Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-08-21  Filip Pizlo  <fpizlo@apple.com>

        Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView
        https://bugs.webkit.org/show_bug.cgi?id=120099

        Reviewed by Mark Hahnenberg.

        JSDataView should not store the ArrayBuffer* in the butterfly indexing header, since
        JSDataView may have ordinary JS indexed properties.

        * runtime/ClassInfo.h:
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        (JSC::JSArrayBufferView::finishCreation):
        * runtime/JSArrayBufferView.h:
        (JSC::hasArrayBuffer):
        * runtime/JSArrayBufferViewInlines.h:
        (JSC::JSArrayBufferView::buffer):
        (JSC::JSArrayBufferView::neuter):
        (JSC::JSArrayBufferView::byteOffset):
        * runtime/JSCell.cpp:
        (JSC::JSCell::slowDownAndWasteMemory):
        * runtime/JSCell.h:
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::JSDataView):
        (JSC::JSDataView::create):
        (JSC::JSDataView::slowDownAndWasteMemory):
        * runtime/JSDataView.h:
        (JSC::JSDataView::buffer):
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::::visitChildren):
        (JSC::::slowDownAndWasteMemory):

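The entry above rests on one observable difference between a DataView and a typed array: a DataView is an ordinary object that can carry plain integer-keyed own properties, whereas a typed array routes integer keys to its buffer and never creates such properties. The following is an added illustration of that difference, not WebKit code; the buffer contents and function names are constructed for the example.

```javascript
// Added example (not part of the WebKit ChangeLog or JSC sources).
// Contrasts how integer-keyed writes behave on a DataView versus a typed
// array over the same constructed ArrayBuffer.
function probeIndexedProperties() {
  const buffer = new ArrayBuffer(8);      // constructed sample buffer, all zero
  const view = new DataView(buffer);
  const bytes = new Uint8Array(buffer);

  // A DataView stores integer keys as ordinary own properties: the write
  // never reaches the buffer, and the keys show up in Object.keys().
  view[0] = 42;
  view[3] = 'x';
  const afterDataViewWrite = {
    ownKeys: Object.keys(view),           // ['0', '3']
    bufferByte0: bytes[0],                // still 0
  };

  // A typed array is an integer-indexed exotic object: in-range writes go to
  // the buffer, out-of-range writes are dropped, and no ordinary own property
  // is created for an integer key.
  bytes[0] = 42;
  bytes[100] = 7;
  const afterTypedArrayWrite = {
    ownKeys: Object.keys(bytes),          // '0'..'7' only (buffer length 8)
    outOfRange: bytes[100],               // undefined
    hasOwn100: Object.prototype.hasOwnProperty.call(bytes, '100'), // false
    bufferByte0: new DataView(buffer).getUint8(0),                // 42
  };

  return { afterDataViewWrite, afterTypedArrayWrite };
}
```

Because a DataView can legitimately own indexed properties, any engine design that reuses its indexing storage for a different purpose (here, the ArrayBuffer pointer) creates a layout ambiguity that the GC cannot resolve, which is what the assertion above caught.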
2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove incorrect ASSERT from CopyVisitor::visitItem

        Rubber stamped by Filip Pizlo.

        * heap/CopyVisitorInlines.h:
        (JSC::CopyVisitor::visitItem):

2013-08-21  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120127
        Remove JSObject::propertyIsEnumerable

        Reviewed by Sam Weinig.

        This method is just a wart - it contains unnecessary const-casting, function call overhead, and LOC.

        * runtime/JSObject.cpp:
        * runtime/JSObject.h:
            - remove propertyIsEnumerable
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncPropertyIsEnumerable):
            - Move implementation here using getOwnPropertyDescriptor directly.

2013-08-20  Filip Pizlo  <fpizlo@apple.com>

        DFG should inline new typedArray()
        https://bugs.webkit.org/show_bug.cgi?id=120022

        Reviewed by Oliver Hunt.

        Adds inlining of typed array allocations in the DFG. Any operation of the
        form:

            new foo(blah)

        or:

            foo(blah)

        where 'foo' is a typed array constructor and 'blah' is exactly one argument,
        is turned into the NewTypedArray intrinsic. Later, if child1 (i.e. 'blah')
        is predicted integer, we generate inline code for an allocation. Otherwise
        it turns into a call to an operation that behaves like the constructor would
        if it was passed one argument (i.e. it may wrap a buffer or it may create a
        copy of another array, or it may allocate an array of that length).

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromTypedArrayType):
        (JSC::speculationFromClassInfo):
        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasTypedArrayType):
        (JSC::DFG::Node::typedArrayType):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::newTypedArrayWithSize):
        (JSC::DFG::newTypedArrayWithOneArgument):
        * dfg/DFGOperations.h:
        (JSC::DFG::operationNewTypedArrayWithSizeForType):
        (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_object):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_new_object):
        * runtime/JSArray.h:
        (JSC::JSArray::allocationSize):
        * runtime/JSArrayBufferView.h:
        (JSC::JSArrayBufferView::allocationSize):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayView):
        * runtime/JSObject.h:
        (JSC::JSFinalObject::allocationSize):
        * runtime/TypedArrayType.cpp:
        (JSC::constructorClassInfoForType):
        * runtime/TypedArrayType.h:
        (JSC::indexToTypedArrayType):

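The entry above explains why only the integer-argument case of a one-argument typed array constructor is inlined as a plain allocation: the same call shape can also wrap an existing buffer or copy another array, and those paths have their own validity checks. The following is an added example, not WebKit code, that classifies the three behaviours on constructed inputs and exercises the two RangeError edge cases (a buffer whose byte length does not divide by the element size, and a negative length). The helper names are our own.

```javascript
// Added example (not part of the WebKit ChangeLog or JSC sources).
// Classifies what `new Ctor(arg)` does for a single argument and reports
// whether the resulting view shares memory with its source.
function constructionKind(Ctor, arg) {
  const view = new Ctor(arg);
  if (arg instanceof ArrayBuffer) {
    // Wraps the buffer in place: no copy, memory is shared with every other view.
    return { kind: 'wrap-buffer', sharesMemory: view.buffer === arg, length: view.length };
  }
  if (ArrayBuffer.isView(arg) || Array.isArray(arg)) {
    // Copies the elements into freshly allocated storage.
    const shares = ArrayBuffer.isView(arg) && view.buffer === arg.buffer;
    return { kind: 'copy', sharesMemory: shares, length: view.length };
  }
  // Anything else is converted to a length: the only case that is a plain
  // fixed-size allocation and therefore the one the DFG can inline.
  return { kind: 'allocate-length', sharesMemory: false, length: view.length };
}

// Returns true only if fn throws a RangeError (the spec-mandated failure for
// bad lengths and misaligned buffers).
function throwsRangeError(fn) {
  try {
    fn();
    return false;
  } catch (e) {
    return e instanceof RangeError;
  }
}

function runSamples() {
  const buf = new ArrayBuffer(8);                 // constructed sample buffer
  const src = new Uint8Array([1, 2, 3, 4]);       // constructed source array

  // Aliasing check: a write through a wrapping view is visible through a
  // different view of the same buffer (byte order depends on the platform,
  // so compare the sum of the two bytes rather than their positions).
  const wrapped = new Uint16Array(buf);
  wrapped[0] = 0x0102;
  const bytes = new Uint8Array(buf);

  return {
    fromLength: constructionKind(Uint8Array, 4),
    fromBuffer: constructionKind(Uint16Array, buf),
    fromView: constructionKind(Int32Array, src),
    fromArray: constructionKind(Float64Array, [1.5, 2.5]),
    aliasingVisible: bytes[0] + bytes[1] === 3,
    misalignedBufferThrows: throwsRangeError(() => new Uint16Array(new ArrayBuffer(3))),
    negativeLengthThrows: throwsRangeError(() => new Uint8Array(-1)),
  };
}
```

The practical point for anyone reviewing such an optimisation is that the inlined path must only fire when the speculation (argument is an integer) is checked, since the other two paths carry alignment and length validation that a raw allocation would skip.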
2013-08-21  Julien Brianceau  <jbrianceau@nds.com>

        <https://webkit.org/b/120106> Fix V_DFGOperation_EJPP signature in DFG.

        Reviewed by Geoffrey Garen.

        * dfg/DFGOperations.h:

2013-08-20  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120093
        Remove getOwnPropertyDescriptor trap

        Reviewed by Geoff Garen.

        All implementations of this method are now called via the method table, and equivalent in behaviour.
        Remove all duplicate implementations (and the method table trap), and add a single member function implementation on JSObject.

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        * debugger/DebuggerActivation.cpp:
        * debugger/DebuggerActivation.h:
        * runtime/Arguments.cpp:
        * runtime/Arguments.h:
        * runtime/ArrayConstructor.cpp:
        * runtime/ArrayConstructor.h:
        * runtime/ArrayPrototype.cpp:
        * runtime/ArrayPrototype.h:
        * runtime/BooleanPrototype.cpp:
        * runtime/BooleanPrototype.h:
            - remove getOwnPropertyDescriptor
        * runtime/ClassInfo.h:
            - remove getOwnPropertyDescriptor from MethodTable
        * runtime/DateConstructor.cpp:
        * runtime/DateConstructor.h:
        * runtime/DatePrototype.cpp:
        * runtime/DatePrototype.h:
        * runtime/ErrorPrototype.cpp:
        * runtime/ErrorPrototype.h:
        * runtime/JSActivation.cpp:
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        * runtime/JSArray.h:
        * runtime/JSArrayBuffer.cpp:
        * runtime/JSArrayBuffer.h:
        * runtime/JSArrayBufferView.cpp:
        * runtime/JSArrayBufferView.h:
        * runtime/JSCell.cpp:
        * runtime/JSCell.h:
        * runtime/JSDataView.cpp:
        * runtime/JSDataView.h:
        * runtime/JSDataViewPrototype.cpp:
        * runtime/JSDataViewPrototype.h:
        * runtime/JSFunction.cpp:
        * runtime/JSFunction.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSNotAnObject.h:
        * runtime/JSONObject.cpp:
        * runtime/JSONObject.h:
            - remove getOwnPropertyDescriptor
        * runtime/JSObject.cpp:
        (JSC::JSObject::propertyIsEnumerable):
            - switch to call new getOwnPropertyDescriptor member function
        (JSC::JSObject::getOwnPropertyDescriptor):
            - new, based on implementation from GET_OWN_PROPERTY_DESCRIPTOR_IMPL
        (JSC::JSObject::defineOwnNonIndexProperty):
            - switch to call new getOwnPropertyDescriptor member function
        * runtime/JSObject.h:
        * runtime/JSProxy.cpp:
        * runtime/JSProxy.h:
        * runtime/NamePrototype.cpp:
        * runtime/NamePrototype.h:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberConstructor.h:
        * runtime/NumberPrototype.cpp:
        * runtime/NumberPrototype.h:
            - remove getOwnPropertyDescriptor
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
            - switch to call new getOwnPropertyDescriptor member function
        * runtime/ObjectConstructor.h:
            - remove getOwnPropertyDescriptor
        * runtime/PropertyDescriptor.h:
            - remove GET_OWN_PROPERTY_DESCRIPTOR_IMPL
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.cpp:
        * runtime/RegExpMatchesArray.h:
        * runtime/RegExpObject.cpp:
        * runtime/RegExpObject.h:
        * runtime/RegExpPrototype.cpp:
        * runtime/RegExpPrototype.h:
        * runtime/StringConstructor.cpp:
        * runtime/StringConstructor.h:
        * runtime/StringObject.cpp:
        * runtime/StringObject.h:
            - remove getOwnPropertyDescriptor

2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        <https://webkit.org/b/120079> Flattening a dictionary can cause CopiedSpace corruption

        Reviewed by Oliver Hunt.

        When we flatten an object in dictionary mode, we compact its properties. If the object
        had out-of-line storage in the form of a Butterfly prior to this compaction, and after
        compaction its properties fit inline, the object's Structure "forgets" that the object
        has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes
        with bytes = 0, which causes all sorts of badness in CopiedSpace.

        Instead, after we flatten a dictionary, if properties fit inline we should clear the
        Butterfly pointer so that the GC doesn't get confused later.

        This patch does this clearing, and it also adds JSObject::checkStructure, which overrides
        JSCell::checkStructure to add an ASSERT that makes sure that the Structure being assigned
        agrees with whether or not the object has a Butterfly. Also added an ASSERT to check
        that the number of bytes reported to SlotVisitor::copyLater is non-zero.

        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::copyLater):
        * runtime/JSObject.cpp:
        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToContiguous):
        (JSC::JSObject::genericConvertDoubleToContiguous):
        (JSC::JSObject::switchToSlowPutArrayStorage):
        (JSC::JSObject::setPrototype):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::seal):
        (JSC::JSObject::freeze):
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        (JSC::JSObject::removeDirect):
        * runtime/JSObject.h:
        (JSC::JSObject::setButterfly):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::setStructure):
        (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure):

2013-08-20  Alex Christensen  <achristensen@apple.com>

        Compile fix for Win64 after r154156.

        Rubber stamped by Oliver Hunt.

        * jit/JITStubsMSVC64.asm:
        Renamed ctiVMThrowTrampolineSlowpath to ctiVMHandleException and
        cti_vm_throw_slowpath to cti_vm_handle_exception.

2013-08-20  Alex Christensen  <achristensen@apple.com>

        <https://webkit.org/b/120076> More work towards a Win64 build

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
        * JavaScriptCore.vcxproj/copy-files.cmd:
        * JavaScriptCore.vcxproj/jsc/jscCommon.props:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
        Use PlatformArchitecture macro instead of bin32, lib32, and obj32.

2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML

        Reviewed by Geoffrey Garen.

        More fixes for WriteBarrier deferral during concurrent JIT-ing. This patch makes the use of DesiredWriteBarriers class and the
        initializeLazyWriteBarrierFor* wrapper functions more sane.

        Refactored DesiredWriteBarrier to require an owner, a type, a CodeBlock, and an index. The type indicates how to use the CodeBlock
        and index when triggering the WriteBarrier at the end of compilation.

        The client code of initializeLazy* is now responsible for creating the WriteBarrier that will be initialized as well as passing
        in the relevant index to be used at the end of compilation. Things were kind of muddled before in that one function did a
        little extra work that really shouldn't have been its responsibility.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addConstant):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGDesiredWriteBarriers.cpp:
        (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
        (JSC::DFG::DesiredWriteBarrier::trigger):
        * dfg/DFGDesiredWriteBarriers.h:
        (JSC::DFG::DesiredWriteBarriers::add):
        (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameExecutable):
        (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameCallee):
        (JSC::DFG::initializeLazyWriteBarrierForConstant):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::truncateConstantToInt32):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::constantRegisterForConstant):

2013-08-20  Michael Saboff  <msaboff@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120075
        REGRESSION (r128400): BBC4 website not displaying pictures

        Reviewed by Oliver Hunt.

        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::createStructure): Changed the array IndexingType to be ArrayWithSlowPutArrayStorage
        so that the match results will be reified before any other modification to the results array.

2013-08-19  Filip Pizlo  <fpizlo@apple.com>

        Incorrect behavior on emscripten-compiled cube2hash
        https://bugs.webkit.org/show_bug.cgi?id=120033

        Reviewed by Mark Hahnenberg.

        If PutClosureVar is may-aliased to another PutClosureVar or GetClosureVar
        then we should bail attempts to CSE.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::scopedVarLoadElimination):
        (JSC::DFG::CSEPhase::scopedVarStoreElimination):

2013-08-20  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120073
        Remove use of GOPD from JSFunction::defineProperty

        Reviewed by Oliver Hunt.

        Call getOwnPropertySlot to check for existing properties instead.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::defineOwnProperty):
            - getOwnPropertyDescriptor -> getOwnPropertySlot

2013-08-20  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120067
        Remove getPropertyDescriptor

        Reviewed by Oliver Hunt.

        This is used by lookupGetter/lookupSetter - this can easily be replaced by getPropertySlot.
        Since we'll be getting the GetterSetter from the slot in the setter case, rename isGetter() to isAccessor().

        * runtime/JSObject.cpp:
        * runtime/JSObject.h:
            - remove getPropertyDescriptor
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):
            - replace call to getPropertyDescriptor with getPropertySlot
        * runtime/PropertyDescriptor.h:
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::isAccessor):
        (JSC::PropertySlot::isCacheableGetter):
        (JSC::PropertySlot::getterSetter):
            - rename isGetter() to isAccessor()

2013-08-20  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120054
        Remove some dead code following getOwnPropertyDescriptor cleanup

        Reviewed by Oliver Hunt.

        * runtime/Lookup.h:
        (JSC::getStaticFunctionSlot):
            - remove getStaticPropertyDescriptor, getStaticFunctionDescriptor, getStaticValueDescriptor.

2013-08-20  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120052
        Remove custom getOwnPropertyDescriptor for JSProxy

        Reviewed by Geoff Garen.

        GET_OWN_PROPERTY_DESCRIPTOR_IMPL runs afoul of JSProxy due to the workaround for JSDOMWindow's broken behavior.
        Because the window object incorrectly searches the prototype chain in getOwnPropertySlot we check that the base
        object matches, but in the case of JSProxy we can end up comparing the window object to the window shell & falsely
        assuming this is a prototype property. Add toThis conversion to correctly identify proxied own access. I've kept
        the original slotBase check as a fast case, and also so that direct access on JSDOMWindow still works.

        * runtime/JSProxy.cpp:
            - Remove custom getOwnPropertyDescriptor implementation.
        * runtime/PropertyDescriptor.h:
            - Modify own property access check to perform toThis conversion.

2013-08-20  Alex Christensen  <achristensen@apple.com>

        Use PlatformArchitecture to distinguish between 32-bit and 64-bit builds on Windows.
        https://bugs.webkit.org/show_bug.cgi?id=119512

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
        Replaced obj32, bin32, and lib32 with macros for 64-bit build.

2013-08-20  Julien Brianceau  <jbrianceau@nds.com>

        <https://webkit.org/b/120062> Missing ensureSpace call in sh4 baseline JIT.

        Reviewed by Allan Sandfeld Jensen.

        branchPtrWithPatch() of baseline JIT must ensure that space is available for its
        instructions and two constants now that DFG is enabled for sh4 architecture.
        These missing ensureSpace calls lead to random crashes.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branchPtrWithPatch):

2013-08-19  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120034
        Remove custom getOwnPropertyDescriptor for global objects

        Reviewed by Geoff Garen.

        Fix attributes of JSC SymbolTableObject entries, ensure that cross frame access is safe, and suppress prototype chain walk.

        * runtime/JSGlobalObject.cpp:
            - Remove custom getOwnPropertyDescriptor implementation.
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTableGet):
            - The symbol table does not store the DontDelete attribute, we should be adding it back in.
        * runtime/PropertyDescriptor.h:
            - JSDOMWindow walks the prototype chain on own access. This is bad, but for now workaround for the getOwnPropertyDescriptor case.
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::setUndefined):
            - This is used by WebCore when blocking access to properties on cross-frame access.
              Mark blocked properties as read-only, non-configurable to prevent defineProperty.

2013-08-17  Filip Pizlo  <fpizlo@apple.com>

        DFG should inline typedArray.byteOffset
        https://bugs.webkit.org/show_bug.cgi?id=119962

        Reviewed by Oliver Hunt.

        This adds a new node, GetTypedArrayByteOffset, which inlines
        typedArray.byteOffset.

        Also, I improved a bunch of the clobbering logic related to typed arrays
        and clobbering in general. For example, PutByOffset/PutStructure are not
        clobber-world so they can be handled by most default cases in CSE. Also,
        it's better to use the 'Class_field' notation for typed arrays now that
        they no longer involve magical descriptor thingies.

        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::neverNeedsStorage):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::checkArrayElimination):
        (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
        (JSC::DFG::FixupPhase::convertToGetArrayLength):
        (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        * runtime/ArrayBuffer.h:
        (JSC::ArrayBuffer::offsetOfData):
        * runtime/Butterfly.h:
        (JSC::Butterfly::offsetOfArrayBuffer):
        * runtime/IndexingHeader.h:
        (JSC::IndexingHeader::offsetOfArrayBuffer):

2013-08-18  Filip Pizlo  <fpizlo@apple.com>

        <https://webkit.org/b/119994> DFG new Array() inlining could get confused about global objects

        Reviewed by Geoffrey Garen.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):

2013-08-18  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=119995
        Start removing custom implementations of getOwnPropertyDescriptor

        Reviewed by Oliver Hunt.

        This can now typically be implemented in terms of getOwnPropertySlot.
        Add a macro to PropertyDescriptor to define an implementation of GOPD in terms of GOPS.
        Switch over most classes in JSC & the WebCore bindings generator to use this.

        * API/JSCallbackObjectFunctions.h:
        * debugger/DebuggerActivation.cpp:
        * runtime/Arguments.cpp:
        * runtime/ArrayConstructor.cpp:
        * runtime/ArrayPrototype.cpp:
        * runtime/BooleanPrototype.cpp:
        * runtime/DateConstructor.cpp:
        * runtime/DatePrototype.cpp:
        * runtime/ErrorPrototype.cpp:
        * runtime/JSActivation.cpp:
        * runtime/JSArray.cpp:
        * runtime/JSArrayBuffer.cpp:
        * runtime/JSArrayBufferView.cpp:
        * runtime/JSCell.cpp:
        * runtime/JSDataView.cpp:
        * runtime/JSDataViewPrototype.cpp:
        * runtime/JSFunction.cpp:
        * runtime/JSGenericTypedArrayViewInlines.h:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSONObject.cpp:
        * runtime/JSObject.cpp:
        * runtime/NamePrototype.cpp:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberPrototype.cpp:
        * runtime/ObjectConstructor.cpp:
            - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
        * runtime/PropertyDescriptor.h:
            - Added GET_OWN_PROPERTY_DESCRIPTOR_IMPL macro.
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::isValue):
        (JSC::PropertySlot::isGetter):
        (JSC::PropertySlot::isCustom):
        (JSC::PropertySlot::isCacheableValue):
        (JSC::PropertySlot::isCacheableGetter):
        (JSC::PropertySlot::isCacheableCustom):
        (JSC::PropertySlot::attributes):
        (JSC::PropertySlot::getterSetter):
            - Add accessors necessary to convert PropertySlot to descriptor.
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpMatchesArray.cpp:
        * runtime/RegExpMatchesArray.h:
        * runtime/RegExpObject.cpp:
        * runtime/RegExpPrototype.cpp:
        * runtime/StringConstructor.cpp:
        * runtime/StringObject.cpp:
            - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.

2013-08-19  Michael Saboff  <msaboff@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120015 DFG 32Bit: Crash loading "Classic" site @ translate.google.com

        Reviewed by Sam Weinig.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell): Added checks for spillFormat being
        DataFormatInteger or DataFormatDouble similar to what is in the 64 bit code and in
        all versions of fillSpeculateBoolean().

2013-08-19  Michael Saboff  <msaboff@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120020 Change Set 154207 causes wrong register to be used for 32 bit tests

        Reviewed by Benjamin Poulain.

        Change branchTest32 to only use the byte for 8 bit test on the lower 4 registers.
        Registers 4 through 7 as byte registers are ah, ch, dh and bh instead of sp, bp, si and di.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::branchTest32):

2013-08-16  Oliver Hunt  <oliver@apple.com>

        <https://webkit.org/b/119860> Crash during exception unwinding

        Reviewed by Filip Pizlo.

        Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error
        to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node.

        We need this so that Throw and ThrowReferenceError no longer need to be treated as
        terminals and the subsequent flush keeps the activation (and other registers) live.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isTerminal):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-08-19  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>

        <https://webkit.org/b/120008> [GTK][ARM] javascriptcore compilation is broken

        Reviewed by Oliver Hunt.

        Guard the compilation of these files only if DFG_JIT is enabled.

        * dfg/DFGDesiredTransitions.cpp:
        * dfg/DFGDesiredTransitions.h:
        * dfg/DFGDesiredWeakReferences.cpp:
        * dfg/DFGDesiredWeakReferences.h:
        * dfg/DFGDesiredWriteBarriers.cpp:
        * dfg/DFGDesiredWriteBarriers.h:

2013-08-17  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r154218): DFG::FixupPhase no longer turns GetById's child1 into CellUse
        https://bugs.webkit.org/show_bug.cgi?id=119961

        Reviewed by Mark Hahnenberg.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

697 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
698
699         https://bugs.webkit.org/show_bug.cgi?id=119972
700         Add attributes field to PropertySlot
701
702         Reviewed by Geoff Garen.
703
704         For all JSC types, this makes getOwnPropertyDescriptor redundant.
705         There will be a bit more hacking required in WebCore to remove GOPD whilst maintaining current behaviour.
706         (Current behaviour is in many ways broken, particularly in that GOPD & GOPS are inconsistent, but we should fix incrementally).
707
708         No performance impact.
709
710         * runtime/PropertySlot.h:
711         (JSC::PropertySlot::setValue):
712         (JSC::PropertySlot::setCustom):
713         (JSC::PropertySlot::setCacheableCustom):
714         (JSC::PropertySlot::setCustomIndex):
715         (JSC::PropertySlot::setGetterSlot):
716         (JSC::PropertySlot::setCacheableGetterSlot):
717             - These methods now all require 'attributes'.
718         * runtime/JSObject.h:
719         (JSC::JSObject::getDirect):
720         (JSC::JSObject::getDirectOffset):
721         (JSC::JSObject::inlineGetOwnPropertySlot):
722             - Added variants of getDirect, getDirectOffset that return the attributes.
723         * API/JSCallbackObjectFunctions.h:
724         (JSC::::getOwnPropertySlot):
725         * runtime/Arguments.cpp:
726         (JSC::Arguments::getOwnPropertySlotByIndex):
727         (JSC::Arguments::getOwnPropertySlot):
728         * runtime/JSActivation.cpp:
729         (JSC::JSActivation::symbolTableGet):
730         (JSC::JSActivation::getOwnPropertySlot):
731         * runtime/JSArray.cpp:
732         (JSC::JSArray::getOwnPropertySlot):
733         * runtime/JSArrayBuffer.cpp:
734         (JSC::JSArrayBuffer::getOwnPropertySlot):
735         * runtime/JSArrayBufferView.cpp:
736         (JSC::JSArrayBufferView::getOwnPropertySlot):
737         * runtime/JSDataView.cpp:
738         (JSC::JSDataView::getOwnPropertySlot):
739         * runtime/JSFunction.cpp:
740         (JSC::JSFunction::getOwnPropertySlot):
741         * runtime/JSGenericTypedArrayViewInlines.h:
742         (JSC::::getOwnPropertySlot):
743         (JSC::::getOwnPropertySlotByIndex):
744         * runtime/JSObject.cpp:
745         (JSC::JSObject::getOwnPropertySlotByIndex):
746         (JSC::JSObject::fillGetterPropertySlot):
747         * runtime/JSString.h:
748         (JSC::JSString::getStringPropertySlot):
749         * runtime/JSSymbolTableObject.h:
750         (JSC::symbolTableGet):
751         * runtime/Lookup.cpp:
752         (JSC::setUpStaticFunctionSlot):
753         * runtime/Lookup.h:
754         (JSC::getStaticPropertySlot):
755         (JSC::getStaticPropertyDescriptor):
756         (JSC::getStaticValueSlot):
757         (JSC::getStaticValueDescriptor):
758         * runtime/RegExpObject.cpp:
759         (JSC::RegExpObject::getOwnPropertySlot):
760         * runtime/SparseArrayValueMap.cpp:
761         (JSC::SparseArrayEntry::get):
762             - Pass attributes to PropertySlot::set* methods.
763
764 2013-08-17  Mark Hahnenberg  <mhahnenberg@apple.com>
765
766         <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
767
768         Reviewed by Filip Pizlo.
769
770         Added a new mode for DesiredWriteBarrier that allows it to track a position in a 
771         Vector of WriteBarriers rather than the specific address. The fact that we were 
772         arbitrarily storing into a Vector's backing store for constants at the end of 
773         compilation after the Vector could have resized was causing crashes.
774
775         * bytecode/CodeBlock.h:
776         (JSC::CodeBlock::constants):
777         (JSC::CodeBlock::addConstantLazily):
778         * dfg/DFGByteCodeParser.cpp:
779         (JSC::DFG::ByteCodeParser::addConstant):
780         * dfg/DFGDesiredWriteBarriers.cpp:
781         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
782         (JSC::DFG::DesiredWriteBarrier::trigger):
783         (JSC::DFG::initializeLazyWriteBarrierForConstant):
784         * dfg/DFGDesiredWriteBarriers.h:
785         (JSC::DFG::DesiredWriteBarriers::add):
786         * dfg/DFGFixupPhase.cpp:
787         (JSC::DFG::FixupPhase::truncateConstantToInt32):
788         * dfg/DFGGraph.h:
789         (JSC::DFG::Graph::constantRegisterForConstant):
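
The hazard this entry describes, as an added C++ example that is not WebKit's code: a deferred store that remembers a raw pointer into a std::vector's backing store dangles once the vector grows, while a record of (owning vector, index) resolved at trigger time stays valid. BarrierSlot, DeferredWriteByAddress and DeferredWriteByIndex are stand-ins invented for the example; nothing is dereferenced through the stale pointer, addresses are only compared as integers.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Stand-in for a WriteBarrier<T> slot in a constant vector: the value plus a
// flag recording that the GC was notified of the store (hypothetical type).
struct BarrierSlot {
    int value = 0;
    bool barrierFired = false;
};

// Buggy pattern: the deferred write remembers the slot's address when it is
// scheduled. std::vector may reallocate its backing store on growth, after
// which this pointer no longer refers to live storage.
struct DeferredWriteByAddress {
    BarrierSlot* slot;
    int value;
};

// Fixed pattern: remember the owning vector and the element index, and
// resolve the address only when the write is actually performed.
struct DeferredWriteByIndex {
    std::vector<BarrierSlot>* owner;
    size_t index;
    int value;

    void trigger() {
        BarrierSlot& s = (*owner)[index];
        s.value = value;
        s.barrierFired = true;
    }
};

// Schedules a by-address write for element 0, grows the vector by `growth`
// elements and reports whether the remembered address still names the live
// storage after every growth step. Returns true only if no reallocation moved
// the elements (i.e. the by-address write would still be safe).
bool addressStillValidAfterGrowth(size_t growth) {
    std::vector<BarrierSlot> constants(1);
    DeferredWriteByAddress pending { &constants[0], 42 };
    uintptr_t remembered = reinterpret_cast<uintptr_t>(pending.slot);
    bool moved = false;
    for (size_t i = 0; i < growth; ++i) {
        constants.emplace_back();
        if (reinterpret_cast<uintptr_t>(constants.data()) != remembered)
            moved = true; // backing store was reallocated; pending.slot dangles
    }
    return !moved;
}

// Same scenario with the index-based record: the write lands in the live
// element regardless of how many reallocations happened in between.
// Returns the stored value, or -1 if the barrier flag was not set.
int valueWrittenAfterGrowth(size_t growth) {
    std::vector<BarrierSlot> constants(1);
    DeferredWriteByIndex pending { &constants, 0, 42 };
    for (size_t i = 0; i < growth; ++i)
        constants.emplace_back();
    pending.trigger();
    return constants[0].barrierFired ? constants[0].value : -1;
}
```

The index-based record is only sound while the vector never shrinks or reorders below the remembered index between scheduling and trigger, which is the invariant a deferred-barrier list has to maintain; an address sanitizer build would flag the by-address variant as a heap use-after-free at the first dereference.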
790
791 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
792
793         DFG should optimize typedArray.byteLength
794         https://bugs.webkit.org/show_bug.cgi?id=119909
795
796         Reviewed by Oliver Hunt.
797         
798         This adds typedArray.byteLength inlining to the DFG, and does so without changing
799         the IR: byteLength is turned into GetArrayLength followed by BitLShift. This is
800         legal since the byteLength of a typed array cannot exceed
801         numeric_limits<int32_t>::max().
802
803         * bytecode/SpeculatedType.cpp:
804         (JSC::typedArrayTypeFromSpeculation):
805         * bytecode/SpeculatedType.h:
806         * dfg/DFGArrayMode.cpp:
807         (JSC::DFG::toArrayType):
808         * dfg/DFGArrayMode.h:
809         * dfg/DFGFixupPhase.cpp:
810         (JSC::DFG::FixupPhase::fixupNode):
811         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
812         (JSC::DFG::FixupPhase::attemptToMakeGetByteLength):
813         (JSC::DFG::FixupPhase::convertToGetArrayLength):
814         (JSC::DFG::FixupPhase::prependGetArrayLength):
815         * dfg/DFGGraph.h:
816         (JSC::DFG::Graph::constantRegisterForConstant):
817         (JSC::DFG::Graph::convertToConstant):
818         * runtime/TypedArrayType.h:
819         (JSC::logElementSize):
820         (JSC::elementSize):
821
822 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
823
824         DFG optimizes out strict mode arguments tear off
825         https://bugs.webkit.org/show_bug.cgi?id=119504
826
827         Reviewed by Mark Hahnenberg and Oliver Hunt.
828         
829         Don't do the optimization for strict mode.
830
831         * dfg/DFGArgumentsSimplificationPhase.cpp:
832         (JSC::DFG::ArgumentsSimplificationPhase::run):
833         (JSC::DFG::ArgumentsSimplificationPhase::pruneObviousArgumentCreations):
834
835 2013-08-16  Benjamin Poulain  <benjamin@webkit.org>
836
837         [JSC] x86: improve code generation for xxxTest32
838         https://bugs.webkit.org/show_bug.cgi?id=119876
839
840         Reviewed by Geoffrey Garen.
841
842         Try to use testb whenever possible when testing for an immediate value.
843
844         When the input is an address and an offset, we can tweak the mask
845         and offset to be able to generate testb for any byte of the mask.
846
847         When the input is a register, we can use testb if we are only interested
848         in testing the low bits.
849
850         * assembler/MacroAssemblerX86Common.h:
851         (JSC::MacroAssemblerX86Common::branchTest32):
852         (JSC::MacroAssemblerX86Common::test32):
853         (JSC::MacroAssemblerX86Common::generateTest32):
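
The narrowing described above, as an added C++ example that is not WebKit's assembler code: a 32-bit test against memory whose immediate mask has all its set bits inside one byte can be replaced by a byte test at an adjusted displacement, and a test against a register can be narrowed only when the mask lives in the low byte. The function and type names are invented for the example; test32 and test8 are reference models over a little-endian memory image, matching x86 byte order.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Result of trying to narrow `test32 [base+offset], mask` to a byte test.
struct ByteTest {
    bool possible;   // false if the mask spans more than one byte
    int32_t offset;  // adjusted displacement: original offset + byte index
    uint8_t mask;    // mask shifted down into the low byte
};

// Memory operand: if every set bit of `mask` falls inside byte k of the
// little-endian 32-bit word, test that byte alone at offset + k.
ByteTest narrowMemoryTest32(int32_t offset, uint32_t mask) {
    for (int k = 0; k < 4; ++k) {
        uint32_t byteMask = 0xFFu << (8 * k);
        if (mask != 0 && (mask & ~byteMask) == 0)
            return { true, offset + k, static_cast<uint8_t>(mask >> (8 * k)) };
    }
    return { false, offset, 0 };
}

// Register operand: only the low byte is reachable as a byte register, so
// narrowing is valid only when the mask is confined to bits 0..7.
bool canNarrowRegisterTest32(uint32_t mask) {
    return mask != 0 && (mask & ~0xFFu) == 0;
}

// Reference semantics of a 32-bit test over a little-endian memory image.
bool test32(const std::vector<uint8_t>& mem, int32_t offset, uint32_t mask) {
    uint32_t word = 0;
    for (int k = 0; k < 4; ++k)
        word |= static_cast<uint32_t>(mem[static_cast<size_t>(offset + k)]) << (8 * k);
    return (word & mask) != 0;
}

bool test8(const std::vector<uint8_t>& mem, int32_t offset, uint8_t mask) {
    return (mem[static_cast<size_t>(offset)] & mask) != 0;
}

// Checks that the narrowed byte test agrees with the full 32-bit test at
// every aligned-or-not offset in `mem`. Vacuously true if no narrowing applies.
bool narrowingAgrees(const std::vector<uint8_t>& mem, uint32_t mask) {
    if (!narrowMemoryTest32(0, mask).possible)
        return true;
    for (int32_t off = 0; off + 4 <= static_cast<int32_t>(mem.size()); ++off) {
        ByteTest bt = narrowMemoryTest32(off, mask);
        if (test32(mem, off, mask) != test8(mem, bt.offset, bt.mask))
            return false;
    }
    return true;
}
```

The register restriction reflects x86 encoding: the byte form of test needs a byte-addressable register, and without a REX prefix only the low bytes of eax, ebx, ecx and edx are reachable, so a mask in bits 8..31 cannot be served by testb on an arbitrary register the way it can through an adjusted memory displacement.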
854
855 2013-08-16  Mark Lam  <mark.lam@apple.com>
856
857         <https://bugs.webkit.org/show_bug.cgi?id=119913> Baseline JIT gives erroneous
858         error message that an object is not a constructor though it expects a function
859
860         Reviewed by Michael Saboff.
861
862         * jit/JITStubs.cpp:
863         (JSC::DEFINE_STUB_FUNCTION):
864
865 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
866
867         Object properties added using dot syntax (o.f = ...) from code that isn't in eval should be less likely to cause an object to become a dictionary
868         https://bugs.webkit.org/show_bug.cgi?id=119897
869
870         Reviewed by Oliver Hunt.
871         
872         6-10x speed-up on microbenchmarks that create large static objects. 40-65% speed-up
873         on Octane/gbemu. 3% overall speed-up on Octane. No slow-downs anywhere; our ability
874         to turn objects into dictionaries when you're storing using bracket syntax or using
875         eval is still in place.
876
877         * bytecode/CodeBlock.h:
878         (JSC::CodeBlock::putByIdContext):
879         * dfg/DFGOperations.cpp:
880         * jit/JITStubs.cpp:
881         (JSC::DEFINE_STUB_FUNCTION):
882         * llint/LLIntSlowPaths.cpp:
883         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
884         * runtime/JSObject.h:
885         (JSC::JSObject::putDirectInternal):
886         * runtime/PutPropertySlot.h:
887         (JSC::PutPropertySlot::PutPropertySlot):
888         (JSC::PutPropertySlot::context):
889         * runtime/Structure.cpp:
890         (JSC::Structure::addPropertyTransition):
891         * runtime/Structure.h:
892
893 2013-08-16  Balazs Kilvady  <kilvadyb@homejinni.com>
894
895         <https://webkit.org/b/119742> REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException
896
897         Reviewed by Allan Sandfeld Jensen.
898
899         ctiVMHandleException must jump/return using register ra (r31).
900
901         * jit/JITStubsMIPS.h:
902
903 2013-08-16  Julien Brianceau  <jbrianceau@nds.com>
904
905         <https://webkit.org/b/119879> Fix sh4 build after r154156.
906
907         Reviewed by Allan Sandfeld Jensen.
908
909         Fix typo in JITStubsSH4.h file.
910
911         * jit/JITStubsSH4.h:
912
913 2013-08-15  Mark Hahnenberg  <mhahnenberg@apple.com>
914
915         <https://webkit.org/b/119833> Concurrent compilation thread should not trigger WriteBarriers
916
917         Reviewed by Oliver Hunt.
918
919         The concurrent compilation thread should interact minimally with the Heap, including not 
920         triggering WriteBarriers. This is a prerequisite for generational GC.
921
922         * JavaScriptCore.xcodeproj/project.pbxproj:
923         * bytecode/CodeBlock.cpp:
924         (JSC::CodeBlock::addOrFindConstant):
925         (JSC::CodeBlock::findConstant):
926         * bytecode/CodeBlock.h:
927         (JSC::CodeBlock::addConstantLazily):
928         * dfg/DFGByteCodeParser.cpp:
929         (JSC::DFG::ByteCodeParser::getJSConstantForValue):
930         (JSC::DFG::ByteCodeParser::constantUndefined):
931         (JSC::DFG::ByteCodeParser::constantNull):
932         (JSC::DFG::ByteCodeParser::one):
933         (JSC::DFG::ByteCodeParser::constantNaN):
934         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
935         * dfg/DFGCommonData.cpp:
936         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
937         * dfg/DFGCommonData.h:
938         * dfg/DFGDesiredTransitions.cpp: Added.
939         (JSC::DFG::DesiredTransition::DesiredTransition):
940         (JSC::DFG::DesiredTransition::reallyAdd):
941         (JSC::DFG::DesiredTransitions::DesiredTransitions):
942         (JSC::DFG::DesiredTransitions::~DesiredTransitions):
943         (JSC::DFG::DesiredTransitions::addLazily):
944         (JSC::DFG::DesiredTransitions::reallyAdd):
945         * dfg/DFGDesiredTransitions.h: Added.
946         * dfg/DFGDesiredWeakReferences.cpp: Added.
947         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
948         (JSC::DFG::DesiredWeakReferences::~DesiredWeakReferences):
949         (JSC::DFG::DesiredWeakReferences::addLazily):
950         (JSC::DFG::DesiredWeakReferences::reallyAdd):
951         * dfg/DFGDesiredWeakReferences.h: Added.
952         * dfg/DFGDesiredWriteBarriers.cpp: Added.
953         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
954         (JSC::DFG::DesiredWriteBarrier::trigger):
955         (JSC::DFG::DesiredWriteBarriers::DesiredWriteBarriers):
956         (JSC::DFG::DesiredWriteBarriers::~DesiredWriteBarriers):
957         (JSC::DFG::DesiredWriteBarriers::addImpl):
958         (JSC::DFG::DesiredWriteBarriers::trigger):
959         * dfg/DFGDesiredWriteBarriers.h: Added.
960         (JSC::DFG::DesiredWriteBarriers::add):
961         (JSC::DFG::initializeLazyWriteBarrier):
962         * dfg/DFGFixupPhase.cpp:
963         (JSC::DFG::FixupPhase::truncateConstantToInt32):
964         * dfg/DFGGraph.h:
965         (JSC::DFG::Graph::convertToConstant):
966         * dfg/DFGJITCompiler.h:
967         (JSC::DFG::JITCompiler::addWeakReference):
968         * dfg/DFGPlan.cpp:
969         (JSC::DFG::Plan::Plan):
970         (JSC::DFG::Plan::reallyAdd):
971         * dfg/DFGPlan.h:
972         * dfg/DFGSpeculativeJIT32_64.cpp:
973         (JSC::DFG::SpeculativeJIT::compile):
974         * dfg/DFGSpeculativeJIT64.cpp:
975         (JSC::DFG::SpeculativeJIT::compile):
976         * runtime/WriteBarrier.h:
977         (JSC::WriteBarrierBase::set):
978         (JSC::WriteBarrier::WriteBarrier):
979
980 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
981
982         Fix x86 32-bit build after r154158
983
984         * assembler/X86Assembler.h: Add missing #ifdef for the x86_64 instructions.
985
986 2013-08-15  Ryosuke Niwa  <rniwa@webkit.org>
987
988         Build fix attempt after r154156.
989
990         * jit/JITStubs.cpp:
991         (JSC::cti_vm_handle_exception): encode!
992
993 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
994
995         [JSC] x86: Use inc and dec when possible
996         https://bugs.webkit.org/show_bug.cgi?id=119831
997
998         Reviewed by Geoffrey Garen.
999
1000         When incrementing or decrementing by an immediate of 1, use the instructions
1001         inc and dec instead of add and sub.
1002         The instructions have good timing and their encoding is smaller.
1003
1004         * assembler/MacroAssemblerX86Common.h:
1005         (JSC::MacroAssemblerX86_64::add32):
1006         (JSC::MacroAssemblerX86_64::sub32):
1007         * assembler/MacroAssemblerX86_64.h:
1008         (JSC::MacroAssemblerX86_64::add64):
1009         (JSC::MacroAssemblerX86_64::sub64):
1010         * assembler/X86Assembler.h:
1011         (JSC::X86Assembler::dec_r):
1012         (JSC::X86Assembler::decq_r):
1013         (JSC::X86Assembler::inc_r):
1014         (JSC::X86Assembler::incq_r):
1015
1016 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1017
1018         Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
1019         https://bugs.webkit.org/show_bug.cgi?id=119874
1020
1021         Reviewed by Oliver Hunt and Mark Hahnenberg.
1022         
1023         It was a confusion between heuristics in DFG::ArrayMode that are assuming that
1024         you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
1025         sometimes for typed array length accesses, and the FixupPhase assuming that a
1026         ForceExit ArrayMode means that it should continue using a generic GetById.
1027
1028         This fixes the confusion.
1029
1030         * dfg/DFGFixupPhase.cpp:
1031         (JSC::DFG::FixupPhase::fixupNode):
1032
1033 2013-08-15  Mark Lam  <mark.lam@apple.com>
1034
1035         Fix crash when performing activation tearoff.
1036         https://bugs.webkit.org/show_bug.cgi?id=119848
1037
1038         Reviewed by Oliver Hunt.
1039
1040         The activation tearoff crash was due to a bug in the baseline JIT.
1041         If we have a scenario where a baseline JIT frame calls a LLINT
1042         frame, an exception may be thrown while in the LLINT.
1043
1044         Interpreter::throwException() which handles the exception will unwind
1045         all frames until it finds a catcher or sees a host frame. When we
1046         return from the LLINT to the baseline JIT code, the baseline JIT code
1047         erroneously sets topCallFrame to the value in its call frame register,
1048         and starts unwinding the stack frames that have already been unwound.
1049
1050         The fix is:
1051         1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
1052            This is a more accurate description of what this runtime function
1053            is supposed to do, i.e. it handles the exception, which includes doing
1054            nothing (if there are no more frames to unwind).
1055         2. Fix up topCallFrame values so that the HostCallFrameFlag is never
1056            set on it.
1057         3. Reload the call frame register from topCallFrame when we're
1058            returning from a callee and detect exception handling in progress.
1059
1060         * interpreter/Interpreter.cpp:
1061         (JSC::Interpreter::unwindCallFrame):
1062         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
1063         (JSC::Interpreter::getStackTrace):
1064         * interpreter/Interpreter.h:
1065         (JSC::TopCallFrameSetter::TopCallFrameSetter):
1066         (JSC::TopCallFrameSetter::~TopCallFrameSetter):
1067         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
1068         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
1069         * jit/JIT.h:
1070         * jit/JITExceptions.cpp:
1071         (JSC::uncaughtExceptionHandler):
1072         - Convenience function to get the handler for uncaught exceptions.
1073         * jit/JITExceptions.h:
1074         * jit/JITInlines.h:
1075         (JSC::JIT::reloadCallFrameFromTopCallFrame):
1076         * jit/JITOpcodes32_64.cpp:
1077         (JSC::JIT::privateCompileCTINativeCall):
1078         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
1079         * jit/JITStubs.cpp:
1080         (JSC::throwExceptionFromOpCall):
1081         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
1082         (JSC::cti_vm_handle_exception):
1083         - Check for the case when there are no more frames to unwind.
1084         * jit/JITStubs.h:
1085         * jit/JITStubsARM.h:
1086         * jit/JITStubsARMv7.h:
1087         * jit/JITStubsMIPS.h:
1088         * jit/JITStubsSH4.h:
1089         * jit/JITStubsX86.h:
1090         * jit/JITStubsX86_64.h:
1091         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
1092         * jit/SlowPathCall.h:
1093         (JSC::JITSlowPathCall::call):
1094         - Reload cfr from topCallFrame when handling an exception.
1095         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
1096         * jit/ThunkGenerators.cpp:
1097         (JSC::nativeForGenerator):
1098         * llint/LowLevelInterpreter32_64.asm:
1099         * llint/LowLevelInterpreter64.asm:
1100         - Reload cfr from topCallFrame when handling an exception.
1101         * runtime/VM.cpp:
1102         (JSC::VM::VM):
1103         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
1104
1105 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1106
1107         Remove some code duplication.
1108         
1109         Rubber stamped by Mark Hahnenberg.
1110
1111         * runtime/JSDataViewPrototype.cpp:
1112         (JSC::getData):
1113         (JSC::setData):
1114
1115 2013-08-15  Julien Brianceau  <jbrianceau@nds.com>
1116
1117         [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
1118         https://bugs.webkit.org/show_bug.cgi?id=119794
1119
1120         Reviewed by Filip Pizlo.
1121
1122         This patch fixes ASSERT failures in debug builds for the sh4 and mips architectures.
1123
1124         * dfg/DFGUseKind.h:
1125         (JSC::DFG::isNumerical):
1126         (JSC::DFG::isDouble):
1127
1128 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1129
1130         http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.
1131
1132         Rubber stamped by Oliver Hunt.
1133         
1134         This was causing some test crashes for me.
1135
1136         * dfg/DFGCapabilities.cpp:
1137         (JSC::DFG::capabilityLevel):
1138
1139 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
1140
1141         [Windows] Clear up improper export declaration.
1142
1143         * runtime/ArrayBufferView.h:
1144
1145 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1146
1147         Unreviewed, remove some unnecessary periods from exceptions.
1148
1149         * runtime/JSDataViewPrototype.cpp:
1150         (JSC::getData):
1151         (JSC::setData):
1152
1153 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1154
1155         Unreviewed, fix 32-bit build.
1156
1157         * dfg/DFGSpeculativeJIT32_64.cpp:
1158         (JSC::DFG::SpeculativeJIT::compile):
1159
1160 2013-08-14  Filip Pizlo  <fpizlo@apple.com>
1161
1162         Typed arrays should be rewritten
1163         https://bugs.webkit.org/show_bug.cgi?id=119064
1164
1165         Reviewed by Oliver Hunt.
1166         
1167         Typed arrays were previously deficient in several major ways:
1168         
1169         - They were defined separately in WebCore and in the jsc shell. The two
1170           implementations were different, and the jsc shell one was basically wrong.
1171           The WebCore one was quite awful, also.
1172         
1173         - Typed arrays were not visible to the JIT except through some weird hooks.
1174           For example, the JIT could not ask "what is the Structure that this typed
1175           array would have if I just allocated it from this global object". Also,
1176           it was difficult to wire any of the typed array intrinsics, because most
1177           of the functionality wasn't visible anywhere in JSC.
1178         
1179         - Typed array allocation was brain-dead. Allocating a typed array involved
1180           two JS objects, two GC weak handles, and three malloc allocations.
1181         
1182         - Neutering. It involved keeping tabs on all native views but not the view
1183           wrappers, even though the native views can autoneuter just by asking the
1184           buffer if it was neutered anytime you touch them; while the JS view
1185           wrappers are the ones that you really want to reach out to.
1186         
1187         - Common case-ing. Most typed arrays have one buffer and one view, and
1188           usually nobody touches the buffer. Yet we created all of that stuff
1189           anyway, using data structures optimized for the case where you had a lot
1190           of views.
1191         
1192         - Semantic goofs. Typed arrays should, in the future, behave like ES
1193           features rather than DOM features, for example when it comes to exceptions.
1194           Firefox already does this and I agree with them.
1195         
1196         This patch cleanses our codebase of these sins:
1197         
1198         - Typed arrays are almost entirely defined in JSC. Only the lifecycle
1199           management of native references to buffers is left to WebCore.
1200         
1201         - Allocating a typed array requires either two GC allocations (a cell and a
1202           copied storage vector) or one GC allocation, a malloc allocation, and a
1203           weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
1204           latter). The latter is only used for oversize arrays. Remember that before
1205           it was 7 allocations no matter what.
1206         
1207         - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
1208           mode/length, void* vector. Before it was a lot more than that - remember,
1209           there were five additional objects that did absolutely nothing for anybody.
1210         
1211         - Native views aren't tracked by the buffer, or by the wrappers. They are
1212           transient. In the future we'll probably switch to not even having them be
1213           malloc'd.
1214         
1215         - Native array buffers have an efficient way of tracking all of their JS view
1216           wrappers, both for neutering, and for lifecycle management. The GC
1217           special-cases native array buffers. This saves a bunch of grief; for example
1218           it means that a JS view wrapper can refer to its buffer via the butterfly,
1219           which would be dead by the time we went to finalize.
1220         
1221         - Typed array semantics now match Firefox, which also happens to be where the
1222           standards are going. The discussion on webkit-dev seemed to confirm that
1223           Chrome is also heading in this direction. This includes making
1224           Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
1225           ArrayBufferView as a JS-visible construct.
1226         
1227         This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
1228         It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
1229         further typed array optimizations in the JSC JITs, including inlining typed
1230         array allocation, inlining more of the accessors, reducing the cost of type
1231         checks, etc.
1232         
1233         An additional property of this patch is that typed arrays are mostly
1234         implemented using templates. This deduplicates a bunch of code, but does mean
1235         that we need some hacks for exporting s_info's of template classes. See
1236         JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
1237         low-impact compared to code duplication.
1238         
1239         Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
1240
1241         * CMakeLists.txt:
1242         * DerivedSources.make:
1243         * GNUmakefile.list.am:
1244         * JSCTypedArrayStubs.h: Removed.
1245         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1246         * JavaScriptCore.xcodeproj/project.pbxproj:
1247         * Target.pri:
1248         * bytecode/ByValInfo.h:
1249         (JSC::hasOptimizableIndexingForClassInfo):
1250         (JSC::jitArrayModeForClassInfo):
1251         (JSC::typedArrayTypeForJITArrayMode):
1252         * bytecode/SpeculatedType.cpp:
1253         (JSC::speculationFromClassInfo):
1254         * dfg/DFGArrayMode.cpp:
1255         (JSC::DFG::toTypedArrayType):
1256         * dfg/DFGArrayMode.h:
1257         (JSC::DFG::ArrayMode::typedArrayType):
1258         * dfg/DFGSpeculativeJIT.cpp:
1259         (JSC::DFG::SpeculativeJIT::checkArray):
1260         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
1261         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
1262         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
1263         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
1264         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
1265         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1266         * dfg/DFGSpeculativeJIT.h:
1267         * dfg/DFGSpeculativeJIT32_64.cpp:
1268         (JSC::DFG::SpeculativeJIT::compile):
1269         * dfg/DFGSpeculativeJIT64.cpp:
1270         (JSC::DFG::SpeculativeJIT::compile):
1271         * heap/CopyToken.h:
1272         * heap/DeferGC.h:
1273         (JSC::DeferGCForAWhile::DeferGCForAWhile):
1274         (JSC::DeferGCForAWhile::~DeferGCForAWhile):
1275         * heap/GCIncomingRefCounted.h: Added.
1276         (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
1277         (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
1278         (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
1279         (JSC::GCIncomingRefCounted::incomingReferenceAt):
1280         (JSC::GCIncomingRefCounted::singletonFlag):
1281         (JSC::GCIncomingRefCounted::hasVectorOfCells):
1282         (JSC::GCIncomingRefCounted::hasAnyIncoming):
1283         (JSC::GCIncomingRefCounted::hasSingleton):
1284         (JSC::GCIncomingRefCounted::singleton):
1285         (JSC::GCIncomingRefCounted::vectorOfCells):
1286         * heap/GCIncomingRefCountedInlines.h: Added.
1287         (JSC::::addIncomingReference):
1288         (JSC::::filterIncomingReferences):
1289         * heap/GCIncomingRefCountedSet.h: Added.
1290         (JSC::GCIncomingRefCountedSet::size):
1291         * heap/GCIncomingRefCountedSetInlines.h: Added.
1292         (JSC::::GCIncomingRefCountedSet):
1293         (JSC::::~GCIncomingRefCountedSet):
1294         (JSC::::addReference):
1295         (JSC::::sweep):
1296         (JSC::::removeAll):
1297         (JSC::::removeDead):
1298         * heap/Heap.cpp:
1299         (JSC::Heap::addReference):
1300         (JSC::Heap::extraSize):
1301         (JSC::Heap::size):
1302         (JSC::Heap::capacity):
1303         (JSC::Heap::collect):
1304         (JSC::Heap::decrementDeferralDepth):
1305         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
1306         * heap/Heap.h:
1307         * interpreter/CallFrame.h:
1308         (JSC::ExecState::dataViewTable):
1309         * jit/JIT.h:
1310         * jit/JITPropertyAccess.cpp:
1311         (JSC::JIT::privateCompileGetByVal):
1312         (JSC::JIT::privateCompilePutByVal):
1313         (JSC::JIT::emitIntTypedArrayGetByVal):
1314         (JSC::JIT::emitFloatTypedArrayGetByVal):
1315         (JSC::JIT::emitIntTypedArrayPutByVal):
1316         (JSC::JIT::emitFloatTypedArrayPutByVal):
1317         * jsc.cpp:
1318         (GlobalObject::finishCreation):
1319         * runtime/ArrayBuffer.cpp:
1320         (JSC::ArrayBuffer::transfer):
1321         * runtime/ArrayBuffer.h:
1322         (JSC::ArrayBuffer::createAdopted):
1323         (JSC::ArrayBuffer::ArrayBuffer):
1324         (JSC::ArrayBuffer::gcSizeEstimateInBytes):
1325         (JSC::ArrayBuffer::pin):
1326         (JSC::ArrayBuffer::unpin):
1327         (JSC::ArrayBufferContents::tryAllocate):
1328         * runtime/ArrayBufferView.cpp:
1329         (JSC::ArrayBufferView::ArrayBufferView):
1330         (JSC::ArrayBufferView::~ArrayBufferView):
1331         (JSC::ArrayBufferView::setNeuterable):
1332         * runtime/ArrayBufferView.h:
1333         (JSC::ArrayBufferView::isNeutered):
1334         (JSC::ArrayBufferView::buffer):
1335         (JSC::ArrayBufferView::baseAddress):
1336         (JSC::ArrayBufferView::byteOffset):
1337         (JSC::ArrayBufferView::verifySubRange):
1338         (JSC::ArrayBufferView::clampOffsetAndNumElements):
1339         (JSC::ArrayBufferView::calculateOffsetAndLength):
1340         * runtime/ClassInfo.h:
1341         * runtime/CommonIdentifiers.h:
1342         * runtime/DataView.cpp: Added.
1343         (JSC::DataView::DataView):
1344         (JSC::DataView::create):
1345         (JSC::DataView::wrap):
1346         * runtime/DataView.h: Added.
1347         (JSC::DataView::byteLength):
1348         (JSC::DataView::getType):
1349         (JSC::DataView::get):
1350         (JSC::DataView::set):
1351         * runtime/Float32Array.h:
1352         * runtime/Float64Array.h:
1353         * runtime/GenericTypedArrayView.h: Added.
1354         (JSC::GenericTypedArrayView::data):
1355         (JSC::GenericTypedArrayView::set):
1356         (JSC::GenericTypedArrayView::setRange):
1357         (JSC::GenericTypedArrayView::zeroRange):
1358         (JSC::GenericTypedArrayView::zeroFill):
1359         (JSC::GenericTypedArrayView::length):
1360         (JSC::GenericTypedArrayView::byteLength):
1361         (JSC::GenericTypedArrayView::item):
1362         (JSC::GenericTypedArrayView::checkInboundData):
1363         (JSC::GenericTypedArrayView::getType):
1364         * runtime/GenericTypedArrayViewInlines.h: Added.
1365         (JSC::::GenericTypedArrayView):
1366         (JSC::::create):
1367         (JSC::::createUninitialized):
1368         (JSC::::subarray):
1369         (JSC::::wrap):
1370         * runtime/IndexingHeader.h:
1371         (JSC::IndexingHeader::arrayBuffer):
1372         (JSC::IndexingHeader::setArrayBuffer):
1373         * runtime/Int16Array.h:
1374         * runtime/Int32Array.h:
1375         * runtime/Int8Array.h:
1376         * runtime/JSArrayBuffer.cpp: Added.
1377         (JSC::JSArrayBuffer::JSArrayBuffer):
1378         (JSC::JSArrayBuffer::finishCreation):
1379         (JSC::JSArrayBuffer::create):
1380         (JSC::JSArrayBuffer::createStructure):
1381         (JSC::JSArrayBuffer::getOwnPropertySlot):
1382         (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
1383         (JSC::JSArrayBuffer::put):
1384         (JSC::JSArrayBuffer::defineOwnProperty):
1385         (JSC::JSArrayBuffer::deleteProperty):
1386         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
1387         * runtime/JSArrayBuffer.h: Added.
1388         (JSC::JSArrayBuffer::impl):
1389         (JSC::toArrayBuffer):
1390         * runtime/JSArrayBufferConstructor.cpp: Added.
1391         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
1392         (JSC::JSArrayBufferConstructor::finishCreation):
1393         (JSC::JSArrayBufferConstructor::create):
1394         (JSC::JSArrayBufferConstructor::createStructure):
1395         (JSC::constructArrayBuffer):
1396         (JSC::JSArrayBufferConstructor::getConstructData):
1397         (JSC::JSArrayBufferConstructor::getCallData):
1398         * runtime/JSArrayBufferConstructor.h: Added.
1399         * runtime/JSArrayBufferPrototype.cpp: Added.
1400         (JSC::arrayBufferProtoFuncSlice):
1401         (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
1402         (JSC::JSArrayBufferPrototype::finishCreation):
1403         (JSC::JSArrayBufferPrototype::create):
1404         (JSC::JSArrayBufferPrototype::createStructure):
1405         * runtime/JSArrayBufferPrototype.h: Added.
1406         * runtime/JSArrayBufferView.cpp: Added.
1407         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1408         (JSC::JSArrayBufferView::JSArrayBufferView):
1409         (JSC::JSArrayBufferView::finishCreation):
1410         (JSC::JSArrayBufferView::getOwnPropertySlot):
1411         (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
1412         (JSC::JSArrayBufferView::put):
1413         (JSC::JSArrayBufferView::defineOwnProperty):
1414         (JSC::JSArrayBufferView::deleteProperty):
1415         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
1416         (JSC::JSArrayBufferView::finalize):
1417         * runtime/JSArrayBufferView.h: Added.
1418         (JSC::JSArrayBufferView::sizeOf):
1419         (JSC::JSArrayBufferView::ConstructionContext::operator!):
1420         (JSC::JSArrayBufferView::ConstructionContext::structure):
1421         (JSC::JSArrayBufferView::ConstructionContext::vector):
1422         (JSC::JSArrayBufferView::ConstructionContext::length):
1423         (JSC::JSArrayBufferView::ConstructionContext::mode):
1424         (JSC::JSArrayBufferView::ConstructionContext::butterfly):
1425         (JSC::JSArrayBufferView::mode):
1426         (JSC::JSArrayBufferView::vector):
1427         (JSC::JSArrayBufferView::length):
1428         (JSC::JSArrayBufferView::offsetOfVector):
1429         (JSC::JSArrayBufferView::offsetOfLength):
1430         (JSC::JSArrayBufferView::offsetOfMode):
1431         * runtime/JSArrayBufferViewInlines.h: Added.
1432         (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
1433         (JSC::JSArrayBufferView::buffer):
1434         (JSC::JSArrayBufferView::impl):
1435         (JSC::JSArrayBufferView::neuter):
1436         (JSC::JSArrayBufferView::byteOffset):
1437         * runtime/JSCell.cpp:
1438         (JSC::JSCell::slowDownAndWasteMemory):
1439         (JSC::JSCell::getTypedArrayImpl):
1440         * runtime/JSCell.h:
1441         * runtime/JSDataView.cpp: Added.
1442         (JSC::JSDataView::JSDataView):
1443         (JSC::JSDataView::create):
1444         (JSC::JSDataView::createUninitialized):
1445         (JSC::JSDataView::set):
1446         (JSC::JSDataView::typedImpl):
1447         (JSC::JSDataView::getOwnPropertySlot):
1448         (JSC::JSDataView::getOwnPropertyDescriptor):
1449         (JSC::JSDataView::slowDownAndWasteMemory):
1450         (JSC::JSDataView::getTypedArrayImpl):
1451         (JSC::JSDataView::createStructure):
1452         * runtime/JSDataView.h: Added.
1453         * runtime/JSDataViewPrototype.cpp: Added.
1454         (JSC::JSDataViewPrototype::JSDataViewPrototype):
1455         (JSC::JSDataViewPrototype::create):
1456         (JSC::JSDataViewPrototype::createStructure):
1457         (JSC::JSDataViewPrototype::getOwnPropertySlot):
1458         (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
1459         (JSC::getData):
1460         (JSC::setData):
1461         (JSC::dataViewProtoFuncGetInt8):
1462         (JSC::dataViewProtoFuncGetInt16):
1463         (JSC::dataViewProtoFuncGetInt32):
1464         (JSC::dataViewProtoFuncGetUint8):
1465         (JSC::dataViewProtoFuncGetUint16):
1466         (JSC::dataViewProtoFuncGetUint32):
1467         (JSC::dataViewProtoFuncGetFloat32):
1468         (JSC::dataViewProtoFuncGetFloat64):
1469         (JSC::dataViewProtoFuncSetInt8):
1470         (JSC::dataViewProtoFuncSetInt16):
1471         (JSC::dataViewProtoFuncSetInt32):
1472         (JSC::dataViewProtoFuncSetUint8):
1473         (JSC::dataViewProtoFuncSetUint16):
1474         (JSC::dataViewProtoFuncSetUint32):
1475         (JSC::dataViewProtoFuncSetFloat32):
1476         (JSC::dataViewProtoFuncSetFloat64):
1477         * runtime/JSDataViewPrototype.h: Added.
1478         * runtime/JSFloat32Array.h: Added.
1479         * runtime/JSFloat64Array.h: Added.
1480         * runtime/JSGenericTypedArrayView.h: Added.
1481         (JSC::JSGenericTypedArrayView::byteLength):
1482         (JSC::JSGenericTypedArrayView::byteSize):
1483         (JSC::JSGenericTypedArrayView::typedVector):
1484         (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
1485         (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
1486         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
1487         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
1488         (JSC::JSGenericTypedArrayView::getIndexQuickly):
1489         (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
1490         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
1491         (JSC::JSGenericTypedArrayView::setIndexQuickly):
1492         (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
1493         (JSC::JSGenericTypedArrayView::typedImpl):
1494         (JSC::JSGenericTypedArrayView::createStructure):
1495         (JSC::JSGenericTypedArrayView::info):
1496         (JSC::toNativeTypedView):
1497         * runtime/JSGenericTypedArrayViewConstructor.h: Added.
1498         * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
1499         (JSC::::JSGenericTypedArrayViewConstructor):
1500         (JSC::::finishCreation):
1501         (JSC::::create):
1502         (JSC::::createStructure):
1503         (JSC::constructGenericTypedArrayView):
1504         (JSC::::getConstructData):
1505         (JSC::::getCallData):
1506         * runtime/JSGenericTypedArrayViewInlines.h: Added.
1507         (JSC::::JSGenericTypedArrayView):
1508         (JSC::::create):
1509         (JSC::::createUninitialized):
1510         (JSC::::validateRange):
1511         (JSC::::setWithSpecificType):
1512         (JSC::::set):
1513         (JSC::::getOwnPropertySlot):
1514         (JSC::::getOwnPropertyDescriptor):
1515         (JSC::::put):
1516         (JSC::::defineOwnProperty):
1517         (JSC::::deleteProperty):
1518         (JSC::::getOwnPropertySlotByIndex):
1519         (JSC::::putByIndex):
1520         (JSC::::deletePropertyByIndex):
1521         (JSC::::getOwnNonIndexPropertyNames):
1522         (JSC::::getOwnPropertyNames):
1523         (JSC::::visitChildren):
1524         (JSC::::copyBackingStore):
1525         (JSC::::slowDownAndWasteMemory):
1526         (JSC::::getTypedArrayImpl):
1527         * runtime/JSGenericTypedArrayViewPrototype.h: Added.
1528         * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
1529         (JSC::genericTypedArrayViewProtoFuncSet):
1530         (JSC::genericTypedArrayViewProtoFuncSubarray):
1531         (JSC::::JSGenericTypedArrayViewPrototype):
1532         (JSC::::finishCreation):
1533         (JSC::::create):
1534         (JSC::::createStructure):
1535         * runtime/JSGlobalObject.cpp:
1536         (JSC::JSGlobalObject::reset):
1537         (JSC::JSGlobalObject::visitChildren):
1538         * runtime/JSGlobalObject.h:
1539         (JSC::JSGlobalObject::arrayBufferPrototype):
1540         (JSC::JSGlobalObject::arrayBufferStructure):
1541         (JSC::JSGlobalObject::typedArrayStructure):
1542         * runtime/JSInt16Array.h: Added.
1543         * runtime/JSInt32Array.h: Added.
1544         * runtime/JSInt8Array.h: Added.
1545         * runtime/JSTypedArrayConstructors.cpp: Added.
1546         * runtime/JSTypedArrayConstructors.h: Added.
1547         * runtime/JSTypedArrayPrototypes.cpp: Added.
1548         * runtime/JSTypedArrayPrototypes.h: Added.
1549         * runtime/JSTypedArrays.cpp: Added.
1550         * runtime/JSTypedArrays.h: Added.
1551         * runtime/JSUint16Array.h: Added.
1552         * runtime/JSUint32Array.h: Added.
1553         * runtime/JSUint8Array.h: Added.
1554         * runtime/JSUint8ClampedArray.h: Added.
1555         * runtime/Operations.h:
1556         * runtime/Options.h:
1557         * runtime/SimpleTypedArrayController.cpp: Added.
1558         (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
1559         (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
1560         (JSC::SimpleTypedArrayController::toJS):
1561         * runtime/SimpleTypedArrayController.h: Added.
1562         * runtime/Structure.h:
1563         (JSC::Structure::couldHaveIndexingHeader):
1564         * runtime/StructureInlines.h:
1565         (JSC::Structure::hasIndexingHeader):
1566         * runtime/TypedArrayAdaptors.h: Added.
1567         (JSC::IntegralTypedArrayAdaptor::toNative):
1568         (JSC::IntegralTypedArrayAdaptor::toJSValue):
1569         (JSC::IntegralTypedArrayAdaptor::toDouble):
1570         (JSC::FloatTypedArrayAdaptor::toNative):
1571         (JSC::FloatTypedArrayAdaptor::toJSValue):
1572         (JSC::FloatTypedArrayAdaptor::toDouble):
1573         (JSC::Uint8ClampedAdaptor::toNative):
1574         (JSC::Uint8ClampedAdaptor::toJSValue):
1575         (JSC::Uint8ClampedAdaptor::toDouble):
1576         (JSC::Uint8ClampedAdaptor::clamp):
1577         * runtime/TypedArrayController.cpp: Added.
1578         (JSC::TypedArrayController::TypedArrayController):
1579         (JSC::TypedArrayController::~TypedArrayController):
1580         * runtime/TypedArrayController.h: Added.
1581         * runtime/TypedArrayDescriptor.h: Removed.
1582         * runtime/TypedArrayInlines.h: Added.
1583         * runtime/TypedArrayType.cpp: Added.
1584         (JSC::classInfoForType):
1585         (WTF::printInternal):
1586         * runtime/TypedArrayType.h: Added.
1587         (JSC::toIndex):
1588         (JSC::isTypedView):
1589         (JSC::elementSize):
1590         (JSC::isInt):
1591         (JSC::isFloat):
1592         (JSC::isSigned):
1593         (JSC::isClamped):
1594         * runtime/TypedArrays.h: Added.
1595         * runtime/Uint16Array.h:
1596         * runtime/Uint32Array.h:
1597         * runtime/Uint8Array.h:
1598         * runtime/Uint8ClampedArray.h:
1599         * runtime/VM.cpp:
1600         (JSC::VM::VM):
1601         (JSC::VM::~VM):
1602         * runtime/VM.h:
1603
1604 2013-08-15  Oliver Hunt  <oliver@apple.com>
1605
1606         <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure
1607
1608         Reviewed by Filip Pizlo.
1609
1610         Make sure dfgCapabilities doesn't report a Dynamic put as
1611         being compilable when we don't actually support it.  
1612
1613         * bytecode/CodeBlock.cpp:
1614         (JSC::CodeBlock::dumpBytecode):
1615         * dfg/DFGCapabilities.cpp:
1616         (JSC::DFG::capabilityLevel):
1617
1618 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
1619
1620         [Windows] Incorrect DLL Linkage for JSC ArrayBuffer and ArrayBufferView
1621         https://bugs.webkit.org/show_bug.cgi?id=119847
1622
1623         Reviewed by Oliver Hunt.
1624
1625         * runtime/ArrayBuffer.h: Switch from WTF_EXPORT_PRIVATE to JS_EXPORT_PRIVATE
1626         * runtime/ArrayBufferView.h: Ditto.
1627
1628 2013-08-15  Gavin Barraclough  <barraclough@apple.com>
1629
1630         https://bugs.webkit.org/show_bug.cgi?id=119843
1631         PropertySlot::setValue is ambiguous
1632
1633         Reviewed by Geoff Garen.
1634
1635         There are three different versions of PropertySlot::setValue, one for cacheable properties, and two that are used interchangeably and inconsistently.
1636         The problematic variants are the ones that just take a value, and one that takes a value and also the object containing the property.
1637         Unify on always providing the object, and remove the version that just takes a value.
1638         This always works except for JSString, where we optimize out the object (logically we should be instantiating a temporary StringObject on every property access).
1639         Provide a version of setValue that takes a JSString as the owner of the property.
1640         We won't store this, but it makes it clear that this interface should only be used from JSString.
1641
1642         * API/JSCallbackObjectFunctions.h:
1643         (JSC::::getOwnPropertySlot):
1644         * JSCTypedArrayStubs.h:
1645         * runtime/Arguments.cpp:
1646         (JSC::Arguments::getOwnPropertySlotByIndex):
1647         (JSC::Arguments::getOwnPropertySlot):
1648         * runtime/JSActivation.cpp:
1649         (JSC::JSActivation::symbolTableGet):
1650         (JSC::JSActivation::getOwnPropertySlot):
1651         * runtime/JSArray.cpp:
1652         (JSC::JSArray::getOwnPropertySlot):
1653         * runtime/JSObject.cpp:
1654         (JSC::JSObject::getOwnPropertySlotByIndex):
1655         * runtime/JSString.h:
1656         (JSC::JSString::getStringPropertySlot):
1657         * runtime/JSSymbolTableObject.h:
1658         (JSC::symbolTableGet):
1659         * runtime/SparseArrayValueMap.cpp:
1660         (JSC::SparseArrayEntry::get):
1661             - Pass object containing property to PropertySlot::setValue
1662         * runtime/PropertySlot.h:
1663         (JSC::PropertySlot::setValue):
1664             - Logically, the base of a string property access is a temporary StringObject, but we optimize that away.
1665         (JSC::PropertySlot::setUndefined):
1666             - removed setValue(JSValue), added setValue(JSString*, JSValue)
1667
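        The setValue unification described above, as an added toy example that is not WebKit's PropertySlot code: the one-argument overload is deleted so every call site must state which object owns the property, and the JSString overload records no base, matching the note that the logical StringObject base is optimized away. The Kind enum, the property names "x" and "length", and the lookup bodies are illustrative assumptions.

```cpp
#include <cassert>
#include <string>

// Toy stand-ins for the JSC types (illustrative, not WebKit's real classes).
struct JSValue {
    long long bits;
    explicit JSValue(long long b = 0) : bits(b) {}
};
struct JSObject { const char* name; };
struct JSString { std::string contents; };

// Result of a property lookup. The owner of the property must always be
// stated: the value-only overload is deleted so it cannot be called.
class PropertySlot {
public:
    enum class Kind { Unset, Object, String };

    void setValue(JSValue) = delete; // ambiguous: which object holds the value?

    // Ordinary case: the base object that owns the property is recorded.
    void setValue(const JSObject* base, JSValue value) {
        m_kind = Kind::Object;
        m_base = base;
        m_value = value;
    }
    // String case: logically the base is a temporary StringObject that is
    // optimized away, so the owner is accepted for clarity but not stored.
    void setValue(const JSString*, JSValue value) {
        m_kind = Kind::String;
        m_base = nullptr;
        m_value = value;
    }

    Kind kind() const { return m_kind; }
    const JSObject* base() const { return m_base; }
    JSValue value() const { return m_value; }

private:
    Kind m_kind = Kind::Unset;
    const JSObject* m_base = nullptr;
    JSValue m_value;
};

// Minimal lookups mirroring the two kinds of call site in the entry
// (assumed bodies: an object exposing "x", a string exposing "length").
bool getOwnPropertySlot(const JSObject& obj, const std::string& name, PropertySlot& slot) {
    if (name == "x") {
        slot.setValue(&obj, JSValue(42)); // owner stated explicitly
        return true;
    }
    return false;
}

bool getStringPropertySlot(const JSString& str, const std::string& name, PropertySlot& slot) {
    if (name == "length") {
        slot.setValue(&str, JSValue(static_cast<long long>(str.contents.size())));
        return true;
    }
    return false;
}
```

        With the value-only overload deleted, a call such as slot.setValue(JSValue(1)) no longer compiles, so the base can never be silently omitted; the JSString overload is the one deliberate exception and is visible as such at the call site.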
1668 2013-08-15  Oliver Hunt  <oliver@apple.com>
1669
1670         Remove bogus assertion.
1671
1672         RS=Filip Pizlo
1673
1674         * dfg/DFGAbstractInterpreterInlines.h:
1675         (JSC::DFG::::executeEffects):
1676
1677 2013-08-15  Allan Sandfeld Jensen  <allan.jensen@digia.com>
1678
1679         REGRESSION(r148790) Made 7 tests fail on x86 32bit
1680         https://bugs.webkit.org/show_bug.cgi?id=114913
1681
1682         Reviewed by Filip Pizlo.
1683
1684         The X87 register was not freed before some calls. Instead
1685         of inserting resetX87Registers to the last call sites,
1686         the two X87 registers are now freed in every call.
1687
1688         * llint/LowLevelInterpreter32_64.asm:
1689         * llint/LowLevelInterpreter64.asm:
1690         * offlineasm/instructions.rb:
1691         * offlineasm/x86.rb:
1692
1693 2013-08-14  Michael Saboff  <msaboff@apple.com>
1694
1695         Fixed jit on Win64.
1696         https://bugs.webkit.org/show_bug.cgi?id=119601
1697
1698         Reviewed by Oliver Hunt.
1699
1700         * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation.
1701         * jit/JSInterfaceJIT.h: Added thirdArgumentRegister.
1702         * jit/SlowPathCall.h:
1703         (JSC::JITSlowPathCall::call): Added correct calling convention for Win64.
1704
1705 2013-08-14  Alex Christensen  <achristensen@apple.com>
1706
1707         Compile fix for Win64 with jit disabled.
1708         https://bugs.webkit.org/show_bug.cgi?id=119804
1709
1710         Reviewed by Michael Saboff.
1711
1712         * offlineasm/cloop.rb: Added std:: before isnan.
1713
1714 2013-08-14  Julien Brianceau  <jbrianceau@nds.com>
1715
1716         DFG_JIT implementation for sh4 architecture.
1717         https://bugs.webkit.org/show_bug.cgi?id=119737
1718
1719         Reviewed by Oliver Hunt.
1720
1721         * assembler/MacroAssemblerSH4.h:
1722         (JSC::MacroAssemblerSH4::invert):
1723         (JSC::MacroAssemblerSH4::add32):
1724         (JSC::MacroAssemblerSH4::and32):
1725         (JSC::MacroAssemblerSH4::lshift32):
1726         (JSC::MacroAssemblerSH4::mul32):
1727         (JSC::MacroAssemblerSH4::or32):
1728         (JSC::MacroAssemblerSH4::rshift32):
1729         (JSC::MacroAssemblerSH4::sub32):
1730         (JSC::MacroAssemblerSH4::xor32):
1731         (JSC::MacroAssemblerSH4::store32):
1732         (JSC::MacroAssemblerSH4::swapDouble):
1733         (JSC::MacroAssemblerSH4::storeDouble):
1734         (JSC::MacroAssemblerSH4::subDouble):
1735         (JSC::MacroAssemblerSH4::mulDouble):
1736         (JSC::MacroAssemblerSH4::divDouble):
1737         (JSC::MacroAssemblerSH4::negateDouble):
1738         (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
1739         (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
1740         (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
1741         (JSC::MacroAssemblerSH4::swap):
1742         (JSC::MacroAssemblerSH4::jump):
1743         (JSC::MacroAssemblerSH4::branchNeg32):
1744         (JSC::MacroAssemblerSH4::branchAdd32):
1745         (JSC::MacroAssemblerSH4::branchMul32):
1746         (JSC::MacroAssemblerSH4::urshift32):
1747         * assembler/SH4Assembler.h:
1748         (JSC::SH4Assembler::SH4Assembler):
1749         (JSC::SH4Assembler::labelForWatchpoint):
1750         (JSC::SH4Assembler::label):
1751         (JSC::SH4Assembler::debugOffset):
1752         * dfg/DFGAssemblyHelpers.h:
1753         (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
1754         (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
1755         (JSC::DFG::AssemblyHelpers::debugCall):
1756         * dfg/DFGCCallHelpers.h:
1757         (JSC::DFG::CCallHelpers::setupArguments):
1758         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
1759         * dfg/DFGFPRInfo.h:
1760         (JSC::DFG::FPRInfo::toRegister):
1761         (JSC::DFG::FPRInfo::toIndex):
1762         (JSC::DFG::FPRInfo::debugName):
1763         * dfg/DFGGPRInfo.h:
1764         (JSC::DFG::GPRInfo::toRegister):
1765         (JSC::DFG::GPRInfo::toIndex):
1766         (JSC::DFG::GPRInfo::debugName):
1767         * dfg/DFGOperations.cpp:
1768         * dfg/DFGSpeculativeJIT.h:
1769         (JSC::DFG::SpeculativeJIT::callOperation):
1770         * jit/JITStubs.h:
1771         * jit/JITStubsSH4.h:
1772
1773 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
1774
1775         Unreviewed, fix build.
1776
1777         * API/JSValue.mm:
1778         (isDate):
1779         (isArray):
1780         * API/JSWrapperMap.mm:
1781         (tryUnwrapObjcObject):
1782         * API/ObjCCallbackFunction.mm:
1783         (tryUnwrapBlock):
1784
1785 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
1786
1787         Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
1788         https://bugs.webkit.org/show_bug.cgi?id=119770
1789
1790         Reviewed by Mark Hahnenberg.
1791
1792         * API/JSCallbackConstructor.cpp:
1793         (JSC::JSCallbackConstructor::finishCreation):
1794         * API/JSCallbackConstructor.h:
1795         (JSC::JSCallbackConstructor::createStructure):
1796         * API/JSCallbackFunction.cpp:
1797         (JSC::JSCallbackFunction::finishCreation):
1798         * API/JSCallbackFunction.h:
1799         (JSC::JSCallbackFunction::createStructure):
1800         * API/JSCallbackObject.cpp:
1801         (JSC::::createStructure):
1802         * API/JSCallbackObject.h:
1803         (JSC::JSCallbackObject::visitChildren):
1804         * API/JSCallbackObjectFunctions.h:
1805         (JSC::::asCallbackObject):
1806         (JSC::::finishCreation):
1807         * API/JSObjectRef.cpp:
1808         (JSObjectGetPrivate):
1809         (JSObjectSetPrivate):
1810         (JSObjectGetPrivateProperty):
1811         (JSObjectSetPrivateProperty):
1812         (JSObjectDeletePrivateProperty):
1813         * API/JSValueRef.cpp:
1814         (JSValueIsObjectOfClass):
1815         * API/JSWeakObjectMapRefPrivate.cpp:
1816         * API/ObjCCallbackFunction.h:
1817         (JSC::ObjCCallbackFunction::createStructure):
1818         * JSCTypedArrayStubs.h:
1819         * bytecode/CallLinkStatus.cpp:
1820         (JSC::CallLinkStatus::CallLinkStatus):
1821         (JSC::CallLinkStatus::function):
1822         (JSC::CallLinkStatus::internalFunction):
1823         * bytecode/CodeBlock.h:
1824         (JSC::baselineCodeBlockForInlineCallFrame):
1825         * bytecode/SpeculatedType.cpp:
1826         (JSC::speculationFromClassInfo):
1827         * bytecode/UnlinkedCodeBlock.cpp:
1828         (JSC::UnlinkedFunctionExecutable::visitChildren):
1829         (JSC::UnlinkedCodeBlock::visitChildren):
1830         (JSC::UnlinkedProgramCodeBlock::visitChildren):
1831         * bytecode/UnlinkedCodeBlock.h:
1832         (JSC::UnlinkedFunctionExecutable::createStructure):
1833         (JSC::UnlinkedProgramCodeBlock::createStructure):
1834         (JSC::UnlinkedEvalCodeBlock::createStructure):
1835         (JSC::UnlinkedFunctionCodeBlock::createStructure):
1836         * debugger/Debugger.cpp:
1837         * debugger/DebuggerActivation.cpp:
1838         (JSC::DebuggerActivation::visitChildren):
1839         * debugger/DebuggerActivation.h:
1840         (JSC::DebuggerActivation::createStructure):
1841         * debugger/DebuggerCallFrame.cpp:
1842         (JSC::DebuggerCallFrame::functionName):
1843         * dfg/DFGAbstractInterpreterInlines.h:
1844         (JSC::DFG::::executeEffects):
1845         * dfg/DFGByteCodeParser.cpp:
1846         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1847         (JSC::DFG::ByteCodeParser::parseBlock):
1848         * dfg/DFGFixupPhase.cpp:
1849         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
1850         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
1851         * dfg/DFGGraph.cpp:
1852         (JSC::DFG::Graph::dump):
1853         * dfg/DFGGraph.h:
1854         (JSC::DFG::Graph::isInternalFunctionConstant):
1855         * dfg/DFGOperations.cpp:
1856         * dfg/DFGSpeculativeJIT.cpp:
1857         (JSC::DFG::SpeculativeJIT::checkArray):
1858         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1859         * dfg/DFGThunks.cpp:
1860         (JSC::DFG::virtualForThunkGenerator):
1861         * interpreter/Interpreter.cpp:
1862         (JSC::loadVarargs):
1863         * jsc.cpp:
1864         (GlobalObject::createStructure):
1865         * profiler/LegacyProfiler.cpp:
1866         (JSC::LegacyProfiler::createCallIdentifier):
1867         * runtime/Arguments.cpp:
1868         (JSC::Arguments::visitChildren):
1869         * runtime/Arguments.h:
1870         (JSC::Arguments::createStructure):
1871         (JSC::asArguments):
1872         (JSC::Arguments::finishCreation):
1873         * runtime/ArrayConstructor.cpp:
1874         (JSC::arrayConstructorIsArray):
1875         * runtime/ArrayConstructor.h:
1876         (JSC::ArrayConstructor::createStructure):
1877         * runtime/ArrayPrototype.cpp:
1878         (JSC::ArrayPrototype::finishCreation):
1879         (JSC::arrayProtoFuncConcat):
1880         (JSC::attemptFastSort):
1881         * runtime/ArrayPrototype.h:
1882         (JSC::ArrayPrototype::createStructure):
1883         * runtime/BooleanConstructor.h:
1884         (JSC::BooleanConstructor::createStructure):
1885         * runtime/BooleanObject.cpp:
1886         (JSC::BooleanObject::finishCreation):
1887         * runtime/BooleanObject.h:
1888         (JSC::BooleanObject::createStructure):
1889         (JSC::asBooleanObject):
1890         * runtime/BooleanPrototype.cpp:
1891         (JSC::BooleanPrototype::finishCreation):
1892         (JSC::booleanProtoFuncToString):
1893         (JSC::booleanProtoFuncValueOf):
1894         * runtime/BooleanPrototype.h:
1895         (JSC::BooleanPrototype::createStructure):
1896         * runtime/DateConstructor.cpp:
1897         (JSC::constructDate):
1898         * runtime/DateConstructor.h:
1899         (JSC::DateConstructor::createStructure):
1900         * runtime/DateInstance.cpp:
1901         (JSC::DateInstance::finishCreation):
1902         * runtime/DateInstance.h:
1903         (JSC::DateInstance::createStructure):
1904         (JSC::asDateInstance):
1905         * runtime/DatePrototype.cpp:
1906         (JSC::formateDateInstance):
1907         (JSC::DatePrototype::finishCreation):
1908         (JSC::dateProtoFuncToISOString):
1909         (JSC::dateProtoFuncToLocaleString):
1910         (JSC::dateProtoFuncToLocaleDateString):
1911         (JSC::dateProtoFuncToLocaleTimeString):
1912         (JSC::dateProtoFuncGetTime):
1913         (JSC::dateProtoFuncGetFullYear):
1914         (JSC::dateProtoFuncGetUTCFullYear):
1915         (JSC::dateProtoFuncGetMonth):
1916         (JSC::dateProtoFuncGetUTCMonth):
1917         (JSC::dateProtoFuncGetDate):
1918         (JSC::dateProtoFuncGetUTCDate):
1919         (JSC::dateProtoFuncGetDay):
1920         (JSC::dateProtoFuncGetUTCDay):
1921         (JSC::dateProtoFuncGetHours):
1922         (JSC::dateProtoFuncGetUTCHours):
1923         (JSC::dateProtoFuncGetMinutes):
1924         (JSC::dateProtoFuncGetUTCMinutes):
1925         (JSC::dateProtoFuncGetSeconds):
1926         (JSC::dateProtoFuncGetUTCSeconds):
1927         (JSC::dateProtoFuncGetMilliSeconds):
1928         (JSC::dateProtoFuncGetUTCMilliseconds):
1929         (JSC::dateProtoFuncGetTimezoneOffset):
1930         (JSC::dateProtoFuncSetTime):
1931         (JSC::setNewValueFromTimeArgs):
1932         (JSC::setNewValueFromDateArgs):
1933         (JSC::dateProtoFuncSetYear):
1934         (JSC::dateProtoFuncGetYear):
1935         * runtime/DatePrototype.h:
1936         (JSC::DatePrototype::createStructure):
1937         * runtime/Error.h:
1938         (JSC::StrictModeTypeErrorFunction::createStructure):
1939         * runtime/ErrorConstructor.h:
1940         (JSC::ErrorConstructor::createStructure):
1941         * runtime/ErrorInstance.cpp:
1942         (JSC::ErrorInstance::finishCreation):
1943         * runtime/ErrorInstance.h:
1944         (JSC::ErrorInstance::createStructure):
1945         * runtime/ErrorPrototype.cpp:
1946         (JSC::ErrorPrototype::finishCreation):
1947         * runtime/ErrorPrototype.h:
1948         (JSC::ErrorPrototype::createStructure):
1949         * runtime/ExceptionHelpers.cpp:
1950         (JSC::isTerminatedExecutionException):
1951         * runtime/ExceptionHelpers.h:
1952         (JSC::TerminatedExecutionError::createStructure):
1953         * runtime/Executable.cpp:
1954         (JSC::EvalExecutable::visitChildren):
1955         (JSC::ProgramExecutable::visitChildren):
1956         (JSC::FunctionExecutable::visitChildren):
1957         (JSC::ExecutableBase::hashFor):
1958         * runtime/Executable.h:
1959         (JSC::ExecutableBase::createStructure):
1960         (JSC::NativeExecutable::createStructure):
1961         (JSC::EvalExecutable::createStructure):
1962         (JSC::ProgramExecutable::createStructure):
1963         (JSC::FunctionExecutable::compileFor):
1964         (JSC::FunctionExecutable::compileOptimizedFor):
1965         (JSC::FunctionExecutable::createStructure):
1966         * runtime/FunctionConstructor.h:
1967         (JSC::FunctionConstructor::createStructure):
1968         * runtime/FunctionPrototype.cpp:
1969         (JSC::functionProtoFuncToString):
1970         (JSC::functionProtoFuncApply):
1971         (JSC::functionProtoFuncBind):
1972         * runtime/FunctionPrototype.h:
1973         (JSC::FunctionPrototype::createStructure):
1974         * runtime/GetterSetter.cpp:
1975         (JSC::GetterSetter::visitChildren):
1976         * runtime/GetterSetter.h:
1977         (JSC::GetterSetter::createStructure):
1978         * runtime/InternalFunction.cpp:
1979         (JSC::InternalFunction::finishCreation):
1980         * runtime/InternalFunction.h:
1981         (JSC::InternalFunction::createStructure):
1982         (JSC::asInternalFunction):
1983         * runtime/JSAPIValueWrapper.h:
1984         (JSC::JSAPIValueWrapper::createStructure):
1985         * runtime/JSActivation.cpp:
1986         (JSC::JSActivation::visitChildren):
1987         (JSC::JSActivation::argumentsGetter):
1988         * runtime/JSActivation.h:
1989         (JSC::JSActivation::createStructure):
1990         (JSC::asActivation):
1991         * runtime/JSArray.h:
1992         (JSC::JSArray::createStructure):
1993         (JSC::asArray):
1994         (JSC::isJSArray):
1995         * runtime/JSBoundFunction.cpp:
1996         (JSC::JSBoundFunction::finishCreation):
1997         (JSC::JSBoundFunction::visitChildren):
1998         * runtime/JSBoundFunction.h:
1999         (JSC::JSBoundFunction::createStructure):
2000         * runtime/JSCJSValue.cpp:
2001         (JSC::JSValue::dumpInContext):
2002         * runtime/JSCJSValueInlines.h:
2003         (JSC::JSValue::isFunction):
2004         * runtime/JSCell.h:
2005         (JSC::jsCast):
2006         (JSC::jsDynamicCast):
2007         * runtime/JSCellInlines.h:
2008         (JSC::allocateCell):
2009         * runtime/JSFunction.cpp:
2010         (JSC::JSFunction::finishCreation):
2011         (JSC::JSFunction::visitChildren):
2012         (JSC::skipOverBoundFunctions):
2013         (JSC::JSFunction::callerGetter):
2014         * runtime/JSFunction.h:
2015         (JSC::JSFunction::createStructure):
2016         * runtime/JSGlobalObject.cpp:
2017         (JSC::JSGlobalObject::visitChildren):
2018         (JSC::slowValidateCell):
2019         * runtime/JSGlobalObject.h:
2020         (JSC::JSGlobalObject::createStructure):
2021         * runtime/JSNameScope.cpp:
2022         (JSC::JSNameScope::visitChildren):
2023         * runtime/JSNameScope.h:
2024         (JSC::JSNameScope::createStructure):
2025         * runtime/JSNotAnObject.h:
2026         (JSC::JSNotAnObject::createStructure):
2027         * runtime/JSONObject.cpp:
2028         (JSC::JSONObject::finishCreation):
2029         (JSC::unwrapBoxedPrimitive):
2030         (JSC::Stringifier::Stringifier):
2031         (JSC::Stringifier::appendStringifiedValue):
2032         (JSC::Stringifier::Holder::Holder):
2033         (JSC::Walker::walk):
2034         (JSC::JSONProtoFuncStringify):
2035         * runtime/JSONObject.h:
2036         (JSC::JSONObject::createStructure):
2037         * runtime/JSObject.cpp:
2038         (JSC::getCallableObjectSlow):
2039         (JSC::JSObject::visitChildren):
2040         (JSC::JSObject::copyBackingStore):
2041         (JSC::JSFinalObject::visitChildren):
2042         (JSC::JSObject::ensureInt32Slow):
2043         (JSC::JSObject::ensureDoubleSlow):
2044         (JSC::JSObject::ensureContiguousSlow):
2045         (JSC::JSObject::ensureArrayStorageSlow):
2046         * runtime/JSObject.h:
2047         (JSC::JSObject::finishCreation):
2048         (JSC::JSObject::createStructure):
2049         (JSC::JSNonFinalObject::createStructure):
2050         (JSC::JSFinalObject::createStructure):
2051         (JSC::isJSFinalObject):
2052         * runtime/JSPropertyNameIterator.cpp:
2053         (JSC::JSPropertyNameIterator::visitChildren):
2054         * runtime/JSPropertyNameIterator.h:
2055         (JSC::JSPropertyNameIterator::createStructure):
2056         * runtime/JSProxy.cpp:
2057         (JSC::JSProxy::visitChildren):
2058         * runtime/JSProxy.h:
2059         (JSC::JSProxy::createStructure):
2060         * runtime/JSScope.cpp:
2061         (JSC::JSScope::visitChildren):
2062         * runtime/JSSegmentedVariableObject.cpp:
2063         (JSC::JSSegmentedVariableObject::visitChildren):
2064         * runtime/JSString.h:
2065         (JSC::JSString::createStructure):
2066         (JSC::isJSString):
2067         * runtime/JSSymbolTableObject.cpp:
2068         (JSC::JSSymbolTableObject::visitChildren):
2069         * runtime/JSVariableObject.h:
2070         * runtime/JSWithScope.cpp:
2071         (JSC::JSWithScope::visitChildren):
2072         * runtime/JSWithScope.h:
2073         (JSC::JSWithScope::createStructure):
2074         * runtime/JSWrapperObject.cpp:
2075         (JSC::JSWrapperObject::visitChildren):
2076         * runtime/JSWrapperObject.h:
2077         (JSC::JSWrapperObject::createStructure):
2078         * runtime/MathObject.cpp:
2079         (JSC::MathObject::finishCreation):
2080         * runtime/MathObject.h:
2081         (JSC::MathObject::createStructure):
2082         * runtime/NameConstructor.h:
2083         (JSC::NameConstructor::createStructure):
2084         * runtime/NameInstance.h:
2085         (JSC::NameInstance::createStructure):
2086         (JSC::NameInstance::finishCreation):
2087         * runtime/NamePrototype.cpp:
2088         (JSC::NamePrototype::finishCreation):
2089         (JSC::privateNameProtoFuncToString):
2090         * runtime/NamePrototype.h:
2091         (JSC::NamePrototype::createStructure):
2092         * runtime/NativeErrorConstructor.cpp:
2093         (JSC::NativeErrorConstructor::visitChildren):
2094         * runtime/NativeErrorConstructor.h:
2095         (JSC::NativeErrorConstructor::createStructure):
2096         (JSC::NativeErrorConstructor::finishCreation):
2097         * runtime/NumberConstructor.cpp:
2098         (JSC::NumberConstructor::finishCreation):
2099         * runtime/NumberConstructor.h:
2100         (JSC::NumberConstructor::createStructure):
2101         * runtime/NumberObject.cpp:
2102         (JSC::NumberObject::finishCreation):
2103         * runtime/NumberObject.h:
2104         (JSC::NumberObject::createStructure):
2105         * runtime/NumberPrototype.cpp:
2106         (JSC::NumberPrototype::finishCreation):
2107         * runtime/NumberPrototype.h:
2108         (JSC::NumberPrototype::createStructure):
2109         * runtime/ObjectConstructor.h:
2110         (JSC::ObjectConstructor::createStructure):
2111         * runtime/ObjectPrototype.cpp:
2112         (JSC::ObjectPrototype::finishCreation):
2113         * runtime/ObjectPrototype.h:
2114         (JSC::ObjectPrototype::createStructure):
2115         * runtime/PropertyMapHashTable.h:
2116         (JSC::PropertyTable::createStructure):
2117         * runtime/PropertyTable.cpp:
2118         (JSC::PropertyTable::visitChildren):
2119         * runtime/RegExp.h:
2120         (JSC::RegExp::createStructure):
2121         * runtime/RegExpConstructor.cpp:
2122         (JSC::RegExpConstructor::finishCreation):
2123         (JSC::RegExpConstructor::visitChildren):
2124         (JSC::constructRegExp):
2125         * runtime/RegExpConstructor.h:
2126         (JSC::RegExpConstructor::createStructure):
2127         (JSC::asRegExpConstructor):
2128         * runtime/RegExpMatchesArray.cpp:
2129         (JSC::RegExpMatchesArray::visitChildren):
2130         * runtime/RegExpMatchesArray.h:
2131         (JSC::RegExpMatchesArray::createStructure):
2132         * runtime/RegExpObject.cpp:
2133         (JSC::RegExpObject::finishCreation):
2134         (JSC::RegExpObject::visitChildren):
2135         * runtime/RegExpObject.h:
2136         (JSC::RegExpObject::createStructure):
2137         (JSC::asRegExpObject):
2138         * runtime/RegExpPrototype.cpp:
2139         (JSC::regExpProtoFuncTest):
2140         (JSC::regExpProtoFuncExec):
2141         (JSC::regExpProtoFuncCompile):
2142         (JSC::regExpProtoFuncToString):
2143         * runtime/RegExpPrototype.h:
2144         (JSC::RegExpPrototype::createStructure):
2145         * runtime/SparseArrayValueMap.cpp:
2146         (JSC::SparseArrayValueMap::createStructure):
2147         * runtime/SparseArrayValueMap.h:
2148         * runtime/StrictEvalActivation.h:
2149         (JSC::StrictEvalActivation::createStructure):
2150         * runtime/StringConstructor.h:
2151         (JSC::StringConstructor::createStructure):
2152         * runtime/StringObject.cpp:
2153         (JSC::StringObject::finishCreation):
2154         * runtime/StringObject.h:
2155         (JSC::StringObject::createStructure):
2156         (JSC::asStringObject):
2157         * runtime/StringPrototype.cpp:
2158         (JSC::StringPrototype::finishCreation):
2159         (JSC::stringProtoFuncReplace):
2160         (JSC::stringProtoFuncToString):
2161         (JSC::stringProtoFuncMatch):
2162         (JSC::stringProtoFuncSearch):
2163         (JSC::stringProtoFuncSplit):
2164         * runtime/StringPrototype.h:
2165         (JSC::StringPrototype::createStructure):
2166         * runtime/Structure.cpp:
2167         (JSC::Structure::Structure):
2168         (JSC::Structure::materializePropertyMap):
2169         (JSC::Structure::get):
2170         (JSC::Structure::visitChildren):
2171         * runtime/Structure.h:
2172         (JSC::Structure::typeInfo):
2173         (JSC::Structure::previousID):
2174         (JSC::Structure::outOfLineSize):
2175         (JSC::Structure::totalStorageCapacity):
2176         (JSC::Structure::materializePropertyMapIfNecessary):
2177         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
2178         * runtime/StructureChain.cpp:
2179         (JSC::StructureChain::visitChildren):
2180         * runtime/StructureChain.h:
2181         (JSC::StructureChain::createStructure):
2182         * runtime/StructureInlines.h:
2183         (JSC::Structure::get):
2184         * runtime/StructureRareData.cpp:
2185         (JSC::StructureRareData::createStructure):
2186         (JSC::StructureRareData::visitChildren):
2187         * runtime/StructureRareData.h:
2188         * runtime/SymbolTable.h:
2189         (JSC::SharedSymbolTable::createStructure):
2190         * runtime/VM.cpp:
2191         (JSC::VM::VM):
2192         (JSC::StackPreservingRecompiler::operator()):
2193         (JSC::VM::releaseExecutableMemory):
2194         * runtime/WriteBarrier.h:
2195         (JSC::validateCell):
2196         * testRegExp.cpp:
2197         (GlobalObject::createStructure):
2198
2199 2013-08-13  Arunprasad Rajkumar  <arurajku@cisco.com>
2200
2201         [WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places
2202         https://bugs.webkit.org/show_bug.cgi?id=119762
2203
2204         Reviewed by Geoffrey Garen.
2205
2206         * heap/Heap.cpp:
2207         (JSC::Heap::Heap):
2208         (JSC::Heap::markRoots):
2209         (JSC::Heap::collect):
2210         * jsc.cpp:
2211         (StopWatch::start):
2212         (StopWatch::stop):
2213         * testRegExp.cpp:
2214         (StopWatch::start):
2215         (StopWatch::stop):
2216
2217 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
2218
2219         [sh4] Prepare LLINT for DFG_JIT implementation.
2220         https://bugs.webkit.org/show_bug.cgi?id=119755
2221
2222         Reviewed by Oliver Hunt.
2223
2224         * LLIntOffsetsExtractor.pro: Add sh4.rb dependency.
2225         * offlineasm/sh4.rb:
2226             - Handle storeb opcode.
2227             - Make relative jumps when possible using braf opcode.
2228             - Update bmulio implementation to be consistent with baseline JIT.
2229             - Remove useless code from leap opcode.
2230             - Fix incorrect comment.
2231
2232 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
2233
2234         [sh4] Prepare baseline JIT for DFG_JIT implementation.
2235         https://bugs.webkit.org/show_bug.cgi?id=119758
2236
2237         Reviewed by Oliver Hunt.
2238
2239         * assembler/MacroAssemblerSH4.h:
2240             - Introduce a loadEffectiveAddress function to avoid code duplication.
2241             - Add ASSERTs and clean code.
2242         * assembler/SH4Assembler.h:
2243             - Prepare DFG_JIT implementation.
2244             - Add ASSERTs.
2245         * jit/JITStubs.cpp:
2246             - Add SH4 specific call for assertions.
2247         * jit/JITStubs.h:
2248             - Cosmetic change.
2249         * jit/JITStubsSH4.h:
2250             - Use constants to be more flexible with sh4 JIT stack frame.
2251         * jit/JSInterfaceJIT.h:
2252             - Cosmetic change.
2253
2254 2013-08-13  Oliver Hunt  <oliver@apple.com>
2255
2256         Harden executeConstruct against incorrect return types from host functions
2257         https://bugs.webkit.org/show_bug.cgi?id=119757
2258
2259         Reviewed by Mark Hahnenberg.
2260
2261         Add logic to guard against bogus return types.  There doesn't seem to be any
2262         class in webkit that does this wrong, but the typed array stubs in debug JSC
2263         do exhibit this bad behaviour.
2264
2265         * interpreter/Interpreter.cpp:
2266         (JSC::Interpreter::executeConstruct):
2267
2268 2013-08-13  Allan Sandfeld Jensen  <allan.jensen@digia.com>
2269
2270         [Qt] Fix C++11 build with gcc 4.4 and 4.5
2271         https://bugs.webkit.org/show_bug.cgi?id=119736
2272
2273         Reviewed by Anders Carlsson.
2274
2275         Don't force C++11 mode off anymore.
2276
2277         * Target.pri:
2278
2279 2013-08-12  Oliver Hunt  <oliver@apple.com>
2280
2281         Remove CodeBlock's notion of adding identifiers entirely
2282         https://bugs.webkit.org/show_bug.cgi?id=119708
2283
2284         Reviewed by Geoffrey Garen.
2285
2286         Remove addAdditionalIdentifier entirely, including the bogus assertion.
2287         Move the addition of identifiers to DFGPlan::reallyAdd.
2288
2289         * bytecode/CodeBlock.h:
2290         * dfg/DFGDesiredIdentifiers.cpp:
2291         (JSC::DFG::DesiredIdentifiers::reallyAdd):
2292         * dfg/DFGDesiredIdentifiers.h:
2293         * dfg/DFGPlan.cpp:
2294         (JSC::DFG::Plan::reallyAdd):
2295         (JSC::DFG::Plan::finalize):
2296         * dfg/DFGPlan.h:
2297
2298 2013-08-12  Oliver Hunt  <oliver@apple.com>
2299
2300         Build fix
2301
2302         * runtime/JSCell.h:
2303
2304 2013-08-12  Oliver Hunt  <oliver@apple.com>
2305
2306         Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them
2307         https://bugs.webkit.org/show_bug.cgi?id=119705
2308
2309         Reviewed by Geoffrey Garen.
2310
2311         Relatively trivial refactoring
2312
2313         * bytecode/CodeBlock.h:
2314         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
2315         (JSC::CodeBlock::addAdditionalIdentifier):
2316         (JSC::CodeBlock::identifier):
2317         (JSC::CodeBlock::numberOfIdentifiers):
2318         * dfg/DFGCommonData.h:
2319
2320 2013-08-12  Oliver Hunt  <oliver@apple.com>
2321
2322         Stop making unnecessary copy of CodeBlock Identifier Vector
2323         https://bugs.webkit.org/show_bug.cgi?id=119702
2324
2325         Reviewed by Michael Saboff.
2326
2327         Make CodeBlock simply use a separate Vector for additional Identifiers
2328         and use the UnlinkedCodeBlock for the initial set of identifiers.
2329
2330         * bytecode/CodeBlock.cpp:
2331         (JSC::CodeBlock::printGetByIdOp):
2332         (JSC::dumpStructure):
2333         (JSC::dumpChain):
2334         (JSC::CodeBlock::printGetByIdCacheStatus):
2335         (JSC::CodeBlock::printPutByIdOp):
2336         (JSC::CodeBlock::dumpBytecode):
2337         (JSC::CodeBlock::CodeBlock):
2338         (JSC::CodeBlock::shrinkToFit):
2339         * bytecode/CodeBlock.h:
2340         (JSC::CodeBlock::numberOfIdentifiers):
2341         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
2342         (JSC::CodeBlock::addAdditionalIdentifier):
2343         (JSC::CodeBlock::identifier):
2344         * dfg/DFGDesiredIdentifiers.cpp:
2345         (JSC::DFG::DesiredIdentifiers::reallyAdd):
2346         * jit/JIT.h:
2347         * jit/JITOpcodes.cpp:
2348         (JSC::JIT::emitSlow_op_get_arguments_length):
2349         * jit/JITPropertyAccess.cpp:
2350         (JSC::JIT::emit_op_get_by_id):
2351         (JSC::JIT::compileGetByIdHotPath):
2352         (JSC::JIT::emitSlow_op_get_by_id):
2353         (JSC::JIT::compileGetByIdSlowCase):
2354         (JSC::JIT::emitSlow_op_put_by_id):
2355         * jit/JITPropertyAccess32_64.cpp:
2356         (JSC::JIT::emit_op_get_by_id):
2357         (JSC::JIT::compileGetByIdHotPath):
2358         (JSC::JIT::compileGetByIdSlowCase):
2359         * jit/JITStubs.cpp:
2360         (JSC::DEFINE_STUB_FUNCTION):
2361         * llint/LLIntSlowPaths.cpp:
2362         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2363
2364 2013-08-08  Mark Lam  <mark.lam@apple.com>
2365
2366         Restoring use of StackIterator instead of Interpreter::getStacktrace().
2367         https://bugs.webkit.org/show_bug.cgi?id=119575.
2368
2369         Reviewed by Oliver Hunt.
2370
2371         * interpreter/Interpreter.h:
2372         - Made getStackTrace() private.
2373         * interpreter/StackIterator.cpp:
2374         (JSC::StackIterator::StackIterator):
2375         (JSC::StackIterator::numberOfFrames):
2376         - Computes the number of frames by iterating through the whole stack
2377           from the starting frame. The iterator will save its current frame
2378           position before counting the frames, and then restore it after
2379           the counting.
2380         (JSC::StackIterator::gotoFrameAtIndex):
2381         (JSC::StackIterator::gotoNextFrame):
2382         (JSC::StackIterator::resetIterator):
2383         - Points the iterator to the starting frame.
2384         * interpreter/StackIteratorPrivate.h:
2385
2386 2013-08-08  Mark Lam  <mark.lam@apple.com>
2387
2388         Moved ErrorConstructor and NativeErrorConstructor helper functions into
2389         the Interpreter class.
2390         https://bugs.webkit.org/show_bug.cgi?id=119576.
2391
2392         Reviewed by Oliver Hunt.
2393
2394         This change is needed to prepare for making Interpreter::getStackTrace()
2395         private. It does not change the behavior of the code, only the lexical
2396         scoping.
2397
2398         * interpreter/Interpreter.h:
2399         - Added helper functions for ErrorConstructor and NativeErrorConstructor.
2400         * runtime/ErrorConstructor.cpp:
2401         (JSC::Interpreter::constructWithErrorConstructor):
2402         (JSC::ErrorConstructor::getConstructData):
2403         (JSC::Interpreter::callErrorConstructor):
2404         (JSC::ErrorConstructor::getCallData):
2405         - Don't want ErrorConstructor to call Interpreter::getStackTrace()
2406           directly. So, we moved the helper functions into the Interpreter
2407           class.
2408         * runtime/NativeErrorConstructor.cpp:
2409         (JSC::Interpreter::constructWithNativeErrorConstructor):
2410         (JSC::NativeErrorConstructor::getConstructData):
2411         (JSC::Interpreter::callNativeErrorConstructor):
2412         (JSC::NativeErrorConstructor::getCallData):
2413         - Don't want NativeErrorConstructor to call Interpreter::getStackTrace()
2414           directly. So, we moved the helper functions into the Interpreter
2415           class.
2416
2417 2013-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>
2418
2419         32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state
2420         https://bugs.webkit.org/show_bug.cgi?id=119555
2421
2422         Reviewed by Geoffrey Garen.
2423
2424         It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does.
2425         This was causing crashes on maps.google.com in 32-bit debug builds.
2426
2427         * dfg/DFGSpeculativeJIT32_64.cpp:
2428         (JSC::DFG::SpeculativeJIT::compile):
2429
2430 2013-08-06  Michael Saboff  <msaboff@apple.com>
2431
2432         REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT
2433         https://bugs.webkit.org/show_bug.cgi?id=119405
2434
2435         Reviewed by Geoffrey Garen.
2436
2437         * dfg/DFGSpeculativeJIT.cpp:
2438         (JSC::DFG::SpeculativeJIT::compileGetByValOnString): For X86 32 bit, construct an indexed address
2439         ourselves to save a register and then load from it.
2440
2441 2013-08-06  Filip Pizlo  <fpizlo@apple.com>
2442
2443         DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants
2444         https://bugs.webkit.org/show_bug.cgi?id=119528
2445
2446         Reviewed by Geoffrey Garen.
2447
2448         Either of the two fixes would solve the crash I saw. Basically, for best performance, we want the DFG register allocator to track double uses and non-double
2449         uses of a node separately, and we accomplish this by inserting Int32ToDouble nodes in the FixupPhase. But even if FixupPhase fails to do this, we still want
2450         the DFG register allocator to do the right thing: if it encounters a double use of an integer, it should perform a conversion and preserve the original
2451         format of the value (namely, that it was an integer). For constants, the best format to preserve is None, so that future integer uses rematerialize the int
2452         from scratch. This only affects the 64-bit backend; the 32-bit backend was already doing the right thing.
2453
2454         This also fixes some more debug dumping code, and adds some stronger assertions for integer arrays.
2455
2456         * bytecode/CodeBlock.cpp:
2457         (JSC::CodeBlock::finalizeUnconditionally):
2458         * dfg/DFGDriver.cpp:
2459         (JSC::DFG::compile):
2460         * dfg/DFGFixupPhase.cpp:
2461         (JSC::DFG::FixupPhase::fixupNode):
2462         * dfg/DFGGraph.cpp:
2463         (JSC::DFG::Graph::dump):
2464         * dfg/DFGSpeculativeJIT64.cpp:
2465         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2466         * runtime/JSObject.h:
2467         (JSC::JSObject::getIndexQuickly):
2468         (JSC::JSObject::tryGetIndexQuickly):
2469
2470 2013-08-08  Stephanie Lewis  <slewis@apple.com>
2471
2472         <rdar://problem/14680524> REGRESSION(153806): Crash @ yahoo.com when WebKit is built with a .order file
2473
2474         Unreviewed.
2475
2476         Ensure llint symbols are in source order.
2477
2478         * JavaScriptCore.order:
2479
2480 2013-08-06  Mark Lam  <mark.lam@apple.com>
2481
2482         Assertion failure in emitExpressionInfo when reloading with Web Inspector open.
2483         https://bugs.webkit.org/show_bug.cgi?id=119532.
2484
2485         Reviewed by Oliver Hunt.
2486
2487         * parser/Parser.cpp:
2488         (JSC::::Parser):
2489         - Just need to initialize the Parser's JSTokenLocation's initial line and
2490           startOffset as well during Parser construction.
2491
2492 2013-08-06  Stephanie Lewis  <slewis@apple.com>
2493
2494         Update Order Files for Safari
2495         <rdar://problem/14517392>
2496
2497         Unreviewed.
2498
2499         * JavaScriptCore.order:
2500
2501 2013-08-04  Sam Weinig  <sam@webkit.org>
2502
2503         Remove support for HTML5 MicroData
2504         https://bugs.webkit.org/show_bug.cgi?id=119480
2505
2506         Reviewed by Anders Carlsson.
2507
2508         * Configurations/FeatureDefines.xcconfig:
2509
2510 2013-08-05  Oliver Hunt  <oliver@apple.com>
2511
2512         Delay Arguments creation in strict mode
2513         https://bugs.webkit.org/show_bug.cgi?id=119505
2514
2515         Reviewed by Geoffrey Garen.
2516
2517         Make use of the write tracking performed by the parser to
2518         allow us to know if we're modifying the parameters to a function.
2519         Then use that information to make strict mode functions opt out
2520         of eager arguments creation.
2521
2522         * bytecompiler/BytecodeGenerator.cpp:
2523         (JSC::BytecodeGenerator::BytecodeGenerator):
2524         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
2525         (JSC::BytecodeGenerator::emitReturn):
2526         * bytecompiler/BytecodeGenerator.h:
2527         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly):
2528         * parser/Nodes.h:
2529         (JSC::ScopeNode::modifiesParameter):
2530         * parser/Parser.cpp:
2531         (JSC::::parseInner):
2532         * parser/Parser.h:
2533         (JSC::Scope::declareParameter):
2534         (JSC::Scope::getCapturedVariables):
2535         (JSC::Parser::declareWrite):
2536         * parser/ParserModes.h:
2537
2538 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2539
2540         Remove useless code from COMPILER(RVCT) JITStubs
2541         https://bugs.webkit.org/show_bug.cgi?id=119521
2542
2543         Reviewed by Geoffrey Garen.
2544
2545         * jit/JITStubsARMv7.h:
2546         (JSC::ctiVMThrowTrampoline): "ldr r6, [sp, #PRESERVED_R6_OFFSET]" was called twice.
2547         (JSC::ctiOpThrowNotCaught): Ditto.
2548
2549 2013-07-23  David Farler  <dfarler@apple.com>
2550
2551         Provide optional OTHER_CFLAGS, OTHER_CPPFLAGS, OTHER_LDFLAGS additions for building with ASAN
2552         https://bugs.webkit.org/show_bug.cgi?id=117762
2553
2554         Reviewed by Mark Rowe.
2555
2556         * Configurations/DebugRelease.xcconfig:
2557         Add ASAN_OTHER_CFLAGS, CPLUSPLUSFLAGS, LDFLAGS.
2558         * Configurations/JavaScriptCore.xcconfig:
2559         Add ASAN_OTHER_LDFLAGS.
2560         * Configurations/ToolExecutable.xcconfig:
2561         Don't use ASAN for build tools.
2562
2563 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2564
2565         Build fix for ARM MSVC after r153222 and r153648.
2566
2567         * jit/JITStubsARM.h: Added ctiVMThrowTrampolineSlowpath.
2568
2569 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2570
2571         Build fix for ARM MSVC after r150109.
2572
2573         Read the stub template from a header file instead of JITStubs.cpp.
2574
2575         * CMakeLists.txt:
2576         * DerivedSources.pri:
2577         * create_jit_stubs:
2578
2579 2013-08-05  Oliver Hunt  <oliver@apple.com>
2580
2581         Move TypedArray implementation into JSC
2582         https://bugs.webkit.org/show_bug.cgi?id=119489
2583
2584         Reviewed by Filip Pizlo.
2585
2586         Move TypedArray implementation into JSC in advance of re-implementation
2587
2588         * GNUmakefile.list.am:
2589         * JSCTypedArrayStubs.h:
2590         * JavaScriptCore.xcodeproj/project.pbxproj:
2591         * runtime/ArrayBuffer.cpp: Renamed from Source/WTF/wtf/ArrayBuffer.cpp.
2592         (JSC::ArrayBuffer::transfer):
2593         (JSC::ArrayBuffer::addView):
2594         (JSC::ArrayBuffer::removeView):
2595         * runtime/ArrayBuffer.h: Renamed from Source/WTF/wtf/ArrayBuffer.h.
2596         (JSC::ArrayBufferContents::ArrayBufferContents):
2597         (JSC::ArrayBufferContents::data):
2598         (JSC::ArrayBufferContents::sizeInBytes):
2599         (JSC::ArrayBufferContents::transfer):
2600         (JSC::ArrayBufferContents::copyTo):
2601         (JSC::ArrayBuffer::isNeutered):
2602         (JSC::ArrayBuffer::~ArrayBuffer):
2603         (JSC::ArrayBuffer::clampValue):
2604         (JSC::ArrayBuffer::create):
2605         (JSC::ArrayBuffer::createUninitialized):
2606         (JSC::ArrayBuffer::ArrayBuffer):
2607         (JSC::ArrayBuffer::data):
2608         (JSC::ArrayBuffer::byteLength):
2609         (JSC::ArrayBuffer::slice):
2610         (JSC::ArrayBuffer::sliceImpl):
2611         (JSC::ArrayBuffer::clampIndex):
2612         (JSC::ArrayBufferContents::tryAllocate):
2613         (JSC::ArrayBufferContents::~ArrayBufferContents):
2614         * runtime/ArrayBufferView.cpp: Renamed from Source/WTF/wtf/ArrayBufferView.cpp.
2615         (JSC::ArrayBufferView::ArrayBufferView):
2616         (JSC::ArrayBufferView::~ArrayBufferView):
2617         (JSC::ArrayBufferView::neuter):
2618         * runtime/ArrayBufferView.h: Renamed from Source/WTF/wtf/ArrayBufferView.h.
2619         (JSC::ArrayBufferView::buffer):
2620         (JSC::ArrayBufferView::baseAddress):
2621         (JSC::ArrayBufferView::byteOffset):
2622         (JSC::ArrayBufferView::setNeuterable):
2623         (JSC::ArrayBufferView::isNeuterable):
2624         (JSC::ArrayBufferView::verifySubRange):
2625         (JSC::ArrayBufferView::clampOffsetAndNumElements):
2626         (JSC::ArrayBufferView::setImpl):
2627         (JSC::ArrayBufferView::setRangeImpl):
2628         (JSC::ArrayBufferView::zeroRangeImpl):
2629         (JSC::ArrayBufferView::calculateOffsetAndLength):
2630         * runtime/Float32Array.h: Renamed from Source/WTF/wtf/Float32Array.h.
2631         (JSC::Float32Array::set):
2632         (JSC::Float32Array::getType):
2633         (JSC::Float32Array::create):
2634         (JSC::Float32Array::createUninitialized):
2635         (JSC::Float32Array::Float32Array):
2636         (JSC::Float32Array::subarray):
2637         * runtime/Float64Array.h: Renamed from Source/WTF/wtf/Float64Array.h.
2638         (JSC::Float64Array::set):
2639         (JSC::Float64Array::getType):
2640         (JSC::Float64Array::create):
2641         (JSC::Float64Array::createUninitialized):
2642         (JSC::Float64Array::Float64Array):
2643         (JSC::Float64Array::subarray):
2644         * runtime/Int16Array.h: Renamed from Source/WTF/wtf/Int16Array.h.
2645         (JSC::Int16Array::getType):
2646         (JSC::Int16Array::create):
2647         (JSC::Int16Array::createUninitialized):
2648         (JSC::Int16Array::Int16Array):
2649         (JSC::Int16Array::subarray):
2650         * runtime/Int32Array.h: Renamed from Source/WTF/wtf/Int32Array.h.
2651         (JSC::Int32Array::getType):
2652         (JSC::Int32Array::create):
2653         (JSC::Int32Array::createUninitialized):
2654         (JSC::Int32Array::Int32Array):
2655         (JSC::Int32Array::subarray):
2656         * runtime/Int8Array.h: Renamed from Source/WTF/wtf/Int8Array.h.
2657         (JSC::Int8Array::getType):
2658         (JSC::Int8Array::create):
2659         (JSC::Int8Array::createUninitialized):
2660         (JSC::Int8Array::Int8Array):
2661         (JSC::Int8Array::subarray):
2662         * runtime/IntegralTypedArrayBase.h: Renamed from Source/WTF/wtf/IntegralTypedArrayBase.h.
2663         (JSC::IntegralTypedArrayBase::set):
2664         (JSC::IntegralTypedArrayBase::IntegralTypedArrayBase):
2665         * runtime/TypedArrayBase.h: Renamed from Source/WTF/wtf/TypedArrayBase.h.
2666         (JSC::TypedArrayBase::data):
2667         (JSC::TypedArrayBase::set):
2668         (JSC::TypedArrayBase::setRange):
2669         (JSC::TypedArrayBase::zeroRange):
2670         (JSC::TypedArrayBase::length):
2671         (JSC::TypedArrayBase::byteLength):
2672         (JSC::TypedArrayBase::item):
2673         (JSC::TypedArrayBase::checkInboundData):
2674         (JSC::TypedArrayBase::TypedArrayBase):
2675         (JSC::TypedArrayBase::create):
2676         (JSC::TypedArrayBase::createUninitialized):
2677         (JSC::TypedArrayBase::subarrayImpl):
2678         (JSC::TypedArrayBase::neuter):
2679         * runtime/Uint16Array.h: Renamed from Source/WTF/wtf/Uint16Array.h.
2680         (JSC::Uint16Array::getType):
2681         (JSC::Uint16Array::create):
2682         (JSC::Uint16Array::createUninitialized):
2683         (JSC::Uint16Array::Uint16Array):
2684         (JSC::Uint16Array::subarray):
2685         * runtime/Uint32Array.h: Renamed from Source/WTF/wtf/Uint32Array.h.
2686         (JSC::Uint32Array::getType):
2687         (JSC::Uint32Array::create):
2688         (JSC::Uint32Array::createUninitialized):
2689         (JSC::Uint32Array::Uint32Array):
2690         (JSC::Uint32Array::subarray):
2691         * runtime/Uint8Array.h: Renamed from Source/WTF/wtf/Uint8Array.h.
2692         (JSC::Uint8Array::getType):
2693         (JSC::Uint8Array::create):
2694         (JSC::Uint8Array::createUninitialized):
2695         (JSC::Uint8Array::Uint8Array):
2696         (JSC::Uint8Array::subarray):
2697         * runtime/Uint8ClampedArray.h: Renamed from Source/WTF/wtf/Uint8ClampedArray.h.
2698         (JSC::Uint8ClampedArray::getType):
2699         (JSC::Uint8ClampedArray::create):
2700         (JSC::Uint8ClampedArray::createUninitialized):
2701         (JSC::Uint8ClampedArray::zeroFill):
2702         (JSC::Uint8ClampedArray::set):
2703         (JSC::Uint8ClampedArray::Uint8ClampedArray):
2704         (JSC::Uint8ClampedArray::subarray):
2705         * runtime/VM.h:
2706
2707 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
2708
2709         Copied space should be able to handle more than one copied backing store per JSCell
2710         https://bugs.webkit.org/show_bug.cgi?id=119471
2711
2712         Reviewed by Mark Hahnenberg.
2713         
2714         This allows a cell to call copyLater() multiple times for multiple different
2715         backing stores, and then have copyBackingStore() called exactly once for each
2716         of those. A token tells it which backing store to copy. All backing stores
2717         must be named using the CopyToken, an enumeration which currently cannot
2718         exceed eight entries.
2719         
2720         When copyBackingStore() is called, it's up to the callee to (a) use the token
2721         to decide what to copy and (b) call its base class's copyBackingStore() in
2722         case the base class had something that needed copying. The only exception is
2723         that JSCell never asks anything to be copied, and so if your base is JSCell
2724         then you don't have to do anything.
2725
2726         * GNUmakefile.list.am:
2727         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2728         * JavaScriptCore.xcodeproj/project.pbxproj:
2729         * heap/CopiedBlock.h:
2730         * heap/CopiedBlockInlines.h:
2731         (JSC::CopiedBlock::reportLiveBytes):
2732         * heap/CopyToken.h: Added.
2733         * heap/CopyVisitor.cpp:
2734         (JSC::CopyVisitor::copyFromShared):
2735         * heap/CopyVisitor.h:
2736         * heap/CopyVisitorInlines.h:
2737         (JSC::CopyVisitor::visitItem):
2738         * heap/CopyWorkList.h:
2739         (JSC::CopyWorklistItem::CopyWorklistItem):
2740         (JSC::CopyWorklistItem::cell):
2741         (JSC::CopyWorklistItem::token):
2742         (JSC::CopyWorkListSegment::get):
2743         (JSC::CopyWorkListSegment::append):
2744         (JSC::CopyWorkListSegment::data):
2745         (JSC::CopyWorkListIterator::get):
2746         (JSC::CopyWorkListIterator::operator*):
2747         (JSC::CopyWorkListIterator::operator->):
2748         (JSC::CopyWorkList::append):
2749         * heap/SlotVisitor.h:
2750         * heap/SlotVisitorInlines.h:
2751         (JSC::SlotVisitor::copyLater):
2752         * runtime/ClassInfo.h:
2753         * runtime/JSCell.cpp:
2754         (JSC::JSCell::copyBackingStore):
2755         * runtime/JSCell.h:
2756         * runtime/JSObject.cpp:
2757         (JSC::JSObject::visitButterfly):
2758         (JSC::JSObject::copyBackingStore):
2759         * runtime/JSObject.h:
2760
2761 2013-08-05  Zan Dobersek  <zdobersek@igalia.com>
2762
2763         [Automake] Define ENABLE_JIT through the Autoconf header
2764         https://bugs.webkit.org/show_bug.cgi?id=119445
2765
2766         Reviewed by Martin Robinson.
2767
2768         * GNUmakefile.am: Remove JSC_CPPFLAGS from the cpp flags for the JSC library.
2769
2770 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
2771
2772         hasIndexingHeader() ought really to be a property of an object and its structure, not just its structure
2773         https://bugs.webkit.org/show_bug.cgi?id=119470
2774
2775         Reviewed by Oliver Hunt.
2776         
2777         Structure can still tell you if the object "could" (in the conservative sense)
2778         have an indexing header; that's used by the compiler.
2779         
2780         Most of the time if you want to know if there's an indexing header, you ask the
2781         JSObject.
2782         
2783         In some cases, the JSObject wants to know if it would have an indexing header if
2784         it had a different structure; then it uses Structure::hasIndexingHeader(JSCell*).
2785
2786         * dfg/DFGRepatch.cpp:
2787         (JSC::DFG::tryCachePutByID):
2788         (JSC::DFG::tryBuildPutByIdList):
2789         * dfg/DFGSpeculativeJIT.cpp:
2790         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2791         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2792         * runtime/ButterflyInlines.h:
2793         (JSC::Butterfly::create):
2794         (JSC::Butterfly::growPropertyStorage):
2795         (JSC::Butterfly::growArrayRight):
2796         (JSC::Butterfly::resizeArray):
2797         * runtime/JSObject.cpp:
2798         (JSC::JSObject::copyButterfly):
2799         (JSC::JSObject::visitButterfly):
2800         * runtime/JSObject.h:
2801         (JSC::JSObject::hasIndexingHeader):
2802         (JSC::JSObject::setButterfly):
2803         * runtime/Structure.h:
2804         (JSC::Structure::couldHaveIndexingHeader):
2805         (JSC::Structure::hasIndexingHeader):
2806
2807 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
2808
2809         Give the error object's stack property accessor attributes.
2810         https://bugs.webkit.org/show_bug.cgi?id=119404
2811
2812         Reviewed by Geoffrey Garen.
2813         
2814         Changed the attributes of error object's stack property to allow developers to write
2815         and delete the stack property. This will match the functionality of Chrome. Firefox  
2816         allows developers to write the error's stack, but not delete it. 
2817
2818         * interpreter/Interpreter.cpp:
2819         (JSC::Interpreter::addStackTraceIfNecessary):
2820         * runtime/ErrorInstance.cpp:
2821         (JSC::ErrorInstance::finishCreation):
2822
2823 2013-08-02  Oliver Hunt  <oliver@apple.com>
2824
2825         Incorrect type speculation reported by ToPrimitive
2826         https://bugs.webkit.org/show_bug.cgi?id=119458
2827
2828         Reviewed by Mark Hahnenberg.
2829
2830         Make sure that we report the correct type possibilities for the output
2831         from ToPrimitive
2832
2833         * dfg/DFGAbstractInterpreterInlines.h:
2834         (JSC::DFG::::executeEffects):
2835
2836 2013-08-02  Gavin Barraclough  <barraclough@apple.com>
2837
2838         Remove no-arguments constructor to PropertySlot
2839         https://bugs.webkit.org/show_bug.cgi?id=119460
2840
2841         Reviewed by Geoff Garen.
2842
2843         This constructor was unsafe if getValue is subsequently called,
2844         and the property is a getter. Simplest to just remove it.
2845
2846         * runtime/Arguments.cpp:
2847         (JSC::Arguments::defineOwnProperty):
2848         * runtime/JSActivation.cpp:
2849         (JSC::JSActivation::getOwnPropertyDescriptor):
2850         * runtime/JSFunction.cpp:
2851         (JSC::JSFunction::getOwnPropertyDescriptor):
2852         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2853         (JSC::JSFunction::put):
2854         (JSC::JSFunction::defineOwnProperty):
2855         * runtime/JSGlobalObject.cpp:
2856         (JSC::JSGlobalObject::defineOwnProperty):
2857         * runtime/JSGlobalObject.h:
2858         (JSC::JSGlobalObject::hasOwnPropertyForWrite):
2859         * runtime/JSNameScope.cpp:
2860         (JSC::JSNameScope::put):
2861         * runtime/JSONObject.cpp:
2862         (JSC::Stringifier::Holder::appendNextProperty):
2863         (JSC::Walker::walk):
2864         * runtime/JSObject.cpp:
2865         (JSC::JSObject::hasProperty):
2866         (JSC::JSObject::hasOwnProperty):
2867         (JSC::JSObject::reifyStaticFunctionsForDelete):
2868         * runtime/Lookup.h:
2869         (JSC::getStaticPropertyDescriptor):
2870         (JSC::getStaticFunctionDescriptor):
2871         (JSC::getStaticValueDescriptor):
2872         * runtime/ObjectConstructor.cpp:
2873         (JSC::defineProperties):
2874         * runtime/PropertySlot.h:
2875
2876 2013-08-02  Mark Hahnenberg  <mhahnenberg@apple.com>
2877
2878         DFG validation can cause assertion failures due to dumping
2879         https://bugs.webkit.org/show_bug.cgi?id=119456
2880
2881         Reviewed by Geoffrey Garen.
2882
2883         * bytecode/CodeBlock.cpp:
2884         (JSC::CodeBlock::hasHash):
2885         (JSC::CodeBlock::isSafeToComputeHash):
2886         (JSC::CodeBlock::hash):
2887         (JSC::CodeBlock::dumpAssumingJITType):
2888         * bytecode/CodeBlock.h:
2889
2890 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
2891
2892         Have vm's exceptionStack match java's vm's exceptionStack.
2893         https://bugs.webkit.org/show_bug.cgi?id=119362
2894
2895         Reviewed by Geoffrey Garen.
2896         
2897         The error object's stack is only updated if it does not exist yet. This matches 
2898         the functionality of other browsers, and Java VMs. 
2899
2900         * interpreter/Interpreter.cpp:
2901         (JSC::Interpreter::addStackTraceIfNecessary):
2902         (JSC::Interpreter::throwException):
2903         * runtime/VM.cpp:
2904         (JSC::VM::clearExceptionStack):
2905         * runtime/VM.h:
2906         (JSC::VM::lastExceptionStack):
2907
2908 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
2909
2910         REGRESSION(FTL): Fix mips implementation of ctiVMThrowTrampolineSlowpath.
2911         https://bugs.webkit.org/show_bug.cgi?id=119447
2912
2913         Reviewed by Geoffrey Garen.
2914
2915         Fix .cpload, update call frame and do not restore registers from JIT stack frame in
2916         mips implementation of ctiVMThrowTrampolineSlowpath. This change is similar to
2917         r153583 (sh4) and r153648 (ARM).
2918
2919         * jit/JITStubsMIPS.h:
2920
2921 2013-08-01  Filip Pizlo  <fpizlo@apple.com>
2922
2923         hasIndexingHeader should be a property of the Structure, not just the IndexingType
2924         https://bugs.webkit.org/show_bug.cgi?id=119422
2925
2926         Reviewed by Oliver Hunt.
2927         
2928         This simplifies some code and also allows Structure to claim that an object
2929         has an indexing header even if it doesn't have indexed properties.
2930         
2931         I also changed some calls to use hasIndexedProperties() since in some cases,
2932         that's what we actually meant. Currently the two are synonyms.
2933
2934         * dfg/DFGRepatch.cpp:
2935         (JSC::DFG::tryCachePutByID):
2936         (JSC::DFG::tryBuildPutByIdList):
2937         * dfg/DFGSpeculativeJIT.cpp:
2938         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2939         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2940         * runtime/ButterflyInlines.h:
2941         (JSC::Butterfly::create):
2942         (JSC::Butterfly::growPropertyStorage):
2943         (JSC::Butterfly::growArrayRight):
2944         (JSC::Butterfly::resizeArray):
2945         * runtime/IndexingType.h:
2946         * runtime/JSObject.cpp:
2947         (JSC::JSObject::copyButterfly):
2948         (JSC::JSObject::visitButterfly):
2949         (JSC::JSObject::setPrototype):
2950         * runtime/JSObject.h:
2951         (JSC::JSObject::setButterfly):
2952         * runtime/JSPropertyNameIterator.cpp:
2953         (JSC::JSPropertyNameIterator::create):
2954         * runtime/Structure.h:
2955         (JSC::Structure::hasIndexingHeader):
2956
2957 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
2958
2959         REGRESSION: ARM still crashes after change set r153612.
2960         https://bugs.webkit.org/show_bug.cgi?id=119433
2961
2962         Reviewed by Michael Saboff.
2963
2964         Update call frame and do not restore registers from JIT stack frame in ARM and ARMv7
2965         implementations of ctiVMThrowTrampolineSlowpath. This change is similar to r153583
2966         for sh4 architecture.
2967
2968         * jit/JITStubsARM.h:
2969         * jit/JITStubsARMv7.h:
2970
2971 2013-08-02  Michael Saboff  <msaboff@apple.com>
2972
2973         REGRESSION(r153612): It made jsc and layout tests crash
2974         https://bugs.webkit.org/show_bug.cgi?id=119440
2975
2976         Reviewed by Csaba Osztrogonác.
2977
2978         Made the changes of changeset r153612 only apply to 32-bit builds.
2979
2980         * jit/JITExceptions.cpp:
2981         * jit/JITExceptions.h:
2982         * jit/JITStubs.cpp:
2983         (JSC::cti_vm_throw_slowpath):
2984         * jit/JITStubs.h:
2985
2986 2013-08-02  Patrick Gansterer  <paroga@webkit.org>
2987
2988         Add JSCTestRunnerUtils to the list of forwarding headers to fix build.
2989
2990         * CMakeLists.txt:
2991
2992 2013-08-01  Ruth Fong  <ruth_fong@apple.com>
2993
2994         [Forms: color] <input type='color'> popover color well implementation
2995         <rdar://problem/14411008> and https://bugs.webkit.org/show_bug.cgi?id=119356
2996
2997         Reviewed by Benjamin Poulain.
2998
2999         * Configurations/FeatureDefines.xcconfig: Added and enabled INPUT_TYPE_COLOR_POPOVER.
3000
3001 2013-08-01  Oliver Hunt  <oliver@apple.com>
3002
3003         DFG is not enforcing correct ordering of ToString conversion in MakeRope
3004         https://bugs.webkit.org/show_bug.cgi?id=119408
3005
3006         Reviewed by Filip Pizlo.
3007
3008         Construct ToString and Phantom nodes in advance of MakeRope
3009         nodes to ensure that ordering is ensured, and correct values
3010         will be reified on OSR exit.
3011
3012         * dfg/DFGByteCodeParser.cpp:
3013         (JSC::DFG::ByteCodeParser::parseBlock):
3014
3015 2013-08-01  Michael Saboff  <msaboff@apple.com>
3016
3017         REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
3018         https://bugs.webkit.org/show_bug.cgi?id=119140
3019
3020         Reviewed by Filip Pizlo.
3021
3022         Ensure that ExceptionHandler is returned by functions in two registers by encoding the value as a 64-bit int.
3023
3024         * jit/JITExceptions.cpp:
3025         (JSC::encode):
3026         * jit/JITExceptions.h:
3027         * jit/JITStubs.cpp:
3028         (JSC::cti_vm_throw_slowpath):
3029         * jit/JITStubs.h:
3030
3031 2013-08-01  Julien Brianceau  <jbrianceau@nds.com>
3032
3033         REGRESSION(FTL): Fix sh4 implementation of ctiVMThrowTrampolineSlowpath.
3034         https://bugs.webkit.org/show_bug.cgi?id=119391
3035
3036         Reviewed by Csaba Osztrogonác.
3037
3038         * jit/JITStubsSH4.h: Fix ctiVMThrowTrampolineSlowpath implementation:
3039             - Call frame is in r14 register.
3040             - Do not restore registers from JIT stack frame here.
3041
3042 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
3043
3044         More cleanup in PropertySlot
3045         https://bugs.webkit.org/show_bug.cgi?id=119359
3046
3047         Reviewed by Geoff Garen.
3048
3049         m_slotBase is overloaded to store the (receiver) thisValue and the object that contains the property.
3050         This is confusing, and means that slotBase cannot be typed correctly (can only be a JSObject).
3051
3052         * dfg/DFGRepatch.cpp:
3053         (JSC::DFG::tryCacheGetByID):
3054         (JSC::DFG::tryBuildGetByIDList):
3055             - No need to ASSERT slotBase is an object.
3056         * jit/JITStubs.cpp:
3057         (JSC::tryCacheGetByID):
3058         (JSC::DEFINE_STUB_FUNCTION):
3059             - No need to ASSERT slotBase is an object.
3060         * runtime/JSObject.cpp:
3061         (JSC::JSObject::getOwnPropertySlotByIndex):
3062         (JSC::JSObject::fillGetterPropertySlot):
3063             - Pass an object through to setGetterSlot.
3064         * runtime/JSObject.h:
3065         (JSC::PropertySlot::getValue):
3066             - Moved from PropertySlot (need to know about JSObject).
3067         * runtime/PropertySlot.cpp:
3068         (JSC::PropertySlot::functionGetter):
3069             - update per member name changes
3070         * runtime/PropertySlot.h:
3071         (JSC::PropertySlot::PropertySlot):
3072             - Argument to constructor set to 'thisValue'.
3073         (JSC::PropertySlot::slotBase):
3074             - This returns a JSObject*.
3075         (JSC::PropertySlot::setValue):
3076         (JSC::PropertySlot::setCustom):
3077         (JSC::PropertySlot::setCacheableCustom):
3078         (JSC::PropertySlot::setCustomIndex):
3079         (JSC::PropertySlot::setGetterSlot):
3080         (JSC::PropertySlot::setCacheableGetterSlot):
3081             - slotBase is a JSObject*, make setGetterSlot set slotBase for consistency.
3082         * runtime/SparseArrayValueMap.cpp:
3083         (JSC::SparseArrayEntry::get):
3084             - Pass an object through to setGetterSlot.
3085         * runtime/SparseArrayValueMap.h:
3086             - Pass an object through to setGetterSlot.
3087
3088 2013-07-31  Yi Shen  <max.hong.shen@gmail.com>
3089
3090         Reduce JSC API static value setter/getter overhead.
3091         https://bugs.webkit.org/show_bug.cgi?id=119277
3092
3093         Reviewed by Geoffrey Garen.
3094
3095         Add property name to the static value entry, so that OpaqueJSString::create() doesn't
3096         need to be called every time the static value is set or retrieved.
3097
3098         * API/JSCallbackObjectFunctions.h:
3099         (JSC::::put):
3100         (JSC::::putByIndex):
3101         (JSC::::getStaticValue):
3102         * API/JSClassRef.cpp:
3103         (OpaqueJSClassContextData::OpaqueJSClassContextData):
3104         * API/JSClassRef.h:
3105         (StaticValueEntry::StaticValueEntry):
3106
3107 2013-07-31  Kwang Yul Seo  <skyul@company100.net>
3108
3109         Use emptyString instead of String("")
3110         https://bugs.webkit.org/show_bug.cgi?id=119335
3111
3112         Reviewed by Darin Adler.
3113
3114         Use emptyString() instead of String("") because it is better style and
3115         faster. This is a followup to r116908, removing all occurrences of
3116         String("") from WebKit.
3117
3118         * runtime/RegExpConstructor.cpp:
3119         (JSC::constructRegExp):
3120         * runtime/RegExpPrototype.cpp:
3121         (JSC::regExpProtoFuncCompile):
3122         * runtime/StringPrototype.cpp:
3123         (JSC::stringProtoFuncMatch):
3124         (JSC::stringProtoFuncSearch):
3125
3126 2013-07-31  Ruth Fong  <ruth_fong@apple.com>
3127
3128         <input type=color> Mac UI behaviour
3129         <rdar://problem/10269922> and https://bugs.webkit.org/show_bug.cgi?id=61276
3130
3131         Reviewed by Brady Eidson.
3132
3133         * Configurations/FeatureDefines.xcconfig: Enabled INPUT_TYPE_COLOR.
3134
3135 2013-07-31  Mark Hahnenberg  <mhahnenberg@apple.com>
3136
3137         DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT
3138         https://bugs.webkit.org/show_bug.cgi?id=119349
3139
3140         Reviewed by Geoffrey Garen.
3141
3142         Prior to this patch, the baseline JIT was responsible for resizing the ctiOffsets Vector for 
3143         SimpleJumpTables to be equal to the size of the branchOffsets Vector. The DFG implicitly relied
3144         on code it compiled with any switch statements to have been run in the baseline JIT first. 
3145         However, if the DFG chooses to inline a function that has never been compiled by the baseline 
3146         JIT then this resizing never happens and we crash at link time in the DFG.
3147
3148         We can fix this by also doing the resize in the DFG to catch this case.
3149
3150         * dfg/DFGJITCompiler.cpp:
3151         (JSC::DFG::JITCompiler::link):
3152
3153 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
3154
3155         Speculative Windows build fix.
3156
3157         Reviewed by NOBODY
3158
3159         * runtime/JSString.cpp:
3160         (JSC::JSRopeString::getIndexSlowCase):
3161         * runtime/JSString.h:
3162
3163 2013-07-30  Gavin Barraclough  <barraclough@apple.com>
3164
3165         Some cleanup in JSValue::get
3166         https://bugs.webkit.org/show_bug.cgi?id=119343
3167
3168         Reviewed by Geoff Garen.
3169
3170         JSValue::get is implemented to:
3171             1) Check if the value is a cell – if not, synthesize a prototype to search,
3172             2) call getOwnPropertySlot on the cell,
3173             3) if this returns false, cast to JSObject to get the prototype, and walk the prototype chain.
3174         By all rights this should crash when passed a string and accessing a property that does not exist, because
3175         the string is a cell, getOwnPropertySlot should return false, and the cast to JSObject should be unsafe.
3176         To work around this, JSString::getOwnPropertySlot actually implements 'get' functionality - searching the
3177         prototype chain, and faking out a return value of undefined if no property is found.
3178
3179         This is a huge hazard, since fixing JSString::getOwnPropertySlot or calling getOwnPropertySlot on cells
3180         from elsewhere would introduce bugs. Fortunately it is only ever called in this one place.
3181
3182         The fix here is to move getOwnPropertySlot onto JSObject and end this madness - cells don't have property
3183         slots anyway.
3184
3185         Interesting changes are in JSCJSValueInlines.h, JSString.cpp - the rest is pretty much all JSCell -> JSObject.
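
As an added illustration (not WebKit's code), the following JavaScript models the three-step lookup this entry describes for JSValue::get against ECMAScript semantics rather than JSC internals; synthesizePrototype, isObjectValue, lookupLikeJSValueGet and modelAgreesWithEngine are names invented here.

```javascript
// Added example, not WebKit code: a JavaScript model of the three-step lookup the
// ChangeLog entry describes for JSValue::get. All function names are invented here.

function isObjectValue(value) {
  return (typeof value === 'object' && value !== null) || typeof value === 'function';
}

// Step 1: a primitive has no property slots of its own, so the search continues from the
// prototype its wrapper object would have. null and undefined have nothing to search.
function synthesizePrototype(value) {
  switch (typeof value) {
    case 'string': return String.prototype;
    case 'number': return Number.prototype;
    case 'boolean': return Boolean.prototype;
    case 'symbol': return Symbol.prototype;
    case 'bigint': return BigInt.prototype;
    default: return null;
  }
}

// Steps 2 and 3: ask each object on the chain for its own slot, stop at the first hit
// (calling a getter with the original receiver), and yield undefined once the chain
// runs out. This is the post-fix shape: only objects answer the own-slot query, so a
// string no longer has to fake a prototype walk and an undefined result itself.
function lookupLikeJSValueGet(value, key) {
  if (value === null || value === undefined) {
    throw new TypeError(`Cannot read property '${String(key)}' of ${value}`);
  }
  let holder;
  if (isObjectValue(value)) {
    holder = value;
  } else {
    // String primitives do carry 'length' and index properties of their own; the model
    // answers those from the boxed string before starting the prototype walk.
    if (typeof value === 'string') {
      const own = Object.getOwnPropertyDescriptor(Object(value), key);
      if (own !== undefined) return own.value;
    }
    holder = synthesizePrototype(value);
  }
  for (; holder !== null; holder = Object.getPrototypeOf(holder)) {
    const desc = Object.getOwnPropertyDescriptor(holder, key);
    if (desc === undefined) continue;                                  // no own slot here, keep walking
    if ('value' in desc) return desc.value;                             // data slot
    return desc.get === undefined ? undefined : desc.get.call(value);  // accessor slot
  }
  return undefined; // chain exhausted: the "string.noSuchProperty" case the entry worries about
}

// Cross-check the model against the engine's own [[Get]] on a few constructed inputs,
// including a getter reached through the prototype chain with the original receiver.
function modelAgreesWithEngine() {
  const proto = { get twice() { return this.n * 2; } };
  const child = Object.create(proto);
  child.n = 21;
  const cases = [
    ['abc', 'length'], ['abc', 1], ['abc', 'toUpperCase'], ['abc', 'noSuchProperty'],
    [42, 'toFixed'], [true, 'valueOf'], [child, 'twice'], [child, 'n'], [child, 'missing'],
  ];
  return cases.every(([value, key]) => lookupLikeJSValueGet(value, key) === value[key]);
}
```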
3186
3187 2013-07-31  Michael Saboff  <msaboff@apple.com>
3188
3189         [Win] JavaScript crash.
3190         https://bugs.webkit.org/show_bug.cgi?id=119339
3191
3192         Reviewed by Mark Hahnenberg.
3193
3194         * jit/JITStubsX86.h: Implement ctiVMThrowTrampoline and
3195         ctiVMThrowTrampolineSlowpath the same way as the gcc x86 version does.
3196
3197 2013-07-30  Mark Hahnenberg  <mhahnenberg@apple.com>
3198
3199         GetByVal on Arguments does the wrong size load when checking the Arguments object length
3200         https://bugs.webkit.org/show_bug.cgi?id=119281
3201
3202         Reviewed by Geoffrey Garen.
3203
3204         This leads to out of bounds accesses and subsequent crashes.
3205
3206         * dfg/DFGSpeculativeJIT.cpp:
3207         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
3208         * dfg/DFGSpeculativeJIT64.cpp:
3209         (JSC::DFG::SpeculativeJIT::compile):
3210
3211 2013-07-30  Oliver Hunt  <oliver@apple.com>
3212
3213         Add an assertion to SpeculateCellOperand
3214         https://bugs.webkit.org/show_bug.cgi?id=119276
3215
3216         Reviewed by Michael Saboff.
3217
3218         More assertions are better
3219
3220         * dfg/DFGSpeculativeJIT64.cpp:
3221         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3222         (JSC::DFG::SpeculativeJIT::compile):
3223
3224 2013-07-30  Mark Lam  <mark.lam@apple.com>
3225
3226         Fix problems with divot and lineStart mismatches.
3227         https://bugs.webkit.org/show_bug.cgi?id=118662.
3228
3229         Reviewed by Oliver Hunt.
3230
3231         r152494 added the recording of lineStart values for divot positions.
3232         This is needed for the computation of column numbers. Similarly, it also
3233         added the recording of line numbers for the divot positions. One problem
3234         with the approach taken was that the line and lineStart values were
3235         recorded independently, and hence were not always guaranteed to be
3236         sampled at the same place that the divot position is recorded. This
3237         resulted in potential mismatches that cause some assertions to fail.
3238
3239         The solution is to introduce a JSTextPosition abstraction that records
3240         the divot position, line, and lineStart as a single quantity. Wherever
3241         we record the divot position as an unsigned int previously, we now record
3242         its JSTextPosition which captures all 3 values in one go. This ensures
3243         that the captured line and lineStart will always match the captured divot
3244         position.
3245
3246         * bytecompiler/BytecodeGenerator.cpp:
3247         (JSC::BytecodeGenerator::emitCall):
3248         (JSC::BytecodeGenerator::emitCallEval):
3249         (JSC::BytecodeGenerator::emitCallVarargs):
3250         (JSC::BytecodeGenerator::emitConstruct):
3251         (JSC::BytecodeGenerator::emitDebugHook):
3252         - Use JSTextPosition instead of passing line and lineStart explicitly.
3253         * bytecompiler/BytecodeGenerator.h:
3254         (JSC::BytecodeGenerator::emitExpressionInfo):
3255         - Use JSTextPosition instead of passing line and lineStart explicitly.
3256         * bytecompiler/NodesCodegen.cpp:
3257         (JSC::ThrowableExpressionData::emitThrowReferenceError):
3258         (JSC::ResolveNode::emitBytecode):
3259         (JSC::BracketAccessorNode::emitBytecode):
3260         (JSC::DotAccessorNode::emitBytecode):
3261         (JSC::NewExprNode::emitBytecode):
3262         (JSC::EvalFunctionCallNode::emitBytecode):
3263         (JSC::FunctionCallValueNode::emitBytecode):
3264         (JSC::FunctionCallResolveNode::emitBytecode):
3265         (JSC::FunctionCallBracketNode::emitBytecode):
3266         (JSC::FunctionCallDotNode::emitBytecode):
3267         (JSC::CallFunctionCallDotNode::emitBytecode):
3268         (JSC::ApplyFunctionCallDotNode::emitBytecode):
3269         (JSC::PostfixNode::emitResolve):
3270         (JSC::PostfixNode::emitBracket):
3271         (JSC::PostfixNode::emitDot):
3272         (JSC::DeleteResolveNode::emitBytecode):
3273         (JSC::DeleteBracketNode::emitBytecode):
3274         (JSC::DeleteDotNode::emitBytecode):
3275         (JSC::PrefixNode::emitResolve):
3276         (JSC::PrefixNode::emitBracket):
3277         (JSC::PrefixNode::emitDot):
3278         (JSC::UnaryOpNode::emitBytecode):
3279         (JSC::BinaryOpNode::emitStrcat):
3280         (JSC::BinaryOpNode::emitBytecode):
3281         (JSC::ThrowableBinaryOpNode::emitBytecode):
3282         (JSC::InstanceOfNode::emitBytecode):
3283         (JSC::emitReadModifyAssignment):
3284         (JSC::ReadModifyResolveNode::emitBytecode):
3285         (JSC::AssignResolveNode::emitBytecode):
3286         (JSC::AssignDotNode::emitBytecode):
3287         (JSC::ReadModifyDotNode::emitBytecode):
3288         (JSC::AssignBracketNode::emitBytecode):
3289         (JSC::ReadModifyBracketNode::emitBytecode):
3290         (JSC::ForInNode::emitBytecode):
3291         (JSC::WithNode::emitBytecode):
3292         (JSC::ThrowNode::emitBytecode):
3293         - Use JSTextPosition instead of passing line and lineStart explicitly.
3294         * parser/ASTBuilder.h:
3295         - Replaced ASTBuilder::PositionInfo with JSTextPosition.
3296         (JSC::ASTBuilder::BinaryOpInfo::BinaryOpInfo):
3297         (JSC::ASTBuilder::AssignmentInfo::AssignmentInfo):
3298         (JSC::ASTBuilder::createResolve):
3299         (JSC::ASTBuilder::createBracketAccess):
3300         (JSC::ASTBuilder::createDotAccess):
3301         (JSC::ASTBuilder::createRegExp):
3302         (JSC::ASTBuilder::createNewExpr):
3303         (JSC::ASTBuilder::createAssignResolve):
3304         (JSC::ASTBuilder::createExprStatement):
3305         (JSC::ASTBuilder::createForInLoop):
3306         (JSC::ASTBuilder::createReturnStatement):
3307         (JSC::ASTBuilder::createBreakStatement):
3308         (JSC::ASTBuilder::createContinueStatement):
3309         (JSC::ASTBuilder::createLabelStatement):
3310         (JSC::ASTBuilder::createWithStatement):
3311         (JSC::ASTBuilder::createThrowStatement):
3312         (JSC::ASTBuilder::appendBinaryExpressionInfo):
3313         (JSC::ASTBuilder::appendUnaryToken):
3314         (JSC::ASTBuilder::unaryTokenStackLastStart):
3315         (JSC::ASTBuilder::assignmentStackAppend):
3316         (JSC::ASTBuilder::createAssignment):
3317         (JSC::ASTBuilder::setExceptionLocation):
3318         (JSC::ASTBuilder::makeDeleteNode):
3319         (JSC::ASTBuilder::makeFunctionCallNode):
3320         (JSC::ASTBuilder::makeBinaryNode):
3321         (JSC::ASTBuilder::makeAssignNode):
3322         (JSC::ASTBuilder::makePrefixNode):
3323         (JSC::ASTBuilder::makePostfixNode):
3324         - Use JSTextPosition instead of passing line and lineStart explicitly.
3325         * parser/Lexer.cpp:
3326         (JSC::::lex):
3327         - Added support for capturing the appropriate JSTextPositions instead
3328           of just the character offset.
3329         * parser/Lexer.h:
3330         (JSC::Lexer::currentPosition):
3331         (JSC::::lexExpectIdentifier):
3332         - Added support for capturing the appropriate JSTextPositions instead
3333           of just the character offset.
3334         * parser/NodeConstructors.h:
3335         (JSC::Node::Node):
3336         (JSC::ResolveNode::ResolveNode):
3337         (JSC::EvalFunctionCallNode::EvalFunctionCallNode):
3338         (JSC::FunctionCallValueNode::FunctionCallValueNode):
3339         (JSC::FunctionCallResolveNode::FunctionCallResolveNode):
3340         (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
3341         (JSC::FunctionCallDotNode::FunctionCallDotNode):
3342         (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
3343         (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
3344         (JSC::PostfixNode::PostfixNode):
3345         (JSC::DeleteResolveNode::DeleteResolveNode):
3346         (JSC::DeleteBracketNode::DeleteBracketNode):
3347         (JSC::DeleteDotNode::DeleteDotNode):
3348         (JSC::PrefixNode::PrefixNode):
3349         (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
3350         (JSC::ReadModifyBracketNode::ReadModifyBracketNode):
3351         (JSC::AssignBracketNode::AssignBracketNode):
3352         (JSC::AssignDotNode::AssignDotNode):
3353         (JSC::ReadModifyDotNode::ReadModifyDotNode):
3354         (JSC::AssignErrorNode::AssignErrorNode):
3355         (JSC::WithNode::WithNode):
3356         (JSC::ForInNode::ForInNode):
3357         - Use JSTextPosition instead of passing line and lineStart explicitly.
3358         * parser/Nodes.cpp:
3359         (JSC::StatementNode::setLoc):
3360         - Use JSTextPosition instead of passing line and lineStart explicitly.
3361         * parser/Nodes.h:
3362         (JSC::Node::lineNo):
3363         (JSC::Node::startOffset):
3364         (JSC::Node::lineStartOffset):
3365         (JSC::Node::position):
3366         (JSC::ThrowableExpressionData::ThrowableExpressionData):
3367         (JSC::ThrowableExpressionData::setExceptionSourceCode):
3368         (JSC::ThrowableExpressionData::divot):
3369         (JSC::ThrowableExpressionData::divotStart):
3370         (JSC::ThrowableExpressionData::divotEnd):
3371         (JSC::ThrowableSubExpressionData::ThrowableSubExpressionData):
3372         (JSC::ThrowableSubExpressionData::setSubexpressionInfo):
3373         (JSC::ThrowableSubExpressionData::subexpressionDivot):
3374         (JSC::ThrowableSubExpressionData::subexpressionStart):
3375         (JSC::ThrowableSubExpressionData::subexpressionEnd):
3376         (JSC::ThrowablePrefixedSubExpressionData::ThrowablePrefixedSubExpressionData):
3377         (JSC::ThrowablePrefixedSubExpressionData::setSubexpressionInfo):
3378         (JSC::ThrowablePrefixedSubExpressionData::subexpressionDivot):
3379         (JSC::ThrowablePrefixedSubExpressionData::subexpressionStart):
3380         (JSC::ThrowablePrefixedSubExpressionData::subexpressionEnd):
3381         - Use JSTextPosition instead of passing line and lineStart explicitly.
3382         * parser/Parser.cpp:
3383         (JSC::::Parser):
3384         (JSC::::parseInner):
3385         - Use JSTextPosition instead of passing line and lineStart explicitly.
3386         (JSC::::didFinishParsing):
3387         - Remove setting of m_lastLine value. We always pass in the value from
3388           m_lastLine anyway. So, this assignment is effectively a nop.
3389         (JSC::::parseVarDeclaration):
3390         (JSC::::parseVarDeclarationList):
3391         (JSC::::parseForStatement):
3392         (JSC::::parseBreakStatement):
3393         (JSC::::parseContinueStatement):
3394         (JSC::::parseReturnStatement):
3395         (JSC::::parseThrowStatement):
3396         (JSC::::parseWithStatement):
3397         (JSC::::parseTryStatement):
3398         (JSC::::parseBlockStatement):
3399         (JSC::::parseFunctionDeclaration):
3400         (JSC::LabelInfo::LabelInfo):
3401         (JSC::::parseExpressionOrLabelStatement):
3402         (JSC::::parseExpressionStatement):
3403         (JSC::::parseAssignmentExpression):
3404         (JSC::::parseBinaryExpression):
3405         (JSC::::parseProperty):
3406         (JSC::::parsePrimaryExpression):
3407         (JSC::::parseMemberExpression):
3408         (JSC::::parseUnaryExpression):
3409         - Use JSTextPosition instead of passing line and lineStart explicitly.
3410         * parser/Parser.h:
3411         (JSC::Parser::next):
3412         (JSC::Parser::nextExpectIdentifier):
3413         (JSC::Parser::getToken):
3414         (JSC::Parser::tokenStartPosition):
3415         (JSC::Parser::tokenEndPosition):
3416         (JSC::Parser::lastTokenEndPosition):
3417         (JSC::::parse):
3418         - Use JSTextPosition instead of passing line and lineStart explicitly.
3419         * parser/ParserTokens.h:
3420         (JSC::JSTextPosition::JSTextPosition):
3421         (JSC::JSTextPosition::operator+):
3422         (JSC::JSTextPosition::operator-):
3423         (JSC::JSTextPosition::operator int):
3424         - Added JSTextPosition.
3425         * parser/SyntaxChecker.h:
3426         (JSC::SyntaxChecker::makeFunctionCallNode):
3427         (JSC::SyntaxChecker::makeAssignNode):
3428         (JSC::SyntaxChecker::makePrefixNode):
3429         (JSC::SyntaxChecker::makePostfixNode):
3430         (JSC::SyntaxChecker::makeDeleteNode):
3431         (JSC::SyntaxChecker::createResolve):
3432         (JSC::SyntaxChecker::createBracketAccess):
3433         (JSC::SyntaxChecker::createDotAccess):
3434         (JSC::SyntaxChecker::createRegExp):
3435         (JSC::SyntaxChecker::createNewExpr):
3436         (JSC::SyntaxChecker::createAssignResolve):
3437         (JSC::SyntaxChecker::createForInLoop):
3438         (JSC::SyntaxChecker::createReturnStatement):
3439         (JSC::SyntaxChecker::createBreakStatement):
3440         (JSC::SyntaxChecker::createContinueStatement):
3441         (JSC::SyntaxChecker::createWithStatement):
3442         (JSC::SyntaxChecker::createLabelStatement):
3443         (JSC::SyntaxChecker::createThrowStatement):
3444         (JSC::SyntaxChecker::appendBinaryExpressionInfo):
3445         (JSC::SyntaxChecker::operatorStackPop):
3446         - Use JSTextPosition instead of passing line and lineStart explicitly.
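
As an added illustration (not WebKit's code), the following JavaScript models the JSTextPosition idea from this entry: a scanner that snapshots offset, line and lineStart together, next to the pre-fix pattern of sampling line and lineStart separately from the divot; TextPosition, Scanner, divotsBundled and divotsSampledSeparately are names invented here.

```javascript
// Added example, not WebKit code: a small model of the JSTextPosition abstraction this
// entry introduces. TextPosition, Scanner and the two divot helpers are invented here.

// Bundles the three values a divot needs so they are always sampled at the same place.
class TextPosition {
  constructor(line, offset, lineStart) {
    this.line = line;           // 1-based line number
    this.offset = offset;       // character offset into the source (the divot)
    this.lineStart = lineStart; // offset of the first character of `line`
  }
  get column() { return this.offset - this.lineStart; } // 0-based column
}

// A scanner that maintains line and lineStart as it consumes characters.
class Scanner {
  constructor(source) {
    this.source = source;
    this.offset = 0;
    this.line = 1;
    this.lineStart = 0;
  }
  atEnd() { return this.offset >= this.source.length; }
  peek() { return this.source[this.offset]; }
  advance() {
    if (this.peek() === '\n') { this.line += 1; this.lineStart = this.offset + 1; }
    this.offset += 1;
  }
  skipWhitespace() { while (!this.atEnd() && /\s/.test(this.peek())) this.advance(); }
  // One snapshot of all three values: the JSTextPosition idea.
  currentPosition() { return new TextPosition(this.line, this.offset, this.lineStart); }
  // Next identifier token as { text, start }, or null at end of input.
  nextIdentifier() {
    this.skipWhitespace();
    if (this.atEnd()) return null;
    const start = this.currentPosition();
    while (!this.atEnd() && /\w/.test(this.peek())) this.advance();
    return { text: this.source.slice(start.offset, this.offset), start };
  }
}

// Post-fix: the divot is recorded as a single TextPosition, so line and column
// always describe the same point as the offset.
function divotsBundled(source) {
  const scanner = new Scanner(source);
  const out = [];
  for (let tok = scanner.nextIdentifier(); tok !== null; tok = scanner.nextIdentifier()) {
    out.push({ text: tok.text, line: tok.start.line, column: tok.start.column });
  }
  return out;
}

// Pre-fix hazard: the divot offset is taken at the token start, but line and lineStart are
// read later, after a lookahead that may have crossed a newline. Columns then go negative
// and lines are off by one, which is the mismatch the entry's assertions caught.
function divotsSampledSeparately(source) {
  const scanner = new Scanner(source);
  const out = [];
  for (let tok = scanner.nextIdentifier(); tok !== null; tok = scanner.nextIdentifier()) {
    const divot = tok.start.offset;
    scanner.skipWhitespace();          // lookahead past the token
    const line = scanner.line;         // sampled after the scanner moved
    const lineStart = scanner.lineStart;
    out.push({ text: tok.text, line, column: divot - lineStart });
  }
  return out;
}

// Constructed sample input: three lines, second one indented by two spaces.
const SAMPLE_SOURCE = 'foo\n  bar baz\nqux';
```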
3447
3448 2013-07-29  Carlos Garcia Campos  <cgarcia@igalia.com>
3449
3450         Unreviewed. Fix make distcheck.
3451
3452         * GNUmakefile.list.am: Add missing files to compilation.
3453         * bytecode/CodeBlock.cpp: Add a ENABLE(FTL_JIT) #if block to
3454         include FTL header files not included in the compilation.
3455         * dfg/DFGDriver.cpp: Ditto.
3456         * dfg/DFGPlan.cpp: Ditto.
3457
3458 2013-07-29  Chris Curtis  <chris_curtis@apple.com>
3459
3460         Eager stack trace for error objects.
3461         https://bugs.webkit.org/show_bug.cgi?id=118918
3462
3463         Reviewed by Geoffrey Garen.
3464         
3465         Chrome and Firefox give error objects the stack property and we wanted to match
3466         that functionality. This allows developers to see the stack without throwing an object.
3467
3468         * runtime/ErrorInstance.cpp:
3469         (JSC::ErrorInstance::finishCreation):
3470         For error objects that are not thrown as an exception, we pass the stackTrace in
3471         as a parameter. This allows the error object to have the stack property.
3472         
3473         * interpreter/Interpreter.cpp:
3474         (JSC::stackTraceAsString):
3475         Helper function used to eliminate duplicate code.
3476
3477         (JSC::Interpreter::addStackTraceIfNecessary):
3478         When an error object is created by the user, the vm->exceptionStack is not set.
3479         If the user throws this error object later the stack that is in the error object 
3480         may not be the correct stack for the throw, so when we set the vm->exception stack,
3481         the stack property on the error object is set as well.
3482         
3483         * runtime/ErrorConstructor.cpp:
3484         (JSC::constructWithErrorConstructor):
3485         (JSC::callErrorConstructor):
3486         * runtime/NativeErrorConstructor.cpp:
3487         (JSC::constructWithNativeErrorConstructor):
3488         (JSC::callNativeErrorConstructor):
3489         These functions indicate that the user created an error object. For all error objects 
3490         that the user explicitly creates, the topCallFrame is at a new frame created to 
3491         handle the user's call. In this case though, the error object needs the caller's 
3492         frame to create the stack trace correctly.
3493         
3494         * interpreter/Interpreter.h:
3495         * runtime/ErrorInstance.h:
3496         (JSC::ErrorInstance::create):
3497
3498 2013-07-29  Gavin Barraclough  <barraclough@apple.com>
3499
3500         Some cleanup in PropertySlot
3501         https://bugs.webkit.org/show_bug.cgi?id=119189
3502
3503         Reviewed by Geoff Garen.
3504
3505         PropertySlot represents a property in one of four states - value, getter, custom, or custom-index.
3506         The state is currently tracked redundantly by two mechanisms - the custom getter function (m_getValue)
3507         is set to a special value to indicate the type (other than custom), and the type is also tracked by
3508         an enum - but only if cacheable. Cacheability can typically be determined by the value of m_offset
3509         (this is invalidOffset if not cacheable).
3510
3511             * Internally, always track the type of the property using an enum value, PropertyType.
3512             * Use m_offset to indicate cacheable.
3513             * Keep the external interface (CachedPropertyType) unchanged.
3514             * Better pack data into the m_data union.
3515
3516         Performance neutral.
3517
3518         * dfg/DFGRepatch.cpp:
3519         (JSC::DFG::tryCacheGetByID):
3520         (JSC::DFG::tryBuildGetByIDList):
3521             - cachedPropertyType() -> isCacheable*()
3522         * jit/JITPropertyAccess.cpp:
3523         (JSC::JIT::privateCompileGetByIdProto):
3524         (JSC::JIT::privateCompileGetByIdSelfList):
3525         (JSC::JIT::privateCompileGetByIdProtoList):
3526         (JSC::JIT::privateCompileGetByIdChainList):
3527         (JSC::JIT::privateCompileGetByIdChain):
3528             - cachedPropertyType() -> isCacheable*()
3529         * jit/JITPropertyAccess32_64.cpp:
3530         (JSC::JIT::privateCompileGetByIdProto):
3531         (JSC::JIT::privateCompileGetByIdSelfList):
3532         (JSC::JIT::privateCompileGetByIdProtoList):
3533         (JSC::JIT::privateCompileGetByIdChainList):
3534         (JSC::JIT::privateCompileGetByIdChain):
3535             - cachedPropertyType() -> isCacheable*()
3536         * jit/JITStubs.cpp:
3537         (JSC::tryCacheGetByID):
3538             - cachedPropertyType() -> isCacheable*()
3539         * llint/LLIntSlowPaths.cpp:
3540         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3541             - cachedPropertyType() -> isCacheable*()
3542         * runtime/PropertySlot.cpp:
3543         (JSC::PropertySlot::functionGetter):
3544             - refactoring described above.
3545         * runtime/PropertySlot.h:
3546         (JSC::PropertySlot::PropertySlot):
3547         (JSC::PropertySlot::getValue):
3548         (JSC::PropertySlot::isCacheable):
3549         (JSC::PropertySlot::isCacheableValue):
3550         (JSC::PropertySlot::isCacheableGetter):
3551         (JSC::PropertySlot::isCacheableCustom):
3552         (JSC::PropertySlot::cachedOffset):
3553         (JSC::PropertySlot::customGetter):
3554         (JSC::PropertySlot::setValue):
3555         (JSC::PropertySlot::setCustom):
3556         (JSC::PropertySlot::setCacheableCustom):
3557         (JSC::PropertySlot::setCustomIndex):
3558         (JSC::PropertySlot::setGetterSlot):
3559         (JSC::PropertySlot::setCacheableGetterSlot):
3560         (JSC::PropertySlot::setUndefined):
3561         (JSC::PropertySlot::slotBase):
3562         (JSC::PropertySlot::setBase):
3563             - refactoring described above.
3564
3565 2013-07-28  Oliver Hunt  <oliver@apple.com>
3566
3567         REGRESSION: Crash when opening Facebook.com
3568         https://bugs.webkit.org/show_bug.cgi?id=119155
3569
3570         Reviewed by Andreas Kling.
3571
3572         Scope nodes are always objects, so we should be using SpecObjectOther
3573         rather than SpecCellOther.  Marking Scopes as CellOther leads to a
3574         contradiction in the CFA, resulting in bogus codegen.
3575
3576         * dfg/DFGAbstractInterpreterInlines.h:
3577         (JSC::DFG::::executeEffects):
3578         * dfg/DFGPredictionPropagationPhase.cpp:
3579         (JSC::DFG::PredictionPropagationPhase::propagate):
3580
3581 2013-07-26  Oliver Hunt  <oliver@apple.com>
3582
3583         REGRESSION(FTL?): Crashes in plugin tests
3584         https://bugs.webkit.org/show_bug.cgi?id=119141
3585
3586         Reviewed by Michael Saboff.
3587
3588         Re-export getStackTrace
3589
3590         * interpreter/Interpreter.h:
3591
3592 2013-07-26  Filip Pizlo  <fpizlo@apple.com>
3593
3594         REGRESSION: Crash when opening a message on Gmail
3595         https://bugs.webkit.org/show_bug.cgi?id=119105
3596
3597         Reviewed by Oliver Hunt and Mark Hahnenberg.
3598         
3599         - GetById patching in the DFG needs to be more disciplined about how it derives the
3600           slow path.
3601         
3602         - Fix some dumping code thread safety issues.
3603
3604         * bytecode/CallLinkStatus.cpp:
3605         (JSC::CallLinkStatus::dump):
3606         * bytecode/CodeBlock.cpp:
3607         (JSC::CodeBlock::dumpBytecode):
3608         * dfg/DFGRepatch.cpp:
3609         (JSC::DFG::getPolymorphicStructureList):
3610         (JSC::DFG::tryBuildGetByIDList):
3611
3612 2013-07-26  Balazs Kilvady  <kilvadyb@homejinni.com>
3613
3614         [mips] Fix LLINT build for mips backend
3615         https://bugs.webkit.org/show_bug.cgi?id=119152
3616
3617         Reviewed by Oliver Hunt.
3618
3619         * offlineasm/mips.rb:
3620
3621 2013-07-19  Mark Hahnenberg  <mhahnenberg@apple.com>
3622
3623         Setting a large numeric property on an object causes it to allocate a huge backing store
3624         https://bugs.webkit.org/show_bug.cgi?id=118914
3625
3626         Reviewed by Geoffrey Garen.
3627
3628         There are two distinct actions that we're trying to optimize for:
3629
3630         new Array(100000);
3631
3632         and:
3633
3634         a = [];
3635         a[100000] = 42;
3636         
3637         In the first case, the programmer has indicated that they expect this Array to be very big, 
3638         so they should get a contiguous array up until some threshold, above which we perform density 
3639         calculations to see if it is indeed dense enough to warrant being contiguous.
3640         
3641         In the second case, the programmer hasn't indicated anything about the size of the Array, so 
3642         we should be more conservative and assume it should be sparse until we've proven otherwise.
3643         
3644         Currently both of those cases are handled by MIN_SPARSE_ARRAY_INDEX. We should distinguish 
3645         between them for the purposes of not over-allocating large backing stores like we see on 
3646         http://www.peekanalytics.com/burgerjoints/
3647         
3648         The way that we'll do this is to keep the MIN_SPARSE_ARRAY_INDEX for the first case, and 
3649         introduce a new heuristic for the second case. If we are putting to an index above a certain 
3650         threshold (say, 1000) and it is beyond the length of the array, then we will use a sparse 
3651         map instead. So for example, in the second case above the empty array has a blank indexing 
3652         type and a length of 0. We put-by-val to an index > 1000 and > a.length, so we'll use a sparse map.
3653
3654         This fix is a ~800x speedup on the accompanying regression test :-o
3655
3656         * runtime/ArrayConventions.h:
3657         (JSC::indexIsSufficientlyBeyondLengthForSparseMap):
3658         * runtime/JSObject.cpp:
3659         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
3660         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
3661         (JSC::JSObject::putByIndexBeyondVectorLength):
3662         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
3663
3664 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
3665
3666         REGRESSION(FTL): Fix lots of crashes in sh4 baseline JIT.
3667         https://bugs.webkit.org/show_bug.cgi?id=119148
3668
3669         Reviewed by Csaba Osztrogonác.
3670
3671         * jit/JSInterfaceJIT.h: "secondArgumentRegister" is wrong for sh4.
3672         * llint/LowLevelInterpreter32_64.asm: "move t0, a0" is missing
3673         in nativeCallTrampoline for sh4. Reuse MIPS implementation to avoid
3674         code duplication.
3675
3676 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
3677
3678         REGRESSION(FTL): Crash in sh4 baseline JIT.
3679         https://bugs.webkit.org/show_bug.cgi?id=119138
3680
3681         Reviewed by Csaba Osztrogonác.
3682
3683         This crash is due to an incomplete report of r150146 and r148474.
3684
3685         * jit/JITStubsSH4.h:
3686
3687 2013-07-26  Zan Dobersek  <zdobersek@igalia.com>
3688
3689         Unreviewed.
3690
3691         * Target.pri: Adding missing DFG files to the Qt build.
3692
3693 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3694
3695         GTK and Qt buildfix after the intrusive win buildfix r153360.
3696
3697         * GNUmakefile.list.am:
3698         * Target.pri:
3699
3700 2013-07-25  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
3701
3702         Unreviewed, fix build break after r153360.
3703
3704         * CMakeLists.txt: Add CommonSlowPathsExceptions.cpp.
3705
3706 2013-07-25  Roger Fong  <roger_fong@apple.com>
3707
3708         Unreviewed build fix, AppleWin port.
3709
3710         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3711         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3712         * JavaScriptCore.vcxproj/copy-files.cmd:
3713
3714 2013-07-25  Roger Fong  <roger_fong@apple.com>
3715
3716         Unreviewed. Followup to r153360.
3717
3718         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3719         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3720
3721 2013-07-25  Michael Saboff  <msaboff@apple.com>
3722
3723         [Windows] Speculative build fix.
3724
3725         Moved interpreterThrowInCaller() out of LLintExceptions.cpp into new CommonSlowPathsExceptions.cpp
3726         that is always compiled.  Made LLInt::returnToThrow() conditional on LLINT being enabled.
3727
3728         * JavaScriptCore.xcodeproj/project.pbxproj:
3729         * llint/LLIntExceptions.cpp:
3730         * llint/LLIntExceptions.h:
3731         * llint/LLIntSlowPaths.cpp:
3732         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3733         * runtime/CommonSlowPaths.cpp:
3734         (JSC::SLOW_PATH_DECL):
3735         * runtime/CommonSlowPathsExceptions.cpp: Added.
3736         (JSC::CommonSlowPaths::interpreterThrowInCaller):
3737         * runtime/CommonSlowPathsExceptions.h: Added.
3738
3739 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
3740
3741         [Windows] Unreviewed build fix.
3742
3743         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing IntendedStructureChange.h,.cpp and
3744         parser/SourceCode.h,.cpp.
3745         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
3746
3747 2013-07-25  Anders Carlsson  <andersca@apple.com>
3748
3749         ASSERT(m_vm->apiLock().currentThreadIsHoldingLock()); fails for Safari on current ToT
3750         https://bugs.webkit.org/show_bug.cgi?id=119108
3751
3752         Reviewed by Mark Hahnenberg.
3753
3754         Add a currentThreadIsHoldingAPILock() function to VM that checks if the current thread is the exclusive API thread.
3755
3756         * heap/CopiedSpace.cpp:
3757         (JSC::CopiedSpace::tryAllocateSlowCase):
3758         * heap/Heap.cpp:
3759         (JSC::Heap::protect):
3760         (JSC::Heap::unprotect):
3761         (JSC::Heap::collect):
3762         * heap/MarkedAllocator.cpp:
3763         (JSC::MarkedAllocator::allocateSlowCase):
3764         * runtime/JSGlobalObject.cpp:
3765         (JSC::JSGlobalObject::init):
3766         * runtime/VM.h:
3767         (JSC::VM::currentThreadIsHoldingAPILock):
3768
3769 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3770
3771         REGRESSION(FTL): Most layout tests crash
3772         https://bugs.webkit.org/show_bug.cgi?id=119089
3773
3774         Reviewed by Oliver Hunt.
3775
3776         * runtime/ExecutionHarness.h:
3777         (JSC::prepareForExecution): Move the prepareForExecutionImpl call into its own statement. This prevents the GCC-compiled
3778         code from creating the PassOwnPtr<JSC::JITCode> (intended as a parameter to the installOptimizedCode call) from the jitCode
3779         RefPtr<JSC::JITCode> parameter before the latter was actually given a proper value through the prepareForExecutionImpl call.
3780         Currently it's created beforehand and therefore holds a null pointer before it's anchored as the JIT code in
3781         JSC::CodeBlock::setJITCode, which later indirectly causes assertions in JSC::CodeBlock::jitCompile.
3782         (JSC::prepareFunctionForExecution): Ditto for prepareFunctionForExecutionImpl.
3783
3784 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
3785
3786         [Windows] Unreviewed build fix.
3787
3788         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Add missing 'ftl'
3789         include path.
3790
3791 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
3792
3793         [Windows] Unreviewed build fix.
3794
3795         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add some missing files:
3796         runtime/VM.h,.cpp; Remove deleted JSGlobalData.h,.cpp.
3797         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
3798
3799 2013-07-25  Oliver Hunt  <oliver@apple.com>
3800
3801         Make all jit & non-jit combos build cleanly
3802         https://bugs.webkit.org/show_bug.cgi?id=119102
3803
3804         Reviewed by Anders Carlsson.
3805
3806         * bytecode/CodeBlock.cpp:
3807         (JSC::CodeBlock::counterValueForOptimizeSoon):
3808         * bytecode/CodeBlock.h:
3809         (JSC::CodeBlock::optimizeAfterWarmUp):
3810         (JSC::CodeBlock::numberOfDFGCompiles):
3811
3812 2013-07-25  Oliver Hunt  <oliver@apple.com>
3813
3814         32 bit portion of load validation logic
3815         https://bugs.webkit.org/show_bug.cgi?id=118878
3816
3817         Reviewed by NOBODY (Build fix).
3818
3819         * dfg/DFGSpeculativeJIT32_64.cpp:
3820         (JSC::DFG::SpeculativeJIT::compile):
3821
3822 2013-07-25  Oliver Hunt  <oliver@apple.com>
3823
3824         More 32bit build fixes
3825
3826         - Apparently some compilers don't track the fastcall directive everywhere we expect
3827
3828         * API/APICallbackFunction.h:
3829         (JSC::APICallbackFunction::call):
3830         * bytecode/CodeBlock.cpp:
3831         * runtime/Structure.cpp:
3832
3833 2013-07-25  Yi Shen  <max.hong.shen@gmail.com>
3834
3835         Optimize the thread locks for API Shims
3836         https://bugs.webkit.org/show_bug.cgi?id=118573
3837
3838         Reviewed by Geoffrey Garen.
3839
3840         Remove the thread lock from API Shims if the VM has an exclusive thread (e.g. the VM 
3841         only used by WebCore's main thread).
3842
3843         * API/APIShims.h:
3844         (JSC::APIEntryShim::APIEntryShim):
3845         (JSC::APICallbackShim::APICallbackShim):
3846         * runtime/JSLock.cpp:
3847         (JSC::JSLockHolder::JSLockHolder):
3848         (JSC::JSLockHolder::init):
3849         (JSC::JSLockHolder::~JSLockHolder):
3850         (JSC::JSLock::DropAllLocks::DropAllLocks):
3851         (JSC::JSLock::DropAllLocks::~DropAllLocks):
3852         * runtime/VM.cpp:
3853         (JSC::VM::VM):
3854         * runtime/VM.h:
3855
3856 2013-07-25  Christophe Dumez  <ch.dumez@sisa.samsung.com>
3857
3858         Unreviewed build fix after r153218.
3859
3860         Broke the EFL port build with gcc 4.7.
3861
3862         * interpreter/StackIterator.cpp:
3863         (JSC::printif):
3864
3865 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
3866
3867         Build fix: add missing #include.
3868         https://bugs.webkit.org/show_bug.cgi?id=119087
3869
3870         Reviewed by Allan Sandfeld Jensen.
3871
3872         * bytecode/ArrayProfile.cpp:
3873
3874 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
3875
3876         Unreviewed, build fix on the EFL port.
3877
3878         * CMakeLists.txt: Added JSCTestRunnerUtils.cpp.
3879
3880 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
3881
3882         [sh4] Add missing store8(TrustedImm32, void*) implementation in baseline JIT.
3883         https://bugs.webkit.org/show_bug.cgi?id=119083
3884
3885         Reviewed by Allan Sandfeld Jensen.
3886
3887         * assembler/MacroAssemblerSH4.h:
3888         (JSC::MacroAssemblerSH4::store8):
3889
3890 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
3891
3892         [Qt] Fix test build after FTL upstream
3893
3894         Unreviewed build fix.
3895
3896         * Target.pri:
3897
3898 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
3899
3900         [Qt] Build fix after FTL.
3901
3902         Unreviewed build fix.
3903
3904         * Target.pri:
3905         * interpreter/StackIterator.cpp:
3906         (JSC::StackIterator::Frame::print):
3907
3908 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
3909
3910         Unreviewed build fix after FTL upstream.
3911
3912         * dfg/DFGWorklist.cpp:
3913         (JSC::DFG::Worklist::~Worklist):
3914
3915 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
3916
3917         Unreviewed, build fix on the EFL port.
3918
3919         * CMakeLists.txt:
3920         Added SourceCode.cpp and removed BlackBerry file.
3921         * jit/JITCode.h:
3922         (JSC::JITCode::nextTierJIT):
3923         Fixed build break because of -Werror=return-type
3924         * parser/Lexer.cpp: Includes JSFunctionInlines.h
3925         * runtime/JSScope.h:
3926         (JSC::makeType):
3927         Fixed build break because of -Werror=return-type
3928
3929 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
3930
3931         Unreviewed build fixing after FTL upstream.
3932
3933         * runtime/Executable.cpp:
3934         (JSC::FunctionExecutable::produceCodeBlockFor):
3935
3936 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
3937
3938         Add missing implementation of bxxxnz in sh4 LLINT.
3939         https://bugs.webkit.org/show_bug.cgi?id=119079
3940
3941         Reviewed by Allan Sandfeld Jensen.
3942
3943         * offlineasm/sh4.rb:
3944
3945 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
3946
3947         Unreviewed, build fix on the Qt port.
3948
3949         * Target.pri: Add additional build files for the FTL.
3950
3951 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
3952
3953         Unreviewed buildfix after FTL upstream.
3954
3955         * interpreter/StackIterator.cpp:
3956         (JSC::StackIterator::Frame::codeType):
3957         (JSC::StackIterator::Frame::functionName):
3958         (JSC::StackIterator::Frame::sourceURL):
3959         (JSC::StackIterator::Frame::logicalFrame):
3960
3961 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3962
3963         Unreviewed.
3964
3965         * heap/CopyVisitor.cpp: Include CopiedSpaceInlines header so the CopiedSpace::recycleEvacuatedBlock
3966         method is not left undefined, causing build failures on (at least) the GTK port.
3967
3968 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3969
3970         Unreviewed, further build fixing on the GTK port.