Fix the 32-bit build.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2011-07-20  Mark Rowe  <mrowe@apple.com>
2
3         Fix the 32-bit build.
4
5         * runtime/ObjectPrototype.cpp:
6         (JSC::objectProtoFuncToString):
7
8 2011-07-19  Gavin Barraclough  <barraclough@apple.com>
9
10         https://bugs.webkit.org/show_bug.cgi?id=64678
11         Fix bugs in Object.prototype this handling.
12
13         Reviewed by Darin Adler.
14
15         Fix ES5.1 correctness issues identified by Mads Ager.
16
17         * runtime/ObjectPrototype.cpp:
18         (JSC::objectProtoFuncToString):
19             - ES5.1 expects toString of undefined/null to produce "[object Undefined]"/"[object Null]".
20
21 2011-07-19  Mark Hahnenberg  <mhahnenberg@apple.com>
22
23         [JSC] WebKit allocates gigabytes of memory when doing repeated string concatenation
24         https://bugs.webkit.org/show_bug.cgi?id=63918
25
26         Reviewed by Darin Adler.
27
28         When allocating JSStrings during concatenation, we needed to call the Heap's reportExtraMemoryCost
29         method due to additional string copying within several of the constructors when dealing with 
30         UStrings.  This has been added to the UString version of the appendStringInConstruct method 
31         within the JSString class.
32
33         * runtime/JSString.h:
34         (JSC::RopeBuilder::JSString):
35         (JSC::RopeBuilder::appendStringInConstruct):
36
37 2011-07-19  Gavin Barraclough  <barraclough@apple.com>
38
39         https://bugs.webkit.org/show_bug.cgi?id=64679
40         Fix bugs in Array.prototype this handling.
41
42         Reviewed by Oliver Hunt.
43
44         * runtime/ArrayPrototype.cpp:
45         (JSC::arrayProtoFuncJoin):
46         (JSC::arrayProtoFuncConcat):
47         (JSC::arrayProtoFuncPop):
48         (JSC::arrayProtoFuncPush):
49         (JSC::arrayProtoFuncReverse):
50         (JSC::arrayProtoFuncShift):
51         (JSC::arrayProtoFuncSlice):
52         (JSC::arrayProtoFuncSort):
53         (JSC::arrayProtoFuncSplice):
54         (JSC::arrayProtoFuncUnShift):
55         (JSC::arrayProtoFuncFilter):
56         (JSC::arrayProtoFuncMap):
57         (JSC::arrayProtoFuncEvery):
58         (JSC::arrayProtoFuncForEach):
59         (JSC::arrayProtoFuncSome):
60         (JSC::arrayProtoFuncReduce):
61         (JSC::arrayProtoFuncReduceRight):
62         (JSC::arrayProtoFuncIndexOf):
63         (JSC::arrayProtoFuncLastIndexOf):
64             - These methods should throw if this value is undefined.
65
66 2011-07-19  Gavin Barraclough  <barraclough@apple.com>
67
68         https://bugs.webkit.org/show_bug.cgi?id=64677
69         Fix bugs in String.prototype this handling.
70
71         Reviewed by Oliver Hunt.
72
73         undefined/null this values should throw TypeErrors, not convert to
74         the global object, and primitive values should not be converted via
75         object types.
76
77         * runtime/StringPrototype.cpp:
78         (JSC::stringProtoFuncReplace):
79         (JSC::stringProtoFuncCharAt):
80         (JSC::stringProtoFuncCharCodeAt):
81         (JSC::stringProtoFuncIndexOf):
82         (JSC::stringProtoFuncLastIndexOf):
83         (JSC::stringProtoFuncMatch):
84         (JSC::stringProtoFuncSearch):
85         (JSC::stringProtoFuncSlice):
86         (JSC::stringProtoFuncSplit):
87         (JSC::stringProtoFuncSubstr):
88         (JSC::stringProtoFuncSubstring):
89         (JSC::stringProtoFuncToLowerCase):
90         (JSC::stringProtoFuncToUpperCase):
91         (JSC::stringProtoFuncLocaleCompare):
92         (JSC::stringProtoFuncBig):
93         (JSC::stringProtoFuncSmall):
94         (JSC::stringProtoFuncBlink):
95         (JSC::stringProtoFuncBold):
96         (JSC::stringProtoFuncFixed):
97         (JSC::stringProtoFuncItalics):
98         (JSC::stringProtoFuncStrike):
99         (JSC::stringProtoFuncSub):
100         (JSC::stringProtoFuncSup):
101         (JSC::stringProtoFuncFontcolor):
102         (JSC::stringProtoFuncFontsize):
103         (JSC::stringProtoFuncAnchor):
104         (JSC::stringProtoFuncLink):
105         (JSC::trimString):
106             - These methods should throw if this value is undefined,
107               convert ToString directly, not via ToObject.
108
109 2011-07-19  Filip Pizlo  <fpizlo@apple.com>
110
111         DFG JIT sometimes emits spill code even when the respective values
112         are never needed.
113         https://bugs.webkit.org/show_bug.cgi?id=64774
114
115         Reviewed by Gavin Barraclough.
116         
117         The main high-level change is that it is now easier to call use() on a
118         virtual register.  JSValueOperand and its other-typed relatives now have
119         a handy use() method, and jsValueResult() and friends now make it easier to
120         pass UseChildrenCalledExplicitly.
121         
122         The rest of this patch hoists the call to use() as high as possible for
123         all of those cases where either flushRegisters() or silentSpillAllRegisters()
124         may be called.
125
126         * dfg/DFGJITCodeGenerator.cpp:
127         (JSC::DFG::JITCodeGenerator::cachedGetById):
128         (JSC::DFG::JITCodeGenerator::cachedGetMethod):
129         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
130         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
131         (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
132         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
133         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
134         (JSC::DFG::JITCodeGenerator::nonSpeculativeStrictEq):
135         (JSC::DFG::JITCodeGenerator::emitBranch):
136         * dfg/DFGJITCodeGenerator.h:
137         (JSC::DFG::JITCodeGenerator::use):
138         (JSC::DFG::JITCodeGenerator::integerResult):
139         (JSC::DFG::JITCodeGenerator::jsValueResult):
140         (JSC::DFG::IntegerOperand::use):
141         (JSC::DFG::DoubleOperand::use):
142         (JSC::DFG::JSValueOperand::use):
143         * dfg/DFGNonSpeculativeJIT.cpp:
144         (JSC::DFG::NonSpeculativeJIT::valueToNumber):
145         (JSC::DFG::NonSpeculativeJIT::valueToInt32):
146         (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
147         (JSC::DFG::NonSpeculativeJIT::basicArithOp):
148         (JSC::DFG::NonSpeculativeJIT::compile):
149         * dfg/DFGSpeculativeJIT.cpp:
150         (JSC::DFG::SpeculativeJIT::compile):
151         * dfg/DFGSpeculativeJIT.h:
152         (JSC::DFG::SpeculateStrictInt32Operand::use):
153         (JSC::DFG::SpeculateCellOperand::use):
154
155 2011-07-19  Xan Lopez  <xlopez@igalia.com>
156
157         ARMv7 backend broken, lacks 3 parameter rshift32 method
158         https://bugs.webkit.org/show_bug.cgi?id=64571
159
160         Reviewed by Zoltan Herczeg.
161
162         * assembler/MacroAssemblerARMv7.h:
163         (JSC::MacroAssemblerARMv7::rshift32): add missing rshift32 method.
164
165 2011-07-18  Filip Pizlo  <fpizlo@apple.com>
166
167         DFG JIT does not optimize strict equality as effectively as the old JIT does.
168         https://bugs.webkit.org/show_bug.cgi?id=64759
169
170         Reviewed by Gavin Barraclough.
171         
172         This adds a more complete set of strict equality optimizations.  If either
173         operand is known numeric, then the code reverts to the old style of optimizing
174         (first try integer comparison).  Otherwise it uses the old JIT's trick of
175         first simultaneously checking if both operands are either numbers or cells;
176         if not then a fast path is taken.
177
178         * dfg/DFGJITCodeGenerator.cpp:
179         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
180         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
181         (JSC::DFG::JITCodeGenerator::nonSpeculativeStrictEq):
182         * dfg/DFGJITCodeGenerator.h:
183         * dfg/DFGNonSpeculativeJIT.cpp:
184         (JSC::DFG::NonSpeculativeJIT::compile):
185         * dfg/DFGOperations.cpp:
186         * dfg/DFGOperations.h:
187         * dfg/DFGSpeculativeJIT.cpp:
188         (JSC::DFG::SpeculativeJIT::compile):
189
190 2011-07-18  Gavin Barraclough  <barraclough@apple.com>
191
192         https://bugs.webkit.org/show_bug.cgi?id=64760
193         DFG JIT - Should be able to compile program code.
194
195         Reviewed by Geoff Garen.
196
197         Add support for op_end, hooks to compile program code in Executable.cpp.
198
199         * dfg/DFGByteCodeParser.cpp:
200         (JSC::DFG::ByteCodeParser::parseBlock):
201             - Add support for op_end
202         * dfg/DFGJITCompiler.cpp:
203         (JSC::DFG::JITCompiler::compileEntry):
204         (JSC::DFG::JITCompiler::compileBody):
205         (JSC::DFG::JITCompiler::link):
206             - Added, separate out steps of compileFunction.
207         (JSC::DFG::JITCompiler::compile):
208             - Added, compile program code.
209         (JSC::DFG::JITCompiler::compileFunction):
210             - Sections separated out to helper functions.
211         * dfg/DFGJITCompiler.h:
212         (JSC::DFG::JITCompiler::JITCompiler):
213             - Added m_exceptionCheckCount.
214         * runtime/Executable.cpp:
215         (JSC::tryDFGCompile):
216         (JSC::tryDFGCompileFunction):
217         (JSC::ProgramExecutable::compileInternal):
218         (JSC::FunctionExecutable::compileForCallInternal):
219             - Renamed tryDFGCompile to tryDFGCompileFunction, added tryDFGCompile to compile program code.
220
221 2011-07-18  Gavin Barraclough  <barraclough@apple.com>
222
223         https://bugs.webkit.org/show_bug.cgi?id=64678
224         Fix bugs in Object.prototype this handling.
225
226         Reviewed by Oliver Hunt.
227
228         undefined/null this values should throw TypeErrors, not convert to the global object,
229         also, to toLocaleString should be calling the ToObject & invoking the object's toString
230         function, even for values that are already strings.
231
232         * runtime/ObjectPrototype.cpp:
233         (JSC::objectProtoFuncValueOf):
234         (JSC::objectProtoFuncHasOwnProperty):
235         (JSC::objectProtoFuncIsPrototypeOf):
236         (JSC::objectProtoFuncPropertyIsEnumerable):
237         (JSC::objectProtoFuncToLocaleString):
238         (JSC::objectProtoFuncToString):
239
240 2011-07-18  Filip Pizlo  <fpizlo@apple.com>
241
242         JSC GC lazy sweep does not inline the common cases of cell destruction.
243         https://bugs.webkit.org/show_bug.cgi?id=64745
244
245         Reviewed by Oliver Hunt.
246         
247         This inlines the case of JSFinalObject destruction.
248
249         * heap/MarkedBlock.cpp:
250         (JSC::MarkedBlock::lazySweep):
251
252 2011-07-18  Oliver Hunt  <oliver@apple.com>
253
254         Interpreter build-fix
255
256         * interpreter/Interpreter.cpp:
257         (JSC::Interpreter::privateExecute):
258
259 2011-07-18  Filip Pizlo  <fpizlo@apple.com>
260
261         DFG JIT does not optimize equal-null comparisons and branches.
262         https://bugs.webkit.org/show_bug.cgi?id=64659
263
264         Reviewed by Gavin Barraclough.
265         
266         Added a peephole-aware compare-to-null implementation to JITCodeGenerator,
267         which is used by both the speculative and non-speculative JIT.  Through
268         the use of the new isNullConstant helper, the two JITs invoke the
269         nonSpecualtiveCompareNull() helper instead of their regular comparison
270         helpers when compiling CompareEq.  Through the use of the new isKnownCell
271         helper, the compare-null code will skip the is-a-cell check if the
272         speculative JIT had been speculating cell.
273
274         * dfg/DFGJITCodeGenerator.cpp:
275         (JSC::DFG::JITCodeGenerator::isKnownCell):
276         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompareNull):
277         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
278         (JSC::DFG::JITCodeGenerator::nonSpeculativeCompareNull):
279         * dfg/DFGJITCodeGenerator.h:
280         (JSC::DFG::JITCodeGenerator::isNullConstant):
281         * dfg/DFGNonSpeculativeJIT.cpp:
282         (JSC::DFG::NonSpeculativeJIT::compile):
283         * dfg/DFGOperations.cpp:
284         * dfg/DFGSpeculativeJIT.cpp:
285         (JSC::DFG::SpeculativeJIT::compile):
286
287 2011-07-18  James Robinson  <jamesr@chromium.org>
288
289         Timer scheduling should be based off the monotonic clock
290         https://bugs.webkit.org/show_bug.cgi?id=64544
291
292         Reviewed by Darin Adler.
293
294         Switches ThreadCondition::timedWait and related utility functions from currentTime() to
295         monotonicallyIncreasingTime().
296
297         Add WTF::monotonicallyIncreasingTime() to list of exported functions so it can be accessed from WebCore/WebKit.
298
299         * JavaScriptCore.exp:
300         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
301         * wtf/ThreadingPthreads.cpp:
302         (WTF::ThreadCondition::timedWait):
303         * wtf/ThreadingWin.cpp:
304         (WTF::absoluteTimeToWaitTimeoutInterval):
305         * wtf/gtk/ThreadingGtk.cpp:
306         (WTF::ThreadCondition::timedWait):
307         * wtf/qt/ThreadingQt.cpp:
308         (WTF::ThreadCondition::timedWait):
309
310 2011-07-18  Filip Pizlo  <fpizlo@apple.com>
311
312         JSC JIT does not inline GC allocation fast paths
313         https://bugs.webkit.org/show_bug.cgi?id=64582
314
315         Reviewed by Oliver Hunt.
316
317         This addresses inlining allocation for the easiest-to-allocate cases:
318         op_new_object and op_create_this.  Inlining GC allocation fast paths
319         required three changes.  First, the JSGlobalData now saves the vtable
320         pointer of JSFinalObject, since that's what op_new_object and
321         op_create_this allocate.  Second, the Heap exposes a reference to
322         the appropriate SizeClass, so that the JIT may inline accesses
323         directly to the SizeClass for JSFinalObject allocations.  And third,
324         the JIT is extended with code to emit inline fast paths for GC
325         allocation.  A stub call is emitted in the case where the inline fast
326         path fails.
327
328         * heap/Heap.h:
329         (JSC::Heap::sizeClassFor):
330         (JSC::Heap::allocate):
331         * jit/JIT.cpp:
332         (JSC::JIT::privateCompileSlowCases):
333         * jit/JIT.h:
334         * jit/JITInlineMethods.h:
335         (JSC::JIT::emitAllocateJSFinalObject):
336         * jit/JITOpcodes.cpp:
337         (JSC::JIT::emit_op_new_object):
338         (JSC::JIT::emitSlow_op_new_object):
339         (JSC::JIT::emit_op_create_this):
340         (JSC::JIT::emitSlow_op_create_this):
341         * jit/JITOpcodes32_64.cpp:
342         (JSC::JIT::emit_op_new_object):
343         (JSC::JIT::emitSlow_op_new_object):
344         (JSC::JIT::emit_op_create_this):
345         (JSC::JIT::emitSlow_op_create_this):
346         * runtime/JSGlobalData.cpp:
347         (JSC::JSGlobalData::storeVPtrs):
348         * runtime/JSGlobalData.h:
349         * runtime/JSObject.h:
350         (JSC::JSFinalObject::JSFinalObject):
351         (JSC::JSObject::offsetOfInheritorID):
352
353 2011-07-18  Mark Hahnenberg  <mhahnenberg@apple.com>
354
355         Refactor JSC to replace JSCell::operator new with static create method
356         https://bugs.webkit.org/show_bug.cgi?id=64466
357
358         Reviewed by Oliver Hunt (oliver@apple.com) and Darin Adler (darin@apple.com).
359
360         First step in a longer refactoring process to remove the use of
361         operator new overloading in order to allocate GC objects and to replace
362         this method with static create methods for each individual type of heap-allocated
363         JS object.  This particular patch only deals with replacing uses of
364         operator new within JSC proper.  Future patches will remove it from the
365         parts that interface with the DOM.  Due to the DOM's continued dependence
366         on it, operator new has not actually been removed from JSCell.
