2f7569d2b05e35369717351e5a1e29281dfe0af4
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-08-22  Julien Brianceau  <jbrianceau@nds.com>

        Fix P_DFGOperation_EJS call for MIPS and ARM EABI.
        https://bugs.webkit.org/show_bug.cgi?id=120107

        Reviewed by Yong Li.

        EncodedJSValue parameters must be aligned to even registers for MIPS and ARM EABI.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):

2013-08-21  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r154416.
        http://trac.webkit.org/changeset/154416
        https://bugs.webkit.org/show_bug.cgi?id=120147

        Broke Windows builds (Requested by rniwa on #webkit).

        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
        * JavaScriptCore.vcxproj/build-generated-files.sh:

2013-08-21  Gavin Barraclough  <barraclough@apple.com>

        Clarify var/const/function declaration
        https://bugs.webkit.org/show_bug.cgi?id=120144

        Reviewed by Sam Weinig.

        Add methods to JSGlobalObject to declare vars, consts, and functions.

        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::initializeGlobalProperties):
        * runtime/Executable.h:
            - Moved declaration code to JSGlobalObject
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::addGlobalVar):
            - internal implementation of addVar, addConst, addFunction
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::addVar):
        (JSC::JSGlobalObject::addConst):
        (JSC::JSGlobalObject::addFunction):
            - Added methods to declare vars, consts, and functions

2013-08-21  Yi Shen  <max.hong.shen@gmail.com>

        https://bugs.webkit.org/show_bug.cgi?id=119900
        Exception in global setter doesn't unwind correctly

        Reviewed by Geoffrey Garen.

        Call VM_THROW_EXCEPTION_AT_END in op_put_to_scope if the setter throws exception.

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        Rename/refactor setButterfly/setStructure
        https://bugs.webkit.org/show_bug.cgi?id=120138

        Reviewed by Geoffrey Garen.

        setButterfly becomes setStructureAndButterfly.

        Also removed the Butterfly* argument from setStructure and just implicitly
        used m_butterfly internally since that's what every single client of setStructure
        was doing already.

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSObject.cpp:
        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
        (JSC::JSObject::createInitialUndecided):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToContiguous):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::genericConvertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::switchToSlowPutArrayStorage):
        (JSC::JSObject::setPrototype):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::seal):
        (JSC::JSObject::freeze):
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        (JSC::JSObject::removeDirect):
        * runtime/JSObject.h:
        (JSC::JSObject::setStructureAndButterfly):
        (JSC::JSObject::setStructure):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
        (JSC::JSObject::putDirectWithoutTransition):
        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure):

2013-08-21  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120127
        Remove JSObject::propertyIsEnumerable

        Unreviewed typo fix

        * runtime/JSObject.h:
            - fix typo

2013-08-21  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120139
        PropertyDescriptor argument to define methods should be const

        Rubber stamped by Sam Weinig.

        This should never be modified, and this way we can use rvalues.

        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::defineOwnProperty):
        * debugger/DebuggerActivation.h:
        * runtime/Arguments.cpp:
        (JSC::Arguments::defineOwnProperty):
        * runtime/Arguments.h:
        * runtime/ClassInfo.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        * runtime/JSArray.h:
        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::defineOwnProperty):
        * runtime/JSArrayBuffer.h:
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::defineOwnProperty):
        * runtime/JSArrayBufferView.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::defineOwnProperty):
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSFunction.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::::defineOwnProperty):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::defineOwnProperty):
        * runtime/JSGlobalObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::putIndexedDescriptor):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::putDescriptor):
        (JSC::JSObject::defineOwnNonIndexProperty):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::defineOwnProperty):
        * runtime/JSProxy.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::defineOwnProperty):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::defineOwnProperty):
        * runtime/RegExpObject.h:
        * runtime/StringObject.cpp:
        (JSC::StringObject::defineOwnProperty):
        * runtime/StringObject.h:
            - make PropertyDescriptor const

2013-08-21  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION: Crash under JITCompiler::link while loading Gmail
        https://bugs.webkit.org/show_bug.cgi?id=119872

        Reviewed by Mark Hahnenberg.

        Apparently, unsigned + signed = unsigned. Work around it with a cast.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
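
The entry above names a classic C pitfall: when an `int32_t` and an `unsigned` of the same rank are added, the usual arithmetic conversions turn the signed operand unsigned, so a sum that should be negative wraps to a large positive value, and that wrong value survives when it is widened into a 64-bit integer or a JS number. The following is an added example, not WebKit code and not a reproduction of the actual DFGByteCodeParser change: `SwitchTable`, `case_value_buggy`, `case_value_fixed` and `audit_table` are constructed names, and the table shape (entry i covers case value min + i) is an assumption chosen to show the failure and the cast that fixes it.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a switch jump table: entry i covers case value
 * min + i. (Assumed shape for this example, not JavaScriptCore's table.) */
typedef struct {
    int32_t min;     /* smallest case value the table covers; may be negative */
    unsigned count;  /* number of entries */
} SwitchTable;

/* Buggy form: `t.min + i` mixes int32_t and unsigned. The usual arithmetic
 * conversions convert t.min to unsigned, the addition wraps modulo 2^32, and
 * the wrapped value is then widened into the 64-bit return type unchanged. */
int64_t case_value_buggy(SwitchTable t, unsigned i)
{
    return t.min + i;            /* min = -5, i = 2 -> 4294967293, not -3 */
}

/* Fixed form: cast the 32-bit sum back to int32_t before it is widened, so
 * the two's-complement bit pattern is reinterpreted as the intended value. */
int64_t case_value_fixed(SwitchTable t, unsigned i)
{
    return (int32_t)(t.min + i); /* min = -5, i = 2 -> -3 */
}

/* Detection helper: count entries whose computed case value differs from the
 * arithmetically expected min + i, computed in 64 bits where int32_t plus a
 * small unsigned cannot wrap. A non-zero count means some values fell outside
 * the int32 domain the table was built for. */
unsigned audit_table(SwitchTable t, int64_t (*case_value)(SwitchTable, unsigned))
{
    unsigned bad = 0;
    for (unsigned i = 0; i < t.count; i++) {
        int64_t expected = (int64_t)t.min + (int64_t)i;
        if (case_value(t, i) != expected)
            bad++;
    }
    return bad;
}

int main(void)
{
    SwitchTable t = { -5, 10 };  /* constructed: case values -5 .. 4 */
    printf("buggy : %lld\n", (long long)case_value_buggy(t, 2));
    printf("fixed : %lld\n", (long long)case_value_fixed(t, 2));
    printf("entries computed wrongly: buggy=%u fixed=%u\n",
           audit_table(t, case_value_buggy), audit_table(t, case_value_fixed));
    return 0;
}
```

The bug hides whenever `min` is non-negative, because then the unsigned sum and the intended sum coincide; it only surfaces for tables that start below zero, which is why a crash of this kind can sit unnoticed until a particular site is loaded. The same conversion rule silently defeats range checks written as `unsigned + int < 0`, so the defensive habits are to cast at the point where the signedness changes, as the entry does, and to build with `-Wsign-compare`/`-Wsign-conversion` so the compiler flags the mixed-sign arithmetic.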
189
190 2013-08-21  Alex Christensen  <achristensen@apple.com>
191
192         <https://webkit.org/b/120137> Separating Win32 and Win64 builds.
193
194         Reviewed by Brent Fulgham.
195
196         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
197         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
198         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
199         Pass PlatformArchitecture as a command line parameter to bash scripts.
200         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
201         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
202         * JavaScriptCore.vcxproj/build-generated-files.sh:
203         Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).
204
205 2013-08-21  Filip Pizlo  <fpizlo@apple.com>
206
207         Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView
208         https://bugs.webkit.org/show_bug.cgi?id=120099
209
210         Reviewed by Mark Hahnenberg.
211         
212         JSDataView should not store the ArrayBuffer* in the butterfly indexing header, since
213         JSDataView may have ordinary JS indexed properties.
214
215         * runtime/ClassInfo.h:
216         * runtime/JSArrayBufferView.cpp:
217         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
218         (JSC::JSArrayBufferView::finishCreation):
219         * runtime/JSArrayBufferView.h:
220         (JSC::hasArrayBuffer):
221         * runtime/JSArrayBufferViewInlines.h:
222         (JSC::JSArrayBufferView::buffer):
223         (JSC::JSArrayBufferView::neuter):
224         (JSC::JSArrayBufferView::byteOffset):
225         * runtime/JSCell.cpp:
226         (JSC::JSCell::slowDownAndWasteMemory):
227         * runtime/JSCell.h:
228         * runtime/JSDataView.cpp:
229         (JSC::JSDataView::JSDataView):
230         (JSC::JSDataView::create):
231         (JSC::JSDataView::slowDownAndWasteMemory):
232         * runtime/JSDataView.h:
233         (JSC::JSDataView::buffer):
234         * runtime/JSGenericTypedArrayView.h:
235         * runtime/JSGenericTypedArrayViewInlines.h:
236         (JSC::::visitChildren):
237         (JSC::::slowDownAndWasteMemory):
238
239 2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>
240
241         Remove incorrect ASSERT from CopyVisitor::visitItem
242
243         Rubber stamped by Filip Pizlo.
244
245         * heap/CopyVisitorInlines.h:
246         (JSC::CopyVisitor::visitItem):
247
248 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
249
250         https://bugs.webkit.org/show_bug.cgi?id=120127
251         Remove JSObject::propertyIsEnumerable
252
253         Reviewed by Sam Weinig.
254
255         This method is just a wart - it contains unnecessary const-casting, function call overhead, and LOC.
256
257         * runtime/JSObject.cpp:
258         * runtime/JSObject.h:
259             - remove propertyIsEnumerable
260         * runtime/ObjectPrototype.cpp:
261         (JSC::objectProtoFuncPropertyIsEnumerable):
262             - Move implementation here using getOwnPropertyDescriptor directly.
263
264 2013-08-20  Filip Pizlo  <fpizlo@apple.com>
265
266         DFG should inline new typedArray()
267         https://bugs.webkit.org/show_bug.cgi?id=120022
268
269         Reviewed by Oliver Hunt.
270         
271         Adds inlining of typed array allocations in the DFG. Any operation of the
272         form:
273         
274             new foo(blah)
275         
276         or:
277         
278             foo(blah)
279         
280         where 'foo' is a typed array constructor and 'blah' is exactly one argument,
281         is turned into the NewTypedArray intrinsic. Later, of child1 (i.e. 'blah')
282         is predicted integer, we generate inline code for an allocation. Otherwise
283         it turns into a call to an operation that behaves like the constructor would
284         if it was passed one argument (i.e. it may wrap a buffer or it may create a
285         copy or another array, or it may allocate an array of that length).
286
287         * bytecode/SpeculatedType.cpp:
288         (JSC::speculationFromTypedArrayType):
289         (JSC::speculationFromClassInfo):
290         * bytecode/SpeculatedType.h:
291         * dfg/DFGAbstractInterpreterInlines.h:
292         (JSC::DFG::::executeEffects):
293         * dfg/DFGBackwardsPropagationPhase.cpp:
294         (JSC::DFG::BackwardsPropagationPhase::propagate):
295         * dfg/DFGByteCodeParser.cpp:
296         (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
297         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
298         * dfg/DFGCCallHelpers.h:
299         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
300         * dfg/DFGCSEPhase.cpp:
301         (JSC::DFG::CSEPhase::putStructureStoreElimination):
302         * dfg/DFGClobberize.h:
303         (JSC::DFG::clobberize):
304         * dfg/DFGFixupPhase.cpp:
305         (JSC::DFG::FixupPhase::fixupNode):
306         * dfg/DFGGraph.cpp:
307         (JSC::DFG::Graph::dump):
308         * dfg/DFGNode.h:
309         (JSC::DFG::Node::hasTypedArrayType):
310         (JSC::DFG::Node::typedArrayType):
311         * dfg/DFGNodeType.h:
312         * dfg/DFGOperations.cpp:
313         (JSC::DFG::newTypedArrayWithSize):
314         (JSC::DFG::newTypedArrayWithOneArgument):
315         * dfg/DFGOperations.h:
316         (JSC::DFG::operationNewTypedArrayWithSizeForType):
317         (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
318         * dfg/DFGPredictionPropagationPhase.cpp:
319         (JSC::DFG::PredictionPropagationPhase::propagate):
320         * dfg/DFGSafeToExecute.h:
321         (JSC::DFG::safeToExecute):
322         * dfg/DFGSpeculativeJIT.cpp:
323         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
324         * dfg/DFGSpeculativeJIT.h:
325         (JSC::DFG::SpeculativeJIT::callOperation):
326         * dfg/DFGSpeculativeJIT32_64.cpp:
327         (JSC::DFG::SpeculativeJIT::compile):
328         * dfg/DFGSpeculativeJIT64.cpp:
329         (JSC::DFG::SpeculativeJIT::compile):
330         * jit/JITOpcodes.cpp:
331         (JSC::JIT::emit_op_new_object):
332         * jit/JITOpcodes32_64.cpp:
333         (JSC::JIT::emit_op_new_object):
334         * runtime/JSArray.h:
335         (JSC::JSArray::allocationSize):
336         * runtime/JSArrayBufferView.h:
337         (JSC::JSArrayBufferView::allocationSize):
338         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
339         (JSC::constructGenericTypedArrayView):
340         * runtime/JSObject.h:
341         (JSC::JSFinalObject::allocationSize):
342         * runtime/TypedArrayType.cpp:
343         (JSC::constructorClassInfoForType):
344         * runtime/TypedArrayType.h:
345         (JSC::indexToTypedArrayType):
346
347 2013-08-21  Julien Brianceau  <jbrianceau@nds.com>
348
349         <https://webkit.org/b/120106> Fix V_DFGOperation_EJPP signature in DFG.
350
351         Reviewed by Geoffrey Garen.
352
353         * dfg/DFGOperations.h:
354
355 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
356
357         https://bugs.webkit.org/show_bug.cgi?id=120093
358         Remove getOwnPropertyDescriptor trap
359
360         Reviewed by Geoff Garen.
361
362         All implementations of this method are now called via the method table, and equivalent in behaviour.
363         Remove all duplicate implementations (and the method table trap), and add a single member function implementation on JSObject.
364
365         * API/JSCallbackObject.h:
366         * API/JSCallbackObjectFunctions.h:
367         * debugger/DebuggerActivation.cpp:
368         * debugger/DebuggerActivation.h:
369         * runtime/Arguments.cpp:
370         * runtime/Arguments.h:
371         * runtime/ArrayConstructor.cpp:
372         * runtime/ArrayConstructor.h:
373         * runtime/ArrayPrototype.cpp:
374         * runtime/ArrayPrototype.h:
375         * runtime/BooleanPrototype.cpp:
376         * runtime/BooleanPrototype.h:
377             - remove getOwnPropertyDescriptor
378         * runtime/ClassInfo.h:
379             - remove getOwnPropertyDescriptor from MethodTable
380         * runtime/DateConstructor.cpp:
381         * runtime/DateConstructor.h:
382         * runtime/DatePrototype.cpp:
383         * runtime/DatePrototype.h:
384         * runtime/ErrorPrototype.cpp:
385         * runtime/ErrorPrototype.h:
386         * runtime/JSActivation.cpp:
387         * runtime/JSActivation.h:
388         * runtime/JSArray.cpp:
389         * runtime/JSArray.h:
390         * runtime/JSArrayBuffer.cpp:
391         * runtime/JSArrayBuffer.h:
392         * runtime/JSArrayBufferView.cpp:
393         * runtime/JSArrayBufferView.h:
394         * runtime/JSCell.cpp:
395         * runtime/JSCell.h:
396         * runtime/JSDataView.cpp:
397         * runtime/JSDataView.h:
398         * runtime/JSDataViewPrototype.cpp:
399         * runtime/JSDataViewPrototype.h:
400         * runtime/JSFunction.cpp:
401         * runtime/JSFunction.h:
402         * runtime/JSGenericTypedArrayView.h:
403         * runtime/JSGenericTypedArrayViewInlines.h:
404         * runtime/JSGlobalObject.cpp:
405         * runtime/JSGlobalObject.h:
406         * runtime/JSNotAnObject.cpp:
407         * runtime/JSNotAnObject.h:
408         * runtime/JSONObject.cpp:
409         * runtime/JSONObject.h:
410             - remove getOwnPropertyDescriptor
411         * runtime/JSObject.cpp:
412         (JSC::JSObject::propertyIsEnumerable):
413             - switch to call new getOwnPropertyDescriptor member function
414         (JSC::JSObject::getOwnPropertyDescriptor):
415             - new, based on imlementation from GET_OWN_PROPERTY_DESCRIPTOR_IMPL
416         (JSC::JSObject::defineOwnNonIndexProperty):
417             - switch to call new getOwnPropertyDescriptor member function
418         * runtime/JSObject.h:
419         * runtime/JSProxy.cpp:
420         * runtime/JSProxy.h:
421         * runtime/NamePrototype.cpp:
422         * runtime/NamePrototype.h:
423         * runtime/NumberConstructor.cpp:
424         * runtime/NumberConstructor.h:
425         * runtime/NumberPrototype.cpp:
426         * runtime/NumberPrototype.h:
427             - remove getOwnPropertyDescriptor
428         * runtime/ObjectConstructor.cpp:
429         (JSC::objectConstructorGetOwnPropertyDescriptor):
430         (JSC::objectConstructorSeal):
431         (JSC::objectConstructorFreeze):
432         (JSC::objectConstructorIsSealed):
433         (JSC::objectConstructorIsFrozen):
434             - switch to call new getOwnPropertyDescriptor member function
435         * runtime/ObjectConstructor.h:
436             - remove getOwnPropertyDescriptor
437         * runtime/PropertyDescriptor.h:
438             - remove GET_OWN_PROPERTY_DESCRIPTOR_IMPL
439         * runtime/RegExpConstructor.cpp:
440         * runtime/RegExpConstructor.h:
441         * runtime/RegExpMatchesArray.cpp:
442         * runtime/RegExpMatchesArray.h:
443         * runtime/RegExpObject.cpp:
444         * runtime/RegExpObject.h:
445         * runtime/RegExpPrototype.cpp:
446         * runtime/RegExpPrototype.h:
447         * runtime/StringConstructor.cpp:
448         * runtime/StringConstructor.h:
449         * runtime/StringObject.cpp:
450         * runtime/StringObject.h:
451             - remove getOwnPropertyDescriptor
452
453 2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>
454
455         <https://webkit.org/b/120079> Flattening a dictionary can cause CopiedSpace corruption
456
457         Reviewed by Oliver Hunt.
458
459         When we flatten an object in dictionary mode, we compact its properties. If the object 
460         had out-of-line storage in the form of a Butterfly prior to this compaction, and after 
461         compaction its properties fit inline, the object's Structure "forgets" that the object 
462         has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes 
463         with bytes = 0, which causes all sorts of badness in CopiedSpace.
464
465         Instead, after we flatten a dictionary, if properties fit inline we should clear the 
466         Butterfly pointer so that the GC doesn't get confused later.
467
468         This patch does this clearing, and it also adds JSObject::checkStructure, which overrides
469         JSCell::checkStructure to add an ASSERT that makes sure that the Structure being assigned
470         agrees with the whether or not the object has a Butterfly. Also added an ASSERT to check
471         that the number of bytes reported to SlotVisitor::copyLater is non-zero.
472
473         * heap/SlotVisitorInlines.h:
474         (JSC::SlotVisitor::copyLater):
475         * runtime/JSObject.cpp:
476         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
477         (JSC::JSObject::convertUndecidedToInt32):
478         (JSC::JSObject::convertUndecidedToDouble):
479         (JSC::JSObject::convertUndecidedToContiguous):
480         (JSC::JSObject::convertInt32ToDouble):
481         (JSC::JSObject::convertInt32ToContiguous):
482         (JSC::JSObject::genericConvertDoubleToContiguous):
483         (JSC::JSObject::switchToSlowPutArrayStorage):
484         (JSC::JSObject::setPrototype):
485         (JSC::JSObject::putDirectAccessor):
486         (JSC::JSObject::seal):
487         (JSC::JSObject::freeze):
488         (JSC::JSObject::preventExtensions):
489         (JSC::JSObject::reifyStaticFunctionsForDelete):
490         (JSC::JSObject::removeDirect):
491         * runtime/JSObject.h:
492         (JSC::JSObject::setButterfly):
493         (JSC::JSObject::putDirectInternal):
494         (JSC::JSObject::setStructure):
495         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
496         * runtime/Structure.cpp:
497         (JSC::Structure::flattenDictionaryStructure):
498
499 2013-08-20  Alex Christensen  <achristensen@apple.com>
500
501         Compile fix for Win64 after r154156.
502
503         Rubber stamped by Oliver Hunt.
504
505         * jit/JITStubsMSVC64.asm:
506         Renamed ctiVMThrowTrampolineSlowpath to ctiVMHandleException and
507         cti_vm_throw_slowpath to cti_vm_handle_exception.
508
509 2013-08-20  Alex Christensen  <achristensen@apple.com>
510
511         <https://webkit.org/b/120076> More work towards a Win64 build
512
513         Reviewed by Brent Fulgham.
514
515         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
516         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
517         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
518         * JavaScriptCore.vcxproj/copy-files.cmd:
519         * JavaScriptCore.vcxproj/jsc/jscCommon.props:
520         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
521         Use PlatformArchitecture macro instead of bin32, lib32, and obj32.
522
523 2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>
524
525         <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
526
527         Reviewed by Geoffrey Garen.
528
529         More fixes for WriteBarrier deferral during concurrent JIT-ing. This patch makes the use of DesiredWriteBarriers class and the 
530         initializeLazyWriteBarrierFor* wrapper functions more sane. 
531
532         Refactored DesiredWriteBarrier to require an owner, a type, a CodeBlock, and an index. The type indicates how to use the CodeBlock
533         and index when triggering the WriteBarrier at the end of compilation. 
534
535         The client code of initializeLazy* is now responsible for creating the WriteBarrier that will be initialized as well as passing
536         in the relevant index to be used at the end of compilation. Things were kind of muddled before in that one function did a 
537         little extra work that really shouldn't have been its responsibility.
538
539         * dfg/DFGByteCodeParser.cpp:
540         (JSC::DFG::ByteCodeParser::addConstant):
541         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
542         * dfg/DFGDesiredWriteBarriers.cpp:
543         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
544         (JSC::DFG::DesiredWriteBarrier::trigger):
545         * dfg/DFGDesiredWriteBarriers.h:
546         (JSC::DFG::DesiredWriteBarriers::add):
547         (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameExecutable):
548         (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameCallee):
549         (JSC::DFG::initializeLazyWriteBarrierForConstant):
550         * dfg/DFGFixupPhase.cpp:
551         (JSC::DFG::FixupPhase::truncateConstantToInt32):
552         * dfg/DFGGraph.h:
553         (JSC::DFG::Graph::constantRegisterForConstant):
554
555 2013-08-20  Michael Saboff  <msaboff@apple.com>
556
557         https://bugs.webkit.org/show_bug.cgi?id=120075
558         REGRESSION (r128400): BBC4 website not displaying pictures
559
560         Reviewed by Oliver Hunt.
561
562         * runtime/RegExpMatchesArray.h:
563         (JSC::RegExpMatchesArray::createStructure): Changed the array IndexingType to be ArrayWithSlowPutArrayStorage
564         so that the match results will be reified before any other modification to the results array.
565
566 2013-08-19  Filip Pizlo  <fpizlo@apple.com>
567
568         Incorrect behavior on emscripten-compiled cube2hash
569         https://bugs.webkit.org/show_bug.cgi?id=120033
570
571         Reviewed by Mark Hahnenberg.
572         
573         If PutClosureVar is may-aliased to another PutClosureVar or GetClosureVar
574         then we should bail attempts to CSE.
575
576         * dfg/DFGCSEPhase.cpp:
577         (JSC::DFG::CSEPhase::scopedVarLoadElimination):
578         (JSC::DFG::CSEPhase::scopedVarStoreElimination):
579
580 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
581
582         https://bugs.webkit.org/show_bug.cgi?id=120073
583         Remove use of GOPD from JSFunction::defineProperty
584
585         Reviewed by Oliver Hunt.
586
587         Call getOwnPropertySlot to check for existing properties instead.
588
589         * runtime/JSFunction.cpp:
590         (JSC::JSFunction::defineOwnProperty):
591             - getOwnPropertyDescriptor -> getOwnPropertySlot
592
593 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
594
595         https://bugs.webkit.org/show_bug.cgi?id=120067
596         Remove getPropertyDescriptor
597
598         Reviewed by Oliver Hunt.
599
600         This is used by lookupGetter/lookupSetter - this can easily bee replaced by getPropertySlot.
601         Since we'll be getting the GetterSetter from the slot in the setter case, rename isGetter() to isAccessor().
602
603         * runtime/JSObject.cpp:
604         * runtime/JSObject.h:
605             - remove getPropertyDescriptor
606         * runtime/ObjectPrototype.cpp:
607         (JSC::objectProtoFuncLookupGetter):
608         (JSC::objectProtoFuncLookupSetter):
609             - replace call to getPropertyDescriptor with getPropertySlot
610         * runtime/PropertyDescriptor.h:
611         * runtime/PropertySlot.h:
612         (JSC::PropertySlot::isAccessor):
613         (JSC::PropertySlot::isCacheableGetter):
614         (JSC::PropertySlot::getterSetter):
615             - rename isGetter() to isAccessor()
616
617 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
618
619         https://bugs.webkit.org/show_bug.cgi?id=120054
620         Remove some dead code following getOwnPropertyDescriptor cleanup
621
622         Reviewed by Oliver Hunt.
623
624         * runtime/Lookup.h:
625         (JSC::getStaticFunctionSlot):
626             - remove getStaticPropertyDescriptor, getStaticFunctionDescriptor, getStaticValueDescriptor.
627
628 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
629
630         https://bugs.webkit.org/show_bug.cgi?id=120052
631         Remove custom getOwnPropertyDescriptor for JSProxy
632
633         Reviewed by Geoff Garen.
634
635         GET_OWN_PROPERTY_DESCRIPTOR_IMPL runs afoul with JSProxy due to the workaround for JSDOMWindow's broken behavior.
636         Because the window object incorrectly searches the prototype chain in getOwnPropertySlot we check that the base
637         object matches, but in the case of JSProxy we can end up comparing the window object to the window shell & falsely
638         assuming this is a prototype property. Add toThis conversion to correctly identify proxied own access. I've kept
639         the original slotBase check as a fast case, and also so that direct access on JSDOMWindow still works.
640
641         * runtime/JSProxy.cpp:
642             - Remove custom getOwnPropertyDescriptor implementation.
643         * runtime/PropertyDescriptor.h:
644             - Modify own property access check to perform toThis conversion.
645
646 2013-08-20  Alex Christensen  <achristensen@apple.com>
647
648         Use PlatformArchitecture to distinguish between 32-bit and 64-bit builds on Windows.
649         https://bugs.webkit.org/show_bug.cgi?id=119512
650
651         Reviewed by Brent Fulgham.
652
653         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
654         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
655         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
656         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
657         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
658         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
659         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
660         Replaced obj32, bin32, and lib32 with macros for 64-bit build.
661
662 2013-08-20  Julien Brianceau  <jbrianceau@nds.com>
663
664         <https://webkit.org/b/120062> Missing ensureSpace call in sh4 baseline JIT.
665
666         Reviewed by Allan Sandfeld Jensen.
667
668         branchPtrWithPatch() of baseline JIT must ensure that space is available for its
669         instructions and two constants now DFG is enabled for sh4 architecture.
670         These missing ensureSpace calls lead to random crashes.
671
672         * assembler/MacroAssemblerSH4.h:
673         (JSC::MacroAssemblerSH4::branchPtrWithPatch):
674
675 2013-08-19  Gavin Barraclough  <barraclough@apple.com>
676
677         https://bugs.webkit.org/show_bug.cgi?id=120034
678         Remove custom getOwnPropertyDescriptor for global objects
679
680         Reviewed by Geoff Garen.
681
682         Fix attributes of JSC SynbolTableObject entries, ensure that cross frame access is safe, and suppress prototype chain walk.
683
684         * runtime/JSGlobalObject.cpp:
685             - Remove custom getOwnPropertyDescriptor implementation.
686         * runtime/JSSymbolTableObject.h:
687         (JSC::symbolTableGet):
688             - The symbol table does not store the DontDelete attribute, we should be adding it back in.
689         * runtime/PropertyDescriptor.h:
690             - JSDOMWindow walks the prototype chain on own access. This is bad, but for now workaround for the getOwnPropertyDescriptor case.
691         * runtime/PropertySlot.h:
692         (JSC::PropertySlot::setUndefined):
693             - This is used by WebCore when blocking access to properties on cross-frame access.
694               Mark blocked properties as read-only, non-configurable to prevent defineProperty.
695
696 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
697
698         DFG should inline typedArray.byteOffset
699         https://bugs.webkit.org/show_bug.cgi?id=119962
700
701         Reviewed by Oliver Hunt.
702         
703         This adds a new node, GetTypedArrayByteOffset, which inlines
704         typedArray.byteOffset.
705         
706         Also, I improved a bunch of the clobbering logic related to typed arrays
707         and clobbering in general. For example, PutByOffset/PutStructure are not
708         clobber-world so they can be handled by most default cases in CSE. Also,
709         it's better to use the 'Class_field' notation for typed arrays now that
710         they no longer involve magical descriptor thingies.
711
712         * bytecode/SpeculatedType.h:
713         * dfg/DFGAbstractHeap.h:
714         * dfg/DFGAbstractInterpreterInlines.h:
715         (JSC::DFG::::executeEffects):
716         * dfg/DFGArrayMode.h:
717         (JSC::DFG::neverNeedsStorage):
718         * dfg/DFGCSEPhase.cpp:
719         (JSC::DFG::CSEPhase::getByValLoadElimination):
720         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
721         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
722         (JSC::DFG::CSEPhase::checkArrayElimination):
723         (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
724         (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination):
725         (JSC::DFG::CSEPhase::performNodeCSE):
726         * dfg/DFGClobberize.h:
727         (JSC::DFG::clobberize):
728         * dfg/DFGFixupPhase.cpp:
729         (JSC::DFG::FixupPhase::fixupNode):
730         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
731         (JSC::DFG::FixupPhase::convertToGetArrayLength):
732         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
733         * dfg/DFGNodeType.h:
734         * dfg/DFGPredictionPropagationPhase.cpp:
735         (JSC::DFG::PredictionPropagationPhase::propagate):
736         * dfg/DFGSafeToExecute.h:
737         (JSC::DFG::safeToExecute):
738         * dfg/DFGSpeculativeJIT.cpp:
739         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
740         * dfg/DFGSpeculativeJIT.h:
741         * dfg/DFGSpeculativeJIT32_64.cpp:
742         (JSC::DFG::SpeculativeJIT::compile):
743         * dfg/DFGSpeculativeJIT64.cpp:
744         (JSC::DFG::SpeculativeJIT::compile):
745         * dfg/DFGTypeCheckHoistingPhase.cpp:
746         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
747         * runtime/ArrayBuffer.h:
748         (JSC::ArrayBuffer::offsetOfData):
749         * runtime/Butterfly.h:
750         (JSC::Butterfly::offsetOfArrayBuffer):
751         * runtime/IndexingHeader.h:
752         (JSC::IndexingHeader::offsetOfArrayBuffer):
753
754 2013-08-18  Filip Pizlo  <fpizlo@apple.com>
755
756         <https://webkit.org/b/119994> DFG new Array() inlining could get confused about global objects
757
758         Reviewed by Geoffrey Garen.
759
760         * dfg/DFGByteCodeParser.cpp:
761         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
762
763 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
764
765         https://bugs.webkit.org/show_bug.cgi?id=119995
766         Start removing custom implementations of getOwnPropertyDescriptor
767
768         Reviewed by Oliver Hunt.
769
770         This can now typically be implemented in terms of getOwnPropertySlot.
771         Add a macro to PropertyDescriptor to define an implementation of GOPD in terms of GOPS.
772         Switch over most classes in JSC & the WebCore bindings generator to use this.
773
774         * API/JSCallbackObjectFunctions.h:
775         * debugger/DebuggerActivation.cpp:
776         * runtime/Arguments.cpp:
777         * runtime/ArrayConstructor.cpp:
778         * runtime/ArrayPrototype.cpp:
779         * runtime/BooleanPrototype.cpp:
780         * runtime/DateConstructor.cpp:
781         * runtime/DatePrototype.cpp:
782         * runtime/ErrorPrototype.cpp:
783         * runtime/JSActivation.cpp:
784         * runtime/JSArray.cpp:
785         * runtime/JSArrayBuffer.cpp:
786         * runtime/JSArrayBufferView.cpp:
787         * runtime/JSCell.cpp:
788         * runtime/JSDataView.cpp:
789         * runtime/JSDataViewPrototype.cpp:
790         * runtime/JSFunction.cpp:
791         * runtime/JSGenericTypedArrayViewInlines.h:
792         * runtime/JSNotAnObject.cpp:
793         * runtime/JSONObject.cpp:
794         * runtime/JSObject.cpp:
795         * runtime/NamePrototype.cpp:
796         * runtime/NumberConstructor.cpp:
797         * runtime/NumberPrototype.cpp:
798         * runtime/ObjectConstructor.cpp:
799             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
800         * runtime/PropertyDescriptor.h:
801             - Added GET_OWN_PROPERTY_DESCRIPTOR_IMPL macro.
802         * runtime/PropertySlot.h:
803         (JSC::PropertySlot::isValue):
804         (JSC::PropertySlot::isGetter):
805         (JSC::PropertySlot::isCustom):
806         (JSC::PropertySlot::isCacheableValue):
807         (JSC::PropertySlot::isCacheableGetter):
808         (JSC::PropertySlot::isCacheableCustom):
809         (JSC::PropertySlot::attributes):
810         (JSC::PropertySlot::getterSetter):
811             - Add accessors necessary to convert PropertySlot to descriptor.
812         * runtime/RegExpConstructor.cpp:
813         * runtime/RegExpMatchesArray.cpp:
814         * runtime/RegExpMatchesArray.h:
815         * runtime/RegExpObject.cpp:
816         * runtime/RegExpPrototype.cpp:
817         * runtime/StringConstructor.cpp:
818         * runtime/StringObject.cpp:
819             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
820
821 2013-08-19  Michael Saboff  <msaboff@apple.com>
822
823         https://bugs.webkit.org/show_bug.cgi?id=120015 DFG 32Bit: Crash loading "Classic" site @ translate.google.com
824
825         Reviewed by Sam Weinig.
826
827         * dfg/DFGSpeculativeJIT32_64.cpp:
828         (JSC::DFG::SpeculativeJIT::fillSpeculateCell): Added checks for spillFormat being
829         DataFormatInteger or DataFormatDouble similar to what is in the 64 bit code and in
830         all versions of fillSpeculateBoolean().
831
832 2013-08-19  Michael Saboff  <msaboff@apple.com>
833
834         https://bugs.webkit.org/show_bug.cgi?id=120020 Change Set 154207 causes wrong register to be used for 32 bit tests
835
836         Reviewed by Benjamin Poulain.
837
838         Change branchTest32 to only use the byte form for 8-bit tests on the lower 4 registers.
839         Registers 4 through 7 as byte registers are ah, ch, dh and bh instead of sp, bp, si and di.
840
841         * assembler/MacroAssemblerX86Common.h:
842         (JSC::MacroAssemblerX86Common::branchTest32):
843
844 2013-08-16  Oliver Hunt  <oliver@apple.com>
845
846         <https://webkit.org/b/119860> Crash during exception unwinding
847
848         Reviewed by Filip Pizlo.
849
850         Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error
851         to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node.
852
853         We need this so that Throw and ThrowReferenceError no longer need to be treated as
854         terminals and the subsequent flush keeps the activation (and other registers) live.
855
856         * dfg/DFGAbstractInterpreterInlines.h:
857         (JSC::DFG::::executeEffects):
858         * dfg/DFGByteCodeParser.cpp:
859         (JSC::DFG::ByteCodeParser::parseBlock):
860         * dfg/DFGClobberize.h:
861         (JSC::DFG::clobberize):
862         * dfg/DFGFixupPhase.cpp:
863         (JSC::DFG::FixupPhase::fixupNode):
864         * dfg/DFGNode.h:
865         (JSC::DFG::Node::isTerminal):
866         * dfg/DFGNodeType.h:
867         * dfg/DFGPredictionPropagationPhase.cpp:
868         (JSC::DFG::PredictionPropagationPhase::propagate):
869         * dfg/DFGSafeToExecute.h:
870         (JSC::DFG::safeToExecute):
871         * dfg/DFGSpeculativeJIT32_64.cpp:
872         (JSC::DFG::SpeculativeJIT::compile):
873         * dfg/DFGSpeculativeJIT64.cpp:
874         (JSC::DFG::SpeculativeJIT::compile):
875
876 2013-08-19  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>
877
878         <https://webkit.org/b/120008> [GTK][ARM] javascriptcore compilation is broken
879
880         Reviewed by Oliver Hunt.
881
882         Guard the compilation of these files only if DFG_JIT is enabled.
883
884         * dfg/DFGDesiredTransitions.cpp:
885         * dfg/DFGDesiredTransitions.h:
886         * dfg/DFGDesiredWeakReferences.cpp:
887         * dfg/DFGDesiredWeakReferences.h:
888         * dfg/DFGDesiredWriteBarriers.cpp:
889         * dfg/DFGDesiredWriteBarriers.h:
890
891 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
892
893         REGRESSION(r154218): DFG::FixupPhase no longer turns GetById's child1 into CellUse
894         https://bugs.webkit.org/show_bug.cgi?id=119961
895
896         Reviewed by Mark Hahnenberg.
897
898         * dfg/DFGFixupPhase.cpp:
899         (JSC::DFG::FixupPhase::fixupNode):
900
901 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
902
903         https://bugs.webkit.org/show_bug.cgi?id=119972
904         Add attributes field to PropertySlot
905
906         Reviewed by Geoff Garen.
907
908         For all JSC types, this makes getOwnPropertyDescriptor redundant.
909         There will be a bit more hacking required in WebCore to remove GOPD whilst maintaining current behaviour.
910         (Current behaviour is in many ways broken, particularly in that GOPD & GOPS are inconsistent, but we should fix incrementally).
911
912         No performance impact.
913
914         * runtime/PropertySlot.h:
915         (JSC::PropertySlot::setValue):
916         (JSC::PropertySlot::setCustom):
917         (JSC::PropertySlot::setCacheableCustom):
918         (JSC::PropertySlot::setCustomIndex):
919         (JSC::PropertySlot::setGetterSlot):
920         (JSC::PropertySlot::setCacheableGetterSlot):
921             - These methods now all require 'attributes'.
922         * runtime/JSObject.h:
923         (JSC::JSObject::getDirect):
924         (JSC::JSObject::getDirectOffset):
925         (JSC::JSObject::inlineGetOwnPropertySlot):
926             - Added variants of getDirect, getDirectOffset that return the attributes.
927         * API/JSCallbackObjectFunctions.h:
928         (JSC::::getOwnPropertySlot):
929         * runtime/Arguments.cpp:
930         (JSC::Arguments::getOwnPropertySlotByIndex):
931         (JSC::Arguments::getOwnPropertySlot):
932         * runtime/JSActivation.cpp:
933         (JSC::JSActivation::symbolTableGet):
934         (JSC::JSActivation::getOwnPropertySlot):
935         * runtime/JSArray.cpp:
936         (JSC::JSArray::getOwnPropertySlot):
937         * runtime/JSArrayBuffer.cpp:
938         (JSC::JSArrayBuffer::getOwnPropertySlot):
939         * runtime/JSArrayBufferView.cpp:
940         (JSC::JSArrayBufferView::getOwnPropertySlot):
941         * runtime/JSDataView.cpp:
942         (JSC::JSDataView::getOwnPropertySlot):
943         * runtime/JSFunction.cpp:
944         (JSC::JSFunction::getOwnPropertySlot):
945         * runtime/JSGenericTypedArrayViewInlines.h:
946         (JSC::::getOwnPropertySlot):
947         (JSC::::getOwnPropertySlotByIndex):
948         * runtime/JSObject.cpp:
949         (JSC::JSObject::getOwnPropertySlotByIndex):
950         (JSC::JSObject::fillGetterPropertySlot):
951         * runtime/JSString.h:
952         (JSC::JSString::getStringPropertySlot):
953         * runtime/JSSymbolTableObject.h:
954         (JSC::symbolTableGet):
955         * runtime/Lookup.cpp:
956         (JSC::setUpStaticFunctionSlot):
957         * runtime/Lookup.h:
958         (JSC::getStaticPropertySlot):
959         (JSC::getStaticPropertyDescriptor):
960         (JSC::getStaticValueSlot):
961         (JSC::getStaticValueDescriptor):
962         * runtime/RegExpObject.cpp:
963         (JSC::RegExpObject::getOwnPropertySlot):
964         * runtime/SparseArrayValueMap.cpp:
965         (JSC::SparseArrayEntry::get):
966             - Pass attributes to PropertySlot::set* methods.
967
968 2013-08-17  Mark Hahnenberg  <mhahnenberg@apple.com>
969
970         <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
971
972         Reviewed by Filip Pizlo.
973
974         Added a new mode for DesiredWriteBarrier that allows it to track a position in a 
975         Vector of WriteBarriers rather than the specific address. The fact that we were 
976         arbitrarily storing into a Vector's backing store for constants at the end of 
977         compilation after the Vector could have resized was causing crashes.
978
979         * bytecode/CodeBlock.h:
980         (JSC::CodeBlock::constants):
981         (JSC::CodeBlock::addConstantLazily):
982         * dfg/DFGByteCodeParser.cpp:
983         (JSC::DFG::ByteCodeParser::addConstant):
984         * dfg/DFGDesiredWriteBarriers.cpp:
985         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
986         (JSC::DFG::DesiredWriteBarrier::trigger):
987         (JSC::DFG::initializeLazyWriteBarrierForConstant):
988         * dfg/DFGDesiredWriteBarriers.h:
989         (JSC::DFG::DesiredWriteBarriers::add):
990         * dfg/DFGFixupPhase.cpp:
991         (JSC::DFG::FixupPhase::truncateConstantToInt32):
992         * dfg/DFGGraph.h:
993         (JSC::DFG::Graph::constantRegisterForConstant):
994
995 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
996
997         DFG should optimize typedArray.byteLength
998         https://bugs.webkit.org/show_bug.cgi?id=119909
999
1000         Reviewed by Oliver Hunt.
1001         
1002         This adds typedArray.byteLength inlining to the DFG, and does so without changing
1003         the IR: byteLength is turned into GetArrayLength followed by BitLShift. This is
1004         legal since the byteLength of a typed array cannot exceed
1005         numeric_limits<int32_t>::max().
1006
1007         * bytecode/SpeculatedType.cpp:
1008         (JSC::typedArrayTypeFromSpeculation):
1009         * bytecode/SpeculatedType.h:
1010         * dfg/DFGArrayMode.cpp:
1011         (JSC::DFG::toArrayType):
1012         * dfg/DFGArrayMode.h:
1013         * dfg/DFGFixupPhase.cpp:
1014         (JSC::DFG::FixupPhase::fixupNode):
1015         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
1016         (JSC::DFG::FixupPhase::attemptToMakeGetByteLength):
1017         (JSC::DFG::FixupPhase::convertToGetArrayLength):
1018         (JSC::DFG::FixupPhase::prependGetArrayLength):
1019         * dfg/DFGGraph.h:
1020         (JSC::DFG::Graph::constantRegisterForConstant):
1021         (JSC::DFG::Graph::convertToConstant):
1022         * runtime/TypedArrayType.h:
1023         (JSC::logElementSize):
1024         (JSC::elementSize):
1025
1026 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
1027
1028         DFG optimizes out strict mode arguments tear off
1029         https://bugs.webkit.org/show_bug.cgi?id=119504
1030
1031         Reviewed by Mark Hahnenberg and Oliver Hunt.
1032         
1033         Don't do the optimization for strict mode.
1034
1035         * dfg/DFGArgumentsSimplificationPhase.cpp:
1036         (JSC::DFG::ArgumentsSimplificationPhase::run):
1037         (JSC::DFG::ArgumentsSimplificationPhase::pruneObviousArgumentCreations):
1038
1039 2013-08-16  Benjamin Poulain  <benjamin@webkit.org>
1040
1041         [JSC] x86: improve code generation for xxxTest32
1042         https://bugs.webkit.org/show_bug.cgi?id=119876
1043
1044         Reviewed by Geoffrey Garen.
1045
1046         Try to use testb whenever possible when testing for an immediate value.
1047
1048         When the input is an address and an offset, we can tweak the mask
1049         and offset to be able to generate testb for any byte of the mask.
1050
1051         When the input is a register, we can use testb if we are only interested
1052         in testing the low bits.
1053
1054         * assembler/MacroAssemblerX86Common.h:
1055         (JSC::MacroAssemblerX86Common::branchTest32):
1056         (JSC::MacroAssemblerX86Common::test32):
1057         (JSC::MacroAssemblerX86Common::generateTest32):
1058
1059 2013-08-16  Mark Lam  <mark.lam@apple.com>
1060
1061         <https://bugs.webkit.org/show_bug.cgi?id=119913> Baseline JIT gives erroneous
1062         error message that an object is not a constructor though it expects a function
1063
1064         Reviewed by Michael Saboff.
1065
1066         * jit/JITStubs.cpp:
1067         (JSC::DEFINE_STUB_FUNCTION):
1068
1069 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
1070
1071         Object properties added using dot syntax (o.f = ...) from code that isn't in eval should be less likely to cause an object to become a dictionary
1072         https://bugs.webkit.org/show_bug.cgi?id=119897
1073
1074         Reviewed by Oliver Hunt.
1075         
1076         6-10x speed-up on microbenchmarks that create large static objects. 40-65% speed-up
1077         on Octane/gbemu. 3% overall speed-up on Octane. No slow-downs anywhere; our ability
1078         to turn objects into dictionaries when you're storing using bracket syntax or using
1079         eval is still in place.
1080
1081         * bytecode/CodeBlock.h:
1082         (JSC::CodeBlock::putByIdContext):
1083         * dfg/DFGOperations.cpp:
1084         * jit/JITStubs.cpp:
1085         (JSC::DEFINE_STUB_FUNCTION):
1086         * llint/LLIntSlowPaths.cpp:
1087         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1088         * runtime/JSObject.h:
1089         (JSC::JSObject::putDirectInternal):
1090         * runtime/PutPropertySlot.h:
1091         (JSC::PutPropertySlot::PutPropertySlot):
1092         (JSC::PutPropertySlot::context):
1093         * runtime/Structure.cpp:
1094         (JSC::Structure::addPropertyTransition):
1095         * runtime/Structure.h:
1096
1097 2013-08-16  Balazs Kilvady  <kilvadyb@homejinni.com>
1098
1099         <https://webkit.org/b/119742> REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException
1100
1101         Reviewed by Allan Sandfeld Jensen.
1102
1103         ctiVMHandleException must jump/return using register ra (r31).
1104
1105         * jit/JITStubsMIPS.h:
1106
1107 2013-08-16  Julien Brianceau  <jbrianceau@nds.com>
1108
1109         <https://webkit.org/b/119879> Fix sh4 build after r154156.
1110
1111         Reviewed by Allan Sandfeld Jensen.
1112
1113         Fix typo in JITStubsSH4.h file.
1114
1115         * jit/JITStubsSH4.h:
1116
1117 2013-08-15  Mark Hahnenberg  <mhahnenberg@apple.com>
1118
1119         <https://webkit.org/b/119833> Concurrent compilation thread should not trigger WriteBarriers
1120
1121         Reviewed by Oliver Hunt.
1122
1123         The concurrent compilation thread should interact minimally with the Heap, including not 
1124         triggering WriteBarriers. This is a prerequisite for generational GC.
1125
1126         * JavaScriptCore.xcodeproj/project.pbxproj:
1127         * bytecode/CodeBlock.cpp:
1128         (JSC::CodeBlock::addOrFindConstant):
1129         (JSC::CodeBlock::findConstant):
1130         * bytecode/CodeBlock.h:
1131         (JSC::CodeBlock::addConstantLazily):
1132         * dfg/DFGByteCodeParser.cpp:
1133         (JSC::DFG::ByteCodeParser::getJSConstantForValue):
1134         (JSC::DFG::ByteCodeParser::constantUndefined):
1135         (JSC::DFG::ByteCodeParser::constantNull):
1136         (JSC::DFG::ByteCodeParser::one):
1137         (JSC::DFG::ByteCodeParser::constantNaN):
1138         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1139         * dfg/DFGCommonData.cpp:
1140         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
1141         * dfg/DFGCommonData.h:
1142         * dfg/DFGDesiredTransitions.cpp: Added.
1143         (JSC::DFG::DesiredTransition::DesiredTransition):
1144         (JSC::DFG::DesiredTransition::reallyAdd):
1145         (JSC::DFG::DesiredTransitions::DesiredTransitions):
1146         (JSC::DFG::DesiredTransitions::~DesiredTransitions):
1147         (JSC::DFG::DesiredTransitions::addLazily):
1148         (JSC::DFG::DesiredTransitions::reallyAdd):
1149         * dfg/DFGDesiredTransitions.h: Added.
1150         * dfg/DFGDesiredWeakReferences.cpp: Added.
1151         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
1152         (JSC::DFG::DesiredWeakReferences::~DesiredWeakReferences):
1153         (JSC::DFG::DesiredWeakReferences::addLazily):
1154         (JSC::DFG::DesiredWeakReferences::reallyAdd):
1155         * dfg/DFGDesiredWeakReferences.h: Added.
1156         * dfg/DFGDesiredWriteBarriers.cpp: Added.
1157         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
1158         (JSC::DFG::DesiredWriteBarrier::trigger):
1159         (JSC::DFG::DesiredWriteBarriers::DesiredWriteBarriers):
1160         (JSC::DFG::DesiredWriteBarriers::~DesiredWriteBarriers):
1161         (JSC::DFG::DesiredWriteBarriers::addImpl):
1162         (JSC::DFG::DesiredWriteBarriers::trigger):
1163         * dfg/DFGDesiredWriteBarriers.h: Added.
1164         (JSC::DFG::DesiredWriteBarriers::add):
1165         (JSC::DFG::initializeLazyWriteBarrier):
1166         * dfg/DFGFixupPhase.cpp:
1167         (JSC::DFG::FixupPhase::truncateConstantToInt32):
1168         * dfg/DFGGraph.h:
1169         (JSC::DFG::Graph::convertToConstant):
1170         * dfg/DFGJITCompiler.h:
1171         (JSC::DFG::JITCompiler::addWeakReference):
1172         * dfg/DFGPlan.cpp:
1173         (JSC::DFG::Plan::Plan):
1174         (JSC::DFG::Plan::reallyAdd):
1175         * dfg/DFGPlan.h:
1176         * dfg/DFGSpeculativeJIT32_64.cpp:
1177         (JSC::DFG::SpeculativeJIT::compile):
1178         * dfg/DFGSpeculativeJIT64.cpp:
1179         (JSC::DFG::SpeculativeJIT::compile):
1180         * runtime/WriteBarrier.h:
1181         (JSC::WriteBarrierBase::set):
1182         (JSC::WriteBarrier::WriteBarrier):
1183
1184 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
1185
1186         Fix x86 32bits build after r154158
1187
1188         * assembler/X86Assembler.h: Add missing #ifdef for the x86_64 instructions.
1189
1190 2013-08-15  Ryosuke Niwa  <rniwa@webkit.org>
1191
1192         Build fix attempt after r154156.
1193
1194         * jit/JITStubs.cpp:
1195         (JSC::cti_vm_handle_exception): encode!
1196
1197 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
1198
1199         [JSC] x86: Use inc and dec when possible
1200         https://bugs.webkit.org/show_bug.cgi?id=119831
1201
1202         Reviewed by Geoffrey Garen.
1203
1204         When incrementing or decrementing by an immediate of 1, use the instructions
1205         inc and dec instead of add and sub.
1206         The instructions have good timing and their encoding is smaller.
1207
1208         * assembler/MacroAssemblerX86Common.h:
1209         (JSC::MacroAssemblerX86_64::add32):
1210         (JSC::MacroAssemblerX86_64::sub32):
1211         * assembler/MacroAssemblerX86_64.h:
1212         (JSC::MacroAssemblerX86_64::add64):
1213         (JSC::MacroAssemblerX86_64::sub64):
1214         * assembler/X86Assembler.h:
1215         (JSC::X86Assembler::dec_r):
1216         (JSC::X86Assembler::decq_r):
1217         (JSC::X86Assembler::inc_r):
1218         (JSC::X86Assembler::incq_r):
1219
1220 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1221
1222         Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
1223         https://bugs.webkit.org/show_bug.cgi?id=119874
1224
1225         Reviewed by Oliver Hunt and Mark Hahnenberg.
1226         
1227         It was a confusion between heuristics in DFG::ArrayMode that are assuming that
1228         you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
1229         sometimes for typed array length accesses, and the FixupPhase assuming that a
1230         ForceExit ArrayMode means that it should continue using a generic GetById.
1231
1232         This fixes the confusion.
1233
1234         * dfg/DFGFixupPhase.cpp:
1235         (JSC::DFG::FixupPhase::fixupNode):
1236
1237 2013-08-15  Mark Lam  <mark.lam@apple.com>
1238
1239         Fix crash when performing activation tearoff.
1240         https://bugs.webkit.org/show_bug.cgi?id=119848
1241
1242         Reviewed by Oliver Hunt.
1243
1244         The activation tearoff crash was due to a bug in the baseline JIT.
1245         If we have a scenario where a baseline JIT frame calls an LLINT
1246         frame, an exception may be thrown while in the LLINT.
1247
1248         Interpreter::throwException() which handles the exception will unwind
1249         all frames until it finds a catcher or sees a host frame. When we
1250         return from the LLINT to the baseline JIT code, the baseline JIT code
1251         erroneously sets topCallFrame to the value in its call frame register,
1252         and starts unwinding the stack frames that have already been unwound.
1253
1254         The fix is:
1255         1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
1256            This is a more accurate description of what this runtime function
1257            is supposed to do i.e. it handles the exception which include doing
1258            nothing (if there are no more frames to unwind).
1259         2. Fix up topCallFrame values so that the HostCallFrameFlag is never
1260            set on it.
1261         3. Reload the call frame register from topCallFrame when we're
1262            returning from a callee and detect that exception handling is in progress.
1263
1264         * interpreter/Interpreter.cpp:
1265         (JSC::Interpreter::unwindCallFrame):
1266         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
1267         (JSC::Interpreter::getStackTrace):
1268         * interpreter/Interpreter.h:
1269         (JSC::TopCallFrameSetter::TopCallFrameSetter):
1270         (JSC::TopCallFrameSetter::~TopCallFrameSetter):
1271         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
1272         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
1273         * jit/JIT.h:
1274         * jit/JITExceptions.cpp:
1275         (JSC::uncaughtExceptionHandler):
1276         - Convenience function to get the handler for uncaught exceptions.
1277         * jit/JITExceptions.h:
1278         * jit/JITInlines.h:
1279         (JSC::JIT::reloadCallFrameFromTopCallFrame):
1280         * jit/JITOpcodes32_64.cpp:
1281         (JSC::JIT::privateCompileCTINativeCall):
1282         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
1283         * jit/JITStubs.cpp:
1284         (JSC::throwExceptionFromOpCall):
1285         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
1286         (JSC::cti_vm_handle_exception):
1287         - Check for the case when there are no more frames to unwind.
1288         * jit/JITStubs.h:
1289         * jit/JITStubsARM.h:
1290         * jit/JITStubsARMv7.h:
1291         * jit/JITStubsMIPS.h:
1292         * jit/JITStubsSH4.h:
1293         * jit/JITStubsX86.h:
1294         * jit/JITStubsX86_64.h:
1295         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
1296         * jit/SlowPathCall.h:
1297         (JSC::JITSlowPathCall::call):
1298         - reload cfr from topCallFrame when handling an exception.
1299         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
1300         * jit/ThunkGenerators.cpp:
1301         (JSC::nativeForGenerator):
1302         * llint/LowLevelInterpreter32_64.asm:
1303         * llint/LowLevelInterpreter64.asm:
1304         - reload cfr from topCallFrame when handling an exception.
1305         * runtime/VM.cpp:
1306         (JSC::VM::VM):
1307         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
1308
1309 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1310
1311         Remove some code duplication.
1312         
1313         Rubber stamped by Mark Hahnenberg.
1314
1315         * runtime/JSDataViewPrototype.cpp:
1316         (JSC::getData):
1317         (JSC::setData):
1318
1319 2013-08-15  Julien Brianceau  <jbrianceau@nds.com>
1320
1321         [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
1322         https://bugs.webkit.org/show_bug.cgi?id=119794
1323
1324         Reviewed by Filip Pizlo.
1325
1326         This patch fixes ASSERT failures in debug builds for the sh4 and mips architectures.
1327
1328         * dfg/DFGUseKind.h:
1329         (JSC::DFG::isNumerical):
1330         (JSC::DFG::isDouble):
1331
1332 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1333
1334         http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.
1335
1336         Rubber stamped by Oliver Hunt.
1337         
1338         This was causing some test crashes for me.
1339
1340         * dfg/DFGCapabilities.cpp:
1341         (JSC::DFG::capabilityLevel):
1342
1343 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
1344
1345         [Windows] Clear up improper export declaration.
1346
1347         * runtime/ArrayBufferView.h:
1348
1349 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1350
1351         Unreviewed, remove some unnecessary periods from exceptions.
1352
1353         * runtime/JSDataViewPrototype.cpp:
1354         (JSC::getData):
1355         (JSC::setData):
1356
1357 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1358
1359         Unreviewed, fix 32-bit build.
1360
1361         * dfg/DFGSpeculativeJIT32_64.cpp:
1362         (JSC::DFG::SpeculativeJIT::compile):
1363
1364 2013-08-14  Filip Pizlo  <fpizlo@apple.com>
1365
1366         Typed arrays should be rewritten
1367         https://bugs.webkit.org/show_bug.cgi?id=119064
1368
1369         Reviewed by Oliver Hunt.
1370         
1371         Typed arrays were previously deficient in several major ways:
1372         
1373         - They were defined separately in WebCore and in the jsc shell. The two
1374           implementations were different, and the jsc shell one was basically wrong.
1375           The WebCore one was quite awful, also.
1376         
1377         - Typed arrays were not visible to the JIT except through some weird hooks.
1378           For example, the JIT could not ask "what is the Structure that this typed
1379           array would have if I just allocated it from this global object". Also,
1380           it was difficult to wire any of the typed array intrinsics, because most
1381           of the functionality wasn't visible anywhere in JSC.
1382         
1383         - Typed array allocation was brain-dead. Allocating a typed array involved
1384           two JS objects, two GC weak handles, and three malloc allocations.
1385         
1386         - Neutering. It involved keeping tabs on all native views but not the view
1387           wrappers, even though the native views can autoneuter just by asking the
1388           buffer if it was neutered anytime you touch them; while the JS view
1389           wrappers are the ones that you really want to reach out to.
1390         
1391         - Common case-ing. Most typed arrays have one buffer and one view, and
1392           usually nobody touches the buffer. Yet we created all of that stuff
1393           anyway, using data structures optimized for the case where you had a lot
1394           of views.
1395         
1396         - Semantic goofs. Typed arrays should, in the future, behave like ES
1397           features rather than DOM features, for example when it comes to exceptions.
1398           Firefox already does this and I agree with them.
1399         
1400         This patch cleanses our codebase of these sins:
1401         
1402         - Typed arrays are almost entirely defined in JSC. Only the lifecycle
1403           management of native references to buffers is left to WebCore.
1404         
1405         - Allocating a typed array requires either two GC allocations (a cell and a
1406           copied storage vector) or one GC allocation, a malloc allocation, and a
1407           weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
1408           latter). The latter is only used for oversize arrays. Remember that before
1409           it was 7 allocations no matter what.
1410         
1411         - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
1412           mode/length, void* vector. Before it was a lot more than that - remember,
1413           there were five additional objects that did absolutely nothing for anybody.
1414         
1415         - Native views aren't tracked by the buffer, or by the wrappers. They are
1416           transient. In the future we'll probably switch to not even having them be
1417           malloc'd.
1418         
1419         - Native array buffers have an efficient way of tracking all of their JS view
1420           wrappers, both for neutering, and for lifecycle management. The GC
1421           special-cases native array buffers. This saves a bunch of grief; for example
1422           it means that a JS view wrapper can refer to its buffer via the butterfly,
1423           which would be dead by the time we went to finalize.
1424         
1425         - Typed array semantics now match Firefox, which also happens to be where the
1426           standards are going. The discussion on webkit-dev seemed to confirm that
1427           Chrome is also heading in this direction. This includes making
1428           Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
1429           ArrayBufferView as a JS-visible construct.
1430         
1431         This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
1432         It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
1433         further typed array optimizations in the JSC JITs, including inlining typed
1434         array allocation, inlining more of the accessors, reducing the cost of type
1435         checks, etc.
1436         
1437         An additional property of this patch is that typed arrays are mostly
1438         implemented using templates. This deduplicates a bunch of code, but does mean
1439         that we need some hacks for exporting s_info's of template classes. See
1440         JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
1441         low-impact compared to code duplication.
1442         
1443         Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
1444
1445         * CMakeLists.txt:
1446         * DerivedSources.make:
1447         * GNUmakefile.list.am:
1448         * JSCTypedArrayStubs.h: Removed.
1449         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1450         * JavaScriptCore.xcodeproj/project.pbxproj:
1451         * Target.pri:
1452         * bytecode/ByValInfo.h:
1453         (JSC::hasOptimizableIndexingForClassInfo):
1454         (JSC::jitArrayModeForClassInfo):
1455         (JSC::typedArrayTypeForJITArrayMode):
1456         * bytecode/SpeculatedType.cpp:
1457         (JSC::speculationFromClassInfo):
1458         * dfg/DFGArrayMode.cpp:
1459         (JSC::DFG::toTypedArrayType):
1460         * dfg/DFGArrayMode.h:
1461         (JSC::DFG::ArrayMode::typedArrayType):
1462         * dfg/DFGSpeculativeJIT.cpp:
1463         (JSC::DFG::SpeculativeJIT::checkArray):
1464         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
1465         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
1466         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
1467         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
1468         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
1469         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1470         * dfg/DFGSpeculativeJIT.h:
1471         * dfg/DFGSpeculativeJIT32_64.cpp:
1472         (JSC::DFG::SpeculativeJIT::compile):
1473         * dfg/DFGSpeculativeJIT64.cpp:
1474         (JSC::DFG::SpeculativeJIT::compile):
1475         * heap/CopyToken.h:
1476         * heap/DeferGC.h:
1477         (JSC::DeferGCForAWhile::DeferGCForAWhile):
1478         (JSC::DeferGCForAWhile::~DeferGCForAWhile):
1479         * heap/GCIncomingRefCounted.h: Added.
1480         (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
1481         (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
1482         (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
1483         (JSC::GCIncomingRefCounted::incomingReferenceAt):
1484         (JSC::GCIncomingRefCounted::singletonFlag):
1485         (JSC::GCIncomingRefCounted::hasVectorOfCells):
1486         (JSC::GCIncomingRefCounted::hasAnyIncoming):
1487         (JSC::GCIncomingRefCounted::hasSingleton):
1488         (JSC::GCIncomingRefCounted::singleton):
1489         (JSC::GCIncomingRefCounted::vectorOfCells):
1490         * heap/GCIncomingRefCountedInlines.h: Added.
1491         (JSC::::addIncomingReference):
1492         (JSC::::filterIncomingReferences):
1493         * heap/GCIncomingRefCountedSet.h: Added.
1494         (JSC::GCIncomingRefCountedSet::size):
1495         * heap/GCIncomingRefCountedSetInlines.h: Added.
1496         (JSC::::GCIncomingRefCountedSet):
1497         (JSC::::~GCIncomingRefCountedSet):
1498         (JSC::::addReference):
1499         (JSC::::sweep):
1500         (JSC::::removeAll):
1501         (JSC::::removeDead):
1502         * heap/Heap.cpp:
1503         (JSC::Heap::addReference):
1504         (JSC::Heap::extraSize):
1505         (JSC::Heap::size):
1506         (JSC::Heap::capacity):
1507         (JSC::Heap::collect):
1508         (JSC::Heap::decrementDeferralDepth):
1509         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
1510         * heap/Heap.h:
1511         * interpreter/CallFrame.h:
1512         (JSC::ExecState::dataViewTable):
1513         * jit/JIT.h:
1514         * jit/JITPropertyAccess.cpp:
1515         (JSC::JIT::privateCompileGetByVal):
1516         (JSC::JIT::privateCompilePutByVal):
1517         (JSC::JIT::emitIntTypedArrayGetByVal):
1518         (JSC::JIT::emitFloatTypedArrayGetByVal):
1519         (JSC::JIT::emitIntTypedArrayPutByVal):
1520         (JSC::JIT::emitFloatTypedArrayPutByVal):
1521         * jsc.cpp:
1522         (GlobalObject::finishCreation):
1523         * runtime/ArrayBuffer.cpp:
1524         (JSC::ArrayBuffer::transfer):
1525         * runtime/ArrayBuffer.h:
1526         (JSC::ArrayBuffer::createAdopted):
1527         (JSC::ArrayBuffer::ArrayBuffer):
1528         (JSC::ArrayBuffer::gcSizeEstimateInBytes):
1529         (JSC::ArrayBuffer::pin):
1530         (JSC::ArrayBuffer::unpin):
1531         (JSC::ArrayBufferContents::tryAllocate):
1532         * runtime/ArrayBufferView.cpp:
1533         (JSC::ArrayBufferView::ArrayBufferView):
1534         (JSC::ArrayBufferView::~ArrayBufferView):
1535         (JSC::ArrayBufferView::setNeuterable):
1536         * runtime/ArrayBufferView.h:
1537         (JSC::ArrayBufferView::isNeutered):
1538         (JSC::ArrayBufferView::buffer):
1539         (JSC::ArrayBufferView::baseAddress):
1540         (JSC::ArrayBufferView::byteOffset):
1541         (JSC::ArrayBufferView::verifySubRange):
1542         (JSC::ArrayBufferView::clampOffsetAndNumElements):
1543         (JSC::ArrayBufferView::calculateOffsetAndLength):
1544         * runtime/ClassInfo.h:
1545         * runtime/CommonIdentifiers.h:
1546         * runtime/DataView.cpp: Added.
1547         (JSC::DataView::DataView):
1548         (JSC::DataView::create):
1549         (JSC::DataView::wrap):
1550         * runtime/DataView.h: Added.
1551         (JSC::DataView::byteLength):
1552         (JSC::DataView::getType):
1553         (JSC::DataView::get):
1554         (JSC::DataView::set):
1555         * runtime/Float32Array.h:
1556         * runtime/Float64Array.h:
1557         * runtime/GenericTypedArrayView.h: Added.
1558         (JSC::GenericTypedArrayView::data):
1559         (JSC::GenericTypedArrayView::set):
1560         (JSC::GenericTypedArrayView::setRange):
1561         (JSC::GenericTypedArrayView::zeroRange):
1562         (JSC::GenericTypedArrayView::zeroFill):
1563         (JSC::GenericTypedArrayView::length):
1564         (JSC::GenericTypedArrayView::byteLength):
1565         (JSC::GenericTypedArrayView::item):
1566         (JSC::GenericTypedArrayView::checkInboundData):
1567         (JSC::GenericTypedArrayView::getType):
1568         * runtime/GenericTypedArrayViewInlines.h: Added.
1569         (JSC::::GenericTypedArrayView):
1570         (JSC::::create):
1571         (JSC::::createUninitialized):
1572         (JSC::::subarray):
1573         (JSC::::wrap):
1574         * runtime/IndexingHeader.h:
1575         (JSC::IndexingHeader::arrayBuffer):
1576         (JSC::IndexingHeader::setArrayBuffer):
1577         * runtime/Int16Array.h:
1578         * runtime/Int32Array.h:
1579         * runtime/Int8Array.h:
1580         * runtime/JSArrayBuffer.cpp: Added.
1581         (JSC::JSArrayBuffer::JSArrayBuffer):
1582         (JSC::JSArrayBuffer::finishCreation):
1583         (JSC::JSArrayBuffer::create):
1584         (JSC::JSArrayBuffer::createStructure):
1585         (JSC::JSArrayBuffer::getOwnPropertySlot):
1586         (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
1587         (JSC::JSArrayBuffer::put):
1588         (JSC::JSArrayBuffer::defineOwnProperty):
1589         (JSC::JSArrayBuffer::deleteProperty):
1590         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
1591         * runtime/JSArrayBuffer.h: Added.
1592         (JSC::JSArrayBuffer::impl):
1593         (JSC::toArrayBuffer):
1594         * runtime/JSArrayBufferConstructor.cpp: Added.
1595         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
1596         (JSC::JSArrayBufferConstructor::finishCreation):
1597         (JSC::JSArrayBufferConstructor::create):
1598         (JSC::JSArrayBufferConstructor::createStructure):
1599         (JSC::constructArrayBuffer):
1600         (JSC::JSArrayBufferConstructor::getConstructData):
1601         (JSC::JSArrayBufferConstructor::getCallData):
1602         * runtime/JSArrayBufferConstructor.h: Added.
1603         * runtime/JSArrayBufferPrototype.cpp: Added.
1604         (JSC::arrayBufferProtoFuncSlice):
1605         (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
1606         (JSC::JSArrayBufferPrototype::finishCreation):
1607         (JSC::JSArrayBufferPrototype::create):
1608         (JSC::JSArrayBufferPrototype::createStructure):
1609         * runtime/JSArrayBufferPrototype.h: Added.
1610         * runtime/JSArrayBufferView.cpp: Added.
1611         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1612         (JSC::JSArrayBufferView::JSArrayBufferView):
1613         (JSC::JSArrayBufferView::finishCreation):
1614         (JSC::JSArrayBufferView::getOwnPropertySlot):
1615         (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
1616         (JSC::JSArrayBufferView::put):
1617         (JSC::JSArrayBufferView::defineOwnProperty):
1618         (JSC::JSArrayBufferView::deleteProperty):
1619         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
1620         (JSC::JSArrayBufferView::finalize):
1621         * runtime/JSArrayBufferView.h: Added.
1622         (JSC::JSArrayBufferView::sizeOf):
1623         (JSC::JSArrayBufferView::ConstructionContext::operator!):
1624         (JSC::JSArrayBufferView::ConstructionContext::structure):
1625         (JSC::JSArrayBufferView::ConstructionContext::vector):
1626         (JSC::JSArrayBufferView::ConstructionContext::length):
1627         (JSC::JSArrayBufferView::ConstructionContext::mode):
1628         (JSC::JSArrayBufferView::ConstructionContext::butterfly):
1629         (JSC::JSArrayBufferView::mode):
1630         (JSC::JSArrayBufferView::vector):
1631         (JSC::JSArrayBufferView::length):
1632         (JSC::JSArrayBufferView::offsetOfVector):
1633         (JSC::JSArrayBufferView::offsetOfLength):
1634         (JSC::JSArrayBufferView::offsetOfMode):
1635         * runtime/JSArrayBufferViewInlines.h: Added.
1636         (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
1637         (JSC::JSArrayBufferView::buffer):
1638         (JSC::JSArrayBufferView::impl):
1639         (JSC::JSArrayBufferView::neuter):
1640         (JSC::JSArrayBufferView::byteOffset):
1641         * runtime/JSCell.cpp:
1642         (JSC::JSCell::slowDownAndWasteMemory):
1643         (JSC::JSCell::getTypedArrayImpl):
1644         * runtime/JSCell.h:
1645         * runtime/JSDataView.cpp: Added.
1646         (JSC::JSDataView::JSDataView):
1647         (JSC::JSDataView::create):
1648         (JSC::JSDataView::createUninitialized):
1649         (JSC::JSDataView::set):
1650         (JSC::JSDataView::typedImpl):
1651         (JSC::JSDataView::getOwnPropertySlot):
1652         (JSC::JSDataView::getOwnPropertyDescriptor):
1653         (JSC::JSDataView::slowDownAndWasteMemory):
1654         (JSC::JSDataView::getTypedArrayImpl):
1655         (JSC::JSDataView::createStructure):
1656         * runtime/JSDataView.h: Added.
1657         * runtime/JSDataViewPrototype.cpp: Added.
1658         (JSC::JSDataViewPrototype::JSDataViewPrototype):
1659         (JSC::JSDataViewPrototype::create):
1660         (JSC::JSDataViewPrototype::createStructure):
1661         (JSC::JSDataViewPrototype::getOwnPropertySlot):
1662         (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
1663         (JSC::getData):
1664         (JSC::setData):
1665         (JSC::dataViewProtoFuncGetInt8):
1666         (JSC::dataViewProtoFuncGetInt16):
1667         (JSC::dataViewProtoFuncGetInt32):
1668         (JSC::dataViewProtoFuncGetUint8):
1669         (JSC::dataViewProtoFuncGetUint16):
1670         (JSC::dataViewProtoFuncGetUint32):
1671         (JSC::dataViewProtoFuncGetFloat32):
1672         (JSC::dataViewProtoFuncGetFloat64):
1673         (JSC::dataViewProtoFuncSetInt8):
1674         (JSC::dataViewProtoFuncSetInt16):
1675         (JSC::dataViewProtoFuncSetInt32):
1676         (JSC::dataViewProtoFuncSetUint8):
1677         (JSC::dataViewProtoFuncSetUint16):
1678         (JSC::dataViewProtoFuncSetUint32):
1679         (JSC::dataViewProtoFuncSetFloat32):
1680         (JSC::dataViewProtoFuncSetFloat64):
1681         * runtime/JSDataViewPrototype.h: Added.
1682         * runtime/JSFloat32Array.h: Added.
1683         * runtime/JSFloat64Array.h: Added.
1684         * runtime/JSGenericTypedArrayView.h: Added.
1685         (JSC::JSGenericTypedArrayView::byteLength):
1686         (JSC::JSGenericTypedArrayView::byteSize):
1687         (JSC::JSGenericTypedArrayView::typedVector):
1688         (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
1689         (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
1690         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
1691         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
1692         (JSC::JSGenericTypedArrayView::getIndexQuickly):
1693         (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
1694         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
1695         (JSC::JSGenericTypedArrayView::setIndexQuickly):
1696         (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
1697         (JSC::JSGenericTypedArrayView::typedImpl):
1698         (JSC::JSGenericTypedArrayView::createStructure):
1699         (JSC::JSGenericTypedArrayView::info):
1700         (JSC::toNativeTypedView):
1701         * runtime/JSGenericTypedArrayViewConstructor.h: Added.
1702         * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
1703         (JSC::::JSGenericTypedArrayViewConstructor):
1704         (JSC::::finishCreation):
1705         (JSC::::create):
1706         (JSC::::createStructure):
1707         (JSC::constructGenericTypedArrayView):
1708         (JSC::::getConstructData):
1709         (JSC::::getCallData):
1710         * runtime/JSGenericTypedArrayViewInlines.h: Added.
1711         (JSC::::JSGenericTypedArrayView):
1712         (JSC::::create):
1713         (JSC::::createUninitialized):
1714         (JSC::::validateRange):
1715         (JSC::::setWithSpecificType):
1716         (JSC::::set):
1717         (JSC::::getOwnPropertySlot):
1718         (JSC::::getOwnPropertyDescriptor):
1719         (JSC::::put):
1720         (JSC::::defineOwnProperty):
1721         (JSC::::deleteProperty):
1722         (JSC::::getOwnPropertySlotByIndex):
1723         (JSC::::putByIndex):
1724         (JSC::::deletePropertyByIndex):
1725         (JSC::::getOwnNonIndexPropertyNames):
1726         (JSC::::getOwnPropertyNames):
1727         (JSC::::visitChildren):
1728         (JSC::::copyBackingStore):
1729         (JSC::::slowDownAndWasteMemory):
1730         (JSC::::getTypedArrayImpl):
1731         * runtime/JSGenericTypedArrayViewPrototype.h: Added.
1732         * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
1733         (JSC::genericTypedArrayViewProtoFuncSet):
1734         (JSC::genericTypedArrayViewProtoFuncSubarray):
1735         (JSC::::JSGenericTypedArrayViewPrototype):
1736         (JSC::::finishCreation):
1737         (JSC::::create):
1738         (JSC::::createStructure):
1739         * runtime/JSGlobalObject.cpp:
1740         (JSC::JSGlobalObject::reset):
1741         (JSC::JSGlobalObject::visitChildren):
1742         * runtime/JSGlobalObject.h:
1743         (JSC::JSGlobalObject::arrayBufferPrototype):
1744         (JSC::JSGlobalObject::arrayBufferStructure):
1745         (JSC::JSGlobalObject::typedArrayStructure):
1746         * runtime/JSInt16Array.h: Added.
1747         * runtime/JSInt32Array.h: Added.
1748         * runtime/JSInt8Array.h: Added.
1749         * runtime/JSTypedArrayConstructors.cpp: Added.
1750         * runtime/JSTypedArrayConstructors.h: Added.
1751         * runtime/JSTypedArrayPrototypes.cpp: Added.
1752         * runtime/JSTypedArrayPrototypes.h: Added.
1753         * runtime/JSTypedArrays.cpp: Added.
1754         * runtime/JSTypedArrays.h: Added.
1755         * runtime/JSUint16Array.h: Added.
1756         * runtime/JSUint32Array.h: Added.
1757         * runtime/JSUint8Array.h: Added.
1758         * runtime/JSUint8ClampedArray.h: Added.
1759         * runtime/Operations.h:
1760         * runtime/Options.h:
1761         * runtime/SimpleTypedArrayController.cpp: Added.
1762         (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
1763         (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
1764         (JSC::SimpleTypedArrayController::toJS):
1765         * runtime/SimpleTypedArrayController.h: Added.
1766         * runtime/Structure.h:
1767         (JSC::Structure::couldHaveIndexingHeader):
1768         * runtime/StructureInlines.h:
1769         (JSC::Structure::hasIndexingHeader):
1770         * runtime/TypedArrayAdaptors.h: Added.
1771         (JSC::IntegralTypedArrayAdaptor::toNative):
1772         (JSC::IntegralTypedArrayAdaptor::toJSValue):
1773         (JSC::IntegralTypedArrayAdaptor::toDouble):
1774         (JSC::FloatTypedArrayAdaptor::toNative):
1775         (JSC::FloatTypedArrayAdaptor::toJSValue):
1776         (JSC::FloatTypedArrayAdaptor::toDouble):
1777         (JSC::Uint8ClampedAdaptor::toNative):
1778         (JSC::Uint8ClampedAdaptor::toJSValue):
1779         (JSC::Uint8ClampedAdaptor::toDouble):
1780         (JSC::Uint8ClampedAdaptor::clamp):
1781         * runtime/TypedArrayController.cpp: Added.
1782         (JSC::TypedArrayController::TypedArrayController):
1783         (JSC::TypedArrayController::~TypedArrayController):
1784         * runtime/TypedArrayController.h: Added.
1785         * runtime/TypedArrayDescriptor.h: Removed.
1786         * runtime/TypedArrayInlines.h: Added.
1787         * runtime/TypedArrayType.cpp: Added.
1788         (JSC::classInfoForType):
1789         (WTF::printInternal):
1790         * runtime/TypedArrayType.h: Added.
1791         (JSC::toIndex):
1792         (JSC::isTypedView):
1793         (JSC::elementSize):
1794         (JSC::isInt):
1795         (JSC::isFloat):
1796         (JSC::isSigned):
1797         (JSC::isClamped):
1798         * runtime/TypedArrays.h: Added.
1799         * runtime/Uint16Array.h:
1800         * runtime/Uint32Array.h:
1801         * runtime/Uint8Array.h:
1802         * runtime/Uint8ClampedArray.h:
1803         * runtime/VM.cpp:
1804         (JSC::VM::VM):
1805         (JSC::VM::~VM):
1806         * runtime/VM.h:
1807
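The entry above describes two JS-visible consequences of the rewrite: Uint8ClampedArray stops being a subtype of Uint8Array (and ArrayBufferView stops being a JS-visible constructor), and neutered buffers must be handled through the JS view wrappers rather than through native views. The following is an added example, not WebKit code, that exercises those semantics as they are observable from JavaScript today. It assumes a runtime where "neutering" has its current name, detaching, and where structuredClone with a transfer list is available (Node 17+ or a browser); whether an engine passes these checks is exactly the kind of thing that has to hold once the backing store is gone, because a wrapper that still dereferenced its old vector would be reading freed memory.

```javascript
// Added example (not WebKit's code): typed-array semantics the ChangeLog
// entry describes, checked from plain JavaScript. Assumes structuredClone
// with { transfer } (Node 17+ / browsers).
'use strict';

// Returns true if fn() throws a TypeError, false if it returns normally.
function throwsTypeError(fn) {
  try {
    fn();
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Uint8ClampedArray is a sibling of Uint8Array (both hang off the hidden
// %TypedArray%.prototype), not a subtype of it, and it clamps on store where
// Uint8Array wraps modulo 256. ArrayBufferView is not a visible constructor.
function viewTypeSemantics() {
  const clamped = new Uint8ClampedArray(2);
  const plain = new Uint8Array(2);
  clamped[0] = 300;  plain[0] = 300;   // 255 vs 300 mod 256 = 44
  clamped[1] = -5;   plain[1] = -5;    // 0   vs -5 mod 256 = 251
  return {
    clampedIsUint8: clamped instanceof Uint8Array,
    sameBase: Object.getPrototypeOf(Uint8ClampedArray.prototype)
           === Object.getPrototypeOf(Uint8Array.prototype),
    arrayBufferViewVisible: typeof globalThis.ArrayBufferView !== 'undefined',
    clampedValues: Array.from(clamped),
    wrappedValues: Array.from(plain),
  };
}

// Neutering (now called detaching): transferring an ArrayBuffer moves its
// backing store away. Every wrapper over the old buffer must afterwards
// report length 0 / undefined elements or throw; none may touch the old
// memory. DataView is stricter than the typed-array views: it throws.
function detachSemantics() {
  const buffer = new ArrayBuffer(8);
  const view = new Uint8Array(buffer);
  const dataView = new DataView(buffer);
  view[0] = 0x41;

  const before = {
    byteLength: buffer.byteLength,   // 8
    viewLength: view.length,         // 8
    first: view[0],                  // 0x41
  };

  // structuredClone with a transfer list detaches `buffer` in this realm and
  // hands the bytes to `moved`.
  const moved = structuredClone(buffer, { transfer: [buffer] });

  const after = {
    byteLength: buffer.byteLength,                      // 0
    viewLength: view.length,                            // 0
    first: view[0],                                     // undefined
    movedByteLength: moved.byteLength,                  // 8
    movedFirst: new Uint8Array(moved)[0],               // 0x41 travelled with the store
    dataViewByteLengthThrows: throwsTypeError(() => dataView.byteLength),
    dataViewGetThrows: throwsTypeError(() => dataView.getUint8(0)),
    newViewThrows: throwsTypeError(() => new Uint8Array(buffer)),
    subarrayThrows: throwsTypeError(() => view.subarray(0, 1)),
  };
  return { before, after };
}
```

Run it in a Node REPL and compare the two result objects: the typed-array wrapper degrades to a zero-length view, the DataView refuses every access, and no path returns bytes from the detached store.
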
1808 2013-08-15  Oliver Hunt  <oliver@apple.com>
1809
1810         <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure
1811
1812         Reviewed by Filip Pizlo.
1813
1814         Make sure dfgCapabilities doesn't report a Dynamic put as
1815         being compilable when we don't actually support it.  
1816
1817         * bytecode/CodeBlock.cpp:
1818         (JSC::CodeBlock::dumpBytecode):
1819         * dfg/DFGCapabilities.cpp:
1820         (JSC::DFG::capabilityLevel):
1821
1822 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
1823
1824         [Windows] Incorrect DLL Linkage for JSC ArrayBuffer and ArrayBufferView
1825         https://bugs.webkit.org/show_bug.cgi?id=119847
1826
1827         Reviewed by Oliver Hunt.
1828
1829         * runtime/ArrayBuffer.h: Switch from WTF_EXPORT_PRIVATE to JS_EXPORT_PRIVATE
1830         * runtime/ArrayBufferView.h: Ditto.
1831
1832 2013-08-15  Gavin Barraclough  <barraclough@apple.com>
1833
1834         https://bugs.webkit.org/show_bug.cgi?id=119843
1835         PropertySlot::setValue is ambiguous
1836
1837         Reviewed by Geoff Garen.
1838
1839         There are three different versions of PropertySlot::setValue, one for cacheable properties, and two that are used interchangeably and inconsistently.
1840         The problematic variants are the ones that just take a value, and one that takes a value and also the object containing the property.
1841         Unify on always providing the object, and remove the version that just takes a value.
1842         This always works except for JSString, where we optimize out the object (logically we should be instantiating a temporary StringObject on every property access).
1843         Provide a version of setValue that takes a JSString as the owner of the property.
1844         We won't store this, but it makes it clear that this interface should only be used from JSString.
1845
1846         * API/JSCallbackObjectFunctions.h:
1847         (JSC::::getOwnPropertySlot):
1848         * JSCTypedArrayStubs.h:
1849         * runtime/Arguments.cpp:
1850         (JSC::Arguments::getOwnPropertySlotByIndex):
1851         (JSC::Arguments::getOwnPropertySlot):
1852         * runtime/JSActivation.cpp:
1853         (JSC::JSActivation::symbolTableGet):
1854         (JSC::JSActivation::getOwnPropertySlot):
1855         * runtime/JSArray.cpp:
1856         (JSC::JSArray::getOwnPropertySlot):
1857         * runtime/JSObject.cpp:
1858         (JSC::JSObject::getOwnPropertySlotByIndex):
1859         * runtime/JSString.h:
1860         (JSC::JSString::getStringPropertySlot):
1861         * runtime/JSSymbolTableObject.h:
1862         (JSC::symbolTableGet):
1863         * runtime/SparseArrayValueMap.cpp:
1864         (JSC::SparseArrayEntry::get):
1865             - Pass object containing property to PropertySlot::setValue
1866         * runtime/PropertySlot.h:
1867         (JSC::PropertySlot::setValue):
1868             - Logically, the base of a string property access is a temporary StringObject, but we optimize that away.
1869         (JSC::PropertySlot::setUndefined):
1870             - removed setValue(JSValue), added setValue(JSString*, JSValue)
1871
1872 2013-08-15  Oliver Hunt  <oliver@apple.com>
1873
1874         Remove bogus assertion.
1875
1876         RS=Filip Pizlo
1877
1878         * dfg/DFGAbstractInterpreterInlines.h:
1879         (JSC::DFG::::executeEffects):
1880
1881 2013-08-15  Allan Sandfeld Jensen  <allan.jensen@digia.com>
1882
1883         REGRESSION(r148790) Made 7 tests fail on x86 32bit
1884         https://bugs.webkit.org/show_bug.cgi?id=114913
1885
1886         Reviewed by Filip Pizlo.
1887
1888         The X87 register was not freed before some calls. Instead
1889         of inserting resetX87Registers to the last call sites,
1890         the two X87 registers are now freed in every call.
1891
1892         * llint/LowLevelInterpreter32_64.asm:
1893         * llint/LowLevelInterpreter64.asm:
1894         * offlineasm/instructions.rb:
1895         * offlineasm/x86.rb:
1896
1897 2013-08-14  Michael Saboff  <msaboff@apple.com>
1898
1899         Fixed jit on Win64.
1900         https://bugs.webkit.org/show_bug.cgi?id=119601
1901
1902         Reviewed by Oliver Hunt.
1903
1904         * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation.
1905         * jit/JSInterfaceJIT.h: Added thirdArgumentRegister.
1906         * jit/SlowPathCall.h:
1907         (JSC::JITSlowPathCall::call): Added correct calling convention for Win64.
1908
1909 2013-08-14  Alex Christensen  <achristensen@apple.com>
1910
1911         Compile fix for Win64 with jit disabled.
1912         https://bugs.webkit.org/show_bug.cgi?id=119804
1913
1914         Reviewed by Michael Saboff.
1915
1916         * offlineasm/cloop.rb: Added std:: before isnan.
1917
1918 2013-08-14  Julien Brianceau  <jbrianceau@nds.com>
1919
1920         DFG_JIT implementation for sh4 architecture.
1921         https://bugs.webkit.org/show_bug.cgi?id=119737
1922
1923         Reviewed by Oliver Hunt.
1924
1925         * assembler/MacroAssemblerSH4.h:
1926         (JSC::MacroAssemblerSH4::invert):
1927         (JSC::MacroAssemblerSH4::add32):
1928         (JSC::MacroAssemblerSH4::and32):
1929         (JSC::MacroAssemblerSH4::lshift32):
1930         (JSC::MacroAssemblerSH4::mul32):
1931         (JSC::MacroAssemblerSH4::or32):
1932         (JSC::MacroAssemblerSH4::rshift32):
1933         (JSC::MacroAssemblerSH4::sub32):
1934         (JSC::MacroAssemblerSH4::xor32):
1935         (JSC::MacroAssemblerSH4::store32):
1936         (JSC::MacroAssemblerSH4::swapDouble):
1937         (JSC::MacroAssemblerSH4::storeDouble):
1938         (JSC::MacroAssemblerSH4::subDouble):
1939         (JSC::MacroAssemblerSH4::mulDouble):
1940         (JSC::MacroAssemblerSH4::divDouble):
1941         (JSC::MacroAssemblerSH4::negateDouble):
1942         (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
1943         (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
1944         (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
1945         (JSC::MacroAssemblerSH4::swap):
1946         (JSC::MacroAssemblerSH4::jump):
1947         (JSC::MacroAssemblerSH4::branchNeg32):
1948         (JSC::MacroAssemblerSH4::branchAdd32):
1949         (JSC::MacroAssemblerSH4::branchMul32):
1950         (JSC::MacroAssemblerSH4::urshift32):
1951         * assembler/SH4Assembler.h:
1952         (JSC::SH4Assembler::SH4Assembler):
1953         (JSC::SH4Assembler::labelForWatchpoint):
1954         (JSC::SH4Assembler::label):
1955         (JSC::SH4Assembler::debugOffset):
1956         * dfg/DFGAssemblyHelpers.h:
1957         (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
1958         (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
1959         (JSC::DFG::AssemblyHelpers::debugCall):
1960         * dfg/DFGCCallHelpers.h:
1961         (JSC::DFG::CCallHelpers::setupArguments):
1962         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
1963         * dfg/DFGFPRInfo.h:
1964         (JSC::DFG::FPRInfo::toRegister):
1965         (JSC::DFG::FPRInfo::toIndex):
1966         (JSC::DFG::FPRInfo::debugName):
1967         * dfg/DFGGPRInfo.h:
1968         (JSC::DFG::GPRInfo::toRegister):
1969         (JSC::DFG::GPRInfo::toIndex):
1970         (JSC::DFG::GPRInfo::debugName):
1971         * dfg/DFGOperations.cpp:
1972         * dfg/DFGSpeculativeJIT.h:
1973         (JSC::DFG::SpeculativeJIT::callOperation):
1974         * jit/JITStubs.h:
1975         * jit/JITStubsSH4.h:
1976
1977 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
1978
1979         Unreviewed, fix build.
1980
1981         * API/JSValue.mm:
1982         (isDate):
1983         (isArray):
1984         * API/JSWrapperMap.mm:
1985         (tryUnwrapObjcObject):
1986         * API/ObjCCallbackFunction.mm:
1987         (tryUnwrapBlock):
1988
1989 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
1990
1991         Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
1992         https://bugs.webkit.org/show_bug.cgi?id=119770
1993
1994         Reviewed by Mark Hahnenberg.
1995
1996         * API/JSCallbackConstructor.cpp:
1997         (JSC::JSCallbackConstructor::finishCreation):
1998         * API/JSCallbackConstructor.h:
1999         (JSC::JSCallbackConstructor::createStructure):
2000         * API/JSCallbackFunction.cpp:
2001         (JSC::JSCallbackFunction::finishCreation):
2002         * API/JSCallbackFunction.h:
2003         (JSC::JSCallbackFunction::createStructure):
2004         * API/JSCallbackObject.cpp:
2005         (JSC::::createStructure):
2006         * API/JSCallbackObject.h:
2007         (JSC::JSCallbackObject::visitChildren):
2008         * API/JSCallbackObjectFunctions.h:
2009         (JSC::::asCallbackObject):
2010         (JSC::::finishCreation):
2011         * API/JSObjectRef.cpp:
2012         (JSObjectGetPrivate):
2013         (JSObjectSetPrivate):
2014         (JSObjectGetPrivateProperty):
2015         (JSObjectSetPrivateProperty):
2016         (JSObjectDeletePrivateProperty):
2017         * API/JSValueRef.cpp:
2018         (JSValueIsObjectOfClass):
2019         * API/JSWeakObjectMapRefPrivate.cpp:
2020         * API/ObjCCallbackFunction.h:
2021         (JSC::ObjCCallbackFunction::createStructure):
2022         * JSCTypedArrayStubs.h:
2023         * bytecode/CallLinkStatus.cpp:
2024         (JSC::CallLinkStatus::CallLinkStatus):
2025         (JSC::CallLinkStatus::function):
2026         (JSC::CallLinkStatus::internalFunction):
2027         * bytecode/CodeBlock.h:
2028         (JSC::baselineCodeBlockForInlineCallFrame):
2029         * bytecode/SpeculatedType.cpp:
2030         (JSC::speculationFromClassInfo):
2031         * bytecode/UnlinkedCodeBlock.cpp:
2032         (JSC::UnlinkedFunctionExecutable::visitChildren):
2033         (JSC::UnlinkedCodeBlock::visitChildren):
2034         (JSC::UnlinkedProgramCodeBlock::visitChildren):
2035         * bytecode/UnlinkedCodeBlock.h:
2036         (JSC::UnlinkedFunctionExecutable::createStructure):
2037         (JSC::UnlinkedProgramCodeBlock::createStructure):
2038         (JSC::UnlinkedEvalCodeBlock::createStructure):
2039         (JSC::UnlinkedFunctionCodeBlock::createStructure):
2040         * debugger/Debugger.cpp:
2041         * debugger/DebuggerActivation.cpp:
2042         (JSC::DebuggerActivation::visitChildren):
2043         * debugger/DebuggerActivation.h:
2044         (JSC::DebuggerActivation::createStructure):
2045         * debugger/DebuggerCallFrame.cpp:
2046         (JSC::DebuggerCallFrame::functionName):
2047         * dfg/DFGAbstractInterpreterInlines.h:
2048         (JSC::DFG::::executeEffects):
2049         * dfg/DFGByteCodeParser.cpp:
2050         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2051         (JSC::DFG::ByteCodeParser::parseBlock):
2052         * dfg/DFGFixupPhase.cpp:
2053         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
2054         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
2055         * dfg/DFGGraph.cpp:
2056         (JSC::DFG::Graph::dump):
2057         * dfg/DFGGraph.h:
2058         (JSC::DFG::Graph::isInternalFunctionConstant):
2059         * dfg/DFGOperations.cpp:
2060         * dfg/DFGSpeculativeJIT.cpp:
2061         (JSC::DFG::SpeculativeJIT::checkArray):
2062         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2063         * dfg/DFGThunks.cpp:
2064         (JSC::DFG::virtualForThunkGenerator):
2065         * interpreter/Interpreter.cpp:
2066         (JSC::loadVarargs):
2067         * jsc.cpp:
2068         (GlobalObject::createStructure):
2069         * profiler/LegacyProfiler.cpp:
2070         (JSC::LegacyProfiler::createCallIdentifier):
2071         * runtime/Arguments.cpp:
2072         (JSC::Arguments::visitChildren):
2073         * runtime/Arguments.h:
2074         (JSC::Arguments::createStructure):
2075         (JSC::asArguments):
2076         (JSC::Arguments::finishCreation):
2077         * runtime/ArrayConstructor.cpp:
2078         (JSC::arrayConstructorIsArray):
2079         * runtime/ArrayConstructor.h:
2080         (JSC::ArrayConstructor::createStructure):
2081         * runtime/ArrayPrototype.cpp:
2082         (JSC::ArrayPrototype::finishCreation):
2083         (JSC::arrayProtoFuncConcat):
2084         (JSC::attemptFastSort):
2085         * runtime/ArrayPrototype.h:
2086         (JSC::ArrayPrototype::createStructure):
2087         * runtime/BooleanConstructor.h:
2088         (JSC::BooleanConstructor::createStructure):
2089         * runtime/BooleanObject.cpp:
2090         (JSC::BooleanObject::finishCreation):
2091         * runtime/BooleanObject.h:
2092         (JSC::BooleanObject::createStructure):
2093         (JSC::asBooleanObject):
2094         * runtime/BooleanPrototype.cpp:
2095         (JSC::BooleanPrototype::finishCreation):
2096         (JSC::booleanProtoFuncToString):
2097         (JSC::booleanProtoFuncValueOf):
2098         * runtime/BooleanPrototype.h:
2099         (JSC::BooleanPrototype::createStructure):
2100         * runtime/DateConstructor.cpp:
2101         (JSC::constructDate):
2102         * runtime/DateConstructor.h:
2103         (JSC::DateConstructor::createStructure):
2104         * runtime/DateInstance.cpp:
2105         (JSC::DateInstance::finishCreation):
2106         * runtime/DateInstance.h:
2107         (JSC::DateInstance::createStructure):
2108         (JSC::asDateInstance):
2109         * runtime/DatePrototype.cpp:
2110         (JSC::formateDateInstance):
2111         (JSC::DatePrototype::finishCreation):
2112         (JSC::dateProtoFuncToISOString):
2113         (JSC::dateProtoFuncToLocaleString):
2114         (JSC::dateProtoFuncToLocaleDateString):
2115         (JSC::dateProtoFuncToLocaleTimeString):
2116         (JSC::dateProtoFuncGetTime):
2117         (JSC::dateProtoFuncGetFullYear):
2118         (JSC::dateProtoFuncGetUTCFullYear):
2119         (JSC::dateProtoFuncGetMonth):
2120         (JSC::dateProtoFuncGetUTCMonth):
2121         (JSC::dateProtoFuncGetDate):
2122         (JSC::dateProtoFuncGetUTCDate):
2123         (JSC::dateProtoFuncGetDay):
2124         (JSC::dateProtoFuncGetUTCDay):
2125         (JSC::dateProtoFuncGetHours):
2126         (JSC::dateProtoFuncGetUTCHours):
2127         (JSC::dateProtoFuncGetMinutes):
2128         (JSC::dateProtoFuncGetUTCMinutes):
2129         (JSC::dateProtoFuncGetSeconds):
2130         (JSC::dateProtoFuncGetUTCSeconds):
2131         (JSC::dateProtoFuncGetMilliSeconds):
2132         (JSC::dateProtoFuncGetUTCMilliseconds):
2133         (JSC::dateProtoFuncGetTimezoneOffset):
2134         (JSC::dateProtoFuncSetTime):
2135         (JSC::setNewValueFromTimeArgs):
2136         (JSC::setNewValueFromDateArgs):
2137         (JSC::dateProtoFuncSetYear):
2138         (JSC::dateProtoFuncGetYear):
2139         * runtime/DatePrototype.h:
2140         (JSC::DatePrototype::createStructure):
2141         * runtime/Error.h:
2142         (JSC::StrictModeTypeErrorFunction::createStructure):
2143         * runtime/ErrorConstructor.h:
2144         (JSC::ErrorConstructor::createStructure):
2145         * runtime/ErrorInstance.cpp:
2146         (JSC::ErrorInstance::finishCreation):
2147         * runtime/ErrorInstance.h:
2148         (JSC::ErrorInstance::createStructure):
2149         * runtime/ErrorPrototype.cpp:
2150         (JSC::ErrorPrototype::finishCreation):
2151         * runtime/ErrorPrototype.h:
2152         (JSC::ErrorPrototype::createStructure):
2153         * runtime/ExceptionHelpers.cpp:
2154         (JSC::isTerminatedExecutionException):
2155         * runtime/ExceptionHelpers.h:
2156         (JSC::TerminatedExecutionError::createStructure):
2157         * runtime/Executable.cpp:
2158         (JSC::EvalExecutable::visitChildren):
2159         (JSC::ProgramExecutable::visitChildren):
2160         (JSC::FunctionExecutable::visitChildren):
2161         (JSC::ExecutableBase::hashFor):
2162         * runtime/Executable.h:
2163         (JSC::ExecutableBase::createStructure):
2164         (JSC::NativeExecutable::createStructure):
2165         (JSC::EvalExecutable::createStructure):
2166         (JSC::ProgramExecutable::createStructure):
2167         (JSC::FunctionExecutable::compileFor):
2168         (JSC::FunctionExecutable::compileOptimizedFor):
2169         (JSC::FunctionExecutable::createStructure):
2170         * runtime/FunctionConstructor.h:
2171         (JSC::FunctionConstructor::createStructure):
2172         * runtime/FunctionPrototype.cpp:
2173         (JSC::functionProtoFuncToString):
2174         (JSC::functionProtoFuncApply):
2175         (JSC::functionProtoFuncBind):
2176         * runtime/FunctionPrototype.h:
2177         (JSC::FunctionPrototype::createStructure):
2178         * runtime/GetterSetter.cpp:
2179         (JSC::GetterSetter::visitChildren):
2180         * runtime/GetterSetter.h:
2181         (JSC::GetterSetter::createStructure):
2182         * runtime/InternalFunction.cpp:
2183         (JSC::InternalFunction::finishCreation):
2184         * runtime/InternalFunction.h:
2185         (JSC::InternalFunction::createStructure):
2186         (JSC::asInternalFunction):
2187         * runtime/JSAPIValueWrapper.h:
2188         (JSC::JSAPIValueWrapper::createStructure):
2189         * runtime/JSActivation.cpp:
2190         (JSC::JSActivation::visitChildren):
2191         (JSC::JSActivation::argumentsGetter):
2192         * runtime/JSActivation.h:
2193         (JSC::JSActivation::createStructure):
2194         (JSC::asActivation):
2195         * runtime/JSArray.h:
2196         (JSC::JSArray::createStructure):
2197         (JSC::asArray):
2198         (JSC::isJSArray):
2199         * runtime/JSBoundFunction.cpp:
2200         (JSC::JSBoundFunction::finishCreation):
2201         (JSC::JSBoundFunction::visitChildren):
2202         * runtime/JSBoundFunction.h:
2203         (JSC::JSBoundFunction::createStructure):
2204         * runtime/JSCJSValue.cpp:
2205         (JSC::JSValue::dumpInContext):
2206         * runtime/JSCJSValueInlines.h:
2207         (JSC::JSValue::isFunction):
2208         * runtime/JSCell.h:
2209         (JSC::jsCast):
2210         (JSC::jsDynamicCast):
2211         * runtime/JSCellInlines.h:
2212         (JSC::allocateCell):
2213         * runtime/JSFunction.cpp:
2214         (JSC::JSFunction::finishCreation):
2215         (JSC::JSFunction::visitChildren):
2216         (JSC::skipOverBoundFunctions):
2217         (JSC::JSFunction::callerGetter):
2218         * runtime/JSFunction.h:
2219         (JSC::JSFunction::createStructure):
2220         * runtime/JSGlobalObject.cpp:
2221         (JSC::JSGlobalObject::visitChildren):
2222         (JSC::slowValidateCell):
2223         * runtime/JSGlobalObject.h:
2224         (JSC::JSGlobalObject::createStructure):
2225         * runtime/JSNameScope.cpp:
2226         (JSC::JSNameScope::visitChildren):
2227         * runtime/JSNameScope.h:
2228         (JSC::JSNameScope::createStructure):
2229         * runtime/JSNotAnObject.h:
2230         (JSC::JSNotAnObject::createStructure):
2231         * runtime/JSONObject.cpp:
2232         (JSC::JSONObject::finishCreation):
2233         (JSC::unwrapBoxedPrimitive):
2234         (JSC::Stringifier::Stringifier):
2235         (JSC::Stringifier::appendStringifiedValue):
2236         (JSC::Stringifier::Holder::Holder):
2237         (JSC::Walker::walk):
2238         (JSC::JSONProtoFuncStringify):
2239         * runtime/JSONObject.h:
2240         (JSC::JSONObject::createStructure):
2241         * runtime/JSObject.cpp:
2242         (JSC::getCallableObjectSlow):
2243         (JSC::JSObject::visitChildren):
2244         (JSC::JSObject::copyBackingStore):
2245         (JSC::JSFinalObject::visitChildren):
2246         (JSC::JSObject::ensureInt32Slow):
2247         (JSC::JSObject::ensureDoubleSlow):
2248         (JSC::JSObject::ensureContiguousSlow):
2249         (JSC::JSObject::ensureArrayStorageSlow):
2250         * runtime/JSObject.h:
2251         (JSC::JSObject::finishCreation):
2252         (JSC::JSObject::createStructure):
2253         (JSC::JSNonFinalObject::createStructure):
2254         (JSC::JSFinalObject::createStructure):
2255         (JSC::isJSFinalObject):
2256         * runtime/JSPropertyNameIterator.cpp:
2257         (JSC::JSPropertyNameIterator::visitChildren):
2258         * runtime/JSPropertyNameIterator.h:
2259         (JSC::JSPropertyNameIterator::createStructure):
2260         * runtime/JSProxy.cpp:
2261         (JSC::JSProxy::visitChildren):
2262         * runtime/JSProxy.h:
2263         (JSC::JSProxy::createStructure):
2264         * runtime/JSScope.cpp:
2265         (JSC::JSScope::visitChildren):
2266         * runtime/JSSegmentedVariableObject.cpp:
2267         (JSC::JSSegmentedVariableObject::visitChildren):
2268         * runtime/JSString.h:
2269         (JSC::JSString::createStructure):
2270         (JSC::isJSString):
2271         * runtime/JSSymbolTableObject.cpp:
2272         (JSC::JSSymbolTableObject::visitChildren):
2273         * runtime/JSVariableObject.h:
2274         * runtime/JSWithScope.cpp:
2275         (JSC::JSWithScope::visitChildren):
2276         * runtime/JSWithScope.h:
2277         (JSC::JSWithScope::createStructure):
2278         * runtime/JSWrapperObject.cpp:
2279         (JSC::JSWrapperObject::visitChildren):
2280         * runtime/JSWrapperObject.h:
2281         (JSC::JSWrapperObject::createStructure):
2282         * runtime/MathObject.cpp:
2283         (JSC::MathObject::finishCreation):
2284         * runtime/MathObject.h:
2285         (JSC::MathObject::createStructure):
2286         * runtime/NameConstructor.h:
2287         (JSC::NameConstructor::createStructure):
2288         * runtime/NameInstance.h:
2289         (JSC::NameInstance::createStructure):
2290         (JSC::NameInstance::finishCreation):
2291         * runtime/NamePrototype.cpp:
2292         (JSC::NamePrototype::finishCreation):
2293         (JSC::privateNameProtoFuncToString):
2294         * runtime/NamePrototype.h:
2295         (JSC::NamePrototype::createStructure):
2296         * runtime/NativeErrorConstructor.cpp:
2297         (JSC::NativeErrorConstructor::visitChildren):
2298         * runtime/NativeErrorConstructor.h:
2299         (JSC::NativeErrorConstructor::createStructure):
2300         (JSC::NativeErrorConstructor::finishCreation):
2301         * runtime/NumberConstructor.cpp:
2302         (JSC::NumberConstructor::finishCreation):
2303         * runtime/NumberConstructor.h:
2304         (JSC::NumberConstructor::createStructure):
2305         * runtime/NumberObject.cpp:
2306         (JSC::NumberObject::finishCreation):
2307         * runtime/NumberObject.h:
2308         (JSC::NumberObject::createStructure):
2309         * runtime/NumberPrototype.cpp:
2310         (JSC::NumberPrototype::finishCreation):
2311         * runtime/NumberPrototype.h:
2312         (JSC::NumberPrototype::createStructure):
2313         * runtime/ObjectConstructor.h:
2314         (JSC::ObjectConstructor::createStructure):
2315         * runtime/ObjectPrototype.cpp:
2316         (JSC::ObjectPrototype::finishCreation):
2317         * runtime/ObjectPrototype.h:
2318         (JSC::ObjectPrototype::createStructure):
2319         * runtime/PropertyMapHashTable.h:
2320         (JSC::PropertyTable::createStructure):
2321         * runtime/PropertyTable.cpp:
2322         (JSC::PropertyTable::visitChildren):
2323         * runtime/RegExp.h:
2324         (JSC::RegExp::createStructure):
2325         * runtime/RegExpConstructor.cpp:
2326         (JSC::RegExpConstructor::finishCreation):
2327         (JSC::RegExpConstructor::visitChildren):
2328         (JSC::constructRegExp):
2329         * runtime/RegExpConstructor.h:
2330         (JSC::RegExpConstructor::createStructure):
2331         (JSC::asRegExpConstructor):
2332         * runtime/RegExpMatchesArray.cpp:
2333         (JSC::RegExpMatchesArray::visitChildren):
2334         * runtime/RegExpMatchesArray.h:
2335         (JSC::RegExpMatchesArray::createStructure):
2336         * runtime/RegExpObject.cpp:
2337         (JSC::RegExpObject::finishCreation):
2338         (JSC::RegExpObject::visitChildren):
2339         * runtime/RegExpObject.h:
2340         (JSC::RegExpObject::createStructure):
2341         (JSC::asRegExpObject):
2342         * runtime/RegExpPrototype.cpp:
2343         (JSC::regExpProtoFuncTest):
2344         (JSC::regExpProtoFuncExec):
2345         (JSC::regExpProtoFuncCompile):
2346         (JSC::regExpProtoFuncToString):
2347         * runtime/RegExpPrototype.h:
2348         (JSC::RegExpPrototype::createStructure):
2349         * runtime/SparseArrayValueMap.cpp:
2350         (JSC::SparseArrayValueMap::createStructure):
2351         * runtime/SparseArrayValueMap.h:
2352         * runtime/StrictEvalActivation.h:
2353         (JSC::StrictEvalActivation::createStructure):
2354         * runtime/StringConstructor.h:
2355         (JSC::StringConstructor::createStructure):
2356         * runtime/StringObject.cpp:
2357         (JSC::StringObject::finishCreation):
2358         * runtime/StringObject.h:
2359         (JSC::StringObject::createStructure):
2360         (JSC::asStringObject):
2361         * runtime/StringPrototype.cpp:
2362         (JSC::StringPrototype::finishCreation):
2363         (JSC::stringProtoFuncReplace):
2364         (JSC::stringProtoFuncToString):
2365         (JSC::stringProtoFuncMatch):
2366         (JSC::stringProtoFuncSearch):
2367         (JSC::stringProtoFuncSplit):
2368         * runtime/StringPrototype.h:
2369         (JSC::StringPrototype::createStructure):
2370         * runtime/Structure.cpp:
2371         (JSC::Structure::Structure):
2372         (JSC::Structure::materializePropertyMap):
2373         (JSC::Structure::get):
2374         (JSC::Structure::visitChildren):
2375         * runtime/Structure.h:
2376         (JSC::Structure::typeInfo):
2377         (JSC::Structure::previousID):
2378         (JSC::Structure::outOfLineSize):
2379         (JSC::Structure::totalStorageCapacity):
2380         (JSC::Structure::materializePropertyMapIfNecessary):
2381         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
2382         * runtime/StructureChain.cpp:
2383         (JSC::StructureChain::visitChildren):
2384         * runtime/StructureChain.h:
2385         (JSC::StructureChain::createStructure):
2386         * runtime/StructureInlines.h:
2387         (JSC::Structure::get):
2388         * runtime/StructureRareData.cpp:
2389         (JSC::StructureRareData::createStructure):
2390         (JSC::StructureRareData::visitChildren):
2391         * runtime/StructureRareData.h:
2392         * runtime/SymbolTable.h:
2393         (JSC::SharedSymbolTable::createStructure):
2394         * runtime/VM.cpp:
2395         (JSC::VM::VM):
2396         (JSC::StackPreservingRecompiler::operator()):
2397         (JSC::VM::releaseExecutableMemory):
2398         * runtime/WriteBarrier.h:
2399         (JSC::validateCell):
2400         * testRegExp.cpp:
2401         (GlobalObject::createStructure):
2402
2403 2013-08-13  Arunprasad Rajkumar  <arurajku@cisco.com>
2404
2405         [WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places
2406         https://bugs.webkit.org/show_bug.cgi?id=119762
2407
2408         Reviewed by Geoffrey Garen.
2409
2410         * heap/Heap.cpp:
2411         (JSC::Heap::Heap):
2412         (JSC::Heap::markRoots):
2413         (JSC::Heap::collect):
2414         * jsc.cpp:
2415         (StopWatch::start):
2416         (StopWatch::stop):
2417         * testRegExp.cpp:
2418         (StopWatch::start):
2419         (StopWatch::stop):
2420
2421 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
2422
2423         [sh4] Prepare LLINT for DFG_JIT implementation.
2424         https://bugs.webkit.org/show_bug.cgi?id=119755
2425
2426         Reviewed by Oliver Hunt.
2427
2428         * LLIntOffsetsExtractor.pro: Add sh4.rb dependency.
2429         * offlineasm/sh4.rb:
2430             - Handle storeb opcode.
2431             - Make relative jumps when possible using braf opcode.
2432             - Update bmulio implementation to be consistent with baseline JIT.
2433             - Remove useless code from leap opcode.
2434             - Fix incorrect comment.
2435
2436 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
2437
2438         [sh4] Prepare baseline JIT for DFG_JIT implementation.
2439         https://bugs.webkit.org/show_bug.cgi?id=119758
2440
2441         Reviewed by Oliver Hunt.
2442
2443         * assembler/MacroAssemblerSH4.h:
2444             - Introduce a loadEffectiveAddress function to avoid code duplication.
2445             - Add ASSERTs and clean code.
2446         * assembler/SH4Assembler.h:
2447             - Prepare DFG_JIT implementation.
2448             - Add ASSERTs.
2449         * jit/JITStubs.cpp:
2450             - Add SH4 specific call for assertions.
2451         * jit/JITStubs.h:
2452             - Cosmetic change.
2453         * jit/JITStubsSH4.h:
2454             - Use constants to be more flexible with sh4 JIT stack frame.
2455         * jit/JSInterfaceJIT.h:
2456             - Cosmetic change.
2457
2458 2013-08-13  Oliver Hunt  <oliver@apple.com>
2459
2460         Harden executeConstruct against incorrect return types from host functions
2461         https://bugs.webkit.org/show_bug.cgi?id=119757
2462
2463         Reviewed by Mark Hahnenberg.
2464
2465         Add logic to guard against bogus return types.  There doesn't seem to be any
2466         class in webkit that does this wrong, but the typed array stubs in debug JSC
2467         do exhibit this bad behaviour.
2468
2469         * interpreter/Interpreter.cpp:
2470         (JSC::Interpreter::executeConstruct):
2471
2472 2013-08-13  Allan Sandfeld Jensen  <allan.jensen@digia.com>
2473
2474         [Qt] Fix C++11 build with gcc 4.4 and 4.5
2475         https://bugs.webkit.org/show_bug.cgi?id=119736
2476
2477         Reviewed by Anders Carlsson.
2478
2479         Don't force C++11 mode off anymore.
2480
2481         * Target.pri:
2482
2483 2013-08-12  Oliver Hunt  <oliver@apple.com>
2484
2485         Remove CodeBlock's notion of adding identifiers entirely
2486         https://bugs.webkit.org/show_bug.cgi?id=119708
2487
2488         Reviewed by Geoffrey Garen.
2489
2490         Remove addAdditionalIdentifier entirely, including the bogus assertion.
2491         Move the addition of identifiers to DFGPlan::reallyAdd
2492
2493         * bytecode/CodeBlock.h:
2494         * dfg/DFGDesiredIdentifiers.cpp:
2495         (JSC::DFG::DesiredIdentifiers::reallyAdd):
2496         * dfg/DFGDesiredIdentifiers.h:
2497         * dfg/DFGPlan.cpp:
2498         (JSC::DFG::Plan::reallyAdd):
2499         (JSC::DFG::Plan::finalize):
2500         * dfg/DFGPlan.h:
2501
2502 2013-08-12  Oliver Hunt  <oliver@apple.com>
2503
2504         Build fix
2505
2506         * runtime/JSCell.h:
2507
2508 2013-08-12  Oliver Hunt  <oliver@apple.com>
2509
2510         Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them
2511         https://bugs.webkit.org/show_bug.cgi?id=119705
2512
2513         Reviewed by Geoffrey Garen.
2514
2515         Relatively trivial refactoring
2516
2517         * bytecode/CodeBlock.h:
2518         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
2519         (JSC::CodeBlock::addAdditionalIdentifier):
2520         (JSC::CodeBlock::identifier):
2521         (JSC::CodeBlock::numberOfIdentifiers):
2522         * dfg/DFGCommonData.h:
2523
2524 2013-08-12  Oliver Hunt  <oliver@apple.com>
2525
2526         Stop making unnecessary copy of CodeBlock Identifier Vector
2527         https://bugs.webkit.org/show_bug.cgi?id=119702
2528
2529         Reviewed by Michael Saboff.
2530
2531         Make CodeBlock simply use a separate Vector for additional Identifiers
2532         and use the UnlinkedCodeBlock for the initial set of identifiers.
2533
2534         * bytecode/CodeBlock.cpp:
2535         (JSC::CodeBlock::printGetByIdOp):
2536         (JSC::dumpStructure):
2537         (JSC::dumpChain):
2538         (JSC::CodeBlock::printGetByIdCacheStatus):
2539         (JSC::CodeBlock::printPutByIdOp):
2540         (JSC::CodeBlock::dumpBytecode):
2541         (JSC::CodeBlock::CodeBlock):
2542         (JSC::CodeBlock::shrinkToFit):
2543         * bytecode/CodeBlock.h:
2544         (JSC::CodeBlock::numberOfIdentifiers):
2545         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
2546         (JSC::CodeBlock::addAdditionalIdentifier):
2547         (JSC::CodeBlock::identifier):
2548         * dfg/DFGDesiredIdentifiers.cpp:
2549         (JSC::DFG::DesiredIdentifiers::reallyAdd):
2550         * jit/JIT.h:
2551         * jit/JITOpcodes.cpp:
2552         (JSC::JIT::emitSlow_op_get_arguments_length):
2553         * jit/JITPropertyAccess.cpp:
2554         (JSC::JIT::emit_op_get_by_id):
2555         (JSC::JIT::compileGetByIdHotPath):
2556         (JSC::JIT::emitSlow_op_get_by_id):
2557         (JSC::JIT::compileGetByIdSlowCase):
2558         (JSC::JIT::emitSlow_op_put_by_id):
2559         * jit/JITPropertyAccess32_64.cpp:
2560         (JSC::JIT::emit_op_get_by_id):
2561         (JSC::JIT::compileGetByIdHotPath):
2562         (JSC::JIT::compileGetByIdSlowCase):
2563         * jit/JITStubs.cpp:
2564         (JSC::DEFINE_STUB_FUNCTION):
2565         * llint/LLIntSlowPaths.cpp:
2566         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2567
2568 2013-08-08  Mark Lam  <mark.lam@apple.com>
2569
2570         Restoring use of StackIterator instead of Interpreter::getStackTrace().
2571         https://bugs.webkit.org/show_bug.cgi?id=119575.
2572
2573         Reviewed by Oliver Hunt.
2574
2575         * interpreter/Interpreter.h:
2576         - Made getStackTrace() private.
2577         * interpreter/StackIterator.cpp:
2578         (JSC::StackIterator::StackIterator):
2579         (JSC::StackIterator::numberOfFrames):
2580         - Computes the number of frames by iterating through the whole stack
2581           from the starting frame. The iterator saves its current frame
2582           position before counting the frames, and then restores it after
2583           the counting.
2584         (JSC::StackIterator::gotoFrameAtIndex):
2585         (JSC::StackIterator::gotoNextFrame):
2586         (JSC::StackIterator::resetIterator):
2587         - Points the iterator to the starting frame.
2588         * interpreter/StackIteratorPrivate.h:
2589
2590 2013-08-08  Mark Lam  <mark.lam@apple.com>
2591
2592         Moved ErrorConstructor and NativeErrorConstructor helper functions into
2593         the Interpreter class.
2594         https://bugs.webkit.org/show_bug.cgi?id=119576.
2595
2596         Reviewed by Oliver Hunt.
2597
2598         This change is needed to prepare for making Interpreter::getStackTrace()
2599         private. It does not change the behavior of the code, only the lexical
2600         scoping.
2601
2602         * interpreter/Interpreter.h:
2603         - Added helper functions for ErrorConstructor and NativeErrorConstructor.
2604         * runtime/ErrorConstructor.cpp:
2605         (JSC::Interpreter::constructWithErrorConstructor):
2606         (JSC::ErrorConstructor::getConstructData):
2607         (JSC::Interpreter::callErrorConstructor):
2608         (JSC::ErrorConstructor::getCallData):
2609         - Don't want ErrorConstructor to call Interpreter::getStackTrace()
2610           directly. So, we moved the helper functions into the Interpreter
2611           class.
2612         * runtime/NativeErrorConstructor.cpp:
2613         (JSC::Interpreter::constructWithNativeErrorConstructor):
2614         (JSC::NativeErrorConstructor::getConstructData):
2615         (JSC::Interpreter::callNativeErrorConstructor):
2616         (JSC::NativeErrorConstructor::getCallData):
2617         - Don't want NativeErrorConstructor to call Interpreter::getStackTrace()
2618           directly. So, we moved the helper functions into the Interpreter
2619           class.
2620
2621 2013-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>
2622
2623         32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state
2624         https://bugs.webkit.org/show_bug.cgi?id=119555
2625
2626         Reviewed by Geoffrey Garen.
2627
2628         It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does.
2629         This was causing crashes on maps.google.com in 32-bit debug builds.
2630
2631         * dfg/DFGSpeculativeJIT32_64.cpp:
2632         (JSC::DFG::SpeculativeJIT::compile):
2633
2634 2013-08-06  Michael Saboff  <msaboff@apple.com>
2635
2636         REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT
2637         https://bugs.webkit.org/show_bug.cgi?id=119405
2638
2639         Reviewed by Geoffrey Garen.
2640
2641         * dfg/DFGSpeculativeJIT.cpp:
2642         (JSC::DFG::SpeculativeJIT::compileGetByValOnString): For X86 32 bit, construct an indexed address
2643         ourselves to save a register and then load from it.
2644
2645 2013-08-06  Filip Pizlo  <fpizlo@apple.com>
2646
2647         DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants
2648         https://bugs.webkit.org/show_bug.cgi?id=119528
2649
2650         Reviewed by Geoffrey Garen.
2651
2652         Either of the two fixes would solve the crash I saw. Basically, for best performance, we want the DFG register allocator to track double uses and non-double
2653         uses of a node separately, and we accomplish this by inserting Int32ToDouble nodes in the FixupPhase. But even if FixupPhase fails to do this, we still want
2654         the DFG register allocator to do the right thing: if it encounters a double use of an integer, it should perform a conversion and preserve the original
2655         format of the value (namely, that it was an integer). For constants, the best format to preserve is None, so that future integer uses rematerialize the int
2656         from scratch. This only affects the 64-bit backend; the 32-bit backend was already doing the right thing.
2657
2658         This also fixes some more debug dumping code, and adds some stronger assertions for integer arrays.
2659
2660         * bytecode/CodeBlock.cpp:
2661         (JSC::CodeBlock::finalizeUnconditionally):
2662         * dfg/DFGDriver.cpp:
2663         (JSC::DFG::compile):
2664         * dfg/DFGFixupPhase.cpp:
2665         (JSC::DFG::FixupPhase::fixupNode):
2666         * dfg/DFGGraph.cpp:
2667         (JSC::DFG::Graph::dump):
2668         * dfg/DFGSpeculativeJIT64.cpp:
2669         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2670         * runtime/JSObject.h:
2671         (JSC::JSObject::getIndexQuickly):
2672         (JSC::JSObject::tryGetIndexQuickly):
2673
2674 2013-08-08  Stephanie Lewis  <slewis@apple.com>
2675
2676         <rdar://problem/14680524> REGRESSION(153806): Crash @ yahoo.com when WebKit is built with a .order file
2677
2678         Unreviewed.
2679
2680         Ensure llint symbols are in source order.
2681
2682         * JavaScriptCore.order:
2683
2684 2013-08-06  Mark Lam  <mark.lam@apple.com>
2685
2686         Assertion failure in emitExpressionInfo when reloading with Web Inspector open.
2687         https://bugs.webkit.org/show_bug.cgi?id=119532.
2688
2689         Reviewed by Oliver Hunt.
2690
2691         * parser/Parser.cpp:
2692         (JSC::::Parser):
2693         - Just need to initialize the Parser's JSTokenLocation's initial line and
2694           startOffset as well during Parser construction.
2695
2696 2013-08-06  Stephanie Lewis  <slewis@apple.com>
2697
2698         Update Order Files for Safari
2699         <rdar://problem/14517392>
2700
2701         Unreviewed.
2702
2703         * JavaScriptCore.order:
2704
2705 2013-08-04  Sam Weinig  <sam@webkit.org>
2706
2707         Remove support for HTML5 MicroData
2708         https://bugs.webkit.org/show_bug.cgi?id=119480
2709
2710         Reviewed by Anders Carlsson.
2711
2712         * Configurations/FeatureDefines.xcconfig:
2713
2714 2013-08-05  Oliver Hunt  <oliver@apple.com>
2715
2716         Delay Arguments creation in strict mode
2717         https://bugs.webkit.org/show_bug.cgi?id=119505
2718
2719         Reviewed by Geoffrey Garen.
2720
2721         Make use of the write tracking performed by the parser to
2722         allow us to know if we're modifying the parameters to a function.
2723         Then use that information to make strict mode functions opt out
2724         of eager arguments creation.
2725
2726         * bytecompiler/BytecodeGenerator.cpp:
2727         (JSC::BytecodeGenerator::BytecodeGenerator):
2728         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
2729         (JSC::BytecodeGenerator::emitReturn):
2730         * bytecompiler/BytecodeGenerator.h:
2731         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly):
2732         * parser/Nodes.h:
2733         (JSC::ScopeNode::modifiesParameter):
2734         * parser/Parser.cpp:
2735         (JSC::::parseInner):
2736         * parser/Parser.h:
2737         (JSC::Scope::declareParameter):
2738         (JSC::Scope::getCapturedVariables):
2739         (JSC::Parser::declareWrite):
2740         * parser/ParserModes.h:
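
        The following JavaScript is an added illustration, not code from this
        ChangeLog or from JavaScriptCore. It shows the language semantics that
        make the write tracking above necessary: in sloppy mode the arguments
        object aliases the formal parameters, while in strict mode it must hold
        the values the parameters had on entry. A strict-mode function whose
        parameters are never written can therefore build its arguments object
        late, from the current parameter values, and observe no difference;
        one that writes a parameter cannot. The functions are built with the
        Function constructor so that the sloppy case stays sloppy even if this
        file is loaded as a (strict) module.

```javascript
// Added example (not JSC code). Each function returns [parameter after the
// write, arguments[0]] so the aliasing behaviour is visible in the result.

// Sloppy mode: arguments[0] is a live alias of the parameter `a`.
const sloppyWritesParam = new Function(
  'a',
  'a = a + 1; return [a, arguments[0]];'
);

// Strict mode: arguments[0] must keep the entry value even though `a` changes,
// so an arguments object created after the write would be wrong.
const strictWritesParam = new Function(
  'a',
  '"use strict"; a = a + 1; return [a, arguments[0]];'
);

// Strict mode, no write to any parameter: an arguments object created lazily
// from the current parameter values is indistinguishable from an eager one.
const strictNoWrite = new Function(
  'a',
  '"use strict"; return [a, arguments[0]];'
);

// Helper that reports whether a write to the parameter is observable through
// arguments[0] for a given function (true means aliasing occurred).
function parameterWriteIsVisibleThroughArguments(fn) {
  const [param, arg0] = fn(1);
  return param === arg0 && param !== 1;
}

// Expected results (constructed input: the single argument 1):
//   sloppyWritesParam(1) -> [2, 2]   aliasing: the write leaks into arguments
//   strictWritesParam(1) -> [2, 1]   snapshot: arguments keeps the entry value
//   strictNoWrite(1)     -> [1, 1]   no write, lazy and eager creation agree
```

        The parser's write tracking answers exactly the question the helper
        answers at run time: whether any formal parameter is assigned in the
        function body. Only when the answer is "no" can a strict-mode function
        safely skip eager arguments creation.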
2741
2742 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2743
2744         Remove useless code from COMPILER(RVCT) JITStubs
2745         https://bugs.webkit.org/show_bug.cgi?id=119521
2746
2747         Reviewed by Geoffrey Garen.
2748
2749         * jit/JITStubsARMv7.h:
2750         (JSC::ctiVMThrowTrampoline): "ldr r6, [sp, #PRESERVED_R6_OFFSET]" was called twice.
2751         (JSC::ctiOpThrowNotCaught): Ditto.
2752
2753 2013-07-23  David Farler  <dfarler@apple.com>
2754
2755         Provide optional OTHER_CFLAGS, OTHER_CPPFLAGS, OTHER_LDFLAGS additions for building with ASAN
2756         https://bugs.webkit.org/show_bug.cgi?id=117762
2757
2758         Reviewed by Mark Rowe.
2759
2760         * Configurations/DebugRelease.xcconfig:
2761         Add ASAN_OTHER_CFLAGS, CPLUSPLUSFLAGS, LDFLAGS.
2762         * Configurations/JavaScriptCore.xcconfig:
2763         Add ASAN_OTHER_LDFLAGS.
2764         * Configurations/ToolExecutable.xcconfig:
2765         Don't use ASAN for build tools.
2766
2767 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2768
2769         Build fix for ARM MSVC after r153222 and r153648.
2770
2771         * jit/JITStubsARM.h: Added ctiVMThrowTrampolineSlowpath.
2772
2773 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2774
2775         Build fix for ARM MSVC after r150109.
2776
2777         Read the stub template from a header file instead of JITStubs.cpp.
2778
2779         * CMakeLists.txt:
2780         * DerivedSources.pri:
2781         * create_jit_stubs:
2782
2783 2013-08-05  Oliver Hunt  <oliver@apple.com>
2784
2785         Move TypedArray implementation into JSC
2786         https://bugs.webkit.org/show_bug.cgi?id=119489
2787
2788         Reviewed by Filip Pizlo.
2789
2790         Move TypedArray implementation into JSC in advance of re-implementation
2791
2792         * GNUmakefile.list.am:
2793         * JSCTypedArrayStubs.h:
2794         * JavaScriptCore.xcodeproj/project.pbxproj:
2795         * runtime/ArrayBuffer.cpp: Renamed from Source/WTF/wtf/ArrayBuffer.cpp.
2796         (JSC::ArrayBuffer::transfer):
2797         (JSC::ArrayBuffer::addView):
2798         (JSC::ArrayBuffer::removeView):
2799         * runtime/ArrayBuffer.h: Renamed from Source/WTF/wtf/ArrayBuffer.h.
2800         (JSC::ArrayBufferContents::ArrayBufferContents):
2801         (JSC::ArrayBufferContents::data):
2802         (JSC::ArrayBufferContents::sizeInBytes):
2803         (JSC::ArrayBufferContents::transfer):
2804         (JSC::ArrayBufferContents::copyTo):
2805         (JSC::ArrayBuffer::isNeutered):
2806         (JSC::ArrayBuffer::~ArrayBuffer):
2807         (JSC::ArrayBuffer::clampValue):
2808         (JSC::ArrayBuffer::create):
2809         (JSC::ArrayBuffer::createUninitialized):
2810         (JSC::ArrayBuffer::ArrayBuffer):
2811         (JSC::ArrayBuffer::data):
2812         (JSC::ArrayBuffer::byteLength):
2813         (JSC::ArrayBuffer::slice):
2814         (JSC::ArrayBuffer::sliceImpl):
2815         (JSC::ArrayBuffer::clampIndex):
2816         (JSC::ArrayBufferContents::tryAllocate):
2817         (JSC::ArrayBufferContents::~ArrayBufferContents):
2818         * runtime/ArrayBufferView.cpp: Renamed from Source/WTF/wtf/ArrayBufferView.cpp.
2819         (JSC::ArrayBufferView::ArrayBufferView):
2820         (JSC::ArrayBufferView::~ArrayBufferView):
2821         (JSC::ArrayBufferView::neuter):
2822         * runtime/ArrayBufferView.h: Renamed from Source/WTF/wtf/ArrayBufferView.h.
2823         (JSC::ArrayBufferView::buffer):
2824         (JSC::ArrayBufferView::baseAddress):
2825         (JSC::ArrayBufferView::byteOffset):
2826         (JSC::ArrayBufferView::setNeuterable):
2827         (JSC::ArrayBufferView::isNeuterable):
2828         (JSC::ArrayBufferView::verifySubRange):
2829         (JSC::ArrayBufferView::clampOffsetAndNumElements):
2830         (JSC::ArrayBufferView::setImpl):
2831         (JSC::ArrayBufferView::setRangeImpl):
2832         (JSC::ArrayBufferView::zeroRangeImpl):
2833         (JSC::ArrayBufferView::calculateOffsetAndLength):
2834         * runtime/Float32Array.h: Renamed from Source/WTF/wtf/Float32Array.h.
2835         (JSC::Float32Array::set):
2836         (JSC::Float32Array::getType):
2837         (JSC::Float32Array::create):
2838         (JSC::Float32Array::createUninitialized):
2839         (JSC::Float32Array::Float32Array):
2840         (JSC::Float32Array::subarray):
2841         * runtime/Float64Array.h: Renamed from Source/WTF/wtf/Float64Array.h.
2842         (JSC::Float64Array::set):
2843         (JSC::Float64Array::getType):
2844         (JSC::Float64Array::create):
2845         (JSC::Float64Array::createUninitialized):
2846         (JSC::Float64Array::Float64Array):
2847         (JSC::Float64Array::subarray):
2848         * runtime/Int16Array.h: Renamed from Source/WTF/wtf/Int16Array.h.
2849         (JSC::Int16Array::getType):
2850         (JSC::Int16Array::create):
2851         (JSC::Int16Array::createUninitialized):
2852         (JSC::Int16Array::Int16Array):
2853         (JSC::Int16Array::subarray):
2854         * runtime/Int32Array.h: Renamed from Source/WTF/wtf/Int32Array.h.
2855         (JSC::Int32Array::getType):
2856         (JSC::Int32Array::create):
2857         (JSC::Int32Array::createUninitialized):
2858         (JSC::Int32Array::Int32Array):
2859         (JSC::Int32Array::subarray):
2860         * runtime/Int8Array.h: Renamed from Source/WTF/wtf/Int8Array.h.
2861         (JSC::Int8Array::getType):
2862         (JSC::Int8Array::create):
2863         (JSC::Int8Array::createUninitialized):
2864         (JSC::Int8Array::Int8Array):
2865         (JSC::Int8Array::subarray):
2866         * runtime/IntegralTypedArrayBase.h: Renamed from Source/WTF/wtf/IntegralTypedArrayBase.h.
2867         (JSC::IntegralTypedArrayBase::set):
2868         (JSC::IntegralTypedArrayBase::IntegralTypedArrayBase):
2869         * runtime/TypedArrayBase.h: Renamed from Source/WTF/wtf/TypedArrayBase.h.
2870         (JSC::TypedArrayBase::data):
2871         (JSC::TypedArrayBase::set):
2872         (JSC::TypedArrayBase::setRange):
2873         (JSC::TypedArrayBase::zeroRange):
2874         (JSC::TypedArrayBase::length):
2875         (JSC::TypedArrayBase::byteLength):
2876         (JSC::TypedArrayBase::item):
2877         (JSC::TypedArrayBase::checkInboundData):
2878         (JSC::TypedArrayBase::TypedArrayBase):
2879         (JSC::TypedArrayBase::create):
2880         (JSC::TypedArrayBase::createUninitialized):
2881         (JSC::TypedArrayBase::subarrayImpl):
2882         (JSC::TypedArrayBase::neuter):
2883         * runtime/Uint16Array.h: Renamed from Source/WTF/wtf/Uint16Array.h.
2884         (JSC::Uint16Array::getType):
2885         (JSC::Uint16Array::create):
2886         (JSC::Uint16Array::createUninitialized):
2887         (JSC::Uint16Array::Uint16Array):
2888         (JSC::Uint16Array::subarray):
2889         * runtime/Uint32Array.h: Renamed from Source/WTF/wtf/Uint32Array.h.
2890         (JSC::Uint32Array::getType):
2891         (JSC::Uint32Array::create):
2892         (JSC::Uint32Array::createUninitialized):
2893         (JSC::Uint32Array::Uint32Array):
2894         (JSC::Uint32Array::subarray):
2895         * runtime/Uint8Array.h: Renamed from Source/WTF/wtf/Uint8Array.h.
2896         (JSC::Uint8Array::getType):
2897         (JSC::Uint8Array::create):
2898         (JSC::Uint8Array::createUninitialized):
2899         (JSC::Uint8Array::Uint8Array):
2900         (JSC::Uint8Array::subarray):
2901         * runtime/Uint8ClampedArray.h: Renamed from Source/WTF/wtf/Uint8ClampedArray.h.
2902         (JSC::Uint8ClampedArray::getType):
2903         (JSC::Uint8ClampedArray::create):
2904         (JSC::Uint8ClampedArray::createUninitialized):
2905         (JSC::Uint8ClampedArray::zeroFill):
2906         (JSC::Uint8ClampedArray::set):
2907         (JSC::Uint8ClampedArray::Uint8ClampedArray):
2908         (JSC::Uint8ClampedArray::subarray):
2909         * runtime/VM.h:
2910
2911 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
2912
2913         Copied space should be able to handle more than one copied backing store per JSCell
2914         https://bugs.webkit.org/show_bug.cgi?id=119471
2915
2916         Reviewed by Mark Hahnenberg.
2917         
2918         This allows a cell to call copyLater() multiple times for multiple different
2919         backing stores, and then have copyBackingStore() called exactly once for each
2920         of those. A token tells it which backing store to copy. All backing stores
2921         must be named using the CopyToken, an enumeration which currently cannot
2922         exceed eight entries.
2923         
2924         When copyBackingStore() is called, it's up to the callee to (a) use the token
2925         to decide what to copy and (b) call its base class's copyBackingStore() in
2926         case the base class had something that needed copying. The only exception is
2927         that JSCell never asks anything to be copied, and so if your base is JSCell
2928         then you don't have to do anything.
2929
2930         * GNUmakefile.list.am:
2931         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2932         * JavaScriptCore.xcodeproj/project.pbxproj:
2933         * heap/CopiedBlock.h:
2934         * heap/CopiedBlockInlines.h:
2935         (JSC::CopiedBlock::reportLiveBytes):
2936         * heap/CopyToken.h: Added.
2937         * heap/CopyVisitor.cpp:
2938         (JSC::CopyVisitor::copyFromShared):
2939         * heap/CopyVisitor.h:
2940         * heap/CopyVisitorInlines.h:
2941         (JSC::CopyVisitor::visitItem):
2942         * heap/CopyWorkList.h:
2943         (JSC::CopyWorklistItem::CopyWorklistItem):
2944         (JSC::CopyWorklistItem::cell):
2945         (JSC::CopyWorklistItem::token):
2946         (JSC::CopyWorkListSegment::get):
2947         (JSC::CopyWorkListSegment::append):
2948         (JSC::CopyWorkListSegment::data):
2949         (JSC::CopyWorkListIterator::get):
2950         (JSC::CopyWorkListIterator::operator*):
2951         (JSC::CopyWorkListIterator::operator->):
2952         (JSC::CopyWorkList::append):
2953         * heap/SlotVisitor.h:
2954         * heap/SlotVisitorInlines.h:
2955         (JSC::SlotVisitor::copyLater):
2956         * runtime/ClassInfo.h:
2957         * runtime/JSCell.cpp:
2958         (JSC::JSCell::copyBackingStore):
2959         * runtime/JSCell.h:
2960         * runtime/JSObject.cpp:
2961         (JSC::JSObject::visitButterfly):
2962         (JSC::JSObject::copyBackingStore):
2963         * runtime/JSObject.h:
2964
2965 2013-08-05  Zan Dobersek  <zdobersek@igalia.com>
2966
2967         [Automake] Define ENABLE_JIT through the Autoconf header
2968         https://bugs.webkit.org/show_bug.cgi?id=119445
2969
2970         Reviewed by Martin Robinson.
2971
2972         * GNUmakefile.am: Remove JSC_CPPFLAGS from the cpp flags for the JSC library.
2973
2974 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
2975
2976         hasIndexingHeader() ought really to be a property of an object and its structure, not just its structure
2977         https://bugs.webkit.org/show_bug.cgi?id=119470
2978
2979         Reviewed by Oliver Hunt.
2980         
2981         Structure can still tell you if the object "could" (in the conservative sense)
2982         have an indexing header; that's used by the compiler.
2983         
2984         Most of the time if you want to know if there's an indexing header, you ask the
2985         JSObject.
2986         
2987         In some cases, the JSObject wants to know if it would have an indexing header if
2988         it had a different structure; then it uses Structure::hasIndexingHeader(JSCell*).
2989
2990         * dfg/DFGRepatch.cpp:
2991         (JSC::DFG::tryCachePutByID):
2992         (JSC::DFG::tryBuildPutByIdList):
2993         * dfg/DFGSpeculativeJIT.cpp:
2994         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2995         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2996         * runtime/ButterflyInlines.h:
2997         (JSC::Butterfly::create):
2998         (JSC::Butterfly::growPropertyStorage):
2999         (JSC::Butterfly::growArrayRight):
3000         (JSC::Butterfly::resizeArray):
3001         * runtime/JSObject.cpp:
3002         (JSC::JSObject::copyButterfly):
3003         (JSC::JSObject::visitButterfly):
3004         * runtime/JSObject.h:
3005         (JSC::JSObject::hasIndexingHeader):
3006         (JSC::JSObject::setButterfly):
3007         * runtime/Structure.h:
3008         (JSC::Structure::couldHaveIndexingHeader):
3009         (JSC::Structure::hasIndexingHeader):
3010
3011 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
3012
3013         Give the error object's stack property accessor attributes.
3014         https://bugs.webkit.org/show_bug.cgi?id=119404
3015
3016         Reviewed by Geoffrey Garen.
3017         
3018         Changed the attributes of error object's stack property to allow developers to write
3019         and delete the stack property. This will match the functionality of Chrome. Firefox  
3020         allows developers to write the error's stack, but not delete it. 
3021
3022         * interpreter/Interpreter.cpp:
3023         (JSC::Interpreter::addStackTraceIfNecessary):
3024         * runtime/ErrorInstance.cpp:
3025         (JSC::ErrorInstance::finishCreation):
3026
3027 2013-08-02  Oliver Hunt  <oliver@apple.com>
3028
3029         Incorrect type speculation reported by ToPrimitive
3030         https://bugs.webkit.org/show_bug.cgi?id=119458
3031
3032         Reviewed by Mark Hahnenberg.
3033
3034         Make sure that we report the correct type possibilities for the output
3035         from ToPrimitive
3036
3037         * dfg/DFGAbstractInterpreterInlines.h:
3038         (JSC::DFG::::executeEffects):
3039
3040 2013-08-02  Gavin Barraclough  <barraclough@apple.com>
3041
3042         Remove no-arguments constructor to PropertySlot
3043         https://bugs.webkit.org/show_bug.cgi?id=119460
3044
3045         Reviewed by Geoff Garen.
3046
3047         This constructor was unsafe if getValue is subsequently called,
3048         and the property is a getter. Simplest to just remove it.
3049
3050         * runtime/Arguments.cpp:
3051         (JSC::Arguments::defineOwnProperty):
3052         * runtime/JSActivation.cpp:
3053         (JSC::JSActivation::getOwnPropertyDescriptor):
3054         * runtime/JSFunction.cpp:
3055         (JSC::JSFunction::getOwnPropertyDescriptor):
3056         (JSC::JSFunction::getOwnNonIndexPropertyNames):
3057         (JSC::JSFunction::put):
3058         (JSC::JSFunction::defineOwnProperty):
3059         * runtime/JSGlobalObject.cpp:
3060         (JSC::JSGlobalObject::defineOwnProperty):
3061         * runtime/JSGlobalObject.h:
3062         (JSC::JSGlobalObject::hasOwnPropertyForWrite):
3063         * runtime/JSNameScope.cpp:
3064         (JSC::JSNameScope::put):
3065         * runtime/JSONObject.cpp:
3066         (JSC::Stringifier::Holder::appendNextProperty):
3067         (JSC::Walker::walk):
3068         * runtime/JSObject.cpp:
3069         (JSC::JSObject::hasProperty):
3070         (JSC::JSObject::hasOwnProperty):
3071         (JSC::JSObject::reifyStaticFunctionsForDelete):
3072         * runtime/Lookup.h:
3073         (JSC::getStaticPropertyDescriptor):
3074         (JSC::getStaticFunctionDescriptor):
3075         (JSC::getStaticValueDescriptor):
3076         * runtime/ObjectConstructor.cpp:
3077         (JSC::defineProperties):
3078         * runtime/PropertySlot.h:
3079
3080 2013-08-02  Mark Hahnenberg  <mhahnenberg@apple.com>
3081
3082         DFG validation can cause assertion failures due to dumping
3083         https://bugs.webkit.org/show_bug.cgi?id=119456
3084
3085         Reviewed by Geoffrey Garen.
3086
3087         * bytecode/CodeBlock.cpp:
3088         (JSC::CodeBlock::hasHash):
3089         (JSC::CodeBlock::isSafeToComputeHash):
3090         (JSC::CodeBlock::hash):
3091         (JSC::CodeBlock::dumpAssumingJITType):
3092         * bytecode/CodeBlock.h:
3093
3094 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
3095
3096         Have vm's exceptionStack match java's vm's exceptionStack.
3097         https://bugs.webkit.org/show_bug.cgi?id=119362
3098
3099         Reviewed by Geoffrey Garen.
3100         
3101         The error object's stack is only updated if it does not exist yet. This matches 
3102         the functionality of other browsers, and Java VMs. 
3103
3104         * interpreter/Interpreter.cpp:
3105         (JSC::Interpreter::addStackTraceIfNecessary):
3106         (JSC::Interpreter::throwException):
3107         * runtime/VM.cpp:
3108         (JSC::VM::clearExceptionStack):
3109         * runtime/VM.h:
3110         (JSC::VM::lastExceptionStack):
3111
3112 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
3113
3114         REGRESSION(FTL): Fix mips implementation of ctiVMThrowTrampolineSlowpath.
3115         https://bugs.webkit.org/show_bug.cgi?id=119447
3116
3117         Reviewed by Geoffrey Garen.
3118
3119         Fix .cpload, update call frame and do not restore registers from JIT stack frame in
3120         mips implementation of ctiVMThrowTrampolineSlowpath. This change is similar to
3121         r153583 (sh4) and r153648 (ARM).
3122
3123         * jit/JITStubsMIPS.h:
3124
3125 2013-08-01  Filip Pizlo  <fpizlo@apple.com>
3126
3127         hasIndexingHeader should be a property of the Structure, not just the IndexingType
3128         https://bugs.webkit.org/show_bug.cgi?id=119422
3129
3130         Reviewed by Oliver Hunt.
3131         
3132         This simplifies some code and also allows Structure to claim that an object
3133         has an indexing header even if it doesn't have indexed properties.
3134         
3135         I also changed some calls to use hasIndexedProperties() since in some cases,
3136         that's what we actually meant. Currently the two are synonyms.
3137
3138         * dfg/DFGRepatch.cpp:
3139         (JSC::DFG::tryCachePutByID):
3140         (JSC::DFG::tryBuildPutByIdList):
3141         * dfg/DFGSpeculativeJIT.cpp:
3142         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3143         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3144         * runtime/ButterflyInlines.h:
3145         (JSC::Butterfly::create):
3146         (JSC::Butterfly::growPropertyStorage):
3147         (JSC::Butterfly::growArrayRight):
3148         (JSC::Butterfly::resizeArray):
3149         * runtime/IndexingType.h:
3150         * runtime/JSObject.cpp:
3151         (JSC::JSObject::copyButterfly):
3152         (JSC::JSObject::visitButterfly):
3153         (JSC::JSObject::setPrototype):
3154         * runtime/JSObject.h:
3155         (JSC::JSObject::setButterfly):
3156         * runtime/JSPropertyNameIterator.cpp:
3157         (JSC::JSPropertyNameIterator::create):
3158         * runtime/Structure.h:
3159         (JSC::Structure::hasIndexingHeader):
3160
3161 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
3162
3163         REGRESSION: ARM still crashes after change set r153612.
3164         https://bugs.webkit.org/show_bug.cgi?id=119433
3165
3166         Reviewed by Michael Saboff.
3167
3168         Update call frame and do not restore registers from JIT stack frame in ARM and ARMv7
3169         implementations of ctiVMThrowTrampolineSlowpath. This change is similar to r153583
3170         for sh4 architecture.
3171
3172         * jit/JITStubsARM.h:
3173         * jit/JITStubsARMv7.h:
3174
3175 2013-08-02  Michael Saboff  <msaboff@apple.com>
3176
3177         REGRESSION(r153612): It made jsc and layout tests crash
3178         https://bugs.webkit.org/show_bug.cgi?id=119440
3179
3180         Reviewed by Csaba Osztrogonác.
3181
3182         Made the changes of changeset r153612 only apply to 32-bit builds.
3183
3184         * jit/JITExceptions.cpp:
3185         * jit/JITExceptions.h:
3186         * jit/JITStubs.cpp:
3187         (JSC::cti_vm_throw_slowpath):
3188         * jit/JITStubs.h:
3189
3190 2013-08-02  Patrick Gansterer  <paroga@webkit.org>
3191
3192         Add JSCTestRunnerUtils to the list of forwarding headers to fix build.
3193
3194         * CMakeLists.txt:
3195
3196 2013-08-01  Ruth Fong  <ruth_fong@apple.com>
3197
3198         [Forms: color] <input type='color'> popover color well implementation
3199         <rdar://problem/14411008> and https://bugs.webkit.org/show_bug.cgi?id=119356
3200
3201         Reviewed by Benjamin Poulain.
3202
3203         * Configurations/FeatureDefines.xcconfig: Added and enabled INPUT_TYPE_COLOR_POPOVER.
3204
3205 2013-08-01  Oliver Hunt  <oliver@apple.com>
3206
3207         DFG is not enforcing correct ordering of ToString conversion in MakeRope
3208         https://bugs.webkit.org/show_bug.cgi?id=119408
3209
3210         Reviewed by Filip Pizlo.
3211
3212         Construct ToString and Phantom nodes in advance of MakeRope
3213         nodes to ensure that ordering is ensured, and correct values
3214         will be reified on OSR exit.
3215
3216         * dfg/DFGByteCodeParser.cpp:
3217         (JSC::DFG::ByteCodeParser::parseBlock):
3218
3219 2013-08-01  Michael Saboff  <msaboff@apple.com>
3220
3221         REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
3222         https://bugs.webkit.org/show_bug.cgi?id=119140
3223
3224         Reviewed by Filip Pizlo.
3225
3226         Ensure that ExceptionHandler is returned by functions in two registers by encoding the value as a 64 bit int.
3227
3228         * jit/JITExceptions.cpp:
3229         (JSC::encode):
3230         * jit/JITExceptions.h:
3231         * jit/JITStubs.cpp:
3232         (JSC::cti_vm_throw_slowpath):
3233         * jit/JITStubs.h:
3234
3235 2013-08-01  Julien Brianceau  <jbrianceau@nds.com>
3236
3237         REGRESSION(FTL): Fix sh4 implementation of ctiVMThrowTrampolineSlowpath.
3238         https://bugs.webkit.org/show_bug.cgi?id=119391
3239
3240         Reviewed by Csaba Osztrogonác.
3241
3242         * jit/JITStubsSH4.h: Fix ctiVMThrowTrampolineSlowpath implementation:
3243             - Call frame is in r14 register.
3244             - Do not restore registers from JIT stack frame here.
3245
3246 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
3247
3248         More cleanup in PropertySlot
3249         https://bugs.webkit.org/show_bug.cgi?id=119359
3250
3251         Reviewed by Geoff Garen.
3252
3253         m_slotBase is overloaded to store the (receiver) thisValue and the object that contains the property.
3254         This is confusing, and means that slotBase cannot be typed correctly (it can only be a JSObject).
3255
3256         * dfg/DFGRepatch.cpp:
3257         (JSC::DFG::tryCacheGetByID):
3258         (JSC::DFG::tryBuildGetByIDList):
3259             - No need to ASSERT slotBase is an object.
3260         * jit/JITStubs.cpp:
3261         (JSC::tryCacheGetByID):
3262         (JSC::DEFINE_STUB_FUNCTION):
3263             - No need to ASSERT slotBase is an object.
3264         * runtime/JSObject.cpp:
3265         (JSC::JSObject::getOwnPropertySlotByIndex):
3266         (JSC::JSObject::fillGetterPropertySlot):
3267             - Pass an object through to setGetterSlot.
3268         * runtime/JSObject.h:
3269         (JSC::PropertySlot::getValue):
3270             - Moved from PropertySlot (need to know about JSObject).
3271         * runtime/PropertySlot.cpp:
3272         (JSC::PropertySlot::functionGetter):
3273             - Update per member name changes.
3274         * runtime/PropertySlot.h:
3275         (JSC::PropertySlot::PropertySlot):
3276             - Argument to constructor set to 'thisValue'.
3277         (JSC::PropertySlot::slotBase):
3278             - This returns a JSObject*.
3279         (JSC::PropertySlot::setValue):
3280         (JSC::PropertySlot::setCustom):
3281         (JSC::PropertySlot::setCacheableCustom):
3282         (JSC::PropertySlot::setCustomIndex):
3283         (JSC::PropertySlot::setGetterSlot):
3284         (JSC::PropertySlot::setCacheableGetterSlot):
3285             - slotBase is a JSObject*, make setGetterSlot set slotBase for consistency.
3286         * runtime/SparseArrayValueMap.cpp:
3287         (JSC::SparseArrayEntry::get):
3288             - Pass an object through to setGetterSlot.
3289         * runtime/SparseArrayValueMap.h:
3290             - Pass an object through to setGetterSlot.
3291
3292 2013-07-31  Yi Shen  <max.hong.shen@gmail.com>
3293
3294         Reduce JSC API static value setter/getter overhead.
3295         https://bugs.webkit.org/show_bug.cgi?id=119277
3296
3297         Reviewed by Geoffrey Garen.
3298
3299         Add the property name to the static value entry, so that OpaqueJSString::create() doesn't
3300         need to be called every time the static value is set or retrieved.
3301
3302         * API/JSCallbackObjectFunctions.h:
3303         (JSC::::put):
3304         (JSC::::putByIndex):
3305         (JSC::::getStaticValue):
3306         * API/JSClassRef.cpp:
3307         (OpaqueJSClassContextData::OpaqueJSClassContextData):
3308         * API/JSClassRef.h:
3309         (StaticValueEntry::StaticValueEntry):
3310
3311 2013-07-31  Kwang Yul Seo  <skyul@company100.net>
3312
3313         Use emptyString instead of String("")
3314         https://bugs.webkit.org/show_bug.cgi?id=119335
3315
3316         Reviewed by Darin Adler.
3317
3318         Use emptyString() instead of String("") because it is better style and
3319         faster. This is a followup to r116908, removing all occurrences of
3320         String("") from WebKit.
3321
3322         * runtime/RegExpConstructor.cpp:
3323         (JSC::constructRegExp):
3324         * runtime/RegExpPrototype.cpp:
3325         (JSC::regExpProtoFuncCompile):
3326         * runtime/StringPrototype.cpp:
3327         (JSC::stringProtoFuncMatch):
3328         (JSC::stringProtoFuncSearch):
3329
3330 2013-07-31  Ruth Fong  <ruth_fong@apple.com>
3331
3332         <input type=color> Mac UI behaviour
3333         <rdar://problem/10269922> and https://bugs.webkit.org/show_bug.cgi?id=61276
3334
3335         Reviewed by Brady Eidson.
3336
3337         * Configurations/FeatureDefines.xcconfig: Enabled INPUT_TYPE_COLOR.
3338
3339 2013-07-31  Mark Hahnenberg  <mhahnenberg@apple.com>
3340
3341         DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT
3342         https://bugs.webkit.org/show_bug.cgi?id=119349
3343
3344         Reviewed by Geoffrey Garen.
3345
3346         Prior to this patch, the baseline JIT was responsible for resizing the ctiOffsets Vector for 
3347         SimpleJumpTables to be equal to the size of the branchOffsets Vector. The DFG implicitly relied
3348         on code it compiled with any switch statements to have been run in the baseline JIT first. 
3349         However, if the DFG chooses to inline a function that has never been compiled by the baseline 
3350         JIT then this resizing never happens and we crash at link time in the DFG.
3351
3352         We can fix this by also doing the resize in the DFG to catch this case.
3353
3354         * dfg/DFGJITCompiler.cpp:
3355         (JSC::DFG::JITCompiler::link):
3356
3357 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
3358
3359         Speculative Windows build fix.
3360
3361         Reviewed by NOBODY
3362
3363         * runtime/JSString.cpp:
3364         (JSC::JSRopeString::getIndexSlowCase):
3365         * runtime/JSString.h:
3366
3367 2013-07-30  Gavin Barraclough  <barraclough@apple.com>
3368
3369         Some cleanup in JSValue::get
3370         https://bugs.webkit.org/show_bug.cgi?id=119343
3371
3372         Reviewed by Geoff Garen.
3373
3374         JSValue::get is implemented to:
3375             1) Check if the value is a cell – if not, synthesize a prototype to search,
3376             2) call getOwnPropertySlot on the cell,
3377             3) if this returns false, cast to JSObject to get the prototype, and walk the prototype chain.
3378         By all rights this should crash when passed a string and accessing a property that does not exist, because
3379         the string is a cell, getOwnPropertySlot should return false, and the cast to JSObject should be unsafe.
3380         To work around this, JSString::getOwnPropertySlot actually implements 'get' functionality - searching the
3381         prototype chain, and faking out a return value of undefined if no property is found.
3382
3383         This is a huge hazard, since fixing JSString::getOwnPropertySlot or calling getOwnPropertySlot on cells
3384         from elsewhere would introduce bugs. Fortunately it is only ever called in this one place.
3385
3386         The fix here is to move getOwnPropertySlot onto JSObject and end this madness - cells don't have property
3387         slots anyway.
3388
3389         Interesting changes are in JSCJSValueInlines.h, JSString.cpp - the rest is pretty much all JSCell -> JSObject.
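
        The three-step lookup that the entry above describes for JSValue::get, re-enacted in JavaScript as an added example. This is not JavaScriptCore code; it is built on the standard reflection API, and `getProperty` together with its `{ found, value, holder }` result shape are this example's own names. It shows the case the entry calls out: a property access on a primitive string that exists nowhere on the chain resolves to a clean miss after the prototype walk, rather than being faked by the own-property check.

```javascript
// Added example, not JavaScriptCore code: a JavaScript re-enactment of the
// three-step lookup described for JSValue::get, built on the standard
// reflection API. getProperty and its { found, value, holder } result shape
// are this example's own names.

function getProperty(value, name) {
  // Lookup on null/undefined has no prototype to synthesize: it is an error.
  if (value === null || value === undefined) {
    throw new TypeError(`Cannot read property '${String(name)}' of ${value}`);
  }

  // Step 1: a non-object ("non-cell") value is boxed, which gives it an own
  // property set (a string's length and indices) and synthesizes the prototype
  // to search (String.prototype, Number.prototype, ...). Objects are used as-is.
  const isObject = typeof value === 'object' || typeof value === 'function';
  let holder = isObject ? value : Object(value);

  // Steps 2 and 3: own-property check, then walk the prototype chain until a
  // holder is found or the chain ends at null. A miss is reported by the walk
  // itself, not faked as undefined by the own-property check.
  while (holder !== null) {
    const desc = Object.getOwnPropertyDescriptor(holder, name);
    if (desc !== undefined) {
      // Getters run with the original receiver, not the holder where the
      // accessor was found (the thisValue vs. slotBase distinction).
      const result = 'value' in desc
        ? desc.value
        : (desc.get ? desc.get.call(value) : undefined);
      return { found: true, value: result, holder };
    }
    holder = Object.getPrototypeOf(holder);
  }
  return { found: false, value: undefined, holder: null };
}

// Names the holder a lookup resolved to, for the demonstration below.
function whereFound(value, name) {
  const r = getProperty(value, name);
  if (!r.found) return 'not found';
  if (r.holder === String.prototype) return 'String.prototype';
  if (r.holder === Number.prototype) return 'Number.prototype';
  if (r.holder === Function.prototype) return 'Function.prototype';
  if (r.holder === Object.prototype) return 'Object.prototype';
  return 'own property';
}

// Demonstration: each line shows which link of the chain supplied the value.
for (const [value, name] of [
  ['abc', 'length'],          // own property of the boxed string
  ['abc', 'toUpperCase'],     // String.prototype
  ['abc', 'hasOwnProperty'],  // Object.prototype
  ['abc', 'nope'],            // exhausts the chain: not found
  [5, 'toFixed'],             // Number.prototype
]) {
  console.log(`${JSON.stringify(value)}.${name}: ${whereFound(value, name)}`);
}
```

The receiver/holder split matters for accessors: when `x` is a getter on a prototype and the access goes through a child object, the getter is found on the prototype but must run with the child as `this`, which is exactly why the value and the holder are returned separately.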
3390
3391 2013-07-31  Michael Saboff  <msaboff@apple.com>
3392
3393         [Win] JavaScript crash.
3394         https://bugs.webkit.org/show_bug.cgi?id=119339
3395
3396         Reviewed by Mark Hahnenberg.
3397
3398         * jit/JITStubsX86.h: Implement ctiVMThrowTrampoline and
3399         ctiVMThrowTrampolineSlowpath the same way as the gcc x86 version does.
3400
3401 2013-07-30  Mark Hahnenberg  <mhahnenberg@apple.com>
3402
3403         GetByVal on Arguments does the wrong size load when checking the Arguments object length
3404         https://bugs.webkit.org/show_bug.cgi?id=119281
3405
3406         Reviewed by Geoffrey Garen.
3407
3408         This leads to out of bounds accesses and subsequent crashes.
3409
3410         * dfg/DFGSpeculativeJIT.cpp:
3411         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
3412         * dfg/DFGSpeculativeJIT64.cpp:
3413         (JSC::DFG::SpeculativeJIT::compile):
3414
3415 2013-07-30  Oliver Hunt  <oliver@apple.com>
3416
3417         Add an assertion to SpeculateCellOperand
3418         https://bugs.webkit.org/show_bug.cgi?id=119276
3419
3420         Reviewed by Michael Saboff.
3421
3422         More assertions are better
3423
3424         * dfg/DFGSpeculativeJIT64.cpp:
3425         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3426         (JSC::DFG::SpeculativeJIT::compile):
3427
3428 2013-07-30  Mark Lam  <mark.lam@apple.com>
3429
3430         Fix problems with divot and lineStart mismatches.
3431         https://bugs.webkit.org/show_bug.cgi?id=118662.
3432
3433         Reviewed by Oliver Hunt.
3434
3435         r152494 added the recording of lineStart values for divot positions.
3436         This is needed for the computation of column numbers. Similarly, it also
3437         added the recording of line numbers for the divot positions. One problem
3438         with the approach taken was that the line and lineStart values were
3439         recorded independently, and hence were not always guaranteed to be
3440         sampled at the same place that the divot position is recorded. This
3441         resulted in potential mismatches that cause some assertions to fail.
3442
3443         The solution is to introduce a JSTextPosition abstraction that records
3444         the divot position, line, and lineStart as a single quantity. Wherever
3445         we record the divot position as an unsigned int previously, we now record
3446         its JSTextPosition which captures all 3 values in one go. This ensures
3447         that the captured line and lineStart will always match the captured divot
3448         position.
3449
3450         * bytecompiler/BytecodeGenerator.cpp:
3451         (JSC::BytecodeGenerator::emitCall):
3452         (JSC::BytecodeGenerator::emitCallEval):
3453         (JSC::BytecodeGenerator::emitCallVarargs):
3454         (JSC::BytecodeGenerator::emitConstruct):
3455         (JSC::BytecodeGenerator::emitDebugHook):
3456         - Use JSTextPosition instead of passing line and lineStart explicitly.
3457         * bytecompiler/BytecodeGenerator.h:
3458         (JSC::BytecodeGenerator::emitExpressionInfo):
3459         - Use JSTextPosition instead of passing line and lineStart explicitly.
3460         * bytecompiler/NodesCodegen.cpp:
3461         (JSC::ThrowableExpressionData::emitThrowReferenceError):
3462         (JSC::ResolveNode::emitBytecode):
3463         (JSC::BracketAccessorNode::emitBytecode):
3464         (JSC::DotAccessorNode::emitBytecode):
3465         (JSC::NewExprNode::emitBytecode):
3466         (JSC::EvalFunctionCallNode::emitBytecode):
3467         (JSC::FunctionCallValueNode::emitBytecode):
3468         (JSC::FunctionCallResolveNode::emitBytecode):
3469         (JSC::FunctionCallBracketNode::emitBytecode):
3470         (JSC::FunctionCallDotNode::emitBytecode):
3471         (JSC::CallFunctionCallDotNode::emitBytecode):
3472         (JSC::ApplyFunctionCallDotNode::emitBytecode):
3473         (JSC::PostfixNode::emitResolve):
3474         (JSC::PostfixNode::emitBracket):
3475         (JSC::PostfixNode::emitDot):
3476         (JSC::DeleteResolveNode::emitBytecode):
3477         (JSC::DeleteBracketNode::emitBytecode):
3478         (JSC::DeleteDotNode::emitBytecode):
3479         (JSC::PrefixNode::emitResolve):
3480         (JSC::PrefixNode::emitBracket):
3481         (JSC::PrefixNode::emitDot):
3482         (JSC::UnaryOpNode::emitBytecode):
3483         (JSC::BinaryOpNode::emitStrcat):
3484         (JSC::BinaryOpNode::emitBytecode):
3485         (JSC::ThrowableBinaryOpNode::emitBytecode):
3486         (JSC::InstanceOfNode::emitBytecode):
3487         (JSC::emitReadModifyAssignment):
3488         (JSC::ReadModifyResolveNode::emitBytecode):
3489         (JSC::AssignResolveNode::emitBytecode):
3490         (JSC::AssignDotNode::emitBytecode):
3491         (JSC::ReadModifyDotNode::emitBytecode):
3492         (JSC::AssignBracketNode::emitBytecode):
3493         (JSC::ReadModifyBracketNode::emitBytecode):
3494         (JSC::ForInNode::emitBytecode):
3495         (JSC::WithNode::emitBytecode):
3496         (JSC::ThrowNode::emitBytecode):
3497         - Use JSTextPosition instead of passing line and lineStart explicitly.
3498         * parser/ASTBuilder.h:
3499         - Replaced ASTBuilder::PositionInfo with JSTextPosition.
3500         (JSC::ASTBuilder::BinaryOpInfo::BinaryOpInfo):
3501         (JSC::ASTBuilder::AssignmentInfo::AssignmentInfo):
3502         (JSC::ASTBuilder::createResolve):
3503         (JSC::ASTBuilder::createBracketAccess):
3504         (JSC::ASTBuilder::createDotAccess):
3505         (JSC::ASTBuilder::createRegExp):
3506         (JSC::ASTBuilder::createNewExpr):
3507         (JSC::ASTBuilder::createAssignResolve):
3508         (JSC::ASTBuilder::createExprStatement):
3509         (JSC::ASTBuilder::createForInLoop):
3510         (JSC::ASTBuilder::createReturnStatement):
3511         (JSC::ASTBuilder::createBreakStatement):
3512         (JSC::ASTBuilder::createContinueStatement):
3513         (JSC::ASTBuilder::createLabelStatement):
3514         (JSC::ASTBuilder::createWithStatement):
3515         (JSC::ASTBuilder::createThrowStatement):
3516         (JSC::ASTBuilder::appendBinaryExpressionInfo):
3517         (JSC::ASTBuilder::appendUnaryToken):
3518         (JSC::ASTBuilder::unaryTokenStackLastStart):
3519         (JSC::ASTBuilder::assignmentStackAppend):
3520         (JSC::ASTBuilder::createAssignment):
3521         (JSC::ASTBuilder::setExceptionLocation):
3522         (JSC::ASTBuilder::makeDeleteNode):
3523         (JSC::ASTBuilder::makeFunctionCallNode):
3524         (JSC::ASTBuilder::makeBinaryNode):
3525         (JSC::ASTBuilder::makeAssignNode):
3526         (JSC::ASTBuilder::makePrefixNode):
3527         (JSC::ASTBuilder::makePostfixNode):
3528         - Use JSTextPosition instead of passing line and lineStart explicitly.
3529         * parser/Lexer.cpp:
3530         (JSC::::lex):
3531         - Added support for capturing the appropriate JSTextPositions instead
3532           of just the character offset.
3533         * parser/Lexer.h:
3534         (JSC::Lexer::currentPosition):
3535         (JSC::::lexExpectIdentifier):
3536         - Added support for capturing the appropriate JSTextPositions instead
3537           of just the character offset.
3538         * parser/NodeConstructors.h:
3539         (JSC::Node::Node):
3540         (JSC::ResolveNode::ResolveNode):
3541         (JSC::EvalFunctionCallNode::EvalFunctionCallNode):
3542         (JSC::FunctionCallValueNode::FunctionCallValueNode):
3543         (JSC::FunctionCallResolveNode::FunctionCallResolveNode):
3544         (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
3545         (JSC::FunctionCallDotNode::FunctionCallDotNode):
3546         (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
3547         (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
3548         (JSC::PostfixNode::PostfixNode):
3549         (JSC::DeleteResolveNode::DeleteResolveNode):
3550         (JSC::DeleteBracketNode::DeleteBracketNode):
3551         (JSC::DeleteDotNode::DeleteDotNode):
3552         (JSC::PrefixNode::PrefixNode):
3553         (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
3554         (JSC::ReadModifyBracketNode::ReadModifyBracketNode):
3555         (JSC::AssignBracketNode::AssignBracketNode):
3556         (JSC::AssignDotNode::AssignDotNode):
3557         (JSC::ReadModifyDotNode::ReadModifyDotNode):
3558         (JSC::AssignErrorNode::AssignErrorNode):
3559         (JSC::WithNode::WithNode):
3560         (JSC::ForInNode::ForInNode):
3561         - Use JSTextPosition instead of passing line and lineStart explicitly.
3562         * parser/Nodes.cpp:
3563         (JSC::StatementNode::setLoc):
3564         - Use JSTextPosition instead of passing line and lineStart explicitly.
3565         * parser/Nodes.h:
3566         (JSC::Node::lineNo):
3567         (JSC::Node::startOffset):
3568         (JSC::Node::lineStartOffset):
3569         (JSC::Node::position):
3570         (JSC::ThrowableExpressionData::ThrowableExpressionData):
3571         (JSC::ThrowableExpressionData::setExceptionSourceCode):
3572         (JSC::ThrowableExpressionData::divot):
3573         (JSC::ThrowableExpressionData::divotStart):
3574         (JSC::ThrowableExpressionData::divotEnd):
3575         (JSC::ThrowableSubExpressionData::ThrowableSubExpressionData):
3576         (JSC::ThrowableSubExpressionData::setSubexpressionInfo):
3577         (JSC::ThrowableSubExpressionData::subexpressionDivot):
3578         (JSC::ThrowableSubExpressionData::subexpressionStart):
3579         (JSC::ThrowableSubExpressionData::subexpressionEnd):
3580         (JSC::ThrowablePrefixedSubExpressionData::ThrowablePrefixedSubExpressionData):
3581         (JSC::ThrowablePrefixedSubExpressionData::setSubexpressionInfo):
3582         (JSC::ThrowablePrefixedSubExpressionData::subexpressionDivot):
3583         (JSC::ThrowablePrefixedSubExpressionData::subexpressionStart):
3584         (JSC::ThrowablePrefixedSubExpressionData::subexpressionEnd):
3585         - Use JSTextPosition instead of passing line and lineStart explicitly.
3586         * parser/Parser.cpp:
3587         (JSC::::Parser):
3588         (JSC::::parseInner):
3589         - Use JSTextPosition instead of passing line and lineStart explicitly.
3590         (JSC::::didFinishParsing):
3591         - Remove setting of m_lastLine value. We always pass in the value from
3592           m_lastLine anyway. So, this assignment is effectively a nop.
3593         (JSC::::parseVarDeclaration):
3594         (JSC::::parseVarDeclarationList):
3595         (JSC::::parseForStatement):
3596         (JSC::::parseBreakStatement):
3597         (JSC::::parseContinueStatement):
3598         (JSC::::parseReturnStatement):
3599         (JSC::::parseThrowStatement):
3600         (JSC::::parseWithStatement):
3601         (JSC::::parseTryStatement):
3602         (JSC::::parseBlockStatement):
3603         (JSC::::parseFunctionDeclaration):
3604         (JSC::LabelInfo::LabelInfo):
3605         (JSC::::parseExpressionOrLabelStatement):
3606         (JSC::::parseExpressionStatement):
3607         (JSC::::parseAssignmentExpression):
3608         (JSC::::parseBinaryExpression):
3609         (JSC::::parseProperty):
3610         (JSC::::parsePrimaryExpression):
3611         (JSC::::parseMemberExpression):
3612         (JSC::::parseUnaryExpression):
3613         - Use JSTextPosition instead of passing line and lineStart explicitly.
3614         * parser/Parser.h:
3615         (JSC::Parser::next):
3616         (JSC::Parser::nextExpectIdentifier):
3617         (JSC::Parser::getToken):
3618         (JSC::Parser::tokenStartPosition):
3619         (JSC::Parser::tokenEndPosition):
3620         (JSC::Parser::lastTokenEndPosition):
3621         (JSC::::parse):
3622         - Use JSTextPosition instead of passing line and lineStart explicitly.
3623         * parser/ParserTokens.h:
3624         (JSC::JSTextPosition::JSTextPosition):
3625         (JSC::JSTextPosition::operator+):
3626         (JSC::JSTextPosition::operator-):
3627         (JSC::JSTextPosition::operator int):
3628         - Added JSTextPosition.
3629         * parser/SyntaxChecker.h:
3630         (JSC::SyntaxChecker::makeFunctionCallNode):
3631         (JSC::SyntaxChecker::makeAssignNode):
3632         (JSC::SyntaxChecker::makePrefixNode):
3633         (JSC::SyntaxChecker::makePostfixNode):
3634         (JSC::SyntaxChecker::makeDeleteNode):
3635         (JSC::SyntaxChecker::createResolve):
3636         (JSC::SyntaxChecker::createBracketAccess):
3637         (JSC::SyntaxChecker::createDotAccess):
3638         (JSC::SyntaxChecker::createRegExp):
3639         (JSC::SyntaxChecker::createNewExpr):
3640         (JSC::SyntaxChecker::createAssignResolve):
3641         (JSC::SyntaxChecker::createForInLoop):
3642         (JSC::SyntaxChecker::createReturnStatement):
3643         (JSC::SyntaxChecker::createBreakStatement):
3644         (JSC::SyntaxChecker::createContinueStatement):
3645         (JSC::SyntaxChecker::createWithStatement):
3646         (JSC::SyntaxChecker::createLabelStatement):
3647         (JSC::SyntaxChecker::createThrowStatement):
3648         (JSC::SyntaxChecker::appendBinaryExpressionInfo):
3649         (JSC::SyntaxChecker::operatorStackPop):
3650         - Use JSTextPosition instead of passing line and lineStart explicitly.
3651
3652 2013-07-29  Carlos Garcia Campos  <cgarcia@igalia.com>
3653
3654         Unreviewed. Fix make distcheck.
3655
3656         * GNUmakefile.list.am: Add missing files to compilation.
3657         * bytecode/CodeBlock.cpp: Add an ENABLE(FTL_JIT) #if block to
3658         include FTL header files not included in the compilation.
3659         * dfg/DFGDriver.cpp: Ditto.
3660         * dfg/DFGPlan.cpp: Ditto.
3661
3662 2013-07-29  Chris Curtis  <chris_curtis@apple.com>
3663
3664         Eager stack trace for error objects.
3665         https://bugs.webkit.org/show_bug.cgi?id=118918
3666
3667         Reviewed by Geoffrey Garen.
3668         
3669         Chrome and Firefox give error objects the stack property and we wanted to match
3670         that functionality. This allows developers to see the stack without throwing an object.
3671
3672         * runtime/ErrorInstance.cpp:
3673         (JSC::ErrorInstance::finishCreation):
3674         For error objects that are not thrown as an exception, we pass the stackTrace in
3675         as a parameter. This allows the error object to have the stack property.
3676         
3677         * interpreter/Interpreter.cpp:
3678         (JSC::stackTraceAsString):
3679         Helper function used to eliminate duplicate code.
3680
3681         (JSC::Interpreter::addStackTraceIfNecessary):
3682         When an error object is created by the user, the vm->exceptionStack is not set.
3683         If the user throws this error object later, the stack that is in the error object
3684         may not be the correct stack for the throw, so when we set the vm->exceptionStack,
3685         the stack property on the error object is set as well.
3686         
3687         * runtime/ErrorConstructor.cpp:
3688         (JSC::constructWithErrorConstructor):
3689         (JSC::callErrorConstructor):
3690         * runtime/NativeErrorConstructor.cpp:
3691         (JSC::constructWithNativeErrorConstructor):
3692         (JSC::callNativeErrorConstructor):
3693         These functions indicate that the user created an error object. For all error objects 
3694         that the user explicitly creates, the topCallFrame is at a new frame created to 
3695         handle the user's call. In this case though, the error object needs the caller's 
3696         frame to create the stack trace correctly.
3697         
3698         * interpreter/Interpreter.h:
3699         * runtime/ErrorInstance.h:
3700         (JSC::ErrorInstance::create):
3701
3702 2013-07-29  Gavin Barraclough  <barraclough@apple.com>
3703
3704         Some cleanup in PropertySlot
3705         https://bugs.webkit.org/show_bug.cgi?id=119189
3706
3707         Reviewed by Geoff Garen.
3708
3709         PropertySlot represents a property in one of four states - value, getter, custom, or custom-index.
3710         The state is currently tracked redundantly by two mechanisms - the custom getter function (m_getValue)
3711         is set to a special value to indicate the type (other than custom), and the type is also tracked by
3712         an enum - but only if cacheable. Cacheability can typically be determined by the value of m_offset
3713         (this is invalidOffset if not cacheable).
3714
3715             * Internally, always track the type of the property using an enum value, PropertyType.
3716             * Use m_offset to indicate cacheable.
3717             * Keep the external interface (CachedPropertyType) unchanged.
3718             * Better pack data into the m_data union.
3719
3720         Performance neutral.
3721
3722         * dfg/DFGRepatch.cpp:
3723         (JSC::DFG::tryCacheGetByID):
3724         (JSC::DFG::tryBuildGetByIDList):
3725             - cachedPropertyType() -> isCacheable*()
3726         * jit/JITPropertyAccess.cpp:
3727         (JSC::JIT::privateCompileGetByIdProto):
3728         (JSC::JIT::privateCompileGetByIdSelfList):
3729         (JSC::JIT::privateCompileGetByIdProtoList):
3730         (JSC::JIT::privateCompileGetByIdChainList):
3731         (JSC::JIT::privateCompileGetByIdChain):
3732             - cachedPropertyType() -> isCacheable*()
3733         * jit/JITPropertyAccess32_64.cpp:
3734         (JSC::JIT::privateCompileGetByIdProto):
3735         (JSC::JIT::privateCompileGetByIdSelfList):
3736         (JSC::JIT::privateCompileGetByIdProtoList):
3737         (JSC::JIT::privateCompileGetByIdChainList):
3738         (JSC::JIT::privateCompileGetByIdChain):
3739             - cachedPropertyType() -> isCacheable*()
3740         * jit/JITStubs.cpp:
3741         (JSC::tryCacheGetByID):
3742             - cachedPropertyType() -> isCacheable*()
3743         * llint/LLIntSlowPaths.cpp:
3744         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3745             - cachedPropertyType() -> isCacheable*()
3746         * runtime/PropertySlot.cpp:
3747         (JSC::PropertySlot::functionGetter):
3748             - refactoring described above.
3749         * runtime/PropertySlot.h:
3750         (JSC::PropertySlot::PropertySlot):
3751         (JSC::PropertySlot::getValue):
3752         (JSC::PropertySlot::isCacheable):
3753         (JSC::PropertySlot::isCacheableValue):
3754         (JSC::PropertySlot::isCacheableGetter):
3755         (JSC::PropertySlot::isCacheableCustom):
3756         (JSC::PropertySlot::cachedOffset):
3757         (JSC::PropertySlot::customGetter):
3758         (JSC::PropertySlot::setValue):
3759         (JSC::PropertySlot::setCustom):
3760         (JSC::PropertySlot::setCacheableCustom):
3761         (JSC::PropertySlot::setCustomIndex):
3762         (JSC::PropertySlot::setGetterSlot):
3763         (JSC::PropertySlot::setCacheableGetterSlot):
3764         (JSC::PropertySlot::setUndefined):
3765         (JSC::PropertySlot::slotBase):
3766         (JSC::PropertySlot::setBase):
3767             - refactoring described above.
3768
3769 2013-07-28  Oliver Hunt  <oliver@apple.com>
3770
3771         REGRESSION: Crash when opening Facebook.com
3772         https://bugs.webkit.org/show_bug.cgi?id=119155
3773
3774         Reviewed by Andreas Kling.
3775
3776         Scope nodes are always objects, so we should be using SpecObjectOther
3777         rather than SpecCellOther.  Marking Scopes as CellOther leads to a
3778         contradiction in the CFA, resulting in bogus codegen.
3779
3780         * dfg/DFGAbstractInterpreterInlines.h:
3781         (JSC::DFG::::executeEffects):
3782         * dfg/DFGPredictionPropagationPhase.cpp:
3783         (JSC::DFG::PredictionPropagationPhase::propagate):
3784
3785 2013-07-26  Oliver Hunt  <oliver@apple.com>
3786
3787         REGRESSION(FTL?): Crashes in plugin tests
3788         https://bugs.webkit.org/show_bug.cgi?id=119141
3789
3790         Reviewed by Michael Saboff.
3791
3792         Re-export getStackTrace
3793
3794         * interpreter/Interpreter.h:
3795
3796 2013-07-26  Filip Pizlo  <fpizlo@apple.com>
3797
3798         REGRESSION: Crash when opening a message on Gmail
3799         https://bugs.webkit.org/show_bug.cgi?id=119105
3800
3801         Reviewed by Oliver Hunt and Mark Hahnenberg.
3802         
3803         - GetById patching in the DFG needs to be more disciplined about how it derives the
3804           slow path.
3805         
3806         - Fix some dumping code thread safety issues.
3807
3808         * bytecode/CallLinkStatus.cpp:
3809         (JSC::CallLinkStatus::dump):
3810         * bytecode/CodeBlock.cpp:
3811         (JSC::CodeBlock::dumpBytecode):
3812         * dfg/DFGRepatch.cpp:
3813         (JSC::DFG::getPolymorphicStructureList):
3814         (JSC::DFG::tryBuildGetByIDList):
3815
3816 2013-07-26  Balazs Kilvady  <kilvadyb@homejinni.com>
3817
3818         [mips] Fix LLINT build for mips backend
3819         https://bugs.webkit.org/show_bug.cgi?id=119152
3820
3821         Reviewed by Oliver Hunt.
3822
3823         * offlineasm/mips.rb:
3824
3825 2013-07-19  Mark Hahnenberg  <mhahnenberg@apple.com>
3826
3827         Setting a large numeric property on an object causes it to allocate a huge backing store
3828         https://bugs.webkit.org/show_bug.cgi?id=118914
3829
3830         Reviewed by Geoffrey Garen.
3831
3832         There are two distinct actions that we're trying to optimize for:
3833
3834         new Array(100000);
3835
3836         and:
3837
3838         a = [];
3839         a[100000] = 42;
3840         
3841         In the first case, the programmer has indicated that they expect this Array to be very big, 
3842         so they should get a contiguous array up until some threshold, above which we perform density 
3843         calculations to see if it is indeed dense enough to warrant being contiguous.
3844         
3845         In the second case, the programmer hasn't indicated anything about the size of the Array, so 
3846         we should be more conservative and assume it should be sparse until we've proven otherwise.
3847         
3848         Currently both of those cases are handled by MIN_SPARSE_ARRAY_INDEX. We should distinguish 
3849         between them for the purposes of not over-allocating large backing stores like we see on 
3850         http://www.peekanalytics.com/burgerjoints/
3851         
3852         The way that we'll do this is to keep the MIN_SPARSE_ARRAY_INDEX for the first case, and 
3853         introduce a new heuristic for the second case. If we are putting to an index above a certain 
3854         threshold (say, 1000) and it is beyond the length of the array, then we will use a sparse 
3855         map instead. So for example, in the second case above the empty array has a blank indexing 
3856         type and a length of 0. We put-by-val to an index > 1000 and > a.length, so we'll use a sparse map.
3857
3858         This fix is a ~800x speedup on the accompanying regression test :-o
3859
3860         * runtime/ArrayConventions.h:
3861         (JSC::indexIsSufficientlyBeyondLengthForSparseMap):
3862         * runtime/JSObject.cpp:
3863         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
3864         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
3865         (JSC::JSObject::putByIndexBeyondVectorLength):
3866         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
3867
3868 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
3869
3870         REGRESSION(FTL): Fix lots of crashes in sh4 baseline JIT.
3871         https://bugs.webkit.org/show_bug.cgi?id=119148
3872
3873         Reviewed by Csaba Osztrogonác.
3874
3875         * jit/JSInterfaceJIT.h: "secondArgumentRegister" is wrong for sh4.
3876         * llint/LowLevelInterpreter32_64.asm: "move t0, a0" is missing
3877         in nativeCallTrampoline for sh4. Reuse MIPS implementation to avoid
3878         code duplication.
3879
3880 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
3881
3882         REGRESSION(FTL): Crash in sh4 baseline JIT.
3883         https://bugs.webkit.org/show_bug.cgi?id=119138
3884
3885         Reviewed by Csaba Osztrogonác.
3886
3887         This crash is due to incomplete report of r150146 and r148474.
3888
3889         * jit/JITStubsSH4.h:
3890
3891 2013-07-26  Zan Dobersek  <zdobersek@igalia.com>
3892
3893         Unreviewed.
3894
3895         * Target.pri: Adding missing DFG files to the Qt build.
3896
3897 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3898
3899         GTK and Qt buildfix after the intrusive win buildfix r153360.
3900
3901         * GNUmakefile.list.am:
3902         * Target.pri:
3903
3904 2013-07-25  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
3905
3906         Unreviewed, fix build break after r153360.
3907
3908         * CMakeLists.txt: Add CommonSlowPathsExceptions.cpp.
3909
3910 2013-07-25  Roger Fong  <roger_fong@apple.com>
3911
3912         Unreviewed build fix, AppleWin port.
3913
3914         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3915         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3916         * JavaScriptCore.vcxproj/copy-files.cmd:
3917
3918 2013-07-25  Roger Fong  <roger_fong@apple.com>
3919
3920         Unreviewed. Followup to r153360.
3921
3922         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3923         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3924
3925 2013-07-25  Michael Saboff  <msaboff@apple.com>
3926
3927         [Windows] Speculative build fix.
3928
3929         Moved interpreterThrowInCaller() out of LLintExceptions.cpp into new CommonSlowPathsExceptions.cpp
3930         that is always compiled.  Made LLInt::returnToThrow() conditional on LLINT being enabled.
3931
3932         * JavaScriptCore.xcodeproj/project.pbxproj:
3933         * llint/LLIntExceptions.cpp:
3934         * llint/LLIntExceptions.h:
3935         * llint/LLIntSlowPaths.cpp:
3936         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3937         * runtime/CommonSlowPaths.cpp:
3938         (JSC::SLOW_PATH_DECL):
3939         * runtime/CommonSlowPathsExceptions.cpp: Added.
3940         (JSC::CommonSlowPaths::interpreterThrowInCaller):
3941         * runtime/CommonSlowPathsExceptions.h: Added.
3942
3943 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
3944
3945         [Windows] Unreviewed build fix.
3946
3947         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing IntendedStructureChange.h,.cpp and
3948         parser/SourceCode.h,.cpp.
3949         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
3950
3951 2013-07-25  Anders Carlsson  <andersca@apple.com>
3952
3953         ASSERT(m_vm->apiLock().currentThreadIsHoldingLock()); fails for Safari on current ToT
3954         https://bugs.webkit.org/show_bug.cgi?id=119108
3955
3956         Reviewed by Mark Hahnenberg.
3957
3958         Add a currentThreadIsHoldingAPILock() function to VM that checks if the current thread is the exclusive API thread.
3959
3960         * heap/CopiedSpace.cpp:
3961         (JSC::CopiedSpace::tryAllocateSlowCase):
3962         * heap/Heap.cpp:
3963         (JSC::Heap::protect):
3964         (JSC::Heap::unprotect):
3965         (JSC::Heap::collect):
3966         * heap/MarkedAllocator.cpp:
3967         (JSC::MarkedAllocator::allocateSlowCase):
3968         * runtime/JSGlobalObject.cpp:
3969         (JSC::JSGlobalObject::init):
3970         * runtime/VM.h:
3971         (JSC::VM::currentThreadIsHoldingAPILock):
3972
3973 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3974
3975         REGRESSION(FTL): Most layout tests crashes
3976         https://bugs.webkit.org/show_bug.cgi?id=119089
3977
3978         Reviewed by Oliver Hunt.
3979
3980         * runtime/ExecutionHarness.h:
3981         (JSC::prepareForExecution): Move prepareForExecutionImpl call into its own statement. This prevents the GCC-compiled