[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2013-08-15  Mark Hahnenberg  <mhahnenberg@apple.com>
2
3         <https://webkit.org/b/119833> Concurrent compilation thread should not trigger WriteBarriers
4
5         Reviewed by Oliver Hunt.
6
7         The concurrent compilation thread should interact minimally with the Heap, including not 
8         triggering WriteBarriers. This is a prerequisite for generational GC.
9
10         * JavaScriptCore.xcodeproj/project.pbxproj:
11         * bytecode/CodeBlock.cpp:
12         (JSC::CodeBlock::addOrFindConstant):
13         (JSC::CodeBlock::findConstant):
14         * bytecode/CodeBlock.h:
15         (JSC::CodeBlock::addConstantLazily):
16         * dfg/DFGByteCodeParser.cpp:
17         (JSC::DFG::ByteCodeParser::getJSConstantForValue):
18         (JSC::DFG::ByteCodeParser::constantUndefined):
19         (JSC::DFG::ByteCodeParser::constantNull):
20         (JSC::DFG::ByteCodeParser::one):
21         (JSC::DFG::ByteCodeParser::constantNaN):
22         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
23         * dfg/DFGCommonData.cpp:
24         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
25         * dfg/DFGCommonData.h:
26         * dfg/DFGDesiredTransitions.cpp: Added.
27         (JSC::DFG::DesiredTransition::DesiredTransition):
28         (JSC::DFG::DesiredTransition::reallyAdd):
29         (JSC::DFG::DesiredTransitions::DesiredTransitions):
30         (JSC::DFG::DesiredTransitions::~DesiredTransitions):
31         (JSC::DFG::DesiredTransitions::addLazily):
32         (JSC::DFG::DesiredTransitions::reallyAdd):
33         * dfg/DFGDesiredTransitions.h: Added.
34         * dfg/DFGDesiredWeakReferences.cpp: Added.
35         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
36         (JSC::DFG::DesiredWeakReferences::~DesiredWeakReferences):
37         (JSC::DFG::DesiredWeakReferences::addLazily):
38         (JSC::DFG::DesiredWeakReferences::reallyAdd):
39         * dfg/DFGDesiredWeakReferences.h: Added.
40         * dfg/DFGDesiredWriteBarriers.cpp: Added.
41         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
42         (JSC::DFG::DesiredWriteBarrier::trigger):
43         (JSC::DFG::DesiredWriteBarriers::DesiredWriteBarriers):
44         (JSC::DFG::DesiredWriteBarriers::~DesiredWriteBarriers):
45         (JSC::DFG::DesiredWriteBarriers::addImpl):
46         (JSC::DFG::DesiredWriteBarriers::trigger):
47         * dfg/DFGDesiredWriteBarriers.h: Added.
48         (JSC::DFG::DesiredWriteBarriers::add):
49         (JSC::DFG::initializeLazyWriteBarrier):
50         * dfg/DFGFixupPhase.cpp:
51         (JSC::DFG::FixupPhase::truncateConstantToInt32):
52         * dfg/DFGGraph.h:
53         (JSC::DFG::Graph::convertToConstant):
54         * dfg/DFGJITCompiler.h:
55         (JSC::DFG::JITCompiler::addWeakReference):
56         * dfg/DFGPlan.cpp:
57         (JSC::DFG::Plan::Plan):
58         (JSC::DFG::Plan::reallyAdd):
59         * dfg/DFGPlan.h:
60         * dfg/DFGSpeculativeJIT32_64.cpp:
61         (JSC::DFG::SpeculativeJIT::compile):
62         * dfg/DFGSpeculativeJIT64.cpp:
63         (JSC::DFG::SpeculativeJIT::compile):
64         * runtime/WriteBarrier.h:
65         (JSC::WriteBarrierBase::set):
66         (JSC::WriteBarrier::WriteBarrier):
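An illustrative model of the pattern this entry describes, added here and not JSC's own code (the type names only echo DesiredWriteBarriers::addLazily/trigger from the list above; Cell, Heap, CodeBlock and the onCompilerThread flag standing in for real thread identity are assumptions). It contrasts a compile that stores through the barrier from the compiler thread with one that records the desired barriers and lets the main thread apply them when the plan is finalized; a barrier run off the main thread mutates the remembered set unsynchronized, and a store with no barrier at all leaves an old-to-young edge the next young collection never sees.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Hypothetical GC cell: one generation bit is all the model needs.
struct Cell { bool isOld = false; };

// Minimal heap with the one facility a generational GC must have: a remembered set.
struct Heap {
    bool onCompilerThread = false;           // stand-in for "which thread is running" (no real threads here)
    std::vector<Cell*> rememberedSet;        // old cells that now point at young ones
    std::size_t barriersRun = 0;
    std::size_t barriersOffMainThread = 0;   // any nonzero count is the bug this entry prevents

    // The barrier a generational collector needs on every store of a cell pointer:
    // an old owner gaining a pointer is recorded so the next young collection scans it.
    void writeBarrier(Cell* owner) {
        ++barriersRun;
        if (onCompilerThread) ++barriersOffMainThread;
        if (owner->isOld && std::find(rememberedSet.begin(), rememberedSet.end(), owner) == rememberedSet.end())
            rememberedSet.push_back(owner);
    }
};

// A barriered pointer slot: every store notifies the heap about the owner.
struct WriteBarrier {
    Cell* value = nullptr;
    void set(Heap& heap, Cell* owner, Cell* newValue) { value = newValue; heap.writeBarrier(owner); }
};

// What the compiler thread records instead of storing: owner, slot, value.
struct DesiredWriteBarrier {
    Cell* owner; WriteBarrier* slot; Cell* value;
    void trigger(Heap& heap) const { slot->set(heap, owner, value); }
};

struct DesiredWriteBarriers {
    std::vector<DesiredWriteBarrier> pending;
    void addLazily(Cell* owner, WriteBarrier* slot, Cell* value) { pending.push_back({owner, slot, value}); }
    void trigger(Heap& heap) { for (const auto& b : pending) b.trigger(heap); pending.clear(); }
};

// Compiled-code record with slots for the constants the compiler wants to embed.
struct CodeBlock { Cell cell; std::vector<WriteBarrier> constants; };

struct Outcome {
    std::size_t barriersRun, barriersOffMainThread, remembered;
    bool constantsBound;
};

// Before/after: the compile either stores through the barrier immediately (eager)
// or only records the desired barrier and lets the main thread apply it later (deferred).
Outcome runCompile(bool deferred) {
    Heap heap;
    Cell youngA, youngB;
    CodeBlock block;
    block.cell.isOld = true;                         // an old owner is exactly the case a barrier exists for
    block.constants.resize(2);
    Cell* wanted[2] = { &youngA, &youngB };
    DesiredWriteBarriers desired;

    heap.onCompilerThread = true;                    // "compiler thread" runs the compile
    for (std::size_t i = 0; i < 2; ++i) {
        if (deferred) desired.addLazily(&block.cell, &block.constants[i], wanted[i]);
        else block.constants[i].set(heap, &block.cell, wanted[i]);
    }
    heap.onCompilerThread = false;                   // back on the main thread: finalize the plan
    if (deferred) desired.trigger(heap);             // stores and barriers happen here, on the main thread

    bool bound = block.constants[0].value == &youngA && block.constants[1].value == &youngB;
    return { heap.barriersRun, heap.barriersOffMainThread, heap.rememberedSet.size(), bound };
}
```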
67
68 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
69
70         Fix x86 32-bit build after r154158
71
72         * assembler/X86Assembler.h: Add missing #ifdef for the x86_64 instructions.
73
74 2013-08-15  Ryosuke Niwa  <rniwa@webkit.org>
75
76         Build fix attempt after r154156.
77
78         * jit/JITStubs.cpp:
79         (JSC::cti_vm_handle_exception): encode!
80
81 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
82
83         [JSC] x86: Use inc and dec when possible
84         https://bugs.webkit.org/show_bug.cgi?id=119831
85
86         Reviewed by Geoffrey Garen.
87
88         When incrementing or decrementing by an immediate of 1, use the instructions
89         inc and dec instead of add and sub.
90         The instructions have good timing and their encoding is smaller.
91
92         * assembler/MacroAssemblerX86Common.h:
93         (JSC::MacroAssemblerX86_64::add32):
94         (JSC::MacroAssemblerX86_64::sub32):
95         * assembler/MacroAssemblerX86_64.h:
96         (JSC::MacroAssemblerX86_64::add64):
97         (JSC::MacroAssemblerX86_64::sub64):
98         * assembler/X86Assembler.h:
99         (JSC::X86Assembler::dec_r):
100         (JSC::X86Assembler::decq_r):
101         (JSC::X86Assembler::inc_r):
102         (JSC::X86Assembler::incq_r):
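An illustrative x86-64 encoder, added here and not JSC's X86Assembler or MacroAssembler code, showing the byte sequences before and after the change for add32/sub32 with an immediate of 1 (the helper and register names are assumptions; only the low eight registers are handled). The comments also record the one case where the rewrite must not be applied: inc and dec leave CF untouched, so a sequence that consumes the carry flag has to keep add/sub.

```cpp
#include <cstdint>
#include <vector>

using Bytes = std::vector<uint8_t>;

// Low eight GPRs only; r8-r15 would also need a REX.B prefix and are out of scope here.
enum Reg : uint8_t { eax = 0, ecx, edx, ebx, esp, ebp, esi, edi };

// ModRM for register-direct operands: mod=11, reg=opcode extension (/digit), rm=register.
static uint8_t modRM(uint8_t ext, Reg r) { return static_cast<uint8_t>(0xC0 | (ext << 3) | r); }

// 83 /0 ib = ADD r/m32, imm8 ; 83 /5 ib = SUB r/m32, imm8 (imm8 is sign-extended to 32 bits).
static Bytes arithImm8(uint8_t ext, Reg r, int8_t imm) {
    return { 0x83, modRM(ext, r), static_cast<uint8_t>(imm) };
}

// FF /0 = INC r/m32 ; FF /1 = DEC r/m32. The one-byte 40+r / 48+r forms exist only in
// 32-bit mode; in 64-bit mode those bytes are REX prefixes, so the two-byte form is used.
// Note: INC/DEC update OF, SF, ZF, AF and PF but leave CF unchanged.
static Bytes incDec(uint8_t ext, Reg r) { return { 0xFF, modRM(ext, r) }; }

// Before the change: always the add/sub form (3 bytes for a register operand).
Bytes add32Before(int8_t imm, Reg r) { return arithImm8(0, r, imm); }
Bytes sub32Before(int8_t imm, Reg r) { return arithImm8(5, r, imm); }

// After the change: an immediate of 1 selects inc/dec (2 bytes); anything else stays add/sub.
// Callers that consume CF after the operation must keep using the add/sub form.
Bytes add32After(int8_t imm, Reg r) { return imm == 1 ? incDec(0, r) : arithImm8(0, r, imm); }
Bytes sub32After(int8_t imm, Reg r) { return imm == 1 ? incDec(1, r) : arithImm8(5, r, imm); }

// 64-bit operand size is the same encoding behind a REX.W prefix (0x48).
static Bytes rexW(Bytes b) { b.insert(b.begin(), static_cast<uint8_t>(0x48)); return b; }
Bytes add64After(int8_t imm, Reg r) { return rexW(add32After(imm, r)); }
Bytes sub64After(int8_t imm, Reg r) { return rexW(sub32After(imm, r)); }
```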
103
104 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
105
106         Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
107         https://bugs.webkit.org/show_bug.cgi?id=119874
108
109         Reviewed by Oliver Hunt and Mark Hahnenberg.
110         
111         It was a confusion between heuristics in DFG::ArrayMode that are assuming that
112         you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
113         sometimes for typed array length accesses, and the FixupPhase assuming that a
114         ForceExit ArrayMode means that it should continue using a generic GetById.
115
116         This fixes the confusion.
117
118         * dfg/DFGFixupPhase.cpp:
119         (JSC::DFG::FixupPhase::fixupNode):
120
121 2013-08-15  Mark Lam  <mark.lam@apple.com>
122
123         Fix crash when performing activation tearoff.
124         https://bugs.webkit.org/show_bug.cgi?id=119848
125
126         Reviewed by Oliver Hunt.
127
128         The activation tearoff crash was due to a bug in the baseline JIT.
129         If we have a scenario where a baseline JIT frame calls a LLINT
130         frame, an exception may be thrown while in the LLINT.
131
132         Interpreter::throwException() which handles the exception will unwind
133         all frames until it finds a catcher or sees a host frame. When we
134         return from the LLINT to the baseline JIT code, the baseline JIT code
135         erroneously sets topCallFrame to the value in its call frame register,
136         and starts unwinding the stack frames that have already been unwound.
137
138         The fix is:
139         1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
140            This is a more accurate description of what this runtime function
141            is supposed to do, i.e. it handles the exception, which includes doing
142            nothing (if there are no more frames to unwind).
143         2. Fix up topCallFrame values so that the HostCallFrameFlag is never
144            set on it.
145         3. Reload the call frame register from topCallFrame when we're
146            returning from a callee and detect exception handling in progress.
147
148         * interpreter/Interpreter.cpp:
149         (JSC::Interpreter::unwindCallFrame):
150         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
151         (JSC::Interpreter::getStackTrace):
152         * interpreter/Interpreter.h:
153         (JSC::TopCallFrameSetter::TopCallFrameSetter):
154         (JSC::TopCallFrameSetter::~TopCallFrameSetter):
155         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
156         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
157         * jit/JIT.h:
158         * jit/JITExceptions.cpp:
159         (JSC::uncaughtExceptionHandler):
160         - Convenience function to get the handler for uncaught exceptions.
161         * jit/JITExceptions.h:
162         * jit/JITInlines.h:
163         (JSC::JIT::reloadCallFrameFromTopCallFrame):
164         * jit/JITOpcodes32_64.cpp:
165         (JSC::JIT::privateCompileCTINativeCall):
166         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
167         * jit/JITStubs.cpp:
168         (JSC::throwExceptionFromOpCall):
169         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
170         (JSC::cti_vm_handle_exception):
171         - Check for the case when there are no more frames to unwind.
172         * jit/JITStubs.h:
173         * jit/JITStubsARM.h:
174         * jit/JITStubsARMv7.h:
175         * jit/JITStubsMIPS.h:
176         * jit/JITStubsSH4.h:
177         * jit/JITStubsX86.h:
178         * jit/JITStubsX86_64.h:
179         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
180         * jit/SlowPathCall.h:
181         (JSC::JITSlowPathCall::call):
182         - Reload cfr from topCallFrame when handling an exception.
183         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
184         * jit/ThunkGenerators.cpp:
185         (JSC::nativeForGenerator):
186         * llint/LowLevelInterpreter32_64.asm:
187         * llint/LowLevelInterpreter64.asm:
188         - Reload cfr from topCallFrame when handling an exception.
189         * runtime/VM.cpp:
190         (JSC::VM::VM):
191         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
192
193 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
194
195         Remove some code duplication.
196         
197         Rubber stamped by Mark Hahnenberg.
198
199         * runtime/JSDataViewPrototype.cpp:
200         (JSC::getData):
201         (JSC::setData):
202
203 2013-08-15  Julien Brianceau  <jbrianceau@nds.com>
204
205         [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
206         https://bugs.webkit.org/show_bug.cgi?id=119794
207
208         Reviewed by Filip Pizlo.
209
210         This patch fixes ASSERT failures in debug builds for the sh4 and mips architectures.
211
212         * dfg/DFGUseKind.h:
213         (JSC::DFG::isNumerical):
214         (JSC::DFG::isDouble):
215
216 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
217
218         http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.
219
220         Rubber stamped by Oliver Hunt.
221         
222         This was causing some test crashes for me.
223
224         * dfg/DFGCapabilities.cpp:
225         (JSC::DFG::capabilityLevel):
226
227 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
228
229         [Windows] Clear up improper export declaration.
230
231         * runtime/ArrayBufferView.h:
232
233 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
234
235         Unreviewed, remove some unnecessary periods from exceptions.
236
237         * runtime/JSDataViewPrototype.cpp:
238         (JSC::getData):
239         (JSC::setData):
240
241 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
242
243         Unreviewed, fix 32-bit build.
244
245         * dfg/DFGSpeculativeJIT32_64.cpp:
246         (JSC::DFG::SpeculativeJIT::compile):
247
248 2013-08-14  Filip Pizlo  <fpizlo@apple.com>
249
250         Typed arrays should be rewritten
251         https://bugs.webkit.org/show_bug.cgi?id=119064
252
253         Reviewed by Oliver Hunt.
254         
255         Typed arrays were previously deficient in several major ways:
256         
257         - They were defined separately in WebCore and in the jsc shell. The two
258           implementations were different, and the jsc shell one was basically wrong.
259           The WebCore one was quite awful, also.
260         
261         - Typed arrays were not visible to the JIT except through some weird hooks.
262           For example, the JIT could not ask "what is the Structure that this typed
263           array would have if I just allocated it from this global object". Also,
264           it was difficult to wire any of the typed array intrinsics, because most
265           of the functionality wasn't visible anywhere in JSC.
266         
267         - Typed array allocation was brain-dead. Allocating a typed array involved
268           two JS objects, two GC weak handles, and three malloc allocations.
269         
270         - Neutering. It involved keeping tabs on all native views but not the view
271           wrappers, even though the native views can autoneuter just by asking the
272           buffer if it was neutered anytime you touch them; while the JS view
273           wrappers are the ones that you really want to reach out to.
274         
275         - Common case-ing. Most typed arrays have one buffer and one view, and
276           usually nobody touches the buffer. Yet we created all of that stuff
277           anyway, using data structures optimized for the case where you had a lot
278           of views.
279         
280         - Semantic goofs. Typed arrays should, in the future, behave like ES
281           features rather than DOM features, for example when it comes to exceptions.
282           Firefox already does this and I agree with them.
283         
284         This patch cleanses our codebase of these sins:
285         
286         - Typed arrays are almost entirely defined in JSC. Only the lifecycle
287           management of native references to buffers is left to WebCore.
288         
289         - Allocating a typed array requires either two GC allocations (a cell and a
290           copied storage vector) or one GC allocation, a malloc allocation, and a
291           weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
292           latter). The latter is only used for oversize arrays. Remember that before
293           it was 7 allocations no matter what.
294         
295         - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
296           mode/length, void* vector. Before it was a lot more than that - remember,
297           there were five additional objects that did absolutely nothing for anybody.
298         
299         - Native views aren't tracked by the buffer, or by the wrappers. They are
300           transient. In the future we'll probably switch to not even having them be
301           malloc'd.
302         
303         - Native array buffers have an efficient way of tracking all of their JS view
304           wrappers, both for neutering, and for lifecycle management. The GC
305           special-cases native array buffers. This saves a bunch of grief; for example
306           it means that a JS view wrapper can refer to its buffer via the butterfly,
307           which would be dead by the time we went to finalize.
308         
309         - Typed array semantics now match Firefox, which also happens to be where the
310           standards are going. The discussion on webkit-dev seemed to confirm that
311           Chrome is also heading in this direction. This includes making
312           Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
313           ArrayBufferView as a JS-visible construct.
314         
315         This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
316         It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
317         further typed array optimizations in the JSC JITs, including inlining typed
318         array allocation, inlining more of the accessors, reducing the cost of type
319         checks, etc.
320         
321         An additional property of this patch is that typed arrays are mostly
322         implemented using templates. This deduplicates a bunch of code, but does mean
323         that we need some hacks for exporting s_info's of template classes. See
324         JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
325         low-impact compared to code duplication.
326         
327         Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
328
329         * CMakeLists.txt:
330         * DerivedSources.make:
331         * GNUmakefile.list.am:
332         * JSCTypedArrayStubs.h: Removed.
333         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
334         * JavaScriptCore.xcodeproj/project.pbxproj:
335         * Target.pri:
336         * bytecode/ByValInfo.h:
337         (JSC::hasOptimizableIndexingForClassInfo):
338         (JSC::jitArrayModeForClassInfo):
339         (JSC::typedArrayTypeForJITArrayMode):
340         * bytecode/SpeculatedType.cpp:
341         (JSC::speculationFromClassInfo):
342         * dfg/DFGArrayMode.cpp:
343         (JSC::DFG::toTypedArrayType):
344         * dfg/DFGArrayMode.h:
345         (JSC::DFG::ArrayMode::typedArrayType):
346         * dfg/DFGSpeculativeJIT.cpp:
347         (JSC::DFG::SpeculativeJIT::checkArray):
348         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
349         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
350         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
351         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
352         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
353         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
354         * dfg/DFGSpeculativeJIT.h:
355         * dfg/DFGSpeculativeJIT32_64.cpp:
356         (JSC::DFG::SpeculativeJIT::compile):
357         * dfg/DFGSpeculativeJIT64.cpp:
358         (JSC::DFG::SpeculativeJIT::compile):
359         * heap/CopyToken.h:
360         * heap/DeferGC.h:
361         (JSC::DeferGCForAWhile::DeferGCForAWhile):
362         (JSC::DeferGCForAWhile::~DeferGCForAWhile):
363         * heap/GCIncomingRefCounted.h: Added.
364         (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
365         (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
366         (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
367         (JSC::GCIncomingRefCounted::incomingReferenceAt):
368         (JSC::GCIncomingRefCounted::singletonFlag):
369         (JSC::GCIncomingRefCounted::hasVectorOfCells):
370         (JSC::GCIncomingRefCounted::hasAnyIncoming):
371         (JSC::GCIncomingRefCounted::hasSingleton):
372         (JSC::GCIncomingRefCounted::singleton):
373         (JSC::GCIncomingRefCounted::vectorOfCells):
374         * heap/GCIncomingRefCountedInlines.h: Added.
375         (JSC::::addIncomingReference):
376         (JSC::::filterIncomingReferences):
377         * heap/GCIncomingRefCountedSet.h: Added.
378         (JSC::GCIncomingRefCountedSet::size):
379         * heap/GCIncomingRefCountedSetInlines.h: Added.
380         (JSC::::GCIncomingRefCountedSet):
381         (JSC::::~GCIncomingRefCountedSet):
382         (JSC::::addReference):
383         (JSC::::sweep):
384         (JSC::::removeAll):
385         (JSC::::removeDead):
386         * heap/Heap.cpp:
387         (JSC::Heap::addReference):
388         (JSC::Heap::extraSize):
389         (JSC::Heap::size):
390         (JSC::Heap::capacity):
391         (JSC::Heap::collect):
392         (JSC::Heap::decrementDeferralDepth):
393         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
394         * heap/Heap.h:
395         * interpreter/CallFrame.h:
396         (JSC::ExecState::dataViewTable):
397         * jit/JIT.h:
398         * jit/JITPropertyAccess.cpp:
399         (JSC::JIT::privateCompileGetByVal):
400         (JSC::JIT::privateCompilePutByVal):
401         (JSC::JIT::emitIntTypedArrayGetByVal):
402         (JSC::JIT::emitFloatTypedArrayGetByVal):
403         (JSC::JIT::emitIntTypedArrayPutByVal):
404         (JSC::JIT::emitFloatTypedArrayPutByVal):
405         * jsc.cpp:
406         (GlobalObject::finishCreation):
407         * runtime/ArrayBuffer.cpp:
408         (JSC::ArrayBuffer::transfer):
409         * runtime/ArrayBuffer.h:
410         (JSC::ArrayBuffer::createAdopted):
411         (JSC::ArrayBuffer::ArrayBuffer):
412         (JSC::ArrayBuffer::gcSizeEstimateInBytes):
413         (JSC::ArrayBuffer::pin):
414         (JSC::ArrayBuffer::unpin):
415         (JSC::ArrayBufferContents::tryAllocate):
416         * runtime/ArrayBufferView.cpp:
417         (JSC::ArrayBufferView::ArrayBufferView):
418         (JSC::ArrayBufferView::~ArrayBufferView):
419         (JSC::ArrayBufferView::setNeuterable):
420         * runtime/ArrayBufferView.h:
421         (JSC::ArrayBufferView::isNeutered):
422         (JSC::ArrayBufferView::buffer):
423         (JSC::ArrayBufferView::baseAddress):
424         (JSC::ArrayBufferView::byteOffset):
425         (JSC::ArrayBufferView::verifySubRange):
426         (JSC::ArrayBufferView::clampOffsetAndNumElements):
427         (JSC::ArrayBufferView::calculateOffsetAndLength):
428         * runtime/ClassInfo.h:
429         * runtime/CommonIdentifiers.h:
430         * runtime/DataView.cpp: Added.
431         (JSC::DataView::DataView):
432         (JSC::DataView::create):
433         (JSC::DataView::wrap):
434         * runtime/DataView.h: Added.
435         (JSC::DataView::byteLength):
436         (JSC::DataView::getType):
437         (JSC::DataView::get):
438         (JSC::DataView::set):
439         * runtime/Float32Array.h:
440         * runtime/Float64Array.h:
441         * runtime/GenericTypedArrayView.h: Added.
442         (JSC::GenericTypedArrayView::data):
443         (JSC::GenericTypedArrayView::set):
444         (JSC::GenericTypedArrayView::setRange):
445         (JSC::GenericTypedArrayView::zeroRange):
446         (JSC::GenericTypedArrayView::zeroFill):
447         (JSC::GenericTypedArrayView::length):
448         (JSC::GenericTypedArrayView::byteLength):
449         (JSC::GenericTypedArrayView::item):
450         (JSC::GenericTypedArrayView::checkInboundData):
451         (JSC::GenericTypedArrayView::getType):
452         * runtime/GenericTypedArrayViewInlines.h: Added.
453         (JSC::::GenericTypedArrayView):
454         (JSC::::create):
455         (JSC::::createUninitialized):
456         (JSC::::subarray):
457         (JSC::::wrap):
458         * runtime/IndexingHeader.h:
459         (JSC::IndexingHeader::arrayBuffer):
460         (JSC::IndexingHeader::setArrayBuffer):
461         * runtime/Int16Array.h:
462         * runtime/Int32Array.h:
463         * runtime/Int8Array.h:
464         * runtime/JSArrayBuffer.cpp: Added.
465         (JSC::JSArrayBuffer::JSArrayBuffer):
466         (JSC::JSArrayBuffer::finishCreation):
467         (JSC::JSArrayBuffer::create):
468         (JSC::JSArrayBuffer::createStructure):
469         (JSC::JSArrayBuffer::getOwnPropertySlot):
470         (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
471         (JSC::JSArrayBuffer::put):
472         (JSC::JSArrayBuffer::defineOwnProperty):
473         (JSC::JSArrayBuffer::deleteProperty):
474         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
475         * runtime/JSArrayBuffer.h: Added.
476         (JSC::JSArrayBuffer::impl):
477         (JSC::toArrayBuffer):
478         * runtime/JSArrayBufferConstructor.cpp: Added.
479         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
480         (JSC::JSArrayBufferConstructor::finishCreation):
481         (JSC::JSArrayBufferConstructor::create):
482         (JSC::JSArrayBufferConstructor::createStructure):
483         (JSC::constructArrayBuffer):
484         (JSC::JSArrayBufferConstructor::getConstructData):
485         (JSC::JSArrayBufferConstructor::getCallData):
486         * runtime/JSArrayBufferConstructor.h: Added.
487         * runtime/JSArrayBufferPrototype.cpp: Added.
488         (JSC::arrayBufferProtoFuncSlice):
489         (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
490         (JSC::JSArrayBufferPrototype::finishCreation):
491         (JSC::JSArrayBufferPrototype::create):
492         (JSC::JSArrayBufferPrototype::createStructure):
493         * runtime/JSArrayBufferPrototype.h: Added.
494         * runtime/JSArrayBufferView.cpp: Added.
495         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
496         (JSC::JSArrayBufferView::JSArrayBufferView):
497         (JSC::JSArrayBufferView::finishCreation):
498         (JSC::JSArrayBufferView::getOwnPropertySlot):
499         (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
500         (JSC::JSArrayBufferView::put):
501         (JSC::JSArrayBufferView::defineOwnProperty):
502         (JSC::JSArrayBufferView::deleteProperty):
503         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
504         (JSC::JSArrayBufferView::finalize):
505         * runtime/JSArrayBufferView.h: Added.
506         (JSC::JSArrayBufferView::sizeOf):
507         (JSC::JSArrayBufferView::ConstructionContext::operator!):
508         (JSC::JSArrayBufferView::ConstructionContext::structure):
509         (JSC::JSArrayBufferView::ConstructionContext::vector):
510         (JSC::JSArrayBufferView::ConstructionContext::length):
511         (JSC::JSArrayBufferView::ConstructionContext::mode):
512         (JSC::JSArrayBufferView::ConstructionContext::butterfly):
513         (JSC::JSArrayBufferView::mode):
514         (JSC::JSArrayBufferView::vector):
515         (JSC::JSArrayBufferView::length):
516         (JSC::JSArrayBufferView::offsetOfVector):
517         (JSC::JSArrayBufferView::offsetOfLength):
518         (JSC::JSArrayBufferView::offsetOfMode):
519         * runtime/JSArrayBufferViewInlines.h: Added.
520         (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
521         (JSC::JSArrayBufferView::buffer):
522         (JSC::JSArrayBufferView::impl):
523         (JSC::JSArrayBufferView::neuter):
524         (JSC::JSArrayBufferView::byteOffset):
525         * runtime/JSCell.cpp:
526         (JSC::JSCell::slowDownAndWasteMemory):
527         (JSC::JSCell::getTypedArrayImpl):
528         * runtime/JSCell.h:
529         * runtime/JSDataView.cpp: Added.
530         (JSC::JSDataView::JSDataView):
531         (JSC::JSDataView::create):
532         (JSC::JSDataView::createUninitialized):
533         (JSC::JSDataView::set):
534         (JSC::JSDataView::typedImpl):
535         (JSC::JSDataView::getOwnPropertySlot):
536         (JSC::JSDataView::getOwnPropertyDescriptor):
537         (JSC::JSDataView::slowDownAndWasteMemory):
538         (JSC::JSDataView::getTypedArrayImpl):
539         (JSC::JSDataView::createStructure):
540         * runtime/JSDataView.h: Added.
541         * runtime/JSDataViewPrototype.cpp: Added.
542         (JSC::JSDataViewPrototype::JSDataViewPrototype):
543         (JSC::JSDataViewPrototype::create):
544         (JSC::JSDataViewPrototype::createStructure):
545         (JSC::JSDataViewPrototype::getOwnPropertySlot):
546         (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
547         (JSC::getData):
548         (JSC::setData):
549         (JSC::dataViewProtoFuncGetInt8):
550         (JSC::dataViewProtoFuncGetInt16):
551         (JSC::dataViewProtoFuncGetInt32):
552         (JSC::dataViewProtoFuncGetUint8):
553         (JSC::dataViewProtoFuncGetUint16):
554         (JSC::dataViewProtoFuncGetUint32):
555         (JSC::dataViewProtoFuncGetFloat32):
556         (JSC::dataViewProtoFuncGetFloat64):
557         (JSC::dataViewProtoFuncSetInt8):
558         (JSC::dataViewProtoFuncSetInt16):
559         (JSC::dataViewProtoFuncSetInt32):
560         (JSC::dataViewProtoFuncSetUint8):
561         (JSC::dataViewProtoFuncSetUint16):
562         (JSC::dataViewProtoFuncSetUint32):
563         (JSC::dataViewProtoFuncSetFloat32):
564         (JSC::dataViewProtoFuncSetFloat64):
565         * runtime/JSDataViewPrototype.h: Added.
566         * runtime/JSFloat32Array.h: Added.
567         * runtime/JSFloat64Array.h: Added.
568         * runtime/JSGenericTypedArrayView.h: Added.
569         (JSC::JSGenericTypedArrayView::byteLength):
570         (JSC::JSGenericTypedArrayView::byteSize):
571         (JSC::JSGenericTypedArrayView::typedVector):
572         (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
573         (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
574         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
575         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
576         (JSC::JSGenericTypedArrayView::getIndexQuickly):
577         (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
578         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
579         (JSC::JSGenericTypedArrayView::setIndexQuickly):
580         (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
581         (JSC::JSGenericTypedArrayView::typedImpl):
582         (JSC::JSGenericTypedArrayView::createStructure):
583         (JSC::JSGenericTypedArrayView::info):
584         (JSC::toNativeTypedView):
585         * runtime/JSGenericTypedArrayViewConstructor.h: Added.
586         * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
587         (JSC::::JSGenericTypedArrayViewConstructor):
588         (JSC::::finishCreation):
589         (JSC::::create):
590         (JSC::::createStructure):
591         (JSC::constructGenericTypedArrayView):
592         (JSC::::getConstructData):
593         (JSC::::getCallData):
594         * runtime/JSGenericTypedArrayViewInlines.h: Added.
595         (JSC::::JSGenericTypedArrayView):
596         (JSC::::create):
597         (JSC::::createUninitialized):
598         (JSC::::validateRange):
599         (JSC::::setWithSpecificType):
600         (JSC::::set):
601         (JSC::::getOwnPropertySlot):
602         (JSC::::getOwnPropertyDescriptor):
603         (JSC::::put):
604         (JSC::::defineOwnProperty):
605         (JSC::::deleteProperty):
606         (JSC::::getOwnPropertySlotByIndex):
607         (JSC::::putByIndex):
608         (JSC::::deletePropertyByIndex):
609         (JSC::::getOwnNonIndexPropertyNames):
610         (JSC::::getOwnPropertyNames):
611         (JSC::::visitChildren):
612         (JSC::::copyBackingStore):
613         (JSC::::slowDownAndWasteMemory):
614         (JSC::::getTypedArrayImpl):
615         * runtime/JSGenericTypedArrayViewPrototype.h: Added.
616         * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
617         (JSC::genericTypedArrayViewProtoFuncSet):
618         (JSC::genericTypedArrayViewProtoFuncSubarray):
619         (JSC::::JSGenericTypedArrayViewPrototype):
620         (JSC::::finishCreation):
        (JSC::::create):
        (JSC::::createStructure):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::arrayBufferPrototype):
        (JSC::JSGlobalObject::arrayBufferStructure):
        (JSC::JSGlobalObject::typedArrayStructure):
        * runtime/JSInt16Array.h: Added.
        * runtime/JSInt32Array.h: Added.
        * runtime/JSInt8Array.h: Added.
        * runtime/JSTypedArrayConstructors.cpp: Added.
        * runtime/JSTypedArrayConstructors.h: Added.
        * runtime/JSTypedArrayPrototypes.cpp: Added.
        * runtime/JSTypedArrayPrototypes.h: Added.
        * runtime/JSTypedArrays.cpp: Added.
        * runtime/JSTypedArrays.h: Added.
        * runtime/JSUint16Array.h: Added.
        * runtime/JSUint32Array.h: Added.
        * runtime/JSUint8Array.h: Added.
        * runtime/JSUint8ClampedArray.h: Added.
        * runtime/Operations.h:
        * runtime/Options.h:
        * runtime/SimpleTypedArrayController.cpp: Added.
        (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
        (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
        (JSC::SimpleTypedArrayController::toJS):
        * runtime/SimpleTypedArrayController.h: Added.
        * runtime/Structure.h:
        (JSC::Structure::couldHaveIndexingHeader):
        * runtime/StructureInlines.h:
        (JSC::Structure::hasIndexingHeader):
        * runtime/TypedArrayAdaptors.h: Added.
        (JSC::IntegralTypedArrayAdaptor::toNative):
        (JSC::IntegralTypedArrayAdaptor::toJSValue):
        (JSC::IntegralTypedArrayAdaptor::toDouble):
        (JSC::FloatTypedArrayAdaptor::toNative):
        (JSC::FloatTypedArrayAdaptor::toJSValue):
        (JSC::FloatTypedArrayAdaptor::toDouble):
        (JSC::Uint8ClampedAdaptor::toNative):
        (JSC::Uint8ClampedAdaptor::toJSValue):
        (JSC::Uint8ClampedAdaptor::toDouble):
        (JSC::Uint8ClampedAdaptor::clamp):
        * runtime/TypedArrayController.cpp: Added.
        (JSC::TypedArrayController::TypedArrayController):
        (JSC::TypedArrayController::~TypedArrayController):
        * runtime/TypedArrayController.h: Added.
        * runtime/TypedArrayDescriptor.h: Removed.
        * runtime/TypedArrayInlines.h: Added.
        * runtime/TypedArrayType.cpp: Added.
        (JSC::classInfoForType):
        (WTF::printInternal):
        * runtime/TypedArrayType.h: Added.
        (JSC::toIndex):
        (JSC::isTypedView):
        (JSC::elementSize):
        (JSC::isInt):
        (JSC::isFloat):
        (JSC::isSigned):
        (JSC::isClamped):
        * runtime/TypedArrays.h: Added.
        * runtime/Uint16Array.h:
        * runtime/Uint32Array.h:
        * runtime/Uint8Array.h:
        * runtime/Uint8ClampedArray.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:

2013-08-15  Oliver Hunt  <oliver@apple.com>

        <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure

        Reviewed by Filip Pizlo.

        Make sure dfgCapabilities doesn't report a Dynamic put as
        being compilable when we don't actually support it.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):

2013-08-15  Brent Fulgham  <bfulgham@apple.com>

        [Windows] Incorrect DLL Linkage for JSC ArrayBuffer and ArrayBufferView
        https://bugs.webkit.org/show_bug.cgi?id=119847

        Reviewed by Oliver Hunt.

        * runtime/ArrayBuffer.h: Switch from WTF_EXPORT_PRIVATE to JS_EXPORT_PRIVATE
        * runtime/ArrayBufferView.h: Ditto.

2013-08-15  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=119843
        PropertySlot::setValue is ambiguous

        Reviewed by Geoff Garen.

        There are three different versions of PropertySlot::setValue, one for cacheable properties, and two that are used interchangeably and inconsistently.
        The problematic variants are the ones that just take a value, and one that takes a value and also the object containing the property.
        Unify on always providing the object, and remove the version that just takes a value.
        This always works except for JSString, where we optimize out the object (logically we should be instantiating a temporary StringObject on every property access).
        Provide a version of setValue that takes a JSString as the owner of the property.
        We won't store this, but it makes it clear that this interface should only be used from JSString.

        * API/JSCallbackObjectFunctions.h:
        (JSC::::getOwnPropertySlot):
        * JSCTypedArrayStubs.h:
        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertySlotByIndex):
        (JSC::Arguments::getOwnPropertySlot):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTableGet):
        (JSC::JSActivation::getOwnPropertySlot):
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnPropertySlot):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertySlotByIndex):
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTableGet):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayEntry::get):
            - Pass object containing property to PropertySlot::setValue
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::setValue):
            - Logically, the base of a string property access is a temporary StringObject, but we optimize that away.
        (JSC::PropertySlot::setUndefined):
            - removed setValue(JSValue), added setValue(JSString*, JSValue)

2013-08-15  Oliver Hunt  <oliver@apple.com>

        Remove bogus assertion.

        RS=Filip Pizlo

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):

2013-08-15  Allan Sandfeld Jensen  <allan.jensen@digia.com>

        REGRESSION(r148790) Made 7 tests fail on x86 32bit
        https://bugs.webkit.org/show_bug.cgi?id=114913

        Reviewed by Filip Pizlo.

        The X87 register was not freed before some calls. Instead
        of inserting resetX87Registers to the last call sites,
        the two X87 registers are now freed in every call.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/instructions.rb:
        * offlineasm/x86.rb:

2013-08-14  Michael Saboff  <msaboff@apple.com>

        Fixed jit on Win64.
        https://bugs.webkit.org/show_bug.cgi?id=119601

        Reviewed by Oliver Hunt.

        * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation.
        * jit/JSInterfaceJIT.h: Added thirdArgumentRegister.
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call): Added correct calling convention for Win64.

2013-08-14  Alex Christensen  <achristensen@apple.com>

        Compile fix for Win64 with jit disabled.
        https://bugs.webkit.org/show_bug.cgi?id=119804

        Reviewed by Michael Saboff.

        * offlineasm/cloop.rb: Added std:: before isnan.

2013-08-14  Julien Brianceau  <jbrianceau@nds.com>

        DFG_JIT implementation for sh4 architecture.
        https://bugs.webkit.org/show_bug.cgi?id=119737

        Reviewed by Oliver Hunt.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::invert):
        (JSC::MacroAssemblerSH4::add32):
        (JSC::MacroAssemblerSH4::and32):
        (JSC::MacroAssemblerSH4::lshift32):
        (JSC::MacroAssemblerSH4::mul32):
        (JSC::MacroAssemblerSH4::or32):
        (JSC::MacroAssemblerSH4::rshift32):
        (JSC::MacroAssemblerSH4::sub32):
        (JSC::MacroAssemblerSH4::xor32):
        (JSC::MacroAssemblerSH4::store32):
        (JSC::MacroAssemblerSH4::swapDouble):
        (JSC::MacroAssemblerSH4::storeDouble):
        (JSC::MacroAssemblerSH4::subDouble):
        (JSC::MacroAssemblerSH4::mulDouble):
        (JSC::MacroAssemblerSH4::divDouble):
        (JSC::MacroAssemblerSH4::negateDouble):
        (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
        (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
        (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
        (JSC::MacroAssemblerSH4::swap):
        (JSC::MacroAssemblerSH4::jump):
        (JSC::MacroAssemblerSH4::branchNeg32):
        (JSC::MacroAssemblerSH4::branchAdd32):
        (JSC::MacroAssemblerSH4::branchMul32):
        (JSC::MacroAssemblerSH4::urshift32):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::SH4Assembler):
        (JSC::SH4Assembler::labelForWatchpoint):
        (JSC::SH4Assembler::label):
        (JSC::SH4Assembler::debugOffset):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
        (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
        (JSC::DFG::AssemblyHelpers::debugCall):
        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArguments):
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        * dfg/DFGFPRInfo.h:
        (JSC::DFG::FPRInfo::toRegister):
        (JSC::DFG::FPRInfo::toIndex):
        (JSC::DFG::FPRInfo::debugName):
        * dfg/DFGGPRInfo.h:
        (JSC::DFG::GPRInfo::toRegister):
        (JSC::DFG::GPRInfo::toIndex):
        (JSC::DFG::GPRInfo::debugName):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * jit/JITStubs.h:
        * jit/JITStubsSH4.h:

2013-08-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix build.

        * API/JSValue.mm:
        (isDate):
        (isArray):
        * API/JSWrapperMap.mm:
        (tryUnwrapObjcObject):
        * API/ObjCCallbackFunction.mm:
        (tryUnwrapBlock):

2013-08-13  Filip Pizlo  <fpizlo@apple.com>

        Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
        https://bugs.webkit.org/show_bug.cgi?id=119770

        Reviewed by Mark Hahnenberg.

        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::finishCreation):
        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::createStructure):
        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::finishCreation):
        * API/JSCallbackFunction.h:
        (JSC::JSCallbackFunction::createStructure):
        * API/JSCallbackObject.cpp:
        (JSC::::createStructure):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::visitChildren):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::asCallbackObject):
        (JSC::::finishCreation):
        * API/JSObjectRef.cpp:
        (JSObjectGetPrivate):
        (JSObjectSetPrivate):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        * API/JSValueRef.cpp:
        (JSValueIsObjectOfClass):
        * API/JSWeakObjectMapRefPrivate.cpp:
        * API/ObjCCallbackFunction.h:
        (JSC::ObjCCallbackFunction::createStructure):
        * JSCTypedArrayStubs.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC::CallLinkStatus::function):
        (JSC::CallLinkStatus::internalFunction):
        * bytecode/CodeBlock.h:
        (JSC::baselineCodeBlockForInlineCallFrame):
        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromClassInfo):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::visitChildren):
        (JSC::UnlinkedCodeBlock::visitChildren):
        (JSC::UnlinkedProgramCodeBlock::visitChildren):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::createStructure):
        (JSC::UnlinkedProgramCodeBlock::createStructure):
        (JSC::UnlinkedEvalCodeBlock::createStructure):
        (JSC::UnlinkedFunctionCodeBlock::createStructure):
        * debugger/Debugger.cpp:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::visitChildren):
        * debugger/DebuggerActivation.h:
        (JSC::DebuggerActivation::createStructure):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::functionName):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
        (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::isInternalFunctionConstant):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::compileNewStringObject):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::virtualForThunkGenerator):
        * interpreter/Interpreter.cpp:
        (JSC::loadVarargs):
        * jsc.cpp:
        (GlobalObject::createStructure):
        * profiler/LegacyProfiler.cpp:
        (JSC::LegacyProfiler::createCallIdentifier):
        * runtime/Arguments.cpp:
        (JSC::Arguments::visitChildren):
        * runtime/Arguments.h:
        (JSC::Arguments::createStructure):
        (JSC::asArguments):
        (JSC::Arguments::finishCreation):
        * runtime/ArrayConstructor.cpp:
        (JSC::arrayConstructorIsArray):
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::createStructure):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        (JSC::arrayProtoFuncConcat):
        (JSC::attemptFastSort):
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::createStructure):
        * runtime/BooleanConstructor.h:
        (JSC::BooleanConstructor::createStructure):
        * runtime/BooleanObject.cpp:
        (JSC::BooleanObject::finishCreation):
        * runtime/BooleanObject.h:
        (JSC::BooleanObject::createStructure):
        (JSC::asBooleanObject):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::finishCreation):
        (JSC::booleanProtoFuncToString):
        (JSC::booleanProtoFuncValueOf):
        * runtime/BooleanPrototype.h:
        (JSC::BooleanPrototype::createStructure):
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::createStructure):
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::finishCreation):
        * runtime/DateInstance.h:
        (JSC::DateInstance::createStructure):
        (JSC::asDateInstance):
        * runtime/DatePrototype.cpp:
        (JSC::formateDateInstance):
        (JSC::DatePrototype::finishCreation):
        (JSC::dateProtoFuncToISOString):
        (JSC::dateProtoFuncToLocaleString):
        (JSC::dateProtoFuncToLocaleDateString):
        (JSC::dateProtoFuncToLocaleTimeString):
        (JSC::dateProtoFuncGetTime):
        (JSC::dateProtoFuncGetFullYear):
        (JSC::dateProtoFuncGetUTCFullYear):
        (JSC::dateProtoFuncGetMonth):
        (JSC::dateProtoFuncGetUTCMonth):
        (JSC::dateProtoFuncGetDate):
        (JSC::dateProtoFuncGetUTCDate):
        (JSC::dateProtoFuncGetDay):
        (JSC::dateProtoFuncGetUTCDay):
        (JSC::dateProtoFuncGetHours):
        (JSC::dateProtoFuncGetUTCHours):
        (JSC::dateProtoFuncGetMinutes):
        (JSC::dateProtoFuncGetUTCMinutes):
        (JSC::dateProtoFuncGetSeconds):
        (JSC::dateProtoFuncGetUTCSeconds):
        (JSC::dateProtoFuncGetMilliSeconds):
        (JSC::dateProtoFuncGetUTCMilliseconds):
        (JSC::dateProtoFuncGetTimezoneOffset):
        (JSC::dateProtoFuncSetTime):
        (JSC::setNewValueFromTimeArgs):
        (JSC::setNewValueFromDateArgs):
        (JSC::dateProtoFuncSetYear):
        (JSC::dateProtoFuncGetYear):
        * runtime/DatePrototype.h:
        (JSC::DatePrototype::createStructure):
        * runtime/Error.h:
        (JSC::StrictModeTypeErrorFunction::createStructure):
        * runtime/ErrorConstructor.h:
        (JSC::ErrorConstructor::createStructure):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::finishCreation):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::createStructure):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::finishCreation):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::createStructure):
        * runtime/ExceptionHelpers.cpp:
        (JSC::isTerminatedExecutionException):
        * runtime/ExceptionHelpers.h:
        (JSC::TerminatedExecutionError::createStructure):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::visitChildren):
        (JSC::ProgramExecutable::visitChildren):
        (JSC::FunctionExecutable::visitChildren):
        (JSC::ExecutableBase::hashFor):
        * runtime/Executable.h:
        (JSC::ExecutableBase::createStructure):
        (JSC::NativeExecutable::createStructure):
        (JSC::EvalExecutable::createStructure):
        (JSC::ProgramExecutable::createStructure):
        (JSC::FunctionExecutable::compileFor):
        (JSC::FunctionExecutable::compileOptimizedFor):
        (JSC::FunctionExecutable::createStructure):
        * runtime/FunctionConstructor.h:
        (JSC::FunctionConstructor::createStructure):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        (JSC::functionProtoFuncApply):
        (JSC::functionProtoFuncBind):
        * runtime/FunctionPrototype.h:
        (JSC::FunctionPrototype::createStructure):
        * runtime/GetterSetter.cpp:
        (JSC::GetterSetter::visitChildren):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::createStructure):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::finishCreation):
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::createStructure):
        (JSC::asInternalFunction):
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::visitChildren):
        (JSC::JSActivation::argumentsGetter):
        * runtime/JSActivation.h:
        (JSC::JSActivation::createStructure):
        (JSC::asActivation):
        * runtime/JSArray.h:
        (JSC::JSArray::createStructure):
        (JSC::asArray):
        (JSC::isJSArray):
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::finishCreation):
        (JSC::JSBoundFunction::visitChildren):
        * runtime/JSBoundFunction.h:
        (JSC::JSBoundFunction::createStructure):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContext):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isFunction):
        * runtime/JSCell.h:
        (JSC::jsCast):
        (JSC::jsDynamicCast):
        * runtime/JSCellInlines.h:
        (JSC::allocateCell):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::finishCreation):
        (JSC::JSFunction::visitChildren):
        (JSC::skipOverBoundFunctions):
        (JSC::JSFunction::callerGetter):
        * runtime/JSFunction.h:
        (JSC::JSFunction::createStructure):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::visitChildren):
        (JSC::slowValidateCell):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::createStructure):
        * runtime/JSNameScope.cpp:
        (JSC::JSNameScope::visitChildren):
        * runtime/JSNameScope.h:
        (JSC::JSNameScope::createStructure):
        * runtime/JSNotAnObject.h:
        (JSC::JSNotAnObject::createStructure):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::finishCreation):
        (JSC::unwrapBoxedPrimitive):
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Stringifier::Holder::Holder):
        (JSC::Walker::walk):
        (JSC::JSONProtoFuncStringify):
        * runtime/JSONObject.h:
        (JSC::JSONObject::createStructure):
        * runtime/JSObject.cpp:
        (JSC::getCallableObjectSlow):
        (JSC::JSObject::visitChildren):
        (JSC::JSObject::copyBackingStore):
        (JSC::JSFinalObject::visitChildren):
        (JSC::JSObject::ensureInt32Slow):
        (JSC::JSObject::ensureDoubleSlow):
        (JSC::JSObject::ensureContiguousSlow):
        (JSC::JSObject::ensureArrayStorageSlow):
        * runtime/JSObject.h:
        (JSC::JSObject::finishCreation):
        (JSC::JSObject::createStructure):
        (JSC::JSNonFinalObject::createStructure):
        (JSC::JSFinalObject::createStructure):
        (JSC::isJSFinalObject):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::visitChildren):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::createStructure):
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::visitChildren):
        * runtime/JSProxy.h:
        (JSC::JSProxy::createStructure):
        * runtime/JSScope.cpp:
        (JSC::JSScope::visitChildren):
        * runtime/JSSegmentedVariableObject.cpp:
        (JSC::JSSegmentedVariableObject::visitChildren):
        * runtime/JSString.h:
        (JSC::JSString::createStructure):
        (JSC::isJSString):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::visitChildren):
        * runtime/JSVariableObject.h:
        * runtime/JSWithScope.cpp:
        (JSC::JSWithScope::visitChildren):
        * runtime/JSWithScope.h:
        (JSC::JSWithScope::createStructure):
        * runtime/JSWrapperObject.cpp:
        (JSC::JSWrapperObject::visitChildren):
        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::createStructure):
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        * runtime/MathObject.h:
        (JSC::MathObject::createStructure):
        * runtime/NameConstructor.h:
        (JSC::NameConstructor::createStructure):
        * runtime/NameInstance.h:
        (JSC::NameInstance::createStructure):
        (JSC::NameInstance::finishCreation):
        * runtime/NamePrototype.cpp:
        (JSC::NamePrototype::finishCreation):
        (JSC::privateNameProtoFuncToString):
        * runtime/NamePrototype.h:
        (JSC::NamePrototype::createStructure):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::visitChildren):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::createStructure):
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):
        * runtime/NumberConstructor.h:
        (JSC::NumberConstructor::createStructure):
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::finishCreation):
        * runtime/NumberObject.h:
        (JSC::NumberObject::createStructure):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::finishCreation):
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::createStructure):
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::createStructure):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::finishCreation):
        * runtime/ObjectPrototype.h:
        (JSC::ObjectPrototype::createStructure):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::createStructure):
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::visitChildren):
        * runtime/RegExp.h:
        (JSC::RegExp::createStructure):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::finishCreation):
        (JSC::RegExpConstructor::visitChildren):
        (JSC::constructRegExp):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::createStructure):
        (JSC::asRegExpConstructor):
        * runtime/RegExpMatchesArray.cpp:
        (JSC::RegExpMatchesArray::visitChildren):
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::createStructure):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::finishCreation):
        (JSC::RegExpObject::visitChildren):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::createStructure):
        (JSC::asRegExpObject):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncTest):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncCompile):
        (JSC::regExpProtoFuncToString):
        * runtime/RegExpPrototype.h:
        (JSC::RegExpPrototype::createStructure):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::createStructure):
        * runtime/SparseArrayValueMap.h:
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::createStructure):
        * runtime/StringConstructor.h:
        (JSC::StringConstructor::createStructure):
        * runtime/StringObject.cpp:
        (JSC::StringObject::finishCreation):
        * runtime/StringObject.h:
        (JSC::StringObject::createStructure):
        (JSC::asStringObject):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::stringProtoFuncReplace):
        (JSC::stringProtoFuncToString):
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):
        (JSC::stringProtoFuncSplit):
        * runtime/StringPrototype.h:
        (JSC::StringPrototype::createStructure):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::get):
        (JSC::Structure::visitChildren):
        * runtime/Structure.h:
        (JSC::Structure::typeInfo):
        (JSC::Structure::previousID):
        (JSC::Structure::outOfLineSize):
        (JSC::Structure::totalStorageCapacity):
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::visitChildren):
        * runtime/StructureChain.h:
        (JSC::StructureChain::createStructure):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::createStructure):
        (JSC::StructureRareData::visitChildren):
        * runtime/StructureRareData.h:
        * runtime/SymbolTable.h:
        (JSC::SharedSymbolTable::createStructure):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::StackPreservingRecompiler::operator()):
        (JSC::VM::releaseExecutableMemory):
        * runtime/WriteBarrier.h:
        (JSC::validateCell):
        * testRegExp.cpp:
        (GlobalObject::createStructure):

2013-08-13  Arunprasad Rajkumar  <arurajku@cisco.com>

        [WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places
        https://bugs.webkit.org/show_bug.cgi?id=119762

        Reviewed by Geoffrey Garen.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::markRoots):
        (JSC::Heap::collect):
        * jsc.cpp:
        (StopWatch::start):
        (StopWatch::stop):
        * testRegExp.cpp:
        (StopWatch::start):
        (StopWatch::stop):

2013-08-13  Julien Brianceau  <jbrianceau@nds.com>

        [sh4] Prepare LLINT for DFG_JIT implementation.
        https://bugs.webkit.org/show_bug.cgi?id=119755

        Reviewed by Oliver Hunt.

        * LLIntOffsetsExtractor.pro: Add sh4.rb dependency.
        * offlineasm/sh4.rb:
            - Handle storeb opcode.
            - Make relative jumps when possible using braf opcode.
            - Update bmulio implementation to be consistent with baseline JIT.
            - Remove useless code from leap opcode.
            - Fix incorrect comment.

2013-08-13  Julien Brianceau  <jbrianceau@nds.com>

        [sh4] Prepare baseline JIT for DFG_JIT implementation.
        https://bugs.webkit.org/show_bug.cgi?id=119758

        Reviewed by Oliver Hunt.

        * assembler/MacroAssemblerSH4.h:
            - Introduce a loadEffectiveAddress function to avoid code duplication.
            - Add ASSERTs and clean code.
        * assembler/SH4Assembler.h:
            - Prepare DFG_JIT implementation.
            - Add ASSERTs.
        * jit/JITStubs.cpp:
            - Add SH4 specific call for assertions.
        * jit/JITStubs.h:
            - Cosmetic change.
        * jit/JITStubsSH4.h:
            - Use constants to be more flexible with sh4 JIT stack frame.
        * jit/JSInterfaceJIT.h:
            - Cosmetic change.

2013-08-13  Oliver Hunt  <oliver@apple.com>

        Harden executeConstruct against incorrect return types from host functions
        https://bugs.webkit.org/show_bug.cgi?id=119757

        Reviewed by Mark Hahnenberg.

        Add logic to guard against bogus return types.  There doesn't seem to be any
        class in webkit that does this wrong, but the typed array stubs in debug JSC
        do exhibit this bad behaviour.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeConstruct):

2013-08-13  Allan Sandfeld Jensen  <allan.jensen@digia.com>

        [Qt] Fix C++11 build with gcc 4.4 and 4.5
        https://bugs.webkit.org/show_bug.cgi?id=119736

        Reviewed by Anders Carlsson.

        Don't force C++11 mode off anymore.

        * Target.pri:

2013-08-12  Oliver Hunt  <oliver@apple.com>

        Remove CodeBlock's notion of adding identifiers entirely
        https://bugs.webkit.org/show_bug.cgi?id=119708

        Reviewed by Geoffrey Garen.

        Remove addAdditionalIdentifier entirely, including the bogus assertion.
        Move the addition of identifiers to DFGPlan::reallyAdd

        * bytecode/CodeBlock.h:
        * dfg/DFGDesiredIdentifiers.cpp:
        (JSC::DFG::DesiredIdentifiers::reallyAdd):
        * dfg/DFGDesiredIdentifiers.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::reallyAdd):
        (JSC::DFG::Plan::finalize):
        * dfg/DFGPlan.h:

2013-08-12  Oliver Hunt  <oliver@apple.com>

        Build fix

        * runtime/JSCell.h:

2013-08-12  Oliver Hunt  <oliver@apple.com>

        Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them
        https://bugs.webkit.org/show_bug.cgi?id=119705

        Reviewed by Geoffrey Garen.

        Relatively trivial refactoring

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numberOfAdditionalIdentifiers):
        (JSC::CodeBlock::addAdditionalIdentifier):
        (JSC::CodeBlock::identifier):
        (JSC::CodeBlock::numberOfIdentifiers):
        * dfg/DFGCommonData.h:

2013-08-12  Oliver Hunt  <oliver@apple.com>

        Stop making unnecessary copy of CodeBlock Identifier Vector
        https://bugs.webkit.org/show_bug.cgi?id=119702

        Reviewed by Michael Saboff.

        Make CodeBlock simply use a separate Vector for additional Identifiers
        and use the UnlinkedCodeBlock for the initial set of identifiers.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::dumpStructure):
        (JSC::dumpChain):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printPutByIdOp):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numberOfIdentifiers):
        (JSC::CodeBlock::numberOfAdditionalIdentifiers):
        (JSC::CodeBlock::addAdditionalIdentifier):
        (JSC::CodeBlock::identifier):
        * dfg/DFGDesiredIdentifiers.cpp:
        (JSC::DFG::DesiredIdentifiers::reallyAdd):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_get_arguments_length):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::compileGetByIdSlowCase):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
1445         (JSC::JIT::compileGetByIdHotPath):
1446         (JSC::JIT::compileGetByIdSlowCase):
1447         * jit/JITStubs.cpp:
1448         (JSC::DEFINE_STUB_FUNCTION):
1449         * llint/LLIntSlowPaths.cpp:
1450         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1451
1452 2013-08-08  Mark Lam  <mark.lam@apple.com>
1453
1454         Restoring use of StackIterator instead of Interpreter::getStacktrace().
1455         https://bugs.webkit.org/show_bug.cgi?id=119575.
1456
1457         Reviewed by Oliver Hunt.
1458
1459         * interpreter/Interpreter.h:
1460         - Made getStackTrace() private.
1461         * interpreter/StackIterator.cpp:
1462         (JSC::StackIterator::StackIterator):
1463         (JSC::StackIterator::numberOfFrames):
1464         - Computes the number of frames by iterating through the whole stack
1465           from the starting frame. The iterator will save its current frame
1466           position before counting the frames, and then restore it after
1467           the counting.
1468         (JSC::StackIterator::gotoFrameAtIndex):
1469         (JSC::StackIterator::gotoNextFrame):
1470         (JSC::StackIterator::resetIterator):
1471         - Points the iterator to the starting frame.
1472         * interpreter/StackIteratorPrivate.h:
1473
1474 2013-08-08  Mark Lam  <mark.lam@apple.com>
1475
1476         Moved ErrorConstructor and NativeErrorConstructor helper functions into
1477         the Interpreter class.
1478         https://bugs.webkit.org/show_bug.cgi?id=119576.
1479
1480         Reviewed by Oliver Hunt.
1481
1482         This change is needed to prepare for making Interpreter::getStackTrace()
1483         private. It does not change the behavior of the code, only the lexical
1484         scoping.
1485
1486         * interpreter/Interpreter.h:
1487         - Added helper functions for ErrorConstructor and NativeErrorConstructor.
1488         * runtime/ErrorConstructor.cpp:
1489         (JSC::Interpreter::constructWithErrorConstructor):
1490         (JSC::ErrorConstructor::getConstructData):
1491         (JSC::Interpreter::callErrorConstructor):
1492         (JSC::ErrorConstructor::getCallData):
1493         - Don't want ErrorConstructor to call Interpreter::getStackTrace()
1494           directly. So, we moved the helper functions into the Interpreter
1495           class.
1496         * runtime/NativeErrorConstructor.cpp:
1497         (JSC::Interpreter::constructWithNativeErrorConstructor):
1498         (JSC::NativeErrorConstructor::getConstructData):
1499         (JSC::Interpreter::callNativeErrorConstructor):
1500         (JSC::NativeErrorConstructor::getCallData):
1501         - Don't want NativeErrorConstructor to call Interpreter::getStackTrace()
1502           directly. So, we moved the helper functions into the Interpreter
1503           class.
1504
1505 2013-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>
1506
1507         32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state
1508         https://bugs.webkit.org/show_bug.cgi?id=119555
1509
1510         Reviewed by Geoffrey Garen.
1511
1512         It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does.
1513         This was causing crashes on maps.google.com in 32-bit debug builds.
1514
1515         * dfg/DFGSpeculativeJIT32_64.cpp:
1516         (JSC::DFG::SpeculativeJIT::compile):
1517
1518 2013-08-06  Michael Saboff  <msaboff@apple.com>
1519
1520         REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT
1521         https://bugs.webkit.org/show_bug.cgi?id=119405
1522
1523         Reviewed by Geoffrey Garen.
1524
1525         * dfg/DFGSpeculativeJIT.cpp:
1526         (JSC::DFG::SpeculativeJIT::compileGetByValOnString): For X86 32 bit, construct an indexed address
1527         ourselves to save a register and then load from it.
1528
1529 2013-08-06  Filip Pizlo  <fpizlo@apple.com>
1530
1531         DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants
1532         https://bugs.webkit.org/show_bug.cgi?id=119528
1533
1534         Reviewed by Geoffrey Garen.
1535
1536         Either of the two fixes would solve the crash I saw. Basically, for best performance, we want the DFG register allocator to track double uses and non-double
1537         uses of a node separately, and we accomplish this by inserting Int32ToDouble nodes in the FixupPhase. But even if FixupPhase fails to do this, we still want
1538         the DFG register allocator to do the right thing: if it encounters a double use of an integer, it should perform a conversion and preserve the original
1539         format of the value (namely, that it was an integer). For constants, the best format to preserve is None, so that future integer uses rematerialize the int
1540         from scratch. This only affects the 64-bit backend; the 32-bit backend was already doing the right thing.
1541
1542         This also fixes some more debug dumping code, and adds some stronger assertions for integer arrays.
1543
1544         * bytecode/CodeBlock.cpp:
1545         (JSC::CodeBlock::finalizeUnconditionally):
1546         * dfg/DFGDriver.cpp:
1547         (JSC::DFG::compile):
1548         * dfg/DFGFixupPhase.cpp:
1549         (JSC::DFG::FixupPhase::fixupNode):
1550         * dfg/DFGGraph.cpp:
1551         (JSC::DFG::Graph::dump):
1552         * dfg/DFGSpeculativeJIT64.cpp:
1553         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1554         * runtime/JSObject.h:
1555         (JSC::JSObject::getIndexQuickly):
1556         (JSC::JSObject::tryGetIndexQuickly):
1557
1558 2013-08-08  Stephanie Lewis  <slewis@apple.com>
1559
1560         <rdar://problem/14680524> REGRESSION(153806): Crash @ yahoo.com when WebKit is built with a .order file
1561
1562         Unreviewed.
1563
1564         Ensure llint symbols are in source order.
1565
1566         * JavaScriptCore.order:
1567
1568 2013-08-06  Mark Lam  <mark.lam@apple.com>
1569
1570         Assertion failure in emitExpressionInfo when reloading with Web Inspector open.
1571         https://bugs.webkit.org/show_bug.cgi?id=119532.
1572
1573         Reviewed by Oliver Hunt.
1574
1575         * parser/Parser.cpp:
1576         (JSC::::Parser):
1577         - Just need to initialize the Parser's JSTokenLocation's initial line and
1578           startOffset as well during Parser construction.
1579
1580 2013-08-06  Stephanie Lewis  <slewis@apple.com>
1581
1582         Update Order Files for Safari
1583         <rdar://problem/14517392>
1584
1585         Unreviewed.
1586
1587         * JavaScriptCore.order:
1588
1589 2013-08-04  Sam Weinig  <sam@webkit.org>
1590
1591         Remove support for HTML5 MicroData
1592         https://bugs.webkit.org/show_bug.cgi?id=119480
1593
1594         Reviewed by Anders Carlsson.
1595
1596         * Configurations/FeatureDefines.xcconfig:
1597
1598 2013-08-05  Oliver Hunt  <oliver@apple.com>
1599
1600         Delay Arguments creation in strict mode
1601         https://bugs.webkit.org/show_bug.cgi?id=119505
1602
1603         Reviewed by Geoffrey Garen.
1604
1605         Make use of the write tracking performed by the parser to
1606         allow us to know if we're modifying the parameters to a function.
1607         Then use that information to make strict mode functions opt out
1608         of eager arguments creation.
1609
1610         * bytecompiler/BytecodeGenerator.cpp:
1611         (JSC::BytecodeGenerator::BytecodeGenerator):
1612         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
1613         (JSC::BytecodeGenerator::emitReturn):
1614         * bytecompiler/BytecodeGenerator.h:
1615         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly):
1616         * parser/Nodes.h:
1617         (JSC::ScopeNode::modifiesParameter):
1618         * parser/Parser.cpp:
1619         (JSC::::parseInner):
1620         * parser/Parser.h:
1621         (JSC::Scope::declareParameter):
1622         (JSC::Scope::getCapturedVariables):
1623         (JSC::Parser::declareWrite):
1624         * parser/ParserModes.h:
1625
1626 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
1627
1628         Remove useless code from COMPILER(RVCT) JITStubs
1629         https://bugs.webkit.org/show_bug.cgi?id=119521
1630
1631         Reviewed by Geoffrey Garen.
1632
1633         * jit/JITStubsARMv7.h:
1634         (JSC::ctiVMThrowTrampoline): "ldr r6, [sp, #PRESERVED_R6_OFFSET]" was called twice.
1635         (JSC::ctiOpThrowNotCaught): Ditto.
1636
1637 2013-07-23  David Farler  <dfarler@apple.com>
1638
1639         Provide optional OTHER_CFLAGS, OTHER_CPPFLAGS, OTHER_LDFLAGS additions for building with ASAN
1640         https://bugs.webkit.org/show_bug.cgi?id=117762
1641
1642         Reviewed by Mark Rowe.
1643
1644         * Configurations/DebugRelease.xcconfig:
1645         Add ASAN_OTHER_CFLAGS, CPLUSPLUSFLAGS, LDFLAGS.
1646         * Configurations/JavaScriptCore.xcconfig:
1647         Add ASAN_OTHER_LDFLAGS.
1648         * Configurations/ToolExecutable.xcconfig:
1649         Don't use ASAN for build tools.
1650
1651 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
1652
1653         Build fix for ARM MSVC after r153222 and r153648.
1654
1655         * jit/JITStubsARM.h: Added ctiVMThrowTrampolineSlowpath.
1656
1657 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
1658
1659         Build fix for ARM MSVC after r150109.
1660
1661         Read the stub template from a header file instead of JITStubs.cpp.
1662
1663         * CMakeLists.txt:
1664         * DerivedSources.pri:
1665         * create_jit_stubs:
1666
1667 2013-08-05  Oliver Hunt  <oliver@apple.com>
1668
1669         Move TypedArray implementation into JSC
1670         https://bugs.webkit.org/show_bug.cgi?id=119489
1671
1672         Reviewed by Filip Pizlo.
1673
1674         Move TypedArray implementation into JSC in advance of re-implementation
1675
1676         * GNUmakefile.list.am:
1677         * JSCTypedArrayStubs.h:
1678         * JavaScriptCore.xcodeproj/project.pbxproj:
1679         * runtime/ArrayBuffer.cpp: Renamed from Source/WTF/wtf/ArrayBuffer.cpp.
1680         (JSC::ArrayBuffer::transfer):
1681         (JSC::ArrayBuffer::addView):
1682         (JSC::ArrayBuffer::removeView):
1683         * runtime/ArrayBuffer.h: Renamed from Source/WTF/wtf/ArrayBuffer.h.
1684         (JSC::ArrayBufferContents::ArrayBufferContents):
1685         (JSC::ArrayBufferContents::data):
1686         (JSC::ArrayBufferContents::sizeInBytes):
1687         (JSC::ArrayBufferContents::transfer):
1688         (JSC::ArrayBufferContents::copyTo):
1689         (JSC::ArrayBuffer::isNeutered):
1690         (JSC::ArrayBuffer::~ArrayBuffer):
1691         (JSC::ArrayBuffer::clampValue):
1692         (JSC::ArrayBuffer::create):
1693         (JSC::ArrayBuffer::createUninitialized):
1694         (JSC::ArrayBuffer::ArrayBuffer):
1695         (JSC::ArrayBuffer::data):
1696         (JSC::ArrayBuffer::byteLength):
1697         (JSC::ArrayBuffer::slice):
1698         (JSC::ArrayBuffer::sliceImpl):
1699         (JSC::ArrayBuffer::clampIndex):
1700         (JSC::ArrayBufferContents::tryAllocate):
1701         (JSC::ArrayBufferContents::~ArrayBufferContents):
1702         * runtime/ArrayBufferView.cpp: Renamed from Source/WTF/wtf/ArrayBufferView.cpp.
1703         (JSC::ArrayBufferView::ArrayBufferView):
1704         (JSC::ArrayBufferView::~ArrayBufferView):
1705         (JSC::ArrayBufferView::neuter):
1706         * runtime/ArrayBufferView.h: Renamed from Source/WTF/wtf/ArrayBufferView.h.
1707         (JSC::ArrayBufferView::buffer):
1708         (JSC::ArrayBufferView::baseAddress):
1709         (JSC::ArrayBufferView::byteOffset):
1710         (JSC::ArrayBufferView::setNeuterable):
1711         (JSC::ArrayBufferView::isNeuterable):
1712         (JSC::ArrayBufferView::verifySubRange):
1713         (JSC::ArrayBufferView::clampOffsetAndNumElements):
1714         (JSC::ArrayBufferView::setImpl):
1715         (JSC::ArrayBufferView::setRangeImpl):
1716         (JSC::ArrayBufferView::zeroRangeImpl):
1717         (JSC::ArrayBufferView::calculateOffsetAndLength):
1718         * runtime/Float32Array.h: Renamed from Source/WTF/wtf/Float32Array.h.
1719         (JSC::Float32Array::set):
1720         (JSC::Float32Array::getType):
1721         (JSC::Float32Array::create):
1722         (JSC::Float32Array::createUninitialized):
1723         (JSC::Float32Array::Float32Array):
1724         (JSC::Float32Array::subarray):
1725         * runtime/Float64Array.h: Renamed from Source/WTF/wtf/Float64Array.h.
1726         (JSC::Float64Array::set):
1727         (JSC::Float64Array::getType):
1728         (JSC::Float64Array::create):
1729         (JSC::Float64Array::createUninitialized):
1730         (JSC::Float64Array::Float64Array):
1731         (JSC::Float64Array::subarray):
1732         * runtime/Int16Array.h: Renamed from Source/WTF/wtf/Int16Array.h.
1733         (JSC::Int16Array::getType):
1734         (JSC::Int16Array::create):
1735         (JSC::Int16Array::createUninitialized):
1736         (JSC::Int16Array::Int16Array):
1737         (JSC::Int16Array::subarray):
1738         * runtime/Int32Array.h: Renamed from Source/WTF/wtf/Int32Array.h.
1739         (JSC::Int32Array::getType):
1740         (JSC::Int32Array::create):
1741         (JSC::Int32Array::createUninitialized):
1742         (JSC::Int32Array::Int32Array):
1743         (JSC::Int32Array::subarray):
1744         * runtime/Int8Array.h: Renamed from Source/WTF/wtf/Int8Array.h.
1745         (JSC::Int8Array::getType):
1746         (JSC::Int8Array::create):
1747         (JSC::Int8Array::createUninitialized):
1748         (JSC::Int8Array::Int8Array):
1749         (JSC::Int8Array::subarray):
1750         * runtime/IntegralTypedArrayBase.h: Renamed from Source/WTF/wtf/IntegralTypedArrayBase.h.
1751         (JSC::IntegralTypedArrayBase::set):
1752         (JSC::IntegralTypedArrayBase::IntegralTypedArrayBase):
1753         * runtime/TypedArrayBase.h: Renamed from Source/WTF/wtf/TypedArrayBase.h.
1754         (JSC::TypedArrayBase::data):
1755         (JSC::TypedArrayBase::set):
1756         (JSC::TypedArrayBase::setRange):
1757         (JSC::TypedArrayBase::zeroRange):
1758         (JSC::TypedArrayBase::length):
1759         (JSC::TypedArrayBase::byteLength):
1760         (JSC::TypedArrayBase::item):
1761         (JSC::TypedArrayBase::checkInboundData):
1762         (JSC::TypedArrayBase::TypedArrayBase):
1763         (JSC::TypedArrayBase::create):
1764         (JSC::TypedArrayBase::createUninitialized):
1765         (JSC::TypedArrayBase::subarrayImpl):
1766         (JSC::TypedArrayBase::neuter):
1767         * runtime/Uint16Array.h: Renamed from Source/WTF/wtf/Uint16Array.h.
1768         (JSC::Uint16Array::getType):
1769         (JSC::Uint16Array::create):
1770         (JSC::Uint16Array::createUninitialized):
1771         (JSC::Uint16Array::Uint16Array):
1772         (JSC::Uint16Array::subarray):
1773         * runtime/Uint32Array.h: Renamed from Source/WTF/wtf/Uint32Array.h.
1774         (JSC::Uint32Array::getType):
1775         (JSC::Uint32Array::create):
1776         (JSC::Uint32Array::createUninitialized):
1777         (JSC::Uint32Array::Uint32Array):
1778         (JSC::Uint32Array::subarray):
1779         * runtime/Uint8Array.h: Renamed from Source/WTF/wtf/Uint8Array.h.
1780         (JSC::Uint8Array::getType):
1781         (JSC::Uint8Array::create):
1782         (JSC::Uint8Array::createUninitialized):
1783         (JSC::Uint8Array::Uint8Array):
1784         (JSC::Uint8Array::subarray):
1785         * runtime/Uint8ClampedArray.h: Renamed from Source/WTF/wtf/Uint8ClampedArray.h.
1786         (JSC::Uint8ClampedArray::getType):
1787         (JSC::Uint8ClampedArray::create):
1788         (JSC::Uint8ClampedArray::createUninitialized):
1789         (JSC::Uint8ClampedArray::zeroFill):
1790         (JSC::Uint8ClampedArray::set):
1791         (JSC::Uint8ClampedArray::Uint8ClampedArray):
1792         (JSC::Uint8ClampedArray::subarray):
1793         * runtime/VM.h:
1794
1795 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
1796
1797         Copied space should be able to handle more than one copied backing store per JSCell
1798         https://bugs.webkit.org/show_bug.cgi?id=119471
1799
1800         Reviewed by Mark Hahnenberg.
1801         
1802         This allows a cell to call copyLater() multiple times for multiple different
1803         backing stores, and then have copyBackingStore() called exactly once for each
1804         of those. A token tells it which backing store to copy. All backing stores
1805         must be named using the CopyToken, an enumeration which currently cannot
1806         exceed eight entries.
1807         
1808         When copyBackingStore() is called, it's up to the callee to (a) use the token
1809         to decide what to copy and (b) call its base class's copyBackingStore() in
1810         case the base class had something that needed copying. The only exception is
1811         that JSCell never asks anything to be copied, and so if your base is JSCell
1812         then you don't have to do anything.
1813
1814         * GNUmakefile.list.am:
1815         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1816         * JavaScriptCore.xcodeproj/project.pbxproj:
1817         * heap/CopiedBlock.h:
1818         * heap/CopiedBlockInlines.h:
1819         (JSC::CopiedBlock::reportLiveBytes):
1820         * heap/CopyToken.h: Added.
1821         * heap/CopyVisitor.cpp:
1822         (JSC::CopyVisitor::copyFromShared):
1823         * heap/CopyVisitor.h:
1824         * heap/CopyVisitorInlines.h:
1825         (JSC::CopyVisitor::visitItem):
1826         * heap/CopyWorkList.h:
1827         (JSC::CopyWorklistItem::CopyWorklistItem):
1828         (JSC::CopyWorklistItem::cell):
1829         (JSC::CopyWorklistItem::token):
1830         (JSC::CopyWorkListSegment::get):
1831         (JSC::CopyWorkListSegment::append):
1832         (JSC::CopyWorkListSegment::data):
1833         (JSC::CopyWorkListIterator::get):
1834         (JSC::CopyWorkListIterator::operator*):
1835         (JSC::CopyWorkListIterator::operator->):
1836         (JSC::CopyWorkList::append):
1837         * heap/SlotVisitor.h:
1838         * heap/SlotVisitorInlines.h:
1839         (JSC::SlotVisitor::copyLater):
1840         * runtime/ClassInfo.h:
1841         * runtime/JSCell.cpp:
1842         (JSC::JSCell::copyBackingStore):
1843         * runtime/JSCell.h:
1844         * runtime/JSObject.cpp:
1845         (JSC::JSObject::visitButterfly):
1846         (JSC::JSObject::copyBackingStore):
1847         * runtime/JSObject.h:
1848
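The copyLater()/copyBackingStore() contract described in the entry above, modelled as an added standalone example that is not JavaScriptCore's own code; Cell, Object, TypedArrayObject, CopyVisitor, allocateAndCopy and the two token names are hypothetical stand-ins for the real types:

```cpp
// Added example, not JavaScriptCore code: a standalone model of the copyLater()/
// copyBackingStore() contract described in the entry above; all names are hypothetical.
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <vector>
// Each backing store a cell may ask to have copied is named by a token (the entry
// limits the enumeration to eight entries).
enum CopyToken : std::uint8_t { ButterflyCopyToken, TypedArrayVectorCopyToken };
struct Cell;
// Collector side: copyLater() records a (cell, token) work item and copyAll() then
// calls copyBackingStore() exactly once per recorded item.
class CopyVisitor {
public:
    void copyLater(Cell* cell, CopyToken token) { m_workList.push_back({cell, token}); }
    // Stand-in for allocation in copied space: fresh storage holding the old bytes;
    // the evacuated old storage is released when the cycle ends.
    void* allocateAndCopy(void* oldStorage, std::size_t bytes) {
        void* newStorage = std::malloc(bytes);
        std::memcpy(newStorage, oldStorage, bytes);
        m_evacuated.push_back(oldStorage);
        ++m_copies;
        return newStorage;
    }
    void copyAll();
    std::size_t copiesPerformed() const { return m_copies; }
private:
    struct WorkItem { Cell* cell; CopyToken token; };
    std::vector<WorkItem> m_workList;
    std::vector<void*> m_evacuated;
    std::size_t m_copies = 0;
};

// The base cell never registers a backing store, so its copyBackingStore() is a
// no-op and a class deriving directly from it need not chain to it.
struct Cell {
    virtual ~Cell() {}
    virtual void visitChildren(CopyVisitor&) {}
    virtual void copyBackingStore(CopyVisitor&, CopyToken) {}
};

void CopyVisitor::copyAll() {
    for (const WorkItem& item : m_workList) item.cell->copyBackingStore(*this, item.token);
    for (void* storage : m_evacuated) std::free(storage);
    m_workList.clear(); m_evacuated.clear();
}

// An object with one copied backing store (its "butterfly").
struct Object : Cell {
    std::uint32_t* butterfly;
    std::size_t butterflyLength;
    explicit Object(std::size_t length) : butterflyLength(length) {
        butterfly = static_cast<std::uint32_t*>(std::malloc(length * sizeof(std::uint32_t)));
        for (std::size_t i = 0; i < length; ++i) butterfly[i] = static_cast<std::uint32_t>(i);
    }
    ~Object() override { std::free(butterfly); }
    void visitChildren(CopyVisitor& visitor) override { visitor.copyLater(this, ButterflyCopyToken); }
    // (a) use the token to decide what to copy; (b) otherwise chain to the base class.
    void copyBackingStore(CopyVisitor& visitor, CopyToken token) override {
        if (token != ButterflyCopyToken) return Cell::copyBackingStore(visitor, token);
        butterfly = static_cast<std::uint32_t*>(visitor.allocateAndCopy(butterfly, butterflyLength * sizeof(std::uint32_t)));
    }
};

// A subclass with a second backing store, registered under its own token.
struct TypedArrayObject : Object {
    double* vector;
    std::size_t vectorLength;
    TypedArrayObject(std::size_t butterflyLength, std::size_t length) : Object(butterflyLength), vectorLength(length) {
        vector = static_cast<double*>(std::malloc(length * sizeof(double)));
        for (std::size_t i = 0; i < length; ++i) vector[i] = 0.5 * static_cast<double>(i);
    }
    ~TypedArrayObject() override { std::free(vector); }
    void visitChildren(CopyVisitor& visitor) override {
        Object::visitChildren(visitor);                     // the butterfly ...
        visitor.copyLater(this, TypedArrayVectorCopyToken); // ... plus our own vector
    }
    void copyBackingStore(CopyVisitor& visitor, CopyToken token) override {
        if (token != TypedArrayVectorCopyToken) return Object::copyBackingStore(visitor, token); // base owns the butterfly token
        vector = static_cast<double*>(visitor.allocateAndCopy(vector, vectorLength * sizeof(double)));
    }
};

// One marking + copying cycle over a TypedArrayObject, reporting what was observed.
struct CopyCycleResult { std::size_t copiesPerformed; bool butterflyMoved; bool vectorMoved; bool dataPreserved; };
CopyCycleResult runCopyCycle() {
    TypedArrayObject cell(4, 3);
    std::uintptr_t oldButterfly = reinterpret_cast<std::uintptr_t>(cell.butterfly);
    std::uintptr_t oldVector = reinterpret_cast<std::uintptr_t>(cell.vector);
    CopyVisitor visitor;
    cell.visitChildren(visitor); // marking: registers two (cell, token) items
    visitor.copyAll();           // copying: copyBackingStore() runs once per item
    bool preserved = true;
    for (std::size_t i = 0; i < 4; ++i) preserved = preserved && cell.butterfly[i] == static_cast<std::uint32_t>(i);
    for (std::size_t i = 0; i < 3; ++i) preserved = preserved && cell.vector[i] == 0.5 * static_cast<double>(i);
    return { visitor.copiesPerformed(),
             reinterpret_cast<std::uintptr_t>(cell.butterfly) != oldButterfly,
             reinterpret_cast<std::uintptr_t>(cell.vector) != oldVector, preserved };
}
```
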
1849 2013-08-05  Zan Dobersek  <zdobersek@igalia.com>
1850
1851         [Automake] Define ENABLE_JIT through the Autoconf header
1852         https://bugs.webkit.org/show_bug.cgi?id=119445
1853
1854         Reviewed by Martin Robinson.
1855
1856         * GNUmakefile.am: Remove JSC_CPPFLAGS from the cpp flags for the JSC library.
1857
1858 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
1859
1860         hasIndexingHeader() ought really to be a property of an object and its structure, not just its structure
1861         https://bugs.webkit.org/show_bug.cgi?id=119470
1862
1863         Reviewed by Oliver Hunt.
1864         
1865         Structure can still tell you if the object "could" (in the conservative sense)
1866         have an indexing header; that's used by the compiler.
1867         
1868         Most of the time if you want to know if there's an indexing header, you ask the
1869         JSObject.
1870         
1871         In some cases, the JSObject wants to know if it would have an indexing header if
1872         it had a different structure; then it uses Structure::hasIndexingHeader(JSCell*).
1873
1874         * dfg/DFGRepatch.cpp:
1875         (JSC::DFG::tryCachePutByID):
1876         (JSC::DFG::tryBuildPutByIdList):
1877         * dfg/DFGSpeculativeJIT.cpp:
1878         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1879         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1880         * runtime/ButterflyInlines.h:
1881         (JSC::Butterfly::create):
1882         (JSC::Butterfly::growPropertyStorage):
1883         (JSC::Butterfly::growArrayRight):
1884         (JSC::Butterfly::resizeArray):
1885         * runtime/JSObject.cpp:
1886         (JSC::JSObject::copyButterfly):
1887         (JSC::JSObject::visitButterfly):
1888         * runtime/JSObject.h:
1889         (JSC::JSObject::hasIndexingHeader):
1890         (JSC::JSObject::setButterfly):
1891         * runtime/Structure.h:
1892         (JSC::Structure::couldHaveIndexingHeader):
1893         (JSC::Structure::hasIndexingHeader):
1894
1895 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
1896
1897         Give the error object's stack property accessor attributes.
1898         https://bugs.webkit.org/show_bug.cgi?id=119404
1899
1900         Reviewed by Geoffrey Garen.
1901         
1902         Changed the attributes of error object's stack property to allow developers to write
1903         and delete the stack property. This will match the functionality of Chrome. Firefox
1904         allows developers to write the error's stack, but not delete it.
1905
1906         * interpreter/Interpreter.cpp:
1907         (JSC::Interpreter::addStackTraceIfNecessary):
1908         * runtime/ErrorInstance.cpp:
1909         (JSC::ErrorInstance::finishCreation):
1910
1911 2013-08-02  Oliver Hunt  <oliver@apple.com>
1912
1913         Incorrect type speculation reported by ToPrimitive
1914         https://bugs.webkit.org/show_bug.cgi?id=119458
1915
1916         Reviewed by Mark Hahnenberg.
1917
1918         Make sure that we report the correct type possibilities for the output
1919         from ToPrimitive
1920
1921         * dfg/DFGAbstractInterpreterInlines.h:
1922         (JSC::DFG::::executeEffects):
1923
1924 2013-08-02  Gavin Barraclough  <barraclough@apple.com>
1925
1926         Remove no-arguments constructor to PropertySlot
1927         https://bugs.webkit.org/show_bug.cgi?id=119460
1928
1929         Reviewed by Geoff Garen.
1930
1931         This constructor was unsafe if getValue is subsequently called,
1932         and the property is a getter. Simplest to just remove it.
1933
1934         * runtime/Arguments.cpp:
1935         (JSC::Arguments::defineOwnProperty):
1936         * runtime/JSActivation.cpp:
1937         (JSC::JSActivation::getOwnPropertyDescriptor):
1938         * runtime/JSFunction.cpp:
1939         (JSC::JSFunction::getOwnPropertyDescriptor):
1940         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1941         (JSC::JSFunction::put):
1942         (JSC::JSFunction::defineOwnProperty):
1943         * runtime/JSGlobalObject.cpp:
1944         (JSC::JSGlobalObject::defineOwnProperty):
1945         * runtime/JSGlobalObject.h:
1946         (JSC::JSGlobalObject::hasOwnPropertyForWrite):
1947         * runtime/JSNameScope.cpp:
1948         (JSC::JSNameScope::put):
1949         * runtime/JSONObject.cpp:
1950         (JSC::Stringifier::Holder::appendNextProperty):
1951         (JSC::Walker::walk):
1952         * runtime/JSObject.cpp:
1953         (JSC::JSObject::hasProperty):
1954         (JSC::JSObject::hasOwnProperty):
1955         (JSC::JSObject::reifyStaticFunctionsForDelete):
1956         * runtime/Lookup.h:
1957         (JSC::getStaticPropertyDescriptor):
1958         (JSC::getStaticFunctionDescriptor):
1959         (JSC::getStaticValueDescriptor):
1960         * runtime/ObjectConstructor.cpp:
1961         (JSC::defineProperties):
1962         * runtime/PropertySlot.h:
1963
1964 2013-08-02  Mark Hahnenberg  <mhahnenberg@apple.com>
1965
1966         DFG validation can cause assertion failures due to dumping
1967         https://bugs.webkit.org/show_bug.cgi?id=119456
1968
1969         Reviewed by Geoffrey Garen.
1970
1971         * bytecode/CodeBlock.cpp:
1972         (JSC::CodeBlock::hasHash):
1973         (JSC::CodeBlock::isSafeToComputeHash):
1974         (JSC::CodeBlock::hash):
1975         (JSC::CodeBlock::dumpAssumingJITType):
1976         * bytecode/CodeBlock.h:
1977
1978 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
1979
1980         Have vm's exceptionStack match java's vm's exceptionStack.
1981         https://bugs.webkit.org/show_bug.cgi?id=119362
1982
1983         Reviewed by Geoffrey Garen.
1984         
1985         The error object's stack is only updated if it does not exist yet. This matches 
1986         the functionality of other browsers, and Java VMs. 
1987
1988         * interpreter/Interpreter.cpp:
1989         (JSC::Interpreter::addStackTraceIfNecessary):
1990         (JSC::Interpreter::throwException):
1991         * runtime/VM.cpp:
1992         (JSC::VM::clearExceptionStack):
1993         * runtime/VM.h:
1994         (JSC::VM::lastExceptionStack):
1995
1996 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
1997
1998         REGRESSION(FTL): Fix mips implementation of ctiVMThrowTrampolineSlowpath.
1999         https://bugs.webkit.org/show_bug.cgi?id=119447
2000
2001         Reviewed by Geoffrey Garen.
2002
2003         Fix .cpload, update call frame and do not restore registers from JIT stack frame in
2004         mips implementation of ctiVMThrowTrampolineSlowpath. This change is similar to
2005         r153583 (sh4) and r153648 (ARM).
2006
2007         * jit/JITStubsMIPS.h:
2008
2009 2013-08-01  Filip Pizlo  <fpizlo@apple.com>
2010
2011         hasIndexingHeader should be a property of the Structure, not just the IndexingType
2012         https://bugs.webkit.org/show_bug.cgi?id=119422
2013
2014         Reviewed by Oliver Hunt.
2015         
2016         This simplifies some code and also allows Structure to claim that an object
2017         has an indexing header even if it doesn't have indexed properties.
2018         
2019         I also changed some calls to use hasIndexedProperties() since in some cases,
2020         that's what we actually meant. Currently the two are synonyms.
2021
2022         * dfg/DFGRepatch.cpp:
2023         (JSC::DFG::tryCachePutByID):
2024         (JSC::DFG::tryBuildPutByIdList):
2025         * dfg/DFGSpeculativeJIT.cpp:
2026         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2027         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2028         * runtime/ButterflyInlines.h:
2029         (JSC::Butterfly::create):
2030         (JSC::Butterfly::growPropertyStorage):
2031         (JSC::Butterfly::growArrayRight):
2032         (JSC::Butterfly::resizeArray):
2033         * runtime/IndexingType.h:
2034         * runtime/JSObject.cpp:
2035         (JSC::JSObject::copyButterfly):
2036         (JSC::JSObject::visitButterfly):
2037         (JSC::JSObject::setPrototype):
2038         * runtime/JSObject.h:
2039         (JSC::JSObject::setButterfly):
2040         * runtime/JSPropertyNameIterator.cpp:
2041         (JSC::JSPropertyNameIterator::create):
2042         * runtime/Structure.h:
2043         (JSC::Structure::hasIndexingHeader):
2044
2045 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
2046
2047         REGRESSION: ARM still crashes after change set r153612.
2048         https://bugs.webkit.org/show_bug.cgi?id=119433
2049
2050         Reviewed by Michael Saboff.
2051
2052         Update call frame and do not restore registers from JIT stack frame in ARM and ARMv7
2053         implementations of ctiVMThrowTrampolineSlowpath. This change is similar to r153583
2054         for sh4 architecture.
2055
2056         * jit/JITStubsARM.h:
2057         * jit/JITStubsARMv7.h:
2058
2059 2013-08-02  Michael Saboff  <msaboff@apple.com>
2060
2061         REGRESSION(r153612): It made jsc and layout tests crash
2062         https://bugs.webkit.org/show_bug.cgi?id=119440
2063
2064         Reviewed by Csaba Osztrogonác.
2065
2066         Made the changes of changeset r153612 only apply to 32 bit builds.
2067
2068         * jit/JITExceptions.cpp:
2069         * jit/JITExceptions.h:
2070         * jit/JITStubs.cpp:
2071         (JSC::cti_vm_throw_slowpath):
2072         * jit/JITStubs.h:
2073
2074 2013-08-02  Patrick Gansterer  <paroga@webkit.org>
2075
2076         Add JSCTestRunnerUtils to the list of forwarding headers to fix build.
2077
2078         * CMakeLists.txt:
2079
2080 2013-08-01  Ruth Fong  <ruth_fong@apple.com>
2081
2082         [Forms: color] <input type='color'> popover color well implementation
2083         <rdar://problem/14411008> and https://bugs.webkit.org/show_bug.cgi?id=119356
2084
2085         Reviewed by Benjamin Poulain.
2086
2087         * Configurations/FeatureDefines.xcconfig: Added and enabled INPUT_TYPE_COLOR_POPOVER.
2088
2089 2013-08-01  Oliver Hunt  <oliver@apple.com>
2090
2091         DFG is not enforcing correct ordering of ToString conversion in MakeRope
2092         https://bugs.webkit.org/show_bug.cgi?id=119408
2093
2094         Reviewed by Filip Pizlo.
2095
2096         Construct ToString and Phantom nodes in advance of MakeRope
2097         nodes to ensure that ordering is ensured, and correct values
2098         will be reified on OSR exit.
2099
2100         * dfg/DFGByteCodeParser.cpp:
2101         (JSC::DFG::ByteCodeParser::parseBlock):
2102
2103 2013-08-01  Michael Saboff  <msaboff@apple.com>
2104
2105         REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
2106         https://bugs.webkit.org/show_bug.cgi?id=119140
2107
2108         Reviewed by Filip Pizlo.
2109
2110         Ensure that ExceptionHandler is returned by functions in two registers by encoding the value as a 64 bit int.
2111
2112         * jit/JITExceptions.cpp:
2113         (JSC::encode):
2114         * jit/JITExceptions.h:
2115         * jit/JITStubs.cpp:
2116         (JSC::cti_vm_throw_slowpath):
2117         * jit/JITStubs.h:
2118
2119 2013-08-01  Julien Brianceau  <jbrianceau@nds.com>
2120
2121         REGRESSION(FTL): Fix sh4 implementation of ctiVMThrowTrampolineSlowpath.
2122         https://bugs.webkit.org/show_bug.cgi?id=119391
2123
2124         Reviewed by Csaba Osztrogonác.
2125
2126         * jit/JITStubsSH4.h: Fix ctiVMThrowTrampolineSlowpath implementation:
2127             - Call frame is in r14 register.
2128             - Do not restore registers from JIT stack frame here.
2129
2130 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
2131
2132         More cleanup in PropertySlot
2133         https://bugs.webkit.org/show_bug.cgi?id=119359
2134
2135         Reviewed by Geoff Garen.
2136
2137         m_slotBase is overloaded to store the (receiver) thisValue and the object that contains the property.
2138         This is confusing, and means that slotBase cannot be typed correctly (can only be a JSObject).
2139
2140         * dfg/DFGRepatch.cpp:
2141         (JSC::DFG::tryCacheGetByID):
2142         (JSC::DFG::tryBuildGetByIDList):
2143             - No need to ASSERT slotBase is an object.
2144         * jit/JITStubs.cpp:
2145         (JSC::tryCacheGetByID):
2146         (JSC::DEFINE_STUB_FUNCTION):
2147             - No need to ASSERT slotBase is an object.
2148         * runtime/JSObject.cpp:
2149         (JSC::JSObject::getOwnPropertySlotByIndex):
2150         (JSC::JSObject::fillGetterPropertySlot):
2151             - Pass an object through to setGetterSlot.
2152         * runtime/JSObject.h:
2153         (JSC::PropertySlot::getValue):
2154             - Moved from PropertySlot (need to know about JSObject).
2155         * runtime/PropertySlot.cpp:
2156         (JSC::PropertySlot::functionGetter):
2157             - update per member name changes
2158         * runtime/PropertySlot.h:
2159         (JSC::PropertySlot::PropertySlot):
2160             - Argument to constructor set to 'thisValue'.
2161         (JSC::PropertySlot::slotBase):
2162             - This returns a JSObject*.
2163         (JSC::PropertySlot::setValue):
2164         (JSC::PropertySlot::setCustom):
2165         (JSC::PropertySlot::setCacheableCustom):
2166         (JSC::PropertySlot::setCustomIndex):
2167         (JSC::PropertySlot::setGetterSlot):
2168         (JSC::PropertySlot::setCacheableGetterSlot):
2169             - slotBase is a JSObject*, make setGetterSlot set slotBase for consistency.
2170         * runtime/SparseArrayValueMap.cpp:
2171         (JSC::SparseArrayEntry::get):
2172             - Pass an object through to setGetterSlot.
2173         * runtime/SparseArrayValueMap.h:
2174             - Pass an object through to setGetterSlot.
2175
2176 2013-07-31  Yi Shen  <max.hong.shen@gmail.com>
2177
2178         Reduce JSC API static value setter/getter overhead.
2179         https://bugs.webkit.org/show_bug.cgi?id=119277
2180
2181         Reviewed by Geoffrey Garen.
2182
2183         Add property name to the static value entry, so that OpaqueJSString::create() doesn't
2184         need to be called every time the static value is set or read.
2185
2186         * API/JSCallbackObjectFunctions.h:
2187         (JSC::::put):
2188         (JSC::::putByIndex):
2189         (JSC::::getStaticValue):
2190         * API/JSClassRef.cpp:
2191         (OpaqueJSClassContextData::OpaqueJSClassContextData):
2192         * API/JSClassRef.h:
2193         (StaticValueEntry::StaticValueEntry):
2194
2195 2013-07-31  Kwang Yul Seo  <skyul@company100.net>
2196
2197         Use emptyString instead of String("")
2198         https://bugs.webkit.org/show_bug.cgi?id=119335
2199
2200         Reviewed by Darin Adler.
2201
2202         Use emptyString() instead of String("") because it is better style and
2203         faster. This is a followup to r116908, removing all occurrences of
2204         String("") from WebKit.
2205
2206         * runtime/RegExpConstructor.cpp:
2207         (JSC::constructRegExp):
2208         * runtime/RegExpPrototype.cpp:
2209         (JSC::regExpProtoFuncCompile):
2210         * runtime/StringPrototype.cpp:
2211         (JSC::stringProtoFuncMatch):
2212         (JSC::stringProtoFuncSearch):
2213
2214 2013-07-31  Ruth Fong  <ruth_fong@apple.com>
2215
2216         <input type=color> Mac UI behaviour
2217         <rdar://problem/10269922> and https://bugs.webkit.org/show_bug.cgi?id=61276
2218
2219         Reviewed by Brady Eidson.
2220
2221         * Configurations/FeatureDefines.xcconfig: Enabled INPUT_TYPE_COLOR.
2222
2223 2013-07-31  Mark Hahnenberg  <mhahnenberg@apple.com>
2224
2225         DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT
2226         https://bugs.webkit.org/show_bug.cgi?id=119349
2227
2228         Reviewed by Geoffrey Garen.
2229
2230         Prior to this patch, the baseline JIT was responsible for resizing the ctiOffsets Vector for 
2231         SimpleJumpTables to be equal to the size of the branchOffsets Vector. The DFG implicitly relied
2232         on code it compiled with any switch statements to have been run in the baseline JIT first. 
2233         However, if the DFG chooses to inline a function that has never been compiled by the baseline 
2234         JIT then this resizing never happens and we crash at link time in the DFG.
2235
2236         We can fix this by also doing the resize in the DFG to catch this case.
2237
2238         * dfg/DFGJITCompiler.cpp:
2239         (JSC::DFG::JITCompiler::link):
2240
2241 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
2242
2243         Speculative Windows build fix.
2244
2245         Reviewed by NOBODY
2246
2247         * runtime/JSString.cpp:
2248         (JSC::JSRopeString::getIndexSlowCase):
2249         * runtime/JSString.h:
2250
2251 2013-07-30  Gavin Barraclough  <barraclough@apple.com>
2252
2253         Some cleanup in JSValue::get
2254         https://bugs.webkit.org/show_bug.cgi?id=119343
2255
2256         Reviewed by Geoff Garen.
2257
2258         JSValue::get is implemented to:
2259             1) Check if the value is a cell – if not, synthesize a prototype to search,
2260             2) call getOwnPropertySlot on the cell,
2261             3) if this returns false, cast to JSObject to get the prototype, and walk the prototype chain.
2262         By all rights this should crash when passed a string and accessing a property that does not exist, because
2263         the string is a cell, getOwnPropertySlot should return false, and the cast to JSObject should be unsafe.
2264         To work around this, JSString::getOwnPropertySlot actually implements 'get' functionality - searching the
2265         prototype chain, and faking out a return value of undefined if no property is found.
2266
2267         This is a huge hazard, since fixing JSString::getOwnPropertySlot or calling getOwnPropertySlot on cells
2268         from elsewhere would introduce bugs. Fortunately it is only ever called in this one place.
2269
2270         The fix here is to move getOwnPropertySlot onto JSObject and end this madness - cells don't have property
2271         slots anyway.
2272
2273         Interesting changes are in JSCJSValueInlines.h, JSString.cpp - the rest is pretty much all JSCell -> JSObject.
2274
2275 2013-07-31  Michael Saboff  <msaboff@apple.com>
2276
2277         [Win] JavaScript crash.
2278         https://bugs.webkit.org/show_bug.cgi?id=119339
2279
2280         Reviewed by Mark Hahnenberg.
2281
2282         * jit/JITStubsX86.h: Implement ctiVMThrowTrampoline and
2283         ctiVMThrowTrampolineSlowpath the same way as the gcc x86 version does.
2284
2285 2013-07-30  Mark Hahnenberg  <mhahnenberg@apple.com>
2286
2287         GetByVal on Arguments does the wrong size load when checking the Arguments object length
2288         https://bugs.webkit.org/show_bug.cgi?id=119281
2289
2290         Reviewed by Geoffrey Garen.
2291
2292         This leads to out of bounds accesses and subsequent crashes.
2293
2294         * dfg/DFGSpeculativeJIT.cpp:
2295         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
2296         * dfg/DFGSpeculativeJIT64.cpp:
2297         (JSC::DFG::SpeculativeJIT::compile):
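
        Added illustration (constructed for this page; it is not JavaScriptCore code and does not
        reproduce the DFG codegen behind this bug): why a length check that loads the wrong width
        can pass for out-of-range indices. The struct layout, field names and sample values below
        are assumptions chosen to make the effect visible. In the model a 32-bit length sits next
        to another non-zero 32-bit field, so a 64-bit load of the length pulls the neighbour into
        the comparison and the check accepts indices past the end of the backing store.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Constructed model of an arguments-like object. The real JSC layout differs;
// what matters for the demonstration is that a 32-bit length has a non-zero
// 32-bit neighbour.
struct ArgsLike {
    uint32_t length;        // number of arguments actually passed
    uint32_t flags;         // unrelated field stored right after length
    const int32_t* storage; // backing store, deliberately longer than length
};

static_assert(offsetof(ArgsLike, flags) == sizeof(uint32_t),
              "length and flags must be adjacent for the demonstration");

// Buggy bounds check: loads 64 bits starting at &length. In either byte order
// the neighbouring field lands in the loaded value, so `index` is compared
// against a number far larger than the real length.
bool buggyInBounds(const ArgsLike& a, uint64_t index) {
    uint64_t wide = 0;
    std::memcpy(&wide, &a.length, sizeof wide);
    return index < wide;
}

// Fixed bounds check: compare against the 32-bit length as declared.
bool fixedInBounds(const ArgsLike& a, uint64_t index) {
    return index < a.length;
}

struct ReadResult {
    bool ok;       // false when the check rejected the index
    int32_t value; // storage[index] when ok
};

// Reads storage[index] if the supplied check allows it. With the buggy check
// this exposes data past the logical length (kept inside the C++ array here
// so the demonstration itself stays well defined).
ReadResult readArg(const ArgsLike& a, uint64_t index,
                   bool (*inBounds)(const ArgsLike&, uint64_t)) {
    if (!inBounds(a, index))
        return { false, 0 };
    return { true, a.storage[index] };
}

// Constructed sample: two real arguments followed by "adjacent" data that a
// correct bounds check must never hand back.
static const int32_t kSampleStorage[] = { 10, 20, 0x41414141, 0x42424242 };
static const ArgsLike kSampleArgs = { 2, 1, kSampleStorage };

int main() {
    for (uint64_t i = 0; i < 4; ++i) {
        ReadResult buggy = readArg(kSampleArgs, i, buggyInBounds);
        ReadResult fixed = readArg(kSampleArgs, i, fixedInBounds);
        std::printf("index %llu: buggy=%s fixed=%s\n", (unsigned long long)i,
                    buggy.ok ? "read" : "rejected", fixed.ok ? "read" : "rejected");
    }
    return 0;
}
```

        The model reads only within kSampleStorage, so it shows the information leak without
        itself invoking undefined behaviour; in a JIT, the same mismatch lets the generated load
        run past the real allocation.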
2298
2299 2013-07-30  Oliver Hunt  <oliver@apple.com>
2300
2301         Add an assertion to SpeculateCellOperand
2302         https://bugs.webkit.org/show_bug.cgi?id=119276
2303
2304         Reviewed by Michael Saboff.
2305
2306         More assertions are better
2307
2308         * dfg/DFGSpeculativeJIT64.cpp:
2309         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2310         (JSC::DFG::SpeculativeJIT::compile):
2311
2312 2013-07-30  Mark Lam  <mark.lam@apple.com>
2313
2314         Fix problems with divot and lineStart mismatches.
2315         https://bugs.webkit.org/show_bug.cgi?id=118662
2316
2317         Reviewed by Oliver Hunt.
2318
2319         r152494 added the recording of lineStart values for divot positions.
2320         This is needed for the computation of column numbers. Similarly, it also
2321         added the recording of line numbers for the divot positions. One problem
2322         with the approach taken was that the line and lineStart values were
2323         recorded independently, and hence were not always guaranteed to be
2324         sampled at the same place that the divot position is recorded. This
2325         resulted in potential mismatches that cause some assertions to fail.
2326
2327         The solution is to introduce a JSTextPosition abstraction that records
2328         the divot position, line, and lineStart as a single quantity. Wherever
2329         we record the divot position as an unsigned int previously, we now record
2330         its JSTextPosition which captures all 3 values in one go. This ensures
2331         that the captured line and lineStart will always match the captured divot
2332         position.
2333
2334         * bytecompiler/BytecodeGenerator.cpp:
2335         (JSC::BytecodeGenerator::emitCall):
2336         (JSC::BytecodeGenerator::emitCallEval):
2337         (JSC::BytecodeGenerator::emitCallVarargs):
2338         (JSC::BytecodeGenerator::emitConstruct):
2339         (JSC::BytecodeGenerator::emitDebugHook):
2340         - Use JSTextPosition instead of passing line and lineStart explicitly.
2341         * bytecompiler/BytecodeGenerator.h:
2342         (JSC::BytecodeGenerator::emitExpressionInfo):
2343         - Use JSTextPosition instead of passing line and lineStart explicitly.
2344         * bytecompiler/NodesCodegen.cpp:
2345         (JSC::ThrowableExpressionData::emitThrowReferenceError):
2346         (JSC::ResolveNode::emitBytecode):
2347         (JSC::BracketAccessorNode::emitBytecode):
2348         (JSC::DotAccessorNode::emitBytecode):
2349         (JSC::NewExprNode::emitBytecode):
2350         (JSC::EvalFunctionCallNode::emitBytecode):
2351         (JSC::FunctionCallValueNode::emitBytecode):
2352         (JSC::FunctionCallResolveNode::emitBytecode):
2353         (JSC::FunctionCallBracketNode::emitBytecode):
2354         (JSC::FunctionCallDotNode::emitBytecode):
2355         (JSC::CallFunctionCallDotNode::emitBytecode):
2356         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2357         (JSC::PostfixNode::emitResolve):
2358         (JSC::PostfixNode::emitBracket):
2359         (JSC::PostfixNode::emitDot):
2360         (JSC::DeleteResolveNode::emitBytecode):
2361         (JSC::DeleteBracketNode::emitBytecode):
2362         (JSC::DeleteDotNode::emitBytecode):
2363         (JSC::PrefixNode::emitResolve):
2364         (JSC::PrefixNode::emitBracket):
2365         (JSC::PrefixNode::emitDot):
2366         (JSC::UnaryOpNode::emitBytecode):
2367         (JSC::BinaryOpNode::emitStrcat):
2368         (JSC::BinaryOpNode::emitBytecode):
2369         (JSC::ThrowableBinaryOpNode::emitBytecode):
2370         (JSC::InstanceOfNode::emitBytecode):
2371         (JSC::emitReadModifyAssignment):
2372         (JSC::ReadModifyResolveNode::emitBytecode):
2373         (JSC::AssignResolveNode::emitBytecode):
2374         (JSC::AssignDotNode::emitBytecode):
2375         (JSC::ReadModifyDotNode::emitBytecode):
2376         (JSC::AssignBracketNode::emitBytecode):
2377         (JSC::ReadModifyBracketNode::emitBytecode):
2378         (JSC::ForInNode::emitBytecode):
2379         (JSC::WithNode::emitBytecode):
2380         (JSC::ThrowNode::emitBytecode):
2381         - Use JSTextPosition instead of passing line and lineStart explicitly.
2382         * parser/ASTBuilder.h:
2383         - Replaced ASTBuilder::PositionInfo with JSTextPosition.
2384         (JSC::ASTBuilder::BinaryOpInfo::BinaryOpInfo):
2385         (JSC::ASTBuilder::AssignmentInfo::AssignmentInfo):
2386         (JSC::ASTBuilder::createResolve):
2387         (JSC::ASTBuilder::createBracketAccess):
2388         (JSC::ASTBuilder::createDotAccess):
2389         (JSC::ASTBuilder::createRegExp):
2390         (JSC::ASTBuilder::createNewExpr):
2391         (JSC::ASTBuilder::createAssignResolve):
2392         (JSC::ASTBuilder::createExprStatement):
2393         (JSC::ASTBuilder::createForInLoop):
2394         (JSC::ASTBuilder::createReturnStatement):
2395         (JSC::ASTBuilder::createBreakStatement):
2396         (JSC::ASTBuilder::createContinueStatement):
2397         (JSC::ASTBuilder::createLabelStatement):
2398         (JSC::ASTBuilder::createWithStatement):
2399         (JSC::ASTBuilder::createThrowStatement):
2400         (JSC::ASTBuilder::appendBinaryExpressionInfo):
2401         (JSC::ASTBuilder::appendUnaryToken):
2402         (JSC::ASTBuilder::unaryTokenStackLastStart):
2403         (JSC::ASTBuilder::assignmentStackAppend):
2404         (JSC::ASTBuilder::createAssignment):
2405         (JSC::ASTBuilder::setExceptionLocation):
2406         (JSC::ASTBuilder::makeDeleteNode):
2407         (JSC::ASTBuilder::makeFunctionCallNode):
2408         (JSC::ASTBuilder::makeBinaryNode):
2409         (JSC::ASTBuilder::makeAssignNode):
2410         (JSC::ASTBuilder::makePrefixNode):
2411         (JSC::ASTBuilder::makePostfixNode):
2412         - Use JSTextPosition instead of passing line and lineStart explicitly.
2413         * parser/Lexer.cpp:
2414         (JSC::::lex):
2415         - Added support for capturing the appropriate JSTextPositions instead
2416           of just the character offset.
2417         * parser/Lexer.h:
2418         (JSC::Lexer::currentPosition):
2419         (JSC::::lexExpectIdentifier):
2420         - Added support for capturing the appropriate JSTextPositions instead
2421           of just the character offset.
2422         * parser/NodeConstructors.h:
2423         (JSC::Node::Node):
2424         (JSC::ResolveNode::ResolveNode):
2425         (JSC::EvalFunctionCallNode::EvalFunctionCallNode):
2426         (JSC::FunctionCallValueNode::FunctionCallValueNode):
2427         (JSC::FunctionCallResolveNode::FunctionCallResolveNode):
2428         (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
2429         (JSC::FunctionCallDotNode::FunctionCallDotNode):
2430         (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
2431         (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
2432         (JSC::PostfixNode::PostfixNode):
2433         (JSC::DeleteResolveNode::DeleteResolveNode):
2434         (JSC::DeleteBracketNode::DeleteBracketNode):
2435         (JSC::DeleteDotNode::DeleteDotNode):
2436         (JSC::PrefixNode::PrefixNode):
2437         (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
2438         (JSC::ReadModifyBracketNode::ReadModifyBracketNode):
2439         (JSC::AssignBracketNode::AssignBracketNode):
2440         (JSC::AssignDotNode::AssignDotNode):
2441         (JSC::ReadModifyDotNode::ReadModifyDotNode):
2442         (JSC::AssignErrorNode::AssignErrorNode):
2443         (JSC::WithNode::WithNode):
2444         (JSC::ForInNode::ForInNode):
2445         - Use JSTextPosition instead of passing line and lineStart explicitly.
2446         * parser/Nodes.cpp:
2447         (JSC::StatementNode::setLoc):
2448         - Use JSTextPosition instead of passing line and lineStart explicitly.
2449         * parser/Nodes.h:
2450         (JSC::Node::lineNo):
2451         (JSC::Node::startOffset):
2452         (JSC::Node::lineStartOffset):
2453         (JSC::Node::position):
2454         (JSC::ThrowableExpressionData::ThrowableExpressionData):
2455         (JSC::ThrowableExpressionData::setExceptionSourceCode):
2456         (JSC::ThrowableExpressionData::divot):
2457         (JSC::ThrowableExpressionData::divotStart):
2458         (JSC::ThrowableExpressionData::divotEnd):
2459         (JSC::ThrowableSubExpressionData::ThrowableSubExpressionData):
2460         (JSC::ThrowableSubExpressionData::setSubexpressionInfo):
2461         (JSC::ThrowableSubExpressionData::subexpressionDivot):
2462         (JSC::ThrowableSubExpressionData::subexpressionStart):
2463         (JSC::ThrowableSubExpressionData::subexpressionEnd):
2464         (JSC::ThrowablePrefixedSubExpressionData::ThrowablePrefixedSubExpressionData):
2465         (JSC::ThrowablePrefixedSubExpressionData::setSubexpressionInfo):
2466         (JSC::ThrowablePrefixedSubExpressionData::subexpressionDivot):
2467         (JSC::ThrowablePrefixedSubExpressionData::subexpressionStart):
2468         (JSC::ThrowablePrefixedSubExpressionData::subexpressionEnd):
2469         - Use JSTextPosition instead of passing line and lineStart explicitly.
2470         * parser/Parser.cpp:
2471         (JSC::::Parser):
2472         (JSC::::parseInner):
2473         - Use JSTextPosition instead of passing line and lineStart explicitly.
2474         (JSC::::didFinishParsing):
2475         - Remove setting of m_lastLine value. We always pass in the value from
2476           m_lastLine anyway. So, this assignment is effectively a nop.
2477         (JSC::::parseVarDeclaration):
2478         (JSC::::parseVarDeclarationList):
2479         (JSC::::parseForStatement):
2480         (JSC::::parseBreakStatement):
2481         (JSC::::parseContinueStatement):
2482         (JSC::::parseReturnStatement):
2483         (JSC::::parseThrowStatement):
2484         (JSC::::parseWithStatement):
2485         (JSC::::parseTryStatement):
2486         (JSC::::parseBlockStatement):
2487         (JSC::::parseFunctionDeclaration):
2488         (JSC::LabelInfo::LabelInfo):
2489         (JSC::::parseExpressionOrLabelStatement):
2490         (JSC::::parseExpressionStatement):
2491         (JSC::::parseAssignmentExpression):
2492         (JSC::::parseBinaryExpression):
2493         (JSC::::parseProperty):
2494         (JSC::::parsePrimaryExpression):
2495         (JSC::::parseMemberExpression):
2496         (JSC::::parseUnaryExpression):
2497         - Use JSTextPosition instead of passing line and lineStart explicitly.
2498         * parser/Parser.h:
2499         (JSC::Parser::next):
2500         (JSC::Parser::nextExpectIdentifier):
2501         (JSC::Parser::getToken):
2502         (JSC::Parser::tokenStartPosition):
2503         (JSC::Parser::tokenEndPosition):
2504         (JSC::Parser::lastTokenEndPosition):
2505         (JSC::::parse):
2506         - Use JSTextPosition instead of passing line and lineStart explicitly.
2507         * parser/ParserTokens.h:
2508         (JSC::JSTextPosition::JSTextPosition):
2509         (JSC::JSTextPosition::operator+):
2510         (JSC::JSTextPosition::operator-):
2511         (JSC::JSTextPosition::operator int):
2512         - Added JSTextPosition.
2513         * parser/SyntaxChecker.h:
2514         (JSC::SyntaxChecker::makeFunctionCallNode):
2515         (JSC::SyntaxChecker::makeAssignNode):
2516         (JSC::SyntaxChecker::makePrefixNode):
2517         (JSC::SyntaxChecker::makePostfixNode):
2518         (JSC::SyntaxChecker::makeDeleteNode):
2519         (JSC::SyntaxChecker::createResolve):
2520         (JSC::SyntaxChecker::createBracketAccess):
2521         (JSC::SyntaxChecker::createDotAccess):
2522         (JSC::SyntaxChecker::createRegExp):
2523         (JSC::SyntaxChecker::createNewExpr):
2524         (JSC::SyntaxChecker::createAssignResolve):
2525         (JSC::SyntaxChecker::createForInLoop):
2526         (JSC::SyntaxChecker::createReturnStatement):
2527         (JSC::SyntaxChecker::createBreakStatement):
2528         (JSC::SyntaxChecker::createContinueStatement):
2529         (JSC::SyntaxChecker::createWithStatement):
2530         (JSC::SyntaxChecker::createLabelStatement):
2531         (JSC::SyntaxChecker::createThrowStatement):
2532         (JSC::SyntaxChecker::appendBinaryExpressionInfo):
2533         (JSC::SyntaxChecker::operatorStackPop):
2534         - Use JSTextPosition instead of passing line and lineStart explicitly.
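
        Added example (not the ChangeLog author's code and not JSC's JSTextPosition): a minimal
        position record plus a scanner that captures offset, line and lineStart in a single step,
        so the column is always derived from values sampled at the same point. The token rules,
        field names and the sample source are constructed for this illustration.

```cpp
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

// One record for the three values the entry says must be captured together.
struct TextPosition {
    int offset;    // character offset of the position in the source
    int line;      // 1-based line number
    int lineStart; // offset of the first character of that line
    int column() const { return offset - lineStart; }
};

struct Token {
    std::string text;
    TextPosition start;
};

// Walks the source once, keeping line/lineStart in lockstep with the offset,
// and records a TextPosition at the start of every identifier-like token.
std::vector<Token> scanIdentifiers(const std::string& src) {
    std::vector<Token> out;
    int line = 1, lineStart = 0;
    int n = static_cast<int>(src.size());
    for (int i = 0; i < n;) {
        char c = src[i];
        if (c == '\n') {
            ++line;
            lineStart = i + 1; // the next character begins the new line
            ++i;
        } else if (std::isalpha(static_cast<unsigned char>(c)) || c == '_') {
            TextPosition start{ i, line, lineStart }; // all three sampled here
            int j = i;
            while (j < n && (std::isalnum(static_cast<unsigned char>(src[j])) || src[j] == '_'))
                ++j;
            out.push_back({ src.substr(i, j - i), start });
            i = j;
        } else {
            ++i;
        }
    }
    return out;
}

// Constructed sample source: three lines, the second one indented.
const std::string kSampleSource = "foo = 1;\n  bar(baz);\nqux";

int main() {
    for (const Token& t : scanIdentifiers(kSampleSource))
        std::printf("%s at offset %d, line %d, column %d\n",
                    t.text.c_str(), t.start.offset, t.start.line, t.start.column());
    return 0;
}
```

        Because line and lineStart travel with the offset, a consumer cannot pair a token's
        offset with a lineStart that was recorded one token earlier or later, which is the
        mismatch the entry describes.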
2535
2536 2013-07-29  Carlos Garcia Campos  <cgarcia@igalia.com>
2537
2538         Unreviewed. Fix make distcheck.
2539
2540         * GNUmakefile.list.am: Add missing files to compilation.
2541         * bytecode/CodeBlock.cpp: Add a ENABLE(FTL_JIT) #if block to
2542         include FTL header files not included in the compilation.
2543         * dfg/DFGDriver.cpp: Ditto.
2544         * dfg/DFGPlan.cpp: Ditto.
2545
2546 2013-07-29  Chris Curtis  <chris_curtis@apple.com>
2547
2548         Eager stack trace for error objects.
2549         https://bugs.webkit.org/show_bug.cgi?id=118918
2550
2551         Reviewed by Geoffrey Garen.
2552         
2553         Chrome and Firefox give error objects the stack property and we wanted to match
2554         that functionality. This allows developers to see the stack without throwing an object.
2555
2556         * runtime/ErrorInstance.cpp:
2557         (JSC::ErrorInstance::finishCreation):
2558         For error objects that are not thrown as an exception, we pass the stackTrace in 
2559         as a parameter. This allows the error object to have the stack property.
2560         
2561         * interpreter/Interpreter.cpp:
2562         (JSC::stackTraceAsString):
2563         Helper function used to eliminate duplicate code.
2564
2565         (JSC::Interpreter::addStackTraceIfNecessary):
2566         When an error object is created by the user, the vm->exceptionStack is not set.
2567         If the user throws this error object later, the stack that is in the error object 
2568         may not be the correct stack for the throw, so when we set the vm->exceptionStack,
2569         the stack property on the error object is set as well.
2570         
2571         * runtime/ErrorConstructor.cpp:
2572         (JSC::constructWithErrorConstructor):
2573         (JSC::callErrorConstructor):
2574         * runtime/NativeErrorConstructor.cpp:
2575         (JSC::constructWithNativeErrorConstructor):
2576         (JSC::callNativeErrorConstructor):
2577         These functions indicate that the user created an error object. For all error objects 
2578         that the user explicitly creates, the topCallFrame is at a new frame created to 
2579         handle the user's call. In this case though, the error object needs the caller's 
2580         frame to create the stack trace correctly.
2581         
2582         * interpreter/Interpreter.h:
2583         * runtime/ErrorInstance.h:
2584         (JSC::ErrorInstance::create):
2585
2586 2013-07-29  Gavin Barraclough  <barraclough@apple.com>
2587
2588         Some cleanup in PropertySlot
2589         https://bugs.webkit.org/show_bug.cgi?id=119189
2590
2591         Reviewed by Geoff Garen.
2592
2593         PropertySlot represents a property in one of four states - value, getter, custom, or custom-index.
2594         The state is currently tracked redundantly by two mechanisms - the custom getter function (m_getValue)
2595         is set to a special value to indicate the type (other than custom), and the type is also tracked by
2596         an enum - but only if cacheable. Cacheability can typically be determined by the value of m_offset
2597         (this is invalidOffset if not cacheable).
2598
2599             * Internally, always track the type of the property using an enum value, PropertyType.
2600             * Use m_offset to indicate cacheable.
2601             * Keep the external interface (CachedPropertyType) unchanged.
2602             * Better pack data into the m_data union.
2603
2604         Performance neutral.
2605
2606         * dfg/DFGRepatch.cpp:
2607         (JSC::DFG::tryCacheGetByID):
2608         (JSC::DFG::tryBuildGetByIDList):
2609             - cachedPropertyType() -> isCacheable*()
2610         * jit/JITPropertyAccess.cpp:
2611         (JSC::JIT::privateCompileGetByIdProto):
2612         (JSC::JIT::privateCompileGetByIdSelfList):
2613         (JSC::JIT::privateCompileGetByIdProtoList):
2614         (JSC::JIT::privateCompileGetByIdChainList):
2615         (JSC::JIT::privateCompileGetByIdChain):
2616             - cachedPropertyType() -> isCacheable*()
2617         * jit/JITPropertyAccess32_64.cpp:
2618         (JSC::JIT::privateCompileGetByIdProto):
2619         (JSC::JIT::privateCompileGetByIdSelfList):
2620         (JSC::JIT::privateCompileGetByIdProtoList):
2621         (JSC::JIT::privateCompileGetByIdChainList):
2622         (JSC::JIT::privateCompileGetByIdChain):
2623             - cachedPropertyType() -> isCacheable*()
2624         * jit/JITStubs.cpp:
2625         (JSC::tryCacheGetByID):
2626             - cachedPropertyType() -> isCacheable*()
2627         * llint/LLIntSlowPaths.cpp:
2628         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2629             - cachedPropertyType() -> isCacheable*()
2630         * runtime/PropertySlot.cpp:
2631         (JSC::PropertySlot::functionGetter):
2632             - refactoring described above.
2633         * runtime/PropertySlot.h:
2634         (JSC::PropertySlot::PropertySlot):
2635         (JSC::PropertySlot::getValue):
2636         (JSC::PropertySlot::isCacheable):
2637         (JSC::PropertySlot::isCacheableValue):
2638         (JSC::PropertySlot::isCacheableGetter):
2639         (JSC::PropertySlot::isCacheableCustom):
2640         (JSC::PropertySlot::cachedOffset):
2641         (JSC::PropertySlot::customGetter):
2642         (JSC::PropertySlot::setValue):
2643         (JSC::PropertySlot::setCustom):
2644         (JSC::PropertySlot::setCacheableCustom):
2645         (JSC::PropertySlot::setCustomIndex):
2646         (JSC::PropertySlot::setGetterSlot):
2647         (JSC::PropertySlot::setCacheableGetterSlot):
2648         (JSC::PropertySlot::setUndefined):
2649         (JSC::PropertySlot::slotBase):
2650         (JSC::PropertySlot::setBase):
2651             - refactoring described above.
2652
2653 2013-07-28  Oliver Hunt  <oliver@apple.com>
2654
2655         REGRESSION: Crash when opening Facebook.com
2656         https://bugs.webkit.org/show_bug.cgi?id=119155
2657
2658         Reviewed by Andreas Kling.
2659
2660         Scope nodes are always objects, so we should be using SpecObjectOther
2661         rather than SpecCellOther.  Marking Scopes as CellOther leads to a
2662         contradiction in the CFA, resulting in bogus codegen.
2663
2664         * dfg/DFGAbstractInterpreterInlines.h:
2665         (JSC::DFG::::executeEffects):
2666         * dfg/DFGPredictionPropagationPhase.cpp:
2667         (JSC::DFG::PredictionPropagationPhase::propagate):
2668
2669 2013-07-26  Oliver Hunt  <oliver@apple.com>
2670
2671         REGRESSION(FTL?): Crashes in plugin tests
2672         https://bugs.webkit.org/show_bug.cgi?id=119141
2673
2674         Reviewed by Michael Saboff.
2675
2676         Re-export getStackTrace
2677
2678         * interpreter/Interpreter.h:
2679
2680 2013-07-26  Filip Pizlo  <fpizlo@apple.com>
2681
2682         REGRESSION: Crash when opening a message on Gmail
2683         https://bugs.webkit.org/show_bug.cgi?id=119105
2684
2685         Reviewed by Oliver Hunt and Mark Hahnenberg.
2686         
2687         - GetById patching in the DFG needs to be more disciplined about how it derives the
2688           slow path.
2689         
2690         - Fix some dumping code thread safety issues.
2691
2692         * bytecode/CallLinkStatus.cpp:
2693         (JSC::CallLinkStatus::dump):
2694         * bytecode/CodeBlock.cpp:
2695         (JSC::CodeBlock::dumpBytecode):
2696         * dfg/DFGRepatch.cpp:
2697         (JSC::DFG::getPolymorphicStructureList):
2698         (JSC::DFG::tryBuildGetByIDList):
2699
2700 2013-07-26  Balazs Kilvady  <kilvadyb@homejinni.com>
2701
2702         [mips] Fix LLINT build for mips backend
2703         https://bugs.webkit.org/show_bug.cgi?id=119152
2704
2705         Reviewed by Oliver Hunt.
2706
2707         * offlineasm/mips.rb:
2708
2709 2013-07-19  Mark Hahnenberg  <mhahnenberg@apple.com>
2710
2711         Setting a large numeric property on an object causes it to allocate a huge backing store
2712         https://bugs.webkit.org/show_bug.cgi?id=118914
2713
2714         Reviewed by Geoffrey Garen.
2715
2716         There are two distinct actions that we're trying to optimize for:
2717
2718         new Array(100000);
2719
2720         and:
2721
2722         a = [];
2723         a[100000] = 42;
2724         
2725         In the first case, the programmer has indicated that they expect this Array to be very big, 
2726         so they should get a contiguous array up until some threshold, above which we perform density 
2727         calculations to see if it is indeed dense enough to warrant being contiguous.
2728         
2729         In the second case, the programmer hasn't indicated anything about the size of the Array, so 
2730         we should be more conservative and assume it should be sparse until we've proven otherwise.
2731         
2732         Currently both of those cases are handled by MIN_SPARSE_ARRAY_INDEX. We should distinguish 
2733         between them for the purposes of not over-allocating large backing stores like we see on 
2734         http://www.peekanalytics.com/burgerjoints/
2735         
2736         The way that we'll do this is to keep the MIN_SPARSE_ARRAY_INDEX for the first case, and 
2737         introduce a new heuristic for the second case. If we are putting to an index above a certain 
2738         threshold (say, 1000) and it is beyond the length of the array, then we will use a sparse 
2739         map instead. So for example, in the second case above the empty array has a blank indexing 
2740         type and a length of 0. We put-by-val to an index > 1000 and > a.length, so we'll use a sparse map.
2741
2742         This fix is ~800x speedup on the accompanying regression test :-o
2743
2744         * runtime/ArrayConventions.h:
2745         (JSC::indexIsSufficientlyBeyondLengthForSparseMap):
2746         * runtime/JSObject.cpp:
2747         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2748         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
2749         (JSC::JSObject::putByIndexBeyondVectorLength):
2750         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
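
        Added model (not JavaScriptCore code): the two-policy decision the entry describes,
        beside the single-threshold policy it replaces, with the backing-store cost of each
        choice. The constants are assumptions: the entry names only "say, 1000" for the new
        threshold, so the MIN_SPARSE_ARRAY_INDEX stand-in and the slot size below are
        placeholder values for the model, not the real ones from runtime/ArrayConventions.h,
        and the density calculation mentioned for the first case is not modelled.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Placeholder constants for the model (assumptions, not JSC's real values).
constexpr uint32_t kMinSparseArrayIndex = 10000;     // stands in for MIN_SPARSE_ARRAY_INDEX
constexpr uint32_t kSparseMapIndexThreshold = 1000;  // the "say, 1000" from the entry
constexpr size_t   kSlotBytes = 8;                   // one 64-bit JSValue per slot

enum class Storage { Contiguous, SparseMap };

// Old policy as the entry describes it: one threshold for every put. Any
// index below MIN_SPARSE_ARRAY_INDEX grows the contiguous vector to fit it.
Storage oldPolicy(uint32_t index) {
    return index < kMinSparseArrayIndex ? Storage::Contiguous : Storage::SparseMap;
}

// Second-case heuristic from the entry: a put well past the current length
// of an array that gave no size hint should go to a sparse map.
bool indexIsSufficientlyBeyondLengthForSparseMap(uint32_t index, uint32_t length) {
    return index >= kSparseMapIndexThreshold && index > length;
}

// New policy: keep the old threshold for arrays whose length was declared up
// front (new Array(n) puts stay at or below the length), and add the
// beyond-length check for everything else.
Storage newPolicy(uint32_t index, uint32_t length) {
    if (indexIsSufficientlyBeyondLengthForSparseMap(index, length))
        return Storage::SparseMap;
    return oldPolicy(index);
}

// Bytes a contiguous vector needs to hold slot `index`; a sparse map costs
// roughly one key/value entry however large the index is.
size_t backingStoreBytes(Storage s, uint32_t index) {
    if (s == Storage::SparseMap)
        return kSlotBytes * 2;
    return kSlotBytes * (static_cast<size_t>(index) + 1);
}

int main() {
    // a = []; a[5000] = 42;  versus  a = new Array(100000); a[5000] = 42;
    const uint32_t index = 5000;
    std::printf("empty array, old policy: %zu bytes\n", backingStoreBytes(oldPolicy(index), index));
    std::printf("empty array, new policy: %zu bytes\n", backingStoreBytes(newPolicy(index, 0), index));
    std::printf("sized array, new policy: %zu bytes\n", backingStoreBytes(newPolicy(index, 100000), index));
    return 0;
}
```

        The point of the second branch is resource control: under the old policy an untrusted
        script could force a large allocation with a single store to a high index on an empty
        array, while the new check routes that store to the sparse map.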
2751
2752 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
2753
2754         REGRESSION(FTL): Fix lots of crashes in sh4 baseline JIT.
2755         https://bugs.webkit.org/show_bug.cgi?id=119148
2756
2757         Reviewed by Csaba Osztrogonác.
2758
2759         * jit/JSInterfaceJIT.h: "secondArgumentRegister" is wrong for sh4.
2760         * llint/LowLevelInterpreter32_64.asm: "move t0, a0" is missing
2761         in nativeCallTrampoline for sh4. Reuse MIPS implementation to avoid
2762         code duplication.
2763
2764 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
2765
2766         REGRESSION(FTL): Crash in sh4 baseline JIT.
2767         https://bugs.webkit.org/show_bug.cgi?id=119138
2768
2769         Reviewed by Csaba Osztrogonác.
2770
2771         This crash is due to incomplete report of r150146 and r148474.
2772
2773         * jit/JITStubsSH4.h:
2774
2775 2013-07-26  Zan Dobersek  <zdobersek@igalia.com>
2776
2777         Unreviewed.
2778
2779         * Target.pri: Adding missing DFG files to the Qt build.
2780
2781 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
2782
2783         GTK and Qt buildfix after the intrusive win buildfix r153360.
2784
2785         * GNUmakefile.list.am:
2786         * Target.pri:
2787
2788 2013-07-25  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
2789
2790         Unreviewed, fix build break after r153360.
2791
2792         * CMakeLists.txt: Add CommonSlowPathsExceptions.cpp.
2793
2794 2013-07-25  Roger Fong  <roger_fong@apple.com>
2795
2796         Unreviewed build fix, AppleWin port.
2797
2798         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2799         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2800         * JavaScriptCore.vcxproj/copy-files.cmd:
2801
2802 2013-07-25  Roger Fong  <roger_fong@apple.com>
2803
2804         Unreviewed. Followup to r153360.
2805
2806         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2807         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2808
2809 2013-07-25  Michael Saboff  <msaboff@apple.com>
2810
2811         [Windows] Speculative build fix.
2812
2813         Moved interpreterThrowInCaller() out of LLintExceptions.cpp into new CommonSlowPathsExceptions.cpp
2814         that is always compiled.  Made LLInt::returnToThrow() conditional on LLINT being enabled.
2815
2816         * JavaScriptCore.xcodeproj/project.pbxproj:
2817         * llint/LLIntExceptions.cpp:
2818         * llint/LLIntExceptions.h:
2819         * llint/LLIntSlowPaths.cpp:
2820         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2821         * runtime/CommonSlowPaths.cpp:
2822         (JSC::SLOW_PATH_DECL):
2823         * runtime/CommonSlowPathsExceptions.cpp: Added.
2824         (JSC::CommonSlowPaths::interpreterThrowInCaller):
2825         * runtime/CommonSlowPathsExceptions.h: Added.
2826
2827 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
2828
2829         [Windows] Unreviewed build fix.
2830
2831         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing IntendedStructureChange.h,.cpp and
2832         parser/SourceCode.h,.cpp.
2833         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
2834
2835 2013-07-25  Anders Carlsson  <andersca@apple.com>
2836
2837         ASSERT(m_vm->apiLock().currentThreadIsHoldingLock()); fails for Safari on current ToT
2838         https://bugs.webkit.org/show_bug.cgi?id=119108
2839
2840         Reviewed by Mark Hahnenberg.
2841
2842         Add a currentThreadIsHoldingAPILock() function to VM that checks if the current thread is the exclusive API thread.
2843
2844         * heap/CopiedSpace.cpp:
2845         (JSC::CopiedSpace::tryAllocateSlowCase):
2846         * heap/Heap.cpp:
2847         (JSC::Heap::protect):
2848         (JSC::Heap::unprotect):
2849         (JSC::Heap::collect):
2850         * heap/MarkedAllocator.cpp:
2851         (JSC::MarkedAllocator::allocateSlowCase):
2852         * runtime/JSGlobalObject.cpp:
2853         (JSC::JSGlobalObject::init):
2854         * runtime/VM.h:
2855         (JSC::VM::currentThreadIsHoldingAPILock):
2856
2857 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2858
2859         REGRESSION(FTL): Most layout tests crashes
2860         https://bugs.webkit.org/show_bug.cgi?id=119089
2861
2862         Reviewed by Oliver Hunt.
2863
2864         * runtime/ExecutionHarness.h:
2865         (JSC::prepareForExecution): Move the prepareForExecutionImpl call into its own statement. This prevents the GCC-compiled
2866         code from creating the PassOwnPtr<JSC::JITCode> (intended as a parameter to the installOptimizedCode call) from the jitCode
2867         RefPtr<JSC::JITCode> parameter before the latter was actually given a proper value through the prepareForExecutionImpl call.
2868         Currently it's created beforehand and therefore holds a null pointer before it's anchored as the JIT code in
2869         JSC::CodeBlock::setJITCode, which later indirectly causes assertions in JSC::CodeBlock::jitCompile.
2870         (JSC::prepareFunctionForExecution): Ditto for prepareFunctionForExecutionImpl.
2871
2872 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
2873
2874         [Windows] Unreviewed build fix.
2875
2876         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Add missing 'ftl'
2877         include path.
2878
2879 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
2880
2881         [Windows] Unreviewed build fix.
2882
2883         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add some missing files:
2884         runtime/VM.h,.cpp; Remove deleted JSGlobalData.h,.cpp.
2885         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
2886
2887 2013-07-25  Oliver Hunt  <oliver@apple.com>
2888
2889         Make all jit & non-jit combos build cleanly
2890         https://bugs.webkit.org/show_bug.cgi?id=119102
2891
2892         Reviewed by Anders Carlsson.
2893
2894         * bytecode/CodeBlock.cpp:
2895         (JSC::CodeBlock::counterValueForOptimizeSoon):
2896         * bytecode/CodeBlock.h:
2897         (JSC::CodeBlock::optimizeAfterWarmUp):
2898         (JSC::CodeBlock::numberOfDFGCompiles):
2899
2900 2013-07-25  Oliver Hunt  <oliver@apple.com>
2901
2902         32 bit portion of load validation logic
2903         https://bugs.webkit.org/show_bug.cgi?id=118878
2904
2905         Reviewed by NOBODY (Build fix).
2906
2907         * dfg/DFGSpeculativeJIT32_64.cpp:
2908         (JSC::DFG::SpeculativeJIT::compile):
2909
2910 2013-07-25  Oliver Hunt  <oliver@apple.com>
2911
2912         More 32bit build fixes
2913
2914         - Apparently some compilers don't track the fastcall directive everywhere we expect
2915
2916         * API/APICallbackFunction.h:
2917         (JSC::APICallbackFunction::call):
2918         * bytecode/CodeBlock.cpp:
2919         * runtime/Structure.cpp:
2920
2921 2013-07-25  Yi Shen  <max.hong.shen@gmail.com>
2922
2923         Optimize the thread locks for API Shims
2924         https://bugs.webkit.org/show_bug.cgi?id=118573
2925
2926         Reviewed by Geoffrey Garen.
2927
2928         Remove the thread lock from API Shims if the VM has an exclusive thread (e.g. the VM 
2929         only used by WebCore's main thread).
2930
2931         * API/APIShims.h:
2932         (JSC::APIEntryShim::APIEntryShim):
2933         (JSC::APICallbackShim::APICallbackShim):
2934         * runtime/JSLock.cpp:
2935         (JSC::JSLockHolder::JSLockHolder):
2936         (JSC::JSLockHolder::init):
2937         (JSC::JSLockHolder::~JSLockHolder):
2938         (JSC::JSLock::DropAllLocks::DropAllLocks):
2939         (JSC::JSLock::DropAllLocks::~DropAllLocks):
2940         * runtime/VM.cpp:
2941         (JSC::VM::VM):
2942         * runtime/VM.h:
2943
2944 2013-07-25  Christophe Dumez  <ch.dumez@sisa.samsung.com>
2945
2946         Unreviewed build fix after r153218.
2947
2948         Broke the EFL port build with gcc 4.7.
2949
2950         * interpreter/StackIterator.cpp:
2951         (JSC::printif):
2952
2953 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
2954
2955         Build fix: add missing #include.
2956         https://bugs.webkit.org/show_bug.cgi?id=119087
2957
2958         Reviewed by Allan Sandfeld Jensen.
2959
2960         * bytecode/ArrayProfile.cpp:
2961
2962 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
2963
2964         Unreviewed, build fix on the EFL port.
2965
2966         * CMakeLists.txt: Added JSCTestRunnerUtils.cpp.
2967
2968 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
2969
2970         [sh4] Add missing store8(TrustedImm32, void*) implementation in baseline JIT.
2971         https://bugs.webkit.org/show_bug.cgi?id=119083
2972
2973         Reviewed by Allan Sandfeld Jensen.
2974
2975         * assembler/MacroAssemblerSH4.h:
2976         (JSC::MacroAssemblerSH4::store8):
2977
2978 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
2979
2980         [Qt] Fix test build after FTL upstream
2981
2982         Unreviewed build fix.
2983
2984         * Target.pri:
2985
2986 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
2987
2988         [Qt] Build fix after FTL.
2989
2990         Unreviewed build fix.
2991
2992         * Target.pri:
2993         * interpreter/StackIterator.cpp:
2994         (JSC::StackIterator::Frame::print):
2995
2996 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
2997
2998         Unreviewed build fix after FTL upstream.
2999
3000         * dfg/DFGWorklist.cpp:
3001         (JSC::DFG::Worklist::~Worklist):
3002
3003 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
3004
3005         Unreviewed, build fix on the EFL port.
3006
3007         * CMakeLists.txt:
3008         Added SourceCode.cpp and removed BlackBerry file.
3009         * jit/JITCode.h:
3010         (JSC::JITCode::nextTierJIT):
3011         Fixed build break because of -Werror=return-type
3012         * parser/Lexer.cpp: Includes JSFunctionInlines.h
3013         * runtime/JSScope.h:
3014         (JSC::makeType):
3015         Fixed build break because of -Werror=return-type
3016
3017 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
3018
3019         Unreviewed build fixing after FTL upstream.
3020
3021         * runtime/Executable.cpp:
3022         (JSC::FunctionExecutable::produceCodeBlockFor):
3023
3024 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
3025
3026         Add missing implementation of bxxxnz in sh4 LLINT.
3027         https://bugs.webkit.org/show_bug.cgi?id=119079
3028
3029         Reviewed by Allan Sandfeld Jensen.
3030
3031         * offlineasm/sh4.rb:
3032
3033 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
3034
3035         Unreviewed, build fix on the Qt port.
3036
3037         * Target.pri: Add additional build files for the FTL.
3038
3039 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
3040
3041         Unreviewed buildfix after FTL upstream.
3042
3043         * interpreter/StackIterator.cpp:
3044         (JSC::StackIterator::Frame::codeType):
3045         (JSC::StackIterator::Frame::functionName):
3046         (JSC::StackIterator::Frame::sourceURL):
3047         (JSC::StackIterator::Frame::logicalFrame):
3048
3049 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3050
3051         Unreviewed.
3052
3053         * heap/CopyVisitor.cpp: Include CopiedSpaceInlines header so the CopiedSpace::recycleEvacuatedBlock
3054         method is not left undefined, causing build failures on (at least) the GTK port.
3055
3056 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3057
3058         Unreviewed, further build fixing on the GTK port.
3059
3060         * GNUmakefile.list.am: Add CompilationResult source files to the build.
3061
3062 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3063
3064         Unreviewed GTK build fixing.
3065
3066         * GNUmakefile.am: Make the shared libjsc library depend on any changes to the build target list.
3067         * GNUmakefile.list.am: Add additional build targets for files that were introduced by the FTL branch merge.
3068
3069 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3070
3071         Buildfix after this error:
3072         error: 'pathName' may be used uninitialized in this function [-Werror=uninitialized]
3073
3074         * dfg/DFGPlan.cpp:
3075         (JSC::DFG::Plan::compileInThread):
3076
3077 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3078
3079         One more buildfix after FTL upstream.
3080
3081         Return a dummy value after RELEASE_ASSERT_NOT_REACHED() to make GCC happy.
3082
3083         * dfg/DFGLazyJSValue.cpp:
3084         (JSC::DFG::LazyJSValue::getValue):
3085         (JSC::DFG::LazyJSValue::strictEqual):
3086
3087 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
3088
3089         Fix "Unhandled opcode localAnnotation" build error in sh4 and mips LLINT.
3090         https://bugs.webkit.org/show_bug.cgi?id=119076
3091
3092         Reviewed by Allan Sandfeld Jensen.
3093
3094         * offlineasm/mips.rb:
3095         * offlineasm/sh4.rb:
3096
3097 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3098
3099         Unreviewed GTK build fix.
3100
3101         * GNUmakefile.list.am: Adding JSCTestRunnerUtils files to the build.
3102
3103 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3104
3105         Unreviewed. Further build fixing for the GTK port. Adding the forwarding header
3106         for JSCTestRunnerUtils.h as required by the DumpRenderTree compilation.
3107
3108         * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h: Added.
3109
3110 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3111
3112         Unreviewed. Fixing the GTK build after the FTL merging by updating the build targets list.
3113
3114         * GNUmakefile.am:
3115         * GNUmakefile.list.am:
3116
3117 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
3118
3119         Unreviewed buildfix after FTL upstream.
3120
3121         * runtime/JSScope.h:
3122         (JSC::needsVarInjectionChecks):
3123
3124 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3125
3126         One more fix after FTL upstream.
3127
3128         * Target.pri:
3129         * bytecode/CodeBlock.h:
3130         * bytecode/GetByIdStatus.h:
3131         (JSC::GetByIdStatus::GetByIdStatus):
3132
3133 2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>
3134
3135         Unreviewed buildfix after FTL upstream.
3136
3137         Add ftl directory as include path.
3138
3139         * CMakeLists.txt:
3140         * JavaScriptCore.pri:
3141
3142 2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>
3143
3144         Unreviewed buildfix after FTL upstream for non C++11 builds.
3145
3146         * interpreter/CallFrame.h:
3147         * interpreter/StackIteratorPrivate.h:
3148         (JSC::StackIterator::end):
3149
3150 2013-07-24  Oliver Hunt  <oliver@apple.com>
3151
3152         Endeavour to fix CMakelist builds
3153
3154         * CMakeLists.txt:
3155
3156 2013-07-24  Filip Pizlo  <fpizlo@apple.com>
3157
3158         fourthTier: DFG IR dumps should be easier to read
3159         https://bugs.webkit.org/show_bug.cgi?id=119050
3160
3161         Reviewed by Mark Hahnenberg.
3162         
3163         Added a DumpContext that includes support for printing an endnote
3164         that describes all structures in full, while the main flow of the
3165         dump just uses made-up names for the structures. This is helpful
3166         since Structure::dump() may print a lot. The stuff it prints is
3167         useful, but if it's all inline with the surrounding thing you're
3168         dumping (often, a node in the DFG), then you get a ridiculously
3169         long print-out. All classes that dump structures (including
3170         Structure itself) now have dumpInContext() methods that use
3171         inContext() for dumping anything that might transitively print a
3172         structure. If Structure::dumpInContext() is called with a NULL
3173         context, it just uses dump() like before. Hence you don't have to
3174         know anything about DumpContext unless you want to.
3175         
3176         inContext(*structure, context) dumps something like %B4:Array,
3177         and the endnote will have something like:
3178         
3179             %B4:Array    = 0x10e91a180:[Array, {Edge:100, Normal:101, Line:102, NumPx:103, LastPx:104}, ArrayWithContiguous, Proto:0x10e99ffe0]
3180         
3181         where B4 is the inferred name that StringHashDumpContext came up
3182         with.
3183         
3184         Also shortened a bunch of other dumps, removing information that
3185         isn't so important.
3186         
3187         * JavaScriptCore.xcodeproj/project.pbxproj:
3188         * bytecode/ArrayProfile.cpp:
3189         (JSC::dumpArrayModes):
3190         * bytecode/CodeBlockHash.cpp:
3191         (JSC):
3192         (JSC::CodeBlockHash::CodeBlockHash):
3193         (JSC::CodeBlockHash::dump):
3194         * bytecode/CodeOrigin.cpp:
3195         (JSC::CodeOrigin::dumpInContext):
3196         (JSC):
3197         (JSC::InlineCallFrame::dumpInContext):
3198         (JSC::InlineCallFrame::dump):
3199         * bytecode/CodeOrigin.h:
3200         (CodeOrigin):
3201         (InlineCallFrame):
3202         * bytecode/Operands.h:
3203         (JSC::OperandValueTraits::isEmptyForDump):
3204         (Operands):
3205         (JSC::Operands::dump):
3206         (JSC):
3207         * bytecode/OperandsInlines.h: Added.
3208         (JSC):
3209         (JSC::::dumpInContext):
3210         * bytecode/StructureSet.h:
3211         (JSC::StructureSet::dumpInContext):
3212         (JSC::StructureSet::dump):
3213         (StructureSet):
3214         * dfg/DFGAbstractValue.cpp:
3215         (JSC::DFG::AbstractValue::dump):
3216         (DFG):
3217         (JSC::DFG::AbstractValue::dumpInContext):
3218         * dfg/DFGAbstractValue.h:
3219         (JSC::DFG::AbstractValue::operator!):
3220         (AbstractValue):
3221         * dfg/DFGCFAPhase.cpp:
3222         (JSC::DFG::CFAPhase::performBlockCFA):
3223         * dfg/DFGCommon.cpp:
3224         * dfg/DFGCommon.h:
3225         (JSC::DFG::NodePointerTraits::isEmptyForDump):
3226         * dfg/DFGDisassembler.cpp:
3227         (JSC::DFG::Disassembler::createDumpList):
3228         * dfg/DFGDisassembler.h:
3229         (Disassembler):
3230         * dfg/DFGFlushFormat.h:
3231         (WTF::inContext):
3232         (WTF):
3233         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
3234         * dfg/DFGGraph.cpp:
3235         (JSC::DFG::Graph::dumpCodeOrigin):
3236         (JSC::DFG::Graph::dump):
3237         (JSC::DFG::Graph::dumpBlockHeader):
3238         * dfg/DFGGraph.h:
3239         (Graph):
3240         * dfg/DFGLazyJSValue.cpp:
3241         (JSC::DFG::LazyJSValue::dumpInContext):
3242         (JSC::DFG::LazyJSValue::dump):
3243         (DFG):
3244         * dfg/DFGLazyJSValue.h:
3245         (LazyJSValue):
3246         * dfg/DFGNode.h:
3247         (JSC::DFG::nodeMapDump):
3248         (WTF::inContext):
3249         (WTF):
3250         * dfg/DFGOSRExitCompiler32_64.cpp:
3251         (JSC::DFG::OSRExitCompiler::compileExit):
3252         * dfg/DFGOSRExitCompiler64.cpp:
3253         (JSC::DFG::OSRExitCompiler::compileExit):
3254         * dfg/DFGStructureAbstractValue.h:
3255         (JSC::DFG::StructureAbstractValue::dumpInContext):
3256         (JSC::DFG::StructureAbstractValue::dump):
3257         (StructureAbstractValue):
3258         * ftl/FTLExitValue.cpp:
3259         (JSC::FTL::ExitValue::dumpInContext):
3260         (JSC::FTL::ExitValue::dump):
3261         (FTL):
3262         * ftl/FTLExitValue.h:
3263         (ExitValue):
3264         * ftl/FTLLowerDFGToLLVM.cpp:
3265         * ftl/FTLValueSource.cpp:
3266         (JSC::FTL::ValueSource::dumpInContext):
3267         (FTL):
3268         * ftl/FTLValueSource.h:
3269         (ValueSource):
3270         * runtime/DumpContext.cpp: Added.
3271         (JSC):
3272         (JSC::DumpContext::DumpContext):
3273         (JSC::DumpContext::~DumpContext):
3274         (JSC::DumpContext::isEmpty):
3275         (JSC::DumpContext::dump):
3276         * runtime/DumpContext.h: Added.
3277         (JSC):
3278         (DumpContext):
3279         * runtime/JSCJSValue.cpp:
3280         (JSC::JSValue::dump):
3281         (JSC):
3282         (JSC::JSValue::dumpInContext):
3283         * runtime/JSCJSValue.h:
3284         (JSC):
3285         (JSValue):
3286         * runtime/Structure.cpp:
3287         (JSC::Structure::dumpInContext):
3288         (JSC):
3289         (JSC::Structure::dumpBrief):
3290         (JSC::Structure::dumpContextHeader):
3291         * runtime/Structure.h:
3292         (JSC):
3293         (Structure):
3294
3295 2013-07-22  Filip Pizlo  <fpizlo@apple.com>
3296
3297         fourthTier: DFG should do a high-level LICM before going to FTL
3298         https://bugs.webkit.org/show_bug.cgi?id=118749
3299
3300         Reviewed by Oliver Hunt.
3301         
3302         Implements LICM hoisting for nodes that never write anything and never read
3303         things that are clobbered by the loop. There are some other preconditions for
3304         hoisting, see DFGLICMPhase.cpp.
3305
3306         Also did a few fixes:
3307         
3308         - ClobberSet::add was failing to switch Super entries to Direct entries in
3309           some cases.
3310         
3311         - DFGClobberize.cpp needed to #include "Operations.h".
3312         
3313         - DCEPhase needs to process the graph in reverse DFS order, when we're in SSA.
3314         
3315         - AbstractInterpreter can now execute a Node without knowing its indexInBlock.
3316           Knowing the indexInBlock is an optional optimization that all other clients
3317           of AI still opt into, but LICM doesn't.
3318         
3319         This makes the FTL a 2.19x speed-up on imaging-gaussian-blur.
3320
3321         * JavaScriptCore.xcodeproj/project.pbxproj:
3322         * dfg/DFGAbstractInterpreter.h:
3323         (AbstractInterpreter):
3324         * dfg/DFGAbstractInterpreterInlines.h:
3325         (JSC::DFG::::executeEffects):
3326         (JSC::DFG::::execute):
3327         (DFG):
3328         (JSC::DFG::::clobberWorld):
3329         (JSC::DFG::::clobberStructures):
3330         * dfg/DFGAtTailAbstractState.cpp: Added.
3331         (DFG):
3332         (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
3333         (JSC::DFG::AtTailAbstractState::~AtTailAbstractState):
3334         (JSC::DFG::AtTailAbstractState::createValueForNode):
3335         (JSC::DFG::AtTailAbstractState::forNode):
3336         * dfg/DFGAtTailAbstractState.h: Added.
3337         (DFG):
3338         (AtTailAbstractState):
3339         (JSC::DFG::AtTailAbstractState::initializeTo):
3340         (JSC::DFG::AtTailAbstractState::forNode):
3341         (JSC::DFG::AtTailAbstractState::variables):
3342         (JSC::DFG::AtTailAbstractState::block):
3343         (JSC::DFG::AtTailAbstractState::isValid):
3344         (JSC::DFG::AtTailAbstractState::setDidClobber):
3345         (JSC::DFG::AtTailAbstractState::setIsValid):
3346         (JSC::DFG::AtTailAbstractState::setBranchDirection):
3347         (JSC::DFG::AtTailAbstractState::setFoundConstants):
3348         (JSC::DFG::AtTailAbstractState::haveStructures):
3349         (JSC::DFG::AtTailAbstractState::setHaveStructures):
3350         * dfg/DFGBasicBlock.h:
3351         (JSC::DFG::BasicBlock::insertBeforeLast):
3352         * dfg/DFGBasicBlockInlines.h:
3353         (DFG):
3354         * dfg/DFGClobberSet.cpp:
3355         (JSC::DFG::ClobberSet::add):
3356         (JSC::DFG::ClobberSet::addAll):
3357         * dfg/DFGClobberize.cpp:
3358         (JSC::DFG::doesWrites):
3359         * dfg/DFGClobberize.h:
3360         (DFG):
3361         * dfg/DFGDCEPhase.cpp:
3362         (JSC::DFG::DCEPhase::DCEPhase):
3363         (JSC::DFG::DCEPhase::run):
3364         (JSC::DFG::DCEPhase::fixupBlock):
3365         (DCEPhase):
3366         * dfg/DFGEdgeDominates.h: Added.
3367         (DFG):
3368         (EdgeDominates):
3369         (JSC::DFG::EdgeDominates::EdgeDominates):
3370         (JSC::DFG::EdgeDominates::operator()):
3371         (JSC::DFG::EdgeDominates::result):
3372         (JSC::DFG::edgesDominate):
3373         * dfg/DFGFixupPhase.cpp:
3374         (JSC::DFG::FixupPhase::fixupNode):
3375         (JSC::DFG::FixupPhase::checkArray):
3376         * dfg/DFGLICMPhase.cpp: Added.
3377         (LICMPhase):
3378         (JSC::DFG::LICMPhase::LICMPhase):
3379         (JSC::DFG::LICMPhase::run):
3380         (JSC::DFG::LICMPhase::attemptHoist):
3381         (DFG):
3382         (JSC::DFG::performLICM):
3383         * dfg/DFGLICMPhase.h: Added.
3384         (DFG):
3385         * dfg/DFGPlan.cpp:
3386         (JSC::DFG::Plan::compileInThreadImpl):
3387
3388 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
3389
3390         fourthTier: DFG Nodes should be able to abstractly tell you what they read and what they write
3391         https://bugs.webkit.org/show_bug.cgi?id=118910
3392
3393         Reviewed by Sam Weinig.
3394         
3395         Add the notion of AbstractHeap to the DFG. This is analogous to the AbstractHeap in
3396         the FTL, except that the FTL's AbstractHeaps are used during LLVM lowering and are
3397         engineered to obey LLVM TBAA logic. The FTL's AbstractHeaps are also engineered to
3398         be inexpensive to use (they just give you a TBAA node) but expensive to create (you
3399         create them all up front). FTL AbstractHeaps also don't actually give you the
3400         ability to reason about aliasing; they are *just* a mechanism for lowering to TBAA.
3401         The DFG's AbstractHeaps are engineered to be both cheap to create and cheap to use.
3402         They also give you aliasing machinery. The DFG AbstractHeaps are represented
3403         internally by a int64_t. Many comparisons between them are just integer comparisons.
3404         AbstractHeaps form a three-level hierarchy (World is the supertype of everything,
3405         Kind with a TOP payload is a direct subtype of World, and Kind with a non-TOP
3406         payload is the direct subtype of its corresponding TOP Kind).
3407         
3408         Add the notion of a ClobberSet. This is the set of AbstractHeaps that you had
3409         clobbered. It represents the set that results from unifying a bunch of
3410         AbstractHeaps, and is intended to quickly answer overlap questions: does the given
3411         AbstractHeap overlap any AbstractHeap in the ClobberSet? To this end, if you add an
3412         AbstractHeap to a set, it "directly" adds the heap itself, and "super" adds all of
3413         its ancestors. An AbstractHeap is said to overlap a set if any direct or super
3414         member is equal to it, or if any of its ancestors are equal to a direct member.
3415         
3416         Example #1:
3417         
3418             - I add Variables(5). I.e. Variables is the Kind and 5 is the payload. This
3419               is a subtype of Variables, which is a subtype of World.
3420             - You query Variables. I.e. Variables with a TOP payload, which is the
3421               supertype of Variables(X) for any X, and a subtype of World.
3422             
3423             The set will have Variables(5) as a direct member, and Variables and World as
3424             super members. The Variables query will immediately return true, because
3425             Variables is indeed a super member.
3426         
3427         Example #2:
3428         
3429             - I add Variables(5)
3430             - You query NamedProperties
3431             
3432             NamedProperties is not a member at all (neither direct or super). We next
3433             query World. World is a member, but it's a super member, so we return false.
3434         
3435         Example #3:
3436         
3437             - I add Variables
3438             - You query Variables(5)
3439             
3440             The set will have Variables as a direct member, and World as a super member.
3441             The Variables(5) query will not find Variables(5) in the set, but then it
3442             will query Variables. Variables is a direct member, so we return true.
3443         
3444         Example #4:
3445         
3446             - I add Variables
3447             - You query NamedProperties(5)
3448             
3449             Neither NamedProperties nor NamedProperties(5) are members. We next query
3450             World. World is a member, but it's a super member, so we return false.
3451         
3452         Overlap queries require that either the heap being queried is in the set (either
3453         direct or super), or that one of its ancestors is a direct member. Another way to
3454         think about how this works is that two heaps A and B are said to overlap if
3455         A.isSubtypeOf(B) or B.isSubtypeOf(A). This is sound since heaps form a
3456         single-inheritance hierarchy. Consider that we wanted to implement a set that holds
3457         heaps and answers the question, "is any member in the set an ancestor (i.e.
3458         supertype) of some other heap". We would have the set contain the heaps themselves,
3459         and we would satisfy the query "A.isSubtypeOfAny(set)" by walking the ancestor
3460         chain of A, and repeatedly querying its membership in the set. This is what the
3461         "direct" members of our set do. Now consider the other part, where we want to ask if
3462         any member of the set is a descendant of a heap, or "A.isSupertypeOfAny(set)". We
3463         would implement this by implementing set.add(B) as adding not just B but also all of
3464         B's ancestors; then we would answer A.isSupertypeOfAny(set) by just checking if A is
3465         in the set. With two such sets - one that answers isSubtypeOfAny() and another that
3466         answers isSupertypeOfAny() - we could answer the "do any of my heaps overlap your
3467         heap" question. ClobberSet does this, but combines the two sets into a single
3468         HashMap. The HashMap's value, "direct", means that the key is a member of both the
3469         supertype set and the subtype set; if it's false then it's only a member of one of
3470         them.
3471         
3472         Finally, this adds a functorized clobberize() method that adds the read and write
3473         clobbers of a DFG::Node to read and write functors. Common functors for adding to
3474         ClobberSets, querying overlap, and doing nothing are provided. Convenient wrappers
3475         are also provided. This allows you to say things like:
3476         
3477             ClobberSet set;
3478             addWrites(graph, node1, set);
3479             if (readsOverlap(graph, node2, set))
3480                 // We know that node1 may write to something that node2 may read from.
3481         
3482         Currently this facility is only used to improve graph dumping, but it will be
3483         instrumental in both LICM and GVN. In the future, I want to completely kill the
3484         NodeClobbersWorld and NodeMightClobber flags, and eradicate CSEPhase's hackish way
3485         of accomplishing almost exactly what AbstractHeap gives you.
3486
3487         * JavaScriptCore.xcodeproj/project.pbxproj:
3488         * dfg/DFGAbstractHeap.cpp: Added.
3489         (DFG):
3490         (JSC::DFG::AbstractHeap::Payload::dump):
3491         (JSC::DFG::AbstractHeap::dump):
3492         (WTF):
3493         (WTF::printInternal):
3494         * dfg/DFGAbstractHeap.h: Added.
3495         (DFG):
3496         (AbstractHeap):
3497         (Payload):
3498         (JSC::DFG::AbstractHeap::Payload::Payload):
3499         (JSC::DFG::AbstractHeap::Payload::top):
3500         (JSC::DFG::AbstractHeap::Payload::isTop):
3501         (JSC::DFG::AbstractHeap::Payload::value):
3502         (JSC::DFG::AbstractHeap::Payload::valueImpl):
3503         (JSC::DFG::AbstractHeap::Payload::operator==):
3504         (JSC::DFG::AbstractHeap::Payload::operator!=):
3505         (JSC::DFG::AbstractHeap::Payload::operator<):
3506         (JSC::DFG::AbstractHeap::Payload::isDisjoint):
3507         (JSC::DFG::AbstractHeap::Payload::overlaps):
3508         (JSC::DFG::AbstractHeap::AbstractHeap):
3509         (JSC::DFG::AbstractHeap::operator!):
3510         (JSC::DFG::AbstractHeap::kind):
3511         (JSC::DFG::AbstractHeap::payload):
3512         (JSC::DFG::AbstractHeap::isDisjoint):
3513         (JSC::DFG::AbstractHeap::overlaps):
3514         (JSC::DFG::AbstractHeap::supertype):
3515         (JSC::DFG::AbstractHeap::hash):
3516         (JSC::DFG::AbstractHeap::operator==):
3517         (JSC::DFG::AbstractHeap::operator!=):
3518         (JSC::DFG::AbstractHeap::operator<):
3519         (JSC::DFG::AbstractHeap::isHashTableDeletedValue):
3520         (JSC::DFG::AbstractHeap::payloadImpl):
3521         (JSC::DFG::AbstractHeap::encode):
3522         (JSC::DFG::AbstractHeapHash::hash):
3523         (JSC::DFG::AbstractHeapHash::equal):
3524         (AbstractHeapHash):
3525         (WTF):
3526         * dfg/DFGClobberSet.cpp: Added.
3527         (DFG):
3528         (JSC::DFG::ClobberSet::ClobberSet):
3529         (JSC::DFG::ClobberSet::~ClobberSet):
3530         (JSC::DFG::ClobberSet::add):
3531         (JSC::DFG::ClobberSet::addAll):
3532         (JSC::DFG::ClobberSet::contains):
3533         (JSC::DFG::ClobberSet::overlaps):
3534         (JSC::DFG::ClobberSet::clear):
3535         (JSC::DFG::ClobberSet::direct):
3536         (JSC::DFG::ClobberSet::super):
3537         (JSC::DFG::ClobberSet::dump):
3538         (JSC::DFG::ClobberSet::setOf):
3539         (JSC::DFG::addReads):
3540         (JSC::DFG::addWrites):
3541         (JSC::DFG::addReadsAndWrites):
3542         (JSC::DFG::readsOverlap):
3543         (JSC::DFG::writesOverlap):
3544         * dfg/DFGClobberSet.h: Added.
3545         (DFG):
3546         (ClobberSet):
3547         (JSC::DFG::ClobberSet::isEmpty):
3548         (ClobberSetAdd):
3549         (JSC::DFG::ClobberSetAdd::ClobberSetAdd):
3550         (JSC::DFG::ClobberSetAdd::operator()):
3551         (ClobberSetOverlaps):
3552         (JSC::DFG::ClobberSetOverlaps::ClobberSetOverlaps):
3553         (JSC::DFG::ClobberSetOverlaps::operator()):
3554         (JSC::DFG::ClobberSetOverlaps::result):
3555         * dfg/DFGClobberize.cpp: Added.
3556         (DFG):
3557         (JSC::DFG::didWrites):
3558         * dfg/DFGClobberize.h: Added.
3559         (DFG):
3560         (JSC::DFG::clobberize):
3561         (NoOpClobberize):
3562         (JSC::DFG::NoOpClobberize::NoOpClobberize):
3563         (JSC::DFG::NoOpClobberize::operator()):
3564         (CheckClobberize):
3565         (JSC::DFG::CheckClobberize::CheckClobberize):
3566         (JSC::DFG::CheckClobberize::operator()):
3567         (JSC::DFG::CheckClobberize::result):
3568         * dfg/DFGGraph.cpp:
3569         (JSC::DFG::Graph::dump):
3570
3571 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
3572
3573         fourthTier: It should be easy to figure out which blocks nodes belong to
3574         https://bugs.webkit.org/show_bug.cgi?id=118957
3575
3576         Reviewed by Sam Weinig.
3577
3578         * dfg/DFGGraph.cpp:
3579         (DFG):
3580         (JSC::DFG::Graph::initializeNodeOwners):
3581         * dfg/DFGGraph.h:
3582         (Graph):
3583         * dfg/DFGNode.h:
3584
3585 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
3586
3587         fourthTier: NodeExitsForward shouldn't be duplicated in NodeType
3588         https://bugs.webkit.org/show_bug.cgi?id=118956
3589
3590         Reviewed by Sam Weinig.
3591         
3592         We had two ways of expressing that something exits forward: the NodeExitsForward
3593         flag and the word 'Forward' in the NodeType. That's kind of dumb. This patch
3594         makes it just be a flag.
3595
3596         * dfg/DFGAbstractInterpreterInlines.h:
3597         (JSC::DFG::::executeEffects):
3598         * dfg/DFGArgumentsSimplificationPhase.cpp:
3599         (JSC::DFG::ArgumentsSimplificationPhase::run):
3600         * dfg/DFGCSEPhase.cpp:
3601         (JSC::DFG::CSEPhase::int32ToDoubleCSE):
3602         (JSC::DFG::CSEPhase::checkStructureElimination):
3603         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
3604         (JSC::DFG::CSEPhase::putStructureStoreElimination):
3605         (JSC::DFG::CSEPhase::checkArrayElimination):
3606         (JSC::DFG::CSEPhase::performNodeCSE):
3607         * dfg/DFGConstantFoldingPhase.cpp:
3608         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3609         * dfg/DFGFixupPhase.cpp:
3610         (JSC::DFG::FixupPhase::fixupNode):
3611         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
3612         * dfg/DFGMinifiedNode.h:
3613         (JSC::DFG::belongsInMinifiedGraph):
3614         (JSC::DFG::MinifiedNode::hasChild):
3615         * dfg/DFGNode.h:
3616         (JSC::DFG::Node::convertToStructureTransitionWatchpoint):
3617         (JSC::DFG::Node::hasStructureSet):
3618         (JSC::DFG::Node::hasStructure):
3619         (JSC::DFG::Node::hasArrayMode):
3620         (JSC::DFG::Node::willHaveCodeGenOrOSR):
3621         * dfg/DFGNodeType.h:
3622         (DFG):
3623         (JSC::DFG::needsOSRForwardRewiring):
3624         * dfg/DFGPredictionPropagationPhase.cpp:
3625         (JSC::DFG::PredictionPropagationPhase::propagate):
3626         * dfg/DFGSafeToExecute.h:
3627         (JSC::DFG::safeToExecute):
3628         * dfg/DFGSpeculativeJIT.cpp:
3629         (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
3630         * dfg/DFGSpeculativeJIT32_64.cpp:
3631         (JSC::DFG::SpeculativeJIT::compile):
3632         * dfg/DFGSpeculativeJIT64.cpp:
3633         (JSC::DFG::SpeculativeJIT::compile):
3634         * dfg/DFGTypeCheckHoistingPhase.cpp:
3635         (JSC::DFG::TypeCheckHoistingPhase::run):
3636         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
3637         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
3638         * dfg/DFGVariableEventStream.cpp:
3639         (JSC::DFG::VariableEventStream::reconstruct):
3640         * ftl/FTLCapabilities.cpp:
3641         (JSC::FTL::canCompile):
3642         * ftl/FTLLowerDFGToLLVM.cpp:
3643         (JSC::FTL::LowerDFGToLLVM::compileNode):
3644         (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
3645
3646 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
3647
3648         fourthTier: It should be possible for a DFG::Node to claim to exit to one CodeOrigin, but then claim that it belongs to a different CodeOrigin for all other purposes
3649         https://bugs.webkit.org/show_bug.cgi?id=118946
3650
3651         Reviewed by Geoffrey Garen.
3652         
3653         We want to decouple the exit target code origin of a node from the code origin
3654         for all other purposes. The purposes of code origins are:
3655         
3656         - Where the node will exit, if it exits. The exit target should be consistent with
3657           the surrounding nodes, in that if you just looked at the code origins of nodes in
3658           the graph, they would be consistent with the code origins in bytecode. This is
3659           necessary for live-at-bytecode analyses to work, and to preserve the original
3660           bytecode semantics when exiting.
3661         
3662         - What kind of code the node came from, for semantics thingies. For example, we
3663           might use the code origin to find the node's global object for doing an original
3664           array check. Or we might use it to determine if the code is in strict mode. Or
3665           other similar things. When we use the code origin in this way, we're basically
3666           using it as a way of describing the node's meta-data without putting it into the
3667           node directly, to save space. In the absurd extreme you could imagine nodes not
3668           even having NodeTypes or NodeFlags, and just using the CodeOrigin to determine
3669           what bytecode the node originated from. We won't do that, but you can think of
3670           this use of code origins as just a way of compressing meta-data.
3671         
3672         - What code origin we should supply profiling to, if we exit. This is closely
3673           related to the semantics thingies, in that the exit profiling is a persistent
3674           kind of semantic meta-data that survives between recompiles, and the only way to
3675           do that is to ascribe it to the original bytecode via the code origin.
3676         
3677         If we hoist a node, we need to change the exit target code origin, but we must not
3678         change the code origin for other purposes. The best way to do this is to decouple
3679         the two kinds of code origin.
3680         
3681         OSR exit data structures already do this, because they may edit the exit target
3682         code origin while keeping the code origin for profiling intact. This happens for
3683         forward exits. So, we just need to thread separation all the way back to DFG::Node.
3684         That's what this patch does.
3685
3686         * dfg/DFGNode.h:
3687         (JSC::DFG::Node::Node):
3688         (Node):
3689         * dfg/DFGOSRExit.cpp:
3690         (JSC::DFG::OSRExit::OSRExit):
3691         * dfg/DFGOSRExitBase.h:
3692         (JSC::DFG::OSRExitBase::OSRExitBase):
3693         * dfg/DFGSpeculativeJIT.cpp:
3694         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3695         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
3696         * dfg/DFGSpeculativeJIT.h:
3697         (SpeculativeJIT):
3698         * ftl/FTLLowerDFGToLLVM.cpp:
3699         (JSC::FTL::LowerDFGToLLVM::compileNode):
3700         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
3701         (LowerDFGToLLVM):
3702         * ftl/FTLOSRExit.cpp:
3703         (JSC::FTL::OSRExit::OSRExit):
3704         * ftl/FTLOSRExit.h:
3705         (OSRExit):
3706
3707 2013-07-20  Filip Pizlo  <fpizlo@apple.com>
3708
3709         fourthTier: each DFG node that relies on other nodes to do their type checks should be able to tell you if those type checks happened
3710         https://bugs.webkit.org/show_bug.cgi?id=118866
3711
3712         Reviewed by Sam Weinig.
3713         
3714         Adds a safeToExecute() method that takes a node and an abstract state and tells you
3715         if the node will run without crashing under that state.
3716
3717         * JavaScriptCore.xcodeproj/project.pbxproj:
3718         * bytecode/CodeBlock.cpp:
3719         (JSC::CodeBlock::CodeBlock):
3720         * dfg/DFGCFAPhase.cpp:
3721         (CFAPhase):
3722         (JSC::DFG::CFAPhase::CFAPhase):
3723         (JSC::DFG::CFAPhase::run):
3724         (JSC::DFG::CFAPhase::performBlockCFA):
3725         (JSC::DFG::CFAPhase::performForwardCFA):
3726         * dfg/DFGSafeToExecute.h: Added.
3727         (DFG):
3728         (SafeToExecuteEdge):
3729         (JSC::DFG::SafeToExecuteEdge::SafeToExecuteEdge):
3730         (JSC::DFG::SafeToExecuteEdge::operator()):
3731         (JSC::DFG::SafeToExecuteEdge::result):
3732         (JSC::DFG::safeToExecute):
3733         * dfg/DFGStructureAbstractValue.h:
3734         (JSC::DFG::StructureAbstractValue::isValidOffset):
3735         (StructureAbstractValue):
3736         * runtime/Options.h:
3737         (JSC):
3738
3739 2013-07-20  Filip Pizlo  <fpizlo@apple.com>
3740
3741         fourthTier: FTL should be able to generate LLVM IR that uses an intrinsic for OSR exit
3742         https://bugs.webkit.org/show_bug.cgi?id=118948
3743
3744         Reviewed by Sam Weinig.
3745         
3746         - Add the ability to generate LLVM IR but then not use it, via --llvmAlwaysFails=true.
3747           This allows doing "what if" experiments with IR generation, even if the generated IR
3748           can't yet execute.
3749         
3750         - Add an OSR exit path that just calls an intrinsic that combines the branch and the
3751           off-ramp.
3752
3753         * JavaScriptCore.xcodeproj/project.pbxproj:
3754         * dfg/DFGPlan.cpp:
3755         (JSC::DFG::Plan::compileInThreadImpl):
3756         * ftl/FTLFail.cpp: Added.
3757         (FTL):
3758         (JSC::FTL::fail):
3759         * ftl/FTLFail.h: Added.
3760         (FTL):
3761         * ftl/FTLIntrinsicRepository.h:
3762         (FTL):
3763         * ftl/FTLLowerDFGToLLVM.cpp:
3764         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
3765         (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
3766         * runtime/Options.h:
3767         (JSC):
3768
3769 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
3770
3771         fourthTier: StringObjectUse uses structures, and CSE should know that
3772         https://bugs.webkit.org/show_bug.cgi?id=118940
3773
3774         Reviewed by Geoffrey Garen.
3775         
3776         This is asymptomatic right now, but we should fix it.
3777
3778         * JavaScriptCore.xcodeproj/project.pbxproj:
3779         * dfg/DFGCSEPhase.cpp:
3780         (JSC::DFG::CSEPhase::putStructureStoreElimination):
3781         * dfg/DFGEdgeUsesStructure.h: Added.
3782         (DFG):
3783         (EdgeUsesStructure):
3784         (JSC::DFG::EdgeUsesStructure::EdgeUsesStructure):
3785         (JSC::DFG::EdgeUsesStructure::operator()):
3786         (JSC::DFG::EdgeUsesStructure::result):
3787         (JSC::DFG::edgesUseStructure):
3788         * dfg/DFGUseKind.h:
3789         (DFG):
3790         (JSC::DFG::usesStructure):
3791
3792 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
3793
3794         fourthTier: String GetByVal out-of-bounds handling is so wrong
3795         https://bugs.webkit.org/show_bug.cgi?id=118935
3796
3797         Reviewed by Geoffrey Garen.
3798         
3799         Bunch of String GetByVal out-of-bounds fixes:
3800         
3801         - Even if the string proto chain is sane, we need to watch out for negative
3802           indices. They may get values or call getters in the prototypes, since proto
3803           sanity doesn't check for negative indexed properties, as they are not
3804           technically indexed properties.
3805         
3806         - GetByVal String out-of-bounds does in fact clobberWorld(). CSE should be
3807           given this information.
3808         
3809         - GetByVal String out-of-bounds does in fact clobberWorld(). CFA should be
3810           given this information.
3811         
3812         Also fixed some other things:
3813         
3814         - If the DFG is disabled, the testRunner should pretend that we've done a
3815           bunch of DFG compiles. That's necessary to prevent the tests from timing
3816           out.
3817         
3818         - Disassembler shouldn't try to dump source code since it's not safe in the
3819           concurrent JIT.
3820
3821         * API/JSCTestRunnerUtils.cpp:
3822         (JSC::numberOfDFGCompiles):
3823         * JavaScriptCore.xcodeproj/project.pbxproj:
3824         * dfg/DFGAbstractInterpreterInlines.h:
3825         (JSC::DFG::::executeEffects):
3826         * dfg/DFGDisassembler.cpp:
3827         (JSC::DFG::Disassembler::dumpHeader):
3828         * dfg/DFGGraph.h:
3829         (JSC::DFG::Graph::byValIsPure):
3830         * dfg/DFGSaneStringGetByValSlowPathGenerator.h: Added.
3831         (DFG):
3832         (SaneStringGetByValSlowPathGenerator):
3833         (JSC::DFG::SaneStringGetByValSlowPathGenerator::SaneStringGetByValSlowPathGenerator):
3834         (JSC::DFG::SaneStringGetByValSlowPathGenerator::generateInternal):
3835         * dfg/DFGSpeculativeJIT.cpp:
3836         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
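
        As an added illustration, not part of the WebKit change above, the following JavaScript
        (runnable in Node.js) shows the two behaviours the fix accounts for: a negative index on a
        string is an ordinary named-property lookup that can reach a prototype getter, and such a
        getter can mutate arbitrary state, which is why the out-of-bounds path must be treated as
        clobbering the world. The getter installed on String.prototype["-1"] and the object `o`
        are constructed for the demo.

```javascript
// Added example (not WebKit code): why a "sane String prototype chain" check is
// not enough to treat string[index] as a pure load once the index can be negative.
//
// In JavaScript an array index is a canonical integer string in [0, 2^32 - 2].
// "-1" is not one, so a property named "-1" on String.prototype is an ordinary
// named property: "abc"[-1] misses the string's own indexed storage, walks the
// prototype chain, and can run a getter with arbitrary side effects.

function probeNegativeIndexGetter() {
  const log = [];
  // Constructed getter on the prototype under the key "-1".
  Object.defineProperty(String.prototype, "-1", {
    get() { log.push(`getter on ${String(this)}`); return "from-proto"; },
    configurable: true,
  });
  try {
    const s = "abc";
    const inBounds = s[1];   // own indexed property: the prototype is never consulted
    const negative = s[-1];  // key "-1" is not an index: prototype lookup, getter runs
    const tooLarge = s[10];  // genuinely out of bounds, nothing on the chain: undefined
    return { inBounds, negative, tooLarge, calls: log.length };
  } finally {
    delete String.prototype["-1"];
  }
}

// The same lookup can clobber state the compiler believes it knows. Two loads
// of o.x around the "pure-looking" string read cannot be merged (CSE) and the
// abstract state of o cannot be carried across it (CFA).
function probeClobberWorld() {
  const o = { x: 1 };  // constructed object whose state the getter mutates
  Object.defineProperty(String.prototype, "-1", {
    get() { o.x = 2; return undefined; },
    configurable: true,
  });
  try {
    const before = o.x;  // 1
    "abc"[-1];           // looks like an out-of-bounds read, but mutates o
    const after = o.x;   // 2: merging the two loads would be unsound
    return { before, after };
  } finally {
    delete String.prototype["-1"];
  }
}

console.log(probeNegativeIndexGetter());
console.log(probeClobberWorld());
```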
3837
3838 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
3839
3840         fourthTier: Structure::isValidOffset() should be able to tell you if you're loading a valid JSValue, and not just not crashing
3841         https://bugs.webkit.org/show_bug.cgi?id=118911
3842
3843         Reviewed by Geoffrey Garen.
3844         
3845         We could also have a separate method like "willNotCrash(offset)", but that's not
3846         what isValidOffset() is intended to mean.
3847
3848         * runtime/Structure.h:
3849         (JSC::Structure::isValidOffset):
3850
3851 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
3852
3853         fourthTier: Structure should be able to tell you if it's valid to load at a given offset from any object with that structure
3854         https://bugs.webkit.org/show_bug.cgi?id=118878
3855
3856         Reviewed by Oliver Hunt.
3857         
3858         - Change Structure::isValidOffset() to actually answer the question "If I attempted
3859           to load from an object of this structure, at this offset, would I commit suicide
3860           or would I get back some kind of value?"
3861         
3862         - Change StorageAccessData::offset to use a PropertyOffset. It should have been that
3863           way from the start.
3864         
3865         - Fix PutStructure so that it sets haveStructures in all of the cases that it should.
3866         
3867         - Make GetByOffset also reference the base object in addition to the butterfly.
3868         
3869         The future use of this power will be to answer questions like "If I hoisted this
3870         GetByOffset or PutByOffset to this point, would it cause crashes, or would it be
3871         fine?"
3872         
3873         I don't currently plan to use this power to perform validation, since the CSE has
3874         the power to eliminate CheckStructure's that the CFA wouldn't be smart enough to
3875         remove - both in the case of StructureSets where size >= 2 and in the case of
3876         CheckStructures that match across PutStructures. At first I tried to write a
3877         validator that was aware of this, but the validation code got way too complicated
3878         and I started having nightmares of spurious assertion bugs being filed against me.
3879         
3880         This also changes some of the code for how we hash FunctionExecutable's for debug
3881         dumps, since that code still had some thread-safety issues. Basically, the
3882         concurrent JIT needs to use the CodeBlock's precomputed hash and never call anything
3883         that could transitively try to compute the hash from the source code. The source
3884         code is a string that may be lazily computed, and that involves all manner of thread
3885         unsafe things.
3886
3887         * bytecode/CodeOrigin.cpp:
3888         (JSC::InlineCallFrame::hash):
3889         * dfg/DFGAbstractInterpreterInlines.h:
3890         (JSC::DFG::::executeEffects):
3891         * dfg/DFGByteCodeParser.cpp:
3892         (JSC::DFG::ByteCodeParser::handleGetByOffset):
3893         (JSC::DFG::ByteCodeParser::handlePutByOffset):
3894         (JSC::DFG::ByteCodeParser::parseBlock):
3895         * dfg/DFGCFAPhase.cpp:
3896         (JSC::DFG::CFAPhase::performBlockCFA):
3897         * dfg/DFGConstantFoldingPhase.cpp:
3898         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3899         * dfg/DFGFixupPhase.cpp:
3900         (JSC::DFG::FixupPhase::fixupNode):
3901         * dfg/DFGGraph.h:
3902         (StorageAccessData):
3903         * dfg/DFGNode.h:
3904         (JSC::DFG::Node::convertToGetByOffset):
3905         * dfg/DFGSpeculativeJIT64.cpp:
3906         (JSC::DFG::SpeculativeJIT::compile):
3907         * ftl/FTLLowerDFGToLLVM.cpp:
3908         (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
3909         (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
3910         * runtime/FunctionExecutableDump.cpp:
3911         (JSC::FunctionExecutableDump::dump):
3912         * runtime/Structure.h:
3913         (Structure):
3914         (JSC::Structure::isValidOffset):
3915
3916 2013-07-18  Filip Pizlo  <fpizlo@apple.com>
3917
3918         fourthTier: AbstractInterpreter should explicitly ask AbstractState to create new AbstractValues for newly born nodes
3919         https://bugs.webkit.org/show_bug.cgi?id=118880
3920
3921         Reviewed by Sam Weinig.
3922         
3923         It should be possible to have an AbstractState that is backed by a HashMap. But to
3924         do this, the AbstractInterpreter should explicitly ask for new nodes to be added to
3925         the map, since otherwise the idiom of getting a reference to the AbstractValue
3926         returned by forNode() would cause really subtle memory corruption bugs.
3927
3928         * dfg/DFGAbstractInterpreterInlines.h:
3929         (JSC::DFG::::executeEffects):
3930         * dfg/DFGInPlaceAbstractState.h:
3931         (JSC::DFG::InPlaceAbstractState::createValueForNode):
3932         (InPlaceAbstractState):
3933
3934 2013-07-18  Filip Pizlo  <fpizlo@apple.com>
3935
3936         fourthTier: Decouple the way that CFA stores its state from the way it does abstract interpretation
3937         https://bugs.webkit.org/show_bug.cgi?id=118835
3938
3939         Reviewed by Oliver Hunt.
3940         
3941         This separates AbstractState into two things:
3942         
3943         - InPlaceAbstractState, which can tell you the abstract state of anything you
3944           might care about, and uses the old AbstractState's algorit