367
368         * API/JSCallbackConstructor.h:
369         (JSC::JSCallbackConstructor::create):
370         * API/JSCallbackFunction.h:
371         (JSC::JSCallbackFunction::create):
372         * API/JSCallbackObject.h:
373         (JSC::JSCallbackObject::operator new):
374         (JSC::JSCallbackObject::create):
375         * API/JSCallbackObjectFunctions.h:
376         (JSC::::staticFunctionGetter):
377         * API/JSClassRef.cpp:
378         (OpaqueJSClass::prototype):
379         * API/JSContextRef.cpp:
380         * API/JSObjectRef.cpp:
381         (JSObjectMake):
382         (JSObjectMakeFunctionWithCallback):
383         (JSObjectMakeConstructor):
384         * JavaScriptCore.exp:
385         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
386         * bytecode/CodeBlock.cpp:
387         (JSC::CodeBlock::createActivation):
388         * bytecompiler/BytecodeGenerator.cpp:
389         (JSC::BytecodeGenerator::BytecodeGenerator):
390         * bytecompiler/BytecodeGenerator.h:
391         (JSC::BytecodeGenerator::makeFunction):
392         * bytecompiler/NodesCodegen.cpp:
393         (JSC::RegExpNode::emitBytecode):
394         * interpreter/Interpreter.cpp:
395         (JSC::Interpreter::privateExecute):
396         (JSC::Interpreter::retrieveArguments):
397         * jit/JITStubs.cpp:
398         (JSC::DEFINE_STUB_FUNCTION):
399         * jsc.cpp:
400         (GlobalObject::create):
401         (GlobalObject::GlobalObject):
402         (functionRun):
403         (jscmain):
404         * runtime/Arguments.h:
405         (JSC::Arguments::create):
406         (JSC::Arguments::createNoParameters):
407         * runtime/ArrayConstructor.cpp:
408         (JSC::constructArrayWithSizeQuirk):
409         * runtime/ArrayConstructor.h:
410         (JSC::ArrayConstructor::create):
411         * runtime/ArrayPrototype.cpp:
412         (JSC::arrayProtoFuncSplice):
413         * runtime/ArrayPrototype.h:
414         (JSC::ArrayPrototype::create):
415         * runtime/BooleanConstructor.cpp:
416         (JSC::constructBoolean):
417         (JSC::constructBooleanFromImmediateBoolean):
418         * runtime/BooleanConstructor.h:
419         (JSC::BooleanConstructor::create):
420         * runtime/BooleanObject.h:
421         (JSC::BooleanObject::create):
422         * runtime/BooleanPrototype.h:
423         (JSC::BooleanPrototype::create):
424         * runtime/DateConstructor.cpp:
425         (JSC::constructDate):
426         * runtime/DateConstructor.h:
427         (JSC::DateConstructor::create):
428         * runtime/DateInstance.h:
429         (JSC::DateInstance::create):
430         * runtime/DatePrototype.h:
431         (JSC::DatePrototype::create):
432         * runtime/Error.cpp:
433         (JSC::createError):
434         (JSC::createEvalError):
435         (JSC::createRangeError):
436         (JSC::createReferenceError):
437         (JSC::createSyntaxError):
438         (JSC::createTypeError):
439         (JSC::createURIError):
440         (JSC::StrictModeTypeErrorFunction::create):
441         (JSC::createTypeErrorFunction):
442         * runtime/ErrorConstructor.h:
443         (JSC::ErrorConstructor::create):
444         * runtime/ErrorInstance.cpp:
445         (JSC::ErrorInstance::ErrorInstance):
446         (JSC::ErrorInstance::create):
447         * runtime/ErrorInstance.h:
448         * runtime/ErrorPrototype.cpp:
449         (JSC::ErrorPrototype::ErrorPrototype):
450         * runtime/ErrorPrototype.h:
451         (JSC::ErrorPrototype::create):
452         * runtime/ExceptionHelpers.cpp:
453         (JSC::InterruptedExecutionError::InterruptedExecutionError):
454         (JSC::InterruptedExecutionError::create):
455         (JSC::createInterruptedExecutionException):
456         (JSC::TerminatedExecutionError::TerminatedExecutionError):
457         (JSC::TerminatedExecutionError::create):
458         (JSC::createTerminatedExecutionException):
459         * runtime/Executable.cpp:
460         (JSC::FunctionExecutable::FunctionExecutable):
461         (JSC::FunctionExecutable::fromGlobalCode):
462         * runtime/Executable.h:
463         (JSC::ExecutableBase::create):
464         (JSC::NativeExecutable::create):
465         (JSC::ScriptExecutable::ScriptExecutable):
466         (JSC::EvalExecutable::create):
467         (JSC::ProgramExecutable::create):
468         (JSC::FunctionExecutable::create):
469         (JSC::FunctionExecutable::make):
470         * runtime/FunctionConstructor.cpp:
471         (JSC::constructFunctionSkippingEvalEnabledCheck):
472         * runtime/FunctionConstructor.h:
473         (JSC::FunctionConstructor::create):
474         * runtime/FunctionPrototype.cpp:
475         (JSC::FunctionPrototype::addFunctionProperties):
476         * runtime/FunctionPrototype.h:
477         (JSC::FunctionPrototype::create):
478         * runtime/GetterSetter.h:
479         (JSC::GetterSetter::create):
480         * runtime/JSAPIValueWrapper.h:
481         (JSC::JSAPIValueWrapper::create):
482         (JSC::jsAPIValueWrapper):
483         * runtime/JSActivation.cpp:
484         (JSC::JSActivation::argumentsGetter):
485         * runtime/JSActivation.h:
486         (JSC::JSActivation::create):
487         * runtime/JSArray.h:
488         (JSC::JSArray::create):
489         * runtime/JSCell.h:
490         (JSC::JSCell::allocateCell):
491         * runtime/JSFunction.h:
492         (JSC::JSFunction::create):
493         * runtime/JSGlobalObject.cpp:
494         (JSC::JSGlobalObject::init):
495         (JSC::JSGlobalObject::reset):
496         * runtime/JSGlobalObject.h:
497         (JSC::constructEmptyArray):
498         (JSC::constructArray):
499         * runtime/JSNotAnObject.h:
500         (JSC::JSNotAnObject::create):
501         * runtime/JSONObject.h:
502         (JSC::JSONObject::create):
503         * runtime/JSObject.cpp:
504         (JSC::JSObject::defineGetter):
505         (JSC::JSObject::defineSetter):
506         (JSC::putDescriptor):
507         * runtime/JSObject.h:
508         (JSC::JSFinalObject::create):
509         * runtime/JSPropertyNameIterator.cpp:
510         (JSC::JSPropertyNameIterator::create):
511         * runtime/JSPropertyNameIterator.h:
512         (JSC::JSPropertyNameIterator::create):
513         * runtime/JSString.cpp:
514         (JSC::JSString::substringFromRope):
515         (JSC::JSString::replaceCharacter):
516         (JSC::StringObject::create):
517         * runtime/JSString.h:
518         (JSC::RopeBuilder::JSString):
519         (JSC::RopeBuilder::create):
520         (JSC::RopeBuilder::createHasOtherOwner):
521         (JSC::jsSingleCharacterString):
522         (JSC::jsSingleCharacterSubstring):
523         (JSC::jsNontrivialString):
524         (JSC::jsString):
525         (JSC::jsSubstring):
526         (JSC::jsOwnedString):
527         * runtime/JSValue.cpp:
528         (JSC::JSValue::toObjectSlowCase):
529         (JSC::JSValue::synthesizeObject):
530         (JSC::JSValue::synthesizePrototype):
531         * runtime/Lookup.cpp:
532         (JSC::setUpStaticFunctionSlot):
533         * runtime/MathObject.h:
534         (JSC::MathObject::create):
535         * runtime/NativeErrorConstructor.cpp:
536         (JSC::NativeErrorConstructor::NativeErrorConstructor):
537         * runtime/NativeErrorConstructor.h:
538         (JSC::NativeErrorConstructor::create):
539         * runtime/NativeErrorPrototype.h:
540         (JSC::NativeErrorPrototype::create):
541         * runtime/NumberConstructor.cpp:
542         (JSC::constructWithNumberConstructor):
543         * runtime/NumberConstructor.h:
544         (JSC::NumberConstructor::create):
545         * runtime/NumberObject.cpp:
546         (JSC::constructNumber):
547         * runtime/NumberObject.h:
548         (JSC::NumberObject::create):
549         * runtime/NumberPrototype.h:
550         (JSC::NumberPrototype::create):
551         * runtime/ObjectConstructor.h:
552         (JSC::ObjectConstructor::create):
553         * runtime/ObjectPrototype.h:
554         (JSC::ObjectPrototype::create):
555         * runtime/Operations.h:
556         (JSC::jsString):
557         * runtime/RegExp.cpp:
558         (JSC::RegExp::RegExp):
559         (JSC::RegExp::createWithoutCaching):
560         (JSC::RegExp::create):
561         * runtime/RegExp.h:
562         * runtime/RegExpCache.cpp:
563         (JSC::RegExpCache::lookupOrCreate):
564         * runtime/RegExpConstructor.cpp:
565         (JSC::RegExpConstructor::arrayOfMatches):
566         (JSC::constructRegExp):
567         * runtime/RegExpConstructor.h:
568         (JSC::RegExpConstructor::create):
569         * runtime/RegExpMatchesArray.h:
570         (JSC::RegExpMatchesArray::create):
571         * runtime/RegExpObject.h:
572         (JSC::RegExpObject::create):
573         * runtime/RegExpPrototype.cpp:
574         (JSC::regExpProtoFuncCompile):
575         * runtime/RegExpPrototype.h:
576         (JSC::RegExpPrototype::create):
577         * runtime/ScopeChain.h:
578         (JSC::ScopeChainNode::create):
579         (JSC::ScopeChainNode::push):
580         * runtime/SmallStrings.cpp:
581         (JSC::SmallStrings::createEmptyString):
582         (JSC::SmallStrings::createSingleCharacterString):
583         * runtime/StringConstructor.cpp:
584         (JSC::constructWithStringConstructor):
585         * runtime/StringConstructor.h:
586         (JSC::StringConstructor::create):
587         * runtime/StringObject.h:
588         (JSC::StringObject::create):
589         * runtime/StringObjectThatMasqueradesAsUndefined.h:
590         (JSC::StringObjectThatMasqueradesAsUndefined::create):
591         * runtime/StringPrototype.cpp:
592         (JSC::stringProtoFuncMatch):
593         (JSC::stringProtoFuncSearch):
594         * runtime/StringPrototype.h:
595         (JSC::StringPrototype::create):
596         * runtime/Structure.h:
597         (JSC::Structure::create):
598         (JSC::Structure::createStructure):
599         * runtime/StructureChain.h:
600         (JSC::StructureChain::create):
601
602 2011-07-17  Ryuan Choi  <ryuan.choi@samsung.com>
603
604         [EFL] Refactor scheduleDispatchFunctionsOnMainThread to fix crash.
605         https://bugs.webkit.org/show_bug.cgi?id=64337
606
607         Replace ecore_timer_add to Ecore_Pipe.
608         This is needed because ecore_timer should not be called in a child thread,
609         but in the main thread.
610
611         Reviewed by Antonio Gomes.
612
613         * wtf/efl/MainThreadEfl.cpp:
614         (WTF::pipeObject):
615         (WTF::monitorDispatchFunctions):
616         (WTF::initializeMainThreadPlatform):
617         (WTF::scheduleDispatchFunctionsOnMainThread):
618
619 2011-07-17  Filip Pizlo  <fpizlo@apple.com>
620
621         DFG JIT operationCompareEqual does not inline JSValue::equalSlowCaseInline.
622         https://bugs.webkit.org/show_bug.cgi?id=64637
623
624         Reviewed by Gavin Barraclough.
625
626         * dfg/DFGOperations.cpp:
627
628 2011-07-16  Gavin Barraclough  <barraclough@apple.com>
629
630         https://bugs.webkit.org/show_bug.cgi?id=64657
631         Converted this value not preserved when accessed via direct eval.
632
633         Reviewed by Oliver Hunt.
634
635         Upon entry into a non-strict function, primitive this values should be boxed as Object types
636         (or substituted with the global object) - which is done by op_convert_this. However we only
637         do so where this is used lexically within the function (we omit the conversion op if not).
638         The problem comes if a direct eval (running within the function's scope) accesses the this
639         value.
640
641         We are safe in the case of a single eval, since the this object will be converted within
642         callEval, however the converted value is not preserved, and a new wrapper object is allocated
643         each time eval is invoked. This is inefficient and incorrect, since any changes to the wrapper
644         object will be lost between eval statements.
645
646         * bytecompiler/BytecodeGenerator.cpp:
647         (JSC::BytecodeGenerator::BytecodeGenerator):
648             - If a function uses eval, we always need to convert this.
649         * interpreter/Interpreter.cpp:
650         (JSC::Interpreter::execute):
651             - Don't convert primitive values here - this is too late!
652         (JSC::Interpreter::privateExecute):
653             - Changed op_convert_this to call new isPrimitive method.
654         * jit/JITStubs.cpp:
655         (JSC::DEFINE_STUB_FUNCTION):
656             - Changed op_convert_this to call new isPrimitive method.
657         * runtime/JSCell.h:
658         (JSC::JSCell::JSValue::isPrimitive):
659             - Added JSValue::isPrimitive.
660         * runtime/JSValue.h:
661             - Added JSValue::isPrimitive.
662
663 2011-07-16  Filip Pizlo  <fpizlo@apple.com>
664
665         DFG JIT compare/branch code emits is-integer tests even when a value is
666         definitely not an integer.
667         https://bugs.webkit.org/show_bug.cgi?id=64654
668
669         Reviewed by Gavin Barraclough.
670         
671         Added the isKnownNotInteger() method, which returns true if a node is
672         definitely not an integer and will always fail any is-integer test.  Then
673         modified the compare and branch code to use this method; if it returns
674         true then is-int tests are omitted and the compiler always emits a slow
675         call.
676
677         * dfg/DFGJITCodeGenerator.cpp:
678         (JSC::DFG::JITCodeGenerator::isKnownNotInteger):
679         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
680         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
681         (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
682         * dfg/DFGJITCodeGenerator.h:
683         * dfg/DFGSpeculativeJIT.cpp:
684         (JSC::DFG::SpeculativeJIT::compare):
685
686 2011-07-16  Filip Pizlo  <fpizlo@apple.com>
687
688         DFG speculative JIT has dead code for slow calls for branches.
689         https://bugs.webkit.org/show_bug.cgi?id=64653
690
691         Reviewed by Gavin Barraclough.
692         
693         Removed SpeculativeJIT::compilePeepHoleCall.
694
695         * dfg/DFGSpeculativeJIT.cpp:
696         * dfg/DFGSpeculativeJIT.h:
697
698 2011-07-15  Mark Rowe  <mrowe@apple.com>
699
700         Fix the build.
701
702         * dfg/DFGGraph.h:
703
704 2011-07-15  Gavin Barraclough  <barraclough@apple.com>
705
706         NativeError.prototype objects have [[Class]] of "Object" but should be "Error"
707         https://bugs.webkit.org/show_bug.cgi?id=55346
708
709         Reviewed by Sam Weinig.
710
711         * runtime/ErrorPrototype.cpp:
712         (JSC::ErrorPrototype::ErrorPrototype):
713             - Switch to putDirect since we're not the only ones tranitioning this Structure now.
714         * runtime/NativeErrorPrototype.cpp:
715         (JSC::NativeErrorPrototype::NativeErrorPrototype):
716         * runtime/NativeErrorPrototype.h:
717             - Switch base class to ErrorPrototype.
718
719 2011-07-15  Gavin Barraclough  <barraclough@apple.com>
720
721         DFG JIT - Where arguments passed are integers, speculate this.
722         https://bugs.webkit.org/show_bug.cgi?id=64630
723
724         Reviewed by Sam Weinig.
725
726         Presently the DFG JIT is overly aggressively predicting double.
727         Use a bit of dynamic information, and curtail this a little.
728
729         * dfg/DFGGraph.cpp:
730         (JSC::DFG::Graph::predictArgumentTypes):
731             - Check for integer arguments.
732         * dfg/DFGGraph.h:
733             - Function declaration.
734         * runtime/Executable.cpp:
735         (JSC::tryDFGCompile):
736         (JSC::FunctionExecutable::compileForCallInternal):
737             - Add call to predictArgumentTypes.
738
739 2011-07-15  Filip Pizlo  <fpizlo@apple.com>
740
741         DFG JIT is inconsistent about fusing branches and speculating
742         integer comparisons for branches.
743         https://bugs.webkit.org/show_bug.cgi?id=64573
744
745         Reviewed by Gavin Barraclough.
746         
747         This patch moves some of NonSpeculativeJIT's functionality up into the
748         JITCodeGenerator superclass so that it can be used from both JITs.  Now,
749         in cases where the speculative JIT doesn't want to speculate but still
750         wants to emit good code, it can reliably emit the same code sequence as
751         the non-speculative JIT.  This patch also extends the non-speculative
752         JIT's compare optimizations to include compare/branch fusing, and
753         extends the speculative JIT's compare optimizations to cover StrictEqual.
754
755         * dfg/DFGJITCodeGenerator.cpp:
756         (JSC::DFG::JITCodeGenerator::isKnownInteger):
757         (JSC::DFG::JITCodeGenerator::isKnownNumeric):
758         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
759         (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
760         * dfg/DFGJITCodeGenerator.h:
761         (JSC::DFG::JITCodeGenerator::detectPeepHoleBranch):
762         * dfg/DFGNonSpeculativeJIT.cpp:
763         (JSC::DFG::NonSpeculativeJIT::compile):
764         * dfg/DFGNonSpeculativeJIT.h:
765         * dfg/DFGOperations.cpp:
766         * dfg/DFGSpeculativeJIT.cpp:
767         (JSC::DFG::SpeculativeJIT::compare):
768         (JSC::DFG::SpeculativeJIT::compile):
769         * dfg/DFGSpeculativeJIT.h:
770         * wtf/Platform.h:
771
772 2011-07-14  Gavin Barraclough  <barraclough@apple.com>
773
774         https://bugs.webkit.org/show_bug.cgi?id=64250
775         Global strict mode function leaking global object as "this".
776
777         Reviewed by Oliver Hunt.
778
779         The root problem here is that we pass the wrong values into
780         calls, and then try to fix them up in the callee. Correct
781         behaviour per the spec is to pass in the value undefined,
782         as this unless either (1) the function call is based on an
783         explicit property access or (2) the base of the call comes
784         directly from a 'with'.
785
786         This change does away with the need for this conversion of
787         objects (non strict code should only box primitives), and
788         does away with all this conversion for strict functions.
789
790         This patch may have web compatibility ramifications, and may
791         require some advocacy.
792
793         * bytecode/CodeBlock.cpp:
794         (JSC::CodeBlock::dump):
795             - Removed op_convert_this_strict, added op_resolve_with_this.
796         * bytecode/Opcode.h:
797             - Removed op_convert_this_strict, added op_resolve_with_this.
798         * bytecompiler/BytecodeGenerator.cpp:
799         (JSC::BytecodeGenerator::BytecodeGenerator):
800         (JSC::BytecodeGenerator::emitResolveWithThis):
801             - Removed op_convert_this_strict, added op_resolve_with_this.
802         * bytecompiler/BytecodeGenerator.h:
803             - Removed op_convert_this_strict, added op_resolve_with_this.
804         * bytecompiler/NodesCodegen.cpp:
805         (JSC::EvalFunctionCallNode::emitBytecode):
806         (JSC::FunctionCallResolveNode::emitBytecode):
807             - Removed op_convert_this_strict, added op_resolve_with_this.
808         * dfg/DFGSpeculativeJIT.cpp:
809         (JSC::DFG::SpeculativeJIT::compile):
810             - Change NeedsThisConversion check to test for JSString's vptr
811               (objects no longer need conversion).
812         * interpreter/Interpreter.cpp:
813         (JSC::Interpreter::resolveThisAndProperty):
814             - Based on resolveBaseAndProperty, but produce correct this value.
815         (JSC::Interpreter::privateExecute):
816             - Removed op_convert_this_strict, added op_resolve_with_this.
817         * interpreter/Interpreter.h:
818         * jit/JIT.cpp:
819         (JSC::JIT::privateCompileMainPass):
820         (JSC::JIT::privateCompileSlowCases):
821             - Removed op_convert_this_strict, added op_resolve_with_this.
822         * jit/JIT.h:
823         * jit/JITOpcodes.cpp:
824         (JSC::JIT::emit_op_resolve_with_this):
825             - Removed op_convert_this_strict, added op_resolve_with_this.
826         (JSC::JIT::emit_op_convert_this):
827         (JSC::JIT::emitSlow_op_convert_this):
828             - Change NeedsThisConversion check to test for JSString's vptr
829               (objects no longer need conversion).
830         * jit/JITOpcodes32_64.cpp:
831         (JSC::JIT::emit_op_resolve_with_this):
832             - Removed op_convert_this_strict, added op_resolve_with_this.
833         (JSC::JIT::emit_op_convert_this):
834         (JSC::JIT::emitSlow_op_convert_this):
835             - Change NeedsThisConversion check to test for JSString's vptr
836               (objects no longer need conversion).
837         * jit/JITStubs.cpp:
838         (JSC::DEFINE_STUB_FUNCTION):
839             - Removed op_convert_this_strict, added op_resolve_with_this.
840         * jit/JITStubs.h:
841             - Removed op_convert_this_strict, added op_resolve_with_this.
842         * runtime/JSActivation.h:
843             - removed NeedsThisConversion flag, added IsEnvironmentRecord.
844         * runtime/JSStaticScopeObject.h:
845             - removed NeedsThisConversion flag, added IsEnvironmentRecord.
846         * runtime/JSString.h:
847         (JSC::RopeBuilder::createStructure):
848             - removed NeedsThisConversion.
849         * runtime/JSTypeInfo.h:
850         (JSC::TypeInfo::isEnvironmentRecord):
851         (JSC::TypeInfo::overridesHasInstance):
852             - removed NeedsThisConversion flag, added IsEnvironmentRecord.
853         * runtime/JSValue.h:
854             - removed NeedsThisConversion.
855         * runtime/JSVariableObject.h:
856             - Corrected StructureFlags inheritance.
857         * runtime/StrictEvalActivation.h:
858         (JSC::StrictEvalActivation::createStructure):
859             - Added IsEnvironmentRecord to StructureFlags, addded createStructure.
860         * runtime/Structure.h:
861             - removed NeedsThisConversion.
862         * tests/mozilla/ecma/String/15.5.4.6-2.js:
863         (getTestCases):
864             - Removed invalid test case.
865
866 2011-07-15  Sheriff Bot  <webkit.review.bot@gmail.com>
867
868         Unreviewed, rolling out r91082, r91087, and r91089.
869         http://trac.webkit.org/changeset/91082
870         http://trac.webkit.org/changeset/91087
871         http://trac.webkit.org/changeset/91089
872         https://bugs.webkit.org/show_bug.cgi?id=64616
873
874         gtk tests are failing a lot after this change. (Requested by
875         dave_levin on #webkit).
876
877         * wtf/ThreadIdentifierDataPthreads.cpp:
878         (WTF::ThreadIdentifierData::identifier):
879         (WTF::ThreadIdentifierData::initialize):
880         (WTF::ThreadIdentifierData::initializeKeyOnceHelper):
881         (WTF::ThreadIdentifierData::initializeKeyOnce):
882         * wtf/ThreadIdentifierDataPthreads.h:
883         * wtf/ThreadingPthreads.cpp:
884         (WTF::initializeThreading):
885
886 2011-07-15  David Levin  <levin@chromium.org>
887
888         Another attempted build fix.
889
890         * wtf/ThreadIdentifierDataPthreads.cpp: Add include to pick
891         up the definition of PTHREAD_KEYS_MAX.
