[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
2
3         https://bugs.webkit.org/show_bug.cgi?id=119995
4         Start removing custom implementations of getOwnPropertyDescriptor
5
6         Reviewed by Oliver Hunt.
7
8         This can now typically be implemented in terms of getOwnPropertySlot.
9         Add a macro to PropertyDescriptor to define an implementation of GOPD in terms of GOPS.
10         Switch over most classes in JSC & the WebCore bindings generator to use this.
11
12         * API/JSCallbackObjectFunctions.h:
13         * debugger/DebuggerActivation.cpp:
14         * runtime/Arguments.cpp:
15         * runtime/ArrayConstructor.cpp:
16         * runtime/ArrayPrototype.cpp:
17         * runtime/BooleanPrototype.cpp:
18         * runtime/DateConstructor.cpp:
19         * runtime/DatePrototype.cpp:
20         * runtime/ErrorPrototype.cpp:
21         * runtime/JSActivation.cpp:
22         * runtime/JSArray.cpp:
23         * runtime/JSArrayBuffer.cpp:
24         * runtime/JSArrayBufferView.cpp:
25         * runtime/JSCell.cpp:
26         * runtime/JSDataView.cpp:
27         * runtime/JSDataViewPrototype.cpp:
28         * runtime/JSFunction.cpp:
29         * runtime/JSGenericTypedArrayViewInlines.h:
30         * runtime/JSNotAnObject.cpp:
31         * runtime/JSONObject.cpp:
32         * runtime/JSObject.cpp:
33         * runtime/NamePrototype.cpp:
34         * runtime/NumberConstructor.cpp:
35         * runtime/NumberPrototype.cpp:
36         * runtime/ObjectConstructor.cpp:
37             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
38         * runtime/PropertyDescriptor.h:
39             - Added GET_OWN_PROPERTY_DESCRIPTOR_IMPL macro.
40         * runtime/PropertySlot.h:
41         (JSC::PropertySlot::isValue):
42         (JSC::PropertySlot::isGetter):
43         (JSC::PropertySlot::isCustom):
44         (JSC::PropertySlot::isCacheableValue):
45         (JSC::PropertySlot::isCacheableGetter):
46         (JSC::PropertySlot::isCacheableCustom):
47         (JSC::PropertySlot::attributes):
48         (JSC::PropertySlot::getterSetter):
49             - Add accessors necessary to convert PropertySlot to descriptor.
50         * runtime/RegExpConstructor.cpp:
51         * runtime/RegExpMatchesArray.cpp:
52         * runtime/RegExpMatchesArray.h:
53         * runtime/RegExpObject.cpp:
54         * runtime/RegExpPrototype.cpp:
55         * runtime/StringConstructor.cpp:
56         * runtime/StringObject.cpp:
57             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
58
59 2013-08-19  Michael Saboff  <msaboff@apple.com>
60
61         https://bugs.webkit.org/show_bug.cgi?id=120015 DFG 32Bit: Crash loading "Classic" site @ translate.google.com
62
63         Reviewed by Sam Weinig.
64
65         * dfg/DFGSpeculativeJIT32_64.cpp:
66         (JSC::DFG::SpeculativeJIT::fillSpeculateCell): Added checks for spillFormat being
67         DataFormatInteger or DataFormatDouble similar to what is in the 64 bit code and in
68         all versions of fillSpeculateBoolean().
69
70 2013-08-19  Michael Saboff  <msaboff@apple.com>
71
72         https://bugs.webkit.org/show_bug.cgi?id=120020 Change Set 154207 causes wrong register to be used for 32 bit tests
73
74         Reviewed by Benjamin Poulain.
75
76         Change branchTest32 to only use the byte for 8 bit test on the lower 4 registers.
77         Registers 4 through 7 as byte registers are ah, ch, dh and bh instead of sp, bp, si and di.
78
79         * assembler/MacroAssemblerX86Common.h:
80         (JSC::MacroAssemblerX86Common::branchTest32):
81
82 2013-08-16  Oliver Hunt  <oliver@apple.com>
83
84         <https://webkit.org/b/119860> Crash during exception unwinding
85
86         Reviewed by Filip Pizlo.
87
88         Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error
89         to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node.
90
91         We need this so that Throw and ThrowReferenceError no longer need to be treated as
92         terminals and the subsequent flush keeps the activation (and other registers) live.
93
94         * dfg/DFGAbstractInterpreterInlines.h:
95         (JSC::DFG::::executeEffects):
96         * dfg/DFGByteCodeParser.cpp:
97         (JSC::DFG::ByteCodeParser::parseBlock):
98         * dfg/DFGClobberize.h:
99         (JSC::DFG::clobberize):
100         * dfg/DFGFixupPhase.cpp:
101         (JSC::DFG::FixupPhase::fixupNode):
102         * dfg/DFGNode.h:
103         (JSC::DFG::Node::isTerminal):
104         * dfg/DFGNodeType.h:
105         * dfg/DFGPredictionPropagationPhase.cpp:
106         (JSC::DFG::PredictionPropagationPhase::propagate):
107         * dfg/DFGSafeToExecute.h:
108         (JSC::DFG::safeToExecute):
109         * dfg/DFGSpeculativeJIT32_64.cpp:
110         (JSC::DFG::SpeculativeJIT::compile):
111         * dfg/DFGSpeculativeJIT64.cpp:
112         (JSC::DFG::SpeculativeJIT::compile):
113
114 2013-08-19  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>
115
116         <https://webkit.org/b/120008> [GTK][ARM] javascriptcore compilation is broken
117
118         Reviewed by Oliver Hunt.
119
120         Guard the compilation of these files only if DFG_JIT is enabled.
121
122         * dfg/DFGDesiredTransitions.cpp:
123         * dfg/DFGDesiredTransitions.h:
124         * dfg/DFGDesiredWeakReferences.cpp:
125         * dfg/DFGDesiredWeakReferences.h:
126         * dfg/DFGDesiredWriteBarriers.cpp:
127         * dfg/DFGDesiredWriteBarriers.h:
128
129 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
130
131         REGRESSION(r154218): DFG::FixupPhase no longer turns GetById's child1 into CellUse
132         https://bugs.webkit.org/show_bug.cgi?id=119961
133
134         Reviewed by Mark Hahnenberg.
135
136         * dfg/DFGFixupPhase.cpp:
137         (JSC::DFG::FixupPhase::fixupNode):
138
139 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
140
141         https://bugs.webkit.org/show_bug.cgi?id=119972
142         Add attributes field to PropertySlot
143
144         Reviewed by Geoff Garen.
145
146         For all JSC types, this makes getOwnPropertyDescriptor redundant.
147         There will be a bit more hacking required in WebCore to remove GOPD whilst maintaining current behaviour.
148         (Current behaviour is in many ways broken, particularly in that GOPD & GOPS are inconsistent, but we should fix incrementally).
149
150         No performance impact.
151
152         * runtime/PropertySlot.h:
153         (JSC::PropertySlot::setValue):
154         (JSC::PropertySlot::setCustom):
155         (JSC::PropertySlot::setCacheableCustom):
156         (JSC::PropertySlot::setCustomIndex):
157         (JSC::PropertySlot::setGetterSlot):
158         (JSC::PropertySlot::setCacheableGetterSlot):
159             - These methods now all require 'attributes'.
160         * runtime/JSObject.h:
161         (JSC::JSObject::getDirect):
162         (JSC::JSObject::getDirectOffset):
163         (JSC::JSObject::inlineGetOwnPropertySlot):
164             - Added variants of getDirect, getDirectOffset that return the attributes.
165         * API/JSCallbackObjectFunctions.h:
166         (JSC::::getOwnPropertySlot):
167         * runtime/Arguments.cpp:
168         (JSC::Arguments::getOwnPropertySlotByIndex):
169         (JSC::Arguments::getOwnPropertySlot):
170         * runtime/JSActivation.cpp:
171         (JSC::JSActivation::symbolTableGet):
172         (JSC::JSActivation::getOwnPropertySlot):
173         * runtime/JSArray.cpp:
174         (JSC::JSArray::getOwnPropertySlot):
175         * runtime/JSArrayBuffer.cpp:
176         (JSC::JSArrayBuffer::getOwnPropertySlot):
177         * runtime/JSArrayBufferView.cpp:
178         (JSC::JSArrayBufferView::getOwnPropertySlot):
179         * runtime/JSDataView.cpp:
180         (JSC::JSDataView::getOwnPropertySlot):
181         * runtime/JSFunction.cpp:
182         (JSC::JSFunction::getOwnPropertySlot):
183         * runtime/JSGenericTypedArrayViewInlines.h:
184         (JSC::::getOwnPropertySlot):
185         (JSC::::getOwnPropertySlotByIndex):
186         * runtime/JSObject.cpp:
187         (JSC::JSObject::getOwnPropertySlotByIndex):
188         (JSC::JSObject::fillGetterPropertySlot):
189         * runtime/JSString.h:
190         (JSC::JSString::getStringPropertySlot):
191         * runtime/JSSymbolTableObject.h:
192         (JSC::symbolTableGet):
193         * runtime/Lookup.cpp:
194         (JSC::setUpStaticFunctionSlot):
195         * runtime/Lookup.h:
196         (JSC::getStaticPropertySlot):
197         (JSC::getStaticPropertyDescriptor):
198         (JSC::getStaticValueSlot):
199         (JSC::getStaticValueDescriptor):
200         * runtime/RegExpObject.cpp:
201         (JSC::RegExpObject::getOwnPropertySlot):
202         * runtime/SparseArrayValueMap.cpp:
203         (JSC::SparseArrayEntry::get):
204             - Pass attributes to PropertySlot::set* methods.
205
206 2013-08-17  Mark Hahnenberg  <mhahnenberg@apple.com>
207
208         <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
209
210         Reviewed by Filip Pizlo.
211
212         Added a new mode for DesiredWriteBarrier that allows it to track a position in a 
213         Vector of WriteBarriers rather than the specific address. The fact that we were 
214         arbitrarily storing into a Vector's backing store for constants at the end of 
215         compilation after the Vector could have resized was causing crashes.
216
217         * bytecode/CodeBlock.h:
218         (JSC::CodeBlock::constants):
219         (JSC::CodeBlock::addConstantLazily):
220         * dfg/DFGByteCodeParser.cpp:
221         (JSC::DFG::ByteCodeParser::addConstant):
222         * dfg/DFGDesiredWriteBarriers.cpp:
223         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
224         (JSC::DFG::DesiredWriteBarrier::trigger):
225         (JSC::DFG::initializeLazyWriteBarrierForConstant):
226         * dfg/DFGDesiredWriteBarriers.h:
227         (JSC::DFG::DesiredWriteBarriers::add):
228         * dfg/DFGFixupPhase.cpp:
229         (JSC::DFG::FixupPhase::truncateConstantToInt32):
230         * dfg/DFGGraph.h:
231         (JSC::DFG::Graph::constantRegisterForConstant):
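
Added illustration (not JSC's DesiredWriteBarrier code) of the defect this entry describes: a deferred store that remembers an element's address inside a growable vector goes stale as soon as the vector reallocates, while one that remembers the vector and the position resolves against whatever backing store is live when it is triggered. ConstantVector, AddressBarrier, IndexBarrier and the two probe functions are constructed names for this example; growth is modelled as a fresh allocation plus copy, which is enough to show the moved address.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed for this example; not the JSC Vector or CodeBlock constants API. */
typedef struct {
    uint64_t* data;
    size_t size;
    size_t capacity;
} ConstantVector;

static void vec_init(ConstantVector* v)
{
    v->capacity = 2;
    v->size = 0;
    v->data = malloc(v->capacity * sizeof(uint64_t));
}

/* Growth moves the elements to a fresh allocation and frees the old backing
   store, so every pointer taken into the old store is dangling afterwards. */
static void vec_push(ConstantVector* v, uint64_t value)
{
    if (v->size == v->capacity) {
        size_t newCapacity = v->capacity * 2;
        uint64_t* moved = malloc(newCapacity * sizeof(uint64_t));
        memcpy(moved, v->data, v->size * sizeof(uint64_t));
        free(v->data);
        v->data = moved;
        v->capacity = newCapacity;
    }
    v->data[v->size++] = value;
}

static void vec_free(ConstantVector* v)
{
    free(v->data);
    v->data = NULL;
}

/* Old shape of the deferred barrier: the element's address, captured at
   compile time. Kept as an integer here so it is never dereferenced. */
typedef struct { uintptr_t address; } AddressBarrier;

/* Fixed shape: the vector plus the element's position within it. */
typedef struct { ConstantVector* vector; size_t index; } IndexBarrier;

static void index_barrier_trigger(IndexBarrier b, uint64_t value)
{
    b.vector->data[b.index] = value;  /* always hits the live backing store */
}

/* true only if the address recorded before growth still names slot 1.
   The third push forces growth, so the recorded address belongs to freed
   memory and the function returns false. */
bool address_barrier_survives_growth(void)
{
    ConstantVector v;
    vec_init(&v);
    vec_push(&v, 1);
    vec_push(&v, 2);
    AddressBarrier b = { (uintptr_t)&v.data[1] };  /* recorded during "compilation" */
    vec_push(&v, 3);                               /* capacity 2 -> 4: store moves */
    bool same = b.address == (uintptr_t)&v.data[1];
    vec_free(&v);
    return same;
}

/* Value read back from slot 1 after the position-based barrier was triggered
   at the end of "compilation", i.e. after the vector had grown. */
uint64_t index_barrier_value_after_growth(void)
{
    ConstantVector v;
    vec_init(&v);
    vec_push(&v, 1);
    vec_push(&v, 2);
    IndexBarrier b = { &v, 1 };
    vec_push(&v, 3);
    index_barrier_trigger(b, 42);
    uint64_t result = v.data[1];
    vec_free(&v);
    return result;
}

int main(void)
{
    printf("address barrier still valid after growth: %s\n",
           address_barrier_survives_growth() ? "yes" : "no");
    printf("index barrier value read back after growth: %llu\n",
           (unsigned long long)index_barrier_value_after_growth());
    return 0;
}
```

The address comparison is done on integers captured while the pointer was valid, so the example itself stays well defined; the real bug was the store through that stale address into memory the Vector had already released.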
232
233 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
234
235         DFG should optimize typedArray.byteLength
236         https://bugs.webkit.org/show_bug.cgi?id=119909
237
238         Reviewed by Oliver Hunt.
239         
240         This adds typedArray.byteLength inlining to the DFG, and does so without changing
241         the IR: byteLength is turned into GetArrayLength followed by BitLShift. This is
242         legal since the byteLength of a typed array cannot exceed
243         numeric_limits<int32_t>::max().
244
245         * bytecode/SpeculatedType.cpp:
246         (JSC::typedArrayTypeFromSpeculation):
247         * bytecode/SpeculatedType.h:
248         * dfg/DFGArrayMode.cpp:
249         (JSC::DFG::toArrayType):
250         * dfg/DFGArrayMode.h:
251         * dfg/DFGFixupPhase.cpp:
252         (JSC::DFG::FixupPhase::fixupNode):
253         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
254         (JSC::DFG::FixupPhase::attemptToMakeGetByteLength):
255         (JSC::DFG::FixupPhase::convertToGetArrayLength):
256         (JSC::DFG::FixupPhase::prependGetArrayLength):
257         * dfg/DFGGraph.h:
258         (JSC::DFG::Graph::constantRegisterForConstant):
259         (JSC::DFG::Graph::convertToConstant):
260         * runtime/TypedArrayType.h:
261         (JSC::logElementSize):
262         (JSC::elementSize):
263
264 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
265
266         DFG optimizes out strict mode arguments tear off
267         https://bugs.webkit.org/show_bug.cgi?id=119504
268
269         Reviewed by Mark Hahnenberg and Oliver Hunt.
270         
271         Don't do the optimization for strict mode.
272
273         * dfg/DFGArgumentsSimplificationPhase.cpp:
274         (JSC::DFG::ArgumentsSimplificationPhase::run):
275         (JSC::DFG::ArgumentsSimplificationPhase::pruneObviousArgumentCreations):
276
277 2013-08-16  Benjamin Poulain  <benjamin@webkit.org>
278
279         [JSC] x86: improve code generation for xxxTest32
280         https://bugs.webkit.org/show_bug.cgi?id=119876
281
282         Reviewed by Geoffrey Garen.
283
284         Try to use testb whenever possible when testing for an immediate value.
285
286         When the input is an address and an offset, we can tweak the mask
287         and offset to be able to generate testb for any byte of the mask.
288
289         When the input is a register, we can use testb if we are only interested
290         in testing the low bits.
291
292         * assembler/MacroAssemblerX86Common.h:
293         (JSC::MacroAssemblerX86Common::branchTest32):
294         (JSC::MacroAssemblerX86Common::test32):
295         (JSC::MacroAssemblerX86Common::generateTest32):
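
Worked example, added here and not WebKit's MacroAssembler code, of the narrowing rule this entry describes together with the branchTest32 follow-up fix for change set 154207 earlier in this log: a 32-bit test against an immediate can become a one-byte testb for a memory operand whenever the mask lives in a single byte (bump the displacement to that byte), but for a register operand only when the mask fits the low byte and the register is one of eax..ebx, because byte-register numbers 4..7 encode ah, ch, dh and bh rather than the low bytes of esp, ebp, esi and edi. TestPlan, plan_test32_mem, plan_test32_reg and plan_tests_nonzero are constructed names; register indices follow the x86 encoding (eax=0 .. edi=7), and the x86-64 REX-prefixed byte registers are deliberately not modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed for this example; not JSC's assembler API. */
typedef struct {
    bool use_byte_test;  /* true: emit testb on one byte of the operand */
    int byte_offset;     /* which byte (0..3) of the 32-bit operand testb reads */
    uint8_t byte_mask;   /* the 8-bit immediate for testb */
} TestPlan;

/* Index of the single nonzero byte of mask, or -1 if the mask is zero or
   spans more than one byte (then only a full testl is correct). */
static int single_byte_index(uint32_t mask)
{
    int found = -1;
    for (int i = 0; i < 4; i++) {
        if ((mask >> (8 * i)) & 0xffu) {
            if (found != -1)
                return -1;
            found = i;
        }
    }
    return found;
}

/* Memory operand (base + displacement): any one byte of the mask can be
   tested by adding that byte's index to the displacement. */
TestPlan plan_test32_mem(uint32_t mask)
{
    TestPlan p = { false, 0, 0 };
    int idx = single_byte_index(mask);
    if (idx >= 0) {
        p.use_byte_test = true;
        p.byte_offset = idx;
        p.byte_mask = (uint8_t)(mask >> (8 * idx));
    }
    return p;
}

/* Register operand: only the low byte is reachable, and without a REX prefix
   byte-register numbers 4..7 name ah, ch, dh and bh, not the low bytes of
   esp, ebp, esi and edi. So testb is used only for registers 0..3 and every
   other register keeps the full testl (the change set 154207 fix). */
TestPlan plan_test32_reg(uint32_t mask, int reg_index)
{
    TestPlan p = { false, 0, 0 };
    bool low_byte_only = mask != 0 && (mask & ~0xffu) == 0;
    if (low_byte_only && reg_index >= 0 && reg_index <= 3) {
        p.use_byte_test = true;
        p.byte_offset = 0;
        p.byte_mask = (uint8_t)mask;
    }
    return p;
}

/* The "some tested bit is set" outcome the planned instruction yields for an
   operand value, so a narrowed plan can be checked against the 32-bit test. */
bool plan_tests_nonzero(TestPlan p, uint32_t operand, uint32_t original_mask)
{
    if (!p.use_byte_test)
        return (operand & original_mask) != 0;
    uint8_t byte = (uint8_t)(operand >> (8 * p.byte_offset));
    return (byte & p.byte_mask) != 0;
}

int main(void)
{
    uint32_t operand = 0x00a50000u;  /* constructed sample value */
    uint32_t mask = 0x00800000u;     /* bit 23, entirely inside byte 2 */
    TestPlan mem = plan_test32_mem(mask);
    printf("mem: testb=%d byte=%d imm=0x%02x nonzero=%d (testl says %d)\n",
           mem.use_byte_test, mem.byte_offset, mem.byte_mask,
           plan_tests_nonzero(mem, operand, mask), (operand & mask) != 0);
    TestPlan esi = plan_test32_reg(0x10u, 6);  /* reg 6 = esi: must stay testl */
    TestPlan ecx = plan_test32_reg(0x10u, 1);  /* reg 1 = ecx: testb is safe */
    printf("esi: testb=%d  ecx: testb=%d\n", esi.use_byte_test, ecx.use_byte_test);
    return 0;
}
```

Keeping the decision in a pure function makes the equivalence between the narrowed form and the full test checkable on sample values, which is how a wrong-register encoding bug like the one fixed for change set 154207 is caught before it reaches generated code.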
296
297 2013-08-16  Mark Lam  <mark.lam@apple.com>
298
299         <https://bugs.webkit.org/show_bug.cgi?id=119913> Baseline JIT gives erroneous
300         error message that an object is not a constructor though it expects a function
301
302         Reviewed by Michael Saboff.
303
304         * jit/JITStubs.cpp:
305         (JSC::DEFINE_STUB_FUNCTION):
306
307 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
308
309         Object properties added using dot syntax (o.f = ...) from code that isn't in eval should be less likely to cause an object to become a dictionary
310         https://bugs.webkit.org/show_bug.cgi?id=119897
311
312         Reviewed by Oliver Hunt.
313         
314         6-10x speed-up on microbenchmarks that create large static objects. 40-65% speed-up
315         on Octane/gbemu. 3% overall speed-up on Octane. No slow-downs anywhere; our ability
316         to turn objects into dictionaries when you're storing using bracket syntax or using
317         eval is still in place.
318
319         * bytecode/CodeBlock.h:
320         (JSC::CodeBlock::putByIdContext):
321         * dfg/DFGOperations.cpp:
322         * jit/JITStubs.cpp:
323         (JSC::DEFINE_STUB_FUNCTION):
324         * llint/LLIntSlowPaths.cpp:
325         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
326         * runtime/JSObject.h:
327         (JSC::JSObject::putDirectInternal):
328         * runtime/PutPropertySlot.h:
329         (JSC::PutPropertySlot::PutPropertySlot):
330         (JSC::PutPropertySlot::context):
331         * runtime/Structure.cpp:
332         (JSC::Structure::addPropertyTransition):
333         * runtime/Structure.h:
334
335 2013-08-16  Balazs Kilvady  <kilvadyb@homejinni.com>
336
337         <https://webkit.org/b/119742> REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException
338
339         Reviewed by Allan Sandfeld Jensen.
340
341         ctiVMHandleException must jump/return using register ra (r31).
342
343         * jit/JITStubsMIPS.h:
344
345 2013-08-16  Julien Brianceau  <jbrianceau@nds.com>
346
347         <https://webkit.org/b/119879> Fix sh4 build after r154156.
348
349         Reviewed by Allan Sandfeld Jensen.
350
351         Fix typo in JITStubsSH4.h file.
352
353         * jit/JITStubsSH4.h:
354
355 2013-08-15  Mark Hahnenberg  <mhahnenberg@apple.com>
356
357         <https://webkit.org/b/119833> Concurrent compilation thread should not trigger WriteBarriers
358
359         Reviewed by Oliver Hunt.
360
361         The concurrent compilation thread should interact minimally with the Heap, including not 
362         triggering WriteBarriers. This is a prerequisite for generational GC.
363
364         * JavaScriptCore.xcodeproj/project.pbxproj:
365         * bytecode/CodeBlock.cpp:
366         (JSC::CodeBlock::addOrFindConstant):
367         (JSC::CodeBlock::findConstant):
368         * bytecode/CodeBlock.h:
369         (JSC::CodeBlock::addConstantLazily):
370         * dfg/DFGByteCodeParser.cpp:
371         (JSC::DFG::ByteCodeParser::getJSConstantForValue):
372         (JSC::DFG::ByteCodeParser::constantUndefined):
373         (JSC::DFG::ByteCodeParser::constantNull):
374         (JSC::DFG::ByteCodeParser::one):
375         (JSC::DFG::ByteCodeParser::constantNaN):
376         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
377         * dfg/DFGCommonData.cpp:
378         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
379         * dfg/DFGCommonData.h:
380         * dfg/DFGDesiredTransitions.cpp: Added.
381         (JSC::DFG::DesiredTransition::DesiredTransition):
382         (JSC::DFG::DesiredTransition::reallyAdd):
383         (JSC::DFG::DesiredTransitions::DesiredTransitions):
384         (JSC::DFG::DesiredTransitions::~DesiredTransitions):
385         (JSC::DFG::DesiredTransitions::addLazily):
386         (JSC::DFG::DesiredTransitions::reallyAdd):
387         * dfg/DFGDesiredTransitions.h: Added.
388         * dfg/DFGDesiredWeakReferences.cpp: Added.
389         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
390         (JSC::DFG::DesiredWeakReferences::~DesiredWeakReferences):
391         (JSC::DFG::DesiredWeakReferences::addLazily):
392         (JSC::DFG::DesiredWeakReferences::reallyAdd):
393         * dfg/DFGDesiredWeakReferences.h: Added.
394         * dfg/DFGDesiredWriteBarriers.cpp: Added.
395         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
396         (JSC::DFG::DesiredWriteBarrier::trigger):
397         (JSC::DFG::DesiredWriteBarriers::DesiredWriteBarriers):
398         (JSC::DFG::DesiredWriteBarriers::~DesiredWriteBarriers):
399         (JSC::DFG::DesiredWriteBarriers::addImpl):
400         (JSC::DFG::DesiredWriteBarriers::trigger):
401         * dfg/DFGDesiredWriteBarriers.h: Added.
402         (JSC::DFG::DesiredWriteBarriers::add):
403         (JSC::DFG::initializeLazyWriteBarrier):
404         * dfg/DFGFixupPhase.cpp:
405         (JSC::DFG::FixupPhase::truncateConstantToInt32):
406         * dfg/DFGGraph.h:
407         (JSC::DFG::Graph::convertToConstant):
408         * dfg/DFGJITCompiler.h:
409         (JSC::DFG::JITCompiler::addWeakReference):
410         * dfg/DFGPlan.cpp:
411         (JSC::DFG::Plan::Plan):
412         (JSC::DFG::Plan::reallyAdd):
413         * dfg/DFGPlan.h:
414         * dfg/DFGSpeculativeJIT32_64.cpp:
415         (JSC::DFG::SpeculativeJIT::compile):
416         * dfg/DFGSpeculativeJIT64.cpp:
417         (JSC::DFG::SpeculativeJIT::compile):
418         * runtime/WriteBarrier.h:
419         (JSC::WriteBarrierBase::set):
420         (JSC::WriteBarrier::WriteBarrier):
421
422 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
423
424         Fix x86 32bits build after r154158
425
426         * assembler/X86Assembler.h: Add missing #ifdef for the x86_64 instructions.
427
428 2013-08-15  Ryosuke Niwa  <rniwa@webkit.org>
429
430         Build fix attempt after r154156.
431
432         * jit/JITStubs.cpp:
433         (JSC::cti_vm_handle_exception): encode!
434
435 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
436
437         [JSC] x86: Use inc and dec when possible
438         https://bugs.webkit.org/show_bug.cgi?id=119831
439
440         Reviewed by Geoffrey Garen.
441
442         When incrementing or decrementing by an immediate of 1, use the instructions
443         inc and dec instead of add and sub.
444         The instructions have good timing and their encoding is smaller.
445
446         * assembler/MacroAssemblerX86Common.h:
447         (JSC::MacroAssemblerX86_64::add32):
448         (JSC::MacroAssemblerX86_64::sub32):
449         * assembler/MacroAssemblerX86_64.h:
450         (JSC::MacroAssemblerX86_64::add64):
451         (JSC::MacroAssemblerX86_64::sub64):
452         * assembler/X86Assembler.h:
453         (JSC::X86Assembler::dec_r):
454         (JSC::X86Assembler::decq_r):
455         (JSC::X86Assembler::inc_r):
456         (JSC::X86Assembler::incq_r):
457
458 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
459
460         Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
461         https://bugs.webkit.org/show_bug.cgi?id=119874
462
463         Reviewed by Oliver Hunt and Mark Hahnenberg.
464         
465         It was a confusion between heuristics in DFG::ArrayMode that are assuming that
466         you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
467         sometimes for typed array length accesses, and the FixupPhase assuming that a
468         ForceExit ArrayMode means that it should continue using a generic GetById.
469
470         This fixes the confusion.
471
472         * dfg/DFGFixupPhase.cpp:
473         (JSC::DFG::FixupPhase::fixupNode):
474
475 2013-08-15  Mark Lam  <mark.lam@apple.com>
476
477         Fix crash when performing activation tearoff.
478         https://bugs.webkit.org/show_bug.cgi?id=119848
479
480         Reviewed by Oliver Hunt.
481
482         The activation tearoff crash was due to a bug in the baseline JIT.
483         If we have a scenario where a baseline JIT frame calls a LLINT
484         frame, an exception may be thrown while in the LLINT.
485
486         Interpreter::throwException() which handles the exception will unwind
487         all frames until it finds a catcher or sees a host frame. When we
488         return from the LLINT to the baseline JIT code, the baseline JIT code
489         erroneously sets topCallFrame to the value in its call frame register,
490         and starts unwinding the stack frames that have already been unwound.
491
492         The fix is:
493         1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
494            This is a more accurate description of what this runtime function
495            is supposed to do, i.e. it handles the exception, which includes doing
496            nothing (if there are no more frames to unwind).
497         2. Fix up topCallFrame values so that the HostCallFrameFlag is never
498            set on it.
499         3. Reload the call frame register from topCallFrame when we're
500            returning from a callee and detect exception handling in progress.
501
502         * interpreter/Interpreter.cpp:
503         (JSC::Interpreter::unwindCallFrame):
504         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
505         (JSC::Interpreter::getStackTrace):
506         * interpreter/Interpreter.h:
507         (JSC::TopCallFrameSetter::TopCallFrameSetter):
508         (JSC::TopCallFrameSetter::~TopCallFrameSetter):
509         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
510         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
511         * jit/JIT.h:
512         * jit/JITExceptions.cpp:
513         (JSC::uncaughtExceptionHandler):
514         - Convenience function to get the handler for uncaught exceptions.
515         * jit/JITExceptions.h:
516         * jit/JITInlines.h:
517         (JSC::JIT::reloadCallFrameFromTopCallFrame):
518         * jit/JITOpcodes32_64.cpp:
519         (JSC::JIT::privateCompileCTINativeCall):
520         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
521         * jit/JITStubs.cpp:
522         (JSC::throwExceptionFromOpCall):
523         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
524         (JSC::cti_vm_handle_exception):
525         - Check for the case when there are no more frames to unwind.
526         * jit/JITStubs.h:
527         * jit/JITStubsARM.h:
528         * jit/JITStubsARMv7.h:
529         * jit/JITStubsMIPS.h:
530         * jit/JITStubsSH4.h:
531         * jit/JITStubsX86.h:
532         * jit/JITStubsX86_64.h:
533         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
534         * jit/SlowPathCall.h:
535         (JSC::JITSlowPathCall::call):
536         - reload cfr from topCallFrame when handling an exception.
537         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
538         * jit/ThunkGenerators.cpp:
539         (JSC::nativeForGenerator):
540         * llint/LowLevelInterpreter32_64.asm:
541         * llint/LowLevelInterpreter64.asm:
542         - reload cfr from topCallFrame when handling an exception.
543         * runtime/VM.cpp:
544         (JSC::VM::VM):
545         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
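
Added model (not JSC's Interpreter or JIT code) of the crash mechanism and the three-part fix in this entry: frames form a caller chain whose host boundary is marked by a flag bit in the link, unwinding walks that chain until a handler or the host boundary and always stores topCallFrame with the flag stripped, and a JIT frame that is returned into while an exception is in flight must take its call frame from topCallFrame rather than from its own stale register. Frame, VM, throwException, doubleUnwoundFrames and stopsCleanlyAtHostBoundary are constructed names; real frames live on the machine stack, so a frame unwound twice there means touching memory that may already be reused, which this model only counts.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed for this example; not JSC's CallFrame layout. */
typedef struct Frame {
    struct Frame* callerFrame;  /* link to the caller; low bit set marks a host frame */
    bool hasHandler;            /* the frame has a catch handler */
    int unwindCount;            /* how many times unwinding passed this frame */
} Frame;

/* Frame is pointer-aligned, so bit 0 of a Frame* is free to carry the flag. */
#define HOST_CALL_FRAME_FLAG ((uintptr_t)1)

static bool hasHostFlag(const Frame* f) { return ((uintptr_t)f & HOST_CALL_FRAME_FLAG) != 0; }
static Frame* removeHostFlag(Frame* f) { return (Frame*)((uintptr_t)f & ~HOST_CALL_FRAME_FLAG); }
static Frame* addHostFlag(Frame* f) { return (Frame*)((uintptr_t)f | HOST_CALL_FRAME_FLAG); }

typedef struct { Frame* topCallFrame; } VM;

/* Unwind from `frame` until a handler is found or the host boundary is hit.
   Returns the handling frame, or NULL when no JS frame is left to unwind.
   topCallFrame is always stored without the flag (fix step 2 above). */
static Frame* throwException(VM* vm, Frame* frame)
{
    while (!frame->hasHandler) {
        frame->unwindCount++;
        Frame* caller = frame->callerFrame;
        if (hasHostFlag(caller)) {
            vm->topCallFrame = removeHostFlag(caller);
            return NULL;
        }
        frame = caller;
    }
    vm->topCallFrame = frame;
    return frame;
}

/* Scenario from the entry: JIT frame jitB calls an LLInt frame that throws;
   the handler is in jitB's caller jitA. Control then returns into jitB with
   the exception in flight, and jitB either reinstalls its own call frame
   register (old behaviour) or reloads it from topCallFrame (fix step 3).
   Returns how many frames ended up unwound more than once. */
int doubleUnwoundFrames(bool reloadFromTopCallFrame)
{
    Frame host = { NULL, false, 0 };
    Frame jitA = { addHostFlag(&host), true, 0 };
    Frame jitB = { &jitA, false, 0 };
    Frame llint = { &jitB, false, 0 };
    VM vm = { &llint };

    throwException(&vm, &llint);  /* unwinds llint and jitB, stops at jitA */

    Frame* cfr = reloadFromTopCallFrame ? vm.topCallFrame : &jitB;
    vm.topCallFrame = cfr;
    throwException(&vm, cfr);     /* exception handling continues from cfr */

    int twice = 0;
    if (llint.unwindCount > 1) twice++;
    if (jitB.unwindCount > 1) twice++;
    if (jitA.unwindCount > 1) twice++;
    return twice;
}

/* When nothing catches, unwinding stops at the host boundary and topCallFrame
   holds the host frame with the flag stripped: the "no more frames to unwind"
   case the entry adds to cti_vm_handle_exception. */
bool stopsCleanlyAtHostBoundary(void)
{
    Frame host = { NULL, false, 0 };
    Frame jit = { addHostFlag(&host), false, 0 };
    Frame llint = { &jit, false, 0 };
    VM vm = { &llint };
    Frame* handler = throwException(&vm, &llint);
    return handler == NULL && vm.topCallFrame == &host && !hasHostFlag(vm.topCallFrame);
}

int main(void)
{
    printf("frames unwound twice, old behaviour: %d\n", doubleUnwoundFrames(false));
    printf("frames unwound twice, with reload:   %d\n", doubleUnwoundFrames(true));
    printf("uncaught exception stops cleanly at host boundary: %d\n",
           stopsCleanlyAtHostBoundary());
    return 0;
}
```

The invariant worth keeping in mind from the fix is that topCallFrame is the single source of truth once exception handling has started: any register copy of the call frame held by code that has already been unwound past is stale, and the flag bit must never leak into topCallFrame because unwinding compares and dereferences that value.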
546
547 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
548
549         Remove some code duplication.
550         
551         Rubber stamped by Mark Hahnenberg.
552
553         * runtime/JSDataViewPrototype.cpp:
554         (JSC::getData):
555         (JSC::setData):
556
557 2013-08-15  Julien Brianceau  <jbrianceau@nds.com>
558
559         [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
560         https://bugs.webkit.org/show_bug.cgi?id=119794
561
562         Reviewed by Filip Pizlo.
563
564         This patch fixes ASSERT failures in debug builds for the sh4 and mips architectures.
565
566         * dfg/DFGUseKind.h:
567         (JSC::DFG::isNumerical):
568         (JSC::DFG::isDouble):
569
570 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
571
572         http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.
573
574         Rubber stamped by Oliver Hunt.
575         
576         This was causing some test crashes for me.
577
578         * dfg/DFGCapabilities.cpp:
579         (JSC::DFG::capabilityLevel):
580
581 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
582
583         [Windows] Clear up improper export declaration.
584
585         * runtime/ArrayBufferView.h:
586
587 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
588
589         Unreviewed, remove some unnecessary periods from exceptions.
590
591         * runtime/JSDataViewPrototype.cpp:
592         (JSC::getData):
593         (JSC::setData):
594
595 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
596
597         Unreviewed, fix 32-bit build.
598
599         * dfg/DFGSpeculativeJIT32_64.cpp:
600         (JSC::DFG::SpeculativeJIT::compile):
601
602 2013-08-14  Filip Pizlo  <fpizlo@apple.com>
603
604         Typed arrays should be rewritten
605         https://bugs.webkit.org/show_bug.cgi?id=119064
606
607         Reviewed by Oliver Hunt.
608         
609         Typed arrays were previously deficient in several major ways:
610         
611         - They were defined separately in WebCore and in the jsc shell. The two
612           implementations were different, and the jsc shell one was basically wrong.
613           The WebCore one was quite awful, also.
614         
615         - Typed arrays were not visible to the JIT except through some weird hooks.
616           For example, the JIT could not ask "what is the Structure that this typed
617           array would have if I just allocated it from this global object". Also,
618           it was difficult to wire any of the typed array intrinsics, because most
619           of the functionality wasn't visible anywhere in JSC.
620         
621         - Typed array allocation was brain-dead. Allocating a typed array involved
622           two JS objects, two GC weak handles, and three malloc allocations.
623         
624         - Neutering. It involved keeping tabs on all native views but not the view
625           wrappers, even though the native views can autoneuter just by asking the
626           buffer if it was neutered anytime you touch them; while the JS view
627           wrappers are the ones that you really want to reach out to.
628         
629         - Common case-ing. Most typed arrays have one buffer and one view, and
630           usually nobody touches the buffer. Yet we created all of that stuff
631           anyway, using data structures optimized for the case where you had a lot
632           of views.
633         
634         - Semantic goofs. Typed arrays should, in the future, behave like ES
635           features rather than DOM features, for example when it comes to exceptions.
636           Firefox already does this and I agree with them.
637         
638         This patch cleanses our codebase of these sins:
639         
640         - Typed arrays are almost entirely defined in JSC. Only the lifecycle
641           management of native references to buffers is left to WebCore.
642         
643         - Allocating a typed array requires either two GC allocations (a cell and a
644           copied storage vector) or one GC allocation, a malloc allocation, and a
645           weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
646           latter). The latter is only used for oversize arrays. Remember that before
647           it was 7 allocations no matter what.
648         
649         - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
650           mode/length, void* vector. Before it was a lot more than that - remember,
651           there were five additional objects that did absolutely nothing for anybody.
652         
653         - Native views aren't tracked by the buffer, or by the wrappers. They are
654           transient. In the future we'll probably switch to not even having them be
655           malloc'd.
656         
657         - Native array buffers have an efficient way of tracking all of their JS view
658           wrappers, both for neutering, and for lifecycle management. The GC
659           special-cases native array buffers. This saves a bunch of grief; for example
660           it means that a JS view wrapper can refer to its buffer via the butterfly,
661           which would be dead by the time we went to finalize.
662         
663         - Typed array semantics now match Firefox, which also happens to be where the
664           standards are going. The discussion on webkit-dev seemed to confirm that
665           Chrome is also heading in this direction. This includes making
666           Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
667           ArrayBufferView as a JS-visible construct.
668         
669         This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
670         It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
671         further typed array optimizations in the JSC JITs, including inlining typed
672         array allocation, inlining more of the accessors, reducing the cost of type
673         checks, etc.
674         
675         An additional property of this patch is that typed arrays are mostly
676         implemented using templates. This deduplicates a bunch of code, but does mean
677         that we need some hacks for exporting s_info's of template classes. See
678         JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
679         low-impact compared to code duplication.
680         
681         Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
682
683         * CMakeLists.txt:
684         * DerivedSources.make:
685         * GNUmakefile.list.am:
686         * JSCTypedArrayStubs.h: Removed.
687         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
688         * JavaScriptCore.xcodeproj/project.pbxproj:
689         * Target.pri:
690         * bytecode/ByValInfo.h:
691         (JSC::hasOptimizableIndexingForClassInfo):
692         (JSC::jitArrayModeForClassInfo):
693         (JSC::typedArrayTypeForJITArrayMode):
694         * bytecode/SpeculatedType.cpp:
695         (JSC::speculationFromClassInfo):
696         * dfg/DFGArrayMode.cpp:
697         (JSC::DFG::toTypedArrayType):
698         * dfg/DFGArrayMode.h:
699         (JSC::DFG::ArrayMode::typedArrayType):
700         * dfg/DFGSpeculativeJIT.cpp:
701         (JSC::DFG::SpeculativeJIT::checkArray):
702         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
703         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
704         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
705         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
706         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
707         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
708         * dfg/DFGSpeculativeJIT.h:
709         * dfg/DFGSpeculativeJIT32_64.cpp:
710         (JSC::DFG::SpeculativeJIT::compile):
711         * dfg/DFGSpeculativeJIT64.cpp:
712         (JSC::DFG::SpeculativeJIT::compile):
713         * heap/CopyToken.h:
714         * heap/DeferGC.h:
715         (JSC::DeferGCForAWhile::DeferGCForAWhile):
716         (JSC::DeferGCForAWhile::~DeferGCForAWhile):
717         * heap/GCIncomingRefCounted.h: Added.
718         (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
719         (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
720         (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
721         (JSC::GCIncomingRefCounted::incomingReferenceAt):
722         (JSC::GCIncomingRefCounted::singletonFlag):
723         (JSC::GCIncomingRefCounted::hasVectorOfCells):
724         (JSC::GCIncomingRefCounted::hasAnyIncoming):
725         (JSC::GCIncomingRefCounted::hasSingleton):
726         (JSC::GCIncomingRefCounted::singleton):
727         (JSC::GCIncomingRefCounted::vectorOfCells):
728         * heap/GCIncomingRefCountedInlines.h: Added.
729         (JSC::::addIncomingReference):
730         (JSC::::filterIncomingReferences):
731         * heap/GCIncomingRefCountedSet.h: Added.
732         (JSC::GCIncomingRefCountedSet::size):
733         * heap/GCIncomingRefCountedSetInlines.h: Added.
734         (JSC::::GCIncomingRefCountedSet):
735         (JSC::::~GCIncomingRefCountedSet):
736         (JSC::::addReference):
737         (JSC::::sweep):
738         (JSC::::removeAll):
739         (JSC::::removeDead):
740         * heap/Heap.cpp:
741         (JSC::Heap::addReference):
742         (JSC::Heap::extraSize):
743         (JSC::Heap::size):
744         (JSC::Heap::capacity):
745         (JSC::Heap::collect):
746         (JSC::Heap::decrementDeferralDepth):
747         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
748         * heap/Heap.h:
749         * interpreter/CallFrame.h:
750         (JSC::ExecState::dataViewTable):
751         * jit/JIT.h:
752         * jit/JITPropertyAccess.cpp:
753         (JSC::JIT::privateCompileGetByVal):
754         (JSC::JIT::privateCompilePutByVal):
755         (JSC::JIT::emitIntTypedArrayGetByVal):
756         (JSC::JIT::emitFloatTypedArrayGetByVal):
757         (JSC::JIT::emitIntTypedArrayPutByVal):
758         (JSC::JIT::emitFloatTypedArrayPutByVal):
759         * jsc.cpp:
760         (GlobalObject::finishCreation):
761         * runtime/ArrayBuffer.cpp:
762         (JSC::ArrayBuffer::transfer):
763         * runtime/ArrayBuffer.h:
764         (JSC::ArrayBuffer::createAdopted):
765         (JSC::ArrayBuffer::ArrayBuffer):
766         (JSC::ArrayBuffer::gcSizeEstimateInBytes):
767         (JSC::ArrayBuffer::pin):
768         (JSC::ArrayBuffer::unpin):
769         (JSC::ArrayBufferContents::tryAllocate):
770         * runtime/ArrayBufferView.cpp:
771         (JSC::ArrayBufferView::ArrayBufferView):
772         (JSC::ArrayBufferView::~ArrayBufferView):
773         (JSC::ArrayBufferView::setNeuterable):
774         * runtime/ArrayBufferView.h:
775         (JSC::ArrayBufferView::isNeutered):
776         (JSC::ArrayBufferView::buffer):
777         (JSC::ArrayBufferView::baseAddress):
778         (JSC::ArrayBufferView::byteOffset):
779         (JSC::ArrayBufferView::verifySubRange):
780         (JSC::ArrayBufferView::clampOffsetAndNumElements):
781         (JSC::ArrayBufferView::calculateOffsetAndLength):
782         * runtime/ClassInfo.h:
783         * runtime/CommonIdentifiers.h:
784         * runtime/DataView.cpp: Added.
785         (JSC::DataView::DataView):
786         (JSC::DataView::create):
787         (JSC::DataView::wrap):
788         * runtime/DataView.h: Added.
789         (JSC::DataView::byteLength):
790         (JSC::DataView::getType):
791         (JSC::DataView::get):
792         (JSC::DataView::set):
793         * runtime/Float32Array.h:
794         * runtime/Float64Array.h:
795         * runtime/GenericTypedArrayView.h: Added.
796         (JSC::GenericTypedArrayView::data):
797         (JSC::GenericTypedArrayView::set):
798         (JSC::GenericTypedArrayView::setRange):
799         (JSC::GenericTypedArrayView::zeroRange):
800         (JSC::GenericTypedArrayView::zeroFill):
801         (JSC::GenericTypedArrayView::length):
802         (JSC::GenericTypedArrayView::byteLength):
803         (JSC::GenericTypedArrayView::item):
804         (JSC::GenericTypedArrayView::checkInboundData):
805         (JSC::GenericTypedArrayView::getType):
806         * runtime/GenericTypedArrayViewInlines.h: Added.
807         (JSC::::GenericTypedArrayView):
808         (JSC::::create):
809         (JSC::::createUninitialized):
810         (JSC::::subarray):
811         (JSC::::wrap):
812         * runtime/IndexingHeader.h:
813         (JSC::IndexingHeader::arrayBuffer):
814         (JSC::IndexingHeader::setArrayBuffer):
815         * runtime/Int16Array.h:
816         * runtime/Int32Array.h:
817         * runtime/Int8Array.h:
818         * runtime/JSArrayBuffer.cpp: Added.
819         (JSC::JSArrayBuffer::JSArrayBuffer):
820         (JSC::JSArrayBuffer::finishCreation):
821         (JSC::JSArrayBuffer::create):
822         (JSC::JSArrayBuffer::createStructure):
823         (JSC::JSArrayBuffer::getOwnPropertySlot):
824         (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
825         (JSC::JSArrayBuffer::put):
826         (JSC::JSArrayBuffer::defineOwnProperty):
827         (JSC::JSArrayBuffer::deleteProperty):
828         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
829         * runtime/JSArrayBuffer.h: Added.
830         (JSC::JSArrayBuffer::impl):
831         (JSC::toArrayBuffer):
832         * runtime/JSArrayBufferConstructor.cpp: Added.
833         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
834         (JSC::JSArrayBufferConstructor::finishCreation):
835         (JSC::JSArrayBufferConstructor::create):
836         (JSC::JSArrayBufferConstructor::createStructure):
837         (JSC::constructArrayBuffer):
838         (JSC::JSArrayBufferConstructor::getConstructData):
839         (JSC::JSArrayBufferConstructor::getCallData):
840         * runtime/JSArrayBufferConstructor.h: Added.
841         * runtime/JSArrayBufferPrototype.cpp: Added.
842         (JSC::arrayBufferProtoFuncSlice):
843         (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
844         (JSC::JSArrayBufferPrototype::finishCreation):
845         (JSC::JSArrayBufferPrototype::create):
846         (JSC::JSArrayBufferPrototype::createStructure):
847         * runtime/JSArrayBufferPrototype.h: Added.
848         * runtime/JSArrayBufferView.cpp: Added.
849         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
850         (JSC::JSArrayBufferView::JSArrayBufferView):
851         (JSC::JSArrayBufferView::finishCreation):
852         (JSC::JSArrayBufferView::getOwnPropertySlot):
853         (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
854         (JSC::JSArrayBufferView::put):
855         (JSC::JSArrayBufferView::defineOwnProperty):
856         (JSC::JSArrayBufferView::deleteProperty):
857         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
858         (JSC::JSArrayBufferView::finalize):
859         * runtime/JSArrayBufferView.h: Added.
860         (JSC::JSArrayBufferView::sizeOf):
861         (JSC::JSArrayBufferView::ConstructionContext::operator!):
862         (JSC::JSArrayBufferView::ConstructionContext::structure):
863         (JSC::JSArrayBufferView::ConstructionContext::vector):
864         (JSC::JSArrayBufferView::ConstructionContext::length):
865         (JSC::JSArrayBufferView::ConstructionContext::mode):
866         (JSC::JSArrayBufferView::ConstructionContext::butterfly):
867         (JSC::JSArrayBufferView::mode):
868         (JSC::JSArrayBufferView::vector):
869         (JSC::JSArrayBufferView::length):
870         (JSC::JSArrayBufferView::offsetOfVector):
871         (JSC::JSArrayBufferView::offsetOfLength):
872         (JSC::JSArrayBufferView::offsetOfMode):
873         * runtime/JSArrayBufferViewInlines.h: Added.
874         (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
875         (JSC::JSArrayBufferView::buffer):
876         (JSC::JSArrayBufferView::impl):
877         (JSC::JSArrayBufferView::neuter):
878         (JSC::JSArrayBufferView::byteOffset):
879         * runtime/JSCell.cpp:
880         (JSC::JSCell::slowDownAndWasteMemory):
881         (JSC::JSCell::getTypedArrayImpl):
882         * runtime/JSCell.h:
883         * runtime/JSDataView.cpp: Added.
884         (JSC::JSDataView::JSDataView):
885         (JSC::JSDataView::create):
886         (JSC::JSDataView::createUninitialized):
887         (JSC::JSDataView::set):
888         (JSC::JSDataView::typedImpl):
889         (JSC::JSDataView::getOwnPropertySlot):
890         (JSC::JSDataView::getOwnPropertyDescriptor):
891         (JSC::JSDataView::slowDownAndWasteMemory):
892         (JSC::JSDataView::getTypedArrayImpl):
893         (JSC::JSDataView::createStructure):
894         * runtime/JSDataView.h: Added.
895         * runtime/JSDataViewPrototype.cpp: Added.
896         (JSC::JSDataViewPrototype::JSDataViewPrototype):
897         (JSC::JSDataViewPrototype::create):
898         (JSC::JSDataViewPrototype::createStructure):
899         (JSC::JSDataViewPrototype::getOwnPropertySlot):
900         (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
901         (JSC::getData):
902         (JSC::setData):
903         (JSC::dataViewProtoFuncGetInt8):
904         (JSC::dataViewProtoFuncGetInt16):
905         (JSC::dataViewProtoFuncGetInt32):
906         (JSC::dataViewProtoFuncGetUint8):
907         (JSC::dataViewProtoFuncGetUint16):
908         (JSC::dataViewProtoFuncGetUint32):
909         (JSC::dataViewProtoFuncGetFloat32):
910         (JSC::dataViewProtoFuncGetFloat64):
911         (JSC::dataViewProtoFuncSetInt8):
912         (JSC::dataViewProtoFuncSetInt16):
913         (JSC::dataViewProtoFuncSetInt32):
914         (JSC::dataViewProtoFuncSetUint8):
915         (JSC::dataViewProtoFuncSetUint16):
916         (JSC::dataViewProtoFuncSetUint32):
917         (JSC::dataViewProtoFuncSetFloat32):
918         (JSC::dataViewProtoFuncSetFloat64):
919         * runtime/JSDataViewPrototype.h: Added.
920         * runtime/JSFloat32Array.h: Added.
921         * runtime/JSFloat64Array.h: Added.
922         * runtime/JSGenericTypedArrayView.h: Added.
923         (JSC::JSGenericTypedArrayView::byteLength):
924         (JSC::JSGenericTypedArrayView::byteSize):
925         (JSC::JSGenericTypedArrayView::typedVector):
926         (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
927         (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
928         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
929         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
930         (JSC::JSGenericTypedArrayView::getIndexQuickly):
931         (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
932         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
933         (JSC::JSGenericTypedArrayView::setIndexQuickly):
934         (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
935         (JSC::JSGenericTypedArrayView::typedImpl):
936         (JSC::JSGenericTypedArrayView::createStructure):
937         (JSC::JSGenericTypedArrayView::info):
938         (JSC::toNativeTypedView):
939         * runtime/JSGenericTypedArrayViewConstructor.h: Added.
940         * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
941         (JSC::::JSGenericTypedArrayViewConstructor):
942         (JSC::::finishCreation):
943         (JSC::::create):
944         (JSC::::createStructure):
945         (JSC::constructGenericTypedArrayView):
946         (JSC::::getConstructData):
947         (JSC::::getCallData):
948         * runtime/JSGenericTypedArrayViewInlines.h: Added.
949         (JSC::::JSGenericTypedArrayView):
950         (JSC::::create):
951         (JSC::::createUninitialized):
952         (JSC::::validateRange):
953         (JSC::::setWithSpecificType):
954         (JSC::::set):
955         (JSC::::getOwnPropertySlot):
956         (JSC::::getOwnPropertyDescriptor):
957         (JSC::::put):
958         (JSC::::defineOwnProperty):
959         (JSC::::deleteProperty):
960         (JSC::::getOwnPropertySlotByIndex):
961         (JSC::::putByIndex):
962         (JSC::::deletePropertyByIndex):
963         (JSC::::getOwnNonIndexPropertyNames):
964         (JSC::::getOwnPropertyNames):
965         (JSC::::visitChildren):
966         (JSC::::copyBackingStore):
967         (JSC::::slowDownAndWasteMemory):
968         (JSC::::getTypedArrayImpl):
969         * runtime/JSGenericTypedArrayViewPrototype.h: Added.
970         * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
971         (JSC::genericTypedArrayViewProtoFuncSet):
972         (JSC::genericTypedArrayViewProtoFuncSubarray):
973         (JSC::::JSGenericTypedArrayViewPrototype):
974         (JSC::::finishCreation):
975         (JSC::::create):
976         (JSC::::createStructure):
977         * runtime/JSGlobalObject.cpp:
978         (JSC::JSGlobalObject::reset):
979         (JSC::JSGlobalObject::visitChildren):
980         * runtime/JSGlobalObject.h:
981         (JSC::JSGlobalObject::arrayBufferPrototype):
982         (JSC::JSGlobalObject::arrayBufferStructure):
983         (JSC::JSGlobalObject::typedArrayStructure):
984         * runtime/JSInt16Array.h: Added.
985         * runtime/JSInt32Array.h: Added.
986         * runtime/JSInt8Array.h: Added.
987         * runtime/JSTypedArrayConstructors.cpp: Added.
988         * runtime/JSTypedArrayConstructors.h: Added.
989         * runtime/JSTypedArrayPrototypes.cpp: Added.
990         * runtime/JSTypedArrayPrototypes.h: Added.
991         * runtime/JSTypedArrays.cpp: Added.
992         * runtime/JSTypedArrays.h: Added.
993         * runtime/JSUint16Array.h: Added.
994         * runtime/JSUint32Array.h: Added.
995         * runtime/JSUint8Array.h: Added.
996         * runtime/JSUint8ClampedArray.h: Added.
997         * runtime/Operations.h:
998         * runtime/Options.h:
999         * runtime/SimpleTypedArrayController.cpp: Added.
1000         (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
1001         (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
1002         (JSC::SimpleTypedArrayController::toJS):
1003         * runtime/SimpleTypedArrayController.h: Added.
1004         * runtime/Structure.h:
1005         (JSC::Structure::couldHaveIndexingHeader):
1006         * runtime/StructureInlines.h:
1007         (JSC::Structure::hasIndexingHeader):
1008         * runtime/TypedArrayAdaptors.h: Added.
1009         (JSC::IntegralTypedArrayAdaptor::toNative):
1010         (JSC::IntegralTypedArrayAdaptor::toJSValue):
1011         (JSC::IntegralTypedArrayAdaptor::toDouble):
1012         (JSC::FloatTypedArrayAdaptor::toNative):
1013         (JSC::FloatTypedArrayAdaptor::toJSValue):
1014         (JSC::FloatTypedArrayAdaptor::toDouble):
1015         (JSC::Uint8ClampedAdaptor::toNative):
1016         (JSC::Uint8ClampedAdaptor::toJSValue):
1017         (JSC::Uint8ClampedAdaptor::toDouble):
1018         (JSC::Uint8ClampedAdaptor::clamp):
1019         * runtime/TypedArrayController.cpp: Added.
1020         (JSC::TypedArrayController::TypedArrayController):
1021         (JSC::TypedArrayController::~TypedArrayController):
1022         * runtime/TypedArrayController.h: Added.
1023         * runtime/TypedArrayDescriptor.h: Removed.
1024         * runtime/TypedArrayInlines.h: Added.
1025         * runtime/TypedArrayType.cpp: Added.
1026         (JSC::classInfoForType):
1027         (WTF::printInternal):
1028         * runtime/TypedArrayType.h: Added.
1029         (JSC::toIndex):
1030         (JSC::isTypedView):
1031         (JSC::elementSize):
1032         (JSC::isInt):
1033         (JSC::isFloat):
1034         (JSC::isSigned):
1035         (JSC::isClamped):
1036         * runtime/TypedArrays.h: Added.
1037         * runtime/Uint16Array.h:
1038         * runtime/Uint32Array.h:
1039         * runtime/Uint8Array.h:
1040         * runtime/Uint8ClampedArray.h:
1041         * runtime/VM.cpp:
1042         (JSC::VM::VM):
1043         (JSC::VM::~VM):
1044         * runtime/VM.h:
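
        The entry above describes the JS-visible shape the new typed array implementation follows (Uint8ClampedArray is not a subtype of Uint8Array, ArrayBufferView is not exposed to scripts) and lists the range-checking and clamping helpers it adds (validateRange, verifySubRange, checkInboundData, Uint8ClampedAdaptor::clamp). The script below is an added example, not code from this WebKit change or from the JavaScriptCore sources; it exercises that behaviour from JavaScript in a current engine such as Node.js. The function names and the sample values are illustrative, and the expected results follow the ECMAScript ToUint8 / ToUint8Clamp conversions and typed array bounds rules as implemented by modern engines, which this ChangeLog itself does not spell out.

```javascript
// Added example (not WebKit code). Assumes a modern ECMAScript engine such as
// Node.js; expectations are from the ECMAScript typed array specification.

// Uint8ClampedArray sits beside Uint8Array under %TypedArray%.prototype rather
// than inheriting from it, and there is no ArrayBufferView global.
function hierarchy() {
  const clamped = new Uint8ClampedArray(4);
  return {
    clampedIsUint8Array: clamped instanceof Uint8Array,            // false
    sharesTypedArrayProto:
      Object.getPrototypeOf(Uint8ClampedArray.prototype) ===
      Object.getPrototypeOf(Uint8Array.prototype),                 // true
    arrayBufferViewIsGlobal: typeof globalThis.ArrayBufferView !== "undefined", // false
  };
}

// Constructed sample inputs: out-of-range, negative, fractional and NaN.
const SAMPLE_VALUES = [300, -5, 1.5, 2.5, NaN];

// Store conversion: Uint8Array wraps modulo 256 (ToUint8), Uint8ClampedArray
// saturates to 0..255 and rounds half to even (ToUint8Clamp). NaN stores as 0
// in both, so a clamping adaptor must handle NaN explicitly.
function storeConversions(values = SAMPLE_VALUES) {
  const wrapped = new Uint8Array(values.length);
  const clamped = new Uint8ClampedArray(values.length);
  values.forEach((v, i) => { wrapped[i] = v; clamped[i] = v; });
  return { wrapped: Array.from(wrapped), clamped: Array.from(clamped) };
}

// Bounds: an index past the view reads as undefined and a write to it is
// dropped; it never reaches the neighbouring bytes of the same ArrayBuffer.
// subarray() clamps its end to the view's length and shares the buffer.
function boundsBehaviour() {
  const buf = new ArrayBuffer(8);
  const low = new Uint8Array(buf, 0, 4);   // bytes 0..3
  const high = new Uint8Array(buf, 4, 4);  // bytes 4..7
  low[4] = 0xff;                           // one past the end of `low`: no-op
  low[-1] = 0xff;                          // negative index: no-op as well
  const sub = low.subarray(2, 100);        // end clamped to low.length
  sub[0] = 0x2a;                           // lands in buf[2] via the shared buffer
  return {
    oobRead: low[4],                       // undefined
    highUntouched: high[0],                // 0
    subLength: sub.length,                 // 2
    sharedWrite: low[2],                   // 42
    bufferByteLength: buf.byteLength,      // 8
  };
}

// DataView checks offset + element size against byteLength on every access
// and throws RangeError instead of reading past the end of the buffer.
function dataViewRangeErrors() {
  const dv = new DataView(new ArrayBuffer(8));
  const outcomes = [];
  for (const offset of [0, 4, 5, 8]) {
    try {
      dv.getUint32(offset);
      outcomes.push("ok");
    } catch (e) {
      outcomes.push(e instanceof RangeError ? "RangeError" : "other");
    }
  }
  return outcomes; // ["ok", "ok", "RangeError", "RangeError"]
}
```

        Calling hierarchy(), storeConversions(), boundsBehaviour() and dataViewRangeErrors() from a Node.js REPL shows the four behaviours in turn; the interesting cases for a reviewer of the range-checking code are the NaN store, the write one element past the end of a view that shares its buffer with another view, and the DataView read at offset 5 of an 8-byte buffer, where the offset itself is in range but the 4-byte access is not.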
1045
1046 2013-08-15  Oliver Hunt  <oliver@apple.com>
1047
1048         <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure
1049
1050         Reviewed by Filip Pizlo.
1051
1052         Make sure dfgCapabilities doesn't report a Dynamic put as
1053         being compilable when we don't actually support it.
1054
1055         * bytecode/CodeBlock.cpp:
1056         (JSC::CodeBlock::dumpBytecode):
1057         * dfg/DFGCapabilities.cpp:
1058         (JSC::DFG::capabilityLevel):
1059
1060 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
1061
1062         [Windows] Incorrect DLL Linkage for JSC ArrayBuffer and ArrayBufferView
1063         https://bugs.webkit.org/show_bug.cgi?id=119847
1064
1065         Reviewed by Oliver Hunt.
1066
1067         * runtime/ArrayBuffer.h: Switch from WTF_EXPORT_PRIVATE to JS_EXPORT_PRIVATE
1068         * runtime/ArrayBufferView.h: Ditto.
1069
1070 2013-08-15  Gavin Barraclough  <barraclough@apple.com>
1071
1072         https://bugs.webkit.org/show_bug.cgi?id=119843
1073         PropertySlot::setValue is ambiguous
1074
1075         Reviewed by Geoff Garen.
1076
1077         There are three different versions of PropertySlot::setValue, one for cacheable properties, and two that are used interchangeably and inconsistently.
1078         The problematic variants are the ones that just take a value, and one that takes a value and also the object containing the property.
1079         Unify on always providing the object, and remove the version that just takes a value.
1080         This always works except for JSString, where we optimize out the object (logically we should be instantiating a temporary StringObject on every property access).
1081         Provide a version of setValue that takes a JSString as the owner of the property.
1082         We won't store this, but it makes it clear that this interface should only be used from JSString.
1083
1084         * API/JSCallbackObjectFunctions.h:
1085         (JSC::::getOwnPropertySlot):
1086         * JSCTypedArrayStubs.h:
1087         * runtime/Arguments.cpp:
1088         (JSC::Arguments::getOwnPropertySlotByIndex):
1089         (JSC::Arguments::getOwnPropertySlot):
1090         * runtime/JSActivation.cpp:
1091         (JSC::JSActivation::symbolTableGet):
1092         (JSC::JSActivation::getOwnPropertySlot):
1093         * runtime/JSArray.cpp:
1094         (JSC::JSArray::getOwnPropertySlot):
1095         * runtime/JSObject.cpp:
1096         (JSC::JSObject::getOwnPropertySlotByIndex):
1097         * runtime/JSString.h:
1098         (JSC::JSString::getStringPropertySlot):
1099         * runtime/JSSymbolTableObject.h:
1100         (JSC::symbolTableGet):
1101         * runtime/SparseArrayValueMap.cpp:
1102         (JSC::SparseArrayEntry::get):
1103             - Pass object containing property to PropertySlot::setValue
1104         * runtime/PropertySlot.h:
1105         (JSC::PropertySlot::setValue):
1106             - Logically, the base of a string property access is a temporary StringObject, but we optimize that away.
1107         (JSC::PropertySlot::setUndefined):
1108             - removed setValue(JSValue), added setValue(JSString*, JSValue)
1109
1110 2013-08-15  Oliver Hunt  <oliver@apple.com>
1111
1112         Remove bogus assertion.
1113
1114         RS=Filip Pizlo
1115
1116         * dfg/DFGAbstractInterpreterInlines.h:
1117         (JSC::DFG::::executeEffects):
1118
1119 2013-08-15  Allan Sandfeld Jensen  <allan.jensen@digia.com>
1120
1121         REGRESSION(r148790) Made 7 tests fail on x86 32bit
1122         https://bugs.webkit.org/show_bug.cgi?id=114913
1123
1124         Reviewed by Filip Pizlo.
1125
1126         The X87 register was not freed before some calls. Instead
1127         of inserting resetX87Registers to the last call sites,
1128         the two X87 registers are now freed in every call.
1129
1130         * llint/LowLevelInterpreter32_64.asm:
1131         * llint/LowLevelInterpreter64.asm:
1132         * offlineasm/instructions.rb:
1133         * offlineasm/x86.rb:
1134
1135 2013-08-14  Michael Saboff  <msaboff@apple.com>
1136
1137         Fixed jit on Win64.
1138         https://bugs.webkit.org/show_bug.cgi?id=119601
1139
1140         Reviewed by Oliver Hunt.
1141
1142         * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation.
1143         * jit/JSInterfaceJIT.h: Added thirdArgumentRegister.
1144         * jit/SlowPathCall.h:
1145         (JSC::JITSlowPathCall::call): Added correct calling convention for Win64.
1146
1147 2013-08-14  Alex Christensen  <achristensen@apple.com>
1148
1149         Compile fix for Win64 with jit disabled.
1150         https://bugs.webkit.org/show_bug.cgi?id=119804
1151
1152         Reviewed by Michael Saboff.
1153
1154         * offlineasm/cloop.rb: Added std:: before isnan.
1155
1156 2013-08-14  Julien Brianceau  <jbrianceau@nds.com>
1157
1158         DFG_JIT implementation for sh4 architecture.
1159         https://bugs.webkit.org/show_bug.cgi?id=119737
1160
1161         Reviewed by Oliver Hunt.
1162
1163         * assembler/MacroAssemblerSH4.h:
1164         (JSC::MacroAssemblerSH4::invert):
1165         (JSC::MacroAssemblerSH4::add32):
1166         (JSC::MacroAssemblerSH4::and32):
1167         (JSC::MacroAssemblerSH4::lshift32):
1168         (JSC::MacroAssemblerSH4::mul32):
1169         (JSC::MacroAssemblerSH4::or32):
1170         (JSC::MacroAssemblerSH4::rshift32):
1171         (JSC::MacroAssemblerSH4::sub32):
1172         (JSC::MacroAssemblerSH4::xor32):
1173         (JSC::MacroAssemblerSH4::store32):
1174         (JSC::MacroAssemblerSH4::swapDouble):
1175         (JSC::MacroAssemblerSH4::storeDouble):
1176         (JSC::MacroAssemblerSH4::subDouble):
1177         (JSC::MacroAssemblerSH4::mulDouble):
1178         (JSC::MacroAssemblerSH4::divDouble):
1179         (JSC::MacroAssemblerSH4::negateDouble):
1180         (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
1181         (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
1182         (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
1183         (JSC::MacroAssemblerSH4::swap):
1184         (JSC::MacroAssemblerSH4::jump):
1185         (JSC::MacroAssemblerSH4::branchNeg32):
1186         (JSC::MacroAssemblerSH4::branchAdd32):
1187         (JSC::MacroAssemblerSH4::branchMul32):
1188         (JSC::MacroAssemblerSH4::urshift32):
1189         * assembler/SH4Assembler.h:
1190         (JSC::SH4Assembler::SH4Assembler):
1191         (JSC::SH4Assembler::labelForWatchpoint):
1192         (JSC::SH4Assembler::label):
1193         (JSC::SH4Assembler::debugOffset):
1194         * dfg/DFGAssemblyHelpers.h:
1195         (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
1196         (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
1197         (JSC::DFG::AssemblyHelpers::debugCall):
1198         * dfg/DFGCCallHelpers.h:
1199         (JSC::DFG::CCallHelpers::setupArguments):
1200         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
1201         * dfg/DFGFPRInfo.h:
1202         (JSC::DFG::FPRInfo::toRegister):
1203         (JSC::DFG::FPRInfo::toIndex):
1204         (JSC::DFG::FPRInfo::debugName):
1205         * dfg/DFGGPRInfo.h:
1206         (JSC::DFG::GPRInfo::toRegister):
1207         (JSC::DFG::GPRInfo::toIndex):
1208         (JSC::DFG::GPRInfo::debugName):
1209         * dfg/DFGOperations.cpp:
1210         * dfg/DFGSpeculativeJIT.h:
1211         (JSC::DFG::SpeculativeJIT::callOperation):
1212         * jit/JITStubs.h:
1213         * jit/JITStubsSH4.h:
1214
1215 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
1216
1217         Unreviewed, fix build.
1218
1219         * API/JSValue.mm:
1220         (isDate):
1221         (isArray):
1222         * API/JSWrapperMap.mm:
1223         (tryUnwrapObjcObject):
1224         * API/ObjCCallbackFunction.mm:
1225         (tryUnwrapBlock):
1226
1227 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
1228
1229         Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
1230         https://bugs.webkit.org/show_bug.cgi?id=119770
1231
1232         Reviewed by Mark Hahnenberg.
1233
1234         * API/JSCallbackConstructor.cpp:
1235         (JSC::JSCallbackConstructor::finishCreation):
1236         * API/JSCallbackConstructor.h:
1237         (JSC::JSCallbackConstructor::createStructure):
1238         * API/JSCallbackFunction.cpp:
1239         (JSC::JSCallbackFunction::finishCreation):
1240         * API/JSCallbackFunction.h:
1241         (JSC::JSCallbackFunction::createStructure):
1242         * API/JSCallbackObject.cpp:
1243         (JSC::::createStructure):
1244         * API/JSCallbackObject.h:
1245         (JSC::JSCallbackObject::visitChildren):
1246         * API/JSCallbackObjectFunctions.h:
1247         (JSC::::asCallbackObject):
1248         (JSC::::finishCreation):
1249         * API/JSObjectRef.cpp:
1250         (JSObjectGetPrivate):
1251         (JSObjectSetPrivate):
1252         (JSObjectGetPrivateProperty):
1253         (JSObjectSetPrivateProperty):
1254         (JSObjectDeletePrivateProperty):
1255         * API/JSValueRef.cpp:
1256         (JSValueIsObjectOfClass):
1257         * API/JSWeakObjectMapRefPrivate.cpp:
1258         * API/ObjCCallbackFunction.h:
1259         (JSC::ObjCCallbackFunction::createStructure):
1260         * JSCTypedArrayStubs.h:
1261         * bytecode/CallLinkStatus.cpp:
1262         (JSC::CallLinkStatus::CallLinkStatus):
1263         (JSC::CallLinkStatus::function):
1264         (JSC::CallLinkStatus::internalFunction):
1265         * bytecode/CodeBlock.h:
1266         (JSC::baselineCodeBlockForInlineCallFrame):
1267         * bytecode/SpeculatedType.cpp:
1268         (JSC::speculationFromClassInfo):
1269         * bytecode/UnlinkedCodeBlock.cpp:
1270         (JSC::UnlinkedFunctionExecutable::visitChildren):
1271         (JSC::UnlinkedCodeBlock::visitChildren):
1272         (JSC::UnlinkedProgramCodeBlock::visitChildren):
1273         * bytecode/UnlinkedCodeBlock.h:
1274         (JSC::UnlinkedFunctionExecutable::createStructure):
1275         (JSC::UnlinkedProgramCodeBlock::createStructure):
1276         (JSC::UnlinkedEvalCodeBlock::createStructure):
1277         (JSC::UnlinkedFunctionCodeBlock::createStructure):
1278         * debugger/Debugger.cpp:
1279         * debugger/DebuggerActivation.cpp:
1280         (JSC::DebuggerActivation::visitChildren):
1281         * debugger/DebuggerActivation.h:
1282         (JSC::DebuggerActivation::createStructure):
1283         * debugger/DebuggerCallFrame.cpp:
1284         (JSC::DebuggerCallFrame::functionName):
1285         * dfg/DFGAbstractInterpreterInlines.h:
1286         (JSC::DFG::::executeEffects):
1287         * dfg/DFGByteCodeParser.cpp:
1288         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1289         (JSC::DFG::ByteCodeParser::parseBlock):
1290         * dfg/DFGFixupPhase.cpp:
1291         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
1292         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
1293         * dfg/DFGGraph.cpp:
1294         (JSC::DFG::Graph::dump):
1295         * dfg/DFGGraph.h:
1296         (JSC::DFG::Graph::isInternalFunctionConstant):
1297         * dfg/DFGOperations.cpp:
1298         * dfg/DFGSpeculativeJIT.cpp:
1299         (JSC::DFG::SpeculativeJIT::checkArray):
1300         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1301         * dfg/DFGThunks.cpp:
1302         (JSC::DFG::virtualForThunkGenerator):
1303         * interpreter/Interpreter.cpp:
1304         (JSC::loadVarargs):
1305         * jsc.cpp:
1306         (GlobalObject::createStructure):
1307         * profiler/LegacyProfiler.cpp:
1308         (JSC::LegacyProfiler::createCallIdentifier):
1309         * runtime/Arguments.cpp:
1310         (JSC::Arguments::visitChildren):
1311         * runtime/Arguments.h:
1312         (JSC::Arguments::createStructure):
1313         (JSC::asArguments):
1314         (JSC::Arguments::finishCreation):
1315         * runtime/ArrayConstructor.cpp:
1316         (JSC::arrayConstructorIsArray):
1317         * runtime/ArrayConstructor.h:
1318         (JSC::ArrayConstructor::createStructure):
1319         * runtime/ArrayPrototype.cpp:
1320         (JSC::ArrayPrototype::finishCreation):
1321         (JSC::arrayProtoFuncConcat):
1322         (JSC::attemptFastSort):
1323         * runtime/ArrayPrototype.h:
1324         (JSC::ArrayPrototype::createStructure):
1325         * runtime/BooleanConstructor.h:
1326         (JSC::BooleanConstructor::createStructure):
1327         * runtime/BooleanObject.cpp:
1328         (JSC::BooleanObject::finishCreation):
1329         * runtime/BooleanObject.h:
1330         (JSC::BooleanObject::createStructure):
1331         (JSC::asBooleanObject):
1332         * runtime/BooleanPrototype.cpp:
1333         (JSC::BooleanPrototype::finishCreation):
1334         (JSC::booleanProtoFuncToString):
1335         (JSC::booleanProtoFuncValueOf):
1336         * runtime/BooleanPrototype.h:
1337         (JSC::BooleanPrototype::createStructure):
1338         * runtime/DateConstructor.cpp:
1339         (JSC::constructDate):
1340         * runtime/DateConstructor.h:
1341         (JSC::DateConstructor::createStructure):
1342         * runtime/DateInstance.cpp:
1343         (JSC::DateInstance::finishCreation):
1344         * runtime/DateInstance.h:
1345         (JSC::DateInstance::createStructure):
1346         (JSC::asDateInstance):
1347         * runtime/DatePrototype.cpp:
1348         (JSC::formateDateInstance):
1349         (JSC::DatePrototype::finishCreation):
1350         (JSC::dateProtoFuncToISOString):
1351         (JSC::dateProtoFuncToLocaleString):
1352         (JSC::dateProtoFuncToLocaleDateString):
1353         (JSC::dateProtoFuncToLocaleTimeString):
1354         (JSC::dateProtoFuncGetTime):
1355         (JSC::dateProtoFuncGetFullYear):
1356         (JSC::dateProtoFuncGetUTCFullYear):
1357         (JSC::dateProtoFuncGetMonth):
1358         (JSC::dateProtoFuncGetUTCMonth):
1359         (JSC::dateProtoFuncGetDate):
1360         (JSC::dateProtoFuncGetUTCDate):
1361         (JSC::dateProtoFuncGetDay):
1362         (JSC::dateProtoFuncGetUTCDay):
1363         (JSC::dateProtoFuncGetHours):
1364         (JSC::dateProtoFuncGetUTCHours):
1365         (JSC::dateProtoFuncGetMinutes):
1366         (JSC::dateProtoFuncGetUTCMinutes):
1367         (JSC::dateProtoFuncGetSeconds):
1368         (JSC::dateProtoFuncGetUTCSeconds):
1369         (JSC::dateProtoFuncGetMilliSeconds):
1370         (JSC::dateProtoFuncGetUTCMilliseconds):
1371         (JSC::dateProtoFuncGetTimezoneOffset):
1372         (JSC::dateProtoFuncSetTime):
1373         (JSC::setNewValueFromTimeArgs):
1374         (JSC::setNewValueFromDateArgs):
1375         (JSC::dateProtoFuncSetYear):
1376         (JSC::dateProtoFuncGetYear):
1377         * runtime/DatePrototype.h:
1378         (JSC::DatePrototype::createStructure):
1379         * runtime/Error.h:
1380         (JSC::StrictModeTypeErrorFunction::createStructure):
1381         * runtime/ErrorConstructor.h:
1382         (JSC::ErrorConstructor::createStructure):
1383         * runtime/ErrorInstance.cpp:
1384         (JSC::ErrorInstance::finishCreation):
1385         * runtime/ErrorInstance.h:
1386         (JSC::ErrorInstance::createStructure):
1387         * runtime/ErrorPrototype.cpp:
1388         (JSC::ErrorPrototype::finishCreation):
1389         * runtime/ErrorPrototype.h:
1390         (JSC::ErrorPrototype::createStructure):
1391         * runtime/ExceptionHelpers.cpp:
1392         (JSC::isTerminatedExecutionException):
1393         * runtime/ExceptionHelpers.h:
1394         (JSC::TerminatedExecutionError::createStructure):
1395         * runtime/Executable.cpp:
1396         (JSC::EvalExecutable::visitChildren):
1397         (JSC::ProgramExecutable::visitChildren):
1398         (JSC::FunctionExecutable::visitChildren):
1399         (JSC::ExecutableBase::hashFor):
1400         * runtime/Executable.h:
1401         (JSC::ExecutableBase::createStructure):
1402         (JSC::NativeExecutable::createStructure):
1403         (JSC::EvalExecutable::createStructure):
1404         (JSC::ProgramExecutable::createStructure):
1405         (JSC::FunctionExecutable::compileFor):
1406         (JSC::FunctionExecutable::compileOptimizedFor):
1407         (JSC::FunctionExecutable::createStructure):
1408         * runtime/FunctionConstructor.h:
1409         (JSC::FunctionConstructor::createStructure):
1410         * runtime/FunctionPrototype.cpp:
1411         (JSC::functionProtoFuncToString):
1412         (JSC::functionProtoFuncApply):
1413         (JSC::functionProtoFuncBind):
1414         * runtime/FunctionPrototype.h:
1415         (JSC::FunctionPrototype::createStructure):
1416         * runtime/GetterSetter.cpp:
1417         (JSC::GetterSetter::visitChildren):
1418         * runtime/GetterSetter.h:
1419         (JSC::GetterSetter::createStructure):
1420         * runtime/InternalFunction.cpp:
1421         (JSC::InternalFunction::finishCreation):
1422         * runtime/InternalFunction.h:
1423         (JSC::InternalFunction::createStructure):
1424         (JSC::asInternalFunction):
1425         * runtime/JSAPIValueWrapper.h:
1426         (JSC::JSAPIValueWrapper::createStructure):
1427         * runtime/JSActivation.cpp:
1428         (JSC::JSActivation::visitChildren):
1429         (JSC::JSActivation::argumentsGetter):
1430         * runtime/JSActivation.h:
1431         (JSC::JSActivation::createStructure):
1432         (JSC::asActivation):
1433         * runtime/JSArray.h:
1434         (JSC::JSArray::createStructure):
1435         (JSC::asArray):
1436         (JSC::isJSArray):
1437         * runtime/JSBoundFunction.cpp:
1438         (JSC::JSBoundFunction::finishCreation):
1439         (JSC::JSBoundFunction::visitChildren):
1440         * runtime/JSBoundFunction.h:
1441         (JSC::JSBoundFunction::createStructure):
1442         * runtime/JSCJSValue.cpp:
1443         (JSC::JSValue::dumpInContext):
1444         * runtime/JSCJSValueInlines.h:
1445         (JSC::JSValue::isFunction):
1446         * runtime/JSCell.h:
1447         (JSC::jsCast):
1448         (JSC::jsDynamicCast):
1449         * runtime/JSCellInlines.h:
1450         (JSC::allocateCell):
1451         * runtime/JSFunction.cpp:
1452         (JSC::JSFunction::finishCreation):
1453         (JSC::JSFunction::visitChildren):
1454         (JSC::skipOverBoundFunctions):
1455         (JSC::JSFunction::callerGetter):
1456         * runtime/JSFunction.h:
1457         (JSC::JSFunction::createStructure):
1458         * runtime/JSGlobalObject.cpp:
1459         (JSC::JSGlobalObject::visitChildren):
1460         (JSC::slowValidateCell):
1461         * runtime/JSGlobalObject.h:
1462         (JSC::JSGlobalObject::createStructure):
1463         * runtime/JSNameScope.cpp:
1464         (JSC::JSNameScope::visitChildren):
1465         * runtime/JSNameScope.h:
1466         (JSC::JSNameScope::createStructure):
1467         * runtime/JSNotAnObject.h:
1468         (JSC::JSNotAnObject::createStructure):
1469         * runtime/JSONObject.cpp:
1470         (JSC::JSONObject::finishCreation):
1471         (JSC::unwrapBoxedPrimitive):
1472         (JSC::Stringifier::Stringifier):
1473         (JSC::Stringifier::appendStringifiedValue):
1474         (JSC::Stringifier::Holder::Holder):
1475         (JSC::Walker::walk):
1476         (JSC::JSONProtoFuncStringify):
1477         * runtime/JSONObject.h:
1478         (JSC::JSONObject::createStructure):
1479         * runtime/JSObject.cpp:
1480         (JSC::getCallableObjectSlow):
1481         (JSC::JSObject::visitChildren):
1482         (JSC::JSObject::copyBackingStore):
1483         (JSC::JSFinalObject::visitChildren):
1484         (JSC::JSObject::ensureInt32Slow):
1485         (JSC::JSObject::ensureDoubleSlow):
1486         (JSC::JSObject::ensureContiguousSlow):
1487         (JSC::JSObject::ensureArrayStorageSlow):
1488         * runtime/JSObject.h:
1489         (JSC::JSObject::finishCreation):
1490         (JSC::JSObject::createStructure):
1491         (JSC::JSNonFinalObject::createStructure):
1492         (JSC::JSFinalObject::createStructure):
1493         (JSC::isJSFinalObject):
1494         * runtime/JSPropertyNameIterator.cpp:
1495         (JSC::JSPropertyNameIterator::visitChildren):
1496         * runtime/JSPropertyNameIterator.h:
1497         (JSC::JSPropertyNameIterator::createStructure):
1498         * runtime/JSProxy.cpp:
1499         (JSC::JSProxy::visitChildren):
1500         * runtime/JSProxy.h:
1501         (JSC::JSProxy::createStructure):
1502         * runtime/JSScope.cpp:
1503         (JSC::JSScope::visitChildren):
1504         * runtime/JSSegmentedVariableObject.cpp:
1505         (JSC::JSSegmentedVariableObject::visitChildren):
1506         * runtime/JSString.h:
1507         (JSC::JSString::createStructure):
1508         (JSC::isJSString):
1509         * runtime/JSSymbolTableObject.cpp:
1510         (JSC::JSSymbolTableObject::visitChildren):
1511         * runtime/JSVariableObject.h:
1512         * runtime/JSWithScope.cpp:
1513         (JSC::JSWithScope::visitChildren):
1514         * runtime/JSWithScope.h:
1515         (JSC::JSWithScope::createStructure):
1516         * runtime/JSWrapperObject.cpp:
1517         (JSC::JSWrapperObject::visitChildren):
1518         * runtime/JSWrapperObject.h:
1519         (JSC::JSWrapperObject::createStructure):
1520         * runtime/MathObject.cpp:
1521         (JSC::MathObject::finishCreation):
1522         * runtime/MathObject.h:
1523         (JSC::MathObject::createStructure):
1524         * runtime/NameConstructor.h:
1525         (JSC::NameConstructor::createStructure):
1526         * runtime/NameInstance.h:
1527         (JSC::NameInstance::createStructure):
1528         (JSC::NameInstance::finishCreation):
1529         * runtime/NamePrototype.cpp:
1530         (JSC::NamePrototype::finishCreation):
1531         (JSC::privateNameProtoFuncToString):
1532         * runtime/NamePrototype.h:
1533         (JSC::NamePrototype::createStructure):
1534         * runtime/NativeErrorConstructor.cpp:
1535         (JSC::NativeErrorConstructor::visitChildren):
1536         * runtime/NativeErrorConstructor.h:
1537         (JSC::NativeErrorConstructor::createStructure):
1538         (JSC::NativeErrorConstructor::finishCreation):
1539         * runtime/NumberConstructor.cpp:
1540         (JSC::NumberConstructor::finishCreation):
1541         * runtime/NumberConstructor.h:
1542         (JSC::NumberConstructor::createStructure):
1543         * runtime/NumberObject.cpp:
1544         (JSC::NumberObject::finishCreation):
1545         * runtime/NumberObject.h:
1546         (JSC::NumberObject::createStructure):
1547         * runtime/NumberPrototype.cpp:
1548         (JSC::NumberPrototype::finishCreation):
1549         * runtime/NumberPrototype.h:
1550         (JSC::NumberPrototype::createStructure):
1551         * runtime/ObjectConstructor.h:
1552         (JSC::ObjectConstructor::createStructure):
1553         * runtime/ObjectPrototype.cpp:
1554         (JSC::ObjectPrototype::finishCreation):
1555         * runtime/ObjectPrototype.h:
1556         (JSC::ObjectPrototype::createStructure):
1557         * runtime/PropertyMapHashTable.h:
1558         (JSC::PropertyTable::createStructure):
1559         * runtime/PropertyTable.cpp:
1560         (JSC::PropertyTable::visitChildren):
1561         * runtime/RegExp.h:
1562         (JSC::RegExp::createStructure):
1563         * runtime/RegExpConstructor.cpp:
1564         (JSC::RegExpConstructor::finishCreation):
1565         (JSC::RegExpConstructor::visitChildren):
1566         (JSC::constructRegExp):
1567         * runtime/RegExpConstructor.h:
1568         (JSC::RegExpConstructor::createStructure):
1569         (JSC::asRegExpConstructor):
1570         * runtime/RegExpMatchesArray.cpp:
1571         (JSC::RegExpMatchesArray::visitChildren):
1572         * runtime/RegExpMatchesArray.h:
1573         (JSC::RegExpMatchesArray::createStructure):
1574         * runtime/RegExpObject.cpp:
1575         (JSC::RegExpObject::finishCreation):
1576         (JSC::RegExpObject::visitChildren):
1577         * runtime/RegExpObject.h:
1578         (JSC::RegExpObject::createStructure):
1579         (JSC::asRegExpObject):
1580         * runtime/RegExpPrototype.cpp:
1581         (JSC::regExpProtoFuncTest):
1582         (JSC::regExpProtoFuncExec):
1583         (JSC::regExpProtoFuncCompile):
1584         (JSC::regExpProtoFuncToString):
1585         * runtime/RegExpPrototype.h:
1586         (JSC::RegExpPrototype::createStructure):
1587         * runtime/SparseArrayValueMap.cpp:
1588         (JSC::SparseArrayValueMap::createStructure):
1589         * runtime/SparseArrayValueMap.h:
1590         * runtime/StrictEvalActivation.h:
1591         (JSC::StrictEvalActivation::createStructure):
1592         * runtime/StringConstructor.h:
1593         (JSC::StringConstructor::createStructure):
1594         * runtime/StringObject.cpp:
1595         (JSC::StringObject::finishCreation):
1596         * runtime/StringObject.h:
1597         (JSC::StringObject::createStructure):
1598         (JSC::asStringObject):
1599         * runtime/StringPrototype.cpp:
1600         (JSC::StringPrototype::finishCreation):
1601         (JSC::stringProtoFuncReplace):
1602         (JSC::stringProtoFuncToString):
1603         (JSC::stringProtoFuncMatch):
1604         (JSC::stringProtoFuncSearch):
1605         (JSC::stringProtoFuncSplit):
1606         * runtime/StringPrototype.h:
1607         (JSC::StringPrototype::createStructure):
1608         * runtime/Structure.cpp:
1609         (JSC::Structure::Structure):
1610         (JSC::Structure::materializePropertyMap):
1611         (JSC::Structure::get):
1612         (JSC::Structure::visitChildren):
1613         * runtime/Structure.h:
1614         (JSC::Structure::typeInfo):
1615         (JSC::Structure::previousID):
1616         (JSC::Structure::outOfLineSize):
1617         (JSC::Structure::totalStorageCapacity):
1618         (JSC::Structure::materializePropertyMapIfNecessary):
1619         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
1620         * runtime/StructureChain.cpp:
1621         (JSC::StructureChain::visitChildren):
1622         * runtime/StructureChain.h:
1623         (JSC::StructureChain::createStructure):
1624         * runtime/StructureInlines.h:
1625         (JSC::Structure::get):
1626         * runtime/StructureRareData.cpp:
1627         (JSC::StructureRareData::createStructure):
1628         (JSC::StructureRareData::visitChildren):
1629         * runtime/StructureRareData.h:
1630         * runtime/SymbolTable.h:
1631         (JSC::SharedSymbolTable::createStructure):
1632         * runtime/VM.cpp:
1633         (JSC::VM::VM):
1634         (JSC::StackPreservingRecompiler::operator()):
1635         (JSC::VM::releaseExecutableMemory):
1636         * runtime/WriteBarrier.h:
1637         (JSC::validateCell):
1638         * testRegExp.cpp:
1639         (GlobalObject::createStructure):
1640
1641 2013-08-13  Arunprasad Rajkumar  <arurajku@cisco.com>
1642
1643         [WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places
1644         https://bugs.webkit.org/show_bug.cgi?id=119762
1645
1646         Reviewed by Geoffrey Garen.
1647
1648         * heap/Heap.cpp:
1649         (JSC::Heap::Heap):
1650         (JSC::Heap::markRoots):
1651         (JSC::Heap::collect):
1652         * jsc.cpp:
1653         (StopWatch::start):
1654         (StopWatch::stop):
1655         * testRegExp.cpp:
1656         (StopWatch::start):
1657         (StopWatch::stop):
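
        The reason for this change, as an added example that is not WebKit code: a StopWatch in the shape of the one in jsc.cpp, but reading time from an injected clock so that a wall clock and a monotonic clock can be compared offline. The clock readings below are constructed, and the `work` callback and the clock-stepping scenario are assumptions made for illustration.

```javascript
// Added example, not WebKit code: a StopWatch that reads time from an
// injected `now` function so the two clock kinds can be compared offline.
function makeStopWatch(now) {
  let startTime = 0;
  return {
    start() { startTime = now(); },
    stop() { return now() - startTime; }, // elapsed milliseconds
  };
}

// Replays a constructed list of clock readings (ms), one per call.
function replayClock(readings) {
  let i = 0;
  return () => readings[Math.min(i++, readings.length - 1)];
}

// Constructed scenario: 20 ms of real work, during which the system clock is
// stepped back by one second (for example an NTP correction). Measured with
// the wall clock the duration comes out negative.
function elapsedWallClock() {
  const sw = makeStopWatch(replayClock([5000, 5000 + 20 - 1000]));
  sw.start();
  return sw.stop(); // -980
}

// Same 20 ms of work measured with a clock that only ever moves forward.
function elapsedMonotonicClock() {
  const sw = makeStopWatch(replayClock([1000, 1020]));
  sw.start();
  return sw.stop(); // 20
}

// With real clocks: Date.now() is wall-clock time and can step backwards;
// performance.now() is monotonic (a global in Node.js 16+ and in browsers).
function elapsedReal(work) {
  const sw = makeStopWatch(() => performance.now());
  sw.start();
  work();
  return sw.stop();
}
```

Timing GC pauses or benchmarks with a wall clock therefore makes the numbers depend on whatever adjusts the system clock; a monotonic source removes that dependency.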
1658
1659 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
1660
1661         [sh4] Prepare LLINT for DFG_JIT implementation.
1662         https://bugs.webkit.org/show_bug.cgi?id=119755
1663
1664         Reviewed by Oliver Hunt.
1665
1666         * LLIntOffsetsExtractor.pro: Add sh4.rb dependency.
1667         * offlineasm/sh4.rb:
1668             - Handle storeb opcode.
1669             - Make relative jumps when possible using braf opcode.
1670             - Update bmulio implementation to be consistent with baseline JIT.
1671             - Remove useless code from leap opcode.
1672             - Fix incorrect comment.
1673
1674 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
1675
1676         [sh4] Prepare baseline JIT for DFG_JIT implementation.
1677         https://bugs.webkit.org/show_bug.cgi?id=119758
1678
1679         Reviewed by Oliver Hunt.
1680
1681         * assembler/MacroAssemblerSH4.h:
1682             - Introduce a loadEffectiveAddress function to avoid code duplication.
1683             - Add ASSERTs and clean code.
1684         * assembler/SH4Assembler.h:
1685             - Prepare DFG_JIT implementation.
1686             - Add ASSERTs.
1687         * jit/JITStubs.cpp:
1688             - Add SH4 specific call for assertions.
1689         * jit/JITStubs.h:
1690             - Cosmetic change.
1691         * jit/JITStubsSH4.h:
1692             - Use constants to be more flexible with sh4 JIT stack frame.
1693         * jit/JSInterfaceJIT.h:
1694             - Cosmetic change.
1695
1696 2013-08-13  Oliver Hunt  <oliver@apple.com>
1697
1698         Harden executeConstruct against incorrect return types from host functions
1699         https://bugs.webkit.org/show_bug.cgi?id=119757
1700
1701         Reviewed by Mark Hahnenberg.
1702
1703         Add logic to guard against bogus return types.  There doesn't seem to be any
1704         class in webkit that does this wrong, but the typed array stubs in debug JSC
1705         do exhibit this bad behaviour.
1706
1707         * interpreter/Interpreter.cpp:
1708         (JSC::Interpreter::executeConstruct):
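
        The invariant this hardening enforces, as an added example that is not WebKit code: a [[Construct]] call must produce an object. For a JavaScript function the engine guarantees this itself (a primitive return value is discarded and the allocated `this` is used), so only a host (native) constructor can hand back a non-object. `safeConstruct` and `hostConstruct` below are hypothetical names standing in for that boundary; the sample constructors are constructed for illustration.

```javascript
// Added example, not WebKit code: what `new` does with a constructor's return
// value, and a guard of the kind a host-constructor boundary needs.

function Point(x, y) {
  this.x = x;
  this.y = y;
  return 42; // primitive: `new` ignores it and yields `this`
}

function Wrapped(value) {
  return { wrapped: value }; // object: replaces `this`
}

function isObjectLike(v) {
  return v !== null && (typeof v === 'object' || typeof v === 'function');
}

// Classifies what `new ctor(...args)` produced.
function constructResultKind(ctor, ...args) {
  const result = new ctor(...args);
  if (!isObjectLike(result)) {
    return 'non-object'; // unreachable for JS constructors: the engine already enforces this
  }
  return result instanceof ctor ? 'this' : 'explicit-object';
}

// Hypothetical host constructor boundary: `hostConstruct` stands in for a
// native function whose return value the engine cannot trust. A non-object
// result is turned into a TypeError instead of being handed on as if it
// were a freshly constructed object.
function safeConstruct(hostConstruct, args) {
  const result = hostConstruct(...args);
  if (!isObjectLike(result)) {
    throw new TypeError('host constructor returned ' + (result === null ? 'null' : typeof result));
  }
  return result;
}
```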
1709
1710 2013-08-13  Allan Sandfeld Jensen  <allan.jensen@digia.com>
1711
1712         [Qt] Fix C++11 build with gcc 4.4 and 4.5
1713         https://bugs.webkit.org/show_bug.cgi?id=119736
1714
1715         Reviewed by Anders Carlsson.
1716
1717         Don't force C++11 mode off anymore.
1718
1719         * Target.pri:
1720
1721 2013-08-12  Oliver Hunt  <oliver@apple.com>
1722
1723         Remove CodeBlock's notion of adding identifiers entirely
1724         https://bugs.webkit.org/show_bug.cgi?id=119708
1725
1726         Reviewed by Geoffrey Garen.
1727
1728         Remove addAdditionalIdentifier entirely, including the bogus assertion.
1729         Move the addition of identifiers to DFGPlan::reallyAdd
1730
1731         * bytecode/CodeBlock.h:
1732         * dfg/DFGDesiredIdentifiers.cpp:
1733         (JSC::DFG::DesiredIdentifiers::reallyAdd):
1734         * dfg/DFGDesiredIdentifiers.h:
1735         * dfg/DFGPlan.cpp:
1736         (JSC::DFG::Plan::reallyAdd):
1737         (JSC::DFG::Plan::finalize):
1738         * dfg/DFGPlan.h:
1739
1740 2013-08-12  Oliver Hunt  <oliver@apple.com>
1741
1742         Build fix
1743
1744         * runtime/JSCell.h:
1745
1746 2013-08-12  Oliver Hunt  <oliver@apple.com>
1747
1748         Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them
1749         https://bugs.webkit.org/show_bug.cgi?id=119705
1750
1751         Reviewed by Geoffrey Garen.
1752
1753         Relatively trivial refactoring
1754
1755         * bytecode/CodeBlock.h:
1756         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
1757         (JSC::CodeBlock::addAdditionalIdentifier):
1758         (JSC::CodeBlock::identifier):
1759         (JSC::CodeBlock::numberOfIdentifiers):
1760         * dfg/DFGCommonData.h:
1761
1762 2013-08-12  Oliver Hunt  <oliver@apple.com>
1763
1764         Stop making unnecessary copy of CodeBlock Identifier Vector
1765         https://bugs.webkit.org/show_bug.cgi?id=119702
1766
1767         Reviewed by Michael Saboff.
1768
1769         Make CodeBlock simply use a separate Vector for additional Identifiers
1770         and use the UnlinkedCodeBlock for the initial set of identifiers.
1771
1772         * bytecode/CodeBlock.cpp:
1773         (JSC::CodeBlock::printGetByIdOp):
1774         (JSC::dumpStructure):
1775         (JSC::dumpChain):
1776         (JSC::CodeBlock::printGetByIdCacheStatus):
1777         (JSC::CodeBlock::printPutByIdOp):
1778         (JSC::CodeBlock::dumpBytecode):
1779         (JSC::CodeBlock::CodeBlock):
1780         (JSC::CodeBlock::shrinkToFit):
1781         * bytecode/CodeBlock.h:
1782         (JSC::CodeBlock::numberOfIdentifiers):
1783         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
1784         (JSC::CodeBlock::addAdditionalIdentifier):
1785         (JSC::CodeBlock::identifier):
1786         * dfg/DFGDesiredIdentifiers.cpp:
1787         (JSC::DFG::DesiredIdentifiers::reallyAdd):
1788         * jit/JIT.h:
1789         * jit/JITOpcodes.cpp:
1790         (JSC::JIT::emitSlow_op_get_arguments_length):
1791         * jit/JITPropertyAccess.cpp:
1792         (JSC::JIT::emit_op_get_by_id):
1793         (JSC::JIT::compileGetByIdHotPath):
1794         (JSC::JIT::emitSlow_op_get_by_id):
1795         (JSC::JIT::compileGetByIdSlowCase):
1796         (JSC::JIT::emitSlow_op_put_by_id):
1797         * jit/JITPropertyAccess32_64.cpp:
1798         (JSC::JIT::emit_op_get_by_id):
1799         (JSC::JIT::compileGetByIdHotPath):
1800         (JSC::JIT::compileGetByIdSlowCase):
1801         * jit/JITStubs.cpp:
1802         (JSC::DEFINE_STUB_FUNCTION):
1803         * llint/LLIntSlowPaths.cpp:
1804         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1805
1806 2013-08-08  Mark Lam  <mark.lam@apple.com>
1807
1808         Restoring use of StackIterator instead of Interpreter::getStacktrace().
1809         https://bugs.webkit.org/show_bug.cgi?id=119575
1810
1811         Reviewed by Oliver Hunt.
1812
1813         * interpreter/Interpreter.h:
1814         - Made getStackTrace() private.
1815         * interpreter/StackIterator.cpp:
1816         (JSC::StackIterator::StackIterator):
1817         (JSC::StackIterator::numberOfFrames):
1818         - Computes the number of frames by iterating through the whole stack
1819           from the starting frame. The iterator will save its current frame
1820           position before counting the frames, and then restore it after
1821           the counting.
1822         (JSC::StackIterator::gotoFrameAtIndex):
1823         (JSC::StackIterator::gotoNextFrame):
1824         (JSC::StackIterator::resetIterator):
1825         - Points the iterator to the starting frame.
1826         * interpreter/StackIteratorPrivate.h:
1827
1828 2013-08-08  Mark Lam  <mark.lam@apple.com>
1829
1830         Moved ErrorConstructor and NativeErrorConstructor helper functions into
1831         the Interpreter class.
1832         https://bugs.webkit.org/show_bug.cgi?id=119576
1833
1834         Reviewed by Oliver Hunt.
1835
1836         This change is needed to prepare for making Interpreter::getStackTrace()
1837         private. It does not change the behavior of the code, only the lexical
1838         scoping.
1839
1840         * interpreter/Interpreter.h:
1841         - Added helper functions for ErrorConstructor and NativeErrorConstructor.
1842         * runtime/ErrorConstructor.cpp:
1843         (JSC::Interpreter::constructWithErrorConstructor):
1844         (JSC::ErrorConstructor::getConstructData):
1845         (JSC::Interpreter::callErrorConstructor):
1846         (JSC::ErrorConstructor::getCallData):
1847         - Don't want ErrorConstructor to call Interpreter::getStackTrace()
1848           directly. So, we moved the helper functions into the Interpreter
1849           class.
1850         * runtime/NativeErrorConstructor.cpp:
1851         (JSC::Interpreter::constructWithNativeErrorConstructor):
1852         (JSC::NativeErrorConstructor::getConstructData):
1853         (JSC::Interpreter::callNativeErrorConstructor):
1854         (JSC::NativeErrorConstructor::getCallData):
1855         - Don't want NativeErrorConstructor to call Interpreter::getStackTrace()
1856           directly. So, we moved the helper functions into the Interpreter
1857           class.
1858
1859 2013-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>
1860
1861         32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state
1862         https://bugs.webkit.org/show_bug.cgi?id=119555
1863
1864         Reviewed by Geoffrey Garen.
1865
1866         It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does.
1867         This was causing crashes on maps.google.com in 32-bit debug builds.
1868
1869         * dfg/DFGSpeculativeJIT32_64.cpp:
1870         (JSC::DFG::SpeculativeJIT::compile):
1871
1872 2013-08-06  Michael Saboff  <msaboff@apple.com>
1873
1874         REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT
1875         https://bugs.webkit.org/show_bug.cgi?id=119405
1876
1877         Reviewed by Geoffrey Garen.
1878
1879         * dfg/DFGSpeculativeJIT.cpp:
1880         (JSC::DFG::SpeculativeJIT::compileGetByValOnString): For X86 32 bit, construct an indexed address
1881         ourselves to save a register and then load from it.
1882
1883 2013-08-06  Filip Pizlo  <fpizlo@apple.com>
1884
1885         DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants
1886         https://bugs.webkit.org/show_bug.cgi?id=119528
1887
1888         Reviewed by Geoffrey Garen.
1889
1890         Either of the two fixes would solve the crash I saw. Basically, for best performance, we want the DFG register allocator to track double uses and non-double
1891         uses of a node separately, and we accomplish this by inserting Int32ToDouble nodes in the FixupPhase. But even if FixupPhase fails to do this, we still want
1892         the DFG register allocator to do the right thing: if it encounters a double use of an integer, it should perform a conversion and preserve the original
1893         format of the value (namely, that it was an integer). For constants, the best format to preserve is None, so that future integer uses rematerialize the int
1894         from scratch. This only affects the 64-bit backend; the 32-bit backend was already doing the right thing.
1895
1896         This also fixes some more debug dumping code, and adds some stronger assertions for integer arrays.
1897
1898         * bytecode/CodeBlock.cpp:
1899         (JSC::CodeBlock::finalizeUnconditionally):
1900         * dfg/DFGDriver.cpp:
1901         (JSC::DFG::compile):
1902         * dfg/DFGFixupPhase.cpp:
1903         (JSC::DFG::FixupPhase::fixupNode):
1904         * dfg/DFGGraph.cpp:
1905         (JSC::DFG::Graph::dump):
1906         * dfg/DFGSpeculativeJIT64.cpp:
1907         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1908         * runtime/JSObject.h:
1909         (JSC::JSObject::getIndexQuickly):
1910         (JSC::JSObject::tryGetIndexQuickly):
1911
1912 2013-08-08  Stephanie Lewis  <slewis@apple.com>
1913
1914         <rdar://problem/14680524> REGRESSION(153806): Crash @ yahoo.com when WebKit is built with a .order file
1915
1916         Unreviewed.
1917
1918         Ensure llint symbols are in source order.
1919
1920         * JavaScriptCore.order:
1921
1922 2013-08-06  Mark Lam  <mark.lam@apple.com>
1923
1924         Assertion failure in emitExpressionInfo when reloading with Web Inspector open.
1925         https://bugs.webkit.org/show_bug.cgi?id=119532
1926
1927         Reviewed by Oliver Hunt.
1928
1929         * parser/Parser.cpp:
1930         (JSC::::Parser):
1931         - Just need to initialize the Parser's JSTokenLocation's initial line and
1932           startOffset as well during Parser construction.
1933
1934 2013-08-06  Stephanie Lewis  <slewis@apple.com>
1935
1936         Update Order Files for Safari
1937         <rdar://problem/14517392>
1938
1939         Unreviewed.
1940
1941         * JavaScriptCore.order:
1942
1943 2013-08-04  Sam Weinig  <sam@webkit.org>
1944
1945         Remove support for HTML5 MicroData
1946         https://bugs.webkit.org/show_bug.cgi?id=119480
1947
1948         Reviewed by Anders Carlsson.
1949
1950         * Configurations/FeatureDefines.xcconfig:
1951
1952 2013-08-05  Oliver Hunt  <oliver@apple.com>
1953
1954         Delay Arguments creation in strict mode
1955         https://bugs.webkit.org/show_bug.cgi?id=119505
1956
1957         Reviewed by Geoffrey Garen.
1958
1959         Make use of the write tracking performed by the parser to
1960         allow us to know if we're modifying the parameters to a function.
1961         Then use that information to make strict mode functions opt out
1962         of eager arguments creation.
1963
1964         * bytecompiler/BytecodeGenerator.cpp:
1965         (JSC::BytecodeGenerator::BytecodeGenerator):
1966         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
1967         (JSC::BytecodeGenerator::emitReturn):
1968         * bytecompiler/BytecodeGenerator.h:
1969         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly):
1970         * parser/Nodes.h:
1971         (JSC::ScopeNode::modifiesParameter):
1972         * parser/Parser.cpp:
1973         (JSC::::parseInner):
1974         * parser/Parser.h:
1975         (JSC::Scope::declareParameter):
1976         (JSC::Scope::getCapturedVariables):
1977         (JSC::Parser::declareWrite):
1978         * parser/ParserModes.h:
1979
1980 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
1981
1982         Remove useless code from COMPILER(RVCT) JITStubs
1983         https://bugs.webkit.org/show_bug.cgi?id=119521
1984
1985         Reviewed by Geoffrey Garen.
1986
1987         * jit/JITStubsARMv7.h:
1988         (JSC::ctiVMThrowTrampoline): "ldr r6, [sp, #PRESERVED_R6_OFFSET]" was called twice.
1989         (JSC::ctiOpThrowNotCaught): Ditto.
1990
1991 2013-07-23  David Farler  <dfarler@apple.com>
1992
1993         Provide optional OTHER_CFLAGS, OTHER_CPPFLAGS, OTHER_LDFLAGS additions for building with ASAN
1994         https://bugs.webkit.org/show_bug.cgi?id=117762
1995
1996         Reviewed by Mark Rowe.
1997
1998         * Configurations/DebugRelease.xcconfig:
1999         Add ASAN_OTHER_CFLAGS, CPLUSPLUSFLAGS, LDFLAGS.
2000         * Configurations/JavaScriptCore.xcconfig:
2001         Add ASAN_OTHER_LDFLAGS.
2002         * Configurations/ToolExecutable.xcconfig:
2003         Don't use ASAN for build tools.
2004
2005 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2006
2007         Build fix for ARM MSVC after r153222 and r153648.
2008
2009         * jit/JITStubsARM.h: Added ctiVMThrowTrampolineSlowpath.
2010
2011 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2012
2013         Build fix for ARM MSVC after r150109.
2014
2015         Read the stub template from a header file instead of JITStubs.cpp.
2016
2017         * CMakeLists.txt:
2018         * DerivedSources.pri:
2019         * create_jit_stubs:
2020
2021 2013-08-05  Oliver Hunt  <oliver@apple.com>
2022
2023         Move TypedArray implementation into JSC
2024         https://bugs.webkit.org/show_bug.cgi?id=119489
2025
2026         Reviewed by Filip Pizlo.
2027
2028         Move TypedArray implementation into JSC in advance of re-implementation
2029
2030         * GNUmakefile.list.am:
2031         * JSCTypedArrayStubs.h:
2032         * JavaScriptCore.xcodeproj/project.pbxproj:
2033         * runtime/ArrayBuffer.cpp: Renamed from Source/WTF/wtf/ArrayBuffer.cpp.
2034         (JSC::ArrayBuffer::transfer):
2035         (JSC::ArrayBuffer::addView):
2036         (JSC::ArrayBuffer::removeView):
2037         * runtime/ArrayBuffer.h: Renamed from Source/WTF/wtf/ArrayBuffer.h.
2038         (JSC::ArrayBufferContents::ArrayBufferContents):
2039         (JSC::ArrayBufferContents::data):
2040         (JSC::ArrayBufferContents::sizeInBytes):
2041         (JSC::ArrayBufferContents::transfer):
2042         (JSC::ArrayBufferContents::copyTo):
2043         (JSC::ArrayBuffer::isNeutered):
2044         (JSC::ArrayBuffer::~ArrayBuffer):
2045         (JSC::ArrayBuffer::clampValue):
2046         (JSC::ArrayBuffer::create):
2047         (JSC::ArrayBuffer::createUninitialized):
2048         (JSC::ArrayBuffer::ArrayBuffer):
2049         (JSC::ArrayBuffer::data):
2050         (JSC::ArrayBuffer::byteLength):
2051         (JSC::ArrayBuffer::slice):
2052         (JSC::ArrayBuffer::sliceImpl):
2053         (JSC::ArrayBuffer::clampIndex):
2054         (JSC::ArrayBufferContents::tryAllocate):
2055         (JSC::ArrayBufferContents::~ArrayBufferContents):
2056         * runtime/ArrayBufferView.cpp: Renamed from Source/WTF/wtf/ArrayBufferView.cpp.
2057         (JSC::ArrayBufferView::ArrayBufferView):
2058         (JSC::ArrayBufferView::~ArrayBufferView):
2059         (JSC::ArrayBufferView::neuter):
2060         * runtime/ArrayBufferView.h: Renamed from Source/WTF/wtf/ArrayBufferView.h.
2061         (JSC::ArrayBufferView::buffer):
2062         (JSC::ArrayBufferView::baseAddress):
2063         (JSC::ArrayBufferView::byteOffset):
2064         (JSC::ArrayBufferView::setNeuterable):
2065         (JSC::ArrayBufferView::isNeuterable):
2066         (JSC::ArrayBufferView::verifySubRange):
2067         (JSC::ArrayBufferView::clampOffsetAndNumElements):
2068         (JSC::ArrayBufferView::setImpl):
2069         (JSC::ArrayBufferView::setRangeImpl):
2070         (JSC::ArrayBufferView::zeroRangeImpl):
2071         (JSC::ArrayBufferView::calculateOffsetAndLength):
2072         * runtime/Float32Array.h: Renamed from Source/WTF/wtf/Float32Array.h.
2073         (JSC::Float32Array::set):
2074         (JSC::Float32Array::getType):
2075         (JSC::Float32Array::create):
2076         (JSC::Float32Array::createUninitialized):
2077         (JSC::Float32Array::Float32Array):
2078         (JSC::Float32Array::subarray):
2079         * runtime/Float64Array.h: Renamed from Source/WTF/wtf/Float64Array.h.
2080         (JSC::Float64Array::set):
2081         (JSC::Float64Array::getType):
2082         (JSC::Float64Array::create):
2083         (JSC::Float64Array::createUninitialized):
2084         (JSC::Float64Array::Float64Array):
2085         (JSC::Float64Array::subarray):
2086         * runtime/Int16Array.h: Renamed from Source/WTF/wtf/Int16Array.h.
2087         (JSC::Int16Array::getType):
2088         (JSC::Int16Array::create):
2089         (JSC::Int16Array::createUninitialized):
2090         (JSC::Int16Array::Int16Array):
2091         (JSC::Int16Array::subarray):
2092         * runtime/Int32Array.h: Renamed from Source/WTF/wtf/Int32Array.h.
2093         (JSC::Int32Array::getType):
2094         (JSC::Int32Array::create):
2095         (JSC::Int32Array::createUninitialized):
2096         (JSC::Int32Array::Int32Array):
2097         (JSC::Int32Array::subarray):
2098         * runtime/Int8Array.h: Renamed from Source/WTF/wtf/Int8Array.h.
2099         (JSC::Int8Array::getType):
2100         (JSC::Int8Array::create):
2101         (JSC::Int8Array::createUninitialized):
2102         (JSC::Int8Array::Int8Array):
2103         (JSC::Int8Array::subarray):
2104         * runtime/IntegralTypedArrayBase.h: Renamed from Source/WTF/wtf/IntegralTypedArrayBase.h.
2105         (JSC::IntegralTypedArrayBase::set):
2106         (JSC::IntegralTypedArrayBase::IntegralTypedArrayBase):
2107         * runtime/TypedArrayBase.h: Renamed from Source/WTF/wtf/TypedArrayBase.h.
2108         (JSC::TypedArrayBase::data):
2109         (JSC::TypedArrayBase::set):
2110         (JSC::TypedArrayBase::setRange):
2111         (JSC::TypedArrayBase::zeroRange):
2112         (JSC::TypedArrayBase::length):
2113         (JSC::TypedArrayBase::byteLength):
2114         (JSC::TypedArrayBase::item):
2115         (JSC::TypedArrayBase::checkInboundData):
2116         (JSC::TypedArrayBase::TypedArrayBase):
2117         (JSC::TypedArrayBase::create):
2118         (JSC::TypedArrayBase::createUninitialized):
2119         (JSC::TypedArrayBase::subarrayImpl):
2120         (JSC::TypedArrayBase::neuter):
2121         * runtime/Uint16Array.h: Renamed from Source/WTF/wtf/Uint16Array.h.
2122         (JSC::Uint16Array::getType):
2123         (JSC::Uint16Array::create):
2124         (JSC::Uint16Array::createUninitialized):
2125         (JSC::Uint16Array::Uint16Array):
2126         (JSC::Uint16Array::subarray):
2127         * runtime/Uint32Array.h: Renamed from Source/WTF/wtf/Uint32Array.h.
2128         (JSC::Uint32Array::getType):
2129         (JSC::Uint32Array::create):
2130         (JSC::Uint32Array::createUninitialized):
2131         (JSC::Uint32Array::Uint32Array):
2132         (JSC::Uint32Array::subarray):
2133         * runtime/Uint8Array.h: Renamed from Source/WTF/wtf/Uint8Array.h.
2134         (JSC::Uint8Array::getType):
2135         (JSC::Uint8Array::create):
2136         (JSC::Uint8Array::createUninitialized):
2137         (JSC::Uint8Array::Uint8Array):
2138         (JSC::Uint8Array::subarray):
2139         * runtime/Uint8ClampedArray.h: Renamed from Source/WTF/wtf/Uint8ClampedArray.h.
2140         (JSC::Uint8ClampedArray::getType):
2141         (JSC::Uint8ClampedArray::create):
2142         (JSC::Uint8ClampedArray::createUninitialized):
2143         (JSC::Uint8ClampedArray::zeroFill):
2144         (JSC::Uint8ClampedArray::set):
2145         (JSC::Uint8ClampedArray::Uint8ClampedArray):
2146         (JSC::Uint8ClampedArray::subarray):
2147         * runtime/VM.h:
2148
2149 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
2150
2151         Copied space should be able to handle more than one copied backing store per JSCell
2152         https://bugs.webkit.org/show_bug.cgi?id=119471
2153
2154         Reviewed by Mark Hahnenberg.
2155         
2156         This allows a cell to call copyLater() multiple times for multiple different
2157         backing stores, and then have copyBackingStore() called exactly once for each
2158         of those. A token tells it which backing store to copy. All backing stores
2159         must be named using the CopyToken, an enumeration which currently cannot
2160         exceed eight entries.
2161         
2162         When copyBackingStore() is called, it's up to the callee to (a) use the token
2163         to decide what to copy and (b) call its base class's copyBackingStore() in
2164         case the base class had something that needed copying. The only exception is
2165         that JSCell never asks anything to be copied, and so if your base is JSCell
2166         then you don't have to do anything.
2167
2168         * GNUmakefile.list.am:
2169         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2170         * JavaScriptCore.xcodeproj/project.pbxproj:
2171         * heap/CopiedBlock.h:
2172         * heap/CopiedBlockInlines.h:
2173         (JSC::CopiedBlock::reportLiveBytes):
2174         * heap/CopyToken.h: Added.
2175         * heap/CopyVisitor.cpp:
2176         (JSC::CopyVisitor::copyFromShared):
2177         * heap/CopyVisitor.h:
2178         * heap/CopyVisitorInlines.h:
2179         (JSC::CopyVisitor::visitItem):
2180         * heap/CopyWorkList.h:
2181         (JSC::CopyWorklistItem::CopyWorklistItem):
2182         (JSC::CopyWorklistItem::cell):
2183         (JSC::CopyWorklistItem::token):
2184         (JSC::CopyWorkListSegment::get):
2185         (JSC::CopyWorkListSegment::append):
2186         (JSC::CopyWorkListSegment::data):
2187         (JSC::CopyWorkListIterator::get):
2188         (JSC::CopyWorkListIterator::operator*):
2189         (JSC::CopyWorkListIterator::operator->):
2190         (JSC::CopyWorkList::append):
2191         * heap/SlotVisitor.h:
2192         * heap/SlotVisitorInlines.h:
2193         (JSC::SlotVisitor::copyLater):
2194         * runtime/ClassInfo.h:
2195         * runtime/JSCell.cpp:
2196         (JSC::JSCell::copyBackingStore):
2197         * runtime/JSCell.h:
2198         * runtime/JSObject.cpp:
2199         (JSC::JSObject::visitButterfly):
2200         (JSC::JSObject::copyBackingStore):
2201         * runtime/JSObject.h:
2202
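A small model of the copy protocol this entry describes, added here as an example and not JavaScriptCore code: copyLater() queues one (cell, token) item per backing store, the visitor calls copyBackingStore() exactly once per item, and each class handles its own token and forwards the rest to its base. The cell classes, the two token names and the visitor are hypothetical stand-ins for the real heap types.

```cpp
#include <cstdint>
#include <utility>
#include <vector>

namespace copy_model {

// The entry says the CopyToken enumeration currently cannot exceed eight
// entries, so the model keeps its (hypothetical) tokens in the range 0..7.
enum CopyToken : uint8_t { PropertyStorageToken = 0, IndexStorageToken = 1 };
static_assert(IndexStorageToken < 8, "CopyToken values must stay below eight");

struct Cell;

// Records (cell, token) pairs from copyLater() and later calls
// copyBackingStore() exactly once for each recorded pair.
struct CopyVisitor {
    std::vector<std::pair<Cell*, CopyToken>> workList;
    void copyLater(Cell* cell, CopyToken token) { workList.emplace_back(cell, token); }
    void run();
};

// Base analogue of JSCell: it never asks for anything to be copied, so a
// direct subclass has nothing it must forward here.
struct Cell {
    virtual ~Cell() = default;
    virtual void visit(CopyVisitor&) {}
    virtual void copyBackingStore(CopyVisitor&, CopyToken) {}
};

// One backing store (think of an object's property storage).
struct ObjectCell : Cell {
    std::vector<int> propertyStorage{1, 2, 3};
    int propertyCopies = 0;

    void visit(CopyVisitor& visitor) override {
        visitor.copyLater(this, PropertyStorageToken);
    }
    void copyBackingStore(CopyVisitor& visitor, CopyToken token) override {
        if (token == PropertyStorageToken) {
            // A real collector would move propertyStorage into the new block here.
            ++propertyCopies;
            return;
        }
        Cell::copyBackingStore(visitor, token);
    }
};

// Adds a second backing store. It uses the token to decide what to copy and
// forwards anything else to its base, as the entry requires.
struct ArrayCell : ObjectCell {
    std::vector<int> indexStorage{10, 20, 30, 40};
    int indexCopies = 0;

    void visit(CopyVisitor& visitor) override {
        ObjectCell::visit(visitor);                   // first copyLater()
        visitor.copyLater(this, IndexStorageToken);   // second copyLater()
    }
    void copyBackingStore(CopyVisitor& visitor, CopyToken token) override {
        if (token == IndexStorageToken) {
            ++indexCopies;
            return;
        }
        ObjectCell::copyBackingStore(visitor, token); // base had something to copy too
    }
};

// The failure mode: a subclass that handles its own token but never forwards
// to its base, so the base's backing store is silently never copied.
struct ForgetfulArrayCell : ArrayCell {
    void copyBackingStore(CopyVisitor&, CopyToken token) override {
        if (token == IndexStorageToken)
            ++indexCopies;
        // Missing: ObjectCell::copyBackingStore(visitor, token);
    }
};

inline void CopyVisitor::run() {
    for (auto& item : workList)
        item.first->copyBackingStore(*this, item.second);
    workList.clear();
}

// Runs one copy cycle over a fresh cell and returns {propertyCopies, indexCopies}.
template<typename CellType>
std::pair<int, int> collectOnce() {
    CellType cell;
    CopyVisitor visitor;
    cell.visit(visitor);   // two copyLater() calls, one per backing store
    visitor.run();         // two copyBackingStore() calls, one per token
    return {cell.propertyCopies, cell.indexCopies};
}

// Correct forwarding: both stores copied exactly once.
inline std::pair<int, int> forwardingResult() { return collectOnce<ArrayCell>(); }
// Missing forwarding: the property store is never copied.
inline std::pair<int, int> forgetfulResult() { return collectOnce<ForgetfulArrayCell>(); }

} // namespace copy_model
```
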
2203 2013-08-05  Zan Dobersek  <zdobersek@igalia.com>
2204
2205         [Automake] Define ENABLE_JIT through the Autoconf header
2206         https://bugs.webkit.org/show_bug.cgi?id=119445
2207
2208         Reviewed by Martin Robinson.
2209
2210         * GNUmakefile.am: Remove JSC_CPPFLAGS from the cpp flags for the JSC library.
2211
2212 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
2213
2214         hasIndexingHeader() ought really to be a property of an object and its structure, not just its structure
2215         https://bugs.webkit.org/show_bug.cgi?id=119470
2216
2217         Reviewed by Oliver Hunt.
2218         
2219         Structure can still tell you if the object "could" (in the conservative sense)
2220         have an indexing header; that's used by the compiler.
2221         
2222         Most of the time if you want to know if there's an indexing header, you ask the
2223         JSObject.
2224         
2225         In some cases, the JSObject wants to know if it would have an indexing header if
2226         it had a different structure; then it uses Structure::hasIndexingHeader(JSCell*).
2227
2228         * dfg/DFGRepatch.cpp:
2229         (JSC::DFG::tryCachePutByID):
2230         (JSC::DFG::tryBuildPutByIdList):
2231         * dfg/DFGSpeculativeJIT.cpp:
2232         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2233         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2234         * runtime/ButterflyInlines.h:
2235         (JSC::Butterfly::create):
2236         (JSC::Butterfly::growPropertyStorage):
2237         (JSC::Butterfly::growArrayRight):
2238         (JSC::Butterfly::resizeArray):
2239         * runtime/JSObject.cpp:
2240         (JSC::JSObject::copyButterfly):
2241         (JSC::JSObject::visitButterfly):
2242         * runtime/JSObject.h:
2243         (JSC::JSObject::hasIndexingHeader):
2244         (JSC::JSObject::setButterfly):
2245         * runtime/Structure.h:
2246         (JSC::Structure::couldHaveIndexingHeader):
2247         (JSC::Structure::hasIndexingHeader):
2248
2249 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
2250
2251         Give the error object's stack property accessor attributes.
2252         https://bugs.webkit.org/show_bug.cgi?id=119404
2253
2254         Reviewed by Geoffrey Garen.
2255         
2256         Changed the attributes of error object's stack property to allow developers to write
2257         and delete the stack property. This will match the functionality of Chrome. Firefox  
2258         allows developers to write the error's stack, but not delete it. 
2259
2260         * interpreter/Interpreter.cpp:
2261         (JSC::Interpreter::addStackTraceIfNecessary):
2262         * runtime/ErrorInstance.cpp:
2263         (JSC::ErrorInstance::finishCreation):
2264
2265 2013-08-02  Oliver Hunt  <oliver@apple.com>
2266
2267         Incorrect type speculation reported by ToPrimitive
2268         https://bugs.webkit.org/show_bug.cgi?id=119458
2269
2270         Reviewed by Mark Hahnenberg.
2271
2272         Make sure that we report the correct type possibilities for the output
2273         from ToPrimitive.
2274
2275         * dfg/DFGAbstractInterpreterInlines.h:
2276         (JSC::DFG::::executeEffects):
2277
2278 2013-08-02  Gavin Barraclough  <barraclough@apple.com>
2279
2280         Remove no-arguments constructor to PropertySlot
2281         https://bugs.webkit.org/show_bug.cgi?id=119460
2282
2283         Reviewed by Geoff Garen.
2284
2285         This constructor was unsafe if getValue is subsequently called,
2286         and the property is a getter. Simplest to just remove it.
2287
2288         * runtime/Arguments.cpp:
2289         (JSC::Arguments::defineOwnProperty):
2290         * runtime/JSActivation.cpp:
2291         (JSC::JSActivation::getOwnPropertyDescriptor):
2292         * runtime/JSFunction.cpp:
2293         (JSC::JSFunction::getOwnPropertyDescriptor):
2294         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2295         (JSC::JSFunction::put):
2296         (JSC::JSFunction::defineOwnProperty):
2297         * runtime/JSGlobalObject.cpp:
2298         (JSC::JSGlobalObject::defineOwnProperty):
2299         * runtime/JSGlobalObject.h:
2300         (JSC::JSGlobalObject::hasOwnPropertyForWrite):
2301         * runtime/JSNameScope.cpp:
2302         (JSC::JSNameScope::put):
2303         * runtime/JSONObject.cpp:
2304         (JSC::Stringifier::Holder::appendNextProperty):
2305         (JSC::Walker::walk):
2306         * runtime/JSObject.cpp:
2307         (JSC::JSObject::hasProperty):
2308         (JSC::JSObject::hasOwnProperty):
2309         (JSC::JSObject::reifyStaticFunctionsForDelete):
2310         * runtime/Lookup.h:
2311         (JSC::getStaticPropertyDescriptor):
2312         (JSC::getStaticFunctionDescriptor):
2313         (JSC::getStaticValueDescriptor):
2314         * runtime/ObjectConstructor.cpp:
2315         (JSC::defineProperties):
2316         * runtime/PropertySlot.h:
2317
2318 2013-08-02  Mark Hahnenberg  <mhahnenberg@apple.com>
2319
2320         DFG validation can cause assertion failures due to dumping
2321         https://bugs.webkit.org/show_bug.cgi?id=119456
2322
2323         Reviewed by Geoffrey Garen.
2324
2325         * bytecode/CodeBlock.cpp:
2326         (JSC::CodeBlock::hasHash):
2327         (JSC::CodeBlock::isSafeToComputeHash):
2328         (JSC::CodeBlock::hash):
2329         (JSC::CodeBlock::dumpAssumingJITType):
2330         * bytecode/CodeBlock.h:
2331
2332 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
2333
2334         Have vm's exceptionStack match java's vm's exceptionStack.
2335         https://bugs.webkit.org/show_bug.cgi?id=119362
2336
2337         Reviewed by Geoffrey Garen.
2338         
2339         The error object's stack is only updated if it does not exist yet. This matches 
2340         the functionality of other browsers, and Java VMs. 
2341
2342         * interpreter/Interpreter.cpp:
2343         (JSC::Interpreter::addStackTraceIfNecessary):
2344         (JSC::Interpreter::throwException):
2345         * runtime/VM.cpp:
2346         (JSC::VM::clearExceptionStack):
2347         * runtime/VM.h:
2348         (JSC::VM::lastExceptionStack):
2349
2350 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
2351
2352         REGRESSION(FTL): Fix mips implementation of ctiVMThrowTrampolineSlowpath.
2353         https://bugs.webkit.org/show_bug.cgi?id=119447
2354
2355         Reviewed by Geoffrey Garen.
2356
2357         Fix .cpload, update call frame and do not restore registers from JIT stack frame in
2358         mips implementation of ctiVMThrowTrampolineSlowpath. This change is similar to
2359         r153583 (sh4) and r153648 (ARM).
2360
2361         * jit/JITStubsMIPS.h:
2362
2363 2013-08-01  Filip Pizlo  <fpizlo@apple.com>
2364
2365         hasIndexingHeader should be a property of the Structure, not just the IndexingType
2366         https://bugs.webkit.org/show_bug.cgi?id=119422
2367
2368         Reviewed by Oliver Hunt.
2369         
2370         This simplifies some code and also allows Structure to claim that an object
2371         has an indexing header even if it doesn't have indexed properties.
2372         
2373         I also changed some calls to use hasIndexedProperties() since in some cases,
2374         that's what we actually meant. Currently the two are synonyms.
2375
2376         * dfg/DFGRepatch.cpp:
2377         (JSC::DFG::tryCachePutByID):
2378         (JSC::DFG::tryBuildPutByIdList):
2379         * dfg/DFGSpeculativeJIT.cpp:
2380         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2381         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2382         * runtime/ButterflyInlines.h:
2383         (JSC::Butterfly::create):
2384         (JSC::Butterfly::growPropertyStorage):
2385         (JSC::Butterfly::growArrayRight):
2386         (JSC::Butterfly::resizeArray):
2387         * runtime/IndexingType.h:
2388         * runtime/JSObject.cpp:
2389         (JSC::JSObject::copyButterfly):
2390         (JSC::JSObject::visitButterfly):
2391         (JSC::JSObject::setPrototype):
2392         * runtime/JSObject.h:
2393         (JSC::JSObject::setButterfly):
2394         * runtime/JSPropertyNameIterator.cpp:
2395         (JSC::JSPropertyNameIterator::create):
2396         * runtime/Structure.h:
2397         (JSC::Structure::hasIndexingHeader):
2398
2399 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
2400
2401         REGRESSION: ARM still crashes after change set r153612.
2402         https://bugs.webkit.org/show_bug.cgi?id=119433
2403
2404         Reviewed by Michael Saboff.
2405
2406         Update call frame and do not restore registers from JIT stack frame in ARM and ARMv7
2407         implementations of ctiVMThrowTrampolineSlowpath. This change is similar to r153583
2408         for sh4 architecture.
2409
2410         * jit/JITStubsARM.h:
2411         * jit/JITStubsARMv7.h:
2412
2413 2013-08-02  Michael Saboff  <msaboff@apple.com>
2414
2415         REGRESSION(r153612): It made jsc and layout tests crash
2416         https://bugs.webkit.org/show_bug.cgi?id=119440
2417
2418         Reviewed by Csaba Osztrogonác.
2419
2420         Made the changes in changeset r153612 only apply to 32 bit builds.
2421
2422         * jit/JITExceptions.cpp:
2423         * jit/JITExceptions.h:
2424         * jit/JITStubs.cpp:
2425         (JSC::cti_vm_throw_slowpath):
2426         * jit/JITStubs.h:
2427
2428 2013-08-02  Patrick Gansterer  <paroga@webkit.org>
2429
2430         Add JSCTestRunnerUtils to the list of forwarding headers to fix build.
2431
2432         * CMakeLists.txt:
2433
2434 2013-08-01  Ruth Fong  <ruth_fong@apple.com>
2435
2436         [Forms: color] <input type='color'> popover color well implementation
2437         <rdar://problem/14411008> and https://bugs.webkit.org/show_bug.cgi?id=119356
2438
2439         Reviewed by Benjamin Poulain.
2440
2441         * Configurations/FeatureDefines.xcconfig: Added and enabled INPUT_TYPE_COLOR_POPOVER.
2442
2443 2013-08-01  Oliver Hunt  <oliver@apple.com>
2444
2445         DFG is not enforcing correct ordering of ToString conversion in MakeRope
2446         https://bugs.webkit.org/show_bug.cgi?id=119408
2447
2448         Reviewed by Filip Pizlo.
2449
2450         Construct ToString and Phantom nodes in advance of MakeRope
2451         nodes to ensure that ordering is ensured, and correct values
2452         will be reified on OSR exit.
2453
2454         * dfg/DFGByteCodeParser.cpp:
2455         (JSC::DFG::ByteCodeParser::parseBlock):
2456
2457 2013-08-01  Michael Saboff  <msaboff@apple.com>
2458
2459         REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
2460         https://bugs.webkit.org/show_bug.cgi?id=119140
2461
2462         Reviewed by Filip Pizlo.
2463
2464         Ensure that ExceptionHandler is returned by functions in two registers by encoding the value as a 64 bit int.
2465
2466         * jit/JITExceptions.cpp:
2467         (JSC::encode):
2468         * jit/JITExceptions.h:
2469         * jit/JITStubs.cpp:
2470         (JSC::cti_vm_throw_slowpath):
2471         * jit/JITStubs.h:
2472
2473 2013-08-01  Julien Brianceau  <jbrianceau@nds.com>
2474
2475         REGRESSION(FTL): Fix sh4 implementation of ctiVMThrowTrampolineSlowpath.
2476         https://bugs.webkit.org/show_bug.cgi?id=119391
2477
2478         Reviewed by Csaba Osztrogonác.
2479
2480         * jit/JITStubsSH4.h: Fix ctiVMThrowTrampolineSlowpath implementation:
2481             - Call frame is in r14 register.
2482             - Do not restore registers from JIT stack frame here.
2483
2484 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
2485
2486         More cleanup in PropertySlot
2487         https://bugs.webkit.org/show_bug.cgi?id=119359
2488
2489         Reviewed by Geoff Garen.
2490
2491         m_slotBase is overloaded to store the (receiver) thisValue and the object that contains the property.
2492         This is confusing, and means that slotBase cannot be typed correctly (can only be a JSObject).
2493
2494         * dfg/DFGRepatch.cpp:
2495         (JSC::DFG::tryCacheGetByID):
2496         (JSC::DFG::tryBuildGetByIDList):
2497             - No need to ASSERT slotBase is an object.
2498         * jit/JITStubs.cpp:
2499         (JSC::tryCacheGetByID):
2500         (JSC::DEFINE_STUB_FUNCTION):
2501             - No need to ASSERT slotBase is an object.
2502         * runtime/JSObject.cpp:
2503         (JSC::JSObject::getOwnPropertySlotByIndex):
2504         (JSC::JSObject::fillGetterPropertySlot):
2505             - Pass an object through to setGetterSlot.
2506         * runtime/JSObject.h:
2507         (JSC::PropertySlot::getValue):
2508             - Moved from PropertySlot (need to know about JSObject).
2509         * runtime/PropertySlot.cpp:
2510         (JSC::PropertySlot::functionGetter):
2511             - Update per member name changes.
2512         * runtime/PropertySlot.h:
2513         (JSC::PropertySlot::PropertySlot):
2514             - Argument to constructor set to 'thisValue'.
2515         (JSC::PropertySlot::slotBase):
2516             - This returns a JSObject*.
2517         (JSC::PropertySlot::setValue):
2518         (JSC::PropertySlot::setCustom):
2519         (JSC::PropertySlot::setCacheableCustom):
2520         (JSC::PropertySlot::setCustomIndex):
2521         (JSC::PropertySlot::setGetterSlot):
2522         (JSC::PropertySlot::setCacheableGetterSlot):
2523             - slotBase is a JSObject*, make setGetterSlot set slotBase for consistency.
2524         * runtime/SparseArrayValueMap.cpp:
2525         (JSC::SparseArrayEntry::get):
2526             - Pass an object through to setGetterSlot.
2527         * runtime/SparseArrayValueMap.h:
2528             - Pass an object through to setGetterSlot.
2529
2530 2013-07-31  Yi Shen  <max.hong.shen@gmail.com>
2531
2532         Reduce JSC API static value setter/getter overhead.
2533         https://bugs.webkit.org/show_bug.cgi?id=119277
2534
2535         Reviewed by Geoffrey Garen.
2536
2537         Add property name to the static value entry, so that OpaqueJSString::create() doesn't
2538         need to get called every time we set or get the static value.
2539
2540         * API/JSCallbackObjectFunctions.h:
2541         (JSC::::put):
2542         (JSC::::putByIndex):
2543         (JSC::::getStaticValue):
2544         * API/JSClassRef.cpp:
2545         (OpaqueJSClassContextData::OpaqueJSClassContextData):
2546         * API/JSClassRef.h:
2547         (StaticValueEntry::StaticValueEntry):
2548
2549 2013-07-31  Kwang Yul Seo  <skyul@company100.net>
2550
2551         Use emptyString instead of String("")
2552         https://bugs.webkit.org/show_bug.cgi?id=119335
2553
2554         Reviewed by Darin Adler.
2555
2556         Use emptyString() instead of String("") because it is better style and
2557         faster. This is a followup to r116908, removing all occurrences of
2558         String("") from WebKit.
2559
2560         * runtime/RegExpConstructor.cpp:
2561         (JSC::constructRegExp):
2562         * runtime/RegExpPrototype.cpp:
2563         (JSC::regExpProtoFuncCompile):
2564         * runtime/StringPrototype.cpp:
2565         (JSC::stringProtoFuncMatch):
2566         (JSC::stringProtoFuncSearch):
2567
2568 2013-07-31  Ruth Fong  <ruth_fong@apple.com>
2569
2570         <input type=color> Mac UI behaviour
2571         <rdar://problem/10269922> and https://bugs.webkit.org/show_bug.cgi?id=61276
2572
2573         Reviewed by Brady Eidson.
2574
2575         * Configurations/FeatureDefines.xcconfig: Enabled INPUT_TYPE_COLOR.
2576
2577 2013-07-31  Mark Hahnenberg  <mhahnenberg@apple.com>
2578
2579         DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT
2580         https://bugs.webkit.org/show_bug.cgi?id=119349
2581
2582         Reviewed by Geoffrey Garen.
2583
2584         Prior to this patch, the baseline JIT was responsible for resizing the ctiOffsets Vector for 
2585         SimpleJumpTables to be equal to the size of the branchOffsets Vector. The DFG implicitly relied
2586         on code it compiled with any switch statements to have been run in the baseline JIT first. 
2587         However, if the DFG chooses to inline a function that has never been compiled by the baseline 
2588         JIT then this resizing never happens and we crash at link time in the DFG.
2589
2590         We can fix this by also doing the resize in the DFG to catch this case.
2591
2592         * dfg/DFGJITCompiler.cpp:
2593         (JSC::DFG::JITCompiler::link):
2594
2595 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
2596
2597         Speculative Windows build fix.
2598
2599         Reviewed by NOBODY
2600
2601         * runtime/JSString.cpp:
2602         (JSC::JSRopeString::getIndexSlowCase):
2603         * runtime/JSString.h:
2604
2605 2013-07-30  Gavin Barraclough  <barraclough@apple.com>
2606
2607         Some cleanup in JSValue::get
2608         https://bugs.webkit.org/show_bug.cgi?id=119343
2609
2610         Reviewed by Geoff Garen.
2611
2612         JSValue::get is implemented to:
2613             1) Check if the value is a cell – if not, synthesize a prototype to search,
2614             2) call getOwnPropertySlot on the cell,
2615             3) if this returns false, cast to JSObject to get the prototype, and walk the prototype chain.
2616         By all rights this should crash when passed a string and accessing a property that does not exist, because
2617         the string is a cell, getOwnPropertySlot should return false, and the cast to JSObject should be unsafe.
2618         To work around this, JSString::getOwnPropertySlot actually implements 'get' functionality - searching the
2619         prototype chain, and faking out a return value of undefined if no property is found.
2620
2621         This is a huge hazard, since fixing JSString::getOwnPropertySlot or calling getOwnPropertySlot on cells
2622         from elsewhere would introduce bugs. Fortunately it is only ever called in this one place.
2623
2624         The fix here is to move getOwnPropertySlot onto JSObject and end this madness - cells don't have property
2625         slots anyway.
2626
2627         Interesting changes are in JSCJSValueInlines.h, JSString.cpp - the rest is pretty much all JSCell -> JSObject.
2628
2629 2013-07-31  Michael Saboff  <msaboff@apple.com>
2630
2631         [Win] JavaScript crash.
2632         https://bugs.webkit.org/show_bug.cgi?id=119339
2633
2634         Reviewed by Mark Hahnenberg.
2635
2636         * jit/JITStubsX86.h: Implement ctiVMThrowTrampoline and
2637         ctiVMThrowTrampolineSlowpath the same way as the gcc x86 version does.
2638
2639 2013-07-30  Mark Hahnenberg  <mhahnenberg@apple.com>
2640
2641         GetByVal on Arguments does the wrong size load when checking the Arguments object length
2642         https://bugs.webkit.org/show_bug.cgi?id=119281
2643
2644         Reviewed by Geoffrey Garen.
2645
2646         This leads to out of bounds accesses and subsequent crashes.
2647
2648         * dfg/DFGSpeculativeJIT.cpp:
2649         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
2650         * dfg/DFGSpeculativeJIT64.cpp:
2651         (JSC::DFG::SpeculativeJIT::compile):
2652
2653 2013-07-30  Oliver Hunt  <oliver@apple.com>
2654
2655         Add an assertion to SpeculateCellOperand
2656         https://bugs.webkit.org/show_bug.cgi?id=119276
2657
2658         Reviewed by Michael Saboff.
2659
2660         More assertions are better.
2661
2662         * dfg/DFGSpeculativeJIT64.cpp:
2663         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2664         (JSC::DFG::SpeculativeJIT::compile):
2665
2666 2013-07-30  Mark Lam  <mark.lam@apple.com>
2667
2668         Fix problems with divot and lineStart mismatches.
2669         https://bugs.webkit.org/show_bug.cgi?id=118662
2670
2671         Reviewed by Oliver Hunt.
2672
2673         r152494 added the recording of lineStart values for divot positions.
2674         This is needed for the computation of column numbers. Similarly, it also
2675         added the recording of line numbers for the divot positions. One problem
2676         with the approach taken was that the line and lineStart values were
2677         recorded independently, and hence were not always guaranteed to be
2678         sampled at the same place that the divot position is recorded. This
2679         resulted in potential mismatches that cause some assertions to fail.
2680
2681         The solution is to introduce a JSTextPosition abstraction that records
2682         the divot position, line, and lineStart as a single quantity. Wherever
2683         we record the divot position as an unsigned int previously, we now record
2684         its JSTextPosition which captures all 3 values in one go. This ensures
2685         that the captured line and lineStart will always match the captured divot
2686         position.
2687
2688         * bytecompiler/BytecodeGenerator.cpp:
2689         (JSC::BytecodeGenerator::emitCall):
2690         (JSC::BytecodeGenerator::emitCallEval):
2691         (JSC::BytecodeGenerator::emitCallVarargs):
2692         (JSC::BytecodeGenerator::emitConstruct):
2693         (JSC::BytecodeGenerator::emitDebugHook):
2694         - Use JSTextPosition instead of passing line and lineStart explicitly.
2695         * bytecompiler/BytecodeGenerator.h:
2696         (JSC::BytecodeGenerator::emitExpressionInfo):
2697         - Use JSTextPosition instead of passing line and lineStart explicitly.
2698         * bytecompiler/NodesCodegen.cpp:
2699         (JSC::ThrowableExpressionData::emitThrowReferenceError):
2700         (JSC::ResolveNode::emitBytecode):
2701         (JSC::BracketAccessorNode::emitBytecode):
2702         (JSC::DotAccessorNode::emitBytecode):
2703         (JSC::NewExprNode::emitBytecode):
2704         (JSC::EvalFunctionCallNode::emitBytecode):
2705         (JSC::FunctionCallValueNode::emitBytecode):
2706         (JSC::FunctionCallResolveNode::emitBytecode):
2707         (JSC::FunctionCallBracketNode::emitBytecode):
2708         (JSC::FunctionCallDotNode::emitBytecode):
2709         (JSC::CallFunctionCallDotNode::emitBytecode):
2710         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2711         (JSC::PostfixNode::emitResolve):
2712         (JSC::PostfixNode::emitBracket):
2713         (JSC::PostfixNode::emitDot):
2714         (JSC::DeleteResolveNode::emitBytecode):
2715         (JSC::DeleteBracketNode::emitBytecode):
2716         (JSC::DeleteDotNode::emitBytecode):
2717         (JSC::PrefixNode::emitResolve):
2718         (JSC::PrefixNode::emitBracket):
2719         (JSC::PrefixNode::emitDot):
2720         (JSC::UnaryOpNode::emitBytecode):
2721         (JSC::BinaryOpNode::emitStrcat):
2722         (JSC::BinaryOpNode::emitBytecode):
2723         (JSC::ThrowableBinaryOpNode::emitBytecode):
2724         (JSC::InstanceOfNode::emitBytecode):
2725         (JSC::emitReadModifyAssignment):
2726         (JSC::ReadModifyResolveNode::emitBytecode):
2727         (JSC::AssignResolveNode::emitBytecode):
2728         (JSC::AssignDotNode::emitBytecode):
2729         (JSC::ReadModifyDotNode::emitBytecode):
2730         (JSC::AssignBracketNode::emitBytecode):
2731         (JSC::ReadModifyBracketNode::emitBytecode):
2732         (JSC::ForInNode::emitBytecode):
2733         (JSC::WithNode::emitBytecode):
2734         (JSC::ThrowNode::emitBytecode):
2735         - Use JSTextPosition instead of passing line and lineStart explicitly.
2736         * parser/ASTBuilder.h:
2737         - Replaced ASTBuilder::PositionInfo with JSTextPosition.
2738         (JSC::ASTBuilder::BinaryOpInfo::BinaryOpInfo):
2739         (JSC::ASTBuilder::AssignmentInfo::AssignmentInfo):
2740         (JSC::ASTBuilder::createResolve):
2741         (JSC::ASTBuilder::createBracketAccess):
2742         (JSC::ASTBuilder::createDotAccess):
2743         (JSC::ASTBuilder::createRegExp):
2744         (JSC::ASTBuilder::createNewExpr):
2745         (JSC::ASTBuilder::createAssignResolve):
2746         (JSC::ASTBuilder::createExprStatement):
2747         (JSC::ASTBuilder::createForInLoop):
2748         (JSC::ASTBuilder::createReturnStatement):
2749         (JSC::ASTBuilder::createBreakStatement):
2750         (JSC::ASTBuilder::createContinueStatement):
2751         (JSC::ASTBuilder::createLabelStatement):
2752         (JSC::ASTBuilder::createWithStatement):
2753         (JSC::ASTBuilder::createThrowStatement):
2754         (JSC::ASTBuilder::appendBinaryExpressionInfo):
2755         (JSC::ASTBuilder::appendUnaryToken):
2756         (JSC::ASTBuilder::unaryTokenStackLastStart):
2757         (JSC::ASTBuilder::assignmentStackAppend):
2758         (JSC::ASTBuilder::createAssignment):
2759         (JSC::ASTBuilder::setExceptionLocation):
2760         (JSC::ASTBuilder::makeDeleteNode):
2761         (JSC::ASTBuilder::makeFunctionCallNode):
2762         (JSC::ASTBuilder::makeBinaryNode):
2763         (JSC::ASTBuilder::makeAssignNode):
2764         (JSC::ASTBuilder::makePrefixNode):
2765         (JSC::ASTBuilder::makePostfixNode):
2766         - Use JSTextPosition instead of passing line and lineStart explicitly.
2767         * parser/Lexer.cpp:
2768         (JSC::::lex):
2769         - Added support for capturing the appropriate JSTextPositions instead
2770           of just the character offset.
2771         * parser/Lexer.h:
2772         (JSC::Lexer::currentPosition):
2773         (JSC::::lexExpectIdentifier):
2774         - Added support for capturing the appropriate JSTextPositions instead
2775           of just the character offset.
2776         * parser/NodeConstructors.h:
2777         (JSC::Node::Node):
2778         (JSC::ResolveNode::ResolveNode):
2779         (JSC::EvalFunctionCallNode::EvalFunctionCallNode):
2780         (JSC::FunctionCallValueNode::FunctionCallValueNode):
2781         (JSC::FunctionCallResolveNode::FunctionCallResolveNode):
2782         (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
2783         (JSC::FunctionCallDotNode::FunctionCallDotNode):
2784         (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
2785         (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
2786         (JSC::PostfixNode::PostfixNode):
2787         (JSC::DeleteResolveNode::DeleteResolveNode):
2788         (JSC::DeleteBracketNode::DeleteBracketNode):
2789         (JSC::DeleteDotNode::DeleteDotNode):
2790         (JSC::PrefixNode::PrefixNode):
2791         (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
2792         (JSC::ReadModifyBracketNode::ReadModifyBracketNode):
2793         (JSC::AssignBracketNode::AssignBracketNode):
2794         (JSC::AssignDotNode::AssignDotNode):
2795         (JSC::ReadModifyDotNode::ReadModifyDotNode):
2796         (JSC::AssignErrorNode::AssignErrorNode):
2797         (JSC::WithNode::WithNode):
2798         (JSC::ForInNode::ForInNode):
2799         - Use JSTextPosition instead of passing line and lineStart explicitly.
2800         * parser/Nodes.cpp:
2801         (JSC::StatementNode::setLoc):
2802         - Use JSTextPosition instead of passing line and lineStart explicitly.
2803         * parser/Nodes.h:
2804         (JSC::Node::lineNo):
2805         (JSC::Node::startOffset):
2806         (JSC::Node::lineStartOffset):
2807         (JSC::Node::position):
2808         (JSC::ThrowableExpressionData::ThrowableExpressionData):
2809         (JSC::ThrowableExpressionData::setExceptionSourceCode):
2810         (JSC::ThrowableExpressionData::divot):
2811         (JSC::ThrowableExpressionData::divotStart):
2812         (JSC::ThrowableExpressionData::divotEnd):
2813         (JSC::ThrowableSubExpressionData::ThrowableSubExpressionData):
2814         (JSC::ThrowableSubExpressionData::setSubexpressionInfo):
2815         (JSC::ThrowableSubExpressionData::subexpressionDivot):
2816         (JSC::ThrowableSubExpressionData::subexpressionStart):
2817         (JSC::ThrowableSubExpressionData::subexpressionEnd):
2818         (JSC::ThrowablePrefixedSubExpressionData::ThrowablePrefixedSubExpressionData):
2819         (JSC::ThrowablePrefixedSubExpressionData::setSubexpressionInfo):
2820         (JSC::ThrowablePrefixedSubExpressionData::subexpressionDivot):
2821         (JSC::ThrowablePrefixedSubExpressionData::subexpressionStart):
2822         (JSC::ThrowablePrefixedSubExpressionData::subexpressionEnd):
2823         - Use JSTextPosition instead of passing line and lineStart explicitly.
2824         * parser/Parser.cpp:
2825         (JSC::::Parser):
2826         (JSC::::parseInner):
2827         - Use JSTextPosition instead of passing line and lineStart explicitly.
2828         (JSC::::didFinishParsing):
2829         - Remove setting of m_lastLine value. We always pass in the value from
2830           m_lastLine anyway. So, this assignment is effectively a nop.
2831         (JSC::::parseVarDeclaration):
2832         (JSC::::parseVarDeclarationList):
2833         (JSC::::parseForStatement):
2834         (JSC::::parseBreakStatement):
2835         (JSC::::parseContinueStatement):
2836         (JSC::::parseReturnStatement):
2837         (JSC::::parseThrowStatement):
2838         (JSC::::parseWithStatement):
2839         (JSC::::parseTryStatement):
2840         (JSC::::parseBlockStatement):
2841         (JSC::::parseFunctionDeclaration):
2842         (JSC::LabelInfo::LabelInfo):
2843         (JSC::::parseExpressionOrLabelStatement):
2844         (JSC::::parseExpressionStatement):
2845         (JSC::::parseAssignmentExpression):
2846         (JSC::::parseBinaryExpression):
2847         (JSC::::parseProperty):
2848         (JSC::::parsePrimaryExpression):
2849         (JSC::::parseMemberExpression):
2850         (JSC::::parseUnaryExpression):
2851         - Use JSTextPosition instead of passing line and lineStart explicitly.
2852         * parser/Parser.h:
2853         (JSC::Parser::next):
2854         (JSC::Parser::nextExpectIdentifier):
2855         (JSC::Parser::getToken):
2856         (JSC::Parser::tokenStartPosition):
2857         (JSC::Parser::tokenEndPosition):
2858         (JSC::Parser::lastTokenEndPosition):
2859         (JSC::::parse):
2860         - Use JSTextPosition instead of passing line and lineStart explicitly.
2861         * parser/ParserTokens.h:
2862         (JSC::JSTextPosition::JSTextPosition):
2863         (JSC::JSTextPosition::operator+):
2864         (JSC::JSTextPosition::operator-):
2865         (JSC::JSTextPosition::operator int):
2866         - Added JSTextPosition.
2867         * parser/SyntaxChecker.h:
2868         (JSC::SyntaxChecker::makeFunctionCallNode):
2869         (JSC::SyntaxChecker::makeAssignNode):
2870         (JSC::SyntaxChecker::makePrefixNode):
2871         (JSC::SyntaxChecker::makePostfixNode):
2872         (JSC::SyntaxChecker::makeDeleteNode):
2873         (JSC::SyntaxChecker::createResolve):
2874         (JSC::SyntaxChecker::createBracketAccess):
2875         (JSC::SyntaxChecker::createDotAccess):
2876         (JSC::SyntaxChecker::createRegExp):
2877         (JSC::SyntaxChecker::createNewExpr):
2878         (JSC::SyntaxChecker::createAssignResolve):
2879         (JSC::SyntaxChecker::createForInLoop):
2880         (JSC::SyntaxChecker::createReturnStatement):
2881         (JSC::SyntaxChecker::createBreakStatement):
2882         (JSC::SyntaxChecker::createContinueStatement):
2883         (JSC::SyntaxChecker::createWithStatement):
2884         (JSC::SyntaxChecker::createLabelStatement):
2885         (JSC::SyntaxChecker::createThrowStatement):
2886         (JSC::SyntaxChecker::appendBinaryExpressionInfo):
2887         (JSC::SyntaxChecker::operatorStackPop):
2888         - Use JSTextPosition instead of passing line and lineStart explicitly.
2889
2890 2013-07-29  Carlos Garcia Campos  <cgarcia@igalia.com>
2891
2892         Unreviewed. Fix make distcheck.
2893
2894         * GNUmakefile.list.am: Add missing files to compilation.
2895         * bytecode/CodeBlock.cpp: Add a ENABLE(FTL_JIT) #if block to
2896         include FTL header files not included in the compilation.
2897         * dfg/DFGDriver.cpp: Ditto.
2898         * dfg/DFGPlan.cpp: Ditto.
2899
2900 2013-07-29  Chris Curtis  <chris_curtis@apple.com>
2901
2902         Eager stack trace for error objects.
2903         https://bugs.webkit.org/show_bug.cgi?id=118918
2904
2905         Reviewed by Geoffrey Garen.
2906         
2907         Chrome and Firefox give error objects the stack property and we wanted to match
2908         that functionality. This allows developers to see the stack without throwing an object.
2909
2910         * runtime/ErrorInstance.cpp:
2911         (JSC::ErrorInstance::finishCreation):
2912          For error objects that are not thrown as an exception, we pass the stackTrace in 
2913          as a parameter. This allows the error object to have the stack property.
2914         
2915         * interpreter/Interpreter.cpp:
2916         (JSC::stackTraceAsString):
2917         Helper function used to eliminate duplicate code.
2918
2919         (JSC::Interpreter::addStackTraceIfNecessary):
2920         When an error object is created by the user the vm->exceptionStack is not set.
2921         If the user throws this error object later the stack that is in the error object 
2922         may not be the correct stack for the throw, so when we set the vm->exception stack,
2923         the stack property on the error object is set as well.
2924         
2925         * runtime/ErrorConstructor.cpp:
2926         (JSC::constructWithErrorConstructor):
2927         (JSC::callErrorConstructor):
2928         * runtime/NativeErrorConstructor.cpp:
2929         (JSC::constructWithNativeErrorConstructor):
2930         (JSC::callNativeErrorConstructor):
2931         These functions indicate that the user created an error object. For all error objects 
2932         that the user explicitly creates, the topCallFrame is at a new frame created to 
2933         handle the user's call. In this case though, the error object needs the caller's 
2934         frame to create the stack trace correctly.
2935         
2936         * interpreter/Interpreter.h:
2937         * runtime/ErrorInstance.h:
2938         (JSC::ErrorInstance::create):
2939
2940 2013-07-29  Gavin Barraclough  <barraclough@apple.com>
2941
2942         Some cleanup in PropertySlot
2943         https://bugs.webkit.org/show_bug.cgi?id=119189
2944
2945         Reviewed by Geoff Garen.
2946
2947         PropertySlot represents a property in one of four states - value, getter, custom, or custom-index.
2948         The state is currently tracked redundantly by two mechanisms - the custom getter function (m_getValue)
2949         is set to a special value to indicate the type (other than custom), and the type is also tracked by
2950         an enum - but only if cacheable. Cacheability can typically be determined by the value of m_offset
2951         (this is invalidOffset if not cacheable).
2952
2953             * Internally, always track the type of the property using an enum value, PropertyType.
2954             * Use m_offset to indicate cacheable.
2955             * Keep the external interface (CachedPropertyType) unchanged.
2956             * Better pack data into the m_data union.
2957
2958         Performance neutral.
2959
2960         * dfg/DFGRepatch.cpp:
2961         (JSC::DFG::tryCacheGetByID):
2962         (JSC::DFG::tryBuildGetByIDList):
2963             - cachedPropertyType() -> isCacheable*()
2964         * jit/JITPropertyAccess.cpp:
2965         (JSC::JIT::privateCompileGetByIdProto):
2966         (JSC::JIT::privateCompileGetByIdSelfList):
2967         (JSC::JIT::privateCompileGetByIdProtoList):
2968         (JSC::JIT::privateCompileGetByIdChainList):
2969         (JSC::JIT::privateCompileGetByIdChain):
2970             - cachedPropertyType() -> isCacheable*()
2971         * jit/JITPropertyAccess32_64.cpp:
2972         (JSC::JIT::privateCompileGetByIdProto):
2973         (JSC::JIT::privateCompileGetByIdSelfList):
2974         (JSC::JIT::privateCompileGetByIdProtoList):
2975         (JSC::JIT::privateCompileGetByIdChainList):
2976         (JSC::JIT::privateCompileGetByIdChain):
2977             - cachedPropertyType() -> isCacheable*()
2978         * jit/JITStubs.cpp:
2979         (JSC::tryCacheGetByID):
2980             - cachedPropertyType() -> isCacheable*()
2981         * llint/LLIntSlowPaths.cpp:
2982         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2983             - cachedPropertyType() -> isCacheable*()
2984         * runtime/PropertySlot.cpp:
2985         (JSC::PropertySlot::functionGetter):
2986             - refactoring described above.
2987         * runtime/PropertySlot.h:
2988         (JSC::PropertySlot::PropertySlot):
2989         (JSC::PropertySlot::getValue):
2990         (JSC::PropertySlot::isCacheable):
2991         (JSC::PropertySlot::isCacheableValue):
2992         (JSC::PropertySlot::isCacheableGetter):
2993         (JSC::PropertySlot::isCacheableCustom):
2994         (JSC::PropertySlot::cachedOffset):
2995         (JSC::PropertySlot::customGetter):
2996         (JSC::PropertySlot::setValue):
2997         (JSC::PropertySlot::setCustom):
2998         (JSC::PropertySlot::setCacheableCustom):
2999         (JSC::PropertySlot::setCustomIndex):
3000         (JSC::PropertySlot::setGetterSlot):
3001         (JSC::PropertySlot::setCacheableGetterSlot):
3002         (JSC::PropertySlot::setUndefined):
3003         (JSC::PropertySlot::slotBase):
3004         (JSC::PropertySlot::setBase):
3005             - refactoring described above.
3006
3007 2013-07-28  Oliver Hunt  <oliver@apple.com>
3008
3009         REGRESSION: Crash when opening Facebook.com
3010         https://bugs.webkit.org/show_bug.cgi?id=119155
3011
3012         Reviewed by Andreas Kling.
3013
3014         Scope nodes are always objects, so we should be using SpecObjectOther
3015         rather than SpecCellOther.  Marking Scopes as CellOther leads to a
3016         contradiction in the CFA, resulting in bogus codegen.
3017
3018         * dfg/DFGAbstractInterpreterInlines.h:
3019         (JSC::DFG::::executeEffects):
3020         * dfg/DFGPredictionPropagationPhase.cpp:
3021         (JSC::DFG::PredictionPropagationPhase::propagate):
3022
3023 2013-07-26  Oliver Hunt  <oliver@apple.com>
3024
3025         REGRESSION(FTL?): Crashes in plugin tests
3026         https://bugs.webkit.org/show_bug.cgi?id=119141
3027
3028         Reviewed by Michael Saboff.
3029
3030         Re-export getStackTrace
3031
3032         * interpreter/Interpreter.h:
3033
3034 2013-07-26  Filip Pizlo  <fpizlo@apple.com>
3035
3036         REGRESSION: Crash when opening a message on Gmail
3037         https://bugs.webkit.org/show_bug.cgi?id=119105
3038
3039         Reviewed by Oliver Hunt and Mark Hahnenberg.
3040         
3041         - GetById patching in the DFG needs to be more disciplined about how it derives the
3042           slow path.
3043         
3044         - Fix some dumping code thread safety issues.
3045
3046         * bytecode/CallLinkStatus.cpp:
3047         (JSC::CallLinkStatus::dump):
3048         * bytecode/CodeBlock.cpp:
3049         (JSC::CodeBlock::dumpBytecode):
3050         * dfg/DFGRepatch.cpp:
3051         (JSC::DFG::getPolymorphicStructureList):
3052         (JSC::DFG::tryBuildGetByIDList):
3053
3054 2013-07-26  Balazs Kilvady  <kilvadyb@homejinni.com>
3055
3056         [mips] Fix LLINT build for mips backend
3057         https://bugs.webkit.org/show_bug.cgi?id=119152
3058
3059         Reviewed by Oliver Hunt.
3060
3061         * offlineasm/mips.rb:
3062
3063 2013-07-19  Mark Hahnenberg  <mhahnenberg@apple.com>
3064
3065         Setting a large numeric property on an object causes it to allocate a huge backing store
3066         https://bugs.webkit.org/show_bug.cgi?id=118914
3067
3068         Reviewed by Geoffrey Garen.
3069
3070         There are two distinct actions that we're trying to optimize for:
3071
3072         new Array(100000);
3073
3074         and:
3075
3076         a = [];
3077         a[100000] = 42;
3078         
3079         In the first case, the programmer has indicated that they expect this Array to be very big, 
3080         so they should get a contiguous array up until some threshold, above which we perform density 
3081         calculations to see if it is indeed dense enough to warrant being contiguous.
3082         
3083         In the second case, the programmer hasn't indicated anything about the size of the Array, so 
3084         we should be more conservative and assume it should be sparse until we've proven otherwise.
3085         
3086         Currently both of those cases are handled by MIN_SPARSE_ARRAY_INDEX. We should distinguish 
3087         between them for the purposes of not over-allocating large backing stores like we see on 
3088         http://www.peekanalytics.com/burgerjoints/
3089         
3090         The way that we'll do this is to keep the MIN_SPARSE_ARRAY_INDEX for the first case, and 
3091         introduce a new heuristic for the second case. If we are putting to an index above a certain 
3092         threshold (say, 1000) and it is beyond the length of the array, then we will use a sparse 
3093         map instead. So for example, in the second case above the empty array has a blank indexing 
3094         type and a length of 0. We put-by-val to an index > 1000 and > a.length, so we'll use a sparse map.
3095
3096         This fix is a ~800x speedup on the accompanying regression test :-o
3097
3098         * runtime/ArrayConventions.h:
3099         (JSC::indexIsSufficientlyBeyondLengthForSparseMap):
3100         * runtime/JSObject.cpp:
3101         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
3102         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
3103         (JSC::JSObject::putByIndexBeyondVectorLength):
3104         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
3105
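As an added illustration (not WebKit code), the following C++ model plays out the two-heuristic policy this entry describes: a declared-size array stays contiguous up to MIN_SPARSE_ARRAY_INDEX and is promoted by a density check above it, while a put-by-val past the 1000 threshold and beyond the current length goes to a sparse map. The 1000 value is the one the entry suggests; the 10000 stand-in for MIN_SPARSE_ARRAY_INDEX, the 1/8 density rule and every name other than indexIsSufficientlyBeyondLengthForSparseMap are assumptions of the model.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <set>
#include <vector>

// Model constants. 1000 is the beyond-length threshold the entry suggests; the
// other two values are assumptions for this model, not JSC's real numbers.
constexpr unsigned kMinSparseArrayIndex = 10000;       // stands in for MIN_SPARSE_ARRAY_INDEX
constexpr unsigned kMinBeyondLengthSparseIndex = 1000; // new beyond-length threshold
constexpr unsigned kMinDensityMultiplier = 8;          // a vector must stay at least 1/8 full

enum class Storage { Blank, Contiguous, SparseMap };

// Density check (assumed rule): a vector of `length` slots only earns its memory
// if at least length/8 of them hold values.
inline bool isDenseEnoughForVector(unsigned length, unsigned numValues) {
    return length / kMinDensityMultiplier <= numValues;
}

// The heuristic this entry introduces: a put past a small threshold that is also
// beyond the current length says nothing about density, so it goes to the sparse
// map instead of growing the vector all the way out to reach it.
inline bool indexIsSufficientlyBeyondLengthForSparseMap(unsigned i, unsigned length) {
    return i >= kMinBeyondLengthSparseIndex && i > length;
}

struct ModelArray {
    bool beyondLengthHeuristic;     // false = old policy, true = this entry's policy
    Storage storage = Storage::Blank;
    unsigned length = 0;            // the JS-visible length
    unsigned count = 0;             // indices that actually hold a value
    std::vector<bool> slots;        // contiguous store; its size is the allocation cost
    std::set<unsigned> sparse;      // sparse map; only occupied indices cost memory

    explicit ModelArray(bool newPolicy) : beyondLengthHeuristic(newPolicy) {}
    std::size_t allocatedSlots() const { return slots.size(); }

    // new Array(n): a declared size. Allocate contiguously up to kMinSparseArrayIndex;
    // above it start sparse and let the density check promote to a vector later.
    static ModelArray withLength(unsigned n, bool newPolicy) {
        ModelArray a(newPolicy);
        a.length = n;
        if (n < kMinSparseArrayIndex) { a.storage = Storage::Contiguous; a.slots.assign(n, false); }
        else a.storage = Storage::SparseMap;
        return a;
    }

    void convertToContiguous() {
        slots.assign(length, false);
        for (unsigned i : sparse)
            slots[i] = true;
        sparse.clear();
        storage = Storage::Contiguous;
    }

    void convertToSparse() {
        for (unsigned i = 0; i < slots.size(); ++i)
            if (slots[i])
                sparse.insert(i);
        std::vector<bool>().swap(slots);   // release the backing store
        storage = Storage::SparseMap;
    }

    // a[i] = value
    void putByIndex(unsigned i) {
        if (storage == Storage::SparseMap) {
            if (sparse.insert(i).second)
                ++count;
            length = std::max(length, i + 1);
            if (isDenseEnoughForVector(length, count))   // dense after all: promote
                convertToContiguous();
            return;
        }
        if (i >= slots.size()) {   // beyond the vector: decide before length is updated
            bool goSparse = (beyondLengthHeuristic && indexIsSufficientlyBeyondLengthForSparseMap(i, length))
                || (i >= kMinSparseArrayIndex && !isDenseEnoughForVector(i + 1, count + 1));
            if (goSparse) {
                convertToSparse();
                sparse.insert(i);
                ++count;
                length = std::max(length, i + 1);
                return;
            }
            slots.resize(i + 1, false);
            storage = Storage::Contiguous;
        }
        if (!slots[i])
            ++count;
        slots[i] = true;
        length = std::max(length, i + 1);
    }
};

int main() {
    ModelArray a(true), b(false);                         // a = []; a[i] = 42; under new vs old policy
    a.putByIndex(100000);
    b.putByIndex(5000);
    ModelArray c = ModelArray::withLength(100000, true);  // new Array(100000)
    std::printf("[] then a[100000]: %zu vector slots\n[] then a[5000], old policy: %zu vector slots\n"
                "new Array(100000): %zu vector slots\n", a.allocatedSlots(), b.allocatedSlots(), c.allocatedSlots());
    return 0;
}
```

Running it shows the difference the beyond-length rule makes: under the old policy a[5000] on an empty array grows the vector to 5001 slots, while the new rule keeps the allocation at zero until the density check says otherwise.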
3106 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
3107
3108         REGRESSION(FTL): Fix lots of crashes in sh4 baseline JIT.
3109         https://bugs.webkit.org/show_bug.cgi?id=119148
3110
3111         Reviewed by Csaba Osztrogonác.
3112
3113         * jit/JSInterfaceJIT.h: "secondArgumentRegister" is wrong for sh4.
3114         * llint/LowLevelInterpreter32_64.asm: "move t0, a0" is missing
3115         in nativeCallTrampoline for sh4. Reuse MIPS implementation to avoid
3116         code duplication.
3117
3118 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
3119
3120         REGRESSION(FTL): Crash in sh4 baseline JIT.
3121         https://bugs.webkit.org/show_bug.cgi?id=119138
3122
3123         Reviewed by Csaba Osztrogonác.
3124
3125         This crash is due to incomplete report of r150146 and r148474.
3126
3127         * jit/JITStubsSH4.h:
3128
3129 2013-07-26  Zan Dobersek  <zdobersek@igalia.com>
3130
3131         Unreviewed.
3132
3133         * Target.pri: Adding missing DFG files to the Qt build.
3134
3135 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3136
3137         GTK and Qt buildfix after the intrusive win buildfix r153360.
3138
3139         * GNUmakefile.list.am:
3140         * Target.pri:
3141
3142 2013-07-25  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
3143
3144         Unreviewed, fix build break after r153360.
3145
3146         * CMakeLists.txt: Add CommonSlowPathsExceptions.cpp.
3147
3148 2013-07-25  Roger Fong  <roger_fong@apple.com>
3149
3150         Unreviewed build fix, AppleWin port.
3151
3152         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3153         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3154         * JavaScriptCore.vcxproj/copy-files.cmd:
3155
3156 2013-07-25  Roger Fong  <roger_fong@apple.com>
3157
3158         Unreviewed. Followup to r153360.
3159
3160         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3161         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3162
3163 2013-07-25  Michael Saboff  <msaboff@apple.com>
3164
3165         [Windows] Speculative build fix.
3166
3167         Moved interpreterThrowInCaller() out of LLIntExceptions.cpp into new CommonSlowPathsExceptions.cpp
3168         that is always compiled.  Made LLInt::returnToThrow() conditional on LLINT being enabled.
3169
3170         * JavaScriptCore.xcodeproj/project.pbxproj:
3171         * llint/LLIntExceptions.cpp:
3172         * llint/LLIntExceptions.h:
3173         * llint/LLIntSlowPaths.cpp:
3174         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3175         * runtime/CommonSlowPaths.cpp:
3176         (JSC::SLOW_PATH_DECL):
3177         * runtime/CommonSlowPathsExceptions.cpp: Added.
3178         (JSC::CommonSlowPaths::interpreterThrowInCaller):
3179         * runtime/CommonSlowPathsExceptions.h: Added.
3180
3181 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
3182
3183         [Windows] Unreviewed build fix.
3184
3185         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing IntendedStructureChange.h,.cpp and
3186         parser/SourceCode.h,.cpp.
3187         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
3188
3189 2013-07-25  Anders Carlsson  <andersca@apple.com>
3190
3191         ASSERT(m_vm->apiLock().currentThreadIsHoldingLock()); fails for Safari on current ToT
3192         https://bugs.webkit.org/show_bug.cgi?id=119108
3193
3194         Reviewed by Mark Hahnenberg.
3195
3196         Add a currentThreadIsHoldingAPILock() function to VM that checks if the current thread is the exclusive API thread.
3197
3198         * heap/CopiedSpace.cpp:
3199         (JSC::CopiedSpace::tryAllocateSlowCase):
3200         * heap/Heap.cpp:
3201         (JSC::Heap::protect):
3202         (JSC::Heap::unprotect):
3203         (JSC::Heap::collect):
3204         * heap/MarkedAllocator.cpp:
3205         (JSC::MarkedAllocator::allocateSlowCase):
3206         * runtime/JSGlobalObject.cpp:
3207         (JSC::JSGlobalObject::init):
3208         * runtime/VM.h:
3209         (JSC::VM::currentThreadIsHoldingAPILock):
3210
3211 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3212
3213         REGRESSION(FTL): Most layout tests crashes
3214         https://bugs.webkit.org/show_bug.cgi?id=119089
3215
3216         Reviewed by Oliver Hunt.
3217
3218         * runtime/ExecutionHarness.h:
3219         (JSC::prepareForExecution): Move prepareForExecutionImpl call into its own statement. This prevents the GCC-compiled
3220         code from creating the PassOwnPtr<JSC::JITCode> (intended as a parameter to the installOptimizedCode call) from the jitCode
3221         RefPtr<JSC::JITCode> parameter before the latter was actually given a proper value through the prepareForExecutionImpl call.
3222         Currently it's created beforehand and therefore holds a null pointer before it's anchored as the JIT code in
3223         JSC::CodeBlock::setJITCode, which later indirectly causes assertions in JSC::CodeBlock::jitCompile.
3224         (JSC::prepareFunctionForExecution): Ditto for prepareFunctionForExecutionImpl.
3225
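The evaluation-order hazard this entry describes, reduced to a stand-alone C++ sketch added here (not WebKit code): JITCode, prepareForExecutionImpl, installOptimizedCode and the toOwned conversion are simplified stand-ins for the real JITCode, prepareForExecutionImpl, installOptimizedCode and the PassOwnPtr construction, and only the placement of the Impl call differs between the buggy and fixed forms.

```cpp
#include <cstdio>
#include <memory>

// Stand-ins for the types in the entry: RefPtr<JITCode> becomes shared_ptr,
// PassOwnPtr<JITCode> becomes unique_ptr. JITCode's content does not matter.
struct JITCode { int tier; };

// prepareForExecutionImpl: produces the code through the by-reference parameter
// and reports whether it did so.
bool prepareForExecutionImpl(std::shared_ptr<JITCode>& jitCode) {
    jitCode = std::make_shared<JITCode>(JITCode{2});
    return true;
}

// The conversion the entry describes: builds the owned form the installer wants
// from the RefPtr. Run before prepareForExecutionImpl, it sees null and yields null.
std::unique_ptr<JITCode> toOwned(const std::shared_ptr<JITCode>& jitCode) {
    if (!jitCode)
        return nullptr;
    return std::unique_ptr<JITCode>(new JITCode(*jitCode));
}

// installOptimizedCode: true only if it actually received code to anchor.
bool installOptimizedCode(bool prepared, std::unique_ptr<JITCode> code) {
    return prepared && code != nullptr;
}

// The shape of the bug: one argument populates jitCode, the other reads it, and
// C++ does not specify which argument is evaluated first. Whether this returns
// true depends on the compiler (the entry reports GCC built the owned pointer
// from the still-null RefPtr).
bool prepareForExecutionBuggy() {
    std::shared_ptr<JITCode> jitCode;
    return installOptimizedCode(prepareForExecutionImpl(jitCode), toOwned(jitCode));
}

// The fix from the entry: the Impl call gets its own statement, so jitCode is
// populated before anything is built from it, whatever order the compiler picks.
bool prepareForExecutionFixed() {
    std::shared_ptr<JITCode> jitCode;
    bool prepared = prepareForExecutionImpl(jitCode);
    return installOptimizedCode(prepared, toOwned(jitCode));
}

int main() {
    std::printf("buggy form installed code: %s (compiler-dependent)\n", prepareForExecutionBuggy() ? "yes" : "no");
    std::printf("fixed form installed code: %s\n", prepareForExecutionFixed() ? "yes" : "no");
    return 0;
}
```
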
3226 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
3227
3228         [Windows] Unreviewed build fix.
3229
3230         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Add missing 'ftl'
3231         include path.
3232
3233 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
3234
3235         [Windows] Unreviewed build fix.
3236
3237         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add some missing files:
3238         runtime/VM.h,.cpp; Remove deleted JSGlobalData.h,.cpp.
3239         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
3240
3241 2013-07-25  Oliver Hunt  <oliver@apple.com>
3242
3243         Make all jit & non-jit combos build cleanly
3244         https://bugs.webkit.org/show_bug.cgi?id=119102
3245
3246         Reviewed by Anders Carlsson.
3247
3248         * bytecode/CodeBlock.cpp:
3249         (JSC::CodeBlock::counterValueForOptimizeSoon):
3250         * bytecode/CodeBlock.h:
3251         (JSC::CodeBlock::optimizeAfterWarmUp):
3252         (JSC::CodeBlock::numberOfDFGCompiles):
3253
3254 2013-07-25  Oliver Hunt  <oliver@apple.com>
3255
3256         32 bit portion of load validation logic
3257         https://bugs.webkit.org/show_bug.cgi?id=118878
3258
3259         Reviewed by NOBODY (Build fix).
3260
3261         * dfg/DFGSpeculativeJIT32_64.cpp:
3262         (JSC::DFG::SpeculativeJIT::compile):
3263
3264 2013-07-25  Oliver Hunt  <oliver@apple.com>
3265
3266         More 32bit build fixes
3267
3268         - Apparently some compilers don't track the fastcall directive everywhere we expect
3269
3270         * API/APICallbackFunction.h:
3271         (JSC::APICallbackFunction::call):
3272         * bytecode/CodeBlock.cpp:
3273         * runtime/Structure.cpp:
3274
3275 2013-07-25  Yi Shen  <max.hong.shen@gmail.com>
3276
3277         Optimize the thread locks for API Shims
3278         https://bugs.webkit.org/show_bug.cgi?id=118573
3279
3280         Reviewed by Geoffrey Garen.
3281
3282         Remove the thread lock from API Shims if the VM has an exclusive thread (e.g. the VM 
3283         only used by WebCore's main thread).
3284
3285         * API/APIShims.h:
3286         (JSC::APIEntryShim::APIEntryShim):
3287         (JSC::APICallbackShim::APICallbackShim):
3288         * runtime/JSLock.cpp:
3289         (JSC::JSLockHolder::JSLockHolder):
3290         (JSC::JSLockHolder::init):
3291         (JSC::JSLockHolder::~JSLockHolder):
3292         (JSC::JSLock::DropAllLocks::DropAllLocks):
3293         (JSC::JSLock::DropAllLocks::~DropAllLocks):
3294         * runtime/VM.cpp:
3295         (JSC::VM::VM):
3296         * runtime/VM.h:
3297
3298 2013-07-25  Christophe Dumez  <ch.dumez@sisa.samsung.com>
3299
3300         Unreviewed build fix after r153218.
3301
3302         Broke the EFL port build with gcc 4.7.
3303
3304         * interpreter/StackIterator.cpp:
3305         (JSC::printif):
3306
3307 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
3308
3309         Build fix: add missing #include.
3310         https://bugs.webkit.org/show_bug.cgi?id=119087
3311
3312         Reviewed by Allan Sandfeld Jensen.
3313
3314         * bytecode/ArrayProfile.cpp:
3315
3316 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
3317
3318         Unreviewed, build fix on the EFL port.
3319
3320         * CMakeLists.txt: Added JSCTestRunnerUtils.cpp.
3321
3322 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
3323
3324         [sh4] Add missing store8(TrustedImm32, void*) implementation in baseline JIT.
3325         https://bugs.webkit.org/show_bug.cgi?id=119083
3326
3327         Reviewed by Allan Sandfeld Jensen.
3328
3329         * assembler/MacroAssemblerSH4.h:
3330         (JSC::MacroAssemblerSH4::store8):
3331
3332 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
3333
3334         [Qt] Fix test build after FTL upstream
3335
3336         Unreviewed build fix.
3337
3338         * Target.pri:
3339
3340 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
3341
3342         [Qt] Build fix after FTL.
3343
3344         Unreviewed build fix.
3345
3346         * Target.pri:
3347         * interpreter/StackIterator.cpp:
3348         (JSC::StackIterator::Frame::print):
3349
3350 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
3351
3352         Unreviewed build fix after FTL upstream.
3353
3354         * dfg/DFGWorklist.cpp:
3355         (JSC::DFG::Worklist::~Worklist):
3356
3357 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
3358
3359         Unreviewed, build fix on the EFL port.
3360
3361         * CMakeLists.txt:
3362         Added SourceCode.cpp and removed BlackBerry file.
3363         * jit/JITCode.h:
3364         (JSC::JITCode::nextTierJIT):
3365         Fixed build break because of -Werror=return-type
3366         * parser/Lexer.cpp: Includes JSFunctionInlines.h
3367         * runtime/JSScope.h:
3368         (JSC::makeType):
3369         Fixed build break because of -Werror=return-type
3370
3371 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
3372
3373         Unreviewed build fixing after FTL upstream.
3374
3375         * runtime/Executable.cpp:
3376         (JSC::FunctionExecutable::produceCodeBlockFor):
3377
3378 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
3379
3380         Add missing implementation of bxxxnz in sh4 LLINT.
3381         https://bugs.webkit.org/show_bug.cgi?id=119079
3382
3383         Reviewed by Allan Sandfeld Jensen.
3384
3385         * offlineasm/sh4.rb:
3386
3387 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
3388
3389         Unreviewed, build fix on the Qt port.
3390
3391         * Target.pri: Add additional build files for the FTL.
3392
3393 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
3394
3395         Unreviewed buildfix after FTL upstream.
3396
3397         * interpreter/StackIterator.cpp:
3398         (JSC::StackIterator::Frame::codeType):
3399         (JSC::StackIterator::Frame::functionName):
3400         (JSC::StackIterator::Frame::sourceURL):
3401         (JSC::StackIterator::Frame::logicalFrame):
3402
3403 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3404
3405         Unreviewed.
3406
3407         * heap/CopyVisitor.cpp: Include CopiedSpaceInlines header so the CopiedSpace::recycleEvacuatedBlock
3408         method is not left undefined, causing build failures on (at least) the GTK port.
3409
3410 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3411
3412         Unreviewed, further build fixing on the GTK port.
3413
3414         * GNUmakefile.list.am: Add CompilationResult source files to the build.
3415
3416 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3417
3418         Unreviewed GTK build fixing.
3419
3420         * GNUmakefile.am: Make the shared libjsc library depend on any changes to the build target list.
3421         * GNUmakefile.list.am: Add additional build targets for files that were introduced by the FTL branch merge.
3422
3423 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3424
3425         Buildfix after this error:
3426         error: 'pathName' may be used uninitialized in this function [-Werror=uninitialized]
3427
3428         * dfg/DFGPlan.cpp:
3429         (JSC::DFG::Plan::compileInThread):
3430
3431 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3432
3433         One more buildfix after FTL upstream.
3434
3435         Return a dummy value after RELEASE_ASSERT_NOT_REACHED() to make GCC happy.
3436
3437         * dfg/DFGLazyJSValue.cpp:
3438         (JSC::DFG::LazyJSValue::getValue):
3439         (JSC::DFG::LazyJSValue::strictEqual):
3440
3441 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
3442
3443         Fix "Unhandled opcode localAnnotation" build error in sh4 and mips LLINT.
3444         https://bugs.webkit.org/show_bug.cgi?id=119076
3445
3446         Reviewed by Allan Sandfeld Jensen.
3447
3448         * offlineasm/mips.rb:
3449         * offlineasm/sh4.rb:
3450
3451 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3452
3453         Unreviewed GTK build fix.
3454
3455         * GNUmakefile.list.am: Adding JSCTestRunnerUtils files to the build.
3456
3457 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3458
3459         Unreviewed. Further build fixing for the GTK port. Adding the forwarding header
3460         for JSCTestRunnerUtils.h as required by the DumpRenderTree compilation.
3461
3462         * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h: Added.
3463
3464 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3465
3466         Unreviewed. Fixing the GTK build after the FTL merging by updating the build targets list.
3467
3468         * GNUmakefile.am:
3469         * GNUmakefile.list.am:
3470
3471 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
3472
3473         Unreviewed buildfix after FTL upstream.
3474
3475         * runtime/JSScope.h:
3476         (JSC::needsVarInjectionChecks):
3477
3478 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3479
3480         One more fix after FTL upstream.
3481
3482         * Target.pri:
3483         * bytecode/CodeBlock.h:
3484         * bytecode/GetByIdStatus.h:
3485         (JSC::GetByIdStatus::GetByIdStatus):
3486
3487 2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>
3488
3489         Unreviewed buildfix after FTL upstream.
3490
3491         Add ftl directory as include path.
3492
3493         * CMakeLists.txt:
3494         * JavaScriptCore.pri:
3495
3496 2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>
3497
3498         Unreviewed buildfix after FTL upstream for non C++11 builds.
3499
3500         * interpreter/CallFrame.h:
3501         * interpreter/StackIteratorPrivate.h:
3502         (JSC::StackIterator::end):
3503
3504 2013-07-24  Oliver Hunt  <oliver@apple.com>
3505
3506         Endeavour to fix CMakelist builds
3507
3508         * CMakeLists.txt:
3509
3510 2013-07-24  Filip Pizlo  <fpizlo@apple.com>
3511
3512         fourthTier: DFG IR dumps should be easier to read
3513         https://bugs.webkit.org/show_bug.cgi?id=119050
3514
3515         Reviewed by Mark Hahnenberg.
3516         
3517         Added a DumpContext that includes support for printing an endnote
3518         that describes all structures in full, while the main flow of the
3519         dump just uses made-up names for the structures. This is helpful
3520         since Structure::dump() may print a lot. The stuff it prints is
3521         useful, but if it's all inline with the surrounding thing you're        
3522         dumping (often, a node in the DFG), then you get a ridiculously
3523         long print-out. All classes that dump structures (including
3524         Structure itself) now have dumpInContext() methods that use
3525         inContext() for dumping anything that might transitively print a
3526         structure. If Structure::dumpInContext() is called with a NULL
3527         context, it just uses dump() like before. Hence you don't have to
3528         know anything about DumpContext unless you want to.
3529         
3530         inContext(*structure, context) dumps something like %B4:Array,
3531         and the endnote will have something like:
3532         
3533             %B4:Array    = 0x10e91a180:[Array, {Edge:100, Normal:101, Line:102, NumPx:103, LastPx:104}, ArrayWithContiguous, Proto:0x10e99ffe0]
3534         
3535         where B4 is the inferred name that StringHashDumpContext came up
3536         with.
3537         
3538         Also shortened a bunch of other dumps, removing information that
3539         isn't so important.
3540         
3541         * JavaScriptCore.xcodeproj/project.pbxproj:
3542         * bytecode/ArrayProfile.cpp:
3543         (JSC::dumpArrayModes):
3544         * bytecode/CodeBlockHash.cpp:
3545         (JSC):
3546         (JSC::CodeBlockHash::CodeBlockHash):
3547         (JSC::CodeBlockHash::dump):
3548         * bytecode/CodeOrigin.cpp:
3549         (JSC::CodeOrigin::dumpInContext):
3550         (JSC):
3551         (JSC::InlineCallFrame::dumpInContext):
3552         (JSC::InlineCallFrame::dump):
3553         * bytecode/CodeOrigin.h:
3554         (CodeOrigin):
3555         (InlineCallFrame):
3556         * bytecode/Operands.h:
3557         (JSC::OperandValueTraits::isEmptyForDump):
3558         (Operands):
3559         (JSC::Operands::dump):
3560         (JSC):
3561         * bytecode/OperandsInlines.h: Added.
3562         (JSC):
3563         (JSC::::dumpInContext):
3564         * bytecode/StructureSet.h:
3565         (JSC::StructureSet::dumpInContext):
3566         (JSC::StructureSet::dump):
3567         (StructureSet):
3568         * dfg/DFGAbstractValue.cpp:
3569         (JSC::DFG::AbstractValue::dump):
3570         (DFG):
3571         (JSC::DFG::AbstractValue::dumpInContext):
3572         * dfg/DFGAbstractValue.h:
3573         (JSC::DFG::AbstractValue::operator!):
3574         (AbstractValue):
3575         * dfg/DFGCFAPhase.cpp:
3576         (JSC::DFG::CFAPhase::performBlockCFA):
3577         * dfg/DFGCommon.cpp:
3578         * dfg/DFGCommon.h:
3579         (JSC::DFG::NodePointerTraits::isEmptyForDump):
3580         * dfg/DFGDisassembler.cpp:
3581         (JSC::DFG::Disassembler::createDumpList):
3582         * dfg/DFGDisassembler.h:
3583         (Disassembler):
3584         * dfg/DFGFlushFormat.h:
3585         (WTF::inContext):
3586         (WTF):
3587         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
3588         * dfg/DFGGraph.cpp:
3589         (JSC::DFG::Graph::dumpCodeOrigin):
3590         (JSC::DFG::Graph::dump):
3591         (JSC::DFG::Graph::dumpBlockHeader):
3592         * dfg/DFGGraph.h:
3593         (Graph):
3594         * dfg/DFGLazyJSValue.cpp:
3595         (JSC::DFG::LazyJSValue::dumpInContext):
3596         (JSC::DFG::LazyJSValue::dump):
3597         (DFG):
3598         * dfg/DFGLazyJSValue.h:
3599         (LazyJSValue):
3600         * dfg/DFGNode.h:
3601         (JSC::DFG::nodeMapDump):
3602         (WTF::inContext):
3603         (WTF):
3604         * dfg/DFGOSRExitCompiler32_64.cpp:
3605         (JSC::DFG::OSRExitCompiler::compileExit):
3606         * dfg/DFGOSRExitCompiler64.cpp:
3607         (JSC::DFG::OSRExitCompiler::compileExit):
3608         * dfg/DFGStructureAbstractValue.h:
3609         (JSC::DFG::StructureAbstractValue::dumpInContext):
3610         (JSC::DFG::StructureAbstractValue::dump):
3611         (StructureAbstractValue):
3612         * ftl/FTLExitValue.cpp:
3613         (JSC::FTL::ExitValue::dumpInContext):
3614         (JSC::FTL::ExitValue::dump):
3615         (FTL):
3616         * ftl/FTLExitValue.h:
3617         (ExitValue):
3618         * ftl/FTLLowerDFGToLLVM.cpp:
3619         * ftl/FTLValueSource.cpp:
3620         (JSC::FTL::ValueSource::dumpInContext):
3621         (FTL):
3622         * ftl/FTLValueSource.h:
3623         (ValueSource):
3624         * runtime/DumpContext.cpp: Added.
3625         (JSC):
3626         (JSC::DumpContext::DumpContext):
3627         (JSC::DumpContext::~DumpContext):
3628         (JSC::DumpContext::isEmpty):
3629         (JSC::DumpContext::dump):
3630         * runtime/DumpContext.h: Added.
3631         (JSC):
3632         (DumpContext):
3633         * runtime/JSCJSValue.cpp:
3634         (JSC::JSValue::dump):
3635         (JSC):
3636         (JSC::JSValue::dumpInContext):
3637         * runtime/JSCJSValue.h:
3638         (JSC):
3639         (JSValue):
3640         * runtime/Structure.cpp:
3641         (JSC::Structure::dumpInContext):
3642         (JSC):
3643         (JSC::Structure::dumpBrief):
3644         (JSC::Structure::dumpContextHeader):
3645         * runtime/Structure.h:
3646         (JSC):
3647         (Structure):
3648
3649 2013-07-22  Filip Pizlo  <fpizlo@apple.com>
3650
3651         fourthTier: DFG should do a high-level LICM before going to FTL
3652         https://bugs.webkit.org/show_bug.cgi?id=118749
3653
3654         Reviewed by Oliver Hunt.
3655         
3656         Implements LICM hoisting for nodes that never write anything and never read
3657         things that are clobbered by the loop. There are some other preconditions for
3658         hoisting, see DFGLICMPhase.cpp.
3659
3660         Also did a few fixes:
3661         
3662         - ClobberSet::add was failing to switch Super entries to Direct entries in
3663           some cases.
3664         
3665         - DFGClobberize.cpp needed to #include "Operations.h".
3666         
3667         - DCEPhase needs to process the graph in reverse DFS order, when we're in SSA.
3668         
3669         - AbstractInterpreter can now execute a Node without knowing its indexInBlock.
3670           Knowing the indexInBlock is an optional optimization that all other clients
3671           of AI still opt into, but LICM doesn't.
3672         
3673         This makes the FTL a 2.19x speed-up on imaging-gaussian-blur.
3674
3675         * JavaScriptCore.xcodeproj/project.pbxproj:
3676         * dfg/DFGAbstractInterpreter.h:
3677         (AbstractInterpreter):
3678         * dfg/DFGAbstractInterpreterInlines.h:
3679         (JSC::DFG::::executeEffects):
3680         (JSC::DFG::::execute):
3681         (DFG):
3682         (JSC::DFG::::clobberWorld):
3683         (JSC::DFG::::clobberStructures):
3684         * dfg/DFGAtTailAbstractState.cpp: Added.
3685         (DFG):
3686         (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
3687         (JSC::DFG::AtTailAbstractState::~AtTailAbstractState):
3688         (JSC::DFG::AtTailAbstractState::createValueForNode):
3689         (JSC::DFG::AtTailAbstractState::forNode):
3690         * dfg/DFGAtTailAbstractState.h: Added.
3691         (DFG):
3692         (AtTailAbstractState):
3693         (JSC::DFG::AtTailAbstractState::initializeTo):
3694         (JSC::DFG::AtTailAbstractState::forNode):
3695         (JSC::DFG::AtTailAbstractState::variables):
3696         (JSC::DFG::AtTailAbstractState::block):
3697         (JSC::DFG::AtTailAbstractState::isValid):
3698         (JSC::DFG::AtTailAbstractState::setDidClobber):
3699         (JSC::DFG::AtTailAbstractState::setIsValid):
3700         (JSC::DFG::AtTailAbstractState::setBranchDirection):
3701         (JSC::DFG::AtTailAbstractState::setFoundConstants):
3702         (JSC::DFG::AtTailAbstractState::haveStructures):
3703         (JSC::DFG::AtTailAbstractState::setHaveStructures):
3704         * dfg/DFGBasicBlock.h:
3705         (JSC::DFG::BasicBlock::insertBeforeLast):
3706         * dfg/DFGBasicBlockInlines.h:
3707         (DFG):
3708         * dfg/DFGClobberSet.cpp:
3709         (JSC::DFG::ClobberSet::add):
3710         (JSC::DFG::ClobberSet::addAll):
3711         * dfg/DFGClobberize.cpp:
3712         (JSC::DFG::doesWrites):
3713         * dfg/DFGClobberize.h:
3714         (DFG):
3715         * dfg/DFGDCEPhase.cpp:
3716         (JSC::DFG::DCEPhase::DCEPhase):
3717         (JSC::DFG::DCEPhase::run):
3718         (JSC::DFG::DCEPhase::fixupBlock):
3719         (DCEPhase):
3720         * dfg/DFGEdgeDominates.h: Added.
3721         (DFG):
3722         (EdgeDominates):
3723         (JSC::DFG::EdgeDominates::EdgeDominates):
3724         (JSC::DFG::EdgeDominates::operator()):
3725         (JSC::DFG::EdgeDominates::result):
3726         (JSC::DFG::edgesDominate):
3727         * dfg/DFGFixupPhase.cpp:
3728         (JSC::DFG::FixupPhase::fixupNode):
3729         (JSC::DFG::FixupPhase::checkArray):
3730         * dfg/DFGLICMPhase.cpp: Added.
3731         (LICMPhase):
3732         (JSC::DFG::LICMPhase::LICMPhase):
3733         (JSC::DFG::LICMPhase::run):
3734         (JSC::DFG::LICMPhase::attemptHoist):
3735         (DFG):
3736         (JSC::DFG::performLICM):
3737         * dfg/DFGLICMPhase.h: Added.
3738         (DFG):
3739         * dfg/DFGPlan.cpp:
3740         (JSC::DFG::Plan::compileInThreadImpl):
3741
3742 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
3743
3744         fourthTier: DFG Nodes should be able to abstractly tell you what they read and what they write
3745         https://bugs.webkit.org/show_bug.cgi?id=118910
3746
3747         Reviewed by Sam Weinig.
3748         
3749         Add the notion of AbstractHeap to the DFG. This is analogous to the AbstractHeap in
3750         the FTL, except that the FTL's AbstractHeaps are used during LLVM lowering and are
3751         engineered to obey LLVM TBAA logic. The FTL's AbstractHeaps are also engineered to
3752         be inexpensive to use (they just give you a TBAA node) but expensive to create (you
3753         create them all up front). FTL AbstractHeaps also don't actually give you the
3754         ability to reason about aliasing; they are *just* a mechanism for lowering to TBAA.
3755         The DFG's AbstractHeaps are engineered to be both cheap to create and cheap to use.
3756         They also give you aliasing machinery. The DFG AbstractHeaps are represented
3757         internally by an int64_t. Many comparisons between them are just integer comparisons.
3758         AbstractHeaps form a three-level hierarchy (World is the supertype of everything,
3759         Kind with a TOP payload is a direct subtype of World, and Kind with a non-TOP
3760         payload is the direct subtype of its corresponding TOP Kind).
3761         
3762         Add the notion of a ClobberSet. This is the set of AbstractHeaps that you had
3763         clobbered. It represents the set that results from unifying a bunch of
3764         AbstractHeaps, and is intended to quickly answer overlap questions: does the given
3765         AbstractHeap overlap any AbstractHeap in the ClobberSet? To this end, if you add an
3766         AbstractHeap to a set, it "directly" adds the heap itself, and "super" adds all of
3767         its ancestors. An AbstractHeap is said to overlap a set if any direct or super
3768         member is equal to it, or if any of its ancestors are equal to a direct member.
3769         
3770         Example #1:
3771         
3772             - I add Variables(5). I.e. Variables is the Kind and 5 is the payload. This
3773               is a subtype of Variables, which is a subtype of World.
3774             - You query Variables. I.e. Variables with a TOP payload, which is the
3775               supertype of Variables(X) for any X, and a subtype of World.
3776             
3777             The set will have Variables(5) as a direct member, and Variables and World as
3778             super members. The Variables query will immediately return true, because
3779             Variables is indeed a super member.
3780         
3781         Example #2:
3782         
3783             - I add Variables(5)
3784             - You query NamedProperties
3785             
3786             NamedProperties is not a member at all (neither direct nor super). We next
3787             query World. World is a member, but it's a super member, so we return false.
3788         
3789         Example #3:
3790         
3791             - I add Variables
3792             - You query Variables(5)
3793             
3794             The set will have Variables as a direct member, and World as a super member.
3795             The Variables(5) query will not find Variables(5) in the set, but then it
3796             will query Variables. Variables is a direct member, so we return true.
3797         
3798         Example #4:
3799         
3800             - I add Variables
3801             - You query NamedProperties(5)
3802             
3803             Neither NamedProperties nor NamedProperties(5) is a member. We next query
3804             World. World is a member, but it's a super member, so we return false.
3805         
3806         Overlap queries require that either the heap being queried is in the set (either
3807         direct or super), or that one of its ancestors is a direct member. Another way to
3808         think about how this works is that two heaps A and B are said to overlap if
3809         A.isSubtypeOf(B) or B.isSubtypeOf(A). This is sound since heaps form a
3810         single-inheritance hierarchy. Consider that we wanted to implement a set that holds
3811         heaps and answers the question, "is any member in the set an ancestor (i.e.
3812         supertype) of some other heap". We would have the set contain the heaps themselves,
3813         and we would satisfy the query "A.isSubtypeOfAny(set)" by walking the ancestor
3814         chain of A, and repeatedly querying its membership in the set. This is what the
3815         "direct" members of our set do. Now consider the other part, where we want to ask if
3816         any member of the set is a descendant of a heap, or "A.isSupertypeOfAny(set)". We
3817         would implement this by implementing set.add(B) as adding not just B but also all of
3818         B's ancestors; then we would answer A.isSupertypeOfAny(set) by just checking if A is
3819         in the set. With two such sets - one that answers isSubtypeOfAny() and another that
3820         answers isSupertypeOfAny() - we could answer the "do any of my heaps overlap your
3821         heap" question. ClobberSet does this, but combines the two sets into a single
3822         HashMap. The HashMap's value, "direct", means that the key is a member of both the
3823         supertype set and the subtype set; if it's false then it's only a member of one of
3824         them.
3825         
3826         Finally, this adds a functorized clobberize() method that adds the read and write
3827         clobbers of a DFG::Node to read and write functors. Common functors for adding to
3828         ClobberSets, querying overlap, and doing nothing are provided. Convenient wrappers
3829         are also provided. This allows you to say things like:
3830         
3831             ClobberSet set;
3832             addWrites(graph, node1, set);
3833             if (readsOverlap(graph, node2, set))
3834                 // We know that node1 may write to something that node2 may read from.
3835         
3836         Currently this facility is only used to improve graph dumping, but it will be
3837         instrumental in both LICM and GVN. In the future, I want to completely kill the
3838         NodeClobbersWorld and NodeMightClobber flags, and eradicate CSEPhase's hackish way
3839         of accomplishing almost exactly what AbstractHeap gives you.
3840
3841         * JavaScriptCore.xcodeproj/project.pbxproj:
3842         * dfg/DFGAbstractHeap.cpp: Added.
3843         (DFG):
3844         (JSC::DFG::AbstractHeap::Payload::dump):
3845         (JSC::DFG::AbstractHeap::dump):
3846         (WTF):
3847         (WTF::printInternal):
3848         * dfg/DFGAbstractHeap.h: Added.
3849         (DFG):
3850         (AbstractHeap):
3851         (Payload):
3852         (JSC::DFG::AbstractHeap::Payload::Payload):
3853         (JSC::DFG::AbstractHeap::Payload::top):
3854         (JSC::DFG::AbstractHeap::Payload::isTop):
3855         (JSC::DFG::AbstractHeap::Payload::value):
3856         (JSC::DFG::AbstractHeap::Payload::valueImpl):
3857         (JSC::DFG::AbstractHeap::Payload::operator==):
3858         (JSC::DFG::AbstractHeap::Payload::operator!=):
3859         (JSC::DFG::AbstractHeap::Payload::operator<):
3860         (JSC::DFG::AbstractHeap::Payload::isDisjoint):
3861         (JSC::DFG::AbstractHeap::Payload::overlaps):
3862         (JSC::DFG::AbstractHeap::AbstractHeap):
3863         (JSC::DFG::AbstractHeap::operator!):
3864         (JSC::DFG::AbstractHeap::kind):
3865         (JSC::DFG::AbstractHeap::payload):
3866         (JSC::DFG::AbstractHeap::isDisjoint):
3867         (JSC::DFG::AbstractHeap::overlaps):
3868         (JSC::DFG::AbstractHeap::supertype):
3869         (JSC::DFG::AbstractHeap::hash):
3870         (JSC::DFG::AbstractHeap::operator==):
3871         (JSC::DFG::AbstractHeap::operator!=):
3872         (JSC::DFG::AbstractHeap::operator<):
3873         (JSC::DFG::AbstractHeap::isHashTableDeletedValue):
3874         (JSC::DFG::AbstractHeap::payloadImpl):
3875         (JSC::DFG::AbstractHeap::encode):
3876         (JSC::DFG::AbstractHeapHash::hash):
3877         (JSC::DFG::AbstractHeapHash::equal):
3878         (AbstractHeapHash):
3879         (WTF):
3880         * dfg/DFGClobberSet.cpp: Added.
3881         (DFG):
3882         (JSC::DFG::ClobberSet::ClobberSet):
3883         (JSC::DFG::ClobberSet::~ClobberSet):
3884         (JSC::DFG::ClobberSet::add):
3885         (JSC::DFG::ClobberSet::addAll):
3886         (JSC::DFG::ClobberSet::contains):
3887         (JSC::DFG::ClobberSet::overlaps):
3888         (JSC::DFG::ClobberSet::clear):
3889         (JSC::DFG::ClobberSet::direct):
3890         (JSC::DFG::ClobberSet::super):
3891         (JSC::DFG::ClobberSet::dump):
3892         (JSC::DFG::ClobberSet::setOf):
3893         (JSC::DFG::addReads):
3894         (JSC::DFG::addWrites):
3895         (JSC::DFG::addReadsAndWrites):
3896         (JSC::DFG::readsOverlap):
3897         (JSC::DFG::writesOverlap):
3898         * dfg/DFGClobberSet.h: Added.
3899         (DFG):
3900         (ClobberSet):
3901         (JSC::DFG::ClobberSet::isEmpty):
3902         (ClobberSetAdd):
3903         (JSC::DFG::ClobberSetAdd::ClobberSetAdd):
3904         (JSC::DFG::ClobberSetAdd::operator()):
3905         (ClobberSetOverlaps):
3906         (JSC::DFG::ClobberSetOverlaps::ClobberSetOverlaps):
3907         (JSC::DFG::ClobberSetOverlaps::operator()):
3908         (JSC::DFG::ClobberSetOverlaps::result):
3909         * dfg/DFGClobberize.cpp: Added.
3910         (DFG):
3911         (JSC::DFG::didWrites):
3912         * dfg/DFGClobberize.h: Added.
3913         (DFG):
3914         (JSC::DFG::clobberize):
3915         (NoOpClobberize):
3916         (JSC::DFG::NoOpClobberize::NoOpClobberize):
3917         (JSC::DFG::NoOpClobberize::operator()):
3918         (CheckClobberize):
3919         (JSC::DFG::CheckClobberize::CheckClobberize):
3920         (JSC::DFG::CheckClobberize::operator()):
3921         (JSC::DFG::CheckClobberize::result):
3922         * dfg/DFGGraph.cpp:
3923         (JSC::DFG::Graph::dump):
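
        The overlap rule described in this entry, modelled as an added standalone
        example (this is not JavaScriptCore's own code; the Kind names, the TOP
        payload encoding and the class layout below are assumptions chosen for
        illustration). It replays the four worked examples and also the
        super-to-direct promotion case that the later LICM entry fixes in
        ClobberSet::add, since an overlap query that wrongly answers "no" would let a
        later pass hoist or eliminate a read past a write that clobbers it.

```cpp
// Standalone model of the DFG AbstractHeap hierarchy and ClobberSet overlap rule.
// Not JavaScriptCore code: Kind names, kTop encoding and class layout are assumptions.
#include <cstdint>
#include <cstdio>
#include <functional>
#include <unordered_map>

enum class Kind : uint8_t { World, Variables, NamedProperties };

// TOP payload stands for "every payload of this kind" (Variables vs Variables(5)).
constexpr int64_t kTop = INT64_MIN;

struct Heap {
    Kind kind;
    int64_t payload; // kTop or a concrete value
    bool operator==(const Heap& o) const { return kind == o.kind && payload == o.payload; }
};

struct HeapHash {
    size_t operator()(const Heap& h) const {
        return std::hash<uint64_t>()((uint64_t(h.kind) << 56) ^ (uint64_t(h.payload) * 0x9E3779B97F4A7C15ull));
    }
};

// Three-level hierarchy: Kind(payload) < Kind(TOP) < World. World has no supertype.
inline bool supertype(const Heap& h, Heap& out) {
    if (h.kind == Kind::World) return false;
    if (h.payload == kTop) { out = {Kind::World, kTop}; return true; }
    out = {h.kind, kTop};
    return true;
}

class ClobberSet {
public:
    // The heap itself becomes a direct member; every ancestor becomes a super member.
    void add(const Heap& h) {
        m_map[h] = true; // overwrites a super entry: super -> direct promotion
        Heap cur = h, parent;
        while (supertype(cur, parent)) {
            m_map.emplace(parent, false); // emplace never demotes an existing direct entry
            cur = parent;
        }
    }

    // Overlap: the queried heap is a member (direct or super), or an ancestor is direct.
    bool overlaps(const Heap& h) const {
        if (m_map.count(h)) return true;
        Heap cur = h, parent;
        while (supertype(cur, parent)) {
            auto it = m_map.find(parent);
            if (it != m_map.end() && it->second) return true;
            cur = parent;
        }
        return false;
    }

    bool isDirect(const Heap& h) const { auto it = m_map.find(h); return it != m_map.end() && it->second; }
    bool isSuper(const Heap& h) const { auto it = m_map.find(h); return it != m_map.end() && !it->second; }

private:
    std::unordered_map<Heap, bool, HeapHash> m_map; // true = direct, false = super only
};

inline Heap variables(int64_t p = kTop) { return {Kind::Variables, p}; }
inline Heap namedProperties(int64_t p = kTop) { return {Kind::NamedProperties, p}; }

// The four examples from the entry.
inline bool example1() { ClobberSet s; s.add(variables(5)); return s.overlaps(variables()); }       // true
inline bool example2() { ClobberSet s; s.add(variables(5)); return s.overlaps(namedProperties()); } // false
inline bool example3() { ClobberSet s; s.add(variables()); return s.overlaps(variables(5)); }       // true
inline bool example4() { ClobberSet s; s.add(variables()); return s.overlaps(namedProperties(5)); } // false

// Variables is first only a super member (via Variables(5)), is then added directly,
// and a later add of Variables(7) must not demote it back to super.
inline bool promotionKeepsDirect() {
    ClobberSet s;
    s.add(variables(5));
    bool wasSuper = s.isSuper(variables());
    s.add(variables());
    s.add(variables(7));
    return wasSuper && s.isDirect(variables()) && s.overlaps(variables(9));
}

int main() {
    std::printf("ex1=%d ex2=%d ex3=%d ex4=%d promo=%d\n",
        example1(), example2(), example3(), example4(), promotionKeepsDirect());
    return 0;
}
```

        The single HashMap keyed by heap with a direct/super flag is what lets every
        query stay a short walk up the ancestor chain rather than a scan of the set.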
3924
3925 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
3926
3927         fourthTier: It should be easy to figure out which blocks nodes belong to
3928         https://bugs.webkit.org/show_bug.cgi?id=118957
3929
3930         Reviewed by Sam Weinig.
3931
3932         * dfg/DFGGraph.cpp:
3933         (DFG):
3934         (JSC::DFG::Graph::initializeNodeOwners):
3935         * dfg/DFGGraph.h:
3936         (Graph):
3937         * dfg/DFGNode.h:
3938
3939 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
3940
3941         fourthTier: NodeExitsForward shouldn't be duplicated in NodeType
3942         https://bugs.webkit.org/show_bug.cgi?id=118956
3943
3944         Reviewed by Sam Weinig.
3945         
3946         We had two ways of expressing that something exits forward: the NodeExitsForward
3947         flag and the word 'Forward' in the NodeType. That's kind of dumb. This patch
3948         makes it just be a flag.
3949
3950         * dfg/DFGAbstractInterpreterInlines.h:
3951         (JSC::DFG::::executeEffects):
3952         * dfg/DFGArgumentsSimplificationPhase.cpp:
3953         (JSC::DFG::ArgumentsSimplificationPhase::run):
3954         * dfg/DFGCSEPhase.cpp:
3955         (JSC::DFG::CSEPhase::int32ToDoubleCSE):
3956         (JSC::DFG::CSEPhase::checkStructureElimination):
3957         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
3958         (JSC::DFG::CSEPhase::putStructureStoreElimination):
3959         (JSC::DFG::CSEPhase::checkArrayElimination):
3960         (JSC::DFG::CSEPhase::performNodeCSE):
3961         * dfg/DFGConstantFoldingPhase.cpp:
3962         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3963         * dfg/DFGFixupPhase.cpp:
3964         (JSC::DFG::FixupPhase::fixupNode):