Build fix attempt after r154156.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-08-15  Ryosuke Niwa  <rniwa@webkit.org>

        Build fix attempt after r154156.

        * jit/JITStubs.cpp:
        (JSC::cti_vm_handle_exception): encode!

2013-08-15  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] x86: Use inc and dec when possible
        https://bugs.webkit.org/show_bug.cgi?id=119831

        Reviewed by Geoffrey Garen.

        When incrementing or decrementing by an immediate of 1, use the instructions
        inc and dec instead of add and sub.
        The instructions have good timing and their encoding is smaller.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86_64::add32):
        (JSC::MacroAssemblerX86_64::sub32):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::add64):
        (JSC::MacroAssemblerX86_64::sub64):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::dec_r):
        (JSC::X86Assembler::decq_r):
        (JSC::X86Assembler::inc_r):
        (JSC::X86Assembler::incq_r):
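
Editor's added example, not part of this ChangeLog entry and not JSC's X86Assembler: a small JavaScript encoder for the four instruction forms the entry trades between, so the size saving it claims can be checked byte by byte. Register numbers follow the hardware encoding (eax/rax = 0 ... r15 = 15); inc and dec are emitted in the group-5 form (FF /0 and FF /1) in both operand sizes, which is the only form available in 64-bit mode, and the one-byte 0x40+r form that exists only in 32-bit mode is deliberately not modeled. The add/sub helpers use the 0x83 sign-extended imm8 form and reject immediates outside -128..127 rather than widening them.

```javascript
// Added example (not JSC code): encode "add/sub r, imm8" and "inc/dec r"
// for x86 (32-bit operand) and x86-64 (64-bit operand) registers.
// Register numbering is the hardware one: eax/rax = 0 ... r15 = 15.

// ModRM byte for register-direct addressing: mod = 11, reg = opcode
// extension (/digit), rm = low three bits of the register number.
function modrm(ext, reg) {
  return 0xc0 | ((ext & 7) << 3) | (reg & 7);
}

// REX prefix: W = 1 for a 64-bit operand, B = 1 when the r/m register is
// r8..r15. Returns [] when no prefix is needed (32-bit operand, low register).
function rex(is64, reg) {
  const w = is64 ? 0x08 : 0;
  const b = reg >= 8 ? 0x01 : 0;
  return w || b ? [0x40 | w | b] : [];
}

// Opcode 0x83 takes a sign-extended 8-bit immediate; only that range is
// representable in this form, so anything wider is an error here.
function imm8(imm) {
  if (!Number.isInteger(imm) || imm < -128 || imm > 127) {
    throw new RangeError(`immediate ${imm} does not fit in a sign-extended imm8`);
  }
  return imm & 0xff;
}

// "add r, imm8" is 83 /0 ib; "sub r, imm8" is 83 /5 ib.
function addImm8(reg, imm, is64) {
  return Uint8Array.from([...rex(is64, reg), 0x83, modrm(0, reg), imm8(imm)]);
}
function subImm8(reg, imm, is64) {
  return Uint8Array.from([...rex(is64, reg), 0x83, modrm(5, reg), imm8(imm)]);
}

// "inc r" is FF /0 and "dec r" is FF /1 (group 5). No immediate byte, so the
// encoding is one byte shorter than the add/sub form for every register.
function inc(reg, is64) {
  return Uint8Array.from([...rex(is64, reg), 0xff, modrm(0, reg)]);
}
function dec(reg, is64) {
  return Uint8Array.from([...rex(is64, reg), 0xff, modrm(1, reg)]);
}

// The substitution the entry describes: an immediate of exactly 1 becomes
// inc/dec, every other immediate keeps the add/sub encoding.
function add(reg, imm, is64) {
  return imm === 1 ? inc(reg, is64) : addImm8(reg, imm, is64);
}
function sub(reg, imm, is64) {
  return imm === 1 ? dec(reg, is64) : subImm8(reg, imm, is64);
}

// Render bytes as the "48 ff c0" style a disassembler prints.
function hex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join(" ");
}

// Bytes saved at one site by choosing inc over "add r, 1".
function bytesSaved(reg, is64) {
  return addImm8(reg, 1, is64).length - inc(reg, is64).length;
}
```

One caveat a reviewer of this substitution checks: inc and dec update OF, SF, ZF, AF and PF but leave CF untouched, whereas add and sub write CF. A signed-overflow branch (jo) therefore sees no difference, but any code that consumed the carry flag after an add of 1 would be silently broken by the shorter encoding. The matcher above fires only on an immediate of exactly 1, which is the case the entry describes; add(reg, -1) stays a four-byte add with a sign-extended 0xff.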

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
        https://bugs.webkit.org/show_bug.cgi?id=119874

        Reviewed by Oliver Hunt and Mark Hahnenberg.

        It was a confusion between heuristics in DFG::ArrayMode that are assuming that
        you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
        sometimes for typed array length accesses, and the FixupPhase assuming that a
        ForceExit ArrayMode means that it should continue using a generic GetById.

        This fixes the confusion.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2013-08-15  Mark Lam  <mark.lam@apple.com>

        Fix crash when performing activation tearoff.
        https://bugs.webkit.org/show_bug.cgi?id=119848

        Reviewed by Oliver Hunt.

        The activation tearoff crash was due to a bug in the baseline JIT.
        If we have a scenario where a baseline JIT frame calls a LLINT
        frame, an exception may be thrown while in the LLINT.

        Interpreter::throwException() which handles the exception will unwind
        all frames until it finds a catcher or sees a host frame. When we
        return from the LLINT to the baseline JIT code, the baseline JIT code
        erroneously sets topCallFrame to the value in its call frame register,
        and starts unwinding the stack frames that have already been unwound.

        The fix is:
        1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
           This is a more accurate description of what this runtime function
           is supposed to do i.e. it handles the exception which includes doing
           nothing (if there are no more frames to unwind).
        2. Fix up topCallFrame values so that the HostCallFrameFlag is never
           set on it.
        3. Reload the call frame register from topCallFrame when we're
           returning from a callee and detect exception handling in progress.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::unwindCallFrame):
        - Ensure that topCallFrame is not set with the HostCallFrameFlag.
        (JSC::Interpreter::getStackTrace):
        * interpreter/Interpreter.h:
        (JSC::TopCallFrameSetter::TopCallFrameSetter):
        (JSC::TopCallFrameSetter::~TopCallFrameSetter):
        (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
        - Ensure that topCallFrame is not set with the HostCallFrameFlag.
        * jit/JIT.h:
        * jit/JITExceptions.cpp:
        (JSC::uncaughtExceptionHandler):
        - Convenience function to get the handler for uncaught exceptions.
        * jit/JITExceptions.h:
        * jit/JITInlines.h:
        (JSC::JIT::reloadCallFrameFromTopCallFrame):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
        * jit/JITStubs.cpp:
        (JSC::throwExceptionFromOpCall):
        - Ensure that topCallFrame is not set with the HostCallFrameFlag.
        (JSC::cti_vm_handle_exception):
        - Check for the case when there are no more frames to unwind.
        * jit/JITStubs.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsMIPS.h:
        * jit/JITStubsSH4.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:
        - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call):
        - reload cfr from topCallFrame when handling an exception.
        - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        - reload cfr from topCallFrame when handling an exception.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        - Ensure that topCallFrame is not set with the HostCallFrameFlag.

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Remove some code duplication.

        Rubber stamped by Mark Hahnenberg.

        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):

2013-08-15  Julien Brianceau  <jbrianceau@nds.com>

        [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
        https://bugs.webkit.org/show_bug.cgi?id=119794

        Reviewed by Filip Pizlo.

        This patch fixes ASSERT failures in debug builds for the sh4 and mips architectures.

        * dfg/DFGUseKind.h:
        (JSC::DFG::isNumerical):
        (JSC::DFG::isDouble):

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.

        Rubber stamped by Oliver Hunt.

        This was causing some test crashes for me.

        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):

2013-08-15  Brent Fulgham  <bfulgham@apple.com>

        [Windows] Clear up improper export declaration.

        * runtime/ArrayBufferView.h:

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, remove some unnecessary periods from exceptions.

        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix 32-bit build.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-08-14  Filip Pizlo  <fpizlo@apple.com>

        Typed arrays should be rewritten
        https://bugs.webkit.org/show_bug.cgi?id=119064

        Reviewed by Oliver Hunt.

        Typed arrays were previously deficient in several major ways:

        - They were defined separately in WebCore and in the jsc shell. The two
          implementations were different, and the jsc shell one was basically wrong.
          The WebCore one was quite awful, also.

        - Typed arrays were not visible to the JIT except through some weird hooks.
          For example, the JIT could not ask "what is the Structure that this typed
          array would have if I just allocated it from this global object". Also,
          it was difficult to wire any of the typed array intrinsics, because most
          of the functionality wasn't visible anywhere in JSC.

        - Typed array allocation was brain-dead. Allocating a typed array involved
          two JS objects, two GC weak handles, and three malloc allocations.

        - Neutering. It involved keeping tabs on all native views but not the view
          wrappers, even though the native views can autoneuter just by asking the
          buffer if it was neutered anytime you touch them; while the JS view
          wrappers are the ones that you really want to reach out to.

        - Common case-ing. Most typed arrays have one buffer and one view, and
          usually nobody touches the buffer. Yet we created all of that stuff
          anyway, using data structures optimized for the case where you had a lot
          of views.

        - Semantic goofs. Typed arrays should, in the future, behave like ES
          features rather than DOM features, for example when it comes to exceptions.
          Firefox already does this and I agree with them.

        This patch cleanses our codebase of these sins:

        - Typed arrays are almost entirely defined in JSC. Only the lifecycle
          management of native references to buffers is left to WebCore.

        - Allocating a typed array requires either two GC allocations (a cell and a
          copied storage vector) or one GC allocation, a malloc allocation, and a
          weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
          latter). The latter is only used for oversize arrays. Remember that before
          it was 7 allocations no matter what.

        - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
          mode/length, void* vector. Before it was a lot more than that - remember,
          there were five additional objects that did absolutely nothing for anybody.

        - Native views aren't tracked by the buffer, or by the wrappers. They are
          transient. In the future we'll probably switch to not even having them be
          malloc'd.

        - Native array buffers have an efficient way of tracking all of their JS view
          wrappers, both for neutering, and for lifecycle management. The GC
          special-cases native array buffers. This saves a bunch of grief; for example
          it means that a JS view wrapper can refer to its buffer via the butterfly,
          which would be dead by the time we went to finalize.

        - Typed array semantics now match Firefox, which also happens to be where the
          standards are going. The discussion on webkit-dev seemed to confirm that
          Chrome is also heading in this direction. This includes making
          Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
          ArrayBufferView as a JS-visible construct.

        This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
        It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
        further typed array optimizations in the JSC JITs, including inlining typed
        array allocation, inlining more of the accessors, reducing the cost of type
        checks, etc.

        An additional property of this patch is that typed arrays are mostly
        implemented using templates. This deduplicates a bunch of code, but does mean
        that we need some hacks for exporting s_info's of template classes. See
        JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
        low-impact compared to code duplication.

        Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.

        * CMakeLists.txt:
        * DerivedSources.make:
        * GNUmakefile.list.am:
        * JSCTypedArrayStubs.h: Removed.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/ByValInfo.h:
        (JSC::hasOptimizableIndexingForClassInfo):
        (JSC::jitArrayModeForClassInfo):
        (JSC::typedArrayTypeForJITArrayMode):
        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromClassInfo):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::toTypedArrayType):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::typedArrayType):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * heap/CopyToken.h:
        * heap/DeferGC.h:
        (JSC::DeferGCForAWhile::DeferGCForAWhile):
        (JSC::DeferGCForAWhile::~DeferGCForAWhile):
        * heap/GCIncomingRefCounted.h: Added.
        (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
        (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
        (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
        (JSC::GCIncomingRefCounted::incomingReferenceAt):
        (JSC::GCIncomingRefCounted::singletonFlag):
        (JSC::GCIncomingRefCounted::hasVectorOfCells):
        (JSC::GCIncomingRefCounted::hasAnyIncoming):
        (JSC::GCIncomingRefCounted::hasSingleton):
        (JSC::GCIncomingRefCounted::singleton):
        (JSC::GCIncomingRefCounted::vectorOfCells):
        * heap/GCIncomingRefCountedInlines.h: Added.
        (JSC::::addIncomingReference):
        (JSC::::filterIncomingReferences):
        * heap/GCIncomingRefCountedSet.h: Added.
        (JSC::GCIncomingRefCountedSet::size):
        * heap/GCIncomingRefCountedSetInlines.h: Added.
        (JSC::::GCIncomingRefCountedSet):
        (JSC::::~GCIncomingRefCountedSet):
        (JSC::::addReference):
        (JSC::::sweep):
        (JSC::::removeAll):
        (JSC::::removeDead):
        * heap/Heap.cpp:
        (JSC::Heap::addReference):
        (JSC::Heap::extraSize):
        (JSC::Heap::size):
        (JSC::Heap::capacity):
        (JSC::Heap::collect):
        (JSC::Heap::decrementDeferralDepth):
        (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
        * heap/Heap.h:
        * interpreter/CallFrame.h:
        (JSC::ExecState::dataViewTable):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompilePutByVal):
        (JSC::JIT::emitIntTypedArrayGetByVal):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        * runtime/ArrayBuffer.cpp:
        (JSC::ArrayBuffer::transfer):
        * runtime/ArrayBuffer.h:
        (JSC::ArrayBuffer::createAdopted):
        (JSC::ArrayBuffer::ArrayBuffer):
        (JSC::ArrayBuffer::gcSizeEstimateInBytes):
        (JSC::ArrayBuffer::pin):
        (JSC::ArrayBuffer::unpin):
        (JSC::ArrayBufferContents::tryAllocate):
        * runtime/ArrayBufferView.cpp:
        (JSC::ArrayBufferView::ArrayBufferView):
        (JSC::ArrayBufferView::~ArrayBufferView):
        (JSC::ArrayBufferView::setNeuterable):
        * runtime/ArrayBufferView.h:
        (JSC::ArrayBufferView::isNeutered):
        (JSC::ArrayBufferView::buffer):
        (JSC::ArrayBufferView::baseAddress):
        (JSC::ArrayBufferView::byteOffset):
        (JSC::ArrayBufferView::verifySubRange):
        (JSC::ArrayBufferView::clampOffsetAndNumElements):
        (JSC::ArrayBufferView::calculateOffsetAndLength):
        * runtime/ClassInfo.h:
        * runtime/CommonIdentifiers.h:
        * runtime/DataView.cpp: Added.
        (JSC::DataView::DataView):
        (JSC::DataView::create):
        (JSC::DataView::wrap):
        * runtime/DataView.h: Added.
        (JSC::DataView::byteLength):
        (JSC::DataView::getType):
        (JSC::DataView::get):
        (JSC::DataView::set):
        * runtime/Float32Array.h:
        * runtime/Float64Array.h:
        * runtime/GenericTypedArrayView.h: Added.
        (JSC::GenericTypedArrayView::data):
        (JSC::GenericTypedArrayView::set):
        (JSC::GenericTypedArrayView::setRange):
        (JSC::GenericTypedArrayView::zeroRange):
        (JSC::GenericTypedArrayView::zeroFill):
        (JSC::GenericTypedArrayView::length):
        (JSC::GenericTypedArrayView::byteLength):
        (JSC::GenericTypedArrayView::item):
        (JSC::GenericTypedArrayView::checkInboundData):
        (JSC::GenericTypedArrayView::getType):
        * runtime/GenericTypedArrayViewInlines.h: Added.
        (JSC::::GenericTypedArrayView):
        (JSC::::create):
        (JSC::::createUninitialized):
        (JSC::::subarray):
        (JSC::::wrap):
        * runtime/IndexingHeader.h:
        (JSC::IndexingHeader::arrayBuffer):
        (JSC::IndexingHeader::setArrayBuffer):
        * runtime/Int16Array.h:
        * runtime/Int32Array.h:
        * runtime/Int8Array.h:
        * runtime/JSArrayBuffer.cpp: Added.
        (JSC::JSArrayBuffer::JSArrayBuffer):
        (JSC::JSArrayBuffer::finishCreation):
        (JSC::JSArrayBuffer::create):
        (JSC::JSArrayBuffer::createStructure):
        (JSC::JSArrayBuffer::getOwnPropertySlot):
        (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
        (JSC::JSArrayBuffer::put):
        (JSC::JSArrayBuffer::defineOwnProperty):
        (JSC::JSArrayBuffer::deleteProperty):
        (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
        * runtime/JSArrayBuffer.h: Added.
        (JSC::JSArrayBuffer::impl):
        (JSC::toArrayBuffer):
        * runtime/JSArrayBufferConstructor.cpp: Added.
        (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
        (JSC::JSArrayBufferConstructor::finishCreation):
        (JSC::JSArrayBufferConstructor::create):
        (JSC::JSArrayBufferConstructor::createStructure):
        (JSC::constructArrayBuffer):
        (JSC::JSArrayBufferConstructor::getConstructData):
        (JSC::JSArrayBufferConstructor::getCallData):
        * runtime/JSArrayBufferConstructor.h: Added.
        * runtime/JSArrayBufferPrototype.cpp: Added.
        (JSC::arrayBufferProtoFuncSlice):
        (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
        (JSC::JSArrayBufferPrototype::finishCreation):
        (JSC::JSArrayBufferPrototype::create):
        (JSC::JSArrayBufferPrototype::createStructure):
        * runtime/JSArrayBufferPrototype.h: Added.
        * runtime/JSArrayBufferView.cpp: Added.
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        (JSC::JSArrayBufferView::JSArrayBufferView):
        (JSC::JSArrayBufferView::finishCreation):
        (JSC::JSArrayBufferView::getOwnPropertySlot):
        (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
        (JSC::JSArrayBufferView::put):
        (JSC::JSArrayBufferView::defineOwnProperty):
        (JSC::JSArrayBufferView::deleteProperty):
        (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
        (JSC::JSArrayBufferView::finalize):
        * runtime/JSArrayBufferView.h: Added.
        (JSC::JSArrayBufferView::sizeOf):
        (JSC::JSArrayBufferView::ConstructionContext::operator!):
        (JSC::JSArrayBufferView::ConstructionContext::structure):
        (JSC::JSArrayBufferView::ConstructionContext::vector):
        (JSC::JSArrayBufferView::ConstructionContext::length):
        (JSC::JSArrayBufferView::ConstructionContext::mode):
        (JSC::JSArrayBufferView::ConstructionContext::butterfly):
        (JSC::JSArrayBufferView::mode):
        (JSC::JSArrayBufferView::vector):
        (JSC::JSArrayBufferView::length):
        (JSC::JSArrayBufferView::offsetOfVector):
        (JSC::JSArrayBufferView::offsetOfLength):
        (JSC::JSArrayBufferView::offsetOfMode):
        * runtime/JSArrayBufferViewInlines.h: Added.
        (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
        (JSC::JSArrayBufferView::buffer):
        (JSC::JSArrayBufferView::impl):
        (JSC::JSArrayBufferView::neuter):
        (JSC::JSArrayBufferView::byteOffset):
        * runtime/JSCell.cpp:
        (JSC::JSCell::slowDownAndWasteMemory):
        (JSC::JSCell::getTypedArrayImpl):
        * runtime/JSCell.h:
        * runtime/JSDataView.cpp: Added.
        (JSC::JSDataView::JSDataView):
        (JSC::JSDataView::create):
        (JSC::JSDataView::createUninitialized):
        (JSC::JSDataView::set):
        (JSC::JSDataView::typedImpl):
        (JSC::JSDataView::getOwnPropertySlot):
        (JSC::JSDataView::getOwnPropertyDescriptor):
        (JSC::JSDataView::slowDownAndWasteMemory):
        (JSC::JSDataView::getTypedArrayImpl):
        (JSC::JSDataView::createStructure):
        * runtime/JSDataView.h: Added.
        * runtime/JSDataViewPrototype.cpp: Added.
        (JSC::JSDataViewPrototype::JSDataViewPrototype):
        (JSC::JSDataViewPrototype::create):
        (JSC::JSDataViewPrototype::createStructure):
        (JSC::JSDataViewPrototype::getOwnPropertySlot):
        (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
        (JSC::getData):
        (JSC::setData):
        (JSC::dataViewProtoFuncGetInt8):
        (JSC::dataViewProtoFuncGetInt16):
        (JSC::dataViewProtoFuncGetInt32):
        (JSC::dataViewProtoFuncGetUint8):
        (JSC::dataViewProtoFuncGetUint16):
        (JSC::dataViewProtoFuncGetUint32):
        (JSC::dataViewProtoFuncGetFloat32):
        (JSC::dataViewProtoFuncGetFloat64):
        (JSC::dataViewProtoFuncSetInt8):
        (JSC::dataViewProtoFuncSetInt16):
        (JSC::dataViewProtoFuncSetInt32):
        (JSC::dataViewProtoFuncSetUint8):
        (JSC::dataViewProtoFuncSetUint16):
        (JSC::dataViewProtoFuncSetUint32):
        (JSC::dataViewProtoFuncSetFloat32):
        (JSC::dataViewProtoFuncSetFloat64):
        * runtime/JSDataViewPrototype.h: Added.
        * runtime/JSFloat32Array.h: Added.
        * runtime/JSFloat64Array.h: Added.
        * runtime/JSGenericTypedArrayView.h: Added.
        (JSC::JSGenericTypedArrayView::byteLength):
        (JSC::JSGenericTypedArrayView::byteSize):
        (JSC::JSGenericTypedArrayView::typedVector):
        (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
        (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
        (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
        (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
        (JSC::JSGenericTypedArrayView::getIndexQuickly):
        (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
        (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
        (JSC::JSGenericTypedArrayView::setIndexQuickly):
        (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
        (JSC::JSGenericTypedArrayView::typedImpl):
        (JSC::JSGenericTypedArrayView::createStructure):
        (JSC::JSGenericTypedArrayView::info):
        (JSC::toNativeTypedView):
        * runtime/JSGenericTypedArrayViewConstructor.h: Added.
        * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
        (JSC::::JSGenericTypedArrayViewConstructor):
        (JSC::::finishCreation):
        (JSC::::create):
        (JSC::::createStructure):
        (JSC::constructGenericTypedArrayView):
        (JSC::::getConstructData):
        (JSC::::getCallData):
        * runtime/JSGenericTypedArrayViewInlines.h: Added.
        (JSC::::JSGenericTypedArrayView):
        (JSC::::create):
        (JSC::::createUninitialized):
        (JSC::::validateRange):
        (JSC::::setWithSpecificType):
        (JSC::::set):
        (JSC::::getOwnPropertySlot):
        (JSC::::getOwnPropertyDescriptor):
        (JSC::::put):
        (JSC::::defineOwnProperty):
        (JSC::::deleteProperty):
        (JSC::::getOwnPropertySlotByIndex):
        (JSC::::putByIndex):
        (JSC::::deletePropertyByIndex):
        (JSC::::getOwnNonIndexPropertyNames):
        (JSC::::getOwnPropertyNames):
        (JSC::::visitChildren):
        (JSC::::copyBackingStore):
        (JSC::::slowDownAndWasteMemory):
        (JSC::::getTypedArrayImpl):
        * runtime/JSGenericTypedArrayViewPrototype.h: Added.
        * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
        (JSC::genericTypedArrayViewProtoFuncSet):
        (JSC::genericTypedArrayViewProtoFuncSubarray):
        (JSC::::JSGenericTypedArrayViewPrototype):
        (JSC::::finishCreation):
        (JSC::::create):
        (JSC::::createStructure):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::arrayBufferPrototype):
        (JSC::JSGlobalObject::arrayBufferStructure):
        (JSC::JSGlobalObject::typedArrayStructure):
        * runtime/JSInt16Array.h: Added.
        * runtime/JSInt32Array.h: Added.
        * runtime/JSInt8Array.h: Added.
        * runtime/JSTypedArrayConstructors.cpp: Added.
        * runtime/JSTypedArrayConstructors.h: Added.
        * runtime/JSTypedArrayPrototypes.cpp: Added.
        * runtime/JSTypedArrayPrototypes.h: Added.
        * runtime/JSTypedArrays.cpp: Added.
        * runtime/JSTypedArrays.h: Added.
        * runtime/JSUint16Array.h: Added.
        * runtime/JSUint32Array.h: Added.
        * runtime/JSUint8Array.h: Added.
        * runtime/JSUint8ClampedArray.h: Added.
        * runtime/Operations.h:
        * runtime/Options.h:
        * runtime/SimpleTypedArrayController.cpp: Added.
        (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
        (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
        (JSC::SimpleTypedArrayController::toJS):
        * runtime/SimpleTypedArrayController.h: Added.
        * runtime/Structure.h:
        (JSC::Structure::couldHaveIndexingHeader):
        * runtime/StructureInlines.h:
        (JSC::Structure::hasIndexingHeader):
        * runtime/TypedArrayAdaptors.h: Added.
        (JSC::IntegralTypedArrayAdaptor::toNative):
        (JSC::IntegralTypedArrayAdaptor::toJSValue):
        (JSC::IntegralTypedArrayAdaptor::toDouble):
        (JSC::FloatTypedArrayAdaptor::toNative):
        (JSC::FloatTypedArrayAdaptor::toJSValue):
        (JSC::FloatTypedArrayAdaptor::toDouble):
        (JSC::Uint8ClampedAdaptor::toNative):
        (JSC::Uint8ClampedAdaptor::toJSValue):
        (JSC::Uint8ClampedAdaptor::toDouble):
        (JSC::Uint8ClampedAdaptor::clamp):
        * runtime/TypedArrayController.cpp: Added.
        (JSC::TypedArrayController::TypedArrayController):
        (JSC::TypedArrayController::~TypedArrayController):
        * runtime/TypedArrayController.h: Added.
        * runtime/TypedArrayDescriptor.h: Removed.
        * runtime/TypedArrayInlines.h: Added.
        * runtime/TypedArrayType.cpp: Added.
        (JSC::classInfoForType):
        (WTF::printInternal):
        * runtime/TypedArrayType.h: Added.
        (JSC::toIndex):
        (JSC::isTypedView):
        (JSC::elementSize):
        (JSC::isInt):
        (JSC::isFloat):
        (JSC::isSigned):
        (JSC::isClamped):
        * runtime/TypedArrays.h: Added.
        * runtime/Uint16Array.h:
        * runtime/Uint32Array.h:
        * runtime/Uint8Array.h:
        * runtime/Uint8ClampedArray.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:
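
Editor's added example, not code from this ChangeLog entry or from JSC: the script-visible typed array semantics the entry says now follow Firefox and the ES direction (Uint8ClampedArray no longer a subtype of Uint8Array, no ArrayBufferView constructor, clamping versus wrapping conversion, and neutering of every view when a buffer goes away), checked from JavaScript on a current engine. It runs under Node.js 15 or later or in a browser; the detach helper neuters a buffer by transferring it over a MessageChannel, which is an assumption of this example and not a mechanism the entry describes.

```javascript
// Added example (not JSC code): observable typed-array semantics checked
// from script. Assumes a global MessageChannel (Node.js 15+ or a browser)
// for the detach helper; everything else is plain ECMAScript.

// Element conversion. Uint8ClampedArray saturates to 0..255 and rounds
// half to even; Uint8Array truncates toward zero and reduces modulo 256.
function convert(values) {
  return {
    clamped: Array.from(new Uint8ClampedArray(values)),
    wrapped: Array.from(new Uint8Array(values)),
  };
}

// Prototype hierarchy: Uint8ClampedArray is a sibling of Uint8Array under a
// common %TypedArray%.prototype, not a subclass of it, and no ArrayBufferView
// constructor is reachable from script.
function hierarchy() {
  const clamped = new Uint8ClampedArray(1);
  return {
    clampedIsUint8: clamped instanceof Uint8Array,
    sharedParent:
      Object.getPrototypeOf(Uint8ClampedArray.prototype) ===
      Object.getPrototypeOf(Uint8Array.prototype),
    arrayBufferViewVisible: typeof globalThis.ArrayBufferView !== "undefined",
  };
}

// Several views over one buffer: subarray() returns a second view on the same
// backing store, so a write through one is visible through the other.
function aliasing() {
  const buf = new ArrayBuffer(8);
  const whole = new Uint8Array(buf);
  const tail = whole.subarray(4); // bytes 4..7 of the same buffer
  tail[0] = 0xab;
  return {
    sameBuffer: tail.buffer === buf,
    seenThroughWhole: whole[4],
    tailOffset: tail.byteOffset,
  };
}

// Neutering (detaching): transferring the buffer empties it synchronously.
// The ports are closed immediately so the process can exit.
function detach(buffer) {
  const { port1, port2 } = new MessageChannel();
  port1.postMessage(buffer, [buffer]); // second argument is the transfer list
  port1.close();
  port2.close();
}

// After the buffer is gone, every view on it must report length 0, element
// reads must return undefined, and DataView accessors must throw a TypeError
// rather than read from the old backing store.
function neuterAllViews() {
  const buf = new ArrayBuffer(16);
  const u8 = new Uint8Array(buf);
  const f32 = new Float32Array(buf, 4, 2); // byte offset 4, two elements
  const dv = new DataView(buf, 8);
  u8[0] = 1;
  detach(buf);
  let dataViewThrows = false;
  try {
    dv.getUint8(0);
  } catch (e) {
    dataViewThrows = e instanceof TypeError;
  }
  return {
    bufferLength: buf.byteLength,
    u8Length: u8.length,
    f32Length: f32.length,
    u8Read: u8[0],
    dataViewThrows,
  };
}
```

The detach check is the one worth keeping around as a regression test: once a buffer has been transferred, every view's length reads 0 and element reads come back undefined instead of touching the old backing store. That is the invariant the entry's neutering redesign (tracking JS view wrappers from the buffer rather than native views) has to preserve, because a wrapper that kept its vector pointer after the buffer was released would be a use-after-free reachable from script.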

2013-08-15  Oliver Hunt  <oliver@apple.com>

        <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure

        Reviewed by Filip Pizlo.

        Make sure dfgCapabilities doesn't report a Dynamic put as
        being compilable when we don't actually support it.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):

2013-08-15  Brent Fulgham  <bfulgham@apple.com>

        [Windows] Incorrect DLL Linkage for JSC ArrayBuffer and ArrayBufferView
        https://bugs.webkit.org/show_bug.cgi?id=119847

        Reviewed by Oliver Hunt.

        * runtime/ArrayBuffer.h: Switch from WTF_EXPORT_PRIVATE to JS_EXPORT_PRIVATE
        * runtime/ArrayBufferView.h: Ditto.

2013-08-15  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=119843
        PropertySlot::setValue is ambiguous

        Reviewed by Geoff Garen.

        There are three different versions of PropertySlot::setValue, one for cacheable properties, and two that are used interchangeably and inconsistently.
        The problematic variants are the ones that just take a value, and one that takes a value and also the object containing the property.
        Unify on always providing the object, and remove the version that just takes a value.
        This always works except for JSString, where we optimize out the object (logically we should be instantiating a temporary StringObject on every property access).
        Provide a version of setValue that takes a JSString as the owner of the property.
        We won't store this, but it makes it clear that this interface should only be used from JSString.

        * API/JSCallbackObjectFunctions.h:
        (JSC::::getOwnPropertySlot):
        * JSCTypedArrayStubs.h:
        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertySlotByIndex):
        (JSC::Arguments::getOwnPropertySlot):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTableGet):
        (JSC::JSActivation::getOwnPropertySlot):
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnPropertySlot):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertySlotByIndex):
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTableGet):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayEntry::get):
            - Pass object containing property to PropertySlot::setValue
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::setValue):
            - Logically, the base of a string property access is a temporary StringObject, but we optimize that away.
        (JSC::PropertySlot::setUndefined):
            - removed setValue(JSValue), added setValue(JSString*, JSValue)

2013-08-15  Oliver Hunt  <oliver@apple.com>

        Remove bogus assertion.

        RS=Filip Pizlo

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):

2013-08-15  Allan Sandfeld Jensen  <allan.jensen@digia.com>

        REGRESSION(r148790) Made 7 tests fail on x86 32bit
        https://bugs.webkit.org/show_bug.cgi?id=114913

        Reviewed by Filip Pizlo.

        The X87 register was not freed before some calls. Instead
        of inserting resetX87Registers to the last call sites,
        the two X87 registers are now freed in every call.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/instructions.rb:
        * offlineasm/x86.rb:

2013-08-14  Michael Saboff  <msaboff@apple.com>

        Fixed jit on Win64.
        https://bugs.webkit.org/show_bug.cgi?id=119601

        Reviewed by Oliver Hunt.

        * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation.
        * jit/JSInterfaceJIT.h: Added thirdArgumentRegister.
        * jit/SlowPathCall.h:
718         (JSC::JITSlowPathCall::call): Added correct calling convention for Win64.
719
720 2013-08-14  Alex Christensen  <achristensen@apple.com>
721
722         Compile fix for Win64 with jit disabled.
723         https://bugs.webkit.org/show_bug.cgi?id=119804
724
725         Reviewed by Michael Saboff.
726
727         * offlineasm/cloop.rb: Added std:: before isnan.
728
729 2013-08-14  Julien Brianceau  <jbrianceau@nds.com>
730
731         DFG_JIT implementation for sh4 architecture.
732         https://bugs.webkit.org/show_bug.cgi?id=119737
733
734         Reviewed by Oliver Hunt.
735
736         * assembler/MacroAssemblerSH4.h:
737         (JSC::MacroAssemblerSH4::invert):
738         (JSC::MacroAssemblerSH4::add32):
739         (JSC::MacroAssemblerSH4::and32):
740         (JSC::MacroAssemblerSH4::lshift32):
741         (JSC::MacroAssemblerSH4::mul32):
742         (JSC::MacroAssemblerSH4::or32):
743         (JSC::MacroAssemblerSH4::rshift32):
744         (JSC::MacroAssemblerSH4::sub32):
745         (JSC::MacroAssemblerSH4::xor32):
746         (JSC::MacroAssemblerSH4::store32):
747         (JSC::MacroAssemblerSH4::swapDouble):
748         (JSC::MacroAssemblerSH4::storeDouble):
749         (JSC::MacroAssemblerSH4::subDouble):
750         (JSC::MacroAssemblerSH4::mulDouble):
751         (JSC::MacroAssemblerSH4::divDouble):
752         (JSC::MacroAssemblerSH4::negateDouble):
753         (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
754         (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
755         (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
756         (JSC::MacroAssemblerSH4::swap):
757         (JSC::MacroAssemblerSH4::jump):
758         (JSC::MacroAssemblerSH4::branchNeg32):
759         (JSC::MacroAssemblerSH4::branchAdd32):
760         (JSC::MacroAssemblerSH4::branchMul32):
761         (JSC::MacroAssemblerSH4::urshift32):
762         * assembler/SH4Assembler.h:
763         (JSC::SH4Assembler::SH4Assembler):
764         (JSC::SH4Assembler::labelForWatchpoint):
765         (JSC::SH4Assembler::label):
766         (JSC::SH4Assembler::debugOffset):
767         * dfg/DFGAssemblyHelpers.h:
768         (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
769         (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
770         (JSC::DFG::AssemblyHelpers::debugCall):
771         * dfg/DFGCCallHelpers.h:
772         (JSC::DFG::CCallHelpers::setupArguments):
773         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
774         * dfg/DFGFPRInfo.h:
775         (JSC::DFG::FPRInfo::toRegister):
776         (JSC::DFG::FPRInfo::toIndex):
777         (JSC::DFG::FPRInfo::debugName):
778         * dfg/DFGGPRInfo.h:
779         (JSC::DFG::GPRInfo::toRegister):
780         (JSC::DFG::GPRInfo::toIndex):
781         (JSC::DFG::GPRInfo::debugName):
782         * dfg/DFGOperations.cpp:
783         * dfg/DFGSpeculativeJIT.h:
784         (JSC::DFG::SpeculativeJIT::callOperation):
785         * jit/JITStubs.h:
786         * jit/JITStubsSH4.h:
787
788 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
789
790         Unreviewed, fix build.
791
792         * API/JSValue.mm:
793         (isDate):
794         (isArray):
795         * API/JSWrapperMap.mm:
796         (tryUnwrapObjcObject):
797         * API/ObjCCallbackFunction.mm:
798         (tryUnwrapBlock):
799
800 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
801
802         Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
803         https://bugs.webkit.org/show_bug.cgi?id=119770
804
805         Reviewed by Mark Hahnenberg.
806
807         * API/JSCallbackConstructor.cpp:
808         (JSC::JSCallbackConstructor::finishCreation):
809         * API/JSCallbackConstructor.h:
810         (JSC::JSCallbackConstructor::createStructure):
811         * API/JSCallbackFunction.cpp:
812         (JSC::JSCallbackFunction::finishCreation):
813         * API/JSCallbackFunction.h:
814         (JSC::JSCallbackFunction::createStructure):
815         * API/JSCallbackObject.cpp:
816         (JSC::::createStructure):
817         * API/JSCallbackObject.h:
818         (JSC::JSCallbackObject::visitChildren):
819         * API/JSCallbackObjectFunctions.h:
820         (JSC::::asCallbackObject):
821         (JSC::::finishCreation):
822         * API/JSObjectRef.cpp:
823         (JSObjectGetPrivate):
824         (JSObjectSetPrivate):
825         (JSObjectGetPrivateProperty):
826         (JSObjectSetPrivateProperty):
827         (JSObjectDeletePrivateProperty):
828         * API/JSValueRef.cpp:
829         (JSValueIsObjectOfClass):
830         * API/JSWeakObjectMapRefPrivate.cpp:
831         * API/ObjCCallbackFunction.h:
832         (JSC::ObjCCallbackFunction::createStructure):
833         * JSCTypedArrayStubs.h:
834         * bytecode/CallLinkStatus.cpp:
835         (JSC::CallLinkStatus::CallLinkStatus):
836         (JSC::CallLinkStatus::function):
837         (JSC::CallLinkStatus::internalFunction):
838         * bytecode/CodeBlock.h:
839         (JSC::baselineCodeBlockForInlineCallFrame):
840         * bytecode/SpeculatedType.cpp:
841         (JSC::speculationFromClassInfo):
842         * bytecode/UnlinkedCodeBlock.cpp:
843         (JSC::UnlinkedFunctionExecutable::visitChildren):
844         (JSC::UnlinkedCodeBlock::visitChildren):
845         (JSC::UnlinkedProgramCodeBlock::visitChildren):
846         * bytecode/UnlinkedCodeBlock.h:
847         (JSC::UnlinkedFunctionExecutable::createStructure):
848         (JSC::UnlinkedProgramCodeBlock::createStructure):
849         (JSC::UnlinkedEvalCodeBlock::createStructure):
850         (JSC::UnlinkedFunctionCodeBlock::createStructure):
851         * debugger/Debugger.cpp:
852         * debugger/DebuggerActivation.cpp:
853         (JSC::DebuggerActivation::visitChildren):
854         * debugger/DebuggerActivation.h:
855         (JSC::DebuggerActivation::createStructure):
856         * debugger/DebuggerCallFrame.cpp:
857         (JSC::DebuggerCallFrame::functionName):
858         * dfg/DFGAbstractInterpreterInlines.h:
859         (JSC::DFG::::executeEffects):
860         * dfg/DFGByteCodeParser.cpp:
861         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
862         (JSC::DFG::ByteCodeParser::parseBlock):
863         * dfg/DFGFixupPhase.cpp:
864         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
865         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
866         * dfg/DFGGraph.cpp:
867         (JSC::DFG::Graph::dump):
868         * dfg/DFGGraph.h:
869         (JSC::DFG::Graph::isInternalFunctionConstant):
870         * dfg/DFGOperations.cpp:
871         * dfg/DFGSpeculativeJIT.cpp:
872         (JSC::DFG::SpeculativeJIT::checkArray):
873         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
874         * dfg/DFGThunks.cpp:
875         (JSC::DFG::virtualForThunkGenerator):
876         * interpreter/Interpreter.cpp:
877         (JSC::loadVarargs):
878         * jsc.cpp:
879         (GlobalObject::createStructure):
880         * profiler/LegacyProfiler.cpp:
881         (JSC::LegacyProfiler::createCallIdentifier):
882         * runtime/Arguments.cpp:
883         (JSC::Arguments::visitChildren):
884         * runtime/Arguments.h:
885         (JSC::Arguments::createStructure):
886         (JSC::asArguments):
887         (JSC::Arguments::finishCreation):
888         * runtime/ArrayConstructor.cpp:
889         (JSC::arrayConstructorIsArray):
890         * runtime/ArrayConstructor.h:
891         (JSC::ArrayConstructor::createStructure):
892         * runtime/ArrayPrototype.cpp:
893         (JSC::ArrayPrototype::finishCreation):
894         (JSC::arrayProtoFuncConcat):
895         (JSC::attemptFastSort):
896         * runtime/ArrayPrototype.h:
897         (JSC::ArrayPrototype::createStructure):
898         * runtime/BooleanConstructor.h:
899         (JSC::BooleanConstructor::createStructure):
900         * runtime/BooleanObject.cpp:
901         (JSC::BooleanObject::finishCreation):
902         * runtime/BooleanObject.h:
903         (JSC::BooleanObject::createStructure):
904         (JSC::asBooleanObject):
905         * runtime/BooleanPrototype.cpp:
906         (JSC::BooleanPrototype::finishCreation):
907         (JSC::booleanProtoFuncToString):
908         (JSC::booleanProtoFuncValueOf):
909         * runtime/BooleanPrototype.h:
910         (JSC::BooleanPrototype::createStructure):
911         * runtime/DateConstructor.cpp:
912         (JSC::constructDate):
913         * runtime/DateConstructor.h:
914         (JSC::DateConstructor::createStructure):
915         * runtime/DateInstance.cpp:
916         (JSC::DateInstance::finishCreation):
917         * runtime/DateInstance.h:
918         (JSC::DateInstance::createStructure):
919         (JSC::asDateInstance):
920         * runtime/DatePrototype.cpp:
921         (JSC::formateDateInstance):
922         (JSC::DatePrototype::finishCreation):
923         (JSC::dateProtoFuncToISOString):
924         (JSC::dateProtoFuncToLocaleString):
925         (JSC::dateProtoFuncToLocaleDateString):
926         (JSC::dateProtoFuncToLocaleTimeString):
927         (JSC::dateProtoFuncGetTime):
928         (JSC::dateProtoFuncGetFullYear):
929         (JSC::dateProtoFuncGetUTCFullYear):
930         (JSC::dateProtoFuncGetMonth):
931         (JSC::dateProtoFuncGetUTCMonth):
932         (JSC::dateProtoFuncGetDate):
933         (JSC::dateProtoFuncGetUTCDate):
934         (JSC::dateProtoFuncGetDay):
935         (JSC::dateProtoFuncGetUTCDay):
936         (JSC::dateProtoFuncGetHours):
937         (JSC::dateProtoFuncGetUTCHours):
938         (JSC::dateProtoFuncGetMinutes):
939         (JSC::dateProtoFuncGetUTCMinutes):
940         (JSC::dateProtoFuncGetSeconds):
941         (JSC::dateProtoFuncGetUTCSeconds):
942         (JSC::dateProtoFuncGetMilliSeconds):
943         (JSC::dateProtoFuncGetUTCMilliseconds):
944         (JSC::dateProtoFuncGetTimezoneOffset):
945         (JSC::dateProtoFuncSetTime):
946         (JSC::setNewValueFromTimeArgs):
947         (JSC::setNewValueFromDateArgs):
948         (JSC::dateProtoFuncSetYear):
949         (JSC::dateProtoFuncGetYear):
950         * runtime/DatePrototype.h:
951         (JSC::DatePrototype::createStructure):
952         * runtime/Error.h:
953         (JSC::StrictModeTypeErrorFunction::createStructure):
954         * runtime/ErrorConstructor.h:
955         (JSC::ErrorConstructor::createStructure):
956         * runtime/ErrorInstance.cpp:
957         (JSC::ErrorInstance::finishCreation):
958         * runtime/ErrorInstance.h:
959         (JSC::ErrorInstance::createStructure):
960         * runtime/ErrorPrototype.cpp:
961         (JSC::ErrorPrototype::finishCreation):
962         * runtime/ErrorPrototype.h:
963         (JSC::ErrorPrototype::createStructure):
964         * runtime/ExceptionHelpers.cpp:
965         (JSC::isTerminatedExecutionException):
966         * runtime/ExceptionHelpers.h:
967         (JSC::TerminatedExecutionError::createStructure):
968         * runtime/Executable.cpp:
969         (JSC::EvalExecutable::visitChildren):
970         (JSC::ProgramExecutable::visitChildren):
971         (JSC::FunctionExecutable::visitChildren):
972         (JSC::ExecutableBase::hashFor):
973         * runtime/Executable.h:
974         (JSC::ExecutableBase::createStructure):
975         (JSC::NativeExecutable::createStructure):
976         (JSC::EvalExecutable::createStructure):
977         (JSC::ProgramExecutable::createStructure):
978         (JSC::FunctionExecutable::compileFor):
979         (JSC::FunctionExecutable::compileOptimizedFor):
980         (JSC::FunctionExecutable::createStructure):
981         * runtime/FunctionConstructor.h:
982         (JSC::FunctionConstructor::createStructure):
983         * runtime/FunctionPrototype.cpp:
984         (JSC::functionProtoFuncToString):
985         (JSC::functionProtoFuncApply):
986         (JSC::functionProtoFuncBind):
987         * runtime/FunctionPrototype.h:
988         (JSC::FunctionPrototype::createStructure):
989         * runtime/GetterSetter.cpp:
990         (JSC::GetterSetter::visitChildren):
991         * runtime/GetterSetter.h:
992         (JSC::GetterSetter::createStructure):
993         * runtime/InternalFunction.cpp:
994         (JSC::InternalFunction::finishCreation):
995         * runtime/InternalFunction.h:
996         (JSC::InternalFunction::createStructure):
997         (JSC::asInternalFunction):
998         * runtime/JSAPIValueWrapper.h:
999         (JSC::JSAPIValueWrapper::createStructure):
1000         * runtime/JSActivation.cpp:
1001         (JSC::JSActivation::visitChildren):
1002         (JSC::JSActivation::argumentsGetter):
1003         * runtime/JSActivation.h:
1004         (JSC::JSActivation::createStructure):
1005         (JSC::asActivation):
1006         * runtime/JSArray.h:
1007         (JSC::JSArray::createStructure):
1008         (JSC::asArray):
1009         (JSC::isJSArray):
1010         * runtime/JSBoundFunction.cpp:
1011         (JSC::JSBoundFunction::finishCreation):
1012         (JSC::JSBoundFunction::visitChildren):
1013         * runtime/JSBoundFunction.h:
1014         (JSC::JSBoundFunction::createStructure):
1015         * runtime/JSCJSValue.cpp:
1016         (JSC::JSValue::dumpInContext):
1017         * runtime/JSCJSValueInlines.h:
1018         (JSC::JSValue::isFunction):
1019         * runtime/JSCell.h:
1020         (JSC::jsCast):
1021         (JSC::jsDynamicCast):
1022         * runtime/JSCellInlines.h:
1023         (JSC::allocateCell):
1024         * runtime/JSFunction.cpp:
1025         (JSC::JSFunction::finishCreation):
1026         (JSC::JSFunction::visitChildren):
1027         (JSC::skipOverBoundFunctions):
1028         (JSC::JSFunction::callerGetter):
1029         * runtime/JSFunction.h:
1030         (JSC::JSFunction::createStructure):
1031         * runtime/JSGlobalObject.cpp:
1032         (JSC::JSGlobalObject::visitChildren):
1033         (JSC::slowValidateCell):
1034         * runtime/JSGlobalObject.h:
1035         (JSC::JSGlobalObject::createStructure):
1036         * runtime/JSNameScope.cpp:
1037         (JSC::JSNameScope::visitChildren):
1038         * runtime/JSNameScope.h:
1039         (JSC::JSNameScope::createStructure):
1040         * runtime/JSNotAnObject.h:
1041         (JSC::JSNotAnObject::createStructure):
1042         * runtime/JSONObject.cpp:
1043         (JSC::JSONObject::finishCreation):
1044         (JSC::unwrapBoxedPrimitive):
1045         (JSC::Stringifier::Stringifier):
1046         (JSC::Stringifier::appendStringifiedValue):
1047         (JSC::Stringifier::Holder::Holder):
1048         (JSC::Walker::walk):
1049         (JSC::JSONProtoFuncStringify):
1050         * runtime/JSONObject.h:
1051         (JSC::JSONObject::createStructure):
1052         * runtime/JSObject.cpp:
1053         (JSC::getCallableObjectSlow):
1054         (JSC::JSObject::visitChildren):
1055         (JSC::JSObject::copyBackingStore):
1056         (JSC::JSFinalObject::visitChildren):
1057         (JSC::JSObject::ensureInt32Slow):
1058         (JSC::JSObject::ensureDoubleSlow):
1059         (JSC::JSObject::ensureContiguousSlow):
1060         (JSC::JSObject::ensureArrayStorageSlow):
1061         * runtime/JSObject.h:
1062         (JSC::JSObject::finishCreation):
1063         (JSC::JSObject::createStructure):
1064         (JSC::JSNonFinalObject::createStructure):
1065         (JSC::JSFinalObject::createStructure):
1066         (JSC::isJSFinalObject):
1067         * runtime/JSPropertyNameIterator.cpp:
1068         (JSC::JSPropertyNameIterator::visitChildren):
1069         * runtime/JSPropertyNameIterator.h:
1070         (JSC::JSPropertyNameIterator::createStructure):
1071         * runtime/JSProxy.cpp:
1072         (JSC::JSProxy::visitChildren):
1073         * runtime/JSProxy.h:
1074         (JSC::JSProxy::createStructure):
1075         * runtime/JSScope.cpp:
1076         (JSC::JSScope::visitChildren):
1077         * runtime/JSSegmentedVariableObject.cpp:
1078         (JSC::JSSegmentedVariableObject::visitChildren):
1079         * runtime/JSString.h:
1080         (JSC::JSString::createStructure):
1081         (JSC::isJSString):
1082         * runtime/JSSymbolTableObject.cpp:
1083         (JSC::JSSymbolTableObject::visitChildren):
1084         * runtime/JSVariableObject.h:
1085         * runtime/JSWithScope.cpp:
1086         (JSC::JSWithScope::visitChildren):
1087         * runtime/JSWithScope.h:
1088         (JSC::JSWithScope::createStructure):
1089         * runtime/JSWrapperObject.cpp:
1090         (JSC::JSWrapperObject::visitChildren):
1091         * runtime/JSWrapperObject.h:
1092         (JSC::JSWrapperObject::createStructure):
1093         * runtime/MathObject.cpp:
1094         (JSC::MathObject::finishCreation):
1095         * runtime/MathObject.h:
1096         (JSC::MathObject::createStructure):
1097         * runtime/NameConstructor.h:
1098         (JSC::NameConstructor::createStructure):
1099         * runtime/NameInstance.h:
1100         (JSC::NameInstance::createStructure):
1101         (JSC::NameInstance::finishCreation):
1102         * runtime/NamePrototype.cpp:
1103         (JSC::NamePrototype::finishCreation):
1104         (JSC::privateNameProtoFuncToString):
1105         * runtime/NamePrototype.h:
1106         (JSC::NamePrototype::createStructure):
1107         * runtime/NativeErrorConstructor.cpp:
1108         (JSC::NativeErrorConstructor::visitChildren):
1109         * runtime/NativeErrorConstructor.h:
1110         (JSC::NativeErrorConstructor::createStructure):
1111         (JSC::NativeErrorConstructor::finishCreation):
1112         * runtime/NumberConstructor.cpp:
1113         (JSC::NumberConstructor::finishCreation):
1114         * runtime/NumberConstructor.h:
1115         (JSC::NumberConstructor::createStructure):
1116         * runtime/NumberObject.cpp:
1117         (JSC::NumberObject::finishCreation):
1118         * runtime/NumberObject.h:
1119         (JSC::NumberObject::createStructure):
1120         * runtime/NumberPrototype.cpp:
1121         (JSC::NumberPrototype::finishCreation):
1122         * runtime/NumberPrototype.h:
1123         (JSC::NumberPrototype::createStructure):
1124         * runtime/ObjectConstructor.h:
1125         (JSC::ObjectConstructor::createStructure):
1126         * runtime/ObjectPrototype.cpp:
1127         (JSC::ObjectPrototype::finishCreation):
1128         * runtime/ObjectPrototype.h:
1129         (JSC::ObjectPrototype::createStructure):
1130         * runtime/PropertyMapHashTable.h:
1131         (JSC::PropertyTable::createStructure):
1132         * runtime/PropertyTable.cpp:
1133         (JSC::PropertyTable::visitChildren):
1134         * runtime/RegExp.h:
1135         (JSC::RegExp::createStructure):
1136         * runtime/RegExpConstructor.cpp:
1137         (JSC::RegExpConstructor::finishCreation):
1138         (JSC::RegExpConstructor::visitChildren):
1139         (JSC::constructRegExp):
1140         * runtime/RegExpConstructor.h:
1141         (JSC::RegExpConstructor::createStructure):
1142         (JSC::asRegExpConstructor):
1143         * runtime/RegExpMatchesArray.cpp:
1144         (JSC::RegExpMatchesArray::visitChildren):
1145         * runtime/RegExpMatchesArray.h:
1146         (JSC::RegExpMatchesArray::createStructure):
1147         * runtime/RegExpObject.cpp:
1148         (JSC::RegExpObject::finishCreation):
1149         (JSC::RegExpObject::visitChildren):
1150         * runtime/RegExpObject.h:
1151         (JSC::RegExpObject::createStructure):
1152         (JSC::asRegExpObject):
1153         * runtime/RegExpPrototype.cpp:
1154         (JSC::regExpProtoFuncTest):
1155         (JSC::regExpProtoFuncExec):
1156         (JSC::regExpProtoFuncCompile):
1157         (JSC::regExpProtoFuncToString):
1158         * runtime/RegExpPrototype.h:
1159         (JSC::RegExpPrototype::createStructure):
1160         * runtime/SparseArrayValueMap.cpp:
1161         (JSC::SparseArrayValueMap::createStructure):
1162         * runtime/SparseArrayValueMap.h:
1163         * runtime/StrictEvalActivation.h:
1164         (JSC::StrictEvalActivation::createStructure):
1165         * runtime/StringConstructor.h:
1166         (JSC::StringConstructor::createStructure):
1167         * runtime/StringObject.cpp:
1168         (JSC::StringObject::finishCreation):
1169         * runtime/StringObject.h:
1170         (JSC::StringObject::createStructure):
1171         (JSC::asStringObject):
1172         * runtime/StringPrototype.cpp:
1173         (JSC::StringPrototype::finishCreation):
1174         (JSC::stringProtoFuncReplace):
1175         (JSC::stringProtoFuncToString):
1176         (JSC::stringProtoFuncMatch):
1177         (JSC::stringProtoFuncSearch):
1178         (JSC::stringProtoFuncSplit):
1179         * runtime/StringPrototype.h:
1180         (JSC::StringPrototype::createStructure):
1181         * runtime/Structure.cpp:
1182         (JSC::Structure::Structure):
1183         (JSC::Structure::materializePropertyMap):
1184         (JSC::Structure::get):
1185         (JSC::Structure::visitChildren):
1186         * runtime/Structure.h:
1187         (JSC::Structure::typeInfo):
1188         (JSC::Structure::previousID):
1189         (JSC::Structure::outOfLineSize):
1190         (JSC::Structure::totalStorageCapacity):
1191         (JSC::Structure::materializePropertyMapIfNecessary):
1192         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
1193         * runtime/StructureChain.cpp:
1194         (JSC::StructureChain::visitChildren):
1195         * runtime/StructureChain.h:
1196         (JSC::StructureChain::createStructure):
1197         * runtime/StructureInlines.h:
1198         (JSC::Structure::get):
1199         * runtime/StructureRareData.cpp:
1200         (JSC::StructureRareData::createStructure):
1201         (JSC::StructureRareData::visitChildren):
1202         * runtime/StructureRareData.h:
1203         * runtime/SymbolTable.h:
1204         (JSC::SharedSymbolTable::createStructure):
1205         * runtime/VM.cpp:
1206         (JSC::VM::VM):
1207         (JSC::StackPreservingRecompiler::operator()):
1208         (JSC::VM::releaseExecutableMemory):
1209         * runtime/WriteBarrier.h:
1210         (JSC::validateCell):
1211         * testRegExp.cpp:
1212         (GlobalObject::createStructure):
1213
1214 2013-08-13  Arunprasad Rajkumar  <arurajku@cisco.com>
1215
1216         [WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places
1217         https://bugs.webkit.org/show_bug.cgi?id=119762
1218
1219         Reviewed by Geoffrey Garen.
1220
1221         * heap/Heap.cpp:
1222         (JSC::Heap::Heap):
1223         (JSC::Heap::markRoots):
1224         (JSC::Heap::collect):
1225         * jsc.cpp:
1226         (StopWatch::start):
1227         (StopWatch::stop):
1228         * testRegExp.cpp:
1229         (StopWatch::start):
1230         (StopWatch::stop):
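
        Why a monotonic clock matters for the StopWatch and Heap timing above, as an added example (not JSC's code): a hypothetical StopWatch templated on the clock type, measured once against std::chrono::steady_clock and once against a constructed SimulatedWallClock that is stepped back by one second mid-measurement, the way an NTP correction or a user changing the system time would step currentTime(). The SimulatedWallClock, the StopWatch and the helper function names are all assumptions for the demonstration.

```cpp
#include <chrono>
#include <utility>

// Hypothetical stopwatch over any clock type; the choice of clock is the point.
template<typename Clock>
class StopWatch {
public:
    void start() { m_start = Clock::now(); }
    // Elapsed seconds since start(); negative if the clock was stepped backwards.
    double stop() const
    {
        return std::chrono::duration<double>(Clock::now() - m_start).count();
    }
private:
    typename Clock::time_point m_start;
};

// Constructed stand-in for a system (wall) clock: the steady clock plus an
// adjustable offset, so a test can "step" it the way NTP or a user can step
// the real system time. std::chrono::system_clock itself cannot be stepped
// from user code, which is why this simulation exists.
struct SimulatedWallClock {
    using rep = long long;
    using period = std::nano;
    using duration = std::chrono::nanoseconds;
    using time_point = std::chrono::time_point<SimulatedWallClock>;
    static constexpr bool is_steady = false;

    static long long& adjustmentNanoseconds()
    {
        static long long adjustment = 0;
        return adjustment;
    }

    static time_point now()
    {
        auto base = std::chrono::duration_cast<duration>(
            std::chrono::steady_clock::now().time_since_epoch());
        return time_point(base + duration(adjustmentNanoseconds()));
    }
};

// Times the same interval with both clocks while the wall clock is stepped
// back by one second part-way through. Returns {wallSeconds, monotonicSeconds}.
std::pair<double, double> elapsedAcrossClockStep()
{
    StopWatch<SimulatedWallClock> wall;
    StopWatch<std::chrono::steady_clock> monotonic;
    SimulatedWallClock::adjustmentNanoseconds() = 0;

    wall.start();
    monotonic.start();

    // The "system time" jumps backwards by 1s while we are timing.
    SimulatedWallClock::adjustmentNanoseconds() -= 1000000000LL;

    double wallSeconds = wall.stop();
    double monotonicSeconds = monotonic.stop();
    SimulatedWallClock::adjustmentNanoseconds() = 0; // restore for later callers
    return { wallSeconds, monotonicSeconds };
}

// A GC pacing heuristic or benchmark fed the wall-clock value would see a
// negative (or wildly wrong) duration; the monotonic value stays sane.
bool wallClockWentNegative() { return elapsedAcrossClockStep().first < 0.0; }
bool monotonicStayedNonNegative() { return elapsedAcrossClockStep().second >= 0.0; }
```

        The same hazard applies in the other direction: a forward step inflates the measured interval, which for Heap::collect would look like an unusually slow collection and skew any heuristic built on it.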
1231
1232 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
1233
1234         [sh4] Prepare LLINT for DFG_JIT implementation.
1235         https://bugs.webkit.org/show_bug.cgi?id=119755
1236
1237         Reviewed by Oliver Hunt.
1238
1239         * LLIntOffsetsExtractor.pro: Add sh4.rb dependency.
1240         * offlineasm/sh4.rb:
1241             - Handle storeb opcode.
1242             - Make relative jumps when possible using braf opcode.
1243             - Update bmulio implementation to be consistent with baseline JIT.
1244             - Remove useless code from leap opcode.
1245             - Fix incorrect comment.
1246
1247 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
1248
1249         [sh4] Prepare baseline JIT for DFG_JIT implementation.
1250         https://bugs.webkit.org/show_bug.cgi?id=119758
1251
1252         Reviewed by Oliver Hunt.
1253
1254         * assembler/MacroAssemblerSH4.h:
1255             - Introduce a loadEffectiveAddress function to avoid code duplication.
1256             - Add ASSERTs and clean code.
1257         * assembler/SH4Assembler.h:
1258             - Prepare DFG_JIT implementation.
1259             - Add ASSERTs.
1260         * jit/JITStubs.cpp:
1261             - Add SH4 specific call for assertions.
1262         * jit/JITStubs.h:
1263             - Cosmetic change.
1264         * jit/JITStubsSH4.h:
1265             - Use constants to be more flexible with sh4 JIT stack frame.
1266         * jit/JSInterfaceJIT.h:
1267             - Cosmetic change.
1268
1269 2013-08-13  Oliver Hunt  <oliver@apple.com>
1270
1271         Harden executeConstruct against incorrect return types from host functions
1272         https://bugs.webkit.org/show_bug.cgi?id=119757
1273
1274         Reviewed by Mark Hahnenberg.
1275
1276         Add logic to guard against bogus return types.  There doesn't seem to be any
1277         class in WebKit that does this wrong, but the typed array stubs in debug JSC
1278         do exhibit this bad behaviour.
1279
1280         * interpreter/Interpreter.cpp:
1281         (JSC::Interpreter::executeConstruct):
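
        The hardening described above, shown as an added example rather than JSC's own Interpreter::executeConstruct: a hypothetical minimal value model (a std::variant standing in for tagged values) with an unchecked construct path beside a checked one. The checked path rejects a host constructor that returns a primitive at the host/engine boundary; the unchecked path lets the primitive flow into downstream code that assumes it holds an object, which in this toy model fails loudly but in an engine with raw casts would be a type confusion. The Object/Value types, the constructor samples and the helper names are all assumptions for the demonstration.

```cpp
#include <functional>
#include <memory>
#include <stdexcept>
#include <string>
#include <variant>
#include <vector>

// Hypothetical minimal value model: an Object is heap-allocated, everything
// else is a primitive.
struct Object {
    std::string className;
};
using Value = std::variant<std::monostate, double, std::string, std::shared_ptr<Object>>;

bool isObject(const Value& v)
{
    return std::holds_alternative<std::shared_ptr<Object>>(v);
}

// A host (native) constructor: the engine calls it and uses the result as the
// newly constructed object.
using NativeConstructor = std::function<Value(const std::vector<Value>& args)>;

struct TypeError : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Unhardened path: whatever the host function returns is handed back as "the
// constructed object", so a buggy host constructor can smuggle a primitive
// into code that will treat the value as an object.
Value executeConstructUnchecked(const NativeConstructor& ctor, const std::vector<Value>& args)
{
    return ctor(args);
}

// Hardened path: a construct call must produce an object. A non-object return
// is rejected at the boundary, before any downstream cast happens.
Value executeConstructChecked(const NativeConstructor& ctor, const std::vector<Value>& args)
{
    Value result = ctor(args);
    if (!isObject(result))
        throw TypeError("host constructor returned a non-object value");
    return result;
}

// Downstream code that assumes the construct result is an object. std::get
// throws here; a raw cast in a real engine would silently misinterpret memory.
std::string classNameOfConstructed(const Value& constructed)
{
    return std::get<std::shared_ptr<Object>>(constructed)->className;
}

// Constructed sample host constructors for the demonstration.
Value wellBehavedConstructor(const std::vector<Value>&)
{
    return std::make_shared<Object>(Object { "SampleArray" });
}

Value bogusConstructor(const std::vector<Value>&)
{
    return 42.0; // returns a primitive instead of an object
}

// True when the hardened path rejects a primitive return.
bool hardenedRejectsPrimitive()
{
    try {
        executeConstructChecked(bogusConstructor, {});
    } catch (const TypeError&) {
        return true;
    }
    return false;
}

// True when the hardened path passes a real object through untouched.
bool hardenedAcceptsObject()
{
    Value v = executeConstructChecked(wellBehavedConstructor, {});
    return isObject(v) && classNameOfConstructed(v) == "SampleArray";
}

// True when the unchecked path lets the primitive reach the downstream cast,
// i.e. the failure surfaces far from the host function that caused it.
bool uncheckedLeaksPrimitiveDownstream()
{
    Value v = executeConstructUnchecked(bogusConstructor, {});
    try {
        classNameOfConstructed(v);
    } catch (const std::bad_variant_access&) {
        return true;
    }
    return false;
}
```

        The check is cheap (one tag test per construct call) and it turns a latent type confusion in every consumer of the construct result into a single, attributable error at the point where untrusted host code hands a value back to the engine.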
1282
1283 2013-08-13  Allan Sandfeld Jensen  <allan.jensen@digia.com>
1284
1285         [Qt] Fix C++11 build with gcc 4.4 and 4.5
1286         https://bugs.webkit.org/show_bug.cgi?id=119736
1287
1288         Reviewed by Anders Carlsson.
1289
1290         Don't force C++11 mode off anymore.
1291
1292         * Target.pri:
1293
1294 2013-08-12  Oliver Hunt  <oliver@apple.com>
1295
1296         Remove CodeBlock's notion of adding identifiers entirely
1297         https://bugs.webkit.org/show_bug.cgi?id=119708
1298
1299         Reviewed by Geoffrey Garen.
1300
1301         Remove addAdditionalIdentifier entirely, including the bogus assertion.
1302         Move the addition of identifiers to DFGPlan::reallyAdd.
1303
1304         * bytecode/CodeBlock.h:
1305         * dfg/DFGDesiredIdentifiers.cpp:
1306         (JSC::DFG::DesiredIdentifiers::reallyAdd):
1307         * dfg/DFGDesiredIdentifiers.h:
1308         * dfg/DFGPlan.cpp:
1309         (JSC::DFG::Plan::reallyAdd):
1310         (JSC::DFG::Plan::finalize):
1311         * dfg/DFGPlan.h:
1312
1313 2013-08-12  Oliver Hunt  <oliver@apple.com>
1314
1315         Build fix
1316
1317         * runtime/JSCell.h:
1318
1319 2013-08-12  Oliver Hunt  <oliver@apple.com>
1320
1321         Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them
1322         https://bugs.webkit.org/show_bug.cgi?id=119705
1323
1324         Reviewed by Geoffrey Garen.
1325
1326         Relatively trivial refactoring.
1327
1328         * bytecode/CodeBlock.h:
1329         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
1330         (JSC::CodeBlock::addAdditionalIdentifier):
1331         (JSC::CodeBlock::identifier):
1332         (JSC::CodeBlock::numberOfIdentifiers):
1333         * dfg/DFGCommonData.h:
1334
1335 2013-08-12  Oliver Hunt  <oliver@apple.com>
1336
1337         Stop making unnecessary copy of CodeBlock Identifier Vector
1338         https://bugs.webkit.org/show_bug.cgi?id=119702
1339
1340         Reviewed by Michael Saboff.
1341
1342         Make CodeBlock simply use a separate Vector for additional Identifiers
1343         and use the UnlinkedCodeBlock for the initial set of identifiers.
1344
1345         * bytecode/CodeBlock.cpp:
1346         (JSC::CodeBlock::printGetByIdOp):
1347         (JSC::dumpStructure):
1348         (JSC::dumpChain):
1349         (JSC::CodeBlock::printGetByIdCacheStatus):
1350         (JSC::CodeBlock::printPutByIdOp):
1351         (JSC::CodeBlock::dumpBytecode):
1352         (JSC::CodeBlock::CodeBlock):
1353         (JSC::CodeBlock::shrinkToFit):
1354         * bytecode/CodeBlock.h:
1355         (JSC::CodeBlock::numberOfIdentifiers):
1356         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
1357         (JSC::CodeBlock::addAdditionalIdentifier):
1358         (JSC::CodeBlock::identifier):
1359         * dfg/DFGDesiredIdentifiers.cpp:
1360         (JSC::DFG::DesiredIdentifiers::reallyAdd):
1361         * jit/JIT.h:
1362         * jit/JITOpcodes.cpp:
1363         (JSC::JIT::emitSlow_op_get_arguments_length):
1364         * jit/JITPropertyAccess.cpp:
1365         (JSC::JIT::emit_op_get_by_id):
1366         (JSC::JIT::compileGetByIdHotPath):
1367         (JSC::JIT::emitSlow_op_get_by_id):
1368         (JSC::JIT::compileGetByIdSlowCase):
1369         (JSC::JIT::emitSlow_op_put_by_id):
1370         * jit/JITPropertyAccess32_64.cpp:
1371         (JSC::JIT::emit_op_get_by_id):
1372         (JSC::JIT::compileGetByIdHotPath):
1373         (JSC::JIT::compileGetByIdSlowCase):
1374         * jit/JITStubs.cpp:
1375         (JSC::DEFINE_STUB_FUNCTION):
1376         * llint/LLIntSlowPaths.cpp:
1377         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1378
1379 2013-08-08  Mark Lam  <mark.lam@apple.com>
1380
1381         Restoring use of StackIterator instead of Interpreter::getStacktrace().
1382         https://bugs.webkit.org/show_bug.cgi?id=119575.
1383
1384         Reviewed by Oliver Hunt.
1385
1386         * interpreter/Interpreter.h:
1387         - Made getStackTrace() private.
1388         * interpreter/StackIterator.cpp:
1389         (JSC::StackIterator::StackIterator):
1390         (JSC::StackIterator::numberOfFrames):
1391         - Computes the number of frames by iterating through the whole stack
1392           from the starting frame. The iterator will save its current frame
1393           position before counting the frames, and then restore it after
1394           the counting.
1395         (JSC::StackIterator::gotoFrameAtIndex):
1396         (JSC::StackIterator::gotoNextFrame):
1397         (JSC::StackIterator::resetIterator):
1398         - Points the iterator to the starting frame.
1399         * interpreter/StackIteratorPrivate.h:
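
        The save/count/restore behaviour of numberOfFrames(), together with gotoFrameAtIndex(), gotoNextFrame() and resetIterator(), as an added example that is not JSC's StackIterator: a hypothetical iterator over a constructed three-frame chain of CallFrame records linked callee-to-caller. The CallFrame struct, the SampleStack fixture and the helper function names are assumptions for the demonstration.

```cpp
#include <cstddef>
#include <string>

// Hypothetical frame record: a singly linked chain from callee to caller,
// standing in for the engine's real call frames.
struct CallFrame {
    std::string functionName;
    CallFrame* callerFrame; // nullptr at the outermost frame
};

class StackIterator {
public:
    explicit StackIterator(CallFrame* startFrame)
        : m_startFrame(startFrame)
        , m_frame(startFrame)
    {
    }

    CallFrame* current() const { return m_frame; }
    bool atEnd() const { return !m_frame; }

    void gotoNextFrame()
    {
        if (m_frame)
            m_frame = m_frame->callerFrame;
    }

    // Points the iterator back at the starting frame.
    void resetIterator() { m_frame = m_startFrame; }

    // Walks from the starting frame to frame `index`; returns false (leaving
    // the iterator at end) when the stack is shallower than that, so callers
    // never dereference past the outermost frame.
    bool gotoFrameAtIndex(size_t index)
    {
        resetIterator();
        for (size_t i = 0; i < index && !atEnd(); ++i)
            gotoNextFrame();
        return !atEnd();
    }

    // Counts frames by walking the whole stack from the starting frame. The
    // current position is saved first and restored afterwards, so calling
    // this in the middle of an iteration does not disturb the caller's loop.
    size_t numberOfFrames()
    {
        CallFrame* savedFrame = m_frame;
        size_t count = 0;
        for (resetIterator(); !atEnd(); gotoNextFrame())
            ++count;
        m_frame = savedFrame;
        return count;
    }

private:
    CallFrame* m_startFrame;
    CallFrame* m_frame;
};

// Constructed sample stack: main -> outer -> inner ("inner" is innermost).
struct SampleStack {
    CallFrame mainFrame { "main", nullptr };
    CallFrame outerFrame { "outer", &mainFrame };
    CallFrame innerFrame { "inner", &outerFrame };
    CallFrame* top() { return &innerFrame; }
};

// Frame count as seen from the innermost frame.
size_t sampleFrameCount()
{
    SampleStack stack;
    StackIterator iter(stack.top());
    return iter.numberOfFrames();
}

// Name of the frame the iterator is on after advancing once and then asking
// for the count: counting must not move the iterator.
std::string framePositionAfterCounting()
{
    SampleStack stack;
    StackIterator iter(stack.top());
    iter.gotoNextFrame();        // now on "outer"
    (void)iter.numberOfFrames(); // walks the stack, then restores the position
    return iter.current() ? iter.current()->functionName : "";
}

// True when indexing past the end is reported rather than dereferenced, and
// a valid index lands on the expected frame.
bool indexPastEndIsRejected()
{
    SampleStack stack;
    StackIterator iter(stack.top());
    return !iter.gotoFrameAtIndex(3) && iter.gotoFrameAtIndex(2)
        && iter.current()->functionName == "main";
}
```

        Because the count always starts from the starting frame rather than the current one, numberOfFrames() returns the same value wherever the caller happens to be in the walk, which is what lets the Error constructors use it without reasoning about iterator state.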
1400
1401 2013-08-08  Mark Lam  <mark.lam@apple.com>
1402
1403         Moved ErrorConstructor and NativeErrorConstructor helper functions into
1404         the Interpreter class.
1405         https://bugs.webkit.org/show_bug.cgi?id=119576.
1406
1407         Reviewed by Oliver Hunt.
1408
1409         This change is needed to prepare for making Interpreter::getStackTrace()
1410         private. It does not change the behavior of the code, only the lexical
1411         scoping.
1412
1413         * interpreter/Interpreter.h:
1414         - Added helper functions for ErrorConstructor and NativeErrorConstructor.
1415         * runtime/ErrorConstructor.cpp:
1416         (JSC::Interpreter::constructWithErrorConstructor):
1417         (JSC::ErrorConstructor::getConstructData):
1418         (JSC::Interpreter::callErrorConstructor):
1419         (JSC::ErrorConstructor::getCallData):
1420         - Don't want ErrorConstructor to call Interpreter::getStackTrace()
1421           directly. So, we moved the helper functions into the Interpreter
1422           class.
1423         * runtime/NativeErrorConstructor.cpp:
1424         (JSC::Interpreter::constructWithNativeErrorConstructor):
1425         (JSC::NativeErrorConstructor::getConstructData):
1426         (JSC::Interpreter::callNativeErrorConstructor):
1427         (JSC::NativeErrorConstructor::getCallData):
1428         - Don't want NativeErrorConstructor to call Interpreter::getStackTrace()
1429           directly. So, we moved the helper functions into the Interpreter
1430           class.
1431
1432 2013-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>
1433
1434         32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state
1435         https://bugs.webkit.org/show_bug.cgi?id=119555
1436
1437         Reviewed by Geoffrey Garen.
1438
1439         It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does.
1440         This was causing crashes on maps.google.com in 32-bit debug builds.
1441
1442         * dfg/DFGSpeculativeJIT32_64.cpp:
1443         (JSC::DFG::SpeculativeJIT::compile):
1444
1445 2013-08-06  Michael Saboff  <msaboff@apple.com>
1446
1447         REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT
1448         https://bugs.webkit.org/show_bug.cgi?id=119405
1449
1450         Reviewed by Geoffrey Garen.
1451
1452         * dfg/DFGSpeculativeJIT.cpp:
1453         (JSC::DFG::SpeculativeJIT::compileGetByValOnString): For X86 32 bit, construct an indexed address
1454         ourselves to save a register and then load from it.
1455
1456 2013-08-06  Filip Pizlo  <fpizlo@apple.com>
1457
1458         DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants
1459         https://bugs.webkit.org/show_bug.cgi?id=119528
1460
1461         Reviewed by Geoffrey Garen.
1462
1463         Either of the two fixes would solve the crash I saw. Basically, for best performance, we want the DFG register allocator to track double uses and non-double
1464         uses of a node separately, and we accomplish this by inserting Int32ToDouble nodes in the FixupPhase. But even if FixupPhase fails to do this, we still want
1465         the DFG register allocator to do the right thing: if it encounters a double use of an integer, it should perform a conversion and preserve the original
1466         format of the value (namely, that it was an integer). For constants, the best format to preserve is None, so that future integer uses rematerialize the int
1467         from scratch. This only affects the 64-bit backend; the 32-bit backend was already doing the right thing.
1468
1469         This also fixes some more debug dumping code, and adds some stronger assertions for integer arrays.
1470
1471         * bytecode/CodeBlock.cpp:
1472         (JSC::CodeBlock::finalizeUnconditionally):
1473         * dfg/DFGDriver.cpp:
1474         (JSC::DFG::compile):
1475         * dfg/DFGFixupPhase.cpp:
1476         (JSC::DFG::FixupPhase::fixupNode):
1477         * dfg/DFGGraph.cpp:
1478         (JSC::DFG::Graph::dump):
1479         * dfg/DFGSpeculativeJIT64.cpp:
1480         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1481         * runtime/JSObject.h:
1482         (JSC::JSObject::getIndexQuickly):
1483         (JSC::JSObject::tryGetIndexQuickly):
1484
1485 2013-08-08  Stephanie Lewis  <slewis@apple.com>
1486
1487         <rdar://problem/14680524> REGRESSION(153806): Crash @ yahoo.com when WebKit is built with a .order file
1488
1489         Unreviewed.
1490
1491         Ensure llint symbols are in source order.
1492
1493         * JavaScriptCore.order:
1494
1495 2013-08-06  Mark Lam  <mark.lam@apple.com>
1496
1497         Assertion failure in emitExpressionInfo when reloading with Web Inspector open.
1498         https://bugs.webkit.org/show_bug.cgi?id=119532.
1499
1500         Reviewed by Oliver Hunt.
1501
1502         * parser/Parser.cpp:
1503         (JSC::::Parser):
1504         - Just need to initialize the Parser's JSTokenLocation's initial line and
1505           startOffset as well during Parser construction.
1506
1507 2013-08-06  Stephanie Lewis  <slewis@apple.com>
1508
1509         Update Order Files for Safari
1510         <rdar://problem/14517392>
1511
1512         Unreviewed.
1513
1514         * JavaScriptCore.order:
1515
1516 2013-08-04  Sam Weinig  <sam@webkit.org>
1517
1518         Remove support for HTML5 MicroData
1519         https://bugs.webkit.org/show_bug.cgi?id=119480
1520
1521         Reviewed by Anders Carlsson.
1522
1523         * Configurations/FeatureDefines.xcconfig:
1524
1525 2013-08-05  Oliver Hunt  <oliver@apple.com>
1526
1527         Delay Arguments creation in strict mode
1528         https://bugs.webkit.org/show_bug.cgi?id=119505
1529
1530         Reviewed by Geoffrey Garen.
1531
1532         Make use of the write tracking performed by the parser to
1533         allow us to know if we're modifying the parameters to a function.
1534         Then use that information to make strict mode functions opt out
1535         of eager arguments creation.
1536
1537         * bytecompiler/BytecodeGenerator.cpp:
1538         (JSC::BytecodeGenerator::BytecodeGenerator):
1539         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
1540         (JSC::BytecodeGenerator::emitReturn):
1541         * bytecompiler/BytecodeGenerator.h:
1542         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly):
1543         * parser/Nodes.h:
1544         (JSC::ScopeNode::modifiesParameter):
1545         * parser/Parser.cpp:
1546         (JSC::::parseInner):
1547         * parser/Parser.h:
1548         (JSC::Scope::declareParameter):
1549         (JSC::Scope::getCapturedVariables):
1550         (JSC::Parser::declareWrite):
1551         * parser/ParserModes.h:
1552
1553 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
1554
1555         Remove useless code from COMPILER(RVCT) JITStubs
1556         https://bugs.webkit.org/show_bug.cgi?id=119521
1557
1558         Reviewed by Geoffrey Garen.
1559
1560         * jit/JITStubsARMv7.h:
1561         (JSC::ctiVMThrowTrampoline): "ldr r6, [sp, #PRESERVED_R6_OFFSET]" was called twice.
1562         (JSC::ctiOpThrowNotCaught): Ditto.
1563
1564 2013-07-23  David Farler  <dfarler@apple.com>
1565
1566         Provide optional OTHER_CFLAGS, OTHER_CPPFLAGS, OTHER_LDFLAGS additions for building with ASAN
1567         https://bugs.webkit.org/show_bug.cgi?id=117762
1568
1569         Reviewed by Mark Rowe.
1570
1571         * Configurations/DebugRelease.xcconfig:
1572         Add ASAN_OTHER_CFLAGS, CPLUSPLUSFLAGS, LDFLAGS.
1573         * Configurations/JavaScriptCore.xcconfig:
1574         Add ASAN_OTHER_LDFLAGS.
1575         * Configurations/ToolExecutable.xcconfig:
1576         Don't use ASAN for build tools.
1577
1578 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
1579
1580         Build fix for ARM MSVC after r153222 and r153648.
1581
1582         * jit/JITStubsARM.h: Added ctiVMThrowTrampolineSlowpath.
1583
1584 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
1585
1586         Build fix for ARM MSVC after r150109.
1587
1588         Read the stub template from a header file instead of JITStubs.cpp.
1589
1590         * CMakeLists.txt:
1591         * DerivedSources.pri:
1592         * create_jit_stubs:
1593
1594 2013-08-05  Oliver Hunt  <oliver@apple.com>
1595
1596         Move TypedArray implementation into JSC
1597         https://bugs.webkit.org/show_bug.cgi?id=119489
1598
1599         Reviewed by Filip Pizlo.
1600
1601         Move TypedArray implementation into JSC in advance of re-implementation
1602
1603         * GNUmakefile.list.am:
1604         * JSCTypedArrayStubs.h:
1605         * JavaScriptCore.xcodeproj/project.pbxproj:
1606         * runtime/ArrayBuffer.cpp: Renamed from Source/WTF/wtf/ArrayBuffer.cpp.
1607         (JSC::ArrayBuffer::transfer):
1608         (JSC::ArrayBuffer::addView):
1609         (JSC::ArrayBuffer::removeView):
1610         * runtime/ArrayBuffer.h: Renamed from Source/WTF/wtf/ArrayBuffer.h.
1611         (JSC::ArrayBufferContents::ArrayBufferContents):
1612         (JSC::ArrayBufferContents::data):
1613         (JSC::ArrayBufferContents::sizeInBytes):
1614         (JSC::ArrayBufferContents::transfer):
1615         (JSC::ArrayBufferContents::copyTo):
1616         (JSC::ArrayBuffer::isNeutered):
1617         (JSC::ArrayBuffer::~ArrayBuffer):
1618         (JSC::ArrayBuffer::clampValue):
1619         (JSC::ArrayBuffer::create):
1620         (JSC::ArrayBuffer::createUninitialized):
1621         (JSC::ArrayBuffer::ArrayBuffer):
1622         (JSC::ArrayBuffer::data):
1623         (JSC::ArrayBuffer::byteLength):
1624         (JSC::ArrayBuffer::slice):
1625         (JSC::ArrayBuffer::sliceImpl):
1626         (JSC::ArrayBuffer::clampIndex):
1627         (JSC::ArrayBufferContents::tryAllocate):
1628         (JSC::ArrayBufferContents::~ArrayBufferContents):
1629         * runtime/ArrayBufferView.cpp: Renamed from Source/WTF/wtf/ArrayBufferView.cpp.
1630         (JSC::ArrayBufferView::ArrayBufferView):
1631         (JSC::ArrayBufferView::~ArrayBufferView):
1632         (JSC::ArrayBufferView::neuter):
1633         * runtime/ArrayBufferView.h: Renamed from Source/WTF/wtf/ArrayBufferView.h.
1634         (JSC::ArrayBufferView::buffer):
1635         (JSC::ArrayBufferView::baseAddress):
1636         (JSC::ArrayBufferView::byteOffset):
1637         (JSC::ArrayBufferView::setNeuterable):
1638         (JSC::ArrayBufferView::isNeuterable):
1639         (JSC::ArrayBufferView::verifySubRange):
1640         (JSC::ArrayBufferView::clampOffsetAndNumElements):
1641         (JSC::ArrayBufferView::setImpl):
1642         (JSC::ArrayBufferView::setRangeImpl):
1643         (JSC::ArrayBufferView::zeroRangeImpl):
1644         (JSC::ArrayBufferView::calculateOffsetAndLength):
1645         * runtime/Float32Array.h: Renamed from Source/WTF/wtf/Float32Array.h.
1646         (JSC::Float32Array::set):
1647         (JSC::Float32Array::getType):
1648         (JSC::Float32Array::create):
1649         (JSC::Float32Array::createUninitialized):
1650         (JSC::Float32Array::Float32Array):
1651         (JSC::Float32Array::subarray):
1652         * runtime/Float64Array.h: Renamed from Source/WTF/wtf/Float64Array.h.
1653         (JSC::Float64Array::set):
1654         (JSC::Float64Array::getType):
1655         (JSC::Float64Array::create):
1656         (JSC::Float64Array::createUninitialized):
1657         (JSC::Float64Array::Float64Array):
1658         (JSC::Float64Array::subarray):
1659         * runtime/Int16Array.h: Renamed from Source/WTF/wtf/Int16Array.h.
1660         (JSC::Int16Array::getType):
1661         (JSC::Int16Array::create):
1662         (JSC::Int16Array::createUninitialized):
1663         (JSC::Int16Array::Int16Array):
1664         (JSC::Int16Array::subarray):
1665         * runtime/Int32Array.h: Renamed from Source/WTF/wtf/Int32Array.h.
1666         (JSC::Int32Array::getType):
1667         (JSC::Int32Array::create):
1668         (JSC::Int32Array::createUninitialized):
1669         (JSC::Int32Array::Int32Array):
1670         (JSC::Int32Array::subarray):
1671         * runtime/Int8Array.h: Renamed from Source/WTF/wtf/Int8Array.h.
1672         (JSC::Int8Array::getType):
1673         (JSC::Int8Array::create):
1674         (JSC::Int8Array::createUninitialized):
1675         (JSC::Int8Array::Int8Array):
1676         (JSC::Int8Array::subarray):
1677         * runtime/IntegralTypedArrayBase.h: Renamed from Source/WTF/wtf/IntegralTypedArrayBase.h.
1678         (JSC::IntegralTypedArrayBase::set):
1679         (JSC::IntegralTypedArrayBase::IntegralTypedArrayBase):
1680         * runtime/TypedArrayBase.h: Renamed from Source/WTF/wtf/TypedArrayBase.h.
1681         (JSC::TypedArrayBase::data):
1682         (JSC::TypedArrayBase::set):
1683         (JSC::TypedArrayBase::setRange):
1684         (JSC::TypedArrayBase::zeroRange):
1685         (JSC::TypedArrayBase::length):
1686         (JSC::TypedArrayBase::byteLength):
1687         (JSC::TypedArrayBase::item):
1688         (JSC::TypedArrayBase::checkInboundData):
1689         (JSC::TypedArrayBase::TypedArrayBase):
1690         (JSC::TypedArrayBase::create):
1691         (JSC::TypedArrayBase::createUninitialized):
1692         (JSC::TypedArrayBase::subarrayImpl):
1693         (JSC::TypedArrayBase::neuter):
1694         * runtime/Uint16Array.h: Renamed from Source/WTF/wtf/Uint16Array.h.
1695         (JSC::Uint16Array::getType):
1696         (JSC::Uint16Array::create):
1697         (JSC::Uint16Array::createUninitialized):
1698         (JSC::Uint16Array::Uint16Array):
1699         (JSC::Uint16Array::subarray):
1700         * runtime/Uint32Array.h: Renamed from Source/WTF/wtf/Uint32Array.h.
1701         (JSC::Uint32Array::getType):
1702         (JSC::Uint32Array::create):
1703         (JSC::Uint32Array::createUninitialized):
1704         (JSC::Uint32Array::Uint32Array):
1705         (JSC::Uint32Array::subarray):
1706         * runtime/Uint8Array.h: Renamed from Source/WTF/wtf/Uint8Array.h.
1707         (JSC::Uint8Array::getType):
1708         (JSC::Uint8Array::create):
1709         (JSC::Uint8Array::createUninitialized):
1710         (JSC::Uint8Array::Uint8Array):
1711         (JSC::Uint8Array::subarray):
1712         * runtime/Uint8ClampedArray.h: Renamed from Source/WTF/wtf/Uint8ClampedArray.h.
1713         (JSC::Uint8ClampedArray::getType):
1714         (JSC::Uint8ClampedArray::create):
1715         (JSC::Uint8ClampedArray::createUninitialized):
1716         (JSC::Uint8ClampedArray::zeroFill):
1717         (JSC::Uint8ClampedArray::set):
1718         (JSC::Uint8ClampedArray::Uint8ClampedArray):
1719         (JSC::Uint8ClampedArray::subarray):
1720         * runtime/VM.h:
1721
1722 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
1723
1724         Copied space should be able to handle more than one copied backing store per JSCell
1725         https://bugs.webkit.org/show_bug.cgi?id=119471
1726
1727         Reviewed by Mark Hahnenberg.
1728         
1729         This allows a cell to call copyLater() multiple times for multiple different
1730         backing stores, and then have copyBackingStore() called exactly once for each
1731         of those. A token tells it which backing store to copy. All backing stores
1732         must be named using the CopyToken, an enumeration which currently cannot
1733         exceed eight entries.
1734         
1735         When copyBackingStore() is called, it's up to the callee to (a) use the token
1736         to decide what to copy and (b) call its base class's copyBackingStore() in
1737         case the base class had something that needed copying. The only exception is
1738         that JSCell never asks anything to be copied, and so if your base is JSCell
1739         then you don't have to do anything.
1740
1741         * GNUmakefile.list.am:
1742         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1743         * JavaScriptCore.xcodeproj/project.pbxproj:
1744         * heap/CopiedBlock.h:
1745         * heap/CopiedBlockInlines.h:
1746         (JSC::CopiedBlock::reportLiveBytes):
1747         * heap/CopyToken.h: Added.
1748         * heap/CopyVisitor.cpp:
1749         (JSC::CopyVisitor::copyFromShared):
1750         * heap/CopyVisitor.h:
1751         * heap/CopyVisitorInlines.h:
1752         (JSC::CopyVisitor::visitItem):
1753         * heap/CopyWorkList.h:
1754         (JSC::CopyWorklistItem::CopyWorklistItem):
1755         (JSC::CopyWorklistItem::cell):
1756         (JSC::CopyWorklistItem::token):
1757         (JSC::CopyWorkListSegment::get):
1758         (JSC::CopyWorkListSegment::append):
1759         (JSC::CopyWorkListSegment::data):
1760         (JSC::CopyWorkListIterator::get):
1761         (JSC::CopyWorkListIterator::operator*):
1762         (JSC::CopyWorkListIterator::operator->):
1763         (JSC::CopyWorkList::append):
1764         * heap/SlotVisitor.h:
1765         * heap/SlotVisitorInlines.h:
1766         (JSC::SlotVisitor::copyLater):
1767         * runtime/ClassInfo.h:
1768         * runtime/JSCell.cpp:
1769         (JSC::JSCell::copyBackingStore):
1770         * runtime/JSCell.h:
1771         * runtime/JSObject.cpp:
1772         (JSC::JSObject::visitButterfly):
1773         (JSC::JSObject::copyBackingStore):
1774         * runtime/JSObject.h:
1775
1776 2013-08-05  Zan Dobersek  <zdobersek@igalia.com>
1777
1778         [Automake] Define ENABLE_JIT through the Autoconf header
1779         https://bugs.webkit.org/show_bug.cgi?id=119445
1780
1781         Reviewed by Martin Robinson.
1782
1783         * GNUmakefile.am: Remove JSC_CPPFLAGS from the cpp flags for the JSC library.
1784
1785 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
1786
1787         hasIndexingHeader() ought really to be a property of an object and its structure, not just its structure
1788         https://bugs.webkit.org/show_bug.cgi?id=119470
1789
1790         Reviewed by Oliver Hunt.
1791         
1792         Structure can still tell you if the object "could" (in the conservative sense)
1793         have an indexing header; that's used by the compiler.
1794         
1795         Most of the time if you want to know if there's an indexing header, you ask the
1796         JSObject.
1797         
1798         In some cases, the JSObject wants to know if it would have an indexing header if
1799         it had a different structure; then it uses Structure::hasIndexingHeader(JSCell*).
1800
1801         * dfg/DFGRepatch.cpp:
1802         (JSC::DFG::tryCachePutByID):
1803         (JSC::DFG::tryBuildPutByIdList):
1804         * dfg/DFGSpeculativeJIT.cpp:
1805         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1806         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1807         * runtime/ButterflyInlines.h:
1808         (JSC::Butterfly::create):
1809         (JSC::Butterfly::growPropertyStorage):
1810         (JSC::Butterfly::growArrayRight):
1811         (JSC::Butterfly::resizeArray):
1812         * runtime/JSObject.cpp:
1813         (JSC::JSObject::copyButterfly):
1814         (JSC::JSObject::visitButterfly):
1815         * runtime/JSObject.h:
1816         (JSC::JSObject::hasIndexingHeader):
1817         (JSC::JSObject::setButterfly):
1818         * runtime/Structure.h:
1819         (JSC::Structure::couldHaveIndexingHeader):
1820         (JSC::Structure::hasIndexingHeader):
1821
1822 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
1823
1824         Give the error object's stack property accessor attributes.
1825         https://bugs.webkit.org/show_bug.cgi?id=119404
1826
1827         Reviewed by Geoffrey Garen.
1828         
1829         Changed the attributes of error object's stack property to allow developers to write
1830         and delete the stack property. This will match the functionality of Chrome. Firefox  
1831         allows developers to write the error's stack, but not delete it. 
1832
1833         * interpreter/Interpreter.cpp:
1834         (JSC::Interpreter::addStackTraceIfNecessary):
1835         * runtime/ErrorInstance.cpp:
1836         (JSC::ErrorInstance::finishCreation):
1837
1838 2013-08-02  Oliver Hunt  <oliver@apple.com>
1839
1840         Incorrect type speculation reported by ToPrimitive
1841         https://bugs.webkit.org/show_bug.cgi?id=119458
1842
1843         Reviewed by Mark Hahnenberg.
1844
1845         Make sure that we report the correct type possibilities for the output
1846         from ToPrimitive
1847
1848         * dfg/DFGAbstractInterpreterInlines.h:
1849         (JSC::DFG::::executeEffects):
1850
1851 2013-08-02  Gavin Barraclough  <barraclough@apple.com>
1852
1853         Remove no-arguments constructor to PropertySlot
1854         https://bugs.webkit.org/show_bug.cgi?id=119460
1855
1856         Reviewed by Geoff Garen.
1857
1858         This constructor was unsafe if getValue is subsequently called,
1859         and the property is a getter. Simplest to just remove it.
1860
1861         * runtime/Arguments.cpp:
1862         (JSC::Arguments::defineOwnProperty):
1863         * runtime/JSActivation.cpp:
1864         (JSC::JSActivation::getOwnPropertyDescriptor):
1865         * runtime/JSFunction.cpp:
1866         (JSC::JSFunction::getOwnPropertyDescriptor):
1867         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1868         (JSC::JSFunction::put):
1869         (JSC::JSFunction::defineOwnProperty):
1870         * runtime/JSGlobalObject.cpp:
1871         (JSC::JSGlobalObject::defineOwnProperty):
1872         * runtime/JSGlobalObject.h:
1873         (JSC::JSGlobalObject::hasOwnPropertyForWrite):
1874         * runtime/JSNameScope.cpp:
1875         (JSC::JSNameScope::put):
1876         * runtime/JSONObject.cpp:
1877         (JSC::Stringifier::Holder::appendNextProperty):
1878         (JSC::Walker::walk):
1879         * runtime/JSObject.cpp:
1880         (JSC::JSObject::hasProperty):
1881         (JSC::JSObject::hasOwnProperty):
1882         (JSC::JSObject::reifyStaticFunctionsForDelete):
1883         * runtime/Lookup.h:
1884         (JSC::getStaticPropertyDescriptor):
1885         (JSC::getStaticFunctionDescriptor):
1886         (JSC::getStaticValueDescriptor):
1887         * runtime/ObjectConstructor.cpp:
1888         (JSC::defineProperties):
1889         * runtime/PropertySlot.h:
1890
1891 2013-08-02  Mark Hahnenberg  <mhahnenberg@apple.com>
1892
1893         DFG validation can cause assertion failures due to dumping
1894         https://bugs.webkit.org/show_bug.cgi?id=119456
1895
1896         Reviewed by Geoffrey Garen.
1897
1898         * bytecode/CodeBlock.cpp:
1899         (JSC::CodeBlock::hasHash):
1900         (JSC::CodeBlock::isSafeToComputeHash):
1901         (JSC::CodeBlock::hash):
1902         (JSC::CodeBlock::dumpAssumingJITType):
1903         * bytecode/CodeBlock.h:
1904
1905 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
1906
1907         Have vm's exceptionStack match java's vm's exceptionStack.
1908         https://bugs.webkit.org/show_bug.cgi?id=119362
1909
1910         Reviewed by Geoffrey Garen.
1911         
1912         The error object's stack is only updated if it does not exist yet. This matches 
1913         the functionality of other browsers, and Java VMs. 
1914
1915         * interpreter/Interpreter.cpp:
1916         (JSC::Interpreter::addStackTraceIfNecessary):
1917         (JSC::Interpreter::throwException):
1918         * runtime/VM.cpp:
1919         (JSC::VM::clearExceptionStack):
1920         * runtime/VM.h:
1921         (JSC::VM::lastExceptionStack):
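
        The two entries above (r119404 giving the stack property writable and
        deletable attributes, and r119362 filling the stack only when it does not
        exist yet) are both observable from plain JavaScript. The following probe is
        an added example, not JavaScriptCore code or a WebKit test: it reports the
        own-property attributes of an Error's stack and checks that an existing
        stack survives a throw and a rethrow. The function names are the example's
        own, and the expected results are those of the V8/Node engine it was
        checked against.

```javascript
// Added example, not JavaScriptCore code: observes from plain JS the two
// Error.stack behaviours the ChangeLog entries describe for JSC (the
// property is writable and deletable; the engine fills it at most once).
// Runs under any engine; the comments give what V8 (Node) reports.

// Report the attributes of an Error instance's own `stack` property.
function probeStackAttributes() {
  const err = new Error("probe");
  const desc = Object.getOwnPropertyDescriptor(err, "stack");
  if (!desc) {
    // Engines such as SpiderMonkey keep `stack` as an accessor on
    // Error.prototype, so there is no own property to inspect.
    return { own: false, writable: false, deletable: false };
  }
  err.stack = "replaced";
  const writable = err.stack === "replaced";
  const deletable =
    delete err.stack && !Object.prototype.hasOwnProperty.call(err, "stack");
  return { own: true, writable, deletable }; // V8: all true
}

// Check that throwing does not overwrite a stack that already exists:
// a developer-assigned stack survives a throw, and rethrowing an error
// keeps the stack from its first capture.
function probeStackStability() {
  const custom = new Error("custom");
  custom.stack = "custom stack";
  let customSurvives = false;
  try {
    throw custom;
  } catch (e) {
    customSurvives = e.stack === "custom stack";
  }

  const once = new Error("once");
  const first = once.stack; // forces the engine to materialise the stack
  let rethrowKeepsStack = false;
  try {
    try {
      throw once;
    } catch (inner) {
      throw inner; // rethrow from a different frame
    }
  } catch (outer) {
    rethrowKeepsStack = outer === once && outer.stack === first;
  }
  return { customSurvives, rethrowKeepsStack }; // V8: both true
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(probeStackAttributes(), probeStackStability());
}
```

        Under the post-r119404/r119362 JSC behaviour described above, the first
        probe reports the property as writable and deletable and the second reports
        that neither the custom nor the captured stack is overwritten by a throw.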
1922
1923 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
1924
1925         REGRESSION(FTL): Fix mips implementation of ctiVMThrowTrampolineSlowpath.
1926         https://bugs.webkit.org/show_bug.cgi?id=119447
1927
1928         Reviewed by Geoffrey Garen.
1929
1930         Fix .cpload, update call frame and do not restore registers from JIT stack frame in
1931         mips implementation of ctiVMThrowTrampolineSlowpath. This change is similar to
1932         r153583 (sh4) and r153648 (ARM).
1933
1934         * jit/JITStubsMIPS.h:
1935
1936 2013-08-01  Filip Pizlo  <fpizlo@apple.com>
1937
1938         hasIndexingHeader should be a property of the Structure, not just the IndexingType
1939         https://bugs.webkit.org/show_bug.cgi?id=119422
1940
1941         Reviewed by Oliver Hunt.
1942         
1943         This simplifies some code and also allows Structure to claim that an object
1944         has an indexing header even if it doesn't have indexed properties.
1945         
1946         I also changed some calls to use hasIndexedProperties() since in some cases,
1947         that's what we actually meant. Currently the two are synonyms.
1948
1949         * dfg/DFGRepatch.cpp:
1950         (JSC::DFG::tryCachePutByID):
1951         (JSC::DFG::tryBuildPutByIdList):
1952         * dfg/DFGSpeculativeJIT.cpp:
1953         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1954         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1955         * runtime/ButterflyInlines.h:
1956         (JSC::Butterfly::create):
1957         (JSC::Butterfly::growPropertyStorage):
1958         (JSC::Butterfly::growArrayRight):
1959         (JSC::Butterfly::resizeArray):
1960         * runtime/IndexingType.h:
1961         * runtime/JSObject.cpp:
1962         (JSC::JSObject::copyButterfly):
1963         (JSC::JSObject::visitButterfly):
1964         (JSC::JSObject::setPrototype):
1965         * runtime/JSObject.h:
1966         (JSC::JSObject::setButterfly):
1967         * runtime/JSPropertyNameIterator.cpp:
1968         (JSC::JSPropertyNameIterator::create):
1969         * runtime/Structure.h:
1970         (JSC::Structure::hasIndexingHeader):
1971
1972 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
1973
1974         REGRESSION: ARM still crashes after change set r153612.
1975         https://bugs.webkit.org/show_bug.cgi?id=119433
1976
1977         Reviewed by Michael Saboff.
1978
1979         Update call frame and do not restore registers from JIT stack frame in ARM and ARMv7
1980         implementations of ctiVMThrowTrampolineSlowpath. This change is similar to r153583
1981         for sh4 architecture.
1982
1983         * jit/JITStubsARM.h:
1984         * jit/JITStubsARMv7.h:
1985
1986 2013-08-02  Michael Saboff  <msaboff@apple.com>
1987
1988         REGRESSION(r153612): It made jsc and layout tests crash
1989         https://bugs.webkit.org/show_bug.cgi?id=119440
1990
1991         Reviewed by Csaba Osztrogonác.
1992
1993         Made the changes in changeset r153612 only apply to 32-bit builds.
1994
1995         * jit/JITExceptions.cpp:
1996         * jit/JITExceptions.h:
1997         * jit/JITStubs.cpp:
1998         (JSC::cti_vm_throw_slowpath):
1999         * jit/JITStubs.h:
2000
2001 2013-08-02  Patrick Gansterer  <paroga@webkit.org>
2002
2003         Add JSCTestRunnerUtils to the list of forwarding headers to fix build.
2004
2005         * CMakeLists.txt:
2006
2007 2013-08-01  Ruth Fong  <ruth_fong@apple.com>
2008
2009         [Forms: color] <input type='color'> popover color well implementation
2010         <rdar://problem/14411008> and https://bugs.webkit.org/show_bug.cgi?id=119356
2011
2012         Reviewed by Benjamin Poulain.
2013
2014         * Configurations/FeatureDefines.xcconfig: Added and enabled INPUT_TYPE_COLOR_POPOVER.
2015
2016 2013-08-01  Oliver Hunt  <oliver@apple.com>
2017
2018         DFG is not enforcing correct ordering of ToString conversion in MakeRope
2019         https://bugs.webkit.org/show_bug.cgi?id=119408
2020
2021         Reviewed by Filip Pizlo.
2022
2023         Construct ToString and Phantom nodes in advance of MakeRope
2024         nodes to ensure that ordering is ensured, and correct values
2025         will be reified on OSR exit.
2026
2027         * dfg/DFGByteCodeParser.cpp:
2028         (JSC::DFG::ByteCodeParser::parseBlock):
2029
2030 2013-08-01  Michael Saboff  <msaboff@apple.com>
2031
2032         REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
2033         https://bugs.webkit.org/show_bug.cgi?id=119140
2034
2035         Reviewed by Filip Pizlo.
2036
2037         Ensure that ExceptionHandler is returned by functions in two registers by encoding the value as a 64 bit int.
2038
2039         * jit/JITExceptions.cpp:
2040         (JSC::encode):
2041         * jit/JITExceptions.h:
2042         * jit/JITStubs.cpp:
2043         (JSC::cti_vm_throw_slowpath):
2044         * jit/JITStubs.h:
2045
2046 2013-08-01  Julien Brianceau  <jbrianceau@nds.com>
2047
2048         REGRESSION(FTL): Fix sh4 implementation of ctiVMThrowTrampolineSlowpath.
2049         https://bugs.webkit.org/show_bug.cgi?id=119391
2050
2051         Reviewed by Csaba Osztrogonác.
2052
2053         * jit/JITStubsSH4.h: Fix ctiVMThrowTrampolineSlowpath implementation:
2054             - Call frame is in r14 register.
2055             - Do not restore registers from JIT stack frame here.
2056
2057 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
2058
2059         More cleanup in PropertySlot
2060         https://bugs.webkit.org/show_bug.cgi?id=119359
2061
2062         Reviewed by Geoff Garen.
2063
2064         m_slotBase is overloaded to store the (receiver) thisValue and the object that contains the property.
2065         This is confusing, and means that slotBase cannot be typed correctly (can only be a JSObject).
2066
2067         * dfg/DFGRepatch.cpp:
2068         (JSC::DFG::tryCacheGetByID):
2069         (JSC::DFG::tryBuildGetByIDList):
2070             - No need to ASSERT slotBase is an object.
2071         * jit/JITStubs.cpp:
2072         (JSC::tryCacheGetByID):
2073         (JSC::DEFINE_STUB_FUNCTION):
2074             - No need to ASSERT slotBase is an object.
2075         * runtime/JSObject.cpp:
2076         (JSC::JSObject::getOwnPropertySlotByIndex):
2077         (JSC::JSObject::fillGetterPropertySlot):
2078             - Pass an object through to setGetterSlot.
2079         * runtime/JSObject.h:
2080         (JSC::PropertySlot::getValue):
2081             - Moved from PropertySlot (need to know about JSObject).
2082         * runtime/PropertySlot.cpp:
2083         (JSC::PropertySlot::functionGetter):
2084             - update per member name changes
2085         * runtime/PropertySlot.h:
2086         (JSC::PropertySlot::PropertySlot):
2087             - Argument to constructor set to 'thisValue'.
2088         (JSC::PropertySlot::slotBase):
2089             - This returns a JSObject*.
2090         (JSC::PropertySlot::setValue):
2091         (JSC::PropertySlot::setCustom):
2092         (JSC::PropertySlot::setCacheableCustom):
2093         (JSC::PropertySlot::setCustomIndex):
2094         (JSC::PropertySlot::setGetterSlot):
2095         (JSC::PropertySlot::setCacheableGetterSlot):
2096             - slotBase is a JSObject*, make setGetterSlot set slotBase for consistency.
2097         * runtime/SparseArrayValueMap.cpp:
2098         (JSC::SparseArrayEntry::get):
2099             - Pass an object through to setGetterSlot.
2100         * runtime/SparseArrayValueMap.h:
2101             - Pass an object through to setGetterSlot.
2102
2103 2013-07-31  Yi Shen  <max.hong.shen@gmail.com>
2104
2105         Reduce JSC API static value setter/getter overhead.
2106         https://bugs.webkit.org/show_bug.cgi?id=119277
2107
2108         Reviewed by Geoffrey Garen.
2109
2110         Add property name to the static value entry, so that OpaqueJSString::create() doesn't
2111         need to be called every time we set or get the static value.
2112
2113         * API/JSCallbackObjectFunctions.h:
2114         (JSC::::put):
2115         (JSC::::putByIndex):
2116         (JSC::::getStaticValue):
2117         * API/JSClassRef.cpp:
2118         (OpaqueJSClassContextData::OpaqueJSClassContextData):
2119         * API/JSClassRef.h:
2120         (StaticValueEntry::StaticValueEntry):
2121
2122 2013-07-31  Kwang Yul Seo  <skyul@company100.net>
2123
2124         Use emptyString instead of String("")
2125         https://bugs.webkit.org/show_bug.cgi?id=119335
2126
2127         Reviewed by Darin Adler.
2128
2129         Use emptyString() instead of String("") because it is better style and
2130         faster. This is a followup to r116908, removing all occurrences of
2131         String("") from WebKit.
2132
2133         * runtime/RegExpConstructor.cpp:
2134         (JSC::constructRegExp):
2135         * runtime/RegExpPrototype.cpp:
2136         (JSC::regExpProtoFuncCompile):
2137         * runtime/StringPrototype.cpp:
2138         (JSC::stringProtoFuncMatch):
2139         (JSC::stringProtoFuncSearch):
2140
2141 2013-07-31  Ruth Fong  <ruth_fong@apple.com>
2142
2143         <input type=color> Mac UI behaviour
2144         <rdar://problem/10269922> and https://bugs.webkit.org/show_bug.cgi?id=61276
2145
2146         Reviewed by Brady Eidson.
2147
2148         * Configurations/FeatureDefines.xcconfig: Enabled INPUT_TYPE_COLOR.
2149
2150 2013-07-31  Mark Hahnenberg  <mhahnenberg@apple.com>
2151
2152         DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT
2153         https://bugs.webkit.org/show_bug.cgi?id=119349
2154
2155         Reviewed by Geoffrey Garen.
2156
2157         Prior to this patch, the baseline JIT was responsible for resizing the ctiOffsets Vector for 
2158         SimpleJumpTables to be equal to the size of the branchOffsets Vector. The DFG implicitly relied
2159         on code it compiled with any switch statements to have been run in the baseline JIT first. 
2160         However, if the DFG chooses to inline a function that has never been compiled by the baseline 
2161         JIT then this resizing never happens and we crash at link time in the DFG.
2162
2163         We can fix this by also doing the resize in the DFG to catch this case.
2164
2165         * dfg/DFGJITCompiler.cpp:
2166         (JSC::DFG::JITCompiler::link):
2167
2168 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
2169
2170         Speculative Windows build fix.
2171
2172         Reviewed by NOBODY
2173
2174         * runtime/JSString.cpp:
2175         (JSC::JSRopeString::getIndexSlowCase):
2176         * runtime/JSString.h:
2177
2178 2013-07-30  Gavin Barraclough  <barraclough@apple.com>
2179
2180         Some cleanup in JSValue::get
2181         https://bugs.webkit.org/show_bug.cgi?id=119343
2182
2183         Reviewed by Geoff Garen.
2184
2185         JSValue::get is implemented to:
2186             1) Check if the value is a cell – if not, synthesize a prototype to search,
2187             2) call getOwnPropertySlot on the cell,
2188             3) if this returns false, cast to JSObject to get the prototype, and walk the prototype chain.
2189         By all rights this should crash when passed a string and accessing a property that does not exist, because
2190         the string is a cell, getOwnPropertySlot should return false, and the cast to JSObject should be unsafe.
2191         To work around this, JSString::getOwnPropertySlot actually implements 'get' functionality - searching the
2192         prototype chain, and faking out a return value of undefined if no property is found.
2193
2194         This is a huge hazard, since fixing JSString::getOwnPropertySlot or calling getOwnPropertySlot on cells
2195         from elsewhere would introduce bugs. Fortunately it is only ever called in this one place.
2196
2197         The fix here is to move getOwnPropertySlot onto JSObject and end this madness - cells don't have property
2198         slots anyway.
2199
2200         Interesting changes are in JSCJSValueInlines.h, JSString.cpp - the rest is pretty much all JSCell -> JSObject.
2201
2202 2013-07-31  Michael Saboff  <msaboff@apple.com>
2203
2204         [Win] JavaScript crash.
2205         https://bugs.webkit.org/show_bug.cgi?id=119339
2206
2207         Reviewed by Mark Hahnenberg.
2208
2209         * jit/JITStubsX86.h: Implement ctiVMThrowTrampoline and
2210         ctiVMThrowTrampolineSlowpath the same way as the gcc x86 version does.
2211
2212 2013-07-30  Mark Hahnenberg  <mhahnenberg@apple.com>
2213
2214         GetByVal on Arguments does the wrong size load when checking the Arguments object length
2215         https://bugs.webkit.org/show_bug.cgi?id=119281
2216
2217         Reviewed by Geoffrey Garen.
2218
2219         This leads to out of bounds accesses and subsequent crashes.
2220
2221         * dfg/DFGSpeculativeJIT.cpp:
2222         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
2223         * dfg/DFGSpeculativeJIT64.cpp:
2224         (JSC::DFG::SpeculativeJIT::compile):
2225
2226 2013-07-30  Oliver Hunt  <oliver@apple.com>
2227
2228         Add an assertion to SpeculateCellOperand
2229         https://bugs.webkit.org/show_bug.cgi?id=119276
2230
2231         Reviewed by Michael Saboff.
2232
2233         More assertions are better
2234
2235         * dfg/DFGSpeculativeJIT64.cpp:
2236         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2237         (JSC::DFG::SpeculativeJIT::compile):
2238
2239 2013-07-30  Mark Lam  <mark.lam@apple.com>
2240
2241         Fix problems with divot and lineStart mismatches.
2242         https://bugs.webkit.org/show_bug.cgi?id=118662.
2243
2244         Reviewed by Oliver Hunt.
2245
2246         r152494 added the recording of lineStart values for divot positions.
2247         This is needed for the computation of column numbers. Similarly, it also
2248         added the recording of line numbers for the divot positions. One problem
2249         with the approach taken was that the line and lineStart values were
2250         recorded independently, and hence were not always guaranteed to be
2251         sampled at the same place that the divot position is recorded. This
2252         resulted in potential mismatches that cause some assertions to fail.
2253
2254         The solution is to introduce a JSTextPosition abstraction that records
2255         the divot position, line, and lineStart as a single quantity. Wherever
2256         we record the divot position as an unsigned int previously, we now record
2257         its JSTextPosition which captures all 3 values in one go. This ensures
2258         that the captured line and lineStart will always match the captured divot
2259         position.
2260
2261         * bytecompiler/BytecodeGenerator.cpp:
2262         (JSC::BytecodeGenerator::emitCall):
2263         (JSC::BytecodeGenerator::emitCallEval):
2264         (JSC::BytecodeGenerator::emitCallVarargs):
2265         (JSC::BytecodeGenerator::emitConstruct):
2266         (JSC::BytecodeGenerator::emitDebugHook):
2267         - Use JSTextPosition instead of passing line and lineStart explicitly.
2268         * bytecompiler/BytecodeGenerator.h:
2269         (JSC::BytecodeGenerator::emitExpressionInfo):
2270         - Use JSTextPosition instead of passing line and lineStart explicitly.
2271         * bytecompiler/NodesCodegen.cpp:
2272         (JSC::ThrowableExpressionData::emitThrowReferenceError):
2273         (JSC::ResolveNode::emitBytecode):
2274         (JSC::BracketAccessorNode::emitBytecode):
2275         (JSC::DotAccessorNode::emitBytecode):
2276         (JSC::NewExprNode::emitBytecode):
2277         (JSC::EvalFunctionCallNode::emitBytecode):
2278         (JSC::FunctionCallValueNode::emitBytecode):
2279         (JSC::FunctionCallResolveNode::emitBytecode):
2280         (JSC::FunctionCallBracketNode::emitBytecode):
2281         (JSC::FunctionCallDotNode::emitBytecode):
2282         (JSC::CallFunctionCallDotNode::emitBytecode):
2283         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2284         (JSC::PostfixNode::emitResolve):
2285         (JSC::PostfixNode::emitBracket):
2286         (JSC::PostfixNode::emitDot):
2287         (JSC::DeleteResolveNode::emitBytecode):
2288         (JSC::DeleteBracketNode::emitBytecode):
2289         (JSC::DeleteDotNode::emitBytecode):
2290         (JSC::PrefixNode::emitResolve):
2291         (JSC::PrefixNode::emitBracket):
2292         (JSC::PrefixNode::emitDot):
2293         (JSC::UnaryOpNode::emitBytecode):
2294         (JSC::BinaryOpNode::emitStrcat):
2295         (JSC::BinaryOpNode::emitBytecode):
2296         (JSC::ThrowableBinaryOpNode::emitBytecode):
2297         (JSC::InstanceOfNode::emitBytecode):
2298         (JSC::emitReadModifyAssignment):
2299         (JSC::ReadModifyResolveNode::emitBytecode):
2300         (JSC::AssignResolveNode::emitBytecode):
2301         (JSC::AssignDotNode::emitBytecode):
2302         (JSC::ReadModifyDotNode::emitBytecode):
2303         (JSC::AssignBracketNode::emitBytecode):
2304         (JSC::ReadModifyBracketNode::emitBytecode):
2305         (JSC::ForInNode::emitBytecode):
2306         (JSC::WithNode::emitBytecode):
2307         (JSC::ThrowNode::emitBytecode):
2308         - Use JSTextPosition instead of passing line and lineStart explicitly.
2309         * parser/ASTBuilder.h:
2310         - Replaced ASTBuilder::PositionInfo with JSTextPosition.
2311         (JSC::ASTBuilder::BinaryOpInfo::BinaryOpInfo):
2312         (JSC::ASTBuilder::AssignmentInfo::AssignmentInfo):
2313         (JSC::ASTBuilder::createResolve):
2314         (JSC::ASTBuilder::createBracketAccess):
2315         (JSC::ASTBuilder::createDotAccess):
2316         (JSC::ASTBuilder::createRegExp):
2317         (JSC::ASTBuilder::createNewExpr):
2318         (JSC::ASTBuilder::createAssignResolve):
2319         (JSC::ASTBuilder::createExprStatement):
2320         (JSC::ASTBuilder::createForInLoop):
2321         (JSC::ASTBuilder::createReturnStatement):
2322         (JSC::ASTBuilder::createBreakStatement):
2323         (JSC::ASTBuilder::createContinueStatement):
2324         (JSC::ASTBuilder::createLabelStatement):
2325         (JSC::ASTBuilder::createWithStatement):
2326         (JSC::ASTBuilder::createThrowStatement):
2327         (JSC::ASTBuilder::appendBinaryExpressionInfo):
2328         (JSC::ASTBuilder::appendUnaryToken):
2329         (JSC::ASTBuilder::unaryTokenStackLastStart):
2330         (JSC::ASTBuilder::assignmentStackAppend):
2331         (JSC::ASTBuilder::createAssignment):
2332         (JSC::ASTBuilder::setExceptionLocation):
2333         (JSC::ASTBuilder::makeDeleteNode):
2334         (JSC::ASTBuilder::makeFunctionCallNode):
2335         (JSC::ASTBuilder::makeBinaryNode):
2336         (JSC::ASTBuilder::makeAssignNode):
2337         (JSC::ASTBuilder::makePrefixNode):
2338         (JSC::ASTBuilder::makePostfixNode):
2339         - Use JSTextPosition instead of passing line and lineStart explicitly.
2340         * parser/Lexer.cpp:
2341         (JSC::::lex):
2342         - Added support for capturing the appropriate JSTextPositions instead
2343           of just the character offset.
2344         * parser/Lexer.h:
2345         (JSC::Lexer::currentPosition):
2346         (JSC::::lexExpectIdentifier):
2347         - Added support for capturing the appropriate JSTextPositions instead
2348           of just the character offset.
2349         * parser/NodeConstructors.h:
2350         (JSC::Node::Node):
2351         (JSC::ResolveNode::ResolveNode):
2352         (JSC::EvalFunctionCallNode::EvalFunctionCallNode):
2353         (JSC::FunctionCallValueNode::FunctionCallValueNode):
2354         (JSC::FunctionCallResolveNode::FunctionCallResolveNode):
2355         (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
2356         (JSC::FunctionCallDotNode::FunctionCallDotNode):
2357         (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
2358         (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
2359         (JSC::PostfixNode::PostfixNode):
2360         (JSC::DeleteResolveNode::DeleteResolveNode):
2361         (JSC::DeleteBracketNode::DeleteBracketNode):
2362         (JSC::DeleteDotNode::DeleteDotNode):
2363         (JSC::PrefixNode::PrefixNode):
2364         (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
2365         (JSC::ReadModifyBracketNode::ReadModifyBracketNode):
2366         (JSC::AssignBracketNode::AssignBracketNode):
2367         (JSC::AssignDotNode::AssignDotNode):
2368         (JSC::ReadModifyDotNode::ReadModifyDotNode):
2369         (JSC::AssignErrorNode::AssignErrorNode):
2370         (JSC::WithNode::WithNode):
2371         (JSC::ForInNode::ForInNode):
2372         - Use JSTextPosition instead of passing line and lineStart explicitly.
2373         * parser/Nodes.cpp:
2374         (JSC::StatementNode::setLoc):
2375         - Use JSTextPosition instead of passing line and lineStart explicitly.
2376         * parser/Nodes.h:
2377         (JSC::Node::lineNo):
2378         (JSC::Node::startOffset):
2379         (JSC::Node::lineStartOffset):
2380         (JSC::Node::position):
2381         (JSC::ThrowableExpressionData::ThrowableExpressionData):
2382         (JSC::ThrowableExpressionData::setExceptionSourceCode):
2383         (JSC::ThrowableExpressionData::divot):
2384         (JSC::ThrowableExpressionData::divotStart):
2385         (JSC::ThrowableExpressionData::divotEnd):
2386         (JSC::ThrowableSubExpressionData::ThrowableSubExpressionData):
2387         (JSC::ThrowableSubExpressionData::setSubexpressionInfo):
2388         (JSC::ThrowableSubExpressionData::subexpressionDivot):
2389         (JSC::ThrowableSubExpressionData::subexpressionStart):
2390         (JSC::ThrowableSubExpressionData::subexpressionEnd):
2391         (JSC::ThrowablePrefixedSubExpressionData::ThrowablePrefixedSubExpressionData):
2392         (JSC::ThrowablePrefixedSubExpressionData::setSubexpressionInfo):
2393         (JSC::ThrowablePrefixedSubExpressionData::subexpressionDivot):
2394         (JSC::ThrowablePrefixedSubExpressionData::subexpressionStart):
2395         (JSC::ThrowablePrefixedSubExpressionData::subexpressionEnd):
2396         - Use JSTextPosition instead of passing line and lineStart explicitly.
2397         * parser/Parser.cpp:
2398         (JSC::::Parser):
2399         (JSC::::parseInner):
2400         - Use JSTextPosition instead of passing line and lineStart explicitly.
2401         (JSC::::didFinishParsing):
2402         - Remove setting of m_lastLine value. We always pass in the value from
2403           m_lastLine anyway. So, this assignment is effectively a nop.
2404         (JSC::::parseVarDeclaration):
2405         (JSC::::parseVarDeclarationList):
2406         (JSC::::parseForStatement):
2407         (JSC::::parseBreakStatement):
2408         (JSC::::parseContinueStatement):
2409         (JSC::::parseReturnStatement):
2410         (JSC::::parseThrowStatement):
2411         (JSC::::parseWithStatement):
2412         (JSC::::parseTryStatement):
2413         (JSC::::parseBlockStatement):
2414         (JSC::::parseFunctionDeclaration):
2415         (JSC::LabelInfo::LabelInfo):
2416         (JSC::::parseExpressionOrLabelStatement):
2417         (JSC::::parseExpressionStatement):
2418         (JSC::::parseAssignmentExpression):
2419         (JSC::::parseBinaryExpression):
2420         (JSC::::parseProperty):
2421         (JSC::::parsePrimaryExpression):
2422         (JSC::::parseMemberExpression):
2423         (JSC::::parseUnaryExpression):
2424         - Use JSTextPosition instead of passing line and lineStart explicitly.
2425         * parser/Parser.h:
2426         (JSC::Parser::next):
2427         (JSC::Parser::nextExpectIdentifier):
2428         (JSC::Parser::getToken):
2429         (JSC::Parser::tokenStartPosition):
2430         (JSC::Parser::tokenEndPosition):
2431         (JSC::Parser::lastTokenEndPosition):
2432         (JSC::::parse):
2433         - Use JSTextPosition instead of passing line and lineStart explicitly.
2434         * parser/ParserTokens.h:
2435         (JSC::JSTextPosition::JSTextPosition):
2436         (JSC::JSTextPosition::operator+):
2437         (JSC::JSTextPosition::operator-):
2438         (JSC::JSTextPosition::operator int):
2439         - Added JSTextPosition.
2440         * parser/SyntaxChecker.h:
2441         (JSC::SyntaxChecker::makeFunctionCallNode):
2442         (JSC::SyntaxChecker::makeAssignNode):
2443         (JSC::SyntaxChecker::makePrefixNode):
2444         (JSC::SyntaxChecker::makePostfixNode):
2445         (JSC::SyntaxChecker::makeDeleteNode):
2446         (JSC::SyntaxChecker::createResolve):
2447         (JSC::SyntaxChecker::createBracketAccess):
2448         (JSC::SyntaxChecker::createDotAccess):
2449         (JSC::SyntaxChecker::createRegExp):
2450         (JSC::SyntaxChecker::createNewExpr):
2451         (JSC::SyntaxChecker::createAssignResolve):
2452         (JSC::SyntaxChecker::createForInLoop):
2453         (JSC::SyntaxChecker::createReturnStatement):
2454         (JSC::SyntaxChecker::createBreakStatement):
2455         (JSC::SyntaxChecker::createContinueStatement):
2456         (JSC::SyntaxChecker::createWithStatement):
2457         (JSC::SyntaxChecker::createLabelStatement):
2458         (JSC::SyntaxChecker::createThrowStatement):
2459         (JSC::SyntaxChecker::appendBinaryExpressionInfo):
2460         (JSC::SyntaxChecker::operatorStackPop):
2461         - Use JSTextPosition instead of passing line and lineStart explicitly.
2462
2463 2013-07-29  Carlos Garcia Campos  <cgarcia@igalia.com>
2464
2465         Unreviewed. Fix make distcheck.
2466
2467         * GNUmakefile.list.am: Add missing files to compilation.
2468         * bytecode/CodeBlock.cpp: Add a ENABLE(FTL_JIT) #if block to
2469         include FTL header files not included in the compilation.
2470         * dfg/DFGDriver.cpp: Ditto.
2471         * dfg/DFGPlan.cpp: Ditto.
2472
2473 2013-07-29  Chris Curtis  <chris_curtis@apple.com>
2474
2475         Eager stack trace for error objects.
2476         https://bugs.webkit.org/show_bug.cgi?id=118918
2477
2478         Reviewed by Geoffrey Garen.
2479         
2480         Chrome and Firefox give error objects the stack property and we wanted to match
2481         that functionality. This allows developers to see the stack without throwing an object.
2482
2483         * runtime/ErrorInstance.cpp:
2484         (JSC::ErrorInstance::finishCreation):
2485         For error objects that are not thrown as an exception, we pass the stackTrace in
2486         as a parameter. This allows the error object to have the stack property.
2487         
2488         * interpreter/Interpreter.cpp:
2489         (JSC::stackTraceAsString):
2490         Helper function used to eliminate duplicate code.
2491
2492         (JSC::Interpreter::addStackTraceIfNecessary):
2493         When an error object is created by the user the vm->exceptionStack is not set.
2494         If the user throws this error object later the stack that is in the error object 
2495         may not be the correct stack for the throw, so when we set the vm->exception stack,
2496         the stack property on the error object is set as well.
2497         
2498         * runtime/ErrorConstructor.cpp:
2499         (JSC::constructWithErrorConstructor):
2500         (JSC::callErrorConstructor):
2501         * runtime/NativeErrorConstructor.cpp:
2502         (JSC::constructWithNativeErrorConstructor):
2503         (JSC::callNativeErrorConstructor):
2504         These functions indicate that the user created an error object. For all error objects 
2505         that the user explicitly creates, the topCallFrame is at a new frame created to 
2506         handle the user's call. In this case though, the error object needs the caller's 
2507         frame to create the stack trace correctly.
2508         
2509         * interpreter/Interpreter.h:
2510         * runtime/ErrorInstance.h:
2511         (JSC::ErrorInstance::create):
2512
2513 2013-07-29  Gavin Barraclough  <barraclough@apple.com>
2514
2515         Some cleanup in PropertySlot
2516         https://bugs.webkit.org/show_bug.cgi?id=119189
2517
2518         Reviewed by Geoff Garen.
2519
2520         PropertySlot represents a property in one of four states - value, getter, custom, or custom-index.
2521         The state is currently tracked redundantly by two mechanisms - the custom getter function (m_getValue)
2522         is set to a special value to indicate the type (other than custom), and the type is also tracked by
2523         an enum - but only if cacheable. Cacheability can typically be determined by the value of m_offset
2524         (this is invalidOffset if not cacheable).
2525
2526             * Internally, always track the type of the property using an enum value, PropertyType.
2527             * Use m_offset to indicate cacheable.
2528             * Keep the external interface (CachedPropertyType) unchanged.
2529             * Better pack data into the m_data union.
2530
2531         Performance neutral.
2532
2533         * dfg/DFGRepatch.cpp:
2534         (JSC::DFG::tryCacheGetByID):
2535         (JSC::DFG::tryBuildGetByIDList):
2536             - cachedPropertyType() -> isCacheable*()
2537         * jit/JITPropertyAccess.cpp:
2538         (JSC::JIT::privateCompileGetByIdProto):
2539         (JSC::JIT::privateCompileGetByIdSelfList):
2540         (JSC::JIT::privateCompileGetByIdProtoList):
2541         (JSC::JIT::privateCompileGetByIdChainList):
2542         (JSC::JIT::privateCompileGetByIdChain):
2543             - cachedPropertyType() -> isCacheable*()
2544         * jit/JITPropertyAccess32_64.cpp:
2545         (JSC::JIT::privateCompileGetByIdProto):
2546         (JSC::JIT::privateCompileGetByIdSelfList):
2547         (JSC::JIT::privateCompileGetByIdProtoList):
2548         (JSC::JIT::privateCompileGetByIdChainList):
2549         (JSC::JIT::privateCompileGetByIdChain):
2550             - cachedPropertyType() -> isCacheable*()
2551         * jit/JITStubs.cpp:
2552         (JSC::tryCacheGetByID):
2553             - cachedPropertyType() -> isCacheable*()
2554         * llint/LLIntSlowPaths.cpp:
2555         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2556             - cachedPropertyType() -> isCacheable*()
2557         * runtime/PropertySlot.cpp:
2558         (JSC::PropertySlot::functionGetter):
2559             - refactoring described above.
2560         * runtime/PropertySlot.h:
2561         (JSC::PropertySlot::PropertySlot):
2562         (JSC::PropertySlot::getValue):
2563         (JSC::PropertySlot::isCacheable):
2564         (JSC::PropertySlot::isCacheableValue):
2565         (JSC::PropertySlot::isCacheableGetter):
2566         (JSC::PropertySlot::isCacheableCustom):
2567         (JSC::PropertySlot::cachedOffset):
2568         (JSC::PropertySlot::customGetter):
2569         (JSC::PropertySlot::setValue):
2570         (JSC::PropertySlot::setCustom):
2571         (JSC::PropertySlot::setCacheableCustom):
2572         (JSC::PropertySlot::setCustomIndex):
2573         (JSC::PropertySlot::setGetterSlot):
2574         (JSC::PropertySlot::setCacheableGetterSlot):
2575         (JSC::PropertySlot::setUndefined):
2576         (JSC::PropertySlot::slotBase):
2577         (JSC::PropertySlot::setBase):
2578             - refactoring described above.
2579
2580 2013-07-28  Oliver Hunt  <oliver@apple.com>
2581
2582         REGRESSION: Crash when opening Facebook.com
2583         https://bugs.webkit.org/show_bug.cgi?id=119155
2584
2585         Reviewed by Andreas Kling.
2586
2587         Scope nodes are always objects, so we should be using SpecObjectOther
2588         rather than SpecCellOther.  Marking Scopes as CellOther leads to a
2589         contradiction in the CFA, resulting in bogus codegen.
2590
2591         * dfg/DFGAbstractInterpreterInlines.h:
2592         (JSC::DFG::::executeEffects):
2593         * dfg/DFGPredictionPropagationPhase.cpp:
2594         (JSC::DFG::PredictionPropagationPhase::propagate):
2595
2596 2013-07-26  Oliver Hunt  <oliver@apple.com>
2597
2598         REGRESSION(FTL?): Crashes in plugin tests
2599         https://bugs.webkit.org/show_bug.cgi?id=119141
2600
2601         Reviewed by Michael Saboff.
2602
2603         Re-export getStackTrace
2604
2605         * interpreter/Interpreter.h:
2606
2607 2013-07-26  Filip Pizlo  <fpizlo@apple.com>
2608
2609         REGRESSION: Crash when opening a message on Gmail
2610         https://bugs.webkit.org/show_bug.cgi?id=119105
2611
2612         Reviewed by Oliver Hunt and Mark Hahnenberg.
2613         
2614         - GetById patching in the DFG needs to be more disciplined about how it derives the
2615           slow path.
2616         
2617         - Fix some dumping code thread safety issues.
2618
2619         * bytecode/CallLinkStatus.cpp:
2620         (JSC::CallLinkStatus::dump):
2621         * bytecode/CodeBlock.cpp:
2622         (JSC::CodeBlock::dumpBytecode):
2623         * dfg/DFGRepatch.cpp:
2624         (JSC::DFG::getPolymorphicStructureList):
2625         (JSC::DFG::tryBuildGetByIDList):
2626
2627 2013-07-26  Balazs Kilvady  <kilvadyb@homejinni.com>
2628
2629         [mips] Fix LLINT build for mips backend
2630         https://bugs.webkit.org/show_bug.cgi?id=119152
2631
2632         Reviewed by Oliver Hunt.
2633
2634         * offlineasm/mips.rb:
2635
2636 2013-07-19  Mark Hahnenberg  <mhahnenberg@apple.com>
2637
2638         Setting a large numeric property on an object causes it to allocate a huge backing store
2639         https://bugs.webkit.org/show_bug.cgi?id=118914
2640
2641         Reviewed by Geoffrey Garen.
2642
2643         There are two distinct actions that we're trying to optimize for:
2644
2645         new Array(100000);
2646
2647         and:
2648
2649         a = [];
2650         a[100000] = 42;
2651         
2652         In the first case, the programmer has indicated that they expect this Array to be very big, 
2653         so they should get a contiguous array up until some threshold, above which we perform density 
2654         calculations to see if it is indeed dense enough to warrant being contiguous.
2655         
2656         In the second case, the programmer hasn't indicated anything about the size of the Array, so 
2657         we should be more conservative and assume it should be sparse until we've proven otherwise.
2658         
2659         Currently both of those cases are handled by MIN_SPARSE_ARRAY_INDEX. We should distinguish 
2660         between them for the purposes of not over-allocating large backing stores like we see on 
2661         http://www.peekanalytics.com/burgerjoints/
2662         
2663         The way that we'll do this is to keep the MIN_SPARSE_ARRAY_INDEX for the first case, and 
2664         introduce a new heuristic for the second case. If we are putting to an index above a certain 
2665         threshold (say, 1000) and it is beyond the length of the array, then we will use a sparse 
2666         map instead. So for example, in the second case above the empty array has a blank indexing 
2667         type and a length of 0. We put-by-val to an index > 1000 and > a.length, so we'll use a sparse map.
2668
2669         This fix is ~800x speedup on the accompanying regression test :-o
2670
2671         * runtime/ArrayConventions.h:
2672         (JSC::indexIsSufficientlyBeyondLengthForSparseMap):
2673         * runtime/JSObject.cpp:
2674         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2675         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
2676         (JSC::JSObject::putByIndexBeyondVectorLength):
2677         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
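
        As an added example that is not JavaScriptCore's code, the following C++ model contrasts the old
        length-only rule with the new beyond-length heuristic described in the entry above, so the
        difference in backing-store size for `a = []; a[9999] = 42` can be checked directly. The
        threshold values (10000 and 1000), the function and type names, and the omission of the density
        calculation are assumptions of the model.

```cpp
// Added example (not JavaScriptCore code): a model of the two sparse-map
// heuristics described in the ChangeLog entry, comparing how many contiguous
// slots each policy allocates for a put-by-index on an array.
#include <cstddef>
#include <cstdint>
#include <map>
#include <vector>

namespace model {

// Assumed constants; JSC's real values live in runtime/ArrayConventions.h.
constexpr unsigned kMinSparseArrayIndex = 10000;       // stands in for MIN_SPARSE_ARRAY_INDEX
constexpr unsigned kMinBeyondLengthSparseIndex = 1000; // the "say, 1000" threshold from the entry

// The new heuristic: an index above the threshold that is also beyond the
// current length goes to the sparse map instead of growing the vector.
inline bool indexIsSufficientlyBeyondLengthForSparseMap(unsigned index, unsigned length)
{
    return index > kMinBeyondLengthSparseIndex && index > length;
}

// LengthOnly: only MIN_SPARSE_ARRAY_INDEX decides (the behaviour the entry fixes).
// BeyondLengthAware: additionally applies the beyond-length heuristic.
enum class Policy { LengthOnly, BeyondLengthAware };

// A toy array with contiguous storage plus a sparse map; the density
// calculation mentioned in the entry is deliberately left out of the model.
struct ToyArray {
    std::vector<int64_t> vector;        // contiguous backing store
    std::map<unsigned, int64_t> sparse; // sparse map for far-away indices
    unsigned length = 0;
    Policy policy;

    // "new Array(n)": the programmer asked for a big array, so it is
    // contiguous up to kMinSparseArrayIndex (the entry's first case).
    explicit ToyArray(Policy p, unsigned initialLength = 0) : policy(p)
    {
        if (initialLength < kMinSparseArrayIndex)
            vector.resize(initialLength);
        length = initialLength;
    }

    void putByIndex(unsigned index, int64_t value)
    {
        bool useSparse = index >= kMinSparseArrayIndex;
        if (policy == Policy::BeyondLengthAware)
            useSparse = useSparse || indexIsSufficientlyBeyondLengthForSparseMap(index, length);
        if (useSparse) {
            sparse[index] = value;
        } else {
            // This resize is the over-allocation the entry describes.
            if (index >= vector.size())
                vector.resize(index + 1);
            vector[index] = value;
        }
        if (index >= length)
            length = index + 1;
    }

    int64_t get(unsigned index) const
    {
        if (index < vector.size())
            return vector[index];
        auto it = sparse.find(index);
        return it == sparse.end() ? 0 : it->second; // 0 stands in for undefined
    }

    size_t contiguousSlots() const { return vector.size(); }
    size_t sparseEntries() const { return sparse.size(); }
};

// The entry's second case: a = []; a[index] = 42. Returns the number of
// contiguous slots the chosen policy ends up allocating.
size_t slotsAllocatedForSinglePut(Policy p, unsigned index)
{
    ToyArray a(p);
    a.putByIndex(index, 42);
    return a.contiguousSlots();
}

} // namespace model
```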
2678
2679 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
2680
2681         REGRESSION(FTL): Fix lots of crashes in sh4 baseline JIT.
2682         https://bugs.webkit.org/show_bug.cgi?id=119148
2683
2684         Reviewed by Csaba Osztrogonác.
2685
2686         * jit/JSInterfaceJIT.h: "secondArgumentRegister" is wrong for sh4.
2687         * llint/LowLevelInterpreter32_64.asm: "move t0, a0" is missing
2688         in nativeCallTrampoline for sh4. Reuse MIPS implementation to avoid
2689         code duplication.
2690
2691 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
2692
2693         REGRESSION(FTL): Crash in sh4 baseline JIT.
2694         https://bugs.webkit.org/show_bug.cgi?id=119138
2695
2696         Reviewed by Csaba Osztrogonác.
2697
2698         This crash is due to incomplete report of r150146 and r148474.
2699
2700         * jit/JITStubsSH4.h:
2701
2702 2013-07-26  Zan Dobersek  <zdobersek@igalia.com>
2703
2704         Unreviewed.
2705
2706         * Target.pri: Adding missing DFG files to the Qt build.
2707
2708 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
2709
2710         GTK and Qt buildfix after the intrusive win buildfix r153360.
2711
2712         * GNUmakefile.list.am:
2713         * Target.pri:
2714
2715 2013-07-25  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
2716
2717         Unreviewed, fix build break after r153360.
2718
2719         * CMakeLists.txt: Add CommonSlowPathsExceptions.cpp.
2720
2721 2013-07-25  Roger Fong  <roger_fong@apple.com>
2722
2723         Unreviewed build fix, AppleWin port.
2724
2725         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2726         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2727         * JavaScriptCore.vcxproj/copy-files.cmd:
2728
2729 2013-07-25  Roger Fong  <roger_fong@apple.com>
2730
2731         Unreviewed. Followup to r153360.
2732
2733         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2734         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2735
2736 2013-07-25  Michael Saboff  <msaboff@apple.com>
2737
2738         [Windows] Speculative build fix.
2739
2740         Moved interpreterThrowInCaller() out of LLintExceptions.cpp into new CommonSlowPathsExceptions.cpp
2741         that is always compiled.  Made LLInt::returnToThrow() conditional on LLINT being enabled.
2742
2743         * JavaScriptCore.xcodeproj/project.pbxproj:
2744         * llint/LLIntExceptions.cpp:
2745         * llint/LLIntExceptions.h:
2746         * llint/LLIntSlowPaths.cpp:
2747         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2748         * runtime/CommonSlowPaths.cpp:
2749         (JSC::SLOW_PATH_DECL):
2750         * runtime/CommonSlowPathsExceptions.cpp: Added.
2751         (JSC::CommonSlowPaths::interpreterThrowInCaller):
2752         * runtime/CommonSlowPathsExceptions.h: Added.
2753
2754 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
2755
2756         [Windows] Unreviewed build fix.
2757
2758         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing IntendedStructureChange.h,.cpp and
2759         parser/SourceCode.h,.cpp.
2760         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
2761
2762 2013-07-25  Anders Carlsson  <andersca@apple.com>
2763
2764         ASSERT(m_vm->apiLock().currentThreadIsHoldingLock()); fails for Safari on current ToT
2765         https://bugs.webkit.org/show_bug.cgi?id=119108
2766
2767         Reviewed by Mark Hahnenberg.
2768
2769         Add a currentThreadIsHoldingAPILock() function to VM that checks if the current thread is the exclusive API thread.
2770
2771         * heap/CopiedSpace.cpp:
2772         (JSC::CopiedSpace::tryAllocateSlowCase):
2773         * heap/Heap.cpp:
2774         (JSC::Heap::protect):
2775         (JSC::Heap::unprotect):
2776         (JSC::Heap::collect):
2777         * heap/MarkedAllocator.cpp:
2778         (JSC::MarkedAllocator::allocateSlowCase):
2779         * runtime/JSGlobalObject.cpp:
2780         (JSC::JSGlobalObject::init):
2781         * runtime/VM.h:
2782         (JSC::VM::currentThreadIsHoldingAPILock):
2783
2784 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2785
2786         REGRESSION(FTL): Most layout tests crashes
2787         https://bugs.webkit.org/show_bug.cgi?id=119089
2788
2789         Reviewed by Oliver Hunt.
2790
2791         * runtime/ExecutionHarness.h:
2792         (JSC::prepareForExecution): Move the prepareForExecutionImpl call into its own statement. This prevents the GCC-compiled
2793         code from creating the PassOwnPtr<JSC::JITCode> (intended as a parameter to the installOptimizedCode call) from the jitCode
2794         RefPtr<JSC::JITCode> parameter before the latter has actually been given a proper value through the prepareForExecutionImpl call.
2795         Currently it's created beforehand and therefore holds a null pointer before it's anchored as the JIT code in
2796         JSC::CodeBlock::setJITCode, which later indirectly causes assertions in JSC::CodeBlock::jitCompile.
2797         (JSC::prepareFunctionForExecution): Ditto for prepareFunctionForExecutionImpl.
2798
2799 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
2800
2801         [Windows] Unreviewed build fix.
2802
2803         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Add missing 'ftl'
2804         include path.
2805
2806 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
2807
2808         [Windows] Unreviewed build fix.
2809
2810         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add some missing files:
2811         runtime/VM.h,.cpp; Remove deleted JSGlobalData.h,.cpp.
2812         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
2813
2814 2013-07-25  Oliver Hunt  <oliver@apple.com>
2815
2816         Make all jit & non-jit combos build cleanly
2817         https://bugs.webkit.org/show_bug.cgi?id=119102
2818
2819         Reviewed by Anders Carlsson.
2820
2821         * bytecode/CodeBlock.cpp:
2822         (JSC::CodeBlock::counterValueForOptimizeSoon):
2823         * bytecode/CodeBlock.h:
2824         (JSC::CodeBlock::optimizeAfterWarmUp):
2825         (JSC::CodeBlock::numberOfDFGCompiles):
2826
2827 2013-07-25  Oliver Hunt  <oliver@apple.com>
2828
2829         32 bit portion of load validation logic
2830         https://bugs.webkit.org/show_bug.cgi?id=118878
2831
2832         Reviewed by NOBODY (Build fix).
2833
2834         * dfg/DFGSpeculativeJIT32_64.cpp:
2835         (JSC::DFG::SpeculativeJIT::compile):
2836
2837 2013-07-25  Oliver Hunt  <oliver@apple.com>
2838
2839         More 32bit build fixes
2840
2841         - Apparently some compilers don't track the fastcall directive everywhere we expect
2842
2843         * API/APICallbackFunction.h:
2844         (JSC::APICallbackFunction::call):
2845         * bytecode/CodeBlock.cpp:
2846         * runtime/Structure.cpp:
2847
2848 2013-07-25  Yi Shen  <max.hong.shen@gmail.com>
2849
2850         Optimize the thread locks for API Shims
2851         https://bugs.webkit.org/show_bug.cgi?id=118573
2852
2853         Reviewed by Geoffrey Garen.
2854
2855         Remove the thread lock from API Shims if the VM has an exclusive thread (e.g. the VM 
2856         only used by WebCore's main thread).
2857
2858         * API/APIShims.h:
2859         (JSC::APIEntryShim::APIEntryShim):
2860         (JSC::APICallbackShim::APICallbackShim):
2861         * runtime/JSLock.cpp:
2862         (JSC::JSLockHolder::JSLockHolder):
2863         (JSC::JSLockHolder::init):
2864         (JSC::JSLockHolder::~JSLockHolder):
2865         (JSC::JSLock::DropAllLocks::DropAllLocks):
2866         (JSC::JSLock::DropAllLocks::~DropAllLocks):
2867         * runtime/VM.cpp:
2868         (JSC::VM::VM):
2869         * runtime/VM.h:
2870
2871 2013-07-25  Christophe Dumez  <ch.dumez@sisa.samsung.com>
2872
2873         Unreviewed build fix after r153218.
2874
2875         Broke the EFL port build with gcc 4.7.
2876
2877         * interpreter/StackIterator.cpp:
2878         (JSC::printif):
2879
2880 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
2881
2882         Build fix: add missing #include.
2883         https://bugs.webkit.org/show_bug.cgi?id=119087
2884
2885         Reviewed by Allan Sandfeld Jensen.
2886
2887         * bytecode/ArrayProfile.cpp:
2888
2889 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
2890
2891         Unreviewed, build fix on the EFL port.
2892
2893         * CMakeLists.txt: Added JSCTestRunnerUtils.cpp.
2894
2895 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
2896
2897         [sh4] Add missing store8(TrustedImm32, void*) implementation in baseline JIT.
2898         https://bugs.webkit.org/show_bug.cgi?id=119083
2899
2900         Reviewed by Allan Sandfeld Jensen.
2901
2902         * assembler/MacroAssemblerSH4.h:
2903         (JSC::MacroAssemblerSH4::store8):
2904
2905 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
2906
2907         [Qt] Fix test build after FTL upstream
2908
2909         Unreviewed build fix.
2910
2911         * Target.pri:
2912
2913 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
2914
2915         [Qt] Build fix after FTL.
2916
2917         Unreviewed build fix.
2918
2919         * Target.pri:
2920         * interpreter/StackIterator.cpp:
2921         (JSC::StackIterator::Frame::print):
2922
2923 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
2924
2925         Unreviewed build fix after FTL upstream.
2926
2927         * dfg/DFGWorklist.cpp:
2928         (JSC::DFG::Worklist::~Worklist):
2929
2930 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
2931
2932         Unreviewed, build fix on the EFL port.
2933
2934         * CMakeLists.txt:
2935         Added SourceCode.cpp and removed BlackBerry file.
2936         * jit/JITCode.h:
2937         (JSC::JITCode::nextTierJIT):
2938         Fixed build break caused by -Werror=return-type
2939         * parser/Lexer.cpp: Includes JSFunctionInlines.h
2940         * runtime/JSScope.h:
2941         (JSC::makeType):
2942         Fixed build break caused by -Werror=return-type
2943
2944 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
2945
2946         Unreviewed build fixing after FTL upstream.
2947
2948         * runtime/Executable.cpp:
2949         (JSC::FunctionExecutable::produceCodeBlockFor):
2950
2951 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
2952
2953         Add missing implementation of bxxxnz in sh4 LLINT.
2954         https://bugs.webkit.org/show_bug.cgi?id=119079
2955
2956         Reviewed by Allan Sandfeld Jensen.
2957
2958         * offlineasm/sh4.rb:
2959
2960 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
2961
2962         Unreviewed, build fix on the Qt port.
2963
2964         * Target.pri: Add additional build files for the FTL.
2965
2966 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
2967
2968         Unreviewed buildfix after FTL upstream.
2969
2970         * interpreter/StackIterator.cpp:
2971         (JSC::StackIterator::Frame::codeType):
2972         (JSC::StackIterator::Frame::functionName):
2973         (JSC::StackIterator::Frame::sourceURL):
2974         (JSC::StackIterator::Frame::logicalFrame):
2975
2976 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2977
2978         Unreviewed.
2979
2980         * heap/CopyVisitor.cpp: Include CopiedSpaceInlines header so the CopiedSpace::recycleEvacuatedBlock
2981         method is not left undefined, causing build failures on (at least) the GTK port.
2982
2983 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2984
2985         Unreviewed, further build fixing on the GTK port.
2986
2987         * GNUmakefile.list.am: Add CompilationResult source files to the build.
2988
2989 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
2990
2991         Unreviewed GTK build fixing.
2992
2993         * GNUmakefile.am: Make the shared libjsc library depend on any changes to the build target list.
2994         * GNUmakefile.list.am: Add additional build targets for files that were introduced by the FTL branch merge.
2995
2996 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
2997
2998         Buildfix after this error:
2999         error: 'pathName' may be used uninitialized in this function [-Werror=uninitialized]
3000
3001         * dfg/DFGPlan.cpp:
3002         (JSC::DFG::Plan::compileInThread):
3003
3004 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3005
3006         One more buildfix after FTL upstream.
3007
3008         Return a dummy value after RELEASE_ASSERT_NOT_REACHED() to make GCC happy.
3009
3010         * dfg/DFGLazyJSValue.cpp:
3011         (JSC::DFG::LazyJSValue::getValue):
3012         (JSC::DFG::LazyJSValue::strictEqual):
3013
3014 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
3015
3016         Fix "Unhandled opcode localAnnotation" build error in sh4 and mips LLINT.
3017         https://bugs.webkit.org/show_bug.cgi?id=119076
3018
3019         Reviewed by Allan Sandfeld Jensen.
3020
3021         * offlineasm/mips.rb:
3022         * offlineasm/sh4.rb:
3023
3024 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3025
3026         Unreviewed GTK build fix.
3027
3028         * GNUmakefile.list.am: Adding JSCTestRunnerUtils files to the build.
3029
3030 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3031
3032         Unreviewed. Further build fixing for the GTK port. Adding the forwarding header
3033         for JSCTestRunnerUtils.h as required by the DumpRenderTree compilation.
3034
3035         * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h: Added.
3036
3037 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3038
3039         Unreviewed. Fixing the GTK build after the FTL merging by updating the build targets list.
3040
3041         * GNUmakefile.am:
3042         * GNUmakefile.list.am:
3043
3044 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
3045
3046         Unreviewed buildfix after FTL upstream.
3047
3048         * runtime/JSScope.h:
3049         (JSC::needsVarInjectionChecks):
3050
3051 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3052
3053         One more fix after FTL upstream.
3054
3055         * Target.pri:
3056         * bytecode/CodeBlock.h:
3057         * bytecode/GetByIdStatus.h:
3058         (JSC::GetByIdStatus::GetByIdStatus):
3059
3060 2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>
3061
3062         Unreviewed buildfix after FTL upstream.
3063
3064         Add ftl directory as include path.
3065
3066         * CMakeLists.txt:
3067         * JavaScriptCore.pri:
3068
3069 2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>
3070
3071         Unreviewed buildfix after FTL upstream for non C++11 builds.
3072
3073         * interpreter/CallFrame.h:
3074         * interpreter/StackIteratorPrivate.h:
3075         (JSC::StackIterator::end):
3076
3077 2013-07-24  Oliver Hunt  <oliver@apple.com>
3078
3079         Endeavour to fix CMakelist builds
3080
3081         * CMakeLists.txt:
3082
3083 2013-07-24  Filip Pizlo  <fpizlo@apple.com>
3084
3085         fourthTier: DFG IR dumps should be easier to read
3086         https://bugs.webkit.org/show_bug.cgi?id=119050
3087
3088         Reviewed by Mark Hahnenberg.
3089         
3090         Added a DumpContext that includes support for printing an endnote
3091         that describes all structures in full, while the main flow of the
3092         dump just uses made-up names for the structures. This is helpful
3093         since Structure::dump() may print a lot. The stuff it prints is
3094         useful, but if it's all inline with the surrounding thing you're        
3095         dumping (often, a node in the DFG), then you get a ridiculously
3096         long print-out. All classes that dump structures (including
3097         Structure itself) now have dumpInContext() methods that use
3098         inContext() for dumping anything that might transitively print a
3099         structure. If Structure::dumpInContext() is called with a NULL
3100         context, it just uses dump() like before. Hence you don't have to
3101         know anything about DumpContext unless you want to.
3102         
3103         inContext(*structure, context) dumps something like %B4:Array,
3104         and the endnote will have something like:
3105         
3106             %B4:Array    = 0x10e91a180:[Array, {Edge:100, Normal:101, Line:102, NumPx:103, LastPx:104}, ArrayWithContiguous, Proto:0x10e99ffe0]
3107         
3108         where B4 is the inferred name that StringHashDumpContext came up
3109         with.
3110         
3111         Also shortened a bunch of other dumps, removing information that
3112         isn't so important.
3113         
3114         * JavaScriptCore.xcodeproj/project.pbxproj:
3115         * bytecode/ArrayProfile.cpp:
3116         (JSC::dumpArrayModes):
3117         * bytecode/CodeBlockHash.cpp:
3118         (JSC):
3119         (JSC::CodeBlockHash::CodeBlockHash):
3120         (JSC::CodeBlockHash::dump):
3121         * bytecode/CodeOrigin.cpp:
3122         (JSC::CodeOrigin::dumpInContext):
3123         (JSC):
3124         (JSC::InlineCallFrame::dumpInContext):
3125         (JSC::InlineCallFrame::dump):
3126         * bytecode/CodeOrigin.h:
3127         (CodeOrigin):
3128         (InlineCallFrame):
3129         * bytecode/Operands.h:
3130         (JSC::OperandValueTraits::isEmptyForDump):
3131         (Operands):
3132         (JSC::Operands::dump):
3133         (JSC):
3134         * bytecode/OperandsInlines.h: Added.
3135         (JSC):
3136         (JSC::::dumpInContext):
3137         * bytecode/StructureSet.h:
3138         (JSC::StructureSet::dumpInContext):
3139         (JSC::StructureSet::dump):
3140         (StructureSet):
3141         * dfg/DFGAbstractValue.cpp:
3142         (JSC::DFG::AbstractValue::dump):
3143         (DFG):
3144         (JSC::DFG::AbstractValue::dumpInContext):
3145         * dfg/DFGAbstractValue.h:
3146         (JSC::DFG::AbstractValue::operator!):
3147         (AbstractValue):
3148         * dfg/DFGCFAPhase.cpp:
3149         (JSC::DFG::CFAPhase::performBlockCFA):
3150         * dfg/DFGCommon.cpp:
3151         * dfg/DFGCommon.h:
3152         (JSC::DFG::NodePointerTraits::isEmptyForDump):
3153         * dfg/DFGDisassembler.cpp:
3154         (JSC::DFG::Disassembler::createDumpList):
3155         * dfg/DFGDisassembler.h:
3156         (Disassembler):
3157         * dfg/DFGFlushFormat.h:
3158         (WTF::inContext):
3159         (WTF):
3160         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
3161         * dfg/DFGGraph.cpp:
3162         (JSC::DFG::Graph::dumpCodeOrigin):
3163         (JSC::DFG::Graph::dump):
3164         (JSC::DFG::Graph::dumpBlockHeader):
3165         * dfg/DFGGraph.h:
3166         (Graph):
3167         * dfg/DFGLazyJSValue.cpp:
3168         (JSC::DFG::LazyJSValue::dumpInContext):
3169         (JSC::DFG::LazyJSValue::dump):
3170         (DFG):
3171         * dfg/DFGLazyJSValue.h:
3172         (LazyJSValue):
3173         * dfg/DFGNode.h:
3174         (JSC::DFG::nodeMapDump):
3175         (WTF::inContext):
3176         (WTF):
3177         * dfg/DFGOSRExitCompiler32_64.cpp:
3178         (JSC::DFG::OSRExitCompiler::compileExit):
3179         * dfg/DFGOSRExitCompiler64.cpp:
3180         (JSC::DFG::OSRExitCompiler::compileExit):
3181         * dfg/DFGStructureAbstractValue.h:
3182         (JSC::DFG::StructureAbstractValue::dumpInContext):
3183         (JSC::DFG::StructureAbstractValue::dump):
3184         (StructureAbstractValue):
3185         * ftl/FTLExitValue.cpp:
3186         (JSC::FTL::ExitValue::dumpInContext):
3187         (JSC::FTL::ExitValue::dump):
3188         (FTL):
3189         * ftl/FTLExitValue.h:
3190         (ExitValue):
3191         * ftl/FTLLowerDFGToLLVM.cpp:
3192         * ftl/FTLValueSource.cpp:
3193         (JSC::FTL::ValueSource::dumpInContext):
3194         (FTL):
3195         * ftl/FTLValueSource.h:
3196         (ValueSource):
3197         * runtime/DumpContext.cpp: Added.
3198         (JSC):
3199         (JSC::DumpContext::DumpContext):
3200         (JSC::DumpContext::~DumpContext):
3201         (JSC::DumpContext::isEmpty):
3202         (JSC::DumpContext::dump):
3203         * runtime/DumpContext.h: Added.
3204         (JSC):
3205         (DumpContext):
3206         * runtime/JSCJSValue.cpp:
3207         (JSC::JSValue::dump):
3208         (JSC):
3209         (JSC::JSValue::dumpInContext):
3210         * runtime/JSCJSValue.h:
3211         (JSC):
3212         (JSValue):
3213         * runtime/Structure.cpp:
3214         (JSC::Structure::dumpInContext):
3215         (JSC):
3216         (JSC::Structure::dumpBrief):
3217         (JSC::Structure::dumpContextHeader):
3218         * runtime/Structure.h:
3219         (JSC):
3220         (Structure):
3221
3222 2013-07-22  Filip Pizlo  <fpizlo@apple.com>
3223
3224         fourthTier: DFG should do a high-level LICM before going to FTL
3225         https://bugs.webkit.org/show_bug.cgi?id=118749
3226
3227         Reviewed by Oliver Hunt.
3228         
3229         Implements LICM hoisting for nodes that never write anything and never read
3230         things that are clobbered by the loop. There are some other preconditions for
3231         hoisting, see DFGLICMPhase.cpp.
3232
3233         Also did a few fixes:
3234         
3235         - ClobberSet::add was failing to switch Super entries to Direct entries in
3236           some cases.
3237         
3238         - DFGClobberize.cpp needed to #include "Operations.h".
3239         
3240         - DCEPhase needs to process the graph in reverse DFS order, when we're in SSA.
3241         
3242         - AbstractInterpreter can now execute a Node without knowing its indexInBlock.
3243           Knowing the indexInBlock is an optional optimization that all other clients
3244           of AI still opt into, but LICM doesn't.
3245         
3246         This makes the FTL a 2.19x speed-up on imaging-gaussian-blur.
3247
3248         * JavaScriptCore.xcodeproj/project.pbxproj:
3249         * dfg/DFGAbstractInterpreter.h:
3250         (AbstractInterpreter):
3251         * dfg/DFGAbstractInterpreterInlines.h:
3252         (JSC::DFG::::executeEffects):
3253         (JSC::DFG::::execute):
3254         (DFG):
3255         (JSC::DFG::::clobberWorld):
3256         (JSC::DFG::::clobberStructures):
3257         * dfg/DFGAtTailAbstractState.cpp: Added.
3258         (DFG):
3259         (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
3260         (JSC::DFG::AtTailAbstractState::~AtTailAbstractState):
3261         (JSC::DFG::AtTailAbstractState::createValueForNode):
3262         (JSC::DFG::AtTailAbstractState::forNode):
3263         * dfg/DFGAtTailAbstractState.h: Added.
3264         (DFG):
3265         (AtTailAbstractState):
3266         (JSC::DFG::AtTailAbstractState::initializeTo):
3267         (JSC::DFG::AtTailAbstractState::forNode):
3268         (JSC::DFG::AtTailAbstractState::variables):
3269         (JSC::DFG::AtTailAbstractState::block):
3270         (JSC::DFG::AtTailAbstractState::isValid):
3271         (JSC::DFG::AtTailAbstractState::setDidClobber):
3272         (JSC::DFG::AtTailAbstractState::setIsValid):
3273         (JSC::DFG::AtTailAbstractState::setBranchDirection):
3274         (JSC::DFG::AtTailAbstractState::setFoundConstants):
3275         (JSC::DFG::AtTailAbstractState::haveStructures):
3276         (JSC::DFG::AtTailAbstractState::setHaveStructures):
3277         * dfg/DFGBasicBlock.h:
3278         (JSC::DFG::BasicBlock::insertBeforeLast):
3279         * dfg/DFGBasicBlockInlines.h:
3280         (DFG):
3281         * dfg/DFGClobberSet.cpp:
3282         (JSC::DFG::ClobberSet::add):
3283         (JSC::DFG::ClobberSet::addAll):
3284         * dfg/DFGClobberize.cpp:
3285         (JSC::DFG::doesWrites):
3286         * dfg/DFGClobberize.h:
3287         (DFG):
3288         * dfg/DFGDCEPhase.cpp:
3289         (JSC::DFG::DCEPhase::DCEPhase):
3290         (JSC::DFG::DCEPhase::run):
3291         (JSC::DFG::DCEPhase::fixupBlock):
3292         (DCEPhase):
3293         * dfg/DFGEdgeDominates.h: Added.
3294         (DFG):
3295         (EdgeDominates):
3296         (JSC::DFG::EdgeDominates::EdgeDominates):
3297         (JSC::DFG::EdgeDominates::operator()):
3298         (JSC::DFG::EdgeDominates::result):
3299         (JSC::DFG::edgesDominate):
3300         * dfg/DFGFixupPhase.cpp:
3301         (JSC::DFG::FixupPhase::fixupNode):
3302         (JSC::DFG::FixupPhase::checkArray):
3303         * dfg/DFGLICMPhase.cpp: Added.
3304         (LICMPhase):
3305         (JSC::DFG::LICMPhase::LICMPhase):
3306         (JSC::DFG::LICMPhase::run):
3307         (JSC::DFG::LICMPhase::attemptHoist):
3308         (DFG):
3309         (JSC::DFG::performLICM):
3310         * dfg/DFGLICMPhase.h: Added.
3311         (DFG):
3312         * dfg/DFGPlan.cpp:
3313         (JSC::DFG::Plan::compileInThreadImpl):
3314
3315 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
3316
3317         fourthTier: DFG Nodes should be able to abstractly tell you what they read and what they write
3318         https://bugs.webkit.org/show_bug.cgi?id=118910
3319
3320         Reviewed by Sam Weinig.
3321         
3322         Add the notion of AbstractHeap to the DFG. This is analogous to the AbstractHeap in
3323         the FTL, except that the FTL's AbstractHeaps are used during LLVM lowering and are
3324         engineered to obey LLVM TBAA logic. The FTL's AbstractHeaps are also engineered to
3325         be inexpensive to use (they just give you a TBAA node) but expensive to create (you
3326         create them all up front). FTL AbstractHeaps also don't actually give you the
3327         ability to reason about aliasing; they are *just* a mechanism for lowering to TBAA.
3328         The DFG's AbstractHeaps are engineered to be both cheap to create and cheap to use.
3329         They also give you aliasing machinery. The DFG AbstractHeaps are represented
3330         internally by an int64_t. Many comparisons between them are just integer comparisons.
3331         AbstractHeaps form a three-level hierarchy (World is the supertype of everything,
3332         Kind with a TOP payload is a direct subtype of World, and Kind with a non-TOP
3333         payload is the direct subtype of its corresponding TOP Kind).
3334         
3335         Add the notion of a ClobberSet. This is the set of AbstractHeaps that you had
3336         clobbered. It represents the set that results from unifying a bunch of
3337         AbstractHeaps, and is intended to quickly answer overlap questions: does the given
3338         AbstractHeap overlap any AbstractHeap in the ClobberSet? To this end, if you add an
3339         AbstractHeap to a set, it "directly" adds the heap itself, and "super" adds all of
3340         its ancestors. An AbstractHeap is said to overlap a set if any direct or super
3341         member is equal to it, or if any of its ancestors are equal to a direct member.
3342         
3343         Example #1:
3344         
3345             - I add Variables(5). I.e. Variables is the Kind and 5 is the payload. This
3346               is a subtype of Variables, which is a subtype of World.
3347             - You query Variables. I.e. Variables with a TOP payload, which is the
3348               supertype of Variables(X) for any X, and a subtype of World.
3349             
3350             The set will have Variables(5) as a direct member, and Variables and World as
3351             super members. The Variables query will immediately return true, because
3352             Variables is indeed a super member.
3353         
3354         Example #2:
3355         
3356             - I add Variables(5)
3357             - You query NamedProperties
3358             
3359             NamedProperties is not a member at all (neither direct nor super). We next
3360             query World. World is a member, but it's a super member, so we return false.
3361         
3362         Example #3:
3363         
3364             - I add Variables
3365             - You query Variables(5)
3366             
3367             The set will have Variables as a direct member, and World as a super member.
3368             The Variables(5) query will not find Variables(5) in the set, but then it
3369             will query Variables. Variables is a direct member, so we return true.
3370         
3371         Example #4:
3372         
3373             - I add Variables
3374             - You query NamedProperties(5)
3375             
3376             Neither NamedProperties nor NamedProperties(5) is a member. We next query
3377             World. World is a member, but it's a super member, so we return false.
3378         
3379         Overlap queries require that either the heap being queried is in the set (either
3380         direct or super), or that one of its ancestors is a direct member. Another way to
3381         think about how this works is that two heaps A and B are said to overlap if
3382         A.isSubtypeOf(B) or B.isSubtypeOf(A). This is sound since heaps form a
3383         single-inheritance hierarchy. Consider that we wanted to implement a set that holds
3384         heaps and answers the question, "is any member in the set an ancestor (i.e.
3385         supertype) of some other heap". We would have the set contain the heaps themselves,
3386         and we would satisfy the query "A.isSubtypeOfAny(set)" by walking the ancestor
3387         chain of A, and repeatedly querying its membership in the set. This is what the
3388         "direct" members of our set do. Now consider the other part, where we want to ask if
3389         any member of the set is a descendant of a heap, or "A.isSupertypeOfAny(set)". We
3390         would implement this by implementing set.add(B) as adding not just B but also all of
3391         B's ancestors; then we would answer A.isSupertypeOfAny(set) by just checking if A is
3392         in the set. With two such sets - one that answers isSubtypeOfAny() and another that
3393         answers isSupertypeOfAny() - we could answer the "do any of my heaps overlap your
3394         heap" question. ClobberSet does this, but combines the two sets into a single
3395         HashMap. The HashMap's value, "direct", means that the key is a member of both the
3396         supertype set and the subtype set; if it's false then it's only a member of one of
3397         them.
3398         
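The direct/super bookkeeping and the four overlap queries above, as an added C++ illustration that is not part of this ChangeLog entry or of JavaScriptCore's sources; the Kind enum, the TOP sentinel, and the int64_t packing are assumptions made for the example:

```cpp
// Added illustration of the AbstractHeap / ClobberSet scheme described above.
// Not JavaScriptCore's code: names follow the ChangeLog text, the integer
// packing is an assumption (JSC's real layout may differ).
#include <cstdint>
#include <optional>
#include <unordered_map>

enum class Kind : uint8_t { World = 0, Variables = 1, NamedProperties = 2 };

// TOP payload = "every payload of this Kind".
constexpr int64_t TOP = -1;

class AbstractHeap {
public:
    AbstractHeap(Kind kind, int64_t payload = TOP) : m_kind(kind), m_payload(payload) {}

    // Single int64_t key: Kind in the top byte, payload in the low 56 bits
    // (TOP packs to all ones, so real payloads must stay below 2^56 - 1).
    int64_t encoded() const {
        return (int64_t(m_kind) << 56) | (m_payload & ((int64_t(1) << 56) - 1));
    }
    bool operator==(const AbstractHeap& o) const { return encoded() == o.encoded(); }

    // Three-level hierarchy: World > Kind(TOP) > Kind(payload).
    std::optional<AbstractHeap> supertype() const {
        if (m_kind == Kind::World) return std::nullopt;
        if (m_payload != TOP) return AbstractHeap(m_kind, TOP);
        return AbstractHeap(Kind::World);
    }
    bool isSubtypeOf(const AbstractHeap& other) const {
        for (std::optional<AbstractHeap> h = *this; h; h = h->supertype())
            if (*h == other) return true;
        return false;
    }
    // Two heaps overlap iff one is a subtype of the other (single inheritance).
    bool overlaps(const AbstractHeap& other) const {
        return isSubtypeOf(other) || other.isSubtypeOf(*this);
    }
private:
    Kind m_kind;
    int64_t m_payload;
};

class ClobberSet {
public:
    // Direct: the heap itself. Super: each of its ancestors. A heap present only
    // as a super member is promoted to direct when it is later added itself
    // (the case the ChangeLog says an earlier add() handled wrongly).
    void add(const AbstractHeap& heap) {
        m_map[heap.encoded()] = true;
        for (std::optional<AbstractHeap> a = heap.supertype(); a; a = a->supertype())
            m_map.insert({ a->encoded(), false }); // insert() never downgrades a direct entry
    }
    bool isDirect(const AbstractHeap& heap) const {
        auto it = m_map.find(heap.encoded());
        return it != m_map.end() && it->second;
    }
    bool contains(const AbstractHeap& heap) const { return m_map.count(heap.encoded()) != 0; }
    // Overlap: the heap is a member (direct or super), or an ancestor is direct.
    bool overlaps(const AbstractHeap& heap) const {
        if (contains(heap)) return true;
        for (std::optional<AbstractHeap> a = heap.supertype(); a; a = a->supertype())
            if (isDirect(*a)) return true;
        return false;
    }
private:
    std::unordered_map<int64_t, bool> m_map; // value == "direct"
};

// The ChangeLog's four examples, each returning the result of the query.
bool example1() { ClobberSet s; s.add({ Kind::Variables, 5 }); return s.overlaps({ Kind::Variables }); }
bool example2() { ClobberSet s; s.add({ Kind::Variables, 5 }); return s.overlaps({ Kind::NamedProperties }); }
bool example3() { ClobberSet s; s.add({ Kind::Variables }); return s.overlaps({ Kind::Variables, 5 }); }
bool example4() { ClobberSet s; s.add({ Kind::Variables }); return s.overlaps({ Kind::NamedProperties, 5 }); }
// Super-to-direct promotion: after Variables(5), adding Variables makes Variables(7) overlap.
bool promotionExample() {
    ClobberSet s;
    s.add({ Kind::Variables, 5 });
    bool before = s.overlaps({ Kind::Variables, 7 });
    s.add({ Kind::Variables });
    return !before && s.isDirect({ Kind::Variables }) && s.overlaps({ Kind::Variables, 7 });
}
```
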
3399         Finally, this adds a functorized clobberize() method that adds the read and write
3400         clobbers of a DFG::Node to read and write functors. Common functors for adding to
3401         ClobberSets, querying overlap, and doing nothing are provided. Convenient wrappers
3402         are also provided. This allows you to say things like:
3403         
3404             ClobberSet set;
3405             addWrites(graph, node1, set);
3406