892
893 2011-07-15  David Levin  <levin@chromium.org>
894
895         Chromium build fix.
896
897         * wtf/ThreadIdentifierDataPthreads.cpp: Add include to pick
898         up the definition of PTHREAD_KEYS_MAX.
899
900 2011-07-14  David Levin  <levin@chromium.org>
901
902         currentThread is too slow!
903         https://bugs.webkit.org/show_bug.cgi?id=64577
904
905         Reviewed by Darin Adler and Dmitry Titov.
906
907         The problem is that currentThread results in a pthread_once call which always takes a lock.
908         With this change, currentThread is 10% faster than isMainThread in release mode and only
909         5% slower than isMainThread in debug.
910
911         * wtf/ThreadIdentifierDataPthreads.cpp:
912         (WTF::ThreadIdentifierData::initializeOnce): Remove the pthread once stuff
913         which is no longer needed because this is called from initializeThreading().
914         (WTF::ThreadIdentifierData::identifier): Remove the initializeKeyOnce call because
915         intialization of the pthread key should already be done.
916         (WTF::ThreadIdentifierData::initialize): Ditto.
917         * wtf/ThreadIdentifierDataPthreads.h:
918         * wtf/ThreadingPthreads.cpp:
919         (WTF::initializeThreading): Acquire the pthread key here.
920
921 2011-07-14  Filip Pizlo  <fpizlo@apple.com>
922
923         DFG JIT does not optimize Branch as well as it could.
924         https://bugs.webkit.org/show_bug.cgi?id=64574
925
926         Reviewed by Gavin Barraclough.
927         
928         This creates a common code path for emitting unfused branches, which does
929         no speculation, and only performs a slow call if absolutely necessary.
930
931         * dfg/DFGJITCodeGenerator.cpp:
932         (JSC::DFG::JITCodeGenerator::emitBranch):
933         * dfg/DFGJITCodeGenerator.h:
934         * dfg/DFGNonSpeculativeJIT.cpp:
935         (JSC::DFG::NonSpeculativeJIT::compile):
936         * dfg/DFGSpeculativeJIT.cpp:
937         (JSC::DFG::SpeculativeJIT::compile):
938
939 2011-07-14  Filip Pizlo  <fpizlo@apple.com>
940
941         GC allocation fast path has too many operations.
942         https://bugs.webkit.org/show_bug.cgi?id=64493
943
944         Reviewed by Darin Adler.
945         
946         Changed the timing of the lazy sweep so that it occurs when we land on
947         a previously-unsweeped block, rather than whenever we land on an unsweeped
948         cell.  After the per-block lazy sweep occurs, the block is turned into a
949         singly linked list of free cells.  The allocation fast path is now just a
950         load-branch-store to remove a cell from the head of the list.
951         
952         Additionally, this changes the way new blocks are allocated.  Previously,
953         they would be populated with dummy cells.  With this patch, they are
954         turned into a free list, which means that there will never be destructor
955         calls for allocations in fresh blocks.
956         
957         These changes result in a 1.9% speed-up on V8, and a 0.6% speed-up on
958         SunSpider.  There are no observed statistically significant slow-downs
959         on any individual benchmark.
960
961         * JavaScriptCore.exp:
962         * heap/Heap.cpp:
963         (JSC::Heap::allocateSlowCase):
964         (JSC::Heap::collect):
965         (JSC::Heap::canonicalizeBlocks):
966         (JSC::Heap::resetAllocator):
967         * heap/Heap.h:
968         (JSC::Heap::forEachProtectedCell):
969         (JSC::Heap::forEachCell):
970         (JSC::Heap::forEachBlock):
971         (JSC::Heap::allocate):
972         * heap/MarkedBlock.cpp:
973         (JSC::MarkedBlock::MarkedBlock):
974         (JSC::MarkedBlock::lazySweep):
975         (JSC::MarkedBlock::blessNewBlockForFastPath):
976         (JSC::MarkedBlock::blessNewBlockForSlowPath):
977         (JSC::MarkedBlock::canonicalizeBlock):
978         * heap/MarkedBlock.h:
979         * heap/NewSpace.cpp:
980         (JSC::NewSpace::addBlock):
981         (JSC::NewSpace::canonicalizeBlocks):
982         * heap/NewSpace.h:
983         (JSC::NewSpace::allocate):
984         (JSC::NewSpace::SizeClass::SizeClass):
985         (JSC::NewSpace::SizeClass::canonicalizeBlock):
986         * heap/OldSpace.cpp:
987         (JSC::OldSpace::addBlock):
988
989 2011-07-14  Filip Pizlo  <fpizlo@apple.com>
990
991         DFG JIT crashes on host constructor calls in debug mode.
992         https://bugs.webkit.org/show_bug.cgi?id=64562
993         
994         Reviewed by Gavin Barraclough.
995         
996         Fixed the relevant ASSERT.
997
998         * dfg/DFGOperations.cpp:
999
1000 2011-07-14  Filip Pizlo  <fpizlo@apple.com>
1001
1002         DFG speculative JIT contains a FIXME for rewinding speculative code generation that
1003         has already been fixed.
1004         https://bugs.webkit.org/show_bug.cgi?id=64022
1005
1006         Reviewed by Gavin Barraclough.
1007
1008         * dfg/DFGSpeculativeJIT.h:
1009         (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
1010
1011 2011-07-14  Ryuan Choi  <ryuan.choi@samsung.com>
1012
1013         [EFL] Add OwnPtr specialization for Ecore_Pipe.
1014         https://bugs.webkit.org/show_bug.cgi?id=64515
1015
1016         Add an overload for deleteOwnedPtr(Ecore_Pipe*) on EFL port.
1017
1018         Reviewed by Xan Lopez.
1019
1020         * wtf/OwnPtrCommon.h:
1021         * wtf/efl/OwnPtrEfl.cpp:
1022         (WTF::deleteOwnedPtr):
1023
1024 2011-07-14  Filip Pizlo  <fpizlo@apple.com>
1025
1026         DFG JIT unnecessarily boxes and unboxes values during silent spilling.
1027         https://bugs.webkit.org/show_bug.cgi?id=64068
1028
1029         Reviewed by Gavin Barraclough.
1030         
1031         Silent spilling and filling of registers is done during slow-path C
1032         function calls.  The silent spill/fill logic does not affect register
1033         allocation on paths that don't involve the C function call.
1034         
1035         This changes the silent spilling code to spill in unboxed form.  The
1036         silent fill will refill in whatever form the register was spilled in.
1037         For example, the silent spill code may choose not to spill the register
1038         because it was already spilled previously, which would imply that it
1039         was spilled in boxed form.  The filling code detects this and either
1040         unboxes, or not, depending on what is appropriate.
1041         
1042         This change also results in a simplification of the silent spill/fill
1043         API: silent spilling no longer needs to know about the set of registers
1044         that cannot be trampled, since it never does boxing and hence does not
1045         need a temporary register.
1046
1047         * dfg/DFGJITCodeGenerator.cpp:
1048         (JSC::DFG::JITCodeGenerator::cachedGetById):
1049         (JSC::DFG::JITCodeGenerator::cachedPutById):
1050         * dfg/DFGJITCodeGenerator.h:
1051         (JSC::DFG::JITCodeGenerator::silentSpillGPR):
1052         (JSC::DFG::JITCodeGenerator::silentSpillFPR):
1053         (JSC::DFG::JITCodeGenerator::silentFillFPR):
1054         (JSC::DFG::JITCodeGenerator::silentSpillAllRegisters):
1055         * dfg/DFGNonSpeculativeJIT.cpp:
1056         (JSC::DFG::NonSpeculativeJIT::valueToNumber):
1057         (JSC::DFG::NonSpeculativeJIT::valueToInt32):
1058         (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
1059         (JSC::DFG::NonSpeculativeJIT::basicArithOp):
1060         (JSC::DFG::NonSpeculativeJIT::compare):
1061         (JSC::DFG::NonSpeculativeJIT::compile):
1062         * dfg/DFGSpeculativeJIT.cpp:
1063         (JSC::DFG::SpeculativeJIT::compile):
1064
1065 2011-07-13  Michael Saboff  <msaboff@apple.com>
1066
1067         https://bugs.webkit.org/show_bug.cgi?id=64202
1068         Enh: Improve handling of RegExp in the form of /.*blah.*/
1069
1070         Reviewed by Gavin Barraclough.
1071
1072         Added code to both the Yarr interpreter and JIT to handle
1073         these expressions a little differently.  First off, the terms
1074         in between the leading and trailing .*'s cannot capture and
1075         also this enhancement is limited to single alternative expressions.
1076         If an expression is of the right form with the aforementioned
1077         restrictions, we process the inner terms and then look for the
1078         beginning of the string and end of the string.  There is handling 
1079         for multiline expressions to allow the beginning and end to be 
1080         right after and right before newlines.
1081
1082         This enhancement speeds up expressions of this type 12x on
1083         a MacBookPro.
1084
1085         Cleaned up 'case' statement indentation.
1086
1087         A new set of tests was added as LayoutTests/fast/regex/dotstar.html
1088
1089         * yarr/YarrInterpreter.cpp:
1090         (JSC::Yarr::Interpreter::InputStream::end):
1091         (JSC::Yarr::Interpreter::matchDotStarEnclosure):
1092         (JSC::Yarr::Interpreter::matchDisjunction):
1093         (JSC::Yarr::ByteCompiler::assertionDotStarEnclosure):
1094         (JSC::Yarr::ByteCompiler::emitDisjunction):
1095         * yarr/YarrInterpreter.h:
1096         (JSC::Yarr::ByteTerm::DotStarEnclosure):
1097         * yarr/YarrJIT.cpp:
1098         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
1099         (JSC::Yarr::YarrGenerator::backtrackDotStarEnclosure):
1100         (JSC::Yarr::YarrGenerator::generateTerm):
1101         (JSC::Yarr::YarrGenerator::backtrackTerm):
1102         * yarr/YarrPattern.cpp:
1103         (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets):
1104         (JSC::Yarr::YarrPatternConstructor::containsCapturingTerms):
1105         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
1106         (JSC::Yarr::YarrPattern::compile):
1107         * yarr/YarrPattern.h:
1108         (JSC::Yarr::PatternTerm::PatternTerm):
1109
1110 2011-07-13  Xan Lopez  <xlopez@igalia.com>
1111
1112         [GTK] Fix distcheck
1113
1114         Reviewed by Martin Robinson.
1115
1116         * GNUmakefile.list.am: add missing files.
1117
1118 2011-07-13  Filip Pizlo  <fpizlo@apple.com>
1119
1120         DFG JIT does not implement prototype chain or list caching for get_by_id.
1121         https://bugs.webkit.org/show_bug.cgi?id=64147
1122
1123         Reviewed by Gavin Barraclough.
1124         
1125         This implements unified support for prototype caching, prototype chain
1126         caching, and polymorphic (i.e. list) prototype and prototype chain
1127         caching.  This is done by creating common code for emitting prototype
1128         or chain access stubs, and having it factored out into
1129         generateProtoChainAccessStub().  This function is called by
1130         tryCacheGetByID once the latter determines that some form of prototype
1131         access caching is necessary (i.e. the slot being accessed is not on the
1132         base value but on some other object).
1133         
1134         Direct prototype list, and prototype chain list, caching is implemented by
1135         linking the slow path to operationGetByIdProtoBuildList(), which uses the
1136         same helper function (generateProtoChainAccessStub()) as tryCacheGetByID.
1137         
1138         This change required ensuring that the value in the scratchGPR field in
1139         StructureStubInfo is preserved even after the stub info is in the
1140         chain, or proto_list, states.  Hence scratchGPR was moved out of the union
1141         and into the top-level of StructureStubInfo.
1142         
1143         * bytecode/StructureStubInfo.h:
1144         * dfg/DFGJITCompiler.cpp:
1145         (JSC::DFG::JITCompiler::compileFunction):
1146         * dfg/DFGOperations.cpp:
1147         * dfg/DFGOperations.h:
1148         * dfg/DFGRepatch.cpp:
1149         (JSC::DFG::emitRestoreScratch):
1150         (JSC::DFG::linkRestoreScratch):
1151         (JSC::DFG::generateProtoChainAccessStub):
1152         (JSC::DFG::tryCacheGetByID):
1153         (JSC::DFG::tryBuildGetByIDProtoList):
1154         (JSC::DFG::dfgBuildGetByIDProtoList):
1155         (JSC::DFG::tryCachePutByID):
1156         * dfg/DFGRepatch.h:
1157
1158 2011-07-12  Brent Fulgham  <bfulgham@webkit.org>
1159
1160         Standardize WinCairo conditionalized code under PLATFORM macro.
1161         https://bugs.webkit.org/show_bug.cgi?id=64377
1162
1163         Reviewed by Maciej Stachowiak.
1164
1165         * wtf/Platform.h: Update to use PLATFORM(WIN_CAIRO) for tests.
1166
1167 2011-07-13  David Levin  <levin@chromium.org>
1168
1169         Possible race condition in ThreadIdentifierData::initializeKeyOnce and shouldCallRealDebugger.
1170         https://bugs.webkit.org/show_bug.cgi?id=64465
1171
1172         Reviewed by Dmitry Titov.
1173
1174         There isn't a good way to test this as it is very highly unlikely to occur.
1175
1176         * wtf/ThreadIdentifierDataPthreads.cpp:
1177         (WTF::ThreadIdentifierData::initializeKeyOnce): Since scoped static initialization
1178         isn't thread-safe, change the initialization to be global.
1179
1180 2011-07-12  Gavin Barraclough  <barraclough@apple.com>
1181
1182         https://bugs.webkit.org/show_bug.cgi?id=64424
1183         Our direct eval behaviour deviates slightly from the spec.
1184
1185         Reviewed by Oliver Hunt.
1186
1187         The ES5 spec defines a concept of 'Direct Call to Eval' (see section 15.1.2.1.1), where
1188         behaviour will differ from that of an indirect call (e.g. " { eval: window.eval }.eval();"
1189         or "var a = eval; a();" are indirect calls), particularly in non-strict scopes variables
1190         may be introduced into the caller's environment.
1191
1192         ES5 direct calls are any call where the callee function is provided by a reference, a base
1193         of that Reference is an EnvironmentRecord (this corresponds to all productions
1194         "PrimaryExpression: Identifier", see 10.2.2.1 GetIdentifierReference), and where the name
1195         of the reference is "eval". This means any expression of the form "eval(...)", and that
1196         calls the standard built in eval method from on the Global Object, is considered to be
1197         direct.
1198
1199         In JavaScriptCore we are currently overly restrictive. We also check that the
1200         EnvironmentRecord that is the base of the reference is the Declaractive Environment Record
1201         at the root of the scope chain, corresponding to the Global Object - an "eval(..)" statement
1202         that hits a var eval in a nested scope is not considered to be direct. This behaviour does
1203         not emanate from the spec, and is incorrect.
1204
1205         * interpreter/Interpreter.cpp:
1206         (JSC::Interpreter::privateExecute):
1207             - Fixed direct eval check in op_call_eval.
1208         * jit/JITStubs.cpp:
1209         (JSC::DEFINE_STUB_FUNCTION):
1210             - Fixed direct eval check in op_call_eval.
1211         * runtime/Executable.h:
1212         (JSC::isHostFunction):
1213             - Added check for host function with specific NativeFunction.
1214
1215 2011-07-13  Ademar de Souza Reis Jr.  <ademar.reis@openbossa.org>
1216
1217         Reviewed by Andreas Kling.
1218
1219         Broken build on QNX
1220         https://bugs.webkit.org/show_bug.cgi?id=63717
1221
1222         QNX doesn't support pthread's SA_RESTART (required by
1223         JSC_MULTIPLE_THREADS), JIT is broken at runtime and there a
1224         few minor compilation errors here and there.
1225
1226         Original patch by Ritt Konstantin <ritt.ks@gmail.com>, also
1227         tested by him on QNX v6.5 (x86)
1228
1229         * wtf/DateMath.cpp: fix usage of abs/labs
1230         * wtf/Platform.h: Disable JIT and JSC_MULTIPLE_THREADS
1231         * wtf/StackBounds.cpp: Add a couple of missing includes (and sort them)
1232
1233 2011-07-12  Anders Carlsson  <andersca@apple.com>
1234
1235         If a compiler has nullptr support, include <cstddef> to get the nullptr_t definition
1236         https://bugs.webkit.org/show_bug.cgi?id=64429
1237
1238         Include the cstddef which has the nullptr_t typedef according to the C++0x standard.
1239
1240         * wtf/NullPtr.h:
1241
1242 2011-07-13  MORITA Hajime  <morrita@google.com>
1243
1244         Refactoring: Ignored ExceptionCode value should be less annoying.
1245         https://bugs.webkit.org/show_bug.cgi?id=63688
1246
1247         Added ASSERT_AT macro.
1248
1249         Reviewed by Darin Adler.
1250
1251         * wtf/Assertions.h:
1252
1253 2011-07-12  Filip Pizlo  <fpizlo@apple.com>
1254
1255         DFG JIT does not implement op_construct.
1256         https://bugs.webkit.org/show_bug.cgi?id=64066
1257
1258         Reviewed by Gavin Barraclough.
1259         
1260         This is a fixed implementation of op_construct.  Constructor calls are implemented
1261         by reusing almost all of the code for Call, with care taken to make sure that
1262         where the are differences (like selecting different code blocks), those differences
1263         are respected.  The two fixes over the last patch are: (1) make sure the
1264         CodeBlock::unlinkCalls respects differences between Call and Construct, and (2)
1265         make sure that virtualFor() in DFGOperations respects the CodeSpecializationKind
1266         (either CodeForCall or CodeForConstruct) when invoking the compiler.
1267
1268         * dfg/DFGAliasTracker.h:
1269         (JSC::DFG::AliasTracker::recordConstruct):
1270         * dfg/DFGByteCodeParser.cpp:
1271         (JSC::DFG::ByteCodeParser::addCall):
1272         (JSC::DFG::ByteCodeParser::parseBlock):
1273         * dfg/DFGJITCodeGenerator.cpp:
1274         (JSC::DFG::JITCodeGenerator::emitCall):
1275         * dfg/DFGNode.h:
1276         * dfg/DFGNonSpeculativeJIT.cpp:
1277         (JSC::DFG::NonSpeculativeJIT::compile):
1278         * dfg/DFGOperations.cpp:
1279         * dfg/DFGOperations.h:
1280         * dfg/DFGRepatch.cpp:
1281         (JSC::DFG::dfgLinkFor):
1282         * dfg/DFGRepatch.h:
1283         * dfg/DFGSpeculativeJIT.cpp:
1284         (JSC::DFG::SpeculativeJIT::compile):
1285         * runtime/CodeBlock.cpp:
1286         (JSC::CodeBlock::unlinkCalls):
1287
1288 2011-07-12  Oliver Hunt  <oliver@apple.com>
1289
1290         Overzealous type validation in method_check
1291         https://bugs.webkit.org/show_bug.cgi?id=64415
1292
1293         Reviewed by Gavin Barraclough.
1294
1295         method_check is essentially just a value look up
1296         optimisation, but it internally stores the value
1297         as a JSFunction, even though it never relies on
1298         this fact.  Under GC validation however we end up
1299         trying to enforce that assumption.  The fix is
1300         simply to store the value as a correct supertype.
