DFG should inline typedArray.byteOffset
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-08-17  Filip Pizlo  <fpizlo@apple.com>

        DFG should inline typedArray.byteOffset
        https://bugs.webkit.org/show_bug.cgi?id=119962

        Reviewed by Oliver Hunt.

        This adds a new node, GetTypedArrayByteOffset, which inlines
        typedArray.byteOffset.

        Also, I improved a bunch of the clobbering logic related to typed arrays
        and clobbering in general. For example, PutByOffset/PutStructure are not
        clobber-world so they can be handled by most default cases in CSE. Also,
        it's better to use the 'Class_field' notation for typed arrays now that
        they no longer involve magical descriptor thingies.

        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::neverNeedsStorage):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::checkArrayElimination):
        (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
        (JSC::DFG::FixupPhase::convertToGetArrayLength):
        (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        * runtime/ArrayBuffer.h:
        (JSC::ArrayBuffer::offsetOfData):
        * runtime/Butterfly.h:
        (JSC::Butterfly::offsetOfArrayBuffer):
        * runtime/IndexingHeader.h:
        (JSC::IndexingHeader::offsetOfArrayBuffer):

2013-08-18  Filip Pizlo  <fpizlo@apple.com>

        <https://webkit.org/b/119994> DFG new Array() inlining could get confused about global objects

        Reviewed by Geoffrey Garen.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):

2013-08-18  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=119995
        Start removing custom implementations of getOwnPropertyDescriptor

        Reviewed by Oliver Hunt.

        This can now typically be implemented in terms of getOwnPropertySlot.
        Add a macro to PropertyDescriptor to define an implementation of GOPD in terms of GOPS.
        Switch over most classes in JSC & the WebCore bindings generator to use this.

        * API/JSCallbackObjectFunctions.h:
        * debugger/DebuggerActivation.cpp:
        * runtime/Arguments.cpp:
        * runtime/ArrayConstructor.cpp:
        * runtime/ArrayPrototype.cpp:
        * runtime/BooleanPrototype.cpp:
        * runtime/DateConstructor.cpp:
        * runtime/DatePrototype.cpp:
        * runtime/ErrorPrototype.cpp:
        * runtime/JSActivation.cpp:
        * runtime/JSArray.cpp:
        * runtime/JSArrayBuffer.cpp:
        * runtime/JSArrayBufferView.cpp:
        * runtime/JSCell.cpp:
        * runtime/JSDataView.cpp:
        * runtime/JSDataViewPrototype.cpp:
        * runtime/JSFunction.cpp:
        * runtime/JSGenericTypedArrayViewInlines.h:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSONObject.cpp:
        * runtime/JSObject.cpp:
        * runtime/NamePrototype.cpp:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberPrototype.cpp:
        * runtime/ObjectConstructor.cpp:
            - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
        * runtime/PropertyDescriptor.h:
            - Added GET_OWN_PROPERTY_DESCRIPTOR_IMPL macro.
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::isValue):
        (JSC::PropertySlot::isGetter):
        (JSC::PropertySlot::isCustom):
        (JSC::PropertySlot::isCacheableValue):
        (JSC::PropertySlot::isCacheableGetter):
        (JSC::PropertySlot::isCacheableCustom):
        (JSC::PropertySlot::attributes):
        (JSC::PropertySlot::getterSetter):
            - Add accessors necessary to convert PropertySlot to descriptor.
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpMatchesArray.cpp:
        * runtime/RegExpMatchesArray.h:
        * runtime/RegExpObject.cpp:
        * runtime/RegExpPrototype.cpp:
        * runtime/StringConstructor.cpp:
        * runtime/StringObject.cpp:
            - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.

2013-08-19  Michael Saboff  <msaboff@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120015 DFG 32Bit: Crash loading "Classic" site @ translate.google.com

        Reviewed by Sam Weinig.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell): Added checks for spillFormat being
        DataFormatInteger or DataFormatDouble similar to what is in the 64 bit code and in
        all versions of fillSpeculateBoolean().

2013-08-19  Michael Saboff  <msaboff@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120020 Change Set 154207 causes wrong register to be used for 32 bit tests

        Reviewed by Benjamin Poulain.

        Change branchTest32 to only use the byte for 8 bit test on the lower 4 registers.
        Registers 4 through 7 as byte registers are ah, ch, dh and bh instead of sp, bp, si and di.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::branchTest32):

2013-08-16  Oliver Hunt  <oliver@apple.com>

        <https://webkit.org/b/119860> Crash during exception unwinding

        Reviewed by Filip Pizlo.

        Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error
        to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node.

        We need this so that Throw and ThrowReferenceError no longer need to be treated as
        terminals and the subsequent flush keeps the activation (and other registers) live.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isTerminal):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-08-19  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>

        <https://webkit.org/b/120008> [GTK][ARM] javascriptcore compilation is broken

        Reviewed by Oliver Hunt.

        Guard the compilation of these files only if DFG_JIT is enabled.

        * dfg/DFGDesiredTransitions.cpp:
        * dfg/DFGDesiredTransitions.h:
        * dfg/DFGDesiredWeakReferences.cpp:
        * dfg/DFGDesiredWeakReferences.h:
        * dfg/DFGDesiredWriteBarriers.cpp:
        * dfg/DFGDesiredWriteBarriers.h:

2013-08-17  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r154218): DFG::FixupPhase no longer turns GetById's child1 into CellUse
        https://bugs.webkit.org/show_bug.cgi?id=119961

        Reviewed by Mark Hahnenberg.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2013-08-18  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=119972
        Add attributes field to PropertySlot

        Reviewed by Geoff Garen.

        For all JSC types, this makes getOwnPropertyDescriptor redundant.
        There will be a bit more hacking required in WebCore to remove GOPD whilst maintaining current behaviour.
        (Current behaviour is in many ways broken, particularly in that GOPD & GOPS are inconsistent, but we should fix incrementally).

        No performance impact.

        * runtime/PropertySlot.h:
        (JSC::PropertySlot::setValue):
        (JSC::PropertySlot::setCustom):
        (JSC::PropertySlot::setCacheableCustom):
        (JSC::PropertySlot::setCustomIndex):
        (JSC::PropertySlot::setGetterSlot):
        (JSC::PropertySlot::setCacheableGetterSlot):
            - These methods now all require 'attributes'.
        * runtime/JSObject.h:
        (JSC::JSObject::getDirect):
        (JSC::JSObject::getDirectOffset):
        (JSC::JSObject::inlineGetOwnPropertySlot):
            - Added variants of getDirect, getDirectOffset that return the attributes.
        * API/JSCallbackObjectFunctions.h:
        (JSC::::getOwnPropertySlot):
        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertySlotByIndex):
        (JSC::Arguments::getOwnPropertySlot):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTableGet):
        (JSC::JSActivation::getOwnPropertySlot):
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnPropertySlot):
        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::getOwnPropertySlot):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::getOwnPropertySlot):
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::getOwnPropertySlot):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::::getOwnPropertySlot):
        (JSC::::getOwnPropertySlotByIndex):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::fillGetterPropertySlot):
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTableGet):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::getStaticPropertySlot):
        (JSC::getStaticPropertyDescriptor):
        (JSC::getStaticValueSlot):
        (JSC::getStaticValueDescriptor):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnPropertySlot):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayEntry::get):
            - Pass attributes to PropertySlot::set* methods.

2013-08-17  Mark Hahnenberg  <mhahnenberg@apple.com>

        <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML

        Reviewed by Filip Pizlo.

        Added a new mode for DesiredWriteBarrier that allows it to track a position in a
        Vector of WriteBarriers rather than the specific address. The fact that we were
        arbitrarily storing into a Vector's backing store for constants at the end of
        compilation after the Vector could have resized was causing crashes.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::constants):
        (JSC::CodeBlock::addConstantLazily):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addConstant):
        * dfg/DFGDesiredWriteBarriers.cpp:
        (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
        (JSC::DFG::DesiredWriteBarrier::trigger):
        (JSC::DFG::initializeLazyWriteBarrierForConstant):
        * dfg/DFGDesiredWriteBarriers.h:
        (JSC::DFG::DesiredWriteBarriers::add):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::truncateConstantToInt32):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::constantRegisterForConstant):

2013-08-16  Filip Pizlo  <fpizlo@apple.com>

        DFG should optimize typedArray.byteLength
        https://bugs.webkit.org/show_bug.cgi?id=119909

        Reviewed by Oliver Hunt.

        This adds typedArray.byteLength inlining to the DFG, and does so without changing
        the IR: byteLength is turned into GetArrayLength followed by BitLShift. This is
        legal since the byteLength of a typed array cannot exceed
        numeric_limits<int32_t>::max().

        * bytecode/SpeculatedType.cpp:
        (JSC::typedArrayTypeFromSpeculation):
        * bytecode/SpeculatedType.h:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::toArrayType):
        * dfg/DFGArrayMode.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
        (JSC::DFG::FixupPhase::attemptToMakeGetByteLength):
        (JSC::DFG::FixupPhase::convertToGetArrayLength):
        (JSC::DFG::FixupPhase::prependGetArrayLength):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::constantRegisterForConstant):
        (JSC::DFG::Graph::convertToConstant):
        * runtime/TypedArrayType.h:
        (JSC::logElementSize):
        (JSC::elementSize):

2013-08-16  Filip Pizlo  <fpizlo@apple.com>

        DFG optimizes out strict mode arguments tear off
        https://bugs.webkit.org/show_bug.cgi?id=119504

        Reviewed by Mark Hahnenberg and Oliver Hunt.

        Don't do the optimization for strict mode.

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        (JSC::DFG::ArgumentsSimplificationPhase::pruneObviousArgumentCreations):

2013-08-16  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] x86: improve code generation for xxxTest32
        https://bugs.webkit.org/show_bug.cgi?id=119876

        Reviewed by Geoffrey Garen.

        Try to use testb whenever possible when testing for an immediate value.

        When the input is an address and an offset, we can tweak the mask
        and offset to be able to generate testb for any byte of the mask.

        When the input is a register, we can use testb if we are only interested
        in testing the low bits.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::branchTest32):
        (JSC::MacroAssemblerX86Common::test32):
        (JSC::MacroAssemblerX86Common::generateTest32):

363
364 2013-08-16  Mark Lam  <mark.lam@apple.com>
365
366         <https://bugs.webkit.org/show_bug.cgi?id=119913> Baseline JIT gives erroneous
367         error message that an object is not a constructor though it expects a function
368
369         Reviewed by Michael Saboff.
370
371         * jit/JITStubs.cpp:
372         (JSC::DEFINE_STUB_FUNCTION):
373
374 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
375
376         Object properties added using dot syntax (o.f = ...) from code that isn't in eval should be less likely to cause an object to become a dictionary
377         https://bugs.webkit.org/show_bug.cgi?id=119897
378
379         Reviewed by Oliver Hunt.
380         
381         6-10x speed-up on microbenchmarks that create large static objects. 40-65% speed-up
382         on Octane/gbemu. 3% overall speed-up on Octane. No slow-downs anywhere; our ability
383         to turn objects into dictionaries when you're storing using bracket syntax or using
384         eval is still in place.
385
386         * bytecode/CodeBlock.h:
387         (JSC::CodeBlock::putByIdContext):
388         * dfg/DFGOperations.cpp:
389         * jit/JITStubs.cpp:
390         (JSC::DEFINE_STUB_FUNCTION):
391         * llint/LLIntSlowPaths.cpp:
392         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
393         * runtime/JSObject.h:
394         (JSC::JSObject::putDirectInternal):
395         * runtime/PutPropertySlot.h:
396         (JSC::PutPropertySlot::PutPropertySlot):
397         (JSC::PutPropertySlot::context):
398         * runtime/Structure.cpp:
399         (JSC::Structure::addPropertyTransition):
400         * runtime/Structure.h:
401
402 2013-08-16  Balazs Kilvady  <kilvadyb@homejinni.com>
403
404         <https://webkit.org/b/119742> REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException
405
406         Reviewed by Allan Sandfeld Jensen.
407
408         ctiVMHandleException must jump/return using register ra (r31).
409
410         * jit/JITStubsMIPS.h:
411
412 2013-08-16  Julien Brianceau  <jbrianceau@nds.com>
413
414         <https://webkit.org/b/119879> Fix sh4 build after r154156.
415
416         Reviewed by Allan Sandfeld Jensen.
417
418         Fix typo in JITStubsSH4.h file.
419
420         * jit/JITStubsSH4.h:
421
422 2013-08-15  Mark Hahnenberg  <mhahnenberg@apple.com>
423
424         <https://webkit.org/b/119833> Concurrent compilation thread should not trigger WriteBarriers
425
426         Reviewed by Oliver Hunt.
427
428         The concurrent compilation thread should interact minimally with the Heap, including not 
429         triggering WriteBarriers. This is a prerequisite for generational GC.
430
431         * JavaScriptCore.xcodeproj/project.pbxproj:
432         * bytecode/CodeBlock.cpp:
433         (JSC::CodeBlock::addOrFindConstant):
434         (JSC::CodeBlock::findConstant):
435         * bytecode/CodeBlock.h:
436         (JSC::CodeBlock::addConstantLazily):
437         * dfg/DFGByteCodeParser.cpp:
438         (JSC::DFG::ByteCodeParser::getJSConstantForValue):
439         (JSC::DFG::ByteCodeParser::constantUndefined):
440         (JSC::DFG::ByteCodeParser::constantNull):
441         (JSC::DFG::ByteCodeParser::one):
442         (JSC::DFG::ByteCodeParser::constantNaN):
443         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
444         * dfg/DFGCommonData.cpp:
445         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
446         * dfg/DFGCommonData.h:
447         * dfg/DFGDesiredTransitions.cpp: Added.
448         (JSC::DFG::DesiredTransition::DesiredTransition):
449         (JSC::DFG::DesiredTransition::reallyAdd):
450         (JSC::DFG::DesiredTransitions::DesiredTransitions):
451         (JSC::DFG::DesiredTransitions::~DesiredTransitions):
452         (JSC::DFG::DesiredTransitions::addLazily):
453         (JSC::DFG::DesiredTransitions::reallyAdd):
454         * dfg/DFGDesiredTransitions.h: Added.
455         * dfg/DFGDesiredWeakReferences.cpp: Added.
456         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
457         (JSC::DFG::DesiredWeakReferences::~DesiredWeakReferences):
458         (JSC::DFG::DesiredWeakReferences::addLazily):
459         (JSC::DFG::DesiredWeakReferences::reallyAdd):
460         * dfg/DFGDesiredWeakReferences.h: Added.
461         * dfg/DFGDesiredWriteBarriers.cpp: Added.
462         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
463         (JSC::DFG::DesiredWriteBarrier::trigger):
464         (JSC::DFG::DesiredWriteBarriers::DesiredWriteBarriers):
465         (JSC::DFG::DesiredWriteBarriers::~DesiredWriteBarriers):
466         (JSC::DFG::DesiredWriteBarriers::addImpl):
467         (JSC::DFG::DesiredWriteBarriers::trigger):
468         * dfg/DFGDesiredWriteBarriers.h: Added.
469         (JSC::DFG::DesiredWriteBarriers::add):
470         (JSC::DFG::initializeLazyWriteBarrier):
471         * dfg/DFGFixupPhase.cpp:
472         (JSC::DFG::FixupPhase::truncateConstantToInt32):
473         * dfg/DFGGraph.h:
474         (JSC::DFG::Graph::convertToConstant):
475         * dfg/DFGJITCompiler.h:
476         (JSC::DFG::JITCompiler::addWeakReference):
477         * dfg/DFGPlan.cpp:
478         (JSC::DFG::Plan::Plan):
479         (JSC::DFG::Plan::reallyAdd):
480         * dfg/DFGPlan.h:
481         * dfg/DFGSpeculativeJIT32_64.cpp:
482         (JSC::DFG::SpeculativeJIT::compile):
483         * dfg/DFGSpeculativeJIT64.cpp:
484         (JSC::DFG::SpeculativeJIT::compile):
485         * runtime/WriteBarrier.h:
486         (JSC::WriteBarrierBase::set):
487         (JSC::WriteBarrier::WriteBarrier):
488
489 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
490
491         Fix x86 32bits build after r154158
492
493         * assembler/X86Assembler.h: Add missing #ifdef for the x86_64 instructions.
494
495 2013-08-15  Ryosuke Niwa  <rniwa@webkit.org>
496
497         Build fix attempt after r154156.
498
499         * jit/JITStubs.cpp:
500         (JSC::cti_vm_handle_exception): encode!
501
2013-08-15  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] x86: Use inc and dec when possible
        https://bugs.webkit.org/show_bug.cgi?id=119831

        Reviewed by Geoffrey Garen.

        When incrementing or decrementing by an immediate of 1, use the instructions
        inc and dec instead of add and sub.
        The instructions have good timing and their encoding is smaller.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86_64::add32):
        (JSC::MacroAssemblerX86_64::sub32):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::add64):
        (JSC::MacroAssemblerX86_64::sub64):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::dec_r):
        (JSC::X86Assembler::decq_r):
        (JSC::X86Assembler::inc_r):
        (JSC::X86Assembler::incq_r):

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
        https://bugs.webkit.org/show_bug.cgi?id=119874

        Reviewed by Oliver Hunt and Mark Hahnenberg.

        It was a confusion between heuristics in DFG::ArrayMode that are assuming that
        you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
        sometimes for typed array length accesses, and the FixupPhase assuming that a
        ForceExit ArrayMode means that it should continue using a generic GetById.

        This fixes the confusion.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2013-08-15  Mark Lam  <mark.lam@apple.com>

        Fix crash when performing activation tearoff.
        https://bugs.webkit.org/show_bug.cgi?id=119848

        Reviewed by Oliver Hunt.

        The activation tearoff crash was due to a bug in the baseline JIT.
        If we have a scenario where a baseline JIT frame calls a LLINT
        frame, an exception may be thrown while in the LLINT.

        Interpreter::throwException() which handles the exception will unwind
        all frames until it finds a catcher or sees a host frame. When we
        return from the LLINT to the baseline JIT code, the baseline JIT code
        erroneously sets topCallFrame to the value in its call frame register,
        and starts unwinding the stack frames that have already been unwound.

        The fix is:
        1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
           This is a more accurate description of what this runtime function
           is supposed to do i.e. it handles the exception which includes doing
           nothing (if there are no more frames to unwind).
        2. Fix up topCallFrame values so that the HostCallFrameFlag is never
           set on it.
        3. Reload the call frame register from topCallFrame when we're
           returning from a callee and detect exception handling in progress.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::unwindCallFrame):
        - Ensure that topCallFrame is not set with the HostCallFrameFlag.
        (JSC::Interpreter::getStackTrace):
        * interpreter/Interpreter.h:
        (JSC::TopCallFrameSetter::TopCallFrameSetter):
        (JSC::TopCallFrameSetter::~TopCallFrameSetter):
        (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
        - Ensure that topCallFrame is not set with the HostCallFrameFlag.
        * jit/JIT.h:
        * jit/JITExceptions.cpp:
        (JSC::uncaughtExceptionHandler):
        - Convenience function to get the handler for uncaught exceptions.
        * jit/JITExceptions.h:
        * jit/JITInlines.h:
        (JSC::JIT::reloadCallFrameFromTopCallFrame):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
        * jit/JITStubs.cpp:
        (JSC::throwExceptionFromOpCall):
        - Ensure that topCallFrame is not set with the HostCallFrameFlag.
        (JSC::cti_vm_handle_exception):
        - Check for the case when there are no more frames to unwind.
        * jit/JITStubs.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsMIPS.h:
        * jit/JITStubsSH4.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:
        - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call):
        - Reload cfr from topCallFrame when handling an exception.
        - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        - Reload cfr from topCallFrame when handling an exception.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        - Ensure that topCallFrame is not set with the HostCallFrameFlag.

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Remove some code duplication.

        Rubber stamped by Mark Hahnenberg.

        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):

2013-08-15  Julien Brianceau  <jbrianceau@nds.com>

        [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
        https://bugs.webkit.org/show_bug.cgi?id=119794

        Reviewed by Filip Pizlo.

        This patch fixes ASSERT failures in debug builds for sh4 and mips architecture.

        * dfg/DFGUseKind.h:
        (JSC::DFG::isNumerical):
        (JSC::DFG::isDouble):

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.

        Rubber stamped by Oliver Hunt.

        This was causing some test crashes for me.

        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):

2013-08-15  Brent Fulgham  <bfulgham@apple.com>

        [Windows] Clear up improper export declaration.

        * runtime/ArrayBufferView.h:

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, remove some unnecessary periods from exceptions.

        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix 32-bit build.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-08-14  Filip Pizlo  <fpizlo@apple.com>

        Typed arrays should be rewritten
        https://bugs.webkit.org/show_bug.cgi?id=119064

        Reviewed by Oliver Hunt.

        Typed arrays were previously deficient in several major ways:

        - They were defined separately in WebCore and in the jsc shell. The two
          implementations were different, and the jsc shell one was basically wrong.
          The WebCore one was quite awful, also.

        - Typed arrays were not visible to the JIT except through some weird hooks.
          For example, the JIT could not ask "what is the Structure that this typed
          array would have if I just allocated it from this global object". Also,
          it was difficult to wire any of the typed array intrinsics, because most
          of the functionality wasn't visible anywhere in JSC.

        - Typed array allocation was brain-dead. Allocating a typed array involved
          two JS objects, two GC weak handles, and three malloc allocations.

        - Neutering. It involved keeping tabs on all native views but not the view
          wrappers, even though the native views can autoneuter just by asking the
          buffer if it was neutered anytime you touch them; while the JS view
          wrappers are the ones that you really want to reach out to.

        - Common case-ing. Most typed arrays have one buffer and one view, and
          usually nobody touches the buffer. Yet we created all of that stuff
          anyway, using data structures optimized for the case where you had a lot
          of views.

        - Semantic goofs. Typed arrays should, in the future, behave like ES
          features rather than DOM features, for example when it comes to exceptions.
          Firefox already does this and I agree with them.

        This patch cleanses our codebase of these sins:

        - Typed arrays are almost entirely defined in JSC. Only the lifecycle
          management of native references to buffers is left to WebCore.

        - Allocating a typed array requires either two GC allocations (a cell and a
          copied storage vector) or one GC allocation, a malloc allocation, and a
          weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
          latter). The latter is only used for oversize arrays. Remember that before
          it was 7 allocations no matter what.

        - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
          mode/length, void* vector. Before it was a lot more than that - remember,
          there were five additional objects that did absolutely nothing for anybody.

        - Native views aren't tracked by the buffer, or by the wrappers. They are
          transient. In the future we'll probably switch to not even having them be
          malloc'd.

        - Native array buffers have an efficient way of tracking all of their JS view
          wrappers, both for neutering, and for lifecycle management. The GC
          special-cases native array buffers. This saves a bunch of grief; for example
          it means that a JS view wrapper can refer to its buffer via the butterfly,
          which would be dead by the time we went to finalize.

        - Typed array semantics now match Firefox, which also happens to be where the
          standards are going. The discussion on webkit-dev seemed to confirm that
          Chrome is also heading in this direction. This includes making
          Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
          ArrayBufferView as a JS-visible construct.

        This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
        It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
        further typed array optimizations in the JSC JITs, including inlining typed
        array allocation, inlining more of the accessors, reducing the cost of type
        checks, etc.

        An additional property of this patch is that typed arrays are mostly
        implemented using templates. This deduplicates a bunch of code, but does mean
        that we need some hacks for exporting s_info's of template classes. See
745         JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
746         low-impact compared to code duplication.
747         
748         Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
749
750         * CMakeLists.txt:
751         * DerivedSources.make:
752         * GNUmakefile.list.am:
753         * JSCTypedArrayStubs.h: Removed.
754         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
755         * JavaScriptCore.xcodeproj/project.pbxproj:
756         * Target.pri:
757         * bytecode/ByValInfo.h:
758         (JSC::hasOptimizableIndexingForClassInfo):
759         (JSC::jitArrayModeForClassInfo):
760         (JSC::typedArrayTypeForJITArrayMode):
761         * bytecode/SpeculatedType.cpp:
762         (JSC::speculationFromClassInfo):
763         * dfg/DFGArrayMode.cpp:
764         (JSC::DFG::toTypedArrayType):
765         * dfg/DFGArrayMode.h:
766         (JSC::DFG::ArrayMode::typedArrayType):
767         * dfg/DFGSpeculativeJIT.cpp:
768         (JSC::DFG::SpeculativeJIT::checkArray):
769         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
770         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
771         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
772         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
773         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
774         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
775         * dfg/DFGSpeculativeJIT.h:
776         * dfg/DFGSpeculativeJIT32_64.cpp:
777         (JSC::DFG::SpeculativeJIT::compile):
778         * dfg/DFGSpeculativeJIT64.cpp:
779         (JSC::DFG::SpeculativeJIT::compile):
780         * heap/CopyToken.h:
781         * heap/DeferGC.h:
782         (JSC::DeferGCForAWhile::DeferGCForAWhile):
783         (JSC::DeferGCForAWhile::~DeferGCForAWhile):
784         * heap/GCIncomingRefCounted.h: Added.
785         (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
786         (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
787         (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
788         (JSC::GCIncomingRefCounted::incomingReferenceAt):
789         (JSC::GCIncomingRefCounted::singletonFlag):
790         (JSC::GCIncomingRefCounted::hasVectorOfCells):
791         (JSC::GCIncomingRefCounted::hasAnyIncoming):
792         (JSC::GCIncomingRefCounted::hasSingleton):
793         (JSC::GCIncomingRefCounted::singleton):
794         (JSC::GCIncomingRefCounted::vectorOfCells):
795         * heap/GCIncomingRefCountedInlines.h: Added.
796         (JSC::::addIncomingReference):
797         (JSC::::filterIncomingReferences):
798         * heap/GCIncomingRefCountedSet.h: Added.
799         (JSC::GCIncomingRefCountedSet::size):
800         * heap/GCIncomingRefCountedSetInlines.h: Added.
801         (JSC::::GCIncomingRefCountedSet):
802         (JSC::::~GCIncomingRefCountedSet):
803         (JSC::::addReference):
804         (JSC::::sweep):
805         (JSC::::removeAll):
806         (JSC::::removeDead):
807         * heap/Heap.cpp:
808         (JSC::Heap::addReference):
809         (JSC::Heap::extraSize):
810         (JSC::Heap::size):
811         (JSC::Heap::capacity):
812         (JSC::Heap::collect):
813         (JSC::Heap::decrementDeferralDepth):
814         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
815         * heap/Heap.h:
816         * interpreter/CallFrame.h:
817         (JSC::ExecState::dataViewTable):
818         * jit/JIT.h:
819         * jit/JITPropertyAccess.cpp:
820         (JSC::JIT::privateCompileGetByVal):
821         (JSC::JIT::privateCompilePutByVal):
822         (JSC::JIT::emitIntTypedArrayGetByVal):
823         (JSC::JIT::emitFloatTypedArrayGetByVal):
824         (JSC::JIT::emitIntTypedArrayPutByVal):
825         (JSC::JIT::emitFloatTypedArrayPutByVal):
826         * jsc.cpp:
827         (GlobalObject::finishCreation):
828         * runtime/ArrayBuffer.cpp:
829         (JSC::ArrayBuffer::transfer):
830         * runtime/ArrayBuffer.h:
831         (JSC::ArrayBuffer::createAdopted):
832         (JSC::ArrayBuffer::ArrayBuffer):
833         (JSC::ArrayBuffer::gcSizeEstimateInBytes):
834         (JSC::ArrayBuffer::pin):
835         (JSC::ArrayBuffer::unpin):
836         (JSC::ArrayBufferContents::tryAllocate):
837         * runtime/ArrayBufferView.cpp:
838         (JSC::ArrayBufferView::ArrayBufferView):
839         (JSC::ArrayBufferView::~ArrayBufferView):
840         (JSC::ArrayBufferView::setNeuterable):
841         * runtime/ArrayBufferView.h:
842         (JSC::ArrayBufferView::isNeutered):
843         (JSC::ArrayBufferView::buffer):
844         (JSC::ArrayBufferView::baseAddress):
845         (JSC::ArrayBufferView::byteOffset):
846         (JSC::ArrayBufferView::verifySubRange):
847         (JSC::ArrayBufferView::clampOffsetAndNumElements):
848         (JSC::ArrayBufferView::calculateOffsetAndLength):
849         * runtime/ClassInfo.h:
850         * runtime/CommonIdentifiers.h:
851         * runtime/DataView.cpp: Added.
852         (JSC::DataView::DataView):
853         (JSC::DataView::create):
854         (JSC::DataView::wrap):
855         * runtime/DataView.h: Added.
856         (JSC::DataView::byteLength):
857         (JSC::DataView::getType):
858         (JSC::DataView::get):
859         (JSC::DataView::set):
860         * runtime/Float32Array.h:
861         * runtime/Float64Array.h:
862         * runtime/GenericTypedArrayView.h: Added.
863         (JSC::GenericTypedArrayView::data):
864         (JSC::GenericTypedArrayView::set):
865         (JSC::GenericTypedArrayView::setRange):
866         (JSC::GenericTypedArrayView::zeroRange):
867         (JSC::GenericTypedArrayView::zeroFill):
868         (JSC::GenericTypedArrayView::length):
869         (JSC::GenericTypedArrayView::byteLength):
870         (JSC::GenericTypedArrayView::item):
871         (JSC::GenericTypedArrayView::checkInboundData):
872         (JSC::GenericTypedArrayView::getType):
873         * runtime/GenericTypedArrayViewInlines.h: Added.
874         (JSC::::GenericTypedArrayView):
875         (JSC::::create):
876         (JSC::::createUninitialized):
877         (JSC::::subarray):
878         (JSC::::wrap):
879         * runtime/IndexingHeader.h:
880         (JSC::IndexingHeader::arrayBuffer):
881         (JSC::IndexingHeader::setArrayBuffer):
882         * runtime/Int16Array.h:
883         * runtime/Int32Array.h:
884         * runtime/Int8Array.h:
885         * runtime/JSArrayBuffer.cpp: Added.
886         (JSC::JSArrayBuffer::JSArrayBuffer):
887         (JSC::JSArrayBuffer::finishCreation):
888         (JSC::JSArrayBuffer::create):
889         (JSC::JSArrayBuffer::createStructure):
890         (JSC::JSArrayBuffer::getOwnPropertySlot):
891         (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
892         (JSC::JSArrayBuffer::put):
893         (JSC::JSArrayBuffer::defineOwnProperty):
894         (JSC::JSArrayBuffer::deleteProperty):
895         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
896         * runtime/JSArrayBuffer.h: Added.
897         (JSC::JSArrayBuffer::impl):
898         (JSC::toArrayBuffer):
899         * runtime/JSArrayBufferConstructor.cpp: Added.
900         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
901         (JSC::JSArrayBufferConstructor::finishCreation):
902         (JSC::JSArrayBufferConstructor::create):
903         (JSC::JSArrayBufferConstructor::createStructure):
904         (JSC::constructArrayBuffer):
905         (JSC::JSArrayBufferConstructor::getConstructData):
906         (JSC::JSArrayBufferConstructor::getCallData):
907         * runtime/JSArrayBufferConstructor.h: Added.
908         * runtime/JSArrayBufferPrototype.cpp: Added.
909         (JSC::arrayBufferProtoFuncSlice):
910         (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
911         (JSC::JSArrayBufferPrototype::finishCreation):
912         (JSC::JSArrayBufferPrototype::create):
913         (JSC::JSArrayBufferPrototype::createStructure):
914         * runtime/JSArrayBufferPrototype.h: Added.
915         * runtime/JSArrayBufferView.cpp: Added.
916         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
917         (JSC::JSArrayBufferView::JSArrayBufferView):
918         (JSC::JSArrayBufferView::finishCreation):
919         (JSC::JSArrayBufferView::getOwnPropertySlot):
920         (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
921         (JSC::JSArrayBufferView::put):
922         (JSC::JSArrayBufferView::defineOwnProperty):
923         (JSC::JSArrayBufferView::deleteProperty):
924         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
925         (JSC::JSArrayBufferView::finalize):
926         * runtime/JSArrayBufferView.h: Added.
927         (JSC::JSArrayBufferView::sizeOf):
928         (JSC::JSArrayBufferView::ConstructionContext::operator!):
929         (JSC::JSArrayBufferView::ConstructionContext::structure):
930         (JSC::JSArrayBufferView::ConstructionContext::vector):
931         (JSC::JSArrayBufferView::ConstructionContext::length):
932         (JSC::JSArrayBufferView::ConstructionContext::mode):
933         (JSC::JSArrayBufferView::ConstructionContext::butterfly):
934         (JSC::JSArrayBufferView::mode):
935         (JSC::JSArrayBufferView::vector):
936         (JSC::JSArrayBufferView::length):
937         (JSC::JSArrayBufferView::offsetOfVector):
938         (JSC::JSArrayBufferView::offsetOfLength):
939         (JSC::JSArrayBufferView::offsetOfMode):
940         * runtime/JSArrayBufferViewInlines.h: Added.
941         (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
942         (JSC::JSArrayBufferView::buffer):
943         (JSC::JSArrayBufferView::impl):
944         (JSC::JSArrayBufferView::neuter):
945         (JSC::JSArrayBufferView::byteOffset):
946         * runtime/JSCell.cpp:
947         (JSC::JSCell::slowDownAndWasteMemory):
948         (JSC::JSCell::getTypedArrayImpl):
949         * runtime/JSCell.h:
950         * runtime/JSDataView.cpp: Added.
951         (JSC::JSDataView::JSDataView):
952         (JSC::JSDataView::create):
953         (JSC::JSDataView::createUninitialized):
954         (JSC::JSDataView::set):
955         (JSC::JSDataView::typedImpl):
956         (JSC::JSDataView::getOwnPropertySlot):
957         (JSC::JSDataView::getOwnPropertyDescriptor):
958         (JSC::JSDataView::slowDownAndWasteMemory):
959         (JSC::JSDataView::getTypedArrayImpl):
960         (JSC::JSDataView::createStructure):
961         * runtime/JSDataView.h: Added.
962         * runtime/JSDataViewPrototype.cpp: Added.
963         (JSC::JSDataViewPrototype::JSDataViewPrototype):
964         (JSC::JSDataViewPrototype::create):
965         (JSC::JSDataViewPrototype::createStructure):
966         (JSC::JSDataViewPrototype::getOwnPropertySlot):
967         (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
968         (JSC::getData):
969         (JSC::setData):
970         (JSC::dataViewProtoFuncGetInt8):
971         (JSC::dataViewProtoFuncGetInt16):
972         (JSC::dataViewProtoFuncGetInt32):
973         (JSC::dataViewProtoFuncGetUint8):
974         (JSC::dataViewProtoFuncGetUint16):
975         (JSC::dataViewProtoFuncGetUint32):
976         (JSC::dataViewProtoFuncGetFloat32):
977         (JSC::dataViewProtoFuncGetFloat64):
978         (JSC::dataViewProtoFuncSetInt8):
979         (JSC::dataViewProtoFuncSetInt16):
980         (JSC::dataViewProtoFuncSetInt32):
981         (JSC::dataViewProtoFuncSetUint8):
982         (JSC::dataViewProtoFuncSetUint16):
983         (JSC::dataViewProtoFuncSetUint32):
984         (JSC::dataViewProtoFuncSetFloat32):
985         (JSC::dataViewProtoFuncSetFloat64):
986         * runtime/JSDataViewPrototype.h: Added.
987         * runtime/JSFloat32Array.h: Added.
988         * runtime/JSFloat64Array.h: Added.
989         * runtime/JSGenericTypedArrayView.h: Added.
990         (JSC::JSGenericTypedArrayView::byteLength):
991         (JSC::JSGenericTypedArrayView::byteSize):
992         (JSC::JSGenericTypedArrayView::typedVector):
993         (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
994         (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
995         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
996         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
997         (JSC::JSGenericTypedArrayView::getIndexQuickly):
998         (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
999         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
1000         (JSC::JSGenericTypedArrayView::setIndexQuickly):
1001         (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
1002         (JSC::JSGenericTypedArrayView::typedImpl):
1003         (JSC::JSGenericTypedArrayView::createStructure):
1004         (JSC::JSGenericTypedArrayView::info):
1005         (JSC::toNativeTypedView):
1006         * runtime/JSGenericTypedArrayViewConstructor.h: Added.
1007         * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
1008         (JSC::::JSGenericTypedArrayViewConstructor):
1009         (JSC::::finishCreation):
1010         (JSC::::create):
1011         (JSC::::createStructure):
1012         (JSC::constructGenericTypedArrayView):
1013         (JSC::::getConstructData):
1014         (JSC::::getCallData):
1015         * runtime/JSGenericTypedArrayViewInlines.h: Added.
1016         (JSC::::JSGenericTypedArrayView):
1017         (JSC::::create):
1018         (JSC::::createUninitialized):
1019         (JSC::::validateRange):
1020         (JSC::::setWithSpecificType):
1021         (JSC::::set):
1022         (JSC::::getOwnPropertySlot):
1023         (JSC::::getOwnPropertyDescriptor):
1024         (JSC::::put):
1025         (JSC::::defineOwnProperty):
1026         (JSC::::deleteProperty):
1027         (JSC::::getOwnPropertySlotByIndex):
1028         (JSC::::putByIndex):
1029         (JSC::::deletePropertyByIndex):
1030         (JSC::::getOwnNonIndexPropertyNames):
1031         (JSC::::getOwnPropertyNames):
1032         (JSC::::visitChildren):
1033         (JSC::::copyBackingStore):
1034         (JSC::::slowDownAndWasteMemory):
1035         (JSC::::getTypedArrayImpl):
1036         * runtime/JSGenericTypedArrayViewPrototype.h: Added.
1037         * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
1038         (JSC::genericTypedArrayViewProtoFuncSet):
1039         (JSC::genericTypedArrayViewProtoFuncSubarray):
1040         (JSC::::JSGenericTypedArrayViewPrototype):
1041         (JSC::::finishCreation):
1042         (JSC::::create):
1043         (JSC::::createStructure):
1044         * runtime/JSGlobalObject.cpp:
1045         (JSC::JSGlobalObject::reset):
1046         (JSC::JSGlobalObject::visitChildren):
1047         * runtime/JSGlobalObject.h:
1048         (JSC::JSGlobalObject::arrayBufferPrototype):
1049         (JSC::JSGlobalObject::arrayBufferStructure):
1050         (JSC::JSGlobalObject::typedArrayStructure):
1051         * runtime/JSInt16Array.h: Added.
1052         * runtime/JSInt32Array.h: Added.
1053         * runtime/JSInt8Array.h: Added.
1054         * runtime/JSTypedArrayConstructors.cpp: Added.
1055         * runtime/JSTypedArrayConstructors.h: Added.
1056         * runtime/JSTypedArrayPrototypes.cpp: Added.
1057         * runtime/JSTypedArrayPrototypes.h: Added.
1058         * runtime/JSTypedArrays.cpp: Added.
1059         * runtime/JSTypedArrays.h: Added.
1060         * runtime/JSUint16Array.h: Added.
1061         * runtime/JSUint32Array.h: Added.
1062         * runtime/JSUint8Array.h: Added.
1063         * runtime/JSUint8ClampedArray.h: Added.
1064         * runtime/Operations.h:
1065         * runtime/Options.h:
1066         * runtime/SimpleTypedArrayController.cpp: Added.
1067         (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
1068         (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
1069         (JSC::SimpleTypedArrayController::toJS):
1070         * runtime/SimpleTypedArrayController.h: Added.
1071         * runtime/Structure.h:
1072         (JSC::Structure::couldHaveIndexingHeader):
1073         * runtime/StructureInlines.h:
1074         (JSC::Structure::hasIndexingHeader):
1075         * runtime/TypedArrayAdaptors.h: Added.
1076         (JSC::IntegralTypedArrayAdaptor::toNative):
1077         (JSC::IntegralTypedArrayAdaptor::toJSValue):
1078         (JSC::IntegralTypedArrayAdaptor::toDouble):
1079         (JSC::FloatTypedArrayAdaptor::toNative):
1080         (JSC::FloatTypedArrayAdaptor::toJSValue):
1081         (JSC::FloatTypedArrayAdaptor::toDouble):
1082         (JSC::Uint8ClampedAdaptor::toNative):
1083         (JSC::Uint8ClampedAdaptor::toJSValue):
1084         (JSC::Uint8ClampedAdaptor::toDouble):
1085         (JSC::Uint8ClampedAdaptor::clamp):
1086         * runtime/TypedArrayController.cpp: Added.
1087         (JSC::TypedArrayController::TypedArrayController):
1088         (JSC::TypedArrayController::~TypedArrayController):
1089         * runtime/TypedArrayController.h: Added.
1090         * runtime/TypedArrayDescriptor.h: Removed.
1091         * runtime/TypedArrayInlines.h: Added.
1092         * runtime/TypedArrayType.cpp: Added.
1093         (JSC::classInfoForType):
1094         (WTF::printInternal):
1095         * runtime/TypedArrayType.h: Added.
1096         (JSC::toIndex):
1097         (JSC::isTypedView):
1098         (JSC::elementSize):
1099         (JSC::isInt):
1100         (JSC::isFloat):
1101         (JSC::isSigned):
1102         (JSC::isClamped):
1103         * runtime/TypedArrays.h: Added.
1104         * runtime/Uint16Array.h:
1105         * runtime/Uint32Array.h:
1106         * runtime/Uint8Array.h:
1107         * runtime/Uint8ClampedArray.h:
1108         * runtime/VM.cpp:
1109         (JSC::VM::VM):
1110         (JSC::VM::~VM):
1111         * runtime/VM.h:
1112
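        The JS-visible typed array behaviour that the entry above standardizes on (views reporting byteOffset/byteLength over a shared ArrayBuffer, subarray sharing bytes, clamping versus wrapping on Uint8ClampedArray and Uint8Array, Uint8ClampedArray not being a subtype of Uint8Array, no ArrayBufferView global, and out-of-range view construction failing) can be checked from script. The following is an added JavaScript example, not code from the ChangeLog or from WebKit; every function name in it is the example's own, and the 16-byte buffer is constructed sample input. It runs in any modern engine (Node is enough) and asserts only on observable semantics, not on JSC internals such as allocation counts.

```javascript
// Added example (not WebKit code): observable typed-array semantics.

// Constructed sample input: a 16-byte buffer where each byte holds its index.
function makeBuffer() {
  const buf = new ArrayBuffer(16);
  const all = new Uint8Array(buf);
  for (let i = 0; i < all.length; i++) all[i] = i;
  return buf;
}

// A view created at an offset reports byteOffset/byteLength relative to the
// shared buffer; it does not copy, so `view.buffer` is the same object.
function describeView(buf, byteOffset, length) {
  const view = new Uint16Array(buf, byteOffset, length);
  return {
    byteOffset: view.byteOffset,
    byteLength: view.byteLength,
    length: view.length,
    sharesBuffer: view.buffer === buf,
  };
}

// subarray() creates a new view over the same bytes; the byteOffset of a
// nested subarray is measured from the start of the buffer, not the parent.
function subarrayOffsets(buf) {
  const whole = new Uint8Array(buf);
  const mid = whole.subarray(4, 12); // bytes 4..11
  const tail = mid.subarray(2);      // bytes 6..11
  return {
    midOffset: mid.byteOffset,
    tailOffset: tail.byteOffset,
    tailLength: tail.length,
    sharesBuffer: tail.buffer === buf,
  };
}

// Uint8Array wraps modulo 256 after truncation; Uint8ClampedArray clamps to
// [0, 255] and rounds half to even (the clamped adaptor's behaviour).
function storeByte(value) {
  const wrapped = new Uint8Array(1);
  const clamped = new Uint8ClampedArray(1);
  wrapped[0] = value;
  clamped[0] = value;
  return { wrapped: wrapped[0], clamped: clamped[0] };
}

// Uint8ClampedArray is not a subtype of Uint8Array, and ArrayBufferView is
// not a JS-visible constructor.
function typeRelations() {
  return {
    clampedIsUint8: new Uint8ClampedArray(1) instanceof Uint8Array,
    arrayBufferViewVisible: typeof ArrayBufferView !== 'undefined',
  };
}

// Defensive pre-check for code that builds views from untrusted offsets:
// the offset must be element-aligned and the range must fit in the buffer.
function viewFits(buf, byteOffset, length, bytesPerElement) {
  if (byteOffset % bytesPerElement !== 0) return false;
  return byteOffset + length * bytesPerElement <= buf.byteLength;
}

// The engine enforces the same rule: a view that is misaligned or runs past
// the end of the buffer throws a RangeError instead of exposing extra bytes.
function tryView(buf, byteOffset, length) {
  try {
    new Uint16Array(buf, byteOffset, length);
    return 'ok';
  } catch (e) {
    return e.constructor.name;
  }
}
```

        Call `describeView(makeBuffer(), 4, 3)` to see a 3-element Uint16Array that starts at byte 4 (byteLength 6), and `tryView(makeBuffer(), 14, 2)` to see the RangeError for a view that would run past the end; `viewFits` performs the same check up front so the failure can be reported before any view exists.
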
1113 2013-08-15  Oliver Hunt  <oliver@apple.com>
1114
1115         <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure
1116
1117         Reviewed by Filip Pizlo.
1118
1119         Make sure dfgCapabilities doesn't report a Dynamic put as
1120         being compilable when we don't actually support it.  
1121
1122         * bytecode/CodeBlock.cpp:
1123         (JSC::CodeBlock::dumpBytecode):
1124         * dfg/DFGCapabilities.cpp:
1125         (JSC::DFG::capabilityLevel):
1126
1127 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
1128
1129         [Windows] Incorrect DLL Linkage for JSC ArrayBuffer and ArrayBufferView
1130         https://bugs.webkit.org/show_bug.cgi?id=119847
1131
1132         Reviewed by Oliver Hunt.
1133
1134         * runtime/ArrayBuffer.h: Switch from WTF_EXPORT_PRIVATE to JS_EXPORT_PRIVATE
1135         * runtime/ArrayBufferView.h: Ditto.
1136
1137 2013-08-15  Gavin Barraclough  <barraclough@apple.com>
1138
1139         https://bugs.webkit.org/show_bug.cgi?id=119843
1140         PropertySlot::setValue is ambiguous
1141
1142         Reviewed by Geoff Garen.
1143
1144         There are three different versions of PropertySlot::setValue, one for cacheable properties, and two that are used interchangeably and inconsistently.
1145         The problematic variants are the ones that just take a value, and one that takes a value and also the object containing the property.
1146         Unify on always providing the object, and remove the version that just takes a value.
1147         This always works except for JSString, where we optimize out the object (logically we should be instantiating a temporary StringObject on every property access).
1148         Provide a version of setValue that takes a JSString as the owner of the property.
1149         We won't store this, but it makes it clear that this interface should only be used from JSString.
1150
1151         * API/JSCallbackObjectFunctions.h:
1152         (JSC::::getOwnPropertySlot):
1153         * JSCTypedArrayStubs.h:
1154         * runtime/Arguments.cpp:
1155         (JSC::Arguments::getOwnPropertySlotByIndex):
1156         (JSC::Arguments::getOwnPropertySlot):
1157         * runtime/JSActivation.cpp:
1158         (JSC::JSActivation::symbolTableGet):
1159         (JSC::JSActivation::getOwnPropertySlot):
1160         * runtime/JSArray.cpp:
1161         (JSC::JSArray::getOwnPropertySlot):
1162         * runtime/JSObject.cpp:
1163         (JSC::JSObject::getOwnPropertySlotByIndex):
1164         * runtime/JSString.h:
1165         (JSC::JSString::getStringPropertySlot):
1166         * runtime/JSSymbolTableObject.h:
1167         (JSC::symbolTableGet):
1168         * runtime/SparseArrayValueMap.cpp:
1169         (JSC::SparseArrayEntry::get):
1170             - Pass object containing property to PropertySlot::setValue
1171         * runtime/PropertySlot.h:
1172         (JSC::PropertySlot::setValue):
1173             - Logically, the base of a string property access is a temporary StringObject, but we optimize that away.
1174         (JSC::PropertySlot::setUndefined):
1175             - removed setValue(JSValue), added setValue(JSString*, JSValue)
1176
1177 2013-08-15  Oliver Hunt  <oliver@apple.com>
1178
1179         Remove bogus assertion.
1180
1181         RS=Filip Pizlo
1182
1183         * dfg/DFGAbstractInterpreterInlines.h:
1184         (JSC::DFG::::executeEffects):
1185
1186 2013-08-15  Allan Sandfeld Jensen  <allan.jensen@digia.com>
1187
1188         REGRESSION(r148790) Made 7 tests fail on x86 32bit
1189         https://bugs.webkit.org/show_bug.cgi?id=114913
1190
1191         Reviewed by Filip Pizlo.
1192
1193         The X87 register was not freed before some calls. Instead
1194         of inserting resetX87Registers to the last call sites,
1195         the two X87 registers are now freed in every call.
1196
1197         * llint/LowLevelInterpreter32_64.asm:
1198         * llint/LowLevelInterpreter64.asm:
1199         * offlineasm/instructions.rb:
1200         * offlineasm/x86.rb:
1201
1202 2013-08-14  Michael Saboff  <msaboff@apple.com>
1203
1204         Fixed jit on Win64.
1205         https://bugs.webkit.org/show_bug.cgi?id=119601
1206
1207         Reviewed by Oliver Hunt.
1208
1209         * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation.
1210         * jit/JSInterfaceJIT.h: Added thirdArgumentRegister.
1211         * jit/SlowPathCall.h:
1212         (JSC::JITSlowPathCall::call): Added correct calling convention for Win64.
1213
1214 2013-08-14  Alex Christensen  <achristensen@apple.com>
1215
1216         Compile fix for Win64 with jit disabled.
1217         https://bugs.webkit.org/show_bug.cgi?id=119804
1218
1219         Reviewed by Michael Saboff.
1220
1221         * offlineasm/cloop.rb: Added std:: before isnan.
1222
1223 2013-08-14  Julien Brianceau  <jbrianceau@nds.com>
1224
1225         DFG_JIT implementation for sh4 architecture.
1226         https://bugs.webkit.org/show_bug.cgi?id=119737
1227
1228         Reviewed by Oliver Hunt.
1229
1230         * assembler/MacroAssemblerSH4.h:
1231         (JSC::MacroAssemblerSH4::invert):
1232         (JSC::MacroAssemblerSH4::add32):
1233         (JSC::MacroAssemblerSH4::and32):
1234         (JSC::MacroAssemblerSH4::lshift32):
1235         (JSC::MacroAssemblerSH4::mul32):
1236         (JSC::MacroAssemblerSH4::or32):
1237         (JSC::MacroAssemblerSH4::rshift32):
1238         (JSC::MacroAssemblerSH4::sub32):
1239         (JSC::MacroAssemblerSH4::xor32):
1240         (JSC::MacroAssemblerSH4::store32):
1241         (JSC::MacroAssemblerSH4::swapDouble):
1242         (JSC::MacroAssemblerSH4::storeDouble):
1243         (JSC::MacroAssemblerSH4::subDouble):
1244         (JSC::MacroAssemblerSH4::mulDouble):
1245         (JSC::MacroAssemblerSH4::divDouble):
1246         (JSC::MacroAssemblerSH4::negateDouble):
1247         (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
1248         (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
1249         (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
1250         (JSC::MacroAssemblerSH4::swap):
1251         (JSC::MacroAssemblerSH4::jump):
1252         (JSC::MacroAssemblerSH4::branchNeg32):
1253         (JSC::MacroAssemblerSH4::branchAdd32):
1254         (JSC::MacroAssemblerSH4::branchMul32):
1255         (JSC::MacroAssemblerSH4::urshift32):
1256         * assembler/SH4Assembler.h:
1257         (JSC::SH4Assembler::SH4Assembler):
1258         (JSC::SH4Assembler::labelForWatchpoint):
1259         (JSC::SH4Assembler::label):
1260         (JSC::SH4Assembler::debugOffset):
1261         * dfg/DFGAssemblyHelpers.h:
1262         (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
1263         (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
1264         (JSC::DFG::AssemblyHelpers::debugCall):
1265         * dfg/DFGCCallHelpers.h:
1266         (JSC::DFG::CCallHelpers::setupArguments):
1267         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
1268         * dfg/DFGFPRInfo.h:
1269         (JSC::DFG::FPRInfo::toRegister):
1270         (JSC::DFG::FPRInfo::toIndex):
1271         (JSC::DFG::FPRInfo::debugName):
1272         * dfg/DFGGPRInfo.h:
1273         (JSC::DFG::GPRInfo::toRegister):
1274         (JSC::DFG::GPRInfo::toIndex):
1275         (JSC::DFG::GPRInfo::debugName):
1276         * dfg/DFGOperations.cpp:
1277         * dfg/DFGSpeculativeJIT.h:
1278         (JSC::DFG::SpeculativeJIT::callOperation):
1279         * jit/JITStubs.h:
1280         * jit/JITStubsSH4.h:
1281
1282 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
1283
1284         Unreviewed, fix build.
1285
1286         * API/JSValue.mm:
1287         (isDate):
1288         (isArray):
1289         * API/JSWrapperMap.mm:
1290         (tryUnwrapObjcObject):
1291         * API/ObjCCallbackFunction.mm:
1292         (tryUnwrapBlock):
1293
1294 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
1295
1296         Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
1297         https://bugs.webkit.org/show_bug.cgi?id=119770
1298
1299         Reviewed by Mark Hahnenberg.
1300
1301         * API/JSCallbackConstructor.cpp:
1302         (JSC::JSCallbackConstructor::finishCreation):
1303         * API/JSCallbackConstructor.h:
1304         (JSC::JSCallbackConstructor::createStructure):
1305         * API/JSCallbackFunction.cpp:
1306         (JSC::JSCallbackFunction::finishCreation):
1307         * API/JSCallbackFunction.h:
1308         (JSC::JSCallbackFunction::createStructure):
1309         * API/JSCallbackObject.cpp:
1310         (JSC::::createStructure):
1311         * API/JSCallbackObject.h:
1312         (JSC::JSCallbackObject::visitChildren):
1313         * API/JSCallbackObjectFunctions.h:
1314         (JSC::::asCallbackObject):
1315         (JSC::::finishCreation):
1316         * API/JSObjectRef.cpp:
1317         (JSObjectGetPrivate):
1318         (JSObjectSetPrivate):
1319         (JSObjectGetPrivateProperty):
1320         (JSObjectSetPrivateProperty):
1321         (JSObjectDeletePrivateProperty):
1322         * API/JSValueRef.cpp:
1323         (JSValueIsObjectOfClass):
1324         * API/JSWeakObjectMapRefPrivate.cpp:
1325         * API/ObjCCallbackFunction.h:
1326         (JSC::ObjCCallbackFunction::createStructure):
1327         * JSCTypedArrayStubs.h:
1328         * bytecode/CallLinkStatus.cpp:
1329         (JSC::CallLinkStatus::CallLinkStatus):
1330         (JSC::CallLinkStatus::function):
1331         (JSC::CallLinkStatus::internalFunction):
1332         * bytecode/CodeBlock.h:
1333         (JSC::baselineCodeBlockForInlineCallFrame):
1334         * bytecode/SpeculatedType.cpp:
1335         (JSC::speculationFromClassInfo):
1336         * bytecode/UnlinkedCodeBlock.cpp:
1337         (JSC::UnlinkedFunctionExecutable::visitChildren):
1338         (JSC::UnlinkedCodeBlock::visitChildren):
1339         (JSC::UnlinkedProgramCodeBlock::visitChildren):
1340         * bytecode/UnlinkedCodeBlock.h:
1341         (JSC::UnlinkedFunctionExecutable::createStructure):
1342         (JSC::UnlinkedProgramCodeBlock::createStructure):
1343         (JSC::UnlinkedEvalCodeBlock::createStructure):
1344         (JSC::UnlinkedFunctionCodeBlock::createStructure):
1345         * debugger/Debugger.cpp:
1346         * debugger/DebuggerActivation.cpp:
1347         (JSC::DebuggerActivation::visitChildren):
1348         * debugger/DebuggerActivation.h:
1349         (JSC::DebuggerActivation::createStructure):
1350         * debugger/DebuggerCallFrame.cpp:
1351         (JSC::DebuggerCallFrame::functionName):
1352         * dfg/DFGAbstractInterpreterInlines.h:
1353         (JSC::DFG::::executeEffects):
1354         * dfg/DFGByteCodeParser.cpp:
1355         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1356         (JSC::DFG::ByteCodeParser::parseBlock):
1357         * dfg/DFGFixupPhase.cpp:
1358         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
1359         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
1360         * dfg/DFGGraph.cpp:
1361         (JSC::DFG::Graph::dump):
1362         * dfg/DFGGraph.h:
1363         (JSC::DFG::Graph::isInternalFunctionConstant):
1364         * dfg/DFGOperations.cpp:
1365         * dfg/DFGSpeculativeJIT.cpp:
1366         (JSC::DFG::SpeculativeJIT::checkArray):
1367         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1368         * dfg/DFGThunks.cpp:
1369         (JSC::DFG::virtualForThunkGenerator):
1370         * interpreter/Interpreter.cpp:
1371         (JSC::loadVarargs):
1372         * jsc.cpp:
1373         (GlobalObject::createStructure):
1374         * profiler/LegacyProfiler.cpp:
1375         (JSC::LegacyProfiler::createCallIdentifier):
1376         * runtime/Arguments.cpp:
1377         (JSC::Arguments::visitChildren):
1378         * runtime/Arguments.h:
1379         (JSC::Arguments::createStructure):
1380         (JSC::asArguments):
1381         (JSC::Arguments::finishCreation):
1382         * runtime/ArrayConstructor.cpp:
1383         (JSC::arrayConstructorIsArray):
1384         * runtime/ArrayConstructor.h:
1385         (JSC::ArrayConstructor::createStructure):
1386         * runtime/ArrayPrototype.cpp:
1387         (JSC::ArrayPrototype::finishCreation):
1388         (JSC::arrayProtoFuncConcat):
1389         (JSC::attemptFastSort):
1390         * runtime/ArrayPrototype.h:
1391         (JSC::ArrayPrototype::createStructure):
1392         * runtime/BooleanConstructor.h:
1393         (JSC::BooleanConstructor::createStructure):
1394         * runtime/BooleanObject.cpp:
1395         (JSC::BooleanObject::finishCreation):
1396         * runtime/BooleanObject.h:
1397         (JSC::BooleanObject::createStructure):
1398         (JSC::asBooleanObject):
1399         * runtime/BooleanPrototype.cpp:
1400         (JSC::BooleanPrototype::finishCreation):
1401         (JSC::booleanProtoFuncToString):
1402         (JSC::booleanProtoFuncValueOf):
1403         * runtime/BooleanPrototype.h:
1404         (JSC::BooleanPrototype::createStructure):
1405         * runtime/DateConstructor.cpp:
1406         (JSC::constructDate):
1407         * runtime/DateConstructor.h:
1408         (JSC::DateConstructor::createStructure):
1409         * runtime/DateInstance.cpp:
1410         (JSC::DateInstance::finishCreation):
1411         * runtime/DateInstance.h:
1412         (JSC::DateInstance::createStructure):
1413         (JSC::asDateInstance):
1414         * runtime/DatePrototype.cpp:
1415         (JSC::formateDateInstance):
1416         (JSC::DatePrototype::finishCreation):
1417         (JSC::dateProtoFuncToISOString):
1418         (JSC::dateProtoFuncToLocaleString):
1419         (JSC::dateProtoFuncToLocaleDateString):
1420         (JSC::dateProtoFuncToLocaleTimeString):
1421         (JSC::dateProtoFuncGetTime):
1422         (JSC::dateProtoFuncGetFullYear):
1423         (JSC::dateProtoFuncGetUTCFullYear):
1424         (JSC::dateProtoFuncGetMonth):
1425         (JSC::dateProtoFuncGetUTCMonth):
1426         (JSC::dateProtoFuncGetDate):
1427         (JSC::dateProtoFuncGetUTCDate):
1428         (JSC::dateProtoFuncGetDay):
1429         (JSC::dateProtoFuncGetUTCDay):
1430         (JSC::dateProtoFuncGetHours):
1431         (JSC::dateProtoFuncGetUTCHours):
1432         (JSC::dateProtoFuncGetMinutes):
1433         (JSC::dateProtoFuncGetUTCMinutes):
1434         (JSC::dateProtoFuncGetSeconds):
1435         (JSC::dateProtoFuncGetUTCSeconds):
1436         (JSC::dateProtoFuncGetMilliSeconds):
1437         (JSC::dateProtoFuncGetUTCMilliseconds):
1438         (JSC::dateProtoFuncGetTimezoneOffset):
1439         (JSC::dateProtoFuncSetTime):
1440         (JSC::setNewValueFromTimeArgs):
1441         (JSC::setNewValueFromDateArgs):
1442         (JSC::dateProtoFuncSetYear):
1443         (JSC::dateProtoFuncGetYear):
1444         * runtime/DatePrototype.h:
1445         (JSC::DatePrototype::createStructure):
1446         * runtime/Error.h:
1447         (JSC::StrictModeTypeErrorFunction::createStructure):
1448         * runtime/ErrorConstructor.h:
1449         (JSC::ErrorConstructor::createStructure):
1450         * runtime/ErrorInstance.cpp:
1451         (JSC::ErrorInstance::finishCreation):
1452         * runtime/ErrorInstance.h:
1453         (JSC::ErrorInstance::createStructure):
1454         * runtime/ErrorPrototype.cpp:
1455         (JSC::ErrorPrototype::finishCreation):
1456         * runtime/ErrorPrototype.h:
1457         (JSC::ErrorPrototype::createStructure):
1458         * runtime/ExceptionHelpers.cpp:
1459         (JSC::isTerminatedExecutionException):
1460         * runtime/ExceptionHelpers.h:
1461         (JSC::TerminatedExecutionError::createStructure):
1462         * runtime/Executable.cpp:
1463         (JSC::EvalExecutable::visitChildren):
1464         (JSC::ProgramExecutable::visitChildren):
1465         (JSC::FunctionExecutable::visitChildren):
1466         (JSC::ExecutableBase::hashFor):
1467         * runtime/Executable.h:
1468         (JSC::ExecutableBase::createStructure):
1469         (JSC::NativeExecutable::createStructure):
1470         (JSC::EvalExecutable::createStructure):
1471         (JSC::ProgramExecutable::createStructure):
1472         (JSC::FunctionExecutable::compileFor):
1473         (JSC::FunctionExecutable::compileOptimizedFor):
1474         (JSC::FunctionExecutable::createStructure):
1475         * runtime/FunctionConstructor.h:
1476         (JSC::FunctionConstructor::createStructure):
1477         * runtime/FunctionPrototype.cpp:
1478         (JSC::functionProtoFuncToString):
1479         (JSC::functionProtoFuncApply):
1480         (JSC::functionProtoFuncBind):
1481         * runtime/FunctionPrototype.h:
1482         (JSC::FunctionPrototype::createStructure):
1483         * runtime/GetterSetter.cpp:
1484         (JSC::GetterSetter::visitChildren):
1485         * runtime/GetterSetter.h:
1486         (JSC::GetterSetter::createStructure):
1487         * runtime/InternalFunction.cpp:
1488         (JSC::InternalFunction::finishCreation):
1489         * runtime/InternalFunction.h:
1490         (JSC::InternalFunction::createStructure):
1491         (JSC::asInternalFunction):
1492         * runtime/JSAPIValueWrapper.h:
1493         (JSC::JSAPIValueWrapper::createStructure):
1494         * runtime/JSActivation.cpp:
1495         (JSC::JSActivation::visitChildren):
1496         (JSC::JSActivation::argumentsGetter):
1497         * runtime/JSActivation.h:
1498         (JSC::JSActivation::createStructure):
1499         (JSC::asActivation):
1500         * runtime/JSArray.h:
1501         (JSC::JSArray::createStructure):
1502         (JSC::asArray):
1503         (JSC::isJSArray):
1504         * runtime/JSBoundFunction.cpp:
1505         (JSC::JSBoundFunction::finishCreation):
1506         (JSC::JSBoundFunction::visitChildren):
1507         * runtime/JSBoundFunction.h:
1508         (JSC::JSBoundFunction::createStructure):
1509         * runtime/JSCJSValue.cpp:
1510         (JSC::JSValue::dumpInContext):
1511         * runtime/JSCJSValueInlines.h:
1512         (JSC::JSValue::isFunction):
1513         * runtime/JSCell.h:
1514         (JSC::jsCast):
1515         (JSC::jsDynamicCast):
1516         * runtime/JSCellInlines.h:
1517         (JSC::allocateCell):
1518         * runtime/JSFunction.cpp:
1519         (JSC::JSFunction::finishCreation):
1520         (JSC::JSFunction::visitChildren):
1521         (JSC::skipOverBoundFunctions):
1522         (JSC::JSFunction::callerGetter):
1523         * runtime/JSFunction.h:
1524         (JSC::JSFunction::createStructure):
1525         * runtime/JSGlobalObject.cpp:
1526         (JSC::JSGlobalObject::visitChildren):
1527         (JSC::slowValidateCell):
1528         * runtime/JSGlobalObject.h:
1529         (JSC::JSGlobalObject::createStructure):
1530         * runtime/JSNameScope.cpp:
1531         (JSC::JSNameScope::visitChildren):
1532         * runtime/JSNameScope.h:
1533         (JSC::JSNameScope::createStructure):
1534         * runtime/JSNotAnObject.h:
1535         (JSC::JSNotAnObject::createStructure):
1536         * runtime/JSONObject.cpp:
1537         (JSC::JSONObject::finishCreation):
1538         (JSC::unwrapBoxedPrimitive):
1539         (JSC::Stringifier::Stringifier):
1540         (JSC::Stringifier::appendStringifiedValue):
1541         (JSC::Stringifier::Holder::Holder):
1542         (JSC::Walker::walk):
1543         (JSC::JSONProtoFuncStringify):
1544         * runtime/JSONObject.h:
1545         (JSC::JSONObject::createStructure):
1546         * runtime/JSObject.cpp:
1547         (JSC::getCallableObjectSlow):
1548         (JSC::JSObject::visitChildren):
1549         (JSC::JSObject::copyBackingStore):
1550         (JSC::JSFinalObject::visitChildren):
1551         (JSC::JSObject::ensureInt32Slow):
1552         (JSC::JSObject::ensureDoubleSlow):
1553         (JSC::JSObject::ensureContiguousSlow):
1554         (JSC::JSObject::ensureArrayStorageSlow):
1555         * runtime/JSObject.h:
1556         (JSC::JSObject::finishCreation):
1557         (JSC::JSObject::createStructure):
1558         (JSC::JSNonFinalObject::createStructure):
1559         (JSC::JSFinalObject::createStructure):
1560         (JSC::isJSFinalObject):
1561         * runtime/JSPropertyNameIterator.cpp:
1562         (JSC::JSPropertyNameIterator::visitChildren):
1563         * runtime/JSPropertyNameIterator.h:
1564         (JSC::JSPropertyNameIterator::createStructure):
1565         * runtime/JSProxy.cpp:
1566         (JSC::JSProxy::visitChildren):
1567         * runtime/JSProxy.h:
1568         (JSC::JSProxy::createStructure):
1569         * runtime/JSScope.cpp:
1570         (JSC::JSScope::visitChildren):
1571         * runtime/JSSegmentedVariableObject.cpp:
1572         (JSC::JSSegmentedVariableObject::visitChildren):
1573         * runtime/JSString.h:
1574         (JSC::JSString::createStructure):
1575         (JSC::isJSString):
1576         * runtime/JSSymbolTableObject.cpp:
1577         (JSC::JSSymbolTableObject::visitChildren):
1578         * runtime/JSVariableObject.h:
1579         * runtime/JSWithScope.cpp:
1580         (JSC::JSWithScope::visitChildren):
1581         * runtime/JSWithScope.h:
1582         (JSC::JSWithScope::createStructure):
1583         * runtime/JSWrapperObject.cpp:
1584         (JSC::JSWrapperObject::visitChildren):
1585         * runtime/JSWrapperObject.h:
1586         (JSC::JSWrapperObject::createStructure):
1587         * runtime/MathObject.cpp:
1588         (JSC::MathObject::finishCreation):
1589         * runtime/MathObject.h:
1590         (JSC::MathObject::createStructure):
1591         * runtime/NameConstructor.h:
1592         (JSC::NameConstructor::createStructure):
1593         * runtime/NameInstance.h:
1594         (JSC::NameInstance::createStructure):
1595         (JSC::NameInstance::finishCreation):
1596         * runtime/NamePrototype.cpp:
1597         (JSC::NamePrototype::finishCreation):
1598         (JSC::privateNameProtoFuncToString):
1599         * runtime/NamePrototype.h:
1600         (JSC::NamePrototype::createStructure):
1601         * runtime/NativeErrorConstructor.cpp:
1602         (JSC::NativeErrorConstructor::visitChildren):
1603         * runtime/NativeErrorConstructor.h:
1604         (JSC::NativeErrorConstructor::createStructure):
1605         (JSC::NativeErrorConstructor::finishCreation):
1606         * runtime/NumberConstructor.cpp:
1607         (JSC::NumberConstructor::finishCreation):
1608         * runtime/NumberConstructor.h:
1609         (JSC::NumberConstructor::createStructure):
1610         * runtime/NumberObject.cpp:
1611         (JSC::NumberObject::finishCreation):
1612         * runtime/NumberObject.h:
1613         (JSC::NumberObject::createStructure):
1614         * runtime/NumberPrototype.cpp:
1615         (JSC::NumberPrototype::finishCreation):
1616         * runtime/NumberPrototype.h:
1617         (JSC::NumberPrototype::createStructure):
1618         * runtime/ObjectConstructor.h:
1619         (JSC::ObjectConstructor::createStructure):
1620         * runtime/ObjectPrototype.cpp:
1621         (JSC::ObjectPrototype::finishCreation):
1622         * runtime/ObjectPrototype.h:
1623         (JSC::ObjectPrototype::createStructure):
1624         * runtime/PropertyMapHashTable.h:
1625         (JSC::PropertyTable::createStructure):
1626         * runtime/PropertyTable.cpp:
1627         (JSC::PropertyTable::visitChildren):
1628         * runtime/RegExp.h:
1629         (JSC::RegExp::createStructure):
1630         * runtime/RegExpConstructor.cpp:
1631         (JSC::RegExpConstructor::finishCreation):
1632         (JSC::RegExpConstructor::visitChildren):
1633         (JSC::constructRegExp):
1634         * runtime/RegExpConstructor.h:
1635         (JSC::RegExpConstructor::createStructure):
1636         (JSC::asRegExpConstructor):
1637         * runtime/RegExpMatchesArray.cpp:
1638         (JSC::RegExpMatchesArray::visitChildren):
1639         * runtime/RegExpMatchesArray.h:
1640         (JSC::RegExpMatchesArray::createStructure):
1641         * runtime/RegExpObject.cpp:
1642         (JSC::RegExpObject::finishCreation):
1643         (JSC::RegExpObject::visitChildren):
1644         * runtime/RegExpObject.h:
1645         (JSC::RegExpObject::createStructure):
1646         (JSC::asRegExpObject):
1647         * runtime/RegExpPrototype.cpp:
1648         (JSC::regExpProtoFuncTest):
1649         (JSC::regExpProtoFuncExec):
1650         (JSC::regExpProtoFuncCompile):
1651         (JSC::regExpProtoFuncToString):
1652         * runtime/RegExpPrototype.h:
1653         (JSC::RegExpPrototype::createStructure):
1654         * runtime/SparseArrayValueMap.cpp:
1655         (JSC::SparseArrayValueMap::createStructure):
1656         * runtime/SparseArrayValueMap.h:
1657         * runtime/StrictEvalActivation.h:
1658         (JSC::StrictEvalActivation::createStructure):
1659         * runtime/StringConstructor.h:
1660         (JSC::StringConstructor::createStructure):
1661         * runtime/StringObject.cpp:
1662         (JSC::StringObject::finishCreation):
1663         * runtime/StringObject.h:
1664         (JSC::StringObject::createStructure):
1665         (JSC::asStringObject):
1666         * runtime/StringPrototype.cpp:
1667         (JSC::StringPrototype::finishCreation):
1668         (JSC::stringProtoFuncReplace):
1669         (JSC::stringProtoFuncToString):
1670         (JSC::stringProtoFuncMatch):
1671         (JSC::stringProtoFuncSearch):
1672         (JSC::stringProtoFuncSplit):
1673         * runtime/StringPrototype.h:
1674         (JSC::StringPrototype::createStructure):
1675         * runtime/Structure.cpp:
1676         (JSC::Structure::Structure):
1677         (JSC::Structure::materializePropertyMap):
1678         (JSC::Structure::get):
1679         (JSC::Structure::visitChildren):
1680         * runtime/Structure.h:
1681         (JSC::Structure::typeInfo):
1682         (JSC::Structure::previousID):
1683         (JSC::Structure::outOfLineSize):
1684         (JSC::Structure::totalStorageCapacity):
1685         (JSC::Structure::materializePropertyMapIfNecessary):
1686         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
1687         * runtime/StructureChain.cpp:
1688         (JSC::StructureChain::visitChildren):
1689         * runtime/StructureChain.h:
1690         (JSC::StructureChain::createStructure):
1691         * runtime/StructureInlines.h:
1692         (JSC::Structure::get):
1693         * runtime/StructureRareData.cpp:
1694         (JSC::StructureRareData::createStructure):
1695         (JSC::StructureRareData::visitChildren):
1696         * runtime/StructureRareData.h:
1697         * runtime/SymbolTable.h:
1698         (JSC::SharedSymbolTable::createStructure):
1699         * runtime/VM.cpp:
1700         (JSC::VM::VM):
1701         (JSC::StackPreservingRecompiler::operator()):
1702         (JSC::VM::releaseExecutableMemory):
1703         * runtime/WriteBarrier.h:
1704         (JSC::validateCell):
1705         * testRegExp.cpp:
1706         (GlobalObject::createStructure):
1707
1708 2013-08-13  Arunprasad Rajkumar  <arurajku@cisco.com>
1709
1710         [WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places
1711         https://bugs.webkit.org/show_bug.cgi?id=119762
1712
1713         Reviewed by Geoffrey Garen.
1714
1715         * heap/Heap.cpp:
1716         (JSC::Heap::Heap):
1717         (JSC::Heap::markRoots):
1718         (JSC::Heap::collect):
1719         * jsc.cpp:
1720         (StopWatch::start):
1721         (StopWatch::stop):
1722         * testRegExp.cpp:
1723         (StopWatch::start):
1724         (StopWatch::stop):
1725
1726 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
1727
1728         [sh4] Prepare LLINT for DFG_JIT implementation.
1729         https://bugs.webkit.org/show_bug.cgi?id=119755
1730
1731         Reviewed by Oliver Hunt.
1732
1733         * LLIntOffsetsExtractor.pro: Add sh4.rb dependency.
1734         * offlineasm/sh4.rb:
1735             - Handle storeb opcode.
1736             - Make relative jumps when possible using braf opcode.
1737             - Update bmulio implementation to be consistent with baseline JIT.
1738             - Remove useless code from leap opcode.
1739             - Fix incorrect comment.
1740
1741 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
1742
1743         [sh4] Prepare baseline JIT for DFG_JIT implementation.
1744         https://bugs.webkit.org/show_bug.cgi?id=119758
1745
1746         Reviewed by Oliver Hunt.
1747
1748         * assembler/MacroAssemblerSH4.h:
1749             - Introduce a loadEffectiveAddress function to avoid code duplication.
1750             - Add ASSERTs and clean code.
1751         * assembler/SH4Assembler.h:
1752             - Prepare DFG_JIT implementation.
1753             - Add ASSERTs.
1754         * jit/JITStubs.cpp:
1755             - Add SH4 specific call for assertions.
1756         * jit/JITStubs.h:
1757             - Cosmetic change.
1758         * jit/JITStubsSH4.h:
1759             - Use constants to be more flexible with the sh4 JIT stack frame.
1760         * jit/JSInterfaceJIT.h:
1761             - Cosmetic change.
1762
1763 2013-08-13  Oliver Hunt  <oliver@apple.com>
1764
1765         Harden executeConstruct against incorrect return types from host functions
1766         https://bugs.webkit.org/show_bug.cgi?id=119757
1767
1768         Reviewed by Mark Hahnenberg.
1769
1770         Add logic to guard against bogus return types.  There doesn't seem to be any
1771         class in WebKit that does this wrong, but the typed array stubs in debug JSC
1772         do exhibit this bad behaviour.
1773
1774         * interpreter/Interpreter.cpp:
1775         (JSC::Interpreter::executeConstruct):
1776
1777 2013-08-13  Allan Sandfeld Jensen  <allan.jensen@digia.com>
1778
1779         [Qt] Fix C++11 build with gcc 4.4 and 4.5
1780         https://bugs.webkit.org/show_bug.cgi?id=119736
1781
1782         Reviewed by Anders Carlsson.
1783
1784         Don't force C++11 mode off anymore.
1785
1786         * Target.pri:
1787
1788 2013-08-12  Oliver Hunt  <oliver@apple.com>
1789
1790         Remove CodeBlock's notion of adding identifiers entirely
1791         https://bugs.webkit.org/show_bug.cgi?id=119708
1792
1793         Reviewed by Geoffrey Garen.
1794
1795         Remove addAdditionalIdentifier entirely, including the bogus assertion.
1796         Move the addition of identifiers to DFGPlan::reallyAdd.
1797
1798         * bytecode/CodeBlock.h:
1799         * dfg/DFGDesiredIdentifiers.cpp:
1800         (JSC::DFG::DesiredIdentifiers::reallyAdd):
1801         * dfg/DFGDesiredIdentifiers.h:
1802         * dfg/DFGPlan.cpp:
1803         (JSC::DFG::Plan::reallyAdd):
1804         (JSC::DFG::Plan::finalize):
1805         * dfg/DFGPlan.h:
1806
1807 2013-08-12  Oliver Hunt  <oliver@apple.com>
1808
1809         Build fix
1810
1811         * runtime/JSCell.h:
1812
1813 2013-08-12  Oliver Hunt  <oliver@apple.com>
1814
1815         Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them
1816         https://bugs.webkit.org/show_bug.cgi?id=119705
1817
1818         Reviewed by Geoffrey Garen.
1819
1820         Relatively trivial refactoring.
1821
1822         * bytecode/CodeBlock.h:
1823         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
1824         (JSC::CodeBlock::addAdditionalIdentifier):
1825         (JSC::CodeBlock::identifier):
1826         (JSC::CodeBlock::numberOfIdentifiers):
1827         * dfg/DFGCommonData.h:
1828
1829 2013-08-12  Oliver Hunt  <oliver@apple.com>
1830
1831         Stop making unnecessary copy of CodeBlock Identifier Vector
1832         https://bugs.webkit.org/show_bug.cgi?id=119702
1833
1834         Reviewed by Michael Saboff.
1835
1836         Make CodeBlock simply use a separate Vector for additional Identifiers
1837         and use the UnlinkedCodeBlock for the initial set of identifiers.
1838
1839         * bytecode/CodeBlock.cpp:
1840         (JSC::CodeBlock::printGetByIdOp):
1841         (JSC::dumpStructure):
1842         (JSC::dumpChain):
1843         (JSC::CodeBlock::printGetByIdCacheStatus):
1844         (JSC::CodeBlock::printPutByIdOp):
1845         (JSC::CodeBlock::dumpBytecode):
1846         (JSC::CodeBlock::CodeBlock):
1847         (JSC::CodeBlock::shrinkToFit):
1848         * bytecode/CodeBlock.h:
1849         (JSC::CodeBlock::numberOfIdentifiers):
1850         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
1851         (JSC::CodeBlock::addAdditionalIdentifier):
1852         (JSC::CodeBlock::identifier):
1853         * dfg/DFGDesiredIdentifiers.cpp:
1854         (JSC::DFG::DesiredIdentifiers::reallyAdd):
1855         * jit/JIT.h:
1856         * jit/JITOpcodes.cpp:
1857         (JSC::JIT::emitSlow_op_get_arguments_length):
1858         * jit/JITPropertyAccess.cpp:
1859         (JSC::JIT::emit_op_get_by_id):
1860         (JSC::JIT::compileGetByIdHotPath):
1861         (JSC::JIT::emitSlow_op_get_by_id):
1862         (JSC::JIT::compileGetByIdSlowCase):
1863         (JSC::JIT::emitSlow_op_put_by_id):
1864         * jit/JITPropertyAccess32_64.cpp:
1865         (JSC::JIT::emit_op_get_by_id):
1866         (JSC::JIT::compileGetByIdHotPath):
1867         (JSC::JIT::compileGetByIdSlowCase):
1868         * jit/JITStubs.cpp:
1869         (JSC::DEFINE_STUB_FUNCTION):
1870         * llint/LLIntSlowPaths.cpp:
1871         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1872
1873 2013-08-08  Mark Lam  <mark.lam@apple.com>
1874
1875         Restoring use of StackIterator instead of Interpreter::getStacktrace().
1876         https://bugs.webkit.org/show_bug.cgi?id=119575.
1877
1878         Reviewed by Oliver Hunt.
1879
1880         * interpreter/Interpreter.h:
1881         - Made getStackTrace() private.
1882         * interpreter/StackIterator.cpp:
1883         (JSC::StackIterator::StackIterator):
1884         (JSC::StackIterator::numberOfFrames):
1885         - Computes the number of frames by iterating through the whole stack
1886           from the starting frame. The iterator will save its current frame
1887           position before counting the frames, and then restore it after
1888           the counting.
1889         (JSC::StackIterator::gotoFrameAtIndex):
1890         (JSC::StackIterator::gotoNextFrame):
1891         (JSC::StackIterator::resetIterator):
1892         - Points the iterator to the starting frame.
1893         * interpreter/StackIteratorPrivate.h:
1894
1895 2013-08-08  Mark Lam  <mark.lam@apple.com>
1896
1897         Moved ErrorConstructor and NativeErrorConstructor helper functions into
1898         the Interpreter class.
1899         https://bugs.webkit.org/show_bug.cgi?id=119576.
1900
1901         Reviewed by Oliver Hunt.
1902
1903         This change is needed to prepare for making Interpreter::getStackTrace()
1904         private. It does not change the behavior of the code, only the lexical
1905         scoping.
1906
1907         * interpreter/Interpreter.h:
1908         - Added helper functions for ErrorConstructor and NativeErrorConstructor.
1909         * runtime/ErrorConstructor.cpp:
1910         (JSC::Interpreter::constructWithErrorConstructor):
1911         (JSC::ErrorConstructor::getConstructData):
1912         (JSC::Interpreter::callErrorConstructor):
1913         (JSC::ErrorConstructor::getCallData):
1914         - Don't want ErrorConstructor to call Interpreter::getStackTrace()
1915           directly. So, we moved the helper functions into the Interpreter
1916           class.
1917         * runtime/NativeErrorConstructor.cpp:
1918         (JSC::Interpreter::constructWithNativeErrorConstructor):
1919         (JSC::NativeErrorConstructor::getConstructData):
1920         (JSC::Interpreter::callNativeErrorConstructor):
1921         (JSC::NativeErrorConstructor::getCallData):
1922         - Don't want NativeErrorConstructor to call Interpreter::getStackTrace()
1923           directly. So, we moved the helper functions into the Interpreter
1924           class.
1925
1926 2013-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>
1927
1928         32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state
1929         https://bugs.webkit.org/show_bug.cgi?id=119555
1930
1931         Reviewed by Geoffrey Garen.
1932
1933         It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does.
1934         This was causing crashes on maps.google.com in 32-bit debug builds.
1935
1936         * dfg/DFGSpeculativeJIT32_64.cpp:
1937         (JSC::DFG::SpeculativeJIT::compile):
1938
1939 2013-08-06  Michael Saboff  <msaboff@apple.com>
1940
1941         REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT
1942         https://bugs.webkit.org/show_bug.cgi?id=119405
1943
1944         Reviewed by Geoffrey Garen.
1945
1946         * dfg/DFGSpeculativeJIT.cpp:
1947         (JSC::DFG::SpeculativeJIT::compileGetByValOnString): For X86 32 bit, construct an indexed address
1948         ourselves to save a register and then load from it.
1949
1950 2013-08-06  Filip Pizlo  <fpizlo@apple.com>
1951
1952         DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants
1953         https://bugs.webkit.org/show_bug.cgi?id=119528
1954
1955         Reviewed by Geoffrey Garen.
1956
1957         Either of the two fixes would solve the crash I saw. Basically, for best performance, we want the DFG register allocator to track double uses and non-double
1958         uses of a node separately, and we accomplish this by inserting Int32ToDouble nodes in the FixupPhase. But even if FixupPhase fails to do this, we still want
1959         the DFG register allocator to do the right thing: if it encounters a double use of an integer, it should perform a conversion and preserve the original
1960         format of the value (namely, that it was an integer). For constants, the best format to preserve is None, so that future integer uses rematerialize the int
1961         from scratch. This only affects the 64-bit backend; the 32-bit backend was already doing the right thing.
1962
1963         This also fixes some more debug dumping code, and adds some stronger assertions for integer arrays.
1964
1965         * bytecode/CodeBlock.cpp:
1966         (JSC::CodeBlock::finalizeUnconditionally):
1967         * dfg/DFGDriver.cpp:
1968         (JSC::DFG::compile):
1969         * dfg/DFGFixupPhase.cpp:
1970         (JSC::DFG::FixupPhase::fixupNode):
1971         * dfg/DFGGraph.cpp:
1972         (JSC::DFG::Graph::dump):
1973         * dfg/DFGSpeculativeJIT64.cpp:
1974         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1975         * runtime/JSObject.h:
1976         (JSC::JSObject::getIndexQuickly):
1977         (JSC::JSObject::tryGetIndexQuickly):
1978
1979 2013-08-08  Stephanie Lewis  <slewis@apple.com>
1980
1981         <rdar://problem/14680524> REGRESSION(153806): Crash @ yahoo.com when WebKit is built with a .order file
1982
1983         Unreviewed.
1984
1985         Ensure llint symbols are in source order.
1986
1987         * JavaScriptCore.order:
1988
1989 2013-08-06  Mark Lam  <mark.lam@apple.com>
1990
1991         Assertion failure in emitExpressionInfo when reloading with Web Inspector open.
1992         https://bugs.webkit.org/show_bug.cgi?id=119532.
1993
1994         Reviewed by Oliver Hunt.
1995
1996         * parser/Parser.cpp:
1997         (JSC::::Parser):
1998         - Just need to initialize the Parser's JSTokenLocation's initial line and
1999           startOffset as well during Parser construction.
2000
2001 2013-08-06  Stephanie Lewis  <slewis@apple.com>
2002
2003         Update Order Files for Safari
2004         <rdar://problem/14517392>
2005
2006         Unreviewed.
2007
2008         * JavaScriptCore.order:
2009
2010 2013-08-04  Sam Weinig  <sam@webkit.org>
2011
2012         Remove support for HTML5 MicroData
2013         https://bugs.webkit.org/show_bug.cgi?id=119480
2014
2015         Reviewed by Anders Carlsson.
2016
2017         * Configurations/FeatureDefines.xcconfig:
2018
2019 2013-08-05  Oliver Hunt  <oliver@apple.com>
2020
2021         Delay Arguments creation in strict mode
2022         https://bugs.webkit.org/show_bug.cgi?id=119505
2023
2024         Reviewed by Geoffrey Garen.
2025
2026         Make use of the write tracking performed by the parser to
2027         allow us to know if we're modifying the parameters to a function.
2028         Then use that information to make strict mode functions opt out
2029         of eager arguments creation.
2030
2031         * bytecompiler/BytecodeGenerator.cpp:
2032         (JSC::BytecodeGenerator::BytecodeGenerator):
2033         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
2034         (JSC::BytecodeGenerator::emitReturn):
2035         * bytecompiler/BytecodeGenerator.h:
2036         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly):
2037         * parser/Nodes.h:
2038         (JSC::ScopeNode::modifiesParameter):
2039         * parser/Parser.cpp:
2040         (JSC::::parseInner):
2041         * parser/Parser.h:
2042         (JSC::Scope::declareParameter):
2043         (JSC::Scope::getCapturedVariables):
2044         (JSC::Parser::declareWrite):
2045         * parser/ParserModes.h:
2046
2047 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2048
2049         Remove useless code from COMPILER(RVCT) JITStubs
2050         https://bugs.webkit.org/show_bug.cgi?id=119521
2051
2052         Reviewed by Geoffrey Garen.
2053
2054         * jit/JITStubsARMv7.h:
2055         (JSC::ctiVMThrowTrampoline): "ldr r6, [sp, #PRESERVED_R6_OFFSET]" was called twice.
2056         (JSC::ctiOpThrowNotCaught): Ditto.
2057
2058 2013-07-23  David Farler  <dfarler@apple.com>
2059
2060         Provide optional OTHER_CFLAGS, OTHER_CPPFLAGS, OTHER_LDFLAGS additions for building with ASAN
2061         https://bugs.webkit.org/show_bug.cgi?id=117762
2062
2063         Reviewed by Mark Rowe.
2064
2065         * Configurations/DebugRelease.xcconfig:
2066         Add ASAN_OTHER_CFLAGS, CPLUSPLUSFLAGS, LDFLAGS.
2067         * Configurations/JavaScriptCore.xcconfig:
2068         Add ASAN_OTHER_LDFLAGS.
2069         * Configurations/ToolExecutable.xcconfig:
2070         Don't use ASAN for build tools.
2071
2072 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2073
2074         Build fix for ARM MSVC after r153222 and r153648.
2075
2076         * jit/JITStubsARM.h: Added ctiVMThrowTrampolineSlowpath.
2077
2078 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2079
2080         Build fix for ARM MSVC after r150109.
2081
2082         Read the stub template from a header file instead of JITStubs.cpp.
2083
2084         * CMakeLists.txt:
2085         * DerivedSources.pri:
2086         * create_jit_stubs:
2087
2088 2013-08-05  Oliver Hunt  <oliver@apple.com>
2089
2090         Move TypedArray implementation into JSC
2091         https://bugs.webkit.org/show_bug.cgi?id=119489
2092
2093         Reviewed by Filip Pizlo.
2094
2095         Move TypedArray implementation into JSC in advance of re-implementation.
2096
2097         * GNUmakefile.list.am:
2098         * JSCTypedArrayStubs.h:
2099         * JavaScriptCore.xcodeproj/project.pbxproj:
2100         * runtime/ArrayBuffer.cpp: Renamed from Source/WTF/wtf/ArrayBuffer.cpp.
2101         (JSC::ArrayBuffer::transfer):
2102         (JSC::ArrayBuffer::addView):
2103         (JSC::ArrayBuffer::removeView):
2104         * runtime/ArrayBuffer.h: Renamed from Source/WTF/wtf/ArrayBuffer.h.
2105         (JSC::ArrayBufferContents::ArrayBufferContents):
2106         (JSC::ArrayBufferContents::data):
2107         (JSC::ArrayBufferContents::sizeInBytes):
2108         (JSC::ArrayBufferContents::transfer):
2109         (JSC::ArrayBufferContents::copyTo):
2110         (JSC::ArrayBuffer::isNeutered):
2111         (JSC::ArrayBuffer::~ArrayBuffer):
2112         (JSC::ArrayBuffer::clampValue):
2113         (JSC::ArrayBuffer::create):
2114         (JSC::ArrayBuffer::createUninitialized):
2115         (JSC::ArrayBuffer::ArrayBuffer):
2116         (JSC::ArrayBuffer::data):
2117         (JSC::ArrayBuffer::byteLength):
2118         (JSC::ArrayBuffer::slice):
2119         (JSC::ArrayBuffer::sliceImpl):
2120         (JSC::ArrayBuffer::clampIndex):
2121         (JSC::ArrayBufferContents::tryAllocate):
2122         (JSC::ArrayBufferContents::~ArrayBufferContents):
2123         * runtime/ArrayBufferView.cpp: Renamed from Source/WTF/wtf/ArrayBufferView.cpp.
2124         (JSC::ArrayBufferView::ArrayBufferView):
2125         (JSC::ArrayBufferView::~ArrayBufferView):
2126         (JSC::ArrayBufferView::neuter):
2127         * runtime/ArrayBufferView.h: Renamed from Source/WTF/wtf/ArrayBufferView.h.
2128         (JSC::ArrayBufferView::buffer):
2129         (JSC::ArrayBufferView::baseAddress):
2130         (JSC::ArrayBufferView::byteOffset):
2131         (JSC::ArrayBufferView::setNeuterable):
2132         (JSC::ArrayBufferView::isNeuterable):
2133         (JSC::ArrayBufferView::verifySubRange):
2134         (JSC::ArrayBufferView::clampOffsetAndNumElements):
2135         (JSC::ArrayBufferView::setImpl):
2136         (JSC::ArrayBufferView::setRangeImpl):
2137         (JSC::ArrayBufferView::zeroRangeImpl):
2138         (JSC::ArrayBufferView::calculateOffsetAndLength):
2139         * runtime/Float32Array.h: Renamed from Source/WTF/wtf/Float32Array.h.
2140         (JSC::Float32Array::set):
2141         (JSC::Float32Array::getType):
2142         (JSC::Float32Array::create):
2143         (JSC::Float32Array::createUninitialized):
2144         (JSC::Float32Array::Float32Array):
2145         (JSC::Float32Array::subarray):
2146         * runtime/Float64Array.h: Renamed from Source/WTF/wtf/Float64Array.h.
2147         (JSC::Float64Array::set):
2148         (JSC::Float64Array::getType):
2149         (JSC::Float64Array::create):
2150         (JSC::Float64Array::createUninitialized):
2151         (JSC::Float64Array::Float64Array):
2152         (JSC::Float64Array::subarray):
2153         * runtime/Int16Array.h: Renamed from Source/WTF/wtf/Int16Array.h.
2154         (JSC::Int16Array::getType):
2155         (JSC::Int16Array::create):
2156         (JSC::Int16Array::createUninitialized):
2157         (JSC::Int16Array::Int16Array):
2158         (JSC::Int16Array::subarray):
2159         * runtime/Int32Array.h: Renamed from Source/WTF/wtf/Int32Array.h.
2160         (JSC::Int32Array::getType):
2161         (JSC::Int32Array::create):
2162         (JSC::Int32Array::createUninitialized):
2163         (JSC::Int32Array::Int32Array):
2164         (JSC::Int32Array::subarray):
2165         * runtime/Int8Array.h: Renamed from Source/WTF/wtf/Int8Array.h.
2166         (JSC::Int8Array::getType):
2167         (JSC::Int8Array::create):
2168         (JSC::Int8Array::createUninitialized):
2169         (JSC::Int8Array::Int8Array):
2170         (JSC::Int8Array::subarray):
2171         * runtime/IntegralTypedArrayBase.h: Renamed from Source/WTF/wtf/IntegralTypedArrayBase.h.
2172         (JSC::IntegralTypedArrayBase::set):
2173         (JSC::IntegralTypedArrayBase::IntegralTypedArrayBase):
2174         * runtime/TypedArrayBase.h: Renamed from Source/WTF/wtf/TypedArrayBase.h.
2175         (JSC::TypedArrayBase::data):
2176         (JSC::TypedArrayBase::set):
2177         (JSC::TypedArrayBase::setRange):
2178         (JSC::TypedArrayBase::zeroRange):
2179         (JSC::TypedArrayBase::length):
2180         (JSC::TypedArrayBase::byteLength):
2181         (JSC::TypedArrayBase::item):
2182         (JSC::TypedArrayBase::checkInboundData):
2183         (JSC::TypedArrayBase::TypedArrayBase):
2184         (JSC::TypedArrayBase::create):
2185         (JSC::TypedArrayBase::createUninitialized):
2186         (JSC::TypedArrayBase::subarrayImpl):
2187         (JSC::TypedArrayBase::neuter):
2188         * runtime/Uint16Array.h: Renamed from Source/WTF/wtf/Uint16Array.h.
2189         (JSC::Uint16Array::getType):
2190         (JSC::Uint16Array::create):
2191         (JSC::Uint16Array::createUninitialized):
2192         (JSC::Uint16Array::Uint16Array):
2193         (JSC::Uint16Array::subarray):
2194         * runtime/Uint32Array.h: Renamed from Source/WTF/wtf/Uint32Array.h.
2195         (JSC::Uint32Array::getType):
2196         (JSC::Uint32Array::create):
2197         (JSC::Uint32Array::createUninitialized):
2198         (JSC::Uint32Array::Uint32Array):
2199         (JSC::Uint32Array::subarray):
2200         * runtime/Uint8Array.h: Renamed from Source/WTF/wtf/Uint8Array.h.
2201         (JSC::Uint8Array::getType):
2202         (JSC::Uint8Array::create):
2203         (JSC::Uint8Array::createUninitialized):
2204         (JSC::Uint8Array::Uint8Array):
2205         (JSC::Uint8Array::subarray):
2206         * runtime/Uint8ClampedArray.h: Renamed from Source/WTF/wtf/Uint8ClampedArray.h.
2207         (JSC::Uint8ClampedArray::getType):
2208         (JSC::Uint8ClampedArray::create):
2209         (JSC::Uint8ClampedArray::createUninitialized):
2210         (JSC::Uint8ClampedArray::zeroFill):
2211         (JSC::Uint8ClampedArray::set):
2212         (JSC::Uint8ClampedArray::Uint8ClampedArray):
2213         (JSC::Uint8ClampedArray::subarray):
2214         * runtime/VM.h:
2215
2216 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
2217
2218         Copied space should be able to handle more than one copied backing store per JSCell
2219         https://bugs.webkit.org/show_bug.cgi?id=119471
2220
2221         Reviewed by Mark Hahnenberg.
2222         
2223         This allows a cell to call copyLater() multiple times for multiple different
2224         backing stores, and then have copyBackingStore() called exactly once for each
2225         of those. A token tells it which backing store to copy. All backing stores
2226         must be named using the CopyToken, an enumeration which currently cannot
2227         exceed eight entries.
2228         
2229         When copyBackingStore() is called, it's up to the callee to (a) use the token
2230         to decide what to copy and (b) call its base class's copyBackingStore() in
2231         case the base class had something that needed copying. The only exception is
2232         that JSCell never asks anything to be copied, and so if your base is JSCell
2233         then you don't have to do anything.
2234
2235         * GNUmakefile.list.am:
2236         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2237         * JavaScriptCore.xcodeproj/project.pbxproj:
2238         * heap/CopiedBlock.h:
2239         * heap/CopiedBlockInlines.h:
2240         (JSC::CopiedBlock::reportLiveBytes):
2241         * heap/CopyToken.h: Added.
2242         * heap/CopyVisitor.cpp:
2243         (JSC::CopyVisitor::copyFromShared):
2244         * heap/CopyVisitor.h:
2245         * heap/CopyVisitorInlines.h:
2246         (JSC::CopyVisitor::visitItem):
2247         * heap/CopyWorkList.h:
2248         (JSC::CopyWorklistItem::CopyWorklistItem):
2249         (JSC::CopyWorklistItem::cell):
2250         (JSC::CopyWorklistItem::token):
2251         (JSC::CopyWorkListSegment::get):
2252         (JSC::CopyWorkListSegment::append):
2253         (JSC::CopyWorkListSegment::data):
2254         (JSC::CopyWorkListIterator::get):
2255         (JSC::CopyWorkListIterator::operator*):
2256         (JSC::CopyWorkListIterator::operator->):
2257         (JSC::CopyWorkList::append):
2258         * heap/SlotVisitor.h:
2259         * heap/SlotVisitorInlines.h:
2260         (JSC::SlotVisitor::copyLater):
2261         * runtime/ClassInfo.h:
2262         * runtime/JSCell.cpp:
2263         (JSC::JSCell::copyBackingStore):
2264         * runtime/JSCell.h:
2265         * runtime/JSObject.cpp:
2266         (JSC::JSObject::visitButterfly):
2267         (JSC::JSObject::copyBackingStore):
2268         * runtime/JSObject.h:
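
        Added illustration, not JSC's own code: a minimal C++ model of the
        copyLater()/copyBackingStore() protocol this entry describes. CopyVisitor,
        Cell, Object and TypedArrayLike are stand-ins with assumed shapes, not the
        real JSC classes, and the heap's to-space allocation is replaced by calloc
        plus a worklist. It shows the two obligations the entry places on a subclass:
        dispatch on the token, and forward any token that is not yours to the base
        class so the base's own store is still copied.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <vector>

struct Cell;

// A token names one of a cell's copied backing stores. The entry says the
// enumeration currently cannot exceed eight entries; the toy keeps that limit.
enum CopyToken : uint8_t { ButterflyCopyToken, TypedArrayVectorCopyToken, CopyTokenCount };
static_assert(CopyTokenCount <= 8, "CopyToken must fit in three bits");

// One work item: which cell, and which of its backing stores to copy.
struct CopyWorklistItem { Cell* cell; CopyToken token; };

struct CopyVisitor {
    std::vector<CopyWorklistItem> worklist;
    // A cell calls this once per backing store it wants moved (assumed API).
    void copyLater(Cell* cell, CopyToken token) { worklist.push_back({cell, token}); }
    // Stand-in for a to-space allocation; the old block is simply abandoned.
    void* allocateNewSpace(size_t bytes) { return std::calloc(bytes ? bytes : 1, 1); }
    void drain();
};

struct Cell {
    virtual ~Cell() {}
    virtual void visitChildren(CopyVisitor&) {}
    // JSCell never asks for anything to be copied, so the base does nothing.
    virtual void copyBackingStore(CopyVisitor&, CopyToken) {}
};

// copyBackingStore() runs exactly once per (cell, token) pair that was queued.
void CopyVisitor::drain() {
    for (const CopyWorklistItem& item : worklist)
        item.cell->copyBackingStore(*this, item.token);
    worklist.clear();
}

// An object with one copied store (its "butterfly", here just an int array).
struct Object : Cell {
    int* butterfly = nullptr;
    size_t butterflyCount = 0;
    void visitChildren(CopyVisitor& v) override {
        if (butterfly) v.copyLater(this, ButterflyCopyToken);
    }
    void copyBackingStore(CopyVisitor& v, CopyToken token) override {
        Cell::copyBackingStore(v, token);
        if (token != ButterflyCopyToken) return;   // a subclass's store, not ours
        int* fresh = static_cast<int*>(v.allocateNewSpace(butterflyCount * sizeof(int)));
        std::memcpy(fresh, butterfly, butterflyCount * sizeof(int));
        butterfly = fresh;
    }
};

// A subclass that adds a second copied store. It must (a) dispatch on the token
// and (b) forward to the base so the butterfly is still copied.
struct TypedArrayLike : Object {
    uint8_t* vector = nullptr;
    size_t vectorBytes = 0;
    void visitChildren(CopyVisitor& v) override {
        Object::visitChildren(v);
        if (vector) v.copyLater(this, TypedArrayVectorCopyToken);
    }
    void copyBackingStore(CopyVisitor& v, CopyToken token) override {
        if (token == TypedArrayVectorCopyToken) {
            uint8_t* fresh = static_cast<uint8_t*>(v.allocateNewSpace(vectorBytes));
            std::memcpy(fresh, vector, vectorBytes);
            vector = fresh;
            return;
        }
        Object::copyBackingStore(v, token);   // (b): the base handles its own store
    }
};

// Runs one copy cycle over a cell; returns how many backing stores were queued.
size_t runCopyCycle(Cell& cell) {
    CopyVisitor visitor;
    cell.visitChildren(visitor);
    size_t queued = visitor.worklist.size();
    visitor.drain();
    return queued;
}

int main() {
    static int nums[3] = { 1, 2, 3 };
    static uint8_t bytes[4] = { 9, 8, 7, 6 };
    TypedArrayLike t;
    t.butterfly = nums; t.butterflyCount = 3;
    t.vector = bytes; t.vectorBytes = 4;
    size_t queued = runCopyCycle(t);
    // Both stores moved, contents preserved, one copyBackingStore() call each.
    return (queued == 2 && t.butterfly != nums && t.butterfly[2] == 3
            && t.vector != bytes && t.vector[0] == 9) ? 0 : 1;
}
```

        Dropping the forwarding call in TypedArrayLike::copyBackingStore() is the
        failure mode the entry warns about: the butterfly item is still drained, but
        nothing copies it, and the object keeps pointing into abandoned space.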
2269
2270 2013-08-05  Zan Dobersek  <zdobersek@igalia.com>
2271
2272         [Automake] Define ENABLE_JIT through the Autoconf header
2273         https://bugs.webkit.org/show_bug.cgi?id=119445
2274
2275         Reviewed by Martin Robinson.
2276
2277         * GNUmakefile.am: Remove JSC_CPPFLAGS from the cpp flags for the JSC library.
2278
2279 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
2280
2281         hasIndexingHeader() ought really to be a property of an object and its structure, not just its structure
2282         https://bugs.webkit.org/show_bug.cgi?id=119470
2283
2284         Reviewed by Oliver Hunt.
2285         
2286         Structure can still tell you if the object "could" (in the conservative sense)
2287         have an indexing header; that's used by the compiler.
2288         
2289         Most of the time if you want to know if there's an indexing header, you ask the
2290         JSObject.
2291         
2292         In some cases, the JSObject wants to know if it would have an indexing header if
2293         it had a different structure; then it uses Structure::hasIndexingHeader(JSCell*).
2294
2295         * dfg/DFGRepatch.cpp:
2296         (JSC::DFG::tryCachePutByID):
2297         (JSC::DFG::tryBuildPutByIdList):
2298         * dfg/DFGSpeculativeJIT.cpp:
2299         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2300         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2301         * runtime/ButterflyInlines.h:
2302         (JSC::Butterfly::create):
2303         (JSC::Butterfly::growPropertyStorage):
2304         (JSC::Butterfly::growArrayRight):
2305         (JSC::Butterfly::resizeArray):
2306         * runtime/JSObject.cpp:
2307         (JSC::JSObject::copyButterfly):
2308         (JSC::JSObject::visitButterfly):
2309         * runtime/JSObject.h:
2310         (JSC::JSObject::hasIndexingHeader):
2311         (JSC::JSObject::setButterfly):
2312         * runtime/Structure.h:
2313         (JSC::Structure::couldHaveIndexingHeader):
2314         (JSC::Structure::hasIndexingHeader):
2315
2316 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
2317
2318         Give the error object's stack property accessor attributes.
2319         https://bugs.webkit.org/show_bug.cgi?id=119404
2320
2321         Reviewed by Geoffrey Garen.
2322         
2323         Changed the attributes of the error object's stack property to allow developers to write
2324         and delete the stack property. This will match the functionality of Chrome. Firefox
2325         allows developers to write the error's stack, but not delete it.
2326
2327         * interpreter/Interpreter.cpp:
2328         (JSC::Interpreter::addStackTraceIfNecessary):
2329         * runtime/ErrorInstance.cpp:
2330         (JSC::ErrorInstance::finishCreation):
2331
2332 2013-08-02  Oliver Hunt  <oliver@apple.com>
2333
2334         Incorrect type speculation reported by ToPrimitive
2335         https://bugs.webkit.org/show_bug.cgi?id=119458
2336
2337         Reviewed by Mark Hahnenberg.
2338
2339         Make sure that we report the correct type possibilities for the output
2340         from ToPrimitive
2341
2342         * dfg/DFGAbstractInterpreterInlines.h:
2343         (JSC::DFG::::executeEffects):
2344
2345 2013-08-02  Gavin Barraclough  <barraclough@apple.com>
2346
2347         Remove no-arguments constructor to PropertySlot
2348         https://bugs.webkit.org/show_bug.cgi?id=119460
2349
2350         Reviewed by Geoff Garen.
2351
2352         This constructor was unsafe if getValue is subsequently called,
2353         and the property is a getter. Simplest to just remove it.
2354
2355         * runtime/Arguments.cpp:
2356         (JSC::Arguments::defineOwnProperty):
2357         * runtime/JSActivation.cpp:
2358         (JSC::JSActivation::getOwnPropertyDescriptor):
2359         * runtime/JSFunction.cpp:
2360         (JSC::JSFunction::getOwnPropertyDescriptor):
2361         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2362         (JSC::JSFunction::put):
2363         (JSC::JSFunction::defineOwnProperty):
2364         * runtime/JSGlobalObject.cpp:
2365         (JSC::JSGlobalObject::defineOwnProperty):
2366         * runtime/JSGlobalObject.h:
2367         (JSC::JSGlobalObject::hasOwnPropertyForWrite):
2368         * runtime/JSNameScope.cpp:
2369         (JSC::JSNameScope::put):
2370         * runtime/JSONObject.cpp:
2371         (JSC::Stringifier::Holder::appendNextProperty):
2372         (JSC::Walker::walk):
2373         * runtime/JSObject.cpp:
2374         (JSC::JSObject::hasProperty):
2375         (JSC::JSObject::hasOwnProperty):
2376         (JSC::JSObject::reifyStaticFunctionsForDelete):
2377         * runtime/Lookup.h:
2378         (JSC::getStaticPropertyDescriptor):
2379         (JSC::getStaticFunctionDescriptor):
2380         (JSC::getStaticValueDescriptor):
2381         * runtime/ObjectConstructor.cpp:
2382         (JSC::defineProperties):
2383         * runtime/PropertySlot.h:
2384
2385 2013-08-02  Mark Hahnenberg  <mhahnenberg@apple.com>
2386
2387         DFG validation can cause assertion failures due to dumping
2388         https://bugs.webkit.org/show_bug.cgi?id=119456
2389
2390         Reviewed by Geoffrey Garen.
2391
2392         * bytecode/CodeBlock.cpp:
2393         (JSC::CodeBlock::hasHash):
2394         (JSC::CodeBlock::isSafeToComputeHash):
2395         (JSC::CodeBlock::hash):
2396         (JSC::CodeBlock::dumpAssumingJITType):
2397         * bytecode/CodeBlock.h:
2398
2399 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
2400
2401         Have the VM's exceptionStack match the Java VM's exceptionStack.
2402         https://bugs.webkit.org/show_bug.cgi?id=119362
2403
2404         Reviewed by Geoffrey Garen.
2405         
2406         The error object's stack is only updated if it does not exist yet. This matches
2407         the functionality of other browsers and Java VMs.
2408
2409         * interpreter/Interpreter.cpp:
2410         (JSC::Interpreter::addStackTraceIfNecessary):
2411         (JSC::Interpreter::throwException):
2412         * runtime/VM.cpp:
2413         (JSC::VM::clearExceptionStack):
2414         * runtime/VM.h:
2415         (JSC::VM::lastExceptionStack):
2416
2417 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
2418
2419         REGRESSION(FTL): Fix mips implementation of ctiVMThrowTrampolineSlowpath.
2420         https://bugs.webkit.org/show_bug.cgi?id=119447
2421
2422         Reviewed by Geoffrey Garen.
2423
2424         Fix .cpload, update call frame and do not restore registers from JIT stack frame in
2425         mips implementation of ctiVMThrowTrampolineSlowpath. This change is similar to
2426         r153583 (sh4) and r153648 (ARM).
2427
2428         * jit/JITStubsMIPS.h:
2429
2430 2013-08-01  Filip Pizlo  <fpizlo@apple.com>
2431
2432         hasIndexingHeader should be a property of the Structure, not just the IndexingType
2433         https://bugs.webkit.org/show_bug.cgi?id=119422
2434
2435         Reviewed by Oliver Hunt.
2436         
2437         This simplifies some code and also allows Structure to claim that an object
2438         has an indexing header even if it doesn't have indexed properties.
2439         
2440         I also changed some calls to use hasIndexedProperties() since in some cases,
2441         that's what we actually meant. Currently the two are synonyms.
2442
2443         * dfg/DFGRepatch.cpp:
2444         (JSC::DFG::tryCachePutByID):
2445         (JSC::DFG::tryBuildPutByIdList):
2446         * dfg/DFGSpeculativeJIT.cpp:
2447         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2448         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2449         * runtime/ButterflyInlines.h:
2450         (JSC::Butterfly::create):
2451         (JSC::Butterfly::growPropertyStorage):
2452         (JSC::Butterfly::growArrayRight):
2453         (JSC::Butterfly::resizeArray):
2454         * runtime/IndexingType.h:
2455         * runtime/JSObject.cpp:
2456         (JSC::JSObject::copyButterfly):
2457         (JSC::JSObject::visitButterfly):
2458         (JSC::JSObject::setPrototype):
2459         * runtime/JSObject.h:
2460         (JSC::JSObject::setButterfly):
2461         * runtime/JSPropertyNameIterator.cpp:
2462         (JSC::JSPropertyNameIterator::create):
2463         * runtime/Structure.h:
2464         (JSC::Structure::hasIndexingHeader):
2465
2466 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
2467
2468         REGRESSION: ARM still crashes after change set r153612.
2469         https://bugs.webkit.org/show_bug.cgi?id=119433
2470
2471         Reviewed by Michael Saboff.
2472
2473         Update call frame and do not restore registers from JIT stack frame in ARM and ARMv7
2474         implementations of ctiVMThrowTrampolineSlowpath. This change is similar to r153583
2475         for sh4 architecture.
2476
2477         * jit/JITStubsARM.h:
2478         * jit/JITStubsARMv7.h:
2479
2480 2013-08-02  Michael Saboff  <msaboff@apple.com>
2481
2482         REGRESSION(r153612): It made jsc and layout tests crash
2483         https://bugs.webkit.org/show_bug.cgi?id=119440
2484
2485         Reviewed by Csaba Osztrogonác.
2486
2487         Made the changes in changeset r153612 only apply to 32-bit builds.
2488
2489         * jit/JITExceptions.cpp:
2490         * jit/JITExceptions.h:
2491         * jit/JITStubs.cpp:
2492         (JSC::cti_vm_throw_slowpath):
2493         * jit/JITStubs.h:
2494
2495 2013-08-02  Patrick Gansterer  <paroga@webkit.org>
2496
2497         Add JSCTestRunnerUtils to the list of forwarding headers to fix build.
2498
2499         * CMakeLists.txt:
2500
2501 2013-08-01  Ruth Fong  <ruth_fong@apple.com>
2502
2503         [Forms: color] <input type='color'> popover color well implementation
2504         <rdar://problem/14411008> and https://bugs.webkit.org/show_bug.cgi?id=119356
2505
2506         Reviewed by Benjamin Poulain.
2507
2508         * Configurations/FeatureDefines.xcconfig: Added and enabled INPUT_TYPE_COLOR_POPOVER.
2509
2510 2013-08-01  Oliver Hunt  <oliver@apple.com>
2511
2512         DFG is not enforcing correct ordering of ToString conversion in MakeRope
2513         https://bugs.webkit.org/show_bug.cgi?id=119408
2514
2515         Reviewed by Filip Pizlo.
2516
2517         Construct ToString and Phantom nodes in advance of MakeRope
2518         nodes to ensure that ordering is ensured, and correct values
2519         will be reified on OSR exit.
2520
2521         * dfg/DFGByteCodeParser.cpp:
2522         (JSC::DFG::ByteCodeParser::parseBlock):
2523
2524 2013-08-01  Michael Saboff  <msaboff@apple.com>
2525
2526         REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
2527         https://bugs.webkit.org/show_bug.cgi?id=119140
2528
2529         Reviewed by Filip Pizlo.
2530
2531         Ensure that ExceptionHandler is returned by functions in two registers by encoding the value as a 64 bit int.
2532
2533         * jit/JITExceptions.cpp:
2534         (JSC::encode):
2535         * jit/JITExceptions.h:
2536         * jit/JITStubs.cpp:
2537         (JSC::cti_vm_throw_slowpath):
2538         * jit/JITStubs.h:
2539
2540 2013-08-01  Julien Brianceau  <jbrianceau@nds.com>
2541
2542         REGRESSION(FTL): Fix sh4 implementation of ctiVMThrowTrampolineSlowpath.
2543         https://bugs.webkit.org/show_bug.cgi?id=119391
2544
2545         Reviewed by Csaba Osztrogonác.
2546
2547         * jit/JITStubsSH4.h: Fix ctiVMThrowTrampolineSlowpath implementation:
2548             - Call frame is in r14 register.
2549             - Do not restore registers from JIT stack frame here.
2550
2551 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
2552
2553         More cleanup in PropertySlot
2554         https://bugs.webkit.org/show_bug.cgi?id=119359
2555
2556         Reviewed by Geoff Garen.
2557
2558         m_slotBase is overloaded to store the (receiver) thisValue and the object that contains the property.
2559         This is confusing, and means that slotBase cannot be typed correctly (can only be a JSObject).
2560
2561         * dfg/DFGRepatch.cpp:
2562         (JSC::DFG::tryCacheGetByID):
2563         (JSC::DFG::tryBuildGetByIDList):
2564             - No need to ASSERT slotBase is an object.
2565         * jit/JITStubs.cpp:
2566         (JSC::tryCacheGetByID):
2567         (JSC::DEFINE_STUB_FUNCTION):
2568             - No need to ASSERT slotBase is an object.
2569         * runtime/JSObject.cpp:
2570         (JSC::JSObject::getOwnPropertySlotByIndex):
2571         (JSC::JSObject::fillGetterPropertySlot):
2572             - Pass an object through to setGetterSlot.
2573         * runtime/JSObject.h:
2574         (JSC::PropertySlot::getValue):
2575             - Moved from PropertySlot (need to know about JSObject).
2576         * runtime/PropertySlot.cpp:
2577         (JSC::PropertySlot::functionGetter):
2578             - update per member name changes
2579         * runtime/PropertySlot.h:
2580         (JSC::PropertySlot::PropertySlot):
2581             - Argument to constructor set to 'thisValue'.
2582         (JSC::PropertySlot::slotBase):
2583             - This returns a JSObject*.
2584         (JSC::PropertySlot::setValue):
2585         (JSC::PropertySlot::setCustom):
2586         (JSC::PropertySlot::setCacheableCustom):
2587         (JSC::PropertySlot::setCustomIndex):
2588         (JSC::PropertySlot::setGetterSlot):
2589         (JSC::PropertySlot::setCacheableGetterSlot):
2590             - slotBase is a JSObject*, make setGetterSlot set slotBase for consistency.
2591         * runtime/SparseArrayValueMap.cpp:
2592         (JSC::SparseArrayEntry::get):
2593             - Pass an object through to setGetterSlot.
2594         * runtime/SparseArrayValueMap.h:
2595             - Pass an object through to setGetterSlot.
2596
2597 2013-07-31  Yi Shen  <max.hong.shen@gmail.com>
2598
2599         Reduce JSC API static value setter/getter overhead.
2600         https://bugs.webkit.org/show_bug.cgi?id=119277
2601
2602         Reviewed by Geoffrey Garen.
2603
2604         Add the property name to the static value entry, so that OpaqueJSString::create() doesn't
2605         need to be called every time the static value is set or retrieved.
2606
2607         * API/JSCallbackObjectFunctions.h:
2608         (JSC::::put):
2609         (JSC::::putByIndex):
2610         (JSC::::getStaticValue):
2611         * API/JSClassRef.cpp:
2612         (OpaqueJSClassContextData::OpaqueJSClassContextData):
2613         * API/JSClassRef.h:
2614         (StaticValueEntry::StaticValueEntry):
2615
2616 2013-07-31  Kwang Yul Seo  <skyul@company100.net>
2617
2618         Use emptyString instead of String("")
2619         https://bugs.webkit.org/show_bug.cgi?id=119335
2620
2621         Reviewed by Darin Adler.
2622
2623         Use emptyString() instead of String("") because it is better style and
2624         faster. This is a followup to r116908, removing all occurrences of
2625         String("") from WebKit.
2626
2627         * runtime/RegExpConstructor.cpp:
2628         (JSC::constructRegExp):
2629         * runtime/RegExpPrototype.cpp:
2630         (JSC::regExpProtoFuncCompile):
2631         * runtime/StringPrototype.cpp:
2632         (JSC::stringProtoFuncMatch):
2633         (JSC::stringProtoFuncSearch):
2634
2635 2013-07-31  Ruth Fong  <ruth_fong@apple.com>
2636
2637         <input type=color> Mac UI behaviour
2638         <rdar://problem/10269922> and https://bugs.webkit.org/show_bug.cgi?id=61276
2639
2640         Reviewed by Brady Eidson.
2641
2642         * Configurations/FeatureDefines.xcconfig: Enabled INPUT_TYPE_COLOR.
2643
2644 2013-07-31  Mark Hahnenberg  <mhahnenberg@apple.com>
2645
2646         DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT
2647         https://bugs.webkit.org/show_bug.cgi?id=119349
2648
2649         Reviewed by Geoffrey Garen.
2650
2651         Prior to this patch, the baseline JIT was responsible for resizing the ctiOffsets Vector for 
2652         SimpleJumpTables to be equal to the size of the branchOffsets Vector. The DFG implicitly relied
2653         on code it compiled with any switch statements to have been run in the baseline JIT first. 
2654         However, if the DFG chooses to inline a function that has never been compiled by the baseline 
2655         JIT then this resizing never happens and we crash at link time in the DFG.
2656
2657         We can fix this by also doing the resize in the DFG to catch this case.
2658
2659         * dfg/DFGJITCompiler.cpp:
2660         (JSC::DFG::JITCompiler::link):
2661
2662 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
2663
2664         Speculative Windows build fix.
2665
2666         Reviewed by NOBODY
2667
2668         * runtime/JSString.cpp:
2669         (JSC::JSRopeString::getIndexSlowCase):
2670         * runtime/JSString.h:
2671
2672 2013-07-30  Gavin Barraclough  <barraclough@apple.com>
2673
2674         Some cleanup in JSValue::get
2675         https://bugs.webkit.org/show_bug.cgi?id=119343
2676
2677         Reviewed by Geoff Garen.
2678
2679         JSValue::get is implemented to:
2680             1) Check if the value is a cell – if not, synthesize a prototype to search,
2681             2) call getOwnPropertySlot on the cell,
2682             3) if this returns false, cast to JSObject to get the prototype, and walk the prototype chain.
2683         By all rights this should crash when passed a string and accessing a property that does not exist, because
2684         the string is a cell, getOwnPropertySlot should return false, and the cast to JSObject should be unsafe.
2685         To work around this, JSString::getOwnPropertySlot actually implements 'get' functionality - searching the
2686         prototype chain, and faking out a return value of undefined if no property is found.
2687
2688         This is a huge hazard, since fixing JSString::getOwnPropertySlot or calling getOwnPropertySlot on cells
2689         from elsewhere would introduce bugs. Fortunately it is only ever called in this one place.
2690
2691         The fix here is to move getOwnPropertySlot onto JSObject and end this madness - cells don't have property
2692         slots anyway.
2693
2694         Interesting changes are in JSCJSValueInlines.h, JSString.cpp - the rest is pretty much all JSCell -> JSObject.
2695
2696 2013-07-31  Michael Saboff  <msaboff@apple.com>
2697
2698         [Win] JavaScript crash.
2699         https://bugs.webkit.org/show_bug.cgi?id=119339
2700
2701         Reviewed by Mark Hahnenberg.
2702
2703         * jit/JITStubsX86.h: Implement ctiVMThrowTrampoline and
2704         ctiVMThrowTrampolineSlowpath the same way as the gcc x86 version does.
2705
2706 2013-07-30  Mark Hahnenberg  <mhahnenberg@apple.com>
2707
2708         GetByVal on Arguments does the wrong size load when checking the Arguments object length
2709         https://bugs.webkit.org/show_bug.cgi?id=119281
2710
2711         Reviewed by Geoffrey Garen.
2712
2713         This leads to out of bounds accesses and subsequent crashes.
2714
2715         * dfg/DFGSpeculativeJIT.cpp:
2716         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
2717         * dfg/DFGSpeculativeJIT64.cpp:
2718         (JSC::DFG::SpeculativeJIT::compile):
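
        Added illustration, not the JSC code that was fixed: a constructed C++
        layout showing why a length check that loads the wrong width admits
        out-of-range indices. ArgumentsLike, inBounds32, inBounds64 and
        admittedCount are invented for the illustration; the real Arguments object
        layout and the instruction the DFG emitted are not reproduced here.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Constructed layout for the illustration: a 32-bit element count with another
// 32-bit field beside it. This is not the real Arguments object layout.
struct ArgumentsLike {
    uint32_t length;       // number of slots actually present
    uint32_t neighbour;    // whatever happens to follow the length in memory
    int32_t slots[4];      // the backing storage an index selects from
};

// Correct check: a 32-bit load of the 32-bit length.
bool inBounds32(const ArgumentsLike& a, uint32_t index) {
    uint32_t length;
    std::memcpy(&length, &a.length, sizeof length);
    return index < length;
}

// The bug class: a 64-bit load of a 32-bit field drags the neighbouring word
// into the comparison. Whenever that word is non-zero the bound becomes huge
// (on either endianness), so out-of-range indices pass the check and the
// following element load runs past slots[].
bool inBounds64(const ArgumentsLike& a, uint32_t index) {
    uint64_t wide;
    std::memcpy(&wide, &a.length, sizeof wide);
    return index < wide;
}

// Counts how many of the indices 0..upTo-1 a check admits.
uint32_t admittedCount(const ArgumentsLike& a, uint32_t upTo,
                       bool (*check)(const ArgumentsLike&, uint32_t)) {
    uint32_t n = 0;
    for (uint32_t i = 0; i < upTo; ++i)
        n += check(a, i) ? 1 : 0;
    return n;
}

int main() {
    // Constructed sample: two real elements, and a non-zero word next to length.
    ArgumentsLike a = { 2, 1, { 10, 20, 30, 40 } };
    // The narrow check admits indices 0 and 1; the wide check admits all 1000.
    return (admittedCount(a, 1000, inBounds32) == 2
            && admittedCount(a, 1000, inBounds64) == 1000) ? 0 : 1;
}
```

        The check only looks correct when the neighbouring word happens to be zero,
        which is why a bug like this can survive testing and then crash on inputs
        that populate that field.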
2719
2720 2013-07-30  Oliver Hunt  <oliver@apple.com>
2721
2722         Add an assertion to SpeculateCellOperand
2723         https://bugs.webkit.org/show_bug.cgi?id=119276
2724
2725         Reviewed by Michael Saboff.
2726
2727         More assertions are better
2728
2729         * dfg/DFGSpeculativeJIT64.cpp:
2730         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2731         (JSC::DFG::SpeculativeJIT::compile):
2732
2733 2013-07-30  Mark Lam  <mark.lam@apple.com>
2734
2735         Fix problems with divot and lineStart mismatches.
2736         https://bugs.webkit.org/show_bug.cgi?id=118662.
2737
2738         Reviewed by Oliver Hunt.
2739
2740         r152494 added the recording of lineStart values for divot positions.
2741         This is needed for the computation of column numbers. Similarly, it also
2742         added the recording of line numbers for the divot positions. One problem
2743         with the approach taken was that the line and lineStart values were
2744         recorded independently, and hence were not always guaranteed to be
2745         sampled at the same place that the divot position is recorded. This
2746         resulted in potential mismatches that cause some assertions to fail.
2747
2748         The solution is to introduce a JSTextPosition abstraction that records
2749         the divot position, line, and lineStart as a single quantity. Wherever
2750         we record the divot position as an unsigned int previously, we now record
2751         its JSTextPosition which captures all 3 values in one go. This ensures
2752         that the captured line and lineStart will always match the captured divot
2753         position.
2754
2755         * bytecompiler/BytecodeGenerator.cpp:
2756         (JSC::BytecodeGenerator::emitCall):
2757         (JSC::BytecodeGenerator::emitCallEval):
2758         (JSC::BytecodeGenerator::emitCallVarargs):
2759         (JSC::BytecodeGenerator::emitConstruct):
2760         (JSC::BytecodeGenerator::emitDebugHook):
2761         - Use JSTextPosition instead of passing line and lineStart explicitly.
2762         * bytecompiler/BytecodeGenerator.h:
2763         (JSC::BytecodeGenerator::emitExpressionInfo):
2764         - Use JSTextPosition instead of passing line and lineStart explicitly.
2765         * bytecompiler/NodesCodegen.cpp:
2766         (JSC::ThrowableExpressionData::emitThrowReferenceError):
2767         (JSC::ResolveNode::emitBytecode):
2768         (JSC::BracketAccessorNode::emitBytecode):
2769         (JSC::DotAccessorNode::emitBytecode):
2770         (JSC::NewExprNode::emitBytecode):
2771         (JSC::EvalFunctionCallNode::emitBytecode):
2772         (JSC::FunctionCallValueNode::emitBytecode):
2773         (JSC::FunctionCallResolveNode::emitBytecode):
2774         (JSC::FunctionCallBracketNode::emitBytecode):
2775         (JSC::FunctionCallDotNode::emitBytecode):
2776         (JSC::CallFunctionCallDotNode::emitBytecode):
2777         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2778         (JSC::PostfixNode::emitResolve):
2779         (JSC::PostfixNode::emitBracket):
2780         (JSC::PostfixNode::emitDot):
2781         (JSC::DeleteResolveNode::emitBytecode):
2782         (JSC::DeleteBracketNode::emitBytecode):
2783         (JSC::DeleteDotNode::emitBytecode):
2784         (JSC::PrefixNode::emitResolve):
2785         (JSC::PrefixNode::emitBracket):
2786         (JSC::PrefixNode::emitDot):
2787         (JSC::UnaryOpNode::emitBytecode):
2788         (JSC::BinaryOpNode::emitStrcat):
2789         (JSC::BinaryOpNode::emitBytecode):
2790         (JSC::ThrowableBinaryOpNode::emitBytecode):
2791         (JSC::InstanceOfNode::emitBytecode):
2792         (JSC::emitReadModifyAssignment):
2793         (JSC::ReadModifyResolveNode::emitBytecode):
2794         (JSC::AssignResolveNode::emitBytecode):
2795         (JSC::AssignDotNode::emitBytecode):
2796         (JSC::ReadModifyDotNode::emitBytecode):
2797         (JSC::AssignBracketNode::emitBytecode):
2798         (JSC::ReadModifyBracketNode::emitBytecode):
2799         (JSC::ForInNode::emitBytecode):
2800         (JSC::WithNode::emitBytecode):
2801         (JSC::ThrowNode::emitBytecode):
2802         - Use JSTextPosition instead of passing line and lineStart explicitly.
2803         * parser/ASTBuilder.h:
2804         - Replaced ASTBuilder::PositionInfo with JSTextPosition.
2805         (JSC::ASTBuilder::BinaryOpInfo::BinaryOpInfo):
2806         (JSC::ASTBuilder::AssignmentInfo::AssignmentInfo):
2807         (JSC::ASTBuilder::createResolve):
2808         (JSC::ASTBuilder::createBracketAccess):
2809         (JSC::ASTBuilder::createDotAccess):
2810         (JSC::ASTBuilder::createRegExp):
2811         (JSC::ASTBuilder::createNewExpr):
2812         (JSC::ASTBuilder::createAssignResolve):
2813         (JSC::ASTBuilder::createExprStatement):
2814         (JSC::ASTBuilder::createForInLoop):
2815         (JSC::ASTBuilder::createReturnStatement):
2816         (JSC::ASTBuilder::createBreakStatement):
2817         (JSC::ASTBuilder::createContinueStatement):
2818         (JSC::ASTBuilder::createLabelStatement):
2819         (JSC::ASTBuilder::createWithStatement):
2820         (JSC::ASTBuilder::createThrowStatement):
2821         (JSC::ASTBuilder::appendBinaryExpressionInfo):
2822         (JSC::ASTBuilder::appendUnaryToken):
2823         (JSC::ASTBuilder::unaryTokenStackLastStart):
2824         (JSC::ASTBuilder::assignmentStackAppend):
2825         (JSC::ASTBuilder::createAssignment):
2826         (JSC::ASTBuilder::setExceptionLocation):
2827         (JSC::ASTBuilder::makeDeleteNode):
2828         (JSC::ASTBuilder::makeFunctionCallNode):
2829         (JSC::ASTBuilder::makeBinaryNode):
2830         (JSC::ASTBuilder::makeAssignNode):
2831         (JSC::ASTBuilder::makePrefixNode):
2832         (JSC::ASTBuilder::makePostfixNode):
2833         - Use JSTextPosition instead of passing line and lineStart explicitly.
2834         * parser/Lexer.cpp:
2835         (JSC::::lex):
2836         - Added support for capturing the appropriate JSTextPositions instead
2837           of just the character offset.
2838         * parser/Lexer.h:
2839         (JSC::Lexer::currentPosition):
2840         (JSC::::lexExpectIdentifier):
2841         - Added support for capturing the appropriate JSTextPositions instead
2842           of just the character offset.
2843         * parser/NodeConstructors.h:
2844         (JSC::Node::Node):
2845         (JSC::ResolveNode::ResolveNode):
2846         (JSC::EvalFunctionCallNode::EvalFunctionCallNode):
2847         (JSC::FunctionCallValueNode::FunctionCallValueNode):
2848         (JSC::FunctionCallResolveNode::FunctionCallResolveNode):
2849         (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
2850         (JSC::FunctionCallDotNode::FunctionCallDotNode):
2851         (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
2852         (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
2853         (JSC::PostfixNode::PostfixNode):
2854         (JSC::DeleteResolveNode::DeleteResolveNode):
2855         (JSC::DeleteBracketNode::DeleteBracketNode):
2856         (JSC::DeleteDotNode::DeleteDotNode):
2857         (JSC::PrefixNode::PrefixNode):
2858         (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
2859         (JSC::ReadModifyBracketNode::ReadModifyBracketNode):
2860         (JSC::AssignBracketNode::AssignBracketNode):
2861         (JSC::AssignDotNode::AssignDotNode):
2862         (JSC::ReadModifyDotNode::ReadModifyDotNode):
2863         (JSC::AssignErrorNode::AssignErrorNode):
2864         (JSC::WithNode::WithNode):
2865         (JSC::ForInNode::ForInNode):
2866         - Use JSTextPosition instead of passing line and lineStart explicitly.
2867         * parser/Nodes.cpp:
2868         (JSC::StatementNode::setLoc):
2869         - Use JSTextPosition instead of passing line and lineStart explicitly.
2870         * parser/Nodes.h:
2871         (JSC::Node::lineNo):
2872         (JSC::Node::startOffset):
2873         (JSC::Node::lineStartOffset):
2874         (JSC::Node::position):
2875         (JSC::ThrowableExpressionData::ThrowableExpressionData):
2876         (JSC::ThrowableExpressionData::setExceptionSourceCode):
2877         (JSC::ThrowableExpressionData::divot):
2878         (JSC::ThrowableExpressionData::divotStart):
2879         (JSC::ThrowableExpressionData::divotEnd):
2880         (JSC::ThrowableSubExpressionData::ThrowableSubExpressionData):
2881         (JSC::ThrowableSubExpressionData::setSubexpressionInfo):
2882         (JSC::ThrowableSubExpressionData::subexpressionDivot):
2883         (JSC::ThrowableSubExpressionData::subexpressionStart):
2884         (JSC::ThrowableSubExpressionData::subexpressionEnd):
2885         (JSC::ThrowablePrefixedSubExpressionData::ThrowablePrefixedSubExpressionData):
2886         (JSC::ThrowablePrefixedSubExpressionData::setSubexpressionInfo):
2887         (JSC::ThrowablePrefixedSubExpressionData::subexpressionDivot):
2888         (JSC::ThrowablePrefixedSubExpressionData::subexpressionStart):
2889         (JSC::ThrowablePrefixedSubExpressionData::subexpressionEnd):
2890         - Use JSTextPosition instead of passing line and lineStart explicitly.
2891         * parser/Parser.cpp:
2892         (JSC::::Parser):
2893         (JSC::::parseInner):
2894         - Use JSTextPosition instead of passing line and lineStart explicitly.
2895         (JSC::::didFinishParsing):
2896         - Remove setting of m_lastLine value. We always pass in the value from
2897           m_lastLine anyway. So, this assignment is effectively a nop.
2898         (JSC::::parseVarDeclaration):
2899         (JSC::::parseVarDeclarationList):
2900         (JSC::::parseForStatement):
2901         (JSC::::parseBreakStatement):
2902         (JSC::::parseContinueStatement):
2903         (JSC::::parseReturnStatement):
2904         (JSC::::parseThrowStatement):
2905         (JSC::::parseWithStatement):
2906         (JSC::::parseTryStatement):
2907         (JSC::::parseBlockStatement):
2908         (JSC::::parseFunctionDeclaration):
2909         (JSC::LabelInfo::LabelInfo):
2910         (JSC::::parseExpressionOrLabelStatement):
2911         (JSC::::parseExpressionStatement):
2912         (JSC::::parseAssignmentExpression):
2913         (JSC::::parseBinaryExpression):
2914         (JSC::::parseProperty):
2915         (JSC::::parsePrimaryExpression):
2916         (JSC::::parseMemberExpression):
2917         (JSC::::parseUnaryExpression):
2918         - Use JSTextPosition instead of passing line and lineStart explicitly.
2919         * parser/Parser.h:
2920         (JSC::Parser::next):
2921         (JSC::Parser::nextExpectIdentifier):
2922         (JSC::Parser::getToken):
2923         (JSC::Parser::tokenStartPosition):
2924         (JSC::Parser::tokenEndPosition):
2925         (JSC::Parser::lastTokenEndPosition):
2926         (JSC::::parse):
2927         - Use JSTextPosition instead of passing line and lineStart explicitly.
2928         * parser/ParserTokens.h:
2929         (JSC::JSTextPosition::JSTextPosition):
2930         (JSC::JSTextPosition::operator+):
2931         (JSC::JSTextPosition::operator-):
2932         (JSC::JSTextPosition::operator int):
2933         - Added JSTextPosition.
2934         * parser/SyntaxChecker.h:
2935         (JSC::SyntaxChecker::makeFunctionCallNode):
2936         (JSC::SyntaxChecker::makeAssignNode):
2937         (JSC::SyntaxChecker::makePrefixNode):
2938         (JSC::SyntaxChecker::makePostfixNode):
2939         (JSC::SyntaxChecker::makeDeleteNode):
2940         (JSC::SyntaxChecker::createResolve):
2941         (JSC::SyntaxChecker::createBracketAccess):
2942         (JSC::SyntaxChecker::createDotAccess):
2943         (JSC::SyntaxChecker::createRegExp):
2944         (JSC::SyntaxChecker::createNewExpr):
2945         (JSC::SyntaxChecker::createAssignResolve):
2946         (JSC::SyntaxChecker::createForInLoop):
2947         (JSC::SyntaxChecker::createReturnStatement):
2948         (JSC::SyntaxChecker::createBreakStatement):
2949         (JSC::SyntaxChecker::createContinueStatement):
2950         (JSC::SyntaxChecker::createWithStatement):
2951         (JSC::SyntaxChecker::createLabelStatement):
2952         (JSC::SyntaxChecker::createThrowStatement):
2953         (JSC::SyntaxChecker::appendBinaryExpressionInfo):
2954         (JSC::SyntaxChecker::operatorStackPop):
2955         - Use JSTextPosition instead of passing line and lineStart explicitly.
2956
2957 2013-07-29  Carlos Garcia Campos  <cgarcia@igalia.com>
2958
2959         Unreviewed. Fix make distcheck.
2960
2961         * GNUmakefile.list.am: Add missing files to compilation.
2962         * bytecode/CodeBlock.cpp: Add a ENABLE(FTL_JIT) #if block to
2963         include FTL header files not included in the compilation.
2964         * dfg/DFGDriver.cpp: Ditto.
2965         * dfg/DFGPlan.cpp: Ditto.
2966
2967 2013-07-29  Chris Curtis  <chris_curtis@apple.com>
2968
2969         Eager stack trace for error objects.
2970         https://bugs.webkit.org/show_bug.cgi?id=118918
2971
2972         Reviewed by Geoffrey Garen.
2973         
2974         Chrome and Firefox give error objects the stack property and we wanted to match
2975         that functionality. This allows developers to see the stack without throwing an object.
2976
2977         * runtime/ErrorInstance.cpp:
2978         (JSC::ErrorInstance::finishCreation):
2979          For error objects that are not thrown as an exception, we pass the stackTrace in 
2980          as a parameter. This allows the error object to have the stack property.
2981         
2982         * interpreter/Interpreter.cpp:
2983         (JSC::stackTraceAsString):
2984         Helper function used to eliminate duplicate code.
2985
2986         (JSC::Interpreter::addStackTraceIfNecessary):
2987         When an error object is created by the user the vm->exceptionStack is not set.
2988         If the user throws this error object later the stack that is in the error object 
2989         may not be the correct stack for the throw, so when we set the vm->exception stack,
2990         the stack property on the error object is set as well.
2991         
2992         * runtime/ErrorConstructor.cpp:
2993         (JSC::constructWithErrorConstructor):
2994         (JSC::callErrorConstructor):
2995         * runtime/NativeErrorConstructor.cpp:
2996         (JSC::constructWithNativeErrorConstructor):
2997         (JSC::callNativeErrorConstructor):
2998         These functions indicate that the user created an error object. For all error objects 
2999         that the user explicitly creates, the topCallFrame is at a new frame created to 
3000         handle the user's call. In this case though, the error object needs the caller's 
3001         frame to create the stack trace correctly.
3002         
3003         * interpreter/Interpreter.h:
3004         * runtime/ErrorInstance.h:
3005         (JSC::ErrorInstance::create):
3006
3007 2013-07-29  Gavin Barraclough  <barraclough@apple.com>
3008
3009         Some cleanup in PropertySlot
3010         https://bugs.webkit.org/show_bug.cgi?id=119189
3011
3012         Reviewed by Geoff Garen.
3013
3014         PropertySlot represents a property in one of four states - value, getter, custom, or custom-index.
3015         The state is currently tracked redundantly by two mechanisms - the custom getter function (m_getValue)
3016         is set to a special value to indicate the type (other than custom), and the type is also tracked by
3017         an enum - but only if cacheable. Cacheability can typically be determined by the value of m_offset
3018         (this is invalidOffset if not cacheable).
3019
3020             * Internally, always track the type of the property using an enum value, PropertyType.
3021             * Use m_offset to indicate cacheable.
3022             * Keep the external interface (CachedPropertyType) unchanged.
3023             * Better pack data into the m_data union.
3024
3025         Performance neutral.
3026
3027         * dfg/DFGRepatch.cpp:
3028         (JSC::DFG::tryCacheGetByID):
3029         (JSC::DFG::tryBuildGetByIDList):
3030             - cachedPropertyType() -> isCacheable*()
3031         * jit/JITPropertyAccess.cpp:
3032         (JSC::JIT::privateCompileGetByIdProto):
3033         (JSC::JIT::privateCompileGetByIdSelfList):
3034         (JSC::JIT::privateCompileGetByIdProtoList):
3035         (JSC::JIT::privateCompileGetByIdChainList):
3036         (JSC::JIT::privateCompileGetByIdChain):
3037             - cachedPropertyType() -> isCacheable*()
3038         * jit/JITPropertyAccess32_64.cpp:
3039         (JSC::JIT::privateCompileGetByIdProto):
3040         (JSC::JIT::privateCompileGetByIdSelfList):
3041         (JSC::JIT::privateCompileGetByIdProtoList):
3042         (JSC::JIT::privateCompileGetByIdChainList):
3043         (JSC::JIT::privateCompileGetByIdChain):
3044             - cachedPropertyType() -> isCacheable*()
3045         * jit/JITStubs.cpp:
3046         (JSC::tryCacheGetByID):
3047             - cachedPropertyType() -> isCacheable*()
3048         * llint/LLIntSlowPaths.cpp:
3049         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3050             - cachedPropertyType() -> isCacheable*()
3051         * runtime/PropertySlot.cpp:
3052         (JSC::PropertySlot::functionGetter):
3053             - refactoring described above.
3054         * runtime/PropertySlot.h:
3055         (JSC::PropertySlot::PropertySlot):
3056         (JSC::PropertySlot::getValue):
3057         (JSC::PropertySlot::isCacheable):
3058         (JSC::PropertySlot::isCacheableValue):
3059         (JSC::PropertySlot::isCacheableGetter):
3060         (JSC::PropertySlot::isCacheableCustom):
3061         (JSC::PropertySlot::cachedOffset):
3062         (JSC::PropertySlot::customGetter):
3063         (JSC::PropertySlot::setValue):
3064         (JSC::PropertySlot::setCustom):
3065         (JSC::PropertySlot::setCacheableCustom):
3066         (JSC::PropertySlot::setCustomIndex):
3067         (JSC::PropertySlot::setGetterSlot):
3068         (JSC::PropertySlot::setCacheableGetterSlot):
3069         (JSC::PropertySlot::setUndefined):
3070         (JSC::PropertySlot::slotBase):
3071         (JSC::PropertySlot::setBase):
3072             - refactoring described above.
3073
3074 2013-07-28  Oliver Hunt  <oliver@apple.com>
3075
3076         REGRESSION: Crash when opening Facebook.com
3077         https://bugs.webkit.org/show_bug.cgi?id=119155
3078
3079         Reviewed by Andreas Kling.
3080
3081         Scope nodes are always objects, so we should be using SpecObjectOther
3082         rather than SpecCellOther.  Marking Scopes as CellOther leads to a
3083         contradiction in the CFA, resulting in bogus codegen.
3084
3085         * dfg/DFGAbstractInterpreterInlines.h:
3086         (JSC::DFG::::executeEffects):
3087         * dfg/DFGPredictionPropagationPhase.cpp:
3088         (JSC::DFG::PredictionPropagationPhase::propagate):
3089
3090 2013-07-26  Oliver Hunt  <oliver@apple.com>
3091
3092         REGRESSION(FTL?): Crashes in plugin tests
3093         https://bugs.webkit.org/show_bug.cgi?id=119141
3094
3095         Reviewed by Michael Saboff.
3096
3097         Re-export getStackTrace
3098
3099         * interpreter/Interpreter.h:
3100
3101 2013-07-26  Filip Pizlo  <fpizlo@apple.com>
3102
3103         REGRESSION: Crash when opening a message on Gmail
3104         https://bugs.webkit.org/show_bug.cgi?id=119105
3105
3106         Reviewed by Oliver Hunt and Mark Hahnenberg.
3107         
3108         - GetById patching in the DFG needs to be more disciplined about how it derives the
3109           slow path.
3110         
3111         - Fix some dumping code thread safety issues.
3112
3113         * bytecode/CallLinkStatus.cpp:
3114         (JSC::CallLinkStatus::dump):
3115         * bytecode/CodeBlock.cpp:
3116         (JSC::CodeBlock::dumpBytecode):
3117         * dfg/DFGRepatch.cpp:
3118         (JSC::DFG::getPolymorphicStructureList):
3119         (JSC::DFG::tryBuildGetByIDList):
3120
3121 2013-07-26  Balazs Kilvady  <kilvadyb@homejinni.com>
3122
3123         [mips] Fix LLINT build for mips backend
3124         https://bugs.webkit.org/show_bug.cgi?id=119152
3125
3126         Reviewed by Oliver Hunt.
3127
3128         * offlineasm/mips.rb:
3129
3130 2013-07-19  Mark Hahnenberg  <mhahnenberg@apple.com>
3131
3132         Setting a large numeric property on an object causes it to allocate a huge backing store
3133         https://bugs.webkit.org/show_bug.cgi?id=118914
3134
3135         Reviewed by Geoffrey Garen.
3136
3137         There are two distinct actions that we're trying to optimize for:
3138
3139         new Array(100000);
3140
3141         and:
3142
3143         a = [];
3144         a[100000] = 42;
3145         
3146         In the first case, the programmer has indicated that they expect this Array to be very big, 
3147         so they should get a contiguous array up until some threshold, above which we perform density 
3148         calculations to see if it is indeed dense enough to warrant being contiguous.
3149         
3150         In the second case, the programmer hasn't indicated anything about the size of the Array, so 
3151         we should be more conservative and assume it should be sparse until we've proven otherwise.
3152         
3153         Currently both of those cases are handled by MIN_SPARSE_ARRAY_INDEX. We should distinguish 
3154         between them for the purposes of not over-allocating large backing stores like we see on 
3155         http://www.peekanalytics.com/burgerjoints/
3156         
3157         The way that we'll do this is to keep the MIN_SPARSE_ARRAY_INDEX for the first case, and 
3158         introduce a new heuristic for the second case. If we are putting to an index above a certain 
3159         threshold (say, 1000) and it is beyond the length of the array, then we will use a sparse 
3160         map instead. So for example, in the second case above the empty array has a blank indexing 
3161         type and a length of 0. We put-by-val to an index > 1000 and > a.length, so we'll use a sparse map.
3162
3163         This fix is ~800x speedup on the accompanying regression test :-o
3164
3165         * runtime/ArrayConventions.h:
3166         (JSC::indexIsSufficientlyBeyondLengthForSparseMap):
3167         * runtime/JSObject.cpp:
3168         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
3169         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
3170         (JSC::JSObject::putByIndexBeyondVectorLength):
3171         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
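
As an added illustration of the heuristic this entry describes (this is not JavaScriptCore's code; the threshold constant, the ModelArray class and compareBackingStores are assumptions written for this example), a JavaScript model of choosing between contiguous and sparse storage on put-by-val, with the backing-store size of both policies side by side:

```javascript
// Added illustration, not JavaScriptCore code: a model of the put-by-val
// heuristic the ChangeLog entry describes. Names and the threshold are assumptions.
const SPARSE_BEYOND_LENGTH_THRESHOLD = 1000; // assumption: "say, 1000" in the entry

// Model of the heuristic: an index both above the threshold and beyond the
// array's current length goes to a sparse map instead of the contiguous vector.
function indexIsSufficientlyBeyondLengthForSparseMap(length, index) {
  return index > SPARSE_BEYOND_LENGTH_THRESHOLD && index > length;
}

// A toy array with two backing stores: a contiguous vector and a sparse map.
// useHeuristic=false models growing the vector for every out-of-range index,
// which is the over-allocation the entry is about.
class ModelArray {
  constructor(useHeuristic) {
    this.useHeuristic = useHeuristic;
    this.length = 0;
    this.vector = [];            // contiguous storage
    this.sparseMap = new Map();  // sparse storage keyed by index
  }

  putByVal(index, value) {
    if (this.useHeuristic && indexIsSufficientlyBeyondLengthForSparseMap(this.length, index)) {
      this.sparseMap.set(index, value);
    } else {
      // Grow the contiguous vector until it covers the index.
      while (this.vector.length <= index) this.vector.push(undefined);
      this.vector[index] = value;
    }
    if (index >= this.length) this.length = index + 1;
  }

  getByVal(index) {
    return this.sparseMap.has(index) ? this.sparseMap.get(index) : this.vector[index];
  }

  // Number of slots actually backing the array (vector slots plus map entries).
  backingStoreSlots() {
    return this.vector.length + this.sparseMap.size;
  }
}

// Compare both policies on the entry's second pattern: a = []; a[100000] = 42.
function compareBackingStores(index = 100000, value = 42) {
  const withHeuristic = new ModelArray(true);
  const withoutHeuristic = new ModelArray(false);
  withHeuristic.putByVal(index, value);
  withoutHeuristic.putByVal(index, value);
  return {
    withHeuristic: withHeuristic.backingStoreSlots(),        // 1
    withoutHeuristic: withoutHeuristic.backingStoreSlots(),  // 100001
    sameValue: withHeuristic.getByVal(index) === withoutHeuristic.getByVal(index),
  };
}
```

The observable semantics (a[100000] reads back as 42 and length becomes 100001) are identical under both policies; only the memory footprint differs, which is why a single out-of-range store from untrusted input is a resource-exhaustion concern for an engine without the second heuristic.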
3172
3173 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
3174
3175         REGRESSION(FTL): Fix lots of crashes in sh4 baseline JIT.
3176         https://bugs.webkit.org/show_bug.cgi?id=119148
3177
3178         Reviewed by Csaba Osztrogonác.
3179
3180         * jit/JSInterfaceJIT.h: "secondArgumentRegister" is wrong for sh4.
3181         * llint/LowLevelInterpreter32_64.asm: "move t0, a0" is missing
3182         in nativeCallTrampoline for sh4. Reuse MIPS implementation to avoid
3183         code duplication.
3184
3185 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
3186
3187         REGRESSION(FTL): Crash in sh4 baseline JIT.
3188         https://bugs.webkit.org/show_bug.cgi?id=119138
3189
3190         Reviewed by Csaba Osztrogonác.
3191
3192         This crash is due to incomplete report of r150146 and r148474.
3193
3194         * jit/JITStubsSH4.h:
3195
3196 2013-07-26  Zan Dobersek  <zdobersek@igalia.com>
3197
3198         Unreviewed.
3199
3200         * Target.pri: Adding missing DFG files to the Qt build.
3201
3202 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3203
3204         GTK and Qt buildfix after the intrusive win buildfix r153360.
3205
3206         * GNUmakefile.list.am:
3207         * Target.pri:
3208
3209 2013-07-25  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
3210
3211         Unreviewed, fix build break after r153360.
3212
3213         * CMakeLists.txt: Add CommonSlowPathsExceptions.cpp.
3214
3215 2013-07-25  Roger Fong  <roger_fong@apple.com>
3216
3217         Unreviewed build fix, AppleWin port.
3218
3219         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3220         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3221         * JavaScriptCore.vcxproj/copy-files.cmd:
3222
3223 2013-07-25  Roger Fong  <roger_fong@apple.com>
3224
3225         Unreviewed. Followup to r153360.
3226
3227         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3228         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3229
3230 2013-07-25  Michael Saboff  <msaboff@apple.com>
3231
3232         [Windows] Speculative build fix.
3233
3234         Moved interpreterThrowInCaller() out of LLIntExceptions.cpp into new CommonSlowPathsExceptions.cpp
3235         that is always compiled.  Made LLInt::returnToThrow() conditional on LLINT being enabled.
3236
3237         * JavaScriptCore.xcodeproj/project.pbxproj:
3238         * llint/LLIntExceptions.cpp:
3239         * llint/LLIntExceptions.h:
3240         * llint/LLIntSlowPaths.cpp:
3241         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3242         * runtime/CommonSlowPaths.cpp:
3243         (JSC::SLOW_PATH_DECL):
3244         * runtime/CommonSlowPathsExceptions.cpp: Added.
3245         (JSC::CommonSlowPaths::interpreterThrowInCaller):
3246         * runtime/CommonSlowPathsExceptions.h: Added.
3247
3248 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
3249
3250         [Windows] Unreviewed build fix.
3251
3252         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing IntendedStructureChange.h,.cpp and
3253         parser/SourceCode.h,.cpp.
3254         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
3255
3256 2013-07-25  Anders Carlsson  <andersca@apple.com>
3257
3258         ASSERT(m_vm->apiLock().currentThreadIsHoldingLock()); fails for Safari on current ToT
3259         https://bugs.webkit.org/show_bug.cgi?id=119108
3260
3261         Reviewed by Mark Hahnenberg.
3262
3263         Add a currentThreadIsHoldingAPILock() function to VM that checks if the current thread is the exclusive API thread.
3264
3265         * heap/CopiedSpace.cpp:
3266         (JSC::CopiedSpace::tryAllocateSlowCase):
3267         * heap/Heap.cpp:
3268         (JSC::Heap::protect):
3269         (JSC::Heap::unprotect):
3270         (JSC::Heap::collect):
3271         * heap/MarkedAllocator.cpp:
3272         (JSC::MarkedAllocator::allocateSlowCase):
3273         * runtime/JSGlobalObject.cpp:
3274         (JSC::JSGlobalObject::init):
3275         * runtime/VM.h:
3276         (JSC::VM::currentThreadIsHoldingAPILock):
3277
3278 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3279
3280         REGRESSION(FTL): Most layout tests crash
3281         https://bugs.webkit.org/show_bug.cgi?id=119089
3282
3283         Reviewed by Oliver Hunt.
3284
3285         * runtime/ExecutionHarness.h:
3286         (JSC::prepareForExecution): Move prepareForExecutionImpl call into its own statement. This prevents the GCC-compiled
3287         code from creating the PassOwnPtr<JSC::JITCode> (intended as a parameter to the installOptimizedCode call) from the jitCode
3288         RefPtr<JSC::JITCode> parameter before the latter was actually given a proper value through the prepareForExecutionImpl call.
3289         Currently it's created beforehand and therefore holds a null pointer before it's anchored as the JIT code in
3290         JSC::CodeBlock::setJITCode, which later indirectly causes assertions in JSC::CodeBlock::jitCompile.
3291         (JSC::prepareFunctionForExecution): Ditto for prepareFunctionForExecutionImpl.
3292
3293 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
3294
3295         [Windows] Unreviewed build fix.
3296
3297         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Add missing 'ftl'
3298         include path.
3299
3300 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
3301
3302         [Windows] Unreviewed build fix.
3303
3304         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add some missing files:
3305         runtime/VM.h,.cpp; Remove deleted JSGlobalData.h,.cpp.
3306         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
3307
3308 2013-07-25  Oliver Hunt  <oliver@apple.com>
3309
3310         Make all jit & non-jit combos build cleanly
3311         https://bugs.webkit.org/show_bug.cgi?id=119102
3312
3313         Reviewed by Anders Carlsson.
3314
3315         * bytecode/CodeBlock.cpp:
3316         (JSC::CodeBlock::counterValueForOptimizeSoon):
3317         * bytecode/CodeBlock.h:
3318         (JSC::CodeBlock::optimizeAfterWarmUp):
3319         (JSC::CodeBlock::numberOfDFGCompiles):
3320
3321 2013-07-25  Oliver Hunt  <oliver@apple.com>
3322
3323         32 bit portion of load validation logic
3324         https://bugs.webkit.org/show_bug.cgi?id=118878
3325
3326         Reviewed by NOBODY (Build fix).
3327
3328         * dfg/DFGSpeculativeJIT32_64.cpp:
3329         (JSC::DFG::SpeculativeJIT::compile):
3330
3331 2013-07-25  Oliver Hunt  <oliver@apple.com>
3332
3333         More 32bit build fixes
3334
3335         - Apparently some compilers don't track the fastcall directive everywhere we expect
3336
3337         * API/APICallbackFunction.h:
3338         (JSC::APICallbackFunction::call):
3339         * bytecode/CodeBlock.cpp:
3340         * runtime/Structure.cpp:
3341
3342 2013-07-25  Yi Shen  <max.hong.shen@gmail.com>
3343
3344         Optimize the thread locks for API Shims
3345         https://bugs.webkit.org/show_bug.cgi?id=118573
3346
3347         Reviewed by Geoffrey Garen.
3348
3349         Remove the thread lock from API Shims if the VM has an exclusive thread (e.g. the VM 
3350         only used by WebCore's main thread).
3351
3352         * API/APIShims.h:
3353         (JSC::APIEntryShim::APIEntryShim):
3354         (JSC::APICallbackShim::APICallbackShim):
3355         * runtime/JSLock.cpp:
3356         (JSC::JSLockHolder::JSLockHolder):
3357         (JSC::JSLockHolder::init):
3358         (JSC::JSLockHolder::~JSLockHolder):
3359         (JSC::JSLock::DropAllLocks::DropAllLocks):
3360         (JSC::JSLock::DropAllLocks::~DropAllLocks):
3361         * runtime/VM.cpp:
3362         (JSC::VM::VM):
3363         * runtime/VM.h:
3364
3365 2013-07-25  Christophe Dumez  <ch.dumez@sisa.samsung.com>
3366
3367         Unreviewed build fix after r153218.
3368
3369         Broke the EFL port build with gcc 4.7.
3370
3371         * interpreter/StackIterator.cpp:
3372         (JSC::printif):
3373
3374 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
3375
3376         Build fix: add missing #include.
3377         https://bugs.webkit.org/show_bug.cgi?id=119087
3378
3379         Reviewed by Allan Sandfeld Jensen.
3380
3381         * bytecode/ArrayProfile.cpp:
3382
3383 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
3384
3385         Unreviewed, build fix on the EFL port.
3386
3387         * CMakeLists.txt: Added JSCTestRunnerUtils.cpp.
3388
3389 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
3390
3391         [sh4] Add missing store8(TrustedImm32, void*) implementation in baseline JIT.
3392         https://bugs.webkit.org/show_bug.cgi?id=119083
3393
3394         Reviewed by Allan Sandfeld Jensen.
3395
3396         * assembler/MacroAssemblerSH4.h:
3397         (JSC::MacroAssemblerSH4::store8):
3398
3399 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
3400
3401         [Qt] Fix test build after FTL upstream
3402
3403         Unreviewed build fix.
3404
3405         * Target.pri:
3406
3407 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
3408
3409         [Qt] Build fix after FTL.
3410
3411         Unreviewed build fix.
3412
3413         * Target.pri:
3414         * interpreter/StackIterator.cpp:
3415         (JSC::StackIterator::Frame::print):
3416
3417 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
3418
3419         Unreviewed build fix after FTL upstream.
3420
3421         * dfg/DFGWorklist.cpp:
3422         (JSC::DFG::Worklist::~Worklist):
3423
3424 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
3425
3426         Unreviewed, build fix on the EFL port.
3427
3428         * CMakeLists.txt:
3429         Added SourceCode.cpp and removed BlackBerry file.
3430         * jit/JITCode.h:
3431         (JSC::JITCode::nextTierJIT):
3432         Fixed build break because of -Werror=return-type
3433         * parser/Lexer.cpp: Includes JSFunctionInlines.h
3434         * runtime/JSScope.h:
3435         (JSC::makeType):
3436         Fixed build break because of -Werror=return-type
3437
3438 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
3439
3440         Unreviewed build fixing after FTL upstream.
3441
3442         * runtime/Executable.cpp:
3443         (JSC::FunctionExecutable::produceCodeBlockFor):
3444
3445 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
3446
3447         Add missing implementation of bxxxnz in sh4 LLINT.
3448         https://bugs.webkit.org/show_bug.cgi?id=119079
3449
3450         Reviewed by Allan Sandfeld Jensen.
3451
3452         * offlineasm/sh4.rb:
3453
3454 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
3455
3456         Unreviewed, build fix on the Qt port.
3457
3458         * Target.pri: Add additional build files for the FTL.
3459
3460 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
3461
3462         Unreviewed buildfix after FTL upstream.
3463
3464         * interpreter/StackIterator.cpp:
3465         (JSC::StackIterator::Frame::codeType):
3466         (JSC::StackIterator::Frame::functionName):
3467         (JSC::StackIterator::Frame::sourceURL):
3468         (JSC::StackIterator::Frame::logicalFrame):
3469
3470 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3471
3472         Unreviewed.
3473
3474         * heap/CopyVisitor.cpp: Include CopiedSpaceInlines header so the CopiedSpace::recycleEvacuatedBlock
3475         method is not left undefined, causing build failures on (at least) the GTK port.
3476
3477 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3478
3479         Unreviewed, further build fixing on the GTK port.
3480
3481         * GNUmakefile.list.am: Add CompilationResult source files to the build.
3482
3483 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3484
3485         Unreviewed GTK build fixing.
3486
3487         * GNUmakefile.am: Make the shared libjsc library depend on any changes to the build target list.
3488         * GNUmakefile.list.am: Add additional build targets for files that were introduced by the FTL branch merge.
3489
3490 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3491
3492         Buildfix after this error:
3493         error: 'pathName' may be used uninitialized in this function [-Werror=uninitialized]
3494
3495         * dfg/DFGPlan.cpp:
3496         (JSC::DFG::Plan::compileInThread):
3497
3498 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3499
3500         One more buildfix after FTL upstream.
3501
3502         Return a dummy value after RELEASE_ASSERT_NOT_REACHED() to make GCC happy.
3503
3504         * dfg/DFGLazyJSValue.cpp:
3505         (JSC::DFG::LazyJSValue::getValue):
3506         (JSC::DFG::LazyJSValue::strictEqual):
3507
3508 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
3509
3510         Fix "Unhandled opcode localAnnotation" build error in sh4 and mips LLINT.
3511         https://bugs.webkit.org/show_bug.cgi?id=119076
3512
3513         Reviewed by Allan Sandfeld Jensen.
3514
3515         * offlineasm/mips.rb:
3516         * offlineasm/sh4.rb:
3517
3518 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3519
3520         Unreviewed GTK build fix.
3521
3522         * GNUmakefile.list.am: Adding JSCTestRunnerUtils files to the build.
3523
3524 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3525
3526         Unreviewed. Further build fixing for the GTK port. Adding the forwarding header
3527         for JSCTestRunnerUtils.h as required by the DumpRenderTree compilation.
3528
3529         * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h: Added.
3530
3531 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3532
3533         Unreviewed. Fixing the GTK build after the FTL merging by updating the build targets list.
3534
3535         * GNUmakefile.am:
3536         * GNUmakefile.list.am:
3537
3538 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
3539
3540         Unreviewed buildfix after FTL upstream.
3541
3542         * runtime/JSScope.h:
3543         (JSC::needsVarInjectionChecks):
3544
3545 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3546
3547         One more fix after FTL upstream.
3548
3549         * Target.pri:
3550         * bytecode/CodeBlock.h:
3551         * bytecode/GetByIdStatus.h:
3552         (JSC::GetByIdStatus::GetByIdStatus):
3553
3554 2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>
3555
3556         Unreviewed buildfix after FTL upstream.
3557
3558         Add ftl directory as include path.
3559
3560         * CMakeLists.txt:
3561         * JavaScriptCore.pri:
3562
3563 2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>
3564
3565         Unreviewed buildfix after FTL upstream for non C++11 builds.
3566
3567         * interpreter/CallFrame.h:
3568         * interpreter/StackIteratorPrivate.h:
3569         (JSC::StackIterator::end):
3570
3571 2013-07-24  Oliver Hunt  <oliver@apple.com>
3572
3573         Endeavour to fix CMakelist builds
3574
3575         * CMakeLists.txt:
3576
3577 2013-07-24  Filip Pizlo  <fpizlo@apple.com>
3578
3579         fourthTier: DFG IR dumps should be easier to read
3580         https://bugs.webkit.org/show_bug.cgi?id=119050
3581
3582         Reviewed by Mark Hahnenberg.
3583         
3584         Added a DumpContext that includes support for printing an endnote
3585         that describes all structures in full, while the main flow of the
3586         dump just uses made-up names for the structures. This is helpful
3587         since Structure::dump() may print a lot. The stuff it prints is
3588         useful, but if it's all inline with the surrounding thing you're
3589         dumping (often, a node in the DFG), then you get a ridiculously
3590         long print-out. All classes that dump structures (including
3591         Structure itself) now have dumpInContext() methods that use
3592         inContext() for dumping anything that might transitively print a
3593         structure. If Structure::dumpInContext() is called with a NULL
3594         context, it just uses dump() like before. Hence you don't have to
3595         know anything about DumpContext unless you want to.
3596         
3597         inContext(*structure, context) dumps something like %B4:Array,
3598         and the endnote will have something like:
3599         
3600             %B4:Array    = 0x10e91a180:[Array, {Edge:100, Normal:101, Line:102, NumPx:103, LastPx:104}, ArrayWithContiguous, Proto:0x10e99ffe0]
3601         
3602         where B4 is the inferred name that StringHashDumpContext came up
3603         with.
3604         
3605         Also shortened a bunch of other dumps, removing information that
3606         isn't so important.
3607         
3608         * JavaScriptCore.xcodeproj/project.pbxproj:
3609         * bytecode/ArrayProfile.cpp:
3610         (JSC::dumpArrayModes):
3611         * bytecode/CodeBlockHash.cpp:
3612         (JSC):
3613         (JSC::CodeBlockHash::CodeBlockHash):
3614         (JSC::CodeBlockHash::dump):
3615         * bytecode/CodeOrigin.cpp:
3616         (JSC::CodeOrigin::dumpInContext):
3617         (JSC):
3618         (JSC::InlineCallFrame::dumpInContext):
3619         (JSC::InlineCallFrame::dump):
3620         * bytecode/CodeOrigin.h:
3621         (CodeOrigin):
3622         (InlineCallFrame):
3623         * bytecode/Operands.h:
3624         (JSC::OperandValueTraits::isEmptyForDump):
3625         (Operands):
3626         (JSC::Operands::dump):
3627         (JSC):
3628         * bytecode/OperandsInlines.h: Added.
3629         (JSC):
3630         (JSC::::dumpInContext):
3631         * bytecode/StructureSet.h:
3632         (JSC::StructureSet::dumpInContext):
3633         (JSC::StructureSet::dump):
3634         (StructureSet):
3635         * dfg/DFGAbstractValue.cpp:
3636         (JSC::DFG::AbstractValue::dump):
3637         (DFG):
3638         (JSC::DFG::AbstractValue::dumpInContext):
3639         * dfg/DFGAbstractValue.h:
3640         (JSC::DFG::AbstractValue::operator!):
3641         (AbstractValue):
3642         * dfg/DFGCFAPhase.cpp:
3643         (JSC::DFG::CFAPhase::performBlockCFA):
3644         * dfg/DFGCommon.cpp:
3645         * dfg/DFGCommon.h:
3646         (JSC::DFG::NodePointerTraits::isEmptyForDump):
3647         * dfg/DFGDisassembler.cpp:
3648         (JSC::DFG::Disassembler::createDumpList):
3649         * dfg/DFGDisassembler.h:
3650         (Disassembler):
3651         * dfg/DFGFlushFormat.h:
3652         (WTF::inContext):
3653         (WTF):
3654         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
3655         * dfg/DFGGraph.cpp:
3656         (JSC::DFG::Graph::dumpCodeOrigin):
3657         (JSC::DFG::Graph::dump):
3658         (JSC::DFG::Graph::dumpBlockHeader):
3659         * dfg/DFGGraph.h:
3660         (Graph):
3661         * dfg/DFGLazyJSValue.cpp:
3662         (JSC::DFG::LazyJSValue::dumpInContext):
3663         (JSC::DFG::LazyJSValue::dump):
3664         (DFG):
3665         * dfg/DFGLazyJSValue.h:
3666         (LazyJSValue):
3667         * dfg/DFGNode.h:
3668         (JSC::DFG::nodeMapDump):
3669         (WTF::inContext):
3670         (WTF):
3671         * dfg/DFGOSRExitCompiler32_64.cpp:
3672         (JSC::DFG::OSRExitCompiler::compileExit):
3673         * dfg/DFGOSRExitCompiler64.cpp:
3674         (JSC::DFG::OSRExitCompiler::compileExit):
3675         * dfg/DFGStructureAbstractValue.h:
3676         (JSC::DFG::StructureAbstractValue::dumpInContext):
3677         (JSC::DFG::StructureAbstractValue::dump):
3678         (StructureAbstractValue):
3679         * ftl/FTLExitValue.cpp:
3680         (JSC::FTL::ExitValue::dumpInContext):
3681         (JSC::FTL::ExitValue::dump):
3682         (FTL):
3683         * ftl/FTLExitValue.h:
3684         (ExitValue):
3685         * ftl/FTLLowerDFGToLLVM.cpp:
3686         * ftl/FTLValueSource.cpp:
3687         (JSC::FTL::ValueSource::dumpInContext):
3688         (FTL):
3689         * ftl/FTLValueSource.h:
3690         (ValueSource):
3691         * runtime/DumpContext.cpp: Added.
3692         (JSC):
3693         (JSC::DumpContext::DumpContext):
3694         (JSC::DumpContext::~DumpContext):
3695         (JSC::DumpContext::isEmpty):
3696         (JSC::DumpContext::dump):
3697         * runtime/DumpContext.h: Added.
3698         (JSC):
3699         (DumpContext):
3700         * runtime/JSCJSValue.cpp:
3701         (JSC::JSValue::dump):
3702         (JSC):
3703         (JSC::JSValue::dumpInContext):
3704         * runtime/JSCJSValue.h:
3705         (JSC):
3706         (JSValue):
3707         * runtime/Structure.cpp:
3708         (JSC::Structure::dumpInContext):
3709         (JSC):
3710         (JSC::Structure::dumpBrief):
3711         (JSC::Structure::dumpContextHeader):
3712         * runtime/Structure.h:
3713         (JSC):
3714         (Structure):
3715
3716 2013-07-22  Filip Pizlo  <fpizlo@apple.com>
3717
3718         fourthTier: DFG should do a high-level LICM before going to FTL
3719         https://bugs.webkit.org/show_bug.cgi?id=118749
3720
3721         Reviewed by Oliver Hunt.
3722         
3723         Implements LICM hoisting for nodes that never write anything and never read
3724         things that are clobbered by the loop. There are some other preconditions for
3725         hoisting, see DFGLICMPhase.cpp.
3726
3727         Also did a few fixes:
3728         
3729         - ClobberSet::add was failing to switch Super entries to Direct entries in
3730           some cases.
3731         
3732         - DFGClobberize.cpp needed to #include "Operations.h".
3733         
3734         - DCEPhase needs to process the graph in reverse DFS order, when we're in SSA.
3735         
3736         - AbstractInterpreter can now execute a Node without knowing its indexInBlock.
3737           Knowing the indexInBlock is an optional optimization that all other clients
3738           of AI still opt into, but LICM doesn't.
3739         
3740         This makes the FTL a 2.19x speed-up on imaging-gaussian-blur.
3741
3742         * JavaScriptCore.xcodeproj/project.pbxproj:
3743         * dfg/DFGAbstractInterpreter.h:
3744         (AbstractInterpreter):
3745         * dfg/DFGAbstractInterpreterInlines.h:
3746         (JSC::DFG::::executeEffects):
3747         (JSC::DFG::::execute):
3748         (DFG):
3749         (JSC::DFG::::clobberWorld):
3750         (JSC::DFG::::clobberStructures):
3751         * dfg/DFGAtTailAbstractState.cpp: Added.
3752         (DFG):
3753         (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
3754         (JSC::DFG::AtTailAbstractState::~AtTailAbstractState):
3755         (JSC::DFG::AtTailAbstractState::createValueForNode):
3756         (JSC::DFG::AtTailAbstractState::forNode):
3757         * dfg/DFGAtTailAbstractState.h: Added.
3758         (DFG):
3759         (AtTailAbstractState):
3760         (JSC::DFG::AtTailAbstractState::initializeTo):
3761         (JSC::DFG::AtTailAbstractState::forNode):
3762         (JSC::DFG::AtTailAbstractState::variables):
3763         (JSC::DFG::AtTailAbstractState::block):
3764         (JSC::DFG::AtTailAbstractState::isValid):
3765         (JSC::DFG::AtTailAbstractState::setDidClobber):
3766         (JSC::DFG::AtTailAbstractState::setIsValid):
3767         (JSC::DFG::AtTailAbstractState::setBranchDirection):
3768         (JSC::DFG::AtTailAbstractState::setFoundConstants):
3769         (JSC::DFG::AtTailAbstractState::haveStructures):
3770         (JSC::DFG::AtTailAbstractState::setHaveStructures):
3771         * dfg/DFGBasicBlock.h:
3772         (JSC::DFG::BasicBlock::insertBeforeLast):
3773         * dfg/DFGBasicBlockInlines.h:
3774         (DFG):
3775         * dfg/DFGClobberSet.cpp:
3776         (JSC::DFG::ClobberSet::add):
3777         (JSC::DFG::ClobberSet::addAll):
3778         * dfg/DFGClobberize.cpp:
3779         (JSC::DFG::doesWrites):
3780         * dfg/DFGClobberize.h:
3781         (DFG):
3782         * dfg/DFGDCEPhase.cpp:
3783         (JSC::DFG::DCEPhase::DCEPhase):
3784         (JSC::DFG::DCEPhase::run):
3785         (JSC::DFG::DCEPhase::fixupBlock):
3786         (DCEPhase):
3787         * dfg/DFGEdgeDominates.h: Added.
3788         (DFG):
3789         (EdgeDominates):
3790         (JSC::DFG::EdgeDominates::EdgeDominates):
3791         (JSC::DFG::EdgeDominates::operator()):
3792         (JSC::DFG::EdgeDominates::result):
3793         (JSC::DFG::edgesDominate):
3794         * dfg/DFGFixupPhase.cpp:
3795         (JSC::DFG::FixupPhase::fixupNode):
3796         (JSC::DFG::FixupPhase::checkArray):
3797         * dfg/DFGLICMPhase.cpp: Added.
3798         (LICMPhase):
3799         (JSC::DFG::LICMPhase::LICMPhase):
3800         (JSC::DFG::LICMPhase::run):
3801         (JSC::DFG::LICMPhase::attemptHoist):
3802         (DFG):
3803         (JSC::DFG::performLICM):
3804         * dfg/DFGLICMPhase.h: Added.
3805         (DFG):
3806         * dfg/DFGPlan.cpp:
3807         (JSC::DFG::Plan::compileInThreadImpl):
3808
3809 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
3810
3811         fourthTier: DFG Nodes should be able to abstractly tell you what they read and what they write
3812         https://bugs.webkit.org/show_bug.cgi?id=118910
3813
3814         Reviewed by Sam Weinig.
3815         
3816         Add the notion of AbstractHeap to the DFG. This is analogous to the AbstractHeap in
3817         the FTL, except that the FTL's AbstractHeaps are used during LLVM lowering and are
3818         engineered to obey LLVM TBAA logic. The FTL's AbstractHeaps are also engineered to
3819         be inexpensive to use (they just give you a TBAA node) but expensive to create (you
3820         create them all up front). FTL AbstractHeaps also don't actually give you the
3821         ability to reason about aliasing; they are *just* a mechanism for lowering to TBAA.
3822         The DFG's AbstractHeaps are engineered to be both cheap to create and cheap to use.
3823         They also give you aliasing machinery. The DFG AbstractHeaps are represented
3824         internally by an int64_t. Many comparisons between them are just integer comparisons.
3825         AbstractHeaps form a three-level hierarchy (World is the supertype of everything,
3826         Kind with a TOP payload is a direct subtype of World, and Kind with a non-TOP
3827         payload is the direct subtype of its corresponding TOP Kind).
3828         
3829         Add the notion of a ClobberSet. This is the set of AbstractHeaps that you had
3830         clobbered. It represents the set that results from unifying a bunch of
3831         AbstractHeaps, and is intended to quickly answer overlap questions: does the given
3832         AbstractHeap overlap any AbstractHeap in the ClobberSet? To this end, if you add an
3833         AbstractHeap to a set, it "directly" adds the heap itself, and "super" adds all of
3834         its ancestors. An AbstractHeap is said to overlap a set if any direct or super
3835         member is equal to it, or if any of its ancestors are equal to a direct member.
3836         
3837         Example #1:
3838         
3839             - I add Variables(5). I.e. Variables is the Kind and 5 is the payload. This
3840               is a subtype of Variables, which is a subtype of World.
3841             - You query Variables. I.e. Variables with a TOP payload, which is the
3842               supertype of Variables(X) for any X, and a subtype of World.
3843             
3844             The set will have Variables(5) as a direct member, and Variables and World as
3845             super members. The Variables query will immediately return true, because
3846             Variables is indeed a super member.
3847         
3848         Example #2:
3849         
3850             - I add Variables(5)
3851             - You query NamedProperties
3852             
3853             NamedProperties is not a member at all (neither direct nor super). We next
3854             query World. World is a member, but it's a super member, so we return false.
3855         
3856         Example #3:
3857         
3858             - I add Variables
3859             - You query Variables(5)
3860             
3861             The set will have Variables as a direct member, and World as a super member.
3862             The Variables(5) query will not find Variables(5) in the set, but then it
3863             will query Variables. Variables is a direct member, so we return true.
3864         
3865         Example #4:
3866         
3867             - I add Variables
3868             - You query NamedProperties(5)
3869             
3870             Neither NamedProperties nor NamedProperties(5) is a member. We next query
3871             World. World is a member, but it's a super member, so we return false.
3872         
3873         Overlap queries require that either the heap being queried is in the set (either
3874         direct or super), or that one of its ancestors is a direct member. Another way to
3875         think about how this works is that two heaps A and B are said to overlap if
3876         A.isSubtypeOf(B) or B.isSubtypeOf(A). This is sound since heaps form a
3877         single-inheritance hierarchy. Consider that we wanted to implement a set that holds
3878         heaps and answers the question, "is any member in the set an ancestor (i.e.
3879         supertype) of some other heap". We would have the set contain the heaps themselves,
3880         and we would satisfy the query "A.isSubtypeOfAny(set)" by walking the ancestor
3881         chain of A, and repeatedly querying its membership in the set. This is what the
3882         "direct" members of our set do. Now consider the other part, where we want to ask if
3883         any member of the set is a descendant of a heap, or "A.isSupertypeOfAny(set)". We
3884         would implement this by implementing set.add(B) as adding not just B but also all of
3885         B's ancestors; then we would answer A.isSupertypeOfAny(set) by just checking if A is
3886         in the set. With two such sets - one that answers isSubtypeOfAny() and another that
3887         answers isSupertypeOfAny() - we could answer the "do any of my heaps overlap your
3888         heap" question. ClobberSet does this, but combines the two sets into a single
3889         HashMap. The HashMap's value, "direct", means that the key is a member of both the
3890         supertype set and the subtype set; if it's false then it's only a member of one of
3891         them.
3892         
3893         Finally, this adds a functorized clobberize() method that adds the read and write
3894         clobbers of a DFG::Node to read and write functors. Common functors for adding to
3895         ClobberSets, querying overlap, and doing nothing are provided. Convenient wrappers
3896         are also provided. This allows you to say things like:
3897         
3898             ClobberSet set;
3899             addWrites(graph, node1, set);
3900             if (readsOverlap(graph, node2, set))
3901                 // We know that node1 may write to something that node2 may read from.
3902         
3903         Currently this facility is only used to improve graph dumping, but it will be
3904         instrumental in both LICM and GVN. In the future, I want to completely kill the
3905         NodeClobbersWorld and NodeMightClobber flags, and eradicate CSEPhase's hackish way
3906         of accomplishing almost exactly what AbstractHeap gives you.
3907
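As an added example (not WebKit's code), the ClobberSet membership and overlap rules described in this entry, including the super-to-direct promotion on add that the 2013-07-22 entry above notes was fixed. The Kind names and the Kind/payload hierarchy follow the entry; AbstractHeap::top/of, isWorld, the exampleN and promotion functions are names made up for this example, and the tuple ordering stands in for the int64_t encoding the entry describes.

```cpp
// Added example (not WebKit's code): a small model of the DFG AbstractHeap
// hierarchy and the ClobberSet overlap query described in this entry. Kind
// names and the Kind/payload layout follow the entry; the encoding is this example's own.
#include <cstdint>
#include <map>
#include <tuple>

enum Kind { World, Variables, NamedProperties };

struct AbstractHeap {
    Kind kind;
    bool isTop;      // TOP payload: the whole Kind, e.g. "Variables"
    int64_t payload; // otherwise a specific payload, e.g. Variables(5)

    static AbstractHeap top(Kind k) { return {k, true, 0}; }
    static AbstractHeap of(Kind k, int64_t p) { return {k, false, p}; }
    bool isWorld() const { return kind == World; }
    // Three-level hierarchy: Kind(payload) -> Kind(TOP) -> World.
    AbstractHeap supertype() const { return isTop ? top(World) : top(kind); }
    bool operator<(const AbstractHeap& o) const {
        return std::tie(kind, isTop, payload) < std::tie(o.kind, o.isTop, o.payload);
    }
};

// Each member maps to "direct" (true) or "super" (false), as the entry describes.
class ClobberSet {
public:
    // Add the heap as a direct member and all of its ancestors as super members.
    // A heap already present as super is promoted to direct when added directly.
    void add(AbstractHeap heap) {
        m_members[heap] = true;
        for (AbstractHeap h = heap; !h.isWorld();) {
            h = h.supertype();
            m_members.insert({h, false}); // insert() never downgrades a direct member
        }
    }
    // Overlap: the heap itself is a member (direct or super), or one of its
    // ancestors is a direct member.
    bool overlaps(AbstractHeap heap) const {
        if (m_members.count(heap))
            return true;
        for (AbstractHeap h = heap; !h.isWorld();) {
            h = h.supertype();
            auto it = m_members.find(h);
            if (it != m_members.end() && it->second)
                return true;
        }
        return false;
    }
private:
    std::map<AbstractHeap, bool> m_members;
};

// The entry's four examples, plus the super-to-direct promotion on add().
bool example1() { ClobberSet s; s.add(AbstractHeap::of(Variables, 5)); return s.overlaps(AbstractHeap::top(Variables)); }
bool example2() { ClobberSet s; s.add(AbstractHeap::of(Variables, 5)); return s.overlaps(AbstractHeap::top(NamedProperties)); }
bool example3() { ClobberSet s; s.add(AbstractHeap::top(Variables)); return s.overlaps(AbstractHeap::of(Variables, 5)); }
bool example4() { ClobberSet s; s.add(AbstractHeap::top(Variables)); return s.overlaps(AbstractHeap::of(NamedProperties, 5)); }
bool promotion() {
    ClobberSet s;
    s.add(AbstractHeap::of(Variables, 5));                    // Variables is only a super member...
    bool before = s.overlaps(AbstractHeap::of(Variables, 7)); // ...so Variables(7) does not overlap
    s.add(AbstractHeap::top(Variables));                      // ...until Variables is added directly
    return !before && s.overlaps(AbstractHeap::of(Variables, 7));
}
```
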
3908         * JavaScriptCore.xcodeproj/project.pbxproj:
3909         * dfg/DFGAbstractHeap.cpp: Added.
3910         (DFG):
3911         (JSC::DFG::AbstractHeap::Payload::dump):
3912         (JSC::DFG::AbstractHeap::dump):
3913         (WTF):
3914         (WTF::printInternal):
3915         * dfg/DFGAbstractHeap.h: Added.
3916         (DFG):
3917         (AbstractHeap):
3918         (Payload):
3919         (JSC::DFG::AbstractHeap::Payload::Payload):
3920         (JSC::DFG::AbstractHeap::Payload::top):
3921         (JSC::DFG::AbstractHeap::Payload::isTop):
3922         (JSC::DFG::AbstractHeap::Payload::value):
3923         (JSC::DFG::AbstractHeap::Payload::valueImpl):
3924         (JSC::DFG::AbstractHeap::Payload::operator==):
3925         (JSC::DFG::AbstractHeap::Payload::operator!=):
3926         (JSC::DFG::AbstractHeap::Payload::operator<):
3927         (JSC::DFG::AbstractHeap::Payload::isDisjoint):
3928         (JSC::DFG::AbstractHeap::Payload::overlaps):
3929         (JSC::DFG::AbstractHeap::AbstractHeap):
3930         (JSC::DFG::AbstractHeap::operator!):
3931         (JSC::DFG::AbstractHeap::kind):
3932         (JSC::DFG::AbstractHeap::payload):
3933         (JSC::DFG::AbstractHeap::isDisjoint):
3934         (JSC::DFG::AbstractHeap::overlaps):
3935         (JSC::DFG::AbstractHeap::supertype):
3936         (JSC::DFG::AbstractHeap::hash):
3937         (JSC::DFG::AbstractHeap::operator==):
3938         (JSC::DFG::AbstractHeap::operator!=):
3939         (JSC::DFG::AbstractHeap::operator<):
3940         (JSC::DFG::AbstractHeap::isHashTableDeletedValue):
3941         (JSC::DFG::AbstractHeap::payloadImpl):
3942         (JSC::DFG::AbstractHeap::encode):
3943         (JSC::DFG::AbstractHeapHash::hash):
3944         (JSC::DFG::AbstractHeapHash::equal):
3945         (AbstractHeapHash):
3946         (WTF):
3947         * dfg/DFGClobberSet.cpp: Added.
3948         (DFG):
3949         (JSC::DFG::ClobberSet::ClobberSet):
3950         (JSC::DFG::ClobberSet::~ClobberSet):
3951         (JSC::DFG::ClobberSet::add):
3952         (JSC::DFG::ClobberSet::addAll):
3953         (JSC::DFG::ClobberSet::contains):
3954         (JSC::DFG::ClobberSet::overlaps):
3955         (JSC::DFG::ClobberSet::clear):
3956         (JSC::DFG::ClobberSet::direct):
3957         (JSC::DFG::ClobberSet::super):
3958         (JSC::DFG::ClobberSet::dump):
3959         (JSC::DFG::ClobberSet::setOf):
3960         (JSC::DFG::addReads):
3961         (JSC::DFG::addWrites):
3962         (JSC::DFG::addReadsAndWrites):