Windows build fix attempt after r154629.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2013-08-26  Ryosuke Niwa  <rniwa@webkit.org>
2
3         Windows build fix attempt after r154629.
4
5         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
6
7 2013-08-25  Mark Hahnenberg  <mhahnenberg@apple.com>
8
9         JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length of the ArrayStorage after possibly reallocing it
10         https://bugs.webkit.org/show_bug.cgi?id=120278
11
12         Reviewed by Geoffrey Garen.
13
14         * runtime/JSObject.cpp:
15         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
16
17 2013-08-26  Filip Pizlo  <fpizlo@apple.com>
18
19         Fix indention of Executable.h.
20
21         Rubber stamped by Mark Hahnenberg.
22
23         * runtime/Executable.h:
24
25 2013-08-26  Mark Hahnenberg  <mhahnenberg@apple.com>
26
27         Object.defineProperty should be able to create a PropertyDescriptor where m_attributes == 0
28         https://bugs.webkit.org/show_bug.cgi?id=120314
29
30         Reviewed by Darin Adler.
31
32         Currently with the way that defineProperty works, we leave a stray low bit set in 
33         PropertyDescriptor::m_attributes in the following code:
34
35         var o = {};
36         Object.defineProperty(o, 100, {writable:true, enumerable:true, configurable:true, value:"foo"});
37         
38         This is due to the fact that the lowest non-zero attribute (ReadOnly) is represented as 1 << 1 
39         instead of 1 << 0. We then calculate the default attributes as (DontDelete << 1) - 1, which is 0xF, 
40         but only the top three bits mean anything. Even in the case above, the top three bits are set 
41         to 0 but the bottom bit remains set, which causes us to think m_attributes is non-zero.
42
43         Since some of these attributes and their corresponding values are exposed in the JavaScriptCore 
44         framework's public C API, it's safer to just change how we calculate the default value, which is
45         where the weirdness was originating from in the first place.
46
47         * runtime/PropertyDescriptor.cpp:
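
        The stray low bit described above, reproduced as an added example (not JSC's code) with the same attribute layout the entry gives (ReadOnly == 1 << 1, default computed as (DontDelete << 1) - 1); the "fixed" default that builds the mask from the named bits is my assumption of the fix, not the page's:

```cpp
// Added example, not JavaScriptCore source. Attribute values follow the entry
// above: the lowest non-zero attribute starts at bit 1, so bit 0 means nothing.
#include <cstdint>

enum Attribute : unsigned {
    None = 0,
    ReadOnly = 1 << 1,
    DontEnum = 1 << 2,
    DontDelete = 1 << 3,
};

// The calculation the entry describes: (DontDelete << 1) - 1 == 0xF. Only
// bits 1..3 are meaningful, so bit 0 is garbage that survives every later mask.
inline unsigned buggyDefaultAttributes() { return (DontDelete << 1) - 1; }

// Assumed fix (mine): derive the default from the named bits, so no undefined
// bit can ever be set.
inline unsigned fixedDefaultAttributes() { return ReadOnly | DontEnum | DontDelete; }

// Start from the defaults and clear each bit the descriptor explicitly turns
// on (writable clears ReadOnly, enumerable clears DontEnum, configurable clears
// DontDelete). This mirrors the shape of the descriptor-to-attributes step, not
// JSC's implementation.
inline unsigned attributesFor(unsigned defaults, bool writable, bool enumerable, bool configurable)
{
    unsigned attributes = defaults;
    if (writable)
        attributes &= ~ReadOnly;
    if (enumerable)
        attributes &= ~DontEnum;
    if (configurable)
        attributes &= ~DontDelete;
    return attributes;
}

// A cheap invariant check worth keeping at an API boundary: an attribute word
// must not carry bits outside the defined set. With the buggy default this
// fails for the exact defineProperty call quoted in the entry.
inline bool hasOnlyKnownAttributeBits(unsigned attributes)
{
    return (attributes & ~(ReadOnly | DontEnum | DontDelete)) == 0;
}
```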
48
49 2013-08-24  Sam Weinig  <sam@webkit.org>
50
51         Add support for Promises
52         https://bugs.webkit.org/show_bug.cgi?id=120260
53
54         Reviewed by Darin Adler.
55
56         Add an initial implementation of Promises - http://dom.spec.whatwg.org/#promises.
57         - Despite Promises being defined in the DOM, the implementation is being put in JSC
58           in preparation for the Promises eventually being defined in ECMAScript.
59
60         * CMakeLists.txt:
61         * DerivedSources.make:
62         * DerivedSources.pri:
63         * GNUmakefile.list.am:
64         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
65         * JavaScriptCore.xcodeproj/project.pbxproj:
66         * Target.pri:
67         Add new files.
68
69         * jsc.cpp:
70         Update jsc's GlobalObjectMethodTable to stub out the new QueueTaskToEventLoop callback. This means
71         you can't quite use Promises with the command line tool yet.
72     
73         * interpreter/CallFrame.h:
74         (JSC::ExecState::promisePrototypeTable):
75         (JSC::ExecState::promiseConstructorTable):
76         (JSC::ExecState::promiseResolverPrototypeTable):
77         * runtime/VM.cpp:
78         (JSC::VM::VM):
79         (JSC::VM::~VM):
80         * runtime/VM.h:
81         Add supporting code for the new static lookup tables.
82
83         * runtime/CommonIdentifiers.h:
84         Add 3 new identifiers, "Promise", "PromiseResolver", and "then".
85
86         * runtime/JSGlobalObject.cpp:
87         (JSC::JSGlobalObject::reset):
88         (JSC::JSGlobalObject::visitChildren):
89         Add supporting code for Promise and PromiseResolver's constructors and structures.
90
91         * runtime/JSGlobalObject.h:
92         (JSC::TaskContext::~TaskContext):
93         Add a new callback to the GlobalObjectMethodTable to post a task on the embedder's runloop.
94
95         (JSC::JSGlobalObject::promisePrototype):
96         (JSC::JSGlobalObject::promiseResolverPrototype):
97         (JSC::JSGlobalObject::promiseStructure):
98         (JSC::JSGlobalObject::promiseResolverStructure):
99         (JSC::JSGlobalObject::promiseCallbackStructure):
100         (JSC::JSGlobalObject::promiseWrapperCallbackStructure):
101         Add supporting code for Promise and PromiseResolver's constructors and structures.
102
103         * runtime/JSPromise.cpp: Added.
104         * runtime/JSPromise.h: Added.
105         * runtime/JSPromiseCallback.cpp: Added.
106         * runtime/JSPromiseCallback.h: Added.
107         * runtime/JSPromiseConstructor.cpp: Added.
108         * runtime/JSPromiseConstructor.h: Added.
109         * runtime/JSPromisePrototype.cpp: Added.
110         * runtime/JSPromisePrototype.h: Added.
111         * runtime/JSPromiseResolver.cpp: Added.
112         * runtime/JSPromiseResolver.h: Added.
113         * runtime/JSPromiseResolverConstructor.cpp: Added.
114         * runtime/JSPromiseResolverConstructor.h: Added.
115         * runtime/JSPromiseResolverPrototype.cpp: Added.
116         * runtime/JSPromiseResolverPrototype.h: Added.
117         Add Promise implementation.
118
119 2013-08-26  Zan Dobersek  <zdobersek@igalia.com>
120
121         Plenty of -Wcast-align warnings in KeywordLookup.h
122         https://bugs.webkit.org/show_bug.cgi?id=120316
123
124         Reviewed by Darin Adler.
125
126         * KeywordLookupGenerator.py: Use reinterpret_cast instead of a C-style cast when casting
127         the character pointers to types of larger size. This avoids spewing lots of warnings
128         in the KeywordLookup.h header when compiling with the -Wcast-align option.
129
130 2013-08-26  Gavin Barraclough  <barraclough@apple.com>
131
132         RegExpMatchesArray should not call [[put]]
133         https://bugs.webkit.org/show_bug.cgi?id=120317
134
135         Reviewed by Oliver Hunt.
136
137         This will call accessors on the JSObject/JSArray prototypes - so adding an accessor or read-only
138         property called index or input to either of these prototypes will result in broken behavior.
139
140         * runtime/RegExpMatchesArray.cpp:
141         (JSC::RegExpMatchesArray::reifyAllProperties):
142             - put -> putDirect
143
144 2013-08-24  Filip Pizlo  <fpizlo@apple.com>
145
146         FloatTypedArrayAdaptor::toJSValue should almost certainly not use jsNumber() since that attempts int conversions
147         https://bugs.webkit.org/show_bug.cgi?id=120228
148
149         Reviewed by Oliver Hunt.
150         
151         It turns out that there were three problems:
152         
153         - Using jsNumber() meant that we were converting doubles to integers and then
154           possibly back again whenever doing a set() between floating point arrays.
155         
156         - Slow-path accesses to double typed arrays were slower than necessary because
157           of the to-int conversion attempt.
158         
159         - The use of JSValue as an intermediate for converting between different types
160           in typedArray.set() resulted in worse code than I had previously expected.
161         
162         This patch solves the problem by using template double-dispatch to ensure that
163         the C++ compiler sees the simplest possible combination of casts between any
164         combination of typed array types, while still preserving JS and typed array
165         conversion semantics. Conversions are done as follows:
166         
167             SourceAdaptor::convertTo<TargetAdaptor>(value)
168         
169         Internally, convertTo() calls one of three possible methods on TargetAdaptor,
170         with one method for each of int32_t, uint32_t, and double. This means that the
171         C++ compiler will at worst see a widening cast to one of those types followed
172         by a narrowing conversion (not necessarily a cast - may have clamping or the
173         JS toInt32() function).
174         
175         This change doesn't just affect typedArray.set(); it also affects slow-path
176         accesses to typed arrays as well. This patch also adds a bunch of new test
177         coverage.
178         
179         This change is a ~50% speed-up on typedArray.set() involving floating point
180         types.
181
182         * GNUmakefile.list.am:
183         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
184         * JavaScriptCore.xcodeproj/project.pbxproj:
185         * runtime/GenericTypedArrayView.h:
186         (JSC::GenericTypedArrayView::set):
187         * runtime/JSDataViewPrototype.cpp:
188         (JSC::setData):
189         * runtime/JSGenericTypedArrayView.h:
190         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
191         (JSC::JSGenericTypedArrayView::setIndexQuickly):
192         * runtime/JSGenericTypedArrayViewInlines.h:
193         (JSC::::setWithSpecificType):
194         (JSC::::set):
195         * runtime/ToNativeFromValue.h: Added.
196         (JSC::toNativeFromValue):
197         * runtime/TypedArrayAdaptors.h:
198         (JSC::IntegralTypedArrayAdaptor::toJSValue):
199         (JSC::IntegralTypedArrayAdaptor::toDouble):
200         (JSC::IntegralTypedArrayAdaptor::toNativeFromInt32):
201         (JSC::IntegralTypedArrayAdaptor::toNativeFromUint32):
202         (JSC::IntegralTypedArrayAdaptor::toNativeFromDouble):
203         (JSC::IntegralTypedArrayAdaptor::convertTo):
204         (JSC::FloatTypedArrayAdaptor::toJSValue):
205         (JSC::FloatTypedArrayAdaptor::toDouble):
206         (JSC::FloatTypedArrayAdaptor::toNativeFromInt32):
207         (JSC::FloatTypedArrayAdaptor::toNativeFromUint32):
208         (JSC::FloatTypedArrayAdaptor::toNativeFromDouble):
209         (JSC::FloatTypedArrayAdaptor::convertTo):
210         (JSC::Uint8ClampedAdaptor::toJSValue):
211         (JSC::Uint8ClampedAdaptor::toDouble):
212         (JSC::Uint8ClampedAdaptor::toNativeFromInt32):
213         (JSC::Uint8ClampedAdaptor::toNativeFromUint32):
214         (JSC::Uint8ClampedAdaptor::toNativeFromDouble):
215         (JSC::Uint8ClampedAdaptor::convertTo):
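
        The adaptor double-dispatch the entry above describes, as an added example that is not JavaScriptCore's code: method names mirror the ChangeLog (toNativeFromInt32, toNativeFromUint32, toNativeFromDouble, convertTo) but the bodies, the jsToInt32 helper and setFromTypedArray are my own sketch. It shows the source adaptor widening to exactly one of int32_t, uint32_t or double and the target adaptor narrowing with wrap (integral), plain cast (float) or clamp-with-ties-to-even (Uint8Clamped), so no JSValue sits between the two element types.

```cpp
// Added example, not JSC source. The three-way widen/narrow protocol is the
// point: SourceAdaptor::convertTo<TargetAdaptor>(value) picks one of three
// target entry points, and the compiler sees only that pair of casts.
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <limits>
#include <type_traits>

// ECMA-262 ToInt32: NaN/Infinity become 0, everything else truncates and
// wraps modulo 2^32 into the signed range.
inline int32_t jsToInt32(double d)
{
    if (std::isnan(d) || std::isinf(d))
        return 0;
    double m = std::fmod(std::trunc(d), 4294967296.0); // in (-2^32, 2^32)
    if (m < 0)
        m += 4294967296.0;
    return static_cast<int32_t>(static_cast<uint32_t>(m)); // two's-complement wrap
}

// Int8/Uint8/Int16/Uint16/Int32/Uint32 elements: ToInt32 semantics, i.e. wrap.
template<typename T>
struct IntegralAdaptor {
    typedef T Type;
    static T toNativeFromInt32(int32_t v) { return static_cast<T>(v); }
    static T toNativeFromUint32(uint32_t v) { return static_cast<T>(v); }
    static T toNativeFromDouble(double v) { return static_cast<T>(jsToInt32(v)); }
    template<typename Target> static typename Target::Type convertTo(T value)
    {
        // Widen to the 32-bit type that holds T losslessly; the target narrows.
        if (std::is_signed<T>::value)
            return Target::toNativeFromInt32(static_cast<int32_t>(value));
        return Target::toNativeFromUint32(static_cast<uint32_t>(value));
    }
};

// Float32/Float64 elements: always go through double, never through an int.
template<typename T>
struct FloatAdaptor {
    typedef T Type;
    static T toNativeFromInt32(int32_t v) { return static_cast<T>(v); }
    static T toNativeFromUint32(uint32_t v) { return static_cast<T>(v); }
    static T toNativeFromDouble(double v) { return static_cast<T>(v); }
    template<typename Target> static typename Target::Type convertTo(T value)
    {
        return Target::toNativeFromDouble(static_cast<double>(value));
    }
};

// Uint8ClampedArray elements: clamp to [0, 255]; doubles round ties to even.
struct Uint8ClampedAdaptor {
    typedef uint8_t Type;
    static uint8_t toNativeFromInt32(int32_t v) { return v < 0 ? 0 : v > 255 ? 255 : static_cast<uint8_t>(v); }
    static uint8_t toNativeFromUint32(uint32_t v) { return v > 255 ? 255 : static_cast<uint8_t>(v); }
    static uint8_t toNativeFromDouble(double v)
    {
        if (std::isnan(v) || v <= 0)
            return 0;
        if (v >= 255)
            return 255;
        return static_cast<uint8_t>(std::nearbyint(v)); // default FE_TONEAREST: ties to even
    }
    template<typename Target> static typename Target::Type convertTo(uint8_t value)
    {
        return Target::toNativeFromUint32(value);
    }
};

// typedArray.set() between views of different element types: one
// Source::convertTo<Target> per element, with no boxing in between.
template<typename Source, typename Target>
void setFromTypedArray(typename Target::Type* dst, const typename Source::Type* src, size_t count)
{
    for (size_t i = 0; i < count; ++i)
        dst[i] = Source::template convertTo<Target>(src[i]);
}
```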
216
217 2013-08-24  Dan Bernstein  <mitz@apple.com>
218
219         [mac] link against libz in a more civilized manner
220         https://bugs.webkit.org/show_bug.cgi?id=120258
221
222         Reviewed by Darin Adler.
223
224         * Configurations/JavaScriptCore.xcconfig: Removed “-lz” from OTHER_LDFLAGS_BASE.
225         * JavaScriptCore.xcodeproj/project.pbxproj: Added libz.dylib to the JavaScriptCore target’s
226         Link Binary With Libraries build phase.
227
228 2013-08-23  Laszlo Papp  <lpapp@kde.org>
229
230         Failure building with python3
231         https://bugs.webkit.org/show_bug.cgi?id=106645
232
233         Reviewed by Benjamin Poulain.
234
235         Use print functions instead of python statements to be compatible with python 3.X and 2.7 as well.
236         Archlinux has been using python3 and that is what causes issues while packaging QtWebKit along with Qt5.
237
238         * disassembler/udis86/itab.py:
239         (UdItabGenerator.genInsnTable):
240         * disassembler/udis86/ud_opcode.py:
241         (UdOpcodeTables.print_table):
242         * disassembler/udis86/ud_optable.py:
243         (UdOptableXmlParser.parseDef):
244         (UdOptableXmlParser.parse):
245         (printFn):
246
247 2013-08-23  Filip Pizlo  <fpizlo@apple.com>
248
249         Incorrect TypedArray#set behavior
250         https://bugs.webkit.org/show_bug.cgi?id=83818
251
252         Reviewed by Oliver Hunt and Mark Hahnenberg.
253         
254         This was so much fun! typedArray.set() is like a memmove on steroids, and I'm
255         not smart enough to figure out optimal versions for *all* of the cases. But I
256         did come up with optimal implementations for most of the cases, and I wrote
257         spec-literal code (i.e. copy via a transfer buffer) for the cases I'm not smart
258         enough to write optimal code for.
259
260         * runtime/JSArrayBufferView.h:
261         (JSC::JSArrayBufferView::hasArrayBuffer):
262         * runtime/JSArrayBufferViewInlines.h:
263         (JSC::JSArrayBufferView::buffer):
264         (JSC::JSArrayBufferView::existingBufferInButterfly):
265         (JSC::JSArrayBufferView::neuter):
266         (JSC::JSArrayBufferView::byteOffset):
267         * runtime/JSGenericTypedArrayView.h:
268         * runtime/JSGenericTypedArrayViewInlines.h:
269         (JSC::::setWithSpecificType):
270         (JSC::::set):
271         (JSC::::existingBuffer):
272
273 2013-08-23  Alex Christensen  <achristensen@apple.com>
274
275         Re-separating Win32 and Win64 builds.
276         https://bugs.webkit.org/show_bug.cgi?id=120178
277
278         Reviewed by Brent Fulgham.
279
280         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
281         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
282         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
283         Pass PlatformArchitecture as a command line parameter to bash scripts.
284         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
285         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
286         * JavaScriptCore.vcxproj/build-generated-files.sh:
287         Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).
288
289 2013-08-22  Filip Pizlo  <fpizlo@apple.com>
290
291         build-jsc --ftl-jit should work
292         https://bugs.webkit.org/show_bug.cgi?id=120194
293
294         Reviewed by Oliver Hunt.
295
296         * Configurations/Base.xcconfig: CPPFLAGS should include FEATURE_DEFINES
297         * Configurations/JSC.xcconfig: The 'jsc' tool includes headers where field layout may depend on FEATURE_DEFINES
298         * Configurations/ToolExecutable.xcconfig: All other tools include headers where field layout may depend on FEATURE_DEFINES
299         * ftl/FTLLowerDFGToLLVM.cpp: Build fix
300         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
301         (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
302
303 2013-08-23  Oliver Hunt  <oliver@apple.com>
304
305         Re-sort xcode project file
306
307         * JavaScriptCore.xcodeproj/project.pbxproj:
308
309 2013-08-23  Oliver Hunt  <oliver@apple.com>
310
311         Support in memory compression of rarely used data
312         https://bugs.webkit.org/show_bug.cgi?id=120143
313
314         Reviewed by Gavin Barraclough.
315
316         Include zlib in LD_FLAGS and make UnlinkedCodeBlock make use of CompressibleVector.  This saves ~200k on google maps.
317
318         * Configurations/JavaScriptCore.xcconfig:
319         * bytecode/UnlinkedCodeBlock.cpp:
320         (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset):
321         (JSC::UnlinkedCodeBlock::addExpressionInfo):
322         * bytecode/UnlinkedCodeBlock.h:
323
324 2013-08-22  Mark Hahnenberg  <mhahnenberg@apple.com>
325
326         JSObject and JSArray code shouldn't have to tiptoe around garbage collection
327         https://bugs.webkit.org/show_bug.cgi?id=120179
328
329         Reviewed by Geoffrey Garen.
330
331         There are many places in the code for JSObject and JSArray where they are manipulating their 
332         Butterfly/Structure, e.g. after expanding their out-of-line backing storage via allocating. Within 
333         these places there are certain "critical sections" where a GC would be disastrous. Gen GC looks 
334         like it will make this dance even more intricate. To make everybody's lives easier we should use 
335         the DeferGC mechanism in these functions to make these GC critical sections both obvious in the 
336         code and trivially safe. Deferring collections will usually only last marginally longer, thus we 
337         should not incur any additional overhead.
338
339         * heap/Heap.h:
340         * runtime/JSArray.cpp:
341         (JSC::JSArray::unshiftCountSlowCase):
342         * runtime/JSObject.cpp:
343         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
344         (JSC::JSObject::createInitialUndecided):
345         (JSC::JSObject::createInitialInt32):
346         (JSC::JSObject::createInitialDouble):
347         (JSC::JSObject::createInitialContiguous):
348         (JSC::JSObject::createArrayStorage):
349         (JSC::JSObject::convertUndecidedToArrayStorage):
350         (JSC::JSObject::convertInt32ToArrayStorage):
351         (JSC::JSObject::convertDoubleToArrayStorage):
352         (JSC::JSObject::convertContiguousToArrayStorage):
353         (JSC::JSObject::increaseVectorLength):
354         (JSC::JSObject::ensureLengthSlow):
355         * runtime/JSObject.h:
356         (JSC::JSObject::putDirectInternal):
357         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
358         (JSC::JSObject::putDirectWithoutTransition):
359
360 2013-08-22  Filip Pizlo  <fpizlo@apple.com>
361
362         Update LLVM binary drops and scripts to the latest version from SVN
363         https://bugs.webkit.org/show_bug.cgi?id=120184
364
365         Reviewed by Mark Hahnenberg.
366
367         * dfg/DFGPlan.cpp:
368         (JSC::DFG::Plan::compileInThreadImpl):
369
370 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
371
372         Don't leak registers for redeclared variables
373         https://bugs.webkit.org/show_bug.cgi?id=120174
374
375         Reviewed by Geoff Garen.
376
377         We currently always allocate registers for new global variables, but these are wasted when the variable is being redeclared.
378         Only allocate new registers when necessary.
379
380         No performance impact.
381
382         * interpreter/Interpreter.cpp:
383         (JSC::Interpreter::execute):
384         * runtime/Executable.cpp:
385         (JSC::ProgramExecutable::initializeGlobalProperties):
386             - Don't allocate the register here.
387         * runtime/JSGlobalObject.cpp:
388         (JSC::JSGlobalObject::addGlobalVar):
389             - Allocate the register here instead.
390
391 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
392
393         https://bugs.webkit.org/show_bug.cgi?id=120128
394         Remove putDirectVirtual
395
396         Unreviewed, checked in commented out code. :-(
397
398         * interpreter/Interpreter.cpp:
399         (JSC::Interpreter::execute):
400             - delete commented out code
401
402 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
403
404         Error.stack should not be enumerable
405         https://bugs.webkit.org/show_bug.cgi?id=120171
406
407         Reviewed by Oliver Hunt.
408
409         Breaks ECMA tests.
410
411         * runtime/ErrorInstance.cpp:
412         (JSC::ErrorInstance::finishCreation):
413             - None -> DontEnum
414
415 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
416
417         https://bugs.webkit.org/show_bug.cgi?id=120128
418         Remove putDirectVirtual
419
420         Reviewed by Sam Weinig.
421
422         This could most generously be described as 'vestigial'.
423         No performance impact.
424
425         * API/JSObjectRef.cpp:
426         (JSObjectSetProperty):
427             - changed to use defineOwnProperty
428         * debugger/DebuggerActivation.cpp:
429         * debugger/DebuggerActivation.h:
430             - remove putDirectVirtual
431         * interpreter/Interpreter.cpp:
432         (JSC::Interpreter::execute):
433             - changed to use defineOwnProperty
434         * runtime/ClassInfo.h:
435         * runtime/JSActivation.cpp:
436         * runtime/JSActivation.h:
437         * runtime/JSCell.cpp:
438         * runtime/JSCell.h:
439         * runtime/JSGlobalObject.cpp:
440         * runtime/JSGlobalObject.h:
441         * runtime/JSObject.cpp:
442         * runtime/JSObject.h:
443         * runtime/JSProxy.cpp:
444         * runtime/JSProxy.h:
445         * runtime/JSSymbolTableObject.cpp:
446         * runtime/JSSymbolTableObject.h:
447             - remove putDirectVirtual
448         * runtime/PropertyDescriptor.h:
449         (JSC::PropertyDescriptor::PropertyDescriptor):
450             - added constructor for convenience
451
452 2013-08-22  Chris Curtis  <chris_curtis@apple.com>
453
454         errorDescriptionForValue() should not assume error value is an Object
455         https://bugs.webkit.org/show_bug.cgi?id=119812
456
457         Reviewed by Geoffrey Garen.
458
459         Added a check to make sure that the JSValue was an object before casting it as an object. Also, in case the parameterized JSValue
460         has no type, the function now returns the empty string.

461         * runtime/ExceptionHelpers.cpp:
462         (JSC::errorDescriptionForValue):
463
464 2013-08-22  Julien Brianceau  <jbrianceau@nds.com>
465
466         Fix P_DFGOperation_EJS call for MIPS and ARM EABI.
467         https://bugs.webkit.org/show_bug.cgi?id=120107
468
469         Reviewed by Yong Li.
470
471         EncodedJSValue parameters must be aligned to even registers for MIPS and ARM EABI.
472
473         * dfg/DFGSpeculativeJIT.h:
474         (JSC::DFG::SpeculativeJIT::callOperation):
475
476 2013-08-21  Commit Queue  <commit-queue@webkit.org>
477
478         Unreviewed, rolling out r154416.
479         http://trac.webkit.org/changeset/154416
480         https://bugs.webkit.org/show_bug.cgi?id=120147
481
482         Broke Windows builds (Requested by rniwa on #webkit).
483
484         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
485         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
486         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
487         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
488         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
489         * JavaScriptCore.vcxproj/build-generated-files.sh:
490
491 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
492
493         Clarify var/const/function declaration
494         https://bugs.webkit.org/show_bug.cgi?id=120144
495
496         Reviewed by Sam Weinig.
497
498         Add methods to JSGlobalObject to declare vars, consts, and functions.
499
500         * runtime/Executable.cpp:
501         (JSC::ProgramExecutable::initializeGlobalProperties):
502         * runtime/Executable.h:
503             - Moved declaration code to JSGlobalObject
504         * runtime/JSGlobalObject.cpp:
505         (JSC::JSGlobalObject::addGlobalVar):
506             - internal implementation of addVar, addConst, addFunction
507         * runtime/JSGlobalObject.h:
508         (JSC::JSGlobalObject::addVar):
509         (JSC::JSGlobalObject::addConst):
510         (JSC::JSGlobalObject::addFunction):
511             - Added methods to declare vars, consts, and functions
512
513 2013-08-21  Yi Shen  <max.hong.shen@gmail.com>
514
515         https://bugs.webkit.org/show_bug.cgi?id=119900
516         Exception in global setter doesn't unwind correctly
517
518         Reviewed by Geoffrey Garen.
519
520         Call VM_THROW_EXCEPTION_AT_END in op_put_to_scope if the setter throws exception.
521
522         * jit/JITStubs.cpp:
523         (JSC::DEFINE_STUB_FUNCTION):
524
525 2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>
526
527         Rename/refactor setButterfly/setStructure
528         https://bugs.webkit.org/show_bug.cgi?id=120138
529
530         Reviewed by Geoffrey Garen.
531
532         setButterfly becomes setStructureAndButterfly.
533
534         Also removed the Butterfly* argument from setStructure and just implicitly
535         used m_butterfly internally since that's what every single client of setStructure
536         was doing already.
537
538         * jit/JITStubs.cpp:
539         (JSC::DEFINE_STUB_FUNCTION):
540         * runtime/JSObject.cpp:
541         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
542         (JSC::JSObject::createInitialUndecided):
543         (JSC::JSObject::createInitialInt32):
544         (JSC::JSObject::createInitialDouble):
545         (JSC::JSObject::createInitialContiguous):
546         (JSC::JSObject::createArrayStorage):
547         (JSC::JSObject::convertUndecidedToInt32):
548         (JSC::JSObject::convertUndecidedToDouble):
549         (JSC::JSObject::convertUndecidedToContiguous):
550         (JSC::JSObject::convertUndecidedToArrayStorage):
551         (JSC::JSObject::convertInt32ToDouble):
552         (JSC::JSObject::convertInt32ToContiguous):
553         (JSC::JSObject::convertInt32ToArrayStorage):
554         (JSC::JSObject::genericConvertDoubleToContiguous):
555         (JSC::JSObject::convertDoubleToArrayStorage):
556         (JSC::JSObject::convertContiguousToArrayStorage):
557         (JSC::JSObject::switchToSlowPutArrayStorage):
558         (JSC::JSObject::setPrototype):
559         (JSC::JSObject::putDirectAccessor):
560         (JSC::JSObject::seal):
561         (JSC::JSObject::freeze):
562         (JSC::JSObject::preventExtensions):
563         (JSC::JSObject::reifyStaticFunctionsForDelete):
564         (JSC::JSObject::removeDirect):
565         * runtime/JSObject.h:
566         (JSC::JSObject::setStructureAndButterfly):
567         (JSC::JSObject::setStructure):
568         (JSC::JSObject::putDirectInternal):
569         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
570         (JSC::JSObject::putDirectWithoutTransition):
571         * runtime/Structure.cpp:
572         (JSC::Structure::flattenDictionaryStructure):
573
574 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
575
576         https://bugs.webkit.org/show_bug.cgi?id=120127
577         Remove JSObject::propertyIsEnumerable
578
579         Unreviewed typo fix
580
581         * runtime/JSObject.h:
582             - fix typo
583
584 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
585
586         https://bugs.webkit.org/show_bug.cgi?id=120139
587         PropertyDescriptor argument to define methods should be const
588
589         Rubber stamped by Sam Weinig.
590
591         This should never be modified, and this way we can use rvalues.
592
593         * debugger/DebuggerActivation.cpp:
594         (JSC::DebuggerActivation::defineOwnProperty):
595         * debugger/DebuggerActivation.h:
596         * runtime/Arguments.cpp:
597         (JSC::Arguments::defineOwnProperty):
598         * runtime/Arguments.h:
599         * runtime/ClassInfo.h:
600         * runtime/JSArray.cpp:
601         (JSC::JSArray::defineOwnProperty):
602         * runtime/JSArray.h:
603         * runtime/JSArrayBuffer.cpp:
604         (JSC::JSArrayBuffer::defineOwnProperty):
605         * runtime/JSArrayBuffer.h:
606         * runtime/JSArrayBufferView.cpp:
607         (JSC::JSArrayBufferView::defineOwnProperty):
608         * runtime/JSArrayBufferView.h:
609         * runtime/JSCell.cpp:
610         (JSC::JSCell::defineOwnProperty):
611         * runtime/JSCell.h:
612         * runtime/JSFunction.cpp:
613         (JSC::JSFunction::defineOwnProperty):
614         * runtime/JSFunction.h:
615         * runtime/JSGenericTypedArrayView.h:
616         * runtime/JSGenericTypedArrayViewInlines.h:
617         (JSC::::defineOwnProperty):
618         * runtime/JSGlobalObject.cpp:
619         (JSC::JSGlobalObject::defineOwnProperty):
620         * runtime/JSGlobalObject.h:
621         * runtime/JSObject.cpp:
622         (JSC::JSObject::putIndexedDescriptor):
623         (JSC::JSObject::defineOwnIndexedProperty):
624         (JSC::putDescriptor):
625         (JSC::JSObject::defineOwnNonIndexProperty):
626         (JSC::JSObject::defineOwnProperty):
627         * runtime/JSObject.h:
628         * runtime/JSProxy.cpp:
629         (JSC::JSProxy::defineOwnProperty):
630         * runtime/JSProxy.h:
631         * runtime/RegExpMatchesArray.h:
632         (JSC::RegExpMatchesArray::defineOwnProperty):
633         * runtime/RegExpObject.cpp:
634         (JSC::RegExpObject::defineOwnProperty):
635         * runtime/RegExpObject.h:
636         * runtime/StringObject.cpp:
637         (JSC::StringObject::defineOwnProperty):
638         * runtime/StringObject.h:
639             - make PropertyDescriptor const
640
641 2013-08-21  Filip Pizlo  <fpizlo@apple.com>
642
643         REGRESSION: Crash under JITCompiler::link while loading Gmail
644         https://bugs.webkit.org/show_bug.cgi?id=119872
645
646         Reviewed by Mark Hahnenberg.
647         
648         Apparently, unsigned + signed = unsigned. Work around it with a cast.
649
650         * dfg/DFGByteCodeParser.cpp:
651         (JSC::DFG::ByteCodeParser::parseBlock):
652
653 2013-08-21  Alex Christensen  <achristensen@apple.com>
654
655         <https://webkit.org/b/120137> Separating Win32 and Win64 builds.
656
657         Reviewed by Brent Fulgham.
658
659         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
660         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
661         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
662         Pass PlatformArchitecture as a command line parameter to bash scripts.
663         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
664         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
665         * JavaScriptCore.vcxproj/build-generated-files.sh:
666         Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).
667
668 2013-08-21  Filip Pizlo  <fpizlo@apple.com>
669
670         Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView
671         https://bugs.webkit.org/show_bug.cgi?id=120099
672
673         Reviewed by Mark Hahnenberg.
674         
675         JSDataView should not store the ArrayBuffer* in the butterfly indexing header, since
676         JSDataView may have ordinary JS indexed properties.
677
678         * runtime/ClassInfo.h:
679         * runtime/JSArrayBufferView.cpp:
680         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
681         (JSC::JSArrayBufferView::finishCreation):
682         * runtime/JSArrayBufferView.h:
683         (JSC::hasArrayBuffer):
684         * runtime/JSArrayBufferViewInlines.h:
685         (JSC::JSArrayBufferView::buffer):
686         (JSC::JSArrayBufferView::neuter):
687         (JSC::JSArrayBufferView::byteOffset):
688         * runtime/JSCell.cpp:
689         (JSC::JSCell::slowDownAndWasteMemory):
690         * runtime/JSCell.h:
691         * runtime/JSDataView.cpp:
692         (JSC::JSDataView::JSDataView):
693         (JSC::JSDataView::create):
694         (JSC::JSDataView::slowDownAndWasteMemory):
695         * runtime/JSDataView.h:
696         (JSC::JSDataView::buffer):
697         * runtime/JSGenericTypedArrayView.h:
698         * runtime/JSGenericTypedArrayViewInlines.h:
699         (JSC::::visitChildren):
700         (JSC::::slowDownAndWasteMemory):
701
702 2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>
703
704         Remove incorrect ASSERT from CopyVisitor::visitItem
705
706         Rubber stamped by Filip Pizlo.
707
708         * heap/CopyVisitorInlines.h:
709         (JSC::CopyVisitor::visitItem):
710
711 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
712
713         https://bugs.webkit.org/show_bug.cgi?id=120127
714         Remove JSObject::propertyIsEnumerable
715
716         Reviewed by Sam Weinig.
717
718         This method is just a wart - it contains unnecessary const-casting, function call overhead, and LOC.
719
720         * runtime/JSObject.cpp:
721         * runtime/JSObject.h:
722             - remove propertyIsEnumerable
723         * runtime/ObjectPrototype.cpp:
724         (JSC::objectProtoFuncPropertyIsEnumerable):
725             - Move implementation here using getOwnPropertyDescriptor directly.
726
727 2013-08-20  Filip Pizlo  <fpizlo@apple.com>
728
729         DFG should inline new typedArray()
730         https://bugs.webkit.org/show_bug.cgi?id=120022
731
732         Reviewed by Oliver Hunt.
733         
734         Adds inlining of typed array allocations in the DFG. Any operation of the
735         form:
736         
737             new foo(blah)
738         
739         or:
740         
741             foo(blah)
742         
743         where 'foo' is a typed array constructor and 'blah' is exactly one argument,
744         is turned into the NewTypedArray intrinsic. Later, if child1 (i.e. 'blah')
745         is predicted integer, we generate inline code for an allocation. Otherwise
746         it turns into a call to an operation that behaves like the constructor would
747         if it was passed one argument (i.e. it may wrap a buffer or it may create a
748         copy or another array, or it may allocate an array of that length).
749
750         * bytecode/SpeculatedType.cpp:
751         (JSC::speculationFromTypedArrayType):
752         (JSC::speculationFromClassInfo):
753         * bytecode/SpeculatedType.h:
754         * dfg/DFGAbstractInterpreterInlines.h:
755         (JSC::DFG::::executeEffects):
756         * dfg/DFGBackwardsPropagationPhase.cpp:
757         (JSC::DFG::BackwardsPropagationPhase::propagate):
758         * dfg/DFGByteCodeParser.cpp:
759         (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
760         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
761         * dfg/DFGCCallHelpers.h:
762         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
763         * dfg/DFGCSEPhase.cpp:
764         (JSC::DFG::CSEPhase::putStructureStoreElimination):
765         * dfg/DFGClobberize.h:
766         (JSC::DFG::clobberize):
767         * dfg/DFGFixupPhase.cpp:
768         (JSC::DFG::FixupPhase::fixupNode):
769         * dfg/DFGGraph.cpp:
770         (JSC::DFG::Graph::dump):
771         * dfg/DFGNode.h:
772         (JSC::DFG::Node::hasTypedArrayType):
773         (JSC::DFG::Node::typedArrayType):
774         * dfg/DFGNodeType.h:
775         * dfg/DFGOperations.cpp:
776         (JSC::DFG::newTypedArrayWithSize):
777         (JSC::DFG::newTypedArrayWithOneArgument):
778         * dfg/DFGOperations.h:
779         (JSC::DFG::operationNewTypedArrayWithSizeForType):
780         (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
781         * dfg/DFGPredictionPropagationPhase.cpp:
782         (JSC::DFG::PredictionPropagationPhase::propagate):
783         * dfg/DFGSafeToExecute.h:
784         (JSC::DFG::safeToExecute):
785         * dfg/DFGSpeculativeJIT.cpp:
786         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
787         * dfg/DFGSpeculativeJIT.h:
788         (JSC::DFG::SpeculativeJIT::callOperation):
789         * dfg/DFGSpeculativeJIT32_64.cpp:
790         (JSC::DFG::SpeculativeJIT::compile):
791         * dfg/DFGSpeculativeJIT64.cpp:
792         (JSC::DFG::SpeculativeJIT::compile):
793         * jit/JITOpcodes.cpp:
794         (JSC::JIT::emit_op_new_object):
795         * jit/JITOpcodes32_64.cpp:
796         (JSC::JIT::emit_op_new_object):
797         * runtime/JSArray.h:
798         (JSC::JSArray::allocationSize):
799         * runtime/JSArrayBufferView.h:
800         (JSC::JSArrayBufferView::allocationSize):
801         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
802         (JSC::constructGenericTypedArrayView):
803         * runtime/JSObject.h:
804         (JSC::JSFinalObject::allocationSize):
805         * runtime/TypedArrayType.cpp:
806         (JSC::constructorClassInfoForType):
807         * runtime/TypedArrayType.h:
808         (JSC::indexToTypedArrayType):
809
810 2013-08-21  Julien Brianceau  <jbrianceau@nds.com>
811
812         <https://webkit.org/b/120106> Fix V_DFGOperation_EJPP signature in DFG.
813
814         Reviewed by Geoffrey Garen.
815
816         * dfg/DFGOperations.h:
817
818 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
819
820         https://bugs.webkit.org/show_bug.cgi?id=120093
821         Remove getOwnPropertyDescriptor trap
822
823         Reviewed by Geoff Garen.
824
825         All implementations of this method are now called via the method table, and equivalent in behaviour.
826         Remove all duplicate implementations (and the method table trap), and add a single member function implementation on JSObject.
827
828         * API/JSCallbackObject.h:
829         * API/JSCallbackObjectFunctions.h:
830         * debugger/DebuggerActivation.cpp:
831         * debugger/DebuggerActivation.h:
832         * runtime/Arguments.cpp:
833         * runtime/Arguments.h:
834         * runtime/ArrayConstructor.cpp:
835         * runtime/ArrayConstructor.h:
836         * runtime/ArrayPrototype.cpp:
837         * runtime/ArrayPrototype.h:
838         * runtime/BooleanPrototype.cpp:
839         * runtime/BooleanPrototype.h:
840             - remove getOwnPropertyDescriptor
841         * runtime/ClassInfo.h:
842             - remove getOwnPropertyDescriptor from MethodTable
843         * runtime/DateConstructor.cpp:
844         * runtime/DateConstructor.h:
845         * runtime/DatePrototype.cpp:
846         * runtime/DatePrototype.h:
847         * runtime/ErrorPrototype.cpp:
848         * runtime/ErrorPrototype.h:
849         * runtime/JSActivation.cpp:
850         * runtime/JSActivation.h:
851         * runtime/JSArray.cpp:
852         * runtime/JSArray.h:
853         * runtime/JSArrayBuffer.cpp:
854         * runtime/JSArrayBuffer.h:
855         * runtime/JSArrayBufferView.cpp:
856         * runtime/JSArrayBufferView.h:
857         * runtime/JSCell.cpp:
858         * runtime/JSCell.h:
859         * runtime/JSDataView.cpp:
860         * runtime/JSDataView.h:
861         * runtime/JSDataViewPrototype.cpp:
862         * runtime/JSDataViewPrototype.h:
863         * runtime/JSFunction.cpp:
864         * runtime/JSFunction.h:
865         * runtime/JSGenericTypedArrayView.h:
866         * runtime/JSGenericTypedArrayViewInlines.h:
867         * runtime/JSGlobalObject.cpp:
868         * runtime/JSGlobalObject.h:
869         * runtime/JSNotAnObject.cpp:
870         * runtime/JSNotAnObject.h:
871         * runtime/JSONObject.cpp:
872         * runtime/JSONObject.h:
873             - remove getOwnPropertyDescriptor
874         * runtime/JSObject.cpp:
875         (JSC::JSObject::propertyIsEnumerable):
876             - switch to call new getOwnPropertyDescriptor member function
877         (JSC::JSObject::getOwnPropertyDescriptor):
878             - new, based on implementation from GET_OWN_PROPERTY_DESCRIPTOR_IMPL
879         (JSC::JSObject::defineOwnNonIndexProperty):
880             - switch to call new getOwnPropertyDescriptor member function
881         * runtime/JSObject.h:
882         * runtime/JSProxy.cpp:
883         * runtime/JSProxy.h:
884         * runtime/NamePrototype.cpp:
885         * runtime/NamePrototype.h:
886         * runtime/NumberConstructor.cpp:
887         * runtime/NumberConstructor.h:
888         * runtime/NumberPrototype.cpp:
889         * runtime/NumberPrototype.h:
890             - remove getOwnPropertyDescriptor
891         * runtime/ObjectConstructor.cpp:
892         (JSC::objectConstructorGetOwnPropertyDescriptor):
893         (JSC::objectConstructorSeal):
894         (JSC::objectConstructorFreeze):
895         (JSC::objectConstructorIsSealed):
896         (JSC::objectConstructorIsFrozen):
897             - switch to call new getOwnPropertyDescriptor member function
898         * runtime/ObjectConstructor.h:
899             - remove getOwnPropertyDescriptor
900         * runtime/PropertyDescriptor.h:
901             - remove GET_OWN_PROPERTY_DESCRIPTOR_IMPL
902         * runtime/RegExpConstructor.cpp:
903         * runtime/RegExpConstructor.h:
904         * runtime/RegExpMatchesArray.cpp:
905         * runtime/RegExpMatchesArray.h:
906         * runtime/RegExpObject.cpp:
907         * runtime/RegExpObject.h:
908         * runtime/RegExpPrototype.cpp:
909         * runtime/RegExpPrototype.h:
910         * runtime/StringConstructor.cpp:
911         * runtime/StringConstructor.h:
912         * runtime/StringObject.cpp:
913         * runtime/StringObject.h:
914             - remove getOwnPropertyDescriptor
915
916 2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>
917
918         <https://webkit.org/b/120079> Flattening a dictionary can cause CopiedSpace corruption
919
920         Reviewed by Oliver Hunt.
921
922         When we flatten an object in dictionary mode, we compact its properties. If the object 
923         had out-of-line storage in the form of a Butterfly prior to this compaction, and after 
924         compaction its properties fit inline, the object's Structure "forgets" that the object 
925         has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes 
926         with bytes = 0, which causes all sorts of badness in CopiedSpace.
927
928         Instead, after we flatten a dictionary, if properties fit inline we should clear the 
929         Butterfly pointer so that the GC doesn't get confused later.
930
931         This patch does this clearing, and it also adds JSObject::checkStructure, which overrides
932         JSCell::checkStructure to add an ASSERT that makes sure that the Structure being assigned
933         agrees with whether or not the object has a Butterfly. Also added an ASSERT to check
934         that the number of bytes reported to SlotVisitor::copyLater is non-zero.
935
936         * heap/SlotVisitorInlines.h:
937         (JSC::SlotVisitor::copyLater):
938         * runtime/JSObject.cpp:
939         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
940         (JSC::JSObject::convertUndecidedToInt32):
941         (JSC::JSObject::convertUndecidedToDouble):
942         (JSC::JSObject::convertUndecidedToContiguous):
943         (JSC::JSObject::convertInt32ToDouble):
944         (JSC::JSObject::convertInt32ToContiguous):
945         (JSC::JSObject::genericConvertDoubleToContiguous):
946         (JSC::JSObject::switchToSlowPutArrayStorage):
947         (JSC::JSObject::setPrototype):
948         (JSC::JSObject::putDirectAccessor):
949         (JSC::JSObject::seal):
950         (JSC::JSObject::freeze):
951         (JSC::JSObject::preventExtensions):
952         (JSC::JSObject::reifyStaticFunctionsForDelete):
953         (JSC::JSObject::removeDirect):
954         * runtime/JSObject.h:
955         (JSC::JSObject::setButterfly):
956         (JSC::JSObject::putDirectInternal):
957         (JSC::JSObject::setStructure):
958         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
959         * runtime/Structure.cpp:
960         (JSC::Structure::flattenDictionaryStructure):
961
962 2013-08-20  Alex Christensen  <achristensen@apple.com>
963
964         Compile fix for Win64 after r154156.
965
966         Rubber stamped by Oliver Hunt.
967
968         * jit/JITStubsMSVC64.asm:
969         Renamed ctiVMThrowTrampolineSlowpath to ctiVMHandleException and
970         cti_vm_throw_slowpath to cti_vm_handle_exception.
971
972 2013-08-20  Alex Christensen  <achristensen@apple.com>
973
974         <https://webkit.org/b/120076> More work towards a Win64 build
975
976         Reviewed by Brent Fulgham.
977
978         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
979         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
980         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
981         * JavaScriptCore.vcxproj/copy-files.cmd:
982         * JavaScriptCore.vcxproj/jsc/jscCommon.props:
983         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
984         Use PlatformArchitecture macro instead of bin32, lib32, and obj32.
985
986 2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>
987
988         <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
989
990         Reviewed by Geoffrey Garen.
991
992         More fixes for WriteBarrier deferral during concurrent JIT-ing. This patch makes the use of DesiredWriteBarriers class and the 
993         initializeLazyWriteBarrierFor* wrapper functions more sane. 
994
995         Refactored DesiredWriteBarrier to require an owner, a type, a CodeBlock, and an index. The type indicates how to use the CodeBlock
996         and index when triggering the WriteBarrier at the end of compilation. 
997
998         The client code of initializeLazy* is now responsible for creating the WriteBarrier that will be initialized as well as passing
999         in the relevant index to be used at the end of compilation. Things were kind of muddled before in that one function did a 
1000         little extra work that really shouldn't have been its responsibility.
1001
1002         * dfg/DFGByteCodeParser.cpp:
1003         (JSC::DFG::ByteCodeParser::addConstant):
1004         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1005         * dfg/DFGDesiredWriteBarriers.cpp:
1006         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
1007         (JSC::DFG::DesiredWriteBarrier::trigger):
1008         * dfg/DFGDesiredWriteBarriers.h:
1009         (JSC::DFG::DesiredWriteBarriers::add):
1010         (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameExecutable):
1011         (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameCallee):
1012         (JSC::DFG::initializeLazyWriteBarrierForConstant):
1013         * dfg/DFGFixupPhase.cpp:
1014         (JSC::DFG::FixupPhase::truncateConstantToInt32):
1015         * dfg/DFGGraph.h:
1016         (JSC::DFG::Graph::constantRegisterForConstant):
1017
1018 2013-08-20  Michael Saboff  <msaboff@apple.com>
1019
1020         https://bugs.webkit.org/show_bug.cgi?id=120075
1021         REGRESSION (r128400): BBC4 website not displaying pictures
1022
1023         Reviewed by Oliver Hunt.
1024
1025         * runtime/RegExpMatchesArray.h:
1026         (JSC::RegExpMatchesArray::createStructure): Changed the array IndexingType to be ArrayWithSlowPutArrayStorage
1027         so that the match results will be reified before any other modification to the results array.
1028
1029 2013-08-19  Filip Pizlo  <fpizlo@apple.com>
1030
1031         Incorrect behavior on emscripten-compiled cube2hash
1032         https://bugs.webkit.org/show_bug.cgi?id=120033
1033
1034         Reviewed by Mark Hahnenberg.
1035         
1036         If PutClosureVar is may-aliased to another PutClosureVar or GetClosureVar
1037         then we should bail attempts to CSE.
1038
1039         * dfg/DFGCSEPhase.cpp:
1040         (JSC::DFG::CSEPhase::scopedVarLoadElimination):
1041         (JSC::DFG::CSEPhase::scopedVarStoreElimination):
1042
1043 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
1044
1045         https://bugs.webkit.org/show_bug.cgi?id=120073
1046         Remove use of GOPD from JSFunction::defineProperty
1047
1048         Reviewed by Oliver Hunt.
1049
1050         Call getOwnPropertySlot to check for existing properties instead.
1051
1052         * runtime/JSFunction.cpp:
1053         (JSC::JSFunction::defineOwnProperty):
1054             - getOwnPropertyDescriptor -> getOwnPropertySlot
1055
1056 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
1057
1058         https://bugs.webkit.org/show_bug.cgi?id=120067
1059         Remove getPropertyDescriptor
1060
1061         Reviewed by Oliver Hunt.
1062
1063         This is used by lookupGetter/lookupSetter - this can easily be replaced by getPropertySlot.
1064         Since we'll be getting the GetterSetter from the slot in the setter case, rename isGetter() to isAccessor().
1065
1066         * runtime/JSObject.cpp:
1067         * runtime/JSObject.h:
1068             - remove getPropertyDescriptor
1069         * runtime/ObjectPrototype.cpp:
1070         (JSC::objectProtoFuncLookupGetter):
1071         (JSC::objectProtoFuncLookupSetter):
1072             - replace call to getPropertyDescriptor with getPropertySlot
1073         * runtime/PropertyDescriptor.h:
1074         * runtime/PropertySlot.h:
1075         (JSC::PropertySlot::isAccessor):
1076         (JSC::PropertySlot::isCacheableGetter):
1077         (JSC::PropertySlot::getterSetter):
1078             - rename isGetter() to isAccessor()
1079
1080 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
1081
1082         https://bugs.webkit.org/show_bug.cgi?id=120054
1083         Remove some dead code following getOwnPropertyDescriptor cleanup
1084
1085         Reviewed by Oliver Hunt.
1086
1087         * runtime/Lookup.h:
1088         (JSC::getStaticFunctionSlot):
1089             - remove getStaticPropertyDescriptor, getStaticFunctionDescriptor, getStaticValueDescriptor.
1090
1091 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
1092
1093         https://bugs.webkit.org/show_bug.cgi?id=120052
1094         Remove custom getOwnPropertyDescriptor for JSProxy
1095
1096         Reviewed by Geoff Garen.
1097
1098         GET_OWN_PROPERTY_DESCRIPTOR_IMPL runs afoul of JSProxy due to the workaround for JSDOMWindow's broken behavior.
1099         Because the window object incorrectly searches the prototype chain in getOwnPropertySlot we check that the base
1100         object matches, but in the case of JSProxy we can end up comparing the window object to the window shell & falsely
1101         assuming this is a prototype property. Add toThis conversion to correctly identify proxied own access. I've kept
1102         the original slotBase check as a fast case, and also so that direct access on JSDOMWindow still works.
1103
1104         * runtime/JSProxy.cpp:
1105             - Remove custom getOwnPropertyDescriptor implementation.
1106         * runtime/PropertyDescriptor.h:
1107             - Modify own property access check to perform toThis conversion.
1108
1109 2013-08-20  Alex Christensen  <achristensen@apple.com>
1110
1111         Use PlatformArchitecture to distinguish between 32-bit and 64-bit builds on Windows.
1112         https://bugs.webkit.org/show_bug.cgi?id=119512
1113
1114         Reviewed by Brent Fulgham.
1115
1116         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1117         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1118         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
1119         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
1120         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
1121         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
1122         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
1123         Replaced obj32, bin32, and lib32 with macros for 64-bit build.
1124
1125 2013-08-20  Julien Brianceau  <jbrianceau@nds.com>
1126
1127         <https://webkit.org/b/120062> Missing ensureSpace call in sh4 baseline JIT.
1128
1129         Reviewed by Allan Sandfeld Jensen.
1130
1131         branchPtrWithPatch() of baseline JIT must ensure that space is available for its
1132         instructions and two constants now that DFG is enabled for sh4 architecture.
1133         These missing ensureSpace calls lead to random crashes.
1134
1135         * assembler/MacroAssemblerSH4.h:
1136         (JSC::MacroAssemblerSH4::branchPtrWithPatch):
1137
1138 2013-08-19  Gavin Barraclough  <barraclough@apple.com>
1139
1140         https://bugs.webkit.org/show_bug.cgi?id=120034
1141         Remove custom getOwnPropertyDescriptor for global objects
1142
1143         Reviewed by Geoff Garen.
1144
1145         Fix attributes of JSC SymbolTableObject entries, ensure that cross frame access is safe, and suppress prototype chain walk.
1146
1147         * runtime/JSGlobalObject.cpp:
1148             - Remove custom getOwnPropertyDescriptor implementation.
1149         * runtime/JSSymbolTableObject.h:
1150         (JSC::symbolTableGet):
1151             - The symbol table does not store the DontDelete attribute; we should be adding it back in.
1152         * runtime/PropertyDescriptor.h:
1153             - JSDOMWindow walks the prototype chain on own access. This is bad, but for now workaround for the getOwnPropertyDescriptor case.
1154         * runtime/PropertySlot.h:
1155         (JSC::PropertySlot::setUndefined):
1156             - This is used by WebCore when blocking access to properties on cross-frame access.
1157               Mark blocked properties as read-only, non-configurable to prevent defineProperty.
1158
1159 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
1160
1161         DFG should inline typedArray.byteOffset
1162         https://bugs.webkit.org/show_bug.cgi?id=119962
1163
1164         Reviewed by Oliver Hunt.
1165         
1166         This adds a new node, GetTypedArrayByteOffset, which inlines
1167         typedArray.byteOffset.
1168         
1169         Also, I improved a bunch of the clobbering logic related to typed arrays
1170         and clobbering in general. For example, PutByOffset/PutStructure are not
1171         clobber-world so they can be handled by most default cases in CSE. Also,
1172         it's better to use the 'Class_field' notation for typed arrays now that
1173         they no longer involve magical descriptor thingies.
1174
1175         * bytecode/SpeculatedType.h:
1176         * dfg/DFGAbstractHeap.h:
1177         * dfg/DFGAbstractInterpreterInlines.h:
1178         (JSC::DFG::::executeEffects):
1179         * dfg/DFGArrayMode.h:
1180         (JSC::DFG::neverNeedsStorage):
1181         * dfg/DFGCSEPhase.cpp:
1182         (JSC::DFG::CSEPhase::getByValLoadElimination):
1183         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
1184         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
1185         (JSC::DFG::CSEPhase::checkArrayElimination):
1186         (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
1187         (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination):
1188         (JSC::DFG::CSEPhase::performNodeCSE):
1189         * dfg/DFGClobberize.h:
1190         (JSC::DFG::clobberize):
1191         * dfg/DFGFixupPhase.cpp:
1192         (JSC::DFG::FixupPhase::fixupNode):
1193         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
1194         (JSC::DFG::FixupPhase::convertToGetArrayLength):
1195         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
1196         * dfg/DFGNodeType.h:
1197         * dfg/DFGPredictionPropagationPhase.cpp:
1198         (JSC::DFG::PredictionPropagationPhase::propagate):
1199         * dfg/DFGSafeToExecute.h:
1200         (JSC::DFG::safeToExecute):
1201         * dfg/DFGSpeculativeJIT.cpp:
1202         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
1203         * dfg/DFGSpeculativeJIT.h:
1204         * dfg/DFGSpeculativeJIT32_64.cpp:
1205         (JSC::DFG::SpeculativeJIT::compile):
1206         * dfg/DFGSpeculativeJIT64.cpp:
1207         (JSC::DFG::SpeculativeJIT::compile):
1208         * dfg/DFGTypeCheckHoistingPhase.cpp:
1209         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
1210         * runtime/ArrayBuffer.h:
1211         (JSC::ArrayBuffer::offsetOfData):
1212         * runtime/Butterfly.h:
1213         (JSC::Butterfly::offsetOfArrayBuffer):
1214         * runtime/IndexingHeader.h:
1215         (JSC::IndexingHeader::offsetOfArrayBuffer):
1216
1217 2013-08-18  Filip Pizlo  <fpizlo@apple.com>
1218
1219         <https://webkit.org/b/119994> DFG new Array() inlining could get confused about global objects
1220
1221         Reviewed by Geoffrey Garen.
1222
1223         * dfg/DFGByteCodeParser.cpp:
1224         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1225
1226 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
1227
1228         https://bugs.webkit.org/show_bug.cgi?id=119995
1229         Start removing custom implementations of getOwnPropertyDescriptor
1230
1231         Reviewed by Oliver Hunt.
1232
1233         This can now typically be implemented in terms of getOwnPropertySlot.
1234         Add a macro to PropertyDescriptor to define an implementation of GOPD in terms of GOPS.
1235         Switch over most classes in JSC & the WebCore bindings generator to use this.
1236
1237         * API/JSCallbackObjectFunctions.h:
1238         * debugger/DebuggerActivation.cpp:
1239         * runtime/Arguments.cpp:
1240         * runtime/ArrayConstructor.cpp:
1241         * runtime/ArrayPrototype.cpp:
1242         * runtime/BooleanPrototype.cpp:
1243         * runtime/DateConstructor.cpp:
1244         * runtime/DatePrototype.cpp:
1245         * runtime/ErrorPrototype.cpp:
1246         * runtime/JSActivation.cpp:
1247         * runtime/JSArray.cpp:
1248         * runtime/JSArrayBuffer.cpp:
1249         * runtime/JSArrayBufferView.cpp:
1250         * runtime/JSCell.cpp:
1251         * runtime/JSDataView.cpp:
1252         * runtime/JSDataViewPrototype.cpp:
1253         * runtime/JSFunction.cpp:
1254         * runtime/JSGenericTypedArrayViewInlines.h:
1255         * runtime/JSNotAnObject.cpp:
1256         * runtime/JSONObject.cpp:
1257         * runtime/JSObject.cpp:
1258         * runtime/NamePrototype.cpp:
1259         * runtime/NumberConstructor.cpp:
1260         * runtime/NumberPrototype.cpp:
1261         * runtime/ObjectConstructor.cpp:
1262             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
1263         * runtime/PropertyDescriptor.h:
1264             - Added GET_OWN_PROPERTY_DESCRIPTOR_IMPL macro.
1265         * runtime/PropertySlot.h:
1266         (JSC::PropertySlot::isValue):
1267         (JSC::PropertySlot::isGetter):
1268         (JSC::PropertySlot::isCustom):
1269         (JSC::PropertySlot::isCacheableValue):
1270         (JSC::PropertySlot::isCacheableGetter):
1271         (JSC::PropertySlot::isCacheableCustom):
1272         (JSC::PropertySlot::attributes):
1273         (JSC::PropertySlot::getterSetter):
1274             - Add accessors necessary to convert PropertySlot to descriptor.
1275         * runtime/RegExpConstructor.cpp:
1276         * runtime/RegExpMatchesArray.cpp:
1277         * runtime/RegExpMatchesArray.h:
1278         * runtime/RegExpObject.cpp:
1279         * runtime/RegExpPrototype.cpp:
1280         * runtime/StringConstructor.cpp:
1281         * runtime/StringObject.cpp:
1282             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
1283
1284 2013-08-19  Michael Saboff  <msaboff@apple.com>
1285
1286         https://bugs.webkit.org/show_bug.cgi?id=120015 DFG 32Bit: Crash loading "Classic" site @ translate.google.com
1287
1288         Reviewed by Sam Weinig.
1289
1290         * dfg/DFGSpeculativeJIT32_64.cpp:
1291         (JSC::DFG::SpeculativeJIT::fillSpeculateCell): Added checks for spillFormat being
1292         DataFormatInteger or DataFormatDouble similar to what is in the 64 bit code and in
1293         all versions of fillSpeculateBoolean().
1294
1295 2013-08-19  Michael Saboff  <msaboff@apple.com>
1296
1297         https://bugs.webkit.org/show_bug.cgi?id=120020 Change Set 154207 causes wrong register to be used for 32 bit tests
1298
1299         Reviewed by Benjamin Poulain.
1300
1301         Change branchTest32 to only use the byte form for an 8 bit test on the lower 4 registers.
1302         Registers 4 through 7 as byte registers are ah, ch, dh and bh instead of sp, bp, si and di.
1303
1304         * assembler/MacroAssemblerX86Common.h:
1305         (JSC::MacroAssemblerX86Common::branchTest32):
1306
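The encoding rule this entry describes, as an added C example that is not JSC's MacroAssemblerX86Common code: an x86 (32-bit, no REX prefix) encoder for `test reg, imm` that takes the short `test r8, imm8` form only for eax..ebx, shown beside the unguarded form it replaces. The register enum, function names and the packing helper are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* x86 general-purpose register numbers as encoded in the ModRM reg/rm fields
   (32-bit mode, no REX prefix). Names are this example's own; JSC spells
   them X86Registers::eax .. edi. */
enum X86Reg { EAX = 0, ECX = 1, EDX = 2, EBX = 3, ESP = 4, EBP = 5, ESI = 6, EDI = 7 };

/* Opcodes from the Intel SDM: TEST r/m8, imm8 is F6 /0 ib and
   TEST r/m32, imm32 is F7 /0 id. ModRM mod=11 means register-direct. */
#define OP_TEST_RM8_IMM8   0xF6
#define OP_TEST_RM32_IMM32 0xF7

/* In an 8-bit instruction without REX, rm fields 4..7 select AH, CH, DH, BH,
   not the low byte of ESP, EBP, ESI, EDI. */
const char *byteFormRegisterName(enum X86Reg reg)
{
    static const char *const names[8] = { "al", "cl", "dl", "bl", "ah", "ch", "dh", "bh" };
    return names[reg & 7];
}

static uint8_t modRMRegDirect(unsigned opcodeExtension, enum X86Reg rm)
{
    return (uint8_t)(0xC0 | ((opcodeExtension & 7) << 3) | ((unsigned)rm & 7));
}

static size_t emitTest8(uint8_t *out, enum X86Reg reg, uint8_t imm8)
{
    out[0] = OP_TEST_RM8_IMM8;
    out[1] = modRMRegDirect(0, reg);
    out[2] = imm8;
    return 3;
}

static size_t emitTest32(uint8_t *out, enum X86Reg reg, uint32_t imm32)
{
    out[0] = OP_TEST_RM32_IMM32;
    out[1] = modRMRegDirect(0, reg);
    out[2] = (uint8_t)imm32;           /* imm32 is stored little-endian */
    out[3] = (uint8_t)(imm32 >> 8);
    out[4] = (uint8_t)(imm32 >> 16);
    out[5] = (uint8_t)(imm32 >> 24);
    return 6;
}

/* Pre-fix behaviour as the entry describes it: any mask that fits in a byte
   takes the short form, so "test esp, 1" silently becomes "test ah, 1". */
size_t encodeTest32Unguarded(uint8_t *out, enum X86Reg reg, uint32_t mask)
{
    if ((mask & 0xFF) == mask)
        return emitTest8(out, reg, (uint8_t)mask);
    return emitTest32(out, reg, mask);
}

/* Fixed behaviour: the byte form is only used for eax..ebx (rm < 4), whose
   low byte really is the register the caller meant. */
size_t encodeTest32(uint8_t *out, enum X86Reg reg, uint32_t mask)
{
    if ((mask & 0xFF) == mask && reg < ESP)
        return emitTest8(out, reg, (uint8_t)mask);
    return emitTest32(out, reg, mask);
}

/* Pack up to 8 encoded bytes little-endian into one integer for easy comparison. */
uint64_t packBytes(const uint8_t *buf, size_t n)
{
    uint64_t v = 0;
    for (size_t i = 0; i < n && i < 8; i++)
        v |= (uint64_t)buf[i] << (8 * i);
    return v;
}

/* Encode with either variant and return the bytes packed; used to compare
   the two encoders on the same input. */
uint64_t packedEncoding(enum X86Reg reg, uint32_t mask, bool fixed)
{
    uint8_t buf[8] = { 0 };
    size_t n = fixed ? encodeTest32(buf, reg, mask) : encodeTest32Unguarded(buf, reg, mask);
    return packBytes(buf, n);
}

int main(void)
{
    static const enum X86Reg regs[] = { EAX, EBX, ESP, EDI };
    for (size_t i = 0; i < sizeof regs / sizeof regs[0]; i++) {
        uint8_t before[8], after[8];
        size_t nb = encodeTest32Unguarded(before, regs[i], 0x01);
        size_t na = encodeTest32(after, regs[i], 0x01);
        printf("reg %d: unguarded %zu bytes (byte form tests %s), fixed %zu bytes\n",
               (int)regs[i], nb, byteFormRegisterName(regs[i]), na);
    }
    return 0;
}
```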
1307 2013-08-16  Oliver Hunt  <oliver@apple.com>
1308
1309         <https://webkit.org/b/119860> Crash during exception unwinding
1310
1311         Reviewed by Filip Pizlo.
1312
1313         Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error
1314         to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node.
1315
1316         We need this so that Throw and ThrowReferenceError no longer need to be treated as
1317         terminals and the subsequent flush keeps the activation (and other registers) live.
1318
1319         * dfg/DFGAbstractInterpreterInlines.h:
1320         (JSC::DFG::::executeEffects):
1321         * dfg/DFGByteCodeParser.cpp:
1322         (JSC::DFG::ByteCodeParser::parseBlock):
1323         * dfg/DFGClobberize.h:
1324         (JSC::DFG::clobberize):
1325         * dfg/DFGFixupPhase.cpp:
1326         (JSC::DFG::FixupPhase::fixupNode):
1327         * dfg/DFGNode.h:
1328         (JSC::DFG::Node::isTerminal):
1329         * dfg/DFGNodeType.h:
1330         * dfg/DFGPredictionPropagationPhase.cpp:
1331         (JSC::DFG::PredictionPropagationPhase::propagate):
1332         * dfg/DFGSafeToExecute.h:
1333         (JSC::DFG::safeToExecute):
1334         * dfg/DFGSpeculativeJIT32_64.cpp:
1335         (JSC::DFG::SpeculativeJIT::compile):
1336         * dfg/DFGSpeculativeJIT64.cpp:
1337         (JSC::DFG::SpeculativeJIT::compile):
1338
1339 2013-08-19  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>
1340
1341         <https://webkit.org/b/120008> [GTK][ARM] javascriptcore compilation is broken
1342
1343         Reviewed by Oliver Hunt.
1344
1345         Guard the compilation of these files only if DFG_JIT is enabled.
1346
1347         * dfg/DFGDesiredTransitions.cpp:
1348         * dfg/DFGDesiredTransitions.h:
1349         * dfg/DFGDesiredWeakReferences.cpp:
1350         * dfg/DFGDesiredWeakReferences.h:
1351         * dfg/DFGDesiredWriteBarriers.cpp:
1352         * dfg/DFGDesiredWriteBarriers.h:
1353
1354 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
1355
1356         REGRESSION(r154218): DFG::FixupPhase no longer turns GetById's child1 into CellUse
1357         https://bugs.webkit.org/show_bug.cgi?id=119961
1358
1359         Reviewed by Mark Hahnenberg.
1360
1361         * dfg/DFGFixupPhase.cpp:
1362         (JSC::DFG::FixupPhase::fixupNode):
1363
1364 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
1365
1366         https://bugs.webkit.org/show_bug.cgi?id=119972
1367         Add attributes field to PropertySlot
1368
1369         Reviewed by Geoff Garen.
1370
1371         For all JSC types, this makes getOwnPropertyDescriptor redundant.
1372         There will be a bit more hacking required in WebCore to remove GOPD whilst maintaining current behaviour.
1373         (Current behaviour is in many ways broken, particularly in that GOPD & GOPS are inconsistent, but we should fix incrementally).
1374
1375         No performance impact.
1376
1377         * runtime/PropertySlot.h:
1378         (JSC::PropertySlot::setValue):
1379         (JSC::PropertySlot::setCustom):
1380         (JSC::PropertySlot::setCacheableCustom):
1381         (JSC::PropertySlot::setCustomIndex):
1382         (JSC::PropertySlot::setGetterSlot):
1383         (JSC::PropertySlot::setCacheableGetterSlot):
1384             - These methods now all require 'attributes'.
1385         * runtime/JSObject.h:
1386         (JSC::JSObject::getDirect):
1387         (JSC::JSObject::getDirectOffset):
1388         (JSC::JSObject::inlineGetOwnPropertySlot):
1389             - Added variants of getDirect, getDirectOffset that return the attributes.
1390         * API/JSCallbackObjectFunctions.h:
1391         (JSC::::getOwnPropertySlot):
1392         * runtime/Arguments.cpp:
1393         (JSC::Arguments::getOwnPropertySlotByIndex):
1394         (JSC::Arguments::getOwnPropertySlot):
1395         * runtime/JSActivation.cpp:
1396         (JSC::JSActivation::symbolTableGet):
1397         (JSC::JSActivation::getOwnPropertySlot):
1398         * runtime/JSArray.cpp:
1399         (JSC::JSArray::getOwnPropertySlot):
1400         * runtime/JSArrayBuffer.cpp:
1401         (JSC::JSArrayBuffer::getOwnPropertySlot):
1402         * runtime/JSArrayBufferView.cpp:
1403         (JSC::JSArrayBufferView::getOwnPropertySlot):
1404         * runtime/JSDataView.cpp:
1405         (JSC::JSDataView::getOwnPropertySlot):
1406         * runtime/JSFunction.cpp:
1407         (JSC::JSFunction::getOwnPropertySlot):
1408         * runtime/JSGenericTypedArrayViewInlines.h:
1409         (JSC::::getOwnPropertySlot):
1410         (JSC::::getOwnPropertySlotByIndex):
1411         * runtime/JSObject.cpp:
1412         (JSC::JSObject::getOwnPropertySlotByIndex):
1413         (JSC::JSObject::fillGetterPropertySlot):
1414         * runtime/JSString.h:
1415         (JSC::JSString::getStringPropertySlot):
1416         * runtime/JSSymbolTableObject.h:
1417         (JSC::symbolTableGet):
1418         * runtime/Lookup.cpp:
1419         (JSC::setUpStaticFunctionSlot):
1420         * runtime/Lookup.h:
1421         (JSC::getStaticPropertySlot):
1422         (JSC::getStaticPropertyDescriptor):
1423         (JSC::getStaticValueSlot):
1424         (JSC::getStaticValueDescriptor):
1425         * runtime/RegExpObject.cpp:
1426         (JSC::RegExpObject::getOwnPropertySlot):
1427         * runtime/SparseArrayValueMap.cpp:
1428         (JSC::SparseArrayEntry::get):
1429             - Pass attributes to PropertySlot::set* methods.
1430
1431 2013-08-17  Mark Hahnenberg  <mhahnenberg@apple.com>
1432
1433         <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
1434
1435         Reviewed by Filip Pizlo.
1436
1437         Added a new mode for DesiredWriteBarrier that allows it to track a position in a 
1438         Vector of WriteBarriers rather than the specific address. The fact that we were 
1439         arbitrarily storing into a Vector's backing store for constants at the end of 
1440         compilation after the Vector could have resized was causing crashes.
1441
1442         * bytecode/CodeBlock.h:
1443         (JSC::CodeBlock::constants):
1444         (JSC::CodeBlock::addConstantLazily):
1445         * dfg/DFGByteCodeParser.cpp:
1446         (JSC::DFG::ByteCodeParser::addConstant):
1447         * dfg/DFGDesiredWriteBarriers.cpp:
1448         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
1449         (JSC::DFG::DesiredWriteBarrier::trigger):
1450         (JSC::DFG::initializeLazyWriteBarrierForConstant):
1451         * dfg/DFGDesiredWriteBarriers.h:
1452         (JSC::DFG::DesiredWriteBarriers::add):
1453         * dfg/DFGFixupPhase.cpp:
1454         (JSC::DFG::FixupPhase::truncateConstantToInt32):
1455         * dfg/DFGGraph.h:
1456         (JSC::DFG::Graph::constantRegisterForConstant):
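
The entry above describes a classic dangling-pointer hazard: a deferred store aimed at a `Vector` element through its address, taken before the `Vector` could grow. The following is an added illustration of the position-tracking idea in plain C++ with `std::vector`; it is not JavaScriptCore's `DesiredWriteBarrier` code, and the `DeferredWrite`, `GrowthResult` and `deferredWriteAfterGrowth` names are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added illustration, not JSC's DesiredWriteBarrier itself: a write that is
// recorded during compilation and applied later must remember a *position* in
// the growable vector, because the vector may reallocate in between and any
// pointer into its old backing store would then dangle.
struct Constant { int value; };

struct DeferredWrite {
    std::vector<Constant>* table;  // the vector object, which stays valid
    size_t index;                  // position within it, which also stays valid
    int newValue;

    // Applied at the end of "compilation": indexes the live backing store.
    void trigger() const { (*table)[index].value = newValue; }
};

struct GrowthResult {
    bool storageMoved;  // did the backing store reallocate between record and trigger?
    bool writeLanded;   // did the deferred write reach the intended element?
};

// Records a deferred write to slot 2, appends `growBy` more constants, then
// triggers the write. Addresses are captured as integers before growth, so the
// comparison never dereferences or compares an invalidated pointer.
GrowthResult deferredWriteAfterGrowth(size_t growBy)
{
    std::vector<Constant> constants(4, Constant{0});
    uintptr_t before = reinterpret_cast<uintptr_t>(constants.data());

    DeferredWrite pending{&constants, 2, 42};  // not: Constant* p = &constants[2]
    for (size_t i = 0; i < growBy; ++i)
        constants.push_back(Constant{0});

    uintptr_t after = reinterpret_cast<uintptr_t>(constants.data());
    pending.trigger();
    return GrowthResult{before != after, constants[2].value == 42};
}
```

With `growBy` large enough to exceed the initial capacity the backing store moves, and the index-based write still lands on the right element; a raw `Constant*` captured before the growth would instead write into freed memory.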
1457
1458 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
1459
1460         DFG should optimize typedArray.byteLength
1461         https://bugs.webkit.org/show_bug.cgi?id=119909
1462
1463         Reviewed by Oliver Hunt.
1464         
1465         This adds typedArray.byteLength inlining to the DFG, and does so without changing
1466         the IR: byteLength is turned into GetArrayLength followed by BitLShift. This is
1467         legal since the byteLength of a typed array cannot exceed
1468         numeric_limits<int32_t>::max().
1469
1470         * bytecode/SpeculatedType.cpp:
1471         (JSC::typedArrayTypeFromSpeculation):
1472         * bytecode/SpeculatedType.h:
1473         * dfg/DFGArrayMode.cpp:
1474         (JSC::DFG::toArrayType):
1475         * dfg/DFGArrayMode.h:
1476         * dfg/DFGFixupPhase.cpp:
1477         (JSC::DFG::FixupPhase::fixupNode):
1478         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
1479         (JSC::DFG::FixupPhase::attemptToMakeGetByteLength):
1480         (JSC::DFG::FixupPhase::convertToGetArrayLength):
1481         (JSC::DFG::FixupPhase::prependGetArrayLength):
1482         * dfg/DFGGraph.h:
1483         (JSC::DFG::Graph::constantRegisterForConstant):
1484         (JSC::DFG::Graph::convertToConstant):
1485         * runtime/TypedArrayType.h:
1486         (JSC::logElementSize):
1487         (JSC::elementSize):
1488
1489 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
1490
1491         DFG optimizes out strict mode arguments tear off
1492         https://bugs.webkit.org/show_bug.cgi?id=119504
1493
1494         Reviewed by Mark Hahnenberg and Oliver Hunt.
1495         
1496         Don't do the optimization for strict mode.
1497
1498         * dfg/DFGArgumentsSimplificationPhase.cpp:
1499         (JSC::DFG::ArgumentsSimplificationPhase::run):
1500         (JSC::DFG::ArgumentsSimplificationPhase::pruneObviousArgumentCreations):
1501
1502 2013-08-16  Benjamin Poulain  <benjamin@webkit.org>
1503
1504         [JSC] x86: improve code generation for xxxTest32
1505         https://bugs.webkit.org/show_bug.cgi?id=119876
1506
1507         Reviewed by Geoffrey Garen.
1508
1509         Try to use testb whenever possible when testing for an immediate value.
1510
1511         When the input is an address and an offset, we can tweak the mask
1512         and offset to be able to generate testb for any byte of the mask.
1513
1514         When the input is a register, we can use testb if we are only interested
1515         in testing the low bits.
1516
1517         * assembler/MacroAssemblerX86Common.h:
1518         (JSC::MacroAssemblerX86Common::branchTest32):
1519         (JSC::MacroAssemblerX86Common::test32):
1520         (JSC::MacroAssemblerX86Common::generateTest32):
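
The two rules stated above (narrow a memory `test32` to `testb` by picking the one byte the mask touches and adjusting the offset; narrow a register `test32` only when the mask lies in the low bits) can be checked against a reference implementation. The code below is an added example written for this page, not JavaScriptCore's `generateTest32`; the `NarrowedTest`, `narrowTest32`, `testNarrowed` and `kSample` names and the sample bytes are constructed, and a little-endian layout is assumed, as on x86.

```cpp
#include <cstdint>

// Added illustration, not JavaScriptCore's own generateTest32: when can a
// 32-bit "test [base+offset], imm32" be narrowed to "testb [base+offset'], imm8"?
struct NarrowedTest {
    bool possible;     // false: the mask spans more than one byte, keep test32
    int offsetAdjust;  // bytes to add to the original offset (little-endian)
    uint8_t mask8;     // the immediate for testb
};

// If every set bit of `mask` lies in a single byte, report that byte's index and
// the mask shifted down into 8 bits. A zero mask is left to the 32-bit path.
NarrowedTest narrowTest32(uint32_t mask)
{
    for (int byteIndex = 0; byteIndex < 4; ++byteIndex) {
        uint32_t byteBits = 0xFFu << (8 * byteIndex);
        if (mask != 0 && (mask & ~byteBits) == 0)
            return NarrowedTest{true, byteIndex, static_cast<uint8_t>(mask >> (8 * byteIndex))};
    }
    return NarrowedTest{false, 0, 0};
}

// Register operand: testb on the low byte register only covers bits 0..7.
bool canUseTestbOnRegister(uint32_t mask)
{
    return mask != 0 && mask <= 0xFFu;
}

// Reference semantics of test32: read the 32-bit little-endian word at
// base+offset and report whether any masked bit is set (ZF clear).
bool test32(const uint8_t* base, int offset, uint32_t mask)
{
    uint32_t value = 0;
    for (int i = 0; i < 4; ++i)
        value |= static_cast<uint32_t>(base[offset + i]) << (8 * i);
    return (value & mask) != 0;
}

// The narrowed form: a single byte load and an 8-bit mask when possible.
bool testNarrowed(const uint8_t* base, int offset, uint32_t mask)
{
    NarrowedTest n = narrowTest32(mask);
    if (!n.possible)
        return test32(base, offset, mask);
    return (base[offset + n.offsetAdjust] & n.mask8) != 0;
}

// Constructed sample memory (not from the page) to exercise both paths.
const uint8_t kSample[8] = {0x01, 0x40, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00};

// Checks that the narrowed test agrees with test32 for single-byte and
// multi-byte masks over the sample memory; returns false on any mismatch.
bool narrowingPreservesResult()
{
    const uint32_t masks[] = {0x1, 0x4000, 0x00FF0000, 0x80000000u, 0x00010100, 0xFFFFFFFFu, 0x41};
    for (int offset = 0; offset < 4; ++offset)
        for (uint32_t mask : masks)
            if (test32(kSample, offset, mask) != testNarrowed(kSample, offset, mask))
                return false;
    return true;
}
```

One caveat the register rule carries on 32-bit x86: without a REX prefix only eax, ebx, ecx and edx have addressable low-byte registers, so a real code generator must also check which register it holds before emitting `testb`.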
1521
1522 2013-08-16  Mark Lam  <mark.lam@apple.com>
1523
1524         <https://bugs.webkit.org/show_bug.cgi?id=119913> Baseline JIT gives erroneous
1525         error message that an object is not a constructor though it expects a function
1526
1527         Reviewed by Michael Saboff.
1528
1529         * jit/JITStubs.cpp:
1530         (JSC::DEFINE_STUB_FUNCTION):
1531
1532 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
1533
1534         Object properties added using dot syntax (o.f = ...) from code that isn't in eval should be less likely to cause an object to become a dictionary
1535         https://bugs.webkit.org/show_bug.cgi?id=119897
1536
1537         Reviewed by Oliver Hunt.
1538         
1539         6-10x speed-up on microbenchmarks that create large static objects. 40-65% speed-up
1540         on Octane/gbemu. 3% overall speed-up on Octane. No slow-downs anywhere; our ability
1541         to turn objects into dictionaries when you're storing using bracket syntax or using
1542         eval is still in place.
1543
1544         * bytecode/CodeBlock.h:
1545         (JSC::CodeBlock::putByIdContext):
1546         * dfg/DFGOperations.cpp:
1547         * jit/JITStubs.cpp:
1548         (JSC::DEFINE_STUB_FUNCTION):
1549         * llint/LLIntSlowPaths.cpp:
1550         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1551         * runtime/JSObject.h:
1552         (JSC::JSObject::putDirectInternal):
1553         * runtime/PutPropertySlot.h:
1554         (JSC::PutPropertySlot::PutPropertySlot):
1555         (JSC::PutPropertySlot::context):
1556         * runtime/Structure.cpp:
1557         (JSC::Structure::addPropertyTransition):
1558         * runtime/Structure.h:
1559
1560 2013-08-16  Balazs Kilvady  <kilvadyb@homejinni.com>
1561
1562         <https://webkit.org/b/119742> REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException
1563
1564         Reviewed by Allan Sandfeld Jensen.
1565
1566         ctiVMHandleException must jump/return using register ra (r31).
1567
1568         * jit/JITStubsMIPS.h:
1569
1570 2013-08-16  Julien Brianceau  <jbrianceau@nds.com>
1571
1572         <https://webkit.org/b/119879> Fix sh4 build after r154156.
1573
1574         Reviewed by Allan Sandfeld Jensen.
1575
1576         Fix typo in JITStubsSH4.h file.
1577
1578         * jit/JITStubsSH4.h:
1579
1580 2013-08-15  Mark Hahnenberg  <mhahnenberg@apple.com>
1581
1582         <https://webkit.org/b/119833> Concurrent compilation thread should not trigger WriteBarriers
1583
1584         Reviewed by Oliver Hunt.
1585
1586         The concurrent compilation thread should interact minimally with the Heap, including not 
1587         triggering WriteBarriers. This is a prerequisite for generational GC.
1588
1589         * JavaScriptCore.xcodeproj/project.pbxproj:
1590         * bytecode/CodeBlock.cpp:
1591         (JSC::CodeBlock::addOrFindConstant):
1592         (JSC::CodeBlock::findConstant):
1593         * bytecode/CodeBlock.h:
1594         (JSC::CodeBlock::addConstantLazily):
1595         * dfg/DFGByteCodeParser.cpp:
1596         (JSC::DFG::ByteCodeParser::getJSConstantForValue):
1597         (JSC::DFG::ByteCodeParser::constantUndefined):
1598         (JSC::DFG::ByteCodeParser::constantNull):
1599         (JSC::DFG::ByteCodeParser::one):
1600         (JSC::DFG::ByteCodeParser::constantNaN):
1601         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1602         * dfg/DFGCommonData.cpp:
1603         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
1604         * dfg/DFGCommonData.h:
1605         * dfg/DFGDesiredTransitions.cpp: Added.
1606         (JSC::DFG::DesiredTransition::DesiredTransition):
1607         (JSC::DFG::DesiredTransition::reallyAdd):
1608         (JSC::DFG::DesiredTransitions::DesiredTransitions):
1609         (JSC::DFG::DesiredTransitions::~DesiredTransitions):
1610         (JSC::DFG::DesiredTransitions::addLazily):
1611         (JSC::DFG::DesiredTransitions::reallyAdd):
1612         * dfg/DFGDesiredTransitions.h: Added.
1613         * dfg/DFGDesiredWeakReferences.cpp: Added.
1614         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
1615         (JSC::DFG::DesiredWeakReferences::~DesiredWeakReferences):
1616         (JSC::DFG::DesiredWeakReferences::addLazily):
1617         (JSC::DFG::DesiredWeakReferences::reallyAdd):
1618         * dfg/DFGDesiredWeakReferences.h: Added.
1619         * dfg/DFGDesiredWriteBarriers.cpp: Added.
1620         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
1621         (JSC::DFG::DesiredWriteBarrier::trigger):
1622         (JSC::DFG::DesiredWriteBarriers::DesiredWriteBarriers):
1623         (JSC::DFG::DesiredWriteBarriers::~DesiredWriteBarriers):
1624         (JSC::DFG::DesiredWriteBarriers::addImpl):
1625         (JSC::DFG::DesiredWriteBarriers::trigger):
1626         * dfg/DFGDesiredWriteBarriers.h: Added.
1627         (JSC::DFG::DesiredWriteBarriers::add):
1628         (JSC::DFG::initializeLazyWriteBarrier):
1629         * dfg/DFGFixupPhase.cpp:
1630         (JSC::DFG::FixupPhase::truncateConstantToInt32):
1631         * dfg/DFGGraph.h:
1632         (JSC::DFG::Graph::convertToConstant):
1633         * dfg/DFGJITCompiler.h:
1634         (JSC::DFG::JITCompiler::addWeakReference):
1635         * dfg/DFGPlan.cpp:
1636         (JSC::DFG::Plan::Plan):
1637         (JSC::DFG::Plan::reallyAdd):
1638         * dfg/DFGPlan.h:
1639         * dfg/DFGSpeculativeJIT32_64.cpp:
1640         (JSC::DFG::SpeculativeJIT::compile):
1641         * dfg/DFGSpeculativeJIT64.cpp:
1642         (JSC::DFG::SpeculativeJIT::compile):
1643         * runtime/WriteBarrier.h:
1644         (JSC::WriteBarrierBase::set):
1645         (JSC::WriteBarrier::WriteBarrier):
1646
1647 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
1648
1649         Fix x86 32-bit build after r154158
1650
1651         * assembler/X86Assembler.h: Add missing #ifdef for the x86_64 instructions.
1652
1653 2013-08-15  Ryosuke Niwa  <rniwa@webkit.org>
1654
1655         Build fix attempt after r154156.
1656
1657         * jit/JITStubs.cpp:
1658         (JSC::cti_vm_handle_exception): encode!
1659
1660 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
1661
1662         [JSC] x86: Use inc and dec when possible
1663         https://bugs.webkit.org/show_bug.cgi?id=119831
1664
1665         Reviewed by Geoffrey Garen.
1666
1667         When incrementing or decrementing by an immediate of 1, use the instructions
1668         inc and dec instead of add and sub.
1669         The instructions have good timing and their encoding is smaller.
1670
1671         * assembler/MacroAssemblerX86Common.h:
1672         (JSC::MacroAssemblerX86_64::add32):
1673         (JSC::MacroAssemblerX86_64::sub32):
1674         * assembler/MacroAssemblerX86_64.h:
1675         (JSC::MacroAssemblerX86_64::add64):
1676         (JSC::MacroAssemblerX86_64::sub64):
1677         * assembler/X86Assembler.h:
1678         (JSC::X86Assembler::dec_r):
1679         (JSC::X86Assembler::decq_r):
1680         (JSC::X86Assembler::inc_r):
1681         (JSC::X86Assembler::incq_r):
1682
1683 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1684
1685         Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
1686         https://bugs.webkit.org/show_bug.cgi?id=119874
1687
1688         Reviewed by Oliver Hunt and Mark Hahnenberg.
1689         
1690         It was a confusion between heuristics in DFG::ArrayMode that are assuming that
1691         you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
1692         sometimes for typed array length accesses, and the FixupPhase assuming that a
1693         ForceExit ArrayMode means that it should continue using a generic GetById.
1694
1695         This fixes the confusion.
1696
1697         * dfg/DFGFixupPhase.cpp:
1698         (JSC::DFG::FixupPhase::fixupNode):
1699
1700 2013-08-15  Mark Lam  <mark.lam@apple.com>
1701
1702         Fix crash when performing activation tearoff.
1703         https://bugs.webkit.org/show_bug.cgi?id=119848
1704
1705         Reviewed by Oliver Hunt.
1706
1707         The activation tearoff crash was due to a bug in the baseline JIT.
1708         If we have a scenario where a baseline JIT frame calls an LLINT
1709         frame, an exception may be thrown while in the LLINT.
1710
1711         Interpreter::throwException() which handles the exception will unwind
1712         all frames until it finds a catcher or sees a host frame. When we
1713         return from the LLINT to the baseline JIT code, the baseline JIT code
1714         erroneously sets topCallFrame to the value in its call frame register,
1715         and starts unwinding the stack frames that have already been unwound.
1716
1717         The fix is:
1718         1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
1719            This is a more accurate description of what this runtime function
1720            is supposed to do, i.e. it handles the exception, which includes doing
1721            nothing (if there are no more frames to unwind).
1722         2. Fix up topCallFrame values so that the HostCallFrameFlag is never
1723            set on it.
1724         3. Reloading the call frame register from topCallFrame when we're
1725            returning from a callee and detect exception handling in progress.
1726
1727         * interpreter/Interpreter.cpp:
1728         (JSC::Interpreter::unwindCallFrame):
1729         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
1730         (JSC::Interpreter::getStackTrace):
1731         * interpreter/Interpreter.h:
1732         (JSC::TopCallFrameSetter::TopCallFrameSetter):
1733         (JSC::TopCallFrameSetter::~TopCallFrameSetter):
1734         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
1735         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
1736         * jit/JIT.h:
1737         * jit/JITExceptions.cpp:
1738         (JSC::uncaughtExceptionHandler):
1739         - Convenience function to get the handler for uncaught exceptions.
1740         * jit/JITExceptions.h:
1741         * jit/JITInlines.h:
1742         (JSC::JIT::reloadCallFrameFromTopCallFrame):
1743         * jit/JITOpcodes32_64.cpp:
1744         (JSC::JIT::privateCompileCTINativeCall):
1745         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
1746         * jit/JITStubs.cpp:
1747         (JSC::throwExceptionFromOpCall):
1748         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
1749         (JSC::cti_vm_handle_exception):
1750         - Check for the case when there are no more frames to unwind.
1751         * jit/JITStubs.h:
1752         * jit/JITStubsARM.h:
1753         * jit/JITStubsARMv7.h:
1754         * jit/JITStubsMIPS.h:
1755         * jit/JITStubsSH4.h:
1756         * jit/JITStubsX86.h:
1757         * jit/JITStubsX86_64.h:
1758         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
1759         * jit/SlowPathCall.h:
1760         (JSC::JITSlowPathCall::call):
1761         - reload cfr from topCallFrame when handling an exception.
1762         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
1763         * jit/ThunkGenerators.cpp:
1764         (JSC::nativeForGenerator):
1765         * llint/LowLevelInterpreter32_64.asm:
1766         * llint/LowLevelInterpreter64.asm:
1767         - reload cfr from topCallFrame when handling an exception.
1768         * runtime/VM.cpp:
1769         (JSC::VM::VM):
1770         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
1771
1772 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1773
1774         Remove some code duplication.
1775         
1776         Rubber stamped by Mark Hahnenberg.
1777
1778         * runtime/JSDataViewPrototype.cpp:
1779         (JSC::getData):
1780         (JSC::setData):
1781
1782 2013-08-15  Julien Brianceau  <jbrianceau@nds.com>
1783
1784         [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
1785         https://bugs.webkit.org/show_bug.cgi?id=119794
1786
1787         Reviewed by Filip Pizlo.
1788
1789         This patch fixes ASSERT failures in debug builds for the sh4 and mips architectures.
1790
1791         * dfg/DFGUseKind.h:
1792         (JSC::DFG::isNumerical):
1793         (JSC::DFG::isDouble):
1794
1795 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1796
1797         http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.
1798
1799         Rubber stamped by Oliver Hunt.
1800         
1801         This was causing some test crashes for me.
1802
1803         * dfg/DFGCapabilities.cpp:
1804         (JSC::DFG::capabilityLevel):
1805
1806 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
1807
1808         [Windows] Clear up improper export declaration.
1809
1810         * runtime/ArrayBufferView.h:
1811
1812 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1813
1814         Unreviewed, remove some unnecessary periods from exceptions.
1815
1816         * runtime/JSDataViewPrototype.cpp:
1817         (JSC::getData):
1818         (JSC::setData):
1819
1820 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1821
1822         Unreviewed, fix 32-bit build.
1823
1824         * dfg/DFGSpeculativeJIT32_64.cpp:
1825         (JSC::DFG::SpeculativeJIT::compile):
1826
1827 2013-08-14  Filip Pizlo  <fpizlo@apple.com>
1828
1829         Typed arrays should be rewritten
1830         https://bugs.webkit.org/show_bug.cgi?id=119064
1831
1832         Reviewed by Oliver Hunt.
1833         
1834         Typed arrays were previously deficient in several major ways:
1835         
1836         - They were defined separately in WebCore and in the jsc shell. The two
1837           implementations were different, and the jsc shell one was basically wrong.
1838           The WebCore one was quite awful, also.
1839         
1840         - Typed arrays were not visible to the JIT except through some weird hooks.
1841           For example, the JIT could not ask "what is the Structure that this typed
1842           array would have if I just allocated it from this global object". Also,
1843           it was difficult to wire any of the typed array intrinsics, because most
1844           of the functionality wasn't visible anywhere in JSC.
1845         
1846         - Typed array allocation was brain-dead. Allocating a typed array involved
1847           two JS objects, two GC weak handles, and three malloc allocations.
1848         
1849         - Neutering. It involved keeping tabs on all native views but not the view
1850           wrappers, even though the native views can autoneuter just by asking the
1851           buffer if it was neutered anytime you touch them; while the JS view
1852           wrappers are the ones that you really want to reach out to.
1853         
1854         - Common case-ing. Most typed arrays have one buffer and one view, and
1855           usually nobody touches the buffer. Yet we created all of that stuff
1856           anyway, using data structures optimized for the case where you had a lot
1857           of views.
1858         
1859         - Semantic goofs. Typed arrays should, in the future, behave like ES
1860           features rather than DOM features, for example when it comes to exceptions.
1861           Firefox already does this and I agree with them.
1862         
1863         This patch cleanses our codebase of these sins:
1864         
1865         - Typed arrays are almost entirely defined in JSC. Only the lifecycle
1866           management of native references to buffers is left to WebCore.
1867         
1868         - Allocating a typed array requires either two GC allocations (a cell and a
1869           copied storage vector) or one GC allocation, a malloc allocation, and a
1870           weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
1871           latter). The latter is only used for oversize arrays. Remember that before
1872           it was 7 allocations no matter what.
1873         
1874         - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
1875           mode/length, void* vector. Before it was a lot more than that - remember,
1876           there were five additional objects that did absolutely nothing for anybody.
1877         
1878         - Native views aren't tracked by the buffer, or by the wrappers. They are
1879           transient. In the future we'll probably switch to not even having them be
1880           malloc'd.
1881         
1882         - Native array buffers have an efficient way of tracking all of their JS view
1883           wrappers, both for neutering, and for lifecycle management. The GC
1884           special-cases native array buffers. This saves a bunch of grief; for example
1885           it means that a JS view wrapper can refer to its buffer via the butterfly,
1886           which would be dead by the time we went to finalize.
1887         
1888         - Typed array semantics now match Firefox, which also happens to be where the
1889           standards are going. The discussion on webkit-dev seemed to confirm that
1890           Chrome is also heading in this direction. This includes making
1891           Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
1892           ArrayBufferView as a JS-visible construct.
1893         
1894         This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
1895         It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
1896         further typed array optimizations in the JSC JITs, including inlining typed
1897         array allocation, inlining more of the accessors, reducing the cost of type
1898         checks, etc.
1899         
1900         An additional property of this patch is that typed arrays are mostly
1901         implemented using templates. This deduplicates a bunch of code, but does mean
1902         that we need some hacks for exporting s_info's of template classes. See
1903         JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
1904         low-impact compared to code duplication.
1905         
1906         Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
1907
1908         * CMakeLists.txt:
1909         * DerivedSources.make:
1910         * GNUmakefile.list.am:
1911         * JSCTypedArrayStubs.h: Removed.
1912         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1913         * JavaScriptCore.xcodeproj/project.pbxproj:
1914         * Target.pri:
1915         * bytecode/ByValInfo.h:
1916         (JSC::hasOptimizableIndexingForClassInfo):
1917         (JSC::jitArrayModeForClassInfo):
1918         (JSC::typedArrayTypeForJITArrayMode):
1919         * bytecode/SpeculatedType.cpp:
1920         (JSC::speculationFromClassInfo):
1921         * dfg/DFGArrayMode.cpp:
1922         (JSC::DFG::toTypedArrayType):
1923         * dfg/DFGArrayMode.h:
1924         (JSC::DFG::ArrayMode::typedArrayType):
1925         * dfg/DFGSpeculativeJIT.cpp:
1926         (JSC::DFG::SpeculativeJIT::checkArray):
1927         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
1928         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
1929         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
1930         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
1931         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
1932         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1933         * dfg/DFGSpeculativeJIT.h:
1934         * dfg/DFGSpeculativeJIT32_64.cpp:
1935         (JSC::DFG::SpeculativeJIT::compile):
1936         * dfg/DFGSpeculativeJIT64.cpp:
1937         (JSC::DFG::SpeculativeJIT::compile):
1938         * heap/CopyToken.h:
1939         * heap/DeferGC.h:
1940         (JSC::DeferGCForAWhile::DeferGCForAWhile):
1941         (JSC::DeferGCForAWhile::~DeferGCForAWhile):
1942         * heap/GCIncomingRefCounted.h: Added.
1943         (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
1944         (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
1945         (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
1946         (JSC::GCIncomingRefCounted::incomingReferenceAt):
1947         (JSC::GCIncomingRefCounted::singletonFlag):
1948         (JSC::GCIncomingRefCounted::hasVectorOfCells):
1949         (JSC::GCIncomingRefCounted::hasAnyIncoming):
1950         (JSC::GCIncomingRefCounted::hasSingleton):
1951         (JSC::GCIncomingRefCounted::singleton):
1952         (JSC::GCIncomingRefCounted::vectorOfCells):
1953         * heap/GCIncomingRefCountedInlines.h: Added.
1954         (JSC::::addIncomingReference):
1955         (JSC::::filterIncomingReferences):
1956         * heap/GCIncomingRefCountedSet.h: Added.
1957         (JSC::GCIncomingRefCountedSet::size):
1958         * heap/GCIncomingRefCountedSetInlines.h: Added.
1959         (JSC::::GCIncomingRefCountedSet):
1960         (JSC::::~GCIncomingRefCountedSet):
1961         (JSC::::addReference):
1962         (JSC::::sweep):
1963         (JSC::::removeAll):
1964         (JSC::::removeDead):
1965         * heap/Heap.cpp:
1966         (JSC::Heap::addReference):
1967         (JSC::Heap::extraSize):
1968         (JSC::Heap::size):
1969         (JSC::Heap::capacity):
1970         (JSC::Heap::collect):
1971         (JSC::Heap::decrementDeferralDepth):
1972         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
1973         * heap/Heap.h:
1974         * interpreter/CallFrame.h:
1975         (JSC::ExecState::dataViewTable):
1976         * jit/JIT.h:
1977         * jit/JITPropertyAccess.cpp:
1978         (JSC::JIT::privateCompileGetByVal):
1979         (JSC::JIT::privateCompilePutByVal):
1980         (JSC::JIT::emitIntTypedArrayGetByVal):
1981         (JSC::JIT::emitFloatTypedArrayGetByVal):
1982         (JSC::JIT::emitIntTypedArrayPutByVal):
1983         (JSC::JIT::emitFloatTypedArrayPutByVal):
1984         * jsc.cpp:
1985         (GlobalObject::finishCreation):
1986         * runtime/ArrayBuffer.cpp:
1987         (JSC::ArrayBuffer::transfer):
1988         * runtime/ArrayBuffer.h:
1989         (JSC::ArrayBuffer::createAdopted):
1990         (JSC::ArrayBuffer::ArrayBuffer):
1991         (JSC::ArrayBuffer::gcSizeEstimateInBytes):
1992         (JSC::ArrayBuffer::pin):
1993         (JSC::ArrayBuffer::unpin):
1994         (JSC::ArrayBufferContents::tryAllocate):
1995         * runtime/ArrayBufferView.cpp:
1996         (JSC::ArrayBufferView::ArrayBufferView):
1997         (JSC::ArrayBufferView::~ArrayBufferView):
1998         (JSC::ArrayBufferView::setNeuterable):
1999         * runtime/ArrayBufferView.h:
2000         (JSC::ArrayBufferView::isNeutered):
2001         (JSC::ArrayBufferView::buffer):
2002         (JSC::ArrayBufferView::baseAddress):
2003         (JSC::ArrayBufferView::byteOffset):
2004         (JSC::ArrayBufferView::verifySubRange):
2005         (JSC::ArrayBufferView::clampOffsetAndNumElements):
2006         (JSC::ArrayBufferView::calculateOffsetAndLength):
2007         * runtime/ClassInfo.h:
2008         * runtime/CommonIdentifiers.h:
2009         * runtime/DataView.cpp: Added.
2010         (JSC::DataView::DataView):
2011         (JSC::DataView::create):
2012         (JSC::DataView::wrap):
2013         * runtime/DataView.h: Added.
2014         (JSC::DataView::byteLength):
2015         (JSC::DataView::getType):
2016         (JSC::DataView::get):
2017         (JSC::DataView::set):
2018         * runtime/Float32Array.h:
2019         * runtime/Float64Array.h:
2020         * runtime/GenericTypedArrayView.h: Added.
2021         (JSC::GenericTypedArrayView::data):
2022         (JSC::GenericTypedArrayView::set):
2023         (JSC::GenericTypedArrayView::setRange):
2024         (JSC::GenericTypedArrayView::zeroRange):
2025         (JSC::GenericTypedArrayView::zeroFill):
2026         (JSC::GenericTypedArrayView::length):
2027         (JSC::GenericTypedArrayView::byteLength):
2028         (JSC::GenericTypedArrayView::item):
2029         (JSC::GenericTypedArrayView::checkInboundData):
2030         (JSC::GenericTypedArrayView::getType):
2031         * runtime/GenericTypedArrayViewInlines.h: Added.
2032         (JSC::::GenericTypedArrayView):
2033         (JSC::::create):
2034         (JSC::::createUninitialized):
2035         (JSC::::subarray):
2036         (JSC::::wrap):
2037         * runtime/IndexingHeader.h:
2038         (JSC::IndexingHeader::arrayBuffer):
2039         (JSC::IndexingHeader::setArrayBuffer):
2040         * runtime/Int16Array.h:
2041         * runtime/Int32Array.h:
2042         * runtime/Int8Array.h:
2043         * runtime/JSArrayBuffer.cpp: Added.
2044         (JSC::JSArrayBuffer::JSArrayBuffer):
2045         (JSC::JSArrayBuffer::finishCreation):
2046         (JSC::JSArrayBuffer::create):
2047         (JSC::JSArrayBuffer::createStructure):
2048         (JSC::JSArrayBuffer::getOwnPropertySlot):
2049         (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
2050         (JSC::JSArrayBuffer::put):
2051         (JSC::JSArrayBuffer::defineOwnProperty):
2052         (JSC::JSArrayBuffer::deleteProperty):
2053         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
2054         * runtime/JSArrayBuffer.h: Added.
2055         (JSC::JSArrayBuffer::impl):
2056         (JSC::toArrayBuffer):
2057         * runtime/JSArrayBufferConstructor.cpp: Added.
2058         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
2059         (JSC::JSArrayBufferConstructor::finishCreation):
2060         (JSC::JSArrayBufferConstructor::create):
2061         (JSC::JSArrayBufferConstructor::createStructure):
2062         (JSC::constructArrayBuffer):
2063         (JSC::JSArrayBufferConstructor::getConstructData):
2064         (JSC::JSArrayBufferConstructor::getCallData):
2065         * runtime/JSArrayBufferConstructor.h: Added.
2066         * runtime/JSArrayBufferPrototype.cpp: Added.
2067         (JSC::arrayBufferProtoFuncSlice):
2068         (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
2069         (JSC::JSArrayBufferPrototype::finishCreation):
2070         (JSC::JSArrayBufferPrototype::create):
2071         (JSC::JSArrayBufferPrototype::createStructure):
2072         * runtime/JSArrayBufferPrototype.h: Added.
2073         * runtime/JSArrayBufferView.cpp: Added.
2074         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2075         (JSC::JSArrayBufferView::JSArrayBufferView):
2076         (JSC::JSArrayBufferView::finishCreation):
2077         (JSC::JSArrayBufferView::getOwnPropertySlot):
2078         (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
2079         (JSC::JSArrayBufferView::put):
2080         (JSC::JSArrayBufferView::defineOwnProperty):
2081         (JSC::JSArrayBufferView::deleteProperty):
2082         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
2083         (JSC::JSArrayBufferView::finalize):
2084         * runtime/JSArrayBufferView.h: Added.
2085         (JSC::JSArrayBufferView::sizeOf):
2086         (JSC::JSArrayBufferView::ConstructionContext::operator!):
2087         (JSC::JSArrayBufferView::ConstructionContext::structure):
2088         (JSC::JSArrayBufferView::ConstructionContext::vector):
2089         (JSC::JSArrayBufferView::ConstructionContext::length):
2090         (JSC::JSArrayBufferView::ConstructionContext::mode):
2091         (JSC::JSArrayBufferView::ConstructionContext::butterfly):
2092         (JSC::JSArrayBufferView::mode):
2093         (JSC::JSArrayBufferView::vector):
2094         (JSC::JSArrayBufferView::length):
2095         (JSC::JSArrayBufferView::offsetOfVector):
2096         (JSC::JSArrayBufferView::offsetOfLength):
2097         (JSC::JSArrayBufferView::offsetOfMode):
2098         * runtime/JSArrayBufferViewInlines.h: Added.
2099         (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
2100         (JSC::JSArrayBufferView::buffer):
2101         (JSC::JSArrayBufferView::impl):
2102         (JSC::JSArrayBufferView::neuter):
2103         (JSC::JSArrayBufferView::byteOffset):
2104         * runtime/JSCell.cpp:
2105         (JSC::JSCell::slowDownAndWasteMemory):
2106         (JSC::JSCell::getTypedArrayImpl):
2107         * runtime/JSCell.h:
2108         * runtime/JSDataView.cpp: Added.
2109         (JSC::JSDataView::JSDataView):
2110         (JSC::JSDataView::create):
2111         (JSC::JSDataView::createUninitialized):
2112         (JSC::JSDataView::set):
2113         (JSC::JSDataView::typedImpl):
2114         (JSC::JSDataView::getOwnPropertySlot):
2115         (JSC::JSDataView::getOwnPropertyDescriptor):
2116         (JSC::JSDataView::slowDownAndWasteMemory):
2117         (JSC::JSDataView::getTypedArrayImpl):
2118         (JSC::JSDataView::createStructure):
2119         * runtime/JSDataView.h: Added.
2120         * runtime/JSDataViewPrototype.cpp: Added.
2121         (JSC::JSDataViewPrototype::JSDataViewPrototype):
2122         (JSC::JSDataViewPrototype::create):
2123         (JSC::JSDataViewPrototype::createStructure):
2124         (JSC::JSDataViewPrototype::getOwnPropertySlot):
2125         (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
2126         (JSC::getData):
2127         (JSC::setData):
2128         (JSC::dataViewProtoFuncGetInt8):
2129         (JSC::dataViewProtoFuncGetInt16):
2130         (JSC::dataViewProtoFuncGetInt32):
2131         (JSC::dataViewProtoFuncGetUint8):
2132         (JSC::dataViewProtoFuncGetUint16):
2133         (JSC::dataViewProtoFuncGetUint32):
2134         (JSC::dataViewProtoFuncGetFloat32):
2135         (JSC::dataViewProtoFuncGetFloat64):
2136         (JSC::dataViewProtoFuncSetInt8):
2137         (JSC::dataViewProtoFuncSetInt16):
2138         (JSC::dataViewProtoFuncSetInt32):
2139         (JSC::dataViewProtoFuncSetUint8):
2140         (JSC::dataViewProtoFuncSetUint16):
2141         (JSC::dataViewProtoFuncSetUint32):
2142         (JSC::dataViewProtoFuncSetFloat32):
2143         (JSC::dataViewProtoFuncSetFloat64):
2144         * runtime/JSDataViewPrototype.h: Added.
2145         * runtime/JSFloat32Array.h: Added.
2146         * runtime/JSFloat64Array.h: Added.
2147         * runtime/JSGenericTypedArrayView.h: Added.
2148         (JSC::JSGenericTypedArrayView::byteLength):
2149         (JSC::JSGenericTypedArrayView::byteSize):
2150         (JSC::JSGenericTypedArrayView::typedVector):
2151         (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
2152         (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
2153         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
2154         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
2155         (JSC::JSGenericTypedArrayView::getIndexQuickly):
2156         (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
2157         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
2158         (JSC::JSGenericTypedArrayView::setIndexQuickly):
2159         (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
2160         (JSC::JSGenericTypedArrayView::typedImpl):
2161         (JSC::JSGenericTypedArrayView::createStructure):
2162         (JSC::JSGenericTypedArrayView::info):
2163         (JSC::toNativeTypedView):
2164         * runtime/JSGenericTypedArrayViewConstructor.h: Added.
2165         * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
2166         (JSC::::JSGenericTypedArrayViewConstructor):
2167         (JSC::::finishCreation):
2168         (JSC::::create):
2169         (JSC::::createStructure):
2170         (JSC::constructGenericTypedArrayView):
2171         (JSC::::getConstructData):
2172         (JSC::::getCallData):
2173         * runtime/JSGenericTypedArrayViewInlines.h: Added.
2174         (JSC::::JSGenericTypedArrayView):
2175         (JSC::::create):
2176         (JSC::::createUninitialized):
2177         (JSC::::validateRange):
2178         (JSC::::setWithSpecificType):
2179         (JSC::::set):
2180         (JSC::::getOwnPropertySlot):
2181         (JSC::::getOwnPropertyDescriptor):
2182         (JSC::::put):
2183         (JSC::::defineOwnProperty):
2184         (JSC::::deleteProperty):
2185         (JSC::::getOwnPropertySlotByIndex):
2186         (JSC::::putByIndex):
2187         (JSC::::deletePropertyByIndex):
2188         (JSC::::getOwnNonIndexPropertyNames):
2189         (JSC::::getOwnPropertyNames):
2190         (JSC::::visitChildren):
2191         (JSC::::copyBackingStore):
2192         (JSC::::slowDownAndWasteMemory):
2193         (JSC::::getTypedArrayImpl):
2194         * runtime/JSGenericTypedArrayViewPrototype.h: Added.
2195         * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
2196         (JSC::genericTypedArrayViewProtoFuncSet):
2197         (JSC::genericTypedArrayViewProtoFuncSubarray):
2198         (JSC::::JSGenericTypedArrayViewPrototype):
2199         (JSC::::finishCreation):
2200         (JSC::::create):
2201         (JSC::::createStructure):
2202         * runtime/JSGlobalObject.cpp:
2203         (JSC::JSGlobalObject::reset):
2204         (JSC::JSGlobalObject::visitChildren):
2205         * runtime/JSGlobalObject.h:
2206         (JSC::JSGlobalObject::arrayBufferPrototype):
2207         (JSC::JSGlobalObject::arrayBufferStructure):
2208         (JSC::JSGlobalObject::typedArrayStructure):
2209         * runtime/JSInt16Array.h: Added.
2210         * runtime/JSInt32Array.h: Added.
2211         * runtime/JSInt8Array.h: Added.
2212         * runtime/JSTypedArrayConstructors.cpp: Added.
2213         * runtime/JSTypedArrayConstructors.h: Added.
2214         * runtime/JSTypedArrayPrototypes.cpp: Added.
2215         * runtime/JSTypedArrayPrototypes.h: Added.
2216         * runtime/JSTypedArrays.cpp: Added.
2217         * runtime/JSTypedArrays.h: Added.
2218         * runtime/JSUint16Array.h: Added.
2219         * runtime/JSUint32Array.h: Added.
2220         * runtime/JSUint8Array.h: Added.
2221         * runtime/JSUint8ClampedArray.h: Added.
2222         * runtime/Operations.h:
2223         * runtime/Options.h:
2224         * runtime/SimpleTypedArrayController.cpp: Added.
2225         (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
2226         (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
2227         (JSC::SimpleTypedArrayController::toJS):
2228         * runtime/SimpleTypedArrayController.h: Added.
2229         * runtime/Structure.h:
2230         (JSC::Structure::couldHaveIndexingHeader):
2231         * runtime/StructureInlines.h:
2232         (JSC::Structure::hasIndexingHeader):
2233         * runtime/TypedArrayAdaptors.h: Added.
2234         (JSC::IntegralTypedArrayAdaptor::toNative):
2235         (JSC::IntegralTypedArrayAdaptor::toJSValue):
2236         (JSC::IntegralTypedArrayAdaptor::toDouble):
2237         (JSC::FloatTypedArrayAdaptor::toNative):
2238         (JSC::FloatTypedArrayAdaptor::toJSValue):
2239         (JSC::FloatTypedArrayAdaptor::toDouble):
2240         (JSC::Uint8ClampedAdaptor::toNative):
2241         (JSC::Uint8ClampedAdaptor::toJSValue):
2242         (JSC::Uint8ClampedAdaptor::toDouble):
2243         (JSC::Uint8ClampedAdaptor::clamp):
2244         * runtime/TypedArrayController.cpp: Added.
2245         (JSC::TypedArrayController::TypedArrayController):
2246         (JSC::TypedArrayController::~TypedArrayController):
2247         * runtime/TypedArrayController.h: Added.
2248         * runtime/TypedArrayDescriptor.h: Removed.
2249         * runtime/TypedArrayInlines.h: Added.
2250         * runtime/TypedArrayType.cpp: Added.
2251         (JSC::classInfoForType):
2252         (WTF::printInternal):
2253         * runtime/TypedArrayType.h: Added.
2254         (JSC::toIndex):
2255         (JSC::isTypedView):
2256         (JSC::elementSize):
2257         (JSC::isInt):
2258         (JSC::isFloat):
2259         (JSC::isSigned):
2260         (JSC::isClamped):
2261         * runtime/TypedArrays.h: Added.
2262         * runtime/Uint16Array.h:
2263         * runtime/Uint32Array.h:
2264         * runtime/Uint8Array.h:
2265         * runtime/Uint8ClampedArray.h:
2266         * runtime/VM.cpp:
2267         (JSC::VM::VM):
2268         (JSC::VM::~VM):
2269         * runtime/VM.h:
2270
2271 2013-08-15  Oliver Hunt  <oliver@apple.com>
2272
2273         <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure
2274
2275         Reviewed by Filip Pizlo.
2276
2277         Make sure dfgCapabilities doesn't report a Dynamic put as
2278         being compilable when we don't actually support it.
2279
2280         * bytecode/CodeBlock.cpp:
2281         (JSC::CodeBlock::dumpBytecode):
2282         * dfg/DFGCapabilities.cpp:
2283         (JSC::DFG::capabilityLevel):
2284
2285 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
2286
2287         [Windows] Incorrect DLL Linkage for JSC ArrayBuffer and ArrayBufferView
2288         https://bugs.webkit.org/show_bug.cgi?id=119847
2289
2290         Reviewed by Oliver Hunt.
2291
2292         * runtime/ArrayBuffer.h: Switch from WTF_EXPORT_PRIVATE to JS_EXPORT_PRIVATE
2293         * runtime/ArrayBufferView.h: Ditto.
2294
2295 2013-08-15  Gavin Barraclough  <barraclough@apple.com>
2296
2297         https://bugs.webkit.org/show_bug.cgi?id=119843
2298         PropertySlot::setValue is ambiguous
2299
2300         Reviewed by Geoff Garen.
2301
2302         There are three different versions of PropertySlot::setValue, one for cacheable properties, and two that are used interchangeably and inconsistently.
2303         The problematic variants are the ones that just take a value, and one that takes a value and also the object containing the property.
2304         Unify on always providing the object, and remove the version that just takes a value.
2305         This always works except for JSString, where we optimize out the object (logically we should be instantiating a temporary StringObject on every property access).
2306         Provide a version of setValue that takes a JSString as the owner of the property.
2307         We won't store this, but it makes it clear that this interface should only be used from JSString.
2308
2309         * API/JSCallbackObjectFunctions.h:
2310         (JSC::::getOwnPropertySlot):
2311         * JSCTypedArrayStubs.h:
2312         * runtime/Arguments.cpp:
2313         (JSC::Arguments::getOwnPropertySlotByIndex):
2314         (JSC::Arguments::getOwnPropertySlot):
2315         * runtime/JSActivation.cpp:
2316         (JSC::JSActivation::symbolTableGet):
2317         (JSC::JSActivation::getOwnPropertySlot):
2318         * runtime/JSArray.cpp:
2319         (JSC::JSArray::getOwnPropertySlot):
2320         * runtime/JSObject.cpp:
2321         (JSC::JSObject::getOwnPropertySlotByIndex):
2322         * runtime/JSString.h:
2323         (JSC::JSString::getStringPropertySlot):
2324         * runtime/JSSymbolTableObject.h:
2325         (JSC::symbolTableGet):
2326         * runtime/SparseArrayValueMap.cpp:
2327         (JSC::SparseArrayEntry::get):
2328             - Pass object containing property to PropertySlot::setValue
2329         * runtime/PropertySlot.h:
2330         (JSC::PropertySlot::setValue):
2331             - Logically, the base of a string property access is a temporary StringObject, but we optimize that away.
2332         (JSC::PropertySlot::setUndefined):
2333             - removed setValue(JSValue), added setValue(JSString*, JSValue)
2334
2335 2013-08-15  Oliver Hunt  <oliver@apple.com>
2336
2337         Remove bogus assertion.
2338
2339         RS=Filip Pizlo
2340
2341         * dfg/DFGAbstractInterpreterInlines.h:
2342         (JSC::DFG::::executeEffects):
2343
2344 2013-08-15  Allan Sandfeld Jensen  <allan.jensen@digia.com>
2345
2346         REGRESSION(r148790) Made 7 tests fail on x86 32bit
2347         https://bugs.webkit.org/show_bug.cgi?id=114913
2348
2349         Reviewed by Filip Pizlo.
2350
2351         The X87 register was not freed before some calls. Instead
2352         of inserting resetX87Registers at the last call sites,
2353         the two X87 registers are now freed in every call.
2354
2355         * llint/LowLevelInterpreter32_64.asm:
2356         * llint/LowLevelInterpreter64.asm:
2357         * offlineasm/instructions.rb:
2358         * offlineasm/x86.rb:
2359
2360 2013-08-14  Michael Saboff  <msaboff@apple.com>
2361
2362         Fixed jit on Win64.
2363         https://bugs.webkit.org/show_bug.cgi?id=119601
2364
2365         Reviewed by Oliver Hunt.
2366
2367         * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation.
2368         * jit/JSInterfaceJIT.h: Added thirdArgumentRegister.
2369         * jit/SlowPathCall.h:
2370         (JSC::JITSlowPathCall::call): Added correct calling convention for Win64.
2371
2372 2013-08-14  Alex Christensen  <achristensen@apple.com>
2373
2374         Compile fix for Win64 with jit disabled.
2375         https://bugs.webkit.org/show_bug.cgi?id=119804
2376
2377         Reviewed by Michael Saboff.
2378
2379         * offlineasm/cloop.rb: Added std:: before isnan.
2380
2381 2013-08-14  Julien Brianceau  <jbrianceau@nds.com>
2382
2383         DFG_JIT implementation for sh4 architecture.
2384         https://bugs.webkit.org/show_bug.cgi?id=119737
2385
2386         Reviewed by Oliver Hunt.
2387
2388         * assembler/MacroAssemblerSH4.h:
2389         (JSC::MacroAssemblerSH4::invert):
2390         (JSC::MacroAssemblerSH4::add32):
2391         (JSC::MacroAssemblerSH4::and32):
2392         (JSC::MacroAssemblerSH4::lshift32):
2393         (JSC::MacroAssemblerSH4::mul32):
2394         (JSC::MacroAssemblerSH4::or32):
2395         (JSC::MacroAssemblerSH4::rshift32):
2396         (JSC::MacroAssemblerSH4::sub32):
2397         (JSC::MacroAssemblerSH4::xor32):
2398         (JSC::MacroAssemblerSH4::store32):
2399         (JSC::MacroAssemblerSH4::swapDouble):
2400         (JSC::MacroAssemblerSH4::storeDouble):
2401         (JSC::MacroAssemblerSH4::subDouble):
2402         (JSC::MacroAssemblerSH4::mulDouble):
2403         (JSC::MacroAssemblerSH4::divDouble):
2404         (JSC::MacroAssemblerSH4::negateDouble):
2405         (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
2406         (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
2407         (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
2408         (JSC::MacroAssemblerSH4::swap):
2409         (JSC::MacroAssemblerSH4::jump):
2410         (JSC::MacroAssemblerSH4::branchNeg32):
2411         (JSC::MacroAssemblerSH4::branchAdd32):
2412         (JSC::MacroAssemblerSH4::branchMul32):
2413         (JSC::MacroAssemblerSH4::urshift32):
2414         * assembler/SH4Assembler.h:
2415         (JSC::SH4Assembler::SH4Assembler):
2416         (JSC::SH4Assembler::labelForWatchpoint):
2417         (JSC::SH4Assembler::label):
2418         (JSC::SH4Assembler::debugOffset):
2419         * dfg/DFGAssemblyHelpers.h:
2420         (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
2421         (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
2422         (JSC::DFG::AssemblyHelpers::debugCall):
2423         * dfg/DFGCCallHelpers.h:
2424         (JSC::DFG::CCallHelpers::setupArguments):
2425         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
2426         * dfg/DFGFPRInfo.h:
2427         (JSC::DFG::FPRInfo::toRegister):
2428         (JSC::DFG::FPRInfo::toIndex):
2429         (JSC::DFG::FPRInfo::debugName):
2430         * dfg/DFGGPRInfo.h:
2431         (JSC::DFG::GPRInfo::toRegister):
2432         (JSC::DFG::GPRInfo::toIndex):
2433         (JSC::DFG::GPRInfo::debugName):
2434         * dfg/DFGOperations.cpp:
2435         * dfg/DFGSpeculativeJIT.h:
2436         (JSC::DFG::SpeculativeJIT::callOperation):
2437         * jit/JITStubs.h:
2438         * jit/JITStubsSH4.h:
2439
2440 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
2441
2442         Unreviewed, fix build.
2443
2444         * API/JSValue.mm:
2445         (isDate):
2446         (isArray):
2447         * API/JSWrapperMap.mm:
2448         (tryUnwrapObjcObject):
2449         * API/ObjCCallbackFunction.mm:
2450         (tryUnwrapBlock):
2451
2452 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
2453
2454         Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
2455         https://bugs.webkit.org/show_bug.cgi?id=119770
2456
2457         Reviewed by Mark Hahnenberg.
2458
2459         * API/JSCallbackConstructor.cpp:
2460         (JSC::JSCallbackConstructor::finishCreation):
2461         * API/JSCallbackConstructor.h:
2462         (JSC::JSCallbackConstructor::createStructure):
2463         * API/JSCallbackFunction.cpp:
2464         (JSC::JSCallbackFunction::finishCreation):
2465         * API/JSCallbackFunction.h:
2466         (JSC::JSCallbackFunction::createStructure):
2467         * API/JSCallbackObject.cpp:
2468         (JSC::::createStructure):
2469         * API/JSCallbackObject.h:
2470         (JSC::JSCallbackObject::visitChildren):
2471         * API/JSCallbackObjectFunctions.h:
2472         (JSC::::asCallbackObject):
2473         (JSC::::finishCreation):
2474         * API/JSObjectRef.cpp:
2475         (JSObjectGetPrivate):
2476         (JSObjectSetPrivate):
2477         (JSObjectGetPrivateProperty):
2478         (JSObjectSetPrivateProperty):
2479         (JSObjectDeletePrivateProperty):
2480         * API/JSValueRef.cpp:
2481         (JSValueIsObjectOfClass):
2482         * API/JSWeakObjectMapRefPrivate.cpp:
2483         * API/ObjCCallbackFunction.h:
2484         (JSC::ObjCCallbackFunction::createStructure):
2485         * JSCTypedArrayStubs.h:
2486         * bytecode/CallLinkStatus.cpp:
2487         (JSC::CallLinkStatus::CallLinkStatus):
2488         (JSC::CallLinkStatus::function):
2489         (JSC::CallLinkStatus::internalFunction):
2490         * bytecode/CodeBlock.h:
2491         (JSC::baselineCodeBlockForInlineCallFrame):
2492         * bytecode/SpeculatedType.cpp:
2493         (JSC::speculationFromClassInfo):
2494         * bytecode/UnlinkedCodeBlock.cpp:
2495         (JSC::UnlinkedFunctionExecutable::visitChildren):
2496         (JSC::UnlinkedCodeBlock::visitChildren):
2497         (JSC::UnlinkedProgramCodeBlock::visitChildren):
2498         * bytecode/UnlinkedCodeBlock.h:
2499         (JSC::UnlinkedFunctionExecutable::createStructure):
2500         (JSC::UnlinkedProgramCodeBlock::createStructure):
2501         (JSC::UnlinkedEvalCodeBlock::createStructure):
2502         (JSC::UnlinkedFunctionCodeBlock::createStructure):
2503         * debugger/Debugger.cpp:
2504         * debugger/DebuggerActivation.cpp:
2505         (JSC::DebuggerActivation::visitChildren):
2506         * debugger/DebuggerActivation.h:
2507         (JSC::DebuggerActivation::createStructure):
2508         * debugger/DebuggerCallFrame.cpp:
2509         (JSC::DebuggerCallFrame::functionName):
2510         * dfg/DFGAbstractInterpreterInlines.h:
2511         (JSC::DFG::::executeEffects):
2512         * dfg/DFGByteCodeParser.cpp:
2513         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2514         (JSC::DFG::ByteCodeParser::parseBlock):
2515         * dfg/DFGFixupPhase.cpp:
2516         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
2517         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
2518         * dfg/DFGGraph.cpp:
2519         (JSC::DFG::Graph::dump):
2520         * dfg/DFGGraph.h:
2521         (JSC::DFG::Graph::isInternalFunctionConstant):
2522         * dfg/DFGOperations.cpp:
2523         * dfg/DFGSpeculativeJIT.cpp:
2524         (JSC::DFG::SpeculativeJIT::checkArray):
2525         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2526         * dfg/DFGThunks.cpp:
2527         (JSC::DFG::virtualForThunkGenerator):
2528         * interpreter/Interpreter.cpp:
2529         (JSC::loadVarargs):
2530         * jsc.cpp:
2531         (GlobalObject::createStructure):
2532         * profiler/LegacyProfiler.cpp:
2533         (JSC::LegacyProfiler::createCallIdentifier):
2534         * runtime/Arguments.cpp:
2535         (JSC::Arguments::visitChildren):
2536         * runtime/Arguments.h:
2537         (JSC::Arguments::createStructure):
2538         (JSC::asArguments):
2539         (JSC::Arguments::finishCreation):
2540         * runtime/ArrayConstructor.cpp:
2541         (JSC::arrayConstructorIsArray):
2542         * runtime/ArrayConstructor.h:
2543         (JSC::ArrayConstructor::createStructure):
2544         * runtime/ArrayPrototype.cpp:
2545         (JSC::ArrayPrototype::finishCreation):
2546         (JSC::arrayProtoFuncConcat):
2547         (JSC::attemptFastSort):
2548         * runtime/ArrayPrototype.h:
2549         (JSC::ArrayPrototype::createStructure):
2550         * runtime/BooleanConstructor.h:
2551         (JSC::BooleanConstructor::createStructure):
2552         * runtime/BooleanObject.cpp:
2553         (JSC::BooleanObject::finishCreation):
2554         * runtime/BooleanObject.h:
2555         (JSC::BooleanObject::createStructure):
2556         (JSC::asBooleanObject):
2557         * runtime/BooleanPrototype.cpp:
2558         (JSC::BooleanPrototype::finishCreation):
2559         (JSC::booleanProtoFuncToString):
2560         (JSC::booleanProtoFuncValueOf):
2561         * runtime/BooleanPrototype.h:
2562         (JSC::BooleanPrototype::createStructure):
2563         * runtime/DateConstructor.cpp:
2564         (JSC::constructDate):
2565         * runtime/DateConstructor.h:
2566         (JSC::DateConstructor::createStructure):
2567         * runtime/DateInstance.cpp:
2568         (JSC::DateInstance::finishCreation):
2569         * runtime/DateInstance.h:
2570         (JSC::DateInstance::createStructure):
2571         (JSC::asDateInstance):
2572         * runtime/DatePrototype.cpp:
2573         (JSC::formateDateInstance):
2574         (JSC::DatePrototype::finishCreation):
2575         (JSC::dateProtoFuncToISOString):
2576         (JSC::dateProtoFuncToLocaleString):
2577         (JSC::dateProtoFuncToLocaleDateString):
2578         (JSC::dateProtoFuncToLocaleTimeString):
2579         (JSC::dateProtoFuncGetTime):
2580         (JSC::dateProtoFuncGetFullYear):
2581         (JSC::dateProtoFuncGetUTCFullYear):
2582         (JSC::dateProtoFuncGetMonth):
2583         (JSC::dateProtoFuncGetUTCMonth):
2584         (JSC::dateProtoFuncGetDate):
2585         (JSC::dateProtoFuncGetUTCDate):
2586         (JSC::dateProtoFuncGetDay):
2587         (JSC::dateProtoFuncGetUTCDay):
2588         (JSC::dateProtoFuncGetHours):
2589         (JSC::dateProtoFuncGetUTCHours):
2590         (JSC::dateProtoFuncGetMinutes):
2591         (JSC::dateProtoFuncGetUTCMinutes):
2592         (JSC::dateProtoFuncGetSeconds):
2593         (JSC::dateProtoFuncGetUTCSeconds):
2594         (JSC::dateProtoFuncGetMilliSeconds):
2595         (JSC::dateProtoFuncGetUTCMilliseconds):
2596         (JSC::dateProtoFuncGetTimezoneOffset):
2597         (JSC::dateProtoFuncSetTime):
2598         (JSC::setNewValueFromTimeArgs):
2599         (JSC::setNewValueFromDateArgs):
2600         (JSC::dateProtoFuncSetYear):
2601         (JSC::dateProtoFuncGetYear):
2602         * runtime/DatePrototype.h:
2603         (JSC::DatePrototype::createStructure):
2604         * runtime/Error.h:
2605         (JSC::StrictModeTypeErrorFunction::createStructure):
2606         * runtime/ErrorConstructor.h:
2607         (JSC::ErrorConstructor::createStructure):
2608         * runtime/ErrorInstance.cpp:
2609         (JSC::ErrorInstance::finishCreation):
2610         * runtime/ErrorInstance.h:
2611         (JSC::ErrorInstance::createStructure):
2612         * runtime/ErrorPrototype.cpp:
2613         (JSC::ErrorPrototype::finishCreation):
2614         * runtime/ErrorPrototype.h:
2615         (JSC::ErrorPrototype::createStructure):
2616         * runtime/ExceptionHelpers.cpp:
2617         (JSC::isTerminatedExecutionException):
2618         * runtime/ExceptionHelpers.h:
2619         (JSC::TerminatedExecutionError::createStructure):
2620         * runtime/Executable.cpp:
2621         (JSC::EvalExecutable::visitChildren):
2622         (JSC::ProgramExecutable::visitChildren):
2623         (JSC::FunctionExecutable::visitChildren):
2624         (JSC::ExecutableBase::hashFor):
2625         * runtime/Executable.h:
2626         (JSC::ExecutableBase::createStructure):
2627         (JSC::NativeExecutable::createStructure):
2628         (JSC::EvalExecutable::createStructure):
2629         (JSC::ProgramExecutable::createStructure):
2630         (JSC::FunctionExecutable::compileFor):
2631         (JSC::FunctionExecutable::compileOptimizedFor):
2632         (JSC::FunctionExecutable::createStructure):
2633         * runtime/FunctionConstructor.h:
2634         (JSC::FunctionConstructor::createStructure):
2635         * runtime/FunctionPrototype.cpp:
2636         (JSC::functionProtoFuncToString):
2637         (JSC::functionProtoFuncApply):
2638         (JSC::functionProtoFuncBind):
2639         * runtime/FunctionPrototype.h:
2640         (JSC::FunctionPrototype::createStructure):
2641         * runtime/GetterSetter.cpp:
2642         (JSC::GetterSetter::visitChildren):
2643         * runtime/GetterSetter.h:
2644         (JSC::GetterSetter::createStructure):
2645         * runtime/InternalFunction.cpp:
2646         (JSC::InternalFunction::finishCreation):
2647         * runtime/InternalFunction.h:
2648         (JSC::InternalFunction::createStructure):
2649         (JSC::asInternalFunction):
2650         * runtime/JSAPIValueWrapper.h:
2651         (JSC::JSAPIValueWrapper::createStructure):
2652         * runtime/JSActivation.cpp:
2653         (JSC::JSActivation::visitChildren):
2654         (JSC::JSActivation::argumentsGetter):
2655         * runtime/JSActivation.h:
2656         (JSC::JSActivation::createStructure):
2657         (JSC::asActivation):
2658         * runtime/JSArray.h:
2659         (JSC::JSArray::createStructure):
2660         (JSC::asArray):
2661         (JSC::isJSArray):
2662         * runtime/JSBoundFunction.cpp:
2663         (JSC::JSBoundFunction::finishCreation):
2664         (JSC::JSBoundFunction::visitChildren):
2665         * runtime/JSBoundFunction.h:
2666         (JSC::JSBoundFunction::createStructure):
2667         * runtime/JSCJSValue.cpp:
2668         (JSC::JSValue::dumpInContext):
2669         * runtime/JSCJSValueInlines.h:
2670         (JSC::JSValue::isFunction):
2671         * runtime/JSCell.h:
2672         (JSC::jsCast):
2673         (JSC::jsDynamicCast):
2674         * runtime/JSCellInlines.h:
2675         (JSC::allocateCell):
2676         * runtime/JSFunction.cpp:
2677         (JSC::JSFunction::finishCreation):
2678         (JSC::JSFunction::visitChildren):
2679         (JSC::skipOverBoundFunctions):
2680         (JSC::JSFunction::callerGetter):
2681         * runtime/JSFunction.h:
2682         (JSC::JSFunction::createStructure):
2683         * runtime/JSGlobalObject.cpp:
2684         (JSC::JSGlobalObject::visitChildren):
2685         (JSC::slowValidateCell):
2686         * runtime/JSGlobalObject.h:
2687         (JSC::JSGlobalObject::createStructure):
2688         * runtime/JSNameScope.cpp:
2689         (JSC::JSNameScope::visitChildren):
2690         * runtime/JSNameScope.h:
2691         (JSC::JSNameScope::createStructure):
2692         * runtime/JSNotAnObject.h:
2693         (JSC::JSNotAnObject::createStructure):
2694         * runtime/JSONObject.cpp:
2695         (JSC::JSONObject::finishCreation):
2696         (JSC::unwrapBoxedPrimitive):
2697         (JSC::Stringifier::Stringifier):
2698         (JSC::Stringifier::appendStringifiedValue):
2699         (JSC::Stringifier::Holder::Holder):
2700         (JSC::Walker::walk):
2701         (JSC::JSONProtoFuncStringify):
2702         * runtime/JSONObject.h:
2703         (JSC::JSONObject::createStructure):
2704         * runtime/JSObject.cpp:
2705         (JSC::getCallableObjectSlow):
2706         (JSC::JSObject::visitChildren):
2707         (JSC::JSObject::copyBackingStore):
2708         (JSC::JSFinalObject::visitChildren):
2709         (JSC::JSObject::ensureInt32Slow):
2710         (JSC::JSObject::ensureDoubleSlow):
2711         (JSC::JSObject::ensureContiguousSlow):
2712         (JSC::JSObject::ensureArrayStorageSlow):
2713         * runtime/JSObject.h:
2714         (JSC::JSObject::finishCreation):
2715         (JSC::JSObject::createStructure):
2716         (JSC::JSNonFinalObject::createStructure):
2717         (JSC::JSFinalObject::createStructure):
2718         (JSC::isJSFinalObject):
2719         * runtime/JSPropertyNameIterator.cpp:
2720         (JSC::JSPropertyNameIterator::visitChildren):
2721         * runtime/JSPropertyNameIterator.h:
2722         (JSC::JSPropertyNameIterator::createStructure):
2723         * runtime/JSProxy.cpp:
2724         (JSC::JSProxy::visitChildren):
2725         * runtime/JSProxy.h:
2726         (JSC::JSProxy::createStructure):
2727         * runtime/JSScope.cpp:
2728         (JSC::JSScope::visitChildren):
2729         * runtime/JSSegmentedVariableObject.cpp:
2730         (JSC::JSSegmentedVariableObject::visitChildren):
2731         * runtime/JSString.h:
2732         (JSC::JSString::createStructure):
2733         (JSC::isJSString):
2734         * runtime/JSSymbolTableObject.cpp:
2735         (JSC::JSSymbolTableObject::visitChildren):
2736         * runtime/JSVariableObject.h:
2737         * runtime/JSWithScope.cpp:
2738         (JSC::JSWithScope::visitChildren):
2739         * runtime/JSWithScope.h:
2740         (JSC::JSWithScope::createStructure):
2741         * runtime/JSWrapperObject.cpp:
2742         (JSC::JSWrapperObject::visitChildren):
2743         * runtime/JSWrapperObject.h:
2744         (JSC::JSWrapperObject::createStructure):
2745         * runtime/MathObject.cpp:
2746         (JSC::MathObject::finishCreation):
2747         * runtime/MathObject.h:
2748         (JSC::MathObject::createStructure):
2749         * runtime/NameConstructor.h:
2750         (JSC::NameConstructor::createStructure):
2751         * runtime/NameInstance.h:
2752         (JSC::NameInstance::createStructure):
2753         (JSC::NameInstance::finishCreation):
2754         * runtime/NamePrototype.cpp:
2755         (JSC::NamePrototype::finishCreation):
2756         (JSC::privateNameProtoFuncToString):
2757         * runtime/NamePrototype.h:
2758         (JSC::NamePrototype::createStructure):
2759         * runtime/NativeErrorConstructor.cpp:
2760         (JSC::NativeErrorConstructor::visitChildren):
2761         * runtime/NativeErrorConstructor.h:
2762         (JSC::NativeErrorConstructor::createStructure):
2763         (JSC::NativeErrorConstructor::finishCreation):
2764         * runtime/NumberConstructor.cpp:
2765         (JSC::NumberConstructor::finishCreation):
2766         * runtime/NumberConstructor.h:
2767         (JSC::NumberConstructor::createStructure):
2768         * runtime/NumberObject.cpp:
2769         (JSC::NumberObject::finishCreation):
2770         * runtime/NumberObject.h:
2771         (JSC::NumberObject::createStructure):
2772         * runtime/NumberPrototype.cpp:
2773         (JSC::NumberPrototype::finishCreation):
2774         * runtime/NumberPrototype.h:
2775         (JSC::NumberPrototype::createStructure):
2776         * runtime/ObjectConstructor.h:
2777         (JSC::ObjectConstructor::createStructure):
2778         * runtime/ObjectPrototype.cpp:
2779         (JSC::ObjectPrototype::finishCreation):
2780         * runtime/ObjectPrototype.h:
2781         (JSC::ObjectPrototype::createStructure):
2782         * runtime/PropertyMapHashTable.h:
2783         (JSC::PropertyTable::createStructure):
2784         * runtime/PropertyTable.cpp:
2785         (JSC::PropertyTable::visitChildren):
2786         * runtime/RegExp.h:
2787         (JSC::RegExp::createStructure):
2788         * runtime/RegExpConstructor.cpp:
2789         (JSC::RegExpConstructor::finishCreation):
2790         (JSC::RegExpConstructor::visitChildren):
2791         (JSC::constructRegExp):
2792         * runtime/RegExpConstructor.h:
2793         (JSC::RegExpConstructor::createStructure):
2794         (JSC::asRegExpConstructor):
2795         * runtime/RegExpMatchesArray.cpp:
2796         (JSC::RegExpMatchesArray::visitChildren):
2797         * runtime/RegExpMatchesArray.h:
2798         (JSC::RegExpMatchesArray::createStructure):
2799         * runtime/RegExpObject.cpp:
2800         (JSC::RegExpObject::finishCreation):
2801         (JSC::RegExpObject::visitChildren):
2802         * runtime/RegExpObject.h:
2803         (JSC::RegExpObject::createStructure):
2804         (JSC::asRegExpObject):
2805         * runtime/RegExpPrototype.cpp:
2806         (JSC::regExpProtoFuncTest):
2807         (JSC::regExpProtoFuncExec):
2808         (JSC::regExpProtoFuncCompile):
2809         (JSC::regExpProtoFuncToString):
2810         * runtime/RegExpPrototype.h:
2811         (JSC::RegExpPrototype::createStructure):
2812         * runtime/SparseArrayValueMap.cpp:
2813         (JSC::SparseArrayValueMap::createStructure):
2814         * runtime/SparseArrayValueMap.h:
2815         * runtime/StrictEvalActivation.h:
2816         (JSC::StrictEvalActivation::createStructure):
2817         * runtime/StringConstructor.h:
2818         (JSC::StringConstructor::createStructure):
2819         * runtime/StringObject.cpp:
2820         (JSC::StringObject::finishCreation):
2821         * runtime/StringObject.h:
2822         (JSC::StringObject::createStructure):
2823         (JSC::asStringObject):
2824         * runtime/StringPrototype.cpp:
2825         (JSC::StringPrototype::finishCreation):
2826         (JSC::stringProtoFuncReplace):
2827         (JSC::stringProtoFuncToString):
2828         (JSC::stringProtoFuncMatch):
2829         (JSC::stringProtoFuncSearch):
2830         (JSC::stringProtoFuncSplit):
2831         * runtime/StringPrototype.h:
2832         (JSC::StringPrototype::createStructure):
2833         * runtime/Structure.cpp:
2834         (JSC::Structure::Structure):
2835         (JSC::Structure::materializePropertyMap):
2836         (JSC::Structure::get):
2837         (JSC::Structure::visitChildren):
2838         * runtime/Structure.h:
2839         (JSC::Structure::typeInfo):
2840         (JSC::Structure::previousID):
2841         (JSC::Structure::outOfLineSize):
2842         (JSC::Structure::totalStorageCapacity):
2843         (JSC::Structure::materializePropertyMapIfNecessary):
2844         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
2845         * runtime/StructureChain.cpp:
2846         (JSC::StructureChain::visitChildren):
2847         * runtime/StructureChain.h:
2848         (JSC::StructureChain::createStructure):
2849         * runtime/StructureInlines.h:
2850         (JSC::Structure::get):
2851         * runtime/StructureRareData.cpp:
2852         (JSC::StructureRareData::createStructure):
2853         (JSC::StructureRareData::visitChildren):
2854         * runtime/StructureRareData.h:
2855         * runtime/SymbolTable.h:
2856         (JSC::SharedSymbolTable::createStructure):
2857         * runtime/VM.cpp:
2858         (JSC::VM::VM):
2859         (JSC::StackPreservingRecompiler::operator()):
2860         (JSC::VM::releaseExecutableMemory):
2861         * runtime/WriteBarrier.h:
2862         (JSC::validateCell):
2863         * testRegExp.cpp:
2864         (GlobalObject::createStructure):
2865
2866 2013-08-13  Arunprasad Rajkumar  <arurajku@cisco.com>
2867
2868         [WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places
2869         https://bugs.webkit.org/show_bug.cgi?id=119762
2870
2871         Reviewed by Geoffrey Garen.
2872
2873         * heap/Heap.cpp:
2874         (JSC::Heap::Heap):
2875         (JSC::Heap::markRoots):
2876         (JSC::Heap::collect):
2877         * jsc.cpp:
2878         (StopWatch::start):
2879         (StopWatch::stop):
2880         * testRegExp.cpp:
2881         (StopWatch::start):
2882         (StopWatch::stop):
2883
2884 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
2885
2886         [sh4] Prepare LLINT for DFG_JIT implementation.
2887         https://bugs.webkit.org/show_bug.cgi?id=119755
2888
2889         Reviewed by Oliver Hunt.
2890
2891         * LLIntOffsetsExtractor.pro: Add sh4.rb dependency.
2892         * offlineasm/sh4.rb:
2893             - Handle storeb opcode.
2894             - Make relative jumps when possible using braf opcode.
2895             - Update bmulio implementation to be consistent with baseline JIT.
2896             - Remove useless code from leap opcode.
2897             - Fix incorrect comment.
2898
2899 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
2900
2901         [sh4] Prepare baseline JIT for DFG_JIT implementation.
2902         https://bugs.webkit.org/show_bug.cgi?id=119758
2903
2904         Reviewed by Oliver Hunt.
2905
2906         * assembler/MacroAssemblerSH4.h:
2907             - Introduce a loadEffectiveAddress function to avoid code duplication.
2908             - Add ASSERTs and clean code.
2909         * assembler/SH4Assembler.h:
2910             - Prepare DFG_JIT implementation.
2911             - Add ASSERTs.
2912         * jit/JITStubs.cpp:
2913             - Add SH4 specific call for assertions.
2914         * jit/JITStubs.h:
2915             - Cosmetic change.
2916         * jit/JITStubsSH4.h:
2917             - Use constants to be more flexible with sh4 JIT stack frame.
2918         * jit/JSInterfaceJIT.h:
2919             - Cosmetic change.
2920
2921 2013-08-13  Oliver Hunt  <oliver@apple.com>
2922
2923         Harden executeConstruct against incorrect return types from host functions
2924         https://bugs.webkit.org/show_bug.cgi?id=119757
2925
2926         Reviewed by Mark Hahnenberg.
2927
2928         Add logic to guard against bogus return types.  There doesn't seem to be any
2929         class in webkit that does this wrong, but the typed array stubs in debug JSC
2930         do exhibit this bad behaviour.
2931
2932         * interpreter/Interpreter.cpp:
2933         (JSC::Interpreter::executeConstruct):
2934
2935 2013-08-13  Allan Sandfeld Jensen  <allan.jensen@digia.com>
2936
2937         [Qt] Fix C++11 build with gcc 4.4 and 4.5
2938         https://bugs.webkit.org/show_bug.cgi?id=119736
2939
2940         Reviewed by Anders Carlsson.
2941
2942         Don't force C++11 mode off anymore.
2943
2944         * Target.pri:
2945
2946 2013-08-12  Oliver Hunt  <oliver@apple.com>
2947
2948         Remove CodeBlock's notion of adding identifiers entirely
2949         https://bugs.webkit.org/show_bug.cgi?id=119708
2950
2951         Reviewed by Geoffrey Garen.
2952
2953         Remove addAdditionalIdentifier entirely, including the bogus assertion.
2954         Move the addition of identifiers to DFGPlan::reallyAdd.
2955
2956         * bytecode/CodeBlock.h:
2957         * dfg/DFGDesiredIdentifiers.cpp:
2958         (JSC::DFG::DesiredIdentifiers::reallyAdd):
2959         * dfg/DFGDesiredIdentifiers.h:
2960         * dfg/DFGPlan.cpp:
2961         (JSC::DFG::Plan::reallyAdd):
2962         (JSC::DFG::Plan::finalize):
2963         * dfg/DFGPlan.h:
2964
2965 2013-08-12  Oliver Hunt  <oliver@apple.com>
2966
2967         Build fix
2968
2969         * runtime/JSCell.h:
2970
2971 2013-08-12  Oliver Hunt  <oliver@apple.com>
2972
2973         Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them
2974         https://bugs.webkit.org/show_bug.cgi?id=119705
2975
2976         Reviewed by Geoffrey Garen.
2977
2978         Relatively trivial refactoring.
2979
2980         * bytecode/CodeBlock.h:
2981         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
2982         (JSC::CodeBlock::addAdditionalIdentifier):
2983         (JSC::CodeBlock::identifier):
2984         (JSC::CodeBlock::numberOfIdentifiers):
2985         * dfg/DFGCommonData.h:
2986
2987 2013-08-12  Oliver Hunt  <oliver@apple.com>
2988
2989         Stop making unnecessary copy of CodeBlock Identifier Vector
2990         https://bugs.webkit.org/show_bug.cgi?id=119702
2991
2992         Reviewed by Michael Saboff.
2993
2994         Make CodeBlock simply use a separate Vector for additional Identifiers
2995         and use the UnlinkedCodeBlock for the initial set of identifiers.
2996
2997         * bytecode/CodeBlock.cpp:
2998         (JSC::CodeBlock::printGetByIdOp):
2999         (JSC::dumpStructure):
3000         (JSC::dumpChain):
3001         (JSC::CodeBlock::printGetByIdCacheStatus):
3002         (JSC::CodeBlock::printPutByIdOp):
3003         (JSC::CodeBlock::dumpBytecode):
3004         (JSC::CodeBlock::CodeBlock):
3005         (JSC::CodeBlock::shrinkToFit):
3006         * bytecode/CodeBlock.h:
3007         (JSC::CodeBlock::numberOfIdentifiers):
3008         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
3009         (JSC::CodeBlock::addAdditionalIdentifier):
3010         (JSC::CodeBlock::identifier):
3011         * dfg/DFGDesiredIdentifiers.cpp:
3012         (JSC::DFG::DesiredIdentifiers::reallyAdd):
3013         * jit/JIT.h:
3014         * jit/JITOpcodes.cpp:
3015         (JSC::JIT::emitSlow_op_get_arguments_length):
3016         * jit/JITPropertyAccess.cpp:
3017         (JSC::JIT::emit_op_get_by_id):
3018         (JSC::JIT::compileGetByIdHotPath):
3019         (JSC::JIT::emitSlow_op_get_by_id):
3020         (JSC::JIT::compileGetByIdSlowCase):
3021         (JSC::JIT::emitSlow_op_put_by_id):
3022         * jit/JITPropertyAccess32_64.cpp:
3023         (JSC::JIT::emit_op_get_by_id):
3024         (JSC::JIT::compileGetByIdHotPath):
3025         (JSC::JIT::compileGetByIdSlowCase):
3026         * jit/JITStubs.cpp:
3027         (JSC::DEFINE_STUB_FUNCTION):
3028         * llint/LLIntSlowPaths.cpp:
3029         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3030
3031 2013-08-08  Mark Lam  <mark.lam@apple.com>
3032
3033         Restoring use of StackIterator instead of Interpreter::getStacktrace().
3034         https://bugs.webkit.org/show_bug.cgi?id=119575.
3035
3036         Reviewed by Oliver Hunt.
3037
3038         * interpreter/Interpreter.h:
3039         - Made getStackTrace() private.
3040         * interpreter/StackIterator.cpp:
3041         (JSC::StackIterator::StackIterator):
3042         (JSC::StackIterator::numberOfFrames):
3043         - Computes the number of frames by iterating through the whole stack
3044           from the starting frame. The iterator will save its current frame
3045           position before counting the frames, and then restore it after
3046           the counting.
3047         (JSC::StackIterator::gotoFrameAtIndex):
3048         (JSC::StackIterator::gotoNextFrame):
3049         (JSC::StackIterator::resetIterator):
3050         - Points the iterator to the starting frame.
3051         * interpreter/StackIteratorPrivate.h:
3052
3053 2013-08-08  Mark Lam  <mark.lam@apple.com>
3054
3055         Moved ErrorConstructor and NativeErrorConstructor helper functions into
3056         the Interpreter class.
3057         https://bugs.webkit.org/show_bug.cgi?id=119576.
3058
3059         Reviewed by Oliver Hunt.
3060
3061         This change is needed to prepare for making Interpreter::getStackTrace()
3062         private. It does not change the behavior of the code, only the lexical
3063         scoping.
3064
3065         * interpreter/Interpreter.h:
3066         - Added helper functions for ErrorConstructor and NativeErrorConstructor.
3067         * runtime/ErrorConstructor.cpp:
3068         (JSC::Interpreter::constructWithErrorConstructor):
3069         (JSC::ErrorConstructor::getConstructData):
3070         (JSC::Interpreter::callErrorConstructor):
3071         (JSC::ErrorConstructor::getCallData):
3072         - Don't want ErrorConstructor to call Interpreter::getStackTrace()
3073           directly. So, we moved the helper functions into the Interpreter
3074           class.
3075         * runtime/NativeErrorConstructor.cpp:
3076         (JSC::Interpreter::constructWithNativeErrorConstructor):
3077         (JSC::NativeErrorConstructor::getConstructData):
3078         (JSC::Interpreter::callNativeErrorConstructor):
3079         (JSC::NativeErrorConstructor::getCallData):
3080         - Don't want NativeErrorConstructor to call Interpreter::getStackTrace()
3081           directly. So, we moved the helper functions into the Interpreter
3082           class.
3083
3084 2013-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>
3085
3086         32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state
3087         https://bugs.webkit.org/show_bug.cgi?id=119555
3088
3089         Reviewed by Geoffrey Garen.
3090
3091         It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does.
3092         This was causing crashes on maps.google.com in 32-bit debug builds.
3093
3094         * dfg/DFGSpeculativeJIT32_64.cpp:
3095         (JSC::DFG::SpeculativeJIT::compile):
3096
3097 2013-08-06  Michael Saboff  <msaboff@apple.com>
3098
3099         REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT
3100         https://bugs.webkit.org/show_bug.cgi?id=119405
3101
3102         Reviewed by Geoffrey Garen.
3103
3104         * dfg/DFGSpeculativeJIT.cpp:
3105         (JSC::DFG::SpeculativeJIT::compileGetByValOnString): For X86 32 bit, construct an indexed address
3106         ourselves to save a register and then load from it.
3107
3108 2013-08-06  Filip Pizlo  <fpizlo@apple.com>
3109
3110         DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants
3111         https://bugs.webkit.org/show_bug.cgi?id=119528
3112
3113         Reviewed by Geoffrey Garen.
3114
3115         Either of the two fixes would solve the crash I saw. Basically, for best performance, we want the DFG register allocator to track double uses and non-double
3116         uses of a node separately, and we accomplish this by inserting Int32ToDouble nodes in the FixupPhase. But even if FixupPhase fails to do this, we still want
3117         the DFG register allocator to do the right thing: if it encounters a double use of an integer, it should perform a conversion and preserve the original
3118         format of the value (namely, that it was an integer). For constants, the best format to preserve is None, so that future integer uses rematerialize the int
3119         from scratch. This only affects the 64-bit backend; the 32-bit backend was already doing the right thing.
3120
3121         This also fixes some more debug dumping code, and adds some stronger assertions for integer arrays.
3122
3123         * bytecode/CodeBlock.cpp:
3124         (JSC::CodeBlock::finalizeUnconditionally):
3125         * dfg/DFGDriver.cpp:
3126         (JSC::DFG::compile):
3127         * dfg/DFGFixupPhase.cpp:
3128         (JSC::DFG::FixupPhase::fixupNode):
3129         * dfg/DFGGraph.cpp:
3130         (JSC::DFG::Graph::dump):
3131         * dfg/DFGSpeculativeJIT64.cpp:
3132         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3133         * runtime/JSObject.h:
3134         (JSC::JSObject::getIndexQuickly):
3135         (JSC::JSObject::tryGetIndexQuickly):
3136
3137 2013-08-08  Stephanie Lewis  <slewis@apple.com>
3138
3139         <rdar://problem/14680524> REGRESSION(153806): Crash @ yahoo.com when WebKit is built with a .order file
3140
3141         Unreviewed.
3142
3143         Ensure llint symbols are in source order.
3144
3145         * JavaScriptCore.order:
3146
3147 2013-08-06  Mark Lam  <mark.lam@apple.com>
3148
3149         Assertion failure in emitExpressionInfo when reloading with Web Inspector open.
3150         https://bugs.webkit.org/show_bug.cgi?id=119532.
3151
3152         Reviewed by Oliver Hunt.
3153
3154         * parser/Parser.cpp:
3155         (JSC::::Parser):
3156         - Just need to initialize the Parser's JSTokenLocation's initial line and
3157           startOffset as well during Parser construction.
3158
3159 2013-08-06  Stephanie Lewis  <slewis@apple.com>
3160
3161         Update Order Files for Safari
3162         <rdar://problem/14517392>
3163
3164         Unreviewed.
3165
3166         * JavaScriptCore.order:
3167
3168 2013-08-04  Sam Weinig  <sam@webkit.org>
3169
3170         Remove support for HTML5 MicroData
3171         https://bugs.webkit.org/show_bug.cgi?id=119480
3172
3173         Reviewed by Anders Carlsson.
3174
3175         * Configurations/FeatureDefines.xcconfig:
3176
3177 2013-08-05  Oliver Hunt  <oliver@apple.com>
3178
3179         Delay Arguments creation in strict mode
3180         https://bugs.webkit.org/show_bug.cgi?id=119505
3181
3182         Reviewed by Geoffrey Garen.
3183
3184         Make use of the write tracking performed by the parser to
3185         allow us to know if we're modifying the parameters to a function.
3186         Then use that information to make strict mode function opt out
3187         of eager arguments creation.
3188
3189         * bytecompiler/BytecodeGenerator.cpp:
3190         (JSC::BytecodeGenerator::BytecodeGenerator):
3191         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
3192         (JSC::BytecodeGenerator::emitReturn):
3193         * bytecompiler/BytecodeGenerator.h:
3194         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly):
3195         * parser/Nodes.h:
3196         (JSC::ScopeNode::modifiesParameter):
3197         * parser/Parser.cpp:
3198         (JSC::::parseInner):
3199         * parser/Parser.h:
3200         (JSC::Scope::declareParameter):
3201         (JSC::Scope::getCapturedVariables):
3202         (JSC::Parser::declareWrite):
3203         * parser/ParserModes.h:
3204
3205 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
3206
3207         Remove useless code from COMPILER(RVCT) JITStubs
3208         https://bugs.webkit.org/show_bug.cgi?id=119521
3209
3210         Reviewed by Geoffrey Garen.
3211
3212         * jit/JITStubsARMv7.h:
3213         (JSC::ctiVMThrowTrampoline): "ldr r6, [sp, #PRESERVED_R6_OFFSET]" was called twice.
3214         (JSC::ctiOpThrowNotCaught): Ditto.
3215
3216 2013-07-23  David Farler  <dfarler@apple.com>
3217
3218         Provide optional OTHER_CFLAGS, OTHER_CPPFLAGS, OTHER_LDFLAGS additions for building with ASAN
3219         https://bugs.webkit.org/show_bug.cgi?id=117762
3220
3221         Reviewed by Mark Rowe.
3222
3223         * Configurations/DebugRelease.xcconfig:
3224         Add ASAN_OTHER_CFLAGS, CPLUSPLUSFLAGS, LDFLAGS.
3225         * Configurations/JavaScriptCore.xcconfig:
3226         Add ASAN_OTHER_LDFLAGS.
3227         * Configurations/ToolExecutable.xcconfig:
3228         Don't use ASAN for build tools.
3229
3230 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
3231
3232         Build fix for ARM MSVC after r153222 and r153648.
3233
3234         * jit/JITStubsARM.h: Added ctiVMThrowTrampolineSlowpath.
3235
3236 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
3237
3238         Build fix for ARM MSVC after r150109.
3239
3240         Read the stub template from a header file instead of JITStubs.cpp.
3241
3242         * CMakeLists.txt:
3243         * DerivedSources.pri:
3244         * create_jit_stubs:
3245
3246 2013-08-05  Oliver Hunt  <oliver@apple.com>
3247
3248         Move TypedArray implementation into JSC
3249         https://bugs.webkit.org/show_bug.cgi?id=119489
3250
3251         Reviewed by Filip Pizlo.
3252
3253         Move TypedArray implementation into JSC in advance of re-implementation.
3254
3255         * GNUmakefile.list.am:
3256         * JSCTypedArrayStubs.h:
3257         * JavaScriptCore.xcodeproj/project.pbxproj:
3258         * runtime/ArrayBuffer.cpp: Renamed from Source/WTF/wtf/ArrayBuffer.cpp.
3259         (JSC::ArrayBuffer::transfer):
3260         (JSC::ArrayBuffer::addView):
3261         (JSC::ArrayBuffer::removeView):
3262         * runtime/ArrayBuffer.h: Renamed from Source/WTF/wtf/ArrayBuffer.h.
3263         (JSC::ArrayBufferContents::ArrayBufferContents):
3264         (JSC::ArrayBufferContents::data):
3265         (JSC::ArrayBufferContents::sizeInBytes):
3266         (JSC::ArrayBufferContents::transfer):
3267         (JSC::ArrayBufferContents::copyTo):
3268         (JSC::ArrayBuffer::isNeutered):
3269         (JSC::ArrayBuffer::~ArrayBuffer):
3270         (JSC::ArrayBuffer::clampValue):
3271         (JSC::ArrayBuffer::create):
3272         (JSC::ArrayBuffer::createUninitialized):
3273         (JSC::ArrayBuffer::ArrayBuffer):
3274         (JSC::ArrayBuffer::data):
3275         (JSC::ArrayBuffer::byteLength):
3276         (JSC::ArrayBuffer::slice):
3277         (JSC::ArrayBuffer::sliceImpl):
3278         (JSC::ArrayBuffer::clampIndex):
3279         (JSC::ArrayBufferContents::tryAllocate):
3280         (JSC::ArrayBufferContents::~ArrayBufferContents):
3281         * runtime/ArrayBufferView.cpp: Renamed from Source/WTF/wtf/ArrayBufferView.cpp.
3282         (JSC::ArrayBufferView::ArrayBufferView):
3283         (JSC::ArrayBufferView::~ArrayBufferView):
3284         (JSC::ArrayBufferView::neuter):
3285         * runtime/ArrayBufferView.h: Renamed from Source/WTF/wtf/ArrayBufferView.h.
3286         (JSC::ArrayBufferView::buffer):
3287         (JSC::ArrayBufferView::baseAddress):
3288         (JSC::ArrayBufferView::byteOffset):
3289         (JSC::ArrayBufferView::setNeuterable):
3290         (JSC::ArrayBufferView::isNeuterable):
3291         (JSC::ArrayBufferView::verifySubRange):
3292         (JSC::ArrayBufferView::clampOffsetAndNumElements):
3293         (JSC::ArrayBufferView::setImpl):
3294         (JSC::ArrayBufferView::setRangeImpl):
3295         (JSC::ArrayBufferView::zeroRangeImpl):
3296         (JSC::ArrayBufferView::calculateOffsetAndLength):
3297         * runtime/Float32Array.h: Renamed from Source/WTF/wtf/Float32Array.h.
3298         (JSC::Float32Array::set):
3299         (JSC::Float32Array::getType):
3300         (JSC::Float32Array::create):
3301         (JSC::Float32Array::createUninitialized):
3302         (JSC::Float32Array::Float32Array):
3303         (JSC::Float32Array::subarray):
3304         * runtime/Float64Array.h: Renamed from Source/WTF/wtf/Float64Array.h.
3305         (JSC::Float64Array::set):
3306         (JSC::Float64Array::getType):
3307         (JSC::Float64Array::create):
3308         (JSC::Float64Array::createUninitialized):
3309         (JSC::Float64Array::Float64Array):
3310         (JSC::Float64Array::subarray):
3311         * runtime/Int16Array.h: Renamed from Source/WTF/wtf/Int16Array.h.
3312         (JSC::Int16Array::getType):
3313         (JSC::Int16Array::create):
3314         (JSC::Int16Array::createUninitialized):
3315         (JSC::Int16Array::Int16Array):
3316         (JSC::Int16Array::subarray):
3317         * runtime/Int32Array.h: Renamed from Source/WTF/wtf/Int32Array.h.
3318         (JSC::Int32Array::getType):
3319         (JSC::Int32Array::create):
3320         (JSC::Int32Array::createUninitialized):
3321         (JSC::Int32Array::Int32Array):
3322         (JSC::Int32Array::subarray):
3323         * runtime/Int8Array.h: Renamed from Source/WTF/wtf/Int8Array.h.
3324         (JSC::Int8Array::getType):
3325         (JSC::Int8Array::create):
3326         (JSC::Int8Array::createUninitialized):
3327         (JSC::Int8Array::Int8Array):
3328         (JSC::Int8Array::subarray):
3329         * runtime/IntegralTypedArrayBase.h: Renamed from Source/WTF/wtf/IntegralTypedArrayBase.h.
3330         (JSC::IntegralTypedArrayBase::set):
3331         (JSC::IntegralTypedArrayBase::IntegralTypedArrayBase):
3332         * runtime/TypedArrayBase.h: Renamed from Source/WTF/wtf/TypedArrayBase.h.
3333         (JSC::TypedArrayBase::data):
3334         (JSC::TypedArrayBase::set):
3335         (JSC::TypedArrayBase::setRange):
3336         (JSC::TypedArrayBase::zeroRange):
3337         (JSC::TypedArrayBase::length):
3338         (JSC::TypedArrayBase::byteLength):
3339         (JSC::TypedArrayBase::item):
3340         (JSC::TypedArrayBase::checkInboundData):
3341         (JSC::TypedArrayBase::TypedArrayBase):
3342         (JSC::TypedArrayBase::create):
3343         (JSC::TypedArrayBase::createUninitialized):
3344         (JSC::TypedArrayBase::subarrayImpl):
3345         (JSC::TypedArrayBase::neuter):
3346         * runtime/Uint16Array.h: Renamed from Source/WTF/wtf/Uint16Array.h.
3347         (JSC::Uint16Array::getType):
3348         (JSC::Uint16Array::create):
3349         (JSC::Uint16Array::createUninitialized):
3350         (JSC::Uint16Array::Uint16Array):
3351         (JSC::Uint16Array::subarray):
3352         * runtime/Uint32Array.h: Renamed from Source/WTF/wtf/Uint32Array.h.
3353         (JSC::Uint32Array::getType):
3354         (JSC::Uint32Array::create):
3355         (JSC::Uint32Array::createUninitialized):
3356         (JSC::Uint32Array::Uint32Array):
3357         (JSC::Uint32Array::subarray):
3358         * runtime/Uint8Array.h: Renamed from Source/WTF/wtf/Uint8Array.h.
3359         (JSC::Uint8Array::getType):
3360         (JSC::Uint8Array::create):
3361         (JSC::Uint8Array::createUninitialized):
3362         (JSC::Uint8Array::Uint8Array):
3363         (JSC::Uint8Array::subarray):
3364         * runtime/Uint8ClampedArray.h: Renamed from Source/WTF/wtf/Uint8ClampedArray.h.
3365         (JSC::Uint8ClampedArray::getType):
3366         (JSC::Uint8ClampedArray::create):
3367         (JSC::Uint8ClampedArray::createUninitialized):
3368         (JSC::Uint8ClampedArray::zeroFill):
3369         (JSC::Uint8ClampedArray::set):
3370         (JSC::Uint8ClampedArray::Uint8ClampedArray):
3371         (JSC::Uint8ClampedArray::subarray):
3372         * runtime/VM.h:
3373
3374 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
3375
3376         Copied space should be able to handle more than one copied backing store per JSCell
3377         https://bugs.webkit.org/show_bug.cgi?id=119471
3378
3379         Reviewed by Mark Hahnenberg.
3380         
3381         This allows a cell to call copyLater() multiple times for multiple different
3382         backing stores, and then have copyBackingStore() called exactly once for each
3383         of those. A token tells it which backing store to copy. All backing stores
3384         must be named using the CopyToken, an enumeration which currently cannot
3385         exceed eight entries.
3386         
3387         When copyBackingStore() is called, it's up to the callee to (a) use the token
3388         to decide what to copy and (b) call its base class's copyBackingStore() in
3389         case the base class had something that needed copying. The only exception is
3390         that JSCell never asks anything to be copied, and so if your base is JSCell
3391         then you don't have to do anything.
3392
3393         * GNUmakefile.list.am:
3394         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3395         * JavaScriptCore.xcodeproj/project.pbxproj:
3396         * heap/CopiedBlock.h:
3397         * heap/CopiedBlockInlines.h:
3398         (JSC::CopiedBlock::reportLiveBytes):
3399         * heap/CopyToken.h: Added.
3400         * heap/CopyVisitor.cpp:
3401         (JSC::CopyVisitor::copyFromShared):
3402         * heap/CopyVisitor.h:
3403         * heap/CopyVisitorInlines.h:
3404         (JSC::CopyVisitor::visitItem):
3405         * heap/CopyWorkList.h:
3406         (JSC::CopyWorklistItem::CopyWorklistItem):
3407         (JSC::CopyWorklistItem::cell):
3408         (JSC::CopyWorklistItem::token):
3409         (JSC::CopyWorkListSegment::get):
3410         (JSC::CopyWorkListSegment::append):
3411         (JSC::CopyWorkListSegment::data):
3412         (JSC::CopyWorkListIterator::get):
3413         (JSC::CopyWorkListIterator::operator*):
3414         (JSC::CopyWorkListIterator::operator->):
3415         (JSC::CopyWorkList::append):
3416         * heap/SlotVisitor.h:
3417         * heap/SlotVisitorInlines.h:
3418         (JSC::SlotVisitor::copyLater):
3419         * runtime/ClassInfo.h:
3420         * runtime/JSCell.cpp:
3421         (JSC::JSCell::copyBackingStore):
3422         * runtime/JSCell.h:
3423         * runtime/JSObject.cpp:
3424         (JSC::JSObject::visitButterfly):
3425         (JSC::JSObject::copyBackingStore):
3426         * runtime/JSObject.h:
3427
3428 2013-08-05  Zan Dobersek  <zdobersek@igalia.com>
3429
3430         [Automake] Define ENABLE_JIT through the Autoconf header
3431         https://bugs.webkit.org/show_bug.cgi?id=119445
3432
3433         Reviewed by Martin Robinson.
3434
3435         * GNUmakefile.am: Remove JSC_CPPFLAGS from the cpp flags for the JSC library.
3436
3437 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
3438
3439         hasIndexingHeader() ought really to be a property of an object and its structure, not just its structure
3440         https://bugs.webkit.org/show_bug.cgi?id=119470
3441
3442         Reviewed by Oliver Hunt.
3443         
3444         Structure can still tell you if the object "could" (in the conservative sense)
3445         have an indexing header; that's used by the compiler.
3446         
3447         Most of the time if you want to know if there's an indexing header, you ask the
3448         JSObject.
3449         
3450         In some cases, the JSObject wants to know if it would have an indexing header if
3451         it had a different structure; then it uses Structure::hasIndexingHeader(JSCell*).
3452
3453         * dfg/DFGRepatch.cpp:
3454         (JSC::DFG::tryCachePutByID):
3455         (JSC::DFG::tryBuildPutByIdList):
3456         * dfg/DFGSpeculativeJIT.cpp:
3457         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3458         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3459         * runtime/ButterflyInlines.h:
3460         (JSC::Butterfly::create):
3461         (JSC::Butterfly::growPropertyStorage):
3462         (JSC::Butterfly::growArrayRight):
3463         (JSC::Butterfly::resizeArray):
3464         * runtime/JSObject.cpp:
3465         (JSC::JSObject::copyButterfly):
3466         (JSC::JSObject::visitButterfly):
3467         * runtime/JSObject.h:
3468         (JSC::JSObject::hasIndexingHeader):
3469         (JSC::JSObject::setButterfly):
3470         * runtime/Structure.h:
3471         (JSC::Structure::couldHaveIndexingHeader):
3472         (JSC::Structure::hasIndexingHeader):
3473
3474 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
3475
3476         Give the error object's stack property accessor attributes.
3477         https://bugs.webkit.org/show_bug.cgi?id=119404
3478
3479         Reviewed by Geoffrey Garen.
3480         
3481         Changed the attributes of the error object's stack property to allow developers to write
3482         and delete the stack property. This will match the functionality of Chrome. Firefox
3483         allows developers to write the error's stack, but not delete it.
3484
3485         * interpreter/Interpreter.cpp:
3486         (JSC::Interpreter::addStackTraceIfNecessary):
3487         * runtime/ErrorInstance.cpp:
3488         (JSC::ErrorInstance::finishCreation):
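
The following is an added example, not code from this ChangeLog or from JavaScriptCore: it probes, using only standard reflection, whether the engine it runs on exposes an Error object's non-standard `stack` property as something a script can overwrite and delete, which is the behaviour the entry above gives JSC to match Chrome. It goes slightly beyond the entry by also reporting whether `stack` is an own data property or an inherited accessor, so the report is meaningful on engines with either layout. No engine-specific API is assumed.

```javascript
// Added example, not code from the WebKit ChangeLog or from JSC itself:
// probes how the running engine exposes the non-standard `stack` property
// on Error objects, i.e. whether a script can overwrite and delete it, which
// is the behaviour the entry above makes JSC share with Chrome.
// No engine-specific API is assumed; everything uses standard reflection.

// Report where `stack` lives (own property or inherited accessor) and its
// attributes, so the result is meaningful for either engine layout.
function describeStack(err) {
  const own = Object.getOwnPropertyDescriptor(err, "stack");
  let inherited;
  for (let p = Object.getPrototypeOf(err); p !== null && !inherited; p = Object.getPrototypeOf(p)) {
    inherited = Object.getOwnPropertyDescriptor(p, "stack");
  }
  const d = own || inherited;
  if (!d) {
    return { present: false, own: false, kind: "absent", writable: false, configurable: false };
  }
  const isData = "value" in d;
  return {
    present: typeof err.stack === "string",
    own: Boolean(own),
    kind: isData ? "data" : "accessor",
    writable: isData ? d.writable : typeof d.set === "function",
    configurable: d.configurable,
  };
}

// Try the two operations the entry legalises in JSC: overwrite, then delete.
// A refused write or delete may either fail silently (sloppy mode) or throw
// (strict mode); both outcomes are caught and recorded in the return value.
function probeStackMutability(err) {
  const marker = "stack rewritten by script";
  let writeOk = false;
  try {
    err.stack = marker;
    writeOk = err.stack === marker;
  } catch (e) {
    writeOk = false;
  }
  let deleteOk = false;
  try {
    deleteOk = delete err.stack;
  } catch (e) {
    deleteOk = false;
  }
  const ownAfterDelete = Object.prototype.hasOwnProperty.call(err, "stack");
  return { writeOk, deleteOk, ownAfterDelete };
}

function main() {
  const err = new Error("probe");
  console.log("layout:", describeStack(err));
  console.log("mutability:", probeStackMutability(err));
}

main();
```

Run it under any engine to see which of the three behaviours described in the entry (JSC after this change and Chrome: write and delete; Firefox: write only) that engine actually implements.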
3489
3490 2013-08-02  Oliver Hunt  <oliver@apple.com>
3491
3492         Incorrect type speculation reported by ToPrimitive
3493         https://bugs.webkit.org/show_bug.cgi?id=119458
3494
3495         Reviewed by Mark Hahnenberg.
3496
3497         Make sure that we report the correct type possibilities for the output
3498         from ToPrimitive
3499
3500         * dfg/DFGAbstractInterpreterInlines.h:
3501         (JSC::DFG::::executeEffects):
3502
3503 2013-08-02  Gavin Barraclough  <barraclough@apple.com>
3504
3505         Remove no-arguments constructor to PropertySlot
3506         https://bugs.webkit.org/show_bug.cgi?id=119460
3507
3508         Reviewed by Geoff Garen.
3509
3510         This constructor was unsafe if getValue is subsequently called,
3511         and the property is a getter. Simplest to just remove it.
3512
3513         * runtime/Arguments.cpp:
3514         (JSC::Arguments::defineOwnProperty):
3515         * runtime/JSActivation.cpp:
3516         (JSC::JSActivation::getOwnPropertyDescriptor):
3517         * runtime/JSFunction.cpp:
3518         (JSC::JSFunction::getOwnPropertyDescriptor):
3519         (JSC::JSFunction::getOwnNonIndexPropertyNames):
3520         (JSC::JSFunction::put):
3521         (JSC::JSFunction::defineOwnProperty):
3522         * runtime/JSGlobalObject.cpp:
3523         (JSC::JSGlobalObject::defineOwnProperty):
3524         * runtime/JSGlobalObject.h:
3525         (JSC::JSGlobalObject::hasOwnPropertyForWrite):
3526         * runtime/JSNameScope.cpp:
3527         (JSC::JSNameScope::put):
3528         * runtime/JSONObject.cpp:
3529         (JSC::Stringifier::Holder::appendNextProperty):
3530         (JSC::Walker::walk):
3531         * runtime/JSObject.cpp:
3532         (JSC::JSObject::hasProperty):
3533         (JSC::JSObject::hasOwnProperty):
3534         (JSC::JSObject::reifyStaticFunctionsForDelete):
3535         * runtime/Lookup.h:
3536         (JSC::getStaticPropertyDescriptor):
3537         (JSC::getStaticFunctionDescriptor):
3538         (JSC::getStaticValueDescriptor):
3539         * runtime/ObjectConstructor.cpp:
3540         (JSC::defineProperties):
3541         * runtime/PropertySlot.h:
3542
3543 2013-08-02  Mark Hahnenberg  <mhahnenberg@apple.com>
3544
3545         DFG validation can cause assertion failures due to dumping
3546         https://bugs.webkit.org/show_bug.cgi?id=119456
3547
3548         Reviewed by Geoffrey Garen.
3549
3550         * bytecode/CodeBlock.cpp:
3551         (JSC::CodeBlock::hasHash):
3552         (JSC::CodeBlock::isSafeToComputeHash):
3553         (JSC::CodeBlock::hash):
3554         (JSC::CodeBlock::dumpAssumingJITType):
3555         * bytecode/CodeBlock.h:
3556
3557 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
3558
3559         Have vm's exceptionStack match java's vm's exceptionStack.
3560         https://bugs.webkit.org/show_bug.cgi?id=119362
3561
3562         Reviewed by Geoffrey Garen.
3563         
3564         The error object's stack is only updated if it does not exist yet. This matches 
3565         the functionality of other browsers, and Java VMs. 
3566
3567         * interpreter/Interpreter.cpp:
3568         (JSC::Interpreter::addStackTraceIfNecessary):
3569         (JSC::Interpreter::throwException):
3570         * runtime/VM.cpp:
3571         (JSC::VM::clearExceptionStack):
3572         * runtime/VM.h:
3573         (JSC::VM::lastExceptionStack):
3574
3575 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
3576
3577         REGRESSION(FTL): Fix mips implementation of ctiVMThrowTrampolineSlowpath.
3578         https://bugs.webkit.org/show_bug.cgi?id=119447
3579
3580         Reviewed by Geoffrey Garen.
3581
3582         Fix .cpload, update call frame and do not restore registers from JIT stack frame in
3583         mips implementation of ctiVMThrowTrampolineSlowpath. This change is similar to
3584         r153583 (sh4) and r153648 (ARM).
3585
3586         * jit/JITStubsMIPS.h:
3587
3588 2013-08-01  Filip Pizlo  <fpizlo@apple.com>
3589
3590         hasIndexingHeader should be a property of the Structure, not just the IndexingType
3591         https://bugs.webkit.org/show_bug.cgi?id=119422
3592
3593         Reviewed by Oliver Hunt.
3594         
3595         This simplifies some code and also allows Structure to claim that an object
3596         has an indexing header even if it doesn't have indexed properties.
3597         
3598         I also changed some calls to use hasIndexedProperties() since in some cases,
3599         that's what we actually meant. Currently the two are synonyms.
3600
3601         * dfg/DFGRepatch.cpp:
3602         (JSC::DFG::tryCachePutByID):
3603         (JSC::DFG::tryBuildPutByIdList):
3604         * dfg/DFGSpeculativeJIT.cpp:
3605         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3606         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3607         * runtime/ButterflyInlines.h:
3608         (JSC::Butterfly::create):
3609         (JSC::Butterfly::growPropertyStorage):
3610         (JSC::Butterfly::growArrayRight):
3611         (JSC::Butterfly::resizeArray):
3612         * runtime/IndexingType.h:
3613         * runtime/JSObject.cpp:
3614         (JSC::JSObject::copyButterfly):
3615         (JSC::JSObject::visitButterfly):
3616         (JSC::JSObject::setPrototype):
3617         * runtime/JSObject.h:
3618         (JSC::JSObject::setButterfly):
3619         * runtime/JSPropertyNameIterator.cpp:
3620         (JSC::JSPropertyNameIterator::create):
3621         * runtime/Structure.h:
3622         (JSC::Structure::hasIndexingHeader):
3623
3624 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
3625
3626         REGRESSION: ARM still crashes after change set r153612.
3627         https://bugs.webkit.org/show_bug.cgi?id=119433
3628
3629         Reviewed by Michael Saboff.
3630
3631         Update call frame and do not restore registers from JIT stack frame in ARM and ARMv7
3632         implementations of ctiVMThrowTrampolineSlowpath. This change is similar to r153583
3633         for sh4 architecture.
3634
3635         * jit/JITStubsARM.h:
3636         * jit/JITStubsARMv7.h:
3637
3638 2013-08-02  Michael Saboff  <msaboff@apple.com>
3639
3640         REGRESSION(r153612): It made jsc and layout tests crash
3641         https://bugs.webkit.org/show_bug.cgi?id=119440
3642
3643         Reviewed by Csaba Osztrogonác.
3644
3645         Made the changes of changeset r153612 only apply to 32-bit builds.
3646
3647         * jit/JITExceptions.cpp:
3648         * jit/JITExceptions.h:
3649         * jit/JITStubs.cpp:
3650         (JSC::cti_vm_throw_slowpath):
3651         * jit/JITStubs.h:
3652
3653 2013-08-02  Patrick Gansterer  <paroga@webkit.org>
3654
3655         Add JSCTestRunnerUtils to the list of forwarding headers to fix build.
3656
3657         * CMakeLists.txt:
3658
3659 2013-08-01  Ruth Fong  <ruth_fong@apple.com>
3660
3661         [Forms: color] <input type='color'> popover color well implementation
3662         <rdar://problem/14411008> and https://bugs.webkit.org/show_bug.cgi?id=119356
3663
3664         Reviewed by Benjamin Poulain.
3665
3666         * Configurations/FeatureDefines.xcconfig: Added and enabled INPUT_TYPE_COLOR_POPOVER.
3667
3668 2013-08-01  Oliver Hunt  <oliver@apple.com>
3669
3670         DFG is not enforcing correct ordering of ToString conversion in MakeRope
3671         https://bugs.webkit.org/show_bug.cgi?id=119408
3672
3673         Reviewed by Filip Pizlo.
3674
3675         Construct ToString and Phantom nodes in advance of MakeRope
3676         nodes to ensure that ordering is ensured, and correct values
3677         will be reified on OSR exit.
3678
3679         * dfg/DFGByteCodeParser.cpp:
3680         (JSC::DFG::ByteCodeParser::parseBlock):
3681
3682 2013-08-01  Michael Saboff  <msaboff@apple.com>
3683
3684         REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
3685         https://bugs.webkit.org/show_bug.cgi?id=119140
3686
3687         Reviewed by Filip Pizlo.
3688
3689         Ensure that ExceptionHandler is returned by functions in two registers by encoding the value as a 64 bit int.
3690
3691         * jit/JITExceptions.cpp:
3692         (JSC::encode):
3693         * jit/JITExceptions.h:
3694         * jit/JITStubs.cpp:
3695         (JSC::cti_vm_throw_slowpath):
3696         * jit/JITStubs.h:
3697
3698 2013-08-01  Julien Brianceau  <jbrianceau@nds.com>
3699
3700         REGRESSION(FTL): Fix sh4 implementation of ctiVMThrowTrampolineSlowpath.
3701         https://bugs.webkit.org/show_bug.cgi?id=119391
3702
3703         Reviewed by Csaba Osztrogonác.
3704
3705         * jit/JITStubsSH4.h: Fix ctiVMThrowTrampolineSlowpath implementation:
3706             - Call frame is in r14 register.
3707             - Do not restore registers from JIT stack frame here.
3708
3709 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
3710
3711         More cleanup in PropertySlot
3712         https://bugs.webkit.org/show_bug.cgi?id=119359
3713
3714         Reviewed by Geoff Garen.
3715
3716         m_slotBase is overloaded to store the (receiver) thisValue and the object that contains the property.
3717         This is confusing, and means that slotBase cannot be typed correctly (can only be a JSObject).
3718
3719         * dfg/DFGRepatch.cpp:
3720         (JSC::DFG::tryCacheGetByID):
3721         (JSC::DFG::tryBuildGetByIDList):
3722             - No need to ASSERT slotBase is an object.
3723         * jit/JITStubs.cpp:
3724         (JSC::tryCacheGetByID):
3725         (JSC::DEFINE_STUB_FUNCTION):
3726             - No need to ASSERT slotBase is an object.
3727         * runtime/JSObject.cpp:
3728         (JSC::JSObject::getOwnPropertySlotByIndex):
3729         (JSC::JSObject::fillGetterPropertySlot):
3730             - Pass an object through to setGetterSlot.
3731         * runtime/JSObject.h:
3732         (JSC::PropertySlot::getValue):
3733             - Moved from PropertySlot (need to know about JSObject).
3734         * runtime/PropertySlot.cpp:
3735         (JSC::PropertySlot::functionGetter):
3736             - update per member name changes
3737         * runtime/PropertySlot.h:
3738         (JSC::PropertySlot::PropertySlot):
3739             - Argument to constructor set to 'thisValue'.
3740         (JSC::PropertySlot::slotBase):
3741             - This returns a JSObject*.
3742         (JSC::PropertySlot::setValue):
3743         (JSC::PropertySlot::setCustom):
3744         (JSC::PropertySlot::setCacheableCustom):
3745         (JSC::PropertySlot::setCustomIndex):
3746         (JSC::PropertySlot::setGetterSlot):
3747         (JSC::PropertySlot::setCacheableGetterSlot):
3748             - slotBase is a JSObject*, make setGetterSlot set slotBase for consistency.
3749         * runtime/SparseArrayValueMap.cpp:
3750         (JSC::SparseArrayEntry::get):
3751             - Pass an object through to setGetterSlot.
3752         * runtime/SparseArrayValueMap.h:
3753             - Pass an object through to setGetterSlot.
3754
3755 2013-07-31  Yi Shen  <max.hong.shen@gmail.com>
3756
3757         Reduce JSC API static value setter/getter overhead.
3758         https://bugs.webkit.org/show_bug.cgi?id=119277
3759
3760         Reviewed by Geoffrey Garen.
3761
3762         Add property name to the static value entry, so that OpaqueJSString::create() doesn't
3763         need to be called every time the static value is set or retrieved.
3764
3765         * API/JSCallbackObjectFunctions.h:
3766         (JSC::::put):
3767         (JSC::::putByIndex):
3768         (JSC::::getStaticValue):
3769         * API/JSClassRef.cpp:
3770         (OpaqueJSClassContextData::OpaqueJSClassContextData):
3771         * API/JSClassRef.h:
3772         (StaticValueEntry::StaticValueEntry):
3773
3774 2013-07-31  Kwang Yul Seo  <skyul@company100.net>
3775
3776         Use emptyString instead of String("")
3777         https://bugs.webkit.org/show_bug.cgi?id=119335
3778
3779         Reviewed by Darin Adler.
3780
3781         Use emptyString() instead of String("") because it is better style and
3782         faster. This is a followup to r116908, removing all occurrences of
3783         String("") from WebKit.
3784
3785         * runtime/RegExpConstructor.cpp:
3786         (JSC::constructRegExp):
3787         * runtime/RegExpPrototype.cpp:
3788         (JSC::regExpProtoFuncCompile):
3789         * runtime/StringPrototype.cpp:
3790         (JSC::stringProtoFuncMatch):
3791         (JSC::stringProtoFuncSearch):
3792
3793 2013-07-31  Ruth Fong  <ruth_fong@apple.com>
3794
3795         <input type=color> Mac UI behaviour
3796         <rdar://problem/10269922> and https://bugs.webkit.org/show_bug.cgi?id=61276
3797
3798         Reviewed by Brady Eidson.
3799
3800         * Configurations/FeatureDefines.xcconfig: Enabled INPUT_TYPE_COLOR.
3801
3802 2013-07-31  Mark Hahnenberg  <mhahnenberg@apple.com>
3803
3804         DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT
3805         https://bugs.webkit.org/show_bug.cgi?id=119349
3806
3807         Reviewed by Geoffrey Garen.
3808
3809         Prior to this patch, the baseline JIT was responsible for resizing the ctiOffsets Vector for 
3810         SimpleJumpTables to be equal to the size of the branchOffsets Vector. The DFG implicitly relied
3811         on code it compiled with any switch statements to have been run in the baseline JIT first. 
3812         However, if the DFG chooses to inline a function that has never been compiled by the baseline 
3813         JIT then this resizing never happens and we crash at link time in the DFG.
3814
3815         We can fix this by also doing the resize in the DFG to catch this case.
3816
3817         * dfg/DFGJITCompiler.cpp:
3818         (JSC::DFG::JITCompiler::link):
3819
3820 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
3821
3822         Speculative Windows build fix.
3823
3824         Reviewed by NOBODY
3825
3826         * runtime/JSString.cpp:
3827         (JSC::JSRopeString::getIndexSlowCase):
3828         * runtime/JSString.h:
3829
3830 2013-07-30  Gavin Barraclough  <barraclough@apple.com>
3831
3832         Some cleanup in JSValue::get
3833         https://bugs.webkit.org/show_bug.cgi?id=119343
3834
3835         Reviewed by Geoff Garen.
3836
3837         JSValue::get is implemented to:
3838             1) Check if the value is a cell – if not, synthesize a prototype to search,
3839             2) call getOwnPropertySlot on the cell,
3840             3) if this returns false, cast to JSObject to get the prototype, and walk the prototype chain.
3841         By all rights this should crash when passed a string and accessing a property that does not exist, because
3842         the string is a cell, getOwnPropertySlot should return false, and the cast to JSObject should be unsafe.
3843         To work around this, JSString::getOwnPropertySlot actually implements 'get' functionality - searching the
3844         prototype chain, and faking out a return value of undefined if no property is found.
3845
3846         This is a huge hazard, since fixing JSString::getOwnPropertySlot or calling getOwnPropertySlot on cells
3847         from elsewhere would introduce bugs. Fortunately it is only ever called in this one place.
3848
3849         The fix here is to move getOwnPropertySlot onto JSObject and end this madness - cells don't have property
3850         slots anyway.
3851
3852         Interesting changes are in JSCJSValueInlines.h, JSString.cpp - the rest is pretty much all JSCell -> JSObject.
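
The following is an added example, not JSC code: a JavaScript model of the three-step lookup the entry above describes for JSValue::get, written against public language semantics (Object.getOwnPropertyDescriptor and Object.getPrototypeOf) rather than JSC's internal PropertySlot API. It models a string as a cell that answers for its own "length" and index keys before the prototype walk, which is the part of the lookup the entry says JSString::getOwnPropertySlot used to perform internally. The function name jsGet and the helper synthesizePrototype are names chosen for this example.

```javascript
// Added example, not JSC code: a JavaScript model of the three-step lookup
// the entry above describes for JSValue::get, written against public
// language semantics (Object.getOwnPropertyDescriptor / getPrototypeOf)
// rather than JSC's internal PropertySlot API.

// Step 1: a non-cell value (number, boolean, symbol, bigint) has no object
// of its own to search, so synthesise the prototype the walk starts from.
// null and undefined have no prototype and must throw, as `null.x` does.
function synthesizePrototype(value) {
  switch (typeof value) {
    case "number": return Number.prototype;
    case "boolean": return Boolean.prototype;
    case "symbol": return Symbol.prototype;
    case "bigint": return BigInt.prototype;
    default: throw new TypeError("cannot read properties of " + String(value));
  }
}

function jsGet(value, key) {
  let object;
  if (typeof value === "string") {
    // In JSC a string is a cell: it answers getOwnPropertySlot itself for
    // "length" and index keys, then the search continues on String.prototype
    // (the prototype walk the entry says JSString::getOwnPropertySlot used to
    // perform internally, here done by the generic loop below instead).
    const own = Object.getOwnPropertyDescriptor(value, key);
    if (own !== undefined) return own.value;
    object = String.prototype;
  } else if ((typeof value === "object" && value !== null) || typeof value === "function") {
    object = value;                       // a real object: start with its own slots
  } else {
    object = synthesizePrototype(value);  // step 1 for the other primitives
  }

  // Steps 2 and 3: ask each object on the chain for an own property slot and,
  // if it has none, move to its prototype. A getter is invoked with the
  // original receiver as `this`, which is why the receiver is carried
  // separately from the object currently being searched.
  for (; object !== null; object = Object.getPrototypeOf(object)) {
    const slot = Object.getOwnPropertyDescriptor(object, key);
    if (slot === undefined) continue;
    if ("value" in slot) return slot.value;
    return slot.get === undefined ? undefined : slot.get.call(value);
  }
  return undefined; // walked off the end of the chain: the property is missing
}
```

A missing property on a string ("abc".missing) therefore reaches the end of the chain and yields undefined through the ordinary walk, instead of the string's own getOwnPropertySlot having to fake that result.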
3853
3854 2013-07-31  Michael Saboff  <msaboff@apple.com>
3855
3856         [Win] JavaScript crash.
3857         https://bugs.webkit.org/show_bug.cgi?id=119339
3858
3859         Reviewed by Mark Hahnenberg.
3860
3861         * jit/JITStubsX86.h: Implement ctiVMThrowTrampoline and
3862         ctiVMThrowTrampolineSlowpath the same way as the gcc x86 version does.
3863
3864 2013-07-30  Mark Hahnenberg  <mhahnenberg@apple.com>
3865
3866         GetByVal on Arguments does the wrong size load when checking the Arguments object length
3867         https://bugs.webkit.org/show_bug.cgi?id=119281
3868
3869         Reviewed by Geoffrey Garen.
3870
3871         This leads to out of bounds accesses and subsequent crashes.
3872
3873         * dfg/DFGSpeculativeJIT.cpp:
3874         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
3875         * dfg/DFGSpeculativeJIT64.cpp:
3876         (JSC::DFG::SpeculativeJIT::compile):
3877
3878 2013-07-30  Oliver Hunt  <oliver@apple.com>
3879
3880         Add an assertion to SpeculateCellOperand
3881         https://bugs.webkit.org/show_bug.cgi?id=119276
3882
3883         Reviewed by Michael Saboff.
3884
3885         More assertions are better
3886
3887         * dfg/DFGSpeculativeJIT64.cpp:
3888         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3889         (JSC::DFG::SpeculativeJIT::compile):
3890
3891 2013-07-30  Mark Lam  <mark.lam@apple.com>
3892
3893         Fix problems with divot and lineStart mismatches.
3894         https://bugs.webkit.org/show_bug.cgi?id=118662.
3895
3896         Reviewed by Oliver Hunt.
3897
3898         r152494 added the recording of lineStart values for divot positions.
3899         This is needed for the computation of column numbers. Similarly, it also
3900         added the recording of line numbers for the divot positions. One problem
3901         with the approach taken was that the line and lineStart values were
3902         recorded independently, and hence were not always guaranteed to be
3903         sampled at the same place that the divot position is recorded. This
3904         resulted in potential mismatches that cause some assertions to fail.
3905
3906         The solution is to introduce a JSTextPosition abstraction that records
3907         the divot position, line, and lineStart as a single quantity. Wherever
3908         we record the divot position as an unsigned int previously, we now record
3909         its JSTextPosition which captures all 3 values in one go. This ensures
3910         that the captured line and lineStart will always match the captured divot
3911         position.
3912
3913         * bytecompiler/BytecodeGenerator.cpp:
3914         (JSC::BytecodeGenerator::emitCall):
3915         (JSC::BytecodeGenerator::emitCallEval):
3916         (JSC::BytecodeGenerator::emitCallVarargs):
3917         (JSC::BytecodeGenerator::emitConstruct):
3918         (JSC::BytecodeGenerator::emitDebugHook):
3919         - Use JSTextPosition instead of passing line and lineStart explicitly.
3920         * bytecompiler/BytecodeGenerator.h:
3921         (JSC::BytecodeGenerator::emitExpressionInfo):
3922         - Use JSTextPosition instead of passing line and lineStart explicitly.
3923         * bytecompiler/NodesCodegen.cpp:
3924         (JSC::ThrowableExpressionData::emitThrowReferenceError):
3925         (JSC::ResolveNode::emitBytecode):
3926         (JSC::BracketAccessorNode::emitBytecode):
3927         (JSC::DotAccessorNode::emitBytecode):
3928         (JSC::NewExprNode::emitBytecode):
3929         (JSC::EvalFunctionCallNode::emitBytecode):
3930         (JSC::FunctionCallValueNode::emitBytecode):
3931         (JSC::FunctionCallResolveNode::emitBytecode):
3932         (JSC::FunctionCallBracketNode::emitBytecode):
3933         (JSC::FunctionCallDotNode::emitBytecode):
3934         (JSC::CallFunctionCallDotNode::emitBytecode):
3935         (JSC::ApplyFunctionCallDotNode::emitBytecode):
3936         (JSC::PostfixNode::emitResolve):
3937         (JSC::PostfixNode::emitBracket):
3938         (JSC::PostfixNode::emitDot):
3939         (JSC::DeleteResolveNode::emitBytecode):
3940         (JSC::DeleteBracketNode::emitBytecode):
3941         (JSC::DeleteDotNode::emitBytecode):
3942         (JSC::PrefixNode::emitResolve):
3943         (JSC::PrefixNode::emitBracket):
3944         (JSC::PrefixNode::emitDot):
3945         (JSC::UnaryOpNode::emitBytecode):
3946         (JSC::BinaryOpNode::emitStrcat):
3947         (JSC::BinaryOpNode::emitBytecode):
3948         (JSC::ThrowableBinaryOpNode::emitBytecode):
3949         (JSC::InstanceOfNode::emitBytecode):
3950         (JSC::emitReadModifyAssignment):
3951         (JSC::ReadModifyResolveNode::emitBytecode):
3952         (JSC::AssignResolveNode::emitBytecode):
3953         (JSC::AssignDotNode::emitBytecode):
3954         (JSC::ReadModifyDotNode::emitBytecode):
3955         (JSC::AssignBracketNode::emitBytecode):
3956         (JSC::ReadModifyBracketNode::emitBytecode):
3957         (JSC::ForInNode::emitBytecode):
3958         (JSC::WithNode::emitBytecode):
3959         (JSC::ThrowNode::emitBytecode):
3960         - Use JSTextPosition instead of passing line and lineStart explicitly.
3961         * parser/ASTBuilder.h:
3962         - Replaced ASTBuilder::PositionInfo with JSTextPosition.