[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
commit 671bea68a8659f9d9893bf25b3d754a81b040650
2013-02-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        Structure::m_enumerationCache should be moved to StructureRareData
        https://bugs.webkit.org/show_bug.cgi?id=108723

        Reviewed by Oliver Hunt.

        m_enumerationCache is only used by objects whose properties are iterated over, so not every Structure needs this 
        field and it can therefore be moved safely to StructureRareData to help with memory savings.

        * runtime/JSPropertyNameIterator.h:
        (JSPropertyNameIterator):
        (JSC::Register::propertyNameIterator):
        (JSC::StructureRareData::enumerationCache): Add to JSPropertyNameIterator.h so that it can see the correct type.
        (JSC::StructureRareData::setEnumerationCache): Ditto.
        * runtime/Structure.cpp:
        (JSC::Structure::addPropertyWithoutTransition): Use the enumerationCache() getter rather than accessing the field.
        (JSC::Structure::removePropertyWithoutTransition): Ditto.
        (JSC::Structure::visitChildren): We no longer have to worry about marking the m_enumerationCache field.
        * runtime/Structure.h: 
        (JSC::Structure::setEnumerationCache): Move the old accessors back since we don't have to have any knowledge of 
        the JSPropertyNameIterator type.
        (JSC::Structure::enumerationCache): Ditto.
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::visitChildren): Mark the new m_enumerationCache field.
        * runtime/StructureRareData.h: Add new functions/fields.
        (StructureRareData):

2013-02-01  Roger Fong  <roger_fong@apple.com>

        Unreviewed. JavaScriptCore VS2010 project cleanup.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj:

2013-02-01  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r141662.
        http://trac.webkit.org/changeset/141662
        https://bugs.webkit.org/show_bug.cgi?id=108738

        it's an incorrect change since processPhiStack will
        dereference dangling BasicBlock pointers (Requested by pizlo
        on #webkit).

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parse):

2013-02-01  Filip Pizlo  <fpizlo@apple.com>

        Eliminate dead blocks sooner in the DFG::ByteCodeParser to make clear that you don't need to hold onto them during Phi construction
        https://bugs.webkit.org/show_bug.cgi?id=108717

        Reviewed by Mark Hahnenberg.

        I think this makes the code clearer. It doesn't change behavior.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parse):

2013-02-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        Structure should have a StructureRareData field to save space
        https://bugs.webkit.org/show_bug.cgi?id=108659

        Reviewed by Oliver Hunt.

        Many of the fields in Structure are used in a subset of all total Structures; however, all Structures must 
        pay the memory cost of those fields, regardless of whether they use them or not. Since we can have potentially 
        many Structures on a single page (e.g. bing.com creates ~1500 Structures), it would be profitable to 
        refactor Structure so that not every Structure has to pay the memory costs for these infrequently used fields.

        To accomplish this, we can create a new StructureRareData class to house these seldom used fields which we 
        can allocate on demand whenever a Structure requires it. This StructureRareData can itself be a JSCell, and 
        can do all the marking of the fields for the Structure. The StructureRareData field will be part of a union 
        with m_previous to minimize overhead. We'll add a new field to JSTypeInfo to indicate that the Structure has 
        a StructureRareData field. During transitions, a Structure will clone its previous Structure's StructureRareData 
        if it has one. There could be some potential for optimizing this process, but the initial implementation will 
        be dumb since we'd be paying these overhead costs for each Structure anyway.

        Initially we'll only put two fields in the StructureRareData to avoid a memory regression. Over time we'll 
        continue to move fields from Structure to StructureRareData. Optimistically, this could potentially reduce our 
        Structure memory footprint by up to around 75%. It could also clear the way for removing destructors from 
        Structures (and into StructureRareData).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGRepatch.cpp: Includes for linking purposes.
        * jit/JITStubs.cpp:
        * jsc.cpp:
        * llint/LLIntSlowPaths.cpp:
        * runtime/JSCellInlines.h: Added ifdef guards.
        * runtime/JSGlobalData.cpp: New Structure for StructureRareData class.
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/JSGlobalObject.h:
        * runtime/JSTypeInfo.h: New flag to indicate whether or not a Structure has a StructureRareData field.
        (JSC::TypeInfo::flags):
        (JSC::TypeInfo::structureHasRareData):
        * runtime/ObjectPrototype.cpp:
        * runtime/Structure.cpp: We use a combined WriteBarrier<JSCell> field m_previousOrRareData to avoid compiler issues.
        (JSC::Structure::dumpStatistics):
        (JSC::Structure::Structure): 
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::pin):
        (JSC::Structure::allocateRareData): Handles allocating a brand new StructureRareData field.
        (JSC::Structure::cloneRareDataFrom): Handles cloning a StructureRareData field from another. Used during Structure 
        transitions.
        (JSC::Structure::visitChildren): We no longer have to worry about marking m_objectToStringValue.
        * runtime/Structure.h:
        (JSC::Structure::previousID): Checks the structureHasRareData flag to see where it should get the previous Structure.
        (JSC::Structure::objectToStringValue): Reads the value from the StructureRareData. If it doesn't exist, returns 0.
        (JSC::Structure::setObjectToStringValue): Ensures that we have a StructureRareData field, then forwards the function 
        call to it.
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::setPreviousID): Checks for StructureRareData and forwards if necessary.
        (Structure):
        (JSC::Structure::clearPreviousID): Ditto.
        (JSC::Structure::create):
        * runtime/StructureRareData.cpp: Added. All of the basic functionality of a JSCell with the fields that we've moved 
        from Structure and the functions required to access/modify those fields as Structure would have done.
        (JSC):
        (JSC::StructureRareData::createStructure):
        (JSC::StructureRareData::create):
        (JSC::StructureRareData::clone):
        (JSC::StructureRareData::StructureRareData):
        (JSC::StructureRareData::visitChildren):
        * runtime/StructureRareData.h: Added.
        (JSC):
        (StructureRareData):
        * runtime/StructureRareDataInlines.h: Added.
        (JSC):
        (JSC::StructureRareData::previousID):
        (JSC::StructureRareData::setPreviousID):
        (JSC::StructureRareData::clearPreviousID):
        (JSC::Structure::previous): Handles the ugly casting to get the value of the right type of m_previousOrRareData.
        (JSC::Structure::rareData): Ditto.
        (JSC::StructureRareData::objectToStringValue):
        (JSC::StructureRareData::setObjectToStringValue):

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGRepatch.cpp:
        * jit/JITStubs.cpp:
        * jsc.cpp:
        * llint/LLIntSlowPaths.cpp:
        * runtime/JSCellInlines.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/JSGlobalObject.h:
        * runtime/JSTypeInfo.h:
        (JSC):
        (JSC::TypeInfo::flags):
        (JSC::TypeInfo::structureHasRareData):
        * runtime/ObjectPrototype.cpp:
        * runtime/Structure.cpp:
        (JSC::Structure::dumpStatistics):
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::pin):
        (JSC::Structure::allocateRareData):
        (JSC):
        (JSC::Structure::cloneRareDataFrom):
        (JSC::Structure::visitChildren):
        * runtime/Structure.h:
        (JSC::Structure::previousID):
        (JSC::Structure::objectToStringValue):
        (JSC::Structure::setObjectToStringValue):
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::setPreviousID):
        (Structure):
        (JSC::Structure::clearPreviousID):
        (JSC::Structure::previous):
        (JSC::Structure::rareData):
        (JSC::Structure::create):
        * runtime/StructureRareData.cpp: Added.
        (JSC):
        (JSC::StructureRareData::createStructure):
        (JSC::StructureRareData::create):
        (JSC::StructureRareData::clone):
        (JSC::StructureRareData::StructureRareData):
        (JSC::StructureRareData::visitChildren):
        * runtime/StructureRareData.h: Added.
        (JSC):
        (StructureRareData):
        * runtime/StructureRareDataInlines.h: Added.
        (JSC):
        (JSC::StructureRareData::previousID):
        (JSC::StructureRareData::setPreviousID):
        (JSC::StructureRareData::clearPreviousID):
        (JSC::StructureRareData::objectToStringValue):
        (JSC::StructureRareData::setObjectToStringValue):

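The on-demand rare-data layout described in the entry above, as an added C++ example (editor's illustration, not WebKit's code): one word holds either the previous-Structure pointer or a pointer to the rare data, a flag says which member is live, and every accessor branches on that flag before touching the union. Reading the union through the wrong member would be a type confusion, which is why the flag check sits in front of each access rather than at call sites. The names Structure, StructureRareData, previousID, allocateRareData, cloneRareDataFrom and objectToStringValue follow the entry; the concrete fields, the raw-pointer ownership (the real cells are GC-managed), the footprint() helper and the two demo functions are assumptions.

```cpp
#include <cstddef>

struct Structure;

// Seldom-used fields, allocated only for Structures that need them (assumed layout).
struct StructureRareData {
    Structure* previous = nullptr;              // previousID moves here once rare data exists
    const char* objectToStringValue = nullptr;  // one of the two fields moved in the entry
};

struct Structure {
    // One word holds either the previous Structure or the rare data; the flag says which.
    // Reading the wrong union member would be a type confusion, so every accessor checks it.
    bool hasRareData = false;
    union { Structure* previous; StructureRareData* rareData; } m_previousOrRareData;

    Structure() { m_previousOrRareData.previous = nullptr; }
    ~Structure() { if (hasRareData) delete m_previousOrRareData.rareData; }
    Structure(const Structure&) = delete;
    Structure& operator=(const Structure&) = delete;

    Structure* previousID() const {
        return hasRareData ? m_previousOrRareData.rareData->previous : m_previousOrRareData.previous;
    }
    void setPreviousID(Structure* p) {
        if (hasRareData) m_previousOrRareData.rareData->previous = p;
        else m_previousOrRareData.previous = p;
    }
    // Allocates rare data on first use, migrating the previous pointer into it.
    StructureRareData* allocateRareData() {
        if (!hasRareData) {
            Structure* prev = m_previousOrRareData.previous;
            StructureRareData* rd = new StructureRareData;
            rd->previous = prev;
            m_previousOrRareData.rareData = rd;
            hasRareData = true;
        }
        return m_previousOrRareData.rareData;
    }
    // On a transition, copy the rare fields from the Structure we came from; our own previous link is kept.
    void cloneRareDataFrom(const Structure& from) {
        if (!from.hasRareData) return;
        allocateRareData()->objectToStringValue = from.m_previousOrRareData.rareData->objectToStringValue;
    }
    const char* objectToStringValue() const {
        return hasRareData ? m_previousOrRareData.rareData->objectToStringValue : nullptr;
    }
    void setObjectToStringValue(const char* v) { allocateRareData()->objectToStringValue = v; }
    // Bytes this Structure pays for, with or without rare data.
    size_t footprint() const { return sizeof(Structure) + (hasRareData ? sizeof(StructureRareData) : 0); }
};

// Demo: a three-Structure transition chain where only the middle one sets a rare field.
bool rareDataInvariantsHold() {
    static const char* kTag = "[object Foo]";   // constructed sample value
    Structure root, child, grandchild;
    child.setPreviousID(&root);
    grandchild.setPreviousID(&child);
    child.setObjectToStringValue(kTag);          // allocates rare data, migrating previousID
    grandchild.cloneRareDataFrom(child);         // the transition clones the rare fields
    return child.hasRareData
        && child.previousID() == &root           // previous link survives the migration
        && grandchild.previousID() == &child     // the clone does not overwrite our own previous
        && grandchild.objectToStringValue() == kTag
        && !root.hasRareData
        && root.footprint() < child.footprint();
}

// Demo: a Structure that never touches a rare field never pays for one.
bool lazyAllocationHolds() {
    Structure root, child;
    child.setPreviousID(&root);
    return !child.hasRareData && child.previousID() == &root
        && child.objectToStringValue() == nullptr && child.footprint() == sizeof(Structure);
}
```

The point to check when reviewing code of this shape is that no path reads m_previousOrRareData.previous after hasRareData has been set (or the reverse); here the only raw reads are inside the accessors, each guarded by the flag.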
2013-02-01  Balazs Kilvady  <kilvadyb@homejinni.com>

        offlineasm BaseIndex handling is broken on ARM due to MIPS changes
        https://bugs.webkit.org/show_bug.cgi?id=108261

        Reviewed by Filip Pizlo.

        offlineasm BaseIndex handling fix on MIPS.

        * offlineasm/mips.rb:
        * offlineasm/risc.rb:

2013-02-01  Geoffrey Garen  <ggaren@apple.com>

        Removed an unused function: JSGlobalObject::createFunctionExecutableFromGlobalCode
        https://bugs.webkit.org/show_bug.cgi?id=108657

        Reviewed by Anders Carlsson.

        * runtime/JSGlobalObject.cpp:
        (JSC):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):

2013-02-01  Geoffrey Garen  <ggaren@apple.com>

        Added TriState to WTF and started using it in one place
        https://bugs.webkit.org/show_bug.cgi?id=108628

        Reviewed by Beth Dakin.

        * runtime/PrototypeMap.h:
        (JSC::PrototypeMap::isPrototype): Use TriState instead of boolean. In
        response to review feedback, this is an attempt to clarify that our
        'true' condition is actually just a 'maybe'.

        * runtime/PrototypeMap.h:
        (PrototypeMap):
        (JSC::PrototypeMap::isPrototype):

2013-02-01  Alexis Menard  <alexis@webkit.org>

        Enable unprefixed CSS transitions by default.
        https://bugs.webkit.org/show_bug.cgi?id=108216

        Reviewed by Dean Jackson.

        Rename the flag CSS_TRANSFORMS_ANIMATIONS_TRANSITIONS_UNPREFIXED
        to CSS_TRANSFORMS_ANIMATIONS_UNPREFIXED which will be used later to 
        guard the unprefixing work for CSS Transforms and animations.

        * Configurations/FeatureDefines.xcconfig:

2013-01-31  Filip Pizlo  <fpizlo@apple.com>

        DFG::CFGSimplificationPhase::keepOperandAlive() conflates liveness and availability
        https://bugs.webkit.org/show_bug.cgi?id=108580

        Reviewed by Oliver Hunt.

        This is a harmless bug in that it only results in us keeping a bit too many things
        for OSR.  But it's worth fixing so that the code is consistent.

        keepOperandAlive() is called when block A has a branch to blocks B and C, but the
        A->B edge is proven to never be taken and we want to optimize the code to have A
        unconditionally jump to C.  In that case, for the purposes of OSR, we need to
        preserve the knowledge that the state that B expected to be live incoming from A
        ought still to be live up to the point of where the A->B,C branch used to be.  The
        way we keep things alive is by using the variablesAtTail of A (i.e., we use the
        knowledge of in what manner A made state available to B and C).  The way we choose
        which state should be kept alive ought to be chosen by the variablesAtHead of B
        (i.e. the things B says it needs from its predecessors, including A), except that
        keepOperandAlive() was previously just using variablesAtTail of A for this
        purpose.

        The fix is to have keepOperandAlive() use both liveness and availability in its
        logic. It should use liveness (i.e. B->variablesAtHead) to decide what to keep
        alive, and it should use availability (i.e. A->variablesAtTail) to decide how to
        keep it alive.

        This might be a microscopic win on some programs, but it's mainly intended to be
        a code clean-up so that I don't end up scratching my head in confusion the next
        time I look at this code.

        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
        (JSC::DFG::CFGSimplificationPhase::jettisonBlock):
        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):

2013-01-31  Geoffrey Garen  <ggaren@apple.com>

        REGRESSION (r141192): Crash beneath cti_op_get_by_id_generic @ discussions.apple.com
        https://bugs.webkit.org/show_bug.cgi?id=108576

        Reviewed by Filip Pizlo.

        This was a long-standing bug. The DFG would destructively reuse a register
        in op_convert_this, but:

            * The bug only presented during speculation failure for type Other

            * The bug presented by removing the low bits of a pointer, which
            used to be harmless, since all objects were so aligned anyway.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Don't reuse our this register as
        our scratch register. The whole point of our scratch register is to
        avoid destructively modifying our this register. I'm pretty sure this
        was a copy-paste error.

2013-01-31  Roger Fong  <roger_fong@apple.com>

        Unreviewed. Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:

2013-01-31  Jessie Berlin  <jberlin@apple.com>

        Rolling out r141407 because it is causing crashes under
        WTF::TCMalloc_Central_FreeList::FetchFromSpans() in Release builds.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):

2013-01-31  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: JSContext exception property causes reference cycle
        https://bugs.webkit.org/show_bug.cgi?id=107778

        Reviewed by Darin Adler.

        JSContext has a (retain) JSValue * exception property which, when non-null, creates a 
        reference cycle (since the JSValue * holds a strong reference back to the JSContext *).

        * API/JSContext.mm: Instead of JSValue *, we now use a plain JSValueRef, which eliminates the reference cycle.
        (-[JSContext initWithVirtualMachine:]):
        (-[JSContext setException:]):
        (-[JSContext exception]):

2013-01-31  Roger Fong  <roger_fong@apple.com>

        Unreviewed build fix. Win7 port.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:

2013-01-31  Joseph Pecoraro  <pecoraro@apple.com>

        Disable ENABLE_FULLSCREEN_API on iOS
        https://bugs.webkit.org/show_bug.cgi?id=108250

        Reviewed by Benjamin Poulain.

        * Configurations/FeatureDefines.xcconfig:

2013-01-31  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Fix insertion of values greater than the max index allowed by the spec
        https://bugs.webkit.org/show_bug.cgi?id=108264

        Reviewed by Oliver Hunt.

        Fixed a bug, added a test to the API tests, cleaned up some code.

        * API/JSValue.h: Changed some of the documentation on setValue:atIndex: to indicate that 
        setting values at indices greater than UINT_MAX - 1 won't affect the length of JS arrays.
        * API/JSValue.mm:
        (-[JSValue valueAtIndex:]): We weren't returning when we should have been.
        (-[JSValue setValue:atIndex:]): Added a comment about why we do the early check for being larger than UINT_MAX.
        (objectToValueWithoutCopy): Removed two redundant cases that were already checked previously.
        * API/tests/testapi.mm:

2013-01-30  Andreas Kling  <akling@apple.com>

        Vector should consult allocator about ideal size when choosing capacity.
        <http://webkit.org/b/108410>
        <rdar://problem/13124002>

        Reviewed by Benjamin Poulain.

        Remove assertion about Vector capacity that won't hold anymore since capacity()
        may not be what you passed to reserveCapacity().

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):

2013-01-30  Filip Pizlo  <fpizlo@apple.com>

        DFG bytecode parser should have more assertions about the status of local accesses
        https://bugs.webkit.org/show_bug.cgi?id=108417

        Reviewed by Mark Hahnenberg.

        Assert some things that we already know to be true, just to reassure ourselves that they are true.
        This is meant as a prerequisite for https://bugs.webkit.org/show_bug.cgi?id=108414, which will
        make these rules even stricter.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::getArgument):

2013-01-30  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: JSContext's dealloc causes ASSERT due to ordering of releases
        https://bugs.webkit.org/show_bug.cgi?id=107978

        Reviewed by Filip Pizlo.

        We need to add the Identifier table save/restore in JSContextGroupRelease so that we 
        have the correct table if we end up destroying the JSGlobalData/Heap.

        * API/JSContextRef.cpp:
        (JSContextGroupRelease):

2013-01-30  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: exceptionHandler needs to be released in JSContext dealloc
        https://bugs.webkit.org/show_bug.cgi?id=108378

        Reviewed by Filip Pizlo.

        JSContext has a (copy) exceptionHandler property that it doesn't release in dealloc. 
        That sounds like the potential for a leak. It should be released.

        * API/JSContext.mm:
        (-[JSContext dealloc]):

2013-01-30  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(140504): pure CSE no longer matches things, 10% regression on Kraken
        https://bugs.webkit.org/show_bug.cgi?id=108366

        Reviewed by Geoffrey Garen and Mark Hahnenberg.

        This was a longstanding bug that was revealed by http://trac.webkit.org/changeset/140504.
        Pure CSE requires that the Node::flags() that may affect the behavior of a node match,
        when comparing a possibly redundant node to its possible replacement. It was doing this
        by comparing Node::arithNodeFlags(), which as the name might appear to suggest, returns
        just those flag bits that correspond to actual node behavior and not auxiliary things.
        Unfortunately, Node::arithNodeFlags() wasn't actually masking off the irrelevant bits.
        This worked prior to r140504 because CSE itself didn't mutate the flags, so there was a
        very high probability that matching nodes would also have completely identical flag bits
        (even the ones that aren't relevant to arithmetic behavior, like NodeDoesNotExit). But
        r140504 moved one of CSE's side-tables (m_relevantToOSR) into a flag bit for quicker
        access. These bits would be mutated as the CSE ran over a basic block, in such a way that
        there was a very high probability that the possible replacement would already have the
        bit set, while the redundant node did not have the bit set. Since Node::arithNodeFlags()
        returned all of the bits, this would cause CSEPhase::pureCSE() to reject the match
        almost every time.

        The solution is to make Node::arithNodeFlags() do as its name suggests: only return those
        flags that are relevant to arithmetic behavior. This patch introduces a new mask that
        represents those bits, and includes NodeBehaviorMask and NodeBackPropMask, which are both
        used for queries on Node::arithNodeFlags(), and both affect arithmetic code gen. None of
        the other flags are relevant to Node::arithNodeFlags() since they either correspond to
        information already conveyed by the opcode (like NodeResultMask, NodeMustGenerate,
        NodeHasVarArgs, NodeClobbersWorld, NodeMightClobber) or information that doesn't affect
        the result that the node will produce or any of the queries performed on the result of
        Node::arithNodeFlags (NodeDoesNotExit and of course NodeRelevantToOSR).

        This is a 10% speed-up on Kraken, undoing the regression from r140504.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::arithNodeFlags):
        * dfg/DFGNodeFlags.h:
        (DFG):

2013-01-29  Mark Hahnenberg  <mhahnenberg@apple.com>

        Structure::m_outOfLineCapacity is unnecessary
        https://bugs.webkit.org/show_bug.cgi?id=108206

        Reviewed by Geoffrey Garen.

        We can calculate our out of line capacity by using the outOfLineSize and our knowledge about our resize policy.
        According to GDB, this knocks Structures down from 136 bytes to 128 bytes (I'm guessing the extra bytes are from
        better alignment of object fields), which puts Structures in a smaller size class. Woohoo! Looks neutral on our 
        benchmarks.

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC):
        (JSC::Structure::suggestedNewOutOfLineStorageCapacity):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::addPropertyWithoutTransition):
        * runtime/Structure.h:
        (Structure):
        (JSC::Structure::outOfLineCapacity):
        (JSC::Structure::totalStorageCapacity):

2013-01-29  Geoffrey Garen  <ggaren@apple.com>

        Be a little more conservative about emitting table-based switches
        https://bugs.webkit.org/show_bug.cgi?id=108292

        Reviewed by Filip Pizlo.

        Profiling shows we're using op_switch in cases where it's a regression.

        * bytecompiler/NodesCodegen.cpp:
        (JSC):
        (JSC::length):
        (JSC::CaseBlockNode::tryTableSwitch):
        (JSC::CaseBlockNode::emitBytecodeForBlock):
        * parser/Nodes.h:
        (CaseBlockNode):

2013-01-29  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r140983.
        http://trac.webkit.org/changeset/140983
        https://bugs.webkit.org/show_bug.cgi?id=108277

        Unfortunately, this API has one last client (Requested by
        abarth on #webkit).

        * Configurations/FeatureDefines.xcconfig:

2013-01-29  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: JSObjCClassInfo creates reference cycle with JSContext
        https://bugs.webkit.org/show_bug.cgi?id=107839

        Reviewed by Geoffrey Garen.

        Fixing several ASSERTs that were incorrect along with some of the reallocation of m_prototype and 
        m_constructor that they were based on.

        * API/JSWrapperMap.mm:
        (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): We now only allocate those
        fields that are null (i.e. have been collected or have never been allocated to begin with).
        (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]): Renamed to better indicate that we're 
        reallocating one or both of the prototype/constructor combo.
        (-[JSObjCClassInfo wrapperForObject:]): Call new reallocate function.
        (-[JSObjCClassInfo constructor]): Ditto.

2013-01-29  Geoffrey Garen  <ggaren@apple.com>

        Make precise size classes more precise
        https://bugs.webkit.org/show_bug.cgi?id=108270

        Reviewed by Mark Hahnenberg.

        Size inference makes this profitable.

        I chose 8 byte increments because JSString is 24 bytes. Otherwise, 16
        byte increments might be better.

        * heap/Heap.h:
        (Heap): Removed firstAllocatorWithoutDestructors because it's unused now.

        * heap/MarkedBlock.h:
        (MarkedBlock): Updated constants.

        * heap/MarkedSpace.h:
        (MarkedSpace):
        (JSC): Also reduced the maximum precise size class because my testing
        has shown that the smaller size classes are much more common. This
        offsets some of the size class explosion caused by reducing the precise
        increment.

        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions): No need for this ASSERT anymore
        because we don't rely on firstAllocatorWithoutDestructors anymore, since
        we pick size classes dynamically now.

2013-01-29  Oliver Hunt  <oliver@apple.com>

        Add some hardening to methodTable()
        https://bugs.webkit.org/show_bug.cgi?id=108253

        Reviewed by Mark Hahnenberg.

        When accessing methodTable() we now always make sure that our
        structure _could_ be valid.  Added a separate method to get a
        class's methodTable during destruction as it's not possible to
        validate the structure at that point.  This separation might
        also make it possible to improve the performance of methodTable
        access more generally in future.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::callDestructor):
        * runtime/JSCell.h:
        (JSCell):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::methodTableForDestruction):
        (JSC):
        (JSC::JSCell::methodTable):

2013-01-29  Filip Pizlo  <fpizlo@apple.com>

        offlineasm BaseIndex handling is broken on ARM due to MIPS changes
        https://bugs.webkit.org/show_bug.cgi?id=108261

        Reviewed by Oliver Hunt.

        Backends shouldn't override each other's methods. That's not cool.

        * offlineasm/mips.rb:

2013-01-29  Filip Pizlo  <fpizlo@apple.com>

        cloop.rb shouldn't use a method called 'dump' for code generation
        https://bugs.webkit.org/show_bug.cgi?id=108251

        Reviewed by Mark Hahnenberg.

        Revert http://trac.webkit.org/changeset/141178 and rename 'dump' to 'clDump'.

        Also made trivial build fixes for !ENABLE(JIT).

        * offlineasm/cloop.rb:
        * runtime/Executable.h:
        (ExecutableBase):
        (JSC::ExecutableBase::intrinsicFor):
        * runtime/JSGlobalData.h:

2013-01-29  Geoffrey Garen  <ggaren@apple.com>

        Removed GGC because it has been disabled for a long time
        https://bugs.webkit.org/show_bug.cgi?id=108245

        Reviewed by Filip Pizlo.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::emitPutReplaceStub):
        (JSC::DFG::emitPutTransitionStub):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * heap/CardSet.h: Removed.
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::collect):
        * heap/Heap.h:
        (Heap):
        (JSC::Heap::shouldCollect):
        (JSC::Heap::isWriteBarrierEnabled):
        (JSC):
        (JSC::Heap::writeBarrier):
        * heap/MarkedBlock.h:
        (MarkedBlock):
        (JSC):
        * heap/MarkedSpace.cpp:
        (JSC):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitWriteBarrier):

2013-01-29  Filip Pizlo  <fpizlo@apple.com>

        Remove redundant AST dump method from cloop.rb, since they are already defined in ast.rb
        https://bugs.webkit.org/show_bug.cgi?id=108247

        Reviewed by Oliver Hunt.

        Makes offlineasm dumping easier to read and less likely to cause assertion failures.
        Also fixes the strange situation where cloop.rb and ast.rb both defined dump methods,
        but cloop.rb was winning.

        * offlineasm/cloop.rb:

2013-01-29  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: JSObjCClassInfo creates reference cycle with JSContext
        https://bugs.webkit.org/show_bug.cgi?id=107839

        Reviewed by Oliver Hunt.

        JSContext has a JSWrapperMap, which has an NSMutableDictionary m_classMap, which has values that 
        are JSObjCClassInfo objects, which have strong references to two JSValue *'s, m_prototype and 
        m_constructor, which in turn have strong references to the JSContext, creating a reference cycle. 
        We should make m_prototype and m_constructor Weak<JSObject>. This gets rid of the strong reference 
        to the JSContext and also prevents clients from accidentally creating reference cycles by assigning 
        to the prototype of the constructor. If Weak<JSObject> fields are ever garbage collected, we will 
        reallocate them.

        * API/JSContext.mm:
        (-[JSContext wrapperMap]):
        * API/JSContextInternal.h:
        * API/JSWrapperMap.mm:
        (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]):
        (-[JSObjCClassInfo dealloc]):
        (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
        (-[JSObjCClassInfo allocateConstructorAndPrototype]):
        (-[JSObjCClassInfo wrapperForObject:]):
        (-[JSObjCClassInfo constructor]):

704 2013-01-29  Oliver Hunt  <oliver@apple.com>
705
706         REGRESSION (r140594): RELEASE_ASSERT_NOT_REACHED in JSC::Interpreter::execute
707         https://bugs.webkit.org/show_bug.cgi?id=108097
708
709         Reviewed by Geoffrey Garen.
710
711         LiteralParser was accepting a bogus 'var a.b = c' statement.
712
713         * runtime/LiteralParser.cpp:
714         (JSC::::tryJSONPParse):
715
716 2013-01-29  Oliver Hunt  <oliver@apple.com>
717
718         Force debug builds to do bounds checks on contiguous property storage
719         https://bugs.webkit.org/show_bug.cgi?id=108212
720
721         Reviewed by Mark Hahnenberg.
722
723         Add a ContiguousData type that we use to represent contiguous property
724         storage.  In release builds it is simply a pointer to the correct type,
725         but in debug builds it also carries the data length and performs bounds
726         checks.  This means we don't have to add as many manual bounds assertions
727         when performing operations over contiguous data.
728
729         * dfg/DFGOperations.cpp:
730         * runtime/ArrayStorage.h:
731         (ArrayStorage):
732         (JSC::ArrayStorage::vector):
733         * runtime/Butterfly.h:
734         (JSC::ContiguousData::ContiguousData):
735         (ContiguousData):
736         (JSC::ContiguousData::operator[]):
737         (JSC::ContiguousData::data):
738         (JSC::ContiguousData::length):
739         (JSC):
740         (JSC::Butterfly::contiguousInt32):
741         (Butterfly):
742         (JSC::Butterfly::contiguousDouble):
743         (JSC::Butterfly::contiguous):
744         * runtime/JSArray.cpp:
745         (JSC::JSArray::sortNumericVector):
746         (ContiguousTypeAccessor):
747         (JSC::ContiguousTypeAccessor::getAsValue):
748         (JSC::ContiguousTypeAccessor::setWithValue):
749         (JSC::ContiguousTypeAccessor::replaceDataReference):
750         (JSC):
751         (JSC::JSArray::sortCompactedVector):
752         (JSC::JSArray::sort):
753         (JSC::JSArray::fillArgList):
754         (JSC::JSArray::copyToArguments):
755         * runtime/JSArray.h:
756         (JSArray):
757         * runtime/JSObject.cpp:
758         (JSC::JSObject::copyButterfly):
759         (JSC::JSObject::visitButterfly):
760         (JSC::JSObject::createInitialInt32):
761         (JSC::JSObject::createInitialDouble):
762         (JSC::JSObject::createInitialContiguous):
763         (JSC::JSObject::convertUndecidedToInt32):
764         (JSC::JSObject::convertUndecidedToDouble):
765         (JSC::JSObject::convertUndecidedToContiguous):
766         (JSC::JSObject::convertInt32ToDouble):
767         (JSC::JSObject::convertInt32ToContiguous):
768         (JSC::JSObject::genericConvertDoubleToContiguous):
769         (JSC::JSObject::convertDoubleToContiguous):
770         (JSC::JSObject::rageConvertDoubleToContiguous):
771         (JSC::JSObject::ensureInt32Slow):
772         (JSC::JSObject::ensureDoubleSlow):
773         (JSC::JSObject::ensureContiguousSlow):
774         (JSC::JSObject::rageEnsureContiguousSlow):
775         (JSC::JSObject::ensureLengthSlow):
776         * runtime/JSObject.h:
777         (JSC::JSObject::ensureInt32):
778         (JSC::JSObject::ensureDouble):
779         (JSC::JSObject::ensureContiguous):
780         (JSC::JSObject::rageEnsureContiguous):
781         (JSObject):
782         (JSC::JSObject::indexingData):
783         (JSC::JSObject::currentIndexingData):
784
785 2013-01-29  Brent Fulgham  <bfulgham@webkit.org>
786
787         [Windows, WinCairo] Unreviewed build fix after r141050
788
789         * JavaScriptCore.vcxproj/JavaScriptCoreExports.def: Update symbols
790         to match JavaScriptCore.vcproj version.
791
792 2013-01-29  Allan Sandfeld Jensen  <allan.jensen@digia.com>
793
794         [Qt] Implement GCActivityCallback
795         https://bugs.webkit.org/show_bug.cgi?id=103998
796
797         Reviewed by Simon Hausmann.
798
799         Implements the activity triggered garbage collector.
800
801         * runtime/GCActivityCallback.cpp:
802         (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
803         (JSC::DefaultGCActivityCallback::scheduleTimer):
804         (JSC::DefaultGCActivityCallback::cancelTimer):
805         * runtime/GCActivityCallback.h:
806         (GCActivityCallback):
807         (DefaultGCActivityCallback):
808
809 2013-01-29  Mikhail Pozdnyakov  <mikhail.pozdnyakov@intel.com>
810
811         Compilation warning in JSC
812         https://bugs.webkit.org/show_bug.cgi?id=108178
813
814         Reviewed by Kentaro Hara.
815
816         Fixed 'comparison between signed and unsigned integer' warning in JSC::Structure constructor.
817
818         * runtime/Structure.cpp:
819         (JSC::Structure::Structure):
820
821 2013-01-29  Jocelyn Turcotte  <jocelyn.turcotte@digia.com>
822
823         [Qt] Fix the JSC build on Mac
824
825         Unreviewed, build fix.
826
827         * heap/HeapTimer.h:
828         Qt on Mac has USE(CF) true, and should use the CF HeapTimer in that case.
829
830 2013-01-29  Allan Sandfeld Jensen  <allan.jensen@digia.com>
831
832         [Qt] Implement IncrementalSweeper and HeapTimer
833         https://bugs.webkit.org/show_bug.cgi?id=103996
834
835         Reviewed by Simon Hausmann.
836
837         Implements the incremental sweeping garbage collection for the Qt platform.
838
839         * heap/HeapTimer.cpp:
840         (JSC::HeapTimer::HeapTimer):
841         (JSC::HeapTimer::~HeapTimer):
842         (JSC::HeapTimer::timerEvent):
843         (JSC::HeapTimer::synchronize):
844         (JSC::HeapTimer::invalidate):
845         (JSC::HeapTimer::didStartVMShutdown):
846         * heap/HeapTimer.h:
847         (HeapTimer):
848         * heap/IncrementalSweeper.cpp:
849         (JSC::IncrementalSweeper::IncrementalSweeper):
850         (JSC::IncrementalSweeper::scheduleTimer):
851         * heap/IncrementalSweeper.h:
852         (IncrementalSweeper):
853
854 2013-01-28  Filip Pizlo  <fpizlo@apple.com>
855
856         DFG should not use a graph that is a vector, Nodes shouldn't move after allocation, and we should always refer to nodes by Node*
857         https://bugs.webkit.org/show_bug.cgi?id=106868
858
859         Reviewed by Oliver Hunt.
860         
861         This adds a pool allocator for Nodes, and uses that instead of a Vector. Changes all
862         uses of Node& and NodeIndex to be simply Node*. Nodes no longer have an index except
863         for debugging (Node::index(), which is not guaranteed to be O(1)).
864         
865         1% speed-up on SunSpider, presumably because this improves compile times.
866
867         * CMakeLists.txt:
868         * GNUmakefile.list.am:
869         * JavaScriptCore.xcodeproj/project.pbxproj:
870         * Target.pri:
871         * bytecode/DataFormat.h:
872         (JSC::dataFormatToString):
873         * dfg/DFGAbstractState.cpp:
874         (JSC::DFG::AbstractState::initialize):
875         (JSC::DFG::AbstractState::booleanResult):
876         (JSC::DFG::AbstractState::execute):
877         (JSC::DFG::AbstractState::mergeStateAtTail):
878         (JSC::DFG::AbstractState::mergeToSuccessors):
879         (JSC::DFG::AbstractState::mergeVariableBetweenBlocks):
880         (JSC::DFG::AbstractState::dump):
881         * dfg/DFGAbstractState.h:
882         (DFG):
883         (JSC::DFG::AbstractState::forNode):
884         (AbstractState):
885         (JSC::DFG::AbstractState::speculateInt32Unary):
886         (JSC::DFG::AbstractState::speculateNumberUnary):
887         (JSC::DFG::AbstractState::speculateBooleanUnary):
888         (JSC::DFG::AbstractState::speculateInt32Binary):
889         (JSC::DFG::AbstractState::speculateNumberBinary):
890         (JSC::DFG::AbstractState::trySetConstant):
891         * dfg/DFGAbstractValue.h:
892         (AbstractValue):
893         * dfg/DFGAdjacencyList.h:
894         (JSC::DFG::AdjacencyList::AdjacencyList):
895         (JSC::DFG::AdjacencyList::initialize):
896         * dfg/DFGAllocator.h: Added.
897         (DFG):
898         (Allocator):
899         (JSC::DFG::Allocator::Region::size):
900         (JSC::DFG::Allocator::Region::headerSize):
901         (JSC::DFG::Allocator::Region::numberOfThingsPerRegion):
902         (JSC::DFG::Allocator::Region::data):
903         (JSC::DFG::Allocator::Region::isInThisRegion):
904         (JSC::DFG::Allocator::Region::regionFor):
905         (Region):
906         (JSC::DFG::::Allocator):
907         (JSC::DFG::::~Allocator):
908         (JSC::DFG::::allocate):
909         (JSC::DFG::::free):
910         (JSC::DFG::::freeAll):
911         (JSC::DFG::::reset):
912         (JSC::DFG::::indexOf):
913         (JSC::DFG::::allocatorOf):
914         (JSC::DFG::::bumpAllocate):
915         (JSC::DFG::::freeListAllocate):
916         (JSC::DFG::::allocateSlow):
917         (JSC::DFG::::freeRegionsStartingAt):
918         (JSC::DFG::::startBumpingIn):
919         * dfg/DFGArgumentsSimplificationPhase.cpp:
920         (JSC::DFG::ArgumentsSimplificationPhase::run):
921         (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
922         (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUses):
923         (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
924         (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
925         (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
926         * dfg/DFGArrayMode.cpp:
927         (JSC::DFG::ArrayMode::originalArrayStructure):
928         (JSC::DFG::ArrayMode::alreadyChecked):
929         * dfg/DFGArrayMode.h:
930         (ArrayMode):
931         * dfg/DFGArrayifySlowPathGenerator.h:
932         (JSC::DFG::ArrayifySlowPathGenerator::ArrayifySlowPathGenerator):
933         * dfg/DFGBasicBlock.h:
934         (JSC::DFG::BasicBlock::node):
935         (JSC::DFG::BasicBlock::isInPhis):
936         (JSC::DFG::BasicBlock::isInBlock):
937         (BasicBlock):
938         * dfg/DFGBasicBlockInlines.h:
939         (DFG):
940         * dfg/DFGByteCodeParser.cpp:
941         (ByteCodeParser):
942         (JSC::DFG::ByteCodeParser::getDirect):
943         (JSC::DFG::ByteCodeParser::get):
944         (JSC::DFG::ByteCodeParser::setDirect):
945         (JSC::DFG::ByteCodeParser::set):
946         (JSC::DFG::ByteCodeParser::setPair):
947         (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
948         (JSC::DFG::ByteCodeParser::getLocal):
949         (JSC::DFG::ByteCodeParser::setLocal):
950         (JSC::DFG::ByteCodeParser::getArgument):
951         (JSC::DFG::ByteCodeParser::setArgument):
952         (JSC::DFG::ByteCodeParser::flushDirect):
953         (JSC::DFG::ByteCodeParser::getToInt32):
954         (JSC::DFG::ByteCodeParser::toInt32):
955         (JSC::DFG::ByteCodeParser::getJSConstantForValue):
956         (JSC::DFG::ByteCodeParser::getJSConstant):
957         (JSC::DFG::ByteCodeParser::getCallee):
958         (JSC::DFG::ByteCodeParser::getThis):
959         (JSC::DFG::ByteCodeParser::setThis):
960         (JSC::DFG::ByteCodeParser::isJSConstant):
961         (JSC::DFG::ByteCodeParser::isInt32Constant):
962         (JSC::DFG::ByteCodeParser::valueOfJSConstant):
963         (JSC::DFG::ByteCodeParser::valueOfInt32Constant):
964         (JSC::DFG::ByteCodeParser::constantUndefined):
965         (JSC::DFG::ByteCodeParser::constantNull):
966         (JSC::DFG::ByteCodeParser::one):
967         (JSC::DFG::ByteCodeParser::constantNaN):
968         (JSC::DFG::ByteCodeParser::cellConstant):
969         (JSC::DFG::ByteCodeParser::addToGraph):
970         (JSC::DFG::ByteCodeParser::insertPhiNode):
971         (JSC::DFG::ByteCodeParser::addVarArgChild):
972         (JSC::DFG::ByteCodeParser::addCall):
973         (JSC::DFG::ByteCodeParser::addStructureTransitionCheck):
974         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
975         (JSC::DFG::ByteCodeParser::getPrediction):
976         (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
977         (JSC::DFG::ByteCodeParser::makeSafe):
978         (JSC::DFG::ByteCodeParser::makeDivSafe):
979         (JSC::DFG::ByteCodeParser::ConstantRecord::ConstantRecord):
980         (ConstantRecord):
981         (JSC::DFG::ByteCodeParser::PhiStackEntry::PhiStackEntry):
982         (PhiStackEntry):
983         (JSC::DFG::ByteCodeParser::handleCall):
984         (JSC::DFG::ByteCodeParser::emitFunctionChecks):
985         (JSC::DFG::ByteCodeParser::handleInlining):
986         (JSC::DFG::ByteCodeParser::setIntrinsicResult):
987         (JSC::DFG::ByteCodeParser::handleMinMax):
988         (JSC::DFG::ByteCodeParser::handleIntrinsic):
989         (JSC::DFG::ByteCodeParser::handleGetByOffset):
990         (JSC::DFG::ByteCodeParser::handleGetById):
991         (JSC::DFG::ByteCodeParser::getScope):
992         (JSC::DFG::ByteCodeParser::parseResolveOperations):
993         (JSC::DFG::ByteCodeParser::parseBlock):
994         (JSC::DFG::ByteCodeParser::processPhiStack):
995         (JSC::DFG::ByteCodeParser::linkBlock):
996         (JSC::DFG::ByteCodeParser::parseCodeBlock):
997         (JSC::DFG::ByteCodeParser::parse):
998         * dfg/DFGCFAPhase.cpp:
999         (JSC::DFG::CFAPhase::performBlockCFA):
1000         * dfg/DFGCFGSimplificationPhase.cpp:
1001         (JSC::DFG::CFGSimplificationPhase::run):
1002         (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
1003         (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
1004         (JSC::DFG::CFGSimplificationPhase::fixPhis):
1005         (JSC::DFG::CFGSimplificationPhase::removePotentiallyDeadPhiReference):
1006         (JSC::DFG::CFGSimplificationPhase::OperandSubstitution::OperandSubstitution):
1007         (JSC::DFG::CFGSimplificationPhase::OperandSubstitution::dump):
1008         (OperandSubstitution):
1009         (JSC::DFG::CFGSimplificationPhase::skipGetLocal):
1010         (JSC::DFG::CFGSimplificationPhase::recordNewTarget):
1011         (JSC::DFG::CFGSimplificationPhase::fixTailOperand):
1012         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
1013         * dfg/DFGCSEPhase.cpp:
1014         (JSC::DFG::CSEPhase::canonicalize):
1015         (JSC::DFG::CSEPhase::endIndexForPureCSE):
1016         (JSC::DFG::CSEPhase::pureCSE):
1017         (JSC::DFG::CSEPhase::constantCSE):
1018         (JSC::DFG::CSEPhase::weakConstantCSE):
1019         (JSC::DFG::CSEPhase::getCalleeLoadElimination):
1020         (JSC::DFG::CSEPhase::getArrayLengthElimination):
1021         (JSC::DFG::CSEPhase::globalVarLoadElimination):
1022         (JSC::DFG::CSEPhase::scopedVarLoadElimination):
1023         (JSC::DFG::CSEPhase::globalVarWatchpointElimination):
1024         (JSC::DFG::CSEPhase::globalVarStoreElimination):
1025         (JSC::DFG::CSEPhase::scopedVarStoreElimination):
1026         (JSC::DFG::CSEPhase::getByValLoadElimination):
1027         (JSC::DFG::CSEPhase::checkFunctionElimination):
1028         (JSC::DFG::CSEPhase::checkExecutableElimination):
1029         (JSC::DFG::CSEPhase::checkStructureElimination):
1030         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
1031         (JSC::DFG::CSEPhase::putStructureStoreElimination):
1032         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
1033         (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
1034         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
1035         (JSC::DFG::CSEPhase::checkArrayElimination):
1036         (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
1037         (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
1038         (JSC::DFG::CSEPhase::getLocalLoadElimination):
1039         (JSC::DFG::CSEPhase::setLocalStoreElimination):
1040         (JSC::DFG::CSEPhase::performSubstitution):
1041         (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
1042         (JSC::DFG::CSEPhase::setReplacement):
1043         (JSC::DFG::CSEPhase::eliminate):
1044         (JSC::DFG::CSEPhase::performNodeCSE):
1045         (JSC::DFG::CSEPhase::performBlockCSE):
1046         (CSEPhase):
1047         * dfg/DFGCommon.cpp: Added.
1048         (DFG):
1049         (JSC::DFG::NodePointerTraits::dump):
1050         * dfg/DFGCommon.h:
1051         (DFG):
1052         (JSC::DFG::NodePointerTraits::defaultValue):
1053         (NodePointerTraits):
1054         (JSC::DFG::verboseCompilationEnabled):
1055         (JSC::DFG::shouldDumpGraphAtEachPhase):
1056         (JSC::DFG::validationEnabled):
1057         * dfg/DFGConstantFoldingPhase.cpp:
1058         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1059         (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
1060         (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
1061         (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
1062         * dfg/DFGDisassembler.cpp:
1063         (JSC::DFG::Disassembler::Disassembler):
1064         (JSC::DFG::Disassembler::createDumpList):
1065         (JSC::DFG::Disassembler::dumpDisassembly):
1066         * dfg/DFGDisassembler.h:
1067         (JSC::DFG::Disassembler::setForNode):
1068         (Disassembler):
1069         * dfg/DFGDriver.cpp:
1070         (JSC::DFG::compile):
1071         * dfg/DFGEdge.cpp: Added.
1072         (DFG):
1073         (JSC::DFG::Edge::dump):
1074         * dfg/DFGEdge.h:
1075         (JSC::DFG::Edge::Edge):
1076         (JSC::DFG::Edge::node):
1077         (JSC::DFG::Edge::operator*):
1078         (JSC::DFG::Edge::operator->):
1079         (Edge):
1080         (JSC::DFG::Edge::setNode):
1081         (JSC::DFG::Edge::useKind):
1082         (JSC::DFG::Edge::setUseKind):
1083         (JSC::DFG::Edge::isSet):
1084         (JSC::DFG::Edge::shift):
1085         (JSC::DFG::Edge::makeWord):
1086         (JSC::DFG::operator==):
1087         (JSC::DFG::operator!=):
1088         * dfg/DFGFixupPhase.cpp:
1089         (JSC::DFG::FixupPhase::fixupBlock):
1090         (JSC::DFG::FixupPhase::fixupNode):
1091         (JSC::DFG::FixupPhase::checkArray):
1092         (JSC::DFG::FixupPhase::blessArrayOperation):
1093         (JSC::DFG::FixupPhase::fixIntEdge):
1094         (JSC::DFG::FixupPhase::fixDoubleEdge):
1095         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
1096         (FixupPhase):
1097         * dfg/DFGGenerationInfo.h:
1098         (JSC::DFG::GenerationInfo::GenerationInfo):
1099         (JSC::DFG::GenerationInfo::initConstant):
1100         (JSC::DFG::GenerationInfo::initInteger):
1101         (JSC::DFG::GenerationInfo::initJSValue):
1102         (JSC::DFG::GenerationInfo::initCell):
1103         (JSC::DFG::GenerationInfo::initBoolean):
1104         (JSC::DFG::GenerationInfo::initDouble):
1105         (JSC::DFG::GenerationInfo::initStorage):
1106         (GenerationInfo):
1107         (JSC::DFG::GenerationInfo::node):
1108         (JSC::DFG::GenerationInfo::noticeOSRBirth):
1109         (JSC::DFG::GenerationInfo::use):
1110         (JSC::DFG::GenerationInfo::appendFill):
1111         (JSC::DFG::GenerationInfo::appendSpill):
1112         * dfg/DFGGraph.cpp:
1113         (JSC::DFG::Graph::Graph):
1114         (JSC::DFG::Graph::~Graph):
1115         (DFG):
1116         (JSC::DFG::Graph::dumpCodeOrigin):
1117         (JSC::DFG::Graph::amountOfNodeWhiteSpace):
1118         (JSC::DFG::Graph::printNodeWhiteSpace):
1119         (JSC::DFG::Graph::dump):
1120         (JSC::DFG::Graph::dumpBlockHeader):
1121         (JSC::DFG::Graph::refChildren):
1122         (JSC::DFG::Graph::derefChildren):
1123         (JSC::DFG::Graph::predictArgumentTypes):
1124         (JSC::DFG::Graph::collectGarbage):
1125         (JSC::DFG::Graph::determineReachability):
1126         (JSC::DFG::Graph::resetExitStates):
1127         * dfg/DFGGraph.h:
1128         (Graph):
1129         (JSC::DFG::Graph::ref):
1130         (JSC::DFG::Graph::deref):
1131         (JSC::DFG::Graph::changeChild):
1132         (JSC::DFG::Graph::compareAndSwap):
1133         (JSC::DFG::Graph::clearAndDerefChild):
1134         (JSC::DFG::Graph::clearAndDerefChild1):
1135         (JSC::DFG::Graph::clearAndDerefChild2):
1136         (JSC::DFG::Graph::clearAndDerefChild3):
1137         (JSC::DFG::Graph::convertToConstant):
1138         (JSC::DFG::Graph::getJSConstantSpeculation):
1139         (JSC::DFG::Graph::addSpeculationMode):
1140         (JSC::DFG::Graph::valueAddSpeculationMode):
1141         (JSC::DFG::Graph::arithAddSpeculationMode):
1142         (JSC::DFG::Graph::addShouldSpeculateInteger):
1143         (JSC::DFG::Graph::mulShouldSpeculateInteger):
1144         (JSC::DFG::Graph::negateShouldSpeculateInteger):
1145         (JSC::DFG::Graph::isConstant):
1146         (JSC::DFG::Graph::isJSConstant):
1147         (JSC::DFG::Graph::isInt32Constant):
1148         (JSC::DFG::Graph::isDoubleConstant):
1149         (JSC::DFG::Graph::isNumberConstant):
1150         (JSC::DFG::Graph::isBooleanConstant):
1151         (JSC::DFG::Graph::isCellConstant):
1152         (JSC::DFG::Graph::isFunctionConstant):
1153         (JSC::DFG::Graph::isInternalFunctionConstant):
1154         (JSC::DFG::Graph::valueOfJSConstant):
1155         (JSC::DFG::Graph::valueOfInt32Constant):
1156         (JSC::DFG::Graph::valueOfNumberConstant):
1157         (JSC::DFG::Graph::valueOfBooleanConstant):
1158         (JSC::DFG::Graph::valueOfFunctionConstant):
1159         (JSC::DFG::Graph::valueProfileFor):
1160         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
1161         (JSC::DFG::Graph::numSuccessors):
1162         (JSC::DFG::Graph::successor):
1163         (JSC::DFG::Graph::successorForCondition):
1164         (JSC::DFG::Graph::isPredictedNumerical):
1165         (JSC::DFG::Graph::byValIsPure):
1166         (JSC::DFG::Graph::clobbersWorld):
1167         (JSC::DFG::Graph::varArgNumChildren):
1168         (JSC::DFG::Graph::numChildren):
1169         (JSC::DFG::Graph::varArgChild):
1170         (JSC::DFG::Graph::child):
1171         (JSC::DFG::Graph::voteNode):
1172         (JSC::DFG::Graph::voteChildren):
1173         (JSC::DFG::Graph::substitute):
1174         (JSC::DFG::Graph::substituteGetLocal):
1175         (JSC::DFG::Graph::addImmediateShouldSpeculateInteger):
1176         (JSC::DFG::Graph::mulImmediateShouldSpeculateInteger):
1177         * dfg/DFGInsertionSet.h:
1178         (JSC::DFG::Insertion::Insertion):
1179         (JSC::DFG::Insertion::element):
1180         (Insertion):
1181         (JSC::DFG::InsertionSet::insert):
1182         (InsertionSet):
1183         * dfg/DFGJITCompiler.cpp:
1184         * dfg/DFGJITCompiler.h:
1185         (JSC::DFG::JITCompiler::setForNode):
1186         (JSC::DFG::JITCompiler::addressOfDoubleConstant):
1187         (JSC::DFG::JITCompiler::noticeOSREntry):
1188         * dfg/DFGLongLivedState.cpp: Added.
1189         (DFG):
1190         (JSC::DFG::LongLivedState::LongLivedState):
1191         (JSC::DFG::LongLivedState::~LongLivedState):
1192         (JSC::DFG::LongLivedState::shrinkToFit):
1193         * dfg/DFGLongLivedState.h: Added.
1194         (DFG):
1195         (LongLivedState):
1196         * dfg/DFGMinifiedID.h:
1197         (JSC::DFG::MinifiedID::MinifiedID):
1198         (JSC::DFG::MinifiedID::node):
1199         * dfg/DFGMinifiedNode.cpp:
1200         (JSC::DFG::MinifiedNode::fromNode):
1201         * dfg/DFGMinifiedNode.h:
1202         (MinifiedNode):
1203         * dfg/DFGNode.cpp: Added.
1204         (DFG):
1205         (JSC::DFG::Node::index):
1206         (WTF):
1207         (WTF::printInternal):
1208         * dfg/DFGNode.h:
1209         (DFG):
1210         (JSC::DFG::Node::Node):
1211         (Node):
1212         (JSC::DFG::Node::convertToGetByOffset):
1213         (JSC::DFG::Node::convertToPutByOffset):
1214         (JSC::DFG::Node::ref):
1215         (JSC::DFG::Node::shouldSpeculateInteger):
1216         (JSC::DFG::Node::shouldSpeculateIntegerForArithmetic):
1217         (JSC::DFG::Node::shouldSpeculateIntegerExpectingDefined):
1218         (JSC::DFG::Node::shouldSpeculateDoubleForArithmetic):
1219         (JSC::DFG::Node::shouldSpeculateNumber):
1220         (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
1221         (JSC::DFG::Node::shouldSpeculateFinalObject):
1222         (JSC::DFG::Node::shouldSpeculateArray):
1223         (JSC::DFG::Node::dumpChildren):
1224         (WTF):
1225         * dfg/DFGNodeAllocator.h: Added.
1226         (DFG):
1227         (operator new ):
1228         * dfg/DFGOSRExit.cpp:
1229         (JSC::DFG::OSRExit::OSRExit):
1230         * dfg/DFGOSRExit.h:
1231         (OSRExit):
1232         (SpeculationFailureDebugInfo):
1233         * dfg/DFGOSRExitCompiler.cpp:
1234         * dfg/DFGOSRExitCompiler32_64.cpp:
1235         (JSC::DFG::OSRExitCompiler::compileExit):
1236         * dfg/DFGOSRExitCompiler64.cpp:
1237         (JSC::DFG::OSRExitCompiler::compileExit):
1238         * dfg/DFGOperations.cpp:
1239         * dfg/DFGPhase.cpp:
1240         (DFG):
1241         (JSC::DFG::Phase::beginPhase):
1242         (JSC::DFG::Phase::endPhase):
1243         * dfg/DFGPhase.h:
1244         (Phase):
1245         (JSC::DFG::runAndLog):
1246         * dfg/DFGPredictionPropagationPhase.cpp:
1247         (JSC::DFG::PredictionPropagationPhase::setPrediction):
1248         (JSC::DFG::PredictionPropagationPhase::mergePrediction):
1249         (JSC::DFG::PredictionPropagationPhase::isNotNegZero):
1250         (JSC::DFG::PredictionPropagationPhase::isNotZero):
1251         (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoForConstant):
1252         (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoNonRecursive):
1253         (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwo):
1254         (JSC::DFG::PredictionPropagationPhase::propagate):
1255         (JSC::DFG::PredictionPropagationPhase::mergeDefaultFlags):
1256         (JSC::DFG::PredictionPropagationPhase::propagateForward):
1257         (JSC::DFG::PredictionPropagationPhase::propagateBackward):
1258         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
1259         (PredictionPropagationPhase):
1260         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
1261         * dfg/DFGScoreBoard.h:
1262         (JSC::DFG::ScoreBoard::ScoreBoard):
1263         (JSC::DFG::ScoreBoard::use):
1264         (JSC::DFG::ScoreBoard::useIfHasResult):
1265         (ScoreBoard):
1266         * dfg/DFGSilentRegisterSavePlan.h:
1267         (JSC::DFG::SilentRegisterSavePlan::SilentRegisterSavePlan):
1268         (JSC::DFG::SilentRegisterSavePlan::node):
1269         (SilentRegisterSavePlan):
1270         * dfg/DFGSlowPathGenerator.h:
1271         (JSC::DFG::SlowPathGenerator::SlowPathGenerator):
1272         (JSC::DFG::SlowPathGenerator::generate):
1273         (SlowPathGenerator):
1274         * dfg/DFGSpeculativeJIT.cpp:
1275         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
1276         (JSC::DFG::SpeculativeJIT::speculationCheck):
1277         (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
1278         (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
1279         (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
1280         (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
1281         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
1282         (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
1283         (JSC::DFG::SpeculativeJIT::silentSpill):
1284         (JSC::DFG::SpeculativeJIT::silentFill):
1285         (JSC::DFG::SpeculativeJIT::checkArray):
1286         (JSC::DFG::SpeculativeJIT::arrayify):
1287         (JSC::DFG::SpeculativeJIT::fillStorage):
1288         (JSC::DFG::SpeculativeJIT::useChildren):
1289         (JSC::DFG::SpeculativeJIT::isStrictInt32):
1290         (JSC::DFG::SpeculativeJIT::isKnownInteger):
1291         (JSC::DFG::SpeculativeJIT::isKnownNumeric):
1292         (JSC::DFG::SpeculativeJIT::isKnownCell):
1293         (JSC::DFG::SpeculativeJIT::isKnownNotCell):
1294         (JSC::DFG::SpeculativeJIT::isKnownNotInteger):
1295         (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
1296         (JSC::DFG::SpeculativeJIT::writeBarrier):
1297         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare):
1298         (JSC::DFG::SpeculativeJIT::nonSpeculativeStrictEq):
1299         (JSC::DFG::GPRTemporary::GPRTemporary):
1300         (JSC::DFG::FPRTemporary::FPRTemporary):
1301         (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
1302         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
1303         (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
1304         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
1305         (JSC::DFG::SpeculativeJIT::noticeOSRBirth):
1306         (JSC::DFG::SpeculativeJIT::compileMovHint):
1307         (JSC::DFG::SpeculativeJIT::compile):
1308         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
1309         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
1310         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
1311         (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
1312         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1313         (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
1314         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1315         (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
1316         (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
1317         (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
1318         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
1319         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
1320         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
1321         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
1322         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
1323         (JSC::DFG::SpeculativeJIT::compileInstanceOf):
1324         (JSC::DFG::SpeculativeJIT::compileSoftModulo):
1325         (JSC::DFG::SpeculativeJIT::compileAdd):
1326         (JSC::DFG::SpeculativeJIT::compileArithSub):
1327         (JSC::DFG::SpeculativeJIT::compileArithNegate):
1328         (JSC::DFG::SpeculativeJIT::compileArithMul):
1329         (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):
1330         (JSC::DFG::SpeculativeJIT::compileArithMod):
1331         (JSC::DFG::SpeculativeJIT::compare):
1332         (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
1333         (JSC::DFG::SpeculativeJIT::compileStrictEq):
1334         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
1335         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
1336         (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
1337         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1338         (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck):
1339         (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression):
1340         (JSC::DFG::SpeculativeJIT::compileRegExpExec):
1341         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1342         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1343         * dfg/DFGSpeculativeJIT.h:
1344         (SpeculativeJIT):
1345         (JSC::DFG::SpeculativeJIT::canReuse):
1346         (JSC::DFG::SpeculativeJIT::isFilled):
1347         (JSC::DFG::SpeculativeJIT::isFilledDouble):
1348         (JSC::DFG::SpeculativeJIT::use):
1349         (JSC::DFG::SpeculativeJIT::isConstant):
1350         (JSC::DFG::SpeculativeJIT::isJSConstant):
1351         (JSC::DFG::SpeculativeJIT::isInt32Constant):
1352         (JSC::DFG::SpeculativeJIT::isDoubleConstant):
1353         (JSC::DFG::SpeculativeJIT::isNumberConstant):
1354         (JSC::DFG::SpeculativeJIT::isBooleanConstant):
1355         (JSC::DFG::SpeculativeJIT::isFunctionConstant):
1356         (JSC::DFG::SpeculativeJIT::valueOfInt32Constant):
1357         (JSC::DFG::SpeculativeJIT::valueOfNumberConstant):
1358         (JSC::DFG::SpeculativeJIT::valueOfNumberConstantAsInt32):
1359         (JSC::DFG::SpeculativeJIT::addressOfDoubleConstant):
1360         (JSC::DFG::SpeculativeJIT::valueOfJSConstant):
1361         (JSC::DFG::SpeculativeJIT::valueOfBooleanConstant):
1362         (JSC::DFG::SpeculativeJIT::valueOfFunctionConstant):
1363         (JSC::DFG::SpeculativeJIT::isNullConstant):
1364         (JSC::DFG::SpeculativeJIT::valueOfJSConstantAsImm64):
1365         (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
1366         (JSC::DFG::SpeculativeJIT::integerResult):
1367         (JSC::DFG::SpeculativeJIT::noResult):
1368         (JSC::DFG::SpeculativeJIT::cellResult):
1369         (JSC::DFG::SpeculativeJIT::booleanResult):
1370         (JSC::DFG::SpeculativeJIT::jsValueResult):
1371         (JSC::DFG::SpeculativeJIT::storageResult):
1372         (JSC::DFG::SpeculativeJIT::doubleResult):
1373         (JSC::DFG::SpeculativeJIT::initConstantInfo):
1374         (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
1375         (JSC::DFG::SpeculativeJIT::isInteger):
1376         (JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal):
1377         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
1378         (JSC::DFG::SpeculativeJIT::setNodeForOperand):
1379         (JSC::DFG::IntegerOperand::IntegerOperand):
1380         (JSC::DFG::IntegerOperand::node):
1381         (JSC::DFG::IntegerOperand::gpr):
1382         (JSC::DFG::IntegerOperand::use):
1383         (IntegerOperand):
1384         (JSC::DFG::DoubleOperand::DoubleOperand):
1385         (JSC::DFG::DoubleOperand::node):
1386         (JSC::DFG::DoubleOperand::fpr):
1387         (JSC::DFG::DoubleOperand::use):
1388         (DoubleOperand):
1389         (JSC::DFG::JSValueOperand::JSValueOperand):
1390         (JSC::DFG::JSValueOperand::node):
1391         (JSC::DFG::JSValueOperand::gpr):
1392         (JSC::DFG::JSValueOperand::fill):
1393         (JSC::DFG::JSValueOperand::use):
1394         (JSValueOperand):
1395         (JSC::DFG::StorageOperand::StorageOperand):
1396         (JSC::DFG::StorageOperand::node):
1397         (JSC::DFG::StorageOperand::gpr):
1398         (JSC::DFG::StorageOperand::use):
1399         (StorageOperand):
1400         (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
1401         (JSC::DFG::SpeculateIntegerOperand::node):
1402         (JSC::DFG::SpeculateIntegerOperand::gpr):
1403         (JSC::DFG::SpeculateIntegerOperand::use):
1404         (SpeculateIntegerOperand):
1405         (JSC::DFG::SpeculateStrictInt32Operand::SpeculateStrictInt32Operand):
1406         (JSC::DFG::SpeculateStrictInt32Operand::node):
1407         (JSC::DFG::SpeculateStrictInt32Operand::gpr):
1408         (JSC::DFG::SpeculateStrictInt32Operand::use):
1409         (SpeculateStrictInt32Operand):
1410         (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
1411         (JSC::DFG::SpeculateDoubleOperand::node):
1412         (JSC::DFG::SpeculateDoubleOperand::fpr):
1413         (JSC::DFG::SpeculateDoubleOperand::use):
1414         (SpeculateDoubleOperand):
1415         (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
1416         (JSC::DFG::SpeculateCellOperand::node):
1417         (JSC::DFG::SpeculateCellOperand::gpr):
1418         (JSC::DFG::SpeculateCellOperand::use):
1419         (SpeculateCellOperand):
1420         (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
1421         (JSC::DFG::SpeculateBooleanOperand::node):
1422         (JSC::DFG::SpeculateBooleanOperand::gpr):
1423         (JSC::DFG::SpeculateBooleanOperand::use):
1424         (SpeculateBooleanOperand):
1425         * dfg/DFGSpeculativeJIT32_64.cpp:
1426         (JSC::DFG::SpeculativeJIT::fillInteger):
1427         (JSC::DFG::SpeculativeJIT::fillDouble):
1428         (JSC::DFG::SpeculativeJIT::fillJSValue):
1429         (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
1430         (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
1431         (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
1432         (JSC::DFG::SpeculativeJIT::cachedPutById):
1433         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
1434         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
1435         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
1436         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1437         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
1438         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
1439         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
1440         (JSC::DFG::SpeculativeJIT::emitCall):
1441         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1442         (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
1443         (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
1444         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1445         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1446         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1447         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1448         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1449         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1450         (JSC::DFG::SpeculativeJIT::compileIntegerCompare):
1451         (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
1452         (JSC::DFG::SpeculativeJIT::compileValueAdd):
1453         (JSC::DFG::SpeculativeJIT::compileNonStringCellOrOtherLogicalNot):
1454         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1455         (JSC::DFG::SpeculativeJIT::emitNonStringCellOrOtherBranch):
1456         (JSC::DFG::SpeculativeJIT::emitBranch):
1457         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
1458         (JSC::DFG::SpeculativeJIT::compile):
1459         * dfg/DFGSpeculativeJIT64.cpp:
1460         (JSC::DFG::SpeculativeJIT::fillInteger):
1461         (JSC::DFG::SpeculativeJIT::fillDouble):
1462         (JSC::DFG::SpeculativeJIT::fillJSValue):
1463         (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
1464         (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
1465         (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
1466         (JSC::DFG::SpeculativeJIT::cachedPutById):
1467         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
1468         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
1469         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
1470         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1471         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
1472         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
1473         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
1474         (JSC::DFG::SpeculativeJIT::emitCall):
1475         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1476         (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
1477         (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
1478         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1479         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1480         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1481         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1482         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1483         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1484         (JSC::DFG::SpeculativeJIT::compileIntegerCompare):
1485         (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
1486         (JSC::DFG::SpeculativeJIT::compileValueAdd):
1487         (JSC::DFG::SpeculativeJIT::compileNonStringCellOrOtherLogicalNot):
1488         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1489         (JSC::DFG::SpeculativeJIT::emitNonStringCellOrOtherBranch):
1490         (JSC::DFG::SpeculativeJIT::emitBranch):
1491         (JSC::DFG::SpeculativeJIT::compile):
1492         * dfg/DFGStructureAbstractValue.h:
1493         (StructureAbstractValue):
1494         * dfg/DFGStructureCheckHoistingPhase.cpp:
1495         (JSC::DFG::StructureCheckHoistingPhase::run):
1496         * dfg/DFGValidate.cpp:
1497         (DFG):
1498         (Validate):
1499         (JSC::DFG::Validate::validate):
1500         (JSC::DFG::Validate::reportValidationContext):
1501         * dfg/DFGValidate.h:
1502         * dfg/DFGValueSource.cpp:
1503         (JSC::DFG::ValueSource::dump):
1504         * dfg/DFGValueSource.h:
1505         (JSC::DFG::ValueSource::ValueSource):
1506         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
1507         (JSC::DFG::VirtualRegisterAllocationPhase::run):
1508         * runtime/FunctionExecutableDump.cpp: Added.
1509         (JSC):
1510         (JSC::FunctionExecutableDump::dump):
1511         * runtime/FunctionExecutableDump.h: Added.
1512         (JSC):
1513         (FunctionExecutableDump):
1514         (JSC::FunctionExecutableDump::FunctionExecutableDump):
1515         * runtime/JSGlobalData.cpp:
1516         (JSC::JSGlobalData::JSGlobalData):
1517         * runtime/JSGlobalData.h:
1518         (JSC):
1519         (DFG):
1520         (JSGlobalData):
1521         * runtime/Options.h:
1522         (JSC):
1523
1524 2013-01-28  Laszlo Gombos  <l.gombos@samsung.com>
1525
1526         Collapse testing for a list of PLATFORM() into OS() and USE() tests
1527         https://bugs.webkit.org/show_bug.cgi?id=108018
1528
1529         Reviewed by Eric Seidel.
1530
1531         No functional change, as "OS(DARWIN) && USE(CF)" is equivalent to the
1532         following platforms: MAC, WX, QT and CHROMIUM. CHROMIUM
1533         does not use JavaScriptCore.
1534
1535         * runtime/DatePrototype.cpp:
1536         (JSC):
1537
1538 2013-01-28  Geoffrey Garen  <ggaren@apple.com>
1539
1540         Static size inference for JavaScript objects
1541         https://bugs.webkit.org/show_bug.cgi?id=108093
1542
1543         Reviewed by Phil Pizlo.
1544
1545         * API/JSObjectRef.cpp:
1546         * JavaScriptCore.order:
1547         * JavaScriptCore.xcodeproj/project.pbxproj: Pay the tax man.
1548
1549         * bytecode/CodeBlock.cpp:
1550         (JSC::CodeBlock::dumpBytecode): op_new_object and op_create_this now
1551         have an extra inferredInlineCapacity argument. This is the statically
1552         inferred inline capacity, just from analyzing source text. op_new_object
1553         also gets a pointer to an allocation profile. (For op_create_this, the
1554         profile is in the constructor function.)
1555
1556         (JSC::CodeBlock::CodeBlock): Link op_new_object.
1557
1558         (JSC::CodeBlock::stronglyVisitStrongReferences): Mark our profiles.
1559
1560         * bytecode/CodeBlock.h:
1561         (CodeBlock): Removed some dead code. Added object allocation profiles.
1562
1563         * bytecode/Instruction.h:
1564         (JSC): New union type, since an instruction operand may point to an
1565         object allocation profile now.
1566
1567         * bytecode/ObjectAllocationProfile.h: Added.
1568         (JSC):
1569         (ObjectAllocationProfile):
1570         (JSC::ObjectAllocationProfile::offsetOfAllocator):
1571         (JSC::ObjectAllocationProfile::offsetOfStructure):
1572         (JSC::ObjectAllocationProfile::ObjectAllocationProfile):
1573         (JSC::ObjectAllocationProfile::isNull):
1574         (JSC::ObjectAllocationProfile::initialize):
1575         (JSC::ObjectAllocationProfile::structure):
1576         (JSC::ObjectAllocationProfile::inlineCapacity):
1577         (JSC::ObjectAllocationProfile::clear):
1578         (JSC::ObjectAllocationProfile::visitAggregate):
1579         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount): New class
1580         for tracking a prediction about object allocation: structure, inline
1581         capacity, allocator to use.
1582
1583         * bytecode/Opcode.h:
1584         (JSC):
1585         (JSC::padOpcodeName): Updated instruction sizes.
1586
1587         * bytecode/UnlinkedCodeBlock.cpp:
1588         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1589         * bytecode/UnlinkedCodeBlock.h:
1590         (JSC):
1591         (JSC::UnlinkedCodeBlock::addObjectAllocationProfile):
1592         (JSC::UnlinkedCodeBlock::numberOfObjectAllocationProfiles):
1593         (UnlinkedCodeBlock): Unlinked support for allocation profiles.
1594
1595         * bytecompiler/BytecodeGenerator.cpp:
1596         (JSC::BytecodeGenerator::generate): Kill all remaining analyses at the
1597         end of codegen, since this is our last opportunity.
1598
1599         (JSC::BytecodeGenerator::BytecodeGenerator): Added a static property
1600         analyzer to bytecode generation. It tracks initializing assignments and
1601         makes a guess about how many will happen.
1602
1603         (JSC::BytecodeGenerator::newObjectAllocationProfile):
1604         (JSC):
1605         (JSC::BytecodeGenerator::emitProfiledOpcode):
1606         (JSC::BytecodeGenerator::emitMove):
1607         (JSC::BytecodeGenerator::emitResolve):
1608         (JSC::BytecodeGenerator::emitResolveBase):
1609         (JSC::BytecodeGenerator::emitResolveBaseForPut):
1610         (JSC::BytecodeGenerator::emitResolveWithBaseForPut):
1611         (JSC::BytecodeGenerator::emitResolveWithThis):
1612         (JSC::BytecodeGenerator::emitGetById):
1613         (JSC::BytecodeGenerator::emitPutById):
1614         (JSC::BytecodeGenerator::emitDirectPutById):
1615         (JSC::BytecodeGenerator::emitPutGetterSetter):
1616         (JSC::BytecodeGenerator::emitGetArgumentByVal):
1617         (JSC::BytecodeGenerator::emitGetByVal): Added hooks to the static property
1618         analyzer, so it can observe allocations and stores.
1619
1620         (JSC::BytecodeGenerator::emitCreateThis): Factored this into a helper
1621         function because it was a significant amount of logic, and I wanted to
1622         add to it.
1623
1624         (JSC::BytecodeGenerator::emitNewObject):
1625         (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
1626         (JSC::BytecodeGenerator::emitCall):
1627         (JSC::BytecodeGenerator::emitCallVarargs):
1628         (JSC::BytecodeGenerator::emitConstruct): Added a hook to profiled opcodes
1629         to track their stores, in case a store kills a profiled allocation. Since
1630         profiled opcodes are basically the only interesting stores we do, this
1631         is a convenient place to notice any store that might kill an allocation.
1632
1633         * bytecompiler/BytecodeGenerator.h:
1634         (BytecodeGenerator): As above.
1635
1636         * bytecompiler/StaticPropertyAnalysis.h: Added.
1637         (JSC):
1638         (StaticPropertyAnalysis):
1639         (JSC::StaticPropertyAnalysis::create):
1640         (JSC::StaticPropertyAnalysis::addPropertyIndex):
1641         (JSC::StaticPropertyAnalysis::record):
1642         (JSC::StaticPropertyAnalysis::propertyIndexCount):
1643         (JSC::StaticPropertyAnalysis::StaticPropertyAnalysis): Simple helper
1644         class for tracking allocations and stores.
1645
1646         * bytecompiler/StaticPropertyAnalyzer.h: Added.
1647         (StaticPropertyAnalyzer):
1648         (JSC::StaticPropertyAnalyzer::StaticPropertyAnalyzer):
1649         (JSC::StaticPropertyAnalyzer::createThis):
1650         (JSC::StaticPropertyAnalyzer::newObject):
1651         (JSC::StaticPropertyAnalyzer::putById):
1652         (JSC::StaticPropertyAnalyzer::mov):
1653         (JSC::StaticPropertyAnalyzer::kill): Helper class for observing allocations
1654         and stores and making an inline capacity guess. The heuristics here are
1655         intentionally minimal because we don't want this one class to try to
1656         re-create something like a DFG or a runtime analysis. If we discover that
1657         we need those kinds of analyses, we should just replace this class with
1658         something else.
1659
1660         This class tracks multiple registers that alias the same object -- that
1661         happens a lot, when moving locals into temporary registers -- but it
1662         doesn't track control flow or multiple objects that alias the same register.
1663
1664         * dfg/DFGAbstractState.cpp:
1665         (JSC::DFG::AbstractState::execute): Updated for rename.
1666
1667         * dfg/DFGByteCodeParser.cpp:
1668         (JSC::DFG::ByteCodeParser::parseBlock): Updated for inline capacity and
1669         allocation profile.
1670
1671         * dfg/DFGNode.h:
1672         (JSC::DFG::Node::hasInlineCapacity):
1673         (Node):
1674         (JSC::DFG::Node::inlineCapacity):
1675         (JSC::DFG::Node::hasFunction): Give the graph a good way to represent
1676         inline capacity for an allocation.
1677
1678         * dfg/DFGNodeType.h:
1679         (DFG): Updated for rename.
1680
1681         * dfg/DFGOperations.cpp: Updated for interface change.
1682
1683         * dfg/DFGOperations.h: We pass the inline capacity to the slow case as
1684         an argument. This is the simplest way, since it's stored as a bytecode operand.
1685
1686         * dfg/DFGPredictionPropagationPhase.cpp:
1687         (JSC::DFG::PredictionPropagationPhase::propagate): Updated for rename.
1688
1689         * dfg/DFGRepatch.cpp:
1690         (JSC::DFG::tryCacheGetByID): Fixed a horrible off-by-one-half bug that only
1691         appears when doing an inline cached load for property number 64 on a 32-bit
1692         system. In JSVALUE32_64 land, "offsetRelativeToPatchedStorage" is the
1693         offset of the 64-bit JSValue -- but we'll actually issue two loads, one for
1694         the payload at that offset, and one for the tag at that offset + 4. We need
1695         to ensure that both loads have a compact representation, or we'll corrupt
1696         the instruction stream.
1697
1698         * dfg/DFGSpeculativeJIT.cpp:
1699         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
1700         * dfg/DFGSpeculativeJIT.h:
1701         (JSC::DFG::SpeculativeJIT::callOperation):
1702         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
1703         (SpeculativeJIT):
1704         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1705         * dfg/DFGSpeculativeJIT32_64.cpp:
1706         (JSC::DFG::SpeculativeJIT::compile):
1707         * dfg/DFGSpeculativeJIT64.cpp:
1708         (JSC::DFG::SpeculativeJIT::compile): Lots of refactoring to support
1709         passing an allocator to our allocation function, and/or passing a Structure
1710         as a register instead of an immediate.
1711
1712         * heap/MarkedAllocator.h:
1713         (DFG):
1714         (MarkedAllocator):
1715         (JSC::MarkedAllocator::offsetOfFreeListHead): Added an accessor to simplify
1716         JIT code generation of allocation from an arbitrary allocator.
1717
1718         * jit/JIT.h:
1719         (JSC):
1720         * jit/JITInlines.h:
1721         (JSC):
1722         (JSC::JIT::emitAllocateJSObject):
1723         * jit/JITOpcodes.cpp:
1724         (JSC::JIT::emit_op_new_object):
1725         (JSC::JIT::emitSlow_op_new_object):
1726         (JSC::JIT::emit_op_create_this):
1727         (JSC::JIT::emitSlow_op_create_this):
1728         * jit/JITOpcodes32_64.cpp:
1729         (JSC::JIT::emit_op_new_object):
1730         (JSC::JIT::emitSlow_op_new_object):
1731         (JSC::JIT::emit_op_create_this):
1732         (JSC::JIT::emitSlow_op_create_this): Same refactoring as done for the DFG.
1733
1734         * jit/JITStubs.cpp:
1735         (JSC::tryCacheGetByID): Fixed the same bug mentioned above.
1736
1737         (JSC::DEFINE_STUB_FUNCTION): Updated for interface changes.
1738
1739         * llint/LLIntData.cpp:
1740         (JSC::LLInt::Data::performAssertions): Updated for interface changes.
1741
1742         * llint/LLIntSlowPaths.cpp:
1743         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1744         * llint/LowLevelInterpreter.asm:
1745         * llint/LowLevelInterpreter32_64.asm:
1746         * llint/LowLevelInterpreter64.asm: Same refactoring as for the JITs.
1747
1748         * profiler/ProfilerBytecode.cpp:
1749         * profiler/ProfilerBytecodes.cpp:
1750         * profiler/ProfilerCompilation.cpp:
1751         * profiler/ProfilerCompiledBytecode.cpp:
1752         * profiler/ProfilerDatabase.cpp:
1753         * profiler/ProfilerOSRExit.cpp:
1754         * profiler/ProfilerOrigin.cpp:
1755         * profiler/ProfilerProfiledBytecodes.cpp: Include ObjectConstructor.h
1756         because that's where createEmptyObject() lives now.
1757
1758         * runtime/Executable.h:
1759         (JSC::JSFunction::JSFunction): Updated for rename.
1760
1761         * runtime/JSCellInlines.h:
1762         (JSC::allocateCell): Updated to match the allocator selection code in
1763         the JIT, so it's clearer that both are correct.
1764
1765         * runtime/JSFunction.cpp:
1766         (JSC::JSFunction::JSFunction):
1767         (JSC::JSFunction::createAllocationProfile):
1768         (JSC::JSFunction::visitChildren):
1769         (JSC::JSFunction::getOwnPropertySlot):
1770         (JSC::JSFunction::put):
1771         (JSC::JSFunction::defineOwnProperty):
1772         (JSC::JSFunction::getConstructData):
1773         * runtime/JSFunction.h:
1774         (JSC::JSFunction::offsetOfScopeChain):
1775         (JSC::JSFunction::offsetOfExecutable):
1776         (JSC::JSFunction::offsetOfAllocationProfile):
1777         (JSC::JSFunction::allocationProfile):
1778         (JSFunction):
1779         (JSC::JSFunction::tryGetAllocationProfile):
1780         (JSC::JSFunction::addAllocationProfileWatchpoint): Changed inheritorID
1781         data member to be an ObjectAllocationProfile, which includes a pointer
1782         to the desired allocator. This simplifies JIT code, since we don't have
1783         to compute the allocator on the fly. I verified by code inspection that
1784         JSFunction is still only 64 bytes.
1785
1786         * runtime/JSGlobalObject.cpp:
1787         (JSC::JSGlobalObject::reset):
1788         (JSC::JSGlobalObject::visitChildren):
1789         * runtime/JSGlobalObject.h:
1790         (JSGlobalObject):
1791         (JSC::JSGlobalObject::dateStructure): No direct pointer to the empty
1792         object structure anymore, because now clients need to specify how much
1793         inline capacity they want.
1794
1795         * runtime/JSONObject.cpp:
1796         * runtime/JSObject.h:
1797         (JSC):
1798         (JSFinalObject):
1799         (JSC::JSFinalObject::defaultInlineCapacity):
1800         (JSC::JSFinalObject::maxInlineCapacity):
1801         (JSC::JSFinalObject::createStructure): A little refactoring to try to 
1802         clarify where some of these constants derive from.
1803
1804         (JSC::maxOffsetRelativeToPatchedStorage): Used for bug fix, above.
1805
1806         * runtime/JSProxy.cpp:
1807         (JSC::JSProxy::setTarget): Ugly, but effective.
1808
1809         * runtime/LiteralParser.cpp:
1810         * runtime/ObjectConstructor.cpp:
1811         (JSC::constructObject):
1812         (JSC::constructWithObjectConstructor):
1813         (JSC::callObjectConstructor):
1814         (JSC::objectConstructorCreate): Updated for interface changes.
1815
1816         * runtime/ObjectConstructor.h:
1817         (JSC::constructEmptyObject): Clarified your options for how to allocate
1818         an empty object, to emphasize what things can actually vary.
1819
1820         * runtime/PropertyOffset.h: These constants have moved because they're
1821         really higher level concepts to do with the layout of objects and the
1822         collector. PropertyOffset is just an abstract number line, independent
1823         of those things.
1824
1825         * runtime/PrototypeMap.cpp:
1826         (JSC::PrototypeMap::emptyObjectStructureForPrototype):
1827         (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
1828         * runtime/PrototypeMap.h:
1829         (PrototypeMap): The map key is now a pair of prototype and inline capacity,
1830         since Structure encodes inline capacity.
1831
1832         * runtime/Structure.cpp:
1833         (JSC::Structure::Structure):
1834         (JSC::Structure::materializePropertyMap):
1835         (JSC::Structure::addPropertyTransition):
1836         (JSC::Structure::nonPropertyTransition):
1837         (JSC::Structure::copyPropertyTableForPinning):
1838         * runtime/Structure.h:
1839         (Structure):
1840         (JSC::Structure::totalStorageSize):
1841         (JSC::Structure::transitionCount):
1842         (JSC::Structure::create): Fixed a nasty refactoring bug that only shows
1843         up after enabling variable-sized inline capacities: we were passing our
1844         type info where our inline capacity was expected. The compiler didn't
1845         notice because both have type int :(.
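
        The static property analyzer described in the entry above (track allocations, follow register aliases, count initializing stores, drop an alias when the register is overwritten, freeze every guess at the end of codegen) can be modelled compactly. The following is an added illustration written for this page, not JSC's StaticPropertyAnalyzer; the event names, the "distinct property indices seen" heuristic and the omission of the maxInlineCapacity clamp are simplifications assumed here.

```cpp
#include <cstdio>
#include <map>
#include <memory>
#include <set>
#include <vector>

// One tracked allocation: the distinct property indices stored into it.
struct PropertyAnalysis {
    std::set<int> propertyIndices;
    bool finalized = false;
    // Guess one inline slot per distinct property. The real engine also clamps
    // to JSFinalObject::maxInlineCapacity, whose value is not reproduced here.
    int inferredCapacity() const { return static_cast<int>(propertyIndices.size()); }
};

// Minimal model (assumption, not JSC code): registers alias analyses, and an
// alias is dropped whenever its register is written by something else.
class StaticPropertyAnalyzer {
public:
    using Analysis = std::shared_ptr<PropertyAnalysis>;

    // op_new_object / op_create_this into register `dst`: start a fresh analysis.
    Analysis newObject(int dst) {
        kill(dst);
        Analysis analysis = std::make_shared<PropertyAnalysis>();
        m_aliases[dst] = analysis;
        m_all.push_back(analysis);
        return analysis;
    }
    Analysis createThis(int dst) { return newObject(dst); }

    // op_mov dst, src: dst now aliases whatever src refers to, if anything.
    void mov(int dst, int src) {
        if (dst == src) return;
        kill(dst);
        auto it = m_aliases.find(src);
        if (it != m_aliases.end())
            m_aliases[dst] = it->second;
    }

    // op_put_by_id base.<propertyIndex> = value: an initializing store.
    void putById(int base, int propertyIndex) {
        auto it = m_aliases.find(base);
        if (it != m_aliases.end() && !it->second->finalized)
            it->second->propertyIndices.insert(propertyIndex);
    }

    // Any other opcode writing `dst` (a profiled store, a call result, ...)
    // breaks the alias; later stores through `dst` no longer count.
    void kill(int dst) { m_aliases.erase(dst); }

    // End of codegen: no more stores can arrive, so freeze every guess.
    void finishCodegen() {
        m_aliases.clear();
        for (Analysis& analysis : m_all)
            analysis->finalized = true;
    }

private:
    std::map<int, Analysis> m_aliases;
    std::vector<Analysis> m_all;
};

// Drives the analyzer over a hand-written event sequence (constructed sample)
// standing in for the bytecode of
//   function Point(x, y) { this.x = x; this.y = y; }
// and of
//   var o = {}; var t = o; t.a = 1; o.b = 2; t.a = 3;
// Returns the two inferred inline capacities: {2, 2}.
std::vector<int> runDemo() {
    StaticPropertyAnalyzer analyzer;
    enum { X = 0, Y = 1, A = 2, B = 3 };   // property indices from a constant table

    // Point constructor body: create_this r0, then two stores through r0.
    auto point = analyzer.createThis(0);
    analyzer.putById(0, X);
    analyzer.putById(0, Y);

    // Object literal in r1, aliased through temporary register r2.
    auto literal = analyzer.newObject(1);
    analyzer.mov(2, 1);          // t = o
    analyzer.putById(2, A);      // t.a = 1
    analyzer.putById(1, B);      // o.b = 2
    analyzer.putById(2, A);      // t.a = 3 (same slot, not counted twice)

    // r2 is overwritten by an unrelated value; a later store through it must
    // not be attributed to the literal.
    analyzer.kill(2);
    analyzer.putById(2, Y);

    analyzer.finishCodegen();
    return { point->inferredCapacity(), literal->inferredCapacity() };
}

int main() {
    std::vector<int> guesses = runDemo();
    std::printf("Point: %d inline slots, literal: %d inline slots\n", guesses[0], guesses[1]);
    return 0;
}
```

        As the entry notes, this kind of analysis follows aliases but not control flow, so a store reachable only on one branch still counts; that is acceptable because the guess only sizes the initial allocation and a wrong guess costs memory or a reallocation, not correctness.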
1846
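        The inline-cache offset bug called out in the entry above is easy to reproduce in miniature: on a JSVALUE32_64 build one cached property load is really two loads, payload at the value's offset and tag at that offset plus 4, and a patchability check that only tests the first offset accepts a value whose second load is not encodable. The following is an added illustration for this page, not JSC's tryCacheGetByID; the storage layout (inline storage 4 bytes past the patched base, 8-byte values) and the "compact" displacement limit (word-aligned, at most 124 bytes, modelled on a 5-bit scaled immediate) are assumptions chosen to make the bug visible, not the engine's real numbers.

```cpp
#include <cstdio>

// Layout assumptions for the illustration (not JSC's actual numbers).
constexpr int kInlineStorageOffset = 4;   // first inline slot past the patched base
constexpr int kJSValueSize = 8;           // 64-bit JSValue
constexpr int kPayloadOffset = 0;         // JSVALUE32_64: payload word first
constexpr int kTagOffset = 4;             // tag word second

// Hypothetical "compact" load encoding: a word-aligned displacement held in a
// 5-bit field scaled by 4, so 0..124 inclusive. The real per-architecture
// rule lives in the assembler and is not reproduced here.
constexpr int kCompactMaxDisplacement = 31 * 4;

constexpr bool fitsCompactDisplacement(int displacement) {
    return displacement >= 0
        && (displacement & 3) == 0
        && displacement <= kCompactMaxDisplacement;
}

constexpr int offsetRelativeToPatchedStorage(int propertyIndex) {
    return kInlineStorageOffset + propertyIndex * kJSValueSize;
}

// The bug: only the offset of the whole 64-bit JSValue is tested.
constexpr bool buggyIsPatchable(int propertyIndex) {
    return fitsCompactDisplacement(offsetRelativeToPatchedStorage(propertyIndex));
}

// The fix: both loads the JIT will actually emit must be representable.
constexpr bool fixedIsPatchable(int propertyIndex) {
    const int base = offsetRelativeToPatchedStorage(propertyIndex);
    return fitsCompactDisplacement(base + kPayloadOffset)
        && fitsCompactDisplacement(base + kTagOffset);
}

// What silently goes wrong without the fix: packing a displacement of 128 into
// the 5-bit field truncates it to 0, so the patched "tag" load reads the wrong
// word and the instruction bits no longer mean what the patcher assumed.
constexpr unsigned truncatedImm5(int displacement) {
    return static_cast<unsigned>(displacement >> 2) & 0x1F;
}

// Highest property index each rule accepts for patching (scans a bounded range).
int lastPatchableIndex(bool (*rule)(int)) {
    int last = -1;
    for (int i = 0; i < 64; ++i)
        if (rule(i)) last = i;
    return last;
}

int main() {
    for (int index = 13; index <= 16; ++index) {
        const int base = offsetRelativeToPatchedStorage(index);
        std::printf("property %2d: payload@%3d tag@%3d buggy=%d fixed=%d\n",
                    index, base + kPayloadOffset, base + kTagOffset,
                    buggyIsPatchable(index), fixedIsPatchable(index));
    }
    std::printf("last patchable index: buggy=%d fixed=%d\n",
                lastPatchableIndex(buggyIsPatchable), lastPatchableIndex(fixedIsPatchable));
    std::printf("imm5 field for displacement 128 truncates to %u\n", truncatedImm5(128));
    return 0;
}
```

        Under these assumptions property 15 sits at displacement 124: the buggy rule accepts it because 124 is encodable, while the fixed rule rejects it because the tag load at 128 is not. That half-value gap between "the JSValue fits" and "both halves fit" is the off-by-one-half the entry describes, and the general lesson for any patchable-load check is to test every load the patch will emit, not the address of the logical value.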
1847 2013-01-28  Oliver Hunt  <oliver@apple.com>
1848
1849         Add more assertions to the property storage use in arrays
1850         https://bugs.webkit.org/show_bug.cgi?id=107728
1851
1852         Reviewed by Filip Pizlo.
1853
1854         Add a bunch of assertions to array and object butterfly
1855         usage.  This should make debugging somewhat easier.
1856
1857         I also converted a couple of assertions to release asserts
1858         as they were so low cost it seemed a sensible thing to do.
1859
1860         * runtime/JSArray.cpp:
1861         (JSC::JSArray::sortVector):
1862         (JSC::JSArray::compactForSorting):
1863         * runtime/JSObject.h:
1864         (JSC::JSObject::getHolyIndexQuickly):
1865
1866 2013-01-28  Adam Barth  <abarth@webkit.org>
1867
1868         Remove webkitNotifications.createHTMLNotification
1869         https://bugs.webkit.org/show_bug.cgi?id=107598
1870
1871         Reviewed by Benjamin Poulain.
1872
1873         * Configurations/FeatureDefines.xcconfig:
1874
1875 2013-01-28  Michael Saboff  <msaboff@apple.com>
1876
1877         Cleanup ARM version of debugName() in DFGFPRInfo.h
1878         https://bugs.webkit.org/show_bug.cgi?id=108090
1879
1880         Reviewed by David Kilzer.
1881
1882         Fixed debugName() so it will compile by adding static_cast<int> and missing commas.
1883
1884         * dfg/DFGFPRInfo.h:
1885         (JSC::DFG::FPRInfo::debugName):
1886
1887 2013-01-27  Andreas Kling  <akling@apple.com>
1888
1889         JSC: FunctionParameters are memory hungry.
1890         <http://webkit.org/b/108033>
1891         <rdar://problem/13094803>
1892
1893         Reviewed by Sam Weinig.
1894
1895         Instead of inheriting from Vector<Identifier>, make FunctionParameters a simple fixed-size array
1896         with a custom-allocating create() function. Removes one step of indirection and cuts memory usage
1897         roughly in half.
1898
1899         2.73 MB progression on Membuster3.
1900
1901         * bytecode/UnlinkedCodeBlock.cpp:
1902         (JSC::UnlinkedFunctionExecutable::paramString):
1903         * bytecompiler/BytecodeGenerator.cpp:
1904         (JSC::BytecodeGenerator::BytecodeGenerator):
1905         * parser/Nodes.cpp:
1906         (JSC::FunctionParameters::create):
1907         (JSC::FunctionParameters::FunctionParameters):
1908         (JSC::FunctionParameters::~FunctionParameters):
1909         * parser/Nodes.h:
1910         (FunctionParameters):
1911         (JSC::FunctionParameters::size):
1912         (JSC::FunctionParameters::at):
1913         (JSC::FunctionParameters::identifiers):
1914
1915 2013-01-27  Andreas Kling  <akling@apple.com>
1916
1917         JSC: SourceProviderCache is memory hungry.
1918         <http://webkit.org/b/108029>
1919         <rdar://problem/13094806>
1920
1921         Reviewed by Sam Weinig.
1922
1923         Use fixed-size arrays for SourceProviderCacheItem's lists of captured variables.
1924         Since the lists never change after the object is created, there's no need to keep them in Vectors
1925         and we can instead create the whole cache item in a single allocation.
1926
1927         13.37 MB progression on Membuster3.
1928
1929         * parser/Parser.cpp:
1930         (JSC::::parseFunctionInfo):
1931         * parser/Parser.h:
1932         (JSC::Scope::copyCapturedVariablesToVector):
1933         (JSC::Scope::fillParametersForSourceProviderCache):
1934         (JSC::Scope::restoreFromSourceProviderCache):
1935         * parser/SourceProviderCacheItem.h:
1936         (SourceProviderCacheItemCreationParameters):
1937         (SourceProviderCacheItem):
1938         (JSC::SourceProviderCacheItem::approximateByteSize):
1939         (JSC::SourceProviderCacheItem::usedVariables):
1940         (JSC::SourceProviderCacheItem::writtenVariables):
1941         (JSC::SourceProviderCacheItem::~SourceProviderCacheItem):
1942         (JSC::SourceProviderCacheItem::create):
1943         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
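
        Both of the entries above (FunctionParameters and SourceProviderCacheItem) apply the same technique: replace a Vector member with a fixed-size array that lives in the same heap block as its owner, created through a custom-allocating create() so the whole object is one allocation. The following is an added illustration of that pattern for this page, not JSC's FunctionParameters or SourceProviderCacheItem; the class name InlineArray, the header rounding and the overflow check are choices made here. The parts a reviewer cares about are the ones that are easy to get wrong in a hand-rolled allocation: size arithmetic that cannot wrap, an element start that is aligned for T, and construction and destruction of each element done by hand because the compiler no longer sees them as members.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <new>
#include <stdexcept>
#include <string>
#include <vector>

template <typename T>
class InlineArray {
    static_assert(alignof(T) <= alignof(std::max_align_t),
                  "elements must be satisfiable by ::operator new alignment");
public:
    // Header rounded up so the first element is properly aligned for T.
    static constexpr size_t headerSize() {
        return (sizeof(InlineArray) + alignof(T) - 1) / alignof(T) * alignof(T);
    }
    static constexpr size_t allocationSize(size_t count) {
        return headerSize() + count * sizeof(T);
    }

    // One allocation for header plus `count` elements, copy-constructed in place.
    static InlineArray* create(const std::vector<T>& items) {
        const size_t count = items.size();
        if (count > (SIZE_MAX - headerSize()) / sizeof(T))
            throw std::length_error("InlineArray: element count overflows size_t");
        void* memory = ::operator new(allocationSize(count));
        try {
            return new (memory) InlineArray(items.data(), count);
        } catch (...) {
            ::operator delete(memory);   // placement new does not free on throw
            throw;
        }
    }

    // Mirror of create(): run the destructor, then release the single block.
    static void destroy(InlineArray* array) {
        if (!array) return;
        array->~InlineArray();
        ::operator delete(array);
    }

    size_t size() const { return m_size; }
    const T& at(size_t index) const {
        if (index >= m_size) throw std::out_of_range("InlineArray::at");
        return elements()[index];
    }
    const T* data() const { return elements(); }

private:
    // Constructs elements one by one; on failure destroys the ones built so far.
    InlineArray(const T* source, size_t count) : m_size(0) {
        try {
            for (; m_size < count; ++m_size)
                new (elements() + m_size) T(source[m_size]);
        } catch (...) {
            for (size_t i = 0; i < m_size; ++i) elements()[i].~T();
            throw;
        }
    }
    ~InlineArray() {
        for (size_t i = 0; i < m_size; ++i) elements()[i].~T();
    }

    T* elements() {
        return reinterpret_cast<T*>(reinterpret_cast<char*>(this) + headerSize());
    }
    const T* elements() const {
        return reinterpret_cast<const T*>(reinterpret_cast<const char*>(this) + headerSize());
    }

    size_t m_size;
};

struct DemoResult {
    size_t count;
    std::string first;
    std::string last;
    size_t singleAllocationBytes;
};

// Constructed sample standing in for a parsed parameter list (a, b, c).
DemoResult runDemo() {
    const std::vector<std::string> parameters = {"a", "b", "c"};
    InlineArray<std::string>* list = InlineArray<std::string>::create(parameters);
    DemoResult result{list->size(), list->at(0), list->at(list->size() - 1),
                      InlineArray<std::string>::allocationSize(parameters.size())};
    InlineArray<std::string>::destroy(list);
    return result;
}

// Bounds are checked on access, so a bad index throws instead of reading past the block.
bool outOfRangeIsRejected() {
    InlineArray<int>* list = InlineArray<int>::create({1, 2, 3});
    bool rejected = false;
    try { (void)list->at(3); } catch (const std::out_of_range&) { rejected = true; }
    InlineArray<int>::destroy(list);
    return rejected;
}

int main() {
    DemoResult r = runDemo();
    std::printf("%zu parameters (%s .. %s) in one %zu-byte allocation\n",
                r.count, r.first.c_str(), r.last.c_str(), r.singleAllocationBytes);
    std::printf("out-of-range access rejected: %d\n", outOfRangeIsRejected());
    return 0;
}
```

        Compared with a class that owns a Vector, this layout removes the separate buffer allocation and its capacity slack, which is where the memory savings reported in the two entries come from; the trade-off is that the element count is fixed at creation, which both entries note is fine because the lists never change afterwards.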
1944
1945 2013-01-27  Zoltan Arvai  <zarvai@inf.u-szeged.hu>
1946
1947         Fixing atomicIncrement implementation for Windows by dropping support before XP SP2.
1948         https://bugs.webkit.org/show_bug.cgi?id=106740
1949
1950         Reviewed by Benjamin Poulain.
1951
1952         * config.h:
1953
1954 2013-01-25  Filip Pizlo  <fpizlo@apple.com>
1955
1956         DFG variable event stream shouldn't use NodeIndex
1957         https://bugs.webkit.org/show_bug.cgi?id=107996
1958
1959         Reviewed by Oliver Hunt.
1960         
1961         Introduce the notion of a DFG::MinifiedID, which is just a unique ID of a DFG Node.
1962         Internally it currently uses a NodeIndex, but we could change this without having
1963         to recode all of the users of MinifiedID. This effectively decouples the OSR exit
1964         compiler's way of identifying nodes from the speculative JIT's way of identifying
1965         nodes, and should make it easier to make changes to the speculative JIT's internals
1966         in the future.
1967         
1968         Also changed variable event stream logging to exclude information about births and
1969         deaths of constants, since the OSR exit compiler never cares about which register
1970         holds a constant; if a value is constant then the OSR exit compiler can reify it.
1971         
1972         Also changed the variable event stream's value recovery computation to use a
1973         HashMap keyed by MinifiedID rather than a Vector indexed by NodeIndex.
1974         
1975         This appears to be performance-neutral. It's primarily meant as a small step
1976         towards https://bugs.webkit.org/show_bug.cgi?id=106868.
1977
1978         * GNUmakefile.list.am:
1979         * JavaScriptCore.xcodeproj/project.pbxproj:
1980         * dfg/DFGGenerationInfo.h:
1981         (JSC::DFG::GenerationInfo::GenerationInfo):
1982         (JSC::DFG::GenerationInfo::initConstant):
1983         (JSC::DFG::GenerationInfo::initInteger):
1984         (JSC::DFG::GenerationInfo::initJSValue):
1985         (JSC::DFG::GenerationInfo::initCell):
1986         (JSC::DFG::GenerationInfo::initBoolean):
1987         (JSC::DFG::GenerationInfo::initDouble):
1988         (JSC::DFG::GenerationInfo::initStorage):
1989         (JSC::DFG::GenerationInfo::noticeOSRBirth):
1990         (JSC::DFG::GenerationInfo::use):
1991         (JSC::DFG::GenerationInfo::appendFill):
1992         (JSC::DFG::GenerationInfo::appendSpill):
1993         (GenerationInfo):
1994         * dfg/DFGJITCompiler.cpp:
1995         (JSC::DFG::JITCompiler::link):
1996         * dfg/DFGMinifiedGraph.h:
1997         (JSC::DFG::MinifiedGraph::at):
1998         (MinifiedGraph):
1999         * dfg/DFGMinifiedID.h: Added.
2000         (DFG):
2001         (MinifiedID):
2002         (JSC::DFG::MinifiedID::MinifiedID):
2003         (JSC::DFG::MinifiedID::operator!):
2004         (JSC::DFG::MinifiedID::nodeIndex):
2005         (JSC::DFG::MinifiedID::operator==):
2006         (JSC::DFG::MinifiedID::operator!=):
2007         (JSC::DFG::MinifiedID::operator<):
2008         (JSC::DFG::MinifiedID::operator>):
2009         (JSC::DFG::MinifiedID::operator<=):
2010         (JSC::DFG::MinifiedID::operator>=):
2011         (JSC::DFG::MinifiedID::hash):
2012         (JSC::DFG::MinifiedID::dump):
2013         (JSC::DFG::MinifiedID::isHashTableDeletedValue):
2014         (JSC::DFG::MinifiedID::invalidID):
2015         (JSC::DFG::MinifiedID::otherInvalidID):
2016         (JSC::DFG::MinifiedID::fromBits):
2017         (JSC::DFG::MinifiedIDHash::hash):
2018         (JSC::DFG::MinifiedIDHash::equal):
2019         (MinifiedIDHash):
2020         (WTF):
2021         * dfg/DFGMinifiedNode.cpp:
2022         (JSC::DFG::MinifiedNode::fromNode):
2023         * dfg/DFGMinifiedNode.h:
2024         (JSC::DFG::MinifiedNode::id):
2025         (JSC::DFG::MinifiedNode::child1):
2026         (JSC::DFG::MinifiedNode::getID):
2027         (JSC::DFG::MinifiedNode::compareByNodeIndex):
2028         (MinifiedNode):
2029         * dfg/DFGSpeculativeJIT.cpp:
2030         (JSC::DFG::SpeculativeJIT::compileMovHint):
2031         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
2032         * dfg/DFGSpeculativeJIT.h:
2033         (JSC::DFG::SpeculativeJIT::setNodeIndexForOperand):
2034         * dfg/DFGValueSource.cpp:
2035         (JSC::DFG::ValueSource::dump):
2036         * dfg/DFGValueSource.h:
2037         (JSC::DFG::ValueSource::ValueSource):
2038         (JSC::DFG::ValueSource::isSet):
2039         (JSC::DFG::ValueSource::kind):
2040         (JSC::DFG::ValueSource::id):
2041         (ValueSource):
2042         (JSC::DFG::ValueSource::idFromKind):
2043         (JSC::DFG::ValueSource::kindFromID):
2044         * dfg/DFGVariableEvent.cpp:
2045         (JSC::DFG::VariableEvent::dump):
2046         (JSC::DFG::VariableEvent::dumpFillInfo):
2047         (JSC::DFG::VariableEvent::dumpSpillInfo):
2048         * dfg/DFGVariableEvent.h:
2049         (JSC::DFG::VariableEvent::fillGPR):
2050         (JSC::DFG::VariableEvent::fillPair):
2051         (JSC::DFG::VariableEvent::fillFPR):
2052         (JSC::DFG::VariableEvent::spill):
2053         (JSC::DFG::VariableEvent::death):
2054         (JSC::DFG::VariableEvent::movHint):
2055         (JSC::DFG::VariableEvent::id):
2056         (VariableEvent):
2057         * dfg/DFGVariableEventStream.cpp:
2058         (DFG):
2059         (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
2060         (JSC::DFG::VariableEventStream::reconstruct):
2061         * dfg/DFGVariableEventStream.h:
2062         (VariableEventStream):
2063
2064 2013-01-25  Roger Fong  <roger_fong@apple.com>
2065
2066         Unreviewed. Rename LLInt projects folder and make appropriate changes to solutions.
2067
2068         * JavaScriptCore.vcxproj/JavaScriptCore.sln:
2069         * JavaScriptCore.vcxproj/LLInt: Copied from JavaScriptCore.vcxproj/LLInt.vcproj.
2070         * JavaScriptCore.vcxproj/LLInt.vcproj: Removed.
2071         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly: Removed.
2072         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.make: Removed.
2073         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj: Removed.
2074         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj.user: Removed.
2075         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/build-LLIntAssembly.sh: Removed.
2076         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets: Removed.
2077         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.make: Removed.
2078         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: Removed.
2079         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj.user: Removed.
2080         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Removed.
2081         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor: Removed.
2082         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj: Removed.
2083         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj.user: Removed.
2084         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: Removed.
2085         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props: Removed.
2086         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.props: Removed.
2087
2088 2013-01-24  Roger Fong  <roger_fong@apple.com>
2089
2090         VS2010 JavascriptCore: Clean up property sheets, add a JSC solution, add testRegExp and testAPI projects.
2091         https://bugs.webkit.org/show_bug.cgi?id=106987
2092
2093         Reviewed by Brent Fulgham.
2094
2095         * JavaScriptCore.vcxproj/JavaScriptCore.sln: Added.
2096         * JavaScriptCore.vcxproj/JavaScriptCoreCF.props:
2097         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
2098         * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd:
2099         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
2100         * JavaScriptCore.vcxproj/jsc/jscCommon.props:
2101         * JavaScriptCore.vcxproj/jsc/jscDebug.props:
2102         * JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd:
2103         * JavaScriptCore.vcxproj/jsc/jscPreLink.cmd:
2104         * JavaScriptCore.vcxproj/testRegExp: Added.
2105         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Added.
2106         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj.filters: Added.
2107         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj.user: Added.
2108         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props: Added.
2109         * JavaScriptCore.vcxproj/testRegExp/testRegExpDebug.props: Added.
2110         * JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd: Added.
2111         * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd: Added.
2112         * JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd: Added.
2113         * JavaScriptCore.vcxproj/testRegExp/testRegExpRelease.props: Added.
2114         * JavaScriptCore.vcxproj/testapi: Added.
2115         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Added.
2116         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters: Added.
2117         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.user: Added.
2118         * JavaScriptCore.vcxproj/testapi/testapiCommon.props: Added.
2119         * JavaScriptCore.vcxproj/testapi/testapiDebug.props: Added.
2120         * JavaScriptCore.vcxproj/testapi/testapiPostBuild.cmd: Added.
2121         * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd: Added.
2122         * JavaScriptCore.vcxproj/testapi/testapiPreLink.cmd: Added.
2123         * JavaScriptCore.vcxproj/testapi/testapiRelease.props: Added.
2124
2125 2013-01-24  Roger Fong  <roger_fong@apple.com>
2126
2127         Unreviewed. Windows build fix.
2128
2129         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
2130
2131 2013-01-24  Filip Pizlo  <fpizlo@apple.com>
2132
2133         DFG::JITCompiler::getSpeculation() methods are badly named and superfluous
2134         https://bugs.webkit.org/show_bug.cgi?id=107860
2135
2136         Reviewed by Mark Hahnenberg.
2137
2138         * dfg/DFGJITCompiler.h:
2139         (JITCompiler):
2140         * dfg/DFGSpeculativeJIT64.cpp:
2141         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2142         (JSC::DFG::SpeculativeJIT::emitBranch):
2143
2144 2013-01-24  Mark Hahnenberg  <mhahnenberg@apple.com>
2145
2146         Objective-C API: Rename JSValue.h/APIJSValue.h to JSCJSValue.h/JSValue.h
2147         https://bugs.webkit.org/show_bug.cgi?id=107327
2148
2149         Reviewed by Filip Pizlo.
2150
2151         We're renaming these two files, so we have to replace the names everywhere.
2152
2153         * API/APICast.h:
2154         * API/APIJSValue.h: Removed.
2155         * API/JSBlockAdaptor.mm:
2156         * API/JSStringRefCF.cpp:
2157         * API/JSValue.h: Copied from Source/JavaScriptCore/API/APIJSValue.h.
2158         * API/JSValue.mm:
2159         * API/JSValueInternal.h:
2160         * API/JSValueRef.cpp:
2161         * API/JSWeakObjectMapRefPrivate.cpp:
2162         * API/JavaScriptCore.h:
2163         * CMakeLists.txt:
2164         * GNUmakefile.list.am:
2165         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2166         * JavaScriptCore.xcodeproj/project.pbxproj:
2167         * Target.pri:
2168         * bytecode/CallLinkStatus.h:
2169         * bytecode/CodeBlock.cpp:
2170         * bytecode/MethodOfGettingAValueProfile.h:
2171         * bytecode/ResolveGlobalStatus.cpp:
2172         * bytecode/ResolveGlobalStatus.h:
2173         * bytecode/SpeculatedType.h:
2174         * bytecode/ValueRecovery.h:
2175         * dfg/DFGByteCodeParser.cpp:
2176         * dfg/DFGJITCompiler.cpp:
2177         * dfg/DFGNode.h:
2178         * dfg/DFGSpeculativeJIT.cpp:
2179         * dfg/DFGSpeculativeJIT64.cpp:
2180         * heap/CopiedBlock.h:
2181         * heap/HandleStack.cpp:
2182         * heap/HandleTypes.h:
2183         * heap/WeakImpl.h:
2184         * interpreter/Interpreter.h:
2185         * interpreter/Register.h:
2186         * interpreter/VMInspector.h:
2187         * jit/HostCallReturnValue.cpp:
2188         * jit/HostCallReturnValue.h:
2189         * jit/JITCode.h:
2190         * jit/JITExceptions.cpp:
2191         * jit/JITExceptions.h:
2192         * jit/JSInterfaceJIT.h:
2193         * llint/LLIntCLoop.h:
2194         * llint/LLIntData.h:
2195         * llint/LLIntSlowPaths.cpp:
2196         * profiler/ProfilerBytecode.h:
2197         * profiler/ProfilerBytecodeSequence.h:
2198         * profiler/ProfilerBytecodes.h:
2199         * profiler/ProfilerCompilation.h:
2200         * profiler/ProfilerCompiledBytecode.h:
2201         * profiler/ProfilerDatabase.h:
2202         * profiler/ProfilerOSRExit.h:
2203         * profiler/ProfilerOSRExitSite.h:
2204         * profiler/ProfilerOrigin.h:
2205         * profiler/ProfilerOriginStack.h:
2206         * runtime/ArgList.cpp:
2207         * runtime/CachedTranscendentalFunction.h:
2208         * runtime/CallData.h:
2209         * runtime/Completion.h:
2210         * runtime/ConstructData.h:
2211         * runtime/DateConstructor.cpp:
2212         * runtime/DateInstance.cpp:
2213         * runtime/DatePrototype.cpp:
2214         * runtime/JSAPIValueWrapper.h:
2215         * runtime/JSCJSValue.cpp: Copied from Source/JavaScriptCore/runtime/JSValue.cpp.
2216         * runtime/JSCJSValue.h: Copied from Source/JavaScriptCore/runtime/JSValue.h.
2217         (JSValue):
2218         * runtime/JSCJSValueInlines.h: Copied from Source/JavaScriptCore/runtime/JSValueInlines.h.
2219         * runtime/JSGlobalData.h:
2220         * runtime/JSGlobalObject.cpp:
2221         * runtime/JSGlobalObjectFunctions.h:
2222         * runtime/JSStringJoiner.h:
2223         * runtime/JSValue.cpp: Removed.
2224         * runtime/JSValue.h: Removed.
2225         * runtime/JSValueInlines.h: Removed.
2226         * runtime/LiteralParser.h:
2227         * runtime/Operations.h:
2228         * runtime/PropertyDescriptor.h:
2229         * runtime/PropertySlot.h:
2230         * runtime/Protect.h:
2231         * runtime/RegExpPrototype.cpp:
2232         * runtime/Structure.h:
2233
2234 2013-01-23  Oliver Hunt  <oliver@apple.com>
2235
2236         Harden JSC a bit with RELEASE_ASSERT
2237         https://bugs.webkit.org/show_bug.cgi?id=107766
2238
2239         Reviewed by Mark Hahnenberg.
2240
2241         Went through and replaced a pile of ASSERTs that were covering
2242         significantly important details (bounds checks, etc) where
2243         having the checks did not impact release performance in any
2244         measurable way.
2245
2246         * API/JSContextRef.cpp:
2247         (JSContextCreateBacktrace):
2248         * assembler/MacroAssembler.h:
2249         (JSC::MacroAssembler::branchAdd32):
2250         (JSC::MacroAssembler::branchMul32):
2251         * bytecode/CodeBlock.cpp:
2252         (JSC::CodeBlock::dumpBytecode):
2253         (JSC::CodeBlock::handlerForBytecodeOffset):
2254         (JSC::CodeBlock::lineNumberForBytecodeOffset):
2255         (JSC::CodeBlock::bytecodeOffset):
2256         * bytecode/CodeBlock.h:
2257         (JSC::CodeBlock::bytecodeOffsetForCallAtIndex):
2258         (JSC::CodeBlock::bytecodeOffset):
2259         (JSC::CodeBlock::exceptionHandler):
2260         (JSC::CodeBlock::codeOrigin):
2261         (JSC::CodeBlock::immediateSwitchJumpTable):
2262         (JSC::CodeBlock::characterSwitchJumpTable):
2263         (JSC::CodeBlock::stringSwitchJumpTable):
2264         (JSC::CodeBlock::setIdentifiers):
2265         (JSC::baselineCodeBlockForInlineCallFrame):
2266         (JSC::ExecState::uncheckedR):
2267         * bytecode/CodeOrigin.cpp:
2268         (JSC::CodeOrigin::inlineStack):
2269         * bytecode/CodeOrigin.h:
2270         (JSC::CodeOrigin::CodeOrigin):
2271         * dfg/DFGCSEPhase.cpp:
2272         * dfg/DFGOSRExit.cpp:
2273         * dfg/DFGScratchRegisterAllocator.h:
2274         (JSC::DFG::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
2275         (JSC::DFG::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
2276         * dfg/DFGSpeculativeJIT.h:
2277         (JSC::DFG::SpeculativeJIT::allocate):
2278         (JSC::DFG::SpeculativeJIT::spill):
2279         (JSC::DFG::SpeculativeJIT::integerResult):
2280         * dfg/DFGSpeculativeJIT64.cpp:
2281         (JSC::DFG::SpeculativeJIT::fillInteger):
2282         (JSC::DFG::SpeculativeJIT::fillDouble):
2283         (JSC::DFG::SpeculativeJIT::fillJSValue):
2284         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
2285         (JSC::DFG::SpeculativeJIT::emitCall):
2286         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
2287         (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
2288         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2289         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2290         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2291         (JSC::DFG::SpeculativeJIT::compile):
2292         * dfg/DFGValueSource.h:
2293         (JSC::DFG::dataFormatToValueSourceKind):
2294         (JSC::DFG::ValueSource::ValueSource):
2295         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
2296         * heap/BlockAllocator.cpp:
2297         (JSC::BlockAllocator::BlockAllocator):
2298         (JSC::BlockAllocator::releaseFreeRegions):
2299         (JSC::BlockAllocator::blockFreeingThreadMain):
2300         * heap/Heap.cpp:
2301         (JSC::Heap::lastChanceToFinalize):
2302         (JSC::Heap::collect):
2303         * interpreter/Interpreter.cpp:
2304         (JSC::Interpreter::throwException):
2305         (JSC::Interpreter::execute):
2306         * jit/GCAwareJITStubRoutine.cpp:
2307         (JSC::GCAwareJITStubRoutine::observeZeroRefCount):
2308         * jit/JIT.cpp:
2309         (JSC::JIT::privateCompileMainPass):
2310         (JSC::JIT::privateCompileSlowCases):
2311         * jit/JITExceptions.cpp:
2312         (JSC::genericThrow):
2313         * jit/JITInlines.h:
2314         (JSC::JIT::emitLoad):
2315         * jit/JITOpcodes.cpp:
2316         (JSC::JIT::emit_op_end):
2317         (JSC::JIT::emit_resolve_operations):
2318         * jit/JITStubRoutine.cpp:
2319         (JSC::JITStubRoutine::observeZeroRefCount):
2320         * jit/JITStubs.cpp:
2321         (JSC::returnToThrowTrampoline):
2322         * runtime/Arguments.cpp:
2323         (JSC::Arguments::getOwnPropertySlot):
2324         (JSC::Arguments::getOwnPropertyDescriptor):
2325         (JSC::Arguments::deleteProperty):
2326         (JSC::Arguments::defineOwnProperty):
2327         (JSC::Arguments::didTearOffActivation):
2328         * runtime/ArrayPrototype.cpp:
2329         (JSC::shift):
2330         (JSC::unshift):
2331         (JSC::arrayProtoFuncLastIndexOf):
2332         * runtime/ButterflyInlines.h:
2333         (JSC::Butterfly::growPropertyStorage):
2334         * runtime/CodeCache.cpp:
2335         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2336         * runtime/CodeCache.h:
2337         (JSC::CacheMap::add):
2338         * runtime/Completion.cpp:
2339         (JSC::checkSyntax):
2340         (JSC::evaluate):
2341         * runtime/Executable.cpp:
2342         (JSC::FunctionExecutable::FunctionExecutable):
2343         (JSC::EvalExecutable::unlinkCalls):
2344         (JSC::ProgramExecutable::compileOptimized):
2345         (JSC::ProgramExecutable::unlinkCalls):
2346         (JSC::ProgramExecutable::initializeGlobalProperties):
2347         (JSC::FunctionExecutable::baselineCodeBlockFor):
2348         (JSC::FunctionExecutable::compileOptimizedForCall):
2349         (JSC::FunctionExecutable::compileOptimizedForConstruct):
2350         (JSC::FunctionExecutable::compileForCallInternal):
2351         (JSC::FunctionExecutable::compileForConstructInternal):
2352         (JSC::FunctionExecutable::unlinkCalls):
2353         (JSC::NativeExecutable::hashFor):
2354         * runtime/Executable.h:
2355         (JSC::EvalExecutable::compile):
2356         (JSC::ProgramExecutable::compile):
2357         (JSC::FunctionExecutable::compileForCall):
2358         (JSC::FunctionExecutable::compileForConstruct):
2359         * runtime/IndexingHeader.h:
2360         (JSC::IndexingHeader::setVectorLength):
2361         * runtime/JSArray.cpp:
2362         (JSC::JSArray::pop):
2363         (JSC::JSArray::shiftCountWithArrayStorage):
2364         (JSC::JSArray::shiftCountWithAnyIndexingType):
2365         (JSC::JSArray::unshiftCountWithArrayStorage):
2366         * runtime/JSGlobalObjectFunctions.cpp:
2367         (JSC::jsStrDecimalLiteral):
2368         * runtime/JSObject.cpp:
2369         (JSC::JSObject::copyButterfly):
2370         (JSC::JSObject::defineOwnIndexedProperty):
2371         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2372         * runtime/JSString.cpp:
2373         (JSC::JSRopeString::getIndexSlowCase):
2374         * yarr/YarrInterpreter.cpp:
2375         (JSC::Yarr::Interpreter::popParenthesesDisjunctionContext):
2376
2377 2013-01-23  Filip Pizlo  <fpizlo@apple.com>
2378
2379         Constant folding an access to an uncaptured variable that is captured later in the same basic block shouldn't lead to assertion failures
2380         https://bugs.webkit.org/show_bug.cgi?id=107750
2381         <rdar://problem/12387265>
2382
2383         Reviewed by Mark Hahnenberg.
2384         
2385         The point of this assertion was that if there is no variable capturing going on, then there should only be one GetLocal
2386         for the variable anywhere in the basic block. But if there is some capturing, then we'll have an unbounded number of
2387         GetLocals. The assertion was too imprecise for the latter case. I want to keep this assertion, so I introduced a
2388         checker that verifies this precisely: if there are any captured accesses to the variable anywhere at or after the
2389         GetLocal we are eliminating, then we allow redundant GetLocals.
2390
2391         * dfg/DFGConstantFoldingPhase.cpp:
2392         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2393         (ConstantFoldingPhase):
2394         (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
2395
2396 2013-01-23  Oliver Hunt  <oliver@apple.com>
2397
2398         Replace ASSERT_NOT_REACHED with RELEASE_ASSERT_NOT_REACHED in JSC
2399         https://bugs.webkit.org/show_bug.cgi?id=107736
2400
2401         Reviewed by Mark Hahnenberg.
2402
2403         Mechanical change with no performance impact.
2404
2405         * API/JSBlockAdaptor.mm:
2406         (BlockArgumentTypeDelegate::typeVoid):
2407         * API/JSCallbackObjectFunctions.h:
2408         (JSC::::construct):
2409         (JSC::::call):
2410         * API/JSScriptRef.cpp:
2411         * API/ObjCCallbackFunction.mm:
2412         (ArgumentTypeDelegate::typeVoid):
2413         * assembler/ARMv7Assembler.h:
2414         (JSC::ARMv7Assembler::link):
2415         (JSC::ARMv7Assembler::replaceWithLoad):
2416         (JSC::ARMv7Assembler::replaceWithAddressComputation):
2417         * assembler/MacroAssembler.h:
2418         (JSC::MacroAssembler::invert):
2419         * assembler/MacroAssemblerARM.h:
2420         (JSC::MacroAssemblerARM::countLeadingZeros32):
2421         (JSC::MacroAssemblerARM::divDouble):
2422         * assembler/MacroAssemblerMIPS.h:
2423         (JSC::MacroAssemblerMIPS::absDouble):
2424         (JSC::MacroAssemblerMIPS::replaceWithJump):
2425         (JSC::MacroAssemblerMIPS::maxJumpReplacementSize):
2426         * assembler/MacroAssemblerSH4.h:
2427         (JSC::MacroAssemblerSH4::absDouble):
2428         (JSC::MacroAssemblerSH4::replaceWithJump):
2429         (JSC::MacroAssemblerSH4::maxJumpReplacementSize):
2430         * assembler/SH4Assembler.h:
2431         (JSC::SH4Assembler::shllImm8r):
2432         (JSC::SH4Assembler::shlrImm8r):
2433         (JSC::SH4Assembler::cmplRegReg):
2434         (JSC::SH4Assembler::branch):
2435         * assembler/X86Assembler.h:
2436         (JSC::X86Assembler::replaceWithLoad):
2437         (JSC::X86Assembler::replaceWithAddressComputation):
2438         * bytecode/CallLinkInfo.cpp:
2439         (JSC::CallLinkInfo::unlink):
2440         * bytecode/CodeBlock.cpp:
2441         (JSC::debugHookName):
2442         (JSC::CodeBlock::printGetByIdOp):
2443         (JSC::CodeBlock::printGetByIdCacheStatus):
2444         (JSC::CodeBlock::visitAggregate):
2445         (JSC::CodeBlock::finalizeUnconditionally):
2446         (JSC::CodeBlock::usesOpcode):
2447         * bytecode/DataFormat.h:
2448         (JSC::needDataFormatConversion):
2449         * bytecode/ExitKind.cpp:
2450         (JSC::exitKindToString):
2451         (JSC::exitKindIsCountable):
2452         * bytecode/MethodOfGettingAValueProfile.cpp:
2453         (JSC::MethodOfGettingAValueProfile::getSpecFailBucket):
2454         * bytecode/Opcode.h:
2455         (JSC::opcodeLength):
2456         * bytecode/PolymorphicPutByIdList.cpp:
2457         (JSC::PutByIdAccess::fromStructureStubInfo):
2458         (JSC::PutByIdAccess::visitWeak):
2459         * bytecode/StructureStubInfo.cpp:
2460         (JSC::StructureStubInfo::deref):
2461         * bytecompiler/BytecodeGenerator.cpp:
2462         (JSC::ResolveResult::checkValidity):
2463         (JSC::BytecodeGenerator::emitGetLocalVar):
2464         (JSC::BytecodeGenerator::beginSwitch):
2465         * bytecompiler/NodesCodegen.cpp:
2466         (JSC::BinaryOpNode::emitBytecode):
2467         (JSC::emitReadModifyAssignment):
2468         * dfg/DFGAbstractState.cpp:
2469         (JSC::DFG::AbstractState::execute):
2470         (JSC::DFG::AbstractState::mergeStateAtTail):
2471         (JSC::DFG::AbstractState::mergeToSuccessors):
2472         * dfg/DFGByteCodeParser.cpp:
2473         (JSC::DFG::ByteCodeParser::makeSafe):
2474         (JSC::DFG::ByteCodeParser::parseBlock):
2475         * dfg/DFGCFGSimplificationPhase.cpp:
2476         (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
2477         (JSC::DFG::CFGSimplificationPhase::fixTailOperand):
2478         * dfg/DFGCSEPhase.cpp:
2479         (JSC::DFG::CSEPhase::setLocalStoreElimination):
2480         * dfg/DFGCapabilities.cpp:
2481         (JSC::DFG::canHandleOpcodes):
2482         * dfg/DFGCommon.h:
2483         (JSC::DFG::useKindToString):
2484         * dfg/DFGDoubleFormatState.h:
2485         (JSC::DFG::mergeDoubleFormatStates):
2486         (JSC::DFG::doubleFormatStateToString):
2487         * dfg/DFGFixupPhase.cpp:
2488         (JSC::DFG::FixupPhase::blessArrayOperation):
2489         * dfg/DFGGraph.h:
2490         (JSC::DFG::Graph::clobbersWorld):
2491         * dfg/DFGNode.h:
2492         (JSC::DFG::Node::valueOfJSConstant):
2493         (JSC::DFG::Node::successor):
2494         * dfg/DFGNodeFlags.cpp:
2495         (JSC::DFG::nodeFlagsAsString):
2496         * dfg/DFGNodeType.h:
2497         (JSC::DFG::defaultFlags):
2498         * dfg/DFGRepatch.h:
2499         (JSC::DFG::dfgResetGetByID):
2500         (JSC::DFG::dfgResetPutByID):
2501         * dfg/DFGSlowPathGenerator.h:
2502         (JSC::DFG::SlowPathGenerator::call):
2503         * dfg/DFGSpeculativeJIT.cpp:
2504         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
2505         (JSC::DFG::SpeculativeJIT::silentSpill):
2506         (JSC::DFG::SpeculativeJIT::silentFill):
2507         (JSC::DFG::SpeculativeJIT::checkArray):
2508         (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
2509         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2510         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2511         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
2512         * dfg/DFGSpeculativeJIT.h:
2513         (JSC::DFG::SpeculativeJIT::bitOp):
2514         (JSC::DFG::SpeculativeJIT::shiftOp):
2515         (JSC::DFG::SpeculativeJIT::integerResult):
2516         * dfg/DFGSpeculativeJIT32_64.cpp:
2517         (JSC::DFG::SpeculativeJIT::fillInteger):
2518         (JSC::DFG::SpeculativeJIT::fillDouble):
2519         (JSC::DFG::SpeculativeJIT::fillJSValue):
2520         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
2521         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2522         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2523         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2524         (JSC::DFG::SpeculativeJIT::compile):
2525         * dfg/DFGSpeculativeJIT64.cpp:
2526         (JSC::DFG::SpeculativeJIT::fillInteger):
2527         (JSC::DFG::SpeculativeJIT::fillDouble):
2528         (JSC::DFG::SpeculativeJIT::fillJSValue):
2529         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
2530         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2531         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2532         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2533         (JSC::DFG::SpeculativeJIT::compile):
2534         * dfg/DFGStructureCheckHoistingPhase.cpp:
2535         (JSC::DFG::StructureCheckHoistingPhase::run):
2536         * dfg/DFGValueSource.h:
2537         (JSC::DFG::ValueSource::valueRecovery):
2538         * dfg/DFGVariableEvent.cpp:
2539         (JSC::DFG::VariableEvent::dump):
2540         * dfg/DFGVariableEventStream.cpp:
2541         (JSC::DFG::VariableEventStream::reconstruct):
2542         * heap/BlockAllocator.h:
2543         (JSC::BlockAllocator::regionSetFor):
2544         * heap/GCThread.cpp:
2545         (JSC::GCThread::gcThreadMain):
2546         * heap/MarkedBlock.cpp:
2547         (JSC::MarkedBlock::sweepHelper):
2548         * heap/MarkedBlock.h:
2549         (JSC::MarkedBlock::isLive):
2550         * interpreter/CallFrame.h:
2551         (JSC::ExecState::inlineCallFrame):
2552         * interpreter/Interpreter.cpp:
2553         (JSC::getCallerInfo):
2554         (JSC::getStackFrameCodeType):
2555         (JSC::Interpreter::execute):
2556         * jit/ExecutableAllocatorFixedVMPool.cpp:
2557         (JSC::FixedVMPoolExecutableAllocator::notifyPageIsFree):
2558         * jit/JIT.cpp:
2559         (JSC::JIT::privateCompileMainPass):
2560         (JSC::JIT::privateCompileSlowCases):
2561         (JSC::JIT::privateCompile):
2562         * jit/JITArithmetic.cpp:
2563         (JSC::JIT::emitSlow_op_mod):
2564         * jit/JITArithmetic32_64.cpp:
2565         (JSC::JIT::emitBinaryDoubleOp):
2566         (JSC::JIT::emitSlow_op_mod):
2567         * jit/JITPropertyAccess.cpp:
2568         (JSC::JIT::isDirectPutById):
2569         * jit/JITStubs.cpp:
2570         (JSC::getPolymorphicAccessStructureListSlot):
2571         (JSC::DEFINE_STUB_FUNCTION):
2572         * llint/LLIntSlowPaths.cpp:
2573         (JSC::LLInt::jitCompileAndSetHeuristics):
2574         * parser/Lexer.cpp:
2575         (JSC::::lex):
2576         * parser/Nodes.h:
2577         (JSC::ExpressionNode::emitBytecodeInConditionContext):
2578         * parser/Parser.h:
2579         (JSC::Parser::getTokenName):
2580         (JSC::Parser::updateErrorMessageSpecialCase):
2581         * parser/SyntaxChecker.h:
2582         (JSC::SyntaxChecker::operatorStackPop):
2583         * runtime/Arguments.cpp:
2584         (JSC::Arguments::tearOffForInlineCallFrame):
2585         * runtime/DatePrototype.cpp:
2586         (JSC::formatLocaleDate):
2587         * runtime/Executable.cpp:
2588         (JSC::samplingDescription):
2589         * runtime/Executable.h:
2590         (JSC::ScriptExecutable::unlinkCalls):
2591         * runtime/Identifier.cpp:
2592         (JSC):
2593         * runtime/InternalFunction.cpp:
2594         (JSC::InternalFunction::getCallData):
2595         * runtime/JSArray.cpp:
2596         (JSC::JSArray::push):
2597         (JSC::JSArray::sort):
2598         * runtime/JSCell.cpp:
2599         (JSC::JSCell::defaultValue):
2600         (JSC::JSCell::getOwnPropertyNames):
2601         (JSC::JSCell::getOwnNonIndexPropertyNames):
2602         (JSC::JSCell::className):
2603         (JSC::JSCell::getPropertyNames):
2604         (JSC::JSCell::customHasInstance):
2605         (JSC::JSCell::putDirectVirtual):
2606         (JSC::JSCell::defineOwnProperty):
2607         (JSC::JSCell::getOwnPropertyDescriptor):
2608         * runtime/JSCell.h:
2609         (JSCell):
2610         * runtime/JSNameScope.cpp:
2611         (JSC::JSNameScope::put):
2612         * runtime/JSObject.cpp:
2613         (JSC::JSObject::getOwnPropertySlotByIndex):
2614         (JSC::JSObject::putByIndex):
2615         (JSC::JSObject::ensureArrayStorageSlow):
2616         (JSC::JSObject::deletePropertyByIndex):
2617         (JSC::JSObject::getOwnPropertyNames):
2618         (JSC::JSObject::putByIndexBeyondVectorLength):
2619         (JSC::JSObject::putDirectIndexBeyondVectorLength):
2620         (JSC::JSObject::getOwnPropertyDescriptor):
2621         * runtime/JSObject.h:
2622         (JSC::JSObject::canGetIndexQuickly):
2623         (JSC::JSObject::getIndexQuickly):
2624         (JSC::JSObject::tryGetIndexQuickly):
2625         (JSC::JSObject::canSetIndexQuickly):
2626         (JSC::JSObject::canSetIndexQuicklyForPutDirect):
2627         (JSC::JSObject::setIndexQuickly):
2628         (JSC::JSObject::initializeIndex):
2629         (JSC::JSObject::hasSparseMap):
2630         (JSC::JSObject::inSparseIndexingMode):
2631         * runtime/JSScope.cpp:
2632         (JSC::JSScope::isDynamicScope):
2633         * runtime/JSSymbolTableObject.cpp:
2634         (JSC::JSSymbolTableObject::putDirectVirtual):
2635         * runtime/JSSymbolTableObject.h:
2636         (JSSymbolTableObject):
2637         * runtime/LiteralParser.cpp:
2638         (JSC::::parse):
2639         * runtime/RegExp.cpp:
2640         (JSC::RegExp::compile):
2641         (JSC::RegExp::compileMatchOnly):
2642         * runtime/StructureTransitionTable.h:
2643         (JSC::newIndexingType):
2644         * tools/CodeProfile.cpp:
2645         (JSC::CodeProfile::sample):
2646         * yarr/YarrCanonicalizeUCS2.h:
2647         (JSC::Yarr::getCanonicalPair):
2648         (JSC::Yarr::areCanonicallyEquivalent):
2649         * yarr/YarrInterpreter.cpp:
2650         (JSC::Yarr::Interpreter::matchCharacterClass):
2651         (JSC::Yarr::Interpreter::matchBackReference):
2652         (JSC::Yarr::Interpreter::backtrackParenthesesTerminalEnd):
2653         (JSC::Yarr::Interpreter::matchParentheses):
2654         (JSC::Yarr::Interpreter::backtrackParentheses):
2655         (JSC::Yarr::Interpreter::matchDisjunction):
2656         * yarr/YarrJIT.cpp:
2657         (JSC::Yarr::YarrGenerator::generateTerm):
2658         (JSC::Yarr::YarrGenerator::backtrackTerm):
2659         * yarr/YarrParser.h:
2660         (JSC::Yarr::Parser::CharacterClassParserDelegate::assertionWordBoundary):
2661         (JSC::Yarr::Parser::CharacterClassParserDelegate::atomBackReference):
2662         * yarr/YarrPattern.cpp:
2663         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassBuiltIn):
2664
2665 2013-01-23  Tony Chang  <tony@chromium.org>
2666
2667         Unreviewed, set svn:eol-style to CRLF on Windows .sln files.
2668
2669         * JavaScriptCore.vcproj/JavaScriptCore.sln: Modified property svn:eol-style.
2670         * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln: Modified property svn:eol-style.
2671
2672 2013-01-23  Oliver Hunt  <oliver@apple.com>
2673
2674         Replace numerous manual CRASH's in JSC with RELEASE_ASSERT
2675         https://bugs.webkit.org/show_bug.cgi?id=107726
2676
2677         Reviewed by Filip Pizlo.
2678
2679         Fairly manual change from if (foo) CRASH(); to RELEASE_ASSERT(!foo);
2680
2681         * assembler/MacroAssembler.h:
2682         (JSC::MacroAssembler::branchAdd32):
2683         (JSC::MacroAssembler::branchMul32):
2684         * bytecode/CodeBlockHash.cpp:
2685         (JSC::CodeBlockHash::CodeBlockHash):
2686         * heap/BlockAllocator.h:
2687         (JSC::Region::create):
2688         (JSC::Region::createCustomSize):
2689         * heap/GCAssertions.h:
2690         * heap/HandleSet.cpp:
2691         (JSC::HandleSet::visitStrongHandles):
2692         (JSC::HandleSet::writeBarrier):
2693         * heap/HandleSet.h:
2694         (JSC::HandleSet::allocate):
2695         * heap/Heap.cpp:
2696         (JSC::Heap::collect):
2697         * heap/SlotVisitor.cpp:
2698         (JSC::SlotVisitor::validate):
2699         * interpreter/Interpreter.cpp:
2700         (JSC::Interpreter::execute):
2701         * jit/ExecutableAllocator.cpp:
2702         (JSC::DemandExecutableAllocator::allocateNewSpace):
2703         (JSC::ExecutableAllocator::allocate):
2704         * jit/ExecutableAllocator.h:
2705         (JSC::roundUpAllocationSize):
2706         * jit/ExecutableAllocatorFixedVMPool.cpp:
2707         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
2708         (JSC::ExecutableAllocator::allocate):
2709         * runtime/ButterflyInlines.h:
2710         (JSC::Butterfly::createUninitialized):
2711         * runtime/Completion.cpp:
2712         (JSC::evaluate):
2713         * runtime/JSArray.h:
2714         (JSC::constructArray):
2715         * runtime/JSGlobalObject.cpp:
2716         (JSC::slowValidateCell):
2717         * runtime/JSObject.cpp:
2718         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
2719         (JSC::JSObject::createArrayStorage):
2720         * tools/TieredMMapArray.h:
2721         (JSC::TieredMMapArray::append):
2722         * yarr/YarrInterpreter.cpp:
2723         (JSC::Yarr::Interpreter::allocDisjunctionContext):
2724         (JSC::Yarr::Interpreter::allocParenthesesDisjunctionContext):
2725         (JSC::Yarr::Interpreter::InputStream::readChecked):
2726         (JSC::Yarr::Interpreter::InputStream::uncheckInput):
2727         (JSC::Yarr::Interpreter::InputStream::atEnd):
2728         (JSC::Yarr::Interpreter::interpret):
2729
2730 2013-01-22  Filip Pizlo  <fpizlo@apple.com>
2731
2732         Convert CSE phase to not rely too much on NodeIndex
2733         https://bugs.webkit.org/show_bug.cgi?id=107616
2734
2735         Reviewed by Geoffrey Garen.
2736         
2737         - Instead of looping over the graph (which assumes that you can simply loop over all
2738           nodes without considering blocks first) to reset node.replacement, do that in the
2739           loop that sets up relevantToOSR, just before running CSE on the block.
2740         
2741         - Instead of having a relevantToOSR bitvector indexed by NodeIndex, made
2742           NodeRelevantToOSR be a NodeFlag. We had exactly one bit left in NodeFlags, so I did
2743           some reshuffling to fit it in.
2744
2745         * dfg/DFGCSEPhase.cpp:
2746         (JSC::DFG::CSEPhase::CSEPhase):
2747         (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
2748         (JSC::DFG::CSEPhase::performNodeCSE):
2749         (JSC::DFG::CSEPhase::performBlockCSE):
2750         (CSEPhase):
2751         * dfg/DFGNodeFlags.h:
2752         (DFG):
2753         * dfg/DFGNodeType.h:
2754         (DFG):
2755
2756 2013-01-21  Kentaro Hara  <haraken@chromium.org>
2757
2758         Implement UIEvent constructor
2759         https://bugs.webkit.org/show_bug.cgi?id=107430
2760
2761         Reviewed by Adam Barth.
2762
2763         Editor's draft: https://dvcs.w3.org/hg/d4e/raw-file/tip/source_respec.htm
2764
2765         UIEvent constructor is implemented under a DOM4_EVENTS_CONSTRUCTOR flag,
2766         which is enabled on Safari and Chromium for now.
2767
2768         * Configurations/FeatureDefines.xcconfig:
2769
2770 2013-01-22  Roger Fong  <roger_fong@apple.com>
2771
2772         Unreviewed VS2010 build fix following r140259.
2773
2774         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2775         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2776
2777 2013-01-22  Roger Fong  <roger_fong@apple.com>
2778
2779         JavaScriptCore property sheets, project files and modified build scripts.
2780         https://bugs.webkit.org/show_bug.cgi?id=106987
2781
2782         Reviewed by Brent Fulgham.
2783
2784         * JavaScriptCore.vcxproj: Added.
2785         * JavaScriptCore.vcxproj/JavaScriptCore.resources: Added.
2786         * JavaScriptCore.vcxproj/JavaScriptCore.resources/Info.plist: Added.
2787         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added.
2788         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Added.
2789         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.user: Added.
2790         * JavaScriptCore.vcxproj/JavaScriptCoreCF.props: Added.
2791         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Added.
2792         * JavaScriptCore.vcxproj/JavaScriptCoreDebug.props: Added.
2793         * JavaScriptCore.vcxproj/JavaScriptCoreExports.def: Added.
2794         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make: Added.
2795         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Added.
2796         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.filters: Added.
2797         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.user: Added.
2798         * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedCommon.props: Added.
2799         * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedDebug.props: Added.
2800         * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedRelease.props: Added.
2801         * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: Added.
2802         * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd: Added.
2803         * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd: Added.
2804         * JavaScriptCore.vcxproj/JavaScriptCoreRelease.props: Added.
2805         * JavaScriptCore.vcxproj/LLInt.vcproj: Added.
2806         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly: Added.
2807         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.make: Added.
2808         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj: Added.
2809         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj.user: Added.
2810         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/build-LLIntAssembly.sh: Added.
2811         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets: Added.
2812         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.make: Added.
2813         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: Added.
2814         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj.user: Added.
2815         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Added.
2816         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor: Added.
2817         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj: Added.
2818         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj.user: Added.
2819         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: Added.
2820         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props: Added.
2821         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.props: Added.
2822         * JavaScriptCore.vcxproj/build-generated-files.sh: Added.
2823         * JavaScriptCore.vcxproj/copy-files.cmd: Added.
2824         * JavaScriptCore.vcxproj/jsc: Added.
2825         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Added.
2826         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj.filters: Added.
2827         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj.user: Added.
2828         * JavaScriptCore.vcxproj/jsc/jscCommon.props: Added.
2829         * JavaScriptCore.vcxproj/jsc/jscDebug.props: Added.
2830         * JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd: Added.
2831         * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd: Added.
2832         * JavaScriptCore.vcxproj/jsc/jscPreLink.cmd: Added.
2833         * JavaScriptCore.vcxproj/jsc/jscRelease.props: Added.
2834         * config.h:
2835
2836 2013-01-22  Joseph Pecoraro  <pecoraro@apple.com>
2837
2838         [Mac] Enable Page Visibility (PAGE_VISIBILITY_API)
2839         https://bugs.webkit.org/show_bug.cgi?id=107230
2840
2841         Reviewed by David Kilzer.
2842
2843         * Configurations/FeatureDefines.xcconfig:
2844
2845 2013-01-22  Tobias Netzel  <tobias.netzel@googlemail.com>
2846
2847         Yarr JIT isn't big endian compatible
2848         https://bugs.webkit.org/show_bug.cgi?id=102897
2849
2850         Reviewed by Oliver Hunt.
2851
2852         This patch was tested in the current mozilla codebase only and has passed the regexp tests there.
2853
2854         * yarr/YarrJIT.cpp:
2855         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
2856
2857 2013-01-22  David Kilzer  <ddkilzer@apple.com>
2858
2859         Fix DateMath.cpp to compile with -Wshorten-64-to-32
2860         <http://webkit.org/b/107503>
2861
2862         Reviewed by Darin Adler.
2863
2864         * runtime/JSDateMath.cpp:
2865         (JSC::parseDateFromNullTerminatedCharacters): Remove unneeded
2866         static_cast<int>().
2867
2868 2013-01-22  Tim Horton  <timothy_horton@apple.com>
2869
2870         PDFPlugin: Build PDFPlugin everywhere, enable at runtime
2871         https://bugs.webkit.org/show_bug.cgi?id=107117
2872
2873         Reviewed by Alexey Proskuryakov.
2874
2875         Since PDFLayerController SPI is all forward-declared, the plugin should build
2876         on all Mac platforms, and can be enabled at runtime.
2877
2878         * Configurations/FeatureDefines.xcconfig:
2879
2880 2013-01-21  Justin Schuh  <jschuh@chromium.org>
2881
2882         [CHROMIUM] Suppress c4267 build warnings for Win64 targets
2883         https://bugs.webkit.org/show_bug.cgi?id=107499
2884
2885         Reviewed by Abhishek Arya.
2886
2887         * JavaScriptCore.gyp/JavaScriptCore.gyp:
2888
2889 2013-01-21  Dirk Schulze  <dschulze@adobe.com>
2890
2891         Add build flag for Canvas's Path object (disabled by default)
2892         https://bugs.webkit.org/show_bug.cgi?id=107473
2893
2894         Reviewed by Dean Jackson.
2895
2896         Add CANVAS_PATH build flag to build systems.
2897
2898         * Configurations/FeatureDefines.xcconfig:
2899
2900 2013-01-20  Geoffrey Garen  <ggaren@apple.com>
2901
2902         Weak GC maps should be easier to use
2903         https://bugs.webkit.org/show_bug.cgi?id=107312
2904
2905         Reviewed by Sam Weinig.
2906
2907         Follow-up fix.
2908
2909         * runtime/PrototypeMap.cpp:
2910         (JSC::PrototypeMap::emptyObjectStructureForPrototype): Restored this
2911         ASSERT, which was disabled because of a bug in WeakGCMap.
2912
2913         * runtime/WeakGCMap.h:
2914         (JSC::WeakGCMap::add): We can't pass our passed-in value to add() because
2915         a PassWeak() clears itself when passed to another function. So, we pass
2916         nullptr instead, and fix things up afterwards.
2917
2918 2013-01-20  Geoffrey Garen  <ggaren@apple.com>
2919
2920         Unreviewed.
2921
2922         Temporarily disabling this ASSERT to get the bots green
2923         while I investigate a fix.
2924
2925         * runtime/PrototypeMap.cpp:
2926         (JSC::PrototypeMap::emptyObjectStructureForPrototype):
2927
2928 2013-01-20  Filip Pizlo  <fpizlo@apple.com>
2929
2930         Inserting a node into the DFG graph should not require five lines of code
2931         https://bugs.webkit.org/show_bug.cgi?id=107381
2932
2933         Reviewed by Sam Weinig.
2934         
2935         This adds fairly comprehensive support for inserting a node into a DFG graph in one
2936         method call. A common example of this is:
2937         
2938         m_insertionSet.insertNode(indexInBlock, DontRefChildren, DontRefNode, SpecNone, ForceOSRExit, codeOrigin);
2939         
2940         The arguments to insert() specify what reference counting you need to have happen
2941         (RefChildren => recursively refs all children, RefNode => non-recursively refs the node
2942         that was created), the prediction to set (SpecNone is a common default), followed by
2943         the arguments to the Node() constructor. InsertionSet::insertNode() and similar methods
2944         (Graph::addNode() and BasicBlock::appendNode()) all use a common variadic template
2945         function macro from DFGVariadicFunction.h. Also, all of these methods will automatically
2946         non-recursively ref() the node being created if the flags say NodeMustGenerate.
2947         
2948         In all, this new mechanism retains the flexibility of the old approach (you get to
2949         manage ref counts yourself, albeit in less code) while ensuring that most code that adds
2950         nodes to the graph now needs less code to do it.
2951         
2952         In the future, we should revisit the reference counting methodology in the DFG: we could
2953         do like most compilers and get rid of it entirely, or we could make it automatic. This
2954         patch doesn't attempt to make any such major changes, and only seeks to simplify the
2955         technique we were already using (manual ref counting).
2956
2957         * GNUmakefile.list.am:
2958         * JavaScriptCore.xcodeproj/project.pbxproj:
2959         * bytecode/Operands.h:
2960         (JSC::dumpOperands):
2961         * dfg/DFGAdjacencyList.h:
2962         (AdjacencyList):
2963         (JSC::DFG::AdjacencyList::kind):
2964         * dfg/DFGArgumentsSimplificationPhase.cpp:
2965         (JSC::DFG::ArgumentsSimplificationPhase::run):
2966         * dfg/DFGBasicBlock.h:
2967         (DFG):
2968         (BasicBlock):
2969         * dfg/DFGBasicBlockInlines.h: Added.
2970         (DFG):
2971         * dfg/DFGCFGSimplificationPhase.cpp:
2972         (JSC::DFG::CFGSimplificationPhase::run):
2973         (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
2974         * dfg/DFGCommon.h:
2975         * dfg/DFGConstantFoldingPhase.cpp:
2976         (JSC::DFG::ConstantFoldingPhase::ConstantFoldingPhase):
2977         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2978         (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
2979         (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
2980         (ConstantFoldingPhase):
2981         * dfg/DFGFixupPhase.cpp:
2982         (JSC::DFG::FixupPhase::FixupPhase):
2983         (JSC::DFG::FixupPhase::fixupBlock):
2984         (JSC::DFG::FixupPhase::fixupNode):
2985         (FixupPhase):
2986         (JSC::DFG::FixupPhase::checkArray):
2987         (JSC::DFG::FixupPhase::blessArrayOperation):
2988         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
2989         * dfg/DFGGraph.h:
2990         (JSC::DFG::Graph::ref):
2991         (Graph):
2992         * dfg/DFGInsertionSet.h:
2993         (DFG):
2994         (JSC::DFG::Insertion::Insertion):
2995         (JSC::DFG::Insertion::element):
2996         (Insertion):
2997         (JSC::DFG::InsertionSet::InsertionSet):
2998         (JSC::DFG::InsertionSet::insert):
2999         (InsertionSet):
3000         (JSC::DFG::InsertionSet::execute):
3001         * dfg/DFGNode.h:
3002         (JSC::DFG::Node::Node):
3003         (Node):
3004         * dfg/DFGStructureCheckHoistingPhase.cpp:
3005         (JSC::DFG::StructureCheckHoistingPhase::run):
3006         * dfg/DFGVariadicFunction.h: Added.
3007
3008 2013-01-19  Geoffrey Garen  <ggaren@apple.com>
3009
3010         Track inheritance structures in a side table, instead of using a private
3011         name in each prototype
3012         https://bugs.webkit.org/show_bug.cgi?id=107378
3013
3014         Reviewed by Sam Weinig and Phil Pizlo.
3015
3016         This is a step toward object size inference.
3017
3018         Using a side table frees us to use a more complex key (a pair of
3019         prototype and expected inline capacity).
3020
3021         It also avoids ruining inline caches for prototypes. (Adding a new private
3022         name for a new inline capacity would change the prototype's structure,
3023         possibly firing watchpoints, making inline caches go polymorphic, and
3024         generally causing us to have a bad time.)
3025
3026         * CMakeLists.txt:
3027         * GNUmakefile.list.am:
3028         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
3029         * JavaScriptCore.xcodeproj/project.pbxproj:
3030         * Target.pri: Buildage.
3031
3032         * runtime/ArrayPrototype.cpp:
3033         (JSC::ArrayPrototype::finishCreation): Updated to use new side table API.
3034
3035         * runtime/JSFunction.cpp:
3036         (JSC::JSFunction::cacheInheritorID): Updated to use new side table API.
3037
3038         (JSC::JSFunction::visitChildren): Fixed a long-standing bug where JSFunction
3039         forgot to visit one of its data members (m_cachedInheritorID). This
3040         wasn't a user-visible problem before because JSFunction would always
3041         visit its .prototype property, which visited its m_cachedInheritorID.
3042         But now, function.prototype only weakly owns function.m_cachedInheritorID.
3043
3044         * runtime/JSGlobalData.h:
3045         (JSGlobalData): Added the map, taking care to make sure that its
3046         destructor would run after the heap destructor.
3047
3048         * runtime/JSGlobalObject.cpp:
3049         (JSC::JSGlobalObject::reset): Updated to use new side table API.
3050
3051         * runtime/JSObject.cpp:
3052         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
3053         (JSC::JSObject::setPrototype):
3054         * runtime/JSObject.h:
3055         (JSObject): Updated to use new side table API, and removed lots of code
3056         that used to manage the per-object private name.
3057
3058         * runtime/JSProxy.cpp:
3059         (JSC::JSProxy::setTarget):
3060         * runtime/ObjectConstructor.cpp:
3061         (JSC::objectConstructorCreate):
3062         * runtime/ObjectPrototype.cpp:
3063         (JSC::ObjectPrototype::finishCreation): Updated to use new side table API.
3064
3065         * runtime/PrototypeMap.cpp: Added.
3066         (JSC):
3067         (JSC::PrototypeMap::addPrototype):
3068         (JSC::PrototypeMap::emptyObjectStructureForPrototype):
3069         * runtime/PrototypeMap.h: Added.
3070         (PrototypeMap):
3071         (JSC::PrototypeMap::isPrototype):
3072         (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype): New side table.
3073         This is a simple weak map, mapping an object to the structure you should
3074         use when inheriting from that object. (In future, inline capacity will
3075         be a part of the mapping.)
3076
3077         I used two maps to preserve existing behavior that allowed us to speculate
3078         about an object becoming a prototype, even if it wasn't one at the moment.
3079         However, I suspect that behavior can be removed without harm.
3080
3081         * runtime/WeakGCMap.h:
3082         (JSC::WeakGCMap::contains):
3083         (WeakGCMap): I would rate myself a 6 / 10 in C++.
3084
3085 2013-01-18  Dan Bernstein  <mitz@apple.com>
3086
3087         Removed duplicate references to two headers in the project files.
3088
3089         Rubber-stamped by Mark Rowe.
3090
3091         * JavaScriptCore.xcodeproj/project.pbxproj:
3092
3093 2013-01-18  Michael Saboff  <msaboff@apple.com>
3094
3095         Unreviewed build fix for building JSC with DFG_ENABLE_DEBUG_PROPAGATION_VERBOSE enabled in DFGCommon.h.
3096         Fixes the case where the argument node in fixupNode is freed due to the Vector storage being reallocated.
3097
3098         * dfg/DFGFixupPhase.cpp:
3099         (JSC::DFG::FixupPhase::fixupNode):
3100
3101 2013-01-18  Michael Saboff  <msaboff@apple.com>
3102
3103         Unreviewed build fix for release builds when DFG_ENABLE_DEBUG_PROPAGATION_VERBOSE is set to 1 in DFGCommon.h.
3104
3105         * dfg/DFGCFAPhase.cpp: Added #include "Operations.h"
3106
3107 2013-01-18  Michael Saboff  <msaboff@apple.com>
3108
3109         Change set r140201 broke editing/selection/move-by-word-visually-multi-line.html
3110         https://bugs.webkit.org/show_bug.cgi?id=107340
3111
3112         Reviewed by Filip Pizlo.
3113
3114         Due to the change landed in r140201, more nodes might end up
3115         generating Int32ToDouble nodes.  Therefore, changed the JSVALUE64
3116         constant path of compileInt32ToDouble() to use the more
3117         restrictive isInt32Constant() check on the input.  This check was
3118         the same as the existing ASSERT() so the ASSERT was eliminated.
3119
3120         * dfg/DFGSpeculativeJIT.cpp:
3121         (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
3122
3123 2013-01-18  Viatcheslav Ostapenko  <sl.ostapenko@samsung.com>
3124
3125         Weak GC maps should be easier to use
3126         https://bugs.webkit.org/show_bug.cgi?id=107312
3127
3128         Reviewed by Ryosuke Niwa.
3129
3130         Build fix for linux platforms after r140194.
3131
3132         * runtime/WeakGCMap.h:
3133         (WeakGCMap):
3134
3135 2013-01-18  Michael Saboff  <msaboff@apple.com>
3136
3137         Harden ArithDiv of integers fix-up by inserting Int32ToDouble node directly
3138         https://bugs.webkit.org/show_bug.cgi?id=107321
3139
3140         Reviewed by Filip Pizlo.
3141
3142         Split out the Int32ToDouble node insertion from fixDoubleEdge() and used it directly when we're fixing up
3143         an ArithDiv node with integer inputs and output for platforms that don't have integer division.
3144         Since we are checking that our inputs should be ints, we can just insert the Int32ToDouble node
3145         without any further checks.
3146
3147         * dfg/DFGFixupPhase.cpp:
3148         (JSC::DFG::FixupPhase::fixupNode):
3149         (JSC::DFG::FixupPhase::fixDoubleEdge):
3150         (FixupPhase):
3151         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
3152
3153 2013-01-18  Michael Saboff  <msaboff@apple.com>
3154
3155         Fix up of ArithDiv nodes for non-x86 CPUs is broken
3156         https://bugs.webkit.org/show_bug.cgi?id=107309
3157
3158         Reviewed by Filip Pizlo.
3159
3160         Changed the logic so that we insert an Int32ToDouble node when the existing edge is not SpecDouble.
3161
3162         * dfg/DFGFixupPhase.cpp:
3163         (JSC::DFG::FixupPhase::fixDoubleEdge):
3164
3165 2013-01-18  Dan Bernstein  <mitz@apple.com>
3166
3167         Tried to fix the build after r140194.
3168
3169         * API/JSWrapperMap.mm:
3170         (-[JSWrapperMap wrapperForObject:]):
3171
3172 2013-01-18  Mark Hahnenberg  <mhahnenberg@apple.com>
3173
3174         Objective-C API: Update documentation for JSValue and JSContext
3175         https://bugs.webkit.org/show_bug.cgi?id=107313
3176
3177         Reviewed by Geoffrey Garen.
3178
3179         After changing the semantics of object lifetime we need to update the API documentation to reflect the new semantics.
3180
3181         * API/APIJSValue.h:
3182         * API/JSContext.h:
3183
3184 2013-01-18  Balazs Kilvady  <kilvadyb@homejinni.com>
3185
3186         r134080 causes heap problem on linux systems where PAGESIZE != 4096
3187         https://bugs.webkit.org/show_bug.cgi?id=102828
3188
3189         Reviewed by Mark Hahnenberg.
3190
3191         Make MarkStackSegment::blockSize the capacity of segments of a MarkStackArray.
3192
3193         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
3194         * heap/MarkStack.cpp:
3195         (JSC):
3196         (JSC::MarkStackArray::MarkStackArray):
3197         (JSC::MarkStackArray::expand):
3198         (JSC::MarkStackArray::donateSomeCellsTo):
3199         (JSC::MarkStackArray::stealSomeCellsFrom):
3200         * heap/MarkStack.h:
3201         (JSC::MarkStackSegment::data):
3202         (CapacityFromSize):
3203         (MarkStackArray):
3204         * heap/MarkStackInlines.h:
3205         (JSC::MarkStackArray::setTopForFullSegment):
3206         (JSC::MarkStackArray::append):
3207         (JSC::MarkStackArray::isEmpty):
3208         (JSC::MarkStackArray::size):
3209         * runtime/Options.h:
3210         (JSC):
3211
3212 2013-01-18  Geoffrey Garen  <ggaren@apple.com>
3213
3214         Weak GC maps should be easier to use
3215         https://bugs.webkit.org/show_bug.cgi?id=107312
3216
3217         Reviewed by Sam Weinig.
3218
3219         This patch changes WeakGCMap to not use a WeakImpl finalizer to remove
3220         items from the map, and to instead have the map automatically remove
3221         stale items itself upon insertion. This has a few advantages:
3222
3223         (1) WeakGCMap is now compatible with all the specializations you would
3224         use for HashMap.
3225
3226         (2) There's no need for clients to write special finalization munging
3227         functions.
3228
3229         (3) Clients can specify custom value finalizers if they like.
3230
3231         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: Def!
3232
3233         * API/JSWeakObjectMapRefPrivate.cpp: Setter no longer requires a global
3234         data, since we've reduced interdependency.
3235
3236         * heap/Handle.h: No more need to forward declare, since we've reduced
3237         interdependency.
3238
3239         * heap/Weak.h:
3240         (Weak): Use explicit so we can assign directly to a weak map iterator
3241         without ambiguity between Weak<T> and PassWeak<T>.
3242
3243         * runtime/Structure.cpp:
3244         (JSC::StructureTransitionTable::add): See above.
3245
3246         * runtime/Structure.h:
3247         (JSC):
3248         * runtime/StructureTransitionTable.h:
3249         (StructureTransitionTable): Bad code goes away, programmer happy.
3250
3251         * runtime/WeakGCMap.h:
3252         (JSC):
3253         (WeakGCMap):
3254         (JSC::WeakGCMap::WeakGCMap):
3255         (JSC::WeakGCMap::set):
3256         (JSC::WeakGCMap::add):
3257         (JSC::WeakGCMap::find):
3258         (JSC::WeakGCMap::contains):
3259         (JSC::WeakGCMap::gcMap):
3260         (JSC::WeakGCMap::gcMapIfNeeded): Inherit from HashMap and override any
3261         function that might observe a Weak<T> that has died, just enough to
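        The design described in this entry (weak values, no per-entry finalizer, dead entries hidden by lookups and swept on insertion) as an added, stand-alone illustration. This is not WebKit code: it stands in std::weak_ptr for JSC's Weak<T>, a plain unordered_map for HashMap, and a hypothetical Structure struct for the GC cells a real WeakGCMap would hold; the sweep threshold policy is an assumption, not the one JSC uses.

```cpp
// Added illustration, not WebKit code: a weak-valued map in the style the
// ChangeLog entry describes. Values are held weakly (std::weak_ptr here,
// standing in for JSC's Weak<T>); nothing registers a finalizer to remove
// an entry. Instead, lookups treat expired entries as absent, and insertion
// sweeps expired entries before the table grows.
#include <cstddef>
#include <memory>
#include <string>
#include <unordered_map>

template <typename Key, typename T>
class WeakValueMap {
public:
    // Returns a strong reference if the key is present and its value is
    // still alive; otherwise an empty shared_ptr. Dead entries are invisible.
    std::shared_ptr<T> get(const Key& key) const
    {
        auto it = m_map.find(key);
        if (it == m_map.end())
            return nullptr;
        return it->second.lock(); // empty if the value has died
    }

    bool contains(const Key& key) const { return static_cast<bool>(get(key)); }

    // Insert or overwrite. Before the table would grow past the sweep
    // threshold, drop entries whose values have died, so the map never
    // accumulates stale slots (the role the removed finalizer used to play).
    void set(const Key& key, const std::shared_ptr<T>& value)
    {
        if (m_map.size() >= m_nextSweepThreshold)
            sweep();
        m_map[key] = value;
    }

    // Number of live entries (expired ones are not counted).
    std::size_t liveCount() const
    {
        std::size_t n = 0;
        for (const auto& kv : m_map)
            if (!kv.second.expired())
                ++n;
        return n;
    }

    // Raw slot count, including expired entries not yet swept.
    std::size_t slotCount() const { return m_map.size(); }

    // Remove every entry whose value has died.
    void sweep()
    {
        for (auto it = m_map.begin(); it != m_map.end();) {
            if (it->second.expired())
                it = m_map.erase(it);
            else
                ++it;
        }
        // Assumed policy: next sweep once the table has roughly doubled,
        // so sweeping cost is amortized over insertions.
        m_nextSweepThreshold = m_map.size() * 2 + kMinSweepThreshold;
    }

private:
    static constexpr std::size_t kMinSweepThreshold = 4;
    std::unordered_map<Key, std::weak_ptr<T>> m_map;
    std::size_t m_nextSweepThreshold = kMinSweepThreshold;
};

// Hypothetical value type standing in for a GC cell.
struct Structure {
    std::string name;
};

struct DemoResult {
    std::size_t slotsBeforeSweep; // raw slots while dead values linger
    std::size_t liveEntries;      // what a caller can actually observe
    bool deadVisible;             // whether a dead entry leaks through contains()
    std::size_t slotsAfterSet;    // slots after an insertion triggered a sweep
};

// Constructed scenario: one value kept alive by its owner, three values that
// die immediately after insertion, then one more insertion to trigger the sweep.
DemoResult runWeakMapDemo()
{
    WeakValueMap<int, Structure> map;
    std::shared_ptr<Structure> keepAlive = std::make_shared<Structure>(Structure{"kept"});
    map.set(0, keepAlive);
    for (int i = 1; i < 4; ++i)
        map.set(i, std::make_shared<Structure>(Structure{"temp"})); // temporary dies here
    DemoResult r;
    r.slotsBeforeSweep = map.slotCount(); // 4: dead values still occupy slots
    r.liveEntries = map.liveCount();      // 1: only key 0 is alive
    r.deadVisible = map.contains(1);      // false: dead entry is hidden
    map.set(4, keepAlive);                // size 4 reaches threshold: sweep, then insert
    r.slotsAfterSet = map.slotCount();    // 2: keys 0 and 4 remain
    return r;
}
```

        The point of the demo is the gap between slotCount() and liveCount(): a caller never sees a dead entry, even before the sweep runs, which is the "appear as if they are not in the table" behaviour the entry describes for find()/contains().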
3262         make such items appear as if they are not in the table.
3263
3264 2013-01-18  Michael Saboff  <msaboff@apple.com>
3265
3266         Refactor isPowerOf2() and add getLSBSet()
3267         https://bugs.webkit.org/show_bug.cgi?id=107306
3268
3269         Reviewed by Filip Pizlo.
3270
3271         Moved implementation of isPowerOf2() to new hasOneBitSet() in wtf/MathExtras.h.
3272
3273         * runtime/PropertyMapHashTable.h:
3274         (JSC::isPowerOf2):
3275
3276 2013-01-17  Mark Hahnenberg  <mhahnenberg@apple.com>
3277
3278         Objective-C API: Clean up JSValue.mm
3279         https://bugs.webkit.org/show_bug.cgi?id=107163
3280
3281         Reviewed by Darin Adler.
3282
3283         m_context is no longer weak, so there is now a lot of dead code in JSValue.mm, and a wasted message send 
3284         on every API call.  In the head of just about every method in JSValue.mm we're doing:
3285
3286         JSContext *context = [self context];
3287         if (!context)
3288             return nil;
3289
3290         This is getting a retained copy of the context, which is no longer necessary now that m_context is no longer weak.
3291         We can just delete all these lines from all functions doing this, and where they were referring to the local 
3292         variable 'context', instead we can just access m_context directly.
3293
3294         Since we're already going to be modifying most of JSValue.mm, we'll also do the following:
3295
3296         1) context @property is no longer weak – the context property is declared as:
3297
3298             @property(readonly, weak) JSContext *context;
3299
3300         This is really only informative (since we're not presently synthesizing the ivar), but it is now misleading. 
3301         We should change it to:
3302
3303             @property(readonly, retain) JSContext *context;
3304
3305         2) the JSContext ivar and accessor can be automatically generated.  Since we're no longer doing anything 
3306         special with m_context, we can just let the compiler handle the ivar for us.  We'll delete:
3307
3308             JSContext *m_context;
3309
3310         and:
3311
3312             - (JSContext *)context
3313             {
3314                 return m_context;
3315             }
3317
3318         and find&replace "m_context" to "_context" in JSValue.mm.
3319
3320         * API/APIJSValue.h:
3321         * API/JSValue.mm:
3322         (-[JSValue toObject]):
3323         (-[JSValue toBool]):
3324         (-[JSValue toDouble]):
3325         (-[JSValue toNumber]):
3326         (-[JSValue toString]):
3327         (-[JSValue toDate]):
3328         (-[JSValue toArray]):
3329         (-[JSValue toDictionary]):
3330         (-[JSValue valueForProperty:]):
3331         (-[JSValue setValue:forProperty:]):
3332         (-[JSValue deleteProperty:]):
3333         (-[JSValue hasProperty:]):
3334         (-[JSValue defineProperty:descriptor:]):
3335         (-[JSValue valueAtIndex:]):
3336         (-[JSValue setValue:atIndex:]):
3337         (-[JSValue isUndefined]):
3338         (-[JSValue isNull]):
3339         (-[JSValue isBoolean]):
3340         (-[JSValue isNumber]):
3341         (-[JSValue isString]):
3342         (-[JSValue isObject]):
3343         (-[JSValue isEqualToObject:]):
3344         (-[JSValue isEqualWithTypeCoercionToObject:]):
3345         (-[JSValue isInstanceOf:]):
3346         (-[JSValue callWithArguments:]):
3347         (-[JSValue constructWithArguments:]):
3348         (-[JSValue invokeMethod:withArguments:]):
3349         (-[JSValue objectForKeyedSubscript:]):
3350         (-[JSValue setObject:forKeyedSubscript:]):
3351         (-[JSValue initWithValue:inContext:]):
3352         (-[JSValue dealloc]):
3353         (-[JSValue description]):
3354
3355 2013-01-17  Mark Hahnenberg  <mhahnenberg@apple.com>
3356
3357         Objective-C API: Clean up JSValue
3358         https://bugs.webkit.org/show_bug.cgi?id=107156
3359
3360         Reviewed by Oliver Hunt.
3361
3362         JSContext m_protectCounts, protect, unprotect are all now unnecessary overhead, and should all be removed.  
3363         These exist to handle the context going away before the value does; the context needs to be able to unprotect 
3364         values early.  Since the value is now keeping the context alive there is no longer any danger of this happening; 
3365         instead we should just protect/unprotect the value in JSValue's init/dealloc methods.
3366
3367         * API/JSContext.mm:
3368         (-[JSContext dealloc]):
3369         * API/JSContextInternal.h:
3370         * API/JSValue.mm:
3371         (-[JSValue initWithValue:inContext:]):
3372         (-[JSValue dealloc]):
3373
3374 2013-01-17  Filip Pizlo  <fpizlo@apple.com>
3375
3376         DFG Node::ref() and Node::deref() should not return bool, and should have postfixRef variants
3377         https://bugs.webkit.org/show_bug.cgi?id=107147
3378
3379         Reviewed by Mark Hahnenberg.
3380         
3381         This small refactoring will enable a world where ref() returns Node*, which is useful for
3382         https://bugs.webkit.org/show_bug.cgi?id=106868.  Also, while this refactoring does lead to
3383         slightly less terse code, it's also slightly more self-explanatory.  I could never quite
3384         remember what the meaning of the bool return from ref() and deref() was.
3385
3386         * dfg/DFGGraph.cpp:
3387         (JSC::DFG::Graph::collectGarbage):
3388         * dfg/DFGGraph.h:
3389         (JSC::DFG::Graph::ref):
3390         (JSC::DFG::Graph::deref):
3391         * dfg/DFGNode.h:
3392         (JSC::DFG::Node::ref):
3393         (Node):
3394         (JSC::DFG::Node::postfixRef):
3395         (JSC::DFG::Node::deref):
3396         (JSC::DFG::Node::postfixDeref):
3397
3398 2013-01-17  Alexey Proskuryakov  <ap@apple.com>
3399
3400         Added svn:ignore=*.pyc, so that ud_opcode.pyc and ud_optable.pyc don't show up
3401         in svn stat.
3402
3403         * disassembler/udis86: Added property svn:ignore.
3404
3405 2013-01-16  Filip Pizlo  <fpizlo@apple.com>
3406
3407         DFG 32_64 backend doesn't check for hasArrayStorage() in NewArrayWithSize
3408         https://bugs.webkit.org/show_bug.cgi?id=107081
3409
3410         Reviewed by Michael Saboff.
3411
3412         This bug led to the 32_64 backend emitting contiguous allocation code to allocate
3413         ArrayStorage arrays. This then led to all manner of heap corruption, since
3414         subsequent array accesses would be accessing the contiguous array "as if" it was
3415         an arraystorage array.
3416
3417         * dfg/DFGSpeculativeJIT32_64.cpp:
3418         (JSC::DFG::SpeculativeJIT::compile):
3419
3420 2013-01-16  Jonathan Liu  <net147@gmail.com>
3421
3422         Add missing sys/mman.h include on Mac
3423         https://bugs.webkit.org/show_bug.cgi?id=98089
3424
3425         Reviewed by Darin Adler.
3426
3427         The madvise function and MADV_FREE constant require sys/mman.h.
3428
3429         * jit/ExecutableAllocatorFixedVMPool.cpp:
3430
3431 2013-01-15  Michael Saboff  <msaboff@apple.com>
3432
3433         DFG X86: division in the used-as-int case doesn't correctly check for -2^31/-1
3434         https://bugs.webkit.org/show_bug.cgi?id=106978
3435
3436         Reviewed by Filip Pizlo.
3437
3438         Changed the numerator equal to -2^31 check to just return if we expect an integer
3439         result, since the check is after we have determined that the denominator is -1.
3440         The int result of -2^31 / -1 is -2^31, so just return the numerator as the result.
3441
3442         * dfg/DFGSpeculativeJIT.cpp:
3443         (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):
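An added example (not JavaScriptCore code) modelling why the JIT must special-case the two operand pairs that make x86 IDIV fault before it emits the hardware divide: a zero denominator, and -2^31 / -1, whose ToInt32 result is the numerator itself, as the entry above states. The function names are constructed for the illustration.

```cpp
#include <cstdint>

// Division with JavaScript semantics, followed by ToInt32 of the result
// (the "used-as-int" case). Both inputs that make x86 IDIV raise #DE are
// handled before any hardware division happens.
int32_t jsDivAsInt32(int32_t numerator, int32_t denominator)
{
    // Case 1: denominator 0. JS yields +/-Infinity or NaN; ToInt32 maps all of those to 0.
    if (denominator == 0)
        return 0;

    // Case 2: -2^31 / -1. Mathematically 2^31, which does not fit in int32.
    // ToInt32(2^31) wraps modulo 2^32 to -2^31, i.e. the numerator itself.
    // On x86, IDIV traps on these operands instead of wrapping, and in C++
    // INT32_MIN / -1 is signed overflow (undefined behaviour), so we must
    // return early rather than divide.
    if (denominator == -1 && numerator == INT32_MIN)
        return numerator;

    // Everything else: both JS ToInt32 and C++ integer division truncate toward zero.
    return numerator / denominator;
}

// Variant for the path where the result must be an exact int32: returns false
// wherever a speculative JIT would have to bail out to the double path.
bool jsDivExactInt32(int32_t numerator, int32_t denominator, int32_t& result)
{
    if (denominator == 0)
        return false;                       // Infinity or NaN, not an int32
    if (denominator == -1 && numerator == INT32_MIN)
        return false;                       // 2^31 does not fit in int32
    if (numerator == 0 && denominator < 0)
        return false;                       // JS result is -0, which is not an int32
    if (numerator % denominator != 0)
        return false;                       // fractional result
    result = numerator / denominator;
    return true;
}
```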
3444
3445 2013-01-15  Levi Weintraub  <leviw@chromium.org>
3446
3447         Unreviewed, rolling out r139792.
3448         http://trac.webkit.org/changeset/139792
3449         https://bugs.webkit.org/show_bug.cgi?id=106970
3450
3451         Broke the windows build.
3452
3453         * bytecode/GlobalResolveInfo.h: Removed property svn:mergeinfo.
3454
3455 2013-01-15  Pratik Solanki  <psolanki@apple.com>
3456
3457         Use MADV_FREE_REUSABLE to return JIT memory to OS
3458         https://bugs.webkit.org/show_bug.cgi?id=106830
3459         <rdar://problem/11437701>
3460
3461         Reviewed by Geoffrey Garen.
3462
3463         Use MADV_FREE_REUSABLE to return JIT memory on OSes that have the underlying madvise bug
3464         fixed.
3465
3466         * jit/ExecutableAllocatorFixedVMPool.cpp:
3467         (JSC::FixedVMPoolExecutableAllocator::notifyPageIsFree):
3468
3469 2013-01-15  Levi Weintraub  <leviw@chromium.org>
3470
3471         Unreviewed, rolling out r139790.
3472         http://trac.webkit.org/changeset/139790
3473         https://bugs.webkit.org/show_bug.cgi?id=106948
3474
3475         The patch is failing its own test.
3476
3477         * bytecode/GlobalResolveInfo.h: Removed property svn:mergeinfo.
3478
3479 2013-01-15  Zan Dobersek  <zandobersek@gmail.com>
3480
3481         [Autotools] Unify JavaScriptCore sources list, regardless of target OS
3482         https://bugs.webkit.org/show_bug.cgi?id=106007
3483
3484         Reviewed by Gustavo Noronha Silva.
3485
3486         Include the Source/JavaScriptCore/jit/ExecutableAllocatorFixedVMPool.cpp target
3487         in the general sources list as it is guarded by the ENABLE_EXECUTABLE_ALLOCATOR_FIXED
3488         feature define. This define is only used on 64-bit architecture and indirectly depends
3489         on enabling either JIT or YARR JIT feature. Both of these defines are disabled on
3490         Windows OS when using 64-bit architecture so there's no need to add this target to
3491         sources only when the target OS is Windows.
3492
3493         * GNUmakefile.list.am:
3494
3495 2013-01-11  Filip Pizlo  <fpizlo@apple.com>
3496
3497         DFG should not forget that it had proved something to be a constant during a merge just because it's merging against the empty value
3498         https://bugs.webkit.org/show_bug.cgi?id=106727
3499
3500         Reviewed by Oliver Hunt.
3501         
3502         The problem was this statement:
3503         
3504         if (m_value != other.m_value)
3505             m_value = JSValue();
3506         
3507         This is well-intentioned, in the sense that if we want our abstract value (i.e. this) to become the superset of the other
3508         abstract value, and the two abstract values have proven different constants, then our abstract value should rescind its
3509         claim that it has been proven to be constant. But this misses the special case that if the other abstract value is
3510         completely clear (meaning that it wishes to contribute zero information and so the superset operation shouldn't change
3511         this), it will have a clear m_value. So, the code prior to this patch would rescind the constant proof even though it
3512         didn't have to.
3513         
3514         This comes up rarely and I don't believe it will be a performance win, but it is good to have the CFA be consistently
3515         precise as often as possible.
3516
3517         * dfg/DFGAbstractValue.h:
3518         (JSC::DFG::AbstractValue::merge):
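A constructed toy model (added here, not the real JSC::DFG::AbstractValue) of the merge bug the entry above describes: std::nullopt stands in for an empty JSValue(), and the same empty state is used both for "no constant proven" and for a cleared abstract value that contributes no information. The names ConstantProof, mergeBuggy and mergeFixed are assumptions for the illustration.

```cpp
#include <optional>

// Minimal model of the constant-proof part of an abstract value.
struct ConstantProof {
    std::optional<int> value; // proven constant, if any (nullopt = no proof)
    bool isClear;             // true while the value carries no information at all

    ConstantProof(std::optional<int> v, bool clear) : value(v), isClear(clear) {}

    static ConstantProof constant(int v) { return ConstantProof(v, false); }
    static ConstantProof unknown() { return ConstantProof(std::nullopt, false); }
    static ConstantProof clear() { return ConstantProof(std::nullopt, true); }

    bool isConstant() const { return value.has_value(); }

    // Pre-patch behaviour: any disagreement drops the proof, including a
    // disagreement with an empty (clear) other value whose nullopt is just
    // "nothing to contribute". The proof is rescinded needlessly.
    void mergeBuggy(const ConstantProof& other)
    {
        if (value != other.value)
            value = std::nullopt;
        isClear = false;
    }

    // Corrected behaviour: a clear other value is a no-op for the superset
    // operation; a clear self simply adopts the other; otherwise two
    // genuinely different constants correctly rescind the proof.
    void mergeFixed(const ConstantProof& other)
    {
        if (other.isClear)
            return;
        if (isClear) {
            value = other.value;
            isClear = false;
            return;
        }
        if (value != other.value)
            value = std::nullopt;
    }
};
```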
3519
3520 2013-01-11  Filip Pizlo  <fpizlo@apple.com>
3521
3522         Python implementation reports "MemoryError" instead of doing things
3523         https://bugs.webkit.org/show_bug.cgi?id=106690
3524
3525         Reviewed by Oliver Hunt.
3526         
3527         The bug was that the CFA was assuming that a variable is dead at the end of a basic block and hence doesn't need to
3528         be merged to the next block if the last mention of the variable was dead. This is almost correct, except that it
3529         doesn't work if the last mention is a GetLocal - the GetLocal itself may be dead, but that doesn't mean that the
3530         variable is dead - it may still be live. The appropriate thing to do is to look at the GetLocal's Phi. If the
3531         variable is used in the next block then the next block will have a reference to the last mention in our block unless
3532         that last mention is a GetLocal, in which case it will link to the Phi. Doing it this way captures everything that
3533         the CFA wants: if the last use is a live GetLocal then the CFA needs to consider the GetLocal itself for possible
3534         refinements to the proof of the value in the variable, but if the GetLocal is dead, then this must mean that the
3535         variable is not mentioned in the block but may still be "passed through" it, which is what the Phi will tell us.
3536         Note that it is not possible for the GetLocal to refer to anything other than a Phi, and it is also not possible
3537         for the last mention of a variable to be a dead GetLocal while there are other mentions that aren't dead - if
3538         there had been SetLocals or GetLocals prior to the dead one then the dead one wouldn't have been emitted by the
3539         parser.
3540         
3541         This also fixes a similar bug in the handling of captured variables. If a variable is captured, then it doesn't
3542         matter if the last mention is dead, or not. Either way, we already know that a captured variable will be live in
3543         the next block, so we must merge it no matter what.
3544         
3545         Finally, this change makes the output of Operands dumping a bit more verbose: it now prints the variable name next
3546         to each variable's dump. I've often found the lack of this information confusing particularly for operand dumps
3547         that involve a lot of variables.
3548
3549         * bytecode/Operands.h:
3550         (JSC::dumpOperands):
3551         * dfg/DFGAbstractState.cpp:
3552         (JSC::DFG::AbstractState::mergeStateAtTail):
3553
3554 2013-01-14  Roger Fong  <roger_fong@apple.com>
3555
3556         Unreviewed. Fix vcproj file. Missing file tag after http://trac.webkit.org/changeset/139541.
3557
3558         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
3559
3560 2013-01-13  Filip Pizlo  <fpizlo@apple.com>
3561
3562         DFG phases that store per-node information should store it in Node itself rather than using a secondary vector
3563         https://bugs.webkit.org/show_bug.cgi?id=106753
3564
3565         Reviewed by Geoffrey Garen.
3566
3567         * dfg/DFGAbstractState.cpp:
3568         (JSC::DFG::AbstractState::AbstractState):
3569         (JSC::DFG::AbstractState::beginBasicBlock):
3570         (JSC::DFG::AbstractState::dump):
3571         * dfg/DFGAbstractState.h:
3572         (JSC::DFG::AbstractState::forNode):
3573         (AbstractState):
3574         * dfg/DFGCFGSimplificationPhase.cpp:
3575         * dfg/DFGCSEPhase.cpp:
3576         (JSC::DFG::CSEPhase::CSEPhase):
3577         (JSC::DFG::CSEPhase::performSubstitution):
3578         (JSC::DFG::CSEPhase::setReplacement):
3579         (CSEPhase):
3580         * dfg/DFGNode.h:
3581         (Node):
3582
3583 2013-01-12  Tim Horton  <timothy_horton@apple.com>
3584
3585         Unreviewed build fix.
3586
3587         * API/JSBlockAdaptor.mm:
3588         * API/JSContext.mm:
3589         * API/JSValue.mm:
3590
3591 2013-01-12  Csaba Osztrogonác  <ossy@webkit.org>
3592
3593         Unreviewed 64 bit buildfix after r139496.
3594
3595         * dfg/DFGOperations.cpp:
3596
3597 2013-01-11  Filip Pizlo  <fpizlo@apple.com>
3598
3599         Unreviewed, speculative build fix.
3600
3601         * API/JSWrapperMap.mm:
3602
3603 2013-01-10  Filip Pizlo  <fpizlo@apple.com>
3604
3605         JITThunks should not compile only because of luck
3606         https://bugs.webkit.org/show_bug.cgi?id=105696
3607
3608         Rubber stamped by Sam Weinig and Geoffrey Garen.
3609         
3610         This patch was supposed to just move JITThunks into its own file. But then I
3611         realized that there is a horrible circular dependency chain between JSCell,
3612         JSGlobalData, CallFrame, and Weak, which only works because of magical include
3613         order in JITStubs.h, and the fact that JSGlobalData.h includes JITStubs.h
3614         before it includes JSCell or JSValue.
3615         
3616         I first tried to just get JITThunks.h to just magically do the same pointless
3617         includes that JITStubs.h had, but then I decided to actually fix the underlying
3618         problem, which was that JSCell needed CallFrame, CallFrame needed JSGlobalData,
3619         JSGlobalData needed JITThunks, JITThunks needed Weak, and Weak needed JSCell.
3620         Now, all of JSCell's outgoing dependencies are placed in JSCellInlines.h. This
3621         also gave me an opportunity to move JSValue inline methods from JSCell.h into
3622         JSValueInlines.h. But to make this really work, I needed to remove includes of
3623         *Inlines.h from other headers (CodeBlock.h for example included JSValueInlines.h,
3624         which defeats the whole entire purpose of having an Inlines.h file), and I needed
3625         to add includes of *Inlines.h into a bunch of .cpp files. I did this mostly by
3626         having .cpp files include Operations.h. In future, if you're adding a .cpp file
3627         to JSC, you'll almost certainly have to include Operations.h unless you enjoy
3628         link errors.
3629
3630         * API/JSBase.cpp:
3631         * API/JSCallbackConstructor.cpp:
3632         * API/JSCallbackFunction.cpp:
3633         * API/JSCallbackObject.cpp:
3634         * API/JSClassRef.cpp:
3635         * API/JSContextRef.cpp:
3636         * API/JSObjectRef.cpp:
3637         * API/JSScriptRef.cpp:
3638         * API/JSWeakObjectMapRefPrivate.cpp:
3639         * JSCTypedArrayStubs.h:
3640         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
3641         * JavaScriptCore.xcodeproj/project.pbxproj:
3642         * bytecode/ArrayAllocationProfile.cpp:
3643         * bytecode/CodeBlock.cpp:
3644         * bytecode/GetByIdStatus.cpp:
3645         * bytecode/LazyOperandValueProfile.cpp:
3646         * bytecode/ResolveGlobalStatus.cpp:
3647         * bytecode/SpeculatedType.cpp:
3648         * bytecode/UnlinkedCodeBlock.cpp:
3649         * bytecompiler/BytecodeGenerator.cpp:
3650         * debugger/Debugger.cpp:
3651         * debugger/DebuggerActivation.cpp:
3652         * debugger/DebuggerCallFrame.cpp:
3653         * dfg/DFGArgumentsSimplificationPhase.cpp:
3654         * dfg/DFGArrayMode.cpp:
3655         * dfg/DFGByteCodeParser.cpp:
3656         * dfg/DFGConstantFoldingPhase.cpp:
3657         * dfg/DFGDriver.cpp:
3658         * dfg/DFGFixupPhase.cpp:
3659         * dfg/DFGGraph.cpp:
3660         * dfg/DFGJITCompiler.cpp:
3661         * dfg/DFGOSREntry.cpp:
3662         * dfg/DFGOSRExitCompiler.cpp:
3663         * dfg/DFGOSRExitCompiler32_64.cpp:
3664         * dfg/DFGOSRExitCompiler64.cpp:
3665         * dfg/DFGPredictionPropagationPhase.cpp:
3666         * dfg/DFGSpeculativeJIT.cpp:
3667         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
3668         (DFG):
3669         (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
3670         (JSC::DFG::SpeculativeJIT::silentSpill):
3671         (JSC::DFG::SpeculativeJIT::silentFill):
3672         * dfg/DFGSpeculativeJIT.h:
3673         (SpeculativeJIT):
3674         * dfg/DFGSpeculativeJIT32_64.cpp:
3675         * dfg/DFGSpeculativeJIT64.cpp:
3676         * dfg/DFGStructureCheckHoistingPhase.cpp:
3677         * dfg/DFGVariableEventStream.cpp:
3678         * heap/CopiedBlock.h:
3679         * heap/CopiedSpace.cpp:
3680         * heap/HandleSet.cpp:
3681         * heap/Heap.cpp:
3682         * heap/HeapStatistics.cpp:
3683         * heap/SlotVisitor.cpp:
3684         * heap/WeakBlock.cpp:
3685         * interpreter/CallFrame.cpp:
3686         * interpreter/CallFrame.h:
3687         * jit/ClosureCallStubRoutine.cpp:
3688         * jit/GCAwareJITStubRoutine.cpp:
3689         * jit/JIT.cpp:
3690         * jit/JITArithmetic.cpp:
3691         * jit/JITArithmetic32_64.cpp:
3692         * jit/JITCall.cpp:
3693         * jit/JITCall32_64.cpp:
3694         * jit/JITCode.h:
3695         * jit/JITExceptions.cpp:
3696         * jit/JITStubs.h:
3697         * jit/JITThunks.h:
3698         * jsc.cpp:
3699         * llint/LLIntExceptions.cpp:
3700         * profiler/LegacyProfiler.cpp:
3701         * profiler/ProfileGenerator.cpp:
3702         * profiler/ProfilerBytecode.cpp:
3703         * profiler/ProfilerBytecodeSequence.cpp:
3704         * profiler/ProfilerBytecodes.cpp:
3705         * profiler/ProfilerCompilation.cpp:
3706         * profiler/ProfilerCompiledBytecode.cpp:
3707         * profiler/ProfilerDatabase.cpp:
3708         * profiler/ProfilerOSRExit.cpp:
3709         * profiler/ProfilerOSRExitSite.cpp:
3710         * profiler/ProfilerOrigin.cpp:
3711         * profiler/ProfilerOriginStack.cpp:
3712         * profiler/ProfilerProfiledBytecodes.cpp:
3713         * runtime/ArgList.cpp:
3714         * runtime/Arguments.cpp:
3715         * runtime/ArrayConstructor.cpp:
3716         * runtime/BooleanConstructor.cpp:
3717         * runtime/BooleanObject.cpp:
3718         * runtime/BooleanPrototype.cpp:
3719         * runtime/CallData.cpp:
3720         * runtime/CodeCache.cpp:
3721         * runtime/Completion.cpp:
3722         * runtime/ConstructData.cpp:
3723         * runtime/DateConstructor.cpp:
3724         * runtime/DateInstance.cpp:
3725         * runtime/DatePrototype.cpp:
3726         * runtime/Error.cpp:
3727         * runtime/ErrorConstructor.cpp:
3728         * runtime/ErrorInstance.cpp:
3729         * runtime/ErrorPrototype.cpp:
3730         * runtime/ExceptionHelpers.cpp:
3731         * runtime/Executable.cpp:
3732         * runtime/FunctionConstructor.cpp:
3733         * runtime/FunctionPrototype.cpp:
3734         * runtime/GetterSetter.cpp:
3735         * runtime/Identifier.cpp:
3736         * runtime/InternalFunction.cpp:
3737         * runtime/JSActivation.cpp:
3738         * runtime/JSBoundFunction.cpp:
3739         * runtime/JSCell.cpp:
3740         * runtime/JSCell.h:
3741         (JSC):
3742         * runtime/JSCellInlines.h: Added.
3743         (JSC):
3744         (JSC::JSCell::JSCell):
3745         (JSC::JSCell::finishCreation):
3746         (JSC::JSCell::structure):
3747         (JSC::JSCell::visitChildren):
3748         (JSC::allocateCell):
3749         (JSC::isZapped):
3750         (JSC::JSCell::isObject):
3751         (JSC::JSCell::isString):
3752         (JSC::JSCell::isGetterSetter):
3753         (JSC::JSCell::isProxy):
3754         (JSC::JSCell::isAPIValueWrapper):
3755         (JSC::JSCell::setStructure):
3756         (JSC::JSCell::methodTable):
3757         (JSC::JSCell::inherits):
3758         (JSC::JSCell::fastGetOwnPropertySlot):
3759         (JSC::JSCell::fastGetOwnProperty):
3760         (JSC::JSCell::toBoolean):
3761         * runtime/JSDateMath.cpp:
3762         * runtime/JSFunction.cpp:
3763         * runtime/JSFunction.h:
3764         (JSC):
3765         * runtime/JSGlobalData.h:
3766         (JSC):
3767         (JSGlobalData):
3768         * runtime/JSGlobalObject.cpp:
3769         * runtime/JSGlobalObjectFunctions.cpp:
3770         * runtime/JSLock.cpp:
3771         * runtime/JSNameScope.cpp:
3772         * runtime/JSNotAnObject.cpp:
3773         * runtime/JSONObject.cpp:
3774         * runtime/JSObject.h:
3775         (JSC):
3776         * runtime/JSProxy.cpp:
3777         * runtime/JSScope.cpp:
3778         * runtime/JSSegmentedVariableObject.cpp:
3779         * runtime/JSString.h:
3780         (JSC):
3781         * runtime/JSStringJoiner.cpp:
3782         * runtime/JSSymbolTableObject.cpp:
3783         * runtime/JSValue.cpp:
3784         * runtime/JSValueInlines.h:
3785         (JSC::JSValue::toInt32):
3786         (JSC::JSValue::toUInt32):
3787         (JSC):
3788         (JSC::JSValue::isUInt32):
3789         (JSC::JSValue::asUInt32):
3790         (JSC::JSValue::asNumber):
3791         (JSC::jsNaN):
3792         (JSC::JSValue::JSValue):
3793         (JSC::JSValue::encode):
3794         (JSC::JSValue::decode):
3795         (JSC::JSValue::operator bool):
3796         (JSC::JSValue::operator==):
3797         (JSC::JSValue::operator!=):
3798         (JSC::JSValue::isEmpty):
3799         (JSC::JSValue::isUndefined):
3800         (JSC::JSValue::isNull):
3801         (JSC::JSValue::isUndefinedOrNull):
3802         (JSC::JSValue::isCell):
3803         (JSC::JSValue::isInt32):
3804         (JSC::JSValue::isDouble):
3805         (JSC::JSValue::isTrue):
3806         (JSC::JSValue::isFalse):
3807         (JSC::JSValue::tag):
3808         (JSC::JSValue::payload):
3809         (JSC::JSValue::asInt32):
3810         (JSC::JSValue::asDouble):
3811         (JSC::JSValue::asCell):
3812         (JSC::JSValue::isNumber):
3813         (JSC::JSValue::isBoolean):
3814         (JSC::JSValue::asBoolean):
3815         (JSC::reinterpretDoubleToInt64):
3816         (JSC::reinterpretInt64ToDouble):
3817         (JSC::JSValue::isString):
3818         (JSC::JSValue::isPrimitive):
3819         (JSC::JSValue::isGetterSetter):
3820         (JSC::JSValue::isObject):
3821         (JSC::JSValue::getString):
3822         (JSC::::getString):
3823         (JSC::JSValue::getObject):
3824         (JSC::JSValue::getUInt32):
3825         (JSC::JSValue::toPrimitive):
3826         (JSC::JSValue::getPrimitiveNumber):
3827         (JSC::JSValue::toNumber):
3828         (JSC::JSValue::toObject):
3829         (JSC::JSValue::isFunction):
3830         (JSC::JSValue::inherits):
3831         (JSC::JSValue::toThisObject):
3832         (JSC::JSValue::get):
3833         (JSC::JSValue::put):
3834         (JSC::JSValue::putByIndex):
3835         (JSC::JSValue::structureOrUndefined):
3836         (JSC::JSValue::equal):
3837         (JSC::JSValue::equalSlowCaseInline):
3838         (JSC::JSValue::strictEqualSlowCaseInline):
3839         (JSC::JSValue::strictEqual):
3840         * runtime/JSVariableObject.cpp:
3841         * runtime/JSWithScope.cpp:
3842         * runtime/JSWrapperObject.cpp:
3843         * runtime/LiteralParser.cpp:
3844         * runtime/Lookup.cpp:
3845         * runtime/NameConstructor.cpp:
3846         * runtime/NameInstance.cpp:
3847         * runtime/NamePrototype.cpp:
3848         * runtime/NativeErrorConstructor.cpp:
3849         * runtime/NativeErrorPrototype.cpp:
3850         * runtime/NumberConstructor.cpp:
3851         * runtime/NumberObject.cpp:
3852         * runtime/ObjectConstructor.cpp:
3853         * runtime/ObjectPrototype.cpp:
3854         * runtime/Operations.h:
3855         (JSC):
3856         * runtime/PropertySlot.cpp:
3857         * runtime/RegExp.cpp:
3858         * runtime/RegExpCache.cpp:
3859         * runtime/RegExpCachedResult.cpp:
3860         * runtime/RegExpConstructor.cpp:
3861         * runtime/RegExpMatchesArray.cpp:
3862         * runtime/RegExpObject.cpp:
3863         * runtime/RegExpPrototype.cpp:
3864         * runtime/SmallStrings.cpp:
3865         * runtime/SparseArrayValueMap.cpp:
3866         * runtime/StrictEvalActivation.cpp:
3867         * runtime/StringConstructor.cpp:
3868         * runtime/StringObject.cpp:
3869         * runtime/StringRecursionChecker.cpp:
3870         * runtime/Structure.h:
3871         (JSC):
3872         * runtime/StructureChain.cpp:
3873         * runtime/TimeoutChecker.cpp:
3874         * testRegExp.cpp:
3875
3876 2013-01-11  Filip Pizlo  <fpizlo@apple.com>
3877
3878         If you use Phantom to force something to be live across an OSR exit, you should put it after the OSR exit
3879         https://bugs.webkit.org/show_bug.cgi?id=106724
3880
3881         Reviewed by Oliver Hunt.
3882         
3883         In cases where we were getting it wrong, I think it was benign because we would either already have an
3884         OSR exit prior to there, or the operand would be a constant.  But still, it's good to get this right.
3885
3886         * dfg/DFGByteCodeParser.cpp:
3887         (JSC::DFG::ByteCodeParser::parseBlock):
3888
3889 2013-01-11  Filip Pizlo  <fpizlo@apple.com>
3890
3891         Phantom(GetLocal) should be treated as relevant to OSR
3892         https://bugs.webkit.org/show_bug.cgi?id=106715
3893
3894         Reviewed by Mark Hahnenberg.
3895
3896         * dfg/DFGCSEPhase.cpp:
3897         (JSC::DFG::CSEPhase::performBlockCSE):
3898
3899 2013-01-11  Pratik Solanki  <psolanki@apple.com>
3900
3901         Fix function name typo ProgramExecutable::initalizeGlobalProperties()
3902         https://bugs.webkit.org/show_bug.cgi?id=106701
3903
3904         Reviewed by Geoffrey Garen.
3905
3906         * interpreter/Interpreter.cpp:
3907         (JSC::Interpreter::execute):
3908         * runtime/Executable.cpp:
3909         (JSC::ProgramExecutable::initializeGlobalProperties):
3910         * runtime/Executable.h:
3911
3912 2013-01-11  Mark Hahnenberg  <mhahnenberg@apple.com>
3913
3914         testapi is failing with a block-related error in the Objc API
3915         https://bugs.webkit.org/show_bug.cgi?id=106055
3916
3917         Reviewed by Filip Pizlo.
3918
3919         Same bug as in testapi.mm. We need to actually call the static block, rather than casting the block to a bool.
3920
3921         * API/ObjCCallbackFunction.mm:
3922         (blockSignatureContainsClass):
3923
3924 2013-01-11  Filip Pizlo  <fpizlo@apple.com>
3925
3926         Add a run-time option to print bytecode at DFG compile time
3927         https://bugs.webkit.org/show_bug.cgi?id=106704
3928
3929         Reviewed by Mark Hahnenberg.
3930
3931         * dfg/DFGByteCodeParser.cpp:
3932         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3933         * runtime/Options.h:
3934         (JSC):
3935
3936 2013-01-11  Filip Pizlo  <fpizlo@apple.com>
3937
3938         It should be possible to enable verbose printing of each OSR exit at run-time (rather than compile-time) and it should print register state
3939         https://bugs.webkit.org/show_bug.cgi?id=106700
3940
3941         Reviewed by Mark Hahnenberg.
3942
3943         * dfg/DFGAssemblyHelpers.h:
3944         (DFG):
3945         (JSC::DFG::AssemblyHelpers::debugCall):
3946         * dfg/DFGCommon.h:
3947         * dfg/DFGOSRExit.h:
3948         (DFG):
3949         * dfg/DFGOSRExitCompiler32_64.cpp:
3950         (JSC::DFG::OSRExitCompiler::compileExit):
3951         * dfg/DFGOSRExitCompiler64.cpp: