1 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
2
3         Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
4         https://bugs.webkit.org/show_bug.cgi?id=119770
5
6         Reviewed by Mark Hahnenberg.
7
8         * API/JSCallbackConstructor.cpp:
9         (JSC::JSCallbackConstructor::finishCreation):
10         * API/JSCallbackConstructor.h:
11         (JSC::JSCallbackConstructor::createStructure):
12         * API/JSCallbackFunction.cpp:
13         (JSC::JSCallbackFunction::finishCreation):
14         * API/JSCallbackFunction.h:
15         (JSC::JSCallbackFunction::createStructure):
16         * API/JSCallbackObject.cpp:
17         (JSC::::createStructure):
18         * API/JSCallbackObject.h:
19         (JSC::JSCallbackObject::visitChildren):
20         * API/JSCallbackObjectFunctions.h:
21         (JSC::::asCallbackObject):
22         (JSC::::finishCreation):
23         * API/JSObjectRef.cpp:
24         (JSObjectGetPrivate):
25         (JSObjectSetPrivate):
26         (JSObjectGetPrivateProperty):
27         (JSObjectSetPrivateProperty):
28         (JSObjectDeletePrivateProperty):
29         * API/JSValueRef.cpp:
30         (JSValueIsObjectOfClass):
31         * API/JSWeakObjectMapRefPrivate.cpp:
32         * API/ObjCCallbackFunction.h:
33         (JSC::ObjCCallbackFunction::createStructure):
34         * JSCTypedArrayStubs.h:
35         * bytecode/CallLinkStatus.cpp:
36         (JSC::CallLinkStatus::CallLinkStatus):
37         (JSC::CallLinkStatus::function):
38         (JSC::CallLinkStatus::internalFunction):
39         * bytecode/CodeBlock.h:
40         (JSC::baselineCodeBlockForInlineCallFrame):
41         * bytecode/SpeculatedType.cpp:
42         (JSC::speculationFromClassInfo):
43         * bytecode/UnlinkedCodeBlock.cpp:
44         (JSC::UnlinkedFunctionExecutable::visitChildren):
45         (JSC::UnlinkedCodeBlock::visitChildren):
46         (JSC::UnlinkedProgramCodeBlock::visitChildren):
47         * bytecode/UnlinkedCodeBlock.h:
48         (JSC::UnlinkedFunctionExecutable::createStructure):
49         (JSC::UnlinkedProgramCodeBlock::createStructure):
50         (JSC::UnlinkedEvalCodeBlock::createStructure):
51         (JSC::UnlinkedFunctionCodeBlock::createStructure):
52         * debugger/Debugger.cpp:
53         * debugger/DebuggerActivation.cpp:
54         (JSC::DebuggerActivation::visitChildren):
55         * debugger/DebuggerActivation.h:
56         (JSC::DebuggerActivation::createStructure):
57         * debugger/DebuggerCallFrame.cpp:
58         (JSC::DebuggerCallFrame::functionName):
59         * dfg/DFGAbstractInterpreterInlines.h:
60         (JSC::DFG::::executeEffects):
61         * dfg/DFGByteCodeParser.cpp:
62         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
63         (JSC::DFG::ByteCodeParser::parseBlock):
64         * dfg/DFGFixupPhase.cpp:
65         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
66         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
67         * dfg/DFGGraph.cpp:
68         (JSC::DFG::Graph::dump):
69         * dfg/DFGGraph.h:
70         (JSC::DFG::Graph::isInternalFunctionConstant):
71         * dfg/DFGOperations.cpp:
72         * dfg/DFGSpeculativeJIT.cpp:
73         (JSC::DFG::SpeculativeJIT::checkArray):
74         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
75         * dfg/DFGThunks.cpp:
76         (JSC::DFG::virtualForThunkGenerator):
77         * interpreter/Interpreter.cpp:
78         (JSC::loadVarargs):
79         * jsc.cpp:
80         (GlobalObject::createStructure):
81         * profiler/LegacyProfiler.cpp:
82         (JSC::LegacyProfiler::createCallIdentifier):
83         * runtime/Arguments.cpp:
84         (JSC::Arguments::visitChildren):
85         * runtime/Arguments.h:
86         (JSC::Arguments::createStructure):
87         (JSC::asArguments):
88         (JSC::Arguments::finishCreation):
89         * runtime/ArrayConstructor.cpp:
90         (JSC::arrayConstructorIsArray):
91         * runtime/ArrayConstructor.h:
92         (JSC::ArrayConstructor::createStructure):
93         * runtime/ArrayPrototype.cpp:
94         (JSC::ArrayPrototype::finishCreation):
95         (JSC::arrayProtoFuncConcat):
96         (JSC::attemptFastSort):
97         * runtime/ArrayPrototype.h:
98         (JSC::ArrayPrototype::createStructure):
99         * runtime/BooleanConstructor.h:
100         (JSC::BooleanConstructor::createStructure):
101         * runtime/BooleanObject.cpp:
102         (JSC::BooleanObject::finishCreation):
103         * runtime/BooleanObject.h:
104         (JSC::BooleanObject::createStructure):
105         (JSC::asBooleanObject):
106         * runtime/BooleanPrototype.cpp:
107         (JSC::BooleanPrototype::finishCreation):
108         (JSC::booleanProtoFuncToString):
109         (JSC::booleanProtoFuncValueOf):
110         * runtime/BooleanPrototype.h:
111         (JSC::BooleanPrototype::createStructure):
112         * runtime/DateConstructor.cpp:
113         (JSC::constructDate):
114         * runtime/DateConstructor.h:
115         (JSC::DateConstructor::createStructure):
116         * runtime/DateInstance.cpp:
117         (JSC::DateInstance::finishCreation):
118         * runtime/DateInstance.h:
119         (JSC::DateInstance::createStructure):
120         (JSC::asDateInstance):
121         * runtime/DatePrototype.cpp:
122         (JSC::formateDateInstance):
123         (JSC::DatePrototype::finishCreation):
124         (JSC::dateProtoFuncToISOString):
125         (JSC::dateProtoFuncToLocaleString):
126         (JSC::dateProtoFuncToLocaleDateString):
127         (JSC::dateProtoFuncToLocaleTimeString):
128         (JSC::dateProtoFuncGetTime):
129         (JSC::dateProtoFuncGetFullYear):
130         (JSC::dateProtoFuncGetUTCFullYear):
131         (JSC::dateProtoFuncGetMonth):
132         (JSC::dateProtoFuncGetUTCMonth):
133         (JSC::dateProtoFuncGetDate):
134         (JSC::dateProtoFuncGetUTCDate):
135         (JSC::dateProtoFuncGetDay):
136         (JSC::dateProtoFuncGetUTCDay):
137         (JSC::dateProtoFuncGetHours):
138         (JSC::dateProtoFuncGetUTCHours):
139         (JSC::dateProtoFuncGetMinutes):
140         (JSC::dateProtoFuncGetUTCMinutes):
141         (JSC::dateProtoFuncGetSeconds):
142         (JSC::dateProtoFuncGetUTCSeconds):
143         (JSC::dateProtoFuncGetMilliSeconds):
144         (JSC::dateProtoFuncGetUTCMilliseconds):
145         (JSC::dateProtoFuncGetTimezoneOffset):
146         (JSC::dateProtoFuncSetTime):
147         (JSC::setNewValueFromTimeArgs):
148         (JSC::setNewValueFromDateArgs):
149         (JSC::dateProtoFuncSetYear):
150         (JSC::dateProtoFuncGetYear):
151         * runtime/DatePrototype.h:
152         (JSC::DatePrototype::createStructure):
153         * runtime/Error.h:
154         (JSC::StrictModeTypeErrorFunction::createStructure):
155         * runtime/ErrorConstructor.h:
156         (JSC::ErrorConstructor::createStructure):
157         * runtime/ErrorInstance.cpp:
158         (JSC::ErrorInstance::finishCreation):
159         * runtime/ErrorInstance.h:
160         (JSC::ErrorInstance::createStructure):
161         * runtime/ErrorPrototype.cpp:
162         (JSC::ErrorPrototype::finishCreation):
163         * runtime/ErrorPrototype.h:
164         (JSC::ErrorPrototype::createStructure):
165         * runtime/ExceptionHelpers.cpp:
166         (JSC::isTerminatedExecutionException):
167         * runtime/ExceptionHelpers.h:
168         (JSC::TerminatedExecutionError::createStructure):
169         * runtime/Executable.cpp:
170         (JSC::EvalExecutable::visitChildren):
171         (JSC::ProgramExecutable::visitChildren):
172         (JSC::FunctionExecutable::visitChildren):
173         (JSC::ExecutableBase::hashFor):
174         * runtime/Executable.h:
175         (JSC::ExecutableBase::createStructure):
176         (JSC::NativeExecutable::createStructure):
177         (JSC::EvalExecutable::createStructure):
178         (JSC::ProgramExecutable::createStructure):
179         (JSC::FunctionExecutable::compileFor):
180         (JSC::FunctionExecutable::compileOptimizedFor):
181         (JSC::FunctionExecutable::createStructure):
182         * runtime/FunctionConstructor.h:
183         (JSC::FunctionConstructor::createStructure):
184         * runtime/FunctionPrototype.cpp:
185         (JSC::functionProtoFuncToString):
186         (JSC::functionProtoFuncApply):
187         (JSC::functionProtoFuncBind):
188         * runtime/FunctionPrototype.h:
189         (JSC::FunctionPrototype::createStructure):
190         * runtime/GetterSetter.cpp:
191         (JSC::GetterSetter::visitChildren):
192         * runtime/GetterSetter.h:
193         (JSC::GetterSetter::createStructure):
194         * runtime/InternalFunction.cpp:
195         (JSC::InternalFunction::finishCreation):
196         * runtime/InternalFunction.h:
197         (JSC::InternalFunction::createStructure):
198         (JSC::asInternalFunction):
199         * runtime/JSAPIValueWrapper.h:
200         (JSC::JSAPIValueWrapper::createStructure):
201         * runtime/JSActivation.cpp:
202         (JSC::JSActivation::visitChildren):
203         (JSC::JSActivation::argumentsGetter):
204         * runtime/JSActivation.h:
205         (JSC::JSActivation::createStructure):
206         (JSC::asActivation):
207         * runtime/JSArray.h:
208         (JSC::JSArray::createStructure):
209         (JSC::asArray):
210         (JSC::isJSArray):
211         * runtime/JSBoundFunction.cpp:
212         (JSC::JSBoundFunction::finishCreation):
213         (JSC::JSBoundFunction::visitChildren):
214         * runtime/JSBoundFunction.h:
215         (JSC::JSBoundFunction::createStructure):
216         * runtime/JSCJSValue.cpp:
217         (JSC::JSValue::dumpInContext):
218         * runtime/JSCJSValueInlines.h:
219         (JSC::JSValue::isFunction):
220         * runtime/JSCell.h:
221         (JSC::jsCast):
222         (JSC::jsDynamicCast):
223         * runtime/JSCellInlines.h:
224         (JSC::allocateCell):
225         * runtime/JSFunction.cpp:
226         (JSC::JSFunction::finishCreation):
227         (JSC::JSFunction::visitChildren):
228         (JSC::skipOverBoundFunctions):
229         (JSC::JSFunction::callerGetter):
230         * runtime/JSFunction.h:
231         (JSC::JSFunction::createStructure):
232         * runtime/JSGlobalObject.cpp:
233         (JSC::JSGlobalObject::visitChildren):
234         (JSC::slowValidateCell):
235         * runtime/JSGlobalObject.h:
236         (JSC::JSGlobalObject::createStructure):
237         * runtime/JSNameScope.cpp:
238         (JSC::JSNameScope::visitChildren):
239         * runtime/JSNameScope.h:
240         (JSC::JSNameScope::createStructure):
241         * runtime/JSNotAnObject.h:
242         (JSC::JSNotAnObject::createStructure):
243         * runtime/JSONObject.cpp:
244         (JSC::JSONObject::finishCreation):
245         (JSC::unwrapBoxedPrimitive):
246         (JSC::Stringifier::Stringifier):
247         (JSC::Stringifier::appendStringifiedValue):
248         (JSC::Stringifier::Holder::Holder):
249         (JSC::Walker::walk):
250         (JSC::JSONProtoFuncStringify):
251         * runtime/JSONObject.h:
252         (JSC::JSONObject::createStructure):
253         * runtime/JSObject.cpp:
254         (JSC::getCallableObjectSlow):
255         (JSC::JSObject::visitChildren):
256         (JSC::JSObject::copyBackingStore):
257         (JSC::JSFinalObject::visitChildren):
258         (JSC::JSObject::ensureInt32Slow):
259         (JSC::JSObject::ensureDoubleSlow):
260         (JSC::JSObject::ensureContiguousSlow):
261         (JSC::JSObject::ensureArrayStorageSlow):
262         * runtime/JSObject.h:
263         (JSC::JSObject::finishCreation):
264         (JSC::JSObject::createStructure):
265         (JSC::JSNonFinalObject::createStructure):
266         (JSC::JSFinalObject::createStructure):
267         (JSC::isJSFinalObject):
268         * runtime/JSPropertyNameIterator.cpp:
269         (JSC::JSPropertyNameIterator::visitChildren):
270         * runtime/JSPropertyNameIterator.h:
271         (JSC::JSPropertyNameIterator::createStructure):
272         * runtime/JSProxy.cpp:
273         (JSC::JSProxy::visitChildren):
274         * runtime/JSProxy.h:
275         (JSC::JSProxy::createStructure):
276         * runtime/JSScope.cpp:
277         (JSC::JSScope::visitChildren):
278         * runtime/JSSegmentedVariableObject.cpp:
279         (JSC::JSSegmentedVariableObject::visitChildren):
280         * runtime/JSString.h:
281         (JSC::JSString::createStructure):
282         (JSC::isJSString):
283         * runtime/JSSymbolTableObject.cpp:
284         (JSC::JSSymbolTableObject::visitChildren):
285         * runtime/JSVariableObject.h:
286         * runtime/JSWithScope.cpp:
287         (JSC::JSWithScope::visitChildren):
288         * runtime/JSWithScope.h:
289         (JSC::JSWithScope::createStructure):
290         * runtime/JSWrapperObject.cpp:
291         (JSC::JSWrapperObject::visitChildren):
292         * runtime/JSWrapperObject.h:
293         (JSC::JSWrapperObject::createStructure):
294         * runtime/MathObject.cpp:
295         (JSC::MathObject::finishCreation):
296         * runtime/MathObject.h:
297         (JSC::MathObject::createStructure):
298         * runtime/NameConstructor.h:
299         (JSC::NameConstructor::createStructure):
300         * runtime/NameInstance.h:
301         (JSC::NameInstance::createStructure):
302         (JSC::NameInstance::finishCreation):
303         * runtime/NamePrototype.cpp:
304         (JSC::NamePrototype::finishCreation):
305         (JSC::privateNameProtoFuncToString):
306         * runtime/NamePrototype.h:
307         (JSC::NamePrototype::createStructure):
308         * runtime/NativeErrorConstructor.cpp:
309         (JSC::NativeErrorConstructor::visitChildren):
310         * runtime/NativeErrorConstructor.h:
311         (JSC::NativeErrorConstructor::createStructure):
312         (JSC::NativeErrorConstructor::finishCreation):
313         * runtime/NumberConstructor.cpp:
314         (JSC::NumberConstructor::finishCreation):
315         * runtime/NumberConstructor.h:
316         (JSC::NumberConstructor::createStructure):
317         * runtime/NumberObject.cpp:
318         (JSC::NumberObject::finishCreation):
319         * runtime/NumberObject.h:
320         (JSC::NumberObject::createStructure):
321         * runtime/NumberPrototype.cpp:
322         (JSC::NumberPrototype::finishCreation):
323         * runtime/NumberPrototype.h:
324         (JSC::NumberPrototype::createStructure):
325         * runtime/ObjectConstructor.h:
326         (JSC::ObjectConstructor::createStructure):
327         * runtime/ObjectPrototype.cpp:
328         (JSC::ObjectPrototype::finishCreation):
329         * runtime/ObjectPrototype.h:
330         (JSC::ObjectPrototype::createStructure):
331         * runtime/PropertyMapHashTable.h:
332         (JSC::PropertyTable::createStructure):
333         * runtime/PropertyTable.cpp:
334         (JSC::PropertyTable::visitChildren):
335         * runtime/RegExp.h:
336         (JSC::RegExp::createStructure):
337         * runtime/RegExpConstructor.cpp:
338         (JSC::RegExpConstructor::finishCreation):
339         (JSC::RegExpConstructor::visitChildren):
340         (JSC::constructRegExp):
341         * runtime/RegExpConstructor.h:
342         (JSC::RegExpConstructor::createStructure):
343         (JSC::asRegExpConstructor):
344         * runtime/RegExpMatchesArray.cpp:
345         (JSC::RegExpMatchesArray::visitChildren):
346         * runtime/RegExpMatchesArray.h:
347         (JSC::RegExpMatchesArray::createStructure):
348         * runtime/RegExpObject.cpp:
349         (JSC::RegExpObject::finishCreation):
350         (JSC::RegExpObject::visitChildren):
351         * runtime/RegExpObject.h:
352         (JSC::RegExpObject::createStructure):
353         (JSC::asRegExpObject):
354         * runtime/RegExpPrototype.cpp:
355         (JSC::regExpProtoFuncTest):
356         (JSC::regExpProtoFuncExec):
357         (JSC::regExpProtoFuncCompile):
358         (JSC::regExpProtoFuncToString):
359         * runtime/RegExpPrototype.h:
360         (JSC::RegExpPrototype::createStructure):
361         * runtime/SparseArrayValueMap.cpp:
362         (JSC::SparseArrayValueMap::createStructure):
363         * runtime/SparseArrayValueMap.h:
364         * runtime/StrictEvalActivation.h:
365         (JSC::StrictEvalActivation::createStructure):
366         * runtime/StringConstructor.h:
367         (JSC::StringConstructor::createStructure):
368         * runtime/StringObject.cpp:
369         (JSC::StringObject::finishCreation):
370         * runtime/StringObject.h:
371         (JSC::StringObject::createStructure):
372         (JSC::asStringObject):
373         * runtime/StringPrototype.cpp:
374         (JSC::StringPrototype::finishCreation):
375         (JSC::stringProtoFuncReplace):
376         (JSC::stringProtoFuncToString):
377         (JSC::stringProtoFuncMatch):
378         (JSC::stringProtoFuncSearch):
379         (JSC::stringProtoFuncSplit):
380         * runtime/StringPrototype.h:
381         (JSC::StringPrototype::createStructure):
382         * runtime/Structure.cpp:
383         (JSC::Structure::Structure):
384         (JSC::Structure::materializePropertyMap):
385         (JSC::Structure::get):
386         (JSC::Structure::visitChildren):
387         * runtime/Structure.h:
388         (JSC::Structure::typeInfo):
389         (JSC::Structure::previousID):
390         (JSC::Structure::outOfLineSize):
391         (JSC::Structure::totalStorageCapacity):
392         (JSC::Structure::materializePropertyMapIfNecessary):
393         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
394         * runtime/StructureChain.cpp:
395         (JSC::StructureChain::visitChildren):
396         * runtime/StructureChain.h:
397         (JSC::StructureChain::createStructure):
398         * runtime/StructureInlines.h:
399         (JSC::Structure::get):
400         * runtime/StructureRareData.cpp:
401         (JSC::StructureRareData::createStructure):
402         (JSC::StructureRareData::visitChildren):
403         * runtime/StructureRareData.h:
404         * runtime/SymbolTable.h:
405         (JSC::SharedSymbolTable::createStructure):
406         * runtime/VM.cpp:
407         (JSC::VM::VM):
408         (JSC::StackPreservingRecompiler::operator()):
409         (JSC::VM::releaseExecutableMemory):
410         * runtime/WriteBarrier.h:
411         (JSC::validateCell):
412         * testRegExp.cpp:
413         (GlobalObject::createStructure):
414
415 2013-08-13  Arunprasad Rajkumar  <arurajku@cisco.com>
416
417         [WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places
418         https://bugs.webkit.org/show_bug.cgi?id=119762
419
420         Reviewed by Geoffrey Garen.
421
422         * heap/Heap.cpp:
423         (JSC::Heap::Heap):
424         (JSC::Heap::markRoots):
425         (JSC::Heap::collect):
426         * jsc.cpp:
427         (StopWatch::start):
428         (StopWatch::stop):
429         * testRegExp.cpp:
430         (StopWatch::start):
431         (StopWatch::stop):
432
433 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
434
435         [sh4] Prepare LLINT for DFG_JIT implementation.
