[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2011-09-21  Dan Bernstein  <mitz@apple.com>

        JavaScriptCore Part of: Prevent the WebKit frameworks from defining inappropriately-named Objective-C classes
        https://bugs.webkit.org/show_bug.cgi?id=68451

        Reviewed by Darin Adler.

        * JavaScriptCore.xcodeproj/project.pbxproj: Added a script build phase that invokes
        check-for-inappropriate-objc-class-names, allowing only class names prefixed with "JS".

2011-09-20  Gavin Barraclough  <barraclough@apple.com>

        MacroAssembler fixes.
        https://bugs.webkit.org/show_bug.cgi?id=68494

        Reviewed by Sam Weinig.

        Add X86-64's 3 operand or32 to other MacroAssembler, fix load32's [const] void* mismatch

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::orPtr):
        (JSC::MacroAssembler::loadPtr):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::or32):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::or32):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::or32):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::or32):
        (JSC::MacroAssemblerSH4::load32):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::load32):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::load32):

2011-09-20  Geoffrey Garen  <ggaren@apple.com>

        Some Heap cleanup.

        Reviewed by Beth Dakin.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::blessNewBlock): Removed blessNewBlockForSlowPath()
        because it was unused; renamed blessNewBlockForFastPath() to blessNewBlock()
        since there is only one now.

        * heap/MarkedBlock.h: Removed ownerSet-related stuff since it was unused.
        Updated mark bit overhead calculation. Deployed atomsPerBlock in one
        place where we were recalculating it.

        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::addBlock): Updated for rename.

2011-09-20  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT always speculates integer on modulo
        https://bugs.webkit.org/show_bug.cgi?id=68485

        Reviewed by Oliver Hunt.

        Added support for double modulo, which is a call to fmod().
        Also added support for recording the old JIT's statistics
        on op_mod and propagating them along the graph. Finally,
        fixed a goof in the ArithNodeFlags propagation logic that
        was made obvious when I started testing ArithMod.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasArithNodeFlags):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateArithNodeFlags):
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-20  ChangSeok Oh  <shivamidow@gmail.com>

        [GTK] requestAnimationFrame support for gtk port
        https://bugs.webkit.org/show_bug.cgi?id=66280

        Reviewed by Martin Robinson.

        Let GTK port use REQUEST_ANIMATION_FRAME_TIMER.

        * wtf/Platform.h:

2011-09-20  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT performs too many negative zero checks, and too many
        overflow checks
        https://bugs.webkit.org/show_bug.cgi?id=68430

        Reviewed by Oliver Hunt.

        This adds comprehensive support for deciding how to perform an
        arithmetic operations based on a combination of overflow profiling,
        negative zero profiling, value profiling, and a static analysis of
        how the results of these operations get used.

        This is a 72% speed-up on stanford-crypto-sha256-iterative, and a
        2.5% speed-up on the Kraken average, a 1.4% speed-up on the V8
        geomean, and neutral on SunSpider. It's also an 8.5% speed-up on
        V8-crypto, because apparently everything we do speeds up crypto.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::toInt32):
        (JSC::DFG::ByteCodeParser::toNumber):
        (JSC::DFG::ByteCodeParser::isSmallInt32Constant):
        (JSC::DFG::ByteCodeParser::valueOfInt32Constant):
        (JSC::DFG::ByteCodeParser::weaklyPredictInt32):
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::handleMinMax):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::processPhiStack):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
        * dfg/DFGNode.h:
        (JSC::DFG::nodeUsedAsNumber):
        (JSC::DFG::nodeCanTruncateInteger):
        (JSC::DFG::nodeCanIgnoreNegativeZero):
        (JSC::DFG::nodeCanSpeculateInteger):
        (JSC::DFG::arithNodeFlagsAsString):
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::hasArithNodeFlags):
        (JSC::DFG::Node::rawArithNodeFlags):
        (JSC::DFG::Node::arithNodeFlags):
        (JSC::DFG::Node::arithNodeFlagsForCompare):
        (JSC::DFG::Node::setArithNodeFlag):
        (JSC::DFG::Node::mergeArithNodeFlags):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::fixpoint):
        (JSC::DFG::Propagator::isNotNegZero):
        (JSC::DFG::Propagator::isNotZero):
        (JSC::DFG::Propagator::propagateArithNodeFlags):
        (JSC::DFG::Propagator::propagateArithNodeFlagsForward):
        (JSC::DFG::Propagator::propagateArithNodeFlagsBackward):
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::propagatePredictionsForward):
        (JSC::DFG::Propagator::propagatePredictionsBackward):
        (JSC::DFG::Propagator::toDouble):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::fixup):
        (JSC::DFG::Propagator::startIndexForChildren):
        (JSC::DFG::Propagator::endIndexForPureCSE):
        (JSC::DFG::Propagator::pureCSE):
        (JSC::DFG::Propagator::clobbersWorld):
        (JSC::DFG::Propagator::setReplacement):
        (JSC::DFG::Propagator::performNodeCSE):
        (JSC::DFG::Propagator::localCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):

2011-09-19  Oliver Hunt  <oliver@apple.com>

        Refactor Heap allocation logic into separate AllocationSpace class
        https://bugs.webkit.org/show_bug.cgi?id=68409

        Reviewed by Gavin Barraclough.

        This patch hoists direct manipulation of the MarkedSpace and related
        data out of Heap and into a separate class.  This will allow us to
        have multiple allocation spaces in future, so easing the way towards
        having GC'd backing stores for objects.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.gypi:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/Debugger.cpp:
        (JSC::Debugger::recompileAllJSFunctions):
        * heap/AllocationSpace.cpp: Added.
        (JSC::AllocationSpace::tryAllocate):
        (JSC::AllocationSpace::allocateSlowCase):
        (JSC::AllocationSpace::allocateBlock):
        (JSC::AllocationSpace::freeBlocks):
        (JSC::TakeIfEmpty::TakeIfEmpty):
        (JSC::TakeIfEmpty::operator()):
        (JSC::TakeIfEmpty::returnValue):
        (JSC::AllocationSpace::shrink):
        * heap/AllocationSpace.h: Added.
        (JSC::AllocationSpace::AllocationSpace):
        (JSC::AllocationSpace::blocks):
        (JSC::AllocationSpace::sizeClassFor):
        (JSC::AllocationSpace::setHighWaterMark):
        (JSC::AllocationSpace::highWaterMark):
        (JSC::AllocationSpace::canonicalizeBlocks):
        (JSC::AllocationSpace::resetAllocator):
        (JSC::AllocationSpace::forEachCell):
        (JSC::AllocationSpace::forEachBlock):
        (JSC::AllocationSpace::allocate):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::reportExtraMemoryCostSlowCase):
        (JSC::Heap::getConservativeRegisterRoots):
        (JSC::Heap::markRoots):
        (JSC::Heap::clearMarks):
        (JSC::Heap::sweep):
        (JSC::Heap::objectCount):
        (JSC::Heap::size):
        (JSC::Heap::capacity):
        (JSC::Heap::globalObjectCount):
        (JSC::Heap::objectTypeCounts):
        (JSC::Heap::collect):
        (JSC::Heap::canonicalizeBlocks):
        (JSC::Heap::resetAllocator):
        (JSC::Heap::freeBlocks):
        (JSC::Heap::shrink):
        * heap/Heap.h:
        (JSC::Heap::objectSpace):
        (JSC::Heap::sizeClassForObject):
        (JSC::Heap::allocate):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateBasicJSObject):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::recompileAllJSFunctions):
        (JSC::JSGlobalData::releaseExecutableMemory):

2011-09-19  Geoffrey Garen  <ggaren@apple.com>

        Removed BREWMP* platform #ifdefs
        https://bugs.webkit.org/show_bug.cgi?id=68425

        BREWMP* has no maintainer, and this is dead code.

        Reviewed by Darin Adler.

        * heap/MarkStack.h:
        (JSC::::shrinkAllocation):
        * jit/ExecutableAllocator.h:
        (JSC::ExecutableAllocator::cacheFlush):
        * runtime/TimeoutChecker.cpp:
        (JSC::getCPUTime):
        * wtf/Assertions.cpp:
        * wtf/Assertions.h:
        * wtf/CurrentTime.cpp:
        * wtf/DateMath.cpp:
        (WTF::calculateUTCOffset):
        * wtf/FastMalloc.cpp:
        (WTF::fastMalloc):
        (WTF::fastCalloc):
        (WTF::fastMallocSize):
        * wtf/FastMalloc.h:
        * wtf/MainThread.cpp:
        * wtf/MathExtras.h:
        * wtf/OwnPtrCommon.h:
        * wtf/Platform.h:
        * wtf/RandomNumber.cpp:
        (WTF::randomNumber):
        * wtf/RandomNumberSeed.h:
        (WTF::initializeRandomNumberGenerator):
        * wtf/text/WTFString.h:
        * wtf/unicode/Unicode.h:

2011-09-20  Adam Roben  <aroben@apple.com>

        Windows build fix after r95523

        * wtf/CheckedArithmetic.h: Added stdint.h so we can have int64_t defined.

2011-09-18  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not speculate aggressively enough on GetById
        https://bugs.webkit.org/show_bug.cgi?id=68320

        Reviewed by Oliver Hunt.

        This adds the ability to access properties directly, by offset.
        This optimization kicks in when at the time of DFG compilation,
        it appears that the given get_by_id is self-cached by the old JIT.
        Two new opcodes get introduced: CheckStructure and GetByOffset.
        CheckStructure performs a speculation check on the object's
        structure, and returns the storage pointer. GetByOffset performs
        a direct read of the field from the storage pointer. Both
        CheckStructure and GetByOffset can be CSE'd, so that we can
        eliminate redundant structure checks, and redundant reads of the
        same field.

        This is a 4% speed-up on V8, a 2% slow-down on Kraken, and
        neutral on SunSpider.

        * bytecode/PredictedType.cpp:
        (JSC::predictionFromClassInfo):
        (JSC::predictionFromStructure):
        (JSC::predictionFromCell):
        * bytecode/PredictedType.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::dataFormatToString):
        (JSC::DFG::needDataFormatConversion):
        (JSC::DFG::GenerationInfo::initStorage):
        (JSC::DFG::GenerationInfo::spill):
        (JSC::DFG::GenerationInfo::fillStorage):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predict):
        (JSC::DFG::Graph::getPrediction):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::fillInteger):
        (JSC::DFG::JITCodeGenerator::fillDouble):
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        (JSC::DFG::JITCodeGenerator::fillStorage):
        (JSC::DFG::GPRTemporary::GPRTemporary):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::silentSpillGPR):
        (JSC::DFG::JITCodeGenerator::silentFillGPR):
        (JSC::DFG::JITCodeGenerator::spill):
        (JSC::DFG::JITCodeGenerator::storageResult):
        (JSC::DFG::StorageOperand::StorageOperand):
        (JSC::DFG::StorageOperand::~StorageOperand):
        (JSC::DFG::StorageOperand::index):
        (JSC::DFG::StorageOperand::gpr):
        (JSC::DFG::StorageOperand::use):
        * dfg/DFGNode.h:
        (JSC::DFG::OpInfo::OpInfo):
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::hasPrediction):
        (JSC::DFG::Node::hasStructure):
        (JSC::DFG::Node::structure):
        (JSC::DFG::Node::hasStorageAccessData):
        (JSC::DFG::Node::storageAccessDataIndex):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNode):
        (JSC::DFG::Propagator::globalVarLoadElimination):
        (JSC::DFG::Propagator::getMethodLoadElimination):
        (JSC::DFG::Propagator::checkStructureLoadElimination):
        (JSC::DFG::Propagator::getByOffsetLoadElimination):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * wtf/StdLibExtras.h:
        (WTF::safeCast):

2011-09-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove toPrimitive from JSCell
        https://bugs.webkit.org/show_bug.cgi?id=67875

        Reviewed by Darin Adler.

        Part of the refactoring process to un-virtualize JSCell.  We move
        all of the implicit functionality provided by the virtual toPrimitive method
        in JSCell to be explicit in JSValue::toPrimitive and JSCell::toPrimitive while
360         also de-virtualizing JSCell::toPrimitive.
361
362         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
363         * runtime/JSCell.cpp:
364         (JSC::JSCell::toPrimitive):
365         * runtime/JSCell.h:
366
367         We replace JSNotAnObject::toPrimitive with defaultValue, which it overrides from 
368         JSObject.  This pushes the virtual method further down, enabling us to get rid 
369         of the virtual call in JSCell.  Eventually we'll probably have to deal with this
370         again, but we'll cross that bridge when we come to it.
371         * runtime/JSNotAnObject.cpp:
372         (JSC::JSNotAnObject::defaultValue):
373         * runtime/JSNotAnObject.h:
374         * runtime/JSObject.h:
375         * runtime/JSString.h:
376
377 2011-09-19  Geoffrey Garen  <ggaren@apple.com>
378
379         Removed ENABLE_LAZY_BLOCK_FREEING and related #ifdefs
380         https://bugs.webkit.org/show_bug.cgi?id=68424
381
382         As discussed on webkit-dev. All ports build with threads enabled in JSC now.
383         
384         This may break WinCE and other ports that have not built and tested with
385         this configuration. I've filed bugs for port maintainers. It's time for
386         WebKit to move forward.
387
388         Reviewed by Mark Rowe.
389
390         * heap/Heap.cpp:
391         (JSC::Heap::Heap):
392         (JSC::Heap::~Heap):
393         (JSC::Heap::destroy):
394         (JSC::Heap::blockFreeingThreadMain):
395         (JSC::Heap::allocateBlock):
396         (JSC::Heap::freeBlocks):
397         (JSC::Heap::releaseFreeBlocks):
398         * heap/Heap.h:
399         * wtf/Platform.h:
400
401 2011-09-19  Geoffrey Garen  <ggaren@apple.com>
402
403         Removed ENABLE_WTF_MULTIPLE_THREADS and related #ifdefs
404         https://bugs.webkit.org/show_bug.cgi?id=68423
405
406         As discussed on webkit-dev. All ports build with threads enabled in WTF now.
407         
408         This may break WinCE and other ports that have not built and tested with
409         this configuration. I've filed bugs for port maintainers. It's time for
410         WebKit to move forward.
411
412         Reviewed by Mark Rowe.
413
414         * wtf/CryptographicallyRandomNumber.cpp:
415         (WTF::ARC4Stream::ARC4RandomNumberGenerator::randomNumber):
416         (WTF::ARC4Stream::ARC4RandomNumberGenerator::randomValues):
417         * wtf/FastMalloc.cpp:
418         * wtf/Platform.h:
419         * wtf/RandomNumber.cpp:
420         (WTF::randomNumber):
421         * wtf/RefCountedLeakCounter.cpp:
422         (WTF::RefCountedLeakCounter::increment):
423         (WTF::RefCountedLeakCounter::decrement):
424         * wtf/ThreadingPthreads.cpp:
425         (WTF::initializeThreading):
426         * wtf/ThreadingWin.cpp:
427         (WTF::initializeThreading):
428         * wtf/dtoa.cpp:
429         (WTF::pow5mult):
430         * wtf/gtk/ThreadingGtk.cpp:
431         (WTF::initializeThreading):
432         * wtf/qt/ThreadingQt.cpp:
433         (WTF::initializeThreading):
434
435 2011-09-19  Geoffrey Garen  <ggaren@apple.com>
436
437         Removed ENABLE_JSC_MULTIPLE_THREADS and related #ifdefs.
438         https://bugs.webkit.org/show_bug.cgi?id=68422
439         
440         As discussed on webkit-dev. All ports build with threads enabled in JSC now.
441         
442         This may break WinCE and other ports that have not built and tested with
443         this configuration. I've filed bugs for port maintainers. It's time for
444         WebKit to move forward.
445
446         Reviewed by Sam Weinig.
447
448         * API/APIShims.h:
449         (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock):
450         * API/JSContextRef.cpp:
451         * heap/MachineStackMarker.cpp:
452         (JSC::MachineThreads::MachineThreads):
453         (JSC::MachineThreads::~MachineThreads):
454         (JSC::MachineThreads::gatherConservativeRoots):
455         * heap/MachineStackMarker.h:
456         * runtime/InitializeThreading.cpp:
457         (JSC::initializeThreadingOnce):
458         (JSC::initializeThreading):
459         * runtime/JSGlobalData.cpp:
460         (JSC::JSGlobalData::sharedInstance):
461         * runtime/JSGlobalData.h:
462         (JSC::JSGlobalData::makeUsableFromMultipleThreads):
463         * runtime/JSLock.cpp:
464         * runtime/Structure.cpp:
465         * wtf/Platform.h:
466
467 2011-09-19  Sheriff Bot  <webkit.review.bot@gmail.com>
468
469         Unreviewed, rolling out r95493 and r95496.
470         http://trac.webkit.org/changeset/95493
471         http://trac.webkit.org/changeset/95496
472         https://bugs.webkit.org/show_bug.cgi?id=68418
473
474         Broke Windows build (Requested by rniwa on #webkit).
475
476         * CMakeLists.txt:
477         * GNUmakefile.list.am:
478         * JavaScriptCore.exp:
479         * JavaScriptCore.gypi:
480         * JavaScriptCore.pro:
481         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
482         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
483         * JavaScriptCore.xcodeproj/project.pbxproj:
484         * debugger/Debugger.cpp:
485         (JSC::Debugger::recompileAllJSFunctions):
486         * heap/AllocationSpace.cpp: Removed.
487         * heap/AllocationSpace.h: Removed.
488         * heap/Heap.cpp:
489         (JSC::CountFunctor::TakeIfEmpty::TakeIfEmpty):
490         (JSC::CountFunctor::TakeIfEmpty::operator()):
491         (JSC::CountFunctor::TakeIfEmpty::returnValue):
492         (JSC::Heap::Heap):
493         (JSC::Heap::reportExtraMemoryCostSlowCase):
494         (JSC::Heap::tryAllocate):
495         (JSC::Heap::allocateSlowCase):
496         (JSC::Heap::getConservativeRegisterRoots):
497         (JSC::Heap::markRoots):
498         (JSC::Heap::clearMarks):
499         (JSC::Heap::sweep):
500         (JSC::Heap::objectCount):
501         (JSC::Heap::size):
502         (JSC::Heap::capacity):
503         (JSC::Heap::globalObjectCount):
504         (JSC::Heap::objectTypeCounts):
505         (JSC::Heap::collect):
506         (JSC::Heap::canonicalizeBlocks):
507         (JSC::Heap::resetAllocator):
508         (JSC::Heap::allocateBlock):
509         (JSC::Heap::freeBlocks):
510         (JSC::Heap::shrink):
511         * heap/Heap.h:
512         (JSC::Heap::markedSpace):
513         (JSC::Heap::forEachCell):
514         (JSC::Heap::forEachBlock):
515         (JSC::Heap::sizeClassFor):
516         (JSC::Heap::allocate):
517         * jit/JITInlineMethods.h:
518         (JSC::JIT::emitAllocateBasicJSObject):
519         * runtime/JSGlobalData.cpp:
520         (JSC::JSGlobalData::recompileAllJSFunctions):
521         (JSC::JSGlobalData::releaseExecutableMemory):
522
523 2011-09-19  Gavin Barraclough  <barraclough@apple.com>
524
525         Errrk, missed stylebot comments in last commit.
526
527         * runtime/StringPrototype.cpp:
528         (JSC::stringProtoFuncSplit):
529
530 2011-09-19  Gavin Barraclough  <barraclough@apple.com>
531
532         String#split is buggy
533         https://bugs.webkit.org/show_bug.cgi?id=68348
534
535         Reviewed by Sam Weinig.
536
537         * runtime/StringPrototype.cpp:
538         (JSC::jsStringWithReuse):
539             - added helper function to reuse original JSString value.
540         (JSC::stringProtoFuncSplit):
541             - Rewritten from the spec.
542         * tests/mozilla/ecma/String/15.5.4.8-2.js:
543         (getTestCases):
544             - This test is not ES5 compliant.
545
546 2011-09-19  Geoffrey Garen  <ggaren@apple.com>
547
548         Removed lots of friend declarations from JSCell, so we can more
549         effectively make use of private and protected.
550
551         Reviewed by Sam Weinig.
552
553         * runtime/JSCell.h: Removed MSVCBugWorkaround because it was a lot of
554         confusion for not much safety.
555         (JSC::JSCell::operator new): Made this public because it is used by a
556         few clients, and not really dangerous.
557
558         * runtime/JSObject.cpp:
559         (JSC::JSObject::put):
560         (JSC::JSObject::deleteProperty):
561         (JSC::JSObject::defineGetter):
562         (JSC::JSObject::defineSetter):
563         (JSC::JSObject::getPropertySpecificValue):
564         (JSC::JSObject::getOwnPropertyNames):
565         (JSC::JSObject::seal):
566         (JSC::JSObject::freeze):
567         (JSC::JSObject::preventExtensions):
568         (JSC::JSObject::removeDirect):
569         (JSC::JSObject::createInheritorID):
570         (JSC::JSObject::allocatePropertyStorage):
571         (JSC::JSObject::getOwnPropertyDescriptor):
572         * runtime/JSObject.h:
573         (JSC::JSObject::getDirect):
574         (JSC::JSObject::getDirectLocation):
575         (JSC::JSObject::hasCustomProperties):
576         (JSC::JSObject::hasGetterSetterProperties):
577         (JSC::JSObject::isSealed):
578         (JSC::JSObject::isFrozen):
579         (JSC::JSObject::isExtensible):
580         (JSC::JSObject::flattenDictionaryObject):
581         (JSC::JSObject::finishCreation):
582         (JSC::JSObject::prototype):
583         (JSC::JSObject::setPrototype):
584         (JSC::JSObject::inlineGetOwnPropertySlot):
585         (JSC::JSCell::fastGetOwnProperty):
586         (JSC::JSObject::putDirectInternal):
587         (JSC::JSObject::putDirectWithoutTransition):
588         (JSC::JSObject::transitionTo):
589         (JSC::JSObject::visitChildrenDirect): Changed all use of m_structure to
590         structure() / setStructure(), so we don't have to be a friend of JSCell.
591
592         * runtime/Structure.h:
593         (JSC::JSCell::setStructure): Added, to avoid direct access by JSObject
594         to JSCell::m_structure.
595
596 2011-09-19  Adam Barth  <abarth@webkit.org>
597
598         Always enable ENABLE(EVENTSOURCE)
599         https://bugs.webkit.org/show_bug.cgi?id=68414
600
601         Reviewed by Eric Seidel.
602
603         * Configurations/FeatureDefines.xcconfig:
604
605 2011-09-19  Eli Fidler  <efidler@rim.com>
606
607         Enable JSC_MULTIPLE_THREADS for OS(QNX).
608         https://bugs.webkit.org/show_bug.cgi?id=68047
609
610         Reviewed by Daniel Bates.
611
612         SA_RESTART was required for SIGUSR2-based debugging, but is not
613         present on QNX. This debugging doesn't seem critical to
614         JSC_MULTIPLE_THREADS, so allow it to proceed.
615
616         * heap/MachineStackMarker.cpp:
617         (JSC::MachineThreads::Thread::Thread):
618         (JSC::getPlatformThreadRegisters):
619         (JSC::otherThreadStackPointer):
620         (JSC::freePlatformThreadRegisters):
621         * wtf/Platform.h: enable PTHREADS for OS(QNX)
622
623 2011-09-19  Oliver Hunt  <oliver@apple.com>
624
625         Windows build fix.
626
627         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
628
629 2011-09-19  Oliver Hunt  <oliver@apple.com>
630
631         Refactor Heap allocation logic into separate AllocationSpace class
632         https://bugs.webkit.org/show_bug.cgi?id=68409
633
634         Reviewed by Gavin Barraclough.
635
636         This patch hoists direct manipulation of the MarkedSpace and related
637         data out of Heap and into a separate class.  This will allow us to
638         have multiple allocation spaces in future, so easing the way towards
639         having GC'd backing stores for objects.
640
641         * CMakeLists.txt:
642         * GNUmakefile.list.am:
643         * JavaScriptCore.exp:
644         * JavaScriptCore.gypi:
645         * JavaScriptCore.pro:
646         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
647         * JavaScriptCore.xcodeproj/project.pbxproj:
648         * debugger/Debugger.cpp:
649         (JSC::Debugger::recompileAllJSFunctions):
650         * heap/AllocationSpace.cpp: Added.
651         (JSC::AllocationSpace::tryAllocate):
652         (JSC::AllocationSpace::allocateSlowCase):
653         (JSC::AllocationSpace::allocateBlock):
654         (JSC::AllocationSpace::freeBlocks):
655         (JSC::TakeIfEmpty::TakeIfEmpty):
656         (JSC::TakeIfEmpty::operator()):
657         (JSC::TakeIfEmpty::returnValue):
658         (JSC::AllocationSpace::shrink):
659         * heap/AllocationSpace.h: Added.
660         (JSC::AllocationSpace::AllocationSpace):
661         (JSC::AllocationSpace::blocks):
662         (JSC::AllocationSpace::sizeClassFor):
663         (JSC::AllocationSpace::setHighWaterMark):
664         (JSC::AllocationSpace::highWaterMark):
665         (JSC::AllocationSpace::canonicalizeBlocks):
666         (JSC::AllocationSpace::resetAllocator):
667         (JSC::AllocationSpace::forEachCell):
668         (JSC::AllocationSpace::forEachBlock):
669         (JSC::AllocationSpace::allocate):
670         * heap/Heap.cpp:
671         (JSC::Heap::Heap):
672         (JSC::Heap::reportExtraMemoryCostSlowCase):
673         (JSC::Heap::getConservativeRegisterRoots):
674         (JSC::Heap::markRoots):
675         (JSC::Heap::clearMarks):
676         (JSC::Heap::sweep):
677         (JSC::Heap::objectCount):
678         (JSC::Heap::size):
679         (JSC::Heap::capacity):
680         (JSC::Heap::globalObjectCount):
681         (JSC::Heap::objectTypeCounts):
682         (JSC::Heap::collect):
683         (JSC::Heap::canonicalizeBlocks):
684         (JSC::Heap::resetAllocator):
685         (JSC::Heap::freeBlocks):
686         (JSC::Heap::shrink):
687         * heap/Heap.h:
688         (JSC::Heap::objectSpace):
689         (JSC::Heap::sizeClassForObject):
690         (JSC::Heap::allocate):
691         * jit/JITInlineMethods.h:
692         (JSC::JIT::emitAllocateBasicJSObject):
693         * runtime/JSGlobalData.cpp:
694         (JSC::JSGlobalData::recompileAllJSFunctions):
695         (JSC::JSGlobalData::releaseExecutableMemory):
696
697 2011-09-19  Adam Roben  <aroben@apple.com>
698
699         Windows build fix after r95310
700
701         * JavaScriptCore.vcproj/testRegExp/testRegExpCommon.vsprops: Added
702         include\private\JavaScriptCore to the include path so DFGIntrinsic.h can be found.
703
704 2011-09-19  Filip Pizlo  <fpizlo@apple.com>
705
706         DFG speculation failures should act as additional value profiles
707         https://bugs.webkit.org/show_bug.cgi?id=68335
708
709         Reviewed by Oliver Hunt.
710         
711         This adds slow-case counters to the old JIT. It also ensures that
712         negative zero in multiply is handled carefully. The old JIT
713         previously took slow path if the result of a multiply was zero,
714         which, without any changes, would cause the DFG to think that
715         every such multiply produced a double result.
716         
717         This also fixes a bug in the old JIT's handling of decrements. It
718         would take the slow path if the result was zero, but not if it
719         underflowed.
720         
721         By itself, this would be a 1% slow-down on V8 and Kraken. But then
722         I wrote optimizations in the DFG that take advantage of this new
723         information. It's no longer the case that every multiply needs to
724         do a check for negative zero; it only happens if the negative
725         zero is ignored.
726         
727         This results in a 12% speed-up on v8-crypto, for a 1.4% geomean
728         speed-up in V8. It's mostly neutral on Kraken. I can see an
729         0.5% slow-down and it appears to be significant.
730
731         * bytecode/CodeBlock.cpp:
732         (JSC::CodeBlock::resetRareCaseProfiles):
733         (JSC::CodeBlock::dumpValueProfiles):
734         * bytecode/CodeBlock.h:
735         * bytecode/ValueProfile.h:
736         (JSC::RareCaseProfile::RareCaseProfile):
737         (JSC::getRareCaseProfileBytecodeOffset):
738         * dfg/DFGByteCodeParser.cpp:
739         (JSC::DFG::ByteCodeParser::toInt32):
740         (JSC::DFG::ByteCodeParser::makeSafe):
741         (JSC::DFG::ByteCodeParser::parseBlock):
742         * dfg/DFGJITCodeGenerator.cpp:
743         (JSC::DFG::GPRTemporary::GPRTemporary):
744         * dfg/DFGJITCodeGenerator.h:
745         * dfg/DFGNode.h:
746         * dfg/DFGPropagator.cpp:
747         (JSC::DFG::Propagator::propagateNode):
748         (JSC::DFG::Propagator::fixupNode):
749         (JSC::DFG::Propagator::clobbersWorld):
750         (JSC::DFG::Propagator::performNodeCSE):
751         * dfg/DFGSpeculativeJIT.cpp:
752         (JSC::DFG::SpeculativeJIT::compile):
753         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
754         * jit/JIT.cpp:
755         (JSC::JIT::privateCompileSlowCases):
756         * jit/JIT.h:
757         (JSC::JIT::linkDummySlowCase):
758         * jit/JITArithmetic.cpp:
759         (JSC::JIT::emit_op_post_dec):
760         (JSC::JIT::emit_op_pre_dec):
761         (JSC::JIT::compileBinaryArithOp):
762         (JSC::JIT::emit_op_add):
763         (JSC::JIT::emitSlow_op_add):
764         * jit/JITInlineMethods.h:
765         (JSC::JIT::addSlowCase):
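
        The int32 fast-path checks this entry describes (multiply overflow and negative zero, decrement underflow, and a slow-case counter feeding the speculation decision), as an added reference model in JavaScript. This is not JavaScriptCore code; the function names, the RareCaseProfile shape and the 10% rarity threshold are hypothetical.

```javascript
// Added example (not JavaScriptCore code): a reference model of the int32
// fast-path checks described in the entry. All names are hypothetical.
const INT32_MIN = -2147483648;
const INT32_MAX = 2147483647;

// Speculative int32 multiply. Returns { value } on the fast path, or
// { bailout } naming the slow case a JIT would have to take.
function mulInt32(a, b, negativeZeroIgnored = false) {
  // Exact below 2^53; larger magnitudes still compare correctly against the
  // int32 bounds, which is all the overflow check needs.
  const product = a * b;
  if (product > INT32_MAX || product < INT32_MIN) {
    return { bailout: 'overflow' };
  }
  // A zero product with a negative operand is -0, which int32 cannot
  // represent. The entry's optimization: only bail if some consumer can
  // observe the sign of zero; otherwise +0 is a correct int32 result.
  if (product === 0 && (a < 0 || b < 0) && !negativeZeroIgnored) {
    return { bailout: 'negative-zero' };
  }
  return { value: product === 0 ? 0 : product }; // normalise -0 to +0
}

// Speculative int32 decrement. The old-JIT bug in the entry: bailing on a
// zero result (harmless but wasteful) while missing the real underflow.
function decInt32(a) {
  if (a === INT32_MIN) {
    return { bailout: 'underflow' }; // INT32_MIN - 1 is not an int32
  }
  return { value: a - 1 };
}

// Slow-case counter for one arithmetic site ("rare case profile").
class RareCaseProfile {
  constructor(bytecodeOffset) {
    this.bytecodeOffset = bytecodeOffset;
    this.slowCaseCount = 0;
    this.executionCount = 0;
  }

  // Wrap each execution of the site so slow cases are counted.
  record(result) {
    this.executionCount++;
    if (result.bailout) this.slowCaseCount++;
    return result;
  }

  // The compiler's decision: keep speculating int32 only if the slow path
  // was rare; otherwise treat the op as producing a double.
  // The threshold value is hypothetical.
  shouldSpeculateInt32(rareThreshold = 0.1) {
    if (this.executionCount === 0) return true; // no evidence against int32
    return this.slowCaseCount / this.executionCount <= rareThreshold;
  }
}
```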
766
767 2011-09-19  Adam Roben  <aroben@apple.com>
768
769         Windows build fix after r94575
770
771         * JavaScriptCore.vcproj/JavaScriptCore.sln: Relinearized project dependencies. testRegExp
772         now builds just before FindSafari.
773
774 2011-09-19  Sheriff Bot  <webkit.review.bot@gmail.com>
775
776         Unreviewed, rolling out r95466.
777         http://trac.webkit.org/changeset/95466
778         https://bugs.webkit.org/show_bug.cgi?id=68389
779
780         Incorrect version of the patch. (Requested by mhahnenberg on
781         #webkit).
782
783         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
784         * runtime/JSCell.cpp:
785         (JSC::JSCell::toPrimitive):
786         * runtime/JSCell.h:
787         (JSC::JSCell::JSValue::toPrimitive):
788         * runtime/JSNotAnObject.cpp:
789         (JSC::JSNotAnObject::toPrimitive):
790         * runtime/JSNotAnObject.h:
791         * runtime/JSObject.h:
792         * runtime/JSString.h:
793
794 2011-09-19  Mark Hahnenberg  <mhahnenberg@apple.com>
795
796         Remove toPrimitive from JSCell
797         https://bugs.webkit.org/show_bug.cgi?id=67875
798
799         Reviewed by Geoffrey Garen.
800
801         Part of the refactoring process to un-virtualize JSCell.  We move
802         all of the implicit functionality provided by the virtual toPrimitive method
803         in JSCell to be explicit in JSValue::toPrimitive and JSCell::toPrimitive while
804         also de-virtualizing JSCell::toPrimitive.
805
806         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
807         * runtime/JSCell.cpp:
808         (JSC::JSCell::toPrimitive):
809         * runtime/JSCell.h:
810
811         We replace JSNotAnObject::toPrimitive with defaultValue, which it overrides from 
812         JSObject.  This pushes the virtual method further down, enabling us to get rid 
813         of the virtual call in JSCell.  Eventually we'll probably have to deal with this
814         again, but we'll cross that bridge when we come to it.
815         * runtime/JSNotAnObject.cpp:
816         (JSC::JSNotAnObject::defaultValue):
817         * runtime/JSNotAnObject.h:
818         * runtime/JSObject.h:
819         * runtime/JSString.h:
820         (JSC::JSValue::toPrimitive):
821
822 2011-09-19  Oliver Hunt  <oliver@apple.com>
823
824         Build fix.
825
826         * jit/JITPropertyAccess32_64.cpp:
827         (JSC::JIT::compileGetDirectOffset):
828
829 2011-09-19  Oliver Hunt  <oliver@apple.com>
830
831         Rename NewSpace.{h,cpp} to MarkedSpace.{h,cpp}
832         https://bugs.webkit.org/show_bug.cgi?id=68376
833
834         Reviewed by Gavin Barraclough.
835
836         Renamed the MarkedSpace files to match the new name, and
837         updated the relevant references.
838
839         * CMakeLists.txt:
840         * GNUmakefile.list.am:
841         * JavaScriptCore.gypi:
842         * JavaScriptCore.pro:
843         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
844         * JavaScriptCore.xcodeproj/project.pbxproj:
845         * heap/Heap.h:
846         * heap/MarkedSpace.cpp: Renamed from Source/JavaScriptCore/heap/NewSpace.cpp.
847         (JSC::MarkedSpace::MarkedSpace):
848         (JSC::MarkedSpace::addBlock):
849         (JSC::MarkedSpace::removeBlock):
850         (JSC::MarkedSpace::resetAllocator):
851         (JSC::MarkedSpace::canonicalizeBlocks):
852         * heap/MarkedSpace.h: Renamed from Source/JavaScriptCore/heap/NewSpace.h.
853         (JSC::MarkedSpace::waterMark):
854         (JSC::MarkedSpace::highWaterMark):
855         (JSC::MarkedSpace::setHighWaterMark):
856         (JSC::MarkedSpace::sizeClassFor):
857         (JSC::MarkedSpace::allocate):
858         (JSC::MarkedSpace::forEachBlock):
859         (JSC::MarkedSpace::SizeClass::SizeClass):
860         (JSC::MarkedSpace::SizeClass::resetAllocator):
861         (JSC::MarkedSpace::SizeClass::canonicalizeBlock):
862         * runtime/JSCell.h:
863
864 2011-09-19  Oliver Hunt  <oliver@apple.com>
865
866         Rename NewSpace to MarkedSpace
867         https://bugs.webkit.org/show_bug.cgi?id=68375
868
869         Reviewed by Gavin Barraclough.
870
871         Rename NewSpace to a more accurate name, and update all uses.
872         This patch doesn't rename the files themselves as that will
873         just make the patch appear bigger than it is.
874
875         * JavaScriptCore.exp:
876         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
877         * heap/Heap.cpp:
878         (JSC::CountFunctor::TakeIfEmpty::TakeIfEmpty):
879         (JSC::CountFunctor::TakeIfEmpty::operator()):
880         (JSC::Heap::Heap):
881         (JSC::Heap::reportExtraMemoryCostSlowCase):
882         (JSC::Heap::tryAllocate):
883         (JSC::Heap::allocateSlowCase):
884         (JSC::Heap::collect):
885         (JSC::Heap::canonicalizeBlocks):
886         (JSC::Heap::resetAllocator):
887         (JSC::Heap::isValidAllocation):
888         (JSC::Heap::shrink):
889         * heap/Heap.h:
890         (JSC::Heap::markedSpace):
891         (JSC::Heap::sizeClassFor):
892         (JSC::Heap::allocate):
893         * heap/NewSpace.cpp:
894         (JSC::MarkedSpace::MarkedSpace):
895         (JSC::MarkedSpace::addBlock):
896         (JSC::MarkedSpace::removeBlock):
897         (JSC::MarkedSpace::resetAllocator):
898         (JSC::MarkedSpace::canonicalizeBlocks):
899         * heap/NewSpace.h:
900         (JSC::MarkedSpace::waterMark):
901         (JSC::MarkedSpace::highWaterMark):
902         (JSC::MarkedSpace::setHighWaterMark):
903         (JSC::MarkedSpace::sizeClassFor):
904         (JSC::MarkedSpace::allocate):
905         (JSC::MarkedSpace::forEachBlock):
906         (JSC::MarkedSpace::SizeClass::SizeClass):
907         (JSC::MarkedSpace::SizeClass::resetAllocator):
908         (JSC::MarkedSpace::SizeClass::canonicalizeBlock):
909         * jit/JITInlineMethods.h:
910         (JSC::JIT::emitAllocateBasicJSObject):
911
912 2011-09-19  Peter Rybin  <peter.rybin@gmail.com>
913
914         TextPosition refactoring: Merge ZeroBasedNumber and OneBasedNumber classes
915         https://bugs.webkit.org/show_bug.cgi?id=63541
916
917         Reviewed by Adam Barth.
918
919         * parser/SourceProvider.h:
920         (JSC::SourceProvider::startPosition):
921         * wtf/text/TextPosition.h:
922         (WTF::OrdinalNumber::fromZeroBasedInt):
923         (WTF::OrdinalNumber::fromOneBasedInt):
924         (WTF::OrdinalNumber::OrdinalNumber):
925         (WTF::OrdinalNumber::zeroBasedInt):
926         (WTF::OrdinalNumber::oneBasedInt):
927         (WTF::OrdinalNumber::operator==):
928         (WTF::OrdinalNumber::operator!=):
929         (WTF::OrdinalNumber::first):
930         (WTF::OrdinalNumber::beforeFirst):
931         (WTF::TextPosition::TextPosition):
932         (WTF::TextPosition::minimumPosition):
933         (WTF::TextPosition::belowRangePosition):
934
935 2011-09-19  Dan Bernstein  <mitz@apple.com>
936
937         JavaScriptCore part of [mac] WebKit contains Objective-C classes that are not prefixed with its standard prefixes
938         https://bugs.webkit.org/show_bug.cgi?id=68323
939
940         Reviewed by Sam Weinig.
941
942         Renamed WTFMainThreadCaller to JSWTFMainThreadCaller.
943
944         * wtf/mac/MainThreadMac.mm:
945         (WTF::initializeMainThreadPlatform):
946         (WTF::initializeMainThreadToProcessMainThreadPlatform):
947
948 2011-09-19  Oliver Hunt  <oliver@apple.com>
949
950         Remove direct property slot pointers from the instruction stream
951         https://bugs.webkit.org/show_bug.cgi?id=68373
952
953         Reviewed by Gavin Barraclough.
954
955         Use an indirect load to access prototype properties rather than directly
956         storing the property address in the instruction stream.  This should allow
957         further optimisations in future, and also provides a 0.5% win to SunSpider.
958
959         * dfg/DFGRepatch.cpp:
960         (JSC::DFG::generateProtoChainAccessStub):
961         * jit/JITPropertyAccess.cpp:
962         (JSC::JIT::compileGetDirectOffset):
963         * jit/JITPropertyAccess32_64.cpp:
964         (JSC::JIT::compileGetDirectOffset):
965         * runtime/JSObject.h:
966         (JSC::JSObject::addressOfPropertyStorage):
967
968 2011-09-19  Oliver Hunt  <oliver@apple.com>
969
970         Remove bump allocator
971         https://bugs.webkit.org/show_bug.cgi?id=68370
972
973         Reviewed by Sam Weinig.
974
975         Can't do anything with this allocator currently, and it's
976         increasing the complexity of the GC code.  Slight progression
977         on SunSpider, slight regression (undoing the original progression)
978         in V8.
979
980         * heap/Heap.cpp:
981         (JSC::Heap::collect):
982         * heap/Heap.h:
983         * heap/NewSpace.cpp:
984         (JSC::NewSpace::NewSpace):
985         * heap/NewSpace.h:
986         (JSC::NewSpace::allocate):
987         * runtime/JSObject.cpp:
988         (JSC::JSObject::allocatePropertyStorage):
989         * runtime/JSObject.h:
990         (JSC::JSObject::~JSObject):
991         (JSC::JSObject::visitChildrenDirect):
992         * runtime/StorageBarrier.h:
993         (JSC::StorageBarrier::set):
994
995 2011-09-19  Carlos Garcia Campos  <cgarcia@igalia.com>
996
997         [GTK] Fix distcheck build
998         https://bugs.webkit.org/show_bug.cgi?id=68346
999
1000         Reviewed by Philippe Normand.
1001
1002         * GNUmakefile.list.am:
1003
1004 2011-09-19  Carlos Garcia Campos  <cgarcia@igalia.com>
1005
1006         [GTK] Fix distcheck build
1007         https://bugs.webkit.org/show_bug.cgi?id=68241
1008
1009         Reviewed by Martin Robinson.
1010
1011         * GNUmakefile.list.am:
1012
1013 2011-09-18  Dan Bernstein  <mitz@apple.com>
1014
1015         Removed ProfilerServer.
1016
1017         Reviewed by Mark Rowe.
1018
1019         * JavaScriptCore.gypi:
1020         * JavaScriptCore.xcodeproj/project.pbxproj:
1021         * profiler/ProfilerServer.h: Removed.
1022         * profiler/ProfilerServer.mm: Removed.
1023         * runtime/JSGlobalData.cpp:
1024         (JSC::JSGlobalData::JSGlobalData):
1025         * wscript:
1026
1027 2011-09-17  Filip Pizlo  <fpizlo@apple.com>
1028
1029         DFG JIT should inline Math.min, Math.max, and Math.sqrt
1030         https://bugs.webkit.org/show_bug.cgi?id=68318
1031
1032         Reviewed by Gavin Barraclough.
1033         
1034         Adds Math.min, Math.max, and Math.sqrt intrinsics. Adds support for
1035         a function to have an intrinsic but not a thunk generator. This is
1036         a 7% speed-up on access-nbody, and neutral elsewhere, mainly because
1037         we're still not DFG compiling the bulk of the hot code in Kraken audio
1038         benchmarks.
1039
1040         * create_hash_table:
1041         * dfg/DFGByteCodeParser.cpp:
1042         (JSC::DFG::ByteCodeParser::handleMinMax):
1043         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1044         * dfg/DFGIntrinsic.h:
1045         * dfg/DFGNode.h:
1046         * dfg/DFGPropagator.cpp:
1047         (JSC::DFG::Propagator::propagateNode):
1048         (JSC::DFG::Propagator::fixupNode):
1049         * dfg/DFGSpeculativeJIT.cpp:
1050         (JSC::DFG::SpeculativeJIT::compile):
1051         * jit/JITStubs.cpp:
1052         (JSC::JITThunks::hostFunctionStub):
1053         * runtime/Lookup.cpp:
1054         (JSC::setUpStaticFunctionSlot):
1055
1056 2011-09-18  Nico Weber  <thakis@chromium.org>
1057
1058         Remove two files from JavaScriptCore.gypi that were removed in r95240
1059         https://bugs.webkit.org/show_bug.cgi?id=68327
1060
1061         Unreviewed, build warning fix.
1062
1063         * JavaScriptCore.gypi:
1064
1065 2011-09-17  Oliver Hunt  <oliver@apple.com>
1066
1067         Remove special case handling of inline storage from the JIT
1068         https://bugs.webkit.org/show_bug.cgi?id=68319
1069
1070         Reviewed by Gavin Barraclough.
1071
1072         Simplify logic used for reading and writing to property storage
1073         by removing the special cases for inline storage.  This has no
1074         perf impact.
1075
1076         * dfg/DFGRepatch.cpp:
1077         (JSC::DFG::generateProtoChainAccessStub):
1078         (JSC::DFG::tryBuildGetByIDList):
1079         * jit/JIT.h:
1080         * jit/JITPropertyAccess.cpp:
1081         (JSC::JIT::compilePutDirectOffset):
1082         (JSC::JIT::compileGetDirectOffset):
1083         (JSC::JIT::privateCompilePutByIdTransition):
1084         (JSC::JIT::privateCompileGetByIdSelfList):
1085         * jit/JITPropertyAccess32_64.cpp:
1086         (JSC::JIT::compilePutDirectOffset):
1087         (JSC::JIT::compileGetDirectOffset):
1088         (JSC::JIT::privateCompilePutByIdTransition):
1089         (JSC::JIT::privateCompileGetByIdSelfList):
1090
1091 2011-09-17  Filip Pizlo  <fpizlo@apple.com>
1092
1093         DFG JIT does not have full block-local CSE
1094         https://bugs.webkit.org/show_bug.cgi?id=68316
1095
1096         Reviewed by Oliver Hunt.
1097         
1098         This adds block-local CSE to the DFG. CSE runs in the propagator just after
1099         type propagation. It is part of the propagator itself because it needs to
1100         use the propagator's internal data structures to determine which operations
1101         may have side effects. Because it changes the live-ranges of nodes, the
1102         virtual register allocator had to be moved into the propagator so that it
1103         runs after CSE. To ensure that the back-end knows to keep the inputs to
1104         any eliminated node alive for OSR, a new node type, Phantom, was introduced.
1105         It is a no-op but prolongs the live-range of its inputs.
1106         
1107         This is an 80% speed-up on imaging-gaussian-blur, and a 10% speed-up on
1108         Kraken.
1109         
1110         * JavaScriptCore.xcodeproj/project.pbxproj:
1111         * dfg/DFGAliasTracker.h: Removed.
1112         * dfg/DFGByteCodeParser.cpp:
1113         (JSC::DFG::ByteCodeParser::parseBlock):
1114         (JSC::DFG::ByteCodeParser::parse):
1115         * dfg/DFGGraph.cpp:
1116         (JSC::DFG::Graph::dump):
1117         * dfg/DFGGraph.h:
1118         (JSC::DFG::MethodCheckData::operator==):
1119         (JSC::DFG::MethodCheckData::operator!=):
1120         * dfg/DFGNode.h:
1121         (JSC::DFG::Node::hasVirtualRegister):
1122         (JSC::DFG::Node::setRefCount):
1123         * dfg/DFGPropagator.cpp:
1124         (JSC::DFG::Propagator::Propagator):
1125         (JSC::DFG::Propagator::fixpoint):
1126         (JSC::DFG::Propagator::propagateNode):
1127         (JSC::DFG::Propagator::canonicalize):
1128         (JSC::DFG::Propagator::computeStartIndex):
1129         (JSC::DFG::Propagator::startIndex):
1130         (JSC::DFG::Propagator::pureCSE):
1131         (JSC::DFG::Propagator::globalVarLoadElimination):
1132         (JSC::DFG::Propagator::getByValLoadElimination):
1133         (JSC::DFG::Propagator::getMethodLoadElimination):
1134         (JSC::DFG::Propagator::performSubstitution):
1135         (JSC::DFG::Propagator::setReplacement):
1136         (JSC::DFG::Propagator::performNodeCSE):
1137         (JSC::DFG::Propagator::performBlockCSE):
1138         (JSC::DFG::Propagator::localCSE):
1139         (JSC::DFG::Propagator::allocateVirtualRegisters):
1140         (JSC::DFG::propagate):
1141         * dfg/DFGSpeculativeJIT.cpp:
1142         (JSC::DFG::SpeculativeJIT::compile):
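
        A toy block-local CSE pass modelled on the description in this entry (pure-node elimination, global-var load elimination cut off by a world-clobbering op, and Phantom nodes that prolong the live-range of eliminated nodes' inputs), as an added JavaScript example. This is not WebKit code; the op names, node shapes and the sample block are hypothetical simplifications.

```javascript
// Added example (not WebKit code): a toy block-local CSE in the spirit of
// the entry. Ops, node shapes and the sample block are hypothetical.
const PURE_OPS = new Set(['JSConstant', 'ArithAdd', 'ArithMul']);
const CLOBBERING_OPS = new Set(['Call']); // may write any global variable

// Identity of a pure node: op, (already substituted) children, payload.
function nodeKey(node) {
  const payload = 'value' in node ? `=${node.value}` : '';
  return `${node.op}(${node.children.join(',')})${payload}`;
}

// Walk backwards for an earlier load of the same global; give up as soon
// as an op that may clobber the world separates the two loads.
function globalVarLoadElimination(block, index) {
  for (let j = index - 1; j >= 0; j--) {
    const earlier = block[j];
    if (CLOBBERING_OPS.has(earlier.op)) return undefined;
    if (earlier.op === 'GetGlobalVar' && earlier.name === block[index].name) {
      return j;
    }
  }
  return undefined;
}

// Runs CSE over one block in place. Returns a Map from eliminated node
// index to the index of the surviving node that replaces it.
function localCSE(block) {
  const replacement = new Map();
  const seenPure = new Map(); // nodeKey -> index of the surviving node
  for (let i = 0; i < block.length; i++) {
    const node = block[i];
    // performSubstitution: redirect uses of eliminated nodes to survivors.
    node.children = node.children.map(c => replacement.get(c) ?? c);
    let survivor;
    if (PURE_OPS.has(node.op)) {
      const key = nodeKey(node);
      if (seenPure.has(key)) survivor = seenPure.get(key);
      else seenPure.set(key, i);
    } else if (node.op === 'GetGlobalVar') {
      survivor = globalVarLoadElimination(block, i);
    }
    if (survivor !== undefined) {
      replacement.set(i, survivor);
      // Phantom: a no-op that keeps the eliminated node's inputs alive at
      // this point so an OSR exit here can still recover them.
      block[i] = { op: 'Phantom', children: node.children };
    }
  }
  return replacement;
}

// Index of the last use of each node (end of its live-range), -1 if unused.
// countPhantoms=false shows what liveness would be without Phantom nodes.
function lastUse(block, countPhantoms = true) {
  const last = block.map(() => -1);
  block.forEach((node, i) => {
    if (!countPhantoms && node.op === 'Phantom') return;
    for (const c of node.children) last[c] = Math.max(last[c], i);
  });
  return last;
}

// Constructed sample block: x * 2 computed twice before a call and once
// after it. Children are indices into the block.
function sampleBlock() {
  return [
    { op: 'JSConstant', value: 2, children: [] },    // 0
    { op: 'GetGlobalVar', name: 'x', children: [] }, // 1
    { op: 'ArithMul', children: [1, 0] },            // 2
    { op: 'GetGlobalVar', name: 'x', children: [] }, // 3  dup of 1
    { op: 'JSConstant', value: 2, children: [] },    // 4  dup of 0
    { op: 'ArithMul', children: [3, 4] },            // 5  becomes dup of 2
    { op: 'Call', children: [] },                    // 6  clobbers world
    { op: 'GetGlobalVar', name: 'x', children: [] }, // 7  must reload
    { op: 'ArithMul', children: [7, 4] },            // 8  new value
    { op: 'ArithAdd', children: [5, 8] },            // 9
    { op: 'Return', children: [9] },                 // 10
  ];
}
```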
1143
1144 2011-09-16  Filip Pizlo  <fpizlo@apple.com>
1145
1146         method_check should repatch itself if it finds that the new structure(s)
1147         are the result of transitions from the old structure(s)
1148         https://bugs.webkit.org/show_bug.cgi?id=68294
1149
1150         Reviewed by Gavin Barraclough.
1151         
1152         Previously a patched method_check would slow-path to get_by_id. Now it
1153         slow-paths to method_check_update, which attempts to correct the
1154         method_check due to structure transitions before bailing to get_by_id.
1155         
1156         This is a 1-2% speed-up on some benchmarks and is not a slow-down
1157         anywhere, leading to a 0.6% speed-up on the Kraken geomean.
1158
1159         * jit/JITPropertyAccess.cpp:
1160         (JSC::JIT::patchMethodCallProto):
1161         * jit/JITStubs.cpp:
1162         (JSC::DEFINE_STUB_FUNCTION):
1163         * jit/JITStubs.h:
1164         * runtime/Structure.h:
1165         (JSC::Structure::transitivelyTransitionedFrom):
1166
1167 2011-09-16  Ryosuke Niwa  <rniwa@webkit.org>
1168
1169         Touch Platform.h in the hope of fixing SnowLeopard Intel Release (WebKit2 Tests).
1170
1171         * wtf/Platform.h:
1172
1173 2011-09-16  Sam Weinig  <sam@webkit.org>
1174
1175         Rename APIValueWrapper type to APIValueWrapperType for consistency
1176         https://bugs.webkit.org/show_bug.cgi?id=68306
1177
1178         Reviewed by Anders Carlsson.
1179
1180         * runtime/JSAPIValueWrapper.h:
1181         (JSC::JSAPIValueWrapper::createStructure):
1182         Update name.
1183
1184         * runtime/JSType.h:
1185         Update name and un-indent.
1186
1187         * runtime/Structure.h:
1188         (JSC::JSCell::isAPIValueWrapper):
1189         Update name.
1190
1191 2011-09-16  Sam Weinig  <sam@webkit.org>
1192
1193         Remove unused isStrictModeFunction function
1194         https://bugs.webkit.org/show_bug.cgi?id=68305
1195
1196         Reviewed by Anders Carlsson.
1197
1198         * runtime/JSObject.h:
1199         (JSC::JSObject::isStrictModeFunction):
1200
1201 2011-09-16  Sam Weinig  <sam@webkit.org>
1202
1203         Cleanup JSTypeInfo a bit
1204         https://bugs.webkit.org/show_bug.cgi?id=68289
1205
1206         Reviewed by Anders Carlsson.
1207
1208         * dfg/DFGOperations.cpp:
1209         * jit/JITStubs.cpp:
1210         (JSC::DEFINE_STUB_FUNCTION):
1211         Replace direct access to flags() with predicate.
1212
1213         * runtime/JSObject.h:
1214         (JSC::JSFinalObject::createStructure):
1215         Pass FinalObjectType instead of using special IsJSFinalObject.
1216
1217         * runtime/JSTypeInfo.h:
1218         (JSC::TypeInfo::TypeInfo):
1219         Add an additional assert that no object should have OverridesHasInstance set without also having ImplementsHasInstance set.
1220
1221         (JSC::TypeInfo::isFinalObject):
1222         Added.
1223
1224         (JSC::TypeInfo::masqueradesAsUndefined):
1225         (JSC::TypeInfo::implementsHasInstance):
1226         (JSC::TypeInfo::isEnvironmentRecord):
1227         (JSC::TypeInfo::overridesHasInstance):
1228         (JSC::TypeInfo::implementsDefaultHasInstance):
1229         (JSC::TypeInfo::overridesGetOwnPropertySlot):
1230         (JSC::TypeInfo::overridesVisitChildren):
1231         (JSC::TypeInfo::overridesGetPropertyNames):
1232         (JSC::TypeInfo::prohibitsPropertyCaching):
1233         (JSC::TypeInfo::isSetOnFlags1):
1234         (JSC::TypeInfo::isSetOnFlags2):
1235         Replace direct bit twiddling with helper functions.
1236
1237         * runtime/Structure.cpp:
1238         (JSC::Structure::Structure):
1239         Use new isFinalObject() predicate.
1240
1241 2011-09-16  Gavin Barraclough  <barraclough@apple.com>
1242
1243         Unsigned bit shift fails under certain conditions in 32 bit builds
1244         https://bugs.webkit.org/show_bug.cgi?id=68166
1245
1246         Reviewed by Geoff Garen.
1247
1248         The major bug here is that the slow case (which handles shifts of
1249         doubles) doesn't check for negative results from an unsigned shift
1250         (which should be unsigned, and as such can't be represented by a
1251         signed integer immediate).  The implementation is also flawed for
1252         shifts by negative shift amounts (treats as shift by zero).
1253
1254         * jit/JITArithmetic32_64.cpp:
1255         (JSC::JIT::emitRightShift):
1256         (JSC::JIT::emitRightShiftSlowCase):
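
        A reference model of ECMAScript unsigned right shift and of the two checks this entry says the 32-bit slow case got wrong (results at or above 2^31 that cannot be stored as a signed int32 immediate, and negative shift amounts that wrap rather than shift by zero), as an added JavaScript example. This is not JavaScriptCore code; the function names and the boxed-value shape are hypothetical.

```javascript
// Added example (not JavaScriptCore code): ECMAScript >>> modelled without
// the operator, plus the boxing check a 32-bit JIT needs. Names hypothetical.
const TWO_32 = 2 ** 32;
const INT32_MAX = 2147483647;

// ECMAScript ToUint32: NaN/Infinity -> 0, truncate toward zero, wrap mod 2^32.
function toUint32(x) {
  if (!Number.isFinite(x)) return 0;
  const truncated = Math.trunc(x);
  return ((truncated % TWO_32) + TWO_32) % TWO_32;
}

// lhs >>> rhs. The shift count is the low five bits of ToUint32(rhs), so a
// negative rhs is NOT a shift by zero: 8 >>> -30 is 8 >>> 2.
function unsignedRightShift(lhs, rhs) {
  const shiftCount = toUint32(rhs) % 32;
  return Math.floor(toUint32(lhs) / 2 ** shiftCount); // exact: power-of-two divisor
}

// How a 32-bit JIT must box the result: values >= 2^31 are valid uint32
// results but do not fit a signed int32 immediate, so they have to be
// stored as a double rather than as an int-tagged immediate.
function boxShiftResult(lhs, rhs) {
  const result = unsignedRightShift(lhs, rhs);
  if (result <= INT32_MAX) return { tag: 'int32', payload: result };
  return { tag: 'double', value: result };
}

// What skipping that check effectively produces: the 32-bit pattern read
// back as signed, i.e. a negative number from an unsigned shift.
function reinterpretAsInt32(result) {
  return result > INT32_MAX ? result - TWO_32 : result;
}

// Cross-check the model against the engine's own operator on sample inputs
// (constructed), including doubles and negative shift amounts.
function modelMatchesEngine() {
  const samples = [[-1, 0], [8, -30], [-1.5, 0], [4294967296.5, 1], [-16, 28], [NaN, 3]];
  return samples.every(([a, b]) => unsignedRightShift(a, b) === (a >>> b));
}
```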
1257
1258 2011-09-16  Geoffrey Garen  <ggaren@apple.com>
1259
1260         Removed undetectable style.filter.
1261
1262         Reviewed by Sam Weinig.
1263         
1264         This feature was added in http://trac.webkit.org/changeset/15557 to
1265         support housingmaps.com. But housingmaps.com no longer needs this hack,
1266         we don't know of other websites that need it, and we don't know of
1267         any other browsers that have implemented this feature.
1268
1269         * GNUmakefile.list.am:
1270         * JavaScriptCore.gypi:
1271         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1272         * JavaScriptCore.xcodeproj/project.pbxproj:
1273         * runtime/JSTypeInfo.h:
1274         * runtime/StringObjectThatMasqueradesAsUndefined.h: Removed.
1275
1276 2011-09-15  Sam Weinig  <sam@webkit.org>
1277
1278         Prepare JSTypes for more Object subtypes
1279         https://bugs.webkit.org/show_bug.cgi?id=68200
1280
1281         Reviewed by Gavin Barraclough.
1282
1283         * dfg/DFGJITCompiler.h:
1284         (JSC::DFG::JITCompiler::branchIfNotObject):
1285         * jit/JITInlineMethods.h:
1286         (JSC::JIT::emitJumpIfNotObject):
1287         * runtime/JSGlobalObject.h:
1288         (JSC::Structure::prototypeForLookup):
1289         * runtime/JSObject.h:
1290         (JSC::JSObject::finishCreation):
1291         * runtime/JSType.h:
1292         * runtime/JSTypeInfo.h:
1293         (JSC::TypeInfo::type):
1294         (JSC::TypeInfo::isObject):
1295         (JSC::TypeInfo::isFinal):
1296         (JSC::TypeInfo::prohibitsPropertyCaching):
1297         * runtime/NativeErrorConstructor.h:
1298         (JSC::NativeErrorConstructor::finishCreation):
1299         * runtime/Operations.cpp:
1300         (JSC::jsIsObjectType):
1301         * runtime/Structure.cpp:
1302         (JSC::Structure::addPropertyTransitionToExistingStructure):
1303         (JSC::Structure::addPropertyTransition):
1304         * runtime/Structure.h:
1305         (JSC::Structure::isObject):
1306         (JSC::JSCell::isObject):
1307
1308 2011-09-16  Geoffrey Garen  <ggaren@apple.com>
1309
1310         Rolled back in r95201 with test failure fixed.
1311         
1312         I missed two cases of jumpSlowToHot in rshift -- these cases need to be
1313         sure to initialize regT1 to the int tag, since it will otherwise hold
1314         the top 32 bits of a double.
1315
1316         * jit/JIT.h:
1317         * jit/JITArithmetic32_64.cpp:
1318         (JSC::JIT::emit_op_lshift):
1319         (JSC::JIT::emitRightShift):
1320         (JSC::JIT::emitRightShiftSlowCase):
1321         (JSC::JIT::emit_op_bitand):
1322         (JSC::JIT::emit_op_bitor):
1323         (JSC::JIT::emit_op_bitxor):
1324         (JSC::JIT::emit_op_bitnot):
1325         (JSC::JIT::emit_op_post_inc):
1326         (JSC::JIT::emit_op_post_dec):
1327         (JSC::JIT::emit_op_pre_inc):
1328         (JSC::JIT::emit_op_pre_dec):
1329         * jit/JITInlineMethods.h:
1330         (JSC::JIT::emitStoreAndMapInt32):
1331
1332 2011-09-16  Filip Pizlo  <fpizlo@apple.com>
1333
1334         Unreviewed Windows build fix after 95318.
1335
1336         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1337
1338 2011-09-16  Adam Roben  <aroben@apple.com>
1339
1340         Windows build fix after r95310
1341
1342         * JavaScriptCore.vcproj/jsc/jscCommon.vsprops: Added include\private\JavaScriptCore to the
1343         include path so DFGIntrinsic.h can be found.
1344
1345 2011-09-16  Gavin Barraclough  <barraclough@apple.com>
1346
1347         Rationalize JSObject::putDirect* methods
1348         https://bugs.webkit.org/show_bug.cgi?id=68274
1349
1350         Reviewed by Sam Weinig.
1351         
1352         Delete the *Function variants. These are overall inefficient,
1353         in the way they get the name back from the function rather
1354         than just passing it in.
1355
1356         * JavaScriptCore.exp:
1357         * jsc.cpp:
1358         (GlobalObject::finishCreation):
1359         (GlobalObject::addFunction):
1360         * runtime/FunctionPrototype.cpp:
1361         (JSC::FunctionPrototype::addFunctionProperties):
1362         * runtime/JSGlobalObject.cpp:
1363         (JSC::JSGlobalObject::reset):
1364         * runtime/JSObject.cpp:
1365         (JSC::JSObject::put):
1366         (JSC::JSObject::putWithAttributes):
1367         (JSC::JSObject::defineGetter):
1368         (JSC::JSObject::defineSetter):
1369         * runtime/JSObject.h:
1370         (JSC::JSObject::putDirect):
1371         (JSC::JSObject::putDirectWithoutTransition):
1372         * runtime/Lookup.cpp:
1373         (JSC::setUpStaticFunctionSlot):
1374         * runtime/Lookup.h:
1375         (JSC::lookupPut):
1376
1377 2011-09-16  Filip Pizlo  <fpizlo@apple.com>
1378
1379         Unreviewed build fix for Windows.
1380
1381         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1382
1383 2011-09-16  Filip Pizlo  <fpizlo@apple.com>
1384
1385         Unreviewed build fix for non-DFG builds.
1386
1387         * runtime/Executable.h:
1388         (JSC::NativeExecutable::finishCreation):
1389
1390 2011-09-16  Filip Pizlo  <fpizlo@apple.com>
1391
1392         DFG JIT should inline Math.abs
1393         https://bugs.webkit.org/show_bug.cgi?id=68227
1394
1395         Reviewed by Oliver Hunt.
1396         
1397         This adds the ability to track intrinsic functions throughout the
1398         host function infrastructure, so that the DFG can easily query
1399         whether or not a call's target is intrinsic, and if so, which
1400         intrinsic it is.
1401         
1402         On top of this, it adds Math.abs intrinsics to DFG. Call(Math.abs)
1403         is transformed into ValueToNumber<-ArithAbs nodes. These nodes
1404         then get optimized using the usual tricks.
1405         
1406         Also had to make a completely unrelated change to
1407         DateInstanceCache.h in order to fix a preexisting alphabetical
1408         sorting problem in JSGlobalData.h.
1409         
1410         This results in a big win in imaging-gaussian-blur: 61% faster
1411         than before. The net win on Kraken is around 13%.
1412
1413         * JavaScriptCore.xcodeproj/project.pbxproj:
1414         * create_hash_table:
1415         * dfg/DFGByteCodeParser.cpp:
1416         (JSC::DFG::ByteCodeParser::parseBlock):
1417         * dfg/DFGGraph.h:
1418         (JSC::DFG::Graph::isFunctionConstant):
1419         (JSC::DFG::Graph::valueOfFunctionConstant):
1420         * dfg/DFGIntrinsic.h: Added.
1421         * dfg/DFGJITCodeGenerator.h:
1422         (JSC::DFG::JITCodeGenerator::isFunctionConstant):
1423         (JSC::DFG::JITCodeGenerator::valueOfFunctionConstant):
1424         * dfg/DFGJITCompiler.h:
1425         (JSC::DFG::JITCompiler::isFunctionConstant):
1426         (JSC::DFG::JITCompiler::valueOfFunctionConstant):
1427         * dfg/DFGNode.h:
1428         * dfg/DFGPropagator.cpp:
1429         (JSC::DFG::Propagator::propagateNode):
1430         * dfg/DFGSpeculativeJIT.cpp:
1431         (JSC::DFG::SpeculativeJIT::compile):
1432         * jit/JITStubs.cpp:
1433         (JSC::JITThunks::hostFunctionStub):
1434         * jit/JITStubs.h:
1435         * runtime/DateInstanceCache.h:
1436         * runtime/Executable.cpp:
1437         (JSC::ExecutableBase::intrinsic):
1438         (JSC::NativeExecutable::intrinsic):
1439         * runtime/Executable.h:
1440         (JSC::NativeExecutable::create):
1441         (JSC::NativeExecutable::finishCreation):
1442         * runtime/JSGlobalData.cpp:
1443         (JSC::JSGlobalData::getHostFunction):
1444         * runtime/JSGlobalData.h:
1445         * runtime/Lookup.cpp:
1446         (JSC::HashTable::createTable):
1447         (JSC::setUpStaticFunctionSlot):
1448         * runtime/Lookup.h:
1449         (JSC::HashEntry::initialize):
1450         (JSC::HashEntry::intrinsic):
1451
1452 2011-09-16  Filip Pizlo  <fpizlo@apple.com>
1453
1454         REGRESSION: Reproducible crash below SlotVisitor::harvestWeakReferences
1455         using Domino's online ordering
1456         https://bugs.webkit.org/show_bug.cgi?id=68220
1457
1458         Reviewed by Oliver Hunt.
1459         
1460         Weak handle processing can result in new objects being marked, which
1461         results in new WeakReferencesHarvesters being added. But weak
1462         reference harvesters are only processed before weak handle processing,
1463         so there's the risk that a weak reference harvester will persist
1464         until the next collection, by which time it may have been deleted.
1465
1466         * heap/Heap.cpp:
1467         (JSC::Heap::markRoots):
1468
1469 2011-09-16  Csaba Osztrogonác  <ossy@webkit.org>
1470
1471         REGRESSION(r95201): It made two tests fail
1472         https://bugs.webkit.org/show_bug.cgi?id=68230
1473
1474         Unreviewed rolling out r95201.
1475
1476         * jit/JIT.h:
1477         * jit/JITArithmetic32_64.cpp:
1478         (JSC::JIT::emit_op_lshift):
1479         (JSC::JIT::emitRightShift):
1480         (JSC::JIT::emit_op_bitand):
1481         (JSC::JIT::emit_op_bitor):
1482         (JSC::JIT::emit_op_bitxor):
1483         (JSC::JIT::emit_op_bitnot):
1484         (JSC::JIT::emit_op_post_inc):
1485         (JSC::JIT::emit_op_post_dec):
1486         (JSC::JIT::emit_op_pre_inc):
1487         (JSC::JIT::emit_op_pre_dec):
1488         * jit/JITInlineMethods.h:
1489
1490 2011-09-15  Filip Pizlo  <fpizlo@apple.com>
1491
1492         DFG JIT does not optimize method_check
1493         https://bugs.webkit.org/show_bug.cgi?id=68215
1494
1495         Reviewed by Oliver Hunt.
1496         
1497         MethodCallLinkInfo and StructureStubInfo are now searchable by
1498         bytecodeIndex, so that DFG::ByteCodeParser can use that information
1499         to determine how to optimize GetMethod.
1500         
1501         A new node op has been added to DFG: CheckMethod. This is a variant
1502         of GetMethod that has been optimized for the case that GetMethod
1503         always takes the fast path. CheckMethod results in only a very
1504         small amount of code (two loads and two branches in the worst case,
1505         one load and one branch in the best case). CheckMethod behaves as
1506         if it were a constant.  
1507         
1508         Introduced the notion that a DFG node that is not JSConstant
1509         behaves as a constant. CheckMethod uses this functionality.
1510         
1511         This is a 3% speed-up on Kraken, and a small speed-up on V8.
1512         Appears to be neutral on SunSpider.
1513
1514         * bytecode/CodeBlock.h:
1515         (JSC::getStructureStubInfoBytecodeIndex):
1516         (JSC::getMethodCallLinkInfoBytecodeIndex):
1517         * bytecode/PredictedType.cpp:
1518         (JSC::predictionFromCell):
1519         (JSC::predictionFromValue):
1520         * bytecode/PredictedType.h:
1521         * bytecode/StructureStubInfo.h:
1522         * dfg/DFGAliasTracker.h:
1523         (JSC::DFG::AliasTracker::recordGetMethod):
1524         * dfg/DFGByteCodeParser.cpp:
1525         (JSC::DFG::ByteCodeParser::parseBlock):
1526         * dfg/DFGGraph.cpp:
1527         (JSC::DFG::Graph::dump):
1528         * dfg/DFGGraph.h:
1529         (JSC::DFG::Graph::getMethodCheckPrediction):
1530         (JSC::DFG::Graph::getPrediction):
1531         (JSC::DFG::Graph::isConstant):
1532         (JSC::DFG::Graph::isJSConstant):
1533         (JSC::DFG::Graph::valueOfJSConstant):
1534         (JSC::DFG::Graph::valueOfInt32Constant):
1535         (JSC::DFG::Graph::valueOfNumberConstant):
1536         (JSC::DFG::Graph::valueOfBooleanConstant):
1537         (JSC::DFG::Graph::valueOfJSConstantNode):
1538         * dfg/DFGJITCodeGenerator.cpp:
1539         (JSC::DFG::JITCodeGenerator::fillInteger):
1540         (JSC::DFG::JITCodeGenerator::fillDouble):
1541         (JSC::DFG::JITCodeGenerator::fillJSValue):
1542         (JSC::DFG::JITCodeGenerator::isKnownNotInteger):
1543         (JSC::DFG::JITCodeGenerator::isKnownNotNumber):
1544         * dfg/DFGJITCodeGenerator.h:
1545         (JSC::DFG::JITCodeGenerator::silentSpillFPR):
1546         (JSC::DFG::JITCodeGenerator::silentFillGPR):
1547         (JSC::DFG::JITCodeGenerator::silentFillFPR):
1548         * dfg/DFGJITCompiler.cpp:
1549         (JSC::DFG::JITCompiler::fillNumericToDouble):
1550         (JSC::DFG::JITCompiler::fillInt32ToInteger):
1551         (JSC::DFG::JITCompiler::fillToJS):
1552         * dfg/DFGNode.h:
1553         (JSC::DFG::Node::hasConstant):
1554         (JSC::DFG::Node::hasIdentifier):
1555         (JSC::DFG::Node::hasMethodCheckData):
1556         (JSC::DFG::Node::methodCheckDataIndex):
1557         (JSC::DFG::Node::valueOfJSConstant):
1558         * dfg/DFGPropagator.cpp:
1559         (JSC::DFG::Propagator::propagateNode):
1560         * dfg/DFGSpeculativeJIT.cpp:
1561         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1562         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1563         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1564         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1565         (JSC::DFG::SpeculativeJIT::compile):
1566         * jit/JIT.cpp:
1567         (JSC::JIT::privateCompile):
1568         * jit/JIT.h:
1569         (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
1570         (JSC::MethodCallCompilationInfo::MethodCallCompilationInfo):
1571         * jit/JITPropertyAccess.cpp:
1572         (JSC::JIT::emit_op_method_check):
1573         (JSC::JIT::compileGetByIdHotPath):
1574         (JSC::JIT::emit_op_put_by_id):
1575         * jit/JITPropertyAccess32_64.cpp:
1576         (JSC::JIT::emit_op_method_check):
1577         (JSC::JIT::compileGetByIdHotPath):
1578         (JSC::JIT::emit_op_put_by_id):
1579         * runtime/JSCell.h:
1580         (JSC::JSCell::JSCell::structureAddress):
1581
1582 2011-09-15  Adam Barth  <abarth@webkit.org>
1583
1584         Rename ENABLE(DATABASE) to ENABLE(SQL_DATABASE)
1585         https://bugs.webkit.org/show_bug.cgi?id=68205
1586
1587         Reviewed by Eric Seidel.
1588
1589         * Configurations/FeatureDefines.xcconfig:
1590         * wtf/Platform.h:
1591
1592 2011-09-15  Mark Hahnenberg  <mhahnenberg@apple.com>
1593
1594         Unzip initialization lists and constructors in JSCell hierarchy (7/7)
1595         https://bugs.webkit.org/show_bug.cgi?id=68122
1596
1597         Reviewed by Geoffrey Garen.
1598
1599         Completed the seventh and final level of the refactoring to add finishCreation() 
1600         methods to all classes within the JSCell hierarchy with non-trivial 
1601         constructor bodies.
1602
1603         JSCallbackObject was missed in previous patches due to the fact that 
1604         it's non-obvious (at least to my script) that it is in the JSCell hierarchy, so 
1605         this is just a bit of retroactive cleanup.
1606
1607         * API/JSCallbackObject.h:
1608         (JSC::JSCallbackObject::create):
1609         * API/JSCallbackObjectFunctions.h:
1610         (JSC::::JSCallbackObject):
1611
1612 2011-09-15  Filip Pizlo  <fpizlo@apple.com>
1613
1614         The DFG non-speculative JIT is no longer used and should be removed.
1615         https://bugs.webkit.org/show_bug.cgi?id=68177
1616
1617         Reviewed by Geoffrey Garen.
1618         
1619         This removes the non-speculative JIT and everything that relied on it,
1620         including the ability to turn on DFG but not tiered compilation, the
1621         ability to perform speculation failure into non-speculative JIT code,
1622         and the ability to statically terminate speculation.
1623
1624         * GNUmakefile.list.am:
1625         * JavaScriptCore.pro:
1626         * JavaScriptCore.xcodeproj/project.pbxproj:
1627         * bytecode/CodeBlock.h:
1628         * bytecompiler/BytecodeGenerator.cpp:
1629         (JSC::BytecodeGenerator::emitLoopHint):
1630         * dfg/DFGByteCodeParser.cpp:
1631         (JSC::DFG::ByteCodeParser::ByteCodeParser):
1632         (JSC::DFG::ByteCodeParser::getStrongPrediction):
1633         (JSC::DFG::ByteCodeParser::parseBlock):
1634         * dfg/DFGDriver.cpp:
1635         (JSC::DFG::compile):
1636         * dfg/DFGGenerationInfo.h:
1637         * dfg/DFGGraph.cpp:
1638         (JSC::DFG::Graph::predictArgumentTypes):
1639         * dfg/DFGJITCodeGenerator.cpp:
1640         * dfg/DFGJITCompiler.cpp:
1641         (JSC::DFG::JITCompiler::linkOSRExits):
1642         (JSC::DFG::JITCompiler::compileBody):
1643         * dfg/DFGJITCompiler.h:
1644         * dfg/DFGNode.h:
1645         * dfg/DFGNonSpeculativeJIT.cpp: Removed.
1646         * dfg/DFGNonSpeculativeJIT.h: Removed.
1647         * dfg/DFGOSREntry.cpp:
1648         (JSC::DFG::prepareOSREntry):
1649         * dfg/DFGPropagator.cpp:
1650         * dfg/DFGPropagator.h:
1651         * dfg/DFGSpeculativeJIT.cpp:
1652         (JSC::DFG::SpeculativeJIT::compile):
1653         * dfg/DFGSpeculativeJIT.h:
1654         (JSC::DFG::SpeculativeJIT::osrExits):
1655         (JSC::DFG::SpeculativeJIT::speculationRecovery):
1656         (JSC::DFG::SpeculativeJIT::speculationCheck):
1657         (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
1658         * jit/JIT.cpp:
1659         (JSC::JIT::privateCompileMainPass):
1660         (JSC::JIT::privateCompile):
1661         * jit/JIT.h:
1662         * jit/JITCode.h:
1663         (JSC::JITCode::bottomTierJIT):
1664         * runtime/JSGlobalData.cpp:
1665         (JSC::JSGlobalData::JSGlobalData):
1666         (JSC::JSGlobalData::~JSGlobalData):
1667         * runtime/JSGlobalData.h:
1668         * wtf/Platform.h:
1669
1670 2011-09-15  Eric Seidel  <eric@webkit.org>
1671
1672         Remove ENABLE(SVG_AS_IMAGE) since all major ports have it on by default
1673         https://bugs.webkit.org/show_bug.cgi?id=68182
1674
1675         Reviewed by Adam Barth.
1676
1677         * Configurations/FeatureDefines.xcconfig:
1678
1679 2011-09-15  Filip Pizlo  <fpizlo@apple.com>
1680
1681         DFG speculative JIT sometimes asserts that a value is not a number
1682         even when it doesn't know anything about the number
1683         https://bugs.webkit.org/show_bug.cgi?id=68189
1684
1685         Reviewed by Oliver Hunt.
1686
1687         * dfg/DFGGenerationInfo.h:
1688         (JSC::DFG::GenerationInfo::isUnknownJS):
1689         * dfg/DFGJITCodeGenerator.cpp:
1690         (JSC::DFG::JITCodeGenerator::isKnownNotNumber):
1691
1692 2011-09-15  Filip Pizlo  <fpizlo@apple.com>
1693
1694         All of the functionality in the non-speculative JIT should be
1695         available to the speculative JIT via helper methods
1696         https://bugs.webkit.org/show_bug.cgi?id=68186
1697
1698         Reviewed by Oliver Hunt.
1699         
1700         Stole all of the goodness from NonSpeculativeJIT and placed it
1701         in JITCodeGenerator.  Left all of the badness (i.e. subtle code
1702         duplication with SpeculativeJIT, etc).  This is in preparation
1703         for removing the NonSpeculativeJIT entirely, but having its
1704         goodness available for reuse in the SpeculativeJIT if necessary.
1705
1706         * dfg/DFGJITCodeGenerator.cpp:
1707         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber):
1708         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
1709         (JSC::DFG::JITCodeGenerator::nonSpeculativeUInt32ToNumber):
1710         (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp):
1711         (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
1712         (JSC::DFG::JITCodeGenerator::nonSpeculativeArithMod):
1713         (JSC::DFG::JITCodeGenerator::nonSpeculativeCheckHasInstance):
1714         (JSC::DFG::JITCodeGenerator::nonSpeculativeInstanceOf):
1715         * dfg/DFGJITCodeGenerator.h:
1716         (JSC::DFG::JITCodeGenerator::nonSpeculativeAdd):
1717         (JSC::DFG::JITCodeGenerator::nonSpeculativeArithSub):
1718         * dfg/DFGNonSpeculativeJIT.cpp:
1719         (JSC::DFG::NonSpeculativeJIT::compile):
1720         * dfg/DFGNonSpeculativeJIT.h:
1721
1722 2011-09-15  Sheriff Bot  <webkit.review.bot@gmail.com>
1723
1724         Unreviewed, rolling out r95167.
1725         http://trac.webkit.org/changeset/95167
1726         https://bugs.webkit.org/show_bug.cgi?id=68191
1727
1728         Patch needs further work. (Requested by mhahnenberg on
1729         #webkit).
1730
1731         * JavaScriptCore.exp:
1732         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1733         * runtime/JSCell.cpp:
1734         (JSC::JSCell::toBoolean):
1735         * runtime/JSCell.h:
1736         (JSC::JSCell::JSValue::toBoolean):
1737         * runtime/JSNotAnObject.cpp:
1738         (JSC::JSNotAnObject::toBoolean):
1739         * runtime/JSNotAnObject.h:
1740         * runtime/JSObject.h:
1741         * runtime/JSString.h:
1742         * runtime/StringObjectThatMasqueradesAsUndefined.h:
1743         (JSC::StringObjectThatMasqueradesAsUndefined::toBoolean):
1744
1745 2011-09-15  Filip Pizlo  <fpizlo@apple.com>
1746
1747         Unreviewed build fix for platforms that expect a linkable symbol
1748         for primitive static consts.
1749
1750         * bytecode/CodeBlock.h:
1751         * jit/JIT.cpp:
1752         (JSC::JIT::emitOptimizationCheck):
1753
1754 2011-09-15  Filip Pizlo  <fpizlo@apple.com>
1755
1756         Unreviewed build fix for assertion on existence of alternative
1757         CodeBlock.
1758
1759         * dfg/DFGGraph.cpp:
1760         (JSC::DFG::Graph::predictArgumentTypes):
1761
1762 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
1763
1764         Value profiles collect no information for global variables
1765         https://bugs.webkit.org/show_bug.cgi?id=68143
1766
1767         Reviewed by Geoffrey Garen.
1768         
1769         17% speed-up on string-fasta.  Neutral elsewhere.
1770
1771         * dfg/DFGByteCodeParser.cpp:
1772         (JSC::DFG::ByteCodeParser::getStrongPrediction):
1773         (JSC::DFG::ByteCodeParser::stronglyPredict):
1774         (JSC::DFG::ByteCodeParser::parseBlock):
1775         * jit/JITPropertyAccess.cpp:
1776         (JSC::JIT::emit_op_get_global_var):
1777
1778 2011-09-15  Eric Seidel  <eric@webkit.org>
1779
1780         Remove ENABLE_SVG_ANIMATION as all major ports have it on by default
1781         https://bugs.webkit.org/show_bug.cgi?id=68022
1782
1783         Reviewed by Ryosuke Niwa.
1784
1785         * Configurations/FeatureDefines.xcconfig:
1786
1787 2011-09-15  Gavin Barraclough  <barraclough@apple.com>
1788
1789         Oops, revert accidentally committed unreviewed changes.
1790
1791         * jit/JITOpcodes32_64.cpp:
1792         (JSC::JIT::emit_op_jfalse):
1793         (JSC::JIT::emit_op_jtrue):
1794         * jit/JSInterfaceJIT.h:
1795         * runtime/JSValue.h:
1796
1797 2011-09-15  Sheriff Bot  <webkit.review.bot@gmail.com>
1798
1799         Unreviewed, rolling out r95163.
1800         http://trac.webkit.org/changeset/95163
1801         https://bugs.webkit.org/show_bug.cgi?id=68180
1802
1803         [Qt] The QT_GCC_X variables were removed in Qt5 by accident.
1804         (Requested by darktears on #webkit).
1805
1806         * JavaScriptCore.pro:
1807
1808 2011-09-15  Gavin Barraclough  <barraclough@apple.com>
1809
1810         Windows build fix p1.
1811
1812         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1813         * jit/JITOpcodes32_64.cpp:
1814         (JSC::JIT::emit_op_jfalse):
1815         (JSC::JIT::emit_op_jtrue):
1816         * jit/JSInterfaceJIT.h:
1817         * runtime/JSValue.h:
1818
1819 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
1820
1821         Tiered compilation should be enabled by default on platforms
1822         that support the DFG JIT
1823         https://bugs.webkit.org/show_bug.cgi?id=68136
1824
1825         Reviewed by Sam Weinig.
1826         
1827         Neutral on SunSpider, 4% speed-up on V8, and 19% speed-up on
1828         Kraken.  Large progressions on some benchmarks, including
1829         3x on imaging-desaturate.
1830
1831         * wtf/Platform.h:
1832
1833 2011-09-15  Gavin Barraclough  <barraclough@apple.com>
1834
1835         devirtualize preventExtensions
1836         https://bugs.webkit.org/show_bug.cgi?id=68176
1837
1838         Reviewed by Oliver Hunt.
1839
1840         This is virtual due to problems in JSFunction putting the prototype
1841         property, but we can fix this problem a different way, just setting
1842         the checkReadOnly flag to false in the put.
1843
1844         * runtime/JSFunction.cpp:
1845         (JSC::JSFunction::getOwnPropertySlot):
1846         * runtime/JSFunction.h:
1847         * runtime/JSObject.h:
1848
1849 2011-09-15  Geoffrey Garen  <ggaren@apple.com>
1850
1851         Value chaining for JSValue32_64 bitops.
1852
1853         Reviewed by Sam Weinig.
1854         
1855         SunSpider says 2.3% faster, v8 ~1% faster (mostly due to crypto).
1856
1857         * jit/JIT.h:
1858         * jit/JITInlineMethods.h:
1859         (JSC::JIT::emitStoreAndMapInt32): New int32 helper function for stores
1860         that can chain their results, which is the common case.
1861
1862         * jit/JITArithmetic32_64.cpp:
1863         (JSC::JIT::emit_op_lshift):
1864         (JSC::JIT::emitRightShift):
1865         (JSC::JIT::emit_op_bitand):
1866         (JSC::JIT::emit_op_bitor):
1867         (JSC::JIT::emit_op_bitxor):
1868         (JSC::JIT::emit_op_bitnot):
1869         (JSC::JIT::emit_op_pre_inc):
1870         (JSC::JIT::emit_op_pre_dec): Deployed new function.
1871         (JSC::JIT::emit_op_post_inc):
1872         (JSC::JIT::emit_op_post_dec): Had to reorder these functions so they
1873         computed their result values last, to make them eligible for chaining.
1874
1875 2011-09-15  Adam Roben  <aroben@apple.com>
1876
1877         Clang build fix after r95172
1878
1879         * dfg/DFGSpeculativeJIT.h:
1880         (JSC::DFG::SpeculativeJIT::shouldSpeculateFinalObject):
1881         (JSC::DFG::SpeculativeJIT::shouldSpeculateArray):
1882         Added parentheses to make precedence clear.
1883
1884 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
1885
1886         DFG does not speculate aggressively enough on comparisons
1887         https://bugs.webkit.org/show_bug.cgi?id=68138
1888
1889         Reviewed by Oliver Hunt.
1890         
1891         This is a 75% speed-up on Kraken/ai-astar.  It's a 1% win on
1892         V8 and an 8.5% win on Kraken.  Neutral on SunSpider.
1893
1894         * dfg/DFGSpeculativeJIT.cpp:
1895         (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
1896         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
1897         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1898         (JSC::DFG::SpeculativeJIT::compare):
1899         * dfg/DFGSpeculativeJIT.h:
1900         (JSC::DFG::SpeculativeJIT::shouldSpeculateFinalObject):
1901         (JSC::DFG::SpeculativeJIT::shouldSpeculateArray):
1902         (JSC::DFG::SpeculativeJIT::shouldSpeculateObject):
1903         (JSC::DFG::SpeculativeJIT::shouldSpeculateCell):
1904
1905 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
1906
1907         DFG JIT does not leverage integer speculations on branches
1908         https://bugs.webkit.org/show_bug.cgi?id=68140
1909
1910         Reviewed by Oliver Hunt.
1911
1912         * dfg/DFGJITCodeGenerator.cpp:
1913         (JSC::DFG::JITCodeGenerator::isStrictInt32):
1914         * dfg/DFGJITCodeGenerator.h:
1915         * dfg/DFGSpeculativeJIT.cpp:
1916         (JSC::DFG::SpeculativeJIT::compile):
1917
1918 2011-09-14  Gavin Barraclough  <barraclough@apple.com>
1919
1920         [n]stricteq code is bogus in JSValue32_64 JIT
1921         https://bugs.webkit.org/show_bug.cgi?id=68141
1922
1923         Reviewed by Sam Weinig.
1924
1925         The code tries to check for both ints or cells, but this check also
1926         catches cases where the values are undefined, null, etc. (probably
1927         was incorrectly assuming cell was the 2nd highest tag?).
1928
1929         Also, there is no need not to handle int on the fast path.
1930         stricteq is just a case of comparing the payloads, if we:
1931             * handle cases of differing tags on a slow path
1932             * handle doubles on a slow path
1933             * handle both-are-string on a slow path
1934
1935         * jit/JITOpcodes32_64.cpp:
1936         (JSC::JIT::compileOpStrictEq):
1937         (JSC::JIT::emitSlow_op_stricteq):
1938         (JSC::JIT::emitSlow_op_nstricteq):
1939
1940 2011-09-14  Mark Hahnenberg  <mhahnenberg@apple.com>
1941
1942         Make JSCell::toBoolean non-virtual
1943         https://bugs.webkit.org/show_bug.cgi?id=67727
1944
1945         Reviewed by Sam Weinig.
1946
1947         JSCell::toBoolean now manually performs the toBoolean check for objects and strings (where 
1948         before it was simply virtual and would crash if its implementation was called). 
1949         Its descendants in JSObject and JSString have also been made non-virtual.  JSCell now
1950         explicitly covers all cases of toBoolean, so having a virtual implementation of 
1951         JSCell::toBoolean is no longer necessary.  This is part of a larger process of un-virtualizing JSCell.
1952
1953         * JavaScriptCore.exp:
1954         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1955         * runtime/JSCell.cpp:
1956         * runtime/JSCell.h:
1957         * runtime/JSNotAnObject.cpp:
1958         * runtime/JSNotAnObject.h:
1959         * runtime/JSObject.h:
1960         * runtime/JSString.h:
1961         (JSC::JSCell::toBoolean):
1962         (JSC::JSValue::toBoolean):
1963         * runtime/StringObjectThatMasqueradesAsUndefined.h:
1964
1965 2011-09-14  Alexis Menard  <alexis.menard@openbossa.org>
1966
1967         [Qt] Replace QT_GCC_X as they don't exist in Qt5 anymore.
1968         https://bugs.webkit.org/show_bug.cgi?id=68114
1969
1970         Reviewed by Kenneth Rohde Christiansen.
1971
1972         Use the new GCC_X variables defined in WebKit.pri to replace
1973         the usage of QT_GCC_X.
1974
1975         * JavaScriptCore.pro:
1976
1977 2011-09-14  Sheriff Bot  <webkit.review.bot@gmail.com>
1978
1979         Unreviewed, rolling out r95145.
1980         http://trac.webkit.org/changeset/95145
1981         https://bugs.webkit.org/show_bug.cgi?id=68139
1982
1983         The GTK+ build is working now, so revert this trial build fix.
1984         (Requested by mrobinson on #webkit).
1985
1986         * GNUmakefile.list.am:
1987
1988 2011-09-14  Patrick Gansterer  <paroga@webkit.org>
1989
1990         Port MachineStackMarker to Windows ARM and MIPS
1991         https://bugs.webkit.org/show_bug.cgi?id=68068
1992
1993         Reviewed by Geoffrey Garen.
1994
1995         Use the correct member of the CONTEXT struct for the stack pointer for CPU(ARM) and CPU(MIPS).
1996         Only query CONTEXT_INTEGER and CONTEXT_CONTROL, since CONTEXT_SEGMENTS isn't defined for
1997         CPU(ARM) and CPU(MIPS) and the stack pointer is defined in the CONTEXT_CONTROL section for
1998         CPU(ARM), CPU(X86) and CPU(X86_64) and in the CONTEXT_INTEGER section for CPU(MIPS).
1999
2000         * heap/MachineStackMarker.cpp:
2001         (JSC::getPlatformThreadRegisters):
2002         (JSC::otherThreadStackPointer):
2003
2004 2011-09-12  Filip Pizlo  <fpizlo@apple.com>
2005
2006         DFG JIT always speculates that ValueAdd is a numeric addition
2007         https://bugs.webkit.org/show_bug.cgi?id=67956
2008
2009         Reviewed by Geoffrey Garen.
2010
2011         * dfg/DFGJITCodeGenerator.cpp:
2012         (JSC::DFG::JITCodeGenerator::isKnownNotNumber):
2013         * dfg/DFGJITCodeGenerator.h:
2014         * dfg/DFGNonSpeculativeJIT.cpp:
2015         (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
2016         (JSC::DFG::NonSpeculativeJIT::basicArithOp):
2017         * dfg/DFGOperations.cpp:
2018         * dfg/DFGOperations.h:
2019         * dfg/DFGSpeculativeJIT.cpp:
2020         (JSC::DFG::SpeculativeJIT::compile):
2021         * dfg/DFGSpeculativeJIT.h:
2022         (JSC::DFG::SpeculativeJIT::shouldSpeculateNumber):
2023
2024 2011-09-14  Anders Carlsson  <andersca@apple.com>
2025
2026         Stop building BinarySemaphore to see if that's what's breaking the GTK+ build.
2027
2028         * GNUmakefile.list.am:
2029
2030 2011-09-14  Anders Carlsson  <andersca@apple.com>
2031
2032         This is getting old. Yet another build fix attempt.
2033
2034         * JavaScriptCore.vcproj/WTF/WTFCommon.vsprops:
2035
2036 2011-09-14  Anders Carlsson  <andersca@apple.com>
2037
2038         Yet another build fix attempt.
2039
2040         * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:
2041
2042 2011-09-14  Anders Carlsson  <andersca@apple.com>
2043
2044         How I "love" Visual Studio...
2045
2046         Try to fix build again.
2047
2048         * JavaScriptCore.vcproj/WTF/WTFCommon.vsprops:
2049
2050 2011-09-14  Anders Carlsson  <andersca@apple.com>
2051
2052         Try to fix Windows build.
2053
2054         * JavaScriptCore.vcproj/WTF/WTFCommon.vsprops:
2055
2056 2011-09-14  Anders Carlsson  <andersca@apple.com>
2057
2058         Add BinarySemaphore class from WebKit2 to WTF
2059         https://bugs.webkit.org/show_bug.cgi?id=68132
2060
2061         Reviewed by Sam Weinig.
2062
2063         * GNUmakefile.list.am:
2064         * JavaScriptCore.gypi:
2065         * JavaScriptCore.vcproj/WTF/WTF.vcproj:
2066         * JavaScriptCore.xcodeproj/project.pbxproj:
2067         * wtf/CMakeLists.txt:
2068         Update build systems.
2069
2070         * wtf/threads: Added.
2071         * wtf/threads/BinarySemaphore.cpp: Copied from Source/WebKit2/Platform/CoreIPC/BinarySemaphore.cpp.
2072         * wtf/threads/BinarySemaphore.h: Copied from Source/WebKit2/Platform/CoreIPC/BinarySemaphore.h.
2073         * wtf/threads/win: Added.
2074         * wtf/threads/win/BinarySemaphoreWin.cpp: Copied from Source/WebKit2/Platform/CoreIPC/win/BinarySemaphoreWin.cpp.
2075
2076 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
2077
2078         Unreviewed build fix for Interpreter.
2079
2080         * interpreter/Interpreter.cpp:
2081         (JSC::Interpreter::privateExecute):
2082
2083 2011-09-14  Anders Carlsson  <andersca@apple.com>
2084
2085         Add wtf/threads and wtf/threads/win, so we can be sure that the EWS
2086         bots can correctly build the patch in https://bugs.webkit.org/show_bug.cgi?id=68132
2087
2088         Rubber-stamped by Sam Weinig.
2089
2090         * wtf/threads: Added.
2091         * wtf/threads/win: Added.
2092
2093 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
2094
2095         DFG JIT should not speculate integer if the value is always going to be
2096         used as a double anyway
2097         https://bugs.webkit.org/show_bug.cgi?id=68127
2098
2099         Reviewed by Oliver Hunt.
2100         
2101         Added a ValueToDouble node, which is a variant of ValueToNumber that
2102         hints that it will only be used as a double and never as an integer.
2103         Thus, it turns off integer speculation even if the value profiler
2104         told us that the value source is an int. The logic for converting a
2105         ValueToNumber into a ValueToDouble is found in Propagator.
2106         
2107         This appears to be a 22% speed-up in imaging-darkroom.
2108
2109         * dfg/DFGNode.h:
2110         * dfg/DFGNonSpeculativeJIT.cpp:
2111         (JSC::DFG::NonSpeculativeJIT::compile):
2112         * dfg/DFGPropagator.cpp:
2113         (JSC::DFG::Propagator::fixpoint):
2114         (JSC::DFG::Propagator::toDouble):
2115         (JSC::DFG::Propagator::fixupNode):
2116         (JSC::DFG::Propagator::fixup):
2117         * dfg/DFGSpeculativeJIT.cpp:
2118         (JSC::DFG::SpeculativeJIT::compile):
2119         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
2120
2121 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
2122
2123         Tiered compilation heuristics do not account for value profile fullness
2124         https://bugs.webkit.org/show_bug.cgi?id=68116
2125
2126         Reviewed by Oliver Hunt.
2127         
2128         Tiered compilation avoids invoking the DFG JIT if it finds that value
2129         profiles contain insufficient information. Instead, it produces a
2130         prediction from the current value profile, and then clears the value
2131         profile. This allows the value profile to heat up from scratch for
2132         some number of additional executions. The new profiles will then be
2133         merged with the previous prediction. Once the amount of information
2134         in predictions is enough according to heuristics in CodeBlock.cpp,
2135         DFG optimization is allowed to proceed.
2136
2137         * CMakeLists.txt:
2138         * GNUmakefile.list.am:
2139         * JavaScriptCore.pro:
2140         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2141         * JavaScriptCore.xcodeproj/project.pbxproj:
2142         * bytecode/CodeBlock.cpp:
2143         (JSC::CodeBlock::CodeBlock):
2144         (JSC::CodeBlock::~CodeBlock):
2145         (JSC::CodeBlock::visitAggregate):
2146         (JSC::CodeBlock::visitWeakReferences):
2147         (JSC::CodeBlock::shouldOptimizeNow):
2148         (JSC::CodeBlock::dumpValueProfiles):
2149         * bytecode/CodeBlock.h:
2150         * bytecode/PredictedType.cpp:
2151         (JSC::predictionToString):
2152         * bytecode/PredictedType.h:
2153         * bytecode/ValueProfile.cpp: Added.
2154         (JSC::ValueProfile::computeStatistics):
2155         (JSC::ValueProfile::computeUpdatedPrediction):
2156         * bytecode/ValueProfile.h:
2157         (JSC::ValueProfile::ValueProfile):
2158         (JSC::ValueProfile::classInfo):
2159         (JSC::ValueProfile::numberOfSamples):
2160         (JSC::ValueProfile::totalNumberOfSamples):
2161         (JSC::ValueProfile::isLive):
2162         (JSC::ValueProfile::numberOfInt32s):
2163         (JSC::ValueProfile::numberOfDoubles):
2164         (JSC::ValueProfile::numberOfBooleans):
2165         (JSC::ValueProfile::dump):
2166         (JSC::getValueProfileBytecodeOffset):
2167         * dfg/DFGByteCodeParser.cpp:
2168         (JSC::DFG::ByteCodeParser::stronglyPredict):
2169         * dfg/DFGGraph.cpp:
2170         (JSC::DFG::Graph::predictArgumentTypes):
2171         * dfg/DFGJITCompiler.cpp:
2172         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
2173         (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):
2174         * jit/JIT.cpp:
2175         (JSC::JIT::emitOptimizationCheck):
2176         * jit/JITInlineMethods.h:
2177         (JSC::JIT::emitValueProfilingSite):
2178         * jit/JITStubs.cpp:
2179         (JSC::DEFINE_STUB_FUNCTION):
2180
2181 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
2182
2183         DFG should not speculate that the child of LogicalNot is a boolean if
2184         predictions tell us otherwise
2185         https://bugs.webkit.org/show_bug.cgi?id=68118
2186
2187         Reviewed by Geoffrey Garen.
2188
2189         * dfg/DFGJITCodeGenerator.cpp:
2190         (JSC::DFG::JITCodeGenerator::nonSpeculativeLogicalNot):
2191         * dfg/DFGJITCodeGenerator.h:
2192         * dfg/DFGNonSpeculativeJIT.cpp:
2193         (JSC::DFG::NonSpeculativeJIT::compile):
2194         * dfg/DFGSpeculativeJIT.cpp:
2195         (JSC::DFG::SpeculativeJIT::compile):
2196
2197 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
2198
2199         Unreviewed build fix.  Turn off tiered compilation.
2200
2201         * wtf/Platform.h:
2202
2203 2011-09-13  Filip Pizlo  <fpizlo@apple.com>
2204
2205         Prediction tracking is not precise enough
2206         https://bugs.webkit.org/show_bug.cgi?id=67993
2207
2208         Reviewed by Oliver Hunt.
2209         
2210         Added a richer set of type predictions, including JSFinalObject, JSString,
2211         object that is not a JSFinalObject or JSArray (ObjectOther), some object
2212         but we don't know or care what kind (SomeObject), definitely an object,
2213         cell that is not an object or JSString, a value that is none of the above
2214         (so either Undefined or Null). Made the propagator and value profiler work
2215         with the new types.
2216         
2217         Performance is neutral, because the DFG JIT does not take advantage of this
2218         new knowledge yet.
2219         
2220         In the process of writing predictionToString() (which is now considerably
2221         more complex) I decided to finally add a BoundsCheckedPointer, which
2222         should come in handy in other places, like at least the OSR scratch buffer
2223         and the CompactJITCodeMap. It's great for cases where you want to
2224         do pointer arithmetic, you want to have assertions about the
2225         pointer not going out of bounds, but you don't want to write those
2226         assertions yourself.
2227         
2228         This also required refactoring inherits(), since the ValueProfiler may
2229         want to do the equivalent of inherits() but given two ClassInfo's.
2230
2231         * GNUmakefile.list.am:
2232         * JavaScriptCore.vcproj/WTF/WTF.vcproj:
2233         * JavaScriptCore.xcodeproj/project.pbxproj:
2234         * bytecode/PredictedType.cpp: Added.
2235         (JSC::predictionToString):
2236         (JSC::makePrediction):
2237         (JSC::predictionFromValue):
2238         * bytecode/PredictedType.h:
2239         (JSC::isCellPrediction):
2240         (JSC::isObjectPrediction):
2241         (JSC::isFinalObjectPrediction):
2242         (JSC::isStringPrediction):
2243         (JSC::mergePredictions):
2244         * bytecode/ValueProfile.h:
2245         (JSC::ValueProfile::numberOfObjects):
2246         (JSC::ValueProfile::numberOfFinalObjects):
2247         (JSC::ValueProfile::numberOfStrings):
2248         (JSC::ValueProfile::probabilityOfObject):
2249         (JSC::ValueProfile::probabilityOfFinalObject):
2250         (JSC::ValueProfile::probabilityOfString):
2251         (JSC::ValueProfile::dump):
2252         (JSC::ValueProfile::Statistics::Statistics):
2253         (JSC::ValueProfile::computeStatistics):
2254         * dfg/DFGByteCodeParser.cpp:
2255         (JSC::DFG::ByteCodeParser::stronglyPredict):
2256         * dfg/DFGGraph.cpp:
2257         (JSC::DFG::Graph::dump):
2258         (JSC::DFG::Graph::predictArgumentTypes):
2259         * dfg/DFGNode.h:
2260         (JSC::DFG::Node::predict):
2261         * dfg/DFGPropagator.cpp:
2262         (JSC::DFG::Propagator::propagateNode):
2263         * runtime/ClassInfo.h:
2264         (JSC::ClassInfo::isSubClassOf):
2265         * runtime/JSObject.h:
2266         (JSC::JSCell::inherits):
2267         * wtf/BoundsCheckedPointer.h: Added.
2268         (WTF::BoundsCheckedPointer::BoundsCheckedPointer):
2269         (WTF::BoundsCheckedPointer::operator=):
2270         (WTF::BoundsCheckedPointer::operator+=):
2271         (WTF::BoundsCheckedPointer::operator-=):
2272         (WTF::BoundsCheckedPointer::operator+):
2273         (WTF::BoundsCheckedPointer::operator-):
2274         (WTF::BoundsCheckedPointer::operator++):
2275         (WTF::BoundsCheckedPointer::operator--):
2276         (WTF::BoundsCheckedPointer::operator<):
2277         (WTF::BoundsCheckedPointer::operator<=):
2278         (WTF::BoundsCheckedPointer::operator>):
2279         (WTF::BoundsCheckedPointer::operator>=):
2280         (WTF::BoundsCheckedPointer::operator==):
2281         (WTF::BoundsCheckedPointer::operator!=):
2282         (WTF::BoundsCheckedPointer::operator!):
2283         (WTF::BoundsCheckedPointer::get):
2284         (WTF::BoundsCheckedPointer::operator*):
2285         (WTF::BoundsCheckedPointer::operator[]):
2286         (WTF::BoundsCheckedPointer::strcat):
2287         (WTF::BoundsCheckedPointer::validate):
2288         * wtf/CMakeLists.txt:
2289
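The entry above adds wtf/BoundsCheckedPointer.h and lists its operators (+=, [], strcat, validate, ...) without describing them. As an added illustration that is not WTF's code, here is an independent pointer wrapper with the same operator shape; the semantics (range checks on every dereference and write, a non-fatal inBounds() query, a refusing strcat) and the demo helpers demoAppendCount() and demoRangeQueries() are assumptions made for this example.

```cpp
#include <cassert>
#include <cstddef>
#include <cstring>

// Added example, not WTF's BoundsCheckedPointer: a pointer that carries the [begin, end) range
// of its buffer. Arithmetic may move it anywhere (one-past-end included), but every
// dereference and every write is validated against the range first. The operator set mirrors
// the ChangeLog entry's list; the semantics here are an assumption.
template<typename T>
class BoundsCheckedPointer {
public:
    BoundsCheckedPointer(T* begin, T* end) : m_ptr(begin), m_begin(begin), m_end(end) {}
    BoundsCheckedPointer(T* begin, size_t count) : BoundsCheckedPointer(begin, begin + count) {}

    BoundsCheckedPointer& operator+=(ptrdiff_t n) { m_ptr += n; return *this; }
    BoundsCheckedPointer& operator-=(ptrdiff_t n) { m_ptr -= n; return *this; }
    BoundsCheckedPointer& operator++() { ++m_ptr; return *this; }
    BoundsCheckedPointer& operator--() { --m_ptr; return *this; }
    BoundsCheckedPointer operator+(ptrdiff_t n) const { BoundsCheckedPointer r(*this); r += n; return r; }
    BoundsCheckedPointer operator-(ptrdiff_t n) const { BoundsCheckedPointer r(*this); r -= n; return r; }

    bool operator<(const BoundsCheckedPointer& o) const { return m_ptr < o.m_ptr; }
    bool operator<=(const BoundsCheckedPointer& o) const { return m_ptr <= o.m_ptr; }
    bool operator==(const BoundsCheckedPointer& o) const { return m_ptr == o.m_ptr; }
    bool operator!=(const BoundsCheckedPointer& o) const { return m_ptr != o.m_ptr; }
    bool operator!() const { return !m_ptr; }

    T* get() const { return m_ptr; }                       // raw escape hatch, unchecked
    T& operator*() const { validate(0); return *m_ptr; }
    T& operator[](ptrdiff_t i) const { validate(i); return m_ptr[i]; }

    // Non-fatal query, computed on offsets so no out-of-range pointer is ever formed.
    bool inBounds(ptrdiff_t i = 0) const {
        ptrdiff_t offset = (m_ptr - m_begin) + i;
        return offset >= 0 && offset < (m_end - m_begin);
    }
    size_t remaining() const { return m_ptr < m_end ? static_cast<size_t>(m_end - m_ptr) : 0; }
    void validate(ptrdiff_t i = 0) const { assert(inBounds(i)); }

    // Appends a C string plus terminator; refuses, writing nothing, when it would overrun.
    bool strcat(const char* s) {
        size_t n = std::strlen(s) + 1;
        if (n > remaining()) return false;
        std::memcpy(m_ptr, s, n);
        m_ptr += n - 1;                    // rest on the terminator so the next append overwrites it
        return true;
    }

private:
    T* m_ptr;
    T* m_begin;
    T* m_end;
};

// Constructed demo: three pieces into a 16-byte buffer. The third piece does not fit, so it
// is refused rather than overrunning the buffer as a raw strcat() would. Returns the number of
// pieces actually appended (2, leaving "GET /index.html" terminated in place).
int demoAppendCount() {
    char buffer[16];
    const char* pieces[] = { "GET ", "/index.html", " HTTP/1.1" };
    BoundsCheckedPointer<char> p(buffer, sizeof buffer);
    int appended = 0;
    for (const char* piece : pieces) {
        if (!p.strcat(piece)) break;
        ++appended;
    }
    return appended;
}

// Constructed demo of the range queries: the end pointer is legal to form but not to dereference.
bool demoRangeQueries() {
    int values[4] = { 1, 2, 3, 4 };
    BoundsCheckedPointer<int> p(values, values + 4);
    bool atBeginOk = p.inBounds() && p[3] == 4;
    p += 4;                                // one past the end
    bool atEndRefused = !p.inBounds() && p.inBounds(-1) && p.remaining() == 0;
    return atBeginOk && atEndRefused;
}
```

The design choice worth noting is that the check happens at the dereference, not at the arithmetic: forming a one-past-end pointer is legitimate in loops, so only reads and writes through it are refused. inBounds() is computed on offsets rather than by comparing a possibly out-of-range pointer, and strcat() decides before copying so a refused append leaves the buffer untouched.
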
2290 2011-09-14  Csaba Osztrogonác  <ossy@webkit.org>
2291
2292         [Qt] Win32 builds with threads turned off
2293         https://bugs.webkit.org/show_bug.cgi?id=67864
2294
2295         Reviewed by Geoffrey Garen.
2296
2297         * JavaScriptCore.pri: Link pthread library on Windows platform.
2298         * wtf/Platform.h: Enable multiple threads.
2299
2300 2011-09-14  Mark Hahnenberg  <mhahnenberg@apple.com>
2301
2302         Unzip initialization lists and constructors in JSCell hierarchy (6/7)
2303         https://bugs.webkit.org/show_bug.cgi?id=67692
2304
2305         Reviewed by Geoffrey Garen.
2306
2307         Completed the sixth level of the refactoring to add finishCreation() 
2308         methods to all classes within the JSCell hierarchy with non-trivial 
2309         constructor bodies.
2310
2311         This primarily consists of pushing the calls to finishCreation() down 
2312         into the constructors of the subclasses of the fifth level of the hierarchy 
2313         as well as pulling the finishCreation() calls out into the class's corresponding
2314         create() method if it has one.  Doing both simultaneously allows us to 
2315         maintain the invariant that the finishCreation() method chain is called exactly 
2316         once during the creation of an object, since calling it any other number of 
2317         times (0, 2, or more) will cause an assertion failure.
2318
2319         * API/JSCallbackFunction.cpp:
2320         (JSC::JSCallbackFunction::JSCallbackFunction):
2321         * API/JSCallbackFunction.h:
2322         (JSC::JSCallbackFunction::create):
2323         * jsc.cpp:
2324         (GlobalObject::create):
2325         (GlobalObject::GlobalObject):
2326         * runtime/ArrayConstructor.cpp:
2327         (JSC::ArrayConstructor::ArrayConstructor):
2328         * runtime/ArrayConstructor.h:
2329         (JSC::ArrayConstructor::create):
2330         * runtime/BooleanConstructor.cpp:
2331         (JSC::BooleanConstructor::BooleanConstructor):
2332         * runtime/BooleanConstructor.h:
2333         (JSC::BooleanConstructor::create):
2334         * runtime/BooleanPrototype.cpp:
2335         (JSC::BooleanPrototype::BooleanPrototype):
2336         * runtime/BooleanPrototype.h:
2337         (JSC::BooleanPrototype::create):
2338         * runtime/DateConstructor.cpp:
2339         (JSC::DateConstructor::DateConstructor):
2340         * runtime/DateConstructor.h:
2341         (JSC::DateConstructor::create):
2342         * runtime/DatePrototype.cpp:
2343         (JSC::DatePrototype::DatePrototype):
2344         * runtime/DatePrototype.h:
2345         (JSC::DatePrototype::create):
2346         * runtime/Error.cpp:
2347         (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
2348         (JSC::StrictModeTypeErrorFunction::create):
2349         * runtime/ErrorConstructor.cpp:
2350         (JSC::ErrorConstructor::ErrorConstructor):
2351         * runtime/ErrorConstructor.h:
2352         (JSC::ErrorConstructor::create):
2353         * runtime/FunctionConstructor.cpp:
2354         (JSC::FunctionConstructor::FunctionConstructor):
2355         * runtime/FunctionConstructor.h:
2356         (JSC::FunctionConstructor::create):
2357         * runtime/FunctionPrototype.cpp:
2358         (JSC::FunctionPrototype::FunctionPrototype):
2359         * runtime/FunctionPrototype.h:
2360         (JSC::FunctionPrototype::create):
2361         * runtime/NativeErrorConstructor.cpp:
2362         (JSC::NativeErrorConstructor::NativeErrorConstructor):
2363         * runtime/NativeErrorConstructor.h:
2364         (JSC::NativeErrorConstructor::create):
2365         * runtime/NativeErrorPrototype.cpp:
2366         (JSC::NativeErrorPrototype::NativeErrorPrototype):
2367         (JSC::NativeErrorPrototype::finishCreation):
2368         * runtime/NativeErrorPrototype.h:
2369         (JSC::NativeErrorPrototype::create):
2370         * runtime/NumberConstructor.cpp:
2371         (JSC::NumberConstructor::NumberConstructor):
2372         * runtime/NumberConstructor.h:
2373         (JSC::NumberConstructor::create):
2374         * runtime/NumberPrototype.cpp:
2375         (JSC::NumberPrototype::NumberPrototype):
2376         * runtime/NumberPrototype.h:
2377         (JSC::NumberPrototype::create):
2378         * runtime/ObjectConstructor.cpp:
2379         (JSC::ObjectConstructor::ObjectConstructor):
2380         * runtime/ObjectConstructor.h:
2381         (JSC::ObjectConstructor::create):
2382         * runtime/RegExpConstructor.cpp:
2383         (JSC::RegExpConstructor::RegExpConstructor):
2384         * runtime/RegExpConstructor.h:
2385         (JSC::RegExpConstructor::create):
2386         * runtime/RegExpPrototype.cpp:
2387         (JSC::RegExpPrototype::RegExpPrototype):
2388         * runtime/RegExpPrototype.h:
2389         (JSC::RegExpPrototype::create):
2390         * runtime/StringConstructor.cpp:
2391         (JSC::StringConstructor::StringConstructor):
2392         * runtime/StringConstructor.h:
2393         (JSC::StringConstructor::create):
2394         * runtime/StringObjectThatMasqueradesAsUndefined.h:
2395         (JSC::StringObjectThatMasqueradesAsUndefined::create):
2396         (JSC::StringObjectThatMasqueradesAsUndefined::StringObjectThatMasqueradesAsUndefined):
2397         * runtime/StringPrototype.cpp:
2398         (JSC::StringPrototype::StringPrototype):
2399         * runtime/StringPrototype.h:
2400         (JSC::StringPrototype::create):
2401
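The entry above describes pushing finishCreation() into subclass constructors and pulling the call out into each class's create() so that the finishCreation() chain runs exactly once per object. As an added illustration that is not JSC's code, here is a toy three-level hierarchy with that shape; the class names CellLike, ObjectLike, DatePrototypeLike and BrokenPrototypeLike, the call counter and the checked accessor are assumptions made for this example.

```cpp
#include <cassert>
#include <memory>
#include <string>

// Added example (not JSC's code): the create()/finishCreation() split. Constructor bodies stay
// trivial; the non-trivial initialisation lives in finishCreation(), each level first calling
// its base's finishCreation(), and the chain must run exactly once per object. The counter
// below enforces that: 2 or more calls assert inside finishCreation(), 0 calls assert on first use.
class CellLike {
public:
    virtual ~CellLike() = default;
    unsigned finishCreationCalls() const { return m_finishCreationCalls; }
    bool isFullyCreated() const { return m_finishCreationCalls == 1; }
    // Checked accessor: using an object whose finishCreation() chain never ran is a bug.
    const std::string& className() const { assert(isFullyCreated()); return m_className; }
protected:
    explicit CellLike(const char* name) : m_className(name) {}
    void finishCreation() {
        ++m_finishCreationCalls;
        assert(m_finishCreationCalls == 1); // a second call trips here
    }
private:
    std::string m_className;
    unsigned m_finishCreationCalls = 0;
};

class ObjectLike : public CellLike {
public:
    bool hasPrototypeSlot() const { return m_prototypeSlotReady; }
protected:
    explicit ObjectLike(const char* name) : CellLike(name) {}
    void finishCreation() {
        CellLike::finishCreation();       // base level first, so the chain stays ordered
        m_prototypeSlotReady = true;       // stands in for the base class's non-trivial setup
    }
private:
    bool m_prototypeSlotReady = false;
};

class DatePrototypeLike : public ObjectLike {
public:
    // The factory is the single place that runs the finishCreation() chain.
    static std::unique_ptr<DatePrototypeLike> create() {
        std::unique_ptr<DatePrototypeLike> object(new DatePrototypeLike());
        object->finishCreation();
        return object;
    }
    bool hasDateMethods() const { return m_dateMethodsInstalled; }
private:
    DatePrototypeLike() : ObjectLike("DatePrototype") {}  // constructor body stays trivial
    void finishCreation() {
        ObjectLike::finishCreation();
        m_dateMethodsInstalled = true;     // stands in for installing the prototype's methods
    }
    bool m_dateMethodsInstalled = false;
};

// A class whose create() forgot the finishCreation() call: the object is never fully created,
// so className() would assert on first use instead of returning half-initialised state.
class BrokenPrototypeLike : public ObjectLike {
public:
    static std::unique_ptr<BrokenPrototypeLike> create() {
        return std::unique_ptr<BrokenPrototypeLike>(new BrokenPrototypeLike());
    }
private:
    BrokenPrototypeLike() : ObjectLike("Broken") {}
};
```

Keeping the call in create() rather than in a constructor is what makes the count checkable: a constructor cannot know whether a subclass will call finishCreation() again, whereas the most-derived factory is the one place that runs the whole chain once.
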
2402 2011-09-13  Eric Seidel  <eric@webkit.org>
2403
2404         Remove ENABLE_SVG_USE as <use> is required by HTML5
2405         https://bugs.webkit.org/show_bug.cgi?id=68019
2406
2407         Reviewed by Ryosuke Niwa.
2408
2409         * Configurations/FeatureDefines.xcconfig:
2410
2411 2011-09-14  Iain Merrick  <husky@google.com>
2412
2413         HashTraits.h should include template specialization for WTF::String
2414         https://bugs.webkit.org/show_bug.cgi?id=67851
2415
2416         Ensure that the template specialization for HashTraits<String> is always
2417         picked up. (Previously it was possible to include HashSet and String but
2418         not the correct HashTraits, so you would get an inefficient template
2419         instantiation.)
2420
2421         Reviewed by Darin Adler.
2422
2423         * wtf/HashTraits.h:
2424         * wtf/text/StringHash.h:
2425
2426 2011-09-13  Filip Pizlo  <fpizlo@apple.com>
2427
2428         SpeculativeJIT::shouldSpeculateInteger(NodeIndex, NodeIndex) should
2429         return false if either node can be double
2430         https://bugs.webkit.org/show_bug.cgi?id=67985
2431
2432         Reviewed by Geoffrey Garen.
2433         
2434         This is a 17% speed-up on 3d-cube.
2435         
2436         This required allowing us to check if a constant is double but not
2437         integer, and making the shouldSpeculateInteger() check test for
2438         any hints of doubly-ness in its operands. This also required
2439         changing some terminology: previously "isDouble" often meant
2440         "isDouble or isInt32".  Now "isDouble" means exactly what the name
2441         suggests, and "isNumber" means "isDouble or isInt32".
2442
2443         * dfg/DFGByteCodeParser.cpp:
2444         (JSC::DFG::ByteCodeParser::toNumber):
2445         (JSC::DFG::ByteCodeParser::parseBlock):
2446         * dfg/DFGGenerationInfo.h:
2447         (JSC::DFG::isJSFormat):
2448         (JSC::DFG::isJSInteger):
2449         (JSC::DFG::isJSDouble):
2450         (JSC::DFG::isJSCell):
2451         (JSC::DFG::isJSBoolean):
2452         (JSC::DFG::GenerationInfo::isJSFormat):
2453         (JSC::DFG::GenerationInfo::isJSInteger):
2454         (JSC::DFG::GenerationInfo::isJSDouble):
2455         (JSC::DFG::GenerationInfo::isJSCell):
2456         (JSC::DFG::GenerationInfo::isJSBoolean):
2457         * dfg/DFGGraph.h:
2458         (JSC::DFG::Graph::isNumberConstant):
2459         (JSC::DFG::Graph::valueOfNumberConstant):
2460         * dfg/DFGJITCodeGenerator.cpp:
2461         (JSC::DFG::JITCodeGenerator::fillInteger):
2462         (JSC::DFG::JITCodeGenerator::fillDouble):
2463         (JSC::DFG::JITCodeGenerator::fillJSValue):
2464         (JSC::DFG::JITCodeGenerator::isKnownInteger):
2465         (JSC::DFG::JITCodeGenerator::isKnownNumeric):
2466         (JSC::DFG::JITCodeGenerator::isKnownCell):
2467         (JSC::DFG::JITCodeGenerator::isKnownNotInteger):
2468         (JSC::DFG::JITCodeGenerator::isKnownBoolean):
2469         * dfg/DFGJITCodeGenerator.h:
2470         (JSC::DFG::JITCodeGenerator::silentFillFPR):
2471         (JSC::DFG::JITCodeGenerator::isNumberConstant):
2472         (JSC::DFG::JITCodeGenerator::valueOfNumberConstant):
2473         (JSC::DFG::JITCodeGenerator::initConstantInfo):
2474         * dfg/DFGJITCompiler.cpp:
2475         (JSC::DFG::JITCompiler::fillNumericToDouble):
2476         (JSC::DFG::JITCompiler::fillToJS):
2477         * dfg/DFGJITCompiler.h:
2478         (JSC::DFG::JITCompiler::isNumberConstant):
2479         (JSC::DFG::JITCompiler::valueOfNumberConstant):
2480         * dfg/DFGNode.h:
2481         (JSC::DFG::Node::isDoubleConstant):
2482         (JSC::DFG::Node::isNumberConstant):
2483         (JSC::DFG::Node::valueOfNumberConstant):
2484         (JSC::DFG::Node::hasNumberResult):
2485         * dfg/DFGNonSpeculativeJIT.cpp:
2486         (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
2487         (JSC::DFG::NonSpeculativeJIT::compile):
2488         * dfg/DFGSpeculativeJIT.cpp:
2489         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2490         * dfg/DFGSpeculativeJIT.h:
2491         (JSC::DFG::SpeculativeJIT::isInteger):
2492         (JSC::DFG::SpeculativeJIT::shouldSpeculateDouble):
2493         (JSC::DFG::SpeculativeJIT::shouldNotSpeculateInteger):
2494         (JSC::DFG::SpeculativeJIT::shouldSpeculateInteger):
2495
2496 2011-09-13  Anders Carlsson  <andersca@apple.com>
2497
2498         Disable C++ exceptions when building with clang
2499         https://bugs.webkit.org/show_bug.cgi?id=68031
2500         <rdar://problem/9556880>
2501
2502         Reviewed by Mark Rowe.
2503
2504         * Configurations/Base.xcconfig:
2505
2506 2011-09-13  Eric Seidel  <eric@webkit.org>
2507
2508         Remove ENABLE_SVG_FOREIGN_OBJECT as it is a required part of HTML5
2509         https://bugs.webkit.org/show_bug.cgi?id=68018
2510
2511         Reviewed by Ryosuke Niwa.
2512
2513         * Configurations/FeatureDefines.xcconfig:
2514
2515 2011-09-13  Sam Weinig  <sam@webkit.org>
2516
2517         Object.getPrototypeOf should use JSValue::get()
2518         https://bugs.webkit.org/show_bug.cgi?id=67973
2519
2520         Reviewed by Darin Adler.
2521
2522         * runtime/ObjectConstructor.cpp:
2523         (JSC::objectConstructorGetPrototypeOf):
2524         Pipe through JSValue::get() to allow overrides.
2525
2526 2011-09-12  Filip Pizlo  <fpizlo@apple.com>
2527
2528         JavaScriptCore does not have baseline->speculative OSR
2529         https://bugs.webkit.org/show_bug.cgi?id=67920
2530
2531         Reviewed by Oliver Hunt.
2532         
2533         This adds the ability to on-stack-replace (OSR) from code that is
2534         running hot in the old JIT to code compiled by the new JIT.  This
2535         ensures that long-running loops benefit from DFG optimization.
2536         It also ensures that if code experiences a speculation failure
2537         in DFG code, it has an opportunity to reenter the DFG once every
2538         1,000 loop iterations or so.
2539         
2540         This results in a 2.88x speed-up on Kraken/imaging-desaturate,
2541         and is a pure win on the main three benchmark suites (SunSpider,
2542         V8, Kraken), when tiered compilation is enabled.
2543
2544         * JavaScriptCore.xcodeproj/project.pbxproj:
2545         * bytecode/CodeBlock.cpp:
2546         (JSC::CodeBlock::dump):
2547         (JSC::CodeBlock::CodeBlock):
2548         (JSC::ProgramCodeBlock::compileOptimized):
2549         (JSC::EvalCodeBlock::compileOptimized):
2550         (JSC::FunctionCodeBlock::compileOptimized):
2551         * bytecode/CodeBlock.h:
2552         * bytecode/Opcode.h:
2553         * bytecode/PredictedType.h: Added.
2554         (JSC::isCellPrediction):
2555         (JSC::isArrayPrediction):
2556         (JSC::isInt32Prediction):
2557         (JSC::isDoublePrediction):
2558         (JSC::isNumberPrediction):
2559         (JSC::isBooleanPrediction):
2560         (JSC::isStrongPrediction):
2561         (JSC::predictionToString):
2562         (JSC::mergePredictions):
2563         (JSC::mergePrediction):
2564         (JSC::makePrediction):
2565         * bytecode/PredictionTracker.h: Added.
2566         (JSC::operandIsArgument):
2567         (JSC::PredictionSlot::PredictionSlot):
2568         (JSC::PredictionTracker::PredictionTracker):
2569         (JSC::PredictionTracker::initializeSimilarTo):
2570         (JSC::PredictionTracker::copyLocalsFrom):
2571         (JSC::PredictionTracker::numberOfArguments):
2572         (JSC::PredictionTracker::numberOfVariables):
2573         (JSC::PredictionTracker::argumentIndexForOperand):
2574         (JSC::PredictionTracker::predictArgument):
2575         (JSC::PredictionTracker::predict):
2576         (JSC::PredictionTracker::predictGlobalVar):
2577         (JSC::PredictionTracker::getArgumentPrediction):
2578         (JSC::PredictionTracker::getPrediction):
2579         (JSC::PredictionTracker::getGlobalVarPrediction):
2580         * bytecompiler/BytecodeGenerator.cpp:
2581         (JSC::BytecodeGenerator::emitLoopHint):
2582         * bytecompiler/BytecodeGenerator.h:
2583         * bytecompiler/NodesCodegen.cpp:
2584         (JSC::DoWhileNode::emitBytecode):
2585         (JSC::WhileNode::emitBytecode):
2586         (JSC::ForNode::emitBytecode):
2587         (JSC::ForInNode::emitBytecode):
2588         * dfg/DFGByteCodeParser.cpp:
2589         (JSC::DFG::ByteCodeParser::parseBlock):
2590         * dfg/DFGCapabilities.h:
2591         (JSC::DFG::canCompileOpcode):
2592         * dfg/DFGDriver.cpp:
2593         (JSC::DFG::compile):
2594         * dfg/DFGGraph.cpp:
2595         (JSC::DFG::Graph::dump):
2596         * dfg/DFGGraph.h:
2597         (JSC::DFG::BasicBlock::BasicBlock):
2598         (JSC::DFG::Graph::predict):
2599         (JSC::DFG::Graph::getPrediction):
2600         * dfg/DFGJITCompiler.cpp:
2601         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
2602         (JSC::DFG::JITCompiler::compileEntry):
2603         (JSC::DFG::JITCompiler::compileBody):
2604         * dfg/DFGJITCompiler.h:
2605         (JSC::DFG::JITCompiler::noticeOSREntry):
2606         * dfg/DFGNode.h:
2607         * dfg/DFGOSREntry.cpp: Added.
2608         (JSC::DFG::predictionIsValid):
2609         (JSC::DFG::prepareOSREntry):
2610         * dfg/DFGOSREntry.h: Added.
2611         (JSC::DFG::prepareOSREntry):
2612         * dfg/DFGPredictionTracker.h: Removed.
2613         * dfg/DFGPropagator.cpp:
2614         (JSC::DFG::Propagator::mergeUse):
2615         (JSC::DFG::Propagator::mergePrediction):
2616         * dfg/DFGSpeculativeJIT.cpp:
2617         (JSC::DFG::SpeculativeJIT::compile):
2618         * jit/CompactJITCodeMap.h:
2619         (JSC::CompactJITCodeMap::numberOfEntries):
2620         (JSC::CompactJITCodeMap::decode):
2621         (JSC::CompactJITCodeMap::Decoder::Decoder):
2622         (JSC::CompactJITCodeMap::Decoder::numberOfEntriesRemaining):
2623         (JSC::CompactJITCodeMap::Decoder::read):
2624         * jit/JIT.cpp:
2625         (JSC::JIT::emitOptimizationCheck):
2626         (JSC::JIT::emitTimeoutCheck):
2627         (JSC::JIT::privateCompileMainPass):
2628         * jit/JIT.h:
2629         (JSC::JIT::emit_op_loop_hint):
2630         * jit/JITStubs.cpp:
2631         (JSC::DEFINE_STUB_FUNCTION):
2632         * runtime/Executable.cpp:
2633         (JSC::EvalExecutable::compileInternal):
2634         (JSC::ProgramExecutable::compileInternal):
2635         (JSC::FunctionExecutable::compileForCallInternal):
2636         (JSC::FunctionExecutable::compileForConstructInternal):
2637
2638 2011-09-12  Sam Weinig  <sam@webkit.org>
2639
2640         Don't allow setting __proto__ to be a getter or setter
2641         https://bugs.webkit.org/show_bug.cgi?id=67982
2642
2643         Reviewed by Gavin Barraclough.
2644
2645         * runtime/JSObject.cpp:
2646         (JSC::JSObject::defineGetter):
2647         (JSC::JSObject::defineSetter):
2648         Disallow setting a getter or setter on __proto__.
2649
2650 2011-09-12  James Robinson  <jamesr@chromium.org>
2651
2652         Unreviewed build fix for chromium.
2653
2654         Guard access to UString::latin1() with USE(JSC) since it is defined in JavaScriptCore/runtime/UString.cpp, which
2655         is currently only compiled in by ports that use JavaScriptCore.  This code is currently unreachable in builds so
2656         no change in functionality.
2657
2658         * yarr/YarrInterpreter.cpp:
2659         (JSC::Yarr::Interpreter::CharAccess::CharAccess):
2660
2661 2011-09-09  Filip Pizlo  <fpizlo@apple.com>
2662
2663         JavaScriptCore does not have speculative->baseline OSR
2664         https://bugs.webkit.org/show_bug.cgi?id=67826
2665
2666         Reviewed by Oliver Hunt.
2667         
2668         This adds the ability to bail out of DFG speculative JIT execution by
2669         performing an on-stack replacement (OSR) that results in the control
2670         flow going to the equivalent code generated by the old JIT.
2671         
2672         This required a number of new features, as well as taking advantage of
2673         some features that happened to already be present:
2674         
2675         We already had a policy of storing the bytecode index for which a DFG
2676         node was generated inside the DFG::Node class. This was previously
2677         called exceptionInfo. It's now renamed to codeOrigin to reflect that
2678         it's used for more than just exceptions. OSR uses this to figure out
2679         which bytecode index to use to look up the machine code location in
2680         the code generated by the old JIT that we should be jumping to.
2681         
2682         CodeBlock now stores a mapping between bytecode indices and machine
2683         code offsets for code generated by the old JIT. This is implemented
2684         by CompactJITCodeMap, which tries to compress this data a bit.  The
2685         OSR compiler decodes this and uses it to find the machine code
2686         locations it should be jumping to.
2687         
2688         We already had a mechanism that emitted SetLocal nodes in the DFG graph
2689         that told us the time at which the old JIT would have stored something
2690         into its register file, and the DFG::Node that corresponds to the value
2691         that it would have stored. These SetLocal's were mostly dead-code-
2692         eliminated, but our DCE leaves the nodes intact except for making them
2693         have 0 as the ref count. This allows the OSR compiler to construct a
2694         mapping between the state as it would have been seen by the old JIT
2695         and the state as the DFG JIT sees it. The OSR compiler uses this to
2696         generate code that reshapes the call frame so that it is like what the
2697         old JIT would expect.
2698         
2699         Finally, when DFG_OSR is enabled (the default for TIERED_COMPILATION)
2700         we no longer emit the non-speculative path.
2701
2702         * JavaScriptCore.xcodeproj/project.pbxproj:
2703         * bytecode/CodeBlock.h:
2704         * dfg/DFGByteCodeParser.cpp:
2705         (JSC::DFG::ByteCodeParser::currentCodeOrigin):
2706         (JSC::DFG::ByteCodeParser::addToGraph):
2707         * dfg/DFGGPRInfo.h:
2708         * dfg/DFGGenerationInfo.h:
2709         (JSC::DFG::GenerationInfo::alive):
2710         * dfg/DFGGraph.cpp:
2711         (JSC::DFG::Graph::dump):
2712         * dfg/DFGJITCodeGenerator.cpp:
2713         (JSC::DFG::JITCodeGenerator::emitCall):
2714         * dfg/DFGJITCodeGenerator.h:
2715         (JSC::DFG::JITCodeGenerator::appendCallWithExceptionCheck):
2716         * dfg/DFGJITCompiler.cpp:
2717         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
2718         (JSC::DFG::JITCompiler::linkOSRExits):
2719         (JSC::DFG::JITCompiler::compileBody):
2720         (JSC::DFG::JITCompiler::link):
2721         * dfg/DFGJITCompiler.h:
2722         (JSC::DFG::CallRecord::CallRecord):
2723         (JSC::DFG::JITCompiler::notifyCall):
2724         (JSC::DFG::JITCompiler::appendCallWithExceptionCheck):
2725         (JSC::DFG::JITCompiler::appendCallWithFastExceptionCheck):
2726         (JSC::DFG::JITCompiler::addJSCall):
2727         (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
2728         * dfg/DFGNode.h:
2729         (JSC::DFG::CodeOrigin::CodeOrigin):
2730         (JSC::DFG::CodeOrigin::isSet):
2731         (JSC::DFG::CodeOrigin::bytecodeIndex):
2732         (JSC::DFG::Node::Node):
2733         (JSC::DFG::Node::child1Unchecked):
2734         * dfg/DFGNonSpeculativeJIT.cpp:
2735         (JSC::DFG::NonSpeculativeJIT::compile):
2736         * dfg/DFGSpeculativeJIT.cpp:
2737         (JSC::DFG::ValueSource::dump):
2738         (JSC::DFG::ValueRecovery::dump):
2739         (JSC::DFG::OSRExit::OSRExit):
2740         (JSC::DFG::SpeculativeJIT::compile):
2741         (JSC::DFG::SpeculativeJIT::compileMovHint):
2742         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
2743         * dfg/DFGSpeculativeJIT.h:
2744         (JSC::DFG::ValueSource::ValueSource):
2745         (JSC::DFG::ValueSource::isSet):
2746         (JSC::DFG::ValueSource::nodeIndex):
2747         (JSC::DFG::ValueRecovery::ValueRecovery):
2748         (JSC::DFG::ValueRecovery::alreadyInRegisterFile):
2749         (JSC::DFG::ValueRecovery::inGPR):
2750         (JSC::DFG::ValueRecovery::inFPR):
2751         (JSC::DFG::ValueRecovery::displacedInRegisterFile):
2752         (JSC::DFG::ValueRecovery::constant):
2753         (JSC::DFG::ValueRecovery::technique):
2754         (JSC::DFG::ValueRecovery::gpr):
2755         (JSC::DFG::ValueRecovery::fpr):
2756         (JSC::DFG::ValueRecovery::virtualRegister):
2757         (JSC::DFG::OSRExit::numberOfRecoveries):
2758         (JSC::DFG::OSRExit::valueRecovery):
2759         (JSC::DFG::OSRExit::isArgument):
2760         (JSC::DFG::OSRExit::argumentForIndex):
2761         (JSC::DFG::OSRExit::variableForIndex):
2762         (JSC::DFG::OSRExit::operandForIndex):
2763         (JSC::DFG::SpeculativeJIT::osrExits):
2764         (JSC::DFG::SpeculativeJIT::speculationCheck):
2765         (JSC::DFG::SpeculativeJIT::valueSourceForOperand):
2766         (JSC::DFG::SpeculativeJIT::setNodeIndexForOperand):
2767         (JSC::DFG::SpeculativeJIT::valueSourceReferenceForOperand):
2768         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
2769         (JSC::DFG::SpeculationCheckIndexIterator::SpeculationCheckIndexIterator):
2770         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
2771         * jit/CompactJITCodeMap.h: Added.
2772         (JSC::BytecodeAndMachineOffset::BytecodeAndMachineOffset):
2773         (JSC::BytecodeAndMachineOffset::getBytecodeIndex):
2774         (JSC::BytecodeAndMachineOffset::getMachineCodeOffset):
2775         (JSC::CompactJITCodeMap::~CompactJITCodeMap):
2776         (JSC::CompactJITCodeMap::decode):
2777         (JSC::CompactJITCodeMap::CompactJITCodeMap):
2778         (JSC::CompactJITCodeMap::at):
2779         (JSC::CompactJITCodeMap::decodeNumber):
2780         (JSC::CompactJITCodeMap::Encoder::Encoder):
2781         (JSC::CompactJITCodeMap::Encoder::~Encoder):
2782         (JSC::CompactJITCodeMap::Encoder::append):
2783         (JSC::CompactJITCodeMap::Encoder::finish):
2784         (JSC::CompactJITCodeMap::Encoder::appendByte):
2785         (JSC::CompactJITCodeMap::Encoder::encodeNumber):
2786         (JSC::CompactJITCodeMap::Encoder::ensureCapacityFor):
2787         * jit/JIT.cpp:
2788         (JSC::JIT::privateCompileMainPass):
2789         (JSC::JIT::privateCompile):
2790         * jit/JIT.h:
2791         * runtime/JSGlobalData.cpp:
2792         (JSC::JSGlobalData::JSGlobalData):
2793         (JSC::JSGlobalData::~JSGlobalData):
2794         * runtime/JSGlobalData.h:
2795         (JSC::JSGlobalData::osrScratchBufferForSize):
2796         * runtime/JSValue.cpp:
2797         (JSC::JSValue::description):
2798
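The two OSR entries above (2011-09-12 and 2011-09-09) describe CodeBlock keeping a mapping from bytecode indices to machine-code offsets for old-JIT code, compressed by CompactJITCodeMap through an Encoder and read back by a Decoder when an OSR exit needs a jump target. As an added illustration that is not JSC's CompactJITCodeMap, here is a map with the same Encoder/Decoder shape; the delta-plus-varint encoding, the class name CompactCodeMap, the lookup machineCodeOffsetFor() and the constructed values in buildSampleMap() are assumptions made for this example.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <vector>

// Added example (not JSC's CompactJITCodeMap): bytecode index -> machine-code offset pairs stored
// as per-field deltas, each delta as a LEB128-style unsigned varint. Scheme is an assumption.
struct BytecodeAndMachineOffset {
    uint32_t bytecodeIndex;
    uint32_t machineCodeOffset;
};

class CompactCodeMap {
public:
    class Encoder {
    public:
        explicit Encoder(CompactCodeMap& map) : m_map(map) {}
        // Entries are appended in increasing order so both deltas are non-negative.
        void append(uint32_t bytecodeIndex, uint32_t machineCodeOffset) {
            assert(bytecodeIndex >= m_lastBytecodeIndex && machineCodeOffset >= m_lastMachineOffset);
            encodeNumber(bytecodeIndex - m_lastBytecodeIndex);
            encodeNumber(machineCodeOffset - m_lastMachineOffset);
            m_lastBytecodeIndex = bytecodeIndex;
            m_lastMachineOffset = machineCodeOffset;
            ++m_map.m_numberOfEntries;
        }
    private:
        void encodeNumber(uint32_t value) { // 7 bits per byte, high bit means "more follows"
            while (value >= 0x80) {
                m_map.m_bytes.push_back(static_cast<uint8_t>(value | 0x80));
                value >>= 7;
            }
            m_map.m_bytes.push_back(static_cast<uint8_t>(value));
        }
        CompactCodeMap& m_map;
        uint32_t m_lastBytecodeIndex = 0;
        uint32_t m_lastMachineOffset = 0;
    };

    class Decoder {
    public:
        explicit Decoder(const CompactCodeMap& map) : m_map(map), m_remaining(map.m_numberOfEntries) {}
        unsigned numberOfEntriesRemaining() const { return m_remaining; }
        // Reads the next entry; false at the end or if the byte stream is truncated or malformed.
        bool read(BytecodeAndMachineOffset& out) {
            if (!m_remaining) return false;
            uint32_t bytecodeDelta, machineDelta;
            if (!decodeNumber(bytecodeDelta) || !decodeNumber(machineDelta)) return false;
            m_bytecodeIndex += bytecodeDelta;
            m_machineOffset += machineDelta;
            out = { m_bytecodeIndex, m_machineOffset };
            --m_remaining;
            return true;
        }
    private:
        bool decodeNumber(uint32_t& value) {
            value = 0;
            for (unsigned shift = 0; shift < 32; shift += 7) {
                if (m_pos >= m_map.m_bytes.size()) return false; // truncated input: never read past the end
                uint8_t byte = m_map.m_bytes[m_pos++];
                value |= static_cast<uint32_t>(byte & 0x7f) << shift;
                if (!(byte & 0x80)) return true;
            }
            return false; // more than five bytes for one number: malformed
        }
        const CompactCodeMap& m_map;
        size_t m_pos = 0;
        unsigned m_remaining;
        uint32_t m_bytecodeIndex = 0;
        uint32_t m_machineOffset = 0;
    };

    unsigned numberOfEntries() const { return m_numberOfEntries; }
    size_t encodedSize() const { return m_bytes.size(); }

    // What an OSR exit needs: the machine-code offset for a bytecode index, or -1 when absent.
    long machineCodeOffsetFor(uint32_t bytecodeIndex) const {
        Decoder decoder(*this);
        BytecodeAndMachineOffset entry;
        while (decoder.read(entry)) {
            if (entry.bytecodeIndex == bytecodeIndex) return entry.machineCodeOffset;
            if (entry.bytecodeIndex > bytecodeIndex) break; // sorted, so no later match
        }
        return -1;
    }

private:
    std::vector<uint8_t> m_bytes;
    unsigned m_numberOfEntries = 0;
};

// Constructed sample (values invented): five bytecode-index/machine-offset pairs, 12 bytes encoded
// instead of 40 for the raw pairs.
CompactCodeMap buildSampleMap() {
    CompactCodeMap map;
    CompactCodeMap::Encoder encoder(map);
    encoder.append(0, 0); encoder.append(5, 24); encoder.append(9, 61);
    encoder.append(17, 300); encoder.append(40, 1024);
    return map;
}
```

Two points matter for a map consulted on the exit path. The decoder bounds every byte read against the stored vector and rejects an over-long varint, so a corrupted or truncated map yields a failed lookup rather than an out-of-range read; and the lookup stops as soon as it passes the requested index, which the sorted delta encoding makes possible without decoding the rest.
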
2799 2011-09-12  Geoffrey Garen  <ggaren@apple.com>
2800
2801         Re-enabled ENABLE(LAZY_BLOCK_FREEING).
2802         
2803         Reviewed by Stephanie Lewis.
2804
2805         I accidentally disabled this in r94890, causing a big performance regression.
2806
2807         * wtf/Platform.h:
2808
2809 2011-09-12  Michael Saboff  <msaboff@apple.com>
2810
2811         Broken Build for ARM - lshift32() needs TrustedImm32 arg
2812         https://bugs.webkit.org/show_bug.cgi?id=67965
2813
2814         Change lshift32(16, ARMRegisters::S1); to lshift32(TrustedImm32(16), ARMRegisters::S1);
2815
2816         Reviewed by Anders Carlsson.
2817
2818         * assembler/MacroAssemblerARM.h:
2819         (JSC::MacroAssemblerARM::branch16):
2820
2821 2011-09-12  Michael Saboff  <msaboff@apple.com>
2822
2823         Broken ARM build - missing semicolon in JavaScriptCore/assembler/MacroAssemblerARM.h
2824         https://bugs.webkit.org/show_bug.cgi?id=67961
2825
2826         Added missing semicolon.
2827
2828         Reviewed by Ryosuke Niwa.
2829
2830         * assembler/MacroAssemblerARM.h:
2831         (JSC::MacroAssemblerARM::branch16):
2832
2833 2011-09-12  Michael Saboff  <msaboff@apple.com>
2834
2835         Update RegExp and related classes to use 8 bit strings when available
2836         https://bugs.webkit.org/show_bug.cgi?id=67337
2837
2838         Modified both the Yarr interpreter and JIT to handle 8 bit subject strings.
2839         The code paths are triggered by the UString::is8bit() method which currently
2840         returns false.  Implemented JIT changes for all current architectures.
2841         Tested X86_64 and ARM v7.
2842
2843         This includes some code that will likely change as we complete the
2844         8 bit string changes.  This includes the way the raw buffer pointers
2845         are accessed as well as replacing the CharAccess class with a
2846         string iterator returned from UString.
2847
2848         Fixed build breakage in testRegExp.cpp due to globalObject construction
2849         changes.
2850
2851         Reviewed by Gavin Barraclough.
2852
2853         * JavaScriptCore.exp:
2854         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2855         * testRegExp.cpp:
2856         (GlobalObject::finishCreation):
2857         (GlobalObject::GlobalObject):
2858         * assembler/ARMAssembler.cpp:
2859         (JSC::ARMAssembler::baseIndexTransfer32):
2860         * assembler/ARMAssembler.h:
2861         * assembler/ARMv7Assembler.h:
2862         (JSC::ARMv7Assembler::ubfx):
2863         (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp12Reg40Imm3Reg4Imm20Imm5):
2864         * assembler/MacroAssemblerARM.h:
2865         (JSC::MacroAssemblerARM::load8):
2866         (JSC::MacroAssemblerARM::branch8):
2867         (JSC::MacroAssemblerARM::branch16):
2868         * assembler/MacroAssemblerARMv7.h:
2869         (JSC::MacroAssemblerARMv7::load8):
2870         (JSC::MacroAssemblerARMv7::branch16):
2871         (JSC::MacroAssemblerARMv7::branch8):
2872         * assembler/MacroAssemblerMIPS.h:
2873         (JSC::MacroAssemblerMIPS::load8):
2874         (JSC::MacroAssemblerMIPS::branch8):
2875         (JSC::MacroAssemblerMIPS::branch16):
2876         * assembler/MacroAssemblerSH4.h:
2877         (JSC::MacroAssemblerSH4::load8):
2878         (JSC::MacroAssemblerSH4::branch8):
2879         (JSC::MacroAssemblerSH4::branch16):
2880         * assembler/MacroAssemblerX86Common.h:
2881         (JSC::MacroAssemblerX86Common::load8):
2882         (JSC::MacroAssemblerX86Common::branch16):
2883         (JSC::MacroAssemblerX86Common::branch8):
2884         * assembler/SH4Assembler.h:
2885         (JSC::SH4Assembler::extub):
2886         (JSC::SH4Assembler::printInstr):
2887         * assembler/X86Assembler.h:
2888         (JSC::X86Assembler::cmpw_ir):
2889         (JSC::X86Assembler::movzbl_mr):
2890         * runtime/RegExp.cpp:
2891         (JSC::RegExp::compile):
2892         (JSC::RegExp::compileIfNecessary):
2893         (JSC::RegExp::match):
2894         (JSC::RegExp::matchCompareWithInterpreter):
2895         * runtime/RegExp.h:
2896         * runtime/UString.h:
2897         (JSC::UString::is8Bit):
2898         * yarr/Yarr.h:
2899         * yarr/YarrInterpreter.cpp:
2900         (JSC::Yarr::Interpreter::CharAccess::CharAccess):
2901         (JSC::Yarr::Interpreter::CharAccess::~CharAccess):
2902         (JSC::Yarr::Interpreter::CharAccess::operator[]):
2903         (JSC::Yarr::Interpreter::InputStream::InputStream):
2904         (JSC::Yarr::Interpreter::Interpreter):
2905         (JSC::Yarr::interpret):
2906         * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::jumpIfCharNotEquals):
        (JSC::Yarr::YarrGenerator::readCharacter):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy):
        (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy):
        (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
        (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
        (JSC::Yarr::YarrGenerator::YarrGenerator):
        (JSC::Yarr::YarrGenerator::compile):
        (JSC::Yarr::jitCompile):
        (JSC::Yarr::execute):
        * yarr/YarrJIT.h:
        (JSC::Yarr::YarrCodeBlock::has8BitCode):
        (JSC::Yarr::YarrCodeBlock::has16BitCode):
        (JSC::Yarr::YarrCodeBlock::set8BitCode):
        (JSC::Yarr::YarrCodeBlock::set16BitCode):
        (JSC::Yarr::YarrCodeBlock::execute):
        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::Parser):

2011-09-12  Andras Becsi  <andras.becsi@nokia.com>

        [Qt] Build fails after r94920 with strict compiler
        https://bugs.webkit.org/show_bug.cgi?id=67928

        Reviewed by Csaba Osztrogonác.

        * wtf/RedBlackTree.h:
        (WTF::RedBlackTree::insert): Remove dead variables updateStart and newSubTreeRoot.

2011-09-12  Patrick Gansterer  <paroga@webkit.org>

        Unreviewed build fix after r94871.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * wtf/FastMalloc.cpp:
        * wtf/RefCountedLeakCounter.h:

2011-09-11  Filip Pizlo  <fpizlo@apple.com>

        DFGNode.h has macros that indicate the enabling of a feature, but
        they do not use the ENABLE() idiom.
        https://bugs.webkit.org/show_bug.cgi?id=67907

        Reviewed by Oliver Hunt.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::stronglyPredict):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGJITCodeGenerator.cpp:
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::fillInt32ToInteger):
        (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):
        (JSC::DFG::JITCompiler::compileBody):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::fixpoint):
        (JSC::DFG::Propagator::propagateNode):
        (JSC::DFG::Propagator::propagateForward):
        (JSC::DFG::Propagator::propagateBackward):
        (JSC::DFG::propagate):
        * dfg/DFGScoreBoard.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):

2011-09-11  Fumitoshi Ukai  <ukai@chromium.org>

        Unreviewed build fix for chromium/mac & clang.

        Fix the macro redefinition error by r94927, because chromium set
        ENABLE_JSC_MULTIPLE_THREADS=0 in WebKit/chromium/features.gypi and
        it is not PLATFORM(QT).
         ../../JavaScriptCore/wtf/Platform.h:512:9: error: 'ENABLE_JSC_MULTIPLE_THREADS' macro redefined [-Werror]
         #define ENABLE_JSC_MULTIPLE_THREADS 1
         <command line>:43:9: note: previous definition is here
         #define ENABLE_JSC_MULTIPLE_THREADS 0
         1 error generated.

        * wtf/Platform.h:

2011-09-11  Sam Weinig  <sam@webkit.org>

        Remove JSCell::isPropertyNameIterator(), it is unused
        https://bugs.webkit.org/show_bug.cgi?id=67911

        Reviewed by Oliver Hunt.

        * runtime/JSCell.h:
        * runtime/JSPropertyNameIterator.h:

2011-09-11  Sam Weinig  <sam@webkit.org>

        De-virtualize JSCell::isAPIValueWrapper
        https://bugs.webkit.org/show_bug.cgi?id=67909

        Reviewed by Oliver Hunt.

        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure):
        Set the correct type on structure creation.

        * runtime/JSCell.h:
        Remove virtual keyword and default implementation.

        * runtime/JSType.h:
        Add type for APIValueWrapper. It must come after CompoundType since
        the APIValueWrapper has children in need of marking.

        * runtime/Structure.h:
        (JSC::JSCell::isAPIValueWrapper):
        Implement predicate using type info.

2011-09-10  Sam Weinig  <sam@webkit.org>

        De-virtualize JSCell::isGetterSetter, type information is available for it
        https://bugs.webkit.org/show_bug.cgi?id=67902

        Reviewed by Dan Bernstein.

        * runtime/GetterSetter.cpp:
        * runtime/GetterSetter.h:
        Remove override of isGetterSetter.

        * runtime/JSCell.cpp:
        * runtime/JSCell.h:
        De-virtualize and remove silly base implementation.

        * runtime/Structure.h:
        (JSC::JSCell::isGetterSetter):
        Use type info to determine getter-setter-hood.

2011-09-09  Oliver Hunt  <oliver@apple.com>

        Remove support for anonymous storage from jsobjects
        https://bugs.webkit.org/show_bug.cgi?id=67881

        Reviewed by Sam Weinig.

        Remove all use of anonymous slots, essentially a mechanical change
        in JavaScriptCore

        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::createStructure):
        * API/JSCallbackFunction.h:
        (JSC::JSCallbackFunction::createStructure):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::createStructure):
        * JavaScriptCore.exp:
        * debugger/DebuggerActivation.h:
        (JSC::DebuggerActivation::createStructure):
        * heap/MarkStack.cpp:
        (JSC::MarkStack::validateValue):
        * heap/MarkStack.h:
        * runtime/Arguments.h:
        (JSC::Arguments::createStructure):
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::createStructure):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::createStructure):
        * runtime/BooleanObject.h:
        (JSC::BooleanObject::createStructure):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::BooleanPrototype):
        * runtime/BooleanPrototype.h:
        (JSC::BooleanPrototype::createStructure):
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::createStructure):
        * runtime/DateInstance.h:
        (JSC::DateInstance::createStructure):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::DatePrototype):
        * runtime/DatePrototype.h:
        (JSC::DatePrototype::createStructure):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::createStructure):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::finishCreation):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::createStructure):
        * runtime/ExceptionHelpers.h:
        (JSC::InterruptedExecutionError::createStructure):
        (JSC::TerminatedExecutionError::createStructure):
        * runtime/Executable.h:
        (JSC::ExecutableBase::createStructure):
        (JSC::NativeExecutable::createStructure):
        (JSC::EvalExecutable::createStructure):
        (JSC::ProgramExecutable::createStructure):
        (JSC::FunctionExecutable::createStructure):
        * runtime/FunctionPrototype.h:
        (JSC::FunctionPrototype::createStructure):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::createStructure):
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::createStructure):
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure):
        * runtime/JSActivation.h:
        (JSC::JSActivation::createStructure):
        * runtime/JSArray.h:
        (JSC::JSArray::createStructure):
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::createStructure):
        * runtime/JSCell.h:
        * runtime/JSFunction.h:
        (JSC::JSFunction::createStructure):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::finishCreation):
        (JSC::JSGlobalObject::createStructure):
        * runtime/JSNotAnObject.h:
        (JSC::JSNotAnObject::createStructure):
        * runtime/JSONObject.h:
        (JSC::JSONObject::createStructure):
        * runtime/JSObject.h:
        (JSC::JSObject::createStructure):
        (JSC::JSNonFinalObject::createStructure):
        (JSC::JSFinalObject::createStructure):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::create):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::createStructure):
        * runtime/JSStaticScopeObject.h:
        (JSC::JSStaticScopeObject::createStructure):
        * runtime/JSString.h:
        (JSC::RopeBuilder::createStructure):
        * runtime/JSVariableObject.h:
        (JSC::JSVariableObject::createStructure):
        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::createStructure):
        * runtime/MathObject.h:
        (JSC::MathObject::createStructure):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::createStructure):
        * runtime/NumberConstructor.h:
        (JSC::NumberConstructor::createStructure):
        * runtime/NumberObject.h:
        (JSC::NumberObject::createStructure):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::NumberPrototype):
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::createStructure):
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::createStructure):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::finishCreation):
        * runtime/ObjectPrototype.h:
        (JSC::ObjectPrototype::createStructure):
        * runtime/RegExp.h:
        (JSC::RegExp::createStructure):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::createStructure):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::createStructure):
        * runtime/RegExpPrototype.h:
        (JSC::RegExpPrototype::createStructure):
        * runtime/ScopeChain.h:
        (JSC::ScopeChainNode::createStructure):
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::createStructure):
        * runtime/StringConstructor.h:
        (JSC::StringConstructor::createStructure):
        * runtime/StringObject.h:
        (JSC::StringObject::createStructure):
        * runtime/StringObjectThatMasqueradesAsUndefined.h:
        (JSC::StringObjectThatMasqueradesAsUndefined::createStructure):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::StringPrototype):
        * runtime/StringPrototype.h:
        (JSC::StringPrototype::createStructure):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::addPropertyTransitionToExistingStructure):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::removePropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::getterSetterTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::removePropertyWithoutTransition):
        (JSC::Structure::get):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::remove):
        (JSC::Structure::checkConsistency):
        * runtime/Structure.h:
        (JSC::Structure::create):
        (JSC::Structure::propertyStorageSize):
        (JSC::Structure::get):
        * runtime/StructureChain.h:
        (JSC::StructureChain::createStructure):

2011-09-11  Jarred Nicholls  <jarred@sencha.com>

        [Qt] Win32 build broken due to MachineStackMarker.cpp/.o failing to link against pthreads library
        https://bugs.webkit.org/show_bug.cgi?id=67864

        Qt Win32 is not pthread compatible and cannot participate in multithreaded JSC or it fails to build.

        Reviewed by Csaba Osztrogonác.

        * wtf/Platform.h:

2011-09-11  Filip Pizlo  <fpizlo@apple.com>

        ARM and MIPS assemblers still refer to executable pools.
        https://bugs.webkit.org/show_bug.cgi?id=67903

        Reviewed by Csaba Osztrogonác.

        * assembler/ARMAssembler.cpp:
        (JSC::ARMAssembler::executableCopy):
        * assembler/ARMAssembler.h:
        * assembler/AssemblerBufferWithConstantPool.h:
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::executableCopy):

2011-09-08  Filip Pizlo  <fpizlo@apple.com>

        The executable allocator makes it difficult to free individual
        chunks of executable memory
        https://bugs.webkit.org/show_bug.cgi?id=66363

        Reviewed by Oliver Hunt.

        Introduced a best-fit, balanced-tree based allocator. The allocator
        required a balanced tree that does not allocate memory and that
        permits the removal of individual nodes directly (as opposed to by
        key); neither AVLTree nor WebCore's PODRedBlackTree supported this.
        Changed all references to executable code to use a reference counted
        handle.

        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AssemblerBuffer.h:
        (JSC::AssemblerBuffer::executableCopy):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::finalizeCode):
        (JSC::LinkBuffer::linkCode):
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
        (JSC::MacroAssemblerCodeRef::createSelfManagedCodeRef):
        (JSC::MacroAssemblerCodeRef::executableMemory):
        (JSC::MacroAssemblerCodeRef::code):
        (JSC::MacroAssemblerCodeRef::size):
        (JSC::MacroAssemblerCodeRef::operator!):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::executableCopy):
        (JSC::X86Assembler::X86InstructionFormatter::executableCopy):
        * bytecode/CodeBlock.h:
        * bytecode/Instruction.h:
        * bytecode/StructureStubInfo.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::generateProtoChainAccessStub):
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDList):
        (JSC::DFG::tryBuildGetByIDProtoList):
        (JSC::DFG::tryCachePutByID):
        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::initializeAllocator):
        (JSC::ExecutableAllocator::ExecutableAllocator):
        (JSC::ExecutableAllocator::allocate):
        (JSC::ExecutableAllocator::committedByteCount):
        (JSC::ExecutableAllocator::dumpProfile):
        * jit/ExecutableAllocator.h:
        (JSC::ExecutableAllocator::dumpProfile):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::ExecutableAllocator::initializeAllocator):
        (JSC::ExecutableAllocator::ExecutableAllocator):
        (JSC::ExecutableAllocator::isValid):
        (JSC::ExecutableAllocator::underMemoryPressure):
        (JSC::ExecutableAllocator::allocate):
        (JSC::ExecutableAllocator::committedByteCount):
        (JSC::ExecutableAllocator::dumpProfile):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::JIT::compileCTIMachineTrampolines):
        (JSC::JIT::compileCTINativeCall):
        * jit/JITCode.h:
        (JSC::JITCode::operator !):
        (JSC::JITCode::addressForCall):
        (JSC::JITCode::offsetOf):
        (JSC::JITCode::execute):
        (JSC::JITCode::start):
        (JSC::JITCode::size):
        (JSC::JITCode::getExecutableMemory):
        (JSC::JITCode::HostFunction):
        (JSC::JITCode::JITCode):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::JITThunks):
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::getPolymorphicAccessStructureListSlot):
        (JSC::JITThunks::ctiStub):
        (JSC::JITThunks::hostFunctionStub):
        * jit/JITStubs.h:
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
        (JSC::SpecializedThunkJIT::finalize):
        * jit/ThunkGenerators.cpp:
        (JSC::charCodeAtThunkGenerator):
        (JSC::charAtThunkGenerator):
        (JSC::fromCharCodeThunkGenerator):
        (JSC::sqrtThunkGenerator):
        (JSC::floorThunkGenerator):
        (JSC::ceilThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::expThunkGenerator):
        (JSC::logThunkGenerator):
        (JSC::absThunkGenerator):
        (JSC::powThunkGenerator):
        * jit/ThunkGenerators.h:
        * runtime/Executable.h:
        (JSC::NativeExecutable::create):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::dumpSampleData):
        * runtime/JSGlobalData.h:
        (JSC::JSGlobalData::getCTIStub):
        * wtf/CMakeLists.txt:
        * wtf/MetaAllocator.cpp: Added.
        (WTF::MetaAllocatorHandle::MetaAllocatorHandle):
        (WTF::MetaAllocatorHandle::~MetaAllocatorHandle):
        (WTF::MetaAllocatorHandle::shrink):
        (WTF::MetaAllocator::MetaAllocator):
        (WTF::MetaAllocator::allocate):
        (WTF::MetaAllocator::currentStatistics):
        (WTF::MetaAllocator::findAndRemoveFreeSpace):
        (WTF::MetaAllocator::addFreeSpaceFromReleasedHandle):
        (WTF::MetaAllocator::addFreshFreeSpace):
        (WTF::MetaAllocator::debugFreeSpaceSize):
        (WTF::MetaAllocator::addFreeSpace):
        (WTF::MetaAllocator::incrementPageOccupancy):
        (WTF::MetaAllocator::decrementPageOccupancy):
        (WTF::MetaAllocator::roundUp):
        (WTF::MetaAllocator::allocFreeSpaceNode):
        (WTF::MetaAllocator::freeFreeSpaceNode):
        (WTF::MetaAllocator::dumpProfile):
        * wtf/MetaAllocator.h: Added.
        (WTF::MetaAllocator::bytesAllocated):
        (WTF::MetaAllocator::bytesReserved):
        (WTF::MetaAllocator::bytesCommitted):
        (WTF::MetaAllocator::dumpProfile):
        (WTF::MetaAllocator::~MetaAllocator):
        * wtf/MetaAllocatorHandle.h: Added.
        * wtf/RedBlackTree.h: Added.
        (WTF::RedBlackTree::Node::Node):
        (WTF::RedBlackTree::Node::successor):
        (WTF::RedBlackTree::Node::predecessor):
        (WTF::RedBlackTree::Node::reset):
        (WTF::RedBlackTree::Node::parent):
        (WTF::RedBlackTree::Node::setParent):
        (WTF::RedBlackTree::Node::left):
        (WTF::RedBlackTree::Node::setLeft):
        (WTF::RedBlackTree::Node::right):
        (WTF::RedBlackTree::Node::setRight):
        (WTF::RedBlackTree::Node::color):
        (WTF::RedBlackTree::Node::setColor):
        (WTF::RedBlackTree::RedBlackTree):
        (WTF::RedBlackTree::insert):
        (WTF::RedBlackTree::remove):
        (WTF::RedBlackTree::findExact):
        (WTF::RedBlackTree::findLeastGreaterThanOrEqual):
        (WTF::RedBlackTree::findGreatestLessThanOrEqual):
        (WTF::RedBlackTree::first):
        (WTF::RedBlackTree::last):
        (WTF::RedBlackTree::size):
        (WTF::RedBlackTree::isEmpty):
        (WTF::RedBlackTree::treeMinimum):
        (WTF::RedBlackTree::treeMaximum):
        (WTF::RedBlackTree::treeInsert):
        (WTF::RedBlackTree::leftRotate):
        (WTF::RedBlackTree::rightRotate):
        (WTF::RedBlackTree::removeFixup):
        * wtf/wtf.pri:
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::compile):
        * yarr/YarrJIT.h:
        (JSC::Yarr::YarrCodeBlock::execute):
        (JSC::Yarr::YarrCodeBlock::getAddr):

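The best-fit allocator design described in the entry above (a size-ordered tree with direct node removal, and reference-counted handles that return executable chunks when released), as an added illustration that is not WebKit's MetaAllocator or RedBlackTree code: a hypothetical BestFitAllocator keeps free chunks in a size-keyed multimap for best-fit lookup and an address-keyed map for coalescing, stores the size-index iterator so a chunk is removed by node rather than by key, and hands out shared handles that release and merge the chunk on destruction. All class and method names are assumptions, and the address range is abstract; no executable memory is mapped.

```cpp
#include <cstddef>
#include <cstdint>
#include <iterator>
#include <map>
#include <memory>

// Hypothetical best-fit allocator illustrating the design described in the entry
// above; it is not WebKit's MetaAllocator. Free chunks are indexed twice: a
// multimap keyed by size gives best-fit lookup, a map keyed by start address gives
// neighbour lookup for coalescing. The address map stores the iterator of the size
// entry, so a chunk leaves the size index by node, not by a search for its key.
class BestFitAllocator {
    using SizeIndex = std::multimap<size_t, uintptr_t>;          // size -> start
    using AddrIndex = std::map<uintptr_t, SizeIndex::iterator>;  // start -> size entry
public:
    // Reference-counted handle: when the last shared_ptr to it drops, the chunk
    // returns to the free space and merges with adjacent free chunks. Handles
    // must not outlive the allocator they came from.
    struct Handle {
        Handle(BestFitAllocator& a, uintptr_t s, size_t n) : allocator(a), start(s), size(n) {}
        ~Handle() { allocator.release(start, size); }
        BestFitAllocator& allocator; uintptr_t start; size_t size;
    };
    // The range is an abstract address space here; no memory is mapped or touched.
    BestFitAllocator(uintptr_t base, size_t size) { addFreeSpace(base, size); }

    // Best fit: the smallest free chunk of at least `size` bytes; the remainder
    // after the split stays free. Returns nullptr when nothing fits.
    std::shared_ptr<Handle> allocate(size_t size) {
        if (!size) return nullptr;
        SizeIndex::iterator fit = m_bySize.lower_bound(size);
        if (fit == m_bySize.end()) return nullptr;
        size_t chunkSize = fit->first;
        uintptr_t start = fit->second;
        removeFreeSpace(start, fit);
        if (chunkSize > size) addFreeSpace(start + size, chunkSize - size);
        m_allocated += size;
        return std::make_shared<Handle>(*this, start, size);
    }
    size_t bytesAllocated() const { return m_allocated; }
    size_t freeChunkCount() const { return m_bySize.size(); }
    size_t largestFreeChunk() const { return m_bySize.empty() ? 0 : m_bySize.rbegin()->first; }

private:
    void release(uintptr_t start, size_t size) {
        m_allocated -= size;
        // Merge with the free chunk ending exactly at `start`, if there is one.
        AddrIndex::iterator right = m_byAddr.lower_bound(start);
        if (right != m_byAddr.begin()) {
            AddrIndex::iterator left = std::prev(right);
            size_t leftSize = left->second->first;
            if (left->first + leftSize == start) {
                start = left->first;
                size += leftSize;
                removeFreeSpace(left->first, left->second);
            }
        }
        // Merge with the free chunk starting exactly at the new end, if any.
        right = m_byAddr.find(start + size);
        if (right != m_byAddr.end()) {
            size += right->second->first;
            removeFreeSpace(right->first, right->second);
        }
        addFreeSpace(start, size);
    }
    void addFreeSpace(uintptr_t start, size_t size) {
        m_byAddr[start] = m_bySize.insert({size, start});
    }
    // Direct removal through the stored iterators: no lookup by size is needed.
    void removeFreeSpace(uintptr_t start, SizeIndex::iterator sizeEntry) {
        m_bySize.erase(sizeEntry);
        m_byAddr.erase(start);
    }
    SizeIndex m_bySize;
    AddrIndex m_byAddr;
    size_t m_allocated = 0;
};
```

Freeing a handle between two live neighbours leaves a hole that a later best-fit request reuses in preference to a larger chunk; freeing the neighbours afterwards coalesces everything back into one chunk.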
2011-09-10  Sam Weinig  <sam@webkit.org>

        Remove JSC::isZombie() function, it did nothing and was called by no-one.
        https://bugs.webkit.org/show_bug.cgi?id=67901

        Reviewed by Andy Estes.

        * JavaScriptCore.exp:
        * runtime/JSCell.cpp:
        * runtime/JSValue.h:

2011-09-10  Sam Weinig  <sam@webkit.org>