[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML

        Reviewed by Geoffrey Garen.

        More fixes for WriteBarrier deferral during concurrent JIT-ing. This patch makes the use of the DesiredWriteBarriers class and the
        initializeLazyWriteBarrierFor* wrapper functions more sane.

        Refactored DesiredWriteBarrier to require an owner, a type, a CodeBlock, and an index. The type indicates how to use the CodeBlock
        and index when triggering the WriteBarrier at the end of compilation.

        The client code of initializeLazy* is now responsible for creating the WriteBarrier that will be initialized as well as passing
        in the relevant index to be used at the end of compilation. Things were kind of muddled before in that one function did a
        little extra work that really shouldn't have been its responsibility.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addConstant):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGDesiredWriteBarriers.cpp:
        (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
        (JSC::DFG::DesiredWriteBarrier::trigger):
        * dfg/DFGDesiredWriteBarriers.h:
        (JSC::DFG::DesiredWriteBarriers::add):
        (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameExecutable):
        (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameCallee):
        (JSC::DFG::initializeLazyWriteBarrierForConstant):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::truncateConstantToInt32):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::constantRegisterForConstant):

2013-08-20  Michael Saboff  <msaboff@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120075
        REGRESSION (r128400): BBC4 website not displaying pictures

        Reviewed by Oliver Hunt.

        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::createStructure): Changed the array IndexingType to be ArrayWithSlowPutArrayStorage
        so that the match results will be reified before any other modification to the results array.

2013-08-19  Filip Pizlo  <fpizlo@apple.com>

        Incorrect behavior on emscripten-compiled cube2hash
        https://bugs.webkit.org/show_bug.cgi?id=120033

        Reviewed by Mark Hahnenberg.

        If PutClosureVar is may-aliased to another PutClosureVar or GetClosureVar
        then we should bail on attempts to CSE.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::scopedVarLoadElimination):
        (JSC::DFG::CSEPhase::scopedVarStoreElimination):

2013-08-20  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120073
        Remove use of GOPD from JSFunction::defineProperty

        Reviewed by Oliver Hunt.

        Call getOwnPropertySlot to check for existing properties instead.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::defineOwnProperty):
            - getOwnPropertyDescriptor -> getOwnPropertySlot

2013-08-20  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120067
        Remove getPropertyDescriptor

        Reviewed by Oliver Hunt.

        This is used by lookupGetter/lookupSetter - this can easily be replaced by getPropertySlot.
        Since we'll be getting the GetterSetter from the slot in the setter case, rename isGetter() to isAccessor().

        * runtime/JSObject.cpp:
        * runtime/JSObject.h:
            - remove getPropertyDescriptor
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):
            - replace call to getPropertyDescriptor with getPropertySlot
        * runtime/PropertyDescriptor.h:
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::isAccessor):
        (JSC::PropertySlot::isCacheableGetter):
        (JSC::PropertySlot::getterSetter):
            - rename isGetter() to isAccessor()

2013-08-20  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120054
        Remove some dead code following getOwnPropertyDescriptor cleanup

        Reviewed by Oliver Hunt.

        * runtime/Lookup.h:
        (JSC::getStaticFunctionSlot):
            - remove getStaticPropertyDescriptor, getStaticFunctionDescriptor, getStaticValueDescriptor.

2013-08-20  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120052
        Remove custom getOwnPropertyDescriptor for JSProxy

        Reviewed by Geoff Garen.

        GET_OWN_PROPERTY_DESCRIPTOR_IMPL runs afoul of JSProxy due to the workaround for JSDOMWindow's broken behavior.
        Because the window object incorrectly searches the prototype chain in getOwnPropertySlot we check that the base
        object matches, but in the case of JSProxy we can end up comparing the window object to the window shell & falsely
        assuming this is a prototype property. Add toThis conversion to correctly identify proxied own access. I've kept
        the original slotBase check as a fast case, and also so that direct access on JSDOMWindow still works.

        * runtime/JSProxy.cpp:
            - Remove custom getOwnPropertyDescriptor implementation.
        * runtime/PropertyDescriptor.h:
            - Modify own property access check to perform toThis conversion.

2013-08-20  Alex Christensen  <achristensen@apple.com>

        Use PlatformArchitecture to distinguish between 32-bit and 64-bit builds on Windows.
        https://bugs.webkit.org/show_bug.cgi?id=119512

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
        Replaced obj32, bin32, and lib32 with macros for 64-bit build.

2013-08-20  Julien Brianceau  <jbrianceau@nds.com>

        <https://webkit.org/b/120062> Missing ensureSpace call in sh4 baseline JIT.

        Reviewed by Allan Sandfeld Jensen.

        branchPtrWithPatch() of baseline JIT must ensure that space is available for its
        instructions and two constants now that DFG is enabled for sh4 architecture.
        These missing ensureSpace calls lead to random crashes.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branchPtrWithPatch):

2013-08-19  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120034
        Remove custom getOwnPropertyDescriptor for global objects

        Reviewed by Geoff Garen.

        Fix attributes of JSC SymbolTableObject entries, ensure that cross frame access is safe, and suppress prototype chain walk.

        * runtime/JSGlobalObject.cpp:
            - Remove custom getOwnPropertyDescriptor implementation.
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTableGet):
            - The symbol table does not store the DontDelete attribute, we should be adding it back in.
        * runtime/PropertyDescriptor.h:
            - JSDOMWindow walks the prototype chain on own access. This is bad, but for now workaround for the getOwnPropertyDescriptor case.
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::setUndefined):
            - This is used by WebCore when blocking access to properties on cross-frame access.
              Mark blocked properties as read-only, non-configurable to prevent defineProperty.

2013-08-17  Filip Pizlo  <fpizlo@apple.com>

        DFG should inline typedArray.byteOffset
        https://bugs.webkit.org/show_bug.cgi?id=119962

        Reviewed by Oliver Hunt.

        This adds a new node, GetTypedArrayByteOffset, which inlines
        typedArray.byteOffset.

        Also, I improved a bunch of the clobbering logic related to typed arrays
        and clobbering in general. For example, PutByOffset/PutStructure are not
        clobber-world so they can be handled by most default cases in CSE. Also,
        it's better to use the 'Class_field' notation for typed arrays now that
        they no longer involve magical descriptor thingies.

        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::neverNeedsStorage):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::checkArrayElimination):
        (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
        (JSC::DFG::FixupPhase::convertToGetArrayLength):
        (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        * runtime/ArrayBuffer.h:
        (JSC::ArrayBuffer::offsetOfData):
        * runtime/Butterfly.h:
        (JSC::Butterfly::offsetOfArrayBuffer):
        * runtime/IndexingHeader.h:
        (JSC::IndexingHeader::offsetOfArrayBuffer):

2013-08-18  Filip Pizlo  <fpizlo@apple.com>

        <https://webkit.org/b/119994> DFG new Array() inlining could get confused about global objects

        Reviewed by Geoffrey Garen.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):

2013-08-18  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=119995
        Start removing custom implementations of getOwnPropertyDescriptor

        Reviewed by Oliver Hunt.

        This can now typically be implemented in terms of getOwnPropertySlot.
        Add a macro to PropertyDescriptor to define an implementation of GOPD in terms of GOPS.
        Switch over most classes in JSC & the WebCore bindings generator to use this.

        * API/JSCallbackObjectFunctions.h:
        * debugger/DebuggerActivation.cpp:
        * runtime/Arguments.cpp:
        * runtime/ArrayConstructor.cpp:
        * runtime/ArrayPrototype.cpp:
        * runtime/BooleanPrototype.cpp:
        * runtime/DateConstructor.cpp:
        * runtime/DatePrototype.cpp:
        * runtime/ErrorPrototype.cpp:
        * runtime/JSActivation.cpp:
        * runtime/JSArray.cpp:
        * runtime/JSArrayBuffer.cpp:
        * runtime/JSArrayBufferView.cpp:
        * runtime/JSCell.cpp:
        * runtime/JSDataView.cpp:
        * runtime/JSDataViewPrototype.cpp:
        * runtime/JSFunction.cpp:
        * runtime/JSGenericTypedArrayViewInlines.h:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSONObject.cpp:
        * runtime/JSObject.cpp:
        * runtime/NamePrototype.cpp:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberPrototype.cpp:
        * runtime/ObjectConstructor.cpp:
            - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
        * runtime/PropertyDescriptor.h:
            - Added GET_OWN_PROPERTY_DESCRIPTOR_IMPL macro.
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::isValue):
        (JSC::PropertySlot::isGetter):
        (JSC::PropertySlot::isCustom):
        (JSC::PropertySlot::isCacheableValue):
        (JSC::PropertySlot::isCacheableGetter):
        (JSC::PropertySlot::isCacheableCustom):
        (JSC::PropertySlot::attributes):
        (JSC::PropertySlot::getterSetter):
            - Add accessors necessary to convert PropertySlot to descriptor.
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpMatchesArray.cpp:
        * runtime/RegExpMatchesArray.h:
        * runtime/RegExpObject.cpp:
        * runtime/RegExpPrototype.cpp:
        * runtime/StringConstructor.cpp:
        * runtime/StringObject.cpp:
            - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.

2013-08-19  Michael Saboff  <msaboff@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120015 DFG 32Bit: Crash loading "Classic" site @ translate.google.com

        Reviewed by Sam Weinig.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell): Added checks for spillFormat being
        DataFormatInteger or DataFormatDouble similar to what is in the 64 bit code and in
        all versions of fillSpeculateBoolean().

2013-08-19  Michael Saboff  <msaboff@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120020 Change Set 154207 causes wrong register to be used for 32 bit tests

        Reviewed by Benjamin Poulain.

        Change branchTest32 to only use the byte for 8 bit test on the lower 4 registers.
        Registers 4 through 7 as byte registers are ah, ch, dh and bh instead of sp, bp, si and di.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::branchTest32):

2013-08-16  Oliver Hunt  <oliver@apple.com>

        <https://webkit.org/b/119860> Crash during exception unwinding

        Reviewed by Filip Pizlo.

        Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error
        to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node.

        We need this so that Throw and ThrowReferenceError no longer need to be treated as
        terminals and the subsequent flush keeps the activation (and other registers) live.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isTerminal):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-08-19  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>

        <https://webkit.org/b/120008> [GTK][ARM] javascriptcore compilation is broken

        Reviewed by Oliver Hunt.

        Guard the compilation of these files only if DFG_JIT is enabled.

        * dfg/DFGDesiredTransitions.cpp:
        * dfg/DFGDesiredTransitions.h:
        * dfg/DFGDesiredWeakReferences.cpp:
        * dfg/DFGDesiredWeakReferences.h:
        * dfg/DFGDesiredWriteBarriers.cpp:
        * dfg/DFGDesiredWriteBarriers.h:

2013-08-17  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r154218): DFG::FixupPhase no longer turns GetById's child1 into CellUse
        https://bugs.webkit.org/show_bug.cgi?id=119961

        Reviewed by Mark Hahnenberg.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2013-08-18  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=119972
        Add attributes field to PropertySlot

        Reviewed by Geoff Garen.

        For all JSC types, this makes getOwnPropertyDescriptor redundant.
        There will be a bit more hacking required in WebCore to remove GOPD whilst maintaining current behaviour.
        (Current behaviour is in many ways broken, particularly in that GOPD & GOPS are inconsistent, but we should fix incrementally).

        No performance impact.

        * runtime/PropertySlot.h:
        (JSC::PropertySlot::setValue):
        (JSC::PropertySlot::setCustom):
        (JSC::PropertySlot::setCacheableCustom):
        (JSC::PropertySlot::setCustomIndex):
        (JSC::PropertySlot::setGetterSlot):
        (JSC::PropertySlot::setCacheableGetterSlot):
            - These methods now all require 'attributes'.
        * runtime/JSObject.h:
        (JSC::JSObject::getDirect):
        (JSC::JSObject::getDirectOffset):
        (JSC::JSObject::inlineGetOwnPropertySlot):
            - Added variants of getDirect, getDirectOffset that return the attributes.
        * API/JSCallbackObjectFunctions.h:
        (JSC::::getOwnPropertySlot):
        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertySlotByIndex):
        (JSC::Arguments::getOwnPropertySlot):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTableGet):
        (JSC::JSActivation::getOwnPropertySlot):
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnPropertySlot):
        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::getOwnPropertySlot):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::getOwnPropertySlot):
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::getOwnPropertySlot):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::::getOwnPropertySlot):
        (JSC::::getOwnPropertySlotByIndex):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::fillGetterPropertySlot):
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTableGet):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::getStaticPropertySlot):
        (JSC::getStaticPropertyDescriptor):
        (JSC::getStaticValueSlot):
        (JSC::getStaticValueDescriptor):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnPropertySlot):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayEntry::get):
            - Pass attributes to PropertySlot::set* methods.

2013-08-17  Mark Hahnenberg  <mhahnenberg@apple.com>

        <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML

        Reviewed by Filip Pizlo.

        Added a new mode for DesiredWriteBarrier that allows it to track a position in a
        Vector of WriteBarriers rather than the specific address. The fact that we were
        arbitrarily storing into a Vector's backing store for constants at the end of
        compilation after the Vector could have resized was causing crashes.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::constants):
        (JSC::CodeBlock::addConstantLazily):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addConstant):
        * dfg/DFGDesiredWriteBarriers.cpp:
        (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
        (JSC::DFG::DesiredWriteBarrier::trigger):
        (JSC::DFG::initializeLazyWriteBarrierForConstant):
        * dfg/DFGDesiredWriteBarriers.h:
        (JSC::DFG::DesiredWriteBarriers::add):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::truncateConstantToInt32):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::constantRegisterForConstant):

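The three Hahnenberg entries about deferred WriteBarriers (119833, which moves barrier and weak-reference registration off the concurrent compilation thread, and the two 119919 fixes, which change DesiredWriteBarrier from remembering a slot address to remembering an owner plus an index into CodeBlock's constants Vector) all revolve around the same memory-safety hazard: an address taken into a growable Vector's backing store becomes dangling as soon as the Vector reallocates, so a write through it at the end of compilation is a use-after-free. The block below is an added illustration written for this page; it is not WebKit code, and the names deferred::, DesiredBarrierByAddress, DesiredBarrierByIndex, addressStillLiveAfterGrowth and payloadAfterIndexedTrigger are invented. std::vector stands in for WTF::Vector, and a plain struct stands in for WriteBarrier<Unknown>.

```cpp
// Added example, not JavaScriptCore code: why a barrier deferred to the end of a
// concurrent compilation must record (owner, index) rather than the address of a
// Vector element. All names here are invented for the demonstration.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

namespace deferred {

struct Cell { uint64_t payload; };                          // stands in for a heap cell
struct WriteBarrier { Cell* value = nullptr; };             // stands in for WriteBarrier<Unknown>
struct CodeBlock { std::vector<WriteBarrier> constants; };  // grows while the compiler adds constants

// Broken form: remembers where the slot *was* when the constant was added.
struct DesiredBarrierByAddress {
    WriteBarrier* slot;
    Cell* value;
};

// Fixed form: remembers the owner and the index; the slot is resolved only when triggered.
struct DesiredBarrierByIndex {
    CodeBlock* codeBlock;
    size_t index;
    Cell* value;
    void trigger() const { codeBlock->constants[index].value = value; }
};

// Records a by-address barrier for constant 0, then adds `count - 1` more constants.
// Returns whether the recorded address is still the live address of constant 0. Once the
// Vector has reallocated it is not, and triggering through it would write into freed memory.
static bool addressStillLiveAfterGrowth(size_t count) {
    CodeBlock codeBlock;
    Cell cell{ 42 };
    codeBlock.constants.push_back(WriteBarrier{});
    DesiredBarrierByAddress barrier{ &codeBlock.constants[0], &cell };
    for (size_t i = 1; i < count; ++i)
        codeBlock.constants.push_back(WriteBarrier{});
    return barrier.slot == &codeBlock.constants[0];   // only compared, never dereferenced
}

// Same growth, but with the by-index barrier; returns the payload the trigger stored.
static uint64_t payloadAfterIndexedTrigger(size_t count) {
    CodeBlock codeBlock;
    Cell cell{ 42 };
    codeBlock.constants.push_back(WriteBarrier{});
    DesiredBarrierByIndex barrier{ &codeBlock, 0, &cell };
    for (size_t i = 1; i < count; ++i)
        codeBlock.constants.push_back(WriteBarrier{});
    barrier.trigger();                                  // end of compilation, on the main thread
    return codeBlock.constants[0].value ? codeBlock.constants[0].value->payload : 0;
}

} // namespace deferred

int main() {
    std::printf("address still live after 1 constant: %d\n",
                deferred::addressStillLiveAfterGrowth(1));
    std::printf("address still live after 1024 constants: %d\n",
                deferred::addressStillLiveAfterGrowth(1024));
    std::printf("payload via indexed trigger: %llu\n",
                (unsigned long long)deferred::payloadAfterIndexedTrigger(1024));
    return 0;
}
```

The by-address variant deliberately never dereferences the stale pointer; it only reports that the address no longer matches the live slot, which is exactly the condition under which the original code was scribbling on a freed backing store. Build with a sanitizer (`-fsanitize=address`) if you want to watch the dereferencing version fault.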
2013-08-16  Filip Pizlo  <fpizlo@apple.com>

        DFG should optimize typedArray.byteLength
        https://bugs.webkit.org/show_bug.cgi?id=119909

        Reviewed by Oliver Hunt.

        This adds typedArray.byteLength inlining to the DFG, and does so without changing
        the IR: byteLength is turned into GetArrayLength followed by BitLShift. This is
        legal since the byteLength of a typed array cannot exceed
        numeric_limits<int32_t>::max().

        * bytecode/SpeculatedType.cpp:
        (JSC::typedArrayTypeFromSpeculation):
        * bytecode/SpeculatedType.h:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::toArrayType):
        * dfg/DFGArrayMode.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
        (JSC::DFG::FixupPhase::attemptToMakeGetByteLength):
        (JSC::DFG::FixupPhase::convertToGetArrayLength):
        (JSC::DFG::FixupPhase::prependGetArrayLength):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::constantRegisterForConstant):
        (JSC::DFG::Graph::convertToConstant):
        * runtime/TypedArrayType.h:
        (JSC::logElementSize):
        (JSC::elementSize):

2013-08-16  Filip Pizlo  <fpizlo@apple.com>

        DFG optimizes out strict mode arguments tear off
        https://bugs.webkit.org/show_bug.cgi?id=119504

        Reviewed by Mark Hahnenberg and Oliver Hunt.

        Don't do the optimization for strict mode.

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        (JSC::DFG::ArgumentsSimplificationPhase::pruneObviousArgumentCreations):

2013-08-16  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] x86: improve code generation for xxxTest32
        https://bugs.webkit.org/show_bug.cgi?id=119876

        Reviewed by Geoffrey Garen.

        Try to use testb whenever possible when testing for an immediate value.

        When the input is an address and an offset, we can tweak the mask
        and offset to be able to generate testb for any byte of the mask.

        When the input is a register, we can use testb if we are only interested
        in testing the low bits.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::branchTest32):
        (JSC::MacroAssemblerX86Common::test32):
        (JSC::MacroAssemblerX86Common::generateTest32):

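The Poulain entry above (119876) introduces the testb shortcut for branchTest32, and the Saboff entry for 120020 records the follow-up fix: in 32-bit mode the byte-sized ModRM register numbers 4 through 7 name ah, ch, dh and bh, not esp, ebp, esi and edi, so the shortcut is only sound for the lower four registers. The block below is an added illustration written for this page, not WebKit's assembler: it is a tiny 32-bit x86 encoder for `test imm, operand` that makes both decisions explicit and returns the raw bytes so they can be checked. The namespace x86demo and the function names branchTest32RegImm, branchTest32MemImm, test32RegImm, test8RegImm and hasLowByteWithoutRex are invented; the opcode and ModRM encodings are the architectural ones (A8/A9 for the al/eax forms, F6 /0 and F7 /0 otherwise). The esp base register, which needs a SIB byte, is left out of the memory form.

```cpp
// Added example, not JavaScriptCore code: a tiny 32-bit-mode x86 encoder for
// "test imm, operand" showing the two decisions described in the entries above.
// Names (x86demo, branchTest32RegImm, branchTest32MemImm, ...) are invented.
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

namespace x86demo {

using Bytes = std::vector<uint8_t>;

// ModRM register numbers: eax=0 ... edi=7.
enum Reg : uint8_t { eax = 0, ecx, edx, ebx, esp, ebp, esi, edi };

// Without a REX prefix only registers 0..3 have an addressable low byte (al, cl, dl, bl);
// numbers 4..7 in a byte-sized ModRM select ah, ch, dh, bh instead of esp, ebp, esi, edi.
static bool hasLowByteWithoutRex(Reg reg) { return reg < esp; }

// test imm32, r32  ->  F7 /0 (ModRM 11 000 rrr), or the short A9 form for eax.
static Bytes test32RegImm(Reg reg, uint32_t imm) {
    Bytes out;
    if (reg == eax)
        out.push_back(0xA9);
    else
        out.insert(out.end(), { uint8_t(0xF7), uint8_t(0xC0 | reg) });
    for (int i = 0; i < 4; ++i)
        out.push_back(uint8_t(imm >> (8 * i)));
    return out;
}

// test imm8, r8  ->  F6 /0, or A8 for al. Refuses registers whose byte form would silently
// test ah/ch/dh/bh; that silent substitution is the bug the 32-bit fix above closes.
static Bytes test8RegImm(Reg reg, uint8_t imm) {
    if (!hasLowByteWithoutRex(reg))
        throw std::invalid_argument("byte-sized test on esp..edi needs a REX prefix (64-bit only)");
    if (reg == eax)
        return { 0xA8, imm };
    return { 0xF6, uint8_t(0xC0 | reg), imm };
}

// Register form of branchTest32: testb only when the mask fits in the low byte AND the
// register has a plain low-byte name; otherwise the full 32-bit test.
static Bytes branchTest32RegImm(Reg reg, uint32_t mask) {
    if (mask <= 0xFF && hasLowByteWithoutRex(reg))
        return test8RegImm(reg, uint8_t(mask));
    return test32RegImm(reg, mask);
}

// Memory form, operand disp8(base): if exactly one byte of the mask is non-zero, move the
// displacement onto that byte and shift the mask down so a single testb covers it.
static Bytes branchTest32MemImm(Reg base, int8_t disp, uint32_t mask) {
    if (base == esp)
        throw std::invalid_argument("esp base needs a SIB byte; not modelled here");
    int byteIndex = -1; // index of the single non-zero byte, or -2 if more than one
    for (int i = 0; i < 4; ++i) {
        if (((mask >> (8 * i)) & 0xFF) == 0)
            continue;
        byteIndex = (byteIndex == -1) ? i : -2;
    }
    uint8_t modrm = uint8_t(0x40 | base); // mod=01 (disp8), reg=/0, rm=base
    if (byteIndex >= 0 && disp + byteIndex <= 127)
        return { 0xF6, modrm, uint8_t(disp + byteIndex), uint8_t(mask >> (8 * byteIndex)) };
    Bytes out = { 0xF7, modrm, uint8_t(disp) };
    for (int i = 0; i < 4; ++i)
        out.push_back(uint8_t(mask >> (8 * i)));
    return out;
}

} // namespace x86demo

int main() {
    using namespace x86demo;
    for (const Bytes& encoding : { branchTest32RegImm(ecx, 0x01), branchTest32RegImm(esi, 0x01),
                                   branchTest32MemImm(ebx, 8, 0x00FF0000) }) {
        for (uint8_t byte : encoding)
            std::printf("%02X ", byte);
        std::printf("\n");
    }
    return 0;
}
```

Feeding the returned bytes to a disassembler is the practical check: `F6 C1 01` reads as `test cl, 1`, whereas the naive byte form for esi would have produced `F6 C6 01`, which a disassembler shows as `test dh, 1`, which is the wrong-register bug in one line.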
2013-08-16  Mark Lam  <mark.lam@apple.com>

        <https://bugs.webkit.org/show_bug.cgi?id=119913> Baseline JIT gives erroneous
        error message that an object is not a constructor though it expects a function

        Reviewed by Michael Saboff.

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2013-08-16  Filip Pizlo  <fpizlo@apple.com>

        Object properties added using dot syntax (o.f = ...) from code that isn't in eval should be less likely to cause an object to become a dictionary
        https://bugs.webkit.org/show_bug.cgi?id=119897

        Reviewed by Oliver Hunt.

        6-10x speed-up on microbenchmarks that create large static objects. 40-65% speed-up
        on Octane/gbemu. 3% overall speed-up on Octane. No slow-downs anywhere; our ability
        to turn objects into dictionaries when you're storing using bracket syntax or using
        eval is still in place.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::putByIdContext):
        * dfg/DFGOperations.cpp:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirectInternal):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::PutPropertySlot):
        (JSC::PutPropertySlot::context):
        * runtime/Structure.cpp:
        (JSC::Structure::addPropertyTransition):
        * runtime/Structure.h:

2013-08-16  Balazs Kilvady  <kilvadyb@homejinni.com>

        <https://webkit.org/b/119742> REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException

        Reviewed by Allan Sandfeld Jensen.

        ctiVMHandleException must jump/return using register ra (r31).

        * jit/JITStubsMIPS.h:

2013-08-16  Julien Brianceau  <jbrianceau@nds.com>

        <https://webkit.org/b/119879> Fix sh4 build after r154156.

        Reviewed by Allan Sandfeld Jensen.

        Fix typo in JITStubsSH4.h file.

        * jit/JITStubsSH4.h:

2013-08-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        <https://webkit.org/b/119833> Concurrent compilation thread should not trigger WriteBarriers

        Reviewed by Oliver Hunt.

        The concurrent compilation thread should interact minimally with the Heap, including not
        triggering WriteBarriers. This is a prerequisite for generational GC.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::addOrFindConstant):
        (JSC::CodeBlock::findConstant):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addConstantLazily):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getJSConstantForValue):
        (JSC::DFG::ByteCodeParser::constantUndefined):
        (JSC::DFG::ByteCodeParser::constantNull):
        (JSC::DFG::ByteCodeParser::one):
        (JSC::DFG::ByteCodeParser::constantNaN):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::notifyCompilingStructureTransition):
        * dfg/DFGCommonData.h:
        * dfg/DFGDesiredTransitions.cpp: Added.
        (JSC::DFG::DesiredTransition::DesiredTransition):
        (JSC::DFG::DesiredTransition::reallyAdd):
        (JSC::DFG::DesiredTransitions::DesiredTransitions):
        (JSC::DFG::DesiredTransitions::~DesiredTransitions):
        (JSC::DFG::DesiredTransitions::addLazily):
        (JSC::DFG::DesiredTransitions::reallyAdd):
        * dfg/DFGDesiredTransitions.h: Added.
        * dfg/DFGDesiredWeakReferences.cpp: Added.
        (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
        (JSC::DFG::DesiredWeakReferences::~DesiredWeakReferences):
        (JSC::DFG::DesiredWeakReferences::addLazily):
        (JSC::DFG::DesiredWeakReferences::reallyAdd):
        * dfg/DFGDesiredWeakReferences.h: Added.
        * dfg/DFGDesiredWriteBarriers.cpp: Added.
        (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
        (JSC::DFG::DesiredWriteBarrier::trigger):
        (JSC::DFG::DesiredWriteBarriers::DesiredWriteBarriers):
        (JSC::DFG::DesiredWriteBarriers::~DesiredWriteBarriers):
        (JSC::DFG::DesiredWriteBarriers::addImpl):
        (JSC::DFG::DesiredWriteBarriers::trigger):
        * dfg/DFGDesiredWriteBarriers.h: Added.
        (JSC::DFG::DesiredWriteBarriers::add):
        (JSC::DFG::initializeLazyWriteBarrier):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::truncateConstantToInt32):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::convertToConstant):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addWeakReference):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::reallyAdd):
        * dfg/DFGPlan.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase::set):
        (JSC::WriteBarrier::WriteBarrier):

2013-08-15  Benjamin Poulain  <benjamin@webkit.org>

        Fix x86 32bits build after r154158

        * assembler/X86Assembler.h: Add missing #ifdef for the x86_64 instructions.

2013-08-15  Ryosuke Niwa  <rniwa@webkit.org>

        Build fix attempt after r154156.

        * jit/JITStubs.cpp:
        (JSC::cti_vm_handle_exception): encode!

2013-08-15  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] x86: Use inc and dec when possible
        https://bugs.webkit.org/show_bug.cgi?id=119831

        Reviewed by Geoffrey Garen.

        When incrementing or decrementing by an immediate of 1, use the instructions
        inc and dec instead of add and sub.
        The instructions have good timing and their encoding is smaller.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86_64::add32):
        (JSC::MacroAssemblerX86_64::sub32):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::add64):
        (JSC::MacroAssemblerX86_64::sub64):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::dec_r):
        (JSC::X86Assembler::decq_r):
        (JSC::X86Assembler::inc_r):
        (JSC::X86Assembler::incq_r):

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
        https://bugs.webkit.org/show_bug.cgi?id=119874

        Reviewed by Oliver Hunt and Mark Hahnenberg.

        It was a confusion between heuristics in DFG::ArrayMode that are assuming that
        you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
        sometimes for typed array length accesses, and the FixupPhase assuming that a
        ForceExit ArrayMode means that it should continue using a generic GetById.

        This fixes the confusion.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

715 2013-08-15  Mark Lam  <mark.lam@apple.com>
716
717         Fix crash when performing activation tearoff.
718         https://bugs.webkit.org/show_bug.cgi?id=119848
719
720         Reviewed by Oliver Hunt.
721
722         The activation tearoff crash was due to a bug in the baseline JIT.
723         If we have a scenario where a baseline JIT frame calls a LLINT
724         frame, an exception may be thrown while in the LLINT.
725
726         Interpreter::throwException() which handles the exception will unwind
727         all frames until it finds a catcher or sees a host frame. When we
728         return from the LLINT to the baseline JIT code, the baseline JIT code
729         erroneously sets topCallFrame to the value in its call frame register,
730         and starts unwinding the stack frames that have already been unwound.
731
732         The fix is:
733         1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
734            This is a more accurate description of what this runtime function
735            is supposed to do, i.e. it handles the exception, which includes doing
736            nothing (if there are no more frames to unwind).
737         2. Fix up topCallFrame values so that the HostCallFrameFlag is never
738            set on it.
739         3. Reloading the call frame register from topCallFrame when we're
740            returning from a callee and detect exception handling in progress.
741
742         * interpreter/Interpreter.cpp:
743         (JSC::Interpreter::unwindCallFrame):
744         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
745         (JSC::Interpreter::getStackTrace):
746         * interpreter/Interpreter.h:
747         (JSC::TopCallFrameSetter::TopCallFrameSetter):
748         (JSC::TopCallFrameSetter::~TopCallFrameSetter):
749         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
750         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
751         * jit/JIT.h:
752         * jit/JITExceptions.cpp:
753         (JSC::uncaughtExceptionHandler):
754         - Convenience function to get the handler for uncaught exceptions.
755         * jit/JITExceptions.h:
756         * jit/JITInlines.h:
757         (JSC::JIT::reloadCallFrameFromTopCallFrame):
758         * jit/JITOpcodes32_64.cpp:
759         (JSC::JIT::privateCompileCTINativeCall):
760         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
761         * jit/JITStubs.cpp:
762         (JSC::throwExceptionFromOpCall):
763         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
764         (JSC::cti_vm_handle_exception):
765         - Check for the case when there are no more frames to unwind.
766         * jit/JITStubs.h:
767         * jit/JITStubsARM.h:
768         * jit/JITStubsARMv7.h:
769         * jit/JITStubsMIPS.h:
770         * jit/JITStubsSH4.h:
771         * jit/JITStubsX86.h:
772         * jit/JITStubsX86_64.h:
773         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
774         * jit/SlowPathCall.h:
775         (JSC::JITSlowPathCall::call):
776         - reload cfr from topCallFrame when handling an exception.
777         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
778         * jit/ThunkGenerators.cpp:
779         (JSC::nativeForGenerator):
780         * llint/LowLevelInterpreter32_64.asm:
781         * llint/LowLevelInterpreter64.asm:
782         - reload cfr from topCallFrame when handling an exception.
783         * runtime/VM.cpp:
784         (JSC::VM::VM):
785         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
786
787 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
788
789         Remove some code duplication.
790         
791         Rubber stamped by Mark Hahnenberg.
792
793         * runtime/JSDataViewPrototype.cpp:
794         (JSC::getData):
795         (JSC::setData):
796
797 2013-08-15  Julien Brianceau  <jbrianceau@nds.com>
798
799         [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
800         https://bugs.webkit.org/show_bug.cgi?id=119794
801
802         Reviewed by Filip Pizlo.
803
804         This patch fixes ASSERT failures in debug builds for the sh4 and mips architectures.
805
806         * dfg/DFGUseKind.h:
807         (JSC::DFG::isNumerical):
808         (JSC::DFG::isDouble):
809
810 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
811
812         http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.
813
814         Rubber stamped by Oliver Hunt.
815         
816         This was causing some test crashes for me.
817
818         * dfg/DFGCapabilities.cpp:
819         (JSC::DFG::capabilityLevel):
820
821 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
822
823         [Windows] Clear up improper export declaration.
824
825         * runtime/ArrayBufferView.h:
826
827 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
828
829         Unreviewed, remove some unnecessary periods from exceptions.
830
831         * runtime/JSDataViewPrototype.cpp:
832         (JSC::getData):
833         (JSC::setData):
834
835 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
836
837         Unreviewed, fix 32-bit build.
838
839         * dfg/DFGSpeculativeJIT32_64.cpp:
840         (JSC::DFG::SpeculativeJIT::compile):
841
842 2013-08-14  Filip Pizlo  <fpizlo@apple.com>
843
844         Typed arrays should be rewritten
845         https://bugs.webkit.org/show_bug.cgi?id=119064
846
847         Reviewed by Oliver Hunt.
848         
849         Typed arrays were previously deficient in several major ways:
850         
851         - They were defined separately in WebCore and in the jsc shell. The two
852           implementations were different, and the jsc shell one was basically wrong.
853           The WebCore one was quite awful, also.
854         
855         - Typed arrays were not visible to the JIT except through some weird hooks.
856           For example, the JIT could not ask "what is the Structure that this typed
857           array would have if I just allocated it from this global object". Also,
858           it was difficult to wire any of the typed array intrinsics, because most
859           of the functionality wasn't visible anywhere in JSC.
860         
861         - Typed array allocation was brain-dead. Allocating a typed array involved
862           two JS objects, two GC weak handles, and three malloc allocations.
863         
864         - Neutering. It involved keeping tabs on all native views but not the view
865           wrappers, even though the native views can autoneuter just by asking the
866           buffer if it was neutered anytime you touch them; while the JS view
867           wrappers are the ones that you really want to reach out to.
868         
869         - Common case-ing. Most typed arrays have one buffer and one view, and
870           usually nobody touches the buffer. Yet we created all of that stuff
871           anyway, using data structures optimized for the case where you had a lot
872           of views.
873         
874         - Semantic goofs. Typed arrays should, in the future, behave like ES
875           features rather than DOM features, for example when it comes to exceptions.
876           Firefox already does this and I agree with them.
877         
878         This patch cleanses our codebase of these sins:
879         
880         - Typed arrays are almost entirely defined in JSC. Only the lifecycle
881           management of native references to buffers is left to WebCore.
882         
883         - Allocating a typed array requires either two GC allocations (a cell and a
884           copied storage vector) or one GC allocation, a malloc allocation, and a
885           weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
886           latter). The latter is only used for oversize arrays. Remember that before
887           it was 7 allocations no matter what.
888         
889         - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
890           mode/length, void* vector. Before it was a lot more than that - remember,
891           there were five additional objects that did absolutely nothing for anybody.
892         
893         - Native views aren't tracked by the buffer, or by the wrappers. They are
894           transient. In the future we'll probably switch to not even having them be
895           malloc'd.
896         
897         - Native array buffers have an efficient way of tracking all of their JS view
898           wrappers, both for neutering, and for lifecycle management. The GC
899           special-cases native array buffers. This saves a bunch of grief; for example
900           it means that a JS view wrapper can refer to its buffer via the butterfly,
901           which would be dead by the time we went to finalize.
902         
903         - Typed array semantics now match Firefox, which also happens to be where the
904           standards are going. The discussion on webkit-dev seemed to confirm that
905           Chrome is also heading in this direction. This includes making
906           Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
907           ArrayBufferView as a JS-visible construct.
908         
909         This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
910         It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
911         further typed array optimizations in the JSC JITs, including inlining typed
912         array allocation, inlining more of the accessors, reducing the cost of type
913         checks, etc.
914         
915         An additional property of this patch is that typed arrays are mostly
916         implemented using templates. This deduplicates a bunch of code, but does mean
917         that we need some hacks for exporting s_info's of template classes. See
918         JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
919         low-impact compared to code duplication.
920         
921         Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
922
923         * CMakeLists.txt:
924         * DerivedSources.make:
925         * GNUmakefile.list.am:
926         * JSCTypedArrayStubs.h: Removed.
927         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
928         * JavaScriptCore.xcodeproj/project.pbxproj:
929         * Target.pri:
930         * bytecode/ByValInfo.h:
931         (JSC::hasOptimizableIndexingForClassInfo):
932         (JSC::jitArrayModeForClassInfo):
933         (JSC::typedArrayTypeForJITArrayMode):
934         * bytecode/SpeculatedType.cpp:
935         (JSC::speculationFromClassInfo):
936         * dfg/DFGArrayMode.cpp:
937         (JSC::DFG::toTypedArrayType):
938         * dfg/DFGArrayMode.h:
939         (JSC::DFG::ArrayMode::typedArrayType):
940         * dfg/DFGSpeculativeJIT.cpp:
941         (JSC::DFG::SpeculativeJIT::checkArray):
942         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
943         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
944         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
945         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
946         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
947         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
948         * dfg/DFGSpeculativeJIT.h:
949         * dfg/DFGSpeculativeJIT32_64.cpp:
950         (JSC::DFG::SpeculativeJIT::compile):
951         * dfg/DFGSpeculativeJIT64.cpp:
952         (JSC::DFG::SpeculativeJIT::compile):
953         * heap/CopyToken.h:
954         * heap/DeferGC.h:
955         (JSC::DeferGCForAWhile::DeferGCForAWhile):
956         (JSC::DeferGCForAWhile::~DeferGCForAWhile):
957         * heap/GCIncomingRefCounted.h: Added.
958         (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
959         (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
960         (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
961         (JSC::GCIncomingRefCounted::incomingReferenceAt):
962         (JSC::GCIncomingRefCounted::singletonFlag):
963         (JSC::GCIncomingRefCounted::hasVectorOfCells):
964         (JSC::GCIncomingRefCounted::hasAnyIncoming):
965         (JSC::GCIncomingRefCounted::hasSingleton):
966         (JSC::GCIncomingRefCounted::singleton):
967         (JSC::GCIncomingRefCounted::vectorOfCells):
968         * heap/GCIncomingRefCountedInlines.h: Added.
969         (JSC::::addIncomingReference):
970         (JSC::::filterIncomingReferences):
971         * heap/GCIncomingRefCountedSet.h: Added.
972         (JSC::GCIncomingRefCountedSet::size):
973         * heap/GCIncomingRefCountedSetInlines.h: Added.
974         (JSC::::GCIncomingRefCountedSet):
975         (JSC::::~GCIncomingRefCountedSet):
976         (JSC::::addReference):
977         (JSC::::sweep):
978         (JSC::::removeAll):
979         (JSC::::removeDead):
980         * heap/Heap.cpp:
981         (JSC::Heap::addReference):
982         (JSC::Heap::extraSize):
983         (JSC::Heap::size):
984         (JSC::Heap::capacity):
985         (JSC::Heap::collect):
986         (JSC::Heap::decrementDeferralDepth):
987         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
988         * heap/Heap.h:
989         * interpreter/CallFrame.h:
990         (JSC::ExecState::dataViewTable):
991         * jit/JIT.h:
992         * jit/JITPropertyAccess.cpp:
993         (JSC::JIT::privateCompileGetByVal):
994         (JSC::JIT::privateCompilePutByVal):
995         (JSC::JIT::emitIntTypedArrayGetByVal):
996         (JSC::JIT::emitFloatTypedArrayGetByVal):
997         (JSC::JIT::emitIntTypedArrayPutByVal):
998         (JSC::JIT::emitFloatTypedArrayPutByVal):
999         * jsc.cpp:
1000         (GlobalObject::finishCreation):
1001         * runtime/ArrayBuffer.cpp:
1002         (JSC::ArrayBuffer::transfer):
1003         * runtime/ArrayBuffer.h:
1004         (JSC::ArrayBuffer::createAdopted):
1005         (JSC::ArrayBuffer::ArrayBuffer):
1006         (JSC::ArrayBuffer::gcSizeEstimateInBytes):
1007         (JSC::ArrayBuffer::pin):
1008         (JSC::ArrayBuffer::unpin):
1009         (JSC::ArrayBufferContents::tryAllocate):
1010         * runtime/ArrayBufferView.cpp:
1011         (JSC::ArrayBufferView::ArrayBufferView):
1012         (JSC::ArrayBufferView::~ArrayBufferView):
1013         (JSC::ArrayBufferView::setNeuterable):
1014         * runtime/ArrayBufferView.h:
1015         (JSC::ArrayBufferView::isNeutered):
1016         (JSC::ArrayBufferView::buffer):
1017         (JSC::ArrayBufferView::baseAddress):
1018         (JSC::ArrayBufferView::byteOffset):
1019         (JSC::ArrayBufferView::verifySubRange):
1020         (JSC::ArrayBufferView::clampOffsetAndNumElements):
1021         (JSC::ArrayBufferView::calculateOffsetAndLength):
1022         * runtime/ClassInfo.h:
1023         * runtime/CommonIdentifiers.h:
1024         * runtime/DataView.cpp: Added.
1025         (JSC::DataView::DataView):
1026         (JSC::DataView::create):
1027         (JSC::DataView::wrap):
1028         * runtime/DataView.h: Added.
1029         (JSC::DataView::byteLength):
1030         (JSC::DataView::getType):
1031         (JSC::DataView::get):
1032         (JSC::DataView::set):
1033         * runtime/Float32Array.h:
1034         * runtime/Float64Array.h:
1035         * runtime/GenericTypedArrayView.h: Added.
1036         (JSC::GenericTypedArrayView::data):
1037         (JSC::GenericTypedArrayView::set):
1038         (JSC::GenericTypedArrayView::setRange):
1039         (JSC::GenericTypedArrayView::zeroRange):
1040         (JSC::GenericTypedArrayView::zeroFill):
1041         (JSC::GenericTypedArrayView::length):
1042         (JSC::GenericTypedArrayView::byteLength):
1043         (JSC::GenericTypedArrayView::item):
1044         (JSC::GenericTypedArrayView::checkInboundData):
1045         (JSC::GenericTypedArrayView::getType):
1046         * runtime/GenericTypedArrayViewInlines.h: Added.
1047         (JSC::::GenericTypedArrayView):
1048         (JSC::::create):
1049         (JSC::::createUninitialized):
1050         (JSC::::subarray):
1051         (JSC::::wrap):
1052         * runtime/IndexingHeader.h:
1053         (JSC::IndexingHeader::arrayBuffer):
1054         (JSC::IndexingHeader::setArrayBuffer):
1055         * runtime/Int16Array.h:
1056         * runtime/Int32Array.h:
1057         * runtime/Int8Array.h:
1058         * runtime/JSArrayBuffer.cpp: Added.
1059         (JSC::JSArrayBuffer::JSArrayBuffer):
1060         (JSC::JSArrayBuffer::finishCreation):
1061         (JSC::JSArrayBuffer::create):
1062         (JSC::JSArrayBuffer::createStructure):
1063         (JSC::JSArrayBuffer::getOwnPropertySlot):
1064         (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
1065         (JSC::JSArrayBuffer::put):
1066         (JSC::JSArrayBuffer::defineOwnProperty):
1067         (JSC::JSArrayBuffer::deleteProperty):
1068         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
1069         * runtime/JSArrayBuffer.h: Added.
1070         (JSC::JSArrayBuffer::impl):
1071         (JSC::toArrayBuffer):
1072         * runtime/JSArrayBufferConstructor.cpp: Added.
1073         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
1074         (JSC::JSArrayBufferConstructor::finishCreation):
1075         (JSC::JSArrayBufferConstructor::create):
1076         (JSC::JSArrayBufferConstructor::createStructure):
1077         (JSC::constructArrayBuffer):
1078         (JSC::JSArrayBufferConstructor::getConstructData):
1079         (JSC::JSArrayBufferConstructor::getCallData):
1080         * runtime/JSArrayBufferConstructor.h: Added.
1081         * runtime/JSArrayBufferPrototype.cpp: Added.
1082         (JSC::arrayBufferProtoFuncSlice):
1083         (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
1084         (JSC::JSArrayBufferPrototype::finishCreation):
1085         (JSC::JSArrayBufferPrototype::create):
1086         (JSC::JSArrayBufferPrototype::createStructure):
1087         * runtime/JSArrayBufferPrototype.h: Added.
1088         * runtime/JSArrayBufferView.cpp: Added.
1089         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1090         (JSC::JSArrayBufferView::JSArrayBufferView):
1091         (JSC::JSArrayBufferView::finishCreation):
1092         (JSC::JSArrayBufferView::getOwnPropertySlot):
1093         (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
1094         (JSC::JSArrayBufferView::put):
1095         (JSC::JSArrayBufferView::defineOwnProperty):
1096         (JSC::JSArrayBufferView::deleteProperty):
1097         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
1098         (JSC::JSArrayBufferView::finalize):
1099         * runtime/JSArrayBufferView.h: Added.
1100         (JSC::JSArrayBufferView::sizeOf):
1101         (JSC::JSArrayBufferView::ConstructionContext::operator!):
1102         (JSC::JSArrayBufferView::ConstructionContext::structure):
1103         (JSC::JSArrayBufferView::ConstructionContext::vector):
1104         (JSC::JSArrayBufferView::ConstructionContext::length):
1105         (JSC::JSArrayBufferView::ConstructionContext::mode):
1106         (JSC::JSArrayBufferView::ConstructionContext::butterfly):
1107         (JSC::JSArrayBufferView::mode):
1108         (JSC::JSArrayBufferView::vector):
1109         (JSC::JSArrayBufferView::length):
1110         (JSC::JSArrayBufferView::offsetOfVector):
1111         (JSC::JSArrayBufferView::offsetOfLength):
1112         (JSC::JSArrayBufferView::offsetOfMode):
1113         * runtime/JSArrayBufferViewInlines.h: Added.
1114         (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
1115         (JSC::JSArrayBufferView::buffer):
1116         (JSC::JSArrayBufferView::impl):
1117         (JSC::JSArrayBufferView::neuter):
1118         (JSC::JSArrayBufferView::byteOffset):
1119         * runtime/JSCell.cpp:
1120         (JSC::JSCell::slowDownAndWasteMemory):
1121         (JSC::JSCell::getTypedArrayImpl):
1122         * runtime/JSCell.h:
1123         * runtime/JSDataView.cpp: Added.
1124         (JSC::JSDataView::JSDataView):
1125         (JSC::JSDataView::create):
1126         (JSC::JSDataView::createUninitialized):
1127         (JSC::JSDataView::set):
1128         (JSC::JSDataView::typedImpl):
1129         (JSC::JSDataView::getOwnPropertySlot):
1130         (JSC::JSDataView::getOwnPropertyDescriptor):
1131         (JSC::JSDataView::slowDownAndWasteMemory):
1132         (JSC::JSDataView::getTypedArrayImpl):
1133         (JSC::JSDataView::createStructure):
1134         * runtime/JSDataView.h: Added.
1135         * runtime/JSDataViewPrototype.cpp: Added.
1136         (JSC::JSDataViewPrototype::JSDataViewPrototype):
1137         (JSC::JSDataViewPrototype::create):
1138         (JSC::JSDataViewPrototype::createStructure):
1139         (JSC::JSDataViewPrototype::getOwnPropertySlot):
1140         (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
1141         (JSC::getData):
1142         (JSC::setData):
1143         (JSC::dataViewProtoFuncGetInt8):
1144         (JSC::dataViewProtoFuncGetInt16):
1145         (JSC::dataViewProtoFuncGetInt32):
1146         (JSC::dataViewProtoFuncGetUint8):
1147         (JSC::dataViewProtoFuncGetUint16):
1148         (JSC::dataViewProtoFuncGetUint32):
1149         (JSC::dataViewProtoFuncGetFloat32):
1150         (JSC::dataViewProtoFuncGetFloat64):
1151         (JSC::dataViewProtoFuncSetInt8):
1152         (JSC::dataViewProtoFuncSetInt16):
1153         (JSC::dataViewProtoFuncSetInt32):
1154         (JSC::dataViewProtoFuncSetUint8):
1155         (JSC::dataViewProtoFuncSetUint16):
1156         (JSC::dataViewProtoFuncSetUint32):
1157         (JSC::dataViewProtoFuncSetFloat32):
1158         (JSC::dataViewProtoFuncSetFloat64):
1159         * runtime/JSDataViewPrototype.h: Added.
1160         * runtime/JSFloat32Array.h: Added.
1161         * runtime/JSFloat64Array.h: Added.
1162         * runtime/JSGenericTypedArrayView.h: Added.
1163         (JSC::JSGenericTypedArrayView::byteLength):
1164         (JSC::JSGenericTypedArrayView::byteSize):
1165         (JSC::JSGenericTypedArrayView::typedVector):
1166         (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
1167         (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
1168         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
1169         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
1170         (JSC::JSGenericTypedArrayView::getIndexQuickly):
1171         (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
1172         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
1173         (JSC::JSGenericTypedArrayView::setIndexQuickly):
1174         (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
1175         (JSC::JSGenericTypedArrayView::typedImpl):
1176         (JSC::JSGenericTypedArrayView::createStructure):
1177         (JSC::JSGenericTypedArrayView::info):
1178         (JSC::toNativeTypedView):
1179         * runtime/JSGenericTypedArrayViewConstructor.h: Added.
1180         * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
1181         (JSC::::JSGenericTypedArrayViewConstructor):
1182         (JSC::::finishCreation):
1183         (JSC::::create):
1184         (JSC::::createStructure):
1185         (JSC::constructGenericTypedArrayView):
1186         (JSC::::getConstructData):
1187         (JSC::::getCallData):
1188         * runtime/JSGenericTypedArrayViewInlines.h: Added.
1189         (JSC::::JSGenericTypedArrayView):
1190         (JSC::::create):
1191         (JSC::::createUninitialized):
1192         (JSC::::validateRange):
1193         (JSC::::setWithSpecificType):
1194         (JSC::::set):
1195         (JSC::::getOwnPropertySlot):
1196         (JSC::::getOwnPropertyDescriptor):
1197         (JSC::::put):
1198         (JSC::::defineOwnProperty):
1199         (JSC::::deleteProperty):
1200         (JSC::::getOwnPropertySlotByIndex):
1201         (JSC::::putByIndex):
1202         (JSC::::deletePropertyByIndex):
1203         (JSC::::getOwnNonIndexPropertyNames):
1204         (JSC::::getOwnPropertyNames):
1205         (JSC::::visitChildren):
1206         (JSC::::copyBackingStore):
1207         (JSC::::slowDownAndWasteMemory):
1208         (JSC::::getTypedArrayImpl):
1209         * runtime/JSGenericTypedArrayViewPrototype.h: Added.
1210         * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
1211         (JSC::genericTypedArrayViewProtoFuncSet):
1212         (JSC::genericTypedArrayViewProtoFuncSubarray):
1213         (JSC::::JSGenericTypedArrayViewPrototype):
1214         (JSC::::finishCreation):
1215         (JSC::::create):
1216         (JSC::::createStructure):
1217         * runtime/JSGlobalObject.cpp:
1218         (JSC::JSGlobalObject::reset):
1219         (JSC::JSGlobalObject::visitChildren):
1220         * runtime/JSGlobalObject.h:
1221         (JSC::JSGlobalObject::arrayBufferPrototype):
1222         (JSC::JSGlobalObject::arrayBufferStructure):
1223         (JSC::JSGlobalObject::typedArrayStructure):
1224         * runtime/JSInt16Array.h: Added.
1225         * runtime/JSInt32Array.h: Added.
1226         * runtime/JSInt8Array.h: Added.
1227         * runtime/JSTypedArrayConstructors.cpp: Added.
1228         * runtime/JSTypedArrayConstructors.h: Added.
1229         * runtime/JSTypedArrayPrototypes.cpp: Added.
1230         * runtime/JSTypedArrayPrototypes.h: Added.
1231         * runtime/JSTypedArrays.cpp: Added.
1232         * runtime/JSTypedArrays.h: Added.
1233         * runtime/JSUint16Array.h: Added.
1234         * runtime/JSUint32Array.h: Added.
1235         * runtime/JSUint8Array.h: Added.
1236         * runtime/JSUint8ClampedArray.h: Added.
1237         * runtime/Operations.h:
1238         * runtime/Options.h:
1239         * runtime/SimpleTypedArrayController.cpp: Added.
1240         (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
1241         (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
1242         (JSC::SimpleTypedArrayController::toJS):
1243         * runtime/SimpleTypedArrayController.h: Added.
1244         * runtime/Structure.h:
1245         (JSC::Structure::couldHaveIndexingHeader):
1246         * runtime/StructureInlines.h:
1247         (JSC::Structure::hasIndexingHeader):
1248         * runtime/TypedArrayAdaptors.h: Added.
1249         (JSC::IntegralTypedArrayAdaptor::toNative):
1250         (JSC::IntegralTypedArrayAdaptor::toJSValue):
1251         (JSC::IntegralTypedArrayAdaptor::toDouble):
1252         (JSC::FloatTypedArrayAdaptor::toNative):
1253         (JSC::FloatTypedArrayAdaptor::toJSValue):
1254         (JSC::FloatTypedArrayAdaptor::toDouble):
1255         (JSC::Uint8ClampedAdaptor::toNative):
1256         (JSC::Uint8ClampedAdaptor::toJSValue):
1257         (JSC::Uint8ClampedAdaptor::toDouble):
1258         (JSC::Uint8ClampedAdaptor::clamp):
1259         * runtime/TypedArrayController.cpp: Added.
1260         (JSC::TypedArrayController::TypedArrayController):
1261         (JSC::TypedArrayController::~TypedArrayController):
1262         * runtime/TypedArrayController.h: Added.
1263         * runtime/TypedArrayDescriptor.h: Removed.
1264         * runtime/TypedArrayInlines.h: Added.
1265         * runtime/TypedArrayType.cpp: Added.
1266         (JSC::classInfoForType):
1267         (WTF::printInternal):
1268         * runtime/TypedArrayType.h: Added.
1269         (JSC::toIndex):
1270         (JSC::isTypedView):
1271         (JSC::elementSize):
1272         (JSC::isInt):
1273         (JSC::isFloat):
1274         (JSC::isSigned):
1275         (JSC::isClamped):
1276         * runtime/TypedArrays.h: Added.
1277         * runtime/Uint16Array.h:
1278         * runtime/Uint32Array.h:
1279         * runtime/Uint8Array.h:
1280         * runtime/Uint8ClampedArray.h:
1281         * runtime/VM.cpp:
1282         (JSC::VM::VM):
1283         (JSC::VM::~VM):
1284         * runtime/VM.h:
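
        The typed array semantics called out in the entry above (Uint8ClampedArray is not a subtype of Uint8Array, ArrayBufferView is not a JS-visible construct, and errors are ES-style exceptions) can be checked from script. The following is an added example written for this page, not JavaScriptCore's own code; it uses only standard ES built-ins and runs on any current engine such as Node. The input values and the helper function names are constructed for illustration.

```javascript
// Added example (not JavaScriptCore code). Demonstrates the observable
// typed array semantics described in the ChangeLog entry above.

// Uint8ClampedArray saturates to [0, 255] and rounds half-to-even;
// Uint8Array truncates toward zero and then wraps modulo 256.
// The sample values are constructed to hit both edges of each rule.
function clampedVsWrapped(values) {
  const clamped = Array.from(new Uint8ClampedArray(values));
  const wrapped = Array.from(new Uint8Array(values));
  return { clamped, wrapped };
}

// Type hierarchy facts: the clamped array and Uint8Array are siblings under
// the shared %TypedArray%.prototype, and no ArrayBufferView global exists.
function typeHierarchyFacts() {
  return {
    clampedIsSubtypeOfUint8: Uint8ClampedArray.prototype instanceof Uint8Array,
    arrayBufferViewIsVisible: typeof globalThis.ArrayBufferView !== 'undefined',
    shareTypedArrayProto:
      Object.getPrototypeOf(Uint8ClampedArray.prototype) ===
      Object.getPrototypeOf(Uint8Array.prototype),
  };
}

// ES-style failure: an invalid length is a RangeError, not a DOM exception.
// Returns the constructor name of whatever was thrown, or null if nothing was.
function invalidLengthErrorName() {
  try {
    new Uint8Array(-1);
    return null;
  } catch (e) {
    return e.constructor.name;
  }
}

// Stand-alone run (constructed sample input).
console.log(clampedVsWrapped([300, -5, 1.5, 2.5, 0.5]));
console.log(typeHierarchyFacts());
console.log(invalidLengthErrorName());
```

        The same five inputs produce 255, 0, 2, 2, 0 in the clamped view and 44, 251, 1, 2, 0 in the wrapping view, which is the difference a length or index computation must account for when the two array kinds are treated as interchangeable.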
1285
1286 2013-08-15  Oliver Hunt  <oliver@apple.com>
1287
1288         <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure
1289
1290         Reviewed by Filip Pizlo.
1291
1292         Make sure dfgCapabilities doesn't report a Dynamic put as
1293         being compilable when we don't actually support it.  
1294
1295         * bytecode/CodeBlock.cpp:
1296         (JSC::CodeBlock::dumpBytecode):
1297         * dfg/DFGCapabilities.cpp:
1298         (JSC::DFG::capabilityLevel):
1299
1300 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
1301
1302         [Windows] Incorrect DLL Linkage for JSC ArrayBuffer and ArrayBufferView
1303         https://bugs.webkit.org/show_bug.cgi?id=119847
1304
1305         Reviewed by Oliver Hunt.
1306
1307         * runtime/ArrayBuffer.h: Switch from WTF_EXPORT_PRIVATE to JS_EXPORT_PRIVATE
1308         * runtime/ArrayBufferView.h: Ditto.
1309
1310 2013-08-15  Gavin Barraclough  <barraclough@apple.com>
1311
1312         https://bugs.webkit.org/show_bug.cgi?id=119843
1313         PropertySlot::setValue is ambiguous
1314
1315         Reviewed by Geoff Garen.
1316
1317         There are three different versions of PropertySlot::setValue, one for cacheable properties, and two that are used interchangeably and inconsistently.
1318         The problematic variants are the ones that just take a value, and one that takes a value and also the object containing the property.
1319         Unify on always providing the object, and remove the version that just takes a value.
1320         This always works except for JSString, where we optimize out the object (logically we should be instantiating a temporary StringObject on every property access).
1321         Provide a version of setValue that takes a JSString as the owner of the property.
1322         We won't store this, but it makes it clear that this interface should only be used from JSString.
1323
1324         * API/JSCallbackObjectFunctions.h:
1325         (JSC::::getOwnPropertySlot):
1326         * JSCTypedArrayStubs.h:
1327         * runtime/Arguments.cpp:
1328         (JSC::Arguments::getOwnPropertySlotByIndex):
1329         (JSC::Arguments::getOwnPropertySlot):
1330         * runtime/JSActivation.cpp:
1331         (JSC::JSActivation::symbolTableGet):
1332         (JSC::JSActivation::getOwnPropertySlot):
1333         * runtime/JSArray.cpp:
1334         (JSC::JSArray::getOwnPropertySlot):
1335         * runtime/JSObject.cpp:
1336         (JSC::JSObject::getOwnPropertySlotByIndex):
1337         * runtime/JSString.h:
1338         (JSC::JSString::getStringPropertySlot):
1339         * runtime/JSSymbolTableObject.h:
1340         (JSC::symbolTableGet):
1341         * runtime/SparseArrayValueMap.cpp:
1342         (JSC::SparseArrayEntry::get):
1343             - Pass object containing property to PropertySlot::setValue
1344         * runtime/PropertySlot.h:
1345         (JSC::PropertySlot::setValue):
1346             - Logically, the base of a string property access is a temporary StringObject, but we optimize that away.
1347         (JSC::PropertySlot::setUndefined):
1348             - removed setValue(JSValue), added setValue(JSString*, JSValue)
1349
1350 2013-08-15  Oliver Hunt  <oliver@apple.com>
1351
1352         Remove bogus assertion.
1353
1354         RS=Filip Pizlo
1355
1356         * dfg/DFGAbstractInterpreterInlines.h:
1357         (JSC::DFG::::executeEffects):
1358
1359 2013-08-15  Allan Sandfeld Jensen  <allan.jensen@digia.com>
1360
1361         REGRESSION(r148790) Made 7 tests fail on x86 32bit
1362         https://bugs.webkit.org/show_bug.cgi?id=114913
1363
1364         Reviewed by Filip Pizlo.
1365
1366         The X87 register was not freed before some calls. Instead
1367         of inserting resetX87Registers to the last call sites,
1368         the two X87 registers are now freed in every call.
1369
1370         * llint/LowLevelInterpreter32_64.asm:
1371         * llint/LowLevelInterpreter64.asm:
1372         * offlineasm/instructions.rb:
1373         * offlineasm/x86.rb:
1374
1375 2013-08-14  Michael Saboff  <msaboff@apple.com>
1376
1377         Fixed jit on Win64.
1378         https://bugs.webkit.org/show_bug.cgi?id=119601
1379
1380         Reviewed by Oliver Hunt.
1381
1382         * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation.
1383         * jit/JSInterfaceJIT.h: Added thirdArgumentRegister.
1384         * jit/SlowPathCall.h:
1385         (JSC::JITSlowPathCall::call): Added correct calling convention for Win64.
1386
1387 2013-08-14  Alex Christensen  <achristensen@apple.com>
1388
1389         Compile fix for Win64 with jit disabled.
1390         https://bugs.webkit.org/show_bug.cgi?id=119804
1391
1392         Reviewed by Michael Saboff.
1393
1394         * offlineasm/cloop.rb: Added std:: before isnan.
1395
1396 2013-08-14  Julien Brianceau  <jbrianceau@nds.com>
1397
1398         DFG_JIT implementation for sh4 architecture.
1399         https://bugs.webkit.org/show_bug.cgi?id=119737
1400
1401         Reviewed by Oliver Hunt.
1402
1403         * assembler/MacroAssemblerSH4.h:
1404         (JSC::MacroAssemblerSH4::invert):
1405         (JSC::MacroAssemblerSH4::add32):
1406         (JSC::MacroAssemblerSH4::and32):
1407         (JSC::MacroAssemblerSH4::lshift32):
1408         (JSC::MacroAssemblerSH4::mul32):
1409         (JSC::MacroAssemblerSH4::or32):
1410         (JSC::MacroAssemblerSH4::rshift32):
1411         (JSC::MacroAssemblerSH4::sub32):
1412         (JSC::MacroAssemblerSH4::xor32):
1413         (JSC::MacroAssemblerSH4::store32):
1414         (JSC::MacroAssemblerSH4::swapDouble):
1415         (JSC::MacroAssemblerSH4::storeDouble):
1416         (JSC::MacroAssemblerSH4::subDouble):
1417         (JSC::MacroAssemblerSH4::mulDouble):
1418         (JSC::MacroAssemblerSH4::divDouble):
1419         (JSC::MacroAssemblerSH4::negateDouble):
1420         (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
1421         (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
1422         (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
1423         (JSC::MacroAssemblerSH4::swap):
1424         (JSC::MacroAssemblerSH4::jump):
1425         (JSC::MacroAssemblerSH4::branchNeg32):
1426         (JSC::MacroAssemblerSH4::branchAdd32):
1427         (JSC::MacroAssemblerSH4::branchMul32):
1428         (JSC::MacroAssemblerSH4::urshift32):
1429         * assembler/SH4Assembler.h:
1430         (JSC::SH4Assembler::SH4Assembler):
1431         (JSC::SH4Assembler::labelForWatchpoint):
1432         (JSC::SH4Assembler::label):
1433         (JSC::SH4Assembler::debugOffset):
1434         * dfg/DFGAssemblyHelpers.h:
1435         (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
1436         (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
1437         (JSC::DFG::AssemblyHelpers::debugCall):
1438         * dfg/DFGCCallHelpers.h:
1439         (JSC::DFG::CCallHelpers::setupArguments):
1440         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
1441         * dfg/DFGFPRInfo.h:
1442         (JSC::DFG::FPRInfo::toRegister):
1443         (JSC::DFG::FPRInfo::toIndex):
1444         (JSC::DFG::FPRInfo::debugName):
1445         * dfg/DFGGPRInfo.h:
1446         (JSC::DFG::GPRInfo::toRegister):
1447         (JSC::DFG::GPRInfo::toIndex):
1448         (JSC::DFG::GPRInfo::debugName):
1449         * dfg/DFGOperations.cpp:
1450         * dfg/DFGSpeculativeJIT.h:
1451         (JSC::DFG::SpeculativeJIT::callOperation):
1452         * jit/JITStubs.h:
1453         * jit/JITStubsSH4.h:
1454
1455 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
1456
1457         Unreviewed, fix build.
1458
1459         * API/JSValue.mm:
1460         (isDate):
1461         (isArray):
1462         * API/JSWrapperMap.mm:
1463         (tryUnwrapObjcObject):
1464         * API/ObjCCallbackFunction.mm:
1465         (tryUnwrapBlock):
1466
1467 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
1468
1469         Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
1470         https://bugs.webkit.org/show_bug.cgi?id=119770
1471
1472         Reviewed by Mark Hahnenberg.
1473
1474         * API/JSCallbackConstructor.cpp:
1475         (JSC::JSCallbackConstructor::finishCreation):
1476         * API/JSCallbackConstructor.h:
1477         (JSC::JSCallbackConstructor::createStructure):
1478         * API/JSCallbackFunction.cpp:
1479         (JSC::JSCallbackFunction::finishCreation):
1480         * API/JSCallbackFunction.h:
1481         (JSC::JSCallbackFunction::createStructure):
1482         * API/JSCallbackObject.cpp:
1483         (JSC::::createStructure):
1484         * API/JSCallbackObject.h:
1485         (JSC::JSCallbackObject::visitChildren):
1486         * API/JSCallbackObjectFunctions.h:
1487         (JSC::::asCallbackObject):
1488         (JSC::::finishCreation):
1489         * API/JSObjectRef.cpp:
1490         (JSObjectGetPrivate):
1491         (JSObjectSetPrivate):
1492         (JSObjectGetPrivateProperty):
1493         (JSObjectSetPrivateProperty):
1494         (JSObjectDeletePrivateProperty):
1495         * API/JSValueRef.cpp:
1496         (JSValueIsObjectOfClass):
1497         * API/JSWeakObjectMapRefPrivate.cpp:
1498         * API/ObjCCallbackFunction.h:
1499         (JSC::ObjCCallbackFunction::createStructure):
1500         * JSCTypedArrayStubs.h:
1501         * bytecode/CallLinkStatus.cpp:
1502         (JSC::CallLinkStatus::CallLinkStatus):
1503         (JSC::CallLinkStatus::function):
1504         (JSC::CallLinkStatus::internalFunction):
1505         * bytecode/CodeBlock.h:
1506         (JSC::baselineCodeBlockForInlineCallFrame):
1507         * bytecode/SpeculatedType.cpp:
1508         (JSC::speculationFromClassInfo):
1509         * bytecode/UnlinkedCodeBlock.cpp:
1510         (JSC::UnlinkedFunctionExecutable::visitChildren):
1511         (JSC::UnlinkedCodeBlock::visitChildren):
1512         (JSC::UnlinkedProgramCodeBlock::visitChildren):
1513         * bytecode/UnlinkedCodeBlock.h:
1514         (JSC::UnlinkedFunctionExecutable::createStructure):
1515         (JSC::UnlinkedProgramCodeBlock::createStructure):
1516         (JSC::UnlinkedEvalCodeBlock::createStructure):
1517         (JSC::UnlinkedFunctionCodeBlock::createStructure):
1518         * debugger/Debugger.cpp:
1519         * debugger/DebuggerActivation.cpp:
1520         (JSC::DebuggerActivation::visitChildren):
1521         * debugger/DebuggerActivation.h:
1522         (JSC::DebuggerActivation::createStructure):
1523         * debugger/DebuggerCallFrame.cpp:
1524         (JSC::DebuggerCallFrame::functionName):
1525         * dfg/DFGAbstractInterpreterInlines.h:
1526         (JSC::DFG::::executeEffects):
1527         * dfg/DFGByteCodeParser.cpp:
1528         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1529         (JSC::DFG::ByteCodeParser::parseBlock):
1530         * dfg/DFGFixupPhase.cpp:
1531         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
1532         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
1533         * dfg/DFGGraph.cpp:
1534         (JSC::DFG::Graph::dump):
1535         * dfg/DFGGraph.h:
1536         (JSC::DFG::Graph::isInternalFunctionConstant):
1537         * dfg/DFGOperations.cpp:
1538         * dfg/DFGSpeculativeJIT.cpp:
1539         (JSC::DFG::SpeculativeJIT::checkArray):
1540         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1541         * dfg/DFGThunks.cpp:
1542         (JSC::DFG::virtualForThunkGenerator):
1543         * interpreter/Interpreter.cpp:
1544         (JSC::loadVarargs):
1545         * jsc.cpp:
1546         (GlobalObject::createStructure):
1547         * profiler/LegacyProfiler.cpp:
1548         (JSC::LegacyProfiler::createCallIdentifier):
1549         * runtime/Arguments.cpp:
1550         (JSC::Arguments::visitChildren):
1551         * runtime/Arguments.h:
1552         (JSC::Arguments::createStructure):
1553         (JSC::asArguments):
1554         (JSC::Arguments::finishCreation):
1555         * runtime/ArrayConstructor.cpp:
1556         (JSC::arrayConstructorIsArray):
1557         * runtime/ArrayConstructor.h:
1558         (JSC::ArrayConstructor::createStructure):
1559         * runtime/ArrayPrototype.cpp:
1560         (JSC::ArrayPrototype::finishCreation):
1561         (JSC::arrayProtoFuncConcat):
1562         (JSC::attemptFastSort):
1563         * runtime/ArrayPrototype.h:
1564         (JSC::ArrayPrototype::createStructure):
1565         * runtime/BooleanConstructor.h:
1566         (JSC::BooleanConstructor::createStructure):
1567         * runtime/BooleanObject.cpp:
1568         (JSC::BooleanObject::finishCreation):
1569         * runtime/BooleanObject.h:
1570         (JSC::BooleanObject::createStructure):
1571         (JSC::asBooleanObject):
1572         * runtime/BooleanPrototype.cpp:
1573         (JSC::BooleanPrototype::finishCreation):
1574         (JSC::booleanProtoFuncToString):
1575         (JSC::booleanProtoFuncValueOf):
1576         * runtime/BooleanPrototype.h:
1577         (JSC::BooleanPrototype::createStructure):
1578         * runtime/DateConstructor.cpp:
1579         (JSC::constructDate):
1580         * runtime/DateConstructor.h:
1581         (JSC::DateConstructor::createStructure):
1582         * runtime/DateInstance.cpp:
1583         (JSC::DateInstance::finishCreation):
1584         * runtime/DateInstance.h:
1585         (JSC::DateInstance::createStructure):
1586         (JSC::asDateInstance):
1587         * runtime/DatePrototype.cpp:
1588         (JSC::formateDateInstance):
1589         (JSC::DatePrototype::finishCreation):
1590         (JSC::dateProtoFuncToISOString):
1591         (JSC::dateProtoFuncToLocaleString):
1592         (JSC::dateProtoFuncToLocaleDateString):
1593         (JSC::dateProtoFuncToLocaleTimeString):
1594         (JSC::dateProtoFuncGetTime):
1595         (JSC::dateProtoFuncGetFullYear):
1596         (JSC::dateProtoFuncGetUTCFullYear):
1597         (JSC::dateProtoFuncGetMonth):
1598         (JSC::dateProtoFuncGetUTCMonth):
1599         (JSC::dateProtoFuncGetDate):
1600         (JSC::dateProtoFuncGetUTCDate):
1601         (JSC::dateProtoFuncGetDay):
1602         (JSC::dateProtoFuncGetUTCDay):
1603         (JSC::dateProtoFuncGetHours):
1604         (JSC::dateProtoFuncGetUTCHours):
1605         (JSC::dateProtoFuncGetMinutes):
1606         (JSC::dateProtoFuncGetUTCMinutes):
1607         (JSC::dateProtoFuncGetSeconds):
1608         (JSC::dateProtoFuncGetUTCSeconds):
1609         (JSC::dateProtoFuncGetMilliSeconds):
1610         (JSC::dateProtoFuncGetUTCMilliseconds):
1611         (JSC::dateProtoFuncGetTimezoneOffset):
1612         (JSC::dateProtoFuncSetTime):
1613         (JSC::setNewValueFromTimeArgs):
1614         (JSC::setNewValueFromDateArgs):
1615         (JSC::dateProtoFuncSetYear):
1616         (JSC::dateProtoFuncGetYear):
1617         * runtime/DatePrototype.h:
1618         (JSC::DatePrototype::createStructure):
1619         * runtime/Error.h:
1620         (JSC::StrictModeTypeErrorFunction::createStructure):
1621         * runtime/ErrorConstructor.h:
1622         (JSC::ErrorConstructor::createStructure):
1623         * runtime/ErrorInstance.cpp:
1624         (JSC::ErrorInstance::finishCreation):
1625         * runtime/ErrorInstance.h:
1626         (JSC::ErrorInstance::createStructure):
1627         * runtime/ErrorPrototype.cpp:
1628         (JSC::ErrorPrototype::finishCreation):
1629         * runtime/ErrorPrototype.h:
1630         (JSC::ErrorPrototype::createStructure):
1631         * runtime/ExceptionHelpers.cpp:
1632         (JSC::isTerminatedExecutionException):
1633         * runtime/ExceptionHelpers.h:
1634         (JSC::TerminatedExecutionError::createStructure):
1635         * runtime/Executable.cpp:
1636         (JSC::EvalExecutable::visitChildren):
1637         (JSC::ProgramExecutable::visitChildren):
1638         (JSC::FunctionExecutable::visitChildren):
1639         (JSC::ExecutableBase::hashFor):
1640         * runtime/Executable.h:
1641         (JSC::ExecutableBase::createStructure):
1642         (JSC::NativeExecutable::createStructure):
1643         (JSC::EvalExecutable::createStructure):
1644         (JSC::ProgramExecutable::createStructure):
1645         (JSC::FunctionExecutable::compileFor):
1646         (JSC::FunctionExecutable::compileOptimizedFor):
1647         (JSC::FunctionExecutable::createStructure):
1648         * runtime/FunctionConstructor.h:
1649         (JSC::FunctionConstructor::createStructure):
1650         * runtime/FunctionPrototype.cpp:
1651         (JSC::functionProtoFuncToString):
1652         (JSC::functionProtoFuncApply):
1653         (JSC::functionProtoFuncBind):
1654         * runtime/FunctionPrototype.h:
1655         (JSC::FunctionPrototype::createStructure):
1656         * runtime/GetterSetter.cpp:
1657         (JSC::GetterSetter::visitChildren):
1658         * runtime/GetterSetter.h:
1659         (JSC::GetterSetter::createStructure):
1660         * runtime/InternalFunction.cpp:
1661         (JSC::InternalFunction::finishCreation):
1662         * runtime/InternalFunction.h:
1663         (JSC::InternalFunction::createStructure):
1664         (JSC::asInternalFunction):
1665         * runtime/JSAPIValueWrapper.h:
1666         (JSC::JSAPIValueWrapper::createStructure):
1667         * runtime/JSActivation.cpp:
1668         (JSC::JSActivation::visitChildren):
1669         (JSC::JSActivation::argumentsGetter):
1670         * runtime/JSActivation.h:
1671         (JSC::JSActivation::createStructure):
1672         (JSC::asActivation):
1673         * runtime/JSArray.h:
1674         (JSC::JSArray::createStructure):
1675         (JSC::asArray):
1676         (JSC::isJSArray):
1677         * runtime/JSBoundFunction.cpp:
1678         (JSC::JSBoundFunction::finishCreation):
1679         (JSC::JSBoundFunction::visitChildren):
1680         * runtime/JSBoundFunction.h:
1681         (JSC::JSBoundFunction::createStructure):
1682         * runtime/JSCJSValue.cpp:
1683         (JSC::JSValue::dumpInContext):
1684         * runtime/JSCJSValueInlines.h:
1685         (JSC::JSValue::isFunction):
1686         * runtime/JSCell.h:
1687         (JSC::jsCast):
1688         (JSC::jsDynamicCast):
1689         * runtime/JSCellInlines.h:
1690         (JSC::allocateCell):
1691         * runtime/JSFunction.cpp:
1692         (JSC::JSFunction::finishCreation):
1693         (JSC::JSFunction::visitChildren):
1694         (JSC::skipOverBoundFunctions):
1695         (JSC::JSFunction::callerGetter):
1696         * runtime/JSFunction.h:
1697         (JSC::JSFunction::createStructure):
1698         * runtime/JSGlobalObject.cpp:
1699         (JSC::JSGlobalObject::visitChildren):
1700         (JSC::slowValidateCell):
1701         * runtime/JSGlobalObject.h:
1702         (JSC::JSGlobalObject::createStructure):
1703         * runtime/JSNameScope.cpp:
1704         (JSC::JSNameScope::visitChildren):
1705         * runtime/JSNameScope.h:
1706         (JSC::JSNameScope::createStructure):
1707         * runtime/JSNotAnObject.h:
1708         (JSC::JSNotAnObject::createStructure):
1709         * runtime/JSONObject.cpp:
1710         (JSC::JSONObject::finishCreation):
1711         (JSC::unwrapBoxedPrimitive):
1712         (JSC::Stringifier::Stringifier):
1713         (JSC::Stringifier::appendStringifiedValue):
1714         (JSC::Stringifier::Holder::Holder):
1715         (JSC::Walker::walk):
1716         (JSC::JSONProtoFuncStringify):
1717         * runtime/JSONObject.h:
1718         (JSC::JSONObject::createStructure):
1719         * runtime/JSObject.cpp:
1720         (JSC::getCallableObjectSlow):
1721         (JSC::JSObject::visitChildren):
1722         (JSC::JSObject::copyBackingStore):
1723         (JSC::JSFinalObject::visitChildren):
1724         (JSC::JSObject::ensureInt32Slow):
1725         (JSC::JSObject::ensureDoubleSlow):
1726         (JSC::JSObject::ensureContiguousSlow):
1727         (JSC::JSObject::ensureArrayStorageSlow):
1728         * runtime/JSObject.h:
1729         (JSC::JSObject::finishCreation):
1730         (JSC::JSObject::createStructure):
1731         (JSC::JSNonFinalObject::createStructure):
1732         (JSC::JSFinalObject::createStructure):
1733         (JSC::isJSFinalObject):
1734         * runtime/JSPropertyNameIterator.cpp:
1735         (JSC::JSPropertyNameIterator::visitChildren):
1736         * runtime/JSPropertyNameIterator.h:
1737         (JSC::JSPropertyNameIterator::createStructure):
1738         * runtime/JSProxy.cpp:
1739         (JSC::JSProxy::visitChildren):
1740         * runtime/JSProxy.h:
1741         (JSC::JSProxy::createStructure):
1742         * runtime/JSScope.cpp:
1743         (JSC::JSScope::visitChildren):
1744         * runtime/JSSegmentedVariableObject.cpp:
1745         (JSC::JSSegmentedVariableObject::visitChildren):
1746         * runtime/JSString.h:
1747         (JSC::JSString::createStructure):
1748         (JSC::isJSString):
1749         * runtime/JSSymbolTableObject.cpp:
1750         (JSC::JSSymbolTableObject::visitChildren):
1751         * runtime/JSVariableObject.h:
1752         * runtime/JSWithScope.cpp:
1753         (JSC::JSWithScope::visitChildren):
1754         * runtime/JSWithScope.h:
1755         (JSC::JSWithScope::createStructure):
1756         * runtime/JSWrapperObject.cpp:
1757         (JSC::JSWrapperObject::visitChildren):
1758         * runtime/JSWrapperObject.h:
1759         (JSC::JSWrapperObject::createStructure):
1760         * runtime/MathObject.cpp:
1761         (JSC::MathObject::finishCreation):
1762         * runtime/MathObject.h:
1763         (JSC::MathObject::createStructure):
1764         * runtime/NameConstructor.h:
1765         (JSC::NameConstructor::createStructure):
1766         * runtime/NameInstance.h:
1767         (JSC::NameInstance::createStructure):
1768         (JSC::NameInstance::finishCreation):
1769         * runtime/NamePrototype.cpp:
1770         (JSC::NamePrototype::finishCreation):
1771         (JSC::privateNameProtoFuncToString):
1772         * runtime/NamePrototype.h:
1773         (JSC::NamePrototype::createStructure):
1774         * runtime/NativeErrorConstructor.cpp:
1775         (JSC::NativeErrorConstructor::visitChildren):
1776         * runtime/NativeErrorConstructor.h:
1777         (JSC::NativeErrorConstructor::createStructure):
1778         (JSC::NativeErrorConstructor::finishCreation):
1779         * runtime/NumberConstructor.cpp:
1780         (JSC::NumberConstructor::finishCreation):
1781         * runtime/NumberConstructor.h:
1782         (JSC::NumberConstructor::createStructure):
1783         * runtime/NumberObject.cpp:
1784         (JSC::NumberObject::finishCreation):
1785         * runtime/NumberObject.h:
1786         (JSC::NumberObject::createStructure):
1787         * runtime/NumberPrototype.cpp:
1788         (JSC::NumberPrototype::finishCreation):
1789         * runtime/NumberPrototype.h:
1790         (JSC::NumberPrototype::createStructure):
1791         * runtime/ObjectConstructor.h:
1792         (JSC::ObjectConstructor::createStructure):
1793         * runtime/ObjectPrototype.cpp:
1794         (JSC::ObjectPrototype::finishCreation):
1795         * runtime/ObjectPrototype.h:
1796         (JSC::ObjectPrototype::createStructure):
1797         * runtime/PropertyMapHashTable.h:
1798         (JSC::PropertyTable::createStructure):
1799         * runtime/PropertyTable.cpp:
1800         (JSC::PropertyTable::visitChildren):
1801         * runtime/RegExp.h:
1802         (JSC::RegExp::createStructure):
1803         * runtime/RegExpConstructor.cpp:
1804         (JSC::RegExpConstructor::finishCreation):
1805         (JSC::RegExpConstructor::visitChildren):
1806         (JSC::constructRegExp):
1807         * runtime/RegExpConstructor.h:
1808         (JSC::RegExpConstructor::createStructure):
1809         (JSC::asRegExpConstructor):
1810         * runtime/RegExpMatchesArray.cpp:
1811         (JSC::RegExpMatchesArray::visitChildren):
1812         * runtime/RegExpMatchesArray.h:
1813         (JSC::RegExpMatchesArray::createStructure):
1814         * runtime/RegExpObject.cpp:
1815         (JSC::RegExpObject::finishCreation):
1816         (JSC::RegExpObject::visitChildren):
1817         * runtime/RegExpObject.h:
1818         (JSC::RegExpObject::createStructure):
1819         (JSC::asRegExpObject):
1820         * runtime/RegExpPrototype.cpp:
1821         (JSC::regExpProtoFuncTest):
1822         (JSC::regExpProtoFuncExec):
1823         (JSC::regExpProtoFuncCompile):
1824         (JSC::regExpProtoFuncToString):
1825         * runtime/RegExpPrototype.h:
1826         (JSC::RegExpPrototype::createStructure):
1827         * runtime/SparseArrayValueMap.cpp:
1828         (JSC::SparseArrayValueMap::createStructure):
1829         * runtime/SparseArrayValueMap.h:
1830         * runtime/StrictEvalActivation.h:
1831         (JSC::StrictEvalActivation::createStructure):
1832         * runtime/StringConstructor.h:
1833         (JSC::StringConstructor::createStructure):
1834         * runtime/StringObject.cpp:
1835         (JSC::StringObject::finishCreation):
1836         * runtime/StringObject.h:
1837         (JSC::StringObject::createStructure):
1838         (JSC::asStringObject):
1839         * runtime/StringPrototype.cpp:
1840         (JSC::StringPrototype::finishCreation):
1841         (JSC::stringProtoFuncReplace):
1842         (JSC::stringProtoFuncToString):
1843         (JSC::stringProtoFuncMatch):
1844         (JSC::stringProtoFuncSearch):
1845         (JSC::stringProtoFuncSplit):
1846         * runtime/StringPrototype.h:
1847         (JSC::StringPrototype::createStructure):
1848         * runtime/Structure.cpp:
1849         (JSC::Structure::Structure):
1850         (JSC::Structure::materializePropertyMap):
1851         (JSC::Structure::get):
1852         (JSC::Structure::visitChildren):
1853         * runtime/Structure.h:
1854         (JSC::Structure::typeInfo):
1855         (JSC::Structure::previousID):
1856         (JSC::Structure::outOfLineSize):
1857         (JSC::Structure::totalStorageCapacity):
1858         (JSC::Structure::materializePropertyMapIfNecessary):
1859         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
1860         * runtime/StructureChain.cpp:
1861         (JSC::StructureChain::visitChildren):
1862         * runtime/StructureChain.h:
1863         (JSC::StructureChain::createStructure):
1864         * runtime/StructureInlines.h:
1865         (JSC::Structure::get):
1866         * runtime/StructureRareData.cpp:
1867         (JSC::StructureRareData::createStructure):
1868         (JSC::StructureRareData::visitChildren):
1869         * runtime/StructureRareData.h:
1870         * runtime/SymbolTable.h:
1871         (JSC::SharedSymbolTable::createStructure):
1872         * runtime/VM.cpp:
1873         (JSC::VM::VM):
1874         (JSC::StackPreservingRecompiler::operator()):
1875         (JSC::VM::releaseExecutableMemory):
1876         * runtime/WriteBarrier.h:
1877         (JSC::validateCell):
1878         * testRegExp.cpp:
1879         (GlobalObject::createStructure):
1880
1881 2013-08-13  Arunprasad Rajkumar  <arurajku@cisco.com>
1882
1883         [WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places
1884         https://bugs.webkit.org/show_bug.cgi?id=119762
1885
1886         Reviewed by Geoffrey Garen.
1887
1888         * heap/Heap.cpp:
1889         (JSC::Heap::Heap):
1890         (JSC::Heap::markRoots):
1891         (JSC::Heap::collect):
1892         * jsc.cpp:
1893         (StopWatch::start):
1894         (StopWatch::stop):
1895         * testRegExp.cpp:
1896         (StopWatch::start):
1897         (StopWatch::stop):
1898
1899 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
1900
1901         [sh4] Prepare LLINT for DFG_JIT implementation.
1902         https://bugs.webkit.org/show_bug.cgi?id=119755
1903
1904         Reviewed by Oliver Hunt.
1905
1906         * LLIntOffsetsExtractor.pro: Add sh4.rb dependency.
1907         * offlineasm/sh4.rb:
1908             - Handle storeb opcode.
1909             - Make relative jumps when possible using braf opcode.
1910             - Update bmulio implementation to be consistent with baseline JIT.
1911             - Remove useless code from leap opcode.
1912             - Fix incorrect comment.
1913
1914 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
1915
1916         [sh4] Prepare baseline JIT for DFG_JIT implementation.
1917         https://bugs.webkit.org/show_bug.cgi?id=119758
1918
1919         Reviewed by Oliver Hunt.
1920
1921         * assembler/MacroAssemblerSH4.h:
1922             - Introduce a loadEffectiveAddress function to avoid code duplication.
1923             - Add ASSERTs and clean code.
1924         * assembler/SH4Assembler.h:
1925             - Prepare DFG_JIT implementation.
1926             - Add ASSERTs.
1927         * jit/JITStubs.cpp:
1928             - Add SH4 specific call for assertions.
1929         * jit/JITStubs.h:
1930             - Cosmetic change.
1931         * jit/JITStubsSH4.h:
1932             - Use constants to be more flexible with sh4 JIT stack frame.
1933         * jit/JSInterfaceJIT.h:
1934             - Cosmetic change.
1935
1936 2013-08-13  Oliver Hunt  <oliver@apple.com>
1937
1938         Harden executeConstruct against incorrect return types from host functions
1939         https://bugs.webkit.org/show_bug.cgi?id=119757
1940
1941         Reviewed by Mark Hahnenberg.
1942
1943         Add logic to guard against bogus return types.  There doesn't seem to be any
1944         class in webkit that does this wrong, but the typed array stubs in debug JSC
1945         do exhibit this bad behaviour.
1946
1947         * interpreter/Interpreter.cpp:
1948         (JSC::Interpreter::executeConstruct):
1949
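        Added illustration for the entry above, not JavaScriptCore code: Value, Object, HostConstruct,
        constructTrusting and constructGuarded are hypothetical stand-ins for the engine's value
        representation and construct path, and the callbacks are constructed samples. It shows the
        failure mode the guard closes: a host constructor returns a primitive, the unguarded path
        reinterprets the primitive's payload as an object pointer (the number bits and the pointer
        sharing one word is an assumption modelled on NaN-boxed layouts, so the result is a wild
        pointer rather than a null one), while the guarded path rejects the value before it is
        used as an object.

```cpp
// Added illustration, not JavaScriptCore code. Value, Object, HostConstruct
// and the construct* functions are hypothetical stand-ins.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <functional>
#include <string>
#include <vector>

struct Object { std::string className; };

// Tagged value whose number bits and object pointer share one payload word
// (assumption modelled on NaN-boxed engines). Reading a Number payload as a
// pointer therefore yields a wild pointer, not a null one.
struct Value {
    enum class Kind { Undefined, Number, Object };
    Kind kind = Kind::Undefined;
    uint64_t payload = 0;

    bool isObject() const { return kind == Kind::Object; }

    static Value fromNumber(double d) {
        Value v;
        v.kind = Kind::Number;
        std::memcpy(&v.payload, &d, sizeof d);
        return v;
    }
    static Value fromObject(Object* o) {
        Value v;
        v.kind = Kind::Object;
        v.payload = static_cast<uint64_t>(reinterpret_cast<uintptr_t>(o));
        return v;
    }
    // What an unchecked caller does with the payload.
    Object* asObjectUnchecked() const {
        return reinterpret_cast<Object*>(static_cast<uintptr_t>(payload));
    }
};

// A host constructor is native code the engine cannot vouch for.
using HostConstruct = std::function<Value(const std::vector<Value>&)>;

// Before hardening: whatever the host returns is used as an object.
Object* constructTrusting(const HostConstruct& ctor, const std::vector<Value>& args) {
    return ctor(args).asObjectUnchecked();
}

struct ConstructResult {
    bool ok;
    Object* object;     // valid only when ok
    std::string error;  // set only when !ok
};

// After hardening: the return type is checked before the value is used as an object.
ConstructResult constructGuarded(const HostConstruct& ctor, const std::vector<Value>& args) {
    Value result = ctor(args);
    if (!result.isObject())
        return {false, nullptr, "host constructor returned a non-object value"};
    return {true, result.asObjectUnchecked(), ""};
}

// Constructed sample callbacks: one correct, one returning a primitive.
static Object g_instance{"Widget"};
Value wellBehavedCtor(const std::vector<Value>&) { return Value::fromObject(&g_instance); }
Value misbehavingCtor(const std::vector<Value>&) { return Value::fromNumber(42.0); }

// Raw bits of a double, i.e. the "pointer" the trusting path hands back for it.
uint64_t bitsOf(double d) { uint64_t u; std::memcpy(&u, &d, sizeof d); return u; }

int main() {
    Object* wild = constructTrusting(misbehavingCtor, {});
    std::printf("trusting path: 42.0 became object pointer %p\n", static_cast<void*>(wild));
    ConstructResult r = constructGuarded(misbehavingCtor, {});
    std::printf("guarded path: ok=%d error=\"%s\"\n", r.ok, r.error.c_str());
    ConstructResult good = constructGuarded(wellBehavedCtor, {});
    std::printf("guarded path on a correct host: ok=%d class=%s\n", good.ok, good.object->className.c_str());
    return 0;
}
```

        The check belongs at the single point where the engine takes a host return value and starts
        treating it as a cell; a later structure or type-info read on a wild pointer is exactly the
        kind of crash the debug typed-array stubs mentioned above would produce.
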
1950 2013-08-13  Allan Sandfeld Jensen  <allan.jensen@digia.com>
1951
1952         [Qt] Fix C++11 build with gcc 4.4 and 4.5
1953         https://bugs.webkit.org/show_bug.cgi?id=119736
1954
1955         Reviewed by Anders Carlsson.
1956
1957         Don't force C++11 mode off anymore.
1958
1959         * Target.pri:
1960
1961 2013-08-12  Oliver Hunt  <oliver@apple.com>
1962
1963         Remove CodeBlock's notion of adding identifiers entirely
1964         https://bugs.webkit.org/show_bug.cgi?id=119708
1965
1966         Reviewed by Geoffrey Garen.
1967
1968         Remove addAdditionalIdentifier entirely, including the bogus assertion.
1969         Move the addition of identifiers to DFGPlan::reallyAdd
1970
1971         * bytecode/CodeBlock.h:
1972         * dfg/DFGDesiredIdentifiers.cpp:
1973         (JSC::DFG::DesiredIdentifiers::reallyAdd):
1974         * dfg/DFGDesiredIdentifiers.h:
1975         * dfg/DFGPlan.cpp:
1976         (JSC::DFG::Plan::reallyAdd):
1977         (JSC::DFG::Plan::finalize):
1978         * dfg/DFGPlan.h:
1979
1980 2013-08-12  Oliver Hunt  <oliver@apple.com>
1981
1982         Build fix
1983
1984         * runtime/JSCell.h:
1985
1986 2013-08-12  Oliver Hunt  <oliver@apple.com>
1987
1988         Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them
1989         https://bugs.webkit.org/show_bug.cgi?id=119705
1990
1991         Reviewed by Geoffrey Garen.
1992
1993         Relatively trivial refactoring
1994
1995         * bytecode/CodeBlock.h:
1996         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
1997         (JSC::CodeBlock::addAdditionalIdentifier):
1998         (JSC::CodeBlock::identifier):
1999         (JSC::CodeBlock::numberOfIdentifiers):
2000         * dfg/DFGCommonData.h:
2001
2002 2013-08-12  Oliver Hunt  <oliver@apple.com>
2003
2004         Stop making unnecessary copy of CodeBlock Identifier Vector
2005         https://bugs.webkit.org/show_bug.cgi?id=119702
2006
2007         Reviewed by Michael Saboff.
2008
2009         Make CodeBlock simply use a separate Vector for additional Identifiers
2010         and use the UnlinkedCodeBlock for the initial set of identifiers.
2011
2012         * bytecode/CodeBlock.cpp:
2013         (JSC::CodeBlock::printGetByIdOp):
2014         (JSC::dumpStructure):
2015         (JSC::dumpChain):
2016         (JSC::CodeBlock::printGetByIdCacheStatus):
2017         (JSC::CodeBlock::printPutByIdOp):
2018         (JSC::CodeBlock::dumpBytecode):
2019         (JSC::CodeBlock::CodeBlock):
2020         (JSC::CodeBlock::shrinkToFit):
2021         * bytecode/CodeBlock.h:
2022         (JSC::CodeBlock::numberOfIdentifiers):
2023         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
2024         (JSC::CodeBlock::addAdditionalIdentifier):
2025         (JSC::CodeBlock::identifier):
2026         * dfg/DFGDesiredIdentifiers.cpp:
2027         (JSC::DFG::DesiredIdentifiers::reallyAdd):
2028         * jit/JIT.h:
2029         * jit/JITOpcodes.cpp:
2030         (JSC::JIT::emitSlow_op_get_arguments_length):
2031         * jit/JITPropertyAccess.cpp:
2032         (JSC::JIT::emit_op_get_by_id):
2033         (JSC::JIT::compileGetByIdHotPath):
2034         (JSC::JIT::emitSlow_op_get_by_id):
2035         (JSC::JIT::compileGetByIdSlowCase):
2036         (JSC::JIT::emitSlow_op_put_by_id):
2037         * jit/JITPropertyAccess32_64.cpp:
2038         (JSC::JIT::emit_op_get_by_id):
2039         (JSC::JIT::compileGetByIdHotPath):
2040         (JSC::JIT::compileGetByIdSlowCase):
2041         * jit/JITStubs.cpp:
2042         (JSC::DEFINE_STUB_FUNCTION):
2043         * llint/LLIntSlowPaths.cpp:
2044         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2045
2046 2013-08-08  Mark Lam  <mark.lam@apple.com>
2047
2048         Restoring use of StackIterator instead of Interpreter::getStacktrace().
2049         https://bugs.webkit.org/show_bug.cgi?id=119575.
2050
2051         Reviewed by Oliver Hunt.
2052
2053         * interpreter/Interpreter.h:
2054         - Made getStackTrace() private.
2055         * interpreter/StackIterator.cpp:
2056         (JSC::StackIterator::StackIterator):
2057         (JSC::StackIterator::numberOfFrames):
2058         - Computes the number of frames by iterating through the whole stack
2059           from the starting frame. The iterator will save its current frame
2060           position before counting the frames, and then restore it after
2061           the counting.
2062         (JSC::StackIterator::gotoFrameAtIndex):
2063         (JSC::StackIterator::gotoNextFrame):
2064         (JSC::StackIterator::resetIterator):
2065         - Points the iterator to the starting frame.
2066         * interpreter/StackIteratorPrivate.h:
2067
2068 2013-08-08  Mark Lam  <mark.lam@apple.com>
2069
2070         Moved ErrorConstructor and NativeErrorConstructor helper functions into
2071         the Interpreter class.
2072         https://bugs.webkit.org/show_bug.cgi?id=119576.
2073
2074         Reviewed by Oliver Hunt.
2075
2076         This change is needed to prepare for making Interpreter::getStackTrace()
2077         private. It does not change the behavior of the code, only the lexical
2078         scoping.
2079
2080         * interpreter/Interpreter.h:
2081         - Added helper functions for ErrorConstructor and NativeErrorConstructor.
2082         * runtime/ErrorConstructor.cpp:
2083         (JSC::Interpreter::constructWithErrorConstructor):
2084         (JSC::ErrorConstructor::getConstructData):
2085         (JSC::Interpreter::callErrorConstructor):
2086         (JSC::ErrorConstructor::getCallData):
2087         - Don't want ErrorConstructor to call Interpreter::getStackTrace()
2088           directly. So, we moved the helper functions into the Interpreter
2089           class.
2090         * runtime/NativeErrorConstructor.cpp:
2091         (JSC::Interpreter::constructWithNativeErrorConstructor):
2092         (JSC::NativeErrorConstructor::getConstructData):
2093         (JSC::Interpreter::callNativeErrorConstructor):
2094         (JSC::NativeErrorConstructor::getCallData):
2095         - Don't want NativeErrorConstructor to call Interpreter::getStackTrace()
2096           directly. So, we moved the helper functions into the Interpreter
2097           class.
2098
2099 2013-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>
2100
2101         32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state
2102         https://bugs.webkit.org/show_bug.cgi?id=119555
2103
2104         Reviewed by Geoffrey Garen.
2105
2106         It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does.
2107         This was causing crashes on maps.google.com in 32-bit debug builds.
2108
2109         * dfg/DFGSpeculativeJIT32_64.cpp:
2110         (JSC::DFG::SpeculativeJIT::compile):
2111
2112 2013-08-06  Michael Saboff  <msaboff@apple.com>
2113
2114         REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT
2115         https://bugs.webkit.org/show_bug.cgi?id=119405
2116
2117         Reviewed by Geoffrey Garen.
2118
2119         * dfg/DFGSpeculativeJIT.cpp:
2120         (JSC::DFG::SpeculativeJIT::compileGetByValOnString): For X86 32 bit, construct an indexed address
2121         ourselves to save a register and then load from it.
2122
2123 2013-08-06  Filip Pizlo  <fpizlo@apple.com>
2124
2125         DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants
2126         https://bugs.webkit.org/show_bug.cgi?id=119528
2127
2128         Reviewed by Geoffrey Garen.
2129
2130         Either of the two fixes would solve the crash I saw. Basically, for best performance, we want the DFG register allocator to track double uses and non-double
2131         uses of a node separately, and we accomplish this by inserting Int32ToDouble nodes in the FixupPhase. But even if FixupPhase fails to do this, we still want
2132         the DFG register allocator to do the right thing: if it encounters a double use of an integer, it should perform a conversion and preserve the original
2133         format of the value (namely, that it was an integer). For constants, the best format to preserve is None, so that future integer uses rematerialize the int
2134         from scratch. This only affects the 64-bit backend; the 32-bit backend was already doing the right thing.
2135
2136         This also fixes some more debug dumping code, and adds some stronger assertions for integer arrays.
2137
2138         * bytecode/CodeBlock.cpp:
2139         (JSC::CodeBlock::finalizeUnconditionally):
2140         * dfg/DFGDriver.cpp:
2141         (JSC::DFG::compile):
2142         * dfg/DFGFixupPhase.cpp:
2143         (JSC::DFG::FixupPhase::fixupNode):
2144         * dfg/DFGGraph.cpp:
2145         (JSC::DFG::Graph::dump):
2146         * dfg/DFGSpeculativeJIT64.cpp:
2147         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2148         * runtime/JSObject.h:
2149         (JSC::JSObject::getIndexQuickly):
2150         (JSC::JSObject::tryGetIndexQuickly):
2151
2152 2013-08-08  Stephanie Lewis  <slewis@apple.com>
2153
2154         <rdar://problem/14680524> REGRESSION(153806): Crash @ yahoo.com when WebKit is built with a .order file
2155
2156         Unreviewed.
2157
2158         Ensure llint symbols are in source order.
2159
2160         * JavaScriptCore.order:
2161
2162 2013-08-06  Mark Lam  <mark.lam@apple.com>
2163
2164         Assertion failure in emitExpressionInfo when reloading with Web Inspector open.
2165         https://bugs.webkit.org/show_bug.cgi?id=119532.
2166
2167         Reviewed by Oliver Hunt.
2168
2169         * parser/Parser.cpp:
2170         (JSC::::Parser):
2171         - Just need to initialize the Parser's JSTokenLocation's initial line and
2172           startOffset as well during Parser construction.
2173
2174 2013-08-06  Stephanie Lewis  <slewis@apple.com>
2175
2176         Update Order Files for Safari
2177         <rdar://problem/14517392>
2178
2179         Unreviewed.
2180
2181         * JavaScriptCore.order:
2182
2183 2013-08-04  Sam Weinig  <sam@webkit.org>
2184
2185         Remove support for HTML5 MicroData
2186         https://bugs.webkit.org/show_bug.cgi?id=119480
2187
2188         Reviewed by Anders Carlsson.
2189
2190         * Configurations/FeatureDefines.xcconfig:
2191
2192 2013-08-05  Oliver Hunt  <oliver@apple.com>
2193
2194         Delay Arguments creation in strict mode
2195         https://bugs.webkit.org/show_bug.cgi?id=119505
2196
2197         Reviewed by Geoffrey Garen.
2198
2199         Make use of the write tracking performed by the parser to
2200         allow us to know if we're modifying the parameters to a function.
2201         Then use that information to make strict mode functions opt out
2202         of eager arguments creation.
2203
2204         * bytecompiler/BytecodeGenerator.cpp:
2205         (JSC::BytecodeGenerator::BytecodeGenerator):
2206         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
2207         (JSC::BytecodeGenerator::emitReturn):
2208         * bytecompiler/BytecodeGenerator.h:
2209         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly):
2210         * parser/Nodes.h:
2211         (JSC::ScopeNode::modifiesParameter):
2212         * parser/Parser.cpp:
2213         (JSC::::parseInner):
2214         * parser/Parser.h:
2215         (JSC::Scope::declareParameter):
2216         (JSC::Scope::getCapturedVariables):
2217         (JSC::Parser::declareWrite):
2218         * parser/ParserModes.h:
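
        The following JavaScript is an added example, not code from this change or from
        JavaScriptCore. It shows the language rule the entry above relies on: only a
        sloppy-mode function with a simple parameter list gets a mapped arguments object
        whose elements alias the named parameters, so a write to a parameter is observable
        through arguments and the object (or the state to rebuild it) must exist eagerly.
        A strict-mode function never aliases, which is what lets the generator defer
        creation when the parser reports no parameter writes. The example goes one step
        beyond the entry by also showing that a non-simple parameter list (a default value)
        removes the aliasing even in sloppy mode. The function names are the example's own.

```javascript
// Added example, not JavaScriptCore code: the language rule behind deferring
// "arguments" creation in strict mode. In a sloppy-mode function with a simple
// parameter list, "arguments" is mapped: its elements alias the named
// parameters in both directions. In strict mode the object is unmapped, so a
// function that never reads "arguments" and never writes its parameters has
// no observable dependence on when (or whether) the object is created.

// Sloppy-mode functions are built with the Function constructor so they stay
// sloppy even if this file is loaded as an ES module (modules are strict
// throughout and would silently turn every function below into the strict case).
const sloppyAliasing = new Function("a", `
  a = "rewritten";      // a write to the parameter ...
  return arguments[0];  // ... is visible through the mapped arguments object
`);

function strictNoAliasing(a) {
  "use strict";
  a = "rewritten";      // the same write ...
  return arguments[0];  // ... leaves the unmapped arguments[0] untouched
}

const sloppyReverse = new Function("a", `
  arguments[0] = "via arguments"; // aliasing works the other way round too:
  return a;                       // the named parameter now holds the new value
`);

function strictReverse(a) {
  "use strict";
  arguments[0] = "via arguments"; // no aliasing: the parameter is unaffected
  return a;
}

// Beyond the entry above: a non-simple parameter list (here a default value)
// also produces an unmapped arguments object, even without "use strict".
const sloppyWithDefault = new Function("a", "b = 1", `
  a = "rewritten";
  return arguments[0];
`);

// The case the optimisation targets: strict, no reads of "arguments", no
// parameter writes. Nothing the function returns depends on the object.
function strictNoArgumentsUse(a, b) {
  "use strict";
  return a + b;
}

// Stand-alone run: sloppy vs strict results side by side.
console.log(sloppyAliasing("original"), strictNoAliasing("original"));
console.log(sloppyReverse("original"), strictReverse("original"));
console.log(sloppyWithDefault("original"), strictNoArgumentsUse(2, 3));
```

        Reading the sloppy results next to the strict ones makes the parser's write
        tracking concrete: the only information the generator needs in strict mode is
        whether a parameter is ever written, because no other path can observe the
        arguments object before the function itself mentions it.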
2219
2220 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2221
2222         Remove useless code from COMPILER(RVCT) JITStubs
2223         https://bugs.webkit.org/show_bug.cgi?id=119521
2224
2225         Reviewed by Geoffrey Garen.
2226
2227         * jit/JITStubsARMv7.h:
2228         (JSC::ctiVMThrowTrampoline): "ldr r6, [sp, #PRESERVED_R6_OFFSET]" was called twice.
2229         (JSC::ctiOpThrowNotCaught): Ditto.
2230
2231 2013-07-23  David Farler  <dfarler@apple.com>
2232
2233         Provide optional OTHER_CFLAGS, OTHER_CPPFLAGS, OTHER_LDFLAGS additions for building with ASAN
2234         https://bugs.webkit.org/show_bug.cgi?id=117762
2235
2236         Reviewed by Mark Rowe.
2237
2238         * Configurations/DebugRelease.xcconfig:
2239         Add ASAN_OTHER_CFLAGS, CPLUSPLUSFLAGS, LDFLAGS.
2240         * Configurations/JavaScriptCore.xcconfig:
2241         Add ASAN_OTHER_LDFLAGS.
2242         * Configurations/ToolExecutable.xcconfig:
2243         Don't use ASAN for build tools.
2244
2245 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2246
2247         Build fix for ARM MSVC after r153222 and r153648.
2248
2249         * jit/JITStubsARM.h: Added ctiVMThrowTrampolineSlowpath.
2250
2251 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2252
2253         Build fix for ARM MSVC after r150109.
2254
2255         Read the stub template from a header file instead of JITStubs.cpp.
2256
2257         * CMakeLists.txt:
2258         * DerivedSources.pri:
2259         * create_jit_stubs:
2260
2261 2013-08-05  Oliver Hunt  <oliver@apple.com>
2262
2263         Move TypedArray implementation into JSC
2264         https://bugs.webkit.org/show_bug.cgi?id=119489
2265
2266         Reviewed by Filip Pizlo.
2267
2268         Move TypedArray implementation into JSC in advance of re-implementation.
2269
2270         * GNUmakefile.list.am:
2271         * JSCTypedArrayStubs.h:
2272         * JavaScriptCore.xcodeproj/project.pbxproj:
2273         * runtime/ArrayBuffer.cpp: Renamed from Source/WTF/wtf/ArrayBuffer.cpp.
2274         (JSC::ArrayBuffer::transfer):
2275         (JSC::ArrayBuffer::addView):
2276         (JSC::ArrayBuffer::removeView):
2277         * runtime/ArrayBuffer.h: Renamed from Source/WTF/wtf/ArrayBuffer.h.
2278         (JSC::ArrayBufferContents::ArrayBufferContents):
2279         (JSC::ArrayBufferContents::data):
2280         (JSC::ArrayBufferContents::sizeInBytes):
2281         (JSC::ArrayBufferContents::transfer):
2282         (JSC::ArrayBufferContents::copyTo):
2283         (JSC::ArrayBuffer::isNeutered):
2284         (JSC::ArrayBuffer::~ArrayBuffer):
2285         (JSC::ArrayBuffer::clampValue):
2286         (JSC::ArrayBuffer::create):
2287         (JSC::ArrayBuffer::createUninitialized):
2288         (JSC::ArrayBuffer::ArrayBuffer):
2289         (JSC::ArrayBuffer::data):
2290         (JSC::ArrayBuffer::byteLength):
2291         (JSC::ArrayBuffer::slice):
2292         (JSC::ArrayBuffer::sliceImpl):
2293         (JSC::ArrayBuffer::clampIndex):
2294         (JSC::ArrayBufferContents::tryAllocate):
2295         (JSC::ArrayBufferContents::~ArrayBufferContents):
2296         * runtime/ArrayBufferView.cpp: Renamed from Source/WTF/wtf/ArrayBufferView.cpp.
2297         (JSC::ArrayBufferView::ArrayBufferView):
2298         (JSC::ArrayBufferView::~ArrayBufferView):
2299         (JSC::ArrayBufferView::neuter):
2300         * runtime/ArrayBufferView.h: Renamed from Source/WTF/wtf/ArrayBufferView.h.
2301         (JSC::ArrayBufferView::buffer):
2302         (JSC::ArrayBufferView::baseAddress):
2303         (JSC::ArrayBufferView::byteOffset):
2304         (JSC::ArrayBufferView::setNeuterable):
2305         (JSC::ArrayBufferView::isNeuterable):
2306         (JSC::ArrayBufferView::verifySubRange):
2307         (JSC::ArrayBufferView::clampOffsetAndNumElements):
2308         (JSC::ArrayBufferView::setImpl):
2309         (JSC::ArrayBufferView::setRangeImpl):
2310         (JSC::ArrayBufferView::zeroRangeImpl):
2311         (JSC::ArrayBufferView::calculateOffsetAndLength):
2312         * runtime/Float32Array.h: Renamed from Source/WTF/wtf/Float32Array.h.
2313         (JSC::Float32Array::set):
2314         (JSC::Float32Array::getType):
2315         (JSC::Float32Array::create):
2316         (JSC::Float32Array::createUninitialized):
2317         (JSC::Float32Array::Float32Array):
2318         (JSC::Float32Array::subarray):
2319         * runtime/Float64Array.h: Renamed from Source/WTF/wtf/Float64Array.h.
2320         (JSC::Float64Array::set):
2321         (JSC::Float64Array::getType):
2322         (JSC::Float64Array::create):
2323         (JSC::Float64Array::createUninitialized):
2324         (JSC::Float64Array::Float64Array):
2325         (JSC::Float64Array::subarray):
2326         * runtime/Int16Array.h: Renamed from Source/WTF/wtf/Int16Array.h.
2327         (JSC::Int16Array::getType):
2328         (JSC::Int16Array::create):
2329         (JSC::Int16Array::createUninitialized):
2330         (JSC::Int16Array::Int16Array):
2331         (JSC::Int16Array::subarray):
2332         * runtime/Int32Array.h: Renamed from Source/WTF/wtf/Int32Array.h.
2333         (JSC::Int32Array::getType):
2334         (JSC::Int32Array::create):
2335         (JSC::Int32Array::createUninitialized):
2336         (JSC::Int32Array::Int32Array):
2337         (JSC::Int32Array::subarray):
2338         * runtime/Int8Array.h: Renamed from Source/WTF/wtf/Int8Array.h.
2339         (JSC::Int8Array::getType):
2340         (JSC::Int8Array::create):
2341         (JSC::Int8Array::createUninitialized):
2342         (JSC::Int8Array::Int8Array):
2343         (JSC::Int8Array::subarray):
2344         * runtime/IntegralTypedArrayBase.h: Renamed from Source/WTF/wtf/IntegralTypedArrayBase.h.
2345         (JSC::IntegralTypedArrayBase::set):
2346         (JSC::IntegralTypedArrayBase::IntegralTypedArrayBase):
2347         * runtime/TypedArrayBase.h: Renamed from Source/WTF/wtf/TypedArrayBase.h.
2348         (JSC::TypedArrayBase::data):
2349         (JSC::TypedArrayBase::set):
2350         (JSC::TypedArrayBase::setRange):
2351         (JSC::TypedArrayBase::zeroRange):
2352         (JSC::TypedArrayBase::length):
2353         (JSC::TypedArrayBase::byteLength):
2354         (JSC::TypedArrayBase::item):
2355         (JSC::TypedArrayBase::checkInboundData):
2356         (JSC::TypedArrayBase::TypedArrayBase):
2357         (JSC::TypedArrayBase::create):
2358         (JSC::TypedArrayBase::createUninitialized):
2359         (JSC::TypedArrayBase::subarrayImpl):
2360         (JSC::TypedArrayBase::neuter):
2361         * runtime/Uint16Array.h: Renamed from Source/WTF/wtf/Uint16Array.h.
2362         (JSC::Uint16Array::getType):
2363         (JSC::Uint16Array::create):
2364         (JSC::Uint16Array::createUninitialized):
2365         (JSC::Uint16Array::Uint16Array):
2366         (JSC::Uint16Array::subarray):
2367         * runtime/Uint32Array.h: Renamed from Source/WTF/wtf/Uint32Array.h.
2368         (JSC::Uint32Array::getType):
2369         (JSC::Uint32Array::create):
2370         (JSC::Uint32Array::createUninitialized):
2371         (JSC::Uint32Array::Uint32Array):
2372         (JSC::Uint32Array::subarray):
2373         * runtime/Uint8Array.h: Renamed from Source/WTF/wtf/Uint8Array.h.
2374         (JSC::Uint8Array::getType):
2375         (JSC::Uint8Array::create):
2376         (JSC::Uint8Array::createUninitialized):
2377         (JSC::Uint8Array::Uint8Array):
2378         (JSC::Uint8Array::subarray):
2379         * runtime/Uint8ClampedArray.h: Renamed from Source/WTF/wtf/Uint8ClampedArray.h.
2380         (JSC::Uint8ClampedArray::getType):
2381         (JSC::Uint8ClampedArray::create):
2382         (JSC::Uint8ClampedArray::createUninitialized):
2383         (JSC::Uint8ClampedArray::zeroFill):
2384         (JSC::Uint8ClampedArray::set):
2385         (JSC::Uint8ClampedArray::Uint8ClampedArray):
2386         (JSC::Uint8ClampedArray::subarray):
2387         * runtime/VM.h:
2388
2389 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
2390
2391         Copied space should be able to handle more than one copied backing store per JSCell
2392         https://bugs.webkit.org/show_bug.cgi?id=119471
2393
2394         Reviewed by Mark Hahnenberg.
2395         
2396         This allows a cell to call copyLater() multiple times for multiple different
2397         backing stores, and then have copyBackingStore() called exactly once for each
2398         of those. A token tells it which backing store to copy. All backing stores
2399         must be named using the CopyToken, an enumeration which currently cannot
2400         exceed eight entries.
2401         
2402         When copyBackingStore() is called, it's up to the callee to (a) use the token
2403         to decide what to copy and (b) call its base class's copyBackingStore() in
2404         case the base class had something that needed copying. The only exception is
2405         that JSCell never asks anything to be copied, and so if your base is JSCell
2406         then you don't have to do anything.
2407
2408         * GNUmakefile.list.am:
2409         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2410         * JavaScriptCore.xcodeproj/project.pbxproj:
2411         * heap/CopiedBlock.h:
2412         * heap/CopiedBlockInlines.h:
2413         (JSC::CopiedBlock::reportLiveBytes):
2414         * heap/CopyToken.h: Added.
2415         * heap/CopyVisitor.cpp:
2416         (JSC::CopyVisitor::copyFromShared):
2417         * heap/CopyVisitor.h:
2418         * heap/CopyVisitorInlines.h:
2419         (JSC::CopyVisitor::visitItem):
2420         * heap/CopyWorkList.h:
2421         (JSC::CopyWorklistItem::CopyWorklistItem):
2422         (JSC::CopyWorklistItem::cell):
2423         (JSC::CopyWorklistItem::token):
2424         (JSC::CopyWorkListSegment::get):
2425         (JSC::CopyWorkListSegment::append):
2426         (JSC::CopyWorkListSegment::data):
2427         (JSC::CopyWorkListIterator::get):
2428         (JSC::CopyWorkListIterator::operator*):
2429         (JSC::CopyWorkListIterator::operator->):
2430         (JSC::CopyWorkList::append):
2431         * heap/SlotVisitor.h:
2432         * heap/SlotVisitorInlines.h:
2433         (JSC::SlotVisitor::copyLater):
2434         * runtime/ClassInfo.h:
2435         * runtime/JSCell.cpp:
2436         (JSC::JSCell::copyBackingStore):
2437         * runtime/JSCell.h:
2438         * runtime/JSObject.cpp:
2439         (JSC::JSObject::visitButterfly):
2440         (JSC::JSObject::copyBackingStore):
2441         * runtime/JSObject.h:
2442
2443 2013-08-05  Zan Dobersek  <zdobersek@igalia.com>
2444
2445         [Automake] Define ENABLE_JIT through the Autoconf header
2446         https://bugs.webkit.org/show_bug.cgi?id=119445
2447
2448         Reviewed by Martin Robinson.
2449
2450         * GNUmakefile.am: Remove JSC_CPPFLAGS from the cpp flags for the JSC library.
2451
2452 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
2453
2454         hasIndexingHeader() ought really to be a property of an object and its structure, not just its structure
2455         https://bugs.webkit.org/show_bug.cgi?id=119470
2456
2457         Reviewed by Oliver Hunt.
2458         
2459         Structure can still tell you if the object "could" (in the conservative sense)
2460         have an indexing header; that's used by the compiler.
2461         
2462         Most of the time if you want to know if there's an indexing header, you ask the
2463         JSObject.
2464         
2465         In some cases, the JSObject wants to know if it would have an indexing header if
2466         it had a different structure; then it uses Structure::hasIndexingHeader(JSCell*).
2467
2468         * dfg/DFGRepatch.cpp:
2469         (JSC::DFG::tryCachePutByID):
2470         (JSC::DFG::tryBuildPutByIdList):
2471         * dfg/DFGSpeculativeJIT.cpp:
2472         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2473         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2474         * runtime/ButterflyInlines.h:
2475         (JSC::Butterfly::create):
2476         (JSC::Butterfly::growPropertyStorage):
2477         (JSC::Butterfly::growArrayRight):
2478         (JSC::Butterfly::resizeArray):
2479         * runtime/JSObject.cpp:
2480         (JSC::JSObject::copyButterfly):
2481         (JSC::JSObject::visitButterfly):
2482         * runtime/JSObject.h:
2483         (JSC::JSObject::hasIndexingHeader):
2484         (JSC::JSObject::setButterfly):
2485         * runtime/Structure.h:
2486         (JSC::Structure::couldHaveIndexingHeader):
2487         (JSC::Structure::hasIndexingHeader):
2488
2489 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
2490
2491         Give the error object's stack property accessor attributes.
2492         https://bugs.webkit.org/show_bug.cgi?id=119404
2493
2494         Reviewed by Geoffrey Garen.
2495         
2496         Changed the attributes of the error object's stack property to allow developers to write
2497         and delete the stack property. This will match the functionality of Chrome. Firefox
2498         allows developers to write the error's stack, but not delete it.
2499
2500         * interpreter/Interpreter.cpp:
2501         (JSC::Interpreter::addStackTraceIfNecessary):
2502         * runtime/ErrorInstance.cpp:
2503         (JSC::ErrorInstance::finishCreation):
2504
2505 2013-08-02  Oliver Hunt  <oliver@apple.com>
2506
2507         Incorrect type speculation reported by ToPrimitive
2508         https://bugs.webkit.org/show_bug.cgi?id=119458
2509
2510         Reviewed by Mark Hahnenberg.
2511
2512         Make sure that we report the correct type possibilities for the output
2513         from ToPrimitive
2514
2515         * dfg/DFGAbstractInterpreterInlines.h:
2516         (JSC::DFG::::executeEffects):
2517
2518 2013-08-02  Gavin Barraclough  <barraclough@apple.com>
2519
2520         Remove no-arguments constructor to PropertySlot
2521         https://bugs.webkit.org/show_bug.cgi?id=119460
2522
2523         Reviewed by Geoff Garen.
2524
2525         This constructor was unsafe if getValue is subsequently called,
2526         and the property is a getter. Simplest to just remove it.
2527
2528         * runtime/Arguments.cpp:
2529         (JSC::Arguments::defineOwnProperty):
2530         * runtime/JSActivation.cpp:
2531         (JSC::JSActivation::getOwnPropertyDescriptor):
2532         * runtime/JSFunction.cpp:
2533         (JSC::JSFunction::getOwnPropertyDescriptor):
2534         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2535         (JSC::JSFunction::put):
2536         (JSC::JSFunction::defineOwnProperty):
2537         * runtime/JSGlobalObject.cpp:
2538         (JSC::JSGlobalObject::defineOwnProperty):
2539         * runtime/JSGlobalObject.h:
2540         (JSC::JSGlobalObject::hasOwnPropertyForWrite):
2541         * runtime/JSNameScope.cpp:
2542         (JSC::JSNameScope::put):
2543         * runtime/JSONObject.cpp:
2544         (JSC::Stringifier::Holder::appendNextProperty):
2545         (JSC::Walker::walk):
2546         * runtime/JSObject.cpp:
2547         (JSC::JSObject::hasProperty):
2548         (JSC::JSObject::hasOwnProperty):
2549         (JSC::JSObject::reifyStaticFunctionsForDelete):
2550         * runtime/Lookup.h:
2551         (JSC::getStaticPropertyDescriptor):
2552         (JSC::getStaticFunctionDescriptor):
2553         (JSC::getStaticValueDescriptor):
2554         * runtime/ObjectConstructor.cpp:
2555         (JSC::defineProperties):
2556         * runtime/PropertySlot.h:
2557
2558 2013-08-02  Mark Hahnenberg  <mhahnenberg@apple.com>
2559
2560         DFG validation can cause assertion failures due to dumping
2561         https://bugs.webkit.org/show_bug.cgi?id=119456
2562
2563         Reviewed by Geoffrey Garen.
2564
2565         * bytecode/CodeBlock.cpp:
2566         (JSC::CodeBlock::hasHash):
2567         (JSC::CodeBlock::isSafeToComputeHash):
2568         (JSC::CodeBlock::hash):
2569         (JSC::CodeBlock::dumpAssumingJITType):
2570         * bytecode/CodeBlock.h:
2571
2572 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
2573
2574         Have vm's exceptionStack match java's vm's exceptionStack.
2575         https://bugs.webkit.org/show_bug.cgi?id=119362
2576
2577         Reviewed by Geoffrey Garen.
2578         
2579         The error object's stack is only updated if it does not exist yet. This matches 
2580         the functionality of other browsers, and Java VMs. 
2581
2582         * interpreter/Interpreter.cpp:
2583         (JSC::Interpreter::addStackTraceIfNecessary):
2584         (JSC::Interpreter::throwException):
2585         * runtime/VM.cpp:
2586         (JSC::VM::clearExceptionStack):
2587         * runtime/VM.h:
2588         (JSC::VM::lastExceptionStack):
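
        The following JavaScript is an added example, not JavaScriptCore code and not part
        of either change. It shows the behaviour described in the two Chris Curtis entries
        above: the stack property being writable and deletable (bug 119404), and the stack
        being recorded once when the error is created rather than replaced when it is
        thrown again (bug 119362). It assumes an engine that, like JSC after these changes
        or V8, gives each Error instance an own "stack" property with those attributes; the
        helper names (stackPropertyAttributes, stackSurvivesRethrow, customStackIsKept,
        scrubForClient) are the example's own.

```javascript
// Added example, not JavaScriptCore code: observable behaviour of the Error
// "stack" property after the two changes described above. Assumes an engine
// (JSC after these changes, or V8/Node) that gives every Error instance an own
// "stack" property which is writable and deletable.

// Report how the engine exposes "stack". Engines may expose it as a data
// property or as an accessor pair, so both forms are reduced to two flags.
function stackPropertyAttributes(err) {
  const desc = Object.getOwnPropertyDescriptor(err, "stack");
  if (!desc) return { own: false, writable: false, configurable: false };
  const writable = "set" in desc ? typeof desc.set === "function" : desc.writable === true;
  return { own: true, writable, configurable: desc.configurable === true };
}

// The stack is recorded when the Error is constructed and is not replaced when
// the same object is thrown again from another frame. Returns the trace seen
// at construction and the trace seen by the final catch, plus whether the
// constructing frame is still named in it.
function stackSurvivesRethrow() {
  let atConstruction = "";
  function makeError() {             // the frame the trace should name
    const e = new Error("constructed here");
    atConstruction = e.stack;
    return e;
  }
  function rethrowFromElsewhere(e) { // a frame that must not overwrite it
    throw e;
  }
  try {
    rethrowFromElsewhere(makeError());
  } catch (e) {
    return {
      before: atConstruction,
      after: e.stack,
      mentionsOrigin: /makeError/.test(e.stack),
    };
  }
  return null; // unreachable: rethrowFromElsewhere always throws
}

// Because "stack" is writable, a caller's own value survives a throw.
function customStackIsKept() {
  const e = new Error("x");
  e.stack = "custom trace";
  try {
    throw e;
  } catch (caught) {
    return caught.stack;
  }
}

// Because "stack" is deletable, an error that is about to cross a trust
// boundary (for example, serialised into an HTTP response) can have the trace,
// with its file paths and function names, removed from the object itself.
function scrubForClient(err) {
  const safe = { name: err.name, message: err.message };
  delete err.stack;
  return {
    safe,
    stackRemoved: !Object.prototype.hasOwnProperty.call(err, "stack"),
  };
}

// Stand-alone run: show the attribute flags and the re-throw result.
console.log(stackPropertyAttributes(new Error("demo")));
console.log(stackSurvivesRethrow().mentionsOrigin, customStackIsKept());
```

        scrubForClient is the practical consequence of the deletable attribute. A trace
        exposes file paths and function names; JSON.stringify omits it only because the
        property is non-enumerable, and a serialiser that walks Object.getOwnPropertyNames
        would still copy it, so removing the property from the object is the safer step.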
2589
2590 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
2591
2592         REGRESSION(FTL): Fix mips implementation of ctiVMThrowTrampolineSlowpath.
2593         https://bugs.webkit.org/show_bug.cgi?id=119447
2594
2595         Reviewed by Geoffrey Garen.
2596
2597         Fix .cpload, update call frame and do not restore registers from JIT stack frame in
2598         mips implementation of ctiVMThrowTrampolineSlowpath. This change is similar to
2599         r153583 (sh4) and r153648 (ARM).
2600
2601         * jit/JITStubsMIPS.h:
2602
2603 2013-08-01  Filip Pizlo  <fpizlo@apple.com>
2604
2605         hasIndexingHeader should be a property of the Structure, not just the IndexingType
2606         https://bugs.webkit.org/show_bug.cgi?id=119422
2607
2608         Reviewed by Oliver Hunt.
2609         
2610         This simplifies some code and also allows Structure to claim that an object
2611         has an indexing header even if it doesn't have indexed properties.
2612         
2613         I also changed some calls to use hasIndexedProperties() since in some cases,
2614         that's what we actually meant. Currently the two are synonyms.
2615
2616         * dfg/DFGRepatch.cpp:
2617         (JSC::DFG::tryCachePutByID):
2618         (JSC::DFG::tryBuildPutByIdList):
2619         * dfg/DFGSpeculativeJIT.cpp:
2620         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2621         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2622         * runtime/ButterflyInlines.h:
2623         (JSC::Butterfly::create):
2624         (JSC::Butterfly::growPropertyStorage):
2625         (JSC::Butterfly::growArrayRight):
2626         (JSC::Butterfly::resizeArray):
2627         * runtime/IndexingType.h:
2628         * runtime/JSObject.cpp:
2629         (JSC::JSObject::copyButterfly):
2630         (JSC::JSObject::visitButterfly):
2631         (JSC::JSObject::setPrototype):
2632         * runtime/JSObject.h:
2633         (JSC::JSObject::setButterfly):
2634         * runtime/JSPropertyNameIterator.cpp:
2635         (JSC::JSPropertyNameIterator::create):
2636         * runtime/Structure.h:
2637         (JSC::Structure::hasIndexingHeader):
2638
2639 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
2640
2641         REGRESSION: ARM still crashes after change set r153612.
2642         https://bugs.webkit.org/show_bug.cgi?id=119433
2643
2644         Reviewed by Michael Saboff.
2645
2646         Update call frame and do not restore registers from JIT stack frame in ARM and ARMv7
2647         implementations of ctiVMThrowTrampolineSlowpath. This change is similar to r153583
2648         for sh4 architecture.
2649
2650         * jit/JITStubsARM.h:
2651         * jit/JITStubsARMv7.h:
2652
2653 2013-08-02  Michael Saboff  <msaboff@apple.com>
2654
2655         REGRESSION(r153612): It made jsc and layout tests crash
2656         https://bugs.webkit.org/show_bug.cgi?id=119440
2657
2658         Reviewed by Csaba Osztrogonác.
2659
2660         Made the changes in changeset r153612 only apply to 32-bit builds.
2661
2662         * jit/JITExceptions.cpp:
2663         * jit/JITExceptions.h:
2664         * jit/JITStubs.cpp:
2665         (JSC::cti_vm_throw_slowpath):
2666         * jit/JITStubs.h:
2667
2668 2013-08-02  Patrick Gansterer  <paroga@webkit.org>
2669
2670         Add JSCTestRunnerUtils to the list of forwarding headers to fix build.
2671
2672         * CMakeLists.txt:
2673
2674 2013-08-01  Ruth Fong  <ruth_fong@apple.com>
2675
2676         [Forms: color] <input type='color'> popover color well implementation
2677         <rdar://problem/14411008> and https://bugs.webkit.org/show_bug.cgi?id=119356
2678
2679         Reviewed by Benjamin Poulain.
2680
2681         * Configurations/FeatureDefines.xcconfig: Added and enabled INPUT_TYPE_COLOR_POPOVER.
2682
2683 2013-08-01  Oliver Hunt  <oliver@apple.com>
2684
2685         DFG is not enforcing correct ordering of ToString conversion in MakeRope
2686         https://bugs.webkit.org/show_bug.cgi?id=119408
2687
2688         Reviewed by Filip Pizlo.
2689
2690         Construct ToString and Phantom nodes in advance of MakeRope
2691         nodes to ensure that ordering is ensured, and correct values
2692         will be reified on OSR exit.
2693
2694         * dfg/DFGByteCodeParser.cpp:
2695         (JSC::DFG::ByteCodeParser::parseBlock):
2696
2697 2013-08-01  Michael Saboff  <msaboff@apple.com>
2698
2699         REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
2700         https://bugs.webkit.org/show_bug.cgi?id=119140
2701
2702         Reviewed by Filip Pizlo.
2703
2704         Ensure that ExceptionHandler is returned by functions in two registers by encoding the value as a 64 bit int.
2705
2706         * jit/JITExceptions.cpp:
2707         (JSC::encode):
2708         * jit/JITExceptions.h:
2709         * jit/JITStubs.cpp:
2710         (JSC::cti_vm_throw_slowpath):
2711         * jit/JITStubs.h:
2712
2713 2013-08-01  Julien Brianceau  <jbrianceau@nds.com>
2714
2715         REGRESSION(FTL): Fix sh4 implementation of ctiVMThrowTrampolineSlowpath.
2716         https://bugs.webkit.org/show_bug.cgi?id=119391
2717
2718         Reviewed by Csaba Osztrogonác.
2719
2720         * jit/JITStubsSH4.h: Fix ctiVMThrowTrampolineSlowpath implementation:
2721             - Call frame is in r14 register.
2722             - Do not restore registers from JIT stack frame here.
2723
2724 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
2725
2726         More cleanup in PropertySlot
2727         https://bugs.webkit.org/show_bug.cgi?id=119359
2728
2729         Reviewed by Geoff Garen.
2730
2731         m_slotBase is overloaded to store the (receiver) thisValue and the object that contains the property.
2732         This is confusing, and means that slotBase cannot be typed correctly (can only be a JSObject).
2733
2734         * dfg/DFGRepatch.cpp:
2735         (JSC::DFG::tryCacheGetByID):
2736         (JSC::DFG::tryBuildGetByIDList):
2737             - No need to ASSERT slotBase is an object.
2738         * jit/JITStubs.cpp:
2739         (JSC::tryCacheGetByID):
2740         (JSC::DEFINE_STUB_FUNCTION):
2741             - No need to ASSERT slotBase is an object.
2742         * runtime/JSObject.cpp:
2743         (JSC::JSObject::getOwnPropertySlotByIndex):
2744         (JSC::JSObject::fillGetterPropertySlot):
2745             - Pass an object through to setGetterSlot.
2746         * runtime/JSObject.h:
2747         (JSC::PropertySlot::getValue):
2748             - Moved from PropertySlot (need to know about JSObject).
2749         * runtime/PropertySlot.cpp:
2750         (JSC::PropertySlot::functionGetter):
2751             - update per member name changes
2752         * runtime/PropertySlot.h:
2753         (JSC::PropertySlot::PropertySlot):
2754             - Argument to constructor set to 'thisValue'.
2755         (JSC::PropertySlot::slotBase):
2756             - This returns a JSObject*.
2757         (JSC::PropertySlot::setValue):
2758         (JSC::PropertySlot::setCustom):
2759         (JSC::PropertySlot::setCacheableCustom):
2760         (JSC::PropertySlot::setCustomIndex):
2761         (JSC::PropertySlot::setGetterSlot):
2762         (JSC::PropertySlot::setCacheableGetterSlot):
2763             - slotBase is a JSObject*, make setGetterSlot set slotBase for consistency.
2764         * runtime/SparseArrayValueMap.cpp:
2765         (JSC::SparseArrayEntry::get):
2766             - Pass an object through to setGetterSlot.
2767         * runtime/SparseArrayValueMap.h:
2768             - Pass an object through to setGetterSlot.
2769
2770 2013-07-31  Yi Shen  <max.hong.shen@gmail.com>
2771
2772         Reduce JSC API static value setter/getter overhead.
2773         https://bugs.webkit.org/show_bug.cgi?id=119277
2774
2775         Reviewed by Geoffrey Garen.
2776
2777         Add the property name to the static value entry, so that OpaqueJSString::create() doesn't
2778         need to be called every time the static value is set or read.
2779
2780         * API/JSCallbackObjectFunctions.h:
2781         (JSC::::put):
2782         (JSC::::putByIndex):
2783         (JSC::::getStaticValue):
2784         * API/JSClassRef.cpp:
2785         (OpaqueJSClassContextData::OpaqueJSClassContextData):
2786         * API/JSClassRef.h:
2787         (StaticValueEntry::StaticValueEntry):
2788
2789 2013-07-31  Kwang Yul Seo  <skyul@company100.net>
2790
2791         Use emptyString instead of String("")
2792         https://bugs.webkit.org/show_bug.cgi?id=119335
2793
2794         Reviewed by Darin Adler.
2795
2796         Use emptyString() instead of String("") because it is better style and
2797         faster. This is a followup to r116908, removing all occurrences of
2798         String("") from WebKit.
2799
2800         * runtime/RegExpConstructor.cpp:
2801         (JSC::constructRegExp):
2802         * runtime/RegExpPrototype.cpp:
2803         (JSC::regExpProtoFuncCompile):
2804         * runtime/StringPrototype.cpp:
2805         (JSC::stringProtoFuncMatch):
2806         (JSC::stringProtoFuncSearch):
2807
2808 2013-07-31  Ruth Fong  <ruth_fong@apple.com>
2809
2810         <input type=color> Mac UI behaviour
2811         <rdar://problem/10269922> and https://bugs.webkit.org/show_bug.cgi?id=61276
2812
2813         Reviewed by Brady Eidson.
2814
2815         * Configurations/FeatureDefines.xcconfig: Enabled INPUT_TYPE_COLOR.
2816
2817 2013-07-31  Mark Hahnenberg  <mhahnenberg@apple.com>
2818
2819         DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT
2820         https://bugs.webkit.org/show_bug.cgi?id=119349
2821
2822         Reviewed by Geoffrey Garen.
2823
2824         Prior to this patch, the baseline JIT was responsible for resizing the ctiOffsets Vector for 
2825         SimpleJumpTables to be equal to the size of the branchOffsets Vector. The DFG implicitly relied
2826         on code it compiled with any switch statements to have been run in the baseline JIT first. 
2827         However, if the DFG chooses to inline a function that has never been compiled by the baseline 
2828         JIT then this resizing never happens and we crash at link time in the DFG.
2829
2830         We can fix this by also doing the resize in the DFG to catch this case.
2831
2832         * dfg/DFGJITCompiler.cpp:
2833         (JSC::DFG::JITCompiler::link):
2834
2835 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
2836
2837         Speculative Windows build fix.
2838
2839         Reviewed by NOBODY
2840
2841         * runtime/JSString.cpp:
2842         (JSC::JSRopeString::getIndexSlowCase):
2843         * runtime/JSString.h:
2844
2845 2013-07-30  Gavin Barraclough  <barraclough@apple.com>
2846
2847         Some cleanup in JSValue::get
2848         https://bugs.webkit.org/show_bug.cgi?id=119343
2849
2850         Reviewed by Geoff Garen.
2851
2852         JSValue::get is implemented to:
2853             1) Check if the value is a cell – if not, synthesize a prototype to search,
2854             2) call getOwnPropertySlot on the cell,
2855             3) if this returns false, cast to JSObject to get the prototype, and walk the prototype chain.
2856         By all rights this should crash when passed a string and accessing a property that does not exist, because
2857         the string is a cell, getOwnPropertySlot should return false, and the cast to JSObject should be unsafe.
2858         To work around this, JSString::getOwnPropertySlot actually implements 'get' functionality - searching the
2859         prototype chain, and faking out a return value of undefined if no property is found.
2860
2861         This is a huge hazard, since fixing JSString::getOwnPropertySlot or calling getOwnPropertySlot on cells
2862         from elsewhere would introduce bugs. Fortunately it is only ever called in this one place.
2863
2864         The fix here is to move getOwnPropertySlot onto JSObject and end this madness - cells don't have property
2865         slots anyway.
2866
2867         Interesting changes are in JSCJSValueInlines.h, JSString.cpp - the rest is pretty much all JSCell -> JSObject.
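
        The three-step lookup described in this entry, modelled in plain JavaScript as an added
        example (this is not JavaScriptCore code; jsGet, getOwnSlot and synthesizePrototype are
        names made up for the illustration). The string case shows why the old shortcut was a
        hazard: a string is a cell with a few own properties, but after an own-property miss the
        search has to continue on String.prototype rather than treating the string as an object.

```javascript
// Added example, not JavaScriptCore code: a model in plain JavaScript of the
// JSValue::get lookup described in the entry above. Names such as jsGet and
// synthesizePrototype are made up for this illustration.

// Step 1: a non-cell (primitive) has no property storage of its own, so the
// engine synthesizes the prototype it should search instead.
function synthesizePrototype(value) {
  switch (typeof value) {
    case 'number': return Number.prototype;
    case 'boolean': return Boolean.prototype;
    case 'symbol': return Symbol.prototype;
    case 'bigint': return BigInt.prototype;
    default: throw new TypeError(`Cannot read properties of ${String(value)}`);
  }
}

// Step 2: own-property lookup on one holder. A string is the awkward case
// from the entry: it is a heap cell with a couple of own properties
// ('length' and its character indices) but it is not an object, so a miss
// here must continue with String.prototype and never cast the string to an
// object. Returns a property descriptor, or undefined on a miss.
function getOwnSlot(holder, key) {
  if (typeof holder === 'string') {
    if (key === 'length') return { value: holder.length };
    const isIndex = typeof key === 'string' && /^(0|[1-9][0-9]*)$/.test(key);
    if (isIndex && Number(key) < holder.length) return { value: holder[Number(key)] };
    return undefined;
  }
  return Object.getOwnPropertyDescriptor(holder, key);
}

// Step 3: walk the prototype chain until a holder answers or the chain ends.
function jsGet(value, key, receiver = value) {
  if (value === null || value === undefined) {
    throw new TypeError(`Cannot read properties of ${String(value)}`);
  }
  const propKey = typeof key === 'symbol' ? key : String(key);
  const isCell = typeof value === 'object' || typeof value === 'function' || typeof value === 'string';
  let holder = isCell ? value : synthesizePrototype(value);
  while (holder !== null) {
    const slot = getOwnSlot(holder, propKey);
    if (slot !== undefined) {
      // Accessor descriptors carry 'get'; data descriptors carry 'value'.
      if ('get' in slot) return slot.get === undefined ? undefined : slot.get.call(receiver);
      return slot.value;
    }
    holder = typeof holder === 'string' ? String.prototype : Object.getPrototypeOf(holder);
  }
  return undefined; // property not found anywhere on the chain
}

console.log(jsGet('abc', 'length'), jsGet('abc', 1), jsGet(42, 'toFixed') === Number.prototype.toFixed);
```

        Getters are invoked with the original receiver, so a getter found on a prototype sees the
        object the lookup started from, as in real property access.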
2868
2869 2013-07-31  Michael Saboff  <msaboff@apple.com>
2870
2871         [Win] JavaScript crash.
2872         https://bugs.webkit.org/show_bug.cgi?id=119339
2873
2874         Reviewed by Mark Hahnenberg.
2875
2876         * jit/JITStubsX86.h: Implement ctiVMThrowTrampoline and
2877         ctiVMThrowTrampolineSlowpath the same way as the gcc x86 version does.
2878
2879 2013-07-30  Mark Hahnenberg  <mhahnenberg@apple.com>
2880
2881         GetByVal on Arguments does the wrong size load when checking the Arguments object length
2882         https://bugs.webkit.org/show_bug.cgi?id=119281
2883
2884         Reviewed by Geoffrey Garen.
2885
2886         This leads to out of bounds accesses and subsequent crashes.
2887
2888         * dfg/DFGSpeculativeJIT.cpp:
2889         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
2890         * dfg/DFGSpeculativeJIT64.cpp:
2891         (JSC::DFG::SpeculativeJIT::compile):
2892
2893 2013-07-30  Oliver Hunt  <oliver@apple.com>
2894
2895         Add an assertion to SpeculateCellOperand
2896         https://bugs.webkit.org/show_bug.cgi?id=119276
2897
2898         Reviewed by Michael Saboff.
2899
2900         More assertions are better
2901
2902         * dfg/DFGSpeculativeJIT64.cpp:
2903         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2904         (JSC::DFG::SpeculativeJIT::compile):
2905
2906 2013-07-30  Mark Lam  <mark.lam@apple.com>
2907
2908         Fix problems with divot and lineStart mismatches.
2909         https://bugs.webkit.org/show_bug.cgi?id=118662.
2910
2911         Reviewed by Oliver Hunt.
2912
2913         r152494 added the recording of lineStart values for divot positions.
2914         This is needed for the computation of column numbers. Similarly, it also
2915         added the recording of line numbers for the divot positions. One problem
2916         with the approach taken was that the line and lineStart values were
2917         recorded independently, and hence were not always guaranteed to be
2918         sampled at the same place that the divot position is recorded. This
2919         resulted in potential mismatches that cause some assertions to fail.
2920
2921         The solution is to introduce a JSTextPosition abstraction that records
2922         the divot position, line, and lineStart as a single quantity. Wherever
2923         we record the divot position as an unsigned int previously, we now record
2924         its JSTextPosition which captures all 3 values in one go. This ensures
2925         that the captured line and lineStart will always match the captured divot
2926         position.
2927
2928         * bytecompiler/BytecodeGenerator.cpp:
2929         (JSC::BytecodeGenerator::emitCall):
2930         (JSC::BytecodeGenerator::emitCallEval):
2931         (JSC::BytecodeGenerator::emitCallVarargs):
2932         (JSC::BytecodeGenerator::emitConstruct):
2933         (JSC::BytecodeGenerator::emitDebugHook):
2934         - Use JSTextPosition instead of passing line and lineStart explicitly.
2935         * bytecompiler/BytecodeGenerator.h:
2936         (JSC::BytecodeGenerator::emitExpressionInfo):
2937         - Use JSTextPosition instead of passing line and lineStart explicitly.
2938         * bytecompiler/NodesCodegen.cpp:
2939         (JSC::ThrowableExpressionData::emitThrowReferenceError):
2940         (JSC::ResolveNode::emitBytecode):
2941         (JSC::BracketAccessorNode::emitBytecode):
2942         (JSC::DotAccessorNode::emitBytecode):
2943         (JSC::NewExprNode::emitBytecode):
2944         (JSC::EvalFunctionCallNode::emitBytecode):
2945         (JSC::FunctionCallValueNode::emitBytecode):
2946         (JSC::FunctionCallResolveNode::emitBytecode):
2947         (JSC::FunctionCallBracketNode::emitBytecode):
2948         (JSC::FunctionCallDotNode::emitBytecode):
2949         (JSC::CallFunctionCallDotNode::emitBytecode):
2950         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2951         (JSC::PostfixNode::emitResolve):
2952         (JSC::PostfixNode::emitBracket):
2953         (JSC::PostfixNode::emitDot):
2954         (JSC::DeleteResolveNode::emitBytecode):
2955         (JSC::DeleteBracketNode::emitBytecode):
2956         (JSC::DeleteDotNode::emitBytecode):
2957         (JSC::PrefixNode::emitResolve):
2958         (JSC::PrefixNode::emitBracket):
2959         (JSC::PrefixNode::emitDot):
2960         (JSC::UnaryOpNode::emitBytecode):
2961         (JSC::BinaryOpNode::emitStrcat):
2962         (JSC::BinaryOpNode::emitBytecode):
2963         (JSC::ThrowableBinaryOpNode::emitBytecode):
2964         (JSC::InstanceOfNode::emitBytecode):
2965         (JSC::emitReadModifyAssignment):
2966         (JSC::ReadModifyResolveNode::emitBytecode):
2967         (JSC::AssignResolveNode::emitBytecode):
2968         (JSC::AssignDotNode::emitBytecode):
2969         (JSC::ReadModifyDotNode::emitBytecode):
2970         (JSC::AssignBracketNode::emitBytecode):
2971         (JSC::ReadModifyBracketNode::emitBytecode):
2972         (JSC::ForInNode::emitBytecode):
2973         (JSC::WithNode::emitBytecode):
2974         (JSC::ThrowNode::emitBytecode):
2975         - Use JSTextPosition instead of passing line and lineStart explicitly.
2976         * parser/ASTBuilder.h:
2977         - Replaced ASTBuilder::PositionInfo with JSTextPosition.
2978         (JSC::ASTBuilder::BinaryOpInfo::BinaryOpInfo):
2979         (JSC::ASTBuilder::AssignmentInfo::AssignmentInfo):
2980         (JSC::ASTBuilder::createResolve):
2981         (JSC::ASTBuilder::createBracketAccess):
2982         (JSC::ASTBuilder::createDotAccess):
2983         (JSC::ASTBuilder::createRegExp):
2984         (JSC::ASTBuilder::createNewExpr):
2985         (JSC::ASTBuilder::createAssignResolve):
2986         (JSC::ASTBuilder::createExprStatement):
2987         (JSC::ASTBuilder::createForInLoop):
2988         (JSC::ASTBuilder::createReturnStatement):
2989         (JSC::ASTBuilder::createBreakStatement):
2990         (JSC::ASTBuilder::createContinueStatement):
2991         (JSC::ASTBuilder::createLabelStatement):
2992         (JSC::ASTBuilder::createWithStatement):
2993         (JSC::ASTBuilder::createThrowStatement):
2994         (JSC::ASTBuilder::appendBinaryExpressionInfo):
2995         (JSC::ASTBuilder::appendUnaryToken):
2996         (JSC::ASTBuilder::unaryTokenStackLastStart):
2997         (JSC::ASTBuilder::assignmentStackAppend):
2998         (JSC::ASTBuilder::createAssignment):
2999         (JSC::ASTBuilder::setExceptionLocation):
3000         (JSC::ASTBuilder::makeDeleteNode):
3001         (JSC::ASTBuilder::makeFunctionCallNode):
3002         (JSC::ASTBuilder::makeBinaryNode):
3003         (JSC::ASTBuilder::makeAssignNode):
3004         (JSC::ASTBuilder::makePrefixNode):
3005         (JSC::ASTBuilder::makePostfixNode):
3006         - Use JSTextPosition instead of passing line and lineStart explicitly.
3007         * parser/Lexer.cpp:
3008         (JSC::::lex):
3009         - Added support for capturing the appropriate JSTextPositions instead
3010           of just the character offset.
3011         * parser/Lexer.h:
3012         (JSC::Lexer::currentPosition):
3013         (JSC::::lexExpectIdentifier):
3014         - Added support for capturing the appropriate JSTextPositions instead
3015           of just the character offset.
3016         * parser/NodeConstructors.h:
3017         (JSC::Node::Node):
3018         (JSC::ResolveNode::ResolveNode):
3019         (JSC::EvalFunctionCallNode::EvalFunctionCallNode):
3020         (JSC::FunctionCallValueNode::FunctionCallValueNode):
3021         (JSC::FunctionCallResolveNode::FunctionCallResolveNode):
3022         (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
3023         (JSC::FunctionCallDotNode::FunctionCallDotNode):
3024         (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
3025         (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
3026         (JSC::PostfixNode::PostfixNode):
3027         (JSC::DeleteResolveNode::DeleteResolveNode):
3028         (JSC::DeleteBracketNode::DeleteBracketNode):
3029         (JSC::DeleteDotNode::DeleteDotNode):
3030         (JSC::PrefixNode::PrefixNode):
3031         (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
3032         (JSC::ReadModifyBracketNode::ReadModifyBracketNode):
3033         (JSC::AssignBracketNode::AssignBracketNode):
3034         (JSC::AssignDotNode::AssignDotNode):
3035         (JSC::ReadModifyDotNode::ReadModifyDotNode):
3036         (JSC::AssignErrorNode::AssignErrorNode):
3037         (JSC::WithNode::WithNode):
3038         (JSC::ForInNode::ForInNode):
3039         - Use JSTextPosition instead of passing line and lineStart explicitly.
3040         * parser/Nodes.cpp:
3041         (JSC::StatementNode::setLoc):
3042         - Use JSTextPosition instead of passing line and lineStart explicitly.
3043         * parser/Nodes.h:
3044         (JSC::Node::lineNo):
3045         (JSC::Node::startOffset):
3046         (JSC::Node::lineStartOffset):
3047         (JSC::Node::position):
3048         (JSC::ThrowableExpressionData::ThrowableExpressionData):
3049         (JSC::ThrowableExpressionData::setExceptionSourceCode):
3050         (JSC::ThrowableExpressionData::divot):
3051         (JSC::ThrowableExpressionData::divotStart):
3052         (JSC::ThrowableExpressionData::divotEnd):
3053         (JSC::ThrowableSubExpressionData::ThrowableSubExpressionData):
3054         (JSC::ThrowableSubExpressionData::setSubexpressionInfo):
3055         (JSC::ThrowableSubExpressionData::subexpressionDivot):
3056         (JSC::ThrowableSubExpressionData::subexpressionStart):
3057         (JSC::ThrowableSubExpressionData::subexpressionEnd):
3058         (JSC::ThrowablePrefixedSubExpressionData::ThrowablePrefixedSubExpressionData):
3059         (JSC::ThrowablePrefixedSubExpressionData::setSubexpressionInfo):
3060         (JSC::ThrowablePrefixedSubExpressionData::subexpressionDivot):
3061         (JSC::ThrowablePrefixedSubExpressionData::subexpressionStart):
3062         (JSC::ThrowablePrefixedSubExpressionData::subexpressionEnd):
3063         - Use JSTextPosition instead of passing line and lineStart explicitly.
3064         * parser/Parser.cpp:
3065         (JSC::::Parser):
3066         (JSC::::parseInner):
3067         - Use JSTextPosition instead of passing line and lineStart explicitly.
3068         (JSC::::didFinishParsing):
3069         - Remove setting of m_lastLine value. We always pass in the value from
3070           m_lastLine anyway. So, this assignment is effectively a nop.
3071         (JSC::::parseVarDeclaration):
3072         (JSC::::parseVarDeclarationList):
3073         (JSC::::parseForStatement):
3074         (JSC::::parseBreakStatement):
3075         (JSC::::parseContinueStatement):
3076         (JSC::::parseReturnStatement):
3077         (JSC::::parseThrowStatement):
3078         (JSC::::parseWithStatement):
3079         (JSC::::parseTryStatement):
3080         (JSC::::parseBlockStatement):
3081         (JSC::::parseFunctionDeclaration):
3082         (JSC::LabelInfo::LabelInfo):
3083         (JSC::::parseExpressionOrLabelStatement):
3084         (JSC::::parseExpressionStatement):
3085         (JSC::::parseAssignmentExpression):
3086         (JSC::::parseBinaryExpression):
3087         (JSC::::parseProperty):
3088         (JSC::::parsePrimaryExpression):
3089         (JSC::::parseMemberExpression):
3090         (JSC::::parseUnaryExpression):
3091         - Use JSTextPosition instead of passing line and lineStart explicitly.
3092         * parser/Parser.h:
3093         (JSC::Parser::next):
3094         (JSC::Parser::nextExpectIdentifier):
3095         (JSC::Parser::getToken):
3096         (JSC::Parser::tokenStartPosition):
3097         (JSC::Parser::tokenEndPosition):
3098         (JSC::Parser::lastTokenEndPosition):
3099         (JSC::::parse):
3100         - Use JSTextPosition instead of passing line and lineStart explicitly.
3101         * parser/ParserTokens.h:
3102         (JSC::JSTextPosition::JSTextPosition):
3103         (JSC::JSTextPosition::operator+):
3104         (JSC::JSTextPosition::operator-):
3105         (JSC::JSTextPosition::operator int):
3106         - Added JSTextPosition.
3107         * parser/SyntaxChecker.h:
3108         (JSC::SyntaxChecker::makeFunctionCallNode):
3109         (JSC::SyntaxChecker::makeAssignNode):
3110         (JSC::SyntaxChecker::makePrefixNode):
3111         (JSC::SyntaxChecker::makePostfixNode):
3112         (JSC::SyntaxChecker::makeDeleteNode):
3113         (JSC::SyntaxChecker::createResolve):
3114         (JSC::SyntaxChecker::createBracketAccess):
3115         (JSC::SyntaxChecker::createDotAccess):
3116         (JSC::SyntaxChecker::createRegExp):
3117         (JSC::SyntaxChecker::createNewExpr):
3118         (JSC::SyntaxChecker::createAssignResolve):
3119         (JSC::SyntaxChecker::createForInLoop):
3120         (JSC::SyntaxChecker::createReturnStatement):
3121         (JSC::SyntaxChecker::createBreakStatement):
3122         (JSC::SyntaxChecker::createContinueStatement):
3123         (JSC::SyntaxChecker::createWithStatement):
3124         (JSC::SyntaxChecker::createLabelStatement):
3125         (JSC::SyntaxChecker::createThrowStatement):
3126         (JSC::SyntaxChecker::appendBinaryExpressionInfo):
3127         (JSC::SyntaxChecker::operatorStackPop):
3128         - Use JSTextPosition instead of passing line and lineStart explicitly.
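
        A small lexer that records a JSTextPosition for every token, as an added example of the
        abstraction this entry introduces (illustrative JavaScript, not JavaScriptCore's lexer;
        JSTextPosition, Lexer, makeThrowSite and formatError are names chosen for the example).
        Line, offset and lineStart are captured in one call, so the column derived from them cannot
        drift the way independently sampled values could.

```javascript
// Added example, not JavaScriptCore code: a tiny JavaScript lexer that
// records a JSTextPosition (offset, line and lineStart captured together)
// for each token, modelling the fix described in the entry above. Class and
// function names here are illustrative.
class JSTextPosition {
  constructor(line, offset, lineStartOffset) {
    this.line = line;                         // 1-based line number
    this.offset = offset;                     // absolute character offset
    this.lineStartOffset = lineStartOffset;   // offset where this line begins
  }
  // Derived, so it can never disagree with the offset it was sampled with.
  get column() { return this.offset - this.lineStartOffset; }
  // Models operator+/operator-: move along the same line.
  plus(n) { return new JSTextPosition(this.line, this.offset + n, this.lineStartOffset); }
  minus(n) { return this.plus(-n); }
  toString() { return `${this.line}:${this.column}`; }
}

class Lexer {
  constructor(source) {
    this.source = source;
    this.offset = 0;
    this.line = 1;
    this.lineStart = 0;
  }
  // All three values are read at the same instant, which is the whole point.
  currentPosition() { return new JSTextPosition(this.line, this.offset, this.lineStart); }
  skipWhitespace() {
    while (this.offset < this.source.length) {
      const ch = this.source[this.offset];
      if (ch === '\n') { this.offset++; this.line++; this.lineStart = this.offset; }
      else if (ch === ' ' || ch === '\t' || ch === '\r') this.offset++;
      else break;
    }
  }
  // Identifiers, decimal numbers, or a single punctuation character.
  next() {
    this.skipWhitespace();
    if (this.offset >= this.source.length) return null;
    const start = this.currentPosition();
    const match = /^(?:[A-Za-z_$][\w$]*|[0-9]+|[^\s\w$])/.exec(this.source.slice(this.offset));
    const text = match[0];
    this.offset += text.length;
    return { text, start, end: start.plus(text.length) };
  }
  tokens() {
    const out = [];
    for (let t = this.next(); t !== null; t = this.next()) out.push(t);
    return out;
  }
}

// A throwable expression records where an error should point (the divot)
// together with its start and end, all as JSTextPositions.
function makeThrowSite(tokens, startIdx, divotIdx, endIdx) {
  return { start: tokens[startIdx].start, divot: tokens[divotIdx].start, end: tokens[endIdx].end };
}

// Render "message at line:column" plus a caret line under the divot.
function formatError(source, message, site) {
  const lineText = source.split('\n')[site.divot.line - 1].replace(/\r$/, '');
  return `${message} at ${site.divot}\n${lineText}\n${' '.repeat(site.divot.column)}^`;
}

// Constructed sample input.
const sampleSource = 'let x = 1;\n  foo.bar();';
const sampleTokens = new Lexer(sampleSource).tokens();
console.log(formatError(sampleSource, 'TypeError: foo.bar is not a function',
  makeThrowSite(sampleTokens, 5, 7, 9)));
```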
3129
3130 2013-07-29  Carlos Garcia Campos  <cgarcia@igalia.com>
3131
3132         Unreviewed. Fix make distcheck.
3133
3134         * GNUmakefile.list.am: Add missing files to compilation.
3135         * bytecode/CodeBlock.cpp: Add a ENABLE(FTL_JIT) #if block to
3136         include FTL header files not included in the compilation.
3137         * dfg/DFGDriver.cpp: Ditto.
3138         * dfg/DFGPlan.cpp: Ditto.
3139
3140 2013-07-29  Chris Curtis  <chris_curtis@apple.com>
3141
3142         Eager stack trace for error objects.
3143         https://bugs.webkit.org/show_bug.cgi?id=118918
3144
3145         Reviewed by Geoffrey Garen.
3146         
3147         Chrome and Firefox give error objects the stack property and we wanted to match
3148         that functionality. This allows developers to see the stack without throwing an object.
3149
3150         * runtime/ErrorInstance.cpp:
3151         (JSC::ErrorInstance::finishCreation):
3152          For error objects that are not thrown as an exception, we pass the stackTrace in 
3153          as a parameter. This allows the error object to have the stack property.
3154         
3155         * interpreter/Interpreter.cpp:
3156         (JSC::stackTraceAsString):
3157         Helper function used to eliminate duplicate code.
3158
3159         (JSC::Interpreter::addStackTraceIfNecessary):
3160         When an error object is created by the user, the vm->exceptionStack is not set.
3161         If the user throws this error object later the stack that is in the error object 
3162         may not be the correct stack for the throw, so when we set the vm->exception stack,
3163         the stack property on the error object is set as well.
3164         
3165         * runtime/ErrorConstructor.cpp:
3166         (JSC::constructWithErrorConstructor):
3167         (JSC::callErrorConstructor):
3168         * runtime/NativeErrorConstructor.cpp:
3169         (JSC::constructWithNativeErrorConstructor):
3170         (JSC::callNativeErrorConstructor):
3171         These functions indicate that the user created an error object. For all error objects 
3172         that the user explicitly creates, the topCallFrame is at a new frame created to 
3173         handle the user's call. In this case though, the error object needs the caller's 
3174         frame to create the stack trace correctly.
3175         
3176         * interpreter/Interpreter.h:
3177         * runtime/ErrorInstance.h:
3178         (JSC::ErrorInstance::create):
3179
3180 2013-07-29  Gavin Barraclough  <barraclough@apple.com>
3181
3182         Some cleanup in PropertySlot
3183         https://bugs.webkit.org/show_bug.cgi?id=119189
3184
3185         Reviewed by Geoff Garen.
3186
3187         PropertySlot represents a property in one of four states - value, getter, custom, or custom-index.
3188         The state is currently tracked redundantly by two mechanisms - the custom getter function (m_getValue)
3189         is set to a special value to indicate the type (other than custom), and the type is also tracked by
3190         an enum - but only if cacheable. Cacheability can typically be determined by the value of m_offset
3191         (this is invalidOffset if not cacheable).
3192
3193             * Internally, always track the type of the property using an enum value, PropertyType.
3194             * Use m_offset to indicate cacheable.
3195             * Keep the external interface (CachedPropertyType) unchanged.
3196             * Better pack data into the m_data union.
3197
3198         Performance neutral.
3199
3200         * dfg/DFGRepatch.cpp:
3201         (JSC::DFG::tryCacheGetByID):
3202         (JSC::DFG::tryBuildGetByIDList):
3203             - cachedPropertyType() -> isCacheable*()
3204         * jit/JITPropertyAccess.cpp:
3205         (JSC::JIT::privateCompileGetByIdProto):
3206         (JSC::JIT::privateCompileGetByIdSelfList):
3207         (JSC::JIT::privateCompileGetByIdProtoList):
3208         (JSC::JIT::privateCompileGetByIdChainList):
3209         (JSC::JIT::privateCompileGetByIdChain):
3210             - cachedPropertyType() -> isCacheable*()
3211         * jit/JITPropertyAccess32_64.cpp:
3212         (JSC::JIT::privateCompileGetByIdProto):
3213         (JSC::JIT::privateCompileGetByIdSelfList):
3214         (JSC::JIT::privateCompileGetByIdProtoList):
3215         (JSC::JIT::privateCompileGetByIdChainList):
3216         (JSC::JIT::privateCompileGetByIdChain):
3217             - cachedPropertyType() -> isCacheable*()
3218         * jit/JITStubs.cpp:
3219         (JSC::tryCacheGetByID):
3220             - cachedPropertyType() -> isCacheable*()
3221         * llint/LLIntSlowPaths.cpp:
3222         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3223             - cachedPropertyType() -> isCacheable*()
3224         * runtime/PropertySlot.cpp:
3225         (JSC::PropertySlot::functionGetter):
3226             - refactoring described above.
3227         * runtime/PropertySlot.h:
3228         (JSC::PropertySlot::PropertySlot):
3229         (JSC::PropertySlot::getValue):
3230         (JSC::PropertySlot::isCacheable):
3231         (JSC::PropertySlot::isCacheableValue):
3232         (JSC::PropertySlot::isCacheableGetter):
3233         (JSC::PropertySlot::isCacheableCustom):
3234         (JSC::PropertySlot::cachedOffset):
3235         (JSC::PropertySlot::customGetter):
3236         (JSC::PropertySlot::setValue):
3237         (JSC::PropertySlot::setCustom):
3238         (JSC::PropertySlot::setCacheableCustom):
3239         (JSC::PropertySlot::setCustomIndex):
3240         (JSC::PropertySlot::setGetterSlot):
3241         (JSC::PropertySlot::setCacheableGetterSlot):
3242         (JSC::PropertySlot::setUndefined):
3243         (JSC::PropertySlot::slotBase):
3244         (JSC::PropertySlot::setBase):
3245             - refactoring described above.
3246
3247 2013-07-28  Oliver Hunt  <oliver@apple.com>
3248
3249         REGRESSION: Crash when opening Facebook.com
3250         https://bugs.webkit.org/show_bug.cgi?id=119155
3251
3252         Reviewed by Andreas Kling.
3253
3254         Scope nodes are always objects, so we should be using SpecObjectOther
3255         rather than SpecCellOther.  Marking Scopes as CellOther leads to a
3256         contradiction in the CFA, resulting in bogus codegen.
3257
3258         * dfg/DFGAbstractInterpreterInlines.h:
3259         (JSC::DFG::::executeEffects):
3260         * dfg/DFGPredictionPropagationPhase.cpp:
3261         (JSC::DFG::PredictionPropagationPhase::propagate):
3262
3263 2013-07-26  Oliver Hunt  <oliver@apple.com>
3264
3265         REGRESSION(FTL?): Crashes in plugin tests
3266         https://bugs.webkit.org/show_bug.cgi?id=119141
3267
3268         Reviewed by Michael Saboff.
3269
3270         Re-export getStackTrace
3271
3272         * interpreter/Interpreter.h:
3273
3274 2013-07-26  Filip Pizlo  <fpizlo@apple.com>
3275
3276         REGRESSION: Crash when opening a message on Gmail
3277         https://bugs.webkit.org/show_bug.cgi?id=119105
3278
3279         Reviewed by Oliver Hunt and Mark Hahnenberg.
3280         
3281         - GetById patching in the DFG needs to be more disciplined about how it derives the
3282           slow path.
3283         
3284         - Fix some dumping code thread safety issues.
3285
3286         * bytecode/CallLinkStatus.cpp:
3287         (JSC::CallLinkStatus::dump):
3288         * bytecode/CodeBlock.cpp:
3289         (JSC::CodeBlock::dumpBytecode):
3290         * dfg/DFGRepatch.cpp:
3291         (JSC::DFG::getPolymorphicStructureList):
3292         (JSC::DFG::tryBuildGetByIDList):
3293
3294 2013-07-26  Balazs Kilvady  <kilvadyb@homejinni.com>
3295
3296         [mips] Fix LLINT build for mips backend
3297         https://bugs.webkit.org/show_bug.cgi?id=119152
3298
3299         Reviewed by Oliver Hunt.
3300
3301         * offlineasm/mips.rb:
3302
3303 2013-07-19  Mark Hahnenberg  <mhahnenberg@apple.com>
3304
3305         Setting a large numeric property on an object causes it to allocate a huge backing store
3306         https://bugs.webkit.org/show_bug.cgi?id=118914
3307
3308         Reviewed by Geoffrey Garen.
3309
3310         There are two distinct actions that we're trying to optimize for:
3311
3312         new Array(100000);
3313
3314         and:
3315
3316         a = [];
3317         a[100000] = 42;
3318         
3319         In the first case, the programmer has indicated that they expect this Array to be very big, 
3320         so they should get a contiguous array up until some threshold, above which we perform density 
3321         calculations to see if it is indeed dense enough to warrant being contiguous.
3322         
3323         In the second case, the programmer hasn't indicated anything about the size of the Array, so 
3324         we should be more conservative and assume it should be sparse until we've proven otherwise.
3325         
3326         Currently both of those cases are handled by MIN_SPARSE_ARRAY_INDEX. We should distinguish 
3327         between them for the purposes of not over-allocating large backing stores like we see on 
3328         http://www.peekanalytics.com/burgerjoints/
3329         
3330         The way that we'll do this is to keep the MIN_SPARSE_ARRAY_INDEX for the first case, and 
3331         introduce a new heuristic for the second case. If we are putting to an index above a certain 
3332         threshold (say, 1000) and it is beyond the length of the array, then we will use a sparse 
3333         map instead. So for example, in the second case above the empty array has a blank indexing 
3334         type and a length of 0. We put-by-val to an index > 1000 and > a.length, so we'll use a sparse map.
3335
3336         This fix is ~800x speedup on the accompanying regression test :-o
3337
3338         * runtime/ArrayConventions.h:
3339         (JSC::indexIsSufficientlyBeyondLengthForSparseMap):
3340         * runtime/JSObject.cpp:
3341         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
3342         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
3343         (JSC::JSObject::putByIndexBeyondVectorLength):
3344         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
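
        The two cases this entry distinguishes, modelled in JavaScript as an added example (not
        JavaScriptCore code; ArrayModel and the three constants are placeholders, and the
        thresholds are made up since the entry only says "say, 1000"). The pre-fix behaviour is
        kept behind a flag so the over-allocation can be compared directly: a single put at index
        50000 on an empty array grows a 50001-slot contiguous store in the old model and goes to a
        sparse map in the new one.

```javascript
// Added example, not JavaScriptCore code: a JavaScript model of the
// backing-store decision described in the entry above. The constants are
// illustrative placeholders (the entry only says "say, 1000"), not JSC's
// real values.
const MIN_SPARSE_ARRAY_INDEX = 100000;    // hypothetical: above this, density decides
const SPARSE_MAP_INDEX_THRESHOLD = 1000;  // hypothetical: the entry's "say, 1000"
const MIN_DENSITY = 1 / 8;                // hypothetical: filled slots / (index + 1)

// The new heuristic for the second case: a put far past the current length
// of an array that never declared a size goes to a sparse map.
function indexIsSufficientlyBeyondLengthForSparseMap(index, length) {
  return index > SPARSE_MAP_INDEX_THRESHOLD && index > length;
}

class ArrayModel {
  // declaredLength models `new Array(n)`; 0 models `[]`.
  // beyondLengthHeuristic=false models the pre-fix behaviour for comparison.
  constructor(declaredLength = 0, { beyondLengthHeuristic = true } = {}) {
    this.length = declaredLength;
    this.vector = [];      // contiguous backing store; its length is what gets allocated
    this.sparse = null;    // Map once the array has gone sparse
    this.count = 0;        // filled slots, for the density calculation
    this.beyondLengthHeuristic = beyondLengthHeuristic;
  }

  get storage() { return this.sparse !== null ? 'sparse' : 'contiguous'; }
  get vectorLength() { return this.vector.length; }

  // First-case rule: above MIN_SPARSE_ARRAY_INDEX, stay contiguous only if dense enough.
  denseEnoughFor(index) {
    return (this.count + 1) / (index + 1) >= MIN_DENSITY;
  }

  goSparse() {
    this.sparse = new Map();
    this.vector.forEach((v, i) => this.sparse.set(i, v)); // forEach skips holes
    this.vector = [];
  }

  put(index, value) {
    if (!Number.isInteger(index) || index < 0) throw new RangeError('bad index');
    if (this.sparse === null && index >= this.vector.length) {
      if (this.beyondLengthHeuristic && indexIsSufficientlyBeyondLengthForSparseMap(index, this.length)) {
        this.goSparse();
      } else if (index >= MIN_SPARSE_ARRAY_INDEX && !this.denseEnoughFor(index)) {
        this.goSparse();
      }
    }
    if (this.sparse !== null) {
      if (!this.sparse.has(index)) this.count++;
      this.sparse.set(index, value);
    } else {
      if (index >= this.vector.length) this.vector.length = index + 1; // the allocation at issue
      if (!(index in this.vector)) this.count++;
      this.vector[index] = value;
    }
    if (index >= this.length) this.length = index + 1;
  }

  get(index) {
    return this.sparse !== null ? this.sparse.get(index) : this.vector[index];
  }
}

const before = new ArrayModel(0, { beyondLengthHeuristic: false });
before.put(50000, 42);
const after = new ArrayModel();
after.put(50000, 42);
console.log(before.storage, before.vectorLength, after.storage, after.vectorLength);
```

        Sequential appends never trigger the new rule because each put lands exactly at the
        current length, so `new Array(n)` filled in order stays contiguous through the density
        check.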
3345
3346 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
3347
3348         REGRESSION(FTL): Fix lots of crashes in sh4 baseline JIT.
3349         https://bugs.webkit.org/show_bug.cgi?id=119148
3350
3351         Reviewed by Csaba Osztrogonác.
3352
3353         * jit/JSInterfaceJIT.h: "secondArgumentRegister" is wrong for sh4.
3354         * llint/LowLevelInterpreter32_64.asm: "move t0, a0" is missing
3355         in nativeCallTrampoline for sh4. Reuse MIPS implementation to avoid
3356         code duplication.
3357
3358 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
3359
3360         REGRESSION(FTL): Crash in sh4 baseline JIT.
3361         https://bugs.webkit.org/show_bug.cgi?id=119138
3362
3363         Reviewed by Csaba Osztrogonác.
3364
3365         This crash is due to incomplete report of r150146 and r148474.
3366
3367         * jit/JITStubsSH4.h:
3368
3369 2013-07-26  Zan Dobersek  <zdobersek@igalia.com>
3370
3371         Unreviewed.
3372
3373         * Target.pri: Adding missing DFG files to the Qt build.
3374
3375 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3376
3377         GTK and Qt buildfix after the intrusive win buildfix r153360.
3378
3379         * GNUmakefile.list.am:
3380         * Target.pri:
3381
3382 2013-07-25  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
3383
3384         Unreviewed, fix build break after r153360.
3385
3386         * CMakeLists.txt: Add CommonSlowPathsExceptions.cpp.
3387
3388 2013-07-25  Roger Fong  <roger_fong@apple.com>
3389
3390         Unreviewed build fix, AppleWin port.
3391
3392         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3393         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3394         * JavaScriptCore.vcxproj/copy-files.cmd:
3395
3396 2013-07-25  Roger Fong  <roger_fong@apple.com>
3397
3398         Unreviewed. Followup to r153360.
3399
3400         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3401         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3402
3403 2013-07-25  Michael Saboff  <msaboff@apple.com>
3404
3405         [Windows] Speculative build fix.
3406
3407         Moved interpreterThrowInCaller() out of LLintExceptions.cpp into new CommonSlowPathsExceptions.cpp
3408         that is always compiled.  Made LLInt::returnToThrow() conditional on LLINT being enabled.
3409
3410         * JavaScriptCore.xcodeproj/project.pbxproj:
3411         * llint/LLIntExceptions.cpp:
3412         * llint/LLIntExceptions.h:
3413         * llint/LLIntSlowPaths.cpp:
3414         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3415         * runtime/CommonSlowPaths.cpp:
3416         (JSC::SLOW_PATH_DECL):
3417         * runtime/CommonSlowPathsExceptions.cpp: Added.
3418         (JSC::CommonSlowPaths::interpreterThrowInCaller):
3419         * runtime/CommonSlowPathsExceptions.h: Added.
3420
3421 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
3422
3423         [Windows] Unreviewed build fix.
3424
3425         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing IntendedStructureChange.h,.cpp and
3426         parser/SourceCode.h,.cpp.
3427         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
3428
3429 2013-07-25  Anders Carlsson  <andersca@apple.com>
3430
3431         ASSERT(m_vm->apiLock().currentThreadIsHoldingLock()); fails for Safari on current ToT
3432         https://bugs.webkit.org/show_bug.cgi?id=119108
3433
3434         Reviewed by Mark Hahnenberg.
3435
3436         Add a currentThreadIsHoldingAPILock() function to VM that checks if the current thread is the exclusive API thread.
3437
3438         * heap/CopiedSpace.cpp:
3439         (JSC::CopiedSpace::tryAllocateSlowCase):
3440         * heap/Heap.cpp:
3441         (JSC::Heap::protect):
3442         (JSC::Heap::unprotect):
3443         (JSC::Heap::collect):
3444         * heap/MarkedAllocator.cpp:
3445         (JSC::MarkedAllocator::allocateSlowCase):
3446         * runtime/JSGlobalObject.cpp:
3447         (JSC::JSGlobalObject::init):
3448         * runtime/VM.h:
3449         (JSC::VM::currentThreadIsHoldingAPILock):
3450
3451 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3452
3453         REGRESSION(FTL): Most layout tests crashes
3454         https://bugs.webkit.org/show_bug.cgi?id=119089
3455
3456         Reviewed by Oliver Hunt.
3457
3458         * runtime/ExecutionHarness.h:
3459         (JSC::prepareForExecution): Move prepareForExecutionImpl call into its own statement. This prevents the GCC-compiled
3460         code from creating the PassOwnPtr<JSC::JITCode> (intended as a parameter to the installOptimizedCode call) from the jitCode
3461         RefPtr<JSC::JITCode> parameter before the latter was actually given a proper value through the prepareForExecutionImpl call.
3462         Currently it's created beforehand and therefore holds a null pointer before it's anchored as the JIT code in
3463         JSC::CodeBlock::setJITCode, which later indirectly causes assertions in JSC::CodeBlock::jitCompile.
3464         (JSC::prepareFunctionForExecution): Ditto for prepareFunctionForExecutionImpl.
3465
3466 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
3467
3468         [Windows] Unreviewed build fix.
3469
3470         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Add missing 'ftl'
3471         include path.
3472
3473 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
3474
3475         [Windows] Unreviewed build fix.
3476
3477         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add some missing files:
3478         runtime/VM.h,.cpp; Remove deleted JSGlobalData.h,.cpp.
3479         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
3480
3481 2013-07-25  Oliver Hunt  <oliver@apple.com>
3482
3483         Make all jit & non-jit combos build cleanly
3484         https://bugs.webkit.org/show_bug.cgi?id=119102
3485
3486         Reviewed by Anders Carlsson.
3487
3488         * bytecode/CodeBlock.cpp:
3489         (JSC::CodeBlock::counterValueForOptimizeSoon):
3490         * bytecode/CodeBlock.h:
3491         (JSC::CodeBlock::optimizeAfterWarmUp):
3492         (JSC::CodeBlock::numberOfDFGCompiles):
3493
3494 2013-07-25  Oliver Hunt  <oliver@apple.com>
3495
3496         32 bit portion of load validation logic
3497         https://bugs.webkit.org/show_bug.cgi?id=118878
3498
3499         Reviewed by NOBODY (Build fix).
3500
3501         * dfg/DFGSpeculativeJIT32_64.cpp:
3502         (JSC::DFG::SpeculativeJIT::compile):
3503
3504 2013-07-25  Oliver Hunt  <oliver@apple.com>
3505
3506         More 32bit build fixes
3507
3508         - Apparently some compilers don't track the fastcall directive everywhere we expect
3509
3510         * API/APICallbackFunction.h:
3511         (JSC::APICallbackFunction::call):
3512         * bytecode/CodeBlock.cpp:
3513         * runtime/Structure.cpp:
3514
3515 2013-07-25  Yi Shen  <max.hong.shen@gmail.com>
3516
3517         Optimize the thread locks for API Shims
3518         https://bugs.webkit.org/show_bug.cgi?id=118573
3519
3520         Reviewed by Geoffrey Garen.
3521
3522         Remove the thread lock from API Shims if the VM has an exclusive thread (e.g. the VM 
3523         only used by WebCore's main thread).
3524
3525         * API/APIShims.h:
3526         (JSC::APIEntryShim::APIEntryShim):
3527         (JSC::APICallbackShim::APICallbackShim):
3528         * runtime/JSLock.cpp:
3529         (JSC::JSLockHolder::JSLockHolder):
3530         (JSC::JSLockHolder::init):
3531         (JSC::JSLockHolder::~JSLockHolder):
3532         (JSC::JSLock::DropAllLocks::DropAllLocks):
3533         (JSC::JSLock::DropAllLocks::~DropAllLocks):
3534         * runtime/VM.cpp:
3535         (JSC::VM::VM):
3536         * runtime/VM.h:
3537
3538 2013-07-25  Christophe Dumez  <ch.dumez@sisa.samsung.com>
3539
3540         Unreviewed build fix after r153218.
3541
3542         Broke the EFL port build with gcc 4.7.
3543
3544         * interpreter/StackIterator.cpp:
3545         (JSC::printif):
3546
3547 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
3548
3549         Build fix: add missing #include.
3550         https://bugs.webkit.org/show_bug.cgi?id=119087
3551
3552         Reviewed by Allan Sandfeld Jensen.
3553
3554         * bytecode/ArrayProfile.cpp:
3555
3556 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
3557
3558         Unreviewed, build fix on the EFL port.
3559
3560         * CMakeLists.txt: Added JSCTestRunnerUtils.cpp.
3561
3562 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
3563
3564         [sh4] Add missing store8(TrustedImm32, void*) implementation in baseline JIT.
3565         https://bugs.webkit.org/show_bug.cgi?id=119083
3566
3567         Reviewed by Allan Sandfeld Jensen.
3568
3569         * assembler/MacroAssemblerSH4.h:
3570         (JSC::MacroAssemblerSH4::store8):
3571
3572 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
3573
3574         [Qt] Fix test build after FTL upstream
3575
3576         Unreviewed build fix.
3577
3578         * Target.pri:
3579
3580 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
3581
3582         [Qt] Build fix after FTL.
3583
3584         Unreviewed build fix.
3585
3586         * Target.pri:
3587         * interpreter/StackIterator.cpp:
3588         (JSC::StackIterator::Frame::print):
3589
3590 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
3591
3592         Unreviewed build fix after FTL upstream.
3593
3594         * dfg/DFGWorklist.cpp:
3595         (JSC::DFG::Worklist::~Worklist):
3596
3597 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
3598
3599         Unreviewed, build fix on the EFL port.
3600
3601         * CMakeLists.txt:
3602         Added SourceCode.cpp and removed BlackBerry file.
3603         * jit/JITCode.h:
3604         (JSC::JITCode::nextTierJIT):
3605         Fixed build break caused by -Werror=return-type
3606         * parser/Lexer.cpp: Includes JSFunctionInlines.h
3607         * runtime/JSScope.h:
3608         (JSC::makeType):
3609         Fixed build break caused by -Werror=return-type
3610
3611 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
3612
3613         Unreviewed build fixing after FTL upstream.
3614
3615         * runtime/Executable.cpp:
3616         (JSC::FunctionExecutable::produceCodeBlockFor):
3617
3618 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
3619
3620         Add missing implementation of bxxxnz in sh4 LLINT.
3621         https://bugs.webkit.org/show_bug.cgi?id=119079
3622
3623         Reviewed by Allan Sandfeld Jensen.
3624
3625         * offlineasm/sh4.rb:
3626
3627 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
3628
3629         Unreviewed, build fix on the Qt port.
3630
3631         * Target.pri: Add additional build files for the FTL.
3632
3633 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
3634
3635         Unreviewed buildfix after FTL upstream.
3636
3637         * interpreter/StackIterator.cpp:
3638         (JSC::StackIterator::Frame::codeType):
3639         (JSC::StackIterator::Frame::functionName):
3640         (JSC::StackIterator::Frame::sourceURL):
3641         (JSC::StackIterator::Frame::logicalFrame):
3642
3643 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3644
3645         Unreviewed.
3646
3647         * heap/CopyVisitor.cpp: Include CopiedSpaceInlines header so the CopiedSpace::recycleEvacuatedBlock
3648         method is not left undefined, causing build failures on (at least) the GTK port.
3649
3650 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3651
3652         Unreviewed, further build fixing on the GTK port.
3653
3654         * GNUmakefile.list.am: Add CompilationResult source files to the build.
3655
3656 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3657
3658         Unreviewed GTK build fixing.
3659
3660         * GNUmakefile.am: Make the shared libjsc library depend on any changes to the build target list.
3661         * GNUmakefile.list.am: Add additional build targets for files that were introduced by the FTL branch merge.
3662
3663 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3664
3665         Buildfix after this error:
3666         error: 'pathName' may be used uninitialized in this function [-Werror=uninitialized]
3667
3668         * dfg/DFGPlan.cpp:
3669         (JSC::DFG::Plan::compileInThread):
3670
3671 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3672
3673         One more buildfix after FTL upstream.
3674
3675         Return a dummy value after RELEASE_ASSERT_NOT_REACHED() to make GCC happy.
3676
3677         * dfg/DFGLazyJSValue.cpp:
3678         (JSC::DFG::LazyJSValue::getValue):
3679         (JSC::DFG::LazyJSValue::strictEqual):
3680
3681 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
3682
3683         Fix "Unhandled opcode localAnnotation" build error in sh4 and mips LLINT.
3684         https://bugs.webkit.org/show_bug.cgi?id=119076
3685
3686         Reviewed by Allan Sandfeld Jensen.
3687
3688         * offlineasm/mips.rb:
3689         * offlineasm/sh4.rb:
3690
3691 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3692
3693         Unreviewed GTK build fix.
3694
3695         * GNUmakefile.list.am: Adding JSCTestRunnerUtils files to the build.
3696
3697 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3698
3699         Unreviewed. Further build fixing for the GTK port. Adding the forwarding header
3700         for JSCTestRunnerUtils.h as required by the DumpRenderTree compilation.
3701
3702         * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h: Added.
3703
3704 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3705
3706         Unreviewed. Fixing the GTK build after the FTL merging by updating the build targets list.
3707
3708         * GNUmakefile.am:
3709         * GNUmakefile.list.am:
3710
3711 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
3712
3713         Unreviewed buildfix after FTL upstream.
3714
3715         * runtime/JSScope.h:
3716         (JSC::needsVarInjectionChecks):
3717
3718 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3719
3720         One more fix after FTL upstream.
3721
3722         * Target.pri:
3723         * bytecode/CodeBlock.h:
3724         * bytecode/GetByIdStatus.h:
3725         (JSC::GetByIdStatus::GetByIdStatus):
3726
3727 2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>
3728
3729         Unreviewed buildfix after FTL upstream.
3730
3731         Add ftl directory as include path.
3732
3733         * CMakeLists.txt:
3734         * JavaScriptCore.pri:
3735
3736 2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>
3737
3738         Unreviewed buildfix after FTL upstream for non C++11 builds.
3739
3740         * interpreter/CallFrame.h:
3741         * interpreter/StackIteratorPrivate.h:
3742         (JSC::StackIterator::end):
3743
3744 2013-07-24  Oliver Hunt  <oliver@apple.com>
3745
3746         Endeavour to fix CMakelist builds
3747
3748         * CMakeLists.txt:
3749
3750 2013-07-24  Filip Pizlo  <fpizlo@apple.com>
3751
3752         fourthTier: DFG IR dumps should be easier to read
3753         https://bugs.webkit.org/show_bug.cgi?id=119050
3754
3755         Reviewed by Mark Hahnenberg.
3756         
3757         Added a DumpContext that includes support for printing an endnote
3758         that describes all structures in full, while the main flow of the
3759         dump just uses made-up names for the structures. This is helpful
3760         since Structure::dump() may print a lot. The stuff it prints is
3761         useful, but if it's all inline with the surrounding thing you're
3762         dumping (often, a node in the DFG), then you get a ridiculously
3763         long print-out. All classes that dump structures (including
3764         Structure itself) now have dumpInContext() methods that use
3765         inContext() for dumping anything that might transitively print a
3766         structure. If Structure::dumpInContext() is called with a NULL
3767         context, it just uses dump() like before. Hence you don't have to
3768         know anything about DumpContext unless you want to.
3769         
3770         inContext(*structure, context) dumps something like %B4:Array,
3771         and the endnote will have something like:
3772         
3773             %B4:Array    = 0x10e91a180:[Array, {Edge:100, Normal:101, Line:102, NumPx:103, LastPx:104}, ArrayWithContiguous, Proto:0x10e99ffe0]
3774         
3775         where B4 is the inferred name that StringHashDumpContext came up
3776         with.
3777         
3778         Also shortened a bunch of other dumps, removing information that
3779         isn't so important.
3780         
3781         * JavaScriptCore.xcodeproj/project.pbxproj:
3782         * bytecode/ArrayProfile.cpp:
3783         (JSC::dumpArrayModes):
3784         * bytecode/CodeBlockHash.cpp:
3785         (JSC):
3786         (JSC::CodeBlockHash::CodeBlockHash):
3787         (JSC::CodeBlockHash::dump):
3788         * bytecode/CodeOrigin.cpp:
3789         (JSC::CodeOrigin::dumpInContext):
3790         (JSC):
3791         (JSC::InlineCallFrame::dumpInContext):
3792         (JSC::InlineCallFrame::dump):
3793         * bytecode/CodeOrigin.h:
3794         (CodeOrigin):
3795         (InlineCallFrame):
3796         * bytecode/Operands.h:
3797         (JSC::OperandValueTraits::isEmptyForDump):
3798         (Operands):
3799         (JSC::Operands::dump):
3800         (JSC):
3801         * bytecode/OperandsInlines.h: Added.
3802         (JSC):
3803         (JSC::::dumpInContext):
3804         * bytecode/StructureSet.h:
3805         (JSC::StructureSet::dumpInContext):
3806         (JSC::StructureSet::dump):
3807         (StructureSet):
3808         * dfg/DFGAbstractValue.cpp:
3809         (JSC::DFG::AbstractValue::dump):
3810         (DFG):
3811         (JSC::DFG::AbstractValue::dumpInContext):
3812         * dfg/DFGAbstractValue.h:
3813         (JSC::DFG::AbstractValue::operator!):
3814         (AbstractValue):
3815         * dfg/DFGCFAPhase.cpp:
3816         (JSC::DFG::CFAPhase::performBlockCFA):
3817         * dfg/DFGCommon.cpp:
3818         * dfg/DFGCommon.h:
3819         (JSC::DFG::NodePointerTraits::isEmptyForDump):
3820         * dfg/DFGDisassembler.cpp:
3821         (JSC::DFG::Disassembler::createDumpList):
3822         * dfg/DFGDisassembler.h:
3823         (Disassembler):
3824         * dfg/DFGFlushFormat.h:
3825         (WTF::inContext):
3826         (WTF):
3827         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
3828         * dfg/DFGGraph.cpp:
3829         (JSC::DFG::Graph::dumpCodeOrigin):
3830         (JSC::DFG::Graph::dump):
3831         (JSC::DFG::Graph::dumpBlockHeader):
3832         * dfg/DFGGraph.h:
3833         (Graph):
3834         * dfg/DFGLazyJSValue.cpp:
3835         (JSC::DFG::LazyJSValue::dumpInContext):
3836         (JSC::DFG::LazyJSValue::dump):
3837         (DFG):
3838         * dfg/DFGLazyJSValue.h:
3839         (LazyJSValue):
3840         * dfg/DFGNode.h:
3841         (JSC::DFG::nodeMapDump):
3842         (WTF::inContext):
3843         (WTF):
3844         * dfg/DFGOSRExitCompiler32_64.cpp:
3845         (JSC::DFG::OSRExitCompiler::compileExit):
3846         * dfg/DFGOSRExitCompiler64.cpp:
3847         (JSC::DFG::OSRExitCompiler::compileExit):
3848         * dfg/DFGStructureAbstractValue.h:
3849         (JSC::DFG::StructureAbstractValue::dumpInContext):
3850         (JSC::DFG::StructureAbstractValue::dump):
3851         (StructureAbstractValue):
3852         * ftl/FTLExitValue.cpp:
3853         (JSC::FTL::ExitValue::dumpInContext):
3854         (JSC::FTL::ExitValue::dump):
3855         (FTL):
3856         * ftl/FTLExitValue.h:
3857         (ExitValue):
3858         * ftl/FTLLowerDFGToLLVM.cpp:
3859         * ftl/FTLValueSource.cpp:
3860         (JSC::FTL::ValueSource::dumpInContext):
3861         (FTL):
3862         * ftl/FTLValueSource.h:
3863         (ValueSource):
3864         * runtime/DumpContext.cpp: Added.
3865         (JSC):
3866         (JSC::DumpContext::DumpContext):
3867         (JSC::DumpContext::~DumpContext):
3868         (JSC::DumpContext::isEmpty):
3869         (JSC::DumpContext::dump):
3870         * runtime/DumpContext.h: Added.
3871         (JSC):
3872         (DumpContext):
3873         * runtime/JSCJSValue.cpp:
3874         (JSC::JSValue::dump):
3875         (JSC):
3876         (JSC::JSValue::dumpInContext):
3877         * runtime/JSCJSValue.h:
3878         (JSC):
3879         (JSValue):
3880         * runtime/Structure.cpp:
3881         (JSC::Structure::dumpInContext):
3882         (JSC):
3883         (JSC::Structure::dumpBrief):
3884         (JSC::Structure::dumpContextHeader):
3885         * runtime/Structure.h:
3886         (JSC):
3887         (Structure):
3888
3889 2013-07-22  Filip Pizlo  <fpizlo@apple.com>
3890
3891         fourthTier: DFG should do a high-level LICM before going to FTL
3892         https://bugs.webkit.org/show_bug.cgi?id=118749
3893
3894         Reviewed by Oliver Hunt.
3895         
3896         Implements LICM hoisting for nodes that never write anything and never read
3897         things that are clobbered by the loop. There are some other preconditions for
3898         hoisting, see DFGLICMPhase.cpp.
3899
3900         Also did a few fixes:
3901         
3902         - ClobberSet::add was failing to switch Super entries to Direct entries in
3903           some cases.
3904         
3905         - DFGClobberize.cpp needed to #include "Operations.h".
3906         
3907         - DCEPhase needs to process the graph in reverse DFS order, when we're in SSA.
3908         
3909         - AbstractInterpreter can now execute a Node without knowing its indexInBlock.
3910           Knowing the indexInBlock is an optional optimization that all other clients
3911           of AI still opt into, but LICM doesn't.
3912         
3913         This makes the FTL a 2.19x speed-up on imaging-gaussian-blur.
3914
3915         * JavaScriptCore.xcodeproj/project.pbxproj:
3916         * dfg/DFGAbstractInterpreter.h:
3917         (AbstractInterpreter):
3918         * dfg/DFGAbstractInterpreterInlines.h:
3919         (JSC::DFG::::executeEffects):
3920         (JSC::DFG::::execute):
3921         (DFG):
3922         (JSC::DFG::::clobberWorld):
3923         (JSC::DFG::::clobberStructures):
3924         * dfg/DFGAtTailAbstractState.cpp: Added.
3925         (DFG):
3926         (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
3927         (JSC::DFG::AtTailAbstractState::~AtTailAbstractState):
3928         (JSC::DFG::AtTailAbstractState::createValueForNode):
3929         (JSC::DFG::AtTailAbstractState::forNode):
3930         * dfg/DFGAtTailAbstractState.h: Added.
3931         (DFG):
3932         (AtTailAbstractState):
3933         (JSC::DFG::AtTailAbstractState::initializeTo):
3934         (JSC::DFG::AtTailAbstractState::forNode):
3935         (JSC::DFG::AtTailAbstractState::variables):
3936         (JSC::DFG::AtTailAbstractState::block):
3937         (JSC::DFG::AtTailAbstractState::isValid):
3938         (JSC::DFG::AtTailAbstractState::setDidClobber):
3939         (JSC::DFG::AtTailAbstractState::setIsValid):
3940         (JSC::DFG::AtTailAbstractState::setBranchDirection):
3941         (JSC::DFG::AtTailAbstractState::setFoundConstants):
3942         (JSC::DFG::AtTailAbstractState::haveStructures):
3943         (JSC::DFG::AtTailAbstractState::setHaveStructures):
3944         * dfg/DFGBasicBlock.h:
3945         (JSC::DFG::BasicBlock::insertBeforeLast):
3946         * dfg/DFGBasicBlockInlines.h:
3947         (DFG):
3948         * dfg/DFGClobberSet.cpp:
3949         (JSC::DFG::ClobberSet::add):
3950         (JSC::DFG::ClobberSet::addAll):
3951         * dfg/DFGClobberize.cpp:
3952         (JSC::DFG::doesWrites):
3953         * dfg/DFGClobberize.h:
3954         (DFG):
3955         * dfg/DFGDCEPhase.cpp:
3956         (JSC::DFG::DCEPhase::DCEPhase):
3957         (JSC::DFG::DCEPhase::run):
3958         (JSC::DFG::DCEPhase::fixupBlock):
3959         (DCEPhase):
3960         * dfg/DFGEdgeDominates.h: Added.
3961         (DFG):
3962         (EdgeDominates):
3963         (JSC::DFG::EdgeDominates::EdgeDominates):
3964         (JSC::DFG::EdgeDominates::operator()):
3965         (JSC::DFG::EdgeDominates::result):
3966         (JSC::DFG::edgesDominate):
3967         * dfg/DFGFixupPhase.cpp:
3968         (JSC::DFG::FixupPhase::fixupNode):
3969         (JSC::DFG::FixupPhase::checkArray):
3970         * dfg/DFGLICMPhase.cpp: Added.
3971         (LICMPhase):
3972         (JSC::DFG::LICMPhase::LICMPhase):
3973         (JSC::DFG::LICMPhase::run):
3974         (JSC::DFG::LICMPhase::attemptHoist):
3975         (DFG):
3976         (JSC::DFG::performLICM):
3977         * dfg/DFGLICMPhase.h: Added.
3978         (DFG):
3979         * dfg/DFGPlan.cpp:
3980       &