1301
1302         * bytecode/CodeBlock.h:
1303         * dfg/DFGRepatch.cpp:
1304         (JSC::DFG::dfgRepatchGetMethodFast):
1305         (JSC::DFG::tryCacheGetMethod):
1306         * jit/JIT.h:
1307         * jit/JITPropertyAccess.cpp:
1308         (JSC::JIT::patchMethodCallProto):
1309         * jit/JITStubs.cpp:
1310         (JSC::DEFINE_STUB_FUNCTION):
1311
1312 2011-07-12  Filip Pizlo  <fpizlo@apple.com>
1313
1314         COLLECT_ON_EVERY_ALLOCATION no longer works.
1315         https://bugs.webkit.org/show_bug.cgi?id=64388
1316
1317         Reviewed by Oliver Hunt.
1318         
1319         Added a flag to Heap that determines if it's safe to collect (which for now means that
1320         JSGlobalObject has actually been initialized, but it should work for other things, too).
1321         This allows JSGlobalObject to allocate even if the allocator wants to GC; instead of
1322         GCing it just grows the heap, if necessary.
1323         
1324         Then changed Heap::allocate() to not recurse ad infinitum when
1325         COLLECT_ON_EVERY_ALLOCATION is set.  This also makes the allocator generally more
1326         resilient against bugs; this change allowed me to put in handy assertions, such as that
1327         an allocation must succeed after either a collection or after a new block was added.
1328
1329         * heap/Heap.cpp:
1330         (JSC::Heap::Heap):
1331         (JSC::Heap::tryAllocate):
1332         (JSC::Heap::allocate):
1333         (JSC::Heap::collectAllGarbage):
1334         (JSC::Heap::collect):
1335         * heap/Heap.h:
1336         (JSC::Heap::notifyIsSafeToCollect):
1337         * runtime/JSGlobalData.cpp:
1338         (JSC::JSGlobalData::JSGlobalData):
1339
1340 2011-07-12  Filip Pizlo  <fpizlo@apple.com>
1341
1342         DFG JIT put_by_id transition caching does not inform the GC about the structure and
1343         prototype chain that it is referencing.
1344         https://bugs.webkit.org/show_bug.cgi?id=64387
1345
1346         Reviewed by Gavin Barraclough.
1347         
1348         Fixed the relevant code in DFGRepatch to call StructureStubInfo::initPutByIdTransition().
1349
1350         * dfg/DFGRepatch.cpp:
1351         (JSC::DFG::tryCachePutByID):
1352
1353 2011-07-12  Adam Roben  <aroben@apple.com>
1354
1355         Ensure no intermediate WTF::Strings are created when concatenating with string literals
1356
1357         Fixes <http://webkit.org/b/63330> Concatenating string literals and WTF::Strings using
1358         operator+ is suboptimal
1359
1360         Reviewed by Darin Adler.
1361
1362         * wtf/text/StringConcatenate.h:
1363         (WTF::StringTypeAdapter<String>::writeTo): Added a macro that can be used for testing how
1364         many WTF::Strings get copied while evaluating an operator+ expression.
1365
1366         * wtf/text/StringOperators.h:
1367         (WTF::operator+): Changed the overload that takes a StringAppend to take it on the left-hand
1368         side, since operator+ is left-associative. Having the StringAppend on the right-hand side
1369         was causing us to make intermediate WTF::Strings when evaluating expressions that contained
1370         multiple calls to operator+. Added some more overloads for that take a left-hand side of
1371         const char* to resolve overload ambiguity for certain expressions. Added overloads that take
1372         a left-hand side of const UChar* (matching the const char* overloads) so that wide string
1373         literals don't first have to be converted to a WTF::String in operator+ expressions.
1374
1375 2011-07-12  Adam Roben  <aroben@apple.com>
1376
1377         Unreviewed, rolling out r90811.
1378         http://trac.webkit.org/changeset/90811
1379         https://bugs.webkit.org/show_bug.cgi?id=61025
1380
1381         Several svg tests failing assertions beneath
1382         SVGSMILElement::findInstanceTime
1383
1384         * wtf/StdLibExtras.h:
1385         (WTF::binarySearch):
1386
1387 2011-07-12  Oliver Varga  <Varga.Oliver@stud.u-szeged.hu>
1388
1389         Reviewed by Nikolas Zimmermann.
1390
1391         Speed up SVGSMILElement::findInstanceTime.
1392         https://bugs.webkit.org/show_bug.cgi?id=61025
1393
1394         Add a new parameter to StdlibExtras.h::binarySerarch function
1395         to also handle cases when the array does not contain the key value.
1396         This is needed for an svg function.
1397
1398         * wtf/StdLibExtras.h:
1399         (WTF::binarySearch):
1400
1401 2011-07-11  Filip Pizlo  <fpizlo@apple.com>
1402
1403         DFG speculative JIT does not guard itself against floating point speculation
1404         failures on non-floating-point constants.
1405         https://bugs.webkit.org/show_bug.cgi?id=64330
1406
1407         Reviewed by Gavin Barraclough.
1408         
1409         Made fillSpeculateDouble immediate invoke terminateSpeculativeExecution() as
1410         soon as it notices that it's speculating on something that is a non-numeric
1411         JSConstant.
1412
1413         * dfg/DFGSpeculativeJIT.cpp:
1414         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1415
1416 2011-07-11  Filip Pizlo  <fpizlo@apple.com>
1417
1418         DFG Speculative JIT does not always insert speculation checks when speculating
1419         arrays.
1420         https://bugs.webkit.org/show_bug.cgi?id=64254
1421
1422         Reviewed by Gavin Barraclough.
1423         
1424         Changed the SetLocal instruction to always validate that the value being stored
1425         into the local variable is an array, if that variable was marked PredictArray.
1426         This is necessary since uses of arrays assume that if a PredictArray value is
1427         in a local variable then the speculation check validating that the value is an
1428         array was already performed.
1429
1430         * dfg/DFGSpeculativeJIT.cpp:
1431         (JSC::DFG::SpeculativeJIT::compile):
1432
1433 2011-07-11  Gabor Loki  <loki@webkit.org>
1434
1435         Fix the condition of the optimized code in doubleTransfer
1436         https://bugs.webkit.org/show_bug.cgi?id=64261
1437
1438         Reviewed by Zoltan Herczeg.
1439
1440         The condition of the optimized code in doubleTransfer is wrong. The
1441         data transfer should be executed with four bytes aligned address.
1442         VFP cannot perform unaligned memory access.
1443
1444         Reported by Jacob Bramley.
1445
1446         * assembler/ARMAssembler.cpp:
1447         (JSC::ARMAssembler::doubleTransfer):
1448
1449 2011-07-11  Gabor Loki  <loki@webkit.org>
1450
1451         Signed arithmetic bug in dataTransfer32.
1452         https://bugs.webkit.org/show_bug.cgi?id=64257
1453
1454         Reviewed by Zoltan Herczeg.
1455
1456         An arithmetic bug is fixed. If the offset of dataTransfer is half of the
1457         addressable memory space on a 32-bit machine (-2147483648 = 0x80000000)
1458         a load instruction is emitted with a wrong zero offset.
1459
1460         Inspired by Jacob Bramley's patch from JaegerMonkey.
1461
1462         * assembler/ARMAssembler.cpp:
1463         (JSC::ARMAssembler::dataTransfer32):
1464
1465 2011-07-09  Thouraya Andolsi  <thouraya.andolsi@st.com>
1466
1467         Fix unaligned userspace access for SH4 platforms. 
1468         https://bugs.webkit.org/show_bug.cgi?id=62993
1469
1470         * wtf/Platform.h:
1471
1472 2011-07-09  Chao-ying Fu  <fu@mips.com>
1473
1474         Fix MIPS build due to readInt32 and readPointer
1475         https://bugs.webkit.org/show_bug.cgi?id=63962
1476
1477         * assembler/MIPSAssembler.h:
1478         (JSC::MIPSAssembler::readInt32):
1479         (JSC::MIPSAssembler::readPointer):
1480         * assembler/MacroAssemblerMIPS.h:
1481         (JSC::MacroAssemblerMIPS::rshift32):
1482
1483 2011-07-08  Gavin Barraclough  <barraclough@apple.com>
1484
1485         https://bugs.webkit.org/show_bug.cgi?id=64181
1486         REGRESSION (r90602): Gmail doesn't load
1487
1488         Rolling out r90601, r90602.
1489
1490         * dfg/DFGAliasTracker.h:
1491         * dfg/DFGByteCodeParser.cpp:
1492         (JSC::DFG::ByteCodeParser::addVarArgChild):
1493         (JSC::DFG::ByteCodeParser::parseBlock):
1494         * dfg/DFGJITCodeGenerator.cpp:
1495         (JSC::DFG::JITCodeGenerator::emitCall):
1496         * dfg/DFGNode.h:
1497         * dfg/DFGNonSpeculativeJIT.cpp:
1498         (JSC::DFG::NonSpeculativeJIT::compile):
1499         * dfg/DFGOperations.cpp:
1500         * dfg/DFGOperations.h:
1501         * dfg/DFGRepatch.cpp:
1502         (JSC::DFG::tryCacheGetByID):
1503         (JSC::DFG::dfgLinkCall):
1504         * dfg/DFGRepatch.h:
1505         * dfg/DFGSpeculativeJIT.cpp:
1506         (JSC::DFG::SpeculativeJIT::compile):
1507         * runtime/JSObject.h:
1508         (JSC::JSObject::isUsingInlineStorage):
1509
1510 2011-07-08  Kalev Lember  <kalev@smartlink.ee>
1511
1512         Reviewed by Adam Roben.
1513
1514         Add missing _WIN32_WINNT and WINVER definitions
1515         https://bugs.webkit.org/show_bug.cgi?id=59702
1516
1517         Moved _WIN32_WINNT and WINVER definitions to config.h so that they are
1518         available for all source files.
1519
1520         In particular, wtf/FastMalloc.cpp uses CreateTimerQueueTimer and
1521         DeleteTimerQueueTimer which are both guarded by
1522         #if (_WIN32_WINNT >= 0x0500)
1523         in MinGW headers.
1524
1525         * config.h:
1526         * wtf/Assertions.cpp:
1527
1528 2011-07-08  Chang Shu  <cshu@webkit.org>
1529
1530         Rename "makeSecure" to "fill" and remove the support for displaying last character
1531         to avoid layering violatation.
1532         https://bugs.webkit.org/show_bug.cgi?id=59114
1533
1534         Reviewed by Alexey Proskuryakov.
1535
1536         * JavaScriptCore.exp:
1537         * JavaScriptCore.order:
1538         * wtf/text/StringImpl.cpp:
1539         (WTF::StringImpl::fill):
1540         * wtf/text/StringImpl.h:
1541         * wtf/text/WTFString.h:
1542         (WTF::String::fill):
1543
1544 2011-07-08  Benjamin Poulain  <benjamin@webkit.org>
1545
1546         [WK2] Do not forward touch events to the web process when it does not need them
1547         https://bugs.webkit.org/show_bug.cgi?id=64164
1548
1549         Reviewed by Kenneth Rohde Christiansen.
1550
1551         Add a convenience function to obtain a reference to the last element of a Deque.
1552
1553         * wtf/Deque.h:
1554         (WTF::Deque::last):
1555
1556 2011-07-07  Filip Pizlo  <fpizlo@apple.com>
1557
1558         DFG JIT does not implement op_construct.
1559         https://bugs.webkit.org/show_bug.cgi?id=64066
1560
1561         Reviewed by Gavin Barraclough.
1562
1563         * dfg/DFGAliasTracker.h:
1564         (JSC::DFG::AliasTracker::recordConstruct):
1565         * dfg/DFGByteCodeParser.cpp:
1566         (JSC::DFG::ByteCodeParser::addCall):
1567         (JSC::DFG::ByteCodeParser::parseBlock):
1568         * dfg/DFGJITCodeGenerator.cpp:
1569         (JSC::DFG::JITCodeGenerator::emitCall):
1570         * dfg/DFGNode.h:
1571         * dfg/DFGNonSpeculativeJIT.cpp:
1572         (JSC::DFG::NonSpeculativeJIT::compile):
1573         * dfg/DFGOperations.cpp:
1574         * dfg/DFGOperations.h:
1575         * dfg/DFGRepatch.cpp:
1576         (JSC::DFG::dfgLinkFor):
1577         * dfg/DFGRepatch.h:
1578         * dfg/DFGSpeculativeJIT.cpp:
1579         (JSC::DFG::SpeculativeJIT::compile):
1580
1581 2011-07-07  Filip Pizlo  <fpizlo@apple.com>
1582
1583         DFG JIT does not implement get_by_id prototype caching.
1584         https://bugs.webkit.org/show_bug.cgi?id=64077
1585
1586         Reviewed by Gavin Barraclough.
1587
1588         * dfg/DFGRepatch.cpp:
1589         (JSC::DFG::emitRestoreScratch):
1590         (JSC::DFG::linkRestoreScratch):
1591         (JSC::DFG::tryCacheGetByID):
1592         * runtime/JSObject.h:
1593         (JSC::JSObject::addressOfPropertyAtOffset):
1594
1595 2011-07-07  Filip Pizlo  <fpizlo@apple.com>
1596
1597         DFG JIT method_check implementation does not link to optimized get_by_id
1598         slow path.
1599         https://bugs.webkit.org/show_bug.cgi?id=64073
1600
1601         Reviewed by Gavin Barraclough.
1602
1603         * dfg/DFGRepatch.cpp:
1604         (JSC::DFG::dfgRepatchGetMethodFast):
1605
1606 2011-07-07  Oliver Hunt  <oliver@apple.com>
1607
1608         Encode jump and link sizes into the appropriate enums
1609         https://bugs.webkit.org/show_bug.cgi?id=64123
1610
1611         Reviewed by Sam Weinig.
1612
1613         Finally kill off the out of line jump and link size arrays, 
1614         so we can avoid icky loads and constant fold the linking arithmetic.
1615
1616         * assembler/ARMv7Assembler.cpp:
1617         * assembler/ARMv7Assembler.h:
1618         (JSC::ARMv7Assembler::jumpSizeDelta):
1619         (JSC::ARMv7Assembler::computeJumpType):
1620
1621 2011-07-06  Juan C. Montemayor  <jmont@apple.com>
1622
1623         ASSERT_NOT_REACHED running test 262
1624         https://bugs.webkit.org/show_bug.cgi?id=63951
1625         
1626         Added a case to the switch statement where the code was failing. Fixed
1627         some logic as well that gave faulty error messages.
1628
1629         Reviewed by Gavin Barraclough.
1630
1631         * parser/JSParser.cpp:
1632         (JSC::JSParser::getTokenName):
1633         (JSC::JSParser::updateErrorMessageSpecialCase):
1634         (JSC::JSParser::updateErrorMessage):
1635
1636 2011-07-06  Filip Pizlo  <fpizlo@apple.com>
1637
1638         DFG JIT implementation of op_call results in regressions on sunspider
1639         controlflow-recursive.
1640         https://bugs.webkit.org/show_bug.cgi?id=64039
1641
1642         Reviewed by Gavin Barraclough.
1643
1644         * dfg/DFGByteCodeParser.cpp:
1645         (JSC::DFG::ByteCodeParser::isSmallInt32Constant):
1646         (JSC::DFG::ByteCodeParser::parseBlock):
1647         * dfg/DFGSpeculativeJIT.h:
1648         (JSC::DFG::SpeculativeJIT::isInteger):
1649
1650 2011-07-06  Filip Pizlo  <fpizlo@apple.com>
1651
1652         DFG JIT does not support method_check
1653         https://bugs.webkit.org/show_bug.cgi?id=63972
1654
1655         Reviewed by Gavin Barraclough.
1656
1657         * assembler/CodeLocation.h:
1658         (JSC::CodeLocationPossiblyNearCall::CodeLocationPossiblyNearCall):
1659         * bytecode/CodeBlock.cpp:
1660         (JSC::CodeBlock::visitAggregate):
1661         * bytecode/CodeBlock.h:
1662         (JSC::MethodCallLinkInfo::MethodCallLinkInfo):
1663         (JSC::MethodCallLinkInfo::seenOnce):
1664         (JSC::MethodCallLinkInfo::setSeen):
1665         * dfg/DFGAliasTracker.h:
1666         (JSC::DFG::AliasTracker::recordGetMethod):
1667         * dfg/DFGByteCodeParser.cpp:
1668         (JSC::DFG::ByteCodeParser::parseBlock):
1669         * dfg/DFGJITCodeGenerator.cpp:
1670         (JSC::DFG::JITCodeGenerator::cachedGetById):
1671         (JSC::DFG::JITCodeGenerator::cachedGetMethod):
1672         * dfg/DFGJITCodeGenerator.h:
1673         * dfg/DFGJITCompiler.cpp:
1674         (JSC::DFG::JITCompiler::compileFunction):
1675         * dfg/DFGJITCompiler.h:
1676         (JSC::DFG::JITCompiler::addMethodGet):
1677         (JSC::DFG::JITCompiler::MethodGetRecord::MethodGetRecord):
1678         * dfg/DFGNode.h:
1679         (JSC::DFG::Node::hasIdentifier):
1680         * dfg/DFGNonSpeculativeJIT.cpp:
1681         (JSC::DFG::NonSpeculativeJIT::compile):
1682         * dfg/DFGOperations.cpp:
1683         * dfg/DFGOperations.h:
1684         * dfg/DFGRepatch.cpp:
1685         (JSC::DFG::dfgRepatchGetMethodFast):
1686         (JSC::DFG::tryCacheGetMethod):
1687         (JSC::DFG::dfgRepatchGetMethod):
1688         * dfg/DFGRepatch.h:
1689         * dfg/DFGSpeculativeJIT.cpp:
1690         (JSC::DFG::SpeculativeJIT::compile):
1691         * jit/JITWriteBarrier.h:
1692         (JSC::JITWriteBarrier::set):
1693
1694 2011-07-06  Filip Pizlo  <fpizlo@apple.com>
1695
1696         DFG JIT op_call implementation will flush registers even when those registers are dead
1697         https://bugs.webkit.org/show_bug.cgi?id=64023
1698
1699         Reviewed by Gavin Barraclough.
1700
1701         * dfg/DFGJITCodeGenerator.cpp:
1702         (JSC::DFG::JITCodeGenerator::emitCall):
1703         * dfg/DFGJITCodeGenerator.h:
1704         (JSC::DFG::JITCodeGenerator::integerResult):
1705         (JSC::DFG::JITCodeGenerator::noResult):
1706         (JSC::DFG::JITCodeGenerator::cellResult):
1707         (JSC::DFG::JITCodeGenerator::jsValueResult):
1708         (JSC::DFG::JITCodeGenerator::doubleResult):
1709         * dfg/DFGNonSpeculativeJIT.cpp:
1710         (JSC::DFG::NonSpeculativeJIT::compile):
1711         * dfg/DFGSpeculativeJIT.cpp:
1712         (JSC::DFG::SpeculativeJIT::compile):
1713
1714 2011-07-06  Filip Pizlo  <fpizlo@apple.com>
1715
1716         DFG speculative JIT may crash when speculating int on a non-int JSConstant.
1717         https://bugs.webkit.org/show_bug.cgi?id=64017
1718
1719         Reviewed by Gavin Barraclough.
1720
1721         * dfg/DFGSpeculativeJIT.cpp:
1722         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1723         (JSC::DFG::SpeculativeJIT::compile):
1724
1725 2011-07-06  Dmitriy Vyukov  <dvyukov@google.com>
1726
1727         Reviewed by David Levin.
1728
1729         Allow substitution of dynamic annotations and prevent identical code folding by the linker.
1730         https://bugs.webkit.org/show_bug.cgi?id=62443
1731
1732         * wtf/DynamicAnnotations.cpp:
1733         (WTFAnnotateBenignRaceSized):
1734         (WTFAnnotateHappensBefore):
1735         (WTFAnnotateHappensAfter):
1736
1737 2011-07-06  Zoltan Herczeg  <zherczeg@inf.u-szeged.hu>
1738
1739         Calls on 32 bit machines are failed after r90423
1740         https://bugs.webkit.org/show_bug.cgi?id=63980
1741
1742         Reviewed by Gavin Barraclough.
1743
1744         Copy the necessary lines from JITCall.cpp.
1745
1746         * jit/JITCall32_64.cpp:
1747         (JSC::JIT::compileOpCall):
1748
1749 2011-07-05  Filip Pizlo  <fpizlo@apple.com>
1750
1751         DFG JIT virtual call implementation is inefficient.
1752         https://bugs.webkit.org/show_bug.cgi?id=63974
1753
1754         Reviewed by Gavin Barraclough.
1755
1756         * dfg/DFGOperations.cpp:
1757         * runtime/Executable.h:
1758         (JSC::ExecutableBase::generatedJITCodeForCallWithArityCheck):
1759         (JSC::ExecutableBase::generatedJITCodeForConstructWithArityCheck):
1760         (JSC::ExecutableBase::generatedJITCodeWithArityCheckFor):
1761         (JSC::ExecutableBase::hasJITCodeForCall):
1762         (JSC::ExecutableBase::hasJITCodeForConstruct):
1763         (JSC::ExecutableBase::hasJITCodeFor):
1764         * runtime/JSFunction.h:
1765         (JSC::JSFunction::scopeUnchecked):
1766
1767 2011-07-05  Oliver Hunt  <oliver@apple.com>
1768
1769         Force inlining of simple functions that show up as not being inlined
1770         https://bugs.webkit.org/show_bug.cgi?id=63964
1771
1772         Reviewed by Gavin Barraclough.
1773
1774         Looking at profile data indicates the gcc is failing to inline a
1775         number of trivial functions.  This patch hits the ones that show
1776         up in profiles with the ALWAYS_INLINE hammer.
