b7cd46fe52e79d599408e1ddcc85ed33d4b6bcb0
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2012-12-03  Filip Pizlo  <fpizlo@apple.com>

        Replace JSValue::description() with JSValue::dump(PrintStream&)
        https://bugs.webkit.org/show_bug.cgi?id=103866

        Reviewed by Darin Adler.

        JSValue now has a dump() method. Anywhere that you would have wanted to use
        description(), you can either do toCString(value).data(), or if the callee
        is a print()/dataLog() method then you just pass the value directly.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * bytecode/CodeBlock.cpp:
        (JSC::valueToSourceString):
        (JSC::CodeBlock::finalizeUnconditionally):
        * bytecode/ValueProfile.h:
        (JSC::ValueProfileBase::dump):
        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::dump):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::dump):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpRegisters):
        * jsc.cpp:
        (functionDescribe):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_trace_value):
        * runtime/JSValue.cpp:
        (JSC::JSValue::dump):
        * runtime/JSValue.h:

2012-12-04  Filip Pizlo  <fpizlo@apple.com>

        jsc command line tool's support for typed arrays should be robust against array buffer allocation errors
        https://bugs.webkit.org/show_bug.cgi?id=104020
        <rdar://problem/12802478>

        Reviewed by Mark Hahnenberg.

        Check for null buffers, since that's what typed array allocators are supposed to do. WebCore does it,
        and that is indeed the contract of ArrayBuffer and TypedArrayBase.

        * JSCTypedArrayStubs.h:
        (JSC):

2012-12-03  Peter Rybin  <prybin@chromium.org>

        Web Inspector: make ASSERTION FAILED: foundPropertiesCount == object->size() more useful
        https://bugs.webkit.org/show_bug.cgi?id=103254

        Reviewed by Pavel Feldman.

        Missing symbol WTFReportFatalError is added to the linker list.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-12-03  Alexis Menard  <alexis@webkit.org>

        [Mac] Enable CSS3 background-position offset by default.
        https://bugs.webkit.org/show_bug.cgi?id=103905

        Reviewed by Simon Fraser.

        Turn the flag on by default.

        * Configurations/FeatureDefines.xcconfig:

2012-12-02  Filip Pizlo  <fpizlo@apple.com>

        DFG should trigger rage conversion from double to contiguous if it sees a GetByVal on Double being used in an integer context
        https://bugs.webkit.org/show_bug.cgi?id=103858

        Reviewed by Gavin Barraclough.

        A rage conversion from double to contiguous is one where you try to convert each
        double to an int32.

        This is probably not the last we'll hear of rage conversion from double to contiguous.
        It may be better to do this right during parsing, which will result in fewer cases of
        Arrayification. But even so, this looks like a straight win already - 1% speed-up on
        Kraken, no major regression anywhere else.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        (JSC::DFG::arrayConversionToString):
        (JSC::DFG::ArrayMode::dump):
        (WTF):
        (WTF::printInternal):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::withConversion):
        (ArrayMode):
        (JSC::DFG::ArrayMode::doesConversion):
        (WTF):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupBlock):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::checkArray):
        (FixupPhase):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNodeFlags.h:
        (DFG):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::arrayify):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):
        * runtime/JSObject.cpp:
        (JSC):
        (JSC::JSObject::genericConvertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToContiguous):
        (JSC::JSObject::rageConvertDoubleToContiguous):
        (JSC::JSObject::ensureContiguousSlow):
        (JSC::JSObject::rageEnsureContiguousSlow):
        * runtime/JSObject.h:
        (JSObject):
        (JSC::JSObject::rageEnsureContiguous):

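The per-element conversion described in the entry above (DFG should trigger rage conversion from double to contiguous), as an added example that is not JavaScriptCore's own code. It models a Double-shaped array as a vector of doubles with NaN as the hole marker, and a Contiguous-shaped array as a vector of boxed values that are empty, an int32, or a double. The NaN-as-hole convention, the exact-int32 rule (finite, integral, inside the int32 range, and not -0.0, since an int32 cannot carry the sign of zero) and the Value struct are assumptions of this example, not JSC's data layout.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <vector>

// Boxed value in a Contiguous-shaped array (assumption of this example, not JSC's JSValue layout).
enum class Kind { Empty, Int32, Double };
struct Value {
    Kind kind;
    int32_t i;
    double d;
};

// Exact-int32 rule assumed here: finite, integral, inside [INT32_MIN, INT32_MAX], and not -0.0.
bool exactInt32(double d, int32_t& out)
{
    if (!std::isfinite(d))             // NaN, +inf and -inf have no int32 form
        return false;
    if (d == 0 && std::signbit(d))     // -0.0 == 0.0, but an int32 cannot keep the sign
        return false;
    if (d < -2147483648.0 || d > 2147483647.0)  // range check first: out-of-range double->int is UB
        return false;
    int32_t i = static_cast<int32_t>(d);
    if (static_cast<double>(i) != d)   // fractional part present
        return false;
    out = i;
    return true;
}

// Double -> Contiguous. NaN marks a hole (assumption). The rage variant tries an int32 box
// for each element; the plain variant keeps every element boxed as a double.
std::vector<Value> convertDoubleToContiguous(const std::vector<double>& doubles, bool rage)
{
    std::vector<Value> out;
    out.reserve(doubles.size());
    for (double d : doubles) {
        if (std::isnan(d)) {
            out.push_back({Kind::Empty, 0, 0.0});
            continue;
        }
        int32_t i;
        if (rage && exactInt32(d, i)) {
            out.push_back({Kind::Int32, i, 0.0});
            continue;
        }
        out.push_back({Kind::Double, 0, d});
    }
    return out;
}

// Number of elements that ended up as int32 boxes; tells whether the rage conversion paid off.
size_t countInt32(const std::vector<Value>& values)
{
    size_t n = 0;
    for (const Value& v : values)
        if (v.kind == Kind::Int32)
            ++n;
    return n;
}

int main()
{
    // Constructed sample: integral values, a fraction, negative zero, a hole and an out-of-range value.
    std::vector<double> doubles = {1.0, 2.5, -0.0, 3.0, NAN, 2147483648.0};
    std::vector<Value> rage = convertDoubleToContiguous(doubles, true);
    for (size_t k = 0; k < rage.size(); ++k) {
        const Value& v = rage[k];
        if (v.kind == Kind::Empty)
            std::printf("[%zu] hole\n", k);
        else if (v.kind == Kind::Int32)
            std::printf("[%zu] int32 %d\n", k, v.i);
        else
            std::printf("[%zu] double %g\n", k, v.d);
    }
    std::printf("%zu of %zu elements became int32\n", countInt32(rage), rage.size());
    return 0;
}
```

The rage variant never fails; it only decides per element whether an int32 box is possible. The range check runs before the cast because converting an out-of-range or NaN double to int32 is undefined behaviour in C++, which is exactly the kind of check a JIT fast path must not skip, and -0.0 stays a double because `-0.0 == 0.0` would otherwise silently turn it into integer zero.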
2012-12-02  Filip Pizlo  <fpizlo@apple.com>

        DFG CSE should not keep alive things that aren't relevant to OSR
        https://bugs.webkit.org/show_bug.cgi?id=103849

        Reviewed by Oliver Hunt.

        Most Phantom nodes are inserted by CSE, and by default have the same children as the
        node that CSE had eliminated. This change makes CSE inspect all Phantom nodes (both
        those it creates and those that were created by other phases) to see if they have
        children that are redundant - i.e. children that are not interesting to OSR, which
        is the only reason why Phantoms exist in the first place. Being relevant to OSR is
        defined as one of: (1) you're a Phi, (2) you're a SetLocal, (3) somewhere between
        your definition and the Phantom there was a SetLocal that referred to you.

        This is a slight speed-up in a few places.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::CSEPhase):
        (JSC::DFG::CSEPhase::run):
        (JSC::DFG::CSEPhase::performSubstitution):
        (CSEPhase):
        (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
        (JSC::DFG::CSEPhase::setReplacement):
        (JSC::DFG::CSEPhase::eliminate):
        (JSC::DFG::CSEPhase::performNodeCSE):
        (JSC::DFG::CSEPhase::performBlockCSE):

2012-12-02  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to build and run with DFG_ENABLE(PROPAGATION_VERBOSE)
        https://bugs.webkit.org/show_bug.cgi?id=103848

        Reviewed by Sam Weinig.

        Fix random dataLog() and print() statements.

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dumpBlockHeader):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):

2012-12-01  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock should be able to dump bytecode to something other than WTF::dataFile()
        https://bugs.webkit.org/show_bug.cgi?id=103832

        Reviewed by Oliver Hunt.

        Add a PrintStream& argument to all of the CodeBlock bytecode dumping methods.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecodeCommentAndNewLine):
        (JSC::CodeBlock::printUnaryOp):
        (JSC::CodeBlock::printBinaryOp):
        (JSC::CodeBlock::printConditionalJump):
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::dumpStructure):
        (JSC::dumpChain):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::printPutByIdOp):
        (JSC::CodeBlock::printStructure):
        (JSC::CodeBlock::printStructures):
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * jit/JITDisassembler.cpp:
        (JSC::JITDisassembler::dumpForInstructions):

2012-11-30  Pierre Rossi  <pierre.rossi@gmail.com>

        [Qt] Unreviewed speculative Mac build fix after r136232

        Update the include path so that LLIntAssembly.h is picked up.
        The bot didn't break until later when a clean build was triggered.

        * JavaScriptCore.pri:

2012-11-30  Oliver Hunt  <oliver@apple.com>

        Optimise more cases of op_typeof
        https://bugs.webkit.org/show_bug.cgi?id=103783

        Reviewed by Mark Hahnenberg.

        Increase our coverage of typeof based typechecks by
        making sure that the code generators always use
        consistent operand ordering when feeding typeof operations
        into equality operations.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::BinaryOpNode::emitBytecode):
        (JSC::EqualNode::emitBytecode):
        (JSC::StrictEqualNode::emitBytecode):

2012-11-30  Filip Pizlo  <fpizlo@apple.com>

        Rationalize and clean up DFG handling of scoped accesses
        https://bugs.webkit.org/show_bug.cgi?id=103715

        Reviewed by Oliver Hunt.

        Previously, we had a GetScope node that specified the depth to which you wanted
        to travel to get a JSScope, and the backend implementation of the node would
        perform all of the necessary footwork, including potentially skipping the top
        scope if necessary, and doing however many loads were needed. But there were
        strange things. First, if you had accesses at different scope depths, then the
        loads to get to the common depth could not be CSE'd - CSE would match only
        GetScope's that had identical depth. Second, GetScope would be emitted even if
        we already had the scope, for example in put_to_base. And finally, even though
        the ResolveOperations could tell us whether or not we had to skip the top scope,
        the backend would recompute this information itself, often pessimistically.

        This eliminates GetScope and replaces it with the following:

        GetMyScope: just get the JSScope from the call frame header. This will forever
        mean getting the JSScope associated with the machine call frame; it will not
        mean getting the scope of an inlined function. Or at least that's the intent.

        SkipTopScope: check if there is an activation, and if so, skip a scope. This
        takes a scope as a child and returns a scope.

        SkipScope: skip one scope level.

        The bytecode parser now emits the right combination of the above, and
        potentially emits multiple SkipScope's, based on the ResolveOperations.

        This change also includes some fixups to debug logging. We now always print
        the ExecutableBase* in addition to the CodeBlock* in the CodeBlock's dump,
        and we are now more verbose when dumping CodeOrigins and InlineCallFrames.

        This is performance-neutral. It's just meant to be a clean-up.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpAssumingJITType):
        * bytecode/CodeOrigin.cpp:
        (JSC::CodeOrigin::inlineStack):
        (JSC::CodeOrigin::dump):
        (JSC):
        (JSC::InlineCallFrame::dump):
        * bytecode/CodeOrigin.h:
        (CodeOrigin):
        (InlineCallFrame):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::getScope):
        (DFG):
        (JSC::DFG::ByteCodeParser::parseResolveOperations):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::scopedVarLoadElimination):
        (JSC::DFG::CSEPhase::scopedVarStoreElimination):
        (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
        (JSC::DFG::CSEPhase::setLocalStoreElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dump):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dumpCodeOrigin):
        (JSC::DFG::Graph::dumpBlockHeader):
        * dfg/DFGNode.h:
        (Node):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITDisassembler.cpp:
        (JSC::JITDisassembler::dump):

2012-11-30  Oliver Hunt  <oliver@apple.com>

        Add direct string->function code cache
        https://bugs.webkit.org/show_bug.cgi?id=103764

        Reviewed by Michael Saboff.

        A fairly logically simple patch.  We now track the start of the
        unique portion of a function's body, and use that as our key for
        unlinked function code.  This allows us to cache identical code
        in different contexts, leading to a small but consistent improvement
        on the benchmarks we track.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::functionStartOffset):
        (UnlinkedFunctionExecutable):
        * parser/ASTBuilder.h:
        (ASTBuilder):
        (JSC::ASTBuilder::setFunctionStart):
        * parser/Nodes.cpp:
        * parser/Nodes.h:
        (JSC::FunctionBodyNode::setFunctionStart):
        (JSC::FunctionBodyNode::functionStart):
        (FunctionBodyNode):
        * parser/Parser.cpp:
        (JSC::::parseFunctionInfo):
        * parser/Parser.h:
        (JSC::Parser::findCachedFunctionInfo):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::setFunctionStart):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::generateFunctionCodeBlock):
        (JSC::CodeCache::getFunctionCodeBlock):
        (JSC::CodeCache::usedFunctionCode):
        * runtime/CodeCache.h:

2012-11-30  Allan Sandfeld Jensen  <allan.jensen@digia.com>

        Crash in conversion of empty OpaqueJSString to Identifier
        https://bugs.webkit.org/show_bug.cgi?id=101867

        Reviewed by Michael Saboff.

        The constructor call used for both null and empty OpaqueJSStrings results
        in an assertion violation and crash. This patch instead uses the Identifier
        constructors which are specifically for null and empty Identifier.

        * API/OpaqueJSString.cpp:
        (OpaqueJSString::identifier):

2012-11-30  Tor Arne Vestbø  <tor.arne.vestbo@digia.com>

        [Qt] Place the LLIntOffsetsExtractor binaries in debug/release subdirs on Mac

        Otherwise we'll end up using the same LLIntAssembly.h for both build
        configs of JavaScriptCore -- one of them which will be for the wrong
        config.

        Reviewed by Simon Hausmann.

        * LLIntOffsetsExtractor.pro:

2012-11-30  Julien BRIANCEAU  <jbrianceau@nds.com>

        [sh4] Fix compilation warnings in JavaScriptCore JIT for sh4 arch
        https://bugs.webkit.org/show_bug.cgi?id=103378

        Reviewed by Filip Pizlo.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branchTest32):
        (JSC::MacroAssemblerSH4::branchAdd32):
        (JSC::MacroAssemblerSH4::branchMul32):
        (JSC::MacroAssemblerSH4::branchSub32):
        (JSC::MacroAssemblerSH4::branchOr32):

2012-11-29  Rafael Weinstein  <rafaelw@chromium.org>

        [HTMLTemplateElement] Add feature flag
        https://bugs.webkit.org/show_bug.cgi?id=103694

        Reviewed by Adam Barth.

        This flag will guard the implementation of the HTMLTemplateElement.
        http://dvcs.w3.org/hg/webcomponents/raw-file/tip/spec/templates/index.html

        * Configurations/FeatureDefines.xcconfig:

2012-11-29  Filip Pizlo  <fpizlo@apple.com>

        It should be easy to find code blocks in debug dumps
        https://bugs.webkit.org/show_bug.cgi?id=103623

        Reviewed by Geoffrey Garen.

        This gives CodeBlock a relatively strong, but also relatively compact, hash. We compute
        it lazily so that it only impacts run-time when debug support is enabled. We stringify
        it smartly so that it's short and easy to type. We base it on the source code so that
        the optimization level is irrelevant. And, we use SHA1 since it's already in our code
        base. Now, when a piece of code wants to print some debugging to say that it's operating
        on some code block, it can use this CodeBlockHash instead of memory addresses.

        This also takes CodeBlock debugging into the new world of print() and dataLog(). In
        particular, CodeBlock::dump() corresponds to the thing you want printed if you do:

        dataLog("I heart ", *myCodeBlock);

        Probably, you want to just print some identifying information at this point rather than
        the full bytecode dump. So, the existing CodeBlock::dump() has been renamed to
        CodeBlock::dumpBytecode(), and CodeBlock::dump() now prints the CodeBlockHash plus just
        a few little tidbits.

        Here's an example of CodeBlock::dump() output:

        EkILzr:[0x103883a00, BaselineFunctionCall]

        EkILzr is the CodeBlockHash. 0x103883a00 is the CodeBlock's address in memory. The other
        part is self-explanatory.

        Finally, this new notion of CodeBlockHash is available for other purposes like bisecting
        breakage. As such CodeBlockHash has all of the comparison operator overloads. When
        bisecting in DFGDriver.cpp, you can now say things like:

        if (codeBlock->hash() < CodeBlockHash("CAAAAA"))
            return false;

        And yes, CAAAAA is near the median hash, and the largest one is smaller than E99999. Such
        is life when you use base 62 to encode a 32-bit number.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CallLinkInfo.h:
        (CallLinkInfo):
        (JSC::CallLinkInfo::specializationKind):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::hash):
        (JSC):
        (JSC::CodeBlock::dumpAssumingJITType):
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::resetStubInternal):
        (JSC::CodeBlock::reoptimize):
        (JSC::ProgramCodeBlock::jettison):
        (JSC::EvalCodeBlock::jettison):
        (JSC::FunctionCodeBlock::jettison):
        (JSC::CodeBlock::shouldOptimizeNow):
        (JSC::CodeBlock::tallyFrequentExitSites):
        (JSC::CodeBlock::dumpValueProfiles):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::specializationKind):
        (CodeBlock):
        (JSC::CodeBlock::getJITType):
        * bytecode/CodeBlockHash.cpp: Added.
        (JSC):
        (JSC::CodeBlockHash::CodeBlockHash):
        (JSC::CodeBlockHash::dump):
        * bytecode/CodeBlockHash.h: Added.
        (JSC):
        (CodeBlockHash):
        (JSC::CodeBlockHash::CodeBlockHash):
        (JSC::CodeBlockHash::hash):
        (JSC::CodeBlockHash::operator==):
        (JSC::CodeBlockHash::operator!=):
        (JSC::CodeBlockHash::operator<):
        (JSC::CodeBlockHash::operator>):
        (JSC::CodeBlockHash::operator<=):
        (JSC::CodeBlockHash::operator>=):
        * bytecode/CodeBlockWithJITType.h: Added.
        (JSC):
        (CodeBlockWithJITType):
        (JSC::CodeBlockWithJITType::CodeBlockWithJITType):
        (JSC::CodeBlockWithJITType::dump):
        * bytecode/CodeOrigin.cpp: Added.
        (JSC):
        (JSC::CodeOrigin::inlineDepthForCallFrame):
        (JSC::CodeOrigin::inlineDepth):
        (JSC::CodeOrigin::inlineStack):
        (JSC::InlineCallFrame::hash):
        * bytecode/CodeOrigin.h:
        (InlineCallFrame):
        (JSC::InlineCallFrame::specializationKind):
        (JSC):
        * bytecode/CodeType.cpp: Added.
        (WTF):
        (WTF::printInternal):
        * bytecode/CodeType.h:
        (WTF):
        * bytecode/ExecutionCounter.cpp:
        (JSC::ExecutionCounter::dump):
        * bytecode/ExecutionCounter.h:
        (ExecutionCounter):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dump):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dumpCodeOrigin):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOperations.cpp:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::generateProtoChainAccessStub):
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDList):
        (JSC::DFG::emitPutReplaceStub):
        (JSC::DFG::emitPutTransitionStub):
        (JSC::DFG::dfgLinkClosureCall):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpCallFrame):
        * jit/JITCode.cpp: Added.
        (WTF):
        (WTF::printInternal):
        * jit/JITCode.h:
        (JSC::JITCode::jitType):
        (WTF):
        * jit/JITDisassembler.cpp:
        (JSC::JITDisassembler::dump):
        (JSC::JITDisassembler::dumpForInstructions):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompilePutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/CodeSpecializationKind.cpp: Added.
        (WTF):
        (WTF::printInternal):
        * runtime/CodeSpecializationKind.h:
        (JSC::specializationFromIsCall):
        (JSC):
        (JSC::specializationFromIsConstruct):
        (WTF):
        * runtime/Executable.cpp:
        (JSC::ExecutableBase::hashFor):
        (JSC):
        (JSC::NativeExecutable::hashFor):
        (JSC::ScriptExecutable::hashFor):
        * runtime/Executable.h:
        (ExecutableBase):
        (NativeExecutable):
        (ScriptExecutable):
        (JSC::ScriptExecutable::source):

570
571 2012-11-29  Michael Saboff  <msaboff@apple.com>
572
573         Speculative Windows build fix after r136086.
574
575         Unreviewed build fix.
576
577         Suspect that ?setDumpsGeneratedCode@BytecodeGenerator@JSC@@SAX_N@Z needs to be removed from Windows
578         export list since the symbol was removed in r136086.
579
580         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
581
582 2012-11-28  Filip Pizlo  <fpizlo@apple.com>
583
584         SpeculatedType dumping should not use the static char buffer[thingy] idiom
585         https://bugs.webkit.org/show_bug.cgi?id=103584
586
587         Reviewed by Michael Saboff.
588
589         Changed SpeculatedType to be "dumpable" by saying things like:
590         
591         dataLog("thingy = ", SpeculationDump(thingy))
592         
593         Removed the old stringification functions, and changed all code that referred to them
594         to use the new dataLog()/print() style.
595
596         * CMakeLists.txt:
597         * GNUmakefile.list.am:
598         * JavaScriptCore.xcodeproj/project.pbxproj:
599         * Target.pri:
600         * bytecode/SpeculatedType.cpp:
601         (JSC::dumpSpeculation):
602         (JSC::speculationToAbbreviatedString):
603         (JSC::dumpSpeculationAbbreviated):
604         * bytecode/SpeculatedType.h:
605         * bytecode/ValueProfile.h:
606         (JSC::ValueProfileBase::dump):
607         * bytecode/VirtualRegister.h:
608         (WTF::printInternal):
609         * dfg/DFGAbstractValue.h:
610         (JSC::DFG::AbstractValue::dump):
611         * dfg/DFGByteCodeParser.cpp:
612         (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
613         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
614         * dfg/DFGGraph.cpp:
615         (JSC::DFG::Graph::dump):
616         (JSC::DFG::Graph::predictArgumentTypes):
617         * dfg/DFGGraph.h:
618         (Graph):
619         * dfg/DFGStructureAbstractValue.h:
620         * dfg/DFGVariableAccessDataDump.cpp: Added.
621         (JSC::DFG::VariableAccessDataDump::VariableAccessDataDump):
622         (JSC::DFG::VariableAccessDataDump::dump):
623         * dfg/DFGVariableAccessDataDump.h: Added.
624         (VariableAccessDataDump):
625
626 2012-11-28  Michael Saboff  <msaboff@apple.com>
627
628         Change Bytecompiler s_dumpsGeneratedCode to an Options value
629         https://bugs.webkit.org/show_bug.cgi?id=103588
630
631         Reviewed by Filip Pizlo.
632
633         Moved the control of dumping bytecodes to Options::dumpGeneratedBytecodes.
634
635         * bytecode/CodeBlock.cpp:
636         (JSC::CodeBlock::CodeBlock):
637         * bytecompiler/BytecodeGenerator.cpp:
638         * bytecompiler/BytecodeGenerator.h:
639         * jsc.cpp:
640         (runWithScripts):
641         * runtime/Options.h:
642
643 2012-11-28  Mark Hahnenberg  <mhahnenberg@apple.com>
644
645         Copying phase should use work lists
646         https://bugs.webkit.org/show_bug.cgi?id=101390
647
648         Reviewed by Filip Pizlo.
649
650         * JavaScriptCore.xcodeproj/project.pbxproj:
651         * heap/BlockAllocator.cpp:
652         (JSC::BlockAllocator::BlockAllocator):
653         * heap/BlockAllocator.h: New RegionSet for CopyWorkListSegments.
654         (BlockAllocator):
655         (JSC::CopyWorkListSegment):
656         * heap/CopiedBlock.h: Added a per-block CopyWorkList to keep track of the JSCells that need to be revisited during the copying
657         phase to copy their backing stores.
658         (CopiedBlock):
659         (JSC::CopiedBlock::CopiedBlock): 
660         (JSC::CopiedBlock::didSurviveGC):
661         (JSC::CopiedBlock::didEvacuateBytes): There is now a one-to-one relationship between GCThreads and the CopiedBlocks they're 
662         responsible for evacuating, we no longer need any of that fancy compare and swap stuff. 
663         (JSC::CopiedBlock::pin):
664         (JSC::CopiedBlock::hasWorkList): 
665         (JSC::CopiedBlock::workList):
666         * heap/CopiedBlockInlines.h: Added.
667         (JSC::CopiedBlock::reportLiveBytes): Since we now have to grab a SpinLock to perform operations on the CopyWorkList during marking,
668         we don't need to do any of that fancy compare and swap stuff we were doing for tracking live bytes.
669         * heap/CopiedSpace.h:
670         (CopiedSpace):
671         * heap/CopiedSpaceInlines.h:
672         (JSC::CopiedSpace::pin):
673         * heap/CopyVisitor.cpp:
674         (JSC::CopyVisitor::copyFromShared): We now iterate over a range of CopiedBlocks rather than MarkedBlocks and revisit the cells in those
675         blocks' CopyWorkLists.
676         * heap/CopyVisitor.h:
677         (CopyVisitor):
678         * heap/CopyVisitorInlines.h:
679         (JSC::CopyVisitor::visitCell): The function responsible for calling the correct copyBackingStore() function for each JSCell from 
680         a CopiedBlock's CopyWorkList.
681         (JSC::CopyVisitor::didCopy): We no longer need to check if the block is empty here because we know exactly when we're done 
682         evacuating a CopiedBlock, which is when we've gone through all of the CopiedBlock's CopyWorkList.
683         * heap/CopyWorkList.h: Added.
684         (CopyWorkListSegment): Individual chunk of a CopyWorkList that is allocated from the BlockAllocator.
685         (JSC::CopyWorkListSegment::create):
686         (JSC::CopyWorkListSegment::size):
687         (JSC::CopyWorkListSegment::isFull):
688         (JSC::CopyWorkListSegment::get):
689         (JSC::CopyWorkListSegment::append):
690         (JSC::CopyWorkListSegment::CopyWorkListSegment):
691         (JSC::CopyWorkListSegment::data):
692         (JSC::CopyWorkListSegment::endOfBlock):
693         (CopyWorkListIterator): Responsible for giving CopyVisitors a contiguous notion of access across the separate CopyWorkListSegments
694         that make up each CopyWorkList.
695         (JSC::CopyWorkListIterator::get):
696         (JSC::CopyWorkListIterator::operator*):
697         (JSC::CopyWorkListIterator::operator->):
698         (JSC::CopyWorkListIterator::operator++):
699         (JSC::CopyWorkListIterator::operator==):
700         (JSC::CopyWorkListIterator::operator!=):
701         (JSC::CopyWorkListIterator::CopyWorkListIterator):
702         (CopyWorkList): Data structure that keeps track of the JSCells that need copying in a particular CopiedBlock.
703         (JSC::CopyWorkList::CopyWorkList):
704         (JSC::CopyWorkList::~CopyWorkList):
705         (JSC::CopyWorkList::append):
706         (JSC::CopyWorkList::begin):
707         (JSC::CopyWorkList::end):
708         * heap/GCThreadSharedData.cpp:
709         (JSC::GCThreadSharedData::GCThreadSharedData): We no longer use the m_blockSnapshot from the Heap during the copying phase.
710         (JSC::GCThreadSharedData::didStartCopying): We now copy the set of all blocks in the CopiedSpace to a separate vector for 
711         iterating over during the copying phase since the set stored in the CopiedSpace will change as blocks are evacuated and 
712         recycled throughout the copying phase.
713         * heap/GCThreadSharedData.h:
714         (GCThreadSharedData): 
715         * heap/Heap.h:
716         (Heap):
717         * heap/SlotVisitor.h: We now need to know the object that is being marked that has a backing store so that we can store it
718         in a CopyWorkList to revisit later during the copying phase.
719         * heap/SlotVisitorInlines.h:
720         (JSC::SlotVisitor::copyLater):
721         * runtime/JSObject.cpp:
722         (JSC::JSObject::visitButterfly):
723
724 2012-11-28  Filip Pizlo  <fpizlo@apple.com>
725
726         Disassembly methods should be able to disassemble to any PrintStream& rather than always using WTF::dataFile()
727         https://bugs.webkit.org/show_bug.cgi?id=103492
728
729         Reviewed by Mark Hahnenberg.
730
731         Switched disassembly code to use PrintStream&, and to use print() rather than printf().
732
733         * dfg/DFGDisassembler.cpp:
734         (JSC::DFG::Disassembler::dump):
735         (DFG):
736         (JSC::DFG::Disassembler::dumpDisassembly):
737         * dfg/DFGDisassembler.h:
738         (Disassembler):
739         * dfg/DFGGraph.cpp:
740         (JSC::DFG::printWhiteSpace):
741         (JSC::DFG::Graph::dumpCodeOrigin):
742         (JSC::DFG::Graph::printNodeWhiteSpace):
743         (JSC::DFG::Graph::dump):
744         (DFG):
745         (JSC::DFG::Graph::dumpBlockHeader):
746         * dfg/DFGGraph.h:
747         (Graph):
748         * jit/JITDisassembler.cpp:
749         (JSC::JITDisassembler::dump):
750         (JSC::JITDisassembler::dumpForInstructions):
751         (JSC::JITDisassembler::dumpDisassembly):
752         * jit/JITDisassembler.h:
753         (JITDisassembler):
754
755 2012-11-28  Filip Pizlo  <fpizlo@apple.com>
756
757         It should be possible to say dataLog("count = ", count, "\n") instead of dataLogF("count = %d\n", count)
758         https://bugs.webkit.org/show_bug.cgi?id=103009
759
760         Reviewed by Michael Saboff.
761
762         Instead of converting all of JSC to use the new dataLog()/print() methods, I just changed
763         one place: dumping of abstract values. This is mainly just to ensure that the code I
764         added to WTF is actually doing things.
765
766         * bytecode/CodeBlock.cpp:
767         (JSC::CodeBlock::dump):
768         * dfg/DFGAbstractValue.h:
769         (JSC::DFG::AbstractValue::dump):
770         (WTF):
771         (WTF::printInternal):
772         * dfg/DFGStructureAbstractValue.h:
773         (JSC::DFG::StructureAbstractValue::dump):
774         (WTF):
775         (WTF::printInternal):
776
777 2012-11-28  Oliver Hunt  <oliver@apple.com>
778
779         Make source cache include more information about the function extent.
780         https://bugs.webkit.org/show_bug.cgi?id=103552
781
782         Reviewed by Gavin Barraclough.
783
784         Add a bit more information to the source cache.
785
786         * parser/Parser.cpp:
787         (JSC::::parseFunctionInfo):
788            Store the function start offset
789         * parser/SourceProviderCacheItem.h:
790         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
791         (SourceProviderCacheItem):
792            Add additional field for the start of the real function string, and re-arrange
793            fields to avoid growing the struct.
794
795 2012-11-27  Filip Pizlo  <fpizlo@apple.com>
796
797         Convert some remaining uses of FILE* to PrintStream&.
798
799         Rubber stamped by Mark Hahnenberg.
800
801         * bytecode/ValueProfile.h:
802         (JSC::ValueProfileBase::dump):
803         * bytecode/ValueRecovery.h:
804         (JSC::ValueRecovery::dump):
805         * dfg/DFGByteCodeParser.cpp:
806         (JSC::DFG::ByteCodeParser::parseCodeBlock):
807         * dfg/DFGNode.h:
808         (JSC::DFG::Node::dumpChildren):
809
810 2012-11-27  Filip Pizlo  <fpizlo@apple.com>
811
812         Fix indentation in JSValue.h
813
814         Rubber stamped by Mark Hahnenberg.
815
816         * runtime/JSValue.h:
817
818 2012-11-26  Filip Pizlo  <fpizlo@apple.com>
819
820         DFG SetLocal should use forwardSpeculationCheck instead of its own half-baked version of same
821         https://bugs.webkit.org/show_bug.cgi?id=103353
822
823         Reviewed by Oliver Hunt and Gavin Barraclough.
824
825         Made it possible to use forward speculations for most of the operand classes. Changed the conditional
826         direction parameter from being 'bool isForward' to an enum (SpeculationDirection). Changed SetLocal
827         to use forward speculations and got rid of its half-baked version of same.
828         
829         Also added the ability to force the DFG's disassembler to dump all nodes, even ones that are dead.
830
831         * dfg/DFGByteCodeParser.cpp:
832         (JSC::DFG::ByteCodeParser::parseBlock):
833         * dfg/DFGDisassembler.cpp:
834         (JSC::DFG::Disassembler::dump):
835         * dfg/DFGDriver.cpp:
836         (JSC::DFG::compile):
837         * dfg/DFGSpeculativeJIT.cpp:
838         (JSC::DFG::SpeculativeJIT::speculationCheck):
839         (DFG):
840         (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
841         (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
842         (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
843         (JSC::DFG::SpeculativeJIT::fillStorage):
844         * dfg/DFGSpeculativeJIT.h:
845         (SpeculativeJIT):
846         (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
847         (JSC::DFG::SpeculateIntegerOperand::gpr):
848         (SpeculateIntegerOperand):
849         (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
850         (JSC::DFG::SpeculateDoubleOperand::fpr):
851         (SpeculateDoubleOperand):
852         (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
853         (JSC::DFG::SpeculateCellOperand::gpr):
854         (SpeculateCellOperand):
855         (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
856         (JSC::DFG::SpeculateBooleanOperand::gpr):
857         (SpeculateBooleanOperand):
858         * dfg/DFGSpeculativeJIT32_64.cpp:
859         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
860         (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
861         (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
862         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
863         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
864         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
865         (JSC::DFG::SpeculativeJIT::compile):
866         * dfg/DFGSpeculativeJIT64.cpp:
867         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
868         (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
869         (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
870         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
871         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
872         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
873         (JSC::DFG::SpeculativeJIT::compile):
874         * runtime/Options.h:
875         (JSC):
876
877 2012-11-26  Daniel Bates  <dbates@webkit.org>
878
879         Substitute "allSeparators8Bit" for "allSeperators8Bit" in JSC::jsSpliceSubstringsWithSeparators()
880         <https://bugs.webkit.org/show_bug.cgi?id=103303>
881
882         Reviewed by Simon Fraser.
883
884         Fix misspelled word, "Seperators" [sic], in a local variable name in JSC::jsSpliceSubstringsWithSeparators().
885
886         * runtime/StringPrototype.cpp:
887         (JSC::jsSpliceSubstringsWithSeparators):
888
889 2012-11-26  Daniel Bates  <dbates@webkit.org>
890
891         JavaScript fails to handle String.replace() with large replacement string
892         https://bugs.webkit.org/show_bug.cgi?id=102956
893         <rdar://problem/12738012>
894
895         Reviewed by Oliver Hunt.
896
897         Fix an issue where we didn't check for overflow when computing the length
898         of the result of String.replace() with a large replacement string.
899
900         * runtime/StringPrototype.cpp:
901         (JSC::jsSpliceSubstringsWithSeparators):
902
903 2012-11-26  Zeno Albisser  <zeno@webkit.org>
904
905         [Qt] Fix the LLInt build on Mac
906         https://bugs.webkit.org/show_bug.cgi?id=97587
907
908         Reviewed by Simon Hausmann.
909
910         * DerivedSources.pri:
911         * JavaScriptCore.pro:
912
913 2012-11-26  Oliver Hunt  <oliver@apple.com>
914
915         32-bit build fix.  Move the method declaration outside of the X86_64 only section.
916
917         * assembler/MacroAssembler.h:
918         (MacroAssembler):
919         (JSC::MacroAssembler::shouldConsiderBlinding):
920
921 2012-11-26  Oliver Hunt  <oliver@apple.com>
922
923         Don't blind all the things.
924         https://bugs.webkit.org/show_bug.cgi?id=102572
925
926         Reviewed by Gavin Barraclough.
927
928         No longer blind all the constants in the instruction stream.  We use a
929         simple non-deterministic filter to avoid blinding everything.  Also modified
930         the basic integer blinding logic to avoid blinding small negative values.
931
932         * assembler/MacroAssembler.h:
933         (MacroAssembler):
934         (JSC::MacroAssembler::shouldConsiderBlinding):
935         (JSC::MacroAssembler::shouldBlind):
936
937 2012-11-26  Mark Hahnenberg  <mhahnenberg@apple.com>
938
939         JSObject::copyButterfly doesn't handle undecided indexing types correctly
940         https://bugs.webkit.org/show_bug.cgi?id=102573
941
942         Reviewed by Filip Pizlo.
943
944         We don't do any copying into the newly allocated vector and we don't zero-initialize CopiedBlocks 
945         during the copying phase, so we end up with uninitialized memory in arrays which have undecided indexing 
946         types. We should just do the actual memcpy from the old block to the new one. 
947
948         * runtime/JSObject.cpp:
949         (JSC::JSObject::copyButterfly): Just do the same thing that we do for other contiguous indexing types.
950
951 2012-11-26  Julien BRIANCEAU  <jbrianceau@nds.com>
952
953         [sh4] JavaScriptCore JIT build is broken since r135330
954         Add missing implementation for sh4 arch.
955         https://bugs.webkit.org/show_bug.cgi?id=103145
956
957         Reviewed by Oliver Hunt.
958
959         * assembler/MacroAssemblerSH4.h:
960         (JSC::MacroAssemblerSH4::canJumpReplacePatchableBranchPtrWithPatch):
961         (MacroAssemblerSH4):
962         (JSC::MacroAssemblerSH4::startOfBranchPtrWithPatchOnRegister):
963         (JSC::MacroAssemblerSH4::revertJumpReplacementToBranchPtrWithPatch):
964         (JSC::MacroAssemblerSH4::startOfPatchableBranchPtrWithPatchOnAddress):
965         (JSC::MacroAssemblerSH4::revertJumpReplacementToPatchableBranchPtrWithPatch):
966         * assembler/SH4Assembler.h:
967         (JSC::SH4Assembler::revertJump):
968         (SH4Assembler):
969         (JSC::SH4Assembler::printInstr):
970
971 2012-11-26  Yuqiang Xian  <yuqiang.xian@intel.com>
972
973         Use load64 instead of loadPtr to load a JSValue on JSVALUE64 platforms
974         https://bugs.webkit.org/show_bug.cgi?id=100909
975
976         Reviewed by Brent Fulgham.
977
978         This is a (trivial) fix after r132701.
979
980         * dfg/DFGOSRExitCompiler64.cpp:
981         (JSC::DFG::OSRExitCompiler::compileExit):
982
983 2012-11-26  Gabor Ballabas  <gaborb@inf.u-szeged.hu>
984
985         [Qt][ARM] REGRESSION(r130826): It made 33 JSC test and 466 layout tests crash
986         https://bugs.webkit.org/show_bug.cgi?id=98857
987
988         Reviewed by Zoltan Herczeg.
989
990         Implement a new version of patchableBranch32 to fix crashing JSC
991         tests.
992
993         * assembler/MacroAssembler.h:
994         (MacroAssembler):
995         * assembler/MacroAssemblerARM.h:
996         (JSC::MacroAssemblerARM::patchableBranch32):
997         (MacroAssemblerARM):
998
999 2012-11-21  Filip Pizlo  <fpizlo@apple.com>
1000
1001         Any function that can log things should be able to easily log them to a memory buffer as well
1002         https://bugs.webkit.org/show_bug.cgi?id=103000
1003
1004         Reviewed by Sam Weinig.
1005
1006         Change all users of WTF::dataFile() to expect a PrintStream& rather than a FILE*.
1007
1008         * bytecode/Operands.h:
1009         (JSC::OperandValueTraits::dump):
1010         (JSC::dumpOperands):
1011         (JSC):
1012         * dfg/DFGAbstractState.cpp:
1013         (JSC::DFG::AbstractState::dump):
1014         * dfg/DFGAbstractState.h:
1015         (AbstractState):
1016         * dfg/DFGAbstractValue.h:
1017         (JSC::DFG::AbstractValue::dump):
1018         * dfg/DFGCommon.h:
1019         (JSC::DFG::NodeIndexTraits::dump):
1020         * dfg/DFGStructureAbstractValue.h:
1021         (JSC::DFG::StructureAbstractValue::dump):
1022         * dfg/DFGVariableEvent.cpp:
1023         (JSC::DFG::VariableEvent::dump):
1024         (JSC::DFG::VariableEvent::dumpFillInfo):
1025         (JSC::DFG::VariableEvent::dumpSpillInfo):
1026         * dfg/DFGVariableEvent.h:
1027         (VariableEvent):
1028         * disassembler/Disassembler.h:
1029         (JSC):
1030         (JSC::tryToDisassemble):
1031         * disassembler/UDis86Disassembler.cpp:
1032         (JSC::tryToDisassemble):
1033
1034 2012-11-23  Alexis Menard  <alexis@webkit.org>
1035
1036         [CSS3 Backgrounds and Borders] Implement new CSS3 background-position parsing.
1037         https://bugs.webkit.org/show_bug.cgi?id=102104
1038
1039         Reviewed by Julien Chaffraix.
1040
1041         Protect the new feature behind a feature flag.
1042
1043         * Configurations/FeatureDefines.xcconfig:
1044
1045 2012-11-23  Gabor Ballabas  <gaborb@inf.u-szeged.hu>
1046
1047         Fix the ARM traditional build after r135330
1048         https://bugs.webkit.org/show_bug.cgi?id=102871
1049
1050         Reviewed by Zoltan Herczeg.
1051
1052         Added missing functionality to traditional ARM architecture.
1053
1054         * assembler/ARMAssembler.h:
1055         (JSC::ARMAssembler::revertJump):
1056         (ARMAssembler):
1057         * assembler/MacroAssemblerARM.h:
1058         (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatchOnAddress):
1059         (JSC::MacroAssemblerARM::startOfBranchPtrWithPatchOnRegister):
1060         (MacroAssemblerARM):
1061         (JSC::MacroAssemblerARM::revertJumpReplacementToBranchPtrWithPatch):
1062
1063 2012-11-16  Yury Semikhatsky  <yurys@chromium.org>
1064
1065         Memory instrumentation: extract MemoryObjectInfo declaration into a separate file
1066         https://bugs.webkit.org/show_bug.cgi?id=102510
1067
1068         Reviewed by Pavel Feldman.
1069
1070         Added new symbols for the methods that have moved into .../wtf/MemoryInstrumentation.cpp
1071
1072         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1073
1074 2012-11-23  Julien BRIANCEAU  <jbrianceau@nds.com>
1075
1076         [sh4] JavaScriptCore JIT build is broken since r130839
1077         Add missing implementation for sh4 arch.
1078         https://bugs.webkit.org/show_bug.cgi?id=101479
1079
1080         Reviewed by Filip Pizlo.
1081
1082         * assembler/MacroAssemblerSH4.h:
1083         (JSC::MacroAssemblerSH4::load8Signed):
1084         (MacroAssemblerSH4):
1085         (JSC::MacroAssemblerSH4::load16Signed):
1086         (JSC::MacroAssemblerSH4::store8):
1087         (JSC::MacroAssemblerSH4::store16):
1088         (JSC::MacroAssemblerSH4::moveDoubleToInts):
1089         (JSC::MacroAssemblerSH4::moveIntsToDouble):
1090         (JSC::MacroAssemblerSH4::loadFloat):
1091         (JSC::MacroAssemblerSH4::loadDouble):
1092         (JSC::MacroAssemblerSH4::storeFloat):
1093         (JSC::MacroAssemblerSH4::storeDouble):
1094         (JSC::MacroAssemblerSH4::addDouble):
1095         (JSC::MacroAssemblerSH4::convertFloatToDouble):
1096         (JSC::MacroAssemblerSH4::convertDoubleToFloat):
1097         (JSC::MacroAssemblerSH4::urshift32):
1098         * assembler/SH4Assembler.h:
1099         (JSC::SH4Assembler::sublRegReg):
1100         (JSC::SH4Assembler::subvlRegReg):
1101         (JSC::SH4Assembler::floatfpulfrn):
1102         (JSC::SH4Assembler::fldsfpul):
1103         (JSC::SH4Assembler::fstsfpul):
1104         (JSC::SH4Assembler::dcnvsd):
1105         (SH4Assembler):
1106         (JSC::SH4Assembler::movbRegMem):
1107         (JSC::SH4Assembler::sizeOfConstantPool):
1108         (JSC::SH4Assembler::linkJump):
1109         (JSC::SH4Assembler::printInstr):
1110         (JSC::SH4Assembler::printBlockInstr):
1111
1112 2012-11-22  Balazs Kilvady  <kilvadyb@homejinni.com>
1113
1114         Fix the MIPS build after r135330
1115         https://bugs.webkit.org/show_bug.cgi?id=102872
1116
1117         Reviewed by Gavin Barraclough.
1118
1119         Revert/replace functions added to MIPS port.
1120
1121         * assembler/MIPSAssembler.h:
1122         (JSC::MIPSAssembler::revertJumpToMove):
1123         (MIPSAssembler):
1124         (JSC::MIPSAssembler::replaceWithJump):
1125         * assembler/MacroAssemblerMIPS.h:
1126         (MacroAssemblerMIPS):
1127         (JSC::MacroAssemblerMIPS::startOfBranchPtrWithPatchOnRegister):
1128         (JSC::MacroAssemblerMIPS::revertJumpReplacementToBranchPtrWithPatch):
1129         (JSC::MacroAssemblerMIPS::startOfPatchableBranchPtrWithPatchOnAddress):
1130
1131 2012-11-21  Filip Pizlo  <fpizlo@apple.com>
1132
1133         Rename dataLog() and dataLogV() to dataLogF() and dataLogFV()
1134         https://bugs.webkit.org/show_bug.cgi?id=103001
1135
1136         Rubber stamped by Dan Bernstein.
1137
1138         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1139         * assembler/LinkBuffer.cpp:
1140         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
1141         (JSC::LinkBuffer::dumpLinkStatistics):
1142         (JSC::LinkBuffer::dumpCode):
1143         * assembler/LinkBuffer.h:
1144         (JSC):
1145         * assembler/SH4Assembler.h:
1146         (JSC::SH4Assembler::vprintfStdoutInstr):
1147         * bytecode/CodeBlock.cpp:
1148         (JSC::CodeBlock::dumpBytecodeCommentAndNewLine):
1149         (JSC::CodeBlock::printUnaryOp):
1150         (JSC::CodeBlock::printBinaryOp):
1151         (JSC::CodeBlock::printConditionalJump):
1152         (JSC::CodeBlock::printGetByIdOp):
1153         (JSC::dumpStructure):
1154         (JSC::dumpChain):
1155         (JSC::CodeBlock::printGetByIdCacheStatus):
1156         (JSC::CodeBlock::printCallOp):
1157         (JSC::CodeBlock::printPutByIdOp):
1158         (JSC::CodeBlock::printStructure):
1159         (JSC::CodeBlock::printStructures):
1160         (JSC::CodeBlock::dump):
1161         (JSC::CodeBlock::dumpStatistics):
1162         (JSC::CodeBlock::finalizeUnconditionally):
1163         (JSC::CodeBlock::resetStubInternal):
1164         (JSC::CodeBlock::reoptimize):
1165         (JSC::ProgramCodeBlock::jettison):
1166         (JSC::EvalCodeBlock::jettison):
1167         (JSC::FunctionCodeBlock::jettison):
1168         (JSC::CodeBlock::shouldOptimizeNow):
1169         (JSC::CodeBlock::tallyFrequentExitSites):
1170         (JSC::CodeBlock::dumpValueProfiles):
1171         * bytecode/Opcode.cpp:
1172         (JSC::OpcodeStats::~OpcodeStats):
1173         * bytecode/SamplingTool.cpp:
1174         (JSC::SamplingFlags::stop):
1175         (JSC::SamplingRegion::dumpInternal):
1176         (JSC::SamplingTool::dump):
1177         * dfg/DFGAbstractState.cpp:
1178         (JSC::DFG::AbstractState::initialize):
1179         (JSC::DFG::AbstractState::endBasicBlock):
1180         (JSC::DFG::AbstractState::mergeStateAtTail):
1181         (JSC::DFG::AbstractState::mergeToSuccessors):
1182         * dfg/DFGAbstractValue.h:
1183         (JSC::DFG::AbstractValue::dump):
1184         * dfg/DFGArgumentsSimplificationPhase.cpp:
1185         (JSC::DFG::ArgumentsSimplificationPhase::run):
1186         * dfg/DFGByteCodeParser.cpp:
1187         (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
1188         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
1189         (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
1190         (JSC::DFG::ByteCodeParser::makeSafe):
1191         (JSC::DFG::ByteCodeParser::makeDivSafe):
1192         (JSC::DFG::ByteCodeParser::handleCall):
1193         (JSC::DFG::ByteCodeParser::handleInlining):
1194         (JSC::DFG::ByteCodeParser::parseBlock):
1195         (JSC::DFG::ByteCodeParser::processPhiStack):
1196         (JSC::DFG::ByteCodeParser::linkBlock):
1197         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1198         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1199         (JSC::DFG::ByteCodeParser::parse):
1200         * dfg/DFGCFAPhase.cpp:
1201         (JSC::DFG::CFAPhase::performBlockCFA):
1202         (JSC::DFG::CFAPhase::performForwardCFA):
1203         * dfg/DFGCFGSimplificationPhase.cpp:
1204         (JSC::DFG::CFGSimplificationPhase::run):
1205         (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
1206         (JSC::DFG::CFGSimplificationPhase::fixPhis):
1207         (JSC::DFG::CFGSimplificationPhase::fixJettisonedPredecessors):
1208         (JSC::DFG::CFGSimplificationPhase::removePotentiallyDeadPhiReference):
1209         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
1210         * dfg/DFGCSEPhase.cpp:
1211         (JSC::DFG::CSEPhase::endIndexForPureCSE):
1212         (JSC::DFG::CSEPhase::setReplacement):
1213         (JSC::DFG::CSEPhase::eliminate):
1214         (JSC::DFG::CSEPhase::performNodeCSE):
1215         * dfg/DFGCapabilities.cpp:
1216         (JSC::DFG::debugFail):
1217         * dfg/DFGConstantFoldingPhase.cpp:
1218         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1219         (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
1220         * dfg/DFGDisassembler.cpp:
1221         (JSC::DFG::Disassembler::dump):
1222         * dfg/DFGDriver.cpp:
1223         (JSC::DFG::compile):
1224         * dfg/DFGFixupPhase.cpp:
1225         (JSC::DFG::FixupPhase::fixupNode):
1226         (JSC::DFG::FixupPhase::fixDoubleEdge):
1227         * dfg/DFGGraph.cpp:
1228         (JSC::DFG::printWhiteSpace):
1229         (JSC::DFG::Graph::dumpCodeOrigin):
1230         (JSC::DFG::Graph::dump):
1231         (JSC::DFG::Graph::dumpBlockHeader):
1232         (JSC::DFG::Graph::predictArgumentTypes):
1233         * dfg/DFGJITCompiler.cpp:
1234         (JSC::DFG::JITCompiler::link):
1235         * dfg/DFGOSREntry.cpp:
1236         (JSC::DFG::prepareOSREntry):
1237         * dfg/DFGOSRExitCompiler.cpp:
1238         * dfg/DFGOSRExitCompiler32_64.cpp:
1239         (JSC::DFG::OSRExitCompiler::compileExit):
1240         * dfg/DFGOSRExitCompiler64.cpp:
1241         (JSC::DFG::OSRExitCompiler::compileExit):
1242         * dfg/DFGOperations.cpp:
1243         * dfg/DFGPhase.cpp:
1244         (JSC::DFG::Phase::beginPhase):
1245         * dfg/DFGPhase.h:
1246         (JSC::DFG::runAndLog):
1247         * dfg/DFGPredictionPropagationPhase.cpp:
1248         (JSC::DFG::PredictionPropagationPhase::propagate):
1249         (JSC::DFG::PredictionPropagationPhase::propagateForward):
1250         (JSC::DFG::PredictionPropagationPhase::propagateBackward):
1251         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
1252         * dfg/DFGRegisterBank.h:
1253         (JSC::DFG::RegisterBank::dump):
1254         * dfg/DFGScoreBoard.h:
1255         (JSC::DFG::ScoreBoard::use):
1256         (JSC::DFG::ScoreBoard::dump):
1257         * dfg/DFGSlowPathGenerator.h:
1258         (JSC::DFG::SlowPathGenerator::generate):
1259         * dfg/DFGSpeculativeJIT.cpp:
1260         (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
1261         (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecutionWithConditionalDirection):
1262         (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
1263         (JSC::DFG::SpeculativeJIT::dump):
1264         (JSC::DFG::SpeculativeJIT::checkConsistency):
1265         (JSC::DFG::SpeculativeJIT::compile):
1266         (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
1267         * dfg/DFGSpeculativeJIT32_64.cpp:
1268         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1269         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1270         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1271         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1272         * dfg/DFGSpeculativeJIT64.cpp:
1273         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1274         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1275         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1276         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1277         * dfg/DFGStructureCheckHoistingPhase.cpp:
1278         (JSC::DFG::StructureCheckHoistingPhase::run):
1279         * dfg/DFGValidate.cpp:
1280         (Validate):
1281         (JSC::DFG::Validate::reportValidationContext):
1282         (JSC::DFG::Validate::dumpData):
1283         (JSC::DFG::Validate::dumpGraphIfAppropriate):
1284         * dfg/DFGVariableEventStream.cpp:
1285         (JSC::DFG::VariableEventStream::logEvent):
1286         (JSC::DFG::VariableEventStream::reconstruct):
1287         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
1288         (JSC::DFG::VirtualRegisterAllocationPhase::run):
1289         * heap/Heap.cpp:
1290         * heap/HeapStatistics.cpp:
1291         (JSC::HeapStatistics::logStatistics):
1292         (JSC::HeapStatistics::showObjectStatistics):
1293         * heap/MarkStack.h:
1294         * heap/MarkedBlock.h:
1295         * heap/SlotVisitor.cpp:
1296         (JSC::SlotVisitor::validate):
1297         * interpreter/CallFrame.cpp:
1298         (JSC::CallFrame::dumpCaller):
1299         * interpreter/Interpreter.cpp:
1300         (JSC::Interpreter::dumpRegisters):
1301         * jit/JIT.cpp:
1302         (JSC::JIT::privateCompileMainPass):
1303         (JSC::JIT::privateCompileSlowCases):
1304         (JSC::JIT::privateCompile):
1305         * jit/JITDisassembler.cpp:
1306         (JSC::JITDisassembler::dump):
1307         (JSC::JITDisassembler::dumpForInstructions):
1308         * jit/JITStubRoutine.h:
1309         (JSC):
1310         * jit/JITStubs.cpp:
1311         (JSC::DEFINE_STUB_FUNCTION):
1312         * jit/JumpReplacementWatchpoint.cpp:
1313         (JSC::JumpReplacementWatchpoint::fireInternal):
1314         * llint/LLIntExceptions.cpp:
1315         (JSC::LLInt::interpreterThrowInCaller):
1316         (JSC::LLInt::returnToThrow):
1317         (JSC::LLInt::callToThrow):
1318         * llint/LLIntSlowPaths.cpp:
1319         (JSC::LLInt::llint_trace_operand):
1320         (JSC::LLInt::llint_trace_value):
1321         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1322         (JSC::LLInt::traceFunctionPrologue):
1323         (JSC::LLInt::jitCompileAndSetHeuristics):
1324         (JSC::LLInt::entryOSR):
1325         (JSC::LLInt::handleHostCall):
1326         (JSC::LLInt::setUpCall):
1327         * profiler/Profile.cpp:
1328         (JSC::Profile::debugPrintData):
1329         (JSC::Profile::debugPrintDataSampleStyle):
1330         * profiler/ProfileNode.cpp:
1331         (JSC::ProfileNode::debugPrintData):
1332         (JSC::ProfileNode::debugPrintDataSampleStyle):
1333         * runtime/JSGlobalData.cpp:
1334         (JSC::JSGlobalData::dumpRegExpTrace):
1335         * runtime/RegExp.cpp:
1336         (JSC::RegExp::matchCompareWithInterpreter):
1337         * runtime/SamplingCounter.cpp:
1338         (JSC::AbstractSamplingCounter::dump):
1339         * runtime/Structure.cpp:
1340         (JSC::Structure::dumpStatistics):
1341         (JSC::PropertyMapStatisticsExitLogger::~PropertyMapStatisticsExitLogger):
1342         * tools/CodeProfile.cpp:
1343         (JSC::CodeProfile::report):
1344         * tools/ProfileTreeNode.h:
1345         (JSC::ProfileTreeNode::dumpInternal):
1346         * yarr/YarrInterpreter.cpp:
1347         (JSC::Yarr::ByteCompiler::dumpDisjunction):
1348
1349 2012-11-21  Filip Pizlo  <fpizlo@apple.com>
1350
1351         It should be possible to say disassemble(stuff) instead of having to say if (!tryToDisassemble(stuff)) dataLog("I failed")
1352         https://bugs.webkit.org/show_bug.cgi?id=103010
1353
1354         Reviewed by Anders Carlsson.
1355
1356         You can still say tryToDisassemble(), which will tell you if it failed; you can then
1357         decide what to do instead. But it's better to say disassemble(), which will just print
1358         the instruction ranges if tryToDisassemble() failed. This is particularly appropriate
1359         since that's what all previous users of tryToDisassemble() would have done in some
1360         form or another.
1361
1362         * CMakeLists.txt:
1363         * GNUmakefile.list.am:
1364         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1365         * JavaScriptCore.xcodeproj/project.pbxproj:
1366         * Target.pri:
1367         * assembler/LinkBuffer.cpp:
1368         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
1369         * dfg/DFGDisassembler.cpp:
1370         (JSC::DFG::Disassembler::dumpDisassembly):
1371         * disassembler/Disassembler.cpp: Added.
1372         (JSC):
1373         (JSC::disassemble):
1374         * disassembler/Disassembler.h:
1375         (JSC):
1376         * jit/JITDisassembler.cpp:
1377         (JSC::JITDisassembler::dumpDisassembly):
1378
1379 2012-11-21  Filip Pizlo  <fpizlo@apple.com>
1380
1381         dumpOperands() claims that it needs a non-const Operands& when that is completely false
1382         https://bugs.webkit.org/show_bug.cgi?id=103005
1383
1384         Reviewed by Eric Carlson.
1385
1386         * bytecode/Operands.h:
1387         (JSC::dumpOperands):
1388         (JSC):
1389
1390 2012-11-20  Filip Pizlo  <fpizlo@apple.com>
1391
1392         Baseline JIT's disassembly should be just as pretty as the DFG's
1393         https://bugs.webkit.org/show_bug.cgi?id=102873
1394
1395         Reviewed by Sam Weinig.
1396
1397         Integrated the CodeBlock's bytecode dumper with the JIT's disassembler. Also fixed
1398         some type goof-ups (instructions are not in a Vector<Instruction> so using a Vector
1399         iterator makes no sense) and stream-lined some things (you don't actually need a
1400         full-fledged ExecState* to dump bytecode).
1401
1402         * CMakeLists.txt:
1403         * GNUmakefile.list.am:
1404         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1405         * JavaScriptCore.xcodeproj/project.pbxproj:
1406         * Target.pri:
1407         * bytecode/CodeBlock.cpp:
1408         (JSC::CodeBlock::printUnaryOp):
1409         (JSC::CodeBlock::printBinaryOp):
1410         (JSC::CodeBlock::printConditionalJump):
1411         (JSC::CodeBlock::printGetByIdOp):
1412         (JSC::CodeBlock::printCallOp):
1413         (JSC::CodeBlock::printPutByIdOp):
1414         (JSC::CodeBlock::dump):
1415         (JSC):
1416         (JSC::CodeBlock::CodeBlock):
1417         * bytecode/CodeBlock.h:
1418         (CodeBlock):
1419         * interpreter/Interpreter.cpp:
1420         (JSC::Interpreter::dumpCallFrame):
1421         * jit/JIT.cpp:
1422         (JSC::JIT::privateCompileMainPass):
1423         (JSC::JIT::privateCompileSlowCases):
1424         (JSC::JIT::privateCompile):
1425         * jit/JIT.h:
1426         (JIT):
1427         * jit/JITDisassembler.cpp: Added.
1428         (JSC):
1429         (JSC::JITDisassembler::JITDisassembler):
1430         (JSC::JITDisassembler::~JITDisassembler):
1431         (JSC::JITDisassembler::dump):
1432         (JSC::JITDisassembler::dumpForInstructions):
1433         (JSC::JITDisassembler::dumpDisassembly):
1434         * jit/JITDisassembler.h: Added.
1435         (JSC):
1436         (JITDisassembler):
1437         (JSC::JITDisassembler::setStartOfCode):
1438         (JSC::JITDisassembler::setForBytecodeMainPath):
1439         (JSC::JITDisassembler::setForBytecodeSlowPath):
1440         (JSC::JITDisassembler::setEndOfSlowPath):
1441         (JSC::JITDisassembler::setEndOfCode):
1442
1443 2012-11-21  Daniel Bates  <dbates@webkit.org>
1444
1445         JavaScript fails to concatenate large strings
1446         <https://bugs.webkit.org/show_bug.cgi?id=102963>
1447
1448         Reviewed by Michael Saboff.
1449
1450         Fixes an issue where we inadvertently didn't check the length of
1451         a JavaScript string for overflow.
1452
1453         * runtime/Operations.h:
1454         (JSC::jsString):
1455         (JSC::jsStringFromArguments):
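
The overflow the entry above fixes is the classic one: summing the lengths of the operands before allocating the result, with no guard, lets two large operands wrap the total around to a small number and allocate far too little. The block below is an added illustration, not JSC's jsString() or jsStringFromArguments(); it models the unchecked sum beside a checked one. kMaxStringLength is a hypothetical limit standing in for the engine's own maximum, which this page does not state.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <string>
#include <vector>

// Hypothetical per-string length limit (the real engine limit is not given on
// this page). Keeping it below SIZE_MAX is what makes the check below sound.
constexpr size_t kMaxStringLength = std::numeric_limits<int32_t>::max();

// Vulnerable pattern: the lengths are summed with no guard, so two large
// operands wrap silently and the total claims to be shorter than either one.
size_t unsafeTotalLength(const std::vector<size_t>& lengths)
{
    size_t total = 0;
    for (size_t len : lengths)
        total += len; // unsigned wraparound is well-defined, and wrong here
    return total;
}

// Hardened pattern: reject the sum as soon as it would exceed the limit.
// Because total <= kMaxStringLength holds on every iteration, the subtraction
// kMaxStringLength - total never underflows, so the check itself cannot wrap.
// On rejection the caller would throw (RangeError / out of memory) instead of
// allocating.
bool checkedTotalLength(const std::vector<size_t>& lengths, size_t& total)
{
    total = 0;
    for (size_t len : lengths) {
        if (len > kMaxStringLength - total)
            return false;
        total += len;
    }
    return true;
}

// Concatenation driver: compute the length first, then allocate exactly once.
// Returns false instead of allocating when the combined length is rejected.
bool concatenateChecked(const std::vector<std::string>& parts, std::string& out)
{
    std::vector<size_t> lengths;
    lengths.reserve(parts.size());
    for (const std::string& p : parts)
        lengths.push_back(p.size());

    size_t total = 0;
    if (!checkedTotalLength(lengths, total))
        return false;

    out.clear();
    out.reserve(total);
    for (const std::string& p : parts)
        out += p;
    return true;
}
```

The point worth keeping in mind is the shape of the guard: compare the next operand against the remaining headroom (`limit - total`) rather than checking `total + len > limit`, because the latter performs the very addition that can wrap.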
1456
1457 2012-11-20  Filip Pizlo  <fpizlo@apple.com>
1458
1459         DFG should be able to cache closure calls (part 2/2)
1460         https://bugs.webkit.org/show_bug.cgi?id=102662
1461
1462         Reviewed by Gavin Barraclough.
1463
1464         Added caching of calls where the JSFunction* varies, but the Structure* and ExecutableBase*
1465         stay the same. This is accomplished by replacing the branch that compares against a constant
1466         JSFunction* with a jump to a closure call stub. The closure call stub contains a fast path,
1467         and jumps slow directly to the virtual call thunk.
1468
1469         Looks like a 1% win on V8v7.
1470
1471         * CMakeLists.txt:
1472         * GNUmakefile.list.am:
1473         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1474         * JavaScriptCore.xcodeproj/project.pbxproj:
1475         * Target.pri:
1476         * bytecode/CallLinkInfo.cpp:
1477         (JSC::CallLinkInfo::unlink):
1478         * bytecode/CallLinkInfo.h:
1479         (CallLinkInfo):
1480         (JSC::CallLinkInfo::isLinked):
1481         (JSC::getCallLinkInfoBytecodeIndex):
1482         * bytecode/CodeBlock.cpp:
1483         (JSC::CodeBlock::finalizeUnconditionally):
1484         (JSC):
1485         (JSC::CodeBlock::findClosureCallForReturnPC):
1486         (JSC::CodeBlock::bytecodeOffset):
1487         (JSC::CodeBlock::codeOriginForReturn):
1488         * bytecode/CodeBlock.h:
1489         (JSC::CodeBlock::getCallLinkInfo):
1490         (CodeBlock):
1491         (JSC::CodeBlock::isIncomingCallAlreadyLinked):
1492         * dfg/DFGJITCompiler.cpp:
1493         (JSC::DFG::JITCompiler::link):
1494         * dfg/DFGJITCompiler.h:
1495         (JSC::DFG::JITCompiler::addJSCall):
1496         (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
1497         (JSCallRecord):
1498         * dfg/DFGOperations.cpp:
1499         * dfg/DFGOperations.h:
1500         * dfg/DFGRepatch.cpp:
1501         (JSC::DFG::linkSlowFor):
1502         (DFG):
1503         (JSC::DFG::dfgLinkFor):
1504         (JSC::DFG::dfgLinkSlowFor):
1505         (JSC::DFG::dfgLinkClosureCall):
1506         * dfg/DFGRepatch.h:
1507         (DFG):
1508         * dfg/DFGSpeculativeJIT32_64.cpp:
1509         (JSC::DFG::SpeculativeJIT::emitCall):
1510         * dfg/DFGSpeculativeJIT64.cpp:
1511         (JSC::DFG::SpeculativeJIT::emitCall):
1512         * dfg/DFGThunks.cpp:
1513         (DFG):
1514         (JSC::DFG::linkClosureCallThunkGenerator):
1515         * dfg/DFGThunks.h:
1516         (DFG):
1517         * heap/Heap.h:
1518         (Heap):
1519         (JSC::Heap::jitStubRoutines):
1520         * heap/JITStubRoutineSet.h:
1521         (JSC::JITStubRoutineSet::size):
1522         (JSC::JITStubRoutineSet::at):
1523         (JITStubRoutineSet):
1524         * jit/ClosureCallStubRoutine.cpp: Added.
1525         (JSC):
1526         (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
1527         (JSC::ClosureCallStubRoutine::~ClosureCallStubRoutine):
1528         (JSC::ClosureCallStubRoutine::markRequiredObjectsInternal):
1529         * jit/ClosureCallStubRoutine.h: Added.
1530         (JSC):
1531         (ClosureCallStubRoutine):
1532         (JSC::ClosureCallStubRoutine::structure):
1533         (JSC::ClosureCallStubRoutine::executable):
1534         (JSC::ClosureCallStubRoutine::codeOrigin):
1535         * jit/GCAwareJITStubRoutine.cpp:
1536         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
1537         * jit/GCAwareJITStubRoutine.h:
1538         (GCAwareJITStubRoutine):
1539         (JSC::GCAwareJITStubRoutine::isClosureCall):
1540         * jit/JIT.cpp:
1541         (JSC::JIT::privateCompile):
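
To make the caching key described above concrete: every closure created from one function literal shares the same Structure* and ExecutableBase*, but each is a distinct JSFunction*, so a call site that is relinked to an exact JSFunction* misses every time it sees a fresh closure. The block below is an added simulation of that difference, not JSC's CallLinkInfo or the closure call stub; the Structure, Executable and JSFunction structs and the two cache classes are constructed for the example.

```cpp
#include <vector>

// Constructed stand-ins for the three identities at a JS call site.
struct Structure { int id; };
struct Executable { int id; };
struct JSFunction {
    const Structure* structure;   // shared by all closures of one literal
    const Executable* executable; // shared by all closures of one literal
    int captured;                 // per-closure state; each closure is distinct
};

// Before the change: the call site is linked to one exact JSFunction*.
struct MonomorphicCallCache {
    const JSFunction* callee = nullptr;
    int hits = 0;
    int misses = 0;
    void call(const JSFunction* f)
    {
        if (f == callee) { ++hits; return; } // fast path
        ++misses;                            // slow path: relink to this callee
        callee = f;
    }
};

// After the change: the stub compares Structure* and Executable* only, so any
// closure of the same literal takes the fast path even though JSFunction* differs.
struct ClosureCallCache {
    const Structure* structure = nullptr;
    const Executable* executable = nullptr;
    int hits = 0;
    int misses = 0;
    void call(const JSFunction* f)
    {
        if (f->structure == structure && f->executable == executable) { ++hits; return; }
        ++misses;
        structure = f->structure;
        executable = f->executable;
    }
};

struct CacheStats { int monomorphicHits; int closureHits; };

// Workload modelling a loop such as
//     for (var i = 0; i < n; ++i) { var add = makeAdder(i); add(1); }
// where a brand-new closure reaches the same call site on every iteration.
CacheStats simulate(int iterations)
{
    Structure s{1};
    Executable e{42};
    std::vector<JSFunction> closures;
    closures.reserve(iterations);
    for (int i = 0; i < iterations; ++i)
        closures.push_back(JSFunction{&s, &e, i}); // distinct object each time

    MonomorphicCallCache mono;
    ClosureCallCache closure;
    for (const JSFunction& f : closures) {
        mono.call(&f);
        closure.call(&f);
    }
    return CacheStats{mono.hits, closure.hits};
}
```

With n iterations the monomorphic cache never hits (every callee pointer is new), while the closure cache misses only on the first call and hits the remaining n - 1 times, which is the behaviour the entry's "fast path, and jumps slow directly to the virtual call thunk" design is after.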
1542
1543 2012-11-20  Filip Pizlo  <fpizlo@apple.com>
1544
1545         DFG should be able to cache closure calls (part 1/2)
1546         https://bugs.webkit.org/show_bug.cgi?id=102662
1547
1548         Reviewed by Gavin Barraclough.
1549
1550         Add ability to revert a jump replacement back to
1551         branchPtrWithPatch(Condition, RegisterID, TrustedImmPtr). This is meant to be
1552         a mandatory piece of functionality for all assemblers. I also renamed some of
1553         the functions for reverting jump replacements back to
1554         patchableBranchPtrWithPatch(Condition, Address, TrustedImmPtr), so as to avoid
1555         confusion.
1556
1557         * assembler/ARMv7Assembler.h:
1558         (JSC::ARMv7Assembler::BadReg):
1559         (ARMv7Assembler):
1560         (JSC::ARMv7Assembler::revertJumpTo_movT3):
1561         * assembler/LinkBuffer.h:
1562         (JSC):
1563         * assembler/MacroAssemblerARMv7.h:
1564         (JSC::MacroAssemblerARMv7::startOfBranchPtrWithPatchOnRegister):
1565         (MacroAssemblerARMv7):
1566         (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):
1567         (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatchOnAddress):
1568         * assembler/MacroAssemblerX86.h:
1569         (JSC::MacroAssemblerX86::startOfBranchPtrWithPatchOnRegister):
1570         (MacroAssemblerX86):
1571         (JSC::MacroAssemblerX86::startOfPatchableBranchPtrWithPatchOnAddress):
1572         (JSC::MacroAssemblerX86::revertJumpReplacementToBranchPtrWithPatch):
1573         * assembler/MacroAssemblerX86_64.h:
1574         (JSC::MacroAssemblerX86_64::startOfBranchPtrWithPatchOnRegister):
1575         (JSC::MacroAssemblerX86_64::startOfPatchableBranchPtrWithPatchOnAddress):
1576         (MacroAssemblerX86_64):
1577         (JSC::MacroAssemblerX86_64::revertJumpReplacementToBranchPtrWithPatch):
1578         * assembler/RepatchBuffer.h:
1579         (JSC::RepatchBuffer::startOfBranchPtrWithPatchOnRegister):
1580         (RepatchBuffer):
1581         (JSC::RepatchBuffer::startOfPatchableBranchPtrWithPatchOnAddress):
1582         (JSC::RepatchBuffer::revertJumpReplacementToBranchPtrWithPatch):
1583         * assembler/X86Assembler.h:
1584         (JSC::X86Assembler::revertJumpTo_cmpl_ir_force32):
1585         (X86Assembler):
1586         * dfg/DFGRepatch.cpp:
1587         (JSC::DFG::replaceWithJump):
1588         (JSC::DFG::dfgResetGetByID):
1589         (JSC::DFG::dfgResetPutByID):
1590
1591 2012-11-20  Yong Li  <yoli@rim.com>
1592
1593         [ARMv7] Neither linkCall() nor linkPointer() should flush code.
1594         https://bugs.webkit.org/show_bug.cgi?id=99213
1595
1596         Reviewed by George Staikos.
1597
1598         LinkBuffer doesn't need to flush code during linking. It will
1599         eventually flush the whole executable. Fixing this gives a >5%
1600         SunSpider boost (on QNX).
1601
1602         Also make replaceWithLoad() and replaceWithAddressComputation() flush
1603         only when necessary.
1604
1605         * assembler/ARMv7Assembler.h:
1606         (JSC::ARMv7Assembler::linkCall):
1607         (JSC::ARMv7Assembler::linkPointer):
1608         (JSC::ARMv7Assembler::relinkCall):
1609         (JSC::ARMv7Assembler::repatchInt32):
1610         (JSC::ARMv7Assembler::repatchPointer):
1611         (JSC::ARMv7Assembler::replaceWithLoad): Flush only after it did write.
1612         (JSC::ARMv7Assembler::replaceWithAddressComputation): Flush only after it did write.
1613         (JSC::ARMv7Assembler::setInt32):
1614         (JSC::ARMv7Assembler::setPointer):
1615
1616 2012-11-19  Filip Pizlo  <fpizlo@apple.com>
1617
1618         Remove support for ARMv7 errata from the jump code
1619         https://bugs.webkit.org/show_bug.cgi?id=102759
1620
1621         Reviewed by Oliver Hunt.
1622
1623         The jump replacement code was wrong to begin with since it wasn't doing
1624         a cache flush on the inserted padding. And, to my knowledge, we don't need
1625         this anymore, so this patch removes all errata code from the ARMv7 port.
1626
1627         * assembler/ARMv7Assembler.h:
1628         (JSC::ARMv7Assembler::computeJumpType):
1629         (JSC::ARMv7Assembler::replaceWithJump):
1630         (JSC::ARMv7Assembler::maxJumpReplacementSize):
1631         (JSC::ARMv7Assembler::canBeJumpT3):
1632         (JSC::ARMv7Assembler::canBeJumpT4):
1633
1634 2012-11-19  Patrick Gansterer  <paroga@webkit.org>
1635
1636         [CMake] Create JavaScriptCore ForwardingHeaders
1637         https://bugs.webkit.org/show_bug.cgi?id=92665
1638
1639         Reviewed by Brent Fulgham.
1640
1641         When using CMake to build the Windows port, we need
1642         to generate the forwarding headers with it too.
1643
1644         * CMakeLists.txt:
1645
1646 2012-11-19  Kihong Kwon  <kihong.kwon@samsung.com>
1647
1648         Add PROXIMITY_EVENTS feature
1649         https://bugs.webkit.org/show_bug.cgi?id=102658
1650
1651         Reviewed by Kentaro Hara.
1652
1653         Add PROXIMITY_EVENTS feature to xcode project for JavaScriptCore.
1654
1655         * Configurations/FeatureDefines.xcconfig:
1656
1657 2012-11-18  Dan Bernstein  <mitz@apple.com>
1658
1659         Try to fix the DFG build after r135099.
1660
1661         * dfg/DFGCommon.h:
1662         (JSC::DFG::shouldShowDisassembly):
1663
1664 2012-11-18  Filip Pizlo  <fpizlo@apple.com>
1665
1666         Unreviewed, build fix for !ENABLE(DFG_JIT).
1667
1668         * dfg/DFGCommon.h:
1669         (JSC::DFG::shouldShowDisassembly):
1670         (DFG):
1671
1672 2012-11-18  Filip Pizlo  <fpizlo@apple.com>
1673
1674         JSC should have more logging in structure-related code
1675         https://bugs.webkit.org/show_bug.cgi?id=102630
1676
1677         Reviewed by Simon Fraser.
1678
1679         - JSValue::description() now tells you if something is a structure, and if so,
1680           what kind of structure it is.
1681         
1682         - Jettisoning logic now tells you why things are being jettisoned.
1683         
1684         - It's now possible to turn off GC-triggered jettisoning entirely.
1685
1686         * bytecode/CodeBlock.cpp:
1687         (JSC::CodeBlock::finalizeUnconditionally):
1688         (JSC::CodeBlock::reoptimize):
1689         (JSC::ProgramCodeBlock::jettison):
1690         (JSC::EvalCodeBlock::jettison):
1691         (JSC::FunctionCodeBlock::jettison):
1692         * bytecode/CodeBlock.h:
1693         (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
1694         * runtime/JSValue.cpp:
1695         (JSC::JSValue::description):
1696         * runtime/Options.h:
1697         (JSC):
1698
1699 2012-11-18  Filip Pizlo  <fpizlo@apple.com>
1700
1701         DFG constant folding phase should say 'changed = true' whenever it changes the graph
1702         https://bugs.webkit.org/show_bug.cgi?id=102550
1703
1704         Rubber stamped by Mark Hahnenberg.
1705
1706         * dfg/DFGConstantFoldingPhase.cpp:
1707         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1708
1709 2012-11-17  Elliott Sprehn  <esprehn@chromium.org>
1710
1711         Expose JSObject removeDirect and PrivateName to WebCore
1712         https://bugs.webkit.org/show_bug.cgi?id=102546
1713
1714         Reviewed by Geoffrey Garen.
1715
1716         Export removeDirect for use in WebCore so JSDependentRetained works.
1717
1718         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1719
1720 2012-11-16  Filip Pizlo  <fpizlo@apple.com>
1721
1722         Given a PutById or GetById with a proven structure, the DFG should be able to emit a PutByOffset or GetByOffset instead
1723         https://bugs.webkit.org/show_bug.cgi?id=102327
1724
1725         Reviewed by Mark Hahnenberg.
1726
1727         If the profiler tells us that a GetById or PutById may be polymorphic but our
1728         control flow analysis proves that it isn't, we should trust the control flow
1729         analysis over the profiler. This arises in cases where GetById or PutById were
1730         inlined: the inlined function may have been called from other places that led
1731         to polymorphism, but in the current inlined context, there is no polymorphism.
1732
1733         * bytecode/CodeBlock.cpp:
1734         (JSC::CodeBlock::dump):
1735         * bytecode/GetByIdStatus.cpp:
1736         (JSC::GetByIdStatus::computeFor):
1737         (JSC):
1738         * bytecode/GetByIdStatus.h:
1739         (JSC::GetByIdStatus::GetByIdStatus):
1740         (GetByIdStatus):
1741         * bytecode/PutByIdStatus.cpp:
1742         (JSC::PutByIdStatus::computeFor):
1743         (JSC):
1744         * bytecode/PutByIdStatus.h:
1745         (JSC):
1746         (JSC::PutByIdStatus::PutByIdStatus):
1747         (PutByIdStatus):
1748         * dfg/DFGAbstractState.cpp:
1749         (JSC::DFG::AbstractState::execute):
1750         * dfg/DFGAbstractValue.h:
1751         (JSC::DFG::AbstractValue::bestProvenStructure):
1752         (AbstractValue):
1753         * dfg/DFGConstantFoldingPhase.cpp:
1754         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1755         (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
1756         (ConstantFoldingPhase):
1757         * dfg/DFGNode.h:
1758         (JSC::DFG::Node::convertToGetByOffset):
1759         (Node):
1760         (JSC::DFG::Node::convertToPutByOffset):
1761         (JSC::DFG::Node::hasStorageResult):
1762         * runtime/JSGlobalObject.h:
1763         (JSC::Structure::prototypeChain):
1764         (JSC):
1765         (JSC::Structure::isValid):
1766         * runtime/Operations.h:
1767         (JSC::isPrototypeChainNormalized):
1768         (JSC):
1769         * runtime/Structure.h:
1770         (Structure):
1771         (JSC::Structure::transitionDidInvolveSpecificValue):
1772
1773 2012-11-16  Tony Chang  <tony@chromium.org>
1774
1775         Remove ENABLE_CSS_HIERARCHIES since it's no longer in use
1776         https://bugs.webkit.org/show_bug.cgi?id=102554
1777
1778         Reviewed by Andreas Kling.
1779
1780         As mentioned in https://bugs.webkit.org/show_bug.cgi?id=79939#c41,
1781         we're going to revisit this feature once additional vendor support is
1782         achieved.
1783
1784         * Configurations/FeatureDefines.xcconfig:
1785
1786 2012-11-16  Patrick Gansterer  <paroga@webkit.org>
1787
1788         Build fix for WinCE after r133688.
1789
1790         Use numeric_limits<uint32_t>::max() instead of UINT32_MAX.
1791
1792         * runtime/CodeCache.h:
1793         (JSC::CacheMap::CacheMap):
1794
1795 2012-11-15  Filip Pizlo  <fpizlo@apple.com>
1796
1797         ClassInfo.h should have correct indentation.
1798
1799         Rubber stamped by Mark Hahnenberg.
1800
1801         ClassInfo.h had some true creativity in its use of whitespace. Some things within
1802         the namespace were indented four spaces and others were not. One #define had its
1803         contents indented four spaces, while another didn't. I applied the following rule:
1804         
1805         - Non-macro things in the namespace should not be indented (that's our current
1806           accepted practice).
1807         
1808         - Macros should never be indented but if they are multi-line then their subsequent
1809           bodies should be indented four spaces. I believe that is consistent with what we
1810           do elsewhere.
1811
1812         * runtime/ClassInfo.h:
1813         (JSC):
1814         (MethodTable):
1815         (ClassInfo):
1816         (JSC::ClassInfo::propHashTable):
1817         (JSC::ClassInfo::isSubClassOf):
1818         (JSC::ClassInfo::hasStaticProperties):
1819
1820 2012-11-15  Filip Pizlo  <fpizlo@apple.com>
1821
1822         DFG should copy propagate trivially no-op ConvertThis
1823         https://bugs.webkit.org/show_bug.cgi?id=102445
1824
1825         Reviewed by Oliver Hunt.
1826
1827         Copy propagation is always a good thing, since it reveals must-alias relationships
1828         to the CFA and CSE. This accomplishes copy propagation for ConvertThis by first
1829         converting it to an Identity node (which is done by the constant folder since it
1830         has access to CFA results) and then performing substitution of references to
1831         Identity with references to Identity's child in the CSE.
1832         
1833         I'm not aiming for a big speed-up here; I just think that this will be useful for
1834         the work on https://bugs.webkit.org/show_bug.cgi?id=102327.
1835
1836         * dfg/DFGAbstractState.cpp:
1837         (JSC::DFG::AbstractState::execute):
1838         * dfg/DFGCSEPhase.cpp:
1839         (JSC::DFG::CSEPhase::performNodeCSE):
1840         * dfg/DFGConstantFoldingPhase.cpp:
1841         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1842         * dfg/DFGNodeType.h:
1843         (DFG):
1844         * dfg/DFGPredictionPropagationPhase.cpp:
1845         (JSC::DFG::PredictionPropagationPhase::propagate):
1846         * dfg/DFGSpeculativeJIT32_64.cpp:
1847         (JSC::DFG::SpeculativeJIT::compile):
1848         * dfg/DFGSpeculativeJIT64.cpp:
1849         (JSC::DFG::SpeculativeJIT::compile):
1850
1851 2012-11-15  Filip Pizlo  <fpizlo@apple.com>
1852
1853         CallData.h should have correct indentation.
1854
1855         Rubber stamped by Mark Hahnenberg.
1856
1857         * runtime/CallData.h:
1858         (JSC):
1859
1860 2012-11-15  Filip Pizlo  <fpizlo@apple.com>
1861
1862         Remove methodCallDummy since it is not used anymore.
1863
1864         Rubber stamped by Mark Hahnenberg.
1865
1866         * runtime/JSGlobalObject.cpp:
1867         (JSC::JSGlobalObject::reset):
1868         (JSC):
1869         (JSC::JSGlobalObject::visitChildren):
1870         * runtime/JSGlobalObject.h:
1871         (JSGlobalObject):
1872
1873 2012-11-14  Filip Pizlo  <fpizlo@apple.com>
1874
1875         Structure should be able to easily tell if the prototype chain might intercept a store
1876         https://bugs.webkit.org/show_bug.cgi?id=102326
1877
1878         Reviewed by Geoffrey Garen.
1879
1880         This improves our ability to reason about the correctness of the more optimized
1881         prototype chain walk in JSObject::put(), while also making it straightforward to
1882         check if the prototype chain will do strange things to a property store by just
1883         looking at the structure.
1884
1885         * runtime/JSObject.cpp:
1886         (JSC::JSObject::put):
1887         * runtime/Structure.cpp:
1888         (JSC::Structure::prototypeChainMayInterceptStoreTo):
1889         (JSC):
1890         * runtime/Structure.h:
1891         (Structure):
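
What "intercept a store" means here follows the ordinary JavaScript put semantics: walking up from the receiver's prototype, the first object that holds the property decides the outcome. If it holds it as a read-only data property the store is refused; if it holds an accessor the setter runs; if it holds a plain writable data property the store simply creates a shadowing own property on the receiver and nothing unusual happens. The block below is an added model of that walk over a tiny constructed shape type, not JSC's Structure or Structure::prototypeChainMayInterceptStoreTo(); PropertyInfo, ObjectShape and Chain are invented for the example, and exotic objects (proxies, host objects) are outside what it models.

```cpp
#include <map>
#include <string>

// Constructed per-property metadata, the two flags that matter for a store.
struct PropertyInfo {
    bool readOnly = false;  // store is refused (throws in strict mode)
    bool hasSetter = false; // accessor property: store runs the setter
};

// Constructed shape: own properties plus the prototype link.
struct ObjectShape {
    std::map<std::string, PropertyInfo> properties;
    const ObjectShape* prototype = nullptr; // nullptr ends the chain
};

// Can anything on the receiver's prototype chain intercept a store to `name`?
// The first prototype that has the property decides, exactly as the put walk
// itself would: read-only or accessor means "yes", a writable data property
// means "no" (the receiver just gets a shadowing own property).
bool prototypeChainMayInterceptStoreTo(const ObjectShape& receiver, const std::string& name)
{
    for (const ObjectShape* shape = receiver.prototype; shape; shape = shape->prototype) {
        auto it = shape->properties.find(name);
        if (it == shape->properties.end())
            continue;
        return it->second.readOnly || it->second.hasSetter;
    }
    return false;
}

// Three-link chain: object -> proto -> objectPrototype, wired in the constructor.
struct Chain {
    ObjectShape objectPrototype;
    ObjectShape proto;
    ObjectShape object;
    Chain()
    {
        proto.prototype = &objectPrototype;
        object.prototype = &proto;
    }
};

// Scenario: proto defines x as an accessor, y as read-only and w as a plain
// writable property; objectPrototype defines v read-only but proto shadows it
// with a writable v. Only stores to x and y need the intercepting slow path.
bool demo()
{
    Chain c;
    c.proto.properties["x"] = PropertyInfo{false, true};
    c.proto.properties["y"] = PropertyInfo{true, false};
    c.proto.properties["w"] = PropertyInfo{false, false};
    c.proto.properties["v"] = PropertyInfo{false, false};
    c.objectPrototype.properties["v"] = PropertyInfo{true, false};
    return prototypeChainMayInterceptStoreTo(c.object, "x")
        && prototypeChainMayInterceptStoreTo(c.object, "y")
        && !prototypeChainMayInterceptStoreTo(c.object, "w")
        && !prototypeChainMayInterceptStoreTo(c.object, "v")
        && !prototypeChainMayInterceptStoreTo(c.object, "z");
}
```

The answer depends only on the shapes along the chain, which is why the entry can ask the question of the structure alone; an optimizer that emits a direct own-property store when this returns false must still guard against later structure changes, since a setter added to a prototype afterwards changes the answer.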
1892
1893 2012-11-15  Thiago Marcos P. Santos  <thiago.santos@intel.com>
1894
1895         [CMake] Do not regenerate LLIntAssembly.h on every incremental build
1896         https://bugs.webkit.org/show_bug.cgi?id=102248
1897
1898         Reviewed by Kenneth Rohde Christiansen.
1899
1900         Update LLIntAssembly.h's mtime after running asm.rb to make the build
1901         system dependency tracking consistent.
1902
1903         * CMakeLists.txt:
1904
1905 2012-11-15  Thiago Marcos P. Santos  <thiago.santos@intel.com>
1906
1907         Fix compiler warnings about signed/unsigned comparison on i386
1908         https://bugs.webkit.org/show_bug.cgi?id=102249
1909
1910         Reviewed by Kenneth Rohde Christiansen.
1911
1912         Add casting to unsigned to shut up gcc warnings. Build was broken on
1913         JSVALUE32_64 ports compiling with -Werror.
1914
1915         * llint/LLIntData.cpp:
1916         (JSC::LLInt::Data::performAssertions):
1917
1918 2012-11-14  Brent Fulgham  <bfulgham@webkit.org>
1919
1920         [Windows, WinCairo] Unreviewed build fix.
1921
1922         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1923         Missed one of the exports that was part of the WebKit2.def.
1924
1925 2012-11-14  Brent Fulgham  <bfulgham@webkit.org>
1926
1927         [Windows, WinCairo] Correct build failure.
1928         https://bugs.webkit.org/show_bug.cgi?id=102302
1929
1930         WebCore symbols were mistakenly added to the JavaScriptCore
1931         library definition file.
1932
1933         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Remove
1934         WebCore symbols that were incorrectly added to the export file.
1935
1936 2012-11-14  Mark Lam  <mark.lam@apple.com>
1937
1938         Change JSEventListener::m_jsFunction to be a weak ref.
1939         https://bugs.webkit.org/show_bug.cgi?id=101989
1940
1941         Reviewed by Geoffrey Garen.
1942
1943         Added infrastructure for scanning weak ref slots.
1944
1945         * heap/SlotVisitor.cpp: Added #include "SlotVisitorInlines.h".
1946         * heap/SlotVisitor.h:
1947         (SlotVisitor): Added SlotVisitor::appendUnbarrieredWeak().
1948         * heap/SlotVisitorInlines.h: Added #include "Weak.h".
1949         (JSC::SlotVisitor::appendUnbarrieredWeak): Added.
1950         * heap/Weak.h:
1951         (JSC::operator==): Added operator==() for Weak.
1952         * runtime/JSCell.h: Removed #include "SlotVisitorInlines.h".
1953         * runtime/JSObject.h: Added #include "SlotVisitorInlines.h".
1954
1955 2012-11-14  Filip Pizlo  <fpizlo@apple.com>
1956
1957         Read-only properties created with putDirect() should tell the structure that there are read-only properties
1958         https://bugs.webkit.org/show_bug.cgi?id=102292
1959
1960         Reviewed by Gavin Barraclough.
1961
1962         This mostly affects things like function.length.
1963
1964         * runtime/JSObject.h:
1965         (JSC::JSObject::putDirectInternal):
1966
1967 2012-11-13  Filip Pizlo  <fpizlo@apple.com>
1968
1969         Don't access Node& after adding nodes to the graph.
1970         https://bugs.webkit.org/show_bug.cgi?id=102005
1971
1972         Reviewed by Oliver Hunt.
1973
1974         * dfg/DFGFixupPhase.cpp:
1975         (JSC::DFG::FixupPhase::fixupNode):
1976
1977 2012-11-14  Valery Ignatyev  <valery.ignatyev@ispras.ru>
1978
1979         Replace (typeof(x) != <"object", "undefined", ...>) with
1980         !(typeof(x) == <"object",..>). Later, the is_object, is_<...> bytecode
1981         operations will be used.
1982
1983         https://bugs.webkit.org/show_bug.cgi?id=98893
1984
1985         Reviewed by Filip Pizlo.
1986
1987         This eliminates the expensive typeof implementation and
1988         allows the use of DFG optimizations, which don't support 'typeof'.
1989
1990         * bytecompiler/NodesCodegen.cpp:
1991         (JSC::BinaryOpNode::emitBytecode):
1992
1993 2012-11-14  Peter Gal  <galpeter@inf.u-szeged.hu>
1994
1995         [Qt][ARM]REGRESSION(r133985): It broke the build
1996         https://bugs.webkit.org/show_bug.cgi?id=101740
1997
1998         Reviewed by Csaba Osztrogonác.
1999
2000         Changed the emitGenericContiguousPutByVal to accept the additional IndexingType argument.
2001         This information was passed as a template parameter.
2002
2003         * jit/JIT.h:
2004         (JSC::JIT::emitInt32PutByVal):
2005         (JSC::JIT::emitDoublePutByVal):
2006         (JSC::JIT::emitContiguousPutByVal):
2007         (JIT):
2008         * jit/JITPropertyAccess.cpp:
2009         (JSC::JIT::emitGenericContiguousPutByVal):
2010         * jit/JITPropertyAccess32_64.cpp:
2011         (JSC::JIT::emitGenericContiguousPutByVal):
2012
2013 2012-11-14  Peter Gal  <galpeter@inf.u-szeged.hu>
2014
2015         Fix the MIPS build after r134332
2016         https://bugs.webkit.org/show_bug.cgi?id=102227
2017
2018         Reviewed by Csaba Osztrogonác.
2019
2020         Added missing methods for the MacroAssemblerMIPS, based on the MacroAssemblerARMv7.
2021
2022         * assembler/MacroAssemblerMIPS.h:
2023         (JSC::MacroAssemblerMIPS::canJumpReplacePatchableBranchPtrWithPatch):
2024         (MacroAssemblerMIPS):
2025         (JSC::MacroAssemblerMIPS::startOfPatchableBranchPtrWithPatch):
2026         (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranchPtrWithPatch):
2027
2028 2012-11-14  Peter Gal  <galpeter@inf.u-szeged.hu>
2029
2030         Fix the [-Wreturn-type] warning in JavaScriptCore/assembler/MacroAssemblerARM.h
2031         https://bugs.webkit.org/show_bug.cgi?id=102206
2032
2033         Reviewed by Csaba Osztrogonác.
2034
2035         Add a return value for the function to suppress the warning.
2036
2037         * assembler/MacroAssemblerARM.h:
2038         (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatch):
2039
2040 2012-11-14  Sheriff Bot  <webkit.review.bot@gmail.com>
2041
2042         Unreviewed, rolling out r134599.
2043         http://trac.webkit.org/changeset/134599
2044         https://bugs.webkit.org/show_bug.cgi?id=102225
2045
2046         It broke the 32 bit EFL build (Requested by Ossy on #webkit).
2047
2048         * jit/JITPropertyAccess.cpp:
2049         * jit/JITPropertyAccess32_64.cpp:
2050         (JSC):
2051         (JSC::JIT::emitGenericContiguousPutByVal):
2052
2053 2012-11-14  Balazs Kilvady  <kilvadyb@homejinni.com>
2054
2055         [Qt][ARM]REGRESSION(r133985): It broke the build
2056         https://bugs.webkit.org/show_bug.cgi?id=101740
2057
2058         Reviewed by Csaba Osztrogonác.
2059
2060         Template function body moved to fix VALUE_PROFILER disabled case.
2061
2062         * jit/JITPropertyAccess.cpp:
2063         (JSC):
2064         (JSC::JIT::emitGenericContiguousPutByVal):
2065         * jit/JITPropertyAccess32_64.cpp:
2066
2067 2012-11-13  Filip Pizlo  <fpizlo@apple.com>
2068
2069         DFG CreateThis should be able to statically account for the structure of the object it creates, if profiling indicates that this structure is always the same
2070         https://bugs.webkit.org/show_bug.cgi?id=102017
2071
2072         Reviewed by Geoffrey Garen.
2073
2074         This adds a watchpoint in JSFunction on the cached inheritor ID. It also changes
2075         NewObject to take a structure as an operand (previously it implicitly used the owning
2076         global object's empty object structure). Any GetCallee where the callee is predictable
2077         is turned into a CheckFunction + WeakJSConstant, and any CreateThis on a WeakJSConstant
2078         where the inheritor ID watchpoint is still valid is turned into an InheritorIDWatchpoint
2079         followed by a NewObject. NewObject already accounts for the structure it uses for object
2080         creation in the CFA.
2081
2082         * dfg/DFGAbstractState.cpp:
2083         (JSC::DFG::AbstractState::execute):
2084         * dfg/DFGByteCodeParser.cpp:
2085         (JSC::DFG::ByteCodeParser::parseBlock):
2086         * dfg/DFGCSEPhase.cpp:
2087         (JSC::DFG::CSEPhase::checkFunctionElimination):
2088         * dfg/DFGGraph.cpp:
2089         (JSC::DFG::Graph::dump):
2090         * dfg/DFGNode.h:
2091         (JSC::DFG::Node::hasFunction):
2092         (JSC::DFG::Node::function):
2093         (JSC::DFG::Node::hasStructure):
2094         * dfg/DFGNodeType.h:
2095         (DFG):
2096         * dfg/DFGOperations.cpp:
2097         * dfg/DFGOperations.h:
2098         * dfg/DFGPredictionPropagationPhase.cpp:
2099         (JSC::DFG::PredictionPropagationPhase::propagate):
2100         * dfg/DFGSpeculativeJIT.h:
2101         (JSC::DFG::SpeculativeJIT::callOperation):
2102         * dfg/DFGSpeculativeJIT32_64.cpp:
2103         (JSC::DFG::SpeculativeJIT::compile):
2104         * dfg/DFGSpeculativeJIT64.cpp:
2105         (JSC::DFG::SpeculativeJIT::compile):
2106         * runtime/Executable.h:
2107         (JSC::JSFunction::JSFunction):
2108         * runtime/JSBoundFunction.cpp:
2109         (JSC):
2110         * runtime/JSFunction.cpp:
2111         (JSC::JSFunction::JSFunction):
2112         (JSC::JSFunction::put):
2113         (JSC::JSFunction::defineOwnProperty):
2114         * runtime/JSFunction.h:
2115         (JSC::JSFunction::tryGetKnownInheritorID):
2116         (JSFunction):
2117         (JSC::JSFunction::addInheritorIDWatchpoint):
2118
2119 2012-11-13  Filip Pizlo  <fpizlo@apple.com>
2120
2121         JSFunction and its descendants should be destructible
2122         https://bugs.webkit.org/show_bug.cgi?id=102062
2123
2124         Reviewed by Mark Hahnenberg.
2125
2126         This will make it easy to place an InlineWatchpointSet inside JSFunction. In the
2127         future, we could make JSFunction non-destructible again by making a version of
2128         WatchpointSet that is entirely GC'd, but this seems like overkill for now.
2129         
2130         This is performance-neutral.
2131
2132         * runtime/JSBoundFunction.cpp:
2133         (JSC::JSBoundFunction::destroy):
2134         (JSC):
2135         * runtime/JSBoundFunction.h:
2136         (JSBoundFunction):
2137         * runtime/JSFunction.cpp:
2138         (JSC):
2139         (JSC::JSFunction::destroy):
2140         * runtime/JSFunction.h:
2141         (JSFunction):
2142
2143 2012-11-13  Cosmin Truta  <ctruta@rim.com>
2144
2145         Uninitialized fields in class JSLock
2146         https://bugs.webkit.org/show_bug.cgi?id=101695
2147
2148         Reviewed by Mark Hahnenberg.
2149
2150         Initialize JSLock::m_ownerThread and JSLock::m_lockDropDepth.
2151
2152         * runtime/JSLock.cpp:
2153         (JSC::JSLock::JSLock):
2154
2155 2012-11-13  Peter Gal  <galpeter@inf.u-szeged.hu>
2156
2157         Fix the ARM traditional build after r134332
2158         https://bugs.webkit.org/show_bug.cgi?id=102044
2159
2160         Reviewed by Zoltan Herczeg.
2161
2162         Added missing methods for the MacroAssemblerARM, based on the MacroAssemblerARMv7.
2163
2164         * assembler/MacroAssemblerARM.h:
2165         (JSC::MacroAssemblerARM::canJumpReplacePatchableBranchPtrWithPatch):
2166         (MacroAssemblerARM):
2167         (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatch):
2168         (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranchPtrWithPatch):
2169
2170 2012-11-12  Filip Pizlo  <fpizlo@apple.com>
2171
2172         op_get_callee should have value profiling
2173         https://bugs.webkit.org/show_bug.cgi?id=102047
2174
2175         Reviewed by Sam Weinig.
2176
2177         This will allow us to detect if the callee is always the same, which is probably
2178         the common case for a lot of constructors.
2179
2180         * bytecode/CodeBlock.cpp:
2181         (JSC::CodeBlock::CodeBlock):
2182         * bytecode/Opcode.h:
2183         (JSC):
2184         (JSC::padOpcodeName):
2185         * bytecompiler/BytecodeGenerator.cpp:
2186         (JSC::BytecodeGenerator::BytecodeGenerator):
2187         * jit/JITOpcodes.cpp:
2188         (JSC::JIT::emit_op_get_callee):
2189         * jit/JITOpcodes32_64.cpp:
2190         (JSC::JIT::emit_op_get_callee):
2191         * llint/LowLevelInterpreter32_64.asm:
2192         * llint/LowLevelInterpreter64.asm:
2193
2194 2012-11-12  Filip Pizlo  <fpizlo@apple.com>
2195
2196         The act of getting the callee during 'this' construction should be explicit in bytecode
2197         https://bugs.webkit.org/show_bug.cgi?id=102016
2198
2199         Reviewed by Michael Saboff.
2200
2201         This is mostly a rollout of http://trac.webkit.org/changeset/116673, but also includes
2202         changes to have create_this use the result of get_callee.
2203         
2204         No performance or behavioral impact. This is just meant to allow us to profile
2205         get_callee in the future.
2206
2207         * bytecode/CodeBlock.cpp:
2208         (JSC::CodeBlock::dump):
2209         * bytecode/Opcode.h:
2210         (JSC):
2211         (JSC::padOpcodeName):
2212         * bytecompiler/BytecodeGenerator.cpp:
2213         (JSC::BytecodeGenerator::BytecodeGenerator):
2214         * dfg/DFGByteCodeParser.cpp:
2215         (JSC::DFG::ByteCodeParser::parseBlock):
2216         * dfg/DFGCapabilities.h:
2217         (JSC::DFG::canCompileOpcode):
2218         * jit/JIT.cpp:
2219         (JSC::JIT::privateCompileMainPass):
2220         * jit/JIT.h:
2221         (JIT):
2222         * jit/JITOpcodes.cpp:
2223         (JSC::JIT::emit_op_get_callee):
2224         (JSC):
2225         (JSC::JIT::emit_op_create_this):
2226         * jit/JITOpcodes32_64.cpp:
2227         (JSC::JIT::emit_op_get_callee):
2228         (JSC):
2229         (JSC::JIT::emit_op_create_this):
2230         * llint/LLIntSlowPaths.cpp:
2231         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2232         * llint/LowLevelInterpreter32_64.asm:
2233         * llint/LowLevelInterpreter64.asm:
2234
2235 2012-11-12  Filip Pizlo  <fpizlo@apple.com>
2236
2237         Unreviewed, fix ARMv7 build.
2238
2239         * assembler/MacroAssemblerARMv7.h:
2240         (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatch):
2241         (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranchPtrWithPatch):
2242
2243 2012-11-12  Filip Pizlo  <fpizlo@apple.com>
2244
2245         Patching of jumps to stubs should use jump replacement rather than branch destination overwrite
2246         https://bugs.webkit.org/show_bug.cgi?id=101909
2247
2248         Reviewed by Geoffrey Garen.
2249
2250         This saves a few instructions in inline cases, on those architectures where it is
2251         easy to figure out where to put the jump replacement. Sub-1% speed-up across the
2252         board.
2253
2254         * assembler/MacroAssemblerARMv7.h:
2255         (MacroAssemblerARMv7):
2256         (JSC::MacroAssemblerARMv7::canJumpReplacePatchableBranchPtrWithPatch):
2257         (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatch):
2258         (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranchPtrWithPatch):
2259         * assembler/MacroAssemblerX86.h:
2260         (JSC::MacroAssemblerX86::canJumpReplacePatchableBranchPtrWithPatch):
2261         (MacroAssemblerX86):
2262         (JSC::MacroAssemblerX86::startOfPatchableBranchPtrWithPatch):
2263         (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranchPtrWithPatch):
2264         * assembler/MacroAssemblerX86_64.h:
2265         (JSC::MacroAssemblerX86_64::canJumpReplacePatchableBranchPtrWithPatch):
2266         (MacroAssemblerX86_64):
2267         (JSC::MacroAssemblerX86_64::startOfPatchableBranchPtrWithPatch):
2268         (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranchPtrWithPatch):
2269         * assembler/RepatchBuffer.h:
2270         (JSC::RepatchBuffer::startOfPatchableBranchPtrWithPatch):
2271         (RepatchBuffer):
2272         (JSC::RepatchBuffer::replaceWithJump):
2273         (JSC::RepatchBuffer::revertJumpReplacementToPatchableBranchPtrWithPatch):
2274         * assembler/X86Assembler.h:
2275         (X86Assembler):
2276         (JSC::X86Assembler::revertJumpTo_movq_i64r):
2277         (JSC::X86Assembler::revertJumpTo_cmpl_im_force32):
2278         (X86InstructionFormatter):
2279         * bytecode/StructureStubInfo.h:
2280         * dfg/DFGRepatch.cpp:
2281         (JSC::DFG::replaceWithJump):
2282         (DFG):
2283         (JSC::DFG::tryCacheGetByID):
2284         (JSC::DFG::tryBuildGetByIDList):
2285         (JSC::DFG::tryBuildGetByIDProtoList):
2286         (JSC::DFG::tryCachePutByID):
2287         (JSC::DFG::dfgResetGetByID):
2288         (JSC::DFG::dfgResetPutByID):
2289
2290 2012-11-11  Filip Pizlo  <fpizlo@apple.com>
2291
2292         DFG ArithMul overflow check elimination is too aggressive
2293         https://bugs.webkit.org/show_bug.cgi?id=101871
2294
2295         Reviewed by Oliver Hunt.
2296
2297         The code was ignoring the fact that ((a * b) | 0) == (((a | 0) * (b | 0)) | 0)
2298         only holds if a * b < 2^53. So, I changed it to only enable the optimization
2299         when a < 2^22 and b is an int32 (and vice versa), using a super trivial peephole
2300         analysis to prove the inequality. I considered writing an epic forward flow
2301         formulation that tracks the ranges of integer values but then I thought better
2302         of it.
2303         
2304         This also rewires the ArithMul integer speculation logic. Previously, we would
2305         assume that an ArithMul was only UsedAsNumber if it escaped, and separately we
2306         would decide whether to speculate integer based on a proof of the <2^22
2307         inequality. Now, we treat the double rounding behavior of ArithMul as if the
2308         result was UsedAsNumber even if it did not escape. Then we try to prove that
2309         double rounding cannot happen by attempting to prove that a < 2^22. This then
2310         feeds back into the decision of whether or not to speculate integer (if we fail
2311         to prove a < 2^22 then we're UsedAsNumber, and if we're also MayOverflow then
2312         that forces double speculation).
2313         
2314         No performance impact. It just fixes a bug.
2315
2316         * dfg/DFGGraph.h:
2317         (JSC::DFG::Graph::mulShouldSpeculateInteger):
2318         * dfg/DFGPredictionPropagationPhase.cpp:
2319         (PredictionPropagationPhase):
2320         (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoForConstant):
2321         (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoNonRecursive):
2322         (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwo):
2323         (JSC::DFG::PredictionPropagationPhase::propagate):
2324
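Added example, not JavaScriptCore code: plain JavaScript showing why the identity in the entry above fails once the exact product reaches 2^53, with a predicate that mirrors the entry's 2^22 peephole rule. The helper names (isWithinPowerOfTwo, overflowCheckCanBeElided) and the sample operands are assumptions made here, not the DFG's own functions.

```javascript
// Added example, not JavaScriptCore code: why ((a * b) | 0) may differ from the
// exact int32 product once |a * b| reaches 2^53, and the 2^22 peephole rule
// under which the ArithMul overflow check can be dropped.

const INT32_MIN = -2147483648;
const INT32_MAX = 2147483647;

// An "int32 speculation" in the DFG's sense: an integer within int32 range.
function isInt32(v) {
  return Number.isInteger(v) && v >= INT32_MIN && v <= INT32_MAX;
}

// (a * b) | 0: the multiply goes through a double (53-bit mantissa, so it may
// round) and only afterwards is the result truncated to int32.
function mulThenToInt32(a, b) {
  return (a * b) | 0;
}

// Exact 32-bit wrapping multiply, i.e. what an integer ArithMul computes when
// it stays on the int32 path instead of falling back to doubles.
function mulInt32Exact(a, b) {
  return Math.imul(a, b);
}

// Is the exact integer product representable as a double? BigInt serves as an
// oracle because it never rounds. (For int32 operands a * b is always an
// integer-valued double, so BigInt(a * b) cannot throw.)
function productIsExactInDouble(a, b) {
  return BigInt(a * b) === BigInt(a) * BigInt(b);
}

// Hypothetical mirror of the entry's peephole predicate (name assumed here,
// not the DFG's own): |x| < 2^bits.
function isWithinPowerOfTwo(x, bits) {
  return Math.abs(x) < 2 ** bits;
}

// The overflow check may be elided only if both operands are int32 and one of
// them is below 2^22: then |a * b| <= 2^22 * 2^31 = 2^53, still exact.
function overflowCheckCanBeElided(a, b) {
  if (!isInt32(a) || !isInt32(b)) return false;
  return isWithinPowerOfTwo(a, 22) || isWithinPowerOfTwo(b, 22);
}

// Constructed inputs. (2^30 + 1)^2 = 2^60 + 2^31 + 1, which a double rounds to
// 2^60 + 2^31 (the ulp at that magnitude is 256), so the low int32 bits differ.
const BIG = 1073741825;   // 2^30 + 1
const SMALL = 4194303;    // 2^22 - 1, inside the peephole bound

console.log('big:   via double', mulThenToInt32(BIG, BIG),
            'exact', mulInt32Exact(BIG, BIG),
            'elide?', overflowCheckCanBeElided(BIG, BIG));
console.log('small: via double', mulThenToInt32(SMALL, INT32_MIN),
            'exact', mulInt32Exact(SMALL, INT32_MIN),
            'elide?', overflowCheckCanBeElided(SMALL, INT32_MIN));
```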
2325 2012-11-11  Filip Pizlo  <fpizlo@apple.com>
2326
2327         DFG should not emit function checks if we've already proved that the operand is that exact function
2328         https://bugs.webkit.org/show_bug.cgi?id=101885
2329
2330         Reviewed by Oliver Hunt.
2331
2332         * dfg/DFGAbstractState.cpp:
2333         (JSC::DFG::AbstractState::execute):
2334         * dfg/DFGAbstractValue.h:
2335         (JSC::DFG::AbstractValue::filterByValue):
2336         (AbstractValue):
2337         * dfg/DFGConstantFoldingPhase.cpp:
2338         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2339
2340 2012-11-12  Kentaro Hara  <haraken@chromium.org>
2341
2342         [V8][JSC] ScriptProfileNode::callUID needs not to be [Custom]
2343         https://bugs.webkit.org/show_bug.cgi?id=101892
2344
2345         Reviewed by Adam Barth.
2346
2347         Added callUID(), which enables us to kill custom bindings for ScriptProfileNode::callUID.
2348
2349         * profiler/ProfileNode.h:
2350         (JSC::ProfileNode::callUID):
2351
2352 2012-11-12  Carlos Garcia Campos  <cgarcia@igalia.com>
2353
2354         Unreviewed. Fix make distcheck.
2355
2356         * GNUmakefile.list.am: Add missing header.
2357
2358 2012-11-11  Michael Pruett  <michael@68k.org>
2359
2360         Fix assertion failure in JSObject::tryGetIndexQuickly()
2361         https://bugs.webkit.org/show_bug.cgi?id=101869
2362
2363         Reviewed by Filip Pizlo.
2364
2365         Currently JSObject::tryGetIndexQuickly() triggers an assertion
2366         failure when the object has an undecided indexing type. This
2367         case should be treated the same as a blank indexing type.
2368
2369         * runtime/JSObject.h:
2370         (JSC::JSObject::tryGetIndexQuickly):
2371
2372 2012-11-11  Filip Pizlo  <fpizlo@apple.com>
2373
2374         DFG register allocation should be greedy rather than round-robin
2375         https://bugs.webkit.org/show_bug.cgi?id=101870
2376
2377         Reviewed by Geoffrey Garen.
2378
2379         This simplifies the code, reduces some code duplication, and shows some slight
2380         performance improvements in a few places, likely due to the fact that lower-numbered
2381         registers also typically have smaller encodings.
2382
2383         * dfg/DFGRegisterBank.h:
2384         (JSC::DFG::RegisterBank::RegisterBank):
2385         (JSC::DFG::RegisterBank::tryAllocate):
2386         (JSC::DFG::RegisterBank::allocate):
2387         (JSC::DFG::RegisterBank::allocateInternal):
2388         (RegisterBank):
2389
2390 2012-11-11  Kenichi Ishibashi  <bashi@chromium.org>
2391
2392         WTFString::utf8() should have a mode of conversion to use replacement character
2393         https://bugs.webkit.org/show_bug.cgi?id=101678
2394
2395         Reviewed by Alexey Proskuryakov.
2396
2397         Follow the change to String::utf8().
2398
2399         * runtime/JSGlobalObjectFunctions.cpp:
2400         (JSC::encode): Pass String::StrictConversion instead of true to String::utf8().
2401
2402 2012-11-10  Filip Pizlo  <fpizlo@apple.com>
2403
2404         DFG should optimize out the NaN check on loads from double arrays if the array prototype chain is having a great time
2405         https://bugs.webkit.org/show_bug.cgi?id=101718
2406
2407         Reviewed by Geoffrey Garen.
2408
2409         If we're reading from a JSArray in double mode, where the array's structure is
2410         primordial (all aspects of the structure are unchanged except for indexing type),
2411         and the result of the load is used in arithmetic that is known to not distinguish
2412         between NaN and undefined, then we should not emit a NaN check. Looks like a 5%
2413         win on navier-stokes.
2414         
2415         Also fixed an OpInfo initialization goof for String ops that was revealed by this
2416         change.
2417
2418         * dfg/DFGAbstractState.cpp:
2419         (JSC::DFG::AbstractState::execute):
2420         * dfg/DFGArrayMode.cpp:
2421         (JSC::DFG::arraySpeculationToString):
2422         * dfg/DFGArrayMode.h:
2423         (JSC::DFG::ArrayMode::isSaneChain):
2424         (ArrayMode):
2425         (JSC::DFG::ArrayMode::isInBounds):
2426         * dfg/DFGByteCodeParser.cpp:
2427         (JSC::DFG::ByteCodeParser::handleIntrinsic):
2428         * dfg/DFGFixupPhase.cpp:
2429         (JSC::DFG::FixupPhase::fixupNode):
2430         * dfg/DFGNodeFlags.cpp:
2431         (JSC::DFG::nodeFlagsAsString):
2432         * dfg/DFGNodeFlags.h:
2433         (DFG):
2434         * dfg/DFGPredictionPropagationPhase.cpp:
2435         (JSC::DFG::PredictionPropagationPhase::propagate):
2436         * dfg/DFGSpeculativeJIT32_64.cpp:
2437         (JSC::DFG::SpeculativeJIT::compile):
2438         * dfg/DFGSpeculativeJIT64.cpp:
2439         (JSC::DFG::SpeculativeJIT::compile):
2440         * runtime/JSGlobalObject.cpp:
2441         (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
2442         (JSC):
2443         * runtime/JSGlobalObject.h:
2444         (JSGlobalObject):
2445
2446 2012-11-10  Filip Pizlo  <fpizlo@apple.com>
2447
2448         DFG constant folding and CFG simplification should be smart enough to know that if a logical op's operand is proven to have a non-masquerading structure then it always evaluates to true
2449         https://bugs.webkit.org/show_bug.cgi?id=101511
2450
2451         Reviewed by Geoffrey Garen.
2452         
2453         This is the second attempt at this patch, which fixes the !"" case.
2454
2455         To make life easier, this moves BranchDirection into BasicBlock so that after
2456         running the CFA, we always know, for each block, what direction the CFA
2457         proved. CFG simplification now both uses and preserves cfaBranchDirection in
2458         its transformations.
2459         
2460         Also made both LogicalNot and Branch check whether the operand is a known cell
2461         with a known structure, and if so, made them do the appropriate folding.
2462         
2463         5% speed-up on V8/raytrace because it makes raytrace's own null checks
2464         evaporate (i.e. idioms like 'if (!x) throw "unhappiness"') thanks to the fact
2465         that we were already doing structure check hoisting.
2466
2467         * JavaScriptCore.xcodeproj/project.pbxproj:
2468         * dfg/DFGAbstractState.cpp:
2469         (JSC::DFG::AbstractState::endBasicBlock):
2470         (JSC::DFG::AbstractState::execute):
2471         (JSC::DFG::AbstractState::mergeToSuccessors):
2472         * dfg/DFGAbstractState.h:
2473         (AbstractState):
2474         * dfg/DFGBasicBlock.h:
2475         (JSC::DFG::BasicBlock::BasicBlock):
2476         (BasicBlock):
2477         * dfg/DFGBranchDirection.h: Added.
2478         (DFG):
2479         (JSC::DFG::branchDirectionToString):
2480         (JSC::DFG::isKnownDirection):
2481         (JSC::DFG::branchCondition):
2482         * dfg/DFGCFGSimplificationPhase.cpp:
2483         (JSC::DFG::CFGSimplificationPhase::run):
2484         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
2485
2486 2012-11-10  Sheriff Bot  <webkit.review.bot@gmail.com>
2487
2488         Unreviewed, rolling out r133971.
2489         http://trac.webkit.org/changeset/133971
2490         https://bugs.webkit.org/show_bug.cgi?id=101839
2491
2492         Causes WebProcess to hang at 100% on www.apple.com (Requested
2493         by kling on #webkit).
2494
2495         * JavaScriptCore.xcodeproj/project.pbxproj:
2496         * dfg/DFGAbstractState.cpp:
2497         (JSC::DFG::AbstractState::endBasicBlock):
2498         (JSC::DFG::AbstractState::execute):
2499         (JSC::DFG::AbstractState::mergeToSuccessors):
2500         * dfg/DFGAbstractState.h:
2501         (JSC::DFG::AbstractState::branchDirectionToString):
2502         (AbstractState):
2503         * dfg/DFGBasicBlock.h:
2504         (JSC::DFG::BasicBlock::BasicBlock):
2505         (BasicBlock):
2506         * dfg/DFGBranchDirection.h: Removed.
2507         * dfg/DFGCFGSimplificationPhase.cpp:
2508         (JSC::DFG::CFGSimplificationPhase::run):
2509         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
2510
2511 2012-11-09  Filip Pizlo  <fpizlo@apple.com>
2512
2513         If the DFG ArrayMode says that an access is on an OriginalArray, then the checks should always enforce this
2514         https://bugs.webkit.org/show_bug.cgi?id=101720
2515
2516         Reviewed by Mark Hahnenberg.
2517
2518         Previously, "original" arrays were just a hint that we could find the structure
2519         of the array if we needed to even if the array profile didn't have it due to
2520         polymorphism. Now, "original" arrays are a property that is actually checked:
2521         if an array access has ArrayMode::arrayClass() == Array::OriginalArray, then we
2522         can be sure that the code performing the access is dealing with not just a
2523         JSArray, but a JSArray that has no named properties, no indexed accessors, and
2524         the ArrayPrototype as its prototype. This will be useful for optimizations that
2525         are being done as part of https://bugs.webkit.org/show_bug.cgi?id=101720.
2526
2527         * dfg/DFGAbstractState.cpp:
2528         (JSC::DFG::AbstractState::execute):
2529         * dfg/DFGArrayMode.cpp:
2530         (JSC::DFG::ArrayMode::originalArrayStructure):
2531         (DFG):
2532         (JSC::DFG::ArrayMode::alreadyChecked):
2533         * dfg/DFGArrayMode.h:
2534         (JSC):
2535         (DFG):
2536         (JSC::DFG::ArrayMode::withProfile):
2537         (ArrayMode):
2538         (JSC::DFG::ArrayMode::benefitsFromOriginalArray):
2539         * dfg/DFGConstantFoldingPhase.cpp:
2540         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2541         * dfg/DFGFixupPhase.cpp:
2542         (JSC::DFG::FixupPhase::checkArray):
2543         * dfg/DFGSpeculativeJIT.cpp:
2544         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
2545         (JSC::DFG::SpeculativeJIT::checkArray):
2546         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2547         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
2548         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2549         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
2550         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
2551         (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
2552
2553 2012-11-09  Filip Pizlo  <fpizlo@apple.com>
2554
2555         Fix indentation of BooleanPrototype.h
2556
2557         Rubber stamped by Mark Hahnenberg.
2558
2559         * runtime/BooleanPrototype.h:
2560
2561 2012-11-09  Filip Pizlo  <fpizlo@apple.com>
2562
2563         Fix indentation of BooleanObject.h
2564
2565         Rubber stamped by Mark Hahnenberg.
2566
2567         * runtime/BooleanObject.h:
2568
2569 2012-11-09  Filip Pizlo  <fpizlo@apple.com>
2570
2571         Fix indentation of BooleanConstructor.h
2572
2573         Rubber stamped by Mark Hahnenberg.
2574
2575         * runtime/BooleanConstructor.h:
2576
2577 2012-11-09  Filip Pizlo  <fpizlo@apple.com>
2578
2579         Fix indentation of BatchedTransitionOptimizer.h
2580
2581         Rubber stamped by Mark Hahnenberg.
2582
2583         * runtime/BatchedTransitionOptimizer.h:
2584
2585 2012-11-09  Oliver Hunt  <oliver@apple.com>
2586
2587         Thingy probably isn't the best name for a class, so renamed it
2588         to CacheMap.
2589
2590         RS=Geoff
2591
2592         * runtime/CodeCache.h:
2593         (JSC::CacheMap::CacheMap):
2594
2595 2012-11-09  Filip Pizlo  <fpizlo@apple.com>
2596
2597         ArrayPrototype should start out with a blank indexing type
2598         https://bugs.webkit.org/show_bug.cgi?id=101719
2599
2600         Reviewed by Mark Hahnenberg.
2601
2602         This allows us to track if the array prototype ever ends up with indexed
2603         properties.
2604
2605         * runtime/ArrayPrototype.cpp:
2606         (JSC::ArrayPrototype::create):
2607         (JSC::ArrayPrototype::ArrayPrototype):
2608         * runtime/ArrayPrototype.h:
2609         (ArrayPrototype):
2610         (JSC::ArrayPrototype::createStructure):
2611
2612 2012-11-08  Mark Hahnenberg  <mhahnenberg@apple.com>
2613
2614         MarkStackArray should use the BlockAllocator instead of the MarkStackSegmentAllocator
2615         https://bugs.webkit.org/show_bug.cgi?id=101642
2616
2617         Reviewed by Filip Pizlo.
2618
2619         MarkStackSegmentAllocator is like a miniature version of the BlockAllocator. Now that the BlockAllocator has support 
2620         for a variety of block sizes, we should get rid of the MarkStackSegmentAllocator in favor of the BlockAllocator.
2621
2622         * heap/BlockAllocator.h: Add new specializations of regionSetFor for the new MarkStackSegments.
2623         (JSC):
2624         (JSC::MarkStackSegment):
2625         * heap/GCThreadSharedData.cpp:
2626         (JSC::GCThreadSharedData::GCThreadSharedData):
2627         (JSC::GCThreadSharedData::reset):
2628         * heap/GCThreadSharedData.h:
2629         (GCThreadSharedData):
2630         * heap/MarkStack.cpp: 
2631         (JSC::MarkStackArray::MarkStackArray): We now have a doubly linked list of MarkStackSegments, so we need to refactor 
2632         all the places that used the old custom tail/previous logic.
2633         (JSC::MarkStackArray::~MarkStackArray):
2634         (JSC::MarkStackArray::expand):
2635         (JSC::MarkStackArray::refill):
2636         (JSC::MarkStackArray::donateSomeCellsTo): Refactor to use the new linked list.
2637         (JSC::MarkStackArray::stealSomeCellsFrom): Ditto.
2638         * heap/MarkStack.h:
2639         (JSC):
2640         (MarkStackSegment):
2641         (JSC::MarkStackSegment::MarkStackSegment):
2642         (JSC::MarkStackSegment::sizeFromCapacity):
2643         (MarkStackArray):
2644         * heap/MarkStackInlines.h:
2645         (JSC::MarkStackSegment::create):
2646         (JSC):
2647         (JSC::MarkStackArray::postIncTop):
2648         (JSC::MarkStackArray::preDecTop):
2649         (JSC::MarkStackArray::setTopForFullSegment):
2650         (JSC::MarkStackArray::setTopForEmptySegment):
2651         (JSC::MarkStackArray::top):
2652         (JSC::MarkStackArray::validatePrevious):
2653         (JSC::MarkStackArray::append):
2654         (JSC::MarkStackArray::removeLast):
2655         (JSC::MarkStackArray::isEmpty):
2656         (JSC::MarkStackArray::size):
2657         * heap/SlotVisitor.cpp:
2658         (JSC::SlotVisitor::SlotVisitor):
2659
2660 2012-11-09  Gabor Ballabas  <gaborb@inf.u-szeged.hu>
2661
2662         [Qt] r133953 broke the ARM_TRADITIONAL build
2663         https://bugs.webkit.org/show_bug.cgi?id=101706
2664
2665         Reviewed by Csaba Osztrogonác.
2666
2667         Fix for both hardfp and softfp.
2668
2669         * dfg/DFGCCallHelpers.h:
2670         (CCallHelpers):
2671         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
2672
2673 2012-11-09  Sheriff Bot  <webkit.review.bot@gmail.com>
2674
2675         Unreviewed, rolling out r134051.
2676         http://trac.webkit.org/changeset/134051
2677         https://bugs.webkit.org/show_bug.cgi?id=101757
2678
2679         It didn't fix the build (Requested by Ossy on #webkit).
2680
2681         * dfg/DFGCCallHelpers.h:
2682         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
2683
2684 2012-11-09  Gabor Ballabas  <gaborb@inf.u-szeged.hu>
2685
2686         [Qt] r133953 broke the ARM_TRADITIONAL build
2687         https://bugs.webkit.org/show_bug.cgi?id=101706
2688
2689         Reviewed by Csaba Osztrogonác.
2690
2691         Fix the ARM_TRADITIONAL build after r133953
2692
2693         * dfg/DFGCCallHelpers.h:
2694         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
2695         (CCallHelpers):
2696
2697 2012-11-09  Csaba Osztrogonác  <ossy@webkit.org>
2698
2699         [Qt] Fix the LLINT build from ARMv7 platform
2700         https://bugs.webkit.org/show_bug.cgi?id=101712
2701
2702         Reviewed by Simon Hausmann.
2703
2704         Enable generation of LLIntAssembly.h on ARM platforms.
2705
2706         * DerivedSources.pri:
2707         * JavaScriptCore.pro:
2708
2709 2012-11-08  Filip Pizlo  <fpizlo@apple.com>
2710
2711         ArrayPrototype.h should have correct indentation
2712
2713         Rubber stamped by Sam Weinig.
2714
2715         * runtime/ArrayPrototype.h:
2716
2717 2012-11-08  Mark Lam  <mark.lam@apple.com>
2718
2719         Renamed ...InlineMethods.h files to ...Inlines.h.
2720         https://bugs.webkit.org/show_bug.cgi?id=101145.
2721
2722         Reviewed by Geoffrey Garen.
2723
2724         This is only a refactoring effort to rename the files. There are no
2725         functionality changes.
2726
2727         * API/JSObjectRef.cpp:
2728         * GNUmakefile.list.am:
2729         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2730         * JavaScriptCore.xcodeproj/project.pbxproj:
2731         * bytecode/CodeBlock.cpp:
2732         * dfg/DFGOperations.cpp:
2733         * heap/ConservativeRoots.cpp:
2734         * heap/CopiedBlock.h:
2735         * heap/CopiedSpace.cpp:
2736         * heap/CopiedSpaceInlineMethods.h: Removed.
2737         * heap/CopiedSpaceInlines.h: Copied from Source/JavaScriptCore/heap/CopiedSpaceInlineMethods.h.
2738         * heap/CopyVisitor.cpp:
2739         * heap/CopyVisitorInlineMethods.h: Removed.
2740         * heap/CopyVisitorInlines.h: Copied from Source/JavaScriptCore/heap/CopyVisitorInlineMethods.h.
2741         * heap/GCThread.cpp:
2742         * heap/GCThreadSharedData.cpp:
2743         * heap/HandleStack.cpp:
2744         * heap/Heap.cpp:
2745         * heap/HeapRootVisitor.h:
2746         * heap/MarkStack.cpp:
2747         * heap/MarkStackInlineMethods.h: Removed.
2748         * heap/MarkStackInlines.h: Copied from Source/JavaScriptCore/heap/MarkStackInlineMethods.h.
2749         * heap/SlotVisitor.cpp:
2750         * heap/SlotVisitor.h:
2751         * heap/SlotVisitorInlineMethods.h: Removed.
2752         * heap/SlotVisitorInlines.h: Copied from Source/JavaScriptCore/heap/SlotVisitorInlineMethods.h.
2753         * jit/HostCallReturnValue.cpp:
2754         * jit/JIT.cpp:
2755         * jit/JITArithmetic.cpp:
2756         * jit/JITArithmetic32_64.cpp:
2757         * jit/JITCall.cpp:
2758         * jit/JITCall32_64.cpp:
2759         * jit/JITInlineMethods.h: Removed.
2760         * jit/JITInlines.h: Copied from Source/JavaScriptCore/jit/JITInlineMethods.h.
2761         * jit/JITOpcodes.cpp:
2762         * jit/JITOpcodes32_64.cpp:
2763         * jit/JITPropertyAccess.cpp:
2764         * jit/JITPropertyAccess32_64.cpp:
2765         * jsc.cpp:
2766         * runtime/ArrayConstructor.cpp:
2767         * runtime/ArrayPrototype.cpp:
2768         * runtime/ButterflyInlineMethods.h: Removed.
2769         * runtime/ButterflyInlines.h: Copied from Source/JavaScriptCore/runtime/ButterflyInlineMethods.h.
2770         * runtime/IndexingHeaderInlineMethods.h: Removed.
2771         * runtime/IndexingHeaderInlines.h: Copied from Source/JavaScriptCore/runtime/IndexingHeaderInlineMethods.h.
2772         * runtime/JSActivation.h:
2773         * runtime/JSArray.cpp:
2774         * runtime/JSArray.h:
2775         * runtime/JSCell.h:
2776         * runtime/JSObject.cpp:
2777         * runtime/JSValueInlineMethods.h: Removed.
2778         * runtime/JSValueInlines.h: Copied from Source/JavaScriptCore/runtime/JSValueInlineMethods.h.
2779         * runtime/LiteralParser.cpp:
2780         * runtime/ObjectConstructor.cpp:
2781         * runtime/Operations.h:
2782         * runtime/RegExpMatchesArray.cpp:
2783         * runtime/RegExpObject.cpp:
2784         * runtime/StringPrototype.cpp:
2785
2786 2012-11-08  Filip Pizlo  <fpizlo@apple.com>
2787
2788         ArrayConstructor.h should have correct indentation
2789
2790         Rubber stamped by Sam Weinig.
2791
2792         * runtime/ArrayConstructor.h:
2793
2794 2012-11-08  Filip Pizlo  <fpizlo@apple.com>
2795
2796         DFG should know that int == null is always false
2797         https://bugs.webkit.org/show_bug.cgi?id=101665
2798
2799         Reviewed by Oliver Hunt.
2800
2801         * dfg/DFGAbstractState.cpp:
2802         (JSC::DFG::AbstractState::execute):
2803
2804 2012-11-08  Filip Pizlo  <fpizlo@apple.com>
2805
2806         Arguments.h should have correct indentation
2807
2808         Rubber stamped by Sam Weinig.
2809
2810         * runtime/Arguments.h:
2811
2812 2012-11-08  Filip Pizlo  <fpizlo@apple.com>
2813
2814         It should be possible to JIT compile get_by_vals and put_by_vals even if the DFG is disabled.
2815
2816         Reviewed by Oliver Hunt.
2817
2818         * jit/JITInlineMethods.h:
2819         (JSC::JIT::chooseArrayMode):
2820
2821 2012-11-08  Filip Pizlo  <fpizlo@apple.com>
2822
2823         op_call should have LLInt call link info even if the DFG is disabled
2824         https://bugs.webkit.org/show_bug.cgi?id=101672
2825
2826         Reviewed by Oliver Hunt.
2827
2828         Get rid of the evil uses of fall-through.
2829
2830         * bytecode/CodeBlock.cpp:
2831         (JSC::CodeBlock::CodeBlock):
2832
2833 2012-11-08  Oliver Hunt  <oliver@apple.com>
2834
2835         Improve effectiveness of function-level caching
2836         https://bugs.webkit.org/show_bug.cgi?id=101667
2837
2838         Reviewed by Filip Pizlo.
2839
2840         Added a random-eviction based cache for unlinked functions, and switched
2841         UnlinkedFunctionExecutable's code references to Weak<>, thereby letting
2842         us remove the explicit UnlinkedFunctionExecutable::clearCode() calls that
2843         were being triggered by GC.
2844
2845         Refactored the random eviction part of the CodeCache into a separate data
2846         structure so that I didn't have to duplicate the code again, and then used
2847         that for the new function cache.
2848
2849         * bytecode/UnlinkedCodeBlock.cpp:
2850         (JSC::UnlinkedFunctionExecutable::visitChildren):
2851         (JSC::UnlinkedFunctionExecutable::codeBlockFor):
2852         * bytecode/UnlinkedCodeBlock.h:
2853         (JSC::UnlinkedFunctionExecutable::clearCodeForRecompilation):
2854         (UnlinkedFunctionExecutable):
2855         * debugger/Debugger.cpp:
2856         * runtime/CodeCache.cpp:
2857         (JSC::CodeCache::getCodeBlock):
2858         (JSC::CodeCache::generateFunctionCodeBlock):
2859         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2860         (JSC::CodeCache::usedFunctionCode):
2861         (JSC):
2862         * runtime/Executable.cpp:
2863         (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilationIfNotCompiling):
2864         (JSC::FunctionExecutable::clearCode):
2865         * runtime/Executable.h:
2866         (FunctionExecutable):
2867
2868 2012-11-07  Filip Pizlo  <fpizlo@apple.com>
2869
2870         DFG constant folding and CFG simplification should be smart enough to know that if a logical op's operand is proven to have a non-masquerading structure then it always evaluates to true
2871         https://bugs.webkit.org/show_bug.cgi?id=101511
2872
2873         Reviewed by Oliver Hunt.
2874
2875         To make life easier, this moves BranchDirection into BasicBlock so that after
2876         running the CFA, we always know, for each block, what direction the CFA
2877         proved. CFG simplification now both uses and preserves cfaBranchDirection in
2878         its transformations.
2879         
2880         Also made both LogicalNot and Branch check whether the operand is a known cell
2881         with a known structure, and if so, made them do the appropriate folding.
2882         
2883         5% speed-up on V8/raytrace because it makes raytrace's own null checks
2884         evaporate (i.e. idioms like 'if (!x) throw "unhappiness"') thanks to the fact
2885         that we were already doing structure check hoisting.
2886
2887         * JavaScriptCore.xcodeproj/project.pbxproj:
2888         * dfg/DFGAbstractState.cpp:
2889         (JSC::DFG::AbstractState::endBasicBlock):
2890         (JSC::DFG::AbstractState::execute):
2891         (JSC::DFG::AbstractState::mergeToSuccessors):
2892         * dfg/DFGAbstractState.h:
2893         (AbstractState):
2894         * dfg/DFGBasicBlock.h:
2895         (JSC::DFG::BasicBlock::BasicBlock):
2896         (BasicBlock):
2897         * dfg/DFGBranchDirection.h: Added.
2898         (DFG):
2899         (JSC::DFG::branchDirectionToString):
2900         (JSC::DFG::isKnownDirection):
2901         (JSC::DFG::branchCondition):
2902         * dfg/DFGCFGSimplificationPhase.cpp:
2903         (JSC::DFG::CFGSimplificationPhase::run):
2904         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
2905
2906 2012-11-08  Christophe Dumez  <christophe.dumez@intel.com>
2907
2908         [JSC] HTML extensions to String.prototype should escape " as &quot; in argument values
2909         https://bugs.webkit.org/show_bug.cgi?id=90667
2910
2911         Reviewed by Benjamin Poulain.
2912
2913         Escape quotation mark as &quot; in argument values to:
2914         - String.prototype.anchor(name)
2915         - String.prototype.fontcolor(color)
2916         - String.prototype.fontsize(size)
2917         - String.prototype.link(href)
2918
2919         This behavior matches Chromium/V8 and Firefox/Spidermonkey
2920         implementations and is required by:
2921         http://mathias.html5.org/specs/javascript/#escapeattributevalue
2922
2923         This also fixes a potential security risk (XSS vector).
2924
2925         * runtime/StringPrototype.cpp:
2926         (JSC::stringProtoFuncFontcolor):
2927         (JSC::stringProtoFuncFontsize):
2928         (JSC::stringProtoFuncAnchor):
2929         (JSC::stringProtoFuncLink):
2930
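Added example, not JavaScriptCore code: a reference model of the CreateHTML step behind String.prototype.anchor/link/fontcolor/fontsize, showing how an unescaped double quote lets an argument value terminate the attribute and why the fix escapes it as &quot;. The function names and the sample values are assumptions made here; the final check compares the model against the running engine's built-in anchor().

```javascript
// Added example, not JavaScriptCore code: model of the HTML string extensions
// before and after the fix that escapes `"` in attribute values.

// Escape a double quote as &quot; so an untrusted value cannot close the
// attribute it is placed in.
function escapeAttributeValue(value) {
  return String(value).replace(/"/g, '&quot;');
}

// Model of CreateHTML: <tag attribute="value">str</tag>. The `escape` flag
// selects the pre-fix (false) or fixed (true) behaviour for comparison.
function createHTML(str, tag, attribute, value, escape) {
  const v = escape ? escapeAttributeValue(value) : String(value);
  return `<${tag} ${attribute}="${v}">${str}</${tag}>`;
}

// Count the attributes in the generated start tag. A correctly escaped value
// always yields exactly one; a value that broke out of the quotes yields more,
// which is the condition a defender wants to detect.
function startTagAttributeCount(html) {
  const startTag = html.slice(0, html.indexOf('>') + 1);
  return (startTag.match(/\s[a-zA-Z-]+="/g) || []).length;
}

// Does the engine running this behave like the fixed JSC (and V8/SpiderMonkey,
// per the entry above)? Compares the built-in anchor() with the model.
function builtinAnchorEscapesQuotes() {
  const value = 'a"b';
  return 'x'.anchor(value) === createHTML('x', 'a', 'name', value, true);
}

// Constructed value: a quote followed by an extra attribute.
const UNTRUSTED = 'a" rel="b';
console.log('unescaped:', createHTML('x', 'a', 'name', UNTRUSTED, false),
            'attributes:', startTagAttributeCount(createHTML('x', 'a', 'name', UNTRUSTED, false)));
console.log('escaped:  ', createHTML('x', 'a', 'name', UNTRUSTED, true),
            'attributes:', startTagAttributeCount(createHTML('x', 'a', 'name', UNTRUSTED, true)));
console.log('built-in anchor() escapes quotes:', builtinAnchorEscapesQuotes());
```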
2931 2012-11-08  Anders Carlsson  <andersca@apple.com>
2932
2933         HeapStatistics::s_pauseTimeStarts and s_pauseTimeEnds should be Vectors
2934         https://bugs.webkit.org/show_bug.cgi?id=101651
2935
2936         Reviewed by Andreas Kling.
2937
2938         HeapStatistics uses Deques when Vectors would work just as well.
2939
2940         * heap/HeapStatistics.cpp:
2941         * heap/HeapStatistics.h:
2942         (HeapStatistics):
2943
2944 2012-11-07  Filip Pizlo  <fpizlo@apple.com>
2945
2946         DFG should not assume that something is a double just because it might be undefined
2947         https://bugs.webkit.org/show_bug.cgi?id=101438
2948
2949         Reviewed by Oliver Hunt.
2950
2951         This changes all non-bitop arithmetic to (a) statically expect that variables are
2952         defined prior to use in arithmetic and (b) not fall off into double paths just
2953         because a value may not be a number. This is accomplished with two new notions of
2954         speculation:
2955         
2956         shouldSpeculateIntegerExpectingDefined: Should we speculate that the value is an
2957         integer if we ignore undefined (i.e. SpecOther) predictions?
2958         
2959         shouldSpeculateIntegerForArithmetic: Should we speculate that the value is an
2960         integer if we ignore non-numeric predictions?
2961         
2962         This is a ~2x speed-up on programs that seem to our prediction propagator to have
2963         paths in which otherwise numeric variables are undefined.
2964
2965         * bytecode/SpeculatedType.h:
2966         (JSC::isInt32SpeculationForArithmetic):
2967         (JSC):
2968         (JSC::isInt32SpeculationExpectingDefined):
2969         (JSC::isDoubleSpeculationForArithmetic):
2970         (JSC::isNumberSpeculationExpectingDefined):
2971         * dfg/DFGAbstractState.cpp:
2972         (JSC::DFG::AbstractState::execute):
2973         * dfg/DFGFixupPhase.cpp:
2974         (JSC::DFG::FixupPhase::fixupNode):
2975         * dfg/DFGGraph.h:
2976         (JSC::DFG::Graph::addShouldSpeculateInteger):
2977         (JSC::DFG::Graph::mulShouldSpeculateInteger):
2978         (JSC::DFG::Graph::negateShouldSpeculateInteger):
2979         (JSC::DFG::Graph::addImmediateShouldSpeculateInteger):
2980         (JSC::DFG::Graph::mulImmediateShouldSpeculateInteger):
2981         * dfg/DFGNode.h:
2982         (JSC::DFG::Node::shouldSpeculateIntegerForArithmetic):
2983         (Node):
2984         (JSC::DFG::Node::shouldSpeculateIntegerExpectingDefined):
2985         (JSC::DFG::Node::shouldSpeculateDoubleForArithmetic):
2986         (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
2987         * dfg/DFGPredictionPropagationPhase.cpp:
2988         (JSC::DFG::PredictionPropagationPhase::propagate):
2989         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
2990         * dfg/DFGSpeculativeJIT.cpp:
2991         (JSC::DFG::SpeculativeJIT::compileAdd):
2992         (JSC::DFG::SpeculativeJIT::compileArithMod):
2993         * dfg/DFGSpeculativeJIT32_64.cpp:
2994         (JSC::DFG::SpeculativeJIT::compile):
2995         * dfg/DFGSpeculativeJIT64.cpp:
2996         (JSC::DFG::SpeculativeJIT::compile):
2997         * jit/JITArithmetic.cpp:
2998         (JSC::JIT::emit_op_div):
2999
3000 2012-11-06  Filip Pizlo  <fpizlo@apple.com>
3001
3002         JSC should infer when indexed storage contains only integers or doubles
3003         https://bugs.webkit.org/show_bug.cgi?id=98606
3004
3005         Reviewed by Oliver Hunt.
3006
3007         This adds two new indexing types: int32 and double. It also adds array allocation profiling,
3008         which allows array allocations to converge to allocating arrays using those types to which
3009         those arrays would have been converted.
3010         
3011         20% speed-up on navier-stokes. 40% speed-up on various Kraken DSP tests. Some slow-downs too,
3012         but a performance win overall on all benchmarks we track.
3013
3014         * API/JSObjectRef.cpp:
3015         (JSObjectMakeArray):
3016         * CMakeLists.txt:
3017         * GNUmakefile.list.am:
3018         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
3019         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
3020         * JavaScriptCore.xcodeproj/project.pbxproj:
3021         * Target.pri:
3022         * assembler/AbstractMacroAssembler.h:
3023         (JumpList):
3024         (JSC::AbstractMacroAssembler::JumpList::JumpList):
3025         * assembler/MacroAssemblerX86Common.h:
3026         (JSC::MacroAssemblerX86Common::branchDouble):
3027         * assembler/X86Assembler.h:
3028         (JSC::X86Assembler::jnp):
3029         (X86Assembler):
3030         (JSC::X86Assembler::X86InstructionFormatter::emitRex):
3031         * bytecode/ArrayAllocationProfile.cpp: Added.
3032         (JSC):
3033         (JSC::ArrayAllocationProfile::updateIndexingType):
3034         * bytecode/ArrayAllocationProfile.h: Added.
3035         (JSC):
3036         (ArrayAllocationProfile):
3037         (JSC::ArrayAllocationProfile::ArrayAllocationProfile):
3038         (JSC::ArrayAllocationProfile::selectIndexingType):
3039         (JSC::ArrayAllocationProfile::updateLastAllocation):
3040         (JSC::ArrayAllocationProfile::selectIndexingTypeFor):
3041         (JSC::ArrayAllocationProfile::updateLastAllocationFor):
3042         * bytecode/ArrayProfile.cpp:
3043         (JSC::ArrayProfile::updatedObservedArrayModes):
3044         (JSC):
3045         * bytecode/ArrayProfile.h:
3046         (JSC):
3047         (JSC::arrayModesInclude):
3048         (JSC::shouldUseSlowPutArrayStorage):
3049         (JSC::shouldUseFastArrayStorage):
3050         (JSC::shouldUseContiguous):
3051         (JSC::shouldUseDouble):
3052         (JSC::shouldUseInt32):
3053         (ArrayProfile):
3054         * bytecode/ByValInfo.h:
3055         (JSC::isOptimizableIndexingType):
3056         (JSC::jitArrayModeForIndexingType):
3057         * bytecode/CodeBlock.cpp:
3058         (JSC::CodeBlock::dump):
3059         (JSC::CodeBlock::CodeBlock):
3060         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
3061         (JSC):
3062         (JSC::CodeBlock::updateAllValueProfilePredictions):
3063         (JSC::CodeBlock::updateAllArrayPredictions):
3064         (JSC::CodeBlock::updateAllPredictions):
3065         (JSC::CodeBlock::shouldOptimizeNow):
3066         * bytecode/CodeBlock.h:
3067         (CodeBlock):
3068         (JSC::CodeBlock::numberOfArrayAllocationProfiles):
3069         (JSC::CodeBlock::addArrayAllocationProfile):
3070         (JSC::CodeBlock::updateAllValueProfilePredictions):
3071         (JSC::CodeBlock::updateAllArrayPredictions):
3072         * bytecode/DFGExitProfile.h:
3073         (JSC::DFG::exitKindToString):
3074         * bytecode/Instruction.h:
3075         (JSC):
3076         (JSC::Instruction::Instruction):
3077         * bytecode/Opcode.h:
3078         (JSC):
3079         (JSC::padOpcodeName):
3080         * bytecode/SpeculatedType.h:
3081         (JSC):
3082         (JSC::isRealNumberSpeculation):
3083         * bytecode/UnlinkedCodeBlock.cpp:
3084         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
3085         * bytecode/UnlinkedCodeBlock.h:
3086         (JSC):
3087         (JSC::UnlinkedCodeBlock::addArrayAllocationProfile):
3088         (JSC::UnlinkedCodeBlock::numberOfArrayAllocationProfiles):
3089         (UnlinkedCodeBlock):
3090         * bytecompiler/BytecodeGenerator.cpp:
3091         (JSC::BytecodeGenerator::newArrayAllocationProfile):
3092         (JSC):
3093         (JSC::BytecodeGenerator::emitNewArray):
3094         (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
3095         * bytecompiler/BytecodeGenerator.h:
3096         (BytecodeGenerator):
3097         * dfg/DFGAbstractState.cpp:
3098         (JSC::DFG::AbstractState::execute):
3099         * dfg/DFGArrayMode.cpp:
3100         (JSC::DFG::ArrayMode::fromObserved):
3101         (JSC::DFG::ArrayMode::refine):
3102         (DFG):
3103         (JSC::DFG::ArrayMode::alreadyChecked):
3104         (JSC::DFG::arrayTypeToString):
3105         * dfg/DFGArrayMode.h:
3106         (JSC::DFG::ArrayMode::withType):
3107         (ArrayMode):
3108         (JSC::DFG::ArrayMode::withTypeAndConversion):
3109         (JSC::DFG::ArrayMode::usesButterfly):
3110         (JSC::DFG::ArrayMode::isSpecific):
3111         (JSC::DFG::ArrayMode::supportsLength):
3112         (JSC::DFG::ArrayMode::arrayModesThatPassFiltering):
3113         * dfg/DFGByteCodeParser.cpp:
3114         (JSC::DFG::ByteCodeParser::getArrayMode):
3115         (ByteCodeParser):
3116         (JSC::DFG::ByteCodeParser::handleIntrinsic):
3117         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
3118         (JSC::DFG::ByteCodeParser::parseBlock):
3119         * dfg/DFGCCallHelpers.h:
3120         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
3121         (CCallHelpers):
3122         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
3123         (JSC::DFG::CallArrayAllocatorSlowPathGenerator::generateInternal):
3124         (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::generateInternal):
3125         * dfg/DFGFixupPhase.cpp:
3126         (JSC::DFG::FixupPhase::fixupNode):
3127         (JSC::DFG::FixupPhase::checkArray):
3128         * dfg/DFGGraph.cpp:
3129         (JSC::DFG::Graph::dump):
3130         * dfg/DFGGraph.h:
3131         (JSC::DFG::Graph::byValIsPure):
3132         * dfg/DFGNode.h:
3133         (NewArrayBufferData):
3134         (JSC::DFG::Node::hasIndexingType):
3135         (Node):
3136         (JSC::DFG::Node::indexingType):
3137         (JSC::DFG::Node::setIndexingType):
3138         * dfg/DFGOperations.cpp:
3139         * dfg/DFGOperations.h:
3140         * dfg/DFGPredictionPropagationPhase.cpp:
3141         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
3142         * dfg/DFGSpeculativeJIT.cpp:
3143         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
3144         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
3145         (DFG):
3146         (JSC::DFG::SpeculativeJIT::checkArray):
3147         (JSC::DFG::SpeculativeJIT::arrayify):
3148         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
3149         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
3150         * dfg/DFGSpeculativeJIT.h:
3151         (JSC::DFG::SpeculativeJIT::callOperation):
3152         (SpeculativeJIT):
3153         (SpeculateIntegerOperand):
3154         (JSC::DFG::SpeculateIntegerOperand::use):
3155         (SpeculateDoubleOperand):
3156         (JSC::DFG::SpeculateDoubleOperand::use):
3157         * dfg/DFGSpeculativeJIT32_64.cpp:
3158         (DFG):
3159         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
3160         (JSC::DFG::SpeculativeJIT::compile):
3161         * dfg/DFGSpeculativeJIT64.cpp:
3162         (JSC::DFG::SpeculativeJIT::compile):
3163         * jit/JIT.h:
3164         (JSC::JIT::emitInt32GetByVal):
3165         (JIT):
3166         (JSC::JIT::emitInt32PutByVal):
3167         (JSC::JIT::emitDoublePutByVal):
3168         (JSC::JIT::emitContiguousPutByVal):
3169         * jit/JITExceptions.cpp:
3170         (JSC::genericThrow):
3171         * jit/JITInlineMethods.h:
3172         (JSC::arrayProfileSaw):
3173         (JSC::JIT::chooseArrayMode):
3174         * jit/JITOpcodes.cpp:
3175         (JSC::JIT::emit_op_new_array):
3176         (JSC::JIT::emit_op_new_array_with_size):
3177         (JSC::JIT::emit_op_new_array_buffer):
3178         * jit/JITPropertyAccess.cpp:
3179         (JSC::JIT::emit_op_get_by_val):
3180         (JSC::JIT::emitDoubleGetByVal):
3181         (JSC):
3182         (JSC::JIT::emitContiguousGetByVal):
3183         (JSC::JIT::emit_op_put_by_val):
3184         (JSC::JIT::emitGenericContiguousPutByVal):
3185         (JSC::JIT::emitSlow_op_put_by_val):
3186         (JSC::JIT::privateCompileGetByVal):
3187         (JSC::JIT::privateCompilePutByVal):
3188         * jit/JITPropertyAccess32_64.cpp:
3189         (JSC::JIT::emit_op_get_by_val):
3190         (JSC::JIT::emitContiguousGetByVal):
3191         (JSC::JIT::emitDoubleGetByVal):
3192         (JSC):
3193         (JSC::JIT::emit_op_put_by_val):
3194         (JSC::JIT::emitGenericContiguousPutByVal):
3195         (JSC::JIT::emitSlow_op_put_by_val):
3196         * jit/JITStubs.cpp:
3197         (JSC::DEFINE_STUB_FUNCTION):
3198         * jit/JITStubs.h:
3199         (JSC):
3200         * jsc.cpp:
3201         (GlobalObject::finishCreation):
3202         * llint/LLIntSlowPaths.cpp:
3203         (JSC::LLInt::jitCompileAndSetHeuristics):
3204         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3205         * llint/LowLevelInterpreter.asm:
3206         * llint/LowLevelInterpreter32_64.asm:
3207         * llint/LowLevelInterpreter64.asm:
3208         * offlineasm/x86.rb:
3209         * runtime/ArrayConstructor.cpp:
3210         (JSC::constructArrayWithSizeQuirk):
3211         * runtime/ArrayConstructor.h:
3212         (JSC):
3213         * runtime/ArrayPrototype.cpp:
3214         (JSC::arrayProtoFuncConcat):
3215         (JSC::arrayProtoFuncSlice):
3216         (JSC::arrayProtoFuncSplice):
3217         (JSC::arrayProtoFuncFilter):
3218         (JSC::arrayProtoFuncMap):
3219         * runtime/Butterfly.h:
3220         (JSC::Butterfly::contiguousInt32):
3221         (JSC::Butterfly::contiguousDouble):
3222         (JSC::Butterfly::fromContiguous):
3223         * runtime/ButterflyInlineMethods.h:
3224         (JSC::Butterfly::createUninitializedDuringCollection):
3225         * runtime/FunctionPrototype.cpp:
3226         (JSC::functionProtoFuncBind):
3227         * runtime/IndexingHeaderInlineMethods.h:
3228         (JSC::IndexingHeader::indexingPayloadSizeInBytes):
3229         * runtime/IndexingType.cpp:
3230         (JSC::leastUpperBoundOfIndexingTypes):
3231         (JSC):
3232         (JSC::leastUpperBoundOfIndexingTypeAndType):
3233         (JSC::leastUpperBoundOfIndexingTypeAndValue):
3234         (JSC::indexingTypeToString):
3235         * runtime/IndexingType.h:
3236         (JSC):
3237         (JSC::hasUndecided):
3238         (JSC::hasInt32):
3239         (JSC::hasDouble):
3240         * runtime/JSArray.cpp:
3241         (JSC::JSArray::setLength):
3242         (JSC::JSArray::pop):
3243         (JSC::JSArray::push):
3244         (JSC::JSArray::shiftCountWithAnyIndexingType):
3245         (JSC::JSArray::unshiftCountWithAnyIndexingType):
3246         (JSC::compareNumbersForQSortWithInt32):
3247         (JSC):
3248         (JSC::compareNumbersForQSortWithDouble):
3249         (JSC::JSArray::sortNumericVector):
3250         (JSC::JSArray::sortNumeric):
3251         (JSC::JSArray::sortCompactedVector):
3252         (JSC::JSArray::sort):
3253         (JSC::JSArray::sortVector):
3254         (JSC::JSArray::fillArgList):
3255         (JSC::JSArray::copyToArguments):
3256         (JSC::JSArray::compactForSorting):
3257         * runtime/JSArray.h:
3258         (JSArray):
3259         (JSC::createContiguousArrayButterfly):
3260         (JSC::JSArray::create):
3261         (JSC::JSArray::tryCreateUninitialized):
3262         * runtime/JSGlobalObject.cpp:
3263         (JSC::JSGlobalObject::reset):
3264         (JSC):
3265         (JSC::JSGlobalObject::haveABadTime):
3266         (JSC::JSGlobalObject::visitChildren):
3267         * runtime/JSGlobalObject.h:
3268         (JSGlobalObject):
3269         (JSC::JSGlobalObject::originalArrayStructureForIndexingType):
3270         (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation):
3271         (JSC::JSGlobalObject::arrayStructureForProfileDuringAllocation):
3272         (JSC::JSGlobalObject::isOriginalArrayStructure):
3273         (JSC::constructEmptyArray):
3274         (JSC::constructArray):
3275         * runtime/JSObject.cpp:
3276         (JSC::JSObject::copyButterfly):
3277         (JSC::JSObject::getOwnPropertySlotByIndex):
3278         (JSC::JSObject::putByIndex):
3279         (JSC::JSObject::enterDictionaryIndexingMode):
3280         (JSC::JSObject::createInitialIndexedStorage):
3281         (JSC):
3282         (JSC::JSObject::createInitialUndecided):
3283         (JSC::JSObject::createInitialInt32):
3284         (JSC::JSObject::createInitialDouble):
3285         (JSC::JSObject::createInitialContiguous):
3286         (JSC::JSObject::convertUndecidedToInt32):
3287         (JSC::JSObject::convertUndecidedToDouble):
3288         (JSC::JSObject::convertUndecidedToContiguous):
3289         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
3290         (JSC::JSObject::convertUndecidedToArrayStorage):
3291         (JSC::JSObject::convertInt32ToDouble):
3292         (JSC::JSObject::convertInt32ToContiguous):
3293         (JSC::JSObject::convertInt32ToArrayStorage):
3294         (JSC::JSObject::convertDoubleToContiguous):
3295         (JSC::JSObject::convertDoubleToArrayStorage):
3296         (JSC::JSObject::convertContiguousToArrayStorage):
3297         (JSC::JSObject::convertUndecidedForValue):
3298         (JSC::JSObject::convertInt32ForValue):
3299         (JSC::JSObject::setIndexQuicklyToUndecided):
3300         (JSC::JSObject::convertInt32ToDoubleOrContiguousWhilePerformingSetIndex):
3301         (JSC::JSObject::convertDoubleToContiguousWhilePerformingSetIndex):
3302         (JSC::JSObject::ensureInt32Slow):
3303         (JSC::JSObject::ensureDoubleSlow):
3304         (JSC::JSObject::ensureContiguousSlow):
3305         (JSC::JSObject::ensureArrayStorageSlow):
3306         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
3307         (JSC::JSObject::switchToSlowPutArrayStorage):
3308         (JSC::JSObject::deletePropertyByIndex):
3309         (JSC::JSObject::getOwnPropertyNames):
3310         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
3311         (JSC::JSObject::putByIndexBeyondVectorLength):
3312         (JSC::JSObject::putDirectIndexBeyondVectorLength):
3313         (JSC::JSObject::getNewVectorLength):
3314         (JSC::JSObject::countElements):
3315         (JSC::JSObject::ensureLengthSlow):
3316         (JSC::JSObject::getOwnPropertyDescriptor):
3317         * runtime/JSObject.h:
3318         (JSC::JSObject::getArrayLength):
3319         (JSC::JSObject::getVectorLength):
3320         (JSC::JSObject::canGetIndexQuickly):
3321         (JSC::JSObject::getIndexQuickly):
3322         (JSC::JSObject::tryGetIndexQuickly):
3323         (JSC::JSObject::canSetIndexQuickly):
3324         (JSC::JSObject::canSetIndexQuicklyForPutDirect):
3325         (JSC::JSObject::setIndexQuickly):
3326         (JSC::JSObject::initializeIndex):
3327         (JSC::JSObject::hasSparseMap):
3328         (JSC::JSObject::inSparseIndexingMode):
3329         (JSObject):
3330         (JSC::JSObject::ensureInt32):
3331         (JSC::JSObject::ensureDouble):
3332         (JSC::JSObject::ensureLength):
3333         (JSC::JSObject::indexingData):
3334         (JSC::JSObject::currentIndexingData):
3335         (JSC::JSObject::getHolyIndexQuickly):
3336         (JSC::JSObject::relevantLength):
3337         (JSC::JSObject::currentRelevantLength):
3338         * runtime/JSValue.cpp:
3339         (JSC::JSValue::description):
3340         * runtime/LiteralParser.cpp:
3341         (JSC::::parse):
3342         * runtime/ObjectConstructor.cpp:
3343         (JSC::objectConstructorGetOwnPropertyNames):
3344         (JSC::objectConstructorKeys):
3345         * runtime/StringPrototype.cpp:
3346         (JSC::stringProtoFuncMatch):
3347         (JSC::stringProtoFuncSplit):
3348         * runtime/Structure.cpp:
3349         (JSC::Structure::nonPropertyTransition):
3350         * runtime/StructureTransitionTable.h:
3351         (JSC::newIndexingType):
3352
3353 2012-11-08  Balazs Kilvady  <kilvadyb@homejinni.com>
3354
3355         ASSERT problem on MIPS
3356         https://bugs.webkit.org/show_bug.cgi?id=100589
3357
3358         Reviewed by Oliver Hunt.
3359
3360         ASSERT fix for MIPS arch.
3361
3362         * jit/JITOpcodes.cpp:
3363         (JSC::JIT::emit_resolve_operations):
3364
3365 2012-11-08  Michael Saboff  <msaboff@apple.com>
3366
3367         OpaqueJSClassContextData() should use StringImpl::isolatedCopy() to make string copies
3368         https://bugs.webkit.org/show_bug.cgi?id=101507
3369
3370         Reviewed by Andreas Kling.
3371
3372         Changed to use isolatedCopy() for key Strings.
3373
3374         * API/JSClassRef.cpp:
3375         (OpaqueJSClassContextData::OpaqueJSClassContextData):
3376
3377 2012-11-07  Mark Hahnenberg  <mhahnenberg@apple.com>
3378
3379         WeakBlocks should be HeapBlocks
3380         https://bugs.webkit.org/show_bug.cgi?id=101411
3381
3382         Reviewed by Oliver Hunt.
3383
3384         Currently WeakBlocks use fastMalloc memory. They are very similar to the other HeapBlocks, however, 
3385         so we should change them to being allocated with the BlockAllocator.
3386
3387         * heap/BlockAllocator.cpp:
3388         (JSC::BlockAllocator::BlockAllocator):
3389         * heap/BlockAllocator.h: Added a new RegionSet for WeakBlocks.
3390         (JSC):
3391         (BlockAllocator):
3392         (JSC::WeakBlock):
3393         * heap/Heap.h: Friended WeakSet to allow access to the BlockAllocator.
3394         (Heap):
3395         * heap/WeakBlock.cpp:
3396         (JSC::WeakBlock::create): Refactored to use HeapBlocks rather than fastMalloc.
3397         (JSC::WeakBlock::WeakBlock):
3398         * heap/WeakBlock.h: Changed the WeakBlock size to 4 KB so that it divides evenly into the Region size.
3399         (JSC):
3400         (WeakBlock):
3401         * heap/WeakSet.cpp:
3402         (JSC::WeakSet::~WeakSet):
3403         (JSC::WeakSet::addAllocator):
3404
3405 2012-11-07  Filip Pizlo  <fpizlo@apple.com>
3406
3407         Indentation of ArgList.h is wrong
3408         https://bugs.webkit.org/show_bug.cgi?id=101441
3409
3410         Reviewed by Andreas Kling.
3411
3412         Just unindented by 4 spaces.
3413
3414         * runtime/ArgList.h:
3415
3416 2012-11-07  Gabor Ballabas  <gaborb@inf.u-szeged.hu>
3417
3418         [Qt][ARM] REGRESSION(r133688): It made all JSC and layout tests crash on ARM traditional platform
3419         https://bugs.webkit.org/show_bug.cgi?id=101465
3420
3421         Reviewed by Oliver Hunt.
3422
3423         Fix failing javascriptcore tests on ARM after r133688
3424
3425         * bytecode/CodeBlock.cpp:
3426         (JSC::CodeBlock::CodeBlock):
3427
3428 2012-11-06  Oliver Hunt  <oliver@apple.com>
3429
3430         Reduce parser overhead in JSC
3431         https://bugs.webkit.org/show_bug.cgi?id=101127
3432
3433         Reviewed by Filip Pizlo.
3434
3435         An exciting journey into the world of architecture in which our hero
3436         adds yet another layer to JSC codegeneration.
3437
3438         This patch adds a marginally more compact form of bytecode that is
3439         free from any data specific to a given execution context, and that
3440         does store any data structures necessary for execution.  To actually
3441         execute this UnlinkedBytecode we still need to instantiate a real
3442         CodeBlock, but this is a much faster linear time operation than any
3443         of the earlier parsing or code generation passes.
3444
3445         As the unlinked code is context free we can then simply use a cache
3446         from source to unlinked code mapping to completely avoid all of the
3447         old parser overhead.  The cache is currently very simple and memory
3448         heavy, using the complete source text as a key (rather than SourceCode
3449         or equivalent), and a random eviction policy.
3450
3451         This seems to produce a substantial win when loading identical content
3452         in different contexts.
3453
3454         * API/tests/testapi.c:
3455         (main):
3456         * CMakeLists.txt:
3457         * GNUmakefile.list.am:
3458         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
3459         * JavaScriptCore.xcodeproj/project.pbxproj:
3460         * bytecode/CodeBlock.cpp:
3461         * bytecode/CodeBlock.h:
3462             Moved a number of fields, and a bunch of logic to UnlinkedCodeBlock.h/cpp
3463         * bytecode/Opcode.h:
3464             Added a global const init no op instruction needed to get correct
3465             behaviour without any associated semantics.
3466         * bytecode/UnlinkedCodeBlock.cpp: Added.
3467         * bytecode/UnlinkedCodeBlock.h: Added.
3468             A fairly shallow, GC allocated version of the old CodeBlock
3469             classes with a 32bit instruction size, and just metadata
3470             size tracking.
3471         * bytecompiler/BytecodeGenerator.cpp:
3472         * bytecompiler/BytecodeGenerator.h:
3473             Replace direct access to m_symbolTable with access through
3474             symbolTable().  ProgramCode no longer has a symbol table at
3475             all so some previously unconditional (and pointless) uses
3476             of symbolTable get null checks.
3477             A few other changes to deal with type changes due to us generating
3478             unlinked code (eg. pointer free, so profile indices rather than
3479             pointers).
3480         * dfg/DFGByteCodeParser.cpp:
3481         * dfg/DFGCapabilities.h:
3482             Support global_init_nop        
3483         * interpreter/Interpreter.cpp:
3484             Now get the ProgramExecutable to initialise new global properties
3485             before starting execution.        
3486         * jit/JIT.cpp:
3487         * jit/JITDriver.h:
3488         * jit/JITStubs.cpp:
3489         * llint/LLIntData.cpp:
3490         * llint/LLIntSlowPaths.cpp:
3491         * llint/LowLevelInterpreter.asm:
3492         * llint/LowLevelInterpreter32_64.asm:
3493         * llint/LowLevelInterpreter64.asm:
3494             Adding init_global_const_nop everywhere else
3495         * parser/Parser.h:
3496         * parser/ParserModes.h: Added.
3497         * parser/ParserTokens.h:
3498             Parser no longer needs a global object or callframe to function        
3499         * runtime/CodeCache.cpp: Added.
3500         * runtime/CodeCache.h: Added.
3501             A simple, random eviction, Source->UnlinkedCode cache        
3502         * runtime/Executable.cpp:
3503         * runtime/Executable.h:
3504             Executables now reference their unlinked counterparts, and
3505             request code specifically for the target global object.        
3506         * runtime/JSGlobalData.cpp:
3507         * runtime/JSGlobalData.h:
3508             GlobalData now owns a CodeCache and a set of new structures
3509             for the unlinked code types.  
3510         * runtime/JSGlobalObject.cpp:
3511         * runtime/JSGlobalObject.h:
3512             Utility functions used by executables to perform compilation
3513  
3514         * runtime/JSType.h:
3515           Add new JSTypes for unlinked code
3516
3517 2012-11-06  Michael Saboff  <msaboff@apple.com>
3518
3519         JSStringCreateWithCFString() Should create an 8 bit String if possible
3520         https://bugs.webkit.org/show_bug.cgi?id=101104
3521
3522         Reviewed by Darin Adler.
3523
3524         Try converting the CFString to an 8 bit string using CFStringGetBytes(...,
3525         kCFStringEncodingISOLatin1, ...) and return the 8 bit string if successful.
3526         If not proceed with 16 bit conversion.
3527
3528         * API/JSStringRefCF.cpp:
3529         (JSStringCreateWithCFString):
3530
3531 2012-11-06  Oliver Hunt  <oliver@apple.com>
3532
3533         Reduce direct m_symbolTable usage in CodeBlock
3534         https://bugs.webkit.org/show_bug.cgi?id=101391
3535
3536         Reviewed by Sam Weinig.
3537
3538         Simple refactoring.
3539
3540         * bytecode/CodeBlock.cpp:
3541         (JSC::CodeBlock::dump):
3542         (JSC::CodeBlock::dumpStatistics):
3543         (JSC::CodeBlock::nameForRegister):
3544         * bytecode/CodeBlock.h:
3545         (JSC::CodeBlock::isCaptured):
3546
3547 2012-11-06  Michael Saboff  <msaboff@apple.com>
3548
3549         Lexer::scanRegExp, create 8 bit pattern and flag Identifiers from 16 bit source when possible
3550         https://bugs.webkit.org/show_bug.cgi?id=101013
3551
3552         Reviewed by Darin Adler.
3553
3554         Changed scanRegExp so that it will create 8 bit identifiers from 8 bit sources and from 16 bit sources
3555         when all the characters are 8 bit.  Using two templated helpers, the "is all 8 bit" check is only performed
3556         on 16 bit sources.  The first helper is orCharacter() that will accumulate the or value of all characters
3557         only for 16 bit sources.  Replaced the helper Lexer::makeIdentifierSameType() with Lexer::makeRightSizedIdentifier().
3558
3559         * parser/Lexer.cpp:
3560         (JSC::orCharacter<LChar>): Explicit template that serves as a placeholder.
3561         (JSC::orCharacter<UChar>): Explicit template that actually OR-accumulates characters.
3562         (JSC::Lexer::scanRegExp):
3563         * parser/Lexer.h:
3564         (Lexer):
3565         (JSC::Lexer::makeRightSizedIdentifier<LChar>): New template that always creates an 8 bit Identifier.
3566         (JSC::Lexer::makeRightSizedIdentifier<UChar>): New template that creates an 8 bit Identifier for 8 bit
3567         data in a 16 bit source.
3568
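Added example (not JSC's code) for the two Michael Saboff entries above, JSStringCreateWithCFString and Lexer::scanRegExp: both narrow 16-bit text to 8-bit storage when every code unit fits in one byte, and the lexer entry does the check by OR-ing all code units and testing the high byte once. The functions orCharacters, isAll8Bit and makeRightSizedIdentifier are mine; JavaScript strings are always UTF-16 code units, so the scan is the only path shown and the narrowed result is modelled as a Uint8Array versus a Uint16Array.

```javascript
// OR together every UTF-16 code unit in str[start, end). A single pass with
// no branches per character; any unit above 0xFF sets a bit in the high byte.
function orCharacters(str, start = 0, end = str.length) {
  let acc = 0;
  for (let i = start; i < end; i++) acc |= str.charCodeAt(i);
  return acc;
}

// True iff every code unit in the range is in the Latin-1 range (<= 0xFF).
function isAll8Bit(str, start = 0, end = str.length) {
  return (orCharacters(str, start, end) & 0xff00) === 0;
}

// Return the narrowest storage for the range: one byte per character when
// the OR test passes, two bytes per character otherwise.
function makeRightSizedIdentifier(str, start = 0, end = str.length) {
  const length = end - start;
  const out = isAll8Bit(str, start, end) ? new Uint8Array(length) : new Uint16Array(length);
  for (let i = 0; i < length; i++) out[i] = str.charCodeAt(start + i);
  return out;
}

// Like scanRegExp: split a constructed "/pattern/flags" literal into two
// right-sized identifiers without copying the source first.
function scanRegExpLiteral(src) {
  const close = src.lastIndexOf('/');
  if (src[0] !== '/' || close <= 0) throw new SyntaxError('not a regexp literal');
  return {
    pattern: makeRightSizedIdentifier(src, 1, close),
    flags: makeRightSizedIdentifier(src, close + 1, src.length),
  };
}
```

The point of the OR trick is that the decision is made with one comparison after the loop instead of a branch per character; the cost of the scan is paid only on 16-bit input, since 8-bit input is already as narrow as it can get.
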
3569 2012-11-06  Filip Pizlo  <fpizlo@apple.com>
3570
3571         Indentation of JSCell.h is wrong
3572         https://bugs.webkit.org/show_bug.cgi?id=101379
3573
3574         Rubber stamped by Alexey Proskuryakov.
3575
3576         Just removed four spaces on a bunch of lines.
3577
3578         * runtime/JSCell.h:
3579
3580 2012-11-05  Filip Pizlo  <fpizlo@apple.com>
3581
3582         Indentation of JSObject.h is wrong
3583         https://bugs.webkit.org/show_bug.cgi?id=101313
3584
3585         Rubber stamped by Alexey Proskuryakov.
3586
3587         Just unindented code, since namespace bodies shouldn't be indented.
3588
3589         * runtime/JSObject.h:
3590
3591 2012-11-05  Filip Pizlo  <fpizlo@apple.com>
3592
3593         Indentation of JSArray.h is wrong
3594         https://bugs.webkit.org/show_bug.cgi?id=101314
3595
3596         Rubber stamped by Alexey Proskuryakov.
3597
3598         Just removing the indentation inside the namespace body.
3599
3600         * runtime/JSArray.h:
3601
3602 2012-11-05  Filip Pizlo  <fpizlo@apple.com>
3603
3604         DFG should not fall down to patchable GetById just because a prototype had things added to it
3605         https://bugs.webkit.org/show_bug.cgi?id=101299
3606
3607         Reviewed by Geoffrey Garen.
3608
3609         This looks like a slight win on V8v7 and SunSpider.
3610
3611         * bytecode/DFGExitProfile.h:
3612         (JSC::DFG::exitKindToString):
3613         * dfg/DFGSpeculativeJIT64.cpp:
3614         (JSC::DFG::SpeculativeJIT::compile):
3615
3616 2012-11-05  Filip Pizlo  <fpizlo@apple.com>
3617
3618         Get rid of method_check
3619         https://bugs.webkit.org/show_bug.cgi?id=101147
3620
3621         Reviewed by Geoffrey Garen.
3622
3623         op_method_check no longer buys us anything, since get_by_id proto caching
3624         gives just as much profiling information and the DFG inlines monomorphic
3625         proto accesses anyway.
3626         
3627         This also has the potential for a speed-up since it makes parsing of
3628         profiling data easier. No longer do we have to deal with the confusion of
3629         the get_by_id portion of a method_check appearing monomorphic even though
3630         we're really dealing with a bimorphic access (method_check specializes for
3631         one case and get_by_id for another).
3632
3633         This looks like a 1% speed-up on both SunSpider and V8v7.
3634
3635         * CMakeLists.txt:
3636         * GNUmakefile.list.am:
3637         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
3638         * JavaScriptCore.xcodeproj/project.pbxproj:
3639         * Target.pri:
3640         * bytecode/CodeBlock.cpp:
3641         (JSC::CodeBlock::printGetByIdCacheStatus):
3642         (JSC::CodeBlock::dump):
3643         (JSC::CodeBlock::finalizeUnconditionally):
3644         (JSC::CodeBlock::shrinkToFit):
3645         (JSC::CodeBlock::unlinkCalls):
3646         * bytecode/CodeBlock.h:
3647         (JSC::CodeBlock::getCallLinkInfo):
3648         (JSC::CodeBlock::callLinkInfo):
3649         (CodeBlock):
3650         * bytecode/GetByIdStatus.cpp:
3651         (JSC::GetByIdStatus::computeFromLLInt):
3652         * bytecode/MethodCallLinkInfo.cpp: Removed.
3653         * bytecode/MethodCallLinkInfo.h: Removed.
3654         * bytecode/MethodCallLinkStatus.cpp: Removed.
3655         * bytecode/MethodCallLinkStatus.h: Removed.
3656         * bytecode/Opcode.h:
3657         (JSC):
3658         (JSC::padOpcodeName):
3659         * bytecompiler/BytecodeGenerator.cpp:
3660         (JSC):
3661         * bytecompiler/BytecodeGenerator.h:
3662         (BytecodeGenerator):
3663         * bytecompiler/NodesCodegen.cpp:
3664         (JSC::FunctionCallDotNode::emitBytecode):
3665         * dfg/DFGByteCodeParser.cpp:
3666         (JSC::DFG::ByteCodeParser::parseBlock):
3667         * dfg/DFGCapabilities.h:
3668         (JSC::DFG::canCompileOpcode):
3669         * jit/JIT.cpp:
3670         (JSC::JIT::privateCompileMainPass):
3671         (JSC::JIT::privateCompileSlowCases):
3672         (JSC::PropertyStubCompilationInfo::copyToStubInfo):
3673         (JSC::JIT::privateCompile):
3674         * jit/JIT.h:
3675         (JSC::PropertyStubCompilationInfo::slowCaseInfo):
3676         (PropertyStubCompilationInfo):
3677         (JSC):
3678         (JIT):
3679         * jit/JITPropertyAccess.cpp:
3680         (JSC):
3681         (JSC::JIT::emitSlow_op_get_by_id):
3682         (JSC::JIT::compileGetByIdSlowCase):
3683         * jit/JITPropertyAccess32_64.cpp:
3684         (JSC):
3685         (JSC::JIT::compileGetByIdSlowCase):
3686         * jit/JITStubs.cpp:
3687         (JSC):
3688         * jit/JITStubs.h:
3689         * llint/LowLevelInterpreter.asm:
3690
3691 2012-11-05  Yuqiang Xian  <yuqiang.xian@intel.com>
3692
3693         Refactor LLInt64 to distinguish the pointer operations from the 64-bit integer operations
3694         https://bugs.webkit.org/show_bug.cgi?id=100321
3695
3696         Reviewed by Filip Pizlo.
3697
3698         We have refactored the MacroAssembler and JIT compilers to distinguish
3699         the pointer operations from the 64-bit integer operations (see bug #99154).
3700         Now we want to do similar work for LLInt, and the goal is the same as
3701         the one mentioned in 99154.
3702
3703         This is the second part of the modification: in the low level interpreter,
3704         changing the operations on 64-bit integers to use the "<foo>q" instructions.
3705         This also removes some unused/meaningless "<foo>p" instructions.
3706
3707         * llint/LowLevelInterpreter.asm:
3708         * llint/LowLevelInterpreter.cpp:
3709         (JSC::CLoop::execute):
3710         * llint/LowLevelInterpreter64.asm:
3711         * offlineasm/armv7.rb:
3712         * offlineasm/cloop.rb:
3713         * offlineasm/instructions.rb:
3714         * offlineasm/x86.rb:
3715
3716 2012-11-05  Filip Pizlo  <fpizlo@apple.com>
3717
3718         Prototype chain caching should check that the path from the base object to the slot base involves prototype hops only
3719         https://bugs.webkit.org/show_bug.cgi?id=101276
3720
3721         Reviewed by Gavin Barraclough.
3722
3723         Changed normalizePrototypeChain() to report an invalid prototype chain if any object is a proxy.
3724         This catches cases where our prototype chain checks would have been insufficient to guard against
3725         newly introduced properties, despecialized properties, or deleted properties in the chain of
3726         objects involved in the access.
3727
3728         * dfg/DFGRepatch.cpp:
3729         (JSC::DFG::tryCacheGetByID):
3730         (JSC::DFG::tryBuildGetByIDProtoList):
3731         (JSC::DFG::tryCachePutByID):
3732         (JSC::DFG::tryBuildPutByIdList):
3733         * jit/JITStubs.cpp:
3734         (JSC::JITThunks::tryCachePutByID):
3735         (JSC::JITThunks::tryCacheGetByID):
3736         (JSC::DEFINE_STUB_FUNCTION):
3737         * llint/LLIntSlowPaths.cpp:
3738         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3739         * runtime/Operations.h:
3740         (JSC):
3741         (JSC::normalizePrototypeChain):
3742
3743 2012-11-05  Dima Gorbik  <dgorbik@apple.com>
3744
3745         Back out controversial changes from Bug 98665.
3746         https://bugs.webkit.org/show_bug.cgi?id=101244
3747
3748         Reviewed by David Kilzer.
3749
3750         Backing out changes from Bug 98665 until further discussions take place on rules for including Platform.h in Assertions.h.
3751
3752         * API/tests/minidom.c:
3753         * API/tests/testapi.c:
3754
3755 2012-11-04  Filip Pizlo  <fpizlo@apple.com>
3756
3757         Reduce the verbosity of referring to QNaN in JavaScriptCore
3758         https://bugs.webkit.org/show_bug.cgi?id=101174
3759
3760         Reviewed by Geoffrey Garen.
3761
3762         Introduces a #define QNaN in JSValue.h, and replaces all previous uses of
3763         std::numeric_limits<double>::quiet_NaN() with QNaN.
3764
3765         * API/JSValueRef.cpp:
3766         (JSValueMakeNumber):
3767         (JSValueToNumber):
3768         * dfg/DFGSpeculativeJIT.cpp:
3769         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
3770         * jit/JITPropertyAccess.cpp:
3771         (JSC::JIT::emitFloatTypedArrayGetByVal):
3772         * runtime/CachedTranscendentalFunction.h:
3773         (JSC::CachedTranscendentalFunction::initialize):
3774         * runtime/DateConstructor.cpp:
3775         (JSC::constructDate):
3776         * runtime/DateInstanceCache.h:
3777         (JSC::DateInstanceData::DateInstanceData):
3778         (JSC::DateInstanceCache::reset):
3779         * runtime/ExceptionHelpers.cpp:
3780         (JSC::InterruptedExecutionError::defaultValue):
3781         (JSC::TerminatedExecutionError::defaultValue):
3782         * runtime/JSCell.h:
3783         (JSC::JSValue::getPrimitiveNumber):
3784         * runtime/JSDateMath.cpp:
3785         (JSC::parseDateFromNullTerminatedCharacters):
3786         * runtime/JSGlobalData.cpp:
3787         (JSC::JSGlobalData::JSGlobalData):
3788         (JSC::JSGlobalData::resetDateCache):
3789         * runtime/JSGlobalObjectFunctions.cpp:
3790         (JSC::parseInt):
3791         (JSC::jsStrDecimalLiteral):
3792         (JSC::toDouble):
3793         (JSC::jsToNumber):
3794         (JSC::parseFloat):
3795         * runtime/JSValue.cpp:
3796         (JSC::JSValue::toNumberSlowCase):
3797         * runtime/JSValue.h:
3798         (JSC):
3799         * runtime/JSValueInlineMethods.h:
3800         (JSC::jsNaN):
3801         * runtime/MathObject.cpp:
3802         (JSC::mathProtoFuncMax):
3803         (JSC::mathProtoFuncMin):
3804
3805 2012-11-03  Filip Pizlo  <fpizlo@apple.com>
3806
3807         Baseline JIT should use structure watchpoints whenever possible
3808         https://bugs.webkit.org/show_bug.cgi?id=101146
3809
3810         Reviewed by Sam Weinig.
3811
3812         No speed-up yet except on toy programs. I think that it will start to show
3813         speed-ups with https://bugs.webkit.org/show_bug.cgi?id=101147, which this is
3814         a step towards.
3815
3816         * jit/JIT.h:
3817         (JIT):
3818         * jit/JITPropertyAccess.cpp:
3819         (JSC::JIT::privateCompilePutByIdTransition):
3820         (JSC::JIT::privateCompileGetByIdProto):
3821         (JSC::JIT::privateCompileGetByIdProtoList):
3822         (JSC::JIT::privateCompileGetByIdChainList):
3823         (JSC::JIT::privateCompileGetByIdChain):
3824         (JSC::JIT::addStructureTransitionCheck):
3825         (JSC):
3826         (JSC::JIT::testPrototype):
3827         * jit/JITPropertyAccess32_64.cpp:
3828         (JSC::JIT::privateCompilePutByIdTransition):
3829         (JSC::JIT::privateCompileGetByIdProto):
3830         (JSC::JIT::privateCompileGetByIdProtoList):
3831         (JSC::JIT::privateCompileGetByIdChainList):
3832         (JSC::JIT::privateCompileGetByIdChain):
3833
3834 2012-11-04  Csaba Osztrogonác  <ossy@webkit.org>
3835
3836         [Qt] udis86_itab.c is always regenerated
3837         https://bugs.webkit.org/show_bug.cgi?id=100756
3838
3839         Reviewed by Simon Hausmann.
3840
3841         * DerivedSources.pri: Generate sources to the generated directory.
3842         * disassembler/udis86/differences.txt:
3843         * disassembler/udis86/itab.py: Add --outputDir option.
3844         (UdItabGenerator.__init__):
3845         (genItabH):
3846         (genItabC):
3847         (main):
3848
3849 2012-11-02  Filip Pizlo  <fpizlo@apple.com>
3850
3851         LLInt 32-bit put_by_val ArrayStorage case should use the right register (t3, not t2) for the index in the publicLength updating path
3852         https://bugs.webkit.org/show_bug.cgi?id=101118
3853
3854         Reviewed by Gavin Barraclough.
3855
3856         * llint/LowLevelInterpreter32_64.asm:
3857
3858 2012-11-02  Filip Pizlo  <fpizlo@apple.com>
3859
3860         DFG::Node::convertToStructureTransitionWatchpoint should take kindly to ArrayifyToStructure
3861         https://bugs.webkit.org/show_bug.cgi?id=101117
3862
3863         Reviewed by Gavin Barraclough.
3864
3865         We have logic to convert ArrayifyToStructure to StructureTransitionWatchpoint, which is awesome, except
3866         that previously convertToStructureTransitionWatchpoint was (a) asserting that it never saw an
3867         ArrayifyToStructure and (b) would incorrectly create a ForwardStructureTransitionWatchpoint if it did.
3868
3869         * dfg/DFGNode.h:
3870         (JSC::DFG::Node::convertToStructureTransitionWatchpoint):
3871
3872 2012-11-02  Filip Pizlo  <fpizlo@apple.com>
3873
3874         DFG::SpeculativeJIT::typedArrayDescriptor should use the Float64Array descriptor for Float64Arrays
3875         https://bugs.webkit.org/show_bug.cgi?id=101114
3876
3877         Reviewed by Gavin Barraclough.
3878
3879         As in https://bugs.webkit.org/show_bug.cgi?id=101112, this was only wrong when Float64Array descriptors
3880         hadn't been initialized yet. That happens rarely, but when it does happen, we would crash.
3881         
3882         This would also become much more wrong if we ever put type size info (num bytes, etc) in the descriptor
3883         and used that directly. So it's good to fix it.
3884
3885         * dfg/DFGSpeculativeJIT.cpp:
3886         (JSC::DFG::SpeculativeJIT::typedArrayDescriptor):
3887
3888 2012-11-02  Filip Pizlo  <fpizlo@apple.com>
3889
3890         JIT::privateCompileGetByVal should use the uint8ClampedArrayDescriptor for compiling accesses to Uint8ClampedArrays
3891         https://bugs.webkit.org/show_bug.cgi?id=101112
3892
3893         Reviewed by Gavin Barraclough.
3894
3895         The only reason why the code was wrong to use uint8ArrayDescriptor instead is that if we're just using
3896         Uint8ClampedArrays then the descriptor for Uint8Array may not have been initialized.
3897
3898         * jit/JITPropertyAccess.cpp:
3899         (JSC::JIT::privateCompileGetByVal):
3900
3901 2012-11-02  Mark Hahnenberg  <mhahnenberg@apple.com>
3902
3903         MarkedBlocks should use something other than the mark bits to indicate liveness for newly allocated objects
3904         https://bugs.webkit.org/show_bug.cgi?id=100877
3905
3906         Reviewed by Filip Pizlo.
3907
3908         Currently when we canonicalize cell liveness data in MarkedBlocks, we set the mark bit for every cell in the 
3909         block except for those in the free list. This allows objects that were allocated since the 
3910         previous collection to be considered live until they have a chance to be properly marked by the collector.
3911
3912         If we want to use the mark bits to signify other types of information, e.g. using sticky mark bits for generational 
3913         collection, we will have to keep track of newly allocated objects in a different fashion when we canonicalize cell liveness.
3914
3915         One method would be to allocate a separate set of bits while canonicalizing liveness data. These bits would 
3916         track the newly allocated objects in the block separately from those objects that had already been marked. We would 
3917         then check these bits, along with the mark bits, when determining liveness. 
3918
3919         * heap/Heap.h:
3920         (Heap):
3921         (JSC::Heap::isLive): We now check for the presence of the newlyAllocated Bitmap.
3922         (JSC):
3923         * heap/MarkedBlock.cpp:
3924         (JSC::MarkedBlock::specializedSweep): We clear the newlyAllocated Bitmap if we're creating a free list. This 
3925         will happen if we canonicalize liveness data for some other reason than collection (e.g. forEachCell) and 
3926         then start allocating again.
3927         (JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor): 
3928         (SetNewlyAllocatedFunctor):
3929         (JSC::SetNewlyAllocatedFunctor::operator()): We set the newlyAllocated bits for all the objects 
3930         that aren't already marked. We undo the bits for the objects in the free list later in canonicalizeCellLivenessData.
3931         (JSC::MarkedBlock::canonicalizeCellLivenessData): We should never have a FreeListed block with a newlyAllocated Bitmap.
3932         We allocate the new Bitmap, set the bits for all the objects that aren't already marked, and then unset all of the 
3933         bits for the items currently in the FreeList.
3934         * heap/MarkedBlock.h:
3935         (JSC::MarkedBlock::clearMarks): We clear the newlyAllocated bitmap if it exists because at this point we don't need it
3936         any more.
3937         (JSC::MarkedBlock::isEmpty): If we have some objects that are newlyAllocated, we are not empty.
3938         (JSC::MarkedBlock::isNewlyAllocated): 
3939         (JSC):
3940         (JSC::MarkedBlock::setNewlyAllocated):
3941         (JSC::MarkedBlock::clearNewlyAllocated):
3942         (JSC::MarkedBlock::isLive): We now check the newlyAllocated Bitmap, if it exists, when determining liveness of a cell in 
3943         a block that is Marked.
3944         * heap/WeakBlock.cpp:
3945         (JSC::WeakBlock::visit): We need to make sure we don't finalize objects that are in the newlyAllocated Bitmap.
3946         (JSC::WeakBlock::reap): Ditto.
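
        As an added illustration (not JSC code), a hypothetical miniature of the two-bitmap liveness scheme the entry above describes: a newlyAllocated bitmap records cells allocated since the last collection, isLive consults both bitmaps, and clearMarks drops the extra bitmap once a collection restarts marking. The type names, the 16-cell block size and the sample cell layout are assumptions.

```cpp
#include <bitset>
#include <cstddef>
#include <optional>
#include <vector>

// Hypothetical miniature of a JSC MarkedBlock (added example, not JSC code): a
// collector-owned mark bitmap plus an optional newlyAllocated bitmap that lives
// only from canonicalizeCellLivenessData() until the next clearMarks().
constexpr std::size_t kCellsPerBlock = 16;
struct MiniMarkedBlock {
    std::bitset<kCellsPerBlock> marks;
    std::optional<std::bitset<kCellsPerBlock>> newlyAllocated;
    std::vector<std::size_t> freeList; // cells currently available to the allocator
    // Live = marked, or recorded as allocated since the last collection.
    bool isLive(std::size_t cell) const {
        if (marks.test(cell))
            return true;
        return newlyAllocated.has_value() && newlyAllocated->test(cell);
    }
    // Every unmarked cell not on the free list becomes newlyAllocated; the mark
    // bits are left untouched so they stay free to carry other information.
    void canonicalizeCellLivenessData() {
        std::bitset<kCellsPerBlock> bits;
        for (std::size_t i = 0; i < kCellsPerBlock; ++i)
            if (!marks.test(i))
                bits.set(i);
        for (std::size_t cell : freeList)
            bits.reset(cell);
        newlyAllocated = bits;
        freeList.clear();
    }
    // Start of a collection: marks are rebuilt, so the newlyAllocated bitmap is stale.
    void clearMarks() {
        marks.reset();
        newlyAllocated.reset();
    }
    // Newly allocated cells keep the block non-empty even when nothing is marked.
    bool isEmpty() const {
        return marks.none() && !(newlyAllocated.has_value() && newlyAllocated->any());
    }
};

// Constructed sample: cells 0-3 survived the previous GC (marked), cells 8-15
// are on the free list, and cells 4-7 were allocated since that GC.
MiniMarkedBlock constructedSampleBlock() {
    MiniMarkedBlock block;
    for (std::size_t i = 0; i < 4; ++i)
        block.marks.set(i);
    for (std::size_t i = 8; i < kCellsPerBlock; ++i)
        block.freeList.push_back(i);
    return block;
}

std::size_t liveCellCount(const MiniMarkedBlock& block) {
    std::size_t count = 0;
    for (std::size_t i = 0; i < kCellsPerBlock; ++i)
        count += block.isLive(i) ? 1 : 0;
    return count;
}
```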
3947
3948 2012-11-02  Filip Pizlo  <fpizlo@apple.com>
3949
3950         JIT::privateCompileGetByVal should use MacroAssemblerCodePtr::createFromExecutableAddress like JIT::privateCompilePutByVal
3951         https://bugs.webkit.org/show_bug.cgi?id=101109
3952
3953         Reviewed by Gavin Barraclough.
3954
3955         This fixes crashes on ARMv7 resulting from the return address already being tagged with the THUMB2 bit.
3956
3957         * jit/JITPropertyAccess.cpp:
3958         (JSC::JIT::privateCompileGetByVal):
3959
3960 2012-11-02  Simon Fraser  <simon.fraser@apple.com>
3961
3962         Enable SUBPIXEL_LAYOUT on Mac
3963         https://bugs.webkit.org/show_bug.cgi?id=101076
3964
3965         Reviewed by Dave Hyatt.
3966
3967         Define ENABLE_SUBPIXEL_LAYOUT and include it in FEATURE_DEFINES.
3968
3969         * Configurations/FeatureDefines.xcconfig:
3970
3971 2012-11-02  Michael Saboff  <msaboff@apple.com>
3972
3973         RegExp.prototype.toString Should Produce an 8 bit JSString if possible.
3974         https://bugs.webkit.org/show_bug.cgi?id=101003
3975
3976         Reviewed by Geoffrey Garen.
3977
3978         Took the logic of regExpObjectSource() and created two templated helpers that use the
3979         source character type when appending to the StringBuilder.
3980
3981         * runtime/RegExpObject.cpp:
3982         (JSC::appendLineTerminatorEscape): Checks line terminator type to come up with escaped version.
3983         (JSC::regExpObjectSourceInternal): Templated version of original.
3984         (JSC::regExpObjectSource): Wrapper function.
3985
3986 2012-11-02  Adam Barth  <abarth@webkit.org>
3987
3988         ENABLE(UNDO_MANAGER) is disabled everywhere and is not under active development
3989         https://bugs.webkit.org/show_bug.cgi?id=100711
3990
3991         Reviewed by Eric Seidel.
3992
3993         * Configurations/FeatureDefines.xcconfig:
3994
3995 2012-11-02  Simon Hausmann  <simon.hausmann@digia.com>
3996
3997         [Qt] Fix build on Windows when Qt is configured with -release
3998         https://bugs.webkit.org/show_bug.cgi?id=101041
3999
4000         Reviewed by Jocelyn Turcotte.
4001
4002         When Qt is configured with -debug or -release, the release/debug build of, for example,
4003         QtCore is not available by default. For LLIntExtractor we always need to build debug
4004         _and_ release versions, but we do not actually need any Qt libraries nor qtmain(d).lib.
4005         Therefore we can disable all these features but need to keep $$QT.core.includes in the
4006         INCLUDEPATH for some defines from qglobal.h.
4007
4008         * LLIntOffsetsExtractor.pro:
4009
4010 2012-11-01  Mark Lam  <mark.lam@apple.com>
4011
4012         A llint workaround for a toolchain issue.
4013         https://bugs.webkit.org/show_bug.cgi?id=101012
4014
4015         Reviewed by Michael Saboff.
4016
4017         * llint/LowLevelInterpreter.asm:
4018           - use a local label to work around the toolchain issue with undeclared
4019             global labels.
4020
4021 2012-11-01  Oliver Hunt  <oliver@apple.com>
4022
4023         Remove GlobalObject constant register that is typically unused