1387         (JSC::DFG::::executeEffects):
1388         * dfg/DFGByteCodeParser.cpp:
1389         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1390         (JSC::DFG::ByteCodeParser::parseBlock):
1391         * dfg/DFGFixupPhase.cpp:
1392         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
1393         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
1394         * dfg/DFGGraph.cpp:
1395         (JSC::DFG::Graph::dump):
1396         * dfg/DFGGraph.h:
1397         (JSC::DFG::Graph::isInternalFunctionConstant):
1398         * dfg/DFGOperations.cpp:
1399         * dfg/DFGSpeculativeJIT.cpp:
1400         (JSC::DFG::SpeculativeJIT::checkArray):
1401         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1402         * dfg/DFGThunks.cpp:
1403         (JSC::DFG::virtualForThunkGenerator):
1404         * interpreter/Interpreter.cpp:
1405         (JSC::loadVarargs):
1406         * jsc.cpp:
1407         (GlobalObject::createStructure):
1408         * profiler/LegacyProfiler.cpp:
1409         (JSC::LegacyProfiler::createCallIdentifier):
1410         * runtime/Arguments.cpp:
1411         (JSC::Arguments::visitChildren):
1412         * runtime/Arguments.h:
1413         (JSC::Arguments::createStructure):
1414         (JSC::asArguments):
1415         (JSC::Arguments::finishCreation):
1416         * runtime/ArrayConstructor.cpp:
1417         (JSC::arrayConstructorIsArray):
1418         * runtime/ArrayConstructor.h:
1419         (JSC::ArrayConstructor::createStructure):
1420         * runtime/ArrayPrototype.cpp:
1421         (JSC::ArrayPrototype::finishCreation):
1422         (JSC::arrayProtoFuncConcat):
1423         (JSC::attemptFastSort):
1424         * runtime/ArrayPrototype.h:
1425         (JSC::ArrayPrototype::createStructure):
1426         * runtime/BooleanConstructor.h:
1427         (JSC::BooleanConstructor::createStructure):
1428         * runtime/BooleanObject.cpp:
1429         (JSC::BooleanObject::finishCreation):
1430         * runtime/BooleanObject.h:
1431         (JSC::BooleanObject::createStructure):
1432         (JSC::asBooleanObject):
1433         * runtime/BooleanPrototype.cpp:
1434         (JSC::BooleanPrototype::finishCreation):
1435         (JSC::booleanProtoFuncToString):
1436         (JSC::booleanProtoFuncValueOf):
1437         * runtime/BooleanPrototype.h:
1438         (JSC::BooleanPrototype::createStructure):
1439         * runtime/DateConstructor.cpp:
1440         (JSC::constructDate):
1441         * runtime/DateConstructor.h:
1442         (JSC::DateConstructor::createStructure):
1443         * runtime/DateInstance.cpp:
1444         (JSC::DateInstance::finishCreation):
1445         * runtime/DateInstance.h:
1446         (JSC::DateInstance::createStructure):
1447         (JSC::asDateInstance):
1448         * runtime/DatePrototype.cpp:
1449         (JSC::formateDateInstance):
1450         (JSC::DatePrototype::finishCreation):
1451         (JSC::dateProtoFuncToISOString):
1452         (JSC::dateProtoFuncToLocaleString):
1453         (JSC::dateProtoFuncToLocaleDateString):
1454         (JSC::dateProtoFuncToLocaleTimeString):
1455         (JSC::dateProtoFuncGetTime):
1456         (JSC::dateProtoFuncGetFullYear):
1457         (JSC::dateProtoFuncGetUTCFullYear):
1458         (JSC::dateProtoFuncGetMonth):
1459         (JSC::dateProtoFuncGetUTCMonth):
1460         (JSC::dateProtoFuncGetDate):
1461         (JSC::dateProtoFuncGetUTCDate):
1462         (JSC::dateProtoFuncGetDay):
1463         (JSC::dateProtoFuncGetUTCDay):
1464         (JSC::dateProtoFuncGetHours):
1465         (JSC::dateProtoFuncGetUTCHours):
1466         (JSC::dateProtoFuncGetMinutes):
1467         (JSC::dateProtoFuncGetUTCMinutes):
1468         (JSC::dateProtoFuncGetSeconds):
1469         (JSC::dateProtoFuncGetUTCSeconds):
1470         (JSC::dateProtoFuncGetMilliSeconds):
1471         (JSC::dateProtoFuncGetUTCMilliseconds):
1472         (JSC::dateProtoFuncGetTimezoneOffset):
1473         (JSC::dateProtoFuncSetTime):
1474         (JSC::setNewValueFromTimeArgs):
1475         (JSC::setNewValueFromDateArgs):
1476         (JSC::dateProtoFuncSetYear):
1477         (JSC::dateProtoFuncGetYear):
1478         * runtime/DatePrototype.h:
1479         (JSC::DatePrototype::createStructure):
1480         * runtime/Error.h:
1481         (JSC::StrictModeTypeErrorFunction::createStructure):
1482         * runtime/ErrorConstructor.h:
1483         (JSC::ErrorConstructor::createStructure):
1484         * runtime/ErrorInstance.cpp:
1485         (JSC::ErrorInstance::finishCreation):
1486         * runtime/ErrorInstance.h:
1487         (JSC::ErrorInstance::createStructure):
1488         * runtime/ErrorPrototype.cpp:
1489         (JSC::ErrorPrototype::finishCreation):
1490         * runtime/ErrorPrototype.h:
1491         (JSC::ErrorPrototype::createStructure):
1492         * runtime/ExceptionHelpers.cpp:
1493         (JSC::isTerminatedExecutionException):
1494         * runtime/ExceptionHelpers.h:
1495         (JSC::TerminatedExecutionError::createStructure):
1496         * runtime/Executable.cpp:
1497         (JSC::EvalExecutable::visitChildren):
1498         (JSC::ProgramExecutable::visitChildren):
1499         (JSC::FunctionExecutable::visitChildren):
1500         (JSC::ExecutableBase::hashFor):
1501         * runtime/Executable.h:
1502         (JSC::ExecutableBase::createStructure):
1503         (JSC::NativeExecutable::createStructure):
1504         (JSC::EvalExecutable::createStructure):
1505         (JSC::ProgramExecutable::createStructure):
1506         (JSC::FunctionExecutable::compileFor):
1507         (JSC::FunctionExecutable::compileOptimizedFor):
1508         (JSC::FunctionExecutable::createStructure):
1509         * runtime/FunctionConstructor.h:
1510         (JSC::FunctionConstructor::createStructure):
1511         * runtime/FunctionPrototype.cpp:
1512         (JSC::functionProtoFuncToString):
1513         (JSC::functionProtoFuncApply):
1514         (JSC::functionProtoFuncBind):
1515         * runtime/FunctionPrototype.h:
1516         (JSC::FunctionPrototype::createStructure):
1517         * runtime/GetterSetter.cpp:
1518         (JSC::GetterSetter::visitChildren):
1519         * runtime/GetterSetter.h:
1520         (JSC::GetterSetter::createStructure):
1521         * runtime/InternalFunction.cpp:
1522         (JSC::InternalFunction::finishCreation):
1523         * runtime/InternalFunction.h:
1524         (JSC::InternalFunction::createStructure):
1525         (JSC::asInternalFunction):
1526         * runtime/JSAPIValueWrapper.h:
1527         (JSC::JSAPIValueWrapper::createStructure):
1528         * runtime/JSActivation.cpp:
1529         (JSC::JSActivation::visitChildren):
1530         (JSC::JSActivation::argumentsGetter):
1531         * runtime/JSActivation.h:
1532         (JSC::JSActivation::createStructure):
1533         (JSC::asActivation):
1534         * runtime/JSArray.h:
1535         (JSC::JSArray::createStructure):
1536         (JSC::asArray):
1537         (JSC::isJSArray):
1538         * runtime/JSBoundFunction.cpp:
1539         (JSC::JSBoundFunction::finishCreation):
1540         (JSC::JSBoundFunction::visitChildren):
1541         * runtime/JSBoundFunction.h:
1542         (JSC::JSBoundFunction::createStructure):
1543         * runtime/JSCJSValue.cpp:
1544         (JSC::JSValue::dumpInContext):
1545         * runtime/JSCJSValueInlines.h:
1546         (JSC::JSValue::isFunction):
1547         * runtime/JSCell.h:
1548         (JSC::jsCast):
1549         (JSC::jsDynamicCast):
1550         * runtime/JSCellInlines.h:
1551         (JSC::allocateCell):
1552         * runtime/JSFunction.cpp:
1553         (JSC::JSFunction::finishCreation):
1554         (JSC::JSFunction::visitChildren):
1555         (JSC::skipOverBoundFunctions):
1556         (JSC::JSFunction::callerGetter):
1557         * runtime/JSFunction.h:
1558         (JSC::JSFunction::createStructure):
1559         * runtime/JSGlobalObject.cpp:
1560         (JSC::JSGlobalObject::visitChildren):
1561         (JSC::slowValidateCell):
1562         * runtime/JSGlobalObject.h:
1563         (JSC::JSGlobalObject::createStructure):
1564         * runtime/JSNameScope.cpp:
1565         (JSC::JSNameScope::visitChildren):
1566         * runtime/JSNameScope.h:
1567         (JSC::JSNameScope::createStructure):
1568         * runtime/JSNotAnObject.h:
1569         (JSC::JSNotAnObject::createStructure):
1570         * runtime/JSONObject.cpp:
1571         (JSC::JSONObject::finishCreation):
1572         (JSC::unwrapBoxedPrimitive):
1573         (JSC::Stringifier::Stringifier):
1574         (JSC::Stringifier::appendStringifiedValue):
1575         (JSC::Stringifier::Holder::Holder):
1576         (JSC::Walker::walk):
1577         (JSC::JSONProtoFuncStringify):
1578         * runtime/JSONObject.h:
1579         (JSC::JSONObject::createStructure):
1580         * runtime/JSObject.cpp:
1581         (JSC::getCallableObjectSlow):
1582         (JSC::JSObject::visitChildren):
1583         (JSC::JSObject::copyBackingStore):
1584         (JSC::JSFinalObject::visitChildren):
1585         (JSC::JSObject::ensureInt32Slow):
1586         (JSC::JSObject::ensureDoubleSlow):
1587         (JSC::JSObject::ensureContiguousSlow):
1588         (JSC::JSObject::ensureArrayStorageSlow):
1589         * runtime/JSObject.h:
1590         (JSC::JSObject::finishCreation):
1591         (JSC::JSObject::createStructure):
1592         (JSC::JSNonFinalObject::createStructure):
1593         (JSC::JSFinalObject::createStructure):
1594         (JSC::isJSFinalObject):
1595         * runtime/JSPropertyNameIterator.cpp:
1596         (JSC::JSPropertyNameIterator::visitChildren):
1597         * runtime/JSPropertyNameIterator.h:
1598         (JSC::JSPropertyNameIterator::createStructure):
1599         * runtime/JSProxy.cpp:
1600         (JSC::JSProxy::visitChildren):
1601         * runtime/JSProxy.h:
1602         (JSC::JSProxy::createStructure):
1603         * runtime/JSScope.cpp:
1604         (JSC::JSScope::visitChildren):
1605         * runtime/JSSegmentedVariableObject.cpp:
1606         (JSC::JSSegmentedVariableObject::visitChildren):
1607         * runtime/JSString.h:
1608         (JSC::JSString::createStructure):
1609         (JSC::isJSString):
1610         * runtime/JSSymbolTableObject.cpp:
1611         (JSC::JSSymbolTableObject::visitChildren):
1612         * runtime/JSVariableObject.h:
1613         * runtime/JSWithScope.cpp:
1614         (JSC::JSWithScope::visitChildren):
1615         * runtime/JSWithScope.h:
1616         (JSC::JSWithScope::createStructure):
1617         * runtime/JSWrapperObject.cpp:
1618         (JSC::JSWrapperObject::visitChildren):
1619         * runtime/JSWrapperObject.h:
1620         (JSC::JSWrapperObject::createStructure):
1621         * runtime/MathObject.cpp:
1622         (JSC::MathObject::finishCreation):
1623         * runtime/MathObject.h:
1624         (JSC::MathObject::createStructure):
1625         * runtime/NameConstructor.h:
1626         (JSC::NameConstructor::createStructure):
1627         * runtime/NameInstance.h:
1628         (JSC::NameInstance::createStructure):
1629         (JSC::NameInstance::finishCreation):
1630         * runtime/NamePrototype.cpp:
1631         (JSC::NamePrototype::finishCreation):
1632         (JSC::privateNameProtoFuncToString):
1633         * runtime/NamePrototype.h:
1634         (JSC::NamePrototype::createStructure):
1635         * runtime/NativeErrorConstructor.cpp:
1636         (JSC::NativeErrorConstructor::visitChildren):
1637         * runtime/NativeErrorConstructor.h:
1638         (JSC::NativeErrorConstructor::createStructure):
1639         (JSC::NativeErrorConstructor::finishCreation):
1640         * runtime/NumberConstructor.cpp:
1641         (JSC::NumberConstructor::finishCreation):
1642         * runtime/NumberConstructor.h:
1643         (JSC::NumberConstructor::createStructure):
1644         * runtime/NumberObject.cpp:
1645         (JSC::NumberObject::finishCreation):
1646         * runtime/NumberObject.h:
1647         (JSC::NumberObject::createStructure):
1648         * runtime/NumberPrototype.cpp:
1649         (JSC::NumberPrototype::finishCreation):
1650         * runtime/NumberPrototype.h:
1651         (JSC::NumberPrototype::createStructure):
1652         * runtime/ObjectConstructor.h:
1653         (JSC::ObjectConstructor::createStructure):
1654         * runtime/ObjectPrototype.cpp:
1655         (JSC::ObjectPrototype::finishCreation):
1656         * runtime/ObjectPrototype.h:
1657         (JSC::ObjectPrototype::createStructure):
1658         * runtime/PropertyMapHashTable.h:
1659         (JSC::PropertyTable::createStructure):
1660         * runtime/PropertyTable.cpp:
1661         (JSC::PropertyTable::visitChildren):
1662         * runtime/RegExp.h:
1663         (JSC::RegExp::createStructure):
1664         * runtime/RegExpConstructor.cpp:
1665         (JSC::RegExpConstructor::finishCreation):
1666         (JSC::RegExpConstructor::visitChildren):
1667         (JSC::constructRegExp):
1668         * runtime/RegExpConstructor.h:
1669         (JSC::RegExpConstructor::createStructure):
1670         (JSC::asRegExpConstructor):
1671         * runtime/RegExpMatchesArray.cpp:
1672         (JSC::RegExpMatchesArray::visitChildren):
1673         * runtime/RegExpMatchesArray.h:
1674         (JSC::RegExpMatchesArray::createStructure):
1675         * runtime/RegExpObject.cpp:
1676         (JSC::RegExpObject::finishCreation):
1677         (JSC::RegExpObject::visitChildren):
1678         * runtime/RegExpObject.h:
1679         (JSC::RegExpObject::createStructure):
1680         (JSC::asRegExpObject):
1681         * runtime/RegExpPrototype.cpp:
1682         (JSC::regExpProtoFuncTest):
1683         (JSC::regExpProtoFuncExec):
1684         (JSC::regExpProtoFuncCompile):
1685         (JSC::regExpProtoFuncToString):
1686         * runtime/RegExpPrototype.h:
1687         (JSC::RegExpPrototype::createStructure):
1688         * runtime/SparseArrayValueMap.cpp:
1689         (JSC::SparseArrayValueMap::createStructure):
1690         * runtime/SparseArrayValueMap.h:
1691         * runtime/StrictEvalActivation.h:
1692         (JSC::StrictEvalActivation::createStructure):
1693         * runtime/StringConstructor.h:
1694         (JSC::StringConstructor::createStructure):
1695         * runtime/StringObject.cpp:
1696         (JSC::StringObject::finishCreation):
1697         * runtime/StringObject.h:
1698         (JSC::StringObject::createStructure):
1699         (JSC::asStringObject):
1700         * runtime/StringPrototype.cpp:
1701         (JSC::StringPrototype::finishCreation):
1702         (JSC::stringProtoFuncReplace):
1703         (JSC::stringProtoFuncToString):
1704         (JSC::stringProtoFuncMatch):
1705         (JSC::stringProtoFuncSearch):
1706         (JSC::stringProtoFuncSplit):
1707         * runtime/StringPrototype.h:
1708         (JSC::StringPrototype::createStructure):
1709         * runtime/Structure.cpp:
1710         (JSC::Structure::Structure):
1711         (JSC::Structure::materializePropertyMap):
1712         (JSC::Structure::get):
1713         (JSC::Structure::visitChildren):
1714         * runtime/Structure.h:
1715         (JSC::Structure::typeInfo):
1716         (JSC::Structure::previousID):
1717         (JSC::Structure::outOfLineSize):
1718         (JSC::Structure::totalStorageCapacity):
1719         (JSC::Structure::materializePropertyMapIfNecessary):
1720         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
1721         * runtime/StructureChain.cpp:
1722         (JSC::StructureChain::visitChildren):
1723         * runtime/StructureChain.h:
1724         (JSC::StructureChain::createStructure):
1725         * runtime/StructureInlines.h:
1726         (JSC::Structure::get):
1727         * runtime/StructureRareData.cpp:
1728         (JSC::StructureRareData::createStructure):
1729         (JSC::StructureRareData::visitChildren):
1730         * runtime/StructureRareData.h:
1731         * runtime/SymbolTable.h:
1732         (JSC::SharedSymbolTable::createStructure):
1733         * runtime/VM.cpp:
1734         (JSC::VM::VM):
1735         (JSC::StackPreservingRecompiler::operator()):
1736         (JSC::VM::releaseExecutableMemory):
1737         * runtime/WriteBarrier.h:
1738         (JSC::validateCell):
1739         * testRegExp.cpp:
1740         (GlobalObject::createStructure):
1741
1742 2013-08-13  Arunprasad Rajkumar  <arurajku@cisco.com>
1743
1744         [WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places
1745         https://bugs.webkit.org/show_bug.cgi?id=119762
1746
1747         Reviewed by Geoffrey Garen.
1748
1749         * heap/Heap.cpp:
1750         (JSC::Heap::Heap):
1751         (JSC::Heap::markRoots):
1752         (JSC::Heap::collect):
1753         * jsc.cpp:
1754         (StopWatch::start):
1755         (StopWatch::stop):
1756         * testRegExp.cpp:
1757         (StopWatch::start):
1758         (StopWatch::stop):
1759
1760 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
1761
1762         [sh4] Prepare LLINT for DFG_JIT implementation.
1763         https://bugs.webkit.org/show_bug.cgi?id=119755
1764
1765         Reviewed by Oliver Hunt.
1766
1767         * LLIntOffsetsExtractor.pro: Add sh4.rb dependency.
1768         * offlineasm/sh4.rb:
1769             - Handle storeb opcode.
1770             - Make relative jumps when possible using braf opcode.
1771             - Update bmulio implementation to be consistent with baseline JIT.
1772             - Remove useless code from leap opcode.
1773             - Fix incorrect comment.
1774
1775 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
1776
1777         [sh4] Prepare baseline JIT for DFG_JIT implementation.
1778         https://bugs.webkit.org/show_bug.cgi?id=119758
1779
1780         Reviewed by Oliver Hunt.
1781
1782         * assembler/MacroAssemblerSH4.h:
1783             - Introduce a loadEffectiveAddress function to avoid code duplication.
1784             - Add ASSERTs and clean code.
1785         * assembler/SH4Assembler.h:
1786             - Prepare DFG_JIT implementation.
1787             - Add ASSERTs.
1788         * jit/JITStubs.cpp:
1789             - Add SH4 specific call for assertions.
1790         * jit/JITStubs.h:
1791             - Cosmetic change.
1792         * jit/JITStubsSH4.h:
1793             - Use constants to be more flexible with sh4 JIT stack frame.
1794         * jit/JSInterfaceJIT.h:
1795             - Cosmetic change.
1796
1797 2013-08-13  Oliver Hunt  <oliver@apple.com>
1798
1799         Harden executeConstruct against incorrect return types from host functions
1800         https://bugs.webkit.org/show_bug.cgi?id=119757
1801
1802         Reviewed by Mark Hahnenberg.
1803
1804         Add logic to guard against bogus return types.  There doesn't seem to be any
1805         class in webkit that does this wrong, but the typed array stubs in debug JSC
1806         do exhibit this bad behaviour.
1807
1808         * interpreter/Interpreter.cpp:
1809         (JSC::Interpreter::executeConstruct):
1810
1811 2013-08-13  Allan Sandfeld Jensen  <allan.jensen@digia.com>
1812
1813         [Qt] Fix C++11 build with gcc 4.4 and 4.5
1814         https://bugs.webkit.org/show_bug.cgi?id=119736
1815
1816         Reviewed by Anders Carlsson.
1817
1818         Don't force C++11 mode off anymore.
1819
1820         * Target.pri:
1821
1822 2013-08-12  Oliver Hunt  <oliver@apple.com>
1823
1824         Remove CodeBlock's notion of adding identifiers entirely
1825         https://bugs.webkit.org/show_bug.cgi?id=119708
1826
1827         Reviewed by Geoffrey Garen.
1828
1829         Remove addAdditionalIdentifier entirely, including the bogus assertion.
1830         Move the addition of identifiers to DFGPlan::reallyAdd.
1831
1832         * bytecode/CodeBlock.h:
1833         * dfg/DFGDesiredIdentifiers.cpp:
1834         (JSC::DFG::DesiredIdentifiers::reallyAdd):
1835         * dfg/DFGDesiredIdentifiers.h:
1836         * dfg/DFGPlan.cpp:
1837         (JSC::DFG::Plan::reallyAdd):
1838         (JSC::DFG::Plan::finalize):
1839         * dfg/DFGPlan.h:
1840
1841 2013-08-12  Oliver Hunt  <oliver@apple.com>
1842
1843         Build fix
1844
1845         * runtime/JSCell.h:
1846
1847 2013-08-12  Oliver Hunt  <oliver@apple.com>
1848
1849         Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them
1850         https://bugs.webkit.org/show_bug.cgi?id=119705
1851
1852         Reviewed by Geoffrey Garen.
1853
1854         Relatively trivial refactoring
1855
1856         * bytecode/CodeBlock.h:
1857         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
1858         (JSC::CodeBlock::addAdditionalIdentifier):
1859         (JSC::CodeBlock::identifier):
1860         (JSC::CodeBlock::numberOfIdentifiers):
1861         * dfg/DFGCommonData.h:
1862
1863 2013-08-12  Oliver Hunt  <oliver@apple.com>
1864
1865         Stop making unnecessary copy of CodeBlock Identifier Vector
1866         https://bugs.webkit.org/show_bug.cgi?id=119702
1867
1868         Reviewed by Michael Saboff.
1869
1870         Make CodeBlock simply use a separate Vector for additional Identifiers
1871         and use the UnlinkedCodeBlock for the initial set of identifiers.
1872
1873         * bytecode/CodeBlock.cpp:
1874         (JSC::CodeBlock::printGetByIdOp):
1875         (JSC::dumpStructure):
1876         (JSC::dumpChain):
1877         (JSC::CodeBlock::printGetByIdCacheStatus):
1878         (JSC::CodeBlock::printPutByIdOp):
1879         (JSC::CodeBlock::dumpBytecode):
1880         (JSC::CodeBlock::CodeBlock):
1881         (JSC::CodeBlock::shrinkToFit):
1882         * bytecode/CodeBlock.h:
1883         (JSC::CodeBlock::numberOfIdentifiers):
1884         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
1885         (JSC::CodeBlock::addAdditionalIdentifier):
1886         (JSC::CodeBlock::identifier):
1887         * dfg/DFGDesiredIdentifiers.cpp:
1888         (JSC::DFG::DesiredIdentifiers::reallyAdd):
1889         * jit/JIT.h:
1890         * jit/JITOpcodes.cpp:
1891         (JSC::JIT::emitSlow_op_get_arguments_length):
1892         * jit/JITPropertyAccess.cpp:
1893         (JSC::JIT::emit_op_get_by_id):
1894         (JSC::JIT::compileGetByIdHotPath):
1895         (JSC::JIT::emitSlow_op_get_by_id):
1896         (JSC::JIT::compileGetByIdSlowCase):
1897         (JSC::JIT::emitSlow_op_put_by_id):
1898         * jit/JITPropertyAccess32_64.cpp:
1899         (JSC::JIT::emit_op_get_by_id):
1900         (JSC::JIT::compileGetByIdHotPath):
1901         (JSC::JIT::compileGetByIdSlowCase):
1902         * jit/JITStubs.cpp:
1903         (JSC::DEFINE_STUB_FUNCTION):
1904         * llint/LLIntSlowPaths.cpp:
1905         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1906
1907 2013-08-08  Mark Lam  <mark.lam@apple.com>
1908
1909         Restoring use of StackIterator instead of Interpreter::getStackTrace().
1910         https://bugs.webkit.org/show_bug.cgi?id=119575.
1911
1912         Reviewed by Oliver Hunt.
1913
1914         * interpreter/Interpreter.h:
1915         - Made getStackTrace() private.
1916         * interpreter/StackIterator.cpp:
1917         (JSC::StackIterator::StackIterator):
1918         (JSC::StackIterator::numberOfFrames):
1919         - Computes the number of frames by iterating through the whole stack
1920           from the starting frame. The iterator will save its current frame
1921           position before counting the frames, and then restore it after
1922           the counting.
1923         (JSC::StackIterator::gotoFrameAtIndex):
1924         (JSC::StackIterator::gotoNextFrame):
1925         (JSC::StackIterator::resetIterator):
1926         - Points the iterator to the starting frame.
1927         * interpreter/StackIteratorPrivate.h:
1928
1929 2013-08-08  Mark Lam  <mark.lam@apple.com>
1930
1931         Moved ErrorConstructor and NativeErrorConstructor helper functions into
1932         the Interpreter class.
1933         https://bugs.webkit.org/show_bug.cgi?id=119576.
1934
1935         Reviewed by Oliver Hunt.
1936
1937         This change is needed to prepare for making Interpreter::getStackTrace()
1938         private. It does not change the behavior of the code, only the lexical
1939         scoping.
1940
1941         * interpreter/Interpreter.h:
1942         - Added helper functions for ErrorConstructor and NativeErrorConstructor.
1943         * runtime/ErrorConstructor.cpp:
1944         (JSC::Interpreter::constructWithErrorConstructor):
1945         (JSC::ErrorConstructor::getConstructData):
1946         (JSC::Interpreter::callErrorConstructor):
1947         (JSC::ErrorConstructor::getCallData):
1948         - Don't want ErrorConstructor to call Interpreter::getStackTrace()
1949           directly. So, we moved the helper functions into the Interpreter
1950           class.
1951         * runtime/NativeErrorConstructor.cpp:
1952         (JSC::Interpreter::constructWithNativeErrorConstructor):
1953         (JSC::NativeErrorConstructor::getConstructData):
1954         (JSC::Interpreter::callNativeErrorConstructor):
1955         (JSC::NativeErrorConstructor::getCallData):
1956         - Don't want NativeErrorConstructor to call Interpreter::getStackTrace()
1957           directly. So, we moved the helper functions into the Interpreter
1958           class.
1959
1960 2013-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>
1961
1962         32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state
1963         https://bugs.webkit.org/show_bug.cgi?id=119555
1964
1965         Reviewed by Geoffrey Garen.
1966
1967         It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does.
1968         This was causing crashes on maps.google.com in 32-bit debug builds.
1969
1970         * dfg/DFGSpeculativeJIT32_64.cpp:
1971         (JSC::DFG::SpeculativeJIT::compile):
1972
1973 2013-08-06  Michael Saboff  <msaboff@apple.com>
1974
1975         REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT
1976         https://bugs.webkit.org/show_bug.cgi?id=119405
1977
1978         Reviewed by Geoffrey Garen.
1979
1980         * dfg/DFGSpeculativeJIT.cpp:
1981         (JSC::DFG::SpeculativeJIT::compileGetByValOnString): For X86 32 bit, construct an indexed address
1982         ourselves to save a register and then load from it.
1983
1984 2013-08-06  Filip Pizlo  <fpizlo@apple.com>
1985
1986         DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants
1987         https://bugs.webkit.org/show_bug.cgi?id=119528
1988
1989         Reviewed by Geoffrey Garen.
1990
1991         Either of the two fixes would solve the crash I saw. Basically, for best performance, we want the DFG register allocator to track double uses and non-double
1992         uses of a node separately, and we accomplish this by inserting Int32ToDouble nodes in the FixupPhase. But even if FixupPhase fails to do this, we still want
1993         the DFG register allocator to do the right thing: if it encounters a double use of an integer, it should perform a conversion and preserve the original
1994         format of the value (namely, that it was an integer). For constants, the best format to preserve is None, so that future integer uses rematerialize the int
1995         from scratch. This only affects the 64-bit backend; the 32-bit backend was already doing the right thing.
1996
1997         This also fixes some more debug dumping code, and adds some stronger assertions for integer arrays.
1998
1999         * bytecode/CodeBlock.cpp:
2000         (JSC::CodeBlock::finalizeUnconditionally):
2001         * dfg/DFGDriver.cpp:
2002         (JSC::DFG::compile):
2003         * dfg/DFGFixupPhase.cpp:
2004         (JSC::DFG::FixupPhase::fixupNode):
2005         * dfg/DFGGraph.cpp:
2006         (JSC::DFG::Graph::dump):
2007         * dfg/DFGSpeculativeJIT64.cpp:
2008         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2009         * runtime/JSObject.h:
2010         (JSC::JSObject::getIndexQuickly):
2011         (JSC::JSObject::tryGetIndexQuickly):
2012
2013 2013-08-08  Stephanie Lewis  <slewis@apple.com>
2014
2015         <rdar://problem/14680524> REGRESSION(153806): Crash @ yahoo.com when WebKit is built with a .order file
2016
2017         Unreviewed.
2018
2019         Ensure llint symbols are in source order.
2020
2021         * JavaScriptCore.order:
2022
2023 2013-08-06  Mark Lam  <mark.lam@apple.com>
2024
2025         Assertion failure in emitExpressionInfo when reloading with Web Inspector open.
2026         https://bugs.webkit.org/show_bug.cgi?id=119532.
2027
2028         Reviewed by Oliver Hunt.
2029
2030         * parser/Parser.cpp:
2031         (JSC::::Parser):
2032         - Just need to initialize the Parser's JSTokenLocation's initial line and
2033           startOffset as well during Parser construction.
2034
2035 2013-08-06  Stephanie Lewis  <slewis@apple.com>
2036
2037         Update Order Files for Safari
2038         <rdar://problem/14517392>
2039
2040         Unreviewed.
2041
2042         * JavaScriptCore.order:
2043
2044 2013-08-04  Sam Weinig  <sam@webkit.org>
2045
2046         Remove support for HTML5 MicroData
2047         https://bugs.webkit.org/show_bug.cgi?id=119480
2048
2049         Reviewed by Anders Carlsson.
2050
2051         * Configurations/FeatureDefines.xcconfig:
2052
2053 2013-08-05  Oliver Hunt  <oliver@apple.com>
2054
2055         Delay Arguments creation in strict mode
2056         https://bugs.webkit.org/show_bug.cgi?id=119505
2057
2058         Reviewed by Geoffrey Garen.
2059
2060         Make use of the write tracking performed by the parser to
2061         allow us to know if we're modifying the parameters to a function.
2062         Then use that information to make strict mode functions opt out
2063         of eager arguments creation.
2064
2065         * bytecompiler/BytecodeGenerator.cpp:
2066         (JSC::BytecodeGenerator::BytecodeGenerator):
2067         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
2068         (JSC::BytecodeGenerator::emitReturn):
2069         * bytecompiler/BytecodeGenerator.h:
2070         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly):
2071         * parser/Nodes.h:
2072         (JSC::ScopeNode::modifiesParameter):
2073         * parser/Parser.cpp:
2074         (JSC::::parseInner):
2075         * parser/Parser.h:
2076         (JSC::Scope::declareParameter):
2077         (JSC::Scope::getCapturedVariables):
2078         (JSC::Parser::declareWrite):
2079         * parser/ParserModes.h:
2080
2081 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2082
2083         Remove useless code from COMPILER(RVCT) JITStubs
2084         https://bugs.webkit.org/show_bug.cgi?id=119521
2085
2086         Reviewed by Geoffrey Garen.
2087
2088         * jit/JITStubsARMv7.h:
2089         (JSC::ctiVMThrowTrampoline): "ldr r6, [sp, #PRESERVED_R6_OFFSET]" was called twice.
2090         (JSC::ctiOpThrowNotCaught): Ditto.
2091
2092 2013-07-23  David Farler  <dfarler@apple.com>
2093
2094         Provide optional OTHER_CFLAGS, OTHER_CPPFLAGS, OTHER_LDFLAGS additions for building with ASAN
2095         https://bugs.webkit.org/show_bug.cgi?id=117762
2096
2097         Reviewed by Mark Rowe.
2098
2099         * Configurations/DebugRelease.xcconfig:
2100         Add ASAN_OTHER_CFLAGS, CPLUSPLUSFLAGS, LDFLAGS.
2101         * Configurations/JavaScriptCore.xcconfig:
2102         Add ASAN_OTHER_LDFLAGS.
2103         * Configurations/ToolExecutable.xcconfig:
2104         Don't use ASAN for build tools.
2105
2106 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2107
2108         Build fix for ARM MSVC after r153222 and r153648.
2109
2110         * jit/JITStubsARM.h: Added ctiVMThrowTrampolineSlowpath.
2111
2112 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2113
2114         Build fix for ARM MSVC after r150109.
2115
2116         Read the stub template from a header file instead of JITStubs.cpp.
2117
2118         * CMakeLists.txt:
2119         * DerivedSources.pri:
2120         * create_jit_stubs:
2121
2122 2013-08-05  Oliver Hunt  <oliver@apple.com>
2123
2124         Move TypedArray implementation into JSC
2125         https://bugs.webkit.org/show_bug.cgi?id=119489
2126
2127         Reviewed by Filip Pizlo.
2128
2129         Move TypedArray implementation into JSC in advance of re-implementation
2130
2131         * GNUmakefile.list.am:
2132         * JSCTypedArrayStubs.h:
2133         * JavaScriptCore.xcodeproj/project.pbxproj:
2134         * runtime/ArrayBuffer.cpp: Renamed from Source/WTF/wtf/ArrayBuffer.cpp.
2135         (JSC::ArrayBuffer::transfer):
2136         (JSC::ArrayBuffer::addView):
2137         (JSC::ArrayBuffer::removeView):
2138         * runtime/ArrayBuffer.h: Renamed from Source/WTF/wtf/ArrayBuffer.h.
2139         (JSC::ArrayBufferContents::ArrayBufferContents):
2140         (JSC::ArrayBufferContents::data):
2141         (JSC::ArrayBufferContents::sizeInBytes):
2142         (JSC::ArrayBufferContents::transfer):
2143         (JSC::ArrayBufferContents::copyTo):
2144         (JSC::ArrayBuffer::isNeutered):
2145         (JSC::ArrayBuffer::~ArrayBuffer):
2146         (JSC::ArrayBuffer::clampValue):
2147         (JSC::ArrayBuffer::create):
2148         (JSC::ArrayBuffer::createUninitialized):
2149         (JSC::ArrayBuffer::ArrayBuffer):
2150         (JSC::ArrayBuffer::data):
2151         (JSC::ArrayBuffer::byteLength):
2152         (JSC::ArrayBuffer::slice):
2153         (JSC::ArrayBuffer::sliceImpl):
2154         (JSC::ArrayBuffer::clampIndex):
2155         (JSC::ArrayBufferContents::tryAllocate):
2156         (JSC::ArrayBufferContents::~ArrayBufferContents):
2157         * runtime/ArrayBufferView.cpp: Renamed from Source/WTF/wtf/ArrayBufferView.cpp.
2158         (JSC::ArrayBufferView::ArrayBufferView):
2159         (JSC::ArrayBufferView::~ArrayBufferView):
2160         (JSC::ArrayBufferView::neuter):
2161         * runtime/ArrayBufferView.h: Renamed from Source/WTF/wtf/ArrayBufferView.h.
2162         (JSC::ArrayBufferView::buffer):
2163         (JSC::ArrayBufferView::baseAddress):
2164         (JSC::ArrayBufferView::byteOffset):
2165         (JSC::ArrayBufferView::setNeuterable):
2166         (JSC::ArrayBufferView::isNeuterable):
2167         (JSC::ArrayBufferView::verifySubRange):
2168         (JSC::ArrayBufferView::clampOffsetAndNumElements):
2169         (JSC::ArrayBufferView::setImpl):
2170         (JSC::ArrayBufferView::setRangeImpl):
2171         (JSC::ArrayBufferView::zeroRangeImpl):
2172         (JSC::ArrayBufferView::calculateOffsetAndLength):
2173         * runtime/Float32Array.h: Renamed from Source/WTF/wtf/Float32Array.h.
2174         (JSC::Float32Array::set):
2175         (JSC::Float32Array::getType):
2176         (JSC::Float32Array::create):
2177         (JSC::Float32Array::createUninitialized):
2178         (JSC::Float32Array::Float32Array):
2179         (JSC::Float32Array::subarray):
2180         * runtime/Float64Array.h: Renamed from Source/WTF/wtf/Float64Array.h.
2181         (JSC::Float64Array::set):
2182         (JSC::Float64Array::getType):
2183         (JSC::Float64Array::create):
2184         (JSC::Float64Array::createUninitialized):
2185         (JSC::Float64Array::Float64Array):
2186         (JSC::Float64Array::subarray):
2187         * runtime/Int16Array.h: Renamed from Source/WTF/wtf/Int16Array.h.
2188         (JSC::Int16Array::getType):
2189         (JSC::Int16Array::create):
2190         (JSC::Int16Array::createUninitialized):
2191         (JSC::Int16Array::Int16Array):
2192         (JSC::Int16Array::subarray):
2193         * runtime/Int32Array.h: Renamed from Source/WTF/wtf/Int32Array.h.
2194         (JSC::Int32Array::getType):
2195         (JSC::Int32Array::create):
2196         (JSC::Int32Array::createUninitialized):
2197         (JSC::Int32Array::Int32Array):
2198         (JSC::Int32Array::subarray):
2199         * runtime/Int8Array.h: Renamed from Source/WTF/wtf/Int8Array.h.
2200         (JSC::Int8Array::getType):
2201         (JSC::Int8Array::create):
2202         (JSC::Int8Array::createUninitialized):
2203         (JSC::Int8Array::Int8Array):
2204         (JSC::Int8Array::subarray):
2205         * runtime/IntegralTypedArrayBase.h: Renamed from Source/WTF/wtf/IntegralTypedArrayBase.h.
2206         (JSC::IntegralTypedArrayBase::set):
2207         (JSC::IntegralTypedArrayBase::IntegralTypedArrayBase):
2208         * runtime/TypedArrayBase.h: Renamed from Source/WTF/wtf/TypedArrayBase.h.
2209         (JSC::TypedArrayBase::data):
2210         (JSC::TypedArrayBase::set):
2211         (JSC::TypedArrayBase::setRange):
2212         (JSC::TypedArrayBase::zeroRange):
2213         (JSC::TypedArrayBase::length):
2214         (JSC::TypedArrayBase::byteLength):
2215         (JSC::TypedArrayBase::item):
2216         (JSC::TypedArrayBase::checkInboundData):
2217         (JSC::TypedArrayBase::TypedArrayBase):
2218         (JSC::TypedArrayBase::create):
2219         (JSC::TypedArrayBase::createUninitialized):
2220         (JSC::TypedArrayBase::subarrayImpl):
2221         (JSC::TypedArrayBase::neuter):
2222         * runtime/Uint16Array.h: Renamed from Source/WTF/wtf/Uint16Array.h.
2223         (JSC::Uint16Array::getType):
2224         (JSC::Uint16Array::create):
2225         (JSC::Uint16Array::createUninitialized):
2226         (JSC::Uint16Array::Uint16Array):
2227         (JSC::Uint16Array::subarray):
2228         * runtime/Uint32Array.h: Renamed from Source/WTF/wtf/Uint32Array.h.
2229         (JSC::Uint32Array::getType):
2230         (JSC::Uint32Array::create):
2231         (JSC::Uint32Array::createUninitialized):
2232         (JSC::Uint32Array::Uint32Array):
2233         (JSC::Uint32Array::subarray):
2234         * runtime/Uint8Array.h: Renamed from Source/WTF/wtf/Uint8Array.h.
2235         (JSC::Uint8Array::getType):
2236         (JSC::Uint8Array::create):
2237         (JSC::Uint8Array::createUninitialized):
2238         (JSC::Uint8Array::Uint8Array):
2239         (JSC::Uint8Array::subarray):
2240         * runtime/Uint8ClampedArray.h: Renamed from Source/WTF/wtf/Uint8ClampedArray.h.
2241         (JSC::Uint8ClampedArray::getType):
2242         (JSC::Uint8ClampedArray::create):
2243         (JSC::Uint8ClampedArray::createUninitialized):
2244         (JSC::Uint8ClampedArray::zeroFill):
2245         (JSC::Uint8ClampedArray::set):
2246         (JSC::Uint8ClampedArray::Uint8ClampedArray):
2247         (JSC::Uint8ClampedArray::subarray):
2248         * runtime/VM.h:
2249
2250 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
2251
2252         Copied space should be able to handle more than one copied backing store per JSCell
2253         https://bugs.webkit.org/show_bug.cgi?id=119471
2254
2255         Reviewed by Mark Hahnenberg.
2256         
2257         This allows a cell to call copyLater() multiple times for multiple different
2258         backing stores, and then have copyBackingStore() called exactly once for each
2259         of those. A token tells it which backing store to copy. All backing stores
2260         must be named using the CopyToken, an enumeration which currently cannot
2261         exceed eight entries.
2262         
2263         When copyBackingStore() is called, it's up to the callee to (a) use the token
2264         to decide what to copy and (b) call its base class's copyBackingStore() in
2265         case the base class had something that needed copying. The only exception is
2266         that JSCell never asks anything to be copied, and so if your base is JSCell
2267         then you don't have to do anything.
2268
2269         * GNUmakefile.list.am:
2270         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2271         * JavaScriptCore.xcodeproj/project.pbxproj:
2272         * heap/CopiedBlock.h:
2273         * heap/CopiedBlockInlines.h:
2274         (JSC::CopiedBlock::reportLiveBytes):
2275         * heap/CopyToken.h: Added.
2276         * heap/CopyVisitor.cpp:
2277         (JSC::CopyVisitor::copyFromShared):
2278         * heap/CopyVisitor.h:
2279         * heap/CopyVisitorInlines.h:
2280         (JSC::CopyVisitor::visitItem):
2281         * heap/CopyWorkList.h:
2282         (JSC::CopyWorklistItem::CopyWorklistItem):
2283         (JSC::CopyWorklistItem::cell):
2284         (JSC::CopyWorklistItem::token):
2285         (JSC::CopyWorkListSegment::get):
2286         (JSC::CopyWorkListSegment::append):
2287         (JSC::CopyWorkListSegment::data):
2288         (JSC::CopyWorkListIterator::get):
2289         (JSC::CopyWorkListIterator::operator*):
2290         (JSC::CopyWorkListIterator::operator->):
2291         (JSC::CopyWorkList::append):
2292         * heap/SlotVisitor.h:
2293         * heap/SlotVisitorInlines.h:
2294         (JSC::SlotVisitor::copyLater):
2295         * runtime/ClassInfo.h:
2296         * runtime/JSCell.cpp:
2297         (JSC::JSCell::copyBackingStore):
2298         * runtime/JSCell.h:
2299         * runtime/JSObject.cpp:
2300         (JSC::JSObject::visitButterfly):
2301         (JSC::JSObject::copyBackingStore):
2302         * runtime/JSObject.h:
2303
2304 2013-08-05  Zan Dobersek  <zdobersek@igalia.com>
2305
2306         [Automake] Define ENABLE_JIT through the Autoconf header
2307         https://bugs.webkit.org/show_bug.cgi?id=119445
2308
2309         Reviewed by Martin Robinson.
2310
2311         * GNUmakefile.am: Remove JSC_CPPFLAGS from the cpp flags for the JSC library.
2312
2313 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
2314
2315         hasIndexingHeader() ought really to be a property of an object and its structure, not just its structure
2316         https://bugs.webkit.org/show_bug.cgi?id=119470
2317
2318         Reviewed by Oliver Hunt.
2319         
2320         Structure can still tell you if the object "could" (in the conservative sense)
2321         have an indexing header; that's used by the compiler.
2322         
2323         Most of the time if you want to know if there's an indexing header, you ask the
2324         JSObject.
2325         
2326         In some cases, the JSObject wants to know if it would have an indexing header if
2327         it had a different structure; then it uses Structure::hasIndexingHeader(JSCell*).
2328
2329         * dfg/DFGRepatch.cpp:
2330         (JSC::DFG::tryCachePutByID):
2331         (JSC::DFG::tryBuildPutByIdList):
2332         * dfg/DFGSpeculativeJIT.cpp:
2333         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2334         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2335         * runtime/ButterflyInlines.h:
2336         (JSC::Butterfly::create):
2337         (JSC::Butterfly::growPropertyStorage):
2338         (JSC::Butterfly::growArrayRight):
2339         (JSC::Butterfly::resizeArray):
2340         * runtime/JSObject.cpp:
2341         (JSC::JSObject::copyButterfly):
2342         (JSC::JSObject::visitButterfly):
2343         * runtime/JSObject.h:
2344         (JSC::JSObject::hasIndexingHeader):
2345         (JSC::JSObject::setButterfly):
2346         * runtime/Structure.h:
2347         (JSC::Structure::couldHaveIndexingHeader):
2348         (JSC::Structure::hasIndexingHeader):
2349
2350 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
2351
2352         Give the error object's stack property accessor attributes.
2353         https://bugs.webkit.org/show_bug.cgi?id=119404
2354
2355         Reviewed by Geoffrey Garen.
2356         
2357         Changed the attributes of error object's stack property to allow developers to write
2358         and delete the stack property. This will match the functionality of Chrome. Firefox  
2359         allows developers to write the error's stack, but not delete it. 
2360
2361         * interpreter/Interpreter.cpp:
2362         (JSC::Interpreter::addStackTraceIfNecessary):
2363         * runtime/ErrorInstance.cpp:
2364         (JSC::ErrorInstance::finishCreation):
2365
2366 2013-08-02  Oliver Hunt  <oliver@apple.com>
2367
2368         Incorrect type speculation reported by ToPrimitive
2369         https://bugs.webkit.org/show_bug.cgi?id=119458
2370
2371         Reviewed by Mark Hahnenberg.
2372
2373         Make sure that we report the correct type possibilities for the output
2374         from ToPrimitive
2375
2376         * dfg/DFGAbstractInterpreterInlines.h:
2377         (JSC::DFG::::executeEffects):
2378
2379 2013-08-02  Gavin Barraclough  <barraclough@apple.com>
2380
2381         Remove no-arguments constructor to PropertySlot
2382         https://bugs.webkit.org/show_bug.cgi?id=119460
2383
2384         Reviewed by Geoff Garen.
2385
2386         This constructor was unsafe if getValue is subsequently called,
2387         and the property is a getter. Simplest to just remove it.
2388
2389         * runtime/Arguments.cpp:
2390         (JSC::Arguments::defineOwnProperty):
2391         * runtime/JSActivation.cpp:
2392         (JSC::JSActivation::getOwnPropertyDescriptor):
2393         * runtime/JSFunction.cpp:
2394         (JSC::JSFunction::getOwnPropertyDescriptor):
2395         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2396         (JSC::JSFunction::put):
2397         (JSC::JSFunction::defineOwnProperty):
2398         * runtime/JSGlobalObject.cpp:
2399         (JSC::JSGlobalObject::defineOwnProperty):
2400         * runtime/JSGlobalObject.h:
2401         (JSC::JSGlobalObject::hasOwnPropertyForWrite):
2402         * runtime/JSNameScope.cpp:
2403         (JSC::JSNameScope::put):
2404         * runtime/JSONObject.cpp:
2405         (JSC::Stringifier::Holder::appendNextProperty):
2406         (JSC::Walker::walk):
2407         * runtime/JSObject.cpp:
2408         (JSC::JSObject::hasProperty):
2409         (JSC::JSObject::hasOwnProperty):
2410         (JSC::JSObject::reifyStaticFunctionsForDelete):
2411         * runtime/Lookup.h:
2412         (JSC::getStaticPropertyDescriptor):
2413         (JSC::getStaticFunctionDescriptor):
2414         (JSC::getStaticValueDescriptor):
2415         * runtime/ObjectConstructor.cpp:
2416         (JSC::defineProperties):
2417         * runtime/PropertySlot.h:
2418
2419 2013-08-02  Mark Hahnenberg  <mhahnenberg@apple.com>
2420
2421         DFG validation can cause assertion failures due to dumping
2422         https://bugs.webkit.org/show_bug.cgi?id=119456
2423
2424         Reviewed by Geoffrey Garen.
2425
2426         * bytecode/CodeBlock.cpp:
2427         (JSC::CodeBlock::hasHash):
2428         (JSC::CodeBlock::isSafeToComputeHash):
2429         (JSC::CodeBlock::hash):
2430         (JSC::CodeBlock::dumpAssumingJITType):
2431         * bytecode/CodeBlock.h:
2432
2433 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
2434
2435         Have vm's exceptionStack match java's vm's exceptionStack.
2436         https://bugs.webkit.org/show_bug.cgi?id=119362
2437
2438         Reviewed by Geoffrey Garen.
2439         
2440         The error object's stack is only updated if it does not exist yet. This matches 
2441         the functionality of other browsers, and Java VMs. 
2442
2443         * interpreter/Interpreter.cpp:
2444         (JSC::Interpreter::addStackTraceIfNecessary):
2445         (JSC::Interpreter::throwException):
2446         * runtime/VM.cpp:
2447         (JSC::VM::clearExceptionStack):
2448         * runtime/VM.h:
2449         (JSC::VM::lastExceptionStack):
2450
2451 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
2452
2453         REGRESSION(FTL): Fix mips implementation of ctiVMThrowTrampolineSlowpath.
2454         https://bugs.webkit.org/show_bug.cgi?id=119447
2455
2456         Reviewed by Geoffrey Garen.
2457
2458         Fix .cpload, update call frame and do not restore registers from JIT stack frame in
2459         mips implementation of ctiVMThrowTrampolineSlowpath. This change is similar to
2460         r153583 (sh4) and r153648 (ARM).
2461
2462         * jit/JITStubsMIPS.h:
2463
2464 2013-08-01  Filip Pizlo  <fpizlo@apple.com>
2465
2466         hasIndexingHeader should be a property of the Structure, not just the IndexingType
2467         https://bugs.webkit.org/show_bug.cgi?id=119422
2468
2469         Reviewed by Oliver Hunt.
2470         
2471         This simplifies some code and also allows Structure to claim that an object
2472         has an indexing header even if it doesn't have indexed properties.
2473         
2474         I also changed some calls to use hasIndexedProperties() since in some cases,
2475         that's what we actually meant. Currently the two are synonyms.
2476
2477         * dfg/DFGRepatch.cpp:
2478         (JSC::DFG::tryCachePutByID):
2479         (JSC::DFG::tryBuildPutByIdList):
2480         * dfg/DFGSpeculativeJIT.cpp:
2481         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2482         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2483         * runtime/ButterflyInlines.h:
2484         (JSC::Butterfly::create):
2485         (JSC::Butterfly::growPropertyStorage):
2486         (JSC::Butterfly::growArrayRight):
2487         (JSC::Butterfly::resizeArray):
2488         * runtime/IndexingType.h:
2489         * runtime/JSObject.cpp:
2490         (JSC::JSObject::copyButterfly):
2491         (JSC::JSObject::visitButterfly):
2492         (JSC::JSObject::setPrototype):
2493         * runtime/JSObject.h:
2494         (JSC::JSObject::setButterfly):
2495         * runtime/JSPropertyNameIterator.cpp:
2496         (JSC::JSPropertyNameIterator::create):
2497         * runtime/Structure.h:
2498         (JSC::Structure::hasIndexingHeader):
2499
2500 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
2501
2502         REGRESSION: ARM still crashes after change set r153612.
2503         https://bugs.webkit.org/show_bug.cgi?id=119433
2504
2505         Reviewed by Michael Saboff.
2506
2507         Update call frame and do not restore registers from JIT stack frame in ARM and ARMv7
2508         implementations of ctiVMThrowTrampolineSlowpath. This change is similar to r153583
2509         for sh4 architecture.
2510
2511         * jit/JITStubsARM.h:
2512         * jit/JITStubsARMv7.h:
2513
2514 2013-08-02  Michael Saboff  <msaboff@apple.com>
2515
2516         REGRESSION(r153612): It made jsc and layout tests crash
2517         https://bugs.webkit.org/show_bug.cgi?id=119440
2518
2519         Reviewed by Csaba Osztrogonác.
2520
2521         Made the changes of changeset r153612 only apply to 32 bit builds.
2522
2523         * jit/JITExceptions.cpp:
2524         * jit/JITExceptions.h:
2525         * jit/JITStubs.cpp:
2526         (JSC::cti_vm_throw_slowpath):
2527         * jit/JITStubs.h:
2528
2529 2013-08-02  Patrick Gansterer  <paroga@webkit.org>
2530
2531         Add JSCTestRunnerUtils to the list of forwarding headers to fix build.
2532
2533         * CMakeLists.txt:
2534
2535 2013-08-01  Ruth Fong  <ruth_fong@apple.com>
2536
2537         [Forms: color] <input type='color'> popover color well implementation
2538         <rdar://problem/14411008> and https://bugs.webkit.org/show_bug.cgi?id=119356
2539
2540         Reviewed by Benjamin Poulain.
2541
2542         * Configurations/FeatureDefines.xcconfig: Added and enabled INPUT_TYPE_COLOR_POPOVER.
2543
2544 2013-08-01  Oliver Hunt  <oliver@apple.com>
2545
2546         DFG is not enforcing correct ordering of ToString conversion in MakeRope
2547         https://bugs.webkit.org/show_bug.cgi?id=119408
2548
2549         Reviewed by Filip Pizlo.
2550
2551         Construct ToString and Phantom nodes in advance of MakeRope
2552         nodes to ensure that ordering is ensured, and correct values
2553         will be reified on OSR exit.
2554
2555         * dfg/DFGByteCodeParser.cpp:
2556         (JSC::DFG::ByteCodeParser::parseBlock):
2557
2558 2013-08-01  Michael Saboff  <msaboff@apple.com>
2559
2560         REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
2561         https://bugs.webkit.org/show_bug.cgi?id=119140
2562
2563         Reviewed by Filip Pizlo.
2564
2565         Ensure that ExceptionHandler is returned by functions in two registers by encoding the value as a 64 bit int.
2566
2567         * jit/JITExceptions.cpp:
2568         (JSC::encode):
2569         * jit/JITExceptions.h:
2570         * jit/JITStubs.cpp:
2571         (JSC::cti_vm_throw_slowpath):
2572         * jit/JITStubs.h:
2573
2574 2013-08-01  Julien Brianceau  <jbrianceau@nds.com>
2575
2576         REGRESSION(FTL): Fix sh4 implementation of ctiVMThrowTrampolineSlowpath.
2577         https://bugs.webkit.org/show_bug.cgi?id=119391
2578
2579         Reviewed by Csaba Osztrogonác.
2580
2581         * jit/JITStubsSH4.h: Fix ctiVMThrowTrampolineSlowpath implementation:
2582             - Call frame is in r14 register.
2583             - Do not restore registers from JIT stack frame here.
2584
2585 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
2586
2587         More cleanup in PropertySlot
2588         https://bugs.webkit.org/show_bug.cgi?id=119359
2589
2590         Reviewed by Geoff Garen.
2591
2592         m_slotBase is overloaded to store the (receiver) thisValue and the object that contains the property.
2593         This is confusing, and means that slotBase cannot be typed correctly (can only be a JSObject).
2594
2595         * dfg/DFGRepatch.cpp:
2596         (JSC::DFG::tryCacheGetByID):
2597         (JSC::DFG::tryBuildGetByIDList):
2598             - No need to ASSERT slotBase is an object.
2599         * jit/JITStubs.cpp:
2600         (JSC::tryCacheGetByID):
2601         (JSC::DEFINE_STUB_FUNCTION):
2602             - No need to ASSERT slotBase is an object.
2603         * runtime/JSObject.cpp:
2604         (JSC::JSObject::getOwnPropertySlotByIndex):
2605         (JSC::JSObject::fillGetterPropertySlot):
2606             - Pass an object through to setGetterSlot.
2607         * runtime/JSObject.h:
2608         (JSC::PropertySlot::getValue):
2609             - Moved from PropertySlot (need to know about JSObject).
2610         * runtime/PropertySlot.cpp:
2611         (JSC::PropertySlot::functionGetter):
2612             - update per member name changes
2613         * runtime/PropertySlot.h:
2614         (JSC::PropertySlot::PropertySlot):
2615             - Argument to constructor set to 'thisValue'.
2616         (JSC::PropertySlot::slotBase):
2617             - This returns a JSObject*.
2618         (JSC::PropertySlot::setValue):
2619         (JSC::PropertySlot::setCustom):
2620         (JSC::PropertySlot::setCacheableCustom):
2621         (JSC::PropertySlot::setCustomIndex):
2622         (JSC::PropertySlot::setGetterSlot):
2623         (JSC::PropertySlot::setCacheableGetterSlot):
2624             - slotBase is a JSObject*, make setGetterSlot set slotBase for consistency.
2625         * runtime/SparseArrayValueMap.cpp:
2626         (JSC::SparseArrayEntry::get):
2627             - Pass an object through to setGetterSlot.
2628         * runtime/SparseArrayValueMap.h:
2629             - Pass an object through to setGetterSlot.
2630
2631 2013-07-31  Yi Shen  <max.hong.shen@gmail.com>
2632
2633         Reduce JSC API static value setter/getter overhead.
2634         https://bugs.webkit.org/show_bug.cgi?id=119277
2635
2636         Reviewed by Geoffrey Garen.
2637
2638         Add property name to the static value entry, so that OpaqueJSString::create() doesn't
2639         need to be called every time the static value is set or retrieved.
2640
2641         * API/JSCallbackObjectFunctions.h:
2642         (JSC::::put):
2643         (JSC::::putByIndex):
2644         (JSC::::getStaticValue):
2645         * API/JSClassRef.cpp:
2646         (OpaqueJSClassContextData::OpaqueJSClassContextData):
2647         * API/JSClassRef.h:
2648         (StaticValueEntry::StaticValueEntry):
2649
2650 2013-07-31  Kwang Yul Seo  <skyul@company100.net>
2651
2652         Use emptyString instead of String("")
2653         https://bugs.webkit.org/show_bug.cgi?id=119335
2654
2655         Reviewed by Darin Adler.
2656
2657         Use emptyString() instead of String("") because it is better style and
2658         faster. This is a followup to r116908, removing all occurrences of
2659         String("") from WebKit.
2660
2661         * runtime/RegExpConstructor.cpp:
2662         (JSC::constructRegExp):
2663         * runtime/RegExpPrototype.cpp:
2664         (JSC::regExpProtoFuncCompile):
2665         * runtime/StringPrototype.cpp:
2666         (JSC::stringProtoFuncMatch):
2667         (JSC::stringProtoFuncSearch):
2668
2669 2013-07-31  Ruth Fong  <ruth_fong@apple.com>
2670
2671         <input type=color> Mac UI behaviour
2672         <rdar://problem/10269922> and https://bugs.webkit.org/show_bug.cgi?id=61276
2673
2674         Reviewed by Brady Eidson.
2675
2676         * Configurations/FeatureDefines.xcconfig: Enabled INPUT_TYPE_COLOR.
2677
2678 2013-07-31  Mark Hahnenberg  <mhahnenberg@apple.com>
2679
2680         DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT
2681         https://bugs.webkit.org/show_bug.cgi?id=119349
2682
2683         Reviewed by Geoffrey Garen.
2684
2685         Prior to this patch, the baseline JIT was responsible for resizing the ctiOffsets Vector for 
2686         SimpleJumpTables to be equal to the size of the branchOffsets Vector. The DFG implicitly relied
2687         on code it compiled with any switch statements to have been run in the baseline JIT first. 
2688         However, if the DFG chooses to inline a function that has never been compiled by the baseline 
2689         JIT then this resizing never happens and we crash at link time in the DFG.
2690
2691         We can fix this by also doing the resize in the DFG to catch this case.
2692
2693         * dfg/DFGJITCompiler.cpp:
2694         (JSC::DFG::JITCompiler::link):
2695
2696 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
2697
2698         Speculative Windows build fix.
2699
2700         Reviewed by NOBODY
2701
2702         * runtime/JSString.cpp:
2703         (JSC::JSRopeString::getIndexSlowCase):
2704         * runtime/JSString.h:
2705
2706 2013-07-30  Gavin Barraclough  <barraclough@apple.com>
2707
2708         Some cleanup in JSValue::get
2709         https://bugs.webkit.org/show_bug.cgi?id=119343
2710
2711         Reviewed by Geoff Garen.
2712
2713         JSValue::get is implemented to:
2714             1) Check if the value is a cell – if not, synthesize a prototype to search,
2715             2) call getOwnPropertySlot on the cell,
2716             3) if this returns false, cast to JSObject to get the prototype, and walk the prototype chain.
2717         By all rights this should crash when passed a string and accessing a property that does not exist, because
2718         the string is a cell, getOwnPropertySlot should return false, and the cast to JSObject should be unsafe.
2719         To work around this, JSString::getOwnPropertySlot actually implements 'get' functionality - searching the
2720         prototype chain, and faking out a return value of undefined if no property is found.
2721
2722         This is a huge hazard, since fixing JSString::getOwnPropertySlot or calling getOwnPropertySlot on cells
2723         from elsewhere would introduce bugs. Fortunately it is only ever called in this one place.
2724
2725         The fix here is to move getOwnPropertySlot onto JSObject and end this madness - cells don't have property
2726         slots anyway.
2727
2728         Interesting changes are in JSCJSValueInlines.h, JSString.cpp - the rest is pretty much all JSCell -> JSObject.
2729
2730 2013-07-31  Michael Saboff  <msaboff@apple.com>
2731
2732         [Win] JavaScript crash.
2733         https://bugs.webkit.org/show_bug.cgi?id=119339
2734
2735         Reviewed by Mark Hahnenberg.
2736
2737         * jit/JITStubsX86.h: Implement ctiVMThrowTrampoline and
2738         ctiVMThrowTrampolineSlowpath the same way as the gcc x86 version does.
2739
2740 2013-07-30  Mark Hahnenberg  <mhahnenberg@apple.com>
2741
2742         GetByVal on Arguments does the wrong size load when checking the Arguments object length
2743         https://bugs.webkit.org/show_bug.cgi?id=119281
2744
2745         Reviewed by Geoffrey Garen.
2746
2747         This leads to out of bounds accesses and subsequent crashes.
2748
2749         * dfg/DFGSpeculativeJIT.cpp:
2750         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
2751         * dfg/DFGSpeculativeJIT64.cpp:
2752         (JSC::DFG::SpeculativeJIT::compile):
2753
2754 2013-07-30  Oliver Hunt  <oliver@apple.com>
2755
2756         Add an assertion to SpeculateCellOperand
2757         https://bugs.webkit.org/show_bug.cgi?id=119276
2758
2759         Reviewed by Michael Saboff.
2760
2761         More assertions are better
2762
2763         * dfg/DFGSpeculativeJIT64.cpp:
2764         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2765         (JSC::DFG::SpeculativeJIT::compile):
2766
2767 2013-07-30  Mark Lam  <mark.lam@apple.com>
2768
2769         Fix problems with divot and lineStart mismatches.
2770         https://bugs.webkit.org/show_bug.cgi?id=118662
2771
2772         Reviewed by Oliver Hunt.
2773
2774         r152494 added the recording of lineStart values for divot positions.
2775         This is needed for the computation of column numbers. Similarly, it also
2776         added the recording of line numbers for the divot positions. One problem
2777         with the approach taken was that the line and lineStart values were
2778         recorded independently, and hence were not always guaranteed to be
2779         sampled at the same place that the divot position is recorded. This
2780         resulted in potential mismatches that cause some assertions to fail.
2781
2782         The solution is to introduce a JSTextPosition abstraction that records
2783         the divot position, line, and lineStart as a single quantity. Wherever
2784         we record the divot position as an unsigned int previously, we now record
2785         its JSTextPosition which captures all 3 values in one go. This ensures
2786         that the captured line and lineStart will always match the captured divot
2787         position.
2788
2789         * bytecompiler/BytecodeGenerator.cpp:
2790         (JSC::BytecodeGenerator::emitCall):
2791         (JSC::BytecodeGenerator::emitCallEval):
2792         (JSC::BytecodeGenerator::emitCallVarargs):
2793         (JSC::BytecodeGenerator::emitConstruct):
2794         (JSC::BytecodeGenerator::emitDebugHook):
2795         - Use JSTextPosition instead of passing line and lineStart explicitly.
2796         * bytecompiler/BytecodeGenerator.h:
2797         (JSC::BytecodeGenerator::emitExpressionInfo):
2798         - Use JSTextPosition instead of passing line and lineStart explicitly.
2799         * bytecompiler/NodesCodegen.cpp:
2800         (JSC::ThrowableExpressionData::emitThrowReferenceError):
2801         (JSC::ResolveNode::emitBytecode):
2802         (JSC::BracketAccessorNode::emitBytecode):
2803         (JSC::DotAccessorNode::emitBytecode):
2804         (JSC::NewExprNode::emitBytecode):
2805         (JSC::EvalFunctionCallNode::emitBytecode):
2806         (JSC::FunctionCallValueNode::emitBytecode):
2807         (JSC::FunctionCallResolveNode::emitBytecode):
2808         (JSC::FunctionCallBracketNode::emitBytecode):
2809         (JSC::FunctionCallDotNode::emitBytecode):
2810         (JSC::CallFunctionCallDotNode::emitBytecode):
2811         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2812         (JSC::PostfixNode::emitResolve):
2813         (JSC::PostfixNode::emitBracket):
2814         (JSC::PostfixNode::emitDot):
2815         (JSC::DeleteResolveNode::emitBytecode):
2816         (JSC::DeleteBracketNode::emitBytecode):
2817         (JSC::DeleteDotNode::emitBytecode):
2818         (JSC::PrefixNode::emitResolve):
2819         (JSC::PrefixNode::emitBracket):
2820         (JSC::PrefixNode::emitDot):
2821         (JSC::UnaryOpNode::emitBytecode):
2822         (JSC::BinaryOpNode::emitStrcat):
2823         (JSC::BinaryOpNode::emitBytecode):
2824         (JSC::ThrowableBinaryOpNode::emitBytecode):
2825         (JSC::InstanceOfNode::emitBytecode):
2826         (JSC::emitReadModifyAssignment):
2827         (JSC::ReadModifyResolveNode::emitBytecode):
2828         (JSC::AssignResolveNode::emitBytecode):
2829         (JSC::AssignDotNode::emitBytecode):
2830         (JSC::ReadModifyDotNode::emitBytecode):
2831         (JSC::AssignBracketNode::emitBytecode):
2832         (JSC::ReadModifyBracketNode::emitBytecode):
2833         (JSC::ForInNode::emitBytecode):
2834         (JSC::WithNode::emitBytecode):
2835         (JSC::ThrowNode::emitBytecode):
2836         - Use JSTextPosition instead of passing line and lineStart explicitly.
2837         * parser/ASTBuilder.h:
2838         - Replaced ASTBuilder::PositionInfo with JSTextPosition.
2839         (JSC::ASTBuilder::BinaryOpInfo::BinaryOpInfo):
2840         (JSC::ASTBuilder::AssignmentInfo::AssignmentInfo):
2841         (JSC::ASTBuilder::createResolve):
2842         (JSC::ASTBuilder::createBracketAccess):
2843         (JSC::ASTBuilder::createDotAccess):
2844         (JSC::ASTBuilder::createRegExp):
2845         (JSC::ASTBuilder::createNewExpr):
2846         (JSC::ASTBuilder::createAssignResolve):
2847         (JSC::ASTBuilder::createExprStatement):
2848         (JSC::ASTBuilder::createForInLoop):
2849         (JSC::ASTBuilder::createReturnStatement):
2850         (JSC::ASTBuilder::createBreakStatement):
2851         (JSC::ASTBuilder::createContinueStatement):
2852         (JSC::ASTBuilder::createLabelStatement):
2853         (JSC::ASTBuilder::createWithStatement):
2854         (JSC::ASTBuilder::createThrowStatement):
2855         (JSC::ASTBuilder::appendBinaryExpressionInfo):
2856         (JSC::ASTBuilder::appendUnaryToken):
2857         (JSC::ASTBuilder::unaryTokenStackLastStart):
2858         (JSC::ASTBuilder::assignmentStackAppend):
2859         (JSC::ASTBuilder::createAssignment):
2860         (JSC::ASTBuilder::setExceptionLocation):
2861         (JSC::ASTBuilder::makeDeleteNode):
2862         (JSC::ASTBuilder::makeFunctionCallNode):
2863         (JSC::ASTBuilder::makeBinaryNode):
2864         (JSC::ASTBuilder::makeAssignNode):
2865         (JSC::ASTBuilder::makePrefixNode):
2866         (JSC::ASTBuilder::makePostfixNode):
2867         - Use JSTextPosition instead of passing line and lineStart explicitly.
2868         * parser/Lexer.cpp:
2869         (JSC::::lex):
2870         - Added support for capturing the appropriate JSTextPositions instead
2871           of just the character offset.
2872         * parser/Lexer.h:
2873         (JSC::Lexer::currentPosition):
2874         (JSC::::lexExpectIdentifier):
2875         - Added support for capturing the appropriate JSTextPositions instead
2876           of just the character offset.
2877         * parser/NodeConstructors.h:
2878         (JSC::Node::Node):
2879         (JSC::ResolveNode::ResolveNode):
2880         (JSC::EvalFunctionCallNode::EvalFunctionCallNode):
2881         (JSC::FunctionCallValueNode::FunctionCallValueNode):
2882         (JSC::FunctionCallResolveNode::FunctionCallResolveNode):
2883         (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
2884         (JSC::FunctionCallDotNode::FunctionCallDotNode):
2885         (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
2886         (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
2887         (JSC::PostfixNode::PostfixNode):
2888         (JSC::DeleteResolveNode::DeleteResolveNode):
2889         (JSC::DeleteBracketNode::DeleteBracketNode):
2890         (JSC::DeleteDotNode::DeleteDotNode):
2891         (JSC::PrefixNode::PrefixNode):
2892         (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
2893         (JSC::ReadModifyBracketNode::ReadModifyBracketNode):
2894         (JSC::AssignBracketNode::AssignBracketNode):
2895         (JSC::AssignDotNode::AssignDotNode):
2896         (JSC::ReadModifyDotNode::ReadModifyDotNode):
2897         (JSC::AssignErrorNode::AssignErrorNode):
2898         (JSC::WithNode::WithNode):
2899         (JSC::ForInNode::ForInNode):
2900         - Use JSTextPosition instead of passing line and lineStart explicitly.
2901         * parser/Nodes.cpp:
2902         (JSC::StatementNode::setLoc):
2903         - Use JSTextPosition instead of passing line and lineStart explicitly.
2904         * parser/Nodes.h:
2905         (JSC::Node::lineNo):
2906         (JSC::Node::startOffset):
2907         (JSC::Node::lineStartOffset):
2908         (JSC::Node::position):
2909         (JSC::ThrowableExpressionData::ThrowableExpressionData):
2910         (JSC::ThrowableExpressionData::setExceptionSourceCode):
2911         (JSC::ThrowableExpressionData::divot):
2912         (JSC::ThrowableExpressionData::divotStart):
2913         (JSC::ThrowableExpressionData::divotEnd):
2914         (JSC::ThrowableSubExpressionData::ThrowableSubExpressionData):
2915         (JSC::ThrowableSubExpressionData::setSubexpressionInfo):
2916         (JSC::ThrowableSubExpressionData::subexpressionDivot):
2917         (JSC::ThrowableSubExpressionData::subexpressionStart):
2918         (JSC::ThrowableSubExpressionData::subexpressionEnd):
2919         (JSC::ThrowablePrefixedSubExpressionData::ThrowablePrefixedSubExpressionData):
2920         (JSC::ThrowablePrefixedSubExpressionData::setSubexpressionInfo):
2921         (JSC::ThrowablePrefixedSubExpressionData::subexpressionDivot):
2922         (JSC::ThrowablePrefixedSubExpressionData::subexpressionStart):
2923         (JSC::ThrowablePrefixedSubExpressionData::subexpressionEnd):
2924         - Use JSTextPosition instead of passing line and lineStart explicitly.
2925         * parser/Parser.cpp:
2926         (JSC::::Parser):
2927         (JSC::::parseInner):
2928         - Use JSTextPosition instead of passing line and lineStart explicitly.
2929         (JSC::::didFinishParsing):
2930         - Remove setting of m_lastLine value. We always pass in the value from
2931           m_lastLine anyway. So, this assignment is effectively a nop.
2932         (JSC::::parseVarDeclaration):
2933         (JSC::::parseVarDeclarationList):
2934         (JSC::::parseForStatement):
2935         (JSC::::parseBreakStatement):
2936         (JSC::::parseContinueStatement):
2937         (JSC::::parseReturnStatement):
2938         (JSC::::parseThrowStatement):
2939         (JSC::::parseWithStatement):
2940         (JSC::::parseTryStatement):
2941         (JSC::::parseBlockStatement):
2942         (JSC::::parseFunctionDeclaration):
2943         (JSC::LabelInfo::LabelInfo):
2944         (JSC::::parseExpressionOrLabelStatement):
2945         (JSC::::parseExpressionStatement):
2946         (JSC::::parseAssignmentExpression):
2947         (JSC::::parseBinaryExpression):
2948         (JSC::::parseProperty):
2949         (JSC::::parsePrimaryExpression):
2950         (JSC::::parseMemberExpression):
2951         (JSC::::parseUnaryExpression):
2952         - Use JSTextPosition instead of passing line and lineStart explicitly.
2953         * parser/Parser.h:
2954         (JSC::Parser::next):
2955         (JSC::Parser::nextExpectIdentifier):
2956         (JSC::Parser::getToken):
2957         (JSC::Parser::tokenStartPosition):
2958         (JSC::Parser::tokenEndPosition):
2959         (JSC::Parser::lastTokenEndPosition):
2960         (JSC::::parse):
2961         - Use JSTextPosition instead of passing line and lineStart explicitly.
2962         * parser/ParserTokens.h:
2963         (JSC::JSTextPosition::JSTextPosition):
2964         (JSC::JSTextPosition::operator+):
2965         (JSC::JSTextPosition::operator-):
2966         (JSC::JSTextPosition::operator int):
2967         - Added JSTextPosition.
2968         * parser/SyntaxChecker.h:
2969         (JSC::SyntaxChecker::makeFunctionCallNode):
2970         (JSC::SyntaxChecker::makeAssignNode):
2971         (JSC::SyntaxChecker::makePrefixNode):
2972         (JSC::SyntaxChecker::makePostfixNode):
2973         (JSC::SyntaxChecker::makeDeleteNode):
2974         (JSC::SyntaxChecker::createResolve):
2975         (JSC::SyntaxChecker::createBracketAccess):
2976         (JSC::SyntaxChecker::createDotAccess):
2977         (JSC::SyntaxChecker::createRegExp):
2978         (JSC::SyntaxChecker::createNewExpr):
2979         (JSC::SyntaxChecker::createAssignResolve):
2980         (JSC::SyntaxChecker::createForInLoop):
2981         (JSC::SyntaxChecker::createReturnStatement):
2982         (JSC::SyntaxChecker::createBreakStatement):
2983         (JSC::SyntaxChecker::createContinueStatement):
2984         (JSC::SyntaxChecker::createWithStatement):
2985         (JSC::SyntaxChecker::createLabelStatement):
2986         (JSC::SyntaxChecker::createThrowStatement):
2987         (JSC::SyntaxChecker::appendBinaryExpressionInfo):
2988         (JSC::SyntaxChecker::operatorStackPop):
2989         - Use JSTextPosition instead of passing line and lineStart explicitly.
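
        Added example, not part of this ChangeLog or of WebKit's source: a JavaScript model of the
        JSTextPosition idea above. The record keeps offset, line and lineStart together and derives the
        column from them, and a small scanner captures all three in one step at every token start, so a
        captured position can never carry a line number that disagrees with its character offset. The
        class and function names, the whitespace-delimited token rule and the sample source string are
        assumptions made for the example; the handling of CR, LF and CRLF terminators is the example's own.

```javascript
'use strict';
// Added example (not WebKit code): a JSTextPosition-style record that keeps
// offset, line and lineStart together so they cannot drift apart.

class TextPosition {
  constructor(line, offset, lineStart) {
    this.line = line;           // 1-based line number
    this.offset = offset;       // absolute character offset into the source
    this.lineStart = lineStart; // offset of the first character of `line`
    Object.freeze(this);        // a captured position is immutable
  }
  // Column is derived, not stored, so it always agrees with the other fields.
  get column() { return this.offset - this.lineStart; }
  // Advance within the same line (the analogue of JSTextPosition::operator+).
  plus(n) { return new TextPosition(this.line, this.offset + n, this.lineStart); }
  toString() { return `${this.line}:${this.column}`; }
}

// Scan `source` and return the TextPosition of every token start, where a
// token is a maximal run of non-whitespace characters (an assumed, simplified
// token rule). LF, CR and CRLF all count as one line terminator.
function tokenPositions(source) {
  const positions = [];
  let line = 1, lineStart = 0, i = 0;
  while (i < source.length) {
    const ch = source[i];
    if (ch === '\n' || ch === '\r') {
      i += 1;
      if (ch === '\r' && source[i] === '\n') i += 1; // CRLF is a single terminator
      line += 1;
      lineStart = i;
      continue;
    }
    if (ch === ' ' || ch === '\t') { i += 1; continue; }
    // Token start: capture offset, line and lineStart as one value.
    positions.push(new TextPosition(line, i, lineStart));
    while (i < source.length && !' \t\r\n'.includes(source[i])) i += 1;
  }
  return positions;
}

// Human-readable "line:column" for each token start; the kind of string an
// error message or a divot-based source range would be built from.
function describePositions(source) {
  return tokenPositions(source).map(p => p.toString());
}
```

        The point of `get column()` is that there is no fourth field to keep in sync: a position that was
        captured after the scanner had already crossed a line terminator would show up as a wrong line number
        in the `toString()` output, which is exactly the mismatch the entry above removes.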
2990
2991 2013-07-29  Carlos Garcia Campos  <cgarcia@igalia.com>
2992
2993         Unreviewed. Fix make distcheck.
2994
2995         * GNUmakefile.list.am: Add missing files to compilation.
2996         * bytecode/CodeBlock.cpp: Add a ENABLE(FTL_JIT) #if block to
2997         include FTL header files not included in the compilation.
2998         * dfg/DFGDriver.cpp: Ditto.
2999         * dfg/DFGPlan.cpp: Ditto.
3000
3001 2013-07-29  Chris Curtis  <chris_curtis@apple.com>
3002
3003         Eager stack trace for error objects.
3004         https://bugs.webkit.org/show_bug.cgi?id=118918
3005
3006         Reviewed by Geoffrey Garen.
3007         
3008         Chrome and Firefox give error objects the stack property and we wanted to match
3009         that functionality. This allows developers to see the stack without throwing an object.
3010
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::finishCreation):
        For error objects that are not thrown as an exception, we pass the stackTrace in
        as a parameter. This allows the error object to have the stack property.
3015         
3016         * interpreter/Interpreter.cpp:
3017         (JSC::stackTraceAsString):
3018         Helper function used to eliminate duplicate code.
3019
3020         (JSC::Interpreter::addStackTraceIfNecessary):
3021         When an error object is created by the user the vm->exceptionStack is not set.
3022         If the user throws this error object later the stack that is in the error object 
3023         may not be the correct stack for the throw, so when we set the vm->exception stack,
3024         the stack property on the error object is set as well.
3025         
3026         * runtime/ErrorConstructor.cpp:
3027         (JSC::constructWithErrorConstructor):
3028         (JSC::callErrorConstructor):
3029         * runtime/NativeErrorConstructor.cpp:
3030         (JSC::constructWithNativeErrorConstructor):
3031         (JSC::callNativeErrorConstructor):
3032         These functions indicate that the user created an error object. For all error objects 
3033         that the user explicitly creates, the topCallFrame is at a new frame created to 
3034         handle the user's call. In this case though, the error object needs the caller's 
3035         frame to create the stack trace correctly.
3036         
3037         * interpreter/Interpreter.h:
3038         * runtime/ErrorInstance.h:
3039         (JSC::ErrorInstance::create):
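
        Added example, not part of this ChangeLog or of WebKit's source: the behaviour the entry above
        describes, used from JavaScript. An Error object is created but never thrown, and its eagerly
        populated `stack` property is parsed to record the call site of an operation. The parser accepts
        the two common frame formats, "    at fn (file:line:col)" (V8) and "fn@file:line:col" (JSC and
        SpiderMonkey); the function names and the audit-record shape are assumptions made for the example.

```javascript
'use strict';
// Added example, not WebKit code: recording a call site through the eagerly
// populated `stack` of an Error object that is never thrown.

// Parse one line of an Error.stack string. Accepts the V8 form
// "    at fn (file:line:col)" (or "    at file:line:col" for anonymous frames)
// and the JSC/SpiderMonkey form "fn@file:line:col". Returns null for lines
// that are not frames, such as the "Error: message" header V8 prepends.
function parseFrame(line) {
  const s = line.trim();
  let m = s.match(/^at\s+(?:(.*?)\s+\()?(.+?)\)?$/);
  if (m) return { fn: m[1] || '<anonymous>', location: m[2] };
  m = s.match(/^([^@]*)@(.+)$/);
  if (m) return { fn: m[1] || '<anonymous>', location: m[2] };
  return null;
}

// Turn a whole stack string into frame records, innermost first.
// Engines without a `stack` property yield an empty list rather than a crash.
function parseStack(stack) {
  if (typeof stack !== 'string') return [];
  return stack.split('\n').map(parseFrame).filter(f => f !== null);
}

// Return the caller's frames without throwing anything. The Error exists only
// to carry its stack; the frame for captureCallSite itself is dropped.
function captureCallSite() {
  const frames = parseStack(new Error('call site').stack);
  return frames.filter(f => !f.fn.endsWith('captureCallSite'));
}

// An operation we want an audit record for. It returns the record (assumed
// shape) instead of logging it, so callers and tests can inspect it.
function auditedOperation(userId) {
  return { userId, when: Date.now(), frames: captureCallSite() };
}
```

        Because the `stack` string carries file paths and line numbers, a record built this way is for
        server-side or developer logs; keep the `fn` field and drop `location` before handing it to anything
        outside the trust boundary.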
3040
3041 2013-07-29  Gavin Barraclough  <barraclough@apple.com>
3042
3043         Some cleanup in PropertySlot
3044         https://bugs.webkit.org/show_bug.cgi?id=119189
3045
3046         Reviewed by Geoff Garen.
3047
3048         PropertySlot represents a property in one of four states - value, getter, custom, or custom-index.
3049         The state is currently tracked redundantly by two mechanisms - the custom getter function (m_getValue)
3050         is set to a special value to indicate the type (other than custom), and the type is also tracked by
3051         an enum - but only if cacheable. Cacheability can typically be determined by the value of m_offset
3052         (this is invalidOffset if not cacheable).
3053
3054             * Internally, always track the type of the property using an enum value, PropertyType.
3055             * Use m_offset to indicate cacheable.
3056             * Keep the external interface (CachedPropertyType) unchanged.
3057             * Better pack data into the m_data union.
3058
3059         Performance neutral.
3060
3061         * dfg/DFGRepatch.cpp:
3062         (JSC::DFG::tryCacheGetByID):
3063         (JSC::DFG::tryBuildGetByIDList):
3064             - cachedPropertyType() -> isCacheable*()
3065         * jit/JITPropertyAccess.cpp:
3066         (JSC::JIT::privateCompileGetByIdProto):
3067         (JSC::JIT::privateCompileGetByIdSelfList):
3068         (JSC::JIT::privateCompileGetByIdProtoList):
3069         (JSC::JIT::privateCompileGetByIdChainList):
3070         (JSC::JIT::privateCompileGetByIdChain):
3071             - cachedPropertyType() -> isCacheable*()
3072         * jit/JITPropertyAccess32_64.cpp:
3073         (JSC::JIT::privateCompileGetByIdProto):
3074         (JSC::JIT::privateCompileGetByIdSelfList):
3075         (JSC::JIT::privateCompileGetByIdProtoList):
3076         (JSC::JIT::privateCompileGetByIdChainList):
3077         (JSC::JIT::privateCompileGetByIdChain):
3078             - cachedPropertyType() -> isCacheable*()
3079         * jit/JITStubs.cpp:
3080         (JSC::tryCacheGetByID):
3081             - cachedPropertyType() -> isCacheable*()
3082         * llint/LLIntSlowPaths.cpp:
3083         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3084             - cachedPropertyType() -> isCacheable*()
3085         * runtime/PropertySlot.cpp:
3086         (JSC::PropertySlot::functionGetter):
3087             - refactoring described above.
3088         * runtime/PropertySlot.h:
3089         (JSC::PropertySlot::PropertySlot):
3090         (JSC::PropertySlot::getValue):
3091         (JSC::PropertySlot::isCacheable):
3092         (JSC::PropertySlot::isCacheableValue):
3093         (JSC::PropertySlot::isCacheableGetter):
3094         (JSC::PropertySlot::isCacheableCustom):
3095         (JSC::PropertySlot::cachedOffset):
3096         (JSC::PropertySlot::customGetter):
3097         (JSC::PropertySlot::setValue):
3098         (JSC::PropertySlot::setCustom):
3099         (JSC::PropertySlot::setCacheableCustom):
3100         (JSC::PropertySlot::setCustomIndex):
3101         (JSC::PropertySlot::setGetterSlot):
3102         (JSC::PropertySlot::setCacheableGetterSlot):
3103         (JSC::PropertySlot::setUndefined):
3104         (JSC::PropertySlot::slotBase):
3105         (JSC::PropertySlot::setBase):
3106             - refactoring described above.
3107
3108 2013-07-28  Oliver Hunt  <oliver@apple.com>
3109
3110         REGRESSION: Crash when opening Facebook.com
3111         https://bugs.webkit.org/show_bug.cgi?id=119155
3112
3113         Reviewed by Andreas Kling.
3114
3115         Scope nodes are always objects, so we should be using SpecObjectOther
3116         rather than SpecCellOther.  Marking Scopes as CellOther leads to a
3117         contradiction in the CFA, resulting in bogus codegen.
3118
3119         * dfg/DFGAbstractInterpreterInlines.h:
3120         (JSC::DFG::::executeEffects):
3121         * dfg/DFGPredictionPropagationPhase.cpp:
3122         (JSC::DFG::PredictionPropagationPhase::propagate):
3123
3124 2013-07-26  Oliver Hunt  <oliver@apple.com>
3125
3126         REGRESSION(FTL?): Crashes in plugin tests
3127         https://bugs.webkit.org/show_bug.cgi?id=119141
3128
3129         Reviewed by Michael Saboff.
3130
3131         Re-export getStackTrace
3132
3133         * interpreter/Interpreter.h:
3134
3135 2013-07-26  Filip Pizlo  <fpizlo@apple.com>
3136
3137         REGRESSION: Crash when opening a message on Gmail
3138         https://bugs.webkit.org/show_bug.cgi?id=119105
3139
3140         Reviewed by Oliver Hunt and Mark Hahnenberg.
3141         
3142         - GetById patching in the DFG needs to be more disciplined about how it derives the
3143           slow path.
3144         
3145         - Fix some dumping code thread safety issues.
3146
3147         * bytecode/CallLinkStatus.cpp:
3148         (JSC::CallLinkStatus::dump):
3149         * bytecode/CodeBlock.cpp:
3150         (JSC::CodeBlock::dumpBytecode):
3151         * dfg/DFGRepatch.cpp:
3152         (JSC::DFG::getPolymorphicStructureList):
3153         (JSC::DFG::tryBuildGetByIDList):
3154
3155 2013-07-26  Balazs Kilvady  <kilvadyb@homejinni.com>
3156
3157         [mips] Fix LLINT build for mips backend
3158         https://bugs.webkit.org/show_bug.cgi?id=119152
3159
3160         Reviewed by Oliver Hunt.
3161
3162         * offlineasm/mips.rb:
3163
3164 2013-07-19  Mark Hahnenberg  <mhahnenberg@apple.com>
3165
3166         Setting a large numeric property on an object causes it to allocate a huge backing store
3167         https://bugs.webkit.org/show_bug.cgi?id=118914
3168
3169         Reviewed by Geoffrey Garen.
3170
3171         There are two distinct actions that we're trying to optimize for:
3172
3173         new Array(100000);
3174
3175         and:
3176
3177         a = [];
3178         a[100000] = 42;
3179         
3180         In the first case, the programmer has indicated that they expect this Array to be very big, 
3181         so they should get a contiguous array up until some threshold, above which we perform density 
3182         calculations to see if it is indeed dense enough to warrant being contiguous.
3183         
3184         In the second case, the programmer hasn't indicated anything about the size of the Array, so 
3185         we should be more conservative and assume it should be sparse until we've proven otherwise.
3186         
3187         Currently both of those cases are handled by MIN_SPARSE_ARRAY_INDEX. We should distinguish 
3188         between them for the purposes of not over-allocating large backing stores like we see on 
3189         http://www.peekanalytics.com/burgerjoints/
3190         
3191         The way that we'll do this is to keep the MIN_SPARSE_ARRAY_INDEX for the first case, and 
3192         introduce a new heuristic for the second case. If we are putting to an index above a certain 
3193         threshold (say, 1000) and it is beyond the length of the array, then we will use a sparse 
3194         map instead. So for example, in the second case above the empty array has a blank indexing 
3195         type and a length of 0. We put-by-val to an index > 1000 and > a.length, so we'll use a sparse map.
3196
        This fix is a ~800x speedup on the accompanying regression test :-o
3198
3199         * runtime/ArrayConventions.h:
3200         (JSC::indexIsSufficientlyBeyondLengthForSparseMap):
3201         * runtime/JSObject.cpp:
3202         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
3203         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
3204         (JSC::JSObject::putByIndexBeyondVectorLength):
3205         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
3206
3207 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
3208
3209         REGRESSION(FTL): Fix lots of crashes in sh4 baseline JIT.
3210         https://bugs.webkit.org/show_bug.cgi?id=119148
3211
3212         Reviewed by Csaba Osztrogonác.
3213
3214         * jit/JSInterfaceJIT.h: "secondArgumentRegister" is wrong for sh4.
3215         * llint/LowLevelInterpreter32_64.asm: "move t0, a0" is missing
3216         in nativeCallTrampoline for sh4. Reuse MIPS implementation to avoid
3217         code duplication.
3218
3219 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
3220
3221         REGRESSION(FTL): Crash in sh4 baseline JIT.
3222         https://bugs.webkit.org/show_bug.cgi?id=119138
3223
3224         Reviewed by Csaba Osztrogonác.
3225
3226         This crash is due to incomplete report of r150146 and r148474.
3227
3228         * jit/JITStubsSH4.h:
3229
3230 2013-07-26  Zan Dobersek  <zdobersek@igalia.com>
3231
3232         Unreviewed.
3233
3234         * Target.pri: Adding missing DFG files to the Qt build.
3235
3236 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3237
3238         GTK and Qt buildfix after the intrusive win buildfix r153360.
3239
3240         * GNUmakefile.list.am:
3241         * Target.pri:
3242
3243 2013-07-25  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
3244
3245         Unreviewed, fix build break after r153360.
3246
3247         * CMakeLists.txt: Add CommonSlowPathsExceptions.cpp.
3248
3249 2013-07-25  Roger Fong  <roger_fong@apple.com>
3250
3251         Unreviewed build fix, AppleWin port.
3252
3253         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3254         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3255         * JavaScriptCore.vcxproj/copy-files.cmd:
3256
3257 2013-07-25  Roger Fong  <roger_fong@apple.com>
3258
3259         Unreviewed. Followup to r153360.
3260
3261         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3262         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3263
3264 2013-07-25  Michael Saboff  <msaboff@apple.com>
3265
3266         [Windows] Speculative build fix.
3267
        Moved interpreterThrowInCaller() out of LLIntExceptions.cpp into new CommonSlowPathsExceptions.cpp
        that is always compiled.  Made LLInt::returnToThrow() conditional on LLINT being enabled.
3270
3271         * JavaScriptCore.xcodeproj/project.pbxproj:
3272         * llint/LLIntExceptions.cpp:
3273         * llint/LLIntExceptions.h:
3274         * llint/LLIntSlowPaths.cpp:
3275         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3276         * runtime/CommonSlowPaths.cpp:
3277         (JSC::SLOW_PATH_DECL):
3278         * runtime/CommonSlowPathsExceptions.cpp: Added.
3279         (JSC::CommonSlowPaths::interpreterThrowInCaller):
3280         * runtime/CommonSlowPathsExceptions.h: Added.
3281
3282 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
3283
3284         [Windows] Unreviewed build fix.
3285
3286         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing IntendedStructureChange.h,.cpp and
3287         parser/SourceCode.h,.cpp.
3288         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
3289
3290 2013-07-25  Anders Carlsson  <andersca@apple.com>
3291
3292         ASSERT(m_vm->apiLock().currentThreadIsHoldingLock()); fails for Safari on current ToT
3293         https://bugs.webkit.org/show_bug.cgi?id=119108
3294
3295         Reviewed by Mark Hahnenberg.
3296
3297         Add a currentThreadIsHoldingAPILock() function to VM that checks if the current thread is the exclusive API thread.
3298
3299         * heap/CopiedSpace.cpp:
3300         (JSC::CopiedSpace::tryAllocateSlowCase):
3301         * heap/Heap.cpp:
3302         (JSC::Heap::protect):
3303         (JSC::Heap::unprotect):
3304         (JSC::Heap::collect):
3305         * heap/MarkedAllocator.cpp:
3306         (JSC::MarkedAllocator::allocateSlowCase):
3307         * runtime/JSGlobalObject.cpp:
3308         (JSC::JSGlobalObject::init):
3309         * runtime/VM.h:
3310         (JSC::VM::currentThreadIsHoldingAPILock):
3311
3312 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3313
3314         REGRESSION(FTL): Most layout tests crashes
3315         https://bugs.webkit.org/show_bug.cgi?id=119089
3316
3317         Reviewed by Oliver Hunt.
3318
3319         * runtime/ExecutionHarness.h:
        (JSC::prepareForExecution): Move prepareForExecutionImpl call into its own statement. This prevents the GCC-compiled
        code from creating the PassOwnPtr<JSC::JITCode> (intended as a parameter to the installOptimizedCode call) from the jitCode
        RefPtr<JSC::JITCode> parameter before the latter was actually given a proper value through the prepareForExecutionImpl call.
        Currently it's created beforehand and therefore holds a null pointer before it's anchored as the JIT code in
        JSC::CodeBlock::setJITCode, which later indirectly causes assertions in JSC::CodeBlock::jitCompile.
3325         (JSC::prepareFunctionForExecution): Ditto for prepareFunctionForExecutionImpl.
3326
3327 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
3328
3329         [Windows] Unreviewed build fix.
3330
3331         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Add missing 'ftl'
3332         include path.
3333
3334 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
3335
3336         [Windows] Unreviewed build fix.
3337
3338         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add some missing files:
3339         runtime/VM.h,.cpp; Remove deleted JSGlobalData.h,.cpp.
3340         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
3341
3342 2013-07-25  Oliver Hunt  <oliver@apple.com>
3343
3344         Make all jit & non-jit combos build cleanly
3345         https://bugs.webkit.org/show_bug.cgi?id=119102
3346
3347         Reviewed by Anders Carlsson.
3348
3349         * bytecode/CodeBlock.cpp:
3350         (JSC::CodeBlock::counterValueForOptimizeSoon):
3351         * bytecode/CodeBlock.h:
3352         (JSC::CodeBlock::optimizeAfterWarmUp):
3353         (JSC::CodeBlock::numberOfDFGCompiles):
3354
3355 2013-07-25  Oliver Hunt  <oliver@apple.com>
3356
3357         32 bit portion of load validation logic
3358         https://bugs.webkit.org/show_bug.cgi?id=118878
3359
3360         Reviewed by NOBODY (Build fix).
3361
3362         * dfg/DFGSpeculativeJIT32_64.cpp:
3363         (JSC::DFG::SpeculativeJIT::compile):
3364
3365 2013-07-25  Oliver Hunt  <oliver@apple.com>
3366
3367         More 32bit build fixes
3368
        - Apparently some compilers don't track the fastcall directive everywhere we expect
3370
3371         * API/APICallbackFunction.h:
3372         (JSC::APICallbackFunction::call):
3373         * bytecode/CodeBlock.cpp:
3374         * runtime/Structure.cpp:
3375
3376 2013-07-25  Yi Shen  <max.hong.shen@gmail.com>
3377
3378         Optimize the thread locks for API Shims
3379         https://bugs.webkit.org/show_bug.cgi?id=118573
3380
3381         Reviewed by Geoffrey Garen.
3382
3383         Remove the thread lock from API Shims if the VM has an exclusive thread (e.g. the VM 
3384         only used by WebCore's main thread).
3385
3386         * API/APIShims.h:
3387         (JSC::APIEntryShim::APIEntryShim):
3388         (JSC::APICallbackShim::APICallbackShim):
3389         * runtime/JSLock.cpp:
3390         (JSC::JSLockHolder::JSLockHolder):
3391         (JSC::JSLockHolder::init):
3392         (JSC::JSLockHolder::~JSLockHolder):
3393         (JSC::JSLock::DropAllLocks::DropAllLocks):
3394         (JSC::JSLock::DropAllLocks::~DropAllLocks):
3395         * runtime/VM.cpp:
3396         (JSC::VM::VM):
3397         * runtime/VM.h:
3398
3399 2013-07-25  Christophe Dumez  <ch.dumez@sisa.samsung.com>
3400
3401         Unreviewed build fix after r153218.
3402
3403         Broke the EFL port build with gcc 4.7.
3404
3405         * interpreter/StackIterator.cpp:
3406         (JSC::printif):
3407
3408 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
3409
3410         Build fix: add missing #include.
3411         https://bugs.webkit.org/show_bug.cgi?id=119087
3412
3413         Reviewed by Allan Sandfeld Jensen.
3414
3415         * bytecode/ArrayProfile.cpp:
3416
3417 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
3418
3419         Unreviewed, build fix on the EFL port.
3420
3421         * CMakeLists.txt: Added JSCTestRunnerUtils.cpp.
3422
3423 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
3424
3425         [sh4] Add missing store8(TrustedImm32, void*) implementation in baseline JIT.
3426         https://bugs.webkit.org/show_bug.cgi?id=119083
3427
3428         Reviewed by Allan Sandfeld Jensen.
3429
3430         * assembler/MacroAssemblerSH4.h:
3431         (JSC::MacroAssemblerSH4::store8):
3432
3433 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
3434
3435         [Qt] Fix test build after FTL upstream
3436
3437         Unreviewed build fix.
3438
3439         * Target.pri:
3440
3441 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
3442
3443         [Qt] Build fix after FTL.
3444
        Unreviewed build fix.
3446
3447         * Target.pri:
3448         * interpreter/StackIterator.cpp:
3449         (JSC::StackIterator::Frame::print):
3450
3451 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
3452
3453         Unreviewed build fix after FTL upstream.
3454
3455         * dfg/DFGWorklist.cpp:
3456         (JSC::DFG::Worklist::~Worklist):
3457
3458 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
3459
3460         Unreviewed, build fix on the EFL port.
3461
3462         * CMakeLists.txt:
3463         Added SourceCode.cpp and removed BlackBerry file.
3464         * jit/JITCode.h:
3465         (JSC::JITCode::nextTierJIT):
        Fixed build break because of -Werror=return-type
3467         * parser/Lexer.cpp: Includes JSFunctionInlines.h
3468         * runtime/JSScope.h:
3469         (JSC::makeType):
        Fixed build break because of -Werror=return-type
3471
3472 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
3473
3474         Unreviewed build fixing after FTL upstream.
3475
3476         * runtime/Executable.cpp:
3477         (JSC::FunctionExecutable::produceCodeBlockFor):
3478
3479 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
3480
3481         Add missing implementation of bxxxnz in sh4 LLINT.
3482         https://bugs.webkit.org/show_bug.cgi?id=119079
3483
3484         Reviewed by Allan Sandfeld Jensen.
3485
3486         * offlineasm/sh4.rb:
3487
3488 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
3489
3490         Unreviewed, build fix on the Qt port.
3491
3492         * Target.pri: Add additional build files for the FTL.
3493
3494 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
3495
        Unreviewed buildfix after FTL upstream.
3497
3498         * interpreter/StackIterator.cpp:
3499         (JSC::StackIterator::Frame::codeType):
3500         (JSC::StackIterator::Frame::functionName):
3501         (JSC::StackIterator::Frame::sourceURL):
3502         (JSC::StackIterator::Frame::logicalFrame):
3503
3504 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3505
3506         Unreviewed.
3507
3508         * heap/CopyVisitor.cpp: Include CopiedSpaceInlines header so the CopiedSpace::recycleEvacuatedBlock
3509         method is not left undefined, causing build failures on (at least) the GTK port.
3510
3511 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3512
3513         Unreviewed, further build fixing on the GTK port.
3514
3515         * GNUmakefile.list.am: Add CompilationResult source files to the build.
3516
3517 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3518
3519         Unreviewed GTK build fixing.
3520
3521         * GNUmakefile.am: Make the shared libjsc library depend on any changes to the build target list.
3522         * GNUmakefile.list.am: Add additional build targets for files that were introduced by the FTL branch merge.
3523
3524 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3525
3526         Buildfix after this error:
3527         error: 'pathName' may be used uninitialized in this function [-Werror=uninitialized]
3528
3529         * dfg/DFGPlan.cpp:
3530         (JSC::DFG::Plan::compileInThread):
3531
3532 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3533
3534         One more buildfix after FTL upstream.
3535
3536         Return a dummy value after RELEASE_ASSERT_NOT_REACHED() to make GCC happy.
3537
3538         * dfg/DFGLazyJSValue.cpp:
3539         (JSC::DFG::LazyJSValue::getValue):
3540         (JSC::DFG::LazyJSValue::strictEqual):
3541
3542 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
3543
3544         Fix "Unhandled opcode localAnnotation" build error in sh4 and mips LLINT.
3545         https://bugs.webkit.org/show_bug.cgi?id=119076
3546
3547         Reviewed by Allan Sandfeld Jensen.
3548
3549         * offlineasm/mips.rb:
3550         * offlineasm/sh4.rb:
3551
3552 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3553
3554         Unreviewed GTK build fix.
3555
3556         * GNUmakefile.list.am: Adding JSCTestRunnerUtils files to the build.
3557
3558 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3559
3560         Unreviewed. Further build fixing for the GTK port. Adding the forwarding header
3561         for JSCTestRunnerUtils.h as required by the DumpRenderTree compilation.
3562
3563         * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h: Added.
3564
3565 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3566
3567         Unreviewed. Fixing the GTK build after the FTL merging by updating the build targets list.
3568
3569         * GNUmakefile.am:
3570         * GNUmakefile.list.am:
3571
3572 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
3573
3574         Unreviewed buildfix after FTL upstream.
3575
3576         * runtime/JSScope.h:
3577         (JSC::needsVarInjectionChecks):
3578
3579 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3580
3581         One more fix after FTL upstream.
3582
3583         * Target.pri:
3584         * bytecode/CodeBlock.h:
3585         * bytecode/GetByIdStatus.h:
3586         (JSC::GetByIdStatus::GetByIdStatus):
3587
3588 2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>
3589
3590         Unreviewed buildfix after FTL upstream.
3591
3592         Add ftl directory as include path.
3593
3594         * CMakeLists.txt:
3595         * JavaScriptCore.pri:
3596
3597 2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>
3598
3599         Unreviewed buildfix after FTL upstream for non C++11 builds.
3600
3601         * interpreter/CallFrame.h:
3602         * interpreter/StackIteratorPrivate.h:
3603         (JSC::StackIterator::end):
3604
3605 2013-07-24  Oliver Hunt  <oliver@apple.com>
3606
3607         Endeavour to fix CMakelist builds
3608
3609         * CMakeLists.txt:
3610
3611 2013-07-24  Filip Pizlo  <fpizlo@apple.com>
3612
3613         fourthTier: DFG IR dumps should be easier to read
3614         https://bugs.webkit.org/show_bug.cgi?id=119050
3615
3616         Reviewed by Mark Hahnenberg.
3617         
3618         Added a DumpContext that includes support for printing an endnote
3619         that describes all structures in full, while the main flow of the
3620         dump just uses made-up names for the structures. This is helpful
3621         since Structure::dump() may print a lot. The stuff it prints is
3622         useful, but if it's all inline with the surrounding thing you're
3623         dumping (often, a node in the DFG), then you get a ridiculously
3624         long print-out. All classes that dump structures (including
3625         Structure itself) now have dumpInContext() methods that use
3626         inContext() for dumping anything that might transitively print a
3627         structure. If Structure::dumpInContext() is called with a NULL
3628         context, it just uses dump() like before. Hence you don't have to
3629         know anything about DumpContext unless you want to.
3630         
3631         inContext(*structure, context) dumps something like %B4:Array,
3632         and the endnote will have something like:
3633         
3634             %B4:Array    = 0x10e91a180:[Array, {Edge:100, Normal:101, Line:102, NumPx:103, LastPx:104}, ArrayWithContiguous, Proto:0x10e99ffe0]
3635         
3636         where B4 is the inferred name that StringHashDumpContext came up
3637         with.
3638         
3639         Also shortened a bunch of other dumps, removing information that
3640         isn't so important.
3641         
3642         * JavaScriptCore.xcodeproj/project.pbxproj:
3643         * bytecode/ArrayProfile.cpp:
3644         (JSC::dumpArrayModes):
3645         * bytecode/CodeBlockHash.cpp:
3646         (JSC):
3647         (JSC::CodeBlockHash::CodeBlockHash):
3648         (JSC::CodeBlockHash::dump):
3649         * bytecode/CodeOrigin.cpp:
3650         (JSC::CodeOrigin::dumpInContext):
3651         (JSC):
3652         (JSC::InlineCallFrame::dumpInContext):
3653         (JSC::InlineCallFrame::dump):
3654         * bytecode/CodeOrigin.h:
3655         (CodeOrigin):
3656         (InlineCallFrame):
3657         * bytecode/Operands.h:
3658         (JSC::OperandValueTraits::isEmptyForDump):
3659         (Operands):
3660         (JSC::Operands::dump):
3661         (JSC):
3662         * bytecode/OperandsInlines.h: Added.
3663         (JSC):
3664         (JSC::::dumpInContext):
3665         * bytecode/StructureSet.h:
3666         (JSC::StructureSet::dumpInContext):
3667         (JSC::StructureSet::dump):
3668         (StructureSet):
3669         * dfg/DFGAbstractValue.cpp:
3670         (JSC::DFG::AbstractValue::dump):
3671         (DFG):
3672         (JSC::DFG::AbstractValue::dumpInContext):
3673         * dfg/DFGAbstractValue.h:
3674         (JSC::DFG::AbstractValue::operator!):
3675         (AbstractValue):
3676         * dfg/DFGCFAPhase.cpp:
3677         (JSC::DFG::CFAPhase::performBlockCFA):
3678         * dfg/DFGCommon.cpp:
3679         * dfg/DFGCommon.h:
3680         (JSC::DFG::NodePointerTraits::isEmptyForDump):
3681         * dfg/DFGDisassembler.cpp:
3682         (JSC::DFG::Disassembler::createDumpList):
3683         * dfg/DFGDisassembler.h:
3684         (Disassembler):
3685         * dfg/DFGFlushFormat.h:
3686         (WTF::inContext):
3687         (WTF):
3688         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
3689         * dfg/DFGGraph.cpp:
3690         (JSC::DFG::Graph::dumpCodeOrigin):
3691         (JSC::DFG::Graph::dump):
3692         (JSC::DFG::Graph::dumpBlockHeader):
3693         * dfg/DFGGraph.h:
3694         (Graph):
3695         * dfg/DFGLazyJSValue.cpp:
3696         (JSC::DFG::LazyJSValue::dumpInContext):
3697         (JSC::DFG::LazyJSValue::dump):
3698         (DFG):
3699         * dfg/DFGLazyJSValue.h:
3700         (LazyJSValue):
3701         * dfg/DFGNode.h:
3702         (JSC::DFG::nodeMapDump):
3703         (WTF::inContext):
3704         (WTF):
3705         * dfg/DFGOSRExitCompiler32_64.cpp:
3706         (JSC::DFG::OSRExitCompiler::compileExit):
3707         * dfg/DFGOSRExitCompiler64.cpp:
3708         (JSC::DFG::OSRExitCompiler::compileExit):
3709         * dfg/DFGStructureAbstractValue.h:
3710         (JSC::DFG::StructureAbstractValue::dumpInContext):
3711         (JSC::DFG::StructureAbstractValue::dump):
3712         (StructureAbstractValue):
3713         * ftl/FTLExitValue.cpp:
3714         (JSC::FTL::ExitValue::dumpInContext):
3715         (JSC::FTL::ExitValue::dump):
3716         (FTL):
3717         * ftl/FTLExitValue.h:
3718         (ExitValue):
3719         * ftl/FTLLowerDFGToLLVM.cpp:
3720         * ftl/FTLValueSource.cpp:
3721         (JSC::FTL::ValueSource::dumpInContext):
3722         (FTL):
3723         * ftl/FTLValueSource.h:
3724         (ValueSource):
3725         * runtime/DumpContext.cpp: Added.
3726         (JSC):
3727         (JSC::DumpContext::DumpContext):
3728         (JSC::DumpContext::~DumpContext):
3729         (JSC::DumpContext::isEmpty):
3730         (JSC::DumpContext::dump):
3731         * runtime/DumpContext.h: Added.
3732         (JSC):
3733         (DumpContext):
3734         * runtime/JSCJSValue.cpp:
3735         (JSC::JSValue::dump):
3736         (JSC):
3737         (JSC::JSValue::dumpInContext):
3738         * runtime/JSCJSValue.h:
3739         (JSC):
3740         (JSValue):
3741         * runtime/Structure.cpp:
3742         (JSC::Structure::dumpInContext):
3743         (JSC):
3744         (JSC::Structure::dumpBrief):
3745         (JSC::Structure::dumpContextHeader):
3746         * runtime/Structure.h:
3747         (JSC):
3748         (Structure):
3749
3750 2013-07-22  Filip Pizlo  <fpizlo@apple.com>
3751
3752         fourthTier: DFG should do a high-level LICM before going to FTL
3753         https://bugs.webkit.org/show_bug.cgi?id=118749
3754
3755         Reviewed by Oliver Hunt.
3756         
3757         Implements LICM hoisting for nodes that never write anything and never read
3758         things that are clobbered by the loop. There are some other preconditions for
3759         hoisting, see DFGLICMPhase.cpp.
3760
3761         Also did a few fixes:
3762         
3763         - ClobberSet::add was failing to switch Super entries to Direct entries in
3764           some cases.
3765         
3766         - DFGClobberize.cpp needed to #include "Operations.h".
3767         
3768         - DCEPhase needs to process the graph in reverse DFS order, when we're in SSA.
3769         
3770         - AbstractInterpreter can now execute a Node without knowing its indexInBlock.
3771           Knowing the indexInBlock is an optional optimization that all other clients
3772           of AI still opt into, but LICM doesn't.
3773         
3774         This makes the FTL a 2.19x speed-up on imaging-gaussian-blur.
3775
3776         * JavaScriptCore.xcodeproj/project.pbxproj:
3777         * dfg/DFGAbstractInterpreter.h:
3778         (AbstractInterpreter):
3779         * dfg/DFGAbstractInterpreterInlines.h:
3780         (JSC::DFG::::executeEffects):
3781         (JSC::DFG::::execute):
3782         (DFG):
3783         (JSC::DFG::::clobberWorld):
3784         (JSC::DFG::::clobberStructures):
3785         * dfg/DFGAtTailAbstractState.cpp: Added.
3786         (DFG):
3787         (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
3788         (JSC::DFG::AtTailAbstractState::~AtTailAbstractState):
3789         (JSC::DFG::AtTailAbstractState::createValueForNode):
3790         (JSC::DFG::AtTailAbstractState::forNode):
3791         * dfg/DFGAtTailAbstractState.h: Added.
3792         (DFG):
3793         (AtTailAbstractState):
3794         (JSC::DFG::AtTailAbstractState::initializeTo):
3795         (JSC::DFG::AtTailAbstractState::forNode):
3796         (JSC::DFG::AtTailAbstractState::variables):
3797         (JSC::DFG::AtTailAbstractState::block):
3798         (JSC::DFG::AtTailAbstractState::isValid):
3799         (JSC::DFG::AtTailAbstractState::setDidClobber):
3800         (JSC::DFG::AtTailAbstractState::setIsValid):
3801         (JSC::DFG::AtTailAbstractState::setBranchDirection):
3802         (JSC::DFG::AtTailAbstractState::setFoundConstants):
3803         (JSC::DFG::AtTailAbstractState::haveStructures):
3804         (JSC::DFG::AtTailAbstractState::setHaveStructures):
3805         * dfg/DFGBasicBlock.h:
3806         (JSC::DFG::BasicBlock::insertBeforeLast):
3807         * dfg/DFGBasicBlockInlines.h:
3808         (DFG):
3809         * dfg/DFGClobberSet.cpp:
3810         (JSC::DFG::ClobberSet::add):
3811         (JSC::DFG::ClobberSet::addAll):
3812         * dfg/DFGClobberize.cpp:
3813         (JSC::DFG::doesWrites):
3814         * dfg/DFGClobberize.h:
3815         (DFG):
3816         * dfg/DFGDCEPhase.cpp:
3817         (JSC::DFG::DCEPhase::DCEPhase):
3818         (JSC::DFG::DCEPhase::run):
3819         (JSC::DFG::DCEPhase::fixupBlock):
3820         (DCEPhase):
3821         * dfg/DFGEdgeDominates.h: Added.
3822         (DFG):
3823         (EdgeDominates):
3824         (JSC::DFG::EdgeDominates::EdgeDominates):
3825         (JSC::DFG::EdgeDominates::operator()):
3826         (JSC::DFG::EdgeDominates::result):
3827         (JSC::DFG::edgesDominate):
3828         * dfg/DFGFixupPhase.cpp:
3829         (JSC::DFG::FixupPhase::fixupNode):
3830         (JSC::DFG::FixupPhase::checkArray):
3831         * dfg/DFGLICMPhase.cpp: Added.
3832         (LICMPhase):
3833         (JSC::DFG::LICMPhase::LICMPhase):
3834         (JSC::DFG::LICMPhase::run):
3835         (JSC::DFG::LICMPhase::attemptHoist):
3836         (DFG):
3837         (JSC::DFG::performLICM):
3838         * dfg/DFGLICMPhase.h: Added.
3839         (DFG):
3840         * dfg/DFGPlan.cpp:
3841         (JSC::DFG::Plan::compileInThreadImpl):
3842
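Added worked model, not JSC's code, placed between the LICM entry above and the 2013-07-21 AbstractHeap entry below that it illustrates: the Kind(payload) -> Kind(TOP) -> World hierarchy, the single-map direct/super ClobberSet behind that entry's four overlap examples, the ClobberSet::add super-to-direct fix the LICM entry mentions, and the hoisting precondition (writes nothing, reads nothing the loop clobbers). The Kind enum values, the Top sentinel, std::map standing in for the HashMap, and the Node struct are assumptions.

```cpp
// Added worked model, not JSC's own code: the three-level AbstractHeap hierarchy,
// the direct/super ClobberSet, and the LICM "reads nothing the loop writes" check.
#include <cstdint>
#include <map>
#include <vector>

enum Kind { World, Variables, NamedProperties }; // three of the Kinds the entry names
constexpr int64_t Top = -1;                      // stands in for the TOP payload

struct AbstractHeap {
    Kind kind;
    int64_t payload; // Top for a Kind-level heap; World is always {World, Top}
    bool operator<(const AbstractHeap& o) const {
        return kind != o.kind ? kind < o.kind : payload < o.payload;
    }
    bool hasSupertype() const { return kind != World; }
    AbstractHeap supertype() const { // Kind(payload) -> Kind(TOP) -> World
        return payload != Top ? AbstractHeap{kind, Top} : AbstractHeap{World, Top};
    }
};

// One map (JSC uses a HashMap): true = direct member, false = super member only.
class ClobberSet {
public:
    void add(AbstractHeap heap) {
        m_map[heap] = true; // an earlier super entry becomes direct (the add() fix)
        while (heap.hasSupertype()) {
            heap = heap.supertype();
            m_map.insert({heap, false}); // insert never downgrades a direct entry
        }
    }
    bool overlaps(AbstractHeap heap) const {
        if (m_map.count(heap)) return true; // the heap itself is a member, direct or super
        while (heap.hasSupertype()) {       // or one of its ancestors is a direct member
            heap = heap.supertype();
            auto it = m_map.find(heap);
            if (it != m_map.end() && it->second) return true;
        }
        return false;
    }
private:
    std::map<AbstractHeap, bool> m_map;
};

// Examples #1-#4 in the entry all have this shape: add heap(s), then query one heap.
bool overlapsAfterAdd(const std::vector<AbstractHeap>& added, AbstractHeap queried) {
    ClobberSet set;
    for (AbstractHeap h : added) set.add(h);
    return set.overlaps(queried);
}

struct Node { std::vector<AbstractHeap> reads, writes; }; // hypothetical node shape

// LICM precondition: the node writes nothing and reads nothing the loop body may write.
bool canHoist(const Node& node, const std::vector<Node>& loopBody) {
    if (!node.writes.empty()) return false;
    ClobberSet loopWrites;
    for (const Node& n : loopBody)
        for (AbstractHeap h : n.writes) loopWrites.add(h);
    for (AbstractHeap h : node.reads)
        if (loopWrites.overlaps(h)) return false;
    return true;
}
```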
3843 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
3844
3845         fourthTier: DFG Nodes should be able to abstractly tell you what they read and what they write
3846         https://bugs.webkit.org/show_bug.cgi?id=118910
3847
3848         Reviewed by Sam Weinig.
3849         
3850         Add the notion of AbstractHeap to the DFG. This is analogous to the AbstractHeap in
3851         the FTL, except that the FTL's AbstractHeaps are used during LLVM lowering and are
3852         engineered to obey LLVM TBAA logic. The FTL's AbstractHeaps are also engineered to
3853         be inexpensive to use (they just give you a TBAA node) but expensive to create (you
3854         create them all up front). FTL AbstractHeaps also don't actually give you the
3855         ability to reason about aliasing; they are *just* a mechanism for lowering to TBAA.
3856         The DFG's AbstractHeaps are engineered to be both cheap to create and cheap to use.
3857         They also give you aliasing machinery. The DFG AbstractHeaps are represented
3858         internally by an int64_t. Many comparisons between them are just integer comparisons.
3859         AbstractHeaps form a three-level hierarchy (World is the supertype of everything,
3860         Kind with a TOP payload is a direct subtype of World, and Kind with a non-TOP
3861         payload is the direct subtype of its corresponding TOP Kind).
3862         
3863         Add the notion of a ClobberSet. This is the set of AbstractHeaps that you had
3864         clobbered. It represents the set that results from unifying a bunch of
3865         AbstractHeaps, and is intended to quickly answer overlap questions: does the given
3866         AbstractHeap overlap any AbstractHeap in the ClobberSet? To this end, if you add an
3867         AbstractHeap to a set, it "directly" adds the heap itself, and "super" adds all of
3868         its ancestors. An AbstractHeap is said to overlap a set if any direct or super
3869         member is equal to it, or if any of its ancestors are equal to a direct member.
3870         
3871         Example #1:
3872         
3873             - I add Variables(5). I.e. Variables is the Kind and 5 is the payload. This
3874               is a subtype of Variables, which is a subtype of World.
3875             - You query Variables. I.e. Variables with a TOP payload, which is the
3876               supertype of Variables(X) for any X, and a subtype of World.
3877             
3878             The set will have Variables(5) as a direct member, and Variables and World as
3879             super members. The Variables query will immediately return true, because
3880             Variables is indeed a super member.
3881         
3882         Example #2:
3883         
3884             - I add Variables(5)
3885             - You query NamedProperties
3886             
3887             NamedProperties is not a member at all (neither direct nor super). We next
3888             query World. World is a member, but it's a super member, so we return false.
3889         
3890         Example #3:
3891         
3892             - I add Variables
3893             - You query Variables(5)
3894             
3895             The set will have Variables as a direct member, and World as a super member.
3896             The Variables(5) query will not find Variables(5) in the set, but then it
3897             will query Variables. Variables is a direct member, so we return true.
3898         
3899         Example #4:
3900         
3901             - I add Variables
3902             - You query NamedProperties(5)
3903             
3904             Neither NamedProperties nor NamedProperties(5) is a member. We next query
3905             World. World is a member, but it's a super member, so we return false.
3906         
3907         Overlap queries require that either the heap being queried is in the set (either
3908         direct or super), or that one of its ancestors is a direct member. Another way to
3909         think about how this works is that two heaps A and B are said to overlap if
3910         A.isSubtypeOf(B) or B.isSubtypeOf(A). This is sound since heaps form a
3911         single-inheritance hierarchy. Consider that we wanted to implement a set that holds
3912         heaps and answers the question, "is any member in the set an ancestor (i.e.
3913         supertype) of some other heap". We would have the set contain the heaps themselves,
3914         and we would satisfy the query "A.isSubtypeOfAny(set)" by walking the ancestor
3915         chain of A, and repeatedly querying its membership in the set. This is what the
3916         "direct" members of our set do. Now consider the other part, where we want to ask if
3917         any member of the set is a descendant of a heap, or "A.isSupertypeOfAny(set)". We
3918         would implement this by implementing set.add(B) as adding not just B but also all of
3919         B's ancestors; then we would answer A.isSupertypeOfAny(set) by just checking if A is
3920         in the set. With two such sets - one that answers isSubtypeOfAny() and another that
3921         answers isSupertypeOfAny() - we could answer the "do any of my heaps overlap your
3922         heap" question. ClobberSet does this, but combines the two sets into a single
3923         HashMap. The HashMap's value, "direct", means that the key is a member of both the
3924         supertype set and the subtype set; if it's false then it's only a member of one of
3925         them.
3926         
3927         Finally, this adds a functorized clobberize() method that adds the read and write
3928         clobbers of a DFG::Node to read and write functors. Common functors for adding to
3929         ClobberSets, querying overlap, and doing nothing are provided. Convenient wrappers
3930         are also provided. This allows you to say things like:
3931         
3932             ClobberSet set;
3933             addWrites(graph, node1, set);
3934             if (readsOverlap(graph, node2, set))
3935                 // We know that node1 may write to something that node2 may read from.
3936         
3937         Currently this facility is only used to improve graph dumping, but it will be
3938         instrumental in both LICM and GVN. In the future, I want to completely kill the
3939         NodeClobbersWorld and NodeMightClobber flags, and eradicate CSEPhase's hackish way
3940         of accomplishing almost exactly what AbstractHeap gives you.
3941
3942         * JavaScriptCore.xcodeproj/project.pbxproj:
3943         * dfg/DFGAbstractHeap.cpp: Added.
3944         (DFG):
3945         (JSC::DFG::AbstractHeap::Payload::dump):
3946         (JSC::DFG::AbstractHeap::dump):
3947         (WTF):
3948         (WTF::printInternal):
3949         * dfg/DFGAbstractHeap.h: Added.
3950         (DFG):
3951         (AbstractHeap):
3952         (Payload):
3953         (JSC::DFG::AbstractHeap::Payload::Payload):
3954         (JSC::DFG::AbstractHeap::Payload::top):
3955         (JSC::DFG::AbstractHeap::Payload::isTop):
3956         (JSC::DFG::AbstractHeap::Payload::value):
3957         (JSC::DFG::AbstractHeap::Payload::valueImpl):
3958         (JSC::DFG::AbstractHeap::Payload::operator==):
3959         (JSC::DFG::AbstractHeap::Payload::operator!=):
3960         (JSC::DFG::AbstractHeap::Payload::operator<):