Unreviewed, rolling out r141809.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-02-04  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r141809.
        http://trac.webkit.org/changeset/141809
        https://bugs.webkit.org/show_bug.cgi?id=108860

        ARC isn't supported on 32-bit. (Requested by mhahnenberg on
        #webkit).

        * API/tests/testapi.mm:
        (+[TestObject testObject]):
        (testObjectiveCAPI):
        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-02-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: testapi.mm should use ARC
        https://bugs.webkit.org/show_bug.cgi?id=107838

        Reviewed by Oliver Hunt.

        In ToT testapi.mm uses the Obj-C garbage collector, which hides a lot of our object lifetime bugs.
        We should enable ARC, since that is what most of our clients will be using.

        * API/tests/testapi.mm:
        (-[TestObject init]):
        (-[TestObject dealloc]):
        (+[TestObject testObject]):
        (testObjectiveCAPI):
        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-02-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: ObjCCallbackFunction should retain the target of its NSInvocation
        https://bugs.webkit.org/show_bug.cgi?id=108843

        Reviewed by Darin Adler.

        Currently, ObjCCallbackFunction doesn't retain the target of its NSInvocation. It needs to do
        this to prevent crashes when trying to invoke a callback later on.

        * API/ObjCCallbackFunction.mm:
        (ObjCCallbackFunction::ObjCCallbackFunction):
        (ObjCCallbackFunction::~ObjCCallbackFunction):

2013-02-04  Martin Robinson  <mrobinson@igalia.com>

        Fix GTK+ 'make dist' in preparation for the 1.11.5 release.

        * GNUmakefile.list.am: Update the source lists.

2013-02-04  Michael Saboff  <msaboff@apple.com>

        For ARMv7s use integer divide instruction for divide and modulo when possible
        https://bugs.webkit.org/show_bug.cgi?id=108840

        Reviewed in person by Filip Pizlo.

        Added ARMv7s integer divide path for ArithDiv and ArithMod where operands and results are integer.
        This is patterned after the similar code for X86.  Also added modulo power of 2 optimization
        that uses logical and.  Added sdiv and udiv to the ARMv7 disassembler.  Put all the changes
        behind #if CPU(APPLE_ARMV7S).

        * assembler/ARMv7Assembler.h:
        (ARMv7Assembler):
        (JSC::ARMv7Assembler::sdiv):
        (JSC::ARMv7Assembler::udiv):
        * dfg/DFGCommon.h:
        (JSC::DFG::isARMv7s):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSoftModulo):
        (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForARMv7s):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

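The ARMv7s entry above only takes the integer divide path "where operands and results are integer", and it adds a power-of-two modulo via logical AND. The following is an added illustration, not JavaScriptCore's code: two hypothetical helpers, jsIntMod and jsIntDiv, that model the int32 fast-path decision under JavaScript semantics. They return no value exactly in the cases a JIT must send to the slow double path (division by zero, the -0 result for a negative dividend, a fractional quotient, INT_MIN / -1), and they avoid the two C++ traps (x / 0 and INT_MIN / -1 are undefined) that a native implementation of the fast path must never hit. The magnitude trick for negative dividends is done in unsigned arithmetic so that INT_MIN does not overflow.

```cpp
#include <climits>
#include <cstdint>
#include <iostream>
#include <optional>

// Hypothetical helper (not JSC code): true for 1, 2, 4, 8, ... only.
static bool isPowerOfTwo(int32_t v) {
    return v > 0 && (v & (v - 1)) == 0;
}

// JS `a % b` restricted to results representable as an int32.
// std::nullopt means "not an int32 result, take the slow path".
std::optional<int32_t> jsIntMod(int32_t a, int32_t b) {
    if (b == 0)
        return std::nullopt;                      // JS: NaN
    if (b == -1) {
        // INT_MIN % -1 is undefined behaviour in C++. In JS the result is
        // zero, but with the sign of the dividend: -0 is not an int32.
        if (a < 0)
            return std::nullopt;
        return 0;
    }
    if (isPowerOfTwo(b)) {
        // The "logical and" optimisation: a % 2^k == a & (2^k - 1) for a >= 0.
        if (a >= 0)
            return a & (b - 1);
        // For a < 0 apply it to the magnitude in unsigned arithmetic (so that
        // negating INT_MIN cannot overflow) and negate the result.
        uint32_t magnitude = 0u - static_cast<uint32_t>(a);
        uint32_t r = magnitude & static_cast<uint32_t>(b - 1);
        if (r == 0)
            return std::nullopt;                  // JS: -0, not an int32
        return -static_cast<int32_t>(r);
    }
    int32_t r = a % b;                            // C++ truncates like JS
    if (r == 0 && a < 0)
        return std::nullopt;                      // JS: -0
    return r;
}

// JS `a / b` restricted to results representable as an int32.
std::optional<int32_t> jsIntDiv(int32_t a, int32_t b) {
    if (b == 0)
        return std::nullopt;                      // JS: +/-Infinity or NaN
    if (a == INT_MIN && b == -1)
        return std::nullopt;                      // JS: 2^31 (C++: undefined)
    if (a % b != 0)
        return std::nullopt;                      // fractional quotient
    if (a == 0 && b < 0)
        return std::nullopt;                      // JS: -0
    return a / b;
}

// Stand-alone demonstration; the interesting results are the ones that
// fall off the fast path.
int main() {
    auto show = [](const char* label, std::optional<int32_t> v) {
        std::cout << label << ": ";
        if (v)
            std::cout << *v << '\n';
        else
            std::cout << "(slow path)\n";
    };
    show("-5 % 4", jsIntMod(-5, 4));
    show("INT_MIN % 4", jsIntMod(INT_MIN, 4));
    show("INT_MIN / -1", jsIntDiv(INT_MIN, -1));
    show("0 / -4", jsIntDiv(0, -4));
    return 0;
}
```

The -0 cases are the reason the fast path is conditioned on the result being an integer, not just the operands: -5 % 5 and 0 / -4 have integer operands but produce -0 in JavaScript, which an int32 register cannot represent.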
2013-02-04  David Kilzer  <ddkilzer@apple.com>

        Check PrivateHeaders/JSBasePrivate.h for inappropriate macros
        <http://webkit.org/b/108749>

        Reviewed by Joseph Pecoraro.

        * JavaScriptCore.xcodeproj/project.pbxproj: Add
        PrivateHeaders/JSBasePrivate.h to list of headers to check in
        "Check for Inappropriate Macros in External Headers" build phase
        script.

2013-02-04  David Kilzer  <ddkilzer@apple.com>

        Remove duplicate entries from JavaScriptCore Xcode project

            $ uniq Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj | diff -u - Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj | patch -p0 -R
            patching file Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

        * JavaScriptCore.xcodeproj/project.pbxproj: Remove duplicates.

2013-02-04  David Kilzer  <ddkilzer@apple.com>

        Sort JavaScriptCore Xcode project file

        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-02-03  David Kilzer  <ddkilzer@apple.com>

        Upstream ENABLE_PDFKIT_PLUGIN setting
        <http://webkit.org/b/108792>

        Reviewed by Tim Horton.

        * Configurations/FeatureDefines.xcconfig: Disable PDFKIT_PLUGIN
        on iOS since PDFKit is a Mac-only framework.

2013-02-02  Andreas Kling  <akling@apple.com>

        Vector should consult allocator about ideal size when choosing capacity.
        <http://webkit.org/b/108410>
        <rdar://problem/13124002>

        Reviewed by Benjamin Poulain.

        Remove assertion about Vector capacity that won't hold anymore since capacity()
        may not be what you passed to reserveCapacity().
        Also export WTF::fastMallocGoodSize() for Windows builds.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):

2013-02-02  Patrick Gansterer  <paroga@webkit.org>

        [CMake] Adopt the WinCE port to new CMake
        https://bugs.webkit.org/show_bug.cgi?id=108754

        Reviewed by Laszlo Gombos.

        * os-win32/WinMain.cpp: Removed.
        * shell/PlatformWinCE.cmake: Removed.

2013-02-02  Mark Rowe  <mrowe@apple.com>

        <http://webkit.org/b/108745> WTF shouldn't use a script build phase to detect the presence of headers when the compiler can do it for us

        Reviewed by Sam Weinig.

        * DerivedSources.make: Remove an obsolete Makefile rule. This should have been removed when the use
        of the generated file moved to WTF.

2013-02-02  David Kilzer  <ddkilzer@apple.com>

        Upstream iOS FeatureDefines
        <http://webkit.org/b/108753>

        Reviewed by Anders Carlsson.

        * Configurations/FeatureDefines.xcconfig:
        - ENABLE_DEVICE_ORIENTATION: Add iOS configurations.
        - ENABLE_PLUGIN_PROXY_FOR_VIDEO: Ditto.
        - FEATURE_DEFINES: Add ENABLE_PLUGIN_PROXY_FOR_VIDEO.  Add
          PLATFORM_NAME variant to reduce future merge conflicts.

2013-02-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        Structure::m_enumerationCache should be moved to StructureRareData
        https://bugs.webkit.org/show_bug.cgi?id=108723

        Reviewed by Oliver Hunt.

        m_enumerationCache is only used by objects whose properties are iterated over, so not every Structure needs this
        field and it can therefore be moved safely to StructureRareData to help with memory savings.

        * runtime/JSPropertyNameIterator.h:
        (JSPropertyNameIterator):
        (JSC::Register::propertyNameIterator):
        (JSC::StructureRareData::enumerationCache): Add to JSPropertyNameIterator.h so that it can see the correct type.
        (JSC::StructureRareData::setEnumerationCache): Ditto.
        * runtime/Structure.cpp:
        (JSC::Structure::addPropertyWithoutTransition): Use the enumerationCache() getter rather than accessing the field.
        (JSC::Structure::removePropertyWithoutTransition): Ditto.
        (JSC::Structure::visitChildren): We no longer have to worry about marking the m_enumerationCache field.
        * runtime/Structure.h:
        (JSC::Structure::setEnumerationCache): Move the old accessors back since we don't have to have any knowledge of
        the JSPropertyNameIterator type.
        (JSC::Structure::enumerationCache): Ditto.
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::visitChildren): Mark the new m_enumerationCache field.
        * runtime/StructureRareData.h: Add new functions/fields.
        (StructureRareData):

2013-02-01  Roger Fong  <roger_fong@apple.com>

        Unreviewed. JavaScriptCore VS2010 project cleanup.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj:

2013-02-01  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r141662.
        http://trac.webkit.org/changeset/141662
        https://bugs.webkit.org/show_bug.cgi?id=108738

        it's an incorrect change since processPhiStack will
        dereference dangling BasicBlock pointers (Requested by pizlo
        on #webkit).

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parse):

2013-02-01  Filip Pizlo  <fpizlo@apple.com>

        Eliminate dead blocks sooner in the DFG::ByteCodeParser to make clear that you don't need to hold onto them during Phi construction
        https://bugs.webkit.org/show_bug.cgi?id=108717

        Reviewed by Mark Hahnenberg.

        I think this makes the code clearer. It doesn't change behavior.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parse):

2013-02-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        Structure should have a StructureRareData field to save space
        https://bugs.webkit.org/show_bug.cgi?id=108659

        Reviewed by Oliver Hunt.

        Many of the fields in Structure are used in a subset of all total Structures; however, all Structures must
        pay the memory cost of those fields, regardless of whether they use them or not. Since we can have potentially
        many Structures on a single page (e.g. bing.com creates ~1500 Structures), it would be profitable to
        refactor Structure so that not every Structure has to pay the memory costs for these infrequently used fields.

        To accomplish this, we can create a new StructureRareData class to house these seldom used fields which we
        can allocate on demand whenever a Structure requires it. This StructureRareData can itself be a JSCell, and
        can do all the marking of the fields for the Structure. The StructureRareData field will be part of a union
        with m_previous to minimize overhead. We'll add a new field to JSTypeInfo to indicate that the Structure has
        a StructureRareData field. During transitions, a Structure will clone its previous Structure's StructureRareData
        if it has one. There could be some potential for optimizing this process, but the initial implementation will
        be dumb since we'd be paying these overhead costs for each Structure anyways.

        Initially we'll only put two fields in the StructureRareData to avoid a memory regression. Over time we'll
        continue to move fields from Structure to StructureRareData. Optimistically, this could potentially reduce our
        Structure memory footprint by up to around 75%. It could also clear the way for removing destructors from
        Structures (and into StructureRareData).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGRepatch.cpp: Includes for linking purposes.
        * jit/JITStubs.cpp:
        * jsc.cpp:
        * llint/LLIntSlowPaths.cpp:
        * runtime/JSCellInlines.h: Added ifdef guards.
        * runtime/JSGlobalData.cpp: New Structure for StructureRareData class.
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/JSGlobalObject.h:
        * runtime/JSTypeInfo.h: New flag to indicate whether or not a Structure has a StructureRareData field.
        (JSC::TypeInfo::flags):
        (JSC::TypeInfo::structureHasRareData):
        * runtime/ObjectPrototype.cpp:
        * runtime/Structure.cpp: We use a combined WriteBarrier<JSCell> field m_previousOrRareData to avoid compiler issues.
        (JSC::Structure::dumpStatistics):
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::pin):
        (JSC::Structure::allocateRareData): Handles allocating a brand new StructureRareData field.
        (JSC::Structure::cloneRareDataFrom): Handles cloning a StructureRareData field from another. Used during Structure
        transitions.
        (JSC::Structure::visitChildren): We no longer have to worry about marking m_objectToStringValue.
        * runtime/Structure.h:
        (JSC::Structure::previousID): Checks the structureHasRareData flag to see where it should get the previous Structure.
        (JSC::Structure::objectToStringValue): Reads the value from the StructureRareData. If it doesn't exist, returns 0.
        (JSC::Structure::setObjectToStringValue): Ensures that we have a StructureRareData field, then forwards the function
        call to it.
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::setPreviousID): Checks for StructureRareData and forwards if necessary.
        (Structure):
        (JSC::Structure::clearPreviousID): Ditto.
        (JSC::Structure::create):
        * runtime/StructureRareData.cpp: Added. All of the basic functionality of a JSCell with the fields that we've moved
        from Structure and the functions required to access/modify those fields as Structure would have done.
        (JSC):
        (JSC::StructureRareData::createStructure):
        (JSC::StructureRareData::create):
        (JSC::StructureRareData::clone):
        (JSC::StructureRareData::StructureRareData):
        (JSC::StructureRareData::visitChildren):
        * runtime/StructureRareData.h: Added.
        (JSC):
        (StructureRareData):
        * runtime/StructureRareDataInlines.h: Added.
        (JSC):
        (JSC::StructureRareData::previousID):
        (JSC::StructureRareData::setPreviousID):
        (JSC::StructureRareData::clearPreviousID):
        (JSC::Structure::previous): Handles the ugly casting to get the value of the right type of m_previousOrRareData.
        (JSC::Structure::rareData): Ditto.
        (JSC::StructureRareData::objectToStringValue):
        (JSC::StructureRareData::setObjectToStringValue):

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGRepatch.cpp:
        * jit/JITStubs.cpp:
        * jsc.cpp:
        * llint/LLIntSlowPaths.cpp:
        * runtime/JSCellInlines.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/JSGlobalObject.h:
        * runtime/JSTypeInfo.h:
        (JSC):
        (JSC::TypeInfo::flags):
        (JSC::TypeInfo::structureHasRareData):
        * runtime/ObjectPrototype.cpp:
        * runtime/Structure.cpp:
        (JSC::Structure::dumpStatistics):
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::pin):
        (JSC::Structure::allocateRareData):
        (JSC):
        (JSC::Structure::cloneRareDataFrom):
        (JSC::Structure::visitChildren):
        * runtime/Structure.h:
        (JSC::Structure::previousID):
        (JSC::Structure::objectToStringValue):
        (JSC::Structure::setObjectToStringValue):
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::setPreviousID):
        (Structure):
        (JSC::Structure::clearPreviousID):
        (JSC::Structure::previous):
        (JSC::Structure::rareData):
        (JSC::Structure::create):
        * runtime/StructureRareData.cpp: Added.
        (JSC):
        (JSC::StructureRareData::createStructure):
        (JSC::StructureRareData::create):
        (JSC::StructureRareData::clone):
        (JSC::StructureRareData::StructureRareData):
        (JSC::StructureRareData::visitChildren):
        * runtime/StructureRareData.h: Added.
        (JSC):
        (StructureRareData):
        * runtime/StructureRareDataInlines.h: Added.
        (JSC):
        (JSC::StructureRareData::previousID):
        (JSC::StructureRareData::setPreviousID):
        (JSC::StructureRareData::clearPreviousID):
        (JSC::StructureRareData::objectToStringValue):
        (JSC::StructureRareData::setObjectToStringValue):

2013-02-01  Balazs Kilvady  <kilvadyb@homejinni.com>

        offlineasm BaseIndex handling is broken on ARM due to MIPS changes
        https://bugs.webkit.org/show_bug.cgi?id=108261

        Reviewed by Filip Pizlo.

        offlineasm BaseIndex handling fix on MIPS.

        * offlineasm/mips.rb:
        * offlineasm/risc.rb:

2013-02-01  Geoffrey Garen  <ggaren@apple.com>

        Removed an unused function: JSGlobalObject::createFunctionExecutableFromGlobalCode
        https://bugs.webkit.org/show_bug.cgi?id=108657

        Reviewed by Anders Carlsson.

        * runtime/JSGlobalObject.cpp:
        (JSC):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):

2013-02-01  Geoffrey Garen  <ggaren@apple.com>

        Added TriState to WTF and started using it in one place
        https://bugs.webkit.org/show_bug.cgi?id=108628

        Reviewed by Beth Dakin.

        * runtime/PrototypeMap.h:
        (JSC::PrototypeMap::isPrototype): Use TriState instead of boolean. In
        response to review feedback, this is an attempt to clarify that our
        'true' condition is actually just a 'maybe'.

        * runtime/PrototypeMap.h:
        (PrototypeMap):
        (JSC::PrototypeMap::isPrototype):

2013-02-01  Alexis Menard  <alexis@webkit.org>

        Enable unprefixed CSS transitions by default.
        https://bugs.webkit.org/show_bug.cgi?id=108216

        Reviewed by Dean Jackson.

        Rename the flag CSS_TRANSFORMS_ANIMATIONS_TRANSITIONS_UNPREFIXED
        to CSS_TRANSFORMS_ANIMATIONS_UNPREFIXED which will be used later to
        guard the unprefixing work for CSS Transforms and animations.

        * Configurations/FeatureDefines.xcconfig:

2013-01-31  Filip Pizlo  <fpizlo@apple.com>

        DFG::CFGSimplificationPhase::keepOperandAlive() conflates liveness and availability
        https://bugs.webkit.org/show_bug.cgi?id=108580

        Reviewed by Oliver Hunt.

        This is a harmless bug in that it only results in us keeping a bit too many things
        for OSR.  But it's worth fixing so that the code is consistent.

        keepOperandAlive() is called when block A has a branch to blocks B and C, but the
        A->B edge is proven to never be taken and we want to optimize the code to have A
        unconditionally jump to C.  In that case, for the purposes of OSR, we need to
        preserve the knowledge that the state that B expected to be live incoming from A
        ought still to be live up to the point of where the A->B,C branch used to be.  The
        way we keep things alive is by using the variablesAtTail of A (i.e., we use the
        knowledge of in what manner A made state available to B and C).  The way we choose
        which state should be kept alive ought to be chosen by the variablesAtHead of B
        (i.e. the things B says it needs from its predecessors, including A), except that
        keepOperandAlive() was previously just using variablesAtTail of A for this
        purpose.

        The fix is to have keepOperandAlive() use both liveness and availability in its
        logic. It should use liveness (i.e. B->variablesAtHead) to decide what to keep
        alive, and it should use availability (i.e. A->variablesAtTail) to decide how to
        keep it alive.

        This might be a microscopic win on some programs, but it's mainly intended to be
        a code clean-up so that I don't end up scratching my head in confusion the next
        time I look at this code.

        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
        (JSC::DFG::CFGSimplificationPhase::jettisonBlock):
        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):

2013-01-31  Geoffrey Garen  <ggaren@apple.com>

        REGRESSION (r141192): Crash beneath cti_op_get_by_id_generic @ discussions.apple.com
        https://bugs.webkit.org/show_bug.cgi?id=108576

        Reviewed by Filip Pizlo.

        This was a long-standing bug. The DFG would destructively reuse a register
        in op_convert_this, but:

            * The bug only presented during speculation failure for type Other

            * The bug presented by removing the low bits of a pointer, which
            used to be harmless, since all objects were so aligned anyway.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Don't reuse our this register as
        our scratch register. The whole point of our scratch register is to
        avoid destructively modifying our this register. I'm pretty sure this
        was a copy-paste error.

2013-01-31  Roger Fong  <roger_fong@apple.com>

        Unreviewed. Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:

2013-01-31  Jessie Berlin  <jberlin@apple.com>

        Rolling out r141407 because it is causing crashes under
        WTF::TCMalloc_Central_FreeList::FetchFromSpans() in Release builds.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):

2013-01-31  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: JSContext exception property causes reference cycle
        https://bugs.webkit.org/show_bug.cgi?id=107778

        Reviewed by Darin Adler.

        JSContext has a (retain) JSValue * exception property which, when non-null, creates a
        reference cycle (since the JSValue * holds a strong reference back to the JSContext *).

        * API/JSContext.mm: Instead of JSValue *, we now use a plain JSValueRef, which eliminates the reference cycle.
        (-[JSContext initWithVirtualMachine:]):
        (-[JSContext setException:]):
        (-[JSContext exception]):

2013-01-31  Roger Fong  <roger_fong@apple.com>

        Unreviewed build fix. Win7 port.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:

2013-01-31  Joseph Pecoraro  <pecoraro@apple.com>

        Disable ENABLE_FULLSCREEN_API on iOS
        https://bugs.webkit.org/show_bug.cgi?id=108250

        Reviewed by Benjamin Poulain.

        * Configurations/FeatureDefines.xcconfig:

2013-01-31  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Fix insertion of values greater than the max index allowed by the spec
        https://bugs.webkit.org/show_bug.cgi?id=108264

        Reviewed by Oliver Hunt.

        Fixed a bug, added a test to the API tests, cleaned up some code.

        * API/JSValue.h: Changed some of the documentation on setValue:atIndex: to indicate that
        setting values at indices greater than UINT_MAX - 1 won't affect the length of JS arrays.
        * API/JSValue.mm:
        (-[JSValue valueAtIndex:]): We weren't returning when we should have been.
        (-[JSValue setValue:atIndex:]): Added a comment about why we do the early check for being larger than UINT_MAX.
        (objectToValueWithoutCopy): Removed two redundant cases that were already checked previously.
        * API/tests/testapi.mm:

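The JSValue entry above hinges on a boundary that is easy to get wrong: in ECMAScript a property key is an array index only if it is the canonical decimal form of an unsigned 32-bit integer other than 2^32 - 1, so the largest index that can extend an array's length is UINT_MAX - 1, and any larger index (or non-canonical key such as "01") is an ordinary named property. The following is an added illustration, not JavaScriptCore's code: hypothetical helpers isArrayIndexValue (the numeric check an API taking an integer index would make) and isArrayIndexKey (the same rule applied to a property-key string), plus lengthAfterSet, which models how `length` reacts to a store. Accumulating in uint64_t keeps the 10-digit parse free of overflow.

```cpp
#include <cstdint>
#include <iostream>
#include <string>

// Hypothetical constant (not JSC code): the largest valid array index, 2^32 - 2.
constexpr uint64_t kMaxArrayIndex = 4294967294ULL;

// Numeric form: is `index` small enough to be an element index at all?
// UINT_MAX itself (2^32 - 1) is reserved as the maximum array length and is
// never an index.
bool isArrayIndexValue(uint64_t index) {
    return index <= kMaxArrayIndex;
}

// String form: the key must be digits only, have no leading zero unless it is
// exactly "0", and its value must be within [0, 2^32 - 2].
bool isArrayIndexKey(const std::string& key, uint32_t* indexOut = nullptr) {
    if (key.empty() || key.size() > 10)          // a uint32 has at most 10 digits
        return false;
    if (key.size() > 1 && key[0] == '0')         // "01" is a named property, not index 1
        return false;
    uint64_t value = 0;
    for (char c : key) {
        if (c < '0' || c > '9')                  // rejects "-1", "1e3", " 7", etc.
            return false;
        value = value * 10 + static_cast<uint64_t>(c - '0');
    }
    if (!isArrayIndexValue(value))
        return false;
    if (indexOut)
        *indexOut = static_cast<uint32_t>(value);
    return true;
}

// Length an array of `length` elements would report after `array[key] = v`:
// only a genuine array-index key can grow it.
uint64_t lengthAfterSet(uint64_t length, const std::string& key) {
    uint32_t index = 0;
    if (!isArrayIndexKey(key, &index))
        return length;
    uint64_t needed = static_cast<uint64_t>(index) + 1;
    return needed > length ? needed : length;
}

// Stand-alone demonstration of the boundary the entry above describes.
int main() {
    const char* keys[] = { "4294967294", "4294967295", "01", "-1" };
    for (const char* key : keys)
        std::cout << '"' << key << "\" -> length "
                  << lengthAfterSet(3, key) << '\n';
    return 0;
}
```

A store at "4294967294" grows a 3-element array to length 4294967295, while a store at "4294967295" leaves the length at 3, which is exactly the behaviour the documentation change in the entry describes.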
2013-01-30  Andreas Kling  <akling@apple.com>

        Vector should consult allocator about ideal size when choosing capacity.
        <http://webkit.org/b/108410>
        <rdar://problem/13124002>

        Reviewed by Benjamin Poulain.

        Remove assertion about Vector capacity that won't hold anymore since capacity()
        may not be what you passed to reserveCapacity().

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):

2013-01-30  Filip Pizlo  <fpizlo@apple.com>

        DFG bytecode parser should have more assertions about the status of local accesses
        https://bugs.webkit.org/show_bug.cgi?id=108417

        Reviewed by Mark Hahnenberg.

        Assert some things that we already know to be true, just to reassure ourselves that they are true.
        This is meant as a prerequisite for https://bugs.webkit.org/show_bug.cgi?id=108414, which will
        make these rules even stricter.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::getArgument):

2013-01-30  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: JSContext's dealloc causes ASSERT due to ordering of releases
        https://bugs.webkit.org/show_bug.cgi?id=107978

        Reviewed by Filip Pizlo.

        We need to add the Identifier table save/restore in JSContextGroupRelease so that we
        have the correct table if we end up destroying the JSGlobalData/Heap.

        * API/JSContextRef.cpp:
        (JSContextGroupRelease):

2013-01-30  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: exceptionHandler needs to be released in JSContext dealloc
        https://bugs.webkit.org/show_bug.cgi?id=108378

        Reviewed by Filip Pizlo.

        JSContext has a (copy) exceptionHandler property that it doesn't release in dealloc.
        That sounds like the potential for a leak. It should be released.

        * API/JSContext.mm:
        (-[JSContext dealloc]):

2013-01-30  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(140504): pure CSE no longer matches things, 10% regression on Kraken
        https://bugs.webkit.org/show_bug.cgi?id=108366

        Reviewed by Geoffrey Garen and Mark Hahnenberg.

        This was a longstanding bug that was revealed by http://trac.webkit.org/changeset/140504.
        Pure CSE requires that the Node::flags() that may affect the behavior of a node match,
        when comparing a possibly redundant node to its possible replacement. It was doing this
        by comparing Node::arithNodeFlags(), which as the name might appear to suggest, returns
        just those flag bits that correspond to actual node behavior and not auxiliary things.
        Unfortunately, Node::arithNodeFlags() wasn't actually masking off the irrelevant bits.
        This worked prior to r140504 because CSE itself didn't mutate the flags, so there was a
        very high probability that matching nodes would also have completely identical flag bits
        (even the ones that aren't relevant to arithmetic behavior, like NodeDoesNotExit). But
        r140504 moved one of CSE's side-tables (m_relevantToOSR) into a flag bit for quicker
        access. These bits would be mutated as the CSE ran over a basic block, in such a way that
        there was a very high probability that the possible replacement would already have the
        bit set, while the redundant node did not have the bit set. Since Node::arithNodeFlags()
        returned all of the bits, this would cause CSEPhase::pureCSE() to reject the match
        almost every time.

        The solution is to make Node::arithNodeFlags() do as its name suggests: only return those
        flags that are relevant to arithmetic behavior. This patch introduces a new mask that
        represents those bits, and includes NodeBehaviorMask and NodeBackPropMask, which are both
        used for queries on Node::arithNodeFlags(), and both affect arithmetic code gen. None of
        the other flags are relevant to Node::arithNodeFlags() since they either correspond to
        information already conveyed by the opcode (like NodeResultMask, NodeMustGenerate,
        NodeHasVarArgs, NodeClobbersWorld, NodeMightClobber) or information that doesn't affect
        the result that the node will produce or any of the queries performed on the result of
        Node::arithNodeFlags (NodeDoesNotExit and of course NodeRelevantToOSR).

        This is a 10% speed-up on Kraken, undoing the regression from r140504.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::arithNodeFlags):
        * dfg/DFGNodeFlags.h:
        (DFG):

2013-01-29  Mark Hahnenberg  <mhahnenberg@apple.com>

        Structure::m_outOfLineCapacity is unnecessary
        https://bugs.webkit.org/show_bug.cgi?id=108206

        Reviewed by Geoffrey Garen.

        We can calculate our out of line capacity by using the outOfLineSize and our knowledge about our resize policy.
        According to GDB, this knocks Structures down from 136 bytes to 128 bytes (I'm guessing the extra bytes are from
        better alignment of object fields), which puts Structures in a smaller size class. Woohoo! Looks neutral on our
        benchmarks.

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC):
        (JSC::Structure::suggestedNewOutOfLineStorageCapacity):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::addPropertyWithoutTransition):
        * runtime/Structure.h:
        (Structure):
        (JSC::Structure::outOfLineCapacity):
        (JSC::Structure::totalStorageCapacity):

2013-01-29  Geoffrey Garen  <ggaren@apple.com>

        Be a little more conservative about emitting table-based switches
        https://bugs.webkit.org/show_bug.cgi?id=108292

        Reviewed by Filip Pizlo.

        Profiling shows we're using op_switch in cases where it's a regression.

        * bytecompiler/NodesCodegen.cpp:
        (JSC):
        (JSC::length):
        (JSC::CaseBlockNode::tryTableSwitch):
        (JSC::CaseBlockNode::emitBytecodeForBlock):
        * parser/Nodes.h:
        (CaseBlockNode):

2013-01-29  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r140983.
        http://trac.webkit.org/changeset/140983
        https://bugs.webkit.org/show_bug.cgi?id=108277

        Unfortunately, this API has one last client (Requested by
        abarth on #webkit).

        * Configurations/FeatureDefines.xcconfig:

2013-01-29  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: JSObjCClassInfo creates reference cycle with JSContext
        https://bugs.webkit.org/show_bug.cgi?id=107839

        Reviewed by Geoffrey Garen.

        Fixing several ASSERTs that were incorrect along with some of the reallocation of m_prototype and
        m_constructor that they were based on.

        * API/JSWrapperMap.mm:
        (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): We now only allocate those
        fields that are null (i.e. have been collected or have never been allocated to begin with).
        (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]): Renamed to better indicate that we're
        reallocating one or both of the prototype/constructor combo.
        (-[JSObjCClassInfo wrapperForObject:]): Call new reallocate function.
        (-[JSObjCClassInfo constructor]): Ditto.

2013-01-29  Geoffrey Garen  <ggaren@apple.com>

        Make precise size classes more precise
        https://bugs.webkit.org/show_bug.cgi?id=108270

        Reviewed by Mark Hahnenberg.

        Size inference makes this profitable.

        I chose 8 byte increments because JSString is 24 bytes. Otherwise, 16
        byte increments might be better.

        * heap/Heap.h:
        (Heap): Removed firstAllocatorWithoutDestructors because it's unused now.

        * heap/MarkedBlock.h:
        (MarkedBlock): Updated constants.

        * heap/MarkedSpace.h:
        (MarkedSpace):
        (JSC): Also reduced the maximum precise size class because my testing
729         has shown that the smaller size classes are much more common. This
730         offsets some of the size class explosion caused by reducing the precise
731         increment.
732
733         * llint/LLIntData.cpp:
734         (JSC::LLInt::Data::performAssertions): No need for this ASSERT anymore
735         because we don't rely on firstAllocatorWithoutDestructors anymore, since
736         we pick size classes dynamically now.
737
738 2013-01-29  Oliver Hunt  <oliver@apple.com>
739
740         Add some hardening to methodTable()
741         https://bugs.webkit.org/show_bug.cgi?id=108253
742
743         Reviewed by Mark Hahnenberg.
744
745         When accessing methodTable() we now always make sure that our
746         structure _could_ be valid.  Added a separate method to get a
747         class's methodTable during destruction as it's not possible to
748         validate the structure at that point.  This separation might
749         also make it possible to improve the performance of methodTable
750         access more generally in future.
751
752         * heap/MarkedBlock.cpp:
753         (JSC::MarkedBlock::callDestructor):
754         * runtime/JSCell.h:
755         (JSCell):
756         * runtime/JSCellInlines.h:
757         (JSC::JSCell::methodTableForDestruction):
758         (JSC):
759         (JSC::JSCell::methodTable):
760
761 2013-01-29  Filip Pizlo  <fpizlo@apple.com>
762
763         offlineasm BaseIndex handling is broken on ARM due to MIPS changes
764         https://bugs.webkit.org/show_bug.cgi?id=108261
765
766         Reviewed by Oliver Hunt.
767         
768         Backends shouldn't override each other's methods. That's not cool.
769
770         * offlineasm/mips.rb:
771
772 2013-01-29  Filip Pizlo  <fpizlo@apple.com>
773
774         cloop.rb shouldn't use a method called 'dump' for code generation
775         https://bugs.webkit.org/show_bug.cgi?id=108251
776
777         Reviewed by Mark Hahnenberg.
778         
779         Revert http://trac.webkit.org/changeset/141178 and rename 'dump' to 'clDump'.
780         
781         Also made trivial build fixes for !ENABLE(JIT).
782
783         * offlineasm/cloop.rb:
784         * runtime/Executable.h:
785         (ExecutableBase):
786         (JSC::ExecutableBase::intrinsicFor):
787         * runtime/JSGlobalData.h:
788
789 2013-01-29  Geoffrey Garen  <ggaren@apple.com>
790
791         Removed GGC because it has been disabled for a long time
792         https://bugs.webkit.org/show_bug.cgi?id=108245
793
794         Reviewed by Filip Pizlo.
795
796         * GNUmakefile.list.am:
797         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
798         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
799         * JavaScriptCore.xcodeproj/project.pbxproj:
800         * dfg/DFGRepatch.cpp:
801         (JSC::DFG::emitPutReplaceStub):
802         (JSC::DFG::emitPutTransitionStub):
803         * dfg/DFGSpeculativeJIT.cpp:
804         (JSC::DFG::SpeculativeJIT::writeBarrier):
805         * dfg/DFGSpeculativeJIT.h:
806         (SpeculativeJIT):
807         * dfg/DFGSpeculativeJIT32_64.cpp:
808         (JSC::DFG::SpeculativeJIT::compile):
809         * dfg/DFGSpeculativeJIT64.cpp:
810         (JSC::DFG::SpeculativeJIT::compile):
811         * heap/CardSet.h: Removed.
812         * heap/Heap.cpp:
813         (JSC::Heap::markRoots):
814         (JSC::Heap::collect):
815         * heap/Heap.h:
816         (Heap):
817         (JSC::Heap::shouldCollect):
818         (JSC::Heap::isWriteBarrierEnabled):
819         (JSC):
820         (JSC::Heap::writeBarrier):
821         * heap/MarkedBlock.h:
822         (MarkedBlock):
823         (JSC):
824         * heap/MarkedSpace.cpp:
825         (JSC):
826         * jit/JITPropertyAccess.cpp:
827         (JSC::JIT::emitWriteBarrier):
828
829 2013-01-29  Filip Pizlo  <fpizlo@apple.com>
830
831         Remove redundant AST dump methods from cloop.rb, since they are already defined in ast.rb
832         https://bugs.webkit.org/show_bug.cgi?id=108247
833
834         Reviewed by Oliver Hunt.
835         
836         Makes offlineasm dumping easier to read and less likely to cause assertion failures.
837         Also fixes the strange situation where cloop.rb and ast.rb both defined dump methods,
838         but cloop.rb was winning.
839
840         * offlineasm/cloop.rb:
841
842 2013-01-29  Mark Hahnenberg  <mhahnenberg@apple.com>
843
844         Objective-C API: JSObjCClassInfo creates reference cycle with JSContext
845         https://bugs.webkit.org/show_bug.cgi?id=107839
846
847         Reviewed by Oliver Hunt.
848
849         JSContext has a JSWrapperMap, which has an NSMutableDictionary m_classMap, which has values that 
850         are JSObjCClassInfo objects, which have strong references to two JSValue *'s, m_prototype and 
851         m_constructor, which in turn have strong references to the JSContext, creating a reference cycle. 
852         We should make m_prototype and m_constructor Weak<JSObject>. This gets rid of the strong reference 
853         to the JSContext and also prevents clients from accidentally creating reference cycles by assigning 
854         to the prototype of the constructor. If Weak<JSObject> fields are ever garbage collected, we will 
855         reallocate them.
856
857         * API/JSContext.mm:
858         (-[JSContext wrapperMap]):
859         * API/JSContextInternal.h:
860         * API/JSWrapperMap.mm:
861         (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]):
862         (-[JSObjCClassInfo dealloc]):
863         (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
864         (-[JSObjCClassInfo allocateConstructorAndPrototype]):
865         (-[JSObjCClassInfo wrapperForObject:]):
866         (-[JSObjCClassInfo constructor]):
867
868 2013-01-29  Oliver Hunt  <oliver@apple.com>
869
870         REGRESSION (r140594): RELEASE_ASSERT_NOT_REACHED in JSC::Interpreter::execute
871         https://bugs.webkit.org/show_bug.cgi?id=108097
872
873         Reviewed by Geoffrey Garen.
874
875         LiteralParser was accepting a bogus 'var a.b = c' statement
876
877         * runtime/LiteralParser.cpp:
878         (JSC::::tryJSONPParse):
879
880 2013-01-29  Oliver Hunt  <oliver@apple.com>
881
882         Force debug builds to do bounds checks on contiguous property storage
883         https://bugs.webkit.org/show_bug.cgi?id=108212
884
885         Reviewed by Mark Hahnenberg.
886
887         Add a ContiguousData type that we use to represent contiguous property
888         storage.  In release builds it is simply a pointer to the correct type,
889         but in debug builds it also carries the data length and performs bounds
890         checks.  This means we don't have to add as many manual bounds assertions
891         when performing operations over contiguous data.
892
893         * dfg/DFGOperations.cpp:
894         * runtime/ArrayStorage.h:
895         (ArrayStorage):
896         (JSC::ArrayStorage::vector):
897         * runtime/Butterfly.h:
898         (JSC::ContiguousData::ContiguousData):
899         (ContiguousData):
900         (JSC::ContiguousData::operator[]):
901         (JSC::ContiguousData::data):
902         (JSC::ContiguousData::length):
903         (JSC):
904         (JSC::Butterfly::contiguousInt32):
905         (Butterfly):
906         (JSC::Butterfly::contiguousDouble):
907         (JSC::Butterfly::contiguous):
908         * runtime/JSArray.cpp:
909         (JSC::JSArray::sortNumericVector):
910         (ContiguousTypeAccessor):
911         (JSC::ContiguousTypeAccessor::getAsValue):
912         (JSC::ContiguousTypeAccessor::setWithValue):
913         (JSC::ContiguousTypeAccessor::replaceDataReference):
914         (JSC):
915         (JSC::JSArray::sortCompactedVector):
916         (JSC::JSArray::sort):
917         (JSC::JSArray::fillArgList):
918         (JSC::JSArray::copyToArguments):
919         * runtime/JSArray.h:
920         (JSArray):
921         * runtime/JSObject.cpp:
922         (JSC::JSObject::copyButterfly):
923         (JSC::JSObject::visitButterfly):
924         (JSC::JSObject::createInitialInt32):
925         (JSC::JSObject::createInitialDouble):
926         (JSC::JSObject::createInitialContiguous):
927         (JSC::JSObject::convertUndecidedToInt32):
928         (JSC::JSObject::convertUndecidedToDouble):
929         (JSC::JSObject::convertUndecidedToContiguous):
930         (JSC::JSObject::convertInt32ToDouble):
931         (JSC::JSObject::convertInt32ToContiguous):
932         (JSC::JSObject::genericConvertDoubleToContiguous):
933         (JSC::JSObject::convertDoubleToContiguous):
934         (JSC::JSObject::rageConvertDoubleToContiguous):
935         (JSC::JSObject::ensureInt32Slow):
936         (JSC::JSObject::ensureDoubleSlow):
937         (JSC::JSObject::ensureContiguousSlow):
938         (JSC::JSObject::rageEnsureContiguousSlow):
939         (JSC::JSObject::ensureLengthSlow):
940         * runtime/JSObject.h:
941         (JSC::JSObject::ensureInt32):
942         (JSC::JSObject::ensureDouble):
943         (JSC::JSObject::ensureContiguous):
944         (JSC::JSObject::rageEnsureContiguous):
945         (JSObject):
946         (JSC::JSObject::indexingData):
947         (JSC::JSObject::currentIndexingData):
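
Added example, not JavaScriptCore code: a C++ sketch of the pattern the entry above describes, a wrapper that is a bare pointer when bounds checks are compiled out and that carries the length and checks every index otherwise. The names ContiguousData, copyToVector and violationsWhenCopying, the CONTIGUOUS_BOUNDS_CHECKS switch and the violation counter (used in place of an assertion so the check can be observed from a test) are assumptions, not the project's.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Build-mode switch standing in for "debug build": real code would derive this
// from !defined(NDEBUG). Left on here so the checked path is what runs.
#ifndef CONTIGUOUS_BOUNDS_CHECKS
#define CONTIGUOUS_BOUNDS_CHECKS 1
#endif

// Counts out-of-range accesses instead of asserting, so the behaviour can be
// observed from a test; a real debug build would ASSERT and crash here.
static size_t g_boundsViolations = 0;

// A pointer-sized handle to contiguous storage when checks are off; with checks
// on it also carries the element count and verifies every index.
template<typename T>
class ContiguousData {
public:
    ContiguousData(T* data, size_t length)
        : m_data(data)
#if CONTIGUOUS_BOUNDS_CHECKS
        , m_length(length)
#endif
    {
        (void)length; // unused when checks are compiled out
    }

    T& operator[](size_t index) const
    {
#if CONTIGUOUS_BOUNDS_CHECKS
        if (index >= m_length) {
            ++g_boundsViolations;
            static T sink = T(); // out-of-range traffic lands here, not in the heap
            return sink;
        }
#endif
        return m_data[index];
    }

    T* data() const { return m_data; }

#if CONTIGUOUS_BOUNDS_CHECKS
    size_t length() const { return m_length; }
#endif

private:
    T* m_data;
#if CONTIGUOUS_BOUNDS_CHECKS
    size_t m_length;
#endif
};

#if !CONTIGUOUS_BOUNDS_CHECKS
// With checks compiled out the wrapper costs nothing over a raw pointer.
static_assert(sizeof(ContiguousData<int32_t>) == sizeof(int32_t*),
              "unchecked ContiguousData must be a bare pointer");
#endif

// Typical consumer code: copies `count` elements out of the storage. It trusts
// `count`; the wrapper is what catches a caller passing one that is too large.
template<typename T>
size_t copyToVector(ContiguousData<T> src, size_t count, std::vector<T>& out)
{
    size_t before = g_boundsViolations;
    for (size_t i = 0; i < count; ++i)
        out.push_back(src[i]);
    return g_boundsViolations - before; // out-of-range reads caught on this call
}

// Runs copyToVector over a constructed 4-element buffer with the given count
// and reports how many accesses the checked wrapper rejected.
size_t violationsWhenCopying(size_t count)
{
    int32_t storage[4] = { 10, 20, 30, 40 }; // constructed sample data
    ContiguousData<int32_t> data(storage, 4);
    std::vector<int32_t> out;
    return copyToVector(data, count, out);
}

int main()
{
    // 4 is the true length: no violations. 6 overruns by two elements, which a
    // raw pointer would read silently and the checked wrapper reports.
    bool ok = violationsWhenCopying(4) == 0 && violationsWhenCopying(6) == 2;
    return ok ? 0 : 1;
}
```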
948
949 2013-01-29  Brent Fulgham  <bfulgham@webkit.org>
950
951         [Windows, WinCairo] Unreviewed build fix after r141050
952
953         * JavaScriptCore.vcxproj/JavaScriptCoreExports.def: Update symbols
954         to match JavaScriptCore.vcproj version.
955
956 2013-01-29  Allan Sandfeld Jensen  <allan.jensen@digia.com>
957
958         [Qt] Implement GCActivityCallback
959         https://bugs.webkit.org/show_bug.cgi?id=103998
960
961         Reviewed by Simon Hausmann.
962
963         Implements the activity triggered garbage collector.
964
965         * runtime/GCActivityCallback.cpp:
966         (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
967         (JSC::DefaultGCActivityCallback::scheduleTimer):
968         (JSC::DefaultGCActivityCallback::cancelTimer):
969         * runtime/GCActivityCallback.h:
970         (GCActivityCallback):
971         (DefaultGCActivityCallback):
972
973 2013-01-29  Mikhail Pozdnyakov  <mikhail.pozdnyakov@intel.com>
974
975         Compilation warning in JSC
976         https://bugs.webkit.org/show_bug.cgi?id=108178
977
978         Reviewed by Kentaro Hara.
979
980         Fixed 'comparison between signed and unsigned integer' warning in JSC::Structure constructor.
981
982         * runtime/Structure.cpp:
983         (JSC::Structure::Structure):
984
985 2013-01-29  Jocelyn Turcotte  <jocelyn.turcotte@digia.com>
986
987         [Qt] Fix the JSC build on Mac
988
989         Unreviewed, build fix.
990
991         * heap/HeapTimer.h:
992         Qt on Mac has USE(CF) true, and should use the CF HeapTimer in that case.
993
994 2013-01-29  Allan Sandfeld Jensen  <allan.jensen@digia.com>
995
996         [Qt] Implement IncrementalSweeper and HeapTimer
997         https://bugs.webkit.org/show_bug.cgi?id=103996
998
999         Reviewed by Simon Hausmann.
1000
1001         Implements the incremental sweeping garbage collection for the Qt platform.
1002
1003         * heap/HeapTimer.cpp:
1004         (JSC::HeapTimer::HeapTimer):
1005         (JSC::HeapTimer::~HeapTimer):
1006         (JSC::HeapTimer::timerEvent):
1007         (JSC::HeapTimer::synchronize):
1008         (JSC::HeapTimer::invalidate):
1009         (JSC::HeapTimer::didStartVMShutdown):
1010         * heap/HeapTimer.h:
1011         (HeapTimer):
1012         * heap/IncrementalSweeper.cpp:
1013         (JSC::IncrementalSweeper::IncrementalSweeper):
1014         (JSC::IncrementalSweeper::scheduleTimer):
1015         * heap/IncrementalSweeper.h:
1016         (IncrementalSweeper):
1017
1018 2013-01-28  Filip Pizlo  <fpizlo@apple.com>
1019
1020         DFG should not use a graph that is a vector, Nodes shouldn't move after allocation, and we should always refer to nodes by Node*
1021         https://bugs.webkit.org/show_bug.cgi?id=106868
1022
1023         Reviewed by Oliver Hunt.
1024         
1025         This adds a pool allocator for Nodes, and uses that instead of a Vector. Changes all
1026         uses of Node& and NodeIndex to be simply Node*. Nodes no longer have an index except
1027         for debugging (Node::index(), which is not guaranteed to be O(1)).
1028         
1029         1% speed-up on SunSpider, presumably because this improves compile times.
1030
1031         * CMakeLists.txt:
1032         * GNUmakefile.list.am:
1033         * JavaScriptCore.xcodeproj/project.pbxproj:
1034         * Target.pri:
1035         * bytecode/DataFormat.h:
1036         (JSC::dataFormatToString):
1037         * dfg/DFGAbstractState.cpp:
1038         (JSC::DFG::AbstractState::initialize):
1039         (JSC::DFG::AbstractState::booleanResult):
1040         (JSC::DFG::AbstractState::execute):
1041         (JSC::DFG::AbstractState::mergeStateAtTail):
1042         (JSC::DFG::AbstractState::mergeToSuccessors):
1043         (JSC::DFG::AbstractState::mergeVariableBetweenBlocks):
1044         (JSC::DFG::AbstractState::dump):
1045         * dfg/DFGAbstractState.h:
1046         (DFG):
1047         (JSC::DFG::AbstractState::forNode):
1048         (AbstractState):
1049         (JSC::DFG::AbstractState::speculateInt32Unary):
1050         (JSC::DFG::AbstractState::speculateNumberUnary):
1051         (JSC::DFG::AbstractState::speculateBooleanUnary):
1052         (JSC::DFG::AbstractState::speculateInt32Binary):
1053         (JSC::DFG::AbstractState::speculateNumberBinary):
1054         (JSC::DFG::AbstractState::trySetConstant):
1055         * dfg/DFGAbstractValue.h:
1056         (AbstractValue):
1057         * dfg/DFGAdjacencyList.h:
1058         (JSC::DFG::AdjacencyList::AdjacencyList):
1059         (JSC::DFG::AdjacencyList::initialize):
1060         * dfg/DFGAllocator.h: Added.
1061         (DFG):
1062         (Allocator):
1063         (JSC::DFG::Allocator::Region::size):
1064         (JSC::DFG::Allocator::Region::headerSize):
1065         (JSC::DFG::Allocator::Region::numberOfThingsPerRegion):
1066         (JSC::DFG::Allocator::Region::data):
1067         (JSC::DFG::Allocator::Region::isInThisRegion):
1068         (JSC::DFG::Allocator::Region::regionFor):
1069         (Region):
1070         (JSC::DFG::::Allocator):
1071         (JSC::DFG::::~Allocator):
1072         (JSC::DFG::::allocate):
1073         (JSC::DFG::::free):
1074         (JSC::DFG::::freeAll):
1075         (JSC::DFG::::reset):
1076         (JSC::DFG::::indexOf):
1077         (JSC::DFG::::allocatorOf):
1078         (JSC::DFG::::bumpAllocate):
1079         (JSC::DFG::::freeListAllocate):
1080         (JSC::DFG::::allocateSlow):
1081         (JSC::DFG::::freeRegionsStartingAt):
1082         (JSC::DFG::::startBumpingIn):
1083         * dfg/DFGArgumentsSimplificationPhase.cpp:
1084         (JSC::DFG::ArgumentsSimplificationPhase::run):
1085         (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
1086         (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUses):
1087         (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
1088         (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
1089         (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
1090         * dfg/DFGArrayMode.cpp:
1091         (JSC::DFG::ArrayMode::originalArrayStructure):
1092         (JSC::DFG::ArrayMode::alreadyChecked):
1093         * dfg/DFGArrayMode.h:
1094         (ArrayMode):
1095         * dfg/DFGArrayifySlowPathGenerator.h:
1096         (JSC::DFG::ArrayifySlowPathGenerator::ArrayifySlowPathGenerator):
1097         * dfg/DFGBasicBlock.h:
1098         (JSC::DFG::BasicBlock::node):
1099         (JSC::DFG::BasicBlock::isInPhis):
1100         (JSC::DFG::BasicBlock::isInBlock):
1101         (BasicBlock):
1102         * dfg/DFGBasicBlockInlines.h:
1103         (DFG):
1104         * dfg/DFGByteCodeParser.cpp:
1105         (ByteCodeParser):
1106         (JSC::DFG::ByteCodeParser::getDirect):
1107         (JSC::DFG::ByteCodeParser::get):
1108         (JSC::DFG::ByteCodeParser::setDirect):
1109         (JSC::DFG::ByteCodeParser::set):
1110         (JSC::DFG::ByteCodeParser::setPair):
1111         (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
1112         (JSC::DFG::ByteCodeParser::getLocal):
1113         (JSC::DFG::ByteCodeParser::setLocal):
1114         (JSC::DFG::ByteCodeParser::getArgument):
1115         (JSC::DFG::ByteCodeParser::setArgument):
1116         (JSC::DFG::ByteCodeParser::flushDirect):
1117         (JSC::DFG::ByteCodeParser::getToInt32):
1118         (JSC::DFG::ByteCodeParser::toInt32):
1119         (JSC::DFG::ByteCodeParser::getJSConstantForValue):
1120         (JSC::DFG::ByteCodeParser::getJSConstant):
1121         (JSC::DFG::ByteCodeParser::getCallee):
1122         (JSC::DFG::ByteCodeParser::getThis):
1123         (JSC::DFG::ByteCodeParser::setThis):
1124         (JSC::DFG::ByteCodeParser::isJSConstant):
1125         (JSC::DFG::ByteCodeParser::isInt32Constant):
1126         (JSC::DFG::ByteCodeParser::valueOfJSConstant):
1127         (JSC::DFG::ByteCodeParser::valueOfInt32Constant):
1128         (JSC::DFG::ByteCodeParser::constantUndefined):
1129         (JSC::DFG::ByteCodeParser::constantNull):
1130         (JSC::DFG::ByteCodeParser::one):
1131         (JSC::DFG::ByteCodeParser::constantNaN):
1132         (JSC::DFG::ByteCodeParser::cellConstant):
1133         (JSC::DFG::ByteCodeParser::addToGraph):
1134         (JSC::DFG::ByteCodeParser::insertPhiNode):
1135         (JSC::DFG::ByteCodeParser::addVarArgChild):
1136         (JSC::DFG::ByteCodeParser::addCall):
1137         (JSC::DFG::ByteCodeParser::addStructureTransitionCheck):
1138         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
1139         (JSC::DFG::ByteCodeParser::getPrediction):
1140         (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
1141         (JSC::DFG::ByteCodeParser::makeSafe):
1142         (JSC::DFG::ByteCodeParser::makeDivSafe):
1143         (JSC::DFG::ByteCodeParser::ConstantRecord::ConstantRecord):
1144         (ConstantRecord):
1145         (JSC::DFG::ByteCodeParser::PhiStackEntry::PhiStackEntry):
1146         (PhiStackEntry):
1147         (JSC::DFG::ByteCodeParser::handleCall):
1148         (JSC::DFG::ByteCodeParser::emitFunctionChecks):
1149         (JSC::DFG::ByteCodeParser::handleInlining):
1150         (JSC::DFG::ByteCodeParser::setIntrinsicResult):
1151         (JSC::DFG::ByteCodeParser::handleMinMax):
1152         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1153         (JSC::DFG::ByteCodeParser::handleGetByOffset):
1154         (JSC::DFG::ByteCodeParser::handleGetById):
1155         (JSC::DFG::ByteCodeParser::getScope):
1156         (JSC::DFG::ByteCodeParser::parseResolveOperations):
1157         (JSC::DFG::ByteCodeParser::parseBlock):
1158         (JSC::DFG::ByteCodeParser::processPhiStack):
1159         (JSC::DFG::ByteCodeParser::linkBlock):
1160         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1161         (JSC::DFG::ByteCodeParser::parse):
1162         * dfg/DFGCFAPhase.cpp:
1163         (JSC::DFG::CFAPhase::performBlockCFA):
1164         * dfg/DFGCFGSimplificationPhase.cpp:
1165         (JSC::DFG::CFGSimplificationPhase::run):
1166         (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
1167         (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
1168         (JSC::DFG::CFGSimplificationPhase::fixPhis):
1169         (JSC::DFG::CFGSimplificationPhase::removePotentiallyDeadPhiReference):
1170         (JSC::DFG::CFGSimplificationPhase::OperandSubstitution::OperandSubstitution):
1171         (JSC::DFG::CFGSimplificationPhase::OperandSubstitution::dump):
1172         (OperandSubstitution):
1173         (JSC::DFG::CFGSimplificationPhase::skipGetLocal):
1174         (JSC::DFG::CFGSimplificationPhase::recordNewTarget):
1175         (JSC::DFG::CFGSimplificationPhase::fixTailOperand):
1176         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
1177         * dfg/DFGCSEPhase.cpp:
1178         (JSC::DFG::CSEPhase::canonicalize):
1179         (JSC::DFG::CSEPhase::endIndexForPureCSE):
1180         (JSC::DFG::CSEPhase::pureCSE):
1181         (JSC::DFG::CSEPhase::constantCSE):
1182         (JSC::DFG::CSEPhase::weakConstantCSE):
1183         (JSC::DFG::CSEPhase::getCalleeLoadElimination):
1184         (JSC::DFG::CSEPhase::getArrayLengthElimination):
1185         (JSC::DFG::CSEPhase::globalVarLoadElimination):
1186         (JSC::DFG::CSEPhase::scopedVarLoadElimination):
1187         (JSC::DFG::CSEPhase::globalVarWatchpointElimination):
1188         (JSC::DFG::CSEPhase::globalVarStoreElimination):
1189         (JSC::DFG::CSEPhase::scopedVarStoreElimination):
1190         (JSC::DFG::CSEPhase::getByValLoadElimination):
1191         (JSC::DFG::CSEPhase::checkFunctionElimination):
1192         (JSC::DFG::CSEPhase::checkExecutableElimination):
1193         (JSC::DFG::CSEPhase::checkStructureElimination):
1194         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
1195         (JSC::DFG::CSEPhase::putStructureStoreElimination):
1196         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
1197         (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
1198         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
1199         (JSC::DFG::CSEPhase::checkArrayElimination):
1200         (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
1201         (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
1202         (JSC::DFG::CSEPhase::getLocalLoadElimination):
1203         (JSC::DFG::CSEPhase::setLocalStoreElimination):
1204         (JSC::DFG::CSEPhase::performSubstitution):
1205         (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
1206         (JSC::DFG::CSEPhase::setReplacement):
1207         (JSC::DFG::CSEPhase::eliminate):
1208         (JSC::DFG::CSEPhase::performNodeCSE):
1209         (JSC::DFG::CSEPhase::performBlockCSE):
1210         (CSEPhase):
1211         * dfg/DFGCommon.cpp: Added.
1212         (DFG):
1213         (JSC::DFG::NodePointerTraits::dump):
1214         * dfg/DFGCommon.h:
1215         (DFG):
1216         (JSC::DFG::NodePointerTraits::defaultValue):
1217         (NodePointerTraits):
1218         (JSC::DFG::verboseCompilationEnabled):
1219         (JSC::DFG::shouldDumpGraphAtEachPhase):
1220         (JSC::DFG::validationEnabled):
1221         * dfg/DFGConstantFoldingPhase.cpp:
1222         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1223         (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
1224         (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
1225         (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
1226         * dfg/DFGDisassembler.cpp:
1227         (JSC::DFG::Disassembler::Disassembler):
1228         (JSC::DFG::Disassembler::createDumpList):
1229         (JSC::DFG::Disassembler::dumpDisassembly):
1230         * dfg/DFGDisassembler.h:
1231         (JSC::DFG::Disassembler::setForNode):
1232         (Disassembler):
1233         * dfg/DFGDriver.cpp:
1234         (JSC::DFG::compile):
1235         * dfg/DFGEdge.cpp: Added.
1236         (DFG):
1237         (JSC::DFG::Edge::dump):
1238         * dfg/DFGEdge.h:
1239         (JSC::DFG::Edge::Edge):
1240         (JSC::DFG::Edge::node):
1241         (JSC::DFG::Edge::operator*):
1242         (JSC::DFG::Edge::operator->):
1243         (Edge):
1244         (JSC::DFG::Edge::setNode):
1245         (JSC::DFG::Edge::useKind):
1246         (JSC::DFG::Edge::setUseKind):
1247         (JSC::DFG::Edge::isSet):
1248         (JSC::DFG::Edge::shift):
1249         (JSC::DFG::Edge::makeWord):
1250         (JSC::DFG::operator==):
1251         (JSC::DFG::operator!=):
1252         * dfg/DFGFixupPhase.cpp:
1253         (JSC::DFG::FixupPhase::fixupBlock):
1254         (JSC::DFG::FixupPhase::fixupNode):
1255         (JSC::DFG::FixupPhase::checkArray):
1256         (JSC::DFG::FixupPhase::blessArrayOperation):
1257         (JSC::DFG::FixupPhase::fixIntEdge):
1258         (JSC::DFG::FixupPhase::fixDoubleEdge):
1259         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
1260         (FixupPhase):
1261         * dfg/DFGGenerationInfo.h:
1262         (JSC::DFG::GenerationInfo::GenerationInfo):
1263         (JSC::DFG::GenerationInfo::initConstant):
1264         (JSC::DFG::GenerationInfo::initInteger):
1265         (JSC::DFG::GenerationInfo::initJSValue):
1266         (JSC::DFG::GenerationInfo::initCell):
1267         (JSC::DFG::GenerationInfo::initBoolean):
1268         (JSC::DFG::GenerationInfo::initDouble):
1269         (JSC::DFG::GenerationInfo::initStorage):
1270         (GenerationInfo):
1271         (JSC::DFG::GenerationInfo::node):
1272         (JSC::DFG::GenerationInfo::noticeOSRBirth):
1273         (JSC::DFG::GenerationInfo::use):
1274         (JSC::DFG::GenerationInfo::appendFill):
1275         (JSC::DFG::GenerationInfo::appendSpill):
1276         * dfg/DFGGraph.cpp:
1277         (JSC::DFG::Graph::Graph):
1278         (JSC::DFG::Graph::~Graph):
1279         (DFG):
1280         (JSC::DFG::Graph::dumpCodeOrigin):
1281         (JSC::DFG::Graph::amountOfNodeWhiteSpace):
1282         (JSC::DFG::Graph::printNodeWhiteSpace):
1283         (JSC::DFG::Graph::dump):
1284         (JSC::DFG::Graph::dumpBlockHeader):
1285         (JSC::DFG::Graph::refChildren):
1286         (JSC::DFG::Graph::derefChildren):
1287         (JSC::DFG::Graph::predictArgumentTypes):
1288         (JSC::DFG::Graph::collectGarbage):
1289         (JSC::DFG::Graph::determineReachability):
1290         (JSC::DFG::Graph::resetExitStates):
1291         * dfg/DFGGraph.h:
1292         (Graph):
1293         (JSC::DFG::Graph::ref):
1294         (JSC::DFG::Graph::deref):
1295         (JSC::DFG::Graph::changeChild):
1296         (JSC::DFG::Graph::compareAndSwap):
1297         (JSC::DFG::Graph::clearAndDerefChild):
1298         (JSC::DFG::Graph::clearAndDerefChild1):
1299         (JSC::DFG::Graph::clearAndDerefChild2):
1300         (JSC::DFG::Graph::clearAndDerefChild3):
1301         (JSC::DFG::Graph::convertToConstant):
1302         (JSC::DFG::Graph::getJSConstantSpeculation):
1303         (JSC::DFG::Graph::addSpeculationMode):
1304         (JSC::DFG::Graph::valueAddSpeculationMode):
1305         (JSC::DFG::Graph::arithAddSpeculationMode):
1306         (JSC::DFG::Graph::addShouldSpeculateInteger):
1307         (JSC::DFG::Graph::mulShouldSpeculateInteger):
1308         (JSC::DFG::Graph::negateShouldSpeculateInteger):
1309         (JSC::DFG::Graph::isConstant):
1310         (JSC::DFG::Graph::isJSConstant):
1311         (JSC::DFG::Graph::isInt32Constant):
1312         (JSC::DFG::Graph::isDoubleConstant):
1313         (JSC::DFG::Graph::isNumberConstant):
1314         (JSC::DFG::Graph::isBooleanConstant):
1315         (JSC::DFG::Graph::isCellConstant):
1316         (JSC::DFG::Graph::isFunctionConstant):
1317         (JSC::DFG::Graph::isInternalFunctionConstant):
1318         (JSC::DFG::Graph::valueOfJSConstant):
1319         (JSC::DFG::Graph::valueOfInt32Constant):
1320         (JSC::DFG::Graph::valueOfNumberConstant):
1321         (JSC::DFG::Graph::valueOfBooleanConstant):
1322         (JSC::DFG::Graph::valueOfFunctionConstant):
1323         (JSC::DFG::Graph::valueProfileFor):
1324         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
1325         (JSC::DFG::Graph::numSuccessors):
1326         (JSC::DFG::Graph::successor):
1327         (JSC::DFG::Graph::successorForCondition):
1328         (JSC::DFG::Graph::isPredictedNumerical):
1329         (JSC::DFG::Graph::byValIsPure):
1330         (JSC::DFG::Graph::clobbersWorld):
1331         (JSC::DFG::Graph::varArgNumChildren):
1332         (JSC::DFG::Graph::numChildren):
1333         (JSC::DFG::Graph::varArgChild):
1334         (JSC::DFG::Graph::child):
1335         (JSC::DFG::Graph::voteNode):
1336         (JSC::DFG::Graph::voteChildren):
1337         (JSC::DFG::Graph::substitute):
1338         (JSC::DFG::Graph::substituteGetLocal):
1339         (JSC::DFG::Graph::addImmediateShouldSpeculateInteger):
1340         (JSC::DFG::Graph::mulImmediateShouldSpeculateInteger):
1341         * dfg/DFGInsertionSet.h:
1342         (JSC::DFG::Insertion::Insertion):
1343         (JSC::DFG::Insertion::element):
1344         (Insertion):
1345         (JSC::DFG::InsertionSet::insert):
1346         (InsertionSet):
1347         * dfg/DFGJITCompiler.cpp:
1348         * dfg/DFGJITCompiler.h:
1349         (JSC::DFG::JITCompiler::setForNode):
1350         (JSC::DFG::JITCompiler::addressOfDoubleConstant):
1351         (JSC::DFG::JITCompiler::noticeOSREntry):
1352         * dfg/DFGLongLivedState.cpp: Added.
1353         (DFG):
1354         (JSC::DFG::LongLivedState::LongLivedState):
1355         (JSC::DFG::LongLivedState::~LongLivedState):
1356         (JSC::DFG::LongLivedState::shrinkToFit):
1357         * dfg/DFGLongLivedState.h: Added.
1358         (DFG):
1359         (LongLivedState):
1360         * dfg/DFGMinifiedID.h:
1361         (JSC::DFG::MinifiedID::MinifiedID):
1362         (JSC::DFG::MinifiedID::node):
1363         * dfg/DFGMinifiedNode.cpp:
1364         (JSC::DFG::MinifiedNode::fromNode):
1365         * dfg/DFGMinifiedNode.h:
1366         (MinifiedNode):
1367         * dfg/DFGNode.cpp: Added.
1368         (DFG):
1369         (JSC::DFG::Node::index):
1370         (WTF):
1371         (WTF::printInternal):
1372         * dfg/DFGNode.h:
1373         (DFG):
1374         (JSC::DFG::Node::Node):
1375         (Node):
1376         (JSC::DFG::Node::convertToGetByOffset):
1377         (JSC::DFG::Node::convertToPutByOffset):
1378         (JSC::DFG::Node::ref):
1379         (JSC::DFG::Node::shouldSpeculateInteger):
1380         (JSC::DFG::Node::shouldSpeculateIntegerForArithmetic):
1381         (JSC::DFG::Node::shouldSpeculateIntegerExpectingDefined):
1382         (JSC::DFG::Node::shouldSpeculateDoubleForArithmetic):
1383         (JSC::DFG::Node::shouldSpeculateNumber):
1384         (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
1385         (JSC::DFG::Node::shouldSpeculateFinalObject):
1386         (JSC::DFG::Node::shouldSpeculateArray):
1387         (JSC::DFG::Node::dumpChildren):
1388         (WTF):
1389         * dfg/DFGNodeAllocator.h: Added.
1390         (DFG):
1391         (operator new ):
1392         * dfg/DFGOSRExit.cpp:
1393         (JSC::DFG::OSRExit::OSRExit):
1394         * dfg/DFGOSRExit.h:
1395         (OSRExit):
1396         (SpeculationFailureDebugInfo):
1397         * dfg/DFGOSRExitCompiler.cpp:
1398         * dfg/DFGOSRExitCompiler32_64.cpp:
1399         (JSC::DFG::OSRExitCompiler::compileExit):
1400         * dfg/DFGOSRExitCompiler64.cpp:
1401         (JSC::DFG::OSRExitCompiler::compileExit):
1402         * dfg/DFGOperations.cpp:
1403         * dfg/DFGPhase.cpp:
1404         (DFG):
1405         (JSC::DFG::Phase::beginPhase):
1406         (JSC::DFG::Phase::endPhase):
1407         * dfg/DFGPhase.h:
1408         (Phase):
1409         (JSC::DFG::runAndLog):
1410         * dfg/DFGPredictionPropagationPhase.cpp:
1411         (JSC::DFG::PredictionPropagationPhase::setPrediction):
1412         (JSC::DFG::PredictionPropagationPhase::mergePrediction):
1413         (JSC::DFG::PredictionPropagationPhase::isNotNegZero):
1414         (JSC::DFG::PredictionPropagationPhase::isNotZero):
1415         (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoForConstant):
1416         (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoNonRecursive):
1417         (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwo):
1418         (JSC::DFG::PredictionPropagationPhase::propagate):
1419         (JSC::DFG::PredictionPropagationPhase::mergeDefaultFlags):
1420         (JSC::DFG::PredictionPropagationPhase::propagateForward):
1421         (JSC::DFG::PredictionPropagationPhase::propagateBackward):
1422         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
1423         (PredictionPropagationPhase):
1424         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
1425         * dfg/DFGScoreBoard.h:
1426         (JSC::DFG::ScoreBoard::ScoreBoard):
1427         (JSC::DFG::ScoreBoard::use):
1428         (JSC::DFG::ScoreBoard::useIfHasResult):
1429         (ScoreBoard):
1430         * dfg/DFGSilentRegisterSavePlan.h:
1431         (JSC::DFG::SilentRegisterSavePlan::SilentRegisterSavePlan):
1432         (JSC::DFG::SilentRegisterSavePlan::node):
1433         (SilentRegisterSavePlan):
1434         * dfg/DFGSlowPathGenerator.h:
1435         (JSC::DFG::SlowPathGenerator::SlowPathGenerator):
1436         (JSC::DFG::SlowPathGenerator::generate):
1437         (SlowPathGenerator):
1438         * dfg/DFGSpeculativeJIT.cpp:
1439         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
1440         (JSC::DFG::SpeculativeJIT::speculationCheck):
1441         (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
1442         (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
1443         (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
1444         (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
1445         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
1446         (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
1447         (JSC::DFG::SpeculativeJIT::silentSpill):
1448         (JSC::DFG::SpeculativeJIT::silentFill):
1449         (JSC::DFG::SpeculativeJIT::checkArray):
1450         (JSC::DFG::SpeculativeJIT::arrayify):
1451         (JSC::DFG::SpeculativeJIT::fillStorage):
1452         (JSC::DFG::SpeculativeJIT::useChildren):
1453         (JSC::DFG::SpeculativeJIT::isStrictInt32):
1454         (JSC::DFG::SpeculativeJIT::isKnownInteger):
1455         (JSC::DFG::SpeculativeJIT::isKnownNumeric):
1456         (JSC::DFG::SpeculativeJIT::isKnownCell):
1457         (JSC::DFG::SpeculativeJIT::isKnownNotCell):
1458         (JSC::DFG::SpeculativeJIT::isKnownNotInteger):
1459         (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
1460         (JSC::DFG::SpeculativeJIT::writeBarrier):
1461         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare):
1462         (JSC::DFG::SpeculativeJIT::nonSpeculativeStrictEq):
1463         (JSC::DFG::GPRTemporary::GPRTemporary):
1464         (JSC::DFG::FPRTemporary::FPRTemporary):
1465         (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
1466         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
1467         (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
1468         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
1469         (JSC::DFG::SpeculativeJIT::noticeOSRBirth):
1470         (JSC::DFG::SpeculativeJIT::compileMovHint):
1471         (JSC::DFG::SpeculativeJIT::compile):
1472         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
1473         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
1474         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
1475         (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
1476         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1477         (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
1478         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1479         (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
1480         (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
1481         (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
1482         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
1483         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
1484         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
1485         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
1486         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
1487         (JSC::DFG::SpeculativeJIT::compileInstanceOf):
1488         (JSC::DFG::SpeculativeJIT::compileSoftModulo):
1489         (JSC::DFG::SpeculativeJIT::compileAdd):
1490         (JSC::DFG::SpeculativeJIT::compileArithSub):
1491         (JSC::DFG::SpeculativeJIT::compileArithNegate):
1492         (JSC::DFG::SpeculativeJIT::compileArithMul):
1493         (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):
1494         (JSC::DFG::SpeculativeJIT::compileArithMod):
1495         (JSC::DFG::SpeculativeJIT::compare):
1496         (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
1497         (JSC::DFG::SpeculativeJIT::compileStrictEq):
1498         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
1499         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
1500         (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
1501         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1502         (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck):
1503         (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression):
1504         (JSC::DFG::SpeculativeJIT::compileRegExpExec):
1505         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1506         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1507         * dfg/DFGSpeculativeJIT.h:
1508         (SpeculativeJIT):
1509         (JSC::DFG::SpeculativeJIT::canReuse):
1510         (JSC::DFG::SpeculativeJIT::isFilled):
1511         (JSC::DFG::SpeculativeJIT::isFilledDouble):
1512         (JSC::DFG::SpeculativeJIT::use):
1513         (JSC::DFG::SpeculativeJIT::isConstant):
1514         (JSC::DFG::SpeculativeJIT::isJSConstant):
1515         (JSC::DFG::SpeculativeJIT::isInt32Constant):
1516         (JSC::DFG::SpeculativeJIT::isDoubleConstant):
1517         (JSC::DFG::SpeculativeJIT::isNumberConstant):
1518         (JSC::DFG::SpeculativeJIT::isBooleanConstant):
1519         (JSC::DFG::SpeculativeJIT::isFunctionConstant):
1520         (JSC::DFG::SpeculativeJIT::valueOfInt32Constant):
1521         (JSC::DFG::SpeculativeJIT::valueOfNumberConstant):
1522         (JSC::DFG::SpeculativeJIT::valueOfNumberConstantAsInt32):
1523         (JSC::DFG::SpeculativeJIT::addressOfDoubleConstant):
1524         (JSC::DFG::SpeculativeJIT::valueOfJSConstant):
1525         (JSC::DFG::SpeculativeJIT::valueOfBooleanConstant):
1526         (JSC::DFG::SpeculativeJIT::valueOfFunctionConstant):
1527         (JSC::DFG::SpeculativeJIT::isNullConstant):
1528         (JSC::DFG::SpeculativeJIT::valueOfJSConstantAsImm64):
1529         (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
1530         (JSC::DFG::SpeculativeJIT::integerResult):
1531         (JSC::DFG::SpeculativeJIT::noResult):
1532         (JSC::DFG::SpeculativeJIT::cellResult):
1533         (JSC::DFG::SpeculativeJIT::booleanResult):
1534         (JSC::DFG::SpeculativeJIT::jsValueResult):
1535         (JSC::DFG::SpeculativeJIT::storageResult):
1536         (JSC::DFG::SpeculativeJIT::doubleResult):
1537         (JSC::DFG::SpeculativeJIT::initConstantInfo):
1538         (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
1539         (JSC::DFG::SpeculativeJIT::isInteger):
1540         (JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal):
1541         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
1542         (JSC::DFG::SpeculativeJIT::setNodeForOperand):
1543         (JSC::DFG::IntegerOperand::IntegerOperand):
1544         (JSC::DFG::IntegerOperand::node):
1545         (JSC::DFG::IntegerOperand::gpr):
1546         (JSC::DFG::IntegerOperand::use):
1547         (IntegerOperand):
1548         (JSC::DFG::DoubleOperand::DoubleOperand):
1549         (JSC::DFG::DoubleOperand::node):
1550         (JSC::DFG::DoubleOperand::fpr):
1551         (JSC::DFG::DoubleOperand::use):
1552         (DoubleOperand):
1553         (JSC::DFG::JSValueOperand::JSValueOperand):
1554         (JSC::DFG::JSValueOperand::node):
1555         (JSC::DFG::JSValueOperand::gpr):
1556         (JSC::DFG::JSValueOperand::fill):
1557         (JSC::DFG::JSValueOperand::use):
1558         (JSValueOperand):
1559         (JSC::DFG::StorageOperand::StorageOperand):
1560         (JSC::DFG::StorageOperand::node):
1561         (JSC::DFG::StorageOperand::gpr):
1562         (JSC::DFG::StorageOperand::use):
1563         (StorageOperand):
1564         (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
1565         (JSC::DFG::SpeculateIntegerOperand::node):
1566         (JSC::DFG::SpeculateIntegerOperand::gpr):
1567         (JSC::DFG::SpeculateIntegerOperand::use):
1568         (SpeculateIntegerOperand):
1569         (JSC::DFG::SpeculateStrictInt32Operand::SpeculateStrictInt32Operand):
1570         (JSC::DFG::SpeculateStrictInt32Operand::node):
1571         (JSC::DFG::SpeculateStrictInt32Operand::gpr):
1572         (JSC::DFG::SpeculateStrictInt32Operand::use):
1573         (SpeculateStrictInt32Operand):
1574         (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
1575         (JSC::DFG::SpeculateDoubleOperand::node):
1576         (JSC::DFG::SpeculateDoubleOperand::fpr):
1577         (JSC::DFG::SpeculateDoubleOperand::use):
1578         (SpeculateDoubleOperand):
1579         (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
1580         (JSC::DFG::SpeculateCellOperand::node):
1581         (JSC::DFG::SpeculateCellOperand::gpr):
1582         (JSC::DFG::SpeculateCellOperand::use):
1583         (SpeculateCellOperand):
1584         (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
1585         (JSC::DFG::SpeculateBooleanOperand::node):
1586         (JSC::DFG::SpeculateBooleanOperand::gpr):
1587         (JSC::DFG::SpeculateBooleanOperand::use):
1588         (SpeculateBooleanOperand):
1589         * dfg/DFGSpeculativeJIT32_64.cpp:
1590         (JSC::DFG::SpeculativeJIT::fillInteger):
1591         (JSC::DFG::SpeculativeJIT::fillDouble):
1592         (JSC::DFG::SpeculativeJIT::fillJSValue):
1593         (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
1594         (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
1595         (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
1596         (JSC::DFG::SpeculativeJIT::cachedPutById):
1597         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
1598         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
1599         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
1600         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1601         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
1602         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
1603         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
1604         (JSC::DFG::SpeculativeJIT::emitCall):
1605         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1606         (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
1607         (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
1608         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1609         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1610         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1611         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1612         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1613         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1614         (JSC::DFG::SpeculativeJIT::compileIntegerCompare):
1615         (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
1616         (JSC::DFG::SpeculativeJIT::compileValueAdd):
1617         (JSC::DFG::SpeculativeJIT::compileNonStringCellOrOtherLogicalNot):
1618         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1619         (JSC::DFG::SpeculativeJIT::emitNonStringCellOrOtherBranch):
1620         (JSC::DFG::SpeculativeJIT::emitBranch):
1621         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
1622         (JSC::DFG::SpeculativeJIT::compile):
1623         * dfg/DFGSpeculativeJIT64.cpp:
1624         (JSC::DFG::SpeculativeJIT::fillInteger):
1625         (JSC::DFG::SpeculativeJIT::fillDouble):
1626         (JSC::DFG::SpeculativeJIT::fillJSValue):
1627         (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
1628         (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
1629         (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
1630         (JSC::DFG::SpeculativeJIT::cachedPutById):
1631         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
1632         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
1633         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
1634         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1635         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
1636         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
1637         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
1638         (JSC::DFG::SpeculativeJIT::emitCall):
1639         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1640         (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
1641         (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
1642         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1643         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1644         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1645         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1646         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1647         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1648         (JSC::DFG::SpeculativeJIT::compileIntegerCompare):
1649         (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
1650         (JSC::DFG::SpeculativeJIT::compileValueAdd):
1651         (JSC::DFG::SpeculativeJIT::compileNonStringCellOrOtherLogicalNot):
1652         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1653         (JSC::DFG::SpeculativeJIT::emitNonStringCellOrOtherBranch):
1654         (JSC::DFG::SpeculativeJIT::emitBranch):
1655         (JSC::DFG::SpeculativeJIT::compile):
1656         * dfg/DFGStructureAbstractValue.h:
1657         (StructureAbstractValue):
1658         * dfg/DFGStructureCheckHoistingPhase.cpp:
1659         (JSC::DFG::StructureCheckHoistingPhase::run):
1660         * dfg/DFGValidate.cpp:
1661         (DFG):
1662         (Validate):
1663         (JSC::DFG::Validate::validate):
1664         (JSC::DFG::Validate::reportValidationContext):
1665         * dfg/DFGValidate.h:
1666         * dfg/DFGValueSource.cpp:
1667         (JSC::DFG::ValueSource::dump):
1668         * dfg/DFGValueSource.h:
1669         (JSC::DFG::ValueSource::ValueSource):
1670         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
1671         (JSC::DFG::VirtualRegisterAllocationPhase::run):
1672         * runtime/FunctionExecutableDump.cpp: Added.
1673         (JSC):
1674         (JSC::FunctionExecutableDump::dump):
1675         * runtime/FunctionExecutableDump.h: Added.
1676         (JSC):
1677         (FunctionExecutableDump):
1678         (JSC::FunctionExecutableDump::FunctionExecutableDump):
1679         * runtime/JSGlobalData.cpp:
1680         (JSC::JSGlobalData::JSGlobalData):
1681         * runtime/JSGlobalData.h:
1682         (JSC):
1683         (DFG):
1684         (JSGlobalData):
1685         * runtime/Options.h:
1686         (JSC):
1687
1688 2013-01-28  Laszlo Gombos  <l.gombos@samsung.com>
1689
1690         Collapse testing for a list of PLATFORM() into OS() and USE() tests
1691         https://bugs.webkit.org/show_bug.cgi?id=108018
1692
1693         Reviewed by Eric Seidel.
1694
1695         No functional change, as "OS(DARWIN) && USE(CF)" is equivalent to the
1696         following platforms: MAC, WX, QT and CHROMIUM. CHROMIUM
1697         is not using JavaScriptCore.
1698
1699         * runtime/DatePrototype.cpp:
1700         (JSC):
1701
1702 2013-01-28  Geoffrey Garen  <ggaren@apple.com>
1703
1704         Static size inference for JavaScript objects
1705         https://bugs.webkit.org/show_bug.cgi?id=108093
1706
1707         Reviewed by Phil Pizlo.
1708
1709         * API/JSObjectRef.cpp:
1710         * JavaScriptCore.order:
1711         * JavaScriptCore.xcodeproj/project.pbxproj: Pay the tax man.
1712
1713         * bytecode/CodeBlock.cpp:
1714         (JSC::CodeBlock::dumpBytecode): op_new_object and op_create_this now
1715         have an extra inferredInlineCapacity argument. This is the statically
1716         inferred inline capacity, just from analyzing source text. op_new_object
1717         also gets a pointer to an allocation profile. (For op_create_this, the
1718         profile is in the constructor function.)
1719
1720         (JSC::CodeBlock::CodeBlock): Link op_new_object.
1721
1722         (JSC::CodeBlock::stronglyVisitStrongReferences): Mark our profiles.
1723
1724         * bytecode/CodeBlock.h:
1725         (CodeBlock): Removed some dead code. Added object allocation profiles.
1726
1727         * bytecode/Instruction.h:
1728         (JSC): New union type, since an instruction operand may point to an
1729         object allocation profile now.
1730
1731         * bytecode/ObjectAllocationProfile.h: Added.
1732         (JSC):
1733         (ObjectAllocationProfile):
1734         (JSC::ObjectAllocationProfile::offsetOfAllocator):
1735         (JSC::ObjectAllocationProfile::offsetOfStructure):
1736         (JSC::ObjectAllocationProfile::ObjectAllocationProfile):
1737         (JSC::ObjectAllocationProfile::isNull):
1738         (JSC::ObjectAllocationProfile::initialize):
1739         (JSC::ObjectAllocationProfile::structure):
1740         (JSC::ObjectAllocationProfile::inlineCapacity):
1741         (JSC::ObjectAllocationProfile::clear):
1742         (JSC::ObjectAllocationProfile::visitAggregate):
1743         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount): New class
1744         for tracking a prediction about object allocation: structure, inline
1745         capacity, allocator to use.
1746
1747         * bytecode/Opcode.h:
1748         (JSC):
1749         (JSC::padOpcodeName): Updated instruction sizes.
1750
1751         * bytecode/UnlinkedCodeBlock.cpp:
1752         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1753         * bytecode/UnlinkedCodeBlock.h:
1754         (JSC):
1755         (JSC::UnlinkedCodeBlock::addObjectAllocationProfile):
1756         (JSC::UnlinkedCodeBlock::numberOfObjectAllocationProfiles):
1757         (UnlinkedCodeBlock): Unlinked support for allocation profiles.
1758
1759         * bytecompiler/BytecodeGenerator.cpp:
1760         (JSC::BytecodeGenerator::generate): Kill all remaining analyses at the
1761         end of codegen, since this is our last opportunity.
1762
1763         (JSC::BytecodeGenerator::BytecodeGenerator): Added a static property
1764         analyzer to bytecode generation. It tracks initializing assignments and
1765         makes a guess about how many will happen.
1766
1767         (JSC::BytecodeGenerator::newObjectAllocationProfile):
1768         (JSC):
1769         (JSC::BytecodeGenerator::emitProfiledOpcode):
1770         (JSC::BytecodeGenerator::emitMove):
1771         (JSC::BytecodeGenerator::emitResolve):
1772         (JSC::BytecodeGenerator::emitResolveBase):
1773         (JSC::BytecodeGenerator::emitResolveBaseForPut):
1774         (JSC::BytecodeGenerator::emitResolveWithBaseForPut):
1775         (JSC::BytecodeGenerator::emitResolveWithThis):
1776         (JSC::BytecodeGenerator::emitGetById):
1777         (JSC::BytecodeGenerator::emitPutById):
1778         (JSC::BytecodeGenerator::emitDirectPutById):
1779         (JSC::BytecodeGenerator::emitPutGetterSetter):
1780         (JSC::BytecodeGenerator::emitGetArgumentByVal):
1781         (JSC::BytecodeGenerator::emitGetByVal): Added hooks to the static property
1782         analyzer, so it can observe allocations and stores.
1783
1784         (JSC::BytecodeGenerator::emitCreateThis): Factored this into a helper
1785         function because it was a significant amount of logic, and I wanted to
1786         add to it.
1787
1788         (JSC::BytecodeGenerator::emitNewObject):
1789         (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
1790         (JSC::BytecodeGenerator::emitCall):
1791         (JSC::BytecodeGenerator::emitCallVarargs):
1792         (JSC::BytecodeGenerator::emitConstruct): Added a hook to profiled opcodes
1793         to track their stores, in case a store kills a profiled allocation. Since
1794         profiled opcodes are basically the only interesting stores we do, this
1795         is a convenient place to notice any store that might kill an allocation.
1796
1797         * bytecompiler/BytecodeGenerator.h:
1798         (BytecodeGenerator): As above.
1799
1800         * bytecompiler/StaticPropertyAnalysis.h: Added.
1801         (JSC):
1802         (StaticPropertyAnalysis):
1803         (JSC::StaticPropertyAnalysis::create):
1804         (JSC::StaticPropertyAnalysis::addPropertyIndex):
1805         (JSC::StaticPropertyAnalysis::record):
1806         (JSC::StaticPropertyAnalysis::propertyIndexCount):
1807         (JSC::StaticPropertyAnalysis::StaticPropertyAnalysis): Simple helper
1808         class for tracking allocations and stores.
1809
1810         * bytecompiler/StaticPropertyAnalyzer.h: Added.
1811         (StaticPropertyAnalyzer):
1812         (JSC::StaticPropertyAnalyzer::StaticPropertyAnalyzer):
1813         (JSC::StaticPropertyAnalyzer::createThis):
1814         (JSC::StaticPropertyAnalyzer::newObject):
1815         (JSC::StaticPropertyAnalyzer::putById):
1816         (JSC::StaticPropertyAnalyzer::mov):
1817         (JSC::StaticPropertyAnalyzer::kill): Helper class for observing allocations
1818         and stores and making an inline capacity guess. The heuristics here are
1819         intentionally minimal because we don't want this one class to try to
1820         re-create something like a DFG or a runtime analysis. If we discover that
1821         we need those kinds of analyses, we should just replace this class with
1822         something else.
1823
1824         This class tracks multiple registers that alias the same object -- that
1825         happens a lot, when moving locals into temporary registers -- but it
1826         doesn't track control flow or multiple objects that alias the same register.
1827
1828         * dfg/DFGAbstractState.cpp:
1829         (JSC::DFG::AbstractState::execute): Updated for rename.
1830
1831         * dfg/DFGByteCodeParser.cpp:
1832         (JSC::DFG::ByteCodeParser::parseBlock): Updated for inline capacity and
1833         allocation profile.
1834
1835         * dfg/DFGNode.h:
1836         (JSC::DFG::Node::hasInlineCapacity):
1837         (Node):
1838         (JSC::DFG::Node::inlineCapacity):
1839         (JSC::DFG::Node::hasFunction): Give the graph a good way to represent
1840         inline capacity for an allocation.
1841
1842         * dfg/DFGNodeType.h:
1843         (DFG): Updated for rename.
1844
1845         * dfg/DFGOperations.cpp: Updated for interface change.
1846
1847         * dfg/DFGOperations.h: We pass the inline capacity to the slow case as
1848         an argument. This is the simplest way, since it's stored as a bytecode operand.
1849
1850         * dfg/DFGPredictionPropagationPhase.cpp:
1851         (JSC::DFG::PredictionPropagationPhase::propagate): Updated for rename.
1852
1853         * dfg/DFGRepatch.cpp:
1854         (JSC::DFG::tryCacheGetByID): Fixed a horrible off-by-one-half bug that only
1855         appears when doing an inline cached load for property number 64 on a 32-bit
1856         system. In JSVALUE32_64 land, "offsetRelativeToPatchedStorage" is the
1857         offset of the 64-bit JSValue -- but we'll actually issue two loads, one for
1858         the payload at that offset, and one for the tag at that offset + 4. We need
1859         to ensure that both loads have a compact representation, or we'll corrupt
1860         the instruction stream.
1861
1862         * dfg/DFGSpeculativeJIT.cpp:
1863         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
1864         * dfg/DFGSpeculativeJIT.h:
1865         (JSC::DFG::SpeculativeJIT::callOperation):
1866         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
1867         (SpeculativeJIT):
1868         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1869         * dfg/DFGSpeculativeJIT32_64.cpp:
1870         (JSC::DFG::SpeculativeJIT::compile):
1871         * dfg/DFGSpeculativeJIT64.cpp:
1872         (JSC::DFG::SpeculativeJIT::compile): Lots of refactoring to support
1873         passing an allocator to our allocation function, and/or passing a Structure
1874         as a register instead of an immediate.
1875
1876         * heap/MarkedAllocator.h:
1877         (DFG):
1878         (MarkedAllocator):
1879         (JSC::MarkedAllocator::offsetOfFreeListHead): Added an accessor to simplify
1880         JIT code generation of allocation from an arbitrary allocator.
1881
1882         * jit/JIT.h:
1883         (JSC):
1884         * jit/JITInlines.h:
1885         (JSC):
1886         (JSC::JIT::emitAllocateJSObject):
1887         * jit/JITOpcodes.cpp:
1888         (JSC::JIT::emit_op_new_object):
1889         (JSC::JIT::emitSlow_op_new_object):
1890         (JSC::JIT::emit_op_create_this):
1891         (JSC::JIT::emitSlow_op_create_this):
1892         * jit/JITOpcodes32_64.cpp:
1893         (JSC::JIT::emit_op_new_object):
1894         (JSC::JIT::emitSlow_op_new_object):
1895         (JSC::JIT::emit_op_create_this):
1896         (JSC::JIT::emitSlow_op_create_this): Same refactoring as done for the DFG.
1897
1898         * jit/JITStubs.cpp:
1899         (JSC::tryCacheGetByID): Fixed the same bug mentioned above.
1900
1901         (JSC::DEFINE_STUB_FUNCTION): Updated for interface changes.
1902
1903         * llint/LLIntData.cpp:
1904         (JSC::LLInt::Data::performAssertions): Updated for interface changes.
1905
1906         * llint/LLIntSlowPaths.cpp:
1907         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1908         * llint/LowLevelInterpreter.asm:
1909         * llint/LowLevelInterpreter32_64.asm:
1910         * llint/LowLevelInterpreter64.asm: Same refactoring as for the JITs.
1911
1912         * profiler/ProfilerBytecode.cpp:
1913         * profiler/ProfilerBytecodes.cpp:
1914         * profiler/ProfilerCompilation.cpp:
1915         * profiler/ProfilerCompiledBytecode.cpp:
1916         * profiler/ProfilerDatabase.cpp:
1917         * profiler/ProfilerOSRExit.cpp:
1918         * profiler/ProfilerOrigin.cpp:
1919         * profiler/ProfilerProfiledBytecodes.cpp: Include ObjectConstructor.h
1920         because that's where createEmptyObject() lives now.
1921
1922         * runtime/Executable.h:
1923         (JSC::JSFunction::JSFunction): Updated for rename.
1924
1925         * runtime/JSCellInlines.h:
1926         (JSC::allocateCell): Updated to match the allocator selection code in
1927         the JIT, so it's clearer that both are correct.
1928
1929         * runtime/JSFunction.cpp:
1930         (JSC::JSFunction::JSFunction):
1931         (JSC::JSFunction::createAllocationProfile):
1932         (JSC::JSFunction::visitChildren):
1933         (JSC::JSFunction::getOwnPropertySlot):
1934         (JSC::JSFunction::put):
1935         (JSC::JSFunction::defineOwnProperty):
1936         (JSC::JSFunction::getConstructData):
1937         * runtime/JSFunction.h:
1938         (JSC::JSFunction::offsetOfScopeChain):
1939         (JSC::JSFunction::offsetOfExecutable):
1940         (JSC::JSFunction::offsetOfAllocationProfile):
1941         (JSC::JSFunction::allocationProfile):
1942         (JSFunction):
1943         (JSC::JSFunction::tryGetAllocationProfile):
1944         (JSC::JSFunction::addAllocationProfileWatchpoint): Changed inheritorID
1945         data member to be an ObjectAllocationProfile, which includes a pointer
1946         to the desired allocator. This simplifies JIT code, since we don't have
1947         to compute the allocator on the fly. I verified by code inspection that
1948         JSFunction is still only 64 bytes.
1949
1950         * runtime/JSGlobalObject.cpp:
1951         (JSC::JSGlobalObject::reset):
1952         (JSC::JSGlobalObject::visitChildren):
1953         * runtime/JSGlobalObject.h:
1954         (JSGlobalObject):
1955         (JSC::JSGlobalObject::dateStructure): No direct pointer to the empty
1956         object structure anymore, because now clients need to specify how much
1957         inline capacity they want.
1958
1959         * runtime/JSONObject.cpp:
1960         * runtime/JSObject.h:
1961         (JSC):
1962         (JSFinalObject):
1963         (JSC::JSFinalObject::defaultInlineCapacity):
1964         (JSC::JSFinalObject::maxInlineCapacity):
1965         (JSC::JSFinalObject::createStructure): A little refactoring to try to 
1966         clarify where some of these constants derive from.
1967
1968         (JSC::maxOffsetRelativeToPatchedStorage): Used for bug fix, above.
1969
1970         * runtime/JSProxy.cpp:
1971         (JSC::JSProxy::setTarget): Ugly, but effective.
1972
1973         * runtime/LiteralParser.cpp:
1974         * runtime/ObjectConstructor.cpp:
1975         (JSC::constructObject):
1976         (JSC::constructWithObjectConstructor):
1977         (JSC::callObjectConstructor):
1978         (JSC::objectConstructorCreate): Updated for interface changes.
1979
1980         * runtime/ObjectConstructor.h:
1981         (JSC::constructEmptyObject): Clarified your options for how to allocate
1982         an empty object, to emphasize what things can actually vary.
1983
1984         * runtime/PropertyOffset.h: These constants have moved because they're
1985         really higher level concepts to do with the layout of objects and the
1986         collector. PropertyOffset is just an abstract number line, independent
1987         of those things.
1988
1989         * runtime/PrototypeMap.cpp:
1990         (JSC::PrototypeMap::emptyObjectStructureForPrototype):
1991         (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
1992         * runtime/PrototypeMap.h:
1993         (PrototypeMap): The map key is now a pair of prototype and inline capacity,
1994         since Structure encodes inline capacity.
1995
1996         * runtime/Structure.cpp:
1997         (JSC::Structure::Structure):
1998         (JSC::Structure::materializePropertyMap):
1999         (JSC::Structure::addPropertyTransition):
2000         (JSC::Structure::nonPropertyTransition):
2001         (JSC::Structure::copyPropertyTableForPinning):
2002         * runtime/Structure.h:
2003         (Structure):
2004         (JSC::Structure::totalStorageSize):
2005         (JSC::Structure::transitionCount):
2006         (JSC::Structure::create): Fixed a nasty refactoring bug that only shows
2007         up after enabling variable-sized inline capacities: we were passing our
2008         type info where our inline capacity was expected. The compiler didn't
2009         notice because both have type int :(.
2010
2011 2013-01-28  Oliver Hunt  <oliver@apple.com>
2012
2013         Add more assertions to the property storage use in arrays
2014         https://bugs.webkit.org/show_bug.cgi?id=107728
2015
2016         Reviewed by Filip Pizlo.
2017
2018         Add a bunch of assertions to array and object butterfly
2019         usage.  This should make debugging somewhat easier.
2020
2021         I also converted a couple of assertions to release asserts
2022         as they were so low cost it seemed a sensible thing to do.
2023
2024         * runtime/JSArray.cpp:
2025         (JSC::JSArray::sortVector):
2026         (JSC::JSArray::compactForSorting):
2027         * runtime/JSObject.h:
2028         (JSC::JSObject::getHolyIndexQuickly):
2029
2030 2013-01-28  Adam Barth  <abarth@webkit.org>
2031
2032         Remove webkitNotifications.createHTMLNotification
2033         https://bugs.webkit.org/show_bug.cgi?id=107598
2034
2035         Reviewed by Benjamin Poulain.
2036
2037         * Configurations/FeatureDefines.xcconfig:
2038
2039 2013-01-28  Michael Saboff  <msaboff@apple.com>
2040
2041         Cleanup ARM version of debugName() in DFGFPRInfo.h
2042         https://bugs.webkit.org/show_bug.cgi?id=108090
2043
2044         Reviewed by David Kilzer.
2045
2046         Fixed debugName() so it will compile by adding static_cast<int> and missing commas.
2047
2048         * dfg/DFGFPRInfo.h:
2049         (JSC::DFG::FPRInfo::debugName):
2050
2051 2013-01-27  Andreas Kling  <akling@apple.com>
2052
2053         JSC: FunctionParameters are memory hungry.
2054         <http://webkit.org/b/108033>
2055         <rdar://problem/13094803>
2056
2057         Reviewed by Sam Weinig.
2058
2059         Instead of inheriting from Vector<Identifier>, make FunctionParameters a simple fixed-size array
2060         with a custom-allocating create() function. Removes one step of indirection and cuts memory usage
2061         roughly in half.
2062
2063         2.73 MB progression on Membuster3.
2064
2065         * bytecode/UnlinkedCodeBlock.cpp:
2066         (JSC::UnlinkedFunctionExecutable::paramString):
2067         * bytecompiler/BytecodeGenerator.cpp:
2068         (JSC::BytecodeGenerator::BytecodeGenerator):
2069         * parser/Nodes.cpp:
2070         (JSC::FunctionParameters::create):
2071         (JSC::FunctionParameters::FunctionParameters):
2072         (JSC::FunctionParameters::~FunctionParameters):
2073         * parser/Nodes.h:
2074         (FunctionParameters):
2075         (JSC::FunctionParameters::size):
2076         (JSC::FunctionParameters::at):
2077         (JSC::FunctionParameters::identifiers):
2078
2079 2013-01-27  Andreas Kling  <akling@apple.com>
2080
2081         JSC: SourceProviderCache is memory hungry.
2082         <http://webkit.org/b/108029>
2083         <rdar://problem/13094806>
2084
2085         Reviewed by Sam Weinig.
2086
2087         Use fixed-size arrays for SourceProviderCacheItem's lists of captured variables.
2088         Since the lists never change after the object is created, there's no need to keep them in Vectors
2089         and we can instead create the whole cache item in a single allocation.
2090
2091         13.37 MB progression on Membuster3.
2092
2093         * parser/Parser.cpp:
2094         (JSC::::parseFunctionInfo):
2095         * parser/Parser.h:
2096         (JSC::Scope::copyCapturedVariablesToVector):
2097         (JSC::Scope::fillParametersForSourceProviderCache):
2098         (JSC::Scope::restoreFromSourceProviderCache):
2099         * parser/SourceProviderCacheItem.h:
2100         (SourceProviderCacheItemCreationParameters):
2101         (SourceProviderCacheItem):
2102         (JSC::SourceProviderCacheItem::approximateByteSize):
2103         (JSC::SourceProviderCacheItem::usedVariables):
2104         (JSC::SourceProviderCacheItem::writtenVariables):
2105         (JSC::SourceProviderCacheItem::~SourceProviderCacheItem):
2106         (JSC::SourceProviderCacheItem::create):
2107         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
2108
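The two Kling entries above both describe the same technique: a header and its fixed-size element array carved out of one allocation, instead of a separate Vector buffer. The following is an added example written for this page, not JavaScriptCore's FunctionParameters or SourceProviderCacheItem. It uses std::string as a stand-in for Identifier and shows the two details a practitioner would want to see in such code: the size computation checked for overflow before malloc, and a bounds check on at() that survives release builds, since an out-of-range index would otherwise read past the single block.

```cpp
#include <cstddef>
#include <cstdlib>
#include <limits>
#include <new>
#include <string>

// A fixed-size list of identifiers whose header and elements share one allocation.
// The class is this example's own; it is not JavaScriptCore's FunctionParameters.
class FixedIdentifierList {
public:
    typedef std::string Identifier; // stand-in for JSC's Identifier

    // Overflow-checked size of header plus count elements; false if it does not fit in size_t.
    static bool allocationSize(size_t count, size_t& bytes)
    {
        const size_t header = sizeof(FixedIdentifierList);
        const size_t maxCount = (std::numeric_limits<size_t>::max() - header) / sizeof(Identifier);
        if (count > maxCount)
            return false;
        bytes = header + count * sizeof(Identifier);
        return true;
    }

    // One malloc for the whole object; elements are copy-constructed in place after the header.
    static FixedIdentifierList* create(const Identifier* source, size_t count)
    {
        size_t bytes = 0;
        if (!allocationSize(count, bytes))
            return 0;
        void* memory = std::malloc(bytes);
        if (!memory)
            return 0;
        return new (memory) FixedIdentifierList(source, count);
    }

    // Mirror of create(): destroys the elements, then frees the single block.
    static void destroy(FixedIdentifierList* list)
    {
        if (!list)
            return;
        list->~FixedIdentifierList();
        std::free(list);
    }

    size_t size() const { return m_size; }

    // The bounds check stays in release builds: a bad index crashes instead of reading past the block.
    const Identifier& at(size_t index) const
    {
        if (index >= m_size)
            std::abort();
        return identifiers()[index];
    }

    // Footprint of this object, in the spirit of approximateByteSize().
    size_t byteSize() const { return sizeof(FixedIdentifierList) + m_size * sizeof(Identifier); }

private:
    FixedIdentifierList(const Identifier* source, size_t count)
        : m_size(count)
    {
        Identifier* storage = identifiers();
        for (size_t i = 0; i < count; ++i)
            new (&storage[i]) Identifier(source[i]);
    }

    ~FixedIdentifierList()
    {
        Identifier* storage = identifiers();
        for (size_t i = 0; i < m_size; ++i)
            storage[i].~Identifier();
    }

    // The elements begin immediately after the header.
    Identifier* identifiers() { return reinterpret_cast<Identifier*>(this + 1); }
    const Identifier* identifiers() const { return reinterpret_cast<const Identifier*>(this + 1); }

    size_t m_size;
};

// The trailing array is only correctly aligned if the header is at least as strictly aligned.
static_assert(alignof(FixedIdentifierList) >= alignof(FixedIdentifierList::Identifier),
    "header alignment must cover the element type");
```

create() and destroy() must be used as a pair: a plain delete on the pointer would mismatch malloc, and forgetting the element destructors would leak every string. The static_assert is what makes the `this + 1` arithmetic legitimate; an element type with stricter alignment than the header would need padding computed explicitly.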
2109 2013-01-27  Zoltan Arvai  <zarvai@inf.u-szeged.hu>
2110
2111         Fixing atomicIncrement implementation for Windows by dropping support before XP SP2.
2112         https://bugs.webkit.org/show_bug.cgi?id=106740
2113
2114         Reviewed by Benjamin Poulain.
2115
2116         * config.h:
2117
2118 2013-01-25  Filip Pizlo  <fpizlo@apple.com>
2119
2120         DFG variable event stream shouldn't use NodeIndex
2121         https://bugs.webkit.org/show_bug.cgi?id=107996
2122
2123         Reviewed by Oliver Hunt.
2124         
2125         Introduce the notion of a DFG::MinifiedID, which is just a unique ID of a DFG Node.
2126         Internally it currently uses a NodeIndex, but we could change this without having
2127         to recode all of the users of MinifiedID. This effectively decouples the OSR exit
2128         compiler's way of identifying nodes from the speculative JIT's way of identifying
2129         nodes, and should make it easier to make changes to the speculative JIT's internals
2130         in the future.
2131         
2132         Also changed variable event stream logging to exclude information about births and
2133         deaths of constants, since the OSR exit compiler never cares about which register
2134         holds a constant; if a value is constant then the OSR exit compiler can reify it.
2135         
2136         Also changed the variable event stream's value recovery computation to use a
2137         HashMap keyed by MinifiedID rather than a Vector indexed by NodeIndex.
2138         
2139         This appears to be performance-neutral. It's primarily meant as a small step
2140         towards https://bugs.webkit.org/show_bug.cgi?id=106868.
2141
2142         * GNUmakefile.list.am:
2143         * JavaScriptCore.xcodeproj/project.pbxproj:
2144         * dfg/DFGGenerationInfo.h:
2145         (JSC::DFG::GenerationInfo::GenerationInfo):
2146         (JSC::DFG::GenerationInfo::initConstant):
2147         (JSC::DFG::GenerationInfo::initInteger):
2148         (JSC::DFG::GenerationInfo::initJSValue):
2149         (JSC::DFG::GenerationInfo::initCell):
2150         (JSC::DFG::GenerationInfo::initBoolean):
2151         (JSC::DFG::GenerationInfo::initDouble):
2152         (JSC::DFG::GenerationInfo::initStorage):
2153         (JSC::DFG::GenerationInfo::noticeOSRBirth):
2154         (JSC::DFG::GenerationInfo::use):
2155         (JSC::DFG::GenerationInfo::appendFill):
2156         (JSC::DFG::GenerationInfo::appendSpill):
2157         (GenerationInfo):
2158         * dfg/DFGJITCompiler.cpp:
2159         (JSC::DFG::JITCompiler::link):
2160         * dfg/DFGMinifiedGraph.h:
2161         (JSC::DFG::MinifiedGraph::at):
2162         (MinifiedGraph):
2163         * dfg/DFGMinifiedID.h: Added.
2164         (DFG):
2165         (MinifiedID):
2166         (JSC::DFG::MinifiedID::MinifiedID):
2167         (JSC::DFG::MinifiedID::operator!):
2168         (JSC::DFG::MinifiedID::nodeIndex):
2169         (JSC::DFG::MinifiedID::operator==):
2170         (JSC::DFG::MinifiedID::operator!=):
2171         (JSC::DFG::MinifiedID::operator<):
2172         (JSC::DFG::MinifiedID::operator>):
2173         (JSC::DFG::MinifiedID::operator<=):
2174         (JSC::DFG::MinifiedID::operator>=):
2175         (JSC::DFG::MinifiedID::hash):
2176         (JSC::DFG::MinifiedID::dump):
2177         (JSC::DFG::MinifiedID::isHashTableDeletedValue):
2178         (JSC::DFG::MinifiedID::invalidID):
2179         (JSC::DFG::MinifiedID::otherInvalidID):
2180         (JSC::DFG::MinifiedID::fromBits):
2181         (JSC::DFG::MinifiedIDHash::hash):
2182         (JSC::DFG::MinifiedIDHash::equal):
2183         (MinifiedIDHash):
2184         (WTF):
2185         * dfg/DFGMinifiedNode.cpp:
2186         (JSC::DFG::MinifiedNode::fromNode):
2187         * dfg/DFGMinifiedNode.h:
2188         (JSC::DFG::MinifiedNode::id):
2189         (JSC::DFG::MinifiedNode::child1):
2190         (JSC::DFG::MinifiedNode::getID):
2191         (JSC::DFG::MinifiedNode::compareByNodeIndex):
2192         (MinifiedNode):
2193         * dfg/DFGSpeculativeJIT.cpp:
2194         (JSC::DFG::SpeculativeJIT::compileMovHint):
2195         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
2196         * dfg/DFGSpeculativeJIT.h:
2197         (JSC::DFG::SpeculativeJIT::setNodeIndexForOperand):
2198         * dfg/DFGValueSource.cpp:
2199         (JSC::DFG::ValueSource::dump):
2200         * dfg/DFGValueSource.h:
2201         (JSC::DFG::ValueSource::ValueSource):
2202         (JSC::DFG::ValueSource::isSet):
2203         (JSC::DFG::ValueSource::kind):
2204         (JSC::DFG::ValueSource::id):
2205         (ValueSource):
2206         (JSC::DFG::ValueSource::idFromKind):
2207         (JSC::DFG::ValueSource::kindFromID):
2208         * dfg/DFGVariableEvent.cpp:
2209         (JSC::DFG::VariableEvent::dump):
2210         (JSC::DFG::VariableEvent::dumpFillInfo):
2211         (JSC::DFG::VariableEvent::dumpSpillInfo):
2212         * dfg/DFGVariableEvent.h:
2213         (JSC::DFG::VariableEvent::fillGPR):
2214         (JSC::DFG::VariableEvent::fillPair):
2215         (JSC::DFG::VariableEvent::fillFPR):
2216         (JSC::DFG::VariableEvent::spill):
2217         (JSC::DFG::VariableEvent::death):
2218         (JSC::DFG::VariableEvent::movHint):
2219         (JSC::DFG::VariableEvent::id):
2220         (VariableEvent):
2221         * dfg/DFGVariableEventStream.cpp:
2222         (DFG):
2223         (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
2224         (JSC::DFG::VariableEventStream::reconstruct):
2225         * dfg/DFGVariableEventStream.h:
2226         (VariableEventStream):
2227
2228 2013-01-25  Roger Fong  <roger_fong@apple.com>
2229
2230         Unreviewed. Rename LLInt projects folder and make appropriate changes to solutions.
2231
2232         * JavaScriptCore.vcxproj/JavaScriptCore.sln:
2233         * JavaScriptCore.vcxproj/LLInt: Copied from JavaScriptCore.vcxproj/LLInt.vcproj.
2234         * JavaScriptCore.vcxproj/LLInt.vcproj: Removed.
2235         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly: Removed.
2236         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.make: Removed.
2237         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj: Removed.
2238         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj.user: Removed.
2239         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/build-LLIntAssembly.sh: Removed.
2240         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets: Removed.
2241         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.make: Removed.
2242         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: Removed.
2243         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj.user: Removed.
2244         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Removed.
2245         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor: Removed.
2246         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj: Removed.
2247         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj.user: Removed.
2248         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: Removed.
2249         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props: Removed.
2250         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.props: Removed.
2251
2252 2013-01-24  Roger Fong  <roger_fong@apple.com>
2253
2254         VS2010 JavaScriptCore: Clean up property sheets, add a JSC solution, add testRegExp and testAPI projects.
2255         https://bugs.webkit.org/show_bug.cgi?id=106987
2256
2257         Reviewed by Brent Fulgham.
2258
2259         * JavaScriptCore.vcxproj/JavaScriptCore.sln: Added.
2260         * JavaScriptCore.vcxproj/JavaScriptCoreCF.props:
2261         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
2262         * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd:
2263         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
2264         * JavaScriptCore.vcxproj/jsc/jscCommon.props:
2265         * JavaScriptCore.vcxproj/jsc/jscDebug.props:
2266         * JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd:
2267         * JavaScriptCore.vcxproj/jsc/jscPreLink.cmd:
2268         * JavaScriptCore.vcxproj/testRegExp: Added.
2269         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Added.
2270         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj.filters: Added.
2271         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj.user: Added.
2272         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props: Added.
2273         * JavaScriptCore.vcxproj/testRegExp/testRegExpDebug.props: Added.
2274         * JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd: Added.
2275         * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd: Added.
2276         * JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd: Added.
2277         * JavaScriptCore.vcxproj/testRegExp/testRegExpRelease.props: Added.
2278         * JavaScriptCore.vcxproj/testapi: Added.
2279         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Added.
2280         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters: Added.
2281         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.user: Added.
2282         * JavaScriptCore.vcxproj/testapi/testapiCommon.props: Added.
2283         * JavaScriptCore.vcxproj/testapi/testapiDebug.props: Added.
2284         * JavaScriptCore.vcxproj/testapi/testapiPostBuild.cmd: Added.
2285         * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd: Added.
2286         * JavaScriptCore.vcxproj/testapi/testapiPreLink.cmd: Added.
2287         * JavaScriptCore.vcxproj/testapi/testapiRelease.props: Added.
2288
2289 2013-01-24  Roger Fong  <roger_fong@apple.com>
2290
2291         Unreviewed. Windows build fix.
2292
2293         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
2294
2295 2013-01-24  Filip Pizlo  <fpizlo@apple.com>
2296
2297         DFG::JITCompiler::getSpeculation() methods are badly named and superfluous
2298         https://bugs.webkit.org/show_bug.cgi?id=107860
2299
2300         Reviewed by Mark Hahnenberg.
2301
2302         * dfg/DFGJITCompiler.h:
2303         (JITCompiler):
2304         * dfg/DFGSpeculativeJIT64.cpp:
2305         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2306         (JSC::DFG::SpeculativeJIT::emitBranch):
2307
2308 2013-01-24  Mark Hahnenberg  <mhahnenberg@apple.com>
2309
2310         Objective-C API: Rename JSValue.h/APIJSValue.h to JSCJSValue.h/JSValue.h
2311         https://bugs.webkit.org/show_bug.cgi?id=107327
2312
2313         Reviewed by Filip Pizlo.
2314
2315         We're renaming these two files, so we have to replace the names everywhere.
2316
2317         * API/APICast.h:
2318         * API/APIJSValue.h: Removed.
2319         * API/JSBlockAdaptor.mm:
2320         * API/JSStringRefCF.cpp:
2321         * API/JSValue.h: Copied from Source/JavaScriptCore/API/APIJSValue.h.
2322         * API/JSValue.mm:
2323         * API/JSValueInternal.h:
2324         * API/JSValueRef.cpp:
2325         * API/JSWeakObjectMapRefPrivate.cpp:
2326         * API/JavaScriptCore.h:
2327         * CMakeLists.txt:
2328         * GNUmakefile.list.am:
2329         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2330         * JavaScriptCore.xcodeproj/project.pbxproj:
2331         * Target.pri:
2332         * bytecode/CallLinkStatus.h:
2333         * bytecode/CodeBlock.cpp:
2334         * bytecode/MethodOfGettingAValueProfile.h:
2335         * bytecode/ResolveGlobalStatus.cpp:
2336         * bytecode/ResolveGlobalStatus.h:
2337         * bytecode/SpeculatedType.h:
2338         * bytecode/ValueRecovery.h:
2339         * dfg/DFGByteCodeParser.cpp:
2340         * dfg/DFGJITCompiler.cpp:
2341         * dfg/DFGNode.h:
2342         * dfg/DFGSpeculativeJIT.cpp:
2343         * dfg/DFGSpeculativeJIT64.cpp:
2344         * heap/CopiedBlock.h:
2345         * heap/HandleStack.cpp:
2346         * heap/HandleTypes.h:
2347         * heap/WeakImpl.h:
2348         * interpreter/Interpreter.h:
2349         * interpreter/Register.h:
2350         * interpreter/VMInspector.h:
2351         * jit/HostCallReturnValue.cpp:
2352         * jit/HostCallReturnValue.h:
2353         * jit/JITCode.h:
2354         * jit/JITExceptions.cpp:
2355         * jit/JITExceptions.h:
2356         * jit/JSInterfaceJIT.h:
2357         * llint/LLIntCLoop.h:
2358         * llint/LLIntData.h:
2359         * llint/LLIntSlowPaths.cpp:
2360         * profiler/ProfilerBytecode.h:
2361         * profiler/ProfilerBytecodeSequence.h:
2362         * profiler/ProfilerBytecodes.h:
2363         * profiler/ProfilerCompilation.h:
2364         * profiler/ProfilerCompiledBytecode.h:
2365         * profiler/ProfilerDatabase.h:
2366         * profiler/ProfilerOSRExit.h:
2367         * profiler/ProfilerOSRExitSite.h:
2368         * profiler/ProfilerOrigin.h:
2369         * profiler/ProfilerOriginStack.h:
2370         * runtime/ArgList.cpp:
2371         * runtime/CachedTranscendentalFunction.h:
2372         * runtime/CallData.h:
2373         * runtime/Completion.h:
2374         * runtime/ConstructData.h:
2375         * runtime/DateConstructor.cpp:
2376         * runtime/DateInstance.cpp:
2377         * runtime/DatePrototype.cpp:
2378         * runtime/JSAPIValueWrapper.h:
2379         * runtime/JSCJSValue.cpp: Copied from Source/JavaScriptCore/runtime/JSValue.cpp.
2380         * runtime/JSCJSValue.h: Copied from Source/JavaScriptCore/runtime/JSValue.h.
2381         (JSValue):
2382         * runtime/JSCJSValueInlines.h: Copied from Source/JavaScriptCore/runtime/JSValueInlines.h.
2383         * runtime/JSGlobalData.h:
2384         * runtime/JSGlobalObject.cpp:
2385         * runtime/JSGlobalObjectFunctions.h:
2386         * runtime/JSStringJoiner.h:
2387         * runtime/JSValue.cpp: Removed.
2388         * runtime/JSValue.h: Removed.
2389         * runtime/JSValueInlines.h: Removed.
2390         * runtime/LiteralParser.h:
2391         * runtime/Operations.h:
2392         * runtime/PropertyDescriptor.h:
2393         * runtime/PropertySlot.h:
2394         * runtime/Protect.h:
2395         * runtime/RegExpPrototype.cpp:
2396         * runtime/Structure.h:
2397
2398 2013-01-23  Oliver Hunt  <oliver@apple.com>
2399
2400         Harden JSC a bit with RELEASE_ASSERT
2401         https://bugs.webkit.org/show_bug.cgi?id=107766
2402
2403         Reviewed by Mark Hahnenberg.
2404
2405         Went through and replaced a pile of ASSERTs that were covering
2406         significantly important details (bounds checks, etc) where
2407         having the checks did not impact release performance in any
2408         measurable way.
2409
2410         * API/JSContextRef.cpp:
2411         (JSContextCreateBacktrace):
2412         * assembler/MacroAssembler.h:
2413         (JSC::MacroAssembler::branchAdd32):
2414         (JSC::MacroAssembler::branchMul32):
2415         * bytecode/CodeBlock.cpp:
2416         (JSC::CodeBlock::dumpBytecode):
2417         (JSC::CodeBlock::handlerForBytecodeOffset):
2418         (JSC::CodeBlock::lineNumberForBytecodeOffset):
2419         (JSC::CodeBlock::bytecodeOffset):
2420         * bytecode/CodeBlock.h:
2421         (JSC::CodeBlock::bytecodeOffsetForCallAtIndex):
2422         (JSC::CodeBlock::bytecodeOffset):
2423         (JSC::CodeBlock::exceptionHandler):
2424         (JSC::CodeBlock::codeOrigin):
2425         (JSC::CodeBlock::immediateSwitchJumpTable):
2426         (JSC::CodeBlock::characterSwitchJumpTable):
2427         (JSC::CodeBlock::stringSwitchJumpTable):
2428         (JSC::CodeBlock::setIdentifiers):
2429         (JSC::baselineCodeBlockForInlineCallFrame):
2430         (JSC::ExecState::uncheckedR):
2431         * bytecode/CodeOrigin.cpp:
2432         (JSC::CodeOrigin::inlineStack):
2433         * bytecode/CodeOrigin.h:
2434         (JSC::CodeOrigin::CodeOrigin):
2435         * dfg/DFGCSEPhase.cpp:
2436         * dfg/DFGOSRExit.cpp:
2437         * dfg/DFGScratchRegisterAllocator.h:
2438         (JSC::DFG::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
2439         (JSC::DFG::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
2440         * dfg/DFGSpeculativeJIT.h:
2441         (JSC::DFG::SpeculativeJIT::allocate):
2442         (JSC::DFG::SpeculativeJIT::spill):
2443         (JSC::DFG::SpeculativeJIT::integerResult):
2444         * dfg/DFGSpeculativeJIT64.cpp:
2445         (JSC::DFG::SpeculativeJIT::fillInteger):
2446         (JSC::DFG::SpeculativeJIT::fillDouble):
2447         (JSC::DFG::SpeculativeJIT::fillJSValue):
2448         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
2449         (JSC::DFG::SpeculativeJIT::emitCall):
2450         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
2451         (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
2452         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2453         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2454         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2455         (JSC::DFG::SpeculativeJIT::compile):
2456         * dfg/DFGValueSource.h:
2457         (JSC::DFG::dataFormatToValueSourceKind):
2458         (JSC::DFG::ValueSource::ValueSource):
2459         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
2460         * heap/BlockAllocator.cpp:
2461         (JSC::BlockAllocator::BlockAllocator):
2462         (JSC::BlockAllocator::releaseFreeRegions):
2463         (JSC::BlockAllocator::blockFreeingThreadMain):
2464         * heap/Heap.cpp:
2465         (JSC::Heap::lastChanceToFinalize):
2466         (JSC::Heap::collect):
2467         * interpreter/Interpreter.cpp:
2468         (JSC::Interpreter::throwException):
2469         (JSC::Interpreter::execute):
2470         * jit/GCAwareJITStubRoutine.cpp:
2471         (JSC::GCAwareJITStubRoutine::observeZeroRefCount):
2472         * jit/JIT.cpp:
2473         (JSC::JIT::privateCompileMainPass):
2474         (JSC::JIT::privateCompileSlowCases):
2475         * jit/JITExceptions.cpp:
2476         (JSC::genericThrow):
2477         * jit/JITInlines.h:
2478         (JSC::JIT::emitLoad):
2479         * jit/JITOpcodes.cpp:
2480         (JSC::JIT::emit_op_end):
2481         (JSC::JIT::emit_resolve_operations):
2482         * jit/JITStubRoutine.cpp:
2483         (JSC::JITStubRoutine::observeZeroRefCount):
2484         * jit/JITStubs.cpp:
2485         (JSC::returnToThrowTrampoline):
2486         * runtime/Arguments.cpp:
2487         (JSC::Arguments::getOwnPropertySlot):
2488         (JSC::Arguments::getOwnPropertyDescriptor):
2489         (JSC::Arguments::deleteProperty):
2490         (JSC::Arguments::defineOwnProperty):
2491         (JSC::Arguments::didTearOffActivation):
2492         * runtime/ArrayPrototype.cpp:
2493         (JSC::shift):
2494         (JSC::unshift):
2495         (JSC::arrayProtoFuncLastIndexOf):
2496         * runtime/ButterflyInlines.h:
2497         (JSC::Butterfly::growPropertyStorage):
2498         * runtime/CodeCache.cpp:
2499         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2500         * runtime/CodeCache.h:
2501         (JSC::CacheMap::add):
2502         * runtime/Completion.cpp:
2503         (JSC::checkSyntax):
2504         (JSC::evaluate):
2505         * runtime/Executable.cpp:
2506         (JSC::FunctionExecutable::FunctionExecutable):
2507         (JSC::EvalExecutable::unlinkCalls):
2508         (JSC::ProgramExecutable::compileOptimized):
2509         (JSC::ProgramExecutable::unlinkCalls):
2510         (JSC::ProgramExecutable::initializeGlobalProperties):
2511         (JSC::FunctionExecutable::baselineCodeBlockFor):
2512         (JSC::FunctionExecutable::compileOptimizedForCall):
2513         (JSC::FunctionExecutable::compileOptimizedForConstruct):
2514         (JSC::FunctionExecutable::compileForCallInternal):
2515         (JSC::FunctionExecutable::compileForConstructInternal):
2516         (JSC::FunctionExecutable::unlinkCalls):
2517         (JSC::NativeExecutable::hashFor):
2518         * runtime/Executable.h:
2519         (JSC::EvalExecutable::compile):
2520         (JSC::ProgramExecutable::compile):
2521         (JSC::FunctionExecutable::compileForCall):
2522         (JSC::FunctionExecutable::compileForConstruct):
2523         * runtime/IndexingHeader.h:
2524         (JSC::IndexingHeader::setVectorLength):
2525         * runtime/JSArray.cpp:
2526         (JSC::JSArray::pop):
2527         (JSC::JSArray::shiftCountWithArrayStorage):
2528         (JSC::JSArray::shiftCountWithAnyIndexingType):
2529         (JSC::JSArray::unshiftCountWithArrayStorage):
2530         * runtime/JSGlobalObjectFunctions.cpp:
2531         (JSC::jsStrDecimalLiteral):
2532         * runtime/JSObject.cpp:
2533         (JSC::JSObject::copyButterfly):
2534         (JSC::JSObject::defineOwnIndexedProperty):
2535         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2536         * runtime/JSString.cpp:
2537         (JSC::JSRopeString::getIndexSlowCase):
2538         * yarr/YarrInterpreter.cpp:
2539         (JSC::Yarr::Interpreter::popParenthesesDisjunctionContext):
2540
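The entry above replaces debug-only ASSERTs on bounds checks with RELEASE_ASSERTs. The example below is added for this page and is not WTF's or JavaScriptCore's code: the macro names mirror WTF's, but the bodies, the RegisterFile type and the crash-hook indirection are this example's own (the hook exists only so the demo can observe a failed check without aborting). It shows the difference that matters in a release build: an ASSERT compiles out and the caller receives whatever sits past the end of the array, while a RELEASE_ASSERT still fires.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <stdexcept>

// Hypothetical crash hook (not WTF's): lets the demo observe a failed RELEASE_ASSERT
// instead of aborting. Production code would simply crash here.
typedef void (*CrashHandler)();
static void abortOnFailure() { std::abort(); }
static CrashHandler g_crashHandler = abortOnFailure;

// The macro names mirror WTF's; these bodies are this example's own.
#define RELEASE_ASSERT(condition) do { if (!(condition)) g_crashHandler(); } while (0)
#ifdef NDEBUG
#define ASSERT(condition) ((void)0) // compiled out of release builds
static const bool kDebugAssertsCompiledIn = false;
#else
#define ASSERT(condition) RELEASE_ASSERT(condition)
static const bool kDebugAssertsCompiledIn = true;
#endif

// Marks the slot that sits just past the logical end of the register file.
static const int32_t kPoison = 0x5AFE;

// A fixed-length slot array with two accessors that differ only in the kind of check.
struct RegisterFile {
    static const size_t Length = 8;
    // One physical slot beyond Length stands in for "whatever memory follows", so the
    // demo of the missing check stays well defined instead of actually reading out of bounds.
    int32_t slots[Length + 1];

    RegisterFile()
    {
        for (size_t i = 0; i < Length; ++i)
            slots[i] = static_cast<int32_t>(i * 10);
        slots[Length] = kPoison;
    }

    // Debug-only check: a release build hands back whatever sits past the end.
    int32_t debugCheckedAt(size_t index) const
    {
        ASSERT(index < Length);
        return slots[index];
    }

    // Always-on check: a release build crashes deterministically instead.
    int32_t releaseCheckedAt(size_t index) const
    {
        RELEASE_ASSERT(index < Length);
        return slots[index];
    }
};

struct Outcome {
    bool checkFired;
    int32_t value;
};

static void throwOnFailure() { throw std::runtime_error("RELEASE_ASSERT failed"); }

// Runs an accessor under the throwing crash hook and reports whether the check fired.
template <typename Accessor>
static Outcome probe(Accessor accessor)
{
    CrashHandler saved = g_crashHandler;
    g_crashHandler = throwOnFailure;
    Outcome outcome = { false, 0 };
    try {
        outcome.value = accessor();
    } catch (const std::runtime_error&) {
        outcome.checkFired = true;
    }
    g_crashHandler = saved;
    return outcome;
}

inline Outcome probeDebugChecked(size_t index)
{
    RegisterFile file;
    return probe([&]() { return file.debugCheckedAt(index); });
}

inline Outcome probeReleaseChecked(size_t index)
{
    RegisterFile file;
    return probe([&]() { return file.releaseCheckedAt(index); });
}

int main()
{
    Outcome debug = probeDebugChecked(RegisterFile::Length);
    Outcome release = probeReleaseChecked(RegisterFile::Length);
    std::printf("ASSERT fired: %d (value 0x%x)  RELEASE_ASSERT fired: %d\n",
        debug.checkFired, static_cast<unsigned>(debug.value), release.checkFired);
    return 0;
}
```

Build once without and once with -DNDEBUG to see the two behaviours: in the debug build both accessors reject index 8; in the release build only releaseCheckedAt() does, and debugCheckedAt() returns the poison value from the slot past the end. In real code that slot is adjacent heap or stack memory, which is why the entry's choice to keep bounds checks in release builds is a hardening change rather than a debugging convenience.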
2541 2013-01-23  Filip Pizlo  <fpizlo@apple.com>
2542
2543         Constant folding an access to an uncaptured variable that is captured later in the same basic block shouldn't lead to assertion failures
2544         https://bugs.webkit.org/show_bug.cgi?id=107750
2545         <rdar://problem/12387265>
2546
2547         Reviewed by Mark Hahnenberg.
2548         
2549         The point of this assertion was that if there is no variable capturing going on, then there should only be one GetLocal
2550         for the variable anywhere in the basic block. But if there is some capturing, then we'll have an unbounded number of
2551         GetLocals. The assertion was too imprecise for the latter case. I want to keep this assertion, so I introduced a
2552         checker that verifies this precisely: if there are any captured accesses to the variable anywhere at or after the
2553         GetLocal we are eliminating, then we allow redundant GetLocals.
2554
2555         * dfg/DFGConstantFoldingPhase.cpp:
2556         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2557         (ConstantFoldingPhase):
2558         (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
2559
2560 2013-01-23  Oliver Hunt  <oliver@apple.com>
2561
2562         Replace ASSERT_NOT_REACHED with RELEASE_ASSERT_NOT_REACHED in JSC
2563         https://bugs.webkit.org/show_bug.cgi?id=107736
2564
2565         Reviewed by Mark Hahnenberg.
2566
2567         Mechanical change with no performance impact.
2568
2569         * API/JSBlockAdaptor.mm:
2570         (BlockArgumentTypeDelegate::typeVoid):
2571         * API/JSCallbackObjectFunctions.h:
2572         (JSC::::construct):
2573         (JSC::::call):
2574         * API/JSScriptRef.cpp:
2575         * API/ObjCCallbackFunction.mm:
2576         (ArgumentTypeDelegate::typeVoid):
2577         * assembler/ARMv7Assembler.h:
2578         (JSC::ARMv7Assembler::link):
2579         (JSC::ARMv7Assembler::replaceWithLoad):
2580         (JSC::ARMv7Assembler::replaceWithAddressComputation):
2581         * assembler/MacroAssembler.h:
2582         (JSC::MacroAssembler::invert):
2583         * assembler/MacroAssemblerARM.h:
2584         (JSC::MacroAssemblerARM::countLeadingZeros32):
2585         (JSC::MacroAssemblerARM::divDouble):
2586         * assembler/MacroAssemblerMIPS.h:
2587         (JSC::MacroAssemblerMIPS::absDouble):
2588         (JSC::MacroAssemblerMIPS::replaceWithJump):
2589         (JSC::MacroAssemblerMIPS::maxJumpReplacementSize):
2590         * assembler/MacroAssemblerSH4.h:
2591         (JSC::MacroAssemblerSH4::absDouble):
2592         (JSC::MacroAssemblerSH4::replaceWithJump):
2593         (JSC::MacroAssemblerSH4::maxJumpReplacementSize):
2594         * assembler/SH4Assembler.h:
2595         (JSC::SH4Assembler::shllImm8r):
2596         (JSC::SH4Assembler::shlrImm8r):
2597         (JSC::SH4Assembler::cmplRegReg):
2598         (JSC::SH4Assembler::branch):
2599         * assembler/X86Assembler.h:
2600         (JSC::X86Assembler::replaceWithLoad):
2601         (JSC::X86Assembler::replaceWithAddressComputation):
2602         * bytecode/CallLinkInfo.cpp:
2603         (JSC::CallLinkInfo::unlink):
2604         * bytecode/CodeBlock.cpp:
2605         (JSC::debugHookName):
2606         (JSC::CodeBlock::printGetByIdOp):
2607         (JSC::CodeBlock::printGetByIdCacheStatus):
2608         (JSC::CodeBlock::visitAggregate):
2609         (JSC::CodeBlock::finalizeUnconditionally):
2610         (JSC::CodeBlock::usesOpcode):
2611         * bytecode/DataFormat.h:
2612         (JSC::needDataFormatConversion):
2613         * bytecode/ExitKind.cpp:
2614         (JSC::exitKindToString):
2615         (JSC::exitKindIsCountable):
2616         * bytecode/MethodOfGettingAValueProfile.cpp:
2617         (JSC::MethodOfGettingAValueProfile::getSpecFailBucket):
2618         * bytecode/Opcode.h:
2619         (JSC::opcodeLength):
2620         * bytecode/PolymorphicPutByIdList.cpp:
2621         (JSC::PutByIdAccess::fromStructureStubInfo):
2622         (JSC::PutByIdAccess::visitWeak):
2623         * bytecode/StructureStubInfo.cpp:
2624         (JSC::StructureStubInfo::deref):
2625         * bytecompiler/BytecodeGenerator.cpp:
2626         (JSC::ResolveResult::checkValidity):
2627         (JSC::BytecodeGenerator::emitGetLocalVar):
2628         (JSC::BytecodeGenerator::beginSwitch):
2629         * bytecompiler/NodesCodegen.cpp:
2630         (JSC::BinaryOpNode::emitBytecode):
2631         (JSC::emitReadModifyAssignment):
2632         * dfg/DFGAbstractState.cpp:
2633         (JSC::DFG::AbstractState::execute):
2634         (JSC::DFG::AbstractState::mergeStateAtTail):
2635         (JSC::DFG::AbstractState::mergeToSuccessors):
2636         * dfg/DFGByteCodeParser.cpp:
2637         (JSC::DFG::ByteCodeParser::makeSafe):
2638         (JSC::DFG::ByteCodeParser::parseBlock):
2639         * dfg/DFGCFGSimplificationPhase.cpp:
2640         (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
2641         (JSC::DFG::CFGSimplificationPhase::fixTailOperand):
2642         * dfg/DFGCSEPhase.cpp:
2643         (JSC::DFG::CSEPhase::setLocalStoreElimination):
2644         * dfg/DFGCapabilities.cpp:
2645         (JSC::DFG::canHandleOpcodes):
2646         * dfg/DFGCommon.h:
2647         (JSC::DFG::useKindToString):
2648         * dfg/DFGDoubleFormatState.h:
2649         (JSC::DFG::mergeDoubleFormatStates):
2650         (JSC::DFG::doubleFormatStateToString):
2651         * dfg/DFGFixupPhase.cpp:
2652         (JSC::DFG::FixupPhase::blessArrayOperation):
2653         * dfg/DFGGraph.h:
2654         (JSC::DFG::Graph::clobbersWorld):
2655         * dfg/DFGNode.h:
2656         (JSC::DFG::Node::valueOfJSConstant):
2657         (JSC::DFG::Node::successor):
2658         * dfg/DFGNodeFlags.cpp:
2659         (JSC::DFG::nodeFlagsAsString):
2660         * dfg/DFGNodeType.h:
2661         (JSC::DFG::defaultFlags):
2662         * dfg/DFGRepatch.h:
2663         (JSC::DFG::dfgResetGetByID):
2664         (JSC::DFG::dfgResetPutByID):
2665         * dfg/DFGSlowPathGenerator.h:
2666         (JSC::DFG::SlowPathGenerator::call):
2667         * dfg/DFGSpeculativeJIT.cpp:
2668         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
2669         (JSC::DFG::SpeculativeJIT::silentSpill):
2670         (JSC::DFG::SpeculativeJIT::silentFill):
2671         (JSC::DFG::SpeculativeJIT::checkArray):
2672         (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
2673         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2674         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2675         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
2676         * dfg/DFGSpeculativeJIT.h:
2677         (JSC::DFG::SpeculativeJIT::bitOp):
2678         (JSC::DFG::SpeculativeJIT::shiftOp):
2679         (JSC::DFG::SpeculativeJIT::integerResult):
2680         * dfg/DFGSpeculativeJIT32_64.cpp:
2681         (JSC::DFG::SpeculativeJIT::fillInteger):
2682         (JSC::DFG::SpeculativeJIT::fillDouble):
2683         (JSC::DFG::SpeculativeJIT::fillJSValue):
2684         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
2685         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2686         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2687         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2688         (JSC::DFG::SpeculativeJIT::compile):
2689         * dfg/DFGSpeculativeJIT64.cpp:
2690         (JSC::DFG::SpeculativeJIT::fillInteger):
2691         (JSC::DFG::SpeculativeJIT::fillDouble):
2692         (JSC::DFG::SpeculativeJIT::fillJSValue):
2693         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
2694         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2695         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2696         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2697         (JSC::DFG::SpeculativeJIT::compile):
2698         * dfg/DFGStructureCheckHoistingPhase.cpp:
2699         (JSC::DFG::StructureCheckHoistingPhase::run):
2700         * dfg/DFGValueSource.h:
2701         (JSC::DFG::ValueSource::valueRecovery):
2702         * dfg/DFGVariableEvent.cpp:
2703         (JSC::DFG::VariableEvent::dump):
2704         * dfg/DFGVariableEventStream.cpp:
2705         (JSC::DFG::VariableEventStream::reconstruct):
2706         * heap/BlockAllocator.h:
2707         (JSC::BlockAllocator::regionSetFor):
2708         * heap/GCThread.cpp:
2709         (JSC::GCThread::gcThreadMain):
2710         * heap/MarkedBlock.cpp:
2711         (JSC::MarkedBlock::sweepHelper):
2712         * heap/MarkedBlock.h:
2713         (JSC::MarkedBlock::isLive):
2714         * interpreter/CallFrame.h:
2715         (JSC::ExecState::inlineCallFrame):
2716         * interpreter/Interpreter.cpp:
2717         (JSC::getCallerInfo):
2718         (JSC::getStackFrameCodeType):
2719         (JSC::Interpreter::execute):
2720         * jit/ExecutableAllocatorFixedVMPool.cpp:
2721         (JSC::FixedVMPoolExecutableAllocator::notifyPageIsFree):
2722         * jit/JIT.cpp:
2723         (JSC::JIT::privateCompileMainPass):
2724         (JSC::JIT::privateCompileSlowCases):
2725         (JSC::JIT::privateCompile):
2726         * jit/JITArithmetic.cpp:
2727         (JSC::JIT::emitSlow_op_mod):
2728         * jit/JITArithmetic32_64.cpp:
2729         (JSC::JIT::emitBinaryDoubleOp):
2730         (JSC::JIT::emitSlow_op_mod):
2731         * jit/JITPropertyAccess.cpp:
2732         (JSC::JIT::isDirectPutById):
2733         * jit/JITStubs.cpp:
2734         (JSC::getPolymorphicAccessStructureListSlot):
2735         (JSC::DEFINE_STUB_FUNCTION):
2736         * llint/LLIntSlowPaths.cpp:
2737         (JSC::LLInt::jitCompileAndSetHeuristics):
2738         * parser/Lexer.cpp:
2739         (JSC::::lex):
2740         * parser/Nodes.h:
2741         (JSC::ExpressionNode::emitBytecodeInConditionContext):
2742         * parser/Parser.h:
2743         (JSC::Parser::getTokenName):
2744         (JSC::Parser::updateErrorMessageSpecialCase):
2745         * parser/SyntaxChecker.h:
2746         (JSC::SyntaxChecker::operatorStackPop):
2747         * runtime/Arguments.cpp:
2748         (JSC::Arguments::tearOffForInlineCallFrame):
2749         * runtime/DatePrototype.cpp:
2750         (JSC::formatLocaleDate):
2751         * runtime/Executable.cpp:
2752         (JSC::samplingDescription):
2753         * runtime/Executable.h:
2754         (JSC::ScriptExecutable::unlinkCalls):
2755         * runtime/Identifier.cpp:
2756         (JSC):
2757         * runtime/InternalFunction.cpp:
2758         (JSC::InternalFunction::getCallData):
2759         * runtime/JSArray.cpp:
2760         (JSC::JSArray::push):
2761         (JSC::JSArray::sort):
2762         * runtime/JSCell.cpp:
2763         (JSC::JSCell::defaultValue):
2764         (JSC::JSCell::getOwnPropertyNames):
2765         (JSC::JSCell::getOwnNonIndexPropertyNames):
2766         (JSC::JSCell::className):
2767         (JSC::JSCell::getPropertyNames):
2768         (JSC::JSCell::customHasInstance):
2769         (JSC::JSCell::putDirectVirtual):
2770         (JSC::JSCell::defineOwnProperty):
2771         (JSC::JSCell::getOwnPropertyDescriptor):
2772         * runtime/JSCell.h:
2773         (JSCell):
2774         * runtime/JSNameScope.cpp:
2775         (JSC::JSNameScope::put):
2776         * runtime/JSObject.cpp:
2777         (JSC::JSObject::getOwnPropertySlotByIndex):
2778         (JSC::JSObject::putByIndex):
2779         (JSC::JSObject::ensureArrayStorageSlow):
2780         (JSC::JSObject::deletePropertyByIndex):
2781         (JSC::JSObject::getOwnPropertyNames):
2782         (JSC::JSObject::putByIndexBeyondVectorLength):
2783         (JSC::JSObject::putDirectIndexBeyondVectorLength):
2784         (JSC::JSObject::getOwnPropertyDescriptor):
2785         * runtime/JSObject.h:
2786         (JSC::JSObject::canGetIndexQuickly):
2787         (JSC::JSObject::getIndexQuickly):
2788         (JSC::JSObject::tryGetIndexQuickly):
2789         (JSC::JSObject::canSetIndexQuickly):
2790         (JSC::JSObject::canSetIndexQuicklyForPutDirect):
2791         (JSC::JSObject::setIndexQuickly):
2792         (JSC::JSObject::initializeIndex):
2793         (JSC::JSObject::hasSparseMap):
2794         (JSC::JSObject::inSparseIndexingMode):
2795         * runtime/JSScope.cpp:
2796         (JSC::JSScope::isDynamicScope):
2797         * runtime/JSSymbolTableObject.cpp:
2798         (JSC::JSSymbolTableObject::putDirectVirtual):
2799         * runtime/JSSymbolTableObject.h:
2800         (JSSymbolTableObject):
2801         * runtime/LiteralParser.cpp:
2802         (JSC::::parse):
2803         * runtime/RegExp.cpp:
2804         (JSC::RegExp::compile):
2805         (JSC::RegExp::compileMatchOnly):
2806         * runtime/StructureTransitionTable.h:
2807         (JSC::newIndexingType):
2808         * tools/CodeProfile.cpp:
2809         (JSC::CodeProfile::sample):
2810         * yarr/YarrCanonicalizeUCS2.h:
2811         (JSC::Yarr::getCanonicalPair):
2812         (JSC::Yarr::areCanonicallyEquivalent):
2813         * yarr/YarrInterpreter.cpp:
2814         (JSC::Yarr::Interpreter::matchCharacterClass):
2815         (JSC::Yarr::Interpreter::matchBackReference):
2816         (JSC::Yarr::Interpreter::backtrackParenthesesTerminalEnd):
2817         (JSC::Yarr::Interpreter::matchParentheses):
2818         (JSC::Yarr::Interpreter::backtrackParentheses):
2819         (JSC::Yarr::Interpreter::matchDisjunction):
2820         * yarr/YarrJIT.cpp:
2821         (JSC::Yarr::YarrGenerator::generateTerm):
2822         (JSC::Yarr::YarrGenerator::backtrackTerm):
2823         * yarr/YarrParser.h:
2824         (JSC::Yarr::Parser::CharacterClassParserDelegate::assertionWordBoundary):
2825         (JSC::Yarr::Parser::CharacterClassParserDelegate::atomBackReference):
2826         * yarr/YarrPattern.cpp:
2827         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassBuiltIn):
2828
2829 2013-01-23  Tony Chang  <tony@chromium.org>
2830
2831         Unreviewed, set svn:eol-style to CRLF on Windows .sln files.
2832
2833         * JavaScriptCore.vcproj/JavaScriptCore.sln: Modified property svn:eol-style.
2834         * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln: Modified property svn:eol-style.
2835
2836 2013-01-23  Oliver Hunt  <oliver@apple.com>
2837
2838         Replace numerous manual CRASH's in JSC with RELEASE_ASSERT
2839         https://bugs.webkit.org/show_bug.cgi?id=107726
2840
2841         Reviewed by Filip Pizlo.
2842
2843         Fairly manual change from if (foo) CRASH(); to RELEASE_ASSERT(!foo);
2844
2845         * assembler/MacroAssembler.h:
2846         (JSC::MacroAssembler::branchAdd32):
2847         (JSC::MacroAssembler::branchMul32):
2848         * bytecode/CodeBlockHash.cpp:
2849         (JSC::CodeBlockHash::CodeBlockHash):
2850         * heap/BlockAllocator.h:
2851         (JSC::Region::create):
2852         (JSC::Region::createCustomSize):
2853         * heap/GCAssertions.h:
2854         * heap/HandleSet.cpp:
2855         (JSC::HandleSet::visitStrongHandles):
2856         (JSC::HandleSet::writeBarrier):
2857         * heap/HandleSet.h:
2858         (JSC::HandleSet::allocate):
2859         * heap/Heap.cpp:
2860         (JSC::Heap::collect):
2861         * heap/SlotVisitor.cpp:
2862         (JSC::SlotVisitor::validate):
2863         * interpreter/Interpreter.cpp:
2864         (JSC::Interpreter::execute):
2865         * jit/ExecutableAllocator.cpp:
2866         (JSC::DemandExecutableAllocator::allocateNewSpace):
2867         (JSC::ExecutableAllocator::allocate):
2868         * jit/ExecutableAllocator.h:
2869         (JSC::roundUpAllocationSize):
2870         * jit/ExecutableAllocatorFixedVMPool.cpp:
2871         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
2872         (JSC::ExecutableAllocator::allocate):
2873         * runtime/ButterflyInlines.h:
2874         (JSC::Butterfly::createUninitialized):
2875         * runtime/Completion.cpp:
2876         (JSC::evaluate):
2877         * runtime/JSArray.h:
2878         (JSC::constructArray):
2879         * runtime/JSGlobalObject.cpp:
2880         (JSC::slowValidateCell):
2881         * runtime/JSObject.cpp:
2882         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
2883         (JSC::JSObject::createArrayStorage):
2884         * tools/TieredMMapArray.h:
2885         (JSC::TieredMMapArray::append):
2886         * yarr/YarrInterpreter.cpp:
2887         (JSC::Yarr::Interpreter::allocDisjunctionContext):
2888         (JSC::Yarr::Interpreter::allocParenthesesDisjunctionContext):
2889         (JSC::Yarr::Interpreter::InputStream::readChecked):
2890         (JSC::Yarr::Interpreter::InputStream::uncheckInput):
2891         (JSC::Yarr::Interpreter::InputStream::atEnd):
2892         (JSC::Yarr::Interpreter::interpret):
2893
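Added example, not WebKit code: the entry above replaces hand-written `if (foo) CRASH();` guards with `RELEASE_ASSERT(!foo);`. The block below shows why that pattern matters from a hardening standpoint: a release-mode assertion is not compiled out under NDEBUG, so an unchecked size computation (the kind of thing the listed `roundUpAllocationSize` and `createUninitialized` sites guard) becomes a guaranteed, attributable crash instead of a silent wraparound. The macro name `RELEASE_ASSERT_DEMO` and the helpers `roundUpChecked` / `roundUpAllocationSizeOrCrash` are assumptions made for this illustration and are not JavaScriptCore's own.

```cpp
// Added example (not WebKit code): a release-mode assertion that turns an
// unchecked size computation into a guaranteed crash rather than a silent
// overflow. RELEASE_ASSERT_DEMO, roundUpChecked and
// roundUpAllocationSizeOrCrash are hypothetical names, not JSC's.
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <limits>

// Unlike the C assert() macro, this check is not removed by NDEBUG: the
// comparison runs in release builds and aborts the process on failure,
// reporting the failed expression and its location.
#define RELEASE_ASSERT_DEMO(cond)                                          \
    do {                                                                   \
        if (!(cond)) {                                                     \
            std::fprintf(stderr, "RELEASE_ASSERT failed: %s (%s:%d)\n",   \
                         #cond, __FILE__, __LINE__);                       \
            std::abort();                                                  \
        }                                                                  \
    } while (0)

// "Before" shape from the ChangeLog entry: if (foo) CRASH();
// "After" shape:                          RELEASE_ASSERT(!foo);
// Both abort; the assertion form states the invariant positively and keeps
// the failing expression in the diagnostic.

// Checked helper: rounds `request` up to a multiple of `granularity` and
// returns false instead of aborting on bad input, so the abort-vs-fail
// policy stays with the caller and the arithmetic can be unit-tested.
bool roundUpChecked(size_t request, size_t granularity, size_t* out)
{
    // granularity must be a non-zero power of two for the mask trick below
    if (granularity == 0 || (granularity & (granularity - 1)) != 0)
        return false;
    // request + (granularity - 1) must not wrap around size_t
    if (request > std::numeric_limits<size_t>::max() - (granularity - 1))
        return false;
    *out = (request + granularity - 1) & ~(granularity - 1);
    return true;
}

// Allocator-style entry point: overflow is not a recoverable condition here,
// so it is enforced with the release assertion rather than a debug-only one.
size_t roundUpAllocationSizeOrCrash(size_t request, size_t granularity)
{
    size_t rounded = 0;
    RELEASE_ASSERT_DEMO(roundUpChecked(request, granularity, &rounded));
    return rounded;
}

int main()
{
    std::printf("%zu\n", roundUpAllocationSizeOrCrash(100, 16)); // 112
    return 0;
}
```

The split into a bool-returning helper plus an asserting wrapper is deliberate: the wrapper gives the allocator the fail-closed behaviour the entry describes, while the helper lets the overflow branch be exercised in a test without taking the process down.
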
2894 2013-01-22  Filip Pizlo  <fpizlo@apple.com>
2895
2896         Convert CSE phase to not rely too much on NodeIndex
2897         https://bugs.webkit.org/show_bug.cgi?id=107616
2898
2899         Reviewed by Geoffrey Garen.
2900         
2901         - Instead of looping over the graph (which assumes that you can simply loop over all
2902           nodes without considering blocks first) to reset node.replacement, do that in the
2903           loop that sets up relevantToOSR, just before running CSE on the block.
2904         
2905         - Instead of having a relevantToOSR bitvector indexed by NodeIndex, made
2906           NodeRelevantToOSR be a NodeFlag. We had exactly one bit left in NodeFlags, so I did
2907           some reshuffling to fit it in.
2908
2909         * dfg/DFGCSEPhase.cpp:
2910         (JSC::DFG::CSEPhase::CSEPhase):
2911         (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
2912         (JSC::DFG::CSEPhase::performNodeCSE):
2913         (JSC::DFG::CSEPhase::performBlockCSE):
2914         (CSEPhase):
2915         * dfg/DFGNodeFlags.h:
2916         (DFG):
2917         * dfg/DFGNodeType.h:
2918         (DFG):
2919
2920 2013-01-21  Kentaro Hara  <haraken@chromium.org>
2921
2922         Implement UIEvent constructor
2923         https://bugs.webkit.org/show_bug.cgi?id=107430
2924
2925         Reviewed by Adam Barth.
2926
2927         Editor's draft: https://dvcs.w3.org/hg/d4e/raw-file/tip/source_respec.htm
2928
2929         UIEvent constructor is implemented under a DOM4_EVENTS_CONSTRUCTOR flag,
2930         which is enabled on Safari and Chromium for now.
2931
2932         * Configurations/FeatureDefines.xcconfig:
2933
2934 2013-01-22  Roger Fong  <roger_fong@apple.com>
2935
2936         Unreviewed VS2010 build fix following r140259.
2937
2938         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2939         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2940
2941 2013-01-22  Roger Fong  <roger_fong@apple.com>
2942
2943         JavaScriptCore property sheets, project files and modified build scripts.
2944         https://bugs.webkit.org/show_bug.cgi?id=106987
2945
2946         Reviewed by Brent Fulgham.
2947
2948         * JavaScriptCore.vcxproj: Added.
2949         * JavaScriptCore.vcxproj/JavaScriptCore.resources: Added.
2950         * JavaScriptCore.vcxproj/JavaScriptCore.resources/Info.plist: Added.
2951         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added.
2952         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Added.
2953         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.user: Added.
2954         * JavaScriptCore.vcxproj/JavaScriptCoreCF.props: Added.
2955         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Added.
2956         * JavaScriptCore.vcxproj/JavaScriptCoreDebug.props: Added.
2957         * JavaScriptCore.vcxproj/JavaScriptCoreExports.def: Added.
2958         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make: Added.
2959         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Added.
2960         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.filters: Added.
2961         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.user: Added.
2962         * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedCommon.props: Added.
2963         * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedDebug.props: Added.
2964         * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedRelease.props: Added.
2965         * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: Added.
2966         * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd: Added.
2967         * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd: Added.
2968         * JavaScriptCore.vcxproj/JavaScriptCoreRelease.props: Added.
2969         * JavaScriptCore.vcxproj/LLInt.vcproj: Added.
2970         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly: Added.
2971         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.make: Added.
2972         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj: Added.
2973         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj.user: Added.
2974         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/build-LLIntAssembly.sh: Added.
2975         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets: Added.
2976         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.make: Added.
2977         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: Added.
2978         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj.user: Added.
2979         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Added.
2980         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor: Added.
2981         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj: Added.
2982         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj.user: Added.
2983         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: Added.
2984         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props: Added.
2985         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.props: Added.
2986         * JavaScriptCore.vcxproj/build-generated-files.sh: Added.
2987         * JavaScriptCore.vcxproj/copy-files.cmd: Added.
2988         * JavaScriptCore.vcxproj/jsc: Added.
2989         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Added.
2990         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj.filters: Added.
2991         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj.user: Added.
2992         * JavaScriptCore.vcxproj/jsc/jscCommon.props: Added.
2993         * JavaScriptCore.vcxproj/jsc/jscDebug.props: Added.
2994         * JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd: Added.
2995         * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd: Added.
2996         * JavaScriptCore.vcxproj/jsc/jscPreLink.cmd: Added.
2997         * JavaScriptCore.vcxproj/jsc/jscRelease.props: Added.
2998         * config.h:
2999
3000 2013-01-22  Joseph Pecoraro  <pecoraro@apple.com>
3001
3002         [Mac] Enable Page Visibility (PAGE_VISIBILITY_API)
3003         https://bugs.webkit.org/show_bug.cgi?id=107230
3004
3005         Reviewed by David Kilzer.
3006
3007         * Configurations/FeatureDefines.xcconfig:
3008
3009 2013-01-22  Tobias Netzel  <tobias.netzel@googlemail.com>
3010
3011         Yarr JIT isn't big endian compatible
3012         https://bugs.webkit.org/show_bug.cgi?id=102897
3013
3014         Reviewed by Oliver Hunt.
3015
3016         This patch was tested in the current Mozilla codebase only and has passed the regexp tests there.
3017
3018         * yarr/YarrJIT.cpp:
3019         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
3020
3021 2013-01-22  David Kilzer  <ddkilzer@apple.com>
3022
3023         Fix DateMath.cpp to compile with -Wshorten-64-to-32
3024         <http://webkit.org/b/107503>
3025
3026         Reviewed by Darin Adler.
3027
3028         * runtime/JSDateMath.cpp:
3029         (JSC::parseDateFromNullTerminatedCharacters): Remove unneeded
3030         static_cast<int>().
3031
3032 2013-01-22  Tim Horton  <timothy_horton@apple.com>
3033
3034         PDFPlugin: Build PDFPlugin everywhere, enable at runtime
3035         https://bugs.webkit.org/show_bug.cgi?id=107117
3036
3037         Reviewed by Alexey Proskuryakov.
3038
3039         Since PDFLayerController SPI is all forward-declared, the plugin should build
3040         on all Mac platforms, and can be enabled at runtime.
3041
3042         * Configurations/FeatureDefines.xcconfig:
3043
3044 2013-01-21  Justin Schuh  <jschuh@chromium.org>
3045
3046         [CHROMIUM] Suppress c4267 build warnings for Win64 targets
3047         https://bugs.webkit.org/show_bug.cgi?id=107499
3048
3049         Reviewed by Abhishek Arya.
3050
3051         * JavaScriptCore.gyp/JavaScriptCore.gyp:
3052
3053 2013-01-21  Dirk Schulze  <dschulze@adobe.com>
3054
3055         Add build flag for Canvas's Path object (disabled by default)
3056         https://bugs.webkit.org/show_bug.cgi?id=107473
3057
3058         Reviewed by Dean Jackson.
3059
3060         Add CANVAS_PATH build flag to build systems.
3061
3062         * Configurations/FeatureDefines.xcconfig:
3063
3064 2013-01-20  Geoffrey Garen  <ggaren@apple.com>
3065
3066         Weak GC maps should be easier to use
3067         https://bugs.webkit.org/show_bug.cgi?id=107312
3068
3069         Reviewed by Sam Weinig.
3070
3071         Follow-up fix.
3072
3073         * runtime/PrototypeMap.cpp:
3074         (JSC::PrototypeMap::emptyObjectStructureForPrototype): Restored this
3075         ASSERT, which was disabled because of a bug in WeakGCMap.
3076
3077         * runtime/WeakGCMap.h:
3078         (JSC::WeakGCMap::add): We can't pass our passed-in value to add() because
3079         a PassWeak() clears itself when passed to another function. So, we pass
3080         nullptr instead, and fix things up afterwards.
3081
3082 2013-01-20  Geoffrey Garen  <ggaren@apple.com>
3083
3084         Unreviewed.
3085
3086         Temporarily disabling this ASSERT to get the bots green
3087         while I investigate a fix.
3088
3089         * runtime/PrototypeMap.cpp:
3090         (JSC::PrototypeMap::emptyObjectStructureForPrototype):
3091
3092 2013-01-20  Filip Pizlo  <fpizlo@apple.com>
3093
3094         Inserting a node into the DFG graph should not require five lines of code
3095         https://bugs.webkit.org/show_bug.cgi?id=107381
3096
3097         Reviewed by Sam Weinig.
3098         
3099         This adds fairly comprehensive support for inserting a node into a DFG graph in one
3100         method call. A common example of this is:
3101         
3102         m_insertionSet.insertNode(indexInBlock, DontRefChildren, DontRefNode, SpecNone, ForceOSRExit, codeOrigin);
3103         
3104         The arguments to insert() specify what reference counting you need to have happen
3105         (RefChildren => recursively refs all children, RefNode => non-recursively refs the node
3106         that was created), the prediction to set (SpecNone is a common default), followed by
3107         the arguments to the Node() constructor. InsertionSet::insertNode() and similar methods
3108         (Graph::addNode() and BasicBlock::appendNode()) all use a common variadic template
3109         function macro from DFGVariadicFunction.h. Also, all of these methods will automatically
3110         non-recursively ref() the node being created if the flags say NodeMustGenerate.
3111         
3112         In all, this new mechanism retains the flexibility of the old approach (you get to
3113         manage ref counts yourself, albeit in less code) while ensuring that most code that adds
3114         nodes to the graph now needs less code to do it.
3115         
3116         In the future, we should revisit the reference counting methodology in the DFG: we could
3117         do like most compilers and get rid of it entirely, or we could make it automatic. This
3118         patch doesn't attempt to make any such major changes, and only seeks to simplify the
3119         technique we were already using (manual ref counting).
3120
3121         * GNUmakefile.list.am:
3122         * JavaScriptCore.xcodeproj/project.pbxproj:
3123         * bytecode/Operands.h:
3124         (JSC::dumpOperands):
3125         * dfg/DFGAdjacencyList.h:
3126         (AdjacencyList):
3127         (JSC::DFG::AdjacencyList::kind):
3128         * dfg/DFGArgumentsSimplificationPhase.cpp:
3129         (JSC::DFG::ArgumentsSimplificationPhase::run):
3130         * dfg/DFGBasicBlock.h:
3131         (DFG):
3132         (BasicBlock):
3133         * dfg/DFGBasicBlockInlines.h: Added.
3134         (DFG):
3135         * dfg/DFGCFGSimplificationPhase.cpp:
3136         (JSC::DFG::CFGSimplificationPhase::run):
3137         (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
3138         * dfg/DFGCommon.h:
3139         * dfg/DFGConstantFoldingPhase.cpp:
3140         (JSC::DFG::ConstantFoldingPhase::ConstantFoldingPhase):
3141         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3142         (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
3143         (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
3144         (ConstantFoldingPhase):
3145         * dfg/DFGFixupPhase.cpp:
3146         (JSC::DFG::FixupPhase::FixupPhase):
3147         (JSC::DFG::FixupPhase::fixupBlock):
3148         (JSC::DFG::FixupPhase::fixupNode):
3149         (FixupPhase):
3150         (JSC::DFG::FixupPhase::checkArray):
3151         (JSC::DFG::FixupPhase::blessArrayOperation):
3152         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
3153         * dfg/DFGGraph.h:
3154         (JSC::DFG::Graph::ref):
3155         (Graph):
3156         * dfg/DFGInsertionSet.h:
3157         (DFG):
3158         (JSC::DFG::Insertion::Insertion):
3159         (JSC::DFG::Insertion::element):
3160         (Insertion):
3161         (JSC::DFG::InsertionSet::InsertionSet):
3162         (JSC::DFG::InsertionSet::insert):
3163         (InsertionSet):
3164         (JSC::DFG::InsertionSet::execute):
3165         * dfg/DFGNode.h:
3166         (JSC::DFG::Node::Node):
3167         (Node):
3168         * dfg/DFGStructureCheckHoistingPhase.cpp:
3169         (JSC::DFG::StructureCheckHoistingPhase::run):
3170         * dfg/DFGVariadicFunction.h: Added.
3171
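Added example, not WebKit's DFG code: the entry above describes `InsertionSet::insertNode()`, which lets a pass record a node to be placed at a given index in a block and applies the insertions later in `InsertionSet::execute()`. The block below is a minimal stand-in for that mechanism, written to show the one property that makes it safe: insertions are recorded in index order while the block is walked and applied from the back, so no index computed during the walk is invalidated by an earlier insertion. The ref-counting flags (`RefChildren`, `RefNode`) and prediction argument from the entry are not modelled; the class and function names here are hypothetical.

```cpp
// Added example (not JavaScriptCore's DFG code): a minimal deferred-insertion
// set in the style the ChangeLog entry describes. A pass records
// "insert element E before index i" while walking a block, then applies all
// insertions in one step. InsertionSet and runFixupDemo are hypothetical names.
#include <cassert>
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

template<typename T>
class InsertionSet {
public:
    // Insertions must be recorded in non-decreasing index order, which is the
    // natural order when a pass walks the block front to back.
    void insert(size_t index, T element)
    {
        assert(m_insertions.empty() || m_insertions.back().first <= index);
        m_insertions.emplace_back(index, std::move(element));
    }

    // Apply from the back: inserting at the highest index first means no
    // earlier recorded index is shifted by a later insertion. Two insertions
    // recorded for the same index keep their recording order.
    void execute(std::vector<T>& block)
    {
        for (size_t i = m_insertions.size(); i-- > 0;) {
            size_t index = m_insertions[i].first;
            assert(index <= block.size());
            block.insert(block.begin() + static_cast<std::ptrdiff_t>(index),
                         std::move(m_insertions[i].second));
        }
        m_insertions.clear();
    }

    size_t pendingCount() const { return m_insertions.size(); }

private:
    std::vector<std::pair<size_t, T>> m_insertions;
};

// Worked run on a constructed block of node names: a fixup-style walk decides
// that two conversions must precede node "B" and that an exit node must
// follow "C", i.e. be inserted at index 3, the end of the original block.
std::vector<std::string> runFixupDemo()
{
    std::vector<std::string> block = { "A", "B", "C" };
    InsertionSet<std::string> insertionSet;
    for (size_t i = 0; i < block.size(); ++i) {
        if (block[i] == "B") {
            insertionSet.insert(i, "Int32ToDouble(x)");
            insertionSet.insert(i, "Int32ToDouble(y)");
        }
        if (block[i] == "C")
            insertionSet.insert(i + 1, "ForceOSRExit");
    }
    insertionSet.execute(block);
    // A, Int32ToDouble(x), Int32ToDouble(y), B, C, ForceOSRExit
    return block;
}
```

Walking the block and inserting into it in the same loop would either skip or re-visit elements as the vector shifts; deferring the insertions and replaying them from the highest index down is what lets the pass keep using the indices it computed.
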
3172 2013-01-19  Geoffrey Garen  <ggaren@apple.com>
3173
3174         Track inheritance structures in a side table, instead of using a private
3175         name in each prototype
3176         https://bugs.webkit.org/show_bug.cgi?id=107378
3177
3178         Reviewed by Sam Weinig and Phil Pizlo.
3179
3180         This is a step toward object size inference.
3181
3182         Using a side table frees us to use a more complex key (a pair of
3183         prototype and expected inline capacity).
3184
3185         It also avoids ruining inline caches for prototypes. (Adding a new private
3186         name for a new inline capacity would change the prototype's structure,
3187         possibly firing watchpoints, making inline caches go polymorphic, and
3188         generally causing us to have a bad time.)
3189
3190         * CMakeLists.txt:
3191         * GNUmakefile.list.am:
3192         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
3193         * JavaScriptCore.xcodeproj/project.pbxproj:
3194         * Target.pri: Buildage.
3195
3196         * runtime/ArrayPrototype.cpp:
3197         (JSC::ArrayPrototype::finishCreation): Updated to use new side table API.
3198
3199         * runtime/JSFunction.cpp:
3200         (JSC::JSFunction::cacheInheritorID): Updated to use new side table API.
3201
3202         (JSC::JSFunction::visitChildren): Fixed a long-standing bug where JSFunction
3203         forgot to visit one of its data members (m_cachedInheritorID). This
3204         wasn't a user-visible problem before because JSFunction would always
3205         visit its .prototype property, which visited its m_cachedInheritorID.
3206         But now, function.prototype only weakly owns function.m_cachedInheritorID.
3207
3208         * runtime/JSGlobalData.h:
3209         (JSGlobalData): Added the map, taking care to make sure that its
3210         destructor would run after the heap destructor.
3211
3212         * runtime/JSGlobalObject.cpp:
3213         (JSC::JSGlobalObject::reset): Updated to use new side table API.
3214
3215         * runtime/JSObject.cpp:
3216         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
3217         (JSC::JSObject::setPrototype):
3218         * runtime/JSObject.h:
3219         (JSObject): Updated to use new side table API, and removed lots of code
3220         that used to manage the per-object private name.
3221
3222         * runtime/JSProxy.cpp:
3223         (JSC::JSProxy::setTarget):
3224         * runtime/ObjectConstructor.cpp:
3225         (JSC::objectConstructorCreate):
3226         * runtime/ObjectPrototype.cpp:
3227         (JSC::ObjectPrototype::finishCreation): Updated to use new side table API.
3228
3229         * runtime/PrototypeMap.cpp: Added.
3230         (JSC):
3231         (JSC::PrototypeMap::addPrototype):
3232         (JSC::PrototypeMap::emptyObjectStructureForPrototype):
3233         * runtime/PrototypeMap.h: Added.
3234         (PrototypeMap):
3235         (JSC::PrototypeMap::isPrototype):
3236         (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype): New side table.
3237         This is a simple weak map, mapping an object to the structure you should
3238         use when inheriting from that object. (In future, inline capacity will
3239         be a part of the mapping.)
3240
3241         I used two maps to preserve existing behavior that allowed us to speculate
3242         about an object becoming a prototype, even if it wasn't one at the moment.
3243         However, I suspect that behavior can be removed without harm.
3244
3245         * runtime/WeakGCMap.h:
3246         (JSC::WeakGCMap::contains):
3247         (WeakGCMap): I would rate myself a 6 / 10 in C++.
3248
3249 2013-01-18  Dan Bernstein  <mitz@apple.com>
3250
3251         Removed duplicate references to two headers in the project files.
3252
3253         Rubber-stamped by Mark Rowe.
3254
3255         * JavaScriptCore.xcodeproj/project.pbxproj:
3256
3257 2013-01-18  Michael Saboff  <msaboff@apple.com>
3258
3259         Unreviewed build fix for building JSC with DFG_ENABLE_DEBUG_PROPAGATION_VERBOSE enabled in DFGCommon.h.
3260         Fixes the case where the argument node in fixupNode is freed due to the Vector storage being reallocated.
3261
3262         * dfg/DFGFixupPhase.cpp:
3263         (JSC::DFG::FixupPhase::fixupNode):
3264
3265 2013-01-18  Michael Saboff  <msaboff@apple.com>
3266
3267         Unreviewed build fix for release builds when DFG_ENABLE_DEBUG_PROPAGATION_VERBOSE is set to 1 in DFGCommon.h.
3268
3269         * dfg/DFGCFAPhase.cpp: Added #include "Operations.h"
3270
3271 2013-01-18  Michael Saboff  <msaboff@apple.com>
3272
3273         Change set r140201 broke editing/selection/move-by-word-visually-multi-line.html
3274         https://bugs.webkit.org/show_bug.cgi?id=107340
3275
3276         Reviewed by Filip Pizlo.
3277
3278         Due to the change landed in r140201, more nodes might end up
3279         generating Int32ToDouble nodes.  Therefore, changed the JSVALUE64
3280         constant path of compileInt32ToDouble() to use the more
3281         restrictive isInt32Constant() check on the input.  This check was
3282         the same as the existing ASSERT() so the ASSERT was eliminated.
3283
3284         * dfg/DFGSpeculativeJIT.cpp:
3285         (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
3286
3287 2013-01-18  Viatcheslav Ostapenko  <sl.ostapenko@samsung.com>
3288
3289         Weak GC maps should be easier to use
3290         https://bugs.webkit.org/show_bug.cgi?id=107312
3291
3292         Reviewed by Ryosuke Niwa.
3293
3294         Build fix for linux platforms after r140194.
3295
3296         * runtime/WeakGCMap.h:
3297         (WeakGCMap):
3298
3299 2013-01-18  Michael Saboff  <msaboff@apple.com>
3300
3301         Harden ArithDiv of integers fix-up by inserting Int32ToDouble node directly
3302         https://bugs.webkit.org/show_bug.cgi?id=107321
3303
3304         Reviewed by Filip Pizlo.
3305
3306         Split out the Int32ToDouble node insertion from fixDoubleEdge() and used it directly when we're fixing up
3307         an ArithDiv node with integer inputs and output for platforms that don't have integer division.
3308         Since we are checking that our inputs should be ints, we can just insert the Int32ToDouble node
3309         without any further checks.
3310
3311         * dfg/DFGFixupPhase.cpp:
3312         (JSC::DFG::FixupPhase::fixupNode):
3313         (JSC::DFG::FixupPhase::fixDoubleEdge):
3314         (FixupPhase):
3315         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
3316
3317 2013-01-18  Michael Saboff  <msaboff@apple.com>
3318
3319         Fix up of ArithDiv nodes for non-x86 CPUs is broken
3320         https://bugs.webkit.org/show_bug.cgi?id=107309
3321
3322         Reviewed by Filip Pizlo.
3323
3324         Changed the logic so that we insert an Int32ToDouble node when the existing edge is not SpecDouble.
3325
3326         * dfg/DFGFixupPhase.cpp:
3327         (JSC::DFG::FixupPhase::fixDoubleEdge):
3328
3329 2013-01-18  Dan Bernstein  <mitz@apple.com>
3330
3331         Tried to fix the build after r140194.
3332
3333         * API/JSWrapperMap.mm:
3334         (-[JSWrapperMap wrapperForObject:]):
3335
3336 2013-01-18  Mark Hahnenberg  <mhahnenberg@apple.com>
3337
3338         Objective-C API: Update documentation for JSValue and JSContext
3339         https://bugs.webkit.org/show_bug.cgi?id=107313
3340
3341         Reviewed by Geoffrey Garen.
3342
3343         After changing the semantics of object lifetime we need to update the API documentation to reflect the new semantics.
3344
3345         * API/APIJSValue.h:
3346         * API/JSContext.h:
3347
3348 2013-01-18  Balazs Kilvady  <kilvadyb@homejinni.com>
3349
3350         r134080 causes heap problem on linux systems where PAGESIZE != 4096
3351         https://bugs.webkit.org/show_bug.cgi?id=102828
3352
3353         Reviewed by Mark Hahnenberg.
3354
3355         Make MarkStackSegment::blockSize the capacity of segments of a MarkStackArray.
3356
3357         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
3358         * heap/MarkStack.cpp:
3359         (JSC):
3360         (JSC::MarkStackArray::MarkStackArray):
3361         (JSC::MarkStackArray::expand):
3362         (JSC::MarkStackArray::donateSomeCellsTo):
3363         (JSC::MarkStackArray::stealSomeCellsFrom):
3364         * heap/MarkStack.h:
3365         (JSC::MarkStackSegment::data):
3366         (CapacityFromSize):
3367         (MarkStackArray):
3368         * heap/MarkStackInlines.h:
3369         (JSC::MarkStackArray::setTopForFullSegment):
3370         (JSC::MarkStackArray::append):
3371         (JSC::MarkStackArray::isEmpty):
3372         (JSC::MarkStackArray::size):
3373         * runtime/Options.h:
3374         (JSC):
3375
3376 2013-01-18  Geoffrey Garen  <ggaren@apple.com>
3377
3378         Weak GC maps should be easier to use
3379         https://bugs.webkit.org/show_bug.cgi?id=107312
3380
3381         Reviewed by Sam Weinig.
3382
3383         This patch changes WeakGCMap to not use a WeakImpl finalizer to remove
3384         items from the map, and to instead have the map automatically remove
3385         stale items itself upon insertion. This has a few advantages:
3386
3387         (1) WeakGCMap is now compatible with all the specializations you would
3388         use for HashMap.