436         https://bugs.webkit.org/show_bug.cgi?id=119755
437
438         Reviewed by Oliver Hunt.
439
440         * LLIntOffsetsExtractor.pro: Add sh4.rb dependency.
441         * offlineasm/sh4.rb:
442             - Handle storeb opcode.
443             - Make relative jumps when possible using braf opcode.
444             - Update bmulio implementation to be consistent with baseline JIT.
445             - Remove useless code from leap opcode.
446             - Fix incorrect comment.
447
448 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
449
450         [sh4] Prepare baseline JIT for DFG_JIT implementation.
451         https://bugs.webkit.org/show_bug.cgi?id=119758
452
453         Reviewed by Oliver Hunt.
454
455         * assembler/MacroAssemblerSH4.h:
456             - Introduce a loadEffectiveAddress function to avoid code duplication.
457             - Add ASSERTs and clean code.
458         * assembler/SH4Assembler.h:
459             - Prepare DFG_JIT implementation.
460             - Add ASSERTs.
461         * jit/JITStubs.cpp:
462             - Add SH4 specific call for assertions.
463         * jit/JITStubs.h:
464             - Cosmetic change.
465         * jit/JITStubsSH4.h:
466             - Use constants to be more flexible with sh4 JIT stack frame.
467         * jit/JSInterfaceJIT.h:
468             - Cosmetic change.
469
470 2013-08-13  Oliver Hunt  <oliver@apple.com>
471
472         Harden executeConstruct against incorrect return types from host functions
473         https://bugs.webkit.org/show_bug.cgi?id=119757
474
475         Reviewed by Mark Hahnenberg.
476
477         Add logic to guard against bogus return types.  There doesn't seem to be any
478         class in webkit that does this wrong, but the typed array stubs in debug JSC
479         do exhibit this bad behaviour.
480
481         * interpreter/Interpreter.cpp:
482         (JSC::Interpreter::executeConstruct):
483
484 2013-08-13  Allan Sandfeld Jensen  <allan.jensen@digia.com>
485
486         [Qt] Fix C++11 build with gcc 4.4 and 4.5
487         https://bugs.webkit.org/show_bug.cgi?id=119736
488
489         Reviewed by Anders Carlsson.
490
491         Don't force C++11 mode off anymore.
492
493         * Target.pri:
494
495 2013-08-12  Oliver Hunt  <oliver@apple.com>
496
497         Remove CodeBlock's notion of adding identifiers entirely
498         https://bugs.webkit.org/show_bug.cgi?id=119708
499
500         Reviewed by Geoffrey Garen.
501
502         Remove addAdditionalIdentifier entirely, including the bogus assertion.
503         Move the addition of identifiers to DFGPlan::reallyAdd.
504
505         * bytecode/CodeBlock.h:
506         * dfg/DFGDesiredIdentifiers.cpp:
507         (JSC::DFG::DesiredIdentifiers::reallyAdd):
508         * dfg/DFGDesiredIdentifiers.h:
509         * dfg/DFGPlan.cpp:
510         (JSC::DFG::Plan::reallyAdd):
511         (JSC::DFG::Plan::finalize):
512         * dfg/DFGPlan.h:
513
514 2013-08-12  Oliver Hunt  <oliver@apple.com>
515
516         Build fix
517
518         * runtime/JSCell.h:
519
520 2013-08-12  Oliver Hunt  <oliver@apple.com>
521
522         Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them
523         https://bugs.webkit.org/show_bug.cgi?id=119705
524
525         Reviewed by Geoffrey Garen.
526
527         Relatively trivial refactoring
528
529         * bytecode/CodeBlock.h:
530         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
531         (JSC::CodeBlock::addAdditionalIdentifier):
532         (JSC::CodeBlock::identifier):
533         (JSC::CodeBlock::numberOfIdentifiers):
534         * dfg/DFGCommonData.h:
535
536 2013-08-12  Oliver Hunt  <oliver@apple.com>
537
538         Stop making unnecessary copy of CodeBlock Identifier Vector
539         https://bugs.webkit.org/show_bug.cgi?id=119702
540
541         Reviewed by Michael Saboff.
542
543         Make CodeBlock simply use a separate Vector for additional Identifiers
544         and use the UnlinkedCodeBlock for the initial set of identifiers.
545
546         * bytecode/CodeBlock.cpp:
547         (JSC::CodeBlock::printGetByIdOp):
548         (JSC::dumpStructure):
549         (JSC::dumpChain):
550         (JSC::CodeBlock::printGetByIdCacheStatus):
551         (JSC::CodeBlock::printPutByIdOp):
552         (JSC::CodeBlock::dumpBytecode):
553         (JSC::CodeBlock::CodeBlock):
554         (JSC::CodeBlock::shrinkToFit):
555         * bytecode/CodeBlock.h:
556         (JSC::CodeBlock::numberOfIdentifiers):
557         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
558         (JSC::CodeBlock::addAdditionalIdentifier):
559         (JSC::CodeBlock::identifier):
560         * dfg/DFGDesiredIdentifiers.cpp:
561         (JSC::DFG::DesiredIdentifiers::reallyAdd):
562         * jit/JIT.h:
563         * jit/JITOpcodes.cpp:
564         (JSC::JIT::emitSlow_op_get_arguments_length):
565         * jit/JITPropertyAccess.cpp:
566         (JSC::JIT::emit_op_get_by_id):
567         (JSC::JIT::compileGetByIdHotPath):
568         (JSC::JIT::emitSlow_op_get_by_id):
569         (JSC::JIT::compileGetByIdSlowCase):
570         (JSC::JIT::emitSlow_op_put_by_id):
571         * jit/JITPropertyAccess32_64.cpp:
572         (JSC::JIT::emit_op_get_by_id):
573         (JSC::JIT::compileGetByIdHotPath):
574         (JSC::JIT::compileGetByIdSlowCase):
575         * jit/JITStubs.cpp:
576         (JSC::DEFINE_STUB_FUNCTION):
577         * llint/LLIntSlowPaths.cpp:
578         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
579
580 2013-08-08  Mark Lam  <mark.lam@apple.com>
581
582         Restoring use of StackIterator instead of Interpreter::getStackTrace().
583         https://bugs.webkit.org/show_bug.cgi?id=119575.
584
585         Reviewed by Oliver Hunt.
586
587         * interpreter/Interpreter.h:
588         - Made getStackTrace() private.
589         * interpreter/StackIterator.cpp:
590         (JSC::StackIterator::StackIterator):
591         (JSC::StackIterator::numberOfFrames):
592         - Computes the number of frames by iterating through the whole stack
593           from the starting frame. The iterator saves its current frame
594           position before counting the frames, and restores it after
595           the counting.
596         (JSC::StackIterator::gotoFrameAtIndex):
597         (JSC::StackIterator::gotoNextFrame):
598         (JSC::StackIterator::resetIterator):
599         - Points the iterator to the starting frame.
600         * interpreter/StackIteratorPrivate.h:
601
602 2013-08-08  Mark Lam  <mark.lam@apple.com>
603
604         Moved ErrorConstructor and NativeErrorConstructor helper functions into
605         the Interpreter class.
606         https://bugs.webkit.org/show_bug.cgi?id=119576.
607
608         Reviewed by Oliver Hunt.
609
610         This change is needed to prepare for making Interpreter::getStackTrace()
611         private. It does not change the behavior of the code, only the lexical
612         scoping.
613
614         * interpreter/Interpreter.h:
615         - Added helper functions for ErrorConstructor and NativeErrorConstructor.
616         * runtime/ErrorConstructor.cpp:
617         (JSC::Interpreter::constructWithErrorConstructor):
618         (JSC::ErrorConstructor::getConstructData):
619         (JSC::Interpreter::callErrorConstructor):
620         (JSC::ErrorConstructor::getCallData):
621         - Don't want ErrorConstructor to call Interpreter::getStackTrace()
622           directly. So, we moved the helper functions into the Interpreter
623           class.
624         * runtime/NativeErrorConstructor.cpp:
625         (JSC::Interpreter::constructWithNativeErrorConstructor):
626         (JSC::NativeErrorConstructor::getConstructData):
627         (JSC::Interpreter::callNativeErrorConstructor):
628         (JSC::NativeErrorConstructor::getCallData):
629         - Don't want NativeErrorConstructor to call Interpreter::getStackTrace()
630           directly. So, we moved the helper functions into the Interpreter
631           class.
632
633 2013-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>
634
635         32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state
636         https://bugs.webkit.org/show_bug.cgi?id=119555
637
638         Reviewed by Geoffrey Garen.
639
640         It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does.
641         This was causing crashes on maps.google.com in 32-bit debug builds.
642
643         * dfg/DFGSpeculativeJIT32_64.cpp:
644         (JSC::DFG::SpeculativeJIT::compile):
645
646 2013-08-06  Michael Saboff  <msaboff@apple.com>
647
648         REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT
649         https://bugs.webkit.org/show_bug.cgi?id=119405
650
651         Reviewed by Geoffrey Garen.
652
653         * dfg/DFGSpeculativeJIT.cpp:
654         (JSC::DFG::SpeculativeJIT::compileGetByValOnString): For X86 32 bit, construct an indexed address
655         ourselves to save a register and then load from it.
656
657 2013-08-06  Filip Pizlo  <fpizlo@apple.com>
658
659         DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants
660         https://bugs.webkit.org/show_bug.cgi?id=119528
661
662         Reviewed by Geoffrey Garen.
663
664         Either of the two fixes would solve the crash I saw. Basically, for best performance, we want the DFG register allocator to track double uses and non-double
665         uses of a node separately, and we accomplish this by inserting Int32ToDouble nodes in the FixupPhase. But even if FixupPhase fails to do this, we still want
666         the DFG register allocator to do the right thing: if it encounters a double use of an integer, it should perform a conversion and preserve the original
667         format of the value (namely, that it was an integer). For constants, the best format to preserve is None, so that future integer uses rematerialize the int
668         from scratch. This only affects the 64-bit backend; the 32-bit backend was already doing the right thing.
669
670         This also fixes some more debug dumping code, and adds some stronger assertions for integer arrays.
671
672         * bytecode/CodeBlock.cpp:
673         (JSC::CodeBlock::finalizeUnconditionally):
674         * dfg/DFGDriver.cpp:
675         (JSC::DFG::compile):
676         * dfg/DFGFixupPhase.cpp:
677         (JSC::DFG::FixupPhase::fixupNode):
678         * dfg/DFGGraph.cpp:
679         (JSC::DFG::Graph::dump):
680         * dfg/DFGSpeculativeJIT64.cpp:
681         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
682         * runtime/JSObject.h:
683         (JSC::JSObject::getIndexQuickly):
684         (JSC::JSObject::tryGetIndexQuickly):
685
686 2013-08-08  Stephanie Lewis  <slewis@apple.com>
687
688         <rdar://problem/14680524> REGRESSION(153806): Crash @ yahoo.com when WebKit is built with a .order file
689
690         Unreviewed.
691
692         Ensure llint symbols are in source order.
693
694         * JavaScriptCore.order:
695
696 2013-08-06  Mark Lam  <mark.lam@apple.com>
697
698         Assertion failure in emitExpressionInfo when reloading with Web Inspector open.
699         https://bugs.webkit.org/show_bug.cgi?id=119532.
700
701         Reviewed by Oliver Hunt.
702
703         * parser/Parser.cpp:
704         (JSC::::Parser):
705         - Just need to initialize the Parser's JSTokenLocation's initial line and
706           startOffset as well during Parser construction.
707
708 2013-08-06  Stephanie Lewis  <slewis@apple.com>
709
710         Update Order Files for Safari
711         <rdar://problem/14517392>
712
713         Unreviewed.
714
715         * JavaScriptCore.order:
716
717 2013-08-04  Sam Weinig  <sam@webkit.org>
718
719         Remove support for HTML5 MicroData
720         https://bugs.webkit.org/show_bug.cgi?id=119480
721
722         Reviewed by Anders Carlsson.
723
724         * Configurations/FeatureDefines.xcconfig:
725
726 2013-08-05  Oliver Hunt  <oliver@apple.com>
727
728         Delay Arguments creation in strict mode
729         https://bugs.webkit.org/show_bug.cgi?id=119505
730
731         Reviewed by Geoffrey Garen.
732
733         Make use of the write tracking performed by the parser to
734         allow us to know if we're modifying the parameters to a function.
735         Then use that information to make strict mode functions opt out
736         of eager arguments creation.
737
738         * bytecompiler/BytecodeGenerator.cpp:
739         (JSC::BytecodeGenerator::BytecodeGenerator):
740         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
741         (JSC::BytecodeGenerator::emitReturn):
742         * bytecompiler/BytecodeGenerator.h:
743         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly):
744         * parser/Nodes.h:
745         (JSC::ScopeNode::modifiesParameter):
746         * parser/Parser.cpp:
747         (JSC::::parseInner):
748         * parser/Parser.h:
749         (JSC::Scope::declareParameter):
750         (JSC::Scope::getCapturedVariables):
751         (JSC::Parser::declareWrite):
752         * parser/ParserModes.h:
753
754 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
755
756         Remove useless code from COMPILER(RVCT) JITStubs
757         https://bugs.webkit.org/show_bug.cgi?id=119521
758
759         Reviewed by Geoffrey Garen.
760
761         * jit/JITStubsARMv7.h:
762         (JSC::ctiVMThrowTrampoline): "ldr r6, [sp, #PRESERVED_R6_OFFSET]" was called twice.
763         (JSC::ctiOpThrowNotCaught): Ditto.
764
765 2013-07-23  David Farler  <dfarler@apple.com>
766
767         Provide optional OTHER_CFLAGS, OTHER_CPPFLAGS, OTHER_LDFLAGS additions for building with ASAN
768         https://bugs.webkit.org/show_bug.cgi?id=117762
769
770         Reviewed by Mark Rowe.
771
772         * Configurations/DebugRelease.xcconfig:
773         Add ASAN_OTHER_CFLAGS, CPLUSPLUSFLAGS, LDFLAGS.
774         * Configurations/JavaScriptCore.xcconfig:
775         Add ASAN_OTHER_LDFLAGS.
776         * Configurations/ToolExecutable.xcconfig:
777         Don't use ASAN for build tools.
778
779 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
780
781         Build fix for ARM MSVC after r153222 and r153648.
782
783         * jit/JITStubsARM.h: Added ctiVMThrowTrampolineSlowpath.
784
785 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
786
787         Build fix for ARM MSVC after r150109.
788
789         Read the stub template from a header files instead of the JITStubs.cpp.
790
791         * CMakeLists.txt:
792         * DerivedSources.pri:
793         * create_jit_stubs:
794
795 2013-08-05  Oliver Hunt  <oliver@apple.com>
796
797         Move TypedArray implementation into JSC
798         https://bugs.webkit.org/show_bug.cgi?id=119489
799
800         Reviewed by Filip Pizlo.
801
802         Move TypedArray implementation into JSC in advance of re-implementation
803
804         * GNUmakefile.list.am:
805         * JSCTypedArrayStubs.h:
806         * JavaScriptCore.xcodeproj/project.pbxproj:
807         * runtime/ArrayBuffer.cpp: Renamed from Source/WTF/wtf/ArrayBuffer.cpp.
808         (JSC::ArrayBuffer::transfer):
809         (JSC::ArrayBuffer::addView):
810         (JSC::ArrayBuffer::removeView):
811         * runtime/ArrayBuffer.h: Renamed from Source/WTF/wtf/ArrayBuffer.h.
812         (JSC::ArrayBufferContents::ArrayBufferContents):
813         (JSC::ArrayBufferContents::data):
814         (JSC::ArrayBufferContents::sizeInBytes):
815         (JSC::ArrayBufferContents::transfer):
816         (JSC::ArrayBufferContents::copyTo):
817         (JSC::ArrayBuffer::isNeutered):
818         (JSC::ArrayBuffer::~ArrayBuffer):
819         (JSC::ArrayBuffer::clampValue):
820         (JSC::ArrayBuffer::create):
821         (JSC::ArrayBuffer::createUninitialized):
822         (JSC::ArrayBuffer::ArrayBuffer):
823         (JSC::ArrayBuffer::data):
824         (JSC::ArrayBuffer::byteLength):
825         (JSC::ArrayBuffer::slice):
826         (JSC::ArrayBuffer::sliceImpl):
827         (JSC::ArrayBuffer::clampIndex):
828         (JSC::ArrayBufferContents::tryAllocate):
829         (JSC::ArrayBufferContents::~ArrayBufferContents):
830         * runtime/ArrayBufferView.cpp: Renamed from Source/WTF/wtf/ArrayBufferView.cpp.
831         (JSC::ArrayBufferView::ArrayBufferView):
832         (JSC::ArrayBufferView::~ArrayBufferView):
833         (JSC::ArrayBufferView::neuter):
834         * runtime/ArrayBufferView.h: Renamed from Source/WTF/wtf/ArrayBufferView.h.
835         (JSC::ArrayBufferView::buffer):
836         (JSC::ArrayBufferView::baseAddress):
837         (JSC::ArrayBufferView::byteOffset):
838         (JSC::ArrayBufferView::setNeuterable):
839         (JSC::ArrayBufferView::isNeuterable):
840         (JSC::ArrayBufferView::verifySubRange):
841         (JSC::ArrayBufferView::clampOffsetAndNumElements):
842         (JSC::ArrayBufferView::setImpl):
843         (JSC::ArrayBufferView::setRangeImpl):
844         (JSC::ArrayBufferView::zeroRangeImpl):
845         (JSC::ArrayBufferView::calculateOffsetAndLength):
846         * runtime/Float32Array.h: Renamed from Source/WTF/wtf/Float32Array.h.
847         (JSC::Float32Array::set):
848         (JSC::Float32Array::getType):
849         (JSC::Float32Array::create):
850         (JSC::Float32Array::createUninitialized):
851         (JSC::Float32Array::Float32Array):
852         (JSC::Float32Array::subarray):
853         * runtime/Float64Array.h: Renamed from Source/WTF/wtf/Float64Array.h.
854         (JSC::Float64Array::set):
855         (JSC::Float64Array::getType):
856         (JSC::Float64Array::create):
857         (JSC::Float64Array::createUninitialized):
858         (JSC::Float64Array::Float64Array):
859         (JSC::Float64Array::subarray):
860         * runtime/Int16Array.h: Renamed from Source/WTF/wtf/Int16Array.h.
