9033fea8fbbff6011f5d094570797664fb349b1e
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2012-07-31  Filip Pizlo  <fpizlo@apple.com>
2
3         DFG OSR exit profiling has unusual oversights
4         https://bugs.webkit.org/show_bug.cgi?id=92728
5
6         Reviewed by Geoffrey Garen.
7
8         * dfg/DFGOSRExit.cpp:
9         (JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow):
10         * dfg/DFGSpeculativeJIT.h:
11         (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
12         * dfg/DFGSpeculativeJIT32_64.cpp:
13         (JSC::DFG::SpeculativeJIT::compile):
14         * dfg/DFGSpeculativeJIT64.cpp:
15         (JSC::DFG::SpeculativeJIT::compile):
16
17 2012-07-31  Chao-ying Fu  <fu@mips.com>
18
19         Add MIPS add32 function
20         https://bugs.webkit.org/show_bug.cgi?id=91522
21
22         Reviewed by Oliver Hunt.
23
24         Add isCompactPtrAlignedAddressOffset.
25         Add a new version of add32 that accepts AbsoluteAddress as inputs.
26
27         * assembler/MacroAssemblerMIPS.h:
28         (JSC::MacroAssemblerMIPS::isCompactPtrAlignedAddressOffset): New.
29         (MacroAssemblerMIPS):
30         (JSC::MacroAssemblerMIPS::add32): Support AbsoluteAddress as inputs.
31
32 2012-07-30  Sheriff Bot  <webkit.review.bot@gmail.com>
33
34         Unreviewed, rolling out r124123.
35         http://trac.webkit.org/changeset/124123
36         https://bugs.webkit.org/show_bug.cgi?id=92700
37
38         ASSERT crashes terminate webkit Layout tests (Requested by
39         msaboff on #webkit).
40
41         * heap/Heap.cpp:
42         * heap/Heap.h:
43         (Heap):
44         * heap/IncrementalSweeper.cpp:
45         (JSC::IncrementalSweeper::doSweep):
46         (JSC::IncrementalSweeper::startSweeping):
47         (JSC::IncrementalSweeper::IncrementalSweeper):
48         (JSC):
49         * heap/IncrementalSweeper.h:
50         (IncrementalSweeper):
51         * heap/MarkedAllocator.cpp:
52         (JSC::MarkedAllocator::tryAllocateHelper):
53         (JSC::MarkedAllocator::addBlock):
54         * heap/MarkedAllocator.h:
55         (JSC::MarkedAllocator::zapFreeList):
56         * heap/MarkedBlock.cpp:
57         (JSC::MarkedBlock::sweepHelper):
58         * heap/MarkedSpace.cpp:
59         * heap/MarkedSpace.h:
60         (JSC::MarkedSpace::sweep):
61         (JSC):
62         * runtime/JSGlobalData.cpp:
63         (JSC::JSGlobalData::~JSGlobalData):
64
65 2012-07-30  Mark Hahnenberg  <mhahnenberg@apple.com>
66
67         Structures should be swept after all other objects
68         https://bugs.webkit.org/show_bug.cgi?id=92679
69
70         Reviewed by Filip Pizlo.
71
72         In order to get rid of ClassInfo from our objects, we need to be able to safely get the 
73         ClassInfo during the destruction of objects. We'd like to get the ClassInfo out of the 
74         Structure, but currently it is not safe to do so because the order of destruction of objects 
75         is not guaranteed to sweep objects before their corresponding Structure. We can fix this by 
76         sweeping Structures after everything else.
77
78         * heap/Heap.cpp:
79         (JSC::Heap::isSafeToSweepStructures): Add a function that checks if it is safe to sweep Structures.
80         If the Heap's IncrementalSweeper member is null, that means we're shutting down this VM and it is 
81         safe to sweep structures since we'll always do Structures last anyway due to the ordering of 
82         MarkedSpace::forEachBlock.
83         (JSC):
84         (JSC::Heap::didStartVMShutdown): Add this intermediate function to the Heap that ~JSGlobalData now
85         calls rather than calling the two HeapTimer objects individually. This allows the Heap to null out 
86         these pointers after it has invalidated them to prevent accidental use-after-free in the sweep() 
87         calls during lastChanceToFinalize().
88         * heap/Heap.h:
89         (Heap):
90         * heap/HeapTimer.h:
91         (HeapTimer):
92         * heap/IncrementalSweeper.cpp:
93         (JSC::IncrementalSweeper::structuresCanBeSwept): Determines if it is currently safe to sweep Structures.
94         This decision is based on whether we have gotten to the end of the vector of blocks that need sweeping
95         the first time.
96         (JSC):
97         (JSC::IncrementalSweeper::doSweep): We add a second pass over the vector to sweep Structures after we 
98         make our first pass. We now null out the slots as we sweep them so that we can quickly find the 
99         Structures during the second pass.
100         (JSC::IncrementalSweeper::startSweeping): Initialize our new Structure sweeping index.
101         (JSC::IncrementalSweeper::willFinishSweeping): Callback that is called by MarkedSpace::sweep to notify 
102         the IncrementalSweeper that we are going to sweep all of the remaining blocks in the Heap so it can 
103         assume that everything is taken care of in the correct order. Since MarkedSpace::forEachBlock 
104         iterates over the Structure blocks after all other blocks, the ordering property for sweeping Structures holds.
105         (JSC::IncrementalSweeper::IncrementalSweeper): Initialize Structure sweeping index.
106         * heap/IncrementalSweeper.h: Add declarations for new stuff.
107         (IncrementalSweeper):
108         * heap/MarkedAllocator.cpp:
109         (JSC::MarkedAllocator::tryAllocateHelper): We now check if the current block only contains structures; 
110         if so, and it isn't safe to sweep Structures according to the Heap, we just return early instead of doing 
111         the normal lazy sweep. If this proves to be too much of a waste in the future we can add an extra clause that 
112         will sweep some number of other blocks in place of the current block to mitigate the cost of the floating 
113         Structure garbage.
114         (JSC::MarkedAllocator::addBlock):
115         * heap/MarkedAllocator.h:
116         (JSC::MarkedAllocator::zapFreeList): When we zap the free list in the MarkedAllocator, the current block is no 
117         longer valid to allocate from, so we set the current block to null.
118         * heap/MarkedBlock.cpp:
119         (JSC::MarkedBlock::sweepHelper): Added a couple assertions to make sure that we weren't trying to sweep Structures
120         at an unsafe time.
121         * heap/MarkedSpace.cpp:
122         (JSC::MarkedSpace::sweep): Notify the IncrementalSweeper that the MarkedSpace will finish all currently remaining sweeping.
123         (JSC): 
124         * heap/MarkedSpace.h:
125         (JSC):
126         * runtime/JSGlobalData.cpp:
127         (JSC::JSGlobalData::~JSGlobalData): Call the new Heap::didStartVMShutdown.
128
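The two entries above describe the same mechanism from two sides: Structures get their own MarkedAllocator, and the sweeper is taught to sweep every other block before any Structure block (two passes over one vector, nulling slots during the first pass so the second pass only sees Structures), with the allocator's lazy sweep refusing Structure blocks until that is safe. The following is an added, stand-alone model of that ordering, not JavaScriptCore code: Block, isSafeToSweepStructures, tryLazySweep and sweepAllInOrder are hypothetical stand-ins for MarkedBlock, Heap::isSafeToSweepStructures, the lazy sweep in MarkedAllocator::tryAllocateHelper and IncrementalSweeper::doSweep, and the six-block heap is a constructed sample.

```cpp
#include <cstddef>
#include <vector>

// Toy model of a MarkedBlock: only the two facts the sweeper cares about.
// (Constructed for this example; not JSC's MarkedBlock.)
struct Block {
    bool onlyContainsStructures;
    bool swept;
};

// Stand-in for Heap::isSafeToSweepStructures(): Structures may only be swept
// once the first pass over all non-Structure blocks is done, or when the VM is
// shutting down and MarkedSpace::sweep() will finish everything in order anyway.
inline bool isSafeToSweepStructures(bool firstPassDone, bool vmShuttingDown) {
    return firstPassDone || vmShuttingDown;
}

// Lazy sweep attempted by an allocator that wants a free list from `block`.
// Returns false when the block holds only Structures and sweeping them now would
// be unsafe; the caller then has to look elsewhere instead of sweeping this block.
inline bool tryLazySweep(Block& block, bool firstPassDone, bool vmShuttingDown) {
    if (block.onlyContainsStructures && !isSafeToSweepStructures(firstPassDone, vmShuttingDown))
        return false;
    block.swept = true;
    return true;
}

// Two passes over one vector of blocks. Pass 1 sweeps every non-Structure block
// and nulls its slot; pass 2 only has to visit the slots still non-null, which
// are exactly the Structure blocks. Returns the block indices in sweep order.
std::vector<size_t> sweepAllInOrder(std::vector<Block*>& blocks) {
    std::vector<size_t> order;
    for (size_t i = 0; i < blocks.size(); ++i) {           // pass 1: ordinary objects
        Block* b = blocks[i];
        if (!b || b->onlyContainsStructures) continue;
        b->swept = true;
        order.push_back(i);
        blocks[i] = nullptr;                               // mark slot done
    }
    for (size_t i = 0; i < blocks.size(); ++i) {           // pass 2: Structures only
        Block* b = blocks[i];
        if (!b) continue;
        b->swept = true;
        order.push_back(i);
        blocks[i] = nullptr;
    }
    return order;
}

// The invariant the patch relies on: no Structure block is swept before the
// last non-Structure block. `isStructure[i]` describes block i.
bool structuresSweptLast(const std::vector<size_t>& order, const std::vector<bool>& isStructure) {
    bool seenStructure = false;
    for (size_t idx : order) {
        if (isStructure[idx]) seenStructure = true;
        else if (seenStructure) return false;              // object swept after a Structure
    }
    return true;
}

// Constructed sample heap: objects and Structures interleaved in allocation order.
std::vector<size_t> runDemo() {
    static Block pool[6] = { {false, false}, {true, false}, {false, false},
                             {true, false},  {true, false}, {false, false} };
    std::vector<Block*> blocks;
    for (Block& b : pool) { b.swept = false; blocks.push_back(&b); }
    return sweepAllInOrder(blocks);
}

bool demoSweepsStructuresLast() {
    std::vector<bool> isStructure = {false, true, false, true, true, false};
    return structuresSweptLast(runDemo(), isStructure);
}

size_t demoSweepOrderAt(size_t k) {
    std::vector<size_t> o = runDemo();
    return k < o.size() ? o[k] : static_cast<size_t>(-1);
}

// The allocator-side gate: a Structure block is skipped until it is safe, an
// ordinary block can always be lazily swept.
bool lazySweepRespectsSafety() {
    Block s = {true, false};
    bool skipped = !tryLazySweep(s, false, false) && !s.swept;
    bool sweptWhenSafe = tryLazySweep(s, true, false) && s.swept;
    Block o = {false, false};
    bool objectAlwaysSweepable = tryLazySweep(o, false, false);
    return skipped && sweptWhenSafe && objectAlwaysSweepable;
}
```

The point to take from the model is the null-out trick: because pass 1 clears every slot it handles, pass 2 does not need to re-test block kinds, and a block that is still non-null after pass 1 is a Structure block by construction. The allocator gate is what keeps a lazy sweep from breaking that order while the incremental sweeper is still mid-way through pass 1.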
129 2012-07-29  Filip Pizlo  <fpizlo@apple.com>
130
131         PropertyNameArray::m_shouldCache is only assigned and never used
132         https://bugs.webkit.org/show_bug.cgi?id=92598
133
134         Reviewed by Dan Bernstein.
135
136         * runtime/PropertyNameArray.h:
137         (JSC::PropertyNameArray::PropertyNameArray):
138         (PropertyNameArray):
139
140 2012-07-29  Rik Cabanier  <cabanier@adobe.com>
141
142         Add ENABLE_CSS_COMPOSITING flag
143         https://bugs.webkit.org/show_bug.cgi?id=92553
144
145         Reviewed by Dirk Schulze.
146
147         Adds compiler flag CSS_COMPOSITING to build systems to enable CSS blending and compositing. See spec https://dvcs.w3.org/hg/FXTF/rawfile/tip/compositing/index.html
148
149         * Configurations/FeatureDefines.xcconfig:
150
151 2012-07-27  Mark Hahnenberg  <mhahnenberg@apple.com>
152
153         Split functionality of MarkedAllocator::m_currentBlock
154         https://bugs.webkit.org/show_bug.cgi?id=92550
155
156         Reviewed by Filip Pizlo.
157
158         MarkedAllocator::m_currentBlock serves two purposes right now; it indicates the block that is currently 
159         being used for allocation and the beginning of the list of blocks that need to be swept. We should split 
160         these two functionalities into two separate fields.
161
162         * heap/MarkedAllocator.cpp:
163         (JSC::MarkedAllocator::tryAllocateHelper): Use m_blocksToSweep instead of m_currentBlock as the 
164         initializer/reference of the loop. Only change m_currentBlock when we know what the result will be.
165         (JSC::MarkedAllocator::addBlock): When we add a new block we know that both m_blocksToSweep and 
166         m_currentBlock are null. In order to preserve the invariant that m_currentBlock <= m_blocksToSweep, 
167         we assign both of them to point to the new block.
168         (JSC::MarkedAllocator::removeBlock): We need a separate check to see if the block we're removing is 
169         m_blocksToSweep and if so, advance it to the next block in the list.
170         * heap/MarkedAllocator.h:
171         (MarkedAllocator): Initialize m_blocksToSweep.
172         (JSC::MarkedAllocator::MarkedAllocator):
173         (JSC::MarkedAllocator::reset): We set m_blocksToSweep to be the head of our list. This function is called
174         at the end of a collection, so all of the blocks in our allocator need to be swept. We need to sweep a 
175         block before we can start allocating, so m_currentBlock is set to null. We also set the freeList to 
176         the empty FreeList to emphasize the fact that we can't start allocating until we do some sweeping.
177
178 2012-07-27  Mark Hahnenberg  <mhahnenberg@apple.com>
179
180         Increase inline storage for JSFinalObjects by one
181         https://bugs.webkit.org/show_bug.cgi?id=92526
182
183         Reviewed by Geoffrey Garen.
184
185         Now that we've removed the inheritorID from objects, we can increase our inline storage for JSFinalObjects on 
186         64-bit platforms by 1.
187
188         * llint/LowLevelInterpreter.asm: Change the constant.
189         * runtime/PropertyOffset.h: Change the constant.
190         (JSC):
191
192 2012-07-27  Jer Noble  <jer.noble@apple.com>
193
194         Support a rational time class for use by media elements.
195         https://bugs.webkit.org/show_bug.cgi?id=88787
196
197         Re-export WTF::MediaTime from JavaScriptCore.
198
199         Reviewed by Eric Carlson.
200
201         * JavaScriptCore.order:
202         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
203
204 2012-07-26  Filip Pizlo  <fpizlo@apple.com>
205
206         JSObject::reallocateStorageIfNecessary is neither used nor defined
207         https://bugs.webkit.org/show_bug.cgi?id=92417
208
209         Reviewed by Mark Rowe.
210
211         * runtime/JSObject.h:
212         (JSObject):
213
214 2012-07-26  Mark Hahnenberg  <mhahnenberg@apple.com>
215
216         Allocate Structures in a separate part of the Heap
217         https://bugs.webkit.org/show_bug.cgi?id=92420
218
219         Reviewed by Filip Pizlo.
220
221         To fix our issue with destruction/finalization of Structures before their objects, we can move Structures to a separate 
222         part of the Heap that will be swept after all other objects. This first patch will just be separating Structures 
223         out into their own separate MarkedAllocator. Everything else will behave identically.
224
225         * heap/Heap.h: New function to allocate Structures in the Heap.
226         (Heap):
227         (JSC):
228         (JSC::Heap::allocateStructure):
229         * heap/MarkedAllocator.cpp: Pass whether or not we're allocating Structures to the MarkedBlock.
230         (JSC::MarkedAllocator::allocateBlock):
231         * heap/MarkedAllocator.h: Add tracking for whether or not we're allocating only Structures.
232         (JSC::MarkedAllocator::onlyContainsStructures):
233         (MarkedAllocator):
234         (JSC::MarkedAllocator::MarkedAllocator):
235         (JSC::MarkedAllocator::init):
236         * heap/MarkedBlock.cpp: Add tracking for whether or not we're allocating only Structures. We need this to be able to 
237         distinguish the various MarkedBlock types in MarkedSpace::allocatorFor(MarkedBlock*).
238         (JSC::MarkedBlock::create):
239         (JSC::MarkedBlock::MarkedBlock):
240         * heap/MarkedBlock.h:
241         (MarkedBlock):
242         (JSC::MarkedBlock::onlyContainsStructures):
243         (JSC):
244         * heap/MarkedSpace.cpp: Include the new Structure allocator in all the places that all the other allocators are used/modified.
245         (JSC::MarkedSpace::MarkedSpace):
246         (JSC::MarkedSpace::resetAllocators):
247         (JSC::MarkedSpace::canonicalizeCellLivenessData):
248         (JSC::MarkedSpace::isPagedOut):
249         * heap/MarkedSpace.h: Add new MarkedAllocator just for Structures.
250         (MarkedSpace):
251         (JSC::MarkedSpace::allocatorFor):
252         (JSC::MarkedSpace::allocateStructure):
253         (JSC):
254         (JSC::MarkedSpace::forEachBlock):
255         * runtime/Structure.h: Move all of the functions that call allocateCell<Structure> down below the explicit template specialization
256         for allocateCell<Structure>. The new inline specialization for allocateCell directly calls the allocateStructure() function in the
257         Heap.
258         (Structure):
259         (JSC::Structure):
260         (JSC):
261         (JSC::Structure::create):
262         (JSC::Structure::createStructure):
263
264 2012-07-26  Filip Pizlo  <fpizlo@apple.com>
265
266         JSArray has methods that are neither used nor defined
267         https://bugs.webkit.org/show_bug.cgi?id=92416
268
269         Reviewed by Simon Fraser.
270
271         * runtime/JSArray.h:
272         (JSArray):
273
274 2012-07-26  Zoltan Herczeg  <zherczeg@webkit.org>
275
276         [Qt][ARM]ARMAssembler needs buildfix after r123417
277         https://bugs.webkit.org/show_bug.cgi?id=92086
278
279         Reviewed by Csaba Osztrogonác.
280
281         The ARM implementation of this should-be-optimized code path
282         is covered by a non-optimized code path. This patch fixes this,
283         and adds a new function which returns the offset range.
284
285         * assembler/ARMAssembler.h:
286         (JSC::ARMAssembler::readPointer):
287         (ARMAssembler):
288         (JSC::ARMAssembler::repatchInt32):
289         (JSC::ARMAssembler::repatchCompact):
290         * assembler/MacroAssemblerARM.h:
291         (MacroAssemblerARM):
292         (JSC::MacroAssemblerARM::isCompactPtrAlignedAddressOffset):
293         (JSC::MacroAssemblerARM::load32WithCompactAddressOffsetPatch):
294
295 2012-07-25  Mark Hahnenberg  <mhahnenberg@apple.com>
296
297         Build fix for 32-bit after r123682
298
299         * runtime/JSObject.h: Need to pad out JSObjects on 32-bit so that they're the correct size since
300         we only removed one 4-byte word and we need to be 8-byte aligned.
301         (JSObject):
302
303 2012-07-25  Filip Pizlo  <fpizlo@apple.com>
304
305         JSC GC object copying APIs should allow for greater flexibility
306         https://bugs.webkit.org/show_bug.cgi?id=92316
307
308         Reviewed by Mark Hahnenberg.
309
310         It's now the case that visitChildren() methods can directly pin and allocate in new space during copying.
311         They can also do the copying and marking themselves. This new API is only used for JSObjects for now.
312
313         * JavaScriptCore.xcodeproj/project.pbxproj:
314         * heap/MarkStack.cpp:
315         (JSC::SlotVisitor::allocateNewSpaceSlow):
316         (JSC::SlotVisitor::allocateNewSpaceOrPin):
317         (JSC):
318         (JSC::SlotVisitor::copyAndAppend):
319         * heap/MarkStack.h:
320         (MarkStack):
321         (JSC::MarkStack::appendUnbarrieredValue):
322         (JSC):
323         * heap/SlotVisitor.h:
324         * heap/SlotVisitorInlineMethods.h: Added.
325         (JSC):
326         (JSC::SlotVisitor::checkIfShouldCopyAndPinOtherwise):
327         (JSC::SlotVisitor::allocateNewSpace):
328         * runtime/JSObject.cpp:
329         (JSC::JSObject::visitOutOfLineStorage):
330         (JSC):
331         (JSC::JSObject::visitChildren):
332         (JSC::JSFinalObject::visitChildren):
333         * runtime/JSObject.h:
334         (JSObject):
335
336 2012-07-25  Mark Hahnenberg  <mhahnenberg@apple.com>
337
338         Remove JSObject::m_inheritorID
339         https://bugs.webkit.org/show_bug.cgi?id=88378
340
341         Reviewed by Filip Pizlo.
342
343         This is rarely used, and not performance critical (the commonly accessed copy is cached on JSFunction),
344         and most objects don't need an inheritorID (this value is only used if the object is used as a prototype).
345         Instead use a private named value in the object's property storage.
346
347         * dfg/DFGSpeculativeJIT.h:
348         (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject): No need to initialize m_inheritorID!
349         * jit/JITInlineMethods.h:
350         (JSC::JIT::emitAllocateBasicJSObject): No need to initialize m_inheritorID!
351         * llint/LowLevelInterpreter.asm: No need to initialize m_inheritorID!
352         * runtime/JSGlobalData.h:
353         (JSGlobalData): Added private name 'm_inheritorIDKey'.
354         * runtime/JSGlobalThis.cpp:
355         (JSC::JSGlobalThis::setUnwrappedObject): resetInheritorID is now passed a JSGlobalData&.
356         * runtime/JSObject.cpp:
357         (JSC::JSObject::visitChildren): No m_inheritorID to be marked.
358         (JSC::JSFinalObject::visitChildren): No m_inheritorID to be marked.
359         (JSC::JSObject::createInheritorID): Store the newly created inheritorID in the property map. Make sure 
360         it's got the DontEnum attribute!!
361         * runtime/JSObject.h:
362         (JSObject):
363         (JSC::JSObject::resetInheritorID): Remove the inheritorID from property storage.
364         (JSC):
365         (JSC::JSObject::inheritorID): Read the inheritorID from property storage.
366
367 2012-07-25  Caio Marcelo de Oliveira Filho  <caio.oliveira@openbossa.org>
368
369         Create a specialized pair for use in HashMap iterators
370         https://bugs.webkit.org/show_bug.cgi?id=92137
371
372         Reviewed by Ryosuke Niwa.
373
374         Update a couple of sites that relied on the fact that "contents" of iterators were
375         std::pairs.
376
377         * profiler/Profile.cpp:
378         (JSC): This code kept a vector of the pairs that were the "contents" of the iterators. This
379         is changed to use a KeyValuePair. We make use of HashCount's ValueType (which represents only
380         the key) to get the proper key parameter for KeyValuePair.
381         * tools/ProfileTreeNode.h:
382         (ProfileTreeNode): Use HashMap::ValueType to declare the type of the contents of the hash
383         instead of declaring it manually. This will make use of the new KeyValuePair.
384
385 2012-07-25  Patrick Gansterer  <paroga@webkit.org>
386
387         REGRESSION(r123505): Date.getYear() returns the same as Date.getFullYear()
388         https://bugs.webkit.org/show_bug.cgi?id=92218
389
390         Reviewed by Csaba Osztrogonác.
391
392         * runtime/DatePrototype.cpp:
393         (JSC::dateProtoFuncGetYear): Added the missing offset of 1900 to the return value.
394
395 2012-07-24  Filip Pizlo  <fpizlo@apple.com>
396
397         REGRESSION(r123417): It made tests assert/crash on 32 bit
398         https://bugs.webkit.org/show_bug.cgi?id=92088
399
400         Reviewed by Mark Hahnenberg.
401
402         The pointer arithmetic was wrong, because negative numbers are hard to think about.
403
404         * dfg/DFGRepatch.cpp:
405         (JSC::DFG::emitPutTransitionStub):
406         * dfg/DFGSpeculativeJIT.cpp:
407         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
408
409 2012-07-24  Patrick Gansterer  <paroga@webkit.org>
410
411         Store the full year in GregorianDateTime
412         https://bugs.webkit.org/show_bug.cgi?id=92067
413
414         Reviewed by Geoffrey Garen.
415
416         Use the full year instead of the offset from year 1900
417         for the year member variable of GregorianDateTime.
418
419         * runtime/DateConstructor.cpp:
420         (JSC::constructDate):
421         (JSC::dateUTC):
422         * runtime/DateConversion.cpp:
423         (JSC::formatDate):
424         (JSC::formatDateUTCVariant):
425         * runtime/DatePrototype.cpp:
426         (JSC::formatLocaleDate):
427         (JSC::fillStructuresUsingDateArgs):
428         (JSC::dateProtoFuncToISOString):
429         (JSC::dateProtoFuncGetFullYear):
430         (JSC::dateProtoFuncGetUTCFullYear):
431         (JSC::dateProtoFuncSetYear):
432         * runtime/JSDateMath.cpp:
433         (JSC::gregorianDateTimeToMS):
434         (JSC::msToGregorianDateTime):
435
436 2012-07-24  Patrick Gansterer  <paroga@webkit.org>
437
438         [WIN] Build fix after r123417.
439
440         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
441
442 2012-07-23  Patrick Gansterer  <paroga@webkit.org>
443
444         Move GregorianDateTime from JSC to WTF namespace
445         https://bugs.webkit.org/show_bug.cgi?id=91948
446
447         Reviewed by Geoffrey Garen.
448
449         Moving GregorianDateTime into the WTF namespace allows us to
450         use it in WebCore too. The new class has the same behaviour as the
451         old struct. Only the unused timeZone member has been removed.
452
453         * runtime/DateConstructor.cpp:
454         * runtime/DateConversion.cpp:
455         * runtime/DateConversion.h:
456         * runtime/DateInstance.h:
457         * runtime/DatePrototype.cpp:
458         * runtime/JSDateMath.cpp:
459         * runtime/JSDateMath.h:
460
461 2012-07-23  Filip Pizlo  <fpizlo@apple.com>
462
463         Property storage should grow in reverse address direction, to support butterflies
464         https://bugs.webkit.org/show_bug.cgi?id=91788
465
466         Reviewed by Geoffrey Garen.
467
468         Changes property storage to grow to the left, and changes the property storage pointer to point
469         one 8-byte word (i.e. JSValue) to the right of the first value in the storage.
470         
471         Also improved debug support somewhat, by adding a describe() function to the jsc command-line,
472         and a slow mode of object access in LLInt.
473
474         * assembler/ARMv7Assembler.h:
475         (JSC::ARMv7Assembler::repatchCompact):
476         * assembler/MacroAssemblerARMv7.h:
477         (MacroAssemblerARMv7):
478         (JSC::MacroAssemblerARMv7::isCompactPtrAlignedAddressOffset):
479         (JSC::MacroAssemblerARMv7::load32WithCompactAddressOffsetPatch):
480         * assembler/MacroAssemblerX86Common.h:
481         (JSC::MacroAssemblerX86Common::isCompactPtrAlignedAddressOffset):
482         (JSC::MacroAssemblerX86Common::repatchCompact):
483         * assembler/X86Assembler.h:
484         (JSC::X86Assembler::repatchCompact):
485         * bytecode/CodeBlock.cpp:
486         (JSC::dumpStructure):
487         * bytecode/GetByIdStatus.h:
488         (JSC::GetByIdStatus::GetByIdStatus):
489         * dfg/DFGOperations.cpp:
490         * dfg/DFGOperations.h:
491         * dfg/DFGRepatch.cpp:
492         (JSC::DFG::tryCacheGetByID):
493         (JSC::DFG::emitPutTransitionStub):
494         * dfg/DFGSpeculativeJIT.cpp:
495         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
496         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
497         * dfg/DFGSpeculativeJIT.h:
498         (JSC::DFG::SpeculativeJIT::callOperation):
499         * dfg/DFGSpeculativeJIT32_64.cpp:
500         (JSC::DFG::SpeculativeJIT::compile):
501         * dfg/DFGSpeculativeJIT64.cpp:
502         (JSC::DFG::SpeculativeJIT::compile):
503         * heap/ConservativeRoots.cpp:
504         (JSC::ConservativeRoots::genericAddPointer):
505         * heap/CopiedSpace.h:
506         (CopiedSpace):
507         * heap/CopiedSpaceInlineMethods.h:
508         (JSC::CopiedSpace::pinIfNecessary):
509         (JSC):
510         * jit/JITPropertyAccess.cpp:
511         (JSC::JIT::compileGetDirectOffset):
512         * jit/JITPropertyAccess32_64.cpp:
513         (JSC::JIT::compileGetDirectOffset):
514         * jit/JITStubs.cpp:
515         (JSC::JITThunks::tryCacheGetByID):
516         * jsc.cpp:
517         (GlobalObject::finishCreation):
518         (functionDescribe):
519         * llint/LLIntCommon.h:
520         * llint/LLIntSlowPaths.cpp:
521         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
522         * llint/LowLevelInterpreter32_64.asm:
523         * llint/LowLevelInterpreter64.asm:
524         * runtime/JSObject.cpp:
525         (JSC::JSObject::visitChildren):
526         (JSC::JSFinalObject::visitChildren):
527         (JSC::JSObject::growOutOfLineStorage):
528         * runtime/JSObject.h:
529         (JSC::JSObject::getDirectLocation):
530         (JSC::JSObject::offsetForLocation):
531         * runtime/JSValue.h:
532         (JSValue):
533         * runtime/PropertyOffset.h:
534         (JSC::offsetInOutOfLineStorage):
535
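The entry above changes out-of-line property storage to grow toward lower addresses, with the object's storage pointer sitting one 8-byte word to the right of the first value, and the later "REGRESSION(r123417)" entry shows how easy it is to get the resulting negative offsets wrong. The following is an added, stand-alone model of that layout, not JavaScriptCore code: Slot, OutOfLineStorage, byteOffsetForProperty, growStorage and loadViaOffset are hypothetical stand-ins for JSValue, the property storage, offsetInOutOfLineStorage and JSObject::growOutOfLineStorage, and the exact JSC offset formula is not reproduced, only the invariant that every property keeps its negative offset from the storage pointer across reallocation.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>

// One 8-byte slot, standing in for a JSValue (constructed for this example).
typedef uint64_t Slot;

// Out-of-line storage that grows toward lower addresses. `storage` is the
// pointer the object keeps: it points one slot to the RIGHT of the first value,
// so property i lives at storage[-1 - i] and that offset never changes.
struct OutOfLineStorage {
    Slot* base;       // lowest address of the allocation
    Slot* storage;    // base + capacity; what the object itself would hold
    size_t capacity;  // number of slots
};

// Byte offset of out-of-line property i relative to `storage` (always negative).
// Hypothetical analogue of offsetInOutOfLineStorage, not the JSC formula.
inline ptrdiff_t byteOffsetForProperty(size_t i) {
    return -static_cast<ptrdiff_t>((i + 1) * sizeof(Slot));
}

inline Slot* slotForProperty(const OutOfLineStorage& s, size_t i) {
    return s.storage - 1 - i;
}

void initStorage(OutOfLineStorage& s) { s.base = nullptr; s.storage = nullptr; s.capacity = 0; }

void destroyStorage(OutOfLineStorage& s) { free(s.base); initStorage(s); }

// Grow to `newCapacity` slots. Existing values are copied to the HIGH end of the
// new block so every property keeps its offset from `storage`; the fresh slots
// appear at the low end, i.e. the storage grows to the left.
bool growStorage(OutOfLineStorage& s, size_t newCapacity) {
    if (newCapacity <= s.capacity) return false;
    Slot* newBase = static_cast<Slot*>(calloc(newCapacity, sizeof(Slot)));
    if (!newBase) return false;
    Slot* newStorage = newBase + newCapacity;
    if (s.capacity) {
        memcpy(newStorage - s.capacity, s.base, s.capacity * sizeof(Slot));
        free(s.base);
    }
    s.base = newBase;
    s.storage = newStorage;
    s.capacity = newCapacity;
    return true;
}

// Reads property i the way a JIT-emitted load would: a fixed byte offset
// applied to the storage pointer. Returns 0 if i is out of range.
Slot loadViaOffset(const OutOfLineStorage& s, size_t i) {
    if (i >= s.capacity) return 0;
    const char* p = reinterpret_cast<const char*>(s.storage) + byteOffsetForProperty(i);
    Slot v;
    memcpy(&v, p, sizeof v);
    return v;
}

// Demo: store three values, grow the storage, and confirm every value is still
// found at the same offset while the new slots sit below the old ones.
bool demoOffsetsSurviveGrowth() {
    OutOfLineStorage s;
    initStorage(s);
    if (!growStorage(s, 4)) return false;
    for (size_t i = 0; i < 3; ++i) *slotForProperty(s, i) = 0x1000 + i;
    if (!growStorage(s, 16)) return false;
    bool ok = true;
    for (size_t i = 0; i < 3; ++i)
        ok = ok && loadViaOffset(s, i) == 0x1000 + i;       // offsets still resolve after the move
    ok = ok && slotForProperty(s, 15) == s.base;            // newest slot is the lowest address
    ok = ok && byteOffsetForProperty(0) == -8 && byteOffsetForProperty(2) == -24;
    destroyStorage(s);
    return ok;
}
```

The part worth checking in any reallocation path is the memcpy destination: the old block must land at newStorage - oldCapacity, not at newBase, or every property's offset silently shifts by (newCapacity - oldCapacity) slots while the JIT keeps loading from the old offsets.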
536 2012-07-23  Filip Pizlo  <fpizlo@apple.com>
537
538         DFG is too aggressive in performing the specific value optimization on loads
539         https://bugs.webkit.org/show_bug.cgi?id=92034
540
541         Reviewed by Mark Hahnenberg.
542
543         This ensures that we don't do optimizations based on a structure having a specific
544         value, if there is no way to detect that the value is despecified. This is the
545         case for dictionaries, since despecifying a value in a dictionary does not lead to
546         a transition and so cannot be caught by either structure checks or structure
547         transition watchpoints.
548
549         * bytecode/GetByIdStatus.cpp:
550         (JSC::GetByIdStatus::computeFromLLInt):
551         (JSC::GetByIdStatus::computeForChain):
552         (JSC::GetByIdStatus::computeFor):
553         * bytecode/ResolveGlobalStatus.cpp:
554         (JSC::computeForStructure):
555
556 2012-07-23  Filip Pizlo  <fpizlo@apple.com>
557
558         REGRESSION(r123169): It made fast/js/dfg-inline-arguments-use-from-uninlined-code.html fail on 32 bit platforms
559         https://bugs.webkit.org/show_bug.cgi?id=92002
560
561         Reviewed by Mark Hahnenberg.
562         
563         In the process of changing the nature of local variable typing, I forgot to modify one of the places where
564         we glue the DFG's notion of variable prediction to the runtime's notion of variable tagging.
565
566         * dfg/DFGSpeculativeJIT.cpp:
567         (JSC::DFG::SpeculativeJIT::compile):
568
569 2012-07-23  Simon Fraser  <simon.fraser@apple.com>
570
571         Part 2 of: Implement sticky positioning
572         https://bugs.webkit.org/show_bug.cgi?id=90046
573
574         Reviewed by Ojan Vafai.
575
576         Turn on ENABLE_CSS_STICKY_POSITION.
577
578         * Configurations/FeatureDefines.xcconfig:
579
580 2012-07-23  Patrick Gansterer  <paroga@webkit.org>
581
582         Move JSC::parseDate() from DateConversion to JSDateMath
583         https://bugs.webkit.org/show_bug.cgi?id=91982
584
585         Reviewed by Geoffrey Garen.
586
587         Moving this function into the other files removes the dependency
588         on JSC-specific classes in DateConversion.{cpp|h}.
589
590         * runtime/DateConversion.cpp:
591         * runtime/DateConversion.h:
592         (JSC):
593         * runtime/JSDateMath.cpp:
594         (JSC::parseDate):
595         (JSC):
596         * runtime/JSDateMath.h:
597         (JSC):
598
599 2012-07-23  Simon Fraser  <simon.fraser@apple.com>
600
601         Part 1 of: Implement sticky positioning
602         https://bugs.webkit.org/show_bug.cgi?id=90046
603
604         Reviewed by Ojan Vafai.
605
606         Add ENABLE_CSS_STICKY_POSITION, defaulting to off initially.
607         
608         Sort the ENABLE_CSS lines in the file. Make sure all the flags
609         are in FEATURE_DEFINES.
610
611         * Configurations/FeatureDefines.xcconfig:
612
613 2012-07-23  Yong Li  <yoli@rim.com>
614
615         [BlackBerry] Implement GCActivityCallback with platform timer
616         https://bugs.webkit.org/show_bug.cgi?id=90175
617
618         Reviewed by Rob Buis.
619
620         Use JSLock when performing GC to avoid assertions.
621
622         * runtime/GCActivityCallbackBlackBerry.cpp:
623         (JSC::DefaultGCActivityCallback::doWork):
624
625 2012-07-23  Kent Tamura  <tkent@chromium.org>
626
627         Rename ENABLE_METER_TAG and ENABLE_PROGRESS_TAG to ENABLE_METER_ELEMENT and ENABLE_PROGRESS_ELEMENT respectively
628         https://bugs.webkit.org/show_bug.cgi?id=91941
629
630         Reviewed by Kentaro Hara.
631
632         A flag name for an element should be ENABLE_*_ELEMENT.
633
634         * Configurations/FeatureDefines.xcconfig:
635
636 2012-07-22  Kent Tamura  <tkent@chromium.org>
637
638         Rename ENABLE_DETAILS to ENABLE_DETAILS_ELEMENT
639         https://bugs.webkit.org/show_bug.cgi?id=91928
640
641         Reviewed by Kentaro Hara.
642
643         A flag name for an element should be ENABLE_*_ELEMENT.
644
645         * Configurations/FeatureDefines.xcconfig:
646
647 2012-07-21  Patrick Gansterer  <paroga@webkit.org>
648
649         [WIN] Use GetDateFormat and GetTimeFormat instead of strftime
650         https://bugs.webkit.org/show_bug.cgi?id=83436
651
652         Reviewed by Brent Fulgham.
653
654         The MS CRT implementation of strftime calls the same two functions.
655         Using them directly avoids the overhead of parsing the format string and removes
656         the dependency on strftime() for WinCE where this function does not exist.
657
658         * runtime/DatePrototype.cpp:
659         (JSC::formatLocaleDate):
660
661 2012-07-20  Kent Tamura  <tkent@chromium.org>
662
663         Rename ENABLE_DATALIST to ENABLE_DATALIST_ELEMENT
664         https://bugs.webkit.org/show_bug.cgi?id=91846
665
666         Reviewed by Kentaro Hara.
667
668         A flag name for an element should be ENABLE_*_ELEMENT.
669
670         * Configurations/FeatureDefines.xcconfig:
671
672 2012-07-20  Han Shen  <shenhan@google.com>
673
674         [Chromium] Compilation fails under gcc 4.7
675         https://bugs.webkit.org/show_bug.cgi?id=90227
676
677         Reviewed by Tony Chang.
678
679         Disable warnings about c++0x compatibility in gcc newer than 4.6.
680
681         * JavaScriptCore.gyp/JavaScriptCore.gyp:
682
683 2012-07-18  Filip Pizlo  <fpizlo@apple.com>
684
685         DFG cell checks should be hoisted
686         https://bugs.webkit.org/show_bug.cgi?id=91717
687
688         Reviewed by Geoffrey Garen.
689
690         The DFG has always had the policy of hoisting array and integer checks to
691         the point of variable assignment. Eventually, we added doubles and booleans
692         to the mix. But cells should really be part of this as well, particularly
693         for 32-bit where accessing a known-type variable is dramatically cheaper
694         than accessing a variable whose type is only predicted but otherwise
695         unproven.
696         
697         This appears to be a definite speed-up for V8 on 32-bit, a possible speed-up
698         for Kraken, and a possible slow-down for V8 on 64-bit (around 0.2% if at
699         all). Any slow-downs can, and should, be addressed by making the hoisting
700         logic cognizant of variables that are never used in a manner that requires
701         type checks, and by sinking argument checks to the point(s) of first use.
702         
703         To make this work I had to change some OSR machinery, and special-case the
704         type predictions of the 'this' argument for constructors. OSR exit normally
705         assumes that arguments are boxed, which happens to be true because the
706         type prediction used for check hoisting is LUB'd with the type of the
707         argument that was passed in - so either the arguments are always stored to
708         with the full tag+payload, or if only the payload is stored then the tag
709         matches whatever the caller would have set. But not so with the 'this'
710         argument for constructors, which is not initialized by the caller. We
711         could make this more precise by having argument types for OSR be inferred
712         using similar machinery to other locals, but I figured that for this patch
713         I should use the surgical fix.
714
715         * assembler/MacroAssemblerX86_64.h:
716         (JSC::MacroAssemblerX86_64::branchTestPtr):
717         (MacroAssemblerX86_64):
718         * assembler/X86Assembler.h:
719         (JSC::X86Assembler::testq_rm):
720         (X86Assembler):
721         * dfg/DFGAbstractState.cpp:
722         (JSC::DFG::AbstractState::initialize):
723         (JSC::DFG::AbstractState::execute):
724         * dfg/DFGDriver.cpp:
725         (JSC::DFG::compile):
726         * dfg/DFGGraph.h:
727         (JSC::DFG::Graph::isCreatedThisArgument):
728         (Graph):
729         * dfg/DFGSpeculativeJIT.cpp:
730         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
731         * dfg/DFGSpeculativeJIT32_64.cpp:
732         (JSC::DFG::SpeculativeJIT::compile):
733         * dfg/DFGSpeculativeJIT64.cpp:
734         (JSC::DFG::SpeculativeJIT::compile):
735         * dfg/DFGValueSource.h:
736         (JSC::DFG::ValueSource::forSpeculation):
737
738 2012-07-19  Filip Pizlo  <fpizlo@apple.com>
739
740         Fast path of storage resize should be removed from property storage reallocation, since it is only useful for arrays
741         https://bugs.webkit.org/show_bug.cgi?id=91796
742
743         Reviewed by Geoffrey Garen.
744
745         * dfg/DFGRepatch.cpp:
746         (JSC::DFG::emitPutTransitionStub):
747         * dfg/DFGSpeculativeJIT.cpp:
748         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
749         * runtime/JSObject.cpp:
750         (JSC::JSObject::growOutOfLineStorage):
751
752 2012-07-19  Mark Lam  <mark.lam@apple.com>
753
754         Bug fixes and enhancements for OfflineASM annotation system.
755         https://bugs.webkit.org/show_bug.cgi?id=91690
756
757         Reviewed by Filip Pizlo.
758
759         * offlineasm/armv7.rb: added default handling of Instruction lower().
760         * offlineasm/asm.rb: added more support for annotations and more pretty printing.
761         * offlineasm/ast.rb: added more support for annotations.
762         * offlineasm/config.rb: added $preferredCommentStartColumn, simplified $enableInstrAnnotations.
763         * offlineasm/parser.rb: added more support for annotations.
764         * offlineasm/transform.rb: added more support for annotations.
765         * offlineasm/x86.rb: added default handling of Instruction lower().
766
767 2012-07-19  Patrick Gansterer  <paroga@webkit.org>
768
769         [WIN] Fix compilation of JSGlobalData.h with ENABLE(DFG_JIT)
770         https://bugs.webkit.org/show_bug.cgi?id=91243
771
772         Reviewed by Geoffrey Garen.
773
774         Disable MSVC warning 4200 "zero-sized array in struct/union" for JSC::ScratchBuffer.
775
776         * runtime/JSGlobalData.h:
777         (JSC):
778
779 2012-07-19  Mark Lam  <mark.lam@apple.com>
780
781         Fixed broken ENABLE_JIT=0 build.
782         https://bugs.webkit.org/show_bug.cgi?id=91725
783
784         Reviewed by Oliver Hunt.
785
786         * bytecode/Watchpoint.cpp:
787         * heap/JITStubRoutineSet.h:
788         (JSC):
789         (JITStubRoutineSet):
790         (JSC::JITStubRoutineSet::JITStubRoutineSet):
791         (JSC::JITStubRoutineSet::~JITStubRoutineSet):
792         (JSC::JITStubRoutineSet::add):
793         (JSC::JITStubRoutineSet::clearMarks):
794         (JSC::JITStubRoutineSet::mark):
795         (JSC::JITStubRoutineSet::deleteUnmarkedJettisonedStubRoutines):
796         (JSC::JITStubRoutineSet::traceMarkedStubRoutines):
797
798 2012-07-19  Kristóf Kosztyó  <kkristof@inf.u-szeged.hu>
799
800         [Qt] Unreviewed buildfix after r123042.
801
802         * interpreter/Interpreter.cpp:
803         (JSC::Interpreter::dumpRegisters):
804
805 2012-07-18  Filip Pizlo  <fpizlo@apple.com>
806
807         DFG should emit inline code for property storage (re)allocation
808         https://bugs.webkit.org/show_bug.cgi?id=91597
809
810         Reviewed by Oliver Hunt.
811
812         This adds two new ops to the DFG IR: AllocatePropertyStorage and
813         ReallocatePropertyStorage. It enables these to interact properly with
814         CSE so that a GetPropertyStorage on something for which we have
815         obviously done a (Re)AllocatePropertyStorage will result in the
816         GetPropertyStorage being eliminated. Other than that, the code
817         emitted for these ops is identical to the code we were emitting in
818         the corresponding PutById stub.
819
820         * dfg/DFGAbstractState.cpp:
821         (JSC::DFG::AbstractState::execute):
822         * dfg/DFGByteCodeParser.cpp:
823         (JSC::DFG::ByteCodeParser::parseBlock):
824         * dfg/DFGCSEPhase.cpp:
825         (JSC::DFG::CSEPhase::putStructureStoreElimination):
826         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
827         * dfg/DFGNode.h:
828         (JSC::DFG::Node::hasStructureTransitionData):
829         * dfg/DFGNodeType.h:
830         (DFG):
831         * dfg/DFGOperations.cpp:
832         * dfg/DFGOperations.h:
833         * dfg/DFGPredictionPropagationPhase.cpp:
834         (JSC::DFG::PredictionPropagationPhase::propagate):
835         * dfg/DFGSpeculativeJIT.cpp:
836         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
837         (DFG):
838         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
839         * dfg/DFGSpeculativeJIT.h:
840         (JSC::DFG::SpeculativeJIT::callOperation):
841         (SpeculativeJIT):
842         * dfg/DFGSpeculativeJIT32_64.cpp:
843         (JSC::DFG::SpeculativeJIT::compile):
844         * dfg/DFGSpeculativeJIT64.cpp:
845         (JSC::DFG::SpeculativeJIT::compile):
846         * runtime/Structure.cpp:
847         (JSC::nextOutOfLineStorageCapacity):
848         * runtime/Structure.h:
849         (JSC):
850
851 2012-07-16  Oliver Hunt  <oliver@apple.com>
852
853         dumpCallFrame is broken in ToT
854         https://bugs.webkit.org/show_bug.cgi?id=91444
855
856         Reviewed by Gavin Barraclough.
857
858         Various changes have been made to the SF calling convention, but
859         dumpCallFrame has not been updated to reflect these changes.
860         That resulted in both bogus information, as well as numerous
861         assertions of sadness.
862
863         This patch makes dumpCallFrame actually work again and adds the
864         wonderful feature of telling you the name of the variable that a
865         register reflects, or what value it contains.
866
867         * bytecode/CodeBlock.cpp:
868         (JSC::CodeBlock::nameForRegister):
869             A really inefficient mechanism for finding the name of a local register.
870             This should only ever be used by debug code so this should be okay.
871         * bytecode/CodeBlock.h:
872         (CodeBlock):
873         * bytecompiler/BytecodeGenerator.cpp:
874         (JSC::BytecodeGenerator::generate):
875             Debug builds no longer throw away a function's symbol table; this allows
876             us to actually perform a register# to name mapping.
877         * dfg/DFGJITCompiler.cpp:
878         (JSC::DFG::JITCompiler::link):
879             We weren't propagating the bytecode offset here, leading to assertions
880             in debug builds when dumping bytecode of DFG compiled code.
881         * interpreter/Interpreter.cpp:
882         (JSC):
883         (JSC::Interpreter::dumpRegisters):
884              Rework to actually be correct.
885         (JSC::getCallerInfo):
886              Return the bytecode offset as well now, given we have to determine it
887              anyway.
888         (JSC::Interpreter::getStackTrace):
889         (JSC::Interpreter::retrieveCallerFromVMCode):
890         * interpreter/Interpreter.h:
891         (Interpreter):
892         * jsc.cpp:
893         (GlobalObject::finishCreation):
894         (functionDumpCallFrame):
895              Give debug builds of JSC a method for calling dumpCallFrame so we can
896              inspect a callframe without requiring us to break in a debugger.
897
898 2012-07-18  Filip Pizlo  <fpizlo@apple.com>
899
900         DFG 32-bit PutById transition stub storage reallocation case copies the first pointer of each JSValue instead of the whole JSValue
901         https://bugs.webkit.org/show_bug.cgi?id=91599
902
903         Reviewed by Geoffrey Garen.
904
905         * dfg/DFGRepatch.cpp:
906         (JSC::DFG::emitPutTransitionStub):
907
908 2012-07-17  Filip Pizlo  <fpizlo@apple.com>
909
910         DFG 32-bit PutById transition stub passes the payload/tag arguments to a DFG operation in the wrong order
911         https://bugs.webkit.org/show_bug.cgi?id=91576
912
913         Reviewed by Gavin Barraclough.
914
915         * dfg/DFGRepatch.cpp:
916         (JSC::DFG::emitPutTransitionStub):
917
918 2012-07-17  Filip Pizlo  <fpizlo@apple.com>
919
920         [Qt] REGRESSION(r122768, r122771): They broke jquery/data.html and inspector/elements/edit-dom-actions.html
921         https://bugs.webkit.org/show_bug.cgi?id=91476
922
923         Reviewed by Mark Hahnenberg.
924
925         The 32-bit repatching code was not correctly adapted to the new world where there may not always
926         be an available scratch register. Fixed it by ensuring that the scratch register we select does
927         not overlap with the value tag.
928
929         * dfg/DFGRepatch.cpp:
930         (JSC::DFG::generateProtoChainAccessStub):
931         (JSC::DFG::tryCacheGetByID):
932         (JSC::DFG::tryBuildGetByIDList):
933         (JSC::DFG::emitPutReplaceStub):
934
935 2012-07-17  Gabor Rapcsanyi  <rgabor@webkit.org>
936
937         Unreviewed buildfix from Zoltan Herczeg after 122768.
938
939         * dfg/DFGCCallHelpers.h:
940         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
941         (CCallHelpers):
942
943 2012-07-17  David Barr  <davidbarr@chromium.org>
944
945         Introduce ENABLE_CSS_IMAGE_ORIENTATION compile flag
946         https://bugs.webkit.org/show_bug.cgi?id=89055
947
948         Reviewed by Kent Tamura.
949
950         The css3-images module is at candidate recommendation.
951         http://www.w3.org/TR/2012/CR-css3-images-20120417/#the-image-orientation
952
953         Add a configuration option for CSS image-orientation support, disabling it by default.
954
955         * Configurations/FeatureDefines.xcconfig:
956
957 2012-07-16  Filip Pizlo  <fpizlo@apple.com>
958
959         Unreviewed, roll out 122790 because it broke the Windows build. I'm not
960         sure what to do with exported symbols that are predicated on NDEBUG.
961
962         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
963         * bytecode/CodeBlock.cpp:
964         (JSC):
965         * bytecode/CodeBlock.h:
966         (CodeBlock):
967         * bytecompiler/BytecodeGenerator.cpp:
968         (JSC::BytecodeGenerator::generate):
969         * dfg/DFGJITCompiler.cpp:
970         (JSC::DFG::JITCompiler::link):
971         * interpreter/Interpreter.cpp:
972         (JSC):
973         (JSC::Interpreter::dumpRegisters):
974         (JSC::getCallerInfo):
975         (JSC::Interpreter::getStackTrace):
976         (JSC::Interpreter::retrieveCallerFromVMCode):
977         * interpreter/Interpreter.h:
978         (Interpreter):
979         * jsc.cpp:
980         (GlobalObject::finishCreation):
981
982 2012-07-16  Oliver Hunt  <oliver@apple.com>
983
984         dumpCallFrame is broken in ToT
985         https://bugs.webkit.org/show_bug.cgi?id=91444
986
987         Reviewed by Gavin Barraclough.
988
989         Various changes have been made to the SF calling convention, but
990         dumpCallFrame has not been updated to reflect these changes.
991         That resulted in both bogus information, as well as numerous
992         assertions of sadness.
993
994         This patch makes dumpCallFrame actually work again and adds the
995         wonderful feature of telling you the name of the variable that a
996         register reflects, or what value it contains.
997
998         * bytecode/CodeBlock.cpp:
999         (JSC::CodeBlock::nameForRegister):
1000             A really inefficient mechanism for finding the name of a local register.
1001             This should only ever be used by debug code so this should be okay.
1002         * bytecode/CodeBlock.h:
1003         (CodeBlock):
1004         * bytecompiler/BytecodeGenerator.cpp:
1005         (JSC::BytecodeGenerator::generate):
1006             Debug builds no longer throw away a function's symbol table; this allows
1007             us to actually perform a register# to name mapping.
1008         * dfg/DFGJITCompiler.cpp:
1009         (JSC::DFG::JITCompiler::link):
1010             We weren't propagating the bytecode offset here, leading to assertions
1011             in debug builds when dumping bytecode of DFG compiled code.
1012         * interpreter/Interpreter.cpp:
1013         (JSC):
1014         (JSC::Interpreter::dumpRegisters):
1015              Rework to actually be correct.
1016         (JSC::getCallerInfo):
1017              Return the bytecode offset as well now, given we have to determine it
1018              anyway.
1019         (JSC::Interpreter::getStackTrace):
1020         (JSC::Interpreter::retrieveCallerFromVMCode):
1021         * interpreter/Interpreter.h:
1022         (Interpreter):
1023         * jsc.cpp:
1024         (GlobalObject::finishCreation):
1025         (functionDumpCallFrame):
1026              Give debug builds of JSC a method for calling dumpCallFrame so we can
1027              inspect a callframe without requiring us to break in a debugger.
1028
1029 2012-07-16  Filip Pizlo  <fpizlo@apple.com>
1030
1031         Unreviewed, adding forgotten files.
1032
1033         * dfg/DFGRegisterSet.h: Added.
1034         (DFG):
1035         (RegisterSet):
1036         (JSC::DFG::RegisterSet::RegisterSet):
1037         (JSC::DFG::RegisterSet::asPOD):
1038         (JSC::DFG::RegisterSet::copyInfo):
1039         (JSC::DFG::RegisterSet::set):
1040         (JSC::DFG::RegisterSet::setGPRByIndex):
1041         (JSC::DFG::RegisterSet::clear):
1042         (JSC::DFG::RegisterSet::get):
1043         (JSC::DFG::RegisterSet::getGPRByIndex):
1044         (JSC::DFG::RegisterSet::getFreeGPR):
1045         (JSC::DFG::RegisterSet::setFPRByIndex):
1046         (JSC::DFG::RegisterSet::getFPRByIndex):
1047         (JSC::DFG::RegisterSet::setByIndex):
1048         (JSC::DFG::RegisterSet::getByIndex):
1049         (JSC::DFG::RegisterSet::numberOfSetGPRs):
1050         (JSC::DFG::RegisterSet::numberOfSetFPRs):
1051         (JSC::DFG::RegisterSet::numberOfSetRegisters):
1052         (JSC::DFG::RegisterSet::setBit):
1053         (JSC::DFG::RegisterSet::clearBit):
1054         (JSC::DFG::RegisterSet::getBit):
1055         * dfg/DFGScratchRegisterAllocator.h: Added.
1056         (DFG):
1057         (ScratchRegisterAllocator):
1058         (JSC::DFG::ScratchRegisterAllocator::ScratchRegisterAllocator):
1059         (JSC::DFG::ScratchRegisterAllocator::lock):
1060         (JSC::DFG::ScratchRegisterAllocator::allocateScratch):
1061         (JSC::DFG::ScratchRegisterAllocator::allocateScratchGPR):
1062         (JSC::DFG::ScratchRegisterAllocator::allocateScratchFPR):
1063         (JSC::DFG::ScratchRegisterAllocator::didReuseRegisters):
1064         (JSC::DFG::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
1065         (JSC::DFG::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
1066         (JSC::DFG::ScratchRegisterAllocator::desiredScratchBufferSize):
1067         (JSC::DFG::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
1068         (JSC::DFG::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
1069
1070 2012-07-15  Filip Pizlo  <fpizlo@apple.com>
1071
1072         DFG PutById transition should handle storage allocation, and inline it
1073         https://bugs.webkit.org/show_bug.cgi?id=91337
1074
1075         Reviewed by Oliver Hunt.
1076
1077         This enables the patching of DFG PutById to handle the out-of-line storage
1078         allocation case. Furthermore, it inlines out-of-line storage allocation (and
1079         reallocation) into the generated stubs.  
1080         
1081         To do this, this patch adds the ability to store the relevant register
1082         allocation state (i.e. the set of in-use registers) in the structure stub
1083         info so that the stub generation code can more flexibly select scratch
1084         registers: sometimes it needs none, sometimes one - or sometimes up to
1085         three. Moreover, to make the stub generation register allocation simple and
1086         maintainable, this patch introduces a reusable scratch register allocator
1087         class. This register allocator understands that some registers are in use by
1088         the main path code and so must be spilled as necessary, other registers are
1089         locked for use in the stub itself and so cannot even be spilled, while still
1090         others may be allocated for scratch purposes. A scratch register that is
1091         used must be spilled. If a register is locked, it cannot be used as a
1092         scratch register. If a register is used, it can be used as a scratch
1093         register so long as it is spilled.
1094         
1095         This is a sub-1% speed-up on V8 and neutral elsewhere.
1096
1097         * GNUmakefile.list.am:
1098         * JavaScriptCore.xcodeproj/project.pbxproj:
1099         * assembler/MacroAssemblerCodeRef.h:
1100         (FunctionPtr):
1101         (JSC::FunctionPtr::FunctionPtr):
1102         * bytecode/StructureStubInfo.h:
1103         * dfg/DFGCCallHelpers.h:
1104         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
1105         (CCallHelpers):
1106         * dfg/DFGGPRInfo.h:
1107         * dfg/DFGJITCompiler.cpp:
1108         (JSC::DFG::JITCompiler::link):
1109         * dfg/DFGJITCompiler.h:
1110         (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord):
1111         (PropertyAccessRecord):
1112         * dfg/DFGOperations.cpp:
1113         * dfg/DFGOperations.h:
1114         * dfg/DFGRegisterBank.h:
1115         (JSC::DFG::RegisterBank::isInUse):
1116         (RegisterBank):
1117         * dfg/DFGRegisterSet.h: Added.
1118         (DFG):
1119         (RegisterSet):
1120         (JSC::DFG::RegisterSet::RegisterSet):
1121         (JSC::DFG::RegisterSet::asPOD):
1122         (JSC::DFG::RegisterSet::copyInfo):
1123         (JSC::DFG::RegisterSet::set):
1124         (JSC::DFG::RegisterSet::setGPRByIndex):
1125         (JSC::DFG::RegisterSet::clear):
1126         (JSC::DFG::RegisterSet::get):
1127         (JSC::DFG::RegisterSet::getGPRByIndex):
1128         (JSC::DFG::RegisterSet::getFreeGPR):
1129         (JSC::DFG::RegisterSet::setFPRByIndex):
1130         (JSC::DFG::RegisterSet::getFPRByIndex):
1131         (JSC::DFG::RegisterSet::setByIndex):
1132         (JSC::DFG::RegisterSet::getByIndex):
1133         (JSC::DFG::RegisterSet::numberOfSetGPRs):
1134         (JSC::DFG::RegisterSet::numberOfSetFPRs):
1135         (JSC::DFG::RegisterSet::numberOfSetRegisters):
1136         (JSC::DFG::RegisterSet::setBit):
1137         (JSC::DFG::RegisterSet::clearBit):
1138         (JSC::DFG::RegisterSet::getBit):
1139         * dfg/DFGRepatch.cpp:
1140         (JSC::DFG::generateProtoChainAccessStub):
1141         (JSC::DFG::tryCacheGetByID):
1142         (JSC::DFG::tryBuildGetByIDList):
1143         (JSC::DFG::emitPutReplaceStub):
1144         (JSC::DFG::emitPutTransitionStub):
1145         (JSC::DFG::tryCachePutByID):
1146         (JSC::DFG::tryBuildPutByIdList):
1147         * dfg/DFGScratchRegisterAllocator.h: Added.
1148         (DFG):
1149         (ScratchRegisterAllocator):
1150         (JSC::DFG::ScratchRegisterAllocator::ScratchRegisterAllocator):
1151         (JSC::DFG::ScratchRegisterAllocator::lock):
1152         (JSC::DFG::ScratchRegisterAllocator::allocateScratch):
1153         (JSC::DFG::ScratchRegisterAllocator::allocateScratchGPR):
1154         (JSC::DFG::ScratchRegisterAllocator::allocateScratchFPR):
1155         (JSC::DFG::ScratchRegisterAllocator::didReuseRegisters):
1156         (JSC::DFG::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
1157         (JSC::DFG::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
1158         (JSC::DFG::ScratchRegisterAllocator::desiredScratchBufferSize):
1159         (JSC::DFG::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
1160         (JSC::DFG::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
1161         * dfg/DFGSpeculativeJIT.h:
1162         (SpeculativeJIT):
1163         (JSC::DFG::SpeculativeJIT::usedRegisters):
1164         * dfg/DFGSpeculativeJIT32_64.cpp:
1165         (JSC::DFG::SpeculativeJIT::cachedGetById):
1166         (JSC::DFG::SpeculativeJIT::cachedPutById):
1167         (JSC::DFG::SpeculativeJIT::compile):
1168         * dfg/DFGSpeculativeJIT64.cpp:
1169         (JSC::DFG::SpeculativeJIT::cachedGetById):
1170         (JSC::DFG::SpeculativeJIT::cachedPutById):
1171         (JSC::DFG::SpeculativeJIT::compile):
1172         * heap/CopiedAllocator.h:
1173         (CopiedAllocator):
1174         (JSC::CopiedAllocator::fastPathShouldSucceed):
1175         (JSC):
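
A model of the three register states the entry above describes (in use by the main path, locked by the stub, and free), as an added C++ example rather than the project's own DFG::ScratchRegisterAllocator. The eight-register machine, the register numbers, the bitmask layout and the class name ScratchAllocatorModel are assumptions made for this illustration; the rules it encodes are the ones stated in the entry: a locked register is never handed out, a free register is handed out without spilling, and a register in use by the main path can be handed out only if its value is preserved around the stub.

```cpp
#include <cstdint>
#include <vector>

// Added example, not JavaScriptCore's DFG::ScratchRegisterAllocator. The
// register count and numbering are placeholders for an eight-register machine.
enum { kNumRegisters = 8, kNoRegister = -1 };

class ScratchAllocatorModel {
public:
    // usedByMainPath: bitmask of registers holding live values in the main
    // path code around the stub; these must be spilled if reused as scratch.
    explicit ScratchAllocatorModel(uint32_t usedByMainPath) : m_used(usedByMainPath) {}

    // A locked register holds a stub operand (base object, value, ...). It can
    // neither be handed out as scratch nor spilled.
    void lock(int reg) { m_locked |= bit(reg); }

    // First choice: a register that is neither locked, in use, nor already
    // allocated. Second choice: a register the main path is using, which then
    // has to be pushed before the stub body and popped afterwards.
    int allocateScratch() {
        for (int reg = 0; reg < kNumRegisters; ++reg) {
            if (!(m_locked & bit(reg)) && !(m_used & bit(reg)) && !(m_scratch & bit(reg))) {
                m_scratch |= bit(reg);
                return reg;
            }
        }
        for (int reg = 0; reg < kNumRegisters; ++reg) {
            if (!(m_locked & bit(reg)) && !(m_scratch & bit(reg))) {
                m_scratch |= bit(reg);
                m_reused |= bit(reg);  // main-path value must be preserved
                return reg;
            }
        }
        return kNoRegister;
    }

    bool didReuseRegisters() const { return m_reused != 0; }

    // Exactly the scratch registers that were already in use: the set to push
    // on entry to the stub and pop on exit.
    std::vector<int> registersToPreserve() const {
        std::vector<int> regs;
        for (int reg = 0; reg < kNumRegisters; ++reg)
            if (m_reused & bit(reg))
                regs.push_back(reg);
        return regs;
    }

private:
    static uint32_t bit(int reg) { return 1u << reg; }
    uint32_t m_used;
    uint32_t m_locked = 0;
    uint32_t m_scratch = 0;
    uint32_t m_reused = 0;
};

struct ScratchTrace {
    int first;
    int second;
    int third;
    bool reusedAfterTwo;
    bool reusedAfterThree;
    std::vector<int> toPreserve;
    int whenEverythingLocked;
};

// Constructed scenario: the main path keeps live values in r0..r5, the stub's
// base object is in r0 and the value being stored is in r1.
ScratchTrace runScratchTrace() {
    ScratchTrace t{};
    ScratchAllocatorModel alloc(0x3F);
    alloc.lock(0);
    alloc.lock(1);
    t.first = alloc.allocateScratch();               // r6: free, no spill
    t.second = alloc.allocateScratch();              // r7: free, no spill
    t.reusedAfterTwo = alloc.didReuseRegisters();    // false so far
    t.third = alloc.allocateScratch();               // r2: in use, must be spilled
    t.reusedAfterThree = alloc.didReuseRegisters();  // true
    t.toPreserve = alloc.registersToPreserve();      // {2}

    // With every register locked there is nothing left to hand out at all.
    ScratchAllocatorModel none(0xFF);
    for (int reg = 0; reg < kNumRegisters; ++reg)
        none.lock(reg);
    t.whenEverythingLocked = none.allocateScratch();  // kNoRegister
    return t;
}
```

The ordering of the two loops is the whole point: preferring a free register keeps the common stub spill-free, and falling back to an in-use register only adds a push/pop pair rather than failing outright, which is why the entry can say the stub sometimes needs none, sometimes one, and sometimes up to three scratch registers without reserving any.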
1176
1177 2012-07-16  Patrick Gansterer  <paroga@webkit.org>
1178
1179         Add dfg switch to create_jit_stubs script
1180         https://bugs.webkit.org/show_bug.cgi?id=91256
1181
1182         Reviewed by Geoffrey Garen.
1183
1184         * create_jit_stubs: Add a switch to enable or disable the generation of
1185                             stub functions in #if ENABLE(DFG_JIT) conditions.
1186
1187 2012-07-16  Gabor Rapcsanyi  <rgabor@webkit.org>
1188
1189         Unreviewed buildfix after r122729. Typo fix.
1190
1191         * assembler/MacroAssemblerARM.h:
1192         (JSC::MacroAssemblerARM::add32):
1193
1194 2012-07-16  Gabor Rapcsanyi  <rgabor@webkit.org>
1195
1196         Unreviewed buildfix from Zoltan Herczeg after r122677.
1197         Implement the missing add32 function in MacroAssemblerARM.
1198
1199         * assembler/MacroAssemblerARM.h:
1200         (JSC::MacroAssemblerARM::add32):
1201         (MacroAssemblerARM):
1202
1203 2012-07-14  Filip Pizlo  <fpizlo@apple.com>
1204
1205         DFG PutByVal opcodes should accept more than 3 operands
1206         https://bugs.webkit.org/show_bug.cgi?id=91332
1207
1208         Reviewed by Oliver Hunt.
1209
1210         Turned PutByVal/PutByValAlias into var-arg nodes, so that we can give them
1211         4 or more operands in the future.
1212
1213         * dfg/DFGAbstractState.cpp:
1214         (JSC::DFG::AbstractState::execute):
1215         * dfg/DFGByteCodeParser.cpp:
1216         (JSC::DFG::ByteCodeParser::parseBlock):
1217         * dfg/DFGCSEPhase.cpp:
1218         (JSC::DFG::CSEPhase::getByValLoadElimination):
1219         (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
1220         (JSC::DFG::CSEPhase::performNodeCSE):
1221         * dfg/DFGFixupPhase.cpp:
1222         (JSC::DFG::FixupPhase::fixupNode):
1223         (JSC::DFG::FixupPhase::fixDoubleEdge):
1224         * dfg/DFGGraph.h:
1225         (JSC::DFG::Graph::byValIsPure):
1226         (JSC::DFG::Graph::varArgNumChildren):
1227         (Graph):
1228         (JSC::DFG::Graph::numChildren):
1229         (JSC::DFG::Graph::varArgChild):
1230         (JSC::DFG::Graph::child):
1231         * dfg/DFGNodeType.h:
1232         (DFG):
1233         * dfg/DFGPredictionPropagationPhase.cpp:
1234         (JSC::DFG::PredictionPropagationPhase::propagate):
1235         * dfg/DFGSpeculativeJIT.cpp:
1236         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
1237         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
1238         * dfg/DFGSpeculativeJIT32_64.cpp:
1239         (JSC::DFG::SpeculativeJIT::compile):
1240         * dfg/DFGSpeculativeJIT64.cpp:
1241         (JSC::DFG::SpeculativeJIT::compile):
1242
1243 2012-07-14  Filip Pizlo  <fpizlo@apple.com>
1244
1245         Rationalize and optimize storage allocation
1246         https://bugs.webkit.org/show_bug.cgi?id=91303
1247
1248         Reviewed by Oliver Hunt.
1249
1250         This implements a backwards bump allocator for copied space storage
1251         allocation, shown in pseudo-code below:
1252         
1253             pointer bump(size) {
1254                 pointer tmp = allocator->remaining;
1255                 tmp -= size;
1256                 if (tmp < 0)
1257                     fail;
1258                 allocator->remaining = tmp;
1259                 return allocator->payloadEnd - tmp - size;
1260             }
1261
1262         The advantage of this allocator is that it:
1263         
1264         - Only requires one comparison in the common case where size is known to
1265           not be huge, and this comparison can be done by checking the sign bit
1266           of the subtraction.
1267         
1268         - Can be implemented even when only one register is available. This
1269           register is reused for both temporary storage during allocation and
1270           for the result.
1271         
1272         - Preserves the behavior that memory in a block is filled in from lowest
1273           address to highest address, which allows for a cheap reallocation fast
1274           path.
1275         
1276         - Is resilient against the block used for allocation being the last one
1277           in virtual memory, thereby otherwise leading to the risk of overflow
1278           in the bump pointer, despite only doing one branch.
1279         
1280         In order to implement this allocator using the smallest possible chunk
1281         of code, I refactored the copied space code so that all of the allocation
1282         logic is in CopiedAllocator, and all of the state is in either
1283         CopiedBlock or CopiedAllocator. This should make changing the allocation
1284         fast path easier in the future.
1285         
1286         In order to do this, I needed to add some new assembler support,
1287         particularly for various forms of add(address, register) and negPtr().
1288         
1289         This is performance neutral. The purpose of this change is to facilitate
1290         further inlining of storage allocation without having to reserve
1291         additional registers or emit too much code.
1292
1293         * assembler/MacroAssembler.h:
1294         (JSC::MacroAssembler::addPtr):
1295         (MacroAssembler):
1296         (JSC::MacroAssembler::negPtr):
1297         * assembler/MacroAssemblerARMv7.h:
1298         (MacroAssemblerARMv7):
1299         (JSC::MacroAssemblerARMv7::add32):
1300         * assembler/MacroAssemblerX86.h:
1301         (JSC::MacroAssemblerX86::add32):
1302         (MacroAssemblerX86):
1303         * assembler/MacroAssemblerX86_64.h:
1304         (MacroAssemblerX86_64):
1305         (JSC::MacroAssemblerX86_64::addPtr):
1306         (JSC::MacroAssemblerX86_64::negPtr):
1307         * assembler/X86Assembler.h:
1308         (X86Assembler):
1309         (JSC::X86Assembler::addl_mr):
1310         (JSC::X86Assembler::addq_mr):
1311         (JSC::X86Assembler::negq_r):
1312         * heap/CopiedAllocator.h:
1313         (CopiedAllocator):
1314         (JSC::CopiedAllocator::isValid):
1315         (JSC::CopiedAllocator::CopiedAllocator):
1316         (JSC::CopiedAllocator::tryAllocate):
1317         (JSC):
1318         (JSC::CopiedAllocator::tryReallocate):
1319         (JSC::CopiedAllocator::forceAllocate):
1320         (JSC::CopiedAllocator::resetCurrentBlock):
1321         (JSC::CopiedAllocator::setCurrentBlock):
1322         (JSC::CopiedAllocator::currentCapacity):
1323         * heap/CopiedBlock.h:
1324         (CopiedBlock):
1325         (JSC::CopiedBlock::create):
1326         (JSC::CopiedBlock::zeroFillWilderness):
1327         (JSC::CopiedBlock::CopiedBlock):
1328         (JSC::CopiedBlock::payloadEnd):
1329         (JSC):
1330         (JSC::CopiedBlock::payloadCapacity):
1331         (JSC::CopiedBlock::data):
1332         (JSC::CopiedBlock::dataEnd):
1333         (JSC::CopiedBlock::dataSize):
1334         (JSC::CopiedBlock::wilderness):
1335         (JSC::CopiedBlock::wildernessEnd):
1336         (JSC::CopiedBlock::wildernessSize):
1337         (JSC::CopiedBlock::size):
1338         * heap/CopiedSpace.cpp:
1339         (JSC::CopiedSpace::tryAllocateSlowCase):
1340         (JSC::CopiedSpace::tryAllocateOversize):
1341         (JSC::CopiedSpace::tryReallocate):
1342         (JSC::CopiedSpace::doneFillingBlock):
1343         (JSC::CopiedSpace::doneCopying):
1344         * heap/CopiedSpace.h:
1345         (CopiedSpace):
1346         * heap/CopiedSpaceInlineMethods.h:
1347         (JSC::CopiedSpace::startedCopying):
1348         (JSC::CopiedSpace::allocateBlockForCopyingPhase):
1349         (JSC::CopiedSpace::allocateBlock):
1350         (JSC::CopiedSpace::tryAllocate):
1351         (JSC):
1352         * heap/MarkStack.cpp:
1353         (JSC::SlotVisitor::startCopying):
1354         (JSC::SlotVisitor::allocateNewSpace):
1355         (JSC::SlotVisitor::doneCopying):
1356         * heap/SlotVisitor.h:
1357         (JSC::SlotVisitor::SlotVisitor):
1358         * jit/JIT.h:
1359         * jit/JITInlineMethods.h:
1360         (JSC::JIT::emitAllocateBasicStorage):
1361         (JSC::JIT::emitAllocateJSArray):
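
The backwards bump allocator described in the entry above, written out as a complete C++ example. This is added illustration, not JavaScriptCore's CopiedAllocator or CopiedBlock; the names BumpBlock and BumpAllocator, the 64-byte block and the sizes used in runBumpTrace are constructed for the example. It goes one step beyond the pseudocode in two ways: it includes the in-place reallocation fast path that the entry says the low-to-high fill order makes cheap, and it adds the explicit size range check that the entry's "size is known to not be huge" caveat implies is needed whenever the size is not already bounded.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added example, not JavaScriptCore's CopiedAllocator/CopiedBlock: a backwards
// bump allocator written out from the pseudocode in the ChangeLog entry above.
// BumpBlock, BumpAllocator and the sizes below are this example's own.
struct BumpBlock {
    std::vector<unsigned char> storage;  // payload bytes, constructed inline
    explicit BumpBlock(size_t capacity) : storage(capacity, 0) {}
    unsigned char* payloadEnd() { return storage.data() + storage.size(); }
    size_t capacity() const { return storage.size(); }
};

class BumpAllocator {
public:
    explicit BumpAllocator(BumpBlock* block) { setCurrentBlock(block); }

    void setCurrentBlock(BumpBlock* block) {
        // "remaining" is a signed byte count, not a pointer, so the bounds
        // check is a sign test that cannot wrap even when the block is the
        // last mapping in virtual memory.
        m_payloadEnd = block->payloadEnd();
        m_remaining = static_cast<intptr_t>(block->capacity());
    }

    // Fast path: one subtraction and one sign test, exactly as in the entry.
    // The sign test alone is sound only when bytes is known not to be huge;
    // for a size that comes from untrusted input the range check first keeps
    // a huge value from being reinterpreted as negative and passing the test.
    unsigned char* tryAllocate(size_t bytes) {
        if (bytes > static_cast<size_t>(INTPTR_MAX))
            return nullptr;
        intptr_t tmp = m_remaining;
        tmp -= static_cast<intptr_t>(bytes);
        if (tmp < 0)
            return nullptr;  // "fail" in the pseudocode: take the slow path
        m_remaining = tmp;
        // payloadEnd - oldRemaining: allocations fill the block low to high.
        return m_payloadEnd - tmp - bytes;
    }

    // Cheap reallocation: because the block fills from lowest to highest
    // address, the most recent allocation ends exactly at the bump point and
    // can be grown in place with one more bump. Anything else must be copied.
    unsigned char* tryReallocate(unsigned char* oldPtr, size_t oldBytes, size_t newBytes) {
        if (newBytes < oldBytes || newBytes > static_cast<size_t>(INTPTR_MAX))
            return nullptr;
        if (oldPtr + oldBytes != m_payloadEnd - m_remaining)
            return nullptr;
        intptr_t tmp = m_remaining - static_cast<intptr_t>(newBytes - oldBytes);
        if (tmp < 0)
            return nullptr;
        m_remaining = tmp;
        return oldPtr;
    }

    intptr_t remaining() const { return m_remaining; }

private:
    unsigned char* m_payloadEnd;
    intptr_t m_remaining;
};

// Exercise the allocator on a constructed 64-byte block and record what was
// observed, so the behaviour can be checked rather than just printed.
struct BumpTrace {
    bool firstAtBlockStart;
    bool secondFollowsFirst;
    bool tailGrowInPlace;
    bool nonTailGrowRejected;
    bool overcommitRejected;
    bool hugeSizeRejected;
    intptr_t finalRemaining;
};

BumpTrace runBumpTrace() {
    BumpBlock block(64);
    BumpAllocator allocator(&block);
    BumpTrace t{};
    unsigned char* a = allocator.tryAllocate(16);  // occupies [0, 16)
    unsigned char* b = allocator.tryAllocate(8);   // occupies [16, 24)
    t.firstAtBlockStart = (a == block.storage.data());
    t.secondFollowsFirst = (b == a + 16);
    t.tailGrowInPlace = (allocator.tryReallocate(b, 8, 24) == b);            // b -> [16, 40)
    t.nonTailGrowRejected = (allocator.tryReallocate(a, 16, 32) == nullptr);  // a is not the tail
    t.overcommitRejected = (allocator.tryAllocate(25) == nullptr);            // only 24 left
    t.hugeSizeRejected = (allocator.tryAllocate(static_cast<size_t>(-1)) == nullptr);
    t.finalRemaining = allocator.remaining();                                 // 24
    return t;
}
```

Two details matter for anyone reviewing an allocator of this shape: the bump state is kept as a remaining byte count rather than a pointer, which is what makes the single sign test safe against address-space overflow, and a failed allocation leaves that state untouched, so the slow path sees the same remaining count the fast path saw.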
1362
1363 2012-07-13  Mark Lam  <mark.lam@apple.com>
1364
1365         OfflineASM Pretty printing and commenting enhancements.
1366         https://bugs.webkit.org/show_bug.cgi?id=91281
1367
1368         Reviewed by Filip Pizlo.
1369
1370         Added some minor pretty printing in the OfflineASM.
1371         Also added infrastructure for adding multiple types of comments and
1372         annotations with the ability to enable/disable them in the generated
1373         output as desired.
1374
1375         * GNUmakefile.list.am: add new file config.rb.
1376         * llint/LLIntOfflineAsmConfig.h:
1377           Added OFFLINE_ASM_BEGIN, OFFLINE_ASM_END, and OFFLINE_ASM_LOCAL_LABEL macros.
1378           This will allow us to redefine these for other backends later.
1379         * llint/LowLevelInterpreter32_64.asm:
1380           Add a small example of instruction annotations for now.
1381         * llint/LowLevelInterpreter64.asm:
1382           Add a small example of instruction annotations for now.
1383         * offlineasm/armv7.rb: Added handling of annotations.
1384         * offlineasm/asm.rb:
1385           Added machinery to dump the new comments and annotations.
1386           Also added some indentations to make the output a little prettier.
1387         * offlineasm/ast.rb: Added annotation field in class Instruction. 
1388         * offlineasm/backends.rb:
1389         * offlineasm/config.rb: Added.
1390           Currently only contains commenting options.  This file is meant to be
1391           a centralized place for build config values much like config.h for
1392           JavaScriptCore.
1393         * offlineasm/generate_offset_extractor.rb:
1394         * offlineasm/instructions.rb:
1395         * offlineasm/offsets.rb:
1396         * offlineasm/opt.rb:
1397         * offlineasm/parser.rb: Parse and record annotations.
1398         * offlineasm/registers.rb:
1399         * offlineasm/self_hash.rb:
1400         * offlineasm/settings.rb:
1401         * offlineasm/transform.rb:
1402         * offlineasm/x86.rb: Added handling of annotations.
1403
1404 2012-07-13  Filip Pizlo  <fpizlo@apple.com>
1405
1406         ASSERTION FAILED: use.useKind() != DoubleUse
1407         https://bugs.webkit.org/show_bug.cgi?id=91082
1408
1409         Reviewed by Geoffrey Garen.
1410
1411         The implementation of Branch() was unwisely relying on register allocation state
1412         to decide what speculations to perform. That's never correct.
1413
1414         * dfg/DFGSpeculativeJIT32_64.cpp:
1415         (JSC::DFG::SpeculativeJIT::compile):
1416         * dfg/DFGSpeculativeJIT64.cpp:
1417         (JSC::DFG::SpeculativeJIT::compile):
1418
1419 2012-07-13  Sheriff Bot  <webkit.review.bot@gmail.com>
1420
1421         Unreviewed, rolling out r122640.
1422         http://trac.webkit.org/changeset/122640
1423         https://bugs.webkit.org/show_bug.cgi?id=91298
1424
1425         LLInt apparently does not expect to mark these (Requested by
1426         olliej on #webkit).
1427
1428         * bytecode/CodeBlock.cpp:
1429         (JSC::CodeBlock::visitStructures):
1430         (JSC::CodeBlock::stronglyVisitStrongReferences):
1431
1432 2012-07-13  Oliver Hunt  <oliver@apple.com>
1433
1434         LLInt fails to mark structures stored in the bytecode
1435         https://bugs.webkit.org/show_bug.cgi?id=91296
1436
1437         Reviewed by Geoffrey Garen.
1438
1439         LLInt stores structures in the bytecode, so we need to visit the appropriate
1440         instructions as we would if we were running in the classic interpreter.
1441         This requires adding additional checks for the LLInt specific opcodes, and
1442         the LLInt-specific variants of operand ordering.
1443
1444         * bytecode/CodeBlock.cpp:
1445         (JSC::CodeBlock::visitStructures):
1446         (JSC::CodeBlock::stronglyVisitStrongReferences):
1447
1448 2012-07-13  Yong Li  <yoli@rim.com>
1449
1450         [BlackBerry] Implement GCActivityCallback with platform timer
1451         https://bugs.webkit.org/show_bug.cgi?id=90175
1452
1453         Reviewed by Rob Buis.
1454
1455         Implement GCActivityCallback and HeapTimer for BlackBerry port.
1456
1457         * heap/HeapTimer.cpp:
1458         (JSC):
1459         (JSC::HeapTimer::HeapTimer):
1460         (JSC::HeapTimer::~HeapTimer):
1461         (JSC::HeapTimer::timerDidFire):
1462         (JSC::HeapTimer::synchronize):
1463         (JSC::HeapTimer::invalidate):
1464         (JSC::HeapTimer::didStartVMShutdown):
1465         * heap/HeapTimer.h:
1466         (HeapTimer):
1467         * runtime/GCActivityCallbackBlackBerry.cpp:
1468         (JSC):
1469         (JSC::DefaultGCActivityCallback::doWork):
1470         (JSC::DefaultGCActivityCallback::didAllocate):
1471         (JSC::DefaultGCActivityCallback::willCollect):
1472         (JSC::DefaultGCActivityCallback::cancel):
1473
1474 2012-07-13  Patrick Gansterer  <paroga@webkit.org>
1475
1476         [WIN] Fix compilation of DFGRepatch.cpp
1477         https://bugs.webkit.org/show_bug.cgi?id=91241
1478
1479         Reviewed by Geoffrey Garen.
1480
1481         Use intptr_t instead of uintptr_t when calling CodeLocationCommon::dataLabelPtrAtOffset(int)
1482         to fix MSVC "unary minus operator applied to unsigned type, result still unsigned" warning.
1483
1484         * dfg/DFGRepatch.cpp:
1485         (JSC::DFG::dfgResetGetByID):
1486         (JSC::DFG::dfgResetPutByID):
1487
1488 2012-07-13  Patrick Gansterer  <paroga@webkit.org>
1489
1490         Fix ARM_TRADITIONAL JIT for COMPILER(MSVC) and COMPILER(RVCT) after r121885
1491         https://bugs.webkit.org/show_bug.cgi?id=91238
1492
1493         Reviewed by Zoltan Herczeg.
1494
1495         r121885 changed the assembler instruction only for COMPILER(GCC).
1496         Use the same instructions for the other compilers too.
1497
1498         * jit/JITStubs.cpp:
1499         (JSC::ctiTrampoline):
1500         (JSC::ctiTrampolineEnd):
1501         (JSC::ctiVMThrowTrampoline):
1502
1503 2012-07-12  Filip Pizlo  <fpizlo@apple.com>
1504
1505         DFG property access stubs should use structure transition watchpoints
1506         https://bugs.webkit.org/show_bug.cgi?id=91135
1507
1508         Reviewed by Geoffrey Garen.
1509
1510         This adds a Watchpoint subclass that will clear a structure stub (i.e.
1511         a property access stub) when fired. The DFG stub generation code now
1512         uses this optimization.
1513
1514         * CMakeLists.txt:
1515         * GNUmakefile.list.am:
1516         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1517         * JavaScriptCore.xcodeproj/project.pbxproj:
1518         * Target.pri:
1519         * bytecode/CodeBlock.cpp:
1520         (JSC):
1521         (JSC::CodeBlock::finalizeUnconditionally):
1522         (JSC::CodeBlock::resetStub):
1523         (JSC::CodeBlock::resetStubInternal):
1524         * bytecode/CodeBlock.h:
1525         (JSC):
1526         (CodeBlock):
1527         * bytecode/StructureStubClearingWatchpoint.cpp: Added.
1528         (JSC):
1529         (JSC::StructureStubClearingWatchpoint::~StructureStubClearingWatchpoint):
1530         (JSC::StructureStubClearingWatchpoint::push):
1531         (JSC::StructureStubClearingWatchpoint::fireInternal):
1532         (JSC::WatchpointsOnStructureStubInfo::~WatchpointsOnStructureStubInfo):
1533         (JSC::WatchpointsOnStructureStubInfo::addWatchpoint):
1534         (JSC::WatchpointsOnStructureStubInfo::ensureReferenceAndAddWatchpoint):
1535         * bytecode/StructureStubClearingWatchpoint.h: Added.
1536         (JSC):
1537         (StructureStubClearingWatchpoint):
1538         (JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint):
1539         (WatchpointsOnStructureStubInfo):
1540         (JSC::WatchpointsOnStructureStubInfo::WatchpointsOnStructureStubInfo):
1541         (JSC::WatchpointsOnStructureStubInfo::codeBlock):
1542         (JSC::WatchpointsOnStructureStubInfo::stubInfo):
1543         * bytecode/StructureStubInfo.h:
1544         (JSC::StructureStubInfo::reset):
1545         (JSC::StructureStubInfo::addWatchpoint):
1546         (StructureStubInfo):
1547         * dfg/DFGRepatch.cpp:
1548         (JSC::DFG::addStructureTransitionCheck):
1549         (DFG):
1550         (JSC::DFG::generateProtoChainAccessStub):
1551         (JSC::DFG::emitPutTransitionStub):
1552         * jit/JumpReplacementWatchpoint.h:
1553
1554 2012-07-12  Filip Pizlo  <fpizlo@apple.com>
1555
1556         DFG CFA may get overzealous in loops that have code that must exit
1557         https://bugs.webkit.org/show_bug.cgi?id=91188
1558
1559         Reviewed by Gavin Barraclough.
1560
1561         Ensure that if the CFA assumes that an operation must exit, then it will always exit
1562         no matter what happens after. That's necessary to preserve soundness.
1563         
1564         Remove a broken fixup done by the DFG simplifier, where it was trying to say that the
1565         variable-at-head was the first access in the second block in the merge, if the first
1566         block did not read the variable. That's totally wrong, if the first block was in fact
1567         doing a phantom read. I removed that fixup and instead hardened the rest of the
1568         compiler.
1569
1570         * dfg/DFGAbstractState.cpp:
1571         (JSC::DFG::AbstractState::endBasicBlock):
1572         * dfg/DFGBasicBlock.h:
1573         (JSC::DFG::BasicBlock::BasicBlock):
1574         (BasicBlock):
1575         * dfg/DFGCFAPhase.cpp:
1576         (JSC::DFG::CFAPhase::performBlockCFA):
1577         * dfg/DFGCFGSimplificationPhase.cpp:
1578         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
1579         * dfg/DFGConstantFoldingPhase.cpp:
1580         (JSC::DFG::ConstantFoldingPhase::ConstantFoldingPhase):
1581         (JSC::DFG::ConstantFoldingPhase::run):
1582         (ConstantFoldingPhase):
1583         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1584         (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
1585         * dfg/DFGVariableEventStream.cpp:
1586         (JSC::DFG::VariableEventStream::reconstruct):
1587
1588 2012-07-12  Allan Sandfeld Jensen  <allan.jensen@nokia.com>
1589
1590         [Qt] Implement MemoryUsageSupport
1591         https://bugs.webkit.org/show_bug.cgi?id=91094
1592
1593         Reviewed by Adam Barth.
1594
1595         Compile in MemoryStatistics so we can make use of the interface.
1596
1597         * Target.pri:
1598
1599 2012-07-12  Csaba Osztrogonác  <ossy@webkit.org>
1600
1601         Remove dead code after r122392.
1602         https://bugs.webkit.org/show_bug.cgi?id=91049
1603
1604         Reviewed by Filip Pizlo.
1605
1606         * dfg/DFGSpeculativeJIT64.cpp:
1607         (JSC::DFG::SpeculativeJIT::emitCall):
1608
1609 2012-07-11  Adenilson Cavalcanti  <cavalcantii@gmail.com>
1610
1611         Build fix + remove dead code
1612         https://bugs.webkit.org/show_bug.cgi?id=91039
1613
1614         Reviewed by Filip Pizlo.
1615
1616         An unused variable was breaking compilation (thanks to warnings being treated as errors).
1617
1618         * dfg/DFGSpeculativeJIT32_64.cpp:
1619         (JSC::DFG::SpeculativeJIT::emitCall):
1620
1621 2012-07-11  Mark Rowe  <mrowe@apple.com>
1622
1623         <http://webkit.org/b/91024> Build against the latest SDK when targeting older OS X versions.
1624
1625         Reviewed by Dan Bernstein.
1626
1627         The deployment target is already set to the version that we're targeting, and it's that setting
1628         which determines which functionality from the SDK is available to us.
1629
1630         * Configurations/Base.xcconfig:
1631
1632 2012-07-11  Filip Pizlo  <fpizlo@apple.com>
1633
1634         DFG should have fast virtual calls
1635         https://bugs.webkit.org/show_bug.cgi?id=90924
1636
1637         Reviewed by Gavin Barraclough.
1638         
1639         Implements virtual call support in the style of the old JIT, with the
1640         caveat that we still use the same slow path for both InternalFunction
1641         calls and JSFunction calls. Also rationalized the way that our
1642         CodeOrigin indices tie into exception checks (previously it was a
1643         strange one-to-one mapping with fairly limited assertions; now it's a
1644         one-to-many mapping for CodeOrigins to exception checks, respectively).
1645         I also took the opportunity to clean up
1646         CallLinkInfo::callReturnLocation, which previously was either a Call or
1647         a NearCall. Now it's just a NearCall. As well, exceptions during slow
1648         path call resolution are now handled by returning an exception throwing
1649         thunk rather than returning null. And finally, I made a few things
1650         public that were previously private-with-lots-of-friends, because I
1651         truly despise the thought of listing each thunk generating function as
1652         a friend of JSValue and friends.
1653         
1654         * bytecode/CallLinkInfo.cpp:
1655         (JSC::CallLinkInfo::unlink):
1656         * bytecode/CallLinkInfo.h:
1657         (CallLinkInfo):
1658         * bytecode/CodeOrigin.h:
1659         (JSC::CodeOrigin::CodeOrigin):
1660         (JSC::CodeOrigin::isSet):
1661         * dfg/DFGAssemblyHelpers.h:
1662         (JSC::DFG::AssemblyHelpers::AssemblyHelpers):
1663         * dfg/DFGCCallHelpers.h:
1664         (JSC::DFG::CCallHelpers::CCallHelpers):
1665         * dfg/DFGGPRInfo.h:
1666         (GPRInfo):
1667         * dfg/DFGJITCompiler.cpp:
1668         (JSC::DFG::JITCompiler::link):
1669         (JSC::DFG::JITCompiler::compileFunction):
1670         * dfg/DFGJITCompiler.h:
1671         (JSC::DFG::CallBeginToken::CallBeginToken):
1672         (JSC::DFG::CallBeginToken::~CallBeginToken):
1673         (CallBeginToken):
1674         (JSC::DFG::CallBeginToken::set):
1675         (JSC::DFG::CallBeginToken::registerWithExceptionCheck):
1676         (JSC::DFG::CallBeginToken::codeOrigin):
1677         (JSC::DFG::CallExceptionRecord::CallExceptionRecord):
1678         (CallExceptionRecord):
1679         (JSC::DFG::JITCompiler::currentCodeOriginIndex):
1680         (JITCompiler):
1681         (JSC::DFG::JITCompiler::beginCall):
1682         (JSC::DFG::JITCompiler::notifyCall):
1683         (JSC::DFG::JITCompiler::prepareForExceptionCheck):
1684         (JSC::DFG::JITCompiler::addExceptionCheck):
1685         (JSC::DFG::JITCompiler::addFastExceptionCheck):
1686         * dfg/DFGOperations.cpp:
1687         * dfg/DFGRepatch.cpp:
1688         (JSC::DFG::dfgLinkFor):
1689         * dfg/DFGSpeculativeJIT.h:
1690         (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
1691         * dfg/DFGSpeculativeJIT32_64.cpp:
1692         (JSC::DFG::SpeculativeJIT::emitCall):
1693         * dfg/DFGSpeculativeJIT64.cpp:
1694         (JSC::DFG::SpeculativeJIT::emitCall):
1695         * dfg/DFGThunks.cpp:
1696         (JSC::DFG::emitPointerValidation):
1697         (DFG):
1698         (JSC::DFG::throwExceptionFromCallSlowPathGenerator):
1699         (JSC::DFG::slowPathFor):
1700         (JSC::DFG::linkForThunkGenerator):
1701         (JSC::DFG::linkCallThunkGenerator):
1702         (JSC::DFG::linkConstructThunkGenerator):
1703         (JSC::DFG::virtualForThunkGenerator):
1704         (JSC::DFG::virtualCallThunkGenerator):
1705         (JSC::DFG::virtualConstructThunkGenerator):
1706         * dfg/DFGThunks.h:
1707         (DFG):
1708         * jit/JIT.cpp:
1709         (JSC::JIT::privateCompile):
1710         (JSC::JIT::linkFor):
1711         * runtime/Executable.h:
1712         (ExecutableBase):
1713         (JSC::ExecutableBase::offsetOfJITCodeFor):
1714         (JSC::ExecutableBase::offsetOfNumParametersFor):
1715         * runtime/JSValue.h:
1716         (JSValue):
1717
1718 2012-07-11  Filip Pizlo  <fpizlo@apple.com>
1719
1720         Accidentally used the wrong license (3-clause instead of 2-clause) in some
1721         files I just committed.
1722
1723         Rubber stamped by Oliver Hunt.
1724
1725         * bytecode/Watchpoint.cpp:
1726         * bytecode/Watchpoint.h:
1727         * jit/JumpReplacementWatchpoint.cpp:
1728         * jit/JumpReplacementWatchpoint.h:
1729
1730 2012-07-11  Filip Pizlo  <fpizlo@apple.com>
1731
1732         Watchpoints and jump replacement should be decoupled
1733         https://bugs.webkit.org/show_bug.cgi?id=91016
1734
1735         Reviewed by Oliver Hunt.
1736
1737         * CMakeLists.txt:
1738         * GNUmakefile.list.am:
1739         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1740         * JavaScriptCore.xcodeproj/project.pbxproj:
1741         * Target.pri:
1742         * assembler/AbstractMacroAssembler.h:
1743         (JSC):
1744         (Label):
1745         * bytecode/CodeBlock.h:
1746         (JSC::CodeBlock::appendWatchpoint):
1747         (JSC::CodeBlock::watchpoint):
1748         (DFGData):
1749         * bytecode/Watchpoint.cpp:
1750         (JSC):
1751         * bytecode/Watchpoint.h:
1752         (JSC::Watchpoint::Watchpoint):
1753         (Watchpoint):
1754         (JSC::Watchpoint::fire):
1755         * dfg/DFGSpeculativeJIT.h:
1756         (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
1757         * jit/JumpReplacementWatchpoint.cpp: Added.
1758         (JSC):
1759         (JSC::JumpReplacementWatchpoint::correctLabels):
1760         (JSC::JumpReplacementWatchpoint::fireInternal):
1761         * jit/JumpReplacementWatchpoint.h: Added.
1762         (JSC):
1763         (JumpReplacementWatchpoint):
1764         (JSC::JumpReplacementWatchpoint::JumpReplacementWatchpoint):
1765         (JSC::JumpReplacementWatchpoint::setDestination):
1766
1767 2012-07-11  Kevin Ollivier  <kevino@theolliviers.com>
1768
1769         [wx] Unreviewed build fix. Don't try to build udis86_itab.c since it's included by 
1770         another file.
1771
1772         * wscript:
1773
1774 2012-07-11  Chao-ying Fu  <fu@mips.com>
1775
1776         Add MIPS convertibleLoadPtr and other functions
1777         https://bugs.webkit.org/show_bug.cgi?id=90714
1778
1779         Reviewed by Oliver Hunt.
1780
1781         * assembler/MIPSAssembler.h:
1782         (JSC::MIPSAssembler::labelIgnoringWatchpoints):
1783         (MIPSAssembler):
1784         (JSC::MIPSAssembler::replaceWithLoad):
1785         (JSC::MIPSAssembler::replaceWithAddressComputation):
1786         * assembler/MacroAssemblerMIPS.h:
1787         (JSC::MacroAssemblerMIPS::convertibleLoadPtr):
1788         (MacroAssemblerMIPS):
1789
1790 2012-07-11  Anders Carlsson  <andersca@apple.com>
1791
1792         Add -Wtautological-compare and -Wsign-compare warning flags
1793         https://bugs.webkit.org/show_bug.cgi?id=90994
1794
1795         Reviewed by Mark Rowe.
1796
1797         * Configurations/Base.xcconfig:
1798
1799 2012-07-11  Benjamin Poulain  <bpoulain@apple.com>
1800
1801         Simplify the copying of JSC ARMv7's LinkRecord
1802         https://bugs.webkit.org/show_bug.cgi?id=90930
1803
1804         Reviewed by Filip Pizlo.
1805
1806         The class LinkRecord is used by value everywhere in ARMv7Assembler. The compiler uses
1807         memmove() to move the objects.
1808
1809         The problem is that memmove() is overkill for this object; moving the value can be done with
1810         3 load-stores. This patch adds an operator= to the class doing more efficient copying.
1811         This reduces the link time by 19%.
1812
1813         * assembler/ARMv7Assembler.h:
1814         (JSC::ARMv7Assembler::LinkRecord::LinkRecord):
1815         (JSC::ARMv7Assembler::LinkRecord::operator=):
1816         (JSC::ARMv7Assembler::LinkRecord::from):
1817         (JSC::ARMv7Assembler::LinkRecord::setFrom):
1818         (JSC::ARMv7Assembler::LinkRecord::to):
1819         (JSC::ARMv7Assembler::LinkRecord::type):
1820         (JSC::ARMv7Assembler::LinkRecord::linkType):
1821         (JSC::ARMv7Assembler::LinkRecord::setLinkType):
1822         (JSC::ARMv7Assembler::LinkRecord::condition):
1823
1824 2012-07-11  Andy Wingo  <wingo@igalia.com>
1825
1826         jsc: Parse options before creating global data
1827         https://bugs.webkit.org/show_bug.cgi?id=90975
1828
1829         Reviewed by Filip Pizlo.
1830
1831         This patch moves the options parsing in "jsc" before the creation
1832         of the JSGlobalData, so that --useJIT=no has a chance to take
1833         effect.
1834
1835         * jsc.cpp:
1836         (CommandLine::parseArguments): Refactor to be a class, and take
1837         argc and argv as constructor arguments.
1838         (jscmain): Move arg parsing before JSGlobalData creation.
1839
1840 2012-07-10  Filip Pizlo  <fpizlo@apple.com>
1841
1842         REGRESSION(r122166): It made 170 tests crash on 32 bit platforms
1843         https://bugs.webkit.org/show_bug.cgi?id=90852
1844
1845         Reviewed by Zoltan Herczeg.
1846         
1847         If we can't use the range filter, we should still make sure that the
1848         address is remotely sane, otherwise the hashtables will assert.
1849
1850         * jit/JITStubRoutine.h:
1851         (JSC::JITStubRoutine::passesFilter):
1852
1853 2012-07-10  Filip Pizlo  <fpizlo@apple.com>
1854
1855         DFG recompilation heuristics should be based on count, not rate
1856         https://bugs.webkit.org/show_bug.cgi?id=90146
1857
1858         Reviewed by Oliver Hunt.
1859         
1860         Rolling r121511 back in after fixing the DFG's interpretation of op_div
1861         profiling, with Gavin's rubber stamp.
1862
1863         This removes a bunch of code that was previously trying to prevent spurious
1864         reoptimizations if a large enough majority of executions of a code block did
1865         not result in OSR exit. It turns out that this code was purely harmful. This
1866         patch removes all of that logic and replaces it with a dead-simple
1867         heuristic: if you exit more than N times (where N is an exponential function
1868         of the number of times the code block has already been recompiled) then we
1869         will recompile.
1870         
1871         This appears to be a broad ~1% win on many benchmarks large and small.
1872
1873         * bytecode/CodeBlock.cpp:
1874         (JSC::CodeBlock::CodeBlock):
1875         * bytecode/CodeBlock.h:
1876         (JSC::CodeBlock::couldTakeSpecialFastCase):
1877         (CodeBlock):
1878         (JSC::CodeBlock::osrExitCounter):
1879         (JSC::CodeBlock::countOSRExit):
1880         (JSC::CodeBlock::addressOfOSRExitCounter):
1881         (JSC::CodeBlock::offsetOfOSRExitCounter):
1882         (JSC::CodeBlock::adjustedExitCountThreshold):
1883         (JSC::CodeBlock::exitCountThresholdForReoptimization):
1884         (JSC::CodeBlock::exitCountThresholdForReoptimizationFromLoop):
1885         (JSC::CodeBlock::shouldReoptimizeNow):
1886         (JSC::CodeBlock::shouldReoptimizeFromLoopNow):
1887         * bytecode/ExecutionCounter.cpp:
1888         (JSC::ExecutionCounter::setThreshold):
1889         * bytecode/ExecutionCounter.h:
1890         (ExecutionCounter):
1891         (JSC::ExecutionCounter::clippedThreshold):
1892         * dfg/DFGByteCodeParser.cpp:
1893         (JSC::DFG::ByteCodeParser::makeDivSafe):
1894         * dfg/DFGJITCompiler.cpp:
1895         (JSC::DFG::JITCompiler::compileBody):
1896         * dfg/DFGOSRExit.cpp:
1897         (JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow):
1898         * dfg/DFGOSRExitCompiler.cpp:
1899         (JSC::DFG::OSRExitCompiler::handleExitCounts):
1900         * dfg/DFGOperations.cpp:
1901         * jit/JITStubs.cpp:
1902         (JSC::DEFINE_STUB_FUNCTION):
1903         * runtime/Options.h:
1904         (JSC):
1905
1906 2012-07-09  Matt Falkenhagen  <falken@chromium.org>
1907
1908         Add ENABLE_DIALOG_ELEMENT and skeleton files
1909         https://bugs.webkit.org/show_bug.cgi?id=90521
1910
1911         Reviewed by Kent Tamura.
1912
1913         * Configurations/FeatureDefines.xcconfig:
1914
1915 2012-07-09  Filip Pizlo  <fpizlo@apple.com>
1916
1917         Unreviewed, roll out http://trac.webkit.org/changeset/121511
1918         It made in-browser V8v7 10% slower.
1919
1920         * bytecode/CodeBlock.cpp:
1921         (JSC::CodeBlock::CodeBlock):
1922         * bytecode/CodeBlock.h:
1923         (CodeBlock):
1924         (JSC::CodeBlock::countSpeculationSuccess):
1925         (JSC::CodeBlock::countSpeculationFailure):
1926         (JSC::CodeBlock::speculativeSuccessCounter):
1927         (JSC::CodeBlock::speculativeFailCounter):
1928         (JSC::CodeBlock::forcedOSRExitCounter):
1929         (JSC::CodeBlock::addressOfSpeculativeSuccessCounter):
1930         (JSC::CodeBlock::addressOfSpeculativeFailCounter):
1931         (JSC::CodeBlock::addressOfForcedOSRExitCounter):
1932         (JSC::CodeBlock::offsetOfSpeculativeSuccessCounter):
1933         (JSC::CodeBlock::offsetOfSpeculativeFailCounter):
1934         (JSC::CodeBlock::offsetOfForcedOSRExitCounter):
1935         (JSC::CodeBlock::largeFailCountThreshold):
1936         (JSC::CodeBlock::largeFailCountThresholdForLoop):
1937         (JSC::CodeBlock::shouldReoptimizeNow):
1938         (JSC::CodeBlock::shouldReoptimizeFromLoopNow):
1939         * bytecode/ExecutionCounter.cpp:
1940         (JSC::ExecutionCounter::setThreshold):
1941         * bytecode/ExecutionCounter.h:
1942         (ExecutionCounter):
1943         * dfg/DFGJITCompiler.cpp:
1944         (JSC::DFG::JITCompiler::compileBody):
1945         * dfg/DFGOSRExit.cpp:
1946         (JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow):
1947         * dfg/DFGOSRExitCompiler.cpp:
1948         (JSC::DFG::OSRExitCompiler::handleExitCounts):
1949         * dfg/DFGOperations.cpp:
1950         * jit/JITStubs.cpp:
1951         (JSC::DEFINE_STUB_FUNCTION):
1952         * runtime/Options.h:
1953         (JSC):
1954
1955 2012-07-09  Filip Pizlo  <fpizlo@apple.com>
1956
1957         DFG may get stuck in an infinite fix point if it constant folds a mispredicted node
1958         https://bugs.webkit.org/show_bug.cgi?id=90829
1959         <rdar://problem/11823843>
1960
1961         Reviewed by Oliver Hunt.
1962         
1963         If a node is shown to have been mispredicted during CFA, then don't allow constant
1964         folding to make the graph even more degenerate. Instead, pull back on constant folding
1965         and allow the normal OSR machinery to fix our profiling so that a future recompilation
1966         doesn't see the same mistake.
1967
1968         * dfg/DFGAbstractState.cpp:
1969         (JSC::DFG::AbstractState::execute):
1970         * dfg/DFGAbstractState.h:
1971         (JSC::DFG::AbstractState::trySetConstant):
1972         (AbstractState):
1973         * dfg/DFGPhase.h:
1974         (JSC::DFG::Phase::name):
1975         (Phase):
1976         (JSC::DFG::runAndLog):
1977         (DFG):
1978         (JSC::DFG::runPhase):
1979
1980 2012-07-09  Filip Pizlo  <fpizlo@apple.com>
1981
1982         It should be possible to jettison JIT stub routines even if they are currently running
1983         https://bugs.webkit.org/show_bug.cgi?id=90731
1984
1985         Reviewed by Gavin Barraclough.
1986         
1987         This gives the GC awareness of all JIT-generated stubs for inline caches. That
1988         means that if you want to delete a JIT-generated stub, you don't have to worry
1989         about whether or not it is currently running: if there is a chance that it might
1990         be, the GC will kindly defer deletion until non-running-ness is proved.
1991
1992         * CMakeLists.txt:
1993         * GNUmakefile.list.am:
1994         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1995         * JavaScriptCore.xcodeproj/project.pbxproj:
1996         * Target.pri:
1997         * bytecode/Instruction.h:
1998         (JSC):
1999         (PolymorphicStubInfo):
2000         (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):
2001         (JSC::PolymorphicAccessStructureList::PolymorphicAccessStructureList):
2002         * bytecode/PolymorphicPutByIdList.cpp:
2003         (JSC::PutByIdAccess::fromStructureStubInfo):
2004         * bytecode/PolymorphicPutByIdList.h:
2005         (JSC::PutByIdAccess::transition):
2006         (JSC::PutByIdAccess::replace):
2007         (JSC::PutByIdAccess::stubRoutine):
2008         (PutByIdAccess):
2009         (JSC::PolymorphicPutByIdList::currentSlowPathTarget):
2010         * bytecode/StructureStubInfo.h:
2011         (JSC::StructureStubInfo::reset):
2012         * dfg/DFGRepatch.cpp:
2013         (JSC::DFG::generateProtoChainAccessStub):
2014         (JSC::DFG::tryCacheGetByID):
2015         (JSC::DFG::tryBuildGetByIDList):
2016         (JSC::DFG::tryBuildGetByIDProtoList):
2017         (JSC::DFG::emitPutReplaceStub):
2018         (JSC::DFG::emitPutTransitionStub):
2019         (JSC::DFG::tryCachePutByID):
2020         (JSC::DFG::tryBuildPutByIdList):
2021         * heap/ConservativeRoots.cpp:
2022         (JSC):
2023         (DummyMarkHook):
2024         (JSC::DummyMarkHook::mark):
2025         (JSC::ConservativeRoots::add):
2026         (CompositeMarkHook):
2027         (JSC::CompositeMarkHook::CompositeMarkHook):
2028         (JSC::CompositeMarkHook::mark):
2029         * heap/ConservativeRoots.h:
2030         (JSC):
2031         (ConservativeRoots):
2032         * heap/Heap.cpp:
2033         (JSC::Heap::markRoots):
2034         (JSC::Heap::deleteUnmarkedCompiledCode):
2035         * heap/Heap.h:
2036         (JSC):
2037         (Heap):
2038         * heap/JITStubRoutineSet.cpp: Added.
2039         (JSC):
2040         (JSC::JITStubRoutineSet::JITStubRoutineSet):
2041         (JSC::JITStubRoutineSet::~JITStubRoutineSet):
2042         (JSC::JITStubRoutineSet::add):
2043         (JSC::JITStubRoutineSet::clearMarks):
2044         (JSC::JITStubRoutineSet::markSlow):
2045         (JSC::JITStubRoutineSet::deleteUnmarkedJettisonedStubRoutines):
2046         (JSC::JITStubRoutineSet::traceMarkedStubRoutines):
2047         * heap/JITStubRoutineSet.h: Added.
2048         (JSC):
2049         (JITStubRoutineSet):
2050         (JSC::JITStubRoutineSet::mark):
2051         * heap/MachineStackMarker.h:
2052         (JSC):
2053         * interpreter/RegisterFile.cpp:
2054         (JSC::RegisterFile::gatherConservativeRoots):
2055         * interpreter/RegisterFile.h:
2056         (JSC):
2057         * jit/ExecutableAllocator.cpp:
2058         (JSC::DemandExecutableAllocator::DemandExecutableAllocator):
2059         * jit/ExecutableAllocator.h:
2060         (JSC):
2061         * jit/ExecutableAllocatorFixedVMPool.cpp:
2062         (JSC):
2063         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
2064         * jit/GCAwareJITStubRoutine.cpp: Added.
2065         (JSC):
2066         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
2067         (JSC::GCAwareJITStubRoutine::~GCAwareJITStubRoutine):
2068         (JSC::GCAwareJITStubRoutine::observeZeroRefCount):
2069         (JSC::GCAwareJITStubRoutine::deleteFromGC):
2070         (JSC::GCAwareJITStubRoutine::markRequiredObjectsInternal):
2071         (JSC::MarkingGCAwareJITStubRoutineWithOneObject::MarkingGCAwareJITStubRoutineWithOneObject):
2072         (JSC::MarkingGCAwareJITStubRoutineWithOneObject::~MarkingGCAwareJITStubRoutineWithOneObject):
2073         (JSC::MarkingGCAwareJITStubRoutineWithOneObject::markRequiredObjectsInternal):
2074         (JSC::createJITStubRoutine):
2075         * jit/GCAwareJITStubRoutine.h: Added.
2076         (JSC):
2077         (GCAwareJITStubRoutine):
2078         (JSC::GCAwareJITStubRoutine::markRequiredObjects):
2079         (MarkingGCAwareJITStubRoutineWithOneObject):
2080         * jit/JITPropertyAccess.cpp:
2081         (JSC::JIT::privateCompilePutByIdTransition):
2082         (JSC::JIT::privateCompilePatchGetArrayLength):
2083         (JSC::JIT::privateCompileGetByIdProto):
2084         (JSC::JIT::privateCompileGetByIdSelfList):
2085         (JSC::JIT::privateCompileGetByIdProtoList):
2086         (JSC::JIT::privateCompileGetByIdChainList):
2087         (JSC::JIT::privateCompileGetByIdChain):
2088         * jit/JITPropertyAccess32_64.cpp:
2089         (JSC::JIT::privateCompilePutByIdTransition):
2090         (JSC::JIT::privateCompilePatchGetArrayLength):
2091         (JSC::JIT::privateCompileGetByIdProto):
2092         (JSC::JIT::privateCompileGetByIdSelfList):
2093         (JSC::JIT::privateCompileGetByIdProtoList):
2094         (JSC::JIT::privateCompileGetByIdChainList):
2095         (JSC::JIT::privateCompileGetByIdChain):
2096         * jit/JITStubRoutine.cpp: Added.
2097         (JSC):
2098         (JSC::JITStubRoutine::~JITStubRoutine):
2099         (JSC::JITStubRoutine::observeZeroRefCount):
2100         * jit/JITStubRoutine.h: Added.
2101         (JSC):
2102         (JITStubRoutine):
2103         (JSC::JITStubRoutine::JITStubRoutine):
2104         (JSC::JITStubRoutine::createSelfManagedRoutine):
2105         (JSC::JITStubRoutine::code):
2106         (JSC::JITStubRoutine::asCodePtr):
2107         (JSC::JITStubRoutine::ref):
2108         (JSC::JITStubRoutine::deref):
2109         (JSC::JITStubRoutine::startAddress):
2110         (JSC::JITStubRoutine::endAddress):
2111         (JSC::JITStubRoutine::addressStep):
2112         (JSC::JITStubRoutine::canPerformRangeFilter):
2113         (JSC::JITStubRoutine::filteringStartAddress):
2114         (JSC::JITStubRoutine::filteringExtentSize):
2115         (JSC::JITStubRoutine::passesFilter):
2116         * jit/JITStubs.cpp:
2117         (JSC::DEFINE_STUB_FUNCTION):
2118         (JSC::getPolymorphicAccessStructureListSlot):
2119
2120 2012-07-09  Sheriff Bot  <webkit.review.bot@gmail.com>
2121
2122         Unreviewed, rolling out r122107.
2123         http://trac.webkit.org/changeset/122107
2124         https://bugs.webkit.org/show_bug.cgi?id=90794
2125
2126         Build failure on Mac debug bots (Requested by falken_ on
2127         #webkit).
2128
2129         * Configurations/FeatureDefines.xcconfig:
2130
2131 2012-07-09  Matt Falkenhagen  <falken@chromium.org>
2132
2133         Add ENABLE_DIALOG_ELEMENT and skeleton files
2134         https://bugs.webkit.org/show_bug.cgi?id=90521
2135
2136         Reviewed by Kent Tamura.
2137
2138         * Configurations/FeatureDefines.xcconfig:
2139
2140 2012-07-08  Ryosuke Niwa  <rniwa@webkit.org>
2141
2142         gcc build fix after r121925.
2143
2144         * runtime/JSObject.h:
2145         (JSC::JSFinalObject::finishCreation):
2146
2147 2012-07-08  Zoltan Herczeg  <zherczeg@webkit.org>
2148
2149         [Qt][ARM] Implementing missing macro assembler instructions after r121925
2150         https://bugs.webkit.org/show_bug.cgi?id=90657
2151
2152         Reviewed by Csaba Osztrogonác.
2153
2154         Implementing convertibleLoadPtr, replaceWithLoad and
2155         replaceWithAddressComputation.
2156
2157         * assembler/ARMAssembler.h:
2158         (JSC::ARMAssembler::replaceWithLoad):
2159         (ARMAssembler):
2160         (JSC::ARMAssembler::replaceWithAddressComputation):
2161         * assembler/MacroAssemblerARM.h:
2162         (JSC::MacroAssemblerARM::convertibleLoadPtr):
2163         (MacroAssemblerARM):
2164
2165 2012-07-06  Filip Pizlo  <fpizlo@apple.com>
2166
2167         WebKit Version 5.1.7 (6534.57.2, r121935): Double-click no longer works on OpenStreetMap
2168         https://bugs.webkit.org/show_bug.cgi?id=90703
2169
2170         Reviewed by Michael Saboff.
2171         
2172         It turns out that in my object model refactoring, I managed to fix get_by_pname in all
2173         execution engines except 64-bit baseline JIT.
2174
2175         * jit/JITPropertyAccess.cpp:
2176         (JSC::JIT::emit_op_get_by_pname):
2177
2178 2012-07-06  Pravin D  <pravind.2k4@gmail.com>
2179
2180         Build Error on Qt Linux build
2181         https://bugs.webkit.org/show_bug.cgi?id=90699
2182
2183         Reviewed by Laszlo Gombos.
2184
2185         * parser/Parser.cpp:
2186         (JSC::::parseForStatement):
2187         Removed unused boolean variable as this was causing build error on Qt Linux.
2188
2189 2012-07-06  Nuno Lopes  <nlopes@apple.com>
2190
2191         Fix build with recent clang.
2192         https://bugs.webkit.org/show_bug.cgi?id=90634
2193
2194         Reviewed by Oliver Hunt.
2195
2196         * jit/SpecializedThunkJIT.h:
2197         (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
2198         (SpecializedThunkJIT):
2199         * jit/ThunkGenerators.cpp:
2200         (JSC::charCodeAtThunkGenerator):
2201         (JSC::charAtThunkGenerator):
2202         (JSC::fromCharCodeThunkGenerator):
2203         (JSC::sqrtThunkGenerator):
2204         (JSC::floorThunkGenerator):
2205         (JSC::ceilThunkGenerator):
2206         (JSC::roundThunkGenerator):
2207         (JSC::expThunkGenerator):
2208         (JSC::logThunkGenerator):
2209         (JSC::absThunkGenerator):
2210         (JSC::powThunkGenerator):
2211         * parser/ASTBuilder.h:
2212         (JSC::ASTBuilder::createAssignResolve):
2213         (JSC::ASTBuilder::createForLoop):
2214         (JSC::ASTBuilder::createForInLoop):
2215         (JSC::ASTBuilder::makeAssignNode):
2216         (JSC::ASTBuilder::makePrefixNode):
2217         (JSC::ASTBuilder::makePostfixNode):
2218         * parser/NodeConstructors.h:
2219         (JSC::PostfixErrorNode::PostfixErrorNode):
2220         (JSC::PrefixErrorNode::PrefixErrorNode):
2221         (JSC::AssignResolveNode::AssignResolveNode):
2222         (JSC::AssignErrorNode::AssignErrorNode):
2223         (JSC::ForNode::ForNode):
2224         (JSC::ForInNode::ForInNode):
2225         * parser/Nodes.h:
2226         (FunctionCallResolveNode):
2227         (PostfixErrorNode):
2228         (PrefixErrorNode):
2229         (ReadModifyResolveNode):
2230         (AssignResolveNode):
2231         (AssignErrorNode):
2232         (ForNode):
2233         (ForInNode):
2234         * parser/Parser.cpp:
2235         (JSC::::parseVarDeclarationList):
2236         (JSC::::parseForStatement):
2237         * parser/SyntaxChecker.h:
2238         (JSC::SyntaxChecker::createAssignResolve):
2239         (JSC::SyntaxChecker::createForLoop):
2240
2241 2012-07-06  Zoltan Herczeg  <zherczeg@webkit.org>
2242
2243         [Qt][ARM] REGRESSION(r121885): It broke 30 jsc tests, 500+ layout tests
2244         https://bugs.webkit.org/show_bug.cgi?id=90656
2245
2246         Reviewed by Csaba Osztrogonác.
2247
2248         Typo fixes.
2249
2250         * assembler/MacroAssemblerARM.cpp:
2251         (JSC::MacroAssemblerARM::load32WithUnalignedHalfWords):
2252         Rename getOp2Byte() -> getOp2Half()
2253         * assembler/MacroAssemblerARMv7.h:
2254         (JSC::MacroAssemblerARMv7::convertibleLoadPtr):
2255         Add a necessary space.
2256         * jit/JITStubs.cpp:
2257         (JSC):
2258         Revert INLINE_ARM_FUNCTION macro.
2259
2260 2012-07-05  Filip Pizlo  <fpizlo@apple.com>
2261
2262         REGRESSION(r121925): It broke 5 sputnik tests on x86 platforms
2263         https://bugs.webkit.org/show_bug.cgi?id=90658
2264
2265         Reviewed by Zoltan Herczeg.
2266         
2267         Under the new object model, out-of-line property accesses such as those
2268         in ResolveGlobal must account for the fact that the offset to the Kth
2269         property is represented by K + inlineStorageCapacity. Hence, the property
2270         loads in ResolveGlobal must have an additional -inlineStorageCapacity *
2271         sizeof(JSValue) offset.
2272
2273         * dfg/DFGSpeculativeJIT32_64.cpp:
2274         (JSC::DFG::SpeculativeJIT::compile):
2275
2276 2012-07-05  Csaba Osztrogonác  <ossy@webkit.org>
2277
2278         [Qt] Unreviewed 64 bit buildfix after r121925.
2279
2280         * bytecode/PutByIdStatus.cpp:
2281         (JSC::PutByIdStatus::computeFromLLInt):
2282
2283 2012-07-05  Michael Saboff  <msaboff@apple.com>
2284
2285         JSString::tryHashConstLock() fails to get exclusive lock
2286         https://bugs.webkit.org/show_bug.cgi?id=90639
2287
2288         Reviewed by Oliver Hunt.
2289
2290         Added check that the string is already locked even before compare and swap.
2291
2292         * heap/MarkStack.cpp:
2293         (JSC::JSString::tryHashConstLock):
2294
2295 2012-07-04  Filip Pizlo  <fpizlo@apple.com>
2296
2297         Inline property storage should not be wasted when it is exhausted
2298         https://bugs.webkit.org/show_bug.cgi?id=90347
2299
2300         Reviewed by Gavin Barraclough.
2301         
2302         Previously, if we switched an object from using inline storage to out-of-line
2303         storage, we would abandon the inline storage. This would have two main implications:
2304         (i) all accesses to the object, even for properties that were previously in inline
2305         storage, must now take an extra indirection; and (ii) we waste a non-trivial amount
2306         of space since we must allocate additional out-of-line storage to hold properties
2307         that would have fit in the inline storage. There's also the copying cost when
2308         switching to out-of-line storage - we must copy all inline properties into out-of-line
2309         storage.
2310         
2311         This patch changes the way that object property storage works so that we can use both
2312         inline and out-of-line storage concurrently. This is accomplished by introducing a
2313         new notion of property offset. This PropertyOffset is a 32-bit signed integer and it
2314         behaves as follows:
2315         
2316         offset == -1: invalid offset, indicating a property that does not exist.
2317         
2318         0 <= offset <= inlineStorageCapacity: offset into inline storage.
2319         
2320         inlineStorageCapacity < offset: offset into out-of-line storage.
2321         
2322         Because non-final objects don't have inline storage, the only valid PropertyOffsets
2323         for those objects' properties are -1 or > inlineStorageCapacity.
2324         
2325         This now means that the decision to use inline or out-of-line storage for an access is
2326         made based on the offset, rather than the structure. It also means that any access
2327         where the offset is a variable must have an extra branch, unless the type of the
2328         object is also known (if it's known to be a non-final object then we can just assert
2329         that the offset is >= inlineStorageCapacity).
2330         
2331         This looks like a big Kraken speed-up and a slight V8 speed-up.
2332
2333         * GNUmakefile.list.am:
2334         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2335         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2336         * JavaScriptCore.xcodeproj/project.pbxproj:
2337         * assembler/ARMv7Assembler.h:
2338         (ARMv7Assembler):
2339         (JSC::ARMv7Assembler::ldrWide8BitImmediate):
2340         (JSC::ARMv7Assembler::replaceWithLoad):
2341         (JSC::ARMv7Assembler::replaceWithAddressComputation):
2342         * assembler/AbstractMacroAssembler.h:
2343         (AbstractMacroAssembler):
2344         (ConvertibleLoadLabel):
2345         (JSC::AbstractMacroAssembler::ConvertibleLoadLabel::ConvertibleLoadLabel):
2346         (JSC::AbstractMacroAssembler::ConvertibleLoadLabel::isSet):
2347         (JSC::AbstractMacroAssembler::labelIgnoringWatchpoints):
2348         (JSC::AbstractMacroAssembler::replaceWithLoad):
2349         (JSC::AbstractMacroAssembler::replaceWithAddressComputation):
2350         * assembler/CodeLocation.h:
2351         (JSC):
2352         (CodeLocationCommon):
2353         (CodeLocationConvertibleLoad):
2354         (JSC::CodeLocationConvertibleLoad::CodeLocationConvertibleLoad):
2355         (JSC::CodeLocationCommon::convertibleLoadAtOffset):
2356         * assembler/LinkBuffer.cpp:
2357         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
2358         * assembler/LinkBuffer.h:
2359         (LinkBuffer):
2360         (JSC::LinkBuffer::locationOf):
2361         * assembler/MacroAssemblerARMv7.h:
2362         (MacroAssemblerARMv7):
2363         (JSC::MacroAssemblerARMv7::convertibleLoadPtr):
2364         * assembler/MacroAssemblerX86.h:
2365         (JSC::MacroAssemblerX86::convertibleLoadPtr):
2366         (MacroAssemblerX86):
2367         * assembler/MacroAssemblerX86_64.h:
2368         (JSC::MacroAssemblerX86_64::convertibleLoadPtr):
2369         (MacroAssemblerX86_64):
2370         * assembler/RepatchBuffer.h:
2371         (RepatchBuffer):
2372         (JSC::RepatchBuffer::replaceWithLoad):
2373         (JSC::RepatchBuffer::replaceWithAddressComputation):
2374         (JSC::RepatchBuffer::setLoadInstructionIsActive):
2375         * assembler/X86Assembler.h:
2376         (JSC::X86Assembler::replaceWithLoad):
2377         (X86Assembler):
2378         (JSC::X86Assembler::replaceWithAddressComputation):
2379         * bytecode/CodeBlock.cpp:
2380         (JSC::CodeBlock::printGetByIdOp):
2381         (JSC::CodeBlock::dump):
2382         (JSC::CodeBlock::finalizeUnconditionally):
2383         * bytecode/GetByIdStatus.cpp:
2384         (JSC::GetByIdStatus::computeFromLLInt):
2385         (JSC::GetByIdStatus::computeForChain):
2386         (JSC::GetByIdStatus::computeFor):
2387         * bytecode/GetByIdStatus.h:
2388         (JSC::GetByIdStatus::GetByIdStatus):
2389         (JSC::GetByIdStatus::offset):
2390         (GetByIdStatus):
2391         * bytecode/Opcode.h:
2392         (JSC):
2393         (JSC::padOpcodeName):
2394         * bytecode/PutByIdStatus.cpp:
2395         (JSC::PutByIdStatus::computeFromLLInt):
2396         (JSC::PutByIdStatus::computeFor):
2397         * bytecode/PutByIdStatus.h:
2398         (JSC::PutByIdStatus::PutByIdStatus):
2399         (JSC::PutByIdStatus::offset):
2400         (PutByIdStatus):
2401         * bytecode/ResolveGlobalStatus.cpp:
2402         (JSC):
2403         (JSC::computeForStructure):
2404         * bytecode/ResolveGlobalStatus.h:
2405         (JSC::ResolveGlobalStatus::ResolveGlobalStatus):
2406         (JSC::ResolveGlobalStatus::offset):
2407         (ResolveGlobalStatus):
2408         * bytecode/StructureSet.h:
2409         (StructureSet):
2410         * bytecode/StructureStubInfo.h:
2411         * dfg/DFGByteCodeParser.cpp:
2412         (ByteCodeParser):
2413         (JSC::DFG::ByteCodeParser::handleGetByOffset):
2414         (JSC::DFG::ByteCodeParser::handleGetById):
2415         (JSC::DFG::ByteCodeParser::parseBlock):
2416         * dfg/DFGCapabilities.h:
2417         (JSC::DFG::canCompileOpcode):
2418         * dfg/DFGJITCompiler.cpp:
2419         (JSC::DFG::JITCompiler::link):
2420         * dfg/DFGJITCompiler.h:
2421         (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord):
2422         (PropertyAccessRecord):
2423         * dfg/DFGRepatch.cpp:
2424         (JSC::DFG::dfgRepatchByIdSelfAccess):
2425         (JSC::DFG::generateProtoChainAccessStub):
2426         (JSC::DFG::tryCacheGetByID):
2427         (JSC::DFG::tryBuildGetByIDList):
2428         (JSC::DFG::tryBuildGetByIDProtoList):
2429         (JSC::DFG::emitPutReplaceStub):
2430         (JSC::DFG::emitPutTransitionStub):
2431         (JSC::DFG::tryCachePutByID):
2432         (JSC::DFG::tryBuildPutByIdList):
2433         * dfg/DFGSpeculativeJIT.h:
2434         (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
2435         * dfg/DFGSpeculativeJIT32_64.cpp:
2436         (JSC::DFG::SpeculativeJIT::cachedGetById):
2437         (JSC::DFG::SpeculativeJIT::cachedPutById):
2438         (JSC::DFG::SpeculativeJIT::compile):
2439         * dfg/DFGSpeculativeJIT64.cpp:
2440         (JSC::DFG::SpeculativeJIT::cachedGetById):
2441         (JSC::DFG::SpeculativeJIT::cachedPutById):
2442         (JSC::DFG::SpeculativeJIT::compile):
2443         * heap/MarkStack.cpp:
2444         (JSC::visitChildren):
2445         * interpreter/Interpreter.cpp:
2446         (JSC::Interpreter::tryCacheGetByID):
2447         (JSC::Interpreter::privateExecute):
2448         * jit/JIT.cpp:
2449         (JSC::JIT::privateCompileMainPass):
2450         (JSC::JIT::privateCompileSlowCases):
2451         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
2452         * jit/JIT.h:
2453         (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
2454         (JSC::JIT::compileGetByIdProto):
2455         (JSC::JIT::compileGetByIdSelfList):
2456         (JSC::JIT::compileGetByIdProtoList):
2457         (JSC::JIT::compileGetByIdChainList):
2458         (JSC::JIT::compileGetByIdChain):
2459         (JSC::JIT::compilePutByIdTransition):
2460         (JIT):
2461         * jit/JITInlineMethods.h:
2462         (JSC::JIT::emitAllocateBasicJSObject):
2463         * jit/JITOpcodes.cpp:
2464         (JSC::JIT::emit_op_resolve_global):
2465         * jit/JITOpcodes32_64.cpp:
2466         (JSC::JIT::emit_op_resolve_global):
2467         * jit/JITPropertyAccess.cpp:
2468         (JSC::JIT::compileGetDirectOffset):
2469         (JSC::JIT::emit_op_method_check):
2470         (JSC::JIT::compileGetByIdHotPath):
2471         (JSC::JIT::emit_op_put_by_id):
2472         (JSC::JIT::compilePutDirectOffset):
2473         (JSC::JIT::privateCompilePutByIdTransition):
2474         (JSC::JIT::patchGetByIdSelf):
2475         (JSC::JIT::patchPutByIdReplace):
2476         (JSC::JIT::privateCompileGetByIdProto):
2477         (JSC::JIT::privateCompileGetByIdSelfList):
2478         (JSC::JIT::privateCompileGetByIdProtoList):
2479         (JSC::JIT::privateCompileGetByIdChainList):
2480         (JSC::JIT::privateCompileGetByIdChain):
2481         * jit/JITPropertyAccess32_64.cpp:
2482         (JSC::JIT::emit_op_method_check):
2483         (JSC::JIT::compileGetByIdHotPath):
2484         (JSC::JIT::emit_op_put_by_id):
2485         (JSC::JIT::compilePutDirectOffset):
2486         (JSC::JIT::compileGetDirectOffset):
2487         (JSC::JIT::privateCompilePutByIdTransition):
2488         (JSC::JIT::patchGetByIdSelf):
2489         (JSC::JIT::patchPutByIdReplace):
2490         (JSC::JIT::privateCompileGetByIdProto):
2491         (JSC::JIT::privateCompileGetByIdSelfList):
2492         (JSC::JIT::privateCompileGetByIdProtoList):
2493         (JSC::JIT::privateCompileGetByIdChainList):
2494         (JSC::JIT::privateCompileGetByIdChain):
2495         (JSC::JIT::emit_op_get_by_pname):
2496         * jit/JITStubs.cpp:
2497         (JSC::JITThunks::tryCacheGetByID):
2498         (JSC::DEFINE_STUB_FUNCTION):
2499         * llint/LLIntSlowPaths.cpp:
2500         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2501         * llint/LowLevelInterpreter.asm:
2502         * llint/LowLevelInterpreter32_64.asm:
2503         * llint/LowLevelInterpreter64.asm:
2504         * offlineasm/x86.rb:
2505         * runtime/JSGlobalObject.h:
2506         (JSGlobalObject):
2507         (JSC::JSGlobalObject::functionNameOffset):
2508         * runtime/JSObject.cpp:
2509         (JSC::JSObject::visitChildren):
2510         (JSC):
2511         (JSC::JSFinalObject::visitChildren):
2512         (JSC::JSObject::put):
2513         (JSC::JSObject::deleteProperty):
2514         (JSC::JSObject::getPropertySpecificValue):
2515         (JSC::JSObject::removeDirect):
2516         (JSC::JSObject::growOutOfLineStorage):
2517         (JSC::JSObject::getOwnPropertyDescriptor):
2518         * runtime/JSObject.h:
2519         (JSObject):
2520         (JSC::JSObject::getDirect):
2521         (JSC::JSObject::getDirectLocation):
2522         (JSC::JSObject::hasInlineStorage):
2523         (JSC::JSObject::inlineStorageUnsafe):
2524         (JSC::JSObject::inlineStorage):
2525         (JSC::JSObject::outOfLineStorage):
2526         (JSC::JSObject::locationForOffset):
2527         (JSC::JSObject::offsetForLocation):
2528         (JSC::JSObject::getDirectOffset):
2529         (JSC::JSObject::putDirectOffset):
2530         (JSC::JSObject::putUndefinedAtDirectOffset):
2531         (JSC::JSObject::addressOfOutOfLineStorage):
2532         (JSC::JSObject::finishCreation):
2533         (JSC::JSNonFinalObject::JSNonFinalObject):
2534         (JSC::JSNonFinalObject::finishCreation):
2535         (JSFinalObject):
2536         (JSC::JSFinalObject::finishCreation):
2537         (JSC::JSFinalObject::JSFinalObject):
2538         (JSC::JSObject::offsetOfOutOfLineStorage):
2539         (JSC::JSObject::setOutOfLineStorage):
2540         (JSC::JSObject::JSObject):
2541         (JSC):
2542         (JSC::JSCell::fastGetOwnProperty):
2543         (JSC::JSObject::putDirectInternal):
2544         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
2545         (JSC::JSObject::putDirectWithoutTransition):
2546         (JSC::offsetRelativeToPatchedStorage):
2547         (JSC::indexRelativeToBase):
2548         (JSC::offsetRelativeToBase):
2549         * runtime/JSPropertyNameIterator.cpp:
2550         (JSC::JSPropertyNameIterator::create):
2551         * runtime/JSPropertyNameIterator.h:
2552         (JSPropertyNameIterator):
2553         (JSC::JSPropertyNameIterator::getOffset):
2554         (JSC::JSPropertyNameIterator::finishCreation):
2555         * runtime/JSValue.cpp:
2556         (JSC::JSValue::putToPrimitive):
2557         * runtime/Operations.h:
2558         (JSC::normalizePrototypeChain):
2559         * runtime/Options.cpp:
2560         (JSC):
2561         (JSC::Options::initialize):
2562         * runtime/PropertyMapHashTable.h:
2563         (PropertyMapEntry):
2564         (JSC::PropertyMapEntry::PropertyMapEntry):
2565         (PropertyTable):
2566         (JSC::PropertyTable::PropertyTable):
2567         (JSC::PropertyTable::getDeletedOffset):
2568         (JSC::PropertyTable::addDeletedOffset):
2569         (JSC::PropertyTable::nextOffset):
2570         (JSC):
2571         (JSC::PropertyTable::sizeInMemory):
2572         * runtime/PropertyOffset.h: Added.
2573         (JSC):
2574         (JSC::checkOffset):
2575         (JSC::validateOffset):
2576         (JSC::isValidOffset):
2577         (JSC::isInlineOffset):
2578         (JSC::isOutOfLineOffset):
2579         (JSC::offsetInInlineStorage):
2580         (JSC::offsetInOutOfLineStorage):
2581         (JSC::offsetInRespectiveStorage):
2582         (JSC::numberOfOutOfLineSlotsForLastOffset):
2583         (JSC::numberOfSlotsForLastOffset):
2584         (JSC::nextPropertyOffsetFor):
2585         (JSC::firstPropertyOffsetFor):
2586         * runtime/PropertySlot.h:
2587         (JSC::PropertySlot::cachedOffset):
2588         (JSC::PropertySlot::setValue):
2589         (JSC::PropertySlot::setCacheableGetterSlot):
2590         (JSC::PropertySlot::clearOffset):
2591         * runtime/PutPropertySlot.h:
2592         (JSC::PutPropertySlot::setExistingProperty):
2593         (JSC::PutPropertySlot::setNewProperty):
2594         (JSC::PutPropertySlot::cachedOffset):
2595         (PutPropertySlot):
2596         * runtime/Structure.cpp:
2597         (JSC::Structure::Structure):
2598         (JSC::Structure::materializePropertyMap):
2599         (JSC::nextOutOfLineStorageCapacity):
2600         (JSC::Structure::growOutOfLineCapacity):
2601         (JSC::Structure::suggestedNewOutOfLineStorageCapacity):
2602         (JSC::Structure::addPropertyTransitionToExistingStructure):
2603         (JSC::Structure::addPropertyTransition):
2604         (JSC::Structure::removePropertyTransition):
2605         (JSC::Structure::flattenDictionaryStructure):
2606         (JSC::Structure::addPropertyWithoutTransition):
2607         (JSC::Structure::removePropertyWithoutTransition):
2608         (JSC::Structure::copyPropertyTableForPinning):
2609         (JSC::Structure::get):
2610         (JSC::Structure::putSpecificValue):
2611         (JSC::Structure::remove):
2612         * runtime/Structure.h:
2613         (Structure):
2614         (JSC::Structure::putWillGrowOutOfLineStorage):
2615         (JSC::Structure::previousID):
2616         (JSC::Structure::outOfLineCapacity):
2617         (JSC::Structure::outOfLineSizeForKnownFinalObject):
2618         (JSC::Structure::outOfLineSizeForKnownNonFinalObject):
2619         (JSC::Structure::outOfLineSize):
2620         (JSC::Structure::hasInlineStorage):
2621         (JSC::Structure::inlineCapacity):
2622         (JSC::Structure::inlineSizeForKnownFinalObject):
2623         (JSC::Structure::inlineSize):
2624         (JSC::Structure::totalStorageSize):
2625         (JSC::Structure::totalStorageCapacity):
2626         (JSC::Structure::firstValidOffset):
2627         (JSC::Structure::lastValidOffset):
2628         (JSC::Structure::isValidOffset):
2629         (JSC::Structure::isEmpty):
2630         (JSC::Structure::transitionCount):
2631         (JSC::Structure::get):
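
The offset scheme described in the 2012-07-04 entry above, together with the load displacement that the 2012-07-05 ResolveGlobal fix corrects, modelled as an added C++ example. This is not JavaScriptCore code: inlineStorageCapacity = 6 and an 8-byte JSValue are assumptions, the ToyObject type and fillProperties helper are invented for illustration, and the example treats an offset strictly below inlineStorageCapacity as inline so that the inline and out-of-line ranges do not overlap.

```cpp
// Added example, not JavaScriptCore code: a model of the PropertyOffset
// encoding (invalid / inline / out-of-line) and of the byte displacement
// a JIT load needs when the offset names out-of-line storage.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

typedef int32_t PropertyOffset;

static const PropertyOffset invalidOffset = -1;
// Assumption: a final object carries 6 inline slots. JSC's real constant
// lives in the runtime headers; the exact value does not matter here.
static const PropertyOffset inlineStorageCapacity = 6;
// Assumption: sizeof(JSValue) on a 64-bit build.
static const std::ptrdiff_t jsValueSize = 8;

inline bool isValidOffset(PropertyOffset offset) { return offset != invalidOffset; }

// Strict comparison so every valid offset is exactly one of inline / out-of-line.
inline bool isInlineOffset(PropertyOffset offset) {
    return isValidOffset(offset) && offset < inlineStorageCapacity;
}
inline bool isOutOfLineOffset(PropertyOffset offset) {
    return isValidOffset(offset) && offset >= inlineStorageCapacity;
}

// Slot index inside whichever storage the offset names.
inline size_t offsetInInlineStorage(PropertyOffset offset) {
    assert(isInlineOffset(offset));
    return static_cast<size_t>(offset);
}
inline size_t offsetInOutOfLineStorage(PropertyOffset offset) {
    assert(isOutOfLineOffset(offset));
    return static_cast<size_t>(offset - inlineStorageCapacity);
}

// Displacement from the out-of-line storage base for a JIT load: the naive
// offset * sizeof(JSValue) minus the inlineStorageCapacity * sizeof(JSValue)
// correction. Omitting the correction reads past the Kth property.
inline std::ptrdiff_t outOfLineByteDisplacement(PropertyOffset offset) {
    assert(isOutOfLineOffset(offset));
    return offset * jsValueSize - inlineStorageCapacity * jsValueSize;
}

// Out-of-line slots required to hold every property up to and including `last`.
inline size_t numberOfOutOfLineSlotsForLastOffset(PropertyOffset last) {
    if (!isOutOfLineOffset(last)) return 0;
    return offsetInOutOfLineStorage(last) + 1;
}

// Invented object type: inline slots (final objects only) plus a growable
// out-of-line vector, both addressed through the same PropertyOffset space.
struct ToyObject {
    uint64_t inlineSlots[inlineStorageCapacity];
    std::vector<uint64_t> outOfLine;
    bool hasInlineStorage;

    explicit ToyObject(bool isFinalObject) : hasInlineStorage(isFinalObject) {
        for (PropertyOffset i = 0; i < inlineStorageCapacity; ++i) inlineSlots[i] = 0;
    }

    // Non-final objects skip the inline range entirely.
    PropertyOffset nextOffsetAfter(PropertyOffset last) const {
        if (!isValidOffset(last)) return hasInlineStorage ? 0 : inlineStorageCapacity;
        return last + 1;
    }

    void put(PropertyOffset offset, uint64_t value) {
        if (isInlineOffset(offset)) {
            assert(hasInlineStorage);
            inlineSlots[offsetInInlineStorage(offset)] = value;
            return;
        }
        size_t index = offsetInOutOfLineStorage(offset);
        if (index >= outOfLine.size()) outOfLine.resize(index + 1, 0);
        outOfLine[index] = value;
    }

    uint64_t get(PropertyOffset offset) const {
        if (isInlineOffset(offset)) return inlineSlots[offsetInInlineStorage(offset)];
        return outOfLine.at(offsetInOutOfLineStorage(offset));
    }
};

// Adds `count` properties with values 1000, 1001, ... and returns the last offset used.
PropertyOffset fillProperties(ToyObject& object, int count) {
    PropertyOffset last = invalidOffset;
    for (int i = 0; i < count; ++i) {
        last = object.nextOffsetAfter(last);
        object.put(last, 1000 + i);
    }
    return last;
}

int main() {
    ToyObject finalObject(true);
    PropertyOffset last = fillProperties(finalObject, 8);   // offsets 0..7: six inline, two out-of-line
    std::printf("last offset %d, out-of-line slots %zu, displacement of offset 7: %td\n",
                last, numberOfOutOfLineSlotsForLastOffset(last), outOfLineByteDisplacement(7));
    return 0;
}
```

The decision inline-or-not is taken from the offset alone, which is the point of the entry: a get or put whose offset is a runtime variable needs the isInlineOffset branch unless the object is known to be non-final, in which case the offset can only be out-of-line and the branch can be dropped.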
2632
2633 2012-07-05  Oliver Hunt  <oliver@apple.com>
2634
2635         JSObjectCallAsFunction should thisConvert the provided thisObject
2636         https://bugs.webkit.org/show_bug.cgi?id=90628
2637
2638         Reviewed by Gavin Barraclough.
2639
2640         Perform this conversion on the provided this object.
2641
2642         * API/JSObjectRef.cpp:
2643         (JSObjectCallAsFunction):
2644
2645 2012-07-05  Zoltan Herczeg  <zherczeg@webkit.org>
2646
2647         [Qt] Unreviewed buildfix after r121886. Typo fix.
2648
2649         * assembler/MacroAssemblerARM.cpp:
2650         (JSC::MacroAssemblerARM::load32WithUnalignedHalfWords):
2651
2652 2012-07-05  Zoltan Herczeg  <zherczeg@webkit.org>
2653
2654         Port DFG JIT to traditional ARM
2655         https://bugs.webkit.org/show_bug.cgi?id=90198
2656
2657         Reviewed by Filip Pizlo.
2658
2659         This patch contains the macro assembler part of the
2660         DFG JIT support on ARM systems with fixed 32 bit instruction
2661         width. A large amount of old code was refactored, and the ARMv4
2662         or lower support is removed from the macro assembler.
2663
2664         Sunspider is improved by 8%, and V8 by 92%.
2665
2666         * assembler/ARMAssembler.cpp:
2667         (JSC::ARMAssembler::dataTransfer32):
2668         (JSC::ARMAssembler::baseIndexTransfer32):
2669         (JSC):
2670         (JSC::ARMAssembler::dataTransfer16):
2671         (JSC::ARMAssembler::baseIndexTransfer16):
2672         (JSC::ARMAssembler::dataTransferFloat):
2673         (JSC::ARMAssembler::baseIndexTransferFloat):
2674         (JSC::ARMAssembler::executableCopy):
2675         * assembler/ARMAssembler.h:
2676         (JSC::ARMAssembler::ARMAssembler):
2677         (JSC::ARMAssembler::emitInst):
2678         (JSC::ARMAssembler::vmov_f64_r):
2679         (ARMAssembler):
2680         (JSC::ARMAssembler::vabs_f64_r):
2681         (JSC::ARMAssembler::vneg_f64_r):
2682         (JSC::ARMAssembler::ldr_imm):
2683         (JSC::ARMAssembler::ldr_un_imm):
2684         (JSC::ARMAssembler::dtr_u):
2685         (JSC::ARMAssembler::dtr_ur):
2686         (JSC::ARMAssembler::dtr_d):
2687         (JSC::ARMAssembler::dtr_dr):
2688         (JSC::ARMAssembler::dtrh_u):
2689         (JSC::ARMAssembler::dtrh_ur):
2690         (JSC::ARMAssembler::dtrh_d):
2691         (JSC::ARMAssembler::dtrh_dr):
2692         (JSC::ARMAssembler::fdtr_u):
2693         (JSC::ARMAssembler::fdtr_d):
2694         (JSC::ARMAssembler::push_r):
2695         (JSC::ARMAssembler::pop_r):
2696         (JSC::ARMAssembler::poke_r):
2697         (JSC::ARMAssembler::peek_r):
2698         (JSC::ARMAssembler::vmov_vfp64_r):
2699         (JSC::ARMAssembler::vmov_arm64_r):
2700         (JSC::ARMAssembler::vmov_vfp32_r):
2701         (JSC::ARMAssembler::vmov_arm32_r):
2702         (JSC::ARMAssembler::vcvt_u32_f64_r):
2703         (JSC::ARMAssembler::vcvt_f64_f32_r):
2704         (JSC::ARMAssembler::vcvt_f32_f64_r):
2705         (JSC::ARMAssembler::clz_r):
2706         (JSC::ARMAssembler::bkpt):
2707         (JSC::ARMAssembler::bx):
2708         (JSC::ARMAssembler::blx):
2709         (JSC::ARMAssembler::labelIgnoringWatchpoints):
2710         (JSC::ARMAssembler::labelForWatchpoint):
2711         (JSC::ARMAssembler::label):
2712         (JSC::ARMAssembler::getLdrImmAddress):
2713         (JSC::ARMAssembler::replaceWithJump):
2714         (JSC::ARMAssembler::maxJumpReplacementSize):
2715         (JSC::ARMAssembler::getOp2Byte):
2716         (JSC::ARMAssembler::getOp2Half):
2717         (JSC::ARMAssembler::RM):
2718         (JSC::ARMAssembler::RS):
2719         (JSC::ARMAssembler::RD):
2720         (JSC::ARMAssembler::RN):
2721         * assembler/AssemblerBufferWithConstantPool.h:
2722         (JSC::AssemblerBufferWithConstantPool::ensureSpaceForAnyInstruction):
2723         * assembler/MacroAssemblerARM.cpp:
2724         (JSC::MacroAssemblerARM::load32WithUnalignedHalfWords):
2725         * assembler/MacroAssemblerARM.h:
2726         (JSC::MacroAssemblerARM::add32):
2727         (MacroAssemblerARM):
2728         (JSC::MacroAssemblerARM::and32):
2729         (JSC::MacroAssemblerARM::lshift32):
2730         (JSC::MacroAssemblerARM::mul32):
2731         (JSC::MacroAssemblerARM::neg32):
2732         (JSC::MacroAssemblerARM::rshift32):
2733         (JSC::MacroAssemblerARM::urshift32):
2734         (JSC::MacroAssemblerARM::xor32):
2735         (JSC::MacroAssemblerARM::load8):
2736         (JSC::MacroAssemblerARM::load8Signed):
2737         (JSC::MacroAssemblerARM::load16):
2738         (JSC::MacroAssemblerARM::load16Signed):
2739         (JSC::MacroAssemblerARM::load32):
2740         (JSC::MacroAssemblerARM::load32WithAddressOffsetPatch):
2741         (JSC::MacroAssemblerARM::store32WithAddressOffsetPatch):
2742         (JSC::MacroAssemblerARM::store8):
2743         (JSC::MacroAssemblerARM::store16):
2744         (JSC::MacroAssemblerARM::store32):
2745         (JSC::MacroAssemblerARM::move):
2746         (JSC::MacroAssemblerARM::jump):
2747         (JSC::MacroAssemblerARM::branchAdd32):
2748         (JSC::MacroAssemblerARM::mull32):
2749         (JSC::MacroAssemblerARM::branchMul32):
2750         (JSC::MacroAssemblerARM::nearCall):
2751         (JSC::MacroAssemblerARM::compare32):
2752         (JSC::MacroAssemblerARM::test32):
2753         (JSC::MacroAssemblerARM::sub32):
2754         (JSC::MacroAssemblerARM::call):
2755         (JSC::MacroAssemblerARM::loadFloat):
2756         (JSC::MacroAssemblerARM::loadDouble):
2757         (JSC::MacroAssemblerARM::storeFloat):
2758         (JSC::MacroAssemblerARM::storeDouble):
2759         (JSC::MacroAssemblerARM::moveDouble):
2760         (JSC::MacroAssemblerARM::addDouble):
2761         (JSC::MacroAssemblerARM::divDouble):
2762         (JSC::MacroAssemblerARM::subDouble):
2763         (JSC::MacroAssemblerARM::mulDouble):
2764         (JSC::MacroAssemblerARM::absDouble):
2765         (JSC::MacroAssemblerARM::negateDouble):
2766         (JSC::MacroAssemblerARM::convertInt32ToDouble):
2767         (JSC::MacroAssemblerARM::convertFloatToDouble):
2768         (JSC::MacroAssemblerARM::convertDoubleToFloat):
2769         (JSC::MacroAssemblerARM::branchTruncateDoubleToInt32):
2770         (JSC::MacroAssemblerARM::branchTruncateDoubleToUint32):
2771         (JSC::MacroAssemblerARM::truncateDoubleToInt32):
2772         (JSC::MacroAssemblerARM::truncateDoubleToUint32):
2773         (JSC::MacroAssemblerARM::branchConvertDoubleToInt32):
2774         (JSC::MacroAssemblerARM::branchDoubleNonZero):
2775         (JSC::MacroAssemblerARM::branchDoubleZeroOrNaN):
2776         (JSC::MacroAssemblerARM::invert):
2777         (JSC::MacroAssemblerARM::replaceWithJump):
2778         (JSC::MacroAssemblerARM::maxJumpReplacementSize):
2779         (JSC::MacroAssemblerARM::call32):
2780         * assembler/SH4Assembler.h:
2781         (JSC::SH4Assembler::label):
2782         * dfg/DFGAssemblyHelpers.h:
2783         (JSC::DFG::AssemblyHelpers::debugCall):
2784         (JSC::DFG::AssemblyHelpers::boxDouble):
2785         (JSC::DFG::AssemblyHelpers::unboxDouble):
2786         * dfg/DFGCCallHelpers.h:
2787         (CCallHelpers):
2788         (JSC::DFG::CCallHelpers::setupArguments):
2789         * dfg/DFGFPRInfo.h:
2790         (DFG):
2791         * dfg/DFGGPRInfo.h:
2792         (DFG):
2793         (GPRInfo):
2794         * dfg/DFGOperations.cpp:
2795         (JSC):
2796         * dfg/DFGSpeculativeJIT.h:
2797         (SpeculativeJIT):
2798         (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheckSetResult):
2799         (JSC::DFG::SpeculativeJIT::appendCallSetResult):
2800         * jit/JITStubs.cpp:
2801         (JSC):
2802         * jit/JITStubs.h:
2803         (JITStackFrame):
2804         * jit/JSInterfaceJIT.h:
2805         (JSInterfaceJIT):
2806
2807 2012-07-04  Anthony Scian  <ascian@rim.com>
2808
2809         Web Inspector [JSC]: Implement ScriptCallStack::stackTrace
2810         https://bugs.webkit.org/show_bug.cgi?id=40118
2811
2812         Reviewed by Yong Li.
2813
2814         Added member functions to expose function name, urlString, and line #.
2815         Refactored toString to make use of these member functions to reduce
2816         duplicated code for future maintenance.
2817
2818         Manually tested refactoring of toString by tracing thrown exceptions.
2819
2820         * interpreter/Interpreter.h:
2821         (JSC::StackFrame::toString):
2822         (JSC::StackFrame::friendlySourceURL):
2823         (JSC::StackFrame::friendlyFunctionName):
2824         (JSC::StackFrame::friendlyLineNumber):
2825
2826 2012-07-04  Andy Wingo  <wingo@igalia.com>
2827
2828         [GTK] Enable parallel GC
2829         https://bugs.webkit.org/show_bug.cgi?id=90568
2830
2831         Reviewed by Martin Robinson.
2832
2833         * runtime/Options.cpp: Include <algorithm.h> for std::min.
2834
2835 2012-07-04  John Mellor  <johnme@chromium.org>
2836
2837         Text Autosizing: Add compile flag and runtime setting
2838         https://bugs.webkit.org/show_bug.cgi?id=87394
2839
2840         This patch renames Font Boosting to Text Autosizing.
2841
2842         Reviewed by Adam Barth.
2843
2844         * Configurations/FeatureDefines.xcconfig:
2845
2846 2012-07-03  Michael Saboff  <msaboff@apple.com>
2847
2848         Enh: Hash Const JSString in Backing Stores to Save Memory
2849         https://bugs.webkit.org/show_bug.cgi?id=86024
2850
2851         Reviewed by Oliver Hunt.
2852
2853         During garbage collection, each marking thread keeps a HashMap of
2854         strings.  While visiting via MarkStack::copyAndAppend(), we check to
2855         see if the string we are visiting is already in the HashMap.  If not
2856         we add it. If so, we change the reference to the current string we're
2857         visiting to the prior string.
2858
2859         To reduce the performance impact of this change, two throttles have
2860         been added.  1) We only try hash consting if a significant number of new 
2861         strings have been created since the last hash const.  Currently this is
2862         set at 100 strings.  2) If a string is unique at the end of a marking
2863         it will not be checked during further GC phases. In some cases this
2864         won't catch all duplicates, but we are trying to catch the growth of
2865         duplicate strings.
2866
2867         * heap/Heap.cpp:
2868         (JSC::Heap::markRoots):
2869         * heap/MarkStack.cpp:
2870         (JSC::MarkStackThreadSharedData::resetChildren):
2871         (JSC::MarkStackThreadSharedData::MarkStackThreadSharedData):
2872         (JSC::MarkStackThreadSharedData::reset):
2873         (JSC::MarkStack::setup): Check to see if enough strings have been created
2874         to hash const.
2875         (JSC::MarkStack::reset): Added call to clear m_uniqueStrings.
2876         (JSC::JSString::tryHashConstLock): New method to lock JSString for
2877         hash consting.
2878         (JSC::JSString::releaseHashConstLock): New unlock method.
2879         (JSC::JSString::shouldTryHashConst): Set of checks to see if we should
2880         try to hash const the string.
2881         (JSC::MarkStack::internalAppend): New method that performs the hash consting.
2882         (JSC::SlotVisitor::copyAndAppend): Changed to call the new hash
2883         consting internalAppend().
2884         * heap/MarkStack.h:
2885         (MarkStackThreadSharedData):
2886         (MarkStack):
2887         * runtime/JSGlobalData.cpp:
2888         (JSC::JSGlobalData::JSGlobalData):
2889         * runtime/JSGlobalData.h:
2890         (JSGlobalData):
2891         (JSC::JSGlobalData::haveEnoughNewStringsToHashConst):
2892         (JSC::JSGlobalData::resetNewStringsSinceLastHashConst):
2893         * runtime/JSString.h:
2894         (JSString): Changed from using bool flags to using an unsigned
2895         m_flags field.  This works better with the weakCompareAndSwap in
2896         JSString::tryHashConstLock(). Changed the 8bitness setting and
2897         checking to use new accessors.
2898         (JSC::JSString::JSString):
2899         (JSC::JSString::finishCreation):
2900         (JSC::JSString::is8Bit): Updated for new m_flags.
2901         (JSC::JSString::setIs8Bit): New setter.
2902         New hash const flags accessors:
2903         (JSC::JSString::isHashConstSingleton):
2904         (JSC::JSString::clearHashConstSingleton):
2905         (JSC::JSString::setHashConstSingleton):
2906         (JSC::JSRopeString::finishCreation):
2907         (JSC::JSRopeString::append):
2908
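The hash-consting pass described in the entry above, as an added C++ model that is not JavaScriptCore code and is not part of this ChangeLog: a marking pass keeps a table of strings it has already visited and redirects each later reference to an equal string at the instance it saw first. The 100-string throttle and the "unique last time, skip it" singleton flag are taken from the entry; the cell layout, the names HeapModel, StringCell and runScenario, the constructed string batches and the single-threaded loop are assumptions made for this model.

```cpp
// Added model of the hash-consting pass described in the ChangeLog entry;
// not JavaScriptCore code. Thresholds follow the entry, names and layout are
// assumed.
#include <cstddef>
#include <cstdio>
#include <memory>
#include <string>
#include <unordered_map>
#include <unordered_set>
#include <utility>
#include <vector>

// One string cell: characters plus the singleton flag. The real JSString keeps
// the flag in its m_flags word and takes tryHashConstLock() before a marking
// thread touches it; this single-threaded model needs no lock.
struct StringCell {
    std::string chars;
    bool hashConstSingleton = false;
};
using StringRef = std::shared_ptr<StringCell>;

class HeapModel {
public:
    // From the entry: only hash const when at least this many strings were
    // created since the last attempt.
    static constexpr size_t kNewStringsThreshold = 100;

    StringRef newString(std::string chars) {
        auto cell = std::make_shared<StringCell>();
        cell->chars = std::move(chars);
        m_slots.push_back(cell);
        ++m_newStringsSinceLastHashConst;
        return cell;
    }

    bool haveEnoughNewStringsToHashConst() const {
        return m_newStringsSinceLastHashConst >= kNewStringsThreshold;
    }

    // One marking pass over every reference. Returns how many references were
    // redirected to an earlier, equal string.
    size_t markRoots() {
        if (!haveEnoughNewStringsToHashConst())
            return 0;
        m_newStringsSinceLastHashConst = 0;

        struct Seen { StringRef first; bool duplicated; };
        std::unordered_map<std::string, Seen> uniqueStrings; // per-pass table
        size_t redirected = 0;
        for (StringRef& ref : m_slots) {
            if (ref->hashConstSingleton)
                continue; // proved unique in an earlier pass: not checked again
            auto it = uniqueStrings.find(ref->chars);
            if (it == uniqueStrings.end()) {
                Seen seen;
                seen.first = ref;
                seen.duplicated = false;
                uniqueStrings.emplace(ref->chars, seen);
            } else if (it->second.first != ref) {
                ref = it->second.first; // point this slot at the prior string
                it->second.duplicated = true;
                ++redirected;
            }
        }
        // Whatever stayed unique through this pass is skipped in later passes.
        for (auto& entry : uniqueStrings)
            if (!entry.second.duplicated)
                entry.second.first->hashConstSingleton = true;
        return redirected;
    }

    // Distinct string cells still referenced: the number hash consting shrinks.
    size_t distinctCells() const {
        std::unordered_set<const StringCell*> cells;
        for (const StringRef& ref : m_slots)
            cells.insert(ref.get());
        return cells.size();
    }

private:
    std::vector<StringRef> m_slots;
    size_t m_newStringsSinceLastHashConst = 0;
};

// Constructed scenario: 150 strings (50 "alpha", 50 "beta", 50 distinct), then
// a batch too small to pass the throttle, then copies of a string that was
// flagged singleton in the first pass.
struct Outcome {
    size_t redirectedFirstPass, distinctAfterFirstPass;
    size_t redirectedThrottledPass, distinctAfterThrottledPass;
    size_t redirectedThirdPass, distinctAfterThirdPass;
};

Outcome runScenario() {
    HeapModel heap;
    for (int i = 0; i < 50; ++i) heap.newString("alpha");
    for (int i = 0; i < 50; ++i) heap.newString("beta");
    for (int i = 0; i < 50; ++i) heap.newString("unique" + std::to_string(i));
    Outcome o;
    o.redirectedFirstPass = heap.markRoots();          // 49 alphas + 49 betas
    o.distinctAfterFirstPass = heap.distinctCells();   // alpha, beta, 50 uniques
    for (int i = 0; i < 10; ++i) heap.newString("alpha");
    o.redirectedThrottledPass = heap.markRoots();      // 10 < 100: pass skipped
    o.distinctAfterThrottledPass = heap.distinctCells();
    for (int i = 0; i < 90; ++i) heap.newString("unique0");
    o.redirectedThirdPass = heap.markRoots();          // 10 alphas + 89 new "unique0"
    o.distinctAfterThirdPass = heap.distinctCells();   // old singleton "unique0" never matched
    return o;
}

int main() {
    Outcome o = runScenario();
    std::printf("pass 1: %zu redirected, %zu distinct\n", o.redirectedFirstPass, o.distinctAfterFirstPass);
    std::printf("pass 2: %zu redirected, %zu distinct\n", o.redirectedThrottledPass, o.distinctAfterThrottledPass);
    std::printf("pass 3: %zu redirected, %zu distinct\n", o.redirectedThirdPass, o.distinctAfterThirdPass);
    return 0;
}
```

Any C++11 compiler builds this stand-alone. The third pass shows the caveat the entry states: copies of a string that was flagged unique in an earlier pass are merged with each other, but never with the original, so some duplicates survive by design.
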
2909 2012-07-03  Tony Chang  <tony@chromium.org>
2910
2911         [chromium] Unreviewed, update .gitignore to handle VS2010 files.
2912
2913         * JavaScriptCore.gyp/.gitignore:
2914
2915 2012-07-03  Mark Lam  <mark.lam@apple.com>
2916
2917         Add ability to symbolically set and dump JSC VM options.
2918         See comments in runtime/Options.h for details on how the options work.
2919         https://bugs.webkit.org/show_bug.cgi?id=90420
2920
2921         Reviewed by Filip Pizlo.
2922
2923         * assembler/LinkBuffer.cpp:
2924         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
2925         * assembler/LinkBuffer.h:
2926         (JSC):
2927         * bytecode/CodeBlock.cpp:
2928         (JSC::CodeBlock::shouldOptimizeNow):
2929         * bytecode/CodeBlock.h:
2930         (JSC::CodeBlock::likelyToTakeSlowCase):
2931         (JSC::CodeBlock::couldTakeSlowCase):
2932         (JSC::CodeBlock::likelyToTakeSpecialFastCase):
2933         (JSC::CodeBlock::likelyToTakeDeepestSlowCase):
2934         (JSC::CodeBlock::likelyToTakeAnySlowCase):
2935         (JSC::CodeBlock::jitAfterWarmUp):
2936         (JSC::CodeBlock::jitSoon):
2937         (JSC::CodeBlock::reoptimizationRetryCounter):
2938         (JSC::CodeBlock::countReoptimization):
2939         (JSC::CodeBlock::counterValueForOptimizeAfterWarmUp):
2940         (JSC::CodeBlock::counterValueForOptimizeAfterLongWarmUp):
2941         (JSC::CodeBlock::optimizeSoon):
2942         (JSC::CodeBlock::exitCountThresholdForReoptimization):
2943         (JSC::CodeBlock::exitCountThresholdForReoptimizationFromLoop):
2944         * bytecode/ExecutionCounter.h:
2945         (JSC::ExecutionCounter::clippedThreshold):
2946         * dfg/DFGByteCodeParser.cpp:
2947         (JSC::DFG::ByteCodeParser::handleInlining):
2948         * dfg/DFGCapabilities.h:
2949         (JSC::DFG::mightCompileEval):
2950         (JSC::DFG::mightCompileProgram):
2951         (JSC::DFG::mightCompileFunctionForCall):
2952         (JSC::DFG::mightCompileFunctionForConstruct):
2953         (JSC::DFG::mightInlineFunctionForCall):
2954         (JSC::DFG::mightInlineFunctionForConstruct):
2955         * dfg/DFGCommon.h:
2956         (JSC::DFG::shouldShowDisassembly):
2957         * dfg/DFGDriver.cpp:
2958         (JSC::DFG::compile):
2959         * dfg/DFGOSRExit.cpp:
2960         (JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow):
2961         * dfg/DFGVariableAccessData.h:
2962         (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
2963         * heap/MarkStack.cpp:
2964         (JSC::MarkStackSegmentAllocator::allocate):
2965         (JSC::MarkStackSegmentAllocator::shrinkReserve):
2966         (JSC::MarkStackArray::MarkStackArray):
2967         (JSC::MarkStackThreadSharedData::MarkStackThreadSharedData):
2968         (JSC::SlotVisitor::donateKnownParallel):
2969         (JSC::SlotVisitor::drain):
2970         (JSC::SlotVisitor::drainFromShared):
2971         * heap/MarkStack.h:
2972         (JSC::MarkStack::mergeOpaqueRootsIfProfitable):
2973         (JSC::MarkStack::addOpaqueRoot):
2974         * heap/SlotVisitor.h:
2975         (JSC::SlotVisitor::donate):
2976         * jit/JIT.cpp:
2977         (JSC::JIT::emitOptimizationCheck):
2978         * jsc.cpp:
2979         (printUsageStatement):
2980         (parseArguments):
2981         * runtime/InitializeThreading.cpp:
2982         (JSC::initializeThreadingOnce):
2983         * runtime/JSGlobalData.cpp:
2984         (JSC::enableAssembler):
2985         * runtime/JSGlobalObject.cpp:
2986         (JSC::JSGlobalObject::JSGlobalObject):
2987         * runtime/Options.cpp:
2988         (JSC):
2989         (JSC::overrideOptionWithHeuristic):
2990         (JSC::Options::initialize):
2991         (JSC::Options::setOption):
2992         (JSC::Options::dumpAllOptions):
2993         (JSC::Options::dumpOption):
2994         * runtime/Options.h:
2995         (JSC):
2996         (Options):
2997         (EntryInfo):
2998
2999 2012-07-03  Jocelyn Turcotte  <jocelyn.turcotte@nokia.com>  Joel Dillon <joel.dillon@codethink.co.uk>
3000
3001         [Qt][Win] Fix broken QtWebKit5.lib linking
3002         https://bugs.webkit.org/show_bug.cgi?id=88321
3003
3004         Reviewed by Kenneth Rohde Christiansen.
3005
3006         The goal is to have different ports build systems define STATICALLY_LINKED_WITH_WTF
3007         when building JavaScriptCore, if both are packaged in the same DLL, instead
3008         of relying on the code to handle this.
3009         The effects of BUILDING_* and STATICALLY_LINKED_WITH_* are currently the same
3010         except for a check in Source/JavaScriptCore/config.h.
3011
3012         Keeping the old way for the WX port as requested by the port's contributors.
3013         For non-Windows ports there is no difference between IMPORT and EXPORT, no
3014         change is needed.
3015
3016         * API/JSBase.h:
3017           JS symbols shouldn't be included by WTF objects anymore. Remove the export when BUILDING_WTF.
3018         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:
3019           Make sure that JavaScriptCore uses import symbols of WTF for the Win port.
3020         * runtime/JSExportMacros.h:
3021
3022 2012-07-02  Filip Pizlo  <fpizlo@apple.com>
3023
3024         DFG OSR exit value recoveries should be computed lazily
3025         https://bugs.webkit.org/show_bug.cgi?id=82155
3026
3027         Reviewed by Gavin Barraclough.
3028         
3029         This change aims to reduce one aspect of DFG compile times: the fact
3030         that we currently compute the value recoveries for each local and
3031         argument on every speculation check. We compile many speculation checks,
3032         so this can add up quickly. The strategy that this change takes is to
3033         have the DFG save just enough information about how the compiler is
3034         choosing to represent state, that the DFG::OSRExitCompiler can reify
3035         the value recoveries lazily.
3036         
3037         This appears to be a 0.3% SunSpider speed-up and is neutral elsewhere.
3038         
3039         I also took the opportunity to fix the sampling regions profiler (it
3040         was missing an export macro) and to put in more sampling regions in
3041         the DFG (which are disabled so long as ENABLE(SAMPLING_REGIONS) is
3042         false).
3043         
3044         * CMakeLists.txt:
3045         * GNUmakefile.list.am:
3046         * JavaScriptCore.xcodeproj/project.pbxproj:
3047         * Target.pri:
3048         * bytecode/CodeBlock.cpp:
3049         (JSC):
3050         (JSC::CodeBlock::shrinkDFGDataToFit):
3051         * bytecode/CodeBlock.h:
3052         (CodeBlock):
3053         (JSC::CodeBlock::minifiedDFG):
3054         (JSC::CodeBlock::variableEventStream):
3055         (DFGData):
3056         * bytecode/Operands.h:
3057         (JSC::Operands::hasOperand):
3058         (Operands):
3059         (JSC::Operands::size):
3060         (JSC::Operands::at):
3061         (JSC::Operands::operator[]):
3062         (JSC::Operands::isArgument):
3063         (JSC::Operands::isVariable):
3064         (JSC::Operands::argumentForIndex):
3065         (JSC::Operands::variableForIndex):
3066         (JSC::Operands::operandForIndex):
3067         (JSC):
3068         (JSC::dumpOperands):
3069         * bytecode/SamplingTool.h:
3070         (SamplingRegion):
3071         * dfg/DFGByteCodeParser.cpp:
3072         (JSC::DFG::parse):
3073         * dfg/DFGCFAPhase.cpp:
3074         (JSC::DFG::performCFA):
3075         * dfg/DFGCSEPhase.cpp:
3076         (JSC::DFG::performCSE):
3077         * dfg/DFGFixupPhase.cpp:
3078         (JSC::DFG::performFixup):
3079         * dfg/DFGGenerationInfo.h:
3080         (JSC::DFG::GenerationInfo::GenerationInfo):
3081         (JSC::DFG::GenerationInfo::initConstant):
3082         (JSC::DFG::GenerationInfo::initInteger):
3083         (JSC::DFG::GenerationInfo::initJSValue):
3084         (JSC::DFG::GenerationInfo::initCell):
3085         (JSC::DFG::GenerationInfo::initBoolean):
3086         (JSC::DFG::GenerationInfo::initDouble):
3087         (JSC::DFG::GenerationInfo::initStorage):
3088         (GenerationInfo):
3089         (JSC::DFG::GenerationInfo::noticeOSRBirth):
3090         (JSC::DFG::GenerationInfo::use):
3091         (JSC::DFG::GenerationInfo::spill):
3092         (JSC::DFG::GenerationInfo::setSpilled):
3093         (JSC::DFG::GenerationInfo::fillJSValue):
3094         (JSC::DFG::GenerationInfo::fillCell):
3095         (JSC::DFG::GenerationInfo::fillInteger):
3096         (JSC::DFG::GenerationInfo::fillBoolean):
3097         (JSC::DFG::GenerationInfo::fillDouble):
3098         (JSC::DFG::GenerationInfo::fillStorage):
3099         (JSC::DFG::GenerationInfo::appendFill):
3100         (JSC::DFG::GenerationInfo::appendSpill):
3101         * dfg/DFGJITCompiler.cpp:
3102         (JSC::DFG::JITCompiler::link):
3103         (JSC::DFG::JITCompiler::compile):
3104         (JSC::DFG::JITCompiler::compileFunction):
3105         * dfg/DFGMinifiedGraph.h: Added.
3106         (DFG):
3107         (MinifiedGraph):
3108         (JSC::DFG::MinifiedGraph::MinifiedGraph):
3109         (JSC::DFG::MinifiedGraph::at):
3110         (JSC::DFG::MinifiedGraph::append):
3111         (JSC::DFG::MinifiedGraph::prepareAndShrink):
3112         (JSC::DFG::MinifiedGraph::setOriginalGraphSize):
3113         (JSC::DFG::MinifiedGraph::originalGraphSize):
3114         * dfg/DFGMinifiedNode.cpp: Added.
3115         (DFG):
3116         (JSC::DFG::MinifiedNode::fromNode):
3117         * dfg/DFGMinifiedNode.h: Added.
3118         (DFG):
3119         (JSC::DFG::belongsInMinifiedGraph):
3120         (MinifiedNode):
3121         (JSC::DFG::MinifiedNode::MinifiedNode):
3122         (JSC::DFG::MinifiedNode::index):
3123         (JSC::DFG::MinifiedNode::op):
3124         (JSC::DFG::MinifiedNode::hasChild1):
3125         (JSC::DFG::MinifiedNode::child1):
3126         (JSC::DFG::MinifiedNode::hasConstant):
3127         (JSC::DFG::MinifiedNode::hasConstantNumber):
3128         (JSC::DFG::MinifiedNode::constantNumber):
3129         (JSC::DFG::MinifiedNode::hasWeakConstant):
3130         (JSC::DFG::MinifiedNode::weakConstant):
3131         (JSC::DFG::MinifiedNode::getIndex):
3132         (JSC::DFG::MinifiedNode::compareByNodeIndex):
3133         (JSC::DFG::MinifiedNode::hasChild):
3134         * dfg/DFGNode.h:
3135         (Node):
3136         * dfg/DFGOSRExit.cpp:
3137         (JSC::DFG::OSRExit::OSRExit):
3138         * dfg/DFGOSRExit.h:
3139         (OSRExit):
3140         * dfg/DFGOSRExitCompiler.cpp:
3141         * dfg/DFGOSRExitCompiler.h:
3142         (OSRExitCompiler):
3143         * dfg/DFGOSRExitCompiler32_64.cpp:
3144         (JSC::DFG::OSRExitCompiler::compileExit):
3145         * dfg/DFGOSRExitCompiler64.cpp:
3146         (JSC::DFG::OSRExitCompiler::compileExit):
3147         * dfg/DFGPredictionPropagationPhase.cpp:
3148         (JSC::DFG::performPredictionPropagation):
3149         * dfg/DFGRedundantPhiEliminationPhase.cpp:
3150         (JSC::DFG::performRedundantPhiElimination):
3151         * dfg/DFGSpeculativeJIT.cpp:
3152         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
3153         (DFG):
3154         (JSC::DFG::SpeculativeJIT::fillStorage):
3155         (JSC::DFG::SpeculativeJIT::noticeOSRBirth):
3156         (JSC::DFG::SpeculativeJIT::compileMovHint):
3157         (JSC::DFG::SpeculativeJIT::compile):
3158         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
3159         * dfg/DFGSpeculativeJIT.h:
3160         (DFG):
3161         (JSC::DFG::SpeculativeJIT::use):
3162         (SpeculativeJIT):
3163         (JSC::DFG::SpeculativeJIT::spill):
3164         (JSC::DFG::SpeculativeJIT::speculationCheck):
3165         (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
3166         (JSC::DFG::SpeculativeJIT::recordSetLocal):
3167         * dfg/DFGSpeculativeJIT32_64.cpp:
3168         (JSC::DFG::SpeculativeJIT::fillInteger):
3169         (JSC::DFG::SpeculativeJIT::fillDouble):
3170         (JSC::DFG::SpeculativeJIT::fillJSValue):
3171         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
3172         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3173         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3174         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3175         (JSC::DFG::SpeculativeJIT::compile):
3176         * dfg/DFGSpeculativeJIT64.cpp:
3177         (JSC::DFG::SpeculativeJIT::fillInteger):
3178         (JSC::DFG::SpeculativeJIT::fillDouble):
3179         (JSC::DFG::SpeculativeJIT::fillJSValue):
3180         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
3181         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3182         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3183         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3184         (JSC::DFG::SpeculativeJIT::compile):
3185         * dfg/DFGValueRecoveryOverride.h: Added.
3186         (DFG):
3187         (ValueRecoveryOverride):
3188         (JSC::DFG::ValueRecoveryOverride::ValueRecoveryOverride):
3189         * dfg/DFGValueSource.cpp: Added.
3190         (DFG):
3191         (JSC::DFG::ValueSource::dump):
3192         * dfg/DFGValueSource.h: Added.
3193         (DFG):
3194         (JSC::DFG::dataFormatToValueSourceKind):
3195         (JSC::DFG::valueSourceKindToDataFormat):
3196         (JSC::DFG::isInRegisterFile):
3197         (ValueSource):
3198         (JSC::DFG::ValueSource::ValueSource):
3199         (JSC::DFG::ValueSource::forPrediction):
3200         (JSC::DFG::ValueSource::forDataFormat):
3201         (JSC::DFG::ValueSource::isSet):
3202         (JSC::DFG::ValueSource::kind):
3203         (JSC::DFG::ValueSource::isInRegisterFile):
3204         (JSC::DFG::ValueSource::dataFormat):
3205         (JSC::DFG::ValueSource::valueRecovery):
3206         (JSC::DFG::ValueSource::nodeIndex):
3207         (JSC::DFG::ValueSource::nodeIndexFromKind):
3208         (JSC::DFG::ValueSource::kindFromNodeIndex):
3209         * dfg/DFGVariableEvent.cpp: Added.
3210         (DFG):
3211         (JSC::DFG::VariableEvent::dump):
3212         (JSC::DFG::VariableEvent::dumpFillInfo):
3213         (JSC::DFG::VariableEvent::dumpSpillInfo):
3214         * dfg/DFGVariableEvent.h: Added.
3215         (DFG):
3216         (VariableEvent):
3217         (JSC::DFG::VariableEvent::VariableEvent):
3218         (JSC::DFG::VariableEvent::reset):
3219         (JSC::DFG::VariableEvent::fillGPR):
3220         (JSC::DFG::VariableEvent::fillPair):
3221         (JSC::DFG::VariableEvent::fillFPR):
3222         (JSC::DFG::VariableEvent::spill):
3223         (JSC::DFG::VariableEvent::death):
3224         (JSC::DFG::VariableEvent::setLocal):
3225         (JSC::DFG::VariableEvent::movHint):
3226         (JSC::DFG::VariableEvent::kind):
3227         (JSC::DFG::VariableEvent::nodeIndex):
3228         (JSC::DFG::VariableEvent::dataFormat):
3229         (JSC::DFG::VariableEvent::gpr):
3230         (JSC::DFG::VariableEvent::tagGPR):
3231         (JSC::DFG::VariableEvent::payloadGPR):
3232         (JSC::DFG::VariableEvent::fpr):
3233         (JSC::DFG::VariableEvent::virtualRegister):
3234         (JSC::DFG::VariableEvent::operand):
3235         (JSC::DFG::VariableEvent::variableRepresentation):
3236         * dfg/DFGVariableEventStream.cpp: Added.
3237         (DFG):
3238         (JSC::DFG::VariableEventStream::logEvent):
3239         (MinifiedGenerationInfo):
3240         (JSC::DFG::MinifiedGenerationInfo::MinifiedGenerationInfo):
3241         (JSC::DFG::MinifiedGenerationInfo::update):
3242         (JSC::DFG::VariableEventStream::reconstruct):
3243         * dfg/DFGVariableEventStream.h: Added.
3244         (DFG):
3245         (VariableEventStream):
3246         (JSC::DFG::VariableEventStream::appendAndLog):
3247         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
3248         (JSC::DFG::performVirtualRegisterAllocation):
3249
3250 2012-07-02  Filip Pizlo  <fpizlo@apple.com>
3251
3252         DFG::ArgumentsSimplificationPhase should assert that the PhantomArguments nodes it creates are not shouldGenerate()
3253         https://bugs.webkit.org/show_bug.cgi?id=90407
3254
3255         Reviewed by Mark Hahnenberg.
3256
3257         * dfg/DFGArgumentsSimplificationPhase.cpp:
3258         (JSC::DFG::ArgumentsSimplificationPhase::run):
3259
3260 2012-07-02  Gavin Barraclough  <barraclough@apple.com>
3261
3262         Array.prototype.pop should throw if property is not configurable
3263         https://bugs.webkit.org/show_bug.cgi?id=75788
3264
3265         Rubber Stamped by Oliver Hunt.
3266
3267         No real bug here any more, but the error we throw sometimes has a misleading message.
3268  
3269         * runtime/JSArray.cpp:
3270         (JSC::JSArray::pop):
3271
3272 2012-06-29  Filip Pizlo  <fpizlo@apple.com>
3273
3274         JSObject wastes too much memory on unused property slots
3275         https://bugs.webkit.org/show_bug.cgi?id=90255
3276
3277         Reviewed by Mark Hahnenberg.
3278         
3279         Rolling back in after applying a simple fix: it appears that
3280         JSObject::setStructureAndReallocateStorageIfNecessary() was allocating more
3281         property storage than necessary. Fixing this appears to resolve the crash.
3282         
3283         This does a few things:
3284         
3285         - JSNonFinalObject no longer has inline property storage.
3286         
3287         - Initial out-of-line property storage size is 4 slots for JSNonFinalObject,
3288           or 2x the inline storage for JSFinalObject.
3289         
3290         - Property storage is only reallocated if it needs to be. Previously, we
3291           would reallocate the property storage on any transition where the original
3292           structure said shouldGrowPropertyStorage(), but this led to spurious
3293           reallocations when doing transitionless property adds and there are
3294           deleted property slots available. That in turn led to crashes, because we
3295           would switch to out-of-line storage even if the capacity matched the
3296           criteria for inline storage.
3297         
3298         - Inline JSFunction allocation is killed off because we don't have a good
3299           way of inlining property storage allocation. This didn't hurt performance.
3300           Killing off code is better than fixing it if that code wasn't doing any
3301           good.
3302         
3303         This looks like a 1% progression on V8.
3304
3305         * interpreter/Interpreter.cpp:
3306         (JSC::Interpreter::privateExecute):
3307         * jit/JIT.cpp:
3308         (JSC::JIT::privateCompileSlowCases):
3309         * jit/JIT.h:
3310         * jit/JITInlineMethods.h:
3311         (JSC::JIT::emitAllocateBasicJSObject):
3312         (JSC):
3313         * jit/JITOpcodes.cpp:
3314         (JSC::JIT::emit_op_new_func):
3315         (JSC):
3316         (JSC::JIT::emit_op_new_func_exp):
3317         * runtime/JSFunction.cpp:
3318         (JSC::JSFunction::finishCreation):
3319         * runtime/JSObject.h:
3320         (JSC::JSObject::isUsingInlineStorage):
3321         (JSObject):
3322         (JSC::JSObject::finishCreation):
3323         (JSC):
3324         (JSC::JSNonFinalObject::hasInlineStorage):
3325         (JSNonFinalObject):
3326         (JSC::JSNonFinalObject::JSNonFinalObject):
3327         (JSC::JSNonFinalObject::finishCreation):
3328         (JSC::JSFinalObject::hasInlineStorage):
3329         (JSC::JSFinalObject::finishCreation):
3330         (JSC::JSObject::offsetOfInlineStorage):
3331         (JSC::JSObject::setPropertyStorage):
3332         (JSC::Structure::inlineStorageCapacity):
3333         (JSC::Structure::isUsingInlineStorage):
3334         (JSC::JSObject::putDirectInternal):
3335         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
3336         (JSC::JSObject::putDirectWithoutTransition):
3337         * runtime/Structure.cpp:
3338         (JSC::Structure::Structure):
3339         (JSC::nextPropertyStorageCapacity):
3340         (JSC):
3341         (JSC::Structure::growPropertyStorageCapacity):
3342         (JSC::Structure::suggestedNewPropertyStorageSize):
3343         * runtime/Structure.h:
3344         (JSC::Structure::putWillGrowPropertyStorage):
3345         (Structure):
3346
3347 2012-06-29  Filip Pizlo  <fpizlo@apple.com>
3348
3349         Webkit crashes in DFG on Google Docs when creating a new document
3350         https://bugs.webkit.org/show_bug.cgi?id=90209
3351
3352         Reviewed by Gavin Barraclough.
3353         
3354         Don't attempt to short-circuit Phantom(GetLocal) if the GetLocal is for a
3355         captured variable.
3356
3357         * dfg/DFGCFGSimplificationPhase.cpp:
3358         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
3359
3360 2012-06-30  Zan Dobersek  <zandobersek@gmail.com>
3361
3362         Unreviewed, rolling out r121605.
3363         http://trac.webkit.org/changeset/121605
3364         https://bugs.webkit.org/show_bug.cgi?id=90336
3365
3366         Changes caused flaky crashes in sputnik/Unicode tests on Apple
3367         WK1 and GTK Linux builders
3368
3369         * interpreter/Interpreter.cpp:
3370         (JSC::Interpreter::privateExecute):
3371         * jit/JIT.cpp:
3372         (JSC::JIT::privateCompileSlowCases):
3373         * jit/JIT.h:
3374         * jit/JITInlineMethods.h:
3375         (JSC::JIT::emitAllocateBasicJSObject):
3376         (JSC::JIT::emitAllocateJSFinalObject):
3377         (JSC):
3378         (JSC::JIT::emitAllocateJSFunction):
3379         * jit/JITOpcodes.cpp:
3380         (JSC::JIT::emit_op_new_func):
3381         (JSC::JIT::emitSlow_op_new_func):
3382         (JSC):
3383         (JSC::JIT::emit_op_new_func_exp):
3384         (JSC::JIT::emitSlow_op_new_func_exp):
3385         * runtime/JSFunction.cpp:
3386         (JSC::JSFunction::finishCreation):
3387         * runtime/JSObject.h:
3388         (JSC::JSObject::isUsingInlineStorage):
3389         (JSObject):
3390         (JSC::JSObject::finishCreation):
3391         (JSC):
3392         (JSNonFinalObject):
3393         (JSC::JSNonFinalObject::JSNonFinalObject):
3394         (JSC::JSNonFinalObject::finishCreation):
3395         (JSFinalObject):
3396         (JSC::JSFinalObject::finishCreation):
3397         (JSC::JSObject::offsetOfInlineStorage):
3398         (JSC::JSObject::setPropertyStorage):
3399         (JSC::Structure::isUsingInlineStorage):
3400         (JSC::JSObject::putDirectInternal):
3401         (JSC::JSObject::putDirectWithoutTransition):
3402         (JSC::JSObject::transitionTo):
3403         * runtime/Structure.cpp:
3404         (JSC::Structure::Structure):
3405         (JSC):
3406         (JSC::Structure::growPropertyStorageCapacity):
3407         (JSC::Structure::suggestedNewPropertyStorageSize):
3408         * runtime/Structure.h:
3409         (JSC::Structure::shouldGrowPropertyStorage):
3410         (JSC::Structure::propertyStorageSize):
3411
3412 2012-06-29  Mark Hahnenberg  <mhahnenberg@apple.com>
3413
3414         Remove warning about protected values when the Heap is being destroyed
3415         https://bugs.webkit.org/show_bug.cgi?id=90302
3416
3417         Reviewed by Geoffrey Garen.
3418
3419         Having to do book-keeping about whether values allocated from a certain 
3420         VM are or are not protected makes the JSC API much more difficult to use 
3421         correctly. Clients should be able to throw an entire VM away and not have 
3422         to worry about unprotecting all of the values that they protected earlier.
3423
3424         * heap/Heap.cpp:
3425         (JSC::Heap::lastChanceToFinalize):
3426
3427 2012-06-29  Filip Pizlo  <fpizlo@apple.com>
3428
3429         JSObject wastes too much memory on unused property slots
3430         https://bugs.webkit.org/show_bug.cgi?id=90255
3431
3432         Reviewed by Mark Hahnenberg.
3433         
3434         This does a few things:
3435         
3436         - JSNonFinalObject no longer has inline property storage.
3437         
3438         - Initial out-of-line property storage size is 4 slots for JSNonFinalObject,
3439           or 2x the inline storage for JSFinalObject.
3440         
3441         - Property storage is only reallocated if it needs to be. Previously, we
3442           would reallocate the property storage on any transition where the original
3443           structure said shouldGrowPropertyStorage(), but this led to spurious
3444           reallocations when doing transitionless property adds and there are
3445           deleted property slots available. That in turn led to crashes, because we
3446           would switch to out-of-line storage even if the capacity matched the
3447           criteria for inline storage.
3448         
3449         - Inline JSFunction allocation is killed off because we don't have a good
3450           way of inlining property storage allocation. This didn't hurt performance.
3451           Killing off code is better than fixing it if that code wasn't doing any
3452           good.
3453         
3454         This looks like a 1% progression on V8.
3455
3456         * interpreter/Interpreter.cpp:
3457         (JSC::Interpreter::privateExecute):
3458         * jit/JIT.cpp:
3459         (JSC::JIT::privateCompileSlowCases):
3460         * jit/JIT.h:
3461         * jit/JITInlineMethods.h:
3462         (JSC::JIT::emitAllocateBasicJSObject):
3463         (JSC):
3464         * jit/JITOpcodes.cpp:
3465         (JSC::JIT::emit_op_new_func):
3466         (JSC):
3467         (JSC::JIT::emit_op_new_func_exp):
3468         * runtime/JSFunction.cpp:
3469         (JSC::JSFunction::finishCreation):
3470         * runtime/JSObject.h:
3471         (JSC::JSObject::isUsingInlineStorage):
3472         (JSObject):
3473         (JSC::JSObject::finishCreation):
3474         (JSC):
3475         (JSC::JSNonFinalObject::hasInlineStorage):
3476         (JSNonFinalObject):
3477         (JSC::JSNonFinalObject::JSNonFinalObject):
3478         (JSC::JSNonFinalObject::finishCreation):
3479         (JSC::JSFinalObject::hasInlineStorage):
3480         (JSC::JSFinalObject::finishCreation):
3481         (JSC::JSObject::offsetOfInlineStorage):
3482         (JSC::JSObject::setPropertyStorage):
3483         (JSC::Structure::inlineStorageCapacity):
3484         (JSC::Structure::isUsingInlineStorage):
3485         (JSC::JSObject::putDirectInternal):
3486         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
3487         (JSC::JSObject::putDirectWithoutTransition):
3488         * runtime/Structure.cpp:
3489         (JSC::Structure::Structure):
3490         (JSC::nextPropertyStorageCapacity):
3491         (JSC):
3492         (JSC::Structure::growPropertyStorageCapacity):
3493         (JSC::Structure::suggestedNewPropertyStorageSize):
3494         * runtime/Structure.h:
3495         (JSC::Structure::putWillGrowPropertyStorage):
3496         (Structure):
3497
3498 2012-06-28  Filip Pizlo  <fpizlo@apple.com>
3499
3500         DFG recompilation heuristics should be based on count, not rate
3501         https://bugs.webkit.org/show_bug.cgi?id=90146
3502
3503         Reviewed by Oliver Hunt.
3504         
3505         This removes a bunch of code that was previously trying to prevent spurious
3506         reoptimizations if a large enough majority of executions of a code block did
3507         not result in OSR exit. It turns out that this code was purely harmful. This
3508         patch removes all of that logic and replaces it with a dead-simple
3509         heuristic: if you exit more than N times (where N is an exponential function
3510         of the number of times the code block has already been recompiled) then we
3511         will recompile.
3512         
3513         This appears to be a broad ~1% win on many benchmarks large and small.
3514
3515         * bytecode/CodeBlock.cpp:
3516         (JSC::CodeBlock::CodeBlock):
3517         * bytecode/CodeBlock.h:
3518         (JSC::CodeBlock::osrExitCounter):
3519         (JSC::CodeBlock::countOSRExit):
3520         (CodeBlock):
3521         (JSC::CodeBlock::addressOfOSRExitCounter):
3522         (JSC::CodeBlock::offsetOfOSRExitCounter):
3523         (JSC::CodeBlock::adjustedExitCountThreshold):
3524         (JSC::CodeBlock::exitCountThresholdForReoptimization):
3525         (JSC::CodeBlock::exitCountThresholdForReoptimizationFromLoop):
3526         (JSC::CodeBlock::shouldReoptimizeNow):
3527         (JSC::CodeBlock::shouldReoptimizeFromLoopNow):
3528         * bytecode/ExecutionCounter.cpp:
3529         (JSC::ExecutionCounter::setThreshold):
3530         * bytecode/ExecutionCounter.h:
3531         (ExecutionCounter):
3532         (JSC::ExecutionCounter::clippedThreshold):
3533         * dfg/DFGJITCompiler.cpp:
3534         (JSC::DFG::JITCompiler::compileBody):
3535         * dfg/DFGOSRExit.cpp:
3536         (JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow):
3537         * dfg/DFGOSRExitCompiler.cpp:
3538         (JSC::DFG::OSRExitCompiler::handleExitCounts):
3539         * dfg/DFGOperations.cpp:
3540         * jit/JITStubs.cpp:
3541         (JSC::DEFINE_STUB_FUNCTION):
3542         * runtime/Options.cpp:
3543         (Options):
3544         (JSC::Options::initializeOptions):
3545         * runtime/Options.h:
3546         (Options):
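
The entry above states the heuristic in one sentence (recompile once a code block has exited more than N times, with N growing exponentially in the number of recompilations so far). The following is an added illustration of that rule, not JavaScriptCore's code: the class name, the tuning constants and the member names are assumptions modelled on the functions the entry lists (countOSRExit, adjustedExitCountThreshold, clippedThreshold, shouldReoptimizeNow).

```cpp
// Added illustration of the count-based reoptimization heuristic described in the
// ChangeLog entry. Not JavaScriptCore's code: names and tuning values are assumptions.
#include <cstdint>
#include <cstdio>

// Constructed tuning knobs standing in for the Options::* values the entry adds.
static const int32_t kOSRExitCountForReoptimization = 100;   // base N (assumed value)
static const int32_t kMaxExitCountThreshold = 1 << 20;        // clip so N stays reachable

class ReoptimizationProfile {
public:
    // One OSR exit happened in the optimized code for this code block.
    void countOSRExit() { ++m_osrExitCounter; }
    int32_t osrExitCounter() const { return m_osrExitCounter; }
    unsigned reoptimizationRetryCounter() const { return m_reoptimizationRetryCounter; }

    // Clamp a candidate threshold into a range the counter can actually reach.
    static int32_t clippedThreshold(int64_t threshold) {
        if (threshold > kMaxExitCountThreshold)
            return kMaxExitCountThreshold;
        return static_cast<int32_t>(threshold);
    }

    // N = desired << retries: every recompilation doubles the patience before the
    // next one, so a code block that keeps exiting cannot thrash the compiler forever.
    int32_t adjustedExitCountThreshold(int32_t desiredThreshold) const {
        if (m_reoptimizationRetryCounter >= 31)   // never shift into undefined behaviour
            return kMaxExitCountThreshold;
        return clippedThreshold(static_cast<int64_t>(desiredThreshold) << m_reoptimizationRetryCounter);
    }

    int32_t exitCountThresholdForReoptimization() const {
        return adjustedExitCountThreshold(kOSRExitCountForReoptimization);
    }

    // The whole heuristic: "exited more than N times", with no rate involved.
    bool shouldReoptimizeNow() const {
        return m_osrExitCounter > exitCountThresholdForReoptimization();
    }

    // Optimized code is thrown away: remember the retry and count exits afresh.
    void didReoptimize() {
        ++m_reoptimizationRetryCounter;
        m_osrExitCounter = 0;
    }

private:
    int32_t m_osrExitCounter = 0;
    unsigned m_reoptimizationRetryCounter = 0;
};

// Simulates a code block that OSR-exits on every execution and reports how many
// executions it takes until the k-th reoptimization is triggered.
int64_t executionsUntilReoptimization(unsigned k) {
    ReoptimizationProfile profile;
    int64_t executions = 0;
    for (unsigned done = 0; done < k;) {
        profile.countOSRExit();
        ++executions;
        if (profile.shouldReoptimizeNow()) {
            profile.didReoptimize();
            ++done;
        }
    }
    return executions;
}

int main() {
    for (unsigned k = 1; k <= 4; ++k)
        std::printf("reoptimization #%u after %lld exits in total\n", k,
                    static_cast<long long>(executionsUntilReoptimization(k)));
    return 0;
}
```

With the assumed base of 100, the first reoptimization needs 101 exits, the second a further 201, the third a further 401: the thresholds 100, 200, 400, ... are the exponential function the entry refers to, and clippedThreshold keeps them from running past what the counter can reach.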
3547
3548 2012-06-28  Mark Lam  <mark.lam@apple.com>
3549
3550         Adding a commenting utility to record BytecodeGenerator comments
3551         with opcodes that are emitted.  Presently, the comments can only
3552         be constant strings.  Adding comments for opcodes is optional.
3553         If a comment is added, the comment will be printed following the
3554         opcode when CodeBlock::dump() is called.
3555
3556         This utility is disabled by default, and is only meant for VM
3557         development purposes.  It should not be enabled for product builds.
3558
3559         To enable this utility, set ENABLE_BYTECODE_COMMENTS in CodeBlock.h
3560         to 1.
3561
3562         https://bugs.webkit.org/show_bug.cgi?id=90095
3563
3564         Reviewed by Geoffrey Garen.
3565
3566         * GNUmakefile.list.am:
3567         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
3568         * JavaScriptCore.xcodeproj/project.pbxproj:
3569         * bytecode/CodeBlock.cpp:
3570         (JSC::CodeBlock::dumpBytecodeCommentAndNewLine): Dumps the comment.
3571         (JSC):
3572         (JSC::CodeBlock::printUnaryOp): Add comment dumps.
3573         (JSC::CodeBlock::printBinaryOp): Add comment dumps.
3574         (JSC::CodeBlock::printConditionalJump): Add comment dumps.
3575         (JSC::CodeBlock::printCallOp): Add comment dumps.
3576         (JSC::CodeBlock::printPutByIdOp): Add comment dumps.
3577         (JSC::CodeBlock::dump): Add comment dumps.
3578         (JSC::CodeBlock::CodeBlock):
3579         (JSC::CodeBlock::commentForBytecodeOffset):
3580             Finds the comment for an opcode if available.
3581         (JSC::CodeBlock::dumpBytecodeComments):
3582             For debugging whether comments are collected.
3583             It is not being called anywhere.
3584         * bytecode/CodeBlock.h:
3585         (CodeBlock):
3586         (JSC::CodeBlock::bytecodeComments):
3587         * bytecode/Comment.h: Added.
3588         (JSC):
3589         (Comment):
3590         * bytecompiler/BytecodeGenerator.cpp:
3591         (JSC::BytecodeGenerator::BytecodeGenerator):
3592         (JSC::BytecodeGenerator::emitOpcode): Calls emitComment().
3593         (JSC):
3594         (JSC::BytecodeGenerator::emitComment): Adds comment to CodeBlock.
3595         (JSC::BytecodeGenerator::prependComment):
3596             Registers a comment for emitComment() to use later.
3597         * bytecompiler/BytecodeGenerator.h:
3598         (BytecodeGenerator):
3599         (JSC::BytecodeGenerator::emitComment):
3600         (JSC::BytecodeGenerator::prependComment):
3601             These are inlined versions of these functions that nullify them
3602             when ENABLE_BYTECODE_COMMENTS is 0.
3603         (JSC::BytecodeGenerator::comments):
3604
3605 2012-06-28  Oliver Hunt  <oliver@apple.com>
3606
3607         32-bit DFG incorrectly claims an fpr is fillable even if it has not been proven double
3608         https://bugs.webkit.org/show_bug.cgi?id=90127
3609
3610         Reviewed by Filip Pizlo.
3611
3612         The 32-bit version of fillSpeculateDouble doesn't handle Number->fpr loads
3613         correctly.  This patch fixes this by killing the fill info in the GenerationInfo
3614         when the spillFormat doesn't guarantee the value is a double.
3615
3616         * dfg/DFGSpeculativeJIT32_64.cpp:
3617         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3618
3619 2012-06-28  Kent Tamura  <tkent@chromium.org>
3620
3621         Classify form control states by their owner forms
3622         https://bugs.webkit.org/show_bug.cgi?id=89950
3623
3624         Reviewed by Hajime Morita.
3625
3626         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
3627         Expose WTF::StringBuilder::canShrink()
3628
3629 2012-06-27  Michael Saboff  <msaboff@apple.com>
3630
3631         [Win] jscore-tests flakey
3632         https://bugs.webkit.org/show_bug.cgi?id=88118
3633
3634         Reviewed by Jessie Berlin.
3635
3636         jsDriver.pl on windows intermittently doesn't get the returned value from jsc,
3637         instead it gets 126.  Added a new option to jsc (-x) which prints the exit
3638         code before exiting.  jsDriver.pl uses this option on Windows and parses the
3639         exit code output for the exit code, removing it before comparing the actual
3640         and expected outputs.  Filed a follow-on "FIXME" defect:
3641         [WIN] Intermittent failure for jsc return value to propagate through jsDriver.pl
3642         https://bugs.webkit.org/show_bug.cgi?id=90119
3643
3644         * jsc.cpp:
3645         (CommandLine::CommandLine):
3646         (CommandLine):
3647         (printUsageStatement):
3648         (parseArguments):
3649         (jscmain):
3650         * tests/mozilla/jsDriver.pl:
3651         (execute_tests):
3652
3653 2012-06-27  Sheriff Bot  <webkit.review.bot@gmail.com>
3654
3655         Unreviewed, rolling out r121359.
3656         http://trac.webkit.org/changeset/121359
3657         https://bugs.webkit.org/show_bug.cgi?id=90115
3658
3659         Broke many inspector tests (Requested by jpfau on #webkit).
3660
3661         * interpreter/Interpreter.h:
3662         (JSC::StackFrame::toString):
3663
3664 2012-06-27  Filip Pizlo  <fpizlo@apple.com>
3665
3666         Javascript SHA-512 gives wrong hash on second and subsequent runs unless Web Inspector Javascript Debugging is on
3667         https://bugs.webkit.org/show_bug.cgi?id=90053
3668         <rdar://problem/11764613>
3669
3670         Reviewed by Mark Hahnenberg.
3671         
3672         The problem is that the code was assuming that the recovery should be Undefined if the source of
3673         the SetLocal was !shouldGenerate(). But that's wrong, since the DFG optimizer may skip around a
3674         UInt32ToNumber node (hence making it !shouldGenerate()) and keep the source of that node alive.
3675         In that case we should base the recovery on the source of the UInt32ToNumber. The logic for this
3676         was already in place but the fast check for !shouldGenerate() broke it.
3677
3678         * dfg/DFGSpeculativeJIT.cpp:
3679         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
3680
3681 2012-06-27  Filip Pizlo  <fpizlo@apple.com>
3682
3683         DFG disassembly should be easier to read
3684         https://bugs.webkit.org/show_bug.cgi?id=90106
3685
3686         Reviewed by Mark Hahnenberg.
3687         
3688         Did a few things:
3689         
3690         - Options::showDFGDisassembly now shows OSR exit disassembly as well.
3691         
3692         - Phi node dumping doesn't attempt to do line wrapping since it just made the dump harder
3693           to read.
3694         
3695         - DFG graph disassembly view shows a few additional node types that turn out to be
3696           essential for understanding OSR exits.
3697         
3698         Put together, these changes reinforce the philosophy that anything needed for computing
3699         OSR exit is just as important as the machine code itself. Of course, we still don't take
3700         that philosophy to its full extreme - for example Phantom nodes are not dumped. We may
3701         revisit that in the future.
3702
3703         * assembler/LinkBuffer.cpp:
3704         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
3705         * assembler/LinkBuffer.h:
3706         (JSC):
3707         * dfg/DFGDisassembler.cpp:
3708         (JSC::DFG::Disassembler::dump):
3709         * dfg/DFGGraph.cpp:
3710         (JSC::DFG::Graph::dumpBlockHeader):
3711         * dfg/DFGNode.h:
3712         (JSC::DFG::Node::willHaveCodeGenOrOSR):
3713         * dfg/DFGOSRExitCompiler.cpp:
3714         * jit/JIT.cpp:
3715         (JSC::JIT::privateCompile):
3716
3717 2012-06-25  Mark Hahnenberg  <mhahnenberg@apple.com>
3718
3719         JSLock should be per-JSGlobalData
3720         https://bugs.webkit.org/show_bug.cgi?id=89123
3721
3722         Reviewed by Geoffrey Garen.
3723
3724         * API/APIShims.h:
3725         (APIEntryShimWithoutLock):
3726         (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock): Added an extra parameter to the constructor to 
3727         determine whether we should ref the JSGlobalData or not. We want to ref all the time except for in the 
3728         HeapTimer class because timerDidFire could run after somebody has started to tear down that particular 
3729         JSGlobalData, so we wouldn't want to resurrect the ref count of that JSGlobalData from 0 back to 1 after 
3730         its destruction has begun. 
3731         (JSC::APIEntryShimWithoutLock::~APIEntryShimWithoutLock):
3732         (JSC::APIEntryShim::APIEntryShim):
3733         (APIEntryShim):
3734         (JSC::APIEntryShim::~APIEntryShim):
3735         (JSC::APIEntryShim::init): Factored out common initialization code for the various APIEntryShim constructors.
3736         Also moved the timeoutChecker stop and start here because we need to start after we've grabbed the API lock
3737         and before we've released it, which can only be done in APIEntryShim.
3738         (JSC::APICallbackShim::~APICallbackShim): We no longer need to synchronize here.
3739         * API/JSContextRef.cpp:
3740         (JSGlobalContextCreate):
3741         (JSGlobalContextCreateInGroup):
3742         (JSGlobalContextRelease):
3743         (JSContextCreateBacktrace):
3744         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
3745         * heap/CopiedSpace.cpp:
3746         (JSC::CopiedSpace::tryAllocateSlowCase):
3747         * heap/Heap.cpp:
3748         (JSC::Heap::protect):
3749         (JSC::Heap::unprotect):
3750         (JSC::Heap::collect):
3751         (JSC::Heap::setActivityCallback):
3752         (JSC::Heap::activityCallback):
3753         (JSC::Heap::sweeper):
3754         * heap/Heap.h: Changed m_activityCallback and m_sweeper to be raw pointers rather than OwnPtrs because they 
3755         are now responsible for their own lifetime. Also changed the order of declaration of the GCActivityCallback
3756         and the IncrementalSweeper to make sure they're the last things that get initialized during construction to 
3757         prevent any issues with uninitialized memory in the JSGlobalData/Heap they might care about.
3758         (Heap):
3759         * heap/HeapTimer.cpp: Refactored to allow for thread-safe operation and shutdown.
3760         (JSC::HeapTimer::~HeapTimer):
3761         (JSC::HeapTimer::invalidate):
3762         (JSC):
3763         (JSC::HeapTimer::didStartVMShutdown): Called at the beginning of ~JSGlobalData. If we're on the same thread 
3764         that the HeapTimer is running on, we kill the HeapTimer ourselves. If not, then we set some state in the 
3765         HeapTimer and schedule it to fire immediately so that it can notice and kill itself.
3766         (JSC::HeapTimer::timerDidFire): We grab our mutex and check our JSGlobalData pointer. If it has been zeroed
3767         out, then we know the VM has started to shutdown and we should kill ourselves. Otherwise, grab the APIEntryShim,
3768         but without ref-ing the JSGlobalData (we don't want to bring the JSGlobalData's ref-count from 0 to 1) in case 
3769         we were interrupted between releasing our mutex and trying to grab the APILock.
3770         * heap/HeapTimer.h:
3771         (HeapTimer):
3772         * heap/IncrementalSweeper.cpp:
3773         (JSC::IncrementalSweeper::doWork): We no longer need the API shim here since HeapTimer::timerDidFire handles 
3774         all of that for us. 
3775         (JSC::IncrementalSweeper::create):
3776         * heap/IncrementalSweeper.h:
3777         (IncrementalSweeper):
3778         * heap/MarkedAllocator.cpp:
3779         (JSC::MarkedAllocator::allocateSlowCase):
3780         * heap/WeakBlock.cpp:
3781         (JSC::WeakBlock::reap):
3782         * jsc.cpp:
3783         (functionGC):
3784         (functionReleaseExecutableMemory):
3785         (jscmain):
3786         * runtime/Completion.cpp:
3787         (JSC::checkSyntax):
3788         (JSC::evaluate):
3789         * runtime/GCActivityCallback.h:
3790         (DefaultGCActivityCallback):
3791         (JSC::DefaultGCActivityCallback::create):
3792         * runtime/JSGlobalData.cpp:
3793         (JSC::JSGlobalData::JSGlobalData):
3794         (JSC::JSGlobalData::~JSGlobalData): Signals to the two HeapTimers (GCActivityCallback and IncrementalSweeper)
3795         that the VM has started shutting down. It then waits until the HeapTimer is done with whatever activity 
3796         it needs to do before continuing with any further destruction. Also asserts that we do not currently hold the 
3797         APILock because this could potentially cause deadlock when we try to signal to the HeapTimers using their mutexes.
3798         (JSC::JSGlobalData::sharedInstance): Protect the initialization for the shared instance with the GlobalJSLock.
3799         (JSC::JSGlobalData::sharedInstanceInternal):
3800         * runtime/JSGlobalData.h: Change to be ThreadSafeRefCounted so that we don't have to worry about refing and 
3801         de-refing JSGlobalDatas on separate threads since we don't do it that often anyways.
3802         (JSGlobalData):
3803         (JSC::JSGlobalData::apiLock):
3804         * runtime/JSGlobalObject.cpp:
3805         (JSC::JSGlobalObject::~JSGlobalObject):
3806         (JSC::JSGlobalObject::init):
3807         * runtime/JSLock.cpp:
3808         (JSC):
3809         (JSC::GlobalJSLock::GlobalJSLock): For accessing the shared instance.
3810         (JSC::GlobalJSLock::~GlobalJSLock):
3811         (JSC::JSLockHolder::JSLockHolder): MutexLocker for JSLock. Also refs the JSGlobalData to keep it alive so that 
3812         it can successfully unlock it later without it disappearing from underneath it.
3813         (JSC::JSLockHolder::~JSLockHolder):
3814         (JSC::JSLock::JSLock):
3815         (JSC::JSLock::~JSLock):
3816         (JSC::JSLock::lock): Uses the spin lock for guarding the lock count and owner thread fields. Uses the mutex for 
3817         actually waiting for long periods. 
3818         (JSC::JSLock::unlock):
3819         (JSC::JSLock::currentThreadIsHoldingLock):
3820         (JSC::JSLock::dropAllLocks):
3821         (JSC::JSLock::dropAllLocksUnconditionally):
3822         (JSC::JSLock::grabAllLocks):
3823         (JSC::JSLock::DropAllLocks::DropAllLocks):
3824         (JSC::JSLock::DropAllLocks::~DropAllLocks):
3825         * runtime/JSLock.h:
3826         (JSC):
3827         (GlobalJSLock):
3828         (JSLockHolder):
3829         (JSLock):
3830         (DropAllLocks):
3831         * runtime/WeakGCMap.h:
3832         (JSC::WeakGCMap::set):
3833         * testRegExp.cpp:
3834         (realMain):
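
The JSLock::lock description above (a spin lock guarding the lock count and owner thread, a mutex for the actual waiting) is a two-level design that is easy to get subtly wrong. The following is an added example of that scheme, not JavaScriptCore's JSLock: VMLock and all of its members are assumptions written to show the idea, including dropAllLocks/grabAllLocks, which mirror the DropAllLocks helper the entry lists.

```cpp
// Added example of a two-level recursive VM lock: the spin lock is held only for the
// few instructions that touch the owner/count fields; the mutex is what a thread blocks
// on while another thread owns the VM. Illustrative code, not JavaScriptCore's JSLock.
#include <atomic>
#include <mutex>
#include <thread>
#include <vector>
#include <cstdio>

class VMLock {
public:
    void lock() {
        const std::thread::id me = std::this_thread::get_id();
        spinLock();
        if (m_lockCount > 0 && m_ownerThread == me) {
            ++m_lockCount;          // re-entrant acquire: bookkeeping only, no blocking
            spinUnlock();
            return;
        }
        spinUnlock();               // never block while holding the spin lock
        m_mutex.lock();             // may wait a long time; that is the mutex's job
        spinLock();
        m_ownerThread = me;
        m_lockCount = 1;
        spinUnlock();
    }

    // Refuses to release a lock the caller does not hold rather than corrupt the
    // owner/count state; returns false in that case so misuse is visible.
    bool unlock() {
        const std::thread::id me = std::this_thread::get_id();
        spinLock();
        if (m_lockCount == 0 || m_ownerThread != me) {
            spinUnlock();
            return false;
        }
        const bool release = (--m_lockCount == 0);
        if (release)
            m_ownerThread = std::thread::id();
        spinUnlock();
        if (release)
            m_mutex.unlock();
        return true;
    }

    bool currentThreadIsHoldingLock() {
        spinLock();
        const bool held = m_lockCount > 0 && m_ownerThread == std::this_thread::get_id();
        spinUnlock();
        return held;
    }

    unsigned lockCount() {
        spinLock();
        const unsigned count = m_lockCount;
        spinUnlock();
        return count;
    }

    // Give up the VM entirely (e.g. around a long blocking operation), remembering the
    // recursion depth so grabAllLocks() can restore it. Returns 0 if nothing was held.
    unsigned dropAllLocks() {
        spinLock();
        if (m_lockCount == 0 || m_ownerThread != std::this_thread::get_id()) {
            spinUnlock();
            return 0;
        }
        const unsigned depth = m_lockCount;
        m_lockCount = 0;
        m_ownerThread = std::thread::id();
        spinUnlock();
        m_mutex.unlock();
        return depth;
    }

    void grabAllLocks(unsigned depth) {
        if (depth == 0)
            return;
        m_mutex.lock();
        spinLock();
        m_ownerThread = std::this_thread::get_id();
        m_lockCount = depth;
        spinUnlock();
    }

private:
    void spinLock() { while (m_spin.test_and_set(std::memory_order_acquire)) { } }
    void spinUnlock() { m_spin.clear(std::memory_order_release); }

    std::atomic_flag m_spin = ATOMIC_FLAG_INIT;
    std::mutex m_mutex;
    std::thread::id m_ownerThread;   // default-constructed id means "nobody"
    unsigned m_lockCount = 0;
};

// Single-threaded scenario: recursion, drop/grab, and rejection of a stray unlock.
bool exerciseVMLock() {
    VMLock lock;
    if (lock.currentThreadIsHoldingLock() || lock.unlock()) return false;
    lock.lock();
    lock.lock();
    if (!lock.currentThreadIsHoldingLock() || lock.lockCount() != 2) return false;
    if (lock.dropAllLocks() != 2 || lock.currentThreadIsHoldingLock()) return false;
    lock.grabAllLocks(2);
    if (lock.lockCount() != 2) return false;
    return lock.unlock() && lock.unlock() && !lock.unlock() && !lock.currentThreadIsHoldingLock();
}

int main() {
    VMLock lock;
    unsigned counter = 0;
    std::vector<std::thread> workers;
    for (int t = 0; t < 4; ++t)
        workers.emplace_back([&] { for (int i = 0; i < 10000; ++i) { lock.lock(); ++counter; lock.unlock(); } });
    for (auto& w : workers) w.join();
    std::printf("counter = %u (expect 40000), self-check %s\n", counter, exerciseVMLock() ? "ok" : "FAILED");
    return 0;
}
```

The point of the split is that the spin lock is never held across anything that can block: lock() releases it before calling m_mutex.lock(), and unlock() releases it before m_mutex.unlock(). The non-owner checks in unlock() and dropAllLocks() are what keeps a caller that unlocks on the wrong thread from leaving the owner/count pair inconsistent.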
3835
3836 2012-06-27  Filip Pizlo  <fpizlo@apple.com>
3837
3838         x86 disassembler confuses immediates with addresses
3839         https://bugs.webkit.org/show_bug.cgi?id=90099
3840
3841         Reviewed by Mark Hahnenberg.
3842         
3843         Prepend "$" to immediates to disambiguate between immediates and addresses. This is in
3844         accordance with the gas and AT&T syntax.
3845
3846         * disassembler/udis86/udis86_syn-att.c:
3847         (gen_operand):
3848
3849 2012-06-27  Filip Pizlo  <fpizlo@apple.com>
3850
3851         Add a comment clarifying Options::showDisassembly versus Options::showDFGDisassembly.
3852
3853         Rubber stamped by Mark Hahnenberg.
3854
3855         * runtime/Options.cpp:
3856         (JSC::Options::initializeOptions):
3857
3858 2012-06-27  Anthony Scian  <ascian@rim.com>
3859
3860         Web Inspector [JSC]: Implement ScriptCallStack::stackTrace
3861         https://bugs.webkit.org/show_bug.cgi?id=40118
3862
3863         Reviewed by Yong Li.
3864
3865         Added member functions to expose function name, urlString, and line #.
3866         Refactored toString to make use of these member functions to reduce
3867         duplicated code for future maintenance.
3868
3869         Manually tested refactoring of toString by tracing thrown exceptions.
3870
3871         * interpreter/Interpreter.h:
3872         (StackFrame):
3873         (JSC::StackFrame::toString):
3874         (JSC::StackFrame::friendlySourceURL):
3875         (JSC::StackFrame::friendlyFunctionName):
3876         (JSC::StackFrame::friendlyLineNumber):
3877
3878 2012-06-27  Oswald Buddenhagen  <oswald.buddenhagen@nokia.com>
3879
3880         [Qt] Remove redundant c++11 warning suppression code
3881
3882         This is already handled in default_post.
3883
3884         Reviewed by Tor Arne Vestbø.
3885
3886         * Target.pri:
3887
3888 2012-06-26  Tor Arne Vestbø  <tor.arne.vestbo@nokia.com>
3889
3890         [Qt] Add missing headers to HEADERS
3891
3892         For JavaScriptCore there aren't any Qt specific files, so we include all
3893         headers for easy editing in Qt Creator.
3894
3895         Reviewed by Simon Hausmann.
3896
3897         * Target.pri:
3898
3899 2012-06-26  Dominic Cooney  <dominicc@chromium.org>
3900
3901         [Chromium] Remove unused build scripts and empty folders for JavaScriptCore w/ gyp
3902         https://bugs.webkit.org/show_bug.cgi?id=90029
3903
3904         Reviewed by Adam Barth.
3905
3906         * gyp: Removed.
3907         * gyp/generate-derived-sources.sh: Removed.
3908         * gyp/generate-dtrace-header.sh: Removed.
3909         * gyp/run-if-exists.sh: Removed.
3910         * gyp/update-info-plist.sh: Removed.
3911
3912 2012-06-26  Geoffrey Garen  <ggaren@apple.com>
3913
3914         Reduced (but did not eliminate) use of "berzerker GC"
3915         https://bugs.webkit.org/show_bug.cgi?id=89237
3916
3917         Reviewed by Gavin Barraclough.
3918
3919         (PART 2)
3920
3921         This part turns off "berzerker GC" and turns on incremental shrinking.
3922
3923         * heap/IncrementalSweeper.cpp:
3924         (JSC::IncrementalSweeper::doSweep): Free or shrink after sweeping to
3925         maintain the behavior we used to get from the occasional berzerker GC,
3926         which would run all finalizers and then free or shrink all blocks
3927         synchronously.
3928
3929         * heap/MarkedBlock.h:
3930         (JSC::MarkedBlock::needsSweeping): Sweep zapped blocks, too. It's always
3931         safe to sweep a zapped block (that's the point of zapping), and it's
3932         sometimes profitable. For example, consider this case: Block A does some
3933         allocation (transitioning Block A from Marked to FreeListed), then GC
3934         happens (transitioning Block A to Zapped), then all objects in Block A
3935         are free, then the incremental sweeper visits Block A. If we skipped
3936         Zapped blocks, we'd skip Block A, even though it would be profitable to
3937         run its destructors and free its memory.
3938
3939         * runtime/GCActivityCallback.cpp:
3940         (JSC::DefaultGCActivityCallback::doWork): Don't sweep eagerly; we'll do
3941         this incrementally.
3942
3943 2012-06-26  Filip Pizlo  <fpizlo@apple.com>
3944
3945         DFG PutByValAlias is too aggressive
3946         https://bugs.webkit.org/show_bug.cgi?id=90026
3947         <rdar://problem/11751830>
3948
3949         Reviewed by Gavin Barraclough.
3950         
3951         For CSE on normal arrays, we now treat PutByVal as impure. This does not appear to affect
3952         performance by much.
3953         
3954         For CSE on typed arrays, we fix PutByValAlias by making GetByVal speculate that the access
3955         is within bounds. This also has the effect of making our out-of-bounds handling consistent
3956         with WebCore.
3957
3958         * dfg/DFGCSEPhase.cpp:
3959         (JSC::DFG::CSEPhase::performNodeCSE):
3960         * dfg/DFGGraph.h:
3961         (JSC::DFG::Graph::byValIsPure):
3962         (JSC::DFG::Graph::clobbersWorld):
3963         * dfg/DFGNodeType.h:
3964         (DFG):
3965         * dfg/DFGSpeculativeJIT.cpp:
3966         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
3967         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
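
The first paragraph of the entry above turns on a single CSE decision: whether PutByVal counts as pure, i.e. whether a later GetByVal may be folded into an earlier identical one across the store. The following is an added toy model of that decision, not DFGCSEPhase.cpp: the Node shape, the Op enum, clobbersLoads() and the constructed block are assumptions that simplify the real DFG graph (in particular the Call case stands in for the clobbersWorld() check the entry lists).

```cpp
// Added toy model of GetByVal common-subexpression elimination across a PutByVal.
// Not JavaScriptCore's DFGCSEPhase; node shapes and the purity knob are simplifications.
#include <vector>
#include <cstddef>
#include <cstdio>

enum class Op { GetByVal, PutByVal, Call };

struct Node {
    Op op;
    int base;            // id of the node producing the array
    int index;           // id of the node producing the index
    int value;           // PutByVal only; -1 otherwise
    int cseReplacement;  // -1 if kept, else id of the earlier GetByVal it was folded into
};

// The "is PutByVal pure for CSE?" knob: before the fix it was treated as pure for
// normal arrays, after the fix it is not. A Call always clobbers the world.
bool clobbersLoads(const Node& n, bool putByValIsPure) {
    if (n.op == Op::Call) return true;
    if (n.op == Op::PutByVal) return !putByValIsPure;
    return false;
}

// Search backwards from nodes[at] for an equivalent GetByVal. Returns its id, or -1
// if there is none or a clobbering node sits between the two.
int findEquivalentGetByVal(const std::vector<Node>& nodes, size_t at, bool putByValIsPure) {
    const Node& n = nodes[at];
    for (size_t i = at; i-- > 0;) {
        const Node& m = nodes[i];
        if (m.op == Op::GetByVal && m.base == n.base && m.index == n.index)
            return static_cast<int>(i);
        if (clobbersLoads(m, putByValIsPure))
            return -1;   // a store may have changed a[i]; the earlier load is stale
    }
    return -1;
}

// Runs the GetByVal CSE over a block; returns how many loads were eliminated.
int performCSE(std::vector<Node>& nodes, bool putByValIsPure) {
    int eliminated = 0;
    for (size_t i = 0; i < nodes.size(); ++i) {
        nodes[i].cseReplacement = -1;
        if (nodes[i].op != Op::GetByVal) continue;
        const int replacement = findEquivalentGetByVal(nodes, i, putByValIsPure);
        if (replacement >= 0) {
            nodes[i].cseReplacement = replacement;
            ++eliminated;
        }
    }
    return eliminated;
}

// Constructed block for:   a[i] = v1;  x = a[i];  a[i] = v2;  y = a[i];
// Node ids are 0..3; base/index/value ids 10..13 denote nodes outside this snippet.
std::vector<Node> constructedBlock() {
    return {
        { Op::PutByVal, 10, 11, 12, -1 },
        { Op::GetByVal, 10, 11, -1, -1 },   // x
        { Op::PutByVal, 10, 11, 13, -1 },
        { Op::GetByVal, 10, 11, -1, -1 },   // y: must observe v2, so must not be folded into x
    };
}

int main() {
    std::vector<Node> pure = constructedBlock();
    std::vector<Node> impure = constructedBlock();
    std::printf("PutByVal pure:   %d load(s) eliminated (y folded into x: wrong result)\n",
                performCSE(pure, true));
    std::printf("PutByVal impure: %d load(s) eliminated\n", performCSE(impure, false));
    return 0;
}
```

With the store treated as pure, the second load is folded into the first and y silently becomes v1; treating PutByVal as impure stops the backward search at the store, which is the behaviour the entry adopts for normal arrays.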
3968
3969 2012-06-26  Yong Li  <yoli@rim.com>