1777
1778         We also replace the memcpy() call in linking with a manual loop.
1779         Apparently memcpy() is almost never faster than an inlined loop.
1780
1781         * assembler/ARMv7Assembler.h:
1782         (JSC::ARMv7Assembler::add):
1783         (JSC::ARMv7Assembler::add_S):
1784         (JSC::ARMv7Assembler::ARM_and):
1785         (JSC::ARMv7Assembler::asr):
1786         (JSC::ARMv7Assembler::b):
1787         (JSC::ARMv7Assembler::blx):
1788         (JSC::ARMv7Assembler::bx):
1789         (JSC::ARMv7Assembler::clz):
1790         (JSC::ARMv7Assembler::cmn):
1791         (JSC::ARMv7Assembler::cmp):
1792         (JSC::ARMv7Assembler::eor):
1793         (JSC::ARMv7Assembler::it):
1794         (JSC::ARMv7Assembler::ldr):
1795         (JSC::ARMv7Assembler::ldrCompact):
1796         (JSC::ARMv7Assembler::ldrh):
1797         (JSC::ARMv7Assembler::ldrb):
1798         (JSC::ARMv7Assembler::lsl):
1799         (JSC::ARMv7Assembler::lsr):
1800         (JSC::ARMv7Assembler::movT3):
1801         (JSC::ARMv7Assembler::mov):
1802         (JSC::ARMv7Assembler::movt):
1803         (JSC::ARMv7Assembler::mvn):
1804         (JSC::ARMv7Assembler::neg):
1805         (JSC::ARMv7Assembler::orr):
1806         (JSC::ARMv7Assembler::orr_S):
1807         (JSC::ARMv7Assembler::ror):
1808         (JSC::ARMv7Assembler::smull):
1809         (JSC::ARMv7Assembler::str):
1810         (JSC::ARMv7Assembler::sub):
1811         (JSC::ARMv7Assembler::sub_S):
1812         (JSC::ARMv7Assembler::tst):
1813         (JSC::ARMv7Assembler::linkRecordSourceComparator):
1814         (JSC::ARMv7Assembler::link):
1815         (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp5Reg3Imm8):
1816         (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp5Imm5Reg3Reg3):
1817         (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp7Reg3Reg3Reg3):
1818         (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp8Imm8):
1819         (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp8RegReg143):
1820         (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp9Imm7):
1821         (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp10Reg3Reg3):
1822         (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp12Reg4FourFours):
1823         (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp16FourFours):
1824         (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp16Op16):
1825         (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp5i6Imm4Reg4EncodedImm):
1826         (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp12Reg4Reg4Imm12):
1827         (JSC::ARMv7Assembler::ARMInstructionFormatter::vfpOp):
1828         (JSC::ARMv7Assembler::ARMInstructionFormatter::vfpMemOp):
1829         * assembler/LinkBuffer.h:
1830         (JSC::LinkBuffer::linkCode):
1831         * assembler/MacroAssemblerARMv7.h:
1832         (JSC::MacroAssemblerARMv7::nearCall):
1833         (JSC::MacroAssemblerARMv7::call):
1834         (JSC::MacroAssemblerARMv7::ret):
1835         (JSC::MacroAssemblerARMv7::moveWithPatch):
1836         (JSC::MacroAssemblerARMv7::branchPtrWithPatch):
1837         (JSC::MacroAssemblerARMv7::storePtrWithPatch):
1838         (JSC::MacroAssemblerARMv7::tailRecursiveCall):
1839         (JSC::MacroAssemblerARMv7::makeTailRecursiveCall):
1840         (JSC::MacroAssemblerARMv7::jump):
1841         (JSC::MacroAssemblerARMv7::makeBranch):
1842
1843 2011-07-05  Zoltan Herczeg  <zherczeg@inf.u-szeged.hu>
1844
1845         Make "Add optimised paths for a few maths functions" work on Qt
1846         https://bugs.webkit.org/show_bug.cgi?id=63893
1847
1848         Reviewed by Oliver Hunt.
1849
1850         Move the generated code to the .text section instead of .data section.
1851         Fix alignment for the 32 bit thunk code.
1852
1853         * jit/ThunkGenerators.cpp:
1854
1855 2011-07-05  Filip Pizlo  <fpizlo@apple.com>
1856
1857         DFG JIT does not implement op_call.
1858         https://bugs.webkit.org/show_bug.cgi?id=63858
1859
1860         Reviewed by Gavin Barraclough.
1861
1862         * bytecode/CodeBlock.cpp:
1863         (JSC::CodeBlock::unlinkCalls):
1864         * bytecode/CodeBlock.h:
1865         (JSC::CodeBlock::setNumberOfCallLinkInfos):
1866         (JSC::CodeBlock::numberOfCallLinkInfos):
1867         * bytecompiler/BytecodeGenerator.cpp:
1868         (JSC::BytecodeGenerator::emitCall):
1869         (JSC::BytecodeGenerator::emitConstruct):
1870         * dfg/DFGAliasTracker.h:
1871         (JSC::DFG::AliasTracker::lookupGetByVal):
1872         (JSC::DFG::AliasTracker::recordCall):
1873         (JSC::DFG::AliasTracker::equalIgnoringLaterNumericConversion):
1874         * dfg/DFGByteCodeParser.cpp:
1875         (JSC::DFG::ByteCodeParser::ByteCodeParser):
1876         (JSC::DFG::ByteCodeParser::getLocal):
1877         (JSC::DFG::ByteCodeParser::getArgument):
1878         (JSC::DFG::ByteCodeParser::toInt32):
1879         (JSC::DFG::ByteCodeParser::addToGraph):
1880         (JSC::DFG::ByteCodeParser::addVarArgChild):
1881         (JSC::DFG::ByteCodeParser::predictInt32):
1882         (JSC::DFG::ByteCodeParser::parseBlock):
1883         (JSC::DFG::ByteCodeParser::processPhiStack):
1884         (JSC::DFG::ByteCodeParser::allocateVirtualRegisters):
1885         * dfg/DFGGraph.cpp:
1886         (JSC::DFG::Graph::opName):
1887         (JSC::DFG::Graph::dump):
1888         (JSC::DFG::Graph::refChildren):
1889         * dfg/DFGGraph.h:
1890         * dfg/DFGJITCodeGenerator.cpp:
1891         (JSC::DFG::JITCodeGenerator::useChildren):
1892         (JSC::DFG::JITCodeGenerator::emitCall):
1893         * dfg/DFGJITCodeGenerator.h:
1894         (JSC::DFG::JITCodeGenerator::addressOfCallData):
1895         * dfg/DFGJITCompiler.cpp:
1896         (JSC::DFG::JITCompiler::compileFunction):
1897         * dfg/DFGJITCompiler.h:
1898         (JSC::DFG::CallRecord::CallRecord):
1899         (JSC::DFG::JITCompiler::notifyCall):
1900         (JSC::DFG::JITCompiler::appendCallWithFastExceptionCheck):
1901         (JSC::DFG::JITCompiler::addJSCall):
1902         (JSC::DFG::JITCompiler::PropertyAccessRecord::PropertyAccessRecord):
1903         (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
1904         * dfg/DFGNode.h:
1905         (JSC::DFG::Node::Node):
1906         (JSC::DFG::Node::child1):
1907         (JSC::DFG::Node::child2):
1908         (JSC::DFG::Node::child3):
1909         (JSC::DFG::Node::firstChild):
1910         (JSC::DFG::Node::numChildren):
1911         * dfg/DFGNonSpeculativeJIT.cpp:
1912         (JSC::DFG::NonSpeculativeJIT::basicArithOp):
1913         (JSC::DFG::NonSpeculativeJIT::compare):
1914         (JSC::DFG::NonSpeculativeJIT::compile):
1915         * dfg/DFGOperations.cpp:
1916         * dfg/DFGOperations.h:
1917         * dfg/DFGRepatch.cpp:
1918         (JSC::DFG::dfgLinkCall):
1919         * dfg/DFGRepatch.h:
1920         * dfg/DFGSpeculativeJIT.cpp:
1921         (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
1922         (JSC::DFG::SpeculativeJIT::compilePeepHoleCall):
1923         (JSC::DFG::SpeculativeJIT::compile):
1924         * dfg/DFGSpeculativeJIT.h:
1925         (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
1926         * interpreter/CallFrame.h:
1927         (JSC::ExecState::calleeAsValue):
1928         * jit/JIT.cpp:
1929         (JSC::JIT::JIT):
1930         (JSC::JIT::privateCompileMainPass):
1931         (JSC::JIT::privateCompileSlowCases):
1932         (JSC::JIT::privateCompile):
1933         (JSC::JIT::linkCall):
1934         (JSC::JIT::linkConstruct):
1935         * jit/JITCall.cpp:
1936         (JSC::JIT::compileOpCall):
1937         * jit/JITCode.h:
1938         (JSC::JITCode::JITCode):
1939         (JSC::JITCode::jitType):
1940         (JSC::JITCode::HostFunction):
1941         * runtime/JSFunction.h:
1942         * runtime/JSGlobalData.h:
1943
1944 2011-07-05  Oliver Hunt  <oliver@apple.com>
1945
1946         Initialize new MarkStack member
1947
1948         * heap/MarkStack.h:
1949         (JSC::MarkStack::MarkStack):
1950
1951 2011-07-05  Oliver Hunt  <oliver@apple.com>
1952
1953         Don't throw out compiled code repeatedly
1954         https://bugs.webkit.org/show_bug.cgi?id=63960
1955
1956         Reviewed by Gavin Barraclough.
1957
1958         Stop throwing away all compiled code every time
1959         we're told to do a full GC.  Instead unlink all
1960         callsites during such GC passes to maximise the
1961         number of collectable functions, but otherwise
1962         leave compiled functions alone.
1963
1964         * API/JSBase.cpp:
1965         (JSGarbageCollect):
1966         * bytecode/CodeBlock.cpp:
1967         (JSC::CodeBlock::visitAggregate):
1968         * heap/Heap.cpp:
1969         (JSC::Heap::collectAllGarbage):
1970         * heap/MarkStack.h:
1971         (JSC::MarkStack::shouldUnlinkCalls):
1972         (JSC::MarkStack::setShouldUnlinkCalls):
1973         * runtime/JSGlobalData.cpp:
1974         (JSC::JSGlobalData::recompileAllJSFunctions):
1975         (JSC::JSGlobalData::releaseExecutableMemory):
1976         * runtime/RegExp.cpp:
1977         (JSC::RegExp::compile):
1978         (JSC::RegExp::invalidateCode):
1979         * runtime/RegExp.h:
1980
1981 2011-07-05  Filip Pizlo  <fpizlo@apple.com>
1982
1983         JSC JIT has code duplication for the handling of call and construct
1984         https://bugs.webkit.org/show_bug.cgi?id=63957
1985
1986         Reviewed by Gavin Barraclough.
1987
1988         * jit/JIT.cpp:
1989         (JSC::JIT::linkFor):
1990         * jit/JIT.h:
1991         * jit/JITStubs.cpp:
1992         (JSC::jitCompileFor):
1993         (JSC::DEFINE_STUB_FUNCTION):
1994         (JSC::arityCheckFor):
1995         (JSC::lazyLinkFor):
1996         * runtime/Executable.h:
1997         (JSC::ExecutableBase::generatedJITCodeFor):
1998         (JSC::FunctionExecutable::compileFor):
1999         (JSC::FunctionExecutable::isGeneratedFor):
2000         (JSC::FunctionExecutable::generatedBytecodeFor):
2001         (JSC::FunctionExecutable::generatedJITCodeWithArityCheckFor):
2002
2003 2011-07-05  Gavin Barraclough  <barraclough@apple.com>
2004
2005         Build fix following last patch.
2006
2007         * runtime/JSFunction.cpp:
2008         (JSC::createPrototypeProperty):
2009
2010 2011-07-05  Gavin Barraclough  <barraclough@apple.com>
2011
2012         https://bugs.webkit.org/show_bug.cgi?id=63947
2013         ASSERT running Object.preventExtensions(Math.sin)
2014
2015         Reviewed by Oliver Hunt.
2016
2017         This is due to calling scope() on a hostFunction as a part of
2018         calling createPrototypeProperty to reify the prototype property.
2019         But host functions don't have a prototype property anyway!
2020
2021         Prevent callling createPrototypeProperty on a host function.
2022
2023         * runtime/JSFunction.cpp:
2024         (JSC::JSFunction::createPrototypeProperty):
2025         (JSC::JSFunction::preventExtensions):
2026
2027 2011-07-04  Gavin Barraclough  <barraclough@apple.com>
2028
2029         https://bugs.webkit.org/show_bug.cgi?id=63880
2030         Evaluation order of conversions of operands to >, >= incorrect.
2031
2032         Reviewed by Sam Weinig.
2033
2034         Add 'leftFirst' parameter to jsLess, jsLessEq matching that described in the ES5
2035         spec. This allows these methods to be reused to perform >, >= relational compares
2036         with correct ordering of type conversions.
2037
2038         * dfg/DFGOperations.cpp:
2039         * interpreter/Interpreter.cpp:
2040         (JSC::Interpreter::privateExecute):
2041         * jit/JITStubs.cpp:
2042         (JSC::DEFINE_STUB_FUNCTION):
2043         * runtime/Operations.h:
2044         (JSC::jsLess):
2045         (JSC::jsLessEq):
2046
2047 2011-07-04  Gavin Barraclough  <barraclough@apple.com>
2048
2049         Reviewed by Sam Weinig.
2050
2051         https://bugs.webkit.org/show_bug.cgi?id=16652
2052         Firefox and JavaScriptCore differ in Number.toString(integer)
2053
2054         Our arbitrary radix (2..36) toString conversion is inaccurate.
2055         This is partly because it uses doubles to perform math that requires
2056         higher accuracy, and partly becasue it does not attempt to correctly
2057         detect where to terminate, instead relying on a simple 'epsilon'.
2058
2059         * runtime/NumberPrototype.cpp:
2060         (JSC::decomposeDouble):
2061             - helper function to extract sign, exponent, mantissa from IEEE doubles.
2062         (JSC::Uint16WithFraction::Uint16WithFraction):
2063             - helper class, u16int with infinite precision fraction, used to convert
2064               the fractional part of the number to a string.
2065         (JSC::Uint16WithFraction::operator*=):
2066             - Multiply by a uint16.
2067         (JSC::Uint16WithFraction::operator<):
2068             - Compare two Uint16WithFractions.
2069         (JSC::Uint16WithFraction::floorAndSubtract):
2070             - Extract the integer portion of the number, and subtract it (clears the integer portion).
2071         (JSC::Uint16WithFraction::comparePoint5):
2072             - Compare to 0.5.
2073         (JSC::Uint16WithFraction::sumGreaterThanOne):
2074             - Passed a second Uint16WithFraction, returns true if the result of adding
2075               the two values would be greater than one.
2076         (JSC::Uint16WithFraction::isNormalized):
2077             - Used by ASSERTs to consistency check internal representation.
2078         (JSC::BigInteger::BigInteger):
2079             - helper class, unbounded integer value, used to convert the integer part
2080               of the number to a string.
2081         (JSC::BigInteger::divide):
2082             - Divide this value through by a uint32.
2083         (JSC::BigInteger::operator!):
2084             - test for zero.
2085         (JSC::toStringWithRadix):
2086             - Performs number to string conversion, with the given radix (2..36).
2087         (JSC::numberProtoFuncToString):
2088             - Changed to use toStringWithRadix.
2089
2090 2011-07-04  Gavin Barraclough  <barraclough@apple.com>
2091
2092         https://bugs.webkit.org/show_bug.cgi?id=63881
2093         Need separate bytecodes for handling >, >= comparisons.
2094
2095         Reviewed by Oliver Hunt.
2096
2097         This clears the way to fix Bug#63880. We currently handle greater-than comparisons
2098         as being using the corresponding op_less, etc opcodes.  This is incorrect with
2099         respect to evaluation ordering of the implicit conversions performed on operands -
2100         we should be calling ToPrimitive on the LHS and RHS operands to the greater than,
2101         but instead convert RHS then LHS.
2102
2103         This patch adds opcodes for greater-than comparisons mirroring existing ones used
2104         for less-than.
2105
2106         * bytecode/CodeBlock.cpp:
2107         (JSC::CodeBlock::dump):
2108         * bytecode/Opcode.h:
2109         * bytecompiler/BytecodeGenerator.cpp:
2110         (JSC::BytecodeGenerator::emitJumpIfTrue):
2111         (JSC::BytecodeGenerator::emitJumpIfFalse):
2112         * bytecompiler/NodesCodegen.cpp:
2113         * dfg/DFGByteCodeParser.cpp:
2114         (JSC::DFG::ByteCodeParser::parseBlock):
2115         * dfg/DFGNode.h:
2116         * dfg/DFGNonSpeculativeJIT.cpp:
2117         (JSC::DFG::NonSpeculativeJIT::compare):
2118         (JSC::DFG::NonSpeculativeJIT::compile):
2119         * dfg/DFGNonSpeculativeJIT.h:
2120         * dfg/DFGOperations.cpp:
2121         * dfg/DFGOperations.h:
2122         * dfg/DFGSpeculativeJIT.cpp:
2123         (JSC::DFG::SpeculativeJIT::compare):
2124         (JSC::DFG::SpeculativeJIT::compile):
2125         * dfg/DFGSpeculativeJIT.h:
2126         * interpreter/Interpreter.cpp:
2127         (JSC::Interpreter::privateExecute):
2128         * jit/JIT.cpp:
2129         (JSC::JIT::privateCompileMainPass):
2130         (JSC::JIT::privateCompileSlowCases):
2131         * jit/JIT.h:
2132         (JSC::JIT::emit_op_loop_if_greater):
2133         (JSC::JIT::emitSlow_op_loop_if_greater):
2134         (JSC::JIT::emit_op_loop_if_greatereq):
2135         (JSC::JIT::emitSlow_op_loop_if_greatereq):
2136         * jit/JITArithmetic.cpp:
2137         (JSC::JIT::emit_op_jgreater):
2138         (JSC::JIT::emit_op_jgreatereq):
2139         (JSC::JIT::emit_op_jngreater):
2140         (JSC::JIT::emit_op_jngreatereq):
2141         (JSC::JIT::emitSlow_op_jgreater):
2142         (JSC::JIT::emitSlow_op_jgreatereq):
2143         (JSC::JIT::emitSlow_op_jngreater):
2144         (JSC::JIT::emitSlow_op_jngreatereq):
2145         (JSC::JIT::emit_compareAndJumpSlow):
2146         * jit/JITArithmetic32_64.cpp:
2147         (JSC::JIT::emitBinaryDoubleOp):
2148         * jit/JITStubs.cpp:
2149         (JSC::DEFINE_STUB_FUNCTION):
2150         * jit/JITStubs.h:
2151         * parser/NodeConstructors.h:
2152         (JSC::GreaterNode::GreaterNode):
2153         (JSC::GreaterEqNode::GreaterEqNode):
2154         * parser/Nodes.h:
2155
2156 2011-07-03  Gavin Barraclough  <barraclough@apple.com>
2157
2158         https://bugs.webkit.org/show_bug.cgi?id=63879
2159         Reduce code duplication for op_jless, op_jlesseq, op_jnless, op_jnlesseq.
2160
2161         Reviewed by Sam Weinig.
2162         
2163         There is a lot of copy & paste code here; we can reduce duplication by making
2164         a shared implementation.
2165
2166         * assembler/MacroAssembler.h:
2167         (JSC::MacroAssembler::branch32):
2168         (JSC::MacroAssembler::commute):
2169             - Make these function platform agnostic.
2170         * assembler/MacroAssemblerX86Common.h:
2171             - Moved branch32/commute up to MacroAssembler.
2172         * jit/JIT.h:
2173         (JSC::JIT::emit_op_loop_if_lesseq):
2174         (JSC::JIT::emitSlow_op_loop_if_lesseq):
2175             - Add an implementation matching that for op_loop_if_less, which just calls op_jless.
2176         * jit/JITArithmetic.cpp:
2177         (JSC::JIT::emit_op_jless):
2178         (JSC::JIT::emit_op_jlesseq):
2179         (JSC::JIT::emit_op_jnless):
2180         (JSC::JIT::emit_op_jnlesseq):
2181         (JSC::JIT::emitSlow_op_jless):
2182         (JSC::JIT::emitSlow_op_jlesseq):
2183         (JSC::JIT::emitSlow_op_jnless):
2184         (JSC::JIT::emitSlow_op_jnlesseq):
2185             - Common implmentations of these methods for JSVALUE64 & JSVALUE32_64.
2186         (JSC::JIT::emit_compareAndJump):
2187         (JSC::JIT::emit_compareAndJumpSlow):
2188             - Internal implmementation of jless etc for JSVALUE64.
2189         * jit/JITArithmetic32_64.cpp:
2190         (JSC::JIT::emit_compareAndJump):
2191         (JSC::JIT::emit_compareAndJumpSlow):
2192             - Internal implmementation of jless etc for JSVALUE32_64.
2193         * jit/JITOpcodes.cpp:
2194         * jit/JITOpcodes32_64.cpp:
2195         * jit/JITStubs.cpp:
2196         * jit/JITStubs.h:
2197             - Remove old implementation of emit_op_loop_if_lesseq.
2198
2199 2011-07-03  Sheriff Bot  <webkit.review.bot@gmail.com>
2200
2201         Unreviewed, rolling out r90347.
2202         http://trac.webkit.org/changeset/90347
2203         https://bugs.webkit.org/show_bug.cgi?id=63886
2204
2205         Build breaks on Leopard, Chromium-win, WinCairo, and WinCE.
2206         (Requested by tkent on #webkit).
2207
2208         * JavaScriptCore.xcodeproj/project.pbxproj:
2209         * runtime/BigInteger.h: Removed.
2210         * runtime/NumberPrototype.cpp:
2211         (JSC::numberProtoFuncToPrecision):
2212         (JSC::numberProtoFuncToString):
2213         * runtime/Uint16WithFraction.h: Removed.
2214         * wtf/MathExtras.h:
2215
2216 2011-06-30  Gavin Barraclough  <barraclough@apple.com>
2217
2218         Reviewed by Sam Weinig.
2219
2220         https://bugs.webkit.org/show_bug.cgi?id=16652
2221         Firefox and JavaScriptCore differ in Number.toString(integer)
2222
2223         Our arbitrary radix (2..36) toString conversion is inaccurate.
2224         This is partly because it uses doubles to perform math that requires
2225         higher accuracy, and partly becasue it does not attempt to correctly
2226         detect where to terminate, instead relying on a simple 'epsilon'.
2227
2228         * runtime/NumberPrototype.cpp:
2229         (JSC::decomposeDouble):
2230             - helper function to extract sign, exponent, mantissa from IEEE doubles.
2231         (JSC::Uint16WithFraction::Uint16WithFraction):
2232             - helper class, u16int with infinite precision fraction, used to convert
2233               the fractional part of the number to a string.
2234         (JSC::Uint16WithFraction::operator*=):
2235             - Multiply by a uint16.
2236         (JSC::Uint16WithFraction::operator<):
2237             - Compare two Uint16WithFractions.
2238         (JSC::Uint16WithFraction::floorAndSubtract):
2239             - Extract the integer portion of the number, and subtract it (clears the integer portion).
2240         (JSC::Uint16WithFraction::comparePoint5):
2241             - Compare to 0.5.
2242         (JSC::Uint16WithFraction::sumGreaterThanOne):
2243             - Passed a second Uint16WithFraction, returns true if the result of adding
2244               the two values would be greater than one.
2245         (JSC::Uint16WithFraction::isNormalized):
2246             - Used by ASSERTs to consistency check internal representation.
2247         (JSC::BigInteger::BigInteger):
2248             - helper class, unbounded integer value, used to convert the integer part
2249               of the number to a string.
2250         (JSC::BigInteger::divide):
2251             - Divide this value through by a uint32.
2252         (JSC::BigInteger::operator!):
2253             - test for zero.
2254         (JSC::toStringWithRadix):
2255             - Performs number to string conversion, with the given radix (2..36).
2256         (JSC::numberProtoFuncToString):
2257             - Changed to use toStringWithRadix.
2258
2259 2011-07-02  Gavin Barraclough  <barraclough@apple.com>
2260
2261         https://bugs.webkit.org/show_bug.cgi?id=63866
2262         DFG JIT - implement instanceof
2263
2264         Reviewed by Sam Weinig.
2265
2266         Add ops CheckHasInstance & InstanceOf to implement bytecodes
2267         op_check_has_instance & op_instanceof. This is an initial
2268         functional implementation, performance is a wash. We can
2269         follow up with changes to fuse the InstanceOf node with
2270         a subsequant branch, as we do with other comparisons.
2271
2272         * dfg/DFGByteCodeParser.cpp:
2273         (JSC::DFG::ByteCodeParser::parseBlock):
2274         * dfg/DFGJITCompiler.cpp:
2275         (JSC::DFG::JITCompiler::jitAssertIsCell):
2276         * dfg/DFGJITCompiler.h:
2277         (JSC::DFG::JITCompiler::jitAssertIsCell):
2278         * dfg/DFGNode.h:
2279         * dfg/DFGNonSpeculativeJIT.cpp:
2280         (JSC::DFG::NonSpeculativeJIT::compile):
2281         * dfg/DFGOperations.cpp:
2282         * dfg/DFGOperations.h:
2283         * dfg/DFGSpeculativeJIT.cpp:
2284         (JSC::DFG::SpeculativeJIT::compile):
2285
2286 2011-07-01  Oliver Hunt  <oliver@apple.com>
2287
2288         IE Web Workers demo crashes in JSC::SlotVisitor::visitChildren()
2289         https://bugs.webkit.org/show_bug.cgi?id=63732
2290
2291         Reviewed by Gavin Barraclough.
2292
2293         Initialise the memory at the head of the new storage so that
2294         GC is safe if triggered by reportExtraMemoryCost.
2295
2296         * runtime/JSArray.cpp:
2297         (JSC::JSArray::increaseVectorPrefixLength):
2298
2299 2011-07-01  Oliver Hunt  <oliver@apple.com>
2300
2301         GC sweep can occur before an object is completely initialised
2302         https://bugs.webkit.org/show_bug.cgi?id=63836
2303
2304         Reviewed by Gavin Barraclough.
2305
2306         In rare cases it's possible for a GC sweep to occur while a
2307         live, but not completely initialised object is on the stack.
2308         In such a case we may incorrectly choose to mark it, even
2309         though it has no children that need marking.
2310
2311         We resolve this by always zeroing out the structure of any
2312         value returned from JSCell::operator new(), and making the
2313         markstack tolerant of a null structure. 
2314
2315         * runtime/JSCell.h:
2316         (JSC::JSCell::JSCell::~JSCell):
2317         (JSC::JSCell::JSCell::operator new):
2318         * runtime/Structure.h:
2319         (JSC::MarkStack::internalAppend):
2320
2321 2011-07-01  Filip Pizlo  <fpizlo@apple.com>
2322
2323         Reviewed by Gavin Barraclough.
2324
2325         DFG non-speculative JIT always performs slow C calls for div and mod.
2326         https://bugs.webkit.org/show_bug.cgi?id=63684
2327
2328         * dfg/DFGNonSpeculativeJIT.cpp:
2329         (JSC::DFG::NonSpeculativeJIT::compile):
2330
2331 2011-07-01  Juan C. Montemayor  <jmont@apple.com>
2332
2333         Reviewed by Oliver Hunt.
2334
2335         Lexer error messages are currently appalling
2336         https://bugs.webkit.org/show_bug.cgi?id=63340
2337
2338         Added error messages for the Lexer. These messages will be displayed
2339         instead of the lexer error messages from the parser that are currently
2340         shown.
2341
2342         * parser/Lexer.cpp:
2343         (JSC::Lexer::getInvalidCharMessage):
2344         (JSC::Lexer::setCode):
2345         (JSC::Lexer::parseString):
2346         (JSC::Lexer::lex):
2347         (JSC::Lexer::clear):
2348         * parser/Lexer.h:
2349         (JSC::Lexer::getErrorMessage):
2350         (JSC::Lexer::setOffset):
2351         * parser/Parser.cpp:
2352         (JSC::Parser::parse):
2353
2354 2011-07-01  Jungshik Shin  <jshin@chromium.org>
2355
2356         Reviewed by Alexey Proskuryakov.
2357
2358         Add ScriptCodesFromICU.h to wtf/unicode and make necessary changes in
2359         build files for ports not using ICU.
2360         Add icu/unicode/uscript.h for ports using ICU. It's taken from 
2361         ICU 3.6 (the version used on Mac OS 10.5)
2362
2363         http://bugs.webkit.org/show_bug.cgi?id=20797
2364
2365         * GNUmakefile.list.am:
2366         * JavaScriptCore.gypi:
2367         * icu/unicode/uscript.h: Added for UScriptCode enum.
2368         * wtf/unicode/ScriptCodesFromICU.h: UScriptCode enum added.
2369         * wtf/unicode/icu/UnicodeIcu.h:
2370         * wtf/unicode/brew/UnicodeBrew.h:
2371         * wtf/unicode/glib/UnicodeGLib.h:
2372         * wtf/unicode/qt4/UnicodeQt4.h:
2373         * wtf/unicode/wince/UnicodeWinCE.h:
2374
2375 2011-07-01  Gavin Barraclough  <barraclough@apple.com>
2376
2377         Reviewed by Sam Weinig.
2378
2379         https://bugs.webkit.org/show_bug.cgi?id=63819
2380         Escaping of forwardslashes in strings incorrect if multiple exist.
2381
2382         The bug is in the parameters passed to a substring - should be
2383         start & length, but we're passing start & end indices!
2384
2385         * runtime/RegExpObject.cpp:
2386         (JSC::regExpObjectSource):
2387
2388 2011-07-01  Adam Roben  <aroben@apple.com>
2389
2390         Roll out r90194
2391         http://trac.webkit.org/changeset/90194
2392         https://bugs.webkit.org/show_bug.cgi?id=63778
2393
2394         Fixes <http://webkit.org/b/63812> REGRESSION (r90194): Multiple tests intermittently failing
2395         assertions in WriteBarrierBase<JSC::Structure>::get
2396
2397         * runtime/JSCell.h:
2398         (JSC::JSCell::JSCell::~JSCell):
2399
2400 2011-06-30  Oliver Hunt  <oliver@apple.com>
2401
2402         Reviewed by Gavin Barraclough.
2403
2404         Add optimised paths for a few maths functions
2405         https://bugs.webkit.org/show_bug.cgi?id=63757
2406
2407         Relanding as a Mac only patch.
2408
2409         This adds specialised thunks for Math.abs, Math.round, Math.ceil,
2410         Math.floor, Math.log, and Math.exp as they are apparently more
2411         important in real web content than we thought, which is somewhat
2412         mind-boggling.  On average doubles the performance of the common
2413         cases (eg. actually passing numbers in).  They're not as efficient
2414         as they could be, but this way gives them the most portability.
2415
2416         * assembler/MacroAssemblerARM.h:
2417         (JSC::MacroAssemblerARM::supportsDoubleBitops):
2418         (JSC::MacroAssemblerARM::andnotDouble):
2419         * assembler/MacroAssemblerARMv7.h:
2420         (JSC::MacroAssemblerARMv7::supportsDoubleBitops):
2421         (JSC::MacroAssemblerARMv7::andnotDouble):
2422         * assembler/MacroAssemblerMIPS.h:
2423         (JSC::MacroAssemblerMIPS::andnotDouble):
2424         (JSC::MacroAssemblerMIPS::supportsDoubleBitops):
2425         * assembler/MacroAssemblerSH4.h:
2426         (JSC::MacroAssemblerSH4::supportsDoubleBitops):
2427         (JSC::MacroAssemblerSH4::andnotDouble):
2428         * assembler/MacroAssemblerX86.h:
2429         (JSC::MacroAssemblerX86::supportsDoubleBitops):
2430         * assembler/MacroAssemblerX86Common.h:
2431         (JSC::MacroAssemblerX86Common::andnotDouble):
2432         * assembler/MacroAssemblerX86_64.h:
2433         (JSC::MacroAssemblerX86_64::supportsDoubleBitops):
2434         * assembler/X86Assembler.h:
2435         (JSC::X86Assembler::andnpd_rr):
2436         * create_hash_table:
2437         * jit/SpecializedThunkJIT.h:
2438         (JSC::SpecializedThunkJIT::finalize):
2439         (JSC::SpecializedThunkJIT::callDoubleToDouble):
2440         * jit/ThunkGenerators.cpp:
2441         (JSC::floorThunkGenerator):
2442         (JSC::ceilThunkGenerator):
2443         (JSC::roundThunkGenerator):
2444         (JSC::expThunkGenerator):
2445         (JSC::logThunkGenerator):
2446         (JSC::absThunkGenerator):
2447         * jit/ThunkGenerators.h:
2448
2449 2011-07-01  David Kilzer  <ddkilzer@apple.com>
2450
2451         <http://webkit.org/b/63814> Fix clang build error in JITOpcodes32_64.cpp
2452
2453         Fixes the following build error in clang:
2454
2455             JavaScriptCore/jit/JITOpcodes32_64.cpp:741:36:{741:9-741:35}: error: operator '?:' has lower precedence than '+'; '+' will be evaluated first [-Werror,-Wparentheses,3]
2456                  map(m_bytecodeOffset + dynamic ? OPCODE_LENGTH(op_resolve_global_dynamic) : OPCODE_LENGTH(op_resolve_global), dst, regT1, regT0);
2457                      ~~~~~~~~~~~~~~~~~~~~~~~~~~ ^
2458             JavaScriptCore/jit/JITOpcodes32_64.cpp:741:36: note: place parentheses around the '+' expression to silence this warning [3]
2459                  map(m_bytecodeOffset + dynamic ? OPCODE_LENGTH(op_resolve_global_dynamic) : OPCODE_LENGTH(op_resolve_global), dst, regT1, regT0);
2460                                                 ^
2461                      (                         )
2462             fix-it:"JavaScriptCore/jit/JITOpcodes32_64.cpp":{741:9-741:9}:"("
2463             fix-it:"JavaScriptCore/jit/JITOpcodes32_64.cpp":{741:35-741:35}:")"
2464             JavaScriptCore/jit/JITOpcodes32_64.cpp:741:36:{741:28-741:94}: note: place parentheses around the '?:' expression to evaluate it first [3]
2465                  map(m_bytecodeOffset + dynamic ? OPCODE_LENGTH(op_resolve_global_dynamic) : OPCODE_LENGTH(op_resolve_global), dst, regT1, regT0);
2466                                         ~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2467             1 error generated.
2468
2469         * jit/JITOpcodes32_64.cpp:
2470         (JSC::JIT::emit_op_resolve_global): Add parenthesis to make the
2471         tertiary expression evaluate first.
2472
2473 2011-07-01  Sheriff Bot  <webkit.review.bot@gmail.com>
2474
2475         Unreviewed, rolling out r90177 and r90179.
2476         http://trac.webkit.org/changeset/90177
2477         http://trac.webkit.org/changeset/90179
2478         https://bugs.webkit.org/show_bug.cgi?id=63790
2479
2480         It caused crashes on Qt in debug mode (Requested by Ossy on
2481         #webkit).
2482
2483         * assembler/MacroAssemblerARM.h:
2484         (JSC::MacroAssemblerARM::rshift32):
2485         (JSC::MacroAssemblerARM::supportsFloatingPointSqrt):
2486         (JSC::MacroAssemblerARM::sqrtDouble):
2487         * assembler/MacroAssemblerARMv7.h:
2488         (JSC::MacroAssemblerARMv7::supportsFloatingPointSqrt):
2489         (JSC::MacroAssemblerARMv7::sqrtDouble):
2490         * assembler/MacroAssemblerMIPS.h:
2491         (JSC::MacroAssemblerMIPS::sqrtDouble):
2492         (JSC::MacroAssemblerMIPS::supportsFloatingPointSqrt):
2493         * assembler/MacroAssemblerSH4.h:
2494         (JSC::MacroAssemblerSH4::sqrtDouble):
2495         * assembler/MacroAssemblerX86.h:
2496         * assembler/MacroAssemblerX86Common.h:
2497         * assembler/MacroAssemblerX86_64.h:
2498         * assembler/X86Assembler.h:
2499         * create_hash_table:
2500         * jit/JSInterfaceJIT.h:
2501         (JSC::JSInterfaceJIT::emitLoadDouble):
2502         * jit/SpecializedThunkJIT.h:
2503         (JSC::SpecializedThunkJIT::finalize):
2504         * jit/ThunkGenerators.cpp:
2505         * jit/ThunkGenerators.h:
2506
2507 2011-06-30  Oliver Hunt  <oliver@apple.com>
2508
2509         Reviewed by Beth Dakin.
2510
2511         Make GC validation clear cell structure on destruction
2512         https://bugs.webkit.org/show_bug.cgi?id=63778
2513
2514         * runtime/JSCell.h:
2515         (JSC::JSCell::JSCell::~JSCell):
2516
2517 2011-06-30  Geoffrey Garen  <ggaren@apple.com>
2518
2519         Reviewed by Gavin Barraclough.
2520
2521         Added write barrier that was missing from put_by_id_transition
2522         https://bugs.webkit.org/show_bug.cgi?id=63775
2523
2524         * dfg/DFGJITCodeGenerator.cpp:
2525         (JSC::DFG::JITCodeGenerator::writeBarrier): Made this static with a
2526         MacroAssembler& argument so our patching functions could use it.
2527
2528         (JSC::DFG::JITCodeGenerator::cachedPutById):
2529         * dfg/DFGJITCodeGenerator.h:
2530         * dfg/DFGNonSpeculativeJIT.cpp:
2531         (JSC::DFG::NonSpeculativeJIT::compile): Updated for signature change.
2532
2533         * dfg/DFGRepatch.cpp:
2534         (JSC::DFG::tryCachePutByID): Missing barrier!
2535
2536         * dfg/DFGSpeculativeJIT.cpp:
2537         (JSC::DFG::SpeculativeJIT::compile): Updated for signature change.
2538
2539         * jit/JITPropertyAccess.cpp:
2540         (JSC::JIT::privateCompilePutByIdTransition):
2541         * jit/JITPropertyAccess32_64.cpp:
2542         (JSC::JIT::privateCompilePutByIdTransition):
2543         * jit/JSInterfaceJIT.h: Same game here. Removed storePtrWithWriteBarrier
2544         because its meaning isn't clear -- maybe in the future we'll have a
2545         clear way to pass all stores through a common function that guarantees
2546         a write barrier, but that's not the case right now.
2547
2548 2011-06-30  Filip Pizlo  <fpizlo@apple.com>
2549
2550         Reviewed by Gavin Barraclough.
2551
2552         DFG non-speculative JIT does not reuse registers when compiling comparisons.
2553         https://bugs.webkit.org/show_bug.cgi?id=63565
2554
2555         * dfg/DFGNonSpeculativeJIT.cpp:
2556         (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
2557         (JSC::DFG::NonSpeculativeJIT::basicArithOp):
2558         (JSC::DFG::NonSpeculativeJIT::compare):
2559
2560 2011-06-30  Geoffrey Garen  <ggaren@apple.com>
2561
2562         Reviewed by Gavin Barraclough.
2563
2564         Added empty write barrier stubs in all the right places in the DFG JIT
2565         https://bugs.webkit.org/show_bug.cgi?id=63764
2566         
2567         SunSpider thinks this might be a 0.5% speedup. Meh.
2568
2569         * dfg/DFGJITCodeGenerator.cpp:
2570         (JSC::DFG::JITCodeGenerator::writeBarrier): Le stub.
2571
2572         (JSC::DFG::JITCodeGenerator::cachedPutById): Don't do anything special
2573         for the case where base == scratch, since we now require base and scratch
2574         to be not equal, for the sake of the write barrier.
2575
2576         * dfg/DFGJITCodeGenerator.h: Le stub.
2577
2578         * dfg/DFGNonSpeculativeJIT.cpp:
2579         (JSC::DFG::NonSpeculativeJIT::compile): Don't reuse the base register
2580         as the scratch register, since that's incompatible with the write barrier,
2581         which needs a distinct base and scratch.
2582         
2583         Do put the global object into a register before loading its var storage,
2584         since it needs to be in a register for the write barrier to operate on it.
2585
2586         * dfg/DFGSpeculativeJIT.cpp:
2587         (JSC::DFG::SpeculativeJIT::compile):
2588         * jit/JITPropertyAccess.cpp:
2589         (JSC::JIT::emitWriteBarrier): Second verse, same as the first.
2590
2591         * jit/JITPropertyAccess.cpp:
2592         (JSC::JIT::emit_op_get_scoped_var):
2593         (JSC::JIT::emit_op_put_scoped_var):
2594         (JSC::JIT::emit_op_put_global_var): Deployed offsetOfRegisters() to more
2595         places.
2596
2597         (JSC::JIT::emitWriteBarrier): Added a teeny tiny ASSERT so this function
2598         is a little more than meaningless.
2599
2600         * jit/JITPropertyAccess32_64.cpp:
2601         (JSC::JIT::emit_op_get_scoped_var):
2602         (JSC::JIT::emit_op_put_scoped_var):
2603         (JSC::JIT::emit_op_put_global_var): Deployed offsetOfRegisters() to more
2604         places.
2605
2606         (JSC::JIT::emitWriteBarrier): Added a teeny tiny ASSERT so this function
2607         is a little more than meaningless.
2608
2609         * runtime/JSVariableObject.h:
2610         (JSC::JSVariableObject::offsetOfRegisters): Now used by the JIT, since
2611         we put the global object in a register and only then load its var storage
2612         by offset.
2613
2614         (JSC::JIT::emitWriteBarrier):
2615
2616 2011-06-30  Oliver Hunt  <oliver@apple.com>
2617
2618         Fix ARMv6 build
2619
2620         * assembler/MacroAssemblerARM.h:
2621         (JSC::MacroAssemblerARM::rshift32):
2622
2623 2011-06-30  Oliver Hunt  <oliver@apple.com>
2624
2625         Reviewed by Gavin Barraclough.
2626
2627         Add optimised paths for a few maths functions
2628         https://bugs.webkit.org/show_bug.cgi?id=63757
2629
2630         This adds specialised thunks for Math.abs, Math.round, Math.ceil,
2631         Math.floor, Math.log, and Math.exp as they are apparently more
2632         important in real web content than we thought, which is somewhat
2633         mind-boggling.  On average doubles the performance of the common
2634         cases (eg. actually passing numbers in).  They're not as efficient
2635         as they could be, but this way gives them the most portability.
2636
2637         * assembler/MacroAssemblerARM.h:
2638         (JSC::MacroAssemblerARM::supportsDoubleBitops):
2639         (JSC::MacroAssemblerARM::andnotDouble):
2640         * assembler/MacroAssemblerARMv7.h:
2641         (JSC::MacroAssemblerARMv7::supportsDoubleBitops):
2642         (JSC::MacroAssemblerARMv7::andnotDouble):
2643         * assembler/MacroAssemblerMIPS.h:
2644         (JSC::MacroAssemblerMIPS::andnotDouble):
2645         (JSC::MacroAssemblerMIPS::supportsDoubleBitops):
2646         * assembler/MacroAssemblerSH4.h:
2647         (JSC::MacroAssemblerSH4::supportsDoubleBitops):
2648         (JSC::MacroAssemblerSH4::andnotDouble):
2649         * assembler/MacroAssemblerX86.h:
2650         (JSC::MacroAssemblerX86::supportsDoubleBitops):
2651         * assembler/MacroAssemblerX86Common.h:
2652         (JSC::MacroAssemblerX86Common::andnotDouble):
2653         * assembler/MacroAssemblerX86_64.h:
2654         (JSC::MacroAssemblerX86_64::supportsDoubleBitops):
2655         * assembler/X86Assembler.h:
2656         (JSC::X86Assembler::andnpd_rr):
2657         * create_hash_table:
2658         * jit/SpecializedThunkJIT.h:
2659         (JSC::SpecializedThunkJIT::finalize):
2660         (JSC::SpecializedThunkJIT::callDoubleToDouble):
2661         * jit/ThunkGenerators.cpp:
2662         (JSC::floorThunkGenerator):
2663         (JSC::ceilThunkGenerator):
2664         (JSC::roundThunkGenerator):
2665         (JSC::expThunkGenerator):
2666         (JSC::logThunkGenerator):
2667         (JSC::absThunkGenerator):
2668         * jit/ThunkGenerators.h:
2669
2670 2011-06-30  Cary Clark  <caryclark@google.com>
2671
2672         Reviewed by James Robinson.
2673
2674         Use Skia if Skia on Mac Chrome is enabled
2675         https://bugs.webkit.org/show_bug.cgi?id=62999
2676
2677         * wtf/Platform.h:
2678         Add switch to use Skia if, externally,
2679         Skia has been enabled by a gyp define.
2680
2681 2011-06-30  Juan C. Montemayor  <jmont@apple.com>
2682
2683         Reviewed by Geoffrey Garen.
2684
2685         Web Inspector fails to display source for eval with syntax error
2686         https://bugs.webkit.org/show_bug.cgi?id=63583
2687
2688         Web Inspector now displays a link to an eval statement that contains
2689         a syntax error.
2690
2691         * parser/Parser.h:
2692         (JSC::isEvalNode):
2693         (JSC::EvalNode):
2694         (JSC::Parser::parse):
2695
2696 2011-06-30  Filip Pizlo  <fpizlo@apple.com>
2697
2698         Reviewed by Gavin Barraclough.
2699
2700         X86Assembler does not encode byte registers in 64-bit mode correctly.
2701         https://bugs.webkit.org/show_bug.cgi?id=63665
2702
2703         * assembler/X86Assembler.h:
2704         (JSC::X86Assembler::testb_rr):
2705         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp8):
2706
2707 2011-06-30  Sheriff Bot  <webkit.review.bot@gmail.com>
2708
2709         Unreviewed, rolling out r90102.
2710         http://trac.webkit.org/changeset/90102
2711         https://bugs.webkit.org/show_bug.cgi?id=63714
2712
2713         Lots of tests asserting beneath
2714         SVGSMILElement::findInstanceTime (Requested by aroben on
2715         #webkit).
2716
2717         * wtf/StdLibExtras.h:
2718         (WTF::binarySearch):
2719
2720 2011-06-30  Oliver Varga  <Varga.Oliver@stud.u-szeged.hu>
2721
2722         Reviewed by Nikolas Zimmermann.
2723
2724         Speed up SVGSMILElement::findInstanceTime.
2725         https://bugs.webkit.org/show_bug.cgi?id=61025
2726
2727         Add a new parameter to StdlibExtras.h::binarySerarch function
2728         to also handle cases when the array does not contain the key value.
2729         This is needed for an svg function.
2730
2731         * wtf/StdLibExtras.h:
2732         (WTF::binarySearch):
2733
2734 2011-06-29  Gavin Barraclough  <barraclough@apple.com>
2735
2736         Reviewed by Geoff Garen.
2737
2738         https://bugs.webkit.org/show_bug.cgi?id=63669
2739         DFG JIT - fix spectral-norm regression
2740
2741         The problem is a mis-speculation leading to us falling off the speculative path.
2742         Make the speculation logic slightly smarter, don't predict int if one of the
2743         operands is already loaded as a double (we use this logic already for compares).
2744
2745         * dfg/DFGSpeculativeJIT.cpp:
2746         (JSC::DFG::SpeculativeJIT::compile):
2747         * dfg/DFGSpeculativeJIT.h:
2748         (JSC::DFG::SpeculativeJIT::shouldSpeculateInteger):
2749
2750 2011-06-29  Filip Pizlo  <fpizlo@apple.com>
2751
2752         Reviewed by Gavin Barraclough.
2753
2754         DFG JIT does not do put_by_id transition caching.
2755         https://bugs.webkit.org/show_bug.cgi?id=63662
2756
2757         * dfg/DFGJITCodeGenerator.cpp:
2758         (JSC::DFG::JITCodeGenerator::cachedPutById):
2759         * dfg/DFGJITCompiler.h:
2760         (JSC::DFG::JITCompiler::addPropertyAccess):
2761         * dfg/DFGRepatch.cpp:
2762         (JSC::DFG::testPrototype):
2763         (JSC::DFG::tryCachePutByID):
2764
2765 2011-06-29  Geoffrey Garen  <ggaren@apple.com>
2766
2767         Reviewed by Oliver Hunt.
2768
2769         Added a dummy write barrier emitting function in all the right places in the old JIT
2770         https://bugs.webkit.org/show_bug.cgi?id=63667
2771         
2772         SunSpider reports no change.
2773
2774         * jit/JIT.h:
2775         * jit/JITPropertyAccess.cpp:
2776         (JSC::JIT::emit_op_put_by_id):
2777         (JSC::JIT::emit_op_put_scoped_var): Do it.
2778
2779         (JSC::JIT::emit_op_put_global_var): Global object needs to be in a register
2780         for the sake of the write barrier.
2781
2782         (JSC::JIT::emitWriteBarrier): Empty for now. Not for long!
2783
2784         * jit/JITPropertyAccess32_64.cpp:
2785         (JSC::JIT::emit_op_put_by_val):
2786         (JSC::JIT::emit_op_put_by_id):
2787         (JSC::JIT::emit_op_put_scoped_var): Do it.
2788
2789         (JSC::JIT::emit_op_put_global_var): Global object needs to be in a register
2790         for the sake of the write barrier.
2791
2792         (JSC::JIT::emitWriteBarrier): Empty for now. Not for long!
2793
2794 2011-06-29  Filip Pizlo  <fpizlo@apple.com>
2795
2796         Reviewed by Gavin Barraclough.
2797
2798         DFG JIT does not perform get_by_id self list caching.
2799         https://bugs.webkit.org/show_bug.cgi?id=63605
2800
2801         * bytecode/StructureStubInfo.h:
2802         * dfg/DFGJITCompiler.cpp:
2803         (JSC::DFG::JITCompiler::compileFunction):
2804         * dfg/DFGOperations.cpp:
2805         * dfg/DFGOperations.h:
2806         * dfg/DFGRepatch.cpp:
2807         (JSC::DFG::tryCacheGetByID):
2808         (JSC::DFG::tryBuildGetByIDList):
2809         (JSC::DFG::dfgBuildGetByIDList):
2810         * dfg/DFGRepatch.h:
2811
2812 2011-06-28  Filip Pizlo  <fpizlo@apple.com>
2813
2814         Reviewed by Gavin Barraclough.
2815
2816         DFG JIT lacks array.length caching.
2817         https://bugs.webkit.org/show_bug.cgi?id=63505
2818
2819         * bytecode/StructureStubInfo.h:
2820         * dfg/DFGJITCodeGenerator.cpp:
2821         (JSC::DFG::JITCodeGenerator::cachedGetById):
2822         (JSC::DFG::JITCodeGenerator::cachedPutById):
2823         * dfg/DFGJITCodeGenerator.h:
2824         (JSC::DFG::JITCodeGenerator::tryAllocate):
2825         (JSC::DFG::JITCodeGenerator::selectScratchGPR):
2826         (JSC::DFG::JITCodeGenerator::silentSpillAllRegisters):
2827         * dfg/DFGJITCompiler.cpp:
2828         (JSC::DFG::JITCompiler::compileFunction):
2829         * dfg/DFGJITCompiler.h:
2830         (JSC::DFG::JITCompiler::addPropertyAccess):
2831         (JSC::DFG::JITCompiler::PropertyAccessRecord::PropertyAccessRecord):
2832         * dfg/DFGRegisterBank.h:
2833         (JSC::DFG::RegisterBank::tryAllocate):
2834         * dfg/DFGRepatch.cpp:
2835         (JSC::DFG::tryCacheGetByID):
2836
2837 2011-06-28  Pierre Rossi  <pierre.rossi@gmail.com>
2838
2839         Reviewed by Eric Seidel.
2840
2841         Warnings in JSC's JIT on 32 bit
2842         https://bugs.webkit.org/show_bug.cgi?id=63259
2843
2844         Fairly straightforward, just use ASSERT_JIT_OFFSET_UNUSED when it applies.
2845
2846         * jit/JITPropertyAccess32_64.cpp:
2847         (JSC::JIT::emit_op_method_check):
2848         (JSC::JIT::compileGetByIdHotPath):
2849         (JSC::JIT::emit_op_put_by_id):
2850
2851 2011-06-28  Sheriff Bot  <webkit.review.bot@gmail.com>
2852
2853         Unreviewed, rolling out r89968.
2854         http://trac.webkit.org/changeset/89968
2855         https://bugs.webkit.org/show_bug.cgi?id=63581
2856
2857         Broke chromium windows compile (Requested by jamesr on
2858         #webkit).
2859
2860         * wtf/Platform.h:
2861
2862 2011-06-28  Oliver Hunt  <oliver@apple.com>
2863
2864         Reviewed by Gavin Barraclough.
2865
2866         Fix sampling build
2867         https://bugs.webkit.org/show_bug.cgi?id=63579
2868
2869         Gets opcode sampling building again, doesn't seem to work alas
2870
2871         * bytecode/SamplingTool.cpp:
2872         (JSC::SamplingTool::notifyOfScope):
2873         * bytecode/SamplingTool.h:
2874         (JSC::SamplingTool::SamplingTool):
2875         * interpreter/Interpreter.cpp:
2876         (JSC::Interpreter::enableSampler):
2877         * runtime/Executable.h:
2878         (JSC::ScriptExecutable::ScriptExecutable):
2879
2880 2011-06-28  Cary Clark  <caryclark@google.com>
2881
2882         Reviewed by James Robinson.
2883
2884         Use Skia if Skia on Mac Chrome is enabled
2885         https://bugs.webkit.org/show_bug.cgi?id=62999
2886
2887         * wtf/Platform.h:
2888         Add switch to use Skia if, externally,
2889         Skia has been enabled by a gyp define.
2890
2891 2011-06-28  Oliver Hunt  <oliver@apple.com>
2892
2893         Reviewed by Gavin Barraclough.
2894
2895         ASSERT when launching debug builds with interpreter and jit enabled
2896         https://bugs.webkit.org/show_bug.cgi?id=63566
2897
2898         Add appropriate guards to the various Executable's memory reporting
2899         logic.
2900
2901         * runtime/Executable.cpp:
2902         (JSC::EvalExecutable::compileInternal):
2903         (JSC::ProgramExecutable::compileInternal):
2904         (JSC::FunctionExecutable::compileForCallInternal):
2905         (JSC::FunctionExecutable::compileForConstructInternal):
2906
2907 2011-06-28  Gavin Barraclough  <barraclough@apple.com>
2908
2909         Reviewed by Oliver Hunt.
2910
2911         https://bugs.webkit.org/show_bug.cgi?id=63563
2912         DFG JIT - add support for double arith to speculative path
2913
2914         Add integer support for div & mod, add double support for div, mod,
2915         add, sub & mul, dynamically selecting based on operand types.
2916
2917         * dfg/DFGJITCodeGenerator.cpp:
2918         (JSC::DFG::FPRTemporary::FPRTemporary):
2919         * dfg/DFGJITCodeGenerator.h:
2920         * dfg/DFGJITCompiler.h:
2921         (JSC::DFG::JITCompiler::assembler):
2922         * dfg/DFGSpeculativeJIT.cpp:
2923         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2924         (JSC::DFG::SpeculativeJIT::compile):
2925         * dfg/DFGSpeculativeJIT.h:
2926         (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
2927         (JSC::DFG::SpeculateDoubleOperand::~SpeculateDoubleOperand):
2928         (JSC::DFG::SpeculateDoubleOperand::index):
2929         (JSC::DFG::SpeculateDoubleOperand::fpr):
2930
2931 2011-06-28  Oliver Hunt  <oliver@apple.com>
2932
2933         Fix interpreter build.
2934
2935         * interpreter/Interpreter.cpp:
2936         (JSC::Interpreter::privateExecute):
2937
2938 2011-06-28  Gavin Barraclough  <barraclough@apple.com>
2939
2940         Reviewed by Oliver Hunt.
2941
2942         https://bugs.webkit.org/show_bug.cgi?id=63561
2943         DFG JIT - don't always assume integer in relational compare
2944
2945         If neither operand is known integer, or either is in double representation,
2946         then at least use a function call (don't bail off the speculative path).
2947
2948         * dfg/DFGSpeculativeJIT.cpp:
2949         (JSC::DFG::SpeculativeJIT::compilePeepHoleCall):
2950         (JSC::DFG::SpeculativeJIT::compile):
2951         * dfg/DFGSpeculativeJIT.h:
2952         (JSC::DFG::SpeculativeJIT::isDataFormatDouble):
2953         (JSC::DFG::SpeculativeJIT::compareIsInteger):
2954
2955 2011-06-28  Oliver Hunt  <oliver@apple.com>
2956
2957         Reviewed by Gavin Barraclough.
2958
2959         Make constant array optimisation less strict about what constitutes a constant
2960         https://bugs.webkit.org/show_bug.cgi?id=63554
2961
2962         Now allow string constants in array literals to actually be considered constant,
2963         and so avoid codegen in array literals with strings in them.
2964
2965         * bytecode/CodeBlock.h:
2966         (JSC::CodeBlock::addConstantBuffer):
2967         (JSC::CodeBlock::constantBuffer):
2968         * bytecompiler/BytecodeGenerator.cpp:
2969         (JSC::BytecodeGenerator::addConstantBuffer):
2970         (JSC::BytecodeGenerator::addStringConstant):
2971         (JSC::BytecodeGenerator::emitNewArray):
2972         * bytecompiler/BytecodeGenerator.h:
2973         * interpreter/Interpreter.cpp:
2974         (JSC::Interpreter::privateExecute):
2975         * jit/JITStubs.cpp:
2976         (JSC::DEFINE_STUB_FUNCTION):
2977
2978 2011-06-28  Gavin Barraclough  <barraclough@apple.com>
2979
2980         Reviewed by Oliver Hunt.
2981
2982         https://bugs.webkit.org/show_bug.cgi?id=63560
2983         DFG_JIT allow allocation of specific machine registers
2984
2985         This allow us to allocate the registers necessary to perform x86
2986         idiv instructions for div/mod, and may be useful for shifts, too.
2987
2988         * dfg/DFGJITCodeGenerator.cpp:
2989         (JSC::DFG::GPRTemporary::GPRTemporary):
2990         * dfg/DFGJITCodeGenerator.h:
2991         (JSC::DFG::JITCodeGenerator::allocate):
2992         (JSC::DFG::GPRResult::GPRResult):
2993         * dfg/DFGRegisterBank.h:
2994         (JSC::DFG::RegisterBank::allocateSpecific):
2995         * dfg/DFGSpeculativeJIT.h:
2996         (JSC::DFG::SpeculativeJIT::isInteger):
2997
2998 2011-06-28  Gavin Barraclough  <barraclough@apple.com>
2999
3000         Reviewed by Oliver Hunt.
3001
3002         https://bugs.webkit.org/show_bug.cgi?id=55040
3003         RegExp constructor returns the argument regexp instead of a new object
3004
3005         Per 15.10.3.1, our current behaviour is correct if called as a function,
3006         but incorrect when called as a constructor.