861         (JSC::Int16Array::getType):
862         (JSC::Int16Array::create):
863         (JSC::Int16Array::createUninitialized):
864         (JSC::Int16Array::Int16Array):
865         (JSC::Int16Array::subarray):
866         * runtime/Int32Array.h: Renamed from Source/WTF/wtf/Int32Array.h.
867         (JSC::Int32Array::getType):
868         (JSC::Int32Array::create):
869         (JSC::Int32Array::createUninitialized):
870         (JSC::Int32Array::Int32Array):
871         (JSC::Int32Array::subarray):
872         * runtime/Int8Array.h: Renamed from Source/WTF/wtf/Int8Array.h.
873         (JSC::Int8Array::getType):
874         (JSC::Int8Array::create):
875         (JSC::Int8Array::createUninitialized):
876         (JSC::Int8Array::Int8Array):
877         (JSC::Int8Array::subarray):
878         * runtime/IntegralTypedArrayBase.h: Renamed from Source/WTF/wtf/IntegralTypedArrayBase.h.
879         (JSC::IntegralTypedArrayBase::set):
880         (JSC::IntegralTypedArrayBase::IntegralTypedArrayBase):
881         * runtime/TypedArrayBase.h: Renamed from Source/WTF/wtf/TypedArrayBase.h.
882         (JSC::TypedArrayBase::data):
883         (JSC::TypedArrayBase::set):
884         (JSC::TypedArrayBase::setRange):
885         (JSC::TypedArrayBase::zeroRange):
886         (JSC::TypedArrayBase::length):
887         (JSC::TypedArrayBase::byteLength):
888         (JSC::TypedArrayBase::item):
889         (JSC::TypedArrayBase::checkInboundData):
890         (JSC::TypedArrayBase::TypedArrayBase):
891         (JSC::TypedArrayBase::create):
892         (JSC::TypedArrayBase::createUninitialized):
893         (JSC::TypedArrayBase::subarrayImpl):
894         (JSC::TypedArrayBase::neuter):
895         * runtime/Uint16Array.h: Renamed from Source/WTF/wtf/Uint16Array.h.
896         (JSC::Uint16Array::getType):
897         (JSC::Uint16Array::create):
898         (JSC::Uint16Array::createUninitialized):
899         (JSC::Uint16Array::Uint16Array):
900         (JSC::Uint16Array::subarray):
901         * runtime/Uint32Array.h: Renamed from Source/WTF/wtf/Uint32Array.h.
902         (JSC::Uint32Array::getType):
903         (JSC::Uint32Array::create):
904         (JSC::Uint32Array::createUninitialized):
905         (JSC::Uint32Array::Uint32Array):
906         (JSC::Uint32Array::subarray):
907         * runtime/Uint8Array.h: Renamed from Source/WTF/wtf/Uint8Array.h.
908         (JSC::Uint8Array::getType):
909         (JSC::Uint8Array::create):
910         (JSC::Uint8Array::createUninitialized):
911         (JSC::Uint8Array::Uint8Array):
912         (JSC::Uint8Array::subarray):
913         * runtime/Uint8ClampedArray.h: Renamed from Source/WTF/wtf/Uint8ClampedArray.h.
914         (JSC::Uint8ClampedArray::getType):
915         (JSC::Uint8ClampedArray::create):
916         (JSC::Uint8ClampedArray::createUninitialized):
917         (JSC::Uint8ClampedArray::zeroFill):
918         (JSC::Uint8ClampedArray::set):
919         (JSC::Uint8ClampedArray::Uint8ClampedArray):
920         (JSC::Uint8ClampedArray::subarray):
921         * runtime/VM.h:
922
923 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
924
925         Copied space should be able to handle more than one copied backing store per JSCell
926         https://bugs.webkit.org/show_bug.cgi?id=119471
927
928         Reviewed by Mark Hahnenberg.
929         
930         This allows a cell to call copyLater() multiple times for multiple different
931         backing stores, and then have copyBackingStore() called exactly once for each
932         of those. A token tells it which backing store to copy. All backing stores
933         must be named using the CopyToken, an enumeration which currently cannot
934         exceed eight entries.
935         
936         When copyBackingStore() is called, it's up to the callee to (a) use the token
937         to decide what to copy and (b) call its base class's copyBackingStore() in
938         case the base class had something that needed copying. The only exception is
939         that JSCell never asks anything to be copied, and so if your base is JSCell
940         then you don't have to do anything.
941
942         * GNUmakefile.list.am:
943         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
944         * JavaScriptCore.xcodeproj/project.pbxproj:
945         * heap/CopiedBlock.h:
946         * heap/CopiedBlockInlines.h:
947         (JSC::CopiedBlock::reportLiveBytes):
948         * heap/CopyToken.h: Added.
949         * heap/CopyVisitor.cpp:
950         (JSC::CopyVisitor::copyFromShared):
951         * heap/CopyVisitor.h:
952         * heap/CopyVisitorInlines.h:
953         (JSC::CopyVisitor::visitItem):
954         * heap/CopyWorkList.h:
955         (JSC::CopyWorklistItem::CopyWorklistItem):
956         (JSC::CopyWorklistItem::cell):
957         (JSC::CopyWorklistItem::token):
958         (JSC::CopyWorkListSegment::get):
959         (JSC::CopyWorkListSegment::append):
960         (JSC::CopyWorkListSegment::data):
961         (JSC::CopyWorkListIterator::get):
962         (JSC::CopyWorkListIterator::operator*):
963         (JSC::CopyWorkListIterator::operator->):
964         (JSC::CopyWorkList::append):
965         * heap/SlotVisitor.h:
966         * heap/SlotVisitorInlines.h:
967         (JSC::SlotVisitor::copyLater):
968         * runtime/ClassInfo.h:
969         * runtime/JSCell.cpp:
970         (JSC::JSCell::copyBackingStore):
971         * runtime/JSCell.h:
972         * runtime/JSObject.cpp:
973         (JSC::JSObject::visitButterfly):
974         (JSC::JSObject::copyBackingStore):
975         * runtime/JSObject.h:
976
977 2013-08-05  Zan Dobersek  <zdobersek@igalia.com>
978
979         [Automake] Define ENABLE_JIT through the Autoconf header
980         https://bugs.webkit.org/show_bug.cgi?id=119445
981
982         Reviewed by Martin Robinson.
983
984         * GNUmakefile.am: Remove JSC_CPPFLAGS from the cpp flags for the JSC library.
985
986 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
987
988         hasIndexingHeader() ought really to be a property of an object and its structure, not just its structure
989         https://bugs.webkit.org/show_bug.cgi?id=119470
990
991         Reviewed by Oliver Hunt.
992         
993         Structure can still tell you if the object "could" (in the conservative sense)
994         have an indexing header; that's used by the compiler.
995         
996         Most of the time if you want to know if there's an indexing header, you ask the
997         JSObject.
998         
999         In some cases, the JSObject wants to know if it would have an indexing header if
1000         it had a different structure; then it uses Structure::hasIndexingHeader(JSCell*).
1001
1002         * dfg/DFGRepatch.cpp:
1003         (JSC::DFG::tryCachePutByID):
1004         (JSC::DFG::tryBuildPutByIdList):
1005         * dfg/DFGSpeculativeJIT.cpp:
1006         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1007         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1008         * runtime/ButterflyInlines.h:
1009         (JSC::Butterfly::create):
1010         (JSC::Butterfly::growPropertyStorage):
1011         (JSC::Butterfly::growArrayRight):
1012         (JSC::Butterfly::resizeArray):
1013         * runtime/JSObject.cpp:
1014         (JSC::JSObject::copyButterfly):
1015         (JSC::JSObject::visitButterfly):
1016         * runtime/JSObject.h:
1017         (JSC::JSObject::hasIndexingHeader):
1018         (JSC::JSObject::setButterfly):
1019         * runtime/Structure.h:
1020         (JSC::Structure::couldHaveIndexingHeader):
1021         (JSC::Structure::hasIndexingHeader):
1022
1023 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
1024
1025         Give the error object's stack property accessor attributes.
1026         https://bugs.webkit.org/show_bug.cgi?id=119404
1027
1028         Reviewed by Geoffrey Garen.
1029         
1030         Changed the attributes of the error object's stack property to allow developers to write
1031         and delete the stack property. This matches the functionality of Chrome. Firefox
1032         allows developers to write the error's stack, but not delete it.
1033
1034         * interpreter/Interpreter.cpp:
1035         (JSC::Interpreter::addStackTraceIfNecessary):
1036         * runtime/ErrorInstance.cpp:
1037         (JSC::ErrorInstance::finishCreation):
1038
1039 2013-08-02  Oliver Hunt  <oliver@apple.com>
1040
1041         Incorrect type speculation reported by ToPrimitive
1042         https://bugs.webkit.org/show_bug.cgi?id=119458
1043
1044         Reviewed by Mark Hahnenberg.
1045
1046         Make sure that we report the correct type possibilities for the output
1047         from ToPrimitive
1048
1049         * dfg/DFGAbstractInterpreterInlines.h:
1050         (JSC::DFG::::executeEffects):
1051
1052 2013-08-02  Gavin Barraclough  <barraclough@apple.com>
1053
1054         Remove no-arguments constructor to PropertySlot
1055         https://bugs.webkit.org/show_bug.cgi?id=119460
1056
1057         Reviewed by Geoff Garen.
1058
1059         This constructor was unsafe if getValue is subsequently called,
1060         and the property is a getter. Simplest to just remove it.
1061
1062         * runtime/Arguments.cpp:
1063         (JSC::Arguments::defineOwnProperty):
1064         * runtime/JSActivation.cpp:
1065         (JSC::JSActivation::getOwnPropertyDescriptor):
1066         * runtime/JSFunction.cpp:
1067         (JSC::JSFunction::getOwnPropertyDescriptor):
1068         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1069         (JSC::JSFunction::put):
1070         (JSC::JSFunction::defineOwnProperty):
1071         * runtime/JSGlobalObject.cpp:
1072         (JSC::JSGlobalObject::defineOwnProperty):
1073         * runtime/JSGlobalObject.h:
1074         (JSC::JSGlobalObject::hasOwnPropertyForWrite):
1075         * runtime/JSNameScope.cpp:
1076         (JSC::JSNameScope::put):
1077         * runtime/JSONObject.cpp:
1078         (JSC::Stringifier::Holder::appendNextProperty):
1079         (JSC::Walker::walk):
1080         * runtime/JSObject.cpp:
1081         (JSC::JSObject::hasProperty):
1082         (JSC::JSObject::hasOwnProperty):
1083         (JSC::JSObject::reifyStaticFunctionsForDelete):
1084         * runtime/Lookup.h:
1085         (JSC::getStaticPropertyDescriptor):
1086         (JSC::getStaticFunctionDescriptor):
1087         (JSC::getStaticValueDescriptor):
1088         * runtime/ObjectConstructor.cpp:
1089         (JSC::defineProperties):
1090         * runtime/PropertySlot.h:
1091
1092 2013-08-02  Mark Hahnenberg  <mhahnenberg@apple.com>
1093
1094         DFG validation can cause assertion failures due to dumping
1095         https://bugs.webkit.org/show_bug.cgi?id=119456
1096
1097         Reviewed by Geoffrey Garen.
1098
1099         * bytecode/CodeBlock.cpp:
1100         (JSC::CodeBlock::hasHash):
1101         (JSC::CodeBlock::isSafeToComputeHash):
1102         (JSC::CodeBlock::hash):
1103         (JSC::CodeBlock::dumpAssumingJITType):
1104         * bytecode/CodeBlock.h:
1105
1106 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
1107
1108         Have the VM's exceptionStack match the Java VM's exception stack.
1109         https://bugs.webkit.org/show_bug.cgi?id=119362
1110
1111         Reviewed by Geoffrey Garen.
1112         
1113         The error object's stack is only updated if it does not exist yet. This matches 
1114         the functionality of other browsers, and Java VMs. 
1115
1116         * interpreter/Interpreter.cpp:
1117         (JSC::Interpreter::addStackTraceIfNecessary):
1118         (JSC::Interpreter::throwException):
1119         * runtime/VM.cpp:
1120         (JSC::VM::clearExceptionStack):
1121         * runtime/VM.h:
1122         (JSC::VM::lastExceptionStack):
1123
1124 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
1125
1126         REGRESSION(FTL): Fix mips implementation of ctiVMThrowTrampolineSlowpath.
1127         https://bugs.webkit.org/show_bug.cgi?id=119447
1128
1129         Reviewed by Geoffrey Garen.
1130
1131         Fix .cpload, update call frame and do not restore registers from JIT stack frame in
1132         mips implementation of ctiVMThrowTrampolineSlowpath. This change is similar to
1133         r153583 (sh4) and r153648 (ARM).
1134
1135         * jit/JITStubsMIPS.h:
1136
1137 2013-08-01  Filip Pizlo  <fpizlo@apple.com>
1138
1139         hasIndexingHeader should be a property of the Structure, not just the IndexingType
1140         https://bugs.webkit.org/show_bug.cgi?id=119422
1141
1142         Reviewed by Oliver Hunt.
1143         
1144         This simplifies some code and also allows Structure to claim that an object
1145         has an indexing header even if it doesn't have indexed properties.
1146         
1147         I also changed some calls to use hasIndexedProperties() since in some cases,
1148         that's what we actually meant. Currently the two are synonyms.
1149
1150         * dfg/DFGRepatch.cpp:
1151         (JSC::DFG::tryCachePutByID):
1152         (JSC::DFG::tryBuildPutByIdList):
1153         * dfg/DFGSpeculativeJIT.cpp:
1154         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1155         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1156         * runtime/ButterflyInlines.h:
1157         (JSC::Butterfly::create):
1158         (JSC::Butterfly::growPropertyStorage):
1159         (JSC::Butterfly::growArrayRight):
1160         (JSC::Butterfly::resizeArray):
1161         * runtime/IndexingType.h:
1162         * runtime/JSObject.cpp:
1163         (JSC::JSObject::copyButterfly):
1164         (JSC::JSObject::visitButterfly):
1165         (JSC::JSObject::setPrototype):
1166         * runtime/JSObject.h:
1167         (JSC::JSObject::setButterfly):
1168         * runtime/JSPropertyNameIterator.cpp:
1169         (JSC::JSPropertyNameIterator::create):
1170         * runtime/Structure.h:
1171         (JSC::Structure::hasIndexingHeader):
1172
1173 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
1174
1175         REGRESSION: ARM still crashes after change set r153612.
1176         https://bugs.webkit.org/show_bug.cgi?id=119433
1177
1178         Reviewed by Michael Saboff.
1179
1180         Update call frame and do not restore registers from JIT stack frame in ARM and ARMv7
1181         implementations of ctiVMThrowTrampolineSlowpath. This change is similar to r153583
1182         for sh4 architecture.
1183
1184         * jit/JITStubsARM.h:
1185         * jit/JITStubsARMv7.h:
1186
1187 2013-08-02  Michael Saboff  <msaboff@apple.com>
1188
1189         REGRESSION(r153612): It made jsc and layout tests crash
1190         https://bugs.webkit.org/show_bug.cgi?id=119440
1191
1192         Reviewed by Csaba Osztrogonác.
1193
1194         Made the changes of changeset r153612 apply only to 32-bit builds.
1195
1196         * jit/JITExceptions.cpp:
1197         * jit/JITExceptions.h:
1198         * jit/JITStubs.cpp:
1199         (JSC::cti_vm_throw_slowpath):
1200         * jit/JITStubs.h:
1201
1202 2013-08-02  Patrick Gansterer  <paroga@webkit.org>
1203
1204         Add JSCTestRunnerUtils to the list of forwarding headers to fix build.
1205
1206         * CMakeLists.txt:
1207
1208 2013-08-01  Ruth Fong  <ruth_fong@apple.com>
1209
1210         [Forms: color] <input type='color'> popover color well implementation
1211         <rdar://problem/14411008> and https://bugs.webkit.org/show_bug.cgi?id=119356
1212
1213         Reviewed by Benjamin Poulain.
1214
1215         * Configurations/FeatureDefines.xcconfig: Added and enabled INPUT_TYPE_COLOR_POPOVER.
1216
1217 2013-08-01  Oliver Hunt  <oliver@apple.com>
1218
1219         DFG is not enforcing correct ordering of ToString conversion in MakeRope
1220         https://bugs.webkit.org/show_bug.cgi?id=119408
1221
1222         Reviewed by Filip Pizlo.
1223
1224         Construct ToString and Phantom nodes in advance of MakeRope
1225         nodes to ensure that ordering is ensured, and correct values
1226         will be reified on OSR exit.
1227
1228         * dfg/DFGByteCodeParser.cpp:
1229         (JSC::DFG::ByteCodeParser::parseBlock):
1230
1231 2013-08-01  Michael Saboff  <msaboff@apple.com>
1232
1233         REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
1234         https://bugs.webkit.org/show_bug.cgi?id=119140
1235
1236         Reviewed by Filip Pizlo.
1237
1238         Ensure that ExceptionHandler is returned by functions in two registers by encoding the value as a 64 bit int.
1239
1240         * jit/JITExceptions.cpp:
1241         (JSC::encode):
1242         * jit/JITExceptions.h:
1243         * jit/JITStubs.cpp:
1244         (JSC::cti_vm_throw_slowpath):
1245         * jit/JITStubs.h:
1246
1247 2013-08-01  Julien Brianceau  <jbrianceau@nds.com>
1248
1249         REGRESSION(FTL): Fix sh4 implementation of ctiVMThrowTrampolineSlowpath.
1250         https://bugs.webkit.org/show_bug.cgi?id=119391
1251
1252         Reviewed by Csaba Osztrogonác.
1253
1254         * jit/JITStubsSH4.h: Fix ctiVMThrowTrampolineSlowpath implementation:
1255             - Call frame is in r14 register.
1256             - Do not restore registers from JIT stack frame here.
1257
1258 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
1259
1260         More cleanup in PropertySlot
1261         https://bugs.webkit.org/show_bug.cgi?id=119359
1262
1263         Reviewed by Geoff Garen.
1264
1265         m_slotBase is overloaded to store the (receiver) thisValue and the object that contains the property.
1266         This is confusing, and means that slotBase cannot be typed correctly (it can only be a JSObject).
1267
1268         * dfg/DFGRepatch.cpp:
1269         (JSC::DFG::tryCacheGetByID):
1270         (JSC::DFG::tryBuildGetByIDList):
1271             - No need to ASSERT slotBase is an object.
1272         * jit/JITStubs.cpp:
1273         (JSC::tryCacheGetByID):
1274         (JSC::DEFINE_STUB_FUNCTION):
1275             - No need to ASSERT slotBase is an object.
1276         * runtime/JSObject.cpp:
1277         (JSC::JSObject::getOwnPropertySlotByIndex):
1278         (JSC::JSObject::fillGetterPropertySlot):
1279             - Pass an object through to setGetterSlot.
1280         * runtime/JSObject.h:
1281         (JSC::PropertySlot::getValue):
1282             - Moved from PropertySlot (needs to know about JSObject).
1283         * runtime/PropertySlot.cpp:
1284         (JSC::PropertySlot::functionGetter):
1285             - update per member name changes
1286         * runtime/PropertySlot.h:
1287         (JSC::PropertySlot::PropertySlot):
1288             - Argument to constructor set to 'thisValue'.
1289         (JSC::PropertySlot::slotBase):
1290             - This returns a JSObject*.
