[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2011-09-23  Filip Pizlo  <fpizlo@apple.com>

        wtf/BitVector.h has a variety of bugs which manifest when the
        vector grows beyond 63 bits
        https://bugs.webkit.org/show_bug.cgi?id=68746

        Reviewed by Oliver Hunt.

        Out-of-lined slow path code in BitVector so that not every user
        of CodeBlock ends up having to compile it. Fixed a variety of
        index computation and size computation bugs.

        I have not seen these issues manifest themselves, but they are
        blocking a patch that uses BitVector more aggressively.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/BitVector.cpp: Added.
        (BitVector::BitVector):
        (BitVector::operator=):
        (BitVector::resize):
        (BitVector::clearAll):
        (BitVector::OutOfLineBits::create):
        (BitVector::OutOfLineBits::destroy):
        (BitVector::resizeOutOfLine):
        * wtf/BitVector.h:
        (WTF::BitVector::ensureSize):
        (WTF::BitVector::get):
        (WTF::BitVector::set):
        (WTF::BitVector::clear):
        (WTF::BitVector::byteCount):
        (WTF::BitVector::OutOfLineBits::numWords):
        (WTF::BitVector::OutOfLineBits::bits):
        (WTF::BitVector::outOfLineBits):
        * wtf/CMakeLists.txt:
        * wtf/wtf.pri:

2011-09-23  Adam Klein  <adamk@chromium.org>

        Add ENABLE_MUTATION_OBSERVERS feature flag
        https://bugs.webkit.org/show_bug.cgi?id=68732

        Reviewed by Ojan Vafai.

        This flag will guard an implementation of the "Mutation Observers" proposed in
        http://lists.w3.org/Archives/Public/public-webapps/2011JulSep/1622.html

        * Configurations/FeatureDefines.xcconfig:

2011-09-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        De-virtualize JSCell::getJSNumber
        https://bugs.webkit.org/show_bug.cgi?id=68651

        Reviewed by Oliver Hunt.

        Added a new JSType to check whether or not something is a
        NumberObject (which includes NumberPrototype) in TypeInfo::isNumberObject because there's not
        currently a better way to determine whether something is indeed a NumberObject.
        Also de-virtualized JSCell::getJSNumber, having it check the TypeInfo
        for whether the object is a NumberObject or not.  This patch is part of
        the larger process of de-virtualizing JSCell.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/JSCell.cpp:
        (JSC::JSCell::getJSNumber):
        * runtime/JSCell.h:
        (JSC::JSValue::getJSNumber):
        * runtime/JSType.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::isNumberObject):
        * runtime/JSValue.h:
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::getJSNumber):
        * runtime/NumberObject.h:
        (JSC::NumberObject::createStructure):
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::createStructure):

2011-09-23  Filip Pizlo  <fpizlo@apple.com>

        Resolve opcodes should have value profiling.
        https://bugs.webkit.org/show_bug.cgi?id=68723

        Reviewed by Oliver Hunt.

        This adds value profiling to all forms of op_resolve in the
        old JIT, and patches that information into the DFG along with
        performing the appropriate type propagation.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predict):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::resolveGlobalDataIndex):
        (JSC::DFG::Node::hasPrediction):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_resolve):
        (JSC::JIT::emit_op_resolve_base):
        (JSC::JIT::emit_op_resolve_skip):
        (JSC::JIT::emit_op_resolve_global):
        (JSC::JIT::emitSlow_op_resolve_global):
        (JSC::JIT::emit_op_resolve_with_base):
        (JSC::JIT::emit_op_resolve_with_this):
        (JSC::JIT::emitSlow_op_resolve_global_dynamic):
        * jit/JITStubCall.h:
        (JSC::JITStubCall::callWithValueProfiling):

2011-09-23  Oliver Hunt  <oliver@apple.com>

        Fix windows build.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-09-23  Gavin Barraclough  <barraclough@apple.com>

        Strict mode does not work in non-trivial nested functions.
        https://bugs.webkit.org/show_bug.cgi?id=68740

        Reviewed by Oliver Hunt.

        Function-info caching does not preserve all state that it should.

        * parser/JSParser.cpp:
        (JSC::JSParser::Scope::saveFunctionInfo):
        (JSC::JSParser::Scope::restoreFunctionInfo):
        (JSC::JSParser::parseFunctionInfo):
        * parser/SourceProviderCacheItem.h:

2011-09-23  Filip Pizlo  <fpizlo@apple.com>

        ValueToDouble handling in prediction propagation should be ASSERT_NOT_REACHED
        https://bugs.webkit.org/show_bug.cgi?id=68724

        Reviewed by Oliver Hunt.

        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):

2011-09-23  Oliver Hunt  <oliver@apple.com>

        Build fix.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-09-23  Filip Pizlo  <fpizlo@apple.com>

        DFG implementation of PutScopedVar corrupts register allocation
        https://bugs.webkit.org/show_bug.cgi?id=68735

        Reviewed by Oliver Hunt.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-23  Oliver Hunt  <oliver@apple.com>

        Make write barriers actually do something when enabled
        https://bugs.webkit.org/show_bug.cgi?id=68717

        Reviewed by Geoffrey Garen.

        Add a basic card marking style write barrier to JSC (currently
        turned off).  This requires two scratch registers in the JIT
        so there was some register re-arranging to satisfy that requirement.
        Happily this produced a minor perf bump in sunspider (~0.5%).

        Turning the barriers on causes an overall regression of around 1.5%.

        * JavaScriptCore.exp:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::store8):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::movb_i8m):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::isKnownNotCell):
        (JSC::DFG::JITCodeGenerator::writeBarrier):
        (JSC::DFG::JITCodeGenerator::markCellCard):
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCachePutByID):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * heap/CardSet.h: Added.
        (JSC::CardSet::CardSet):
        (JSC::::cardForAtom):
        (JSC::::cardMarkedForAtom):
        (JSC::::markCardForAtom):
        * heap/Heap.cpp:
        * heap/Heap.h:
        (JSC::Heap::addressOfCardFor):
        (JSC::Heap::writeBarrierFastCase):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::setDirtyObject):
        (JSC::MarkedBlock::addressOfCardFor):
        (JSC::MarkedBlock::offsetOfCards):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::emit_op_put_scoped_var):
        (JSC::JIT::emit_op_put_global_var):
        (JSC::JIT::emitWriteBarrier):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::emit_op_put_scoped_var):
        (JSC::JIT::emit_op_put_global_var):

2011-09-23  Thouraya ANDOLSI  <thouraya.andolsi@st.com>

        https://bugs.webkit.org/show_bug.cgi?id=68077
        SH4 assembler doesn't refer to executable memory handle.

        Reviewed by Gavin Barraclough.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branch8):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::executableCopy):

2011-09-23  Oliver Hunt  <oliver@apple.com>

        PutScopedVar nodes should report that they have a var number
        https://bugs.webkit.org/show_bug.cgi?id=68721

        Reviewed by Anders Carlsson.

        Another assertion fix.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasVarNumber):

2011-09-23  Oliver Hunt  <oliver@apple.com>

        Add a bunch of unhandled node types to the propagator
        https://bugs.webkit.org/show_bug.cgi?id=68716

        Reviewed by Darin Adler.

        Remove the ASSERT_NOT_REACHED() default for debug builds in the
        prediction propagator, this way unhandled nodes will just cause
        compile time failures rather than failing at some point in the
        future.

        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):

2011-09-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add static version of JSCell::visitChildren
        https://bugs.webkit.org/show_bug.cgi?id=68404

        Reviewed by Darin Adler.

        In this patch we just extract the bodies of the virtual visitChildren methods
        throughout the JSCell inheritance hierarchy out into static methods, which are
        now called from the virtual methods.  This is an intermediate step in trying to
        move the virtual-ness of visitChildren into our own custom vtable stored in
        ClassInfo.  We need to convert the methods to static methods in order to be
        able to more easily store and refer to them in our custom vtable since normal
        member methods store some implicit information in their types, making it
        impossible to store them generically in ClassInfo.

        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::visitChildrenVirtual):
        (JSC::JSCallbackObject::visitChildren):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::visitChildrenVirtual):
        (JSC::DebuggerActivation::visitChildren):
        * debugger/DebuggerActivation.h:
        * heap/MarkStack.cpp:
        (JSC::SlotVisitor::visitChildren):
        (JSC::SlotVisitor::drain):
        * runtime/Arguments.cpp:
        (JSC::Arguments::visitChildrenVirtual):
        (JSC::Arguments::visitChildren):
        * runtime/Arguments.h:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::visitChildrenVirtual):
        (JSC::EvalExecutable::visitChildren):
        (JSC::ProgramExecutable::visitChildrenVirtual):
        (JSC::ProgramExecutable::visitChildren):
        (JSC::FunctionExecutable::visitChildrenVirtual):
        (JSC::FunctionExecutable::visitChildren):
        * runtime/Executable.h:
        * runtime/GetterSetter.cpp:
        (JSC::GetterSetter::visitChildrenVirtual):
        (JSC::GetterSetter::visitChildren):
        * runtime/GetterSetter.h:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::visitChildrenVirtual):
        (JSC::JSActivation::visitChildren):
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::visitChildrenVirtual):
        (JSC::JSArray::visitChildren):
        * runtime/JSArray.h:
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::visitChildrenVirtual):
        (JSC::JSBoundFunction::visitChildren):
        * runtime/JSBoundFunction.h:
        * runtime/JSCell.h:
        (JSC::JSCell::visitChildrenVirtual):
        (JSC::JSCell::visitChildren):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::visitChildrenVirtual):
        (JSC::JSFunction::visitChildren):
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::visitChildrenVirtual):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitChildrenVirtual):
        (JSC::JSObject::visitChildren):
        * runtime/JSObject.h:
        (JSC::JSObject::visitChildrenDirect):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::visitChildrenVirtual):
        (JSC::JSPropertyNameIterator::visitChildren):
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSStaticScopeObject.cpp:
        (JSC::JSStaticScopeObject::visitChildrenVirtual):
        (JSC::JSStaticScopeObject::visitChildren):
        * runtime/JSStaticScopeObject.h:
        * runtime/JSWrapperObject.cpp:
        (JSC::JSWrapperObject::visitChildrenVirtual):
        (JSC::JSWrapperObject::visitChildren):
        * runtime/JSWrapperObject.h:
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::visitChildrenVirtual):
        (JSC::NativeErrorConstructor::visitChildren):
        * runtime/NativeErrorConstructor.h:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::visitChildrenVirtual):
        (JSC::RegExpObject::visitChildren):
        * runtime/RegExpObject.h:
        * runtime/ScopeChain.cpp:
        (JSC::ScopeChainNode::visitChildrenVirtual):
        (JSC::ScopeChainNode::visitChildren):
        * runtime/ScopeChain.h:
        * runtime/Structure.cpp:
        (JSC::Structure::visitChildrenVirtual):
        (JSC::Structure::visitChildren):
        * runtime/Structure.h:
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::visitChildrenVirtual):
        (JSC::StructureChain::visitChildren):
        * runtime/StructureChain.h:

2011-09-23  Oliver Hunt  <oliver@apple.com>

        Node propagation doesn't handle PutScopedVar
        https://bugs.webkit.org/show_bug.cgi?id=68713

        Reviewed by Sam Weinig.

        This was causing assertion failures.

        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):

2011-09-23  Anders Carlsson  <andersca@apple.com>

        Make sure to define OVERRIDE and FINAL for older builds of clang.

        * wtf/Compiler.h:

2011-09-23  Gavin Barraclough  <barraclough@apple.com>

        Implement op_resolve_global in the DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=68704

        Reviewed by Oliver Hunt.

        This is performance neutral, but increases coverage.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::resolveInfoIndex):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-23  Mark Rowe  <mrowe@apple.com>

        Define BUILDING_ON_LION / TARGETING_LION when appropriate in Platform.h.

        * wtf/Platform.h:

2011-09-22  Anders Carlsson  <andersca@apple.com>

        We should add support for OVERRIDE and FINAL annotations
        https://bugs.webkit.org/show_bug.cgi?id=68654

        Reviewed by David Hyatt.

        Add OVERRIDE and FINAL macros for compilers that support them.

        * wtf/Compiler.h:

2011-09-22  Filip Pizlo  <fpizlo@apple.com>

        GetScopedVar should have value profiling
        https://bugs.webkit.org/show_bug.cgi?id=68676

        Reviewed by Oliver Hunt.

        Added GetScopedVar value profiling and prediction propagation.
        Added GetScopeChain to CSE.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predict):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasPrediction):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::getScopeChainLoadElimination):
        (JSC::DFG::Propagator::performNodeCSE):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_scoped_var):

2011-09-22  Filip Pizlo  <fpizlo@apple.com>

        PPC build fix, part 3.

        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::compileForConstructInternal):

2011-09-22  Filip Pizlo  <fpizlo@apple.com>

        Another PPC build fix.

        * runtime/Executable.cpp:
        * runtime/Executable.h:

2011-09-22  Dean Jackson  <dino@apple.com>

        Add ENABLE_CSS_FILTERS
        https://bugs.webkit.org/show_bug.cgi?id=68652

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2011-09-22  Gavin Barraclough  <barraclough@apple.com>

        Incorrect this value passed to callbacks.
        https://bugs.webkit.org/show_bug.cgi?id=68668

        Reviewed by Oliver Hunt.

        From Array/String prototype function.  Should be undefined, but
        global object is passed instead (this is visible for strict callbacks).

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSort):
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncMap):
        (JSC::arrayProtoFuncEvery):
        (JSC::arrayProtoFuncForEach):
        (JSC::arrayProtoFuncSome):
        * runtime/JSArray.cpp:
        (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key):
        (JSC::JSArray::sort):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncReplace):

2011-09-22  Gavin Barraclough  <barraclough@apple.com>

        Function.prototype.bind.length should be 1.

        Rubber stamped by Oliver Hunt.

        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):

2011-09-22  Filip Pizlo  <fpizlo@apple.com>

        PPC build fix.

        * bytecode/CodeBlock.h:

2011-09-22  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix pt. 2

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-09-22  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix pt. 1

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-09-21  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not support to_primitive or strcat
        https://bugs.webkit.org/show_bug.cgi?id=68582

        Reviewed by Darin Adler.

        This adds functional support for to_primitive and strcat. It focuses
        on minimizing the amount of code emitted on to_primitive (if we know
        that it is a primitive or can speculate cheaply, then we omit the
        slow path) and on keeping the implementation of strcat simple while
        leveraging whatever optimizations we have already. In particular,
        unlike the Call and Construct nodes which require extending the size
        of the DFG's callee registers, StrCat takes advantage of the fact
        that no JS code can run while StrCat is in progress and uses a
        scratch buffer, rather than the register file, to store the list of
        values to concatenate. This was done mainly to keep the code simple,
        but there are probably other benefits to keeping call frame sizes
        down. Essentially, this patch ensures that the presence of an
        op_strcat does not mess up any other optimizations we might do while
        ensuring that if you do execute it, it'll work about as well as you'd
        expect.

        When combined with the previous patch for integer division, this is a
        14% speed-up on Kraken. Without it, it would have been a 2% loss.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::callOperation):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGNode.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSC::JSGlobalData::scratchBufferForSize):

2011-09-22  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT should support integer division
        https://bugs.webkit.org/show_bug.cgi?id=68597

        Reviewed by Darin Adler.

        This adds support for ArithDiv speculating integer, and speculating
        that the result is integer (i.e. remainder = 0).

        This is a 4% win on Kraken and a 1% loss on V8.

        * bytecode/CodeBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasArithNodeFlags):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateArithNodeFlags):
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_div):

2011-09-22  Oliver Hunt  <oliver@apple.com>

        Implement put_scoped_var in the DFG jit
        https://bugs.webkit.org/show_bug.cgi?id=68653

        Reviewed by Gavin Barraclough.

        Naive implementation of put_scoped_var.  Same story as the
        get_scoped_var implementation, although I've hoisted scope
        object acquisition into a separate dfg node.  Ideally in the
        future we would reuse the resolved scope chain object, but
        for now we don't.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasScopeChainDepth):
        (JSC::DFG::Node::scopeChainDepth):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-22  Gavin Barraclough  <barraclough@apple.com>

        Implement Function.prototype.bind
        https://bugs.webkit.org/show_bug.cgi?id=26382

        Reviewed by Sam Weinig.

        This patch provides a basic functional implementation
        for Function.bind. It should (hopefully!) be fully
        functionally correct, and the bound functions can be
        called to quickly (since they are a subclass of
        JSFunction, not InternalFunction), but we'll probably
        want to follow up with some optimization work to keep
        bound calls in JIT code.

        * JavaScriptCore.JSVALUE32_64only.exp:
        * JavaScriptCore.JSVALUE64only.exp:
        * JavaScriptCore.exp:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/JITStubs.cpp:
        (JSC::JITThunks::hostFunctionStub):
        * jit/JITStubs.h:
        * jsc.cpp:
        (GlobalObject::addFunction):
        * runtime/CommonIdentifiers.h:
        * runtime/ConstructData.h:
        * runtime/Executable.h:
        (JSC::NativeExecutable::NativeExecutable):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        (JSC::functionProtoFuncBind):
        * runtime/FunctionPrototype.h:
        * runtime/JSBoundFunction.cpp: Added.
        (JSC::boundFunctionCall):
        (JSC::boundFunctionConstruct):
        (JSC::JSBoundFunction::create):
        (JSC::JSBoundFunction::hasInstance):
        (JSC::JSBoundFunction::getOwnPropertySlot):
        (JSC::JSBoundFunction::getOwnPropertyDescriptor):
        (JSC::JSBoundFunction::JSBoundFunction):
        (JSC::JSBoundFunction::finishCreation):
        * runtime/JSBoundFunction.h: Added.
        (JSC::JSBoundFunction::targetFunction):
        (JSC::JSBoundFunction::boundThis):
        (JSC::JSBoundFunction::boundArgs):
        (JSC::JSBoundFunction::createStructure):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::create):
        (JSC::JSFunction::finishCreation):
        (JSC::createDescriptorForThrowingProperty):
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSFunction.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::getHostFunction):
        * runtime/JSGlobalData.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::boundFunctionStructure):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):

2011-09-22  Oliver Hunt  <oliver@apple.com>

        Implement get_scoped_var in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=68640

        Reviewed by Gavin Barraclough.

        Naive implementation of get_scoped_var in the DFG.  Essentially this
        is the bare minimum required to get correct behaviour, so there's no
        load/store coalescing or type profiling involved, even though these
        would be wins.  No impact on SunSpider or V8.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasVarNumber):
        (JSC::DFG::Node::hasScopeChainDepth):
        (JSC::DFG::Node::scopeChainDepth):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-22  Adam Roben  <aroben@apple.com>

        Remove FindSafari from all our .sln files

        It isn't used anymore, so there's no point in building it.

        Part of <http://webkit.org/b/68628> Remove FindSafari

        Reviewed by Steve Falkenburg.

        * JavaScriptCore.vcproj/JavaScriptCore.sln:

2011-09-22  Filip Pizlo  <fpizlo@apple.com>

        32-bit call code clobbers the function cell tag
        https://bugs.webkit.org/show_bug.cgi?id=68606

        Reviewed by Csaba Osztrogonác.

        This is a minimalistic fix: it simply emits code to restore the
        cell tag on the slow path, if we know that we failed due to
        emitCallIfNotType.

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCallVarargsSlowCase):
        (JSC::JIT::compileOpCallSlowCase):

2011-09-21  Gavin Barraclough  <barraclough@apple.com>

        Add missing addPtr->add32 mapping for X86.

        Rubber stamped by Sam Weinig.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::addPtr):

2011-09-21  Gavin Barraclough  <barraclough@apple.com>

        Add missing addDouble for AbsoluteAddress to X86

        Rubber stamped by Geoff Garen.

        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::addDouble):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::addsd_mr):
        (JSC::X86Assembler::cvtsi2sd_rr):
        (JSC::X86Assembler::cvtsi2sd_mr):

2011-09-21  Gavin Barraclough  <barraclough@apple.com>

        Build fix following fix for bug #68586.

        * jit/JIT.cpp:
        * jit/JITInlineMethods.h:

2011-09-21  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT should be able to compile op_throw
        https://bugs.webkit.org/show_bug.cgi?id=68571

        Reviewed by Geoffrey Garen.

        This compiles op_throw in the simplest way possible: it's an OSR
        point back to the old JIT. This is a good step towards increasing
        coverage, particularly on Kraken, but it's neutral because the
        same functions that do throw also use some other unsupported
        opcodes.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-21  Filip Pizlo  <fpizlo@apple.com>

        DFG should support continuous optimization
        https://bugs.webkit.org/show_bug.cgi?id=68329

        Reviewed by Geoffrey Garen.

        This adds the ability to reoptimize a code block if speculation
        failures happen frequently. 6% speed-up on Kraken, 1% slow-down
        on V8, neutral on SunSpider.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::ProgramCodeBlock::jettison):
        (JSC::EvalCodeBlock::jettison):
        (JSC::FunctionCodeBlock::jettison):
        (JSC::CodeBlock::shouldOptimizeNow):
        (JSC::CodeBlock::dumpValueProfiles):
        * bytecode/CodeBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getStrongPrediction):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileBody):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::noticeOSREntry):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSREntry.h:
        (JSC::DFG::getOSREntryDataBytecodeIndex):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::ConservativeRoots):
        (JSC::ConservativeRoots::~ConservativeRoots):
        (JSC::DummyMarkHook::mark):
        (JSC::ConservativeRoots::genericAddPointer):
        (JSC::ConservativeRoots::genericAddSpan):
        (JSC::ConservativeRoots::add):
        * heap/ConservativeRoots.h:
        * heap/Heap.cpp:
        (JSC::Heap::addJettisonCodeBlock):
        (JSC::Heap::markRoots):
        * heap/Heap.h:
        * heap/JettisonedCodeBlocks.cpp: Added.
        (JSC::JettisonedCodeBlocks::JettisonedCodeBlocks):
        (JSC::JettisonedCodeBlocks::~JettisonedCodeBlocks):
        (JSC::JettisonedCodeBlocks::addCodeBlock):
842         (JSC::JettisonedCodeBlocks::clearMarks):
843         (JSC::JettisonedCodeBlocks::deleteUnmarkedCodeBlocks):
844         (JSC::JettisonedCodeBlocks::traceCodeBlocks):
845         * heap/JettisonedCodeBlocks.h: Added.
846         (JSC::JettisonedCodeBlocks::mark):
847         * interpreter/RegisterFile.cpp:
848         (JSC::RegisterFile::gatherConservativeRoots):
849         * interpreter/RegisterFile.h:
850         * jit/JITStubs.cpp:
851         (JSC::DEFINE_STUB_FUNCTION):
852         * runtime/Executable.cpp:
853         (JSC::jettisonCodeBlock):
854         (JSC::EvalExecutable::jettisonOptimizedCode):
855         (JSC::ProgramExecutable::jettisonOptimizedCode):
856         (JSC::FunctionExecutable::jettisonOptimizedCodeForCall):
857         (JSC::FunctionExecutable::jettisonOptimizedCodeForConstruct):
858         * runtime/Executable.h:
859         (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
860         * wtf/BitVector.h: Added.
861         (WTF::BitVector::BitVector):
862         (WTF::BitVector::~BitVector):
863         (WTF::BitVector::operator=):
864         (WTF::BitVector::size):
865         (WTF::BitVector::ensureSize):
866         (WTF::BitVector::resize):
867         (WTF::BitVector::clearAll):
868         (WTF::BitVector::get):
869         (WTF::BitVector::set):
870         (WTF::BitVector::clear):
871         (WTF::BitVector::bitsInPointer):
872         (WTF::BitVector::maxInlineBits):
873         (WTF::BitVector::byteCount):
874         (WTF::BitVector::makeInlineBits):
875         (WTF::BitVector::OutOfLineBits::numBits):
876         (WTF::BitVector::OutOfLineBits::numWords):
877         (WTF::BitVector::OutOfLineBits::bits):
878         (WTF::BitVector::OutOfLineBits::create):
879         (WTF::BitVector::OutOfLineBits::destroy):
880         (WTF::BitVector::OutOfLineBits::OutOfLineBits):
881         (WTF::BitVector::isInline):
882         (WTF::BitVector::outOfLineBits):
883         (WTF::BitVector::resizeOutOfLine):
884         (WTF::BitVector::bits):
885
886 2011-09-21  Gavin Barraclough  <barraclough@apple.com>
887
888         Add X86 GPRInfo for DFG JIT.
889         https://bugs.webkit.org/show_bug.cgi?id=68586
890
891         Reviewed by Geoff Garen.
892
893         * dfg/DFGGPRInfo.h:
894         (JSC::DFG::GPRInfo::toRegister):
895         (JSC::DFG::GPRInfo::toIndex):
896         (JSC::DFG::GPRInfo::debugName):
897
898 2011-09-21  Gavin Barraclough  <barraclough@apple.com>
899
900         Should support value profiling on CPU(X86)
901         https://bugs.webkit.org/show_bug.cgi?id=68575
902
903         Reviewed by Sam Weinig.
904
905         Fix verbose profiling in ToT (SlowCaseProfile had been
906         partially renamed to RareCaseProfile), add in-memory
907         bucket counter for CPU(X86), move JIT::m_canBeOptimized
908         out of the DFG_JIT ifdef.
909
910         * bytecode/CodeBlock.cpp:
911         (JSC::CodeBlock::resetRareCaseProfiles):
912         (JSC::CodeBlock::dumpValueProfiles):
913         * bytecode/CodeBlock.h:
914         * dfg/DFGByteCodeParser.cpp:
915         (JSC::DFG::ByteCodeParser::makeSafe):
916         * jit/JIT.cpp:
917         (JSC::JIT::privateCompileSlowCases):
918         (JSC::JIT::privateCompile):
919         * jit/JIT.h:
920         * jit/JITInlineMethods.h:
921         (JSC::JIT::emitValueProfilingSite):
922
923 2011-09-21  Filip Pizlo  <fpizlo@apple.com>
924
925         DFG does not support compiling functions as constructors
926         https://bugs.webkit.org/show_bug.cgi?id=68500
927
928         Reviewed by Oliver Hunt.
929         
930         This adds support for compiling constructors to the DFG. It's a
931         1% speed-up on V8, mostly due to a 6% speed-up on early-boyer.
932         It's also a 13% win on access-binary-trees, but it's neutral in
933         the SunSpider and Kraken averages.
934
935         * dfg/DFGByteCodeParser.cpp:
936         (JSC::DFG::ByteCodeParser::parseBlock):
937         * dfg/DFGCapabilities.h:
938         (JSC::DFG::mightCompileFunctionForConstruct):
939         (JSC::DFG::canCompileOpcode):
940         * dfg/DFGNode.h:
941         * dfg/DFGOperations.cpp:
942         * dfg/DFGOperations.h:
943         * dfg/DFGPropagator.cpp:
944         (JSC::DFG::Propagator::propagateNodePredictions):
945         (JSC::DFG::Propagator::performNodeCSE):
946         * dfg/DFGSpeculativeJIT.cpp:
947         (JSC::DFG::SpeculativeJIT::compile):
948         * runtime/Executable.cpp:
949         (JSC::FunctionExecutable::compileOptimizedForConstruct):
950         (JSC::FunctionExecutable::compileForConstructInternal):
951         * runtime/Executable.h:
952         (JSC::FunctionExecutable::compileForConstruct):
953         (JSC::FunctionExecutable::compileFor):
954         (JSC::FunctionExecutable::compileOptimizedFor):
955
956 2011-09-21  Gavin Barraclough  <barraclough@apple.com>
957
958         Replace jsFunctionVPtr compares with a type check on the Structure.
959         https://bugs.webkit.org/show_bug.cgi?id=68557
960
961         Reviewed by Oliver Hunt.
962
963         This will permit calls to still optimize to subclasses of JSFunction
964         that have the correct type (but a different C++ vptr).
965
966         This patch stops passing the globalData into numerous functions.
967
968         * dfg/DFGByteCodeParser.cpp:
969         (JSC::DFG::ByteCodeParser::parseBlock):
970         * dfg/DFGGraph.h:
971         (JSC::DFG::Graph::isFunctionConstant):
972         (JSC::DFG::Graph::valueOfFunctionConstant):
973         * dfg/DFGJITCompiler.h:
974         (JSC::DFG::JITCompiler::isFunctionConstant):
975         (JSC::DFG::JITCompiler::valueOfFunctionConstant):
976         * dfg/DFGOperations.cpp:
977         * interpreter/Interpreter.cpp:
978         (JSC::Interpreter::privateExecute):
979         * jit/JIT.h:
980         * jit/JITCall.cpp:
981         (JSC::JIT::compileOpCallVarargs):
982         (JSC::JIT::compileOpCallSlowCase):
983         * jit/JITCall32_64.cpp:
984         (JSC::JIT::compileOpCallVarargs):
985         (JSC::JIT::compileOpCallSlowCase):
986         * jit/JITInlineMethods.h:
987         (JSC::JIT::emitJumpIfNotType):
988         * jit/JITStubs.cpp:
989         (JSC::DEFINE_STUB_FUNCTION):
990         * runtime/Executable.h:
991         (JSC::isHostFunction):
992         * runtime/JSFunction.h:
993         (JSC::JSFunction::createStructure):
994         * runtime/JSObject.cpp:
995         (JSC::JSObject::put):
996         (JSC::JSObject::putWithAttributes):
997         * runtime/JSObject.h:
998         (JSC::getJSFunction):
999         (JSC::JSObject::putDirect):
1000         (JSC::JSObject::putDirectWithoutTransition):
1001         * runtime/JSType.h:
1002
1003 2011-09-21  Geoffrey Garen  <ggaren@apple.com>
1004
1005         Removed WTFTHREADDATA_MULTITHREADED, making it always true
1006         https://bugs.webkit.org/show_bug.cgi?id=68549
1007
1008         Reviewed by Darin Adler.
1009         
1010         Another part of making threads exist in WebKit.
1011
1012         * wtf/WTFThreadData.cpp:
1013         * wtf/WTFThreadData.h:
1014         (WTF::wtfThreadData):
1015
1016 2011-09-21  Dan Bernstein  <mitz@apple.com>
1017
1018         JavaScriptCore Part of: Prevent the WebKit frameworks from defining inappropriately-named Objective-C classes
1019         https://bugs.webkit.org/show_bug.cgi?id=68451
1020
1021         Reviewed by Darin Adler.
1022
1023         * JavaScriptCore.xcodeproj/project.pbxproj: Added a script build phase that invokes
1024         check-for-inappropriate-objc-class-names, allowing only class names prefixed with "JS".
1025
1026 2011-09-20  Gavin Barraclough  <barraclough@apple.com>
1027
1028         MacroAssembler fixes.
1029         https://bugs.webkit.org/show_bug.cgi?id=68494
1030
1031         Reviewed by Sam Weinig.
1032
1033         Add X86-64's 3 operand or32 to other MacroAssembler, fix load32's [const] void* mismatch
1034
1035         * assembler/MacroAssembler.h:
1036         (JSC::MacroAssembler::orPtr):
1037         (JSC::MacroAssembler::loadPtr):
1038         * assembler/MacroAssemblerARM.h:
1039         (JSC::MacroAssemblerARM::or32):
1040         * assembler/MacroAssemblerARMv7.h:
1041         (JSC::MacroAssemblerARMv7::or32):
1042         * assembler/MacroAssemblerMIPS.h:
1043         (JSC::MacroAssemblerMIPS::or32):
1044         * assembler/MacroAssemblerSH4.h:
1045         (JSC::MacroAssemblerSH4::or32):
1046         (JSC::MacroAssemblerSH4::load32):
1047         * assembler/MacroAssemblerX86.h:
1048         (JSC::MacroAssemblerX86::load32):
1049         * assembler/MacroAssemblerX86_64.h:
1050         (JSC::MacroAssemblerX86_64::load32):
1051
1052 2011-09-20  Geoffrey Garen  <ggaren@apple.com>
1053
1054         Some Heap cleanup.
1055
1056         Reviewed by Beth Dakin.
1057
1058         * heap/MarkedBlock.cpp:
1059         (JSC::MarkedBlock::blessNewBlock): Removed blessNewBlockForSlowPath()
1060         because it was unused; renamed blessNewBlockForFastPath() to blessNewBlock()
1061         since there is only one now.
1062
1063         * heap/MarkedBlock.h: Removed ownerSet-related stuff since it was unused.
1064         Updated mark bit overhead calculation. Deployed atomsPerBlock in one
1065         place where we were recalculating it.
1066
1067         * heap/MarkedSpace.cpp:
1068         (JSC::MarkedSpace::addBlock): Updated for rename.
1069
1070 2011-09-20  Filip Pizlo  <fpizlo@apple.com>
1071
1072         DFG JIT always speculates integer on modulo
1073         https://bugs.webkit.org/show_bug.cgi?id=68485
1074
1075         Reviewed by Oliver Hunt.
1076         
1077         Added support for double modulo, which is a call to fmod().
1078         Also added support for recording the old JIT's statistics
1079         on op_mod and propagating them along the graph. Finally,
1080         fixed a goof in the ArithNodeFlags propagation logic that
1081         was made obvious when I started testing ArithMod.
1082
1083         * dfg/DFGByteCodeParser.cpp:
1084         (JSC::DFG::ByteCodeParser::makeSafe):
1085         (JSC::DFG::ByteCodeParser::parseBlock):
1086         * dfg/DFGNode.h:
1087         (JSC::DFG::Node::hasArithNodeFlags):
1088         * dfg/DFGPropagator.cpp:
1089         (JSC::DFG::Propagator::propagateArithNodeFlags):
1090         (JSC::DFG::Propagator::propagateNodePredictions):
1091         (JSC::DFG::Propagator::fixupNode):
1092         * dfg/DFGSpeculativeJIT.cpp:
1093         (JSC::DFG::SpeculativeJIT::compile):
1094
1095 2011-09-20  ChangSeok Oh  <shivamidow@gmail.com>
1096
1097         [GTK] requestAnimationFrame support for gtk port
1098         https://bugs.webkit.org/show_bug.cgi?id=66280
1099
1100         Reviewed by Martin Robinson.
1101
1102         Let GTK port use REQUEST_ANIMATION_FRAME_TIMER.
1103
1104         * wtf/Platform.h:
1105
1106 2011-09-20  Filip Pizlo  <fpizlo@apple.com>
1107
1108         DFG JIT performs too many negative zero checks, and too many
1109         overflow checks
1110         https://bugs.webkit.org/show_bug.cgi?id=68430
1111
1112         Reviewed by Oliver Hunt.
1113         
1114         This adds comprehensive support for deciding how to perform an
1115         arithmetic operations based on a combination of overflow profiling,
1116         negative zero profiling, value profiling, and a static analysis of
1117         how the results of these operations get used.
1118         
1119         This is a 72% speed-up on stanford-crypto-sha256-iterative, and a
1120         2.5% speed-up on the Kraken average, a 1.4% speed-up on the V8
1121         geomean, and neutral on SunSpider. It's also an 8.5% speed-up on
1122         V8-crypto, because apparenty everything we do speeds up crypto.
1123
1124         * dfg/DFGByteCodeParser.cpp:
1125         (JSC::DFG::ByteCodeParser::toInt32):
1126         (JSC::DFG::ByteCodeParser::toNumber):
1127         (JSC::DFG::ByteCodeParser::isSmallInt32Constant):
1128         (JSC::DFG::ByteCodeParser::valueOfInt32Constant):
1129         (JSC::DFG::ByteCodeParser::weaklyPredictInt32):
1130         (JSC::DFG::ByteCodeParser::makeSafe):
1131         (JSC::DFG::ByteCodeParser::handleMinMax):
1132         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1133         (JSC::DFG::ByteCodeParser::parseBlock):
1134         (JSC::DFG::ByteCodeParser::processPhiStack):
1135         (JSC::DFG::ByteCodeParser::parse):
1136         * dfg/DFGGraph.cpp:
1137         (JSC::DFG::Graph::dump):
1138         * dfg/DFGJITCodeGenerator.cpp:
1139         (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
1140         * dfg/DFGNode.h:
1141         (JSC::DFG::nodeUsedAsNumber):
1142         (JSC::DFG::nodeCanTruncateInteger):
1143         (JSC::DFG::nodeCanIgnoreNegativeZero):
1144         (JSC::DFG::nodeCanSpeculateInteger):
1145         (JSC::DFG::arithNodeFlagsAsString):
1146         (JSC::DFG::Node::Node):
1147         (JSC::DFG::Node::hasArithNodeFlags):
1148         (JSC::DFG::Node::rawArithNodeFlags):
1149         (JSC::DFG::Node::arithNodeFlags):
1150         (JSC::DFG::Node::arithNodeFlagsForCompare):
1151         (JSC::DFG::Node::setArithNodeFlag):
1152         (JSC::DFG::Node::mergeArithNodeFlags):
1153         * dfg/DFGPropagator.cpp:
1154         (JSC::DFG::Propagator::fixpoint):
1155         (JSC::DFG::Propagator::isNotNegZero):
1156         (JSC::DFG::Propagator::isNotZero):
1157         (JSC::DFG::Propagator::propagateArithNodeFlags):
1158         (JSC::DFG::Propagator::propagateArithNodeFlagsForward):
1159         (JSC::DFG::Propagator::propagateArithNodeFlagsBackward):
1160         (JSC::DFG::Propagator::propagateNodePredictions):
1161         (JSC::DFG::Propagator::propagatePredictionsForward):
1162         (JSC::DFG::Propagator::propagatePredictionsBackward):
1163         (JSC::DFG::Propagator::toDouble):
1164         (JSC::DFG::Propagator::fixupNode):
1165         (JSC::DFG::Propagator::fixup):
1166         (JSC::DFG::Propagator::startIndexForChildren):
1167         (JSC::DFG::Propagator::endIndexForPureCSE):
1168         (JSC::DFG::Propagator::pureCSE):
1169         (JSC::DFG::Propagator::clobbersWorld):
1170         (JSC::DFG::Propagator::setReplacement):
1171         (JSC::DFG::Propagator::performNodeCSE):
1172         (JSC::DFG::Propagator::localCSE):
1173         * dfg/DFGSpeculativeJIT.cpp:
1174         (JSC::DFG::SpeculativeJIT::compile):
1175         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
1176
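The entry above describes the "how are the results used" analysis only in prose. The JavaScript below is a toy model added here as an illustration (not WebKit code): its node shapes, flag names and propagation rules are this example's own simplifications, and it shows why a result that only feeds `| 0` can drop both the negative-zero and the overflow check while one that feeds `1 /` or is returned must keep them.

```javascript
// Added illustration, not WebKit code. A toy of the "how is the result used"
// analysis described above: each arithmetic node learns from its consumers
// whether a negative zero or an int32 overflow could ever be observed, and
// the speculative evaluator drops exactly the checks the analysis allows.
// Node shapes, flag names and rules are this example's own simplifications.

const num = (value) => ({ op: "const", value });
const arg = (name) => ({ op: "arg", name });
const bin = (op) => (left, right) => ({ op, left, right });
const add = bin("add"), mul = bin("mul"), div = bin("div"), bitor = bin("bitor");

// A non-zero constant added to -0 gives the constant back, so the other
// operand's sign of zero is unobservable through that addition.
const isNotNegZeroConst = (n) => n.op === "const" && n.value !== 0;

// Backward pass. flags = { usedAsNumber, needsNegZero }:
//   usedAsNumber: a consumer could observe an out-of-int32-range result, so
//                 integer arithmetic must keep its overflow check.
//   needsNegZero: a consumer could tell -0 from +0, so that check stays too.
// Returns a Map from node to the flags merged over all of its consumers.
function analyze(node, flags, out = new Map()) {
  const prev = out.get(node) || { usedAsNumber: false, needsNegZero: false };
  const merged = {
    usedAsNumber: prev.usedAsNumber || flags.usedAsNumber,
    needsNegZero: prev.needsNegZero || flags.needsNegZero,
  };
  // A multiply of two int32s can exceed 2^53, where doubles round; truncating
  // early would change that rounding, so in this model a multiply and its
  // operands always keep the overflow check.
  if (node.op === "mul") merged.usedAsNumber = true;
  out.set(node, merged);
  switch (node.op) {
    case "bitor": // ToInt32 turns -0 into 0 and wraps overflow: nothing shows.
      analyze(node.left, { usedAsNumber: false, needsNegZero: false }, out);
      analyze(node.right, { usedAsNumber: false, needsNegZero: false }, out);
      break;
    case "add": { // -0 + -0 === -0, but -0 + c === c for non-zero constant c.
      const needs = merged.needsNegZero
        && !isNotNegZeroConst(node.left) && !isNotNegZeroConst(node.right);
      const child = { usedAsNumber: merged.usedAsNumber, needsNegZero: needs };
      analyze(node.left, child, out);
      analyze(node.right, child, out);
      break;
    }
    case "mul": // -0 * 5 === -0: the sign of zero flows straight through.
      analyze(node.left, { usedAsNumber: true, needsNegZero: merged.needsNegZero }, out);
      analyze(node.right, { usedAsNumber: true, needsNegZero: merged.needsNegZero }, out);
      break;
    case "div": // 1 / -0 === -Infinity and -0 / 1 === -0: everything shows.
      analyze(node.left, { usedAsNumber: true, needsNegZero: true }, out);
      analyze(node.right, { usedAsNumber: true, needsNegZero: true }, out);
      break;
    default: // const and arg are leaves
      break;
  }
  return out;
}

const isInt32 = (v) => v === (v | 0) && !Object.is(v, -0);

// Without `flags` this is plain JavaScript semantics (the reference). With
// the flags from analyze() it mimics a speculating JIT: an addition whose
// result is never used as a number wraps like int32 instead of checking for
// overflow, and a node that never needs -0 hands out +0 instead.
function evaluate(node, env, flags = null) {
  if (node.op === "const") return node.value;
  if (node.op === "arg") return env[node.name];
  const x = evaluate(node.left, env, flags);
  const y = evaluate(node.right, env, flags);
  if (node.op === "bitor") return x | y;
  let v = node.op === "add" ? x + y : node.op === "mul" ? x * y : x / y;
  const f = flags && flags.get(node);
  if (f && node.op === "add" && !f.usedAsNumber && isInt32(x) && isInt32(y)) {
    v = (x + y) | 0; // unchecked int32 add: wraps instead of going double
  }
  if (f && !f.needsNegZero && Object.is(v, -0)) v = 0; // -0 check elided
  return v;
}

// Runs both evaluators; a sound analysis never lets them disagree.
function compare(tree, env) {
  const flags = analyze(tree, { usedAsNumber: true, needsNegZero: true });
  const reference = evaluate(tree, env);
  const optimized = evaluate(tree, env, flags);
  return { reference, optimized, same: Object.is(reference, optimized), flags };
}
```

The multiply rule matters because `(a * b) | 0` with two large int32 operands is not the same as a 32-bit wrapping multiply: the double product rounds first, and `| 0` sees the rounded value.
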
2011-09-19  Oliver Hunt  <oliver@apple.com>

        Refactor Heap allocation logic into separate AllocationSpace class
        https://bugs.webkit.org/show_bug.cgi?id=68409

        Reviewed by Gavin Barraclough.

        This patch hoists direct manipulation of the MarkedSpace and related
        data out of Heap and into a separate class.  This will allow us to
        have multiple allocation spaces in future, so easing the way towards
        having GC'd backing stores for objects.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.gypi:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/Debugger.cpp:
        (JSC::Debugger::recompileAllJSFunctions):
        * heap/AllocationSpace.cpp: Added.
        (JSC::AllocationSpace::tryAllocate):
        (JSC::AllocationSpace::allocateSlowCase):
        (JSC::AllocationSpace::allocateBlock):
        (JSC::AllocationSpace::freeBlocks):
        (JSC::TakeIfEmpty::TakeIfEmpty):
        (JSC::TakeIfEmpty::operator()):
        (JSC::TakeIfEmpty::returnValue):
        (JSC::AllocationSpace::shrink):
        * heap/AllocationSpace.h: Added.
        (JSC::AllocationSpace::AllocationSpace):
        (JSC::AllocationSpace::blocks):
        (JSC::AllocationSpace::sizeClassFor):
        (JSC::AllocationSpace::setHighWaterMark):
        (JSC::AllocationSpace::highWaterMark):
        (JSC::AllocationSpace::canonicalizeBlocks):
        (JSC::AllocationSpace::resetAllocator):
        (JSC::AllocationSpace::forEachCell):
        (JSC::AllocationSpace::forEachBlock):
        (JSC::AllocationSpace::allocate):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::reportExtraMemoryCostSlowCase):
        (JSC::Heap::getConservativeRegisterRoots):
        (JSC::Heap::markRoots):
        (JSC::Heap::clearMarks):
        (JSC::Heap::sweep):
        (JSC::Heap::objectCount):
        (JSC::Heap::size):
        (JSC::Heap::capacity):
        (JSC::Heap::globalObjectCount):
        (JSC::Heap::objectTypeCounts):
        (JSC::Heap::collect):
        (JSC::Heap::canonicalizeBlocks):
        (JSC::Heap::resetAllocator):
        (JSC::Heap::freeBlocks):
        (JSC::Heap::shrink):
        * heap/Heap.h:
        (JSC::Heap::objectSpace):
        (JSC::Heap::sizeClassForObject):
        (JSC::Heap::allocate):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateBasicJSObject):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::recompileAllJSFunctions):
        (JSC::JSGlobalData::releaseExecutableMemory):

2011-09-19  Geoffrey Garen  <ggaren@apple.com>

        Removed BREWMP* platform #ifdefs
        https://bugs.webkit.org/show_bug.cgi?id=68425

        BREWMP* has no maintainer, and this is dead code.

        Reviewed by Darin Adler.

        * heap/MarkStack.h:
        (JSC::::shrinkAllocation):
        * jit/ExecutableAllocator.h:
        (JSC::ExecutableAllocator::cacheFlush):
        * runtime/TimeoutChecker.cpp:
        (JSC::getCPUTime):
        * wtf/Assertions.cpp:
        * wtf/Assertions.h:
        * wtf/CurrentTime.cpp:
        * wtf/DateMath.cpp:
        (WTF::calculateUTCOffset):
        * wtf/FastMalloc.cpp:
        (WTF::fastMalloc):
        (WTF::fastCalloc):
        (WTF::fastMallocSize):
        * wtf/FastMalloc.h:
        * wtf/MainThread.cpp:
        * wtf/MathExtras.h:
        * wtf/OwnPtrCommon.h:
        * wtf/Platform.h:
        * wtf/RandomNumber.cpp:
        (WTF::randomNumber):
        * wtf/RandomNumberSeed.h:
        (WTF::initializeRandomNumberGenerator):
        * wtf/text/WTFString.h:
        * wtf/unicode/Unicode.h:

2011-09-20  Adam Roben  <aroben@apple.com>

        Windows build fix after r95523

        * wtf/CheckedArithmetic.h: Added stdint.h so we can have int64_t defined.

2011-09-18  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not speculate aggressively enough on GetById
        https://bugs.webkit.org/show_bug.cgi?id=68320

        Reviewed by Oliver Hunt.

        This adds the ability to access properties directly, by offset.
        This optimization kicks in when at the time of DFG compilation,
        it appears that the given get_by_id is self-cached by the old JIT.
        Two new opcodes get introduced: CheckStructure and GetByOffset.
        CheckStructure performs a speculation check on the object's
        structure, and returns the storage pointer. GetByOffset performs
        a direct read of the field from the storage pointer. Both
        CheckStructure and GetByOffset can be CSE'd, so that we can
        eliminate redundant structure checks, and redundant reads of the
        same field.

        This is a 4% speed-up on V8, a 2% slow-down on Kraken, and
        neutral on SunSpider.

        * bytecode/PredictedType.cpp:
        (JSC::predictionFromClassInfo):
        (JSC::predictionFromStructure):
        (JSC::predictionFromCell):
        * bytecode/PredictedType.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::dataFormatToString):
        (JSC::DFG::needDataFormatConversion):
        (JSC::DFG::GenerationInfo::initStorage):
        (JSC::DFG::GenerationInfo::spill):
        (JSC::DFG::GenerationInfo::fillStorage):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predict):
        (JSC::DFG::Graph::getPrediction):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::fillInteger):
        (JSC::DFG::JITCodeGenerator::fillDouble):
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        (JSC::DFG::JITCodeGenerator::fillStorage):
        (JSC::DFG::GPRTemporary::GPRTemporary):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::silentSpillGPR):
        (JSC::DFG::JITCodeGenerator::silentFillGPR):
        (JSC::DFG::JITCodeGenerator::spill):
        (JSC::DFG::JITCodeGenerator::storageResult):
        (JSC::DFG::StorageOperand::StorageOperand):
        (JSC::DFG::StorageOperand::~StorageOperand):
        (JSC::DFG::StorageOperand::index):
        (JSC::DFG::StorageOperand::gpr):
        (JSC::DFG::StorageOperand::use):
        * dfg/DFGNode.h:
        (JSC::DFG::OpInfo::OpInfo):
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::hasPrediction):
        (JSC::DFG::Node::hasStructure):
        (JSC::DFG::Node::structure):
        (JSC::DFG::Node::hasStorageAccessData):
        (JSC::DFG::Node::storageAccessDataIndex):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNode):
        (JSC::DFG::Propagator::globalVarLoadElimination):
        (JSC::DFG::Propagator::getMethodLoadElimination):
        (JSC::DFG::Propagator::checkStructureLoadElimination):
        (JSC::DFG::Propagator::getByOffsetLoadElimination):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * wtf/StdLibExtras.h:
        (WTF::safeCast):

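As an added illustration of the self-cached get_by_id described in the entry above (not code from the WebKit change), here is a toy JavaScript model: `structureFor`, `makeObject` and `makeAccessSite` are this example's own stand-ins for the engine's structures, property storage and access sites, and `unsafeGetByOffset` shows what goes wrong when the structure check is skipped before the offset read.

```javascript
// Added illustration, not WebKit code. Toy model of a self-cached property
// access: an object is a shared "structure" (name -> slot offset) plus flat
// storage; an access site that has seen one structure remembers the offset
// and afterwards needs only a structure check (CheckStructure) followed by a
// direct read at that offset (GetByOffset). All names here are this
// example's own simplifications.

// Structures are shared, immutable layouts keyed by the ordered property names.
const structures = new Map();
function structureFor(names) {
  const key = names.join(",");
  if (!structures.has(key)) {
    const offsets = new Map(names.map((n, i) => [n, i]));
    structures.set(key, { id: structures.size + 1, offsets });
  }
  return structures.get(key);
}

// An object is a structure plus storage; the storage carries no names at all,
// so a slot is only meaningful relative to the structure.
function makeObject(props) {
  const names = Object.keys(props);
  return { structure: structureFor(names), storage: names.map((n) => props[n]) };
}

// The generic lookup: resolve the name through the structure on every access.
function getByIdSlow(obj, name) {
  const offset = obj.structure.offsets.get(name);
  return offset === undefined ? undefined : obj.storage[offset];
}

// One access site with a monomorphic self cache.
function makeAccessSite(name) {
  const site = { name, cachedStructure: null, cachedOffset: -1, hits: 0, misses: 0 };
  site.get = (obj) => {
    if (obj.structure === site.cachedStructure) { // CheckStructure
      site.hits++;
      return obj.storage[site.cachedOffset];      // GetByOffset
    }
    site.misses++;                                 // slow path, then (re)fill the cache
    const offset = obj.structure.offsets.get(name);
    if (offset !== undefined) {
      site.cachedStructure = obj.structure;
      site.cachedOffset = offset;
    }
    return offset === undefined ? undefined : obj.storage[offset];
  };
  return site;
}

// What a GetByOffset without its CheckStructure would do: read the cached
// slot regardless of layout, and so return a different property for an
// object whose structure puts something else at that offset.
function unsafeGetByOffset(obj, site) {
  return obj.storage[site.cachedOffset];
}
```
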
2011-09-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove toPrimitive from JSCell
        https://bugs.webkit.org/show_bug.cgi?id=67875

        Reviewed by Darin Adler.

        Part of the refactoring process to un-virtualize JSCell.  We move
        all of the implicit functionality provided by the virtual toPrimitive method
        in JSCell to be explicit in JSValue::toPrimitive and JSCell::toPrimitive while
        also de-virtualizing JSCell::toPrimitive.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/JSCell.cpp:
        (JSC::JSCell::toPrimitive):
        * runtime/JSCell.h:

        We replace JSNotAnObject::toPrimitive with defaultValue, which it overrides from
        JSObject.  This pushes the virtual method further down, enabling us to get rid
        of the virtual call in JSCell.  Eventually we'll probably have to deal with this
        again, but we'll cross that bridge when we come to it.
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::defaultValue):
        * runtime/JSNotAnObject.h:
        * runtime/JSObject.h:
        * runtime/JSString.h:

2011-09-19  Geoffrey Garen  <ggaren@apple.com>

        Removed ENABLE_LAZY_BLOCK_FREEING and related #ifdefs
        https://bugs.webkit.org/show_bug.cgi?id=68424

        As discussed on webkit-dev. All ports build with threads enabled in JSC now.

        This may break WinCE and other ports that have not built and tested with
        this configuration. I've filed bugs for port maintainers. It's time for
        WebKit to move forward.

        Reviewed by Mark Rowe.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::~Heap):
        (JSC::Heap::destroy):
        (JSC::Heap::blockFreeingThreadMain):
        (JSC::Heap::allocateBlock):
        (JSC::Heap::freeBlocks):
        (JSC::Heap::releaseFreeBlocks):
        * heap/Heap.h:
        * wtf/Platform.h:

2011-09-19  Geoffrey Garen  <ggaren@apple.com>

        Removed ENABLE_WTF_MULTIPLE_THREADS and related #ifdefs
        https://bugs.webkit.org/show_bug.cgi?id=68423

        As discussed on webkit-dev. All ports build with threads enabled in WTF now.

        This may break WinCE and other ports that have not built and tested with
        this configuration. I've filed bugs for port maintainers. It's time for
        WebKit to move forward.

        Reviewed by Mark Rowe.

        * wtf/CryptographicallyRandomNumber.cpp:
        (WTF::ARC4Stream::ARC4RandomNumberGenerator::randomNumber):
        (WTF::ARC4Stream::ARC4RandomNumberGenerator::randomValues):
        * wtf/FastMalloc.cpp:
        * wtf/Platform.h:
        * wtf/RandomNumber.cpp:
        (WTF::randomNumber):
        * wtf/RefCountedLeakCounter.cpp:
        (WTF::RefCountedLeakCounter::increment):
        (WTF::RefCountedLeakCounter::decrement):
        * wtf/ThreadingPthreads.cpp:
        (WTF::initializeThreading):
        * wtf/ThreadingWin.cpp:
        (WTF::initializeThreading):
        * wtf/dtoa.cpp:
        (WTF::pow5mult):
        * wtf/gtk/ThreadingGtk.cpp:
        (WTF::initializeThreading):
        * wtf/qt/ThreadingQt.cpp:
        (WTF::initializeThreading):

2011-09-19  Geoffrey Garen  <ggaren@apple.com>

        Removed ENABLE_JSC_MULTIPLE_THREADS and related #ifdefs.
        https://bugs.webkit.org/show_bug.cgi?id=68422

        As discussed on webkit-dev. All ports build with threads enabled in JSC now.

        This may break WinCE and other ports that have not built and tested with
        this configuration. I've filed bugs for port maintainers. It's time for
        WebKit to move forward.

        Reviewed by Sam Weinig.

        * API/APIShims.h:
        (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock):
        * API/JSContextRef.cpp:
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::gatherConservativeRoots):
        * heap/MachineStackMarker.h:
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        (JSC::initializeThreading):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::sharedInstance):
        * runtime/JSGlobalData.h:
        (JSC::JSGlobalData::makeUsableFromMultipleThreads):
        * runtime/JSLock.cpp:
        * runtime/Structure.cpp:
        * wtf/Platform.h:

2011-09-19  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r95493 and r95496.
        http://trac.webkit.org/changeset/95493
        http://trac.webkit.org/changeset/95496
        https://bugs.webkit.org/show_bug.cgi?id=68418

        Broke Windows build (Requested by rniwa on #webkit).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.gypi:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/Debugger.cpp:
        (JSC::Debugger::recompileAllJSFunctions):
        * heap/AllocationSpace.cpp: Removed.
        * heap/AllocationSpace.h: Removed.
        * heap/Heap.cpp:
        (JSC::CountFunctor::TakeIfEmpty::TakeIfEmpty):
        (JSC::CountFunctor::TakeIfEmpty::operator()):
        (JSC::CountFunctor::TakeIfEmpty::returnValue):
        (JSC::Heap::Heap):
        (JSC::Heap::reportExtraMemoryCostSlowCase):
        (JSC::Heap::tryAllocate):
        (JSC::Heap::allocateSlowCase):
        (JSC::Heap::getConservativeRegisterRoots):
        (JSC::Heap::markRoots):
        (JSC::Heap::clearMarks):
        (JSC::Heap::sweep):
        (JSC::Heap::objectCount):
        (JSC::Heap::size):
        (JSC::Heap::capacity):
        (JSC::Heap::globalObjectCount):
        (JSC::Heap::objectTypeCounts):
        (JSC::Heap::collect):
        (JSC::Heap::canonicalizeBlocks):
        (JSC::Heap::resetAllocator):
        (JSC::Heap::allocateBlock):
        (JSC::Heap::freeBlocks):
        (JSC::Heap::shrink):
        * heap/Heap.h:
        (JSC::Heap::markedSpace):
        (JSC::Heap::forEachCell):
        (JSC::Heap::forEachBlock):
        (JSC::Heap::sizeClassFor):
        (JSC::Heap::allocate):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateBasicJSObject):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::recompileAllJSFunctions):
        (JSC::JSGlobalData::releaseExecutableMemory):

2011-09-19  Gavin Barraclough  <barraclough@apple.com>

        Errrk, missed stylebot comments in last commit.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncSplit):

2011-09-19  Gavin Barraclough  <barraclough@apple.com>

        String#split is buggy
        https://bugs.webkit.org/show_bug.cgi?id=68348

        Reviewed by Sam Weinig.

        * runtime/StringPrototype.cpp:
        (JSC::jsStringWithReuse):
            - added helper function to reuse original JSString value.
        (JSC::stringProtoFuncSplit):
            - Rewritten from the spec.
        * tests/mozilla/ecma/String/15.5.4.8-2.js:
        (getTestCases):
            - This test is not ES5 compliant.

2011-09-19  Geoffrey Garen  <ggaren@apple.com>

        Removed lots of friend declarations from JSCell, so we can more
        effectively make use of private and protected.

        Reviewed by Sam Weinig.

        * runtime/JSCell.h: Removed MSVCBugWorkaround because it was a lot of
        confusion for not much safety.
        (JSC::JSCell::operator new): Made this public because it is used by a
        few clients, and not really dangerous.

        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::defineGetter):
        (JSC::JSObject::defineSetter):
        (JSC::JSObject::getPropertySpecificValue):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::seal):
        (JSC::JSObject::freeze):
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::removeDirect):
1584         (JSC::JSObject::createInheritorID):
1585         (JSC::JSObject::allocatePropertyStorage):
1586         (JSC::JSObject::getOwnPropertyDescriptor):
1587         * runtime/JSObject.h:
1588         (JSC::JSObject::getDirect):
1589         (JSC::JSObject::getDirectLocation):
1590         (JSC::JSObject::hasCustomProperties):
1591         (JSC::JSObject::hasGetterSetterProperties):
1592         (JSC::JSObject::isSealed):
1593         (JSC::JSObject::isFrozen):
1594         (JSC::JSObject::isExtensible):
1595         (JSC::JSObject::flattenDictionaryObject):
1596         (JSC::JSObject::finishCreation):
1597         (JSC::JSObject::prototype):
1598         (JSC::JSObject::setPrototype):
1599         (JSC::JSObject::inlineGetOwnPropertySlot):
1600         (JSC::JSCell::fastGetOwnProperty):
1601         (JSC::JSObject::putDirectInternal):
1602         (JSC::JSObject::putDirectWithoutTransition):
1603         (JSC::JSObject::transitionTo):
1604         (JSC::JSObject::visitChildrenDirect): Changed all use of m_structure to
1605         structure() / setStructure(), so we don't have to be a friend of JSCell.
1606
1607         * runtime/Structure.h:
1608         (JSC::JSCell::setStructure): Added, to avoid direct access by JSObject
1609         to JSCell::m_structure.
1610
1611 2011-09-19  Adam Barth  <abarth@webkit.org>
1612
1613         Always enable ENABLE(EVENTSOURCE)
1614         https://bugs.webkit.org/show_bug.cgi?id=68414
1615
1616         Reviewed by Eric Seidel.
1617
1618         * Configurations/FeatureDefines.xcconfig:
1619
1620 2011-09-19  Eli Fidler  <efidler@rim.com>
1621
1622         Enable JSC_MULTIPLE_THREADS for OS(QNX).
1623         https://bugs.webkit.org/show_bug.cgi?id=68047
1624
1625         Reviewed by Daniel Bates.
1626
1627         SA_RESTART was required for SIGUSR2-based debugging, but is not
1628         present on QNX. This debugging doesn't seem critical to
1629         JSC_MULTIPLE_THREADS, so allow it to proceed.
1630
1631         * heap/MachineStackMarker.cpp:
1632         (JSC::MachineThreads::Thread::Thread):
1633         (JSC::getPlatformThreadRegisters):
1634         (JSC::otherThreadStackPointer):
1635         (JSC::freePlatformThreadRegisters):
1636         * wtf/Platform.h: enable PTHREADS for OS(QNX)
1637
1638 2011-09-19  Oliver Hunt  <oliver@apple.com>
1639
1640         Windows build fix.
1641
1642         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1643
1644 2011-09-19  Oliver Hunt  <oliver@apple.com>
1645
1646         Refactor Heap allocation logic into separate AllocationSpace class
1647         https://bugs.webkit.org/show_bug.cgi?id=68409
1648
1649         Reviewed by Gavin Barraclough.
1650
1651         This patch hoists direct manipulation of the MarkedSpace and related
1652         data out of Heap and into a separate class.  This will allow us to
1653         have multiple allocation spaces in future, so easing the way towards
1654         having GC'd backing stores for objects.
1655
1656         * CMakeLists.txt:
1657         * GNUmakefile.list.am:
1658         * JavaScriptCore.exp:
1659         * JavaScriptCore.gypi:
1660         * JavaScriptCore.pro:
1661         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1662         * JavaScriptCore.xcodeproj/project.pbxproj:
1663         * debugger/Debugger.cpp:
1664         (JSC::Debugger::recompileAllJSFunctions):
1665         * heap/AllocationSpace.cpp: Added.
1666         (JSC::AllocationSpace::tryAllocate):
1667         (JSC::AllocationSpace::allocateSlowCase):
1668         (JSC::AllocationSpace::allocateBlock):
1669         (JSC::AllocationSpace::freeBlocks):
1670         (JSC::TakeIfEmpty::TakeIfEmpty):
1671         (JSC::TakeIfEmpty::operator()):
1672         (JSC::TakeIfEmpty::returnValue):
1673         (JSC::AllocationSpace::shrink):
1674         * heap/AllocationSpace.h: Added.
1675         (JSC::AllocationSpace::AllocationSpace):
1676         (JSC::AllocationSpace::blocks):
1677         (JSC::AllocationSpace::sizeClassFor):
1678         (JSC::AllocationSpace::setHighWaterMark):
1679         (JSC::AllocationSpace::highWaterMark):
1680         (JSC::AllocationSpace::canonicalizeBlocks):
1681         (JSC::AllocationSpace::resetAllocator):
1682         (JSC::AllocationSpace::forEachCell):
1683         (JSC::AllocationSpace::forEachBlock):
1684         (JSC::AllocationSpace::allocate):
1685         * heap/Heap.cpp:
1686         (JSC::Heap::Heap):
1687         (JSC::Heap::reportExtraMemoryCostSlowCase):
1688         (JSC::Heap::getConservativeRegisterRoots):
1689         (JSC::Heap::markRoots):
1690         (JSC::Heap::clearMarks):
1691         (JSC::Heap::sweep):
1692         (JSC::Heap::objectCount):
1693         (JSC::Heap::size):
1694         (JSC::Heap::capacity):
1695         (JSC::Heap::globalObjectCount):
1696         (JSC::Heap::objectTypeCounts):
1697         (JSC::Heap::collect):
1698         (JSC::Heap::canonicalizeBlocks):
1699         (JSC::Heap::resetAllocator):
1700         (JSC::Heap::freeBlocks):
1701         (JSC::Heap::shrink):
1702         * heap/Heap.h:
1703         (JSC::Heap::objectSpace):
1704         (JSC::Heap::sizeClassForObject):
1705         (JSC::Heap::allocate):
1706         * jit/JITInlineMethods.h:
1707         (JSC::JIT::emitAllocateBasicJSObject):
1708         * runtime/JSGlobalData.cpp:
1709         (JSC::JSGlobalData::recompileAllJSFunctions):
1710         (JSC::JSGlobalData::releaseExecutableMemory):
1711
1712 2011-09-19  Adam Roben  <aroben@apple.com>
1713
1714         Windows build fix after r95310
1715
1716         * JavaScriptCore.vcproj/testRegExp/testRegExpCommon.vsprops: Added
1717         include\private\JavaScriptCore to the include path so DFGIntrinsic.h can be found.
1718
1719 2011-09-19  Filip Pizlo  <fpizlo@apple.com>
1720
1721         DFG speculation failures should act as additional value profiles
1722         https://bugs.webkit.org/show_bug.cgi?id=68335
1723
1724         Reviewed by Oliver Hunt.
1725         
1726         This adds slow-case counters to the old JIT. It also ensures that
1727         negative zero in multiply is handled carefully. The old JIT
1728         previously took slow path if the result of a multiply was zero,
1729         which, without any changes, would cause the DFG to think that
1730         every such multiply produced a double result.
1731         
1732         This also fixes a bug in the old JIT's handling of decrements. It
1733         would take the slow path if the result was zero, but not if it
1734         underflowed.
1735         
1736         By itself, this would be a 1% slow-down on V8 and Kraken. But then
1737         I wrote optimizations in the DFG that take advantage of this new
1738         information. It's no longer the case that every multiply needs to
1739         do a check for negative zero; it only happens if the negative
1740         zero is ignored.
1741         
1742         This results in a 12% speed-up on v8-crypto, for a 1.4% geomean
1743         speed-up in V8. It's mostly neutral on Kraken. I can see an
1744         0.5% slow-down and it appears to be significant.
1745
1746         * bytecode/CodeBlock.cpp:
1747         (JSC::CodeBlock::resetRareCaseProfiles):
1748         (JSC::CodeBlock::dumpValueProfiles):
1749         * bytecode/CodeBlock.h:
1750         * bytecode/ValueProfile.h:
1751         (JSC::RareCaseProfile::RareCaseProfile):
1752         (JSC::getRareCaseProfileBytecodeOffset):
1753         * dfg/DFGByteCodeParser.cpp:
1754         (JSC::DFG::ByteCodeParser::toInt32):
1755         (JSC::DFG::ByteCodeParser::makeSafe):
1756         (JSC::DFG::ByteCodeParser::parseBlock):
1757         * dfg/DFGJITCodeGenerator.cpp:
1758         (JSC::DFG::GPRTemporary::GPRTemporary):
1759         * dfg/DFGJITCodeGenerator.h:
1760         * dfg/DFGNode.h:
1761         * dfg/DFGPropagator.cpp:
1762         (JSC::DFG::Propagator::propagateNode):
1763         (JSC::DFG::Propagator::fixupNode):
1764         (JSC::DFG::Propagator::clobbersWorld):
1765         (JSC::DFG::Propagator::performNodeCSE):
1766         * dfg/DFGSpeculativeJIT.cpp:
1767         (JSC::DFG::SpeculativeJIT::compile):
1768         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
1769         * jit/JIT.cpp:
1770         (JSC::JIT::privateCompileSlowCases):
1771         * jit/JIT.h:
1772         (JSC::JIT::linkDummySlowCase):
1773         * jit/JITArithmetic.cpp:
1774         (JSC::JIT::emit_op_post_dec):
1775         (JSC::JIT::emit_op_pre_dec):
1776         (JSC::JIT::compileBinaryArithOp):
1777         (JSC::JIT::emit_op_add):
1778         (JSC::JIT::emitSlow_op_add):
1779         * jit/JITInlineMethods.h:
1780         (JSC::JIT::addSlowCase):
1781
1782 2011-09-19  Adam Roben  <aroben@apple.com>
1783
1784         Windows build fix after r94575
1785
1786         * JavaScriptCore.vcproj/JavaScriptCore.sln: Relinearized project dependencies. testRegExp
1787         now builds just before FindSafari.
1788
1789 2011-09-19  Sheriff Bot  <webkit.review.bot@gmail.com>
1790
1791         Unreviewed, rolling out r95466.
1792         http://trac.webkit.org/changeset/95466
1793         https://bugs.webkit.org/show_bug.cgi?id=68389
1794
1795         Incorrect version of the patch. (Requested by mhahnenberg on
1796         #webkit).
1797
1798         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1799         * runtime/JSCell.cpp:
1800         (JSC::JSCell::toPrimitive):
1801         * runtime/JSCell.h:
1802         (JSC::JSCell::JSValue::toPrimitive):
1803         * runtime/JSNotAnObject.cpp:
1804         (JSC::JSNotAnObject::toPrimitive):
1805         * runtime/JSNotAnObject.h:
1806         * runtime/JSObject.h:
1807         * runtime/JSString.h:
1808
1809 2011-09-19  Mark Hahnenberg  <mhahnenberg@apple.com>
1810
1811         Remove toPrimitive from JSCell
1812         https://bugs.webkit.org/show_bug.cgi?id=67875
1813
1814         Reviewed by Geoffrey Garen.
1815
1816         Part of the refactoring process to un-virtualize JSCell.  We move
1817         all of the implicit functionality provided by the virtual toPrimitive method
1818         in JSCell to be explicit in JSValue::toPrimitive and JSCell::toPrimitive while
1819         also de-virtualizing JSCell::toPrimitive.
1820
1821         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1822         * runtime/JSCell.cpp:
1823         (JSC::JSCell::toPrimitive):
1824         * runtime/JSCell.h:
1825
1826         We replace JSNotAnObject::toPrimitive with defaultValue, which it overrides from 
1827         JSObject.  This pushes the virtual method further down, enabling us to get rid 
1828         of the virtual call in JSCell.  Eventually we'll probably have to deal with this
1829         again, but we'll cross that bridge when we come to it.
1830         * runtime/JSNotAnObject.cpp:
1831         (JSC::JSNotAnObject::defaultValue):
1832         * runtime/JSNotAnObject.h:
1833         * runtime/JSObject.h:
1834         * runtime/JSString.h:
1835         (JSC::JSValue::toPrimitive):
1836
1837 2011-09-19  Oliver Hunt  <oliver@apple.com>
1838
1839         Build fix.
1840
1841         * jit/JITPropertyAccess32_64.cpp:
1842         (JSC::JIT::compileGetDirectOffset):
1843
1844 2011-09-19  Oliver Hunt  <oliver@apple.com>
1845
1846         Rename NewSpace.{h,cpp} to MarkedSpace.{h,cpp}
1847         https://bugs.webkit.org/show_bug.cgi?id=68376
1848
1849         Reviewed by Gavin Barraclough.
1850
1851         Renamed the MarkedSpace files to match the new name, and
1852         updated the relevant references.
1853
1854         * CMakeLists.txt:
1855         * GNUmakefile.list.am:
1856         * JavaScriptCore.gypi:
1857         * JavaScriptCore.pro:
1858         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1859         * JavaScriptCore.xcodeproj/project.pbxproj:
1860         * heap/Heap.h:
1861         * heap/MarkedSpace.cpp: Renamed from Source/JavaScriptCore/heap/NewSpace.cpp.
1862         (JSC::MarkedSpace::MarkedSpace):
1863         (JSC::MarkedSpace::addBlock):
1864         (JSC::MarkedSpace::removeBlock):
1865         (JSC::MarkedSpace::resetAllocator):
1866         (JSC::MarkedSpace::canonicalizeBlocks):
1867         * heap/MarkedSpace.h: Renamed from Source/JavaScriptCore/heap/NewSpace.h.
1868         (JSC::MarkedSpace::waterMark):
1869         (JSC::MarkedSpace::highWaterMark):
1870         (JSC::MarkedSpace::setHighWaterMark):
1871         (JSC::MarkedSpace::sizeClassFor):
1872         (JSC::MarkedSpace::allocate):
1873         (JSC::MarkedSpace::forEachBlock):
1874         (JSC::MarkedSpace::SizeClass::SizeClass):
1875         (JSC::MarkedSpace::SizeClass::resetAllocator):
1876         (JSC::MarkedSpace::SizeClass::canonicalizeBlock):
1877         * runtime/JSCell.h:
1878
1879 2011-09-19  Oliver Hunt  <oliver@apple.com>
1880
1881         Rename NewSpace to MarkedSpace
1882         https://bugs.webkit.org/show_bug.cgi?id=68375
1883
1884         Reviewed by Gavin Barraclough.
1885
1886         Rename NewSpace to a more accurate name, and update all uses.
1887         This patch doesn't rename the files themselves as that will
1888         just make the patch appear bigger than it is.
1889
1890         * JavaScriptCore.exp:
1891         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1892         * heap/Heap.cpp:
1893         (JSC::CountFunctor::TakeIfEmpty::TakeIfEmpty):
1894         (JSC::CountFunctor::TakeIfEmpty::operator()):
1895         (JSC::Heap::Heap):
1896         (JSC::Heap::reportExtraMemoryCostSlowCase):
1897         (JSC::Heap::tryAllocate):
1898         (JSC::Heap::allocateSlowCase):
1899         (JSC::Heap::collect):
1900         (JSC::Heap::canonicalizeBlocks):
1901         (JSC::Heap::resetAllocator):
1902         (JSC::Heap::isValidAllocation):
1903         (JSC::Heap::shrink):
1904         * heap/Heap.h:
1905         (JSC::Heap::markedSpace):
1906         (JSC::Heap::sizeClassFor):
1907         (JSC::Heap::allocate):
1908         * heap/NewSpace.cpp:
1909         (JSC::MarkedSpace::MarkedSpace):
1910         (JSC::MarkedSpace::addBlock):
1911         (JSC::MarkedSpace::removeBlock):
1912         (JSC::MarkedSpace::resetAllocator):
1913         (JSC::MarkedSpace::canonicalizeBlocks):
1914         * heap/NewSpace.h:
1915         (JSC::MarkedSpace::waterMark):
1916         (JSC::MarkedSpace::highWaterMark):
1917         (JSC::MarkedSpace::setHighWaterMark):
1918         (JSC::MarkedSpace::sizeClassFor):
1919         (JSC::MarkedSpace::allocate):
1920         (JSC::MarkedSpace::forEachBlock):
1921         (JSC::MarkedSpace::SizeClass::SizeClass):
1922         (JSC::MarkedSpace::SizeClass::resetAllocator):
1923         (JSC::MarkedSpace::SizeClass::canonicalizeBlock):
1924         * jit/JITInlineMethods.h:
1925         (JSC::JIT::emitAllocateBasicJSObject):
1926
1927 2011-09-19  Peter Rybin  <peter.rybin@gmail.com>
1928
1929         TextPosition refactoring: Merge ZeroBasedNumber and OneBasedNumber classes
1930         https://bugs.webkit.org/show_bug.cgi?id=63541
1931
1932         Reviewed by Adam Barth.
1933
1934         * parser/SourceProvider.h:
1935         (JSC::SourceProvider::startPosition):
1936         * wtf/text/TextPosition.h:
1937         (WTF::OrdinalNumber::fromZeroBasedInt):
1938         (WTF::OrdinalNumber::fromOneBasedInt):
1939         (WTF::OrdinalNumber::OrdinalNumber):
1940         (WTF::OrdinalNumber::zeroBasedInt):
1941         (WTF::OrdinalNumber::oneBasedInt):
1942         (WTF::OrdinalNumber::operator==):
1943         (WTF::OrdinalNumber::operator!=):
1944         (WTF::OrdinalNumber::first):
1945         (WTF::OrdinalNumber::beforeFirst):
1946         (WTF::TextPosition::TextPosition):
1947         (WTF::TextPosition::minimumPosition):
1948         (WTF::TextPosition::belowRangePosition):
1949
1950 2011-09-19  Dan Bernstein  <mitz@apple.com>
1951
1952         JavaScriptCore part of [mac] WebKit contains Objective-C classes that are not prefixed with its standard prefixes
1953         https://bugs.webkit.org/show_bug.cgi?id=68323
1954
1955         Reviewed by Sam Weinig.
1956
1957         Renamed WTFMainThreadCaller to JSWTFMainThreadCaller.
1958
1959         * wtf/mac/MainThreadMac.mm:
1960         (WTF::initializeMainThreadPlatform):
1961         (WTF::initializeMainThreadToProcessMainThreadPlatform):
1962
1963 2011-09-19  Oliver Hunt  <oliver@apple.com>
1964
1965         Remove direct property slot pointers from the instruction stream
1966         https://bugs.webkit.org/show_bug.cgi?id=68373
1967
1968         Reviewed by Gavin Barraclough.
1969
1970         Use an indirect load to access prototype properties rather than directly
1971         storing the property address in the instruction stream.  This should allow
1972         further optimisations in future, and also provides a 0.5% win to sunspider.
1973
1974         * dfg/DFGRepatch.cpp:
1975         (JSC::DFG::generateProtoChainAccessStub):
1976         * jit/JITPropertyAccess.cpp:
1977         (JSC::JIT::compileGetDirectOffset):
1978         * jit/JITPropertyAccess32_64.cpp:
1979         (JSC::JIT::compileGetDirectOffset):
1980         * runtime/JSObject.h:
1981         (JSC::JSObject::addressOfPropertyStorage):
1982
1983 2011-09-19  Oliver Hunt  <oliver@apple.com>
1984
1985         Remove bump allocator
1986         https://bugs.webkit.org/show_bug.cgi?id=68370
1987
1988         Reviewed by Sam Weinig.
1989
1990         Can't do anything with this allocator currently, and it's
1991         increasing the complexity of the GC code.  Slight progression
1992         on SunSpider, slight regression (undoing the original progression)
1993         in V8.
1994
1995         * heap/Heap.cpp:
1996         (JSC::Heap::collect):
1997         * heap/Heap.h:
1998         * heap/NewSpace.cpp:
1999         (JSC::NewSpace::NewSpace):
2000         * heap/NewSpace.h:
2001         (JSC::NewSpace::allocate):
2002         * runtime/JSObject.cpp:
2003         (JSC::JSObject::allocatePropertyStorage):
2004         * runtime/JSObject.h:
2005         (JSC::JSObject::~JSObject):
2006         (JSC::JSObject::visitChildrenDirect):
2007         * runtime/StorageBarrier.h:
2008         (JSC::StorageBarrier::set):
2009
2010 2011-09-19  Carlos Garcia Campos  <cgarcia@igalia.com>
2011
2012         [GTK] Fix distcheck build
2013         https://bugs.webkit.org/show_bug.cgi?id=68346
2014
2015         Reviewed by Philippe Normand.
2016
2017         * GNUmakefile.list.am:
2018
2019 2011-09-19  Carlos Garcia Campos  <cgarcia@igalia.com>
2020
2021         [GTK] Fix distcheck build
2022         https://bugs.webkit.org/show_bug.cgi?id=68241
2023
2024         Reviewed by Martin Robinson.
2025
2026         * GNUmakefile.list.am:
2027
2028 2011-09-18  Dan Bernstein  <mitz@apple.com>
2029
2030         Removed ProfilerServer.
2031
2032         Reviewed by Mark Rowe.
2033
2034         * JavaScriptCore.gypi:
2035         * JavaScriptCore.xcodeproj/project.pbxproj:
2036         * profiler/ProfilerServer.h: Removed.
2037         * profiler/ProfilerServer.mm: Removed.
2038         * runtime/JSGlobalData.cpp:
2039         (JSC::JSGlobalData::JSGlobalData):
2040         * wscript:
2041
2042 2011-09-17  Filip Pizlo  <fpizlo@apple.com>
2043
2044         DFG JIT should inline Math.min, Math.max, and Math.sqrt
2045         https://bugs.webkit.org/show_bug.cgi?id=68318
2046
2047         Reviewed by Gavin Barraclough.
2048         
2049         Adds Math.min, Math.max, and Math.sqrt intrinsics. Adds support for
2050         a function to have an intrinsic but not a thunk generator. This is
2051         a 7% speed-up on access-nbody, and neutral elsewhere, mainly because
2052         we're still not DFG compiling the bulk of the hot code in Kraken audio
2053         benchmarks.
2054
2055         * create_hash_table:
2056         * dfg/DFGByteCodeParser.cpp:
2057         (JSC::DFG::ByteCodeParser::handleMinMax):
2058         (JSC::DFG::ByteCodeParser::handleIntrinsic):
2059         * dfg/DFGIntrinsic.h:
2060         * dfg/DFGNode.h:
2061         * dfg/DFGPropagator.cpp:
2062         (JSC::DFG::Propagator::propagateNode):
2063         (JSC::DFG::Propagator::fixupNode):
2064         * dfg/DFGSpeculativeJIT.cpp:
2065         (JSC::DFG::SpeculativeJIT::compile):
2066         * jit/JITStubs.cpp:
2067         (JSC::JITThunks::hostFunctionStub):
2068         * runtime/Lookup.cpp:
2069         (JSC::setUpStaticFunctionSlot):
2070
2071 2011-09-18  Nico Weber  <thakis@chromium.org>
2072
2073         Remove two files from JavaScriptCore.gypi that were removed in r95240
2074         https://bugs.webkit.org/show_bug.cgi?id=68327
2075
2076         Unreviewed, build warning fix.
2077
2078         * JavaScriptCore.gypi:
2079
2080 2011-09-17  Oliver Hunt  <oliver@apple.com>
2081
2082         Remove special case handling of inline storage from the JIT
2083         https://bugs.webkit.org/show_bug.cgi?id=68319
2084
2085         Reviewed by Gavin Barraclough.
2086
2087         Simplify logic used for reading and writing to property storage
2088         by removing the special cases for inline storage.  This has no
2089         perf impact.
2090
2091         * dfg/DFGRepatch.cpp:
2092         (JSC::DFG::generateProtoChainAccessStub):
2093         (JSC::DFG::tryBuildGetByIDList):
2094         * jit/JIT.h:
2095         * jit/JITPropertyAccess.cpp:
2096         (JSC::JIT::compilePutDirectOffset):
2097         (JSC::JIT::compileGetDirectOffset):
2098         (JSC::JIT::privateCompilePutByIdTransition):
2099         (JSC::JIT::privateCompileGetByIdSelfList):
2100         * jit/JITPropertyAccess32_64.cpp:
2101         (JSC::JIT::compilePutDirectOffset):
2102         (JSC::JIT::compileGetDirectOffset):
2103         (JSC::JIT::privateCompilePutByIdTransition):
2104         (JSC::JIT::privateCompileGetByIdSelfList):
2105
2106 2011-09-17  Filip Pizlo  <fpizlo@apple.com>
2107
2108         DFG JIT does not have full block-local CSE
2109         https://bugs.webkit.org/show_bug.cgi?id=68316
2110
2111         Reviewed by Oliver Hunt.
2112         
2113         This adds block-local CSE to the DFG. CSE runs in the propagator just after
2114         type propagation. It is part of the propagator itself because it needs to
2115         use the propagator's internal data structures to determine which operations
2116         may have side effects. Because it changes the live-ranges of nodes, the
2117         virtual register allocator had to be moved into the propagator so that it
2118         runs after CSE. To ensure that the back-end knows to keep the inputs to
2119         any eliminated node alive for OSR, a new node type, Phantom, was introduced.
2120         It is a no-op but prolongs the live-range of its inputs.
2121         
2122         This is an 80% speed-up on imaging-gaussian-blur, and a 10% speed-up on
2123         Kraken.
2124         
2125         * JavaScriptCore.xcodeproj/project.pbxproj:
2126         * dfg/DFGAliasTracker.h: Removed.
2127         * dfg/DFGByteCodeParser.cpp:
2128         (JSC::DFG::ByteCodeParser::parseBlock):
2129         (JSC::DFG::ByteCodeParser::parse):
2130         * dfg/DFGGraph.cpp:
2131         (JSC::DFG::Graph::dump):
2132         * dfg/DFGGraph.h:
2133         (JSC::DFG::MethodCheckData::operator==):
2134         (JSC::DFG::MethodCheckData::operator!=):
2135         * dfg/DFGNode.h:
2136         (JSC::DFG::Node::hasVirtualRegister):
2137         (JSC::DFG::Node::setRefCount):
2138         * dfg/DFGPropagator.cpp:
2139         (JSC::DFG::Propagator::Propagator):
2140         (JSC::DFG::Propagator::fixpoint):
2141         (JSC::DFG::Propagator::propagateNode):
2142         (JSC::DFG::Propagator::canonicalize):
2143         (JSC::DFG::Propagator::computeStartIndex):
2144         (JSC::DFG::Propagator::startIndex):
2145         (JSC::DFG::Propagator::pureCSE):
2146         (JSC::DFG::Propagator::globalVarLoadElimination):
2147         (JSC::DFG::Propagator::getByValLoadElimination):
2148         (JSC::DFG::Propagator::getMethodLoadElimination):
2149         (JSC::DFG::Propagator::performSubstitution):
2150         (JSC::DFG::Propagator::setReplacement):
2151         (JSC::DFG::Propagator::performNodeCSE):
2152         (JSC::DFG::Propagator::performBlockCSE):
2153         (JSC::DFG::Propagator::localCSE):
2154         (JSC::DFG::Propagator::allocateVirtualRegisters):
2155         (JSC::DFG::propagate):
2156         * dfg/DFGSpeculativeJIT.cpp:
2157         (JSC::DFG::SpeculativeJIT::compile):
2158
2159 2011-09-16  Filip Pizlo  <fpizlo@apple.com>
2160
2161         method_check should repatch itself if it finds that the new structure(s)
2162         are the result of transitions from the old structure(s)
2163         https://bugs.webkit.org/show_bug.cgi?id=68294
2164
2165         Reviewed by Gavin Barraclough.
2166         
2167         Previously a patched method_check would slow-path to get_by_id. Now it
2168         slow-paths to method_check_update, which attempts to correct the
2169         method_check due to structure transitions before bailing to get_by_id.
2170         
2171         This is a 1-2% speed-up on some benchmarks and is not a slow-down
2172         anywhere, leading to a 0.6% speed-up on the Kraken geomean.
2173
2174         * jit/JITPropertyAccess.cpp:
2175         (JSC::JIT::patchMethodCallProto):
2176         * jit/JITStubs.cpp:
2177         (JSC::DEFINE_STUB_FUNCTION):
2178         * jit/JITStubs.h:
2179         * runtime/Structure.h:
2180         (JSC::Structure::transitivelyTransitionedFrom):
2181
2182 2011-09-16  Ryosuke Niwa  <rniwa@webkit.org>
2183
2184         Touch Platform.h in the hope to fix SnowLeopard Intel Release (WebKit2 Tests).
2185
2186         * wtf/Platform.h:
2187
2188 2011-09-16  Sam Weinig  <sam@webkit.org>
2189
2190         Rename APIValueWrapper type to APIValueWrapperType for consistency
2191         https://bugs.webkit.org/show_bug.cgi?id=68306
2192
2193         Reviewed by Anders Carlsson.
2194
2195         * runtime/JSAPIValueWrapper.h:
2196         (JSC::JSAPIValueWrapper::createStructure):
2197         Update name.
2198
2199         * runtime/JSType.h:
2200         Update name and un-indent.
2201
2202         * runtime/Structure.h:
2203         (JSC::JSCell::isAPIValueWrapper):
2204         Update name.
2205
2206 2011-09-16  Sam Weinig  <sam@webkit.org>
2207
2208         Remove unused isStrictModeFunction function
2209         https://bugs.webkit.org/show_bug.cgi?id=68305
2210
2211         Reviewed by Anders Carlsson.
2212
2213         * runtime/JSObject.h:
2214         (JSC::JSObject::isStrictModeFunction):
2215
2216 2011-09-16  Sam Weinig  <sam@webkit.org>
2217
2218         Cleanup JSTypeInfo a bit
2219         https://bugs.webkit.org/show_bug.cgi?id=68289
2220
2221         Reviewed by Anders Carlsson.
2222
2223         * dfg/DFGOperations.cpp:
2224         * jit/JITStubs.cpp:
2225         (JSC::DEFINE_STUB_FUNCTION):
2226         Replace direct access to flags() with predicate.
2227
2228         * runtime/JSObject.h:
2229         (JSC::JSFinalObject::createStructure):
2230         Pass FinalObjectType instead of using special IsJSFinalObject.
2231
2232         * runtime/JSTypeInfo.h:
2233         (JSC::TypeInfo::TypeInfo):
2234         Add an additional assert that no object should OverridesHasInstance but not have ImplementsHasInstance set.
2235
2236         (JSC::TypeInfo::isFinalObject):
2237         Added.
2238
2239         (JSC::TypeInfo::masqueradesAsUndefined):
2240         (JSC::TypeInfo::implementsHasInstance):
2241         (JSC::TypeInfo::isEnvironmentRecord):
2242         (JSC::TypeInfo::overridesHasInstance):
2243         (JSC::TypeInfo::implementsDefaultHasInstance):
2244         (JSC::TypeInfo::overridesGetOwnPropertySlot):
2245         (JSC::TypeInfo::overridesVisitChildren):
2246         (JSC::TypeInfo::overridesGetPropertyNames):
2247         (JSC::TypeInfo::prohibitsPropertyCaching):
2248         (JSC::TypeInfo::isSetOnFlags1):
2249         (JSC::TypeInfo::isSetOnFlags2):
2250         Replace direct bit twiddling with helper functions.
2251
2252         * runtime/Structure.cpp:
2253         (JSC::Structure::Structure):
2254         Use new isFinalObject() predicate.
2255
2256 2011-09-16  Gavin Barraclough  <barraclough@apple.com>
2257
2258         Unsigned bit shift fails under certain conditions in 32 bit builds
2259         https://bugs.webkit.org/show_bug.cgi?id=68166
2260
2261         Reviewed by Geoff Garen.
2262
2263         The major bug here is that the slow case (which handles shifts of
2264         doubles) doesn't check for negative results from an unsigned shift
2265         (which should be unsigned, and as such can't be represented by a
2266         signed integer immediate).  The implementation is also flawed for
2267         shifts by negative shift amounts (treats as shift by zero).
2268
2269         * jit/JITArithmetic32_64.cpp:
2270         (JSC::JIT::emitRightShift):
2271         (JSC::JIT::emitRightShiftSlowCase):
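        Added example, not WebKit code or one of its tests: a JavaScript reference model of the ECMAScript unsigned right shift, compared against the engine's own `>>>` on constructed inputs that exercise the two mistakes this entry describes, results with bit 31 set (which a signed int32 immediate cannot hold) and negative shift counts (which must be masked to five bits rather than treated as zero). The names toUint32, referenceUrshift, checkCases, EDGE_CASES and urshiftIsConformant are the example's own.

```javascript
// Added example, not WebKit code: a reference model of ECMAScript's
// unsigned right shift (>>>), checked against the engine's own operator
// on constructed inputs that exercise the two mistakes the entry names:
// results with bit 31 set (not representable as a signed int32 immediate)
// and negative shift counts (which must be masked, not treated as zero).
// All function names and the case table below are this example's own.

const TWO_32 = 4294967296;

// ToUint32 as the spec defines it: NaN/Infinity -> 0, truncate toward
// zero, then reduce modulo 2^32 into [0, 2^32). JS `%` on doubles is exact.
function toUint32(value) {
  const n = Number(value);
  if (!Number.isFinite(n) || n === 0) return 0;
  const truncated = Math.trunc(n);
  return ((truncated % TWO_32) + TWO_32) % TWO_32;
}

// Reference >>>: ToUint32(lhs) shifted right by (ToUint32(rhs) & 31),
// zero-filling. Division by a power of two plus floor is a logical shift
// because the left operand is already a non-negative integer below 2^32.
function referenceUrshift(lhs, rhs) {
  const left = toUint32(lhs);
  const count = toUint32(rhs) & 0x1f;
  return Math.floor(left / Math.pow(2, count));
}

// Run the engine's >>> against the reference; return every disagreement.
function checkCases(cases) {
  const mismatches = [];
  for (const [lhs, rhs] of cases) {
    const native = lhs >>> rhs;
    const expected = referenceUrshift(lhs, rhs);
    if (native !== expected) mismatches.push({ lhs, rhs, native, expected });
  }
  return mismatches;
}

// Constructed cases. Double operands are what the slow path the entry
// describes has to handle; each comment gives the spec result for the pair.
const EDGE_CASES = [
  [-1, 0],          // 4294967295: bit 31 set, so a signed int32 cannot hold it
  [-1.5, 0],        // double lhs truncates to -1, wraps to 4294967295
  [0x80000000, 0],  // 2147483648 stays 2147483648 (no sign extension)
  [-8, 1],          // 4294967288 >>> 1 === 2147483644
  [1, -1],          // count -1 masks to 31, so 1 >>> 31 === 0 (not 1 >>> 0)
  [-1, -1],         // 4294967295 >>> 31 === 1
  [2.5, 33],        // double lhs -> 2, count 33 masks to 1, result 1
  [TWO_32, 0],      // 2^32 wraps to 0
  [NaN, 3],         // NaN -> 0
  [Infinity, 1],    // Infinity -> 0
];

// Single-call regression check: true when every case agrees with the spec.
function urshiftIsConformant() {
  return checkCases(EDGE_CASES).length === 0;
}
```

Running checkCases(EDGE_CASES) on a conforming engine returns an empty array; any JIT that sign-extends bit 31 or ignores a negative count shows up as a listed mismatch.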
2272
2273 2011-09-16  Geoffrey Garen  <ggaren@apple.com>
2274
2275         Removed undetectable style.filter.
2276
2277         Reviewed by Sam Weinig.
2278         
2279         This feature was added in http://trac.webkit.org/changeset/15557 to
2280         support housingmaps.com. But housingmaps.com no longer needs this hack,
2281         we don't know of other websites that need it, and we don't know of
2282         any other browsers that have implemented this feature.
2283
2284         * GNUmakefile.list.am:
2285         * JavaScriptCore.gypi:
2286         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2287         * JavaScriptCore.xcodeproj/project.pbxproj:
2288         * runtime/JSTypeInfo.h:
2289         * runtime/StringObjectThatMasqueradesAsUndefined.h: Removed.
2290
2291 2011-09-15  Sam Weinig  <sam@webkit.org>
2292
2293         Prepare JSTypes for more Object subtypes
2294         https://bugs.webkit.org/show_bug.cgi?id=68200
2295
2296         Reviewed by Gavin Barraclough.
2297
2298         * dfg/DFGJITCompiler.h:
2299         (JSC::DFG::JITCompiler::branchIfNotObject):
2300         * jit/JITInlineMethods.h:
2301         (JSC::JIT::emitJumpIfNotObject):
2302         * runtime/JSGlobalObject.h:
2303         (JSC::Structure::prototypeForLookup):
2304         * runtime/JSObject.h:
2305         (JSC::JSObject::finishCreation):
2306         * runtime/JSType.h:
2307         * runtime/JSTypeInfo.h:
2308         (JSC::TypeInfo::type):
2309         (JSC::TypeInfo::isObject):
2310         (JSC::TypeInfo::isFinal):
2311         (JSC::TypeInfo::prohibitsPropertyCaching):
2312         * runtime/NativeErrorConstructor.h:
2313         (JSC::NativeErrorConstructor::finishCreation):
2314         * runtime/Operations.cpp:
2315         (JSC::jsIsObjectType):
2316         * runtime/Structure.cpp:
2317         (JSC::Structure::addPropertyTransitionToExistingStructure):
2318         (JSC::Structure::addPropertyTransition):
2319         * runtime/Structure.h:
2320         (JSC::Structure::isObject):
2321         (JSC::JSCell::isObject):
2322
2323 2011-09-16  Geoffrey Garen  <ggaren@apple.com>
2324
2325         Rolled back in r95201 with test failure fixed.
2326         
2327         I missed two cases of jumpSlowToHot in rshift -- these cases need to be
2328         sure to initialize regT1 to the int tag, since it will otherwise hold
2329         the top 32 bits of a double.
2330
2331         * jit/JIT.h:
2332         * jit/JITArithmetic32_64.cpp:
2333         (JSC::JIT::emit_op_lshift):
2334         (JSC::JIT::emitRightShift):
2335         (JSC::JIT::emitRightShiftSlowCase):
2336         (JSC::JIT::emit_op_bitand):
2337         (JSC::JIT::emit_op_bitor):
2338         (JSC::JIT::emit_op_bitxor):
2339         (JSC::JIT::emit_op_bitnot):
2340         (JSC::JIT::emit_op_post_inc):
2341         (JSC::JIT::emit_op_post_dec):
2342         (JSC::JIT::emit_op_pre_inc):
2343         (JSC::JIT::emit_op_pre_dec):
2344         * jit/JITInlineMethods.h:
2345         (JSC::JIT::emitStoreAndMapInt32):
2346
2347 2011-09-16  Filip Pizlo  <fpizlo@apple.com>
2348
2349         Unreviewed Windows build fix after 95318.
2350
2351         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2352
2353 2011-09-16  Adam Roben  <aroben@apple.com>
2354
2355         Windows build fix after r95310
2356
2357         * JavaScriptCore.vcproj/jsc/jscCommon.vsprops: Added include\private\JavaScriptCore to the
2358         include path so DFGIntrinsic.h can be found.
2359
2360 2011-09-16  Gavin Barraclough  <barraclough@apple.com>
2361
2362         Rationalize JSObject::putDirect* methods
2363         https://bugs.webkit.org/show_bug.cgi?id=68274
2364
2365         Reviewed by Sam Weinig.
2366         
2367         Delete the *Function variants. These are overall inefficient,
2368         in the way they get the name back from the function rather
2369         than just passing it in.
2370
2371         * JavaScriptCore.exp:
2372         * jsc.cpp:
2373         (GlobalObject::finishCreation):
2374         (GlobalObject::addFunction):
2375         * runtime/FunctionPrototype.cpp:
2376         (JSC::FunctionPrototype::addFunctionProperties):
2377         * runtime/JSGlobalObject.cpp:
2378         (JSC::JSGlobalObject::reset):
2379         * runtime/JSObject.cpp:
2380         (JSC::JSObject::put):
2381         (JSC::JSObject::putWithAttributes):
2382         (JSC::JSObject::defineGetter):
2383         (JSC::JSObject::defineSetter):
2384         * runtime/JSObject.h:
2385         (JSC::JSObject::putDirect):
2386         (JSC::JSObject::putDirectWithoutTransition):
2387         * runtime/Lookup.cpp:
2388         (JSC::setUpStaticFunctionSlot):
2389         * runtime/Lookup.h:
2390         (JSC::lookupPut):
2391
2392 2011-09-16  Filip Pizlo  <fpizlo@apple.com>
2393
2394         Unreviewed build fix for Windows.
2395
2396         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2397
2398 2011-09-16  Filip Pizlo  <fpizlo@apple.com>
2399
2400         Unreviewed build fix for non-DFG builds.
2401
2402         * runtime/Executable.h:
2403         (JSC::NativeExecutable::finishCreation):
2404
2405 2011-09-16  Filip Pizlo  <fpizlo@apple.com>
2406
2407         DFG JIT should inline Math.abs
2408         https://bugs.webkit.org/show_bug.cgi?id=68227
2409
2410         Reviewed by Oliver Hunt.
2411         
2412         This adds the ability to track intrinsic functions throughout the
2413         host function infrastructure, so that the DFG can easily query
2414         whether or not a call's target is intrinsic, and if so, which
2415         intrinsic it is.
2416         
2417         On top of this, it adds Math.abs intrinsics to DFG. Call(Math.abs)
2418         is transformed into ValueToNumber<-ArithAbs nodes. These nodes
2419         then get optimized using the usual tricks.
2420         
2421         Also had to make a completely unrelated change to
2422         DateInstanceCache.h in order to fix a preexisting alphabetical
2423         sorting problem in JSGlobalData.h
2424         
2425         This results in a big win in imaging-gaussian-blur: 61% faster
2426         than before. The net win on Kraken is around 13%.
2427
2428         * JavaScriptCore.xcodeproj/project.pbxproj:
2429         * create_hash_table:
2430         * dfg/DFGByteCodeParser.cpp:
2431         (JSC::DFG::ByteCodeParser::parseBlock):
2432         * dfg/DFGGraph.h:
2433         (JSC::DFG::Graph::isFunctionConstant):
2434         (JSC::DFG::Graph::valueOfFunctionConstant):
2435         * dfg/DFGIntrinsic.h: Added.
2436         * dfg/DFGJITCodeGenerator.h:
2437         (JSC::DFG::JITCodeGenerator::isFunctionConstant):
2438         (JSC::DFG::JITCodeGenerator::valueOfFunctionConstant):
2439         * dfg/DFGJITCompiler.h:
2440         (JSC::DFG::JITCompiler::isFunctionConstant):
2441         (JSC::DFG::JITCompiler::valueOfFunctionConstant):
2442         * dfg/DFGNode.h:
2443         * dfg/DFGPropagator.cpp:
2444         (JSC::DFG::Propagator::propagateNode):
2445         * dfg/DFGSpeculativeJIT.cpp:
2446         (JSC::DFG::SpeculativeJIT::compile):
2447         * jit/JITStubs.cpp:
2448         (JSC::JITThunks::hostFunctionStub):
2449         * jit/JITStubs.h:
2450         * runtime/DateInstanceCache.h:
2451         * runtime/Executable.cpp:
2452         (JSC::ExecutableBase::intrinsic):
2453         (JSC::NativeExecutable::intrinsic):
2454         * runtime/Executable.h:
2455         (JSC::NativeExecutable::create):
2456         (JSC::NativeExecutable::finishCreation):
2457         * runtime/JSGlobalData.cpp:
2458         (JSC::JSGlobalData::getHostFunction):
2459         * runtime/JSGlobalData.h:
2460         * runtime/Lookup.cpp:
2461         (JSC::HashTable::createTable):
2462         (JSC::setUpStaticFunctionSlot):
2463         * runtime/Lookup.h:
2464         (JSC::HashEntry::initialize):
2465         (JSC::HashEntry::intrinsic):
2466
2467 2011-09-16  Filip Pizlo  <fpizlo@apple.com>
2468
2469         REGRESSION: Reproducible crash below SlotVisitor::harvestWeakReferences
2470         using Domino's online ordering
2471         https://bugs.webkit.org/show_bug.cgi?id=68220
2472
2473         Reviewed by Oliver Hunt.
2474         
2475         Weak handle processing can result in new objects being marked, which
2476         results in new WeakReferencesHarvesters being added. But weak
2477         reference harvesters are only processed before weak handle processing,
2478         so there's the risk that a weak reference harvester will persist
2479         until the next collection, by which time it may have been deleted.
2480
2481         * heap/Heap.cpp:
2482         (JSC::Heap::markRoots):
2483
2484 2011-09-16  Csaba Osztrogonác  <ossy@webkit.org>
2485
2486         REGRESSION(r95201): It made two tests fail
2487         https://bugs.webkit.org/show_bug.cgi?id=68230
2488
2489         Unreviewed rolling out r95201.
2490
2491         * jit/JIT.h:
2492         * jit/JITArithmetic32_64.cpp:
2493         (JSC::JIT::emit_op_lshift):
2494         (JSC::JIT::emitRightShift):
2495         (JSC::JIT::emit_op_bitand):
2496         (JSC::JIT::emit_op_bitor):
2497         (JSC::JIT::emit_op_bitxor):
2498         (JSC::JIT::emit_op_bitnot):
2499         (JSC::JIT::emit_op_post_inc):
2500         (JSC::JIT::emit_op_post_dec):
2501         (JSC::JIT::emit_op_pre_inc):
2502         (JSC::JIT::emit_op_pre_dec):
2503         * jit/JITInlineMethods.h:
2504
2505 2011-09-15  Filip Pizlo  <fpizlo@apple.com>
2506
2507         DFG JIT does not optimize method_check
2508         https://bugs.webkit.org/show_bug.cgi?id=68215
2509
2510         Reviewed by Oliver Hunt.
2511         
2512         MethodCallLinkInfo and StructureStubInfo are now searchable by
2513         bytecodeIndex, so that DFG::ByteCodeParser can use that information
2514         to determine how to optimize GetMethod.
2515         
2516         A new node op has been added to DFG: CheckMethod. This is a variant
2517         of GetMethod that has been optimized for the case that GetMethod
2518         always takes the fast path. CheckMethod results in only a very
2519         small amount of code (two loads and two branches in the worst case,
2520         one load and one branch in the best case). CheckMethod behaves as
2521         if it were a constant.  
2522         
2523         Introduced the notion that a DFG node that is not JSConstant
2524         behaves as a constant. CheckMethod uses this functionality.
2525         
2526         This is a 3% speed-up on Kraken, and a small speed-up on V8.
2527         Appears to be neutral on SunSpider.
2528
2529         * bytecode/CodeBlock.h:
2530         (JSC::getStructureStubInfoBytecodeIndex):
2531         (JSC::getMethodCallLinkInfoBytecodeIndex):
2532         * bytecode/PredictedType.cpp:
2533         (JSC::predictionFromCell):
2534         (JSC::predictionFromValue):
2535         * bytecode/PredictedType.h:
2536         * bytecode/StructureStubInfo.h:
2537         * dfg/DFGAliasTracker.h:
2538         (JSC::DFG::AliasTracker::recordGetMethod):
2539         * dfg/DFGByteCodeParser.cpp:
2540         (JSC::DFG::ByteCodeParser::parseBlock):
2541         * dfg/DFGGraph.cpp:
2542         (JSC::DFG::Graph::dump):
2543         * dfg/DFGGraph.h:
2544         (JSC::DFG::Graph::getMethodCheckPrediction):
2545         (JSC::DFG::Graph::getPrediction):
2546         (JSC::DFG::Graph::isConstant):
2547         (JSC::DFG::Graph::isJSConstant):
2548         (JSC::DFG::Graph::valueOfJSConstant):
2549         (JSC::DFG::Graph::valueOfInt32Constant):
2550         (JSC::DFG::Graph::valueOfNumberConstant):
2551         (JSC::DFG::Graph::valueOfBooleanConstant):
2552         (JSC::DFG::Graph::valueOfJSConstantNode):
2553         * dfg/DFGJITCodeGenerator.cpp:
2554         (JSC::DFG::JITCodeGenerator::fillInteger):
2555         (JSC::DFG::JITCodeGenerator::fillDouble):
2556         (JSC::DFG::JITCodeGenerator::fillJSValue):
2557         (JSC::DFG::JITCodeGenerator::isKnownNotInteger):
2558         (JSC::DFG::JITCodeGenerator::isKnownNotNumber):
2559         * dfg/DFGJITCodeGenerator.h:
2560         (JSC::DFG::JITCodeGenerator::silentSpillFPR):
2561         (JSC::DFG::JITCodeGenerator::silentFillGPR):
2562         (JSC::DFG::JITCodeGenerator::silentFillFPR):
2563         * dfg/DFGJITCompiler.cpp:
2564         (JSC::DFG::JITCompiler::fillNumericToDouble):
2565         (JSC::DFG::JITCompiler::fillInt32ToInteger):
2566         (JSC::DFG::JITCompiler::fillToJS):
2567         * dfg/DFGNode.h:
2568         (JSC::DFG::Node::hasConstant):
2569         (JSC::DFG::Node::hasIdentifier):
2570         (JSC::DFG::Node::hasMethodCheckData):
2571         (JSC::DFG::Node::methodCheckDataIndex):
2572         (JSC::DFG::Node::valueOfJSConstant):
2573         * dfg/DFGPropagator.cpp:
2574         (JSC::DFG::Propagator::propagateNode):
2575         * dfg/DFGSpeculativeJIT.cpp:
2576         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
2577         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2578         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2579         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2580         (JSC::DFG::SpeculativeJIT::compile):
2581         * jit/JIT.cpp:
2582         (JSC::JIT::privateCompile):
2583         * jit/JIT.h:
2584         (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
2585         (JSC::MethodCallCompilationInfo::MethodCallCompilationInfo):
2586         * jit/JITPropertyAccess.cpp:
2587         (JSC::JIT::emit_op_method_check):
2588         (JSC::JIT::compileGetByIdHotPath):
2589         (JSC::JIT::emit_op_put_by_id):
2590         * jit/JITPropertyAccess32_64.cpp:
2591         (JSC::JIT::emit_op_method_check):
2592         (JSC::JIT::compileGetByIdHotPath):
2593         (JSC::JIT::emit_op_put_by_id):
2594         * runtime/JSCell.h:
2595         (JSC::JSCell::JSCell::structureAddress):
2596
2597 2011-09-15  Adam Barth  <abarth@webkit.org>
2598
2599         Rename ENABLE(DATABASE) to ENABLE(SQL_DATABASE)
2600         https://bugs.webkit.org/show_bug.cgi?id=68205
2601
2602         Reviewed by Eric Seidel.
2603
2604         * Configurations/FeatureDefines.xcconfig:
2605         * wtf/Platform.h:
2606
2607 2011-09-15  Mark Hahnenberg  <mhahnenberg@apple.com>
2608
2609         Unzip initialization lists and constructors in JSCell hierarchy (7/7)
2610         https://bugs.webkit.org/show_bug.cgi?id=68122
2611
2612         Reviewed by Geoffrey Garen.
2613
2614         Completed the seventh and final level of the refactoring to add finishCreation() 
2615         methods to all classes within the JSCell hierarchy with non-trivial 
2616         constructor bodies.
2617
2618         JSCallbackObject was missed in previous patches due to the fact that 
2619         it's non-obvious (at least to my script) that it is in the JSCell hierarchy, so 
2620         this is just a bit of retroactive cleanup.
2621
2622         * API/JSCallbackObject.h:
2623         (JSC::JSCallbackObject::create):
2624         * API/JSCallbackObjectFunctions.h:
2625         (JSC::::JSCallbackObject):
2626
2627 2011-09-15  Filip Pizlo  <fpizlo@apple.com>
2628
2629         The DFG non-speculative JIT is no longer used and should be removed.
2630         https://bugs.webkit.org/show_bug.cgi?id=68177
2631
2632         Reviewed by Geoffrey Garen.
2633         
2634         This removes the non-speculative JIT and everything that relied on it,
2635         including the ability to turn on DFG but not tiered compilation, the
2636         ability to perform speculation failure into non-speculative JIT code,
2637         and the ability to statically terminate speculation.
2638
2639         * GNUmakefile.list.am:
2640         * JavaScriptCore.pro:
2641         * JavaScriptCore.xcodeproj/project.pbxproj:
2642         * bytecode/CodeBlock.h:
2643         * bytecompiler/BytecodeGenerator.cpp:
2644         (JSC::BytecodeGenerator::emitLoopHint):
2645         * dfg/DFGByteCodeParser.cpp:
2646         (JSC::DFG::ByteCodeParser::ByteCodeParser):
2647         (JSC::DFG::ByteCodeParser::getStrongPrediction):
2648         (JSC::DFG::ByteCodeParser::parseBlock):
2649         * dfg/DFGDriver.cpp:
2650         (JSC::DFG::compile):
2651         * dfg/DFGGenerationInfo.h:
2652         * dfg/DFGGraph.cpp:
2653         (JSC::DFG::Graph::predictArgumentTypes):
2654         * dfg/DFGJITCodeGenerator.cpp:
2655         * dfg/DFGJITCompiler.cpp:
2656         (JSC::DFG::JITCompiler::linkOSRExits):
2657         (JSC::DFG::JITCompiler::compileBody):
2658         * dfg/DFGJITCompiler.h:
2659         * dfg/DFGNode.h:
2660         * dfg/DFGNonSpeculativeJIT.cpp: Removed.
2661         * dfg/DFGNonSpeculativeJIT.h: Removed.
2662         * dfg/DFGOSREntry.cpp:
2663         (JSC::DFG::prepareOSREntry):
2664         * dfg/DFGPropagator.cpp:
2665         * dfg/DFGPropagator.h:
2666         * dfg/DFGSpeculativeJIT.cpp:
2667         (JSC::DFG::SpeculativeJIT::compile):
2668         * dfg/DFGSpeculativeJIT.h:
2669         (JSC::DFG::SpeculativeJIT::osrExits):
2670         (JSC::DFG::SpeculativeJIT::speculationRecovery):
2671         (JSC::DFG::SpeculativeJIT::speculationCheck):
2672         (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
2673         * jit/JIT.cpp:
2674         (JSC::JIT::privateCompileMainPass):
2675         (JSC::JIT::privateCompile):
2676         * jit/JIT.h:
2677         * jit/JITCode.h:
2678         (JSC::JITCode::bottomTierJIT):
2679         * runtime/JSGlobalData.cpp:
2680         (JSC::JSGlobalData::JSGlobalData):
2681         (JSC::JSGlobalData::~JSGlobalData):
2682         * runtime/JSGlobalData.h:
2683         * wtf/Platform.h:
2684
2685 2011-09-15  Eric Seidel  <eric@webkit.org>
2686
2687         Remove ENABLE(SVG_AS_IMAGE) since all major ports have it on by default
2688         https://bugs.webkit.org/show_bug.cgi?id=68182
2689
2690         Reviewed by Adam Barth.
2691
2692         * Configurations/FeatureDefines.xcconfig:
2693
2694 2011-09-15  Filip Pizlo  <fpizlo@apple.com>
2695
2696         DFG speculative JIT sometimes asserts that a value is not a number
2697         even when it doesn't know anything about the number
2698         https://bugs.webkit.org/show_bug.cgi?id=68189
2699
2700         Reviewed by Oliver Hunt.
2701
2702         * dfg/DFGGenerationInfo.h:
2703         (JSC::DFG::GenerationInfo::isUnknownJS):
2704         * dfg/DFGJITCodeGenerator.cpp:
2705         (JSC::DFG::JITCodeGenerator::isKnownNotNumber):
2706
2707 2011-09-15  Filip Pizlo  <fpizlo@apple.com>
2708
2709         All of the functionality in the non-speculative JIT should be
2710         available to the speculative JIT via helper methods
2711         https://bugs.webkit.org/show_bug.cgi?id=68186
2712
2713         Reviewed by Oliver Hunt.
2714         
2715         Stole all of the goodness from NonSpeculativeJIT and placed it
2716         in JITCodeGenerator.  Left all of the badness (i.e. subtle code
2717         duplication with SpeculativeJIT, etc).  This is in preparation
2718         for removing the NonSpeculativeJIT entirely, but having its
2719         goodness available for reuse in the SpeculativeJIT if necessary.
2720
2721         * dfg/DFGJITCodeGenerator.cpp:
2722         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber):
2723         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
2724         (JSC::DFG::JITCodeGenerator::nonSpeculativeUInt32ToNumber):
2725         (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp):
2726         (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
2727         (JSC::DFG::JITCodeGenerator::nonSpeculativeArithMod):
2728         (JSC::DFG::JITCodeGenerator::nonSpeculativeCheckHasInstance):
2729         (JSC::DFG::JITCodeGenerator::nonSpeculativeInstanceOf):
2730         * dfg/DFGJITCodeGenerator.h:
2731         (JSC::DFG::JITCodeGenerator::nonSpeculativeAdd):
2732         (JSC::DFG::JITCodeGenerator::nonSpeculativeArithSub):
2733         * dfg/DFGNonSpeculativeJIT.cpp:
2734         (JSC::DFG::NonSpeculativeJIT::compile):
2735         * dfg/DFGNonSpeculativeJIT.h:
2736
2737 2011-09-15  Sheriff Bot  <webkit.review.bot@gmail.com>
2738
2739         Unreviewed, rolling out r95167.
2740         http://trac.webkit.org/changeset/95167
2741         https://bugs.webkit.org/show_bug.cgi?id=68191
2742
2743         Patch needs further work. (Requested by mhahnenberg on
2744         #webkit).
2745
2746         * JavaScriptCore.exp:
2747         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2748         * runtime/JSCell.cpp:
2749         (JSC::JSCell::toBoolean):
2750         * runtime/JSCell.h:
2751         (JSC::JSCell::JSValue::toBoolean):
2752         * runtime/JSNotAnObject.cpp:
2753         (JSC::JSNotAnObject::toBoolean):
2754         * runtime/JSNotAnObject.h:
2755         * runtime/JSObject.h:
2756         * runtime/JSString.h:
2757         * runtime/StringObjectThatMasqueradesAsUndefined.h:
2758         (JSC::StringObjectThatMasqueradesAsUndefined::toBoolean):
2759
2760 2011-09-15  Filip Pizlo  <fpizlo@apple.com>
2761
2762         Unreviewed build fix for platforms that expect a linkable symbol
2763         for primitive static const's.
2764
2765         * bytecode/CodeBlock.h:
2766         * jit/JIT.cpp:
2767         (JSC::JIT::emitOptimizationCheck):
2768
2769 2011-09-15  Filip Pizlo  <fpizlo@apple.com>
2770
2771         Unreviewed build fix for assertion on existence of alternative
2772         CodeBlock.
2773
2774         * dfg/DFGGraph.cpp:
2775         (JSC::DFG::Graph::predictArgumentTypes):
2776
2777 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
2778
2779         Value profiles collect no information for global variables
2780         https://bugs.webkit.org/show_bug.cgi?id=68143
2781
2782         Reviewed by Geoffrey Garen.
2783         
2784         17% speed-up on string-fasta.  Neutral elsewhere.
2785
2786         * dfg/DFGByteCodeParser.cpp:
2787         (JSC::DFG::ByteCodeParser::getStrongPrediction):
2788         (JSC::DFG::ByteCodeParser::stronglyPredict):
2789         (JSC::DFG::ByteCodeParser::parseBlock):
2790         * jit/JITPropertyAccess.cpp:
2791         (JSC::JIT::emit_op_get_global_var):
2792
2793 2011-09-15  Eric Seidel  <eric@webkit.org>
2794
2795         Remove ENABLE_SVG_ANIMATION as all major ports have it on by default
2796         https://bugs.webkit.org/show_bug.cgi?id=68022
2797
2798         Reviewed by Ryosuke Niwa.
2799
2800         * Configurations/FeatureDefines.xcconfig:
2801
2802 2011-09-15  Gavin Barraclough  <barraclough@apple.com>
2803
2804         Ooops, revert accidentally committed unreviewed changes.
2805
2806         * jit/JITOpcodes32_64.cpp:
2807         (JSC::JIT::emit_op_jfalse):
2808         (JSC::JIT::emit_op_jtrue):
2809         * jit/JSInterfaceJIT.h:
2810         * runtime/JSValue.h:
2811
2812 2011-09-15  Sheriff Bot  <webkit.review.bot@gmail.com>
2813
2814         Unreviewed, rolling out r95163.
2815         http://trac.webkit.org/changeset/95163
2816         https://bugs.webkit.org/show_bug.cgi?id=68180
2817
2818         [Qt] The QT_GCC_X variables were removed in Qt5 by accident.
2819         (Requested by darktears on #webkit).
2820
2821         * JavaScriptCore.pro:
2822
2823 2011-09-15  Gavin Barraclough  <barraclough@apple.com>
2824
2825         Windows build fix p1.
2826
2827         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2828         * jit/JITOpcodes32_64.cpp:
2829         (JSC::JIT::emit_op_jfalse):
2830         (JSC::JIT::emit_op_jtrue):
2831         * jit/JSInterfaceJIT.h:
2832         * runtime/JSValue.h:
2833
2834 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
2835
2836         Tiered compilation should be enabled by default on platforms
2837         that support the DFG JIT
2838         https://bugs.webkit.org/show_bug.cgi?id=68136
2839
2840         Reviewed by Sam Weinig.
2841         
2842         Neutral on SunSpider, 4% speed-up on V8, and 19% speed-up on
2843         Kraken.  Large progressions on some benchmarks, including
2844         3x on imaging-desaturate.
2845
2846         * wtf/Platform.h:
2847
2848 2011-09-15  Gavin Barraclough  <barraclough@apple.com>
2849
2850         devirtualize preventExtensions
2851         https://bugs.webkit.org/show_bug.cgi?id=68176
2852
2853         Reviewed by Oliver Hunt.
2854
2855         This is virtual due to problems in JSFunction putting the prototype
2856         property, but we can fix this problem a different way, just setting
2857         the checkReadOnly flag to false in the put.
2858
2859         * runtime/JSFunction.cpp:
2860         (JSC::JSFunction::getOwnPropertySlot):
2861         * runtime/JSFunction.h:
2862         * runtime/JSObject.h:
2863
2864 2011-09-15  Geoffrey Garen  <ggaren@apple.com>
2865
2866         Value chaining for JSValue32_64 bitops.
2867
2868         Reviewed by Sam Weinig.
2869         
2870         SunSpider says 2.3% faster, v8 ~1% faster (mostly due to crypto).
2871
2872         * jit/JIT.h:
2873         * jit/JITInlineMethods.h:
2874         (JSC::JIT::emitStoreAndMapInt32): New int32 helper function for stores
2875         that can chain their results, which is the common case.
2876
2877         * jit/JITArithmetic32_64.cpp:
2878         (JSC::JIT::emit_op_lshift):
2879         (JSC::JIT::emitRightShift):
2880         (JSC::JIT::emit_op_bitand):
2881         (JSC::JIT::emit_op_bitor):
2882         (JSC::JIT::emit_op_bitxor):
2883         (JSC::JIT::emit_op_bitnot):
2884         (JSC::JIT::emit_op_pre_inc):
2885         (JSC::JIT::emit_op_pre_dec): Deployed new function.
2886         (JSC::JIT::emit_op_post_inc):
2887         (JSC::JIT::emit_op_post_dec): Had to reorder these functions so they
2888         computed their result values last, to make them eligible for chaining.
2889
2890 2011-09-15  Adam Roben  <aroben@apple.com>
2891
2892         Clang build fix after r95172
2893
2894         * dfg/DFGSpeculativeJIT.h:
2895         (JSC::DFG::SpeculativeJIT::shouldSpeculateFinalObject):
2896         (JSC::DFG::SpeculativeJIT::shouldSpeculateArray):
2897         Added parentheses to make precedence clear.
2898
2899 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
2900
2901         DFG does not speculate aggressively enough on comparisons
2902         https://bugs.webkit.org/show_bug.cgi?id=68138
2903
2904         Reviewed by Oliver Hunt.
2905         
2906         This is a 75% speed-up on Kraken/ai-astar.  It's a 1% win on
2907         V8 and an 8.5% win on Kraken.  Neutral on SunSpider.
2908
2909         * dfg/DFGSpeculativeJIT.cpp:
2910         (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
2911         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
2912         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2913         (JSC::DFG::SpeculativeJIT::compare):
2914         * dfg/DFGSpeculativeJIT.h:
2915         (JSC::DFG::SpeculativeJIT::shouldSpeculateFinalObject):
2916         (JSC::DFG::SpeculativeJIT::shouldSpeculateArray):
2917         (JSC::DFG::SpeculativeJIT::shouldSpeculateObject):
2918         (JSC::DFG::SpeculativeJIT::shouldSpeculateCell):
2919
2920 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
2921
2922         DFG JIT does not leverage integer speculations on branches
2923         https://bugs.webkit.org/show_bug.cgi?id=68140
2924
2925         Reviewed by Oliver Hunt.
2926
2927         * dfg/DFGJITCodeGenerator.cpp:
2928         (JSC::DFG::JITCodeGenerator::isStrictInt32):
2929         * dfg/DFGJITCodeGenerator.h:
2930         * dfg/DFGSpeculativeJIT.cpp:
2931         (JSC::DFG::SpeculativeJIT::compile):
2932
2933 2011-09-14  Gavin Barraclough  <barraclough@apple.com>
2934
2935         [n]stricteq code is bogus in JSValue32_64 JIT
2936         https://bugs.webkit.org/show_bug.cgi?id=68141
2937
2938         Reviewed by Sam Weinig.
2939
2940         The code tries to check for both ints or cells, but this check also
2941         catches cases where values are undefined, null, etc. (probably
2942         was incorrectly assuming cell was the 2nd highest tag?).
2943
2944         Also, there is no need not to handle int on the fast path.
2945         stricteq is just a case of comparing the payloads, if we:
2946             * handle cases of differing tags on a slow path
2947             * handle doubles a slow path
2948             * handle both-are-string on a slow path
2949
2950         * jit/JITOpcodes32_64.cpp:
2951         (JSC::JIT::compileOpStrictEq):
2952         (JSC::JIT::emitSlow_op_stricteq):
2953         (JSC::JIT::emitSlow_op_nstricteq):
2954
2955 2011-09-14  Mark Hahnenberg  <mhahnenberg@apple.com>
2956
2957         Make JSCell::toBoolean non-virtual
2958         https://bugs.webkit.org/show_bug.cgi?id=67727
2959
2960         Reviewed by Sam Weinig.
2961
2962         JSCell::toBoolean now manually performs the toBoolean check for objects and strings (where 
2963         before it was simply virtual and would crash if its implementation was called). 
2964         Its descendants in JSObject and JSString have also been made non-virtual.  JSCell now
2965         explicitly covers all cases of toBoolean, so having a virtual implementation of 
2966         JSCell::toBoolean is no longer necessary.  This is part of a larger process of un-virtualizing JSCell.
2967
2968         * JavaScriptCore.exp:
2969         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2970         * runtime/JSCell.cpp:
2971         * runtime/JSCell.h:
2972         * runtime/JSNotAnObject.cpp:
2973         * runtime/JSNotAnObject.h:
2974         * runtime/JSObject.h:
2975         * runtime/JSString.h:
2976         (JSC::JSCell::toBoolean):
2977         (JSC::JSValue::toBoolean):
2978         * runtime/StringObjectThatMasqueradesAsUndefined.h:
2979
2980 2011-09-14  Alexis Menard  <alexis.menard@openbossa.org>
2981
2982         [Qt] Replace QT_GCC_X as they don't exist in Qt5 anymore.
2983         https://bugs.webkit.org/show_bug.cgi?id=68114
2984
2985         Reviewed by Kenneth Rohde Christiansen.
2986
2987         Use the new GCC_X variables defined in WebKit.pri to replace
2988         the usage of QT_GCC_X.
2989
2990         * JavaScriptCore.pro:
2991
2992 2011-09-14  Sheriff Bot  <webkit.review.bot@gmail.com>
2993
2994         Unreviewed, rolling out r95145.
2995         http://trac.webkit.org/changeset/95145
2996         https://bugs.webkit.org/show_bug.cgi?id=68139
2997
2998         The GTK+ build is working now, so revert this trial build fix.
2999         (Requested by mrobinson on #webkit).
3000
3001         * GNUmakefile.list.am:
3002
3003 2011-09-14  Patrick Gansterer  <paroga@webkit.org>
3004
3005         Port MachineStackMarker to Windows ARM and MIPS
3006         https://bugs.webkit.org/show_bug.cgi?id=68068
3007
3008         Reviewed by Geoffrey Garen.
3009
3010         Use the correct member of the CONTEXT struct for the stack pointer for CPU(ARM) and CPU(MIPS).
3011         Only query CONTEXT_INTEGER and CONTEXT_CONTROL, since CONTEXT_SEGMENTS isn't defined for
3012         CPU(ARM) and CPU(MIPS) and the stack pointer is defined in the CONTEXT_CONTROL section for
3013         CPU(ARM), CPU(X86) and CPU(X86_64) and in the CONTEXT_INTEGER section for CPU(MIPS).
3014
3015         * heap/MachineStackMarker.cpp:
3016         (JSC::getPlatformThreadRegisters):
3017         (JSC::otherThreadStackPointer):
3018
3019 2011-09-12  Filip Pizlo  <fpizlo@apple.com>
3020
3021         DFG JIT always speculates that ValueAdd is a numeric addition
3022         https://bugs.webkit.org/show_bug.cgi?id=67956
3023
3024         Reviewed by Geoffrey Garen.
3025
3026         * dfg/DFGJITCodeGenerator.cpp:
3027         (JSC::DFG::JITCodeGenerator::isKnownNotNumber):
3028         * dfg/DFGJITCodeGenerator.h:
3029         * dfg/DFGNonSpeculativeJIT.cpp:
3030         (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
3031         (JSC::DFG::NonSpeculativeJIT::basicArithOp):
3032         * dfg/DFGOperations.cpp:
3033         * dfg/DFGOperations.h:
3034         * dfg/DFGSpeculativeJIT.cpp:
3035         (JSC::DFG::SpeculativeJIT::compile):
3036         * dfg/DFGSpeculativeJIT.h:
3037         (JSC::DFG::SpeculativeJIT::shouldSpeculateNumber):
3038
3039 2011-09-14  Anders Carlsson  <andersca@apple.com>
3040
3041         Stop building BinarySemaphore to see if that's what's breaking the GTK+ build.
3042
3043         * GNUmakefile.list.am:
3044
3045 2011-09-14  Anders Carlsson  <andersca@apple.com>
3046
3047         This is getting old. Yet another build fix attempt.
3048
3049         * JavaScriptCore.vcproj/WTF/WTFCommon.vsprops:
3050
3051 2011-09-14  Anders Carlsson  <andersca@apple.com>
3052
3053         Yet another build fix attempt.
3054
3055         * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:
3056
3057 2011-09-14  Anders Carlsson  <andersca@apple.com>
3058
3059         How I "love" Visual Studio...
3060
3061         Try to fix build again.
3062
3063         * JavaScriptCore.vcproj/WTF/WTFCommon.vsprops:
3064
3065 2011-09-14  Anders Carlsson  <andersca@apple.com>
3066
3067         Try to fix Windows build.
3068
3069         * JavaScriptCore.vcproj/WTF/WTFCommon.vsprops:
3070
3071 2011-09-14  Anders Carlsson  <andersca@apple.com>
3072
3073         Add BinarySemaphore class from WebKit2 to WTF
3074         https://bugs.webkit.org/show_bug.cgi?id=68132
3075
3076         Reviewed by Sam Weinig.
3077
3078         * GNUmakefile.list.am:
3079         * JavaScriptCore.gypi:
3080         * JavaScriptCore.vcproj/WTF/WTF.vcproj:
3081         * JavaScriptCore.xcodeproj/project.pbxproj:
3082         * wtf/CMakeLists.txt:
3083         Update build systems.
3084
3085         * wtf/threads: Added.
3086         * wtf/threads/BinarySemaphore.cpp: Copied from Source/WebKit2/Platform/CoreIPC/BinarySemaphore.cpp.
3087         * wtf/threads/BinarySemaphore.h: Copied from Source/WebKit2/Platform/CoreIPC/BinarySemaphore.h.
3088         * wtf/threads/win: Added.
3089         * wtf/threads/win/BinarySemaphoreWin.cpp: Copied from Source/WebKit2/Platform/CoreIPC/win/BinarySemaphoreWin.cpp.
3090
3091 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
3092
3093         Unreviewed build fix for Interpreter.
3094
3095         * interpreter/Interpreter.cpp:
3096         (JSC::Interpreter::privateExecute):
3097
3098 2011-09-14  Anders Carlsson  <andersca@apple.com>
3099
3100         Add wtf/threads and wtf/threads/win, so we can be sure that the EWS
3101         bots can correctly build the patch in https://bugs.webkit.org/show_bug.cgi?id=68132
3102
3103         Rubber-stamped by Sam Weinig.
3104
3105         * wtf/threads: Added.
3106         * wtf/threads/win: Added.
3107
3108 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
3109
3110         DFG JIT should not speculate integer if the value is always going to be
3111         used as a double anyway
3112         https://bugs.webkit.org/show_bug.cgi?id=68127
3113
3114         Reviewed by Oliver Hunt.
3115         
3116         Added a ValueToDouble node, which is a variant of ValueToNumber that
3117         hints that it will only be used as a double and never as an integer.
3118         Thus, it turns off integer speculation even if the value profiler
3119         told us that the value source is an int. The logic for converting a
3120         ValueToNumber into a ValueToDouble is found in Propagator.
3121         
3122         This appears to be a 22% speed-up in imaging-darkroom.
3123
3124         * dfg/DFGNode.h:
3125         * dfg/DFGNonSpeculativeJIT.cpp:
3126         (JSC::DFG::NonSpeculativeJIT::compile):
3127         * dfg/DFGPropagator.cpp:
3128         (JSC::DFG::Propagator::fixpoint):
3129         (JSC::DFG::Propagator::toDouble):
3130         (JSC::DFG::Propagator::fixupNode):
3131         (JSC::DFG::Propagator::fixup):
3132         * dfg/DFGSpeculativeJIT.cpp:
3133         (JSC::DFG::SpeculativeJIT::compile):
3134         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
3135
3136 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
3137
3138         Tiered compilation heuristics do not account for value profile fullness
3139         https://bugs.webkit.org/show_bug.cgi?id=68116
3140
3141         Reviewed by Oliver Hunt.
3142         
3143         Tiered compilation avoids invoking the DFG JIT if it finds that value
3144         profiles contain insufficient information. Instead, it produces a
3145         prediction from the current value profile, and then clears the value
3146         profile. This allows the value profile to heat up from scratch for
3147         some number of additional executions. The new profiles will then be
3148         merged with the previous prediction. Once the amount of information
3149         in predictions is enough according to heuristics in CodeBlock.cpp,
3150         DFG optimization is allowed to proceed.
3151
3152         * CMakeLists.txt:
3153         * GNUmakefile.list.am:
3154         * JavaScriptCore.pro:
3155         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
3156         * JavaScriptCore.xcodeproj/project.pbxproj:
3157         * bytecode/CodeBlock.cpp:
3158         (JSC::CodeBlock::CodeBlock):
3159         (JSC::CodeBlock::~CodeBlock):
3160         (JSC::CodeBlock::visitAggregate):
3161         (JSC::CodeBlock::visitWeakReferences):
3162         (JSC::CodeBlock::shouldOptimizeNow):
3163         (JSC::CodeBlock::dumpValueProfiles):
3164         * bytecode/CodeBlock.h:
3165         * bytecode/PredictedType.cpp:
3166         (JSC::predictionToString):
3167         * bytecode/PredictedType.h:
3168         * bytecode/ValueProfile.cpp: Added.
3169         (JSC::ValueProfile::computeStatistics):
3170         (JSC::ValueProfile::computeUpdatedPrediction):
3171         * bytecode/ValueProfile.h:
3172         (JSC::ValueProfile::ValueProfile):
3173         (JSC::ValueProfile::classInfo):
3174         (JSC::ValueProfile::numberOfSamples):
3175         (JSC::ValueProfile::totalNumberOfSamples):
3176         (JSC::ValueProfile::isLive):
3177         (JSC::ValueProfile::numberOfInt32s):
3178         (JSC::ValueProfile::numberOfDoubles):
3179         (JSC::ValueProfile::numberOfBooleans):
3180         (JSC::ValueProfile::dump):
3181         (JSC::getValueProfileBytecodeOffset):
3182         * dfg/DFGByteCodeParser.cpp:
3183         (JSC::DFG::ByteCodeParser::stronglyPredict):
3184         * dfg/DFGGraph.cpp:
3185         (JSC::DFG::Graph::predictArgumentTypes):
3186         * dfg/DFGJITCompiler.cpp:
3187         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
3188         (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):
3189         * jit/JIT.cpp:
3190         (JSC::JIT::emitOptimizationCheck):
3191         * jit/JITInlineMethods.h:
3192         (JSC::JIT::emitValueProfilingSite):
3193         * jit/JITStubs.cpp:
3194         (JSC::DEFINE_STUB_FUNCTION):
3195
3196 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
3197
3198         DFG should not speculate that the child of LogicalNot is a boolean if
3199         predictions tell us otherwise
3200         https://bugs.webkit.org/show_bug.cgi?id=68118
3201
3202         Reviewed by Geoffrey Garen.
3203
3204         * dfg/DFGJITCodeGenerator.cpp:
3205         (JSC::DFG::JITCodeGenerator::nonSpeculativeLogicalNot):
3206         * dfg/DFGJITCodeGenerator.h:
3207         * dfg/DFGNonSpeculativeJIT.cpp:
3208         (JSC::DFG::NonSpeculativeJIT::compile):
3209         * dfg/DFGSpeculativeJIT.cpp:
3210         (JSC::DFG::SpeculativeJIT::compile):
3211
3212 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
3213
3214         Unreviewed build fix.  Turn off tiered compilation.
3215
3216         * wtf/Platform.h:
3217
3218 2011-09-13  Filip Pizlo  <fpizlo@apple.com>
3219
3220         Prediction tracking is not precise enough
3221         https://bugs.webkit.org/show_bug.cgi?id=67993
3222
3223         Reviewed by Oliver Hunt.
3224         
3225         Added a richer set of type predictions, including JSFinalObject, JSString,
3226         object that is not a JSFinalObject or JSArray (ObjectOther), some object
3227         but we don't know or care what kind (SomeObject), definitely an object,
3228         cell that is not an object or JSString, a value that is none of the above
3229         (so either Undefined or Null). Made the propagator and value profiler work
3230         with the new types.
3231         
3232         Performance is neutral, because the DFG JIT does not take advantage of this
3233         new knowledge yet.
3234         
3235         In the process of writing predictionToString() (which is now considerably
3236         more complex) I decided to finally add a BoundsCheckedPointer, which
3237         should come in handy in other places, like at least the OSR scratch buffer
3238         and the CompactJITCodeMap. It's great for cases where you want to
3239         do pointer arithmetic, you want to have assertions about the
3240         pointer not going out of bounds, but you don't want to write those
3241         assertions yourself.
3242         
3243         This also required refactoring inherits(), since the ValueProfiler may
3244         want to do the equivalent of inherits() but given two ClassInfo's.
3245
3246         * GNUmakefile.list.am:
3247         * JavaScriptCore.vcproj/WTF/WTF.vcproj:
3248         * JavaScriptCore.xcodeproj/project.pbxproj:
3249         * bytecode/PredictedType.cpp: Added.
3250         (JSC::predictionToString):
3251         (JSC::makePrediction):
3252         (JSC::predictionFromValue):
3253         * bytecode/PredictedType.h:
3254         (JSC::isCellPrediction):
3255         (JSC::isObjectPrediction):
3256         (JSC::isFinalObjectPrediction):
3257         (JSC::isStringPrediction):
3258         (JSC::mergePredictions):
3259         * bytecode/ValueProfile.h:
3260         (JSC::ValueProfile::numberOfObjects):
3261         (JSC::ValueProfile::numberOfFinalObjects):
3262         (JSC::ValueProfile::numberOfStrings):
3263         (JSC::ValueProfile::probabilityOfObject):
3264         (JSC::ValueProfile::probabilityOfFinalObject):
3265         (JSC::ValueProfile::probabilityOfString):
3266         (JSC::ValueProfile::dump):
3267         (JSC::ValueProfile::Statistics::Statistics):
3268         (JSC::ValueProfile::computeStatistics):
3269         * dfg/DFGByteCodeParser.cpp:
3270         (JSC::DFG::ByteCodeParser::stronglyPredict):
3271         * dfg/DFGGraph.cpp:
3272         (JSC::DFG::Graph::dump):
3273         (JSC::DFG::Graph::predictArgumentTypes):
3274         * dfg/DFGNode.h:
3275         (JSC::DFG::Node::predict):
3276         * dfg/DFGPropagator.cpp:
3277         (JSC::DFG::Propagator::propagateNode):
3278         * runtime/ClassInfo.h:
3279         (JSC::ClassInfo::isSubClassOf):
3280         * runtime/JSObject.h:
3281         (JSC::JSCell::inherits):
3282         * wtf/BoundsCheckedPointer.h: Added.
3283         (WTF::BoundsCheckedPointer::BoundsCheckedPointer):
3284         (WTF::BoundsCheckedPointer::operator=):
3285         (WTF::BoundsCheckedPointer::operator+=):
3286         (WTF::BoundsCheckedPointer::operator-=):
3287         (WTF::BoundsCheckedPointer::operator+):
3288         (WTF::BoundsCheckedPointer::operator-):
3289         (WTF::BoundsCheckedPointer::operator++):
3290         (WTF::BoundsCheckedPointer::operator--):
3291         (WTF::BoundsCheckedPointer::operator<):
3292         (WTF::BoundsCheckedPointer::operator<=):
3293         (WTF::BoundsCheckedPointer::operator>):
3294         (WTF::BoundsCheckedPointer::operator>=):
3295         (WTF::BoundsCheckedPointer::operator==):
3296         (WTF::BoundsCheckedPointer::operator!=):
3297         (WTF::BoundsCheckedPointer::operator!):
3298         (WTF::BoundsCheckedPointer::get):
3299         (WTF::BoundsCheckedPointer::operator*):
3300         (WTF::BoundsCheckedPointer::operator[]):
3301         (WTF::BoundsCheckedPointer::strcat):
3302         (WTF::BoundsCheckedPointer::validate):
3303         * wtf/CMakeLists.txt:
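
The entry above describes BoundsCheckedPointer only in prose (a pointer you can do arithmetic on, with the out-of-bounds assertions written for you, used by predictionToString() for its scratch buffer). The following is an added illustration of that idea, not WTF's BoundsCheckedPointer and not JSC's predictionToString(): the class name, its members, the PredictionBit flags and the describePrediction() helper are all assumptions made for this example.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

// Added illustration of the idea the entry above describes: a pointer that
// carries the [begin, end] range it is allowed to move within and re-checks
// that range after every arithmetic operation, so callers get the bounds
// assertions without writing them. This is NOT WTF's BoundsCheckedPointer;
// the class name, member names and exact semantics are assumptions.
template <typename T>
class BoundsCheckedPtr {
public:
    BoundsCheckedPtr(T* begin, std::size_t count)
        : m_ptr(begin), m_begin(begin), m_end(begin + count) { validate(); }

    BoundsCheckedPtr& operator+=(std::ptrdiff_t n) { m_ptr += n; validate(); return *this; }
    BoundsCheckedPtr& operator-=(std::ptrdiff_t n) { m_ptr -= n; validate(); return *this; }
    BoundsCheckedPtr& operator++() { return *this += 1; }
    BoundsCheckedPtr& operator--() { return *this -= 1; }
    BoundsCheckedPtr operator+(std::ptrdiff_t n) const { BoundsCheckedPtr r(*this); r += n; return r; }
    BoundsCheckedPtr operator-(std::ptrdiff_t n) const { BoundsCheckedPtr r(*this); r -= n; return r; }

    // The cursor may sit at one-past-the-end, but may only be dereferenced
    // strictly inside the range.
    T& operator*() const { assert(m_ptr < m_end); return *m_ptr; }
    T& operator[](std::ptrdiff_t i) const {
        T* p = m_ptr + i;
        assert(p >= m_begin && p < m_end);
        return *p;
    }
    T* get() const { return m_ptr; }

    // Elements left between the cursor and the end of the buffer.
    std::size_t remaining() const { return static_cast<std::size_t>(m_end - m_ptr); }

    // Appends a NUL-terminated string at the cursor (the strcat() helper in
    // the entry's file list suggests this use). The copy, terminator included,
    // must fit; the cursor is left on the terminator so the next append
    // overwrites it.
    void strcat(const char* s) {
        std::size_t len = std::strlen(s);
        assert(len + 1 <= remaining());
        std::memcpy(m_ptr, s, len + 1);
        m_ptr += len;
        validate();
    }

    // The invariant every mutation re-establishes: begin <= ptr <= end.
    void validate() const { assert(m_ptr >= m_begin && m_ptr <= m_end); }

private:
    T* m_ptr;
    T* m_begin;
    T* m_end;
};

// Bit flags standing in for a set of type predictions (constructed sample
// values, not JSC's PredictedType constants).
enum PredictionBit : unsigned {
    PredictInt32       = 1u << 0,
    PredictDouble      = 1u << 1,
    PredictBoolean     = 1u << 2,
    PredictString      = 1u << 3,
    PredictFinalObject = 1u << 4,
};

// Renders a prediction set as "Int32|String" into a caller-supplied scratch
// buffer, the kind of job predictionToString() does, with the bounds checks
// living in the pointer rather than in this function. Returns the text.
std::string describePrediction(unsigned bits, char* buffer, std::size_t bufferSize) {
    static const char* const names[] = { "Int32", "Double", "Boolean", "String", "FinalObject" };
    BoundsCheckedPtr<char> cursor(buffer, bufferSize);
    *cursor = '\0';                          // empty set renders as ""
    bool first = true;
    for (unsigned i = 0; i < 5; ++i) {
        if (!(bits & (1u << i)))
            continue;
        if (!first)
            cursor.strcat("|");
        cursor.strcat(names[i]);
        first = false;
    }
    return std::string(buffer);
}

int main() {
    char scratch[64];
    std::printf("%s\n", describePrediction(PredictInt32 | PredictString, scratch, sizeof scratch).c_str());
    return 0;
}
```

The point of the wrapper is that a scratch buffer overrun shows up as an assertion at the exact arithmetic step that left the range, rather than as silent memory corruption discovered later; with a plain `char*` each append would need its own length check. Dereference is deliberately stricter than movement: the cursor may rest at one-past-the-end (the usual iterator convention) but reading there is rejected.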
3304
3305 2011-09-14  Csaba Osztrogonác  <ossy@webkit.org>
3306
3307         [Qt] Win32 builds with threads turned off
3308         https://bugs.webkit.org/show_bug.cgi?id=67864
3309
3310         Reviewed by Geoffrey Garen.
3311
3312         * JavaScriptCore.pri: Link pthread library on Windows platform.
3313         * wtf/Platform.h: Enable multiple threads.
3314
3315 2011-09-14  Mark Hahnenberg  <mhahnenberg@apple.com>
3316
3317         Unzip initialization lists and constructors in JSCell hierarchy (6/7)
3318         https://bugs.webkit.org/show_bug.cgi?id=67692
3319
3320         Reviewed by Geoffrey Garen.
3321
3322         Completed the sixth level of the refactoring to add finishCreation() 
3323         methods to all classes within the JSCell hierarchy with non-trivial 
3324         constructor bodies.
3325
3326         This primarily consists of pushing the calls to finishCreation() down 
3327         into the constructors of the subclasses of the fifth level of the hierarchy 
3328         as well as pulling the finishCreation() calls out into the class's corresponding
3329         create() method if it has one.  Doing both simultaneously allows us to 
3330         maintain the invariant that the finishCreation() method chain is called exactly 
3331         once during the creation of an object, since calling it any other number of 
3332         times (0, 2, or more) will cause an assertion failure.
3333
3334         * API/JSCallbackFunction.cpp:
3335         (JSC::JSCallbackFunction::JSCallbackFunction):
3336         * API/JSCallbackFunction.h:
3337         (JSC::JSCallbackFunction::create):
3338         * jsc.cpp:
3339         (GlobalObject::create):
3340         (GlobalObject::GlobalObject):
3341         * runtime/ArrayConstructor.cpp:
3342         (JSC::ArrayConstructor::ArrayConstructor):
3343         * runtime/ArrayConstructor.h:
3344         (JSC::ArrayConstructor::create):
3345         * runtime/BooleanConstructor.cpp:
3346         (JSC::BooleanConstructor::BooleanConstructor):
3347         * runtime/BooleanConstructor.h:
3348         (JSC::BooleanConstructor::create):
3349         * runtime/BooleanPrototype.cpp:
3350         (JSC::BooleanPrototype::BooleanPrototype):
3351         * runtime/BooleanPrototype.h:
3352         (JSC::BooleanPrototype::create):
3353         * runtime/DateConstructor.cpp:
3354         (JSC::DateConstructor::DateConstructor):
3355         * runtime/DateConstructor.h:
3356         (JSC::DateConstructor::create):
3357         * runtime/DatePrototype.cpp:
3358         (JSC::DatePrototype::DatePrototype):
3359         * runtime/DatePrototype.h:
3360         (JSC::DatePrototype::create):
3361         * runtime/Error.cpp:
3362         (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
3363         (JSC::StrictModeTypeErrorFunction::create):
3364         * runtime/ErrorConstructor.cpp:
3365         (JSC::ErrorConstructor::ErrorConstructor):
3366         * runtime/ErrorConstructor.h:
3367         (JSC::ErrorConstructor::create):
3368         * runtime/FunctionConstructor.cpp:
3369         (JSC::FunctionConstructor::FunctionConstructor):
3370         * runtime/FunctionConstructor.h:
3371         (JSC::FunctionConstructor::create):
3372         * runtime/FunctionPrototype.cpp:
3373         (JSC::FunctionPrototype::FunctionPrototype):
3374         * runtime/FunctionPrototype.h:
3375         (JSC::FunctionPrototype::create):
3376         * runtime/NativeErrorConstructor.cpp:
3377         (JSC::NativeErrorConstructor::NativeErrorConstructor):
3378         * runtime/NativeErrorConstructor.h:
3379         (JSC::NativeErrorConstructor::create):
3380         * runtime/NativeErrorPrototype.cpp:
3381         (JSC::NativeErrorPrototype::NativeErrorPrototype):
3382         (JSC::NativeErrorPrototype::finishCreation):
3383         * runtime/NativeErrorPrototype.h:
3384         (JSC::NativeErrorPrototype::create):
3385         * runtime/NumberConstructor.cpp:
3386         (JSC::NumberConstructor::NumberConstructor):
3387         * runtime/NumberConstructor.h:
3388         (JSC::NumberConstructor::create):
3389         * runtime/NumberPrototype.cpp:
3390         (JSC::NumberPrototype::NumberPrototype):
3391         * runtime/NumberPrototype.h:
3392         (JSC::NumberPrototype::create):
3393         * runtime/ObjectConstructor.cpp:
3394         (JSC::ObjectConstructor::ObjectConstructor):
3395         * runtime/ObjectConstructor.h:
3396         (JSC::ObjectConstructor::create):
3397         * runtime/RegExpConstructor.cpp:
3398         (JSC::RegExpConstructor::RegExpConstructor):
3399         * runtime/RegExpConstructor.h:
3400         (JSC::RegExpConstructor::create):
3401         * runtime/RegExpPrototype.cpp:
3402         (JSC::RegExpPrototype::RegExpPrototype):
3403         * runtime/RegExpPrototype.h:
3404         (JSC::RegExpPrototype::create):
3405         * runtime/StringConstructor.cpp:
3406         (JSC::StringConstructor::StringConstructor):
3407         * runtime/StringConstructor.h:
3408         (JSC::StringConstructor::create):
3409         * runtime/StringObjectThatMasqueradesAsUndefined.h:
3410         (JSC::StringObjectThatMasqueradesAsUndefined::create):
3411         (JSC::StringObjectThatMasqueradesAsUndefined::StringObjectThatMasqueradesAsUndefined):
3412         * runtime/StringPrototype.cpp:
3413         (JSC::StringPrototype::StringPrototype):
3414         * runtime/StringPrototype.h:
3415         (JSC::StringPrototype::create):
3416
3417 2011-09-13  Eric Seidel  <eric@webkit.org>
3418
3419         Remove ENABLE_SVG_USE as <use> is required by HTML5
3420         https://bugs.webkit.org/show_bug.cgi?id=68019
3421
3422         Reviewed by Ryosuke Niwa.
3423
3424         * Configurations/FeatureDefines.xcconfig:
3425
3426 2011-09-14  Iain Merrick  <husky@google.com>
3427
3428         HashTraits.h should include template specialization for WTF::String
3429         https://bugs.webkit.org/show_bug.cgi?id=67851
3430
3431         Ensure that the template specialization for HashTraits<String> is always
3432         picked up. (Previously it was possible to include HashSet and String but
3433         not the correct HashTraits, so you would get an inefficient template
3434         instantiation.)
3435
3436         Reviewed by Darin Adler.
3437
3438         * wtf/HashTraits.h:
3439         * wtf/text/StringHash.h:
3440
3441 2011-09-13  Filip Pizlo  <fpizlo@apple.com>
3442
3443         SpeculativeJIT::shouldSpeculateInteger(NodeIndex, NodeIndex) should
3444         return false if either node can be double
3445         https://bugs.webkit.org/show_bug.cgi?id=67985
3446
3447         Reviewed by Geoffrey Garen.
3448         
3449         This is a 17% speed-up on 3d-cube.
3450         
3451         This required allowing us to check if a constant is double but not
3452         integer, and making the shouldSpeculateInteger() check test for
3453         any hints of doubly-ness in its operands. This also required
3454         changing some terminology: previously "isDouble" often meant
3455         "isDouble or isInt32".  Now "isDouble" means exactly what the name
3456         suggests, and "isNumber" means "isDouble or isInt32".
3457
3458         * dfg/DFGByteCodeParser.cpp:
3459         (JSC::DFG::ByteCodeParser::toNumber):
3460         (JSC::DFG::ByteCodeParser::parseBlock):
3461         * dfg/DFGGenerationInfo.h:
3462         (JSC::DFG::isJSFormat):
3463         (JSC::DFG::isJSInteger):
3464         (JSC::DFG::isJSDouble):
3465         (JSC::DFG::isJSCell):
3466         (JSC::DFG::isJSBoolean):
3467         (JSC::DFG::GenerationInfo::isJSFormat):
3468         (JSC::DFG::GenerationInfo::isJSInteger):
3469         (JSC::DFG::GenerationInfo::isJSDouble):
3470         (JSC::DFG::GenerationInfo::isJSCell):
3471         (JSC::DFG::GenerationInfo::isJSBoolean):
3472         * dfg/DFGGraph.h: