2013-08-21  Yi Shen  <max.hong.shen@gmail.com>

        https://bugs.webkit.org/show_bug.cgi?id=119900
        Exception in global setter doesn't unwind correctly

        Reviewed by Geoffrey Garen.

        Call VM_THROW_EXCEPTION_AT_END in op_put_to_scope if the setter throws an exception.

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        Rename/refactor setButterfly/setStructure
        https://bugs.webkit.org/show_bug.cgi?id=120138

        Reviewed by Geoffrey Garen.

        setButterfly becomes setStructureAndButterfly.

        Also removed the Butterfly* argument from setStructure and just implicitly
        used m_butterfly internally since that's what every single client of setStructure
        was doing already.

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSObject.cpp:
        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
        (JSC::JSObject::createInitialUndecided):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToContiguous):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::genericConvertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::switchToSlowPutArrayStorage):
        (JSC::JSObject::setPrototype):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::seal):
        (JSC::JSObject::freeze):
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        (JSC::JSObject::removeDirect):
        * runtime/JSObject.h:
        (JSC::JSObject::setStructureAndButterfly):
        (JSC::JSObject::setStructure):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
        (JSC::JSObject::putDirectWithoutTransition):
        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure):

2013-08-21  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120127
        Remove JSObject::propertyIsEnumerable

        Unreviewed typo fix

        * runtime/JSObject.h:
            - fix typo

2013-08-21  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120139
        PropertyDescriptor argument to define methods should be const

        Rubber stamped by Sam Weinig.

        This should never be modified, and this way we can use rvalues.

        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::defineOwnProperty):
        * debugger/DebuggerActivation.h:
        * runtime/Arguments.cpp:
        (JSC::Arguments::defineOwnProperty):
        * runtime/Arguments.h:
        * runtime/ClassInfo.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        * runtime/JSArray.h:
        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::defineOwnProperty):
        * runtime/JSArrayBuffer.h:
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::defineOwnProperty):
        * runtime/JSArrayBufferView.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::defineOwnProperty):
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSFunction.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::::defineOwnProperty):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::defineOwnProperty):
        * runtime/JSGlobalObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::putIndexedDescriptor):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::putDescriptor):
        (JSC::JSObject::defineOwnNonIndexProperty):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::defineOwnProperty):
        * runtime/JSProxy.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::defineOwnProperty):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::defineOwnProperty):
        * runtime/RegExpObject.h:
        * runtime/StringObject.cpp:
        (JSC::StringObject::defineOwnProperty):
        * runtime/StringObject.h:
            - make PropertyDescriptor const

2013-08-21  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION: Crash under JITCompiler::link while loading Gmail
        https://bugs.webkit.org/show_bug.cgi?id=119872

        Reviewed by Mark Hahnenberg.

        Apparently, unsigned + signed = unsigned. Work around it with a cast.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2013-08-21  Alex Christensen  <achristensen@apple.com>

        <https://webkit.org/b/120137> Separating Win32 and Win64 builds.

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
        Pass PlatformArchitecture as a command line parameter to bash scripts.
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
        * JavaScriptCore.vcxproj/build-generated-files.sh:
        Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).

2013-08-21  Filip Pizlo  <fpizlo@apple.com>

        Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView
        https://bugs.webkit.org/show_bug.cgi?id=120099

        Reviewed by Mark Hahnenberg.

        JSDataView should not store the ArrayBuffer* in the butterfly indexing header, since
        JSDataView may have ordinary JS indexed properties.

        * runtime/ClassInfo.h:
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        (JSC::JSArrayBufferView::finishCreation):
        * runtime/JSArrayBufferView.h:
        (JSC::hasArrayBuffer):
        * runtime/JSArrayBufferViewInlines.h:
        (JSC::JSArrayBufferView::buffer):
        (JSC::JSArrayBufferView::neuter):
        (JSC::JSArrayBufferView::byteOffset):
        * runtime/JSCell.cpp:
        (JSC::JSCell::slowDownAndWasteMemory):
        * runtime/JSCell.h:
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::JSDataView):
        (JSC::JSDataView::create):
        (JSC::JSDataView::slowDownAndWasteMemory):
        * runtime/JSDataView.h:
        (JSC::JSDataView::buffer):
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::::visitChildren):
        (JSC::::slowDownAndWasteMemory):

2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove incorrect ASSERT from CopyVisitor::visitItem

        Rubber stamped by Filip Pizlo.

        * heap/CopyVisitorInlines.h:
        (JSC::CopyVisitor::visitItem):

2013-08-21  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120127
        Remove JSObject::propertyIsEnumerable

        Reviewed by Sam Weinig.

        This method is just a wart - it contains unnecessary const-casting, function call overhead, and LOC.

        * runtime/JSObject.cpp:
        * runtime/JSObject.h:
            - remove propertyIsEnumerable
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncPropertyIsEnumerable):
            - Move implementation here using getOwnPropertyDescriptor directly.

2013-08-20  Filip Pizlo  <fpizlo@apple.com>

        DFG should inline new typedArray()
        https://bugs.webkit.org/show_bug.cgi?id=120022

        Reviewed by Oliver Hunt.

        Adds inlining of typed array allocations in the DFG. Any operation of the
        form:

            new foo(blah)

        or:

            foo(blah)

        where 'foo' is a typed array constructor and 'blah' is exactly one argument,
        is turned into the NewTypedArray intrinsic. Later, if child1 (i.e. 'blah')
        is predicted integer, we generate inline code for an allocation. Otherwise
        it turns into a call to an operation that behaves like the constructor would
        if it was passed one argument (i.e. it may wrap a buffer or it may create a
        copy of another array, or it may allocate an array of that length).

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromTypedArrayType):
        (JSC::speculationFromClassInfo):
        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasTypedArrayType):
        (JSC::DFG::Node::typedArrayType):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::newTypedArrayWithSize):
        (JSC::DFG::newTypedArrayWithOneArgument):
        * dfg/DFGOperations.h:
        (JSC::DFG::operationNewTypedArrayWithSizeForType):
        (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_object):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_new_object):
        * runtime/JSArray.h:
        (JSC::JSArray::allocationSize):
        * runtime/JSArrayBufferView.h:
        (JSC::JSArrayBufferView::allocationSize):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayView):
        * runtime/JSObject.h:
        (JSC::JSFinalObject::allocationSize):
        * runtime/TypedArrayType.cpp:
        (JSC::constructorClassInfoForType):
        * runtime/TypedArrayType.h:
        (JSC::indexToTypedArrayType):

2013-08-21  Julien Brianceau  <jbrianceau@nds.com>

        <https://webkit.org/b/120106> Fix V_DFGOperation_EJPP signature in DFG.

        Reviewed by Geoffrey Garen.

        * dfg/DFGOperations.h:

2013-08-20  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120093
        Remove getOwnPropertyDescriptor trap

        Reviewed by Geoff Garen.

        All implementations of this method are now called via the method table, and equivalent in behaviour.
        Remove all duplicate implementations (and the method table trap), and add a single member function implementation on JSObject.

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        * debugger/DebuggerActivation.cpp:
        * debugger/DebuggerActivation.h:
        * runtime/Arguments.cpp:
        * runtime/Arguments.h:
        * runtime/ArrayConstructor.cpp:
        * runtime/ArrayConstructor.h:
        * runtime/ArrayPrototype.cpp:
        * runtime/ArrayPrototype.h:
        * runtime/BooleanPrototype.cpp:
        * runtime/BooleanPrototype.h:
            - remove getOwnPropertyDescriptor
        * runtime/ClassInfo.h:
            - remove getOwnPropertyDescriptor from MethodTable
        * runtime/DateConstructor.cpp:
        * runtime/DateConstructor.h:
        * runtime/DatePrototype.cpp:
        * runtime/DatePrototype.h:
        * runtime/ErrorPrototype.cpp:
        * runtime/ErrorPrototype.h:
        * runtime/JSActivation.cpp:
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        * runtime/JSArray.h:
        * runtime/JSArrayBuffer.cpp:
        * runtime/JSArrayBuffer.h:
        * runtime/JSArrayBufferView.cpp:
        * runtime/JSArrayBufferView.h:
        * runtime/JSCell.cpp:
        * runtime/JSCell.h:
        * runtime/JSDataView.cpp:
        * runtime/JSDataView.h:
        * runtime/JSDataViewPrototype.cpp:
        * runtime/JSDataViewPrototype.h:
        * runtime/JSFunction.cpp:
        * runtime/JSFunction.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSNotAnObject.h:
        * runtime/JSONObject.cpp:
        * runtime/JSONObject.h:
            - remove getOwnPropertyDescriptor
        * runtime/JSObject.cpp:
        (JSC::JSObject::propertyIsEnumerable):
            - switch to call new getOwnPropertyDescriptor member function
        (JSC::JSObject::getOwnPropertyDescriptor):
            - new, based on implementation from GET_OWN_PROPERTY_DESCRIPTOR_IMPL
        (JSC::JSObject::defineOwnNonIndexProperty):
            - switch to call new getOwnPropertyDescriptor member function
        * runtime/JSObject.h:
        * runtime/JSProxy.cpp:
        * runtime/JSProxy.h:
        * runtime/NamePrototype.cpp:
        * runtime/NamePrototype.h:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberConstructor.h:
        * runtime/NumberPrototype.cpp:
        * runtime/NumberPrototype.h:
            - remove getOwnPropertyDescriptor
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
            - switch to call new getOwnPropertyDescriptor member function
        * runtime/ObjectConstructor.h:
            - remove getOwnPropertyDescriptor
        * runtime/PropertyDescriptor.h:
            - remove GET_OWN_PROPERTY_DESCRIPTOR_IMPL
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.cpp:
        * runtime/RegExpMatchesArray.h:
        * runtime/RegExpObject.cpp:
        * runtime/RegExpObject.h:
        * runtime/RegExpPrototype.cpp:
        * runtime/RegExpPrototype.h:
        * runtime/StringConstructor.cpp:
        * runtime/StringConstructor.h:
        * runtime/StringObject.cpp:
        * runtime/StringObject.h:
            - remove getOwnPropertyDescriptor

2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        <https://webkit.org/b/120079> Flattening a dictionary can cause CopiedSpace corruption

        Reviewed by Oliver Hunt.

        When we flatten an object in dictionary mode, we compact its properties. If the object
        had out-of-line storage in the form of a Butterfly prior to this compaction, and after
        compaction its properties fit inline, the object's Structure "forgets" that the object
        has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes
        with bytes = 0, which causes all sorts of badness in CopiedSpace.

        Instead, after we flatten a dictionary, if properties fit inline we should clear the
        Butterfly pointer so that the GC doesn't get confused later.

        This patch does this clearing, and it also adds JSObject::checkStructure, which overrides
        JSCell::checkStructure to add an ASSERT that makes sure that the Structure being assigned
        agrees with whether or not the object has a Butterfly. Also added an ASSERT to check
        that the number of bytes reported to SlotVisitor::copyLater is non-zero.

        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::copyLater):
        * runtime/JSObject.cpp:
        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToContiguous):
        (JSC::JSObject::genericConvertDoubleToContiguous):
        (JSC::JSObject::switchToSlowPutArrayStorage):
        (JSC::JSObject::setPrototype):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::seal):
        (JSC::JSObject::freeze):
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        (JSC::JSObject::removeDirect):
        * runtime/JSObject.h:
        (JSC::JSObject::setButterfly):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::setStructure):
        (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure):

2013-08-20  Alex Christensen  <achristensen@apple.com>

        Compile fix for Win64 after r154156.

        Rubber stamped by Oliver Hunt.

        * jit/JITStubsMSVC64.asm:
        Renamed ctiVMThrowTrampolineSlowpath to ctiVMHandleException and
        cti_vm_throw_slowpath to cti_vm_handle_exception.

2013-08-20  Alex Christensen  <achristensen@apple.com>

        <https://webkit.org/b/120076> More work towards a Win64 build

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
        * JavaScriptCore.vcxproj/copy-files.cmd:
        * JavaScriptCore.vcxproj/jsc/jscCommon.props:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
        Use PlatformArchitecture macro instead of bin32, lib32, and obj32.

2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML

        Reviewed by Geoffrey Garen.

        More fixes for WriteBarrier deferral during concurrent JIT-ing. This patch makes the use of DesiredWriteBarriers class and the
        initializeLazyWriteBarrierFor* wrapper functions more sane.

        Refactored DesiredWriteBarrier to require an owner, a type, a CodeBlock, and an index. The type indicates how to use the CodeBlock
        and index when triggering the WriteBarrier at the end of compilation.

        The client code of initializeLazy* is now responsible for creating the WriteBarrier that will be initialized as well as passing
        in the relevant index to be used at the end of compilation. Things were kind of muddled before in that one function did a
        little extra work that really shouldn't have been its responsibility.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addConstant):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGDesiredWriteBarriers.cpp:
        (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
        (JSC::DFG::DesiredWriteBarrier::trigger):
        * dfg/DFGDesiredWriteBarriers.h:
        (JSC::DFG::DesiredWriteBarriers::add):
        (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameExecutable):
        (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameCallee):
        (JSC::DFG::initializeLazyWriteBarrierForConstant):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::truncateConstantToInt32):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::constantRegisterForConstant):

2013-08-20  Michael Saboff  <msaboff@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120075
        REGRESSION (r128400): BBC4 website not displaying pictures

        Reviewed by Oliver Hunt.

        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::createStructure): Changed the array IndexingType to be ArrayWithSlowPutArrayStorage
        so that the match results will be reified before any other modification to the results array.

2013-08-19  Filip Pizlo  <fpizlo@apple.com>

        Incorrect behavior on emscripten-compiled cube2hash
        https://bugs.webkit.org/show_bug.cgi?id=120033

        Reviewed by Mark Hahnenberg.

        If PutClosureVar is may-aliased to another PutClosureVar or GetClosureVar
        then we should bail attempts to CSE.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::scopedVarLoadElimination):
        (JSC::DFG::CSEPhase::scopedVarStoreElimination):

2013-08-20  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120073
        Remove use of GOPD from JSFunction::defineProperty

        Reviewed by Oliver Hunt.

        Call getOwnPropertySlot to check for existing properties instead.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::defineOwnProperty):
            - getOwnPropertyDescriptor -> getOwnPropertySlot

2013-08-20  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120067
        Remove getPropertyDescriptor

        Reviewed by Oliver Hunt.

        This is used by lookupGetter/lookupSetter - this can easily be replaced by getPropertySlot.
        Since we'll be getting the GetterSetter from the slot in the setter case, rename isGetter() to isAccessor().

        * runtime/JSObject.cpp:
        * runtime/JSObject.h:
            - remove getPropertyDescriptor
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):
            - replace call to getPropertyDescriptor with getPropertySlot
        * runtime/PropertyDescriptor.h:
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::isAccessor):
        (JSC::PropertySlot::isCacheableGetter):
        (JSC::PropertySlot::getterSetter):
            - rename isGetter() to isAccessor()

2013-08-20  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120054
        Remove some dead code following getOwnPropertyDescriptor cleanup

        Reviewed by Oliver Hunt.

        * runtime/Lookup.h:
        (JSC::getStaticFunctionSlot):
            - remove getStaticPropertyDescriptor, getStaticFunctionDescriptor, getStaticValueDescriptor.

2013-08-20  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120052
        Remove custom getOwnPropertyDescriptor for JSProxy

        Reviewed by Geoff Garen.

        GET_OWN_PROPERTY_DESCRIPTOR_IMPL runs afoul of JSProxy due to the workaround for JSDOMWindow's broken behavior.
        Because the window object incorrectly searches the prototype chain in getOwnPropertySlot we check that the base
        object matches, but in the case of JSProxy we can end up comparing the window object to the window shell & falsely
        assuming this is a prototype property. Add toThis conversion to correctly identify proxied own access. I've kept
        the original slotBase check as a fast case, and also so that direct access on JSDOMWindow still works.

        * runtime/JSProxy.cpp:
            - Remove custom getOwnPropertyDescriptor implementation.
        * runtime/PropertyDescriptor.h:
            - Modify own property access check to perform toThis conversion.

2013-08-20  Alex Christensen  <achristensen@apple.com>

        Use PlatformArchitecture to distinguish between 32-bit and 64-bit builds on Windows.
        https://bugs.webkit.org/show_bug.cgi?id=119512

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
        Replaced obj32, bin32, and lib32 with macros for 64-bit build.

2013-08-20  Julien Brianceau  <jbrianceau@nds.com>

        <https://webkit.org/b/120062> Missing ensureSpace call in sh4 baseline JIT.

        Reviewed by Allan Sandfeld Jensen.

        branchPtrWithPatch() of baseline JIT must ensure that space is available for its
        instructions and two constants now that DFG is enabled for sh4 architecture.
        These missing ensureSpace calls lead to random crashes.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branchPtrWithPatch):

2013-08-19  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120034
        Remove custom getOwnPropertyDescriptor for global objects

        Reviewed by Geoff Garen.

        Fix attributes of JSC SymbolTableObject entries, ensure that cross frame access is safe, and suppress prototype chain walk.

        * runtime/JSGlobalObject.cpp:
            - Remove custom getOwnPropertyDescriptor implementation.
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTableGet):
            - The symbol table does not store the DontDelete attribute; we should be adding it back in.
        * runtime/PropertyDescriptor.h:
            - JSDOMWindow walks the prototype chain on own access. This is bad, but for now workaround for the getOwnPropertyDescriptor case.
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::setUndefined):
            - This is used by WebCore when blocking access to properties on cross-frame access.
              Mark blocked properties as read-only, non-configurable to prevent defineProperty.

2013-08-17  Filip Pizlo  <fpizlo@apple.com>

        DFG should inline typedArray.byteOffset
        https://bugs.webkit.org/show_bug.cgi?id=119962

        Reviewed by Oliver Hunt.

        This adds a new node, GetTypedArrayByteOffset, which inlines
        typedArray.byteOffset.

        Also, I improved a bunch of the clobbering logic related to typed arrays
        and clobbering in general. For example, PutByOffset/PutStructure are not
        clobber-world so they can be handled by most default cases in CSE. Also,
        it's better to use the 'Class_field' notation for typed arrays now that
        they no longer involve magical descriptor thingies.

        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::neverNeedsStorage):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::checkArrayElimination):
        (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
        (JSC::DFG::FixupPhase::convertToGetArrayLength):
        (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        * runtime/ArrayBuffer.h:
        (JSC::ArrayBuffer::offsetOfData):
        * runtime/Butterfly.h:
        (JSC::Butterfly::offsetOfArrayBuffer):
        * runtime/IndexingHeader.h:
        (JSC::IndexingHeader::offsetOfArrayBuffer):

2013-08-18  Filip Pizlo  <fpizlo@apple.com>

        <https://webkit.org/b/119994> DFG new Array() inlining could get confused about global objects

        Reviewed by Geoffrey Garen.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):

2013-08-18  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=119995
        Start removing custom implementations of getOwnPropertyDescriptor

        Reviewed by Oliver Hunt.

        This can now typically be implemented in terms of getOwnPropertySlot.
        Add a macro to PropertyDescriptor to define an implementation of GOPD in terms of GOPS.
        Switch over most classes in JSC & the WebCore bindings generator to use this.

        * API/JSCallbackObjectFunctions.h:
        * debugger/DebuggerActivation.cpp:
        * runtime/Arguments.cpp:
        * runtime/ArrayConstructor.cpp:
        * runtime/ArrayPrototype.cpp:
        * runtime/BooleanPrototype.cpp:
        * runtime/DateConstructor.cpp:
        * runtime/DatePrototype.cpp:
        * runtime/ErrorPrototype.cpp:
        * runtime/JSActivation.cpp:
        * runtime/JSArray.cpp:
        * runtime/JSArrayBuffer.cpp:
        * runtime/JSArrayBufferView.cpp:
        * runtime/JSCell.cpp:
        * runtime/JSDataView.cpp:
        * runtime/JSDataViewPrototype.cpp:
        * runtime/JSFunction.cpp:
        * runtime/JSGenericTypedArrayViewInlines.h:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSONObject.cpp:
        * runtime/JSObject.cpp:
        * runtime/NamePrototype.cpp:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberPrototype.cpp:
        * runtime/ObjectConstructor.cpp:
            - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
        * runtime/PropertyDescriptor.h:
            - Added GET_OWN_PROPERTY_DESCRIPTOR_IMPL macro.
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::isValue):
        (JSC::PropertySlot::isGetter):
        (JSC::PropertySlot::isCustom):
        (JSC::PropertySlot::isCacheableValue):
        (JSC::PropertySlot::isCacheableGetter):
        (JSC::PropertySlot::isCacheableCustom):
        (JSC::PropertySlot::attributes):
        (JSC::PropertySlot::getterSetter):
            - Add accessors necessary to convert PropertySlot to descriptor.
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpMatchesArray.cpp:
        * runtime/RegExpMatchesArray.h:
        * runtime/RegExpObject.cpp:
        * runtime/RegExpPrototype.cpp:
        * runtime/StringConstructor.cpp:
        * runtime/StringObject.cpp:
            - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.

2013-08-19  Michael Saboff  <msaboff@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120015 DFG 32Bit: Crash loading "Classic" site @ translate.google.com

        Reviewed by Sam Weinig.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell): Added checks for spillFormat being
        DataFormatInteger or DataFormatDouble similar to what is in the 64 bit code and in
        all versions of fillSpeculateBoolean().

2013-08-19  Michael Saboff  <msaboff@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120020 Change Set 154207 causes wrong register to be used for 32 bit tests

        Reviewed by Benjamin Poulain.

        Change branchTest32 to only use the byte for 8 bit test on the lower 4 registers.
        Registers 4 through 7 as byte registers are ah, ch, dh and bh instead of sp, bp, si and di.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::branchTest32):

2013-08-16  Oliver Hunt  <oliver@apple.com>

        <https://webkit.org/b/119860> Crash during exception unwinding

        Reviewed by Filip Pizlo.

        Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error
        to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node.

        We need this so that Throw and ThrowReferenceError no longer need to be treated as
        terminals and the subsequent flush keeps the activation (and other registers) live.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isTerminal):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-08-19  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>

        <https://webkit.org/b/120008> [GTK][ARM] javascriptcore compilation is broken

        Reviewed by Oliver Hunt.

        Guard the compilation of these files only if DFG_JIT is enabled.

        * dfg/DFGDesiredTransitions.cpp:
        * dfg/DFGDesiredTransitions.h:
        * dfg/DFGDesiredWeakReferences.cpp:
        * dfg/DFGDesiredWeakReferences.h:
        * dfg/DFGDesiredWriteBarriers.cpp:
        * dfg/DFGDesiredWriteBarriers.h:

2013-08-17  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r154218): DFG::FixupPhase no longer turns GetById's child1 into CellUse
        https://bugs.webkit.org/show_bug.cgi?id=119961

        Reviewed by Mark Hahnenberg.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2013-08-18  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=119972
        Add attributes field to PropertySlot

        Reviewed by Geoff Garen.

        For all JSC types, this makes getOwnPropertyDescriptor redundant.
        There will be a bit more hacking required in WebCore to remove GOPD whilst maintaining current behaviour.
        (Current behaviour is in many ways broken, particularly in that GOPD & GOPS are inconsistent, but we should fix incrementally).

        No performance impact.

        * runtime/PropertySlot.h:
        (JSC::PropertySlot::setValue):
        (JSC::PropertySlot::setCustom):
        (JSC::PropertySlot::setCacheableCustom):
        (JSC::PropertySlot::setCustomIndex):
        (JSC::PropertySlot::setGetterSlot):
        (JSC::PropertySlot::setCacheableGetterSlot):
            - These methods now all require 'attributes'.
        * runtime/JSObject.h:
        (JSC::JSObject::getDirect):
        (JSC::JSObject::getDirectOffset):
        (JSC::JSObject::inlineGetOwnPropertySlot):
            - Added variants of getDirect, getDirectOffset that return the attributes.
        * API/JSCallbackObjectFunctions.h:
        (JSC::::getOwnPropertySlot):
        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertySlotByIndex):
        (JSC::Arguments::getOwnPropertySlot):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTableGet):
        (JSC::JSActivation::getOwnPropertySlot):
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnPropertySlot):
        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::getOwnPropertySlot):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::getOwnPropertySlot):
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::getOwnPropertySlot):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::::getOwnPropertySlot):
        (JSC::::getOwnPropertySlotByIndex):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::fillGetterPropertySlot):
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTableGet):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::getStaticPropertySlot):
        (JSC::getStaticPropertyDescriptor):
        (JSC::getStaticValueSlot):
        (JSC::getStaticValueDescriptor):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnPropertySlot):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayEntry::get):
            - Pass attributes to PropertySlot::set* methods.

2013-08-17  Mark Hahnenberg  <mhahnenberg@apple.com>

        <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML

        Reviewed by Filip Pizlo.

        Added a new mode for DesiredWriteBarrier that allows it to track a position in a
        Vector of WriteBarriers rather than the specific address. The fact that we were
        arbitrarily storing into a Vector's backing store for constants at the end of
        compilation after the Vector could have resized was causing crashes.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::constants):
        (JSC::CodeBlock::addConstantLazily):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addConstant):
        * dfg/DFGDesiredWriteBarriers.cpp:
        (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
        (JSC::DFG::DesiredWriteBarrier::trigger):
        (JSC::DFG::initializeLazyWriteBarrierForConstant):
        * dfg/DFGDesiredWriteBarriers.h:
        (JSC::DFG::DesiredWriteBarriers::add):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::truncateConstantToInt32):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::constantRegisterForConstant):

2013-08-16  Filip Pizlo  <fpizlo@apple.com>

        DFG should optimize typedArray.byteLength
        https://bugs.webkit.org/show_bug.cgi?id=119909

        Reviewed by Oliver Hunt.

        This adds typedArray.byteLength inlining to the DFG, and does so without changing
        the IR: byteLength is turned into GetArrayLength followed by BitLShift. This is
        legal since the byteLength of a typed array cannot exceed
        numeric_limits<int32_t>::max().

        * bytecode/SpeculatedType.cpp:
        (JSC::typedArrayTypeFromSpeculation):
        * bytecode/SpeculatedType.h:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::toArrayType):
        * dfg/DFGArrayMode.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
        (JSC::DFG::FixupPhase::attemptToMakeGetByteLength):
        (JSC::DFG::FixupPhase::convertToGetArrayLength):
        (JSC::DFG::FixupPhase::prependGetArrayLength):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::constantRegisterForConstant):
        (JSC::DFG::Graph::convertToConstant):
        * runtime/TypedArrayType.h:
        (JSC::logElementSize):
        (JSC::elementSize):

2013-08-16  Filip Pizlo  <fpizlo@apple.com>

        DFG optimizes out strict mode arguments tear off
        https://bugs.webkit.org/show_bug.cgi?id=119504

        Reviewed by Mark Hahnenberg and Oliver Hunt.

        Don't do the optimization for strict mode.

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        (JSC::DFG::ArgumentsSimplificationPhase::pruneObviousArgumentCreations):

2013-08-16  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] x86: improve code generation for xxxTest32
        https://bugs.webkit.org/show_bug.cgi?id=119876

        Reviewed by Geoffrey Garen.

        Try to use testb whenever possible when testing for an immediate value.

        When the input is an address and an offset, we can tweak the mask
        and offset to be able to generate testb for any byte of the mask.

        When the input is a register, we can use testb if we are only interested
        in testing the low bits.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::branchTest32):
        (JSC::MacroAssemblerX86Common::test32):
        (JSC::MacroAssemblerX86Common::generateTest32):

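The testb narrowing described in the entry above (bug 119876) and the branchTest32 byte-register fix further up (bug 120020) are two sides of one x86 encoding rule: a 32-bit `test reg, imm32` can be shrunk to an 8-bit `test r8, imm8` only when the mask is confined to the low byte, and without a REX prefix (which 32-bit mode never has) the ModRM values 4..7 name ah/ch/dh/bh rather than the low byte of esp/ebp/esi/edi. The following is an added example, not code from WebKit's MacroAssemblerX86Common.h or X86Assembler.h: a toy C++ model of that rule. It assumes a minimal ModRM encoder for `test` with an immediate (opcodes F7 /0 id and F6 /0 ib), the eight 32-bit registers in ModRM order, and a flag for 64-bit mode; every function name is invented for the example.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Added example (not WebKit code): a toy model of how an x86 assembler decides
// whether a 32-bit "test" against an immediate can be narrowed to "testb", and
// why 32-bit mode may only do that for the first four registers.
// Register ids follow the ModRM encoding order.
enum Reg : uint8_t { EAX = 0, ECX, EDX, EBX, ESP, EBP, ESI, EDI };

// The 8-bit register that ModRM field `id` names when no REX prefix is present
// (always the case on 32-bit x86). Ids 4..7 mean AH/CH/DH/BH, the high bytes of
// EAX..EBX, not the low bytes of ESP..EDI.
std::string byteRegisterNameNoRex(uint8_t id) {
    static const char* names[8] = { "al", "cl", "dl", "bl", "ah", "ch", "dh", "bh" };
    return names[id & 7];
}

// With any REX prefix (x86-64 only), ids 4..7 instead name SPL/BPL/SIL/DIL.
std::string byteRegisterNameWithRex(uint8_t id) {
    static const char* names[8] = { "al", "cl", "dl", "bl", "spl", "bpl", "sil", "dil" };
    return names[id & 7];
}

// 32-bit mode cannot emit a REX prefix, so the low byte of a register is only
// addressable for EAX..EBX. This is the condition the branchTest32 fix restores.
bool lowByteAddressable(uint8_t reg, bool is64BitMode) {
    return is64BitMode || reg < 4;
}

// test r32, imm32 -> F7 /0 id. With mod=11 and reg field 0, ModRM = 0xC0 | rm.
std::vector<uint8_t> encodeTest32(uint8_t reg, uint32_t mask) {
    std::vector<uint8_t> out = { 0xF7, (uint8_t)(0xC0 | (reg & 7)) };
    for (int i = 0; i < 4; ++i)
        out.push_back((uint8_t)(mask >> (8 * i))); // little-endian imm32
    return out;
}

// test r8, imm8 -> [REX] F6 /0 ib. The empty REX (0x40) is what turns
// ids 4..7 into spl/bpl/sil/dil; it does not exist in 32-bit mode.
std::vector<uint8_t> encodeTest8(uint8_t reg, uint8_t mask8, bool withRex) {
    std::vector<uint8_t> out;
    if (withRex)
        out.push_back(0x40);
    out.push_back(0xF6);
    out.push_back((uint8_t)(0xC0 | (reg & 7)));
    out.push_back(mask8);
    return out;
}

// Register operand: narrow to testb only when the mask is confined to the low
// byte and that byte is addressable; otherwise keep the 32-bit form. Emitting
// F6 C6 01 for "test esi, 1" on 32-bit would really test dh, the original bug.
std::vector<uint8_t> emitTestRegImm(uint8_t reg, uint32_t mask, bool is64BitMode) {
    bool lowByteOnly = mask != 0 && (mask & ~0xFFu) == 0;
    if (lowByteOnly && lowByteAddressable(reg, is64BitMode))
        return encodeTest8(reg, (uint8_t)mask, /*withRex=*/is64BitMode && reg >= 4);
    return encodeTest32(reg, mask);
}

// Memory operand: any single byte of the mask can be tested, because byte i of
// a little-endian dword stored at [base+offset] lives at [base+offset+i].
// Returns true and fills outOffset/outMask8 when narrowing is possible.
bool narrowMemoryTest(int32_t offset, uint32_t mask, int32_t& outOffset, uint8_t& outMask8) {
    if (mask == 0)
        return false; // a zero mask is always zero; nothing sensible to narrow
    for (int i = 0; i < 4; ++i) {
        uint32_t byteMask = 0xFFu << (8 * i);
        if ((mask & ~byteMask) == 0) { // every set bit sits inside byte i
            outOffset = offset + i;
            outMask8 = (uint8_t)(mask >> (8 * i));
            return true;
        }
    }
    return false; // bits spread over more than one byte: keep test32
}
```

The cases worth stepping through are `emitTestRegImm(ESI, 1, false)`, which stays a six-byte `F7 C6 01 00 00 00` because 32-bit mode has no way to name sil, versus `emitTestRegImm(ESI, 1, true)`, which becomes `40 F6 C6 01`; dropping the REX byte from the latter yields an instruction that tests dh. For the memory form, a mask of 0x00FF0000 at offset 8 narrows to a byte test of 0xFF at offset 10.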
2013-08-16  Mark Lam  <mark.lam@apple.com>

        <https://bugs.webkit.org/show_bug.cgi?id=119913> Baseline JIT gives erroneous
        error message that an object is not a constructor though it expects a function

        Reviewed by Michael Saboff.

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2013-08-16  Filip Pizlo  <fpizlo@apple.com>

        Object properties added using dot syntax (o.f = ...) from code that isn't in eval should be less likely to cause an object to become a dictionary
        https://bugs.webkit.org/show_bug.cgi?id=119897

        Reviewed by Oliver Hunt.

        6-10x speed-up on microbenchmarks that create large static objects. 40-65% speed-up
        on Octane/gbemu. 3% overall speed-up on Octane. No slow-downs anywhere; our ability
        to turn objects into dictionaries when you're storing using bracket syntax or using
        eval is still in place.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::putByIdContext):
        * dfg/DFGOperations.cpp:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirectInternal):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::PutPropertySlot):
        (JSC::PutPropertySlot::context):
        * runtime/Structure.cpp:
        (JSC::Structure::addPropertyTransition):
        * runtime/Structure.h:

2013-08-16  Balazs Kilvady  <kilvadyb@homejinni.com>

        <https://webkit.org/b/119742> REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException

        Reviewed by Allan Sandfeld Jensen.

        ctiVMHandleException must jump/return using register ra (r31).

        * jit/JITStubsMIPS.h:

2013-08-16  Julien Brianceau  <jbrianceau@nds.com>

        <https://webkit.org/b/119879> Fix sh4 build after r154156.

        Reviewed by Allan Sandfeld Jensen.

        Fix typo in JITStubsSH4.h file.

        * jit/JITStubsSH4.h:

2013-08-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        <https://webkit.org/b/119833> Concurrent compilation thread should not trigger WriteBarriers

        Reviewed by Oliver Hunt.

        The concurrent compilation thread should interact minimally with the Heap, including not
        triggering WriteBarriers. This is a prerequisite for generational GC.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::addOrFindConstant):
        (JSC::CodeBlock::findConstant):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addConstantLazily):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getJSConstantForValue):
        (JSC::DFG::ByteCodeParser::constantUndefined):
        (JSC::DFG::ByteCodeParser::constantNull):
        (JSC::DFG::ByteCodeParser::one):
        (JSC::DFG::ByteCodeParser::constantNaN):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::notifyCompilingStructureTransition):
        * dfg/DFGCommonData.h:
        * dfg/DFGDesiredTransitions.cpp: Added.
        (JSC::DFG::DesiredTransition::DesiredTransition):
        (JSC::DFG::DesiredTransition::reallyAdd):
        (JSC::DFG::DesiredTransitions::DesiredTransitions):
        (JSC::DFG::DesiredTransitions::~DesiredTransitions):
        (JSC::DFG::DesiredTransitions::addLazily):
        (JSC::DFG::DesiredTransitions::reallyAdd):
        * dfg/DFGDesiredTransitions.h: Added.
        * dfg/DFGDesiredWeakReferences.cpp: Added.
        (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
        (JSC::DFG::DesiredWeakReferences::~DesiredWeakReferences):
        (JSC::DFG::DesiredWeakReferences::addLazily):
        (JSC::DFG::DesiredWeakReferences::reallyAdd):
        * dfg/DFGDesiredWeakReferences.h: Added.
        * dfg/DFGDesiredWriteBarriers.cpp: Added.
        (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
        (JSC::DFG::DesiredWriteBarrier::trigger):
        (JSC::DFG::DesiredWriteBarriers::DesiredWriteBarriers):
        (JSC::DFG::DesiredWriteBarriers::~DesiredWriteBarriers):
        (JSC::DFG::DesiredWriteBarriers::addImpl):
        (JSC::DFG::DesiredWriteBarriers::trigger):
        * dfg/DFGDesiredWriteBarriers.h: Added.
        (JSC::DFG::DesiredWriteBarriers::add):
        (JSC::DFG::initializeLazyWriteBarrier):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::truncateConstantToInt32):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::convertToConstant):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addWeakReference):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::reallyAdd):
        * dfg/DFGPlan.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase::set):
        (JSC::WriteBarrier::WriteBarrier):

2013-08-15  Benjamin Poulain  <benjamin@webkit.org>

        Fix x86 32bits build after r154158

        * assembler/X86Assembler.h: Add missing #ifdef for the x86_64 instructions.

2013-08-15  Ryosuke Niwa  <rniwa@webkit.org>

        Build fix attempt after r154156.

        * jit/JITStubs.cpp:
        (JSC::cti_vm_handle_exception): encode!

2013-08-15  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] x86: Use inc and dec when possible
        https://bugs.webkit.org/show_bug.cgi?id=119831

        Reviewed by Geoffrey Garen.

        When incrementing or decrementing by an immediate of 1, use the instructions
        inc and dec instead of add and sub.
        The instructions have good timing and their encoding is smaller.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86_64::add32):
        (JSC::MacroAssemblerX86_64::sub32):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::add64):
        (JSC::MacroAssemblerX86_64::sub64):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::dec_r):
        (JSC::X86Assembler::decq_r):
        (JSC::X86Assembler::inc_r):
        (JSC::X86Assembler::incq_r):

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
        https://bugs.webkit.org/show_bug.cgi?id=119874

        Reviewed by Oliver Hunt and Mark Hahnenberg.

        It was a confusion between heuristics in DFG::ArrayMode that are assuming that
        you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
        sometimes for typed array length accesses, and the FixupPhase assuming that a
        ForceExit ArrayMode means that it should continue using a generic GetById.

        This fixes the confusion.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2013-08-15  Mark Lam  <mark.lam@apple.com>

        Fix crash when performing activation tearoff.
        https://bugs.webkit.org/show_bug.cgi?id=119848

        Reviewed by Oliver Hunt.

        The activation tearoff crash was due to a bug in the baseline JIT.
        If we have a scenario where a baseline JIT frame calls an LLINT
        frame, an exception may be thrown while in the LLINT.

        Interpreter::throwException() which handles the exception will unwind
        all frames until it finds a catcher or sees a host frame. When we
        return from the LLINT to the baseline JIT code, the baseline JIT code
        erroneously sets topCallFrame to the value in its call frame register,
        and starts unwinding the stack frames that have already been unwound.

        The fix is:
        1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
           This is a more accurate description of what this runtime function
           is supposed to do, i.e. it handles the exception, which includes doing
           nothing (if there are no more frames to unwind).
        2. Fix up topCallFrame values so that the HostCallFrameFlag is never
           set on it.
        3. Reload the call frame register from topCallFrame when we're
           returning from a callee and detect exception handling in progress.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::unwindCallFrame):
        - Ensure that topCallFrame is not set with the HostCallFrameFlag.
        (JSC::Interpreter::getStackTrace):
        * interpreter/Interpreter.h:
        (JSC::TopCallFrameSetter::TopCallFrameSetter):
        (JSC::TopCallFrameSetter::~TopCallFrameSetter):
        (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
        - Ensure that topCallFrame is not set with the HostCallFrameFlag.
        * jit/JIT.h:
        * jit/JITExceptions.cpp:
        (JSC::uncaughtExceptionHandler):
        - Convenience function to get the handler for uncaught exceptions.
        * jit/JITExceptions.h:
        * jit/JITInlines.h:
        (JSC::JIT::reloadCallFrameFromTopCallFrame):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
        * jit/JITStubs.cpp:
        (JSC::throwExceptionFromOpCall):
        - Ensure that topCallFrame is not set with the HostCallFrameFlag.
        (JSC::cti_vm_handle_exception):
        - Check for the case when there are no more frames to unwind.
        * jit/JITStubs.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsMIPS.h:
        * jit/JITStubsSH4.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:
        - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call):
        - Reload cfr from topCallFrame when handling an exception.
        - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        - Reload cfr from topCallFrame when handling an exception.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        - Ensure that topCallFrame is not set with the HostCallFrameFlag.

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Remove some code duplication.

        Rubber stamped by Mark Hahnenberg.

        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):

2013-08-15  Julien Brianceau  <jbrianceau@nds.com>

        [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
        https://bugs.webkit.org/show_bug.cgi?id=119794

        Reviewed by Filip Pizlo.

        This patch fixes ASSERT failures in debug builds for sh4 and mips architecture.

        * dfg/DFGUseKind.h:
        (JSC::DFG::isNumerical):
        (JSC::DFG::isDouble):

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.

        Rubber stamped by Oliver Hunt.

        This was causing some test crashes for me.

        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):

2013-08-15  Brent Fulgham  <bfulgham@apple.com>

        [Windows] Clear up improper export declaration.

        * runtime/ArrayBufferView.h:

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, remove some unnecessary periods from exceptions.

        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix 32-bit build.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-08-14  Filip Pizlo  <fpizlo@apple.com>

        Typed arrays should be rewritten
        https://bugs.webkit.org/show_bug.cgi?id=119064

        Reviewed by Oliver Hunt.

        Typed arrays were previously deficient in several major ways:

        - They were defined separately in WebCore and in the jsc shell. The two
          implementations were different, and the jsc shell one was basically wrong.
          The WebCore one was quite awful, also.

        - Typed arrays were not visible to the JIT except through some weird hooks.
          For example, the JIT could not ask "what is the Structure that this typed
          array would have if I just allocated it from this global object". Also,
          it was difficult to wire any of the typed array intrinsics, because most
          of the functionality wasn't visible anywhere in JSC.

        - Typed array allocation was brain-dead. Allocating a typed array involved
          two JS objects, two GC weak handles, and three malloc allocations.

        - Neutering. It involved keeping tabs on all native views but not the view
          wrappers, even though the native views can autoneuter just by asking the
          buffer if it was neutered anytime you touch them; while the JS view
          wrappers are the ones that you really want to reach out to.

        - Common case-ing. Most typed arrays have one buffer and one view, and
          usually nobody touches the buffer. Yet we created all of that stuff
          anyway, using data structures optimized for the case where you had a lot
          of views.

        - Semantic goofs. Typed arrays should, in the future, behave like ES
          features rather than DOM features, for example when it comes to exceptions.
          Firefox already does this and I agree with them.

        This patch cleanses our codebase of these sins:

        - Typed arrays are almost entirely defined in JSC. Only the lifecycle
          management of native references to buffers is left to WebCore.

        - Allocating a typed array requires either two GC allocations (a cell and a
          copied storage vector) or one GC allocation, a malloc allocation, and a
          weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
          latter). The latter is only used for oversize arrays. Remember that before
          it was 7 allocations no matter what.

        - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
          mode/length, void* vector. Before it was a lot more than that - remember,
          there were five additional objects that did absolutely nothing for anybody.

        - Native views aren't tracked by the buffer, or by the wrappers. They are
          transient. In the future we'll probably switch to not even having them be
          malloc'd.

        - Native array buffers have an efficient way of tracking all of their JS view
          wrappers, both for neutering, and for lifecycle management. The GC
          special-cases native array buffers. This saves a bunch of grief; for example
          it means that a JS view wrapper can refer to its buffer via the butterfly,
          which would be dead by the time we went to finalize.

        - Typed array semantics now match Firefox, which also happens to be where the
          standards are going. The discussion on webkit-dev seemed to confirm that
          Chrome is also heading in this direction. This includes making
          Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
          ArrayBufferView as a JS-visible construct.

        This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
        It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
        further typed array optimizations in the JSC JITs, including inlining typed
        array allocation, inlining more of the accessors, reducing the cost of type
        checks, etc.

        An additional property of this patch is that typed arrays are mostly
        implemented using templates. This deduplicates a bunch of code, but does mean
        that we need some hacks for exporting s_info's of template classes. See
        JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
        low-impact compared to code duplication.

        Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.

        * CMakeLists.txt:
        * DerivedSources.make:
        * GNUmakefile.list.am:
        * JSCTypedArrayStubs.h: Removed.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/ByValInfo.h:
        (JSC::hasOptimizableIndexingForClassInfo):
        (JSC::jitArrayModeForClassInfo):
        (JSC::typedArrayTypeForJITArrayMode):
        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromClassInfo):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::toTypedArrayType):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::typedArrayType):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * heap/CopyToken.h:
        * heap/DeferGC.h:
        (JSC::DeferGCForAWhile::DeferGCForAWhile):
        (JSC::DeferGCForAWhile::~DeferGCForAWhile):
        * heap/GCIncomingRefCounted.h: Added.
        (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
        (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
        (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
        (JSC::GCIncomingRefCounted::incomingReferenceAt):
1435         (JSC::GCIncomingRefCounted::singletonFlag):
1436         (JSC::GCIncomingRefCounted::hasVectorOfCells):
1437         (JSC::GCIncomingRefCounted::hasAnyIncoming):
1438         (JSC::GCIncomingRefCounted::hasSingleton):
1439         (JSC::GCIncomingRefCounted::singleton):
1440         (JSC::GCIncomingRefCounted::vectorOfCells):
1441         * heap/GCIncomingRefCountedInlines.h: Added.
1442         (JSC::::addIncomingReference):
1443         (JSC::::filterIncomingReferences):
1444         * heap/GCIncomingRefCountedSet.h: Added.
1445         (JSC::GCIncomingRefCountedSet::size):
1446         * heap/GCIncomingRefCountedSetInlines.h: Added.
1447         (JSC::::GCIncomingRefCountedSet):
1448         (JSC::::~GCIncomingRefCountedSet):
1449         (JSC::::addReference):
1450         (JSC::::sweep):
1451         (JSC::::removeAll):
1452         (JSC::::removeDead):
1453         * heap/Heap.cpp:
1454         (JSC::Heap::addReference):
1455         (JSC::Heap::extraSize):
1456         (JSC::Heap::size):
1457         (JSC::Heap::capacity):
1458         (JSC::Heap::collect):
1459         (JSC::Heap::decrementDeferralDepth):
1460         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
1461         * heap/Heap.h:
1462         * interpreter/CallFrame.h:
1463         (JSC::ExecState::dataViewTable):
1464         * jit/JIT.h:
1465         * jit/JITPropertyAccess.cpp:
1466         (JSC::JIT::privateCompileGetByVal):
1467         (JSC::JIT::privateCompilePutByVal):
1468         (JSC::JIT::emitIntTypedArrayGetByVal):
1469         (JSC::JIT::emitFloatTypedArrayGetByVal):
1470         (JSC::JIT::emitIntTypedArrayPutByVal):
1471         (JSC::JIT::emitFloatTypedArrayPutByVal):
1472         * jsc.cpp:
1473         (GlobalObject::finishCreation):
1474         * runtime/ArrayBuffer.cpp:
1475         (JSC::ArrayBuffer::transfer):
1476         * runtime/ArrayBuffer.h:
1477         (JSC::ArrayBuffer::createAdopted):
1478         (JSC::ArrayBuffer::ArrayBuffer):
1479         (JSC::ArrayBuffer::gcSizeEstimateInBytes):
1480         (JSC::ArrayBuffer::pin):
1481         (JSC::ArrayBuffer::unpin):
1482         (JSC::ArrayBufferContents::tryAllocate):
1483         * runtime/ArrayBufferView.cpp:
1484         (JSC::ArrayBufferView::ArrayBufferView):
1485         (JSC::ArrayBufferView::~ArrayBufferView):
1486         (JSC::ArrayBufferView::setNeuterable):
1487         * runtime/ArrayBufferView.h:
1488         (JSC::ArrayBufferView::isNeutered):
1489         (JSC::ArrayBufferView::buffer):
1490         (JSC::ArrayBufferView::baseAddress):
1491         (JSC::ArrayBufferView::byteOffset):
1492         (JSC::ArrayBufferView::verifySubRange):
1493         (JSC::ArrayBufferView::clampOffsetAndNumElements):
1494         (JSC::ArrayBufferView::calculateOffsetAndLength):
1495         * runtime/ClassInfo.h:
1496         * runtime/CommonIdentifiers.h:
1497         * runtime/DataView.cpp: Added.
1498         (JSC::DataView::DataView):
        (JSC::DataView::create):
        (JSC::DataView::wrap):
        * runtime/DataView.h: Added.
        (JSC::DataView::byteLength):
        (JSC::DataView::getType):
        (JSC::DataView::get):
        (JSC::DataView::set):
        * runtime/Float32Array.h:
        * runtime/Float64Array.h:
        * runtime/GenericTypedArrayView.h: Added.
        (JSC::GenericTypedArrayView::data):
        (JSC::GenericTypedArrayView::set):
        (JSC::GenericTypedArrayView::setRange):
        (JSC::GenericTypedArrayView::zeroRange):
        (JSC::GenericTypedArrayView::zeroFill):
        (JSC::GenericTypedArrayView::length):
        (JSC::GenericTypedArrayView::byteLength):
        (JSC::GenericTypedArrayView::item):
        (JSC::GenericTypedArrayView::checkInboundData):
        (JSC::GenericTypedArrayView::getType):
        * runtime/GenericTypedArrayViewInlines.h: Added.
        (JSC::::GenericTypedArrayView):
        (JSC::::create):
        (JSC::::createUninitialized):
        (JSC::::subarray):
        (JSC::::wrap):
        * runtime/IndexingHeader.h:
        (JSC::IndexingHeader::arrayBuffer):
        (JSC::IndexingHeader::setArrayBuffer):
        * runtime/Int16Array.h:
        * runtime/Int32Array.h:
        * runtime/Int8Array.h:
        * runtime/JSArrayBuffer.cpp: Added.
        (JSC::JSArrayBuffer::JSArrayBuffer):
        (JSC::JSArrayBuffer::finishCreation):
        (JSC::JSArrayBuffer::create):
        (JSC::JSArrayBuffer::createStructure):
        (JSC::JSArrayBuffer::getOwnPropertySlot):
        (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
        (JSC::JSArrayBuffer::put):
        (JSC::JSArrayBuffer::defineOwnProperty):
        (JSC::JSArrayBuffer::deleteProperty):
        (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
        * runtime/JSArrayBuffer.h: Added.
        (JSC::JSArrayBuffer::impl):
        (JSC::toArrayBuffer):
        * runtime/JSArrayBufferConstructor.cpp: Added.
        (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
        (JSC::JSArrayBufferConstructor::finishCreation):
        (JSC::JSArrayBufferConstructor::create):
        (JSC::JSArrayBufferConstructor::createStructure):
        (JSC::constructArrayBuffer):
        (JSC::JSArrayBufferConstructor::getConstructData):
        (JSC::JSArrayBufferConstructor::getCallData):
        * runtime/JSArrayBufferConstructor.h: Added.
        * runtime/JSArrayBufferPrototype.cpp: Added.
        (JSC::arrayBufferProtoFuncSlice):
        (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
        (JSC::JSArrayBufferPrototype::finishCreation):
        (JSC::JSArrayBufferPrototype::create):
        (JSC::JSArrayBufferPrototype::createStructure):
        * runtime/JSArrayBufferPrototype.h: Added.
        * runtime/JSArrayBufferView.cpp: Added.
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        (JSC::JSArrayBufferView::JSArrayBufferView):
        (JSC::JSArrayBufferView::finishCreation):
        (JSC::JSArrayBufferView::getOwnPropertySlot):
        (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
        (JSC::JSArrayBufferView::put):
        (JSC::JSArrayBufferView::defineOwnProperty):
        (JSC::JSArrayBufferView::deleteProperty):
        (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
        (JSC::JSArrayBufferView::finalize):
        * runtime/JSArrayBufferView.h: Added.
        (JSC::JSArrayBufferView::sizeOf):
        (JSC::JSArrayBufferView::ConstructionContext::operator!):
        (JSC::JSArrayBufferView::ConstructionContext::structure):
        (JSC::JSArrayBufferView::ConstructionContext::vector):
        (JSC::JSArrayBufferView::ConstructionContext::length):
        (JSC::JSArrayBufferView::ConstructionContext::mode):
        (JSC::JSArrayBufferView::ConstructionContext::butterfly):
        (JSC::JSArrayBufferView::mode):
        (JSC::JSArrayBufferView::vector):
        (JSC::JSArrayBufferView::length):
        (JSC::JSArrayBufferView::offsetOfVector):
        (JSC::JSArrayBufferView::offsetOfLength):
        (JSC::JSArrayBufferView::offsetOfMode):
        * runtime/JSArrayBufferViewInlines.h: Added.
        (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
        (JSC::JSArrayBufferView::buffer):
        (JSC::JSArrayBufferView::impl):
        (JSC::JSArrayBufferView::neuter):
        (JSC::JSArrayBufferView::byteOffset):
        * runtime/JSCell.cpp:
        (JSC::JSCell::slowDownAndWasteMemory):
        (JSC::JSCell::getTypedArrayImpl):
        * runtime/JSCell.h:
        * runtime/JSDataView.cpp: Added.
        (JSC::JSDataView::JSDataView):
        (JSC::JSDataView::create):
        (JSC::JSDataView::createUninitialized):
        (JSC::JSDataView::set):
        (JSC::JSDataView::typedImpl):
        (JSC::JSDataView::getOwnPropertySlot):
        (JSC::JSDataView::getOwnPropertyDescriptor):
        (JSC::JSDataView::slowDownAndWasteMemory):
        (JSC::JSDataView::getTypedArrayImpl):
        (JSC::JSDataView::createStructure):
        * runtime/JSDataView.h: Added.
        * runtime/JSDataViewPrototype.cpp: Added.
        (JSC::JSDataViewPrototype::JSDataViewPrototype):
        (JSC::JSDataViewPrototype::create):
        (JSC::JSDataViewPrototype::createStructure):
        (JSC::JSDataViewPrototype::getOwnPropertySlot):
        (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
        (JSC::getData):
        (JSC::setData):
        (JSC::dataViewProtoFuncGetInt8):
        (JSC::dataViewProtoFuncGetInt16):
        (JSC::dataViewProtoFuncGetInt32):
        (JSC::dataViewProtoFuncGetUint8):
        (JSC::dataViewProtoFuncGetUint16):
        (JSC::dataViewProtoFuncGetUint32):
        (JSC::dataViewProtoFuncGetFloat32):
        (JSC::dataViewProtoFuncGetFloat64):
        (JSC::dataViewProtoFuncSetInt8):
        (JSC::dataViewProtoFuncSetInt16):
        (JSC::dataViewProtoFuncSetInt32):
        (JSC::dataViewProtoFuncSetUint8):
        (JSC::dataViewProtoFuncSetUint16):
        (JSC::dataViewProtoFuncSetUint32):
        (JSC::dataViewProtoFuncSetFloat32):
        (JSC::dataViewProtoFuncSetFloat64):
        * runtime/JSDataViewPrototype.h: Added.
        * runtime/JSFloat32Array.h: Added.
        * runtime/JSFloat64Array.h: Added.
        * runtime/JSGenericTypedArrayView.h: Added.
        (JSC::JSGenericTypedArrayView::byteLength):
        (JSC::JSGenericTypedArrayView::byteSize):
        (JSC::JSGenericTypedArrayView::typedVector):
        (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
        (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
        (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
        (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
        (JSC::JSGenericTypedArrayView::getIndexQuickly):
        (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
        (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
        (JSC::JSGenericTypedArrayView::setIndexQuickly):
        (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
        (JSC::JSGenericTypedArrayView::typedImpl):
        (JSC::JSGenericTypedArrayView::createStructure):
        (JSC::JSGenericTypedArrayView::info):
        (JSC::toNativeTypedView):
        * runtime/JSGenericTypedArrayViewConstructor.h: Added.
        * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
        (JSC::::JSGenericTypedArrayViewConstructor):
        (JSC::::finishCreation):
        (JSC::::create):
        (JSC::::createStructure):
        (JSC::constructGenericTypedArrayView):
        (JSC::::getConstructData):
        (JSC::::getCallData):
        * runtime/JSGenericTypedArrayViewInlines.h: Added.
        (JSC::::JSGenericTypedArrayView):
        (JSC::::create):
        (JSC::::createUninitialized):
        (JSC::::validateRange):
        (JSC::::setWithSpecificType):
        (JSC::::set):
        (JSC::::getOwnPropertySlot):
        (JSC::::getOwnPropertyDescriptor):
        (JSC::::put):
        (JSC::::defineOwnProperty):
        (JSC::::deleteProperty):
        (JSC::::getOwnPropertySlotByIndex):
        (JSC::::putByIndex):
        (JSC::::deletePropertyByIndex):
        (JSC::::getOwnNonIndexPropertyNames):
        (JSC::::getOwnPropertyNames):
        (JSC::::visitChildren):
        (JSC::::copyBackingStore):
        (JSC::::slowDownAndWasteMemory):
        (JSC::::getTypedArrayImpl):
        * runtime/JSGenericTypedArrayViewPrototype.h: Added.
        * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
        (JSC::genericTypedArrayViewProtoFuncSet):
        (JSC::genericTypedArrayViewProtoFuncSubarray):
        (JSC::::JSGenericTypedArrayViewPrototype):
        (JSC::::finishCreation):
        (JSC::::create):
        (JSC::::createStructure):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::arrayBufferPrototype):
        (JSC::JSGlobalObject::arrayBufferStructure):
        (JSC::JSGlobalObject::typedArrayStructure):
        * runtime/JSInt16Array.h: Added.
        * runtime/JSInt32Array.h: Added.
        * runtime/JSInt8Array.h: Added.
        * runtime/JSTypedArrayConstructors.cpp: Added.
        * runtime/JSTypedArrayConstructors.h: Added.
        * runtime/JSTypedArrayPrototypes.cpp: Added.
        * runtime/JSTypedArrayPrototypes.h: Added.
        * runtime/JSTypedArrays.cpp: Added.
        * runtime/JSTypedArrays.h: Added.
        * runtime/JSUint16Array.h: Added.
        * runtime/JSUint32Array.h: Added.
        * runtime/JSUint8Array.h: Added.
        * runtime/JSUint8ClampedArray.h: Added.
        * runtime/Operations.h:
        * runtime/Options.h:
        * runtime/SimpleTypedArrayController.cpp: Added.
        (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
        (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
        (JSC::SimpleTypedArrayController::toJS):
        * runtime/SimpleTypedArrayController.h: Added.
        * runtime/Structure.h:
        (JSC::Structure::couldHaveIndexingHeader):
        * runtime/StructureInlines.h:
        (JSC::Structure::hasIndexingHeader):
        * runtime/TypedArrayAdaptors.h: Added.
        (JSC::IntegralTypedArrayAdaptor::toNative):
        (JSC::IntegralTypedArrayAdaptor::toJSValue):
        (JSC::IntegralTypedArrayAdaptor::toDouble):
        (JSC::FloatTypedArrayAdaptor::toNative):
        (JSC::FloatTypedArrayAdaptor::toJSValue):
        (JSC::FloatTypedArrayAdaptor::toDouble):
        (JSC::Uint8ClampedAdaptor::toNative):
        (JSC::Uint8ClampedAdaptor::toJSValue):
        (JSC::Uint8ClampedAdaptor::toDouble):
        (JSC::Uint8ClampedAdaptor::clamp):
        * runtime/TypedArrayController.cpp: Added.
        (JSC::TypedArrayController::TypedArrayController):
        (JSC::TypedArrayController::~TypedArrayController):
        * runtime/TypedArrayController.h: Added.
        * runtime/TypedArrayDescriptor.h: Removed.
        * runtime/TypedArrayInlines.h: Added.
        * runtime/TypedArrayType.cpp: Added.
        (JSC::classInfoForType):
        (WTF::printInternal):
        * runtime/TypedArrayType.h: Added.
        (JSC::toIndex):
        (JSC::isTypedView):
        (JSC::elementSize):
        (JSC::isInt):
        (JSC::isFloat):
        (JSC::isSigned):
        (JSC::isClamped):
        * runtime/TypedArrays.h: Added.
        * runtime/Uint16Array.h:
        * runtime/Uint32Array.h:
        * runtime/Uint8Array.h:
        * runtime/Uint8ClampedArray.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:

2013-08-15  Oliver Hunt  <oliver@apple.com>

        <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure

        Reviewed by Filip Pizlo.

        Make sure dfgCapabilities doesn't report a Dynamic put as
        being compilable when we don't actually support it.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):

2013-08-15  Brent Fulgham  <bfulgham@apple.com>

        [Windows] Incorrect DLL Linkage for JSC ArrayBuffer and ArrayBufferView
        https://bugs.webkit.org/show_bug.cgi?id=119847

        Reviewed by Oliver Hunt.

        * runtime/ArrayBuffer.h: Switch from WTF_EXPORT_PRIVATE to JS_EXPORT_PRIVATE
        * runtime/ArrayBufferView.h: Ditto.

2013-08-15  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=119843
        PropertySlot::setValue is ambiguous

        Reviewed by Geoff Garen.

        There are three different versions of PropertySlot::setValue, one for cacheable properties, and two that are used interchangeably and inconsistently.
        The problematic variants are the ones that just take a value, and one that takes a value and also the object containing the property.
        Unify on always providing the object, and remove the version that just takes a value.
        This always works except for JSString, where we optimize out the object (logically we should be instantiating a temporary StringObject on every property access).
        Provide a version of setValue that takes a JSString as the owner of the property.
        We won't store this, but it makes it clear that this interface should only be used from JSString.

        * API/JSCallbackObjectFunctions.h:
        (JSC::::getOwnPropertySlot):
        * JSCTypedArrayStubs.h:
        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertySlotByIndex):
        (JSC::Arguments::getOwnPropertySlot):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTableGet):
        (JSC::JSActivation::getOwnPropertySlot):
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnPropertySlot):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertySlotByIndex):
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTableGet):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayEntry::get):
            - Pass object containing property to PropertySlot::setValue
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::setValue):
            - Logically, the base of a string property access is a temporary StringObject, but we optimize that away.
        (JSC::PropertySlot::setUndefined):
            - removed setValue(JSValue), added setValue(JSString*, JSValue)

2013-08-15  Oliver Hunt  <oliver@apple.com>

        Remove bogus assertion.

        RS=Filip Pizlo

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):

2013-08-15  Allan Sandfeld Jensen  <allan.jensen@digia.com>

        REGRESSION(r148790) Made 7 tests fail on x86 32bit
        https://bugs.webkit.org/show_bug.cgi?id=114913

        Reviewed by Filip Pizlo.

        The X87 register was not freed before some calls. Instead
        of inserting resetX87Registers to the last call sites,
        the two X87 registers are now freed in every call.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/instructions.rb:
        * offlineasm/x86.rb:

2013-08-14  Michael Saboff  <msaboff@apple.com>

        Fixed jit on Win64.
        https://bugs.webkit.org/show_bug.cgi?id=119601

        Reviewed by Oliver Hunt.

        * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation.
        * jit/JSInterfaceJIT.h: Added thirdArgumentRegister.
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call): Added correct calling convention for Win64.

2013-08-14  Alex Christensen  <achristensen@apple.com>

        Compile fix for Win64 with jit disabled.
        https://bugs.webkit.org/show_bug.cgi?id=119804

        Reviewed by Michael Saboff.

        * offlineasm/cloop.rb: Added std:: before isnan.

2013-08-14  Julien Brianceau  <jbrianceau@nds.com>

        DFG_JIT implementation for sh4 architecture.
        https://bugs.webkit.org/show_bug.cgi?id=119737

        Reviewed by Oliver Hunt.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::invert):
        (JSC::MacroAssemblerSH4::add32):
        (JSC::MacroAssemblerSH4::and32):
        (JSC::MacroAssemblerSH4::lshift32):
        (JSC::MacroAssemblerSH4::mul32):
        (JSC::MacroAssemblerSH4::or32):
        (JSC::MacroAssemblerSH4::rshift32):
        (JSC::MacroAssemblerSH4::sub32):
        (JSC::MacroAssemblerSH4::xor32):
        (JSC::MacroAssemblerSH4::store32):
        (JSC::MacroAssemblerSH4::swapDouble):
        (JSC::MacroAssemblerSH4::storeDouble):
        (JSC::MacroAssemblerSH4::subDouble):
        (JSC::MacroAssemblerSH4::mulDouble):
        (JSC::MacroAssemblerSH4::divDouble):
        (JSC::MacroAssemblerSH4::negateDouble):
        (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
        (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
        (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
        (JSC::MacroAssemblerSH4::swap):
        (JSC::MacroAssemblerSH4::jump):
        (JSC::MacroAssemblerSH4::branchNeg32):
        (JSC::MacroAssemblerSH4::branchAdd32):
        (JSC::MacroAssemblerSH4::branchMul32):
        (JSC::MacroAssemblerSH4::urshift32):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::SH4Assembler):
        (JSC::SH4Assembler::labelForWatchpoint):
        (JSC::SH4Assembler::label):
        (JSC::SH4Assembler::debugOffset):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
        (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
        (JSC::DFG::AssemblyHelpers::debugCall):
        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArguments):
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        * dfg/DFGFPRInfo.h:
        (JSC::DFG::FPRInfo::toRegister):
        (JSC::DFG::FPRInfo::toIndex):
        (JSC::DFG::FPRInfo::debugName):
        * dfg/DFGGPRInfo.h:
        (JSC::DFG::GPRInfo::toRegister):
        (JSC::DFG::GPRInfo::toIndex):
        (JSC::DFG::GPRInfo::debugName):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * jit/JITStubs.h:
        * jit/JITStubsSH4.h:

2013-08-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix build.

        * API/JSValue.mm:
        (isDate):
        (isArray):
        * API/JSWrapperMap.mm:
        (tryUnwrapObjcObject):
        * API/ObjCCallbackFunction.mm:
        (tryUnwrapBlock):

2013-08-13  Filip Pizlo  <fpizlo@apple.com>

        Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
        https://bugs.webkit.org/show_bug.cgi?id=119770

        Reviewed by Mark Hahnenberg.

        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::finishCreation):
        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::createStructure):
        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::finishCreation):
        * API/JSCallbackFunction.h:
        (JSC::JSCallbackFunction::createStructure):
        * API/JSCallbackObject.cpp:
        (JSC::::createStructure):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::visitChildren):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::asCallbackObject):
        (JSC::::finishCreation):
        * API/JSObjectRef.cpp:
        (JSObjectGetPrivate):
        (JSObjectSetPrivate):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        * API/JSValueRef.cpp:
        (JSValueIsObjectOfClass):
        * API/JSWeakObjectMapRefPrivate.cpp:
        * API/ObjCCallbackFunction.h:
        (JSC::ObjCCallbackFunction::createStructure):
        * JSCTypedArrayStubs.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC::CallLinkStatus::function):
        (JSC::CallLinkStatus::internalFunction):
        * bytecode/CodeBlock.h:
        (JSC::baselineCodeBlockForInlineCallFrame):
        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromClassInfo):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::visitChildren):
        (JSC::UnlinkedCodeBlock::visitChildren):
        (JSC::UnlinkedProgramCodeBlock::visitChildren):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::createStructure):
        (JSC::UnlinkedProgramCodeBlock::createStructure):
        (JSC::UnlinkedEvalCodeBlock::createStructure):
        (JSC::UnlinkedFunctionCodeBlock::createStructure):
        * debugger/Debugger.cpp:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::visitChildren):
        * debugger/DebuggerActivation.h:
        (JSC::DebuggerActivation::createStructure):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::functionName):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
        (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::isInternalFunctionConstant):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::compileNewStringObject):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::virtualForThunkGenerator):
        * interpreter/Interpreter.cpp:
        (JSC::loadVarargs):
        * jsc.cpp:
        (GlobalObject::createStructure):
        * profiler/LegacyProfiler.cpp:
        (JSC::LegacyProfiler::createCallIdentifier):
        * runtime/Arguments.cpp:
        (JSC::Arguments::visitChildren):
        * runtime/Arguments.h:
        (JSC::Arguments::createStructure):
        (JSC::asArguments):
        (JSC::Arguments::finishCreation):
        * runtime/ArrayConstructor.cpp:
        (JSC::arrayConstructorIsArray):
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::createStructure):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        (JSC::arrayProtoFuncConcat):
        (JSC::attemptFastSort):
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::createStructure):
        * runtime/BooleanConstructor.h:
        (JSC::BooleanConstructor::createStructure):
        * runtime/BooleanObject.cpp:
        (JSC::BooleanObject::finishCreation):
        * runtime/BooleanObject.h:
        (JSC::BooleanObject::createStructure):
        (JSC::asBooleanObject):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::finishCreation):
        (JSC::booleanProtoFuncToString):
        (JSC::booleanProtoFuncValueOf):
        * runtime/BooleanPrototype.h:
        (JSC::BooleanPrototype::createStructure):
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::createStructure):
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::finishCreation):
        * runtime/DateInstance.h:
        (JSC::DateInstance::createStructure):
        (JSC::asDateInstance):
        * runtime/DatePrototype.cpp:
        (JSC::formateDateInstance):
        (JSC::DatePrototype::finishCreation):
        (JSC::dateProtoFuncToISOString):
        (JSC::dateProtoFuncToLocaleString):
        (JSC::dateProtoFuncToLocaleDateString):
        (JSC::dateProtoFuncToLocaleTimeString):
        (JSC::dateProtoFuncGetTime):
        (JSC::dateProtoFuncGetFullYear):
        (JSC::dateProtoFuncGetUTCFullYear):
        (JSC::dateProtoFuncGetMonth):
        (JSC::dateProtoFuncGetUTCMonth):
        (JSC::dateProtoFuncGetDate):
        (JSC::dateProtoFuncGetUTCDate):
        (JSC::dateProtoFuncGetDay):
        (JSC::dateProtoFuncGetUTCDay):
        (JSC::dateProtoFuncGetHours):
        (JSC::dateProtoFuncGetUTCHours):
        (JSC::dateProtoFuncGetMinutes):
        (JSC::dateProtoFuncGetUTCMinutes):
        (JSC::dateProtoFuncGetSeconds):
        (JSC::dateProtoFuncGetUTCSeconds):
        (JSC::dateProtoFuncGetMilliSeconds):
        (JSC::dateProtoFuncGetUTCMilliseconds):
        (JSC::dateProtoFuncGetTimezoneOffset):
        (JSC::dateProtoFuncSetTime):
        (JSC::setNewValueFromTimeArgs):
        (JSC::setNewValueFromDateArgs):
        (JSC::dateProtoFuncSetYear):
        (JSC::dateProtoFuncGetYear):
        * runtime/DatePrototype.h:
        (JSC::DatePrototype::createStructure):
        * runtime/Error.h:
        (JSC::StrictModeTypeErrorFunction::createStructure):
        * runtime/ErrorConstructor.h:
        (JSC::ErrorConstructor::createStructure):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::finishCreation):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::createStructure):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::finishCreation):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::createStructure):
        * runtime/ExceptionHelpers.cpp:
        (JSC::isTerminatedExecutionException):
        * runtime/ExceptionHelpers.h:
        (JSC::TerminatedExecutionError::createStructure):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::visitChildren):
        (JSC::ProgramExecutable::visitChildren):
        (JSC::FunctionExecutable::visitChildren):
        (JSC::ExecutableBase::hashFor):
        * runtime/Executable.h:
        (JSC::ExecutableBase::createStructure):
        (JSC::NativeExecutable::createStructure):
        (JSC::EvalExecutable::createStructure):
        (JSC::ProgramExecutable::createStructure):
2118         (JSC::FunctionExecutable::compileFor):
2119         (JSC::FunctionExecutable::compileOptimizedFor):
2120         (JSC::FunctionExecutable::createStructure):
2121         * runtime/FunctionConstructor.h:
2122         (JSC::FunctionConstructor::createStructure):
2123         * runtime/FunctionPrototype.cpp:
2124         (JSC::functionProtoFuncToString):
2125         (JSC::functionProtoFuncApply):
2126         (JSC::functionProtoFuncBind):
2127         * runtime/FunctionPrototype.h:
2128         (JSC::FunctionPrototype::createStructure):
2129         * runtime/GetterSetter.cpp:
2130         (JSC::GetterSetter::visitChildren):
2131         * runtime/GetterSetter.h:
2132         (JSC::GetterSetter::createStructure):
2133         * runtime/InternalFunction.cpp:
2134         (JSC::InternalFunction::finishCreation):
2135         * runtime/InternalFunction.h:
2136         (JSC::InternalFunction::createStructure):
2137         (JSC::asInternalFunction):
2138         * runtime/JSAPIValueWrapper.h:
2139         (JSC::JSAPIValueWrapper::createStructure):
2140         * runtime/JSActivation.cpp:
2141         (JSC::JSActivation::visitChildren):
2142         (JSC::JSActivation::argumentsGetter):
2143         * runtime/JSActivation.h:
2144         (JSC::JSActivation::createStructure):
2145         (JSC::asActivation):
2146         * runtime/JSArray.h:
2147         (JSC::JSArray::createStructure):
2148         (JSC::asArray):
2149         (JSC::isJSArray):
2150         * runtime/JSBoundFunction.cpp:
2151         (JSC::JSBoundFunction::finishCreation):
2152         (JSC::JSBoundFunction::visitChildren):
2153         * runtime/JSBoundFunction.h:
2154         (JSC::JSBoundFunction::createStructure):
2155         * runtime/JSCJSValue.cpp:
2156         (JSC::JSValue::dumpInContext):
2157         * runtime/JSCJSValueInlines.h:
2158         (JSC::JSValue::isFunction):
2159         * runtime/JSCell.h:
2160         (JSC::jsCast):
2161         (JSC::jsDynamicCast):
2162         * runtime/JSCellInlines.h:
2163         (JSC::allocateCell):
2164         * runtime/JSFunction.cpp:
2165         (JSC::JSFunction::finishCreation):
2166         (JSC::JSFunction::visitChildren):
2167         (JSC::skipOverBoundFunctions):
2168         (JSC::JSFunction::callerGetter):
2169         * runtime/JSFunction.h:
2170         (JSC::JSFunction::createStructure):
2171         * runtime/JSGlobalObject.cpp:
2172         (JSC::JSGlobalObject::visitChildren):
2173         (JSC::slowValidateCell):
2174         * runtime/JSGlobalObject.h:
2175         (JSC::JSGlobalObject::createStructure):
2176         * runtime/JSNameScope.cpp:
2177         (JSC::JSNameScope::visitChildren):
2178         * runtime/JSNameScope.h:
2179         (JSC::JSNameScope::createStructure):
2180         * runtime/JSNotAnObject.h:
2181         (JSC::JSNotAnObject::createStructure):
2182         * runtime/JSONObject.cpp:
2183         (JSC::JSONObject::finishCreation):
2184         (JSC::unwrapBoxedPrimitive):
2185         (JSC::Stringifier::Stringifier):
2186         (JSC::Stringifier::appendStringifiedValue):
2187         (JSC::Stringifier::Holder::Holder):
2188         (JSC::Walker::walk):
2189         (JSC::JSONProtoFuncStringify):
2190         * runtime/JSONObject.h:
2191         (JSC::JSONObject::createStructure):
2192         * runtime/JSObject.cpp:
2193         (JSC::getCallableObjectSlow):
2194         (JSC::JSObject::visitChildren):
2195         (JSC::JSObject::copyBackingStore):
2196         (JSC::JSFinalObject::visitChildren):
2197         (JSC::JSObject::ensureInt32Slow):
2198         (JSC::JSObject::ensureDoubleSlow):
2199         (JSC::JSObject::ensureContiguousSlow):
2200         (JSC::JSObject::ensureArrayStorageSlow):
2201         * runtime/JSObject.h:
2202         (JSC::JSObject::finishCreation):
2203         (JSC::JSObject::createStructure):
2204         (JSC::JSNonFinalObject::createStructure):
2205         (JSC::JSFinalObject::createStructure):
2206         (JSC::isJSFinalObject):
2207         * runtime/JSPropertyNameIterator.cpp:
2208         (JSC::JSPropertyNameIterator::visitChildren):
2209         * runtime/JSPropertyNameIterator.h:
2210         (JSC::JSPropertyNameIterator::createStructure):
2211         * runtime/JSProxy.cpp:
2212         (JSC::JSProxy::visitChildren):
2213         * runtime/JSProxy.h:
2214         (JSC::JSProxy::createStructure):
2215         * runtime/JSScope.cpp:
2216         (JSC::JSScope::visitChildren):
2217         * runtime/JSSegmentedVariableObject.cpp:
2218         (JSC::JSSegmentedVariableObject::visitChildren):
2219         * runtime/JSString.h:
2220         (JSC::JSString::createStructure):
2221         (JSC::isJSString):
2222         * runtime/JSSymbolTableObject.cpp:
2223         (JSC::JSSymbolTableObject::visitChildren):
2224         * runtime/JSVariableObject.h:
2225         * runtime/JSWithScope.cpp:
2226         (JSC::JSWithScope::visitChildren):
2227         * runtime/JSWithScope.h:
2228         (JSC::JSWithScope::createStructure):
2229         * runtime/JSWrapperObject.cpp:
2230         (JSC::JSWrapperObject::visitChildren):
2231         * runtime/JSWrapperObject.h:
2232         (JSC::JSWrapperObject::createStructure):
2233         * runtime/MathObject.cpp:
2234         (JSC::MathObject::finishCreation):
2235         * runtime/MathObject.h:
2236         (JSC::MathObject::createStructure):
2237         * runtime/NameConstructor.h:
2238         (JSC::NameConstructor::createStructure):
2239         * runtime/NameInstance.h:
2240         (JSC::NameInstance::createStructure):
2241         (JSC::NameInstance::finishCreation):
2242         * runtime/NamePrototype.cpp:
2243         (JSC::NamePrototype::finishCreation):
2244         (JSC::privateNameProtoFuncToString):
2245         * runtime/NamePrototype.h:
2246         (JSC::NamePrototype::createStructure):
2247         * runtime/NativeErrorConstructor.cpp:
2248         (JSC::NativeErrorConstructor::visitChildren):
2249         * runtime/NativeErrorConstructor.h:
2250         (JSC::NativeErrorConstructor::createStructure):
2251         (JSC::NativeErrorConstructor::finishCreation):
2252         * runtime/NumberConstructor.cpp:
2253         (JSC::NumberConstructor::finishCreation):
2254         * runtime/NumberConstructor.h:
2255         (JSC::NumberConstructor::createStructure):
2256         * runtime/NumberObject.cpp:
2257         (JSC::NumberObject::finishCreation):
2258         * runtime/NumberObject.h:
2259         (JSC::NumberObject::createStructure):
2260         * runtime/NumberPrototype.cpp:
2261         (JSC::NumberPrototype::finishCreation):
2262         * runtime/NumberPrototype.h:
2263         (JSC::NumberPrototype::createStructure):
2264         * runtime/ObjectConstructor.h:
2265         (JSC::ObjectConstructor::createStructure):
2266         * runtime/ObjectPrototype.cpp:
2267         (JSC::ObjectPrototype::finishCreation):
2268         * runtime/ObjectPrototype.h:
2269         (JSC::ObjectPrototype::createStructure):
2270         * runtime/PropertyMapHashTable.h:
2271         (JSC::PropertyTable::createStructure):
2272         * runtime/PropertyTable.cpp:
2273         (JSC::PropertyTable::visitChildren):
2274         * runtime/RegExp.h:
2275         (JSC::RegExp::createStructure):
2276         * runtime/RegExpConstructor.cpp:
2277         (JSC::RegExpConstructor::finishCreation):
2278         (JSC::RegExpConstructor::visitChildren):
2279         (JSC::constructRegExp):
2280         * runtime/RegExpConstructor.h:
2281         (JSC::RegExpConstructor::createStructure):
2282         (JSC::asRegExpConstructor):
2283         * runtime/RegExpMatchesArray.cpp:
2284         (JSC::RegExpMatchesArray::visitChildren):
2285         * runtime/RegExpMatchesArray.h:
2286         (JSC::RegExpMatchesArray::createStructure):
2287         * runtime/RegExpObject.cpp:
2288         (JSC::RegExpObject::finishCreation):
2289         (JSC::RegExpObject::visitChildren):
2290         * runtime/RegExpObject.h:
2291         (JSC::RegExpObject::createStructure):
2292         (JSC::asRegExpObject):
2293         * runtime/RegExpPrototype.cpp:
2294         (JSC::regExpProtoFuncTest):
2295         (JSC::regExpProtoFuncExec):
2296         (JSC::regExpProtoFuncCompile):
2297         (JSC::regExpProtoFuncToString):
2298         * runtime/RegExpPrototype.h:
2299         (JSC::RegExpPrototype::createStructure):
2300         * runtime/SparseArrayValueMap.cpp:
2301         (JSC::SparseArrayValueMap::createStructure):
2302         * runtime/SparseArrayValueMap.h:
2303         * runtime/StrictEvalActivation.h:
2304         (JSC::StrictEvalActivation::createStructure):
2305         * runtime/StringConstructor.h:
2306         (JSC::StringConstructor::createStructure):
2307         * runtime/StringObject.cpp:
2308         (JSC::StringObject::finishCreation):
2309         * runtime/StringObject.h:
2310         (JSC::StringObject::createStructure):
2311         (JSC::asStringObject):
2312         * runtime/StringPrototype.cpp:
2313         (JSC::StringPrototype::finishCreation):
2314         (JSC::stringProtoFuncReplace):
2315         (JSC::stringProtoFuncToString):
2316         (JSC::stringProtoFuncMatch):
2317         (JSC::stringProtoFuncSearch):
2318         (JSC::stringProtoFuncSplit):
2319         * runtime/StringPrototype.h:
2320         (JSC::StringPrototype::createStructure):
2321         * runtime/Structure.cpp:
2322         (JSC::Structure::Structure):
2323         (JSC::Structure::materializePropertyMap):
2324         (JSC::Structure::get):
2325         (JSC::Structure::visitChildren):
2326         * runtime/Structure.h:
2327         (JSC::Structure::typeInfo):
2328         (JSC::Structure::previousID):
2329         (JSC::Structure::outOfLineSize):
2330         (JSC::Structure::totalStorageCapacity):
2331         (JSC::Structure::materializePropertyMapIfNecessary):
2332         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
2333         * runtime/StructureChain.cpp:
2334         (JSC::StructureChain::visitChildren):
2335         * runtime/StructureChain.h:
2336         (JSC::StructureChain::createStructure):
2337         * runtime/StructureInlines.h:
2338         (JSC::Structure::get):
2339         * runtime/StructureRareData.cpp:
2340         (JSC::StructureRareData::createStructure):
2341         (JSC::StructureRareData::visitChildren):
2342         * runtime/StructureRareData.h:
2343         * runtime/SymbolTable.h:
2344         (JSC::SharedSymbolTable::createStructure):
2345         * runtime/VM.cpp:
2346         (JSC::VM::VM):
2347         (JSC::StackPreservingRecompiler::operator()):
2348         (JSC::VM::releaseExecutableMemory):
2349         * runtime/WriteBarrier.h:
2350         (JSC::validateCell):
2351         * testRegExp.cpp:
2352         (GlobalObject::createStructure):
2353
2354 2013-08-13  Arunprasad Rajkumar  <arurajku@cisco.com>
2355
2356         [WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places
2357         https://bugs.webkit.org/show_bug.cgi?id=119762
2358
2359         Reviewed by Geoffrey Garen.
2360
2361         * heap/Heap.cpp:
2362         (JSC::Heap::Heap):
2363         (JSC::Heap::markRoots):
2364         (JSC::Heap::collect):
2365         * jsc.cpp:
2366         (StopWatch::start):
2367         (StopWatch::stop):
2368         * testRegExp.cpp:
2369         (StopWatch::start):
2370         (StopWatch::stop):
2371
2372 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
2373
2374         [sh4] Prepare LLINT for DFG_JIT implementation.
2375         https://bugs.webkit.org/show_bug.cgi?id=119755
2376
2377         Reviewed by Oliver Hunt.
2378
2379         * LLIntOffsetsExtractor.pro: Add sh4.rb dependency.
2380         * offlineasm/sh4.rb:
2381             - Handle storeb opcode.
2382             - Make relative jumps when possible using braf opcode.
2383             - Update bmulio implementation to be consistent with baseline JIT.
2384             - Remove useless code from leap opcode.
2385             - Fix incorrect comment.
2386
2387 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
2388
2389         [sh4] Prepare baseline JIT for DFG_JIT implementation.
2390         https://bugs.webkit.org/show_bug.cgi?id=119758
2391
2392         Reviewed by Oliver Hunt.
2393
2394         * assembler/MacroAssemblerSH4.h:
2395             - Introduce a loadEffectiveAddress function to avoid code duplication.
2396             - Add ASSERTs and clean code.
2397         * assembler/SH4Assembler.h:
2398             - Prepare DFG_JIT implementation.
2399             - Add ASSERTs.
2400         * jit/JITStubs.cpp:
2401             - Add SH4 specific call for assertions.
2402         * jit/JITStubs.h:
2403             - Cosmetic change.
2404         * jit/JITStubsSH4.h:
2405             - Use constants to be more flexible with sh4 JIT stack frame.
2406         * jit/JSInterfaceJIT.h:
2407             - Cosmetic change.
2408
2409 2013-08-13  Oliver Hunt  <oliver@apple.com>
2410
2411         Harden executeConstruct against incorrect return types from host functions
2412         https://bugs.webkit.org/show_bug.cgi?id=119757
2413
2414         Reviewed by Mark Hahnenberg.
2415
2416         Add logic to guard against bogus return types.  There doesn't seem to be any
2417         class in webkit that does this wrong, but the typed array stubs in debug JSC
2418         do exhibit this bad behaviour.
2419
2420         * interpreter/Interpreter.cpp:
2421         (JSC::Interpreter::executeConstruct):
2422
2423 2013-08-13  Allan Sandfeld Jensen  <allan.jensen@digia.com>
2424
2425         [Qt] Fix C++11 build with gcc 4.4 and 4.5
2426         https://bugs.webkit.org/show_bug.cgi?id=119736
2427
2428         Reviewed by Anders Carlsson.
2429
2430         Don't force C++11 mode off anymore.
2431
2432         * Target.pri:
2433
2434 2013-08-12  Oliver Hunt  <oliver@apple.com>
2435
2436         Remove CodeBlock's notion of adding identifiers entirely
2437         https://bugs.webkit.org/show_bug.cgi?id=119708
2438
2439         Reviewed by Geoffrey Garen.
2440
2441         Remove addAdditionalIdentifier entirely, including the bogus assertion.
2442         Move the addition of identifiers to DFGPlan::reallyAdd.
2443
2444         * bytecode/CodeBlock.h:
2445         * dfg/DFGDesiredIdentifiers.cpp:
2446         (JSC::DFG::DesiredIdentifiers::reallyAdd):
2447         * dfg/DFGDesiredIdentifiers.h:
2448         * dfg/DFGPlan.cpp:
2449         (JSC::DFG::Plan::reallyAdd):
2450         (JSC::DFG::Plan::finalize):
2451         * dfg/DFGPlan.h:
2452
2453 2013-08-12  Oliver Hunt  <oliver@apple.com>
2454
2455         Build fix
2456
2457         * runtime/JSCell.h:
2458
2459 2013-08-12  Oliver Hunt  <oliver@apple.com>
2460
2461         Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them
2462         https://bugs.webkit.org/show_bug.cgi?id=119705
2463
2464         Reviewed by Geoffrey Garen.
2465
2466         Relatively trivial refactoring.
2467
2468         * bytecode/CodeBlock.h:
2469         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
2470         (JSC::CodeBlock::addAdditionalIdentifier):
2471         (JSC::CodeBlock::identifier):
2472         (JSC::CodeBlock::numberOfIdentifiers):
2473         * dfg/DFGCommonData.h:
2474
2475 2013-08-12  Oliver Hunt  <oliver@apple.com>
2476
2477         Stop making unnecessary copy of CodeBlock Identifier Vector
2478         https://bugs.webkit.org/show_bug.cgi?id=119702
2479
2480         Reviewed by Michael Saboff.
2481
2482         Make CodeBlock simply use a separate Vector for additional Identifiers
2483         and use the UnlinkedCodeBlock for the initial set of identifiers.
2484
2485         * bytecode/CodeBlock.cpp:
2486         (JSC::CodeBlock::printGetByIdOp):
2487         (JSC::dumpStructure):
2488         (JSC::dumpChain):
2489         (JSC::CodeBlock::printGetByIdCacheStatus):
2490         (JSC::CodeBlock::printPutByIdOp):
2491         (JSC::CodeBlock::dumpBytecode):
2492         (JSC::CodeBlock::CodeBlock):
2493         (JSC::CodeBlock::shrinkToFit):
2494         * bytecode/CodeBlock.h:
2495         (JSC::CodeBlock::numberOfIdentifiers):
2496         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
2497         (JSC::CodeBlock::addAdditionalIdentifier):
2498         (JSC::CodeBlock::identifier):
2499         * dfg/DFGDesiredIdentifiers.cpp:
2500         (JSC::DFG::DesiredIdentifiers::reallyAdd):
2501         * jit/JIT.h:
2502         * jit/JITOpcodes.cpp:
2503         (JSC::JIT::emitSlow_op_get_arguments_length):
2504         * jit/JITPropertyAccess.cpp:
2505         (JSC::JIT::emit_op_get_by_id):
2506         (JSC::JIT::compileGetByIdHotPath):
2507         (JSC::JIT::emitSlow_op_get_by_id):
2508         (JSC::JIT::compileGetByIdSlowCase):
2509         (JSC::JIT::emitSlow_op_put_by_id):
2510         * jit/JITPropertyAccess32_64.cpp:
2511         (JSC::JIT::emit_op_get_by_id):
2512         (JSC::JIT::compileGetByIdHotPath):
2513         (JSC::JIT::compileGetByIdSlowCase):
2514         * jit/JITStubs.cpp:
2515         (JSC::DEFINE_STUB_FUNCTION):
2516         * llint/LLIntSlowPaths.cpp:
2517         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2518
2519 2013-08-08  Mark Lam  <mark.lam@apple.com>
2520
2521         Restoring use of StackIterator instead of Interpreter::getStacktrace().
2522         https://bugs.webkit.org/show_bug.cgi?id=119575.
2523
2524         Reviewed by Oliver Hunt.
2525
2526         * interpreter/Interpreter.h:
2527         - Made getStackTrace() private.
2528         * interpreter/StackIterator.cpp:
2529         (JSC::StackIterator::StackIterator):
2530         (JSC::StackIterator::numberOfFrames):
2531         - Computes the number of frames by iterating through the whole stack
2532           from the starting frame. The iterator will save its current frame
2533           position before counting the frames, and then restore it after
2534           the counting.
2535         (JSC::StackIterator::gotoFrameAtIndex):
2536         (JSC::StackIterator::gotoNextFrame):
2537         (JSC::StackIterator::resetIterator):
2538         - Points the iterator to the starting frame.
2539         * interpreter/StackIteratorPrivate.h:
2540
2541 2013-08-08  Mark Lam  <mark.lam@apple.com>
2542
2543         Moved ErrorConstructor and NativeErrorConstructor helper functions into
2544         the Interpreter class.
2545         https://bugs.webkit.org/show_bug.cgi?id=119576.
2546
2547         Reviewed by Oliver Hunt.
2548
2549         This change is needed to prepare for making Interpreter::getStackTrace()
2550         private. It does not change the behavior of the code, only the lexical
2551         scoping.
2552
2553         * interpreter/Interpreter.h:
2554         - Added helper functions for ErrorConstructor and NativeErrorConstructor.
2555         * runtime/ErrorConstructor.cpp:
2556         (JSC::Interpreter::constructWithErrorConstructor):
2557         (JSC::ErrorConstructor::getConstructData):
2558         (JSC::Interpreter::callErrorConstructor):
2559         (JSC::ErrorConstructor::getCallData):
2560         - Don't want ErrorConstructor to call Interpreter::getStackTrace()
2561           directly. So, we moved the helper functions into the Interpreter
2562           class.
2563         * runtime/NativeErrorConstructor.cpp:
2564         (JSC::Interpreter::constructWithNativeErrorConstructor):
2565         (JSC::NativeErrorConstructor::getConstructData):
2566         (JSC::Interpreter::callNativeErrorConstructor):
2567         (JSC::NativeErrorConstructor::getCallData):
2568         - Don't want NativeErrorConstructor to call Interpreter::getStackTrace()
2569           directly. So, we moved the helper functions into the Interpreter
2570           class.
2571
2572 2013-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>
2573
2574         32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state
2575         https://bugs.webkit.org/show_bug.cgi?id=119555
2576
2577         Reviewed by Geoffrey Garen.
2578
2579         It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does.
2580         This was causing crashes on maps.google.com in 32-bit debug builds.
2581
2582         * dfg/DFGSpeculativeJIT32_64.cpp:
2583         (JSC::DFG::SpeculativeJIT::compile):
2584
2585 2013-08-06  Michael Saboff  <msaboff@apple.com>
2586
2587         REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT
2588         https://bugs.webkit.org/show_bug.cgi?id=119405
2589
2590         Reviewed by Geoffrey Garen.
2591
2592         * dfg/DFGSpeculativeJIT.cpp:
2593         (JSC::DFG::SpeculativeJIT::compileGetByValOnString): For X86 32 bit, construct an indexed address
2594         ourselves to save a register and then load from it.
2595
2596 2013-08-06  Filip Pizlo  <fpizlo@apple.com>
2597
2598         DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants
2599         https://bugs.webkit.org/show_bug.cgi?id=119528
2600
2601         Reviewed by Geoffrey Garen.
2602
2603         Either of the two fixes would solve the crash I saw. Basically, for best performance, we want the DFG register allocator to track double uses and non-double
2604         uses of a node separately, and we accomplish this by inserting Int32ToDouble nodes in the FixupPhase. But even if FixupPhase fails to do this, we still want
2605         the DFG register allocator to do the right thing: if it encounters a double use of an integer, it should perform a conversion and preserve the original
2606         format of the value (namely, that it was an integer). For constants, the best format to preserve is None, so that future integer uses rematerialize the int
2607         from scratch. This only affects the 64-bit backend; the 32-bit backend was already doing the right thing.
2608
2609         This also fixes some more debug dumping code, and adds some stronger assertions for integer arrays.
2610
2611         * bytecode/CodeBlock.cpp:
2612         (JSC::CodeBlock::finalizeUnconditionally):
2613         * dfg/DFGDriver.cpp:
2614         (JSC::DFG::compile):
2615         * dfg/DFGFixupPhase.cpp:
2616         (JSC::DFG::FixupPhase::fixupNode):
2617         * dfg/DFGGraph.cpp:
2618         (JSC::DFG::Graph::dump):
2619         * dfg/DFGSpeculativeJIT64.cpp:
2620         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2621         * runtime/JSObject.h:
2622         (JSC::JSObject::getIndexQuickly):
2623         (JSC::JSObject::tryGetIndexQuickly):
2624
2625 2013-08-08  Stephanie Lewis  <slewis@apple.com>
2626
2627         <rdar://problem/14680524> REGRESSION(153806): Crash @ yahoo.com when WebKit is built with a .order file
2628
2629         Unreviewed.
2630
2631         Ensure llint symbols are in source order.
2632
2633         * JavaScriptCore.order:
2634
2635 2013-08-06  Mark Lam  <mark.lam@apple.com>
2636
2637         Assertion failure in emitExpressionInfo when reloading with Web Inspector open.
2638         https://bugs.webkit.org/show_bug.cgi?id=119532.
2639
2640         Reviewed by Oliver Hunt.
2641
2642         * parser/Parser.cpp:
2643         (JSC::::Parser):
2644         - Just need to initialize the Parser's JSTokenLocation's initial line and
2645           startOffset as well during Parser construction.
2646
2647 2013-08-06  Stephanie Lewis  <slewis@apple.com>
2648
2649         Update Order Files for Safari
2650         <rdar://problem/14517392>
2651
2652         Unreviewed.
2653
2654         * JavaScriptCore.order:
2655
2656 2013-08-04  Sam Weinig  <sam@webkit.org>
2657
2658         Remove support for HTML5 MicroData
2659         https://bugs.webkit.org/show_bug.cgi?id=119480
2660
2661         Reviewed by Anders Carlsson.
2662
2663         * Configurations/FeatureDefines.xcconfig:
2664
2665 2013-08-05  Oliver Hunt  <oliver@apple.com>
2666
2667         Delay Arguments creation in strict mode
2668         https://bugs.webkit.org/show_bug.cgi?id=119505
2669
2670         Reviewed by Geoffrey Garen.
2671
2672         Make use of the write tracking performed by the parser to
2673         allow us to know if we're modifying the parameters to a function.
2674         Then use that information to make strict mode functions opt out
2675         of eager arguments creation.
2676
2677         * bytecompiler/BytecodeGenerator.cpp:
2678         (JSC::BytecodeGenerator::BytecodeGenerator):
2679         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
2680         (JSC::BytecodeGenerator::emitReturn):
2681         * bytecompiler/BytecodeGenerator.h:
2682         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly):
2683         * parser/Nodes.h:
2684         (JSC::ScopeNode::modifiesParameter):
2685         * parser/Parser.cpp:
2686         (JSC::::parseInner):
2687         * parser/Parser.h:
2688         (JSC::Scope::declareParameter):
2689         (JSC::Scope::getCapturedVariables):
2690         (JSC::Parser::declareWrite):
2691         * parser/ParserModes.h:
2692
2693 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2694
2695         Remove useless code from COMPILER(RVCT) JITStubs
2696         https://bugs.webkit.org/show_bug.cgi?id=119521
2697
2698         Reviewed by Geoffrey Garen.
2699
2700         * jit/JITStubsARMv7.h:
2701         (JSC::ctiVMThrowTrampoline): "ldr r6, [sp, #PRESERVED_R6_OFFSET]" was called twice.
2702         (JSC::ctiOpThrowNotCaught): Ditto.
2703
2704 2013-07-23  David Farler  <dfarler@apple.com>
2705
2706         Provide optional OTHER_CFLAGS, OTHER_CPPFLAGS, OTHER_LDFLAGS additions for building with ASAN
2707         https://bugs.webkit.org/show_bug.cgi?id=117762
2708
2709         Reviewed by Mark Rowe.
2710
2711         * Configurations/DebugRelease.xcconfig:
2712         Add ASAN_OTHER_CFLAGS, CPLUSPLUSFLAGS, LDFLAGS.
2713         * Configurations/JavaScriptCore.xcconfig:
2714         Add ASAN_OTHER_LDFLAGS.
2715         * Configurations/ToolExecutable.xcconfig:
2716         Don't use ASAN for build tools.
2717
2718 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2719
2720         Build fix for ARM MSVC after r153222 and r153648.
2721
2722         * jit/JITStubsARM.h: Added ctiVMThrowTrampolineSlowpath.
2723
2724 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2725
2726         Build fix for ARM MSVC after r150109.
2727
2728         Read the stub template from a header file instead of the JITStubs.cpp.
2729
2730         * CMakeLists.txt:
2731         * DerivedSources.pri:
2732         * create_jit_stubs:
2733
2734 2013-08-05  Oliver Hunt  <oliver@apple.com>
2735
2736         Move TypedArray implementation into JSC
2737         https://bugs.webkit.org/show_bug.cgi?id=119489
2738
2739         Reviewed by Filip Pizlo.
2740
2741         Move TypedArray implementation into JSC in advance of re-implementation.
2742
2743         * GNUmakefile.list.am:
2744         * JSCTypedArrayStubs.h:
2745         * JavaScriptCore.xcodeproj/project.pbxproj:
2746         * runtime/ArrayBuffer.cpp: Renamed from Source/WTF/wtf/ArrayBuffer.cpp.
2747         (JSC::ArrayBuffer::transfer):
2748         (JSC::ArrayBuffer::addView):
2749         (JSC::ArrayBuffer::removeView):
2750         * runtime/ArrayBuffer.h: Renamed from Source/WTF/wtf/ArrayBuffer.h.
2751         (JSC::ArrayBufferContents::ArrayBufferContents):
2752         (JSC::ArrayBufferContents::data):
2753         (JSC::ArrayBufferContents::sizeInBytes):
2754         (JSC::ArrayBufferContents::transfer):
2755         (JSC::ArrayBufferContents::copyTo):
2756         (JSC::ArrayBuffer::isNeutered):
2757         (JSC::ArrayBuffer::~ArrayBuffer):
2758         (JSC::ArrayBuffer::clampValue):
2759         (JSC::ArrayBuffer::create):
2760         (JSC::ArrayBuffer::createUninitialized):
2761         (JSC::ArrayBuffer::ArrayBuffer):
2762         (JSC::ArrayBuffer::data):
2763         (JSC::ArrayBuffer::byteLength):
2764         (JSC::ArrayBuffer::slice):
2765         (JSC::ArrayBuffer::sliceImpl):
2766         (JSC::ArrayBuffer::clampIndex):
2767         (JSC::ArrayBufferContents::tryAllocate):
2768         (JSC::ArrayBufferContents::~ArrayBufferContents):
2769         * runtime/ArrayBufferView.cpp: Renamed from Source/WTF/wtf/ArrayBufferView.cpp.
2770         (JSC::ArrayBufferView::ArrayBufferView):
2771         (JSC::ArrayBufferView::~ArrayBufferView):
2772         (JSC::ArrayBufferView::neuter):
2773         * runtime/ArrayBufferView.h: Renamed from Source/WTF/wtf/ArrayBufferView.h.
2774         (JSC::ArrayBufferView::buffer):
2775         (JSC::ArrayBufferView::baseAddress):
2776         (JSC::ArrayBufferView::byteOffset):
2777         (JSC::ArrayBufferView::setNeuterable):
2778         (JSC::ArrayBufferView::isNeuterable):
2779         (JSC::ArrayBufferView::verifySubRange):
2780         (JSC::ArrayBufferView::clampOffsetAndNumElements):
2781         (JSC::ArrayBufferView::setImpl):
2782         (JSC::ArrayBufferView::setRangeImpl):
2783         (JSC::ArrayBufferView::zeroRangeImpl):
2784         (JSC::ArrayBufferView::calculateOffsetAndLength):
2785         * runtime/Float32Array.h: Renamed from Source/WTF/wtf/Float32Array.h.
2786         (JSC::Float32Array::set):
2787         (JSC::Float32Array::getType):
2788         (JSC::Float32Array::create):
2789         (JSC::Float32Array::createUninitialized):
2790         (JSC::Float32Array::Float32Array):
2791         (JSC::Float32Array::subarray):
2792         * runtime/Float64Array.h: Renamed from Source/WTF/wtf/Float64Array.h.
2793         (JSC::Float64Array::set):
2794         (JSC::Float64Array::getType):
2795         (JSC::Float64Array::create):
2796         (JSC::Float64Array::createUninitialized):
2797         (JSC::Float64Array::Float64Array):
2798         (JSC::Float64Array::subarray):
2799         * runtime/Int16Array.h: Renamed from Source/WTF/wtf/Int16Array.h.
2800         (JSC::Int16Array::getType):
2801         (JSC::Int16Array::create):
2802         (JSC::Int16Array::createUninitialized):
2803         (JSC::Int16Array::Int16Array):
2804         (JSC::Int16Array::subarray):
2805         * runtime/Int32Array.h: Renamed from Source/WTF/wtf/Int32Array.h.
2806         (JSC::Int32Array::getType):
2807         (JSC::Int32Array::create):
2808         (JSC::Int32Array::createUninitialized):
2809         (JSC::Int32Array::Int32Array):
2810         (JSC::Int32Array::subarray):
2811         * runtime/Int8Array.h: Renamed from Source/WTF/wtf/Int8Array.h.
2812         (JSC::Int8Array::getType):
2813         (JSC::Int8Array::create):
2814         (JSC::Int8Array::createUninitialized):
2815         (JSC::Int8Array::Int8Array):
2816         (JSC::Int8Array::subarray):
2817         * runtime/IntegralTypedArrayBase.h: Renamed from Source/WTF/wtf/IntegralTypedArrayBase.h.
2818         (JSC::IntegralTypedArrayBase::set):
2819         (JSC::IntegralTypedArrayBase::IntegralTypedArrayBase):
2820         * runtime/TypedArrayBase.h: Renamed from Source/WTF/wtf/TypedArrayBase.h.
2821         (JSC::TypedArrayBase::data):
2822         (JSC::TypedArrayBase::set):
2823         (JSC::TypedArrayBase::setRange):
2824         (JSC::TypedArrayBase::zeroRange):
2825         (JSC::TypedArrayBase::length):
2826         (JSC::TypedArrayBase::byteLength):
2827         (JSC::TypedArrayBase::item):
2828         (JSC::TypedArrayBase::checkInboundData):
2829         (JSC::TypedArrayBase::TypedArrayBase):
2830         (JSC::TypedArrayBase::create):
2831         (JSC::TypedArrayBase::createUninitialized):
2832         (JSC::TypedArrayBase::subarrayImpl):
2833         (JSC::TypedArrayBase::neuter):
2834         * runtime/Uint16Array.h: Renamed from Source/WTF/wtf/Uint16Array.h.
2835         (JSC::Uint16Array::getType):
2836         (JSC::Uint16Array::create):
2837         (JSC::Uint16Array::createUninitialized):
2838         (JSC::Uint16Array::Uint16Array):
2839         (JSC::Uint16Array::subarray):
2840         * runtime/Uint32Array.h: Renamed from Source/WTF/wtf/Uint32Array.h.
2841         (JSC::Uint32Array::getType):
2842         (JSC::Uint32Array::create):
2843         (JSC::Uint32Array::createUninitialized):
2844         (JSC::Uint32Array::Uint32Array):
2845         (JSC::Uint32Array::subarray):
2846         * runtime/Uint8Array.h: Renamed from Source/WTF/wtf/Uint8Array.h.
2847         (JSC::Uint8Array::getType):
2848         (JSC::Uint8Array::create):
2849         (JSC::Uint8Array::createUninitialized):
2850         (JSC::Uint8Array::Uint8Array):
2851         (JSC::Uint8Array::subarray):
2852         * runtime/Uint8ClampedArray.h: Renamed from Source/WTF/wtf/Uint8ClampedArray.h.
2853         (JSC::Uint8ClampedArray::getType):
2854         (JSC::Uint8ClampedArray::create):
2855         (JSC::Uint8ClampedArray::createUninitialized):
2856         (JSC::Uint8ClampedArray::zeroFill):
2857         (JSC::Uint8ClampedArray::set):
2858         (JSC::Uint8ClampedArray::Uint8ClampedArray):
2859         (JSC::Uint8ClampedArray::subarray):
2860         * runtime/VM.h:
2861
2862 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
2863
2864         Copied space should be able to handle more than one copied backing store per JSCell
2865         https://bugs.webkit.org/show_bug.cgi?id=119471
2866
2867         Reviewed by Mark Hahnenberg.
2868         
2869         This allows a cell to call copyLater() multiple times for multiple different
2870         backing stores, and then have copyBackingStore() called exactly once for each
2871         of those. A token tells it which backing store to copy. All backing stores
2872         must be named using the CopyToken, an enumeration which currently cannot
2873         exceed eight entries.
2874         
2875         When copyBackingStore() is called, it's up to the callee to (a) use the token
2876         to decide what to copy and (b) call its base class's copyBackingStore() in
2877         case the base class had something that needed copying. The only exception is
2878         that JSCell never asks anything to be copied, and so if your base is JSCell
2879         then you don't have to do anything.
2880
2881         * GNUmakefile.list.am:
2882         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2883         * JavaScriptCore.xcodeproj/project.pbxproj:
2884         * heap/CopiedBlock.h:
2885         * heap/CopiedBlockInlines.h:
2886         (JSC::CopiedBlock::reportLiveBytes):
2887         * heap/CopyToken.h: Added.
2888         * heap/CopyVisitor.cpp:
2889         (JSC::CopyVisitor::copyFromShared):
2890         * heap/CopyVisitor.h:
2891         * heap/CopyVisitorInlines.h:
2892         (JSC::CopyVisitor::visitItem):
2893         * heap/CopyWorkList.h:
2894         (JSC::CopyWorklistItem::CopyWorklistItem):
2895         (JSC::CopyWorklistItem::cell):
2896         (JSC::CopyWorklistItem::token):
2897         (JSC::CopyWorkListSegment::get):
2898         (JSC::CopyWorkListSegment::append):
2899         (JSC::CopyWorkListSegment::data):
2900         (JSC::CopyWorkListIterator::get):
2901         (JSC::CopyWorkListIterator::operator*):
2902         (JSC::CopyWorkListIterator::operator->):
2903         (JSC::CopyWorkList::append):
2904         * heap/SlotVisitor.h:
2905         * heap/SlotVisitorInlines.h:
2906         (JSC::SlotVisitor::copyLater):
2907         * runtime/ClassInfo.h:
2908         * runtime/JSCell.cpp:
2909         (JSC::JSCell::copyBackingStore):
2910         * runtime/JSCell.h:
2911         * runtime/JSObject.cpp:
2912         (JSC::JSObject::visitButterfly):
2913         (JSC::JSObject::copyBackingStore):
2914         * runtime/JSObject.h:
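
The copyLater()/copyBackingStore() contract described in this entry, as an added toy model that is not JSC's code: the cell, visitor, token and class names are hypothetical stand-ins, and the third class shows what is lost when rule (b), chaining to the base class, is skipped.

```cpp
// Toy model (not JSC's code) of one cell requesting several backing-store copies.
#include <cstddef>
#include <utility>
#include <vector>

// Every copied backing store is named by a token. The entry caps the
// enumeration at eight entries, so a token always fits in three bits.
enum CopyToken : unsigned char { PropertyStorageToken = 0, IndexStorageToken = 1 };

struct CopyVisitor;

struct Cell {
    virtual ~Cell() {}
    // The root of the hierarchy never asks for a copy, so it has nothing to do.
    virtual void copyBackingStore(CopyVisitor&, CopyToken) {}
};

struct CopyVisitor {
    typedef std::pair<Cell*, CopyToken> WorkItem; // (cell, token), as in CopyWorkList
    std::vector<WorkItem> worklist;
    std::vector<WorkItem> copied;                 // record of completed copies

    // Called during marking: one item per backing store the cell wants copied.
    void copyLater(Cell* cell, CopyToken token) { worklist.push_back(WorkItem(cell, token)); }
    void didCopy(Cell* cell, CopyToken token) { copied.push_back(WorkItem(cell, token)); }

    // Each work item produces exactly one copyBackingStore() call carrying its token.
    size_t drain() {
        std::vector<WorkItem> items;
        items.swap(worklist);
        for (size_t i = 0; i < items.size(); ++i)
            items[i].first->copyBackingStore(*this, items[i].second);
        return items.size();
    }

    size_t copiesOf(const Cell* cell, CopyToken token) const {
        size_t n = 0;
        for (size_t i = 0; i < copied.size(); ++i)
            if (copied[i].first == cell && copied[i].second == token)
                ++n;
        return n;
    }
};

// A base class owning one backing store (its property storage).
struct ObjectWithProperties : Cell {
    void visit(CopyVisitor& v) { v.copyLater(this, PropertyStorageToken); }
    void copyBackingStore(CopyVisitor& v, CopyToken token) override {
        if (token == PropertyStorageToken)   // (a): decide by token what to copy
            v.didCopy(this, token);
        Cell::copyBackingStore(v, token);    // (b): give the base its chance
    }
};

// A subclass adding a second backing store that chains to its base.
struct ObjectWithIndexStorage : ObjectWithProperties {
    void visit(CopyVisitor& v) {
        ObjectWithProperties::visit(v);
        v.copyLater(this, IndexStorageToken);
    }
    void copyBackingStore(CopyVisitor& v, CopyToken token) override {
        if (token == IndexStorageToken)
            v.didCopy(this, token);
        ObjectWithProperties::copyBackingStore(v, token); // (b)
    }
};

// A subclass that skips rule (b): the base's property storage is never copied.
struct ForgetfulObject : ObjectWithProperties {
    void visit(CopyVisitor& v) {
        ObjectWithProperties::visit(v);
        v.copyLater(this, IndexStorageToken);
    }
    void copyBackingStore(CopyVisitor& v, CopyToken token) override {
        if (token == IndexStorageToken)
            v.didCopy(this, token);
        // missing: ObjectWithProperties::copyBackingStore(v, token);
    }
};

// Runs one copy cycle; returns {items drained, property copies, index copies}.
template <typename T>
std::vector<size_t> runCopyCycle() {
    T cell;
    CopyVisitor visitor;
    cell.visit(visitor);
    size_t drained = visitor.drain();
    std::vector<size_t> result;
    result.push_back(drained);
    result.push_back(visitor.copiesOf(&cell, PropertyStorageToken));
    result.push_back(visitor.copiesOf(&cell, IndexStorageToken));
    return result;
}
```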
2915
2916 2013-08-05  Zan Dobersek  <zdobersek@igalia.com>
2917
2918         [Automake] Define ENABLE_JIT through the Autoconf header
2919         https://bugs.webkit.org/show_bug.cgi?id=119445
2920
2921         Reviewed by Martin Robinson.
2922
2923         * GNUmakefile.am: Remove JSC_CPPFLAGS from the cpp flags for the JSC library.
2924
2925 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
2926
2927         hasIndexingHeader() ought really to be a property of an object and its structure, not just its structure
2928         https://bugs.webkit.org/show_bug.cgi?id=119470
2929
2930         Reviewed by Oliver Hunt.
2931         
2932         Structure can still tell you if the object "could" (in the conservative sense)
2933         have an indexing header; that's used by the compiler.
2934         
2935         Most of the time if you want to know if there's an indexing header, you ask the
2936         JSObject.
2937         
2938         In some cases, the JSObject wants to know if it would have an indexing header if
2939         it had a different structure; then it uses Structure::hasIndexingHeader(JSCell*).
2940
2941         * dfg/DFGRepatch.cpp:
2942         (JSC::DFG::tryCachePutByID):
2943         (JSC::DFG::tryBuildPutByIdList):
2944         * dfg/DFGSpeculativeJIT.cpp:
2945         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2946         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2947         * runtime/ButterflyInlines.h:
2948         (JSC::Butterfly::create):
2949         (JSC::Butterfly::growPropertyStorage):
2950         (JSC::Butterfly::growArrayRight):
2951         (JSC::Butterfly::resizeArray):
2952         * runtime/JSObject.cpp:
2953         (JSC::JSObject::copyButterfly):
2954         (JSC::JSObject::visitButterfly):
2955         * runtime/JSObject.h:
2956         (JSC::JSObject::hasIndexingHeader):
2957         (JSC::JSObject::setButterfly):
2958         * runtime/Structure.h:
2959         (JSC::Structure::couldHaveIndexingHeader):
2960         (JSC::Structure::hasIndexingHeader):
2961
2962 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
2963
2964         Give the error object's stack property accessor attributes.
2965         https://bugs.webkit.org/show_bug.cgi?id=119404
2966
2967         Reviewed by Geoffrey Garen.
2968         
2969         Changed the attributes of error object's stack property to allow developers to write
2970         and delete the stack property. This will match the functionality of Chrome. Firefox  
2971         allows developers to write the error's stack, but not delete it. 
2972
2973         * interpreter/Interpreter.cpp:
2974         (JSC::Interpreter::addStackTraceIfNecessary):
2975         * runtime/ErrorInstance.cpp:
2976         (JSC::ErrorInstance::finishCreation):
2977
2978 2013-08-02  Oliver Hunt  <oliver@apple.com>
2979
2980         Incorrect type speculation reported by ToPrimitive
2981         https://bugs.webkit.org/show_bug.cgi?id=119458
2982
2983         Reviewed by Mark Hahnenberg.
2984
2985         Make sure that we report the correct type possibilities for the output
2986         from ToPrimitive.
2987
2988         * dfg/DFGAbstractInterpreterInlines.h:
2989         (JSC::DFG::::executeEffects):
2990
2991 2013-08-02  Gavin Barraclough  <barraclough@apple.com>
2992
2993         Remove no-arguments constructor to PropertySlot
2994         https://bugs.webkit.org/show_bug.cgi?id=119460
2995
2996         Reviewed by Geoff Garen.
2997
2998         This constructor was unsafe if getValue is subsequently called,
2999         and the property is a getter. Simplest to just remove it.
3000
3001         * runtime/Arguments.cpp:
3002         (JSC::Arguments::defineOwnProperty):
3003         * runtime/JSActivation.cpp:
3004         (JSC::JSActivation::getOwnPropertyDescriptor):
3005         * runtime/JSFunction.cpp:
3006         (JSC::JSFunction::getOwnPropertyDescriptor):
3007         (JSC::JSFunction::getOwnNonIndexPropertyNames):
3008         (JSC::JSFunction::put):
3009         (JSC::JSFunction::defineOwnProperty):
3010         * runtime/JSGlobalObject.cpp:
3011         (JSC::JSGlobalObject::defineOwnProperty):
3012         * runtime/JSGlobalObject.h:
3013         (JSC::JSGlobalObject::hasOwnPropertyForWrite):
3014         * runtime/JSNameScope.cpp:
3015         (JSC::JSNameScope::put):
3016         * runtime/JSONObject.cpp:
3017         (JSC::Stringifier::Holder::appendNextProperty):
3018         (JSC::Walker::walk):
3019         * runtime/JSObject.cpp:
3020         (JSC::JSObject::hasProperty):
3021         (JSC::JSObject::hasOwnProperty):
3022         (JSC::JSObject::reifyStaticFunctionsForDelete):
3023         * runtime/Lookup.h:
3024         (JSC::getStaticPropertyDescriptor):
3025         (JSC::getStaticFunctionDescriptor):
3026         (JSC::getStaticValueDescriptor):
3027         * runtime/ObjectConstructor.cpp:
3028         (JSC::defineProperties):
3029         * runtime/PropertySlot.h:
3030
3031 2013-08-02  Mark Hahnenberg  <mhahnenberg@apple.com>
3032
3033         DFG validation can cause assertion failures due to dumping
3034         https://bugs.webkit.org/show_bug.cgi?id=119456
3035
3036         Reviewed by Geoffrey Garen.
3037
3038         * bytecode/CodeBlock.cpp:
3039         (JSC::CodeBlock::hasHash):
3040         (JSC::CodeBlock::isSafeToComputeHash):
3041         (JSC::CodeBlock::hash):
3042         (JSC::CodeBlock::dumpAssumingJITType):
3043         * bytecode/CodeBlock.h:
3044
3045 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
3046
3047         Have vm's exceptionStack match Java VM's exceptionStack.
3048         https://bugs.webkit.org/show_bug.cgi?id=119362
3049
3050         Reviewed by Geoffrey Garen.
3051         
3052         The error object's stack is only updated if it does not exist yet. This matches 
3053         the functionality of other browsers, and Java VMs. 
3054
3055         * interpreter/Interpreter.cpp:
3056         (JSC::Interpreter::addStackTraceIfNecessary):
3057         (JSC::Interpreter::throwException):
3058         * runtime/VM.cpp:
3059         (JSC::VM::clearExceptionStack):
3060         * runtime/VM.h:
3061         (JSC::VM::lastExceptionStack):
3062
3063 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
3064
3065         REGRESSION(FTL): Fix mips implementation of ctiVMThrowTrampolineSlowpath.
3066         https://bugs.webkit.org/show_bug.cgi?id=119447
3067
3068         Reviewed by Geoffrey Garen.
3069
3070         Fix .cpload, update call frame and do not restore registers from JIT stack frame in
3071         mips implementation of ctiVMThrowTrampolineSlowpath. This change is similar to
3072         r153583 (sh4) and r153648 (ARM).
3073
3074         * jit/JITStubsMIPS.h:
3075
3076 2013-08-01  Filip Pizlo  <fpizlo@apple.com>
3077
3078         hasIndexingHeader should be a property of the Structure, not just the IndexingType
3079         https://bugs.webkit.org/show_bug.cgi?id=119422
3080
3081         Reviewed by Oliver Hunt.
3082         
3083         This simplifies some code and also allows Structure to claim that an object
3084         has an indexing header even if it doesn't have indexed properties.
3085         
3086         I also changed some calls to use hasIndexedProperties() since in some cases,
3087         that's what we actually meant. Currently the two are synonyms.
3088
3089         * dfg/DFGRepatch.cpp:
3090         (JSC::DFG::tryCachePutByID):
3091         (JSC::DFG::tryBuildPutByIdList):
3092         * dfg/DFGSpeculativeJIT.cpp:
3093         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3094         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3095         * runtime/ButterflyInlines.h:
3096         (JSC::Butterfly::create):
3097         (JSC::Butterfly::growPropertyStorage):
3098         (JSC::Butterfly::growArrayRight):
3099         (JSC::Butterfly::resizeArray):
3100         * runtime/IndexingType.h:
3101         * runtime/JSObject.cpp:
3102         (JSC::JSObject::copyButterfly):
3103         (JSC::JSObject::visitButterfly):
3104         (JSC::JSObject::setPrototype):
3105         * runtime/JSObject.h:
3106         (JSC::JSObject::setButterfly):
3107         * runtime/JSPropertyNameIterator.cpp:
3108         (JSC::JSPropertyNameIterator::create):
3109         * runtime/Structure.h:
3110         (JSC::Structure::hasIndexingHeader):
3111
3112 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
3113
3114         REGRESSION: ARM still crashes after change set r153612.
3115         https://bugs.webkit.org/show_bug.cgi?id=119433
3116
3117         Reviewed by Michael Saboff.
3118
3119         Update call frame and do not restore registers from JIT stack frame in ARM and ARMv7
3120         implementations of ctiVMThrowTrampolineSlowpath. This change is similar to r153583
3121         for sh4 architecture.
3122
3123         * jit/JITStubsARM.h:
3124         * jit/JITStubsARMv7.h:
3125
3126 2013-08-02  Michael Saboff  <msaboff@apple.com>
3127
3128         REGRESSION(r153612): It made jsc and layout tests crash
3129         https://bugs.webkit.org/show_bug.cgi?id=119440
3130
3131         Reviewed by Csaba Osztrogonác.
3132
3133         Made the changes of changeset r153612 only apply to 32-bit builds.
3134
3135         * jit/JITExceptions.cpp:
3136         * jit/JITExceptions.h:
3137         * jit/JITStubs.cpp:
3138         (JSC::cti_vm_throw_slowpath):
3139         * jit/JITStubs.h:
3140
3141 2013-08-02  Patrick Gansterer  <paroga@webkit.org>
3142
3143         Add JSCTestRunnerUtils to the list of forwarding headers to fix build.
3144
3145         * CMakeLists.txt:
3146
3147 2013-08-01  Ruth Fong  <ruth_fong@apple.com>
3148
3149         [Forms: color] <input type='color'> popover color well implementation
3150         <rdar://problem/14411008> and https://bugs.webkit.org/show_bug.cgi?id=119356
3151
3152         Reviewed by Benjamin Poulain.
3153
3154         * Configurations/FeatureDefines.xcconfig: Added and enabled INPUT_TYPE_COLOR_POPOVER.
3155
3156 2013-08-01  Oliver Hunt  <oliver@apple.com>
3157
3158         DFG is not enforcing correct ordering of ToString conversion in MakeRope
3159         https://bugs.webkit.org/show_bug.cgi?id=119408
3160
3161         Reviewed by Filip Pizlo.
3162
3163         Construct ToString and Phantom nodes in advance of MakeRope
3164         nodes to ensure that ordering is ensured, and correct values
3165         will be reified on OSR exit.
3166
3167         * dfg/DFGByteCodeParser.cpp:
3168         (JSC::DFG::ByteCodeParser::parseBlock):
3169
3170 2013-08-01  Michael Saboff  <msaboff@apple.com>
3171
3172         REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
3173         https://bugs.webkit.org/show_bug.cgi?id=119140
3174
3175         Reviewed by Filip Pizlo.
3176
3177         Ensure that ExceptionHandler is returned by functions in two registers by encoding the value as a 64-bit int.
3178
3179         * jit/JITExceptions.cpp:
3180         (JSC::encode):
3181         * jit/JITExceptions.h:
3182         * jit/JITStubs.cpp:
3183         (JSC::cti_vm_throw_slowpath):
3184         * jit/JITStubs.h:
3185
3186 2013-08-01  Julien Brianceau  <jbrianceau@nds.com>
3187
3188         REGRESSION(FTL): Fix sh4 implementation of ctiVMThrowTrampolineSlowpath.
3189         https://bugs.webkit.org/show_bug.cgi?id=119391
3190
3191         Reviewed by Csaba Osztrogonác.
3192
3193         * jit/JITStubsSH4.h: Fix ctiVMThrowTrampolineSlowpath implementation:
3194             - Call frame is in r14 register.
3195             - Do not restore registers from JIT stack frame here.
3196
3197 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
3198
3199         More cleanup in PropertySlot
3200         https://bugs.webkit.org/show_bug.cgi?id=119359
3201
3202         Reviewed by Geoff Garen.
3203
3204         m_slotBase is overloaded to store the (receiver) thisValue and the object that contains the property.
3205         This is confusing, and means that slotBase cannot be typed correctly (can only be a JSObject).
3206
3207         * dfg/DFGRepatch.cpp:
3208         (JSC::DFG::tryCacheGetByID):
3209         (JSC::DFG::tryBuildGetByIDList):
3210             - No need to ASSERT slotBase is an object.
3211         * jit/JITStubs.cpp:
3212         (JSC::tryCacheGetByID):
3213         (JSC::DEFINE_STUB_FUNCTION):
3214             - No need to ASSERT slotBase is an object.
3215         * runtime/JSObject.cpp:
3216         (JSC::JSObject::getOwnPropertySlotByIndex):
3217         (JSC::JSObject::fillGetterPropertySlot):
3218             - Pass an object through to setGetterSlot.
3219         * runtime/JSObject.h:
3220         (JSC::PropertySlot::getValue):
3221             - Moved from PropertySlot (need to know about JSObject).
3222         * runtime/PropertySlot.cpp:
3223         (JSC::PropertySlot::functionGetter):
3224             - Update per member name changes.
3225         * runtime/PropertySlot.h:
3226         (JSC::PropertySlot::PropertySlot):
3227             - Argument to constructor set to 'thisValue'.
3228         (JSC::PropertySlot::slotBase):
3229             - This returns a JSObject*.
3230         (JSC::PropertySlot::setValue):
3231         (JSC::PropertySlot::setCustom):
3232         (JSC::PropertySlot::setCacheableCustom):
3233         (JSC::PropertySlot::setCustomIndex):
3234         (JSC::PropertySlot::setGetterSlot):
3235         (JSC::PropertySlot::setCacheableGetterSlot):
3236             - slotBase is a JSObject*, make setGetterSlot set slotBase for consistency.
3237         * runtime/SparseArrayValueMap.cpp:
3238         (JSC::SparseArrayEntry::get):
3239             - Pass an object through to setGetterSlot.
3240         * runtime/SparseArrayValueMap.h:
3241             - Pass an object through to setGetterSlot.
3242
3243 2013-07-31  Yi Shen  <max.hong.shen@gmail.com>
3244
3245         Reduce JSC API static value setter/getter overhead.
3246         https://bugs.webkit.org/show_bug.cgi?id=119277
3247
3248         Reviewed by Geoffrey Garen.
3249
3250         Add property name to the static value entry, so that OpaqueJSString::create() doesn't
3251         need to be called every time the static value is set or read.
3252
3253         * API/JSCallbackObjectFunctions.h:
3254         (JSC::::put):
3255         (JSC::::putByIndex):
3256         (JSC::::getStaticValue):
3257         * API/JSClassRef.cpp:
3258         (OpaqueJSClassContextData::OpaqueJSClassContextData):
3259         * API/JSClassRef.h:
3260         (StaticValueEntry::StaticValueEntry):
3261
3262 2013-07-31  Kwang Yul Seo  <skyul@company100.net>
3263
3264         Use emptyString instead of String("")
3265         https://bugs.webkit.org/show_bug.cgi?id=119335
3266
3267         Reviewed by Darin Adler.
3268
3269         Use emptyString() instead of String("") because it is better style and
3270         faster. This is a followup to r116908, removing all occurrences of
3271         String("") from WebKit.
3272
3273         * runtime/RegExpConstructor.cpp:
3274         (JSC::constructRegExp):
3275         * runtime/RegExpPrototype.cpp:
3276         (JSC::regExpProtoFuncCompile):
3277         * runtime/StringPrototype.cpp:
3278         (JSC::stringProtoFuncMatch):
3279         (JSC::stringProtoFuncSearch):
3280
3281 2013-07-31  Ruth Fong  <ruth_fong@apple.com>
3282
3283         <input type=color> Mac UI behaviour
3284         <rdar://problem/10269922> and https://bugs.webkit.org/show_bug.cgi?id=61276
3285
3286         Reviewed by Brady Eidson.
3287
3288         * Configurations/FeatureDefines.xcconfig: Enabled INPUT_TYPE_COLOR.
3289
3290 2013-07-31  Mark Hahnenberg  <mhahnenberg@apple.com>
3291
3292         DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT
3293         https://bugs.webkit.org/show_bug.cgi?id=119349
3294
3295         Reviewed by Geoffrey Garen.
3296
3297         Prior to this patch, the baseline JIT was responsible for resizing the ctiOffsets Vector for 
3298         SimpleJumpTables to be equal to the size of the branchOffsets Vector. The DFG implicitly relied
3299         on code it compiled with any switch statements to have been run in the baseline JIT first. 
3300         However, if the DFG chooses to inline a function that has never been compiled by the baseline 
3301         JIT then this resizing never happens and we crash at link time in the DFG.
3302
3303         We can fix this by also doing the resize in the DFG to catch this case.
3304
3305         * dfg/DFGJITCompiler.cpp:
3306         (JSC::DFG::JITCompiler::link):
3307
3308 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
3309
3310         Speculative Windows build fix.
3311
3312         Reviewed by NOBODY
3313
3314         * runtime/JSString.cpp:
3315         (JSC::JSRopeString::getIndexSlowCase):
3316         * runtime/JSString.h:
3317
3318 2013-07-30  Gavin Barraclough  <barraclough@apple.com>
3319
3320         Some cleanup in JSValue::get
3321         https://bugs.webkit.org/show_bug.cgi?id=119343
3322
3323         Reviewed by Geoff Garen.
3324
3325         JSValue::get is implemented to:
3326             1) Check if the value is a cell – if not, synthesize a prototype to search,
3327             2) call getOwnPropertySlot on the cell,
3328             3) if this returns false, cast to JSObject to get the prototype, and walk the prototype chain.
3329         By all rights this should crash when passed a string and accessing a property that does not exist, because
3330         the string is a cell, getOwnPropertySlot should return false, and the cast to JSObject should be unsafe.
3331         To work around this, JSString::getOwnPropertySlot actually implements 'get' functionality - searching the
3332         prototype chain, and faking out a return value of undefined if no property is found.
3333
3334         This is a huge hazard, since fixing JSString::getOwnPropertySlot or calling getOwnPropertySlot on cells
3335         from elsewhere would introduce bugs. Fortunately it is only ever called in this one place.
3336
3337         The fix here is to move getOwnPropertySlot onto JSObject and end this madness - cells don't have property
3338         slots anyway.
3339
3340         Interesting changes are in JSCJSValueInlines.h, JSString.cpp - the rest is pretty much all JSCell -> JSObject.
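
The three-step lookup described in this entry, as an added toy model that is not JSC's code (the class, prototype and property names are hypothetical stand-ins): getOwnPropertySlot lives on Object only, and a string cell gets a synthesized prototype instead of being cast to Object.

```cpp
// Toy model (not JSC's code) of JSValue::get after getOwnPropertySlot moved to objects.
#include <map>
#include <string>

struct Cell {
    virtual ~Cell() {}
    virtual bool isObject() const = 0;
};

// Only objects have property slots, so getOwnPropertySlot is declared here,
// not on Cell.
struct Object : Cell {
    std::map<std::string, int> own;      // own properties; ints stand in for JSValues
    const Object* prototype = nullptr;
    bool isObject() const override { return true; }
    bool getOwnPropertySlot(const std::string& name, int& out) const {
        std::map<std::string, int>::const_iterator it = own.find(name);
        if (it == own.end())
            return false;
        out = it->second;
        return true;
    }
};

// A string is a cell but not an object: it owns no property slots.
struct StringCell : Cell {
    std::string value;
    bool isObject() const override { return false; }
};

// A value is either a cell pointer or a non-cell (modelled here as a number).
struct Value {
    const Cell* cell = nullptr;
    double number = 0;
    bool isCell() const { return cell != nullptr; }
};

// The prototypes synthesized for values that are not objects.
struct Prototypes {
    Object number, string, object;
};

struct LookupResult {
    bool found;   // false models "undefined"
    int value;
};

LookupResult get(const Value& v, const std::string& name, const Prototypes& protos) {
    const Object* current;
    if (!v.isCell())
        current = &protos.number;                     // (1) non-cell: synthesize a prototype
    else if (v.cell->isObject())
        current = static_cast<const Object*>(v.cell); // the cast is safe only after this check
    else
        current = &protos.string;                     // string cell: synthesize its prototype too
    for (; current; current = current->prototype) {   // (2) own slot, then (3) walk the chain
        int out;
        if (current->getOwnPropertySlot(name, out))
            return LookupResult{true, out};
    }
    return LookupResult{false, 0};
}

enum class Kind { Number, String, Object };

// Builds a small chain (string -> object, number -> object) and performs one lookup.
LookupResult lookup(Kind kind, const std::string& name) {
    Prototypes p;
    p.object.own["hasOwnProperty"] = 1;
    p.string.own["toUpperCase"] = 2;
    p.string.prototype = &p.object;
    p.number.prototype = &p.object;
    StringCell str;
    str.value = "abc";
    Object obj;
    obj.own["x"] = 3;
    obj.prototype = &p.object;
    Value v;
    if (kind == Kind::Number)
        v.number = 42;
    else if (kind == Kind::String)
        v.cell = &str;
    else
        v.cell = &obj;
    return get(v, name, p);
}
```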
3341
3342 2013-07-31  Michael Saboff  <msaboff@apple.com>
3343
3344         [Win] JavaScript crash.
3345         https://bugs.webkit.org/show_bug.cgi?id=119339
3346
3347         Reviewed by Mark Hahnenberg.
3348
3349         * jit/JITStubsX86.h: Implement ctiVMThrowTrampoline and
3350         ctiVMThrowTrampolineSlowpath the same way as the gcc x86 version does.
3351
3352 2013-07-30  Mark Hahnenberg  <mhahnenberg@apple.com>
3353
3354         GetByVal on Arguments does the wrong size load when checking the Arguments object length
3355         https://bugs.webkit.org/show_bug.cgi?id=119281
3356
3357         Reviewed by Geoffrey Garen.
3358
3359         This leads to out of bounds accesses and subsequent crashes.
3360
3361         * dfg/DFGSpeculativeJIT.cpp:
3362         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
3363         * dfg/DFGSpeculativeJIT64.cpp:
3364         (JSC::DFG::SpeculativeJIT::compile):
3365
3366 2013-07-30  Oliver Hunt  <oliver@apple.com>
3367
3368         Add an assertion to SpeculateCellOperand
3369         https://bugs.webkit.org/show_bug.cgi?id=119276
3370
3371         Reviewed by Michael Saboff.
3372
3373         More assertions are better.
3374
3375         * dfg/DFGSpeculativeJIT64.cpp:
3376         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3377         (JSC::DFG::SpeculativeJIT::compile):
3378
3379 2013-07-30  Mark Lam  <mark.lam@apple.com>
3380
3381         Fix problems with divot and lineStart mismatches.
3382         https://bugs.webkit.org/show_bug.cgi?id=118662.
3383
3384         Reviewed by Oliver Hunt.
3385
3386         r152494 added the recording of lineStart values for divot positions.
3387         This is needed for the computation of column numbers. Similarly, it also
3388         added the recording of line numbers for the divot positions. One problem
3389         with the approach taken was that the line and lineStart values were
3390         recorded independently, and hence were not always guaranteed to be
3391         sampled at the same place that the divot position is recorded. This
3392         resulted in potential mismatches that cause some assertions to fail.
3393
3394         The solution is to introduce a JSTextPosition abstraction that records
3395         the divot position, line, and lineStart as a single quantity. Wherever
3396         we record the divot position as an unsigned int previously, we now record
3397         its JSTextPosition which captures all 3 values in one go. This ensures
3398         that the captured line and lineStart will always match the captured divot
3399         position.
3400
3401         * bytecompiler/BytecodeGenerator.cpp:
3402         (JSC::BytecodeGenerator::emitCall):
3403         (JSC::BytecodeGenerator::emitCallEval):
3404         (JSC::BytecodeGenerator::emitCallVarargs):
3405         (JSC::BytecodeGenerator::emitConstruct):
3406         (JSC::BytecodeGenerator::emitDebugHook):
3407         - Use JSTextPosition instead of passing line and lineStart explicitly.
3408         * bytecompiler/BytecodeGenerator.h:
3409         (JSC::BytecodeGenerator::emitExpressionInfo):