2bc2530e53b42187664cff98ef45cba4479fa6dc
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2011-09-26  Noel Gordon  <noel.gordon@gmail.com>

        [Chromium] Remove DFGAliasTracker.h references from gyp project files
        https://bugs.webkit.org/show_bug.cgi?id=68787

        Reviewed by Geoffrey Garen.

        DFG/DFGAliasTracker.h was removed in r95389.  Clean up (remove) references
        to that file from the gyp project files.

        * JavaScriptCore.gypi:

2011-09-26  Zoltan Herczeg  <zherczeg@webkit.org>

        [Qt] REGRESSION(r95865): It made 4 tests crash
        https://bugs.webkit.org/show_bug.cgi?id=68780

        Reviewed by Oliver Hunt.

        emitJumpSlowCaseIfNotJSCell(...) cannot be moved
        away since the next load depends on it.

        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_val):

2011-09-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add custom vtable struct to ClassInfo struct
        https://bugs.webkit.org/show_bug.cgi?id=68567

        Reviewed by Oliver Hunt.

        Declared/defined the MethodTable struct and added it to the ClassInfo struct.
        Also defined the CREATE_METHOD_TABLE macro to generate these method tables
        succinctly where they need to be defined.

        Also added to it the first function to use this macro, visitChildren.

        This is part of the process of getting rid of all C++ virtual methods in JSCell.
        Eventually all virtual functions in JSCell that can't easily be converted to
        non-virtual functions will be put into this custom vtable structure.
        * runtime/ClassInfo.h:

        Added the CREATE_METHOD_TABLE macro call as the last argument to each of the
        ClassInfo structs declared in these classes.  This saves us from having to visit
        each s_info definition in the future when we add more methods to the MethodTable.
        * API/JSCallbackConstructor.cpp:
        * API/JSCallbackFunction.cpp:
        * API/JSCallbackObject.cpp:
        * JavaScriptCore.exp:
        * runtime/Arguments.cpp:
        * runtime/ArrayConstructor.cpp:
        * runtime/ArrayPrototype.cpp:
        * runtime/BooleanObject.cpp:
        * runtime/BooleanPrototype.cpp:
        * runtime/DateConstructor.cpp:
        * runtime/DateInstance.cpp:
        * runtime/DatePrototype.cpp:
        * runtime/ErrorInstance.cpp:
        * runtime/ErrorPrototype.cpp:
        * runtime/ExceptionHelpers.cpp:
        * runtime/Executable.cpp:
        * runtime/GetterSetter.cpp:
        * runtime/InternalFunction.cpp:
        * runtime/JSAPIValueWrapper.cpp:
        * runtime/JSActivation.cpp:
        * runtime/JSArray.cpp:
        * runtime/JSByteArray.cpp:
        * runtime/JSFunction.cpp:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSONObject.cpp:
        * runtime/JSObject.cpp:
        * runtime/JSPropertyNameIterator.cpp:
        * runtime/JSString.cpp:
        * runtime/MathObject.cpp:
        * runtime/NativeErrorConstructor.cpp:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberObject.cpp:
        * runtime/NumberPrototype.cpp:
        * runtime/ObjectConstructor.cpp:
        * runtime/ObjectPrototype.cpp:
        * runtime/RegExp.cpp:
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpObject.cpp:
        * runtime/RegExpPrototype.cpp:
        * runtime/ScopeChain.cpp:
        * runtime/StringConstructor.cpp:
        * runtime/StringObject.cpp:
        * runtime/StringPrototype.cpp:
        * runtime/Structure.cpp:
        * runtime/StructureChain.cpp:

        Had to make visitChildren and visitChildrenVirtual protected instead of private
        because some of the subclasses of JSWrapperObject need access to JSWrapperObject's
        visitChildren function pointer in their vtable since they don't provide their own
        implementation. Same for RegExpObject.
        * runtime/JSWrapperObject.h:
        * runtime/RegExpObject.h:

2011-09-25  Adam Barth  <abarth@webkit.org>

        Finish removing PLATFORM(BREWMP) by removing associated code
        https://bugs.webkit.org/show_bug.cgi?id=68779

        Reviewed by Sam Weinig.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:
        * JavaScriptCore.gypi:
        * gyp/JavaScriptCore.gyp:
        * wscript:
        * wtf/FastMalloc.cpp:
        (WTF::fastMallocSize):
        * wtf/Vector.h:
        * wtf/brew: Removed.
        * wtf/brew/MainThreadBrew.cpp: Removed.
        * wtf/brew/OwnPtrBrew.cpp: Removed.
        * wtf/brew/RefPtrBrew.h: Removed.
        * wtf/brew/ShellBrew.h: Removed.
        * wtf/brew/StringBrew.cpp: Removed.
        * wtf/brew/SystemMallocBrew.h: Removed.
        * wtf/unicode/brew: Removed.
        * wtf/unicode/brew/UnicodeBrew.cpp: Removed.
        * wtf/unicode/brew/UnicodeBrew.h: Removed.

2011-09-25  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not count speculation successes correctly
        https://bugs.webkit.org/show_bug.cgi?id=68785

        Reviewed by Geoffrey Garen.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileBody):
        * dfg/DFGOperations.cpp:

2011-09-25  Filip Pizlo  <fpizlo@apple.com>

        DFG support for op_resolve_global is not enabled
        https://bugs.webkit.org/show_bug.cgi?id=68786

        Reviewed by Geoffrey Garen.

        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):

2011-09-25  Filip Pizlo  <fpizlo@apple.com>

        DFG static prediction code is no longer needed and should be removed
        https://bugs.webkit.org/show_bug.cgi?id=68784

        Reviewed by Oliver Hunt.

        This gets rid of static prediction code, and ensures that we do not
        try to compile code where dynamic predictions are not available.
        This is accomplished by immediately performing an OSR exit wherever
        a value is retrieved for which no predictions exist.

        This also adds value profiling for this on functions used for calls.

        The heuristics for deciding when to optimize code are also tweaked,
        since it is now profitable to optimize sooner. This may need to be
        tweaked further, but this patch only makes minimal changes.

        This results in a 16% speed-up on Kraken/ai-astar, leading to a 3%
        overall win on Kraken.  It's neutral elsewhere.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::shouldOptimizeNow):
        (JSC::CodeBlock::dumpValueProfiles):
        * bytecode/CodeBlock.h:
        * bytecode/PredictedType.cpp:
        (JSC::predictionToString):
        * bytecode/PredictedType.h:
        (JSC::isCellPrediction):
        (JSC::isObjectPrediction):
        (JSC::isFinalObjectPrediction):
        (JSC::isStringPrediction):
        (JSC::isArrayPrediction):
        (JSC::isInt32Prediction):
        (JSC::isDoublePrediction):
        (JSC::isNumberPrediction):
        (JSC::isBooleanPrediction):
        (JSC::mergePredictions):
        * bytecode/PredictionTracker.h:
        (JSC::PredictionTracker::predictArgument):
        (JSC::PredictionTracker::predict):
        (JSC::PredictionTracker::predictGlobalVar):
        * bytecode/ValueProfile.cpp:
        (JSC::ValueProfile::computeUpdatedPrediction):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::set):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::getPrediction):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predict):
        (JSC::DFG::Graph::predictGlobalVar):
        (JSC::DFG::Graph::getMethodCheckPrediction):
        (JSC::DFG::Graph::getJSConstantPrediction):
        (JSC::DFG::Graph::getPrediction):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::writeBarrier):
        (JSC::DFG::JITCodeGenerator::emitBranch):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::getPrediction):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::valueOfJSConstantNode):
        (JSC::DFG::Node::isInt32Constant):
        (JSC::DFG::Node::isDoubleConstant):
        (JSC::DFG::Node::isNumberConstant):
        (JSC::DFG::Node::isBooleanConstant):
        (JSC::DFG::Node::predict):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::Propagator):
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::isPredictedNumerical):
        (JSC::DFG::Propagator::logicalNotIsPure):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::shouldSpeculateInteger):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateNumber):
        (JSC::DFG::SpeculativeJIT::shouldNotSpeculateInteger):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateFinalObject):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateArray):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateObject):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateCell):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):

2011-09-25  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT Construct opcode takes a this argument even though it's
        not passed
        https://bugs.webkit.org/show_bug.cgi?id=68782

        Reviewed by Oliver Hunt.

        This is performance-neutral, mostly. It's a slight speed-up on
        v8-splay.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addCall):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):

2011-09-25  Filip Pizlo  <fpizlo@apple.com>

        DFG tracking of the value in cachedResultRegister does not handle
        op_mov correctly
        https://bugs.webkit.org/show_bug.cgi?id=68781

        Reviewed by Oliver Hunt.

        This takes the simplest approach: it makes the old JIT dumber rather
        than making the DFG JIT smarter. This is performance-neutral.

        * jit/JIT.h:
        (JSC::JIT::canBeOptimized):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_mov):

2011-09-25  Adam Barth  <abarth@webkit.org>

        Remove PLATFORM(HAIKU) and associated code
        https://bugs.webkit.org/show_bug.cgi?id=68774

        Reviewed by Sam Weinig.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:
        * JavaScriptCore.gypi:
        * gyp/JavaScriptCore.gyp:
        * heap/MachineStackMarker.cpp:
        * wtf/PageAllocation.h:
        * wtf/Platform.h:
        * wtf/StackBounds.cpp:
        * wtf/haiku: Removed.
        * wtf/haiku/MainThreadHaiku.cpp: Removed.
        * wtf/haiku/StringHaiku.cpp: Removed.
        * wtf/text/WTFString.h:

2011-09-24  Adam Barth  <abarth@webkit.org>

        Always enable ENABLE(OFFLINE_WEB_APPLICATIONS)
        https://bugs.webkit.org/show_bug.cgi?id=68767

        Reviewed by Eric Seidel.

        * Configurations/FeatureDefines.xcconfig:

2011-09-24  Filip Pizlo  <fpizlo@apple.com>

        JIT implementation of put_by_val increments m_length instead of setting
        it to index+1
        https://bugs.webkit.org/show_bug.cgi?id=68766

        Reviewed by Geoffrey Garen.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_val):

2011-09-24  Geoffrey Garen  <ggaren@apple.com>

        More build fixage.

        * heap/ConservativeRoots.cpp: Our system of #includes, it is chaos.

2011-09-24  Filip Pizlo  <fpizlo@apple.com>

        The DFG should not attempt to guess types in the absence of value
        profiles
        https://bugs.webkit.org/show_bug.cgi?id=68677

        Reviewed by Oliver Hunt.

        This adds the ForceOSRExit node, which is ignored by the propagator
        and virtual register allocator (hence ensuring that liveness analysis
        works correctly), but forces terminateSpeculativeExecution() in the
        back-end. This appears to be a slight speed-up on benchmark averages,
        with ~5% swings on individual benchmarks, in both directions. But it's
        never a regression on any average, and appears to be a ~1% progression
        in the SunSpider average.

        This also adds a bit better debugging support in the old JIT and in DFG,
        as this was necessary to debug the much more frequent OSR transitions
        that occur with this change.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::getStrongPrediction):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:

2011-09-24  Geoffrey Garen  <ggaren@apple.com>

        Some Windows build fixage.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::sweep):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::isLive): Show the compiler that all control paths
        return a value. There, there, compiler. Everything's going to be OK.

        * runtime/JSCell.h:
        (JSC::JSCell::setVPtr): Oops! Unrename this function.

2011-09-24  Geoffrey Garen  <ggaren@apple.com>

        Allocate new objects unmarked
        https://bugs.webkit.org/show_bug.cgi?id=68764

        Reviewed by Oliver Hunt.

        This is a pre-requisite to using the mark bit to determine object age.

        ~2% v8 speedup, mostly due to a 12% v8-splay speedup.

        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::isLive):
        (JSC::MarkedBlock::isLiveCell): These two functions are the reason for
        this patch. They can now determine object liveness without relying on
        newly allocated objects having their mark bits set. Each MarkedBlock
        now has a state variable that tells us how to determine whether its
        cells are live. (This new state variable supersedes the old one about
        destructor state. The rest of this patch is just refactoring to support
        the invariants of this new state variable without introducing a
        performance regression.)

        (JSC::MarkedBlock::didConsumeFreeList): New function for updating internal
        state when a block becomes fully allocated.

        (JSC::MarkedBlock::clearMarks): Folded a state change to 'Marked' into
        this function because, logically, clearing all mark bits is the first
        step in saying "mark bits now exactly reflect object liveness".

        (JSC::MarkedBlock::markCountIsZero): Renamed from isEmpty() to clarify
        that this function only tells you about the mark bits, so it's only
        meaningful if you've put the mark bits into a meaningful state before
        calling it.

        (JSC::MarkedBlock::forEachCell): Changed to use isLive() helper function
        instead of testing mark bits, since mark bits are not always the right
        way to find out if an object is live anymore. (New objects are live, but
        not marked.)

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::recycle):
        (JSC::MarkedBlock::MarkedBlock): Folded all initialization -- even
        initialization when recycling an old block -- into the MarkedBlock
        constructor, for simplicity.

        (JSC::MarkedBlock::callDestructor): Inlined for speed. Always check for
        a zapped cell before running a destructor, and always zap after
        running a destructor. This does not seem to be expensive, and the
        alternative just creates a too-confusing matrix of possible cell states
        ((zombie undestructed cell + zombie destructed cell + zapped destructed
        cell) * 5! permutations for progressing through block states = "Oh my!").

        (JSC::MarkedBlock::specializedSweep):
        (JSC::MarkedBlock::sweep): Maintained and expanded a pre-existing
        optimization to use template specialization to constant fold lots of
        branches and elide certain operations entirely during a sweep. Merged
        four or five functions that were logically about sweeping into this one
        function pair, so there's only one way to do things now, it's
        automatically correct, and it's always fast.

        (JSC::MarkedBlock::zapFreeList): Renamed this function to be more explicit
        about exactly what it does, and to honor the new block state system.

        * heap/AllocationSpace.cpp:
        (JSC::AllocationSpace::allocateBlock): Updated for rename.

        (JSC::AllocationSpace::freeBlocks): Updated for changed interface.

        (JSC::TakeIfUnmarked::TakeIfUnmarked):
        (JSC::TakeIfUnmarked::operator()):
        (JSC::TakeIfUnmarked::returnValue): Just like isEmpty() above, renamed
        to clarify that this functor only tests the mark bits, so it's only
        valid if you've put the mark bits into a meaningful state before
        calling it.

        (JSC::AllocationSpace::shrink): Updated for rename.

        * heap/AllocationSpace.h:
        (JSC::AllocationSpace::canonicalizeCellLivenessData): Renamed to be a
        little more specific about what we're making canonical.

        (JSC::AllocationSpace::forEachCell): Updated for rename.

        (JSC::AllocationSpace::forEachBlock): No need to canonicalize cell
        liveness data before iterating blocks -- clients that want iterated
        blocks to have valid cell liveness data should make this call for
        themselves. (And not all clients want it.)

        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::genericAddPointer): Updated for rename. Removed
        obsolete comment.

        * heap/Heap.cpp:
        (JSC::CountFunctor::ClearMarks::operator()): Removed call to notify...()
        because clearMarks() now does that implicitly.

        (JSC::Heap::destroy): Make sure to canonicalize before tear-down, since
        tear-down tests cell liveness when running destructors.

        (JSC::Heap::markRoots):
        (JSC::Heap::collect): Moved weak reference harvesting out of markRoots()
        and into collect, since it strictly depends on root marking, and does
        not contribute to root marking.

        (JSC::Heap::canonicalizeCellLivenessData): Renamed to be a little more
        specific about what we're making canonical.

        * heap/Heap.h:
        (JSC::Heap::forEachProtectedCell): No need to canonicalize cell liveness
        data before iterating protected cells, since we know they're all live,
        and don't need to test for it.

        * heap/Local.h:
        (JSC::::set): Can't make the same ASSERT we used to because we just don't
        have the mark bits for it anymore. Perhaps we can bring this ASSERT back
        in a weaker form in the future.

        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::addBlock):
        (JSC::MarkedSpace::removeBlock): Updated for interface change.
        (JSC::MarkedSpace::canonicalizeCellLivenessData): Renamed to be a little more
        specific about what we're making canonical.

        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::allocate):
        (JSC::MarkedSpace::SizeClass::SizeClass):
        (JSC::MarkedSpace::SizeClass::resetAllocator):
        (JSC::MarkedSpace::SizeClass::zapFreeList): Simplified this allocator
        functionality a bit. We now track only one block -- "currentBlock" --
        and rely on its internal state to know whether it has more cells to
        allocate.

        * heap/Weak.h:
        (JSC::Weak::set): Can't make the same ASSERT we used to because we just don't
        have the mark bits for it anymore. Perhaps we can bring this ASSERT back
        in a weaker form in the future.

        * runtime/JSCell.h:
        (JSC::JSCell::vptr):
        (JSC::JSCell::zap):
        (JSC::JSCell::isZapped):
        (JSC::isZapped): Made zapping a property of JSCell, for a little abstraction.
        In the future, exactly how a JSCell zaps itself will change, as the
        internal representation of JSCell changes.

2011-09-24  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT should not eagerly initialize integer tags in the register file
        https://bugs.webkit.org/show_bug.cgi?id=68763

        Reviewed by Oliver Hunt.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::ValueRecovery::dump):
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::ValueRecovery::alreadyInRegisterFileAsUnboxedInt32):
        (JSC::DFG::OSRExit::operandForArgument):
        (JSC::DFG::OSRExit::operandForIndex):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):

2011-09-23  Yuqiang Xian  <yuqiang.xian@intel.com>

        Add JSVALUE32_64 support to DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=67460

        Reviewed by Gavin Barraclough.

        This is the initial attempt to add JSVALUE32_64 support to DFG JIT.
        It's tested on the IA32 Linux EFL port currently. It still cannot run
        all the test cases and benchmarks so should be turned off now.

        The major work includes:
        1) dealing with JSVALUE32_64 data format in DFG JIT;
        2) bindings between 64-bit JS Value and 32-bit registers;
        3) handling of function calls. Currently for DFG operation function
        calls we follow the X86 cdecl calling convention on Linux, and the
        implementation is in a naive way by pushing the arguments onto the stack
        one by one.

        The known issues include:
        1) some code is duplicated unnecessarily, especially in Speculative JIT
        code generation, where most of the operations on SpeculateInteger /
        SpeculateDouble should be identical to the JSVALUE64 code. Refactoring
        is needed in the future;
        2) lack of op_call and op_construct support, compared to current
        JSVALUE64 DFG;
        3) currently integer speculations assume to be StrictInt32;
        4) lack of JSBoolean speculations;
        5) boxing and unboxing doubles could be improved;
        6) DFG X86 register description is different from the baseline JIT,
        the timeoutCheckRegister is used for general purpose usage;
        7) calls to runtime functions with primitive double parameters (e.g.
        fmod) don't work. Support needs to be added to the assembler to
        implement the mechanism of passing double parameters for X86 cdecl
        convention.

        And there should be many other hidden bugs which should be exposed and
        resolved in the later debugging process.

        * CMakeListsEfl.txt:
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::loadDouble):
        (JSC::MacroAssemblerX86::storeDouble):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::movsd_rm):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGFPRInfo.h:
        (JSC::DFG::FPRInfo::debugName):
        * dfg/DFGGPRInfo.h:
        (JSC::DFG::GPRInfo::toRegister):
        (JSC::DFG::GPRInfo::toIndex):
        (JSC::DFG::GPRInfo::debugName):
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::needDataFormatConversion):
        (JSC::DFG::GenerationInfo::initJSValue):
        (JSC::DFG::GenerationInfo::initDouble):
        (JSC::DFG::GenerationInfo::gpr):
        (JSC::DFG::GenerationInfo::tagGPR):
        (JSC::DFG::GenerationInfo::payloadGPR):
        (JSC::DFG::GenerationInfo::fpr):
        (JSC::DFG::GenerationInfo::fillJSValue):
        (JSC::DFG::GenerationInfo::fillCell):
        (JSC::DFG::GenerationInfo::fillDouble):
        * dfg/DFGJITCodeGenerator.cpp:
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::allocate):
        (JSC::DFG::JITCodeGenerator::use):
        (JSC::DFG::JITCodeGenerator::registersMatched):
        (JSC::DFG::JITCodeGenerator::silentSpillGPR):
        (JSC::DFG::JITCodeGenerator::silentFillGPR):
        (JSC::DFG::JITCodeGenerator::silentFillFPR):
        (JSC::DFG::JITCodeGenerator::silentSpillAllRegisters):
        (JSC::DFG::JITCodeGenerator::silentFillAllRegisters):
        (JSC::DFG::JITCodeGenerator::boxDouble):
        (JSC::DFG::JITCodeGenerator::unboxDouble):
        (JSC::DFG::JITCodeGenerator::spill):
        (JSC::DFG::addressOfDoubleConstant):
        (JSC::DFG::integerResult):
        (JSC::DFG::jsValueResult):
        (JSC::DFG::setupResults):
        (JSC::DFG::callOperation):
        (JSC::JSValueOperand::JSValueOperand):
        (JSC::JSValueOperand::~JSValueOperand):
        (JSC::JSValueOperand::isDouble):
        (JSC::JSValueOperand::fill):
        (JSC::JSValueOperand::tagGPR):
        (JSC::JSValueOperand::payloadGPR):
        (JSC::JSValueOperand::fpr):
        (JSC::GPRTemporary::~GPRTemporary):
        (JSC::GPRTemporary::gpr):
        (JSC::GPRResult2::GPRResult2):
        * dfg/DFGJITCodeGenerator32_64.cpp: Added.
        (JSC::DFG::JITCodeGenerator::clearGenerationInfo):
        (JSC::DFG::JITCodeGenerator::fillInteger):
        (JSC::DFG::JITCodeGenerator::fillDouble):
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        (JSC::DFG::JITCodeGenerator::fillStorage):
        (JSC::DFG::JITCodeGenerator::useChildren):
        (JSC::DFG::JITCodeGenerator::isStrictInt32):
        (JSC::DFG::JITCodeGenerator::isKnownInteger):
        (JSC::DFG::JITCodeGenerator::isKnownNumeric):
        (JSC::DFG::JITCodeGenerator::isKnownCell):
        (JSC::DFG::JITCodeGenerator::isKnownNotInteger):
        (JSC::DFG::JITCodeGenerator::isKnownNotNumber):
        (JSC::DFG::JITCodeGenerator::isKnownBoolean):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeUInt32ToNumber):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeArithMod):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeCheckHasInstance):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeInstanceOf):
        (JSC::DFG::JITCodeGenerator::cachedGetById):
        (JSC::DFG::JITCodeGenerator::writeBarrier):
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        (JSC::DFG::JITCodeGenerator::cachedGetMethod):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeCompareNull):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeStrictEq):
        (JSC::DFG::JITCodeGenerator::emitBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeLogicalNot):
        (JSC::DFG::JITCodeGenerator::emitCall):
        (JSC::DFG::JITCodeGenerator::speculationCheck):
        (JSC::DFG::dataFormatString):
        (JSC::DFG::JITCodeGenerator::dump):
        (JSC::DFG::JITCodeGenerator::checkConsistency):
        (JSC::DFG::GPRTemporary::GPRTemporary):
        (JSC::DFG::FPRTemporary::FPRTemporary):
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::tagForGlobalVar):
        (JSC::DFG::JITCompiler::payloadForGlobalVar):
        (JSC::DFG::JITCompiler::appendCallWithExceptionCheck):
        (JSC::DFG::JITCompiler::addressOfDoubleConstant):
        (JSC::DFG::JITCompiler::boxDouble):
        (JSC::DFG::JITCompiler::unboxDouble):
        (JSC::DFG::JITCompiler::addPropertyAccess):
        (JSC::DFG::JITCompiler::PropertyAccessRecord::PropertyAccessRecord):
        * dfg/DFGJITCompiler32_64.cpp: Added.
        (JSC::DFG::JITCompiler::fillNumericToDouble):
        (JSC::DFG::JITCompiler::fillInt32ToInteger):
        (JSC::DFG::JITCompiler::fillToJS):
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileBody):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::jitAssertIsInt32):
        (JSC::DFG::JITCompiler::jitAssertIsJSInt32):
        (JSC::DFG::JITCompiler::jitAssertIsJSNumber):
        (JSC::DFG::JITCompiler::jitAssertIsJSDouble):
        (JSC::DFG::JITCompiler::jitAssertIsCell):
        (JSC::DFG::JITCompiler::emitCount):
        (JSC::DFG::JITCompiler::setSamplingFlag):
        (JSC::DFG::JITCompiler::clearSamplingFlag):
        * dfg/DFGJITCompilerInlineMethods.h: Added.
        (JSC::DFG::JITCompiler::emitLoadTag):
        (JSC::DFG::JITCompiler::emitLoadPayload):
        (JSC::DFG::JITCompiler::emitLoad):
        (JSC::DFG::JITCompiler::emitLoad2):
        (JSC::DFG::JITCompiler::emitLoadDouble):
        (JSC::DFG::JITCompiler::emitLoadInt32ToDouble):
        (JSC::DFG::JITCompiler::emitStore):
        (JSC::DFG::JITCompiler::emitStoreInt32):
        (JSC::DFG::JITCompiler::emitStoreCell):
        (JSC::DFG::JITCompiler::emitStoreBool):
        (JSC::DFG::JITCompiler::emitStoreDouble):
        * dfg/DFGNode.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::generateProtoChainAccessStub):
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDList):
        (JSC::DFG::tryCachePutByID):
        * dfg/DFGSpeculativeJIT.cpp:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::ValueRecovery::inGPR):
        (JSC::DFG::ValueRecovery::inPair):
        (JSC::DFG::ValueRecovery::tagGPR):
        (JSC::DFG::ValueRecovery::payloadGPR):
        * dfg/DFGSpeculativeJIT32_64.cpp: Added.
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::ValueSource::dump):
        (JSC::DFG::ValueRecovery::dump):
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::OSRExit::dump):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
        (JSC::DFG::SpeculativeJIT::convertToDouble):
734         (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
735         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
736         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
737         (JSC::DFG::SpeculativeJIT::compare):
738         (JSC::DFG::SpeculativeJIT::compile):
739         (JSC::DFG::SpeculativeJIT::compileMovHint):
740         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
741         (JSC::DFG::SpeculativeJIT::initializeVariableTypes):
742         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
743         * runtime/JSValue.h:
744
745 2011-09-23  Filip Pizlo  <fpizlo@apple.com>
746
747         wtf/BitVector.h has a variety of bugs which manifest when the
748         vector grows beyond 63 bits
749         https://bugs.webkit.org/show_bug.cgi?id=68746
750
751         Reviewed by Oliver Hunt.
752         
753         Out-of-lined slow path code in BitVector so that not every user
754         of CodeBlock ends up having to compile it. Fixed a variety of
755         index computation and size computation bugs.
756         
757         I have not seen these issues manifest themselves, but they are
758         blocking a patch that uses BitVector more aggressively.
759
760         * GNUmakefile.list.am:
761         * JavaScriptCore.vcproj/WTF/WTF.vcproj:
762         * JavaScriptCore.xcodeproj/project.pbxproj:
763         * wtf/BitVector.cpp: Added.
764         (BitVector::BitVector):
765         (BitVector::operator=):
766         (BitVector::resize):
767         (BitVector::clearAll):
768         (BitVector::OutOfLineBits::create):
769         (BitVector::OutOfLineBits::destroy):
770         (BitVector::resizeOutOfLine):
771         * wtf/BitVector.h:
772         (WTF::BitVector::ensureSize):
773         (WTF::BitVector::get):
774         (WTF::BitVector::set):
775         (WTF::BitVector::clear):
776         (WTF::BitVector::byteCount):
777         (WTF::BitVector::OutOfLineBits::numWords):
778         (WTF::BitVector::OutOfLineBits::bits):
779         (WTF::BitVector::outOfLineBits):
780         * wtf/CMakeLists.txt:
781         * wtf/wtf.pri:
782
783 2011-09-23  Adam Klein  <adamk@chromium.org>
784
785         Add ENABLE_MUTATION_OBSERVERS feature flag
786         https://bugs.webkit.org/show_bug.cgi?id=68732
787
788         Reviewed by Ojan Vafai.
789
790         This flag will guard an implementation of the "Mutation Observers" proposed in
791         http://lists.w3.org/Archives/Public/public-webapps/2011JulSep/1622.html
792
793         * Configurations/FeatureDefines.xcconfig:
794
795 2011-09-23  Mark Hahnenberg  <mhahnenberg@apple.com>
796
797         De-virtualize JSCell::getJSNumber
798         https://bugs.webkit.org/show_bug.cgi?id=68651
799
800         Reviewed by Oliver Hunt.
801
802         Added a new JSType to check whether or not something is a 
803         NumberObject (which includes NumberPrototype) in TypeInfo::isNumberObject because there's not 
804         currently a better way to determine whether something is indeed a NumberObject.
805         Also de-virtualized JSCell::getJSNumber, having it check the TypeInfo 
806         for whether the object is a NumberObject or not.  This patch is part of 
807         the larger process of de-virtualizing JSCell.
808
809         * JavaScriptCore.exp:
810         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
811         * runtime/JSCell.cpp:
812         (JSC::JSCell::getJSNumber):
813         * runtime/JSCell.h:
814         (JSC::JSValue::getJSNumber):
815         * runtime/JSType.h:
816         * runtime/JSTypeInfo.h:
817         (JSC::TypeInfo::isNumberObject):
818         * runtime/JSValue.h:
819         * runtime/NumberObject.cpp:
820         (JSC::NumberObject::getJSNumber):
821         * runtime/NumberObject.h:
822         (JSC::NumberObject::createStructure):
823         * runtime/NumberPrototype.h:
824         (JSC::NumberPrototype::createStructure):
825
826 2011-09-23  Filip Pizlo  <fpizlo@apple.com>
827
828         Resolve opcodes should have value profiling.
829         https://bugs.webkit.org/show_bug.cgi?id=68723
830
831         Reviewed by Oliver Hunt.
832         
833         This adds value profiling to all forms of op_resolve in the
834         old JIT, and patches that information into the DFG along with
835         performing the appropriate type propagation.
836
837         * dfg/DFGByteCodeParser.cpp:
838         (JSC::DFG::ByteCodeParser::parseBlock):
839         * dfg/DFGGraph.h:
840         (JSC::DFG::Graph::predict):
841         * dfg/DFGNode.h:
842         (JSC::DFG::Node::hasIdentifier):
843         (JSC::DFG::Node::resolveGlobalDataIndex):
844         (JSC::DFG::Node::hasPrediction):
845         * dfg/DFGPropagator.cpp:
846         (JSC::DFG::Propagator::propagateNodePredictions):
847         * dfg/DFGSpeculativeJIT.cpp:
848         (JSC::DFG::SpeculativeJIT::compile):
849         * jit/JITOpcodes.cpp:
850         (JSC::JIT::emit_op_resolve):
851         (JSC::JIT::emit_op_resolve_base):
852         (JSC::JIT::emit_op_resolve_skip):
853         (JSC::JIT::emit_op_resolve_global):
854         (JSC::JIT::emitSlow_op_resolve_global):
855         (JSC::JIT::emit_op_resolve_with_base):
856         (JSC::JIT::emit_op_resolve_with_this):
857         (JSC::JIT::emitSlow_op_resolve_global_dynamic):
858         * jit/JITStubCall.h:
859         (JSC::JITStubCall::callWithValueProfiling):
860
861 2011-09-23  Oliver Hunt  <oliver@apple.com>
862
863         Fix windows build.
864
865         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
866
867 2011-09-23  Gavin Barraclough  <barraclough@apple.com>
868
869         Strict mode does not work in non-trivial nested functions.
870         https://bugs.webkit.org/show_bug.cgi?id=68740
871
872         Reviewed by Oliver Hunt.
873
874         Function-info caching does not preserve all state that it should.
875
876         * parser/JSParser.cpp:
877         (JSC::JSParser::Scope::saveFunctionInfo):
878         (JSC::JSParser::Scope::restoreFunctionInfo):
879         (JSC::JSParser::parseFunctionInfo):
880         * parser/SourceProviderCacheItem.h:
881
882 2011-09-23  Filip Pizlo  <fpizlo@apple.com>
883
884         ValueToDouble handling in prediction propagation should be ASSERT_NOT_REACHED
885         https://bugs.webkit.org/show_bug.cgi?id=68724
886
887         Reviewed by Oliver Hunt.
888
889         * dfg/DFGPropagator.cpp:
890         (JSC::DFG::Propagator::propagateNodePredictions):
891
892 2011-09-23  Oliver Hunt  <oliver@apple.com>
893
894         Build fix.
895
896         * JavaScriptCore.xcodeproj/project.pbxproj:
897
898 2011-09-23  Filip Pizlo  <fpizlo@apple.com>
899
900         DFG implementation of PutScopedVar corrupts register allocation
901         https://bugs.webkit.org/show_bug.cgi?id=68735
902
903         Reviewed by Oliver Hunt.
904
905         * dfg/DFGSpeculativeJIT.cpp:
906         (JSC::DFG::SpeculativeJIT::compile):
907
908 2011-09-23  Oliver Hunt  <oliver@apple.com>
909
910         Make write barriers actually do something when enabled
911         https://bugs.webkit.org/show_bug.cgi?id=68717
912
913         Reviewed by Geoffrey Garen.
914
915         Add a basic card marking style write barrier to JSC (currently
916         turned off).  This requires two scratch registers in the JIT
917         so there was some register re-arranging to satisfy that requirement.
918         Happily this produced a minor perf bump in sunspider (~0.5%).
919
920         Turning the barriers on causes an overall regression of around 1.5%.
921
922         * JavaScriptCore.exp:
923         * JavaScriptCore.xcodeproj/project.pbxproj:
924         * assembler/MacroAssemblerX86Common.h:
925         (JSC::MacroAssemblerX86Common::store8):
926         * assembler/X86Assembler.h:
927         (JSC::X86Assembler::movb_i8m):
928         * dfg/DFGJITCodeGenerator.cpp:
929         (JSC::DFG::JITCodeGenerator::isKnownNotCell):
930         (JSC::DFG::JITCodeGenerator::writeBarrier):
931         (JSC::DFG::JITCodeGenerator::markCellCard):
932         (JSC::DFG::JITCodeGenerator::cachedPutById):
933         * dfg/DFGJITCodeGenerator.h:
934         * dfg/DFGRepatch.cpp:
935         (JSC::DFG::tryCachePutByID):
936         * dfg/DFGSpeculativeJIT.cpp:
937         (JSC::DFG::SpeculativeJIT::compile):
938         * heap/CardSet.h: Added.
939         (JSC::CardSet::CardSet):
940         (JSC::::cardForAtom):
941         (JSC::::cardMarkedForAtom):
942         (JSC::::markCardForAtom):
943         * heap/Heap.cpp:
944         * heap/Heap.h:
945         (JSC::Heap::addressOfCardFor):
946         (JSC::Heap::writeBarrierFastCase):
947         * heap/MarkedBlock.h:
948         (JSC::MarkedBlock::setDirtyObject):
949         (JSC::MarkedBlock::addressOfCardFor):
950         (JSC::MarkedBlock::offsetOfCards):
951         * jit/JIT.h:
952         * jit/JITPropertyAccess.cpp:
953         (JSC::JIT::emit_op_put_by_val):
954         (JSC::JIT::emit_op_put_by_id):
955         (JSC::JIT::privateCompilePutByIdTransition):
956         (JSC::JIT::emit_op_put_scoped_var):
957         (JSC::JIT::emit_op_put_global_var):
958         (JSC::JIT::emitWriteBarrier):
959         * jit/JITPropertyAccess32_64.cpp:
960         (JSC::JIT::emit_op_put_by_val):
961         (JSC::JIT::emit_op_put_by_id):
962         (JSC::JIT::emitSlow_op_put_by_id):
963         (JSC::JIT::privateCompilePutByIdTransition):
964         (JSC::JIT::emit_op_put_scoped_var):
965         (JSC::JIT::emit_op_put_global_var):
966
967 2011-09-23  Thouraya ANDOLSI  <thouraya.andolsi@st.com>
968
969         https://bugs.webkit.org/show_bug.cgi?id=68077
970         SH4 assembler doesn't refer to executable memory handle.
971
972         Reviewed by Gavin Barraclough.
973
974         * assembler/MacroAssemblerSH4.h:
975         (JSC::MacroAssemblerSH4::branch8):
976         * assembler/SH4Assembler.h:
977         (JSC::SH4Assembler::executableCopy):
978
979 2011-09-23  Oliver Hunt  <oliver@apple.com>
980
981         PutScopedVar nodes should report that they have a var number
982         https://bugs.webkit.org/show_bug.cgi?id=68721
983
984         Reviewed by Anders Carlsson.
985
986         Another assertion fix.
987
988         * dfg/DFGNode.h:
989         (JSC::DFG::Node::hasVarNumber):
990
991 2011-09-23  Oliver Hunt  <oliver@apple.com>
992
993         Add a bunch of unhandled node types to the propagator
994         https://bugs.webkit.org/show_bug.cgi?id=68716
995
996         Reviewed by Darin Adler.
997
998         Remove the ASSERT_NOT_REACHED() default for debug builds in the
999         prediction propagator, this way unhandled nodes will just cause
1000         compile time failures rather than failing at some point in the
1001         future.
1002
1003         * dfg/DFGPropagator.cpp:
1004         (JSC::DFG::Propagator::propagateNodePredictions):
1005
1006 2011-09-23  Mark Hahnenberg  <mhahnenberg@apple.com>
1007
1008         Add static version of JSCell::visitChildren
1009         https://bugs.webkit.org/show_bug.cgi?id=68404
1010
1011         Reviewed by Darin Adler.
1012
1013         In this patch we just extract the bodies of the virtual visitChildren methods
1014         throughout the JSCell inheritance hierarchy out into static methods, which are 
1015         now called from the virtual methods.  This is an intermediate step in trying to 
1016         move the virtual-ness of visitChildren into our own custom vtable stored in 
1017         ClassInfo.  We need to convert the methods to static methods in order to be 
1018         able to more easily store and refer to them in our custom vtable since normal 
1019         member methods store some implicit information in their types, making it 
1020         impossible to store them generically in ClassInfo.
1021
1022         * API/JSCallbackObject.h:
1023         (JSC::JSCallbackObject::visitChildrenVirtual):
1024         (JSC::JSCallbackObject::visitChildren):
1025         * JavaScriptCore.exp:
1026         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1027         * debugger/DebuggerActivation.cpp:
1028         (JSC::DebuggerActivation::visitChildrenVirtual):
1029         (JSC::DebuggerActivation::visitChildren):
1030         * debugger/DebuggerActivation.h:
1031         * heap/MarkStack.cpp:
1032         (JSC::SlotVisitor::visitChildren):
1033         (JSC::SlotVisitor::drain):
1034         * runtime/Arguments.cpp:
1035         (JSC::Arguments::visitChildrenVirtual):
1036         (JSC::Arguments::visitChildren):
1037         * runtime/Arguments.h:
1038         * runtime/Executable.cpp:
1039         (JSC::EvalExecutable::visitChildrenVirtual):
1040         (JSC::EvalExecutable::visitChildren):
1041         (JSC::ProgramExecutable::visitChildrenVirtual):
1042         (JSC::ProgramExecutable::visitChildren):
1043         (JSC::FunctionExecutable::visitChildrenVirtual):
1044         (JSC::FunctionExecutable::visitChildren):
1045         * runtime/Executable.h:
1046         * runtime/GetterSetter.cpp:
1047         (JSC::GetterSetter::visitChildrenVirtual):
1048         (JSC::GetterSetter::visitChildren):
1049         * runtime/GetterSetter.h:
1050         * runtime/JSActivation.cpp:
1051         (JSC::JSActivation::visitChildrenVirtual):
1052         (JSC::JSActivation::visitChildren):
1053         * runtime/JSActivation.h:
1054         * runtime/JSArray.cpp:
1055         (JSC::JSArray::visitChildrenVirtual):
1056         (JSC::JSArray::visitChildren):
1057         * runtime/JSArray.h:
1058         * runtime/JSBoundFunction.cpp:
1059         (JSC::JSBoundFunction::visitChildrenVirtual):
1060         (JSC::JSBoundFunction::visitChildren):
1061         * runtime/JSBoundFunction.h:
1062         * runtime/JSCell.h:
1063         (JSC::JSCell::visitChildrenVirtual):
1064         (JSC::JSCell::visitChildren):
1065         * runtime/JSFunction.cpp:
1066         (JSC::JSFunction::visitChildrenVirtual):
1067         (JSC::JSFunction::visitChildren):
1068         * runtime/JSFunction.h:
1069         * runtime/JSGlobalObject.cpp:
1070         (JSC::JSGlobalObject::visitChildrenVirtual):
1071         (JSC::JSGlobalObject::visitChildren):
1072         * runtime/JSGlobalObject.h:
1073         * runtime/JSObject.cpp:
1074         (JSC::JSObject::visitChildrenVirtual):
1075         (JSC::JSObject::visitChildren):
1076         * runtime/JSObject.h:
1077         (JSC::JSObject::visitChildrenDirect):
1078         * runtime/JSPropertyNameIterator.cpp:
1079         (JSC::JSPropertyNameIterator::visitChildrenVirtual):
1080         (JSC::JSPropertyNameIterator::visitChildren):
1081         * runtime/JSPropertyNameIterator.h:
1082         * runtime/JSStaticScopeObject.cpp:
1083         (JSC::JSStaticScopeObject::visitChildrenVirtual):
1084         (JSC::JSStaticScopeObject::visitChildren):
1085         * runtime/JSStaticScopeObject.h:
1086         * runtime/JSWrapperObject.cpp:
1087         (JSC::JSWrapperObject::visitChildrenVirtual):
1088         (JSC::JSWrapperObject::visitChildren):
1089         * runtime/JSWrapperObject.h:
1090         * runtime/NativeErrorConstructor.cpp:
1091         (JSC::NativeErrorConstructor::visitChildrenVirtual):
1092         (JSC::NativeErrorConstructor::visitChildren):
1093         * runtime/NativeErrorConstructor.h:
1094         * runtime/RegExpObject.cpp:
1095         (JSC::RegExpObject::visitChildrenVirtual):
1096         (JSC::RegExpObject::visitChildren):
1097         * runtime/RegExpObject.h:
1098         * runtime/ScopeChain.cpp:
1099         (JSC::ScopeChainNode::visitChildrenVirtual):
1100         (JSC::ScopeChainNode::visitChildren):
1101         * runtime/ScopeChain.h:
1102         * runtime/Structure.cpp:
1103         (JSC::Structure::visitChildrenVirtual):
1104         (JSC::Structure::visitChildren):
1105         * runtime/Structure.h:
1106         * runtime/StructureChain.cpp:
1107         (JSC::StructureChain::visitChildrenVirtual):
1108         (JSC::StructureChain::visitChildren):
1109         * runtime/StructureChain.h:
1110
1111 2011-09-23  Oliver Hunt  <oliver@apple.com>
1112
1113         Node propagation doesn't handle PutScopedVar
1114         https://bugs.webkit.org/show_bug.cgi?id=68713
1115
1116         Reviewed by Sam Weinig.
1117
1118         This was causing assertion failures.
1119
1120         * dfg/DFGPropagator.cpp:
1121         (JSC::DFG::Propagator::propagateNodePredictions):
1122
1123 2011-09-23  Anders Carlsson  <andersca@apple.com>
1124
1125         Make sure to define OVERRIDE and FINAL for older builds of clang.
1126
1127         * wtf/Compiler.h:
1128
1129 2011-09-23  Gavin Barraclough  <barraclough@apple.com>
1130
1131         Implement op_resolve_global in the DFG JIT
1132         https://bugs.webkit.org/show_bug.cgi?id=68704
1133
1134         Reviewed by Oliver Hunt.
1135
1136         This is performance neutral, but increases coverage.
1137
1138         * dfg/DFGByteCodeParser.cpp:
1139         (JSC::DFG::ByteCodeParser::ByteCodeParser):
1140         (JSC::DFG::ByteCodeParser::parseBlock):
1141         * dfg/DFGNode.h:
1142         (JSC::DFG::Node::hasIdentifier):
1143         (JSC::DFG::Node::resolveInfoIndex):
1144         * dfg/DFGOperations.cpp:
1145         * dfg/DFGOperations.h:
1146         * dfg/DFGSpeculativeJIT.cpp:
1147         (JSC::DFG::SpeculativeJIT::compile):
1148
1149 2011-09-23  Mark Rowe  <mrowe@apple.com>
1150
1151         Define BUILDING_ON_LION / TARGETING_LION when appropriate in Platform.h.
1152
1153         * wtf/Platform.h:
1154
1155 2011-09-22  Anders Carlsson  <andersca@apple.com>
1156
1157         We should add support for OVERRIDE and FINAL annotations
1158         https://bugs.webkit.org/show_bug.cgi?id=68654
1159
1160         Reviewed by David Hyatt.
1161
1162         Add OVERRIDE and FINAL macros for compilers that support them.
1163
1164         * wtf/Compiler.h:
1165
1166 2011-09-22  Filip Pizlo  <fpizlo@apple.com>
1167
1168         GetScopedVar should have value profiling
1169         https://bugs.webkit.org/show_bug.cgi?id=68676
1170
1171         Reviewed by Oliver Hunt.
1172         
1173         Added GetScopedVar value profiling and prediction propagation.
1174         Added GetScopeChain to CSE.
1175
1176         * dfg/DFGByteCodeParser.cpp:
1177         (JSC::DFG::ByteCodeParser::parseBlock):
1178         * dfg/DFGGraph.h:
1179         (JSC::DFG::Graph::predict):
1180         * dfg/DFGNode.h:
1181         (JSC::DFG::Node::hasPrediction):
1182         * dfg/DFGPropagator.cpp:
1183         (JSC::DFG::Propagator::propagateNodePredictions):
1184         (JSC::DFG::Propagator::getScopeChainLoadElimination):
1185         (JSC::DFG::Propagator::performNodeCSE):
1186         * jit/JITPropertyAccess.cpp:
1187         (JSC::JIT::emit_op_get_scoped_var):
1188
1189 2011-09-22  Filip Pizlo  <fpizlo@apple.com>
1190
1191         PPC build fix, part 3.
1192
1193         * runtime/Executable.cpp:
1194         (JSC::FunctionExecutable::compileForConstructInternal):
1195
1196 2011-09-22  Filip Pizlo  <fpizlo@apple.com>
1197
1198         Another PPC build fix.
1199
1200         * runtime/Executable.cpp:
1201         * runtime/Executable.h:
1202
1203 2011-09-22  Dean Jackson  <dino@apple.com>
1204
1205         Add ENABLE_CSS_FILTERS
1206         https://bugs.webkit.org/show_bug.cgi?id=68652
1207
1208         Reviewed by Simon Fraser.
1209
1210         * Configurations/FeatureDefines.xcconfig:
1211
1212 2011-09-22  Gavin Barraclough  <barraclough@apple.com>
1213
1214         Incorrect this value passed to callbacks.
1215         https://bugs.webkit.org/show_bug.cgi?id=68668
1216
1217         Reviewed by Oliver Hunt.
1218
1219         From Array/String prototype function.  Should be undefined, but
1220         global object is passed instead (this is visible for strict callbacks).
1221
1222         * runtime/ArrayPrototype.cpp:
1223         (JSC::arrayProtoFuncSort):
1224         (JSC::arrayProtoFuncFilter):
1225         (JSC::arrayProtoFuncMap):
1226         (JSC::arrayProtoFuncEvery):
1227         (JSC::arrayProtoFuncForEach):
1228         (JSC::arrayProtoFuncSome):
1229         * runtime/JSArray.cpp:
1230         (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key):
1231         (JSC::JSArray::sort):
1232         * runtime/StringPrototype.cpp:
1233         (JSC::stringProtoFuncReplace):
1234
1235 2011-09-22  Gavin Barraclough  <barraclough@apple.com>
1236
1237         Function.prototype.bind.length should be 1.
1238
1239         Rubber stamped by Oliver Hunt.
1240
1241         * runtime/FunctionPrototype.cpp:
1242         (JSC::FunctionPrototype::addFunctionProperties):
1243
1244 2011-09-22  Filip Pizlo  <fpizlo@apple.com>
1245
1246         PPC build fix.
1247
1248         * bytecode/CodeBlock.h:
1249
1250 2011-09-22  Gavin Barraclough  <barraclough@apple.com>
1251
1252         Windows build fix pt. 2
1253
1254         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1255
1256 2011-09-22  Gavin Barraclough  <barraclough@apple.com>
1257
1258         Windows build fix pt. 1
1259
1260         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1261
1262 2011-09-21  Filip Pizlo  <fpizlo@apple.com>
1263
1264         DFG JIT does not support to_primitive or strcat
1265         https://bugs.webkit.org/show_bug.cgi?id=68582
1266
1267         Reviewed by Darin Adler.
1268         
1269         This adds functional support for to_primitive and strcat. It focuses
1270         on minimizing the amount of code emitted on to_primitive (if we know
1271         that it is a primitive or can speculate cheaply, then we omit the
1272         slow path) and on keeping the implementation of strcat simple while
1273         leveraging whatever optimizations we have already. In particular,
1274         unlike the Call and Construct nodes which require extending the size
1275         of the DFG's callee registers, StrCat takes advantage of the fact
1276         that no JS code can run while StrCat is in progress and uses a
1277         scratch buffer, rather than the register file, to store the list of
1278         values to concatenate. This was done mainly to keep the code simple,
1279         but there are probably other benefits to keeping call frame sizes
1280         down. Essentially, this patch ensures that the presence of an
1281         op_strcat does not mess up any other optimizations we might do while
1282         ensuring that if you do execute it, it'll work about as well as you'd
1283         expect.
1284         
1285         When combined with the previous patch for integer division, this is a
1286         14% speed-up on Kraken. Without it, it would have been a 2% loss.
1287
1288         * assembler/AbstractMacroAssembler.h:
1289         (JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
1290         * dfg/DFGByteCodeParser.cpp:
1291         (JSC::DFG::ByteCodeParser::parseBlock):
1292         * dfg/DFGCapabilities.h:
1293         (JSC::DFG::canCompileOpcode):
1294         * dfg/DFGJITCodeGenerator.h:
1295         (JSC::DFG::JITCodeGenerator::callOperation):
1296         * dfg/DFGJITCompiler.cpp:
1297         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
1298         * dfg/DFGNode.h:
1299         * dfg/DFGOperations.cpp:
1300         * dfg/DFGOperations.h:
1301         * dfg/DFGPropagator.cpp:
1302         (JSC::DFG::Propagator::propagateNodePredictions):
1303         (JSC::DFG::Propagator::performNodeCSE):
1304         * dfg/DFGSpeculativeJIT.cpp:
1305         (JSC::DFG::SpeculativeJIT::compile):
1306         * runtime/JSGlobalData.cpp:
1307         (JSC::JSGlobalData::JSGlobalData):
1308         (JSC::JSGlobalData::~JSGlobalData):
1309         * runtime/JSGlobalData.h:
1310         (JSC::JSGlobalData::scratchBufferForSize):
1311
1312 2011-09-22  Filip Pizlo  <fpizlo@apple.com>
1313
1314         DFG JIT should support integer division
1315         https://bugs.webkit.org/show_bug.cgi?id=68597
1316
1317         Reviewed by Darin Adler.
1318         
1319         This adds support for ArithDiv speculating integer, and speculating
1320         that the result is integer (i.e. remainder = 0).
1321         
1322         This is a 4% win on Kraken and a 1% loss on V8.
1323
1324         * bytecode/CodeBlock.h:
1325         * dfg/DFGByteCodeParser.cpp:
1326         (JSC::DFG::ByteCodeParser::makeDivSafe):
1327         (JSC::DFG::ByteCodeParser::parseBlock):
1328         * dfg/DFGNode.h:
1329         (JSC::DFG::Node::hasArithNodeFlags):
1330         * dfg/DFGPropagator.cpp:
1331         (JSC::DFG::Propagator::propagateArithNodeFlags):
1332         (JSC::DFG::Propagator::propagateNodePredictions):
1333         (JSC::DFG::Propagator::fixupNode):
1334         * dfg/DFGSpeculativeJIT.cpp:
1335         (JSC::DFG::SpeculativeJIT::compile):
1336         * jit/JITArithmetic.cpp:
1337         (JSC::JIT::emit_op_div):
1338
1339 2011-09-22  Oliver Hunt  <oliver@apple.com>
1340
1341         Implement put_scoped_var in the DFG jit
1342         https://bugs.webkit.org/show_bug.cgi?id=68653
1343
1344         Reviewed by Gavin Barraclough.
1345
1346         Naive implementation of put_scoped_var.  Same story as the
1347         get_scoped_var implementation, although I've hoisted scope
1348         object acquisition into a separate dfg node.  Ideally in the
1349         future we would reuse the resolved scope chain object, but
1350         for now we don't.
1351
1352         * dfg/DFGByteCodeParser.cpp:
1353         (JSC::DFG::ByteCodeParser::parseBlock):
1354         * dfg/DFGCapabilities.h:
1355         (JSC::DFG::canCompileOpcode):
1356         * dfg/DFGNode.h:
1357         (JSC::DFG::Node::hasScopeChainDepth):
1358         (JSC::DFG::Node::scopeChainDepth):
1359         * dfg/DFGPropagator.cpp:
1360         (JSC::DFG::Propagator::propagateNodePredictions):
1361         * dfg/DFGSpeculativeJIT.cpp:
1362         (JSC::DFG::SpeculativeJIT::compile):
1363
1364 2011-09-22  Gavin Barraclough  <barraclough@apple.com>
1365
1366         Implement Function.prototype.bind
1367         https://bugs.webkit.org/show_bug.cgi?id=26382
1368
1369         Reviewed by Sam Weinig.
1370
1371         This patch provides a basic functional implementation
1372         for Function.bind. It should (hopefully!) be fully
1373         functionally correct, and the bound functions can be
1374         called quickly (since they are a subclass of
1375         JSFunction, not InternalFunction), but we'll probably
1376         want to follow up with some optimization work to keep
1377         bound calls in JIT code.
1378
1379         * JavaScriptCore.JSVALUE32_64only.exp:
1380         * JavaScriptCore.JSVALUE64only.exp:
1381         * JavaScriptCore.exp:
1382         * JavaScriptCore.xcodeproj/project.pbxproj:
1383         * jit/JITStubs.cpp:
1384         (JSC::JITThunks::hostFunctionStub):
1385         * jit/JITStubs.h:
1386         * jsc.cpp:
1387         (GlobalObject::addFunction):
1388         * runtime/CommonIdentifiers.h:
1389         * runtime/ConstructData.h:
1390         * runtime/Executable.h:
1391         (JSC::NativeExecutable::NativeExecutable):
1392         * runtime/FunctionPrototype.cpp:
1393         (JSC::FunctionPrototype::addFunctionProperties):
1394         (JSC::functionProtoFuncBind):
1395         * runtime/FunctionPrototype.h:
1396         * runtime/JSBoundFunction.cpp: Added.
1397         (JSC::boundFunctionCall):
1398         (JSC::boundFunctionConstruct):
1399         (JSC::JSBoundFunction::create):
1400         (JSC::JSBoundFunction::hasInstance):
1401         (JSC::JSBoundFunction::getOwnPropertySlot):
1402         (JSC::JSBoundFunction::getOwnPropertyDescriptor):
1403         (JSC::JSBoundFunction::JSBoundFunction):
1404         (JSC::JSBoundFunction::finishCreation):
1405         * runtime/JSBoundFunction.h: Added.
1406         (JSC::JSBoundFunction::targetFunction):
1407         (JSC::JSBoundFunction::boundThis):
1408         (JSC::JSBoundFunction::boundArgs):
1409         (JSC::JSBoundFunction::createStructure):
1410         * runtime/JSFunction.cpp:
1411         (JSC::JSFunction::create):
1412         (JSC::JSFunction::finishCreation):
1413         (JSC::createDescriptorForThrowingProperty):
1414         (JSC::JSFunction::getOwnPropertySlot):
1415         * runtime/JSFunction.h:
1416         * runtime/JSGlobalData.cpp:
1417         (JSC::JSGlobalData::getHostFunction):
1418         * runtime/JSGlobalData.h:
1419         * runtime/JSGlobalObject.cpp:
1420         (JSC::JSGlobalObject::reset):
1421         (JSC::JSGlobalObject::visitChildren):
1422         * runtime/JSGlobalObject.h:
1423         (JSC::JSGlobalObject::boundFunctionStructure):
1424         * runtime/Lookup.cpp:
1425         (JSC::setUpStaticFunctionSlot):
1426
1427 2011-09-22  Oliver Hunt  <oliver@apple.com>
1428
1429         Implement get_scoped_var in the DFG
1430         https://bugs.webkit.org/show_bug.cgi?id=68640
1431
1432         Reviewed by Gavin Barraclough.
1433
1434         Naive implementation of get_scoped_var in the DFG.  Essentially this
1435         is the bare minimum required to get correct behaviour, so there's no
1436         load/store coalescing or type profiling involved, even though these
1437         would be wins.  No impact on SunSpider or V8.
1438
1439         * dfg/DFGByteCodeParser.cpp:
1440         (JSC::DFG::ByteCodeParser::parseBlock):
1441         * dfg/DFGCapabilities.h:
1442         (JSC::DFG::canCompileOpcode):
1443         * dfg/DFGNode.h:
1444         (JSC::DFG::Node::hasVarNumber):
1445         (JSC::DFG::Node::hasScopeChainDepth):
1446         (JSC::DFG::Node::scopeChainDepth):
1447         * dfg/DFGPropagator.cpp:
1448         (JSC::DFG::Propagator::propagateNodePredictions):
1449         * dfg/DFGSpeculativeJIT.cpp:
1450         (JSC::DFG::SpeculativeJIT::compile):
1451
1452 2011-09-22  Adam Roben  <aroben@apple.com>
1453
1454         Remove FindSafari from all our .sln files
1455
1456         It isn't used anymore, so there's no point in building it.
1457
1458         Part of <http://webkit.org/b/68628> Remove FindSafari
1459
1460         Reviewed by Steve Falkenburg.
1461
1462         * JavaScriptCore.vcproj/JavaScriptCore.sln:
1463
1464 2011-09-22  Filip Pizlo  <fpizlo@apple.com>
1465
1466         32-bit call code clobbers the function cell tag
1467         https://bugs.webkit.org/show_bug.cgi?id=68606
1468
1469         Reviewed by Csaba Osztrogonác.
1470         
1471         This is a minimalistic fix: it simply emits code to restore the
1472         cell tag on the slow path, if we know that we failed due to
1473         emitCallIfNotType.
1474
1475         * jit/JITCall32_64.cpp:
1476         (JSC::JIT::compileOpCallVarargsSlowCase):
1477         (JSC::JIT::compileOpCallSlowCase):
1478
1479 2011-09-21  Gavin Barraclough  <barraclough@apple.com>
1480
1481         Add missing addPtr->add32 mapping for X86.
1482
1483         Rubber stamped by Sam Weinig.
1484
1485         * assembler/MacroAssembler.h:
1486         (JSC::MacroAssembler::addPtr):
1487
1488 2011-09-21  Gavin Barraclough  <barraclough@apple.com>
1489
1490         Add missing addDouble for AbsoluteAddress to X86
1491
1492         Rubber stamped by Geoff Garen.
1493
1494         * assembler/MacroAssemblerX86.h:
1495         (JSC::MacroAssemblerX86::addDouble):
1496         * assembler/X86Assembler.h:
1497         (JSC::X86Assembler::addsd_mr):
1498         (JSC::X86Assembler::cvtsi2sd_rr):
1499         (JSC::X86Assembler::cvtsi2sd_mr):
1500
1501 2011-09-21  Gavin Barraclough  <barraclough@apple.com>
1502
1503         Build fix following fix for bug #68586.
1504
1505         * jit/JIT.cpp:
1506         * jit/JITInlineMethods.h:
1507
1508 2011-09-21  Filip Pizlo  <fpizlo@apple.com>
1509
1510         DFG JIT should be able to compile op_throw
1511         https://bugs.webkit.org/show_bug.cgi?id=68571
1512
1513         Reviewed by Geoffrey Garen.
1514         
1515         This compiles op_throw in the simplest way possible: it's an OSR
1516         point back to the old JIT. This is a good step towards increasing
1517         coverage, particularly on Kraken, but it's neutral because the
1518         same functions that do throw also use some other unsupported
1519         opcodes.
1520
1521         * dfg/DFGByteCodeParser.cpp:
1522         (JSC::DFG::ByteCodeParser::parseBlock):
1523         * dfg/DFGCapabilities.h:
1524         (JSC::DFG::canCompileOpcode):
1525         * dfg/DFGNode.h:
1526         * dfg/DFGPropagator.cpp:
1527         (JSC::DFG::Propagator::propagateNodePredictions):
1528         * dfg/DFGSpeculativeJIT.cpp:
1529         (JSC::DFG::SpeculativeJIT::compile):
1530
1531 2011-09-21  Filip Pizlo  <fpizlo@apple.com>
1532
1533         DFG should support continuous optimization
1534         https://bugs.webkit.org/show_bug.cgi?id=68329
1535
1536         Reviewed by Geoffrey Garen.
1537         
1538         This adds the ability to reoptimize a code block if speculation
1539         failures happen frequently. 6% speed-up on Kraken, 1% slow-down
1540         on V8, neutral on SunSpider.
1541
1542         * CMakeLists.txt:
1543         * GNUmakefile.list.am:
1544         * JavaScriptCore.pro:
1545         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1546         * JavaScriptCore.vcproj/WTF/WTF.vcproj:
1547         * JavaScriptCore.xcodeproj/project.pbxproj:
1548         * bytecode/CodeBlock.cpp:
1549         (JSC::CodeBlock::CodeBlock):
1550         (JSC::ProgramCodeBlock::jettison):
1551         (JSC::EvalCodeBlock::jettison):
1552         (JSC::FunctionCodeBlock::jettison):
1553         (JSC::CodeBlock::shouldOptimizeNow):
1554         (JSC::CodeBlock::dumpValueProfiles):
1555         * bytecode/CodeBlock.h:
1556         * dfg/DFGByteCodeParser.cpp:
1557         (JSC::DFG::ByteCodeParser::getStrongPrediction):
1558         * dfg/DFGJITCompiler.cpp:
1559         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
1560         (JSC::DFG::JITCompiler::compileEntry):
1561         (JSC::DFG::JITCompiler::compileBody):
1562         * dfg/DFGJITCompiler.h:
1563         (JSC::DFG::JITCompiler::noticeOSREntry):
1564         * dfg/DFGOSREntry.cpp:
1565         (JSC::DFG::prepareOSREntry):
1566         * dfg/DFGOSREntry.h:
1567         (JSC::DFG::getOSREntryDataBytecodeIndex):
1568         * dfg/DFGSpeculativeJIT.cpp:
1569         (JSC::DFG::SpeculativeJIT::compile):
1570         * heap/ConservativeRoots.cpp:
1571         (JSC::ConservativeRoots::ConservativeRoots):
1572         (JSC::ConservativeRoots::~ConservativeRoots):
1573         (JSC::DummyMarkHook::mark):
1574         (JSC::ConservativeRoots::genericAddPointer):
1575         (JSC::ConservativeRoots::genericAddSpan):
1576         (JSC::ConservativeRoots::add):
1577         * heap/ConservativeRoots.h:
1578         * heap/Heap.cpp:
1579         (JSC::Heap::addJettisonCodeBlock):
1580         (JSC::Heap::markRoots):
1581         * heap/Heap.h:
1582         * heap/JettisonedCodeBlocks.cpp: Added.
1583         (JSC::JettisonedCodeBlocks::JettisonedCodeBlocks):
1584         (JSC::JettisonedCodeBlocks::~JettisonedCodeBlocks):
1585         (JSC::JettisonedCodeBlocks::addCodeBlock):
1586         (JSC::JettisonedCodeBlocks::clearMarks):
1587         (JSC::JettisonedCodeBlocks::deleteUnmarkedCodeBlocks):
1588         (JSC::JettisonedCodeBlocks::traceCodeBlocks):
1589         * heap/JettisonedCodeBlocks.h: Added.
1590         (JSC::JettisonedCodeBlocks::mark):
1591         * interpreter/RegisterFile.cpp:
1592         (JSC::RegisterFile::gatherConservativeRoots):
1593         * interpreter/RegisterFile.h:
1594         * jit/JITStubs.cpp:
1595         (JSC::DEFINE_STUB_FUNCTION):
1596         * runtime/Executable.cpp:
1597         (JSC::jettisonCodeBlock):
1598         (JSC::EvalExecutable::jettisonOptimizedCode):
1599         (JSC::ProgramExecutable::jettisonOptimizedCode):
1600         (JSC::FunctionExecutable::jettisonOptimizedCodeForCall):
1601         (JSC::FunctionExecutable::jettisonOptimizedCodeForConstruct):
1602         * runtime/Executable.h:
1603         (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
1604         * wtf/BitVector.h: Added.
1605         (WTF::BitVector::BitVector):
1606         (WTF::BitVector::~BitVector):
1607         (WTF::BitVector::operator=):
1608         (WTF::BitVector::size):
1609         (WTF::BitVector::ensureSize):
1610         (WTF::BitVector::resize):
1611         (WTF::BitVector::clearAll):
1612         (WTF::BitVector::get):
1613         (WTF::BitVector::set):
1614         (WTF::BitVector::clear):
1615         (WTF::BitVector::bitsInPointer):
1616         (WTF::BitVector::maxInlineBits):
1617         (WTF::BitVector::byteCount):
1618         (WTF::BitVector::makeInlineBits):
1619         (WTF::BitVector::OutOfLineBits::numBits):
1620         (WTF::BitVector::OutOfLineBits::numWords):
1621         (WTF::BitVector::OutOfLineBits::bits):
1622         (WTF::BitVector::OutOfLineBits::create):
1623         (WTF::BitVector::OutOfLineBits::destroy):
1624         (WTF::BitVector::OutOfLineBits::OutOfLineBits):
1625         (WTF::BitVector::isInline):
1626         (WTF::BitVector::outOfLineBits):
1627         (WTF::BitVector::resizeOutOfLine):
1628         (WTF::BitVector::bits):
1629
1630 2011-09-21  Gavin Barraclough  <barraclough@apple.com>
1631
1632         Add X86 GPRInfo for DFG JIT.
1633         https://bugs.webkit.org/show_bug.cgi?id=68586
1634
1635         Reviewed by Geoff Garen.
1636
1637         * dfg/DFGGPRInfo.h:
1638         (JSC::DFG::GPRInfo::toRegister):
1639         (JSC::DFG::GPRInfo::toIndex):
1640         (JSC::DFG::GPRInfo::debugName):
1641
1642 2011-09-21  Gavin Barraclough  <barraclough@apple.com>
1643
1644         Should support value profiling on CPU(X86)
1645         https://bugs.webkit.org/show_bug.cgi?id=68575
1646
1647         Reviewed by Sam Weinig.
1648
1649         Fix verbose profiling in ToT (SlowCaseProfile had been
1650         partially renamed to RareCaseProfile), add in-memory
1651         bucket counter for CPU(X86), move JIT::m_canBeOptimized
1652         out of the DFG_JIT ifdef.
1653
1654         * bytecode/CodeBlock.cpp:
1655         (JSC::CodeBlock::resetRareCaseProfiles):
1656         (JSC::CodeBlock::dumpValueProfiles):
1657         * bytecode/CodeBlock.h:
1658         * dfg/DFGByteCodeParser.cpp:
1659         (JSC::DFG::ByteCodeParser::makeSafe):
1660         * jit/JIT.cpp:
1661         (JSC::JIT::privateCompileSlowCases):
1662         (JSC::JIT::privateCompile):
1663         * jit/JIT.h:
1664         * jit/JITInlineMethods.h:
1665         (JSC::JIT::emitValueProfilingSite):
1666
1667 2011-09-21  Filip Pizlo  <fpizlo@apple.com>
1668
1669         DFG does not support compiling functions as constructors
1670         https://bugs.webkit.org/show_bug.cgi?id=68500
1671
1672         Reviewed by Oliver Hunt.
1673         
1674         This adds support for compiling constructors to the DFG. It's a
1675         1% speed-up on V8, mostly due to a 6% speed-up on early-boyer.
1676         It's also a 13% win on access-binary-trees, but it's neutral in
1677         the SunSpider and Kraken averages.
1678
1679         * dfg/DFGByteCodeParser.cpp:
1680         (JSC::DFG::ByteCodeParser::parseBlock):
1681         * dfg/DFGCapabilities.h:
1682         (JSC::DFG::mightCompileFunctionForConstruct):
1683         (JSC::DFG::canCompileOpcode):
1684         * dfg/DFGNode.h:
1685         * dfg/DFGOperations.cpp:
1686         * dfg/DFGOperations.h:
1687         * dfg/DFGPropagator.cpp:
1688         (JSC::DFG::Propagator::propagateNodePredictions):
1689         (JSC::DFG::Propagator::performNodeCSE):
1690         * dfg/DFGSpeculativeJIT.cpp:
1691         (JSC::DFG::SpeculativeJIT::compile):
1692         * runtime/Executable.cpp:
1693         (JSC::FunctionExecutable::compileOptimizedForConstruct):
1694         (JSC::FunctionExecutable::compileForConstructInternal):
1695         * runtime/Executable.h:
1696         (JSC::FunctionExecutable::compileForConstruct):
1697         (JSC::FunctionExecutable::compileFor):
1698         (JSC::FunctionExecutable::compileOptimizedFor):
1699
1700 2011-09-21  Gavin Barraclough  <barraclough@apple.com>
1701
1702         Replace jsFunctionVPtr compares with a type check on the Structure.
1703         https://bugs.webkit.org/show_bug.cgi?id=68557
1704
1705         Reviewed by Oliver Hunt.
1706
1707         This will permit calls to still optimize to subclasses of JSFunction
1708         that have the correct type (but a different C++ vptr).
1709
1710         This patch stops passing the globalData into numerous functions.
1711
1712         * dfg/DFGByteCodeParser.cpp:
1713         (JSC::DFG::ByteCodeParser::parseBlock):
1714         * dfg/DFGGraph.h:
1715         (JSC::DFG::Graph::isFunctionConstant):
1716         (JSC::DFG::Graph::valueOfFunctionConstant):
1717         * dfg/DFGJITCompiler.h:
1718         (JSC::DFG::JITCompiler::isFunctionConstant):
1719         (JSC::DFG::JITCompiler::valueOfFunctionConstant):
1720         * dfg/DFGOperations.cpp:
1721         * interpreter/Interpreter.cpp:
1722         (JSC::Interpreter::privateExecute):
1723         * jit/JIT.h:
1724         * jit/JITCall.cpp:
1725         (JSC::JIT::compileOpCallVarargs):
1726         (JSC::JIT::compileOpCallSlowCase):
1727         * jit/JITCall32_64.cpp:
1728         (JSC::JIT::compileOpCallVarargs):
1729         (JSC::JIT::compileOpCallSlowCase):
1730         * jit/JITInlineMethods.h:
1731         (JSC::JIT::emitJumpIfNotType):
1732         * jit/JITStubs.cpp:
1733         (JSC::DEFINE_STUB_FUNCTION):
1734         * runtime/Executable.h:
1735         (JSC::isHostFunction):
1736         * runtime/JSFunction.h:
1737         (JSC::JSFunction::createStructure):
1738         * runtime/JSObject.cpp:
1739         (JSC::JSObject::put):
1740         (JSC::JSObject::putWithAttributes):
1741         * runtime/JSObject.h:
1742         (JSC::getJSFunction):
1743         (JSC::JSObject::putDirect):
1744         (JSC::JSObject::putDirectWithoutTransition):
1745         * runtime/JSType.h:
1746
1747 2011-09-21  Geoffrey Garen  <ggaren@apple.com>
1748
1749         Removed WTFTHREADDATA_MULTITHREADED, making it always true
1750         https://bugs.webkit.org/show_bug.cgi?id=68549
1751
1752         Reviewed by Darin Adler.
1753         
1754         Another part of making threads exist in WebKit.
1755
1756         * wtf/WTFThreadData.cpp:
1757         * wtf/WTFThreadData.h:
1758         (WTF::wtfThreadData):
1759
1760 2011-09-21  Dan Bernstein  <mitz@apple.com>
1761
1762         JavaScriptCore Part of: Prevent the WebKit frameworks from defining inappropriately-named Objective-C classes
1763         https://bugs.webkit.org/show_bug.cgi?id=68451
1764
1765         Reviewed by Darin Adler.
1766
1767         * JavaScriptCore.xcodeproj/project.pbxproj: Added a script build phase that invokes
1768         check-for-inappropriate-objc-class-names, allowing only class names prefixed with "JS".
1769
1770 2011-09-20  Gavin Barraclough  <barraclough@apple.com>
1771
1772         MacroAssembler fixes.
1773         https://bugs.webkit.org/show_bug.cgi?id=68494
1774
1775         Reviewed by Sam Weinig.
1776
1777         Add X86-64's 3-operand or32 to the other MacroAssemblers, fix load32's [const] void* mismatch.
1778
1779         * assembler/MacroAssembler.h:
1780         (JSC::MacroAssembler::orPtr):
1781         (JSC::MacroAssembler::loadPtr):
1782         * assembler/MacroAssemblerARM.h:
1783         (JSC::MacroAssemblerARM::or32):
1784         * assembler/MacroAssemblerARMv7.h:
1785         (JSC::MacroAssemblerARMv7::or32):
1786         * assembler/MacroAssemblerMIPS.h:
1787         (JSC::MacroAssemblerMIPS::or32):
1788         * assembler/MacroAssemblerSH4.h:
1789         (JSC::MacroAssemblerSH4::or32):
1790         (JSC::MacroAssemblerSH4::load32):
1791         * assembler/MacroAssemblerX86.h:
1792         (JSC::MacroAssemblerX86::load32):
1793         * assembler/MacroAssemblerX86_64.h:
1794         (JSC::MacroAssemblerX86_64::load32):
1795
1796 2011-09-20  Geoffrey Garen  <ggaren@apple.com>
1797
1798         Some Heap cleanup.
1799
1800         Reviewed by Beth Dakin.
1801
1802         * heap/MarkedBlock.cpp:
1803         (JSC::MarkedBlock::blessNewBlock): Removed blessNewBlockForSlowPath()
1804         because it was unused; renamed blessNewBlockForFastPath() to blessNewBlock()
1805         since there is only one now.
1806
1807         * heap/MarkedBlock.h: Removed ownerSet-related stuff since it was unused.
1808         Updated mark bit overhead calculation. Deployed atomsPerBlock in one
1809         place where we were recalculating it.
1810
1811         * heap/MarkedSpace.cpp:
1812         (JSC::MarkedSpace::addBlock): Updated for rename.
1813
1814 2011-09-20  Filip Pizlo  <fpizlo@apple.com>
1815
1816         DFG JIT always speculates integer on modulo
1817         https://bugs.webkit.org/show_bug.cgi?id=68485
1818
1819         Reviewed by Oliver Hunt.
1820         
1821         Added support for double modulo, which is a call to fmod().
1822         Also added support for recording the old JIT's statistics
1823         on op_mod and propagating them along the graph. Finally,
1824         fixed a goof in the ArithNodeFlags propagation logic that
1825         was made obvious when I started testing ArithMod.
1826
1827         * dfg/DFGByteCodeParser.cpp:
1828         (JSC::DFG::ByteCodeParser::makeSafe):
1829         (JSC::DFG::ByteCodeParser::parseBlock):
1830         * dfg/DFGNode.h:
1831         (JSC::DFG::Node::hasArithNodeFlags):
1832         * dfg/DFGPropagator.cpp:
1833         (JSC::DFG::Propagator::propagateArithNodeFlags):
1834         (JSC::DFG::Propagator::propagateNodePredictions):
1835         (JSC::DFG::Propagator::fixupNode):
1836         * dfg/DFGSpeculativeJIT.cpp:
1837         (JSC::DFG::SpeculativeJIT::compile):
1838
1839 2011-09-20  ChangSeok Oh  <shivamidow@gmail.com>
1840
1841         [GTK] requestAnimationFrame support for gtk port
1842         https://bugs.webkit.org/show_bug.cgi?id=66280
1843
1844         Reviewed by Martin Robinson.
1845
1846         Let GTK port use REQUEST_ANIMATION_FRAME_TIMER.
1847
1848         * wtf/Platform.h:
1849
1850 2011-09-20  Filip Pizlo  <fpizlo@apple.com>
1851
1852         DFG JIT performs too many negative zero checks, and too many
1853         overflow checks
1854         https://bugs.webkit.org/show_bug.cgi?id=68430
1855
1856         Reviewed by Oliver Hunt.
1857         
1858         This adds comprehensive support for deciding how to perform an
1859         arithmetic operation based on a combination of overflow profiling,
1860         negative zero profiling, value profiling, and a static analysis of
1861         how the results of these operations get used.
1862         
1863         This is a 72% speed-up on stanford-crypto-sha256-iterative, and a
1864         2.5% speed-up on the Kraken average, a 1.4% speed-up on the V8
1865         geomean, and neutral on SunSpider. It's also an 8.5% speed-up on
1866         V8-crypto, because apparently everything we do speeds up crypto.
1867
1868         * dfg/DFGByteCodeParser.cpp:
1869         (JSC::DFG::ByteCodeParser::toInt32):
1870         (JSC::DFG::ByteCodeParser::toNumber):
1871         (JSC::DFG::ByteCodeParser::isSmallInt32Constant):
1872         (JSC::DFG::ByteCodeParser::valueOfInt32Constant):
1873         (JSC::DFG::ByteCodeParser::weaklyPredictInt32):
1874         (JSC::DFG::ByteCodeParser::makeSafe):
1875         (JSC::DFG::ByteCodeParser::handleMinMax):
1876         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1877         (JSC::DFG::ByteCodeParser::parseBlock):
1878         (JSC::DFG::ByteCodeParser::processPhiStack):
1879         (JSC::DFG::ByteCodeParser::parse):
1880         * dfg/DFGGraph.cpp:
1881         (JSC::DFG::Graph::dump):
1882         * dfg/DFGJITCodeGenerator.cpp:
1883         (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
1884         * dfg/DFGNode.h:
1885         (JSC::DFG::nodeUsedAsNumber):
1886         (JSC::DFG::nodeCanTruncateInteger):
1887         (JSC::DFG::nodeCanIgnoreNegativeZero):
1888         (JSC::DFG::nodeCanSpeculateInteger):
1889         (JSC::DFG::arithNodeFlagsAsString):
1890         (JSC::DFG::Node::Node):
1891         (JSC::DFG::Node::hasArithNodeFlags):
1892         (JSC::DFG::Node::rawArithNodeFlags):
1893         (JSC::DFG::Node::arithNodeFlags):
1894         (JSC::DFG::Node::arithNodeFlagsForCompare):
1895         (JSC::DFG::Node::setArithNodeFlag):
1896         (JSC::DFG::Node::mergeArithNodeFlags):
1897         * dfg/DFGPropagator.cpp:
1898         (JSC::DFG::Propagator::fixpoint):
1899         (JSC::DFG::Propagator::isNotNegZero):
1900         (JSC::DFG::Propagator::isNotZero):
1901         (JSC::DFG::Propagator::propagateArithNodeFlags):
1902         (JSC::DFG::Propagator::propagateArithNodeFlagsForward):
1903         (JSC::DFG::Propagator::propagateArithNodeFlagsBackward):
1904         (JSC::DFG::Propagator::propagateNodePredictions):
1905         (JSC::DFG::Propagator::propagatePredictionsForward):
1906         (JSC::DFG::Propagator::propagatePredictionsBackward):
1907         (JSC::DFG::Propagator::toDouble):
1908         (JSC::DFG::Propagator::fixupNode):
1909         (JSC::DFG::Propagator::fixup):
1910         (JSC::DFG::Propagator::startIndexForChildren):
1911         (JSC::DFG::Propagator::endIndexForPureCSE):
1912         (JSC::DFG::Propagator::pureCSE):
1913         (JSC::DFG::Propagator::clobbersWorld):
1914         (JSC::DFG::Propagator::setReplacement):
1915         (JSC::DFG::Propagator::performNodeCSE):
1916         (JSC::DFG::Propagator::localCSE):
1917         * dfg/DFGSpeculativeJIT.cpp:
1918         (JSC::DFG::SpeculativeJIT::compile):
1919         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
1920
1921 2011-09-19  Oliver Hunt  <oliver@apple.com>
1922
1923         Refactor Heap allocation logic into separate AllocationSpace class
1924         https://bugs.webkit.org/show_bug.cgi?id=68409
1925
1926         Reviewed by Gavin Barraclough.
1927
1928         This patch hoists direct manipulation of the MarkedSpace and related
1929         data out of Heap and into a separate class.  This will allow us to
1930         have multiple allocation spaces in future, so easing the way towards
1931         having GC'd backing stores for objects.
1932
1933         * CMakeLists.txt:
1934         * GNUmakefile.list.am:
1935         * JavaScriptCore.exp:
1936         * JavaScriptCore.gypi:
1937         * JavaScriptCore.pro:
1938         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1939         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1940         * JavaScriptCore.xcodeproj/project.pbxproj:
1941         * debugger/Debugger.cpp:
1942         (JSC::Debugger::recompileAllJSFunctions):
1943         * heap/AllocationSpace.cpp: Added.
1944         (JSC::AllocationSpace::tryAllocate):
1945         (JSC::AllocationSpace::allocateSlowCase):
1946         (JSC::AllocationSpace::allocateBlock):
1947         (JSC::AllocationSpace::freeBlocks):
1948         (JSC::TakeIfEmpty::TakeIfEmpty):
1949         (JSC::TakeIfEmpty::operator()):
1950         (JSC::TakeIfEmpty::returnValue):
1951         (JSC::AllocationSpace::shrink):
1952         * heap/AllocationSpace.h: Added.
1953         (JSC::AllocationSpace::AllocationSpace):
1954         (JSC::AllocationSpace::blocks):
1955         (JSC::AllocationSpace::sizeClassFor):
1956         (JSC::AllocationSpace::setHighWaterMark):
1957         (JSC::AllocationSpace::highWaterMark):
1958         (JSC::AllocationSpace::canonicalizeBlocks):
1959         (JSC::AllocationSpace::resetAllocator):
1960         (JSC::AllocationSpace::forEachCell):
1961         (JSC::AllocationSpace::forEachBlock):
1962         (JSC::AllocationSpace::allocate):
1963         * heap/Heap.cpp:
1964         (JSC::Heap::Heap):
1965         (JSC::Heap::reportExtraMemoryCostSlowCase):
1966         (JSC::Heap::getConservativeRegisterRoots):
1967         (JSC::Heap::markRoots):
1968         (JSC::Heap::clearMarks):
1969         (JSC::Heap::sweep):
1970         (JSC::Heap::objectCount):
1971         (JSC::Heap::size):
1972         (JSC::Heap::capacity):
1973         (JSC::Heap::globalObjectCount):
1974         (JSC::Heap::objectTypeCounts):
1975         (JSC::Heap::collect):
1976         (JSC::Heap::canonicalizeBlocks):
1977         (JSC::Heap::resetAllocator):
1978         (JSC::Heap::freeBlocks):
1979         (JSC::Heap::shrink):
1980         * heap/Heap.h:
1981         (JSC::Heap::objectSpace):
1982         (JSC::Heap::sizeClassForObject):
1983         (JSC::Heap::allocate):
1984         * jit/JITInlineMethods.h:
1985         (JSC::JIT::emitAllocateBasicJSObject):
1986         * runtime/JSGlobalData.cpp:
1987         (JSC::JSGlobalData::recompileAllJSFunctions):
1988         (JSC::JSGlobalData::releaseExecutableMemory):
1989
1990 2011-09-19  Geoffrey Garen  <ggaren@apple.com>
1991
1992         Removed BREWMP* platform #ifdefs
1993         https://bugs.webkit.org/show_bug.cgi?id=68425
1994         
1995         BREWMP* has no maintainer, and this is dead code.
1996
1997         Reviewed by Darin Adler.
1998
1999         * heap/MarkStack.h:
2000         (JSC::::shrinkAllocation):
2001         * jit/ExecutableAllocator.h:
2002         (JSC::ExecutableAllocator::cacheFlush):
2003         * runtime/TimeoutChecker.cpp:
2004         (JSC::getCPUTime):
2005         * wtf/Assertions.cpp:
2006         * wtf/Assertions.h:
2007         * wtf/CurrentTime.cpp:
2008         * wtf/DateMath.cpp:
2009         (WTF::calculateUTCOffset):
2010         * wtf/FastMalloc.cpp:
2011         (WTF::fastMalloc):
2012         (WTF::fastCalloc):
2013         (WTF::fastMallocSize):
2014         * wtf/FastMalloc.h:
2015         * wtf/MainThread.cpp:
2016         * wtf/MathExtras.h:
2017         * wtf/OwnPtrCommon.h:
2018         * wtf/Platform.h:
2019         * wtf/RandomNumber.cpp:
2020         (WTF::randomNumber):
2021         * wtf/RandomNumberSeed.h:
2022         (WTF::initializeRandomNumberGenerator):
2023         * wtf/text/WTFString.h:
2024         * wtf/unicode/Unicode.h:
2025
2026 2011-09-20  Adam Roben  <aroben@apple.com>
2027
2028         Windows build fix after r95523
2029
2030         * wtf/CheckedArithmetic.h: Added stdint.h so we can have int64_t defined.
2031
2032 2011-09-18  Filip Pizlo  <fpizlo@apple.com>
2033
2034         DFG JIT does not speculate aggressively enough on GetById
2035         https://bugs.webkit.org/show_bug.cgi?id=68320
2036
2037         Reviewed by Oliver Hunt.
2038         
2039         This adds the ability to access properties directly, by offset.
2040         This optimization kicks in when at the time of DFG compilation,
2041         it appears that the given get_by_id is self-cached by the old JIT.
2042         Two new opcodes get introduced: CheckStructure and GetByOffset.
2043         CheckStructure performs a speculation check on the object's
2044         structure, and returns the storage pointer. GetByOffset performs
2045         a direct read of the field from the storage pointer. Both
2046         CheckStructure and GetByOffset can be CSE'd, so that we can
2047         eliminate redundant structure checks, and redundant reads of the
2048         same field.
2049         
2050         This is a 4% speed-up on V8, a 2% slow-down on Kraken, and
2051         neutral on SunSpider.
2052
2053         * bytecode/PredictedType.cpp:
2054         (JSC::predictionFromClassInfo):
2055         (JSC::predictionFromStructure):
2056         (JSC::predictionFromCell):
2057         * bytecode/PredictedType.h:
2058         * dfg/DFGByteCodeParser.cpp:
2059         (JSC::DFG::ByteCodeParser::parseBlock):
2060         * dfg/DFGGenerationInfo.h:
2061         (JSC::DFG::dataFormatToString):
2062         (JSC::DFG::needDataFormatConversion):
2063         (JSC::DFG::GenerationInfo::initStorage):
2064         (JSC::DFG::GenerationInfo::spill):
2065         (JSC::DFG::GenerationInfo::fillStorage):
2066         * dfg/DFGGraph.h:
2067         (JSC::DFG::Graph::predict):
2068         (JSC::DFG::Graph::getPrediction):
2069         * dfg/DFGJITCodeGenerator.cpp:
2070         (JSC::DFG::JITCodeGenerator::fillInteger):
2071         (JSC::DFG::JITCodeGenerator::fillDouble):
2072         (JSC::DFG::JITCodeGenerator::fillJSValue):
2073         (JSC::DFG::JITCodeGenerator::fillStorage):
2074         (JSC::DFG::GPRTemporary::GPRTemporary):
2075         * dfg/DFGJITCodeGenerator.h:
2076         (JSC::DFG::JITCodeGenerator::silentSpillGPR):
2077         (JSC::DFG::JITCodeGenerator::silentFillGPR):
2078         (JSC::DFG::JITCodeGenerator::spill):
2079         (JSC::DFG::JITCodeGenerator::storageResult):
2080         (JSC::DFG::StorageOperand::StorageOperand):
2081         (JSC::DFG::StorageOperand::~StorageOperand):
2082         (JSC::DFG::StorageOperand::index):
2083         (JSC::DFG::StorageOperand::gpr):
2084         (JSC::DFG::StorageOperand::use):
2085         * dfg/DFGNode.h:
2086         (JSC::DFG::OpInfo::OpInfo):
2087         (JSC::DFG::Node::Node):
2088         (JSC::DFG::Node::hasPrediction):
2089         (JSC::DFG::Node::hasStructure):
2090         (JSC::DFG::Node::structure):
2091         (JSC::DFG::Node::hasStorageAccessData):
2092         (JSC::DFG::Node::storageAccessDataIndex):
2093         * dfg/DFGPropagator.cpp:
2094         (JSC::DFG::Propagator::propagateNode):
2095         (JSC::DFG::Propagator::globalVarLoadElimination):
2096         (JSC::DFG::Propagator::getMethodLoadElimination):
2097         (JSC::DFG::Propagator::checkStructureLoadElimination):
2098         (JSC::DFG::Propagator::getByOffsetLoadElimination):
2099         (JSC::DFG::Propagator::performNodeCSE):
2100         * dfg/DFGSpeculativeJIT.cpp:
2101         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
2102         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2103         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2104         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2105         (JSC::DFG::SpeculativeJIT::compile):
2106         * wtf/StdLibExtras.h:
2107         (WTF::safeCast):
2108
2109 2011-09-19  Mark Hahnenberg  <mhahnenberg@apple.com>
2110
2111         Remove toPrimitive from JSCell
2112         https://bugs.webkit.org/show_bug.cgi?id=67875
2113
2114         Reviewed by Darin Adler.
2115
2116         Part of the refactoring process to un-virtualize JSCell.  We move 
2117         all of the implicit functionality provided by the virtual toPrimitive method 
2118         in JSCell to be explicit in JSValue::toPrimitive and JSCell::toPrimitive while 
2119         also de-virtualizing JSCell::toPrimitive.
2120
2121         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2122         * runtime/JSCell.cpp:
2123         (JSC::JSCell::toPrimitive):
2124         * runtime/JSCell.h:
2125
2126         We replace JSNotAnObject::toPrimitive with defaultValue, which it overrides from 
2127         JSObject.  This pushes the virtual method further down, enabling us to get rid 
2128         of the virtual call in JSCell.  Eventually we'll probably have to deal with this
2129         again, but we'll cross that bridge when we come to it.
2130         * runtime/JSNotAnObject.cpp:
2131         (JSC::JSNotAnObject::defaultValue):
2132         * runtime/JSNotAnObject.h:
2133         * runtime/JSObject.h:
2134         * runtime/JSString.h:
2135
2136 2011-09-19  Geoffrey Garen  <ggaren@apple.com>
2137
2138         Removed ENABLE_LAZY_BLOCK_FREEING and related #ifdefs
2139         https://bugs.webkit.org/show_bug.cgi?id=68424
2140
2141         As discussed on webkit-dev. All ports build with threads enabled in JSC now.
2142         
2143         This may break WinCE and other ports that have not built and tested with
2144         this configuration. I've filed bugs for port maintainers. It's time for
2145         WebKit to move forward.
2146
2147         Reviewed by Mark Rowe.
2148
2149         * heap/Heap.cpp:
2150         (JSC::Heap::Heap):
2151         (JSC::Heap::~Heap):
2152         (JSC::Heap::destroy):
2153         (JSC::Heap::blockFreeingThreadMain):
2154         (JSC::Heap::allocateBlock):
2155         (JSC::Heap::freeBlocks):
2156         (JSC::Heap::releaseFreeBlocks):
2157         * heap/Heap.h:
2158         * wtf/Platform.h:
2159
2160 2011-09-19  Geoffrey Garen  <ggaren@apple.com>
2161
2162         Removed ENABLE_WTF_MULTIPLE_THREADS and related #ifdefs
2163         https://bugs.webkit.org/show_bug.cgi?id=68423
2164
2165         As discussed on webkit-dev. All ports build with threads enabled in WTF now.
2166         
2167         This may break WinCE and other ports that have not built and tested with
2168         this configuration. I've filed bugs for port maintainers. It's time for
2169         WebKit to move forward.
2170
2171         Reviewed by Mark Rowe.
2172
2173         * wtf/CryptographicallyRandomNumber.cpp:
2174         (WTF::ARC4Stream::ARC4RandomNumberGenerator::randomNumber):
2175         (WTF::ARC4Stream::ARC4RandomNumberGenerator::randomValues):
2176         * wtf/FastMalloc.cpp:
2177         * wtf/Platform.h:
2178         * wtf/RandomNumber.cpp:
2179         (WTF::randomNumber):
2180         * wtf/RefCountedLeakCounter.cpp:
2181         (WTF::RefCountedLeakCounter::increment):
2182         (WTF::RefCountedLeakCounter::decrement):
2183         * wtf/ThreadingPthreads.cpp:
2184         (WTF::initializeThreading):
2185         * wtf/ThreadingWin.cpp:
2186         (WTF::initializeThreading):
2187         * wtf/dtoa.cpp:
2188         (WTF::pow5mult):
2189         * wtf/gtk/ThreadingGtk.cpp:
2190         (WTF::initializeThreading):
2191         * wtf/qt/ThreadingQt.cpp:
2192         (WTF::initializeThreading):
2193
2194 2011-09-19  Geoffrey Garen  <ggaren@apple.com>
2195
2196         Removed ENABLE_JSC_MULTIPLE_THREADS and related #ifdefs.
2197         https://bugs.webkit.org/show_bug.cgi?id=68422
2198         
2199         As discussed on webkit-dev. All ports build with threads enabled in JSC now.
2200         
2201         This may break WinCE and other ports that have not built and tested with
2202         this configuration. I've filed bugs for port maintainers. It's time for
2203         WebKit to move forward.
2204
2205         Reviewed by Sam Weinig.
2206
2207         * API/APIShims.h:
2208         (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock):
2209         * API/JSContextRef.cpp:
2210         * heap/MachineStackMarker.cpp:
2211         (JSC::MachineThreads::MachineThreads):
2212         (JSC::MachineThreads::~MachineThreads):
2213         (JSC::MachineThreads::gatherConservativeRoots):
2214         * heap/MachineStackMarker.h:
2215         * runtime/InitializeThreading.cpp:
2216         (JSC::initializeThreadingOnce):
2217         (JSC::initializeThreading):
2218         * runtime/JSGlobalData.cpp:
2219         (JSC::JSGlobalData::sharedInstance):
2220         * runtime/JSGlobalData.h:
2221         (JSC::JSGlobalData::makeUsableFromMultipleThreads):
2222         * runtime/JSLock.cpp:
2223         * runtime/Structure.cpp:
2224         * wtf/Platform.h:
2225
2226 2011-09-19  Sheriff Bot  <webkit.review.bot@gmail.com>
2227
2228         Unreviewed, rolling out r95493 and r95496.
2229         http://trac.webkit.org/changeset/95493
2230         http://trac.webkit.org/changeset/95496
2231         https://bugs.webkit.org/show_bug.cgi?id=68418
2232
2233         Broke Windows build (Requested by rniwa on #webkit).
2234
2235         * CMakeLists.txt:
2236         * GNUmakefile.list.am:
2237         * JavaScriptCore.exp:
2238         * JavaScriptCore.gypi:
2239         * JavaScriptCore.pro:
2240         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2241         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2242         * JavaScriptCore.xcodeproj/project.pbxproj:
2243         * debugger/Debugger.cpp:
2244         (JSC::Debugger::recompileAllJSFunctions):
2245         * heap/AllocationSpace.cpp: Removed.
2246         * heap/AllocationSpace.h: Removed.
2247         * heap/Heap.cpp:
2248         (JSC::CountFunctor::TakeIfEmpty::TakeIfEmpty):
2249         (JSC::CountFunctor::TakeIfEmpty::operator()):
2250         (JSC::CountFunctor::TakeIfEmpty::returnValue):
2251         (JSC::Heap::Heap):
2252         (JSC::Heap::reportExtraMemoryCostSlowCase):
2253         (JSC::Heap::tryAllocate):
2254         (JSC::Heap::allocateSlowCase):
2255         (JSC::Heap::getConservativeRegisterRoots):
2256         (JSC::Heap::markRoots):
2257         (JSC::Heap::clearMarks):
2258         (JSC::Heap::sweep):
2259         (JSC::Heap::objectCount):
2260         (JSC::Heap::size):
2261         (JSC::Heap::capacity):
2262         (JSC::Heap::globalObjectCount):
2263         (JSC::Heap::objectTypeCounts):
2264         (JSC::Heap::collect):
2265         (JSC::Heap::canonicalizeBlocks):
2266         (JSC::Heap::resetAllocator):
2267         (JSC::Heap::allocateBlock):
2268         (JSC::Heap::freeBlocks):
2269         (JSC::Heap::shrink):
2270         * heap/Heap.h:
2271         (JSC::Heap::markedSpace):
2272         (JSC::Heap::forEachCell):
2273         (JSC::Heap::forEachBlock):
2274         (JSC::Heap::sizeClassFor):
2275         (JSC::Heap::allocate):
2276         * jit/JITInlineMethods.h:
2277         (JSC::JIT::emitAllocateBasicJSObject):
2278         * runtime/JSGlobalData.cpp:
2279         (JSC::JSGlobalData::recompileAllJSFunctions):
2280         (JSC::JSGlobalData::releaseExecutableMemory):
2281
2282 2011-09-19  Gavin Barraclough  <barraclough@apple.com>
2283
2284         Errrk, missed stylebot comments in last commit.
2285
2286         * runtime/StringPrototype.cpp:
2287         (JSC::stringProtoFuncSplit):
2288
2289 2011-09-19  Gavin Barraclough  <barraclough@apple.com>
2290
2291         String#split is buggy
2292         https://bugs.webkit.org/show_bug.cgi?id=68348
2293
2294         Reviewed by Sam Weinig.
2295
2296         * runtime/StringPrototype.cpp:
2297         (JSC::jsStringWithReuse):
2298             - added helper function to reuse original JSString value.
2299         (JSC::stringProtoFuncSplit):
2300             - Rewritten from the spec.
2301         * tests/mozilla/ecma/String/15.5.4.8-2.js:
2302         (getTestCases):
2303             - This test is not ES5 compliant.
2304
2305 2011-09-19  Geoffrey Garen  <ggaren@apple.com>
2306
2307         Removed lots of friend declarations from JSCell, so we can more
2308         effectively make use of private and protected.
2309
2310         Reviewed by Sam Weinig.
2311
2312         * runtime/JSCell.h: Removed MSVCBugWorkaround because it was a lot of
2313         confusion for not much safety.
2314         (JSC::JSCell::operator new): Made this public because it is used by a
2315         few clients, and not really dangerous.
2316
2317         * runtime/JSObject.cpp:
2318         (JSC::JSObject::put):
2319         (JSC::JSObject::deleteProperty):
2320         (JSC::JSObject::defineGetter):
2321         (JSC::JSObject::defineSetter):
2322         (JSC::JSObject::getPropertySpecificValue):
2323         (JSC::JSObject::getOwnPropertyNames):
2324         (JSC::JSObject::seal):
2325         (JSC::JSObject::freeze):
2326         (JSC::JSObject::preventExtensions):
2327         (JSC::JSObject::removeDirect):
2328         (JSC::JSObject::createInheritorID):
2329         (JSC::JSObject::allocatePropertyStorage):
2330         (JSC::JSObject::getOwnPropertyDescriptor):
2331         * runtime/JSObject.h:
2332         (JSC::JSObject::getDirect):
2333         (JSC::JSObject::getDirectLocation):
2334         (JSC::JSObject::hasCustomProperties):
2335         (JSC::JSObject::hasGetterSetterProperties):
2336         (JSC::JSObject::isSealed):
2337         (JSC::JSObject::isFrozen):
2338         (JSC::JSObject::isExtensible):
2339         (JSC::JSObject::flattenDictionaryObject):
2340         (JSC::JSObject::finishCreation):
2341         (JSC::JSObject::prototype):
2342         (JSC::JSObject::setPrototype):
2343         (JSC::JSObject::inlineGetOwnPropertySlot):
2344         (JSC::JSCell::fastGetOwnProperty):
2345         (JSC::JSObject::putDirectInternal):
2346         (JSC::JSObject::putDirectWithoutTransition):
2347         (JSC::JSObject::transitionTo):
2348         (JSC::JSObject::visitChildrenDirect): Changed all use of m_structure to
2349         structure() / setStructure(), so we don't have to be a friend of JSCell.
2350
2351         * runtime/Structure.h:
2352         (JSC::JSCell::setStructure): Added, to avoid direct access by JSObject
2353         to JSCell::m_structure.
2354
2355 2011-09-19  Adam Barth  <abarth@webkit.org>
2356
2357         Always enable ENABLE(EVENTSOURCE)
2358         https://bugs.webkit.org/show_bug.cgi?id=68414
2359
2360         Reviewed by Eric Seidel.
2361
2362         * Configurations/FeatureDefines.xcconfig:
2363
2364 2011-09-19  Eli Fidler  <efidler@rim.com>
2365
2366         Enable JSC_MULTIPLE_THREADS for OS(QNX).
2367         https://bugs.webkit.org/show_bug.cgi?id=68047
2368
2369         Reviewed by Daniel Bates.
2370
2371         SA_RESTART was required for SIGUSR2-based debugging, but is not
2372         present on QNX. This debugging doesn't seem critical to
2373         JSC_MULTIPLE_THREADS, so allow it to proceed.
2374
2375         * heap/MachineStackMarker.cpp:
2376         (JSC::MachineThreads::Thread::Thread):
2377         (JSC::getPlatformThreadRegisters):
2378         (JSC::otherThreadStackPointer):
2379         (JSC::freePlatformThreadRegisters):
2380         * wtf/Platform.h: enable PTHREADS for OS(QNX)
2381
2382 2011-09-19  Oliver Hunt  <oliver@apple.com>
2383
2384         Windows build fix.
2385
2386         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2387
2388 2011-09-19  Oliver Hunt  <oliver@apple.com>
2389
2390         Refactor Heap allocation logic into separate AllocationSpace class
2391         https://bugs.webkit.org/show_bug.cgi?id=68409
2392
2393         Reviewed by Gavin Barraclough.
2394
2395         This patch hoists direct manipulation of the MarkedSpace and related
2396         data out of Heap and into a separate class.  This will allow us to
2397         have multiple allocation spaces in future, so easing the way towards
2398         having GC'd backing stores for objects.
2399
2400         * CMakeLists.txt:
2401         * GNUmakefile.list.am:
2402         * JavaScriptCore.exp:
2403         * JavaScriptCore.gypi:
2404         * JavaScriptCore.pro:
2405         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2406         * JavaScriptCore.xcodeproj/project.pbxproj:
2407         * debugger/Debugger.cpp:
2408         (JSC::Debugger::recompileAllJSFunctions):
2409         * heap/AllocationSpace.cpp: Added.
2410         (JSC::AllocationSpace::tryAllocate):
2411         (JSC::AllocationSpace::allocateSlowCase):
2412         (JSC::AllocationSpace::allocateBlock):
2413         (JSC::AllocationSpace::freeBlocks):
2414         (JSC::TakeIfEmpty::TakeIfEmpty):
2415         (JSC::TakeIfEmpty::operator()):
2416         (JSC::TakeIfEmpty::returnValue):
2417         (JSC::AllocationSpace::shrink):
2418         * heap/AllocationSpace.h: Added.
2419         (JSC::AllocationSpace::AllocationSpace):
2420         (JSC::AllocationSpace::blocks):
2421         (JSC::AllocationSpace::sizeClassFor):
2422         (JSC::AllocationSpace::setHighWaterMark):
2423         (JSC::AllocationSpace::highWaterMark):
2424         (JSC::AllocationSpace::canonicalizeBlocks):
2425         (JSC::AllocationSpace::resetAllocator):
2426         (JSC::AllocationSpace::forEachCell):
2427         (JSC::AllocationSpace::forEachBlock):
2428         (JSC::AllocationSpace::allocate):
2429         * heap/Heap.cpp:
2430         (JSC::Heap::Heap):
2431         (JSC::Heap::reportExtraMemoryCostSlowCase):
2432         (JSC::Heap::getConservativeRegisterRoots):
2433         (JSC::Heap::markRoots):
2434         (JSC::Heap::clearMarks):
2435         (JSC::Heap::sweep):
2436         (JSC::Heap::objectCount):
2437         (JSC::Heap::size):
2438         (JSC::Heap::capacity):
2439         (JSC::Heap::globalObjectCount):
2440         (JSC::Heap::objectTypeCounts):
2441         (JSC::Heap::collect):
2442         (JSC::Heap::canonicalizeBlocks):
2443         (JSC::Heap::resetAllocator):
2444         (JSC::Heap::freeBlocks):
2445         (JSC::Heap::shrink):
2446         * heap/Heap.h:
2447         (JSC::Heap::objectSpace):
2448         (JSC::Heap::sizeClassForObject):
2449         (JSC::Heap::allocate):
2450         * jit/JITInlineMethods.h:
2451         (JSC::JIT::emitAllocateBasicJSObject):
2452         * runtime/JSGlobalData.cpp:
2453         (JSC::JSGlobalData::recompileAllJSFunctions):
2454         (JSC::JSGlobalData::releaseExecutableMemory):
2455
2456 2011-09-19  Adam Roben  <aroben@apple.com>
2457
2458         Windows build fix after r95310
2459
2460         * JavaScriptCore.vcproj/testRegExp/testRegExpCommon.vsprops: Added
2461         include\private\JavaScriptCore to the include path so DFGIntrinsic.h can be found.
2462
2463 2011-09-19  Filip Pizlo  <fpizlo@apple.com>
2464
2465         DFG speculation failures should act as additional value profiles
2466         https://bugs.webkit.org/show_bug.cgi?id=68335
2467
2468         Reviewed by Oliver Hunt.
2469         
2470         This adds slow-case counters to the old JIT. It also ensures that
2471         negative zero in multiply is handled carefully. The old JIT
2472         previously took slow path if the result of a multiply was zero,
2473         which, without any changes, would cause the DFG to think that
2474         every such multiply produced a double result.
2475         
2476         This also fixes a bug in the old JIT's handling of decrements. It
2477         would take the slow path if the result was zero, but not if it
2478         underflowed.
2479         
2480         By itself, this would be a 1% slow-down on V8 and Kraken. But then
2481         I wrote optimizations in the DFG that take advantage of this new
2482         information. It's no longer the case that every multiply needs to
2483         do a check for negative zero; it only happens if the negative
2484         zero is ignored.
2485         
2486         This results in a 12% speed-up on v8-crypto, for a 1.4% geomean
2487         speed-up in V8. It's mostly neutral on Kraken. I can see an
2488         speed-up in V8. It's mostly neutral on Kraken. I can see a
2489
2490         * bytecode/CodeBlock.cpp:
2491         (JSC::CodeBlock::resetRareCaseProfiles):
2492         (JSC::CodeBlock::dumpValueProfiles):
2493         * bytecode/CodeBlock.h:
2494         * bytecode/ValueProfile.h:
2495         (JSC::RareCaseProfile::RareCaseProfile):
2496         (JSC::getRareCaseProfileBytecodeOffset):
2497         * dfg/DFGByteCodeParser.cpp:
2498         (JSC::DFG::ByteCodeParser::toInt32):
2499         (JSC::DFG::ByteCodeParser::makeSafe):
2500         (JSC::DFG::ByteCodeParser::parseBlock):
2501         * dfg/DFGJITCodeGenerator.cpp:
2502         (JSC::DFG::GPRTemporary::GPRTemporary):
2503         * dfg/DFGJITCodeGenerator.h:
2504         * dfg/DFGNode.h:
2505         * dfg/DFGPropagator.cpp:
2506         (JSC::DFG::Propagator::propagateNode):
2507         (JSC::DFG::Propagator::fixupNode):
2508         (JSC::DFG::Propagator::clobbersWorld):
2509         (JSC::DFG::Propagator::performNodeCSE):
2510         * dfg/DFGSpeculativeJIT.cpp:
2511         (JSC::DFG::SpeculativeJIT::compile):
2512         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
2513         * jit/JIT.cpp:
2514         (JSC::JIT::privateCompileSlowCases):
2515         * jit/JIT.h:
2516         (JSC::JIT::linkDummySlowCase):
2517         * jit/JITArithmetic.cpp:
2518         (JSC::JIT::emit_op_post_dec):
2519         (JSC::JIT::emit_op_pre_dec):
2520         (JSC::JIT::compileBinaryArithOp):
2521         (JSC::JIT::emit_op_add):
2522         (JSC::JIT::emitSlow_op_add):
2523         * jit/JITInlineMethods.h:
2524         (JSC::JIT::addSlowCase):
2525
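        Added example, not JavaScriptCore's own code: the int32 corner cases this entry
        describes (a zero product that is really -0, and a decrement that underflows),
        written as JavaScript checks, plus a miniature rare-case profile to show how
        slow-case counts can drive a speculating tier's int32-versus-double choice. The
        oldJit*/fixedJit* names, the threshold and the samples are constructed for illustration.

```javascript
// Added example (not JSC code): int32 fast-path bail-out rules and a toy rare-case profile.
const INT32_MIN = -2147483648;
const INT32_MAX = 2147483647;

function assertInt32(v) {
  if (!Number.isInteger(v) || v < INT32_MIN || v > INT32_MAX)
    throw new TypeError(`expected an int32, got ${v}`);
}

// -0 is why a zero product needs care: -1 * 0 is -0 in JS, and -0 has no int32
// representation, so an int32 fast path would silently return +0 instead.
function isNegativeZero(v) {
  return Object.is(v, -0);
}

// Old behaviour (illustrative): every zero product left the fast path, so a hot
// `x * 0` looked to the profiler as if it always produced a double.
function oldJitMultiplyTakesSlowPath(a, b) {
  assertInt32(a); assertInt32(b);
  const product = a * b;
  return product === 0 || product < INT32_MIN || product > INT32_MAX;
}

// Fixed behaviour: only overflow or a genuine negative zero leaves the int32 path.
function fixedJitMultiplyTakesSlowPath(a, b) {
  assertInt32(a); assertInt32(b);
  const product = a * b;
  return isNegativeZero(product) || product < INT32_MIN || product > INT32_MAX;
}

// Decrement: the old check bailed on a zero result but missed INT32_MIN - 1.
function oldJitDecrementTakesSlowPath(x) {
  assertInt32(x);
  return x - 1 === 0;
}

// The fixed check bails exactly when the result no longer fits an int32.
function fixedJitDecrementTakesSlowPath(x) {
  assertInt32(x);
  return x - 1 < INT32_MIN;
}

// What an int32 decrement computes when underflow is not caught: wraparound.
function int32Decrement(x) {
  assertInt32(x);
  return (x - 1) | 0;
}

// A rare-case profile in miniature: count how often an op left the fast path, then
// let the speculating tier pick int32 or double arithmetic from the ratio.
// `maxSlowRatio` is a constructed threshold, not a JSC tunable.
function speculateFromProfile(samples, takesSlowPath, maxSlowRatio = 0.1) {
  let slow = 0;
  for (const args of samples) if (takesSlowPath(...args)) slow++;
  return slow / samples.length > maxSlowRatio ? 'double' : 'int32';
}

// Constructed sample: a loop that multiplies by zero a lot but never produces -0.
// With the old rule most samples count as slow cases and the multiply is speculated
// as double; with the fixed rule none do and it stays int32.
const zeroHeavySamples = [[3, 0], [7, 0], [2, 5], [0, 9], [4, 0]];
```
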
2526 2011-09-19  Adam Roben  <aroben@apple.com>
2527
2528         Windows build fix after r94575
2529
2530         * JavaScriptCore.vcproj/JavaScriptCore.sln: Relinearized project dependencies. testRegExp
2531         now builds just before FindSafari.
2532
2533 2011-09-19  Sheriff Bot  <webkit.review.bot@gmail.com>
2534
2535         Unreviewed, rolling out r95466.
2536         http://trac.webkit.org/changeset/95466
2537         https://bugs.webkit.org/show_bug.cgi?id=68389
2538
2539         Incorrect version of the patch. (Requested by mhahnenberg on
2540         #webkit).
2541
2542         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2543         * runtime/JSCell.cpp:
2544         (JSC::JSCell::toPrimitive):
2545         * runtime/JSCell.h:
2546         (JSC::JSCell::JSValue::toPrimitive):
2547         * runtime/JSNotAnObject.cpp:
2548         (JSC::JSNotAnObject::toPrimitive):
2549         * runtime/JSNotAnObject.h:
2550         * runtime/JSObject.h:
2551         * runtime/JSString.h:
2552
2553 2011-09-19  Mark Hahnenberg  <mhahnenberg@apple.com>
2554
2555         Remove toPrimitive from JSCell
2556         https://bugs.webkit.org/show_bug.cgi?id=67875
2557
2558         Reviewed by Geoffrey Garen.
2559
2560         Part of the refactoring process to un-virtualize JSCell.  We move 
2561         all of the implicit functionality provided by the virtual toPrimitive method 
2562         in JSCell to be explicit in JSValue::toPrimitive and JSCell::toPrimitive while 
2563         also de-virtualizing JSCell::toPrimitive.
2564
2565         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2566         * runtime/JSCell.cpp:
2567         (JSC::JSCell::toPrimitive):
2568         * runtime/JSCell.h:
2569
2570         We replace JSNotAnObject::toPrimitive with defaultValue, which it overrides from 
2571         JSObject.  This pushes the virtual method further down, enabling us to get rid 
2572         of the virtual call in JSCell.  Eventually we'll probably have to deal with this
2573         again, but we'll cross that bridge when we come to it.
2574         * runtime/JSNotAnObject.cpp:
2575         (JSC::JSNotAnObject::defaultValue):
2576         * runtime/JSNotAnObject.h:
2577         * runtime/JSObject.h:
2578         * runtime/JSString.h:
2579         (JSC::JSValue::toPrimitive):
2580
2581 2011-09-19  Oliver Hunt  <oliver@apple.com>
2582
2583         Build fix.
2584
2585         * jit/JITPropertyAccess32_64.cpp:
2586         (JSC::JIT::compileGetDirectOffset):
2587
2588 2011-09-19  Oliver Hunt  <oliver@apple.com>
2589
2590         Rename NewSpace.{h,cpp} to MarkedSpace.{h,cpp}
2591         https://bugs.webkit.org/show_bug.cgi?id=68376
2592
2593         Reviewed by Gavin Barraclough.
2594
2595         Renamed the MarkedSpace files to match the new name, and
2596         updated the relevant references.
2597
2598         * CMakeLists.txt:
2599         * GNUmakefile.list.am:
2600         * JavaScriptCore.gypi:
2601         * JavaScriptCore.pro:
2602         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2603         * JavaScriptCore.xcodeproj/project.pbxproj:
2604         * heap/Heap.h:
2605         * heap/MarkedSpace.cpp: Renamed from Source/JavaScriptCore/heap/NewSpace.cpp.
2606         (JSC::MarkedSpace::MarkedSpace):
2607         (JSC::MarkedSpace::addBlock):
2608         (JSC::MarkedSpace::removeBlock):
2609         (JSC::MarkedSpace::resetAllocator):
2610         (JSC::MarkedSpace::canonicalizeBlocks):
2611         * heap/MarkedSpace.h: Renamed from Source/JavaScriptCore/heap/NewSpace.h.
2612         (JSC::MarkedSpace::waterMark):
2613         (JSC::MarkedSpace::highWaterMark):
2614         (JSC::MarkedSpace::setHighWaterMark):
2615         (JSC::MarkedSpace::sizeClassFor):
2616         (JSC::MarkedSpace::allocate):
2617         (JSC::MarkedSpace::forEachBlock):
2618         (JSC::MarkedSpace::SizeClass::SizeClass):
2619         (JSC::MarkedSpace::SizeClass::resetAllocator):
2620         (JSC::MarkedSpace::SizeClass::canonicalizeBlock):
2621         * runtime/JSCell.h:
2622
2623 2011-09-19  Oliver Hunt  <oliver@apple.com>
2624
2625         Rename NewSpace to MarkedSpace
2626         https://bugs.webkit.org/show_bug.cgi?id=68375
2627
2628         Reviewed by Gavin Barraclough.
2629
2630         Rename NewSpace to a more accurate name, and update all uses.
2631         This patch doesn't rename the files themselves as that will
2632         just make the patch appear bigger than it is.
2633
2634         * JavaScriptCore.exp:
2635         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2636         * heap/Heap.cpp:
2637         (JSC::CountFunctor::TakeIfEmpty::TakeIfEmpty):
2638         (JSC::CountFunctor::TakeIfEmpty::operator()):
2639         (JSC::Heap::Heap):
2640         (JSC::Heap::reportExtraMemoryCostSlowCase):
2641         (JSC::Heap::tryAllocate):
2642         (JSC::Heap::allocateSlowCase):
2643         (JSC::Heap::collect):
2644         (JSC::Heap::canonicalizeBlocks):
2645         (JSC::Heap::resetAllocator):
2646         (JSC::Heap::isValidAllocation):
2647         (JSC::Heap::shrink):
2648         * heap/Heap.h:
2649         (JSC::Heap::markedSpace):
2650         (JSC::Heap::sizeClassFor):
2651         (JSC::Heap::allocate):
2652         * heap/NewSpace.cpp:
2653         (JSC::MarkedSpace::MarkedSpace):
2654         (JSC::MarkedSpace::addBlock):
2655         (JSC::MarkedSpace::removeBlock):
2656         (JSC::MarkedSpace::resetAllocator):
2657         (JSC::MarkedSpace::canonicalizeBlocks):
2658         * heap/NewSpace.h:
2659         (JSC::MarkedSpace::waterMark):
2660         (JSC::MarkedSpace::highWaterMark):
2661         (JSC::MarkedSpace::setHighWaterMark):
2662         (JSC::MarkedSpace::sizeClassFor):
2663         (JSC::MarkedSpace::allocate):
2664         (JSC::MarkedSpace::forEachBlock):
2665         (JSC::MarkedSpace::SizeClass::SizeClass):
2666         (JSC::MarkedSpace::SizeClass::resetAllocator):
2667         (JSC::MarkedSpace::SizeClass::canonicalizeBlock):
2668         * jit/JITInlineMethods.h:
2669         (JSC::JIT::emitAllocateBasicJSObject):
2670
2671 2011-09-19  Peter Rybin  <peter.rybin@gmail.com>
2672
2673         TextPosition refactoring: Merge ZeroBasedNumber and OneBasedNumber classes
2674         https://bugs.webkit.org/show_bug.cgi?id=63541
2675
2676         Reviewed by Adam Barth.
2677
2678         * parser/SourceProvider.h:
2679         (JSC::SourceProvider::startPosition):
2680         * wtf/text/TextPosition.h:
2681         (WTF::OrdinalNumber::fromZeroBasedInt):
2682         (WTF::OrdinalNumber::fromOneBasedInt):
2683         (WTF::OrdinalNumber::OrdinalNumber):
2684         (WTF::OrdinalNumber::zeroBasedInt):
2685         (WTF::OrdinalNumber::oneBasedInt):
2686         (WTF::OrdinalNumber::operator==):
2687         (WTF::OrdinalNumber::operator!=):
2688         (WTF::OrdinalNumber::first):
2689         (WTF::OrdinalNumber::beforeFirst):
2690         (WTF::TextPosition::TextPosition):
2691         (WTF::TextPosition::minimumPosition):
2692         (WTF::TextPosition::belowRangePosition):
2693
2694 2011-09-19  Dan Bernstein  <mitz@apple.com>
2695
2696         JavaScriptCore part of [mac] WebKit contains Objective-C classes that are not prefixed with its standard prefixes
2697         https://bugs.webkit.org/show_bug.cgi?id=68323
2698
2699         Reviewed by Sam Weinig.
2700
2701         Renamed WTFMainThreadCaller to JSWTFMainThreadCaller.
2702
2703         * wtf/mac/MainThreadMac.mm:
2704         (WTF::initializeMainThreadPlatform):
2705         (WTF::initializeMainThreadToProcessMainThreadPlatform):
2706
2707 2011-09-19  Oliver Hunt  <oliver@apple.com>
2708
2709         Remove direct property slot pointers from the instruction stream
2710         https://bugs.webkit.org/show_bug.cgi?id=68373
2711
2712         Reviewed by Gavin Barraclough.
2713
2714         Use an indirect load to access prototype properties rather than directly
2715         storing the property address in the instruction stream.  This should allow
2716         further optimisations in future, and also provides a 0.5% win to sunspider.
2717
2718         * dfg/DFGRepatch.cpp:
2719         (JSC::DFG::generateProtoChainAccessStub):
2720         * jit/JITPropertyAccess.cpp:
2721         (JSC::JIT::compileGetDirectOffset):
2722         * jit/JITPropertyAccess32_64.cpp:
2723         (JSC::JIT::compileGetDirectOffset):
2724         * runtime/JSObject.h:
2725         (JSC::JSObject::addressOfPropertyStorage):
2726
2727 2011-09-19  Oliver Hunt  <oliver@apple.com>
2728
2729         Remove bump allocator
2730         https://bugs.webkit.org/show_bug.cgi?id=68370
2731
2732         Reviewed by Sam Weinig.
2733
2734         Can't do anything with this allocator currently, and it's
2735         increasing the complexity of the GC code.  Slight progression
2736         on SunSpider, slight regression (undoing the original progression)
2737         in V8.
2738
2739         * heap/Heap.cpp:
2740         (JSC::Heap::collect):
2741         * heap/Heap.h:
2742         * heap/NewSpace.cpp:
2743         (JSC::NewSpace::NewSpace):
2744         * heap/NewSpace.h:
2745         (JSC::NewSpace::allocate):
2746         * runtime/JSObject.cpp:
2747         (JSC::JSObject::allocatePropertyStorage):
2748         * runtime/JSObject.h:
2749         (JSC::JSObject::~JSObject):
2750         (JSC::JSObject::visitChildrenDirect):
2751         * runtime/StorageBarrier.h:
2752         (JSC::StorageBarrier::set):
2753
2754 2011-09-19  Carlos Garcia Campos  <cgarcia@igalia.com>
2755
2756         [GTK] Fix distcheck build
2757         https://bugs.webkit.org/show_bug.cgi?id=68346
2758
2759         Reviewed by Philippe Normand.
2760
2761         * GNUmakefile.list.am:
2762
2763 2011-09-19  Carlos Garcia Campos  <cgarcia@igalia.com>
2764
2765         [GTK] Fix distcheck build
2766         https://bugs.webkit.org/show_bug.cgi?id=68241
2767
2768         Reviewed by Martin Robinson.
2769
2770         * GNUmakefile.list.am:
2771
2772 2011-09-18  Dan Bernstein  <mitz@apple.com>
2773
2774         Removed ProfilerServer.
2775
2776         Reviewed by Mark Rowe.
2777
2778         * JavaScriptCore.gypi:
2779         * JavaScriptCore.xcodeproj/project.pbxproj:
2780         * profiler/ProfilerServer.h: Removed.
2781         * profiler/ProfilerServer.mm: Removed.
2782         * runtime/JSGlobalData.cpp:
2783         (JSC::JSGlobalData::JSGlobalData):
2784         * wscript:
2785
2786 2011-09-17  Filip Pizlo  <fpizlo@apple.com>
2787
2788         DFG JIT should inline Math.min, Math.max, and Math.sqrt
2789         https://bugs.webkit.org/show_bug.cgi?id=68318
2790
2791         Reviewed by Gavin Barraclough.
2792         
2793         Adds Math.min, Math.max, and Math.sqrt intrinsics. Adds support for
2794         a function to have an intrinsic but not a thunk generator. This is
2795         a 7% speed-up on access-nbody, and neutral elsewhere, mainly because
2796         we're still not DFG compiling the bulk of the hot code in Kraken audio
2797         benchmarks.
2798
2799         * create_hash_table:
2800         * dfg/DFGByteCodeParser.cpp:
2801         (JSC::DFG::ByteCodeParser::handleMinMax):
2802         (JSC::DFG::ByteCodeParser::handleIntrinsic):
2803         * dfg/DFGIntrinsic.h:
2804         * dfg/DFGNode.h:
2805         * dfg/DFGPropagator.cpp:
2806         (JSC::DFG::Propagator::propagateNode):
2807         (JSC::DFG::Propagator::fixupNode):
2808         * dfg/DFGSpeculativeJIT.cpp:
2809         (JSC::DFG::SpeculativeJIT::compile):
2810         * jit/JITStubs.cpp:
2811         (JSC::JITThunks::hostFunctionStub):
2812         * runtime/Lookup.cpp:
2813         (JSC::setUpStaticFunctionSlot):
2814
2815 2011-09-18  Nico Weber  <thakis@chromium.org>
2816
2817         Remove two files from JavaScriptCore.gypi that were removed in r95240
2818         https://bugs.webkit.org/show_bug.cgi?id=68327
2819
2820         Unreviewed, build warning fix.
2821
2822         * JavaScriptCore.gypi:
2823
2824 2011-09-17  Oliver Hunt  <oliver@apple.com>
2825
2826         Remove special case handling of inline storage from the JIT
2827         https://bugs.webkit.org/show_bug.cgi?id=68319
2828
2829         Reviewed by Gavin Barraclough.
2830
2831         Simplify logic used for reading and writing to property storage
2832         by removing the special cases for inline storage.  This has no
2833         perf impact.
2834
2835         * dfg/DFGRepatch.cpp:
2836         (JSC::DFG::generateProtoChainAccessStub):
2837         (JSC::DFG::tryBuildGetByIDList):
2838         * jit/JIT.h:
2839         * jit/JITPropertyAccess.cpp:
2840         (JSC::JIT::compilePutDirectOffset):
2841         (JSC::JIT::compileGetDirectOffset):
2842         (JSC::JIT::privateCompilePutByIdTransition):
2843         (JSC::JIT::privateCompileGetByIdSelfList):
2844         * jit/JITPropertyAccess32_64.cpp:
2845         (JSC::JIT::compilePutDirectOffset):
2846         (JSC::JIT::compileGetDirectOffset):
2847         (JSC::JIT::privateCompilePutByIdTransition):
2848         (JSC::JIT::privateCompileGetByIdSelfList):
2849
2850 2011-09-17  Filip Pizlo  <fpizlo@apple.com>
2851
2852         DFG JIT does not have full block-local CSE
2853         https://bugs.webkit.org/show_bug.cgi?id=68316
2854
2855         Reviewed by Oliver Hunt.
2856         
2857         This adds block-local CSE to the DFG. CSE runs in the propagator just after
2858         type propagation. It is part of the propagator itself because it needs to
2859         use the propagator's internal data structures to determine which operations
2860         may have side effects. Because it changes the live-ranges of nodes, the
2861         virtual register allocator had to be moved into the propagator so that it
2862         runs after CSE. To ensure that the back-end knows to keep the inputs to
2863         any eliminated node alive for OSR, a new node type, Phantom, was introduced.
2864         It is a no-op but prolongs the live-range of its inputs.
2865         
2866         This is an 80% speed-up on imaging-gaussian-blur, and a 10% speed-up on
2867         Kraken.
2868         
2869         * JavaScriptCore.xcodeproj/project.pbxproj:
2870         * dfg/DFGAliasTracker.h: Removed.
2871         * dfg/DFGByteCodeParser.cpp:
2872         (JSC::DFG::ByteCodeParser::parseBlock):
2873         (JSC::DFG::ByteCodeParser::parse):
2874         * dfg/DFGGraph.cpp:
2875         (JSC::DFG::Graph::dump):
2876         * dfg/DFGGraph.h:
2877         (JSC::DFG::MethodCheckData::operator==):
2878         (JSC::DFG::MethodCheckData::operator!=):
2879         * dfg/DFGNode.h:
2880         (JSC::DFG::Node::hasVirtualRegister):
2881         (JSC::DFG::Node::setRefCount):
2882         * dfg/DFGPropagator.cpp:
2883         (JSC::DFG::Propagator::Propagator):
2884         (JSC::DFG::Propagator::fixpoint):
2885         (JSC::DFG::Propagator::propagateNode):
2886         (JSC::DFG::Propagator::canonicalize):
2887         (JSC::DFG::Propagator::computeStartIndex):
2888         (JSC::DFG::Propagator::startIndex):
2889         (JSC::DFG::Propagator::pureCSE):
2890         (JSC::DFG::Propagator::globalVarLoadElimination):
2891         (JSC::DFG::Propagator::getByValLoadElimination):
2892         (JSC::DFG::Propagator::getMethodLoadElimination):
2893         (JSC::DFG::Propagator::performSubstitution):
2894         (JSC::DFG::Propagator::setReplacement):
2895         (JSC::DFG::Propagator::performNodeCSE):
2896         (JSC::DFG::Propagator::performBlockCSE):
2897         (JSC::DFG::Propagator::localCSE):
2898         (JSC::DFG::Propagator::allocateVirtualRegisters):
2899         (JSC::DFG::propagate):
2900         * dfg/DFGSpeculativeJIT.cpp:
2901         (JSC::DFG::SpeculativeJIT::compile):
2902
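        Added example, not JavaScriptCore's own code: block-local CSE over a toy SSA-style
        node list, in the shape this entry describes. Pure nodes are deduplicated, a global
        load is reused only when no world-clobbering node sits between the two loads, and an
        eliminated node becomes a Phantom that keeps its inputs referenced. The op names, the
        clobbering rule and the sample block are this example's own simplifications.

```javascript
// Added example (not JSC code): block-local CSE with Phantom replacement nodes.
const PURE_OPS = new Set(['Const', 'Add', 'Mul', 'BitAnd']);
const CLOBBERS_WORLD = new Set(['Call', 'PutGlobalVar']);

// A node is { op, args } where args are indices of earlier nodes in the block, plus
// an optional `value` (Const) or `name` (Arg, GetGlobalVar).
function sameNode(a, b) {
  return a.op === b.op && a.value === b.value && a.name === b.name &&
    a.args.length === b.args.length && a.args.every((x, i) => x === b.args[i]);
}

// pureCSE: an identical pure node earlier in the block can be reused regardless of
// what lies between, because pure nodes do not observe side effects.
function pureCSE(block, index) {
  const node = block[index];
  for (let i = index - 1; i >= 0; i--) if (sameNode(block[i], node)) return i;
  return -1;
}

// globalVarLoadElimination: reuse an earlier load of the same global unless a node
// in between may have written it (here: anything that clobbers the world).
function globalVarLoadElimination(block, index) {
  const node = block[index];
  for (let i = index - 1; i >= 0; i--) {
    const other = block[i];
    if (other.op === 'GetGlobalVar' && other.name === node.name) return i;
    if (CLOBBERS_WORLD.has(other.op)) return -1;
  }
  return -1;
}

// performSubstitution: redirect every later use of `victim` to `replacement`.
function performSubstitution(block, victim, replacement) {
  for (let i = victim + 1; i < block.length; i++)
    block[i].args = block[i].args.map(a => (a === victim ? replacement : a));
}

// setReplacement: the eliminated node becomes a Phantom. No code is generated for
// it, but it still references its inputs, so their live-ranges (and OSR recovery
// of their values) are preserved.
function setReplacement(block, index, replacement) {
  performSubstitution(block, index, replacement);
  block[index] = { op: 'Phantom', args: block[index].args, replacedBy: replacement };
}

function performNodeCSE(block, index) {
  const node = block[index];
  let found = -1;
  if (PURE_OPS.has(node.op)) found = pureCSE(block, index);
  else if (node.op === 'GetGlobalVar') found = globalVarLoadElimination(block, index);
  if (found >= 0) setReplacement(block, index, found);
  return found >= 0;
}

// performBlockCSE: one forward walk over the block; returns the number eliminated.
function performBlockCSE(block) {
  let eliminated = 0;
  for (let i = 0; i < block.length; i++) if (performNodeCSE(block, i)) eliminated++;
  return eliminated;
}

// Reference counts after CSE: a Phantom still counts as a use of its inputs.
function refCounts(block) {
  const counts = block.map(() => 0);
  for (const node of block) for (const a of node.args) counts[a]++;
  return counts;
}

// Constructed block: g + (x * y) + (x * y) + g, with a call between the two reads
// of g. The second Mul is redundant; the second GetGlobalVar is not, because the
// Call may have changed g.
function sampleBlock() {
  return [
    { op: 'Arg', args: [], name: 'x' },          // 0
    { op: 'Arg', args: [], name: 'y' },          // 1
    { op: 'Mul', args: [0, 1] },                 // 2
    { op: 'GetGlobalVar', args: [], name: 'g' }, // 3
    { op: 'Call', args: [] },                    // 4  clobbers the world
    { op: 'Mul', args: [0, 1] },                 // 5  -> Phantom, uses of 5 become 2
    { op: 'GetGlobalVar', args: [], name: 'g' }, // 6  kept: Call sits between 3 and 6
    { op: 'Add', args: [2, 3] },                 // 7
    { op: 'Add', args: [7, 5] },                 // 8  becomes Add(7, 2)
    { op: 'Add', args: [8, 6] },                 // 9
  ];
}
```
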
2903 2011-09-16  Filip Pizlo  <fpizlo@apple.com>
2904
2905         method_check should repatch itself if it finds that the new structure(s)
2906         are the result of transitions from the old structure(s)
2907         https://bugs.webkit.org/show_bug.cgi?id=68294
2908
2909         Reviewed by Gavin Barraclough.
2910         
2911         Previously a patched method_check would slow-path to get_by_id. Now it
2912         slow-paths to method_check_update, which attempts to correct the
2913         method_check due to structure transitions before bailing to get_by_id.
2914         
2915         This is a 1-2% speed-up on some benchmarks and is not a slow-down
2916         anywhere, leading to a 0.6% speed-up on the Kraken geomean.
2917
2918         * jit/JITPropertyAccess.cpp:
2919         (JSC::JIT::patchMethodCallProto):
2920         * jit/JITStubs.cpp:
2921         (JSC::DEFINE_STUB_FUNCTION):
2922         * jit/JITStubs.h:
2923         * runtime/Structure.h:
2924         (JSC::Structure::transitivelyTransitionedFrom):
2925
2926 2011-09-16  Ryosuke Niwa  <rniwa@webkit.org>
2927
2928         Touch Platform.h in the hope to fix SnowLeopard Intel Release (WebKit2 Tests).
2929
2930         * wtf/Platform.h:
2931
2932 2011-09-16  Sam Weinig  <sam@webkit.org>
2933
2934         Rename APIValueWrapper type to APIValueWrapperType for consistency
2935         https://bugs.webkit.org/show_bug.cgi?id=68306
2936
2937         Reviewed by Anders Carlsson.
2938
2939         * runtime/JSAPIValueWrapper.h:
2940         (JSC::JSAPIValueWrapper::createStructure):
2941         Update name.
2942
2943         * runtime/JSType.h:
2944         Update name and un-indent.
2945
2946         * runtime/Structure.h:
2947         (JSC::JSCell::isAPIValueWrapper):
2948         Update name.
2949
2950 2011-09-16  Sam Weinig  <sam@webkit.org>
2951
2952         Remove unused isStrictModeFunction function
2953         https://bugs.webkit.org/show_bug.cgi?id=68305
2954
2955         Reviewed by Anders Carlsson.
2956
2957         * runtime/JSObject.h:
2958         (JSC::JSObject::isStrictModeFunction):
2959
2960 2011-09-16  Sam Weinig  <sam@webkit.org>
2961
2962         Cleanup JSTypeInfo a bit
2963         https://bugs.webkit.org/show_bug.cgi?id=68289
2964
2965         Reviewed by Anders Carlsson.
2966
2967         * dfg/DFGOperations.cpp:
2968         * jit/JITStubs.cpp:
2969         (JSC::DEFINE_STUB_FUNCTION):
2970         Replace direct access to flags() with predicate.
2971
2972         * runtime/JSObject.h:
2973         (JSC::JSFinalObject::createStructure):
2974         Pass FinalObjectType instead of using special IsJSFinalObject.
2975
2976         * runtime/JSTypeInfo.h:
2977         (JSC::TypeInfo::TypeInfo):
2978         Add additional assert that no object should have OverridesHasInstance set but not ImplementsHasInstance.
2979
2980         (JSC::TypeInfo::isFinalObject):
2981         Added.
2982
2983         (JSC::TypeInfo::masqueradesAsUndefined):
2984         (JSC::TypeInfo::implementsHasInstance):
2985         (JSC::TypeInfo::isEnvironmentRecord):
2986         (JSC::TypeInfo::overridesHasInstance):
2987         (JSC::TypeInfo::implementsDefaultHasInstance):
2988         (JSC::TypeInfo::overridesGetOwnPropertySlot):
2989         (JSC::TypeInfo::overridesVisitChildren):
2990         (JSC::TypeInfo::overridesGetPropertyNames):
2991         (JSC::TypeInfo::prohibitsPropertyCaching):
2992         (JSC::TypeInfo::isSetOnFlags1):
2993         (JSC::TypeInfo::isSetOnFlags2):
2994         Replace direct bit twiddling with helper functions.
2995
2996         * runtime/Structure.cpp:
2997         (JSC::Structure::Structure):
2998         Use new isFinalObject() predicate.
2999
3000 2011-09-16  Gavin Barraclough  <barraclough@apple.com>
3001
3002         Unsigned bit shift fails under certain conditions in 32 bit builds
3003         https://bugs.webkit.org/show_bug.cgi?id=68166
3004
3005         Reviewed by Geoff Garen.
3006
3007         The major bug here is that the slow case (which handles shifts of
3008         doubles) doesn't check for negative results from an unsigned shift
3009         (which should be unsigned, and as such can't be represented by a
3010         signed integer immediate).  The implementation is also flawed for
3011         shifts by negative shift amounts (treats as shift by zero).
3012
3013         * jit/JITArithmetic32_64.cpp:
3014         (JSC::JIT::emitRightShift):
3015         (JSC::JIT::emitRightShiftSlowCase):
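
        An added C example (not WebKit code) of the `>>>` semantics a 32-bit JIT has to
        match for the bug described above: both operands go through ToUint32, the shift
        count keeps only its low five bits (so a negative count is not a shift by zero),
        and the unsigned result can exceed INT32_MAX, in which case it cannot be stored as
        a signed int32 immediate. All function names here are mine.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Exact ECMAScript ToUint32 without libm: NaN and +/-Infinity become 0;
 * every other value is truncated toward zero and reduced modulo 2^32. */
uint32_t js_to_uint32(double v)
{
    if (v != v)                                  /* NaN */
        return 0;
    if (v > -9223372036854775808.0 && v < 9223372036854775808.0) {
        /* |v| < 2^63: the int64 cast truncates toward zero, and the
         * int64 -> uint32 conversion is exactly "mod 2^32". */
        return (uint32_t)(int64_t)v;
    }
    /* |v| >= 2^63 or infinite: take the IEEE-754 fields apart. */
    uint64_t bits;
    memcpy(&bits, &v, sizeof bits);
    int biased = (int)((bits >> 52) & 0x7FF);
    if (biased == 0x7FF)                         /* +/-Infinity */
        return 0;
    /* |v| = mant * 2^exp with mant = 2^52 | fraction; exp >= 11 here, so
     * the implicit bit 52 lands above bit 31 and only the low 32 fraction
     * bits shifted left by exp contribute to |v| mod 2^32. */
    int exp = biased - 1075;
    uint32_t low = exp >= 32 ? 0 : (uint32_t)bits << exp;
    return (bits >> 63) ? (uint32_t)(0u - low) : low;  /* negate for -v */
}

/* JavaScript "lhs >>> rhs": the shift count is ToUint32(rhs) & 31, so a
 * count of -1 means "shift by 31", never "shift by zero". */
uint32_t js_ushr(double lhs, double rhs)
{
    return js_to_uint32(lhs) >> (js_to_uint32(rhs) & 0x1F);
}

/* A JSValue32_64-style fast path may keep the result as an int32
 * immediate only when bit 31 is clear; otherwise it must box a double. */
bool js_ushr_fits_int32(uint32_t result)
{
    return result <= (uint32_t)INT32_MAX;
}

/* What a script would observe if the JIT stored the raw unsigned bits as
 * a signed immediate without that check (two's complement wrap-around). */
int32_t ushr_misread_as_int32(double lhs, double rhs)
{
    return (int32_t)js_ushr(lhs, rhs);
}

int main(void)
{
    /* Constructed cases covering the two failure modes named in the entry. */
    static const double cases[][2] = {
        { -1.0, 0.0 },   /* result 0xFFFFFFFF: does not fit an int32 immediate */
        { 8.0, -1.0 },   /* negative count: shift by 31, not by 0 */
        { -16.0, -1.0 }, /* 0xFFFFFFF0 >>> 31 == 1 */
        { 9223372036854777856.0, 0.0 } /* 2^63 + 2^11: ToUint32 is 2048 */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t r = js_ushr(cases[i][0], cases[i][1]);
        printf("%.0f >>> %.0f = %u (fits int32: %s, misread: %d)\n",
               cases[i][0], cases[i][1], r,
               js_ushr_fits_int32(r) ? "yes" : "no",
               ushr_misread_as_int32(cases[i][0], cases[i][1]));
    }
    return 0;
}
```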
3016
3017 2011-09-16  Geoffrey Garen  <ggaren@apple.com>
3018
3019         Removed undetectable style.filter.
3020
3021         Reviewed by Sam Weinig.
3022         
3023         This feature was added in http://trac.webkit.org/changeset/15557 to
3024         support housingmaps.com. But housingmaps.com no longer needs this hack,
3025         we don't know of other websites that need it, and we don't know of
3026         any other browsers that have implemented this feature.
3027
3028         * GNUmakefile.list.am:
3029         * JavaScriptCore.gypi:
3030         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
3031         * JavaScriptCore.xcodeproj/project.pbxproj:
3032         * runtime/JSTypeInfo.h:
3033         * runtime/StringObjectThatMasqueradesAsUndefined.h: Removed.
3034
3035 2011-09-15  Sam Weinig  <sam@webkit.org>
3036
3037         Prepare JSTypes for more Object subtypes
3038         https://bugs.webkit.org/show_bug.cgi?id=68200
3039
3040         Reviewed by Gavin Barraclough.
3041
3042         * dfg/DFGJITCompiler.h:
3043         (JSC::DFG::JITCompiler::branchIfNotObject):
3044         * jit/JITInlineMethods.h:
3045         (JSC::JIT::emitJumpIfNotObject):
3046         * runtime/JSGlobalObject.h:
3047         (JSC::Structure::prototypeForLookup):
3048         * runtime/JSObject.h:
3049         (JSC::JSObject::finishCreation):
3050         * runtime/JSType.h:
3051         * runtime/JSTypeInfo.h:
3052         (JSC::TypeInfo::type):
3053         (JSC::TypeInfo::isObject):
3054         (JSC::TypeInfo::isFinal):
3055         (JSC::TypeInfo::prohibitsPropertyCaching):
3056         * runtime/NativeErrorConstructor.h:
3057         (JSC::NativeErrorConstructor::finishCreation):
3058         * runtime/Operations.cpp:
3059         (JSC::jsIsObjectType):
3060         * runtime/Structure.cpp:
3061         (JSC::Structure::addPropertyTransitionToExistingStructure):
3062         (JSC::Structure::addPropertyTransition):
3063         * runtime/Structure.h:
3064         (JSC::Structure::isObject):
3065         (JSC::JSCell::isObject):
3066
3067 2011-09-16  Geoffrey Garen  <ggaren@apple.com>
3068
3069         Rolled back in r95201 with test failure fixed.
3070         
3071         I missed two cases of jumpSlowToHot in rshift -- these cases need to be
3072         sure to initialize regT1 to the int tag, since it will otherwise hold
3073         the top 32 bits of a double.
3074
3075         * jit/JIT.h:
3076         * jit/JITArithmetic32_64.cpp:
3077         (JSC::JIT::emit_op_lshift):
3078         (JSC::JIT::emitRightShift):
3079         (JSC::JIT::emitRightShiftSlowCase):
3080         (JSC::JIT::emit_op_bitand):
3081         (JSC::JIT::emit_op_bitor):
3082         (JSC::JIT::emit_op_bitxor):
3083         (JSC::JIT::emit_op_bitnot):
3084         (JSC::JIT::emit_op_post_inc):
3085         (JSC::JIT::emit_op_post_dec):
3086         (JSC::JIT::emit_op_pre_inc):
3087         (JSC::JIT::emit_op_pre_dec):
3088         * jit/JITInlineMethods.h:
3089         (JSC::JIT::emitStoreAndMapInt32):
3090
3091 2011-09-16  Filip Pizlo  <fpizlo@apple.com>
3092
3093         Unreviewed Windows build fix after 95318.
3094
3095         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
3096
3097 2011-09-16  Adam Roben  <aroben@apple.com>
3098
3099         Windows build fix after r95310
3100
3101         * JavaScriptCore.vcproj/jsc/jscCommon.vsprops: Added include\private\JavaScriptCore to the
3102         include path so DFGIntrinsic.h can be found.
3103
3104 2011-09-16  Gavin Barraclough  <barraclough@apple.com>
3105
3106         Rationalize JSObject::putDirect* methods
3107         https://bugs.webkit.org/show_bug.cgi?id=68274
3108
3109         Reviewed by Sam Weinig.
3110         
3111         Delete the *Function variants. These are overall inefficient,
3112         in the way they get the name back from the function rather
3113         than just passing it in.
3114
3115         * JavaScriptCore.exp:
3116         * jsc.cpp:
3117         (GlobalObject::finishCreation):
3118         (GlobalObject::addFunction):
3119         * runtime/FunctionPrototype.cpp:
3120         (JSC::FunctionPrototype::addFunctionProperties):
3121         * runtime/JSGlobalObject.cpp:
3122         (JSC::JSGlobalObject::reset):
3123         * runtime/JSObject.cpp:
3124         (JSC::JSObject::put):
3125         (JSC::JSObject::putWithAttributes):
3126         (JSC::JSObject::defineGetter):
3127         (JSC::JSObject::defineSetter):
3128         * runtime/JSObject.h:
3129         (JSC::JSObject::putDirect):
3130         (JSC::JSObject::putDirectWithoutTransition):
3131         * runtime/Lookup.cpp:
3132         (JSC::setUpStaticFunctionSlot):
3133         * runtime/Lookup.h:
3134         (JSC::lookupPut):
3135
3136 2011-09-16  Filip Pizlo  <fpizlo@apple.com>
3137
3138         Unreviewed build fix for Windows.
3139
3140         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
3141
3142 2011-09-16  Filip Pizlo  <fpizlo@apple.com>
3143
3144         Unreviewed build fix for non-DFG builds.
3145
3146         * runtime/Executable.h:
3147         (JSC::NativeExecutable::finishCreation):
3148
3149 2011-09-16  Filip Pizlo  <fpizlo@apple.com>
3150
3151         DFG JIT should inline Math.abs
3152         https://bugs.webkit.org/show_bug.cgi?id=68227
3153
3154         Reviewed by Oliver Hunt.
3155         
3156         This adds the ability to track intrinsic functions throughout the
3157         host function infrastructure, so that the DFG can easily query
3158         whether or not a call's target is intrinsic, and if so, which
3159         intrinsic it is.
3160         
3161         On top of this, it adds Math.abs intrinsics to DFG. Call(Math.abs)
3162         is transformed into ValueToNumber<-ArithAbs nodes. These nodes
3163         then get optimized using the usual tricks.
3164         
3165         Also had to make a completely unrelated change to
3166         DateInstanceCache.h in order to fix a preexisting alphabetical
3167         sorting problem in JSGlobalData.h
3168         
3169         This results in a big win in imaging-gaussian-blur: 61% faster
3170         than before. The net win on Kraken is around 13%.
3171
3172         * JavaScriptCore.xcodeproj/project.pbxproj:
3173         * create_hash_table:
3174         * dfg/DFGByteCodeParser.cpp:
3175         (JSC::DFG::ByteCodeParser::parseBlock):
3176         * dfg/DFGGraph.h:
3177         (JSC::DFG::Graph::isFunctionConstant):
3178         (JSC::DFG::Graph::valueOfFunctionConstant):
3179         * dfg/DFGIntrinsic.h: Added.
3180         * dfg/DFGJITCodeGenerator.h:
3181         (JSC::DFG::JITCodeGenerator::isFunctionConstant):
3182         (JSC::DFG::JITCodeGenerator::valueOfFunctionConstant):
3183         * dfg/DFGJITCompiler.h:
3184         (JSC::DFG::JITCompiler::isFunctionConstant):
3185         (JSC::DFG::JITCompiler::valueOfFunctionConstant):
3186         * dfg/DFGNode.h:
3187         * dfg/DFGPropagator.cpp:
3188         (JSC::DFG::Propagator::propagateNode):
3189         * dfg/DFGSpeculativeJIT.cpp:
3190         (JSC::DFG::SpeculativeJIT::compile):
3191         * jit/JITStubs.cpp:
3192         (JSC::JITThunks::hostFunctionStub):
3193         * jit/JITStubs.h:
3194         * runtime/DateInstanceCache.h:
3195         * runtime/Executable.cpp:
3196         (JSC::ExecutableBase::intrinsic):
3197         (JSC::NativeExecutable::intrinsic):
3198         * runtime/Executable.h:
3199         (JSC::NativeExecutable::create):
3200         (JSC::NativeExecutable::finishCreation):
3201         * runtime/JSGlobalData.cpp:
3202         (JSC::JSGlobalData::getHostFunction):
3203         * runtime/JSGlobalData.h:
3204         * runtime/Lookup.cpp:
3205         (JSC::HashTable::createTable):
3206         (JSC::setUpStaticFunctionSlot):
3207         * runtime/Lookup.h:
3208         (JSC::HashEntry::initialize):
3209         (JSC::HashEntry::intrinsic):
3210
3211 2011-09-16  Filip Pizlo  <fpizlo@apple.com>
3212
3213         REGRESSION: Reproducible crash below SlotVisitor::harvestWeakReferences
3214         using Domino's online ordering
3215         https://bugs.webkit.org/show_bug.cgi?id=68220
3216
3217         Reviewed by Oliver Hunt.
3218         
3219         Weak handle processing can result in new objects being marked, which
3220         results in new WeakReferencesHarvesters being added. But weak
3221         reference harvesters are only processed before weak handle processing,
3222         so there's the risk that a weak reference harvester will persist
3223         until the next collection, by which time it may have been deleted.
3224
3225         * heap/Heap.cpp:
3226         (JSC::Heap::markRoots):
3227
3228 2011-09-16  Csaba Osztrogonác  <ossy@webkit.org>
3229
3230         REGRESSION(r95201): It made two tests fail
3231         https://bugs.webkit.org/show_bug.cgi?id=68230
3232
3233         Unreviewed rolling out r95201.
3234
3235         * jit/JIT.h:
3236         * jit/JITArithmetic32_64.cpp:
3237         (JSC::JIT::emit_op_lshift):
3238         (JSC::JIT::emitRightShift):
3239         (JSC::JIT::emit_op_bitand):
3240         (JSC::JIT::emit_op_bitor):
3241         (JSC::JIT::emit_op_bitxor):
3242         (JSC::JIT::emit_op_bitnot):
3243         (JSC::JIT::emit_op_post_inc):
3244         (JSC::JIT::emit_op_post_dec):
3245         (JSC::JIT::emit_op_pre_inc):
3246         (JSC::JIT::emit_op_pre_dec):
3247         * jit/JITInlineMethods.h:
3248
3249 2011-09-15  Filip Pizlo  <fpizlo@apple.com>
3250
3251         DFG JIT does not optimize method_check
3252         https://bugs.webkit.org/show_bug.cgi?id=68215
3253
3254         Reviewed by Oliver Hunt.
3255         
3256         MethodCallLinkInfo and StructureStubInfo are now searchable by
3257         bytecodeIndex, so that DFG::ByteCodeParser can use that information
3258         to determine how to optimize GetMethod.
3259         
3260         A new node op has been added to DFG: CheckMethod. This is a variant
3261         of GetMethod that has been optimized for the case that GetMethod
3262         always takes the fast path. CheckMethod results in only a very
3263         small amount of code (two loads and two branches in the worst case,
3264         one load and one branch in the best case). CheckMethod behaves as
3265         if it were a constant.  
3266         
3267         Introduced the notion that a DFG node that is not JSConstant
3268         behaves as a constant. CheckMethod uses this functionality.
3269         
3270         This is a 3% speed-up on Kraken, and a small speed-up on V8.
3271         Appears to be neutral on SunSpider.
3272
3273         * bytecode/CodeBlock.h:
3274         (JSC::getStructureStubInfoBytecodeIndex):
3275         (JSC::getMethodCallLinkInfoBytecodeIndex):
3276         * bytecode/PredictedType.cpp:
3277         (JSC::predictionFromCell):
3278         (JSC::predictionFromValue):
3279         * bytecode/PredictedType.h:
3280         * bytecode/StructureStubInfo.h:
3281         * dfg/DFGAliasTracker.h:
3282         (JSC::DFG::AliasTracker::recordGetMethod):
3283         * dfg/DFGByteCodeParser.cpp:
3284         (JSC::DFG::ByteCodeParser::parseBlock):
3285         * dfg/DFGGraph.cpp:
3286         (JSC::DFG::Graph::dump):
3287         * dfg/DFGGraph.h:
3288         (JSC::DFG::Graph::getMethodCheckPrediction):
3289         (JSC::DFG::Graph::getPrediction):
3290         (JSC::DFG::Graph::isConstant):
3291         (JSC::DFG::Graph::isJSConstant):
3292         (JSC::DFG::Graph::valueOfJSConstant):
3293         (JSC::DFG::Graph::valueOfInt32Constant):
3294         (JSC::DFG::Graph::valueOfNumberConstant):
3295         (JSC::DFG::Graph::valueOfBooleanConstant):
3296         (JSC::DFG::Graph::valueOfJSConstantNode):
3297         * dfg/DFGJITCodeGenerator.cpp:
3298         (JSC::DFG::JITCodeGenerator::fillInteger):
3299         (JSC::DFG::JITCodeGenerator::fillDouble):
3300         (JSC::DFG::JITCodeGenerator::fillJSValue):
3301         (JSC::DFG::JITCodeGenerator::isKnownNotInteger):
3302         (JSC::DFG::JITCodeGenerator::isKnownNotNumber):
3303         * dfg/DFGJITCodeGenerator.h:
3304         (JSC::DFG::JITCodeGenerator::silentSpillFPR):
3305         (JSC::DFG::JITCodeGenerator::silentFillGPR):
3306         (JSC::DFG::JITCodeGenerator::silentFillFPR):
3307         * dfg/DFGJITCompiler.cpp:
3308         (JSC::DFG::JITCompiler::fillNumericToDouble):
3309         (JSC::DFG::JITCompiler::fillInt32ToInteger):
3310         (JSC::DFG::JITCompiler::fillToJS):
3311         * dfg/DFGNode.h:
3312         (JSC::DFG::Node::hasConstant):
3313         (JSC::DFG::Node::hasIdentifier):
3314         (JSC::DFG::Node::hasMethodCheckData):
3315         (JSC::DFG::Node::methodCheckDataIndex):
3316         (JSC::DFG::Node::valueOfJSConstant):
3317         * dfg/DFGPropagator.cpp:
3318         (JSC::DFG::Propagator::propagateNode):
3319         * dfg/DFGSpeculativeJIT.cpp:
3320         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
3321         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3322         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3323         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3324         (JSC::DFG::SpeculativeJIT::compile):
3325         * jit/JIT.cpp:
3326         (JSC::JIT::privateCompile):
3327         * jit/JIT.h:
3328         (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
3329         (JSC::MethodCallCompilationInfo::MethodCallCompilationInfo):
3330         * jit/JITPropertyAccess.cpp:
3331         (JSC::JIT::emit_op_method_check):
3332         (JSC::JIT::compileGetByIdHotPath):
3333         (JSC::JIT::emit_op_put_by_id):
3334         * jit/JITPropertyAccess32_64.cpp:
3335         (JSC::JIT::emit_op_method_check):
3336         (JSC::JIT::compileGetByIdHotPath):
3337         (JSC::JIT::emit_op_put_by_id):
3338         * runtime/JSCell.h:
3339         (JSC::JSCell::JSCell::structureAddress):
3340
3341 2011-09-15  Adam Barth  <abarth@webkit.org>
3342
3343         Rename ENABLE(DATABASE) to ENABLE(SQL_DATABASE)
3344         https://bugs.webkit.org/show_bug.cgi?id=68205
3345
3346         Reviewed by Eric Seidel.
3347
3348         * Configurations/FeatureDefines.xcconfig:
3349         * wtf/Platform.h:
3350
3351 2011-09-15  Mark Hahnenberg  <mhahnenberg@apple.com>
3352
3353         Unzip initialization lists and constructors in JSCell hierarchy (7/7)
3354         https://bugs.webkit.org/show_bug.cgi?id=68122
3355
3356         Reviewed by Geoffrey Garen.
3357
3358         Completed the seventh and final level of the refactoring to add finishCreation() 
3359         methods to all classes within the JSCell hierarchy with non-trivial 
3360         constructor bodies.
3361
3362         JSCallbackObject was missed in previous patches due to the fact that 
3363         it's non-obvious (at least to my script) that it is in the JSCell hierarchy, so 
3364         this is just a bit of retroactive cleanup.
3365
3366         * API/JSCallbackObject.h:
3367         (JSC::JSCallbackObject::create):
3368         * API/JSCallbackObjectFunctions.h:
3369         (JSC::::JSCallbackObject):
3370
3371 2011-09-15  Filip Pizlo  <fpizlo@apple.com>
3372
3373         The DFG non-speculative JIT is no longer used and should be removed.
3374         https://bugs.webkit.org/show_bug.cgi?id=68177
3375
3376         Reviewed by Geoffrey Garen.
3377         
3378         This removes the non-speculative JIT and everything that relied on it,
3379         including the ability to turn on DFG but not tiered compilation, the
3380         ability to perform speculation failure into non-speculative JIT code,
3381         and the ability to statically terminate speculation.
3382
3383         * GNUmakefile.list.am:
3384         * JavaScriptCore.pro:
3385         * JavaScriptCore.xcodeproj/project.pbxproj:
3386         * bytecode/CodeBlock.h:
3387         * bytecompiler/BytecodeGenerator.cpp:
3388         (JSC::BytecodeGenerator::emitLoopHint):
3389         * dfg/DFGByteCodeParser.cpp:
3390         (JSC::DFG::ByteCodeParser::ByteCodeParser):
3391         (JSC::DFG::ByteCodeParser::getStrongPrediction):
3392         (JSC::DFG::ByteCodeParser::parseBlock):
3393         * dfg/DFGDriver.cpp:
3394         (JSC::DFG::compile):
3395         * dfg/DFGGenerationInfo.h:
3396         * dfg/DFGGraph.cpp:
3397         (JSC::DFG::Graph::predictArgumentTypes):
3398         * dfg/DFGJITCodeGenerator.cpp:
3399         * dfg/DFGJITCompiler.cpp:
3400         (JSC::DFG::JITCompiler::linkOSRExits):
3401         (JSC::DFG::JITCompiler::compileBody):
3402         * dfg/DFGJITCompiler.h:
3403         * dfg/DFGNode.h:
3404         * dfg/DFGNonSpeculativeJIT.cpp: Removed.
3405         * dfg/DFGNonSpeculativeJIT.h: Removed.
3406         * dfg/DFGOSREntry.cpp:
3407         (JSC::DFG::prepareOSREntry):
3408         * dfg/DFGPropagator.cpp:
3409         * dfg/DFGPropagator.h:
3410         * dfg/DFGSpeculativeJIT.cpp:
3411         (JSC::DFG::SpeculativeJIT::compile):
3412         * dfg/DFGSpeculativeJIT.h:
3413         (JSC::DFG::SpeculativeJIT::osrExits):
3414         (JSC::DFG::SpeculativeJIT::speculationRecovery):
3415         (JSC::DFG::SpeculativeJIT::speculationCheck):
3416         (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
3417         * jit/JIT.cpp:
3418         (JSC::JIT::privateCompileMainPass):
3419         (JSC::JIT::privateCompile):
3420         * jit/JIT.h:
3421         * jit/JITCode.h:
3422         (JSC::JITCode::bottomTierJIT):
3423         * runtime/JSGlobalData.cpp:
3424         (JSC::JSGlobalData::JSGlobalData):
3425         (JSC::JSGlobalData::~JSGlobalData):
3426         * runtime/JSGlobalData.h:
3427         * wtf/Platform.h:
3428
3429 2011-09-15  Eric Seidel  <eric@webkit.org>
3430
3431         Remove ENABLE(SVG_AS_IMAGE) since all major ports have it on by default
3432         https://bugs.webkit.org/show_bug.cgi?id=68182
3433
3434         Reviewed by Adam Barth.
3435
3436         * Configurations/FeatureDefines.xcconfig:
3437
3438 2011-09-15  Filip Pizlo  <fpizlo@apple.com>
3439
3440         DFG speculative JIT sometimes asserts that a value is not a number
3441         even when it doesn't know anything about the number
3442         https://bugs.webkit.org/show_bug.cgi?id=68189
3443
3444         Reviewed by Oliver Hunt.
3445
3446         * dfg/DFGGenerationInfo.h:
3447         (JSC::DFG::GenerationInfo::isUnknownJS):
3448         * dfg/DFGJITCodeGenerator.cpp:
3449         (JSC::DFG::JITCodeGenerator::isKnownNotNumber):
3450
3451 2011-09-15  Filip Pizlo  <fpizlo@apple.com>
3452
3453         All of the functionality in the non-speculative JIT should be
3454         available to the speculative JIT via helper methods
3455         https://bugs.webkit.org/show_bug.cgi?id=68186
3456
3457         Reviewed by Oliver Hunt.
3458         
3459         Stole all of the goodness from NonSpeculativeJIT and placed it
3460         in JITCodeGenerator.  Left all of the badness (i.e. subtle code
3461         duplication with SpeculativeJIT, etc).  This is in preparation
3462         for removing the NonSpeculativeJIT entirely, but having its
3463         goodness available for reuse in the SpeculativeJIT if necessary.
3464
3465         * dfg/DFGJITCodeGenerator.cpp:
3466         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber):
3467         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
3468         (JSC::DFG::JITCodeGenerator::nonSpeculativeUInt32ToNumber):
3469         (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp):
3470         (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
3471         (JSC::DFG::JITCodeGenerator::nonSpeculativeArithMod):
3472         (JSC::DFG::JITCodeGenerator::nonSpeculativeCheckHasInstance):
3473         (JSC::DFG::JITCodeGenerator::nonSpeculativeInstanceOf):
3474         * dfg/DFGJITCodeGenerator.h:
3475         (JSC::DFG::JITCodeGenerator::nonSpeculativeAdd):
3476         (JSC::DFG::JITCodeGenerator::nonSpeculativeArithSub):
3477         * dfg/DFGNonSpeculativeJIT.cpp:
3478         (JSC::DFG::NonSpeculativeJIT::compile):
3479         * dfg/DFGNonSpeculativeJIT.h:
3480
3481 2011-09-15  Sheriff Bot  <webkit.review.bot@gmail.com>
3482
3483         Unreviewed, rolling out r95167.
3484         http://trac.webkit.org/changeset/95167
3485         https://bugs.webkit.org/show_bug.cgi?id=68191
3486
3487         Patch needs further work. (Requested by mhahnenberg on
3488         #webkit).
3489
3490         * JavaScriptCore.exp:
3491         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
3492         * runtime/JSCell.cpp:
3493         (JSC::JSCell::toBoolean):
3494         * runtime/JSCell.h:
3495         (JSC::JSCell::JSValue::toBoolean):
3496         * runtime/JSNotAnObject.cpp:
3497         (JSC::JSNotAnObject::toBoolean):
3498         * runtime/JSNotAnObject.h:
3499         * runtime/JSObject.h:
3500         * runtime/JSString.h:
3501         * runtime/StringObjectThatMasqueradesAsUndefined.h:
3502         (JSC::StringObjectThatMasqueradesAsUndefined::toBoolean):
3503
3504 2011-09-15  Filip Pizlo  <fpizlo@apple.com>
3505
3506         Unreviewed build fix for platforms that expect a linkable symbol
3507         for primitive static const's.
3508
3509         * bytecode/CodeBlock.h:
3510         * jit/JIT.cpp:
3511         (JSC::JIT::emitOptimizationCheck):
3512
3513 2011-09-15  Filip Pizlo  <fpizlo@apple.com>
3514
3515         Unreviewed build fix for assertion on existence of alternative
3516         CodeBlock.
3517
3518         * dfg/DFGGraph.cpp:
3519         (JSC::DFG::Graph::predictArgumentTypes):
3520
3521 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
3522
3523         Value profiles collect no information for global variables
3524         https://bugs.webkit.org/show_bug.cgi?id=68143
3525
3526         Reviewed by Geoffrey Garen.
3527         
3528         17% speed-up on string-fasta.  Neutral elsewhere.
3529
3530         * dfg/DFGByteCodeParser.cpp:
3531         (JSC::DFG::ByteCodeParser::getStrongPrediction):
3532         (JSC::DFG::ByteCodeParser::stronglyPredict):
3533         (JSC::DFG::ByteCodeParser::parseBlock):
3534         * jit/JITPropertyAccess.cpp:
3535         (JSC::JIT::emit_op_get_global_var):
3536
3537 2011-09-15  Eric Seidel  <eric@webkit.org>
3538
3539         Remove ENABLE_SVG_ANIMATION as all major ports have it on by default
3540         https://bugs.webkit.org/show_bug.cgi?id=68022
3541
3542         Reviewed by Ryosuke Niwa.
3543
3544         * Configurations/FeatureDefines.xcconfig:
3545
3546 2011-09-15  Gavin Barraclough  <barraclough@apple.com>
3547
3548         Ooops, revert accidentally committed unreviewed changes.
3549
3550         * jit/JITOpcodes32_64.cpp:
3551         (JSC::JIT::emit_op_jfalse):
3552         (JSC::JIT::emit_op_jtrue):
3553         * jit/JSInterfaceJIT.h:
3554         * runtime/JSValue.h:
3555
3556 2011-09-15  Sheriff Bot  <webkit.review.bot@gmail.com>
3557
3558         Unreviewed, rolling out r95163.
3559         http://trac.webkit.org/changeset/95163
3560         https://bugs.webkit.org/show_bug.cgi?id=68180
3561
3562         [Qt] The QT_GCC_X variables were removed in Qt5 by accident.
3563         (Requested by darktears on #webkit).
3564
3565         * JavaScriptCore.pro:
3566
3567 2011-09-15  Gavin Barraclough  <barraclough@apple.com>
3568
3569         Windows build fix p1.
3570
3571         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
3572         * jit/JITOpcodes32_64.cpp:
3573         (JSC::JIT::emit_op_jfalse):
3574         (JSC::JIT::emit_op_jtrue):
3575         * jit/JSInterfaceJIT.h:
3576         * runtime/JSValue.h:
3577
3578 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
3579
3580         Tiered compilation should be enabled by default on platforms
3581         that support the DFG JIT
3582         https://bugs.webkit.org/show_bug.cgi?id=68136
3583
3584         Reviewed by Sam Weinig.
3585         
3586         Neutral on SunSpider, 4% speed-up on V8, and 19% speed-up on
3587         Kraken.  Large progressions on some benchmarks, including
3588         3x on imaging-desaturate.
3589
3590         * wtf/Platform.h:
3591
3592 2011-09-15  Gavin Barraclough  <barraclough@apple.com>
3593
3594         devirtualize preventExtensions
3595         https://bugs.webkit.org/show_bug.cgi?id=68176
3596
3597         Reviewed by Oliver Hunt.
3598
3599         This is virtual due to problems in JSFunction putting the prototype
3600         property, but we can fix this problem a different way, just setting
3601         the checkReadOnly flag to false in the put.
3602
3603         * runtime/JSFunction.cpp:
3604         (JSC::JSFunction::getOwnPropertySlot):
3605         * runtime/JSFunction.h:
3606         * runtime/JSObject.h:
3607
3608 2011-09-15  Geoffrey Garen  <ggaren@apple.com>
3609
3610         Value chaining for JSValue32_64 bitops.
3611
3612         Reviewed by Sam Weinig.
3613         
3614         SunSpider says 2.3% faster, v8 ~1% faster (mostly due to crypto).
3615
3616         * jit/JIT.h:
3617         * jit/JITInlineMethods.h:
3618         (JSC::JIT::emitStoreAndMapInt32): New int32 helper function for stores
3619         that can chain their results, which is the common case.
3620
3621         * jit/JITArithmetic32_64.cpp:
3622         (JSC::JIT::emit_op_lshift):
3623         (JSC::JIT::emitRightShift):
3624         (JSC::JIT::emit_op_bitand):
3625         (JSC::JIT::emit_op_bitor):
3626         (JSC::JIT::emit_op_bitxor):
3627         (JSC::JIT::emit_op_bitnot):
3628         (JSC::JIT::emit_op_pre_inc):
3629         (JSC::JIT::emit_op_pre_dec): Deployed new function.
3630         (JSC::JIT::emit_op_post_inc):
3631         (JSC::JIT::emit_op_post_dec): Had to reorder these functions so they
3632         computed their result values last, to make them eligible for chaining.
3633
3634 2011-09-15  Adam Roben  <aroben@apple.com>
3635
3636         Clang build fix after r95172
3637
3638         * dfg/DFGSpeculativeJIT.h:
3639         (JSC::DFG::SpeculativeJIT::shouldSpeculateFinalObject):
3640         (JSC::DFG::SpeculativeJIT::shouldSpeculateArray):
3641         Added parentheses to make precedence clear.
3642
3643 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
3644
3645         DFG does not speculate aggressively enough on comparisons
3646         https://bugs.webkit.org/show_bug.cgi?id=68138
3647
3648         Reviewed by Oliver Hunt.
3649         
3650         This is a 75% speed-up on Kraken/ai-astar.  It's a 1% win on
3651         V8 and an 8.5% win on Kraken.  Neutral on SunSpider.
3652
3653         * dfg/DFGSpeculativeJIT.cpp:
3654         (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
3655         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
3656         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
3657         (JSC::DFG::SpeculativeJIT::compare):
3658         * dfg/DFGSpeculativeJIT.h:
3659         (JSC::DFG::SpeculativeJIT::shouldSpeculateFinalObject):
3660         (JSC::DFG::SpeculativeJIT::shouldSpeculateArray):
3661         (JSC::DFG::SpeculativeJIT::shouldSpeculateObject):
3662         (JSC::DFG::SpeculativeJIT::shouldSpeculateCell):
3663
3664 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
3665
3666         DFG JIT does not leverage integer speculations on branches
3667         https://bugs.webkit.org/show_bug.cgi?id=68140
3668
3669         Reviewed by Oliver Hunt.
3670
3671         * dfg/DFGJITCodeGenerator.cpp:
3672         (JSC::DFG::JITCodeGenerator::isStrictInt32):
3673         * dfg/DFGJITCodeGenerator.h:
3674         * dfg/DFGSpeculativeJIT.cpp:
3675         (JSC::DFG::SpeculativeJIT::compile):
3676
3677 2011-09-14  Gavin Barraclough  <barraclough@apple.com>
3678
3679         [n]stricteq code is bogus in JSValue32_64 JIT
3680         https://bugs.webkit.org/show_bug.cgi?id=68141
3681
3682         Reviewed by Sam Weinig.
3683
3684         The code tries to check for both ints or cells, but this check also
3685         catches cases where values are undefined, null, etc. (probably
3686         was incorrectly assuming cell was the 2nd highest tag?).
3687
3688         Also, there is no need not to handle int on the fast path.
3689         stricteq is just a case of comparing the payloads, if we:
3690             * handle cases of differing tags on a slow path
3691             * handle doubles on a slow path
3692             * handle both-are-string on a slow path
3693
3694         * jit/JITOpcodes32_64.cpp:
3695         (JSC::JIT::compileOpStrictEq):
3696         (JSC::JIT::emitSlow_op_stricteq):
3697         (JSC::JIT::emitSlow_op_nstricteq):
3698
3699 2011-09-14  Mark Hahnenberg  <mhahnenberg@apple.com>
3700
3701         Make JSCell::toBoolean non-virtual
3702         https://bugs.webkit.org/show_bug.cgi?id=67727
3703
3704         Reviewed by Sam Weinig.
3705
3706         JSCell::toBoolean now manually performs the toBoolean check for objects and strings (where 
3707         before it was simply virtual and would crash if its implementation was called). 
3708         Its descendants in JSObject and JSString have also been made non-virtual.  JSCell now
3709         explicitly covers all cases of toBoolean, so having a virtual implementation of 
3710         JSCell::toBoolean is no longer necessary.  This is part of a larger process of un-virtualizing JSCell.
3711
3712         * JavaScriptCore.exp:
3713         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
3714         * runtime/JSCell.cpp:
3715         * runtime/JSCell.h:
3716         * runtime/JSNotAnObject.cpp:
3717         * runtime/JSNotAnObject.h:
3718         * runtime/JSObject.h:
3719         * runtime/JSString.h:
3720         (JSC::JSCell::toBoolean):
3721         (JSC::JSValue::toBoolean):
3722         * runtime/StringObjectThatMasqueradesAsUndefined.h:
3723
3724 2011-09-14  Alexis Menard  <alexis.menard@openbossa.org>
3725
3726         [Qt] Replace QT_GCC_X as they don't exist in Qt5 anymore.
3727         https://bugs.webkit.org/show_bug.cgi?id=68114
3728
3729         Reviewed by Kenneth Rohde Christiansen.
3730
3731         Use the new GCC_X variables defined in WebKit.pri to replace
3732         the usage of QT_GCC_X.
3733
3734         * JavaScriptCore.pro:
3735
3736 2011-09-14  Sheriff Bot  <webkit.review.bot@gmail.com>
3737
3738         Unreviewed, rolling out r95145.
3739         http://trac.webkit.org/changeset/95145
3740         https://bugs.webkit.org/show_bug.cgi?id=68139
3741
3742         The GTK+ build is working now, so revert this trial build fix.
3743         (Requested by mrobinson on #webkit).
3744
3745         * GNUmakefile.list.am:
3746
3747 2011-09-14  Patrick Gansterer  <paroga@webkit.org>
3748
3749         Port MachineStackMarker to Windows ARM and MIPS
3750         https://bugs.webkit.org/show_bug.cgi?id=68068
3751
3752         Reviewed by Geoffrey Garen.
3753
3754         Use the correct member of the CONTEXT struct for the stackpointer for CPU(ARM) and CPU(MIPS).
3755         Only query CONTEXT_INTEGER and CONTEXT_CONTROL, since CONTEXT_SEGMENTS isn't defined for
3756         CPU(ARM) and CPU(MIPS) and the stackpointer is defined in the CONTEXT_CONTROL section for
3757         CPU(ARM), CPU(X86) and CPU(X86_64) and in the CONTEXT_INTEGER section for CPU(MIPS).
3758
3759         * heap/MachineStackMarker.cpp:
3760         (JSC::getPlatformThreadRegisters):
3761         (JSC::otherThreadStackPointer):
3762
3763 2011-09-12  Filip Pizlo  <fpizlo@apple.com>
3764
3765         DFG JIT always speculates that ValueAdd is a numeric addition
3766         https://bugs.webkit.org/show_bug.cgi?id=67956
3767
3768         Reviewed by Geoffrey Garen.
3769
3770         * dfg/DFGJITCodeGenerator.cpp:
3771         (JSC::DFG::JITCodeGenerator::isKnownNotNumber):
3772         * dfg/DFGJITCodeGenerator.h:
3773         * dfg/DFGNonSpeculativeJIT.cpp:
3774         (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
3775         (JSC::DFG::NonSpeculativeJIT::basicArithOp):
3776         * dfg/DFGOperations.cpp:
3777         * dfg/DFGOperations.h:
3778         * dfg/DFGSpeculativeJIT.cpp:
3779         (JSC::DFG::SpeculativeJIT::compile):
3780         * dfg/DFGSpeculativeJIT.h:
3781         (JSC::DFG::SpeculativeJIT::shouldSpeculateNumber):
3782
3783 2011-09-14  Anders Carlsson  <andersca@apple.com>
3784
3785         Stop building BinarySemaphore to see if that's what's breaking the GTK+ build.
3786
3787         * GNUmakefile.list.am:
3788
3789 2011-09-14  Anders Carlsson  <andersca@apple.com>
3790
3791         This is getting old. Yet another build fix attempt.
3792
3793         * JavaScriptCore.vcproj/WTF/WTFCommon.vsprops:
3794
3795 2011-09-14  Anders Carlsson  <andersca@apple.com>
3796
3797         Yet another build fix attempt.
3798
3799         * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:
3800
3801 2011-09-14  Anders Carlsson  <andersca@apple.com>
3802
3803         How I "love" Visual Studio...
3804
3805         Try to fix build again.
3806
3807         * JavaScriptCore.vcproj/WTF/WTFCommon.vsprops:
3808
3809 2011-09-14  Anders Carlsson  <andersca@apple.com>
3810
3811         Try to fix Windows build.
3812
3813         * JavaScriptCore.vcproj/WTF/WTFCommon.vsprops:
3814
3815 2011-09-14  Anders Carlsson  <andersca@apple.com>
3816
3817         Add BinarySemaphore class from WebKit2 to WTF
3818         https://bugs.webkit.org/show_bug.cgi?id=68132
3819
3820         Reviewed by Sam Weinig.
3821
3822         * GNUmakefile.list.am:
3823         * JavaScriptCore.gypi:
3824         * JavaScriptCore.vcproj/WTF/WTF.vcproj:
3825         * JavaScriptCore.xcodeproj/project.pbxproj:
3826         * wtf/CMakeLists.txt:
3827         Update build systems.
3828
3829         * wtf/threads: Added.
3830         * wtf/threads/BinarySemaphore.cpp: Copied from Source/WebKit2/Platform/CoreIPC/BinarySemaphore.cpp.
3831         * wtf/threads/BinarySemaphore.h: Copied from Source/WebKit2/Platform/CoreIPC/BinarySemaphore.h.
3832         * wtf/threads/win: Added.
3833         * wtf/threads/win/BinarySemaphoreWin.cpp: Copied from Source/WebKit2/Platform/CoreIPC/win/BinarySemaphoreWin.cpp.
3834
3835 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
3836
3837         Unreviewed build fix for Interpreter.
3838
3839         * interpreter/Interpreter.cpp:
3840         (JSC::Interpreter::privateExecute):
3841
3842 2011-09-14  Anders Carlsson  <andersca@apple.com>
3843
3844         Add wtf/threads and wtf/threads/win, so we can be sure that the EWS
3845         bots can correctly build the patch in https://bugs.webkit.org/show_bug.cgi?id=68132
3846
3847         Rubber-stamped by Sam Weinig.
3848
3849         * wtf/threads: Added.
3850         * wtf/threads/win: Added.
3851
3852 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
3853
3854         DFG JIT should not speculate integer if the value is always going to be
3855         used as a double anyway
3856         https://bugs.webkit.org/show_bug.cgi?id=68127
3857
3858         Reviewed by Oliver Hunt.
3859         
3860         Added a ValueToDouble node, which is a variant of ValueToNumber that
3861         hints that it will only be used as a double and never as an integer.
3862         Thus, it turns off integer speculation even if the value profiler
3863         told us that the value source is an int. The logic for converting a
3864         ValueToNumber into a ValueToDouble is found in Propagator.
3865         
3866         This appears to be a 22% speed-up in imaging-darkroom.
3867
3868         * dfg/DFGNode.h:
3869         * dfg/DFGNonSpeculativeJIT.cpp:
3870         (JSC::DFG::NonSpeculativeJIT::compile):
3871         * dfg/DFGPropagator.cpp:
3872         (JSC::DFG::Propagator::fixpoint):
3873         (JSC::DFG::Propagator::toDouble):
3874         (JSC::DFG::Propagator::fixupNode):
3875         (JSC::DFG::Propagator::fixup):
3876         * dfg/DFGSpeculativeJIT.cpp:
3877         (JSC::DFG::SpeculativeJIT::compile):
3878         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
3879
3880 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
3881
3882         Tiered compilation heuristics do not account for value profile fullness
3883         https://bugs.webkit.org/show_bug.cgi?id=68116
3884
3885         Reviewed by Oliver Hunt.
3886         
3887         Tiered compilation avoids invoking the DFG JIT if it finds that value
3888         profiles contain insufficient information. Instead, it produces a
3889         prediction from the current value profile, and then clears the value
3890         profile. This allows the value profile to heat up from scratch for
3891         some number of additional executions. The new profiles will then be
3892         merged with the previous prediction. Once the amount of information
3893         in predictions is enough according to heuristics in CodeBlock.cpp,
3894         DFG optimization is allowed to proceed.
3895
3896         * CMakeLists.txt:
3897         * GNUmakefile.list.am:
3898         * JavaScriptCore.pro:
3899         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
3900         * JavaScriptCore.xcodeproj/project.pbxproj:
3901         * bytecode/CodeBlock.cpp:
3902         (JSC::CodeBlock::CodeBlock):
3903         (JSC::CodeBlock::~CodeBlock):
3904         (JSC::CodeBlock::visitAggregate):
3905         (JSC::CodeBlock::visitWeakReferences):
3906         (JSC::CodeBlock::shouldOptimizeNow):
3907         (JSC::CodeBlock::dumpValueProfiles):
3908         * bytecode/CodeBlock.h:
3909         * bytecode/PredictedType.cpp:
3910         (JSC::predictionToString):
3911         * bytecode/PredictedType.h:
3912         * bytecode/ValueProfile.cpp: Added.
3913         (JSC::ValueProfile::computeStatistics):
3914         (JSC::ValueProfile::computeUpdatedPrediction):
3915         * bytecode/ValueProfile.h:
3916         (JSC::ValueProfile::ValueProfile):
3917         (JSC::ValueProfile::classInfo):
3918         (JSC::ValueProfile::numberOfSamples):
3919         (JSC::ValueProfile::totalNumberOfSamples):
3920         (JSC::ValueProfile::isLive):
3921         (JSC::ValueProfile::numberOfInt32s):
3922         (JSC::ValueProfile::numberOfDoubles):
3923         (JSC::ValueProfile::numberOfBooleans):
3924         (JSC::ValueProfile::dump):
3925         (JSC::getValueProfileBytecodeOffset):
3926         * dfg/DFGByteCodeParser.cpp:
3927         (JSC::DFG::ByteCodeParser::stronglyPredict):
3928         * dfg/DFGGraph.cpp:
3929         (JSC::DFG::Graph::predictArgumentTypes):
3930         * dfg/DFGJITCompiler.cpp:
3931         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
3932         (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):
3933         * jit/JIT.cpp:
3934         (JSC::JIT::emitOptimizationCheck):
3935         * jit/JITInlineMethods.h:
3936         (JSC::JIT::emitValueProfilingSite):
3937         * jit/JITStubs.cpp:
3938         (JSC::DEFINE_STUB_FUNCTION):
3939
3940 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
3941
3942         DFG should not speculate that the child of LogicalNot is a boolean if
3943         predictions tell us otherwise
3944         https://bugs.webkit.org/show_bug.cgi?id=68118
3945
3946         Reviewed by Geoffrey Garen.
3947
3948         * dfg/DFGJITCodeGenerator.cpp:
3949         (JSC::DFG::JITCodeGenerator::nonSpeculativeLogicalNot):
3950         * dfg/DFGJITCodeGenerator.h:
3951         * dfg/DFGNonSpeculativeJIT.cpp:
3952         (JSC::DFG::NonSpeculativeJIT::compile):
3953         * dfg/DFGSpeculativeJIT.cpp:
3954         (JSC::DFG::SpeculativeJIT::compile):
3955
3956 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
3957
3958         Unreviewed build fix.  Turn off tiered compilation.
3959
3960         * wtf/Platform.h:
3961
3962 2011-09-13  Filip Pizlo  <fpizlo@apple.com>
3963
3964         Prediction tracking is not precise enough
3965         https://bugs.webkit.org/show_bug.cgi?id=67993
3966
3967         Reviewed by Oliver Hunt.
3968         
3969         Added a richer set of type predictions, including JSFinalObject, JSString,
3970         object that is not a JSFinalObject or JSArray (ObjectOther), some object
3971         but we don't know or care what kind (SomeObject), definitely an object,
3972         cell that is not an object or JSString, a value that is none of the above
3973         (so either Undefined or Null). Made the propagator and value profiler work
3974         with the new types.
3975         
3976         Performance is neutral, because the DFG JIT does not take advantage of this
3977         new knowledge yet.
3978         
3979         In the process of writing predictionToString() (which is now considerably
3980         more complex) I decided to finally add a BoundsCheckedPointer, which
3981         should come in handy in other places, like at least the OSR scratch buffer
3982         and the CompactJITCodeMap. It's great for cases where you want to
3983         do pointer arithmetic, you want to have assertions about the
3984         pointer not going out of bounds, but you don't want to write those
3985         assertions yourself.
3986         
3987         This also required refactoring inherits(), since the ValueProfiler may
3988         want to do the equivalent of inherits() but given two ClassInfo's.
3989
3990         * GNUmakefile.list.am:
3991         * JavaScriptCore.vcproj/WTF/WTF.vcproj:
3992         * JavaScriptCore.xcodeproj/project.pbxproj:
3993         * bytecode/PredictedType.cpp: Added.
3994         (JSC::predictionToString):
3995         (JSC::makePrediction):
3996         (JSC::predictionFromValue):
3997         * bytecode/PredictedType.h:
3998         (JSC::isCellPrediction):
3999         (JSC::isObjectPrediction):
4000         (JSC::isFinalObjectPrediction):
4001         (JSC::isStringPrediction):
4002         (JSC::mergePredictions):
4003         * bytecode/ValueProfile.h:
4004         (JSC::ValueProfile::numberOfObjects):
4005         (JSC::ValueProfile::numberOfFinalObjects):
4006         (JSC::ValueProfile::numberOfStrings):
4007         (JSC::ValueProfile::probabilityOfObject):
4008         (JSC::ValueProfile::probabilityOfFinalObject):
4009         (JSC::ValueProfile::probabilityOfString):
4010         (JSC::ValueProfile::dump):
4011         (JSC::ValueProfile::Statistics::Statistics):
4012         (JSC::ValueProfile::computeStatistics):
4013         * dfg/DFGByteCodeParser.cpp:
4014         (JSC::DFG::ByteCodeParser::stronglyPredict):
4015         * dfg/DFGGraph.cpp:
4016         (JSC::DFG::Graph::dump):
4017         (JSC::DFG::Graph::predictArgumentTypes):
4018         * dfg/DFGNode.h:
4019         (JSC::DFG::Node::predict):
4020         * dfg/DFGPropagator.cpp:
4021         (JSC::DFG::Propagator::propagateNode):
4022         * runtime/ClassInfo.h:
4023         (JSC::ClassInfo::isSubClassOf):
4024         * runtime/JSObject.h:
4025         (JSC::JSCell::inherits):
4026         * wtf/BoundsCheckedPointer.h: Added.
4027         (WTF::BoundsCheckedPointer::BoundsCheckedPointer):
4028         (WTF::BoundsCheckedPointer::operator=):
4029         (WTF::BoundsCheckedPointer::operator+=):
4030         (WTF::BoundsCheckedPointer::operator-=):
4031         (WTF::BoundsCheckedPointer::operator+):
4032         (WTF::BoundsCheckedPointer::operator-):
4033         (WTF::BoundsCheckedPointer::operator++):
4034         (WTF::BoundsCheckedPointer::operator--):
4035         (WTF::BoundsCheckedPointer::operator<):
4036         (WTF::BoundsCheckedPointer::operator<=):
4037         (WTF::BoundsCheckedPointer::operator>):
4038         (WTF::BoundsCheckedPointer::operator>=):
4039         (WTF::BoundsCheckedPointer::operator==):
4040         (WTF::BoundsCheckedPointer::operator!=):
4041         (WTF::BoundsCheckedPointer::operator!):
4042         (WTF::BoundsCheckedPointer::get):
4043         (WTF::BoundsCheckedPointer::operator*):
4044         (WTF::BoundsCheckedPointer::operator[]):
4045         (WTF::BoundsCheckedPointer::strcat):
4046         (WTF::BoundsCheckedPointer::validate):
4047         * wtf/CMakeLists.txt:
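
An added example, not code from the page or from WebKit, that ties together the two things this entry describes and the prediction merging of the "Tiered compilation heuristics" entry above: a set of prediction bits with the cell/object/final-object/string predicates, a union-style `mergePredictions`, and a `predictionToString` that writes into a fixed buffer through a `BoundsCheckedPointer` whose every move and dereference is asserted. The bit values, the prediction names, the buffer size and the pointer's implementation are this example's own assumptions; only the operator set follows the list in the entry.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>

// A pointer that carries its buffer bounds and checks every move and every
// dereference. The operator set follows the list in the entry above; the
// implementation is written for this example, not copied from WTF.
template <typename T>
class BoundsCheckedPointer {
public:
    BoundsCheckedPointer(T* begin, size_t count)
        : m_ptr(begin), m_begin(begin), m_end(begin + count) {}

    // One-past-the-end is a legal position but not a legal element.
    bool inRange() const { return m_ptr >= m_begin && m_ptr <= m_end; }
    bool dereferenceable() const { return m_ptr >= m_begin && m_ptr < m_end; }
    bool canAdvance(ptrdiff_t d) const {
        ptrdiff_t target = (m_ptr - m_begin) + d;
        return target >= 0 && target <= m_end - m_begin;
    }
    size_t remaining() const { return static_cast<size_t>(m_end - m_ptr); }
    T* get() const { return m_ptr; }

    // Moves are checked before the pointer changes, so an out-of-bounds
    // pointer is never even formed.
    BoundsCheckedPointer& operator+=(ptrdiff_t d) { assert(canAdvance(d)); m_ptr += d; return *this; }
    BoundsCheckedPointer& operator-=(ptrdiff_t d) { return *this += -d; }
    BoundsCheckedPointer& operator++() { return *this += 1; }
    T& operator*() const { assert(dereferenceable()); return *m_ptr; }
    T& operator[](ptrdiff_t i) const {
        ptrdiff_t idx = (m_ptr - m_begin) + i;
        assert(idx >= 0 && idx < m_end - m_begin);
        return m_begin[idx];
    }
    // Append a C string (no terminator), refusing to write past the end.
    void strcat(const char* s) {
        size_t n = std::strlen(s);
        assert(n <= remaining());
        std::memcpy(m_ptr, s, n);
        m_ptr += n;
    }

private:
    T* m_ptr;
    T* m_begin;
    T* m_end;
};

// Prediction bits. The categories are the ones the entry names; the bit
// values and the short names are this example's own.
typedef uint32_t PredictedType;
enum : PredictedType {
    PredictNone        = 0,
    PredictFinalObject = 1u << 0,
    PredictArray       = 1u << 1,
    PredictObjectOther = 1u << 2,   // object that is neither final object nor array
    PredictString      = 1u << 3,
    PredictCellOther   = 1u << 4,   // cell that is neither object nor string
    PredictInt32       = 1u << 5,
    PredictDouble      = 1u << 6,
    PredictBoolean     = 1u << 7,
    PredictOther       = 1u << 8,   // undefined or null
    PredictObjectMask  = PredictFinalObject | PredictArray | PredictObjectOther,
    PredictCellMask    = PredictObjectMask | PredictString | PredictCellOther,
};

inline bool isCellPrediction(PredictedType p)        { return p && !(p & ~PredictCellMask); }
inline bool isObjectPrediction(PredictedType p)      { return p && !(p & ~PredictObjectMask); }
inline bool isFinalObjectPrediction(PredictedType p) { return p == PredictFinalObject; }
inline bool isStringPrediction(PredictedType p)      { return p == PredictString; }
// Merging is a union: the previous prediction survives alongside new samples.
inline PredictedType mergePredictions(PredictedType a, PredictedType b) { return a | b; }

// Render a prediction into a fixed buffer through the checked pointer, the
// use the entry cites for BoundsCheckedPointer.
std::string predictionToString(PredictedType p) {
    struct Name { PredictedType bit; const char* name; };
    static const Name kNames[] = {
        {PredictFinalObject, "Final"}, {PredictArray, "Array"}, {PredictObjectOther, "ObjectOther"},
        {PredictString, "String"}, {PredictCellOther, "CellOther"}, {PredictInt32, "Int"},
        {PredictDouble, "Double"}, {PredictBoolean, "Bool"}, {PredictOther, "Other"},
    };
    char buffer[96];   // every name joined with '|' fits with room to spare
    BoundsCheckedPointer<char> out(buffer, sizeof buffer);
    bool first = true;
    for (const Name& n : kNames) {
        if (!(p & n.bit)) continue;
        if (!first) out.strcat("|");
        out.strcat(n.name);
        first = false;
    }
    if (first) out.strcat("None");
    return std::string(buffer, out.get());
}

// Exercises the pointer on a tiny buffer; returns false if any check misfires.
bool boundsCheckedPointerSelfTest() {
    char buf[4] = {};
    BoundsCheckedPointer<char> p(buf, sizeof buf);
    if (!p.canAdvance(4) || p.canAdvance(5) || p.canAdvance(-1)) return false;
    p.strcat("abc");
    if (p.remaining() != 1 || !p.dereferenceable()) return false;
    ++p;
    return p.inRange() && !p.dereferenceable() && std::memcmp(buf, "abc", 3) == 0;
}
```

Two points worth noticing: the pointer checks a move before performing it, so an out-of-range pointer is never materialised even transiently, and `strcat` is sized against `remaining()` rather than trusting the caller, which is exactly the class of check the entry wants to stop writing by hand at every call site.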
4048