a94ae7fceda65100c4ef23230c8dc4a2e85147e4
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2011-09-23  Adam Klein  <adamk@chromium.org>

        Add ENABLE_MUTATION_OBSERVERS feature flag
        https://bugs.webkit.org/show_bug.cgi?id=68732

        Reviewed by Ojan Vafai.

        This flag will guard an implementation of the "Mutation Observers" proposed in
        http://lists.w3.org/Archives/Public/public-webapps/2011JulSep/1622.html

        * Configurations/FeatureDefines.xcconfig:

2011-09-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        De-virtualize JSCell::getJSNumber
        https://bugs.webkit.org/show_bug.cgi?id=68651

        Reviewed by Oliver Hunt.

        Added a new JSType to check whether or not something is a
        NumberObject (which includes NumberPrototype) in TypeInfo::isNumberObject because there's not
        currently a better way to determine whether something is indeed a NumberObject.
        Also de-virtualized JSCell::getJSNumber, having it check the TypeInfo
        for whether the object is a NumberObject or not.  This patch is part of
        the larger process of de-virtualizing JSCell.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/JSCell.cpp:
        (JSC::JSCell::getJSNumber):
        * runtime/JSCell.h:
        (JSC::JSValue::getJSNumber):
        * runtime/JSType.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::isNumberObject):
        * runtime/JSValue.h:
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::getJSNumber):
        * runtime/NumberObject.h:
        (JSC::NumberObject::createStructure):
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::createStructure):

2011-09-23  Filip Pizlo  <fpizlo@apple.com>

        Resolve opcodes should have value profiling.
        https://bugs.webkit.org/show_bug.cgi?id=68723

        Reviewed by Oliver Hunt.

        This adds value profiling to all forms of op_resolve in the
        old JIT, and patches that information into the DFG along with
        performing the appropriate type propagation.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predict):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::resolveGlobalDataIndex):
        (JSC::DFG::Node::hasPrediction):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_resolve):
        (JSC::JIT::emit_op_resolve_base):
        (JSC::JIT::emit_op_resolve_skip):
        (JSC::JIT::emit_op_resolve_global):
        (JSC::JIT::emitSlow_op_resolve_global):
        (JSC::JIT::emit_op_resolve_with_base):
        (JSC::JIT::emit_op_resolve_with_this):
        (JSC::JIT::emitSlow_op_resolve_global_dynamic):
        * jit/JITStubCall.h:
        (JSC::JITStubCall::callWithValueProfiling):

2011-09-23  Oliver Hunt  <oliver@apple.com>

        Fix windows build.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-09-23  Gavin Barraclough  <barraclough@apple.com>

        Strict mode does not work in non-trivial nested functions.
        https://bugs.webkit.org/show_bug.cgi?id=68740

        Reviewed by Oliver Hunt.

        Function-info caching does not preserve all state that it should.

        * parser/JSParser.cpp:
        (JSC::JSParser::Scope::saveFunctionInfo):
        (JSC::JSParser::Scope::restoreFunctionInfo):
        (JSC::JSParser::parseFunctionInfo):
        * parser/SourceProviderCacheItem.h:

2011-09-23  Filip Pizlo  <fpizlo@apple.com>

        ValueToDouble handling in prediction propagation should be ASSERT_NOT_REACHED
        https://bugs.webkit.org/show_bug.cgi?id=68724

        Reviewed by Oliver Hunt.

        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):

2011-09-23  Oliver Hunt  <oliver@apple.com>

        Build fix.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-09-23  Filip Pizlo  <fpizlo@apple.com>

        DFG implementation of PutScopedVar corrupts register allocation
        https://bugs.webkit.org/show_bug.cgi?id=68735

        Reviewed by Oliver Hunt.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-23  Oliver Hunt  <oliver@apple.com>

        Make write barriers actually do something when enabled
        https://bugs.webkit.org/show_bug.cgi?id=68717

        Reviewed by Geoffrey Garen.

        Add a basic card marking style write barrier to JSC (currently
        turned off).  This requires two scratch registers in the JIT
        so there was some register re-arranging to satisfy that requirement.
        Happily this produced a minor perf bump in sunspider (~0.5%).

        Turning the barriers on causes an overall regression of around 1.5%.

        * JavaScriptCore.exp:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::store8):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::movb_i8m):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::isKnownNotCell):
        (JSC::DFG::JITCodeGenerator::writeBarrier):
        (JSC::DFG::JITCodeGenerator::markCellCard):
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCachePutByID):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * heap/CardSet.h: Added.
        (JSC::CardSet::CardSet):
        (JSC::::cardForAtom):
        (JSC::::cardMarkedForAtom):
        (JSC::::markCardForAtom):
        * heap/Heap.cpp:
        * heap/Heap.h:
        (JSC::Heap::addressOfCardFor):
        (JSC::Heap::writeBarrierFastCase):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::setDirtyObject):
        (JSC::MarkedBlock::addressOfCardFor):
        (JSC::MarkedBlock::offsetOfCards):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::emit_op_put_scoped_var):
        (JSC::JIT::emit_op_put_global_var):
        (JSC::JIT::emitWriteBarrier):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::emit_op_put_scoped_var):
        (JSC::JIT::emit_op_put_global_var):

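The entry above describes a parser-cache bug whose visible effect is a nested function losing its strict-mode semantics. The following is an added conformance check, not WebKit's code or test suite; the entry does not say which nested-function shapes triggered the bug, so this assumes nothing about the trigger and simply exercises three behaviours that differ between strict and sloppy code inside a nested function (a hypothetical `outer`/`inner` pair):

```javascript
// Added example (not from WebKit): three strict-mode behaviours that a nested
// function declared with "use strict" must exhibit. A parser that drops the
// strictness of a nested function would fail at least one of them.

function outer() {
  function inner(param) {
    "use strict";
    const results = {};

    // 1. Called without a receiver, a strict function sees `this` === undefined;
    //    sloppy code would have it replaced by the global object.
    results.thisIsUndefined = this === undefined;

    // 2. Assigning to an undeclared identifier is a ReferenceError in strict
    //    code; sloppy code would silently create a global.
    try {
      undeclaredIdentifierXYZ = 2; // eslint-disable-line no-undef
      results.undeclaredThrows = false;
    } catch (e) {
      results.undeclaredThrows = e instanceof ReferenceError;
    }

    // 3. In strict code `arguments` is not aliased to the named parameters, so
    //    reassigning `param` must not change arguments[0].
    param = "changed";
    results.argumentsNotAliased = arguments[0] === "original";

    return results;
  }

  // Called with no receiver so that check 1 is meaningful.
  return inner("original");
}

// Convenience: true only when every check above passed.
function nestedStrictSemanticsHold() {
  const r = outer();
  return r.thisIsUndefined && r.undeclaredThrows && r.argumentsNotAliased;
}
```

Running `nestedStrictSemanticsHold()` on a conforming engine returns true; an engine that parses `inner` as sloppy code returns false on the first two checks and, for the third, reports `arguments[0]` as "changed".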
2011-09-23  Thouraya ANDOLSI  <thouraya.andolsi@st.com>

        https://bugs.webkit.org/show_bug.cgi?id=68077
        SH4 assemblers don't refer to executable memory handle.

        Reviewed by Gavin Barraclough.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branch8):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::executableCopy):

2011-09-23  Oliver Hunt  <oliver@apple.com>

        PutScopedVar nodes should report that they have a var number
        https://bugs.webkit.org/show_bug.cgi?id=68721

        Reviewed by Anders Carlsson.

        Another assertion fix.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasVarNumber):

2011-09-23  Oliver Hunt  <oliver@apple.com>

        Add a bunch of unhandled node types to the propagator
        https://bugs.webkit.org/show_bug.cgi?id=68716

        Reviewed by Darin Adler.

        Remove the ASSERT_NOT_REACHED() default for debug builds in the
        prediction propagator, this way unhandled nodes will just cause
        compile time failures rather than failing at some point in the
        future.

        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):

2011-09-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add static version of JSCell::visitChildren
        https://bugs.webkit.org/show_bug.cgi?id=68404

        Reviewed by Darin Adler.

        In this patch we just extract the bodies of the virtual visitChildren methods
        throughout the JSCell inheritance hierarchy out into static methods, which are
        now called from the virtual methods.  This is an intermediate step in trying to
        move the virtual-ness of visitChildren into our own custom vtable stored in
        ClassInfo.  We need to convert the methods to static methods in order to be
        able to more easily store and refer to them in our custom vtable since normal
        member methods store some implicit information in their types, making it
        impossible to store them generically in ClassInfo.

        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::visitChildrenVirtual):
        (JSC::JSCallbackObject::visitChildren):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::visitChildrenVirtual):
        (JSC::DebuggerActivation::visitChildren):
        * debugger/DebuggerActivation.h:
        * heap/MarkStack.cpp:
        (JSC::SlotVisitor::visitChildren):
        (JSC::SlotVisitor::drain):
        * runtime/Arguments.cpp:
        (JSC::Arguments::visitChildrenVirtual):
        (JSC::Arguments::visitChildren):
        * runtime/Arguments.h:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::visitChildrenVirtual):
        (JSC::EvalExecutable::visitChildren):
        (JSC::ProgramExecutable::visitChildrenVirtual):
        (JSC::ProgramExecutable::visitChildren):
        (JSC::FunctionExecutable::visitChildrenVirtual):
        (JSC::FunctionExecutable::visitChildren):
        * runtime/Executable.h:
        * runtime/GetterSetter.cpp:
        (JSC::GetterSetter::visitChildrenVirtual):
        (JSC::GetterSetter::visitChildren):
        * runtime/GetterSetter.h:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::visitChildrenVirtual):
        (JSC::JSActivation::visitChildren):
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::visitChildrenVirtual):
        (JSC::JSArray::visitChildren):
        * runtime/JSArray.h:
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::visitChildrenVirtual):
        (JSC::JSBoundFunction::visitChildren):
        * runtime/JSBoundFunction.h:
        * runtime/JSCell.h:
        (JSC::JSCell::visitChildrenVirtual):
        (JSC::JSCell::visitChildren):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::visitChildrenVirtual):
        (JSC::JSFunction::visitChildren):
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::visitChildrenVirtual):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitChildrenVirtual):
        (JSC::JSObject::visitChildren):
        * runtime/JSObject.h:
        (JSC::JSObject::visitChildrenDirect):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::visitChildrenVirtual):
        (JSC::JSPropertyNameIterator::visitChildren):
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSStaticScopeObject.cpp:
        (JSC::JSStaticScopeObject::visitChildrenVirtual):
        (JSC::JSStaticScopeObject::visitChildren):
        * runtime/JSStaticScopeObject.h:
        * runtime/JSWrapperObject.cpp:
        (JSC::JSWrapperObject::visitChildrenVirtual):
        (JSC::JSWrapperObject::visitChildren):
        * runtime/JSWrapperObject.h:
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::visitChildrenVirtual):
        (JSC::NativeErrorConstructor::visitChildren):
        * runtime/NativeErrorConstructor.h:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::visitChildrenVirtual):
        (JSC::RegExpObject::visitChildren):
        * runtime/RegExpObject.h:
        * runtime/ScopeChain.cpp:
        (JSC::ScopeChainNode::visitChildrenVirtual):
        (JSC::ScopeChainNode::visitChildren):
        * runtime/ScopeChain.h:
        * runtime/Structure.cpp:
        (JSC::Structure::visitChildrenVirtual):
        (JSC::Structure::visitChildren):
        * runtime/Structure.h:
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::visitChildrenVirtual):
        (JSC::StructureChain::visitChildren):
        * runtime/StructureChain.h:

2011-09-23  Oliver Hunt  <oliver@apple.com>

        Node propagation doesn't handle PutScopedVar
        https://bugs.webkit.org/show_bug.cgi?id=68713

        Reviewed by Sam Weinig.

        This was causing assertion failures.

        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):

2011-09-23  Anders Carlsson  <andersca@apple.com>

        Make sure to define OVERRIDE and FINAL for older builds of clang.

        * wtf/Compiler.h:

2011-09-23  Gavin Barraclough  <barraclough@apple.com>

        Implement op_resolve_global in the DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=68704

        Reviewed by Oliver Hunt.

        This is performance neutral, but increases coverage.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::resolveInfoIndex):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-23  Mark Rowe  <mrowe@apple.com>

        Define BUILDING_ON_LION / TARGETING_LION when appropriate in Platform.h.

        * wtf/Platform.h:

2011-09-22  Anders Carlsson  <andersca@apple.com>

        We should add support for OVERRIDE and FINAL annotations
        https://bugs.webkit.org/show_bug.cgi?id=68654

        Reviewed by David Hyatt.

        Add OVERRIDE and FINAL macros for compilers that support them.

        * wtf/Compiler.h:

2011-09-22  Filip Pizlo  <fpizlo@apple.com>

        GetScopedVar should have value profiling
        https://bugs.webkit.org/show_bug.cgi?id=68676

        Reviewed by Oliver Hunt.

        Added GetScopedVar value profiling and prediction propagation.
        Added GetScopeChain to CSE.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predict):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasPrediction):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::getScopeChainLoadElimination):
        (JSC::DFG::Propagator::performNodeCSE):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_scoped_var):

2011-09-22  Filip Pizlo  <fpizlo@apple.com>

        PPC build fix, part 3.

        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::compileForConstructInternal):

2011-09-22  Filip Pizlo  <fpizlo@apple.com>

        Another PPC build fix.

        * runtime/Executable.cpp:
        * runtime/Executable.h:

2011-09-22  Dean Jackson  <dino@apple.com>

        Add ENABLE_CSS_FILTERS
        https://bugs.webkit.org/show_bug.cgi?id=68652

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2011-09-22  Gavin Barraclough  <barraclough@apple.com>

        Incorrect this value passed to callbacks.
        https://bugs.webkit.org/show_bug.cgi?id=68668

        Reviewed by Oliver Hunt.

        From Array/String prototype functions.  Should be undefined, but
        global object is passed instead (this is visible for strict callbacks).

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSort):
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncMap):
        (JSC::arrayProtoFuncEvery):
        (JSC::arrayProtoFuncForEach):
        (JSC::arrayProtoFuncSome):
        * runtime/JSArray.cpp:
        (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key):
        (JSC::JSArray::sort):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncReplace):

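The behaviour the entry above fixes is observable from script, and is worth pinning down because a callback that receives the global object instead of undefined can read and write globals it was never handed. The following is an added example, not WebKit code, that exercises exactly the Array and String prototype functions the entry touches; it assumes nothing beyond ECMAScript semantics (a callback invoked without a thisArg is called with `this` = undefined, which sloppy-mode functions then replace with the global object, so only strict callbacks can see the difference):

```javascript
// Added example (not from WebKit): record what each callback observes as `this`
// when the Array/String prototype functions invoke it with no thisArg.
// Every callback is strict so that undefined is not coerced to globalThis.

function observeCallbackThis() {
  const seen = {};

  [3, 1, 2].sort(function (a, b) { "use strict"; seen.sort = this; return a - b; });
  [1].filter(function () { "use strict"; seen.filter = this; return true; });
  [1].map(function () { "use strict"; seen.map = this; return 0; });
  [1].every(function () { "use strict"; seen.every = this; return true; });
  [1].forEach(function () { "use strict"; seen.forEach = this; });
  [1].some(function () { "use strict"; seen.some = this; return false; });
  "abc".replace(/b/, function () { "use strict"; seen.replace = this; return "x"; });

  return seen;
}

// True only when every callback above was actually invoked and observed
// `this` === undefined, i.e. the engine passes the spec-mandated receiver
// rather than the global object.
function callbacksReceiveUndefinedThis() {
  const seen = observeCallbackThis();
  const names = ["sort", "filter", "map", "every", "forEach", "some", "replace"];
  return names.every((name) => name in seen && seen[name] === undefined);
}

// An explicit thisArg must still be honoured; the fix only concerns the
// default receiver when the caller supplies none.
function explicitThisArgIsHonoured() {
  const ctx = { tag: "ctx" };
  let observed;
  [1].forEach(function () { "use strict"; observed = this; }, ctx);
  return observed === ctx;
}
```

On an engine with the bug described above, `callbacksReceiveUndefinedThis()` returns false because `seen.<name>` holds the global object; a conforming engine returns true. The sloppy-mode counterpart of the same callbacks would report the global object on every engine, which is why the bug was invisible to non-strict code.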
2011-09-22  Gavin Barraclough  <barraclough@apple.com>

        Function.prototype.bind.length should be 1.

        Rubber stamped by Oliver Hunt.

        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):

2011-09-22  Filip Pizlo  <fpizlo@apple.com>

        PPC build fix.

        * bytecode/CodeBlock.h:

2011-09-22  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix pt. 2

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-09-22  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix pt. 1

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-09-21  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not support to_primitive or strcat
        https://bugs.webkit.org/show_bug.cgi?id=68582

        Reviewed by Darin Adler.

        This adds functional support for to_primitive and strcat. It focuses
        on minimizing the amount of code emitted on to_primitive (if we know
        that it is a primitive or can speculate cheaply, then we omit the
        slow path) and on keeping the implementation of strcat simple while
        leveraging whatever optimizations we have already. In particular,
        unlike the Call and Construct nodes which require extending the size
        of the DFG's callee registers, StrCat takes advantage of the fact
        that no JS code can run while StrCat is in progress and uses a
        scratch buffer, rather than the register file, to store the list of
        values to concatenate. This was done mainly to keep the code simple,
        but there are probably other benefits to keeping call frame sizes
        down. Essentially, this patch ensures that the presence of an
        op_strcat does not mess up any other optimizations we might do while
        ensuring that if you do execute it, it'll work about as well as you'd
        expect.

        When combined with the previous patch for integer division, this is a
        14% speed-up on Kraken. Without it, it would have been a 2% loss.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::callOperation):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGNode.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSC::JSGlobalData::scratchBufferForSize):

2011-09-22  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT should support integer division
        https://bugs.webkit.org/show_bug.cgi?id=68597

        Reviewed by Darin Adler.

        This adds support for ArithDiv speculating integer, and speculating
        that the result is integer (i.e. remainder = 0).

        This is a 4% win on Kraken and a 1% loss on V8.

        * bytecode/CodeBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasArithNodeFlags):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateArithNodeFlags):
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_div):

2011-09-22  Oliver Hunt  <oliver@apple.com>

        Implement put_scoped_var in the DFG jit
        https://bugs.webkit.org/show_bug.cgi?id=68653

        Reviewed by Gavin Barraclough.

        Naive implementation of put_scoped_var.  Same story as the
        get_scoped_var implementation, although I've hoisted scope
        object acquisition into a separate dfg node.  Ideally in the
        future we would reuse the resolved scope chain object, but
        for now we don't.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasScopeChainDepth):
        (JSC::DFG::Node::scopeChainDepth):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-22  Gavin Barraclough  <barraclough@apple.com>

        Implement Function.prototype.bind
        https://bugs.webkit.org/show_bug.cgi?id=26382

        Reviewed by Sam Weinig.

        This patch provides a basic functional implementation
        for Function.bind. It should (hopefully!) be fully
        functionally correct, and the bound functions can be
        called quickly (since they are a subclass of
        JSFunction, not InternalFunction), but we'll probably
        want to follow up with some optimization work to keep
        bound calls in JIT code.

        * JavaScriptCore.JSVALUE32_64only.exp:
        * JavaScriptCore.JSVALUE64only.exp:
        * JavaScriptCore.exp:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/JITStubs.cpp:
        (JSC::JITThunks::hostFunctionStub):
        * jit/JITStubs.h:
        * jsc.cpp:
        (GlobalObject::addFunction):
        * runtime/CommonIdentifiers.h:
        * runtime/ConstructData.h:
        * runtime/Executable.h:
        (JSC::NativeExecutable::NativeExecutable):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        (JSC::functionProtoFuncBind):
        * runtime/FunctionPrototype.h:
        * runtime/JSBoundFunction.cpp: Added.
        (JSC::boundFunctionCall):
        (JSC::boundFunctionConstruct):
        (JSC::JSBoundFunction::create):
        (JSC::JSBoundFunction::hasInstance):
        (JSC::JSBoundFunction::getOwnPropertySlot):
        (JSC::JSBoundFunction::getOwnPropertyDescriptor):
        (JSC::JSBoundFunction::JSBoundFunction):
        (JSC::JSBoundFunction::finishCreation):
        * runtime/JSBoundFunction.h: Added.
        (JSC::JSBoundFunction::targetFunction):
        (JSC::JSBoundFunction::boundThis):
        (JSC::JSBoundFunction::boundArgs):
        (JSC::JSBoundFunction::createStructure):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::create):
        (JSC::JSFunction::finishCreation):
        (JSC::createDescriptorForThrowingProperty):
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSFunction.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::getHostFunction):
        * runtime/JSGlobalData.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::boundFunctionStructure):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):

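The entry above introduces JSBoundFunction with separate call, construct and hasInstance paths plus stored targetFunction, boundThis and boundArgs, and the earlier "Function.prototype.bind.length should be 1" entry fixes one more detail of the same feature. The following is an added example, not WebKit code, that exercises the script-visible contract those pieces implement (ES5 15.3.4.5); the `record` and `Point` functions are constructed for illustration and nothing here depends on JSC internals:

```javascript
// Added example (not from WebKit): the observable semantics of bound functions.

// Constructed target for the [[Call]] path: echoes its receiver and arguments.
function record(a, b) {
  return { self: this, a: a, b: b };
}

// Constructed target for the [[Construct]] path.
function Point(x, y) {
  this.x = x;
  this.y = y;
}

function boundCallSemantics() {
  const ctx = { name: "ctx" };
  const bound = record.bind(ctx, "first"); // boundThis = ctx, boundArgs = ["first"]
  const r = bound("second");
  const forced = bound.call({ name: "other" }, "third"); // the caller's receiver is ignored
  return {
    selfIsBoundThis: r.self === ctx,
    argsPrepended: r.a === "first" && r.b === "second",
    callCannotOverrideThis: forced.self === ctx,
    lengthIsRemaining: bound.length === 1, // record.length (2) minus 1 bound arg
    bindLength: Function.prototype.bind.length === 1,
    noPrototypeProperty: !Object.prototype.hasOwnProperty.call(bound, "prototype"),
  };
}

function boundConstructSemantics() {
  const ctx = { name: "ctx" };
  const BoundPoint = Point.bind(ctx, 5);
  const p = new BoundPoint(7); // under `new`, boundThis is ignored but boundArgs still apply
  return {
    boundThisIgnored: p !== ctx && ctx.x === undefined,
    argsPrepended: p.x === 5 && p.y === 7,
    prototypeFromTarget: Object.getPrototypeOf(p) === Point.prototype,
    instanceOfTarget: p instanceof Point,
    instanceOfBound: p instanceof BoundPoint, // hasInstance delegates to the target
  };
}

// True only when every property of both result objects is true.
function boundFunctionContractHolds() {
  const all = Object.assign({}, boundCallSemantics(), boundConstructSemantics());
  return Object.keys(all).every((k) => all[k] === true);
}
```

The two points most often got wrong by hand-rolled bind polyfills are visible in `boundConstructSemantics`: `new` on a bound function must ignore the bound receiver and must produce an object whose prototype chain and `instanceof` relation come from the target, which is what the separate boundFunctionConstruct and hasInstance entries above exist for.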
2011-09-22  Oliver Hunt  <oliver@apple.com>

        Implement get_scoped_var in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=68640

        Reviewed by Gavin Barraclough.

        Naive implementation of get_scoped_var in the DFG.  Essentially this
        is the bare minimum required to get correct behaviour, so there's no
        load/store coalescing or type profiling involved, even though these
        would be wins.  No impact on SunSpider or V8.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasVarNumber):
        (JSC::DFG::Node::hasScopeChainDepth):
        (JSC::DFG::Node::scopeChainDepth):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-22  Adam Roben  <aroben@apple.com>

        Remove FindSafari from all our .sln files

        It isn't used anymore, so there's no point in building it.

        Part of <http://webkit.org/b/68628> Remove FindSafari

        Reviewed by Steve Falkenburg.

        * JavaScriptCore.vcproj/JavaScriptCore.sln:

2011-09-22  Filip Pizlo  <fpizlo@apple.com>

        32-bit call code clobbers the function cell tag
        https://bugs.webkit.org/show_bug.cgi?id=68606

        Reviewed by Csaba Osztrogonác.

        This is a minimalistic fix: it simply emits code to restore the
        cell tag on the slow path, if we know that we failed due to
        emitCallIfNotType.

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCallVarargsSlowCase):
        (JSC::JIT::compileOpCallSlowCase):

2011-09-21  Gavin Barraclough  <barraclough@apple.com>

        Add missing addPtr->add32 mapping for X86.

        Rubber stamped by Sam Weinig.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::addPtr):

2011-09-21  Gavin Barraclough  <barraclough@apple.com>

        Add missing addDouble for AbsoluteAddress to X86

        Rubber stamped by Geoff Garen.

        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::addDouble):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::addsd_mr):
        (JSC::X86Assembler::cvtsi2sd_rr):
        (JSC::X86Assembler::cvtsi2sd_mr):

2011-09-21  Gavin Barraclough  <barraclough@apple.com>

        Build fix following fix for bug #68586.

        * jit/JIT.cpp:
        * jit/JITInlineMethods.h:

2011-09-21  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT should be able to compile op_throw
        https://bugs.webkit.org/show_bug.cgi?id=68571

        Reviewed by Geoffrey Garen.

        This compiles op_throw in the simplest way possible: it's an OSR
        point back to the old JIT. This is a good step towards increasing
        coverage, particularly on Kraken, but it's neutral because the
        same functions that do throw also use some other unsupported
        opcodes.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-21  Filip Pizlo  <fpizlo@apple.com>

        DFG should support continuous optimization
        https://bugs.webkit.org/show_bug.cgi?id=68329

        Reviewed by Geoffrey Garen.

        This adds the ability to reoptimize a code block if speculation
        failures happen frequently. 6% speed-up on Kraken, 1% slow-down
        on V8, neutral on SunSpider.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::ProgramCodeBlock::jettison):
        (JSC::EvalCodeBlock::jettison):
        (JSC::FunctionCodeBlock::jettison):
        (JSC::CodeBlock::shouldOptimizeNow):
        (JSC::CodeBlock::dumpValueProfiles):
        * bytecode/CodeBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getStrongPrediction):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileBody):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::noticeOSREntry):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSREntry.h:
        (JSC::DFG::getOSREntryDataBytecodeIndex):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::ConservativeRoots):
        (JSC::ConservativeRoots::~ConservativeRoots):
        (JSC::DummyMarkHook::mark):
        (JSC::ConservativeRoots::genericAddPointer):
        (JSC::ConservativeRoots::genericAddSpan):
        (JSC::ConservativeRoots::add):
        * heap/ConservativeRoots.h:
        * heap/Heap.cpp:
        (JSC::Heap::addJettisonCodeBlock):
        (JSC::Heap::markRoots):
        * heap/Heap.h:
        * heap/JettisonedCodeBlocks.cpp: Added.
        (JSC::JettisonedCodeBlocks::JettisonedCodeBlocks):
        (JSC::JettisonedCodeBlocks::~JettisonedCodeBlocks):
        (JSC::JettisonedCodeBlocks::addCodeBlock):
        (JSC::JettisonedCodeBlocks::clearMarks):
        (JSC::JettisonedCodeBlocks::deleteUnmarkedCodeBlocks):
        (JSC::JettisonedCodeBlocks::traceCodeBlocks):
        * heap/JettisonedCodeBlocks.h: Added.
        (JSC::JettisonedCodeBlocks::mark):
        * interpreter/RegisterFile.cpp:
        (JSC::RegisterFile::gatherConservativeRoots):
        * interpreter/RegisterFile.h:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Executable.cpp:
        (JSC::jettisonCodeBlock):
        (JSC::EvalExecutable::jettisonOptimizedCode):
        (JSC::ProgramExecutable::jettisonOptimizedCode):
        (JSC::FunctionExecutable::jettisonOptimizedCodeForCall):
        (JSC::FunctionExecutable::jettisonOptimizedCodeForConstruct):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
        * wtf/BitVector.h: Added.
        (WTF::BitVector::BitVector):
        (WTF::BitVector::~BitVector):
        (WTF::BitVector::operator=):
        (WTF::BitVector::size):
        (WTF::BitVector::ensureSize):
        (WTF::BitVector::resize):
        (WTF::BitVector::clearAll):
        (WTF::BitVector::get):
        (WTF::BitVector::set):
        (WTF::BitVector::clear):
        (WTF::BitVector::bitsInPointer):
        (WTF::BitVector::maxInlineBits):
        (WTF::BitVector::byteCount):
        (WTF::BitVector::makeInlineBits):
        (WTF::BitVector::OutOfLineBits::numBits):
838         (WTF::BitVector::OutOfLineBits::numWords):
839         (WTF::BitVector::OutOfLineBits::bits):
840         (WTF::BitVector::OutOfLineBits::create):
841         (WTF::BitVector::OutOfLineBits::destroy):
842         (WTF::BitVector::OutOfLineBits::OutOfLineBits):
843         (WTF::BitVector::isInline):
844         (WTF::BitVector::outOfLineBits):
845         (WTF::BitVector::resizeOutOfLine):
846         (WTF::BitVector::bits):
847
848 2011-09-21  Gavin Barraclough  <barraclough@apple.com>
849
850         Add X86 GPRInfo for DFG JIT.
851         https://bugs.webkit.org/show_bug.cgi?id=68586
852
853         Reviewed by Geoff Garen.
854
855         * dfg/DFGGPRInfo.h:
856         (JSC::DFG::GPRInfo::toRegister):
857         (JSC::DFG::GPRInfo::toIndex):
858         (JSC::DFG::GPRInfo::debugName):
859
860 2011-09-21  Gavin Barraclough  <barraclough@apple.com>
861
862         Should support value profiling on CPU(X86)
863         https://bugs.webkit.org/show_bug.cgi?id=68575
864
865         Reviewed by Sam Weinig.
866
867         Fix verbose profiling in ToT (SlowCaseProfile had been
868         partially renamed to RareCaseProfile), add in-memory
869         bucket counter for CPU(X86), move JIT::m_canBeOptimized
870         out of the DFG_JIT ifdef.
871
872         * bytecode/CodeBlock.cpp:
873         (JSC::CodeBlock::resetRareCaseProfiles):
874         (JSC::CodeBlock::dumpValueProfiles):
875         * bytecode/CodeBlock.h:
876         * dfg/DFGByteCodeParser.cpp:
877         (JSC::DFG::ByteCodeParser::makeSafe):
878         * jit/JIT.cpp:
879         (JSC::JIT::privateCompileSlowCases):
880         (JSC::JIT::privateCompile):
881         * jit/JIT.h:
882         * jit/JITInlineMethods.h:
883         (JSC::JIT::emitValueProfilingSite):
884
885 2011-09-21  Filip Pizlo  <fpizlo@apple.com>
886
887         DFG does not support compiling functions as constructors
888         https://bugs.webkit.org/show_bug.cgi?id=68500
889
890         Reviewed by Oliver Hunt.
891         
892         This adds support for compiling constructors to the DFG. It's a
893         1% speed-up on V8, mostly due to a 6% speed-up on early-boyer.
894         It's also a 13% win on access-binary-trees, but it's neutral in
895         the SunSpider and Kraken averages.
896
897         * dfg/DFGByteCodeParser.cpp:
898         (JSC::DFG::ByteCodeParser::parseBlock):
899         * dfg/DFGCapabilities.h:
900         (JSC::DFG::mightCompileFunctionForConstruct):
901         (JSC::DFG::canCompileOpcode):
902         * dfg/DFGNode.h:
903         * dfg/DFGOperations.cpp:
904         * dfg/DFGOperations.h:
905         * dfg/DFGPropagator.cpp:
906         (JSC::DFG::Propagator::propagateNodePredictions):
907         (JSC::DFG::Propagator::performNodeCSE):
908         * dfg/DFGSpeculativeJIT.cpp:
909         (JSC::DFG::SpeculativeJIT::compile):
910         * runtime/Executable.cpp:
911         (JSC::FunctionExecutable::compileOptimizedForConstruct):
912         (JSC::FunctionExecutable::compileForConstructInternal):
913         * runtime/Executable.h:
914         (JSC::FunctionExecutable::compileForConstruct):
915         (JSC::FunctionExecutable::compileFor):
916         (JSC::FunctionExecutable::compileOptimizedFor):
917
918 2011-09-21  Gavin Barraclough  <barraclough@apple.com>
919
920         Replace jsFunctionVPtr compares with a type check on the Structure.
921         https://bugs.webkit.org/show_bug.cgi?id=68557
922
923         Reviewed by Oliver Hunt.
924
925         This will permit calls to still optimize to subclasses of JSFunction
926         that have the correct type (but a different C++ vptr).
927
928         This patch stops passing the globalData into numerous functions.
929
930         * dfg/DFGByteCodeParser.cpp:
931         (JSC::DFG::ByteCodeParser::parseBlock):
932         * dfg/DFGGraph.h:
933         (JSC::DFG::Graph::isFunctionConstant):
934         (JSC::DFG::Graph::valueOfFunctionConstant):
935         * dfg/DFGJITCompiler.h:
936         (JSC::DFG::JITCompiler::isFunctionConstant):
937         (JSC::DFG::JITCompiler::valueOfFunctionConstant):
938         * dfg/DFGOperations.cpp:
939         * interpreter/Interpreter.cpp:
940         (JSC::Interpreter::privateExecute):
941         * jit/JIT.h:
942         * jit/JITCall.cpp:
943         (JSC::JIT::compileOpCallVarargs):
944         (JSC::JIT::compileOpCallSlowCase):
945         * jit/JITCall32_64.cpp:
946         (JSC::JIT::compileOpCallVarargs):
947         (JSC::JIT::compileOpCallSlowCase):
948         * jit/JITInlineMethods.h:
949         (JSC::JIT::emitJumpIfNotType):
950         * jit/JITStubs.cpp:
951         (JSC::DEFINE_STUB_FUNCTION):
952         * runtime/Executable.h:
953         (JSC::isHostFunction):
954         * runtime/JSFunction.h:
955         (JSC::JSFunction::createStructure):
956         * runtime/JSObject.cpp:
957         (JSC::JSObject::put):
958         (JSC::JSObject::putWithAttributes):
959         * runtime/JSObject.h:
960         (JSC::getJSFunction):
961         (JSC::JSObject::putDirect):
962         (JSC::JSObject::putDirectWithoutTransition):
963         * runtime/JSType.h:
964
965 2011-09-21  Geoffrey Garen  <ggaren@apple.com>
966
967         Removed WTFTHREADDATA_MULTITHREADED, making it always true
968         https://bugs.webkit.org/show_bug.cgi?id=68549
969
970         Reviewed by Darin Adler.
971         
972         Another part of making threads exist in WebKit.
973
974         * wtf/WTFThreadData.cpp:
975         * wtf/WTFThreadData.h:
976         (WTF::wtfThreadData):
977
978 2011-09-21  Dan Bernstein  <mitz@apple.com>
979
980         JavaScriptCore Part of: Prevent the WebKit frameworks from defining inappropriately-named Objective-C classes
981         https://bugs.webkit.org/show_bug.cgi?id=68451
982
983         Reviewed by Darin Adler.
984
985         * JavaScriptCore.xcodeproj/project.pbxproj: Added a script build phase that invokes
986         check-for-inappropriate-objc-class-names, allowing only class names prefixed with "JS".
987
988 2011-09-20  Gavin Barraclough  <barraclough@apple.com>
989
990         MacroAssembler fixes.
991         https://bugs.webkit.org/show_bug.cgi?id=68494
992
993         Reviewed by Sam Weinig.
994
995         Add X86-64's 3 operand or32 to the other MacroAssemblers, fix load32's [const] void* mismatch.
996
997         * assembler/MacroAssembler.h:
998         (JSC::MacroAssembler::orPtr):
999         (JSC::MacroAssembler::loadPtr):
1000         * assembler/MacroAssemblerARM.h:
1001         (JSC::MacroAssemblerARM::or32):
1002         * assembler/MacroAssemblerARMv7.h:
1003         (JSC::MacroAssemblerARMv7::or32):
1004         * assembler/MacroAssemblerMIPS.h:
1005         (JSC::MacroAssemblerMIPS::or32):
1006         * assembler/MacroAssemblerSH4.h:
1007         (JSC::MacroAssemblerSH4::or32):
1008         (JSC::MacroAssemblerSH4::load32):
1009         * assembler/MacroAssemblerX86.h:
1010         (JSC::MacroAssemblerX86::load32):
1011         * assembler/MacroAssemblerX86_64.h:
1012         (JSC::MacroAssemblerX86_64::load32):
1013
1014 2011-09-20  Geoffrey Garen  <ggaren@apple.com>
1015
1016         Some Heap cleanup.
1017
1018         Reviewed by Beth Dakin.
1019
1020         * heap/MarkedBlock.cpp:
1021         (JSC::MarkedBlock::blessNewBlock): Removed blessNewBlockForSlowPath()
1022         because it was unused; renamed blessNewBlockForFastPath() to blessNewBlock()
1023         since there is only one now.
1024
1025         * heap/MarkedBlock.h: Removed ownerSet-related stuff since it was unused.
1026         Updated mark bit overhead calculation. Deployed atomsPerBlock in one
1027         place where we were recalculating it.
1028
1029         * heap/MarkedSpace.cpp:
1030         (JSC::MarkedSpace::addBlock): Updated for rename.
1031
1032 2011-09-20  Filip Pizlo  <fpizlo@apple.com>
1033
1034         DFG JIT always speculates integer on modulo
1035         https://bugs.webkit.org/show_bug.cgi?id=68485
1036
1037         Reviewed by Oliver Hunt.
1038         
1039         Added support for double modulo, which is a call to fmod().
1040         Also added support for recording the old JIT's statistics
1041         on op_mod and propagating them along the graph. Finally,
1042         fixed a goof in the ArithNodeFlags propagation logic that
1043         was made obvious when I started testing ArithMod.
1044
1045         * dfg/DFGByteCodeParser.cpp:
1046         (JSC::DFG::ByteCodeParser::makeSafe):
1047         (JSC::DFG::ByteCodeParser::parseBlock):
1048         * dfg/DFGNode.h:
1049         (JSC::DFG::Node::hasArithNodeFlags):
1050         * dfg/DFGPropagator.cpp:
1051         (JSC::DFG::Propagator::propagateArithNodeFlags):
1052         (JSC::DFG::Propagator::propagateNodePredictions):
1053         (JSC::DFG::Propagator::fixupNode):
1054         * dfg/DFGSpeculativeJIT.cpp:
1055         (JSC::DFG::SpeculativeJIT::compile):
1056
1057 2011-09-20  ChangSeok Oh  <shivamidow@gmail.com>
1058
1059         [GTK] requestAnimationFrame support for gtk port
1060         https://bugs.webkit.org/show_bug.cgi?id=66280
1061
1062         Reviewed by Martin Robinson.
1063
1064         Let GTK port use REQUEST_ANIMATION_FRAME_TIMER.
1065
1066         * wtf/Platform.h:
1067
1068 2011-09-20  Filip Pizlo  <fpizlo@apple.com>
1069
1070         DFG JIT performs too many negative zero checks, and too many
1071         overflow checks
1072         https://bugs.webkit.org/show_bug.cgi?id=68430
1073
1074         Reviewed by Oliver Hunt.
1075         
1076         This adds comprehensive support for deciding how to perform an
1077         arithmetic operation based on a combination of overflow profiling,
1078         negative zero profiling, value profiling, and a static analysis of
1079         how the results of these operations get used.
1080         
1081         This is a 72% speed-up on stanford-crypto-sha256-iterative, and a
1082         2.5% speed-up on the Kraken average, a 1.4% speed-up on the V8
1083         geomean, and neutral on SunSpider. It's also an 8.5% speed-up on
1084         V8-crypto, because apparently everything we do speeds up crypto.
1085
1086         * dfg/DFGByteCodeParser.cpp:
1087         (JSC::DFG::ByteCodeParser::toInt32):
1088         (JSC::DFG::ByteCodeParser::toNumber):
1089         (JSC::DFG::ByteCodeParser::isSmallInt32Constant):
1090         (JSC::DFG::ByteCodeParser::valueOfInt32Constant):
1091         (JSC::DFG::ByteCodeParser::weaklyPredictInt32):
1092         (JSC::DFG::ByteCodeParser::makeSafe):
1093         (JSC::DFG::ByteCodeParser::handleMinMax):
1094         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1095         (JSC::DFG::ByteCodeParser::parseBlock):
1096         (JSC::DFG::ByteCodeParser::processPhiStack):
1097         (JSC::DFG::ByteCodeParser::parse):
1098         * dfg/DFGGraph.cpp:
1099         (JSC::DFG::Graph::dump):
1100         * dfg/DFGJITCodeGenerator.cpp:
1101         (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
1102         * dfg/DFGNode.h:
1103         (JSC::DFG::nodeUsedAsNumber):
1104         (JSC::DFG::nodeCanTruncateInteger):
1105         (JSC::DFG::nodeCanIgnoreNegativeZero):
1106         (JSC::DFG::nodeCanSpeculateInteger):
1107         (JSC::DFG::arithNodeFlagsAsString):
1108         (JSC::DFG::Node::Node):
1109         (JSC::DFG::Node::hasArithNodeFlags):
1110         (JSC::DFG::Node::rawArithNodeFlags):
1111         (JSC::DFG::Node::arithNodeFlags):
1112         (JSC::DFG::Node::arithNodeFlagsForCompare):
1113         (JSC::DFG::Node::setArithNodeFlag):
1114         (JSC::DFG::Node::mergeArithNodeFlags):
1115         * dfg/DFGPropagator.cpp:
1116         (JSC::DFG::Propagator::fixpoint):
1117         (JSC::DFG::Propagator::isNotNegZero):
1118         (JSC::DFG::Propagator::isNotZero):
1119         (JSC::DFG::Propagator::propagateArithNodeFlags):
1120         (JSC::DFG::Propagator::propagateArithNodeFlagsForward):
1121         (JSC::DFG::Propagator::propagateArithNodeFlagsBackward):
1122         (JSC::DFG::Propagator::propagateNodePredictions):
1123         (JSC::DFG::Propagator::propagatePredictionsForward):
1124         (JSC::DFG::Propagator::propagatePredictionsBackward):
1125         (JSC::DFG::Propagator::toDouble):
1126         (JSC::DFG::Propagator::fixupNode):
1127         (JSC::DFG::Propagator::fixup):
1128         (JSC::DFG::Propagator::startIndexForChildren):
1129         (JSC::DFG::Propagator::endIndexForPureCSE):
1130         (JSC::DFG::Propagator::pureCSE):
1131         (JSC::DFG::Propagator::clobbersWorld):
1132         (JSC::DFG::Propagator::setReplacement):
1133         (JSC::DFG::Propagator::performNodeCSE):
1134         (JSC::DFG::Propagator::localCSE):
1135         * dfg/DFGSpeculativeJIT.cpp:
1136         (JSC::DFG::SpeculativeJIT::compile):
1137         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
1138
1139 2011-09-19  Oliver Hunt  <oliver@apple.com>
1140
1141         Refactor Heap allocation logic into separate AllocationSpace class
1142         https://bugs.webkit.org/show_bug.cgi?id=68409
1143
1144         Reviewed by Gavin Barraclough.
1145
1146         This patch hoists direct manipulation of the MarkedSpace and related
1147         data out of Heap and into a separate class.  This will allow us to
1148         have multiple allocation spaces in future, so easing the way towards
1149         having GC'd backing stores for objects.
1150
1151         * CMakeLists.txt:
1152         * GNUmakefile.list.am:
1153         * JavaScriptCore.exp:
1154         * JavaScriptCore.gypi:
1155         * JavaScriptCore.pro:
1156         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1157         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1158         * JavaScriptCore.xcodeproj/project.pbxproj:
1159         * debugger/Debugger.cpp:
1160         (JSC::Debugger::recompileAllJSFunctions):
1161         * heap/AllocationSpace.cpp: Added.
1162         (JSC::AllocationSpace::tryAllocate):
1163         (JSC::AllocationSpace::allocateSlowCase):
1164         (JSC::AllocationSpace::allocateBlock):
1165         (JSC::AllocationSpace::freeBlocks):
1166         (JSC::TakeIfEmpty::TakeIfEmpty):
1167         (JSC::TakeIfEmpty::operator()):
1168         (JSC::TakeIfEmpty::returnValue):
1169         (JSC::AllocationSpace::shrink):
1170         * heap/AllocationSpace.h: Added.
1171         (JSC::AllocationSpace::AllocationSpace):
1172         (JSC::AllocationSpace::blocks):
1173         (JSC::AllocationSpace::sizeClassFor):
1174         (JSC::AllocationSpace::setHighWaterMark):
1175         (JSC::AllocationSpace::highWaterMark):
1176         (JSC::AllocationSpace::canonicalizeBlocks):
1177         (JSC::AllocationSpace::resetAllocator):
1178         (JSC::AllocationSpace::forEachCell):
1179         (JSC::AllocationSpace::forEachBlock):
1180         (JSC::AllocationSpace::allocate):
1181         * heap/Heap.cpp:
1182         (JSC::Heap::Heap):
1183         (JSC::Heap::reportExtraMemoryCostSlowCase):
1184         (JSC::Heap::getConservativeRegisterRoots):
1185         (JSC::Heap::markRoots):
1186         (JSC::Heap::clearMarks):
1187         (JSC::Heap::sweep):
1188         (JSC::Heap::objectCount):
1189         (JSC::Heap::size):
1190         (JSC::Heap::capacity):
1191         (JSC::Heap::globalObjectCount):
1192         (JSC::Heap::objectTypeCounts):
1193         (JSC::Heap::collect):
1194         (JSC::Heap::canonicalizeBlocks):
1195         (JSC::Heap::resetAllocator):
1196         (JSC::Heap::freeBlocks):
1197         (JSC::Heap::shrink):
1198         * heap/Heap.h:
1199         (JSC::Heap::objectSpace):
1200         (JSC::Heap::sizeClassForObject):
1201         (JSC::Heap::allocate):
1202         * jit/JITInlineMethods.h:
1203         (JSC::JIT::emitAllocateBasicJSObject):
1204         * runtime/JSGlobalData.cpp:
1205         (JSC::JSGlobalData::recompileAllJSFunctions):
1206         (JSC::JSGlobalData::releaseExecutableMemory):
1207
1208 2011-09-19  Geoffrey Garen  <ggaren@apple.com>
1209
1210         Removed BREWMP* platform #ifdefs
1211         https://bugs.webkit.org/show_bug.cgi?id=68425
1212         
1213         BREWMP* has no maintainer, and this is dead code.
1214
1215         Reviewed by Darin Adler.
1216
1217         * heap/MarkStack.h:
1218         (JSC::::shrinkAllocation):
1219         * jit/ExecutableAllocator.h:
1220         (JSC::ExecutableAllocator::cacheFlush):
1221         * runtime/TimeoutChecker.cpp:
1222         (JSC::getCPUTime):
1223         * wtf/Assertions.cpp:
1224         * wtf/Assertions.h:
1225         * wtf/CurrentTime.cpp:
1226         * wtf/DateMath.cpp:
1227         (WTF::calculateUTCOffset):
1228         * wtf/FastMalloc.cpp:
1229         (WTF::fastMalloc):
1230         (WTF::fastCalloc):
1231         (WTF::fastMallocSize):
1232         * wtf/FastMalloc.h:
1233         * wtf/MainThread.cpp:
1234         * wtf/MathExtras.h:
1235         * wtf/OwnPtrCommon.h:
1236         * wtf/Platform.h:
1237         * wtf/RandomNumber.cpp:
1238         (WTF::randomNumber):
1239         * wtf/RandomNumberSeed.h:
1240         (WTF::initializeRandomNumberGenerator):
1241         * wtf/text/WTFString.h:
1242         * wtf/unicode/Unicode.h:
1243
1244 2011-09-20  Adam Roben  <aroben@apple.com>
1245
1246         Windows build fix after r95523
1247
1248         * wtf/CheckedArithmetic.h: Added stdint.h so we can have int64_t defined.
1249
1250 2011-09-18  Filip Pizlo  <fpizlo@apple.com>
1251
1252         DFG JIT does not speculate aggressively enough on GetById
1253         https://bugs.webkit.org/show_bug.cgi?id=68320
1254
1255         Reviewed by Oliver Hunt.
1256         
1257         This adds the ability to access properties directly, by offset.
1258         This optimization kicks in when at the time of DFG compilation,
1259         it appears that the given get_by_id is self-cached by the old JIT.
1260         Two new opcodes get introduced: CheckStructure and GetByOffset.
1261         CheckStructure performs a speculation check on the object's
1262         structure, and returns the storage pointer. GetByOffset performs
1263         a direct read of the field from the storage pointer. Both
1264         CheckStructure and GetByOffset can be CSE'd, so that we can
1265         eliminate redundant structure checks, and redundant reads of the
1266         same field.
1267         
1268         This is a 4% speed-up on V8, a 2% slow-down on Kraken, and
1269         neutral on SunSpider.
1270
1271         * bytecode/PredictedType.cpp:
1272         (JSC::predictionFromClassInfo):
1273         (JSC::predictionFromStructure):
1274         (JSC::predictionFromCell):
1275         * bytecode/PredictedType.h:
1276         * dfg/DFGByteCodeParser.cpp:
1277         (JSC::DFG::ByteCodeParser::parseBlock):
1278         * dfg/DFGGenerationInfo.h:
1279         (JSC::DFG::dataFormatToString):
1280         (JSC::DFG::needDataFormatConversion):
1281         (JSC::DFG::GenerationInfo::initStorage):
1282         (JSC::DFG::GenerationInfo::spill):
1283         (JSC::DFG::GenerationInfo::fillStorage):
1284         * dfg/DFGGraph.h:
1285         (JSC::DFG::Graph::predict):
1286         (JSC::DFG::Graph::getPrediction):
1287         * dfg/DFGJITCodeGenerator.cpp:
1288         (JSC::DFG::JITCodeGenerator::fillInteger):
1289         (JSC::DFG::JITCodeGenerator::fillDouble):
1290         (JSC::DFG::JITCodeGenerator::fillJSValue):
1291         (JSC::DFG::JITCodeGenerator::fillStorage):
1292         (JSC::DFG::GPRTemporary::GPRTemporary):
1293         * dfg/DFGJITCodeGenerator.h:
1294         (JSC::DFG::JITCodeGenerator::silentSpillGPR):
1295         (JSC::DFG::JITCodeGenerator::silentFillGPR):
1296         (JSC::DFG::JITCodeGenerator::spill):
1297         (JSC::DFG::JITCodeGenerator::storageResult):
1298         (JSC::DFG::StorageOperand::StorageOperand):
1299         (JSC::DFG::StorageOperand::~StorageOperand):
1300         (JSC::DFG::StorageOperand::index):
1301         (JSC::DFG::StorageOperand::gpr):
1302         (JSC::DFG::StorageOperand::use):
1303         * dfg/DFGNode.h:
1304         (JSC::DFG::OpInfo::OpInfo):
1305         (JSC::DFG::Node::Node):
1306         (JSC::DFG::Node::hasPrediction):
1307         (JSC::DFG::Node::hasStructure):
1308         (JSC::DFG::Node::structure):
1309         (JSC::DFG::Node::hasStorageAccessData):
1310         (JSC::DFG::Node::storageAccessDataIndex):
1311         * dfg/DFGPropagator.cpp:
1312         (JSC::DFG::Propagator::propagateNode):
1313         (JSC::DFG::Propagator::globalVarLoadElimination):
1314         (JSC::DFG::Propagator::getMethodLoadElimination):
1315         (JSC::DFG::Propagator::checkStructureLoadElimination):
1316         (JSC::DFG::Propagator::getByOffsetLoadElimination):
1317         (JSC::DFG::Propagator::performNodeCSE):
1318         * dfg/DFGSpeculativeJIT.cpp:
1319         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1320         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1321         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1322         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1323         (JSC::DFG::SpeculativeJIT::compile):
1324         * wtf/StdLibExtras.h:
1325         (WTF::safeCast):
1326
1327 2011-09-19  Mark Hahnenberg  <mhahnenberg@apple.com>
1328
1329         Remove toPrimitive from JSCell
1330         https://bugs.webkit.org/show_bug.cgi?id=67875
1331
1332         Reviewed by Darin Adler.
1333
1334         Part of the refactoring process to un-virtualize JSCell.  We move 
1335         all of the implicit functionality provided by the virtual toPrimitive method 
1336         in JSCell to be explicit in JSValue::toPrimitive and JSCell::toPrimitive while 
1337         also de-virtualizing JSCell::toPrimitive.
1338
1339         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1340         * runtime/JSCell.cpp:
1341         (JSC::JSCell::toPrimitive):
1342         * runtime/JSCell.h:
1343
1344         We replace JSNotAnObject::toPrimitive with defaultValue, which it overrides from 
1345         JSObject.  This pushes the virtual method further down, enabling us to get rid 
1346         of the virtual call in JSCell.  Eventually we'll probably have to deal with this
1347         again, but we'll cross that bridge when we come to it.
1348         * runtime/JSNotAnObject.cpp:
1349         (JSC::JSNotAnObject::defaultValue):
1350         * runtime/JSNotAnObject.h:
1351         * runtime/JSObject.h:
1352         * runtime/JSString.h:
1353
1354 2011-09-19  Geoffrey Garen  <ggaren@apple.com>
1355
1356         Removed ENABLE_LAZY_BLOCK_FREEING and related #ifdefs
1357         https://bugs.webkit.org/show_bug.cgi?id=68424
1358
1359         As discussed on webkit-dev. All ports build with threads enabled in JSC now.
1360         
1361         This may break WinCE and other ports that have not built and tested with
1362         this configuration. I've filed bugs for port maintainers. It's time for
1363         WebKit to move forward.
1364
1365         Reviewed by Mark Rowe.
1366
1367         * heap/Heap.cpp:
1368         (JSC::Heap::Heap):
1369         (JSC::Heap::~Heap):
1370         (JSC::Heap::destroy):
1371         (JSC::Heap::blockFreeingThreadMain):
1372         (JSC::Heap::allocateBlock):
1373         (JSC::Heap::freeBlocks):
1374         (JSC::Heap::releaseFreeBlocks):
1375         * heap/Heap.h:
1376         * wtf/Platform.h:
1377
1378 2011-09-19  Geoffrey Garen  <ggaren@apple.com>
1379
1380         Removed ENABLE_WTF_MULTIPLE_THREADS and related #ifdefs
1381         https://bugs.webkit.org/show_bug.cgi?id=68423
1382
1383         As discussed on webkit-dev. All ports build with threads enabled in WTF now.
1384         
1385         This may break WinCE and other ports that have not built and tested with
1386         this configuration. I've filed bugs for port maintainers. It's time for
1387         WebKit to move forward.
1388
1389         Reviewed by Mark Rowe.
1390
1391         * wtf/CryptographicallyRandomNumber.cpp:
1392         (WTF::ARC4Stream::ARC4RandomNumberGenerator::randomNumber):
1393         (WTF::ARC4Stream::ARC4RandomNumberGenerator::randomValues):
1394         * wtf/FastMalloc.cpp:
1395         * wtf/Platform.h:
1396         * wtf/RandomNumber.cpp:
1397         (WTF::randomNumber):
1398         * wtf/RefCountedLeakCounter.cpp:
1399         (WTF::RefCountedLeakCounter::increment):
1400         (WTF::RefCountedLeakCounter::decrement):
1401         * wtf/ThreadingPthreads.cpp:
1402         (WTF::initializeThreading):
1403         * wtf/ThreadingWin.cpp:
1404         (WTF::initializeThreading):
1405         * wtf/dtoa.cpp:
1406         (WTF::pow5mult):
1407         * wtf/gtk/ThreadingGtk.cpp:
1408         (WTF::initializeThreading):
1409         * wtf/qt/ThreadingQt.cpp:
1410         (WTF::initializeThreading):
1411
1412 2011-09-19  Geoffrey Garen  <ggaren@apple.com>
1413
1414         Removed ENABLE_JSC_MULTIPLE_THREADS and related #ifdefs.
1415         https://bugs.webkit.org/show_bug.cgi?id=68422
1416         
1417         As discussed on webkit-dev. All ports build with threads enabled in JSC now.
1418         
1419         This may break WinCE and other ports that have not built and tested with
1420         this configuration. I've filed bugs for port maintainers. It's time for
1421         WebKit to move forward.
1422
1423         Reviewed by Sam Weinig.
1424
1425         * API/APIShims.h:
1426         (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock):
1427         * API/JSContextRef.cpp:
1428         * heap/MachineStackMarker.cpp:
1429         (JSC::MachineThreads::MachineThreads):
1430         (JSC::MachineThreads::~MachineThreads):
1431         (JSC::MachineThreads::gatherConservativeRoots):
1432         * heap/MachineStackMarker.h:
1433         * runtime/InitializeThreading.cpp:
1434         (JSC::initializeThreadingOnce):
1435         (JSC::initializeThreading):
1436         * runtime/JSGlobalData.cpp:
1437         (JSC::JSGlobalData::sharedInstance):
1438         * runtime/JSGlobalData.h:
1439         (JSC::JSGlobalData::makeUsableFromMultipleThreads):
1440         * runtime/JSLock.cpp:
1441         * runtime/Structure.cpp:
1442         * wtf/Platform.h:
1443
1444 2011-09-19  Sheriff Bot  <webkit.review.bot@gmail.com>
1445
1446         Unreviewed, rolling out r95493 and r95496.
1447         http://trac.webkit.org/changeset/95493
1448         http://trac.webkit.org/changeset/95496
1449         https://bugs.webkit.org/show_bug.cgi?id=68418
1450
1451         Broke Windows build (Requested by rniwa on #webkit).
1452
1453         * CMakeLists.txt:
1454         * GNUmakefile.list.am:
1455         * JavaScriptCore.exp:
1456         * JavaScriptCore.gypi:
1457         * JavaScriptCore.pro:
1458         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1459         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1460         * JavaScriptCore.xcodeproj/project.pbxproj:
1461         * debugger/Debugger.cpp:
1462         (JSC::Debugger::recompileAllJSFunctions):
1463         * heap/AllocationSpace.cpp: Removed.
1464         * heap/AllocationSpace.h: Removed.
1465         * heap/Heap.cpp:
1466         (JSC::CountFunctor::TakeIfEmpty::TakeIfEmpty):
1467         (JSC::CountFunctor::TakeIfEmpty::operator()):
1468         (JSC::CountFunctor::TakeIfEmpty::returnValue):
1469         (JSC::Heap::Heap):
1470         (JSC::Heap::reportExtraMemoryCostSlowCase):
1471         (JSC::Heap::tryAllocate):
1472         (JSC::Heap::allocateSlowCase):
1473         (JSC::Heap::getConservativeRegisterRoots):
1474         (JSC::Heap::markRoots):
1475         (JSC::Heap::clearMarks):
1476         (JSC::Heap::sweep):
1477         (JSC::Heap::objectCount):
1478         (JSC::Heap::size):
1479         (JSC::Heap::capacity):
1480         (JSC::Heap::globalObjectCount):
1481         (JSC::Heap::objectTypeCounts):
1482         (JSC::Heap::collect):
1483         (JSC::Heap::canonicalizeBlocks):
1484         (JSC::Heap::resetAllocator):
1485         (JSC::Heap::allocateBlock):
1486         (JSC::Heap::freeBlocks):
1487         (JSC::Heap::shrink):
1488         * heap/Heap.h:
1489         (JSC::Heap::markedSpace):
1490         (JSC::Heap::forEachCell):
1491         (JSC::Heap::forEachBlock):
1492         (JSC::Heap::sizeClassFor):
1493         (JSC::Heap::allocate):
1494         * jit/JITInlineMethods.h:
1495         (JSC::JIT::emitAllocateBasicJSObject):
1496         * runtime/JSGlobalData.cpp:
1497         (JSC::JSGlobalData::recompileAllJSFunctions):
1498         (JSC::JSGlobalData::releaseExecutableMemory):
1499
1500 2011-09-19  Gavin Barraclough  <barraclough@apple.com>
1501
1502         Errrk, missed stylebot comments in last commit.
1503
1504         * runtime/StringPrototype.cpp:
1505         (JSC::stringProtoFuncSplit):
1506
1507 2011-09-19  Gavin Barraclough  <barraclough@apple.com>
1508
1509         String#split is buggy
1510         https://bugs.webkit.org/show_bug.cgi?id=68348
1511
1512         Reviewed by Sam Weinig.
1513
1514         * runtime/StringPrototype.cpp:
1515         (JSC::jsStringWithReuse):
1516             - added helper function to reuse original JSString value.
1517         (JSC::stringProtoFuncSplit):
1518             - Rewritten from the spec.
1519         * tests/mozilla/ecma/String/15.5.4.8-2.js:
1520         (getTestCases):
1521             - This test is not ES5 compliant.
1522
1523 2011-09-19  Geoffrey Garen  <ggaren@apple.com>
1524
1525         Removed lots of friend declarations from JSCell, so we can more
1526         effectively make use of private and protected.
1527
1528         Reviewed by Sam Weinig.
1529
1530         * runtime/JSCell.h: Removed MSVCBugWorkaround because it was a lot of
1531         confusion for not much safety.
1532         (JSC::JSCell::operator new): Made this public because it is used by a
1533         few clients, and not really dangerous.
1534
1535         * runtime/JSObject.cpp:
1536         (JSC::JSObject::put):
1537         (JSC::JSObject::deleteProperty):
1538         (JSC::JSObject::defineGetter):
1539         (JSC::JSObject::defineSetter):
1540         (JSC::JSObject::getPropertySpecificValue):
1541         (JSC::JSObject::getOwnPropertyNames):
1542         (JSC::JSObject::seal):
1543         (JSC::JSObject::freeze):
1544         (JSC::JSObject::preventExtensions):
1545         (JSC::JSObject::removeDirect):
1546         (JSC::JSObject::createInheritorID):
1547         (JSC::JSObject::allocatePropertyStorage):
1548         (JSC::JSObject::getOwnPropertyDescriptor):
1549         * runtime/JSObject.h:
1550         (JSC::JSObject::getDirect):
1551         (JSC::JSObject::getDirectLocation):
1552         (JSC::JSObject::hasCustomProperties):
1553         (JSC::JSObject::hasGetterSetterProperties):
1554         (JSC::JSObject::isSealed):
1555         (JSC::JSObject::isFrozen):
1556         (JSC::JSObject::isExtensible):
1557         (JSC::JSObject::flattenDictionaryObject):
1558         (JSC::JSObject::finishCreation):
1559         (JSC::JSObject::prototype):
1560         (JSC::JSObject::setPrototype):
1561         (JSC::JSObject::inlineGetOwnPropertySlot):
1562         (JSC::JSCell::fastGetOwnProperty):
1563         (JSC::JSObject::putDirectInternal):
1564         (JSC::JSObject::putDirectWithoutTransition):
1565         (JSC::JSObject::transitionTo):
1566         (JSC::JSObject::visitChildrenDirect): Changed all use of m_structure to
1567         structure() / setStructure(), so we don't have to be a friend of JSCell.
1568
1569         * runtime/Structure.h:
1570         (JSC::JSCell::setStructure): Added, to avoid direct access by JSObject
1571         to JSCell::m_structure.
1572
1573 2011-09-19  Adam Barth  <abarth@webkit.org>
1574
1575         Always enable ENABLE(EVENTSOURCE)
1576         https://bugs.webkit.org/show_bug.cgi?id=68414
1577
1578         Reviewed by Eric Seidel.
1579
1580         * Configurations/FeatureDefines.xcconfig:
1581
1582 2011-09-19  Eli Fidler  <efidler@rim.com>
1583
1584         Enable JSC_MULTIPLE_THREADS for OS(QNX).
1585         https://bugs.webkit.org/show_bug.cgi?id=68047
1586
1587         Reviewed by Daniel Bates.
1588
1589         SA_RESTART was required for SIGUSR2-based debugging, but is not
1590         present on QNX. This debugging doesn't seem critical to
1591         JSC_MULTIPLE_THREADS, so allow it to proceed.
1592
1593         * heap/MachineStackMarker.cpp:
1594         (JSC::MachineThreads::Thread::Thread):
1595         (JSC::getPlatformThreadRegisters):
1596         (JSC::otherThreadStackPointer):
1597         (JSC::freePlatformThreadRegisters):
1598         * wtf/Platform.h: enable PTHREADS for OS(QNX)
1599
1600 2011-09-19  Oliver Hunt  <oliver@apple.com>
1601
1602         Windows build fix.
1603
1604         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1605
1606 2011-09-19  Oliver Hunt  <oliver@apple.com>
1607
1608         Refactor Heap allocation logic into separate AllocationSpace class
1609         https://bugs.webkit.org/show_bug.cgi?id=68409
1610
1611         Reviewed by Gavin Barraclough.
1612
1613         This patch hoists direct manipulation of the MarkedSpace and related
1614         data out of Heap and into a separate class.  This will allow us to
1615         have multiple allocation spaces in future, so easing the way towards
1616         having GC'd backing stores for objects.
1617
1618         * CMakeLists.txt:
1619         * GNUmakefile.list.am:
1620         * JavaScriptCore.exp:
1621         * JavaScriptCore.gypi:
1622         * JavaScriptCore.pro:
1623         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1624         * JavaScriptCore.xcodeproj/project.pbxproj:
1625         * debugger/Debugger.cpp:
1626         (JSC::Debugger::recompileAllJSFunctions):
1627         * heap/AllocationSpace.cpp: Added.
1628         (JSC::AllocationSpace::tryAllocate):
1629         (JSC::AllocationSpace::allocateSlowCase):
1630         (JSC::AllocationSpace::allocateBlock):
1631         (JSC::AllocationSpace::freeBlocks):
1632         (JSC::TakeIfEmpty::TakeIfEmpty):
1633         (JSC::TakeIfEmpty::operator()):
1634         (JSC::TakeIfEmpty::returnValue):
1635         (JSC::AllocationSpace::shrink):
1636         * heap/AllocationSpace.h: Added.
1637         (JSC::AllocationSpace::AllocationSpace):
1638         (JSC::AllocationSpace::blocks):
1639         (JSC::AllocationSpace::sizeClassFor):
1640         (JSC::AllocationSpace::setHighWaterMark):
1641         (JSC::AllocationSpace::highWaterMark):
1642         (JSC::AllocationSpace::canonicalizeBlocks):
1643         (JSC::AllocationSpace::resetAllocator):
1644         (JSC::AllocationSpace::forEachCell):
1645         (JSC::AllocationSpace::forEachBlock):
1646         (JSC::AllocationSpace::allocate):
1647         * heap/Heap.cpp:
1648         (JSC::Heap::Heap):
1649         (JSC::Heap::reportExtraMemoryCostSlowCase):
1650         (JSC::Heap::getConservativeRegisterRoots):
1651         (JSC::Heap::markRoots):
1652         (JSC::Heap::clearMarks):
1653         (JSC::Heap::sweep):
1654         (JSC::Heap::objectCount):
1655         (JSC::Heap::size):
1656         (JSC::Heap::capacity):
1657         (JSC::Heap::globalObjectCount):
1658         (JSC::Heap::objectTypeCounts):
1659         (JSC::Heap::collect):
1660         (JSC::Heap::canonicalizeBlocks):
1661         (JSC::Heap::resetAllocator):
1662         (JSC::Heap::freeBlocks):
1663         (JSC::Heap::shrink):
1664         * heap/Heap.h:
1665         (JSC::Heap::objectSpace):
1666         (JSC::Heap::sizeClassForObject):
1667         (JSC::Heap::allocate):
1668         * jit/JITInlineMethods.h:
1669         (JSC::JIT::emitAllocateBasicJSObject):
1670         * runtime/JSGlobalData.cpp:
1671         (JSC::JSGlobalData::recompileAllJSFunctions):
1672         (JSC::JSGlobalData::releaseExecutableMemory):
1673
1674 2011-09-19  Adam Roben  <aroben@apple.com>
1675
1676         Windows build fix after r95310
1677
1678         * JavaScriptCore.vcproj/testRegExp/testRegExpCommon.vsprops: Added
1679         include\private\JavaScriptCore to the include path so DFGIntrinsic.h can be found.
1680
1681 2011-09-19  Filip Pizlo  <fpizlo@apple.com>
1682
1683         DFG speculation failures should act as additional value profiles
1684         https://bugs.webkit.org/show_bug.cgi?id=68335
1685
1686         Reviewed by Oliver Hunt.
1687         
1688         This adds slow-case counters to the old JIT. It also ensures that
1689         negative zero in multiply is handled carefully. The old JIT
1690         previously took slow path if the result of a multiply was zero,
1691         which, without any changes, would cause the DFG to think that
1692         every such multiply produced a double result.
1693         
1694         This also fixes a bug in the old JIT's handling of decrements. It
1695         would take the slow path if the result was zero, but not if it
1696         underflowed.
1697         
1698         By itself, this would be a 1% slow-down on V8 and Kraken. But then
1699         I wrote optimizations in the DFG that take advantage of this new
1700         information. It's no longer the case that every multiply needs to
1701         do a check for negative zero; it only happens if the negative
1702         zero is ignored.
1703         
1704         This results in a 12% speed-up on v8-crypto, for a 1.4% geomean
1705         speed-up in V8. It's mostly neutral on Kraken. I can see a
1706         0.5% slow-down and it appears to be significant.
1707
1708         * bytecode/CodeBlock.cpp:
1709         (JSC::CodeBlock::resetRareCaseProfiles):
1710         (JSC::CodeBlock::dumpValueProfiles):
1711         * bytecode/CodeBlock.h:
1712         * bytecode/ValueProfile.h:
1713         (JSC::RareCaseProfile::RareCaseProfile):
1714         (JSC::getRareCaseProfileBytecodeOffset):
1715         * dfg/DFGByteCodeParser.cpp:
1716         (JSC::DFG::ByteCodeParser::toInt32):
1717         (JSC::DFG::ByteCodeParser::makeSafe):
1718         (JSC::DFG::ByteCodeParser::parseBlock):
1719         * dfg/DFGJITCodeGenerator.cpp:
1720         (JSC::DFG::GPRTemporary::GPRTemporary):
1721         * dfg/DFGJITCodeGenerator.h:
1722         * dfg/DFGNode.h:
1723         * dfg/DFGPropagator.cpp:
1724         (JSC::DFG::Propagator::propagateNode):
1725         (JSC::DFG::Propagator::fixupNode):
1726         (JSC::DFG::Propagator::clobbersWorld):
1727         (JSC::DFG::Propagator::performNodeCSE):
1728         * dfg/DFGSpeculativeJIT.cpp:
1729         (JSC::DFG::SpeculativeJIT::compile):
1730         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
1731         * jit/JIT.cpp:
1732         (JSC::JIT::privateCompileSlowCases):
1733         * jit/JIT.h:
1734         (JSC::JIT::linkDummySlowCase):
1735         * jit/JITArithmetic.cpp:
1736         (JSC::JIT::emit_op_post_dec):
1737         (JSC::JIT::emit_op_pre_dec):
1738         (JSC::JIT::compileBinaryArithOp):
1739         (JSC::JIT::emit_op_add):
1740         (JSC::JIT::emitSlow_op_add):
1741         * jit/JITInlineMethods.h:
1742         (JSC::JIT::addSlowCase):
1743
1744 2011-09-19  Adam Roben  <aroben@apple.com>
1745
1746         Windows build fix after r94575
1747
1748         * JavaScriptCore.vcproj/JavaScriptCore.sln: Relinearized project dependencies. testRegExp
1749         now builds just before FindSafari.
1750
1751 2011-09-19  Sheriff Bot  <webkit.review.bot@gmail.com>
1752
1753         Unreviewed, rolling out r95466.
1754         http://trac.webkit.org/changeset/95466
1755         https://bugs.webkit.org/show_bug.cgi?id=68389
1756
1757         Incorrect version of the patch. (Requested by mhahnenberg on
1758         #webkit).
1759
1760         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1761         * runtime/JSCell.cpp:
1762         (JSC::JSCell::toPrimitive):
1763         * runtime/JSCell.h:
1764         (JSC::JSCell::JSValue::toPrimitive):
1765         * runtime/JSNotAnObject.cpp:
1766         (JSC::JSNotAnObject::toPrimitive):
1767         * runtime/JSNotAnObject.h:
1768         * runtime/JSObject.h:
1769         * runtime/JSString.h:
1770
1771 2011-09-19  Mark Hahnenberg  <mhahnenberg@apple.com>
1772
1773         Remove toPrimitive from JSCell
1774         https://bugs.webkit.org/show_bug.cgi?id=67875
1775
1776         Reviewed by Geoffrey Garen.
1777
1778         Part of the refactoring process to un-virtualize JSCell.  We move 
1779         all of the implicit functionality provided by the virtual toPrimitive method 
1780         in JSCell to be explicit in JSValue::toPrimitive and JSCell::toPrimitive while 
1781         also de-virtualizing JSCell::toPrimitive.
1782
1783         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1784         * runtime/JSCell.cpp:
1785         (JSC::JSCell::toPrimitive):
1786         * runtime/JSCell.h:
1787
1788         We replace JSNotAnObject::toPrimitive with defaultValue, which it overrides from 
1789         JSObject.  This pushes the virtual method further down, enabling us to get rid 
1790         of the virtual call in JSCell.  Eventually we'll probably have to deal with this
1791         again, but we'll cross that bridge when we come to it.
1792         * runtime/JSNotAnObject.cpp:
1793         (JSC::JSNotAnObject::defaultValue):
1794         * runtime/JSNotAnObject.h:
1795         * runtime/JSObject.h:
1796         * runtime/JSString.h:
1797         (JSC::JSValue::toPrimitive):
1798
1799 2011-09-19  Oliver Hunt  <oliver@apple.com>
1800
1801         Build fix.
1802
1803         * jit/JITPropertyAccess32_64.cpp:
1804         (JSC::JIT::compileGetDirectOffset):
1805
1806 2011-09-19  Oliver Hunt  <oliver@apple.com>
1807
1808         Rename NewSpace.{h,cpp} to MarkedSpace.{h,cpp}
1809         https://bugs.webkit.org/show_bug.cgi?id=68376
1810
1811         Reviewed by Gavin Barraclough.
1812
1813         Renamed the MarkedSpace files to match the new name, and
1814         updated the relevant references.
1815
1816         * CMakeLists.txt:
1817         * GNUmakefile.list.am:
1818         * JavaScriptCore.gypi:
1819         * JavaScriptCore.pro:
1820         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1821         * JavaScriptCore.xcodeproj/project.pbxproj:
1822         * heap/Heap.h:
1823         * heap/MarkedSpace.cpp: Renamed from Source/JavaScriptCore/heap/NewSpace.cpp.
1824         (JSC::MarkedSpace::MarkedSpace):
1825         (JSC::MarkedSpace::addBlock):
1826         (JSC::MarkedSpace::removeBlock):
1827         (JSC::MarkedSpace::resetAllocator):
1828         (JSC::MarkedSpace::canonicalizeBlocks):
1829         * heap/MarkedSpace.h: Renamed from Source/JavaScriptCore/heap/NewSpace.h.
1830         (JSC::MarkedSpace::waterMark):
1831         (JSC::MarkedSpace::highWaterMark):
1832         (JSC::MarkedSpace::setHighWaterMark):
1833         (JSC::MarkedSpace::sizeClassFor):
1834         (JSC::MarkedSpace::allocate):
1835         (JSC::MarkedSpace::forEachBlock):
1836         (JSC::MarkedSpace::SizeClass::SizeClass):
1837         (JSC::MarkedSpace::SizeClass::resetAllocator):
1838         (JSC::MarkedSpace::SizeClass::canonicalizeBlock):
1839         * runtime/JSCell.h:
1840
1841 2011-09-19  Oliver Hunt  <oliver@apple.com>
1842
1843         Rename NewSpace to MarkedSpace
1844         https://bugs.webkit.org/show_bug.cgi?id=68375
1845
1846         Reviewed by Gavin Barraclough.
1847
1848         Rename NewSpace to a more accurate name, and update all uses.
1849         This patch doesn't rename the files themselves as that will
1850         just make the patch appear bigger than it is.
1851
1852         * JavaScriptCore.exp:
1853         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1854         * heap/Heap.cpp:
1855         (JSC::CountFunctor::TakeIfEmpty::TakeIfEmpty):
1856         (JSC::CountFunctor::TakeIfEmpty::operator()):
1857         (JSC::Heap::Heap):
1858         (JSC::Heap::reportExtraMemoryCostSlowCase):
1859         (JSC::Heap::tryAllocate):
1860         (JSC::Heap::allocateSlowCase):
1861         (JSC::Heap::collect):
1862         (JSC::Heap::canonicalizeBlocks):
1863         (JSC::Heap::resetAllocator):
1864         (JSC::Heap::isValidAllocation):
1865         (JSC::Heap::shrink):
1866         * heap/Heap.h:
1867         (JSC::Heap::markedSpace):
1868         (JSC::Heap::sizeClassFor):
1869         (JSC::Heap::allocate):
1870         * heap/NewSpace.cpp:
1871         (JSC::MarkedSpace::MarkedSpace):
1872         (JSC::MarkedSpace::addBlock):
1873         (JSC::MarkedSpace::removeBlock):
1874         (JSC::MarkedSpace::resetAllocator):
1875         (JSC::MarkedSpace::canonicalizeBlocks):
1876         * heap/NewSpace.h:
1877         (JSC::MarkedSpace::waterMark):
1878         (JSC::MarkedSpace::highWaterMark):
1879         (JSC::MarkedSpace::setHighWaterMark):
1880         (JSC::MarkedSpace::sizeClassFor):
1881         (JSC::MarkedSpace::allocate):
1882         (JSC::MarkedSpace::forEachBlock):
1883         (JSC::MarkedSpace::SizeClass::SizeClass):
1884         (JSC::MarkedSpace::SizeClass::resetAllocator):
1885         (JSC::MarkedSpace::SizeClass::canonicalizeBlock):
1886         * jit/JITInlineMethods.h:
1887         (JSC::JIT::emitAllocateBasicJSObject):
1888
1889 2011-09-19  Peter Rybin  <peter.rybin@gmail.com>
1890
1891         TextPosition refactoring: Merge ZeroBasedNumber and OneBasedNumber classes
1892         https://bugs.webkit.org/show_bug.cgi?id=63541
1893
1894         Reviewed by Adam Barth.
1895
1896         * parser/SourceProvider.h:
1897         (JSC::SourceProvider::startPosition):
1898         * wtf/text/TextPosition.h:
1899         (WTF::OrdinalNumber::fromZeroBasedInt):
1900         (WTF::OrdinalNumber::fromOneBasedInt):
1901         (WTF::OrdinalNumber::OrdinalNumber):
1902         (WTF::OrdinalNumber::zeroBasedInt):
1903         (WTF::OrdinalNumber::oneBasedInt):
1904         (WTF::OrdinalNumber::operator==):
1905         (WTF::OrdinalNumber::operator!=):
1906         (WTF::OrdinalNumber::first):
1907         (WTF::OrdinalNumber::beforeFirst):
1908         (WTF::TextPosition::TextPosition):
1909         (WTF::TextPosition::minimumPosition):
1910         (WTF::TextPosition::belowRangePosition):
1911
1912 2011-09-19  Dan Bernstein  <mitz@apple.com>
1913
1914         JavaScriptCore part of [mac] WebKit contains Objective-C classes that are not prefixed with its standard prefixes
1915         https://bugs.webkit.org/show_bug.cgi?id=68323
1916
1917         Reviewed by Sam Weinig.
1918
1919         Renamed WTFMainThreadCaller to JSWTFMainThreadCaller.
1920
1921         * wtf/mac/MainThreadMac.mm:
1922         (WTF::initializeMainThreadPlatform):
1923         (WTF::initializeMainThreadToProcessMainThreadPlatform):
1924
1925 2011-09-19  Oliver Hunt  <oliver@apple.com>
1926
1927         Remove direct property slot pointers from the instruction stream
1928         https://bugs.webkit.org/show_bug.cgi?id=68373
1929
1930         Reviewed by Gavin Barraclough.
1931
1932         Use an indirect load to access prototype properties rather than directly
1933         storing the property address in the instruction stream.  This should allow
1934         further optimisations in future, and also provides a 0.5% win to SunSpider.
1935
1936         * dfg/DFGRepatch.cpp:
1937         (JSC::DFG::generateProtoChainAccessStub):
1938         * jit/JITPropertyAccess.cpp:
1939         (JSC::JIT::compileGetDirectOffset):
1940         * jit/JITPropertyAccess32_64.cpp:
1941         (JSC::JIT::compileGetDirectOffset):
1942         * runtime/JSObject.h:
1943         (JSC::JSObject::addressOfPropertyStorage):
1944
1945 2011-09-19  Oliver Hunt  <oliver@apple.com>
1946
1947         Remove bump allocator
1948         https://bugs.webkit.org/show_bug.cgi?id=68370
1949
1950         Reviewed by Sam Weinig.
1951
1952         Can't do anything with this allocator currently, and it's
1953         increasing the complexity of the GC code.  Slight progression
1954         on SunSpider, slight regression (undoing the original progression)
1955         in V8.
1956
1957         * heap/Heap.cpp:
1958         (JSC::Heap::collect):
1959         * heap/Heap.h:
1960         * heap/NewSpace.cpp:
1961         (JSC::NewSpace::NewSpace):
1962         * heap/NewSpace.h:
1963         (JSC::NewSpace::allocate):
1964         * runtime/JSObject.cpp:
1965         (JSC::JSObject::allocatePropertyStorage):
1966         * runtime/JSObject.h:
1967         (JSC::JSObject::~JSObject):
1968         (JSC::JSObject::visitChildrenDirect):
1969         * runtime/StorageBarrier.h:
1970         (JSC::StorageBarrier::set):
1971
1972 2011-09-19  Carlos Garcia Campos  <cgarcia@igalia.com>
1973
1974         [GTK] Fix distcheck build
1975         https://bugs.webkit.org/show_bug.cgi?id=68346
1976
1977         Reviewed by Philippe Normand.
1978
1979         * GNUmakefile.list.am:
1980
1981 2011-09-19  Carlos Garcia Campos  <cgarcia@igalia.com>
1982
1983         [GTK] Fix distcheck build
1984         https://bugs.webkit.org/show_bug.cgi?id=68241
1985
1986         Reviewed by Martin Robinson.
1987
1988         * GNUmakefile.list.am:
1989
1990 2011-09-18  Dan Bernstein  <mitz@apple.com>
1991
1992         Removed ProfilerServer.
1993
1994         Reviewed by Mark Rowe.
1995
1996         * JavaScriptCore.gypi:
1997         * JavaScriptCore.xcodeproj/project.pbxproj:
1998         * profiler/ProfilerServer.h: Removed.
1999         * profiler/ProfilerServer.mm: Removed.
2000         * runtime/JSGlobalData.cpp:
2001         (JSC::JSGlobalData::JSGlobalData):
2002         * wscript:
2003
2004 2011-09-17  Filip Pizlo  <fpizlo@apple.com>
2005
2006         DFG JIT should inline Math.min, Math.max, and Math.sqrt
2007         https://bugs.webkit.org/show_bug.cgi?id=68318
2008
2009         Reviewed by Gavin Barraclough.
2010         
2011         Adds Math.min, Math.max, and Math.sqrt intrinsics. Adds support for
2012         a function to have an intrinsic but not a thunk generator. This is
2013         a 7% speed-up on access-nbody, and neutral elsewhere, mainly because
2014         we're still not DFG compiling the bulk of the hot code in Kraken audio
2015         benchmarks.
2016
2017         * create_hash_table:
2018         * dfg/DFGByteCodeParser.cpp:
2019         (JSC::DFG::ByteCodeParser::handleMinMax):
2020         (JSC::DFG::ByteCodeParser::handleIntrinsic):
2021         * dfg/DFGIntrinsic.h:
2022         * dfg/DFGNode.h:
2023         * dfg/DFGPropagator.cpp:
2024         (JSC::DFG::Propagator::propagateNode):
2025         (JSC::DFG::Propagator::fixupNode):
2026         * dfg/DFGSpeculativeJIT.cpp:
2027         (JSC::DFG::SpeculativeJIT::compile):
2028         * jit/JITStubs.cpp:
2029         (JSC::JITThunks::hostFunctionStub):
2030         * runtime/Lookup.cpp:
2031         (JSC::setUpStaticFunctionSlot):
2032
2033 2011-09-18  Nico Weber  <thakis@chromium.org>
2034
2035         Remove two files from JavaScriptCore.gypi that were removed in r95240
2036         https://bugs.webkit.org/show_bug.cgi?id=68327
2037
2038         Unreviewed, build warning fix.
2039
2040         * JavaScriptCore.gypi:
2041
2042 2011-09-17  Oliver Hunt  <oliver@apple.com>
2043
2044         Remove special case handling of inline storage from the JIT
2045         https://bugs.webkit.org/show_bug.cgi?id=68319
2046
2047         Reviewed by Gavin Barraclough.
2048
2049         Simplify logic used for reading and writing to property storage
2050         by removing the special cases for inline storage.  This has no
2051         perf impact.
2052
2053         * dfg/DFGRepatch.cpp:
2054         (JSC::DFG::generateProtoChainAccessStub):
2055         (JSC::DFG::tryBuildGetByIDList):
2056         * jit/JIT.h:
2057         * jit/JITPropertyAccess.cpp:
2058         (JSC::JIT::compilePutDirectOffset):
2059         (JSC::JIT::compileGetDirectOffset):
2060         (JSC::JIT::privateCompilePutByIdTransition):
2061         (JSC::JIT::privateCompileGetByIdSelfList):
2062         * jit/JITPropertyAccess32_64.cpp:
2063         (JSC::JIT::compilePutDirectOffset):
2064         (JSC::JIT::compileGetDirectOffset):
2065         (JSC::JIT::privateCompilePutByIdTransition):
2066         (JSC::JIT::privateCompileGetByIdSelfList):
2067
2068 2011-09-17  Filip Pizlo  <fpizlo@apple.com>
2069
2070         DFG JIT does not have full block-local CSE
2071         https://bugs.webkit.org/show_bug.cgi?id=68316
2072
2073         Reviewed by Oliver Hunt.
2074         
2075         This adds block-local CSE to the DFG. CSE runs in the propagator just after
2076         type propagation. It is part of the propagator itself because it needs to
2077         use the propagator's internal data structures to determine which operations
2078         may have side effects. Because it changes the live-ranges of nodes, the
2079         virtual register allocator had to be moved into the propagator so that it
2080         runs after CSE. To ensure that the back-end knows to keep the inputs to
2081         any eliminated node alive for OSR, a new node type, Phantom, was introduced.
2082         It is a no-op but prolongs the live-range of its inputs.
2083         
2084         This is an 80% speed-up on imaging-gaussian-blur, and a 10% speed-up on
2085         Kraken.
2086         
2087         * JavaScriptCore.xcodeproj/project.pbxproj:
2088         * dfg/DFGAliasTracker.h: Removed.
2089         * dfg/DFGByteCodeParser.cpp:
2090         (JSC::DFG::ByteCodeParser::parseBlock):
2091         (JSC::DFG::ByteCodeParser::parse):
2092         * dfg/DFGGraph.cpp:
2093         (JSC::DFG::Graph::dump):
2094         * dfg/DFGGraph.h:
2095         (JSC::DFG::MethodCheckData::operator==):
2096         (JSC::DFG::MethodCheckData::operator!=):
2097         * dfg/DFGNode.h:
2098         (JSC::DFG::Node::hasVirtualRegister):
2099         (JSC::DFG::Node::setRefCount):
2100         * dfg/DFGPropagator.cpp:
2101         (JSC::DFG::Propagator::Propagator):
2102         (JSC::DFG::Propagator::fixpoint):
2103         (JSC::DFG::Propagator::propagateNode):
2104         (JSC::DFG::Propagator::canonicalize):
2105         (JSC::DFG::Propagator::computeStartIndex):
2106         (JSC::DFG::Propagator::startIndex):
2107         (JSC::DFG::Propagator::pureCSE):
2108         (JSC::DFG::Propagator::globalVarLoadElimination):
2109         (JSC::DFG::Propagator::getByValLoadElimination):
2110         (JSC::DFG::Propagator::getMethodLoadElimination):
2111         (JSC::DFG::Propagator::performSubstitution):
2112         (JSC::DFG::Propagator::setReplacement):
2113         (JSC::DFG::Propagator::performNodeCSE):
2114         (JSC::DFG::Propagator::performBlockCSE):
2115         (JSC::DFG::Propagator::localCSE):
2116         (JSC::DFG::Propagator::allocateVirtualRegisters):
2117         (JSC::DFG::propagate):
2118         * dfg/DFGSpeculativeJIT.cpp:
2119         (JSC::DFG::SpeculativeJIT::compile):
2120
2121 2011-09-16  Filip Pizlo  <fpizlo@apple.com>
2122
2123         method_check should repatch itself if it finds that the new structure(s)
2124         are the result of transitions from the old structure(s)
2125         https://bugs.webkit.org/show_bug.cgi?id=68294
2126
2127         Reviewed by Gavin Barraclough.
2128         
2129         Previously a patched method_check would slow-path to get_by_id. Now it
2130         slow-paths to method_check_update, which attempts to correct the
2131         method_check due to structure transitions before bailing to get_by_id.
2132         
2133         This is a 1-2% speed-up on some benchmarks and is not a slow-down
2134         anywhere, leading to a 0.6% speed-up on the Kraken geomean.
2135
2136         * jit/JITPropertyAccess.cpp:
2137         (JSC::JIT::patchMethodCallProto):
2138         * jit/JITStubs.cpp:
2139         (JSC::DEFINE_STUB_FUNCTION):
2140         * jit/JITStubs.h:
2141         * runtime/Structure.h:
2142         (JSC::Structure::transitivelyTransitionedFrom):
2143
2144 2011-09-16  Ryosuke Niwa  <rniwa@webkit.org>
2145
2146         Touch Platform.h in the hope to fix SnowLeopard Intel Release (WebKit2 Tests).
2147
2148         * wtf/Platform.h:
2149
2150 2011-09-16  Sam Weinig  <sam@webkit.org>
2151
2152         Rename APIValueWrapper type to APIValueWrapperType for consistency
2153         https://bugs.webkit.org/show_bug.cgi?id=68306
2154
2155         Reviewed by Anders Carlsson.
2156
2157         * runtime/JSAPIValueWrapper.h:
2158         (JSC::JSAPIValueWrapper::createStructure):
2159         Update name.
2160
2161         * runtime/JSType.h:
2162         Update name and un-indent.
2163
2164         * runtime/Structure.h:
2165         (JSC::JSCell::isAPIValueWrapper):
2166         Update name.
2167
2168 2011-09-16  Sam Weinig  <sam@webkit.org>
2169
2170         Remove unused isStrictModeFunction function
2171         https://bugs.webkit.org/show_bug.cgi?id=68305
2172
2173         Reviewed by Anders Carlsson.
2174
2175         * runtime/JSObject.h:
2176         (JSC::JSObject::isStrictModeFunction):
2177
2178 2011-09-16  Sam Weinig  <sam@webkit.org>
2179
2180         Cleanup JSTypeInfo a bit
2181         https://bugs.webkit.org/show_bug.cgi?id=68289
2182
2183         Reviewed by Anders Carlsson.
2184
2185         * dfg/DFGOperations.cpp:
2186         * jit/JITStubs.cpp:
2187         (JSC::DEFINE_STUB_FUNCTION):
2188         Replace direct access to flags() with predicate.
2189
2190         * runtime/JSObject.h:
2191         (JSC::JSFinalObject::createStructure):
2192         Pass FinalObjectType instead of using special IsJSFinalObject.
2193
2194         * runtime/JSTypeInfo.h:
2195         (JSC::TypeInfo::TypeInfo):
2196         Add an additional assert that no object should have OverridesHasInstance set but not ImplementsHasInstance.
2197
2198         (JSC::TypeInfo::isFinalObject):
2199         Added.
2200
2201         (JSC::TypeInfo::masqueradesAsUndefined):
2202         (JSC::TypeInfo::implementsHasInstance):
2203         (JSC::TypeInfo::isEnvironmentRecord):
2204         (JSC::TypeInfo::overridesHasInstance):
2205         (JSC::TypeInfo::implementsDefaultHasInstance):
2206         (JSC::TypeInfo::overridesGetOwnPropertySlot):
2207         (JSC::TypeInfo::overridesVisitChildren):
2208         (JSC::TypeInfo::overridesGetPropertyNames):
2209         (JSC::TypeInfo::prohibitsPropertyCaching):
2210         (JSC::TypeInfo::isSetOnFlags1):
2211         (JSC::TypeInfo::isSetOnFlags2):
2212         Replace direct bit twiddling with helper functions.
2213
2214         * runtime/Structure.cpp:
2215         (JSC::Structure::Structure):
2216         Use new isFinalObject() predicate.
2217
2218 2011-09-16  Gavin Barraclough  <barraclough@apple.com>
2219
2220         Unsigned bit shift fails under certain conditions in 32 bit builds
2221         https://bugs.webkit.org/show_bug.cgi?id=68166
2222
2223         Reviewed by Geoff Garen.
2224
2225         The major bug here is that the slow case (which handles shifts of
2226         doubles) doesn't check for negative results from an unsigned shift
2227         (which should be unsigned, and as such can't be represented by a
2228         signed integer immediate).  The implementation is also flawed for
2229         shifts by negative shift amounts (treats as shift by zero).
2230
2231         * jit/JITArithmetic32_64.cpp:
2232         (JSC::JIT::emitRightShift):
2233         (JSC::JIT::emitRightShiftSlowCase):
2234
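The int32 fast-path cases described in the DFG speculation-failure entry above (negative zero from multiply, decrement underflow) and in this unsigned bit shift entry, as an added example that is not JavaScriptCore's code: a small reference model of when a result may stay an int32 and when it must go to the slow path as a double, plus a differential check of the `>>>` model against the engine it runs on. The names `mulInt32`, `decInt32`, `urshiftInt32`, `toUint32` and `urshiftMismatches` are chosen here and are not JSC functions.

```javascript
// Added example, not JavaScriptCore code. JSC stores small integers as
// int32 and everything else as a double, so a JIT fast path may only keep
// an int32 result when the language-level result really is an int32. The
// functions below model that decision for the cases the ChangeLog entries
// above discuss, returning { value, slowPath }.

const INT32_MIN = -2147483648;
const INT32_MAX = 2147483647;
const TWO_32 = 4294967296;

// True when n is representable as a JSC int32 (-0 is not; it is a double).
function isInt32(n) {
  return Number.isInteger(n) && n >= INT32_MIN && n <= INT32_MAX && !Object.is(n, -0);
}

// Multiply. A product of exactly zero with a negative operand is -0
// (e.g. 0 * -5), which has no int32 form. When the consumer cannot observe
// the sign of zero (negZeroObservable === false, e.g. the product feeds a
// bitwise op, and ToInt32(-0) is 0), the check can be skipped and the
// result kept as int32 0; a positive zero never needed the slow path.
function mulInt32(a, b, negZeroObservable = true) {
  const value = a * b;
  if (Object.is(value, -0) && !negZeroObservable) return { value: 0, slowPath: false };
  return { value, slowPath: !isInt32(value) };
}

// Decrement. The result needs the slow path when it underflows below
// INT32_MIN; a result of exactly zero is still a perfectly good int32.
function decInt32(a) {
  const value = a - 1;
  return { value, slowPath: !isInt32(value) };
}

// ES5 9.6 ToUint32, written out rather than using the engine's own `>>> 0`
// so that the model is independent of the operator it is checking.
function toUint32(x) {
  const n = Number(x);
  if (!Number.isFinite(n) || n === 0) return 0;
  const truncated = Math.sign(n) * Math.floor(Math.abs(n));
  return ((truncated % TWO_32) + TWO_32) % TWO_32;
}

// Unsigned right shift (ES5 11.7.3): both operands go through ToUint32 and
// the shift count is reduced modulo 32, so a negative count such as -1 means
// a shift by 31, not by zero. The result is an unsigned 32-bit value; when it
// is >= 2^31 it cannot be stored as a signed int32 immediate and must go to
// the slow path as a double.
function urshiftInt32(left, right) {
  const lnum = toUint32(left);
  const shiftCount = toUint32(right) % 32;
  const value = Math.floor(lnum / 2 ** shiftCount); // exact: power-of-two division
  return { value, slowPath: value > INT32_MAX };
}

// Differential check of the shift model against the engine's own `>>>` on
// constructed inputs covering doubles, negative values and negative counts.
// Returns the number of disagreements (0 means the model matches the engine).
function urshiftMismatches() {
  const lefts = [0, 1, -1, -8, 2147483647, 2147483648, 2147483648.5,
                 -2147483648.5, 4294967296, NaN, Infinity];
  const rights = [0, 1, 31, 32, 33, -1, -31, 1.9, NaN];
  let mismatches = 0;
  for (const l of lefts) {
    for (const r of rights) {
      if (urshiftInt32(l, r).value !== (l >>> r)) mismatches++;
    }
  }
  return mismatches;
}
```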
2235 2011-09-16  Geoffrey Garen  <ggaren@apple.com>
2236
2237         Removed undetectable style.filter.
2238
2239         Reviewed by Sam Weinig.
2240         
2241         This feature was added in http://trac.webkit.org/changeset/15557 to
2242         support housingmaps.com. But housingmaps.com no longer needs this hack,
2243         we don't know of other websites that need it, and we don't know of
2244         any other browsers that have implemented this feature.
2245
2246         * GNUmakefile.list.am:
2247         * JavaScriptCore.gypi:
2248         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2249         * JavaScriptCore.xcodeproj/project.pbxproj:
2250         * runtime/JSTypeInfo.h:
2251         * runtime/StringObjectThatMasqueradesAsUndefined.h: Removed.
2252
2253 2011-09-15  Sam Weinig  <sam@webkit.org>
2254
2255         Prepare JSTypes for more Object subtypes
2256         https://bugs.webkit.org/show_bug.cgi?id=68200
2257
2258         Reviewed by Gavin Barraclough.
2259
2260         * dfg/DFGJITCompiler.h:
2261         (JSC::DFG::JITCompiler::branchIfNotObject):
2262         * jit/JITInlineMethods.h:
2263         (JSC::JIT::emitJumpIfNotObject):
2264         * runtime/JSGlobalObject.h:
2265         (JSC::Structure::prototypeForLookup):
2266         * runtime/JSObject.h:
2267         (JSC::JSObject::finishCreation):
2268         * runtime/JSType.h:
2269         * runtime/JSTypeInfo.h:
2270         (JSC::TypeInfo::type):
2271         (JSC::TypeInfo::isObject):
2272         (JSC::TypeInfo::isFinal):
2273         (JSC::TypeInfo::prohibitsPropertyCaching):
2274         * runtime/NativeErrorConstructor.h:
2275         (JSC::NativeErrorConstructor::finishCreation):
2276         * runtime/Operations.cpp:
2277         (JSC::jsIsObjectType):
2278         * runtime/Structure.cpp:
2279         (JSC::Structure::addPropertyTransitionToExistingStructure):
2280         (JSC::Structure::addPropertyTransition):
2281         * runtime/Structure.h:
2282         (JSC::Structure::isObject):
2283         (JSC::JSCell::isObject):
2284
2285 2011-09-16  Geoffrey Garen  <ggaren@apple.com>
2286
2287         Rolled back in r95201 with test failure fixed.
2288         
2289         I missed two cases of jumpSlowToHot in rshift -- these cases need to be
2290         sure to initialize regT1 to the int tag, since it will otherwise hold
2291         the top 32 bits of a double.
2292
2293         * jit/JIT.h:
2294         * jit/JITArithmetic32_64.cpp:
2295         (JSC::JIT::emit_op_lshift):
2296         (JSC::JIT::emitRightShift):
2297         (JSC::JIT::emitRightShiftSlowCase):
2298         (JSC::JIT::emit_op_bitand):
2299         (JSC::JIT::emit_op_bitor):
2300         (JSC::JIT::emit_op_bitxor):
2301         (JSC::JIT::emit_op_bitnot):
2302         (JSC::JIT::emit_op_post_inc):
2303         (JSC::JIT::emit_op_post_dec):
2304         (JSC::JIT::emit_op_pre_inc):
2305         (JSC::JIT::emit_op_pre_dec):
2306         * jit/JITInlineMethods.h:
2307         (JSC::JIT::emitStoreAndMapInt32):
2308
2309 2011-09-16  Filip Pizlo  <fpizlo@apple.com>
2310
2311         Unreviewed Windows build fix after 95318.
2312
2313         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2314
2315 2011-09-16  Adam Roben  <aroben@apple.com>
2316
2317         Windows build fix after r95310
2318
2319         * JavaScriptCore.vcproj/jsc/jscCommon.vsprops: Added include\private\JavaScriptCore to the
2320         include path so DFGIntrinsic.h can be found.
2321
2322 2011-09-16  Gavin Barraclough  <barraclough@apple.com>
2323
2324         Rationalize JSObject::putDirect* methods
2325         https://bugs.webkit.org/show_bug.cgi?id=68274
2326
2327         Reviewed by Sam Weinig.
2328         
2329         Delete the *Function variants. These are overall inefficient,
2330         in the way they get the name back from the function rather
2331         than just passing it in.
2332
2333         * JavaScriptCore.exp:
2334         * jsc.cpp:
2335         (GlobalObject::finishCreation):
2336         (GlobalObject::addFunction):
2337         * runtime/FunctionPrototype.cpp:
2338         (JSC::FunctionPrototype::addFunctionProperties):
2339         * runtime/JSGlobalObject.cpp:
2340         (JSC::JSGlobalObject::reset):
2341         * runtime/JSObject.cpp:
2342         (JSC::JSObject::put):
2343         (JSC::JSObject::putWithAttributes):
2344         (JSC::JSObject::defineGetter):
2345         (JSC::JSObject::defineSetter):
2346         * runtime/JSObject.h:
2347         (JSC::JSObject::putDirect):
2348         (JSC::JSObject::putDirectWithoutTransition):
2349         * runtime/Lookup.cpp:
2350         (JSC::setUpStaticFunctionSlot):
2351         * runtime/Lookup.h:
2352         (JSC::lookupPut):
2353
2354 2011-09-16  Filip Pizlo  <fpizlo@apple.com>
2355
2356         Unreviewed build fix for Windows.
2357
2358         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2359
2360 2011-09-16  Filip Pizlo  <fpizlo@apple.com>
2361
2362         Unreviewed build fix for non-DFG builds.
2363
2364         * runtime/Executable.h:
2365         (JSC::NativeExecutable::finishCreation):
2366
2367 2011-09-16  Filip Pizlo  <fpizlo@apple.com>
2368
2369         DFG JIT should inline Math.abs
2370         https://bugs.webkit.org/show_bug.cgi?id=68227
2371
2372         Reviewed by Oliver Hunt.
2373         
2374         This adds the ability to track intrinsic functions throughout the
2375         host function infrastructure, so that the DFG can easily query
2376         whether or not a call's target is intrinsic, and if so, which
2377         intrinsic it is.
2378         
2379         On top of this, it adds Math.abs intrinsics to DFG. Call(Math.abs)
2380         is transformed into ValueToNumber<-ArithAbs nodes. These nodes
2381         then get optimized using the usual tricks.
2382         
2383         Also had to make a completely unrelated change to
2384         DateInstanceCache.h in order to fix a preexisting alphabetical
2385         sorting problem in JSGlobalData.h
2386         
2387         This results in a big win in imaging-gaussian-blur: 61% faster
2388         than before. The net win on Kraken is around 13%.
2389
2390         * JavaScriptCore.xcodeproj/project.pbxproj:
2391         * create_hash_table:
2392         * dfg/DFGByteCodeParser.cpp:
2393         (JSC::DFG::ByteCodeParser::parseBlock):
2394         * dfg/DFGGraph.h:
2395         (JSC::DFG::Graph::isFunctionConstant):
2396         (JSC::DFG::Graph::valueOfFunctionConstant):
2397         * dfg/DFGIntrinsic.h: Added.
2398         * dfg/DFGJITCodeGenerator.h:
2399         (JSC::DFG::JITCodeGenerator::isFunctionConstant):
2400         (JSC::DFG::JITCodeGenerator::valueOfFunctionConstant):
2401         * dfg/DFGJITCompiler.h:
2402         (JSC::DFG::JITCompiler::isFunctionConstant):
2403         (JSC::DFG::JITCompiler::valueOfFunctionConstant):
2404         * dfg/DFGNode.h:
2405         * dfg/DFGPropagator.cpp:
2406         (JSC::DFG::Propagator::propagateNode):
2407         * dfg/DFGSpeculativeJIT.cpp:
2408         (JSC::DFG::SpeculativeJIT::compile):
2409         * jit/JITStubs.cpp:
2410         (JSC::JITThunks::hostFunctionStub):
2411         * jit/JITStubs.h:
2412         * runtime/DateInstanceCache.h:
2413         * runtime/Executable.cpp:
2414         (JSC::ExecutableBase::intrinsic):
2415         (JSC::NativeExecutable::intrinsic):
2416         * runtime/Executable.h:
2417         (JSC::NativeExecutable::create):
2418         (JSC::NativeExecutable::finishCreation):
2419         * runtime/JSGlobalData.cpp:
2420         (JSC::JSGlobalData::getHostFunction):
2421         * runtime/JSGlobalData.h:
2422         * runtime/Lookup.cpp:
2423         (JSC::HashTable::createTable):
2424         (JSC::setUpStaticFunctionSlot):
2425         * runtime/Lookup.h:
2426         (JSC::HashEntry::initialize):
2427         (JSC::HashEntry::intrinsic):
2428
2429 2011-09-16  Filip Pizlo  <fpizlo@apple.com>
2430
2431         REGRESSION: Reproducible crash below SlotVisitor::harvestWeakReferences
2432         using Domino's online ordering
2433         https://bugs.webkit.org/show_bug.cgi?id=68220
2434
2435         Reviewed by Oliver Hunt.
2436         
2437         Weak handle processing can result in new objects being marked, which
2438         results in new WeakReferencesHarvesters being added. But weak
2439         reference harvesters are only processed before weak handle processing,
2440         so there's the risk that a weak reference harvester will persist
2441         until the next collection, by which time it may have been deleted.
2442
2443         * heap/Heap.cpp:
2444         (JSC::Heap::markRoots):
2445
2446 2011-09-16  Csaba Osztrogonác  <ossy@webkit.org>
2447
2448         REGRESSION(r95201): It made two tests fail
2449         https://bugs.webkit.org/show_bug.cgi?id=68230
2450
2451         Unreviewed rolling out r95201.
2452
2453         * jit/JIT.h:
2454         * jit/JITArithmetic32_64.cpp:
2455         (JSC::JIT::emit_op_lshift):
2456         (JSC::JIT::emitRightShift):
2457         (JSC::JIT::emit_op_bitand):
2458         (JSC::JIT::emit_op_bitor):
2459         (JSC::JIT::emit_op_bitxor):
2460         (JSC::JIT::emit_op_bitnot):
2461         (JSC::JIT::emit_op_post_inc):
2462         (JSC::JIT::emit_op_post_dec):
2463         (JSC::JIT::emit_op_pre_inc):
2464         (JSC::JIT::emit_op_pre_dec):
2465         * jit/JITInlineMethods.h:
2466
2467 2011-09-15  Filip Pizlo  <fpizlo@apple.com>
2468
2469         DFG JIT does not optimize method_check
2470         https://bugs.webkit.org/show_bug.cgi?id=68215
2471
2472         Reviewed by Oliver Hunt.
2473         
2474         MethodCallLinkInfo and StructureStubInfo are now searchable by
2475         bytecodeIndex, so that DFG::ByteCodeParser can use that information
2476         to determine how to optimize GetMethod.
2477         
2478         A new node op has been added to DFG: CheckMethod. This is a variant
2479         of GetMethod that has been optimized for the case that GetMethod
2480         always takes the fast path. CheckMethod results in only a very
2481         small amount of code (two loads and two branches in the worst case,
2482         one load and one branch in the best case). CheckMethod behaves as
2483         if it were a constant.  
2484         
2485         Introduced the notion that a DFG node that is not JSConstant
2486         behaves as a constant. CheckMethod uses this functionality.
2487         
2488         This is a 3% speed-up on Kraken, and a small speed-up on V8.
2489         Appears to be neutral on SunSpider.
2490
2491         * bytecode/CodeBlock.h:
2492         (JSC::getStructureStubInfoBytecodeIndex):
2493         (JSC::getMethodCallLinkInfoBytecodeIndex):
2494         * bytecode/PredictedType.cpp:
2495         (JSC::predictionFromCell):
2496         (JSC::predictionFromValue):
2497         * bytecode/PredictedType.h:
2498         * bytecode/StructureStubInfo.h:
2499         * dfg/DFGAliasTracker.h:
2500         (JSC::DFG::AliasTracker::recordGetMethod):
2501         * dfg/DFGByteCodeParser.cpp:
2502         (JSC::DFG::ByteCodeParser::parseBlock):
2503         * dfg/DFGGraph.cpp:
2504         (JSC::DFG::Graph::dump):
2505         * dfg/DFGGraph.h:
2506         (JSC::DFG::Graph::getMethodCheckPrediction):
2507         (JSC::DFG::Graph::getPrediction):
2508         (JSC::DFG::Graph::isConstant):
2509         (JSC::DFG::Graph::isJSConstant):
2510         (JSC::DFG::Graph::valueOfJSConstant):
2511         (JSC::DFG::Graph::valueOfInt32Constant):
2512         (JSC::DFG::Graph::valueOfNumberConstant):
2513         (JSC::DFG::Graph::valueOfBooleanConstant):
2514         (JSC::DFG::Graph::valueOfJSConstantNode):
2515         * dfg/DFGJITCodeGenerator.cpp:
2516         (JSC::DFG::JITCodeGenerator::fillInteger):
2517         (JSC::DFG::JITCodeGenerator::fillDouble):
2518         (JSC::DFG::JITCodeGenerator::fillJSValue):
2519         (JSC::DFG::JITCodeGenerator::isKnownNotInteger):
2520         (JSC::DFG::JITCodeGenerator::isKnownNotNumber):
2521         * dfg/DFGJITCodeGenerator.h:
2522         (JSC::DFG::JITCodeGenerator::silentSpillFPR):
2523         (JSC::DFG::JITCodeGenerator::silentFillGPR):
2524         (JSC::DFG::JITCodeGenerator::silentFillFPR):
2525         * dfg/DFGJITCompiler.cpp:
2526         (JSC::DFG::JITCompiler::fillNumericToDouble):
2527         (JSC::DFG::JITCompiler::fillInt32ToInteger):
2528         (JSC::DFG::JITCompiler::fillToJS):
2529         * dfg/DFGNode.h:
2530         (JSC::DFG::Node::hasConstant):
2531         (JSC::DFG::Node::hasIdentifier):
2532         (JSC::DFG::Node::hasMethodCheckData):
2533         (JSC::DFG::Node::methodCheckDataIndex):
2534         (JSC::DFG::Node::valueOfJSConstant):
2535         * dfg/DFGPropagator.cpp:
2536         (JSC::DFG::Propagator::propagateNode):
2537         * dfg/DFGSpeculativeJIT.cpp:
2538         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
2539         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2540         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2541         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2542         (JSC::DFG::SpeculativeJIT::compile):
2543         * jit/JIT.cpp:
2544         (JSC::JIT::privateCompile):
2545         * jit/JIT.h:
2546         (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
2547         (JSC::MethodCallCompilationInfo::MethodCallCompilationInfo):
2548         * jit/JITPropertyAccess.cpp:
2549         (JSC::JIT::emit_op_method_check):
2550         (JSC::JIT::compileGetByIdHotPath):
2551         (JSC::JIT::emit_op_put_by_id):
2552         * jit/JITPropertyAccess32_64.cpp:
2553         (JSC::JIT::emit_op_method_check):
2554         (JSC::JIT::compileGetByIdHotPath):
2555         (JSC::JIT::emit_op_put_by_id):
2556         * runtime/JSCell.h:
2557         (JSC::JSCell::JSCell::structureAddress):
2558
2559 2011-09-15  Adam Barth  <abarth@webkit.org>
2560
2561         Rename ENABLE(DATABASE) to ENABLE(SQL_DATABASE)
2562         https://bugs.webkit.org/show_bug.cgi?id=68205
2563
2564         Reviewed by Eric Seidel.
2565
2566         * Configurations/FeatureDefines.xcconfig:
2567         * wtf/Platform.h:
2568
2569 2011-09-15  Mark Hahnenberg  <mhahnenberg@apple.com>
2570
2571         Unzip initialization lists and constructors in JSCell hierarchy (7/7)
2572         https://bugs.webkit.org/show_bug.cgi?id=68122
2573
2574         Reviewed by Geoffrey Garen.
2575
2576         Completed the seventh and final level of the refactoring to add finishCreation() 
2577         methods to all classes within the JSCell hierarchy with non-trivial 
2578         constructor bodies.
2579
2580         JSCallbackObject was missed in previous patches due to the fact that 
2581         it's non-obvious (at least to my script) that it is in the JSCell hierarchy, so 
2582         this is just a bit of retroactive cleanup.
2583
2584         * API/JSCallbackObject.h:
2585         (JSC::JSCallbackObject::create):
2586         * API/JSCallbackObjectFunctions.h:
2587         (JSC::::JSCallbackObject):
2588
2589 2011-09-15  Filip Pizlo  <fpizlo@apple.com>
2590
2591         The DFG non-speculative JIT is no longer used and should be removed.
2592         https://bugs.webkit.org/show_bug.cgi?id=68177
2593
2594         Reviewed by Geoffrey Garen.
2595         
2596         This removes the non-speculative JIT and everything that relied on it,
2597         including the ability to turn on DFG but not tiered compilation, the
2598         ability to perform speculation failure into non-speculative JIT code,
2599         and the ability to statically terminate speculation.
2600
2601         * GNUmakefile.list.am:
2602         * JavaScriptCore.pro:
2603         * JavaScriptCore.xcodeproj/project.pbxproj:
2604         * bytecode/CodeBlock.h:
2605         * bytecompiler/BytecodeGenerator.cpp:
2606         (JSC::BytecodeGenerator::emitLoopHint):
2607         * dfg/DFGByteCodeParser.cpp:
2608         (JSC::DFG::ByteCodeParser::ByteCodeParser):
2609         (JSC::DFG::ByteCodeParser::getStrongPrediction):
2610         (JSC::DFG::ByteCodeParser::parseBlock):
2611         * dfg/DFGDriver.cpp:
2612         (JSC::DFG::compile):
2613         * dfg/DFGGenerationInfo.h:
2614         * dfg/DFGGraph.cpp:
2615         (JSC::DFG::Graph::predictArgumentTypes):
2616         * dfg/DFGJITCodeGenerator.cpp:
2617         * dfg/DFGJITCompiler.cpp:
2618         (JSC::DFG::JITCompiler::linkOSRExits):
2619         (JSC::DFG::JITCompiler::compileBody):
2620         * dfg/DFGJITCompiler.h:
2621         * dfg/DFGNode.h:
2622         * dfg/DFGNonSpeculativeJIT.cpp: Removed.
2623         * dfg/DFGNonSpeculativeJIT.h: Removed.
2624         * dfg/DFGOSREntry.cpp:
2625         (JSC::DFG::prepareOSREntry):
2626         * dfg/DFGPropagator.cpp:
2627         * dfg/DFGPropagator.h:
2628         * dfg/DFGSpeculativeJIT.cpp:
2629         (JSC::DFG::SpeculativeJIT::compile):
2630         * dfg/DFGSpeculativeJIT.h:
2631         (JSC::DFG::SpeculativeJIT::osrExits):
2632         (JSC::DFG::SpeculativeJIT::speculationRecovery):
2633         (JSC::DFG::SpeculativeJIT::speculationCheck):
2634         (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
2635         * jit/JIT.cpp:
2636         (JSC::JIT::privateCompileMainPass):
2637         (JSC::JIT::privateCompile):
2638         * jit/JIT.h:
2639         * jit/JITCode.h:
2640         (JSC::JITCode::bottomTierJIT):
2641         * runtime/JSGlobalData.cpp:
2642         (JSC::JSGlobalData::JSGlobalData):
2643         (JSC::JSGlobalData::~JSGlobalData):
2644         * runtime/JSGlobalData.h:
2645         * wtf/Platform.h:
2646
2647 2011-09-15  Eric Seidel  <eric@webkit.org>
2648
2649         Remove ENABLE(SVG_AS_IMAGE) since all major ports have it on by default
2650         https://bugs.webkit.org/show_bug.cgi?id=68182
2651
2652         Reviewed by Adam Barth.
2653
2654         * Configurations/FeatureDefines.xcconfig:
2655
2656 2011-09-15  Filip Pizlo  <fpizlo@apple.com>
2657
2658         DFG speculative JIT sometimes asserts that a value is not a number
2659         even when it doesn't know anything about the number
2660         https://bugs.webkit.org/show_bug.cgi?id=68189
2661
2662         Reviewed by Oliver Hunt.
2663
2664         * dfg/DFGGenerationInfo.h:
2665         (JSC::DFG::GenerationInfo::isUnknownJS):
2666         * dfg/DFGJITCodeGenerator.cpp:
2667         (JSC::DFG::JITCodeGenerator::isKnownNotNumber):
2668
2669 2011-09-15  Filip Pizlo  <fpizlo@apple.com>
2670
2671         All of the functionality in the non-speculative JIT should be
2672         available to the speculative JIT via helper methods
2673         https://bugs.webkit.org/show_bug.cgi?id=68186
2674
2675         Reviewed by Oliver Hunt.
2676         
2677         Stole all of the goodness from NonSpeculativeJIT and placed it
2678         in JITCodeGenerator.  Left all of the badness (i.e. subtle code
2679         duplication with SpeculativeJIT, etc).  This is in preparation
2680         for removing the NonSpeculativeJIT entirely, but having its
2681         goodness available for reuse in the SpeculativeJIT if necessary.
2682
2683         * dfg/DFGJITCodeGenerator.cpp:
2684         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber):
2685         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
2686         (JSC::DFG::JITCodeGenerator::nonSpeculativeUInt32ToNumber):
2687         (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp):
2688         (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
2689         (JSC::DFG::JITCodeGenerator::nonSpeculativeArithMod):
2690         (JSC::DFG::JITCodeGenerator::nonSpeculativeCheckHasInstance):
2691         (JSC::DFG::JITCodeGenerator::nonSpeculativeInstanceOf):
2692         * dfg/DFGJITCodeGenerator.h:
2693         (JSC::DFG::JITCodeGenerator::nonSpeculativeAdd):
2694         (JSC::DFG::JITCodeGenerator::nonSpeculativeArithSub):
2695         * dfg/DFGNonSpeculativeJIT.cpp:
2696         (JSC::DFG::NonSpeculativeJIT::compile):
2697         * dfg/DFGNonSpeculativeJIT.h:
2698
2699 2011-09-15  Sheriff Bot  <webkit.review.bot@gmail.com>
2700
2701         Unreviewed, rolling out r95167.
2702         http://trac.webkit.org/changeset/95167
2703         https://bugs.webkit.org/show_bug.cgi?id=68191
2704
2705         Patch needs further work. (Requested by mhahnenberg on
2706         #webkit).
2707
2708         * JavaScriptCore.exp:
2709         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2710         * runtime/JSCell.cpp:
2711         (JSC::JSCell::toBoolean):
2712         * runtime/JSCell.h:
2713         (JSC::JSCell::JSValue::toBoolean):
2714         * runtime/JSNotAnObject.cpp:
2715         (JSC::JSNotAnObject::toBoolean):
2716         * runtime/JSNotAnObject.h:
2717         * runtime/JSObject.h:
2718         * runtime/JSString.h:
2719         * runtime/StringObjectThatMasqueradesAsUndefined.h:
2720         (JSC::StringObjectThatMasqueradesAsUndefined::toBoolean):
2721
2722 2011-09-15  Filip Pizlo  <fpizlo@apple.com>
2723
2724         Unreviewed build fix for platforms that expect a linkable symbol
2725         for primitive static const's.
2726
2727         * bytecode/CodeBlock.h:
2728         * jit/JIT.cpp:
2729         (JSC::JIT::emitOptimizationCheck):
2730
2731 2011-09-15  Filip Pizlo  <fpizlo@apple.com>
2732
2733         Unreviewed build fix for assertion on existence of alternative
2734         CodeBlock.
2735
2736         * dfg/DFGGraph.cpp:
2737         (JSC::DFG::Graph::predictArgumentTypes):
2738
2739 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
2740
2741         Value profiles collect no information for global variables
2742         https://bugs.webkit.org/show_bug.cgi?id=68143
2743
2744         Reviewed by Geoffrey Garen.
2745         
2746         17% speed-up on string-fasta.  Neutral elsewhere.
2747
2748         * dfg/DFGByteCodeParser.cpp:
2749         (JSC::DFG::ByteCodeParser::getStrongPrediction):
2750         (JSC::DFG::ByteCodeParser::stronglyPredict):
2751         (JSC::DFG::ByteCodeParser::parseBlock):
2752         * jit/JITPropertyAccess.cpp:
2753         (JSC::JIT::emit_op_get_global_var):
2754
2755 2011-09-15  Eric Seidel  <eric@webkit.org>
2756
2757         Remove ENABLE_SVG_ANIMATION as all major ports have it on by default
2758         https://bugs.webkit.org/show_bug.cgi?id=68022
2759
2760         Reviewed by Ryosuke Niwa.
2761
2762         * Configurations/FeatureDefines.xcconfig:
2763
2764 2011-09-15  Gavin Barraclough  <barraclough@apple.com>
2765
2766         Ooops, revert accidentally committed unreviewed changes.
2767
2768         * jit/JITOpcodes32_64.cpp:
2769         (JSC::JIT::emit_op_jfalse):
2770         (JSC::JIT::emit_op_jtrue):
2771         * jit/JSInterfaceJIT.h:
2772         * runtime/JSValue.h:
2773
2774 2011-09-15  Sheriff Bot  <webkit.review.bot@gmail.com>
2775
2776         Unreviewed, rolling out r95163.
2777         http://trac.webkit.org/changeset/95163
2778         https://bugs.webkit.org/show_bug.cgi?id=68180
2779
2780         [Qt] The QT_GCC_X variables were removed in Qt5 by accident.
2781         (Requested by darktears on #webkit).
2782
2783         * JavaScriptCore.pro:
2784
2785 2011-09-15  Gavin Barraclough  <barraclough@apple.com>
2786
2787         Windows build fix p1.
2788
2789         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2790         * jit/JITOpcodes32_64.cpp:
2791         (JSC::JIT::emit_op_jfalse):
2792         (JSC::JIT::emit_op_jtrue):
2793         * jit/JSInterfaceJIT.h:
2794         * runtime/JSValue.h:
2795
2796 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
2797
2798         Tiered compilation should be enabled by default on platforms
2799         that support the DFG JIT
2800         https://bugs.webkit.org/show_bug.cgi?id=68136
2801
2802         Reviewed by Sam Weinig.
2803         
2804         Neutral on SunSpider, 4% speed-up on V8, and 19% speed-up on
2805         Kraken.  Large progressions on some benchmarks, including
2806         3x on imaging-desaturate.
2807
2808         * wtf/Platform.h:
2809
2810 2011-09-15  Gavin Barraclough  <barraclough@apple.com>
2811
2812         devirtualize preventExtensions
2813         https://bugs.webkit.org/show_bug.cgi?id=68176
2814
2815         Reviewed by Oliver Hunt.
2816
2817         This is virtual due to problems in JSFunction putting the prototype
2818         property, but we can fix this problem a different way, just setting
2819         the checkReadOnly flag to false in the put.
2820
2821         * runtime/JSFunction.cpp:
2822         (JSC::JSFunction::getOwnPropertySlot):
2823         * runtime/JSFunction.h:
2824         * runtime/JSObject.h:
2825
2826 2011-09-15  Geoffrey Garen  <ggaren@apple.com>
2827
2828         Value chaining for JSValue32_64 bitops.
2829
2830         Reviewed by Sam Weinig.
2831         
2832         SunSpider says 2.3% faster, v8 ~1% faster (mostly due to crypto).
2833
2834         * jit/JIT.h:
2835         * jit/JITInlineMethods.h:
2836         (JSC::JIT::emitStoreAndMapInt32): New int32 helper function for stores
2837         that can chain their results, which is the common case.
2838
2839         * jit/JITArithmetic32_64.cpp:
2840         (JSC::JIT::emit_op_lshift):
2841         (JSC::JIT::emitRightShift):
2842         (JSC::JIT::emit_op_bitand):
2843         (JSC::JIT::emit_op_bitor):
2844         (JSC::JIT::emit_op_bitxor):
2845         (JSC::JIT::emit_op_bitnot):
2846         (JSC::JIT::emit_op_pre_inc):
2847         (JSC::JIT::emit_op_pre_dec): Deployed new function.
2848         (JSC::JIT::emit_op_post_inc):
2849         (JSC::JIT::emit_op_post_dec): Had to reorder these functions so they
2850         computed their result values last, to make them eligible for chaining.
2851
2852 2011-09-15  Adam Roben  <aroben@apple.com>
2853
2854         Clang build fix after r95172
2855
2856         * dfg/DFGSpeculativeJIT.h:
2857         (JSC::DFG::SpeculativeJIT::shouldSpeculateFinalObject):
2858         (JSC::DFG::SpeculativeJIT::shouldSpeculateArray):
2859         Added parentheses to make precedence clear.
2860
2861 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
2862
2863         DFG does not speculate aggressively enough on comparisons
2864         https://bugs.webkit.org/show_bug.cgi?id=68138
2865
2866         Reviewed by Oliver Hunt.
2867         
2868         This is a 75% speed-up on Kraken/ai-astar.  It's a 1% win on
2869         V8 and an 8.5% win on Kraken.  Neutral on SunSpider.
2870
2871         * dfg/DFGSpeculativeJIT.cpp:
2872         (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
2873         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
2874         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2875         (JSC::DFG::SpeculativeJIT::compare):
2876         * dfg/DFGSpeculativeJIT.h:
2877         (JSC::DFG::SpeculativeJIT::shouldSpeculateFinalObject):
2878         (JSC::DFG::SpeculativeJIT::shouldSpeculateArray):
2879         (JSC::DFG::SpeculativeJIT::shouldSpeculateObject):
2880         (JSC::DFG::SpeculativeJIT::shouldSpeculateCell):
2881
2882 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
2883
2884         DFG JIT does not leverage integer speculations on branches
2885         https://bugs.webkit.org/show_bug.cgi?id=68140
2886
2887         Reviewed by Oliver Hunt.
2888
2889         * dfg/DFGJITCodeGenerator.cpp:
2890         (JSC::DFG::JITCodeGenerator::isStrictInt32):
2891         * dfg/DFGJITCodeGenerator.h:
2892         * dfg/DFGSpeculativeJIT.cpp:
2893         (JSC::DFG::SpeculativeJIT::compile):
2894
2895 2011-09-14  Gavin Barraclough  <barraclough@apple.com>
2896
2897         [n]stricteq code is bogus in JSValue32_64 JIT
2898         https://bugs.webkit.org/show_bug.cgi?id=68141
2899
2900         Reviewed by Sam Weinig.
2901
2902         The code tries to check for both ints or cells, but this check also
2903         catches cases where values are undefined, null, etc. (probably
2904         was incorrectly assuming cell was the 2nd highest tag?).
2905
2906         Also, there is no need not to handle int on the fast path.
2907         stricteq is just a case of comparing the payloads, if we:
2908             * handle cases of differing tags on a slow path
2909             * handle doubles on a slow path
2910             * handle both-are-string on a slow path
2911
2912         * jit/JITOpcodes32_64.cpp:
2913         (JSC::JIT::compileOpStrictEq):
2914         (JSC::JIT::emitSlow_op_stricteq):
2915         (JSC::JIT::emitSlow_op_nstricteq):
2916
2917 2011-09-14  Mark Hahnenberg  <mhahnenberg@apple.com>
2918
2919         Make JSCell::toBoolean non-virtual
2920         https://bugs.webkit.org/show_bug.cgi?id=67727
2921
2922         Reviewed by Sam Weinig.
2923
2924         JSCell::toBoolean now manually performs the toBoolean check for objects and strings (where 
2925         before it was simply virtual and would crash if its implementation was called). 
2926         Its descendants in JSObject and JSString have also been made non-virtual.  JSCell now
2927         explicitly covers all cases of toBoolean, so having a virtual implementation of 
2928         JSCell::toBoolean is no longer necessary.  This is part of a larger process of un-virtualizing JSCell.
2929
2930         * JavaScriptCore.exp:
2931         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2932         * runtime/JSCell.cpp:
2933         * runtime/JSCell.h:
2934         * runtime/JSNotAnObject.cpp:
2935         * runtime/JSNotAnObject.h:
2936         * runtime/JSObject.h:
2937         * runtime/JSString.h:
2938         (JSC::JSCell::toBoolean):
2939         (JSC::JSValue::toBoolean):
2940         * runtime/StringObjectThatMasqueradesAsUndefined.h:
2941
2942 2011-09-14  Alexis Menard  <alexis.menard@openbossa.org>
2943
2944         [Qt] Replace QT_GCC_X as they don't exist in Qt5 anymore.
2945         https://bugs.webkit.org/show_bug.cgi?id=68114
2946
2947         Reviewed by Kenneth Rohde Christiansen.
2948
2949         Use the new GCC_X variables defined in WebKit.pri to replace
2950         the usage of QT_GCC_X.
2951
2952         * JavaScriptCore.pro:
2953
2954 2011-09-14  Sheriff Bot  <webkit.review.bot@gmail.com>
2955
2956         Unreviewed, rolling out r95145.
2957         http://trac.webkit.org/changeset/95145
2958         https://bugs.webkit.org/show_bug.cgi?id=68139
2959
2960         The GTK+ build is working now, so revert this trial build fix.
2961         (Requested by mrobinson on #webkit).
2962
2963         * GNUmakefile.list.am:
2964
2965 2011-09-14  Patrick Gansterer  <paroga@webkit.org>
2966
2967         Port MachineStackMarker to Windows ARM and MIPS
2968         https://bugs.webkit.org/show_bug.cgi?id=68068
2969
2970         Reviewed by Geoffrey Garen.
2971
2972         Use the correct member of the CONTEXT struct for the stack pointer for CPU(ARM) and CPU(MIPS).
2973         Only query CONTEXT_INTEGER and CONTEXT_CONTROL, since CONTEXT_SEGMENTS isn't defined for
2974         CPU(ARM) and CPU(MIPS) and the stack pointer is defined in the CONTEXT_CONTROL section for
2975         CPU(ARM), CPU(X86) and CPU(X86_64) and in the CONTEXT_INTEGER section for CPU(MIPS).
2976
2977         * heap/MachineStackMarker.cpp:
2978         (JSC::getPlatformThreadRegisters):
2979         (JSC::otherThreadStackPointer):
2980
2981 2011-09-12  Filip Pizlo  <fpizlo@apple.com>
2982
2983         DFG JIT always speculates that ValueAdd is a numeric addition
2984         https://bugs.webkit.org/show_bug.cgi?id=67956
2985
2986         Reviewed by Geoffrey Garen.
2987
2988         * dfg/DFGJITCodeGenerator.cpp:
2989         (JSC::DFG::JITCodeGenerator::isKnownNotNumber):
2990         * dfg/DFGJITCodeGenerator.h:
2991         * dfg/DFGNonSpeculativeJIT.cpp:
2992         (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
2993         (JSC::DFG::NonSpeculativeJIT::basicArithOp):
2994         * dfg/DFGOperations.cpp:
2995         * dfg/DFGOperations.h:
2996         * dfg/DFGSpeculativeJIT.cpp:
2997         (JSC::DFG::SpeculativeJIT::compile):
2998         * dfg/DFGSpeculativeJIT.h:
2999         (JSC::DFG::SpeculativeJIT::shouldSpeculateNumber):
3000
3001 2011-09-14  Anders Carlsson  <andersca@apple.com>
3002
3003         Stop building BinarySemaphore to see if that's what's breaking the GTK+ build.
3004
3005         * GNUmakefile.list.am:
3006
3007 2011-09-14  Anders Carlsson  <andersca@apple.com>
3008
3009         This is getting old. Yet another build fix attempt.
3010
3011         * JavaScriptCore.vcproj/WTF/WTFCommon.vsprops:
3012
3013 2011-09-14  Anders Carlsson  <andersca@apple.com>
3014
3015         Yet another build fix attempt.
3016
3017         * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:
3018
3019 2011-09-14  Anders Carlsson  <andersca@apple.com>
3020
3021         How I "love" Visual Studio...
3022
3023         Try to fix build again.
3024
3025         * JavaScriptCore.vcproj/WTF/WTFCommon.vsprops:
3026
3027 2011-09-14  Anders Carlsson  <andersca@apple.com>
3028
3029         Try to fix Windows build.
3030
3031         * JavaScriptCore.vcproj/WTF/WTFCommon.vsprops:
3032
3033 2011-09-14  Anders Carlsson  <andersca@apple.com>
3034
3035         Add BinarySemaphore class from WebKit2 to WTF
3036         https://bugs.webkit.org/show_bug.cgi?id=68132
3037
3038         Reviewed by Sam Weinig.
3039
3040         * GNUmakefile.list.am:
3041         * JavaScriptCore.gypi:
3042         * JavaScriptCore.vcproj/WTF/WTF.vcproj:
3043         * JavaScriptCore.xcodeproj/project.pbxproj:
3044         * wtf/CMakeLists.txt:
3045         Update build systems.
3046
3047         * wtf/threads: Added.
3048         * wtf/threads/BinarySemaphore.cpp: Copied from Source/WebKit2/Platform/CoreIPC/BinarySemaphore.cpp.
3049         * wtf/threads/BinarySemaphore.h: Copied from Source/WebKit2/Platform/CoreIPC/BinarySemaphore.h.
3050         * wtf/threads/win: Added.
3051         * wtf/threads/win/BinarySemaphoreWin.cpp: Copied from Source/WebKit2/Platform/CoreIPC/win/BinarySemaphoreWin.cpp.
3052
3053 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
3054
3055         Unreviewed build fix for Interpreter.
3056
3057         * interpreter/Interpreter.cpp:
3058         (JSC::Interpreter::privateExecute):
3059
3060 2011-09-14  Anders Carlsson  <andersca@apple.com>
3061
3062         Add wtf/threads and wtf/threads/win, so we can be sure that the EWS
3063         bots can correctly build the patch in https://bugs.webkit.org/show_bug.cgi?id=68132
3064
3065         Rubber-stamped by Sam Weinig.
3066
3067         * wtf/threads: Added.
3068         * wtf/threads/win: Added.
3069
3070 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
3071
3072         DFG JIT should not speculate integer if the value is always going to be
3073         used as a double anyway
3074         https://bugs.webkit.org/show_bug.cgi?id=68127
3075
3076         Reviewed by Oliver Hunt.
3077         
3078         Added a ValueToDouble node, which is a variant of ValueToNumber that
3079         hints that it will only be used as a double and never as an integer.
3080         Thus, it turns off integer speculation even if the value profiler
3081         told us that the value source is an int. The logic for converting a
3082         ValueToNumber into a ValueToDouble is found in Propagator.
3083         
3084         This appears to be a 22% speed-up in imaging-darkroom.
3085
3086         * dfg/DFGNode.h:
3087         * dfg/DFGNonSpeculativeJIT.cpp:
3088         (JSC::DFG::NonSpeculativeJIT::compile):
3089         * dfg/DFGPropagator.cpp:
3090         (JSC::DFG::Propagator::fixpoint):
3091         (JSC::DFG::Propagator::toDouble):
3092         (JSC::DFG::Propagator::fixupNode):
3093         (JSC::DFG::Propagator::fixup):
3094         * dfg/DFGSpeculativeJIT.cpp:
3095         (JSC::DFG::SpeculativeJIT::compile):
3096         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
3097
3098 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
3099
3100         Tiered compilation heuristics do not account for value profile fullness
3101         https://bugs.webkit.org/show_bug.cgi?id=68116
3102
3103         Reviewed by Oliver Hunt.
3104         
3105         Tiered compilation avoids invoking the DFG JIT if it finds that value
3106         profiles contain insufficient information. Instead, it produces a
3107         prediction from the current value profile, and then clears the value
3108         profile. This allows the value profile to heat up from scratch for
3109         some number of additional executions. The new profiles will then be
3110         merged with the previous prediction. Once the amount of information
3111         in predictions is enough according to heuristics in CodeBlock.cpp,
3112         DFG optimization is allowed to proceed.
3113
3114         * CMakeLists.txt:
3115         * GNUmakefile.list.am:
3116         * JavaScriptCore.pro:
3117         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
3118         * JavaScriptCore.xcodeproj/project.pbxproj:
3119         * bytecode/CodeBlock.cpp:
3120         (JSC::CodeBlock::CodeBlock):
3121         (JSC::CodeBlock::~CodeBlock):
3122         (JSC::CodeBlock::visitAggregate):
3123         (JSC::CodeBlock::visitWeakReferences):
3124         (JSC::CodeBlock::shouldOptimizeNow):
3125         (JSC::CodeBlock::dumpValueProfiles):
3126         * bytecode/CodeBlock.h:
3127         * bytecode/PredictedType.cpp:
3128         (JSC::predictionToString):
3129         * bytecode/PredictedType.h:
3130         * bytecode/ValueProfile.cpp: Added.
3131         (JSC::ValueProfile::computeStatistics):
3132         (JSC::ValueProfile::computeUpdatedPrediction):
3133         * bytecode/ValueProfile.h:
3134         (JSC::ValueProfile::ValueProfile):
3135         (JSC::ValueProfile::classInfo):
3136         (JSC::ValueProfile::numberOfSamples):
3137         (JSC::ValueProfile::totalNumberOfSamples):
3138         (JSC::ValueProfile::isLive):
3139         (JSC::ValueProfile::numberOfInt32s):
3140         (JSC::ValueProfile::numberOfDoubles):
3141         (JSC::ValueProfile::numberOfBooleans):
3142         (JSC::ValueProfile::dump):
3143         (JSC::getValueProfileBytecodeOffset):
3144         * dfg/DFGByteCodeParser.cpp:
3145         (JSC::DFG::ByteCodeParser::stronglyPredict):
3146         * dfg/DFGGraph.cpp:
3147         (JSC::DFG::Graph::predictArgumentTypes):
3148         * dfg/DFGJITCompiler.cpp:
3149         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
3150         (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):
3151         * jit/JIT.cpp:
3152         (JSC::JIT::emitOptimizationCheck):
3153         * jit/JITInlineMethods.h:
3154         (JSC::JIT::emitValueProfilingSite):
3155         * jit/JITStubs.cpp:
3156         (JSC::DEFINE_STUB_FUNCTION):
3157
3158 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
3159
3160         DFG should not speculate that the child of LogicalNot is a boolean if
3161         predictions tell us otherwise
3162         https://bugs.webkit.org/show_bug.cgi?id=68118
3163
3164         Reviewed by Geoffrey Garen.
3165
3166         * dfg/DFGJITCodeGenerator.cpp:
3167         (JSC::DFG::JITCodeGenerator::nonSpeculativeLogicalNot):
3168         * dfg/DFGJITCodeGenerator.h:
3169         * dfg/DFGNonSpeculativeJIT.cpp:
3170         (JSC::DFG::NonSpeculativeJIT::compile):
3171         * dfg/DFGSpeculativeJIT.cpp:
3172         (JSC::DFG::SpeculativeJIT::compile):
3173
3174 2011-09-14  Filip Pizlo  <fpizlo@apple.com>
3175
3176         Unreviewed build fix.  Turn off tiered compilation.
3177
3178         * wtf/Platform.h:
3179
3180 2011-09-13  Filip Pizlo  <fpizlo@apple.com>
3181
3182         Prediction tracking is not precise enough
3183         https://bugs.webkit.org/show_bug.cgi?id=67993
3184
3185         Reviewed by Oliver Hunt.
3186         
3187         Added a richer set of type predictions, including JSFinalObject, JSString,
3188         object that is not a JSFinalObject or JSArray (ObjectOther), some object
3189         but we don't know or care what kind (SomeObject), definitely an object,
3190         cell that is not an object or JSString, a value that is none of the above
3191         (so either Undefined or Null). Made the propagator and value profiler work
3192         with the new types.
3193         
3194         Performance is neutral, because the DFG JIT does not take advantage of this
3195         new knowledge yet.
3196         
3197         In the process of writing predictionToString() (which is now considerably
3198         more complex) I decided to finally add a BoundsCheckedPointer, which
3199         should come in handy in other places, like at least the OSR scratch buffer
3200         and the CompactJITCodeMap. It's great for cases where you want to
3201         do pointer arithmetic, you want to have assertions about the
3202         pointer not going out of bounds, but you don't want to write those
3203         assertions yourself.
3204         
3205         This also required refactoring inherits(), since the ValueProfiler may
3206         want to do the equivalent of inherits() but given two ClassInfo's.
3207
3208         * GNUmakefile.list.am:
3209         * JavaScriptCore.vcproj/WTF/WTF.vcproj:
3210         * JavaScriptCore.xcodeproj/project.pbxproj:
3211         * bytecode/PredictedType.cpp: Added.
3212         (JSC::predictionToString):
3213         (JSC::makePrediction):
3214         (JSC::predictionFromValue):
3215         * bytecode/PredictedType.h:
3216         (JSC::isCellPrediction):
3217         (JSC::isObjectPrediction):
3218         (JSC::isFinalObjectPrediction):
3219         (JSC::isStringPrediction):
3220         (JSC::mergePredictions):
3221         * bytecode/ValueProfile.h:
3222         (JSC::ValueProfile::numberOfObjects):
3223         (JSC::ValueProfile::numberOfFinalObjects):
3224         (JSC::ValueProfile::numberOfStrings):
3225         (JSC::ValueProfile::probabilityOfObject):
3226         (JSC::ValueProfile::probabilityOfFinalObject):
3227         (JSC::ValueProfile::probabilityOfString):
3228         (JSC::ValueProfile::dump):
3229         (JSC::ValueProfile::Statistics::Statistics):
3230         (JSC::ValueProfile::computeStatistics):
3231         * dfg/DFGByteCodeParser.cpp:
3232         (JSC::DFG::ByteCodeParser::stronglyPredict):
3233         * dfg/DFGGraph.cpp:
3234         (JSC::DFG::Graph::dump):
3235         (JSC::DFG::Graph::predictArgumentTypes):
3236         * dfg/DFGNode.h:
3237         (JSC::DFG::Node::predict):
3238         * dfg/DFGPropagator.cpp:
3239         (JSC::DFG::Propagator::propagateNode):
3240         * runtime/ClassInfo.h:
3241         (JSC::ClassInfo::isSubClassOf):
3242         * runtime/JSObject.h:
3243         (JSC::JSCell::inherits):
3244         * wtf/BoundsCheckedPointer.h: Added.
3245         (WTF::BoundsCheckedPointer::BoundsCheckedPointer):
3246         (WTF::BoundsCheckedPointer::operator=):
3247         (WTF::BoundsCheckedPointer::operator+=):
3248         (WTF::BoundsCheckedPointer::operator-=):
3249         (WTF::BoundsCheckedPointer::operator+):
3250         (WTF::BoundsCheckedPointer::operator-):
3251         (WTF::BoundsCheckedPointer::operator++):
3252         (WTF::BoundsCheckedPointer::operator--):
3253         (WTF::BoundsCheckedPointer::operator<):
3254         (WTF::BoundsCheckedPointer::operator<=):
3255         (WTF::BoundsCheckedPointer::operator>):
3256         (WTF::BoundsCheckedPointer::operator>=):
3257         (WTF::BoundsCheckedPointer::operator==):
3258         (WTF::BoundsCheckedPointer::operator!=):
3259         (WTF::BoundsCheckedPointer::operator!):
3260         (WTF::BoundsCheckedPointer::get):
3261         (WTF::BoundsCheckedPointer::operator*):
3262         (WTF::BoundsCheckedPointer::operator[]):
3263         (WTF::BoundsCheckedPointer::strcat):
3264         (WTF::BoundsCheckedPointer::validate):
3265         * wtf/CMakeLists.txt:
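
        The entry above describes the idea behind a bounds-checked pointer: ordinary pointer
        arithmetic, but every move and every dereference is validated against the buffer it
        was created from, so a scratch-buffer overrun (as in predictionToString()) is caught
        at the point of the bug rather than silently corrupting adjacent memory. The C++ below
        is an added illustration of that pattern written for this page; it is not WTF's
        BoundsCheckedPointer and does not reproduce its interface. The names CheckedPtr,
        appendCString, joinNames, demoJoin and overrunIsCaught are assumptions made here,
        and the buffer-joining use case (building a "|"-separated list of prediction names
        into a fixed-size buffer) is a constructed example. Unlike an assertion, a violation
        here throws std::out_of_range so that the failure path itself can be exercised.

```cpp
#include <cstddef>
#include <cstring>
#include <iostream>
#include <stdexcept>
#include <string>

// Illustrative bounds-checked pointer (assumption: not WTF::BoundsCheckedPointer).
// The pointer may range over [begin, end]; dereferencing is only legal in [begin, end).
template <typename T>
class CheckedPtr {
public:
    CheckedPtr(T* begin, T* end, T* pos) : m_begin(begin), m_end(end), m_pos(pos) { validateRange(); }
    CheckedPtr(T* begin, size_t count) : CheckedPtr(begin, begin + count, begin) {}

    CheckedPtr& operator+=(ptrdiff_t n) { m_pos += n; validateRange(); return *this; }
    CheckedPtr& operator-=(ptrdiff_t n) { return *this += -n; }
    CheckedPtr& operator++() { return *this += 1; }
    CheckedPtr& operator--() { return *this -= 1; }

    T& operator*() const { validateIndex(0); return *m_pos; }
    T& operator[](size_t i) const { validateIndex(i); return m_pos[i]; }

    // Number of elements still addressable from the current position.
    size_t remaining() const { return static_cast<size_t>(m_end - m_pos); }
    T* get() const { return m_pos; }

private:
    // The position itself may sit one past the end (like an STL end iterator) but never beyond it.
    void validateRange() const {
        if (m_pos < m_begin || m_pos > m_end)
            throw std::out_of_range("CheckedPtr moved outside its buffer");
    }
    // A read or write at pos + i must land strictly inside the buffer.
    void validateIndex(size_t i) const {
        if (i >= remaining())
            throw std::out_of_range("CheckedPtr dereference outside its buffer");
    }

    T* m_begin;
    T* m_end;
    T* m_pos;
};

// Appends s plus its terminating NUL at p, then advances p to the NUL, so the
// buffer is a valid C string after every step. Refuses rather than overruns.
inline void appendCString(CheckedPtr<char>& p, const char* s)
{
    size_t n = std::strlen(s);
    if (p.remaining() < n + 1)
        throw std::out_of_range("appendCString would overrun the buffer");
    std::memcpy(p.get(), s, n + 1);
    p += static_cast<ptrdiff_t>(n);
}

// Joins names with '|' into a fixed-size scratch buffer of the given capacity
// (constructed use case mirroring a predictionToString-style formatter).
std::string joinNames(const char* const* names, size_t count, size_t capacity)
{
    std::string storage(capacity, '\0');
    CheckedPtr<char> p(&storage[0], capacity);
    for (size_t i = 0; i < count; ++i) {
        if (i)
            appendCString(p, "|");
        appendCString(p, names[i]);
    }
    return std::string(storage.c_str());
}

// Fixed sample input so the result can be checked: 17 characters plus NUL need capacity 18.
std::string demoJoin(size_t capacity)
{
    static const char* const kNames[] = { "Int32", "Double", "Cell" };
    return joinNames(kNames, 3, capacity);
}

// True when the checked pointer refuses to overrun a buffer of the given capacity.
bool overrunIsCaught(size_t capacity)
{
    try {
        demoJoin(capacity);
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}

int main()
{
    std::cout << demoJoin(32) << "\n";
    std::cout << "capacity 17 overrun caught: " << (overrunIsCaught(17) ? "yes" : "no") << "\n";
    return 0;
}
```

        The check is deliberately split in two: moving the pointer is allowed up to one past
        the end, as with an iterator, while any read or write must land strictly inside the
        buffer. That is the same distinction an assertion-based version makes; using exceptions
        here only makes the overrun path testable without aborting the process.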
3266
3267 2011-09-14  Csaba Osztrogonác  <ossy@webkit.org>
3268
3269         [Qt] Win32 builds with threads turned off
3270         https://bugs.webkit.org/show_bug.cgi?id=67864
3271
3272         Reviewed by Geoffrey Garen.
3273
3274         * JavaScriptCore.pri: Link pthread library on Windows platform.
3275         * wtf/Platform.h: Enable multiple threads.
3276
3277 2011-09-14  Mark Hahnenberg  <mhahnenberg@apple.com>
3278
3279         Unzip initialization lists and constructors in JSCell hierarchy (6/7)
3280         https://bugs.webkit.org/show_bug.cgi?id=67692
3281
3282         Reviewed by Geoffrey Garen.
3283
3284         Completed the sixth level of the refactoring to add finishCreation() 
3285         methods to all classes within the JSCell hierarchy with non-trivial 
3286         constructor bodies.
3287
3288         This primarily consists of pushing the calls to finishCreation() down 
3289         into the constructors of the subclasses of the fifth level of the hierarchy 
3290         as well as pulling the finishCreation() calls out into the class's corresponding
3291         create() method if it has one.  Doing both simultaneously allows us to 
3292         maintain the invariant that the finishCreation() method chain is called exactly 
3293         once during the creation of an object, since calling it any other number of 
3294         times (0, 2, or more) will cause an assertion failure.
3295
3296         * API/JSCallbackFunction.cpp:
3297         (JSC::JSCallbackFunction::JSCallbackFunction):
3298         * API/JSCallbackFunction.h:
3299         (JSC::JSCallbackFunction::create):
3300         * jsc.cpp:
3301         (GlobalObject::create):
3302         (GlobalObject::GlobalObject):
3303         * runtime/ArrayConstructor.cpp:
3304         (JSC::ArrayConstructor::ArrayConstructor):
3305         * runtime/ArrayConstructor.h:
3306         (JSC::ArrayConstructor::create):
3307         * runtime/BooleanConstructor.cpp:
3308         (JSC::BooleanConstructor::BooleanConstructor):
3309         * runtime/BooleanConstructor.h:
3310         (JSC::BooleanConstructor::create):
3311         * runtime/BooleanPrototype.cpp:
3312         (JSC::BooleanPrototype::BooleanPrototype):
3313         * runtime/BooleanPrototype.h:
3314         (JSC::BooleanPrototype::create):
3315         * runtime/DateConstructor.cpp:
3316         (JSC::DateConstructor::DateConstructor):
3317         * runtime/DateConstructor.h:
3318         (JSC::DateConstructor::create):
3319         * runtime/DatePrototype.cpp:
3320         (JSC::DatePrototype::DatePrototype):
3321         * runtime/DatePrototype.h:
3322         (JSC::DatePrototype::create):
3323         * runtime/Error.cpp:
3324         (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
3325         (JSC::StrictModeTypeErrorFunction::create):
3326         * runtime/ErrorConstructor.cpp:
3327         (JSC::ErrorConstructor::ErrorConstructor):
3328         * runtime/ErrorConstructor.h:
3329         (JSC::ErrorConstructor::create):
3330         * runtime/FunctionConstructor.cpp:
3331         (JSC::FunctionConstructor::FunctionConstructor):
3332         * runtime/FunctionConstructor.h:
3333         (JSC::FunctionConstructor::create):
3334         * runtime/FunctionPrototype.cpp:
3335         (JSC::FunctionPrototype::FunctionPrototype):
3336         * runtime/FunctionPrototype.h:
3337         (JSC::FunctionPrototype::create):
3338         * runtime/NativeErrorConstructor.cpp:
3339         (JSC::NativeErrorConstructor::NativeErrorConstructor):
3340         * runtime/NativeErrorConstructor.h:
3341         (JSC::NativeErrorConstructor::create):
3342         * runtime/NativeErrorPrototype.cpp:
3343         (JSC::NativeErrorPrototype::NativeErrorPrototype):
3344         (JSC::NativeErrorPrototype::finishCreation):
3345         * runtime/NativeErrorPrototype.h:
3346         (JSC::NativeErrorPrototype::create):
3347         * runtime/NumberConstructor.cpp:
3348         (JSC::NumberConstructor::NumberConstructor):
3349         * runtime/NumberConstructor.h:
3350         (JSC::NumberConstructor::create):
3351         * runtime/NumberPrototype.cpp:
3352         (JSC::NumberPrototype::NumberPrototype):
3353         * runtime/NumberPrototype.h:
3354         (JSC::NumberPrototype::create):
3355         * runtime/ObjectConstructor.cpp:
3356         (JSC::ObjectConstructor::ObjectConstructor):
3357         * runtime/ObjectConstructor.h:
3358         (JSC::ObjectConstructor::create):
3359         * runtime/RegExpConstructor.cpp:
3360         (JSC::RegExpConstructor::RegExpConstructor):
3361         * runtime/RegExpConstructor.h:
3362         (JSC::RegExpConstructor::create):
3363         * runtime/RegExpPrototype.cpp:
3364         (JSC::RegExpPrototype::RegExpPrototype):
3365         * runtime/RegExpPrototype.h:
3366         (JSC::RegExpPrototype::create):
3367         * runtime/StringConstructor.cpp:
3368         (JSC::StringConstructor::StringConstructor):
3369         * runtime/StringConstructor.h:
3370         (JSC::StringConstructor::create):
3371         * runtime/StringObjectThatMasqueradesAsUndefined.h:
3372         (JSC::StringObjectThatMasqueradesAsUndefined::create):
3373         (JSC::StringObjectThatMasqueradesAsUndefined::StringObjectThatMasqueradesAsUndefined):
3374         * runtime/StringPrototype.cpp:
3375         (JSC::StringPrototype::StringPrototype):
3376         * runtime/StringPrototype.h:
3377         (JSC::StringPrototype::create):
3378
3379 2011-09-13  Eric Seidel  <eric@webkit.org>
3380
3381         Remove ENABLE_SVG_USE as <use> is required by HTML5
3382         https://bugs.webkit.org/show_bug.cgi?id=68019
3383
3384         Reviewed by Ryosuke Niwa.
3385
3386         * Configurations/FeatureDefines.xcconfig:
3387
3388 2011-09-14  Iain Merrick  <husky@google.com>
3389
3390         HashTraits.h should include template specialization for WTF::String
3391         https://bugs.webkit.org/show_bug.cgi?id=67851
3392
3393         Ensure that the template specialization for HashTraits<String> is always
3394         picked up. (Previously it was possible to include HashSet and String but
3395         not the correct HashTraits, so you would get an inefficient template
3396         instantiation.)
3397
3398         Reviewed by Darin Adler.
3399
3400         * wtf/HashTraits.h:
3401         * wtf/text/StringHash.h:
3402
3403 2011-09-13  Filip Pizlo  <fpizlo@apple.com>
3404
3405         SpeculativeJIT::shouldSpeculateInteger(NodeIndex, NodeIndex) should
3406         return false if either node can be double
3407         https://bugs.webkit.org/show_bug.cgi?id=67985
3408
3409         Reviewed by Geoffrey Garen.
3410         
3411         This is a 17% speed-up on 3d-cube.
3412         
3413         This required allowing us to check if a constant is double but not
3414         integer, and making the shouldSpeculateInteger() check test for
3415         any hints of doubly-ness in its operands. This also required
3416         changing some terminology: previously "isDouble" often meant
3417         "isDouble or isInt32".  Now "isDouble" means exactly what the name
3418         suggests, and "isNumber" means "isDouble or isInt32".
3419
3420         * dfg/DFGByteCodeParser.cpp:
3421         (JSC::DFG::ByteCodeParser::toNumber):
3422         (JSC::DFG::ByteCodeParser::parseBlock):
3423         * dfg/DFGGenerationInfo.h:
3424         (JSC::DFG::isJSFormat):
3425         (JSC::DFG::isJSInteger):
3426         (JSC::DFG::isJSDouble):
3427         (JSC::DFG::isJSCell):
3428         (JSC::DFG::isJSBoolean):
3429         (JSC::DFG::GenerationInfo::isJSFormat):
3430         (JSC::DFG::GenerationInfo::isJSInteger):
3431         (JSC::DFG::GenerationInfo::isJSDouble):
3432         (JSC::DFG::GenerationInfo::isJSCell):
3433         (JSC::DFG::GenerationInfo::isJSBoolean):
3434         * dfg/DFGGraph.h:
3435         (JSC::DFG::Graph::isNumberConstant):
3436         (JSC::DFG::Graph::valueOfNumberConstant):
3437         * dfg/DFGJITCodeGenerator.cpp:
3438         (JSC::DFG::JITCodeGenerator::fillInteger):
3439         (JSC::DFG::JITCodeGenerator::fillDouble):
3440         (JSC::DFG::JITCodeGenerator::fillJSValue):
3441         (JSC::DFG::JITCodeGenerator::isKnownInteger):
3442         (JSC::DFG::JITCodeGenerator::isKnownNumeric):
3443         (JSC::DFG::JITCodeGenerator::isKnownCell):
3444         (JSC::DFG::JITCodeGenerator::isKnownNotInteger):
3445         (JSC::DFG::JITCodeGenerator::isKnownBoolean):
3446         * dfg/DFGJITCodeGenerator.h:
3447         (JSC::DFG::JITCodeGenerator::silentFillFPR):
3448         (JSC::DFG::JITCodeGenerator::isNumberConstant):
3449         (JSC::DFG::JITCodeGenerator::valueOfNumberConstant):
3450         (JSC::DFG::JITCodeGenerator::initConstantInfo):
3451         * dfg/DFGJITCompiler.cpp:
3452         (JSC::DFG::JITCompiler::fillNumericToDouble):
3453         (JSC::DFG::JITCompiler::fillToJS):
3454         * dfg/DFGJITCompiler.h:
3455         (JSC::DFG::JITCompiler::isNumberConstant):
3456         (JSC::DFG::JITCompiler::valueOfNumberConstant):
3457         * dfg/DFGNode.h:
3458         (JSC::DFG::Node::isDoubleConstant):
3459         (JSC::DFG::Node::isNumberConstant):
3460         (JSC::DFG::Node::valueOfNumberConstant):
3461         (JSC::DFG::Node::hasNumberResult):
3462         * dfg/DFGNonSpeculativeJIT.cpp:
3463         (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
3464         (JSC::DFG::NonSpeculativeJIT::compile):
3465         * dfg/DFGSpeculativeJIT.cpp:
3466         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3467         * dfg/DFGSpeculativeJIT.h:
3468         (JSC::DFG::SpeculativeJIT::isInteger):
3469         (JSC::DFG::SpeculativeJIT::shouldSpeculateDouble):
3470         (JSC::DFG::SpeculativeJIT::shouldNotSpeculateInteger):
3471         (JSC::DFG::SpeculativeJIT::shouldSpeculateInteger):
3472
3473 2011-09-13  Anders Carlsson  <andersca@apple.com>
3474
3475         Disable C++ exceptions when building with clang
3476         https://bugs.webkit.org/show_bug.cgi?id=68031
3477         <rdar://problem/9556880>
3478
3479         Reviewed by Mark Rowe.
3480
3481         * Configurations/Base.xcconfig:
3482
3483 2011-09-13  Eric Seidel  <eric@webkit.org>
3484
3485         Remove ENABLE_SVG_FOREIGN_OBJECT as it is a required part of HTML5
3486         https://bugs.webkit.org/show_bug.cgi?id=68018
3487
3488         Reviewed by Ryosuke Niwa.
3489
3490         * Configurations/FeatureDefines.xcconfig:
3491
3492 2011-09-13  Sam Weinig  <sam@webkit.org>
3493
3494         Object.getPrototypeOf should use JSValue::get()
3495         https://bugs.webkit.org/show_bug.cgi?id=67973
3496
3497         Reviewed by Darin Adler.
3498
3499         * runtime/ObjectConstructor.cpp:
3500         (JSC::objectConstructorGetPrototypeOf):
3501         Pipe through JSValue::get() to allow overrides.
3502
3503 2011-09-12  Filip Pizlo  <fpizlo@apple.com>
3504
3505         JavaScriptCore does not have baseline->speculative OSR
3506         https://bugs.webkit.org/show_bug.cgi?id=67920
3507
3508         Reviewed by Oliver Hunt.
3509         
3510         This adds the ability to on-stack-replace (OSR) from code that is
3511         running hot in the old JIT to code compiled by the new JIT.  This
3512         ensures that long-running loops benefit from DFG optimization.
3513         It also ensures that if code experiences a speculation failure
3514         in DFG code, it has an opportunity to reenter the DFG once every
3515         1,000 loop iterations or so.
3516         
3517         This results in a 2.88x speed-up on Kraken/imaging-desaturate,
3518         and is a pure win on the main three benchmark suites (SunSpider,
3519         V8, Kraken), when tiered compilation is enabled.
3520
3521         * JavaScriptCore.xcodeproj/project.pbxproj:
3522         * bytecode/CodeBlock.cpp:
3523         (JSC::CodeBlock::dump):
3524         (JSC::CodeBlock::CodeBlock):
3525         (JSC::ProgramCodeBlock::compileOptimized):
3526         (JSC::EvalCodeBlock::compileOptimized):
3527         (JSC::FunctionCodeBlock::compileOptimized):
3528         * bytecode/CodeBlock.h:
3529         * bytecode/Opcode.h:
3530         * bytecode/PredictedType.h: Added.
3531         (JSC::isCellPrediction):
3532         (JSC::isArrayPrediction):
3533         (JSC::isInt32Prediction):
3534         (JSC::isDoublePrediction):
3535         (JSC::isNumberPrediction):
3536         (JSC::isBooleanPrediction):
3537         (JSC::isStrongPrediction):
3538         (JSC::predictionToString):
3539         (JSC::mergePredictions):
3540         (JSC::mergePrediction):
3541         (JSC::makePrediction):
3542         * bytecode/PredictionTracker.h: Added.
3543         (JSC::operandIsArgument):
3544         (JSC::PredictionSlot::PredictionSlot):
3545         (JSC::PredictionTracker::PredictionTracker):
3546         (JSC::PredictionTracker::initializeSimilarTo):
3547         (JSC::PredictionTracker::copyLocalsFrom):
3548         (JSC::PredictionTracker::numberOfArguments):
3549         (JSC::PredictionTracker::numberOfVariables):
3550         (JSC::PredictionTracker::argumentIndexForOperand):
3551         (JSC::PredictionTracker::predictArgument):
3552         (JSC::PredictionTracker::predict):
3553         (JSC::PredictionTracker::predictGlobalVar):
3554         (JSC::PredictionTracker::getArgumentPrediction):
3555         (JSC::PredictionTracker::getPrediction):
3556         (JSC::PredictionTracker::getGlobalVarPrediction):
3557         * bytecompiler/BytecodeGenerator.cpp:
3558         (JSC::BytecodeGenerator::emitLoopHint):
3559         * bytecompiler/BytecodeGenerator.h:
3560         * bytecompiler/NodesCodegen.cpp:
3561         (JSC::DoWhileNode::emitBytecode):
3562         (JSC::WhileNode::emitBytecode):
3563         (JSC::ForNode::emitBytecode):
3564         (JSC::ForInNode::emitBytecode):
3565         * dfg/DFGByteCodeParser.cpp:
3566         (JSC::DFG::ByteCodeParser::parseBlock):
3567         * dfg/DFGCapabilities.h:
3568         (JSC::DFG::canCompileOpcode):
3569         * dfg/DFGDriver.cpp:
3570         (JSC::DFG::compile):
3571         * dfg/DFGGraph.cpp:
3572         (JSC::DFG::Graph::dump):
3573         * dfg/DFGGraph.h:
3574         (JSC::DFG::BasicBlock::BasicBlock):
3575         (JSC::DFG::Graph::predict):
3576         (JSC::DFG::Graph::getPrediction):
3577         * dfg/DFGJITCompiler.cpp:
3578         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
3579         (JSC::DFG::JITCompiler::compileEntry):
3580         (JSC::DFG::JITCompiler::compileBody):
3581         * dfg/DFGJITCompiler.h:
3582         (JSC::DFG::JITCompiler::noticeOSREntry):
3583         * dfg/DFGNode.h:
3584         * dfg/DFGOSREntry.cpp: Added.
3585         (JSC::DFG::predictionIsValid):
3586         (JSC::DFG::prepareOSREntry):
3587         * dfg/DFGOSREntry.h: Added.
3588         (JSC::DFG::prepareOSREntry):
3589         * dfg/DFGPredictionTracker.h: Removed.
3590         * dfg/DFGPropagator.cpp:
3591         (JSC::DFG::Propagator::mergeUse):
3592         (JSC::DFG::Propagator::mergePrediction):
3593         * dfg/DFGSpeculativeJIT.cpp:
3594         (JSC::DFG::SpeculativeJIT::compile):
3595         * jit/CompactJITCodeMap.h:
3596         (JSC::CompactJITCodeMap::numberOfEntries):
3597         (JSC::CompactJITCodeMap::decode):
3598         (JSC::CompactJITCodeMap::Decoder::Decoder):
3599         (JSC::CompactJITCodeMap::Decoder::numberOfEntriesRemaining):
3600         (JSC::CompactJITCodeMap::Decoder::read):
3601         * jit/JIT.cpp:
3602         (JSC::JIT::emitOptimizationCheck):
3603         (JSC::JIT::emitTimeoutCheck):
3604         (JSC::JIT::privateCompileMainPass):
3605         * jit/JIT.h:
3606         (JSC::JIT::emit_op_loop_hint):
3607         * jit/JITStubs.cpp:
3608         (JSC::DEFINE_STUB_FUNCTION):
3609         * runtime/Executable.cpp:
3610         (JSC::EvalExecutable::compileInternal):
3611         (JSC::ProgramExecutable::compileInternal):
3612         (JSC::FunctionExecutable::compileForCallInternal):
3613         (JSC::FunctionExecutable::compileForConstructInternal):
3614
3615 2011-09-12  Sam Weinig  <sam@webkit.org>
3616
3617         Don't allow setting __proto__ to be a getter or setter
3618         https://bugs.webkit.org/show_bug.cgi?id=67982
3619
3620         Reviewed by Gavin Barraclough.
3621
3622         * runtime/JSObject.cpp:
3623         (JSC::JSObject::defineGetter):
3624         (JSC::JSObject::defineSetter):
3625         Disallow setting a getter or setter on __proto__.
3626
3627 2011-09-12  James Robinson  <jamesr@chromium.org>
3628
3629         Unreviewed build fix for chromium.
3630
3631         Guard access to UString::latin1() with USE(JSC) since it is defined in JavaScriptCore/runtime/UString.cpp, which
3632         is currently only compiled in by ports that use JavaScriptCore.  This code is currently unreachable in builds so
3633         no change in functionality.
3634
3635         * yarr/YarrInterpreter.cpp:
3636         (JSC::Yarr::Interpreter::CharAccess::CharAccess):
3637
3638 2011-09-09  Filip Pizlo  <fpizlo@apple.com>
3639
3640         JavaScriptCore does not have speculative->baseline OSR
3641         https://bugs.webkit.org/show_bug.cgi?id=67826
3642
3643         Reviewed by Oliver Hunt.
3644         
3645         This adds the ability to bail out of DFG speculative JIT execution by
3646         performing an on-stack replacement (OSR) that results in the control
3647         flow going to the equivalent code generated by the old JIT.
3648         
3649         This required a number of new features, as well as taking advantage of
3650         some features that happened to already be present:
3651         
3652         We already had a policy of storing the bytecode index for which a DFG
3653         node was generated inside the DFG::Node class. This was previously
3654         called exceptionInfo. It's now renamed to codeOrigin to reflect that
3655         it's used for more than just exceptions. OSR uses this to figure out
3656         which bytecode index to use to look up the machine code location in
3657         the code generated by the old JIT that we should be jumping to.
3658         
3659         CodeBlock now stores a mapping between bytecode indices and machine
3660         code offsets for code generated by the old JIT. This is implemented
3661         by CompactJITCodeMap, which tries to compress this data a bit.  The
3662         OSR compiler decodes this and uses it to find the machine code
3663         locations it should be jumping to.
3664         
3665         We already had a mechanism that emitted SetLocal nodes in the DFG graph
3666         that told us the time at which the old JIT would have stored something
3667         into its register file, and the DFG::Node that corresponds to the value
3668         that it would have stored. These SetLocal's were mostly dead-code-
3669         eliminated, but our DCE leaves the nodes intact except for making them
3670         have 0 as the ref count. This allows the OSR compiler to construct a
3671         mapping between the state as it would have been seen by the old JIT
3672         and the state as the DFG JIT sees it. The OSR compiler uses this to
3673         generate code that reshapes the call frame so that it is like what the
3674         old JIT would expect.
3675         
3676         Finally, when DFG_OSR is enabled (the default for TIERED_COMPILATION)
3677         we no longer emit the non-speculative path.
3678
3679         * JavaScriptCore.xcodeproj/project.pbxproj:
3680         * bytecode/CodeBlock.h:
3681         * dfg/DFGByteCodeParser.cpp:
3682         (JSC::DFG::ByteCodeParser::currentCodeOrigin):
3683         (JSC::DFG::ByteCodeParser::addToGraph):
3684         * dfg/DFGGPRInfo.h:
3685         * dfg/DFGGenerationInfo.h:
3686         (JSC::DFG::GenerationInfo::alive):
3687         * dfg/DFGGraph.cpp:
3688         (JSC::DFG::Graph::dump):
3689         * dfg/DFGJITCodeGenerator.cpp:
3690         (JSC::DFG::JITCodeGenerator::emitCall):
3691         * dfg/DFGJITCodeGenerator.h:
3692         (JSC::DFG::JITCodeGenerator::appendCallWithExceptionCheck):
3693         * dfg/DFGJITCompiler.cpp:
3694         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
3695         (JSC::DFG::JITCompiler::linkOSRExits):
3696         (JSC::DFG::JITCompiler::compileBody):
3697         (JSC::DFG::JITCompiler::link):
3698         * dfg/DFGJITCompiler.h:
3699         (JSC::DFG::CallRecord::CallRecord):
3700         (JSC::DFG::JITCompiler::notifyCall):
3701         (JSC::DFG::JITCompiler::appendCallWithExceptionCheck):
        (JSC::DFG::JITCompiler::appendCallWithFastExceptionCheck):
        (JSC::DFG::JITCompiler::addJSCall):
        (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
        * dfg/DFGNode.h:
        (JSC::DFG::CodeOrigin::CodeOrigin):
        (JSC::DFG::CodeOrigin::isSet):
        (JSC::DFG::CodeOrigin::bytecodeIndex):
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::child1Unchecked):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::ValueSource::dump):
        (JSC::DFG::ValueRecovery::dump):
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::ValueSource::ValueSource):
        (JSC::DFG::ValueSource::isSet):
        (JSC::DFG::ValueSource::nodeIndex):
        (JSC::DFG::ValueRecovery::ValueRecovery):
        (JSC::DFG::ValueRecovery::alreadyInRegisterFile):
        (JSC::DFG::ValueRecovery::inGPR):
        (JSC::DFG::ValueRecovery::inFPR):
        (JSC::DFG::ValueRecovery::displacedInRegisterFile):
        (JSC::DFG::ValueRecovery::constant):
        (JSC::DFG::ValueRecovery::technique):
        (JSC::DFG::ValueRecovery::gpr):
        (JSC::DFG::ValueRecovery::fpr):
        (JSC::DFG::ValueRecovery::virtualRegister):
        (JSC::DFG::OSRExit::numberOfRecoveries):
        (JSC::DFG::OSRExit::valueRecovery):
        (JSC::DFG::OSRExit::isArgument):
        (JSC::DFG::OSRExit::argumentForIndex):
        (JSC::DFG::OSRExit::variableForIndex):
        (JSC::DFG::OSRExit::operandForIndex):
        (JSC::DFG::SpeculativeJIT::osrExits):
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::valueSourceForOperand):
        (JSC::DFG::SpeculativeJIT::setNodeIndexForOperand):
        (JSC::DFG::SpeculativeJIT::valueSourceReferenceForOperand):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        (JSC::DFG::SpeculationCheckIndexIterator::SpeculationCheckIndexIterator):
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        * jit/CompactJITCodeMap.h: Added.
        (JSC::BytecodeAndMachineOffset::BytecodeAndMachineOffset):
        (JSC::BytecodeAndMachineOffset::getBytecodeIndex):
        (JSC::BytecodeAndMachineOffset::getMachineCodeOffset):
        (JSC::CompactJITCodeMap::~CompactJITCodeMap):
        (JSC::CompactJITCodeMap::decode):
        (JSC::CompactJITCodeMap::CompactJITCodeMap):
        (JSC::CompactJITCodeMap::at):
        (JSC::CompactJITCodeMap::decodeNumber):
        (JSC::CompactJITCodeMap::Encoder::Encoder):
        (JSC::CompactJITCodeMap::Encoder::~Encoder):
        (JSC::CompactJITCodeMap::Encoder::append):
        (JSC::CompactJITCodeMap::Encoder::finish):
        (JSC::CompactJITCodeMap::Encoder::appendByte):
        (JSC::CompactJITCodeMap::Encoder::encodeNumber):
        (JSC::CompactJITCodeMap::Encoder::ensureCapacityFor):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSC::JSGlobalData::osrScratchBufferForSize):
        * runtime/JSValue.cpp:
        (JSC::JSValue::description):

2011-09-12  Geoffrey Garen  <ggaren@apple.com>

        Re-enabled ENABLE(LAZY_BLOCK_FREEING).

        Reviewed by Stephanie Lewis.

        I accidentally disabled this in r94890, causing a big performance regression.

        * wtf/Platform.h:

2011-09-12  Michael Saboff  <msaboff@apple.com>

        Broken Build for ARM - lshift32() needs TrustedImm32 arg
        https://bugs.webkit.org/show_bug.cgi?id=67965

        Change lshift32(16, ARMRegisters::S1); to lshift32(TrustedImm32(16), ARMRegisters::S1);

        Reviewed by Anders Carlsson.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branch16):

2011-09-12  Michael Saboff  <msaboff@apple.com>

        Broken ARM build - missing semicolon in JavaScriptCore/assembler/MacroAssemblerARM.h
        https://bugs.webkit.org/show_bug.cgi?id=67961

        Added missing semicolon.

        Reviewed by Ryosuke Niwa.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branch16):

2011-09-12  Michael Saboff  <msaboff@apple.com>

        Update RegExp and related classes to use 8 bit strings when available
        https://bugs.webkit.org/show_bug.cgi?id=67337

        Modified both the Yarr interpreter and JIT to handle 8 bit subject strings.
        The code paths are triggered by the UString::is8Bit() method which currently
        returns false.  Implemented JIT changes for all current architectures.
        Tested X86_64 and ARM v7.

        This includes some code that will likely change as we complete the
        8 bit string changes.  This includes the way the raw buffer pointers
        are accessed as well as replacing the CharAccess class with a
        string iterator returned from UString.

        Fixed build breakage in testRegExp.cpp due to globalObject construction
        changes.

        Reviewed by Gavin Barraclough.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * testRegExp.cpp:
        (GlobalObject::finishCreation):
        (GlobalObject::GlobalObject):
        * assembler/ARMAssembler.cpp:
        (JSC::ARMAssembler::baseIndexTransfer32):
        * assembler/ARMAssembler.h:
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::ubfx):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp12Reg40Imm3Reg4Imm20Imm5):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::load8):
        (JSC::MacroAssemblerARM::branch8):
        (JSC::MacroAssemblerARM::branch16):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::load8):
        (JSC::MacroAssemblerARMv7::branch16):
        (JSC::MacroAssemblerARMv7::branch8):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::load8):
        (JSC::MacroAssemblerMIPS::branch8):
        (JSC::MacroAssemblerMIPS::branch16):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::load8):
        (JSC::MacroAssemblerSH4::branch8):
        (JSC::MacroAssemblerSH4::branch16):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::load8):
        (JSC::MacroAssemblerX86Common::branch16):
        (JSC::MacroAssemblerX86Common::branch8):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::extub):
        (JSC::SH4Assembler::printInstr):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::cmpw_ir):
        (JSC::X86Assembler::movzbl_mr):
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileIfNecessary):
        (JSC::RegExp::match):
        (JSC::RegExp::matchCompareWithInterpreter):
        * runtime/RegExp.h:
        * runtime/UString.h:
        (JSC::UString::is8Bit):
        * yarr/Yarr.h:
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::CharAccess::CharAccess):
        (JSC::Yarr::Interpreter::CharAccess::~CharAccess):
        (JSC::Yarr::Interpreter::CharAccess::operator[]):
        (JSC::Yarr::Interpreter::InputStream::InputStream):
        (JSC::Yarr::Interpreter::Interpreter):
        (JSC::Yarr::interpret):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::jumpIfCharNotEquals):
        (JSC::Yarr::YarrGenerator::readCharacter):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy):
        (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy):
        (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
        (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
        (JSC::Yarr::YarrGenerator::YarrGenerator):
        (JSC::Yarr::YarrGenerator::compile):
        (JSC::Yarr::jitCompile):
        (JSC::Yarr::execute):
        * yarr/YarrJIT.h:
        (JSC::Yarr::YarrCodeBlock::has8BitCode):
        (JSC::Yarr::YarrCodeBlock::has16BitCode):
        (JSC::Yarr::YarrCodeBlock::set8BitCode):
        (JSC::Yarr::YarrCodeBlock::set16BitCode):
        (JSC::Yarr::YarrCodeBlock::execute):
        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::Parser):

2011-09-12  Andras Becsi  <andras.becsi@nokia.com>

        [Qt] Build fails after r94920 with strict compiler
        https://bugs.webkit.org/show_bug.cgi?id=67928

        Reviewed by Csaba Osztrogonác.

        * wtf/RedBlackTree.h:
        (WTF::RedBlackTree::insert): Remove dead variables updateStart and newSubTreeRoot.

2011-09-12  Patrick Gansterer  <paroga@webkit.org>

        Unreviewed build fix after r94871.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * wtf/FastMalloc.cpp:
        * wtf/RefCountedLeakCounter.h:

2011-09-11  Filip Pizlo  <fpizlo@apple.com>

        DFGNode.h has macros that indicate the enabling of a feature, but
        they do not use the ENABLE() idiom.
        https://bugs.webkit.org/show_bug.cgi?id=67907

        Reviewed by Oliver Hunt.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::stronglyPredict):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGJITCodeGenerator.cpp:
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::fillInt32ToInteger):
        (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):
        (JSC::DFG::JITCompiler::compileBody):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::fixpoint):
        (JSC::DFG::Propagator::propagateNode):
        (JSC::DFG::Propagator::propagateForward):
        (JSC::DFG::Propagator::propagateBackward):
        (JSC::DFG::propagate):
        * dfg/DFGScoreBoard.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):

2011-09-11  Fumitoshi Ukai  <ukai@chromium.org>

        Unreviewed build fix for chromium/mac & clang.

        Fix the macro redefinition error by r94927, because chromium set
        ENABLE_JSC_MULTIPLE_THREADS=0 in WebKit/chromium/features.gypi and
        it is not PLATFORM(QT).
         ../../JavaScriptCore/wtf/Platform.h:512:9: error: 'ENABLE_JSC_MULTIPLE_THREADS' macro redefined [-Werror]
         #define ENABLE_JSC_MULTIPLE_THREADS 1
         <command line>:43:9: note: previous definition is here
         #define ENABLE_JSC_MULTIPLE_THREADS 0
         1 error generated.

        * wtf/Platform.h:

2011-09-11  Sam Weinig  <sam@webkit.org>

        Remove JSCell::isPropertyNameIterator(), it is unused
        https://bugs.webkit.org/show_bug.cgi?id=67911

        Reviewed by Oliver Hunt.

        * runtime/JSCell.h:
        * runtime/JSPropertyNameIterator.h:

2011-09-11  Sam Weinig  <sam@webkit.org>

        De-virtualize JSCell::isAPIValueWrapper
        https://bugs.webkit.org/show_bug.cgi?id=67909

        Reviewed by Oliver Hunt.

        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure):
        Set the correct type on structure creation.

        * runtime/JSCell.h:
        Remove virtual keyword and default implementation.

        * runtime/JSType.h:
        Add type for APIValueWrapper. It must come after CompoundType since
        the APIValueWrapper has children in need of marking.

        * runtime/Structure.h:
        (JSC::JSCell::isAPIValueWrapper):
        Implement predicate using type info.

2011-09-10  Sam Weinig  <sam@webkit.org>

        De-virtualize JSCell::isGetterSetter, type information is available for it
        https://bugs.webkit.org/show_bug.cgi?id=67902

        Reviewed by Dan Bernstein.

        * runtime/GetterSetter.cpp:
        * runtime/GetterSetter.h:
        Remove override of isGetterSetter.

        * runtime/JSCell.cpp:
        * runtime/JSCell.h:
        De-virtualize and remove silly base implementation.

        * runtime/Structure.h:
        (JSC::JSCell::isGetterSetter):
        Use type info to determine getter-setter-hood.

2011-09-09  Oliver Hunt  <oliver@apple.com>

        Remove support for anonymous storage from jsobjects
        https://bugs.webkit.org/show_bug.cgi?id=67881

        Reviewed by Sam Weinig.

        Remove all use of anonymous slots, essentially a mechanical change
        in JavaScriptCore

        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::createStructure):
        * API/JSCallbackFunction.h:
        (JSC::JSCallbackFunction::createStructure):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::createStructure):
        * JavaScriptCore.exp:
        * debugger/DebuggerActivation.h:
        (JSC::DebuggerActivation::createStructure):
        * heap/MarkStack.cpp:
        (JSC::MarkStack::validateValue):
        * heap/MarkStack.h:
        * runtime/Arguments.h:
        (JSC::Arguments::createStructure):
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::createStructure):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::createStructure):
        * runtime/BooleanObject.h:
        (JSC::BooleanObject::createStructure):
        * runtime/BooleanPrototype.cpp: