DFG_JIT implementation for sh4 architecture.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-08-14  Julien Brianceau  <jbrianceau@nds.com>

        DFG_JIT implementation for sh4 architecture.
        https://bugs.webkit.org/show_bug.cgi?id=119737

        Reviewed by Oliver Hunt.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::invert):
        (JSC::MacroAssemblerSH4::add32):
        (JSC::MacroAssemblerSH4::and32):
        (JSC::MacroAssemblerSH4::lshift32):
        (JSC::MacroAssemblerSH4::mul32):
        (JSC::MacroAssemblerSH4::or32):
        (JSC::MacroAssemblerSH4::rshift32):
        (JSC::MacroAssemblerSH4::sub32):
        (JSC::MacroAssemblerSH4::xor32):
        (JSC::MacroAssemblerSH4::store32):
        (JSC::MacroAssemblerSH4::swapDouble):
        (JSC::MacroAssemblerSH4::storeDouble):
        (JSC::MacroAssemblerSH4::subDouble):
        (JSC::MacroAssemblerSH4::mulDouble):
        (JSC::MacroAssemblerSH4::divDouble):
        (JSC::MacroAssemblerSH4::negateDouble):
        (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
        (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
        (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
        (JSC::MacroAssemblerSH4::swap):
        (JSC::MacroAssemblerSH4::jump):
        (JSC::MacroAssemblerSH4::branchNeg32):
        (JSC::MacroAssemblerSH4::branchAdd32):
        (JSC::MacroAssemblerSH4::branchMul32):
        (JSC::MacroAssemblerSH4::urshift32):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::SH4Assembler):
        (JSC::SH4Assembler::labelForWatchpoint):
        (JSC::SH4Assembler::label):
        (JSC::SH4Assembler::debugOffset):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
        (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
        (JSC::DFG::AssemblyHelpers::debugCall):
        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArguments):
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        * dfg/DFGFPRInfo.h:
        (JSC::DFG::FPRInfo::toRegister):
        (JSC::DFG::FPRInfo::toIndex):
        (JSC::DFG::FPRInfo::debugName):
        * dfg/DFGGPRInfo.h:
        (JSC::DFG::GPRInfo::toRegister):
        (JSC::DFG::GPRInfo::toIndex):
        (JSC::DFG::GPRInfo::debugName):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * jit/JITStubs.h:
        * jit/JITStubsSH4.h:

2013-08-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix build.

        * API/JSValue.mm:
        (isDate):
        (isArray):
        * API/JSWrapperMap.mm:
        (tryUnwrapObjcObject):
        * API/ObjCCallbackFunction.mm:
        (tryUnwrapBlock):

2013-08-13  Filip Pizlo  <fpizlo@apple.com>

        Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
        https://bugs.webkit.org/show_bug.cgi?id=119770

        Reviewed by Mark Hahnenberg.

        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::finishCreation):
        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::createStructure):
        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::finishCreation):
        * API/JSCallbackFunction.h:
        (JSC::JSCallbackFunction::createStructure):
        * API/JSCallbackObject.cpp:
        (JSC::::createStructure):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::visitChildren):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::asCallbackObject):
        (JSC::::finishCreation):
        * API/JSObjectRef.cpp:
        (JSObjectGetPrivate):
        (JSObjectSetPrivate):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        * API/JSValueRef.cpp:
        (JSValueIsObjectOfClass):
        * API/JSWeakObjectMapRefPrivate.cpp:
        * API/ObjCCallbackFunction.h:
        (JSC::ObjCCallbackFunction::createStructure):
        * JSCTypedArrayStubs.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC::CallLinkStatus::function):
        (JSC::CallLinkStatus::internalFunction):
        * bytecode/CodeBlock.h:
        (JSC::baselineCodeBlockForInlineCallFrame):
        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromClassInfo):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::visitChildren):
        (JSC::UnlinkedCodeBlock::visitChildren):
        (JSC::UnlinkedProgramCodeBlock::visitChildren):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::createStructure):
        (JSC::UnlinkedProgramCodeBlock::createStructure):
        (JSC::UnlinkedEvalCodeBlock::createStructure):
        (JSC::UnlinkedFunctionCodeBlock::createStructure):
        * debugger/Debugger.cpp:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::visitChildren):
        * debugger/DebuggerActivation.h:
        (JSC::DebuggerActivation::createStructure):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::functionName):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
        (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::isInternalFunctionConstant):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::compileNewStringObject):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::virtualForThunkGenerator):
        * interpreter/Interpreter.cpp:
        (JSC::loadVarargs):
        * jsc.cpp:
        (GlobalObject::createStructure):
        * profiler/LegacyProfiler.cpp:
        (JSC::LegacyProfiler::createCallIdentifier):
        * runtime/Arguments.cpp:
        (JSC::Arguments::visitChildren):
        * runtime/Arguments.h:
        (JSC::Arguments::createStructure):
        (JSC::asArguments):
        (JSC::Arguments::finishCreation):
        * runtime/ArrayConstructor.cpp:
        (JSC::arrayConstructorIsArray):
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::createStructure):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        (JSC::arrayProtoFuncConcat):
        (JSC::attemptFastSort):
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::createStructure):
        * runtime/BooleanConstructor.h:
        (JSC::BooleanConstructor::createStructure):
        * runtime/BooleanObject.cpp:
        (JSC::BooleanObject::finishCreation):
        * runtime/BooleanObject.h:
        (JSC::BooleanObject::createStructure):
        (JSC::asBooleanObject):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::finishCreation):
        (JSC::booleanProtoFuncToString):
        (JSC::booleanProtoFuncValueOf):
        * runtime/BooleanPrototype.h:
        (JSC::BooleanPrototype::createStructure):
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::createStructure):
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::finishCreation):
        * runtime/DateInstance.h:
        (JSC::DateInstance::createStructure):
        (JSC::asDateInstance):
        * runtime/DatePrototype.cpp:
        (JSC::formateDateInstance):
        (JSC::DatePrototype::finishCreation):
        (JSC::dateProtoFuncToISOString):
        (JSC::dateProtoFuncToLocaleString):
        (JSC::dateProtoFuncToLocaleDateString):
        (JSC::dateProtoFuncToLocaleTimeString):
        (JSC::dateProtoFuncGetTime):
        (JSC::dateProtoFuncGetFullYear):
        (JSC::dateProtoFuncGetUTCFullYear):
        (JSC::dateProtoFuncGetMonth):
        (JSC::dateProtoFuncGetUTCMonth):
        (JSC::dateProtoFuncGetDate):
        (JSC::dateProtoFuncGetUTCDate):
        (JSC::dateProtoFuncGetDay):
        (JSC::dateProtoFuncGetUTCDay):
        (JSC::dateProtoFuncGetHours):
        (JSC::dateProtoFuncGetUTCHours):
        (JSC::dateProtoFuncGetMinutes):
        (JSC::dateProtoFuncGetUTCMinutes):
        (JSC::dateProtoFuncGetSeconds):
        (JSC::dateProtoFuncGetUTCSeconds):
        (JSC::dateProtoFuncGetMilliSeconds):
        (JSC::dateProtoFuncGetUTCMilliseconds):
        (JSC::dateProtoFuncGetTimezoneOffset):
        (JSC::dateProtoFuncSetTime):
        (JSC::setNewValueFromTimeArgs):
        (JSC::setNewValueFromDateArgs):
        (JSC::dateProtoFuncSetYear):
        (JSC::dateProtoFuncGetYear):
        * runtime/DatePrototype.h:
        (JSC::DatePrototype::createStructure):
        * runtime/Error.h:
        (JSC::StrictModeTypeErrorFunction::createStructure):
        * runtime/ErrorConstructor.h:
        (JSC::ErrorConstructor::createStructure):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::finishCreation):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::createStructure):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::finishCreation):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::createStructure):
        * runtime/ExceptionHelpers.cpp:
        (JSC::isTerminatedExecutionException):
        * runtime/ExceptionHelpers.h:
        (JSC::TerminatedExecutionError::createStructure):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::visitChildren):
        (JSC::ProgramExecutable::visitChildren):
        (JSC::FunctionExecutable::visitChildren):
        (JSC::ExecutableBase::hashFor):
        * runtime/Executable.h:
        (JSC::ExecutableBase::createStructure):
        (JSC::NativeExecutable::createStructure):
        (JSC::EvalExecutable::createStructure):
        (JSC::ProgramExecutable::createStructure):
        (JSC::FunctionExecutable::compileFor):
        (JSC::FunctionExecutable::compileOptimizedFor):
        (JSC::FunctionExecutable::createStructure):
        * runtime/FunctionConstructor.h:
        (JSC::FunctionConstructor::createStructure):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        (JSC::functionProtoFuncApply):
        (JSC::functionProtoFuncBind):
        * runtime/FunctionPrototype.h:
        (JSC::FunctionPrototype::createStructure):
        * runtime/GetterSetter.cpp:
        (JSC::GetterSetter::visitChildren):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::createStructure):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::finishCreation):
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::createStructure):
        (JSC::asInternalFunction):
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::visitChildren):
        (JSC::JSActivation::argumentsGetter):
        * runtime/JSActivation.h:
        (JSC::JSActivation::createStructure):
        (JSC::asActivation):
        * runtime/JSArray.h:
        (JSC::JSArray::createStructure):
        (JSC::asArray):
        (JSC::isJSArray):
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::finishCreation):
        (JSC::JSBoundFunction::visitChildren):
        * runtime/JSBoundFunction.h:
        (JSC::JSBoundFunction::createStructure):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContext):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isFunction):
        * runtime/JSCell.h:
        (JSC::jsCast):
        (JSC::jsDynamicCast):
        * runtime/JSCellInlines.h:
        (JSC::allocateCell):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::finishCreation):
        (JSC::JSFunction::visitChildren):
        (JSC::skipOverBoundFunctions):
        (JSC::JSFunction::callerGetter):
        * runtime/JSFunction.h:
        (JSC::JSFunction::createStructure):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::visitChildren):
        (JSC::slowValidateCell):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::createStructure):
        * runtime/JSNameScope.cpp:
        (JSC::JSNameScope::visitChildren):
        * runtime/JSNameScope.h:
        (JSC::JSNameScope::createStructure):
        * runtime/JSNotAnObject.h:
        (JSC::JSNotAnObject::createStructure):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::finishCreation):
        (JSC::unwrapBoxedPrimitive):
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Stringifier::Holder::Holder):
        (JSC::Walker::walk):
        (JSC::JSONProtoFuncStringify):
        * runtime/JSONObject.h:
        (JSC::JSONObject::createStructure):
        * runtime/JSObject.cpp:
        (JSC::getCallableObjectSlow):
        (JSC::JSObject::visitChildren):
        (JSC::JSObject::copyBackingStore):
        (JSC::JSFinalObject::visitChildren):
        (JSC::JSObject::ensureInt32Slow):
        (JSC::JSObject::ensureDoubleSlow):
        (JSC::JSObject::ensureContiguousSlow):
        (JSC::JSObject::ensureArrayStorageSlow):
        * runtime/JSObject.h:
        (JSC::JSObject::finishCreation):
        (JSC::JSObject::createStructure):
        (JSC::JSNonFinalObject::createStructure):
        (JSC::JSFinalObject::createStructure):
        (JSC::isJSFinalObject):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::visitChildren):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::createStructure):
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::visitChildren):
        * runtime/JSProxy.h:
        (JSC::JSProxy::createStructure):
        * runtime/JSScope.cpp:
        (JSC::JSScope::visitChildren):
        * runtime/JSSegmentedVariableObject.cpp:
        (JSC::JSSegmentedVariableObject::visitChildren):
        * runtime/JSString.h:
        (JSC::JSString::createStructure):
        (JSC::isJSString):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::visitChildren):
        * runtime/JSVariableObject.h:
        * runtime/JSWithScope.cpp:
        (JSC::JSWithScope::visitChildren):
        * runtime/JSWithScope.h:
        (JSC::JSWithScope::createStructure):
        * runtime/JSWrapperObject.cpp:
        (JSC::JSWrapperObject::visitChildren):
        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::createStructure):
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        * runtime/MathObject.h:
        (JSC::MathObject::createStructure):
        * runtime/NameConstructor.h:
        (JSC::NameConstructor::createStructure):
        * runtime/NameInstance.h:
        (JSC::NameInstance::createStructure):
        (JSC::NameInstance::finishCreation):
        * runtime/NamePrototype.cpp:
        (JSC::NamePrototype::finishCreation):
        (JSC::privateNameProtoFuncToString):
        * runtime/NamePrototype.h:
        (JSC::NamePrototype::createStructure):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::visitChildren):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::createStructure):
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):
        * runtime/NumberConstructor.h:
        (JSC::NumberConstructor::createStructure):
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::finishCreation):
        * runtime/NumberObject.h:
        (JSC::NumberObject::createStructure):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::finishCreation):
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::createStructure):
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::createStructure):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::finishCreation):
        * runtime/ObjectPrototype.h:
        (JSC::ObjectPrototype::createStructure):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::createStructure):
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::visitChildren):
        * runtime/RegExp.h:
        (JSC::RegExp::createStructure):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::finishCreation):
        (JSC::RegExpConstructor::visitChildren):
        (JSC::constructRegExp):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::createStructure):
        (JSC::asRegExpConstructor):
        * runtime/RegExpMatchesArray.cpp:
        (JSC::RegExpMatchesArray::visitChildren):
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::createStructure):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::finishCreation):
        (JSC::RegExpObject::visitChildren):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::createStructure):
        (JSC::asRegExpObject):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncTest):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncCompile):
        (JSC::regExpProtoFuncToString):
        * runtime/RegExpPrototype.h:
        (JSC::RegExpPrototype::createStructure):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::createStructure):
        * runtime/SparseArrayValueMap.h:
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::createStructure):
        * runtime/StringConstructor.h:
        (JSC::StringConstructor::createStructure):
        * runtime/StringObject.cpp:
        (JSC::StringObject::finishCreation):
        * runtime/StringObject.h:
        (JSC::StringObject::createStructure):
        (JSC::asStringObject):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::stringProtoFuncReplace):
        (JSC::stringProtoFuncToString):
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):
        (JSC::stringProtoFuncSplit):
        * runtime/StringPrototype.h:
        (JSC::StringPrototype::createStructure):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::get):
        (JSC::Structure::visitChildren):
        * runtime/Structure.h:
        (JSC::Structure::typeInfo):
        (JSC::Structure::previousID):
        (JSC::Structure::outOfLineSize):
        (JSC::Structure::totalStorageCapacity):
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::visitChildren):
        * runtime/StructureChain.h:
        (JSC::StructureChain::createStructure):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::createStructure):
        (JSC::StructureRareData::visitChildren):
        * runtime/StructureRareData.h:
        * runtime/SymbolTable.h:
        (JSC::SharedSymbolTable::createStructure):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::StackPreservingRecompiler::operator()):
        (JSC::VM::releaseExecutableMemory):
        * runtime/WriteBarrier.h:
        (JSC::validateCell):
        * testRegExp.cpp:
        (GlobalObject::createStructure):

2013-08-13  Arunprasad Rajkumar  <arurajku@cisco.com>

        [WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places
        https://bugs.webkit.org/show_bug.cgi?id=119762

        Reviewed by Geoffrey Garen.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::markRoots):
        (JSC::Heap::collect):
        * jsc.cpp:
        (StopWatch::start):
        (StopWatch::stop):
        * testRegExp.cpp:
        (StopWatch::start):
        (StopWatch::stop):

2013-08-13  Julien Brianceau  <jbrianceau@nds.com>

        [sh4] Prepare LLINT for DFG_JIT implementation.
        https://bugs.webkit.org/show_bug.cgi?id=119755

        Reviewed by Oliver Hunt.

        * LLIntOffsetsExtractor.pro: Add sh4.rb dependency.
        * offlineasm/sh4.rb:
            - Handle storeb opcode.
            - Make relative jumps when possible using braf opcode.
            - Update bmulio implementation to be consistent with baseline JIT.
            - Remove useless code from leap opcode.
            - Fix incorrect comment.

2013-08-13  Julien Brianceau  <jbrianceau@nds.com>

        [sh4] Prepare baseline JIT for DFG_JIT implementation.
        https://bugs.webkit.org/show_bug.cgi?id=119758

        Reviewed by Oliver Hunt.

        * assembler/MacroAssemblerSH4.h:
            - Introduce a loadEffectiveAddress function to avoid code duplication.
            - Add ASSERTs and clean code.
        * assembler/SH4Assembler.h:
            - Prepare DFG_JIT implementation.
            - Add ASSERTs.
        * jit/JITStubs.cpp:
            - Add SH4 specific call for assertions.
        * jit/JITStubs.h:
            - Cosmetic change.
        * jit/JITStubsSH4.h:
            - Use constants to be more flexible with sh4 JIT stack frame.
        * jit/JSInterfaceJIT.h:
            - Cosmetic change.

2013-08-13  Oliver Hunt  <oliver@apple.com>

        Harden executeConstruct against incorrect return types from host functions
        https://bugs.webkit.org/show_bug.cgi?id=119757

        Reviewed by Mark Hahnenberg.

        Add logic to guard against bogus return types.  There doesn't seem to be any
        class in WebKit that does this wrong, but the typed array stubs in debug JSC
        do exhibit this bad behaviour.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeConstruct):

2013-08-13  Allan Sandfeld Jensen  <allan.jensen@digia.com>

        [Qt] Fix C++11 build with gcc 4.4 and 4.5
        https://bugs.webkit.org/show_bug.cgi?id=119736

        Reviewed by Anders Carlsson.

        Don't force C++11 mode off anymore.

        * Target.pri:

2013-08-12  Oliver Hunt  <oliver@apple.com>

        Remove CodeBlock's notion of adding identifiers entirely
        https://bugs.webkit.org/show_bug.cgi?id=119708

        Reviewed by Geoffrey Garen.

        Remove addAdditionalIdentifier entirely, including the bogus assertion.
        Move the addition of identifiers to DFGPlan::reallyAdd.

        * bytecode/CodeBlock.h:
        * dfg/DFGDesiredIdentifiers.cpp:
        (JSC::DFG::DesiredIdentifiers::reallyAdd):
        * dfg/DFGDesiredIdentifiers.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::reallyAdd):
        (JSC::DFG::Plan::finalize):
        * dfg/DFGPlan.h:

2013-08-12  Oliver Hunt  <oliver@apple.com>

        Build fix

        * runtime/JSCell.h:

2013-08-12  Oliver Hunt  <oliver@apple.com>

        Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them
        https://bugs.webkit.org/show_bug.cgi?id=119705

        Reviewed by Geoffrey Garen.

        Relatively trivial refactoring.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numberOfAdditionalIdentifiers):
        (JSC::CodeBlock::addAdditionalIdentifier):
        (JSC::CodeBlock::identifier):
        (JSC::CodeBlock::numberOfIdentifiers):
        * dfg/DFGCommonData.h:

2013-08-12  Oliver Hunt  <oliver@apple.com>

        Stop making unnecessary copy of CodeBlock Identifier Vector
        https://bugs.webkit.org/show_bug.cgi?id=119702

        Reviewed by Michael Saboff.

        Make CodeBlock simply use a separate Vector for additional Identifiers
        and use the UnlinkedCodeBlock for the initial set of identifiers.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::dumpStructure):
        (JSC::dumpChain):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printPutByIdOp):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numberOfIdentifiers):
        (JSC::CodeBlock::numberOfAdditionalIdentifiers):
        (JSC::CodeBlock::addAdditionalIdentifier):
        (JSC::CodeBlock::identifier):
        * dfg/DFGDesiredIdentifiers.cpp:
        (JSC::DFG::DesiredIdentifiers::reallyAdd):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_get_arguments_length):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::compileGetByIdSlowCase):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::compileGetByIdSlowCase):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2013-08-08  Mark Lam  <mark.lam@apple.com>

        Restoring use of StackIterator instead of Interpreter::getStacktrace().
        https://bugs.webkit.org/show_bug.cgi?id=119575.

        Reviewed by Oliver Hunt.

        * interpreter/Interpreter.h:
        - Made getStackTrace() private.
        * interpreter/StackIterator.cpp:
        (JSC::StackIterator::StackIterator):
        (JSC::StackIterator::numberOfFrames):
        - Computes the number of frames by iterating through the whole stack
          from the starting frame. The iterator will save its current frame
          position before counting the frames, and then restoring it after
          the counting.
        (JSC::StackIterator::gotoFrameAtIndex):
        (JSC::StackIterator::gotoNextFrame):
        (JSC::StackIterator::resetIterator):
        - Points the iterator to the starting frame.
        * interpreter/StackIteratorPrivate.h:

2013-08-08  Mark Lam  <mark.lam@apple.com>

        Moved ErrorConstructor and NativeErrorConstructor helper functions into
        the Interpreter class.
        https://bugs.webkit.org/show_bug.cgi?id=119576.

        Reviewed by Oliver Hunt.

        This change is needed to prepare for making Interpreter::getStackTrace()
        private. It does not change the behavior of the code, only the lexical
        scoping.

        * interpreter/Interpreter.h:
        - Added helper functions for ErrorConstructor and NativeErrorConstructor.
        * runtime/ErrorConstructor.cpp:
        (JSC::Interpreter::constructWithErrorConstructor):
        (JSC::ErrorConstructor::getConstructData):
        (JSC::Interpreter::callErrorConstructor):
        (JSC::ErrorConstructor::getCallData):
        - Don't want ErrorConstructor to call Interpreter::getStackTrace()
          directly. So, we moved the helper functions into the Interpreter
          class.
        * runtime/NativeErrorConstructor.cpp:
        (JSC::Interpreter::constructWithNativeErrorConstructor):
        (JSC::NativeErrorConstructor::getConstructData):
        (JSC::Interpreter::callNativeErrorConstructor):
        (JSC::NativeErrorConstructor::getCallData):
        - Don't want NativeErrorConstructor to call Interpreter::getStackTrace()
          directly. So, we moved the helper functions into the Interpreter
          class.

2013-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state
        https://bugs.webkit.org/show_bug.cgi?id=119555

        Reviewed by Geoffrey Garen.

        It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does.
        This was causing crashes on maps.google.com in 32-bit debug builds.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-08-06  Michael Saboff  <msaboff@apple.com>

        REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=119405

        Reviewed by Geoffrey Garen.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString): For X86 32 bit, construct an indexed address
        ourselves to save a register and then load from it.

2013-08-06  Filip Pizlo  <fpizlo@apple.com>

        DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants
        https://bugs.webkit.org/show_bug.cgi?id=119528

        Reviewed by Geoffrey Garen.

        Either of the two fixes would solve the crash I saw. Basically, for best performance, we want the DFG register allocator to track double uses and non-double
        uses of a node separately, and we accomplish this by inserting Int32ToDouble nodes in the FixupPhase. But even if FixupPhase fails to do this, we still want
        the DFG register allocator to do the right thing: if it encounters a double use of an integer, it should perform a conversion and preserve the original
        format of the value (namely, that it was an integer). For constants, the best format to preserve is None, so that future integer uses rematerialize the int
        from scratch. This only affects the 64-bit backend; the 32-bit backend was already doing the right thing.

        This also fixes some more debug dumping code, and adds some stronger assertions for integer arrays.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        * runtime/JSObject.h:
        (JSC::JSObject::getIndexQuickly):
        (JSC::JSObject::tryGetIndexQuickly):

757 2013-08-08  Stephanie Lewis  <slewis@apple.com>
758
759         <rdar://problem/14680524> REGRESSION(153806): Crash @ yahoo.com when WebKit is built with a .order file
760
761         Unreviewed.
762
763         Ensure llint symbols are in source order.
764
765         * JavaScriptCore.order:
766
767 2013-08-06  Mark Lam  <mark.lam@apple.com>
768
769         Assertion failure in emitExpressionInfo when reloading with Web Inspector open.
770         https://bugs.webkit.org/show_bug.cgi?id=119532.
771
772         Reviewed by Oliver Hunt.
773
774         * parser/Parser.cpp:
775         (JSC::::Parser):
776         - Just need to initialize the Parser's JSTokenLocation's initial line and
777           startOffset as well during Parser construction.
778
779 2013-08-06  Stephanie Lewis  <slewis@apple.com>
780
781         Update Order Files for Safari
782         <rdar://problem/14517392>
783
784         Unreviewed.
785
786         * JavaScriptCore.order:
787
788 2013-08-04  Sam Weinig  <sam@webkit.org>
789
790         Remove support for HTML5 MicroData
791         https://bugs.webkit.org/show_bug.cgi?id=119480
792
793         Reviewed by Anders Carlsson.
794
795         * Configurations/FeatureDefines.xcconfig:
796
797 2013-08-05  Oliver Hunt  <oliver@apple.com>
798
799         Delay Arguments creation in strict mode
800         https://bugs.webkit.org/show_bug.cgi?id=119505
801
802         Reviewed by Geoffrey Garen.
803
804         Make use of the write tracking performed by the parser to
805         allow us to know if we're modifying the parameters to a function.
806         Then use that information to make strict mode function opt out
807         of eager arguments creation.
808
809         * bytecompiler/BytecodeGenerator.cpp:
810         (JSC::BytecodeGenerator::BytecodeGenerator):
811         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
812         (JSC::BytecodeGenerator::emitReturn):
813         * bytecompiler/BytecodeGenerator.h:
814         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly):
815         * parser/Nodes.h:
816         (JSC::ScopeNode::modifiesParameter):
817         * parser/Parser.cpp:
818         (JSC::::parseInner):
819         * parser/Parser.h:
820         (JSC::Scope::declareParameter):
821         (JSC::Scope::getCapturedVariables):
822         (JSC::Parser::declareWrite):
823         * parser/ParserModes.h:
824
2013-08-06  Patrick Gansterer  <paroga@webkit.org>

        Remove useless code from COMPILER(RVCT) JITStubs
        https://bugs.webkit.org/show_bug.cgi?id=119521

        Reviewed by Geoffrey Garen.

        * jit/JITStubsARMv7.h:
        (JSC::ctiVMThrowTrampoline): "ldr r6, [sp, #PRESERVED_R6_OFFSET]" was called twice.
        (JSC::ctiOpThrowNotCaught): Ditto.

2013-07-23  David Farler  <dfarler@apple.com>

        Provide optional OTHER_CFLAGS, OTHER_CPPFLAGS, OTHER_LDFLAGS additions for building with ASAN
        https://bugs.webkit.org/show_bug.cgi?id=117762

        Reviewed by Mark Rowe.

        * Configurations/DebugRelease.xcconfig:
        Add ASAN_OTHER_CFLAGS, CPLUSPLUSFLAGS, LDFLAGS.
        * Configurations/JavaScriptCore.xcconfig:
        Add ASAN_OTHER_LDFLAGS.
        * Configurations/ToolExecutable.xcconfig:
        Don't use ASAN for build tools.

2013-08-06  Patrick Gansterer  <paroga@webkit.org>

        Build fix for ARM MSVC after r153222 and r153648.

        * jit/JITStubsARM.h: Added ctiVMThrowTrampolineSlowpath.

2013-08-06  Patrick Gansterer  <paroga@webkit.org>

        Build fix for ARM MSVC after r150109.

        Read the stub template from a header file instead of the JITStubs.cpp.

        * CMakeLists.txt:
        * DerivedSources.pri:
        * create_jit_stubs:

2013-08-05  Oliver Hunt  <oliver@apple.com>

        Move TypedArray implementation into JSC
        https://bugs.webkit.org/show_bug.cgi?id=119489

        Reviewed by Filip Pizlo.

        Move TypedArray implementation into JSC in advance of re-implementation

        * GNUmakefile.list.am:
        * JSCTypedArrayStubs.h:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/ArrayBuffer.cpp: Renamed from Source/WTF/wtf/ArrayBuffer.cpp.
        (JSC::ArrayBuffer::transfer):
        (JSC::ArrayBuffer::addView):
        (JSC::ArrayBuffer::removeView):
        * runtime/ArrayBuffer.h: Renamed from Source/WTF/wtf/ArrayBuffer.h.
        (JSC::ArrayBufferContents::ArrayBufferContents):
        (JSC::ArrayBufferContents::data):
        (JSC::ArrayBufferContents::sizeInBytes):
        (JSC::ArrayBufferContents::transfer):
        (JSC::ArrayBufferContents::copyTo):
        (JSC::ArrayBuffer::isNeutered):
        (JSC::ArrayBuffer::~ArrayBuffer):
        (JSC::ArrayBuffer::clampValue):
        (JSC::ArrayBuffer::create):
        (JSC::ArrayBuffer::createUninitialized):
        (JSC::ArrayBuffer::ArrayBuffer):
        (JSC::ArrayBuffer::data):
        (JSC::ArrayBuffer::byteLength):
        (JSC::ArrayBuffer::slice):
        (JSC::ArrayBuffer::sliceImpl):
        (JSC::ArrayBuffer::clampIndex):
        (JSC::ArrayBufferContents::tryAllocate):
        (JSC::ArrayBufferContents::~ArrayBufferContents):
        * runtime/ArrayBufferView.cpp: Renamed from Source/WTF/wtf/ArrayBufferView.cpp.
        (JSC::ArrayBufferView::ArrayBufferView):
        (JSC::ArrayBufferView::~ArrayBufferView):
        (JSC::ArrayBufferView::neuter):
        * runtime/ArrayBufferView.h: Renamed from Source/WTF/wtf/ArrayBufferView.h.
        (JSC::ArrayBufferView::buffer):
        (JSC::ArrayBufferView::baseAddress):
        (JSC::ArrayBufferView::byteOffset):
        (JSC::ArrayBufferView::setNeuterable):
        (JSC::ArrayBufferView::isNeuterable):
        (JSC::ArrayBufferView::verifySubRange):
        (JSC::ArrayBufferView::clampOffsetAndNumElements):
        (JSC::ArrayBufferView::setImpl):
        (JSC::ArrayBufferView::setRangeImpl):
        (JSC::ArrayBufferView::zeroRangeImpl):
        (JSC::ArrayBufferView::calculateOffsetAndLength):
        * runtime/Float32Array.h: Renamed from Source/WTF/wtf/Float32Array.h.
        (JSC::Float32Array::set):
        (JSC::Float32Array::getType):
        (JSC::Float32Array::create):
        (JSC::Float32Array::createUninitialized):
        (JSC::Float32Array::Float32Array):
        (JSC::Float32Array::subarray):
        * runtime/Float64Array.h: Renamed from Source/WTF/wtf/Float64Array.h.
        (JSC::Float64Array::set):
        (JSC::Float64Array::getType):
        (JSC::Float64Array::create):
        (JSC::Float64Array::createUninitialized):
        (JSC::Float64Array::Float64Array):
        (JSC::Float64Array::subarray):
        * runtime/Int16Array.h: Renamed from Source/WTF/wtf/Int16Array.h.
        (JSC::Int16Array::getType):
        (JSC::Int16Array::create):
        (JSC::Int16Array::createUninitialized):
        (JSC::Int16Array::Int16Array):
        (JSC::Int16Array::subarray):
        * runtime/Int32Array.h: Renamed from Source/WTF/wtf/Int32Array.h.
        (JSC::Int32Array::getType):
        (JSC::Int32Array::create):
        (JSC::Int32Array::createUninitialized):
        (JSC::Int32Array::Int32Array):
        (JSC::Int32Array::subarray):
        * runtime/Int8Array.h: Renamed from Source/WTF/wtf/Int8Array.h.
        (JSC::Int8Array::getType):
        (JSC::Int8Array::create):
        (JSC::Int8Array::createUninitialized):
        (JSC::Int8Array::Int8Array):
        (JSC::Int8Array::subarray):
        * runtime/IntegralTypedArrayBase.h: Renamed from Source/WTF/wtf/IntegralTypedArrayBase.h.
        (JSC::IntegralTypedArrayBase::set):
        (JSC::IntegralTypedArrayBase::IntegralTypedArrayBase):
        * runtime/TypedArrayBase.h: Renamed from Source/WTF/wtf/TypedArrayBase.h.
        (JSC::TypedArrayBase::data):
        (JSC::TypedArrayBase::set):
        (JSC::TypedArrayBase::setRange):
        (JSC::TypedArrayBase::zeroRange):
        (JSC::TypedArrayBase::length):
        (JSC::TypedArrayBase::byteLength):
        (JSC::TypedArrayBase::item):
        (JSC::TypedArrayBase::checkInboundData):
        (JSC::TypedArrayBase::TypedArrayBase):
        (JSC::TypedArrayBase::create):
        (JSC::TypedArrayBase::createUninitialized):
        (JSC::TypedArrayBase::subarrayImpl):
        (JSC::TypedArrayBase::neuter):
        * runtime/Uint16Array.h: Renamed from Source/WTF/wtf/Uint16Array.h.
        (JSC::Uint16Array::getType):
        (JSC::Uint16Array::create):
        (JSC::Uint16Array::createUninitialized):
        (JSC::Uint16Array::Uint16Array):
        (JSC::Uint16Array::subarray):
        * runtime/Uint32Array.h: Renamed from Source/WTF/wtf/Uint32Array.h.
        (JSC::Uint32Array::getType):
        (JSC::Uint32Array::create):
        (JSC::Uint32Array::createUninitialized):
        (JSC::Uint32Array::Uint32Array):
        (JSC::Uint32Array::subarray):
        * runtime/Uint8Array.h: Renamed from Source/WTF/wtf/Uint8Array.h.
        (JSC::Uint8Array::getType):
        (JSC::Uint8Array::create):
        (JSC::Uint8Array::createUninitialized):
        (JSC::Uint8Array::Uint8Array):
        (JSC::Uint8Array::subarray):
        * runtime/Uint8ClampedArray.h: Renamed from Source/WTF/wtf/Uint8ClampedArray.h.
        (JSC::Uint8ClampedArray::getType):
        (JSC::Uint8ClampedArray::create):
        (JSC::Uint8ClampedArray::createUninitialized):
        (JSC::Uint8ClampedArray::zeroFill):
        (JSC::Uint8ClampedArray::set):
        (JSC::Uint8ClampedArray::Uint8ClampedArray):
        (JSC::Uint8ClampedArray::subarray):
        * runtime/VM.h:

2013-08-03  Filip Pizlo  <fpizlo@apple.com>

        Copied space should be able to handle more than one copied backing store per JSCell
        https://bugs.webkit.org/show_bug.cgi?id=119471

        Reviewed by Mark Hahnenberg.

        This allows a cell to call copyLater() multiple times for multiple different
        backing stores, and then have copyBackingStore() called exactly once for each
        of those. A token tells it which backing store to copy. All backing stores
        must be named using the CopyToken, an enumeration which currently cannot
        exceed eight entries.

        When copyBackingStore() is called, it's up to the callee to (a) use the token
        to decide what to copy and (b) call its base class's copyBackingStore() in
        case the base class had something that needed copying. The only exception is
        that JSCell never asks anything to be copied, and so if your base is JSCell
        then you don't have to do anything.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/CopiedBlock.h:
        * heap/CopiedBlockInlines.h:
        (JSC::CopiedBlock::reportLiveBytes):
        * heap/CopyToken.h: Added.
        * heap/CopyVisitor.cpp:
        (JSC::CopyVisitor::copyFromShared):
        * heap/CopyVisitor.h:
        * heap/CopyVisitorInlines.h:
        (JSC::CopyVisitor::visitItem):
        * heap/CopyWorkList.h:
        (JSC::CopyWorklistItem::CopyWorklistItem):
        (JSC::CopyWorklistItem::cell):
        (JSC::CopyWorklistItem::token):
        (JSC::CopyWorkListSegment::get):
        (JSC::CopyWorkListSegment::append):
        (JSC::CopyWorkListSegment::data):
        (JSC::CopyWorkListIterator::get):
        (JSC::CopyWorkListIterator::operator*):
        (JSC::CopyWorkListIterator::operator->):
        (JSC::CopyWorkList::append):
        * heap/SlotVisitor.h:
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::copyLater):
        * runtime/ClassInfo.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::copyBackingStore):
        * runtime/JSCell.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitButterfly):
        (JSC::JSObject::copyBackingStore):
        * runtime/JSObject.h:
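        The copyLater()/copyBackingStore() protocol described in the entry above, as an added
        editor's example rather than JSC's own code: a cell registers each of its backing stores
        under a token, the visitor later calls copyBackingStore() exactly once per registered
        token, and a subclass that does not recognise a token chains to its base class. Every
        name below (Visitor, Cell, ObjectCell, TypedArrayCell, runCopyCycle and the two token
        values) is a hypothetical stand-in chosen for the model, not an identifier from the
        JavaScriptCore tree.

```cpp
// Added example (not JSC code): a miniature model of the copyLater()/copyBackingStore() protocol.
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <vector>

// The token names which of a cell's backing stores is meant. The entry says the real
// CopyToken enumeration currently cannot exceed eight entries; the static_assert keeps the model honest.
enum CopyToken : uint8_t { ButterflyCopyToken = 0, TypedArrayVectorCopyToken = 1 };
static_assert(TypedArrayVectorCopyToken < 8, "the token enumeration is limited to eight entries");

struct Visitor;

// Base cell: the JSCell analogue. It never registers anything, so its copyBackingStore() is a no-op.
struct Cell {
    virtual ~Cell() = default;
    virtual void visit(Visitor&) {}
    virtual void copyBackingStore(Visitor&, CopyToken) {}
};

struct Visitor {
    struct WorkItem { Cell* cell; CopyToken token; };
    std::vector<WorkItem> workList; // (cell, token) pairs waiting to be copied
    size_t copiedBytes = 0;

    // copyLater(): the cell asks for one backing store, identified by token, to be copied later.
    void copyLater(Cell* cell, CopyToken token) { workList.push_back({cell, token}); }

    // Allocate in "to-space" and copy the bytes; the caller repoints its store to the result.
    void* allocateAndCopy(const void* from, size_t bytes) {
        void* to = std::malloc(bytes);
        std::memcpy(to, from, bytes);
        copiedBytes += bytes;
        return to;
    }

    // Drain the work list: each registered pair gets exactly one copyBackingStore() call.
    size_t drain() {
        size_t calls = 0;
        for (const WorkItem& item : workList) {
            item.cell->copyBackingStore(*this, item.token);
            ++calls;
        }
        workList.clear();
        return calls;
    }
};

// A cell with one copied store (the butterfly); the JSObject analogue in this model.
struct ObjectCell : Cell {
    int* butterfly = nullptr;
    size_t butterflyCount = 0;
    int butterflyCopies = 0; // expected to be exactly 1 per cycle

    void visit(Visitor& v) override { if (butterfly) v.copyLater(this, ButterflyCopyToken); }

    void copyBackingStore(Visitor& v, CopyToken token) override {
        if (token != ButterflyCopyToken)
            return Cell::copyBackingStore(v, token); // not ours: chain to the base class
        int* to = static_cast<int*>(v.allocateAndCopy(butterfly, butterflyCount * sizeof(int)));
        std::free(butterfly); // from-space is reclaimed in the model by freeing it
        butterfly = to;
        ++butterflyCopies;
    }
};

// A subclass with a second copied store. Its copyBackingStore() handles its own token and
// chains to ObjectCell for anything else, so the butterfly is still copied.
struct TypedArrayCell : ObjectCell {
    uint8_t* vector = nullptr;
    size_t vectorBytes = 0;
    int vectorCopies = 0;

    void visit(Visitor& v) override {
        ObjectCell::visit(v);                                   // base registers the butterfly
        if (vector) v.copyLater(this, TypedArrayVectorCopyToken); // we register the vector
    }

    void copyBackingStore(Visitor& v, CopyToken token) override {
        if (token != TypedArrayVectorCopyToken)
            return ObjectCell::copyBackingStore(v, token); // rule (b): let the base copy its store
        uint8_t* to = static_cast<uint8_t*>(v.allocateAndCopy(vector, vectorBytes));
        std::free(vector);
        vector = to;
        ++vectorCopies;
    }
};

struct CycleResult { size_t calls; size_t bytes; int butterflyCopies; int vectorCopies; bool dataIntact; };

// Build one cell with two backing stores, run a copy cycle, and report what happened.
CycleResult runCopyCycle() {
    TypedArrayCell cell;
    cell.butterflyCount = 4;
    cell.butterfly = static_cast<int*>(std::malloc(4 * sizeof(int)));
    for (int i = 0; i < 4; ++i) cell.butterfly[i] = i * 10;
    cell.vectorBytes = 16;
    cell.vector = static_cast<uint8_t*>(std::malloc(16));
    for (int i = 0; i < 16; ++i) cell.vector[i] = static_cast<uint8_t>(i);

    Visitor v;
    cell.visit(v);            // registers two (cell, token) pairs
    size_t calls = v.drain(); // two copyBackingStore() calls, one per token
    bool intact = cell.butterfly[3] == 30 && cell.vector[15] == 15;
    CycleResult r{calls, v.copiedBytes, cell.butterflyCopies, cell.vectorCopies, intact};
    std::free(cell.butterfly);
    std::free(cell.vector);
    return r;
}

int main() {
    CycleResult r = runCopyCycle();
    std::printf("calls=%zu bytes=%zu butterfly=%d vector=%d intact=%d\n",
                r.calls, r.bytes, r.butterflyCopies, r.vectorCopies, r.dataIntact);
    return 0;
}
```

        The failure mode the entry's rule (b) guards against is visible if the chain call in
        TypedArrayCell::copyBackingStore() is dropped: the visitor still calls once per token, but
        the butterfly is never copied, so after from-space is reclaimed the cell keeps a dangling
        pointer to it.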

2013-08-05  Zan Dobersek  <zdobersek@igalia.com>

        [Automake] Define ENABLE_JIT through the Autoconf header
        https://bugs.webkit.org/show_bug.cgi?id=119445

        Reviewed by Martin Robinson.

        * GNUmakefile.am: Remove JSC_CPPFLAGS from the cpp flags for the JSC library.

2013-08-03  Filip Pizlo  <fpizlo@apple.com>

        hasIndexingHeader() ought really to be a property of an object and its structure, not just its structure
        https://bugs.webkit.org/show_bug.cgi?id=119470

        Reviewed by Oliver Hunt.

        Structure can still tell you if the object "could" (in the conservative sense)
        have an indexing header; that's used by the compiler.

        Most of the time if you want to know if there's an indexing header, you ask the
        JSObject.

        In some cases, the JSObject wants to know if it would have an indexing header if
        it had a different structure; then it uses Structure::hasIndexingHeader(JSCell*).

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCachePutByID):
        (JSC::DFG::tryBuildPutByIdList):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::create):
        (JSC::Butterfly::growPropertyStorage):
        (JSC::Butterfly::growArrayRight):
        (JSC::Butterfly::resizeArray):
        * runtime/JSObject.cpp:
        (JSC::JSObject::copyButterfly):
        (JSC::JSObject::visitButterfly):
        * runtime/JSObject.h:
        (JSC::JSObject::hasIndexingHeader):
        (JSC::JSObject::setButterfly):
        * runtime/Structure.h:
        (JSC::Structure::couldHaveIndexingHeader):
        (JSC::Structure::hasIndexingHeader):

2013-08-02  Chris Curtis  <chris_curtis@apple.com>

        Give the error object's stack property accessor attributes.
        https://bugs.webkit.org/show_bug.cgi?id=119404

        Reviewed by Geoffrey Garen.

        Changed the attributes of error object's stack property to allow developers to write
        and delete the stack property. This will match the functionality of Chrome. Firefox
        allows developers to write the error's stack, but not delete it.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::addStackTraceIfNecessary):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::finishCreation):

2013-08-02  Oliver Hunt  <oliver@apple.com>

        Incorrect type speculation reported by ToPrimitive
        https://bugs.webkit.org/show_bug.cgi?id=119458

        Reviewed by Mark Hahnenberg.

        Make sure that we report the correct type possibilities for the output
        from ToPrimitive

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):

2013-08-02  Gavin Barraclough  <barraclough@apple.com>

        Remove no-arguments constructor to PropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=119460

        Reviewed by Geoff Garen.

        This constructor was unsafe if getValue is subsequently called,
        and the property is a getter. Simplest to just remove it.

        * runtime/Arguments.cpp:
        (JSC::Arguments::defineOwnProperty):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::getOwnPropertyDescriptor):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertyDescriptor):
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::defineOwnProperty):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::hasOwnPropertyForWrite):
        * runtime/JSNameScope.cpp:
        (JSC::JSNameScope::put):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::hasProperty):
        (JSC::JSObject::hasOwnProperty):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        * runtime/Lookup.h:
        (JSC::getStaticPropertyDescriptor):
        (JSC::getStaticFunctionDescriptor):
        (JSC::getStaticValueDescriptor):
        * runtime/ObjectConstructor.cpp:
        (JSC::defineProperties):
        * runtime/PropertySlot.h:

2013-08-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        DFG validation can cause assertion failures due to dumping
        https://bugs.webkit.org/show_bug.cgi?id=119456

        Reviewed by Geoffrey Garen.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::hasHash):
        (JSC::CodeBlock::isSafeToComputeHash):
        (JSC::CodeBlock::hash):
        (JSC::CodeBlock::dumpAssumingJITType):
        * bytecode/CodeBlock.h:

2013-08-02  Chris Curtis  <chris_curtis@apple.com>

        Have vm's exceptionStack match java's vm's exceptionStack.
        https://bugs.webkit.org/show_bug.cgi?id=119362

        Reviewed by Geoffrey Garen.

        The error object's stack is only updated if it does not exist yet. This matches
        the functionality of other browsers, and Java VMs.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::addStackTraceIfNecessary):
        (JSC::Interpreter::throwException):
        * runtime/VM.cpp:
        (JSC::VM::clearExceptionStack):
        * runtime/VM.h:
        (JSC::VM::lastExceptionStack):

2013-08-02  Julien Brianceau  <jbrianceau@nds.com>

        REGRESSION(FTL): Fix mips implementation of ctiVMThrowTrampolineSlowpath.
        https://bugs.webkit.org/show_bug.cgi?id=119447

        Reviewed by Geoffrey Garen.

        Fix .cpload, update call frame and do not restore registers from JIT stack frame in
        mips implementation of ctiVMThrowTrampolineSlowpath. This change is similar to
        r153583 (sh4) and r153648 (ARM).

        * jit/JITStubsMIPS.h:

2013-08-01  Filip Pizlo  <fpizlo@apple.com>

        hasIndexingHeader should be a property of the Structure, not just the IndexingType
        https://bugs.webkit.org/show_bug.cgi?id=119422

        Reviewed by Oliver Hunt.

        This simplifies some code and also allows Structure to claim that an object
        has an indexing header even if it doesn't have indexed properties.

        I also changed some calls to use hasIndexedProperties() since in some cases,
        that's what we actually meant. Currently the two are synonyms.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCachePutByID):
        (JSC::DFG::tryBuildPutByIdList):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::create):
        (JSC::Butterfly::growPropertyStorage):
        (JSC::Butterfly::growArrayRight):
        (JSC::Butterfly::resizeArray):
        * runtime/IndexingType.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::copyButterfly):
        (JSC::JSObject::visitButterfly):
        (JSC::JSObject::setPrototype):
        * runtime/JSObject.h:
        (JSC::JSObject::setButterfly):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::create):
        * runtime/Structure.h:
        (JSC::Structure::hasIndexingHeader):

2013-08-02  Julien Brianceau  <jbrianceau@nds.com>

        REGRESSION: ARM still crashes after change set r153612.
        https://bugs.webkit.org/show_bug.cgi?id=119433

        Reviewed by Michael Saboff.

        Update call frame and do not restore registers from JIT stack frame in ARM and ARMv7
        implementations of ctiVMThrowTrampolineSlowpath. This change is similar to r153583
        for sh4 architecture.

        * jit/JITStubsARM.h:
        * jit/JITStubsARMv7.h:

2013-08-02  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r153612): It made jsc and layout tests crash
        https://bugs.webkit.org/show_bug.cgi?id=119440

        Reviewed by Csaba Osztrogonác.

        Made the changes of changeset r153612 only apply to 32 bit builds.

        * jit/JITExceptions.cpp:
        * jit/JITExceptions.h:
        * jit/JITStubs.cpp:
        (JSC::cti_vm_throw_slowpath):
        * jit/JITStubs.h:

2013-08-02  Patrick Gansterer  <paroga@webkit.org>

        Add JSCTestRunnerUtils to the list of forwarding headers to fix build.

        * CMakeLists.txt:

2013-08-01  Ruth Fong  <ruth_fong@apple.com>

        [Forms: color] <input type='color'> popover color well implementation
        <rdar://problem/14411008> and https://bugs.webkit.org/show_bug.cgi?id=119356

        Reviewed by Benjamin Poulain.

        * Configurations/FeatureDefines.xcconfig: Added and enabled INPUT_TYPE_COLOR_POPOVER.

2013-08-01  Oliver Hunt  <oliver@apple.com>

        DFG is not enforcing correct ordering of ToString conversion in MakeRope
        https://bugs.webkit.org/show_bug.cgi?id=119408

        Reviewed by Filip Pizlo.

        Construct ToString and Phantom nodes in advance of MakeRope
        nodes to ensure that ordering is ensured, and correct values
        will be reified on OSR exit.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2013-08-01  Michael Saboff  <msaboff@apple.com>

        REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
        https://bugs.webkit.org/show_bug.cgi?id=119140

        Reviewed by Filip Pizlo.

        Ensure that ExceptionHandler is returned by functions in two registers by encoding the value as a 64 bit int.

        * jit/JITExceptions.cpp:
        (JSC::encode):
        * jit/JITExceptions.h:
        * jit/JITStubs.cpp:
        (JSC::cti_vm_throw_slowpath):
        * jit/JITStubs.h:

2013-08-01  Julien Brianceau  <jbrianceau@nds.com>

        REGRESSION(FTL): Fix sh4 implementation of ctiVMThrowTrampolineSlowpath.
        https://bugs.webkit.org/show_bug.cgi?id=119391

        Reviewed by Csaba Osztrogonác.

        * jit/JITStubsSH4.h: Fix ctiVMThrowTrampolineSlowpath implementation:
            - Call frame is in r14 register.
            - Do not restore registers from JIT stack frame here.

2013-07-31  Gavin Barraclough  <barraclough@apple.com>

        More cleanup in PropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=119359

        Reviewed by Geoff Garen.

        m_slotBase is overloaded to store the (receiver) thisValue and the object that contains the property,
        This is confusing, and means that slotBase cannot be typed correctly (can only be a JSObject).

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDList):
            - No need to ASSERT slotBase is an object.
        * jit/JITStubs.cpp:
        (JSC::tryCacheGetByID):
        (JSC::DEFINE_STUB_FUNCTION):
            - No need to ASSERT slotBase is an object.
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::fillGetterPropertySlot):
            - Pass an object through to setGetterSlot.
        * runtime/JSObject.h:
        (JSC::PropertySlot::getValue):
            - Moved from PropertySlot (need to know about JSObject).
        * runtime/PropertySlot.cpp:
        (JSC::PropertySlot::functionGetter):
            - update per member name changes
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::PropertySlot):
            - Argument to constructor set to 'thisValue'.
        (JSC::PropertySlot::slotBase):
            - This returns a JSObject*.
        (JSC::PropertySlot::setValue):
        (JSC::PropertySlot::setCustom):
        (JSC::PropertySlot::setCacheableCustom):
        (JSC::PropertySlot::setCustomIndex):
        (JSC::PropertySlot::setGetterSlot):
        (JSC::PropertySlot::setCacheableGetterSlot):
            - slotBase is a JSObject*, make setGetterSlot set slotBase for consistency.
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayEntry::get):
            - Pass an object through to setGetterSlot.
        * runtime/SparseArrayValueMap.h:
            - Pass an object through to setGetterSlot.

1375 2013-07-31  Yi Shen  <max.hong.shen@gmail.com>
1376
1377         Reduce JSC API static value setter/getter overhead.
1378         https://bugs.webkit.org/show_bug.cgi?id=119277
1379
1380         Reviewed by Geoffrey Garen.
1381
1382         Add property name to the static value entry, so that OpaqueJSString::create() doesn't
1383         need to get called every time when set or get the static value.
1384
1385         * API/JSCallbackObjectFunctions.h:
1386         (JSC::::put):
1387         (JSC::::putByIndex):
1388         (JSC::::getStaticValue):
1389         * API/JSClassRef.cpp:
1390         (OpaqueJSClassContextData::OpaqueJSClassContextData):
1391         * API/JSClassRef.h:
1392         (StaticValueEntry::StaticValueEntry):
1393
1394 2013-07-31  Kwang Yul Seo  <skyul@company100.net>
1395
1396         Use emptyString instead of String("")
1397         https://bugs.webkit.org/show_bug.cgi?id=119335
1398
1399         Reviewed by Darin Adler.
1400
1401         Use emptyString() instead of String("") because it is better style and
1402         faster. This is a followup to r116908, removing all occurrences of
1403         String("") from WebKit.
1404
1405         * runtime/RegExpConstructor.cpp:
1406         (JSC::constructRegExp):
1407         * runtime/RegExpPrototype.cpp:
1408         (JSC::regExpProtoFuncCompile):
1409         * runtime/StringPrototype.cpp:
1410         (JSC::stringProtoFuncMatch):
1411         (JSC::stringProtoFuncSearch):
1412
1413 2013-07-31  Ruth Fong  <ruth_fong@apple.com>
1414
1415         <input type=color> Mac UI behaviour
1416         <rdar://problem/10269922> and https://bugs.webkit.org/show_bug.cgi?id=61276
1417
1418         Reviewed by Brady Eidson.
1419
1420         * Configurations/FeatureDefines.xcconfig: Enabled INPUT_TYPE_COLOR.
1421
1422 2013-07-31  Mark Hahnenberg  <mhahnenberg@apple.com>
1423
1424         DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT
1425         https://bugs.webkit.org/show_bug.cgi?id=119349
1426
1427         Reviewed by Geoffrey Garen.
1428
1429         Prior to this patch, the baseline JIT was responsible for resizing the ctiOffsets Vector for 
1430         SimpleJumpTables to be equal to the size of the branchOffsets Vector. The DFG implicitly relied
1431         on code it compiled with any switch statements to have been run in the baseline JIT first. 
1432         However, if the DFG chooses to inline a function that has never been compiled by the baseline 
1433         JIT then this resizing never happens and we crash at link time in the DFG.
1434
1435         We can fix this by also doing the resize in the DFG to catch this case.
1436
1437         * dfg/DFGJITCompiler.cpp:
1438         (JSC::DFG::JITCompiler::link):
1439
1440 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
1441
1442         Speculative Windows build fix.
1443
1444         Reviewed by NOBODY
1445
1446         * runtime/JSString.cpp:
1447         (JSC::JSRopeString::getIndexSlowCase):
1448         * runtime/JSString.h:
1449
1450 2013-07-30  Gavin Barraclough  <barraclough@apple.com>
1451
1452         Some cleanup in JSValue::get
1453         https://bugs.webkit.org/show_bug.cgi?id=119343
1454
1455         Reviewed by Geoff Garen.
1456
1457         JSValue::get is implemented to:
1458             1) Check if the value is a cell – if not, synthesize a prototype to search,
1459             2) call getOwnPropertySlot on the cell,
1460             3) if this returns false, cast to JSObject to get the prototype, and walk the prototype chain.
1461         By all rights this should crash when passed a string and accessing a property that does not exist, because
1462         the string is a cell, getOwnPropertySlot should return false, and the cast to JSObject should be unsafe.
1463         To work around this, JSString::getOwnPropertySlot actually implements 'get' functionality - searching the
1464         prototype chain, and faking out a return value of undefined if no property is found.
1465
1466         This is a huge hazard, since fixing JSString::getOwnPropertySlot or calling getOwnPropertySlot on cells
1467         from elsewhere would introduce bugs. Fortunately it is only ever called in this one place.
1468
1469         The fix here is to move getOwnPropertySlot onto JSObjecte and end this madness - cells don't have property
1470         slots anyway.
1471
1472         Interesting changes are in JSCJSValueInlines.h, JSString.cpp - the rest is pretty much all JSCell -> JSObject.
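
        The lookup order described in this entry, as an added toy model (example code written for this note, not
        JavaScriptCore's own classes): Value, Cell, JSObject, JSString and PropertySlot below are simplified stand-ins,
        and the synthesized prototypes are plain globals. It shows why the cast in step 3 is only safe when the branch
        is on isObject() rather than isCell(): a string is a cell without property slots, so it must take the primitive
        path, with only its own "length" handled before the prototype chain is walked.

```cpp
// Toy model of the JSValue::get lookup described in the entry above. This is
// example code written for this note, not JavaScriptCore's own classes: Value,
// Cell, JSObject, JSString and PropertySlot are simplified stand-ins.
#include <cassert>
#include <map>
#include <string>

struct PropertySlot { std::string value; };

struct Cell {
    virtual ~Cell() {}
    virtual bool isObject() const { return false; }
};

// Only objects carry property slots and a prototype pointer.
struct JSObject : Cell {
    std::map<std::string, std::string> own;
    JSObject* prototype = nullptr;
    bool isObject() const override { return true; }
    bool getOwnPropertySlot(const std::string& name, PropertySlot& slot) const {
        std::map<std::string, std::string>::const_iterator it = own.find(name);
        if (it == own.end())
            return false;
        slot.value = it->second;
        return true;
    }
};

// A string is a cell but not an object, so it has no property slots to search.
struct JSString : Cell {
    std::string chars;
    explicit JSString(const std::string& s) : chars(s) {}
};

struct Value {
    enum Kind { Undefined, Number, Str };
    Kind kind = Undefined;
    Cell* cell = nullptr;  // set only for Str in this toy
    bool isCell() const { return cell != nullptr; }
    bool isObject() const { return cell && cell->isObject(); }
};

static JSObject g_objectPrototype;
static JSObject g_stringPrototype;
static JSObject g_numberPrototype;

// String.prototype and Number.prototype inherit from Object.prototype.
static void setUpPrototypes() {
    g_stringPrototype.prototype = &g_objectPrototype;
    g_numberPrototype.prototype = &g_objectPrototype;
    g_objectPrototype.own["toString"] = "function";
}

// Step 1 of the entry: a primitive gets a prototype synthesized for it.
static JSObject* synthesizePrototype(const Value& v) {
    switch (v.kind) {
    case Value::Str: return &g_stringPrototype;
    case Value::Number: return &g_numberPrototype;
    default: return nullptr;  // undefined/null: a TypeError in real JS
    }
}

// Step 3 of the entry: walk the prototype chain starting at `object`.
static bool getPropertySlot(const JSObject* object, const std::string& name, PropertySlot& slot) {
    for (; object; object = object->prototype) {
        if (object->getOwnPropertySlot(name, slot))
            return true;
    }
    return false;
}

// The safe ordering: branch on isObject(), not isCell(). A JSString takes the
// primitive path (after its own "length" check), so the cast below only ever
// sees a real JSObject. Branching on isCell() and then casting, the hazard the
// entry describes, would reach the cast holding a JSString.
static bool get(const Value& v, const std::string& name, std::string& out) {
    const JSObject* object;
    if (!v.isObject()) {
        if (v.kind == Value::Str && name == "length") {
            out = std::to_string(static_cast<const JSString*>(v.cell)->chars.size());
            return true;
        }
        object = synthesizePrototype(v);
        if (!object)
            return false;
    } else {
        object = static_cast<const JSObject*>(v.cell);
    }
    PropertySlot slot;
    if (!getPropertySlot(object, name, slot))
        return false;  // the caller reads this as undefined
    out = slot.value;
    return true;
}

static Value makeString(JSString* s) {
    Value v;
    v.kind = Value::Str;
    v.cell = s;
    return v;
}
```

        With this shape, JSString needs no get-like behaviour of its own: a missing property on a string falls
        through the synthesized String.prototype chain and comes back as not found, which is what the entry wants
        getOwnPropertySlot on a cell never to have to fake.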
1473
1474 2013-07-31  Michael Saboff  <msaboff@apple.com>
1475
1476         [Win] JavaScript crash.
1477         https://bugs.webkit.org/show_bug.cgi?id=119339
1478
1479         Reviewed by Mark Hahnenberg.
1480
1481         * jit/JITStubsX86.h: Implement ctiVMThrowTrampoline and
1482         ctiVMThrowTrampolineSlowpath the same way as the gcc x86 version does.
1483
1484 2013-07-30  Mark Hahnenberg  <mhahnenberg@apple.com>
1485
1486         GetByVal on Arguments does the wrong size load when checking the Arguments object length
1487         https://bugs.webkit.org/show_bug.cgi?id=119281
1488
1489         Reviewed by Geoffrey Garen.
1490
1491         This leads to out of bounds accesses and subsequent crashes.
1492
1493         * dfg/DFGSpeculativeJIT.cpp:
1494         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
1495         * dfg/DFGSpeculativeJIT64.cpp:
1496         (JSC::DFG::SpeculativeJIT::compile):
1497
1498 2013-07-30  Oliver Hunt  <oliver@apple.com>
1499
1500         Add an assertion to SpeculateCellOperand
1501         https://bugs.webkit.org/show_bug.cgi?id=119276
1502
1503         Reviewed by Michael Saboff.
1504
1505         More assertions are better
1506
1507         * dfg/DFGSpeculativeJIT64.cpp:
1508         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1509         (JSC::DFG::SpeculativeJIT::compile):
1510
1511 2013-07-30  Mark Lam  <mark.lam@apple.com>
1512
1513         Fix problems with divot and lineStart mismatches.
1514         https://bugs.webkit.org/show_bug.cgi?id=118662.
1515
1516         Reviewed by Oliver Hunt.
1517
1518         r152494 added the recording of lineStart values for divot positions.
1519         This is needed for the computation of column numbers. Similarly, it also
1520         added the recording of line numbers for the divot positions. One problem
1521         with the approach taken was that the line and lineStart values were
1522         recorded independently, and hence were not always guaranteed to be
1523         sampled at the same place that the divot position is recorded. This
1524         resulted in potential mismatches that cause some assertions to fail.
1525
1526         The solution is to introduce a JSTextPosition abstraction that records
1527         the divot position, line, and lineStart as a single quantity. Wherever
1528         we record the divot position as an unsigned int previously, we now record
1529         its JSTextPosition which captures all 3 values in one go. This ensures
1530         that the captured line and lineStart will always match the captured divot
1531         position.
1532
1533         * bytecompiler/BytecodeGenerator.cpp:
1534         (JSC::BytecodeGenerator::emitCall):
1535         (JSC::BytecodeGenerator::emitCallEval):
1536         (JSC::BytecodeGenerator::emitCallVarargs):
1537         (JSC::BytecodeGenerator::emitConstruct):
1538         (JSC::BytecodeGenerator::emitDebugHook):
1539         - Use JSTextPosition instead of passing line and lineStart explicitly.
1540         * bytecompiler/BytecodeGenerator.h:
1541         (JSC::BytecodeGenerator::emitExpressionInfo):
1542         - Use JSTextPosition instead of passing line and lineStart explicitly.
1543         * bytecompiler/NodesCodegen.cpp:
1544         (JSC::ThrowableExpressionData::emitThrowReferenceError):
1545         (JSC::ResolveNode::emitBytecode):
1546         (JSC::BracketAccessorNode::emitBytecode):
1547         (JSC::DotAccessorNode::emitBytecode):
1548         (JSC::NewExprNode::emitBytecode):
1549         (JSC::EvalFunctionCallNode::emitBytecode):
1550         (JSC::FunctionCallValueNode::emitBytecode):
1551         (JSC::FunctionCallResolveNode::emitBytecode):
1552         (JSC::FunctionCallBracketNode::emitBytecode):
1553         (JSC::FunctionCallDotNode::emitBytecode):
1554         (JSC::CallFunctionCallDotNode::emitBytecode):
1555         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1556         (JSC::PostfixNode::emitResolve):
1557         (JSC::PostfixNode::emitBracket):
1558         (JSC::PostfixNode::emitDot):
1559         (JSC::DeleteResolveNode::emitBytecode):
1560         (JSC::DeleteBracketNode::emitBytecode):
1561         (JSC::DeleteDotNode::emitBytecode):
1562         (JSC::PrefixNode::emitResolve):
1563         (JSC::PrefixNode::emitBracket):
1564         (JSC::PrefixNode::emitDot):
1565         (JSC::UnaryOpNode::emitBytecode):
1566         (JSC::BinaryOpNode::emitStrcat):
1567         (JSC::BinaryOpNode::emitBytecode):
1568         (JSC::ThrowableBinaryOpNode::emitBytecode):
1569         (JSC::InstanceOfNode::emitBytecode):
1570         (JSC::emitReadModifyAssignment):
1571         (JSC::ReadModifyResolveNode::emitBytecode):
1572         (JSC::AssignResolveNode::emitBytecode):
1573         (JSC::AssignDotNode::emitBytecode):
1574         (JSC::ReadModifyDotNode::emitBytecode):
1575         (JSC::AssignBracketNode::emitBytecode):
1576         (JSC::ReadModifyBracketNode::emitBytecode):
1577         (JSC::ForInNode::emitBytecode):
1578         (JSC::WithNode::emitBytecode):
1579         (JSC::ThrowNode::emitBytecode):
1580         - Use JSTextPosition instead of passing line and lineStart explicitly.
1581         * parser/ASTBuilder.h:
1582         - Replaced ASTBuilder::PositionInfo with JSTextPosition.
1583         (JSC::ASTBuilder::BinaryOpInfo::BinaryOpInfo):
1584         (JSC::ASTBuilder::AssignmentInfo::AssignmentInfo):
1585         (JSC::ASTBuilder::createResolve):
1586         (JSC::ASTBuilder::createBracketAccess):
1587         (JSC::ASTBuilder::createDotAccess):
1588         (JSC::ASTBuilder::createRegExp):
1589         (JSC::ASTBuilder::createNewExpr):
1590         (JSC::ASTBuilder::createAssignResolve):
1591         (JSC::ASTBuilder::createExprStatement):
1592         (JSC::ASTBuilder::createForInLoop):
1593         (JSC::ASTBuilder::createReturnStatement):
1594         (JSC::ASTBuilder::createBreakStatement):
1595         (JSC::ASTBuilder::createContinueStatement):
1596         (JSC::ASTBuilder::createLabelStatement):
1597         (JSC::ASTBuilder::createWithStatement):
1598         (JSC::ASTBuilder::createThrowStatement):
1599         (JSC::ASTBuilder::appendBinaryExpressionInfo):
1600         (JSC::ASTBuilder::appendUnaryToken):
1601         (JSC::ASTBuilder::unaryTokenStackLastStart):
1602         (JSC::ASTBuilder::assignmentStackAppend):
1603         (JSC::ASTBuilder::createAssignment):
1604         (JSC::ASTBuilder::setExceptionLocation):
1605         (JSC::ASTBuilder::makeDeleteNode):
1606         (JSC::ASTBuilder::makeFunctionCallNode):
1607         (JSC::ASTBuilder::makeBinaryNode):
1608         (JSC::ASTBuilder::makeAssignNode):
1609         (JSC::ASTBuilder::makePrefixNode):
1610         (JSC::ASTBuilder::makePostfixNode):
1611         - Use JSTextPosition instead of passing line and lineStart explicitly.
1612         * parser/Lexer.cpp:
1613         (JSC::::lex):
1614         - Added support for capturing the appropriate JSTextPositions instead
1615           of just the character offset.
1616         * parser/Lexer.h:
1617         (JSC::Lexer::currentPosition):
1618         (JSC::::lexExpectIdentifier):
1619         - Added support for capturing the appropriate JSTextPositions instead
1620           of just the character offset.
1621         * parser/NodeConstructors.h:
1622         (JSC::Node::Node):
1623         (JSC::ResolveNode::ResolveNode):
1624         (JSC::EvalFunctionCallNode::EvalFunctionCallNode):
1625         (JSC::FunctionCallValueNode::FunctionCallValueNode):
1626         (JSC::FunctionCallResolveNode::FunctionCallResolveNode):
1627         (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
1628         (JSC::FunctionCallDotNode::FunctionCallDotNode):
1629         (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
1630         (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
1631         (JSC::PostfixNode::PostfixNode):
1632         (JSC::DeleteResolveNode::DeleteResolveNode):
1633         (JSC::DeleteBracketNode::DeleteBracketNode):
1634         (JSC::DeleteDotNode::DeleteDotNode):
1635         (JSC::PrefixNode::PrefixNode):
1636         (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
1637         (JSC::ReadModifyBracketNode::ReadModifyBracketNode):
1638         (JSC::AssignBracketNode::AssignBracketNode):
1639         (JSC::AssignDotNode::AssignDotNode):
1640         (JSC::ReadModifyDotNode::ReadModifyDotNode):
1641         (JSC::AssignErrorNode::AssignErrorNode):
1642         (JSC::WithNode::WithNode):
1643         (JSC::ForInNode::ForInNode):
1644         - Use JSTextPosition instead of passing line and lineStart explicitly.
1645         * parser/Nodes.cpp:
1646         (JSC::StatementNode::setLoc):
1647         - Use JSTextPosition instead of passing line and lineStart explicitly.
1648         * parser/Nodes.h:
1649         (JSC::Node::lineNo):
1650         (JSC::Node::startOffset):
1651         (JSC::Node::lineStartOffset):
1652         (JSC::Node::position):
1653         (JSC::ThrowableExpressionData::ThrowableExpressionData):
1654         (JSC::ThrowableExpressionData::setExceptionSourceCode):
1655         (JSC::ThrowableExpressionData::divot):
1656         (JSC::ThrowableExpressionData::divotStart):
1657         (JSC::ThrowableExpressionData::divotEnd):
1658         (JSC::ThrowableSubExpressionData::ThrowableSubExpressionData):
1659         (JSC::ThrowableSubExpressionData::setSubexpressionInfo):
1660         (JSC::ThrowableSubExpressionData::subexpressionDivot):
1661         (JSC::ThrowableSubExpressionData::subexpressionStart):
1662         (JSC::ThrowableSubExpressionData::subexpressionEnd):
1663         (JSC::ThrowablePrefixedSubExpressionData::ThrowablePrefixedSubExpressionData):
1664         (JSC::ThrowablePrefixedSubExpressionData::setSubexpressionInfo):
1665         (JSC::ThrowablePrefixedSubExpressionData::subexpressionDivot):
1666         (JSC::ThrowablePrefixedSubExpressionData::subexpressionStart):
1667         (JSC::ThrowablePrefixedSubExpressionData::subexpressionEnd):
1668         - Use JSTextPosition instead of passing line and lineStart explicitly.
1669         * parser/Parser.cpp:
1670         (JSC::::Parser):
1671         (JSC::::parseInner):
1672         - Use JSTextPosition instead of passing line and lineStart explicitly.
1673         (JSC::::didFinishParsing):
1674         - Remove setting of m_lastLine value. We always pass in the value from
1675           m_lastLine anyway. So, this assignment is effectively a nop.
1676         (JSC::::parseVarDeclaration):
1677         (JSC::::parseVarDeclarationList):
1678         (JSC::::parseForStatement):
1679         (JSC::::parseBreakStatement):
1680         (JSC::::parseContinueStatement):
1681         (JSC::::parseReturnStatement):
1682         (JSC::::parseThrowStatement):
1683         (JSC::::parseWithStatement):
1684         (JSC::::parseTryStatement):
1685         (JSC::::parseBlockStatement):
1686         (JSC::::parseFunctionDeclaration):
1687         (JSC::LabelInfo::LabelInfo):
1688         (JSC::::parseExpressionOrLabelStatement):
1689         (JSC::::parseExpressionStatement):
1690         (JSC::::parseAssignmentExpression):
1691         (JSC::::parseBinaryExpression):
1692         (JSC::::parseProperty):
1693         (JSC::::parsePrimaryExpression):
1694         (JSC::::parseMemberExpression):
1695         (JSC::::parseUnaryExpression):
1696         - Use JSTextPosition instead of passing line and lineStart explicitly.
1697         * parser/Parser.h:
1698         (JSC::Parser::next):
1699         (JSC::Parser::nextExpectIdentifier):
1700         (JSC::Parser::getToken):
1701         (JSC::Parser::tokenStartPosition):
1702         (JSC::Parser::tokenEndPosition):
1703         (JSC::Parser::lastTokenEndPosition):
1704         (JSC::::parse):
1705         - Use JSTextPosition instead of passing line and lineStart explicitly.
1706         * parser/ParserTokens.h:
1707         (JSC::JSTextPosition::JSTextPosition):
1708         (JSC::JSTextPosition::operator+):
1709         (JSC::JSTextPosition::operator-):
1710         (JSC::JSTextPosition::operator int):
1711         - Added JSTextPosition.
1712         * parser/SyntaxChecker.h:
1713         (JSC::SyntaxChecker::makeFunctionCallNode):
1714         (JSC::SyntaxChecker::makeAssignNode):
1715         (JSC::SyntaxChecker::makePrefixNode):
1716         (JSC::SyntaxChecker::makePostfixNode):
1717         (JSC::SyntaxChecker::makeDeleteNode):
1718         (JSC::SyntaxChecker::createResolve):
1719         (JSC::SyntaxChecker::createBracketAccess):
1720         (JSC::SyntaxChecker::createDotAccess):
1721         (JSC::SyntaxChecker::createRegExp):
1722         (JSC::SyntaxChecker::createNewExpr):
1723         (JSC::SyntaxChecker::createAssignResolve):
1724         (JSC::SyntaxChecker::createForInLoop):
1725         (JSC::SyntaxChecker::createReturnStatement):
1726         (JSC::SyntaxChecker::createBreakStatement):
1727         (JSC::SyntaxChecker::createContinueStatement):
1728         (JSC::SyntaxChecker::createWithStatement):
1729         (JSC::SyntaxChecker::createLabelStatement):
1730         (JSC::SyntaxChecker::createThrowStatement):
1731         (JSC::SyntaxChecker::appendBinaryExpressionInfo):
1732         (JSC::SyntaxChecker::operatorStackPop):
1733         - Use JSTextPosition instead of passing line and lineStart explicitly.
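
        The JSTextPosition idea from this entry, as an added illustration (example code written for this note, not
        JavaScriptCore's parser): a position carries offset, line and lineStart as one value sampled at one place, so
        the column computed from it cannot pair an offset from one sample with a lineStart from another. The
        whitespace tokenizer, the Scanner class and positionIsConsistent are stand-ins invented for the example; the
        entry's Lexer::lex and Parser::tokenStartPosition are not shown.

```cpp
// Illustration of the JSTextPosition idea from the entry above: offset, line
// and lineStart are sampled together as one value, so a column derived from
// them can never pair an offset from one place with a lineStart from another.
// Example code written for this note, not JavaScriptCore's parser; the
// whitespace tokenizer below is a deliberately tiny stand-in for Lexer::lex.
#include <cassert>
#include <cctype>
#include <string>
#include <vector>

struct JSTextPosition {
    int line;             // 1-based line number
    int offset;           // character offset into the source
    int lineStartOffset;  // offset of the first character of `line`
    JSTextPosition(int l = 1, int o = 0, int ls = 0) : line(l), offset(o), lineStartOffset(ls) {}
    int column() const { return offset - lineStartOffset; }  // 0-based
};

struct Token {
    std::string text;
    JSTextPosition start;  // one sample each, never assembled from separate fields
    JSTextPosition end;
};

// Advances through the source, keeping line and lineStart in step with offset.
class Scanner {
public:
    explicit Scanner(const std::string& src) : m_src(src) {}
    bool atEnd() const { return m_pos.offset >= static_cast<int>(m_src.size()); }
    char peek() const { return m_src[m_pos.offset]; }
    JSTextPosition currentPosition() const { return m_pos; }
    void shift() {
        if (m_src[m_pos.offset] == '\n') {
            ++m_pos.line;
            m_pos.lineStartOffset = m_pos.offset + 1;
        }
        ++m_pos.offset;
    }
private:
    std::string m_src;
    JSTextPosition m_pos;
};

static bool isSpace(char c) { return std::isspace(static_cast<unsigned char>(c)) != 0; }

// Splits the source on whitespace and records a JSTextPosition at both ends of each token.
std::vector<Token> tokenize(const std::string& source) {
    std::vector<Token> tokens;
    Scanner s(source);
    while (!s.atEnd()) {
        while (!s.atEnd() && isSpace(s.peek()))
            s.shift();
        if (s.atEnd())
            break;
        Token t;
        t.start = s.currentPosition();
        while (!s.atEnd() && !isSpace(s.peek())) {
            t.text += s.peek();
            s.shift();
        }
        t.end = s.currentPosition();
        tokens.push_back(t);
    }
    return tokens;
}

// The invariant the refactoring guarantees: lineStart really is the start of
// the line containing offset. A position assembled from independently sampled
// fields can violate it; one produced by Scanner cannot.
bool positionIsConsistent(const std::string& source, const JSTextPosition& p) {
    if (p.lineStartOffset < 0 || p.lineStartOffset > p.offset || p.offset > static_cast<int>(source.size()))
        return false;
    if (p.lineStartOffset > 0 && source[p.lineStartOffset - 1] != '\n')
        return false;
    for (int i = p.lineStartOffset; i < p.offset; ++i) {
        if (source[i] == '\n')
            return false;
    }
    return true;
}
```

        Every position a Token carries passes positionIsConsistent by construction; a hand-assembled position such
        as line 2, offset 20, lineStart 11 over a three-line source fails it, which is the kind of mismatch the
        entry says tripped the assertions.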
1734
1735 2013-07-29  Carlos Garcia Campos  <cgarcia@igalia.com>
1736
1737         Unreviewed. Fix make distcheck.
1738
1739         * GNUmakefile.list.am: Add missing files to compilation.
1740         * bytecode/CodeBlock.cpp: Add a ENABLE(FTL_JIT) #if block to
1741         include FTL header files not included in the compilation.
1742         * dfg/DFGDriver.cpp: Ditto.
1743         * dfg/DFGPlan.cpp: Ditto.
1744
1745 2013-07-29  Chris Curtis  <chris_curtis@apple.com>
1746
1747         Eager stack trace for error objects.
1748         https://bugs.webkit.org/show_bug.cgi?id=118918
1749
1750         Reviewed by Geoffrey Garen.
1751         
1752         Chrome and Firefox give error objects the stack property and we wanted to match
1753         that functionality. This allows developers to see the stack without throwing an object.
1754
1755         * runtime/ErrorInstance.cpp:
1756         (JSC::ErrorInstance::finishCreation):
1757         For error objects that are not thrown as an exception, we pass the stackTrace in
1758         as a parameter. This allows the error object to have the stack property.
1759         
1760         * interpreter/Interpreter.cpp:
1761         (JSC::stackTraceAsString):
1762         Helper function used to eliminate duplicate code.
1763
1764         (JSC::Interpreter::addStackTraceIfNecessary):
1765         When an error object is created by the user the vm->exceptionStack is not set.
1766         If the user throws this error object later the stack that is in the error object 
1767         may not be the correct stack for the throw, so when we set the vm->exception stack,
1768         the stack property on the error object is set as well.
1769         
1770         * runtime/ErrorConstructor.cpp:
1771         (JSC::constructWithErrorConstructor):
1772         (JSC::callErrorConstructor):
1773         * runtime/NativeErrorConstructor.cpp:
1774         (JSC::constructWithNativeErrorConstructor):
1775         (JSC::callNativeErrorConstructor):
1776         These functions indicate that the user created an error object. For all error objects 
1777         that the user explicitly creates, the topCallFrame is at a new frame created to 
1778         handle the user's call. In this case though, the error object needs the caller's 
1779         frame to create the stack trace correctly.
1780         
1781         * interpreter/Interpreter.h:
1782         * runtime/ErrorInstance.h:
1783         (JSC::ErrorInstance::create):
1784
1785 2013-07-29  Gavin Barraclough  <barraclough@apple.com>
1786
1787         Some cleanup in PropertySlot
1788         https://bugs.webkit.org/show_bug.cgi?id=119189
1789
1790         Reviewed by Geoff Garen.
1791
1792         PropertySlot represents a property in one of four states - value, getter, custom, or custom-index.
1793         The state is currently tracked redundantly by two mechanisms - the custom getter function (m_getValue)
1794         is set to a special value to indicate the type (other than custom), and the type is also tracked by
1795         an enum - but only if cacheable. Cacheability can typically be determined by the value of m_offset
1796         (this is invalidOffset if not cacheable).
1797
1798             * Internally, always track the type of the property using an enum value, PropertyType.
1799             * Use m_offset to indicate cacheable.
1800             * Keep the external interface (CachedPropertyType) unchanged.
1801             * Better pack data into the m_data union.
1802
1803         Performance neutral.
1804
1805         * dfg/DFGRepatch.cpp:
1806         (JSC::DFG::tryCacheGetByID):
1807         (JSC::DFG::tryBuildGetByIDList):
1808             - cachedPropertyType() -> isCacheable*()
1809         * jit/JITPropertyAccess.cpp:
1810         (JSC::JIT::privateCompileGetByIdProto):
1811         (JSC::JIT::privateCompileGetByIdSelfList):
1812         (JSC::JIT::privateCompileGetByIdProtoList):
1813         (JSC::JIT::privateCompileGetByIdChainList):
1814         (JSC::JIT::privateCompileGetByIdChain):
1815             - cachedPropertyType() -> isCacheable*()
1816         * jit/JITPropertyAccess32_64.cpp:
1817         (JSC::JIT::privateCompileGetByIdProto):
1818         (JSC::JIT::privateCompileGetByIdSelfList):
1819         (JSC::JIT::privateCompileGetByIdProtoList):
1820         (JSC::JIT::privateCompileGetByIdChainList):
1821         (JSC::JIT::privateCompileGetByIdChain):
1822             - cachedPropertyType() -> isCacheable*()
1823         * jit/JITStubs.cpp:
1824         (JSC::tryCacheGetByID):
1825             - cachedPropertyType() -> isCacheable*()
1826         * llint/LLIntSlowPaths.cpp:
1827         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1828             - cachedPropertyType() -> isCacheable*()
1829         * runtime/PropertySlot.cpp:
1830         (JSC::PropertySlot::functionGetter):
1831             - refactoring described above.
1832         * runtime/PropertySlot.h:
1833         (JSC::PropertySlot::PropertySlot):
1834         (JSC::PropertySlot::getValue):
1835         (JSC::PropertySlot::isCacheable):
1836         (JSC::PropertySlot::isCacheableValue):
1837         (JSC::PropertySlot::isCacheableGetter):
1838         (JSC::PropertySlot::isCacheableCustom):
1839         (JSC::PropertySlot::cachedOffset):
1840         (JSC::PropertySlot::customGetter):
1841         (JSC::PropertySlot::setValue):
1842         (JSC::PropertySlot::setCustom):
1843         (JSC::PropertySlot::setCacheableCustom):
1844         (JSC::PropertySlot::setCustomIndex):
1845         (JSC::PropertySlot::setGetterSlot):
1846         (JSC::PropertySlot::setCacheableGetterSlot):
1847         (JSC::PropertySlot::setUndefined):
1848         (JSC::PropertySlot::slotBase):
1849         (JSC::PropertySlot::setBase):
1850             - refactoring described above.
1851
1852 2013-07-28  Oliver Hunt  <oliver@apple.com>
1853
1854         REGRESSION: Crash when opening Facebook.com
1855         https://bugs.webkit.org/show_bug.cgi?id=119155
1856
1857         Reviewed by Andreas Kling.
1858
1859         Scope nodes are always objects, so we should be using SpecObjectOther
1860         rather than SpecCellOther.  Marking Scopes as CellOther leads to a
1861         contradiction in the CFA, resulting in bogus codegen.
1862
1863         * dfg/DFGAbstractInterpreterInlines.h:
1864         (JSC::DFG::::executeEffects):
1865         * dfg/DFGPredictionPropagationPhase.cpp:
1866         (JSC::DFG::PredictionPropagationPhase::propagate):
1867
1868 2013-07-26  Oliver Hunt  <oliver@apple.com>
1869
1870         REGRESSION(FTL?): Crashes in plugin tests
1871         https://bugs.webkit.org/show_bug.cgi?id=119141
1872
1873         Reviewed by Michael Saboff.
1874
1875         Re-export getStackTrace
1876
1877         * interpreter/Interpreter.h:
1878
1879 2013-07-26  Filip Pizlo  <fpizlo@apple.com>
1880
1881         REGRESSION: Crash when opening a message on Gmail
1882         https://bugs.webkit.org/show_bug.cgi?id=119105
1883
1884         Reviewed by Oliver Hunt and Mark Hahnenberg.
1885         
1886         - GetById patching in the DFG needs to be more disciplined about how it derives the
1887           slow path.
1888         
1889         - Fix some dumping code thread safety issues.
1890
1891         * bytecode/CallLinkStatus.cpp:
1892         (JSC::CallLinkStatus::dump):
1893         * bytecode/CodeBlock.cpp:
1894         (JSC::CodeBlock::dumpBytecode):
1895         * dfg/DFGRepatch.cpp:
1896         (JSC::DFG::getPolymorphicStructureList):
1897         (JSC::DFG::tryBuildGetByIDList):
1898
1899 2013-07-26  Balazs Kilvady  <kilvadyb@homejinni.com>
1900
1901         [mips] Fix LLINT build for mips backend
1902         https://bugs.webkit.org/show_bug.cgi?id=119152
1903
1904         Reviewed by Oliver Hunt.
1905
1906         * offlineasm/mips.rb:
1907
1908 2013-07-19  Mark Hahnenberg  <mhahnenberg@apple.com>
1909
1910         Setting a large numeric property on an object causes it to allocate a huge backing store
1911         https://bugs.webkit.org/show_bug.cgi?id=118914
1912
1913         Reviewed by Geoffrey Garen.
1914
1915         There are two distinct actions that we're trying to optimize for:
1916
1917         new Array(100000);
1918
1919         and:
1920
1921         a = [];
1922         a[100000] = 42;
1923         
1924         In the first case, the programmer has indicated that they expect this Array to be very big, 
1925         so they should get a contiguous array up until some threshold, above which we perform density 
1926         calculations to see if it is indeed dense enough to warrant being contiguous.
1927         
1928         In the second case, the programmer hasn't indicated anything about the size of the Array, so 
1929         we should be more conservative and assume it should be sparse until we've proven otherwise.
1930         
1931         Currently both of those cases are handled by MIN_SPARSE_ARRAY_INDEX. We should distinguish 
1932         between them for the purposes of not over-allocating large backing stores like we see on 
1933         http://www.peekanalytics.com/burgerjoints/
1934         
1935         The way that we'll do this is to keep the MIN_SPARSE_ARRAY_INDEX for the first case, and 
1936         introduce a new heuristic for the second case. If we are putting to an index above a certain 
1937         threshold (say, 1000) and it is beyond the length of the array, then we will use a sparse 
1938         map instead. So for example, in the second case above the empty array has a blank indexing 
1939         type and a length of 0. We put-by-val to an index > 1000 and > a.length, so we'll use a sparse map.
1940
1941         This fix is ~800x speedup on the accompanying regression test :-o
1942
1943         * runtime/ArrayConventions.h:
1944         (JSC::indexIsSufficientlyBeyondLengthForSparseMap):
1945         * runtime/JSObject.cpp:
1946         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1947         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
1948         (JSC::JSObject::putByIndexBeyondVectorLength):
1949         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
1950
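
        The two cases from this entry, as an added model (example code written for this note, not JavaScriptCore's
        code): one function for the explicit-length case, one for the put-by-index case, and a toy array that applies
        them so the effect on the backing store can be measured. The constants are placeholders: the entry gives 1000
        only as an example threshold and never states the value of MIN_SPARSE_ARRAY_INDEX, and the density
        calculation it mentions for large explicit lengths is left out. ToyArray, contiguousBytesFor and
        explicitLengthWantsSparseMap are names invented for the example.

```cpp
// Example written for this note, not JavaScriptCore's code, modelling the two
// cases described above. The constants are placeholders: the entry names 1000
// only as an example threshold and does not state MIN_SPARSE_ARRAY_INDEX, and
// the density calculation for large explicit lengths is left out.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <map>
#include <vector>

const unsigned kMinSparseArrayIndex = 10000;  // assumed stand-in for MIN_SPARSE_ARRAY_INDEX
const unsigned kSparseStoreThreshold = 1000;  // "say, 1000" in the entry

// new Array(n): the program asked for n slots, so stay contiguous up to the
// threshold; beyond it a real engine would run a density check first.
bool explicitLengthWantsSparseMap(unsigned length) {
    return length >= kMinSparseArrayIndex;
}

// a[i] = v with no size hint: a store past the threshold and beyond the
// current length is treated as sparse until the array proves itself dense.
bool indexIsSufficientlyBeyondLengthForSparseMap(unsigned index, unsigned length) {
    return index >= kSparseStoreThreshold && index >= length;
}

// Bytes a contiguous store would need to hold slot `index` (8-byte values).
size_t contiguousBytesFor(unsigned index) {
    return (static_cast<size_t>(index) + 1) * sizeof(int64_t);
}

// Toy array that applies the heuristics on construction and on put-by-index.
class ToyArray {
public:
    explicit ToyArray(unsigned explicitLength = 0) : m_length(explicitLength) {
        if (!explicitLength)
            return;
        if (explicitLengthWantsSparseMap(explicitLength))
            m_sparse = true;
        else
            m_vector.resize(explicitLength, 0);
    }
    void put(unsigned index, int64_t value) {
        if (!m_sparse && indexIsSufficientlyBeyondLengthForSparseMap(index, m_length)) {
            // Switch to the map instead of growing the vector to index + 1.
            for (size_t i = 0; i < m_vector.size(); ++i)
                m_map[static_cast<unsigned>(i)] = m_vector[i];
            std::vector<int64_t>().swap(m_vector);
            m_sparse = true;
        }
        if (m_sparse) {
            m_map[index] = value;
        } else {
            if (index >= m_vector.size())
                m_vector.resize(index + 1, 0);
            m_vector[index] = value;
        }
        if (index >= m_length)
            m_length = index + 1;
    }
    bool isSparse() const { return m_sparse; }
    unsigned length() const { return m_length; }
    size_t backingStoreBytes() const { return m_vector.capacity() * sizeof(int64_t); }
    size_t sparseEntries() const { return m_map.size(); }
private:
    std::vector<int64_t> m_vector;
    std::map<unsigned, int64_t> m_map;
    bool m_sparse = false;
    unsigned m_length;
};
```

        The contrast the entry draws is visible with a single index: new Array(5000) gets 5000 contiguous slots,
        while a = []; a[5000] = 42 ends up with one map entry and no vector at all, instead of the 40 KB (and, at
        index 100000, roughly 800 KB) a length-agnostic resize would have allocated for a single store.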
1951 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
1952
1953         REGRESSION(FTL): Fix lots of crashes in sh4 baseline JIT.
1954         https://bugs.webkit.org/show_bug.cgi?id=119148
1955
1956         Reviewed by Csaba Osztrogonác.
1957
1958         * jit/JSInterfaceJIT.h: "secondArgumentRegister" is wrong for sh4.
1959         * llint/LowLevelInterpreter32_64.asm: "move t0, a0" is missing
1960         in nativeCallTrampoline for sh4. Reuse MIPS implementation to avoid
1961         code duplication.
1962
1963 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
1964
1965         REGRESSION(FTL): Crash in sh4 baseline JIT.
1966         https://bugs.webkit.org/show_bug.cgi?id=119138
1967
1968         Reviewed by Csaba Osztrogonác.
1969
1970         This crash is due to incomplete report of r150146 and r148474.
1971
1972         * jit/JITStubsSH4.h:
1973
1974 2013-07-26  Zan Dobersek  <zdobersek@igalia.com>
1975
1976         Unreviewed.
1977
1978         * Target.pri: Adding missing DFG files to the Qt build.
1979
1980 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
1981
1982         GTK and Qt buildfix after the intrusive win buildfix r153360.
1983
1984         * GNUmakefile.list.am:
1985         * Target.pri:
1986
1987 2013-07-25  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
1988
1989         Unreviewed, fix build break after r153360.
1990
1991         * CMakeLists.txt: Add CommonSlowPathsExceptions.cpp.
1992
1993 2013-07-25  Roger Fong  <roger_fong@apple.com>
1994
1995         Unreviewed build fix, AppleWin port.
1996
1997         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1998         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1999         * JavaScriptCore.vcxproj/copy-files.cmd:
2000
2001 2013-07-25  Roger Fong  <roger_fong@apple.com>
2002
2003         Unreviewed. Followup to r153360.
2004
2005         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2006         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2007
2008 2013-07-25  Michael Saboff  <msaboff@apple.com>
2009
2010         [Windows] Speculative build fix.
2011
2012         Moved interpreterThrowInCaller() out of LLintExceptions.cpp into new CommonSlowPathsExceptions.cpp
2013         that is always compiled.  Made LLInt::returnToThrow() conditional on LLINT being enabled.
2014
2015         * JavaScriptCore.xcodeproj/project.pbxproj:
2016         * llint/LLIntExceptions.cpp:
2017         * llint/LLIntExceptions.h:
2018         * llint/LLIntSlowPaths.cpp:
2019         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2020         * runtime/CommonSlowPaths.cpp:
2021         (JSC::SLOW_PATH_DECL):
2022         * runtime/CommonSlowPathsExceptions.cpp: Added.
2023         (JSC::CommonSlowPaths::interpreterThrowInCaller):
2024         * runtime/CommonSlowPathsExceptions.h: Added.
2025
2026 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
2027
2028         [Windows] Unreviewed build fix.
2029
2030         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing IntendedStructureChange.h,.cpp and
2031         parser/SourceCode.h,.cpp.
2032         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
2033
2034 2013-07-25  Anders Carlsson  <andersca@apple.com>
2035
2036         ASSERT(m_vm->apiLock().currentThreadIsHoldingLock()); fails for Safari on current ToT
2037         https://bugs.webkit.org/show_bug.cgi?id=119108
2038
2039         Reviewed by Mark Hahnenberg.
2040
2041         Add a currentThreadIsHoldingAPILock() function to VM that checks if the current thread is the exclusive API thread.
2042
2043         * heap/CopiedSpace.cpp:
2044         (JSC::CopiedSpace::tryAllocateSlowCase):
2045         * heap/Heap.cpp:
2046         (JSC::Heap::protect):
2047         (JSC::Heap::unprotect):
2048         (JSC::Heap::collect):
2049         * heap/MarkedAllocator.cpp:
2050         (JSC::MarkedAllocator::allocateSlowCase):
2051         * runtime/JSGlobalObject.cpp:
2052         (JSC::JSGlobalObject::init):
2053         * runtime/VM.h:
2054         (JSC::VM::currentThreadIsHoldingAPILock):
2055
2056 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2057
2058         REGRESSION(FTL): Most layout tests crashes
2059         https://bugs.webkit.org/show_bug.cgi?id=119089
2060
2061         Reviewed by Oliver Hunt.
2062
2063         * runtime/ExecutionHarness.h:
2064         (JSC::prepareForExecution): Move prepareForExecutionImpl call into its own statement. This prevents the GCC-compiled
2065         code from creating the PassOwnPtr<JSC::JITCode> (intended as a parameter to the installOptimizedCode call) from the jitCode
2066         RefPtr<JSC::JITCode> parameter before the latter has actually been given a proper value through the prepareForExecutionImpl call.
2067         Currently it's created beforehand and therefore holds a null pointer before it's anchored as the JIT code in
2068         JSC::CodeBlock::setJITCode, which later indirectly causes assertions in JSC::CodeBlock::jitCompile.
2069         (JSC::prepareFunctionForExecution): Ditto for prepareFunctionForExecutionImpl.
2070
2071 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
2072
2073         [Windows] Unreviewed build fix.
2074
2075         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Add missing 'ftl'
2076         include path.
2077
2078 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
2079
2080         [Windows] Unreviewed build fix.
2081
2082         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add some missing files:
2083         runtime/VM.h,.cpp; Remove deleted JSGlobalData.h,.cpp.
2084         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
2085
2086 2013-07-25  Oliver Hunt  <oliver@apple.com>
2087
2088         Make all jit & non-jit combos build cleanly
2089         https://bugs.webkit.org/show_bug.cgi?id=119102
2090
2091         Reviewed by Anders Carlsson.
2092
2093         * bytecode/CodeBlock.cpp:
2094         (JSC::CodeBlock::counterValueForOptimizeSoon):
2095         * bytecode/CodeBlock.h:
2096         (JSC::CodeBlock::optimizeAfterWarmUp):
2097         (JSC::CodeBlock::numberOfDFGCompiles):
2098
2099 2013-07-25  Oliver Hunt  <oliver@apple.com>
2100
2101         32 bit portion of load validation logic
2102         https://bugs.webkit.org/show_bug.cgi?id=118878
2103
2104         Reviewed by NOBODY (Build fix).
2105
2106         * dfg/DFGSpeculativeJIT32_64.cpp:
2107         (JSC::DFG::SpeculativeJIT::compile):
2108
2109 2013-07-25  Oliver Hunt  <oliver@apple.com>
2110
2111         More 32bit build fixes
2112
2113         - Apparently some compilers don't track the fastcall directive everywhere we expect
2114
2115         * API/APICallbackFunction.h:
2116         (JSC::APICallbackFunction::call):
2117         * bytecode/CodeBlock.cpp:
2118         * runtime/Structure.cpp:
2119
2120 2013-07-25  Yi Shen  <max.hong.shen@gmail.com>
2121
2122         Optimize the thread locks for API Shims
2123         https://bugs.webkit.org/show_bug.cgi?id=118573
2124
2125         Reviewed by Geoffrey Garen.
2126
2127         Remove the thread lock from API Shims if the VM has an exclusive thread (e.g. the VM 
2128         only used by WebCore's main thread).
2129
2130         * API/APIShims.h:
2131         (JSC::APIEntryShim::APIEntryShim):
2132         (JSC::APICallbackShim::APICallbackShim):
2133         * runtime/JSLock.cpp:
2134         (JSC::JSLockHolder::JSLockHolder):
2135         (JSC::JSLockHolder::init):
2136         (JSC::JSLockHolder::~JSLockHolder):
2137         (JSC::JSLock::DropAllLocks::DropAllLocks):
2138         (JSC::JSLock::DropAllLocks::~DropAllLocks):
2139         * runtime/VM.cpp:
2140         (JSC::VM::VM):
2141         * runtime/VM.h:
2142
2143 2013-07-25  Christophe Dumez  <ch.dumez@sisa.samsung.com>
2144
2145         Unreviewed build fix after r153218.
2146
2147         Broke the EFL port build with gcc 4.7.
2148
2149         * interpreter/StackIterator.cpp:
2150         (JSC::printif):
2151
2152 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
2153
2154         Build fix: add missing #include.
2155         https://bugs.webkit.org/show_bug.cgi?id=119087
2156
2157         Reviewed by Allan Sandfeld Jensen.
2158
2159         * bytecode/ArrayProfile.cpp:
2160
2161 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
2162
2163         Unreviewed, build fix on the EFL port.
2164
2165         * CMakeLists.txt: Added JSCTestRunnerUtils.cpp.
2166
2167 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
2168
2169         [sh4] Add missing store8(TrustedImm32, void*) implementation in baseline JIT.
2170         https://bugs.webkit.org/show_bug.cgi?id=119083
2171
2172         Reviewed by Allan Sandfeld Jensen.
2173
2174         * assembler/MacroAssemblerSH4.h:
2175         (JSC::MacroAssemblerSH4::store8):
2176
2177 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
2178
2179         [Qt] Fix test build after FTL upstream
2180
2181         Unreviewed build fix.
2182
2183         * Target.pri:
2184
2185 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
2186
2187         [Qt] Build fix after FTL.
2188
2189         Unreviewed build fix.
2190
2191         * Target.pri:
2192         * interpreter/StackIterator.cpp:
2193         (JSC::StackIterator::Frame::print):
2194
2195 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
2196
2197         Unreviewed build fix after FTL upstream.
2198
2199         * dfg/DFGWorklist.cpp:
2200         (JSC::DFG::Worklist::~Worklist):
2201
2202 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
2203
2204         Unreviewed, build fix on the EFL port.
2205
2206         * CMakeLists.txt:
2207         Added SourceCode.cpp and removed BlackBerry file.
2208         * jit/JITCode.h:
2209         (JSC::JITCode::nextTierJIT):
2210         Fixed build break because of -Werror=return-type
2211         * parser/Lexer.cpp: Includes JSFunctionInlines.h
2212         * runtime/JSScope.h:
2213         (JSC::makeType):
2214         Fixed build break because of -Werror=return-type
2215
2216 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
2217
2218         Unreviewed build fixing after FTL upstream.
2219
2220         * runtime/Executable.cpp:
2221         (JSC::FunctionExecutable::produceCodeBlockFor):
2222
2223 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
2224
2225         Add missing implementation of bxxxnz in sh4 LLINT.
2226         https://bugs.webkit.org/show_bug.cgi?id=119079
2227
2228         Reviewed by Allan Sandfeld Jensen.
2229
2230         * offlineasm/sh4.rb:
2231
2232 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
2233
2234         Unreviewed, build fix on the Qt port.
2235
2236         * Target.pri: Add additional build files for the FTL.
2237
2238 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
2239
2240         Unreviewed buildfix after FTL upstream.
2241
2242         * interpreter/StackIterator.cpp:
2243         (JSC::StackIterator::Frame::codeType):
2244         (JSC::StackIterator::Frame::functionName):
2245         (JSC::StackIterator::Frame::sourceURL):
2246         (JSC::StackIterator::Frame::logicalFrame):
2247
2248 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2249
2250         Unreviewed.
2251
2252         * heap/CopyVisitor.cpp: Include CopiedSpaceInlines header so the CopiedSpace::recycleEvacuatedBlock
2253         method is not left undefined, causing build failures on (at least) the GTK port.
2254
2255 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2256
2257         Unreviewed, further build fixing on the GTK port.
2258
2259         * GNUmakefile.list.am: Add CompilationResult source files to the build.
2260
2261 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2262
2263         Unreviewed GTK build fixing.
2264
2265         * GNUmakefile.am: Make the shared libjsc library depend on any changes to the build target list.
2266         * GNUmakefile.list.am: Add additional build targets for files that were introduced by the FTL branch merge.
2267
2268 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
2269
2270         Buildfix after this error:
2271         error: 'pathName' may be used uninitialized in this function [-Werror=uninitialized]
2272
2273         * dfg/DFGPlan.cpp:
2274         (JSC::DFG::Plan::compileInThread):
2275
2276 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
2277
2278         One more buildfix after FTL upstream.
2279
2280         Return a dummy value after RELEASE_ASSERT_NOT_REACHED() to make GCC happy.
2281
2282         * dfg/DFGLazyJSValue.cpp:
2283         (JSC::DFG::LazyJSValue::getValue):
2284         (JSC::DFG::LazyJSValue::strictEqual):
2285
2286 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
2287
2288         Fix "Unhandled opcode localAnnotation" build error in sh4 and mips LLINT.
2289         https://bugs.webkit.org/show_bug.cgi?id=119076
2290
2291         Reviewed by Allan Sandfeld Jensen.
2292
2293         * offlineasm/mips.rb:
2294         * offlineasm/sh4.rb:
2295
2296 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2297
2298         Unreviewed GTK build fix.
2299
2300         * GNUmakefile.list.am: Adding JSCTestRunnerUtils files to the build.
2301
2302 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2303
2304         Unreviewed. Further build fixing for the GTK port. Adding the forwarding header
2305         for JSCTestRunnerUtils.h as required by the DumpRenderTree compilation.
2306
2307         * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h: Added.
2308
2309 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2310
2311         Unreviewed. Fixing the GTK build after the FTL merging by updating the build targets list.
2312
2313         * GNUmakefile.am:
2314         * GNUmakefile.list.am:
2315
2316 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
2317
2318         Unreviewed buildfix after FTL upstream.
2319
2320         * runtime/JSScope.h:
2321         (JSC::needsVarInjectionChecks):
2322
2323 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
2324
2325         One more fix after FTL upstream.
2326
2327         * Target.pri:
2328         * bytecode/CodeBlock.h:
2329         * bytecode/GetByIdStatus.h:
2330         (JSC::GetByIdStatus::GetByIdStatus):
2331
2332 2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>
2333
2334         Unreviewed buildfix after FTL upstream.
2335
2336         Add ftl directory as include path.
2337
2338         * CMakeLists.txt:
2339         * JavaScriptCore.pri:
2340
2341 2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>
2342
2343         Unreviewed buildfix after FTL upstream for non C++11 builds.
2344
2345         * interpreter/CallFrame.h:
2346         * interpreter/StackIteratorPrivate.h:
2347         (JSC::StackIterator::end):
2348
2349 2013-07-24  Oliver Hunt  <oliver@apple.com>
2350
2351         Endeavour to fix CMakelist builds
2352
2353         * CMakeLists.txt:
2354
2355 2013-07-24  Filip Pizlo  <fpizlo@apple.com>
2356
2357         fourthTier: DFG IR dumps should be easier to read
2358         https://bugs.webkit.org/show_bug.cgi?id=119050
2359
2360         Reviewed by Mark Hahnenberg.
2361         
2362         Added a DumpContext that includes support for printing an endnote
2363         that describes all structures in full, while the main flow of the
2364         dump just uses made-up names for the structures. This is helpful
2365         since Structure::dump() may print a lot. The stuff it prints is
2366         useful, but if it's all inline with the surrounding thing you're
2367         dumping (often, a node in the DFG), then you get a ridiculously
2368         long print-out. All classes that dump structures (including
2369         Structure itself) now have dumpInContext() methods that use
2370         inContext() for dumping anything that might transitively print a
2371         structure. If Structure::dumpInContext() is called with a NULL
2372         context, it just uses dump() like before. Hence you don't have to
2373         know anything about DumpContext unless you want to.
2374         
2375         inContext(*structure, context) dumps something like %B4:Array,
2376         and the endnote will have something like:
2377         
2378             %B4:Array    = 0x10e91a180:[Array, {Edge:100, Normal:101, Line:102, NumPx:103, LastPx:104}, ArrayWithContiguous, Proto:0x10e99ffe0]
2379         
2380         where B4 is the inferred name that StringHashDumpContext came up
2381         with.
2382         
2383         Also shortened a bunch of other dumps, removing information that
2384         isn't so important.
2385         
2386         * JavaScriptCore.xcodeproj/project.pbxproj:
2387         * bytecode/ArrayProfile.cpp:
2388         (JSC::dumpArrayModes):
2389         * bytecode/CodeBlockHash.cpp:
2390         (JSC):
2391         (JSC::CodeBlockHash::CodeBlockHash):
2392         (JSC::CodeBlockHash::dump):
2393         * bytecode/CodeOrigin.cpp:
2394         (JSC::CodeOrigin::dumpInContext):
2395         (JSC):
2396         (JSC::InlineCallFrame::dumpInContext):
2397         (JSC::InlineCallFrame::dump):
2398         * bytecode/CodeOrigin.h:
2399         (CodeOrigin):
2400         (InlineCallFrame):
2401         * bytecode/Operands.h:
2402         (JSC::OperandValueTraits::isEmptyForDump):
2403         (Operands):
2404         (JSC::Operands::dump):
2405         (JSC):
2406         * bytecode/OperandsInlines.h: Added.
2407         (JSC):
2408         (JSC::::dumpInContext):
2409         * bytecode/StructureSet.h:
2410         (JSC::StructureSet::dumpInContext):
2411         (JSC::StructureSet::dump):
2412         (StructureSet):
2413         * dfg/DFGAbstractValue.cpp:
2414         (JSC::DFG::AbstractValue::dump):
2415         (DFG):
2416         (JSC::DFG::AbstractValue::dumpInContext):
2417         * dfg/DFGAbstractValue.h:
2418         (JSC::DFG::AbstractValue::operator!):
2419         (AbstractValue):
2420         * dfg/DFGCFAPhase.cpp:
2421         (JSC::DFG::CFAPhase::performBlockCFA):
2422         * dfg/DFGCommon.cpp:
2423         * dfg/DFGCommon.h:
2424         (JSC::DFG::NodePointerTraits::isEmptyForDump):
2425         * dfg/DFGDisassembler.cpp:
2426         (JSC::DFG::Disassembler::createDumpList):
2427         * dfg/DFGDisassembler.h:
2428         (Disassembler):
2429         * dfg/DFGFlushFormat.h:
2430         (WTF::inContext):
2431         (WTF):
2432         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
2433         * dfg/DFGGraph.cpp:
2434         (JSC::DFG::Graph::dumpCodeOrigin):
2435         (JSC::DFG::Graph::dump):
2436         (JSC::DFG::Graph::dumpBlockHeader):
2437         * dfg/DFGGraph.h:
2438         (Graph):
2439         * dfg/DFGLazyJSValue.cpp:
2440         (JSC::DFG::LazyJSValue::dumpInContext):
2441         (JSC::DFG::LazyJSValue::dump):
2442         (DFG):
2443         * dfg/DFGLazyJSValue.h:
2444         (LazyJSValue):
2445         * dfg/DFGNode.h:
2446         (JSC::DFG::nodeMapDump):
2447         (WTF::inContext):
2448         (WTF):
2449         * dfg/DFGOSRExitCompiler32_64.cpp:
2450         (JSC::DFG::OSRExitCompiler::compileExit):
2451         * dfg/DFGOSRExitCompiler64.cpp:
2452         (JSC::DFG::OSRExitCompiler::compileExit):
2453         * dfg/DFGStructureAbstractValue.h:
2454         (JSC::DFG::StructureAbstractValue::dumpInContext):
2455         (JSC::DFG::StructureAbstractValue::dump):
2456         (StructureAbstractValue):
2457         * ftl/FTLExitValue.cpp:
2458         (JSC::FTL::ExitValue::dumpInContext):
2459         (JSC::FTL::ExitValue::dump):
2460         (FTL):
2461         * ftl/FTLExitValue.h:
2462         (ExitValue):
2463         * ftl/FTLLowerDFGToLLVM.cpp:
2464         * ftl/FTLValueSource.cpp:
2465         (JSC::FTL::ValueSource::dumpInContext):
2466         (FTL):
2467         * ftl/FTLValueSource.h:
2468         (ValueSource):
2469         * runtime/DumpContext.cpp: Added.
2470         (JSC):
2471         (JSC::DumpContext::DumpContext):
2472         (JSC::DumpContext::~DumpContext):
2473         (JSC::DumpContext::isEmpty):
2474         (JSC::DumpContext::dump):
2475         * runtime/DumpContext.h: Added.
2476         (JSC):
2477         (DumpContext):
2478         * runtime/JSCJSValue.cpp:
2479         (JSC::JSValue::dump):
2480         (JSC):
2481         (JSC::JSValue::dumpInContext):
2482         * runtime/JSCJSValue.h:
2483         (JSC):
2484         (JSValue):
2485         * runtime/Structure.cpp:
2486         (JSC::Structure::dumpInContext):
2487         (JSC):
2488         (JSC::Structure::dumpBrief):
2489         (JSC::Structure::dumpContextHeader):
2490         * runtime/Structure.h:
2491         (JSC):
2492         (Structure):
2493
2494 2013-07-22  Filip Pizlo  <fpizlo@apple.com>
2495
2496         fourthTier: DFG should do a high-level LICM before going to FTL
2497         https://bugs.webkit.org/show_bug.cgi?id=118749
2498
2499         Reviewed by Oliver Hunt.
2500         
2501         Implements LICM hoisting for nodes that never write anything and never read
2502         things that are clobbered by the loop. There are some other preconditions for
2503         hoisting, see DFGLICMPhase.cpp.
2504
2505         Also did a few fixes:
2506         
2507         - ClobberSet::add was failing to switch Super entries to Direct entries in
2508           some cases.
2509         
2510         - DFGClobberize.cpp needed to #include "Operations.h".
2511         
2512         - DCEPhase needs to process the graph in reverse DFS order, when we're in SSA.
2513         
2514         - AbstractInterpreter can now execute a Node without knowing its indexInBlock.
2515           Knowing the indexInBlock is an optional optimization that all other clients
2516           of AI still opt into, but LICM doesn't.
2517         
2518         This makes the FTL a 2.19x speed-up on imaging-gaussian-blur.
2519
2520         * JavaScriptCore.xcodeproj/project.pbxproj:
2521         * dfg/DFGAbstractInterpreter.h:
2522         (AbstractInterpreter):
2523         * dfg/DFGAbstractInterpreterInlines.h:
2524         (JSC::DFG::::executeEffects):
2525         (JSC::DFG::::execute):
2526         (DFG):
2527         (JSC::DFG::::clobberWorld):
2528         (JSC::DFG::::clobberStructures):
2529         * dfg/DFGAtTailAbstractState.cpp: Added.
2530         (DFG):
2531         (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
2532         (JSC::DFG::AtTailAbstractState::~AtTailAbstractState):
2533         (JSC::DFG::AtTailAbstractState::createValueForNode):
2534         (JSC::DFG::AtTailAbstractState::forNode):
2535         * dfg/DFGAtTailAbstractState.h: Added.
2536         (DFG):
2537         (AtTailAbstractState):
2538         (JSC::DFG::AtTailAbstractState::initializeTo):
2539         (JSC::DFG::AtTailAbstractState::forNode):
2540         (JSC::DFG::AtTailAbstractState::variables):
2541         (JSC::DFG::AtTailAbstractState::block):
2542         (JSC::DFG::AtTailAbstractState::isValid):
2543         (JSC::DFG::AtTailAbstractState::setDidClobber):
2544         (JSC::DFG::AtTailAbstractState::setIsValid):
2545         (JSC::DFG::AtTailAbstractState::setBranchDirection):
2546         (JSC::DFG::AtTailAbstractState::setFoundConstants):
2547         (JSC::DFG::AtTailAbstractState::haveStructures):
2548         (JSC::DFG::AtTailAbstractState::setHaveStructures):
2549         * dfg/DFGBasicBlock.h:
2550         (JSC::DFG::BasicBlock::insertBeforeLast):
2551         * dfg/DFGBasicBlockInlines.h:
2552         (DFG):
2553         * dfg/DFGClobberSet.cpp:
2554         (JSC::DFG::ClobberSet::add):
2555         (JSC::DFG::ClobberSet::addAll):
2556         * dfg/DFGClobberize.cpp:
2557         (JSC::DFG::doesWrites):
2558         * dfg/DFGClobberize.h:
2559         (DFG):
2560         * dfg/DFGDCEPhase.cpp:
2561         (JSC::DFG::DCEPhase::DCEPhase):
2562         (JSC::DFG::DCEPhase::run):
2563         (JSC::DFG::DCEPhase::fixupBlock):
2564         (DCEPhase):
2565         * dfg/DFGEdgeDominates.h: Added.
2566         (DFG):
2567         (EdgeDominates):
2568         (JSC::DFG::EdgeDominates::EdgeDominates):
2569         (JSC::DFG::EdgeDominates::operator()):
2570         (JSC::DFG::EdgeDominates::result):
2571         (JSC::DFG::edgesDominate):
2572         * dfg/DFGFixupPhase.cpp:
2573         (JSC::DFG::FixupPhase::fixupNode):
2574         (JSC::DFG::FixupPhase::checkArray):
2575         * dfg/DFGLICMPhase.cpp: Added.
2576         (LICMPhase):
2577         (JSC::DFG::LICMPhase::LICMPhase):
2578         (JSC::DFG::LICMPhase::run):
2579         (JSC::DFG::LICMPhase::attemptHoist):
2580         (DFG):
2581         (JSC::DFG::performLICM):
2582         * dfg/DFGLICMPhase.h: Added.
2583         (DFG):
2584         * dfg/DFGPlan.cpp:
2585         (JSC::DFG::Plan::compileInThreadImpl):
2586
2587 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
2588
2589         fourthTier: DFG Nodes should be able to abstractly tell you what they read and what they write
2590         https://bugs.webkit.org/show_bug.cgi?id=118910
2591
2592         Reviewed by Sam Weinig.
2593         
2594         Add the notion of AbstractHeap to the DFG. This is analogous to the AbstractHeap in
2595         the FTL, except that the FTL's AbstractHeaps are used during LLVM lowering and are
2596         engineered to obey LLVM TBAA logic. The FTL's AbstractHeaps are also engineered to
2597         be inexpensive to use (they just give you a TBAA node) but expensive to create (you
2598         create them all up front). FTL AbstractHeaps also don't actually give you the
2599         ability to reason about aliasing; they are *just* a mechanism for lowering to TBAA.
2600         The DFG's AbstractHeaps are engineered to be both cheap to create and cheap to use.
2601         They also give you aliasing machinery. The DFG AbstractHeaps are represented
2602         internally by a int64_t. Many comparisons between them are just integer comparisons.
2603         AbstractHeaps form a three-level hierarchy (World is the supertype of everything,
2604         Kind with a TOP payload is a direct subtype of World, and Kind with a non-TOP
2605         payload is the direct subtype of its corresponding TOP Kind).
2606         
2607         Add the notion of a ClobberSet. This is the set of AbstractHeaps that you had
2608         clobbered. It represents the set that results from unifying a bunch of
2609         AbstractHeaps, and is intended to quickly answer overlap questions: does the given
2610         AbstractHeap overlap any AbstractHeap in the ClobberSet? To this end, if you add an
2611         AbstractHeap to a set, it "directly" adds the heap itself, and "super" adds all of
2612         its ancestors. An AbstractHeap is said to overlap a set if any direct or super
2613         member is equal to it, or if any of its ancestors are equal to a direct member.
2614         
2615         Example #1:
2616         
2617             - I add Variables(5). I.e. Variables is the Kind and 5 is the payload. This
2618               is a subtype of Variables, which is a subtype of World.
2619             - You query Variables. I.e. Variables with a TOP payload, which is the
2620               supertype of Variables(X) for any X, and a subtype of World.
2621             
2622             The set will have Variables(5) as a direct member, and Variables and World as
2623             super members. The Variables query will immediately return true, because
2624             Variables is indeed a super member.
2625         
2626         Example #2:
2627         
2628             - I add Variables(5)
2629             - You query NamedProperties
2630             
2631             NamedProperties is not a member at all (neither direct nor super). We next
2632             query World. World is a member, but it's a super member, so we return false.
2633         
2634         Example #3:
2635         
2636             - I add Variables
2637             - You query Variables(5)
2638             
2639             The set will have Variables as a direct member, and World as a super member.
2640             The Variables(5) query will not find Variables(5) in the set, but then it
2641             will query Variables. Variables is a direct member, so we return true.
2642         
2643         Example #4:
2644         
2645             - I add Variables
2646             - You query NamedProperties(5)
2647             
2648             Neither NamedProperties nor NamedProperties(5) is a member. We next query
2649             World. World is a member, but it's a super member, so we return false.
2650         
2651         Overlap queries require that either the heap being queried is in the set (either
2652         direct or super), or that one of its ancestors is a direct member. Another way to
2653         think about how this works is that two heaps A and B are said to overlap if
2654         A.isSubtypeOf(B) or B.isSubtypeOf(A). This is sound since heaps form a
2655         single-inheritance hierarchy. Consider that we wanted to implement a set that holds
2656         heaps and answers the question, "is any member in the set an ancestor (i.e.
2657         supertype) of some other heap". We would have the set contain the heaps themselves,
2658         and we would satisfy the query "A.isSubtypeOfAny(set)" by walking the ancestor
2659         chain of A, and repeatedly querying its membership in the set. This is what the
2660         "direct" members of our set do. Now consider the other part, where we want to ask if
2661         any member of the set is a descendent of a heap, or "A.isSupertypeOfAny(set)". We
2662         would implement this by implementing set.add(B) as adding not just B but also all of
2663         B's ancestors; then we would answer A.isSupertypeOfAny(set) by just checking if A is
2664         in the set. With two such sets - one that answers isSubtypeOfAny() and another that
2665         answers isSupertypeOfAny() - we could answer the "do any of my heaps overlap your
2666         heap" question. ClobberSet does this, but combines the two sets into a single
2667         HashMap. The HashMap's value, "direct", means that the key is a member of both the
2668         supertype set and the subtype set; if it's false then it's only a member of one of
2669         them.
2670         
2671         Finally, this adds a functorized clobberize() method that adds the read and write
2672         clobbers of a DFG::Node to read and write functors. Common functors for adding to
2673         ClobberSets, querying overlap, and doing nothing are provided. Convenient wrappers
2674         are also provided. This allows you to say things like:
2675         
2676             ClobberSet set;
2677             addWrites(graph, node1, set);
2678             if (readsOverlap(graph, node2, set))
2679                 // We know that node1 may write to something that node2 may read from.
2680         
2681         Currently this facility is only used to improve graph dumping, but it will be
2682         instrumental in both LICM and GVN. In the future, I want to completely kill the
2683         NodeClobbersWorld and NodeMightClobber flags, and eradicate CSEPhase's hackish way
2684         of accomplishing almost exactly what AbstractHeap gives you.
2685
2686         * JavaScriptCore.xcodeproj/project.pbxproj:
2687         * dfg/DFGAbstractHeap.cpp: Added.
2688         (DFG):
2689         (JSC::DFG::AbstractHeap::Payload::dump):
2690         (JSC::DFG::AbstractHeap::dump):
2691         (WTF):
2692         (WTF::printInternal):
2693         * dfg/DFGAbstractHeap.h: Added.
2694         (DFG):
2695         (AbstractHeap):
2696         (Payload):
2697         (JSC::DFG::AbstractHeap::Payload::Payload):
2698         (JSC::DFG::AbstractHeap::Payload::top):
2699         (JSC::DFG::AbstractHeap::Payload::isTop):
2700         (JSC::DFG::AbstractHeap::Payload::value):
2701         (JSC::DFG::AbstractHeap::Payload::valueImpl):
2702         (JSC::DFG::AbstractHeap::Payload::operator==):
2703         (JSC::DFG::AbstractHeap::Payload::operator!=):
2704         (JSC::DFG::AbstractHeap::Payload::operator<):
2705         (JSC::DFG::AbstractHeap::Payload::isDisjoint):
2706         (JSC::DFG::AbstractHeap::Payload::overlaps):
2707         (JSC::DFG::AbstractHeap::AbstractHeap):
2708         (JSC::DFG::AbstractHeap::operator!):
2709         (JSC::DFG::AbstractHeap::kind):
2710         (JSC::DFG::AbstractHeap::payload):
2711         (JSC::DFG::AbstractHeap::isDisjoint):
2712         (JSC::DFG::AbstractHeap::overlaps):
2713         (JSC::DFG::AbstractHeap::supertype):
2714         (JSC::DFG::AbstractHeap::hash):
2715         (JSC::DFG::AbstractHeap::operator==):
2716         (JSC::DFG::AbstractHeap::operator!=):
2717         (JSC::DFG::AbstractHeap::operator<):
2718         (JSC::DFG::AbstractHeap::isHashTableDeletedValue):
2719         (JSC::DFG::AbstractHeap::payloadImpl):
2720         (JSC::DFG::AbstractHeap::encode):
2721         (JSC::DFG::AbstractHeapHash::hash):
2722         (JSC::DFG::AbstractHeapHash::equal):
2723         (AbstractHeapHash):
2724         (WTF):
2725         * dfg/DFGClobberSet.cpp: Added.
2726         (DFG):
2727         (JSC::DFG::ClobberSet::ClobberSet):
2728         (JSC::DFG::ClobberSet::~ClobberSet):
2729         (JSC::DFG::ClobberSet::add):
2730         (JSC::DFG::ClobberSet::addAll):
2731         (JSC::DFG::ClobberSet::contains):
2732         (JSC::DFG::ClobberSet::overlaps):
2733         (JSC::DFG::ClobberSet::clear):
2734         (JSC::DFG::ClobberSet::direct):
2735         (JSC::DFG::ClobberSet::super):
2736         (JSC::DFG::ClobberSet::dump):
2737         (JSC::DFG::ClobberSet::setOf):
2738         (JSC::DFG::addReads):
2739         (JSC::DFG::addWrites):
2740         (JSC::DFG::addReadsAndWrites):
2741         (JSC::DFG::readsOverlap):
2742         (JSC::DFG::writesOverlap):
2743         * dfg/DFGClobberSet.h: Added.
2744         (DFG):
2745         (ClobberSet):
2746         (JSC::DFG::ClobberSet::isEmpty):
2747         (ClobberSetAdd):
2748         (JSC::DFG::ClobberSetAdd::ClobberSetAdd):
2749         (JSC::DFG::ClobberSetAdd::operator()):
2750         (ClobberSetOverlaps):
2751         (JSC::DFG::ClobberSetOverlaps::ClobberSetOverlaps):
2752         (JSC::DFG::ClobberSetOverlaps::operator()):
2753         (JSC::DFG::ClobberSetOverlaps::result):
2754         * dfg/DFGClobberize.cpp: Added.
2755         (DFG):
2756         (JSC::DFG::didWrites):
2757         * dfg/DFGClobberize.h: Added.
2758         (DFG):
2759         (JSC::DFG::clobberize):
2760         (NoOpClobberize):
2761         (JSC::DFG::NoOpClobberize::NoOpClobberize):
2762         (JSC::DFG::NoOpClobberize::operator()):
2763         (CheckClobberize):
2764         (JSC::DFG::CheckClobberize::CheckClobberize):
2765         (JSC::DFG::CheckClobberize::operator()):
2766         (JSC::DFG::CheckClobberize::result):
2767         * dfg/DFGGraph.cpp:
2768         (JSC::DFG::Graph::dump):
2769
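        Added example (editor's illustration, not JavaScriptCore code): a compact
        model of the AbstractHeap three-level hierarchy and the ClobberSet
        direct/super bookkeeping described in the 2013-07-21 entry above, walked
        through its four examples, plus the hoisting precondition stated in the
        2013-07-22 LICM entry (a node that writes nothing and reads nothing the
        loop clobbers). The Kind list, the TOP encoding, the NodeClobbers stand-in
        for clobberize(), and the simplified addWrites/readsOverlap signatures
        (no Graph argument) are assumptions made for this demo.

```cpp
// Added example, not JavaScriptCore code. Models the DFG AbstractHeap
// hierarchy and ClobberSet overlap rule from the 2013-07-21 ChangeLog entry
// and the LICM hoisting precondition from the 2013-07-22 entry. The Kind
// list, TOP encoding and NodeClobbers stand-in are assumptions.
#include <cstdint>
#include <iostream>
#include <map>
#include <utility>
#include <vector>

namespace Demo {

enum Kind : uint8_t { World = 0, Variables, NamedProperties };  // assumed subset

struct AbstractHeap {
    static const int64_t TOP = INT64_MIN;  // marker for a TOP payload (assumption)
    Kind kind;
    int64_t payload;

    AbstractHeap(Kind k = World, int64_t p = TOP) : kind(k), payload(p) {}
    bool isTop() const { return payload == TOP; }
    bool isWorld() const { return kind == World; }

    // Kind(payload) -> Kind(TOP) -> World; World is the root and its own supertype.
    AbstractHeap supertype() const {
        if (isWorld()) return *this;
        if (!isTop()) return AbstractHeap(kind, TOP);
        return AbstractHeap(World, TOP);
    }
    bool operator<(const AbstractHeap& o) const {
        return kind != o.kind ? kind < o.kind : payload < o.payload;
    }
};

// Map value true = "direct" (the heap itself was added, so it sits in both the
// subtype and the supertype set); false = "super" (present only as an ancestor).
class ClobberSet {
public:
    void add(AbstractHeap heap) {
        m_map[heap] = true;  // also upgrades an existing super entry to direct
        for (AbstractHeap h = heap; !h.isWorld();) {
            h = h.supertype();
            m_map.insert(std::make_pair(h, false));  // insert() never downgrades a direct entry
        }
    }
    bool contains(AbstractHeap heap) const { return m_map.count(heap) != 0; }
    bool isDirect(AbstractHeap heap) const {
        std::map<AbstractHeap, bool>::const_iterator it = m_map.find(heap);
        return it != m_map.end() && it->second;
    }
    // Overlap rule: the heap is a member (direct or super), or an ancestor is direct.
    bool overlaps(AbstractHeap heap) const {
        if (contains(heap)) return true;
        for (AbstractHeap h = heap; !h.isWorld();) {
            h = h.supertype();
            if (isDirect(h)) return true;
        }
        return false;
    }
private:
    std::map<AbstractHeap, bool> m_map;
};

// Stand-in for what clobberize() would report for a node (assumption).
struct NodeClobbers {
    std::vector<AbstractHeap> reads;
    std::vector<AbstractHeap> writes;
};

void addWrites(const NodeClobbers& node, ClobberSet& set) {
    for (size_t i = 0; i < node.writes.size(); ++i) set.add(node.writes[i]);
}
bool readsOverlap(const NodeClobbers& node, const ClobberSet& set) {
    for (size_t i = 0; i < node.reads.size(); ++i)
        if (set.overlaps(node.reads[i])) return true;
    return false;
}

// LICM precondition: hoist only a node that writes nothing and reads nothing
// the loop body writes. The other preconditions in DFGLICMPhase.cpp are not modelled.
bool canHoist(const NodeClobbers& node, const std::vector<NodeClobbers>& loopBody) {
    if (!node.writes.empty()) return false;
    ClobberSet loopWrites;
    for (size_t i = 0; i < loopBody.size(); ++i) addWrites(loopBody[i], loopWrites);
    return !readsOverlap(node, loopWrites);
}

// The four examples from the ChangeLog entry; true when all behave as described.
bool changeLogExamplesHold() {
    ClobberSet a; a.add(AbstractHeap(Variables, 5));   // direct: Variables(5); super: Variables, World
    ClobberSet b; b.add(AbstractHeap(Variables));      // direct: Variables; super: World
    return a.overlaps(AbstractHeap(Variables))            // #1: Variables is a super member
        && !a.overlaps(AbstractHeap(NamedProperties))     // #2: World is only a super member
        && b.overlaps(AbstractHeap(Variables, 5))         // #3: ancestor Variables is direct
        && !b.overlaps(AbstractHeap(NamedProperties, 5)); // #4: nothing direct on the chain
}

// Constructed loop body: one node stores Variables(7). A pure load of
// Variables(7) must stay in the loop; a load of NamedProperties(1) may be hoisted.
bool hoistDemoHolds() {
    NodeClobbers store; store.writes.push_back(AbstractHeap(Variables, 7));
    std::vector<NodeClobbers> loop(1, store);
    NodeClobbers loadVar; loadVar.reads.push_back(AbstractHeap(Variables, 7));
    NodeClobbers loadProp; loadProp.reads.push_back(AbstractHeap(NamedProperties, 1));
    return !canHoist(loadVar, loop) && canHoist(loadProp, loop);
}

} // namespace Demo

int main() {
    std::cout << "examples hold: " << Demo::changeLogExamplesHold()
              << ", hoist demo holds: " << Demo::hoistDemoHolds() << "\n";
    return 0;
}
```

        The map's insert() versus operator[] distinction is the whole point of
        add(): a heap that was previously recorded only as an ancestor must be
        promoted to direct when it is later added itself, which is the
        super-to-direct switch the 2013-07-22 entry says was missing in some
        cases, while an ancestor walk must never demote an existing direct entry.
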
2770 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
2771
2772         fourthTier: It should be easy to figure out which blocks nodes belong to
2773         https://bugs.webkit.org/show_bug.cgi?id=118957
2774
2775         Reviewed by Sam Weinig.
2776
2777         * dfg/DFGGraph.cpp:
2778         (DFG):
2779         (JSC::DFG::Graph::initializeNodeOwners):
2780         * dfg/DFGGraph.h:
2781         (Graph):
2782         * dfg/DFGNode.h:
2783
2784 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
2785
2786         fourthTier: NodeExitsForward shouldn't be duplicated in NodeType
2787         https://bugs.webkit.org/show_bug.cgi?id=118956
2788
2789         Reviewed by Sam Weinig.
2790         
2791         We had two ways of expressing that something exits forward: the NodeExitsForward
2792         flag and the word 'Forward' in the NodeType. That's kind of dumb. This patch
2793         makes it just be a flag.
2794
2795         * dfg/DFGAbstractInterpreterInlines.h:
2796         (JSC::DFG::::executeEffects):
2797         * dfg/DFGArgumentsSimplificationPhase.cpp:
2798         (JSC::DFG::ArgumentsSimplificationPhase::run):
2799         * dfg/DFGCSEPhase.cpp:
2800         (JSC::DFG::CSEPhase::int32ToDoubleCSE):
2801         (JSC::DFG::CSEPhase::checkStructureElimination):
2802         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
2803         (JSC::DFG::CSEPhase::putStructureStoreElimination):
2804         (JSC::DFG::CSEPhase::checkArrayElimination):
2805         (JSC::DFG::CSEPhase::performNodeCSE):
2806         * dfg/DFGConstantFoldingPhase.cpp:
2807         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2808         * dfg/DFGFixupPhase.cpp:
2809         (JSC::DFG::FixupPhase::fixupNode):
2810         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
2811         * dfg/DFGMinifiedNode.h:
2812         (JSC::DFG::belongsInMinifiedGraph):
2813         (JSC::DFG::MinifiedNode::hasChild):
2814         * dfg/DFGNode.h:
2815         (JSC::DFG::Node::convertToStructureTransitionWatchpoint):
2816         (JSC::DFG::Node::hasStructureSet):
2817         (JSC::DFG::Node::hasStructure):
2818         (JSC::DFG::Node::hasArrayMode):
2819         (JSC::DFG::Node::willHaveCodeGenOrOSR):
2820         * dfg/DFGNodeType.h:
2821         (DFG):
2822         (JSC::DFG::needsOSRForwardRewiring):
2823         * dfg/DFGPredictionPropagationPhase.cpp:
2824         (JSC::DFG::PredictionPropagationPhase::propagate):
2825         * dfg/DFGSafeToExecute.h:
2826         (JSC::DFG::safeToExecute):
2827         * dfg/DFGSpeculativeJIT.cpp:
2828         (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
2829         * dfg/DFGSpeculativeJIT32_64.cpp:
2830         (JSC::DFG::SpeculativeJIT::compile):
2831         * dfg/DFGSpeculativeJIT64.cpp:
2832         (JSC::DFG::SpeculativeJIT::compile):
2833         * dfg/DFGTypeCheckHoistingPhase.cpp:
2834         (JSC::DFG::TypeCheckHoistingPhase::run):
2835         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2836         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2837         * dfg/DFGVariableEventStream.cpp:
2838         (JSC::DFG::VariableEventStream::reconstruct):
2839         * ftl/FTLCapabilities.cpp:
2840         (JSC::FTL::canCompile):
2841         * ftl/FTLLowerDFGToLLVM.cpp:
2842         (JSC::FTL::LowerDFGToLLVM::compileNode):
2843         (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
2844
2845 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
2846
2847         fourthTier: It should be possible for a DFG::Node to claim to exit to one CodeOrigin, but then claim that it belongs to a different CodeOrigin for all other purposes
2848         https://bugs.webkit.org/show_bug.cgi?id=118946
2849
2850         Reviewed by Geoffrey Garen.
2851         
2852         We want to decouple the exit target code origin of a node from the code origin
2853         for all other purposes. The purposes of code origins are:
2854         
2855         - Where the node will exit, if it exits. The exit target should be consistent with
2856           the surrounding nodes, in that if you just looked at the code origins of nodes in
2857           the graph, they would be consistent with the code origins in bytecode. This is
2858           necessary for live-at-bytecode analyses to work, and to preserve the original
2859           bytecode semantics when exiting.
2860         
2861         - What kind of code the node came from, for semantics thingies. For example, we
2862           might use the code origin to find the node's global object for doing an original
2863           array check. Or we might use it to determine if the code is in strict mode. Or
2864           other similar things. When we use the code origin in this way, we're basically
2865           using it as a way of describing the node's meta-data without putting it into the
2866           node directly, to save space. In the absurd extreme you could imagine nodes not
2867           even having NodeTypes or NodeFlags, and just using the CodeOrigin to determine
2868           what bytecode the node originated from. We won't do that, but you can think of
2869           this use of code origins as just a way of compressing meta-data.
2870         
2871         - What code origin we should supply profiling to, if we exit. This is closely
2872           related to the semantics thingies, in that the exit profiling is a persistent
2873           kind of semantic meta-data that survives between recompiles, and the only way to
2874           do that is to ascribe it to the original bytecode via the code origin.
2875         
2876         If we hoist a node, we need to change the exit target code origin, but we must not
2877         change the code origin for other purposes. The best way to do this is to decouple
2878         the two kinds of code origin.
2879         
2880         OSR exit data structures already do this, because they may edit the exit target
2881         code origin while keeping the code origin for profiling intact. This happens for
2882         forward exits. So, we just need to thread separation all the way back to DFG::Node.
2883         That's what this patch does.
2884
2885         * dfg/DFGNode.h:
2886         (JSC::DFG::Node::Node):
2887         (Node):
2888         * dfg/DFGOSRExit.cpp:
2889         (JSC::DFG::OSRExit::OSRExit):
2890         * dfg/DFGOSRExitBase.h:
2891         (JSC::DFG::OSRExitBase::OSRExitBase):
2892         * dfg/DFGSpeculativeJIT.cpp:
2893         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2894         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
2895         * dfg/DFGSpeculativeJIT.h:
2896         (SpeculativeJIT):
2897         * ftl/FTLLowerDFGToLLVM.cpp:
2898         (JSC::FTL::LowerDFGToLLVM::compileNode):
2899         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
2900         (LowerDFGToLLVM):
2901         * ftl/FTLOSRExit.cpp:
2902         (JSC::FTL::OSRExit::OSRExit):
2903         * ftl/FTLOSRExit.h:
2904         (OSRExit):
2905
2906 2013-07-20  Filip Pizlo  <fpizlo@apple.com>
2907
2908         fourthTier: each DFG node that relies on other nodes to do their type checks should be able to tell you if those type checks happened
2909         https://bugs.webkit.org/show_bug.cgi?id=118866
2910
2911         Reviewed by Sam Weinig.
2912         
2913         Adds a safeToExecute() method that takes a node and an abstract state and tells you
2914         if the node will run without crashing under that state.
2915
2916         * JavaScriptCore.xcodeproj/project.pbxproj:
2917         * bytecode/CodeBlock.cpp:
2918         (JSC::CodeBlock::CodeBlock):
2919         * dfg/DFGCFAPhase.cpp:
2920         (CFAPhase):
2921         (JSC::DFG::CFAPhase::CFAPhase):
2922         (JSC::DFG::CFAPhase::run):
2923         (JSC::DFG::CFAPhase::performBlockCFA):
2924         (JSC::DFG::CFAPhase::performForwardCFA):
2925         * dfg/DFGSafeToExecute.h: Added.
2926         (DFG):
2927         (SafeToExecuteEdge):
2928         (JSC::DFG::SafeToExecuteEdge::SafeToExecuteEdge):
2929         (JSC::DFG::SafeToExecuteEdge::operator()):
2930         (JSC::DFG::SafeToExecuteEdge::result):
2931         (JSC::DFG::safeToExecute):
2932         * dfg/DFGStructureAbstractValue.h:
2933         (JSC::DFG::StructureAbstractValue::isValidOffset):
2934         (StructureAbstractValue):
2935         * runtime/Options.h:
2936         (JSC):
2937
2938 2013-07-20  Filip Pizlo  <fpizlo@apple.com>
2939
2940         fourthTier: FTL should be able to generate LLVM IR that uses an intrinsic for OSR exit
2941         https://bugs.webkit.org/show_bug.cgi?id=118948
2942
2943         Reviewed by Sam Weinig.
2944         
2945         - Add the ability to generate LLVM IR but then not use it, via --llvmAlwaysFails=true.
2946           This allows doing "what if" experiments with IR generation, even if the generated IR
2947           can't yet execute.
2948         
2949         - Add an OSR exit path that just calls an intrinsic that combines the branch and the
2950           off-ramp.
2951
2952         * JavaScriptCore.xcodeproj/project.pbxproj:
2953         * dfg/DFGPlan.cpp:
2954         (JSC::DFG::Plan::compileInThreadImpl):
2955         * ftl/FTLFail.cpp: Added.
2956         (FTL):
2957         (JSC::FTL::fail):
2958         * ftl/FTLFail.h: Added.
2959         (FTL):
2960         * ftl/FTLIntrinsicRepository.h:
2961         (FTL):
2962         * ftl/FTLLowerDFGToLLVM.cpp:
2963         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
2964         (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
2965         * runtime/Options.h:
2966         (JSC):
2967
2968 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
2969
2970         fourthTier: StringObjectUse uses structures, and CSE should know that
2971         https://bugs.webkit.org/show_bug.cgi?id=118940
2972
2973         Reviewed by Geoffrey Garen.
2974         
2975         This is asymptomatic right now, but we should fix it.
2976
2977         * JavaScriptCore.xcodeproj/project.pbxproj:
2978         * dfg/DFGCSEPhase.cpp:
2979         (JSC::DFG::CSEPhase::putStructureStoreElimination):
2980         * dfg/DFGEdgeUsesStructure.h: Added.
2981         (DFG):
2982         (EdgeUsesStructure):
2983         (JSC::DFG::EdgeUsesStructure::EdgeUsesStructure):
2984         (JSC::DFG::EdgeUsesStructure::operator()):
2985         (JSC::DFG::EdgeUsesStructure::result):
2986         (JSC::DFG::edgesUseStructure):
2987         * dfg/DFGUseKind.h:
2988         (DFG):
2989         (JSC::DFG::usesStructure):
2990
2991 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
2992
2993         fourthTier: String GetByVal out-of-bounds handling is so wrong
2994         https://bugs.webkit.org/show_bug.cgi?id=118935
2995
2996         Reviewed by Geoffrey Garen.
2997         
2998         Bunch of String GetByVal out-of-bounds fixes:
2999         
3000         - Even if the string proto chain is sane, we need to watch out for negative
3001           indices. They may get values or call getters in the prototypes, since proto
3002           sanity doesn't check for negative indexed properties, as they are not
3003           technically indexed properties.
3004         
3005         - GetByVal String out-of-bounds does in fact clobberWorld(). CSE should be
3006           given this information.
3007         
3008         - GetByVal String out-of-bounds does in fact clobberWorld(). CFA should be
3009           given this information.
3010         
3011         Also fixed some other things:
3012         
3013         - If the DFG is disabled, the testRunner should pretend that we've done a
3014           bunch of DFG compiles. That's necessary to prevent the tests from timing
3015           out.
3016         
3017         - Disassembler shouldn't try to dump source code since it's not safe in the
3018           concurrent JIT.
3019
3020         * API/JSCTestRunnerUtils.cpp:
3021         (JSC::numberOfDFGCompiles):
3022         * JavaScriptCore.xcodeproj/project.pbxproj:
3023         * dfg/DFGAbstractInterpreterInlines.h:
3024         (JSC::DFG::::executeEffects):
3025         * dfg/DFGDisassembler.cpp:
3026         (JSC::DFG::Disassembler::dumpHeader):
3027         * dfg/DFGGraph.h:
3028         (JSC::DFG::Graph::byValIsPure):
3029         * dfg/DFGSaneStringGetByValSlowPathGenerator.h: Added.
3030         (DFG):
3031         (SaneStringGetByValSlowPathGenerator):
3032         (JSC::DFG::SaneStringGetByValSlowPathGenerator::SaneStringGetByValSlowPathGenerator):
3033         (JSC::DFG::SaneStringGetByValSlowPathGenerator::generateInternal):
3034         * dfg/DFGSpeculativeJIT.cpp:
3035         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
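
        The negative-index point in the entry above, shown as a runnable example. This is added illustration, not JavaScriptCore code: it does not reproduce the DFG's "sane chain" check, only a check in the same spirit (own properties on the String prototype chain whose names are canonical array indices), and it shows why such a check cannot prove that an out-of-bounds string read is side-effect free. Run it with node; all inputs are constructed inline.

```javascript
"use strict";

// Canonical array-index test as the spec defines it (0 .. 2^32-2, no leading
// zeros). "-1" is NOT an array index: it is an ordinary string-keyed property,
// so it lives on the prototype chain like any named property would.
function isArrayIndex(key) {
  const n = Number(key);
  return Number.isInteger(n) && n >= 0 && n < 4294967295 && String(n) === key;
}

// A check in the spirit of a JIT's "the String prototype chain is sane" test
// (this example's own version, not JSC's): does any object on the chain have
// an own property whose name is an array index?
function stringProtoChainHasIndexedProperties() {
  for (let p = String.prototype; p !== null; p = Object.getPrototypeOf(p)) {
    if (Object.getOwnPropertyNames(p).some(isArrayIndex)) return true;
  }
  return false;
}

// Install a side-effecting getter for `key` on String.prototype, read
// `subject[key]`, and report what the sane-chain check said, what the read
// returned, and whether the getter actually ran. The prototype is restored
// afterwards so the probe leaves no global state behind.
function probeStringIndex(subject, key) {
  let getterCalls = 0;
  Object.defineProperty(String.prototype, key, {
    configurable: true,
    get() {
      getterCalls += 1;
      return "from-getter";
    },
  });
  try {
    // Evaluation order matters: the check runs first, then the read (which
    // may invoke the getter), then the call counter is sampled.
    return {
      chainLooksSane: !stringProtoChainHasIndexedProperties(),
      value: subject[key],
      getterCalls,
    };
  } finally {
    delete String.prototype[key];
  }
}

// Three cases on the constructed subject "abc":
//   "7"  out of bounds, positive: the check sees the indexed property.
//   "-1" out of bounds, negative: the check sees nothing, yet the getter runs.
//   "1"  in bounds: the string's own character shadows the prototype.
const probes = {
  positiveOutOfBounds: probeStringIndex("abc", "7"),
  negativeOutOfBounds: probeStringIndex("abc", "-1"),
  inBounds: probeStringIndex("abc", "1"),
};
```

        In the `"-1"` case `chainLooksSane` is true while `getterCalls` is 1: a compiler that treats an out-of-bounds string read as pure on the strength of a chain-sanity check alone would be assuming away a user-visible side effect, which is exactly why the entry makes the out-of-bounds path clobber the world.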
3036
3037 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
3038
3039         fourthTier: Structure::isValidOffset() should be able to tell you if you're loading a valid JSValue, and not just not crashing
3040         https://bugs.webkit.org/show_bug.cgi?id=118911
3041
3042         Reviewed by Geoffrey Garen.
3043         
3044         We could also have a separate method like "willNotCrash(offset)", but that's not
3045         what isValidOffset() is intended to mean.
3046
3047         * runtime/Structure.h:
3048         (JSC::Structure::isValidOffset):
3049
3050 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
3051
3052         fourthTier: Structure should be able to tell you if it's valid to load at a given offset from any object with that structure
3053         https://bugs.webkit.org/show_bug.cgi?id=118878
3054
3055         Reviewed by Oliver Hunt.
3056         
3057         - Change Structure::isValidOffset() to actually answer the question "If I attempted
3058           to load from an object of this structure, at this offset, would I commit suicide
3059           or would I get back some kind of value?"
3060         
3061         - Change StorageAccessData::offset to use a PropertyOffset. It should have been that
3062           way from the start.
3063         
3064         - Fix PutStructure so that it sets haveStructures in all of the cases that it should.
3065         
3066         - Make GetByOffset also reference the base object in addition to the butterfly.
3067         
3068         The future use of this power will be to answer questions like "If I hoisted this
3069         GetByOffset or PutByOffset to this point, would it cause crashes, or would it be
3070         fine?"
3071         
3072         I don't currently plan to use this power to perform validation, since the CSE has
3073         the power to eliminate CheckStructure's that the CFA wouldn't be smart enough to
3074         remove - both in the case of StructureSets where size >= 2 and in the case of
3075         CheckStructures that match across PutStructures. At first I tried to write a
3076         validator that was aware of this, but the validation code got way too complicated
3077         and I started having nightmares of spurious assertion bugs being filed against me.
3078         
3079         This also changes some of the code for how we hash FunctionExecutable's for debug
3080         dumps, since that code still had some thread-safety issues. Basically, the
3081         concurrent JIT needs to use the CodeBlock's precomputed hash and never call anything
3082         that could transitively try to compute the hash from the source code. The source
3083         code is a string that may be lazily computed, and that involves all manner of thread
3084         unsafe things.
3085
3086         * bytecode/CodeOrigin.cpp:
3087         (JSC::InlineCallFrame::hash):
3088         * dfg/DFGAbstractInterpreterInlines.h:
3089         (JSC::DFG::::executeEffects):
3090         * dfg/DFGByteCodeParser.cpp:
3091         (JSC::DFG::ByteCodeParser::handleGetByOffset):
3092         (JSC::DFG::ByteCodeParser::handlePutByOffset):
3093         (JSC::DFG::ByteCodeParser::parseBlock):
3094         * dfg/DFGCFAPhase.cpp:
3095         (JSC::DFG::CFAPhase::performBlockCFA):
3096         * dfg/DFGConstantFoldingPhase.cpp:
3097         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3098         * dfg/DFGFixupPhase.cpp:
3099         (JSC::DFG::FixupPhase::fixupNode):
3100         * dfg/DFGGraph.h:
3101         (StorageAccessData):
3102         * dfg/DFGNode.h:
3103         (JSC::DFG::Node::convertToGetByOffset):
3104         * dfg/DFGSpeculativeJIT64.cpp:
3105         (JSC::DFG::SpeculativeJIT::compile):
3106         * ftl/FTLLowerDFGToLLVM.cpp:
3107         (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
3108         (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
3109         * runtime/FunctionExecutableDump.cpp:
3110         (JSC::FunctionExecutableDump::dump):
3111         * runtime/Structure.h:
3112         (Structure):
3113         (JSC::Structure::isValidOffset):
3114
3115 2013-07-18  Filip Pizlo  <fpizlo@apple.com>
3116
3117         fourthTier: AbstractInterpreter should explicitly ask AbstractState to create new AbstractValues for newly born nodes
3118         https://bugs.webkit.org/show_bug.cgi?id=118880
3119
3120         Reviewed by Sam Weinig.
3121         
3122         It should be possible to have an AbstractState that is backed by a HashMap. But to
3123         do this, the AbstractInterpreter should explicitly ask for new nodes to be added to
3124         the map, since otherwise the idiom of getting a reference to the AbstractValue
3125         returned by forNode() would cause really subtle memory corruption bugs.
3126
3127         * dfg/DFGAbstractInterpreterInlines.h:
3128         (JSC::DFG::::executeEffects):
3129         * dfg/DFGInPlaceAbstractState.h:
3130         (JSC::DFG::InPlaceAbstractState::createValueForNode):
3131         (InPlaceAbstractState):
3132
3133 2013-07-18  Filip Pizlo  <fpizlo@apple.com>
3134
3135         fourthTier: Decouple the way that CFA stores its state from the way it does abstract interpretation
3136         https://bugs.webkit.org/show_bug.cgi?id=118835
3137
3138         Reviewed by Oliver Hunt.
3139         
3140         This separates AbstractState into two things:
3141         
3142         - InPlaceAbstractState, which can tell you the abstract state of anything you
3143           might care about, and uses the old AbstractState's algorithms and data
3144           structures for doing so.
3145         
3146         - AbstractInterpreter<AbstractStateType>, which can execute a DFG::Node* with
3147           respect to an AbstractStateType. Currently we always use
3148           AbstractStateType = InPlaceAbstractState. But we could drop in another
3149           class that supports basic primitives like forNode() and variables().
3150         
3151         This is important because:
3152         
3153         - We want to hoist things out of loops.
3154
3155         - We don't know what things rely on what type checks.
3156
3157         - We only want to hoist type checks out of loops if they aren't clobbered.
3158
3159         - We may want to still hoist things that depended on those type checks, if it's
3160           safe to do those things based on the CFA state at the tail of the loop
3161           pre-header.
3162
3163         - We don't want things to rely on their type checks by way of a token, because
3164           that's just weird.
3165
3166         So, we want to be able to have a special form of the CFA that can
3167         incrementally update a basic block's state-at-tail, and we want to be able to
3168         do this for multiple blocks simultaneously. This requires *not* storing the
3169         per-node state in the nodes themselves, but instead using the at-tail HashMap
3170         directly.
3171
3172         Hence we need to have a way of making the abstract interpreter (i.e.
3173         AbstractState::execute) polymorphic with respect to state representation. Put
3174         another way, we need to separate the way that abstract state is represented
3175         from the way DFG IR is abstractly interpreted.
3176
3177         * JavaScriptCore.xcodeproj/project.pbxproj:
3178         * dfg/DFGAbstractInterpreter.h: Added.
3179         (DFG):
3180         (AbstractInterpreter):
3181         (JSC::DFG::AbstractInterpreter::forNode):
3182         (JSC::DFG::AbstractInterpreter::variables):
3183         (JSC::DFG::AbstractInterpreter::needsTypeCheck):
3184         (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
3185         (JSC::DFG::AbstractInterpreter::filter):
3186         (JSC::DFG::AbstractInterpreter::filterArrayModes):
3187         (JSC::DFG::AbstractInterpreter::filterByValue):
3188         (JSC::DFG::AbstractInterpreter::trySetConstant):
3189         (JSC::DFG::AbstractInterpreter::filterByType):
3190         * dfg/DFGAbstractInterpreterInlines.h: Added.
3191         (DFG):
3192         (JSC::DFG::::AbstractInterpreter):
3193         (JSC::DFG::::~AbstractInterpreter):
3194         (JSC::DFG::::booleanResult):
3195         (JSC::DFG::::startExecuting):
3196         (JSC::DFG::::executeEdges):
3197         (JSC::DFG::::verifyEdge):
3198         (JSC::DFG::::verifyEdges):
3199         (JSC::DFG::::executeEffects):
3200         (JSC::DFG::::execute):
3201         (JSC::DFG::::clobberWorld):
3202         (JSC::DFG::::clobberCapturedVars):
3203         (JSC::DFG::::clobberStructures):
3204         (JSC::DFG::::dump):
3205         (JSC::DFG::::filter):
3206         (JSC::DFG::::filterArrayModes):
3207         (JSC::DFG::::filterByValue):
3208         * dfg/DFGAbstractState.cpp: Removed.
3209         * dfg/DFGAbstractState.h: Removed.
3210         * dfg/DFGArgumentsSimplificationPhase.cpp:
3211         * dfg/DFGCFAPhase.cpp:
3212         (JSC::DFG::CFAPhase::CFAPhase):
3213         (JSC::DFG::CFAPhase::performBlockCFA):
3214         (CFAPhase):
3215         * dfg/DFGCFGSimplificationPhase.cpp:
3216         * dfg/DFGConstantFoldingPhase.cpp:
3217         (JSC::DFG::ConstantFoldingPhase::ConstantFoldingPhase):
3218         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3219         (ConstantFoldingPhase):
3220         * dfg/DFGInPlaceAbstractState.cpp: Added.
3221         (DFG):
3222         (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
3223         (JSC::DFG::InPlaceAbstractState::~InPlaceAbstractState):
3224         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
3225         (JSC::DFG::setLiveValues):
3226         (JSC::DFG::InPlaceAbstractState::initialize):
3227         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
3228         (JSC::DFG::InPlaceAbstractState::reset):
3229         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
3230         (JSC::DFG::InPlaceAbstractState::merge):
3231         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
3232         (JSC::DFG::InPlaceAbstractState::mergeVariableBetweenBlocks):
3233         * dfg/DFGInPlaceAbstractState.h: Added.
3234         (DFG):
3235         (InPlaceAbstractState):
3236         (JSC::DFG::InPlaceAbstractState::forNode):
3237         (JSC::DFG::InPlaceAbstractState::variables):
3238         (JSC::DFG::InPlaceAbstractState::block):
3239         (JSC::DFG::InPlaceAbstractState::didClobber):
3240         (JSC::DFG::InPlaceAbstractState::isValid):
3241         (JSC::DFG::InPlaceAbstractState::setDidClobber):
3242         (JSC::DFG::InPlaceAbstractState::setIsValid):
3243         (JSC::DFG::InPlaceAbstractState::setBranchDirection):
3244         (JSC::DFG::InPlaceAbstractState::setFoundConstants):
3245         (JSC::DFG::InPlaceAbstractState::haveStructures):
3246         (JSC::DFG::InPlaceAbstractState::setHaveStructures):
3247         * dfg/DFGMergeMode.h: Added.
3248         (DFG):
3249         * dfg/DFGSpeculativeJIT.cpp:
3250         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
3251         (JSC::DFG::SpeculativeJIT::backwardTypeCheck):
3252         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3253         (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
3254         (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
3255         (JSC::DFG::SpeculativeJIT::speculateStringObject):
3256         (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
3257         * dfg/DFGSpeculativeJIT.h:
3258         (JSC::DFG::SpeculativeJIT::needsTypeCheck):
3259         (SpeculativeJIT):
3260         * dfg/DFGSpeculativeJIT32_64.cpp:
3261         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
3262         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3263         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3264         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3265         * dfg/DFGSpeculativeJIT64.cpp:
3266         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
3267         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3268         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3269         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3270         * ftl/FTLLowerDFGToLLVM.cpp:
3271         (FTL):
3272         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
3273         (JSC::FTL::LowerDFGToLLVM::compileNode):
3274         (JSC::FTL::LowerDFGToLLVM::appendTypeCheck):
3275         (JSC::FTL::LowerDFGToLLVM::speculate):
3276         (JSC::FTL::LowerDFGToLLVM::speculateNumber):
3277         (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
3278         (LowerDFGToLLVM):
3279
3280 2013-07-18  Filip Pizlo  <fpizlo@apple.com>
3281
3282         fourthTier: DFG shouldn't create CheckStructures for array accesses except if the ArrayMode implies an original array access
3283         https://bugs.webkit.org/show_bug.cgi?id=118867
3284
3285         Reviewed by Mark Hahnenberg.
3286         
3287         This allows us to kill off a bunch of code in the parser, in fixup, and to simplify
3288         ArrayProfile.
3289
3290         It also makes it easier to ask any array-using node how to create its type check.
3291         
3292         Doing this required fixing a bug in LowLevelInterpreter64, where it was storing into
3293         an array profile, thinking that it was storing into a value profile. Reshuffling the
3294         fields in ArrayProfile revealed this.
3295
3296         * bytecode/ArrayProfile.cpp:
3297         (JSC::ArrayProfile::computeUpdatedPrediction):
3298         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
3299         * bytecode/ArrayProfile.h:
3300         (JSC::ArrayProfile::ArrayProfile):
3301         (ArrayProfile):
3302         * bytecode/CodeBlock.cpp:
3303         (JSC::CodeBlock::updateAllArrayPredictions):
3304         (JSC::CodeBlock::updateAllPredictions):
3305         * bytecode/CodeBlock.h:
3306         (CodeBlock):
3307         (JSC::CodeBlock::updateAllArrayPredictions):
3308         * dfg/DFGArrayMode.h:
3309         (ArrayMode):
3310         * dfg/DFGByteCodeParser.cpp:
3311         (JSC::DFG::ByteCodeParser::getArrayModeConsideringSlowPath):
3312         (JSC::DFG::ByteCodeParser::parseBlock):
3313         * dfg/DFGFixupPhase.cpp:
3314         (JSC::DFG::FixupPhase::fixupNode):
3315         (FixupPhase):
3316         (JSC::DFG::FixupPhase::checkArray):
3317         (JSC::DFG::FixupPhase::blessArrayOperation):
3318         * llint/LowLevelInterpreter64.asm:
3319
3320 2013-07-18  Filip Pizlo  <fpizlo@apple.com>
3321
3322         fourthTier: CFA should consider live-at-head for clobbering and dumping
3323         https://bugs.webkit.org/show_bug.cgi?id=118857
3324
3325         Reviewed by Mark Hahnenberg.
3326         
3327         - clobberStructures() was not considering nodes live-at-head when in SSA
3328           form. This means it would fail to clobber some structures.
3329         
3330         - dump() was not considering nodes live-at-head when in SSA form. This
3331           means it wouldn't dump everything that you might be interested in.
3332         
3333         - AbstractState::m_currentNode is a useless variable and we should get
3334           rid of it.
3335
3336         * dfg/DFGAbstractState.cpp:
3337         (JSC::DFG::AbstractState::AbstractState):
3338         (JSC::DFG::AbstractState::beginBasicBlock):
3339         (JSC::DFG::AbstractState::reset):
3340         (JSC::DFG::AbstractState::startExecuting):
3341         (JSC::DFG::AbstractState::clobberStructures):
3342         (JSC::DFG::AbstractState::dump):
3343         * dfg/DFGAbstractState.h:
3344         (AbstractState):
3345
3346 2013-07-16  Filip Pizlo  <fpizlo@apple.com>
3347
3348         fourthTier: Add a phase to create loop pre-headers
3349         https://bugs.webkit.org/show_bug.cgi?id=118778
3350
3351         Reviewed by Oliver Hunt.
3352         
3353         Add a loop pre-header creation phase. Any loop that doesn't already have
3354         just one predecessor that isn't part of the loop has a pre-header
3355         prepended. All non-loop predecessors then jump to that pre-header.
3356         
3357         Also fix a handful of bugs:
3358         
3359         - DFG::Analysis should set m_valid before running the analysis, since that
3360           makes it easier to use ASSERT(m_valid) in the analysis' methods, which
3361           may be called by the analysis before the analysis completes. NaturalLoops
3362           does this with loopsOf().
3363         
3364         - NaturalLoops::headerOf() was missing a check for innerMostLoopOf()
3365           returning 0, since that'll happen if the block isn't in any loop.
3366         
3367         - Change BlockInsertionSet to dethread the graph, since anyone using it
3368           will want to do so.
3369         
3370         - Change dethreading to ignore SSA form graphs.
3371         
3372         This also adds NaturalLoops::belongsTo(), which I almost used in the
3373         pre-header creation phase. I didn't end up using it but I'll probably use
3374         it in the near future.
3375         
3376         * JavaScriptCore.xcodeproj/project.pbxproj:
3377         * dfg/DFGAnalysis.h:
3378         (JSC::DFG::Analysis::computeIfNecessary):
3379         * dfg/DFGBlockInsertionSet.cpp:
3380         (JSC::DFG::BlockInsertionSet::execute):
3381         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
3382         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
3383         * dfg/DFGGraph.cpp:
3384         (JSC::DFG::Graph::dethread):
3385         * dfg/DFGLoopPreHeaderCreationPhase.cpp: Added.
3386         (DFG):
3387         (LoopPreHeaderCreationPhase):
3388         (JSC::DFG::LoopPreHeaderCreationPhase::LoopPreHeaderCreationPhase):
3389         (JSC::DFG::LoopPreHeaderCreationPhase::run):
3390         (JSC::DFG::performLoopPreHeaderCreation):
3391         * dfg/DFGLoopPreHeaderCreationPhase.h: Added.
3392         (DFG):
3393         * dfg/DFGNaturalLoops.h:
3394         (NaturalLoop):
3395         (JSC::DFG::NaturalLoops::headerOf):
3396         (JSC::DFG::NaturalLoops::innerMostLoopOf):
3397         (JSC::DFG::NaturalLoops::innerMostOuterLoop):
3398         (JSC::DFG::NaturalLoops::belongsTo):
3399         (NaturalLoops):
3400         * dfg/DFGPlan.cpp:
3401         (JSC::DFG::Plan::compileInThreadImpl):
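
        The pre-header rule stated in the entry above ("any loop that doesn't already have just one predecessor that isn't part of the loop has a pre-header prepended; all non-loop predecessors then jump to it"), worked through on a toy control-flow graph. This is an added example and not WebKit or JavaScriptCore code: the CFG representation, the `pre_<header>` naming, and the dominator-based natural-loop detection are this example's assumptions, not the DFG's BlockInsertionSet or NaturalLoops classes. Run it with node.

```javascript
"use strict";

// A CFG is { entry, succ } where succ maps a block name to its successor names.
// Blocks are plain strings; the graph is assumed well-formed (every successor
// named in succ is also a key of succ).

function predecessorsOf(succ) {
  const preds = {};
  for (const b of Object.keys(succ)) preds[b] = [];
  for (const [b, ss] of Object.entries(succ)) for (const s of ss) preds[s].push(b);
  return preds;
}

function sameSet(a, b) {
  return a.size === b.size && [...a].every((x) => b.has(x));
}

// Dominator sets by iterative dataflow: dom(n) = {n} ∪ (∩ dom(p) over preds p).
function dominators(entry, succ) {
  const blocks = Object.keys(succ);
  const preds = predecessorsOf(succ);
  const dom = {};
  for (const b of blocks) dom[b] = new Set(b === entry ? [entry] : blocks);
  for (let changed = true; changed; ) {
    changed = false;
    for (const b of blocks) {
      if (b === entry) continue;
      let next = null;
      for (const p of preds[b]) {
        next = next === null ? new Set(dom[p]) : new Set([...next].filter((d) => dom[p].has(d)));
      }
      next = next || new Set(); // no predecessors at all: unreachable block
      next.add(b);
      if (!sameSet(next, dom[b])) {
        dom[b] = next;
        changed = true;
      }
    }
  }
  return dom;
}

// A back edge u->v (v dominates u) defines a natural loop: v plus every block
// that reaches u without passing through v. Loops sharing a header are merged.
function naturalLoops(entry, succ) {
  const dom = dominators(entry, succ);
  const preds = predecessorsOf(succ);
  const loops = new Map(); // header -> Set of blocks belonging to the loop
  for (const [u, ss] of Object.entries(succ)) {
    for (const v of ss) {
      if (!dom[u].has(v)) continue;
      const body = loops.get(v) || new Set([v]);
      const work = [u];
      while (work.length) {
        const n = work.pop();
        if (body.has(n)) continue;
        body.add(n);
        work.push(...preds[n]);
      }
      loops.set(v, body);
    }
  }
  return loops;
}

// Give every loop header exactly one predecessor outside its loop. A header that
// already has exactly one is left alone; otherwise a fresh block "pre_<header>"
// is inserted, every non-loop predecessor is redirected to it, and it jumps to
// the header. Returns a new CFG plus the list of inserted blocks; the input is
// not mutated. If the entry block is itself a loop header, the pre-header
// becomes the new entry.
function createLoopPreHeaders(cfg) {
  const succ = Object.fromEntries(Object.entries(cfg.succ).map(([b, ss]) => [b, [...ss]]));
  let entry = cfg.entry;
  const inserted = [];
  for (const [header, body] of naturalLoops(entry, succ)) {
    const outside = Object.keys(succ).filter((p) => !body.has(p) && succ[p].includes(header));
    if (outside.length === 1) continue;
    const pre = `pre_${header}`;
    succ[pre] = [header];
    for (const p of outside) succ[p] = succ[p].map((s) => (s === header ? pre : s));
    if (header === entry) entry = pre;
    inserted.push(pre);
  }
  return { entry, succ, inserted };
}

// Constructed input: header H is entered from both "entry" and "A", and B
// branches back to it, so H has two predecessors outside the loop {H, B}.
const sampleCfg = {
  entry: "entry",
  succ: {
    entry: ["A", "H"],
    A: ["H"],
    H: ["B"],
    B: ["H", "exit"],
    exit: [],
  },
};
const withPreHeaders = createLoopPreHeaders(sampleCfg);
```

        After the transformation `entry` and `A` both jump to the new `pre_H`, which is the loop's single non-loop predecessor, and `B`'s back edge is untouched. Running the pass a second time inserts nothing, which is the property a phase like this should have so that later passes can assume the shape without re-checking it.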
3402
3403 2013-07-16  Filip Pizlo  <fpizlo@apple.com>
3404
3405         fourthTier: Rationalize Node::replacement
3406         https://bugs.webkit.org/show_bug.cgi?id=118774
3407
3408         Reviewed by Oliver Hunt.
3409         
3410         - Clearing of replacements is now done in Graph::clearReplacements().
3411         
3412         - New nodes now have replacement set to 0.
3413         
3414         - Node::replacement is now part of a 'misc' union. I'll be putting at least
3415           one other field into that union as part of LICM work (see
3416           https://bugs.webkit.org/show_bug.cgi?id=118749).
3417
3418         * dfg/DFGCPSRethreadingPhase.cpp:
3419         (JSC::DFG::CPSRethreadingPhase::run):
3420         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
3421         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
3422         * dfg/DFGCSEPhase.cpp:
3423         (JSC::DFG::CSEPhase::run):
3424         (JSC::DFG::CSEPhase::setReplacement):
3425         (JSC::DFG::CSEPhase::performBlockCSE):
3426         * dfg/DFGGraph.cpp:
3427         (DFG):
3428         (JSC::DFG::Graph::clearReplacements):
3429         * dfg/DFGGraph.h:
3430         (JSC::DFG::Graph::performSubstitutionForEdge):
3431         (Graph):
3432         * dfg/DFGNode.h:
3433         (JSC::DFG::Node::Node):
3434         * dfg/DFGSSAConversionPhase.cpp:
3435         (JSC::DFG::SSAConversionPhase::run):
3436
3437 2013-07-16  Filip Pizlo  <fpizlo@apple.com>
3438
3439         fourthTier: NaturalLoops should be able to quickly answer questions like "what loops own this basic block"
3440         https://bugs.webkit.org/show_bug.cgi?id=118750
3441
3442         Reviewed by Mark Hahnenberg.
3443
3444         * dfg/DFGBasicBlock.h:
3445         (BasicBlock):
3446         * dfg/DFGNaturalLoops.cpp:
3447         (JSC::DFG::NaturalLoops::compute):
3448         (JSC::DFG::NaturalLoops::loopsOf):
3449         * dfg/DFGNaturalLoops.h:
3450         (DFG):
3451         (JSC::DFG::NaturalLoop::NaturalLoop):
3452         (NaturalLoop):
3453         (JSC::DFG::NaturalLoop::index):
3454         (JSC::DFG::NaturalLoop::isOuterMostLoop):
3455         (JSC::DFG::NaturalLoop::addBlock):
3456         (JSC::DFG::NaturalLoops::headerOf):
3457         (JSC::DFG::NaturalLoops::innerMostLoopOf):
3458         (NaturalLoops):
3459         (JSC::DFG::NaturalLoops::innerMostOuterLoop):
3460         * dfg/DFGPlan.cpp:
3461         (JSC::DFG::Plan::compileInThreadImpl):
3462
3463 2013-07-16  Filip Pizlo  <fpizlo@apple.com>
3464
3465         fourthTier: don't GC when shutting down the VM
3466         https://bugs.webkit.org/show_bug.cgi?id=118751
3467
3468         Reviewed by Mark Hahnenberg.
3469
3470         * heap/Heap.h:
3471         (Heap):
3472         * runtime/VM.cpp:
3473         (JSC::VM::~VM):
3474
3475 2013-07-12  Filip Pizlo  <fpizlo@apple.com>
3476
3477         fourthTier: DFG should have an SSA form for use by FTL
3478         https://bugs.webkit.org/show_bug.cgi?id=118338
3479
3480         Reviewed by Mark Hahnenberg.
3481         
3482         Adds an SSA form to the DFG. We can convert ThreadedCPS form into SSA form
3483         after breaking critical edges. The conversion algorithm follows Aycock and
3484         Horspool, and the SSA form itself follows something I've done before, where
3485         instead of having Phi functions specify input nodes corresponding to block
3486         predecessors, we instead have Upsilon functions in the predecessors that
3487         specify which value in that block goes into which subsequent Phi. Upsilons
3488         don't have to dominate Phis (usually they don't) and they correspond to a
3489         non-SSA "mov" into the Phi's "variable". This gives all of the good
3490         properties of SSA, while ensuring that a bunch of CFG transformations don't
3491         have to be SSA-aware.
3492         
3493         So far the only DFG phases that are SSA-aware are DCE and CFA. CFG
3494         simplification is probably SSA-aware by default, though I haven't tried it.
3495         Constant folding probably needs a few tweaks, but is likely ready. Ditto
3496         for CSE, though it's not clear that we'd want to use block-local CSE when
3497         we could be doing GVN.
3498         
3499         Currently only the FTL can generate code from the SSA form, and there is no
3500         way to convert from SSA to ThreadedCPS or LoadStore. There probably will
3501         never be such a capability.
3502         
3503         In order to handle OSR exit state in the SSA, we place MovHints at Phi
3504         points. Other than that, you can reconstruct state-at-exit by forward
3505         propagating MovHints. Note that MovHint is the new SetLocal in SSA.
3506         SetLocal and GetLocal only survive into SSA if they are on captured
3507         variables, or in the case of flushes. A "live SetLocal" will be
3508         NodeMustGenerate and will always correspond to a flush. Computing the
3509         state-at-exit requires running SSA liveness analysis, OSR availability
3510         analysis, and flush liveness analysis. The FTL runs all of these prior to
3511         generating code. While OSR exit continues to be tricky, much of the logic
3512         is now factored into separate phases and the backend has to do less work
3513         to reason about what happened outside of the basic block that is being
3514         lowered.
3515         
3516         Conversion from DFG SSA to LLVM SSA is done by ensuring that we generate
3517         code in depth-first order, thus guaranteeing that a node will always be
3518         lowered (and hence have a LValue) before any of the blocks dominated by
3519         that node's block have code generated. For Upsilon/Phi, we just use
3520         allocas. We could do something more clever there, but it's probably not
3521         worth it, at least not now.
3522         
3523         Finally, while the SSA form is currently only being converted to LLVM IR,
3524         there is nothing that prevents us from considering other backends in the
3525         future - with the caveat that this form is designed to be first lowered to
3526         a lower-level SSA before actual machine code generation commences. So we
3527         ought to either use LLVM (the intended path) or we will have to write our
3528         own SSA low-level backend.
3529         
3530         This runs all of the code that the FTL was known to run previously. No
3531         change in performance for now. But it does open some exciting
3532         possibilities!
3533
3534         * JavaScriptCore.xcodeproj/project.pbxproj:
3535         * bytecode/Operands.h:
3536         (JSC::OperandValueTraits::dump):
3537         (JSC::Operands::fill):
3538         (Operands):
3539         (JSC::Operands::clear):
3540         (JSC::Operands::operator==):
3541         * dfg/DFGAbstractState.cpp:
3542         (JSC::DFG::AbstractState::beginBasicBlock):
3543         (JSC::DFG::setLiveValues):
3544         (DFG):
3545         (JSC::DFG::AbstractState::initialize):
3546         (JSC::DFG::AbstractState::endBasicBlock):
3547         (JSC::DFG::AbstractState::executeEffects):
3548         (JSC::DFG::AbstractState::mergeStateAtTail):
3549         (JSC::DFG::AbstractState::merge):
3550         * dfg/DFGAbstractState.h:
3551         (AbstractState):
3552         * dfg/DFGAdjacencyList.h:
3553         (JSC::DFG::AdjacencyList::justOneChild):
3554         (AdjacencyList):
3555         * dfg/DFGBasicBlock.cpp: Added.
3556         (DFG):
3557         (JSC::DFG::BasicBlock::BasicBlock):
3558         (JSC::DFG::BasicBlock::~BasicBlock):
3559         (JSC::DFG::BasicBlock::ensureLocals):
3560         (JSC::DFG::BasicBlock::isInPhis):
3561         (JSC::DFG::BasicBlock::isInBlock):
3562         (JSC::DFG::BasicBlock::removePredecessor):
3563         (JSC::DFG::BasicBlock::replacePredecessor):
3564         (JSC::DFG::BasicBlock::dump):
3565         (JSC::DFG::BasicBlock::SSAData::SSAData):
3566         (JSC::DFG::BasicBlock::SSAData::~SSAData):
3567         * dfg/DFGBasicBlock.h:
3568         (BasicBlock):
3569         (JSC::DFG::BasicBlock::operator[]):
3570         (JSC::DFG::BasicBlock::successor):
3571         (JSC::DFG::BasicBlock::successorForCondition):
3572         (SSAData):
3573         * dfg/DFGBasicBlockInlines.h:
3574         (DFG):
3575         * dfg/DFGBlockInsertionSet.cpp: Added.
3576         (DFG):
3577         (JSC::DFG::BlockInsertionSet::BlockInsertionSet):
3578         (JSC::DFG::BlockInsertionSet::~BlockInsertionSet):
3579         (JSC::DFG::BlockInsertionSet::insert):
3580         (JSC::DFG::BlockInsertionSet::insertBefore):
3581         (JSC::DFG::BlockInsertionSet::execute):
3582         * dfg/DFGBlockInsertionSet.h: Added.
3583         (DFG):
3584         (BlockInsertionSet):
3585         * dfg/DFGCFAPhase.cpp:
3586         (JSC::DFG::CFAPhase::run):
3587         * dfg/DFGCFGSimplificationPhase.cpp:
3588         * dfg/DFGCPSRethreadingPhase.cpp:
3589         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
3590         * dfg/DFGCommon.cpp:
3591         (WTF::printInternal):
3592         * dfg/DFGCommon.h:
3593         (JSC::DFG::doesKill):
3594         (DFG):
3595         (JSC::DFG::killStatusForDoesKill):
3596         * dfg/DFGConstantFoldingPhase.cpp:
3597         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3598         (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
3599         * dfg/DFGCriticalEdgeBreakingPhase.cpp: Added.
3600         (DFG):
3601         (CriticalEdgeBreakingPhase):
3602         (JSC::DFG::CriticalEdgeBreakingPhase::CriticalEdgeBreakingPhase):
3603         (JSC::DFG::CriticalEdgeBreakingPhase::run):
3604         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
3605         (JSC::DFG::performCriticalEdgeBreaking):
3606         * dfg/DFGCriticalEdgeBreakingPhase.h: Added.
3607         (DFG):
3608         * dfg/DFGDCEPhase.cpp:
3609         (JSC::DFG::DCEPhase::run):
3610         (JSC::DFG::DCEPhase::findTypeCheckRoot):
3611         (JSC::DFG::DCEPhase::countNode):
3612         (DCEPhase):
3613         (JSC::DFG::DCEPhase::countEdge):
3614         (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
3615         * dfg/DFGDriver.cpp:
3616         (JSC::DFG::compile):
3617         * dfg/DFGEdge.cpp:
3618         (JSC::DFG::Edge::dump):
3619         * dfg/DFGEdge.h:
3620         (JSC::DFG::Edge::Edge):
3621         (JSC::DFG::Edge::setNode):
3622         (JSC::DFG::Edge::useKindUnchecked):
3623         (JSC::DFG::Edge::setUseKind):
3624         (JSC::DFG::Edge::setProofStatus):
3625         (JSC::DFG::Edge::willNotHaveCheck):
3626         (JSC::DFG::Edge::willHaveCheck):
3627         (Edge):
3628         (JSC::DFG::Edge::killStatusUnchecked):
3629         (JSC::DFG::Edge::killStatus):
3630         (JSC::DFG::Edge::setKillStatus):
3631         (JSC::DFG::Edge::doesKill):
3632         (JSC::DFG::Edge::doesNotKill):
3633         (JSC::DFG::Edge::shift):
3634         (JSC::DFG::Edge::makeWord):
3635         * dfg/DFGFixupPhase.cpp:
3636         (JSC::DFG::FixupPhase::fixupNode):
3637         * dfg/DFGFlushFormat.cpp: Added.
3638         (WTF):
3639         (WTF::printInternal):
3640         * dfg/DFGFlushFormat.h: Added.
3641         (DFG):
3642         (JSC::DFG::resultFor):
3643         (JSC::DFG::useKindFor):
3644         (WTF):
3645         * dfg/DFGFlushLivenessAnalysisPhase.cpp: Added.
3646         (DFG):
3647         (FlushLivenessAnalysisPhase):
3648         (JSC::DFG::FlushLivenessAnalysisPhase::FlushLivenessAnalysisPhase):
3649         (JSC::DFG::FlushLivenessAnalysisPhase::run):
3650         (JSC::DFG::FlushLivenessAnalysisPhase::process):
3651         (JSC::DFG::FlushLivenessAnalysisPhase::setForNode):
3652         (JSC::DFG::FlushLivenessAnalysisPhase::flushFormat):
3653         (JSC::DFG::performFlushLivenessAnalysis):
3654         * dfg/DFGFlushLivenessAnalysisPhase.h: Added.
3655         (DFG):
3656         * dfg/DFGGraph.cpp:
3657         (JSC::DFG::Graph::dump):
3658         (JSC::DFG::Graph::dumpBlockHeader):
3659         (DFG):
3660         (JSC::DFG::Graph::addForDepthFirstSort):
3661         (JSC::DFG::Graph::getBlocksInDepthFirstOrder):
3662         * dfg/DFGGraph.h:
3663         (JSC::DFG::Graph::convertToConstant):
3664         (JSC::DFG::Graph::valueProfileFor):
3665         (Graph):
3666         * dfg/DFGInsertionSet.h:
3667         (DFG):
3668         (JSC::DFG::InsertionSet::execute):
3669         * dfg/DFGLivenessAnalysisPhase.cpp: Added.
3670         (DFG):
3671         (LivenessAnalysisPhase):
3672         (JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase):
3673         (JSC::DFG::LivenessAnalysisPhase::run):
3674         (JSC::DFG::LivenessAnalysisPhase::process):
3675         (JSC::DFG::LivenessAnalysisPhase::addChildUse):
3676         (JSC::DFG::performLivenessAnalysis):
3677         * dfg/DFGLivenessAnalysisPhase.h: Added.
3678         (DFG):
3679         * dfg/DFGNode.cpp:
3680         (JSC::DFG::Node::hasVariableAccessData):
3681         (DFG):
3682         * dfg/DFGNode.h:
3683         (DFG):
3684         (Node):
3685         (JSC::DFG::Node::hasLocal):
3686         (JSC::DFG::Node::variableAccessData):
3687         (JSC::DFG::Node::hasPhi):
3688         (JSC::DFG::Node::phi):
3689         (JSC::DFG::Node::takenBlock):
3690         (JSC::DFG::Node::notTakenBlock):
3691         (JSC::DFG::Node::successor):
3692         (JSC::DFG::Node::successorForCondition):
3693         (JSC::DFG::nodeComparator):
3694         (JSC::DFG::nodeListDump):
3695         (JSC::DFG::nodeMapDump):
3696         * dfg/DFGNodeFlags.cpp:
3697         (JSC::DFG::dumpNodeFlags):
3698         * dfg/DFGNodeType.h:
3699         (DFG):
3700         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: Added.
3701         (DFG):
3702         (OSRAvailabilityAnalysisPhase):
3703         (JSC::DFG::OSRAvailabilityAnalysisPhase::OSRAvailabilityAnalysisPhase):
3704         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
3705         (JSC::DFG::performOSRAvailabilityAnalysis):
3706         * dfg/DFGOSRAvailabilityAnalysisPhase.h: Added.
3707         (DFG):
3708         * dfg/DFGPlan.cpp:
3709         (JSC::DFG::Plan::compileInThreadImpl):
3710         * dfg/DFGPredictionInjectionPhase.cpp:
3711         (JSC::DFG::PredictionInjectionPhase::run):
3712         * dfg/DFGPredictionPropagationPhase.cpp:
3713         (JSC::DFG::PredictionPropagationPhase::propagate):
3714         * dfg/DFGSSAConversionPhase.cpp: Added.
3715         (DFG):
3716         (SSAConversionPhase):
3717         (JSC::DFG::SSAConversionPhase::SSAConversionPhase):
3718         (JSC::DFG::SSAConversionPhase::run):
3719         (JSC::DFG::SSAConversionPhase::forwardPhiChildren):
3720         (JSC::DFG::SSAConversionPhase::forwardPhi):
3721         (JSC::DFG::SSAConversionPhase::forwardPhiEdge):
3722         (JSC::DFG::SSAConversionPhase::deduplicateChildren):
3723         (JSC::DFG::SSAConversionPhase::addFlushedLocalOp):
3724         (JSC::DFG::SSAConversionPhase::addFlushedLocalEdge):
3725         (JSC::DFG::performSSAConversion):
3726         * dfg/DFGSSAConversionPhase.h: Added.
3727         (DFG):
3728         * dfg/DFGSpeculativeJIT32_64.cpp:
3729         (JSC::DFG::SpeculativeJIT::compile):
3730         * dfg/DFGSpeculativeJIT64.cpp:
3731         (JSC::DFG::SpeculativeJIT::compile):
3732         * dfg/DFGValidate.cpp:
3733         (JSC::DFG::Validate::validate):
3734         (Validate):
3735         (JSC::DFG::Validate::validateCPS):
3736         * dfg/DFGVariableAccessData.h:
3737         (JSC::DFG::VariableAccessData::flushFormat):
3738         (VariableAccessData):
3739         * ftl/FTLCapabilities.cpp:
3740         (JSC::FTL::canCompile):
3741         * ftl/FTLLowerDFGToLLVM.cpp:
3742         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
3743         (JSC::FTL::LowerDFGToLLVM::lower):
3744         (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
3745         (JSC::FTL::LowerDFGToLLVM::compileBlock):
3746         (JSC::FTL::LowerDFGToLLVM::compileNode):
3747         (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
3748         (LowerDFGToLLVM):
3749         (JSC::FTL::LowerDFGToLLVM::compilePhi):
3750         (JSC::FTL::LowerDFGToLLVM::compileJSConstant):
3751         (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant):
3752         (JSC::FTL::LowerDFGToLLVM::compileGetArgument):
3753         (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
3754         (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
3755         (JSC::FTL::LowerDFGToLLVM::compileAdd):
3756         (JSC::FTL::LowerDFGToLLVM::compileArithSub):
3757         (JSC::FTL::LowerDFGToLLVM::compileArithMul):
3758         (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
3759         (JSC::FTL::LowerDFGToLLVM::compileArithMod):
3760         (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
3761         (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
3762         (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
3763         (JSC::FTL::LowerDFGToLLVM::compileBitAnd):
3764         (JSC::FTL::LowerDFGToLLVM::compileBitOr):
3765         (JSC::FTL::LowerDFGToLLVM::compileBitXor):
3766         (JSC::FTL::LowerDFGToLLVM::compileBitRShift):
3767         (JSC::FTL::LowerDFGToLLVM::compileBitLShift):
3768         (JSC::FTL::LowerDFGToLLVM::compileBitURShift):
3769         (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
3770         (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
3771         (JSC::FTL::LowerDFGToLLVM::compileGetButterfly):
3772         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
3773         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
3774         (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
3775         (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
3776         (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
3777         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
3778         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
3779         (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
3780         (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
3781         (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
3782         (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
3783         (JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
3784         (JSC::FTL::LowerDFGToLLVM::speculateBackward):
3785         (JSC::FTL::LowerDFGToLLVM::lowInt32):
3786         (JSC::FTL::LowerDFGToLLVM::lowCell):
3787         (JSC::FTL::LowerDFGToLLVM::lowBoolean):
3788         (JSC::FTL::LowerDFGToLLVM::lowDouble):
3789         (JSC::FTL::LowerDFGToLLVM::lowJSValue):
3790         (JSC::FTL::LowerDFGToLLVM::lowStorage):
3791         (JSC::FTL::LowerDFGToLLVM::speculate):
3792         (JSC::FTL::LowerDFGToLLVM::speculateBoolean):
3793         (JSC::FTL::LowerDFGToLLVM::isLive):
3794         (JSC::FTL::LowerDFGToLLVM::use):
3795         (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
3796         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
3797         (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
3798         (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
3799         (JSC::FTL::LowerDFGToLLVM::linkOSRExitsAndCompleteInitializationBlocks):
3800         (JSC::FTL::LowerDFGToLLVM::setInt32):
3801         (JSC::FTL::LowerDFGToLLVM::setJSValue):
3802         (JSC::FTL::LowerDFGToLLVM::setBoolean):
3803         (JSC::FTL::LowerDFGToLLVM::setStorage):
3804         (JSC::FTL::LowerDFGToLLVM::setDouble):
3805         (JSC::FTL::LowerDFGToLLVM::isValid):
3806         * ftl/FTLLoweredNodeValue.h: Added.
3807         (FTL):
3808         (LoweredNodeValue):
3809         (JSC::FTL::LoweredNodeValue::LoweredNodeValue):
3810         (JSC::FTL::LoweredNodeValue::isSet):
3811         (JSC::FTL::LoweredNodeValue::operator!):
3812         (JSC::FTL::LoweredNodeValue::value):
3813         (JSC::FTL::LoweredNodeValue::block):
3814         * ftl/FTLValueFromBlock.h:
3815         (JSC::FTL::ValueFromBlock::ValueFromBlock):
3816         (ValueFromBlock):
3817         * ftl/FTLValueSource.cpp:
3818         (JSC::FTL::ValueSource::dump):
3819         * ftl/FTLValueSource.h:
3820
3821 2013-07-11  Mark Lam  <mark.lam@apple.com>
3822
3823         Resurrect the CLoop LLINT on the FTL branch.
3824         https://bugs.webkit.org/show_bug.cgi?id=118144.
3825
3826         Reviewed by Mark Hahnenberg.
3827
3828         * bytecode/CodeBlock.h:
3829         (JSC::CodeBlock::jitType):
3830           - Fix the CodeBlock jitType to be InterpreterThunk when !ENABLE_JIT.
3831         * bytecode/JumpTable.h:
3832         (JSC::SimpleJumpTable::clear):
3833         * interpreter/StackIterator.cpp:
3834         (JSC::StackIterator::Frame::bytecodeOffset):
3835         (JSC::StackIterator::Frame::print):
3836         * jit/JITCode.cpp:
3837         (JSC):
3838         * jit/JITExceptions.cpp:
3839         (JSC::getExceptionLocation):
3840         * llint/LowLevelInterpreter.cpp:
3841         * offlineasm/cloop.rb:
3842         * runtime/Structure.cpp:
3843
3844 2013-07-08  Filip Pizlo  <fpizlo@apple.com>
3845
3846         NaturalLoops + Profiler = Crash
3847         https://bugs.webkit.org/show_bug.cgi?id=118486
3848
3849         Reviewed by Geoffrey Garen.
3850         
3851         I borked dominators in:
3852         http://trac.webkit.org/changeset/152431/branches/dfgFourthTier/Source/JavaScriptCore/dfg/DFGDominators.h
3853         
3854         This patch also adds some debug support, and fixes the loop that adds a block to
3855         an already-existing natural loop. Note that we currently don't take that path in
3856         most programs, but it will arise, for example if you use 'continue' - though you'd
3857         have to use it rather cleverly since the bytecode will not jump to the loop header
3858         in most uses of 'continue'.
3859
3860         * dfg/DFGDominators.cpp:
3861         (JSC::DFG::Dominators::dump):
3862         (DFG):
3863         * dfg/DFGDominators.h:
3864         (JSC::DFG::Dominators::dominates):
3865         (Dominators):
3866         * dfg/DFGNaturalLoops.cpp:
3867         (JSC::DFG::NaturalLoops::compute):
3868
3869 2013-07-08  Filip Pizlo  <fpizlo@apple.com>
3870
3871         fourthTier: DFG::AbstractState::beginBasicBlock() should set m_haveStructures if any of the valuesAtHead have either a current known structure or a non-top/non-bottom array modes
3872         https://bugs.webkit.org/show_bug.cgi?id=118489
3873
3874         Reviewed by Mark Hahnenberg.
3875
3876         * bytecode/ArrayProfile.h:
3877         (JSC::arrayModesAreClearOrTop):
3878         (JSC):
3879         * dfg/DFGAbstractState.cpp:
3880         (JSC::DFG::AbstractState::beginBasicBlock):
3881         * dfg/DFGAbstractValue.h:
3882         (JSC::DFG::AbstractValue::hasClobberableState):
3883         (AbstractValue):
3884
3885 2013-07-08  Mark Hahnenberg  <mhahnenberg@apple.com>
3886
3887         CheckArray should call the right version of filterArrayModes
3888         https://bugs.webkit.org/show_bug.cgi?id=118488
3889
3890         Reviewed by Filip Pizlo.
3891
3892         Currently in the CFA, CheckArray doesn't call the right filterArrayMode, which can cause
3893         the CFA to ignore when it sees a contradiction.
3894
3895         * dfg/DFGAbstractState.cpp:
3896         (JSC::DFG::AbstractState::executeEffects):
3897
3898 2013-07-07  Filip Pizlo  <fpizlo@apple.com>
3899
3900         fourthTier: Graph::clearAndDerefChild() makes no sense anymore, and neither does Nop
3901         https://bugs.webkit.org/show_bug.cgi?id=118452
3902
3903         Reviewed by Sam Weinig.
3904         
3905         Noticed that ArgumentsSimplificationPhase was converting something to a Nop and then
3906         resetting its children using clearAndDerefChild(). Using Nop instead of Phantom is a
3907         holdover from back when we needed a no-MustGenerate no-op. We don't anymore. Using
3908         clearAndDerefChild() was necessary back when we did eager reference counting. We
3909         don't need to do that anymore, and in fact clearAndDerefChild() appeared to not do
3910         any reference counting, so it was badly named to begin with.
3911
3912         * dfg/DFGAbstractState.cpp:
3913         (JSC::DFG::AbstractState::executeEffects):
3914         * dfg/DFGArgumentsSimplificationPhase.cpp:
3915         (JSC::DFG::ArgumentsSimplificationPhase::run):
3916         * dfg/DFGCPSRethreadingPhase.cpp:
3917         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
3918         * dfg/DFGCSEPhase.cpp:
3919         (JSC::DFG::CSEPhase::performNodeCSE):
3920         * dfg/DFGFixupPhase.cpp:
3921         (JSC::DFG::FixupPhase::fixupNode):
3922         * dfg/DFGGraph.h:
3923         (Graph):
3924         * dfg/DFGNode.h:
3925         (JSC::DFG::Node::willHaveCodeGenOrOSR):
3926         * dfg/DFGNodeType.h:
3927         (DFG):
3928         * dfg/DFGPredictionPropagationPhase.cpp:
3929         (JSC::DFG::PredictionPropagationPhase::propagate):
3930         * dfg/DFGSpeculativeJIT32_64.cpp:
3931         (JSC::DFG::SpeculativeJIT::compile):
3932         * dfg/DFGSpeculativeJIT64.cpp:
3933         (JSC::DFG::SpeculativeJIT::compile):
3934
3935 2013-07-04  Filip Pizlo  <fpizlo@apple.com>
3936
3937         fourthTier: FTL should better report its compile-times and it should be able to run in a mode where it doesn't spend time generating OSR exits
3938         https://bugs.webkit.org/show_bug.cgi?id=118401
3939
3940         Reviewed by Sam Weinig.
3941         
3942         Add two new OSR exit modes, which are useful only for playing with compile times:
3943         
3944         - All OSR exits are llvm.trap().