Cleaning errorDescriptionForValue after r154839
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-08-30  Chris Curtis  <chris_curtis@apple.com>

        Cleaning errorDescriptionForValue after r154839
        https://bugs.webkit.org/show_bug.cgi?id=120531

        Reviewed by Darin Adler.

        Changed the assert to ASSERT_NOT_REACHED, now that r154839 has landed. errorDescriptionForValue
        can assert again that the parameterized JSValue is !isEmpty().

        * runtime/ExceptionHelpers.cpp:
        (JSC::errorDescriptionForValue):

2013-08-30  Antti Koivisto  <antti@apple.com>

        Remove code behind ENABLE(DIALOG_ELEMENT)
        https://bugs.webkit.org/show_bug.cgi?id=120467

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:

2013-08-29  Andreas Kling  <akling@apple.com>

        De-bork Qt build.

        * Target.pri:

2013-08-29  Ryuan Choi  <ryuan.choi@samsung.com>

        Unreviewed build fix attempt for Windows.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        Renamed JSMapConstructor and JSMapPrototype.

2013-08-29  Ryuan Choi  <ryuan.choi@samsung.com>

        Fix build break after r154861
        https://bugs.webkit.org/show_bug.cgi?id=120503

        Reviewed by Geoffrey Garen.

        Unreviewed build fix attempt for GTK, Qt Windows and CMake based ports.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * Target.pri:
        * runtime/MapData.h:
        (JSC::MapData::KeyType::KeyType):

2013-08-29  Andreas Kling  <akling@apple.com>

        CodeBlock: LLIntCallLinkInfo vector can be sized-to-fit at creation.
        <https://webkit.org/b/120487>

        Reviewed by Oliver Hunt.

        CodeBlock::m_llintCallLinkInfos never changes size after creation, so make it a Vector
        instead of a SegmentedVector. Use resizeToFit() instead of grow() since we know the
        exact amount of space needed.

        * bytecode/CodeBlock.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::shrinkToFit):

2013-08-29  Oliver Hunt  <oliver@apple.com>

        Fix issues found by MSVC (which also happily fixes an unintentional pessimisation)

        * runtime/MapData.h:
        (JSC::MapData::KeyType::KeyType):

2013-08-29  Oliver Hunt  <oliver@apple.com>

        Implement ES6 Map object
        https://bugs.webkit.org/show_bug.cgi?id=120333

        Reviewed by Geoffrey Garen.

        Implement support for the ES6 Map type and related classes.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/CopyToken.h: Add a new token to track copying the backing store
        * runtime/CommonIdentifiers.h: Add new identifiers
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
            Add new structures and prototypes

        * runtime/JSMap.cpp: Added.
        * runtime/JSMap.h: Added.
            New JSMap class to represent a Map instance

        * runtime/MapConstructor.cpp: Added.
        * runtime/MapConstructor.h: Added.
            The Map constructor

        * runtime/MapData.cpp: Added.
        * runtime/MapData.h: Added.
            The most interesting data structure.  This roughly corresponds
            to the ES6 notion of MapData.  It provides the core JSValue->JSValue
            map implementation.  We implement it using 2 hashtables and a flat
            table.  Due to the different semantics of string comparisons vs.
            all others we need to have one map keyed by String and the other by
            generic JSValue.  The actual table is represented more or less
            exactly as described in the ES6 draft - a single contiguous list of
            key/value pairs.  The entire map could be achieved with just this
            table, however we need the HashMaps in order to maintain O(1) lookup.

            Deleted values are simply cleared as the draft says, however the
            implementation compacts the storage on copy as long as there are no
            active iterators.

        * runtime/MapPrototype.cpp: Added.
        * runtime/MapPrototype.h: Added.
            Implement Map prototype functions

        * runtime/VM.cpp:
            Add new structures.

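An added C++ model of the MapData layout described in the entry above (example code, not part of this ChangeLog or of JavaScriptCore's MapData.cpp): two hash tables, one keyed by string contents and one by generic value bits, index into a single insertion-ordered flat table; deletion only clears a slot, and compaction of the backing store is refused while a cursor is alive. Key is a constructed stand-in for JSValue, with an int64 standing in for every non-string value, and Cursor stands in for an active iterator.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <string>
#include <unordered_map>
#include <utility>
#include <vector>

// Stand-in for JSValue (constructed for this example): a string key, compared
// by contents, or a generic value key, compared by its raw bits.
struct Key {
    bool isString = false;
    std::string str;
    int64_t bits = 0;
    static Key string(std::string s) { Key k; k.isString = true; k.str = std::move(s); return k; }
    static Key generic(int64_t v) { Key k; k.bits = v; return k; }
};

// Two hash tables (one per key kind) index into one insertion-ordered flat table
// of key/value pairs. The flat table alone is a correct map; the hash tables
// exist only to keep lookup O(1).
class MapData {
public:
    struct Entry { Key key; int value = 0; bool deleted = false; };
    // RAII cursor over the flat table. While a cursor is alive the table must
    // not be compacted, because the cursor holds a raw index into it.
    class Cursor {
    public:
        explicit Cursor(MapData& m) : m_map(m) { ++m_map.m_activeIterators; }
        ~Cursor() { --m_map.m_activeIterators; }
        // Advance to the next live entry; returns false at the end of the table.
        bool next(Entry& out) {
            while (m_index < m_map.m_entries.size()) {
                const Entry& e = m_map.m_entries[m_index++];
                if (!e.deleted) { out = e; return true; }
            }
            return false;
        }
    private:
        MapData& m_map;
        size_t m_index = 0;
    };

    size_t size() const { return m_size; }
    size_t backingSize() const { return m_entries.size(); }  // includes cleared slots

    void set(const Key& key, int value) {
        if (auto slot = find(key)) { m_entries[*slot].value = value; return; }
        indexKey(key, m_entries.size());
        m_entries.push_back({key, value, false});
        ++m_size;
    }

    std::optional<int> get(const Key& key) const {
        auto slot = find(key);
        if (!slot) return std::nullopt;
        return m_entries[*slot].value;
    }

    // Deletion only clears the slot in the flat table, as the draft says; the
    // hash-table entry is dropped so a re-inserted key lands at the end again.
    bool remove(const Key& key) {
        auto slot = find(key);
        if (!slot) return false;
        m_entries[*slot].deleted = true;
        if (key.isString) m_stringKeys.erase(key.str); else m_valueKeys.erase(key.bits);
        --m_size;
        return true;
    }

    // Done where the real engine copies the backing store: squeeze out cleared
    // slots and rebuild both indices, but only while no cursor is alive.
    bool compactIfPossible() {
        if (m_activeIterators > 0) return false;
        std::vector<Entry> live;
        m_stringKeys.clear();
        m_valueKeys.clear();
        for (const Entry& e : m_entries) {
            if (e.deleted) continue;
            indexKey(e.key, live.size());
            live.push_back(e);
        }
        m_entries.swap(live);
        return true;
    }

private:
    void indexKey(const Key& key, size_t slot) {
        if (key.isString) m_stringKeys[key.str] = slot; else m_valueKeys[key.bits] = slot;
    }
    std::optional<size_t> find(const Key& key) const {
        if (key.isString) { auto it = m_stringKeys.find(key.str); if (it != m_stringKeys.end()) return it->second; }
        else { auto it = m_valueKeys.find(key.bits); if (it != m_valueKeys.end()) return it->second; }
        return std::nullopt;
    }
    std::unordered_map<std::string, size_t> m_stringKeys;  // keyed by string contents
    std::unordered_map<int64_t, size_t> m_valueKeys;       // keyed by raw value bits
    std::vector<Entry> m_entries;                           // the flat key/value table
    size_t m_size = 0;
    int m_activeIterators = 0;
};
```

Because the string "42" and the generic value 42 live in different hash tables they are distinct keys, and an entry appended while a cursor is alive is still visited by that cursor.
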
2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        Teach DFG::Worklist and its clients that it may be reused for different kinds of compilations
        https://bugs.webkit.org/show_bug.cgi?id=120489

        Reviewed by Geoffrey Garen.

        If the baseline JIT hits an OSR entry trigger into the DFG and we already have a
        DFG compilation but we've also started one or more FTL compilations, then we
        shouldn't get confused. Previously we would have gotten confused because we would
        see an in-process deferred compile (the FTL compile) and also an optimized
        replacement (the DFG code).

        If the baseline JIT hits an OSR entry trigger into the DFG and we previously
        did two things in this order: triggered a tier-up compilation from the DFG into
        the FTL, and then jettisoned the DFG code because it exited a bunch, then we
        shouldn't be confused by the presence of an in-process deferred compile (the FTL
        compile). Previously we would have waited for that compile to finish; but the more
        sensible thing to do is to let it complete and then invalidate it, while at the
        same time enqueueing a DFG compile to create a new, more valid, DFG code block.

        If the DFG JIT hits a loop OSR entry trigger (into the FTL) and it has already
        triggered an FTL compile for replacement, then it should fire off a second compile
        instead of thinking that it can wait for that one to finish. Or vice-versa. We
        need to allow for two FTL compiles to be enqueued at the same time (one for
        replacement and one for OSR entry in a loop).

        Then there's also the problem that DFG::compile() is almost certainly going to be
        the hook for triggering both DFG compiles and the two kinds of FTL compiles, but
        right now there is no way to tell it which one you want.

        This fixes these problems and removes a bunch of potential confusion by making the
        key for a compile in the DFG::Worklist be a CompilationMode (one of DFGMode,
        FTLMode, or FTLForOSREntryMode). That mode is also passed to DFG::compile().

        Awkwardly, this still leaves us in a no DFG->FTL tier-up situation - so
        DFG::compile() is always passed DFGMode and then it might do an FTL compile if
        possible. Fixing that is a bigger issue for a later changeset.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::checkIfOptimizationThresholdReached):
        * dfg/DFGCompilationKey.cpp: Added.
        (JSC::DFG::CompilationKey::dump):
        * dfg/DFGCompilationKey.h: Added.
        (JSC::DFG::CompilationKey::CompilationKey):
        (JSC::DFG::CompilationKey::operator!):
        (JSC::DFG::CompilationKey::isHashTableDeletedValue):
        (JSC::DFG::CompilationKey::profiledBlock):
        (JSC::DFG::CompilationKey::mode):
        (JSC::DFG::CompilationKey::operator==):
        (JSC::DFG::CompilationKey::hash):
        (JSC::DFG::CompilationKeyHash::hash):
        (JSC::DFG::CompilationKeyHash::equal):
        * dfg/DFGCompilationMode.cpp: Added.
        (WTF::printInternal):
        * dfg/DFGCompilationMode.h: Added.
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        (JSC::DFG::compile):
        * dfg/DFGDriver.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::key):
        * dfg/DFGPlan.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::enqueue):
        (JSC::DFG::Worklist::compilationState):
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::runThread):
        * dfg/DFGWorklist.h:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2013-08-29  Brent Fulgham  <bfulgham@apple.com>

        [Windows] Unreviewed build fix after r154847.
        If you are going to exclude promises, actually exclude the build components.

        * interpreter/CallFrame.h: Exclude promise declarations
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset): Exclude promise code.
        (JSC::JSGlobalObject::visitChildren): Ditto.
        * runtime/VM.cpp: Ditto.
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:

2013-08-29  Sam Weinig  <sam@webkit.org>

        Add ENABLE guards for Promises
        https://bugs.webkit.org/show_bug.cgi?id=120488

        Reviewed by Andreas Kling.

        * Configurations/FeatureDefines.xcconfig:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSPromise.cpp:
        * runtime/JSPromise.h:
        * runtime/JSPromiseCallback.cpp:
        * runtime/JSPromiseCallback.h:
        * runtime/JSPromiseConstructor.cpp:
        * runtime/JSPromiseConstructor.h:
        * runtime/JSPromisePrototype.cpp:
        * runtime/JSPromisePrototype.h:
        * runtime/JSPromiseResolver.cpp:
        * runtime/JSPromiseResolver.h:
        * runtime/JSPromiseResolverConstructor.cpp:
        * runtime/JSPromiseResolverConstructor.h:
        * runtime/JSPromiseResolverPrototype.cpp:
        * runtime/JSPromiseResolverPrototype.h:

2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix FTL build.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::callCheck):

2013-08-29  Julien Brianceau  <jbriance@cisco.com>

        REGRESSION(r153222, 32-bit): NULL JSValue() seen when running peacekeeper benchmark.
        https://bugs.webkit.org/show_bug.cgi?id=120080

        Reviewed by Michael Saboff.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emitSlow_op_get_argument_by_val): Revert changes introduced by r153222 in this function.

2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        Kill code that became dead after http://trac.webkit.org/changeset/154833

        Rubber stamped by Oliver Hunt.

        * dfg/DFGDriver.h:

2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock's magic for scaling tier-up thresholds should be more reusable
        https://bugs.webkit.org/show_bug.cgi?id=120486

        Reviewed by Oliver Hunt.

        Removed the counterValueForBlah() methods and exposed the reusable scaling logic
        as an adjustedCounterValue() method.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::adjustedCounterValue):
        (JSC::CodeBlock::optimizeAfterWarmUp):
        (JSC::CodeBlock::optimizeAfterLongWarmUp):
        (JSC::CodeBlock::optimizeSoon):
        * bytecode/CodeBlock.h:
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):

2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock::prepareForExecution() is silly
        https://bugs.webkit.org/show_bug.cgi?id=120453

        Reviewed by Oliver Hunt.

        Instead of saying:

            codeBlock->prepareForExecution(stuff, BaselineJIT, more stuff)

        we should just say:

            JIT::compile(stuff, codeBlock, more stuff);

        And similarly for the LLInt and DFG.

        This kills a bunch of code, since CodeBlock::prepareForExecution() is just a
        wrapper that uses the JITType argument to call into the appropriate execution
        engine, which is what the user wanted to do in the first place.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        (JSC::DFG::compile):
        * dfg/DFGDriver.h:
        (JSC::DFG::tryCompile):
        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::globalWorklist):
        * dfg/DFGWorklist.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::JIT::compile):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntEntrypoint.cpp: Copied from Source/JavaScriptCore/llint/LLIntEntrypoints.cpp.
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        (JSC::LLInt::setEntrypoint):
        * llint/LLIntEntrypoint.h: Copied from Source/JavaScriptCore/llint/LLIntEntrypoints.h.
        * llint/LLIntEntrypoints.cpp: Removed.
        * llint/LLIntEntrypoints.h: Removed.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::prepareForExecutionImpl):

2013-08-29  Mark Lam  <mark.lam@apple.com>

        Gardening: fixed broken non-DFG build.
        https://bugs.webkit.org/show_bug.cgi?id=120481.

        Not reviewed.

        * interpreter/StackIterator.h:

2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock compilation and installation should be simplified and rationalized
        https://bugs.webkit.org/show_bug.cgi?id=120326

        Reviewed by Oliver Hunt.

        Rolling r154804 back in after fixing no-LLInt build.

        Previously Executable owned the code for generating JIT code; you always had
        to go through Executable. But often you also had to go through CodeBlock,
        because ScriptExecutable couldn't have virtual methods, but CodeBlock could.
        So you'd ask CodeBlock to do something, which would dispatch through a
        virtual method that would select the appropriate Executable subtype's method.
        This all meant that the same code would often be duplicated, because most of
        the work needed to compile something was identical regardless of code type.
        But then we tried to fix this, by having templatized helpers in
        ExecutionHarness.h and JITDriver.h. The result was that if you wanted to find
        out what happened when you asked for something to be compiled, you'd go on a
        wild ride that started with CodeBlock, touched upon Executable, and then
        ricocheted into either ExecutionHarness or JITDriver (likely both).

        Another awkwardness was that for concurrent compiles, the DFG::Worklist had
        super-special inside knowledge of what JITStubs.cpp's cti_optimize would have
        done once the compilation finished.

        Also, most of the DFG JIT drivers assumed that they couldn't install the
        JITCode into the CodeBlock directly - instead they would return it via a
        reference, which happened to be a reference to the JITCode pointer in
        Executable. This was super weird.

        Finally, there was no notion of compiling code into a special CodeBlock that
        wasn't used for handling calls into an Executable. I'd like this for FTL OSR
        entry.

        This patch solves these problems by reducing all of that complexity into just
        three primitives:

        - Executable::newCodeBlock(). This gives you a new code block, either for call
          or for construct, and either to serve as the baseline code or the optimized
          code. The new code block is then owned by the caller; Executable doesn't
          register it anywhere. The new code block has no JITCode and isn't callable,
          but it has all of the bytecode.

        - CodeBlock::prepareForExecution(). This takes the CodeBlock's bytecode and
          produces a JITCode, and then installs the JITCode into the CodeBlock. This
          method takes a JITType, and always compiles with that JIT. If you ask for
          JITCode::InterpreterThunk then you'll get JITCode that just points to the
          LLInt entrypoints. Once this returns, it is possible to call into the
          CodeBlock if you do so manually - but the Executable still won't know about
          it so JS calls to that Executable will still be routed to whatever CodeBlock
          is associated with the Executable.

        - Executable::installCode(). This takes a CodeBlock and makes it the code-for-
          entry for that Executable. This involves unlinking the Executable's last
          CodeBlock, if there was one. This also tells the GC about any effect on
          memory usage and does a bunch of weird data structure rewiring, since
          Executable caches some of CodeBlock's fields for the benefit of virtual call
          fast paths.

        This functionality is then wrapped around three convenience methods:

        - Executable::prepareForExecution(). If there is no code block for that
          Executable, then one is created (newCodeBlock()), compiled
          (CodeBlock::prepareForExecution()) and installed (installCode()).

        - CodeBlock::newReplacement(). Asks the Executable for a new CodeBlock that
          can serve as an optimized replacement of the current one.

        - CodeBlock::install(). Asks the Executable to install this code block.

        This patch allows me to kill *a lot* of code and to remove a lot of
        specializations for functions vs. not-functions, and a lot of places where we
        pass around JITCode references and such. ExecutionHarness and JITDriver are
        both gone. Overall this patch has more red than green.

        It also allows me to work on FTL OSR entry and tier-up:

        - FTL tier-up: this will involve DFGOperations.cpp asking the DFG::Worklist
          to do some compilation, but it will require the DFG::Worklist to do
          something different than what JITStubs.cpp would want, once the compilation
          finishes. This patch introduces a callback mechanism for that purpose.

        - FTL OSR entry: this will involve creating a special auto-jettisoned
          CodeBlock that is used only for FTL OSR entry. The new set of primitives
          allows for this: Executable can vend you a fresh new CodeBlock, and you can
          ask that CodeBlock to compile itself with any JIT of your choosing. Or you
          can take that CodeBlock and compile it yourself. Previously the act of
          producing a CodeBlock-for-optimization and the act of compiling code for it
          were tightly coupled; now you can separate them and you can create such
          auto-jettisoned CodeBlocks that are used for a one-shot OSR entry.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::prepareForExecutionImpl):
        (JSC::CodeBlock::prepareForExecution):
        (JSC::CodeBlock::prepareForExecutionAsynchronously):
        (JSC::CodeBlock::install):
        (JSC::CodeBlock::newReplacement):
        (JSC::FunctionCodeBlock::jettisonImpl):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::hasBaselineJITProfiling):
        * bytecode/DeferredCompilationCallback.cpp: Added.
        (JSC::DeferredCompilationCallback::DeferredCompilationCallback):
        (JSC::DeferredCompilationCallback::~DeferredCompilationCallback):
        * bytecode/DeferredCompilationCallback.h: Added.
        * dfg/DFGDriver.cpp:
        (JSC::DFG::tryCompile):
        * dfg/DFGDriver.h:
        (JSC::DFG::tryCompile):
        * dfg/DFGFailedFinalizer.cpp:
        (JSC::DFG::FailedFinalizer::finalize):
        (JSC::DFG::FailedFinalizer::finalizeFunction):
        * dfg/DFGFailedFinalizer.h:
        * dfg/DFGFinalizer.h:
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::notifyReady):
        (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
        (JSC::DFG::Plan::finalizeAndNotifyCallback):
        * dfg/DFGPlan.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::runThread):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalize):
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLJITFinalizer.h:
        * heap/Heap.h:
        (JSC::Heap::isDeferred):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * jit/JITDriver.h: Removed.
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::jitCompileFor):
        (JSC::lazyLinkFor):
        * jit/JITToDFGDeferredCompilationCallback.cpp: Added.
        (JSC::JITToDFGDeferredCompilationCallback::JITToDFGDeferredCompilationCallback):
        (JSC::JITToDFGDeferredCompilationCallback::~JITToDFGDeferredCompilationCallback):
        (JSC::JITToDFGDeferredCompilationCallback::create):
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
        * jit/JITToDFGDeferredCompilationCallback.h: Added.
        * llint/LLIntEntrypoints.cpp:
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        * llint/LLIntEntrypoints.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        (JSC::LLInt::setUpCall):
        * runtime/ArrayPrototype.cpp:
        (JSC::isNumericCompareFunction):
        * runtime/CommonSlowPaths.cpp:
        * runtime/CompilationResult.cpp:
        (WTF::printInternal):
        * runtime/CompilationResult.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::installCode):
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::ScriptExecutable::newReplacementCodeBlockFor):
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/Executable.h:
        (JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor):
        (JSC::ExecutableBase::offsetOfNumParametersFor):
        (JSC::ScriptExecutable::prepareForExecution):
        (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
        * runtime/ExecutionHarness.h: Removed.

2013-08-29  Mark Lam  <mark.lam@apple.com>

        Change StackIterator to not require writes to the JS stack.
        https://bugs.webkit.org/show_bug.cgi?id=119657.

        Reviewed by Geoffrey Garen.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/CallFrame.h:
        - Removed references to StackIteratorPrivate.h.
        * interpreter/StackIterator.cpp:
        (JSC::StackIterator::numberOfFrames):
        (JSC::StackIterator::gotoFrameAtIndex):
        (JSC::StackIterator::gotoNextFrame):
        (JSC::StackIterator::resetIterator):
        (JSC::StackIterator::find):
        (JSC::StackIterator::readFrame):
        (JSC::StackIterator::readNonInlinedFrame):
        - Reads in the current CallFrame's data for non-inlined frames.
        (JSC::inlinedFrameOffset):
        - Convenience function to compute the inlined frame offset based on the
          CodeOrigin. If the offset is 0, then we're looking at the physical frame.
          Otherwise, it's an inlined frame.
        (JSC::StackIterator::readInlinedFrame):
        - Determines the inlined frame's caller frame. Will read in the caller
          frame if it is also an inlined frame i.e. we haven't reached the
          outermost frame yet. Otherwise, will call readNonInlinedFrame() to
          read in the outermost frame.
          This is based on the old StackIterator::Frame::logicalFrame().
        (JSC::StackIterator::updateFrame):
        - Reads the data of the caller frame of the current one. This function
          is renamed and moved from the old StackIterator::Frame::logicalCallerFrame(),
          but is now simplified because it delegates to the readInlinedFrame()
          to get the caller for inlined frames.
        (JSC::StackIterator::Frame::arguments):
        - Fixed to use the inlined frame versions of Arguments::create() and
          Arguments::tearOff() when the frame is an inlined frame.
        (JSC::StackIterator::Frame::print):
        (debugPrintCallFrame):
        (debugPrintStack):
        - Because sometimes, we want to see the whole stack while debugging.
        * interpreter/StackIterator.h:
        (JSC::StackIterator::Frame::argumentCount):
        (JSC::StackIterator::Frame::callerFrame):
        (JSC::StackIterator::Frame::callee):
        (JSC::StackIterator::Frame::scope):
        (JSC::StackIterator::Frame::codeBlock):
        (JSC::StackIterator::Frame::bytecodeOffset):
        (JSC::StackIterator::Frame::inlinedFrameInfo):
        (JSC::StackIterator::Frame::isJSFrame):
        (JSC::StackIterator::Frame::isInlinedFrame):
        (JSC::StackIterator::Frame::callFrame):
        (JSC::StackIterator::Frame::Frame):
        (JSC::StackIterator::Frame::~Frame):
        - StackIterator::Frame now caches commonly accessed values from
          the CallFrame. It still delegates argument queries to the CallFrame.
        (JSC::StackIterator::operator*):
        (JSC::StackIterator::operator->):
        (JSC::StackIterator::operator!=):
        (JSC::StackIterator::operator++):
        (JSC::StackIterator::end):
        (JSC::StackIterator::operator==):
        * interpreter/StackIteratorPrivate.h: Removed.

2013-08-29  Chris Curtis  <chris_curtis@apple.com>

        VM::throwException() crashes reproducibly in testapi with !ENABLE(JIT)
        https://bugs.webkit.org/show_bug.cgi?id=120472

        Reviewed by Filip Pizlo.

        With the JIT disabled, interpreterThrowInCaller was attempting to throw an error,
        but the topCallFrame was not set yet. By passing the error object into interpreterThrowInCaller
        throwException can be called when topCallFrame is set.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPathsExceptions.cpp:
        (JSC::CommonSlowPaths::interpreterThrowInCaller):
        * runtime/CommonSlowPathsExceptions.h:

        Renamed genericThrow -> genericUnwind, because this function no longer has the ability
        to throw errors. It unwinds the stack in order to report them.

        * dfg/DFGOperations.cpp:
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        (JSC::jitThrowNew):
        (JSC::jitThrow):
        * jit/JITExceptions.h:
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::doThrow):

2013-08-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r154804.
        http://trac.webkit.org/changeset/154804
        https://bugs.webkit.org/show_bug.cgi?id=120477

        Broke Windows build (assumes LLInt features not enabled on
        this build) (Requested by bfulgham on #webkit).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::linkIncomingCall):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::reoptimize):
        (JSC::ProgramCodeBlock::replacement):
        (JSC::EvalCodeBlock::replacement):
        (JSC::FunctionCodeBlock::replacement):
        (JSC::ProgramCodeBlock::compileOptimized):
        (JSC::ProgramCodeBlock::replaceWithDeferredOptimizedCode):
        (JSC::EvalCodeBlock::compileOptimized):
        (JSC::EvalCodeBlock::replaceWithDeferredOptimizedCode):
        (JSC::FunctionCodeBlock::compileOptimized):
        (JSC::FunctionCodeBlock::replaceWithDeferredOptimizedCode):
        (JSC::ProgramCodeBlock::jitCompileImpl):
        (JSC::EvalCodeBlock::jitCompileImpl):
        (JSC::FunctionCodeBlock::jitCompileImpl):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::jitType):
        (JSC::CodeBlock::jitCompile):
        * bytecode/DeferredCompilationCallback.cpp: Removed.
        * bytecode/DeferredCompilationCallback.h: Removed.
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        (JSC::DFG::tryFinalizePlan):
        * dfg/DFGDriver.h:
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        (JSC::DFG::tryFinalizePlan):
        * dfg/DFGFailedFinalizer.cpp:
        (JSC::DFG::FailedFinalizer::finalize):
        (JSC::DFG::FailedFinalizer::finalizeFunction):
        * dfg/DFGFailedFinalizer.h:
        * dfg/DFGFinalizer.h:
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::finalize):
        * dfg/DFGPlan.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::runThread):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalize):
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLJITFinalizer.h:
        * heap/Heap.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * jit/JITDriver.h: Added.
        (JSC::jitCompileIfAppropriateImpl):
        (JSC::jitCompileFunctionIfAppropriateImpl):
        (JSC::jitCompileIfAppropriate):
        (JSC::jitCompileFunctionIfAppropriate):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::jitCompileFor):
        (JSC::lazyLinkFor):
        * jit/JITToDFGDeferredCompilationCallback.cpp: Removed.
720         * jit/JITToDFGDeferredCompilationCallback.h: Removed.
721         * llint/LLIntEntrypoints.cpp:
722         (JSC::LLInt::getFunctionEntrypoint):
723         (JSC::LLInt::getEvalEntrypoint):
724         (JSC::LLInt::getProgramEntrypoint):
725         * llint/LLIntEntrypoints.h:
726         (JSC::LLInt::getEntrypoint):
727         * llint/LLIntSlowPaths.cpp:
728         (JSC::LLInt::jitCompileAndSetHeuristics):
729         (JSC::LLInt::setUpCall):
730         * runtime/ArrayPrototype.cpp:
731         (JSC::isNumericCompareFunction):
732         * runtime/CommonSlowPaths.cpp:
733         * runtime/CompilationResult.cpp:
734         (WTF::printInternal):
735         * runtime/CompilationResult.h:
736         * runtime/Executable.cpp:
737         (JSC::EvalExecutable::compileOptimized):
738         (JSC::EvalExecutable::jitCompile):
739         (JSC::EvalExecutable::compileInternal):
740         (JSC::EvalExecutable::replaceWithDeferredOptimizedCode):
741         (JSC::ProgramExecutable::compileOptimized):
742         (JSC::ProgramExecutable::jitCompile):
743         (JSC::ProgramExecutable::compileInternal):
744         (JSC::ProgramExecutable::replaceWithDeferredOptimizedCode):
745         (JSC::FunctionExecutable::compileOptimizedForCall):
746         (JSC::FunctionExecutable::compileOptimizedForConstruct):
747         (JSC::FunctionExecutable::jitCompileForCall):
748         (JSC::FunctionExecutable::jitCompileForConstruct):
749         (JSC::FunctionExecutable::produceCodeBlockFor):
750         (JSC::FunctionExecutable::compileForCallInternal):
751         (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForCall):
752         (JSC::FunctionExecutable::compileForConstructInternal):
753         (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForConstruct):
754         * runtime/Executable.h:
755         (JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor):
756         (JSC::ExecutableBase::offsetOfNumParametersFor):
757         (JSC::ExecutableBase::catchRoutineFor):
758         (JSC::EvalExecutable::compile):
759         (JSC::ProgramExecutable::compile):
760         (JSC::FunctionExecutable::compileForCall):
761         (JSC::FunctionExecutable::compileForConstruct):
762         (JSC::FunctionExecutable::compileFor):
763         (JSC::FunctionExecutable::compileOptimizedFor):
764         (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeFor):
765         (JSC::FunctionExecutable::jitCompileFor):
766         * runtime/ExecutionHarness.h: Added.
767         (JSC::prepareForExecutionImpl):
768         (JSC::prepareFunctionForExecutionImpl):
769         (JSC::installOptimizedCode):
770         (JSC::prepareForExecution):
771         (JSC::prepareFunctionForExecution):
772         (JSC::replaceWithDeferredOptimizedCode):
773
774 2013-08-28  Filip Pizlo  <fpizlo@apple.com>
775
776         CodeBlock compilation and installation should be simplified and rationalized
777         https://bugs.webkit.org/show_bug.cgi?id=120326
778
779         Reviewed by Oliver Hunt.
780         
781         Previously Executable owned the code for generating JIT code; you always had
782         to go through Executable. But often you also had to go through CodeBlock,
783         because ScriptExecutable couldn't have virtual methods, but CodeBlock could.
784         So you'd ask CodeBlock to do something, which would dispatch through a
785         virtual method that would select the appropriate Executable subtype's method.
786         This all meant that the same code would often be duplicated, because most of
787         the work needed to compile something was identical regardless of code type.
788         But then we tried to fix this, by having templatized helpers in
789         ExecutionHarness.h and JITDriver.h. The result was that if you wanted to find
790         out what happened when you asked for something to be compiled, you'd go on a
791         wild ride that started with CodeBlock, touched upon Executable, and then
792         ricocheted into either ExecutionHarness or JITDriver (likely both).
793         
794         Another awkwardness was that for concurrent compiles, the DFG::Worklist had
795         super-special inside knowledge of what JITStubs.cpp's cti_optimize would have
796         done once the compilation finished.
797         
798         Also, most of the DFG JIT drivers assumed that they couldn't install the
799         JITCode into the CodeBlock directly - instead they would return it via a
800         reference, which happened to be a reference to the JITCode pointer in
801         Executable. This was super weird.
802         
803         Finally, there was no notion of compiling code into a special CodeBlock that
804         wasn't used for handling calls into an Executable. I'd like this for FTL OSR
805         entry.
806         
807         This patch solves these problems by reducing all of that complexity into just
808         three primitives:
809         
810         - Executable::newCodeBlock(). This gives you a new code block, either for call
811           or for construct, and either to serve as the baseline code or the optimized
812           code. The new code block is then owned by the caller; Executable doesn't
813           register it anywhere. The new code block has no JITCode and isn't callable,
814           but it has all of the bytecode.
815         
816         - CodeBlock::prepareForExecution(). This takes the CodeBlock's bytecode and
817           produces a JITCode, and then installs the JITCode into the CodeBlock. This
818           method takes a JITType, and always compiles with that JIT. If you ask for
819           JITCode::InterpreterThunk then you'll get JITCode that just points to the
820           LLInt entrypoints. Once this returns, it is possible to call into the
821           CodeBlock if you do so manually - but the Executable still won't know about
822           it so JS calls to that Executable will still be routed to whatever CodeBlock
823           is associated with the Executable.
824         
825         - Executable::installCode(). This takes a CodeBlock and makes it the code-for-
826           entry for that Executable. This involves unlinking the Executable's last
827           CodeBlock, if there was one. This also tells the GC about any effect on
828           memory usage and does a bunch of weird data structure rewiring, since
829           Executable caches some of CodeBlock's fields for the benefit of virtual call
830           fast paths.
831         
832         This functionality is then wrapped around three convenience methods:
833         
834         - Executable::prepareForExecution(). If there is no code block for that
835           Executable, then one is created (newCodeBlock()), compiled
836           (CodeBlock::prepareForExecution()) and installed (installCode()).
837         
838         - CodeBlock::newReplacement(). Asks the Executable for a new CodeBlock that
839           can serve as an optimized replacement of the current one.
840         
841         - CodeBlock::install(). Asks the Executable to install this code block.
842         
843         This patch allows me to kill *a lot* of code and to remove a lot of
844         specializations for functions vs. not-functions, and a lot of places where we
845         pass around JITCode references and such. ExecutionHarness and JITDriver are
846         both gone. Overall this patch has more red than green.
847         
848         It also allows me to work on FTL OSR entry and tier-up:
849         
850         - FTL tier-up: this will involve DFGOperations.cpp asking the DFG::Worklist
851           to do some compilation, but it will require the DFG::Worklist to do
852           something different than what JITStubs.cpp would want, once the compilation
853           finishes. This patch introduces a callback mechanism for that purpose.
854         
855         - FTL OSR entry: this will involve creating a special auto-jettisoned
856           CodeBlock that is used only for FTL OSR entry. The new set of primitives
857           allows for this: Executable can vend you a fresh new CodeBlock, and you can
858           ask that CodeBlock to compile itself with any JIT of your choosing. Or you
859           can take that CodeBlock and compile it yourself. Previously the act of
860           producing a CodeBlock-for-optimization and the act of compiling code for it
861           were tightly coupled; now you can separate them and you can create such
862           auto-jettisoned CodeBlocks that are used for a one-shot OSR entry.
863
864         * CMakeLists.txt:
865         * GNUmakefile.list.am:
866         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
867         * JavaScriptCore.xcodeproj/project.pbxproj:
868         * Target.pri:
869         * bytecode/CodeBlock.cpp:
870         (JSC::CodeBlock::prepareForExecution):
871         (JSC::CodeBlock::install):
872         (JSC::CodeBlock::newReplacement):
873         (JSC::FunctionCodeBlock::jettisonImpl):
874         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
875         * bytecode/CodeBlock.h:
876         (JSC::CodeBlock::hasBaselineJITProfiling):
877         * bytecode/DeferredCompilationCallback.cpp: Added.
878         (JSC::DeferredCompilationCallback::DeferredCompilationCallback):
879         (JSC::DeferredCompilationCallback::~DeferredCompilationCallback):
880         * bytecode/DeferredCompilationCallback.h: Added.
881         * dfg/DFGDriver.cpp:
882         (JSC::DFG::tryCompile):
883         * dfg/DFGDriver.h:
884         (JSC::DFG::tryCompile):
885         * dfg/DFGFailedFinalizer.cpp:
886         (JSC::DFG::FailedFinalizer::finalize):
887         (JSC::DFG::FailedFinalizer::finalizeFunction):
888         * dfg/DFGFailedFinalizer.h:
889         * dfg/DFGFinalizer.h:
890         * dfg/DFGJITFinalizer.cpp:
891         (JSC::DFG::JITFinalizer::finalize):
892         (JSC::DFG::JITFinalizer::finalizeFunction):
893         * dfg/DFGJITFinalizer.h:
894         * dfg/DFGOSRExitPreparation.cpp:
895         (JSC::DFG::prepareCodeOriginForOSRExit):
896         * dfg/DFGOperations.cpp:
897         * dfg/DFGPlan.cpp:
898         (JSC::DFG::Plan::Plan):
899         (JSC::DFG::Plan::compileInThreadImpl):
900         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
901         (JSC::DFG::Plan::finalizeAndNotifyCallback):
902         * dfg/DFGPlan.h:
903         * dfg/DFGWorklist.cpp:
904         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
905         * ftl/FTLJITFinalizer.cpp:
906         (JSC::FTL::JITFinalizer::finalize):
907         (JSC::FTL::JITFinalizer::finalizeFunction):
908         * ftl/FTLJITFinalizer.h:
909         * heap/Heap.h:
910         (JSC::Heap::isDeferred):
911         * interpreter/Interpreter.cpp:
912         (JSC::Interpreter::execute):
913         (JSC::Interpreter::executeCall):
914         (JSC::Interpreter::executeConstruct):
915         (JSC::Interpreter::prepareForRepeatCall):
916         * jit/JITDriver.h: Removed.
917         * jit/JITStubs.cpp:
918         (JSC::DEFINE_STUB_FUNCTION):
919         (JSC::jitCompileFor):
920         (JSC::lazyLinkFor):
921         * jit/JITToDFGDeferredCompilationCallback.cpp: Added.
922         (JSC::JITToDFGDeferredCompilationCallback::JITToDFGDeferredCompilationCallback):
923         (JSC::JITToDFGDeferredCompilationCallback::~JITToDFGDeferredCompilationCallback):
924         (JSC::JITToDFGDeferredCompilationCallback::create):
925         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
926         * jit/JITToDFGDeferredCompilationCallback.h: Added.
927         * llint/LLIntEntrypoints.cpp:
928         (JSC::LLInt::setFunctionEntrypoint):
929         (JSC::LLInt::setEvalEntrypoint):
930         (JSC::LLInt::setProgramEntrypoint):
931         * llint/LLIntEntrypoints.h:
932         * llint/LLIntSlowPaths.cpp:
933         (JSC::LLInt::jitCompileAndSetHeuristics):
934         (JSC::LLInt::setUpCall):
935         * runtime/ArrayPrototype.cpp:
936         (JSC::isNumericCompareFunction):
937         * runtime/CommonSlowPaths.cpp:
938         * runtime/CompilationResult.cpp:
939         (WTF::printInternal):
940         * runtime/CompilationResult.h:
941         * runtime/Executable.cpp:
942         (JSC::ScriptExecutable::installCode):
943         (JSC::ScriptExecutable::newCodeBlockFor):
944         (JSC::ScriptExecutable::newReplacementCodeBlockFor):
945         (JSC::ScriptExecutable::prepareForExecutionImpl):
946         * runtime/Executable.h:
947         (JSC::ScriptExecutable::prepareForExecution):
948         (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
949         * runtime/ExecutionHarness.h: Removed.
950
951 2013-08-28  Chris Curtis  <chris_curtis@apple.com>
952
953         https://bugs.webkit.org/show_bug.cgi?id=119548
954         Refactoring Exception throws.
955         
956         Reviewed by Geoffrey Garen.
957         
958         Gardening of exception throws. The act of throwing an exception was being handled in 
959         different ways depending on whether the code was running in the LLInt, Baseline JIT, 
960         or the DFG JIT. This made development in the VM exception and error objects difficult.
961         
962         * runtime/VM.cpp:
963         (JSC::appendSourceToError): 
964         This function moved from the interpreter into the VM. It views the developer's code
965         (if there is a codeBlock) to extract what was trying to be evaluated when the error
966         occurred.
967         
968         (JSC::VM::throwException):
969         This function takes in the error object and sets the following:
970             1: The VM's exception stack
971             2: The VM's exception 
972             3: Appends extra information on the error message (via appendSourceToError)
973             4: The error object's line number
974             5: The error object's column number
975             6: The error object's sourceURL
976             7: The error object's stack trace (unless it already exists because the developer 
977                 created the error object). 
978
979         (JSC::VM::getExceptionInfo):
980         (JSC::VM::setExceptionInfo):
981         (JSC::VM::clearException):
982         (JSC::clearExceptionStack):
983         * runtime/VM.h:
984         (JSC::VM::exceptionOffset):
985         (JSC::VM::exception):
986         (JSC::VM::addressOfException):
987         (JSC::VM::exceptionStack):
988         VM exception and exceptionStack are now private data members.
989
990         * interpreter/Interpreter.h:
991         (JSC::ClearExceptionScope::ClearExceptionScope):
992         Created this structure to temporarily clear the exception within the VM. This is
993         needed to see if additional errors occur when setting the debugger as we are
994         unwinding the stack.
995
996         * interpreter/Interpreter.cpp:
997         (JSC::Interpreter::unwind): 
998         Removed the code that would try to add error information if it did not exist. 
999         All of this functionality has moved into the VM and all error information is set 
1000         at the time the error occurs. 
1001
1002         The rest of these functions reference the new calling convention to throw an error.
1003
1004         * API/APICallbackFunction.h:
1005         (JSC::APICallbackFunction::call):
1006         * API/JSCallbackConstructor.cpp:
1007         (JSC::constructJSCallback):
1008         * API/JSCallbackObjectFunctions.h:
1009         (JSC::::getOwnPropertySlot):
1010         (JSC::::defaultValue):
1011         (JSC::::put):
1012         (JSC::::putByIndex):
1013         (JSC::::deleteProperty):
1014         (JSC::::construct):
1015         (JSC::::customHasInstance):
1016         (JSC::::call):
1017         (JSC::::getStaticValue):
1018         (JSC::::staticFunctionGetter):
1019         (JSC::::callbackGetter):
1020         * debugger/Debugger.cpp:
1021         (JSC::evaluateInGlobalCallFrame):
1022         * debugger/DebuggerCallFrame.cpp:
1023         (JSC::DebuggerCallFrame::evaluate):
1024         * dfg/DFGAssemblyHelpers.h:
1025         (JSC::DFG::AssemblyHelpers::emitExceptionCheck):
1026         * dfg/DFGOperations.cpp:
1027         (JSC::DFG::operationPutByValInternal):
1028         * ftl/FTLLowerDFGToLLVM.cpp:
1029         (JSC::FTL::LowerDFGToLLVM::callCheck):
1030         * heap/Heap.cpp:
1031         (JSC::Heap::markRoots):
1032         * interpreter/CallFrame.h:
1033         (JSC::ExecState::clearException):
1034         (JSC::ExecState::exception):
1035         (JSC::ExecState::hadException):
1036         * interpreter/Interpreter.cpp:
1037         (JSC::eval):
1038         (JSC::loadVarargs):
1039         (JSC::stackTraceAsString):
1040         (JSC::Interpreter::execute):
1041         (JSC::Interpreter::executeCall):
1042         (JSC::Interpreter::executeConstruct):
1043         (JSC::Interpreter::prepareForRepeatCall):
1044         * interpreter/Interpreter.h:
1045         (JSC::ClearExceptionScope::ClearExceptionScope):
1046         * jit/JITCode.cpp:
1047         (JSC::JITCode::execute):
1048         * jit/JITExceptions.cpp:
1049         (JSC::genericThrow):
1050         * jit/JITOpcodes.cpp:
1051         (JSC::JIT::emit_op_catch):
1052         * jit/JITOpcodes32_64.cpp:
1053         (JSC::JIT::privateCompileCTINativeCall):
1054         (JSC::JIT::emit_op_catch):
1055         * jit/JITStubs.cpp:
1056         (JSC::returnToThrowTrampoline):
1057         (JSC::throwExceptionFromOpCall):
1058         (JSC::DEFINE_STUB_FUNCTION):
1059         (JSC::jitCompileFor):
1060         (JSC::lazyLinkFor):
1061         (JSC::putByVal):
1062         (JSC::cti_vm_handle_exception):
1063         * jit/SlowPathCall.h:
1064         (JSC::JITSlowPathCall::call):
1065         * jit/ThunkGenerators.cpp:
1066         (JSC::nativeForGenerator):
1067         * jsc.cpp:
1068         (functionRun):
1069         (functionLoad):
1070         (functionCheckSyntax):
1071         * llint/LLIntExceptions.cpp:
1072         (JSC::LLInt::doThrow):
1073         (JSC::LLInt::returnToThrow):
1074         (JSC::LLInt::callToThrow):
1075         * llint/LLIntSlowPaths.cpp:
1076         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1077         * llint/LowLevelInterpreter.cpp:
1078         (JSC::CLoop::execute):
1079         * llint/LowLevelInterpreter32_64.asm:
1080         * llint/LowLevelInterpreter64.asm:
1081         * runtime/ArrayConstructor.cpp:
1082         (JSC::constructArrayWithSizeQuirk):
1083         * runtime/CommonSlowPaths.cpp:
1084         (JSC::SLOW_PATH_DECL):
1085         * runtime/CommonSlowPaths.h:
1086         (JSC::CommonSlowPaths::opIn):
1087         * runtime/CommonSlowPathsExceptions.cpp:
1088         (JSC::CommonSlowPaths::interpreterThrowInCaller):
1089         * runtime/Completion.cpp:
1090         (JSC::evaluate):
1091         * runtime/Error.cpp:
1092         (JSC::addErrorInfo):
1093         (JSC::throwTypeError):
1094         (JSC::throwSyntaxError):
1095         * runtime/Error.h:
1096         (JSC::throwVMError):
1097         * runtime/ExceptionHelpers.cpp:
1098         (JSC::throwOutOfMemoryError):
1099         (JSC::throwStackOverflowError):
1100         (JSC::throwTerminatedExecutionException):
1101         * runtime/Executable.cpp:
1102         (JSC::EvalExecutable::create):
1103         (JSC::FunctionExecutable::produceCodeBlockFor):
1104         * runtime/FunctionConstructor.cpp:
1105         (JSC::constructFunction):
1106         (JSC::constructFunctionSkippingEvalEnabledCheck):
1107         * runtime/JSArray.cpp:
1108         (JSC::JSArray::defineOwnProperty):
1109         (JSC::JSArray::put):
1110         (JSC::JSArray::push):
1111         * runtime/JSCJSValue.cpp:
1112         (JSC::JSValue::toObjectSlowCase):
1113         (JSC::JSValue::synthesizePrototype):
1114         (JSC::JSValue::putToPrimitive):
1115         * runtime/JSFunction.cpp:
1116         (JSC::JSFunction::defineOwnProperty):
1117         * runtime/JSGenericTypedArrayViewInlines.h:
1118         (JSC::::create):
1119         (JSC::::createUninitialized):
1120         (JSC::::validateRange):
1121         (JSC::::setWithSpecificType):
1122         * runtime/JSGlobalObjectFunctions.cpp:
1123         (JSC::encode):
1124         (JSC::decode):
1125         (JSC::globalFuncProtoSetter):
1126         * runtime/JSNameScope.cpp:
1127         (JSC::JSNameScope::put):
1128         * runtime/JSONObject.cpp:
1129         (JSC::Stringifier::appendStringifiedValue):
1130         (JSC::Walker::walk):
1131         * runtime/JSObject.cpp:
1132         (JSC::JSObject::put):
1133         (JSC::JSObject::defaultValue):
1134         (JSC::JSObject::hasInstance):
1135         (JSC::JSObject::defaultHasInstance):
1136         (JSC::JSObject::defineOwnNonIndexProperty):
1137         (JSC::throwTypeError):
1138         * runtime/ObjectConstructor.cpp:
1139         (JSC::toPropertyDescriptor):
1140         * runtime/RegExpConstructor.cpp:
1141         (JSC::constructRegExp):
1142         * runtime/StringObject.cpp:
1143         (JSC::StringObject::defineOwnProperty):
1144         * runtime/StringRecursionChecker.cpp:
1145         (JSC::StringRecursionChecker::throwStackOverflowError):
1146
1147 2013-08-28  Zan Dobersek  <zdobersek@igalia.com>
1148
1149         [GTK] Add support for building JSC with FTL JIT enabled
1150         https://bugs.webkit.org/show_bug.cgi?id=120270
1151
1152         Reviewed by Filip Pizlo.
1153
1154         * GNUmakefile.am: Add LLVM_LIBS to the list of linker flags and LLVM_CFLAGS to the list of
1155         compiler flags for the JSC library.
1156         * GNUmakefile.list.am: Add the missing build targets.
1157         * ftl/FTLAbbreviations.h: Include the <cstring> header and use std::strlen. This avoids compilation
1158         failures when using the Clang compiler with the libstdc++ standard library.
1159         (JSC::FTL::mdKindID):
1160         (JSC::FTL::mdString):
1161
1162 2013-08-23  Andy Estes  <aestes@apple.com>
1163
1164         Fix issues found by the Clang Static Analyzer
1165         https://bugs.webkit.org/show_bug.cgi?id=120230
1166
1167         Reviewed by Darin Adler.
1168
1169         * API/JSValue.mm:
1170         (valueToString): Don't leak every CFStringRef when in Objective-C GC.
1171         * API/ObjCCallbackFunction.mm:
1172         (JSC::ObjCCallbackFunctionImpl::~ObjCCallbackFunctionImpl): Don't
1173         release m_invocation's target since NSInvocation will do it for us on
1174         -dealloc.
1175         (objCCallbackFunctionForBlock): Tell NSInvocation to retain its target
1176         and -release our reference to the copied block.
1177         * API/tests/minidom.c:
1178         (createStringWithContentsOfFile): Free buffer before returning.
1179         * API/tests/testapi.c:
1180         (createStringWithContentsOfFile): Ditto.
1181
1182 2013-08-26  Brent Fulgham  <bfulgham@apple.com>
1183
1184         [Windows] Unreviewed build fix after r154629.
1185
1186         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing build files.
1187         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1188
1189 2013-08-26  Ryosuke Niwa  <rniwa@webkit.org>
1190
1191         Windows build fix attempt after r154629.
1192
1193         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1194
1195 2013-08-25  Mark Hahnenberg  <mhahnenberg@apple.com>
1196
1197         JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length of the ArrayStorage after possibly reallocing it
1198         https://bugs.webkit.org/show_bug.cgi?id=120278
1199
1200         Reviewed by Geoffrey Garen.
1201
1202         * runtime/JSObject.cpp:
1203         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
1204
1205 2013-08-26  Filip Pizlo  <fpizlo@apple.com>
1206
1207         Fix indentation of Executable.h.
1208
1209         Rubber stamped by Mark Hahnenberg.
1210
1211         * runtime/Executable.h:
1212
1213 2013-08-26  Mark Hahnenberg  <mhahnenberg@apple.com>
1214
1215         Object.defineProperty should be able to create a PropertyDescriptor where m_attributes == 0
1216         https://bugs.webkit.org/show_bug.cgi?id=120314
1217
1218         Reviewed by Darin Adler.
1219
1220         Currently with the way that defineProperty works, we leave a stray low bit set in 
1221         PropertyDescriptor::m_attributes in the following code:
1222
1223         var o = {};
1224         Object.defineProperty(o, 100, {writable:true, enumerable:true, configurable:true, value:"foo"});
1225         
1226         This is due to the fact that the lowest non-zero attribute (ReadOnly) is represented as 1 << 1 
1227         instead of 1 << 0. We then calculate the default attributes as (DontDelete << 1) - 1, which is 0xF, 
1228         but only the top three bits mean anything. Even in the case above, the top three bits are set 
1229         to 0 but the bottom bit remains set, which causes us to think m_attributes is non-zero.
1230
1231         Since some of these attributes and their corresponding values are exposed in the JavaScriptCore 
1232         framework's public C API, it's safer to just change how we calculate the default value, which is
1233         where the weirdness was originating from in the first place.
1234
1235         * runtime/PropertyDescriptor.cpp:
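
        A worked illustration of the stray low bit described in this entry, added here as an
        example; it is not code from the entry or from JavaScriptCore. The enum values and the
        Descriptor/attributesAfterDefineAllTrue helpers are constructed to mirror the description
        (ReadOnly at 1 << 1, default computed as (DontDelete << 1) - 1), not taken from JSC's headers:

```cpp
#include <cstdint>
#include <cstdio>

// Attribute flags laid out as the entry describes: the lowest non-zero flag
// is 1 << 1, so bit 0 never names an attribute. These values are constructed
// for the example and are not JSC's actual definitions.
enum PropertyAttribute : unsigned {
    NoAttributes = 0,
    ReadOnly     = 1u << 1,
    DontEnum     = 1u << 2,
    DontDelete   = 1u << 3,
};

// The pre-fix default: (DontDelete << 1) - 1 == 0xF. Only the top three bits
// correspond to flags; bit 0 is a stray that no descriptor field ever clears.
constexpr unsigned buggyDefaultAttributes = (DontDelete << 1) - 1;

// A default expressed purely in terms of named flags (0xE) carries no stray bit.
constexpr unsigned fixedDefaultAttributes = ReadOnly | DontEnum | DontDelete;

// Minimal stand-in for a property descriptor: each JS descriptor field maps
// to clearing (true) or setting (false) one attribute bit.
struct Descriptor {
    unsigned attributes;

    void setWritable(bool writable) {
        if (writable) attributes &= ~static_cast<unsigned>(ReadOnly);
        else          attributes |= ReadOnly;
    }
    void setEnumerable(bool enumerable) {
        if (enumerable) attributes &= ~static_cast<unsigned>(DontEnum);
        else            attributes |= DontEnum;
    }
    void setConfigurable(bool configurable) {
        if (configurable) attributes &= ~static_cast<unsigned>(DontDelete);
        else              attributes |= DontDelete;
    }
};

// Models the call quoted in the entry,
//   Object.defineProperty(o, 100, {writable:true, enumerable:true, configurable:true, value:"foo"});
// starting from a given default attribute word, and returns what is left.
unsigned attributesAfterDefineAllTrue(unsigned defaultAttributes) {
    Descriptor d{defaultAttributes};
    d.setWritable(true);
    d.setEnumerable(true);
    d.setConfigurable(true);
    return d.attributes;
}

// The check that goes wrong with the buggy default: "does this descriptor
// still carry any attribute?" With the stray bit the answer is yes even
// though all three flags were cleared.
bool hasAnyAttribute(unsigned attributes) {
    return attributes != NoAttributes;
}

int main() {
    unsigned buggy = attributesAfterDefineAllTrue(buggyDefaultAttributes);
    unsigned fixed = attributesAfterDefineAllTrue(fixedDefaultAttributes);
    std::printf("buggy default 0x%X -> 0x%X (hasAnyAttribute=%d)\n",
                buggyDefaultAttributes, buggy, hasAnyAttribute(buggy));
    std::printf("fixed default 0x%X -> 0x%X (hasAnyAttribute=%d)\n",
                fixedDefaultAttributes, fixed, hasAnyAttribute(fixed));
    return 0;
}
```

        The point the example makes is that a mask derived arithmetically from the highest flag
        ((DontDelete << 1) - 1) silently includes bit positions that no named flag owns, so any
        "is m_attributes zero" test downstream is answered wrongly; building the default from the
        named flags keeps the mask and the flag set in agreement.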
1236
1237 2013-08-24  Sam Weinig  <sam@webkit.org>
1238
1239         Add support for Promises
1240         https://bugs.webkit.org/show_bug.cgi?id=120260
1241
1242         Reviewed by Darin Adler.
1243
1244         Add an initial implementation of Promises - http://dom.spec.whatwg.org/#promises.
1245         - Despite Promises being defined in the DOM, the implementation is being put in JSC
1246           in preparation for the Promises eventually being defined in ECMAScript.
1247
1248         * CMakeLists.txt:
1249         * DerivedSources.make:
1250         * DerivedSources.pri:
1251         * GNUmakefile.list.am:
1252         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1253         * JavaScriptCore.xcodeproj/project.pbxproj:
1254         * Target.pri:
1255         Add new files.
1256
1257         * jsc.cpp:
1258         Update jsc's GlobalObjectMethodTable to stub out the new QueueTaskToEventLoop callback. This means
1259         you can't quite use Promises with the command line tool yet.
1260     
1261         * interpreter/CallFrame.h:
1262         (JSC::ExecState::promisePrototypeTable):
1263         (JSC::ExecState::promiseConstructorTable):
1264         (JSC::ExecState::promiseResolverPrototypeTable):
1265         * runtime/VM.cpp:
1266         (JSC::VM::VM):
1267         (JSC::VM::~VM):
1268         * runtime/VM.h:
1269         Add supporting code for the new static lookup tables.
1270
1271         * runtime/CommonIdentifiers.h:
1272         Add 3 new identifiers, "Promise", "PromiseResolver", and "then".
1273
1274         * runtime/JSGlobalObject.cpp:
1275         (JSC::JSGlobalObject::reset):
1276         (JSC::JSGlobalObject::visitChildren):
1277         Add supporting code for Promise and PromiseResolver's constructors and structures.
1278
1279         * runtime/JSGlobalObject.h:
1280         (JSC::TaskContext::~TaskContext):
1281         Add a new callback to the GlobalObjectMethodTable to post a task on the embedder's runloop.
1282
1283         (JSC::JSGlobalObject::promisePrototype):
1284         (JSC::JSGlobalObject::promiseResolverPrototype):
1285         (JSC::JSGlobalObject::promiseStructure):
1286         (JSC::JSGlobalObject::promiseResolverStructure):
1287         (JSC::JSGlobalObject::promiseCallbackStructure):
1288         (JSC::JSGlobalObject::promiseWrapperCallbackStructure):
1289         Add supporting code for Promise and PromiseResolver's constructors and structures.
1290
1291         * runtime/JSPromise.cpp: Added.
1292         * runtime/JSPromise.h: Added.
1293         * runtime/JSPromiseCallback.cpp: Added.
1294         * runtime/JSPromiseCallback.h: Added.
1295         * runtime/JSPromiseConstructor.cpp: Added.
1296         * runtime/JSPromiseConstructor.h: Added.
1297         * runtime/JSPromisePrototype.cpp: Added.
1298         * runtime/JSPromisePrototype.h: Added.
1299         * runtime/JSPromiseResolver.cpp: Added.
1300         * runtime/JSPromiseResolver.h: Added.
1301         * runtime/JSPromiseResolverConstructor.cpp: Added.
1302         * runtime/JSPromiseResolverConstructor.h: Added.
1303         * runtime/JSPromiseResolverPrototype.cpp: Added.
1304         * runtime/JSPromiseResolverPrototype.h: Added.
1305         Add Promise implementation.
1306
1307 2013-08-26  Zan Dobersek  <zdobersek@igalia.com>
1308
1309         Plenty of -Wcast-align warnings in KeywordLookup.h
1310         https://bugs.webkit.org/show_bug.cgi?id=120316
1311
1312         Reviewed by Darin Adler.
1313
1314         * KeywordLookupGenerator.py: Use reinterpret_cast instead of a C-style cast when casting
1315         the character pointers to types of larger size. This avoids spewing lots of warnings
1316         in the KeywordLookup.h header when compiling with the -Wcast-align option.
1317
1318 2013-08-26  Gavin Barraclough  <barraclough@apple.com>
1319
1320         RegExpMatchesArray should not call [[put]]
1321         https://bugs.webkit.org/show_bug.cgi?id=120317
1322
1323         Reviewed by Oliver Hunt.
1324
1325         This will call accessors on the JSObject/JSArray prototypes - so adding an accessor or read-only
1326         property called index or input to either of these prototypes will result in broken behavior.
1327
1328         * runtime/RegExpMatchesArray.cpp:
1329         (JSC::RegExpMatchesArray::reifyAllProperties):
1330             - put -> putDirect
1331
1332 2013-08-24  Filip Pizlo  <fpizlo@apple.com>
1333
1334         FloatTypedArrayAdaptor::toJSValue should almost certainly not use jsNumber() since that attempts int conversions
1335         https://bugs.webkit.org/show_bug.cgi?id=120228
1336
1337         Reviewed by Oliver Hunt.
1338         
1339         It turns out that there were three problems:
1340         
1341         - Using jsNumber() meant that we were converting doubles to integers and then
1342           possibly back again whenever doing a set() between floating point arrays.
1343         
1344         - Slow-path accesses to double typed arrays were slower than necessary because
1345           of the to-int conversion attempt.
1346         
1347         - The use of JSValue as an intermediate for converting between different types
1348           in typedArray.set() resulted in worse code than I had previously expected.
1349         
1350         This patch solves the problem by using template double-dispatch to ensure that
1351         the C++ compiler sees the simplest possible combination of casts between any
1352         combination of typed array types, while still preserving JS and typed array
1353         conversion semantics. Conversions are done as follows:
1354         
1355             SourceAdaptor::convertTo<TargetAdaptor>(value)
1356         
1357         Internally, convertTo() calls one of three possible methods on TargetAdaptor,
1358         with one method for each of int32_t, uint32_t, and double. This means that the
1359         C++ compiler will at worst see a widening cast to one of those types followed
1360         by a narrowing conversion (not necessarily a cast - may have clamping or the
1361         JS toInt32() function).
1362         
1363         This change doesn't just affect typedArray.set(); it also affects slow-path
1364         accesses to typed arrays as well. This patch also adds a bunch of new test
1365         coverage.
1366         
1367         This change is a ~50% speed-up on typedArray.set() involving floating point
1368         types.
1369
1370         * GNUmakefile.list.am:
1371         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1372         * JavaScriptCore.xcodeproj/project.pbxproj:
1373         * runtime/GenericTypedArrayView.h:
1374         (JSC::GenericTypedArrayView::set):
1375         * runtime/JSDataViewPrototype.cpp:
1376         (JSC::setData):
1377         * runtime/JSGenericTypedArrayView.h:
1378         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
1379         (JSC::JSGenericTypedArrayView::setIndexQuickly):
1380         * runtime/JSGenericTypedArrayViewInlines.h:
1381         (JSC::::setWithSpecificType):
1382         (JSC::::set):
1383         * runtime/ToNativeFromValue.h: Added.
1384         (JSC::toNativeFromValue):
1385         * runtime/TypedArrayAdaptors.h:
1386         (JSC::IntegralTypedArrayAdaptor::toJSValue):
1387         (JSC::IntegralTypedArrayAdaptor::toDouble):
1388         (JSC::IntegralTypedArrayAdaptor::toNativeFromInt32):
1389         (JSC::IntegralTypedArrayAdaptor::toNativeFromUint32):
1390         (JSC::IntegralTypedArrayAdaptor::toNativeFromDouble):
1391         (JSC::IntegralTypedArrayAdaptor::convertTo):
1392         (JSC::FloatTypedArrayAdaptor::toJSValue):
1393         (JSC::FloatTypedArrayAdaptor::toDouble):
1394         (JSC::FloatTypedArrayAdaptor::toNativeFromInt32):
1395         (JSC::FloatTypedArrayAdaptor::toNativeFromUint32):
1396         (JSC::FloatTypedArrayAdaptor::toNativeFromDouble):
1397         (JSC::FloatTypedArrayAdaptor::convertTo):
1398         (JSC::Uint8ClampedAdaptor::toJSValue):
1399         (JSC::Uint8ClampedAdaptor::toDouble):
1400         (JSC::Uint8ClampedAdaptor::toNativeFromInt32):
1401         (JSC::Uint8ClampedAdaptor::toNativeFromUint32):
1402         (JSC::Uint8ClampedAdaptor::toNativeFromDouble):
1403         (JSC::Uint8ClampedAdaptor::convertTo):
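
The conversion semantics the entry above has to preserve (JS toInt32() for integer targets, clamping for Uint8Clamped, float narrowing for Float32) are visible from script, so they can be written out and checked against the engine. The block below is an added example, not JavaScriptCore code: `toInt32`, `toUint8Clamp`, `NARROW` and `convertTo` are this example's names, and the per-type functions in `NARROW` play the role the adaptors' toNativeFromDouble() methods play in the C++ (here only the double-sourced case, since every JS number is a double). The sample input is constructed.

```javascript
// Added example, not JavaScriptCore code: the element conversion rules a
// typedArray.set() between element types must preserve, written as plain
// JS and compared with the engine's own set().

// ECMAScript ToInt32: NaN and ±Infinity become 0, everything else is
// truncated toward zero and wrapped modulo 2^32 into the signed range.
function toInt32(x) {
  return x | 0; // the bitwise operators apply exactly ToInt32
}

// ECMAScript ToUint8Clamp: NaN -> 0, saturate to [0, 255], otherwise round
// to nearest with ties to even (so 2.5 -> 2 but 1.5 -> 2).
function toUint8Clamp(x) {
  if (Number.isNaN(x) || x <= 0) return 0;
  if (x >= 255) return 255;
  const f = Math.floor(x);
  if (f + 0.5 < x) return f + 1;
  if (x < f + 0.5) return f;
  return f % 2 === 1 ? f + 1 : f; // exact tie: choose the even neighbour
}

// Narrowing conversion from a double to each target element type
// (the analogue of each adaptor's toNativeFromDouble()).
const NARROW = {
  Int8Array:         x => (toInt32(x) << 24) >> 24,
  Uint8Array:        x => toInt32(x) & 0xff,
  Uint8ClampedArray: toUint8Clamp,
  Int16Array:        x => (toInt32(x) << 16) >> 16,
  Uint16Array:       x => toInt32(x) & 0xffff,
  Int32Array:        toInt32,
  Uint32Array:       x => toInt32(x) >>> 0,
  Float32Array:      Math.fround,
  Float64Array:      x => x,
};

// Convert `source` element-wise with the rules above and compare with what
// TargetCtor.prototype.set() produces; `agree` is false if any element differs.
function convertTo(TargetCtor, source) {
  const narrow = NARROW[TargetCtor.name];
  const manual = Array.from(source, narrow);
  const native = new TargetCtor(source.length);
  native.set(source); // the engine's own conversion path
  const agree = manual.every((v, i) => Object.is(v, native[i]));
  return { manual, native: Array.from(native), agree };
}

// Constructed sample covering fractions, exact ties, negatives, overflow
// past 2^32 and non-finite values.
const SAMPLE = new Float64Array([1.5, 2.5, -1.5, 300, -7, 4294967296.5, NaN, Infinity, 1e10, 0.1]);

// True when every target type agrees with the engine for the sample.
function allTypesAgree(source = SAMPLE) {
  return Object.keys(NARROW).every(name => convertTo(globalThis[name], source).agree);
}
```

Running `convertTo(Int32Array, SAMPLE)` shows the wrap-around that a plain cast would get wrong (4294967296.5 becomes 0 and 1e10 becomes 1410065408), and `convertTo(Uint8ClampedArray, SAMPLE)` shows saturation plus ties-to-even rounding; `allTypesAgree()` confirms the hand-written rules match the engine for every element type.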
1404
1405 2013-08-24  Dan Bernstein  <mitz@apple.com>
1406
1407         [mac] link against libz in a more civilized manner
1408         https://bugs.webkit.org/show_bug.cgi?id=120258
1409
1410         Reviewed by Darin Adler.
1411
1412         * Configurations/JavaScriptCore.xcconfig: Removed “-lz” from OTHER_LDFLAGS_BASE.
1413         * JavaScriptCore.xcodeproj/project.pbxproj: Added libz.dylib to the JavaScriptCore target’s
1414         Link Binary With Libraries build phase.
1415
1416 2013-08-23  Laszlo Papp  <lpapp@kde.org>
1417
1418         Failure building with python3
1419         https://bugs.webkit.org/show_bug.cgi?id=106645
1420
1421         Reviewed by Benjamin Poulain.
1422
1423         Use print functions instead of python statements to be compatible with python 3.X and 2.7 as well.
1424         Archlinux has been using python3 and that is what causes issues while packaging QtWebKit along with Qt5.
1425
1426         * disassembler/udis86/itab.py:
1427         (UdItabGenerator.genInsnTable):
1428         * disassembler/udis86/ud_opcode.py:
1429         (UdOpcodeTables.print_table):
1430         * disassembler/udis86/ud_optable.py:
1431         (UdOptableXmlParser.parseDef):
1432         (UdOptableXmlParser.parse):
1433         (printFn):
1434
1435 2013-08-23  Filip Pizlo  <fpizlo@apple.com>
1436
1437         Incorrect TypedArray#set behavior
1438         https://bugs.webkit.org/show_bug.cgi?id=83818
1439
1440         Reviewed by Oliver Hunt and Mark Hahnenberg.
1441         
1442         This was so much fun! typedArray.set() is like a memmove on steroids, and I'm
1443         not smart enough to figure out optimal versions for *all* of the cases. But I
1444         did come up with optimal implementations for most of the cases, and I wrote
1445         spec-literal code (i.e. copy via a transfer buffer) for the cases I'm not smart
1446         enough to write optimal code for.
1447
1448         * runtime/JSArrayBufferView.h:
1449         (JSC::JSArrayBufferView::hasArrayBuffer):
1450         * runtime/JSArrayBufferViewInlines.h:
1451         (JSC::JSArrayBufferView::buffer):
1452         (JSC::JSArrayBufferView::existingBufferInButterfly):
1453         (JSC::JSArrayBufferView::neuter):
1454         (JSC::JSArrayBufferView::byteOffset):
1455         * runtime/JSGenericTypedArrayView.h:
1456         * runtime/JSGenericTypedArrayViewInlines.h:
1457         (JSC::::setWithSpecificType):
1458         (JSC::::set):
1459         (JSC::::existingBuffer):
1460
1461 2013-08-23  Alex Christensen  <achristensen@apple.com>
1462
1463         Re-separating Win32 and Win64 builds.
1464         https://bugs.webkit.org/show_bug.cgi?id=120178
1465
1466         Reviewed by Brent Fulgham.
1467
1468         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1469         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1470         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1471         Pass PlatformArchitecture as a command line parameter to bash scripts.
1472         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
1473         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
1474         * JavaScriptCore.vcxproj/build-generated-files.sh:
1475         Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).
1476
1477 2013-08-22  Filip Pizlo  <fpizlo@apple.com>
1478
1479         build-jsc --ftl-jit should work
1480         https://bugs.webkit.org/show_bug.cgi?id=120194
1481
1482         Reviewed by Oliver Hunt.
1483
1484         * Configurations/Base.xcconfig: CPPFLAGS should include FEATURE_DEFINES
1485         * Configurations/JSC.xcconfig: The 'jsc' tool includes headers where field layout may depend on FEATURE_DEFINES
1486         * Configurations/ToolExecutable.xcconfig: All other tools include headers where field layout may depend on FEATURE_DEFINES
1487         * ftl/FTLLowerDFGToLLVM.cpp: Build fix
1488         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
1489         (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
1490
1491 2013-08-23  Oliver Hunt  <oliver@apple.com>
1492
1493         Re-sort xcode project file
1494
1495         * JavaScriptCore.xcodeproj/project.pbxproj:
1496
1497 2013-08-23  Oliver Hunt  <oliver@apple.com>
1498
1499         Support in memory compression of rarely used data
1500         https://bugs.webkit.org/show_bug.cgi?id=120143
1501
1502         Reviewed by Gavin Barraclough.
1503
1504         Include zlib in LD_FLAGS and make UnlinkedCodeBlock make use of CompressibleVector.  This saves ~200k on google maps.
1505
1506         * Configurations/JavaScriptCore.xcconfig:
1507         * bytecode/UnlinkedCodeBlock.cpp:
1508         (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset):
1509         (JSC::UnlinkedCodeBlock::addExpressionInfo):
1510         * bytecode/UnlinkedCodeBlock.h:
1511
1512 2013-08-22  Mark Hahnenberg  <mhahnenberg@apple.com>
1513
1514         JSObject and JSArray code shouldn't have to tiptoe around garbage collection
1515         https://bugs.webkit.org/show_bug.cgi?id=120179
1516
1517         Reviewed by Geoffrey Garen.
1518
1519         There are many places in the code for JSObject and JSArray where they are manipulating their 
1520         Butterfly/Structure, e.g. after expanding their out-of-line backing storage via allocating. Within 
1521         these places there are certain "critical sections" where a GC would be disastrous. Gen GC looks 
1522         like it will make this dance even more intricate. To make everybody's lives easier we should use 
1523         the DeferGC mechanism in these functions to make these GC critical sections both obvious in the 
1524         code and trivially safe. Deferring collections will usually only last marginally longer, thus we 
1525         should not incur any additional overhead.
1526
1527         * heap/Heap.h:
1528         * runtime/JSArray.cpp:
1529         (JSC::JSArray::unshiftCountSlowCase):
1530         * runtime/JSObject.cpp:
1531         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
1532         (JSC::JSObject::createInitialUndecided):
1533         (JSC::JSObject::createInitialInt32):
1534         (JSC::JSObject::createInitialDouble):
1535         (JSC::JSObject::createInitialContiguous):
1536         (JSC::JSObject::createArrayStorage):
1537         (JSC::JSObject::convertUndecidedToArrayStorage):
1538         (JSC::JSObject::convertInt32ToArrayStorage):
1539         (JSC::JSObject::convertDoubleToArrayStorage):
1540         (JSC::JSObject::convertContiguousToArrayStorage):
1541         (JSC::JSObject::increaseVectorLength):
1542         (JSC::JSObject::ensureLengthSlow):
1543         * runtime/JSObject.h:
1544         (JSC::JSObject::putDirectInternal):
1545         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
1546         (JSC::JSObject::putDirectWithoutTransition):
1547
1548 2013-08-22  Filip Pizlo  <fpizlo@apple.com>
1549
1550         Update LLVM binary drops and scripts to the latest version from SVN
1551         https://bugs.webkit.org/show_bug.cgi?id=120184
1552
1553         Reviewed by Mark Hahnenberg.
1554
1555         * dfg/DFGPlan.cpp:
1556         (JSC::DFG::Plan::compileInThreadImpl):
1557
1558 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
1559
1560         Don't leak registers for redeclared variables
1561         https://bugs.webkit.org/show_bug.cgi?id=120174
1562
1563         Reviewed by Geoff Garen.
1564
1565         We currently always allocate registers for new global variables, but these are wasted when the variable is being redeclared.
1566         Only allocate new registers when necessary.
1567
1568         No performance impact.
1569
1570         * interpreter/Interpreter.cpp:
1571         (JSC::Interpreter::execute):
1572         * runtime/Executable.cpp:
1573         (JSC::ProgramExecutable::initializeGlobalProperties):
1574             - Don't allocate the register here.
1575         * runtime/JSGlobalObject.cpp:
1576         (JSC::JSGlobalObject::addGlobalVar):
1577             - Allocate the register here instead.
1578
1579 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
1580
1581         https://bugs.webkit.org/show_bug.cgi?id=120128
1582         Remove putDirectVirtual
1583
1584         Unreviewed, checked in commented out code. :-(
1585
1586         * interpreter/Interpreter.cpp:
1587         (JSC::Interpreter::execute):
1588             - delete commented out code
1589
1590 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
1591
1592         Error.stack should not be enumerable
1593         https://bugs.webkit.org/show_bug.cgi?id=120171
1594
1595         Reviewed by Oliver Hunt.
1596
1597         Breaks ECMA tests.
1598
1599         * runtime/ErrorInstance.cpp:
1600         (JSC::ErrorInstance::finishCreation):
1601             - None -> DontEnum
1602
1603 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1604
1605         https://bugs.webkit.org/show_bug.cgi?id=120128
1606         Remove putDirectVirtual
1607
1608         Reviewed by Sam Weinig.
1609
1610         This could most generously be described as 'vestigial'.
1611         No performance impact.
1612
1613         * API/JSObjectRef.cpp:
1614         (JSObjectSetProperty):
1615             - changed to use defineOwnProperty
1616         * debugger/DebuggerActivation.cpp:
1617         * debugger/DebuggerActivation.h:
1618             - remove putDirectVirtual
1619         * interpreter/Interpreter.cpp:
1620         (JSC::Interpreter::execute):
1621             - changed to use defineOwnProperty
1622         * runtime/ClassInfo.h:
1623         * runtime/JSActivation.cpp:
1624         * runtime/JSActivation.h:
1625         * runtime/JSCell.cpp:
1626         * runtime/JSCell.h:
1627         * runtime/JSGlobalObject.cpp:
1628         * runtime/JSGlobalObject.h:
1629         * runtime/JSObject.cpp:
1630         * runtime/JSObject.h:
1631         * runtime/JSProxy.cpp:
1632         * runtime/JSProxy.h:
1633         * runtime/JSSymbolTableObject.cpp:
1634         * runtime/JSSymbolTableObject.h:
1635             - remove putDirectVirtual
1636         * runtime/PropertyDescriptor.h:
1637         (JSC::PropertyDescriptor::PropertyDescriptor):
1638             - added constructor for convenience
1639
1640 2013-08-22  Chris Curtis  <chris_curtis@apple.com>
1641
1642         errorDescriptionForValue() should not assume error value is an Object
1643         https://bugs.webkit.org/show_bug.cgi?id=119812
1644
1645         Reviewed by Geoffrey Garen.
1646
1647         Added a check to make sure that the JSValue was an object before casting it as an object. Also, in case the parameterized JSValue
1648         has no type, the function now returns the empty string. 
1649         * runtime/ExceptionHelpers.cpp:
1650         (JSC::errorDescriptionForValue):
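
The bug above is a general one for error-reporting code: anything can be thrown in JavaScript, and a describer that treats the thrown value as an object (or reads properties that may be accessors) can itself fault while handling a failure. The block below is an added example, not JavaScriptCore code, of a describer that applies the same rule as the fixed errorDescriptionForValue(): check the type before treating the value as an object, and guard every property read. `describeThrownValue`, `describeAll` and the constructed `SAMPLE_THROWS` list are this example's own names.

```javascript
// Added example, not JavaScriptCore code: describe a thrown value without
// ever assuming it is an object or that reading its properties is safe.

function describeThrownValue(value) {
  if (value === null) return "null";
  if (value === undefined) return "undefined";
  const t = typeof value;
  if (t === "symbol") return value.toString();                   // template literals would throw here
  if (t !== "object" && t !== "function") return String(value);   // number, string, boolean, bigint
  // Objects and functions: prefer name/message for Error-like values, but
  // both may be accessors (or Proxy traps) that throw, so guard the reads.
  try {
    if (typeof value.message === "string") {
      const name = typeof value.name === "string" ? value.name : "Error";
      return `${name}: ${value.message}`;
    }
    // Never calls a user-supplied toString(); only Symbol.toStringTag is consulted.
    return Object.prototype.toString.call(value);
  } catch (_) {
    return "[unprintable object]";
  }
}

// Constructed sample of things code might throw, from benign to hostile.
const SAMPLE_THROWS = [
  () => { throw new TypeError("bad input"); },
  () => { throw 42; },
  () => { throw null; },
  () => { throw undefined; },
  () => { throw Symbol("tag"); },
  () => { throw { get message() { throw new Error("trap"); } }; },
  () => { throw new Proxy({}, { get() { throw new Error("proxy trap"); } }); },
];

// Run each thrower and collect a description of what it threw; this must
// never itself throw, whatever the callers hand us.
function describeAll(throwers = SAMPLE_THROWS) {
  return throwers.map(fn => {
    try { fn(); return "did not throw"; }
    catch (e) { return describeThrownValue(e); }
  });
}
```

The last two sample entries are the cases a naive implementation misses: the value is an object, but touching `message` throws, so the description has to fall back rather than propagate a second exception out of the error path.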
1651
1652 2013-08-22  Julien Brianceau  <jbrianceau@nds.com>
1653
1654         Fix P_DFGOperation_EJS call for MIPS and ARM EABI.
1655         https://bugs.webkit.org/show_bug.cgi?id=120107
1656
1657         Reviewed by Yong Li.
1658
1659         EncodedJSValue parameters must be aligned to even registers for MIPS and ARM EABI.
1660
1661         * dfg/DFGSpeculativeJIT.h:
1662         (JSC::DFG::SpeculativeJIT::callOperation):
1663
1664 2013-08-21  Commit Queue  <commit-queue@webkit.org>
1665
1666         Unreviewed, rolling out r154416.
1667         http://trac.webkit.org/changeset/154416
1668         https://bugs.webkit.org/show_bug.cgi?id=120147
1669
1670         Broke Windows builds (Requested by rniwa on #webkit).
1671
1672         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1673         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1674         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
1675         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1676         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
1677         * JavaScriptCore.vcxproj/build-generated-files.sh:
1678
1679 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1680
1681         Clarify var/const/function declaration
1682         https://bugs.webkit.org/show_bug.cgi?id=120144
1683
1684         Reviewed by Sam Weinig.
1685
1686         Add methods to JSGlobalObject to declare vars, consts, and functions.
1687
1688         * runtime/Executable.cpp:
1689         (JSC::ProgramExecutable::initializeGlobalProperties):
1690         * runtime/Executable.h:
1691             - Moved declaration code to JSGlobalObject
1692         * runtime/JSGlobalObject.cpp:
1693         (JSC::JSGlobalObject::addGlobalVar):
1694             - internal implementation of addVar, addConst, addFunction
1695         * runtime/JSGlobalObject.h:
1696         (JSC::JSGlobalObject::addVar):
1697         (JSC::JSGlobalObject::addConst):
1698         (JSC::JSGlobalObject::addFunction):
1699             - Added methods to declare vars, consts, and functions
1700
1701 2013-08-21  Yi Shen  <max.hong.shen@gmail.com>
1702
1703         https://bugs.webkit.org/show_bug.cgi?id=119900
1704         Exception in global setter doesn't unwind correctly
1705
1706         Reviewed by Geoffrey Garen.
1707
1708         Call VM_THROW_EXCEPTION_AT_END in op_put_to_scope if the setter throws exception.
1709
1710         * jit/JITStubs.cpp:
1711         (JSC::DEFINE_STUB_FUNCTION):
1712
1713 2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>
1714
1715         Rename/refactor setButterfly/setStructure
1716         https://bugs.webkit.org/show_bug.cgi?id=120138
1717
1718         Reviewed by Geoffrey Garen.
1719
1720         setButterfly becomes setStructureAndButterfly.
1721
1722         Also removed the Butterfly* argument from setStructure and just implicitly
1723         used m_butterfly internally since that's what every single client of setStructure
1724         was doing already.
1725
1726         * jit/JITStubs.cpp:
1727         (JSC::DEFINE_STUB_FUNCTION):
1728         * runtime/JSObject.cpp:
1729         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
1730         (JSC::JSObject::createInitialUndecided):
1731         (JSC::JSObject::createInitialInt32):
1732         (JSC::JSObject::createInitialDouble):
1733         (JSC::JSObject::createInitialContiguous):
1734         (JSC::JSObject::createArrayStorage):
1735         (JSC::JSObject::convertUndecidedToInt32):
1736         (JSC::JSObject::convertUndecidedToDouble):
1737         (JSC::JSObject::convertUndecidedToContiguous):
1738         (JSC::JSObject::convertUndecidedToArrayStorage):
1739         (JSC::JSObject::convertInt32ToDouble):
1740         (JSC::JSObject::convertInt32ToContiguous):
1741         (JSC::JSObject::convertInt32ToArrayStorage):
1742         (JSC::JSObject::genericConvertDoubleToContiguous):
1743         (JSC::JSObject::convertDoubleToArrayStorage):
1744         (JSC::JSObject::convertContiguousToArrayStorage):
1745         (JSC::JSObject::switchToSlowPutArrayStorage):
1746         (JSC::JSObject::setPrototype):
1747         (JSC::JSObject::putDirectAccessor):
1748         (JSC::JSObject::seal):
1749         (JSC::JSObject::freeze):
1750         (JSC::JSObject::preventExtensions):
1751         (JSC::JSObject::reifyStaticFunctionsForDelete):
1752         (JSC::JSObject::removeDirect):
1753         * runtime/JSObject.h:
1754         (JSC::JSObject::setStructureAndButterfly):
1755         (JSC::JSObject::setStructure):
1756         (JSC::JSObject::putDirectInternal):
1757         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
1758         (JSC::JSObject::putDirectWithoutTransition):
1759         * runtime/Structure.cpp:
1760         (JSC::Structure::flattenDictionaryStructure):
1761
1762 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1763
1764         https://bugs.webkit.org/show_bug.cgi?id=120127
1765         Remove JSObject::propertyIsEnumerable
1766
1767         Unreviewed typo fix
1768
1769         * runtime/JSObject.h:
1770             - fix typo
1771
1772 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1773
1774         https://bugs.webkit.org/show_bug.cgi?id=120139
1775         PropertyDescriptor argument to define methods should be const
1776
1777         Rubber stamped by Sam Weinig.
1778
1779         This should never be modified, and this way we can use rvalues.
1780
1781         * debugger/DebuggerActivation.cpp:
1782         (JSC::DebuggerActivation::defineOwnProperty):
1783         * debugger/DebuggerActivation.h:
1784         * runtime/Arguments.cpp:
1785         (JSC::Arguments::defineOwnProperty):
1786         * runtime/Arguments.h:
1787         * runtime/ClassInfo.h:
1788         * runtime/JSArray.cpp:
1789         (JSC::JSArray::defineOwnProperty):
1790         * runtime/JSArray.h:
1791         * runtime/JSArrayBuffer.cpp:
1792         (JSC::JSArrayBuffer::defineOwnProperty):
1793         * runtime/JSArrayBuffer.h:
1794         * runtime/JSArrayBufferView.cpp:
1795         (JSC::JSArrayBufferView::defineOwnProperty):
1796         * runtime/JSArrayBufferView.h:
1797         * runtime/JSCell.cpp:
1798         (JSC::JSCell::defineOwnProperty):
1799         * runtime/JSCell.h:
1800         * runtime/JSFunction.cpp:
1801         (JSC::JSFunction::defineOwnProperty):
1802         * runtime/JSFunction.h:
1803         * runtime/JSGenericTypedArrayView.h:
1804         * runtime/JSGenericTypedArrayViewInlines.h:
1805         (JSC::::defineOwnProperty):
1806         * runtime/JSGlobalObject.cpp:
1807         (JSC::JSGlobalObject::defineOwnProperty):
1808         * runtime/JSGlobalObject.h:
1809         * runtime/JSObject.cpp:
1810         (JSC::JSObject::putIndexedDescriptor):
1811         (JSC::JSObject::defineOwnIndexedProperty):
1812         (JSC::putDescriptor):
1813         (JSC::JSObject::defineOwnNonIndexProperty):
1814         (JSC::JSObject::defineOwnProperty):
1815         * runtime/JSObject.h:
1816         * runtime/JSProxy.cpp:
1817         (JSC::JSProxy::defineOwnProperty):
1818         * runtime/JSProxy.h:
1819         * runtime/RegExpMatchesArray.h:
1820         (JSC::RegExpMatchesArray::defineOwnProperty):
1821         * runtime/RegExpObject.cpp:
1822         (JSC::RegExpObject::defineOwnProperty):
1823         * runtime/RegExpObject.h:
1824         * runtime/StringObject.cpp:
1825         (JSC::StringObject::defineOwnProperty):
1826         * runtime/StringObject.h:
1827             - make PropertyDescriptor const
1828
1829 2013-08-21  Filip Pizlo  <fpizlo@apple.com>
1830
1831         REGRESSION: Crash under JITCompiler::link while loading Gmail
1832         https://bugs.webkit.org/show_bug.cgi?id=119872
1833
1834         Reviewed by Mark Hahnenberg.
1835         
1836         Apparently, unsigned + signed = unsigned. Work around it with a cast.
1837
1838         * dfg/DFGByteCodeParser.cpp:
1839         (JSC::DFG::ByteCodeParser::parseBlock):
1840
1841 2013-08-21  Alex Christensen  <achristensen@apple.com>
1842
1843         <https://webkit.org/b/120137> Separating Win32 and Win64 builds.
1844
1845         Reviewed by Brent Fulgham.
1846
1847         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1848         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1849         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1850         Pass PlatformArchitecture as a command line parameter to bash scripts.
1851         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
1852         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
1853         * JavaScriptCore.vcxproj/build-generated-files.sh:
1854         Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).
1855
1856 2013-08-21  Filip Pizlo  <fpizlo@apple.com>
1857
1858         Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView
1859         https://bugs.webkit.org/show_bug.cgi?id=120099
1860
1861         Reviewed by Mark Hahnenberg.
1862         
1863         JSDataView should not store the ArrayBuffer* in the butterfly indexing header, since
1864         JSDataView may have ordinary JS indexed properties.
1865
1866         * runtime/ClassInfo.h:
1867         * runtime/JSArrayBufferView.cpp:
1868         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1869         (JSC::JSArrayBufferView::finishCreation):
1870         * runtime/JSArrayBufferView.h:
1871         (JSC::hasArrayBuffer):
1872         * runtime/JSArrayBufferViewInlines.h:
1873         (JSC::JSArrayBufferView::buffer):
1874         (JSC::JSArrayBufferView::neuter):
1875         (JSC::JSArrayBufferView::byteOffset):
1876         * runtime/JSCell.cpp:
1877         (JSC::JSCell::slowDownAndWasteMemory):
1878         * runtime/JSCell.h:
1879         * runtime/JSDataView.cpp:
1880         (JSC::JSDataView::JSDataView):
1881         (JSC::JSDataView::create):
1882         (JSC::JSDataView::slowDownAndWasteMemory):
1883         * runtime/JSDataView.h:
1884         (JSC::JSDataView::buffer):
1885         * runtime/JSGenericTypedArrayView.h:
1886         * runtime/JSGenericTypedArrayViewInlines.h:
1887         (JSC::::visitChildren):
1888         (JSC::::slowDownAndWasteMemory):
1889
1890 2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>
1891
1892         Remove incorrect ASSERT from CopyVisitor::visitItem
1893
1894         Rubber stamped by Filip Pizlo.
1895
1896         * heap/CopyVisitorInlines.h:
1897         (JSC::CopyVisitor::visitItem):
1898
1899 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1900
1901         https://bugs.webkit.org/show_bug.cgi?id=120127
1902         Remove JSObject::propertyIsEnumerable
1903
1904         Reviewed by Sam Weinig.
1905
1906         This method is just a wart - it contains unnecessary const-casting, function call overhead, and LOC.
1907
1908         * runtime/JSObject.cpp:
1909         * runtime/JSObject.h:
1910             - remove propertyIsEnumerable
1911         * runtime/ObjectPrototype.cpp:
1912         (JSC::objectProtoFuncPropertyIsEnumerable):
1913             - Move implementation here using getOwnPropertyDescriptor directly.
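
Two of the entries above concern the Enumerable attribute: Error.stack becoming DontEnum, and propertyIsEnumerable being reimplemented directly on top of getOwnPropertyDescriptor. The block below is an added example, not JavaScriptCore code, that does both from script: `propertyIsEnumerable` is written in terms of Object.getOwnPropertyDescriptor, and `errorExposure` shows what enumeration-based serialisers (Object.keys, JSON.stringify) do and do not pick up from an Error once `stack` is non-enumerable. The function names and the `requestId` field are this example's own.

```javascript
// Added example, not JavaScriptCore code: propertyIsEnumerable expressed via
// getOwnPropertyDescriptor, and the effect of Error.stack being DontEnum.

// Own-property enumerability straight from the descriptor (inherited
// properties are never enumerable "on" this object, so no prototype walk).
function propertyIsEnumerable(obj, key) {
  const d = Object.getOwnPropertyDescriptor(Object(obj), key);
  return d !== undefined && d.enumerable === true;
}

// Split an object's own string-keyed properties by the Enumerable attribute.
function partitionByEnumerable(obj) {
  const out = { enumerable: [], hidden: [] };
  for (const key of Reflect.ownKeys(obj)) {
    if (typeof key !== "string") continue;
    (propertyIsEnumerable(obj, key) ? out.enumerable : out.hidden).push(key);
  }
  return out;
}

// What a generic serialiser sees of an Error: only enumerable own fields.
function errorExposure() {
  const err = new RangeError("bad");
  err.requestId = "req-123"; // constructed: a field application code adds
  const parts = partitionByEnumerable(err);
  return {
    stackEnumerable: propertyIsEnumerable(err, "stack"),
    enumerableKeys: parts.enumerable,
    hiddenKeys: parts.hidden,
    serialised: JSON.stringify(err),
    inheritedMessageEnumerable: propertyIsEnumerable(Error.prototype, "message"),
  };
}
```

With `stack` (and `message`) non-enumerable, `JSON.stringify(err)` yields only the application's own field, so a stack trace does not ride along with an error that generic code logs or sends over the wire; code that wants the trace has to ask for `err.stack` explicitly.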
1914
1915 2013-08-20  Filip Pizlo  <fpizlo@apple.com>
1916
1917         DFG should inline new typedArray()
1918         https://bugs.webkit.org/show_bug.cgi?id=120022
1919
1920         Reviewed by Oliver Hunt.
1921         
1922         Adds inlining of typed array allocations in the DFG. Any operation of the
1923         form:
1924         
1925             new foo(blah)
1926         
1927         or:
1928         
1929             foo(blah)
1930         
1931         where 'foo' is a typed array constructor and 'blah' is exactly one argument,
1932         is turned into the NewTypedArray intrinsic. Later, if child1 (i.e. 'blah')
1933         is predicted integer, we generate inline code for an allocation. Otherwise
1934         it turns into a call to an operation that behaves like the constructor would
1935         if it was passed one argument (i.e. it may wrap a buffer or it may create a
1936         copy or another array, or it may allocate an array of that length).
1937
1938         * bytecode/SpeculatedType.cpp:
1939         (JSC::speculationFromTypedArrayType):
1940         (JSC::speculationFromClassInfo):
1941         * bytecode/SpeculatedType.h:
1942         * dfg/DFGAbstractInterpreterInlines.h:
1943         (JSC::DFG::::executeEffects):
1944         * dfg/DFGBackwardsPropagationPhase.cpp:
1945         (JSC::DFG::BackwardsPropagationPhase::propagate):
1946         * dfg/DFGByteCodeParser.cpp:
1947         (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
1948         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1949         * dfg/DFGCCallHelpers.h:
1950         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
1951         * dfg/DFGCSEPhase.cpp:
1952         (JSC::DFG::CSEPhase::putStructureStoreElimination):
1953         * dfg/DFGClobberize.h:
1954         (JSC::DFG::clobberize):
1955         * dfg/DFGFixupPhase.cpp:
1956         (JSC::DFG::FixupPhase::fixupNode):
1957         * dfg/DFGGraph.cpp:
1958         (JSC::DFG::Graph::dump):
1959         * dfg/DFGNode.h:
1960         (JSC::DFG::Node::hasTypedArrayType):
1961         (JSC::DFG::Node::typedArrayType):
1962         * dfg/DFGNodeType.h:
1963         * dfg/DFGOperations.cpp:
1964         (JSC::DFG::newTypedArrayWithSize):
1965         (JSC::DFG::newTypedArrayWithOneArgument):
1966         * dfg/DFGOperations.h:
1967         (JSC::DFG::operationNewTypedArrayWithSizeForType):
1968         (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
1969         * dfg/DFGPredictionPropagationPhase.cpp:
1970         (JSC::DFG::PredictionPropagationPhase::propagate):
1971         * dfg/DFGSafeToExecute.h:
1972         (JSC::DFG::safeToExecute):
1973         * dfg/DFGSpeculativeJIT.cpp:
1974         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
1975         * dfg/DFGSpeculativeJIT.h:
1976         (JSC::DFG::SpeculativeJIT::callOperation):
1977         * dfg/DFGSpeculativeJIT32_64.cpp:
1978         (JSC::DFG::SpeculativeJIT::compile):
1979         * dfg/DFGSpeculativeJIT64.cpp:
1980         (JSC::DFG::SpeculativeJIT::compile):
1981         * jit/JITOpcodes.cpp:
1982         (JSC::JIT::emit_op_new_object):
1983         * jit/JITOpcodes32_64.cpp:
1984         (JSC::JIT::emit_op_new_object):
1985         * runtime/JSArray.h:
1986         (JSC::JSArray::allocationSize):
1987         * runtime/JSArrayBufferView.h:
1988         (JSC::JSArrayBufferView::allocationSize):
1989         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1990         (JSC::constructGenericTypedArrayView):
1991         * runtime/JSObject.h:
1992         (JSC::JSFinalObject::allocationSize):
1993         * runtime/TypedArrayType.cpp:
1994         (JSC::constructorClassInfoForType):
1995         * runtime/TypedArrayType.h:
1996         (JSC::indexToTypedArrayType):
1997
1998 2013-08-21  Julien Brianceau  <jbrianceau@nds.com>
1999
2000         <https://webkit.org/b/120106> Fix V_DFGOperation_EJPP signature in DFG.
2001
2002         Reviewed by Geoffrey Garen.
2003
2004         * dfg/DFGOperations.h:
2005
2006 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
2007
2008         https://bugs.webkit.org/show_bug.cgi?id=120093
2009         Remove getOwnPropertyDescriptor trap
2010
2011         Reviewed by Geoff Garen.
2012
2013         All implementations of this method are now called via the method table, and equivalent in behaviour.
2014         Remove all duplicate implementations (and the method table trap), and add a single member function implementation on JSObject.
2015
2016         * API/JSCallbackObject.h:
2017         * API/JSCallbackObjectFunctions.h:
2018         * debugger/DebuggerActivation.cpp:
2019         * debugger/DebuggerActivation.h:
2020         * runtime/Arguments.cpp:
2021         * runtime/Arguments.h:
2022         * runtime/ArrayConstructor.cpp:
2023         * runtime/ArrayConstructor.h:
2024         * runtime/ArrayPrototype.cpp:
2025         * runtime/ArrayPrototype.h:
2026         * runtime/BooleanPrototype.cpp:
2027         * runtime/BooleanPrototype.h:
2028             - remove getOwnPropertyDescriptor
2029         * runtime/ClassInfo.h:
2030             - remove getOwnPropertyDescriptor from MethodTable
2031         * runtime/DateConstructor.cpp:
2032         * runtime/DateConstructor.h:
2033         * runtime/DatePrototype.cpp:
2034         * runtime/DatePrototype.h:
2035         * runtime/ErrorPrototype.cpp:
2036         * runtime/ErrorPrototype.h:
2037         * runtime/JSActivation.cpp:
2038         * runtime/JSActivation.h:
2039         * runtime/JSArray.cpp:
2040         * runtime/JSArray.h:
2041         * runtime/JSArrayBuffer.cpp:
2042         * runtime/JSArrayBuffer.h:
2043         * runtime/JSArrayBufferView.cpp:
2044         * runtime/JSArrayBufferView.h:
2045         * runtime/JSCell.cpp:
2046         * runtime/JSCell.h:
2047         * runtime/JSDataView.cpp:
2048         * runtime/JSDataView.h:
2049         * runtime/JSDataViewPrototype.cpp:
2050         * runtime/JSDataViewPrototype.h:
2051         * runtime/JSFunction.cpp:
2052         * runtime/JSFunction.h:
2053         * runtime/JSGenericTypedArrayView.h:
2054         * runtime/JSGenericTypedArrayViewInlines.h:
2055         * runtime/JSGlobalObject.cpp:
2056         * runtime/JSGlobalObject.h:
2057         * runtime/JSNotAnObject.cpp:
2058         * runtime/JSNotAnObject.h:
2059         * runtime/JSONObject.cpp:
2060         * runtime/JSONObject.h:
2061             - remove getOwnPropertyDescriptor
2062         * runtime/JSObject.cpp:
2063         (JSC::JSObject::propertyIsEnumerable):
2064             - switch to call new getOwnPropertyDescriptor member function
2065         (JSC::JSObject::getOwnPropertyDescriptor):
2066             - new, based on implementation from GET_OWN_PROPERTY_DESCRIPTOR_IMPL
2067         (JSC::JSObject::defineOwnNonIndexProperty):
2068             - switch to call new getOwnPropertyDescriptor member function
2069         * runtime/JSObject.h:
2070         * runtime/JSProxy.cpp:
2071         * runtime/JSProxy.h:
2072         * runtime/NamePrototype.cpp:
2073         * runtime/NamePrototype.h:
2074         * runtime/NumberConstructor.cpp:
2075         * runtime/NumberConstructor.h:
2076         * runtime/NumberPrototype.cpp:
2077         * runtime/NumberPrototype.h:
2078             - remove getOwnPropertyDescriptor
2079         * runtime/ObjectConstructor.cpp:
2080         (JSC::objectConstructorGetOwnPropertyDescriptor):
2081         (JSC::objectConstructorSeal):
2082         (JSC::objectConstructorFreeze):
2083         (JSC::objectConstructorIsSealed):
2084         (JSC::objectConstructorIsFrozen):
2085             - switch to call new getOwnPropertyDescriptor member function
2086         * runtime/ObjectConstructor.h:
2087             - remove getOwnPropertyDescriptor
2088         * runtime/PropertyDescriptor.h:
2089             - remove GET_OWN_PROPERTY_DESCRIPTOR_IMPL
2090         * runtime/RegExpConstructor.cpp:
2091         * runtime/RegExpConstructor.h:
2092         * runtime/RegExpMatchesArray.cpp:
2093         * runtime/RegExpMatchesArray.h:
2094         * runtime/RegExpObject.cpp:
2095         * runtime/RegExpObject.h:
2096         * runtime/RegExpPrototype.cpp:
2097         * runtime/RegExpPrototype.h:
2098         * runtime/StringConstructor.cpp:
2099         * runtime/StringConstructor.h:
2100         * runtime/StringObject.cpp:
2101         * runtime/StringObject.h:
2102             - remove getOwnPropertyDescriptor
2103
2104 2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>
2105
2106         <https://webkit.org/b/120079> Flattening a dictionary can cause CopiedSpace corruption
2107
2108         Reviewed by Oliver Hunt.
2109
2110         When we flatten an object in dictionary mode, we compact its properties. If the object 
2111         had out-of-line storage in the form of a Butterfly prior to this compaction, and after 
2112         compaction its properties fit inline, the object's Structure "forgets" that the object 
2113         has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes 
2114         with bytes = 0, which causes all sorts of badness in CopiedSpace.
2115
2116         Instead, after we flatten a dictionary, if properties fit inline we should clear the 
2117         Butterfly pointer so that the GC doesn't get confused later.
2118
2119         This patch does this clearing, and it also adds JSObject::checkStructure, which overrides
2120         JSCell::checkStructure to add an ASSERT that makes sure that the Structure being assigned
2121         agrees with whether or not the object has a Butterfly. Also added an ASSERT to check
2122         that the number of bytes reported to SlotVisitor::copyLater is non-zero.
2123
2124         * heap/SlotVisitorInlines.h:
2125         (JSC::SlotVisitor::copyLater):
2126         * runtime/JSObject.cpp:
2127         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
2128         (JSC::JSObject::convertUndecidedToInt32):
2129         (JSC::JSObject::convertUndecidedToDouble):
2130         (JSC::JSObject::convertUndecidedToContiguous):
2131         (JSC::JSObject::convertInt32ToDouble):
2132         (JSC::JSObject::convertInt32ToContiguous):
2133         (JSC::JSObject::genericConvertDoubleToContiguous):
2134         (JSC::JSObject::switchToSlowPutArrayStorage):
2135         (JSC::JSObject::setPrototype):
2136         (JSC::JSObject::putDirectAccessor):
2137         (JSC::JSObject::seal):
2138         (JSC::JSObject::freeze):
2139         (JSC::JSObject::preventExtensions):
2140         (JSC::JSObject::reifyStaticFunctionsForDelete):
2141         (JSC::JSObject::removeDirect):
2142         * runtime/JSObject.h:
2143         (JSC::JSObject::setButterfly):
2144         (JSC::JSObject::putDirectInternal):
2145         (JSC::JSObject::setStructure):
2146         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
2147         * runtime/Structure.cpp:
2148         (JSC::Structure::flattenDictionaryStructure):
2149
2150 2013-08-20  Alex Christensen  <achristensen@apple.com>
2151
2152         Compile fix for Win64 after r154156.
2153
2154         Rubber stamped by Oliver Hunt.
2155
2156         * jit/JITStubsMSVC64.asm:
2157         Renamed ctiVMThrowTrampolineSlowpath to ctiVMHandleException and
2158         cti_vm_throw_slowpath to cti_vm_handle_exception.
2159
2160 2013-08-20  Alex Christensen  <achristensen@apple.com>
2161
2162         <https://webkit.org/b/120076> More work towards a Win64 build
2163
2164         Reviewed by Brent Fulgham.
2165
2166         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
2167         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
2168         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
2169         * JavaScriptCore.vcxproj/copy-files.cmd:
2170         * JavaScriptCore.vcxproj/jsc/jscCommon.props:
2171         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
2172         Use PlatformArchitecture macro instead of bin32, lib32, and obj32.
2173
2174 2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>
2175
2176         <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
2177
2178         Reviewed by Geoffrey Garen.
2179
2180         More fixes for WriteBarrier deferral during concurrent JIT-ing. This patch makes the use of DesiredWriteBarriers class and the 
2181         initializeLazyWriteBarrierFor* wrapper functions more sane. 
2182
2183         Refactored DesiredWriteBarrier to require an owner, a type, a CodeBlock, and an index. The type indicates how to use the CodeBlock
2184         and index when triggering the WriteBarrier at the end of compilation. 
2185
2186         The client code of initializeLazy* is now responsible for creating the WriteBarrier that will be initialized as well as passing
2187         in the relevant index to be used at the end of compilation. Things were kind of muddled before in that one function did a 
2188         little extra work that really shouldn't have been its responsibility.
2189
2190         * dfg/DFGByteCodeParser.cpp:
2191         (JSC::DFG::ByteCodeParser::addConstant):
2192         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2193         * dfg/DFGDesiredWriteBarriers.cpp:
2194         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
2195         (JSC::DFG::DesiredWriteBarrier::trigger):
2196         * dfg/DFGDesiredWriteBarriers.h:
2197         (JSC::DFG::DesiredWriteBarriers::add):
2198         (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameExecutable):
2199         (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameCallee):
2200         (JSC::DFG::initializeLazyWriteBarrierForConstant):
2201         * dfg/DFGFixupPhase.cpp:
2202         (JSC::DFG::FixupPhase::truncateConstantToInt32):
2203         * dfg/DFGGraph.h:
2204         (JSC::DFG::Graph::constantRegisterForConstant):
2205
2206 2013-08-20  Michael Saboff  <msaboff@apple.com>
2207
2208         https://bugs.webkit.org/show_bug.cgi?id=120075
2209         REGRESSION (r128400): BBC4 website not displaying pictures
2210
2211         Reviewed by Oliver Hunt.
2212
2213         * runtime/RegExpMatchesArray.h:
2214         (JSC::RegExpMatchesArray::createStructure): Changed the array IndexingType to be ArrayWithSlowPutArrayStorage
2215         so that the match results will be reified before any other modification to the results array.
2216
2217 2013-08-19  Filip Pizlo  <fpizlo@apple.com>
2218
2219         Incorrect behavior on emscripten-compiled cube2hash
2220         https://bugs.webkit.org/show_bug.cgi?id=120033
2221
2222         Reviewed by Mark Hahnenberg.
2223         
2224         If PutClosureVar is may-aliased to another PutClosureVar or GetClosureVar
2225         then we should bail attempts to CSE.
2226
2227         * dfg/DFGCSEPhase.cpp:
2228         (JSC::DFG::CSEPhase::scopedVarLoadElimination):
2229         (JSC::DFG::CSEPhase::scopedVarStoreElimination):
2230
2231 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
2232
2233         https://bugs.webkit.org/show_bug.cgi?id=120073
2234         Remove use of GOPD from JSFunction::defineProperty
2235
2236         Reviewed by Oliver Hunt.
2237
2238         Call getOwnPropertySlot to check for existing properties instead.
2239
2240         * runtime/JSFunction.cpp:
2241         (JSC::JSFunction::defineOwnProperty):
2242             - getOwnPropertyDescriptor -> getOwnPropertySlot
2243
2244 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
2245
2246         https://bugs.webkit.org/show_bug.cgi?id=120067
2247         Remove getPropertyDescriptor
2248
2249         Reviewed by Oliver Hunt.
2250
2251         This is used by lookupGetter/lookupSetter - this can easily be replaced by getPropertySlot.
2252         Since we'll be getting the GetterSetter from the slot in the setter case, rename isGetter() to isAccessor().
2253
2254         * runtime/JSObject.cpp:
2255         * runtime/JSObject.h:
2256             - remove getPropertyDescriptor
2257         * runtime/ObjectPrototype.cpp:
2258         (JSC::objectProtoFuncLookupGetter):
2259         (JSC::objectProtoFuncLookupSetter):
2260             - replace call to getPropertyDescriptor with getPropertySlot
2261         * runtime/PropertyDescriptor.h:
2262         * runtime/PropertySlot.h:
2263         (JSC::PropertySlot::isAccessor):
2264         (JSC::PropertySlot::isCacheableGetter):
2265         (JSC::PropertySlot::getterSetter):
2266             - rename isGetter() to isAccessor()
2267
2268 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
2269
2270         https://bugs.webkit.org/show_bug.cgi?id=120054
2271         Remove some dead code following getOwnPropertyDescriptor cleanup
2272
2273         Reviewed by Oliver Hunt.
2274
2275         * runtime/Lookup.h:
2276         (JSC::getStaticFunctionSlot):
2277             - remove getStaticPropertyDescriptor, getStaticFunctionDescriptor, getStaticValueDescriptor.
2278
2279 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
2280
2281         https://bugs.webkit.org/show_bug.cgi?id=120052
2282         Remove custom getOwnPropertyDescriptor for JSProxy
2283
2284         Reviewed by Geoff Garen.
2285
2286         GET_OWN_PROPERTY_DESCRIPTOR_IMPL runs afoul of JSProxy due to the workaround for JSDOMWindow's broken behavior.
2287         Because the window object incorrectly searches the prototype chain in getOwnPropertySlot we check that the base
2288         object matches, but in the case of JSProxy we can end up comparing the window object to the window shell & falsely
2289         assuming this is a prototype property. Add toThis conversion to correctly identify proxied own access. I've kept
2290         the original slotBase check as a fast case, and also so that direct access on JSDOMWindow still works.
2291
2292         * runtime/JSProxy.cpp:
2293             - Remove custom getOwnPropertyDescriptor implementation.
2294         * runtime/PropertyDescriptor.h:
2295             - Modify own property access check to perform toThis conversion.
2296
2297 2013-08-20  Alex Christensen  <achristensen@apple.com>
2298
2299         Use PlatformArchitecture to distinguish between 32-bit and 64-bit builds on Windows.
2300         https://bugs.webkit.org/show_bug.cgi?id=119512
2301
2302         Reviewed by Brent Fulgham.
2303
2304         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2305         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2306         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
2307         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
2308         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
2309         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
2310         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
2311         Replaced obj32, bin32, and lib32 with macros for 64-bit build.
2312
2313 2013-08-20  Julien Brianceau  <jbrianceau@nds.com>
2314
2315         <https://webkit.org/b/120062> Missing ensureSpace call in sh4 baseline JIT.
2316
2317         Reviewed by Allan Sandfeld Jensen.
2318
2319         branchPtrWithPatch() of baseline JIT must ensure that space is available for its
2320         instructions and two constants now that DFG is enabled for sh4 architecture.
2321         These missing ensureSpace calls lead to random crashes.
2322
2323         * assembler/MacroAssemblerSH4.h:
2324         (JSC::MacroAssemblerSH4::branchPtrWithPatch):
2325
2326 2013-08-19  Gavin Barraclough  <barraclough@apple.com>
2327
2328         https://bugs.webkit.org/show_bug.cgi?id=120034
2329         Remove custom getOwnPropertyDescriptor for global objects
2330
2331         Reviewed by Geoff Garen.
2332
2333         Fix attributes of JSC SymbolTableObject entries, ensure that cross frame access is safe, and suppress prototype chain walk.
2334
2335         * runtime/JSGlobalObject.cpp:
2336             - Remove custom getOwnPropertyDescriptor implementation.
2337         * runtime/JSSymbolTableObject.h:
2338         (JSC::symbolTableGet):
2339             - The symbol table does not store the DontDelete attribute; we should be adding it back in.
2340         * runtime/PropertyDescriptor.h:
2341             - JSDOMWindow walks the prototype chain on own access. This is bad, but for now work around it for the getOwnPropertyDescriptor case.
2342         * runtime/PropertySlot.h:
2343         (JSC::PropertySlot::setUndefined):
2344             - This is used by WebCore when blocking access to properties on cross-frame access.
2345               Mark blocked properties as read-only, non-configurable to prevent defineProperty.
2346
2347 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
2348
2349         DFG should inline typedArray.byteOffset
2350         https://bugs.webkit.org/show_bug.cgi?id=119962
2351
2352         Reviewed by Oliver Hunt.
2353         
2354         This adds a new node, GetTypedArrayByteOffset, which inlines
2355         typedArray.byteOffset.
2356         
2357         Also, I improved a bunch of the clobbering logic related to typed arrays
2358         and clobbering in general. For example, PutByOffset/PutStructure are not
2359         clobber-world so they can be handled by most default cases in CSE. Also,
2360         it's better to use the 'Class_field' notation for typed arrays now that
2361         they no longer involve magical descriptor thingies.
2362
2363         * bytecode/SpeculatedType.h:
2364         * dfg/DFGAbstractHeap.h:
2365         * dfg/DFGAbstractInterpreterInlines.h:
2366         (JSC::DFG::::executeEffects):
2367         * dfg/DFGArrayMode.h:
2368         (JSC::DFG::neverNeedsStorage):
2369         * dfg/DFGCSEPhase.cpp:
2370         (JSC::DFG::CSEPhase::getByValLoadElimination):
2371         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
2372         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
2373         (JSC::DFG::CSEPhase::checkArrayElimination):
2374         (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
2375         (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination):
2376         (JSC::DFG::CSEPhase::performNodeCSE):
2377         * dfg/DFGClobberize.h:
2378         (JSC::DFG::clobberize):
2379         * dfg/DFGFixupPhase.cpp:
2380         (JSC::DFG::FixupPhase::fixupNode):
2381         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
2382         (JSC::DFG::FixupPhase::convertToGetArrayLength):
2383         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
2384         * dfg/DFGNodeType.h:
2385         * dfg/DFGPredictionPropagationPhase.cpp:
2386         (JSC::DFG::PredictionPropagationPhase::propagate):
2387         * dfg/DFGSafeToExecute.h:
2388         (JSC::DFG::safeToExecute):
2389         * dfg/DFGSpeculativeJIT.cpp:
2390         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
2391         * dfg/DFGSpeculativeJIT.h:
2392         * dfg/DFGSpeculativeJIT32_64.cpp:
2393         (JSC::DFG::SpeculativeJIT::compile):
2394         * dfg/DFGSpeculativeJIT64.cpp:
2395         (JSC::DFG::SpeculativeJIT::compile):
2396         * dfg/DFGTypeCheckHoistingPhase.cpp:
2397         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2398         * runtime/ArrayBuffer.h:
2399         (JSC::ArrayBuffer::offsetOfData):
2400         * runtime/Butterfly.h:
2401         (JSC::Butterfly::offsetOfArrayBuffer):
2402         * runtime/IndexingHeader.h:
2403         (JSC::IndexingHeader::offsetOfArrayBuffer):
2404
2405 2013-08-18  Filip Pizlo  <fpizlo@apple.com>
2406
2407         <https://webkit.org/b/119994> DFG new Array() inlining could get confused about global objects
2408
2409         Reviewed by Geoffrey Garen.
2410
2411         * dfg/DFGByteCodeParser.cpp:
2412         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2413
2414 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
2415
2416         https://bugs.webkit.org/show_bug.cgi?id=119995
2417         Start removing custom implementations of getOwnPropertyDescriptor
2418
2419         Reviewed by Oliver Hunt.
2420
2421         This can now typically be implemented in terms of getOwnPropertySlot.
2422         Add a macro to PropertyDescriptor to define an implementation of GOPD in terms of GOPS.
2423         Switch over most classes in JSC & the WebCore bindings generator to use this.
2424
2425         * API/JSCallbackObjectFunctions.h:
2426         * debugger/DebuggerActivation.cpp:
2427         * runtime/Arguments.cpp:
2428         * runtime/ArrayConstructor.cpp:
2429         * runtime/ArrayPrototype.cpp:
2430         * runtime/BooleanPrototype.cpp:
2431         * runtime/DateConstructor.cpp:
2432         * runtime/DatePrototype.cpp:
2433         * runtime/ErrorPrototype.cpp:
2434         * runtime/JSActivation.cpp:
2435         * runtime/JSArray.cpp:
2436         * runtime/JSArrayBuffer.cpp:
2437         * runtime/JSArrayBufferView.cpp:
2438         * runtime/JSCell.cpp:
2439         * runtime/JSDataView.cpp:
2440         * runtime/JSDataViewPrototype.cpp:
2441         * runtime/JSFunction.cpp:
2442         * runtime/JSGenericTypedArrayViewInlines.h:
2443         * runtime/JSNotAnObject.cpp:
2444         * runtime/JSONObject.cpp:
2445         * runtime/JSObject.cpp:
2446         * runtime/NamePrototype.cpp:
2447         * runtime/NumberConstructor.cpp:
2448         * runtime/NumberPrototype.cpp:
2449         * runtime/ObjectConstructor.cpp:
2450             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
2451         * runtime/PropertyDescriptor.h:
2452             - Added GET_OWN_PROPERTY_DESCRIPTOR_IMPL macro.
2453         * runtime/PropertySlot.h:
2454         (JSC::PropertySlot::isValue):
2455         (JSC::PropertySlot::isGetter):
2456         (JSC::PropertySlot::isCustom):
2457         (JSC::PropertySlot::isCacheableValue):
2458         (JSC::PropertySlot::isCacheableGetter):
2459         (JSC::PropertySlot::isCacheableCustom):
2460         (JSC::PropertySlot::attributes):
2461         (JSC::PropertySlot::getterSetter):
2462             - Add accessors necessary to convert PropertySlot to descriptor.
2463         * runtime/RegExpConstructor.cpp:
2464         * runtime/RegExpMatchesArray.cpp:
2465         * runtime/RegExpMatchesArray.h:
2466         * runtime/RegExpObject.cpp:
2467         * runtime/RegExpPrototype.cpp:
2468         * runtime/StringConstructor.cpp:
2469         * runtime/StringObject.cpp:
2470             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
2471
2472 2013-08-19  Michael Saboff  <msaboff@apple.com>
2473
2474         https://bugs.webkit.org/show_bug.cgi?id=120015 DFG 32Bit: Crash loading "Classic" site @ translate.google.com
2475
2476         Reviewed by Sam Weinig.
2477
2478         * dfg/DFGSpeculativeJIT32_64.cpp:
2479         (JSC::DFG::SpeculativeJIT::fillSpeculateCell): Added checks for spillFormat being
2480         DataFormatInteger or DataFormatDouble similar to what is in the 64 bit code and in
2481         all versions of fillSpeculateBoolean().
2482
2483 2013-08-19  Michael Saboff  <msaboff@apple.com>
2484
2485         https://bugs.webkit.org/show_bug.cgi?id=120020 Change Set 154207 causes wrong register to be used for 32 bit tests
2486
2487         Reviewed by Benjamin Poulain.
2488
2489         Change branchTest32 to only use the byte for 8 bit test on the lower 4 registers.
2490         Registers 4 through 7 as byte registers are ah, ch, dh and bh instead of sp, bp, si and di.
2491
2492         * assembler/MacroAssemblerX86Common.h:
2493         (JSC::MacroAssemblerX86Common::branchTest32):
2494
2495 2013-08-16  Oliver Hunt  <oliver@apple.com>
2496
2497         <https://webkit.org/b/119860> Crash during exception unwinding
2498
2499         Reviewed by Filip Pizlo.
2500
2501         Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error
2502         to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node.
2503
2504         We need this so that Throw and ThrowReferenceError no longer need to be treated as
2505         terminals and the subsequent flush keeps the activation (and other registers) live.
2506
2507         * dfg/DFGAbstractInterpreterInlines.h:
2508         (JSC::DFG::::executeEffects):
2509         * dfg/DFGByteCodeParser.cpp:
2510         (JSC::DFG::ByteCodeParser::parseBlock):
2511         * dfg/DFGClobberize.h:
2512         (JSC::DFG::clobberize):
2513         * dfg/DFGFixupPhase.cpp:
2514         (JSC::DFG::FixupPhase::fixupNode):
2515         * dfg/DFGNode.h:
2516         (JSC::DFG::Node::isTerminal):
2517         * dfg/DFGNodeType.h:
2518         * dfg/DFGPredictionPropagationPhase.cpp:
2519         (JSC::DFG::PredictionPropagationPhase::propagate):
2520         * dfg/DFGSafeToExecute.h:
2521         (JSC::DFG::safeToExecute):
2522         * dfg/DFGSpeculativeJIT32_64.cpp:
2523         (JSC::DFG::SpeculativeJIT::compile):
2524         * dfg/DFGSpeculativeJIT64.cpp:
2525         (JSC::DFG::SpeculativeJIT::compile):
2526
2527 2013-08-19  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>
2528
2529         <https://webkit.org/b/120008> [GTK][ARM] javascriptcore compilation is broken
2530
2531         Reviewed by Oliver Hunt.
2532
2533         Guard the compilation of these files only if DFG_JIT is enabled.
2534
2535         * dfg/DFGDesiredTransitions.cpp:
2536         * dfg/DFGDesiredTransitions.h:
2537         * dfg/DFGDesiredWeakReferences.cpp:
2538         * dfg/DFGDesiredWeakReferences.h:
2539         * dfg/DFGDesiredWriteBarriers.cpp:
2540         * dfg/DFGDesiredWriteBarriers.h:
2541
2542 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
2543
2544         REGRESSION(r154218): DFG::FixupPhase no longer turns GetById's child1 into CellUse
2545         https://bugs.webkit.org/show_bug.cgi?id=119961
2546
2547         Reviewed by Mark Hahnenberg.
2548
2549         * dfg/DFGFixupPhase.cpp:
2550         (JSC::DFG::FixupPhase::fixupNode):
2551
2552 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
2553
2554         https://bugs.webkit.org/show_bug.cgi?id=119972
2555         Add attributes field to PropertySlot
2556
2557         Reviewed by Geoff Garen.
2558
2559         For all JSC types, this makes getOwnPropertyDescriptor redundant.
2560         There will be a bit more hacking required in WebCore to remove GOPD whilst maintaining current behaviour.
2561         (Current behaviour is in many ways broken, particularly in that GOPD & GOPS are inconsistent, but we should fix incrementally).
2562
2563         No performance impact.
2564
2565         * runtime/PropertySlot.h:
2566         (JSC::PropertySlot::setValue):
2567         (JSC::PropertySlot::setCustom):
2568         (JSC::PropertySlot::setCacheableCustom):
2569         (JSC::PropertySlot::setCustomIndex):
2570         (JSC::PropertySlot::setGetterSlot):
2571         (JSC::PropertySlot::setCacheableGetterSlot):
2572             - These methods now all require 'attributes'.
2573         * runtime/JSObject.h:
2574         (JSC::JSObject::getDirect):
2575         (JSC::JSObject::getDirectOffset):
2576         (JSC::JSObject::inlineGetOwnPropertySlot):
2577             - Added variants of getDirect, getDirectOffset that return the attributes.
2578         * API/JSCallbackObjectFunctions.h:
2579         (JSC::::getOwnPropertySlot):
2580         * runtime/Arguments.cpp:
2581         (JSC::Arguments::getOwnPropertySlotByIndex):
2582         (JSC::Arguments::getOwnPropertySlot):
2583         * runtime/JSActivation.cpp:
2584         (JSC::JSActivation::symbolTableGet):
2585         (JSC::JSActivation::getOwnPropertySlot):
2586         * runtime/JSArray.cpp:
2587         (JSC::JSArray::getOwnPropertySlot):
2588         * runtime/JSArrayBuffer.cpp:
2589         (JSC::JSArrayBuffer::getOwnPropertySlot):
2590         * runtime/JSArrayBufferView.cpp:
2591         (JSC::JSArrayBufferView::getOwnPropertySlot):
2592         * runtime/JSDataView.cpp:
2593         (JSC::JSDataView::getOwnPropertySlot):
2594         * runtime/JSFunction.cpp:
2595         (JSC::JSFunction::getOwnPropertySlot):
2596         * runtime/JSGenericTypedArrayViewInlines.h:
2597         (JSC::::getOwnPropertySlot):
2598         (JSC::::getOwnPropertySlotByIndex):
2599         * runtime/JSObject.cpp:
2600         (JSC::JSObject::getOwnPropertySlotByIndex):
2601         (JSC::JSObject::fillGetterPropertySlot):
2602         * runtime/JSString.h:
2603         (JSC::JSString::getStringPropertySlot):
2604         * runtime/JSSymbolTableObject.h:
2605         (JSC::symbolTableGet):
2606         * runtime/Lookup.cpp:
2607         (JSC::setUpStaticFunctionSlot):
2608         * runtime/Lookup.h:
2609         (JSC::getStaticPropertySlot):
2610         (JSC::getStaticPropertyDescriptor):
2611         (JSC::getStaticValueSlot):
2612         (JSC::getStaticValueDescriptor):
2613         * runtime/RegExpObject.cpp:
2614         (JSC::RegExpObject::getOwnPropertySlot):
2615         * runtime/SparseArrayValueMap.cpp:
2616         (JSC::SparseArrayEntry::get):
2617             - Pass attributes to PropertySlot::set* methods.
2618
2619 2013-08-17  Mark Hahnenberg  <mhahnenberg@apple.com>
2620
2621         <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
2622
2623         Reviewed by Filip Pizlo.
2624
2625         Added a new mode for DesiredWriteBarrier that allows it to track a position in a 
2626         Vector of WriteBarriers rather than the specific address. The fact that we were 
2627         arbitrarily storing into a Vector's backing store for constants at the end of 
2628         compilation after the Vector could have resized was causing crashes.
2629
2630         * bytecode/CodeBlock.h:
2631         (JSC::CodeBlock::constants):
2632         (JSC::CodeBlock::addConstantLazily):
2633         * dfg/DFGByteCodeParser.cpp:
2634         (JSC::DFG::ByteCodeParser::addConstant):
2635         * dfg/DFGDesiredWriteBarriers.cpp:
2636         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
2637         (JSC::DFG::DesiredWriteBarrier::trigger):
2638         (JSC::DFG::initializeLazyWriteBarrierForConstant):
2639         * dfg/DFGDesiredWriteBarriers.h:
2640         (JSC::DFG::DesiredWriteBarriers::add):
2641         * dfg/DFGFixupPhase.cpp:
2642         (JSC::DFG::FixupPhase::truncateConstantToInt32):
2643         * dfg/DFGGraph.h:
2644         (JSC::DFG::Graph::constantRegisterForConstant):
2645
2646 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
2647
2648         DFG should optimize typedArray.byteLength
2649         https://bugs.webkit.org/show_bug.cgi?id=119909
2650
2651         Reviewed by Oliver Hunt.
2652         
2653         This adds typedArray.byteLength inlining to the DFG, and does so without changing
2654         the IR: byteLength is turned into GetArrayLength followed by BitLShift. This is
2655         legal since the byteLength of a typed array cannot exceed
2656         numeric_limits<int32_t>::max().
2657
2658         * bytecode/SpeculatedType.cpp:
2659         (JSC::typedArrayTypeFromSpeculation):
2660         * bytecode/SpeculatedType.h:
2661         * dfg/DFGArrayMode.cpp:
2662         (JSC::DFG::toArrayType):
2663         * dfg/DFGArrayMode.h:
2664         * dfg/DFGFixupPhase.cpp:
2665         (JSC::DFG::FixupPhase::fixupNode):
2666         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
2667         (JSC::DFG::FixupPhase::attemptToMakeGetByteLength):
2668         (JSC::DFG::FixupPhase::convertToGetArrayLength):
2669         (JSC::DFG::FixupPhase::prependGetArrayLength):
2670         * dfg/DFGGraph.h:
2671         (JSC::DFG::Graph::constantRegisterForConstant):
2672         (JSC::DFG::Graph::convertToConstant):
2673         * runtime/TypedArrayType.h:
2674         (JSC::logElementSize):
2675         (JSC::elementSize):
2676
2677 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
2678
2679         DFG optimizes out strict mode arguments tear off
2680         https://bugs.webkit.org/show_bug.cgi?id=119504
2681
2682         Reviewed by Mark Hahnenberg and Oliver Hunt.
2683         
2684         Don't do the optimization for strict mode.
2685
2686         * dfg/DFGArgumentsSimplificationPhase.cpp:
2687         (JSC::DFG::ArgumentsSimplificationPhase::run):
2688         (JSC::DFG::ArgumentsSimplificationPhase::pruneObviousArgumentCreations):
2689
2690 2013-08-16  Benjamin Poulain  <benjamin@webkit.org>
2691
2692         [JSC] x86: improve code generation for xxxTest32
2693         https://bugs.webkit.org/show_bug.cgi?id=119876
2694
2695         Reviewed by Geoffrey Garen.
2696
2697         Try to use testb whenever possible when testing for an immediate value.
2698
2699         When the input is an address and an offset, we can tweak the mask
2700         and offset to be able to generate testb for any byte of the mask.
2701
2702         When the input is a register, we can use testb if we are only interested
2703         in testing the low bits.
2704
2705         * assembler/MacroAssemblerX86Common.h:
2706         (JSC::MacroAssemblerX86Common::branchTest32):
2707         (JSC::MacroAssemblerX86Common::test32):
2708         (JSC::MacroAssemblerX86Common::generateTest32):
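
        The narrowing rule described in this entry and the byte-register restriction from the r154207 fix (bug 120020) above, as an added example that is not JavaScriptCore code: a small decision routine that says whether a 32-bit immediate test can be lowered to a testb, and with which adjusted offset and 8-bit mask. The enum names, function names and the struct are assumptions made for this illustration; the byte-register encoding facts (ids 4-7 are ah/ch/dh/bh without a REX prefix) are standard x86.

```c
#include <stdbool.h>
#include <stdint.h>

/* x86 32-bit general registers in hardware encoding order (names chosen for this example). */
enum X86Reg { EAX = 0, ECX = 1, EDX = 2, EBX = 3, ESP = 4, EBP = 5, ESI = 6, EDI = 7 };

/* Outcome of trying to replace "test dword [base+offset], imm32" by "test byte [base+offset+k], imm8". */
typedef struct {
    bool usable;     /* true when a single testb covers every set bit of the mask */
    int32_t offset;  /* original offset plus the index k of the selected byte */
    uint8_t mask8;   /* mask32 shifted down so the selected byte sits in bits 0..7 */
} ByteTestPlan;

/* Memory operand case: if all set bits of mask32 fall inside one byte k (little-endian,
   as on x86), the test can be done on that byte alone by bumping the displacement by k
   and shifting the mask down by 8*k. A zero mask or a displacement that would overflow
   int32 when bumped is left to the full test32. */
ByteTestPlan narrowMemoryTest32(int32_t offset, uint32_t mask32)
{
    ByteTestPlan plan = { false, offset, 0 };
    if (mask32 == 0)
        return plan;
    if (offset > INT32_MAX - 3)
        return plan; /* offset + k must stay a valid 32-bit displacement */
    for (int k = 0; k < 4; ++k) {
        uint32_t byteMask = 0xFFu << (8 * k);
        if ((mask32 & ~byteMask) == 0) {
            plan.usable = true;
            plan.offset = offset + k;
            plan.mask8 = (uint8_t)(mask32 >> (8 * k));
            return plan;
        }
    }
    return plan; /* set bits span more than one byte: keep test32 */
}

/* Register operand case: testb on a register only reads its low byte, so the mask must
   not touch bits 8..31. In 32-bit mode (no REX prefix) the byte-register encodings 4..7
   mean ah, ch, dh, bh rather than the low byte of esp, ebp, esi, edi, so only the first
   four registers may be narrowed at all. */
bool canUseByteTestOnRegister(int reg, uint32_t mask32)
{
    if (reg < EAX || reg > EDI)
        return false; /* not a valid 32-bit GPR id */
    if (reg > EBX)
        return false; /* would silently test ah/ch/dh/bh instead of the low byte */
    return mask32 != 0 && (mask32 & ~0xFFu) == 0;
}
```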
2709
2013-08-16  Mark Lam  <mark.lam@apple.com>

        <https://bugs.webkit.org/show_bug.cgi?id=119913> Baseline JIT gives erroneous
        error message that an object is not a constructor though it expects a function

        Reviewed by Michael Saboff.

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2013-08-16  Filip Pizlo  <fpizlo@apple.com>

        Object properties added using dot syntax (o.f = ...) from code that isn't in eval should be less likely to cause an object to become a dictionary
        https://bugs.webkit.org/show_bug.cgi?id=119897

        Reviewed by Oliver Hunt.

        6-10x speed-up on microbenchmarks that create large static objects. 40-65% speed-up
        on Octane/gbemu. 3% overall speed-up on Octane. No slow-downs anywhere; our ability
        to turn objects into dictionaries when you're storing using bracket syntax or using
        eval is still in place.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::putByIdContext):
        * dfg/DFGOperations.cpp:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirectInternal):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::PutPropertySlot):
        (JSC::PutPropertySlot::context):
        * runtime/Structure.cpp:
        (JSC::Structure::addPropertyTransition):
        * runtime/Structure.h:

2013-08-16  Balazs Kilvady  <kilvadyb@homejinni.com>

        <https://webkit.org/b/119742> REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException

        Reviewed by Allan Sandfeld Jensen.

        ctiVMHandleException must jump/return using register ra (r31).

        * jit/JITStubsMIPS.h:

2013-08-16  Julien Brianceau  <jbrianceau@nds.com>

        <https://webkit.org/b/119879> Fix sh4 build after r154156.

        Reviewed by Allan Sandfeld Jensen.

        Fix typo in JITStubsSH4.h file.

        * jit/JITStubsSH4.h:

2013-08-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        <https://webkit.org/b/119833> Concurrent compilation thread should not trigger WriteBarriers

        Reviewed by Oliver Hunt.

        The concurrent compilation thread should interact minimally with the Heap, including not
        triggering WriteBarriers. This is a prerequisite for generational GC.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::addOrFindConstant):
        (JSC::CodeBlock::findConstant):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addConstantLazily):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getJSConstantForValue):
        (JSC::DFG::ByteCodeParser::constantUndefined):
        (JSC::DFG::ByteCodeParser::constantNull):
        (JSC::DFG::ByteCodeParser::one):
        (JSC::DFG::ByteCodeParser::constantNaN):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::notifyCompilingStructureTransition):
        * dfg/DFGCommonData.h:
        * dfg/DFGDesiredTransitions.cpp: Added.
        (JSC::DFG::DesiredTransition::DesiredTransition):
        (JSC::DFG::DesiredTransition::reallyAdd):
        (JSC::DFG::DesiredTransitions::DesiredTransitions):
        (JSC::DFG::DesiredTransitions::~DesiredTransitions):
        (JSC::DFG::DesiredTransitions::addLazily):
        (JSC::DFG::DesiredTransitions::reallyAdd):
        * dfg/DFGDesiredTransitions.h: Added.
        * dfg/DFGDesiredWeakReferences.cpp: Added.
        (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
        (JSC::DFG::DesiredWeakReferences::~DesiredWeakReferences):
        (JSC::DFG::DesiredWeakReferences::addLazily):
        (JSC::DFG::DesiredWeakReferences::reallyAdd):
        * dfg/DFGDesiredWeakReferences.h: Added.
        * dfg/DFGDesiredWriteBarriers.cpp: Added.
        (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
        (JSC::DFG::DesiredWriteBarrier::trigger):
        (JSC::DFG::DesiredWriteBarriers::DesiredWriteBarriers):
        (JSC::DFG::DesiredWriteBarriers::~DesiredWriteBarriers):
        (JSC::DFG::DesiredWriteBarriers::addImpl):
        (JSC::DFG::DesiredWriteBarriers::trigger):
        * dfg/DFGDesiredWriteBarriers.h: Added.
        (JSC::DFG::DesiredWriteBarriers::add):
        (JSC::DFG::initializeLazyWriteBarrier):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::truncateConstantToInt32):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::convertToConstant):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addWeakReference):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::reallyAdd):
        * dfg/DFGPlan.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase::set):
        (JSC::WriteBarrier::WriteBarrier):

2013-08-15  Benjamin Poulain  <benjamin@webkit.org>

        Fix x86 32-bit build after r154158

        * assembler/X86Assembler.h: Add missing #ifdef for the x86_64 instructions.

2013-08-15  Ryosuke Niwa  <rniwa@webkit.org>

        Build fix attempt after r154156.

        * jit/JITStubs.cpp:
        (JSC::cti_vm_handle_exception): encode!

2013-08-15  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] x86: Use inc and dec when possible
        https://bugs.webkit.org/show_bug.cgi?id=119831

        Reviewed by Geoffrey Garen.

        When incrementing or decrementing by an immediate of 1, use the instructions
        inc and dec instead of add and sub.
        The instructions have good timing and their encoding is smaller.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86_64::add32):
        (JSC::MacroAssemblerX86_64::sub32):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::add64):
        (JSC::MacroAssemblerX86_64::sub64):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::dec_r):
        (JSC::X86Assembler::decq_r):
        (JSC::X86Assembler::inc_r):
        (JSC::X86Assembler::incq_r):

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
        https://bugs.webkit.org/show_bug.cgi?id=119874

        Reviewed by Oliver Hunt and Mark Hahnenberg.

        It was a confusion between heuristics in DFG::ArrayMode that are assuming that
        you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
        sometimes for typed array length accesses, and the FixupPhase assuming that a
        ForceExit ArrayMode means that it should continue using a generic GetById.

        This fixes the confusion.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2013-08-15  Mark Lam  <mark.lam@apple.com>

        Fix crash when performing activation tearoff.
        https://bugs.webkit.org/show_bug.cgi?id=119848

        Reviewed by Oliver Hunt.

        The activation tearoff crash was due to a bug in the baseline JIT.
        If we have a scenario where a baseline JIT frame calls an LLINT
        frame, an exception may be thrown while in the LLINT.

        Interpreter::throwException() which handles the exception will unwind
        all frames until it finds a catcher or sees a host frame. When we
        return from the LLINT to the baseline JIT code, the baseline JIT code
        erroneously sets topCallFrame to the value in its call frame register,
        and starts unwinding the stack frames that have already been unwound.

        The fix is:
        1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
           This is a more accurate description of what this runtime function
           is supposed to do, i.e. it handles the exception, which includes doing
           nothing (if there are no more frames to unwind).
        2. Fix up topCallFrame values so that the HostCallFrameFlag is never
           set on it.
        3. Reload the call frame register from topCallFrame when we're
           returning from a callee and detect exception handling in progress.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::unwindCallFrame):
        - Ensure that topCallFrame is not set with the HostCallFrameFlag.
        (JSC::Interpreter::getStackTrace):
        * interpreter/Interpreter.h:
        (JSC::TopCallFrameSetter::TopCallFrameSetter):
        (JSC::TopCallFrameSetter::~TopCallFrameSetter):
        (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
        - Ensure that topCallFrame is not set with the HostCallFrameFlag.
        * jit/JIT.h:
        * jit/JITExceptions.cpp:
        (JSC::uncaughtExceptionHandler):
        - Convenience function to get the handler for uncaught exceptions.
        * jit/JITExceptions.h:
        * jit/JITInlines.h:
        (JSC::JIT::reloadCallFrameFromTopCallFrame):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
        * jit/JITStubs.cpp:
        (JSC::throwExceptionFromOpCall):
        - Ensure that topCallFrame is not set with the HostCallFrameFlag.
        (JSC::cti_vm_handle_exception):
        - Check for the case when there are no more frames to unwind.
        * jit/JITStubs.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsMIPS.h:
        * jit/JITStubsSH4.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:
        - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call):
        - Reload cfr from topCallFrame when handling an exception.
        - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        - Reload cfr from topCallFrame when handling an exception.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        - Ensure that topCallFrame is not set with the HostCallFrameFlag.

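A toy model of the double unwind described in the entry above, added here as an illustration and not JSC's own code. It assumes, as the entry states, that HostCallFrameFlag lives in the low bit of a caller pointer and that throwException stops at a catcher or a host boundary; the CallFrame layout, the VM struct and every helper name other than those mentioned in the entry are simplifications made up for this example. The scenario constructs three frames (host, baseline JIT, LLInt) and compares the buggy return path, which trusts the stale call frame register, with the fixed one, which reloads from topCallFrame.

```cpp
#include <cstdint>

// Simplified frame: the caller link may carry HostCallFrameFlag in its low bit.
struct CallFrame {
    CallFrame* taggedCaller;  // caller pointer, possibly tagged with HostCallFrameFlag
    bool hasHandler;          // true when this frame owns a catch handler
    bool unwound;             // set once throwException has torn this frame down
};

static const uintptr_t HostCallFrameFlag = 1;  // assumption: low bit of the pointer

static bool hasHostCallFrameFlag(const CallFrame* f)
{
    return (reinterpret_cast<uintptr_t>(f) & HostCallFrameFlag) != 0;
}
static CallFrame* removeHostCallFrameFlag(CallFrame* f)
{
    return reinterpret_cast<CallFrame*>(reinterpret_cast<uintptr_t>(f) & ~HostCallFrameFlag);
}
static CallFrame* addHostCallFrameFlag(CallFrame* f)
{
    return reinterpret_cast<CallFrame*>(reinterpret_cast<uintptr_t>(f) | HostCallFrameFlag);
}

struct VM {
    CallFrame* topCallFrame = nullptr;
};

// Models Interpreter::throwException: tear frames down until a catcher or a
// host boundary. topCallFrame is always stored untagged (fix 2 in the entry).
static CallFrame* throwException(VM& vm, CallFrame* frame)
{
    while (frame) {
        if (frame->hasHandler) {
            vm.topCallFrame = frame;
            return frame;                 // resume in this frame's handler
        }
        frame->unwound = true;
        CallFrame* caller = frame->taggedCaller;
        if (hasHostCallFrameFlag(caller)) {
            vm.topCallFrame = removeHostCallFrameFlag(caller);
            return nullptr;               // nothing left to unwind below the host
        }
        frame = caller;
    }
    vm.topCallFrame = nullptr;
    return nullptr;
}

// Models the baseline JIT's return path after a callee threw. With
// reloadFromTopCallFrame == false (the bug) the JIT trusts the cfr it still
// holds in a register; with true it reloads from topCallFrame (fix 3).
// Returns true if ctiVMHandleException would be entered on a frame that
// throwException already tore down, i.e. a double unwind.
static bool resumeAfterCalleeThrew(VM& vm, CallFrame* staleCallFrameRegister, bool reloadFromTopCallFrame)
{
    CallFrame* cfr = reloadFromTopCallFrame ? vm.topCallFrame : staleCallFrameRegister;
    return cfr != nullptr && cfr->unwound;
}

// Scenario from the entry: host frame -> baseline JIT frame -> LLInt frame that throws.
static bool doubleUnwindHappens(bool reloadFromTopCallFrame)
{
    CallFrame host  { nullptr, false, false };
    CallFrame jit   { addHostCallFrameFlag(&host), false, false };  // caller is a host frame
    CallFrame llint { &jit, false, false };
    VM vm;
    throwException(vm, &llint);                 // unwinds llint and jit, stops at host
    return resumeAfterCalleeThrew(vm, &jit, reloadFromTopCallFrame);
}

// After unwinding to a host boundary, topCallFrame must point at the host
// frame and must not carry the flag (fix 2).
static bool topCallFrameIsUntaggedAfterUnwind()
{
    CallFrame host { nullptr, false, false };
    CallFrame jit  { addHostCallFrameFlag(&host), false, false };
    VM vm;
    throwException(vm, &jit);
    return vm.topCallFrame == &host && !hasHostCallFrameFlag(vm.topCallFrame);
}
```

The model keeps the security-relevant property explicit: the only trustworthy record of how far the stack has been torn down is topCallFrame, so any return path that re-enters exception handling must start from it rather than from a register that predates the unwind.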
2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Remove some code duplication.

        Rubber stamped by Mark Hahnenberg.

        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):

2013-08-15  Julien Brianceau  <jbrianceau@nds.com>

        [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
        https://bugs.webkit.org/show_bug.cgi?id=119794

        Reviewed by Filip Pizlo.

        This patch fixes ASSERT failures in debug builds for the sh4 and mips architectures.

        * dfg/DFGUseKind.h:
        (JSC::DFG::isNumerical):
        (JSC::DFG::isDouble):

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.

        Rubber stamped by Oliver Hunt.

        This was causing some test crashes for me.

        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):

2013-08-15  Brent Fulgham  <bfulgham@apple.com>

        [Windows] Clear up improper export declaration.

        * runtime/ArrayBufferView.h:

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, remove some unnecessary periods from exceptions.

        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix 32-bit build.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-08-14  Filip Pizlo  <fpizlo@apple.com>

        Typed arrays should be rewritten
        https://bugs.webkit.org/show_bug.cgi?id=119064

        Reviewed by Oliver Hunt.

        Typed arrays were previously deficient in several major ways:

        - They were defined separately in WebCore and in the jsc shell. The two
          implementations were different, and the jsc shell one was basically wrong.
          The WebCore one was quite awful, also.

        - Typed arrays were not visible to the JIT except through some weird hooks.
          For example, the JIT could not ask "what is the Structure that this typed
          array would have if I just allocated it from this global object". Also,
          it was difficult to wire any of the typed array intrinsics, because most
          of the functionality wasn't visible anywhere in JSC.

        - Typed array allocation was brain-dead. Allocating a typed array involved
          two JS objects, two GC weak handles, and three malloc allocations.

        - Neutering. It involved keeping tabs on all native views but not the view
          wrappers, even though the native views can autoneuter just by asking the
          buffer if it was neutered anytime you touch them; while the JS view
          wrappers are the ones that you really want to reach out to.

        - Common case-ing. Most typed arrays have one buffer and one view, and
          usually nobody touches the buffer. Yet we created all of that stuff
          anyway, using data structures optimized for the case where you had a lot
          of views.

        - Semantic goofs. Typed arrays should, in the future, behave like ES
          features rather than DOM features, for example when it comes to exceptions.
          Firefox already does this and I agree with them.

        This patch cleanses our codebase of these sins:

        - Typed arrays are almost entirely defined in JSC. Only the lifecycle
          management of native references to buffers is left to WebCore.

        - Allocating a typed array requires either two GC allocations (a cell and a
          copied storage vector) or one GC allocation, a malloc allocation, and a
          weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
          latter). The latter is only used for oversize arrays. Remember that before
          it was 7 allocations no matter what.

        - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
          mode/length, void* vector. Before it was a lot more than that - remember,
          there were five additional objects that did absolutely nothing for anybody.

        - Native views aren't tracked by the buffer, or by the wrappers. They are
          transient. In the future we'll probably switch to not even having them be
          malloc'd.

        - Native array buffers have an efficient way of tracking all of their JS view
          wrappers, both for neutering, and for lifecycle management. The GC
          special-cases native array buffers. This saves a bunch of grief; for example
          it means that a JS view wrapper can refer to its buffer via the butterfly,
          which would be dead by the time we went to finalize.

        - Typed array semantics now match Firefox, which also happens to be where the
          standards are going. The discussion on webkit-dev seemed to confirm that
          Chrome is also heading in this direction. This includes making
          Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
          ArrayBufferView as a JS-visible construct.

        This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
        It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
        further typed array optimizations in the JSC JITs, including inlining typed
        array allocation, inlining more of the accessors, reducing the cost of type
        checks, etc.

        An additional property of this patch is that typed arrays are mostly
        implemented using templates. This deduplicates a bunch of code, but does mean
        that we need some hacks for exporting s_info's of template classes. See
        JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
        low-impact compared to code duplication.

        Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.

        * CMakeLists.txt:
        * DerivedSources.make:
        * GNUmakefile.list.am:
        * JSCTypedArrayStubs.h: Removed.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/ByValInfo.h:
        (JSC::hasOptimizableIndexingForClassInfo):
        (JSC::jitArrayModeForClassInfo):
        (JSC::typedArrayTypeForJITArrayMode):
        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromClassInfo):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::toTypedArrayType):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::typedArrayType):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * heap/CopyToken.h:
        * heap/DeferGC.h:
        (JSC::DeferGCForAWhile::DeferGCForAWhile):
        (JSC::DeferGCForAWhile::~DeferGCForAWhile):
        * heap/GCIncomingRefCounted.h: Added.
        (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
        (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
        (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
        (JSC::GCIncomingRefCounted::incomingReferenceAt):
        (JSC::GCIncomingRefCounted::singletonFlag):
        (JSC::GCIncomingRefCounted::hasVectorOfCells):
        (JSC::GCIncomingRefCounted::hasAnyIncoming):
        (JSC::GCIncomingRefCounted::hasSingleton):
        (JSC::GCIncomingRefCounted::singleton):
        (JSC::GCIncomingRefCounted::vectorOfCells):
        * heap/GCIncomingRefCountedInlines.h: Added.
        (JSC::::addIncomingReference):
        (JSC::::filterIncomingReferences):
        * heap/GCIncomingRefCountedSet.h: Added.
        (JSC::GCIncomingRefCountedSet::size):
        * heap/GCIncomingRefCountedSetInlines.h: Added.
        (JSC::::GCIncomingRefCountedSet):
        (JSC::::~GCIncomingRefCountedSet):
        (JSC::::addReference):
        (JSC::::sweep):
        (JSC::::removeAll):
        (JSC::::removeDead):
        * heap/Heap.cpp:
        (JSC::Heap::addReference):
        (JSC::Heap::extraSize):
        (JSC::Heap::size):
        (JSC::Heap::capacity):
        (JSC::Heap::collect):
        (JSC::Heap::decrementDeferralDepth):
        (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
        * heap/Heap.h:
        * interpreter/CallFrame.h:
        (JSC::ExecState::dataViewTable):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompilePutByVal):
        (JSC::JIT::emitIntTypedArrayGetByVal):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        * runtime/ArrayBuffer.cpp:
        (JSC::ArrayBuffer::transfer):
        * runtime/ArrayBuffer.h:
        (JSC::ArrayBuffer::createAdopted):
        (JSC::ArrayBuffer::ArrayBuffer):
        (JSC::ArrayBuffer::gcSizeEstimateInBytes):
        (JSC::ArrayBuffer::pin):
        (JSC::ArrayBuffer::unpin):
        (JSC::ArrayBufferContents::tryAllocate):
        * runtime/ArrayBufferView.cpp:
        (JSC::ArrayBufferView::ArrayBufferView):
        (JSC::ArrayBufferView::~ArrayBufferView):
        (JSC::ArrayBufferView::setNeuterable):
        * runtime/ArrayBufferView.h:
        (JSC::ArrayBufferView::isNeutered):
        (JSC::ArrayBufferView::buffer):
        (JSC::ArrayBufferView::baseAddress):
        (JSC::ArrayBufferView::byteOffset):
        (JSC::ArrayBufferView::verifySubRange):
        (JSC::ArrayBufferView::clampOffsetAndNumElements):
        (JSC::ArrayBufferView::calculateOffsetAndLength):
        * runtime/ClassInfo.h:
        * runtime/CommonIdentifiers.h:
        * runtime/DataView.cpp: Added.
        (JSC::DataView::DataView):
        (JSC::DataView::create):
        (JSC::DataView::wrap):
        * runtime/DataView.h: Added.
        (JSC::DataView::byteLength):
        (JSC::DataView::getType):
        (JSC::DataView::get):
        (JSC::DataView::set):
        * runtime/Float32Array.h:
        * runtime/Float64Array.h:
        * runtime/GenericTypedArrayView.h: Added.
        (JSC::GenericTypedArrayView::data):
        (JSC::GenericTypedArrayView::set):
        (JSC::GenericTypedArrayView::setRange):
        (JSC::GenericTypedArrayView::zeroRange):
        (JSC::GenericTypedArrayView::zeroFill):
        (JSC::GenericTypedArrayView::length):
        (JSC::GenericTypedArrayView::byteLength):
        (JSC::GenericTypedArrayView::item):
        (JSC::GenericTypedArrayView::checkInboundData):
        (JSC::GenericTypedArrayView::getType):
        * runtime/GenericTypedArrayViewInlines.h: Added.
        (JSC::::GenericTypedArrayView):
        (JSC::::create):
        (JSC::::createUninitialized):
        (JSC::::subarray):
        (JSC::::wrap):
        * runtime/IndexingHeader.h:
        (JSC::IndexingHeader::arrayBuffer):
        (JSC::IndexingHeader::setArrayBuffer):
        * runtime/Int16Array.h:
        * runtime/Int32Array.h:
        * runtime/Int8Array.h:
        * runtime/JSArrayBuffer.cpp: Added.
        (JSC::JSArrayBuffer::JSArrayBuffer):
        (JSC::JSArrayBuffer::finishCreation):
        (JSC::JSArrayBuffer::create):
        (JSC::JSArrayBuffer::createStructure):
        (JSC::JSArrayBuffer::getOwnPropertySlot):
        (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
        (JSC::JSArrayBuffer::put):
        (JSC::JSArrayBuffer::defineOwnProperty):
        (JSC::JSArrayBuffer::deleteProperty):
        (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
        * runtime/JSArrayBuffer.h: Added.
        (JSC::JSArrayBuffer::impl):
        (JSC::toArrayBuffer):
        * runtime/JSArrayBufferConstructor.cpp: Added.
        (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
        (JSC::JSArrayBufferConstructor::finishCreation):
        (JSC::JSArrayBufferConstructor::create):
        (JSC::JSArrayBufferConstructor::createStructure):
        (JSC::constructArrayBuffer):
        (JSC::JSArrayBufferConstructor::getConstructData):
        (JSC::JSArrayBufferConstructor::getCallData):
        * runtime/JSArrayBufferConstructor.h: Added.
        * runtime/JSArrayBufferPrototype.cpp: Added.
        (JSC::arrayBufferProtoFuncSlice):
        (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
        (JSC::JSArrayBufferPrototype::finishCreation):
        (JSC::JSArrayBufferPrototype::create):
        (JSC::JSArrayBufferPrototype::createStructure):
        * runtime/JSArrayBufferPrototype.h: Added.
        * runtime/JSArrayBufferView.cpp: Added.
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        (JSC::JSArrayBufferView::JSArrayBufferView):
        (JSC::JSArrayBufferView::finishCreation):
        (JSC::JSArrayBufferView::getOwnPropertySlot):
        (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
        (JSC::JSArrayBufferView::put):
        (JSC::JSArrayBufferView::defineOwnProperty):
        (JSC::JSArrayBufferView::deleteProperty):
        (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
        (JSC::JSArrayBufferView::finalize):
        * runtime/JSArrayBufferView.h: Added.
        (JSC::JSArrayBufferView::sizeOf):
        (JSC::JSArrayBufferView::ConstructionContext::operator!):
        (JSC::JSArrayBufferView::ConstructionContext::structure):
        (JSC::JSArrayBufferView::ConstructionContext::vector):
        (JSC::JSArrayBufferView::ConstructionContext::length):
        (JSC::JSArrayBufferView::ConstructionContext::mode):
        (JSC::JSArrayBufferView::ConstructionContext::butterfly):
        (JSC::JSArrayBufferView::mode):
        (JSC::JSArrayBufferView::vector):
        (JSC::JSArrayBufferView::length):
        (JSC::JSArrayBufferView::offsetOfVector):
        (JSC::JSArrayBufferView::offsetOfLength):
        (JSC::JSArrayBufferView::offsetOfMode):
        * runtime/JSArrayBufferViewInlines.h: Added.
        (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
        (JSC::JSArrayBufferView::buffer):
        (JSC::JSArrayBufferView::impl):
        (JSC::JSArrayBufferView::neuter):
        (JSC::JSArrayBufferView::byteOffset):
        * runtime/JSCell.cpp:
        (JSC::JSCell::slowDownAndWasteMemory):
        (JSC::JSCell::getTypedArrayImpl):
        * runtime/JSCell.h:
        * runtime/JSDataView.cpp: Added.
        (JSC::JSDataView::JSDataView):
        (JSC::JSDataView::create):
        (JSC::JSDataView::createUninitialized):
        (JSC::JSDataView::set):
        (JSC::JSDataView::typedImpl):
        (JSC::JSDataView::getOwnPropertySlot):
        (JSC::JSDataView::getOwnPropertyDescriptor):
        (JSC::JSDataView::slowDownAndWasteMemory):
        (JSC::JSDataView::getTypedArrayImpl):
        (JSC::JSDataView::createStructure):
        * runtime/JSDataView.h: Added.
        * runtime/JSDataViewPrototype.cpp: Added.
        (JSC::JSDataViewPrototype::JSDataViewPrototype):
        (JSC::JSDataViewPrototype::create):
        (JSC::JSDataViewPrototype::createStructure):
        (JSC::JSDataViewPrototype::getOwnPropertySlot):
        (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
        (JSC::getData):
        (JSC::setData):
        (JSC::dataViewProtoFuncGetInt8):
        (JSC::dataViewProtoFuncGetInt16):
        (JSC::dataViewProtoFuncGetInt32):
        (JSC::dataViewProtoFuncGetUint8):
        (JSC::dataViewProtoFuncGetUint16):
        (JSC::dataViewProtoFuncGetUint32):
        (JSC::dataViewProtoFuncGetFloat32):
        (JSC::dataViewProtoFuncGetFloat64):
        (JSC::dataViewProtoFuncSetInt8):
        (JSC::dataViewProtoFuncSetInt16):
        (JSC::dataViewProtoFuncSetInt32):
        (JSC::dataViewProtoFuncSetUint8):
        (JSC::dataViewProtoFuncSetUint16):
        (JSC::dataViewProtoFuncSetUint32):
        (JSC::dataViewProtoFuncSetFloat32):
        (JSC::dataViewProtoFuncSetFloat64):
        * runtime/JSDataViewPrototype.h: Added.
        * runtime/JSFloat32Array.h: Added.
        * runtime/JSFloat64Array.h: Added.
        * runtime/JSGenericTypedArrayView.h: Added.
        (JSC::JSGenericTypedArrayView::byteLength):
        (JSC::JSGenericTypedArrayView::byteSize):
        (JSC::JSGenericTypedArrayView::typedVector):
        (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
        (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
        (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
        (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
        (JSC::JSGenericTypedArrayView::getIndexQuickly):
        (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
        (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
        (JSC::JSGenericTypedArrayView::setIndexQuickly):
        (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
        (JSC::JSGenericTypedArrayView::typedImpl):
        (JSC::JSGenericTypedArrayView::createStructure):
        (JSC::JSGenericTypedArrayView::info):
        (JSC::toNativeTypedView):
        * runtime/JSGenericTypedArrayViewConstructor.h: Added.
        * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
        (JSC::::JSGenericTypedArrayViewConstructor):
        (JSC::::finishCreation):
        (JSC::::create):
        (JSC::::createStructure):
        (JSC::constructGenericTypedArrayView):
        (JSC::::getConstructData):
        (JSC::::getCallData):
        * runtime/JSGenericTypedArrayViewInlines.h: Added.
        (JSC::::JSGenericTypedArrayView):
        (JSC::::create):
        (JSC::::createUninitialized):
        (JSC::::validateRange):
        (JSC::::setWithSpecificType):
        (JSC::::set):
        (JSC::::getOwnPropertySlot):
        (JSC::::getOwnPropertyDescriptor):
        (JSC::::put):
        (JSC::::defineOwnProperty):
        (JSC::::deleteProperty):
        (JSC::::getOwnPropertySlotByIndex):
        (JSC::::putByIndex):
        (JSC::::deletePropertyByIndex):
        (JSC::::getOwnNonIndexPropertyNames):
        (JSC::::getOwnPropertyNames):
        (JSC::::visitChildren):
        (JSC::::copyBackingStore):
        (JSC::::slowDownAndWasteMemory):
        (JSC::::getTypedArrayImpl):
        * runtime/JSGenericTypedArrayViewPrototype.h: Added.
        * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
        (JSC::genericTypedArrayViewProtoFuncSet):
        (JSC::genericTypedArrayViewProtoFuncSubarray):
        (JSC::::JSGenericTypedArrayViewPrototype):
        (JSC::::finishCreation):
        (JSC::::create):
        (JSC::::createStructure):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::arrayBufferPrototype):
        (JSC::JSGlobalObject::arrayBufferStructure):
        (JSC::JSGlobalObject::typedArrayStructure):
        * runtime/JSInt16Array.h: Added.
        * runtime/JSInt32Array.h: Added.
        * runtime/JSInt8Array.h: Added.
        * runtime/JSTypedArrayConstructors.cpp: Added.
        * runtime/JSTypedArrayConstructors.h: Added.
        * runtime/JSTypedArrayPrototypes.cpp: Added.
        * runtime/JSTypedArrayPrototypes.h: Added.
        * runtime/JSTypedArrays.cpp: Added.
        * runtime/JSTypedArrays.h: Added.
        * runtime/JSUint16Array.h: Added.
        * runtime/JSUint32Array.h: Added.
        * runtime/JSUint8Array.h: Added.
        * runtime/JSUint8ClampedArray.h: Added.
        * runtime/Operations.h:
        * runtime/Options.h:
        * runtime/SimpleTypedArrayController.cpp: Added.
        (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
        (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
        (JSC::SimpleTypedArrayController::toJS):
        * runtime/SimpleTypedArrayController.h: Added.
        * runtime/Structure.h:
        (JSC::Structure::couldHaveIndexingHeader):
        * runtime/StructureInlines.h:
        (JSC::Structure::hasIndexingHeader):
3421         * runtime/TypedArrayAdaptors.h: Added.
3422         (JSC::IntegralTypedArrayAdaptor::toNative):
3423         (JSC::IntegralTypedArrayAdaptor::toJSValue):
3424         (JSC::IntegralTypedArrayAdaptor::toDouble):
3425         (JSC::FloatTypedArrayAdaptor::toNative):
3426         (JSC::FloatTypedArrayAdaptor::toJSValue):
3427         (JSC::FloatTypedArrayAdaptor::toDouble):
3428         (JSC::Uint8ClampedAdaptor::toNative):
3429         (JSC::Uint8ClampedAdaptor::toJSValue):
3430         (JSC::Uint8ClampedAdaptor::toDouble):
3431         (JSC::Uint8ClampedAdaptor::clamp):
3432         * runtime/TypedArrayController.cpp: Added.
3433         (JSC::TypedArrayController::TypedArrayController):
3434         (JSC::TypedArrayController::~TypedArrayController):
3435         * runtime/TypedArrayController.h: Added.
3436         * runtime/TypedArrayDescriptor.h: Removed.
3437         * runtime/TypedArrayInlines.h: Added.
3438         * runtime/TypedArrayType.cpp: Added.
3439         (JSC::classInfoForType):
3440         (WTF::printInternal):
3441         * runtime/TypedArrayType.h: Added.
3442         (JSC::toIndex):
3443         (JSC::isTypedView):
3444         (JSC::elementSize):
3445         (JSC::isInt):
3446         (JSC::isFloat):
3447         (JSC::isSigned):
3448         (JSC::isClamped):
3449         * runtime/TypedArrays.h: Added.
3450         * runtime/Uint16Array.h:
3451         * runtime/Uint32Array.h:
3452         * runtime/Uint8Array.h:
3453         * runtime/Uint8ClampedArray.h:
3454         * runtime/VM.cpp:
3455         (JSC::VM::VM):
3456         (JSC::VM::~VM):
3457         * runtime/VM.h:
3458
3459 2013-08-15  Oliver Hunt  <oliver@apple.com>
3460
3461         <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure
3462
3463         Reviewed by Filip Pizlo.
3464
3465         Make sure dfgCapabilities doesn't report a Dynamic put as
3466         being compilable when we don't actually support it.
3467
3468         * bytecode/CodeBlock.cpp:
3469         (JSC::CodeBlock::dumpBytecode):
3470         * dfg/DFGCapabilities.cpp:
3471         (JSC::DFG::capabilityLevel):
3472
3473 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
3474
3475         [Windows] Incorrect DLL Linkage for JSC ArrayBuffer and ArrayBufferView
3476         https://bugs.webkit.org/show_bug.cgi?id=119847
3477
3478         Reviewed by Oliver Hunt.
3479
3480         * runtime/ArrayBuffer.h: Switch from WTF_EXPORT_PRIVATE to JS_EXPORT_PRIVATE
3481         * runtime/ArrayBufferView.h: Ditto.
3482
3483 2013-08-15  Gavin Barraclough  <barraclough@apple.com>
3484
3485         https://bugs.webkit.org/show_bug.cgi?id=119843
3486         PropertySlot::setValue is ambiguous
3487
3488         Reviewed by Geoff Garen.
3489
3490         There are three different versions of PropertySlot::setValue, one for cacheable properties, and two that are used interchangeably and inconsistently.
3491         The problematic variants are the ones that just take a value, and one that takes a value and also the object containing the property.
3492         Unify on always providing the object, and remove the version that just takes a value.
3493         This always works except for JSString, where we optimize out the object (logically we should be instantiating a temporary StringObject on every property access).
3494         Provide a version of setValue that takes a JSString as the owner of the property.
3495         We won't store this, but it makes it clear that this interface should only be used from JSString.
3496
3497         * API/JSCallbackObjectFunctions.h:
3498         (JSC::::getOwnPropertySlot):
3499         * JSCTypedArrayStubs.h:
3500         * runtime/Arguments.cpp:
3501         (JSC::Arguments::getOwnPropertySlotByIndex):
3502         (JSC::Arguments::getOwnPropertySlot):
3503         * runtime/JSActivation.cpp:
3504         (JSC::JSActivation::symbolTableGet):
3505         (JSC::JSActivation::getOwnPropertySlot):
3506         * runtime/JSArray.cpp:
3507         (JSC::JSArray::getOwnPropertySlot):
3508         * runtime/JSObject.cpp:
3509         (JSC::JSObject::getOwnPropertySlotByIndex):
3510         * runtime/JSString.h:
3511         (JSC::JSString::getStringPropertySlot):
3512         * runtime/JSSymbolTableObject.h:
3513         (JSC::symbolTableGet):
3514         * runtime/SparseArrayValueMap.cpp:
3515         (JSC::SparseArrayEntry::get):
3516             - Pass object containing property to PropertySlot::setValue
3517         * runtime/PropertySlot.h:
3518         (JSC::PropertySlot::setValue):
3519             - Logically, the base of a string property access is a temporary StringObject, but we optimize that away.
3520         (JSC::PropertySlot::setUndefined):
3521             - removed setValue(JSValue), added setValue(JSString*, JSValue)
3522
3523 2013-08-15  Oliver Hunt  <oliver@apple.com>
3524
3525         Remove bogus assertion.
3526
3527         RS=Filip Pizlo
3528
3529         * dfg/DFGAbstractInterpreterInlines.h:
3530         (JSC::DFG::::executeEffects):
3531
3532 2013-08-15  Allan Sandfeld Jensen  <allan.jensen@digia.com>
3533
3534         REGRESSION(r148790) Made 7 tests fail on x86 32bit
3535         https://bugs.webkit.org/show_bug.cgi?id=114913
3536
3537         Reviewed by Filip Pizlo.
3538
3539         The X87 register was not freed before some calls. Instead
3540         of inserting resetX87Registers to the last call sites,
3541         the two X87 registers are now freed in every call.
3542
3543         * llint/LowLevelInterpreter32_64.asm:
3544         * llint/LowLevelInterpreter64.asm:
3545         * offlineasm/instructions.rb:
3546         * offlineasm/x86.rb:
3547
3548 2013-08-14  Michael Saboff  <msaboff@apple.com>
3549
3550         Fixed jit on Win64.
3551         https://bugs.webkit.org/show_bug.cgi?id=119601
3552
3553         Reviewed by Oliver Hunt.
3554
3555         * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation.
3556         * jit/JSInterfaceJIT.h: Added thirdArgumentRegister.
3557         * jit/SlowPathCall.h:
3558         (JSC::JITSlowPathCall::call): Added correct calling convention for Win64.
3559
3560 2013-08-14  Alex Christensen  <achristensen@apple.com>
3561
3562         Compile fix for Win64 with jit disabled.
3563         https://bugs.webkit.org/show_bug.cgi?id=119804
3564
3565         Reviewed by Michael Saboff.
3566
3567         * offlineasm/cloop.rb: Added std:: before isnan.
3568
3569 2013-08-14  Julien Brianceau  <jbrianceau@nds.com>
3570
3571         DFG_JIT implementation for sh4 architecture.
3572         https://bugs.webkit.org/show_bug.cgi?id=119737
3573
3574         Reviewed by Oliver Hunt.
3575
3576         * assembler/MacroAssemblerSH4.h:
3577         (JSC::MacroAssemblerSH4::invert):
3578         (JSC::MacroAssemblerSH4::add32):
3579         (JSC::MacroAssemblerSH4::and32):
3580         (JSC::MacroAssemblerSH4::lshift32):
3581         (JSC::MacroAssemblerSH4::mul32):
3582         (JSC::MacroAssemblerSH4::or32):
3583         (JSC::MacroAssemblerSH4::rshift32):
3584         (JSC::MacroAssemblerSH4::sub32):
3585         (JSC::MacroAssemblerSH4::xor32):
3586         (JSC::MacroAssemblerSH4::store32):
3587         (JSC::MacroAssemblerSH4::swapDouble):
3588         (JSC::MacroAssemblerSH4::storeDouble):
3589         (JSC::MacroAssemblerSH4::subDouble):
3590         (JSC::MacroAssemblerSH4::mulDouble):
3591         (JSC::MacroAssemblerSH4::divDouble):
3592         (JSC::MacroAssemblerSH4::negateDouble):
3593         (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
3594         (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
3595         (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
3596         (JSC::MacroAssemblerSH4::swap):
3597         (JSC::MacroAssemblerSH4::jump):
3598         (JSC::MacroAssemblerSH4::branchNeg32):
3599         (JSC::MacroAssemblerSH4::branchAdd32):
3600         (JSC::MacroAssemblerSH4::branchMul32):
3601         (JSC::MacroAssemblerSH4::urshift32):
3602         * assembler/SH4Assembler.h:
3603         (JSC::SH4Assembler::SH4Assembler):
3604         (JSC::SH4Assembler::labelForWatchpoint):
3605         (JSC::SH4Assembler::label):
3606         (JSC::SH4Assembler::debugOffset):
3607         * dfg/DFGAssemblyHelpers.h:
3608         (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
3609         (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
3610         (JSC::DFG::AssemblyHelpers::debugCall):
3611         * dfg/DFGCCallHelpers.h:
3612         (JSC::DFG::CCallHelpers::setupArguments):
3613         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
3614         * dfg/DFGFPRInfo.h:
3615         (JSC::DFG::FPRInfo::toRegister):
3616         (JSC::DFG::FPRInfo::toIndex):
3617         (JSC::DFG::FPRInfo::debugName):
3618         * dfg/DFGGPRInfo.h:
3619         (JSC::DFG::GPRInfo::toRegister):
3620         (JSC::DFG::GPRInfo::toIndex):
3621         (JSC::DFG::GPRInfo::debugName):
3622         * dfg/DFGOperations.cpp:
3623         * dfg/DFGSpeculativeJIT.h:
3624         (JSC::DFG::SpeculativeJIT::callOperation):
3625         * jit/JITStubs.h:
3626         * jit/JITStubsSH4.h:
3627
3628 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
3629
3630         Unreviewed, fix build.
3631
3632         * API/JSValue.mm:
3633         (isDate):
3634         (isArray):
3635         * API/JSWrapperMap.mm:
3636         (tryUnwrapObjcObject):
3637         * API/ObjCCallbackFunction.mm:
3638         (tryUnwrapBlock):
3639
3640 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
3641
3642         Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
3643         https://bugs.webkit.org/show_bug.cgi?id=119770
3644
3645         Reviewed by Mark Hahnenberg.
3646
3647         * API/JSCallbackConstructor.cpp:
3648         (JSC::JSCallbackConstructor::finishCreation):
3649         * API/JSCallbackConstructor.h:
3650         (JSC::JSCallbackConstructor::createStructure):
3651         * API/JSCallbackFunction.cpp:
3652         (JSC::JSCallbackFunction::finishCreation):
3653         * API/JSCallbackFunction.h:
3654         (JSC::JSCallbackFunction::createStructure):
3655         * API/JSCallbackObject.cpp:
3656         (JSC::::createStructure):
3657         * API/JSCallbackObject.h:
3658         (JSC::JSCallbackObject::visitChildren):
3659         * API/JSCallbackObjectFunctions.h:
3660         (JSC::::asCallbackObject):
3661         (JSC::::finishCreation):
3662         * API/JSObjectRef.cpp:
3663         (JSObjectGetPrivate):
3664         (JSObjectSetPrivate):
3665         (JSObjectGetPrivateProperty):
3666         (JSObjectSetPrivateProperty):
3667         (JSObjectDeletePrivateProperty):
3668         * API/JSValueRef.cpp:
3669         (JSValueIsObjectOfClass):
3670         * API/JSWeakObjectMapRefPrivate.cpp:
3671         * API/ObjCCallbackFunction.h:
3672         (JSC::ObjCCallbackFunction::createStructure):
3673         * JSCTypedArrayStubs.h:
3674         * bytecode/CallLinkStatus.cpp:
3675         (JSC::CallLinkStatus::CallLinkStatus):
3676         (JSC::CallLinkStatus::function):
3677         (JSC::CallLinkStatus::internalFunction):
3678         * bytecode/CodeBlock.h:
3679         (JSC::baselineCodeBlockForInlineCallFrame):
3680         * bytecode/SpeculatedType.cpp:
3681         (JSC::speculationFromClassInfo):
3682         * bytecode/UnlinkedCodeBlock.cpp:
3683         (JSC::UnlinkedFunctionExecutable::visitChildren):
3684         (JSC::UnlinkedCodeBlock::visitChildren):
3685         (JSC::UnlinkedProgramCodeBlock::visitChildren):
3686         * bytecode/UnlinkedCodeBlock.h:
3687         (JSC::UnlinkedFunctionExecutable::createStructure):
3688         (JSC::UnlinkedProgramCodeBlock::createStructure):
3689         (JSC::UnlinkedEvalCodeBlock::createStructure):
3690         (JSC::UnlinkedFunctionCodeBlock::createStructure):
3691         * debugger/Debugger.cpp:
3692         * debugger/DebuggerActivation.cpp:
3693         (JSC::DebuggerActivation::visitChildren):
3694         * debugger/DebuggerActivation.h:
3695         (JSC::DebuggerActivation::createStructure):
3696         * debugger/DebuggerCallFrame.cpp:
3697         (JSC::DebuggerCallFrame::functionName):
3698         * dfg/DFGAbstractInterpreterInlines.h:
3699         (JSC::DFG::::executeEffects):
3700         * dfg/DFGByteCodeParser.cpp:
3701         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
3702         (JSC::DFG::ByteCodeParser::parseBlock):
3703         * dfg/DFGFixupPhase.cpp:
3704         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
3705         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
3706         * dfg/DFGGraph.cpp:
3707         (JSC::DFG::Graph::dump):
3708         * dfg/DFGGraph.h:
3709         (JSC::DFG::Graph::isInternalFunctionConstant):
3710         * dfg/DFGOperations.cpp:
3711         * dfg/DFGSpeculativeJIT.cpp:
3712         (JSC::DFG::SpeculativeJIT::checkArray):
3713         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
3714         * dfg/DFGThunks.cpp:
3715         (JSC::DFG::virtualForThunkGenerator):
3716         * interpreter/Interpreter.cpp:
3717         (JSC::loadVarargs):
3718         * jsc.cpp:
3719         (GlobalObject::createStructure):
3720         * profiler/LegacyProfiler.cpp:
3721         (JSC::LegacyProfiler::createCallIdentifier):
3722         * runtime/Arguments.cpp:
3723         (JSC::Arguments::visitChildren):
3724         * runtime/Arguments.h:
3725         (JSC::Arguments::createStructure):
3726         (JSC::asArguments):
3727         (JSC::Arguments::finishCreation):
3728         * runtime/ArrayConstructor.cpp:
3729         (JSC::arrayConstructorIsArray):
3730         * runtime/ArrayConstructor.h:
3731         (JSC::ArrayConstructor::createStructure):
3732         * runtime/ArrayPrototype.cpp:
3733         (JSC::ArrayPrototype::finishCreation):
3734         (JSC::arrayProtoFuncConcat):
3735         (JSC::attemptFastSort):
3736         * runtime/ArrayPrototype.h:
3737         (JSC::ArrayPrototype::createStructure):
3738         * runtime/BooleanConstructor.h:
3739         (JSC::BooleanConstructor::createStructure):
3740         * runtime/BooleanObject.cpp:
3741         (JSC::BooleanObject::finishCreation):
3742         * runtime/BooleanObject.h:
3743         (JSC::BooleanObject::createStructure):
3744         (JSC::asBooleanObject):
3745         * runtime/BooleanPrototype.cpp:
3746         (JSC::BooleanPrototype::finishCreation):
3747         (JSC::booleanProtoFuncToString):
3748         (JSC::booleanProtoFuncValueOf):
3749         * runtime/BooleanPrototype.h:
3750         (JSC::BooleanPrototype::createStructure):
3751         * runtime/DateConstructor.cpp:
3752         (JSC::constructDate):
3753         * runtime/DateConstructor.h:
3754         (JSC::DateConstructor::createStructure):
3755         * runtime/DateInstance.cpp:
3756         (JSC::DateInstance::finishCreation):
3757         * runtime/DateInstance.h:
3758         (JSC::DateInstance::createStructure):
3759         (JSC::asDateInstance):
3760         * runtime/DatePrototype.cpp:
3761         (JSC::formateDateInstance):
3762         (JSC::DatePrototype::finishCreation):
3763         (JSC::dateProtoFuncToISOString):
3764         (JSC::dateProtoFuncToLocaleString):
3765         (JSC::dateProtoFuncToLocaleDateString):
3766         (JSC::dateProtoFuncToLocaleTimeString):
3767         (JSC::dateProtoFuncGetTime):
3768         (JSC::dateProtoFuncGetFullYear):
3769         (JSC::dateProtoFuncGetUTCFullYear):
3770         (JSC::dateProtoFuncGetMonth):
3771         (JSC::dateProtoFuncGetUTCMonth):
3772         (JSC::dateProtoFuncGetDate):
3773         (JSC::dateProtoFuncGetUTCDate):
3774         (JSC::dateProtoFuncGetDay):
3775         (JSC::dateProtoFuncGetUTCDay):
3776         (JSC::dateProtoFuncGetHours):
3777         (JSC::dateProtoFuncGetUTCHours):
3778         (JSC::dateProtoFuncGetMinutes):
3779         (JSC::dateProtoFuncGetUTCMinutes):
3780         (JSC::dateProtoFuncGetSeconds):
3781         (JSC::dateProtoFuncGetUTCSeconds):
3782         (JSC::dateProtoFuncGetMilliSeconds):
3783         (JSC::dateProtoFuncGetUTCMilliseconds):
3784         (JSC::dateProtoFuncGetTimezoneOffset):
3785         (JSC::dateProtoFuncSetTime):
3786         (JSC::setNewValueFromTimeArgs):
3787         (JSC::setNewValueFromDateArgs):
3788         (JSC::dateProtoFuncSetYear):
3789         (JSC::dateProtoFuncGetYear):
3790         * runtime/DatePrototype.h:
3791         (JSC::DatePrototype::createStructure):
3792         * runtime/Error.h:
3793         (JSC::StrictModeTypeErrorFunction::createStructure):
3794         * runtime/ErrorConstructor.h:
3795         (JSC::ErrorConstructor::createStructure):
3796         * runtime/ErrorInstance.cpp:
3797         (JSC::ErrorInstance::finishCreation):
3798         * runtime/ErrorInstance.h:
3799         (JSC::ErrorInstance::createStructure):
3800         * runtime/ErrorPrototype.cpp:
3801         (JSC::ErrorPrototype::finishCreation):
3802         * runtime/ErrorPrototype.h:
3803         (JSC::ErrorPrototype::createStructure):
3804         * runtime/ExceptionHelpers.cpp:
3805         (JSC::isTerminatedExecutionException):
3806         * runtime/ExceptionHelpers.h:
3807         (JSC::TerminatedExecutionError::createStructure):
3808         * runtime/Executable.cpp:
3809         (JSC::EvalExecutable::visitChildren):
3810         (JSC::ProgramExecutable::visitChildren):
3811         (JSC::FunctionExecutable::visitChildren):
3812         (JSC::ExecutableBase::hashFor):
3813         * runtime/Executable.h:
3814         (JSC::ExecutableBase::createStructure):
3815         (JSC::NativeExecutable::createStructure):
3816         (JSC::EvalExecutable::createStructure):
3817         (JSC::ProgramExecutable::createStructure):
3818         (JSC::FunctionExecutable::compileFor):
3819         (JSC::FunctionExecutable::compileOptimizedFor):
3820         (JSC::FunctionExecutable::createStructure):
3821         * runtime/FunctionConstructor.h:
3822         (JSC::FunctionConstructor::createStructure):
3823         * runtime/FunctionPrototype.cpp:
3824         (JSC::functionProtoFuncToString):
3825         (JSC::functionProtoFuncApply):
3826         (JSC::functionProtoFuncBind):
3827         * runtime/FunctionPrototype.h:
3828         (JSC::FunctionPrototype::createStructure):
3829         * runtime/GetterSetter.cpp:
3830         (JSC::GetterSetter::visitChildren):
3831         * runtime/GetterSetter.h:
3832         (JSC::GetterSetter::createStructure):
3833         * runtime/InternalFunction.cpp:
3834         (JSC::InternalFunction::finishCreation):
3835         * runtime/InternalFunction.h:
3836         (JSC::InternalFunction::createStructure):
3837         (JSC::asInternalFunction):
3838         * runtime/JSAPIValueWrapper.h:
3839         (JSC::JSAPIValueWrapper::createStructure):
3840         * runtime/JSActivation.cpp:
3841         (JSC::JSActivation::visitChildren):
3842         (JSC::JSActivation::argumentsGetter):
3843         * runtime/JSActivation.h:
3844         (JSC::JSActivation::createStructure):
3845         (JSC::asActivation):
3846         * runtime/JSArray.h:
3847         (JSC::JSArray::createStructure):
3848         (JSC::asArray):
3849         (JSC::isJSArray):
3850         * runtime/JSBoundFunction.cpp:
3851         (JSC::JSBoundFunction::finishCreation):
3852         (JSC::JSBoundFunction::visitChildren):
3853         * runtime/JSBoundFunction.h:
3854         (JSC::JSBoundFunction::createStructure):
3855         * runtime/JSCJSValue.cpp:
3856         (JSC::JSValue::dumpInContext):
3857         * runtime/JSCJSValueInlines.h:
3858         (JSC::JSValue::isFunction):
3859         * runtime/JSCell.h:
3860         (JSC::jsCast):
3861         (JSC::jsDynamicCast):
3862         * runtime/JSCellInlines.h:
3863         (JSC::allocateCell):
3864         * runtime/JSFunction.cpp:
3865         (JSC::JSFunction::finishCreation):
3866         (JSC::JSFunction::visitChildren):
3867         (JSC::skipOverBoundFunctions):
3868         (JSC::JSFunction::callerGetter):
3869         * runtime/JSFunction.h:
3870         (JSC::JSFunction::createStructure):
3871         * runtime/JSGlobalObject.cpp:
3872         (JSC::JSGlobalObject::visitChildren):
3873         (JSC::slowValidateCell):
3874         * runtime/JSGlobalObject.h:
3875         (JSC::JSGlobalObject::createStructure):
3876         * runtime/JSNameScope.cpp:
3877         (JSC::JSNameScope::visitChildren):
3878         * runtime/JSNameScope.h:
3879         (JSC::JSNameScope::createStructure):
3880         * runtime/JSNotAnObject.h:
3881         (JSC::JSNotAnObject::createStructure):
3882         * runtime/JSONObject.cpp:
3883         (JSC::JSONObject::finishCreation):
3884         (JSC::unwrapBoxedPrimitive):
3885         (JSC::Stringifier::Stringifier):
3886         (JSC::Stringifier::appendStringifiedValue):
3887         (JSC::Stringifier::Holder::Holder):
3888         (JSC::Walker::walk):
3889         (JSC::JSONProtoFuncStringify):
3890         * runtime/JSONObject.h:
3891         (JSC::JSONObject::createStructure):
3892         * runtime/JSObject.cpp:
3893         (JSC::getCallableObjectSlow):
3894         (JSC::JSObject::visitChildren):
3895         (JSC::JSObject::copyBackingStore):
3896         (JSC::JSFinalObject::visitChildren):
3897         (JSC::JSObject::ensureInt32Slow):
3898         (JSC::JSObject::ensureDoubleSlow):
3899         (JSC::JSObject::ensureContiguousSlow):
3900         (JSC::JSObject::ensureArrayStorageSlow):
3901         * runtime/JSObject.h:
3902         (JSC::JSObject::finishCreation):
3903         (JSC::JSObject::createStructure):
3904         (JSC::JSNonFinalObject::createStructure):
3905         (JSC::JSFinalObject::createStructure):
3906         (JSC::isJSFinalObject):