Error.stack should not be enumerable
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-08-22  Gavin Barraclough  <barraclough@apple.com>

        Error.stack should not be enumerable
        https://bugs.webkit.org/show_bug.cgi?id=120171

        Reviewed by Oliver Hunt.

        Breaks ECMA tests.

        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::finishCreation):
            - None -> DontEnum

2013-08-21  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120128
        Remove putDirectVirtual

        Reviewed by Sam Weinig.

        This could most generously be described as 'vestigial'.
        No performance impact.

        * API/JSObjectRef.cpp:
        (JSObjectSetProperty):
            - changed to use defineOwnProperty
        * debugger/DebuggerActivation.cpp:
        * debugger/DebuggerActivation.h:
            - remove putDirectVirtual
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
            - changed to use defineOwnProperty
        * runtime/ClassInfo.h:
        * runtime/JSActivation.cpp:
        * runtime/JSActivation.h:
        * runtime/JSCell.cpp:
        * runtime/JSCell.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSObject.cpp:
        * runtime/JSObject.h:
        * runtime/JSProxy.cpp:
        * runtime/JSProxy.h:
        * runtime/JSSymbolTableObject.cpp:
        * runtime/JSSymbolTableObject.h:
            - remove putDirectVirtual
        * runtime/PropertyDescriptor.h:
        (JSC::PropertyDescriptor::PropertyDescriptor):
            - added constructor for convenience

2013-08-22  Chris Curtis  <chris_curtis@apple.com>

        errorDescriptionForValue() should not assume error value is an Object
        https://bugs.webkit.org/show_bug.cgi?id=119812

        Reviewed by Geoffrey Garen.

        Added a check to make sure that the JSValue was an object before casting it as an object. Also, in case the parameterized JSValue
        has no type, the function now returns the empty string.

        * runtime/ExceptionHelpers.cpp:
        (JSC::errorDescriptionForValue):

2013-08-22  Julien Brianceau  <jbrianceau@nds.com>

        Fix P_DFGOperation_EJS call for MIPS and ARM EABI.
        https://bugs.webkit.org/show_bug.cgi?id=120107

        Reviewed by Yong Li.

        EncodedJSValue parameters must be aligned to even registers for MIPS and ARM EABI.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):

2013-08-21  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r154416.
        http://trac.webkit.org/changeset/154416
        https://bugs.webkit.org/show_bug.cgi?id=120147

        Broke Windows builds (Requested by rniwa on #webkit).

        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
        * JavaScriptCore.vcxproj/build-generated-files.sh:

2013-08-21  Gavin Barraclough  <barraclough@apple.com>

        Clarify var/const/function declaration
        https://bugs.webkit.org/show_bug.cgi?id=120144

        Reviewed by Sam Weinig.

        Add methods to JSGlobalObject to declare vars, consts, and functions.

        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::initializeGlobalProperties):
        * runtime/Executable.h:
            - Moved declaration code to JSGlobalObject
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::addGlobalVar):
            - internal implementation of addVar, addConst, addFunction
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::addVar):
        (JSC::JSGlobalObject::addConst):
        (JSC::JSGlobalObject::addFunction):
            - Added methods to declare vars, consts, and functions

2013-08-21  Yi Shen  <max.hong.shen@gmail.com>

        https://bugs.webkit.org/show_bug.cgi?id=119900
        Exception in global setter doesn't unwind correctly

        Reviewed by Geoffrey Garen.

        Call VM_THROW_EXCEPTION_AT_END in op_put_to_scope if the setter throws exception.

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        Rename/refactor setButterfly/setStructure
        https://bugs.webkit.org/show_bug.cgi?id=120138

        Reviewed by Geoffrey Garen.

        setButterfly becomes setStructureAndButterfly.

        Also removed the Butterfly* argument from setStructure and just implicitly
        used m_butterfly internally since that's what every single client of setStructure
        was doing already.

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSObject.cpp:
        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
        (JSC::JSObject::createInitialUndecided):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToContiguous):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::genericConvertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::switchToSlowPutArrayStorage):
        (JSC::JSObject::setPrototype):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::seal):
        (JSC::JSObject::freeze):
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        (JSC::JSObject::removeDirect):
        * runtime/JSObject.h:
        (JSC::JSObject::setStructureAndButterfly):
        (JSC::JSObject::setStructure):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
        (JSC::JSObject::putDirectWithoutTransition):
        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure):

2013-08-21  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120127
        Remove JSObject::propertyIsEnumerable

        Unreviewed typo fix

        * runtime/JSObject.h:
            - fix typo

2013-08-21  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120139
        PropertyDescriptor argument to define methods should be const

        Rubber stamped by Sam Weinig.

        This should never be modified, and this way we can use rvalues.

        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::defineOwnProperty):
        * debugger/DebuggerActivation.h:
        * runtime/Arguments.cpp:
        (JSC::Arguments::defineOwnProperty):
        * runtime/Arguments.h:
        * runtime/ClassInfo.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        * runtime/JSArray.h:
        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::defineOwnProperty):
        * runtime/JSArrayBuffer.h:
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::defineOwnProperty):
        * runtime/JSArrayBufferView.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::defineOwnProperty):
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSFunction.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::::defineOwnProperty):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::defineOwnProperty):
        * runtime/JSGlobalObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::putIndexedDescriptor):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::putDescriptor):
        (JSC::JSObject::defineOwnNonIndexProperty):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::defineOwnProperty):
        * runtime/JSProxy.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::defineOwnProperty):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::defineOwnProperty):
        * runtime/RegExpObject.h:
        * runtime/StringObject.cpp:
        (JSC::StringObject::defineOwnProperty):
        * runtime/StringObject.h:
            - make PropertyDescriptor const

2013-08-21  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION: Crash under JITCompiler::link while loading Gmail
        https://bugs.webkit.org/show_bug.cgi?id=119872

        Reviewed by Mark Hahnenberg.

        Apparently, unsigned + signed = unsigned. Work around it with a cast.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2013-08-21  Alex Christensen  <achristensen@apple.com>

        <https://webkit.org/b/120137> Separating Win32 and Win64 builds.

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
        Pass PlatformArchitecture as a command line parameter to bash scripts.
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
        * JavaScriptCore.vcxproj/build-generated-files.sh:
        Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).

2013-08-21  Filip Pizlo  <fpizlo@apple.com>

        Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView
        https://bugs.webkit.org/show_bug.cgi?id=120099

        Reviewed by Mark Hahnenberg.

        JSDataView should not store the ArrayBuffer* in the butterfly indexing header, since
        JSDataView may have ordinary JS indexed properties.

        * runtime/ClassInfo.h:
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        (JSC::JSArrayBufferView::finishCreation):
        * runtime/JSArrayBufferView.h:
        (JSC::hasArrayBuffer):
        * runtime/JSArrayBufferViewInlines.h:
        (JSC::JSArrayBufferView::buffer):
        (JSC::JSArrayBufferView::neuter):
        (JSC::JSArrayBufferView::byteOffset):
        * runtime/JSCell.cpp:
        (JSC::JSCell::slowDownAndWasteMemory):
        * runtime/JSCell.h:
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::JSDataView):
        (JSC::JSDataView::create):
        (JSC::JSDataView::slowDownAndWasteMemory):
        * runtime/JSDataView.h:
        (JSC::JSDataView::buffer):
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::::visitChildren):
        (JSC::::slowDownAndWasteMemory):

2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove incorrect ASSERT from CopyVisitor::visitItem

        Rubber stamped by Filip Pizlo.

        * heap/CopyVisitorInlines.h:
        (JSC::CopyVisitor::visitItem):

2013-08-21  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120127
        Remove JSObject::propertyIsEnumerable

        Reviewed by Sam Weinig.

        This method is just a wart - it contains unnecessary const-casting, function call overhead, and LOC.

        * runtime/JSObject.cpp:
        * runtime/JSObject.h:
            - remove propertyIsEnumerable
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncPropertyIsEnumerable):
            - Move implementation here using getOwnPropertyDescriptor directly.

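As an added example (not JavaScriptCore's own code) of what the two attribute-related entries above mean from the JavaScript side: the None -> DontEnum change on Error.stack decides whether generic enumeration and serialisation of an error carries its stack along, and propertyIsEnumerable answered from the own property descriptor is exactly the getOwnPropertyDescriptor shape the ObjectPrototype.cpp change adopts. errorWithStackEnumerable, observe and isOwnEnumerable are constructed helpers; the pre-fix attribute set is simulated by redefining the own stack property as enumerable.

```javascript
// Added example (not JavaScriptCore code): what the None -> DontEnum attribute
// change on Error.stack means for code that enumerates, copies or serialises
// errors, plus a userland propertyIsEnumerable built directly on the own
// property descriptor, the same shape as the ObjectPrototype.cpp change above.

// propertyIsEnumerable via getOwnPropertyDescriptor: a missing or inherited
// property is not own-enumerable; an own property is exactly when its
// descriptor says so.
function isOwnEnumerable(obj, key) {
  const desc = Object.getOwnPropertyDescriptor(obj, key);
  return desc !== undefined && desc.enumerable === true;
}

// Constructed error whose own 'stack' is redefined with the given
// enumerability, so the pre-fix (None) and post-fix (DontEnum) attribute sets
// can be compared side by side in one engine. The stack text is a placeholder.
function errorWithStackEnumerable(enumerable) {
  const err = new Error('boom');
  err.requestId = 'req-123'; // ordinary own enumerable property, as apps add
  Object.defineProperty(err, 'stack', {
    value: 'Error: boom\n    at <constructed frame>',
    writable: true,
    configurable: true,
    enumerable,
  });
  return err;
}

// What generic copying and logging code sees: Object.keys, spread and
// JSON.stringify all visit only enumerable own properties.
function observe(err) {
  return {
    keys: Object.keys(err),
    jsonHasStack: JSON.stringify(err).includes('"stack"'),
    spreadHasStack: 'stack' in { ...err },
    stackOwnEnumerable: isOwnEnumerable(err, 'stack'),
    // The descriptor-based check matches the built-in for own, inherited and
    // absent keys alike.
    agreesWithBuiltin: ['stack', 'requestId', 'toString', 'nope'].every(
      (k) => isOwnEnumerable(err, k) === err.propertyIsEnumerable(k)),
  };
}

// Pre-fix attributes (None): the stack leaks into every generic copy.
const leaky = observe(errorWithStackEnumerable(true));
// Post-fix attributes (DontEnum): err.stack is still readable by name, but
// enumeration and serialisation skip it; only requestId remains visible.
const fixed = observe(errorWithStackEnumerable(false));

console.log(fixed.keys); // prints [ 'requestId' ]
```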
2013-08-20  Filip Pizlo  <fpizlo@apple.com>

        DFG should inline new typedArray()
        https://bugs.webkit.org/show_bug.cgi?id=120022

        Reviewed by Oliver Hunt.

        Adds inlining of typed array allocations in the DFG. Any operation of the
        form:

            new foo(blah)

        or:

            foo(blah)

        where 'foo' is a typed array constructor and 'blah' is exactly one argument,
        is turned into the NewTypedArray intrinsic. Later, if child1 (i.e. 'blah')
        is predicted integer, we generate inline code for an allocation. Otherwise
        it turns into a call to an operation that behaves like the constructor would
        if it was passed one argument (i.e. it may wrap a buffer or it may create a
        copy of another array, or it may allocate an array of that length).

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromTypedArrayType):
        (JSC::speculationFromClassInfo):
        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasTypedArrayType):
        (JSC::DFG::Node::typedArrayType):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::newTypedArrayWithSize):
        (JSC::DFG::newTypedArrayWithOneArgument):
        * dfg/DFGOperations.h:
        (JSC::DFG::operationNewTypedArrayWithSizeForType):
        (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_object):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_new_object):
        * runtime/JSArray.h:
        (JSC::JSArray::allocationSize):
        * runtime/JSArrayBufferView.h:
        (JSC::JSArrayBufferView::allocationSize):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayView):
        * runtime/JSObject.h:
        (JSC::JSFinalObject::allocationSize):
        * runtime/TypedArrayType.cpp:
        (JSC::constructorClassInfoForType):
        * runtime/TypedArrayType.h:
        (JSC::indexToTypedArrayType):

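The one-argument constructor behaviour the entry above describes, as an added example that is not JavaScriptCore code: the three meanings a single argument can have (a length to allocate, a buffer to wrap, an array to copy), the aliasing difference between wrap and copy, and two RangeError cases the general operation must keep handling. classifyArgument, construct and throwsRangeError are constructed helpers; the example uses the standard typed array constructors, not the DFG intrinsic itself.

```javascript
// Added example (not JavaScriptCore code): the three things a one-argument
// typed array constructor call can mean, and the error cases the general
// operation must keep handling. Only the integer-length case has a fixed,
// simple shape, which is the case the DFG change above compiles inline.

// Classify the single argument the way the constructor semantics do: a
// number is a length, an ArrayBuffer is wrapped (memory is shared with the
// new view), anything else array-like is copied element by element.
function classifyArgument(arg) {
  if (arg instanceof ArrayBuffer) return 'wrap';
  if (typeof arg === 'number') return 'length';
  return 'copy';
}

// Construct a view from a single argument and record what is observable
// about the result: its classification, length, the view itself and whether
// it shares storage with the argument.
function construct(Ctor, arg) {
  const view = new Ctor(arg);
  const sharesBuffer =
    arg instanceof ArrayBuffer ? view.buffer === arg :
    ArrayBuffer.isView(arg) ? view.buffer === arg.buffer : false;
  return { kind: classifyArgument(arg), length: view.length, view, sharesBuffer };
}

// True when the constructor rejects the argument with a RangeError, the
// failure mode an inline integer-length allocation never produces but the
// general one-argument operation must.
function throwsRangeError(fn) {
  try { fn(); return false; } catch (e) { return e instanceof RangeError; }
}

function demo() {
  // 'length': allocate zero-filled storage for that many elements.
  const fromLength = construct(Int32Array, 4);

  // 'wrap': the view aliases the buffer; a write through another view of the
  // same buffer is visible through this one.
  const buffer = new ArrayBuffer(16);
  const fromBuffer = construct(Int32Array, buffer);
  new Int32Array(buffer)[0] = 42;

  // 'copy': elements are converted (1.5 -> 1) and copied; later writes to the
  // source do not show up in the copy.
  const source = new Float64Array([1.5, 2.5, 3.5]);
  const fromArray = construct(Int32Array, source);
  source[0] = 99;

  return {
    fromLength: { kind: fromLength.kind, length: fromLength.length, first: fromLength.view[0] },
    fromBuffer: { kind: fromBuffer.kind, length: fromBuffer.length, first: fromBuffer.view[0],
                  sharesBuffer: fromBuffer.sharesBuffer },
    fromArray:  { kind: fromArray.kind, length: fromArray.length, first: fromArray.view[0],
                  sharesBuffer: fromArray.sharesBuffer },
    // Edge cases the slow path must reject: a negative length, and a buffer
    // whose byte length is not a multiple of the element size.
    negativeLengthRejected: throwsRangeError(() => new Int32Array(-1)),
    misalignedBufferRejected: throwsRangeError(() => new Int32Array(new ArrayBuffer(6))),
  };
}

console.log(demo());
```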
2013-08-21  Julien Brianceau  <jbrianceau@nds.com>

        <https://webkit.org/b/120106> Fix V_DFGOperation_EJPP signature in DFG.

        Reviewed by Geoffrey Garen.

        * dfg/DFGOperations.h:

2013-08-20  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120093
        Remove getOwnPropertyDescriptor trap

        Reviewed by Geoff Garen.

        All implementations of this method are now called via the method table, and equivalent in behaviour.
        Remove all duplicate implementations (and the method table trap), and add a single member function implementation on JSObject.

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        * debugger/DebuggerActivation.cpp:
        * debugger/DebuggerActivation.h:
        * runtime/Arguments.cpp:
        * runtime/Arguments.h:
        * runtime/ArrayConstructor.cpp:
        * runtime/ArrayConstructor.h:
        * runtime/ArrayPrototype.cpp:
        * runtime/ArrayPrototype.h:
        * runtime/BooleanPrototype.cpp:
        * runtime/BooleanPrototype.h:
            - remove getOwnPropertyDescriptor
        * runtime/ClassInfo.h:
            - remove getOwnPropertyDescriptor from MethodTable
        * runtime/DateConstructor.cpp:
        * runtime/DateConstructor.h:
        * runtime/DatePrototype.cpp:
        * runtime/DatePrototype.h:
        * runtime/ErrorPrototype.cpp:
        * runtime/ErrorPrototype.h:
        * runtime/JSActivation.cpp:
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        * runtime/JSArray.h:
        * runtime/JSArrayBuffer.cpp:
        * runtime/JSArrayBuffer.h:
        * runtime/JSArrayBufferView.cpp:
        * runtime/JSArrayBufferView.h:
        * runtime/JSCell.cpp:
        * runtime/JSCell.h:
        * runtime/JSDataView.cpp:
        * runtime/JSDataView.h:
        * runtime/JSDataViewPrototype.cpp:
        * runtime/JSDataViewPrototype.h:
        * runtime/JSFunction.cpp:
        * runtime/JSFunction.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSNotAnObject.h:
        * runtime/JSONObject.cpp:
        * runtime/JSONObject.h:
            - remove getOwnPropertyDescriptor
        * runtime/JSObject.cpp:
        (JSC::JSObject::propertyIsEnumerable):
            - switch to call new getOwnPropertyDescriptor member function
        (JSC::JSObject::getOwnPropertyDescriptor):
            - new, based on implementation from GET_OWN_PROPERTY_DESCRIPTOR_IMPL
        (JSC::JSObject::defineOwnNonIndexProperty):
            - switch to call new getOwnPropertyDescriptor member function
        * runtime/JSObject.h:
        * runtime/JSProxy.cpp:
        * runtime/JSProxy.h:
        * runtime/NamePrototype.cpp:
        * runtime/NamePrototype.h:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberConstructor.h:
        * runtime/NumberPrototype.cpp:
        * runtime/NumberPrototype.h:
            - remove getOwnPropertyDescriptor
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
            - switch to call new getOwnPropertyDescriptor member function
        * runtime/ObjectConstructor.h:
            - remove getOwnPropertyDescriptor
        * runtime/PropertyDescriptor.h:
            - remove GET_OWN_PROPERTY_DESCRIPTOR_IMPL
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.cpp:
        * runtime/RegExpMatchesArray.h:
        * runtime/RegExpObject.cpp:
        * runtime/RegExpObject.h:
        * runtime/RegExpPrototype.cpp:
        * runtime/RegExpPrototype.h:
        * runtime/StringConstructor.cpp:
        * runtime/StringConstructor.h:
        * runtime/StringObject.cpp:
        * runtime/StringObject.h:
            - remove getOwnPropertyDescriptor

2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        <https://webkit.org/b/120079> Flattening a dictionary can cause CopiedSpace corruption

        Reviewed by Oliver Hunt.

        When we flatten an object in dictionary mode, we compact its properties. If the object
        had out-of-line storage in the form of a Butterfly prior to this compaction, and after
        compaction its properties fit inline, the object's Structure "forgets" that the object
        has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes
        with bytes = 0, which causes all sorts of badness in CopiedSpace.

        Instead, after we flatten a dictionary, if properties fit inline we should clear the
        Butterfly pointer so that the GC doesn't get confused later.

        This patch does this clearing, and it also adds JSObject::checkStructure, which overrides
        JSCell::checkStructure to add an ASSERT that makes sure that the Structure being assigned
        agrees with whether or not the object has a Butterfly. Also added an ASSERT to check
        that the number of bytes reported to SlotVisitor::copyLater is non-zero.

        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::copyLater):
        * runtime/JSObject.cpp:
        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToContiguous):
        (JSC::JSObject::genericConvertDoubleToContiguous):
        (JSC::JSObject::switchToSlowPutArrayStorage):
        (JSC::JSObject::setPrototype):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::seal):
        (JSC::JSObject::freeze):
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        (JSC::JSObject::removeDirect):
        * runtime/JSObject.h:
        (JSC::JSObject::setButterfly):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::setStructure):
        (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure):

2013-08-20  Alex Christensen  <achristensen@apple.com>

        Compile fix for Win64 after r154156.

        Rubber stamped by Oliver Hunt.

        * jit/JITStubsMSVC64.asm:
        Renamed ctiVMThrowTrampolineSlowpath to ctiVMHandleException and
        cti_vm_throw_slowpath to cti_vm_handle_exception.

2013-08-20  Alex Christensen  <achristensen@apple.com>

        <https://webkit.org/b/120076> More work towards a Win64 build

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
        * JavaScriptCore.vcxproj/copy-files.cmd:
        * JavaScriptCore.vcxproj/jsc/jscCommon.props:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
        Use PlatformArchitecture macro instead of bin32, lib32, and obj32.

2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML

        Reviewed by Geoffrey Garen.

        More fixes for WriteBarrier deferral during concurrent JIT-ing. This patch makes the use of DesiredWriteBarriers class and the
        initializeLazyWriteBarrierFor* wrapper functions more sane.

        Refactored DesiredWriteBarrier to require an owner, a type, a CodeBlock, and an index. The type indicates how to use the CodeBlock
        and index when triggering the WriteBarrier at the end of compilation.

        The client code of initializeLazy* is now responsible for creating the WriteBarrier that will be initialized as well as passing
        in the relevant index to be used at the end of compilation. Things were kind of muddled before in that one function did a
        little extra work that really shouldn't have been its responsibility.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addConstant):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGDesiredWriteBarriers.cpp:
        (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
        (JSC::DFG::DesiredWriteBarrier::trigger):
        * dfg/DFGDesiredWriteBarriers.h:
        (JSC::DFG::DesiredWriteBarriers::add):
        (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameExecutable):
        (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameCallee):
        (JSC::DFG::initializeLazyWriteBarrierForConstant):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::truncateConstantToInt32):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::constantRegisterForConstant):

2013-08-20  Michael Saboff  <msaboff@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120075
        REGRESSION (r128400): BBC4 website not displaying pictures

        Reviewed by Oliver Hunt.

        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::createStructure): Changed the array IndexingType to be ArrayWithSlowPutArrayStorage
        so that the match results will be reified before any other modification to the results array.

2013-08-19  Filip Pizlo  <fpizlo@apple.com>

        Incorrect behavior on emscripten-compiled cube2hash
        https://bugs.webkit.org/show_bug.cgi?id=120033

        Reviewed by Mark Hahnenberg.

        If PutClosureVar is may-aliased to another PutClosureVar or GetClosureVar
        then we should bail attempts to CSE.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::scopedVarLoadElimination):
        (JSC::DFG::CSEPhase::scopedVarStoreElimination):

2013-08-20  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120073
        Remove use of GOPD from JSFunction::defineProperty

        Reviewed by Oliver Hunt.

        Call getOwnPropertySlot to check for existing properties instead.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::defineOwnProperty):
            - getOwnPropertyDescriptor -> getOwnPropertySlot

2013-08-20  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120067
        Remove getPropertyDescriptor

        Reviewed by Oliver Hunt.

        This is used by lookupGetter/lookupSetter - this can easily be replaced by getPropertySlot.
        Since we'll be getting the GetterSetter from the slot in the setter case, rename isGetter() to isAccessor().

        * runtime/JSObject.cpp:
        * runtime/JSObject.h:
            - remove getPropertyDescriptor
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):
            - replace call to getPropertyDescriptor with getPropertySlot
        * runtime/PropertyDescriptor.h:
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::isAccessor):
        (JSC::PropertySlot::isCacheableGetter):
        (JSC::PropertySlot::getterSetter):
            - rename isGetter() to isAccessor()

2013-08-20  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120054
        Remove some dead code following getOwnPropertyDescriptor cleanup

        Reviewed by Oliver Hunt.

        * runtime/Lookup.h:
        (JSC::getStaticFunctionSlot):
            - remove getStaticPropertyDescriptor, getStaticFunctionDescriptor, getStaticValueDescriptor.

2013-08-20  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120052
        Remove custom getOwnPropertyDescriptor for JSProxy

        Reviewed by Geoff Garen.

        GET_OWN_PROPERTY_DESCRIPTOR_IMPL runs afoul of JSProxy due to the workaround for JSDOMWindow's broken behavior.
        Because the window object incorrectly searches the prototype chain in getOwnPropertySlot we check that the base
        object matches, but in the case of JSProxy we can end up comparing the window object to the window shell & falsely
        assuming this is a prototype property. Add toThis conversion to correctly identify proxied own access. I've kept
        the original slotBase check as a fast case, and also so that direct access on JSDOMWindow still works.

        * runtime/JSProxy.cpp:
            - Remove custom getOwnPropertyDescriptor implementation.
        * runtime/PropertyDescriptor.h:
            - Modify own property access check to perform toThis conversion.

2013-08-20  Alex Christensen  <achristensen@apple.com>

        Use PlatformArchitecture to distinguish between 32-bit and 64-bit builds on Windows.
        https://bugs.webkit.org/show_bug.cgi?id=119512

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
        Replaced obj32, bin32, and lib32 with macros for 64-bit build.

724 2013-08-20  Julien Brianceau  <jbrianceau@nds.com>
725
726         <https://webkit.org/b/120062> Missing ensureSpace call in sh4 baseline JIT.
727
728         Reviewed by Allan Sandfeld Jensen.
729
730         branchPtrWithPatch() of baseline JIT must ensure that space is available for its
731         instructions and two constants now that DFG is enabled for sh4 architecture.
732         These missing ensureSpace calls lead to random crashes.
733
734         * assembler/MacroAssemblerSH4.h:
735         (JSC::MacroAssemblerSH4::branchPtrWithPatch):
736
737 2013-08-19  Gavin Barraclough  <barraclough@apple.com>
738
739         https://bugs.webkit.org/show_bug.cgi?id=120034
740         Remove custom getOwnPropertyDescriptor for global objects
741
742         Reviewed by Geoff Garen.
743
744         Fix attributes of JSC SymbolTableObject entries, ensure that cross frame access is safe, and suppress prototype chain walk.
745
746         * runtime/JSGlobalObject.cpp:
747             - Remove custom getOwnPropertyDescriptor implementation.
748         * runtime/JSSymbolTableObject.h:
749         (JSC::symbolTableGet):
750             - The symbol table does not store the DontDelete attribute, we should be adding it back in.
751         * runtime/PropertyDescriptor.h:
752             - JSDOMWindow walks the prototype chain on own access. This is bad, but for now workaround for the getOwnPropertyDescriptor case.
753         * runtime/PropertySlot.h:
754         (JSC::PropertySlot::setUndefined):
755             - This is used by WebCore when blocking access to properties on cross-frame access.
756               Mark blocked properties as read-only, non-configurable to prevent defineProperty.
757
758 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
759
760         DFG should inline typedArray.byteOffset
761         https://bugs.webkit.org/show_bug.cgi?id=119962
762
763         Reviewed by Oliver Hunt.
764         
765         This adds a new node, GetTypedArrayByteOffset, which inlines
766         typedArray.byteOffset.
767         
768         Also, I improved a bunch of the clobbering logic related to typed arrays
769         and clobbering in general. For example, PutByOffset/PutStructure are not
770         clobber-world so they can be handled by most default cases in CSE. Also,
771         It's better to use the 'Class_field' notation for typed arrays now that
772         they no longer involve magical descriptor thingies.
773
774         * bytecode/SpeculatedType.h:
775         * dfg/DFGAbstractHeap.h:
776         * dfg/DFGAbstractInterpreterInlines.h:
777         (JSC::DFG::::executeEffects):
778         * dfg/DFGArrayMode.h:
779         (JSC::DFG::neverNeedsStorage):
780         * dfg/DFGCSEPhase.cpp:
781         (JSC::DFG::CSEPhase::getByValLoadElimination):
782         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
783         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
784         (JSC::DFG::CSEPhase::checkArrayElimination):
785         (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
786         (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination):
787         (JSC::DFG::CSEPhase::performNodeCSE):
788         * dfg/DFGClobberize.h:
789         (JSC::DFG::clobberize):
790         * dfg/DFGFixupPhase.cpp:
791         (JSC::DFG::FixupPhase::fixupNode):
792         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
793         (JSC::DFG::FixupPhase::convertToGetArrayLength):
794         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
795         * dfg/DFGNodeType.h:
796         * dfg/DFGPredictionPropagationPhase.cpp:
797         (JSC::DFG::PredictionPropagationPhase::propagate):
798         * dfg/DFGSafeToExecute.h:
799         (JSC::DFG::safeToExecute):
800         * dfg/DFGSpeculativeJIT.cpp:
801         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
802         * dfg/DFGSpeculativeJIT.h:
803         * dfg/DFGSpeculativeJIT32_64.cpp:
804         (JSC::DFG::SpeculativeJIT::compile):
805         * dfg/DFGSpeculativeJIT64.cpp:
806         (JSC::DFG::SpeculativeJIT::compile):
807         * dfg/DFGTypeCheckHoistingPhase.cpp:
808         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
809         * runtime/ArrayBuffer.h:
810         (JSC::ArrayBuffer::offsetOfData):
811         * runtime/Butterfly.h:
812         (JSC::Butterfly::offsetOfArrayBuffer):
813         * runtime/IndexingHeader.h:
814         (JSC::IndexingHeader::offsetOfArrayBuffer):
815
816 2013-08-18  Filip Pizlo  <fpizlo@apple.com>
817
818         <https://webkit.org/b/119994> DFG new Array() inlining could get confused about global objects
819
820         Reviewed by Geoffrey Garen.
821
822         * dfg/DFGByteCodeParser.cpp:
823         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
824
825 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
826
827         https://bugs.webkit.org/show_bug.cgi?id=119995
828         Start removing custom implementations of getOwnPropertyDescriptor
829
830         Reviewed by Oliver Hunt.
831
832         This can now typically be implemented in terms of getOwnPropertySlot.
833         Add a macro to PropertyDescriptor to define an implementation of GOPD in terms of GOPS.
834         Switch over most classes in JSC & the WebCore bindings generator to use this.
835
836         * API/JSCallbackObjectFunctions.h:
837         * debugger/DebuggerActivation.cpp:
838         * runtime/Arguments.cpp:
839         * runtime/ArrayConstructor.cpp:
840         * runtime/ArrayPrototype.cpp:
841         * runtime/BooleanPrototype.cpp:
842         * runtime/DateConstructor.cpp:
843         * runtime/DatePrototype.cpp:
844         * runtime/ErrorPrototype.cpp:
845         * runtime/JSActivation.cpp:
846         * runtime/JSArray.cpp:
847         * runtime/JSArrayBuffer.cpp:
848         * runtime/JSArrayBufferView.cpp:
849         * runtime/JSCell.cpp:
850         * runtime/JSDataView.cpp:
851         * runtime/JSDataViewPrototype.cpp:
852         * runtime/JSFunction.cpp:
853         * runtime/JSGenericTypedArrayViewInlines.h:
854         * runtime/JSNotAnObject.cpp:
855         * runtime/JSONObject.cpp:
856         * runtime/JSObject.cpp:
857         * runtime/NamePrototype.cpp:
858         * runtime/NumberConstructor.cpp:
859         * runtime/NumberPrototype.cpp:
860         * runtime/ObjectConstructor.cpp:
861             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
862         * runtime/PropertyDescriptor.h:
863             - Added GET_OWN_PROPERTY_DESCRIPTOR_IMPL macro.
864         * runtime/PropertySlot.h:
865         (JSC::PropertySlot::isValue):
866         (JSC::PropertySlot::isGetter):
867         (JSC::PropertySlot::isCustom):
868         (JSC::PropertySlot::isCacheableValue):
869         (JSC::PropertySlot::isCacheableGetter):
870         (JSC::PropertySlot::isCacheableCustom):
871         (JSC::PropertySlot::attributes):
872         (JSC::PropertySlot::getterSetter):
873             - Add accessors necessary to convert PropertySlot to descriptor.
874         * runtime/RegExpConstructor.cpp:
875         * runtime/RegExpMatchesArray.cpp:
876         * runtime/RegExpMatchesArray.h:
877         * runtime/RegExpObject.cpp:
878         * runtime/RegExpPrototype.cpp:
879         * runtime/StringConstructor.cpp:
880         * runtime/StringObject.cpp:
881             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
882
883 2013-08-19  Michael Saboff  <msaboff@apple.com>
884
885         https://bugs.webkit.org/show_bug.cgi?id=120015 DFG 32Bit: Crash loading "Classic" site @ translate.google.com
886
887         Reviewed by Sam Weinig.
888
889         * dfg/DFGSpeculativeJIT32_64.cpp:
890         (JSC::DFG::SpeculativeJIT::fillSpeculateCell): Added checks for spillFormat being
891         DataFormatInteger or DataFormatDouble similar to what is in the 64 bit code and in
892         all versions of fillSpeculateBoolean().
893
894 2013-08-19  Michael Saboff  <msaboff@apple.com>
895
896         https://bugs.webkit.org/show_bug.cgi?id=120020 Change Set 154207 causes wrong register to be used for 32 bit tests
897
898         Reviewed by Benjamin Poulain.
899
900         Change branchTest32 to only use the byte for 8 bit test on the lower 4 registers.
901         Registers 4 through 7 as byte registers are ah, ch, dh and bh instead of sp, bp, si and di.
902
903         * assembler/MacroAssemblerX86Common.h:
904         (JSC::MacroAssemblerX86Common::branchTest32):
905
906 2013-08-16  Oliver Hunt  <oliver@apple.com>
907
908         <https://webkit.org/b/119860> Crash during exception unwinding
909
910         Reviewed by Filip Pizlo.
911
912         Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error
913         to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node.
914
915         We need this so that Throw and ThrowReferenceError no longer need to be treated as
916         terminals and the subsequent flush keeps the activation (and other registers) live.
917
918         * dfg/DFGAbstractInterpreterInlines.h:
919         (JSC::DFG::::executeEffects):
920         * dfg/DFGByteCodeParser.cpp:
921         (JSC::DFG::ByteCodeParser::parseBlock):
922         * dfg/DFGClobberize.h:
923         (JSC::DFG::clobberize):
924         * dfg/DFGFixupPhase.cpp:
925         (JSC::DFG::FixupPhase::fixupNode):
926         * dfg/DFGNode.h:
927         (JSC::DFG::Node::isTerminal):
928         * dfg/DFGNodeType.h:
929         * dfg/DFGPredictionPropagationPhase.cpp:
930         (JSC::DFG::PredictionPropagationPhase::propagate):
931         * dfg/DFGSafeToExecute.h:
932         (JSC::DFG::safeToExecute):
933         * dfg/DFGSpeculativeJIT32_64.cpp:
934         (JSC::DFG::SpeculativeJIT::compile):
935         * dfg/DFGSpeculativeJIT64.cpp:
936         (JSC::DFG::SpeculativeJIT::compile):
937
938 2013-08-19  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>
939
940         <https://webkit.org/b/120008> [GTK][ARM] javascriptcore compilation is broken
941
942         Reviewed by Oliver Hunt.
943
944         Guard the compilation of these files only if DFG_JIT is enabled.
945
946         * dfg/DFGDesiredTransitions.cpp:
947         * dfg/DFGDesiredTransitions.h:
948         * dfg/DFGDesiredWeakReferences.cpp:
949         * dfg/DFGDesiredWeakReferences.h:
950         * dfg/DFGDesiredWriteBarriers.cpp:
951         * dfg/DFGDesiredWriteBarriers.h:
952
953 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
954
955         REGRESSION(r154218): DFG::FixupPhase no longer turns GetById's child1 into CellUse
956         https://bugs.webkit.org/show_bug.cgi?id=119961
957
958         Reviewed by Mark Hahnenberg.
959
960         * dfg/DFGFixupPhase.cpp:
961         (JSC::DFG::FixupPhase::fixupNode):
962
963 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
964
965         https://bugs.webkit.org/show_bug.cgi?id=119972
966         Add attributes field to PropertySlot
967
968         Reviewed by Geoff Garen.
969
970         For all JSC types, this makes getOwnPropertyDescriptor redundant.
971         There will be a bit more hacking required in WebCore to remove GOPD whilst maintaining current behaviour.
972         (Current behaviour is in many ways broken, particularly in that GOPD & GOPS are inconsistent, but we should fix incrementally).
973
974         No performance impact.
975
976         * runtime/PropertySlot.h:
977         (JSC::PropertySlot::setValue):
978         (JSC::PropertySlot::setCustom):
979         (JSC::PropertySlot::setCacheableCustom):
980         (JSC::PropertySlot::setCustomIndex):
981         (JSC::PropertySlot::setGetterSlot):
982         (JSC::PropertySlot::setCacheableGetterSlot):
983             - These methods now all require 'attributes'.
984         * runtime/JSObject.h:
985         (JSC::JSObject::getDirect):
986         (JSC::JSObject::getDirectOffset):
987         (JSC::JSObject::inlineGetOwnPropertySlot):
988             - Added variants of getDirect, getDirectOffset that return the attributes.
989         * API/JSCallbackObjectFunctions.h:
990         (JSC::::getOwnPropertySlot):
991         * runtime/Arguments.cpp:
992         (JSC::Arguments::getOwnPropertySlotByIndex):
993         (JSC::Arguments::getOwnPropertySlot):
994         * runtime/JSActivation.cpp:
995         (JSC::JSActivation::symbolTableGet):
996         (JSC::JSActivation::getOwnPropertySlot):
997         * runtime/JSArray.cpp:
998         (JSC::JSArray::getOwnPropertySlot):
999         * runtime/JSArrayBuffer.cpp:
1000         (JSC::JSArrayBuffer::getOwnPropertySlot):
1001         * runtime/JSArrayBufferView.cpp:
1002         (JSC::JSArrayBufferView::getOwnPropertySlot):
1003         * runtime/JSDataView.cpp:
1004         (JSC::JSDataView::getOwnPropertySlot):
1005         * runtime/JSFunction.cpp:
1006         (JSC::JSFunction::getOwnPropertySlot):
1007         * runtime/JSGenericTypedArrayViewInlines.h:
1008         (JSC::::getOwnPropertySlot):
1009         (JSC::::getOwnPropertySlotByIndex):
1010         * runtime/JSObject.cpp:
1011         (JSC::JSObject::getOwnPropertySlotByIndex):
1012         (JSC::JSObject::fillGetterPropertySlot):
1013         * runtime/JSString.h:
1014         (JSC::JSString::getStringPropertySlot):
1015         * runtime/JSSymbolTableObject.h:
1016         (JSC::symbolTableGet):
1017         * runtime/Lookup.cpp:
1018         (JSC::setUpStaticFunctionSlot):
1019         * runtime/Lookup.h:
1020         (JSC::getStaticPropertySlot):
1021         (JSC::getStaticPropertyDescriptor):
1022         (JSC::getStaticValueSlot):
1023         (JSC::getStaticValueDescriptor):
1024         * runtime/RegExpObject.cpp:
1025         (JSC::RegExpObject::getOwnPropertySlot):
1026         * runtime/SparseArrayValueMap.cpp:
1027         (JSC::SparseArrayEntry::get):
1028             - Pass attributes to PropertySlot::set* methods.
1029
1030 2013-08-17  Mark Hahnenberg  <mhahnenberg@apple.com>
1031
1032         <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
1033
1034         Reviewed by Filip Pizlo.
1035
1036         Added a new mode for DesiredWriteBarrier that allows it to track a position in a 
1037         Vector of WriteBarriers rather than the specific address. The fact that we were 
1038         arbitrarily storing into a Vector's backing store for constants at the end of 
1039         compilation after the Vector could have resized was causing crashes.
1040
1041         * bytecode/CodeBlock.h:
1042         (JSC::CodeBlock::constants):
1043         (JSC::CodeBlock::addConstantLazily):
1044         * dfg/DFGByteCodeParser.cpp:
1045         (JSC::DFG::ByteCodeParser::addConstant):
1046         * dfg/DFGDesiredWriteBarriers.cpp:
1047         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
1048         (JSC::DFG::DesiredWriteBarrier::trigger):
1049         (JSC::DFG::initializeLazyWriteBarrierForConstant):
1050         * dfg/DFGDesiredWriteBarriers.h:
1051         (JSC::DFG::DesiredWriteBarriers::add):
1052         * dfg/DFGFixupPhase.cpp:
1053         (JSC::DFG::FixupPhase::truncateConstantToInt32):
1054         * dfg/DFGGraph.h:
1055         (JSC::DFG::Graph::constantRegisterForConstant):
1056
1057 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
1058
1059         DFG should optimize typedArray.byteLength
1060         https://bugs.webkit.org/show_bug.cgi?id=119909
1061
1062         Reviewed by Oliver Hunt.
1063         
1064         This adds typedArray.byteLength inlining to the DFG, and does so without changing
1065         the IR: byteLength is turned into GetArrayLength followed by BitLShift. This is
1066         legal since the byteLength of a typed array cannot exceed
1067         numeric_limits<int32_t>::max().
1068
1069         * bytecode/SpeculatedType.cpp:
1070         (JSC::typedArrayTypeFromSpeculation):
1071         * bytecode/SpeculatedType.h:
1072         * dfg/DFGArrayMode.cpp:
1073         (JSC::DFG::toArrayType):
1074         * dfg/DFGArrayMode.h:
1075         * dfg/DFGFixupPhase.cpp:
1076         (JSC::DFG::FixupPhase::fixupNode):
1077         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
1078         (JSC::DFG::FixupPhase::attemptToMakeGetByteLength):
1079         (JSC::DFG::FixupPhase::convertToGetArrayLength):
1080         (JSC::DFG::FixupPhase::prependGetArrayLength):
1081         * dfg/DFGGraph.h:
1082         (JSC::DFG::Graph::constantRegisterForConstant):
1083         (JSC::DFG::Graph::convertToConstant):
1084         * runtime/TypedArrayType.h:
1085         (JSC::logElementSize):
1086         (JSC::elementSize):
1087
1088 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
1089
1090         DFG optimizes out strict mode arguments tear off
1091         https://bugs.webkit.org/show_bug.cgi?id=119504
1092
1093         Reviewed by Mark Hahnenberg and Oliver Hunt.
1094         
1095         Don't do the optimization for strict mode.
1096
1097         * dfg/DFGArgumentsSimplificationPhase.cpp:
1098         (JSC::DFG::ArgumentsSimplificationPhase::run):
1099         (JSC::DFG::ArgumentsSimplificationPhase::pruneObviousArgumentCreations):
1100
1101 2013-08-16  Benjamin Poulain  <benjamin@webkit.org>
1102
1103         [JSC] x86: improve code generation for xxxTest32
1104         https://bugs.webkit.org/show_bug.cgi?id=119876
1105
1106         Reviewed by Geoffrey Garen.
1107
1108         Try to use testb whenever possible when testing for an immediate value.
1109
1110         When the input is an address and an offset, we can tweak the mask
1111         and offset to be able to generate testb for any byte of the mask.
1112
1113         When the input is a register, we can use testb if we are only interested
1114         in testing the low bits.
1115
1116         * assembler/MacroAssemblerX86Common.h:
1117         (JSC::MacroAssemblerX86Common::branchTest32):
1118         (JSC::MacroAssemblerX86Common::test32):
1119         (JSC::MacroAssemblerX86Common::generateTest32):
1120
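As an added illustration of the testb narrowing described in this entry, and of the byte-register pitfall handled in the branchTest32 follow-up above (bug 120020), here is example code that is not JSC's MacroAssemblerX86Common; it assumes the standard x86 register numbering (eax=0, ecx=1, edx=2, ebx=3, esp=4, ebp=5, esi=6, edi=7), no REX prefix, and a constructed sample buffer:

```cpp
#include <cstdint>

// Outcome of trying to narrow a 32-bit TEST-against-immediate to an 8-bit one.
struct ByteTest {
    bool ok;          // true when testb is legal and sets ZF exactly as testl would
    int32_t offset;   // adjusted displacement (memory operand only)
    uint8_t mask;     // 8-bit immediate for testb
};

// Index (0..3) of the single non-zero byte of 'mask', or -1 when the mask is
// zero or touches more than one byte. x86 is little-endian, so byte k of the
// dword stored at 'address' lives at address + k.
static int singleNonZeroByte(uint32_t mask)
{
    int index = -1;
    for (int k = 0; k < 4; ++k) {
        if ((mask >> (8 * k)) & 0xffu) {
            if (index != -1)
                return -1;
            index = k;
        }
    }
    return index;
}

// Memory operand: test32(Address(base, offset), mask) becomes
// testb(Address(base, offset + k), mask >> (8 * k)) when only byte k is set.
ByteTest narrowMemoryTest32(int32_t offset, uint32_t mask)
{
    int k = singleNonZeroByte(mask);
    if (k < 0)
        return { false, offset, 0 };   // keep the full-width testl
    return { true, offset + k, static_cast<uint8_t>(mask >> (8 * k)) };
}

// Register operand: testb reads only the low byte, so the mask must fit in
// 8 bits. Without a REX prefix the 8-bit forms of register numbers 4..7 name
// ah, ch, dh and bh, not the low bytes of esp, ebp, esi and edi, so only
// eax, ecx, edx and ebx (numbers 0..3) are eligible (assumed numbering).
ByteTest narrowRegisterTest32(int registerNumber, uint32_t mask)
{
    if (registerNumber < 0 || registerNumber > 3 || mask > 0xffu)
        return { false, 0, 0 };
    return { true, 0, static_cast<uint8_t>(mask) };
}

// Reference semantics used to check the rewrite: ZF after testl / testb.
static bool testlIsZero(const uint8_t* memory, int32_t offset, uint32_t mask)
{
    uint32_t value = 0;
    for (int k = 0; k < 4; ++k)
        value |= static_cast<uint32_t>(memory[offset + k]) << (8 * k);
    return (value & mask) == 0;
}

static bool testbIsZero(const uint8_t* memory, int32_t offset, uint8_t mask)
{
    return (memory[offset] & mask) == 0;
}

// Returns true when, for the constructed buffer below, the narrowed test
// agrees with the wide test for every single-bit mask at every dword offset.
bool narrowingPreservesZeroFlag()
{
    // Constructed sample memory (not real JSC data): mix of set and clear bytes.
    const uint8_t memory[16] = { 0x00, 0x80, 0x01, 0xff, 0x10, 0x00, 0x7f, 0x08,
                                 0x00, 0x00, 0x40, 0x20, 0x01, 0x02, 0x04, 0x00 };
    for (int32_t offset = 0; offset + 4 <= 16; ++offset) {
        for (int bit = 0; bit < 32; ++bit) {
            uint32_t mask = 1u << bit;
            ByteTest narrowed = narrowMemoryTest32(offset, mask);
            if (!narrowed.ok)
                return false;   // a one-bit mask always sits in exactly one byte
            if (testlIsZero(memory, offset, mask)
                != testbIsZero(memory, narrowed.offset, narrowed.mask))
                return false;
        }
    }
    return true;
}
```
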
1121 2013-08-16  Mark Lam  <mark.lam@apple.com>
1122
1123         <https://bugs.webkit.org/show_bug.cgi?id=119913> Baseline JIT gives erroneous
1124         error message that an object is not a constructor though it expects a function
1125
1126         Reviewed by Michael Saboff.
1127
1128         * jit/JITStubs.cpp:
1129         (JSC::DEFINE_STUB_FUNCTION):
1130
1131 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
1132
1133         Object properties added using dot syntax (o.f = ...) from code that isn't in eval should be less likely to cause an object to become a dictionary
1134         https://bugs.webkit.org/show_bug.cgi?id=119897
1135
1136         Reviewed by Oliver Hunt.
1137         
1138         6-10x speed-up on microbenchmarks that create large static objects. 40-65% speed-up
1139         on Octane/gbemu. 3% overall speed-up on Octane. No slow-downs anywhere; our ability
1140         to turn objects into dictionaries when you're storing using bracket syntax or using
1141         eval is still in place.
1142
1143         * bytecode/CodeBlock.h:
1144         (JSC::CodeBlock::putByIdContext):
1145         * dfg/DFGOperations.cpp:
1146         * jit/JITStubs.cpp:
1147         (JSC::DEFINE_STUB_FUNCTION):
1148         * llint/LLIntSlowPaths.cpp:
1149         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1150         * runtime/JSObject.h:
1151         (JSC::JSObject::putDirectInternal):
1152         * runtime/PutPropertySlot.h:
1153         (JSC::PutPropertySlot::PutPropertySlot):
1154         (JSC::PutPropertySlot::context):
1155         * runtime/Structure.cpp:
1156         (JSC::Structure::addPropertyTransition):
1157         * runtime/Structure.h:
1158
1159 2013-08-16  Balazs Kilvady  <kilvadyb@homejinni.com>
1160
1161         <https://webkit.org/b/119742> REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException
1162
1163         Reviewed by Allan Sandfeld Jensen.
1164
1165         ctiVMHandleException must jump/return using register ra (r31).
1166
1167         * jit/JITStubsMIPS.h:
1168
1169 2013-08-16  Julien Brianceau  <jbrianceau@nds.com>
1170
1171         <https://webkit.org/b/119879> Fix sh4 build after r154156.
1172
1173         Reviewed by Allan Sandfeld Jensen.
1174
1175         Fix typo in JITStubsSH4.h file.
1176
1177         * jit/JITStubsSH4.h:
1178
1179 2013-08-15  Mark Hahnenberg  <mhahnenberg@apple.com>
1180
1181         <https://webkit.org/b/119833> Concurrent compilation thread should not trigger WriteBarriers
1182
1183         Reviewed by Oliver Hunt.
1184
1185         The concurrent compilation thread should interact minimally with the Heap, including not 
1186         triggering WriteBarriers. This is a prerequisite for generational GC.
1187
1188         * JavaScriptCore.xcodeproj/project.pbxproj:
1189         * bytecode/CodeBlock.cpp:
1190         (JSC::CodeBlock::addOrFindConstant):
1191         (JSC::CodeBlock::findConstant):
1192         * bytecode/CodeBlock.h:
1193         (JSC::CodeBlock::addConstantLazily):
1194         * dfg/DFGByteCodeParser.cpp:
1195         (JSC::DFG::ByteCodeParser::getJSConstantForValue):
1196         (JSC::DFG::ByteCodeParser::constantUndefined):
1197         (JSC::DFG::ByteCodeParser::constantNull):
1198         (JSC::DFG::ByteCodeParser::one):
1199         (JSC::DFG::ByteCodeParser::constantNaN):
1200         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1201         * dfg/DFGCommonData.cpp:
1202         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
1203         * dfg/DFGCommonData.h:
1204         * dfg/DFGDesiredTransitions.cpp: Added.
1205         (JSC::DFG::DesiredTransition::DesiredTransition):
1206         (JSC::DFG::DesiredTransition::reallyAdd):
1207         (JSC::DFG::DesiredTransitions::DesiredTransitions):
1208         (JSC::DFG::DesiredTransitions::~DesiredTransitions):
1209         (JSC::DFG::DesiredTransitions::addLazily):
1210         (JSC::DFG::DesiredTransitions::reallyAdd):
1211         * dfg/DFGDesiredTransitions.h: Added.
1212         * dfg/DFGDesiredWeakReferences.cpp: Added.
1213         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
1214         (JSC::DFG::DesiredWeakReferences::~DesiredWeakReferences):
1215         (JSC::DFG::DesiredWeakReferences::addLazily):
1216         (JSC::DFG::DesiredWeakReferences::reallyAdd):
1217         * dfg/DFGDesiredWeakReferences.h: Added.
1218         * dfg/DFGDesiredWriteBarriers.cpp: Added.
1219         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
1220         (JSC::DFG::DesiredWriteBarrier::trigger):
1221         (JSC::DFG::DesiredWriteBarriers::DesiredWriteBarriers):
1222         (JSC::DFG::DesiredWriteBarriers::~DesiredWriteBarriers):
1223         (JSC::DFG::DesiredWriteBarriers::addImpl):
1224         (JSC::DFG::DesiredWriteBarriers::trigger):
1225         * dfg/DFGDesiredWriteBarriers.h: Added.
1226         (JSC::DFG::DesiredWriteBarriers::add):
1227         (JSC::DFG::initializeLazyWriteBarrier):
1228         * dfg/DFGFixupPhase.cpp:
1229         (JSC::DFG::FixupPhase::truncateConstantToInt32):
1230         * dfg/DFGGraph.h:
1231         (JSC::DFG::Graph::convertToConstant):
1232         * dfg/DFGJITCompiler.h:
1233         (JSC::DFG::JITCompiler::addWeakReference):
1234         * dfg/DFGPlan.cpp:
1235         (JSC::DFG::Plan::Plan):
1236         (JSC::DFG::Plan::reallyAdd):
1237         * dfg/DFGPlan.h:
1238         * dfg/DFGSpeculativeJIT32_64.cpp:
1239         (JSC::DFG::SpeculativeJIT::compile):
1240         * dfg/DFGSpeculativeJIT64.cpp:
1241         (JSC::DFG::SpeculativeJIT::compile):
1242         * runtime/WriteBarrier.h:
1243         (JSC::WriteBarrierBase::set):
1244         (JSC::WriteBarrier::WriteBarrier):
1245
1246 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
1247
1248         Fix x86 32-bit build after r154158
1249
1250         * assembler/X86Assembler.h: Add missing #ifdef for the x86_64 instructions.
1251
1252 2013-08-15  Ryosuke Niwa  <rniwa@webkit.org>
1253
1254         Build fix attempt after r154156.
1255
1256         * jit/JITStubs.cpp:
1257         (JSC::cti_vm_handle_exception): encode!
1258
1259 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
1260
1261         [JSC] x86: Use inc and dec when possible
1262         https://bugs.webkit.org/show_bug.cgi?id=119831
1263
1264         Reviewed by Geoffrey Garen.
1265
1266         When incrementing or decrementing by an immediate of 1, use the instructions
1267         inc and dec instead of add and sub.
1268         The instructions have good timing and their encoding is smaller.
1269
1270         * assembler/MacroAssemblerX86Common.h:
1271         (JSC::MacroAssemblerX86_64::add32):
1272         (JSC::MacroAssemblerX86_64::sub32):
1273         * assembler/MacroAssemblerX86_64.h:
1274         (JSC::MacroAssemblerX86_64::add64):
1275         (JSC::MacroAssemblerX86_64::sub64):
1276         * assembler/X86Assembler.h:
1277         (JSC::X86Assembler::dec_r):
1278         (JSC::X86Assembler::decq_r):
1279         (JSC::X86Assembler::inc_r):
1280         (JSC::X86Assembler::incq_r):
1281
1282 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1283
1284         Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
1285         https://bugs.webkit.org/show_bug.cgi?id=119874
1286
1287         Reviewed by Oliver Hunt and Mark Hahnenberg.
1288         
1289         It was a confusion between heuristics in DFG::ArrayMode that are assuming that
1290         you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
1291         sometimes for typed array length accesses, and the FixupPhase assuming that a
1292         ForceExit ArrayMode means that it should continue using a generic GetById.
1293
1294         This fixes the confusion.
1295
1296         * dfg/DFGFixupPhase.cpp:
1297         (JSC::DFG::FixupPhase::fixupNode):
1298
1299 2013-08-15  Mark Lam  <mark.lam@apple.com>
1300
1301         Fix crash when performing activation tearoff.
1302         https://bugs.webkit.org/show_bug.cgi?id=119848
1303
1304         Reviewed by Oliver Hunt.
1305
1306         The activation tearoff crash was due to a bug in the baseline JIT.
1307         If we have a scenario where a baseline JIT frame calls a LLINT
1308         frame, an exception may be thrown while in the LLINT.
1309
1310         Interpreter::throwException() which handles the exception will unwind
1311         all frames until it finds a catcher or sees a host frame. When we
1312         return from the LLINT to the baseline JIT code, the baseline JIT code
1313         erroneously sets topCallFrame to the value in its call frame register,
1314         and starts unwinding the stack frames that have already been unwound.
1315
1316         The fix is:
1317         1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
1318            This is a more accurate description of what this runtime function
1319            is supposed to do i.e. it handles the exception which include doing
1320            nothing (if there are no more frames to unwind).
1321         2. Fix up topCallFrame values so that the HostCallFrameFlag is never
1322            set on it.
1323         3. Reloading the call frame register from topCallFrame when we're
1324            returning from a callee and detect exception handling in progress.
1325
1326         * interpreter/Interpreter.cpp:
1327         (JSC::Interpreter::unwindCallFrame):
1328         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
1329         (JSC::Interpreter::getStackTrace):
1330         * interpreter/Interpreter.h:
1331         (JSC::TopCallFrameSetter::TopCallFrameSetter):
1332         (JSC::TopCallFrameSetter::~TopCallFrameSetter):
1333         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
1334         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
1335         * jit/JIT.h:
1336         * jit/JITExceptions.cpp:
1337         (JSC::uncaughtExceptionHandler):
1338         - Convenience function to get the handler for uncaught exceptions.
1339         * jit/JITExceptions.h:
1340         * jit/JITInlines.h:
1341         (JSC::JIT::reloadCallFrameFromTopCallFrame):
1342         * jit/JITOpcodes32_64.cpp:
1343         (JSC::JIT::privateCompileCTINativeCall):
1344         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
1345         * jit/JITStubs.cpp:
1346         (JSC::throwExceptionFromOpCall):
1347         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
1348         (JSC::cti_vm_handle_exception):
1349         - Check for the case when there are no more frames to unwind.
1350         * jit/JITStubs.h:
1351         * jit/JITStubsARM.h:
1352         * jit/JITStubsARMv7.h:
1353         * jit/JITStubsMIPS.h:
1354         * jit/JITStubsSH4.h:
1355         * jit/JITStubsX86.h:
1356         * jit/JITStubsX86_64.h:
1357         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
1358         * jit/SlowPathCall.h:
1359         (JSC::JITSlowPathCall::call):
1360         - reload cfr from topCallFrame when handling an exception.
1361         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
1362         * jit/ThunkGenerators.cpp:
1363         (JSC::nativeForGenerator):
1364         * llint/LowLevelInterpreter32_64.asm:
1365         * llint/LowLevelInterpreter64.asm:
1366         - reload cfr from topCallFrame when handling an exception.
1367         * runtime/VM.cpp:
1368         (JSC::VM::VM):
1369         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
1370
1371 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1372
1373         Remove some code duplication.
1374         
1375         Rubber stamped by Mark Hahnenberg.
1376
1377         * runtime/JSDataViewPrototype.cpp:
1378         (JSC::getData):
1379         (JSC::setData):
1380
1381 2013-08-15  Julien Brianceau  <jbrianceau@nds.com>
1382
1383         [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
1384         https://bugs.webkit.org/show_bug.cgi?id=119794
1385
1386         Reviewed by Filip Pizlo.
1387
1388         This patch fixes ASSERT failures in debug builds for sh4 and mips architecture.
1389
1390         * dfg/DFGUseKind.h:
1391         (JSC::DFG::isNumerical):
1392         (JSC::DFG::isDouble):
1393
1394 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1395
1396         http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.
1397
1398         Rubber stamped by Oliver Hunt.
1399         
1400         This was causing some test crashes for me.
1401
1402         * dfg/DFGCapabilities.cpp:
1403         (JSC::DFG::capabilityLevel):
1404
1405 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
1406
1407         [Windows] Clear up improper export declaration.
1408
1409         * runtime/ArrayBufferView.h:
1410
1411 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1412
1413         Unreviewed, remove some unnecessary periods from exceptions.
1414
1415         * runtime/JSDataViewPrototype.cpp:
1416         (JSC::getData):
1417         (JSC::setData):
1418
1419 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1420
1421         Unreviewed, fix 32-bit build.
1422
1423         * dfg/DFGSpeculativeJIT32_64.cpp:
1424         (JSC::DFG::SpeculativeJIT::compile):
1425
1426 2013-08-14  Filip Pizlo  <fpizlo@apple.com>
1427
1428         Typed arrays should be rewritten
1429         https://bugs.webkit.org/show_bug.cgi?id=119064
1430
1431         Reviewed by Oliver Hunt.
1432         
1433         Typed arrays were previously deficient in several major ways:
1434         
1435         - They were defined separately in WebCore and in the jsc shell. The two
1436           implementations were different, and the jsc shell one was basically wrong.
1437           The WebCore one was quite awful, also.
1438         
1439         - Typed arrays were not visible to the JIT except through some weird hooks.
1440           For example, the JIT could not ask "what is the Structure that this typed
1441           array would have if I just allocated it from this global object". Also,
1442           it was difficult to wire any of the typed array intrinsics, because most
1443           of the functionality wasn't visible anywhere in JSC.
1444         
1445         - Typed array allocation was brain-dead. Allocating a typed array involved
1446           two JS objects, two GC weak handles, and three malloc allocations.
1447         
1448         - Neutering. It involved keeping tabs on all native views but not the view
1449           wrappers, even though the native views can autoneuter just by asking the
1450           buffer if it was neutered anytime you touch them; while the JS view
1451           wrappers are the ones that you really want to reach out to.
1452         
1453         - Common case-ing. Most typed arrays have one buffer and one view, and
1454           usually nobody touches the buffer. Yet we created all of that stuff
1455           anyway, using data structures optimized for the case where you had a lot
1456           of views.
1457         
1458         - Semantic goofs. Typed arrays should, in the future, behave like ES
1459           features rather than DOM features, for example when it comes to exceptions.
1460           Firefox already does this and I agree with them.
1461         
1462         This patch cleanses our codebase of these sins:
1463         
1464         - Typed arrays are almost entirely defined in JSC. Only the lifecycle
1465           management of native references to buffers is left to WebCore.
1466         
1467         - Allocating a typed array requires either two GC allocations (a cell and a
1468           copied storage vector) or one GC allocation, a malloc allocation, and a
1469           weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
1470           latter). The latter is only used for oversize arrays. Remember that before
1471           it was 7 allocations no matter what.
1472         
1473         - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
1474           mode/length, void* vector. Before it was a lot more than that - remember,
1475           there were five additional objects that did absolutely nothing for anybody.
1476         
1477         - Native views aren't tracked by the buffer, or by the wrappers. They are
1478           transient. In the future we'll probably switch to not even having them be
1479           malloc'd.
1480         
1481         - Native array buffers have an efficient way of tracking all of their JS view
1482           wrappers, both for neutering, and for lifecycle management. The GC
1483           special-cases native array buffers. This saves a bunch of grief; for example
1484           it means that a JS view wrapper can refer to its buffer via the butterfly,
1485           which would be dead by the time we went to finalize.
1486         
1487         - Typed array semantics now match Firefox, which also happens to be where the
1488           standards are going. The discussion on webkit-dev seemed to confirm that
1489           Chrome is also heading in this direction. This includes making
1490           Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
1491           ArrayBufferView as a JS-visible construct.
1492         
1493         This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
1494         It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
1495         further typed array optimizations in the JSC JITs, including inlining typed
1496         array allocation, inlining more of the accessors, reducing the cost of type
1497         checks, etc.
1498         
1499         An additional property of this patch is that typed arrays are mostly
1500         implemented using templates. This deduplicates a bunch of code, but does mean
1501         that we need some hacks for exporting s_info's of template classes. See
1502         JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
1503         low-impact compared to code duplication.
1504         
1505         Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
1506
1507         * CMakeLists.txt:
1508         * DerivedSources.make:
1509         * GNUmakefile.list.am:
1510         * JSCTypedArrayStubs.h: Removed.
1511         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1512         * JavaScriptCore.xcodeproj/project.pbxproj:
1513         * Target.pri:
1514         * bytecode/ByValInfo.h:
1515         (JSC::hasOptimizableIndexingForClassInfo):
1516         (JSC::jitArrayModeForClassInfo):
1517         (JSC::typedArrayTypeForJITArrayMode):
1518         * bytecode/SpeculatedType.cpp:
1519         (JSC::speculationFromClassInfo):
1520         * dfg/DFGArrayMode.cpp:
1521         (JSC::DFG::toTypedArrayType):
1522         * dfg/DFGArrayMode.h:
1523         (JSC::DFG::ArrayMode::typedArrayType):
1524         * dfg/DFGSpeculativeJIT.cpp:
1525         (JSC::DFG::SpeculativeJIT::checkArray):
1526         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
1527         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
1528         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
1529         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
1530         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
1531         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1532         * dfg/DFGSpeculativeJIT.h:
1533         * dfg/DFGSpeculativeJIT32_64.cpp:
1534         (JSC::DFG::SpeculativeJIT::compile):
1535         * dfg/DFGSpeculativeJIT64.cpp:
1536         (JSC::DFG::SpeculativeJIT::compile):
1537         * heap/CopyToken.h:
1538         * heap/DeferGC.h:
1539         (JSC::DeferGCForAWhile::DeferGCForAWhile):
1540         (JSC::DeferGCForAWhile::~DeferGCForAWhile):
1541         * heap/GCIncomingRefCounted.h: Added.
1542         (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
1543         (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
1544         (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
1545         (JSC::GCIncomingRefCounted::incomingReferenceAt):
1546         (JSC::GCIncomingRefCounted::singletonFlag):
1547         (JSC::GCIncomingRefCounted::hasVectorOfCells):
1548         (JSC::GCIncomingRefCounted::hasAnyIncoming):
1549         (JSC::GCIncomingRefCounted::hasSingleton):
1550         (JSC::GCIncomingRefCounted::singleton):
1551         (JSC::GCIncomingRefCounted::vectorOfCells):
1552         * heap/GCIncomingRefCountedInlines.h: Added.
1553         (JSC::::addIncomingReference):
1554         (JSC::::filterIncomingReferences):
1555         * heap/GCIncomingRefCountedSet.h: Added.
1556         (JSC::GCIncomingRefCountedSet::size):
1557         * heap/GCIncomingRefCountedSetInlines.h: Added.
1558         (JSC::::GCIncomingRefCountedSet):
1559         (JSC::::~GCIncomingRefCountedSet):
1560         (JSC::::addReference):
1561         (JSC::::sweep):
1562         (JSC::::removeAll):
1563         (JSC::::removeDead):
1564         * heap/Heap.cpp:
1565         (JSC::Heap::addReference):
1566         (JSC::Heap::extraSize):
1567         (JSC::Heap::size):
1568         (JSC::Heap::capacity):
1569         (JSC::Heap::collect):
1570         (JSC::Heap::decrementDeferralDepth):
1571         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
1572         * heap/Heap.h:
1573         * interpreter/CallFrame.h:
1574         (JSC::ExecState::dataViewTable):
1575         * jit/JIT.h:
1576         * jit/JITPropertyAccess.cpp:
1577         (JSC::JIT::privateCompileGetByVal):
1578         (JSC::JIT::privateCompilePutByVal):
1579         (JSC::JIT::emitIntTypedArrayGetByVal):
1580         (JSC::JIT::emitFloatTypedArrayGetByVal):
1581         (JSC::JIT::emitIntTypedArrayPutByVal):
1582         (JSC::JIT::emitFloatTypedArrayPutByVal):
1583         * jsc.cpp:
1584         (GlobalObject::finishCreation):
1585         * runtime/ArrayBuffer.cpp:
1586         (JSC::ArrayBuffer::transfer):
1587         * runtime/ArrayBuffer.h:
1588         (JSC::ArrayBuffer::createAdopted):
1589         (JSC::ArrayBuffer::ArrayBuffer):
1590         (JSC::ArrayBuffer::gcSizeEstimateInBytes):
1591         (JSC::ArrayBuffer::pin):
1592         (JSC::ArrayBuffer::unpin):
1593         (JSC::ArrayBufferContents::tryAllocate):
1594         * runtime/ArrayBufferView.cpp:
1595         (JSC::ArrayBufferView::ArrayBufferView):
1596         (JSC::ArrayBufferView::~ArrayBufferView):
1597         (JSC::ArrayBufferView::setNeuterable):
1598         * runtime/ArrayBufferView.h:
1599         (JSC::ArrayBufferView::isNeutered):
1600         (JSC::ArrayBufferView::buffer):
1601         (JSC::ArrayBufferView::baseAddress):
1602         (JSC::ArrayBufferView::byteOffset):
1603         (JSC::ArrayBufferView::verifySubRange):
1604         (JSC::ArrayBufferView::clampOffsetAndNumElements):
1605         (JSC::ArrayBufferView::calculateOffsetAndLength):
1606         * runtime/ClassInfo.h:
1607         * runtime/CommonIdentifiers.h:
1608         * runtime/DataView.cpp: Added.
1609         (JSC::DataView::DataView):
1610         (JSC::DataView::create):
1611         (JSC::DataView::wrap):
1612         * runtime/DataView.h: Added.
1613         (JSC::DataView::byteLength):
1614         (JSC::DataView::getType):
1615         (JSC::DataView::get):
1616         (JSC::DataView::set):
1617         * runtime/Float32Array.h:
1618         * runtime/Float64Array.h:
1619         * runtime/GenericTypedArrayView.h: Added.
1620         (JSC::GenericTypedArrayView::data):
1621         (JSC::GenericTypedArrayView::set):
1622         (JSC::GenericTypedArrayView::setRange):
1623         (JSC::GenericTypedArrayView::zeroRange):
1624         (JSC::GenericTypedArrayView::zeroFill):
1625         (JSC::GenericTypedArrayView::length):
1626         (JSC::GenericTypedArrayView::byteLength):
1627         (JSC::GenericTypedArrayView::item):
1628         (JSC::GenericTypedArrayView::checkInboundData):
1629         (JSC::GenericTypedArrayView::getType):
1630         * runtime/GenericTypedArrayViewInlines.h: Added.
1631         (JSC::::GenericTypedArrayView):
1632         (JSC::::create):
1633         (JSC::::createUninitialized):
1634         (JSC::::subarray):
1635         (JSC::::wrap):
1636         * runtime/IndexingHeader.h:
1637         (JSC::IndexingHeader::arrayBuffer):
1638         (JSC::IndexingHeader::setArrayBuffer):
1639         * runtime/Int16Array.h:
1640         * runtime/Int32Array.h:
1641         * runtime/Int8Array.h:
1642         * runtime/JSArrayBuffer.cpp: Added.
1643         (JSC::JSArrayBuffer::JSArrayBuffer):
1644         (JSC::JSArrayBuffer::finishCreation):
1645         (JSC::JSArrayBuffer::create):
1646         (JSC::JSArrayBuffer::createStructure):
1647         (JSC::JSArrayBuffer::getOwnPropertySlot):
1648         (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
1649         (JSC::JSArrayBuffer::put):
1650         (JSC::JSArrayBuffer::defineOwnProperty):
1651         (JSC::JSArrayBuffer::deleteProperty):
1652         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
1653         * runtime/JSArrayBuffer.h: Added.
1654         (JSC::JSArrayBuffer::impl):
1655         (JSC::toArrayBuffer):
1656         * runtime/JSArrayBufferConstructor.cpp: Added.
1657         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
1658         (JSC::JSArrayBufferConstructor::finishCreation):
1659         (JSC::JSArrayBufferConstructor::create):
1660         (JSC::JSArrayBufferConstructor::createStructure):
1661         (JSC::constructArrayBuffer):
1662         (JSC::JSArrayBufferConstructor::getConstructData):
1663         (JSC::JSArrayBufferConstructor::getCallData):
1664         * runtime/JSArrayBufferConstructor.h: Added.
1665         * runtime/JSArrayBufferPrototype.cpp: Added.
1666         (JSC::arrayBufferProtoFuncSlice):
1667         (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
1668         (JSC::JSArrayBufferPrototype::finishCreation):
1669         (JSC::JSArrayBufferPrototype::create):
1670         (JSC::JSArrayBufferPrototype::createStructure):
1671         * runtime/JSArrayBufferPrototype.h: Added.
1672         * runtime/JSArrayBufferView.cpp: Added.
1673         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1674         (JSC::JSArrayBufferView::JSArrayBufferView):
1675         (JSC::JSArrayBufferView::finishCreation):
1676         (JSC::JSArrayBufferView::getOwnPropertySlot):
1677         (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
1678         (JSC::JSArrayBufferView::put):
1679         (JSC::JSArrayBufferView::defineOwnProperty):
1680         (JSC::JSArrayBufferView::deleteProperty):
1681         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
1682         (JSC::JSArrayBufferView::finalize):
1683         * runtime/JSArrayBufferView.h: Added.
1684         (JSC::JSArrayBufferView::sizeOf):
1685         (JSC::JSArrayBufferView::ConstructionContext::operator!):
1686         (JSC::JSArrayBufferView::ConstructionContext::structure):
1687         (JSC::JSArrayBufferView::ConstructionContext::vector):
1688         (JSC::JSArrayBufferView::ConstructionContext::length):
1689         (JSC::JSArrayBufferView::ConstructionContext::mode):
1690         (JSC::JSArrayBufferView::ConstructionContext::butterfly):
1691         (JSC::JSArrayBufferView::mode):
1692         (JSC::JSArrayBufferView::vector):
1693         (JSC::JSArrayBufferView::length):
1694         (JSC::JSArrayBufferView::offsetOfVector):
1695         (JSC::JSArrayBufferView::offsetOfLength):
1696         (JSC::JSArrayBufferView::offsetOfMode):
1697         * runtime/JSArrayBufferViewInlines.h: Added.
1698         (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
1699         (JSC::JSArrayBufferView::buffer):
1700         (JSC::JSArrayBufferView::impl):
1701         (JSC::JSArrayBufferView::neuter):
1702         (JSC::JSArrayBufferView::byteOffset):
1703         * runtime/JSCell.cpp:
1704         (JSC::JSCell::slowDownAndWasteMemory):
1705         (JSC::JSCell::getTypedArrayImpl):
1706         * runtime/JSCell.h:
1707         * runtime/JSDataView.cpp: Added.
1708         (JSC::JSDataView::JSDataView):
1709         (JSC::JSDataView::create):
1710         (JSC::JSDataView::createUninitialized):
1711         (JSC::JSDataView::set):
1712         (JSC::JSDataView::typedImpl):
1713         (JSC::JSDataView::getOwnPropertySlot):
1714         (JSC::JSDataView::getOwnPropertyDescriptor):
1715         (JSC::JSDataView::slowDownAndWasteMemory):
1716         (JSC::JSDataView::getTypedArrayImpl):
1717         (JSC::JSDataView::createStructure):
1718         * runtime/JSDataView.h: Added.
1719         * runtime/JSDataViewPrototype.cpp: Added.
1720         (JSC::JSDataViewPrototype::JSDataViewPrototype):
1721         (JSC::JSDataViewPrototype::create):
1722         (JSC::JSDataViewPrototype::createStructure):
1723         (JSC::JSDataViewPrototype::getOwnPropertySlot):
1724         (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
1725         (JSC::getData):
1726         (JSC::setData):
1727         (JSC::dataViewProtoFuncGetInt8):
1728         (JSC::dataViewProtoFuncGetInt16):
1729         (JSC::dataViewProtoFuncGetInt32):
1730         (JSC::dataViewProtoFuncGetUint8):
1731         (JSC::dataViewProtoFuncGetUint16):
1732         (JSC::dataViewProtoFuncGetUint32):
1733         (JSC::dataViewProtoFuncGetFloat32):
1734         (JSC::dataViewProtoFuncGetFloat64):
1735         (JSC::dataViewProtoFuncSetInt8):
1736         (JSC::dataViewProtoFuncSetInt16):
1737         (JSC::dataViewProtoFuncSetInt32):
1738         (JSC::dataViewProtoFuncSetUint8):
1739         (JSC::dataViewProtoFuncSetUint16):
1740         (JSC::dataViewProtoFuncSetUint32):
1741         (JSC::dataViewProtoFuncSetFloat32):
1742         (JSC::dataViewProtoFuncSetFloat64):
1743         * runtime/JSDataViewPrototype.h: Added.
1744         * runtime/JSFloat32Array.h: Added.
1745         * runtime/JSFloat64Array.h: Added.
1746         * runtime/JSGenericTypedArrayView.h: Added.
1747         (JSC::JSGenericTypedArrayView::byteLength):
1748         (JSC::JSGenericTypedArrayView::byteSize):
1749         (JSC::JSGenericTypedArrayView::typedVector):
1750         (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
1751         (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
1752         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
1753         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
1754         (JSC::JSGenericTypedArrayView::getIndexQuickly):
1755         (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
1756         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
1757         (JSC::JSGenericTypedArrayView::setIndexQuickly):
1758         (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
1759         (JSC::JSGenericTypedArrayView::typedImpl):
1760         (JSC::JSGenericTypedArrayView::createStructure):
1761         (JSC::JSGenericTypedArrayView::info):
1762         (JSC::toNativeTypedView):
1763         * runtime/JSGenericTypedArrayViewConstructor.h: Added.
1764         * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
1765         (JSC::::JSGenericTypedArrayViewConstructor):
1766         (JSC::::finishCreation):
1767         (JSC::::create):
1768         (JSC::::createStructure):
1769         (JSC::constructGenericTypedArrayView):
1770         (JSC::::getConstructData):
1771         (JSC::::getCallData):
1772         * runtime/JSGenericTypedArrayViewInlines.h: Added.
1773         (JSC::::JSGenericTypedArrayView):
1774         (JSC::::create):
1775         (JSC::::createUninitialized):
1776         (JSC::::validateRange):
1777         (JSC::::setWithSpecificType):
1778         (JSC::::set):
1779         (JSC::::getOwnPropertySlot):
1780         (JSC::::getOwnPropertyDescriptor):
1781         (JSC::::put):
1782         (JSC::::defineOwnProperty):
1783         (JSC::::deleteProperty):
1784         (JSC::::getOwnPropertySlotByIndex):
1785         (JSC::::putByIndex):
1786         (JSC::::deletePropertyByIndex):
1787         (JSC::::getOwnNonIndexPropertyNames):
1788         (JSC::::getOwnPropertyNames):
1789         (JSC::::visitChildren):
1790         (JSC::::copyBackingStore):
1791         (JSC::::slowDownAndWasteMemory):
1792         (JSC::::getTypedArrayImpl):
1793         * runtime/JSGenericTypedArrayViewPrototype.h: Added.
1794         * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
1795         (JSC::genericTypedArrayViewProtoFuncSet):
1796         (JSC::genericTypedArrayViewProtoFuncSubarray):
1797         (JSC::::JSGenericTypedArrayViewPrototype):
1798         (JSC::::finishCreation):
1799         (JSC::::create):
1800         (JSC::::createStructure):
1801         * runtime/JSGlobalObject.cpp:
1802         (JSC::JSGlobalObject::reset):
1803         (JSC::JSGlobalObject::visitChildren):
1804         * runtime/JSGlobalObject.h:
1805         (JSC::JSGlobalObject::arrayBufferPrototype):
1806         (JSC::JSGlobalObject::arrayBufferStructure):
1807         (JSC::JSGlobalObject::typedArrayStructure):
1808         * runtime/JSInt16Array.h: Added.
1809         * runtime/JSInt32Array.h: Added.
1810         * runtime/JSInt8Array.h: Added.
1811         * runtime/JSTypedArrayConstructors.cpp: Added.
1812         * runtime/JSTypedArrayConstructors.h: Added.
1813         * runtime/JSTypedArrayPrototypes.cpp: Added.
1814         * runtime/JSTypedArrayPrototypes.h: Added.
1815         * runtime/JSTypedArrays.cpp: Added.
1816         * runtime/JSTypedArrays.h: Added.
1817         * runtime/JSUint16Array.h: Added.
1818         * runtime/JSUint32Array.h: Added.
1819         * runtime/JSUint8Array.h: Added.
1820         * runtime/JSUint8ClampedArray.h: Added.
1821         * runtime/Operations.h:
1822         * runtime/Options.h:
1823         * runtime/SimpleTypedArrayController.cpp: Added.
1824         (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
1825         (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
1826         (JSC::SimpleTypedArrayController::toJS):
1827         * runtime/SimpleTypedArrayController.h: Added.
1828         * runtime/Structure.h:
1829         (JSC::Structure::couldHaveIndexingHeader):
1830         * runtime/StructureInlines.h:
1831         (JSC::Structure::hasIndexingHeader):
1832         * runtime/TypedArrayAdaptors.h: Added.
1833         (JSC::IntegralTypedArrayAdaptor::toNative):
1834         (JSC::IntegralTypedArrayAdaptor::toJSValue):
1835         (JSC::IntegralTypedArrayAdaptor::toDouble):
1836         (JSC::FloatTypedArrayAdaptor::toNative):
1837         (JSC::FloatTypedArrayAdaptor::toJSValue):
1838         (JSC::FloatTypedArrayAdaptor::toDouble):
1839         (JSC::Uint8ClampedAdaptor::toNative):
1840         (JSC::Uint8ClampedAdaptor::toJSValue):
1841         (JSC::Uint8ClampedAdaptor::toDouble):
1842         (JSC::Uint8ClampedAdaptor::clamp):
1843         * runtime/TypedArrayController.cpp: Added.
1844         (JSC::TypedArrayController::TypedArrayController):
1845         (JSC::TypedArrayController::~TypedArrayController):
1846         * runtime/TypedArrayController.h: Added.
1847         * runtime/TypedArrayDescriptor.h: Removed.
1848         * runtime/TypedArrayInlines.h: Added.
1849         * runtime/TypedArrayType.cpp: Added.
1850         (JSC::classInfoForType):
1851         (WTF::printInternal):
1852         * runtime/TypedArrayType.h: Added.
1853         (JSC::toIndex):
1854         (JSC::isTypedView):
1855         (JSC::elementSize):
1856         (JSC::isInt):
1857         (JSC::isFloat):
1858         (JSC::isSigned):
1859         (JSC::isClamped):
1860         * runtime/TypedArrays.h: Added.
1861         * runtime/Uint16Array.h:
1862         * runtime/Uint32Array.h:
1863         * runtime/Uint8Array.h:
1864         * runtime/Uint8ClampedArray.h:
1865         * runtime/VM.cpp:
1866         (JSC::VM::VM):
1867         (JSC::VM::~VM):
1868         * runtime/VM.h:
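
        The semantics this entry describes (Uint8ClampedArray no longer a subtype of Uint8Array, ArrayBufferView not JS-visible, ES-style exceptions, and views going dead when their buffer is neutered) are all observable from script, so they can be verified in any engine. The checks below are an added example, not WebKit or JSC code; they assume a modern engine that detaches a buffer through ArrayBuffer.prototype.transfer or structuredClone with a transfer list, and use the ES spec's RangeError and clamping rules as the expected behaviour.

```javascript
// Added example (not WebKit/JSC code): the typed-array semantics the entry
// above describes are observable from JavaScript, so they can be checked in
// any engine. Each function returns a value so a harness can assert on it.

// Uint8ClampedArray is not a subtype of Uint8Array; both inherit from the
// same intrinsic %TypedArray% prototype.
function clampedIsNotSubtypeOfUint8() {
  const clamped = new Uint8ClampedArray(1);
  const sharedBase =
    Object.getPrototypeOf(Uint8ClampedArray.prototype) ===
    Object.getPrototypeOf(Uint8Array.prototype);
  return !(clamped instanceof Uint8Array) && sharedBase;
}

// ArrayBufferView is not a JS-visible constructor.
function arrayBufferViewIsHidden() {
  return typeof globalThis.ArrayBufferView === "undefined";
}

// Stores into a clamped view saturate to 0..255 and round half to even,
// while Uint8Array truncates and then wraps modulo 256.
function clampVersusWrap(values) {
  return {
    clamped: Array.from(new Uint8ClampedArray(values)),
    wrapped: Array.from(new Uint8Array(values)),
  };
}

// Invalid constructions raise an ES RangeError rather than a DOM exception.
// Returns the constructor name of the thrown error, or null if nothing threw.
function errorNameOf(construct) {
  try {
    construct();
    return null;
  } catch (e) {
    return e.constructor.name;
  }
}

// Detach ("neuter") a buffer with whichever mechanism the engine offers:
// ArrayBuffer.prototype.transfer (ES2024) or structuredClone with a transfer
// list. Returns false when the runtime offers neither (assumption: one of the
// two is present on current engines).
function detachBuffer(buffer) {
  if (typeof buffer.transfer === "function") {
    buffer.transfer();
    return true;
  }
  if (typeof structuredClone === "function") {
    structuredClone(buffer, { transfer: [buffer] });
    return true;
  }
  return false;
}

// After detaching, every view over the buffer reports length 0 and indexed
// reads yield undefined: the engine must not hand out the old backing store.
function observeDetach() {
  const buffer = new ArrayBuffer(8);
  const view = new Uint32Array(buffer);
  view[0] = 0xdeadbeef; // constructed marker value
  const before = { length: view.length, byteLength: buffer.byteLength, first: view[0] };
  const detached = detachBuffer(buffer);
  const after = { length: view.length, byteLength: buffer.byteLength, first: view[0] };
  return { detached, before, after };
}

// Stand-alone run for the reader.
console.log(clampedIsNotSubtypeOfUint8(), arrayBufferViewIsHidden());
console.log(clampVersusWrap([300, -5, 1.5, 2.5, 255.5]));
console.log(errorNameOf(() => new Uint8Array(-1)));
console.log(observeDetach());
```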
1869
1870 2013-08-15  Oliver Hunt  <oliver@apple.com>
1871
1872         <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure
1873
1874         Reviewed by Filip Pizlo.
1875
1876         Make sure dfgCapabilities doesn't report a Dynamic put as
1877         being compilable when we don't actually support it.  
1878
1879         * bytecode/CodeBlock.cpp:
1880         (JSC::CodeBlock::dumpBytecode):
1881         * dfg/DFGCapabilities.cpp:
1882         (JSC::DFG::capabilityLevel):
1883
1884 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
1885
1886         [Windows] Incorrect DLL Linkage for JSC ArrayBuffer and ArrayBufferView
1887         https://bugs.webkit.org/show_bug.cgi?id=119847
1888
1889         Reviewed by Oliver Hunt.
1890
1891         * runtime/ArrayBuffer.h: Switch from WTF_EXPORT_PRIVATE to JS_EXPORT_PRIVATE
1892         * runtime/ArrayBufferView.h: Ditto.
1893
1894 2013-08-15  Gavin Barraclough  <barraclough@apple.com>
1895
1896         https://bugs.webkit.org/show_bug.cgi?id=119843
1897         PropertySlot::setValue is ambiguous
1898
1899         Reviewed by Geoff Garen.
1900
1901         There are three different versions of PropertySlot::setValue, one for cacheable properties, and two that are used interchangeably and inconsistently.
1902         The problematic variants are the ones that just take a value, and one that takes a value and also the object containing the property.
1903         Unify on always providing the object, and remove the version that just takes a value.
1904         This always works except for JSString, where we optimize out the object (logically we should be instantiating a temporary StringObject on every property access).
1905         Provide a version of setValue that takes a JSString as the owner of the property.
1906         We won't store this, but it makes it clear that this interface should only be used from JSString.
1907
1908         * API/JSCallbackObjectFunctions.h:
1909         (JSC::::getOwnPropertySlot):
1910         * JSCTypedArrayStubs.h:
1911         * runtime/Arguments.cpp:
1912         (JSC::Arguments::getOwnPropertySlotByIndex):
1913         (JSC::Arguments::getOwnPropertySlot):
1914         * runtime/JSActivation.cpp:
1915         (JSC::JSActivation::symbolTableGet):
1916         (JSC::JSActivation::getOwnPropertySlot):
1917         * runtime/JSArray.cpp:
1918         (JSC::JSArray::getOwnPropertySlot):
1919         * runtime/JSObject.cpp:
1920         (JSC::JSObject::getOwnPropertySlotByIndex):
1921         * runtime/JSString.h:
1922         (JSC::JSString::getStringPropertySlot):
1923         * runtime/JSSymbolTableObject.h:
1924         (JSC::symbolTableGet):
1925         * runtime/SparseArrayValueMap.cpp:
1926         (JSC::SparseArrayEntry::get):
1927             - Pass object containing property to PropertySlot::setValue
1928         * runtime/PropertySlot.h:
1929         (JSC::PropertySlot::setValue):
1930             - Logically, the base of a string property access is a temporary StringObject, but we optimize that away.
1931         (JSC::PropertySlot::setUndefined):
1932             - removed setValue(JSValue), added setValue(JSString*, JSValue)
1933
1934 2013-08-15  Oliver Hunt  <oliver@apple.com>
1935
1936         Remove bogus assertion.
1937
1938         RS=Filip Pizlo
1939
1940         * dfg/DFGAbstractInterpreterInlines.h:
1941         (JSC::DFG::::executeEffects):
1942
1943 2013-08-15  Allan Sandfeld Jensen  <allan.jensen@digia.com>
1944
1945         REGRESSION(r148790) Made 7 tests fail on x86 32bit
1946         https://bugs.webkit.org/show_bug.cgi?id=114913
1947
1948         Reviewed by Filip Pizlo.
1949
1950         The X87 register was not freed before some calls. Instead
1951         of inserting resetX87Registers at the last call sites,
1952         the two X87 registers are now freed in every call.
1953
1954         * llint/LowLevelInterpreter32_64.asm:
1955         * llint/LowLevelInterpreter64.asm:
1956         * offlineasm/instructions.rb:
1957         * offlineasm/x86.rb:
1958
1959 2013-08-14  Michael Saboff  <msaboff@apple.com>
1960
1961         Fixed jit on Win64.
1962         https://bugs.webkit.org/show_bug.cgi?id=119601
1963
1964         Reviewed by Oliver Hunt.
1965
1966         * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation.
1967         * jit/JSInterfaceJIT.h: Added thirdArgumentRegister.
1968         * jit/SlowPathCall.h:
1969         (JSC::JITSlowPathCall::call): Added correct calling convention for Win64.
1970
1971 2013-08-14  Alex Christensen  <achristensen@apple.com>
1972
1973         Compile fix for Win64 with jit disabled.
1974         https://bugs.webkit.org/show_bug.cgi?id=119804
1975
1976         Reviewed by Michael Saboff.
1977
1978         * offlineasm/cloop.rb: Added std:: before isnan.
1979
1980 2013-08-14  Julien Brianceau  <jbrianceau@nds.com>
1981
1982         DFG_JIT implementation for sh4 architecture.
1983         https://bugs.webkit.org/show_bug.cgi?id=119737
1984
1985         Reviewed by Oliver Hunt.
1986
1987         * assembler/MacroAssemblerSH4.h:
1988         (JSC::MacroAssemblerSH4::invert):
1989         (JSC::MacroAssemblerSH4::add32):
1990         (JSC::MacroAssemblerSH4::and32):
1991         (JSC::MacroAssemblerSH4::lshift32):
1992         (JSC::MacroAssemblerSH4::mul32):
1993         (JSC::MacroAssemblerSH4::or32):
1994         (JSC::MacroAssemblerSH4::rshift32):
1995         (JSC::MacroAssemblerSH4::sub32):
1996         (JSC::MacroAssemblerSH4::xor32):
1997         (JSC::MacroAssemblerSH4::store32):
1998         (JSC::MacroAssemblerSH4::swapDouble):
1999         (JSC::MacroAssemblerSH4::storeDouble):
2000         (JSC::MacroAssemblerSH4::subDouble):
2001         (JSC::MacroAssemblerSH4::mulDouble):
2002         (JSC::MacroAssemblerSH4::divDouble):
2003         (JSC::MacroAssemblerSH4::negateDouble):
2004         (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
2005         (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
2006         (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
2007         (JSC::MacroAssemblerSH4::swap):
2008         (JSC::MacroAssemblerSH4::jump):
2009         (JSC::MacroAssemblerSH4::branchNeg32):
2010         (JSC::MacroAssemblerSH4::branchAdd32):
2011         (JSC::MacroAssemblerSH4::branchMul32):
2012         (JSC::MacroAssemblerSH4::urshift32):
2013         * assembler/SH4Assembler.h:
2014         (JSC::SH4Assembler::SH4Assembler):
2015         (JSC::SH4Assembler::labelForWatchpoint):
2016         (JSC::SH4Assembler::label):
2017         (JSC::SH4Assembler::debugOffset):
2018         * dfg/DFGAssemblyHelpers.h:
2019         (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
2020         (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
2021         (JSC::DFG::AssemblyHelpers::debugCall):
2022         * dfg/DFGCCallHelpers.h:
2023         (JSC::DFG::CCallHelpers::setupArguments):
2024         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
2025         * dfg/DFGFPRInfo.h:
2026         (JSC::DFG::FPRInfo::toRegister):
2027         (JSC::DFG::FPRInfo::toIndex):
2028         (JSC::DFG::FPRInfo::debugName):
2029         * dfg/DFGGPRInfo.h:
2030         (JSC::DFG::GPRInfo::toRegister):
2031         (JSC::DFG::GPRInfo::toIndex):
2032         (JSC::DFG::GPRInfo::debugName):
2033         * dfg/DFGOperations.cpp:
2034         * dfg/DFGSpeculativeJIT.h:
2035         (JSC::DFG::SpeculativeJIT::callOperation):
2036         * jit/JITStubs.h:
2037         * jit/JITStubsSH4.h:
2038
2039 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
2040
2041         Unreviewed, fix build.
2042
2043         * API/JSValue.mm:
2044         (isDate):
2045         (isArray):
2046         * API/JSWrapperMap.mm:
2047         (tryUnwrapObjcObject):
2048         * API/ObjCCallbackFunction.mm:
2049         (tryUnwrapBlock):
2050
2051 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
2052
2053         Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
2054         https://bugs.webkit.org/show_bug.cgi?id=119770
2055
2056         Reviewed by Mark Hahnenberg.
2057
2058         * API/JSCallbackConstructor.cpp:
2059         (JSC::JSCallbackConstructor::finishCreation):
2060         * API/JSCallbackConstructor.h:
2061         (JSC::JSCallbackConstructor::createStructure):
2062         * API/JSCallbackFunction.cpp:
2063         (JSC::JSCallbackFunction::finishCreation):
2064         * API/JSCallbackFunction.h:
2065         (JSC::JSCallbackFunction::createStructure):
2066         * API/JSCallbackObject.cpp:
2067         (JSC::::createStructure):
2068         * API/JSCallbackObject.h:
2069         (JSC::JSCallbackObject::visitChildren):
2070         * API/JSCallbackObjectFunctions.h:
2071         (JSC::::asCallbackObject):
2072         (JSC::::finishCreation):
2073         * API/JSObjectRef.cpp:
2074         (JSObjectGetPrivate):
2075         (JSObjectSetPrivate):
2076         (JSObjectGetPrivateProperty):
2077         (JSObjectSetPrivateProperty):
2078         (JSObjectDeletePrivateProperty):
2079         * API/JSValueRef.cpp:
2080         (JSValueIsObjectOfClass):
2081         * API/JSWeakObjectMapRefPrivate.cpp:
2082         * API/ObjCCallbackFunction.h:
2083         (JSC::ObjCCallbackFunction::createStructure):
2084         * JSCTypedArrayStubs.h:
2085         * bytecode/CallLinkStatus.cpp:
2086         (JSC::CallLinkStatus::CallLinkStatus):
2087         (JSC::CallLinkStatus::function):
2088         (JSC::CallLinkStatus::internalFunction):
2089         * bytecode/CodeBlock.h:
2090         (JSC::baselineCodeBlockForInlineCallFrame):
2091         * bytecode/SpeculatedType.cpp:
2092         (JSC::speculationFromClassInfo):
2093         * bytecode/UnlinkedCodeBlock.cpp:
2094         (JSC::UnlinkedFunctionExecutable::visitChildren):
2095         (JSC::UnlinkedCodeBlock::visitChildren):
2096         (JSC::UnlinkedProgramCodeBlock::visitChildren):
2097         * bytecode/UnlinkedCodeBlock.h:
2098         (JSC::UnlinkedFunctionExecutable::createStructure):
2099         (JSC::UnlinkedProgramCodeBlock::createStructure):
2100         (JSC::UnlinkedEvalCodeBlock::createStructure):
2101         (JSC::UnlinkedFunctionCodeBlock::createStructure):
2102         * debugger/Debugger.cpp:
2103         * debugger/DebuggerActivation.cpp:
2104         (JSC::DebuggerActivation::visitChildren):
2105         * debugger/DebuggerActivation.h:
2106         (JSC::DebuggerActivation::createStructure):
2107         * debugger/DebuggerCallFrame.cpp:
2108         (JSC::DebuggerCallFrame::functionName):
2109         * dfg/DFGAbstractInterpreterInlines.h:
2110         (JSC::DFG::::executeEffects):
2111         * dfg/DFGByteCodeParser.cpp:
2112         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2113         (JSC::DFG::ByteCodeParser::parseBlock):
2114         * dfg/DFGFixupPhase.cpp:
2115         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
2116         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
2117         * dfg/DFGGraph.cpp:
2118         (JSC::DFG::Graph::dump):
2119         * dfg/DFGGraph.h:
2120         (JSC::DFG::Graph::isInternalFunctionConstant):
2121         * dfg/DFGOperations.cpp:
2122         * dfg/DFGSpeculativeJIT.cpp:
2123         (JSC::DFG::SpeculativeJIT::checkArray):
2124         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2125         * dfg/DFGThunks.cpp:
2126         (JSC::DFG::virtualForThunkGenerator):
2127         * interpreter/Interpreter.cpp:
2128         (JSC::loadVarargs):
2129         * jsc.cpp:
2130         (GlobalObject::createStructure):
2131         * profiler/LegacyProfiler.cpp:
2132         (JSC::LegacyProfiler::createCallIdentifier):
2133         * runtime/Arguments.cpp:
2134         (JSC::Arguments::visitChildren):
2135         * runtime/Arguments.h:
2136         (JSC::Arguments::createStructure):
2137         (JSC::asArguments):
2138         (JSC::Arguments::finishCreation):
2139         * runtime/ArrayConstructor.cpp:
2140         (JSC::arrayConstructorIsArray):
2141         * runtime/ArrayConstructor.h:
2142         (JSC::ArrayConstructor::createStructure):
2143         * runtime/ArrayPrototype.cpp:
2144         (JSC::ArrayPrototype::finishCreation):
2145         (JSC::arrayProtoFuncConcat):
2146         (JSC::attemptFastSort):
2147         * runtime/ArrayPrototype.h:
2148         (JSC::ArrayPrototype::createStructure):
2149         * runtime/BooleanConstructor.h:
2150         (JSC::BooleanConstructor::createStructure):
2151         * runtime/BooleanObject.cpp:
2152         (JSC::BooleanObject::finishCreation):
2153         * runtime/BooleanObject.h:
2154         (JSC::BooleanObject::createStructure):
2155         (JSC::asBooleanObject):
2156         * runtime/BooleanPrototype.cpp:
2157         (JSC::BooleanPrototype::finishCreation):
2158         (JSC::booleanProtoFuncToString):
2159         (JSC::booleanProtoFuncValueOf):
2160         * runtime/BooleanPrototype.h:
2161         (JSC::BooleanPrototype::createStructure):
2162         * runtime/DateConstructor.cpp:
2163         (JSC::constructDate):
2164         * runtime/DateConstructor.h:
2165         (JSC::DateConstructor::createStructure):
2166         * runtime/DateInstance.cpp:
2167         (JSC::DateInstance::finishCreation):
2168         * runtime/DateInstance.h:
2169         (JSC::DateInstance::createStructure):
2170         (JSC::asDateInstance):
2171         * runtime/DatePrototype.cpp:
2172         (JSC::formateDateInstance):
2173         (JSC::DatePrototype::finishCreation):
2174         (JSC::dateProtoFuncToISOString):
2175         (JSC::dateProtoFuncToLocaleString):
2176         (JSC::dateProtoFuncToLocaleDateString):
2177         (JSC::dateProtoFuncToLocaleTimeString):
2178         (JSC::dateProtoFuncGetTime):
2179         (JSC::dateProtoFuncGetFullYear):
2180         (JSC::dateProtoFuncGetUTCFullYear):
2181         (JSC::dateProtoFuncGetMonth):
2182         (JSC::dateProtoFuncGetUTCMonth):
2183         (JSC::dateProtoFuncGetDate):
2184         (JSC::dateProtoFuncGetUTCDate):
2185         (JSC::dateProtoFuncGetDay):
2186         (JSC::dateProtoFuncGetUTCDay):
2187         (JSC::dateProtoFuncGetHours):
2188         (JSC::dateProtoFuncGetUTCHours):
2189         (JSC::dateProtoFuncGetMinutes):
2190         (JSC::dateProtoFuncGetUTCMinutes):
2191         (JSC::dateProtoFuncGetSeconds):
2192         (JSC::dateProtoFuncGetUTCSeconds):
2193         (JSC::dateProtoFuncGetMilliSeconds):
2194         (JSC::dateProtoFuncGetUTCMilliseconds):
2195         (JSC::dateProtoFuncGetTimezoneOffset):
2196         (JSC::dateProtoFuncSetTime):
2197         (JSC::setNewValueFromTimeArgs):
2198         (JSC::setNewValueFromDateArgs):
2199         (JSC::dateProtoFuncSetYear):
2200         (JSC::dateProtoFuncGetYear):
2201         * runtime/DatePrototype.h:
2202         (JSC::DatePrototype::createStructure):
2203         * runtime/Error.h:
2204         (JSC::StrictModeTypeErrorFunction::createStructure):
2205         * runtime/ErrorConstructor.h:
2206         (JSC::ErrorConstructor::createStructure):
2207         * runtime/ErrorInstance.cpp:
2208         (JSC::ErrorInstance::finishCreation):
2209         * runtime/ErrorInstance.h:
2210         (JSC::ErrorInstance::createStructure):
2211         * runtime/ErrorPrototype.cpp:
2212         (JSC::ErrorPrototype::finishCreation):
2213         * runtime/ErrorPrototype.h:
2214         (JSC::ErrorPrototype::createStructure):
2215         * runtime/ExceptionHelpers.cpp:
2216         (JSC::isTerminatedExecutionException):
2217         * runtime/ExceptionHelpers.h:
2218         (JSC::TerminatedExecutionError::createStructure):
2219         * runtime/Executable.cpp:
2220         (JSC::EvalExecutable::visitChildren):
2221         (JSC::ProgramExecutable::visitChildren):
2222         (JSC::FunctionExecutable::visitChildren):
2223         (JSC::ExecutableBase::hashFor):
2224         * runtime/Executable.h:
2225         (JSC::ExecutableBase::createStructure):
2226         (JSC::NativeExecutable::createStructure):
2227         (JSC::EvalExecutable::createStructure):
2228         (JSC::ProgramExecutable::createStructure):
2229         (JSC::FunctionExecutable::compileFor):
2230         (JSC::FunctionExecutable::compileOptimizedFor):
2231         (JSC::FunctionExecutable::createStructure):
2232         * runtime/FunctionConstructor.h:
2233         (JSC::FunctionConstructor::createStructure):
2234         * runtime/FunctionPrototype.cpp:
2235         (JSC::functionProtoFuncToString):
2236         (JSC::functionProtoFuncApply):
2237         (JSC::functionProtoFuncBind):
2238         * runtime/FunctionPrototype.h:
2239         (JSC::FunctionPrototype::createStructure):
2240         * runtime/GetterSetter.cpp:
2241         (JSC::GetterSetter::visitChildren):
2242         * runtime/GetterSetter.h:
2243         (JSC::GetterSetter::createStructure):
2244         * runtime/InternalFunction.cpp:
2245         (JSC::InternalFunction::finishCreation):
2246         * runtime/InternalFunction.h:
2247         (JSC::InternalFunction::createStructure):
2248         (JSC::asInternalFunction):
2249         * runtime/JSAPIValueWrapper.h:
2250         (JSC::JSAPIValueWrapper::createStructure):
2251         * runtime/JSActivation.cpp:
2252         (JSC::JSActivation::visitChildren):
2253         (JSC::JSActivation::argumentsGetter):
2254         * runtime/JSActivation.h:
2255         (JSC::JSActivation::createStructure):
2256         (JSC::asActivation):
2257         * runtime/JSArray.h:
2258         (JSC::JSArray::createStructure):
2259         (JSC::asArray):
2260         (JSC::isJSArray):
2261         * runtime/JSBoundFunction.cpp:
2262         (JSC::JSBoundFunction::finishCreation):
2263         (JSC::JSBoundFunction::visitChildren):
2264         * runtime/JSBoundFunction.h:
2265         (JSC::JSBoundFunction::createStructure):
2266         * runtime/JSCJSValue.cpp:
2267         (JSC::JSValue::dumpInContext):
2268         * runtime/JSCJSValueInlines.h:
2269         (JSC::JSValue::isFunction):
2270         * runtime/JSCell.h:
2271         (JSC::jsCast):
2272         (JSC::jsDynamicCast):
2273         * runtime/JSCellInlines.h:
2274         (JSC::allocateCell):
2275         * runtime/JSFunction.cpp:
2276         (JSC::JSFunction::finishCreation):
2277         (JSC::JSFunction::visitChildren):
2278         (JSC::skipOverBoundFunctions):
2279         (JSC::JSFunction::callerGetter):
2280         * runtime/JSFunction.h:
2281         (JSC::JSFunction::createStructure):
2282         * runtime/JSGlobalObject.cpp:
2283         (JSC::JSGlobalObject::visitChildren):
2284         (JSC::slowValidateCell):
2285         * runtime/JSGlobalObject.h:
2286         (JSC::JSGlobalObject::createStructure):
2287         * runtime/JSNameScope.cpp:
2288         (JSC::JSNameScope::visitChildren):
2289         * runtime/JSNameScope.h:
2290         (JSC::JSNameScope::createStructure):
2291         * runtime/JSNotAnObject.h:
2292         (JSC::JSNotAnObject::createStructure):
2293         * runtime/JSONObject.cpp:
2294         (JSC::JSONObject::finishCreation):
2295         (JSC::unwrapBoxedPrimitive):
2296         (JSC::Stringifier::Stringifier):
2297         (JSC::Stringifier::appendStringifiedValue):
2298         (JSC::Stringifier::Holder::Holder):
2299         (JSC::Walker::walk):
2300         (JSC::JSONProtoFuncStringify):
2301         * runtime/JSONObject.h:
2302         (JSC::JSONObject::createStructure):
2303         * runtime/JSObject.cpp:
2304         (JSC::getCallableObjectSlow):
2305         (JSC::JSObject::visitChildren):
2306         (JSC::JSObject::copyBackingStore):
2307         (JSC::JSFinalObject::visitChildren):
2308         (JSC::JSObject::ensureInt32Slow):
2309         (JSC::JSObject::ensureDoubleSlow):
2310         (JSC::JSObject::ensureContiguousSlow):
2311         (JSC::JSObject::ensureArrayStorageSlow):
2312         * runtime/JSObject.h:
2313         (JSC::JSObject::finishCreation):
2314         (JSC::JSObject::createStructure):
2315         (JSC::JSNonFinalObject::createStructure):
2316         (JSC::JSFinalObject::createStructure):
2317         (JSC::isJSFinalObject):
2318         * runtime/JSPropertyNameIterator.cpp:
2319         (JSC::JSPropertyNameIterator::visitChildren):
2320         * runtime/JSPropertyNameIterator.h:
2321         (JSC::JSPropertyNameIterator::createStructure):
2322         * runtime/JSProxy.cpp:
2323         (JSC::JSProxy::visitChildren):
2324         * runtime/JSProxy.h:
2325         (JSC::JSProxy::createStructure):
2326         * runtime/JSScope.cpp:
2327         (JSC::JSScope::visitChildren):
2328         * runtime/JSSegmentedVariableObject.cpp:
2329         (JSC::JSSegmentedVariableObject::visitChildren):
2330         * runtime/JSString.h:
2331         (JSC::JSString::createStructure):
2332         (JSC::isJSString):
2333         * runtime/JSSymbolTableObject.cpp:
2334         (JSC::JSSymbolTableObject::visitChildren):
2335         * runtime/JSVariableObject.h:
2336         * runtime/JSWithScope.cpp:
2337         (JSC::JSWithScope::visitChildren):
2338         * runtime/JSWithScope.h:
2339         (JSC::JSWithScope::createStructure):
2340         * runtime/JSWrapperObject.cpp:
2341         (JSC::JSWrapperObject::visitChildren):
2342         * runtime/JSWrapperObject.h:
2343         (JSC::JSWrapperObject::createStructure):
2344         * runtime/MathObject.cpp:
2345         (JSC::MathObject::finishCreation):
2346         * runtime/MathObject.h:
2347         (JSC::MathObject::createStructure):
2348         * runtime/NameConstructor.h:
2349         (JSC::NameConstructor::createStructure):
2350         * runtime/NameInstance.h:
2351         (JSC::NameInstance::createStructure):
2352         (JSC::NameInstance::finishCreation):
2353         * runtime/NamePrototype.cpp:
2354         (JSC::NamePrototype::finishCreation):
2355         (JSC::privateNameProtoFuncToString):
2356         * runtime/NamePrototype.h:
2357         (JSC::NamePrototype::createStructure):
2358         * runtime/NativeErrorConstructor.cpp:
2359         (JSC::NativeErrorConstructor::visitChildren):
2360         * runtime/NativeErrorConstructor.h:
2361         (JSC::NativeErrorConstructor::createStructure):
2362         (JSC::NativeErrorConstructor::finishCreation):
2363         * runtime/NumberConstructor.cpp:
2364         (JSC::NumberConstructor::finishCreation):
2365         * runtime/NumberConstructor.h:
2366         (JSC::NumberConstructor::createStructure):
2367         * runtime/NumberObject.cpp:
2368         (JSC::NumberObject::finishCreation):
2369         * runtime/NumberObject.h:
2370         (JSC::NumberObject::createStructure):
2371         * runtime/NumberPrototype.cpp:
2372         (JSC::NumberPrototype::finishCreation):
2373         * runtime/NumberPrototype.h:
2374         (JSC::NumberPrototype::createStructure):
2375         * runtime/ObjectConstructor.h:
2376         (JSC::ObjectConstructor::createStructure):
2377         * runtime/ObjectPrototype.cpp:
2378         (JSC::ObjectPrototype::finishCreation):
2379         * runtime/ObjectPrototype.h:
2380         (JSC::ObjectPrototype::createStructure):
2381         * runtime/PropertyMapHashTable.h:
2382         (JSC::PropertyTable::createStructure):
2383         * runtime/PropertyTable.cpp:
2384         (JSC::PropertyTable::visitChildren):
2385         * runtime/RegExp.h:
2386         (JSC::RegExp::createStructure):
2387         * runtime/RegExpConstructor.cpp:
2388         (JSC::RegExpConstructor::finishCreation):
2389         (JSC::RegExpConstructor::visitChildren):
2390         (JSC::constructRegExp):
2391         * runtime/RegExpConstructor.h:
2392         (JSC::RegExpConstructor::createStructure):
2393         (JSC::asRegExpConstructor):
2394         * runtime/RegExpMatchesArray.cpp:
2395         (JSC::RegExpMatchesArray::visitChildren):
2396         * runtime/RegExpMatchesArray.h:
2397         (JSC::RegExpMatchesArray::createStructure):
2398         * runtime/RegExpObject.cpp:
2399         (JSC::RegExpObject::finishCreation):
2400         (JSC::RegExpObject::visitChildren):
2401         * runtime/RegExpObject.h:
2402         (JSC::RegExpObject::createStructure):
2403         (JSC::asRegExpObject):
2404         * runtime/RegExpPrototype.cpp:
2405         (JSC::regExpProtoFuncTest):
2406         (JSC::regExpProtoFuncExec):
2407         (JSC::regExpProtoFuncCompile):
2408         (JSC::regExpProtoFuncToString):
2409         * runtime/RegExpPrototype.h:
2410         (JSC::RegExpPrototype::createStructure):
2411         * runtime/SparseArrayValueMap.cpp:
2412         (JSC::SparseArrayValueMap::createStructure):
2413         * runtime/SparseArrayValueMap.h:
2414         * runtime/StrictEvalActivation.h:
2415         (JSC::StrictEvalActivation::createStructure):
2416         * runtime/StringConstructor.h:
2417         (JSC::StringConstructor::createStructure):
2418         * runtime/StringObject.cpp:
2419         (JSC::StringObject::finishCreation):
2420         * runtime/StringObject.h:
2421         (JSC::StringObject::createStructure):
2422         (JSC::asStringObject):
2423         * runtime/StringPrototype.cpp:
2424         (JSC::StringPrototype::finishCreation):
2425         (JSC::stringProtoFuncReplace):
2426         (JSC::stringProtoFuncToString):
2427         (JSC::stringProtoFuncMatch):
2428         (JSC::stringProtoFuncSearch):
2429         (JSC::stringProtoFuncSplit):
2430         * runtime/StringPrototype.h:
2431         (JSC::StringPrototype::createStructure):
2432         * runtime/Structure.cpp:
2433         (JSC::Structure::Structure):
2434         (JSC::Structure::materializePropertyMap):
2435         (JSC::Structure::get):
2436         (JSC::Structure::visitChildren):
2437         * runtime/Structure.h:
2438         (JSC::Structure::typeInfo):
2439         (JSC::Structure::previousID):
2440         (JSC::Structure::outOfLineSize):
2441         (JSC::Structure::totalStorageCapacity):
2442         (JSC::Structure::materializePropertyMapIfNecessary):
2443         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
2444         * runtime/StructureChain.cpp:
2445         (JSC::StructureChain::visitChildren):
2446         * runtime/StructureChain.h:
2447         (JSC::StructureChain::createStructure):
2448         * runtime/StructureInlines.h:
2449         (JSC::Structure::get):
2450         * runtime/StructureRareData.cpp:
2451         (JSC::StructureRareData::createStructure):
2452         (JSC::StructureRareData::visitChildren):
2453         * runtime/StructureRareData.h:
2454         * runtime/SymbolTable.h:
2455         (JSC::SharedSymbolTable::createStructure):
2456         * runtime/VM.cpp:
2457         (JSC::VM::VM):
2458         (JSC::StackPreservingRecompiler::operator()):
2459         (JSC::VM::releaseExecutableMemory):
2460         * runtime/WriteBarrier.h:
2461         (JSC::validateCell):
2462         * testRegExp.cpp:
2463         (GlobalObject::createStructure):
2464
2465 2013-08-13  Arunprasad Rajkumar  <arurajku@cisco.com>
2466
2467         [WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places
2468         https://bugs.webkit.org/show_bug.cgi?id=119762
2469
2470         Reviewed by Geoffrey Garen.
2471
2472         * heap/Heap.cpp:
2473         (JSC::Heap::Heap):
2474         (JSC::Heap::markRoots):
2475         (JSC::Heap::collect):
2476         * jsc.cpp:
2477         (StopWatch::start):
2478         (StopWatch::stop):
2479         * testRegExp.cpp:
2480         (StopWatch::start):
2481         (StopWatch::stop):
2482
2483 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
2484
2485         [sh4] Prepare LLINT for DFG_JIT implementation.
2486         https://bugs.webkit.org/show_bug.cgi?id=119755
2487
2488         Reviewed by Oliver Hunt.
2489
2490         * LLIntOffsetsExtractor.pro: Add sh4.rb dependency.
2491         * offlineasm/sh4.rb:
2492             - Handle storeb opcode.
2493             - Make relative jumps when possible using braf opcode.
2494             - Update bmulio implementation to be consistent with baseline JIT.
2495             - Remove useless code from leap opcode.
2496             - Fix incorrect comment.
2497
2498 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
2499
2500         [sh4] Prepare baseline JIT for DFG_JIT implementation.
2501         https://bugs.webkit.org/show_bug.cgi?id=119758
2502
2503         Reviewed by Oliver Hunt.
2504
2505         * assembler/MacroAssemblerSH4.h:
2506             - Introduce a loadEffectiveAddress function to avoid code duplication.
2507             - Add ASSERTs and clean code.
2508         * assembler/SH4Assembler.h:
2509             - Prepare DFG_JIT implementation.
2510             - Add ASSERTs.
2511         * jit/JITStubs.cpp:
2512             - Add SH4 specific call for assertions.
2513         * jit/JITStubs.h:
2514             - Cosmetic change.
2515         * jit/JITStubsSH4.h:
2516             - Use constants to be more flexible with sh4 JIT stack frame.
2517         * jit/JSInterfaceJIT.h:
2518             - Cosmetic change.
2519
2520 2013-08-13  Oliver Hunt  <oliver@apple.com>
2521
2522         Harden executeConstruct against incorrect return types from host functions
2523         https://bugs.webkit.org/show_bug.cgi?id=119757
2524
2525         Reviewed by Mark Hahnenberg.
2526
2527         Add logic to guard against bogus return types.  There doesn't seem to be any
2528         class in webkit that does this wrong, but the typed array stubs in debug JSC
2529         do exhibit this bad behaviour.
2530
2531         * interpreter/Interpreter.cpp:
2532         (JSC::Interpreter::executeConstruct):
2533
2534 2013-08-13  Allan Sandfeld Jensen  <allan.jensen@digia.com>
2535
2536         [Qt] Fix C++11 build with gcc 4.4 and 4.5
2537         https://bugs.webkit.org/show_bug.cgi?id=119736
2538
2539         Reviewed by Anders Carlsson.
2540
2541         Don't force C++11 mode off anymore.
2542
2543         * Target.pri:
2544
2545 2013-08-12  Oliver Hunt  <oliver@apple.com>
2546
2547         Remove CodeBlock's notion of adding identifiers entirely
2548         https://bugs.webkit.org/show_bug.cgi?id=119708
2549
2550         Reviewed by Geoffrey Garen.
2551
2552         Remove addAdditionalIdentifier entirely, including the bogus assertion.
2553         Move the addition of identifiers to DFGPlan::reallyAdd.
2554
2555         * bytecode/CodeBlock.h:
2556         * dfg/DFGDesiredIdentifiers.cpp:
2557         (JSC::DFG::DesiredIdentifiers::reallyAdd):
2558         * dfg/DFGDesiredIdentifiers.h:
2559         * dfg/DFGPlan.cpp:
2560         (JSC::DFG::Plan::reallyAdd):
2561         (JSC::DFG::Plan::finalize):
2562         * dfg/DFGPlan.h:
2563
2564 2013-08-12  Oliver Hunt  <oliver@apple.com>
2565
2566         Build fix
2567
2568         * runtime/JSCell.h:
2569
2570 2013-08-12  Oliver Hunt  <oliver@apple.com>
2571
2572         Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them
2573         https://bugs.webkit.org/show_bug.cgi?id=119705
2574
2575         Reviewed by Geoffrey Garen.
2576
2577         Relatively trivial refactoring.
2578
2579         * bytecode/CodeBlock.h:
2580         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
2581         (JSC::CodeBlock::addAdditionalIdentifier):
2582         (JSC::CodeBlock::identifier):
2583         (JSC::CodeBlock::numberOfIdentifiers):
2584         * dfg/DFGCommonData.h:
2585
2586 2013-08-12  Oliver Hunt  <oliver@apple.com>
2587
2588         Stop making unnecessary copy of CodeBlock Identifier Vector
2589         https://bugs.webkit.org/show_bug.cgi?id=119702
2590
2591         Reviewed by Michael Saboff.
2592
2593         Make CodeBlock simply use a separate Vector for additional Identifiers
2594         and use the UnlinkedCodeBlock for the initial set of identifiers.
2595
2596         * bytecode/CodeBlock.cpp:
2597         (JSC::CodeBlock::printGetByIdOp):
2598         (JSC::dumpStructure):
2599         (JSC::dumpChain):
2600         (JSC::CodeBlock::printGetByIdCacheStatus):
2601         (JSC::CodeBlock::printPutByIdOp):
2602         (JSC::CodeBlock::dumpBytecode):
2603         (JSC::CodeBlock::CodeBlock):
2604         (JSC::CodeBlock::shrinkToFit):
2605         * bytecode/CodeBlock.h:
2606         (JSC::CodeBlock::numberOfIdentifiers):
2607         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
2608         (JSC::CodeBlock::addAdditionalIdentifier):
2609         (JSC::CodeBlock::identifier):
2610         * dfg/DFGDesiredIdentifiers.cpp:
2611         (JSC::DFG::DesiredIdentifiers::reallyAdd):
2612         * jit/JIT.h:
2613         * jit/JITOpcodes.cpp:
2614         (JSC::JIT::emitSlow_op_get_arguments_length):
2615         * jit/JITPropertyAccess.cpp:
2616         (JSC::JIT::emit_op_get_by_id):
2617         (JSC::JIT::compileGetByIdHotPath):
2618         (JSC::JIT::emitSlow_op_get_by_id):
2619         (JSC::JIT::compileGetByIdSlowCase):
2620         (JSC::JIT::emitSlow_op_put_by_id):
2621         * jit/JITPropertyAccess32_64.cpp:
2622         (JSC::JIT::emit_op_get_by_id):
2623         (JSC::JIT::compileGetByIdHotPath):
2624         (JSC::JIT::compileGetByIdSlowCase):
2625         * jit/JITStubs.cpp:
2626         (JSC::DEFINE_STUB_FUNCTION):
2627         * llint/LLIntSlowPaths.cpp:
2628         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2629
2630 2013-08-08  Mark Lam  <mark.lam@apple.com>
2631
2632         Restoring use of StackIterator instead of Interpreter::getStacktrace().
2633         https://bugs.webkit.org/show_bug.cgi?id=119575.
2634
2635         Reviewed by Oliver Hunt.
2636
2637         * interpreter/Interpreter.h:
2638         - Made getStackTrace() private.
2639         * interpreter/StackIterator.cpp:
2640         (JSC::StackIterator::StackIterator):
2641         (JSC::StackIterator::numberOfFrames):
2642         - Computes the number of frames by iterating through the whole stack
2643           from the starting frame. The iterator will save its current frame
2644           position before counting the frames, and then restore it after
2645           the counting.
2646         (JSC::StackIterator::gotoFrameAtIndex):
2647         (JSC::StackIterator::gotoNextFrame):
2648         (JSC::StackIterator::resetIterator):
2649         - Points the iterator to the starting frame.
2650         * interpreter/StackIteratorPrivate.h:
2651
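        Added model, not JavaScriptCore code, of the numberOfFrames() / gotoFrameAtIndex() /
        resetIterator() behaviour described in the entry above: the count is taken by walking
        the whole chain from the starting frame, but the iterator's current position is saved
        first and restored afterwards, so counting never moves the cursor. The Frame class with
        its callerFrame link and the three-frame sample chain are constructed for this
        illustration; JSC's real iterator walks CallFrame records, which this does not reproduce.

```javascript
// Added example (not JavaScriptCore code): a model of the StackIterator
// behaviour described in the ChangeLog entry. Frames form a constructed
// singly linked list (callee -> caller), mirroring a call-frame chain.
class Frame {
  constructor(name, callerFrame) {
    this.name = name;               // function name shown for the frame
    this.callerFrame = callerFrame; // null for the outermost frame
  }
}

class StackIterator {
  constructor(startFrame) {
    this.startFrame = startFrame;
    this.frame = startFrame;        // current position; null once past the end
  }

  // Points the iterator back at the starting frame.
  resetIterator() {
    this.frame = this.startFrame;
  }

  // Advances to the caller of the current frame (no-op past the end).
  gotoNextFrame() {
    if (this.frame) this.frame = this.frame.callerFrame;
  }

  // Counts frames from the starting frame without disturbing the current
  // position: save it, walk the whole chain, then restore it.
  numberOfFrames() {
    const savedFrame = this.frame;
    this.resetIterator();
    let count = 0;
    for (; this.frame; this.gotoNextFrame()) count++;
    this.frame = savedFrame;
    return count;
  }

  // Positions the iterator at the index-th frame counted from the start;
  // an index past the end leaves the iterator at null.
  gotoFrameAtIndex(index) {
    this.resetIterator();
    for (let i = 0; i < index && this.frame; i++) this.gotoNextFrame();
  }
}

// Constructed sample chain: main -> outer -> inner (inner is the newest frame).
function buildSampleStack() {
  const main = new Frame('main', null);
  const outer = new Frame('outer', main);
  const inner = new Frame('inner', outer);
  return new StackIterator(inner);
}

// Shows that counting does not move the cursor: after stepping to 'outer',
// numberOfFrames() reports 3 and the iterator is still at 'outer'.
function countWithoutLosingPosition() {
  const it = buildSampleStack();
  it.gotoNextFrame();              // now at 'outer'
  const count = it.numberOfFrames();
  return { count, current: it.frame.name };
}
```

        Without the save/restore in numberOfFrames(), the walk would leave the iterator past the
        last frame, and any caller that counted before reading the current frame would see null.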
2652 2013-08-08  Mark Lam  <mark.lam@apple.com>
2653
2654         Moved ErrorConstructor and NativeErrorConstructor helper functions into
2655         the Interpreter class.
2656         https://bugs.webkit.org/show_bug.cgi?id=119576.
2657
2658         Reviewed by Oliver Hunt.
2659
2660         This change is needed to prepare for making Interpreter::getStackTrace()
2661         private. It does not change the behavior of the code, only the lexical
2662         scoping.
2663
2664         * interpreter/Interpreter.h:
2665         - Added helper functions for ErrorConstructor and NativeErrorConstructor.
2666         * runtime/ErrorConstructor.cpp:
2667         (JSC::Interpreter::constructWithErrorConstructor):
2668         (JSC::ErrorConstructor::getConstructData):
2669         (JSC::Interpreter::callErrorConstructor):
2670         (JSC::ErrorConstructor::getCallData):
2671         - Don't want ErrorConstructor to call Interpreter::getStackTrace()
2672           directly. So, we moved the helper functions into the Interpreter
2673           class.
2674         * runtime/NativeErrorConstructor.cpp:
2675         (JSC::Interpreter::constructWithNativeErrorConstructor):
2676         (JSC::NativeErrorConstructor::getConstructData):
2677         (JSC::Interpreter::callNativeErrorConstructor):
2678         (JSC::NativeErrorConstructor::getCallData):
2679         - Don't want NativeErrorConstructor to call Interpreter::getStackTrace()
2680           directly. So, we moved the helper functions into the Interpreter
2681           class.
2682
2683 2013-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>
2684
2685         32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state
2686         https://bugs.webkit.org/show_bug.cgi?id=119555
2687
2688         Reviewed by Geoffrey Garen.
2689
2690         It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does.
2691         This was causing crashes on maps.google.com in 32-bit debug builds.
2692
2693         * dfg/DFGSpeculativeJIT32_64.cpp:
2694         (JSC::DFG::SpeculativeJIT::compile):
2695
2696 2013-08-06  Michael Saboff  <msaboff@apple.com>
2697
2698         REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT
2699         https://bugs.webkit.org/show_bug.cgi?id=119405
2700
2701         Reviewed by Geoffrey Garen.
2702
2703         * dfg/DFGSpeculativeJIT.cpp:
2704         (JSC::DFG::SpeculativeJIT::compileGetByValOnString): For X86 32 bit, construct an indexed address
2705         ourselves to save a register and then load from it.
2706
2707 2013-08-06  Filip Pizlo  <fpizlo@apple.com>
2708
2709         DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants
2710         https://bugs.webkit.org/show_bug.cgi?id=119528
2711
2712         Reviewed by Geoffrey Garen.
2713
2714         Either of the two fixes would solve the crash I saw. Basically, for best performance, we want the DFG register allocator to track double uses and non-double
2715         uses of a node separately, and we accomplish this by inserting Int32ToDouble nodes in the FixupPhase. But even if FixupPhase fails to do this, we still want
2716         the DFG register allocator to do the right thing: if it encounters a double use of an integer, it should perform a conversion and preserve the original
2717         format of the value (namely, that it was an integer). For constants, the best format to preserve is None, so that future integer uses rematerialize the int
2718         from scratch. This only affects the 64-bit backend; the 32-bit backend was already doing the right thing.
2719
2720         This also fixes some more debug dumping code, and adds some stronger assertions for integer arrays.
2721
2722         * bytecode/CodeBlock.cpp:
2723         (JSC::CodeBlock::finalizeUnconditionally):
2724         * dfg/DFGDriver.cpp:
2725         (JSC::DFG::compile):
2726         * dfg/DFGFixupPhase.cpp:
2727         (JSC::DFG::FixupPhase::fixupNode):
2728         * dfg/DFGGraph.cpp:
2729         (JSC::DFG::Graph::dump):
2730         * dfg/DFGSpeculativeJIT64.cpp:
2731         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2732         * runtime/JSObject.h:
2733         (JSC::JSObject::getIndexQuickly):
2734         (JSC::JSObject::tryGetIndexQuickly):
2735
2736 2013-08-08  Stephanie Lewis  <slewis@apple.com>
2737
2738         <rdar://problem/14680524> REGRESSION(153806): Crash @ yahoo.com when WebKit is built with a .order file
2739
2740         Unreviewed.
2741
2742         Ensure llint symbols are in source order.
2743
2744         * JavaScriptCore.order:
2745
2746 2013-08-06  Mark Lam  <mark.lam@apple.com>
2747
2748         Assertion failure in emitExpressionInfo when reloading with Web Inspector open.
2749         https://bugs.webkit.org/show_bug.cgi?id=119532.
2750
2751         Reviewed by Oliver Hunt.
2752
2753         * parser/Parser.cpp:
2754         (JSC::::Parser):
2755         - Just need to initialize the Parser's JSTokenLocation's initial line and
2756           startOffset as well during Parser construction.
2757
2758 2013-08-06  Stephanie Lewis  <slewis@apple.com>
2759
2760         Update Order Files for Safari
2761         <rdar://problem/14517392>
2762
2763         Unreviewed.
2764
2765         * JavaScriptCore.order:
2766
2767 2013-08-04  Sam Weinig  <sam@webkit.org>
2768
2769         Remove support for HTML5 MicroData
2770         https://bugs.webkit.org/show_bug.cgi?id=119480
2771
2772         Reviewed by Anders Carlsson.
2773
2774         * Configurations/FeatureDefines.xcconfig:
2775
2776 2013-08-05  Oliver Hunt  <oliver@apple.com>
2777
2778         Delay Arguments creation in strict mode
2779         https://bugs.webkit.org/show_bug.cgi?id=119505
2780
2781         Reviewed by Geoffrey Garen.
2782
2783         Make use of the write tracking performed by the parser to
2784         allow us to know if we're modifying the parameters to a function.
2785         Then use that information to make strict mode functions opt out
2786         of eager arguments creation.
2787
2788         * bytecompiler/BytecodeGenerator.cpp:
2789         (JSC::BytecodeGenerator::BytecodeGenerator):
2790         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
2791         (JSC::BytecodeGenerator::emitReturn):
2792         * bytecompiler/BytecodeGenerator.h:
2793         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly):
2794         * parser/Nodes.h:
2795         (JSC::ScopeNode::modifiesParameter):
2796         * parser/Parser.cpp:
2797         (JSC::::parseInner):
2798         * parser/Parser.h:
2799         (JSC::Scope::declareParameter):
2800         (JSC::Scope::getCapturedVariables):
2801         (JSC::Parser::declareWrite):
2802         * parser/ParserModes.h:
2803
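        Added illustration, not part of this ChangeLog or of JavaScriptCore's sources, of why the
        optimisation above is safe: in sloppy mode `arguments` aliases the formal parameters, so a
        write to either side must be visible through the other, while in strict mode no such
        aliasing exists. A strict-mode function whose parameters are never assigned therefore
        cannot observe whether its arguments object was created eagerly or on first use. The
        `modifiesParameter`, `isStrict` and `canDelayArgumentsCreation` helpers are constructed
        stand-ins for the parser's write tracking (a source-text heuristic, not JSC's
        implementation) and only recognise simple assignment forms.

```javascript
// Added example (not JavaScriptCore code). Demonstrates the sloppy/strict
// difference in `arguments` aliasing that lets an engine delay creating the
// arguments object for strict-mode functions that never write a parameter.

// Sloppy mode: built with the Function constructor so it stays sloppy even if
// this file is loaded as a strict ES module. Writing the parameter is visible
// through arguments[0], and writing arguments[0] is visible through the parameter.
const sloppyAliasing = new Function('a', `
  var observed = {};
  a = 'changed-via-param';
  observed.afterParamWrite = arguments[0];
  arguments[0] = 'changed-via-arguments';
  observed.afterArgumentsWrite = a;
  return observed;
`);

// Strict mode: the same writes do not cross over.
function strictNoAliasing(a) {
  'use strict';
  const observed = {};
  a = 'changed-via-param';
  observed.afterParamWrite = arguments[0];
  arguments[0] = 'changed-via-arguments';
  observed.afterArgumentsWrite = a;
  return observed;
}

// The case the change targets: strict, reads `arguments`, never assigns a
// parameter. Nothing observable depends on when the arguments object is
// created, so it can be materialised lazily at the first `arguments` use.
function strictReadOnlyParams(first, second) {
  'use strict';
  let sum = 0;
  for (let i = 0; i < arguments.length; i++) sum += arguments[i];
  return { first, second, count: arguments.length, sum };
}

// Constructed heuristic standing in for the parser's "is a parameter
// written?" tracking. It scans the function's source text for simple
// `p =`, `p +=`, `p++`, `p--` forms on declared parameters; it is not JSC's
// implementation and can be fooled (e.g. arrows, destructuring, eval).
function modifiesParameter(fn) {
  const src = fn.toString();
  const params = src.slice(src.indexOf('(') + 1, src.indexOf(')'))
    .split(',').map(s => s.trim()).filter(Boolean);
  const body = src.slice(src.indexOf('{'));
  return params.some(p =>
    new RegExp(`(^|[^\\w.$])${p}\\s*(=[^=]|[+\\-*/]=|\\+\\+|--)`).test(body));
}

// True when the function body opens with a 'use strict' directive.
function isStrict(fn) {
  return /^\s*function[^{]*\{\s*['"]use strict['"]/.test(fn.toString());
}

// An engine may skip eager arguments creation only when the function is
// strict (no aliasing) and never writes its parameters.
function canDelayArgumentsCreation(fn) {
  return isStrict(fn) && !modifiesParameter(fn);
}
```

        Run under Node: `canDelayArgumentsCreation(strictReadOnlyParams)` is true, while the
        sloppy-mode function (aliasing) and the strict function that assigns its parameter are
        both rejected.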
2804 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2805
2806         Remove useless code from COMPILER(RVCT) JITStubs
2807         https://bugs.webkit.org/show_bug.cgi?id=119521
2808
2809         Reviewed by Geoffrey Garen.
2810
2811         * jit/JITStubsARMv7.h:
2812         (JSC::ctiVMThrowTrampoline): "ldr r6, [sp, #PRESERVED_R6_OFFSET]" was called twice.
2813         (JSC::ctiOpThrowNotCaught): Ditto.
2814
2815 2013-07-23  David Farler  <dfarler@apple.com>
2816
2817         Provide optional OTHER_CFLAGS, OTHER_CPPFLAGS, OTHER_LDFLAGS additions for building with ASAN
2818         https://bugs.webkit.org/show_bug.cgi?id=117762
2819
2820         Reviewed by Mark Rowe.
2821
2822         * Configurations/DebugRelease.xcconfig:
2823         Add ASAN_OTHER_CFLAGS, CPLUSPLUSFLAGS, LDFLAGS.
2824         * Configurations/JavaScriptCore.xcconfig:
2825         Add ASAN_OTHER_LDFLAGS.
2826         * Configurations/ToolExecutable.xcconfig:
2827         Don't use ASAN for build tools.
2828
2829 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2830
2831         Build fix for ARM MSVC after r153222 and r153648.
2832
2833         * jit/JITStubsARM.h: Added ctiVMThrowTrampolineSlowpath.
2834
2835 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2836
2837         Build fix for ARM MSVC after r150109.
2838
2839         Read the stub template from a header file instead of JITStubs.cpp.
2840
2841         * CMakeLists.txt:
2842         * DerivedSources.pri:
2843         * create_jit_stubs:
2844
2845 2013-08-05  Oliver Hunt  <oliver@apple.com>
2846
2847         Move TypedArray implementation into JSC
2848         https://bugs.webkit.org/show_bug.cgi?id=119489
2849
2850         Reviewed by Filip Pizlo.
2851
2852         Move TypedArray implementation into JSC in advance of re-implementation
2853
2854         * GNUmakefile.list.am:
2855         * JSCTypedArrayStubs.h:
2856         * JavaScriptCore.xcodeproj/project.pbxproj:
2857         * runtime/ArrayBuffer.cpp: Renamed from Source/WTF/wtf/ArrayBuffer.cpp.
2858         (JSC::ArrayBuffer::transfer):
2859         (JSC::ArrayBuffer::addView):
2860         (JSC::ArrayBuffer::removeView):
2861         * runtime/ArrayBuffer.h: Renamed from Source/WTF/wtf/ArrayBuffer.h.
2862         (JSC::ArrayBufferContents::ArrayBufferContents):
2863         (JSC::ArrayBufferContents::data):
2864         (JSC::ArrayBufferContents::sizeInBytes):
2865         (JSC::ArrayBufferContents::transfer):
2866         (JSC::ArrayBufferContents::copyTo):
2867         (JSC::ArrayBuffer::isNeutered):
2868         (JSC::ArrayBuffer::~ArrayBuffer):
2869         (JSC::ArrayBuffer::clampValue):
2870         (JSC::ArrayBuffer::create):
2871         (JSC::ArrayBuffer::createUninitialized):
2872         (JSC::ArrayBuffer::ArrayBuffer):
2873         (JSC::ArrayBuffer::data):
2874         (JSC::ArrayBuffer::byteLength):
2875         (JSC::ArrayBuffer::slice):
2876         (JSC::ArrayBuffer::sliceImpl):
2877         (JSC::ArrayBuffer::clampIndex):
2878         (JSC::ArrayBufferContents::tryAllocate):
2879         (JSC::ArrayBufferContents::~ArrayBufferContents):
2880         * runtime/ArrayBufferView.cpp: Renamed from Source/WTF/wtf/ArrayBufferView.cpp.
2881         (JSC::ArrayBufferView::ArrayBufferView):
2882         (JSC::ArrayBufferView::~ArrayBufferView):
2883         (JSC::ArrayBufferView::neuter):
2884         * runtime/ArrayBufferView.h: Renamed from Source/WTF/wtf/ArrayBufferView.h.
2885         (JSC::ArrayBufferView::buffer):
2886         (JSC::ArrayBufferView::baseAddress):
2887         (JSC::ArrayBufferView::byteOffset):
2888         (JSC::ArrayBufferView::setNeuterable):
2889         (JSC::ArrayBufferView::isNeuterable):
2890         (JSC::ArrayBufferView::verifySubRange):
2891         (JSC::ArrayBufferView::clampOffsetAndNumElements):
2892         (JSC::ArrayBufferView::setImpl):
2893         (JSC::ArrayBufferView::setRangeImpl):
2894         (JSC::ArrayBufferView::zeroRangeImpl):
2895         (JSC::ArrayBufferView::calculateOffsetAndLength):
2896         * runtime/Float32Array.h: Renamed from Source/WTF/wtf/Float32Array.h.
2897         (JSC::Float32Array::set):
2898         (JSC::Float32Array::getType):
2899         (JSC::Float32Array::create):
2900         (JSC::Float32Array::createUninitialized):
2901         (JSC::Float32Array::Float32Array):
2902         (JSC::Float32Array::subarray):
2903         * runtime/Float64Array.h: Renamed from Source/WTF/wtf/Float64Array.h.
2904         (JSC::Float64Array::set):
2905         (JSC::Float64Array::getType):
2906         (JSC::Float64Array::create):
2907         (JSC::Float64Array::createUninitialized):
2908         (JSC::Float64Array::Float64Array):
2909         (JSC::Float64Array::subarray):
2910         * runtime/Int16Array.h: Renamed from Source/WTF/wtf/Int16Array.h.
2911         (JSC::Int16Array::getType):
2912         (JSC::Int16Array::create):
2913         (JSC::Int16Array::createUninitialized):
2914         (JSC::Int16Array::Int16Array):
2915         (JSC::Int16Array::subarray):
2916         * runtime/Int32Array.h: Renamed from Source/WTF/wtf/Int32Array.h.
2917         (JSC::Int32Array::getType):
2918         (JSC::Int32Array::create):
2919         (JSC::Int32Array::createUninitialized):
2920         (JSC::Int32Array::Int32Array):
2921         (JSC::Int32Array::subarray):
2922         * runtime/Int8Array.h: Renamed from Source/WTF/wtf/Int8Array.h.
2923         (JSC::Int8Array::getType):
2924         (JSC::Int8Array::create):
2925         (JSC::Int8Array::createUninitialized):
2926         (JSC::Int8Array::Int8Array):
2927         (JSC::Int8Array::subarray):
2928         * runtime/IntegralTypedArrayBase.h: Renamed from Source/WTF/wtf/IntegralTypedArrayBase.h.
2929         (JSC::IntegralTypedArrayBase::set):
2930         (JSC::IntegralTypedArrayBase::IntegralTypedArrayBase):
2931         * runtime/TypedArrayBase.h: Renamed from Source/WTF/wtf/TypedArrayBase.h.
2932         (JSC::TypedArrayBase::data):
2933         (JSC::TypedArrayBase::set):
2934         (JSC::TypedArrayBase::setRange):
2935         (JSC::TypedArrayBase::zeroRange):
2936         (JSC::TypedArrayBase::length):
2937         (JSC::TypedArrayBase::byteLength):
2938         (JSC::TypedArrayBase::item):
2939         (JSC::TypedArrayBase::checkInboundData):
2940         (JSC::TypedArrayBase::TypedArrayBase):
2941         (JSC::TypedArrayBase::create):
2942         (JSC::TypedArrayBase::createUninitialized):
2943         (JSC::TypedArrayBase::subarrayImpl):
2944         (JSC::TypedArrayBase::neuter):
2945         * runtime/Uint16Array.h: Renamed from Source/WTF/wtf/Uint16Array.h.
2946         (JSC::Uint16Array::getType):
2947         (JSC::Uint16Array::create):
2948         (JSC::Uint16Array::createUninitialized):
2949         (JSC::Uint16Array::Uint16Array):
2950         (JSC::Uint16Array::subarray):
2951         * runtime/Uint32Array.h: Renamed from Source/WTF/wtf/Uint32Array.h.
2952         (JSC::Uint32Array::getType):
2953         (JSC::Uint32Array::create):
2954         (JSC::Uint32Array::createUninitialized):
2955         (JSC::Uint32Array::Uint32Array):
2956         (JSC::Uint32Array::subarray):
2957         * runtime/Uint8Array.h: Renamed from Source/WTF/wtf/Uint8Array.h.
2958         (JSC::Uint8Array::getType):
2959         (JSC::Uint8Array::create):
2960         (JSC::Uint8Array::createUninitialized):
2961         (JSC::Uint8Array::Uint8Array):
2962         (JSC::Uint8Array::subarray):
2963         * runtime/Uint8ClampedArray.h: Renamed from Source/WTF/wtf/Uint8ClampedArray.h.
2964         (JSC::Uint8ClampedArray::getType):
2965         (JSC::Uint8ClampedArray::create):
2966         (JSC::Uint8ClampedArray::createUninitialized):
2967         (JSC::Uint8ClampedArray::zeroFill):
2968         (JSC::Uint8ClampedArray::set):
2969         (JSC::Uint8ClampedArray::Uint8ClampedArray):
2970         (JSC::Uint8ClampedArray::subarray):
2971         * runtime/VM.h:
2972
2973 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
2974
2975         Copied space should be able to handle more than one copied backing store per JSCell
2976         https://bugs.webkit.org/show_bug.cgi?id=119471
2977
2978         Reviewed by Mark Hahnenberg.
2979         
2980         This allows a cell to call copyLater() multiple times for multiple different
2981         backing stores, and then have copyBackingStore() called exactly once for each
2982         of those. A token tells it which backing store to copy. All backing stores
2983         must be named using the CopyToken, an enumeration which currently cannot
2984         exceed eight entries.
2985         
2986         When copyBackingStore() is called, it's up to the callee to (a) use the token
2987         to decide what to copy and (b) call its base class's copyBackingStore() in
2988         case the base class had something that needed copying. The only exception is
2989         that JSCell never asks anything to be copied, and so if your base is JSCell
2990         then you don't have to do anything.
2991
2992         * GNUmakefile.list.am:
2993         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2994         * JavaScriptCore.xcodeproj/project.pbxproj:
2995         * heap/CopiedBlock.h:
2996         * heap/CopiedBlockInlines.h:
2997         (JSC::CopiedBlock::reportLiveBytes):
2998         * heap/CopyToken.h: Added.
2999         * heap/CopyVisitor.cpp:
3000         (JSC::CopyVisitor::copyFromShared):
3001         * heap/CopyVisitor.h:
3002         * heap/CopyVisitorInlines.h:
3003         (JSC::CopyVisitor::visitItem):
3004         * heap/CopyWorkList.h:
3005         (JSC::CopyWorklistItem::CopyWorklistItem):
3006         (JSC::CopyWorklistItem::cell):
3007         (JSC::CopyWorklistItem::token):
3008         (JSC::CopyWorkListSegment::get):
3009         (JSC::CopyWorkListSegment::append):
3010         (JSC::CopyWorkListSegment::data):
3011         (JSC::CopyWorkListIterator::get):
3012         (JSC::CopyWorkListIterator::operator*):
3013         (JSC::CopyWorkListIterator::operator->):
3014         (JSC::CopyWorkList::append):
3015         * heap/SlotVisitor.h:
3016         * heap/SlotVisitorInlines.h:
3017         (JSC::SlotVisitor::copyLater):
3018         * runtime/ClassInfo.h:
3019         * runtime/JSCell.cpp:
3020         (JSC::JSCell::copyBackingStore):
3021         * runtime/JSCell.h:
3022         * runtime/JSObject.cpp:
3023         (JSC::JSObject::visitButterfly):
3024         (JSC::JSObject::copyBackingStore):
3025         * runtime/JSObject.h:
3026
3027 2013-08-05  Zan Dobersek  <zdobersek@igalia.com>
3028
3029         [Automake] Define ENABLE_JIT through the Autoconf header
3030         https://bugs.webkit.org/show_bug.cgi?id=119445
3031
3032         Reviewed by Martin Robinson.
3033
3034         * GNUmakefile.am: Remove JSC_CPPFLAGS from the cpp flags for the JSC library.
3035
3036 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
3037
3038         hasIndexingHeader() ought really to be a property of an object and its structure, not just its structure
3039         https://bugs.webkit.org/show_bug.cgi?id=119470
3040
3041         Reviewed by Oliver Hunt.
3042         
3043         Structure can still tell you if the object "could" (in the conservative sense)
3044         have an indexing header; that's used by the compiler.
3045         
3046         Most of the time if you want to know if there's an indexing header, you ask the
3047         JSObject.
3048         
3049         In some cases, the JSObject wants to know if it would have an indexing header if
3050         it had a different structure; then it uses Structure::hasIndexingHeader(JSCell*).
3051
3052         * dfg/DFGRepatch.cpp:
3053         (JSC::DFG::tryCachePutByID):
3054         (JSC::DFG::tryBuildPutByIdList):
3055         * dfg/DFGSpeculativeJIT.cpp:
3056         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3057         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3058         * runtime/ButterflyInlines.h:
3059         (JSC::Butterfly::create):
3060         (JSC::Butterfly::growPropertyStorage):
3061         (JSC::Butterfly::growArrayRight):
3062         (JSC::Butterfly::resizeArray):
3063         * runtime/JSObject.cpp:
3064         (JSC::JSObject::copyButterfly):
3065         (JSC::JSObject::visitButterfly):
3066         * runtime/JSObject.h:
3067         (JSC::JSObject::hasIndexingHeader):
3068         (JSC::JSObject::setButterfly):
3069         * runtime/Structure.h:
3070         (JSC::Structure::couldHaveIndexingHeader):
3071         (JSC::Structure::hasIndexingHeader):
3072
3073 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
3074
3075         Give the error object's stack property accessor attributes.
3076         https://bugs.webkit.org/show_bug.cgi?id=119404
3077
3078         Reviewed by Geoffrey Garen.
3079         
3080         Changed the attributes of error object's stack property to allow developers to write
3081         and delete the stack property. This will match the functionality of Chrome. Firefox  
3082         allows developers to write the error's stack, but not delete it. 
3083
3084         * interpreter/Interpreter.cpp:
3085         (JSC::Interpreter::addStackTraceIfNecessary):
3086         * runtime/ErrorInstance.cpp:
3087         (JSC::ErrorInstance::finishCreation):
3088
3089 2013-08-02  Oliver Hunt  <oliver@apple.com>
3090
3091         Incorrect type speculation reported by ToPrimitive
3092         https://bugs.webkit.org/show_bug.cgi?id=119458
3093
3094         Reviewed by Mark Hahnenberg.
3095
3096         Make sure that we report the correct type possibilities for the output
3097         from ToPrimitive
3098
3099         * dfg/DFGAbstractInterpreterInlines.h:
3100         (JSC::DFG::::executeEffects):
3101
3102 2013-08-02  Gavin Barraclough  <barraclough@apple.com>
3103
3104         Remove no-arguments constructor to PropertySlot
3105         https://bugs.webkit.org/show_bug.cgi?id=119460
3106
3107         Reviewed by Geoff Garen.
3108
3109         This constructor was unsafe if getValue is subsequently called,
3110         and the property is a getter. Simplest to just remove it.
3111
3112         * runtime/Arguments.cpp:
3113         (JSC::Arguments::defineOwnProperty):
3114         * runtime/JSActivation.cpp:
3115         (JSC::JSActivation::getOwnPropertyDescriptor):
3116         * runtime/JSFunction.cpp:
3117         (JSC::JSFunction::getOwnPropertyDescriptor):
3118         (JSC::JSFunction::getOwnNonIndexPropertyNames):
3119         (JSC::JSFunction::put):
3120         (JSC::JSFunction::defineOwnProperty):
3121         * runtime/JSGlobalObject.cpp:
3122         (JSC::JSGlobalObject::defineOwnProperty):
3123         * runtime/JSGlobalObject.h:
3124         (JSC::JSGlobalObject::hasOwnPropertyForWrite):
3125         * runtime/JSNameScope.cpp:
3126         (JSC::JSNameScope::put):
3127         * runtime/JSONObject.cpp:
3128         (JSC::Stringifier::Holder::appendNextProperty):
3129         (JSC::Walker::walk):
3130         * runtime/JSObject.cpp:
3131         (JSC::JSObject::hasProperty):
3132         (JSC::JSObject::hasOwnProperty):
3133         (JSC::JSObject::reifyStaticFunctionsForDelete):
3134         * runtime/Lookup.h:
3135         (JSC::getStaticPropertyDescriptor):
3136         (JSC::getStaticFunctionDescriptor):
3137         (JSC::getStaticValueDescriptor):
3138         * runtime/ObjectConstructor.cpp:
3139         (JSC::defineProperties):
3140         * runtime/PropertySlot.h:
3141
3142 2013-08-02  Mark Hahnenberg  <mhahnenberg@apple.com>
3143
3144         DFG validation can cause assertion failures due to dumping
3145         https://bugs.webkit.org/show_bug.cgi?id=119456
3146
3147         Reviewed by Geoffrey Garen.
3148
3149         * bytecode/CodeBlock.cpp:
3150         (JSC::CodeBlock::hasHash):
3151         (JSC::CodeBlock::isSafeToComputeHash):
3152         (JSC::CodeBlock::hash):
3153         (JSC::CodeBlock::dumpAssumingJITType):
3154         * bytecode/CodeBlock.h:
3155
3156 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
3157
3158         Have vm's exceptionStack match java's vm's exceptionStack.
3159         https://bugs.webkit.org/show_bug.cgi?id=119362
3160
3161         Reviewed by Geoffrey Garen.
3162         
3163         The error object's stack is only updated if it does not exist yet. This matches 
3164         the functionality of other browsers, and Java VMs. 
3165
3166         * interpreter/Interpreter.cpp:
3167         (JSC::Interpreter::addStackTraceIfNecessary):
3168         (JSC::Interpreter::throwException):
3169         * runtime/VM.cpp:
3170         (JSC::VM::clearExceptionStack):
3171         * runtime/VM.h:
3172         (JSC::VM::lastExceptionStack):
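
As an added example that is not part of this ChangeLog, the following script probes the behaviour the entries for bugs 119404 and 119362 describe: the error object's stack property is writable and deletable, and a stack that has already been recorded is kept when the same error is rethrown. It also checks that the property is not enumerable, which is how current engines define it and which is why a stack (and the file paths in it) does not leak through key enumeration or JSON.stringify; the script assumes a modern engine such as Node.js and constructs its own sample error.

```javascript
// Added example, not code from the WebKit ChangeLog. Probes how the running
// engine treats an Error object's "stack" property and returns the findings
// so a test (or a library that relies on these attributes) can check them.

function probeErrorStack() {
  const err = new Error('constructed sample error'); // constructed sample input
  const result = {};

  // Present, but hidden from enumeration: a logger that serialises errors with
  // JSON.stringify or for...in will not emit the stack and its file paths.
  result.present = 'stack' in err;
  result.enumerable = Object.keys(err).includes('stack');
  for (const key in err) {
    if (key === 'stack') result.enumerable = true;
  }
  result.jsonExposesStack = JSON.stringify(err).includes('stack');

  // Writable: a program may overwrite the stack, e.g. to redact it before the
  // error crosses a trust boundary.
  const original = err.stack;
  err.stack = 'redacted';
  result.writable = err.stack === 'redacted';
  err.stack = original;

  // Recorded once: rethrowing the same error object must not replace the stack
  // that was captured when the error was first created/thrown.
  function rethrow(e) {
    throw e;
  }
  let caught = null;
  try {
    rethrow(err);
  } catch (e) {
    caught = e;
  }
  result.stackSurvivesRethrow = caught === err && caught.stack === original;

  // Deletable (configurable): delete succeeds and removes the own property.
  result.deletable =
    delete err.stack && !Object.prototype.hasOwnProperty.call(err, 'stack');

  return result;
}

console.log(JSON.stringify(probeErrorStack(), null, 2));
```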
3173
3174 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
3175
3176         REGRESSION(FTL): Fix mips implementation of ctiVMThrowTrampolineSlowpath.
3177         https://bugs.webkit.org/show_bug.cgi?id=119447
3178
3179         Reviewed by Geoffrey Garen.
3180
3181         Fix .cpload, update call frame and do not restore registers from JIT stack frame in
3182         mips implementation of ctiVMThrowTrampolineSlowpath. This change is similar to
3183         r153583 (sh4) and r153648 (ARM).
3184
3185         * jit/JITStubsMIPS.h:
3186
3187 2013-08-01  Filip Pizlo  <fpizlo@apple.com>
3188
3189         hasIndexingHeader should be a property of the Structure, not just the IndexingType
3190         https://bugs.webkit.org/show_bug.cgi?id=119422
3191
3192         Reviewed by Oliver Hunt.
3193         
3194         This simplifies some code and also allows Structure to claim that an object
3195         has an indexing header even if it doesn't have indexed properties.
3196         
3197         I also changed some calls to use hasIndexedProperties() since in some cases,
3198         that's what we actually meant. Currently the two are synonyms.
3199
3200         * dfg/DFGRepatch.cpp:
3201         (JSC::DFG::tryCachePutByID):
3202         (JSC::DFG::tryBuildPutByIdList):
3203         * dfg/DFGSpeculativeJIT.cpp:
3204         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3205         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3206         * runtime/ButterflyInlines.h:
3207         (JSC::Butterfly::create):
3208         (JSC::Butterfly::growPropertyStorage):
3209         (JSC::Butterfly::growArrayRight):
3210         (JSC::Butterfly::resizeArray):
3211         * runtime/IndexingType.h:
3212         * runtime/JSObject.cpp:
3213         (JSC::JSObject::copyButterfly):
3214         (JSC::JSObject::visitButterfly):
3215         (JSC::JSObject::setPrototype):
3216         * runtime/JSObject.h:
3217         (JSC::JSObject::setButterfly):
3218         * runtime/JSPropertyNameIterator.cpp:
3219         (JSC::JSPropertyNameIterator::create):
3220         * runtime/Structure.h:
3221         (JSC::Structure::hasIndexingHeader):
3222
3223 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
3224
3225         REGRESSION: ARM still crashes after change set r153612.
3226         https://bugs.webkit.org/show_bug.cgi?id=119433
3227
3228         Reviewed by Michael Saboff.
3229
3230         Update call frame and do not restore registers from JIT stack frame in ARM and ARMv7
3231         implementations of ctiVMThrowTrampolineSlowpath. This change is similar to r153583
3232         for sh4 architecture.
3233
3234         * jit/JITStubsARM.h:
3235         * jit/JITStubsARMv7.h:
3236
3237 2013-08-02  Michael Saboff  <msaboff@apple.com>
3238
3239         REGRESSION(r153612): It made jsc and layout tests crash
3240         https://bugs.webkit.org/show_bug.cgi?id=119440
3241
3242         Reviewed by Csaba Osztrogonác.
3243
3244         Made the changes in changeset r153612 only apply to 32 bit builds.
3245
3246         * jit/JITExceptions.cpp:
3247         * jit/JITExceptions.h:
3248         * jit/JITStubs.cpp:
3249         (JSC::cti_vm_throw_slowpath):
3250         * jit/JITStubs.h:
3251
3252 2013-08-02  Patrick Gansterer  <paroga@webkit.org>
3253
3254         Add JSCTestRunnerUtils to the list of forwarding headers to fix build.
3255
3256         * CMakeLists.txt:
3257
3258 2013-08-01  Ruth Fong  <ruth_fong@apple.com>
3259
3260         [Forms: color] <input type='color'> popover color well implementation
3261         <rdar://problem/14411008> and https://bugs.webkit.org/show_bug.cgi?id=119356
3262
3263         Reviewed by Benjamin Poulain.
3264
3265         * Configurations/FeatureDefines.xcconfig: Added and enabled INPUT_TYPE_COLOR_POPOVER.
3266
3267 2013-08-01  Oliver Hunt  <oliver@apple.com>
3268
3269         DFG is not enforcing correct ordering of ToString conversion in MakeRope
3270         https://bugs.webkit.org/show_bug.cgi?id=119408
3271
3272         Reviewed by Filip Pizlo.
3273
3274         Construct ToString and Phantom nodes in advance of MakeRope
3275         nodes to ensure that ordering is ensured, and correct values
3276         will be reified on OSR exit.
3277
3278         * dfg/DFGByteCodeParser.cpp:
3279         (JSC::DFG::ByteCodeParser::parseBlock):
3280
3281 2013-08-01  Michael Saboff  <msaboff@apple.com>
3282
3283         REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
3284         https://bugs.webkit.org/show_bug.cgi?id=119140
3285
3286         Reviewed by Filip Pizlo.
3287
3288         Ensure that ExceptionHandler is returned by functions in two registers by encoding the value as a 64 bit int.
3289
3290         * jit/JITExceptions.cpp:
3291         (JSC::encode):
3292         * jit/JITExceptions.h:
3293         * jit/JITStubs.cpp:
3294         (JSC::cti_vm_throw_slowpath):
3295         * jit/JITStubs.h:
3296
3297 2013-08-01  Julien Brianceau  <jbrianceau@nds.com>
3298
3299         REGRESSION(FTL): Fix sh4 implementation of ctiVMThrowTrampolineSlowpath.
3300         https://bugs.webkit.org/show_bug.cgi?id=119391
3301
3302         Reviewed by Csaba Osztrogonác.
3303
3304         * jit/JITStubsSH4.h: Fix ctiVMThrowTrampolineSlowpath implementation:
3305             - Call frame is in r14 register.
3306             - Do not restore registers from JIT stack frame here.
3307
3308 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
3309
3310         More cleanup in PropertySlot
3311         https://bugs.webkit.org/show_bug.cgi?id=119359
3312
3313         Reviewed by Geoff Garen.
3314
3315         m_slotBase is overloaded to store the (receiver) thisValue and the object that contains the property.
3316         This is confusing, and means that slotBase cannot be typed correctly (can only be a JSObject).
3317
3318         * dfg/DFGRepatch.cpp:
3319         (JSC::DFG::tryCacheGetByID):
3320         (JSC::DFG::tryBuildGetByIDList):
3321             - No need to ASSERT slotBase is an object.
3322         * jit/JITStubs.cpp:
3323         (JSC::tryCacheGetByID):
3324         (JSC::DEFINE_STUB_FUNCTION):
3325             - No need to ASSERT slotBase is an object.
3326         * runtime/JSObject.cpp:
3327         (JSC::JSObject::getOwnPropertySlotByIndex):
3328         (JSC::JSObject::fillGetterPropertySlot):
3329             - Pass an object through to setGetterSlot.
3330         * runtime/JSObject.h:
3331         (JSC::PropertySlot::getValue):
3332             - Moved from PropertySlot (need to know about JSObject).
3333         * runtime/PropertySlot.cpp:
3334         (JSC::PropertySlot::functionGetter):
3335             - update per member name changes
3336         * runtime/PropertySlot.h:
3337         (JSC::PropertySlot::PropertySlot):
3338             - Argument to constructor set to 'thisValue'.
3339         (JSC::PropertySlot::slotBase):
3340             - This returns a JSObject*.
3341         (JSC::PropertySlot::setValue):
3342         (JSC::PropertySlot::setCustom):
3343         (JSC::PropertySlot::setCacheableCustom):
3344         (JSC::PropertySlot::setCustomIndex):
3345         (JSC::PropertySlot::setGetterSlot):
3346         (JSC::PropertySlot::setCacheableGetterSlot):
3347             - slotBase is a JSObject*, make setGetterSlot set slotBase for consistency.
3348         * runtime/SparseArrayValueMap.cpp:
3349         (JSC::SparseArrayEntry::get):
3350             - Pass an object through to setGetterSlot.
3351         * runtime/SparseArrayValueMap.h:
3352             - Pass an object through to setGetterSlot.
3353
3354 2013-07-31  Yi Shen  <max.hong.shen@gmail.com>
3355
3356         Reduce JSC API static value setter/getter overhead.
3357         https://bugs.webkit.org/show_bug.cgi?id=119277
3358
3359         Reviewed by Geoffrey Garen.
3360
3361         Add property name to the static value entry, so that OpaqueJSString::create() doesn't
3362         need to be called every time the static value is set or read.
3363
3364         * API/JSCallbackObjectFunctions.h:
3365         (JSC::::put):
3366         (JSC::::putByIndex):
3367         (JSC::::getStaticValue):
3368         * API/JSClassRef.cpp:
3369         (OpaqueJSClassContextData::OpaqueJSClassContextData):
3370         * API/JSClassRef.h:
3371         (StaticValueEntry::StaticValueEntry):
3372
3373 2013-07-31  Kwang Yul Seo  <skyul@company100.net>
3374
3375         Use emptyString instead of String("")
3376         https://bugs.webkit.org/show_bug.cgi?id=119335
3377
3378         Reviewed by Darin Adler.
3379
3380         Use emptyString() instead of String("") because it is better style and
3381         faster. This is a followup to r116908, removing all occurrences of
3382         String("") from WebKit.
3383
3384         * runtime/RegExpConstructor.cpp:
3385         (JSC::constructRegExp):
3386         * runtime/RegExpPrototype.cpp:
3387         (JSC::regExpProtoFuncCompile):
3388         * runtime/StringPrototype.cpp:
3389         (JSC::stringProtoFuncMatch):
3390         (JSC::stringProtoFuncSearch):
3391
3392 2013-07-31  Ruth Fong  <ruth_fong@apple.com>
3393
3394         <input type=color> Mac UI behaviour
3395         <rdar://problem/10269922> and https://bugs.webkit.org/show_bug.cgi?id=61276
3396
3397         Reviewed by Brady Eidson.
3398
3399         * Configurations/FeatureDefines.xcconfig: Enabled INPUT_TYPE_COLOR.
3400
3401 2013-07-31  Mark Hahnenberg  <mhahnenberg@apple.com>
3402
3403         DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT
3404         https://bugs.webkit.org/show_bug.cgi?id=119349
3405
3406         Reviewed by Geoffrey Garen.
3407
3408         Prior to this patch, the baseline JIT was responsible for resizing the ctiOffsets Vector for 
3409         SimpleJumpTables to be equal to the size of the branchOffsets Vector. The DFG implicitly relied
3410         on code it compiled with any switch statements to have been run in the baseline JIT first. 
3411         However, if the DFG chooses to inline a function that has never been compiled by the baseline 
3412         JIT then this resizing never happens and we crash at link time in the DFG.
3413
3414         We can fix this by also doing the resize in the DFG to catch this case.
3415
3416         * dfg/DFGJITCompiler.cpp:
3417         (JSC::DFG::JITCompiler::link):
3418
3419 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
3420
3421         Speculative Windows build fix.
3422
3423         Reviewed by NOBODY
3424
3425         * runtime/JSString.cpp:
3426         (JSC::JSRopeString::getIndexSlowCase):
3427         * runtime/JSString.h:
3428
3429 2013-07-30  Gavin Barraclough  <barraclough@apple.com>
3430
3431         Some cleanup in JSValue::get
3432         https://bugs.webkit.org/show_bug.cgi?id=119343
3433
3434         Reviewed by Geoff Garen.
3435
3436         JSValue::get is implemented to:
3437             1) Check if the value is a cell – if not, synthesize a prototype to search,
3438             2) call getOwnPropertySlot on the cell,
3439             3) if this returns false, cast to JSObject to get the prototype, and walk the prototype chain.
3440         By all rights this should crash when passed a string and accessing a property that does not exist, because
3441         the string is a cell, getOwnPropertySlot should return false, and the cast to JSObject should be unsafe.
3442         To work around this, JSString::getOwnPropertySlot actually implements 'get' functionality - searching the
3443         prototype chain, and faking out a return value of undefined if no property is found.
3444
3445         This is a huge hazard, since fixing JSString::getOwnPropertySlot or calling getOwnPropertySlot on cells
3446         from elsewhere would introduce bugs. Fortunately it is only ever called in this one place.
3447
3448         The fix here is to move getOwnPropertySlot onto JSObject and end this madness - cells don't have property
3449         slots anyway.
3450
3451         Interesting changes are in JSCJSValueInlines.h, JSString.cpp - the rest is pretty much all JSCell -> JSObject.
3452
3453 2013-07-31  Michael Saboff  <msaboff@apple.com>
3454
3455         [Win] JavaScript crash.
3456         https://bugs.webkit.org/show_bug.cgi?id=119339
3457
3458         Reviewed by Mark Hahnenberg.
3459
3460         * jit/JITStubsX86.h: Implement ctiVMThrowTrampoline and
3461         ctiVMThrowTrampolineSlowpath the same way as the gcc x86 version does.
3462
3463 2013-07-30  Mark Hahnenberg  <mhahnenberg@apple.com>
3464
3465         GetByVal on Arguments does the wrong size load when checking the Arguments object length
3466         https://bugs.webkit.org/show_bug.cgi?id=119281
3467
3468         Reviewed by Geoffrey Garen.
3469
3470         This leads to out of bounds accesses and subsequent crashes.
3471
3472         * dfg/DFGSpeculativeJIT.cpp:
3473         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
3474         * dfg/DFGSpeculativeJIT64.cpp:
3475         (JSC::DFG::SpeculativeJIT::compile):
3476
3477 2013-07-30  Oliver Hunt  <oliver@apple.com>
3478
3479         Add an assertion to SpeculateCellOperand
3480         https://bugs.webkit.org/show_bug.cgi?id=119276
3481
3482         Reviewed by Michael Saboff.
3483
3484         More assertions are better
3485
3486         * dfg/DFGSpeculativeJIT64.cpp:
3487         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3488         (JSC::DFG::SpeculativeJIT::compile):
3489
3490 2013-07-30  Mark Lam  <mark.lam@apple.com>
3491
3492         Fix problems with divot and lineStart mismatches.
3493         https://bugs.webkit.org/show_bug.cgi?id=118662.
3494
3495         Reviewed by Oliver Hunt.
3496
3497         r152494 added the recording of lineStart values for divot positions.
3498         This is needed for the computation of column numbers. Similarly, it also
3499         added the recording of line numbers for the divot positions. One problem
3500         with the approach taken was that the line and lineStart values were
3501         recorded independently, and hence were not always guaranteed to be
3502         sampled at the same place that the divot position is recorded. This
3503         resulted in potential mismatches that cause some assertions to fail.
3504
3505         The solution is to introduce a JSTextPosition abstraction that records
3506         the divot position, line, and lineStart as a single quantity. Wherever
3507         we record the divot position as an unsigned int previously, we now record
3508         its JSTextPosition which captures all 3 values in one go. This ensures
3509         that the captured line and lineStart will always match the captured divot
3510         position.
3511
3512         * bytecompiler/BytecodeGenerator.cpp:
3513         (JSC::BytecodeGenerator::emitCall):
3514         (JSC::BytecodeGenerator::emitCallEval):
3515         (JSC::BytecodeGenerator::emitCallVarargs):
3516         (JSC::BytecodeGenerator::emitConstruct):
3517         (JSC::BytecodeGenerator::emitDebugHook):
3518         - Use JSTextPosition instead of passing line and lineStart explicitly.
3519         * bytecompiler/BytecodeGenerator.h:
3520         (JSC::BytecodeGenerator::emitExpressionInfo):
3521         - Use JSTextPosition instead of passing line and lineStart explicitly.
3522         * bytecompiler/NodesCodegen.cpp:
3523         (JSC::ThrowableExpressionData::emitThrowReferenceError):
3524         (JSC::ResolveNode::emitBytecode):
3525         (JSC::BracketAccessorNode::emitBytecode):
3526         (JSC::DotAccessorNode::emitBytecode):
3527         (JSC::NewExprNode::emitBytecode):
3528         (JSC::EvalFunctionCallNode::emitBytecode):
3529         (JSC::FunctionCallValueNode::emitBytecode):
3530         (JSC::FunctionCallResolveNode::emitBytecode):
3531         (JSC::FunctionCallBracketNode::emitBytecode):
3532         (JSC::FunctionCallDotNode::emitBytecode):
3533         (JSC::CallFunctionCallDotNode::emitBytecode):
3534         (JSC::ApplyFunctionCallDotNode::emitBytecode):
3535         (JSC::PostfixNode::emitResolve):
3536         (JSC::PostfixNode::emitBracket):
3537         (JSC::PostfixNode::emitDot):
3538         (JSC::DeleteResolveNode::emitBytecode):
3539         (JSC::DeleteBracketNode::emitBytecode):
3540         (JSC::DeleteDotNode::emitBytecode):
3541         (JSC::PrefixNode::emitResolve):
3542         (JSC::PrefixNode::emitBracket):
3543         (JSC::PrefixNode::emitDot):
3544         (JSC::UnaryOpNode::emitBytecode):
3545         (JSC::BinaryOpNode::emitStrcat):
3546         (JSC::BinaryOpNode::emitBytecode):
3547         (JSC::ThrowableBinaryOpNode::emitBytecode):
3548         (JSC::InstanceOfNode::emitBytecode):
3549         (JSC::emitReadModifyAssignment):
3550         (JSC::ReadModifyResolveNode::emitBytecode):
3551         (JSC::AssignResolveNode::emitBytecode):
3552         (JSC::AssignDotNode::emitBytecode):
3553         (JSC::ReadModifyDotNode::emitBytecode):
3554         (JSC::AssignBracketNode::emitBytecode):
3555         (JSC::ReadModifyBracketNode::emitBytecode):
3556         (JSC::ForInNode::emitBytecode):
3557         (JSC::WithNode::emitBytecode):
3558         (JSC::ThrowNode::emitBytecode):
3559         - Use JSTextPosition instead of passing line and lineStart explicitly.
3560         * parser/ASTBuilder.h:
3561         - Replaced ASTBuilder::PositionInfo with JSTextPosition.
3562         (JSC::ASTBuilder::BinaryOpInfo::BinaryOpInfo):
3563         (JSC::ASTBuilder::AssignmentInfo::AssignmentInfo):
3564         (JSC::ASTBuilder::createResolve):
3565         (JSC::ASTBuilder::createBracketAccess):
3566         (JSC::ASTBuilder::createDotAccess):
3567         (JSC::ASTBuilder::createRegExp):
3568         (JSC::ASTBuilder::createNewExpr):
3569         (JSC::ASTBuilder::createAssignResolve):
3570         (JSC::ASTBuilder::createExprStatement):
3571         (JSC::ASTBuilder::createForInLoop):
3572         (JSC::ASTBuilder::createReturnStatement):
3573         (JSC::ASTBuilder::createBreakStatement):
3574         (JSC::ASTBuilder::createContinueStatement):
3575         (JSC::ASTBuilder::createLabelStatement):
3576         (JSC::ASTBuilder::createWithStatement):
3577         (JSC::ASTBuilder::createThrowStatement):
3578         (JSC::ASTBuilder::appendBinaryExpressionInfo):
3579         (JSC::ASTBuilder::appendUnaryToken):
3580         (JSC::ASTBuilder::unaryTokenStackLastStart):
3581         (JSC::ASTBuilder::assignmentStackAppend):
3582         (JSC::ASTBuilder::createAssignment):
3583         (JSC::ASTBuilder::setExceptionLocation):
3584         (JSC::ASTBuilder::makeDeleteNode):
3585         (JSC::ASTBuilder::makeFunctionCallNode):
3586         (JSC::ASTBuilder::makeBinaryNode):
3587         (JSC::ASTBuilder::makeAssignNode):
3588         (JSC::ASTBuilder::makePrefixNode):
3589         (JSC::ASTBuilder::makePostfixNode):
3590         - Use JSTextPosition instead of passing line and lineStart explicitly.
3591         * parser/Lexer.cpp:
3592         (JSC::::lex):
3593         - Added support for capturing the appropriate JSTextPositions instead
3594           of just the character offset.
3595         * parser/Lexer.h:
3596         (JSC::Lexer::currentPosition):
3597         (JSC::::lexExpectIdentifier):
3598         - Added support for capturing the appropriate JSTextPositions instead
3599           of just the character offset.
3600         * parser/NodeConstructors.h:
3601         (JSC::Node::Node):
3602         (JSC::ResolveNode::ResolveNode):
3603         (JSC::EvalFunctionCallNode::EvalFunctionCallNode):
3604         (JSC::FunctionCallValueNode::FunctionCallValueNode):
3605         (JSC::FunctionCallResolveNode::FunctionCallResolveNode):
3606         (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
3607         (JSC::FunctionCallDotNode::FunctionCallDotNode):
3608         (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
3609         (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
3610         (JSC::PostfixNode::PostfixNode):
3611         (JSC::DeleteResolveNode::DeleteResolveNode):
3612         (JSC::DeleteBracketNode::DeleteBracketNode):
3613         (JSC::DeleteDotNode::DeleteDotNode):
3614         (JSC::PrefixNode::PrefixNode):
3615         (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
3616         (JSC::ReadModifyBracketNode::ReadModifyBracketNode):
3617         (JSC::AssignBracketNode::AssignBracketNode):
3618         (JSC::AssignDotNode::AssignDotNode):
3619         (JSC::ReadModifyDotNode::ReadModifyDotNode):
3620         (JSC::AssignErrorNode::AssignErrorNode):
3621         (JSC::WithNode::WithNode):
3622         (JSC::ForInNode::ForInNode):
3623         - Use JSTextPosition instead of passing line and lineStart explicitly.
3624         * parser/Nodes.cpp:
3625         (JSC::StatementNode::setLoc):
3626         - Use JSTextPosition instead of passing line and lineStart explicitly.
3627         * parser/Nodes.h:
3628         (JSC::Node::lineNo):
3629         (JSC::Node::startOffset):
3630         (JSC::Node::lineStartOffset):
3631         (JSC::Node::position):
3632         (JSC::ThrowableExpressionData::ThrowableExpressionData):
3633         (JSC::ThrowableExpressionData::setExceptionSourceCode):
3634         (JSC::ThrowableExpressionData::divot):
3635         (JSC::ThrowableExpressionData::divotStart):
3636         (JSC::ThrowableExpressionData::divotEnd):
3637         (JSC::ThrowableSubExpressionData::ThrowableSubExpressionData):
3638         (JSC::ThrowableSubExpressionData::setSubexpressionInfo):
3639         (JSC::ThrowableSubExpressionData::subexpressionDivot):
3640         (JSC::ThrowableSubExpressionData::subexpressionStart):
3641         (JSC::ThrowableSubExpressionData::subexpressionEnd):
3642         (JSC::ThrowablePrefixedSubExpressionData::ThrowablePrefixedSubExpressionData):
3643         (JSC::ThrowablePrefixedSubExpressionData::setSubexpressionInfo):
3644         (JSC::ThrowablePrefixedSubExpressionData::subexpressionDivot):
3645         (JSC::ThrowablePrefixedSubExpressionData::subexpressionStart):
3646         (JSC::ThrowablePrefixedSubExpressionData::subexpressionEnd):
3647         - Use JSTextPosition instead of passing line and lineStart explicitly.
3648         * parser/Parser.cpp:
3649         (JSC::::Parser):
3650         (JSC::::parseInner):
3651         - Use JSTextPosition instead of passing line and lineStart explicitly.
3652         (JSC::::didFinishParsing):
3653         - Remove setting of m_lastLine value. We always pass in the value from
3654           m_lastLine anyway. So, this assignment is effectively a nop.
3655         (JSC::::parseVarDeclaration):
3656         (JSC::::parseVarDeclarationList):
3657         (JSC::::parseForStatement):
3658         (JSC::::parseBreakStatement):
3659         (JSC::::parseContinueStatement):
3660         (JSC::::parseReturnStatement):
3661         (JSC::::parseThrowStatement):
3662         (JSC::::parseWithStatement):
3663         (JSC::::parseTryStatement):
3664         (JSC::::parseBlockStatement):
3665         (JSC::::parseFunctionDeclaration):
3666         (JSC::LabelInfo::LabelInfo):
3667         (JSC::::parseExpressionOrLabelStatement):
3668         (JSC::::parseExpressionStatement):
3669         (JSC::::parseAssignmentExpression):
3670         (JSC::::parseBinaryExpression):
3671         (JSC::::parseProperty):
3672         (JSC::::parsePrimaryExpression):
3673         (JSC::::parseMemberExpression):
3674         (JSC::::parseUnaryExpression):
3675         - Use JSTextPosition instead of passing line and lineStart explicitly.
3676         * parser/Parser.h:
3677         (JSC::Parser::next):
3678         (JSC::Parser::nextExpectIdentifier):
3679         (JSC::Parser::getToken):
3680         (JSC::Parser::tokenStartPosition):
3681         (JSC::Parser::tokenEndPosition):
3682         (JSC::Parser::lastTokenEndPosition):
3683         (JSC::::parse):
3684         - Use JSTextPosition instead of passing line and lineStart explicitly.
3685         * parser/ParserTokens.h:
3686         (JSC::JSTextPosition::JSTextPosition):
3687         (JSC::JSTextPosition::operator+):
3688         (JSC::JSTextPosition::operator-):
3689         (JSC::JSTextPosition::operator int):
3690         - Added JSTextPosition.
3691         * parser/SyntaxChecker.h:
3692         (JSC::SyntaxChecker::makeFunctionCallNode):
3693         (JSC::SyntaxChecker::makeAssignNode):
3694         (JSC::SyntaxChecker::makePrefixNode):
3695         (JSC::SyntaxChecker::makePostfixNode):
3696         (JSC::SyntaxChecker::makeDeleteNode):
3697         (JSC::SyntaxChecker::createResolve):
3698         (JSC::SyntaxChecker::createBracketAccess):
3699         (JSC::SyntaxChecker::createDotAccess):
3700         (JSC::SyntaxChecker::createRegExp):
3701         (JSC::SyntaxChecker::createNewExpr):
3702         (JSC::SyntaxChecker::createAssignResolve):
3703         (JSC::SyntaxChecker::createForInLoop):
3704         (JSC::SyntaxChecker::createReturnStatement):
3705         (JSC::SyntaxChecker::createBreakStatement):
3706         (JSC::SyntaxChecker::createContinueStatement):
3707         (JSC::SyntaxChecker::createWithStatement):
3708         (JSC::SyntaxChecker::createLabelStatement):
3709         (JSC::SyntaxChecker::createThrowStatement):
3710         (JSC::SyntaxChecker::appendBinaryExpressionInfo):
3711         (JSC::SyntaxChecker::operatorStackPop):
3712         - Use JSTextPosition instead of passing line and lineStart explicitly.
3713
3714 2013-07-29  Carlos Garcia Campos  <cgarcia@igalia.com>
3715
3716         Unreviewed. Fix make distcheck.
3717
3718         * GNUmakefile.list.am: Add missing files to compilation.
3719         * bytecode/CodeBlock.cpp: Add a ENABLE(FTL_JIT) #if block to
3720         include FTL header files not included in the compilation.
3721         * dfg/DFGDriver.cpp: Ditto.
3722         * dfg/DFGPlan.cpp: Ditto.
3723
3724 2013-07-29  Chris Curtis  <chris_curtis@apple.com>
3725
3726         Eager stack trace for error objects.
3727         https://bugs.webkit.org/show_bug.cgi?id=118918
3728
3729         Reviewed by Geoffrey Garen.
3730         
3731         Chrome and Firefox give error objects the stack property and we wanted to match
3732         that functionality. This allows developers to see the stack without throwing an object.
3733
3734         * runtime/ErrorInstance.cpp:
3735         (JSC::ErrorInstance::finishCreation):
3736         For error objects that are not thrown as an exception, we pass the stackTrace in
3737         as a parameter. This allows the error object to have the stack property.
3738         
3739         * interpreter/Interpreter.cpp:
3740         (JSC::stackTraceAsString):
3741         Helper function used to eliminate duplicate code.
3742
3743         (JSC::Interpreter::addStackTraceIfNecessary):
3744         When an error object is created by the user, the vm->exceptionStack is not set.
3745         If the user throws this error object later the stack that is in the error object 
3746         may not be the correct stack for the throw, so when we set the vm->exception stack,
3747         the stack property on the error object is set as well.
3748         
3749         * runtime/ErrorConstructor.cpp:
3750         (JSC::constructWithErrorConstructor):
3751         (JSC::callErrorConstructor):
3752         * runtime/NativeErrorConstructor.cpp:
3753         (JSC::constructWithNativeErrorConstructor):
3754         (JSC::callNativeErrorConstructor):
3755         These functions indicate that the user created an error object. For all error objects 
3756         that the user explicitly creates, the topCallFrame is at a new frame created to 
3757         handle the user's call. In this case though, the error object needs the caller's 
3758         frame to create the stack trace correctly.
3759         
3760         * interpreter/Interpreter.h:
3761         * runtime/ErrorInstance.h:
3762         (JSC::ErrorInstance::create):
3763
3764 2013-07-29  Gavin Barraclough  <barraclough@apple.com>
3765
3766         Some cleanup in PropertySlot
3767         https://bugs.webkit.org/show_bug.cgi?id=119189
3768
3769         Reviewed by Geoff Garen.
3770
3771         PropertySlot represents a property in one of four states - value, getter, custom, or custom-index.
3772         The state is currently tracked redundantly by two mechanisms - the custom getter function (m_getValue)
3773         is set to a special value to indicate the type (other than custom), and the type is also tracked by
3774         an enum - but only if cacheable. Cacheability can typically be determined by the value of m_offset
3775         (this is invalidOffset if not cacheable).
3776
3777             * Internally, always track the type of the property using an enum value, PropertyType.
3778             * Use m_offset to indicate cacheable.
3779             * Keep the external interface (CachedPropertyType) unchanged.
3780             * Better pack data into the m_data union.
3781
3782         Performance neutral.
3783
3784         * dfg/DFGRepatch.cpp:
3785         (JSC::DFG::tryCacheGetByID):
3786         (JSC::DFG::tryBuildGetByIDList):
3787             - cachedPropertyType() -> isCacheable*()
3788         * jit/JITPropertyAccess.cpp:
3789         (JSC::JIT::privateCompileGetByIdProto):
3790         (JSC::JIT::privateCompileGetByIdSelfList):
3791         (JSC::JIT::privateCompileGetByIdProtoList):
3792         (JSC::JIT::privateCompileGetByIdChainList):
3793         (JSC::JIT::privateCompileGetByIdChain):
3794             - cachedPropertyType() -> isCacheable*()
3795         * jit/JITPropertyAccess32_64.cpp:
3796         (JSC::JIT::privateCompileGetByIdProto):
3797         (JSC::JIT::privateCompileGetByIdSelfList):
3798         (JSC::JIT::privateCompileGetByIdProtoList):
3799         (JSC::JIT::privateCompileGetByIdChainList):
3800         (JSC::JIT::privateCompileGetByIdChain):
3801             - cachedPropertyType() -> isCacheable*()
3802         * jit/JITStubs.cpp:
3803         (JSC::tryCacheGetByID):
3804             - cachedPropertyType() -> isCacheable*()
3805         * llint/LLIntSlowPaths.cpp:
3806         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3807             - cachedPropertyType() -> isCacheable*()
3808         * runtime/PropertySlot.cpp:
3809         (JSC::PropertySlot::functionGetter):
3810             - refactoring described above.
3811         * runtime/PropertySlot.h:
3812         (JSC::PropertySlot::PropertySlot):
3813         (JSC::PropertySlot::getValue):
3814         (JSC::PropertySlot::isCacheable):
3815         (JSC::PropertySlot::isCacheableValue):
3816         (JSC::PropertySlot::isCacheableGetter):
3817         (JSC::PropertySlot::isCacheableCustom):
3818         (JSC::PropertySlot::cachedOffset):
3819         (JSC::PropertySlot::customGetter):
3820         (JSC::PropertySlot::setValue):
3821         (JSC::PropertySlot::setCustom):
3822         (JSC::PropertySlot::setCacheableCustom):
3823         (JSC::PropertySlot::setCustomIndex):
3824         (JSC::PropertySlot::setGetterSlot):
3825         (JSC::PropertySlot::setCacheableGetterSlot):
3826         (JSC::PropertySlot::setUndefined):
3827         (JSC::PropertySlot::slotBase):
3828         (JSC::PropertySlot::setBase):
3829             - refactoring described above.
3830
3831 2013-07-28  Oliver Hunt  <oliver@apple.com>
3832
3833         REGRESSION: Crash when opening Facebook.com
3834         https://bugs.webkit.org/show_bug.cgi?id=119155
3835
3836         Reviewed by Andreas Kling.
3837
3838         Scope nodes are always objects, so we should be using SpecObjectOther
3839         rather than SpecCellOther.  Marking Scopes as CellOther leads to a
3840         contradiction in the CFA, resulting in bogus codegen.
3841
3842         * dfg/DFGAbstractInterpreterInlines.h:
3843         (JSC::DFG::::executeEffects):
3844         * dfg/DFGPredictionPropagationPhase.cpp:
3845         (JSC::DFG::PredictionPropagationPhase::propagate):
3846
3847 2013-07-26  Oliver Hunt  <oliver@apple.com>
3848
3849         REGRESSION(FTL?): Crashes in plugin tests
3850         https://bugs.webkit.org/show_bug.cgi?id=119141
3851
3852         Reviewed by Michael Saboff.
3853
3854         Re-export getStackTrace
3855
3856         * interpreter/Interpreter.h:
3857
3858 2013-07-26  Filip Pizlo  <fpizlo@apple.com>
3859
3860         REGRESSION: Crash when opening a message on Gmail
3861         https://bugs.webkit.org/show_bug.cgi?id=119105
3862
3863         Reviewed by Oliver Hunt and Mark Hahnenberg.
3864         
3865         - GetById patching in the DFG needs to be more disciplined about how it derives the
3866           slow path.
3867         
3868         - Fix some dumping code thread safety issues.
3869
3870         * bytecode/CallLinkStatus.cpp:
3871         (JSC::CallLinkStatus::dump):
3872         * bytecode/CodeBlock.cpp:
3873         (JSC::CodeBlock::dumpBytecode):
3874         * dfg/DFGRepatch.cpp:
3875         (JSC::DFG::getPolymorphicStructureList):
3876         (JSC::DFG::tryBuildGetByIDList):
3877
3878 2013-07-26  Balazs Kilvady  <kilvadyb@homejinni.com>
3879
3880         [mips] Fix LLINT build for mips backend
3881         https://bugs.webkit.org/show_bug.cgi?id=119152
3882
3883         Reviewed by Oliver Hunt.
3884
3885         * offlineasm/mips.rb:
3886
3887 2013-07-19  Mark Hahnenberg  <mhahnenberg@apple.com>
3888
3889         Setting a large numeric property on an object causes it to allocate a huge backing store
3890         https://bugs.webkit.org/show_bug.cgi?id=118914
3891
3892         Reviewed by Geoffrey Garen.
3893
3894         There are two distinct actions that we're trying to optimize for:
3895
3896         new Array(100000);
3897
3898         and:
3899
3900         a = [];
3901         a[100000] = 42;
3902         
3903         In the first case, the programmer has indicated that they expect this Array to be very big, 
3904         so they should get a contiguous array up until some threshold, above which we perform density 
3905         calculations to see if it is indeed dense enough to warrant being contiguous.
3906         
3907         In the second case, the programmer hasn't indicated anything about the size of the Array, so 
3908         we should be more conservative and assume it should be sparse until we've proven otherwise.
3909         
3910         Currently both of those cases are handled by MIN_SPARSE_ARRAY_INDEX. We should distinguish 
3911         between them for the purposes of not over-allocating large backing stores like we see on 
3912         http://www.peekanalytics.com/burgerjoints/
3913         
3914         The way that we'll do this is to keep the MIN_SPARSE_ARRAY_INDEX for the first case, and 
3915         introduce a new heuristic for the second case. If we are putting to an index above a certain 
3916         threshold (say, 1000) and it is beyond the length of the array, then we will use a sparse 
3917         map instead. So for example, in the second case above the empty array has a blank indexing 
3918         type and a length of 0. We put-by-val to an index > 1000 and > a.length, so we'll use a sparse map.
3919
3920         This fix is a ~800x speedup on the accompanying regression test :-o
3921
3922         * runtime/ArrayConventions.h:
3923         (JSC::indexIsSufficientlyBeyondLengthForSparseMap):
3924         * runtime/JSObject.cpp:
3925         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
3926         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
3927         (JSC::JSObject::putByIndexBeyondVectorLength):
3928         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
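Added illustration, not JavaScriptCore code: a toy C++ model of the two heuristics this entry describes, showing why `a = []; a[index] = 42` over-allocates a contiguous backing store when only MIN_SPARSE_ARRAY_INDEX is consulted, and how the beyond-length check avoids it. ToyArray and its methods are hypothetical; kMinSparseArrayIndex is an assumed stand-in value, and kBeyondLengthSparseThreshold is the "say, 1000" from the entry.

```cpp
#include <cstddef>
#include <map>
#include <optional>
#include <vector>

// Assumed stand-in for JSC's MIN_SPARSE_ARRAY_INDEX (the `new Array(n)` case):
// at or above it storage is never grown contiguously without a density check.
constexpr unsigned kMinSparseArrayIndex = 10000;
// Threshold for the second case, "say, 1000" in the entry above.
constexpr unsigned kBeyondLengthSparseThreshold = 1000;
// New heuristic: a put to a large index past the current length goes to the
// sparse map instead of growing the contiguous vector.
inline bool indexIsSufficientlyBeyondLengthForSparseMap(unsigned index, unsigned length)
{
    return index >= kBeyondLengthSparseThreshold && index >= length;
}
// Hypothetical array model: a dense vector of slots plus a sparse index -> value map.
class ToyArray {
public:
    // expectedLength models `new Array(n)`, declaring the length up front. Passing
    // useBeyondLengthHeuristic = false reproduces the old policy for comparison.
    explicit ToyArray(unsigned expectedLength = 0, bool useBeyondLengthHeuristic = true)
        : m_length(expectedLength), m_useBeyondLengthHeuristic(useBeyondLengthHeuristic)
    {
        if (expectedLength < kMinSparseArrayIndex)
            m_dense.resize(expectedLength);
    }

    // Models put-by-val `a[index] = value`.
    void put(unsigned index, int value)
    {
        unsigned oldLength = m_length;
        if (index >= m_length)
            m_length = index + 1;
        if (index < m_dense.size()) {
            m_dense[index] = value;
            return;
        }
        bool useSparseMap = index >= kMinSparseArrayIndex
            || (m_useBeyondLengthHeuristic
                && indexIsSufficientlyBeyondLengthForSparseMap(index, oldLength));
        if (useSparseMap)
            m_sparse[index] = value;     // one map entry, whatever the index
        else {
            m_dense.resize(index + 1);   // allocates index + 1 slots in one go
            m_dense[index] = value;
        }
    }

    // Reads through either representation; nullopt for a hole.
    std::optional<int> get(unsigned index) const
    {
        if (index < m_dense.size())
            return m_dense[index];
        auto it = m_sparse.find(index);
        if (it == m_sparse.end())
            return std::nullopt;
        return it->second;
    }

    std::size_t denseCapacity() const { return m_dense.size(); }
    std::size_t sparseCount() const { return m_sparse.size(); }
    unsigned length() const { return m_length; }

private:
    std::vector<std::optional<int>> m_dense;
    std::map<unsigned, int> m_sparse;
    unsigned m_length;
    bool m_useBeyondLengthHeuristic;
};
```

With the heuristic disabled, a single put to index 5000 on an empty ToyArray grows the vector to 5001 slots; with it enabled, the same put costs one map entry, while puts below the declared length of a `new Array(n)`-style instance still stay contiguous.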
3929
3930 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
3931
3932         REGRESSION(FTL): Fix lots of crashes in sh4 baseline JIT.
3933         https://bugs.webkit.org/show_bug.cgi?id=119148
3934
3935         Reviewed by Csaba Osztrogonác.
3936
3937         * jit/JSInterfaceJIT.h: "secondArgumentRegister" is wrong for sh4.
3938         * llint/LowLevelInterpreter32_64.asm: "move t0, a0" is missing
3939         in nativeCallTrampoline for sh4. Reuse MIPS implementation to avoid
3940         code duplication.
3941
3942 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
3943
3944         REGRESSION(FTL): Crash in sh4 baseline JIT.
3945         https://bugs.webkit.org/show_bug.cgi?id=119138
3946
3947         Reviewed by Csaba Osztrogonác.
3948
3949         This crash is due to incomplete report of r150146 and r148474.
3950
3951         * jit/JITStubsSH4.h:
3952
3953 2013-07-26  Zan Dobersek  <zdobersek@igalia.com>
3954
3955         Unreviewed.
3956
3957         * Target.pri: Adding missing DFG files to the Qt build.
3958
3959 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>