1291         (JSC::PropertySlot::setValue):
1292         (JSC::PropertySlot::setCustom):
1293         (JSC::PropertySlot::setCacheableCustom):
1294         (JSC::PropertySlot::setCustomIndex):
1295         (JSC::PropertySlot::setGetterSlot):
1296         (JSC::PropertySlot::setCacheableGetterSlot):
1297             - slotBase is a JSObject*, make setGetterSlot set slotBase for consistency.
1298         * runtime/SparseArrayValueMap.cpp:
1299         (JSC::SparseArrayEntry::get):
1300             - Pass an object through to setGetterSlot.
1301         * runtime/SparseArrayValueMap.h:
1302             - Pass an object through to setGetterSlot.
1303
1304 2013-07-31  Yi Shen  <max.hong.shen@gmail.com>
1305
1306         Reduce JSC API static value setter/getter overhead.
1307         https://bugs.webkit.org/show_bug.cgi?id=119277
1308
1309         Reviewed by Geoffrey Garen.
1310
1311         Add the property name to the static value entry, so that OpaqueJSString::create() doesn't
1312         need to be called every time the static value is set or read.
1313
1314         * API/JSCallbackObjectFunctions.h:
1315         (JSC::::put):
1316         (JSC::::putByIndex):
1317         (JSC::::getStaticValue):
1318         * API/JSClassRef.cpp:
1319         (OpaqueJSClassContextData::OpaqueJSClassContextData):
1320         * API/JSClassRef.h:
1321         (StaticValueEntry::StaticValueEntry):
1322
1323 2013-07-31  Kwang Yul Seo  <skyul@company100.net>
1324
1325         Use emptyString instead of String("")
1326         https://bugs.webkit.org/show_bug.cgi?id=119335
1327
1328         Reviewed by Darin Adler.
1329
1330         Use emptyString() instead of String("") because it is better style and
1331         faster. This is a followup to r116908, removing all occurrences of
1332         String("") from WebKit.
1333
1334         * runtime/RegExpConstructor.cpp:
1335         (JSC::constructRegExp):
1336         * runtime/RegExpPrototype.cpp:
1337         (JSC::regExpProtoFuncCompile):
1338         * runtime/StringPrototype.cpp:
1339         (JSC::stringProtoFuncMatch):
1340         (JSC::stringProtoFuncSearch):
1341
1342 2013-07-31  Ruth Fong  <ruth_fong@apple.com>
1343
1344         <input type=color> Mac UI behaviour
1345         <rdar://problem/10269922> and https://bugs.webkit.org/show_bug.cgi?id=61276
1346
1347         Reviewed by Brady Eidson.
1348
1349         * Configurations/FeatureDefines.xcconfig: Enabled INPUT_TYPE_COLOR.
1350
1351 2013-07-31  Mark Hahnenberg  <mhahnenberg@apple.com>
1352
1353         DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT
1354         https://bugs.webkit.org/show_bug.cgi?id=119349
1355
1356         Reviewed by Geoffrey Garen.
1357
1358         Prior to this patch, the baseline JIT was responsible for resizing the ctiOffsets Vector for 
1359         SimpleJumpTables to be equal to the size of the branchOffsets Vector. The DFG implicitly relied
1360         on code it compiled with any switch statements to have been run in the baseline JIT first. 
1361         However, if the DFG chooses to inline a function that has never been compiled by the baseline 
1362         JIT then this resizing never happens and we crash at link time in the DFG.
1363
1364         We can fix this by also doing the resize in the DFG to catch this case.
1365
1366         * dfg/DFGJITCompiler.cpp:
1367         (JSC::DFG::JITCompiler::link):
1368
1369 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
1370
1371         Speculative Windows build fix.
1372
1373         Reviewed by NOBODY
1374
1375         * runtime/JSString.cpp:
1376         (JSC::JSRopeString::getIndexSlowCase):
1377         * runtime/JSString.h:
1378
1379 2013-07-30  Gavin Barraclough  <barraclough@apple.com>
1380
1381         Some cleanup in JSValue::get
1382         https://bugs.webkit.org/show_bug.cgi?id=119343
1383
1384         Reviewed by Geoff Garen.
1385
1386         JSValue::get is implemented to:
1387             1) Check if the value is a cell – if not, synthesize a prototype to search,
1388             2) call getOwnPropertySlot on the cell,
1389             3) if this returns false, cast to JSObject to get the prototype, and walk the prototype chain.
1390         By all rights this should crash when passed a string and accessing a property that does not exist, because
1391         the string is a cell, getOwnPropertySlot should return false, and the cast to JSObject should be unsafe.
1392         To work around this, JSString::getOwnPropertySlot actually implements 'get' functionality - searching the
1393         prototype chain, and faking out a return value of undefined if no property is found.
1394
1395         This is a huge hazard: fixing JSString::getOwnPropertySlot, or calling getOwnPropertySlot on a non-object
1396         cell from elsewhere, would reintroduce that unsafe JSCell-to-JSObject cast. Fortunately it is only ever called in this one place.
1397
1398         The fix here is to move getOwnPropertySlot onto JSObject and end this madness - cells don't have property
1399         slots anyway.
1400
1401         Interesting changes are in JSCJSValueInlines.h, JSString.cpp - the rest is pretty much all JSCell -> JSObject.
1402
1403 2013-07-31  Michael Saboff  <msaboff@apple.com>
1404
1405         [Win] JavaScript crash.
1406         https://bugs.webkit.org/show_bug.cgi?id=119339
1407
1408         Reviewed by Mark Hahnenberg.
1409
1410         * jit/JITStubsX86.h: Implement ctiVMThrowTrampoline and
1411         ctiVMThrowTrampolineSlowpath the same way as the gcc x86 version does.
1412
1413 2013-07-30  Mark Hahnenberg  <mhahnenberg@apple.com>
1414
1415         GetByVal on Arguments does the wrong size load when checking the Arguments object length
1416         https://bugs.webkit.org/show_bug.cgi?id=119281
1417
1418         Reviewed by Geoffrey Garen.
1419
1420         Because the length check operates on a load of the wrong width, the comparison is unreliable and an
1421         out-of-bounds index can get past it. This leads to out of bounds accesses and subsequent crashes.
1421
1422         * dfg/DFGSpeculativeJIT.cpp:
1423         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
1424         * dfg/DFGSpeculativeJIT64.cpp:
1425         (JSC::DFG::SpeculativeJIT::compile):
1426
1427 2013-07-30  Oliver Hunt  <oliver@apple.com>
1428
1429         Add an assertion to SpeculateCellOperand
1430         https://bugs.webkit.org/show_bug.cgi?id=119276
1431
1432         Reviewed by Michael Saboff.
1433
1434         More assertions are better
1435
1436         * dfg/DFGSpeculativeJIT64.cpp:
1437         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1438         (JSC::DFG::SpeculativeJIT::compile):
1439
1440 2013-07-30  Mark Lam  <mark.lam@apple.com>
1441
1442         Fix problems with divot and lineStart mismatches.
1443         https://bugs.webkit.org/show_bug.cgi?id=118662.
1444
1445         Reviewed by Oliver Hunt.
1446
1447         r152494 added the recording of lineStart values for divot positions.
1448         This is needed for the computation of column numbers. Similarly, it also
1449         added the recording of line numbers for the divot positions. One problem
1450         with the approach taken was that the line and lineStart values were
1451         recorded independently, and hence were not always guaranteed to be
1452         sampled at the same place that the divot position is recorded. This
1453         resulted in potential mismatches that cause some assertions to fail.
1454
1455         The solution is to introduce a JSTextPosition abstraction that records
1456         the divot position, line, and lineStart as a single quantity. Wherever
1457         we record the divot position as an unsigned int previously, we now record
1458         its JSTextPosition which captures all 3 values in one go. This ensures
1459         that the captured line and lineStart will always match the captured divot
1460         position.
1461
1462         * bytecompiler/BytecodeGenerator.cpp:
1463         (JSC::BytecodeGenerator::emitCall):
1464         (JSC::BytecodeGenerator::emitCallEval):
1465         (JSC::BytecodeGenerator::emitCallVarargs):
1466         (JSC::BytecodeGenerator::emitConstruct):
1467         (JSC::BytecodeGenerator::emitDebugHook):
1468         - Use JSTextPosition instead of passing line and lineStart explicitly.
1469         * bytecompiler/BytecodeGenerator.h:
1470         (JSC::BytecodeGenerator::emitExpressionInfo):
1471         - Use JSTextPosition instead of passing line and lineStart explicitly.
1472         * bytecompiler/NodesCodegen.cpp:
1473         (JSC::ThrowableExpressionData::emitThrowReferenceError):
1474         (JSC::ResolveNode::emitBytecode):
1475         (JSC::BracketAccessorNode::emitBytecode):
1476         (JSC::DotAccessorNode::emitBytecode):
1477         (JSC::NewExprNode::emitBytecode):
1478         (JSC::EvalFunctionCallNode::emitBytecode):
1479         (JSC::FunctionCallValueNode::emitBytecode):
1480         (JSC::FunctionCallResolveNode::emitBytecode):
1481         (JSC::FunctionCallBracketNode::emitBytecode):
1482         (JSC::FunctionCallDotNode::emitBytecode):
1483         (JSC::CallFunctionCallDotNode::emitBytecode):
1484         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1485         (JSC::PostfixNode::emitResolve):
1486         (JSC::PostfixNode::emitBracket):
1487         (JSC::PostfixNode::emitDot):
1488         (JSC::DeleteResolveNode::emitBytecode):
1489         (JSC::DeleteBracketNode::emitBytecode):
1490         (JSC::DeleteDotNode::emitBytecode):
1491         (JSC::PrefixNode::emitResolve):
1492         (JSC::PrefixNode::emitBracket):
1493         (JSC::PrefixNode::emitDot):
1494         (JSC::UnaryOpNode::emitBytecode):
1495         (JSC::BinaryOpNode::emitStrcat):
1496         (JSC::BinaryOpNode::emitBytecode):
1497         (JSC::ThrowableBinaryOpNode::emitBytecode):
1498         (JSC::InstanceOfNode::emitBytecode):
1499         (JSC::emitReadModifyAssignment):
1500         (JSC::ReadModifyResolveNode::emitBytecode):
1501         (JSC::AssignResolveNode::emitBytecode):
1502         (JSC::AssignDotNode::emitBytecode):
1503         (JSC::ReadModifyDotNode::emitBytecode):
1504         (JSC::AssignBracketNode::emitBytecode):
1505         (JSC::ReadModifyBracketNode::emitBytecode):
1506         (JSC::ForInNode::emitBytecode):
1507         (JSC::WithNode::emitBytecode):
1508         (JSC::ThrowNode::emitBytecode):
1509         - Use JSTextPosition instead of passing line and lineStart explicitly.
1510         * parser/ASTBuilder.h:
1511         - Replaced ASTBuilder::PositionInfo with JSTextPosition.
1512         (JSC::ASTBuilder::BinaryOpInfo::BinaryOpInfo):
1513         (JSC::ASTBuilder::AssignmentInfo::AssignmentInfo):
1514         (JSC::ASTBuilder::createResolve):
1515         (JSC::ASTBuilder::createBracketAccess):
1516         (JSC::ASTBuilder::createDotAccess):
1517         (JSC::ASTBuilder::createRegExp):
1518         (JSC::ASTBuilder::createNewExpr):
1519         (JSC::ASTBuilder::createAssignResolve):
1520         (JSC::ASTBuilder::createExprStatement):
1521         (JSC::ASTBuilder::createForInLoop):
1522         (JSC::ASTBuilder::createReturnStatement):
1523         (JSC::ASTBuilder::createBreakStatement):
1524         (JSC::ASTBuilder::createContinueStatement):
1525         (JSC::ASTBuilder::createLabelStatement):
1526         (JSC::ASTBuilder::createWithStatement):
1527         (JSC::ASTBuilder::createThrowStatement):
1528         (JSC::ASTBuilder::appendBinaryExpressionInfo):
1529         (JSC::ASTBuilder::appendUnaryToken):
1530         (JSC::ASTBuilder::unaryTokenStackLastStart):
1531         (JSC::ASTBuilder::assignmentStackAppend):
1532         (JSC::ASTBuilder::createAssignment):
1533         (JSC::ASTBuilder::setExceptionLocation):
1534         (JSC::ASTBuilder::makeDeleteNode):
1535         (JSC::ASTBuilder::makeFunctionCallNode):
1536         (JSC::ASTBuilder::makeBinaryNode):
1537         (JSC::ASTBuilder::makeAssignNode):
1538         (JSC::ASTBuilder::makePrefixNode):
1539         (JSC::ASTBuilder::makePostfixNode):
1540         - Use JSTextPosition instead of passing line and lineStart explicitly.
1541         * parser/Lexer.cpp:
1542         (JSC::::lex):
1543         - Added support for capturing the appropriate JSTextPositions instead
1544           of just the character offset.
1545         * parser/Lexer.h:
1546         (JSC::Lexer::currentPosition):
1547         (JSC::::lexExpectIdentifier):
1548         - Added support for capturing the appropriate JSTextPositions instead
1549           of just the character offset.
1550         * parser/NodeConstructors.h:
1551         (JSC::Node::Node):
1552         (JSC::ResolveNode::ResolveNode):
1553         (JSC::EvalFunctionCallNode::EvalFunctionCallNode):
1554         (JSC::FunctionCallValueNode::FunctionCallValueNode):
1555         (JSC::FunctionCallResolveNode::FunctionCallResolveNode):
1556         (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
1557         (JSC::FunctionCallDotNode::FunctionCallDotNode):
1558         (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
1559         (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
1560         (JSC::PostfixNode::PostfixNode):
1561         (JSC::DeleteResolveNode::DeleteResolveNode):
1562         (JSC::DeleteBracketNode::DeleteBracketNode):
1563         (JSC::DeleteDotNode::DeleteDotNode):
1564         (JSC::PrefixNode::PrefixNode):
1565         (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
1566         (JSC::ReadModifyBracketNode::ReadModifyBracketNode):
1567         (JSC::AssignBracketNode::AssignBracketNode):
1568         (JSC::AssignDotNode::AssignDotNode):
1569         (JSC::ReadModifyDotNode::ReadModifyDotNode):
1570         (JSC::AssignErrorNode::AssignErrorNode):
1571         (JSC::WithNode::WithNode):
1572         (JSC::ForInNode::ForInNode):
1573         - Use JSTextPosition instead of passing line and lineStart explicitly.
1574         * parser/Nodes.cpp:
1575         (JSC::StatementNode::setLoc):
1576         - Use JSTextPosition instead of passing line and lineStart explicitly.
1577         * parser/Nodes.h:
1578         (JSC::Node::lineNo):
1579         (JSC::Node::startOffset):
1580         (JSC::Node::lineStartOffset):
1581         (JSC::Node::position):
1582         (JSC::ThrowableExpressionData::ThrowableExpressionData):
1583         (JSC::ThrowableExpressionData::setExceptionSourceCode):
1584         (JSC::ThrowableExpressionData::divot):
1585         (JSC::ThrowableExpressionData::divotStart):
1586         (JSC::ThrowableExpressionData::divotEnd):
1587         (JSC::ThrowableSubExpressionData::ThrowableSubExpressionData):
1588         (JSC::ThrowableSubExpressionData::setSubexpressionInfo):
1589         (JSC::ThrowableSubExpressionData::subexpressionDivot):
1590         (JSC::ThrowableSubExpressionData::subexpressionStart):
1591         (JSC::ThrowableSubExpressionData::subexpressionEnd):
1592         (JSC::ThrowablePrefixedSubExpressionData::ThrowablePrefixedSubExpressionData):
1593         (JSC::ThrowablePrefixedSubExpressionData::setSubexpressionInfo):
1594         (JSC::ThrowablePrefixedSubExpressionData::subexpressionDivot):
1595         (JSC::ThrowablePrefixedSubExpressionData::subexpressionStart):
1596         (JSC::ThrowablePrefixedSubExpressionData::subexpressionEnd):
1597         - Use JSTextPosition instead of passing line and lineStart explicitly.
1598         * parser/Parser.cpp:
1599         (JSC::::Parser):
1600         (JSC::::parseInner):
1601         - Use JSTextPosition instead of passing line and lineStart explicitly.
1602         (JSC::::didFinishParsing):
1603         - Remove setting of m_lastLine value. We always pass in the value from
1604           m_lastLine anyway. So, this assignment is effectively a nop.
1605         (JSC::::parseVarDeclaration):
1606         (JSC::::parseVarDeclarationList):
1607         (JSC::::parseForStatement):
1608         (JSC::::parseBreakStatement):
1609         (JSC::::parseContinueStatement):
1610         (JSC::::parseReturnStatement):
1611         (JSC::::parseThrowStatement):
1612         (JSC::::parseWithStatement):
1613         (JSC::::parseTryStatement):
1614         (JSC::::parseBlockStatement):
1615         (JSC::::parseFunctionDeclaration):
1616         (JSC::LabelInfo::LabelInfo):
1617         (JSC::::parseExpressionOrLabelStatement):
1618         (JSC::::parseExpressionStatement):
1619         (JSC::::parseAssignmentExpression):
1620         (JSC::::parseBinaryExpression):
1621         (JSC::::parseProperty):
1622         (JSC::::parsePrimaryExpression):
1623         (JSC::::parseMemberExpression):
1624         (JSC::::parseUnaryExpression):
1625         - Use JSTextPosition instead of passing line and lineStart explicitly.
1626         * parser/Parser.h:
1627         (JSC::Parser::next):
1628         (JSC::Parser::nextExpectIdentifier):
1629         (JSC::Parser::getToken):
1630         (JSC::Parser::tokenStartPosition):
1631         (JSC::Parser::tokenEndPosition):
1632         (JSC::Parser::lastTokenEndPosition):
1633         (JSC::::parse):
1634         - Use JSTextPosition instead of passing line and lineStart explicitly.
1635         * parser/ParserTokens.h:
1636         (JSC::JSTextPosition::JSTextPosition):
1637         (JSC::JSTextPosition::operator+):
1638         (JSC::JSTextPosition::operator-):
1639         (JSC::JSTextPosition::operator int):
1640         - Added JSTextPosition.
1641         * parser/SyntaxChecker.h:
1642         (JSC::SyntaxChecker::makeFunctionCallNode):
1643         (JSC::SyntaxChecker::makeAssignNode):
1644         (JSC::SyntaxChecker::makePrefixNode):
1645         (JSC::SyntaxChecker::makePostfixNode):
1646         (JSC::SyntaxChecker::makeDeleteNode):
1647         (JSC::SyntaxChecker::createResolve):
1648         (JSC::SyntaxChecker::createBracketAccess):
1649         (JSC::SyntaxChecker::createDotAccess):
1650         (JSC::SyntaxChecker::createRegExp):
1651         (JSC::SyntaxChecker::createNewExpr):
1652         (JSC::SyntaxChecker::createAssignResolve):
1653         (JSC::SyntaxChecker::createForInLoop):
1654         (JSC::SyntaxChecker::createReturnStatement):
1655         (JSC::SyntaxChecker::createBreakStatement):
1656         (JSC::SyntaxChecker::createContinueStatement):
1657         (JSC::SyntaxChecker::createWithStatement):
1658         (JSC::SyntaxChecker::createLabelStatement):
1659         (JSC::SyntaxChecker::createThrowStatement):
1660         (JSC::SyntaxChecker::appendBinaryExpressionInfo):
1661         (JSC::SyntaxChecker::operatorStackPop):
1662         - Use JSTextPosition instead of passing line and lineStart explicitly.
