Support the "json" responseType and JSON response entity in XHR
1 2013-09-02  Ryosuke Niwa  <rniwa@webkit.org>
2
3         Support the "json" responseType and JSON response entity in XHR
4         https://bugs.webkit.org/show_bug.cgi?id=73648
5
6         Reviewed by Oliver Hunt.
7
8         Based on the patch written by Jarred Nicholls.
9
10         Add JSC::JSONParse. This function will be used in XMLHttpRequest.response of type 'json'.
11
12         * JavaScriptCore.xcodeproj/project.pbxproj:
13         * runtime/JSONObject.cpp:
14         (JSC::JSONParse):
15         * runtime/JSONObject.h:
16
17 2013-09-02  Filip Pizlo  <fpizlo@apple.com>
18
19         CodeBlock::jettison() should be implicit
20         https://bugs.webkit.org/show_bug.cgi?id=120567
21
22         Reviewed by Oliver Hunt.
23         
24         This is a risky change from a performance standpoint, but I believe it's
25         necessary. This makes all CodeBlocks get swept by GC. Nobody but the GC
26         can delete CodeBlocks because the GC always holds a reference to them.
27         Once a CodeBlock reaches just one reference (i.e. the one from the GC)
28         then the GC will free it only if it's not on the stack.
29         
30         This allows me to get rid of the jettisoning logic. We need this for FTL
31         tier-up. Well, we don't need it, but it will help prevent a lot of bugs.
32         Previously, if you wanted to replace one code block with another, you
33         had to remember to tell the GC that the previous code block is
34         "jettisoned". We would need to do this when tiering up from DFG to FTL
35         and when dealing with DFG-to-FTL OSR entry code blocks. There are a lot
36         of permutations here - tiering up to the FTL, OSR entering into the FTL,
37         deciding that an OSR entry code block is not relevant anymore - just to
38         name a few. In each of these cases we'd have to jettison the previous
39         code block. It smells like a huge source of future bugs.
40         
41         So I made jettisoning implicit by making the GC always watch out for a
42         CodeBlock being owned solely by the GC.
43         
44         This change is performance neutral.
45
46         * CMakeLists.txt:
47         * GNUmakefile.list.am:
48         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
49         * JavaScriptCore.xcodeproj/project.pbxproj:
50         * Target.pri:
51         * bytecode/CodeBlock.cpp:
52         (JSC::CodeBlock::CodeBlock):
53         (JSC::CodeBlock::~CodeBlock):
54         (JSC::CodeBlock::visitAggregate):
55         (JSC::CodeBlock::jettison):
56         * bytecode/CodeBlock.h:
57         (JSC::CodeBlock::setJITCode):
58         (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
59         (JSC::CodeBlockSet::mark):
60         * dfg/DFGCommonData.h:
61         (JSC::DFG::CommonData::CommonData):
62         * heap/CodeBlockSet.cpp: Added.
63         (JSC::CodeBlockSet::CodeBlockSet):
64         (JSC::CodeBlockSet::~CodeBlockSet):
65         (JSC::CodeBlockSet::add):
66         (JSC::CodeBlockSet::clearMarks):
67         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
68         (JSC::CodeBlockSet::traceMarked):
69         * heap/CodeBlockSet.h: Added.
70         * heap/ConservativeRoots.cpp:
71         (JSC::ConservativeRoots::add):
72         * heap/ConservativeRoots.h:
73         * heap/DFGCodeBlocks.cpp: Removed.
74         * heap/DFGCodeBlocks.h: Removed.
75         * heap/Heap.cpp:
76         (JSC::Heap::markRoots):
77         (JSC::Heap::deleteAllCompiledCode):
78         (JSC::Heap::deleteUnmarkedCompiledCode):
79         * heap/Heap.h:
80         * interpreter/JSStack.cpp:
81         (JSC::JSStack::gatherConservativeRoots):
82         * interpreter/JSStack.h:
83         * runtime/Executable.cpp:
84         (JSC::ScriptExecutable::installCode):
85         * runtime/Executable.h:
86         * runtime/VM.h:
87
88 2013-09-02  Darin Adler  <darin@apple.com>
89
90         [Mac] No need for HardAutorelease, which is the same as CFBridgingRelease
91         https://bugs.webkit.org/show_bug.cgi?id=120569
92
93         Reviewed by Andy Estes.
94
95         * API/JSValue.mm:
96         (valueToString): Use CFBridgingRelease.
97
98 2013-08-30  Filip Pizlo  <fpizlo@apple.com>
99
100         CodeBlock refactoring broke profile dumping
101         https://bugs.webkit.org/show_bug.cgi?id=120551
102
103         Reviewed by Michael Saboff.
104         
105         Fixed the bug, and did a big clean-up of how Executable returns CodeBlocks. A lot
106         of the problems we have with code like CodeBlock::baselineVersion() is that we
107         were trying *way too hard* to side-step the fact that Executable can't return a
108         CodeBlock*. Previously it could only return CodeBlock&, so if it didn't have a
109         CodeBlock yet, you were screwed. And if you didn't know, or weren't sure, if it
110         did have a CodeBlock, you were really going to have a bad time. Also it really
111         bugs me that the methods were called generatedBytecode(). In all other contexts
112         if you ask for a CodeBlock, then the method to call is codeBlock(). So I made all
113         of those changes.
114
115         * bytecode/CodeBlock.cpp:
116         (JSC::CodeBlock::baselineVersion):
117         (JSC::ProgramCodeBlock::replacement):
118         (JSC::EvalCodeBlock::replacement):
119         (JSC::FunctionCodeBlock::replacement):
120         (JSC::CodeBlock::globalObjectFor):
121         * bytecode/CodeOrigin.cpp:
122         (JSC::InlineCallFrame::hash):
123         * dfg/DFGOperations.cpp:
124         * interpreter/Interpreter.cpp:
125         (JSC::Interpreter::execute):
126         (JSC::Interpreter::executeCall):
127         (JSC::Interpreter::executeConstruct):
128         (JSC::Interpreter::prepareForRepeatCall):
129         * jit/JITCode.h:
130         (JSC::JITCode::isExecutableScript):
131         (JSC::JITCode::isLowerTier):
132         * jit/JITStubs.cpp:
133         (JSC::lazyLinkFor):
134         (JSC::DEFINE_STUB_FUNCTION):
135         * llint/LLIntSlowPaths.cpp:
136         (JSC::LLInt::traceFunctionPrologue):
137         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
138         (JSC::LLInt::setUpCall):
139         * runtime/ArrayPrototype.cpp:
140         (JSC::isNumericCompareFunction):
141         * runtime/CommonSlowPaths.h:
142         (JSC::CommonSlowPaths::arityCheckFor):
143         * runtime/Executable.cpp:
144         (JSC::ScriptExecutable::installCode):
145         * runtime/Executable.h:
146         (JSC::EvalExecutable::codeBlock):
147         (JSC::ProgramExecutable::codeBlock):
148         (JSC::FunctionExecutable::eitherCodeBlock):
149         (JSC::FunctionExecutable::codeBlockForCall):
150         (JSC::FunctionExecutable::codeBlockForConstruct):
151         (JSC::FunctionExecutable::codeBlockFor):
152         * runtime/FunctionExecutableDump.cpp:
153         (JSC::FunctionExecutableDump::dump):
154
155 2013-08-30  Oliver Hunt  <oliver@apple.com>
156
157         Implement ES6 Set class
158         https://bugs.webkit.org/show_bug.cgi?id=120549
159
160         Reviewed by Filip Pizlo.
161
162         We simply reuse the MapData type from JSMap, making
163         it much simpler.
164
165         * JavaScriptCore.xcodeproj/project.pbxproj:
166         * runtime/CommonIdentifiers.h:
167         * runtime/JSGlobalObject.cpp:
168         (JSC::JSGlobalObject::reset):
169         (JSC::JSGlobalObject::visitChildren):
170         * runtime/JSGlobalObject.h:
171         (JSC::JSGlobalObject::setStructure):
172         * runtime/JSSet.cpp: Added.
173         (JSC::JSSet::visitChildren):
174         (JSC::JSSet::finishCreation):
175         * runtime/JSSet.h: Added.
176         (JSC::JSSet::createStructure):
177         (JSC::JSSet::create):
178         (JSC::JSSet::mapData):
179         (JSC::JSSet::JSSet):
180         * runtime/SetConstructor.cpp: Added.
181         (JSC::SetConstructor::finishCreation):
182         (JSC::callSet):
183         (JSC::constructSet):
184         (JSC::SetConstructor::getConstructData):
185         (JSC::SetConstructor::getCallData):
186         * runtime/SetConstructor.h: Added.
187         (JSC::SetConstructor::create):
188         (JSC::SetConstructor::createStructure):
189         (JSC::SetConstructor::SetConstructor):
190         * runtime/SetPrototype.cpp: Added.
191         (JSC::SetPrototype::finishCreation):
192         (JSC::getMapData):
193         (JSC::setProtoFuncAdd):
194         (JSC::setProtoFuncClear):
195         (JSC::setProtoFuncDelete):
196         (JSC::setProtoFuncForEach):
197         (JSC::setProtoFuncHas):
198         (JSC::setProtoFuncSize):
199         * runtime/SetPrototype.h: Added.
200         (JSC::SetPrototype::create):
201         (JSC::SetPrototype::createStructure):
202         (JSC::SetPrototype::SetPrototype):
203
204 2013-08-30  Oliver Hunt  <oliver@apple.com>
205
206         Make JSValue bool conversion less dangerous
207         https://bugs.webkit.org/show_bug.cgi?id=120505
208
209         Reviewed by Darin Adler.
210
211         Replaces JSValue::operator bool() with an operator UnspecifiedBoolType* as
212         we do elsewhere.  Then fix the places where terrible type coercion was
213         happening.  All of the changes made had no fundamental behavioural impact
214         as they were coercion results that were ignored (returning undefined 
215         after an exception).  
216
217         * dfg/DFGOperations.cpp:
218         * interpreter/CallFrame.h:
219         (JSC::ExecState::hadException):
220         * runtime/JSCJSValue.h:
221         * runtime/JSCJSValueInlines.h:
222         (JSC::JSValue::operator UnspecifiedBoolType*):
223         * runtime/JSGlobalObjectFunctions.cpp:
224         (JSC::globalFuncEval):
225         * runtime/PropertyDescriptor.cpp:
226         (JSC::PropertyDescriptor::equalTo)
227
228 2013-08-30  Chris Curtis  <chris_curtis@apple.com>
229
230         Cleaning errorDescriptionForValue after r154839
231         https://bugs.webkit.org/show_bug.cgi?id=120531
232         
233         Reviewed by Darin Adler.
234         
235         Changed the assert to ASSERT_NOT_REACHED, now that r154839 has landed. errorDescriptionForValue 
236         can assert again that the parameterized JSValue is !isEmpty().
237         
238         * runtime/ExceptionHelpers.cpp:
239         (JSC::errorDescriptionForValue):
240
241 2013-08-30  Antti Koivisto  <antti@apple.com>
242
243         Remove code behind ENABLE(DIALOG_ELEMENT)
244         https://bugs.webkit.org/show_bug.cgi?id=120467
245
246         Reviewed by Darin Adler.
247
248         * Configurations/FeatureDefines.xcconfig:
249
250 2013-08-29  Andreas Kling  <akling@apple.com>
251
252         De-bork Qt build.
253
254         * Target.pri:
255
256 2013-08-29  Ryuan Choi  <ryuan.choi@samsung.com>
257
258         Unreviewed build fix attempt for Windows.
259
260         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
261         Renamed JSMapConstructor and JSMapPrototype.
262
263 2013-08-29  Ryuan Choi  <ryuan.choi@samsung.com>
264
265         Fix build break after r154861
266         https://bugs.webkit.org/show_bug.cgi?id=120503
267
268         Reviewed by Geoffrey Garen.
269
270         Unreviewed build fix attempt for GTK, Qt Windows and CMake based ports.
271
272         * CMakeLists.txt:
273         * GNUmakefile.list.am:
274         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
275         * Target.pri:
276         * runtime/MapData.h:
277         (JSC::MapData::KeyType::KeyType):
278
279 2013-08-29  Andreas Kling  <akling@apple.com>
280
281         CodeBlock: LLIntCallLinkInfo vector can be sized-to-fit at creation.
282         <https://webkit.org/b/120487>
283
284         Reviewed by Oliver Hunt.
285
286         CodeBlock::m_llintCallLinkInfos never changes size after creation, so make it a Vector
287         instead of a SegmentedVector. Use resizeToFit() instead of grow() since we know the
288         exact amount of space needed.
289
290         * bytecode/CodeBlock.h:
291         * bytecode/CodeBlock.cpp:
292         (JSC::CodeBlock::CodeBlock):
293         (JSC::CodeBlock::shrinkToFit):
294
295 2013-08-29  Oliver Hunt  <oliver@apple.com>
296
297         Fix issues found by MSVC (which also happily fixes an unintentional pessimisation)
298
299         * runtime/MapData.h:
300         (JSC::MapData::KeyType::KeyType):
301
302 2013-08-29  Oliver Hunt  <oliver@apple.com>
303
304
305         Implement ES6 Map object
306         https://bugs.webkit.org/show_bug.cgi?id=120333
307
308         Reviewed by Geoffrey Garen.
309
310         Implement support for the ES6 Map type and related classes.
311
312         * JavaScriptCore.xcodeproj/project.pbxproj:
313         * heap/CopyToken.h: Add a new token to track copying the backing store
314         * runtime/CommonIdentifiers.h: Add new identifiers
315         * runtime/JSGlobalObject.cpp:
316         * runtime/JSGlobalObject.h:
317             Add new structures and prototypes
318
319         * runtime/JSMap.cpp: Added.
320         * runtime/JSMap.h: Added.
321             New JSMap class to represent a Map instance
322
323         * runtime/MapConstructor.cpp: Added.
324         * runtime/MapConstructor.h: Added.
325             The Map constructor
326
327         * runtime/MapData.cpp: Added.
328         * runtime/MapData.h: Added.
329             The most interesting data structure.  This roughly corresponds
330             to the ES6 notion of MapData.  It provides the core JSValue->JSValue
331             map implementation.  We implement it using 2 hashtables and a flat
332             table.  Due to the different semantics of string comparisons vs.
333             all others we need to have one map keyed by String and the other by
334             generic JSValue.  The actual table is represented more or less
335             exactly as described in the ES6 draft - a single contiguous list of
336             key/value pairs.  The entire map could be achieved with just this
337             table, however we need the HashMaps in order to maintain O(1) lookup.
338
339             Deleted values are simply cleared as the draft says, however the
340             implementation compacts the storage on copy as long as there are no
341             active iterators.
342
343         * runtime/MapPrototype.cpp: Added.
344         * runtime/MapPrototype.h: Added.
345             Implement Map prototype functions
346
347         * runtime/VM.cpp:
348             Add new structures.
349
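As an added illustration of the MapData layout this entry describes (not JavaScriptCore's MapData): a toy map with one insertion-ordered table of key/value pairs, two hash indexes into it (string contents vs. identity), in-place clearing on delete, and compaction that is refused while a cursor is live. Value, ToyMapData and all their members are invented names; the string/identity split stands in for the JSValue comparison semantics.

```cpp
#include <cstdint>
#include <string>
#include <unordered_map>
#include <utility>
#include <vector>

// Constructed stand-in for JSValue: a string (compared by contents) or an opaque
// 64-bit identity (compared bitwise); a non-string with bits == 0 is the cleared sentinel.
struct Value {
    bool isString;
    std::string str;
    uint64_t bits;
    static Value string(std::string s) { return Value{true, std::move(s), 0}; }
    static Value other(uint64_t b) { return Value{false, std::string(), b}; }
    bool isEmpty() const { return !isString && bits == 0; }
};

class ToyMapData {
public:
    struct Entry { Value key; Value value; };    // cleared entries carry an empty key
    size_t size() const { return m_entries.size() - m_deletedCount; }
    size_t capacity() const { return m_entries.size(); }    // live plus cleared slots
    void set(const Value& key, const Value& value) {
        if (const size_t* index = indexFor(key)) {    // existing key: overwrite in place
            m_entries[*index].value = value;
            return;
        }
        size_t index = m_entries.size();              // new key: append, preserving order
        m_entries.push_back(Entry{key, value});
        if (key.isString) m_stringKeys[key.str] = index; else m_cellKeys[key.bits] = index;
    }
    const Value* get(const Value& key) const {
        const size_t* index = indexFor(key);
        return index ? &m_entries[*index].value : nullptr;
    }
    // Deletion clears the slot in place; nothing shifts, so a cursor that is
    // already past this point is unaffected.
    bool remove(const Value& key) {
        const size_t* indexPtr = indexFor(key);
        if (!indexPtr) return false;
        size_t index = *indexPtr;                     // copy before the index entry is erased
        if (key.isString) m_stringKeys.erase(key.str); else m_cellKeys.erase(key.bits);
        m_entries[index] = Entry{Value::other(0), Value::other(0)};
        ++m_deletedCount;
        return true;
    }

    // Walks the flat table in insertion order, skipping cleared slots. A live
    // cursor pins the layout, because compaction would move entries under it.
    class Cursor {
    public:
        explicit Cursor(ToyMapData& map) : m_map(map), m_pos(0) { ++m_map.m_iteratorCount; }
        ~Cursor() { --m_map.m_iteratorCount; }
        Cursor(const Cursor&) = delete; Cursor& operator=(const Cursor&) = delete;
        const Entry* next() {
            while (m_pos < m_map.m_entries.size()) {
                const Entry& entry = m_map.m_entries[m_pos++];
                if (!entry.key.isEmpty()) return &entry;
            }
            return nullptr;
        }
    private:
        ToyMapData& m_map;
        size_t m_pos;
    };
    // Compacts only while no cursor is active; returns whether anything changed.
    bool compact() {
        if (m_iteratorCount || !m_deletedCount) return false;
        std::vector<Entry> live;
        for (const Entry& entry : m_entries)
            if (!entry.key.isEmpty()) live.push_back(entry);
        m_entries.swap(live);
        m_stringKeys.clear(); m_cellKeys.clear();
        for (size_t i = 0; i < m_entries.size(); ++i) {    // rebuild both indexes
            const Value& key = m_entries[i].key;
            if (key.isString) m_stringKeys[key.str] = i; else m_cellKeys[key.bits] = i;
        }
        m_deletedCount = 0;
        return true;
    }

private:
    // Two indexes, because string keys compare by contents and all others by
    // identity; both hold positions in the single flat table.
    const size_t* indexFor(const Value& key) const {
        if (key.isString) {
            auto it = m_stringKeys.find(key.str);
            return it == m_stringKeys.end() ? nullptr : &it->second;
        }
        auto it = m_cellKeys.find(key.bits);
        return it == m_cellKeys.end() ? nullptr : &it->second;
    }
    std::vector<Entry> m_entries;
    std::unordered_map<std::string, size_t> m_stringKeys;
    std::unordered_map<uint64_t, size_t> m_cellKeys;
    size_t m_deletedCount = 0;
    int m_iteratorCount = 0;
};
```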
350 2013-08-29  Filip Pizlo  <fpizlo@apple.com>
351
352         Teach DFG::Worklist and its clients that it may be reused for different kinds of compilations
353         https://bugs.webkit.org/show_bug.cgi?id=120489
354
355         Reviewed by Geoffrey Garen.
356         
357         If the baseline JIT hits an OSR entry trigger into the DFG and we already have a
358         DFG compilation but we've also started one or more FTL compilations, then we
359         shouldn't get confused. Previously we would have gotten confused because we would
360         see an in-process deferred compile (the FTL compile) and also an optimized
361         replacement (the DFG code).
362         
363         If the baseline JIT hits an OSR entry trigger into the DFG and we previously
364         did two things in this order: triggered a tier-up compilation from the DFG into
365         the FTL, and then jettisoned the DFG code because it exited a bunch, then we
366         shouldn't be confused by the presence of an in-process deferred compile (the FTL
367         compile). Previously we would have waited for that compile to finish; but the more
368         sensible thing to do is to let it complete and then invalidate it, while at the
369         same time enqueueing a DFG compile to create a new, more valid, DFG code block.
370         
371         If the DFG JIT hits a loop OSR entry trigger (into the FTL) and it has already
372         triggered an FTL compile for replacement, then it should fire off a second compile
373         instead of thinking that it can wait for that one to finish. Or vice-versa. We
374         need to allow for two FTL compiles to be enqueued at the same time (one for
375         replacement and one for OSR entry in a loop).
376         
377         Then there's also the problem that DFG::compile() is almost certainly going to be
378         the hook for triggering both DFG compiles and the two kinds of FTL compiles, but
379         right now there is no way to tell it which one you want.
380         
381         This fixes these problems and removes a bunch of potential confusion by making the
382         key for a compile in the DFG::Worklist be a CompilationMode (one of DFGMode,
383         FTLMode, or FTLForOSREntryMode). That mode is also passed to DFG::compile().
384         
385         Awkwardly, this still leaves us in a no DFG->FTL tier-up situation - so
386         DFG::compile() is always passed DFGMode and then it might do an FTL compile if
387         possible. Fixing that is a bigger issue for a later changeset.
388
389         * CMakeLists.txt:
390         * GNUmakefile.list.am:
391         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
392         * JavaScriptCore.xcodeproj/project.pbxproj:
393         * Target.pri:
394         * bytecode/CodeBlock.cpp:
395         (JSC::CodeBlock::checkIfOptimizationThresholdReached):
396         * dfg/DFGCompilationKey.cpp: Added.
397         (JSC::DFG::CompilationKey::dump):
398         * dfg/DFGCompilationKey.h: Added.
399         (JSC::DFG::CompilationKey::CompilationKey):
400         (JSC::DFG::CompilationKey::operator!):
401         (JSC::DFG::CompilationKey::isHashTableDeletedValue):
402         (JSC::DFG::CompilationKey::profiledBlock):
403         (JSC::DFG::CompilationKey::mode):
404         (JSC::DFG::CompilationKey::operator==):
405         (JSC::DFG::CompilationKey::hash):
406         (JSC::DFG::CompilationKeyHash::hash):
407         (JSC::DFG::CompilationKeyHash::equal):
408         * dfg/DFGCompilationMode.cpp: Added.
409         (WTF::printInternal):
410         * dfg/DFGCompilationMode.h: Added.
411         * dfg/DFGDriver.cpp:
412         (JSC::DFG::compileImpl):
413         (JSC::DFG::compile):
414         * dfg/DFGDriver.h:
415         * dfg/DFGPlan.cpp:
416         (JSC::DFG::Plan::Plan):
417         (JSC::DFG::Plan::key):
418         * dfg/DFGPlan.h:
419         * dfg/DFGWorklist.cpp:
420         (JSC::DFG::Worklist::enqueue):
421         (JSC::DFG::Worklist::compilationState):
422         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
423         (JSC::DFG::Worklist::runThread):
424         * dfg/DFGWorklist.h:
425         * jit/JITStubs.cpp:
426         (JSC::DEFINE_STUB_FUNCTION):
427
428 2013-08-29  Brent Fulgham  <bfulgham@apple.com>
429
430         [Windows] Unreviewed build fix after r154847.
431         If you are going to exclude promises, actually exclude the build components.
432
433         * interpreter/CallFrame.h: Exclude promise declarations
434         * runtime/JSGlobalObject.cpp:
435         (JSC::JSGlobalObject::reset): Exclude promise code.
436         (JSC::JSGlobalObject::visitChildren): Ditto.
437         * runtime/VM.cpp: Ditto.
438         (JSC::VM::VM):
439         (JSC::VM::~VM):
440         * runtime/VM.h:
441
442 2013-08-29  Sam Weinig  <sam@webkit.org>
443
444         Add ENABLE guards for Promises
445         https://bugs.webkit.org/show_bug.cgi?id=120488
446
447         Reviewed by Andreas Kling.
448
449         * Configurations/FeatureDefines.xcconfig:
450         * runtime/JSGlobalObject.cpp:
451         * runtime/JSGlobalObject.h:
452         * runtime/JSPromise.cpp:
453         * runtime/JSPromise.h:
454         * runtime/JSPromiseCallback.cpp:
455         * runtime/JSPromiseCallback.h:
456         * runtime/JSPromiseConstructor.cpp:
457         * runtime/JSPromiseConstructor.h:
458         * runtime/JSPromisePrototype.cpp:
459         * runtime/JSPromisePrototype.h:
460         * runtime/JSPromiseResolver.cpp:
461         * runtime/JSPromiseResolver.h:
462         * runtime/JSPromiseResolverConstructor.cpp:
463         * runtime/JSPromiseResolverConstructor.h:
464         * runtime/JSPromiseResolverPrototype.cpp:
465         * runtime/JSPromiseResolverPrototype.h:
466
467 2013-08-29  Filip Pizlo  <fpizlo@apple.com>
468
469         Unreviewed, fix FTL build.
470
471         * ftl/FTLLowerDFGToLLVM.cpp:
472         (JSC::FTL::LowerDFGToLLVM::callCheck):
473
474 2013-08-29  Julien Brianceau  <jbriance@cisco.com>
475
476         REGRESSION(r153222, 32-bit): NULL JSValue() seen when running peacekeeper benchmark.
477         https://bugs.webkit.org/show_bug.cgi?id=120080
478
479         Reviewed by Michael Saboff.
480
481         * jit/JITOpcodes32_64.cpp:
482         (JSC::JIT::emitSlow_op_get_argument_by_val): Revert changes introduced by r153222 in this function.
483
484 2013-08-29  Filip Pizlo  <fpizlo@apple.com>
485
486         Kill code that became dead after http://trac.webkit.org/changeset/154833
487
488         Rubber stamped by Oliver Hunt.
489
490         * dfg/DFGDriver.h:
491
492 2013-08-29  Filip Pizlo  <fpizlo@apple.com>
493
494         CodeBlock's magic for scaling tier-up thresholds should be more reusable
495         https://bugs.webkit.org/show_bug.cgi?id=120486
496
497         Reviewed by Oliver Hunt.
498         
499         Removed the counterValueForBlah() methods and exposed the reusable scaling logic
500         as an adjustedCounterValue() method.
501
502         * bytecode/CodeBlock.cpp:
503         (JSC::CodeBlock::adjustedCounterValue):
504         (JSC::CodeBlock::optimizeAfterWarmUp):
505         (JSC::CodeBlock::optimizeAfterLongWarmUp):
506         (JSC::CodeBlock::optimizeSoon):
507         * bytecode/CodeBlock.h:
508         * dfg/DFGOSRExitCompilerCommon.cpp:
509         (JSC::DFG::handleExitCounts):
510
511 2013-08-29  Filip Pizlo  <fpizlo@apple.com>
512
513         CodeBlock::prepareForExecution() is silly
514         https://bugs.webkit.org/show_bug.cgi?id=120453
515
516         Reviewed by Oliver Hunt.
517         
518         Instead of saying:
519         
520             codeBlock->prepareForExecution(stuff, BaselineJIT, more stuff)
521         
522         we should just say:
523         
524             JIT::compile(stuff, codeBlock, more stuff);
525         
526         And similarly for the LLInt and DFG.
527         
528         This kills a bunch of code, since CodeBlock::prepareForExecution() is just a
529         wrapper that uses the JITType argument to call into the appropriate execution
530         engine, which is what the user wanted to do in the first place.
531
532         * CMakeLists.txt:
533         * GNUmakefile.list.am:
534         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
535         * JavaScriptCore.xcodeproj/project.pbxproj:
536         * Target.pri:
537         * bytecode/CodeBlock.cpp:
538         * bytecode/CodeBlock.h:
539         * dfg/DFGDriver.cpp:
540         (JSC::DFG::compileImpl):
541         (JSC::DFG::compile):
542         * dfg/DFGDriver.h:
543         (JSC::DFG::tryCompile):
544         * dfg/DFGOSRExitPreparation.cpp:
545         (JSC::DFG::prepareCodeOriginForOSRExit):
546         * dfg/DFGWorklist.cpp:
547         (JSC::DFG::globalWorklist):
548         * dfg/DFGWorklist.h:
549         * jit/JIT.cpp:
550         (JSC::JIT::privateCompile):
551         * jit/JIT.h:
552         (JSC::JIT::compile):
553         * jit/JITStubs.cpp:
554         (JSC::DEFINE_STUB_FUNCTION):
555         * llint/LLIntEntrypoint.cpp: Copied from Source/JavaScriptCore/llint/LLIntEntrypoints.cpp.
556         (JSC::LLInt::setFunctionEntrypoint):
557         (JSC::LLInt::setEvalEntrypoint):
558         (JSC::LLInt::setProgramEntrypoint):
559         (JSC::LLInt::setEntrypoint):
560         * llint/LLIntEntrypoint.h: Copied from Source/JavaScriptCore/llint/LLIntEntrypoints.h.
561         * llint/LLIntEntrypoints.cpp: Removed.
562         * llint/LLIntEntrypoints.h: Removed.
563         * llint/LLIntSlowPaths.cpp:
564         (JSC::LLInt::jitCompileAndSetHeuristics):
565         * runtime/Executable.cpp:
566         (JSC::ScriptExecutable::prepareForExecutionImpl):
567
568 2013-08-29  Mark Lam  <mark.lam@apple.com>
569
570         Gardening: fixed broken non-DFG build.
571         https://bugs.webkit.org/show_bug.cgi?id=120481
572
573         Not reviewed.
574
575         * interpreter/StackIterator.h:
576
577 2013-08-29  Filip Pizlo  <fpizlo@apple.com>
578
579         CodeBlock compilation and installation should be simplified and rationalized
580         https://bugs.webkit.org/show_bug.cgi?id=120326
581
582         Reviewed by Oliver Hunt.
583         
584         Rolling r154804 back in after fixing no-LLInt build.
585         
586         Previously Executable owned the code for generating JIT code; you always had
587         to go through Executable. But often you also had to go through CodeBlock,
588         because ScriptExecutable couldn't have virtual methods, but CodeBlock could.
589         So you'd ask CodeBlock to do something, which would dispatch through a
590         virtual method that would select the appropriate Executable subtype's method.
591         This all meant that the same code would often be duplicated, because most of
592         the work needed to compile something was identical regardless of code type.
593         But then we tried to fix this, by having templatized helpers in
594         ExecutionHarness.h and JITDriver.h. The result was that if you wanted to find
595         out what happened when you asked for something to be compiled, you'd go on a
596         wild ride that started with CodeBlock, touched upon Executable, and then
597         ricocheted into either ExecutionHarness or JITDriver (likely both).
598         
599         Another awkwardness was that for concurrent compiles, the DFG::Worklist had
600         super-special inside knowledge of what JITStubs.cpp's cti_optimize would have
601         done once the compilation finished.
602         
603         Also, most of the DFG JIT drivers assumed that they couldn't install the
604         JITCode into the CodeBlock directly - instead they would return it via a
605         reference, which happened to be a reference to the JITCode pointer in
606         Executable. This was super weird.
607         
608         Finally, there was no notion of compiling code into a special CodeBlock that
609         wasn't used for handling calls into an Executable. I'd like this for FTL OSR
610         entry.
611         
612         This patch solves these problems by reducing all of that complexity into just
613         three primitives:
614         
615         - Executable::newCodeBlock(). This gives you a new code block, either for call
616           or for construct, and either to serve as the baseline code or the optimized
617           code. The new code block is then owned by the caller; Executable doesn't
618           register it anywhere. The new code block has no JITCode and isn't callable,
619           but it has all of the bytecode.
620         
621         - CodeBlock::prepareForExecution(). This takes the CodeBlock's bytecode and
622           produces a JITCode, and then installs the JITCode into the CodeBlock. This
623           method takes a JITType, and always compiles with that JIT. If you ask for
624           JITCode::InterpreterThunk then you'll get JITCode that just points to the
625           LLInt entrypoints. Once this returns, it is possible to call into the
626           CodeBlock if you do so manually - but the Executable still won't know about
627           it so JS calls to that Executable will still be routed to whatever CodeBlock
628           is associated with the Executable.
629         
630         - Executable::installCode(). This takes a CodeBlock and makes it the code-for-
631           entry for that Executable. This involves unlinking the Executable's last
632           CodeBlock, if there was one. This also tells the GC about any effect on
633           memory usage and does a bunch of weird data structure rewiring, since
634           Executable caches some of CodeBlock's fields for the benefit of virtual call
635           fast paths.
636         
637         This functionality is then wrapped around three convenience methods:
638         
639         - Executable::prepareForExecution(). If there is no code block for that
640           Executable, then one is created (newCodeBlock()), compiled
641           (CodeBlock::prepareForExecution()) and installed (installCode()).
642         
643         - CodeBlock::newReplacement(). Asks the Executable for a new CodeBlock that
644           can serve as an optimized replacement of the current one.
645         
646         - CodeBlock::install(). Asks the Executable to install this code block.
647         
648         This patch allows me to kill *a lot* of code and to remove a lot of
649         specializations for functions vs. not-functions, and a lot of places where we
650         pass around JITCode references and such. ExecutionHarness and JITDriver are
651         both gone. Overall this patch has more red than green.
652         
653         It also allows me to work on FTL OSR entry and tier-up:
654         
655         - FTL tier-up: this will involve DFGOperations.cpp asking the DFG::Worklist
656           to do some compilation, but it will require the DFG::Worklist to do
657           something different than what JITStubs.cpp would want, once the compilation
658           finishes. This patch introduces a callback mechanism for that purpose.
659         
660         - FTL OSR entry: this will involve creating a special auto-jettisoned
661           CodeBlock that is used only for FTL OSR entry. The new set of primitives
662           allows for this: Executable can vend you a fresh new CodeBlock, and you can
663           ask that CodeBlock to compile itself with any JIT of your choosing. Or you
664           can take that CodeBlock and compile it yourself. Previously the act of
665           producing a CodeBlock-for-optimization and the act of compiling code for it
666           were tightly coupled; now you can separate them and you can create such
667           auto-jettisoned CodeBlocks that are used for a one-shot OSR entry.
668
669         * CMakeLists.txt:
670         * GNUmakefile.list.am:
671         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
672         * JavaScriptCore.xcodeproj/project.pbxproj:
673         * Target.pri:
674         * bytecode/CodeBlock.cpp:
675         (JSC::CodeBlock::unlinkIncomingCalls):
676         (JSC::CodeBlock::prepareForExecutionImpl):
677         (JSC::CodeBlock::prepareForExecution):
678         (JSC::CodeBlock::prepareForExecutionAsynchronously):
679         (JSC::CodeBlock::install):
680         (JSC::CodeBlock::newReplacement):
681         (JSC::FunctionCodeBlock::jettisonImpl):
682         * bytecode/CodeBlock.h:
683         (JSC::CodeBlock::hasBaselineJITProfiling):
684         * bytecode/DeferredCompilationCallback.cpp: Added.
685         (JSC::DeferredCompilationCallback::DeferredCompilationCallback):
686         (JSC::DeferredCompilationCallback::~DeferredCompilationCallback):
687         * bytecode/DeferredCompilationCallback.h: Added.
688         * dfg/DFGDriver.cpp:
689         (JSC::DFG::tryCompile):
690         * dfg/DFGDriver.h:
691         (JSC::DFG::tryCompile):
692         * dfg/DFGFailedFinalizer.cpp:
693         (JSC::DFG::FailedFinalizer::finalize):
694         (JSC::DFG::FailedFinalizer::finalizeFunction):
695         * dfg/DFGFailedFinalizer.h:
696         * dfg/DFGFinalizer.h:
697         * dfg/DFGJITFinalizer.cpp:
698         (JSC::DFG::JITFinalizer::finalize):
699         (JSC::DFG::JITFinalizer::finalizeFunction):
700         * dfg/DFGJITFinalizer.h:
701         * dfg/DFGOSRExitPreparation.cpp:
702         (JSC::DFG::prepareCodeOriginForOSRExit):
703         * dfg/DFGOperations.cpp:
704         * dfg/DFGPlan.cpp:
705         (JSC::DFG::Plan::Plan):
706         (JSC::DFG::Plan::compileInThreadImpl):
707         (JSC::DFG::Plan::notifyReady):
708         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
709         (JSC::DFG::Plan::finalizeAndNotifyCallback):
710         * dfg/DFGPlan.h:
711         * dfg/DFGSpeculativeJIT32_64.cpp:
712         (JSC::DFG::SpeculativeJIT::compile):
713         * dfg/DFGWorklist.cpp:
714         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
715         (JSC::DFG::Worklist::runThread):
716         * ftl/FTLJITFinalizer.cpp:
717         (JSC::FTL::JITFinalizer::finalize):
718         (JSC::FTL::JITFinalizer::finalizeFunction):
719         * ftl/FTLJITFinalizer.h:
720         * heap/Heap.h:
721         (JSC::Heap::isDeferred):
722         * interpreter/Interpreter.cpp:
723         (JSC::Interpreter::execute):
724         (JSC::Interpreter::executeCall):
725         (JSC::Interpreter::executeConstruct):
726         (JSC::Interpreter::prepareForRepeatCall):
727         * jit/JITDriver.h: Removed.
728         * jit/JITStubs.cpp:
729         (JSC::DEFINE_STUB_FUNCTION):
730         (JSC::jitCompileFor):
731         (JSC::lazyLinkFor):
732         * jit/JITToDFGDeferredCompilationCallback.cpp: Added.
733         (JSC::JITToDFGDeferredCompilationCallback::JITToDFGDeferredCompilationCallback):
734         (JSC::JITToDFGDeferredCompilationCallback::~JITToDFGDeferredCompilationCallback):
735         (JSC::JITToDFGDeferredCompilationCallback::create):
736         (JSC::JITToDFGDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
737         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
738         * jit/JITToDFGDeferredCompilationCallback.h: Added.
739         * llint/LLIntEntrypoints.cpp:
740         (JSC::LLInt::setFunctionEntrypoint):
741         (JSC::LLInt::setEvalEntrypoint):
742         (JSC::LLInt::setProgramEntrypoint):
743         * llint/LLIntEntrypoints.h:
744         * llint/LLIntSlowPaths.cpp:
745         (JSC::LLInt::jitCompileAndSetHeuristics):
746         (JSC::LLInt::setUpCall):
747         * runtime/ArrayPrototype.cpp:
748         (JSC::isNumericCompareFunction):
749         * runtime/CommonSlowPaths.cpp:
750         * runtime/CompilationResult.cpp:
751         (WTF::printInternal):
752         * runtime/CompilationResult.h:
753         * runtime/Executable.cpp:
754         (JSC::ScriptExecutable::installCode):
755         (JSC::ScriptExecutable::newCodeBlockFor):
756         (JSC::ScriptExecutable::newReplacementCodeBlockFor):
757         (JSC::ScriptExecutable::prepareForExecutionImpl):
758         * runtime/Executable.h:
759         (JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor):
760         (JSC::ExecutableBase::offsetOfNumParametersFor):
761         (JSC::ScriptExecutable::prepareForExecution):
762         (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
763         * runtime/ExecutionHarness.h: Removed.
764
765 2013-08-29  Mark Lam  <mark.lam@apple.com>
766
767         Change StackIterator to not require writes to the JS stack.
768         https://bugs.webkit.org/show_bug.cgi?id=119657.
769
770         Reviewed by Geoffrey Garen.
771
772         * GNUmakefile.list.am:
773         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
774         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
775         * JavaScriptCore.xcodeproj/project.pbxproj:
776         * interpreter/CallFrame.h:
777         - Removed references to StackIteratorPrivate.h.
778         * interpreter/StackIterator.cpp:
779         (JSC::StackIterator::numberOfFrames):
780         (JSC::StackIterator::gotoFrameAtIndex):
781         (JSC::StackIterator::gotoNextFrame):
782         (JSC::StackIterator::resetIterator):
783         (JSC::StackIterator::find):
784         (JSC::StackIterator::readFrame):
785         (JSC::StackIterator::readNonInlinedFrame):
786         - Reads in the current CallFrame's data for non-inlined frames.
787         (JSC::inlinedFrameOffset):
788         - Convenience function to compute the inlined frame offset based on the
789           CodeOrigin. If the offset is 0, then we're looking at the physical frame.
790           Otherwise, it's an inlined frame.
791         (JSC::StackIterator::readInlinedFrame):
792         - Determines the inlined frame's caller frame. Will read in the caller
793           frame if it is also an inlined frame i.e. we haven't reached the
794           outermost frame yet. Otherwise, will call readNonInlinedFrame() to
795           read in the outermost frame.
796           This is based on the old StackIterator::Frame::logicalFrame().
797         (JSC::StackIterator::updateFrame):
798         - Reads the data of the caller frame of the current one. This function
799           is renamed and moved from the old StackIterator::Frame::logicalCallerFrame(),
800           but is now simplified because it delegates to the readInlinedFrame()
801           to get the caller for inlined frames.
802         (JSC::StackIterator::Frame::arguments):
803         - Fixed to use the inlined frame versions of Arguments::create() and
804           Arguments::tearOff() when the frame is an inlined frame.
805         (JSC::StackIterator::Frame::print):
806         (debugPrintCallFrame):
807         (debugPrintStack):
808         - Because sometimes, we want to see the whole stack while debugging.
809         * interpreter/StackIterator.h:
810         (JSC::StackIterator::Frame::argumentCount):
811         (JSC::StackIterator::Frame::callerFrame):
812         (JSC::StackIterator::Frame::callee):
813         (JSC::StackIterator::Frame::scope):
814         (JSC::StackIterator::Frame::codeBlock):
815         (JSC::StackIterator::Frame::bytecodeOffset):
816         (JSC::StackIterator::Frame::inlinedFrameInfo):
817         (JSC::StackIterator::Frame::isJSFrame):
818         (JSC::StackIterator::Frame::isInlinedFrame):
819         (JSC::StackIterator::Frame::callFrame):
820         (JSC::StackIterator::Frame::Frame):
821         (JSC::StackIterator::Frame::~Frame):
822         - StackIterator::Frame now caches commonly accessed values from
823           the CallFrame. It still delegates argument queries to the CallFrame.
824         (JSC::StackIterator::operator*):
825         (JSC::StackIterator::operator->):
826         (JSC::StackIterator::operator!=):
827         (JSC::StackIterator::operator++):
828         (JSC::StackIterator::end):
829         (JSC::StackIterator::operator==):
830         * interpreter/StackIteratorPrivate.h: Removed.
831
832 2013-08-29  Chris Curtis  <chris_curtis@apple.com>
833
834         VM::throwException() crashes reproducibly in testapi with !ENABLE(JIT)
835         https://bugs.webkit.org/show_bug.cgi?id=120472
836
837         Reviewed by Filip Pizlo.
838         
839         With the JIT disabled, interpreterThrowInCaller was attempting to throw an error,
840         but the topCallFrame was not set yet. By passing the error object into interpreterThrowInCaller,
841         throwException can be called when topCallFrame is set.
842         * llint/LLIntSlowPaths.cpp:
843         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
844         * runtime/CommonSlowPaths.cpp:
845         (JSC::SLOW_PATH_DECL):
846         * runtime/CommonSlowPathsExceptions.cpp:
847         (JSC::CommonSlowPaths::interpreterThrowInCaller):
848         * runtime/CommonSlowPathsExceptions.h:
849
850         Renamed genericThrow -> genericUnwind, because this function no longer has the ability
851         to throw errors. It unwinds the stack in order to report them.
852         * dfg/DFGOperations.cpp:
853         * jit/JITExceptions.cpp:
854         (JSC::genericUnwind):
855         (JSC::jitThrowNew):
856         (JSC::jitThrow):
857         * jit/JITExceptions.h:
858         * llint/LLIntExceptions.cpp:
859         (JSC::LLInt::doThrow):
860     
861 2013-08-29  Commit Queue  <commit-queue@webkit.org>
862
863         Unreviewed, rolling out r154804.
864         http://trac.webkit.org/changeset/154804
865         https://bugs.webkit.org/show_bug.cgi?id=120477
866
867         Broke Windows build (assumes LLInt features not enabled on
868         this build) (Requested by bfulgham on #webkit).
869
870         * CMakeLists.txt:
871         * GNUmakefile.list.am:
872         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
873         * JavaScriptCore.xcodeproj/project.pbxproj:
874         * Target.pri:
875         * bytecode/CodeBlock.cpp:
876         (JSC::CodeBlock::linkIncomingCall):
877         (JSC::CodeBlock::unlinkIncomingCalls):
878         (JSC::CodeBlock::reoptimize):
879         (JSC::ProgramCodeBlock::replacement):
880         (JSC::EvalCodeBlock::replacement):
881         (JSC::FunctionCodeBlock::replacement):
882         (JSC::ProgramCodeBlock::compileOptimized):
883         (JSC::ProgramCodeBlock::replaceWithDeferredOptimizedCode):
884         (JSC::EvalCodeBlock::compileOptimized):
885         (JSC::EvalCodeBlock::replaceWithDeferredOptimizedCode):
886         (JSC::FunctionCodeBlock::compileOptimized):
887         (JSC::FunctionCodeBlock::replaceWithDeferredOptimizedCode):
888         (JSC::ProgramCodeBlock::jitCompileImpl):
889         (JSC::EvalCodeBlock::jitCompileImpl):
890         (JSC::FunctionCodeBlock::jitCompileImpl):
891         * bytecode/CodeBlock.h:
892         (JSC::CodeBlock::jitType):
893         (JSC::CodeBlock::jitCompile):
894         * bytecode/DeferredCompilationCallback.cpp: Removed.
895         * bytecode/DeferredCompilationCallback.h: Removed.
896         * dfg/DFGDriver.cpp:
897         (JSC::DFG::compile):
898         (JSC::DFG::tryCompile):
899         (JSC::DFG::tryCompileFunction):
900         (JSC::DFG::tryFinalizePlan):
901         * dfg/DFGDriver.h:
902         (JSC::DFG::tryCompile):
903         (JSC::DFG::tryCompileFunction):
904         (JSC::DFG::tryFinalizePlan):
905         * dfg/DFGFailedFinalizer.cpp:
906         (JSC::DFG::FailedFinalizer::finalize):
907         (JSC::DFG::FailedFinalizer::finalizeFunction):
908         * dfg/DFGFailedFinalizer.h:
909         * dfg/DFGFinalizer.h:
910         * dfg/DFGJITFinalizer.cpp:
911         (JSC::DFG::JITFinalizer::finalize):
912         (JSC::DFG::JITFinalizer::finalizeFunction):
913         * dfg/DFGJITFinalizer.h:
914         * dfg/DFGOSRExitPreparation.cpp:
915         (JSC::DFG::prepareCodeOriginForOSRExit):
916         * dfg/DFGOperations.cpp:
917         * dfg/DFGPlan.cpp:
918         (JSC::DFG::Plan::Plan):
919         (JSC::DFG::Plan::compileInThreadImpl):
920         (JSC::DFG::Plan::finalize):
921         * dfg/DFGPlan.h:
922         * dfg/DFGSpeculativeJIT32_64.cpp:
923         (JSC::DFG::SpeculativeJIT::compile):
924         * dfg/DFGWorklist.cpp:
925         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
926         (JSC::DFG::Worklist::runThread):
927         * ftl/FTLJITFinalizer.cpp:
928         (JSC::FTL::JITFinalizer::finalize):
929         (JSC::FTL::JITFinalizer::finalizeFunction):
930         * ftl/FTLJITFinalizer.h:
931         * heap/Heap.h:
932         * interpreter/Interpreter.cpp:
933         (JSC::Interpreter::execute):
934         (JSC::Interpreter::executeCall):
935         (JSC::Interpreter::executeConstruct):
936         (JSC::Interpreter::prepareForRepeatCall):
937         * jit/JITDriver.h: Added.
938         (JSC::jitCompileIfAppropriateImpl):
939         (JSC::jitCompileFunctionIfAppropriateImpl):
940         (JSC::jitCompileIfAppropriate):
941         (JSC::jitCompileFunctionIfAppropriate):
942         * jit/JITStubs.cpp:
943         (JSC::DEFINE_STUB_FUNCTION):
944         (JSC::jitCompileFor):
945         (JSC::lazyLinkFor):
946         * jit/JITToDFGDeferredCompilationCallback.cpp: Removed.
947         * jit/JITToDFGDeferredCompilationCallback.h: Removed.
948         * llint/LLIntEntrypoints.cpp:
949         (JSC::LLInt::getFunctionEntrypoint):
950         (JSC::LLInt::getEvalEntrypoint):
951         (JSC::LLInt::getProgramEntrypoint):
952         * llint/LLIntEntrypoints.h:
953         (JSC::LLInt::getEntrypoint):
954         * llint/LLIntSlowPaths.cpp:
955         (JSC::LLInt::jitCompileAndSetHeuristics):
956         (JSC::LLInt::setUpCall):
957         * runtime/ArrayPrototype.cpp:
958         (JSC::isNumericCompareFunction):
959         * runtime/CommonSlowPaths.cpp:
960         * runtime/CompilationResult.cpp:
961         (WTF::printInternal):
962         * runtime/CompilationResult.h:
963         * runtime/Executable.cpp:
964         (JSC::EvalExecutable::compileOptimized):
965         (JSC::EvalExecutable::jitCompile):
966         (JSC::EvalExecutable::compileInternal):
967         (JSC::EvalExecutable::replaceWithDeferredOptimizedCode):
968         (JSC::ProgramExecutable::compileOptimized):
969         (JSC::ProgramExecutable::jitCompile):
970         (JSC::ProgramExecutable::compileInternal):
971         (JSC::ProgramExecutable::replaceWithDeferredOptimizedCode):
972         (JSC::FunctionExecutable::compileOptimizedForCall):
973         (JSC::FunctionExecutable::compileOptimizedForConstruct):
974         (JSC::FunctionExecutable::jitCompileForCall):
975         (JSC::FunctionExecutable::jitCompileForConstruct):
976         (JSC::FunctionExecutable::produceCodeBlockFor):
977         (JSC::FunctionExecutable::compileForCallInternal):
978         (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForCall):
979         (JSC::FunctionExecutable::compileForConstructInternal):
980         (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForConstruct):
981         * runtime/Executable.h:
982         (JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor):
983         (JSC::ExecutableBase::offsetOfNumParametersFor):
984         (JSC::ExecutableBase::catchRoutineFor):
985         (JSC::EvalExecutable::compile):
986         (JSC::ProgramExecutable::compile):
987         (JSC::FunctionExecutable::compileForCall):
988         (JSC::FunctionExecutable::compileForConstruct):
989         (JSC::FunctionExecutable::compileFor):
990         (JSC::FunctionExecutable::compileOptimizedFor):
991         (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeFor):
992         (JSC::FunctionExecutable::jitCompileFor):
993         * runtime/ExecutionHarness.h: Added.
994         (JSC::prepareForExecutionImpl):
995         (JSC::prepareFunctionForExecutionImpl):
996         (JSC::installOptimizedCode):
997         (JSC::prepareForExecution):
998         (JSC::prepareFunctionForExecution):
999         (JSC::replaceWithDeferredOptimizedCode):
1000
1001 2013-08-28  Filip Pizlo  <fpizlo@apple.com>
1002
1003         CodeBlock compilation and installation should be simplified and rationalized
1004         https://bugs.webkit.org/show_bug.cgi?id=120326
1005
1006         Reviewed by Oliver Hunt.
1007         
1008         Previously Executable owned the code for generating JIT code; you always had
1009         to go through Executable. But often you also had to go through CodeBlock,
1010         because ScriptExecutable couldn't have virtual methods, but CodeBlock could.
1011         So you'd ask CodeBlock to do something, which would dispatch through a
1012         virtual method that would select the appropriate Executable subtype's method.
1013         This all meant that the same code would often be duplicated, because most of
1014         the work needed to compile something was identical regardless of code type.
1015         But then we tried to fix this, by having templatized helpers in
1016         ExecutionHarness.h and JITDriver.h. The result was that if you wanted to find
1017         out what happened when you asked for something to be compiled, you'd go on a
1018         wild ride that started with CodeBlock, touched upon Executable, and then
1019         ricocheted into either ExecutionHarness or JITDriver (likely both).
1020         
1021         Another awkwardness was that for concurrent compiles, the DFG::Worklist had
1022         super-special inside knowledge of what JITStubs.cpp's cti_optimize would have
1023         done once the compilation finished.
1024         
1025         Also, most of the DFG JIT drivers assumed that they couldn't install the
1026         JITCode into the CodeBlock directly - instead they would return it via a
1027         reference, which happened to be a reference to the JITCode pointer in
1028         Executable. This was super weird.
1029         
1030         Finally, there was no notion of compiling code into a special CodeBlock that
1031         wasn't used for handling calls into an Executable. I'd like this for FTL OSR
1032         entry.
1033         
1034         This patch solves these problems by reducing all of that complexity into just
1035         three primitives:
1036         
1037         - Executable::newCodeBlock(). This gives you a new code block, either for call
1038           or for construct, and either to serve as the baseline code or the optimized
1039           code. The new code block is then owned by the caller; Executable doesn't
1040           register it anywhere. The new code block has no JITCode and isn't callable,
1041           but it has all of the bytecode.
1042         
1043         - CodeBlock::prepareForExecution(). This takes the CodeBlock's bytecode and
1044           produces a JITCode, and then installs the JITCode into the CodeBlock. This
1045           method takes a JITType, and always compiles with that JIT. If you ask for
1046           JITCode::InterpreterThunk then you'll get JITCode that just points to the
1047           LLInt entrypoints. Once this returns, it is possible to call into the
1048           CodeBlock if you do so manually - but the Executable still won't know about
1049           it so JS calls to that Executable will still be routed to whatever CodeBlock
1050           is associated with the Executable.
1051         
1052         - Executable::installCode(). This takes a CodeBlock and makes it the code-for-
1053           entry for that Executable. This involves unlinking the Executable's last
1054           CodeBlock, if there was one. This also tells the GC about any effect on
1055           memory usage and does a bunch of weird data structure rewiring, since
1056           Executable caches some of CodeBlock's fields for the benefit of virtual call
1057           fast paths.
1058         
1059         This functionality is then wrapped around three convenience methods:
1060         
1061         - Executable::prepareForExecution(). If there is no code block for that
1062           Executable, then one is created (newCodeBlock()), compiled
1063           (CodeBlock::prepareForExecution()) and installed (installCode()).
1064         
1065         - CodeBlock::newReplacement(). Asks the Executable for a new CodeBlock that
1066           can serve as an optimized replacement of the current one.
1067         
1068         - CodeBlock::install(). Asks the Executable to install this code block.
1069         
1070         This patch allows me to kill *a lot* of code and to remove a lot of
1071         specializations for functions vs. not-functions, and a lot of places where we
1072         pass around JITCode references and such. ExecutionHarness and JITDriver are
1073         both gone. Overall this patch has more red than green.
1074         
1075         It also allows me to work on FTL OSR entry and tier-up:
1076         
1077         - FTL tier-up: this will involve DFGOperations.cpp asking the DFG::Worklist
1078           to do some compilation, but it will require the DFG::Worklist to do
1079           something different than what JITStubs.cpp would want, once the compilation
1080           finishes. This patch introduces a callback mechanism for that purpose.
1081         
1082         - FTL OSR entry: this will involve creating a special auto-jettisoned
1083           CodeBlock that is used only for FTL OSR entry. The new set of primitives
1084           allows for this: Executable can vend you a fresh new CodeBlock, and you can
1085           ask that CodeBlock to compile itself with any JIT of your choosing. Or you
1086           can take that CodeBlock and compile it yourself. Previously the act of
1087           producing a CodeBlock-for-optimization and the act of compiling code for it
1088           were tightly coupled; now you can separate them and you can create such
1089           auto-jettisoned CodeBlocks that are used for a one-shot OSR entry.
1090
1091         * CMakeLists.txt:
1092         * GNUmakefile.list.am:
1093         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1094         * JavaScriptCore.xcodeproj/project.pbxproj:
1095         * Target.pri:
1096         * bytecode/CodeBlock.cpp:
1097         (JSC::CodeBlock::prepareForExecution):
1098         (JSC::CodeBlock::install):
1099         (JSC::CodeBlock::newReplacement):
1100         (JSC::FunctionCodeBlock::jettisonImpl):
1101         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
1102         * bytecode/CodeBlock.h:
1103         (JSC::CodeBlock::hasBaselineJITProfiling):
1104         * bytecode/DeferredCompilationCallback.cpp: Added.
1105         (JSC::DeferredCompilationCallback::DeferredCompilationCallback):
1106         (JSC::DeferredCompilationCallback::~DeferredCompilationCallback):
1107         * bytecode/DeferredCompilationCallback.h: Added.
1108         * dfg/DFGDriver.cpp:
1109         (JSC::DFG::tryCompile):
1110         * dfg/DFGDriver.h:
1111         (JSC::DFG::tryCompile):
1112         * dfg/DFGFailedFinalizer.cpp:
1113         (JSC::DFG::FailedFinalizer::finalize):
1114         (JSC::DFG::FailedFinalizer::finalizeFunction):
1115         * dfg/DFGFailedFinalizer.h:
1116         * dfg/DFGFinalizer.h:
1117         * dfg/DFGJITFinalizer.cpp:
1118         (JSC::DFG::JITFinalizer::finalize):
1119         (JSC::DFG::JITFinalizer::finalizeFunction):
1120         * dfg/DFGJITFinalizer.h:
1121         * dfg/DFGOSRExitPreparation.cpp:
1122         (JSC::DFG::prepareCodeOriginForOSRExit):
1123         * dfg/DFGOperations.cpp:
1124         * dfg/DFGPlan.cpp:
1125         (JSC::DFG::Plan::Plan):
1126         (JSC::DFG::Plan::compileInThreadImpl):
1127         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
1128         (JSC::DFG::Plan::finalizeAndNotifyCallback):
1129         * dfg/DFGPlan.h:
1130         * dfg/DFGWorklist.cpp:
1131         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
1132         * ftl/FTLJITFinalizer.cpp:
1133         (JSC::FTL::JITFinalizer::finalize):
1134         (JSC::FTL::JITFinalizer::finalizeFunction):
1135         * ftl/FTLJITFinalizer.h:
1136         * heap/Heap.h:
1137         (JSC::Heap::isDeferred):
1138         * interpreter/Interpreter.cpp:
1139         (JSC::Interpreter::execute):
1140         (JSC::Interpreter::executeCall):
1141         (JSC::Interpreter::executeConstruct):
1142         (JSC::Interpreter::prepareForRepeatCall):
1143         * jit/JITDriver.h: Removed.
1144         * jit/JITStubs.cpp:
1145         (JSC::DEFINE_STUB_FUNCTION):
1146         (JSC::jitCompileFor):
1147         (JSC::lazyLinkFor):
1148         * jit/JITToDFGDeferredCompilationCallback.cpp: Added.
1149         (JSC::JITToDFGDeferredCompilationCallback::JITToDFGDeferredCompilationCallback):
1150         (JSC::JITToDFGDeferredCompilationCallback::~JITToDFGDeferredCompilationCallback):
1151         (JSC::JITToDFGDeferredCompilationCallback::create):
1152         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
1153         * jit/JITToDFGDeferredCompilationCallback.h: Added.
1154         * llint/LLIntEntrypoints.cpp:
1155         (JSC::LLInt::setFunctionEntrypoint):
1156         (JSC::LLInt::setEvalEntrypoint):
1157         (JSC::LLInt::setProgramEntrypoint):
1158         * llint/LLIntEntrypoints.h:
1159         * llint/LLIntSlowPaths.cpp:
1160         (JSC::LLInt::jitCompileAndSetHeuristics):
1161         (JSC::LLInt::setUpCall):
1162         * runtime/ArrayPrototype.cpp:
1163         (JSC::isNumericCompareFunction):
1164         * runtime/CommonSlowPaths.cpp:
1165         * runtime/CompilationResult.cpp:
1166         (WTF::printInternal):
1167         * runtime/CompilationResult.h:
1168         * runtime/Executable.cpp:
1169         (JSC::ScriptExecutable::installCode):
1170         (JSC::ScriptExecutable::newCodeBlockFor):
1171         (JSC::ScriptExecutable::newReplacementCodeBlockFor):
1172         (JSC::ScriptExecutable::prepareForExecutionImpl):
1173         * runtime/Executable.h:
1174         (JSC::ScriptExecutable::prepareForExecution):
1175         (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
1176         * runtime/ExecutionHarness.h: Removed.
1177
1178 2013-08-28  Chris Curtis  <chris_curtis@apple.com>
1179
1180         https://bugs.webkit.org/show_bug.cgi?id=119548
1181         Refactoring Exception throws.
1182         
1183         Reviewed by Geoffrey Garen.
1184         
1185         Gardening of exception throws. The act of throwing an exception was being handled in
1186         different ways depending on whether the code was running in the LLInt, Baseline JIT,
1187         or the DFG JIT. This made development in the VM exception and error objects difficult.
1188         
1189         * runtime/VM.cpp:
1190         (JSC::appendSourceToError):
1191         This function moved from the interpreter into the VM. It views the developer's code
1192         (if there is a codeBlock) to extract what was trying to be evaluated when the error
1193         occurred.
1194         
1195         (JSC::VM::throwException):
1196         This function takes in the error object and sets the following:
1197             1: The VM's exception stack
1198             2: The VM's exception
1199             3: Appends extra information on the error message (via appendSourceToError)
1200             4: The error object's line number
1201             5: The error object's column number
1202             6: The error object's sourceURL
1203             7: The error object's stack trace (unless it already exists because the developer
1204                 created the error object).
1205
1206         (JSC::VM::getExceptionInfo):
1207         (JSC::VM::setExceptionInfo):
1208         (JSC::VM::clearException):
1209         (JSC::clearExceptionStack):
1210         * runtime/VM.h:
1211         (JSC::VM::exceptionOffset):
1212         (JSC::VM::exception):
1213         (JSC::VM::addressOfException):
1214         (JSC::VM::exceptionStack):
1215         VM exception and exceptionStack are now private data members.
1216
1217         * interpreter/Interpreter.h:
1218         (JSC::ClearExceptionScope::ClearExceptionScope):
1219         Created this structure to temporarily clear the exception within the VM. This
1220         is needed to see if additional errors occur when setting the debugger as we are
1221         unwinding the stack.
1222
1223         * interpreter/Interpreter.cpp:
1224         (JSC::Interpreter::unwind):
1225         Removed the code that would try to add error information if it did not exist.
1226         All of this functionality has moved into the VM and all error information is set
1227         at the time the error occurs.
1228
1229         The rest of these functions reference the new calling convention to throw an error.
1230
1231         * API/APICallbackFunction.h:
1232         (JSC::APICallbackFunction::call):
1233         * API/JSCallbackConstructor.cpp:
1234         (JSC::constructJSCallback):
1235         * API/JSCallbackObjectFunctions.h:
1236         (JSC::::getOwnPropertySlot):
1237         (JSC::::defaultValue):
1238         (JSC::::put):
1239         (JSC::::putByIndex):
1240         (JSC::::deleteProperty):
1241         (JSC::::construct):
1242         (JSC::::customHasInstance):
1243         (JSC::::call):
1244         (JSC::::getStaticValue):
1245         (JSC::::staticFunctionGetter):
1246         (JSC::::callbackGetter):
1247         * debugger/Debugger.cpp:
1248         (JSC::evaluateInGlobalCallFrame):
1249         * debugger/DebuggerCallFrame.cpp:
1250         (JSC::DebuggerCallFrame::evaluate):
1251         * dfg/DFGAssemblyHelpers.h:
1252         (JSC::DFG::AssemblyHelpers::emitExceptionCheck):
1253         * dfg/DFGOperations.cpp:
1254         (JSC::DFG::operationPutByValInternal):
1255         * ftl/FTLLowerDFGToLLVM.cpp:
1256         (JSC::FTL::LowerDFGToLLVM::callCheck):
1257         * heap/Heap.cpp:
1258         (JSC::Heap::markRoots):
1259         * interpreter/CallFrame.h:
1260         (JSC::ExecState::clearException):
1261         (JSC::ExecState::exception):
1262         (JSC::ExecState::hadException):
1263         * interpreter/Interpreter.cpp:
1264         (JSC::eval):
1265         (JSC::loadVarargs):
1266         (JSC::stackTraceAsString):
1267         (JSC::Interpreter::execute):
1268         (JSC::Interpreter::executeCall):
1269         (JSC::Interpreter::executeConstruct):
1270         (JSC::Interpreter::prepareForRepeatCall):
1271         * interpreter/Interpreter.h:
1272         (JSC::ClearExceptionScope::ClearExceptionScope):
1273         * jit/JITCode.cpp:
1274         (JSC::JITCode::execute):
1275         * jit/JITExceptions.cpp:
1276         (JSC::genericThrow):
1277         * jit/JITOpcodes.cpp:
1278         (JSC::JIT::emit_op_catch):
1279         * jit/JITOpcodes32_64.cpp:
1280         (JSC::JIT::privateCompileCTINativeCall):
1281         (JSC::JIT::emit_op_catch):
1282         * jit/JITStubs.cpp:
1283         (JSC::returnToThrowTrampoline):
1284         (JSC::throwExceptionFromOpCall):
1285         (JSC::DEFINE_STUB_FUNCTION):
1286         (JSC::jitCompileFor):
1287         (JSC::lazyLinkFor):
1288         (JSC::putByVal):
1289         (JSC::cti_vm_handle_exception):
1290         * jit/SlowPathCall.h:
1291         (JSC::JITSlowPathCall::call):
1292         * jit/ThunkGenerators.cpp:
1293         (JSC::nativeForGenerator):
1294         * jsc.cpp:
1295         (functionRun):
1296         (functionLoad):
1297         (functionCheckSyntax):
1298         * llint/LLIntExceptions.cpp:
1299         (JSC::LLInt::doThrow):
1300         (JSC::LLInt::returnToThrow):
1301         (JSC::LLInt::callToThrow):
1302         * llint/LLIntSlowPaths.cpp:
1303         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1304         * llint/LowLevelInterpreter.cpp:
1305         (JSC::CLoop::execute):
1306         * llint/LowLevelInterpreter32_64.asm:
1307         * llint/LowLevelInterpreter64.asm:
1308         * runtime/ArrayConstructor.cpp:
1309         (JSC::constructArrayWithSizeQuirk):
1310         * runtime/CommonSlowPaths.cpp:
1311         (JSC::SLOW_PATH_DECL):
1312         * runtime/CommonSlowPaths.h:
1313         (JSC::CommonSlowPaths::opIn):
1314         * runtime/CommonSlowPathsExceptions.cpp:
1315         (JSC::CommonSlowPaths::interpreterThrowInCaller):
1316         * runtime/Completion.cpp:
1317         (JSC::evaluate):
1318         * runtime/Error.cpp:
1319         (JSC::addErrorInfo):
1320         (JSC::throwTypeError):
1321         (JSC::throwSyntaxError):
1322         * runtime/Error.h:
1323         (JSC::throwVMError):
1324         * runtime/ExceptionHelpers.cpp:
1325         (JSC::throwOutOfMemoryError):
1326         (JSC::throwStackOverflowError):
1327         (JSC::throwTerminatedExecutionException):
1328         * runtime/Executable.cpp:
1329         (JSC::EvalExecutable::create):
1330         (JSC::FunctionExecutable::produceCodeBlockFor):
1331         * runtime/FunctionConstructor.cpp:
1332         (JSC::constructFunction):
1333         (JSC::constructFunctionSkippingEvalEnabledCheck):
1334         * runtime/JSArray.cpp:
1335         (JSC::JSArray::defineOwnProperty):
1336         (JSC::JSArray::put):
1337         (JSC::JSArray::push):
1338         * runtime/JSCJSValue.cpp:
1339         (JSC::JSValue::toObjectSlowCase):
1340         (JSC::JSValue::synthesizePrototype):
1341         (JSC::JSValue::putToPrimitive):
1342         * runtime/JSFunction.cpp:
1343         (JSC::JSFunction::defineOwnProperty):
1344         * runtime/JSGenericTypedArrayViewInlines.h:
1345         (JSC::::create):
1346         (JSC::::createUninitialized):
1347         (JSC::::validateRange):
1348         (JSC::::setWithSpecificType):
1349         * runtime/JSGlobalObjectFunctions.cpp:
1350         (JSC::encode):
1351         (JSC::decode):
1352         (JSC::globalFuncProtoSetter):
1353         * runtime/JSNameScope.cpp:
1354         (JSC::JSNameScope::put):
1355         * runtime/JSONObject.cpp:
1356         (JSC::Stringifier::appendStringifiedValue):
1357         (JSC::Walker::walk):
1358         * runtime/JSObject.cpp:
1359         (JSC::JSObject::put):
1360         (JSC::JSObject::defaultValue):
1361         (JSC::JSObject::hasInstance):
1362         (JSC::JSObject::defaultHasInstance):
1363         (JSC::JSObject::defineOwnNonIndexProperty):
1364         (JSC::throwTypeError):
1365         * runtime/ObjectConstructor.cpp:
1366         (JSC::toPropertyDescriptor):
1367         * runtime/RegExpConstructor.cpp:
1368         (JSC::constructRegExp):
1369         * runtime/StringObject.cpp:
1370         (JSC::StringObject::defineOwnProperty):
1371         * runtime/StringRecursionChecker.cpp:
1372         (JSC::StringRecursionChecker::throwStackOverflowError):
1373
1374 2013-08-28  Zan Dobersek  <zdobersek@igalia.com>
1375
1376         [GTK] Add support for building JSC with FTL JIT enabled
1377         https://bugs.webkit.org/show_bug.cgi?id=120270
1378
1379         Reviewed by Filip Pizlo.
1380
1381         * GNUmakefile.am: Add LLVM_LIBS to the list of linker flags and LLVM_CFLAGS to the list of
1382         compiler flags for the JSC library.
1383         * GNUmakefile.list.am: Add the missing build targets.
1384         * ftl/FTLAbbreviations.h: Include the <cstring> header and use std::strlen. This avoids compilation
1385         failures when using the Clang compiler with the libstdc++ standard library.
1386         (JSC::FTL::mdKindID):
1387         (JSC::FTL::mdString):
1388
1389 2013-08-23  Andy Estes  <aestes@apple.com>
1390
1391         Fix issues found by the Clang Static Analyzer
1392         https://bugs.webkit.org/show_bug.cgi?id=120230
1393
1394         Reviewed by Darin Adler.
1395
1396         * API/JSValue.mm:
1397         (valueToString): Don't leak every CFStringRef when in Objective-C GC.
1398         * API/ObjCCallbackFunction.mm:
1399         (JSC::ObjCCallbackFunctionImpl::~ObjCCallbackFunctionImpl): Don't
1400         release m_invocation's target since NSInvocation will do it for us on
1401         -dealloc.
1402         (objCCallbackFunctionForBlock): Tell NSInvocation to retain its target
1403         and -release our reference to the copied block.
1404         * API/tests/minidom.c:
1405         (createStringWithContentsOfFile): Free buffer before returning.
1406         * API/tests/testapi.c:
1407         (createStringWithContentsOfFile): Ditto.
1408
1409 2013-08-26  Brent Fulgham  <bfulgham@apple.com>
1410
1411         [Windows] Unreviewed build fix after r154629.
1412
1413         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing build files.
1414         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1415
1416 2013-08-26  Ryosuke Niwa  <rniwa@webkit.org>
1417
1418         Windows build fix attempt after r154629.
1419
1420         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1421
1422 2013-08-25  Mark Hahnenberg  <mhahnenberg@apple.com>
1423
1424         JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length of the ArrayStorage after possibly reallocing it
1425         https://bugs.webkit.org/show_bug.cgi?id=120278
1426
1427         Reviewed by Geoffrey Garen.
1428
1429         * runtime/JSObject.cpp:
1430         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
1431
1432 2013-08-26  Filip Pizlo  <fpizlo@apple.com>
1433
1434         Fix indention of Executable.h.
1435
1436         Rubber stamped by Mark Hahnenberg.
1437
1438         * runtime/Executable.h:
1439
1440 2013-08-26  Mark Hahnenberg  <mhahnenberg@apple.com>
1441
1442         Object.defineProperty should be able to create a PropertyDescriptor where m_attributes == 0
1443         https://bugs.webkit.org/show_bug.cgi?id=120314
1444
1445         Reviewed by Darin Adler.
1446
1447         Currently with the way that defineProperty works, we leave a stray low bit set in 
1448         PropertyDescriptor::m_attributes in the following code:
1449
1450         var o = {};
1451         Object.defineProperty(o, 100, {writable:true, enumerable:true, configurable:true, value:"foo"});
1452         
1453         This is due to the fact that the lowest non-zero attribute (ReadOnly) is represented as 1 << 1 
1454         instead of 1 << 0. We then calculate the default attributes as (DontDelete << 1) - 1, which is 0xF, 
1455         but only the top three bits mean anything. Even in the case above, the top three bits are set 
1456         to 0 but the bottom bit remains set, which causes us to think m_attributes is non-zero.
1457
1458         Since some of these attributes and their corresponding values are exposed in the JavaScriptCore 
1459         framework's public C API, it's safer to just change how we calculate the default value, which is
1460         where the weirdness was originating from in the first place.
1461
1462         * runtime/PropertyDescriptor.cpp:
1463
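        The following is an added illustration, not JavaScriptCore code, of the stray-bit problem the
        entry above describes. The enum layout (ReadOnly == 1 << 1, DontEnum == 1 << 2, DontDelete == 1 << 3)
        is taken from the entry; the descriptor-application logic is a deliberate simplification of
        defineProperty, and the corrected default (OR of the three named bits) is this example's own
        assumption about how the fix is computed, not a quote of the patch.

```cpp
// Added example (not JavaScriptCore's code). Shows why (DontDelete << 1) - 1
// leaves bit 0 set after a descriptor clears every meaningful attribute, and
// a default built only from the named bits that does not.
#include <cstdint>
#include <cstdio>

enum Attribute : unsigned {
    None = 0,
    ReadOnly = 1 << 1,    // lowest non-zero attribute is bit 1, not bit 0
    DontEnum = 1 << 2,
    DontDelete = 1 << 3,
};

// Old default: (DontDelete << 1) - 1 == 0xF. Bit 0 carries no meaning but is set.
inline unsigned buggyDefaultAttributes() { return (DontDelete << 1) - 1; }

// Corrected default (assumption of this example): only the bits that mean something.
inline unsigned fixedDefaultAttributes() { return ReadOnly | DontEnum | DontDelete; }

// Simplified defineProperty: starting from the default, each descriptor field
// clears its restriction bit when true and sets it when false. This mirrors
// {writable:true, enumerable:true, configurable:true} clearing all three.
inline unsigned applyDescriptor(unsigned defaults, bool writable, bool enumerable, bool configurable) {
    unsigned attributes = defaults;
    auto apply = [&](bool flag, unsigned bit) {
        if (flag)
            attributes &= ~bit;
        else
            attributes |= bit;
    };
    apply(writable, ReadOnly);
    apply(enumerable, DontEnum);
    apply(configurable, DontDelete);
    return attributes;
}

inline unsigned buggyAttributesFor(bool w, bool e, bool c) {
    return applyDescriptor(buggyDefaultAttributes(), w, e, c);
}

inline unsigned fixedAttributesFor(bool w, bool e, bool c) {
    return applyDescriptor(fixedDefaultAttributes(), w, e, c);
}

int main() {
    // The buggy path reports a non-zero m_attributes for a fully permissive descriptor.
    std::printf("buggy: 0x%x  fixed: 0x%x\n",
                buggyAttributesFor(true, true, true), fixedAttributesFor(true, true, true));
    return 0;
}
```

        The check a reviewer would want is the last assertion: masking the buggy result with the three
        named bits yields zero, so any code testing m_attributes against zero is fooled only by bit 0.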
1464 2013-08-24  Sam Weinig  <sam@webkit.org>
1465
1466         Add support for Promises
1467         https://bugs.webkit.org/show_bug.cgi?id=120260
1468
1469         Reviewed by Darin Adler.
1470
1471         Add an initial implementation of Promises - http://dom.spec.whatwg.org/#promises.
1472         - Despite Promises being defined in the DOM, the implementation is being put in JSC
1473           in preparation for the Promises eventually being defined in ECMAScript.
1474
1475         * CMakeLists.txt:
1476         * DerivedSources.make:
1477         * DerivedSources.pri:
1478         * GNUmakefile.list.am:
1479         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1480         * JavaScriptCore.xcodeproj/project.pbxproj:
1481         * Target.pri:
1482         Add new files.
1483
1484         * jsc.cpp:
1485         Update jsc's GlobalObjectMethodTable to stub out the new QueueTaskToEventLoop callback. This means
1486         you can't quite use Promises with the command line tool yet.
1487     
1488         * interpreter/CallFrame.h:
1489         (JSC::ExecState::promisePrototypeTable):
1490         (JSC::ExecState::promiseConstructorTable):
1491         (JSC::ExecState::promiseResolverPrototypeTable):
1492         * runtime/VM.cpp:
1493         (JSC::VM::VM):
1494         (JSC::VM::~VM):
1495         * runtime/VM.h:
1496         Add supporting code for the new static lookup tables.
1497
1498         * runtime/CommonIdentifiers.h:
1499         Add 3 new identifiers, "Promise", "PromiseResolver", and "then".
1500
1501         * runtime/JSGlobalObject.cpp:
1502         (JSC::JSGlobalObject::reset):
1503         (JSC::JSGlobalObject::visitChildren):
1504         Add supporting code for Promise and PromiseResolver's constructors and structures.
1505
1506         * runtime/JSGlobalObject.h:
1507         (JSC::TaskContext::~TaskContext):
1508         Add a new callback to the GlobalObjectMethodTable to post a task on the embedder's runloop.
1509
1510         (JSC::JSGlobalObject::promisePrototype):
1511         (JSC::JSGlobalObject::promiseResolverPrototype):
1512         (JSC::JSGlobalObject::promiseStructure):
1513         (JSC::JSGlobalObject::promiseResolverStructure):
1514         (JSC::JSGlobalObject::promiseCallbackStructure):
1515         (JSC::JSGlobalObject::promiseWrapperCallbackStructure):
1516         Add supporting code for Promise and PromiseResolver's constructors and structures.
1517
1518         * runtime/JSPromise.cpp: Added.
1519         * runtime/JSPromise.h: Added.
1520         * runtime/JSPromiseCallback.cpp: Added.
1521         * runtime/JSPromiseCallback.h: Added.
1522         * runtime/JSPromiseConstructor.cpp: Added.
1523         * runtime/JSPromiseConstructor.h: Added.
1524         * runtime/JSPromisePrototype.cpp: Added.
1525         * runtime/JSPromisePrototype.h: Added.
1526         * runtime/JSPromiseResolver.cpp: Added.
1527         * runtime/JSPromiseResolver.h: Added.
1528         * runtime/JSPromiseResolverConstructor.cpp: Added.
1529         * runtime/JSPromiseResolverConstructor.h: Added.
1530         * runtime/JSPromiseResolverPrototype.cpp: Added.
1531         * runtime/JSPromiseResolverPrototype.h: Added.
1532         Add Promise implementation.
1533
1534 2013-08-26  Zan Dobersek  <zdobersek@igalia.com>
1535
1536         Plenty of -Wcast-align warnings in KeywordLookup.h
1537         https://bugs.webkit.org/show_bug.cgi?id=120316
1538
1539         Reviewed by Darin Adler.
1540
1541         * KeywordLookupGenerator.py: Use reinterpret_cast instead of a C-style cast when casting
1542         the character pointers to types of larger size. This avoids spewing lots of warnings
1543         in the KeywordLookup.h header when compiling with the -Wcast-align option.
1544
1545 2013-08-26  Gavin Barraclough  <barraclough@apple.com>
1546
1547         RegExpMatchesArray should not call [[put]]
1548         https://bugs.webkit.org/show_bug.cgi?id=120317
1549
1550         Reviewed by Oliver Hunt.
1551
1552         This will call accessors on the JSObject/JSArray prototypes - so adding an accessor or read-only
1553         property called index or input to either of these prototypes will result in broken behavior.
1554
1555         * runtime/RegExpMatchesArray.cpp:
1556         (JSC::RegExpMatchesArray::reifyAllProperties):
1557             - put -> putDirect
1558
1559 2013-08-24  Filip Pizlo  <fpizlo@apple.com>
1560
1561         FloatTypedArrayAdaptor::toJSValue should almost certainly not use jsNumber() since that attempts int conversions
1562         https://bugs.webkit.org/show_bug.cgi?id=120228
1563
1564         Reviewed by Oliver Hunt.
1565         
1566         It turns out that there were three problems:
1567         
1568         - Using jsNumber() meant that we were converting doubles to integers and then
1569           possibly back again whenever doing a set() between floating point arrays.
1570         
1571         - Slow-path accesses to double typed arrays were slower than necessary because
1572           of the to-int conversion attempt.
1573         
1574         - The use of JSValue as an intermediate for converting between different types
1575           in typedArray.set() resulted in worse code than I had previously expected.
1576         
1577         This patch solves the problem by using template double-dispatch to ensure that
1578         the C++ compiler sees the simplest possible combination of casts between any
1579         combination of typed array types, while still preserving JS and typed array
1580         conversion semantics. Conversions are done as follows:
1581         
1582             SourceAdaptor::convertTo<TargetAdaptor>(value)
1583         
1584         Internally, convertTo() calls one of three possible methods on TargetAdaptor,
1585         with one method for each of int32_t, uint32_t, and double. This means that the
1586         C++ compiler will at worst see a widening cast to one of those types followed
1587         by a narrowing conversion (not necessarily a cast - may have clamping or the
1588         JS toInt32() function).
1589         
1590         This change doesn't just affect typedArray.set(); it also affects slow-path
1591         accesses to typed arrays. This patch also adds a bunch of new test
1592         coverage.
1593         
1594         This change is a ~50% speed-up on typedArray.set() involving floating point
1595         types.
1596
1597         * GNUmakefile.list.am:
1598         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1599         * JavaScriptCore.xcodeproj/project.pbxproj:
1600         * runtime/GenericTypedArrayView.h:
1601         (JSC::GenericTypedArrayView::set):
1602         * runtime/JSDataViewPrototype.cpp:
1603         (JSC::setData):
1604         * runtime/JSGenericTypedArrayView.h:
1605         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
1606         (JSC::JSGenericTypedArrayView::setIndexQuickly):
1607         * runtime/JSGenericTypedArrayViewInlines.h:
1608         (JSC::::setWithSpecificType):
1609         (JSC::::set):
1610         * runtime/ToNativeFromValue.h: Added.
1611         (JSC::toNativeFromValue):
1612         * runtime/TypedArrayAdaptors.h:
1613         (JSC::IntegralTypedArrayAdaptor::toJSValue):
1614         (JSC::IntegralTypedArrayAdaptor::toDouble):
1615         (JSC::IntegralTypedArrayAdaptor::toNativeFromInt32):
1616         (JSC::IntegralTypedArrayAdaptor::toNativeFromUint32):
1617         (JSC::IntegralTypedArrayAdaptor::toNativeFromDouble):
1618         (JSC::IntegralTypedArrayAdaptor::convertTo):
1619         (JSC::FloatTypedArrayAdaptor::toJSValue):
1620         (JSC::FloatTypedArrayAdaptor::toDouble):
1621         (JSC::FloatTypedArrayAdaptor::toNativeFromInt32):
1622         (JSC::FloatTypedArrayAdaptor::toNativeFromUint32):
1623         (JSC::FloatTypedArrayAdaptor::toNativeFromDouble):
1624         (JSC::FloatTypedArrayAdaptor::convertTo):
1625         (JSC::Uint8ClampedAdaptor::toJSValue):
1626         (JSC::Uint8ClampedAdaptor::toDouble):
1627         (JSC::Uint8ClampedAdaptor::toNativeFromInt32):
1628         (JSC::Uint8ClampedAdaptor::toNativeFromUint32):
1629         (JSC::Uint8ClampedAdaptor::toNativeFromDouble):
1630         (JSC::Uint8ClampedAdaptor::convertTo):
1631
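        The following is an added sketch, not JavaScriptCore's code, of the adaptor double-dispatch the
        entry above describes: SourceAdaptor::convertTo<TargetAdaptor>(value) widens once on the source
        side and then calls one of toNativeFromInt32, toNativeFromUint32 or toNativeFromDouble on the
        target, so floating-point sources never pass through an integer. The adaptor and method names
        follow the entry; the bodies (a JS ToInt32 wrap, plain truncating casts for integral targets,
        ties-to-even clamping for Uint8Clamped) are this example's own and follow the typed array
        conversion rules rather than JSC's actual implementation. The sample arrays are constructed.

```cpp
// Added example (not JavaScriptCore's code): template double-dispatch for
// typed array element conversion, in the shape the entry above describes.
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>

// JS ToInt32: NaN and infinities become 0; otherwise truncate toward zero and
// wrap modulo 2^32 into the signed 32-bit range.
inline int32_t jsToInt32(double d) {
    if (!std::isfinite(d))
        return 0;
    d = std::trunc(d);
    double m = std::fmod(d, 4294967296.0);   // keeps the sign of d, |m| < 2^32
    if (m < 0)
        m += 4294967296.0;
    if (m >= 2147483648.0)
        m -= 4294967296.0;
    return static_cast<int32_t>(m);         // now within [-2^31, 2^31)
}

// Integral targets: narrowing from int32/uint32 is a wrapping cast, from a
// double it goes through ToInt32 first (so 200.0 -> Int8 gives -56, like JS).
template <typename T>
struct IntegralAdaptor {
    using Type = T;
    static T toNativeFromInt32(int32_t v) { return static_cast<T>(v); }
    static T toNativeFromUint32(uint32_t v) { return static_cast<T>(v); }
    static T toNativeFromDouble(double d) { return static_cast<T>(jsToInt32(d)); }
    // Source side: widen losslessly to int32 or uint32, then let the target narrow.
    template <typename Target>
    static typename Target::Type convertTo(T v) {
        if (std::numeric_limits<T>::is_signed)
            return Target::toNativeFromInt32(static_cast<int32_t>(v));
        return Target::toNativeFromUint32(static_cast<uint32_t>(v));
    }
};

// Float targets: every incoming value is taken as a double; the source side
// never routes a float through an integer, which was the bug the entry fixes.
template <typename T>
struct FloatAdaptor {
    using Type = T;
    static T toNativeFromInt32(int32_t v) { return static_cast<T>(v); }
    static T toNativeFromUint32(uint32_t v) { return static_cast<T>(v); }
    static T toNativeFromDouble(double d) { return static_cast<T>(d); }
    template <typename Target>
    static typename Target::Type convertTo(T v) {
        return Target::toNativeFromDouble(static_cast<double>(v));
    }
};

// Uint8Clamped: saturate instead of wrapping; doubles round ties-to-even.
struct Uint8ClampedAdaptor {
    using Type = uint8_t;
    static uint8_t toNativeFromInt32(int32_t v) { return v < 0 ? 0 : v > 255 ? 255 : static_cast<uint8_t>(v); }
    static uint8_t toNativeFromUint32(uint32_t v) { return v > 255 ? 255 : static_cast<uint8_t>(v); }
    static uint8_t toNativeFromDouble(double d) {
        if (std::isnan(d) || d <= 0)
            return 0;
        if (d >= 255)
            return 255;
        return static_cast<uint8_t>(std::nearbyint(d)); // default rounding mode is to-nearest-even
    }
    template <typename Target>
    static typename Target::Type convertTo(uint8_t v) { return Target::toNativeFromUint32(v); }
};

using Int8Adaptor = IntegralAdaptor<int8_t>;
using Uint8Adaptor = IntegralAdaptor<uint8_t>;
using Int32Adaptor = IntegralAdaptor<int32_t>;
using Float32Adaptor = FloatAdaptor<float>;
using Float64Adaptor = FloatAdaptor<double>;

// typedArray.set() core: one conversion per element, chosen at compile time.
template <typename SourceAdaptor, typename TargetAdaptor>
void typedArraySet(const typename SourceAdaptor::Type* src, typename TargetAdaptor::Type* dst, size_t n) {
    for (size_t i = 0; i < n; ++i)
        dst[i] = SourceAdaptor::template convertTo<TargetAdaptor>(src[i]);
}

// Constructed sample: a Float64Array copied into a Uint8ClampedArray.
inline uint8_t sampleClampedSet(size_t i) {
    const double src[3] = { 1.5, 300.0, -5.0 };
    uint8_t dst[3] = { 0, 0, 0 };
    typedArraySet<Float64Adaptor, Uint8ClampedAdaptor>(src, dst, 3);
    return dst[i];
}

int main() {
    std::printf("clamped: %u %u %u\n", sampleClampedSet(0), sampleClampedSet(1), sampleClampedSet(2));
    std::printf("200.0 -> Int8: %d\n", Float64Adaptor::convertTo<Int8Adaptor>(200.0));
    return 0;
}
```

        The point to check when reviewing a conversion like this is the target-side narrowing: integral
        targets wrap, the clamped target saturates, and a double source must reach a double target with
        no integer in between. Each of those three behaviours is exercised separately in the assertions.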
1632 2013-08-24  Dan Bernstein  <mitz@apple.com>
1633
1634         [mac] link against libz in a more civilized manner
1635         https://bugs.webkit.org/show_bug.cgi?id=120258
1636
1637         Reviewed by Darin Adler.
1638
1639         * Configurations/JavaScriptCore.xcconfig: Removed “-lz” from OTHER_LDFLAGS_BASE.
1640         * JavaScriptCore.xcodeproj/project.pbxproj: Added libz.dylib to the JavaScriptCore target’s
1641         Link Binary With Libraries build phase.
1642
1643 2013-08-23  Laszlo Papp  <lpapp@kde.org>
1644
1645         Failure building with python3
1646         https://bugs.webkit.org/show_bug.cgi?id=106645
1647
1648         Reviewed by Benjamin Poulain.
1649
1650         Use print functions instead of python statements to be compatible with python 3.X and 2.7 as well.
1651         Archlinux has been using python3 and that is what causes issues while packaging QtWebKit along with Qt5.
1652
1653         * disassembler/udis86/itab.py:
1654         (UdItabGenerator.genInsnTable):
1655         * disassembler/udis86/ud_opcode.py:
1656         (UdOpcodeTables.print_table):
1657         * disassembler/udis86/ud_optable.py:
1658         (UdOptableXmlParser.parseDef):
1659         (UdOptableXmlParser.parse):
1660         (printFn):
1661
1662 2013-08-23  Filip Pizlo  <fpizlo@apple.com>
1663
1664         Incorrect TypedArray#set behavior
1665         https://bugs.webkit.org/show_bug.cgi?id=83818
1666
1667         Reviewed by Oliver Hunt and Mark Hahnenberg.
1668         
1669         This was so much fun! typedArray.set() is like a memmove on steroids, and I'm
1670         not smart enough to figure out optimal versions for *all* of the cases. But I
1671         did come up with optimal implementations for most of the cases, and I wrote
1672         spec-literal code (i.e. copy via a transfer buffer) for the cases I'm not smart
1673         enough to write optimal code for.
1674
1675         * runtime/JSArrayBufferView.h:
1676         (JSC::JSArrayBufferView::hasArrayBuffer):
1677         * runtime/JSArrayBufferViewInlines.h:
1678         (JSC::JSArrayBufferView::buffer):
1679         (JSC::JSArrayBufferView::existingBufferInButterfly):
1680         (JSC::JSArrayBufferView::neuter):
1681         (JSC::JSArrayBufferView::byteOffset):
1682         * runtime/JSGenericTypedArrayView.h:
1683         * runtime/JSGenericTypedArrayViewInlines.h:
1684         (JSC::::setWithSpecificType):
1685         (JSC::::set):
1686         (JSC::::existingBuffer):
1687
1688 2013-08-23  Alex Christensen  <achristensen@apple.com>
1689
1690         Re-separating Win32 and Win64 builds.
1691         https://bugs.webkit.org/show_bug.cgi?id=120178
1692
1693         Reviewed by Brent Fulgham.
1694
1695         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1696         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1697         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1698         Pass PlatformArchitecture as a command line parameter to bash scripts.
1699         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
1700         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
1701         * JavaScriptCore.vcxproj/build-generated-files.sh:
1702         Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).
1703
1704 2013-08-22  Filip Pizlo  <fpizlo@apple.com>
1705
1706         build-jsc --ftl-jit should work
1707         https://bugs.webkit.org/show_bug.cgi?id=120194
1708
1709         Reviewed by Oliver Hunt.
1710
1711         * Configurations/Base.xcconfig: CPPFLAGS should include FEATURE_DEFINES
1712         * Configurations/JSC.xcconfig: The 'jsc' tool includes headers where field layout may depend on FEATURE_DEFINES
1713         * Configurations/ToolExecutable.xcconfig: All other tools include headers where field layout may depend on FEATURE_DEFINES
1714         * ftl/FTLLowerDFGToLLVM.cpp: Build fix
1715         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
1716         (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
1717
1718 2013-08-23  Oliver Hunt  <oliver@apple.com>
1719
1720         Re-sort xcode project file
1721
1722         * JavaScriptCore.xcodeproj/project.pbxproj:
1723
1724 2013-08-23  Oliver Hunt  <oliver@apple.com>
1725
1726         Support in memory compression of rarely used data
1727         https://bugs.webkit.org/show_bug.cgi?id=120143
1728
1729         Reviewed by Gavin Barraclough.
1730
1731         Include zlib in LD_FLAGS and make UnlinkedCodeBlock make use of CompressibleVector.  This saves ~200k on google maps.
1732
1733         * Configurations/JavaScriptCore.xcconfig:
1734         * bytecode/UnlinkedCodeBlock.cpp:
1735         (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset):
1736         (JSC::UnlinkedCodeBlock::addExpressionInfo):
1737         * bytecode/UnlinkedCodeBlock.h:
1738
1739 2013-08-22  Mark Hahnenberg  <mhahnenberg@apple.com>
1740
1741         JSObject and JSArray code shouldn't have to tiptoe around garbage collection
1742         https://bugs.webkit.org/show_bug.cgi?id=120179
1743
1744         Reviewed by Geoffrey Garen.
1745
1746         There are many places in the code for JSObject and JSArray where they are manipulating their 
1747         Butterfly/Structure, e.g. after expanding their out-of-line backing storage via allocating. Within 
1748         these places there are certain "critical sections" where a GC would be disastrous. Gen GC looks 
1749         like it will make this dance even more intricate. To make everybody's lives easier we should use 
1750         the DeferGC mechanism in these functions to make these GC critical sections both obvious in the 
1751         code and trivially safe. Deferring collections will usually only last marginally longer, thus we 
1752         should not incur any additional overhead.
1753
1754         * heap/Heap.h:
1755         * runtime/JSArray.cpp:
1756         (JSC::JSArray::unshiftCountSlowCase):
1757         * runtime/JSObject.cpp:
1758         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
1759         (JSC::JSObject::createInitialUndecided):
1760         (JSC::JSObject::createInitialInt32):
1761         (JSC::JSObject::createInitialDouble):
1762         (JSC::JSObject::createInitialContiguous):
1763         (JSC::JSObject::createArrayStorage):
1764         (JSC::JSObject::convertUndecidedToArrayStorage):
1765         (JSC::JSObject::convertInt32ToArrayStorage):
1766         (JSC::JSObject::convertDoubleToArrayStorage):
1767         (JSC::JSObject::convertContiguousToArrayStorage):
1768         (JSC::JSObject::increaseVectorLength):
1769         (JSC::JSObject::ensureLengthSlow):
1770         * runtime/JSObject.h:
1771         (JSC::JSObject::putDirectInternal):
1772         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
1773         (JSC::JSObject::putDirectWithoutTransition):
1774
1775 2013-08-22  Filip Pizlo  <fpizlo@apple.com>
1776
1777         Update LLVM binary drops and scripts to the latest version from SVN
1778         https://bugs.webkit.org/show_bug.cgi?id=120184
1779
1780         Reviewed by Mark Hahnenberg.
1781
1782         * dfg/DFGPlan.cpp:
1783         (JSC::DFG::Plan::compileInThreadImpl):
1784
1785 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
1786
1787         Don't leak registers for redeclared variables
1788         https://bugs.webkit.org/show_bug.cgi?id=120174
1789
1790         Reviewed by Geoff Garen.
1791
1792         We currently always allocate registers for new global variables, but these are wasted when the variable is being redeclared.
1793         Only allocate new registers when necessary.
1794
1795         No performance impact.
1796
1797         * interpreter/Interpreter.cpp:
1798         (JSC::Interpreter::execute):
1799         * runtime/Executable.cpp:
1800         (JSC::ProgramExecutable::initializeGlobalProperties):
1801             - Don't allocate the register here.
1802         * runtime/JSGlobalObject.cpp:
1803         (JSC::JSGlobalObject::addGlobalVar):
1804             - Allocate the register here instead.
1805
1806 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
1807
1808         https://bugs.webkit.org/show_bug.cgi?id=120128
1809         Remove putDirectVirtual
1810
1811         Unreviewed, checked in commented out code. :-(
1812
1813         * interpreter/Interpreter.cpp:
1814         (JSC::Interpreter::execute):
1815             - delete commented out code
1816
1817 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
1818
1819         Error.stack should not be enumerable
1820         https://bugs.webkit.org/show_bug.cgi?id=120171
1821
1822         Reviewed by Oliver Hunt.
1823
1824         Breaks ECMA tests.
1825
1826         * runtime/ErrorInstance.cpp:
1827         (JSC::ErrorInstance::finishCreation):
1828             - None -> DontEnum
1829
1830 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1831
1832         https://bugs.webkit.org/show_bug.cgi?id=120128
1833         Remove putDirectVirtual
1834
1835         Reviewed by Sam Weinig.
1836
1837         This could most generously be described as 'vestigial'.
1838         No performance impact.
1839
1840         * API/JSObjectRef.cpp:
1841         (JSObjectSetProperty):
1842             - changed to use defineOwnProperty
1843         * debugger/DebuggerActivation.cpp:
1844         * debugger/DebuggerActivation.h:
1845             - remove putDirectVirtual
1846         * interpreter/Interpreter.cpp:
1847         (JSC::Interpreter::execute):
1848             - changed to use defineOwnProperty
1849         * runtime/ClassInfo.h:
1850         * runtime/JSActivation.cpp:
1851         * runtime/JSActivation.h:
1852         * runtime/JSCell.cpp:
1853         * runtime/JSCell.h:
1854         * runtime/JSGlobalObject.cpp:
1855         * runtime/JSGlobalObject.h:
1856         * runtime/JSObject.cpp:
1857         * runtime/JSObject.h:
1858         * runtime/JSProxy.cpp:
1859         * runtime/JSProxy.h:
1860         * runtime/JSSymbolTableObject.cpp:
1861         * runtime/JSSymbolTableObject.h:
1862             - remove putDirectVirtual
1863         * runtime/PropertyDescriptor.h:
1864         (JSC::PropertyDescriptor::PropertyDescriptor):
1865             - added constructor for convenience
1866
1867 2013-08-22  Chris Curtis  <chris_curtis@apple.com>
1868
1869         errorDescriptionForValue() should not assume error value is an Object
1870         https://bugs.webkit.org/show_bug.cgi?id=119812
1871
1872         Reviewed by Geoffrey Garen.
1873
1874         Added a check to make sure that the JSValue was an object before casting it as an object. Also, in case the parameterized JSValue
1875         has no type, the function now returns the empty string. 
1876         * runtime/ExceptionHelpers.cpp:
1877         (JSC::errorDescriptionForValue):
1878
1879 2013-08-22  Julien Brianceau  <jbrianceau@nds.com>
1880
1881         Fix P_DFGOperation_EJS call for MIPS and ARM EABI.
1882         https://bugs.webkit.org/show_bug.cgi?id=120107
1883
1884         Reviewed by Yong Li.
1885
1886         EncodedJSValue parameters must be aligned to even registers for MIPS and ARM EABI.
1887
1888         * dfg/DFGSpeculativeJIT.h:
1889         (JSC::DFG::SpeculativeJIT::callOperation):
1890
1891 2013-08-21  Commit Queue  <commit-queue@webkit.org>
1892
1893         Unreviewed, rolling out r154416.
1894         http://trac.webkit.org/changeset/154416
1895         https://bugs.webkit.org/show_bug.cgi?id=120147
1896
1897         Broke Windows builds (Requested by rniwa on #webkit).
1898
1899         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1900         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1901         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
1902         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1903         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
1904         * JavaScriptCore.vcxproj/build-generated-files.sh:
1905
1906 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1907
1908         Clarify var/const/function declaration
1909         https://bugs.webkit.org/show_bug.cgi?id=120144
1910
1911         Reviewed by Sam Weinig.
1912
1913         Add methods to JSGlobalObject to declare vars, consts, and functions.
1914
1915         * runtime/Executable.cpp:
1916         (JSC::ProgramExecutable::initializeGlobalProperties):
1917         * runtime/Executable.h:
1918             - Moved declaration code to JSGlobalObject
1919         * runtime/JSGlobalObject.cpp:
1920         (JSC::JSGlobalObject::addGlobalVar):
1921             - internal implementation of addVar, addConst, addFunction
1922         * runtime/JSGlobalObject.h:
1923         (JSC::JSGlobalObject::addVar):
1924         (JSC::JSGlobalObject::addConst):
1925         (JSC::JSGlobalObject::addFunction):
1926             - Added methods to declare vars, consts, and functions
1927
1928 2013-08-21  Yi Shen  <max.hong.shen@gmail.com>
1929
1930         https://bugs.webkit.org/show_bug.cgi?id=119900
1931         Exception in global setter doesn't unwind correctly
1932
1933         Reviewed by Geoffrey Garen.
1934
1935         Call VM_THROW_EXCEPTION_AT_END in op_put_to_scope if the setter throws an exception.
1936
1937         * jit/JITStubs.cpp:
1938         (JSC::DEFINE_STUB_FUNCTION):
1939
1940 2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>
1941
1942         Rename/refactor setButterfly/setStructure
1943         https://bugs.webkit.org/show_bug.cgi?id=120138
1944
1945         Reviewed by Geoffrey Garen.
1946
1947         setButterfly becomes setStructureAndButterfly.
1948
1949         Also removed the Butterfly* argument from setStructure and just implicitly
1950         used m_butterfly internally since that's what every single client of setStructure
1951         was doing already.
1952
1953         * jit/JITStubs.cpp:
1954         (JSC::DEFINE_STUB_FUNCTION):
1955         * runtime/JSObject.cpp:
1956         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
1957         (JSC::JSObject::createInitialUndecided):
1958         (JSC::JSObject::createInitialInt32):
1959         (JSC::JSObject::createInitialDouble):
1960         (JSC::JSObject::createInitialContiguous):
1961         (JSC::JSObject::createArrayStorage):
1962         (JSC::JSObject::convertUndecidedToInt32):
1963         (JSC::JSObject::convertUndecidedToDouble):
1964         (JSC::JSObject::convertUndecidedToContiguous):
1965         (JSC::JSObject::convertUndecidedToArrayStorage):
1966         (JSC::JSObject::convertInt32ToDouble):
1967         (JSC::JSObject::convertInt32ToContiguous):
1968         (JSC::JSObject::convertInt32ToArrayStorage):
1969         (JSC::JSObject::genericConvertDoubleToContiguous):
1970         (JSC::JSObject::convertDoubleToArrayStorage):
1971         (JSC::JSObject::convertContiguousToArrayStorage):
1972         (JSC::JSObject::switchToSlowPutArrayStorage):
1973         (JSC::JSObject::setPrototype):
1974         (JSC::JSObject::putDirectAccessor):
1975         (JSC::JSObject::seal):
1976         (JSC::JSObject::freeze):
1977         (JSC::JSObject::preventExtensions):
1978         (JSC::JSObject::reifyStaticFunctionsForDelete):
1979         (JSC::JSObject::removeDirect):
1980         * runtime/JSObject.h:
1981         (JSC::JSObject::setStructureAndButterfly):
1982         (JSC::JSObject::setStructure):
1983         (JSC::JSObject::putDirectInternal):
1984         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
1985         (JSC::JSObject::putDirectWithoutTransition):
1986         * runtime/Structure.cpp:
1987         (JSC::Structure::flattenDictionaryStructure):
1988
1989 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1990
1991         https://bugs.webkit.org/show_bug.cgi?id=120127
1992         Remove JSObject::propertyIsEnumerable
1993
1994         Unreviewed typo fix
1995
1996         * runtime/JSObject.h:
1997             - fix typo
1998
1999 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
2000
2001         https://bugs.webkit.org/show_bug.cgi?id=120139
2002         PropertyDescriptor argument to define methods should be const
2003
2004         Rubber stamped by Sam Weinig.
2005
2006         This should never be modified, and this way we can use rvalues.
2007
2008         * debugger/DebuggerActivation.cpp:
2009         (JSC::DebuggerActivation::defineOwnProperty):
2010         * debugger/DebuggerActivation.h:
2011         * runtime/Arguments.cpp:
2012         (JSC::Arguments::defineOwnProperty):
2013         * runtime/Arguments.h:
2014         * runtime/ClassInfo.h:
2015         * runtime/JSArray.cpp:
2016         (JSC::JSArray::defineOwnProperty):
2017         * runtime/JSArray.h:
2018         * runtime/JSArrayBuffer.cpp:
2019         (JSC::JSArrayBuffer::defineOwnProperty):
2020         * runtime/JSArrayBuffer.h:
2021         * runtime/JSArrayBufferView.cpp:
2022         (JSC::JSArrayBufferView::defineOwnProperty):
2023         * runtime/JSArrayBufferView.h:
2024         * runtime/JSCell.cpp:
2025         (JSC::JSCell::defineOwnProperty):
2026         * runtime/JSCell.h:
2027         * runtime/JSFunction.cpp:
2028         (JSC::JSFunction::defineOwnProperty):
2029         * runtime/JSFunction.h:
2030         * runtime/JSGenericTypedArrayView.h:
2031         * runtime/JSGenericTypedArrayViewInlines.h:
2032         (JSC::::defineOwnProperty):
2033         * runtime/JSGlobalObject.cpp:
2034         (JSC::JSGlobalObject::defineOwnProperty):
2035         * runtime/JSGlobalObject.h:
2036         * runtime/JSObject.cpp:
2037         (JSC::JSObject::putIndexedDescriptor):
2038         (JSC::JSObject::defineOwnIndexedProperty):
2039         (JSC::putDescriptor):
2040         (JSC::JSObject::defineOwnNonIndexProperty):
2041         (JSC::JSObject::defineOwnProperty):
2042         * runtime/JSObject.h:
2043         * runtime/JSProxy.cpp:
2044         (JSC::JSProxy::defineOwnProperty):
2045         * runtime/JSProxy.h:
2046         * runtime/RegExpMatchesArray.h:
2047         (JSC::RegExpMatchesArray::defineOwnProperty):
2048         * runtime/RegExpObject.cpp:
2049         (JSC::RegExpObject::defineOwnProperty):
2050         * runtime/RegExpObject.h:
2051         * runtime/StringObject.cpp:
2052         (JSC::StringObject::defineOwnProperty):
2053         * runtime/StringObject.h:
2054             - make PropertyDescriptor const
2055
2056 2013-08-21  Filip Pizlo  <fpizlo@apple.com>
2057
2058         REGRESSION: Crash under JITCompiler::link while loading Gmail
2059         https://bugs.webkit.org/show_bug.cgi?id=119872
2060
2061         Reviewed by Mark Hahnenberg.
2062         
2063         Apparently, unsigned + signed = unsigned. Work around it with a cast.
2064
2065         * dfg/DFGByteCodeParser.cpp:
2066         (JSC::DFG::ByteCodeParser::parseBlock):
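
The promotion rule this entry relies on, shown in a constructed C example that is added here and is not JSC code: `pc`, `relative_offset` and the stream length are assumptions standing in for a bytecode index and a signed branch offset.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example (not JSC code): a branch instruction at bytecode
 * index `pc` carries a signed relative offset. The index is unsigned, as
 * indices usually are; the offset is signed because loops branch backwards. */

/* As written: the usual arithmetic conversions turn the `int` operand into
 * `unsigned` before the addition, so a negative sum wraps modulo 2^32.
 * Storing the result in a wider signed type does not recover the sign; the
 * wrapped 32-bit value is simply zero-extended. */
static int64_t target_as_written(unsigned pc, int relative_offset)
{
    return pc + relative_offset;
}

/* Worked around with a cast, as the entry describes: the addition is now
 * done in `int`, so the sign survives and a range check can reject a target
 * that falls before the start of the stream. */
static int64_t target_with_cast(unsigned pc, int relative_offset)
{
    return (int)pc + relative_offset;
}

/* 1 if `target` lies inside a stream of `length` instructions, else 0.
 * Both variants fail this check for a negative sum, but only the cast
 * variant produces a value that says why (it is below zero). */
static int target_in_range(int64_t target, unsigned length)
{
    return target >= 0 && target < (int64_t)length;
}

/* 1 when the branch goes backwards (a loop), 0 when it goes forwards.
 * With the unsigned arithmetic a negative sum is misclassified as a
 * forward branch far past the end of the stream. */
static int is_backward_branch(int64_t target, unsigned pc)
{
    return target < (int64_t)pc;
}

int main(void)
{
    unsigned pc = 2;   /* constructed: branch sits at index 2 */
    int off = -5;      /* constructed: offset points before index 0 */
    printf("as written: %lld\n", (long long)target_as_written(pc, off));
    printf("with cast : %lld\n", (long long)target_with_cast(pc, off));
    return 0;
}
```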
2067
2068 2013-08-21  Alex Christensen  <achristensen@apple.com>
2069
2070         <https://webkit.org/b/120137> Separating Win32 and Win64 builds.
2071
2072         Reviewed by Brent Fulgham.
2073
2074         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
2075         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
2076         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
2077         Pass PlatformArchitecture as a command line parameter to bash scripts.
2078         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
2079         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
2080         * JavaScriptCore.vcxproj/build-generated-files.sh:
2081         Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).
2082
2083 2013-08-21  Filip Pizlo  <fpizlo@apple.com>
2084
2085         Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView
2086         https://bugs.webkit.org/show_bug.cgi?id=120099
2087
2088         Reviewed by Mark Hahnenberg.
2089         
2090         JSDataView should not store the ArrayBuffer* in the butterfly indexing header, since
2091         JSDataView may have ordinary JS indexed properties.
2092
2093         * runtime/ClassInfo.h:
2094         * runtime/JSArrayBufferView.cpp:
2095         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2096         (JSC::JSArrayBufferView::finishCreation):
2097         * runtime/JSArrayBufferView.h:
2098         (JSC::hasArrayBuffer):
2099         * runtime/JSArrayBufferViewInlines.h:
2100         (JSC::JSArrayBufferView::buffer):
2101         (JSC::JSArrayBufferView::neuter):
2102         (JSC::JSArrayBufferView::byteOffset):
2103         * runtime/JSCell.cpp:
2104         (JSC::JSCell::slowDownAndWasteMemory):
2105         * runtime/JSCell.h:
2106         * runtime/JSDataView.cpp:
2107         (JSC::JSDataView::JSDataView):
2108         (JSC::JSDataView::create):
2109         (JSC::JSDataView::slowDownAndWasteMemory):
2110         * runtime/JSDataView.h:
2111         (JSC::JSDataView::buffer):
2112         * runtime/JSGenericTypedArrayView.h:
2113         * runtime/JSGenericTypedArrayViewInlines.h:
2114         (JSC::::visitChildren):
2115         (JSC::::slowDownAndWasteMemory):
2116
2117 2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>
2118
2119         Remove incorrect ASSERT from CopyVisitor::visitItem
2120
2121         Rubber stamped by Filip Pizlo.
2122
2123         * heap/CopyVisitorInlines.h:
2124         (JSC::CopyVisitor::visitItem):
2125
2126 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
2127
2128         https://bugs.webkit.org/show_bug.cgi?id=120127
2129         Remove JSObject::propertyIsEnumerable
2130
2131         Reviewed by Sam Weinig.
2132
2133         This method is just a wart - it contains unnecessary const-casting, function call overhead, and LOC.
2134
2135         * runtime/JSObject.cpp:
2136         * runtime/JSObject.h:
2137             - remove propertyIsEnumerable
2138         * runtime/ObjectPrototype.cpp:
2139         (JSC::objectProtoFuncPropertyIsEnumerable):
2140             - Move implementation here using getOwnPropertyDescriptor directly.
2141
2142 2013-08-20  Filip Pizlo  <fpizlo@apple.com>
2143
2144         DFG should inline new typedArray()
2145         https://bugs.webkit.org/show_bug.cgi?id=120022
2146
2147         Reviewed by Oliver Hunt.
2148         
2149         Adds inlining of typed array allocations in the DFG. Any operation of the
2150         form:
2151         
2152             new foo(blah)
2153         
2154         or:
2155         
2156             foo(blah)
2157         
2158         where 'foo' is a typed array constructor and 'blah' is exactly one argument,
2159         is turned into the NewTypedArray intrinsic. Later, if child1 (i.e. 'blah')
2160         is predicted integer, we generate inline code for an allocation. Otherwise
2161         it turns into a call to an operation that behaves like the constructor would
2162         if it was passed one argument (i.e. it may wrap a buffer or it may create a
2163         copy of another array, or it may allocate an array of that length).
2164
2165         * bytecode/SpeculatedType.cpp:
2166         (JSC::speculationFromTypedArrayType):
2167         (JSC::speculationFromClassInfo):
2168         * bytecode/SpeculatedType.h:
2169         * dfg/DFGAbstractInterpreterInlines.h:
2170         (JSC::DFG::::executeEffects):
2171         * dfg/DFGBackwardsPropagationPhase.cpp:
2172         (JSC::DFG::BackwardsPropagationPhase::propagate):
2173         * dfg/DFGByteCodeParser.cpp:
2174         (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
2175         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2176         * dfg/DFGCCallHelpers.h:
2177         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
2178         * dfg/DFGCSEPhase.cpp:
2179         (JSC::DFG::CSEPhase::putStructureStoreElimination):
2180         * dfg/DFGClobberize.h:
2181         (JSC::DFG::clobberize):
2182         * dfg/DFGFixupPhase.cpp:
2183         (JSC::DFG::FixupPhase::fixupNode):
2184         * dfg/DFGGraph.cpp:
2185         (JSC::DFG::Graph::dump):
2186         * dfg/DFGNode.h:
2187         (JSC::DFG::Node::hasTypedArrayType):
2188         (JSC::DFG::Node::typedArrayType):
2189         * dfg/DFGNodeType.h:
2190         * dfg/DFGOperations.cpp:
2191         (JSC::DFG::newTypedArrayWithSize):
2192         (JSC::DFG::newTypedArrayWithOneArgument):
2193         * dfg/DFGOperations.h:
2194         (JSC::DFG::operationNewTypedArrayWithSizeForType):
2195         (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
2196         * dfg/DFGPredictionPropagationPhase.cpp:
2197         (JSC::DFG::PredictionPropagationPhase::propagate):
2198         * dfg/DFGSafeToExecute.h:
2199         (JSC::DFG::safeToExecute):
2200         * dfg/DFGSpeculativeJIT.cpp:
2201         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
2202         * dfg/DFGSpeculativeJIT.h:
2203         (JSC::DFG::SpeculativeJIT::callOperation):
2204         * dfg/DFGSpeculativeJIT32_64.cpp:
2205         (JSC::DFG::SpeculativeJIT::compile):
2206         * dfg/DFGSpeculativeJIT64.cpp:
2207         (JSC::DFG::SpeculativeJIT::compile):
2208         * jit/JITOpcodes.cpp:
2209         (JSC::JIT::emit_op_new_object):
2210         * jit/JITOpcodes32_64.cpp:
2211         (JSC::JIT::emit_op_new_object):
2212         * runtime/JSArray.h:
2213         (JSC::JSArray::allocationSize):
2214         * runtime/JSArrayBufferView.h:
2215         (JSC::JSArrayBufferView::allocationSize):
2216         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2217         (JSC::constructGenericTypedArrayView):
2218         * runtime/JSObject.h:
2219         (JSC::JSFinalObject::allocationSize):
2220         * runtime/TypedArrayType.cpp:
2221         (JSC::constructorClassInfoForType):
2222         * runtime/TypedArrayType.h:
2223         (JSC::indexToTypedArrayType):
2224
2225 2013-08-21  Julien Brianceau  <jbrianceau@nds.com>
2226
2227         <https://webkit.org/b/120106> Fix V_DFGOperation_EJPP signature in DFG.
2228
2229         Reviewed by Geoffrey Garen.
2230
2231         * dfg/DFGOperations.h:
2232
2233 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
2234
2235         https://bugs.webkit.org/show_bug.cgi?id=120093
2236         Remove getOwnPropertyDescriptor trap
2237
2238         Reviewed by Geoff Garen.
2239
2240         All implementations of this method are now called via the method table, and equivalent in behaviour.
2241         Remove all duplicate implementations (and the method table trap), and add a single member function implementation on JSObject.
2242
2243         * API/JSCallbackObject.h:
2244         * API/JSCallbackObjectFunctions.h:
2245         * debugger/DebuggerActivation.cpp:
2246         * debugger/DebuggerActivation.h:
2247         * runtime/Arguments.cpp:
2248         * runtime/Arguments.h:
2249         * runtime/ArrayConstructor.cpp:
2250         * runtime/ArrayConstructor.h:
2251         * runtime/ArrayPrototype.cpp:
2252         * runtime/ArrayPrototype.h:
2253         * runtime/BooleanPrototype.cpp:
2254         * runtime/BooleanPrototype.h:
2255             - remove getOwnPropertyDescriptor
2256         * runtime/ClassInfo.h:
2257             - remove getOwnPropertyDescriptor from MethodTable
2258         * runtime/DateConstructor.cpp:
2259         * runtime/DateConstructor.h:
2260         * runtime/DatePrototype.cpp:
2261         * runtime/DatePrototype.h:
2262         * runtime/ErrorPrototype.cpp:
2263         * runtime/ErrorPrototype.h:
2264         * runtime/JSActivation.cpp:
2265         * runtime/JSActivation.h:
2266         * runtime/JSArray.cpp:
2267         * runtime/JSArray.h:
2268         * runtime/JSArrayBuffer.cpp:
2269         * runtime/JSArrayBuffer.h:
2270         * runtime/JSArrayBufferView.cpp:
2271         * runtime/JSArrayBufferView.h:
2272         * runtime/JSCell.cpp:
2273         * runtime/JSCell.h:
2274         * runtime/JSDataView.cpp:
2275         * runtime/JSDataView.h:
2276         * runtime/JSDataViewPrototype.cpp:
2277         * runtime/JSDataViewPrototype.h:
2278         * runtime/JSFunction.cpp:
2279         * runtime/JSFunction.h:
2280         * runtime/JSGenericTypedArrayView.h:
2281         * runtime/JSGenericTypedArrayViewInlines.h:
2282         * runtime/JSGlobalObject.cpp:
2283         * runtime/JSGlobalObject.h:
2284         * runtime/JSNotAnObject.cpp:
2285         * runtime/JSNotAnObject.h:
2286         * runtime/JSONObject.cpp:
2287         * runtime/JSONObject.h:
2288             - remove getOwnPropertyDescriptor
2289         * runtime/JSObject.cpp:
2290         (JSC::JSObject::propertyIsEnumerable):
2291             - switch to call new getOwnPropertyDescriptor member function
2292         (JSC::JSObject::getOwnPropertyDescriptor):
2293             - new, based on implementation from GET_OWN_PROPERTY_DESCRIPTOR_IMPL
2294         (JSC::JSObject::defineOwnNonIndexProperty):
2295             - switch to call new getOwnPropertyDescriptor member function
2296         * runtime/JSObject.h:
2297         * runtime/JSProxy.cpp:
2298         * runtime/JSProxy.h:
2299         * runtime/NamePrototype.cpp:
2300         * runtime/NamePrototype.h:
2301         * runtime/NumberConstructor.cpp:
2302         * runtime/NumberConstructor.h:
2303         * runtime/NumberPrototype.cpp:
2304         * runtime/NumberPrototype.h:
2305             - remove getOwnPropertyDescriptor
2306         * runtime/ObjectConstructor.cpp:
2307         (JSC::objectConstructorGetOwnPropertyDescriptor):
2308         (JSC::objectConstructorSeal):
2309         (JSC::objectConstructorFreeze):
2310         (JSC::objectConstructorIsSealed):
2311         (JSC::objectConstructorIsFrozen):
2312             - switch to call new getOwnPropertyDescriptor member function
2313         * runtime/ObjectConstructor.h:
2314             - remove getOwnPropertyDescriptor
2315         * runtime/PropertyDescriptor.h:
2316             - remove GET_OWN_PROPERTY_DESCRIPTOR_IMPL
2317         * runtime/RegExpConstructor.cpp:
2318         * runtime/RegExpConstructor.h:
2319         * runtime/RegExpMatchesArray.cpp:
2320         * runtime/RegExpMatchesArray.h:
2321         * runtime/RegExpObject.cpp:
2322         * runtime/RegExpObject.h:
2323         * runtime/RegExpPrototype.cpp:
2324         * runtime/RegExpPrototype.h:
2325         * runtime/StringConstructor.cpp:
2326         * runtime/StringConstructor.h:
2327         * runtime/StringObject.cpp:
2328         * runtime/StringObject.h:
2329             - remove getOwnPropertyDescriptor
2330
2331 2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>
2332
2333         <https://webkit.org/b/120079> Flattening a dictionary can cause CopiedSpace corruption
2334
2335         Reviewed by Oliver Hunt.
2336
2337         When we flatten an object in dictionary mode, we compact its properties. If the object 
2338         had out-of-line storage in the form of a Butterfly prior to this compaction, and after 
2339         compaction its properties fit inline, the object's Structure "forgets" that the object 
2340         has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes 
2341         with bytes = 0, which causes all sorts of badness in CopiedSpace.
2342
2343         Instead, after we flatten a dictionary, if properties fit inline we should clear the 
2344         Butterfly pointer so that the GC doesn't get confused later.
2345
2346         This patch does this clearing, and it also adds JSObject::checkStructure, which overrides
2347         JSCell::checkStructure to add an ASSERT that makes sure that the Structure being assigned
2348         agrees with whether or not the object has a Butterfly. Also added an ASSERT to check
2349         that the number of bytes reported to SlotVisitor::copyLater is non-zero.
2350
2351         * heap/SlotVisitorInlines.h:
2352         (JSC::SlotVisitor::copyLater):
2353         * runtime/JSObject.cpp:
2354         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
2355         (JSC::JSObject::convertUndecidedToInt32):
2356         (JSC::JSObject::convertUndecidedToDouble):
2357         (JSC::JSObject::convertUndecidedToContiguous):
2358         (JSC::JSObject::convertInt32ToDouble):
2359         (JSC::JSObject::convertInt32ToContiguous):
2360         (JSC::JSObject::genericConvertDoubleToContiguous):
2361         (JSC::JSObject::switchToSlowPutArrayStorage):
2362         (JSC::JSObject::setPrototype):
2363         (JSC::JSObject::putDirectAccessor):
2364         (JSC::JSObject::seal):
2365         (JSC::JSObject::freeze):
2366         (JSC::JSObject::preventExtensions):
2367         (JSC::JSObject::reifyStaticFunctionsForDelete):
2368         (JSC::JSObject::removeDirect):
2369         * runtime/JSObject.h:
2370         (JSC::JSObject::setButterfly):
2371         (JSC::JSObject::putDirectInternal):
2372         (JSC::JSObject::setStructure):
2373         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
2374         * runtime/Structure.cpp:
2375         (JSC::Structure::flattenDictionaryStructure):
2376
2377 2013-08-20  Alex Christensen  <achristensen@apple.com>
2378
2379         Compile fix for Win64 after r154156.
2380
2381         Rubber stamped by Oliver Hunt.
2382
2383         * jit/JITStubsMSVC64.asm:
2384         Renamed ctiVMThrowTrampolineSlowpath to ctiVMHandleException and
2385         cti_vm_throw_slowpath to cti_vm_handle_exception.
2386
2387 2013-08-20  Alex Christensen  <achristensen@apple.com>
2388
2389         <https://webkit.org/b/120076> More work towards a Win64 build
2390
2391         Reviewed by Brent Fulgham.
2392
2393         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
2394         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
2395         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
2396         * JavaScriptCore.vcxproj/copy-files.cmd:
2397         * JavaScriptCore.vcxproj/jsc/jscCommon.props:
2398         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
2399         Use PlatformArchitecture macro instead of bin32, lib32, and obj32.
2400
2401 2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>
2402
2403         <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
2404
2405         Reviewed by Geoffrey Garen.
2406
2407         More fixes for WriteBarrier deferral during concurrent JIT-ing. This patch makes the use of DesiredWriteBarriers class and the 
2408         initializeLazyWriteBarrierFor* wrapper functions more sane. 
2409
2410         Refactored DesiredWriteBarrier to require an owner, a type, a CodeBlock, and an index. The type indicates how to use the CodeBlock
2411         and index when triggering the WriteBarrier at the end of compilation. 
2412
2413         The client code of initializeLazy* is now responsible for creating the WriteBarrier that will be initialized as well as passing
2414         in the relevant index to be used at the end of compilation. Things were kind of muddled before in that one function did a 
2415         little extra work that really shouldn't have been its responsibility.
2416
2417         * dfg/DFGByteCodeParser.cpp:
2418         (JSC::DFG::ByteCodeParser::addConstant):
2419         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2420         * dfg/DFGDesiredWriteBarriers.cpp:
2421         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
2422         (JSC::DFG::DesiredWriteBarrier::trigger):
2423         * dfg/DFGDesiredWriteBarriers.h:
2424         (JSC::DFG::DesiredWriteBarriers::add):
2425         (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameExecutable):
2426         (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameCallee):
2427         (JSC::DFG::initializeLazyWriteBarrierForConstant):
2428         * dfg/DFGFixupPhase.cpp:
2429         (JSC::DFG::FixupPhase::truncateConstantToInt32):
2430         * dfg/DFGGraph.h:
2431         (JSC::DFG::Graph::constantRegisterForConstant):
2432
2433 2013-08-20  Michael Saboff  <msaboff@apple.com>
2434
2435         https://bugs.webkit.org/show_bug.cgi?id=120075
2436         REGRESSION (r128400): BBC4 website not displaying pictures
2437
2438         Reviewed by Oliver Hunt.
2439
2440         * runtime/RegExpMatchesArray.h:
2441         (JSC::RegExpMatchesArray::createStructure): Changed the array IndexingType to be ArrayWithSlowPutArrayStorage
2442         so that the match results will be reified before any other modification to the results array.
2443
2444 2013-08-19  Filip Pizlo  <fpizlo@apple.com>
2445
2446         Incorrect behavior on emscripten-compiled cube2hash
2447         https://bugs.webkit.org/show_bug.cgi?id=120033
2448
2449         Reviewed by Mark Hahnenberg.
2450         
2451         If PutClosureVar is may-aliased to another PutClosureVar or GetClosureVar
2452         then we should bail attempts to CSE.
2453
2454         * dfg/DFGCSEPhase.cpp:
2455         (JSC::DFG::CSEPhase::scopedVarLoadElimination):
2456         (JSC::DFG::CSEPhase::scopedVarStoreElimination):
2457
2458 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
2459
2460         https://bugs.webkit.org/show_bug.cgi?id=120073
2461         Remove use of GOPD from JSFunction::defineProperty
2462
2463         Reviewed by Oliver Hunt.
2464
2465         Call getOwnPropertySlot to check for existing properties instead.
2466
2467         * runtime/JSFunction.cpp:
2468         (JSC::JSFunction::defineOwnProperty):
2469             - getOwnPropertyDescriptor -> getOwnPropertySlot
2470
2471 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
2472
2473         https://bugs.webkit.org/show_bug.cgi?id=120067
2474         Remove getPropertyDescriptor
2475
2476         Reviewed by Oliver Hunt.
2477
2478         This is used by lookupGetter/lookupSetter - this can easily be replaced by getPropertySlot.
2479         Since we'll be getting the GetterSetter from the slot in the setter case, rename isGetter() to isAccessor().
2480
2481         * runtime/JSObject.cpp:
2482         * runtime/JSObject.h:
2483             - remove getPropertyDescriptor
2484         * runtime/ObjectPrototype.cpp:
2485         (JSC::objectProtoFuncLookupGetter):
2486         (JSC::objectProtoFuncLookupSetter):
2487             - replace call to getPropertyDescriptor with getPropertySlot
2488         * runtime/PropertyDescriptor.h:
2489         * runtime/PropertySlot.h:
2490         (JSC::PropertySlot::isAccessor):
2491         (JSC::PropertySlot::isCacheableGetter):
2492         (JSC::PropertySlot::getterSetter):
2493             - rename isGetter() to isAccessor()
2494
2495 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
2496
2497         https://bugs.webkit.org/show_bug.cgi?id=120054
2498         Remove some dead code following getOwnPropertyDescriptor cleanup
2499
2500         Reviewed by Oliver Hunt.
2501
2502         * runtime/Lookup.h:
2503         (JSC::getStaticFunctionSlot):
2504             - remove getStaticPropertyDescriptor, getStaticFunctionDescriptor, getStaticValueDescriptor.
2505
2506 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
2507
2508         https://bugs.webkit.org/show_bug.cgi?id=120052
2509         Remove custom getOwnPropertyDescriptor for JSProxy
2510
2511         Reviewed by Geoff Garen.
2512
2513         GET_OWN_PROPERTY_DESCRIPTOR_IMPL runs afoul with JSProxy due to the workaround for JSDOMWindow's broken behavior.
2514         Because the window object incorrectly searches the prototype chain in getOwnPropertySlot we check that the base
2515         object matches, but in the case of JSProxy we can end up comparing the window object to the window shell & falsely
2516         assuming this is a prototype property. Add toThis conversion to correctly identify proxied own access. I've kept
2517         the original slotBase check as a fast case, and also so that direct access on JSDOMWindow still works.
2518
2519         * runtime/JSProxy.cpp:
2520             - Remove custom getOwnPropertyDescriptor implementation.
2521         * runtime/PropertyDescriptor.h:
2522             - Modify own property access check to perform toThis conversion.
2523
2524 2013-08-20  Alex Christensen  <achristensen@apple.com>
2525
2526         Use PlatformArchitecture to distinguish between 32-bit and 64-bit builds on Windows.
2527         https://bugs.webkit.org/show_bug.cgi?id=119512
2528
2529         Reviewed by Brent Fulgham.
2530
2531         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2532         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2533         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
2534         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
2535         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
2536         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
2537         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
2538         Replaced obj32, bin32, and lib32 with macros for 64-bit build.
2539
2540 2013-08-20  Julien Brianceau  <jbrianceau@nds.com>
2541
2542         <https://webkit.org/b/120062> Missing ensureSpace call in sh4 baseline JIT.
2543
2544         Reviewed by Allan Sandfeld Jensen.
2545
2546         branchPtrWithPatch() of baseline JIT must ensure that space is available for its
2547         instructions and two constants now that DFG is enabled for the sh4 architecture.
2548         These missing ensureSpace calls lead to random crashes.
2549
2550         * assembler/MacroAssemblerSH4.h:
2551         (JSC::MacroAssemblerSH4::branchPtrWithPatch):
2552
2553 2013-08-19  Gavin Barraclough  <barraclough@apple.com>
2554
2555         https://bugs.webkit.org/show_bug.cgi?id=120034
2556         Remove custom getOwnPropertyDescriptor for global objects
2557
2558         Reviewed by Geoff Garen.
2559
2560         Fix attributes of JSC SymbolTableObject entries, ensure that cross frame access is safe, and suppress prototype chain walk.
2561
2562         * runtime/JSGlobalObject.cpp:
2563             - Remove custom getOwnPropertyDescriptor implementation.
2564         * runtime/JSSymbolTableObject.h:
2565         (JSC::symbolTableGet):
2566             - The symbol table does not store the DontDelete attribute; we should be adding it back in.
2567         * runtime/PropertyDescriptor.h:
2568             - JSDOMWindow walks the prototype chain on own access. This is bad, but for now workaround for the getOwnPropertyDescriptor case.
2569         * runtime/PropertySlot.h:
2570         (JSC::PropertySlot::setUndefined):
2571             - This is used by WebCore when blocking access to properties on cross-frame access.
2572               Mark blocked properties as read-only, non-configurable to prevent defineProperty.
2573
2574 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
2575
2576         DFG should inline typedArray.byteOffset
2577         https://bugs.webkit.org/show_bug.cgi?id=119962
2578
2579         Reviewed by Oliver Hunt.
2580         
2581         This adds a new node, GetTypedArrayByteOffset, which inlines
2582         typedArray.byteOffset.
2583         
2584         Also, I improved a bunch of the clobbering logic related to typed arrays
2585         and clobbering in general. For example, PutByOffset/PutStructure are not
2586         clobber-world so they can be handled by most default cases in CSE. Also,
2587         it's better to use the 'Class_field' notation for typed arrays now that
2588         they no longer involve magical descriptor thingies.
2589
2590         * bytecode/SpeculatedType.h:
2591         * dfg/DFGAbstractHeap.h:
2592         * dfg/DFGAbstractInterpreterInlines.h:
2593         (JSC::DFG::::executeEffects):
2594         * dfg/DFGArrayMode.h:
2595         (JSC::DFG::neverNeedsStorage):
2596         * dfg/DFGCSEPhase.cpp:
2597         (JSC::DFG::CSEPhase::getByValLoadElimination):
2598         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
2599         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
2600         (JSC::DFG::CSEPhase::checkArrayElimination):
2601         (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
2602         (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination):
2603         (JSC::DFG::CSEPhase::performNodeCSE):
2604         * dfg/DFGClobberize.h:
2605         (JSC::DFG::clobberize):
2606         * dfg/DFGFixupPhase.cpp:
2607         (JSC::DFG::FixupPhase::fixupNode):
2608         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
2609         (JSC::DFG::FixupPhase::convertToGetArrayLength):
2610         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
2611         * dfg/DFGNodeType.h:
2612         * dfg/DFGPredictionPropagationPhase.cpp:
2613         (JSC::DFG::PredictionPropagationPhase::propagate):
2614         * dfg/DFGSafeToExecute.h:
2615         (JSC::DFG::safeToExecute):
2616         * dfg/DFGSpeculativeJIT.cpp:
2617         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
2618         * dfg/DFGSpeculativeJIT.h:
2619         * dfg/DFGSpeculativeJIT32_64.cpp:
2620         (JSC::DFG::SpeculativeJIT::compile):
2621         * dfg/DFGSpeculativeJIT64.cpp:
2622         (JSC::DFG::SpeculativeJIT::compile):
2623         * dfg/DFGTypeCheckHoistingPhase.cpp:
2624         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2625         * runtime/ArrayBuffer.h:
2626         (JSC::ArrayBuffer::offsetOfData):
2627         * runtime/Butterfly.h:
2628         (JSC::Butterfly::offsetOfArrayBuffer):
2629         * runtime/IndexingHeader.h:
2630         (JSC::IndexingHeader::offsetOfArrayBuffer):
2631
2632 2013-08-18  Filip Pizlo  <fpizlo@apple.com>
2633
2634         <https://webkit.org/b/119994> DFG new Array() inlining could get confused about global objects
2635
2636         Reviewed by Geoffrey Garen.
2637
2638         * dfg/DFGByteCodeParser.cpp:
2639         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2640
2641 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
2642
2643         https://bugs.webkit.org/show_bug.cgi?id=119995
2644         Start removing custom implementations of getOwnPropertyDescriptor
2645
2646         Reviewed by Oliver Hunt.
2647
2648         This can now typically be implemented in terms of getOwnPropertySlot.
2649         Add a macro to PropertyDescriptor to define an implementation of GOPD in terms of GOPS.
2650         Switch over most classes in JSC & the WebCore bindings generator to use this.
2651
2652         * API/JSCallbackObjectFunctions.h:
2653         * debugger/DebuggerActivation.cpp:
2654         * runtime/Arguments.cpp:
2655         * runtime/ArrayConstructor.cpp:
2656         * runtime/ArrayPrototype.cpp:
2657         * runtime/BooleanPrototype.cpp:
2658         * runtime/DateConstructor.cpp:
2659         * runtime/DatePrototype.cpp:
2660         * runtime/ErrorPrototype.cpp:
2661         * runtime/JSActivation.cpp:
2662         * runtime/JSArray.cpp:
2663         * runtime/JSArrayBuffer.cpp:
2664         * runtime/JSArrayBufferView.cpp:
2665         * runtime/JSCell.cpp:
2666         * runtime/JSDataView.cpp:
2667         * runtime/JSDataViewPrototype.cpp:
2668         * runtime/JSFunction.cpp:
2669         * runtime/JSGenericTypedArrayViewInlines.h:
2670         * runtime/JSNotAnObject.cpp:
2671         * runtime/JSONObject.cpp:
2672         * runtime/JSObject.cpp:
2673         * runtime/NamePrototype.cpp:
2674         * runtime/NumberConstructor.cpp:
2675         * runtime/NumberPrototype.cpp:
2676         * runtime/ObjectConstructor.cpp:
2677             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
2678         * runtime/PropertyDescriptor.h:
2679             - Added GET_OWN_PROPERTY_DESCRIPTOR_IMPL macro.
2680         * runtime/PropertySlot.h:
2681         (JSC::PropertySlot::isValue):
2682         (JSC::PropertySlot::isGetter):
2683         (JSC::PropertySlot::isCustom):
2684         (JSC::PropertySlot::isCacheableValue):
2685         (JSC::PropertySlot::isCacheableGetter):
2686         (JSC::PropertySlot::isCacheableCustom):
2687         (JSC::PropertySlot::attributes):
2688         (JSC::PropertySlot::getterSetter):
2689             - Add accessors necessary to convert PropertySlot to descriptor.
2690         * runtime/RegExpConstructor.cpp:
2691         * runtime/RegExpMatchesArray.cpp:
2692         * runtime/RegExpMatchesArray.h:
2693         * runtime/RegExpObject.cpp:
2694         * runtime/RegExpPrototype.cpp:
2695         * runtime/StringConstructor.cpp:
2696         * runtime/StringObject.cpp:
2697             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
2698
2699 2013-08-19  Michael Saboff  <msaboff@apple.com>
2700
2701         https://bugs.webkit.org/show_bug.cgi?id=120015 DFG 32Bit: Crash loading "Classic" site @ translate.google.com
2702
2703         Reviewed by Sam Weinig.
2704
2705         * dfg/DFGSpeculativeJIT32_64.cpp:
2706         (JSC::DFG::SpeculativeJIT::fillSpeculateCell): Added checks for spillFormat being
2707         DataFormatInteger or DataFormatDouble similar to what is in the 64 bit code and in
2708         all versions of fillSpeculateBoolean().
2709
2710 2013-08-19  Michael Saboff  <msaboff@apple.com>
2711
2712         https://bugs.webkit.org/show_bug.cgi?id=120020 Change Set 154207 causes wrong register to be used for 32 bit tests
2713
2714         Reviewed by Benjamin Poulain.
2715
2716         Change branchTest32 to only use the byte for 8 bit test on the lower 4 registers.
2717         Registers 4 through 7 as byte registers are ah, ch, dh and bh instead of sp, bp, si and di.
2718
2719         * assembler/MacroAssemblerX86Common.h:
2720         (JSC::MacroAssemblerX86Common::branchTest32):
2721
2722 2013-08-16  Oliver Hunt  <oliver@apple.com>
2723
2724         <https://webkit.org/b/119860> Crash during exception unwinding
2725
2726         Reviewed by Filip Pizlo.
2727
2728         Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error
2729         to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node.
2730
2731         We need this so that Throw and ThrowReferenceError no longer need to be treated as
2732         terminals and the subsequent flush keeps the activation (and other registers) live.
2733
2734         * dfg/DFGAbstractInterpreterInlines.h:
2735         (JSC::DFG::::executeEffects):
2736         * dfg/DFGByteCodeParser.cpp:
2737         (JSC::DFG::ByteCodeParser::parseBlock):
2738         * dfg/DFGClobberize.h:
2739         (JSC::DFG::clobberize):
2740         * dfg/DFGFixupPhase.cpp:
2741         (JSC::DFG::FixupPhase::fixupNode):
2742         * dfg/DFGNode.h:
2743         (JSC::DFG::Node::isTerminal):
2744         * dfg/DFGNodeType.h:
2745         * dfg/DFGPredictionPropagationPhase.cpp:
2746         (JSC::DFG::PredictionPropagationPhase::propagate):
2747         * dfg/DFGSafeToExecute.h:
2748         (JSC::DFG::safeToExecute):
2749         * dfg/DFGSpeculativeJIT32_64.cpp:
2750         (JSC::DFG::SpeculativeJIT::compile):
2751         * dfg/DFGSpeculativeJIT64.cpp:
2752         (JSC::DFG::SpeculativeJIT::compile):
2753
2754 2013-08-19  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>
2755
2756         <https://webkit.org/b/120008> [GTK][ARM] javascriptcore compilation is broken
2757
2758         Reviewed by Oliver Hunt.
2759
2760         Guard the compilation of these files only if DFG_JIT is enabled.
2761
2762         * dfg/DFGDesiredTransitions.cpp:
2763         * dfg/DFGDesiredTransitions.h:
2764         * dfg/DFGDesiredWeakReferences.cpp:
2765         * dfg/DFGDesiredWeakReferences.h:
2766         * dfg/DFGDesiredWriteBarriers.cpp:
2767         * dfg/DFGDesiredWriteBarriers.h:
2768
2769 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
2770
2771         REGRESSION(r154218): DFG::FixupPhase no longer turns GetById's child1 into CellUse
2772         https://bugs.webkit.org/show_bug.cgi?id=119961
2773
2774         Reviewed by Mark Hahnenberg.
2775
2776         * dfg/DFGFixupPhase.cpp:
2777         (JSC::DFG::FixupPhase::fixupNode):
2778
2779 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
2780
2781         https://bugs.webkit.org/show_bug.cgi?id=119972
2782         Add attributes field to PropertySlot
2783
2784         Reviewed by Geoff Garen.
2785
2786         For all JSC types, this makes getOwnPropertyDescriptor redundant.
2787         There will be a bit more hacking required in WebCore to remove GOPD whilst maintaining current behaviour.
2788         (Current behaviour is in many ways broken, particularly in that GOPD & GOPS are inconsistent, but we should fix incrementally).
2789
2790         No performance impact.
2791
2792         * runtime/PropertySlot.h:
2793         (JSC::PropertySlot::setValue):
2794         (JSC::PropertySlot::setCustom):
2795         (JSC::PropertySlot::setCacheableCustom):
2796         (JSC::PropertySlot::setCustomIndex):
2797         (JSC::PropertySlot::setGetterSlot):
2798         (JSC::PropertySlot::setCacheableGetterSlot):
2799             - These methods now all require 'attributes'.
2800         * runtime/JSObject.h:
2801         (JSC::JSObject::getDirect):
2802         (JSC::JSObject::getDirectOffset):
2803         (JSC::JSObject::inlineGetOwnPropertySlot):
2804             - Added variants of getDirect, getDirectOffset that return the attributes.
2805         * API/JSCallbackObjectFunctions.h:
2806         (JSC::::getOwnPropertySlot):
2807         * runtime/Arguments.cpp:
2808         (JSC::Arguments::getOwnPropertySlotByIndex):
2809         (JSC::Arguments::getOwnPropertySlot):
2810         * runtime/JSActivation.cpp:
2811         (JSC::JSActivation::symbolTableGet):
2812         (JSC::JSActivation::getOwnPropertySlot):
2813         * runtime/JSArray.cpp:
2814         (JSC::JSArray::getOwnPropertySlot):
2815         * runtime/JSArrayBuffer.cpp:
2816         (JSC::JSArrayBuffer::getOwnPropertySlot):
2817         * runtime/JSArrayBufferView.cpp:
2818         (JSC::JSArrayBufferView::getOwnPropertySlot):
2819         * runtime/JSDataView.cpp:
2820         (JSC::JSDataView::getOwnPropertySlot):
2821         * runtime/JSFunction.cpp:
2822         (JSC::JSFunction::getOwnPropertySlot):
2823         * runtime/JSGenericTypedArrayViewInlines.h:
2824         (JSC::::getOwnPropertySlot):
2825         (JSC::::getOwnPropertySlotByIndex):
2826         * runtime/JSObject.cpp:
2827         (JSC::JSObject::getOwnPropertySlotByIndex):
2828         (JSC::JSObject::fillGetterPropertySlot):
2829         * runtime/JSString.h:
2830         (JSC::JSString::getStringPropertySlot):
2831         * runtime/JSSymbolTableObject.h:
2832         (JSC::symbolTableGet):
2833         * runtime/Lookup.cpp:
2834         (JSC::setUpStaticFunctionSlot):
2835         * runtime/Lookup.h:
2836         (JSC::getStaticPropertySlot):
2837         (JSC::getStaticPropertyDescriptor):
2838         (JSC::getStaticValueSlot):
2839         (JSC::getStaticValueDescriptor):
2840         * runtime/RegExpObject.cpp:
2841         (JSC::RegExpObject::getOwnPropertySlot):
2842         * runtime/SparseArrayValueMap.cpp:
2843         (JSC::SparseArrayEntry::get):
2844             - Pass attributes to PropertySlot::set* methods.
2845
2846 2013-08-17  Mark Hahnenberg  <mhahnenberg@apple.com>
2847
2848         <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
2849
2850         Reviewed by Filip Pizlo.
2851
2852         Added a new mode for DesiredWriteBarrier that allows it to track a position in a 
2853         Vector of WriteBarriers rather than the specific address. The fact that we were 
2854         arbitrarily storing into a Vector's backing store for constants at the end of 
2855         compilation after the Vector could have resized was causing crashes.
2856
2857         * bytecode/CodeBlock.h:
2858         (JSC::CodeBlock::constants):
2859         (JSC::CodeBlock::addConstantLazily):
2860         * dfg/DFGByteCodeParser.cpp:
2861         (JSC::DFG::ByteCodeParser::addConstant):
2862         * dfg/DFGDesiredWriteBarriers.cpp:
2863         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
2864         (JSC::DFG::DesiredWriteBarrier::trigger):
2865         (JSC::DFG::initializeLazyWriteBarrierForConstant):
2866         * dfg/DFGDesiredWriteBarriers.h:
2867         (JSC::DFG::DesiredWriteBarriers::add):
2868         * dfg/DFGFixupPhase.cpp:
2869         (JSC::DFG::FixupPhase::truncateConstantToInt32):
2870         * dfg/DFGGraph.h:
2871         (JSC::DFG::Graph::constantRegisterForConstant):
2872
2873 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
2874
2875         DFG should optimize typedArray.byteLength
2876         https://bugs.webkit.org/show_bug.cgi?id=119909
2877
2878         Reviewed by Oliver Hunt.
2879         
2880         This adds typedArray.byteLength inlining to the DFG, and does so without changing
2881         the IR: byteLength is turned into GetArrayLength followed by BitLShift. This is
2882         legal since the byteLength of a typed array cannot exceed
2883         numeric_limits<int32_t>::max().
2884
2885         * bytecode/SpeculatedType.cpp:
2886         (JSC::typedArrayTypeFromSpeculation):
2887         * bytecode/SpeculatedType.h:
2888         * dfg/DFGArrayMode.cpp:
2889         (JSC::DFG::toArrayType):
2890         * dfg/DFGArrayMode.h:
2891         * dfg/DFGFixupPhase.cpp:
2892         (JSC::DFG::FixupPhase::fixupNode):
2893         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
2894         (JSC::DFG::FixupPhase::attemptToMakeGetByteLength):
2895         (JSC::DFG::FixupPhase::convertToGetArrayLength):
2896         (JSC::DFG::FixupPhase::prependGetArrayLength):
2897         * dfg/DFGGraph.h:
2898         (JSC::DFG::Graph::constantRegisterForConstant):
2899         (JSC::DFG::Graph::convertToConstant):
2900         * runtime/TypedArrayType.h:
2901         (JSC::logElementSize):
2902         (JSC::elementSize):
2903
2904 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
2905
2906         DFG optimizes out strict mode arguments tear off
2907         https://bugs.webkit.org/show_bug.cgi?id=119504
2908
2909         Reviewed by Mark Hahnenberg and Oliver Hunt.
2910         
2911         Don't do the optimization for strict mode.
2912
2913         * dfg/DFGArgumentsSimplificationPhase.cpp:
2914         (JSC::DFG::ArgumentsSimplificationPhase::run):
2915         (JSC::DFG::ArgumentsSimplificationPhase::pruneObviousArgumentCreations):
2916
2917 2013-08-16  Benjamin Poulain  <benjamin@webkit.org>
2918
2919         [JSC] x86: improve code generation for xxxTest32
2920         https://bugs.webkit.org/show_bug.cgi?id=119876
2921
2922         Reviewed by Geoffrey Garen.
2923
2924         Try to use testb whenever possible when testing for an immediate value.
2925
2926         When the input is an address and an offset, we can tweak the mask
2927         and offset to be able to generate testb for any byte of the mask.
2928
2929         When the input is a register, we can use testb if we are only interested
2930         in testing the low bits.
2931
2932         * assembler/MacroAssemblerX86Common.h:
2933         (JSC::MacroAssemblerX86Common::branchTest32):
2934         (JSC::MacroAssemblerX86Common::test32):
2935         (JSC::MacroAssemblerX86Common::generateTest32):
2936
2937 2013-08-16  Mark Lam  <mark.lam@apple.com>
2938
2939         <https://bugs.webkit.org/show_bug.cgi?id=119913> Baseline JIT gives erroneous
2940         error message that an object is not a constructor though it expects a function
2941
2942         Reviewed by Michael Saboff.
2943
2944         * jit/JITStubs.cpp:
2945         (JSC::DEFINE_STUB_FUNCTION):
2946
2947 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
2948
2949         Object properties added using dot syntax (o.f = ...) from code that isn't in eval should be less likely to cause an object to become a dictionary
2950         https://bugs.webkit.org/show_bug.cgi?id=119897
2951
2952         Reviewed by Oliver Hunt.
2953         
2954         6-10x speed-up on microbenchmarks that create large static objects. 40-65% speed-up
2955         on Octane/gbemu. 3% overall speed-up on Octane. No slow-downs anywhere; our ability
2956         to turn objects into dictionaries when you're storing using bracket syntax or using
2957         eval is still in place.
2958
2959         * bytecode/CodeBlock.h:
2960         (JSC::CodeBlock::putByIdContext):
2961         * dfg/DFGOperations.cpp:
2962         * jit/JITStubs.cpp:
2963         (JSC::DEFINE_STUB_FUNCTION):
2964         * llint/LLIntSlowPaths.cpp:
2965         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2966         * runtime/JSObject.h:
2967         (JSC::JSObject::putDirectInternal):
2968         * runtime/PutPropertySlot.h:
2969         (JSC::PutPropertySlot::PutPropertySlot):
2970         (JSC::PutPropertySlot::context):
2971         * runtime/Structure.cpp:
2972         (JSC::Structure::addPropertyTransition):
2973         * runtime/Structure.h:
2974
2975 2013-08-16  Balazs Kilvady  <kilvadyb@homejinni.com>
2976
2977         <https://webkit.org/b/119742> REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException
2978
2979         Reviewed by Allan Sandfeld Jensen.
2980
2981         ctiVMHandleException must jump/return using register ra (r31).
2982
2983         * jit/JITStubsMIPS.h:
2984
2985 2013-08-16  Julien Brianceau  <jbrianceau@nds.com>
2986
2987         <https://webkit.org/b/119879> Fix sh4 build after r154156.
2988
2989         Reviewed by Allan Sandfeld Jensen.
2990
2991         Fix typo in JITStubsSH4.h file.
2992
2993         * jit/JITStubsSH4.h:
2994
2995 2013-08-15  Mark Hahnenberg  <mhahnenberg@apple.com>
2996
2997         <https://webkit.org/b/119833> Concurrent compilation thread should not trigger WriteBarriers
2998
2999         Reviewed by Oliver Hunt.
3000
3001         The concurrent compilation thread should interact minimally with the Heap, including not 
3002         triggering WriteBarriers. This is a prerequisite for generational GC.
3003
3004         * JavaScriptCore.xcodeproj/project.pbxproj:
3005         * bytecode/CodeBlock.cpp:
3006         (JSC::CodeBlock::addOrFindConstant):
3007         (JSC::CodeBlock::findConstant):
3008         * bytecode/CodeBlock.h:
3009         (JSC::CodeBlock::addConstantLazily):
3010         * dfg/DFGByteCodeParser.cpp:
3011         (JSC::DFG::ByteCodeParser::getJSConstantForValue):
3012         (JSC::DFG::ByteCodeParser::constantUndefined):
3013         (JSC::DFG::ByteCodeParser::constantNull):
3014         (JSC::DFG::ByteCodeParser::one):
3015         (JSC::DFG::ByteCodeParser::constantNaN):
3016         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3017         * dfg/DFGCommonData.cpp:
3018         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
3019         * dfg/DFGCommonData.h:
3020         * dfg/DFGDesiredTransitions.cpp: Added.
3021         (JSC::DFG::DesiredTransition::DesiredTransition):
3022         (JSC::DFG::DesiredTransition::reallyAdd):
3023         (JSC::DFG::DesiredTransitions::DesiredTransitions):
3024         (JSC::DFG::DesiredTransitions::~DesiredTransitions):
3025         (JSC::DFG::DesiredTransitions::addLazily):
3026         (JSC::DFG::DesiredTransitions::reallyAdd):
3027         * dfg/DFGDesiredTransitions.h: Added.
3028         * dfg/DFGDesiredWeakReferences.cpp: Added.
3029         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
3030         (JSC::DFG::DesiredWeakReferences::~DesiredWeakReferences):
3031         (JSC::DFG::DesiredWeakReferences::addLazily):
3032         (JSC::DFG::DesiredWeakReferences::reallyAdd):
3033         * dfg/DFGDesiredWeakReferences.h: Added.
3034         * dfg/DFGDesiredWriteBarriers.cpp: Added.
3035         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
3036         (JSC::DFG::DesiredWriteBarrier::trigger):
3037         (JSC::DFG::DesiredWriteBarriers::DesiredWriteBarriers):
3038         (JSC::DFG::DesiredWriteBarriers::~DesiredWriteBarriers):
3039         (JSC::DFG::DesiredWriteBarriers::addImpl):
3040         (JSC::DFG::DesiredWriteBarriers::trigger):
3041         * dfg/DFGDesiredWriteBarriers.h: Added.
3042         (JSC::DFG::DesiredWriteBarriers::add):
3043         (JSC::DFG::initializeLazyWriteBarrier):
3044         * dfg/DFGFixupPhase.cpp:
3045         (JSC::DFG::FixupPhase::truncateConstantToInt32):
3046         * dfg/DFGGraph.h:
3047         (JSC::DFG::Graph::convertToConstant):
3048         * dfg/DFGJITCompiler.h:
3049         (JSC::DFG::JITCompiler::addWeakReference):
3050         * dfg/DFGPlan.cpp:
3051         (JSC::DFG::Plan::Plan):
3052         (JSC::DFG::Plan::reallyAdd):
3053         * dfg/DFGPlan.h:
3054         * dfg/DFGSpeculativeJIT32_64.cpp:
3055         (JSC::DFG::SpeculativeJIT::compile):
3056         * dfg/DFGSpeculativeJIT64.cpp:
3057         (JSC::DFG::SpeculativeJIT::compile):
3058         * runtime/WriteBarrier.h:
3059         (JSC::WriteBarrierBase::set):
3060         (JSC::WriteBarrier::WriteBarrier):
3061
3062 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
3063
3064         Fix x86 32-bit build after r154158
3065
3066         * assembler/X86Assembler.h: Add missing #ifdef for the x86_64 instructions.
3067
3068 2013-08-15  Ryosuke Niwa  <rniwa@webkit.org>
3069
3070         Build fix attempt after r154156.
3071
3072         * jit/JITStubs.cpp:
3073         (JSC::cti_vm_handle_exception): encode!
3074
3075 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
3076
3077         [JSC] x86: Use inc and dec when possible
3078         https://bugs.webkit.org/show_bug.cgi?id=119831
3079
3080         Reviewed by Geoffrey Garen.
3081
3082         When incrementing or decrementing by an immediate of 1, use the instructions
3083         inc and dec instead of add and sub.
3084         The instructions have good timing and their encoding is smaller.
3085
3086         * assembler/MacroAssemblerX86Common.h:
3087         (JSC::MacroAssemblerX86_64::add32):
3088         (JSC::MacroAssemblerX86_64::sub32):
3089         * assembler/MacroAssemblerX86_64.h:
3090         (JSC::MacroAssemblerX86_64::add64):
3091         (JSC::MacroAssemblerX86_64::sub64):
3092         * assembler/X86Assembler.h:
3093         (JSC::X86Assembler::dec_r):
3094         (JSC::X86Assembler::decq_r):
3095         (JSC::X86Assembler::inc_r):
3096         (JSC::X86Assembler::incq_r):
3097
3098 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
3099
3100         Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
3101         https://bugs.webkit.org/show_bug.cgi?id=119874
3102
3103         Reviewed by Oliver Hunt and Mark Hahnenberg.
3104         
3105         It was a confusion between heuristics in DFG::ArrayMode that are assuming that
3106         you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
3107         sometimes for typed array length accesses, and the FixupPhase assuming that a
3108         ForceExit ArrayMode means that it should continue using a generic GetById.
3109
3110         This fixes the confusion.
3111
3112         * dfg/DFGFixupPhase.cpp:
3113         (JSC::DFG::FixupPhase::fixupNode):
3114
3115 2013-08-15  Mark Lam  <mark.lam@apple.com>
3116
3117         Fix crash when performing activation tearoff.
3118         https://bugs.webkit.org/show_bug.cgi?id=119848
3119
3120         Reviewed by Oliver Hunt.
3121
3122         The activation tearoff crash was due to a bug in the baseline JIT.
3123         If we have a scenario where a baseline JIT frame calls a LLINT
3124         frame, an exception may be thrown while in the LLINT.
3125
3126         Interpreter::throwException() which handles the exception will unwind
3127         all frames until it finds a catcher or sees a host frame. When we
3128         return from the LLINT to the baseline JIT code, the baseline JIT code
3129         erroneously sets topCallFrame to the value in its call frame register,
3130         and starts unwinding the stack frames that have already been unwound.
3131
3132         The fix is:
3133         1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
3134            This is a more accurate description of what this runtime function
3135            is supposed to do, i.e. it handles the exception, which includes doing
3136            nothing (if there are no more frames to unwind).
3137         2. Fix up topCallFrame values so that the HostCallFrameFlag is never
3138            set on it.
3139         3. Reload the call frame register from topCallFrame when we're
3140            returning from a callee and detect exception handling in progress.
3141
3142         * interpreter/Interpreter.cpp:
3143         (JSC::Interpreter::unwindCallFrame):
3144         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
3145         (JSC::Interpreter::getStackTrace):
3146         * interpreter/Interpreter.h:
3147         (JSC::TopCallFrameSetter::TopCallFrameSetter):
3148         (JSC::TopCallFrameSetter::~TopCallFrameSetter):
3149         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
3150         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
3151         * jit/JIT.h:
3152         * jit/JITExceptions.cpp:
3153         (JSC::uncaughtExceptionHandler):
3154         - Convenience function to get the handler for uncaught exceptions.
3155         * jit/JITExceptions.h:
3156         * jit/JITInlines.h:
3157         (JSC::JIT::reloadCallFrameFromTopCallFrame):
3158         * jit/JITOpcodes32_64.cpp:
3159         (JSC::JIT::privateCompileCTINativeCall):
3160         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
3161         * jit/JITStubs.cpp:
3162         (JSC::throwExceptionFromOpCall):
3163         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
3164         (JSC::cti_vm_handle_exception):
3165         - Check for the case when there are no more frames to unwind.
3166         * jit/JITStubs.h:
3167         * jit/JITStubsARM.h:
3168         * jit/JITStubsARMv7.h:
3169         * jit/JITStubsMIPS.h:
3170         * jit/JITStubsSH4.h:
3171         * jit/JITStubsX86.h:
3172         * jit/JITStubsX86_64.h:
3173         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
3174         * jit/SlowPathCall.h:
3175         (JSC::JITSlowPathCall::call):
3176         - Reload cfr from topCallFrame when handling an exception.
3177         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
3178         * jit/ThunkGenerators.cpp:
3179         (JSC::nativeForGenerator):
3180         * llint/LowLevelInterpreter32_64.asm:
3181         * llint/LowLevelInterpreter64.asm:
3182         - Reload cfr from topCallFrame when handling an exception.
3183         * runtime/VM.cpp:
3184         (JSC::VM::VM):
3185         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
3186
3187 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
3188
3189         Remove some code duplication.
3190         
3191         Rubber stamped by Mark Hahnenberg.
3192
3193         * runtime/JSDataViewPrototype.cpp:
3194         (JSC::getData):
3195         (JSC::setData):
3196
3197 2013-08-15  Julien Brianceau  <jbrianceau@nds.com>
3198
3199         [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
3200         https://bugs.webkit.org/show_bug.cgi?id=119794
3201
3202         Reviewed by Filip Pizlo.
3203
3204         This patch fixes ASSERT failures in debug builds for the sh4 and mips architectures.
3205
3206         * dfg/DFGUseKind.h:
3207         (JSC::DFG::isNumerical):
3208         (JSC::DFG::isDouble):
3209
3210 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
3211
3212         http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.
3213
3214         Rubber stamped by Oliver Hunt.
3215         
3216         This was causing some test crashes for me.
3217
3218         * dfg/DFGCapabilities.cpp:
3219         (JSC::DFG::capabilityLevel):
3220
3221 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
3222
3223         [Windows] Clear up improper export declaration.
3224
3225         * runtime/ArrayBufferView.h:
3226
3227 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
3228
3229         Unreviewed, remove some unnecessary periods from exceptions.
3230
3231         * runtime/JSDataViewPrototype.cpp:
3232         (JSC::getData):
3233         (JSC::setData):
3234
3235 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
3236
3237         Unreviewed, fix 32-bit build.
3238
3239         * dfg/DFGSpeculativeJIT32_64.cpp:
3240         (JSC::DFG::SpeculativeJIT::compile):
3241
3242 2013-08-14  Filip Pizlo  <fpizlo@apple.com>
3243
3244         Typed arrays should be rewritten
3245         https://bugs.webkit.org/show_bug.cgi?id=119064
3246
3247         Reviewed by Oliver Hunt.
3248         
3249         Typed arrays were previously deficient in several major ways:
3250         
3251         - They were defined separately in WebCore and in the jsc shell. The two
3252           implementations were different, and the jsc shell one was basically wrong.
3253           The WebCore one was quite awful, also.
3254         
3255         - Typed arrays were not visible to the JIT except through some weird hooks.
3256           For example, the JIT could not ask "what is the Structure that this typed
3257           array would have if I just allocated it from this global object". Also,
3258           it was difficult to wire any of the typed array intrinsics, because most
3259           of the functionality wasn't visible anywhere in JSC.
3260         
3261         - Typed array allocation was brain-dead. Allocating a typed array involved
3262           two JS objects, two GC weak handles, and three malloc allocations.
3263         
3264         - Neutering. It involved keeping tabs on all native views but not the view
3265           wrappers, even though the native views can autoneuter just by asking the
3266           buffer if it was neutered anytime you touch them; while the JS view
3267           wrappers are the ones that you really want to reach out to.
3268         
3269         - Common case-ing. Most typed arrays have one buffer and one view, and
3270           usually nobody touches the buffer. Yet we created all of that stuff
3271           anyway, using data structures optimized for the case where you had a lot
3272           of views.
3273         
3274         - Semantic goofs. Typed arrays should, in the future, behave like ES
3275           features rather than DOM features, for example when it comes to exceptions.
3276           Firefox already does this and I agree with them.
3277         
3278         This patch cleanses our codebase of these sins:
3279         
3280         - Typed arrays are almost entirely defined in JSC. Only the lifecycle
3281           management of native references to buffers is left to WebCore.
3282         
3283         - Allocating a typed array requires either two GC allocations (a cell and a
3284           copied storage vector) or one GC allocation, a malloc allocation, and a
3285           weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
3286           latter). The latter is only used for oversize arrays. Remember that before
3287           it was 7 allocations no matter what.
3288         
3289         - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
3290           mode/length, void* vector. Before it was a lot more than that - remember,
3291           there were five additional objects that did absolutely nothing for anybody.
3292         
3293         - Native views aren't tracked by the buffer, or by the wrappers. They are
3294           transient. In the future we'll probably switch to not even having them be
3295           malloc'd.
3296         
3297         - Native array buffers have an efficient way of tracking all of their JS view
3298           wrappers, both for neutering, and for lifecycle management. The GC
3299           special-cases native array buffers. This saves a bunch of grief; for example
3300           it means that a JS view wrapper can refer to its buffer via the butterfly,
3301           which would be dead by the time we went to finalize.
3302         
3303         - Typed array semantics now match Firefox, which also happens to be where the
3304           standards are going. The discussion on webkit-dev seemed to confirm that
3305           Chrome is also heading in this direction. This includes making
3306           Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
3307           ArrayBufferView as a JS-visible construct.
3308         
3309         This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
3310         It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
3311         further typed array optimizations in the JSC JITs, including inlining typed
3312         array allocation, inlining more of the accessors, reducing the cost of type
3313         checks, etc.
3314         
3315         An additional property of this patch is that typed arrays are mostly
3316         implemented using templates. This deduplicates a bunch of code, but does mean
3317         that we need some hacks for exporting s_info's of template classes. See
3318         JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
3319         low-impact compared to code duplication.
3320         
3321         Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
3322
3323         * CMakeLists.txt:
3324         * DerivedSources.make:
3325         * GNUmakefile.list.am:
3326         * JSCTypedArrayStubs.h: Removed.
3327         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3328         * JavaScriptCore.xcodeproj/project.pbxproj:
3329         * Target.pri:
3330         * bytecode/ByValInfo.h:
3331         (JSC::hasOptimizableIndexingForClassInfo):
3332         (JSC::jitArrayModeForClassInfo):
3333         (JSC::typedArrayTypeForJITArrayMode):
3334         * bytecode/SpeculatedType.cpp:
3335         (JSC::speculationFromClassInfo):
3336         * dfg/DFGArrayMode.cpp:
3337         (JSC::DFG::toTypedArrayType):
3338         * dfg/DFGArrayMode.h:
3339         (JSC::DFG::ArrayMode::typedArrayType):
3340         * dfg/DFGSpeculativeJIT.cpp:
3341         (JSC::DFG::SpeculativeJIT::checkArray):
3342         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
3343         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
3344         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
3345         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
3346         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
3347         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
3348         * dfg/DFGSpeculativeJIT.h:
3349         * dfg/DFGSpeculativeJIT32_64.cpp:
3350         (JSC::DFG::SpeculativeJIT::compile):
3351         * dfg/DFGSpeculativeJIT64.cpp:
3352         (JSC::DFG::SpeculativeJIT::compile):
3353         * heap/CopyToken.h:
3354         * heap/DeferGC.h:
3355         (JSC::DeferGCForAWhile::DeferGCForAWhile):
3356         (JSC::DeferGCForAWhile::~DeferGCForAWhile):
3357         * heap/GCIncomingRefCounted.h: Added.
3358         (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
3359         (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
3360         (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
3361         (JSC::GCIncomingRefCounted::incomingReferenceAt):
3362         (JSC::GCIncomingRefCounted::singletonFlag):
3363         (JSC::GCIncomingRefCounted::hasVectorOfCells):
3364         (JSC::GCIncomingRefCounted::hasAnyIncoming):
3365         (JSC::GCIncomingRefCounted::hasSingleton):
3366         (JSC::GCIncomingRefCounted::singleton):
3367         (JSC::GCIncomingRefCounted::vectorOfCells):
3368         * heap/GCIncomingRefCountedInlines.h: Added.
3369         (JSC::::addIncomingReference):
3370         (JSC::::filterIncomingReferences):
3371         * heap/GCIncomingRefCountedSet.h: Added.
3372         (JSC::GCIncomingRefCountedSet::size):
3373         * heap/GCIncomingRefCountedSetInlines.h: Added.
3374         (JSC::::GCIncomingRefCountedSet):
3375         (JSC::::~GCIncomingRefCountedSet):
3376         (JSC::::addReference):
3377         (JSC::::sweep):
3378         (JSC::::removeAll):
3379         (JSC::::removeDead):
3380         * heap/Heap.cpp:
3381         (JSC::Heap::addReference):
3382         (JSC::Heap::extraSize):
3383         (JSC::Heap::size):
3384         (JSC::Heap::capacity):
3385         (JSC::Heap::collect):
3386         (JSC::Heap::decrementDeferralDepth):
3387         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
3388         * heap/Heap.h:
3389         * interpreter/CallFrame.h:
3390         (JSC::ExecState::dataViewTable):
3391         * jit/JIT.h:
3392         * jit/JITPropertyAccess.cpp:
3393         (JSC::JIT::privateCompileGetByVal):
3394         (JSC::JIT::privateCompilePutByVal):
3395         (JSC::JIT::emitIntTypedArrayGetByVal):
3396         (JSC::JIT::emitFloatTypedArrayGetByVal):
3397         (JSC::JIT::emitIntTypedArrayPutByVal):
3398         (JSC::JIT::emitFloatTypedArrayPutByVal):
3399         * jsc.cpp:
3400         (GlobalObject::finishCreation):
3401         * runtime/ArrayBuffer.cpp:
3402         (JSC::ArrayBuffer::transfer):
3403         * runtime/ArrayBuffer.h:
3404         (JSC::ArrayBuffer::createAdopted):
3405         (JSC::ArrayBuffer::ArrayBuffer):
3406         (JSC::ArrayBuffer::gcSizeEstimateInBytes):
3407         (JSC::ArrayBuffer::pin):
3408         (JSC::ArrayBuffer::unpin):
3409         (JSC::ArrayBufferContents::tryAllocate):
3410         * runtime/ArrayBufferView.cpp:
3411         (JSC::ArrayBufferView::ArrayBufferView):
3412         (JSC::ArrayBufferView::~ArrayBufferView):
3413         (JSC::ArrayBufferView::setNeuterable):
3414         * runtime/ArrayBufferView.h:
3415         (JSC::ArrayBufferView::isNeutered):
3416         (JSC::ArrayBufferView::buffer):
3417         (JSC::ArrayBufferView::baseAddress):
3418         (JSC::ArrayBufferView::byteOffset):
3419         (JSC::ArrayBufferView::verifySubRange):
3420         (JSC::ArrayBufferView::clampOffsetAndNumElements):
3421         (JSC::ArrayBufferView::calculateOffsetAndLength):
3422         * runtime/ClassInfo.h:
3423         * runtime/CommonIdentifiers.h:
3424         * runtime/DataView.cpp: Added.
3425         (JSC::DataView::DataView):
3426         (JSC::DataView::create):
3427         (JSC::DataView::wrap):
3428         * runtime/DataView.h: Added.
3429         (JSC::DataView::byteLength):
3430         (JSC::DataView::getType):
3431         (JSC::DataView::get):
3432         (JSC::DataView::set):
3433         * runtime/Float32Array.h:
3434         * runtime/Float64Array.h:
3435         * runtime/GenericTypedArrayView.h: Added.
3436         (JSC::GenericTypedArrayView::data):
3437         (JSC::GenericTypedArrayView::set):
3438         (JSC::GenericTypedArrayView::setRange):
3439         (JSC::GenericTypedArrayView::zeroRange):
3440         (JSC::GenericTypedArrayView::zeroFill):
3441         (JSC::GenericTypedArrayView::length):
3442         (JSC::GenericTypedArrayView::byteLength):
3443         (JSC::GenericTypedArrayView::item):
3444         (JSC::GenericTypedArrayView::checkInboundData):
3445         (JSC::GenericTypedArrayView::getType):
3446         * runtime/GenericTypedArrayViewInlines.h: Added.
3447         (JSC::::GenericTypedArrayView):
3448         (JSC::::create):
3449         (JSC::::createUninitialized):
3450         (JSC::::subarray):
3451         (JSC::::wrap):
3452         * runtime/IndexingHeader.h:
3453         (JSC::IndexingHeader::arrayBuffer):
3454         (JSC::IndexingHeader::setArrayBuffer):
3455         * runtime/Int16Array.h:
3456         * runtime/Int32Array.h:
3457         * runtime/Int8Array.h:
3458         * runtime/JSArrayBuffer.cpp: Added.
3459         (JSC::JSArrayBuffer::JSArrayBuffer):
3460         (JSC::JSArrayBuffer::finishCreation):
3461         (JSC::JSArrayBuffer::create):
3462         (JSC::JSArrayBuffer::createStructure):
3463         (JSC::JSArrayBuffer::getOwnPropertySlot):
3464         (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
3465         (JSC::JSArrayBuffer::put):
3466         (JSC::JSArrayBuffer::defineOwnProperty):
3467         (JSC::JSArrayBuffer::deleteProperty):
3468         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
3469         * runtime/JSArrayBuffer.h: Added.
3470         (JSC::JSArrayBuffer::impl):
3471         (JSC::toArrayBuffer):
3472         * runtime/JSArrayBufferConstructor.cpp: Added.
3473         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
3474         (JSC::JSArrayBufferConstructor::finishCreation):
3475         (JSC::JSArrayBufferConstructor::create):
3476         (JSC::JSArrayBufferConstructor::createStructure):
3477         (JSC::constructArrayBuffer):
3478         (JSC::JSArrayBufferConstructor::getConstructData):
3479         (JSC::JSArrayBufferConstructor::getCallData):
3480         * runtime/JSArrayBufferConstructor.h: Added.
3481         * runtime/JSArrayBufferPrototype.cpp: Added.
3482         (JSC::arrayBufferProtoFuncSlice):
3483         (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
3484         (JSC::JSArrayBufferPrototype::finishCreation):
3485         (JSC::JSArrayBufferPrototype::create):
3486         (JSC::JSArrayBufferPrototype::createStructure):
3487         * runtime/JSArrayBufferPrototype.h: Added.
3488         * runtime/JSArrayBufferView.cpp: Added.
3489         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
3490         (JSC::JSArrayBufferView::JSArrayBufferView):
3491         (JSC::JSArrayBufferView::finishCreation):
3492         (JSC::JSArrayBufferView::getOwnPropertySlot):
3493         (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
3494         (JSC::JSArrayBufferView::put):
3495         (JSC::JSArrayBufferView::defineOwnProperty):
3496         (JSC::JSArrayBufferView::deleteProperty):
3497         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
3498         (JSC::JSArrayBufferView::finalize):
3499         * runtime/JSArrayBufferView.h: Added.
3500         (JSC::JSArrayBufferView::sizeOf):
3501         (JSC::JSArrayBufferView::ConstructionContext::operator!):
3502         (JSC::JSArrayBufferView::ConstructionContext::structure):
3503         (JSC::JSArrayBufferView::ConstructionContext::vector):
3504         (JSC::JSArrayBufferView::ConstructionContext::length):
3505         (JSC::JSArrayBufferView::ConstructionContext::mode):
3506         (JSC::JSArrayBufferView::ConstructionContext::butterfly):
3507         (JSC::JSArrayBufferView::mode):
3508         (JSC::JSArrayBufferView::vector):
3509         (JSC::JSArrayBufferView::length):
3510         (JSC::JSArrayBufferView::offsetOfVector):
3511         (JSC::JSArrayBufferView::offsetOfLength):
3512         (JSC::JSArrayBufferView::offsetOfMode):
3513         * runtime/JSArrayBufferViewInlines.h: Added.
3514         (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
3515         (JSC::JSArrayBufferView::buffer):
3516         (JSC::JSArrayBufferView::impl):
3517         (JSC::JSArrayBufferView::neuter):
3518         (JSC::JSArrayBufferView::byteOffset):
3519         * runtime/JSCell.cpp:
3520         (JSC::JSCell::slowDownAndWasteMemory):
3521         (JSC::JSCell::getTypedArrayImpl):
3522         * runtime/JSCell.h:
3523         * runtime/JSDataView.cpp: Added.
3524         (JSC::JSDataView::JSDataView):
3525         (JSC::JSDataView::create):
3526         (JSC::JSDataView::createUninitialized):
3527         (JSC::JSDataView::set):
3528         (JSC::JSDataView::typedImpl):
3529         (JSC::JSDataView::getOwnPropertySlot):
3530         (JSC::JSDataView::getOwnPropertyDescriptor):
3531         (JSC::JSDataView::slowDownAndWasteMemory):
3532         (JSC::JSDataView::getTypedArrayImpl):
3533         (JSC::JSDataView::createStructure):
3534         * runtime/JSDataView.h: Added.
3535         * runtime/JSDataViewPrototype.cpp: Added.
3536         (JSC::JSDataViewPrototype::JSDataViewPrototype):
3537         (JSC::JSDataViewPrototype::create):
3538         (JSC::JSDataViewPrototype::createStructure):
3539         (JSC::JSDataViewPrototype::getOwnPropertySlot):
3540         (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
3541         (JSC::getData):
3542         (JSC::setData):
3543         (JSC::dataViewProtoFuncGetInt8):
3544         (JSC::dataViewProtoFuncGetInt16):
3545         (JSC::dataViewProtoFuncGetInt32):
3546         (JSC::dataViewProtoFuncGetUint8):
3547         (JSC::dataViewProtoFuncGetUint16):
3548         (JSC::dataViewProtoFuncGetUint32):
3549         (JSC::dataViewProtoFuncGetFloat32):
3550         (JSC::dataViewProtoFuncGetFloat64):
3551         (JSC::dataViewProtoFuncSetInt8):
3552         (JSC::dataViewProtoFuncSetInt16):
3553         (JSC::dataViewProtoFuncSetInt32):
3554         (JSC::dataViewProtoFuncSetUint8):
3555         (JSC::dataViewProtoFuncSetUint16):
3556         (JSC::dataViewProtoFuncSetUint32):
3557         (JSC::dataViewProtoFuncSetFloat32):
3558         (JSC::dataViewProtoFuncSetFloat64):
3559         * runtime/JSDataViewPrototype.h: Added.
3560         * runtime/JSFloat32Array.h: Added.
3561         * runtime/JSFloat64Array.h: Added.
3562         * runtime/JSGenericTypedArrayView.h: Added.
3563         (JSC::JSGenericTypedArrayView::byteLength):
3564         (JSC::JSGenericTypedArrayView::byteSize):
3565         (JSC::JSGenericTypedArrayView::typedVector):
3566         (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
3567         (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
3568         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
3569         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
3570         (JSC::JSGenericTypedArrayView::getIndexQuickly):
3571         (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
3572         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
3573         (JSC::JSGenericTypedArrayView::setIndexQuickly):
3574         (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
3575         (JSC::JSGenericTypedArrayView::typedImpl):
3576         (JSC::JSGenericTypedArrayView::createStructure):
3577         (JSC::JSGenericTypedArrayView::info):
3578         (JSC::toNativeTypedView):
3579         * runtime/JSGenericTypedArrayViewConstructor.h: Added.
3580         * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
3581         (JSC::::JSGenericTypedArrayViewConstructor):
3582         (JSC::::finishCreation):
3583         (JSC::::create):
3584         (JSC::::createStructure):
3585         (JSC::constructGenericTypedArrayView):
3586         (JSC::::getConstructData):
3587         (JSC::::getCallData):
3588         * runtime/JSGenericTypedArrayViewInlines.h: Added.
3589         (JSC::::JSGenericTypedArrayView):
3590         (JSC::::create):
3591         (JSC::::createUninitialized):
3592         (JSC::::validateRange):
3593         (JSC::::setWithSpecificType):
3594         (JSC::::set):
3595         (JSC::::getOwnPropertySlot):
3596         (JSC::::getOwnPropertyDescriptor):
3597         (JSC::::put):
3598         (JSC::::defineOwnProperty):
3599         (JSC::::deleteProperty):
3600         (JSC::::getOwnPropertySlotByIndex):
3601         (JSC::::putByIndex):
3602         (JSC::::deletePropertyByIndex):
3603         (JSC::::getOwnNonIndexPropertyNames):
3604         (JSC::::getOwnPropertyNames):
3605         (JSC::::visitChildren):
3606         (JSC::::copyBackingStore):
3607         (JSC::::slowDownAndWasteMemory):
3608         (JSC::::getTypedArrayImpl):
3609         * runtime/JSGenericTypedArrayViewPrototype.h: Added.
3610         * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
3611         (JSC::genericTypedArrayViewProtoFuncSet):
3612         (JSC::genericTypedArrayViewProtoFuncSubarray):
3613         (JSC::::JSGenericTypedArrayViewPrototype):
3614         (JSC::::finishCreation):
3615         (JSC::::create):
3616         (JSC::::createStructure):
3617         * runtime/JSGlobalObject.cpp:
3618         (JSC::JSGlobalObject::reset):
3619         (JSC::JSGlobalObject::visitChildren):
3620         * runtime/JSGlobalObject.h:
3621         (JSC::JSGlobalObject::arrayBufferPrototype):
3622         (JSC::JSGlobalObject::arrayBufferStructure):
3623         (JSC::JSGlobalObject::typedArrayStructure):
3624         * runtime/JSInt16Array.h: Added.
3625         * runtime/JSInt32Array.h: Added.
3626         * runtime/JSInt8Array.h: Added.
3627         * runtime/JSTypedArrayConstructors.cpp: Added.
3628         * runtime/JSTypedArrayConstructors.h: Added.
3629         * runtime/JSTypedArrayPrototypes.cpp: Added.
3630         * runtime/JSTypedArrayPrototypes.h: Added.
3631         * runtime/JSTypedArrays.cpp: Added.
3632         * runtime/JSTypedArrays.h: Added.
3633         * runtime/JSUint16Array.h: Added.
3634         * runtime/JSUint32Array.h: Added.
3635         * runtime/JSUint8Array.h: Added.
3636         * runtime/JSUint8ClampedArray.h: Added.
3637         * runtime/Operations.h:
3638         * runtime/Options.h:
3639         * runtime/SimpleTypedArrayController.cpp: Added.
3640         (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
3641         (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
3642         (JSC::SimpleTypedArrayController::toJS):
3643         * runtime/SimpleTypedArrayController.h: Added.
3644         * runtime/Structure.h:
3645         (JSC::Structure::couldHaveIndexingHeader):
3646         * runtime/StructureInlines.h:
3647         (JSC::Structure::hasIndexingHeader):
3648         * runtime/TypedArrayAdaptors.h: Added.
3649         (JSC::IntegralTypedArrayAdaptor::toNative):
3650         (JSC::IntegralTypedArrayAdaptor::toJSValue):
3651         (JSC::IntegralTypedArrayAdaptor::toDouble):
3652         (JSC::FloatTypedArrayAdaptor::toNative):
3653         (JSC::FloatTypedArrayAdaptor::toJSValue):
3654         (JSC::FloatTypedArrayAdaptor::toDouble):
3655         (JSC::Uint8ClampedAdaptor::toNative):
3656         (JSC::Uint8ClampedAdaptor::toJSValue):
3657         (JSC::Uint8ClampedAdaptor::toDouble):
3658         (JSC::Uint8ClampedAdaptor::clamp):
3659         * runtime/TypedArrayController.cpp: Added.
3660         (JSC::TypedArrayController::TypedArrayController):
3661         (JSC::TypedArrayController::~TypedArrayController):
3662         * runtime/TypedArrayController.h: Added.
3663         * runtime/TypedArrayDescriptor.h: Removed.
3664         * runtime/TypedArrayInlines.h: Added.
3665         * runtime/TypedArrayType.cpp: Added.
3666         (JSC::classInfoForType):
3667         (WTF::printInternal):
3668         * runtime/TypedArrayType.h: Added.
3669         (JSC::toIndex):
3670         (JSC::isTypedView):
3671         (JSC::elementSize):
3672         (JSC::isInt):
3673         (JSC::isFloat):
3674         (JSC::isSigned):
3675         (JSC::isClamped):
3676         * runtime/TypedArrays.h: Added.
3677         * runtime/Uint16Array.h:
3678         * runtime/Uint32Array.h:
3679         * runtime/Uint8Array.h:
3680         * runtime/Uint8ClampedArray.h:
3681         * runtime/VM.cpp:
3682         (JSC::VM::VM):
3683         (JSC::VM::~VM):
3684         * runtime/VM.h:
3685
3686 2013-08-15  Oliver Hunt  <oliver@apple.com>
3687
3688         <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure
3689
3690         Reviewed by Filip Pizlo.
3691
3692         Make sure dfgCapabilities doesn't report a Dynamic put as
3693         being compilable when we don't actually support it.
3694
3695         * bytecode/CodeBlock.cpp:
3696         (JSC::CodeBlock::dumpBytecode):
3697         * dfg/DFGCapabilities.cpp:
3698         (JSC::DFG::capabilityLevel):
3699
3700 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
3701
3702         [Windows] Incorrect DLL Linkage for JSC ArrayBuffer and ArrayBufferView
3703         https://bugs.webkit.org/show_bug.cgi?id=119847
3704
3705         Reviewed by Oliver Hunt.
3706
3707         * runtime/ArrayBuffer.h: Switch from WTF_EXPORT_PRIVATE to JS_EXPORT_PRIVATE
3708         * runtime/ArrayBufferView.h: Ditto.
3709
3710 2013-08-15  Gavin Barraclough  <barraclough@apple.com>
3711
3712         https://bugs.webkit.org/show_bug.cgi?id=119843
3713         PropertySlot::setValue is ambiguous
3714
3715         Reviewed by Geoff Garen.
3716
3717         There are three different versions of PropertySlot::setValue, one for cacheable properties, and two that are used interchangeably and inconsistently.
3718         The problematic variants are the ones that just take a value, and one that takes a value and also the object containing the property.
3719         Unify on always providing the object, and remove the version that just takes a value.
3720         This always works except for JSString, where we optimize out the object (logically we should be instantiating a temporary StringObject on every property access).
3721         Provide a version of setValue that takes a JSString as the owner of the property.
3722         We won't store this, but it makes it clear that this interface should only be used from JSString.
3723
3724         * API/JSCallbackObjectFunctions.h:
3725         (JSC::::getOwnPropertySlot):
3726         * JSCTypedArrayStubs.h:
3727         * runtime/Arguments.cpp:
3728         (JSC::Arguments::getOwnPropertySlotByIndex):
3729         (JSC::Arguments::getOwnPropertySlot):
3730         * runtime/JSActivation.cpp:
3731         (JSC::JSActivation::symbolTableGet):
3732         (JSC::JSActivation::getOwnPropertySlot):
3733         * runtime/JSArray.cpp:
3734         (JSC::JSArray::getOwnPropertySlot):
3735         * runtime/JSObject.cpp:
3736         (JSC::JSObject::getOwnPropertySlotByIndex):
3737         * runtime/JSString.h:
3738         (JSC::JSString::getStringPropertySlot):
3739         * runtime/JSSymbolTableObject.h:
3740         (JSC::symbolTableGet):
3741         * runtime/SparseArrayValueMap.cpp:
3742         (JSC::SparseArrayEntry::get):
3743             - Pass object containing property to PropertySlot::setValue
3744         * runtime/PropertySlot.h:
3745         (JSC::PropertySlot::setValue):
3746             - Logically, the base of a string property access is a temporary StringObject, but we optimize that away.
3747         (JSC::PropertySlot::setUndefined):
3748             - removed setValue(JSValue), added setValue(JSString*, JSValue)
3749
3750 2013-08-15  Oliver Hunt  <oliver@apple.com>
3751
3752         Remove bogus assertion.
3753
3754         RS=Filip Pizlo
3755
3756         * dfg/DFGAbstractInterpreterInlines.h:
3757         (JSC::DFG::::executeEffects):
3758
3759 2013-08-15  Allan Sandfeld Jensen  <allan.jensen@digia.com>
3760
3761         REGRESSION(r148790) Made 7 tests fail on x86 32bit
3762         https://bugs.webkit.org/show_bug.cgi?id=114913
3763
3764         Reviewed by Filip Pizlo.
3765
3766         The X87 register was not freed before some calls. Instead
3767         of inserting resetX87Registers at the last call sites,
3768         the two X87 registers are now freed in every call.
3769
3770         * llint/LowLevelInterpreter32_64.asm:
3771         * llint/LowLevelInterpreter64.asm:
3772         * offlineasm/instructions.rb:
3773         * offlineasm/x86.rb:
3774
3775 2013-08-14  Michael Saboff  <msaboff@apple.com>
3776
3777         Fixed jit on Win64.
3778         https://bugs.webkit.org/show_bug.cgi?id=119601
3779
3780         Reviewed by Oliver Hunt.
3781
3782         * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation.
3783         * jit/JSInterfaceJIT.h: Added thirdArgumentRegister.
3784         * jit/SlowPathCall.h:
3785         (JSC::JITSlowPathCall::call): Added correct calling convention for Win64.
3786
3787 2013-08-14  Alex Christensen  <achristensen@apple.com>
3788
3789         Compile fix for Win64 with jit disabled.
3790         https://bugs.webkit.org/show_bug.cgi?id=119804
3791
3792         Reviewed by Michael Saboff.
3793
3794         * offlineasm/cloop.rb: Added std:: before isnan.
3795
3796 2013-08-14  Julien Brianceau  <jbrianceau@nds.com>
3797
3798         DFG_JIT implementation for sh4 architecture.
3799         https://bugs.webkit.org/show_bug.cgi?id=119737
3800
3801         Reviewed by Oliver Hunt.
3802
3803         * assembler/MacroAssemblerSH4.h:
3804         (JSC::MacroAssemblerSH4::invert):
3805         (JSC::MacroAssemblerSH4::add32):
3806         (JSC::MacroAssemblerSH4::and32):
3807         (JSC::MacroAssemblerSH4::lshift32):
3808         (JSC::MacroAssemblerSH4::mul32):
3809         (JSC::MacroAssemblerSH4::or32):
3810         (JSC::MacroAssemblerSH4::rshift32):
3811         (JSC::MacroAssemblerSH4::sub32):
3812         (JSC::MacroAssemblerSH4::xor32):
3813         (JSC::MacroAssemblerSH4::store32):
3814         (JSC::MacroAssemblerSH4::swapDouble):
3815         (JSC::MacroAssemblerSH4::storeDouble):
3816         (JSC::MacroAssemblerSH4::subDouble):
3817         (JSC::MacroAssemblerSH4::mulDouble):
3818         (JSC::MacroAssemblerSH4::divDouble):
3819         (JSC::MacroAssemblerSH4::negateDouble):
3820         (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
3821         (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
3822         (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
3823         (JSC::MacroAssemblerSH4::swap):
3824         (JSC::MacroAssemblerSH4::jump):
3825         (JSC::MacroAssemblerSH4::branchNeg32):
3826         (JSC::MacroAssemblerSH4::branchAdd32):
3827         (JSC::MacroAssemblerSH4::branchMul32):
3828         (JSC::MacroAssemblerSH4::urshift32):
3829         * assembler/SH4Assembler.h:
3830         (JSC::SH4Assembler::SH4Assembler):
3831         (JSC::SH4Assembler::labelForWatchpoint):
3832         (JSC::SH4Assembler::label):
3833         (JSC::SH4Assembler::debugOffset):
3834         * dfg/DFGAssemblyHelpers.h:
3835         (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
3836         (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
3837         (JSC::DFG::AssemblyHelpers::debugCall):
3838         * dfg/DFGCCallHelpers.h:
3839         (JSC::DFG::CCallHelpers::setupArguments):
3840         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
3841         * dfg/DFGFPRInfo.h:
3842         (JSC::DFG::FPRInfo::toRegister):
3843         (JSC::DFG::FPRInfo::toIndex):
3844         (JSC::DFG::FPRInfo::debugName):
3845         * dfg/DFGGPRInfo.h:
3846         (JSC::DFG::GPRInfo::toRegister):
3847         (JSC::DFG::GPRInfo::toIndex):
3848         (JSC::DFG::GPRInfo::debugName):
3849         * dfg/DFGOperations.cpp:
3850         * dfg/DFGSpeculativeJIT.h:
3851         (JSC::DFG::SpeculativeJIT::callOperation):
3852         * jit/JITStubs.h:
3853         * jit/JITStubsSH4.h:
3854
3855 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
3856
3857         Unreviewed, fix build.
3858
3859         * API/JSValue.mm:
3860         (isDate):
3861         (isArray):
3862         * API/JSWrapperMap.mm:
3863         (tryUnwrapObjcObject):
3864         * API/ObjCCallbackFunction.mm:
3865         (tryUnwrapBlock):
3866
3867 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
3868
3869         Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
3870         https://bugs.webkit.org/show_bug.cgi?id=119770
3871
3872         Reviewed by Mark Hahnenberg.
3873
3874         * API/JSCallbackConstructor.cpp:
3875         (JSC::JSCallbackConstructor::finishCreation):
3876         * API/JSCallbackConstructor.h:
3877         (JSC::JSCallbackConstructor::createStructure):
3878         * API/JSCallbackFunction.cpp:
3879         (JSC::JSCallbackFunction::finishCreation):
3880         * API/JSCallbackFunction.h:
3881         (JSC::JSCallbackFunction::createStructure):
3882         * API/JSCallbackObject.cpp:
3883         (JSC::::createStructure):
3884         * API/JSCallbackObject.h:
3885         (JSC::JSCallbackObject::visitChildren):
3886         * API/JSCallbackObjectFunctions.h:
3887         (JSC::::asCallbackObject):
3888         (JSC::::finishCreation):
3889         * API/JSObjectRef.cpp:
3890         (JSObjectGetPrivate):
3891         (JSObjectSetPrivate):
3892         (JSObjectGetPrivateProperty):
3893         (JSObjectSetPrivateProperty):
3894         (JSObjectDeletePrivateProperty):
3895         * API/JSValueRef.cpp:
3896         (JSValueIsObjectOfClass):
3897         * API/JSWeakObjectMapRefPrivate.cpp:
3898         * API/ObjCCallbackFunction.h:
3899         (JSC::ObjCCallbackFunction::createStructure):
3900         * JSCTypedArrayStubs.h:
3901         * bytecode/CallLinkStatus.cpp:
3902         (JSC::CallLinkStatus::CallLinkStatus):
3903         (JSC::CallLinkStatus::function):