3007
3008         * runtime/RegExpConstructor.cpp:
3009         (JSC::constructRegExp):
3010         (JSC::constructWithRegExpConstructor):
3011         * runtime/RegExpConstructor.h:
3012
3013 2011-06-28  Luke Macpherson   <macpherson@chromium.org>
3014
3015         Reviewed by Darin Adler.
3016
3017         Clean up integer clamping functions in MathExtras.h and support arbitrary numeric types and limits.
3018         https://bugs.webkit.org/show_bug.cgi?id=63469
3019
3020         * wtf/MathExtras.h:
3021         (defaultMinimumForClamp):
3022         Version of std::numeric_limits::min() that returns the largest negative value for floating point types.
3023         (defaultMaximumForClamp):
3024         Symmetric alias for std::numeric_limits::max()
3025         (clampTo):
3026         New templated clamping function that supports arbitrary output types.
3027         (clampToInteger):
3028         Use new clampTo template.
3029         (clampToFloat):
3030         Use new clampTo template.
3031         (clampToPositiveInteger):
3032         Use new clampTo template.
3033
3034 2011-06-28  Adam Roben  <aroben@apple.com>
3035
3036         Windows Debug build fix after r89885
3037
3038         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Exported
3039         JSGlobalData::releaseExecutableMemory for jsc.exe's benefit.
3040
3041 2011-06-28  Shinya Kawanaka  <shinyak@google.com>
3042
3043         Reviewed by Kent Tamura.
3044
3045         Add const to show() method in WTFString and AtomicString.
3046         https://bugs.webkit.org/show_bug.cgi?id=63515
3047
3048         The lack of const in show() method is painful when
3049         doing something like printf-debug.
3050
3051         * wtf/text/AtomicString.cpp:
3052         (WTF::AtomicString::show):
3053         * wtf/text/AtomicString.h:
3054         * wtf/text/WTFString.cpp:
3055         (String::show):
3056         * wtf/text/WTFString.h:
3057
3058 2011-06-27  Ryosuke Niwa  <rniwa@webkit.org>
3059
3060         Build fix attempt after r89885.
3061
3062         * JavaScriptCore.exp:
3063         * jsc.cpp:
3064
3065 2011-06-27  Oliver Hunt  <oliver@apple.com>
3066
3067         Reviewed by Geoffrey Garen.
3068
3069         Support throwing away non-running code even while other code is running
3070         https://bugs.webkit.org/show_bug.cgi?id=63485
3071
3072         Add a function to CodeBlock to support unlinking direct linked callsites,
3073         and then with that in place add logic to discard code from any function
3074         that is not currently on the stack.
3075
3076         The unlinking completely reverts any optimized call sites, such that they
3077         may be relinked again in future.
3078
3079         * JavaScriptCore.exp:
3080         * bytecode/CodeBlock.cpp:
3081         (JSC::CodeBlock::unlinkCalls):
3082         (JSC::CodeBlock::clearEvalCache):
3083         * bytecode/CodeBlock.h:
3084         (JSC::CallLinkInfo::CallLinkInfo):
3085         (JSC::CallLinkInfo::unlink):
3086         * bytecode/EvalCodeCache.h:
3087         (JSC::EvalCodeCache::clear):
3088         * heap/Heap.cpp:
3089         (JSC::Heap::getConservativeRegisterRoots):
3090         * heap/Heap.h:
3091         * jit/JIT.cpp:
3092         (JSC::JIT::privateCompile):
3093         * jit/JIT.h:
3094         * jit/JITCall.cpp:
3095         (JSC::JIT::compileOpCall):
3096         * jit/JITWriteBarrier.h:
3097         (JSC::JITWriteBarrierBase::clear):
3098         * jsc.cpp:
3099         (GlobalObject::GlobalObject):
3100         (functionReleaseExecutableMemory):
3101         * runtime/Executable.cpp:
3102         (JSC::EvalExecutable::unlinkCalls):
3103         (JSC::ProgramExecutable::unlinkCalls):
3104         (JSC::FunctionExecutable::discardCode):
3105         (JSC::FunctionExecutable::unlinkCalls):
3106         * runtime/Executable.h:
3107         * runtime/JSGlobalData.cpp:
3108         (JSC::SafeRecompiler::returnValue):
3109         (JSC::SafeRecompiler::operator()):
3110         (JSC::JSGlobalData::releaseExecutableMemory):
3111
3112 2011-06-27  Gavin Barraclough  <barraclough@apple.com>
3113
3114         Reviewed by Darin Adler & Oliver Hunt.
3115
3116         https://bugs.webkit.org/show_bug.cgi?id=50554
3117         RegExp.prototype.toString does not escape slashes
3118
3119         The problem here is that we don't escape forwards slashes when converting
3120         a RegExp to a string. This means that RegExp("/").toString() is "///",
3121         which is not a valid RegExp literal. Also, we return an invalid literal
3122         for RegExp.prototype.toString() ("//", which is an empty single-line comment).
3123
3124         From ES5:
3125         "NOTE: The returned String has the form of a RegularExpressionLiteral that
3126         evaluates to another RegExp object with the same behaviour as this object."
3127
3128         * runtime/RegExpObject.cpp:
3129         (JSC::regExpObjectSource):
3130             - Escape forward slashes when getting the source of a RegExp.
3131         * runtime/RegExpPrototype.cpp:
3132         (JSC::regExpProtoFuncToString):
3133             - Remove unnecessary and erroneous hack to return "//" as the string
3134             representation of RegExp.prototype. This is not a valid RegExp literal
3135             (it is an empty single-line comment).
3136
3137 2011-06-27  Gavin Barraclough  <barraclough@apple.com>
3138
3139         Reviewed by Oliver Hunt.
3140
3141         https://bugs.webkit.org/show_bug.cgi?id=63497
3142         Add DEBUG_WITH_BREAKPOINT support to the DFG JIT.
3143
3144         * dfg/DFGByteCodeParser.cpp:
3145         (JSC::DFG::ByteCodeParser::parseBlock):
3146         * dfg/DFGNode.h:
3147         * dfg/DFGNonSpeculativeJIT.cpp:
3148         (JSC::DFG::NonSpeculativeJIT::compile):
3149         * dfg/DFGSpeculativeJIT.cpp:
3150         (JSC::DFG::SpeculativeJIT::compile):
3151
3152 2011-06-27  Juan C. Montemayor  <jmont@apple.com>
3153
3154         Reviewed by Mark Rowe.
3155
3156         Indirectly including TextPosition.h and XPathGrammar.h causes compile errors
3157         https://bugs.webkit.org/show_bug.cgi?id=63392
3158         
3159         When both TextPosition.h and XPathGrammar.h are included a compile-error
3160         is caused, since XPathGrammar.h defines a macro called NUMBER and 
3161         TextPosition has a typedef named NUMBER.
3162
3163         * wtf/text/TextPosition.h:
3164         (WTF::TextPosition::TextPosition):
3165         (WTF::TextPosition::minimumPosition):
3166         (WTF::TextPosition::belowRangePosition):
3167
3168 2011-06-27  Filip Pizlo  <fpizlo@apple.com>
3169
3170         Reviewed by Gavin Barraclough.
3171
3172         DFG JIT does not perform put_by_id caching.
3173         https://bugs.webkit.org/show_bug.cgi?id=63409
3174
3175         * bytecode/StructureStubInfo.h:
3176         * dfg/DFGJITCodeGenerator.cpp:
3177         (JSC::DFG::JITCodeGenerator::cachedPutById):
3178         * dfg/DFGJITCodeGenerator.h:
3179         * dfg/DFGJITCompiler.cpp:
3180         (JSC::DFG::JITCompiler::compileFunction):
3181         * dfg/DFGJITCompiler.h:
3182         (JSC::DFG::JITCompiler::addPropertyAccess):
3183         (JSC::DFG::JITCompiler::PropertyAccessRecord::PropertyAccessRecord):
3184         * dfg/DFGNonSpeculativeJIT.cpp:
3185         (JSC::DFG::NonSpeculativeJIT::compile):
3186         * dfg/DFGOperations.cpp:
3187         * dfg/DFGOperations.h:
3188         * dfg/DFGRepatch.cpp:
3189         (JSC::DFG::dfgRepatchByIdSelfAccess):
3190         (JSC::DFG::tryCacheGetByID):
3191         (JSC::DFG::appropriatePutByIdFunction):
3192         (JSC::DFG::tryCachePutByID):
3193         (JSC::DFG::dfgRepatchPutByID):
3194         * dfg/DFGRepatch.h:
3195         * dfg/DFGSpeculativeJIT.cpp:
3196         (JSC::DFG::SpeculativeJIT::compile):
3197
3198 2011-06-27  Gustavo Noronha Silva  <gns@gnome.org>
3199
3200         Unreviewed build fix. One more filed missing during distcheck, for
3201         the MIPS build.
3202
3203         * GNUmakefile.list.am:
3204
3205 2011-06-26  Filip Pizlo  <fpizlo@apple.com>
3206
3207         Reviewed by Gavin Barraclough.
3208
3209         DFG non-speculative JIT has potentially harmful speculations with respect to arithmetic operations.
3210         https://bugs.webkit.org/show_bug.cgi?id=63347
3211
3212         * dfg/DFGNonSpeculativeJIT.cpp:
3213             - Changed arithmetic operations to speculate in favor of integers.
3214         (JSC::DFG::NonSpeculativeJIT::valueToNumber):
3215         (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
3216         (JSC::DFG::NonSpeculativeJIT::basicArithOp):
3217         (JSC::DFG::NonSpeculativeJIT::compile):
3218         * dfg/DFGNonSpeculativeJIT.h:
3219         * dfg/DFGOperations.cpp:
3220             - Added slow-path routines for arithmetic that perform no speculation; the
3221               non-speculative JIT will generate calls to these in cases where its
3222               speculation fails.
3223         * dfg/DFGOperations.h:
3224
3225 2011-06-24  Nikolas Zimmermann  <nzimmermann@rim.com>
3226
3227         Reviewed by Rob Buis.
3228
3229         Integrate SVG Fonts within GlyphPage concept, removing the special SVG code paths from Font, making it possible to reuse the simple text code path for SVG Fonts
3230         https://bugs.webkit.org/show_bug.cgi?id=59085
3231
3232         * wtf/Platform.h: Force Qt-EWS into a full rebuild, otherwhise this patch breaks the EWS.
3233
3234 2011-06-24  Michael Saboff  <msaboff@apple.com>
3235
3236         Reviewed by Gavin Barraclough.
3237
3238         Arm Assembler, Immediate stack offset values truncated to 8 bits for add & sub
3239         https://bugs.webkit.org/show_bug.cgi?id=63345
3240
3241         The methods ARMThumbImmediate::getUInt9 and ARMThumbImmediate::getUInt10
3242         return 9 and 10 bit quantities, therefore changed their return type from
3243         uint8_t to uint16_t.  Also casted the places where they are used as they
3244         are currently shifted and used as 7 or 8 bit values.
3245
3246         These methods are currently used for literals for stack offsets, 
3247         including creating and destroying stack frames.  The prior truncation of
3248         the upper bits caused stack frames to be too small, thus allowing a
3249         JIT'ed function to access and overwrite stack space outside of the
3250         incorrectly sized stack frame.
3251
3252         * assembler/ARMv7Assembler.h:
3253         (JSC::ARMThumbImmediate::getUInt9):
3254         (JSC::ARMThumbImmediate::getUInt10):
3255         (JSC::ARMv7Assembler::add):
3256         (JSC::ARMv7Assembler::ldr):
3257         (JSC::ARMv7Assembler::str):
3258         (JSC::ARMv7Assembler::sub):
3259         (JSC::ARMv7Assembler::sub_S):
3260
3261 2011-06-24  Michael Saboff  <msaboff@apple.com>
3262
3263         Reviewed by Geoffrey Garen.
3264
3265         releaseFastMallocFreeMemory doesn't adjust free counts for scavenger
3266         https://bugs.webkit.org/show_bug.cgi?id=63015
3267
3268         Added code to adjust class TCMalloc_PageHeap variables free_committed_pages_ and
3269         min_free_committed_pages_since_last_scavenge_ in ReleaseFreeList().  These 
3270         adjustments are a bug.  These need to reflect the pages that are released
3271         in ReleaseFreeLsit so that scavenge doesn't try to free that many pages as well.
3272         Made ReleaseFreeList a member of TCMalloc_PageHeap in the process.  Updated
3273         Check() and helper method CheckList() to check the number of actual free pages
3274         with free_committed_pages_.
3275
3276         The symptom of the problem of the existing code is that the scavenger may
3277         run unneccesarily without any real work to do, i.e. pages on the free lists.
3278         The scanvenger would also end up freeing too many pages, that is going below 
3279         the current 528 target free pages.
3280
3281         Note that the style of the changes was kept consistent with the
3282         existing style.
3283
3284         * wtf/FastMalloc.cpp:
3285         (WTF::TCMalloc_PageHeap::Check):
3286         (WTF::TCMalloc_PageHeap::CheckList):
3287         (WTF::TCMalloc_PageHeap::ReleaseFreeList):
3288
3289 2011-06-24  Abhishek Arya  <inferno@chromium.org>
3290
3291         Reviewed by Darin Adler.
3292
3293         Match other clampTo* functions in style with clampToInteger(float)
3294         function.
3295         https://bugs.webkit.org/show_bug.cgi?id=53449
3296
3297         * wtf/MathExtras.h:
3298         (clampToInteger):
3299         (clampToFloat):
3300         (clampToPositiveInteger):
3301
3302 2011-06-24  Sheriff Bot  <webkit.review.bot@gmail.com>
3303
3304         Unreviewed, rolling out r89594.
3305         http://trac.webkit.org/changeset/89594
3306         https://bugs.webkit.org/show_bug.cgi?id=63316
3307
3308         It broke 5 tests on the Qt bot (Requested by Ossy_DC on
3309         #webkit).
3310
3311         * GNUmakefile.list.am:
3312         * JavaScriptCore.gypi:
3313         * icu/unicode/uscript.h: Removed.
3314         * wtf/unicode/ScriptCodesFromICU.h: Removed.
3315         * wtf/unicode/brew/UnicodeBrew.h:
3316         * wtf/unicode/glib/UnicodeGLib.h:
3317         * wtf/unicode/icu/UnicodeIcu.h:
3318         * wtf/unicode/qt4/UnicodeQt4.h:
3319         * wtf/unicode/wince/UnicodeWinCE.h:
3320
3321 2011-06-23  Filip Pizlo  <fpizlo@apple.com>
3322
3323         Reviewed by Gavin Barraclough.
3324
3325         DFG non-speculative JIT should have obvious optimizations for GetById and GetByVal
3326         https://bugs.webkit.org/show_bug.cgi?id=63173
3327
3328         * dfg/DFGJITCodeGenerator.cpp:
3329         (JSC::DFG::JITCodeGenerator::cachedGetById):
3330         * dfg/DFGJITCodeGenerator.h:
3331         * dfg/DFGNonSpeculativeJIT.cpp:
3332         (JSC::DFG::NonSpeculativeJIT::compile):
3333         * dfg/DFGSpeculativeJIT.cpp:
3334         (JSC::DFG::SpeculativeJIT::compile):
3335
3336 2011-06-23  Oliver Hunt  <oliver@apple.com>
3337
3338         Fix Qt again.
3339
3340         * assembler/ARMAssembler.h:
3341         (JSC::ARMAssembler::readPointer):
3342
3343 2011-06-23  Oliver Hunt  <oliver@apple.com>
3344
3345         Fix Qt Build
3346
3347         * assembler/ARMAssembler.h:
3348         (JSC::ARMAssembler::readPointer):
3349
3350 2011-06-23  Stephanie Lewis  <slewis@apple.com>
3351
3352         Reviewed by Darin Adler.
3353
3354         https://bugs.webkit.org/show_bug.cgi?id=63298
3355         Replace Malloc with FastMalloc to match the rest of wtf.
3356
3357         * wtf/BlockStack.h:
3358         (WTF::::~BlockStack):
3359         (WTF::::grow):
3360         (WTF::::shrink):
3361
3362 2011-06-23  Oliver Hunt  <oliver@apple.com>
3363
3364         Reviewed by Gavin Barraclough.
3365
3366         Add the ability to dynamically modify linked call sites
3367         https://bugs.webkit.org/show_bug.cgi?id=63291
3368
3369         Add JITWriteBarrier as a writebarrier class that allows
3370         reading and writing directly into the code stream.
3371
3372         This required adding logic to all the assemblers to allow
3373         us to read values back out of the instruction stream.
3374
3375         * JavaScriptCore.xcodeproj/project.pbxproj:
3376         * assembler/ARMAssembler.h:
3377         (JSC::ARMAssembler::readPointer):
3378         * assembler/ARMv7Assembler.h:
3379         (JSC::ARMv7Assembler::readPointer):
3380         (JSC::ARMv7Assembler::readInt32):
3381         (JSC::ARMv7Assembler::decodeTwoWordOp5i6Imm4Reg4EncodedImmFirst):
3382         (JSC::ARMv7Assembler::decodeTwoWordOp5i6Imm4Reg4EncodedImmSecond):
3383         * assembler/AbstractMacroAssembler.h:
3384         (JSC::AbstractMacroAssembler::readPointer):
3385         * assembler/MIPSAssembler.h:
3386         (JSC::MIPSAssembler::readInt32):
3387         (JSC::MIPSAssembler::readPointer):
3388         * assembler/MacroAssemblerCodeRef.h:
3389         (JSC::MacroAssemblerCodePtr::operator!):
3390         * assembler/SH4Assembler.h:
3391         (JSC::SH4Assembler::readPCrelativeAddress):
3392         (JSC::SH4Assembler::readPointer):
3393         (JSC::SH4Assembler::readInt32):
3394         * assembler/X86Assembler.h:
3395         (JSC::X86Assembler::readPointer):
3396         * bytecode/CodeBlock.cpp:
3397         (JSC::CodeBlock::visitAggregate):
3398         * bytecode/CodeBlock.h:
3399         (JSC::MethodCallLinkInfo::seenOnce):
3400         (JSC::MethodCallLinkInfo::setSeen):
3401         * heap/MarkStack.h:
3402         * jit/JIT.cpp:
3403         (JSC::JIT::privateCompile):
3404         (JSC::JIT::linkCall):
3405         (JSC::JIT::linkConstruct):
3406         * jit/JITPropertyAccess.cpp:
3407         (JSC::JIT::patchMethodCallProto):
3408         * jit/JITPropertyAccess32_64.cpp:
3409         * jit/JITWriteBarrier.h: Added.
3410         (JSC::JITWriteBarrierBase::operator UnspecifiedBoolType*):
3411         (JSC::JITWriteBarrierBase::operator!):
3412         (JSC::JITWriteBarrierBase::setFlagOnBarrier):
3413         (JSC::JITWriteBarrierBase::isFlagged):
3414         (JSC::JITWriteBarrierBase::setLocation):
3415         (JSC::JITWriteBarrierBase::location):
3416         (JSC::JITWriteBarrierBase::JITWriteBarrierBase):
3417         (JSC::JITWriteBarrierBase::set):
3418         (JSC::JITWriteBarrierBase::get):
3419         (JSC::JITWriteBarrier::JITWriteBarrier):
3420         (JSC::JITWriteBarrier::set):
3421         (JSC::JITWriteBarrier::get):
3422         (JSC::MarkStack::append):
3423
3424 2011-06-23  Gavin Barraclough  <barraclough@apple.com>
3425
3426         Reviewed by Oliver Hunt.
3427
3428         https://bugs.webkit.org/show_bug.cgi?id=61585
3429         Crash running regexp /(?:(?=g))|(?:m).{2147483648,}/
3430
3431         This is due to use of int instead of unsigned, bad math around
3432         the 2^31 boundary.
3433
3434         * yarr/YarrInterpreter.cpp:
3435         (JSC::Yarr::ByteCompiler::emitDisjunction):