1663
1664 2013-07-29  Carlos Garcia Campos  <cgarcia@igalia.com>
1665
1666         Unreviewed. Fix make distcheck.
1667
1668         * GNUmakefile.list.am: Add missing files to compilation.
1669         * bytecode/CodeBlock.cpp: Add a ENABLE(FTL_JIT) #if block to
1670         include FTL header files not included in the compilation.
1671         * dfg/DFGDriver.cpp: Ditto.
1672         * dfg/DFGPlan.cpp: Ditto.
1673
1674 2013-07-29  Chris Curtis  <chris_curtis@apple.com>
1675
1676         Eager stack trace for error objects.
1677         https://bugs.webkit.org/show_bug.cgi?id=118918
1678
1679         Reviewed by Geoffrey Garen.
1680         
1681         Chrome and Firefox give error objects the stack property and we wanted to match
1682         that functionality. This allows developers to see the stack without throwing an object.
1683
1684         * runtime/ErrorInstance.cpp:
1685         (JSC::ErrorInstance::finishCreation):
1686          For error objects that are not thrown as an exception, we pass the stackTrace in 
1687          as a parameter. This allows the error object to have the stack property.
1688         
1689         * interpreter/Interpreter.cpp:
1690         (JSC::stackTraceAsString):
1691         Helper function used to eliminate duplicate code.
1692
1693         (JSC::Interpreter::addStackTraceIfNecessary):
1694         When an error object is created by the user, the vm->exceptionStack is not set.
1695         If the user throws this error object later the stack that is in the error object 
1696         may not be the correct stack for the throw, so when we set the vm->exception stack,
1697         the stack property on the error object is set as well.
1698         
1699         * runtime/ErrorConstructor.cpp:
1700         (JSC::constructWithErrorConstructor):
1701         (JSC::callErrorConstructor):
1702         * runtime/NativeErrorConstructor.cpp:
1703         (JSC::constructWithNativeErrorConstructor):
1704         (JSC::callNativeErrorConstructor):
1705         These functions indicate that the user created an error object. For all error objects 
1706         that the user explicitly creates, the topCallFrame is at a new frame created to 
1707         handle the user's call. In this case though, the error object needs the caller's 
1708         frame to create the stack trace correctly.
1709         
1710         * interpreter/Interpreter.h:
1711         * runtime/ErrorInstance.h:
1712         (JSC::ErrorInstance::create):
1713
1714 2013-07-29  Gavin Barraclough  <barraclough@apple.com>
1715
1716         Some cleanup in PropertySlot
1717         https://bugs.webkit.org/show_bug.cgi?id=119189
1718
1719         Reviewed by Geoff Garen.
1720
1721         PropertySlot represents a property in one of four states - value, getter, custom, or custom-index.
1722         The state is currently tracked redundantly by two mechanisms - the custom getter function (m_getValue)
1723         is set to a special value to indicate the type (other than custom), and the type is also tracked by
1724         an enum - but only if cacheable. Cacheability can typically be determined by the value of m_offset
1725         (this is invalidOffset if not cacheable).
1726
1727             * Internally, always track the type of the property using an enum value, PropertyType.
1728             * Use m_offset to indicate cacheable.
1729             * Keep the external interface (CachedPropertyType) unchanged.
1730             * Better pack data into the m_data union.
1731
1732         Performance neutral.
1733
1734         * dfg/DFGRepatch.cpp:
1735         (JSC::DFG::tryCacheGetByID):
1736         (JSC::DFG::tryBuildGetByIDList):
1737             - cachedPropertyType() -> isCacheable*()
1738         * jit/JITPropertyAccess.cpp:
1739         (JSC::JIT::privateCompileGetByIdProto):
1740         (JSC::JIT::privateCompileGetByIdSelfList):
1741         (JSC::JIT::privateCompileGetByIdProtoList):
1742         (JSC::JIT::privateCompileGetByIdChainList):
1743         (JSC::JIT::privateCompileGetByIdChain):
1744             - cachedPropertyType() -> isCacheable*()
1745         * jit/JITPropertyAccess32_64.cpp:
1746         (JSC::JIT::privateCompileGetByIdProto):
1747         (JSC::JIT::privateCompileGetByIdSelfList):
1748         (JSC::JIT::privateCompileGetByIdProtoList):
1749         (JSC::JIT::privateCompileGetByIdChainList):
1750         (JSC::JIT::privateCompileGetByIdChain):
1751             - cachedPropertyType() -> isCacheable*()
1752         * jit/JITStubs.cpp:
1753         (JSC::tryCacheGetByID):
1754             - cachedPropertyType() -> isCacheable*()
1755         * llint/LLIntSlowPaths.cpp:
1756         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1757             - cachedPropertyType() -> isCacheable*()
1758         * runtime/PropertySlot.cpp:
1759         (JSC::PropertySlot::functionGetter):
1760             - refactoring described above.
1761         * runtime/PropertySlot.h:
1762         (JSC::PropertySlot::PropertySlot):
1763         (JSC::PropertySlot::getValue):
1764         (JSC::PropertySlot::isCacheable):
1765         (JSC::PropertySlot::isCacheableValue):
1766         (JSC::PropertySlot::isCacheableGetter):
1767         (JSC::PropertySlot::isCacheableCustom):
1768         (JSC::PropertySlot::cachedOffset):
1769         (JSC::PropertySlot::customGetter):
1770         (JSC::PropertySlot::setValue):
1771         (JSC::PropertySlot::setCustom):
1772         (JSC::PropertySlot::setCacheableCustom):
1773         (JSC::PropertySlot::setCustomIndex):
1774         (JSC::PropertySlot::setGetterSlot):
1775         (JSC::PropertySlot::setCacheableGetterSlot):
1776         (JSC::PropertySlot::setUndefined):
1777         (JSC::PropertySlot::slotBase):
1778         (JSC::PropertySlot::setBase):
1779             - refactoring described above.
1780
1781 2013-07-28  Oliver Hunt  <oliver@apple.com>
1782
1783         REGRESSION: Crash when opening Facebook.com
1784         https://bugs.webkit.org/show_bug.cgi?id=119155
1785
1786         Reviewed by Andreas Kling.
1787
1788         Scope nodes are always objects, so we should be using SpecObjectOther
1789         rather than SpecCellOther.  Marking Scopes as CellOther leads to a
1790         contradiction in the CFA, resulting in bogus codegen.
1791
1792         * dfg/DFGAbstractInterpreterInlines.h:
1793         (JSC::DFG::::executeEffects):
1794         * dfg/DFGPredictionPropagationPhase.cpp:
1795         (JSC::DFG::PredictionPropagationPhase::propagate):
1796
1797 2013-07-26  Oliver Hunt  <oliver@apple.com>
1798
1799         REGRESSION(FTL?): Crashes in plugin tests
1800         https://bugs.webkit.org/show_bug.cgi?id=119141
1801
1802         Reviewed by Michael Saboff.
1803
1804         Re-export getStackTrace
1805
1806         * interpreter/Interpreter.h:
1807
1808 2013-07-26  Filip Pizlo  <fpizlo@apple.com>
1809
1810         REGRESSION: Crash when opening a message on Gmail
1811         https://bugs.webkit.org/show_bug.cgi?id=119105
1812
1813         Reviewed by Oliver Hunt and Mark Hahnenberg.
1814         
1815         - GetById patching in the DFG needs to be more disciplined about how it derives the
1816           slow path.
1817         
1818         - Fix some dumping code thread safety issues.
1819
1820         * bytecode/CallLinkStatus.cpp:
1821         (JSC::CallLinkStatus::dump):
1822         * bytecode/CodeBlock.cpp:
1823         (JSC::CodeBlock::dumpBytecode):
1824         * dfg/DFGRepatch.cpp:
1825         (JSC::DFG::getPolymorphicStructureList):
1826         (JSC::DFG::tryBuildGetByIDList):
1827
1828 2013-07-26  Balazs Kilvady  <kilvadyb@homejinni.com>
1829
1830         [mips] Fix LLINT build for mips backend
1831         https://bugs.webkit.org/show_bug.cgi?id=119152
1832
1833         Reviewed by Oliver Hunt.
1834
1835         * offlineasm/mips.rb:
1836
1837 2013-07-19  Mark Hahnenberg  <mhahnenberg@apple.com>
1838
1839         Setting a large numeric property on an object causes it to allocate a huge backing store
1840         https://bugs.webkit.org/show_bug.cgi?id=118914
1841
1842         Reviewed by Geoffrey Garen.
1843
1844         There are two distinct actions that we're trying to optimize for:
1845
1846         new Array(100000);
1847
1848         and:
1849
1850         a = [];
1851         a[100000] = 42;
1852         
1853         In the first case, the programmer has indicated that they expect this Array to be very big, 
1854         so they should get a contiguous array up until some threshold, above which we perform density 
1855         calculations to see if it is indeed dense enough to warrant being contiguous.
1856         
1857         In the second case, the programmer hasn't indicated anything about the size of the Array, so 
1858         we should be more conservative and assume it should be sparse until we've proven otherwise.
1859         
1860         Currently both of those cases are handled by MIN_SPARSE_ARRAY_INDEX. We should distinguish 
1861         between them for the purposes of not over-allocating large backing stores like we see on 
1862         http://www.peekanalytics.com/burgerjoints/
1863         
1864         The way that we'll do this is to keep the MIN_SPARSE_ARRAY_INDEX for the first case, and 
1865         introduce a new heuristic for the second case. If we are putting to an index above a certain 
1866         threshold (say, 1000) and it is beyond the length of the array, then we will use a sparse 
1867         map instead. So for example, in the second case above the empty array has a blank indexing 
1868         type and a length of 0. We put-by-val to an index > 1000 and > a.length, so we'll use a sparse map.
1869
1870         This fix is a ~800x speedup on the accompanying regression test :-o
1871
1872         * runtime/ArrayConventions.h:
1873         (JSC::indexIsSufficientlyBeyondLengthForSparseMap):
1874         * runtime/JSObject.cpp:
1875         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1876         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
1877         (JSC::JSObject::putByIndexBeyondVectorLength):
1878         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
1879
1880 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
1881
1882         REGRESSION(FTL): Fix lots of crashes in sh4 baseline JIT.
1883         https://bugs.webkit.org/show_bug.cgi?id=119148
1884
1885         Reviewed by Csaba Osztrogonác.
1886
1887         * jit/JSInterfaceJIT.h: "secondArgumentRegister" is wrong for sh4.
1888         * llint/LowLevelInterpreter32_64.asm: "move t0, a0" is missing
1889         in nativeCallTrampoline for sh4. Reuse MIPS implementation to avoid
1890         code duplication.
1891
1892 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
1893
1894         REGRESSION(FTL): Crash in sh4 baseline JIT.
1895         https://bugs.webkit.org/show_bug.cgi?id=119138
1896
1897         Reviewed by Csaba Osztrogonác.
1898
1899         This crash is due to an incomplete port of r150146 and r148474 to the sh4 backend.
1900
1901         * jit/JITStubsSH4.h:
1902
1903 2013-07-26  Zan Dobersek  <zdobersek@igalia.com>
1904
1905         Unreviewed.
1906
1907         * Target.pri: Adding missing DFG files to the Qt build.
1908
1909 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
1910
1911         GTK and Qt buildfix after the intrusive win buildfix r153360.
1912
1913         * GNUmakefile.list.am:
1914         * Target.pri:
1915
1916 2013-07-25  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
1917
1918         Unreviewed, fix build break after r153360.
1919
1920         * CMakeLists.txt: Add CommonSlowPathsExceptions.cpp.
1921
1922 2013-07-25  Roger Fong  <roger_fong@apple.com>
1923
1924         Unreviewed build fix, AppleWin port.
1925
1926         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1927         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1928         * JavaScriptCore.vcxproj/copy-files.cmd:
1929
1930 2013-07-25  Roger Fong  <roger_fong@apple.com>
1931
1932         Unreviewed. Followup to r153360.
1933
1934         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1935         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1936
1937 2013-07-25  Michael Saboff  <msaboff@apple.com>
1938
1939         [Windows] Speculative build fix.
1940
1941         Moved interpreterThrowInCaller() out of LLintExceptions.cpp into new CommonSlowPathsExceptions.cpp
1942         that is always compiled.  Made LLInt::returnToThrow() conditional on LLINT being enabled.
1943
1944         * JavaScriptCore.xcodeproj/project.pbxproj:
1945         * llint/LLIntExceptions.cpp:
1946         * llint/LLIntExceptions.h:
1947         * llint/LLIntSlowPaths.cpp:
1948         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1949         * runtime/CommonSlowPaths.cpp:
1950         (JSC::SLOW_PATH_DECL):
1951         * runtime/CommonSlowPathsExceptions.cpp: Added.
1952         (JSC::CommonSlowPaths::interpreterThrowInCaller):
1953         * runtime/CommonSlowPathsExceptions.h: Added.
1954
1955 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
1956
1957         [Windows] Unreviewed build fix.
1958
1959         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing IntendedStructureChange.h,.cpp and
1960         parser/SourceCode.h,.cpp.
1961         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
1962
1963 2013-07-25  Anders Carlsson  <andersca@apple.com>
1964
1965         ASSERT(m_vm->apiLock().currentThreadIsHoldingLock()); fails for Safari on current ToT
1966         https://bugs.webkit.org/show_bug.cgi?id=119108
1967
1968         Reviewed by Mark Hahnenberg.
1969
1970         Add a currentThreadIsHoldingAPILock() function to VM that checks if the current thread is the exclusive API thread.
1971
1972         * heap/CopiedSpace.cpp:
1973         (JSC::CopiedSpace::tryAllocateSlowCase):
1974         * heap/Heap.cpp:
1975         (JSC::Heap::protect):
1976         (JSC::Heap::unprotect):
1977         (JSC::Heap::collect):
1978         * heap/MarkedAllocator.cpp:
1979         (JSC::MarkedAllocator::allocateSlowCase):
1980         * runtime/JSGlobalObject.cpp:
1981         (JSC::JSGlobalObject::init):
1982         * runtime/VM.h:
1983         (JSC::VM::currentThreadIsHoldingAPILock):
1984
1985 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
1986
1987         REGRESSION(FTL): Most layout tests crashes
1988         https://bugs.webkit.org/show_bug.cgi?id=119089
1989
1990         Reviewed by Oliver Hunt.
1991
1992         * runtime/ExecutionHarness.h:
1993         (JSC::prepareForExecution): Move the prepareForExecutionImpl call into its own statement. This prevents GCC-compiled
1994         code from creating the PassOwnPtr<JSC::JITCode> (intended as a parameter to the installOptimizedCode call) from the jitCode
1995         RefPtr<JSC::JITCode> parameter before the latter has actually been given a proper value by the prepareForExecutionImpl call.
1996         Currently it is created beforehand and therefore holds a null pointer when it is anchored as the JIT code in
1997         JSC::CodeBlock::setJITCode, which later indirectly causes assertions in JSC::CodeBlock::jitCompile.
1998         (JSC::prepareFunctionForExecution): Ditto for prepareFunctionForExecutionImpl.
1999
2000 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
2001
2002         [Windows] Unreviewed build fix.
2003
2004         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Add missing 'ftl'
2005         include path.
2006
2007 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
2008
2009         [Windows] Unreviewed build fix.
2010
2011         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add some missing files:
2012         runtime/VM.h,.cpp; Remove deleted JSGlobalData.h,.cpp.
2013         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
2014
2015 2013-07-25  Oliver Hunt  <oliver@apple.com>
2016
2017         Make all jit & non-jit combos build cleanly
2018         https://bugs.webkit.org/show_bug.cgi?id=119102
2019
2020         Reviewed by Anders Carlsson.
2021
2022         * bytecode/CodeBlock.cpp:
2023         (JSC::CodeBlock::counterValueForOptimizeSoon):
2024         * bytecode/CodeBlock.h:
2025         (JSC::CodeBlock::optimizeAfterWarmUp):
2026         (JSC::CodeBlock::numberOfDFGCompiles):
2027
2028 2013-07-25  Oliver Hunt  <oliver@apple.com>
2029
2030         32 bit portion of load validation logic
2031         https://bugs.webkit.org/show_bug.cgi?id=118878
2032
2033         Reviewed by NOBODY (Build fix).
2034
2035         * dfg/DFGSpeculativeJIT32_64.cpp:
2036         (JSC::DFG::SpeculativeJIT::compile):
2037
2038 2013-07-25  Oliver Hunt  <oliver@apple.com>
2039
2040         More 32bit build fixes
2041
2042         - Apparently some compilers don't track the fastcall directive everywhere we expect
2043
2044         * API/APICallbackFunction.h:
2045         (JSC::APICallbackFunction::call):
2046         * bytecode/CodeBlock.cpp:
2047         * runtime/Structure.cpp:
2048
2049 2013-07-25  Yi Shen  <max.hong.shen@gmail.com>
2050
2051         Optimize the thread locks for API Shims
2052         https://bugs.webkit.org/show_bug.cgi?id=118573
2053
2054         Reviewed by Geoffrey Garen.
2055
2056         Remove the thread lock from API Shims if the VM has an exclusive thread (e.g. the VM 
2057         only used by WebCore's main thread).
2058
2059         * API/APIShims.h:
2060         (JSC::APIEntryShim::APIEntryShim):
2061         (JSC::APICallbackShim::APICallbackShim):
2062         * runtime/JSLock.cpp:
2063         (JSC::JSLockHolder::JSLockHolder):
2064         (JSC::JSLockHolder::init):
2065         (JSC::JSLockHolder::~JSLockHolder):
2066         (JSC::JSLock::DropAllLocks::DropAllLocks):
2067         (JSC::JSLock::DropAllLocks::~DropAllLocks):
2068         * runtime/VM.cpp:
2069         (JSC::VM::VM):
2070         * runtime/VM.h:
2071
2072 2013-07-25  Christophe Dumez  <ch.dumez@sisa.samsung.com>
2073
2074         Unreviewed build fix after r153218.
2075
2076         Broke the EFL port build with gcc 4.7.
2077
2078         * interpreter/StackIterator.cpp:
2079         (JSC::printif):
2080
2081 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
2082
2083         Build fix: add missing #include.
2084         https://bugs.webkit.org/show_bug.cgi?id=119087
2085
2086         Reviewed by Allan Sandfeld Jensen.
2087
2088         * bytecode/ArrayProfile.cpp:
2089
2090 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
2091
2092         Unreviewed, build fix on the EFL port.
2093
2094         * CMakeLists.txt: Added JSCTestRunnerUtils.cpp.
2095
2096 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
2097
2098         [sh4] Add missing store8(TrustedImm32, void*) implementation in baseline JIT.
2099         https://bugs.webkit.org/show_bug.cgi?id=119083
2100
2101         Reviewed by Allan Sandfeld Jensen.
2102
2103         * assembler/MacroAssemblerSH4.h:
2104         (JSC::MacroAssemblerSH4::store8):
2105
2106 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
2107
2108         [Qt] Fix test build after FTL upstream
2109
2110         Unreviewed build fix.
2111
2112         * Target.pri:
2113
2114 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
2115
2116         [Qt] Build fix after FTL.
2117
2118         Unreviewed build fix.
2119
2120         * Target.pri:
2121         * interpreter/StackIterator.cpp:
2122         (JSC::StackIterator::Frame::print):
2123
2124 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
2125
2126         Unreviewed build fix after FTL upstream.
2127
2128         * dfg/DFGWorklist.cpp:
2129         (JSC::DFG::Worklist::~Worklist):
2130
2131 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
2132
2133         Unreviewed, build fix on the EFL port.
2134
2135         * CMakeLists.txt:
2136         Added SourceCode.cpp and removed BlackBerry file.
2137         * jit/JITCode.h:
2138         (JSC::JITCode::nextTierJIT):
2139         Fixed build break caused by -Werror=return-type
2140         * parser/Lexer.cpp: Includes JSFunctionInlines.h
2141         * runtime/JSScope.h:
2142         (JSC::makeType):
2143         Fixed build break caused by -Werror=return-type
2144
2145 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
2146
2147         Unreviewed build fixing after FTL upstream.
2148
2149         * runtime/Executable.cpp:
2150         (JSC::FunctionExecutable::produceCodeBlockFor):
2151
2152 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
2153
2154         Add missing implementation of bxxxnz in sh4 LLINT.
2155         https://bugs.webkit.org/show_bug.cgi?id=119079
2156
2157         Reviewed by Allan Sandfeld Jensen.
2158
2159         * offlineasm/sh4.rb:
2160
2161 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
2162
2163         Unreviewed, build fix on the Qt port.
2164
2165         * Target.pri: Add additional build files for the FTL.
2166
2167 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
2168
2169         Unreviewed buildfix after FTL upstream.
2170
2171         * interpreter/StackIterator.cpp:
2172         (JSC::StackIterator::Frame::codeType):
2173         (JSC::StackIterator::Frame::functionName):
2174         (JSC::StackIterator::Frame::sourceURL):
2175         (JSC::StackIterator::Frame::logicalFrame):
2176
2177 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2178
2179         Unreviewed.
2180
2181         * heap/CopyVisitor.cpp: Include CopiedSpaceInlines header so the CopiedSpace::recycleEvacuatedBlock
2182         method is not left undefined, causing build failures on (at least) the GTK port.
2183
2184 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2185
2186         Unreviewed, further build fixing on the GTK port.
2187
2188         * GNUmakefile.list.am: Add CompilationResult source files to the build.
2189
2190 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2191
2192         Unreviewed GTK build fixing.
2193
2194         * GNUmakefile.am: Make the shared libjsc library depend on any changes to the build target list.
2195         * GNUmakefile.list.am: Add additional build targets for files that were introduced by the FTL branch merge.
2196
2197 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
2198
2199         Buildfix after this error:
2200         error: 'pathName' may be used uninitialized in this function [-Werror=uninitialized]
2201
2202         * dfg/DFGPlan.cpp:
2203         (JSC::DFG::Plan::compileInThread):
2204
2205 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
2206
2207         One more buildfix after FTL upstream.
2208
2209         Return a dummy value after RELEASE_ASSERT_NOT_REACHED() to make GCC happy.
2210
2211         * dfg/DFGLazyJSValue.cpp:
2212         (JSC::DFG::LazyJSValue::getValue):
2213         (JSC::DFG::LazyJSValue::strictEqual):
2214
2215 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
2216
2217         Fix "Unhandled opcode localAnnotation" build error in sh4 and mips LLINT.
2218         https://bugs.webkit.org/show_bug.cgi?id=119076
2219
2220         Reviewed by Allan Sandfeld Jensen.
2221
2222         * offlineasm/mips.rb:
2223         * offlineasm/sh4.rb:
2224
2225 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2226
2227         Unreviewed GTK build fix.
2228
2229         * GNUmakefile.list.am: Adding JSCTestRunnerUtils files to the build.
2230
2231 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2232
2233         Unreviewed. Further build fixing for the GTK port. Adding the forwarding header
2234         for JSCTestRunnerUtils.h as required by the DumpRenderTree compilation.
2235
2236         * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h: Added.
2237
2238 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2239
2240         Unreviewed. Fixing the GTK build after the FTL merging by updating the build targets list.
2241
2242         * GNUmakefile.am:
2243         * GNUmakefile.list.am:
2244
2245 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
2246
2247         Unreviewed buildfix after FTL upstream.
2248
2249         * runtime/JSScope.h:
2250         (JSC::needsVarInjectionChecks):
2251
2252 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
2253
2254         One more fix after FTL upstream.
2255
2256         * Target.pri:
2257         * bytecode/CodeBlock.h:
2258         * bytecode/GetByIdStatus.h:
2259         (JSC::GetByIdStatus::GetByIdStatus):
2260
2261 2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>
2262
2263         Unreviewed buildfix after FTL upstream.
2264
2265         Add ftl directory as include path.
2266
2267         * CMakeLists.txt:
2268         * JavaScriptCore.pri:
2269
2270 2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>
2271
2272         Unreviewed buildfix after FTL upstream for non C++11 builds.
2273
2274         * interpreter/CallFrame.h:
2275         * interpreter/StackIteratorPrivate.h:
2276         (JSC::StackIterator::end):
2277
2278 2013-07-24  Oliver Hunt  <oliver@apple.com>
2279
2280         Endeavour to fix CMakelist builds
2281
2282         * CMakeLists.txt:
2283
2284 2013-07-24  Filip Pizlo  <fpizlo@apple.com>
2285
2286         fourthTier: DFG IR dumps should be easier to read
2287         https://bugs.webkit.org/show_bug.cgi?id=119050
2288
2289         Reviewed by Mark Hahnenberg.
2290         
2291         Added a DumpContext that includes support for printing an endnote
2292         that describes all structures in full, while the main flow of the
2293         dump just uses made-up names for the structures. This is helpful
2294         since Structure::dump() may print a lot. The stuff it prints is
2295         useful, but if it's all inline with the surrounding thing you're        
2296         dumping (often, a node in the DFG), then you get a ridiculously
2297         long print-out. All classes that dump structures (including
2298         Structure itself) now have dumpInContext() methods that use
2299         inContext() for dumping anything that might transitively print a
2300         structure. If Structure::dumpInContext() is called with a NULL
2301         context, it just uses dump() like before. Hence you don't have to
2302         know anything about DumpContext unless you want to.
2303         
2304         inContext(*structure, context) dumps something like %B4:Array,
2305         and the endnote will have something like:
2306         
2307             %B4:Array    = 0x10e91a180:[Array, {Edge:100, Normal:101, Line:102, NumPx:103, LastPx:104}, ArrayWithContiguous, Proto:0x10e99ffe0]
2308         
2309         where B4 is the inferred name that StringHashDumpContext came up
2310         with.
2311         
2312         Also shortened a bunch of other dumps, removing information that
2313         isn't so important.
2314         
2315         * JavaScriptCore.xcodeproj/project.pbxproj:
2316         * bytecode/ArrayProfile.cpp:
2317         (JSC::dumpArrayModes):
2318         * bytecode/CodeBlockHash.cpp:
2319         (JSC):
2320         (JSC::CodeBlockHash::CodeBlockHash):
2321         (JSC::CodeBlockHash::dump):
2322         * bytecode/CodeOrigin.cpp:
2323         (JSC::CodeOrigin::dumpInContext):
2324         (JSC):
2325         (JSC::InlineCallFrame::dumpInContext):
2326         (JSC::InlineCallFrame::dump):
2327         * bytecode/CodeOrigin.h:
2328         (CodeOrigin):
2329         (InlineCallFrame):
2330         * bytecode/Operands.h:
2331         (JSC::OperandValueTraits::isEmptyForDump):
2332         (Operands):
2333         (JSC::Operands::dump):
2334         (JSC):
2335         * bytecode/OperandsInlines.h: Added.
2336         (JSC):
2337         (JSC::::dumpInContext):
2338         * bytecode/StructureSet.h:
2339         (JSC::StructureSet::dumpInContext):
2340         (JSC::StructureSet::dump):
2341         (StructureSet):
2342         * dfg/DFGAbstractValue.cpp:
2343         (JSC::DFG::AbstractValue::dump):
2344         (DFG):
2345         (JSC::DFG::AbstractValue::dumpInContext):
2346         * dfg/DFGAbstractValue.h:
2347         (JSC::DFG::AbstractValue::operator!):
2348         (AbstractValue):
2349         * dfg/DFGCFAPhase.cpp:
2350         (JSC::DFG::CFAPhase::performBlockCFA):
2351         * dfg/DFGCommon.cpp:
2352         * dfg/DFGCommon.h:
2353         (JSC::DFG::NodePointerTraits::isEmptyForDump):
2354         * dfg/DFGDisassembler.cpp:
2355         (JSC::DFG::Disassembler::createDumpList):
2356         * dfg/DFGDisassembler.h:
2357         (Disassembler):
2358         * dfg/DFGFlushFormat.h:
2359         (WTF::inContext):
2360         (WTF):
2361         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
2362         * dfg/DFGGraph.cpp:
2363         (JSC::DFG::Graph::dumpCodeOrigin):
2364         (JSC::DFG::Graph::dump):
2365         (JSC::DFG::Graph::dumpBlockHeader):
2366         * dfg/DFGGraph.h:
2367         (Graph):
2368         * dfg/DFGLazyJSValue.cpp:
2369         (JSC::DFG::LazyJSValue::dumpInContext):
2370         (JSC::DFG::LazyJSValue::dump):
2371         (DFG):
2372         * dfg/DFGLazyJSValue.h:
2373         (LazyJSValue):
2374         * dfg/DFGNode.h:
2375         (JSC::DFG::nodeMapDump):
2376         (WTF::inContext):
2377         (WTF):
2378         * dfg/DFGOSRExitCompiler32_64.cpp:
2379         (JSC::DFG::OSRExitCompiler::compileExit):
2380         * dfg/DFGOSRExitCompiler64.cpp:
2381         (JSC::DFG::OSRExitCompiler::compileExit):
2382         * dfg/DFGStructureAbstractValue.h:
2383         (JSC::DFG::StructureAbstractValue::dumpInContext):
2384         (JSC::DFG::StructureAbstractValue::dump):
2385         (StructureAbstractValue):
2386         * ftl/FTLExitValue.cpp:
2387         (JSC::FTL::ExitValue::dumpInContext):
2388         (JSC::FTL::ExitValue::dump):
2389         (FTL):
2390         * ftl/FTLExitValue.h:
2391         (ExitValue):
2392         * ftl/FTLLowerDFGToLLVM.cpp:
2393         * ftl/FTLValueSource.cpp:
2394         (JSC::FTL::ValueSource::dumpInContext):
2395         (FTL):
2396         * ftl/FTLValueSource.h:
2397         (ValueSource):
2398         * runtime/DumpContext.cpp: Added.
2399         (JSC):
2400         (JSC::DumpContext::DumpContext):
2401         (JSC::DumpContext::~DumpContext):
2402         (JSC::DumpContext::isEmpty):
2403         (JSC::DumpContext::dump):
2404         * runtime/DumpContext.h: Added.
2405         (JSC):
2406         (DumpContext):
2407         * runtime/JSCJSValue.cpp:
2408         (JSC::JSValue::dump):
2409         (JSC):
2410         (JSC::JSValue::dumpInContext):
2411         * runtime/JSCJSValue.h:
2412         (JSC):
2413         (JSValue):
2414         * runtime/Structure.cpp:
2415         (JSC::Structure::dumpInContext):
2416         (JSC):
2417         (JSC::Structure::dumpBrief):
2418         (JSC::Structure::dumpContextHeader):
2419         * runtime/Structure.h:
2420         (JSC):
2421         (Structure):
2422
2423 2013-07-22  Filip Pizlo  <fpizlo@apple.com>
2424
2425         fourthTier: DFG should do a high-level LICM before going to FTL
2426         https://bugs.webkit.org/show_bug.cgi?id=118749
2427
2428         Reviewed by Oliver Hunt.
2429         
2430         Implements LICM hoisting for nodes that never write anything and never read
2431         things that are clobbered by the loop. There are some other preconditions for
2432         hoisting, see DFGLICMPhase.cpp.
2433
2434         Also did a few fixes:
2435         
2436         - ClobberSet::add was failing to switch Super entries to Direct entries in
2437           some cases.
2438         
2439         - DFGClobberize.cpp needed to #include "Operations.h".
2440         
2441         - DCEPhase needs to process the graph in reverse DFS order, when we're in SSA.
2442         
2443         - AbstractInterpreter can now execute a Node without knowing its indexInBlock.
2444           Knowing the indexInBlock is an optional optimization that all other clients
2445           of AI still opt into, but LICM doesn't.
2446         
2447         This makes the FTL a 2.19x speed-up on imaging-gaussian-blur.
2448
2449         * JavaScriptCore.xcodeproj/project.pbxproj:
2450         * dfg/DFGAbstractInterpreter.h:
2451         (AbstractInterpreter):
2452         * dfg/DFGAbstractInterpreterInlines.h:
2453         (JSC::DFG::::executeEffects):
2454         (JSC::DFG::::execute):
2455         (DFG):
2456         (JSC::DFG::::clobberWorld):
2457         (JSC::DFG::::clobberStructures):
2458         * dfg/DFGAtTailAbstractState.cpp: Added.
2459         (DFG):
2460         (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
2461         (JSC::DFG::AtTailAbstractState::~AtTailAbstractState):
2462         (JSC::DFG::AtTailAbstractState::createValueForNode):
2463         (JSC::DFG::AtTailAbstractState::forNode):
2464         * dfg/DFGAtTailAbstractState.h: Added.
2465         (DFG):
2466         (AtTailAbstractState):
2467         (JSC::DFG::AtTailAbstractState::initializeTo):
2468         (JSC::DFG::AtTailAbstractState::forNode):
2469         (JSC::DFG::AtTailAbstractState::variables):
2470         (JSC::DFG::AtTailAbstractState::block):
2471         (JSC::DFG::AtTailAbstractState::isValid):
2472         (JSC::DFG::AtTailAbstractState::setDidClobber):
2473         (JSC::DFG::AtTailAbstractState::setIsValid):
2474         (JSC::DFG::AtTailAbstractState::setBranchDirection):
2475         (JSC::DFG::AtTailAbstractState::setFoundConstants):
2476         (JSC::DFG::AtTailAbstractState::haveStructures):
2477         (JSC::DFG::AtTailAbstractState::setHaveStructures):
2478         * dfg/DFGBasicBlock.h:
2479         (JSC::DFG::BasicBlock::insertBeforeLast):
2480         * dfg/DFGBasicBlockInlines.h:
2481         (DFG):
2482         * dfg/DFGClobberSet.cpp:
2483         (JSC::DFG::ClobberSet::add):
2484         (JSC::DFG::ClobberSet::addAll):
2485         * dfg/DFGClobberize.cpp:
2486         (JSC::DFG::doesWrites):
2487         * dfg/DFGClobberize.h:
2488         (DFG):
2489         * dfg/DFGDCEPhase.cpp:
2490         (JSC::DFG::DCEPhase::DCEPhase):
2491         (JSC::DFG::DCEPhase::run):
2492         (JSC::DFG::DCEPhase::fixupBlock):
2493         (DCEPhase):
2494         * dfg/DFGEdgeDominates.h: Added.
2495         (DFG):
2496         (EdgeDominates):
2497         (JSC::DFG::EdgeDominates::EdgeDominates):
2498         (JSC::DFG::EdgeDominates::operator()):
2499         (JSC::DFG::EdgeDominates::result):
2500         (JSC::DFG::edgesDominate):
2501         * dfg/DFGFixupPhase.cpp:
2502         (JSC::DFG::FixupPhase::fixupNode):
2503         (JSC::DFG::FixupPhase::checkArray):
2504         * dfg/DFGLICMPhase.cpp: Added.
2505         (LICMPhase):
2506         (JSC::DFG::LICMPhase::LICMPhase):
2507         (JSC::DFG::LICMPhase::run):
2508         (JSC::DFG::LICMPhase::attemptHoist):
2509         (DFG):
2510         (JSC::DFG::performLICM):
2511         * dfg/DFGLICMPhase.h: Added.
2512         (DFG):
2513         * dfg/DFGPlan.cpp:
2514         (JSC::DFG::Plan::compileInThreadImpl):
2515
2516 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
2517
2518         fourthTier: DFG Nodes should be able to abstractly tell you what they read and what they write
2519         https://bugs.webkit.org/show_bug.cgi?id=118910
2520
2521         Reviewed by Sam Weinig.
2522         
2523         Add the notion of AbstractHeap to the DFG. This is analogous to the AbstractHeap in
2524         the FTL, except that the FTL's AbstractHeaps are used during LLVM lowering and are
2525         engineered to obey LLVM TBAA logic. The FTL's AbstractHeaps are also engineered to
2526         be inexpensive to use (they just give you a TBAA node) but expensive to create (you
2527         create them all up front). FTL AbstractHeaps also don't actually give you the
2528         ability to reason about aliasing; they are *just* a mechanism for lowering to TBAA.
2529         The DFG's AbstractHeaps are engineered to be both cheap to create and cheap to use.
2530         They also give you aliasing machinery. The DFG AbstractHeaps are represented
2531         internally by an int64_t. Many comparisons between them are just integer comparisons.
2532         AbstractHeaps form a three-level hierarchy (World is the supertype of everything,
2533         Kind with a TOP payload is a direct subtype of World, and Kind with a non-TOP
2534         payload is the direct subtype of its corresponding TOP Kind).
2535         
2536         Add the notion of a ClobberSet. This is the set of AbstractHeaps that you had
2537         clobbered. It represents the set that results from unifying a bunch of
2538         AbstractHeaps, and is intended to quickly answer overlap questions: does the given
2539         AbstractHeap overlap any AbstractHeap in the ClobberSet? To this end, if you add an
2540         AbstractHeap to a set, it "directly" adds the heap itself, and "super" adds all of
2541         its ancestors. An AbstractHeap is said to overlap a set if any direct or super
2542         member is equal to it, or if any of its ancestors are equal to a direct member.
2543         
2544         Example #1:
2545         
2546             - I add Variables(5). I.e. Variables is the Kind and 5 is the payload. This
2547               is a subtype of Variables, which is a subtype of World.
2548             - You query Variables. I.e. Variables with a TOP payload, which is the
2549               supertype of Variables(X) for any X, and a subtype of World.
2550             
2551             The set will have Variables(5) as a direct member, and Variables and World as
2552             super members. The Variables query will immediately return true, because
2553             Variables is indeed a super member.
2554         
2555         Example #2:
2556         
2557             - I add Variables(5)
2558             - You query NamedProperties
2559             
2560             NamedProperties is not a member at all (neither direct nor super). We next
2561             query World. World is a member, but it's a super member, so we return false.
2562         
2563         Example #3:
2564         
2565             - I add Variables
2566             - You query Variables(5)
2567             
2568             The set will have Variables as a direct member, and World as a super member.
2569             The Variables(5) query will not find Variables(5) in the set, but then it
2570             will query Variables. Variables is a direct member, so we return true.
2571         
2572         Example #4:
2573         
2574             - I add Variables
2575             - You query NamedProperties(5)
2576             
2577             Neither NamedProperties nor NamedProperties(5) are members. We next query
2578             World. World is a member, but it's a super member, so we return false.
2579         
2580         Overlap queries require that either the heap being queried is in the set (either
2581         direct or super), or that one of its ancestors is a direct member. Another way to
2582         think about how this works is that two heaps A and B are said to overlap if
2583         A.isSubtypeOf(B) or B.isSubtypeOf(A). This is sound since heaps form a
2584         single-inheritance hierarchy. Consider that we wanted to implement a set that holds
2585         heaps and answers the question, "is any member in the set an ancestor (i.e.
2586         supertype) of some other heap". We would have the set contain the heaps themselves,
2587         and we would satisfy the query "A.isSubtypeOfAny(set)" by walking the ancestor
2588         chain of A, and repeatedly querying its membership in the set. This is what the
2589         "direct" members of our set do. Now consider the other part, where we want to ask if
2590         any member of the set is a descendant of a heap, or "A.isSupertypeOfAny(set)". We
2591         would implement this by implementing set.add(B) as adding not just B but also all of
2592         B's ancestors; then we would answer A.isSupertypeOfAny(set) by just checking if A is
2593         in the set. With two such sets - one that answers isSubtypeOfAny() and another that
2594         answers isSupertypeOfAny() - we could answer the "do any of my heaps overlap your
2595         heap" question. ClobberSet does this, but combines the two sets into a single
2596         HashMap. The HashMap's value, "direct", means that the key is a member of both the
2597         supertype set and the subtype set; if it's false then it's only a member of one of
2598         them.
2599         
2600         Finally, this adds a functorized clobberize() method that adds the read and write
2601         clobbers of a DFG::Node to read and write functors. Common functors for adding to
2602         ClobberSets, querying overlap, and doing nothing are provided. Convenient wrappers
2603         are also provided. This allows you to say things like:
2604         
2605             ClobberSet set;
2606             addWrites(graph, node1, set);
2607             if (readsOverlap(graph, node2, set))
2608                 // We know that node1 may write to something that node2 may read from.
2609         
2610         Currently this facility is only used to improve graph dumping, but it will be
2611         instrumental in both LICM and GVN. In the future, I want to completely kill the
2612         NodeClobbersWorld and NodeMightClobber flags, and eradicate CSEPhase's hackish way
2613         of accomplishing almost exactly what AbstractHeap gives you.
2614
2615         * JavaScriptCore.xcodeproj/project.pbxproj:
2616         * dfg/DFGAbstractHeap.cpp: Added.
2617         (DFG):
2618         (JSC::DFG::AbstractHeap::Payload::dump):
2619         (JSC::DFG::AbstractHeap::dump):
2620         (WTF):
2621         (WTF::printInternal):
2622         * dfg/DFGAbstractHeap.h: Added.
2623         (DFG):
2624         (AbstractHeap):
2625         (Payload):
2626         (JSC::DFG::AbstractHeap::Payload::Payload):
2627         (JSC::DFG::AbstractHeap::Payload::top):
2628         (JSC::DFG::AbstractHeap::Payload::isTop):
2629         (JSC::DFG::AbstractHeap::Payload::value):
2630         (JSC::DFG::AbstractHeap::Payload::valueImpl):
2631         (JSC::DFG::AbstractHeap::Payload::operator==):
2632         (JSC::DFG::AbstractHeap::Payload::operator!=):
2633         (JSC::DFG::AbstractHeap::Payload::operator<):
2634         (JSC::DFG::AbstractHeap::Payload::isDisjoint):
2635         (JSC::DFG::AbstractHeap::Payload::overlaps):
2636         (JSC::DFG::AbstractHeap::AbstractHeap):
2637         (JSC::DFG::AbstractHeap::operator!):
2638         (JSC::DFG::AbstractHeap::kind):
2639         (JSC::DFG::AbstractHeap::payload):
2640         (JSC::DFG::AbstractHeap::isDisjoint):
2641         (JSC::DFG::AbstractHeap::overlaps):
2642         (JSC::DFG::AbstractHeap::supertype):
2643         (JSC::DFG::AbstractHeap::hash):
2644         (JSC::DFG::AbstractHeap::operator==):
2645         (JSC::DFG::AbstractHeap::operator!=):
2646         (JSC::DFG::AbstractHeap::operator<):
2647         (JSC::DFG::AbstractHeap::isHashTableDeletedValue):
2648         (JSC::DFG::AbstractHeap::payloadImpl):
2649         (JSC::DFG::AbstractHeap::encode):
2650         (JSC::DFG::AbstractHeapHash::hash):
2651         (JSC::DFG::AbstractHeapHash::equal):
2652         (AbstractHeapHash):
2653         (WTF):
2654         * dfg/DFGClobberSet.cpp: Added.
2655         (DFG):
2656         (JSC::DFG::ClobberSet::ClobberSet):
2657         (JSC::DFG::ClobberSet::~ClobberSet):
2658         (JSC::DFG::ClobberSet::add):
2659         (JSC::DFG::ClobberSet::addAll):
2660         (JSC::DFG::ClobberSet::contains):
2661         (JSC::DFG::ClobberSet::overlaps):
2662         (JSC::DFG::ClobberSet::clear):
2663         (JSC::DFG::ClobberSet::direct):
2664         (JSC::DFG::ClobberSet::super):
2665         (JSC::DFG::ClobberSet::dump):
2666         (JSC::DFG::ClobberSet::setOf):
2667         (JSC::DFG::addReads):
2668         (JSC::DFG::addWrites):
2669         (JSC::DFG::addReadsAndWrites):
2670         (JSC::DFG::readsOverlap):
2671         (JSC::DFG::writesOverlap):
2672         * dfg/DFGClobberSet.h: Added.
2673         (DFG):
2674         (ClobberSet):
2675         (JSC::DFG::ClobberSet::isEmpty):
2676         (ClobberSetAdd):
2677         (JSC::DFG::ClobberSetAdd::ClobberSetAdd):
2678         (JSC::DFG::ClobberSetAdd::operator()):
2679         (ClobberSetOverlaps):
2680         (JSC::DFG::ClobberSetOverlaps::ClobberSetOverlaps):
2681         (JSC::DFG::ClobberSetOverlaps::operator()):
2682         (JSC::DFG::ClobberSetOverlaps::result):
2683         * dfg/DFGClobberize.cpp: Added.
2684         (DFG):
2685         (JSC::DFG::didWrites):
2686         * dfg/DFGClobberize.h: Added.
2687         (DFG):
2688         (JSC::DFG::clobberize):
2689         (NoOpClobberize):
2690         (JSC::DFG::NoOpClobberize::NoOpClobberize):
2691         (JSC::DFG::NoOpClobberize::operator()):
2692         (CheckClobberize):
2693         (JSC::DFG::CheckClobberize::CheckClobberize):
2694         (JSC::DFG::CheckClobberize::operator()):
2695         (JSC::DFG::CheckClobberize::result):
2696         * dfg/DFGGraph.cpp:
2697         (JSC::DFG::Graph::dump):
2698
2699 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
2700
2701         fourthTier: It should be easy to figure out which blocks nodes belong to
2702         https://bugs.webkit.org/show_bug.cgi?id=118957
2703
2704         Reviewed by Sam Weinig.
2705
2706         * dfg/DFGGraph.cpp:
2707         (DFG):
2708         (JSC::DFG::Graph::initializeNodeOwners):
2709         * dfg/DFGGraph.h:
2710         (Graph):
2711         * dfg/DFGNode.h:
2712
2713 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
2714
2715         fourthTier: NodeExitsForward shouldn't be duplicated in NodeType
2716         https://bugs.webkit.org/show_bug.cgi?id=118956
2717
2718         Reviewed by Sam Weinig.
2719         
2720         We had two ways of expressing that something exits forward: the NodeExitsForward
2721         flag and the word 'Forward' in the NodeType. That's kind of dumb. This patch
2722         makes it just be a flag.
2723
2724         * dfg/DFGAbstractInterpreterInlines.h:
2725         (JSC::DFG::::executeEffects):
2726         * dfg/DFGArgumentsSimplificationPhase.cpp:
2727         (JSC::DFG::ArgumentsSimplificationPhase::run):
2728         * dfg/DFGCSEPhase.cpp:
2729         (JSC::DFG::CSEPhase::int32ToDoubleCSE):
2730         (JSC::DFG::CSEPhase::checkStructureElimination):
2731         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
2732         (JSC::DFG::CSEPhase::putStructureStoreElimination):
2733         (JSC::DFG::CSEPhase::checkArrayElimination):
2734         (JSC::DFG::CSEPhase::performNodeCSE):
2735         * dfg/DFGConstantFoldingPhase.cpp:
2736         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2737         * dfg/DFGFixupPhase.cpp:
2738         (JSC::DFG::FixupPhase::fixupNode):
2739         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
2740         * dfg/DFGMinifiedNode.h:
2741         (JSC::DFG::belongsInMinifiedGraph):
2742         (JSC::DFG::MinifiedNode::hasChild):
2743         * dfg/DFGNode.h:
2744         (JSC::DFG::Node::convertToStructureTransitionWatchpoint):
2745         (JSC::DFG::Node::hasStructureSet):
2746         (JSC::DFG::Node::hasStructure):
2747         (JSC::DFG::Node::hasArrayMode):
2748         (JSC::DFG::Node::willHaveCodeGenOrOSR):
2749         * dfg/DFGNodeType.h:
2750         (DFG):
2751         (JSC::DFG::needsOSRForwardRewiring):
2752         * dfg/DFGPredictionPropagationPhase.cpp:
2753         (JSC::DFG::PredictionPropagationPhase::propagate):
2754         * dfg/DFGSafeToExecute.h:
2755         (JSC::DFG::safeToExecute):
2756         * dfg/DFGSpeculativeJIT.cpp:
2757         (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
2758         * dfg/DFGSpeculativeJIT32_64.cpp:
2759         (JSC::DFG::SpeculativeJIT::compile):
2760         * dfg/DFGSpeculativeJIT64.cpp:
2761         (JSC::DFG::SpeculativeJIT::compile):
2762         * dfg/DFGTypeCheckHoistingPhase.cpp:
2763         (JSC::DFG::TypeCheckHoistingPhase::run):
2764         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2765         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2766         * dfg/DFGVariableEventStream.cpp:
2767         (JSC::DFG::VariableEventStream::reconstruct):
2768         * ftl/FTLCapabilities.cpp:
2769         (JSC::FTL::canCompile):
2770         * ftl/FTLLowerDFGToLLVM.cpp:
2771         (JSC::FTL::LowerDFGToLLVM::compileNode):
2772         (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
2773
2774 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
2775
2776         fourthTier: It should be possible for a DFG::Node to claim to exit to one CodeOrigin, but then claim that it belongs to a different CodeOrigin for all other purposes
2777         https://bugs.webkit.org/show_bug.cgi?id=118946
2778
2779         Reviewed by Geoffrey Garen.
2780         
2781         We want to decouple the exit target code origin of a node from the code origin
2782         for all other purposes. The purposes of code origins are:
2783         
2784         - Where the node will exit, if it exits. The exit target should be consistent with
2785           the surrounding nodes, in that if you just looked at the code origins of nodes in
2786           the graph, they would be consistent with the code origins in bytecode. This is
2787           necessary for live-at-bytecode analyses to work, and to preserve the original
2788           bytecode semantics when exiting.
2789         
2790         - What kind of code the node came from, for semantics thingies. For example, we
2791           might use the code origin to find the node's global object for doing an original
2792           array check. Or we might use it to determine if the code is in strict mode. Or
2793           other similar things. When we use the code origin in this way, we're basically
2794           using it as a way of describing the node's meta-data without putting it into the
2795           node directly, to save space. In the absurd extreme you could imagine nodes not
2796           even having NodeTypes or NodeFlags, and just using the CodeOrigin to determine
2797           what bytecode the node originated from. We won't do that, but you can think of
2798           this use of code origins as just a way of compressing meta-data.
2799         
2800         - What code origin we should supply profiling to, if we exit. This is closely
2801           related to the semantics thingies, in that the exit profiling is a persistent
2802           kind of semantic meta-data that survives between recompiles, and the only way to
2803           do that is to ascribe it to the original bytecode via the code origin.
2804         
2805         If we hoist a node, we need to change the exit target code origin, but we must not
2806         change the code origin for other purposes. The best way to do this is to decouple
2807         the two kinds of code origin.
2808         
2809         OSR exit data structures already do this, because they may edit the exit target
2810         code origin while keeping the code origin for profiling intact. This happens for
2811         forward exits. So, we just need to thread separation all the way back to DFG::Node.
2812         That's what this patch does.
2813
2814         * dfg/DFGNode.h:
2815         (JSC::DFG::Node::Node):
2816         (Node):
2817         * dfg/DFGOSRExit.cpp:
2818         (JSC::DFG::OSRExit::OSRExit):
2819         * dfg/DFGOSRExitBase.h:
2820         (JSC::DFG::OSRExitBase::OSRExitBase):
2821         * dfg/DFGSpeculativeJIT.cpp:
2822         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2823         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
2824         * dfg/DFGSpeculativeJIT.h:
2825         (SpeculativeJIT):
2826         * ftl/FTLLowerDFGToLLVM.cpp:
2827         (JSC::FTL::LowerDFGToLLVM::compileNode):
2828         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
2829         (LowerDFGToLLVM):
2830         * ftl/FTLOSRExit.cpp:
2831         (JSC::FTL::OSRExit::OSRExit):
2832         * ftl/FTLOSRExit.h:
2833         (OSRExit):
2834
2835 2013-07-20  Filip Pizlo  <fpizlo@apple.com>
2836
2837         fourthTier: each DFG node that relies on other nodes to do their type checks should be able to tell you if those type checks happened
2838         https://bugs.webkit.org/show_bug.cgi?id=118866
2839
2840         Reviewed by Sam Weinig.
2841         
2842         Adds a safeToExecute() method that takes a node and an abstract state and tells you
2843         if the node will run without crashing under that state.
2844
2845         * JavaScriptCore.xcodeproj/project.pbxproj:
2846         * bytecode/CodeBlock.cpp:
2847         (JSC::CodeBlock::CodeBlock):
2848         * dfg/DFGCFAPhase.cpp:
2849         (CFAPhase):
2850         (JSC::DFG::CFAPhase::CFAPhase):
2851         (JSC::DFG::CFAPhase::run):
2852         (JSC::DFG::CFAPhase::performBlockCFA):
2853         (JSC::DFG::CFAPhase::performForwardCFA):
2854         * dfg/DFGSafeToExecute.h: Added.
2855         (DFG):
2856         (SafeToExecuteEdge):
2857         (JSC::DFG::SafeToExecuteEdge::SafeToExecuteEdge):
2858         (JSC::DFG::SafeToExecuteEdge::operator()):
2859         (JSC::DFG::SafeToExecuteEdge::result):
2860         (JSC::DFG::safeToExecute):
2861         * dfg/DFGStructureAbstractValue.h:
2862         (JSC::DFG::StructureAbstractValue::isValidOffset):
2863         (StructureAbstractValue):
2864         * runtime/Options.h:
2865         (JSC):
2866
2867 2013-07-20  Filip Pizlo  <fpizlo@apple.com>
2868
2869         fourthTier: FTL should be able to generate LLVM IR that uses an intrinsic for OSR exit
2870         https://bugs.webkit.org/show_bug.cgi?id=118948
2871
2872         Reviewed by Sam Weinig.
2873         
2874         - Add the ability to generate LLVM IR but then not use it, via --llvmAlwaysFails=true.
2875           This allows doing "what if" experiments with IR generation, even if the generated IR
2876           can't yet execute.
2877         
2878         - Add an OSR exit path that just calls an intrinsic that combines the branch and the
2879           off-ramp.
2880
2881         * JavaScriptCore.xcodeproj/project.pbxproj:
2882         * dfg/DFGPlan.cpp:
2883         (JSC::DFG::Plan::compileInThreadImpl):
2884         * ftl/FTLFail.cpp: Added.
2885         (FTL):
2886         (JSC::FTL::fail):
2887         * ftl/FTLFail.h: Added.
2888         (FTL):
2889         * ftl/FTLIntrinsicRepository.h:
2890         (FTL):
2891         * ftl/FTLLowerDFGToLLVM.cpp:
2892         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
2893         (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
2894         * runtime/Options.h:
2895         (JSC):
2896
2897 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
2898
2899         fourthTier: StringObjectUse uses structures, and CSE should know that
2900         https://bugs.webkit.org/show_bug.cgi?id=118940
2901
2902         Reviewed by Geoffrey Garen.
2903         
2904         This is asymptomatic right now, but we should fix it.
2905
2906         * JavaScriptCore.xcodeproj/project.pbxproj:
2907         * dfg/DFGCSEPhase.cpp:
2908         (JSC::DFG::CSEPhase::putStructureStoreElimination):
2909         * dfg/DFGEdgeUsesStructure.h: Added.
2910         (DFG):
2911         (EdgeUsesStructure):
2912         (JSC::DFG::EdgeUsesStructure::EdgeUsesStructure):
2913         (JSC::DFG::EdgeUsesStructure::operator()):
2914         (JSC::DFG::EdgeUsesStructure::result):
2915         (JSC::DFG::edgesUseStructure):
2916         * dfg/DFGUseKind.h:
2917         (DFG):
2918         (JSC::DFG::usesStructure):
2919
2920 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
2921
2922         fourthTier: String GetByVal out-of-bounds handling is so wrong
2923         https://bugs.webkit.org/show_bug.cgi?id=118935
2924
2925         Reviewed by Geoffrey Garen.
2926         
2927         Bunch of String GetByVal out-of-bounds fixes:
2928         
2929         - Even if the string proto chain is sane, we need to watch out for negative
2930           indices. They may get values or call getters in the prototypes, since proto
2931           sanity doesn't check for negative indexed properties, as they are not
2932           technically indexed properties.
2933         
2934         - GetByVal String out-of-bounds does in fact clobberWorld(). CSE should be
2935           given this information.
2936         
2937         - GetByVal String out-of-bounds does in fact clobberWorld(). CFA should be
2938           given this information.
2939         
2940         Also fixed some other things:
2941         
2942         - If the DFG is disabled, the testRunner should pretend that we've done a
2943           bunch of DFG compiles. That's necessary to prevent the tests from timing
2944           out.
2945         
2946         - Disassembler shouldn't try to dump source code since it's not safe in the
2947           concurrent JIT.
2948
2949         * API/JSCTestRunnerUtils.cpp:
2950         (JSC::numberOfDFGCompiles):
2951         * JavaScriptCore.xcodeproj/project.pbxproj:
2952         * dfg/DFGAbstractInterpreterInlines.h:
2953         (JSC::DFG::::executeEffects):
2954         * dfg/DFGDisassembler.cpp:
2955         (JSC::DFG::Disassembler::dumpHeader):
2956         * dfg/DFGGraph.h:
2957         (JSC::DFG::Graph::byValIsPure):
2958         * dfg/DFGSaneStringGetByValSlowPathGenerator.h: Added.
2959         (DFG):
2960         (SaneStringGetByValSlowPathGenerator):
2961         (JSC::DFG::SaneStringGetByValSlowPathGenerator::SaneStringGetByValSlowPathGenerator):
2962         (JSC::DFG::SaneStringGetByValSlowPathGenerator::generateInternal):
2963         * dfg/DFGSpeculativeJIT.cpp:
2964         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2965
2966 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
2967
2968         fourthTier: Structure::isValidOffset() should be able to tell you if you're loading a valid JSValue, and not just not crashing
2969         https://bugs.webkit.org/show_bug.cgi?id=118911
2970
2971         Reviewed by Geoffrey Garen.
2972         
2973         We could also have a separate method like "willNotCrash(offset)", but that's not
2974         what isValidOffset() is intended to mean.
2975
2976         * runtime/Structure.h:
2977         (JSC::Structure::isValidOffset):
2978
2979 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
2980
2981         fourthTier: Structure should be able to tell you if it's valid to load at a given offset from any object with that structure
2982         https://bugs.webkit.org/show_bug.cgi?id=118878
2983
2984         Reviewed by Oliver Hunt.
2985         
2986         - Change Structure::isValidOffset() to actually answer the question "If I attempted
2987           to load from an object of this structure, at this offset, would I commit suicide
2988           or would I get back some kind of value?"
2989         
2990         - Change StorageAccessData::offset to use a PropertyOffset. It should have been that
2991           way from the start.
2992         
2993         - Fix PutStructure so that it sets haveStructures in all of the cases that it should.
2994         
2995         - Make GetByOffset also reference the base object in addition to the butterfly.
2996         
2997         The future use of this power will be to answer questions like "If I hoisted this
2998         GetByOffset or PutByOffset to this point, would it cause crashes, or would it be
2999         fine?"
3000         
3001         I don't currently plan to use this power to perform validation, since the CSE has
3002         the power to eliminate CheckStructure's that the CFA wouldn't be smart enough to
3003         remove - both in the case of StructureSets where size >= 2 and in the case of
3004         CheckStructures that match across PutStructures. At first I tried to write a
3005         validator that was aware of this, but the validation code got way too complicated
3006         and I started having nightmares of spurious assertion bugs being filed against me.
3007         
3008         This also changes some of the code for how we hash FunctionExecutable's for debug
3009         dumps, since that code still had some thread-safety issues. Basically, the
3010         concurrent JIT needs to use the CodeBlock's precomputed hash and never call anything
3011         that could transitively try to compute the hash from the source code. The source
3012         code is a string that may be lazily computed, and that involves all manner of thread
3013         unsafe things.
3014
3015         * bytecode/CodeOrigin.cpp:
3016         (JSC::InlineCallFrame::hash):
3017         * dfg/DFGAbstractInterpreterInlines.h:
3018         (JSC::DFG::::executeEffects):
3019         * dfg/DFGByteCodeParser.cpp:
3020         (JSC::DFG::ByteCodeParser::handleGetByOffset):
3021         (JSC::DFG::ByteCodeParser::handlePutByOffset):
3022         (JSC::DFG::ByteCodeParser::parseBlock):
3023         * dfg/DFGCFAPhase.cpp:
3024         (JSC::DFG::CFAPhase::performBlockCFA):
3025         * dfg/DFGConstantFoldingPhase.cpp:
3026         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3027         * dfg/DFGFixupPhase.cpp:
3028         (JSC::DFG::FixupPhase::fixupNode):
3029         * dfg/DFGGraph.h:
3030         (StorageAccessData):
3031         * dfg/DFGNode.h:
3032         (JSC::DFG::Node::convertToGetByOffset):
3033         * dfg/DFGSpeculativeJIT64.cpp:
3034         (JSC::DFG::SpeculativeJIT::compile):
3035         * ftl/FTLLowerDFGToLLVM.cpp:
3036         (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
3037         (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
3038         * runtime/FunctionExecutableDump.cpp:
3039         (JSC::FunctionExecutableDump::dump):
3040         * runtime/Structure.h:
3041         (Structure):
3042         (JSC::Structure::isValidOffset):
3043
3044 2013-07-18  Filip Pizlo  <fpizlo@apple.com>
3045
3046         fourthTier: AbstractInterpreter should explicitly ask AbstractState to create new AbstractValues for newly born nodes
3047         https://bugs.webkit.org/show_bug.cgi?id=118880
3048
3049         Reviewed by Sam Weinig.
3050         
3051         It should be possible to have an AbstractState that is backed by a HashMap. But to
3052         do this, the AbstractInterpreter should explicitly ask for new nodes to be added to
3053         the map, since otherwise the idiom of getting a reference to the AbstractValue
3054         returned by forNode() would cause really subtle memory corruption bugs.
3055
3056         * dfg/DFGAbstractInterpreterInlines.h:
3057         (JSC::DFG::::executeEffects):
3058         * dfg/DFGInPlaceAbstractState.h:
3059         (JSC::DFG::InPlaceAbstractState::createValueForNode):
3060         (InPlaceAbstractState):
3061
3062 2013-07-18  Filip Pizlo  <fpizlo@apple.com>
3063
3064         fourthTier: Decouple the way that CFA stores its state from the way it does abstract interpretation
3065         https://bugs.webkit.org/show_bug.cgi?id=118835
3066
3067         Reviewed by Oliver Hunt.
3068         
3069         This separates AbstractState into two things:
3070         
3071         - InPlaceAbstractState, which can tell you the abstract state of anything you
3072           might care about, and uses the old AbstractState's algorithms and data
3073           structures for doing so.
3074         
3075         - AbstractInterpreter<AbstractStateType>, which can execute a DFG::Node* with
3076           respect to an AbstractStateType. Currently we always use
3077           AbstractStateType = InPlaceAbstractState. But we could drop in another
3078           class that supports basic primitives like forNode() and variables().
3079         
3080         This is important because:
3081         
3082         - We want to hoist things out of loops.
3083
3084         - We don't know what things rely on what type checks.
3085
3086         - We only want to hoist type checks out of loops if they aren't clobbered.
3087
3088         - We may want to still hoist things that depended on those type checks, if it's
3089           safe to do those things based on the CFA state at the tail of the loop
3090           pre-header.
3091
3092         - We don't want things to rely on their type checks by way of a token, because
3093           that's just weird.
3094
3095         So, we want to be able to have a special form of the CFA that can
3096         incrementally update a basic block's state-at-tail, and we want to be able to
3097         do this for multiple blocks simultaneously. This requires *not* storing the
3098         per-node state in the nodes themselves, but instead using the at-tail HashMap
3099         directly.
3100
3101         Hence we need to have a way of making the abstract interpreter (i.e.
3102         AbstractState::execute) polymorphic with respect to state representation. Put
3103         another way, we need to separate the way that abstract state is represented
3104         from the way DFG IR is abstractly interpreted.
3105
3106         * JavaScriptCore.xcodeproj/project.pbxproj:
3107         * dfg/DFGAbstractInterpreter.h: Added.
3108         (DFG):
3109         (AbstractInterpreter):
3110         (JSC::DFG::AbstractInterpreter::forNode):
3111         (JSC::DFG::AbstractInterpreter::variables):
3112         (JSC::DFG::AbstractInterpreter::needsTypeCheck):
3113         (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
3114         (JSC::DFG::AbstractInterpreter::filter):
3115         (JSC::DFG::AbstractInterpreter::filterArrayModes):
3116         (JSC::DFG::AbstractInterpreter::filterByValue):
3117         (JSC::DFG::AbstractInterpreter::trySetConstant):
3118         (JSC::DFG::AbstractInterpreter::filterByType):
3119         * dfg/DFGAbstractInterpreterInlines.h: Added.
3120         (DFG):
3121         (JSC::DFG::::AbstractInterpreter):
3122         (JSC::DFG::::~AbstractInterpreter):
3123         (JSC::DFG::::booleanResult):
3124         (JSC::DFG::::startExecuting):
3125         (JSC::DFG::::executeEdges):
3126         (JSC::DFG::::verifyEdge):
3127         (JSC::DFG::::verifyEdges):
3128         (JSC::DFG::::executeEffects):
3129         (JSC::DFG::::execute):
3130         (JSC::DFG::::clobberWorld):
3131         (JSC::DFG::::clobberCapturedVars):
3132         (JSC::DFG::::clobberStructures):
3133         (JSC::DFG::::dump):
3134         (JSC::DFG::::filter):
3135         (JSC::DFG::::filterArrayModes):
3136         (JSC::DFG::::filterByValue):
3137         * dfg/DFGAbstractState.cpp: Removed.
3138         * dfg/DFGAbstractState.h: Removed.
3139         * dfg/DFGArgumentsSimplificationPhase.cpp:
3140         * dfg/DFGCFAPhase.cpp:
3141         (JSC::DFG::CFAPhase::CFAPhase):
3142         (JSC::DFG::CFAPhase::performBlockCFA):
3143         (CFAPhase):
3144         * dfg/DFGCFGSimplificationPhase.cpp:
3145         * dfg/DFGConstantFoldingPhase.cpp:
3146         (JSC::DFG::ConstantFoldingPhase::ConstantFoldingPhase):
3147         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3148         (ConstantFoldingPhase):
3149         * dfg/DFGInPlaceAbstractState.cpp: Added.
3150         (DFG):
3151         (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
3152         (JSC::DFG::InPlaceAbstractState::~InPlaceAbstractState):
3153         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
3154         (JSC::DFG::setLiveValues):
3155         (JSC::DFG::InPlaceAbstractState::initialize):
3156         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
3157         (JSC::DFG::InPlaceAbstractState::reset):
3158         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
3159         (JSC::DFG::InPlaceAbstractState::merge):
3160         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
3161         (JSC::DFG::InPlaceAbstractState::mergeVariableBetweenBlocks):
3162         * dfg/DFGInPlaceAbstractState.h: Added.
3163         (DFG):
3164         (InPlaceAbstractState):
3165         (JSC::DFG::InPlaceAbstractState::forNode):
3166         (JSC::DFG::InPlaceAbstractState::variables):
3167         (JSC::DFG::InPlaceAbstractState::block):
3168         (JSC::DFG::InPlaceAbstractState::didClobber):
3169         (JSC::DFG::InPlaceAbstractState::isValid):
3170         (JSC::DFG::InPlaceAbstractState::setDidClobber):
3171         (JSC::DFG::InPlaceAbstractState::setIsValid):
3172         (JSC::DFG::InPlaceAbstractState::setBranchDirection):
3173         (JSC::DFG::InPlaceAbstractState::setFoundConstants):
3174         (JSC::DFG::InPlaceAbstractState::haveStructures):
3175         (JSC::DFG::InPlaceAbstractState::setHaveStructures):
3176         * dfg/DFGMergeMode.h: Added.
3177         (DFG):
3178         * dfg/DFGSpeculativeJIT.cpp:
3179         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
3180         (JSC::DFG::SpeculativeJIT::backwardTypeCheck):
3181         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3182         (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
3183         (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
3184         (JSC::DFG::SpeculativeJIT::speculateStringObject):
3185         (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
3186         * dfg/DFGSpeculativeJIT.h:
3187         (JSC::DFG::SpeculativeJIT::needsTypeCheck):
3188         (SpeculativeJIT):
3189         * dfg/DFGSpeculativeJIT32_64.cpp:
3190         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
3191         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3192         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3193         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3194         * dfg/DFGSpeculativeJIT64.cpp:
3195         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
3196         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3197         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3198         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3199         * ftl/FTLLowerDFGToLLVM.cpp:
3200         (FTL):
3201         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
3202         (JSC::FTL::LowerDFGToLLVM::compileNode):
3203         (JSC::FTL::LowerDFGToLLVM::appendTypeCheck):
3204         (JSC::FTL::LowerDFGToLLVM::speculate):
3205         (JSC::FTL::LowerDFGToLLVM::speculateNumber):
3206         (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
3207         (LowerDFGToLLVM):
3208
3209 2013-07-18  Filip Pizlo  <fpizlo@apple.com>
3210
3211         fourthTier: DFG shouldn't create CheckStructures for array accesses except if the ArrayMode implies an original array access
3212         https://bugs.webkit.org/show_bug.cgi?id=118867
3213
3214         Reviewed by Mark Hahnenberg.
3215         
3216         This allows us to kill off a bunch of code in the parser, in fixup, and to simplify
3217         ArrayProfile.
3218
3219         It also makes it easier to ask any array-using node how to create its type check.
3220         
3221         Doing this required fixing a bug in LowLevelInterpreter64, where it was storing into
3222         an array profile, thinking that it was storing into a value profile. Reshuffling the
3223         fields in ArrayProfile revealed this.
3224
3225         * bytecode/ArrayProfile.cpp:
3226         (JSC::ArrayProfile::computeUpdatedPrediction):
3227         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
3228         * bytecode/ArrayProfile.h:
3229         (JSC::ArrayProfile::ArrayProfile):
3230         (ArrayProfile):
3231         * bytecode/CodeBlock.cpp:
3232         (JSC::CodeBlock::updateAllArrayPredictions):
3233         (JSC::CodeBlock::updateAllPredictions):
3234         * bytecode/CodeBlock.h:
3235         (CodeBlock):
3236         (JSC::CodeBlock::updateAllArrayPredictions):
3237         * dfg/DFGArrayMode.h:
3238         (ArrayMode):
3239         * dfg/DFGByteCodeParser.cpp:
3240         (JSC::DFG::ByteCodeParser::getArrayModeConsideringSlowPath):
3241         (JSC::DFG::ByteCodeParser::parseBlock):
3242         * dfg/DFGFixupPhase.cpp:
3243         (JSC::DFG::FixupPhase::fixupNode):
3244         (FixupPhase):
3245         (JSC::DFG::FixupPhase::checkArray):
3246         (JSC::DFG::FixupPhase::blessArrayOperation):
3247         * llint/LowLevelInterpreter64.asm:
3248
3249 2013-07-18  Filip Pizlo  <fpizlo@apple.com>
3250
3251         fourthTier: CFA should consider live-at-head for clobbering and dumping
3252         https://bugs.webkit.org/show_bug.cgi?id=118857
3253
3254         Reviewed by Mark Hahnenberg.
3255         
3256         - clobberStructures() was not considering nodes live-at-head when in SSA
3257           form. This means it would fail to clobber some structures.
3258         
3259         - dump() was not considering nodes live-at-head when in SSA form. This
3260           means it wouldn't dump everything that you might be interested in.
3261         
3262         - AbstractState::m_currentNode is a useless variable and we should get
3263           rid of it.
3264
3265         * dfg/DFGAbstractState.cpp:
3266         (JSC::DFG::AbstractState::AbstractState):
3267         (JSC::DFG::AbstractState::beginBasicBlock):
3268         (JSC::DFG::AbstractState::reset):
3269         (JSC::DFG::AbstractState::startExecuting):
3270         (JSC::DFG::AbstractState::clobberStructures):
3271         (JSC::DFG::AbstractState::dump):
3272         * dfg/DFGAbstractState.h:
3273         (AbstractState):
3274
3275 2013-07-16  Filip Pizlo  <fpizlo@apple.com>
3276
3277         fourthTier: Add a phase to create loop pre-headers
3278         https://bugs.webkit.org/show_bug.cgi?id=118778
3279
3280         Reviewed by Oliver Hunt.
3281         
3282         Add a loop pre-header creation phase. Any loop that doesn't already have
3283         exactly one predecessor outside the loop has a pre-header prepended. All
3284         non-loop predecessors then jump to that pre-header.
3285         
3286         Also fix a handful of bugs:
3287         
3288         - DFG::Analysis should set m_valid before running the analysis, since that
3289           makes it easier to use ASSERT(m_valid) in the analysis' methods, which
3290           may be called by the analysis before the analysis completes. NaturalLoops
3291           does this with loopsOf().
3292         
3293         - NaturalLoops::headerOf() was missing a check for innerMostLoopOf()
3294           returning 0, since that'll happen if the block isn't in any loop.
3295         
3296         - Change BlockInsertionSet to dethread the graph, since anyone using it
3297           will want to do so.
3298         
3299         - Change dethreading to ignore SSA form graphs.
3300         
3301         This also adds NaturalLoops::belongsTo(), which I almost used in the
3302         pre-header creation phase. I didn't end up using it but I'll probably use
3303         it in the near future.
3304         
3305         * JavaScriptCore.xcodeproj/project.pbxproj:
3306         * dfg/DFGAnalysis.h:
3307         (JSC::DFG::Analysis::computeIfNecessary):
3308         * dfg/DFGBlockInsertionSet.cpp:
3309         (JSC::DFG::BlockInsertionSet::execute):
3310         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
3311         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
3312         * dfg/DFGGraph.cpp:
3313         (JSC::DFG::Graph::dethread):
3314         * dfg/DFGLoopPreHeaderCreationPhase.cpp: Added.
3315         (DFG):
3316         (LoopPreHeaderCreationPhase):
3317         (JSC::DFG::LoopPreHeaderCreationPhase::LoopPreHeaderCreationPhase):
3318         (JSC::DFG::LoopPreHeaderCreationPhase::run):
3319         (JSC::DFG::performLoopPreHeaderCreation):
3320         * dfg/DFGLoopPreHeaderCreationPhase.h: Added.
3321         (DFG):
3322         * dfg/DFGNaturalLoops.h:
3323         (NaturalLoop):
3324         (JSC::DFG::NaturalLoops::headerOf):
3325         (JSC::DFG::NaturalLoops::innerMostLoopOf):
3326         (JSC::DFG::NaturalLoops::innerMostOuterLoop):
3327         (JSC::DFG::NaturalLoops::belongsTo):
3328         (NaturalLoops):
3329         * dfg/DFGPlan.cpp:
3330         (JSC::DFG::Plan::compileInThreadImpl):
3331
3332 2013-07-16  Filip Pizlo  <fpizlo@apple.com>
3333
3334         fourthTier: Rationalize Node::replacement
3335         https://bugs.webkit.org/show_bug.cgi?id=118774
3336
3337         Reviewed by Oliver Hunt.
3338         
3339         - Clearing of replacements is now done in Graph::clearReplacements().
3340         
3341         - New nodes now have replacement set to 0.
3342         
3343         - Node::replacement is now part of a 'misc' union. I'll be putting at least
3344           one other field into that union as part of LICM work (see
3345           https://bugs.webkit.org/show_bug.cgi?id=118749).
3346
3347         * dfg/DFGCPSRethreadingPhase.cpp:
3348         (JSC::DFG::CPSRethreadingPhase::run):
3349         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
3350         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
3351         * dfg/DFGCSEPhase.cpp:
3352         (JSC::DFG::CSEPhase::run):
3353         (JSC::DFG::CSEPhase::setReplacement):
3354         (JSC::DFG::CSEPhase::performBlockCSE):
3355         * dfg/DFGGraph.cpp:
3356         (DFG):
3357         (JSC::DFG::Graph::clearReplacements):
3358         * dfg/DFGGraph.h:
3359         (JSC::DFG::Graph::performSubstitutionForEdge):
3360         (Graph):
3361         * dfg/DFGNode.h:
3362         (JSC::DFG::Node::Node):
3363         * dfg/DFGSSAConversionPhase.cpp:
3364         (JSC::DFG::SSAConversionPhase::run):
3365
3366 2013-07-16  Filip Pizlo  <fpizlo@apple.com>
3367
3368         fourthTier: NaturalLoops should be able to quickly answer questions like "what loops own this basic block"
3369         https://bugs.webkit.org/show_bug.cgi?id=118750
3370
3371         Reviewed by Mark Hahnenberg.
3372
3373         * dfg/DFGBasicBlock.h:
3374         (BasicBlock):
3375         * dfg/DFGNaturalLoops.cpp:
3376         (JSC::DFG::NaturalLoops::compute):
3377         (JSC::DFG::NaturalLoops::loopsOf):
3378         * dfg/DFGNaturalLoops.h:
3379         (DFG):
3380         (JSC::DFG::NaturalLoop::NaturalLoop):
3381         (NaturalLoop):
3382         (JSC::DFG::NaturalLoop::index):
3383         (JSC::DFG::NaturalLoop::isOuterMostLoop):
3384         (JSC::DFG::NaturalLoop::addBlock):
3385         (JSC::DFG::NaturalLoops::headerOf):
3386         (JSC::DFG::NaturalLoops::innerMostLoopOf):
3387         (NaturalLoops):
3388         (JSC::DFG::NaturalLoops::innerMostOuterLoop):
3389         * dfg/DFGPlan.cpp:
3390         (JSC::DFG::Plan::compileInThreadImpl):
3391
3392 2013-07-16  Filip Pizlo  <fpizlo@apple.com>
3393
3394         fourthTier: don't GC when shutting down the VM
3395         https://bugs.webkit.org/show_bug.cgi?id=118751
3396
3397         Reviewed by Mark Hahnenberg.
3398