[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-08-29  Andreas Kling  <akling@apple.com>

        De-bork Qt build.

        * Target.pri:

2013-08-29  Ryuan Choi  <ryuan.choi@samsung.com>

        Unreviewed build fix attempt for Windows.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        Renamed JSMapConstructor and JSMapPrototype.

2013-08-29  Ryuan Choi  <ryuan.choi@samsung.com>

        Fix build break after r154861
        https://bugs.webkit.org/show_bug.cgi?id=120503

        Reviewed by Geoffrey Garen.

        Unreviewed build fix attempt for GTK, Qt Windows and CMake based ports.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * Target.pri:
        * runtime/MapData.h:
        (JSC::MapData::KeyType::KeyType):

2013-08-29  Andreas Kling  <akling@apple.com>

        CodeBlock: LLIntCallLinkInfo vector can be sized-to-fit at creation.
        <https://webkit.org/b/120487>

        Reviewed by Oliver Hunt.

        CodeBlock::m_llintCallLinkInfos never changes size after creation, so make it a Vector
        instead of a SegmentedVector. Use resizeToFit() instead of grow() since we know the
        exact amount of space needed.

        * bytecode/CodeBlock.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::shrinkToFit):

2013-08-29  Oliver Hunt  <oliver@apple.com>

        Fix issues found by MSVC (which also happily fixes an unintentional pessimisation)

        * runtime/MapData.h:
        (JSC::MapData::KeyType::KeyType):

2013-08-29  Oliver Hunt  <oliver@apple.com>

        Implement ES6 Map object
        https://bugs.webkit.org/show_bug.cgi?id=120333

        Reviewed by Geoffrey Garen.

        Implement support for the ES6 Map type and related classes.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/CopyToken.h: Add a new token to track copying the backing store
        * runtime/CommonIdentifiers.h: Add new identifiers
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
            Add new structures and prototypes

        * runtime/JSMap.cpp: Added.
        * runtime/JSMap.h: Added.
            New JSMap class to represent a Map instance

        * runtime/MapConstructor.cpp: Added.
        * runtime/MapConstructor.h: Added.
            The Map constructor

        * runtime/MapData.cpp: Added.
        * runtime/MapData.h: Added.
            The most interesting data structure.  This roughly corresponds
            to the ES6 notion of MapData.  It provides the core JSValue->JSValue
            map implementation.  We implement it using 2 hashtables and a flat
            table.  Due to the different semantics of string comparisons vs.
            all others we need to have one map keyed by String and the other by
            generic JSValue.  The actual table is represented more or less
            exactly as described in the ES6 draft - a single contiguous list of
            key/value pairs.  The entire map could be achieved with just this
            table, however we need the HashMaps in order to maintain O(1) lookup.

            Deleted values are simply cleared as the draft says, however the
            implementation compacts the storage on copy as long as there are no
            active iterators.

        * runtime/MapPrototype.cpp: Added.
        * runtime/MapPrototype.h: Added.
            Implement Map prototype functions

        * runtime/VM.cpp:
            Add new structures.

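The MapData layout described in the entry above (two hash tables for O(1) lookup plus one contiguous key/value table, deletions cleared in place, compaction deferred while iterators are active), as an added C++17 illustration that is not JavaScriptCore's code: Key is a constructed stand-in for JSValue, and MapData, Iterator, compactIfNoIterators and runDemo are hypothetical names. The part worth attention from a memory-safety angle is the live-iterator count: compacting under an iterator would turn its saved index into a stale or wrong-entry access.

```cpp
#include <cstddef>
#include <optional>
#include <string>
#include <unordered_map>
#include <variant>
#include <vector>

// Constructed stand-in for JSValue keys: strings compare by contents, numbers by value.
using Key = std::variant<std::string, long long>;
using Value = std::string;
class MapData {
public:
    struct Entry { std::optional<Key> key; Value value; }; // empty key == cleared slot
    // Iterators keep a bare index into the flat table, so it must not be compacted under them.
    class Iterator {
    public:
        explicit Iterator(MapData& map) : m_map(map) { ++m_map.m_activeIterators; }
        ~Iterator() { --m_map.m_activeIterators; } // RAII keeps the live-iterator count honest
        Iterator(const Iterator&) = delete; Iterator& operator=(const Iterator&) = delete;
        bool next(Entry& out) { // next live entry in insertion order; cleared slots are skipped
            for (; m_index < m_map.m_entries.size(); ++m_index)
                if (m_map.m_entries[m_index].key) { out = m_map.m_entries[m_index++]; return true; }
            return false;
        }
    private:
        MapData& m_map;
        size_t m_index = 0;
    };
    void set(const Key& key, const Value& value) {
        if (const size_t* index = findIndex(key)) { m_entries[*index].value = value; return; }
        setIndex(key, m_entries.size());        // O(1) lookup lives in the hash tables,
        m_entries.push_back(Entry{key, value}); // insertion order in the flat table
        ++m_liveCount;
    }
    const Value* get(const Key& key) const {
        const size_t* index = findIndex(key);
        return index ? &m_entries[*index].value : nullptr;
    }
    bool remove(const Key& key) { // deletion only clears the slot, as the draft says
        const size_t* index = findIndex(key);
        if (!index) return false;
        size_t slot = *index; // copy before erase: *index lives in the hash node
        eraseIndex(key);
        m_entries[slot] = Entry{}; --m_liveCount;
        return true;
    }
    // Drop cleared slots and rebuild both tables; JSC does this on backing-store copy, never under a live iterator.
    bool compactIfNoIterators() {
        if (m_activeIterators) return false;
        std::vector<Entry> live;
        m_stringIndex.clear(); m_numberIndex.clear();
        for (Entry& e : m_entries)
            if (e.key) { setIndex(*e.key, live.size()); live.push_back(std::move(e)); }
        m_entries = std::move(live);
        return true;
    }
    size_t slotsUsed() const { return m_entries.size(); } // live plus cleared
private:
    // Two hash tables: string keys compare by contents, everything else by value.
    const size_t* findIndex(const Key& key) const {
        if (const auto* s = std::get_if<std::string>(&key)) {
            auto it = m_stringIndex.find(*s);
            return it == m_stringIndex.end() ? nullptr : &it->second;
        }
        auto it = m_numberIndex.find(std::get<long long>(key));
        return it == m_numberIndex.end() ? nullptr : &it->second;
    }
    void setIndex(const Key& key, size_t index) {
        if (const auto* s = std::get_if<std::string>(&key)) m_stringIndex[*s] = index;
        else m_numberIndex[std::get<long long>(key)] = index;
    }
    void eraseIndex(const Key& key) {
        if (const auto* s = std::get_if<std::string>(&key)) m_stringIndex.erase(*s);
        else m_numberIndex.erase(std::get<long long>(key));
    }
    std::vector<Entry> m_entries;
    std::unordered_map<std::string, size_t> m_stringIndex;
    std::unordered_map<long long, size_t> m_numberIndex;
    size_t m_liveCount = 0;
    size_t m_activeIterators = 0;
};

struct DemoResult { size_t visited; bool compactedWhileIterating; size_t slotsAfter; bool distinctKeys; };
// Constructed walk-through: "42" and 42 are distinct keys; deleting 42 under a live iterator clears its slot without shifting anything; compaction waits.
DemoResult runDemo() {
    MapData map; DemoResult r{};
    map.set(std::string("a"), "1");
    map.set(42LL, "2");
    map.set(std::string("42"), "3");
    {
        MapData::Iterator it(map); MapData::Entry e;
        while (it.next(e))
            if (++r.visited == 1) map.remove(42LL); // clears slot 1 before we reach it
        r.compactedWhileIterating = map.compactIfNoIterators(); // false: iterator still live
    }
    map.compactIfNoIterators(); // iterator gone: 3 slots shrink to 2
    r.slotsAfter = map.slotsUsed();
    r.distinctKeys = map.get(std::string("42")) && !map.get(42LL);
    return r;
}
```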
2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        Teach DFG::Worklist and its clients that it may be reused for different kinds of compilations
        https://bugs.webkit.org/show_bug.cgi?id=120489

        Reviewed by Geoffrey Garen.

        If the baseline JIT hits an OSR entry trigger into the DFG and we already have a
        DFG compilation but we've also started one or more FTL compilations, then we
        shouldn't get confused. Previously we would have gotten confused because we would
        see an in-process deferred compile (the FTL compile) and also an optimized
        replacement (the DFG code).

        If the baseline JIT hits an OSR entry trigger into the DFG and we previously
        did two things in this order: triggered a tier-up compilation from the DFG into
        the FTL, and then jettisoned the DFG code because it exited a bunch, then we
        shouldn't be confused by the presence of an in-process deferred compile (the FTL
        compile). Previously we would have waited for that compile to finish; but the more
        sensible thing to do is to let it complete and then invalidate it, while at the
        same time enqueueing a DFG compile to create a new, more valid, DFG code block.

        If the DFG JIT hits a loop OSR entry trigger (into the FTL) and it has already
        triggered an FTL compile for replacement, then it should fire off a second compile
        instead of thinking that it can wait for that one to finish. Or vice-versa. We
        need to allow for two FTL compiles to be enqueued at the same time (one for
        replacement and one for OSR entry in a loop).

        Then there's also the problem that DFG::compile() is almost certainly going to be
        the hook for triggering both DFG compiles and the two kinds of FTL compiles, but
        right now there is no way to tell it which one you want.

        This fixes these problems and removes a bunch of potential confusion by making the
        key for a compile in the DFG::Worklist be a CompilationMode (one of DFGMode,
        FTLMode, or FTLForOSREntryMode). That mode is also passed to DFG::compile().

        Awkwardly, this still leaves us in a no DFG->FTL tier-up situation - so
        DFG::compile() is always passed DFGMode and then it might do an FTL compile if
        possible. Fixing that is a bigger issue for a later changeset.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::checkIfOptimizationThresholdReached):
        * dfg/DFGCompilationKey.cpp: Added.
        (JSC::DFG::CompilationKey::dump):
        * dfg/DFGCompilationKey.h: Added.
        (JSC::DFG::CompilationKey::CompilationKey):
        (JSC::DFG::CompilationKey::operator!):
        (JSC::DFG::CompilationKey::isHashTableDeletedValue):
        (JSC::DFG::CompilationKey::profiledBlock):
        (JSC::DFG::CompilationKey::mode):
        (JSC::DFG::CompilationKey::operator==):
        (JSC::DFG::CompilationKey::hash):
        (JSC::DFG::CompilationKeyHash::hash):
        (JSC::DFG::CompilationKeyHash::equal):
        * dfg/DFGCompilationMode.cpp: Added.
        (WTF::printInternal):
        * dfg/DFGCompilationMode.h: Added.
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        (JSC::DFG::compile):
        * dfg/DFGDriver.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::key):
        * dfg/DFGPlan.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::enqueue):
        (JSC::DFG::Worklist::compilationState):
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::runThread):
        * dfg/DFGWorklist.h:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2013-08-29  Brent Fulgham  <bfulgham@apple.com>

        [Windows] Unreviewed build fix after r154847.
        If you are going to exclude promises, actually exclude the build components.

        * interpreter/CallFrame.h: Exclude promise declarations
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset): Exclude promise code.
        (JSC::JSGlobalObject::visitChildren): Ditto.
        * runtime/VM.cpp: Ditto.
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:

2013-08-29  Sam Weinig  <sam@webkit.org>

        Add ENABLE guards for Promises
        https://bugs.webkit.org/show_bug.cgi?id=120488

        Reviewed by Andreas Kling.

        * Configurations/FeatureDefines.xcconfig:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSPromise.cpp:
        * runtime/JSPromise.h:
        * runtime/JSPromiseCallback.cpp:
        * runtime/JSPromiseCallback.h:
        * runtime/JSPromiseConstructor.cpp:
        * runtime/JSPromiseConstructor.h:
        * runtime/JSPromisePrototype.cpp:
        * runtime/JSPromisePrototype.h:
        * runtime/JSPromiseResolver.cpp:
        * runtime/JSPromiseResolver.h:
        * runtime/JSPromiseResolverConstructor.cpp:
        * runtime/JSPromiseResolverConstructor.h:
        * runtime/JSPromiseResolverPrototype.cpp:
        * runtime/JSPromiseResolverPrototype.h:

2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix FTL build.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::callCheck):

2013-08-29  Julien Brianceau  <jbriance@cisco.com>

        REGRESSION(r153222, 32-bit): NULL JSValue() seen when running peacekeeper benchmark.
        https://bugs.webkit.org/show_bug.cgi?id=120080

        Reviewed by Michael Saboff.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emitSlow_op_get_argument_by_val): Revert changes introduced by r153222 in this function.

2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        Kill code that became dead after http://trac.webkit.org/changeset/154833

        Rubber stamped by Oliver Hunt.

        * dfg/DFGDriver.h:

2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock's magic for scaling tier-up thresholds should be more reusable
        https://bugs.webkit.org/show_bug.cgi?id=120486

        Reviewed by Oliver Hunt.

        Removed the counterValueForBlah() methods and exposed the reusable scaling logic
        as an adjustedCounterValue() method.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::adjustedCounterValue):
        (JSC::CodeBlock::optimizeAfterWarmUp):
        (JSC::CodeBlock::optimizeAfterLongWarmUp):
        (JSC::CodeBlock::optimizeSoon):
        * bytecode/CodeBlock.h:
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):

2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock::prepareForExecution() is silly
        https://bugs.webkit.org/show_bug.cgi?id=120453

        Reviewed by Oliver Hunt.

        Instead of saying:

            codeBlock->prepareForExecution(stuff, BaselineJIT, more stuff)

        we should just say:

            JIT::compile(stuff, codeBlock, more stuff);

        And similarly for the LLInt and DFG.

        This kills a bunch of code, since CodeBlock::prepareForExecution() is just a
        wrapper that uses the JITType argument to call into the appropriate execution
        engine, which is what the user wanted to do in the first place.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        (JSC::DFG::compile):
        * dfg/DFGDriver.h:
        (JSC::DFG::tryCompile):
        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::globalWorklist):
        * dfg/DFGWorklist.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::JIT::compile):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntEntrypoint.cpp: Copied from Source/JavaScriptCore/llint/LLIntEntrypoints.cpp.
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        (JSC::LLInt::setEntrypoint):
        * llint/LLIntEntrypoint.h: Copied from Source/JavaScriptCore/llint/LLIntEntrypoints.h.
        * llint/LLIntEntrypoints.cpp: Removed.
        * llint/LLIntEntrypoints.h: Removed.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::prepareForExecutionImpl):

2013-08-29  Mark Lam  <mark.lam@apple.com>

        Gardening: fixed broken non-DFG build.
        https://bugs.webkit.org/show_bug.cgi?id=120481.

        Not reviewed.

        * interpreter/StackIterator.h:

2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock compilation and installation should be simplified and rationalized
        https://bugs.webkit.org/show_bug.cgi?id=120326

        Reviewed by Oliver Hunt.

        Rolling r154804 back in after fixing no-LLInt build.

        Previously Executable owned the code for generating JIT code; you always had
        to go through Executable. But often you also had to go through CodeBlock,
        because ScriptExecutable couldn't have virtual methods, but CodeBlock could.
        So you'd ask CodeBlock to do something, which would dispatch through a
        virtual method that would select the appropriate Executable subtype's method.
        This all meant that the same code would often be duplicated, because most of
        the work needed to compile something was identical regardless of code type.
        But then we tried to fix this, by having templatized helpers in
        ExecutionHarness.h and JITDriver.h. The result was that if you wanted to find
        out what happened when you asked for something to be compiled, you'd go on a
        wild ride that started with CodeBlock, touched upon Executable, and then
        ricocheted into either ExecutionHarness or JITDriver (likely both).

        Another awkwardness was that for concurrent compiles, the DFG::Worklist had
        super-special inside knowledge of what JITStubs.cpp's cti_optimize would have
        done once the compilation finished.

        Also, most of the DFG JIT drivers assumed that they couldn't install the
        JITCode into the CodeBlock directly - instead they would return it via a
        reference, which happened to be a reference to the JITCode pointer in
        Executable. This was super weird.

        Finally, there was no notion of compiling code into a special CodeBlock that
        wasn't used for handling calls into an Executable. I'd like this for FTL OSR
        entry.

        This patch solves these problems by reducing all of that complexity into just
        three primitives:

        - Executable::newCodeBlock(). This gives you a new code block, either for call
          or for construct, and either to serve as the baseline code or the optimized
          code. The new code block is then owned by the caller; Executable doesn't
          register it anywhere. The new code block has no JITCode and isn't callable,
          but it has all of the bytecode.

        - CodeBlock::prepareForExecution(). This takes the CodeBlock's bytecode and
          produces a JITCode, and then installs the JITCode into the CodeBlock. This
          method takes a JITType, and always compiles with that JIT. If you ask for
          JITCode::InterpreterThunk then you'll get JITCode that just points to the
          LLInt entrypoints. Once this returns, it is possible to call into the
          CodeBlock if you do so manually - but the Executable still won't know about
          it so JS calls to that Executable will still be routed to whatever CodeBlock
          is associated with the Executable.

        - Executable::installCode(). This takes a CodeBlock and makes it the code-for-
          entry for that Executable. This involves unlinking the Executable's last
          CodeBlock, if there was one. This also tells the GC about any effect on
          memory usage and does a bunch of weird data structure rewiring, since
          Executable caches some of CodeBlock's fields for the benefit of virtual call
          fast paths.

        This functionality is then wrapped around three convenience methods:

        - Executable::prepareForExecution(). If there is no code block for that
          Executable, then one is created (newCodeBlock()), compiled
          (CodeBlock::prepareForExecution()) and installed (installCode()).

        - CodeBlock::newReplacement(). Asks the Executable for a new CodeBlock that
          can serve as an optimized replacement of the current one.

        - CodeBlock::install(). Asks the Executable to install this code block.

        This patch allows me to kill *a lot* of code and to remove a lot of
        specializations for functions vs. not-functions, and a lot of places where we
        pass around JITCode references and such. ExecutionHarness and JITDriver are
        both gone. Overall this patch has more red than green.

        It also allows me to work on FTL OSR entry and tier-up:

        - FTL tier-up: this will involve DFGOperations.cpp asking the DFG::Worklist
          to do some compilation, but it will require the DFG::Worklist to do
          something different than what JITStubs.cpp would want, once the compilation
          finishes. This patch introduces a callback mechanism for that purpose.

        - FTL OSR entry: this will involve creating a special auto-jettisoned
          CodeBlock that is used only for FTL OSR entry. The new set of primitives
          allows for this: Executable can vend you a fresh new CodeBlock, and you can
          ask that CodeBlock to compile itself with any JIT of your choosing. Or you
          can take that CodeBlock and compile it yourself. Previously the act of
          producing a CodeBlock-for-optimization and the act of compiling code for it
          were tightly coupled; now you can separate them and you can create such
          auto-jettisoned CodeBlocks that are used for a one-shot OSR entry.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::prepareForExecutionImpl):
        (JSC::CodeBlock::prepareForExecution):
        (JSC::CodeBlock::prepareForExecutionAsynchronously):
        (JSC::CodeBlock::install):
        (JSC::CodeBlock::newReplacement):
        (JSC::FunctionCodeBlock::jettisonImpl):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::hasBaselineJITProfiling):
        * bytecode/DeferredCompilationCallback.cpp: Added.
        (JSC::DeferredCompilationCallback::DeferredCompilationCallback):
        (JSC::DeferredCompilationCallback::~DeferredCompilationCallback):
        * bytecode/DeferredCompilationCallback.h: Added.
        * dfg/DFGDriver.cpp:
        (JSC::DFG::tryCompile):
        * dfg/DFGDriver.h:
        (JSC::DFG::tryCompile):
        * dfg/DFGFailedFinalizer.cpp:
        (JSC::DFG::FailedFinalizer::finalize):
        (JSC::DFG::FailedFinalizer::finalizeFunction):
        * dfg/DFGFailedFinalizer.h:
        * dfg/DFGFinalizer.h:
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::notifyReady):
        (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
        (JSC::DFG::Plan::finalizeAndNotifyCallback):
        * dfg/DFGPlan.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::runThread):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalize):
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLJITFinalizer.h:
        * heap/Heap.h:
        (JSC::Heap::isDeferred):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * jit/JITDriver.h: Removed.
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::jitCompileFor):
        (JSC::lazyLinkFor):
        * jit/JITToDFGDeferredCompilationCallback.cpp: Added.
        (JSC::JITToDFGDeferredCompilationCallback::JITToDFGDeferredCompilationCallback):
        (JSC::JITToDFGDeferredCompilationCallback::~JITToDFGDeferredCompilationCallback):
        (JSC::JITToDFGDeferredCompilationCallback::create):
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
        * jit/JITToDFGDeferredCompilationCallback.h: Added.
        * llint/LLIntEntrypoints.cpp:
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        * llint/LLIntEntrypoints.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        (JSC::LLInt::setUpCall):
        * runtime/ArrayPrototype.cpp:
        (JSC::isNumericCompareFunction):
        * runtime/CommonSlowPaths.cpp:
        * runtime/CompilationResult.cpp:
        (WTF::printInternal):
        * runtime/CompilationResult.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::installCode):
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::ScriptExecutable::newReplacementCodeBlockFor):
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/Executable.h:
        (JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor):
        (JSC::ExecutableBase::offsetOfNumParametersFor):
        (JSC::ScriptExecutable::prepareForExecution):
        (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
        * runtime/ExecutionHarness.h: Removed.

2013-08-29  Mark Lam  <mark.lam@apple.com>

        Change StackIterator to not require writes to the JS stack.
        https://bugs.webkit.org/show_bug.cgi?id=119657.

        Reviewed by Geoffrey Garen.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/CallFrame.h:
        - Removed references to StackIteratorPrivate.h.
        * interpreter/StackIterator.cpp:
        (JSC::StackIterator::numberOfFrames):
        (JSC::StackIterator::gotoFrameAtIndex):
        (JSC::StackIterator::gotoNextFrame):
        (JSC::StackIterator::resetIterator):
        (JSC::StackIterator::find):
        (JSC::StackIterator::readFrame):
        (JSC::StackIterator::readNonInlinedFrame):
        - Reads in the current CallFrame's data for non-inlined frames.
        (JSC::inlinedFrameOffset):
        - Convenience function to compute the inlined frame offset based on the
          CodeOrigin. If the offset is 0, then we're looking at the physical frame.
          Otherwise, it's an inlined frame.
        (JSC::StackIterator::readInlinedFrame):
        - Determines the inlined frame's caller frame. Will read in the caller
          frame if it is also an inlined frame i.e. we haven't reached the
          outermost frame yet. Otherwise, will call readNonInlinedFrame() to
          read on the outermost frame.
          This is based on the old StackIterator::Frame::logicalFrame().
        (JSC::StackIterator::updateFrame):
        - Reads the data of the caller frame of the current one. This function
          is renamed and moved from the old StackIterator::Frame::logicalCallerFrame(),
          but is now simplified because it delegates to the readInlinedFrame()
          to get the caller for inlined frames.
        (JSC::StackIterator::Frame::arguments):
        - Fixed to use the inlined frame versions of Arguments::create() and
          Arguments::tearOff() when the frame is an inlined frame.
        (JSC::StackIterator::Frame::print):
        (debugPrintCallFrame):
        (debugPrintStack):
        - Because sometimes, we want to see the whole stack while debugging.
        * interpreter/StackIterator.h:
        (JSC::StackIterator::Frame::argumentCount):
        (JSC::StackIterator::Frame::callerFrame):
        (JSC::StackIterator::Frame::callee):
        (JSC::StackIterator::Frame::scope):
        (JSC::StackIterator::Frame::codeBlock):
        (JSC::StackIterator::Frame::bytecodeOffset):
        (JSC::StackIterator::Frame::inlinedFrameInfo):
        (JSC::StackIterator::Frame::isJSFrame):
        (JSC::StackIterator::Frame::isInlinedFrame):
        (JSC::StackIterator::Frame::callFrame):
        (JSC::StackIterator::Frame::Frame):
        (JSC::StackIterator::Frame::~Frame):
        - StackIterator::Frame now caches commonly accessed values from
          the CallFrame. It still delegates argument queries to the CallFrame.
        (JSC::StackIterator::operator*):
        (JSC::StackIterator::operator->):
        (JSC::StackIterator::operator!=):
        (JSC::StackIterator::operator++):
        (JSC::StackIterator::end):
        (JSC::StackIterator::operator==):
        * interpreter/StackIteratorPrivate.h: Removed.

2013-08-29  Chris Curtis  <chris_curtis@apple.com>

        VM::throwException() crashes reproducibly in testapi with !ENABLE(JIT)
        https://bugs.webkit.org/show_bug.cgi?id=120472

        Reviewed by Filip Pizlo.

        With the JIT disabled, interpreterThrowInCaller was attempting to throw an error,
        but the topCallFrame was not set yet. By passing the error object into interpreterThrowInCaller,
        throwException can be called when topCallFrame is set.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPathsExceptions.cpp:
        (JSC::CommonSlowPaths::interpreterThrowInCaller):
        * runtime/CommonSlowPathsExceptions.h:

        Renamed genericThrow -> genericUnwind, because this function no longer has the ability
        to throw errors. It unwinds the stack in order to report them.

        * dfg/DFGOperations.cpp:
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        (JSC::jitThrowNew):
        (JSC::jitThrow):
        * jit/JITExceptions.h:
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::doThrow):

2013-08-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r154804.
        http://trac.webkit.org/changeset/154804
        https://bugs.webkit.org/show_bug.cgi?id=120477

        Broke Windows build (assumes LLInt features not enabled on
        this build) (Requested by bfulgham on #webkit).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::linkIncomingCall):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::reoptimize):
        (JSC::ProgramCodeBlock::replacement):
        (JSC::EvalCodeBlock::replacement):
        (JSC::FunctionCodeBlock::replacement):
        (JSC::ProgramCodeBlock::compileOptimized):
        (JSC::ProgramCodeBlock::replaceWithDeferredOptimizedCode):
        (JSC::EvalCodeBlock::compileOptimized):
        (JSC::EvalCodeBlock::replaceWithDeferredOptimizedCode):
        (JSC::FunctionCodeBlock::compileOptimized):
        (JSC::FunctionCodeBlock::replaceWithDeferredOptimizedCode):
        (JSC::ProgramCodeBlock::jitCompileImpl):
        (JSC::EvalCodeBlock::jitCompileImpl):
        (JSC::FunctionCodeBlock::jitCompileImpl):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::jitType):
        (JSC::CodeBlock::jitCompile):
        * bytecode/DeferredCompilationCallback.cpp: Removed.
        * bytecode/DeferredCompilationCallback.h: Removed.
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        (JSC::DFG::tryFinalizePlan):
        * dfg/DFGDriver.h:
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        (JSC::DFG::tryFinalizePlan):
        * dfg/DFGFailedFinalizer.cpp:
        (JSC::DFG::FailedFinalizer::finalize):
        (JSC::DFG::FailedFinalizer::finalizeFunction):
        * dfg/DFGFailedFinalizer.h:
        * dfg/DFGFinalizer.h:
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::finalize):
        * dfg/DFGPlan.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::runThread):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalize):
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLJITFinalizer.h:
        * heap/Heap.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * jit/JITDriver.h: Added.
        (JSC::jitCompileIfAppropriateImpl):
        (JSC::jitCompileFunctionIfAppropriateImpl):
        (JSC::jitCompileIfAppropriate):
        (JSC::jitCompileFunctionIfAppropriate):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::jitCompileFor):
        (JSC::lazyLinkFor):
        * jit/JITToDFGDeferredCompilationCallback.cpp: Removed.
        * jit/JITToDFGDeferredCompilationCallback.h: Removed.
        * llint/LLIntEntrypoints.cpp:
        (JSC::LLInt::getFunctionEntrypoint):
        (JSC::LLInt::getEvalEntrypoint):
        (JSC::LLInt::getProgramEntrypoint):
        * llint/LLIntEntrypoints.h:
        (JSC::LLInt::getEntrypoint):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        (JSC::LLInt::setUpCall):
        * runtime/ArrayPrototype.cpp:
        (JSC::isNumericCompareFunction):
        * runtime/CommonSlowPaths.cpp:
        * runtime/CompilationResult.cpp:
        (WTF::printInternal):
        * runtime/CompilationResult.h:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileOptimized):
        (JSC::EvalExecutable::jitCompile):
717         (JSC::EvalExecutable::compileInternal):
718         (JSC::EvalExecutable::replaceWithDeferredOptimizedCode):
719         (JSC::ProgramExecutable::compileOptimized):
720         (JSC::ProgramExecutable::jitCompile):
721         (JSC::ProgramExecutable::compileInternal):
722         (JSC::ProgramExecutable::replaceWithDeferredOptimizedCode):
723         (JSC::FunctionExecutable::compileOptimizedForCall):
724         (JSC::FunctionExecutable::compileOptimizedForConstruct):
725         (JSC::FunctionExecutable::jitCompileForCall):
726         (JSC::FunctionExecutable::jitCompileForConstruct):
727         (JSC::FunctionExecutable::produceCodeBlockFor):
728         (JSC::FunctionExecutable::compileForCallInternal):
729         (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForCall):
730         (JSC::FunctionExecutable::compileForConstructInternal):
731         (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForConstruct):
732         * runtime/Executable.h:
733         (JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor):
734         (JSC::ExecutableBase::offsetOfNumParametersFor):
735         (JSC::ExecutableBase::catchRoutineFor):
736         (JSC::EvalExecutable::compile):
737         (JSC::ProgramExecutable::compile):
738         (JSC::FunctionExecutable::compileForCall):
739         (JSC::FunctionExecutable::compileForConstruct):
740         (JSC::FunctionExecutable::compileFor):
741         (JSC::FunctionExecutable::compileOptimizedFor):
742         (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeFor):
743         (JSC::FunctionExecutable::jitCompileFor):
744         * runtime/ExecutionHarness.h: Added.
745         (JSC::prepareForExecutionImpl):
746         (JSC::prepareFunctionForExecutionImpl):
747         (JSC::installOptimizedCode):
748         (JSC::prepareForExecution):
749         (JSC::prepareFunctionForExecution):
750         (JSC::replaceWithDeferredOptimizedCode):
751
752 2013-08-28  Filip Pizlo  <fpizlo@apple.com>
753
754         CodeBlock compilation and installation should be simplified and rationalized
755         https://bugs.webkit.org/show_bug.cgi?id=120326
756
757         Reviewed by Oliver Hunt.
758         
759         Previously Executable owned the code for generating JIT code; you always had
760         to go through Executable. But often you also had to go through CodeBlock,
761         because ScriptExecutable couldn't have virtual methods, but CodeBlock could.
762         So you'd ask CodeBlock to do something, which would dispatch through a
763         virtual method that would select the appropriate Executable subtype's method.
764         This all meant that the same code would often be duplicated, because most of
765         the work needed to compile something was identical regardless of code type.
766         But then we tried to fix this, by having templatized helpers in
767         ExecutionHarness.h and JITDriver.h. The result was that if you wanted to find
768         out what happened when you asked for something to be compiled, you'd go on a
769         wild ride that started with CodeBlock, touched upon Executable, and then
770         ricocheted into either ExecutionHarness or JITDriver (likely both).
771         
772         Another awkwardness was that for concurrent compiles, the DFG::Worklist had
773         super-special inside knowledge of what JITStubs.cpp's cti_optimize would have
774         done once the compilation finished.
775         
776         Also, most of the DFG JIT drivers assumed that they couldn't install the
777         JITCode into the CodeBlock directly - instead they would return it via a
778         reference, which happened to be a reference to the JITCode pointer in
779         Executable. This was super weird.
780         
781         Finally, there was no notion of compiling code into a special CodeBlock that
782         wasn't used for handling calls into an Executable. I'd like this for FTL OSR
783         entry.
784         
785         This patch solves these problems by reducing all of that complexity into just
786         three primitives:
787         
788         - Executable::newCodeBlock(). This gives you a new code block, either for call
789           or for construct, and either to serve as the baseline code or the optimized
790           code. The new code block is then owned by the caller; Executable doesn't
791           register it anywhere. The new code block has no JITCode and isn't callable,
792           but it has all of the bytecode.
793         
794         - CodeBlock::prepareForExecution(). This takes the CodeBlock's bytecode and
795           produces a JITCode, and then installs the JITCode into the CodeBlock. This
796           method takes a JITType, and always compiles with that JIT. If you ask for
797           JITCode::InterpreterThunk then you'll get JITCode that just points to the
798           LLInt entrypoints. Once this returns, it is possible to call into the
799           CodeBlock if you do so manually - but the Executable still won't know about
800           it so JS calls to that Executable will still be routed to whatever CodeBlock
801           is associated with the Executable.
802         
803         - Executable::installCode(). This takes a CodeBlock and makes it the code-for-
804           entry for that Executable. This involves unlinking the Executable's last
805           CodeBlock, if there was one. This also tells the GC about any effect on
806           memory usage and does a bunch of weird data structure rewiring, since
807           Executable caches some of CodeBlock's fields for the benefit of virtual call
808           fast paths.
809         
810         This functionality is then wrapped around three convenience methods:
811         
812         - Executable::prepareForExecution(). If there is no code block for that
813           Executable, then one is created (newCodeBlock()), compiled
814           (CodeBlock::prepareForExecution()) and installed (installCode()).
815         
816         - CodeBlock::newReplacement(). Asks the Executable for a new CodeBlock that
817           can serve as an optimized replacement of the current one.
818         
819         - CodeBlock::install(). Asks the Executable to install this code block.
820         
821         This patch allows me to kill *a lot* of code and to remove a lot of
822         specializations for functions vs. not-functions, and a lot of places where we
823         pass around JITCode references and such. ExecutionHarness and JITDriver are
824         both gone. Overall this patch has more red than green.
825         
826         It also allows me to work on FTL OSR entry and tier-up:
827         
828         - FTL tier-up: this will involve DFGOperations.cpp asking the DFG::Worklist
829           to do some compilation, but it will require the DFG::Worklist to do
830           something different than what JITStubs.cpp would want, once the compilation
831           finishes. This patch introduces a callback mechanism for that purpose.
832         
833         - FTL OSR entry: this will involve creating a special auto-jettisoned
834           CodeBlock that is used only for FTL OSR entry. The new set of primitives
835           allows for this: Executable can vend you a fresh new CodeBlock, and you can
836           ask that CodeBlock to compile itself with any JIT of your choosing. Or you
837           can take that CodeBlock and compile it yourself. Previously the act of
838           producing a CodeBlock-for-optimization and the act of compiling code for it
839           were tightly coupled; now you can separate them and you can create such
840           auto-jettisoned CodeBlocks that are used for a one-shot OSR entry.
841
842         * CMakeLists.txt:
843         * GNUmakefile.list.am:
844         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
845         * JavaScriptCore.xcodeproj/project.pbxproj:
846         * Target.pri:
847         * bytecode/CodeBlock.cpp:
848         (JSC::CodeBlock::prepareForExecution):
849         (JSC::CodeBlock::install):
850         (JSC::CodeBlock::newReplacement):
851         (JSC::FunctionCodeBlock::jettisonImpl):
852         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
853         * bytecode/CodeBlock.h:
854         (JSC::CodeBlock::hasBaselineJITProfiling):
855         * bytecode/DeferredCompilationCallback.cpp: Added.
856         (JSC::DeferredCompilationCallback::DeferredCompilationCallback):
857         (JSC::DeferredCompilationCallback::~DeferredCompilationCallback):
858         * bytecode/DeferredCompilationCallback.h: Added.
859         * dfg/DFGDriver.cpp:
860         (JSC::DFG::tryCompile):
861         * dfg/DFGDriver.h:
862         (JSC::DFG::tryCompile):
863         * dfg/DFGFailedFinalizer.cpp:
864         (JSC::DFG::FailedFinalizer::finalize):
865         (JSC::DFG::FailedFinalizer::finalizeFunction):
866         * dfg/DFGFailedFinalizer.h:
867         * dfg/DFGFinalizer.h:
868         * dfg/DFGJITFinalizer.cpp:
869         (JSC::DFG::JITFinalizer::finalize):
870         (JSC::DFG::JITFinalizer::finalizeFunction):
871         * dfg/DFGJITFinalizer.h:
872         * dfg/DFGOSRExitPreparation.cpp:
873         (JSC::DFG::prepareCodeOriginForOSRExit):
874         * dfg/DFGOperations.cpp:
875         * dfg/DFGPlan.cpp:
876         (JSC::DFG::Plan::Plan):
877         (JSC::DFG::Plan::compileInThreadImpl):
878         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
879         (JSC::DFG::Plan::finalizeAndNotifyCallback):
880         * dfg/DFGPlan.h:
881         * dfg/DFGWorklist.cpp:
882         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
883         * ftl/FTLJITFinalizer.cpp:
884         (JSC::FTL::JITFinalizer::finalize):
885         (JSC::FTL::JITFinalizer::finalizeFunction):
886         * ftl/FTLJITFinalizer.h:
887         * heap/Heap.h:
888         (JSC::Heap::isDeferred):
889         * interpreter/Interpreter.cpp:
890         (JSC::Interpreter::execute):
891         (JSC::Interpreter::executeCall):
892         (JSC::Interpreter::executeConstruct):
893         (JSC::Interpreter::prepareForRepeatCall):
894         * jit/JITDriver.h: Removed.
895         * jit/JITStubs.cpp:
896         (JSC::DEFINE_STUB_FUNCTION):
897         (JSC::jitCompileFor):
898         (JSC::lazyLinkFor):
899         * jit/JITToDFGDeferredCompilationCallback.cpp: Added.
900         (JSC::JITToDFGDeferredCompilationCallback::JITToDFGDeferredCompilationCallback):
901         (JSC::JITToDFGDeferredCompilationCallback::~JITToDFGDeferredCompilationCallback):
902         (JSC::JITToDFGDeferredCompilationCallback::create):
903         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
904         * jit/JITToDFGDeferredCompilationCallback.h: Added.
905         * llint/LLIntEntrypoints.cpp:
906         (JSC::LLInt::setFunctionEntrypoint):
907         (JSC::LLInt::setEvalEntrypoint):
908         (JSC::LLInt::setProgramEntrypoint):
909         * llint/LLIntEntrypoints.h:
910         * llint/LLIntSlowPaths.cpp:
911         (JSC::LLInt::jitCompileAndSetHeuristics):
912         (JSC::LLInt::setUpCall):
913         * runtime/ArrayPrototype.cpp:
914         (JSC::isNumericCompareFunction):
915         * runtime/CommonSlowPaths.cpp:
916         * runtime/CompilationResult.cpp:
917         (WTF::printInternal):
918         * runtime/CompilationResult.h:
919         * runtime/Executable.cpp:
920         (JSC::ScriptExecutable::installCode):
921         (JSC::ScriptExecutable::newCodeBlockFor):
922         (JSC::ScriptExecutable::newReplacementCodeBlockFor):
923         (JSC::ScriptExecutable::prepareForExecutionImpl):
924         * runtime/Executable.h:
925         (JSC::ScriptExecutable::prepareForExecution):
926         (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
927         * runtime/ExecutionHarness.h: Removed.
928
929 2013-08-28  Chris Curtis  <chris_curtis@apple.com>
930
931         https://bugs.webkit.org/show_bug.cgi?id=119548
932         Refactoring Exception throws.
933         
934         Reviewed by Geoffrey Garen.
935         
936         Gardening of exception throws. The act of throwing an exception was being handled in
937         different ways depending on whether the code was running in the LLInt, Baseline JIT,
938         or the DFG JIT. This made development in the VM exception and error objects difficult.
939         
940         * runtime/VM.cpp:
941         (JSC::appendSourceToError): 
942         This function moved from the interpreter into the VM. It views the developer's code
943         (if there is a codeBlock) to extract what was trying to be evaluated when the error
944         occurred.
945         
946         (JSC::VM::throwException):
947         This function takes in the error object and sets the following:
948             1: The VM's exception stack
949             2: The VM's exception 
950             3: Appends extra information on the error message(via appendSourceToError)
951             4: The error object's line number
952             5: The error object's column number
953             6: The error object's sourceURL
954             7: The error object's stack trace (unless it already exists because the developer 
955                 created the error object). 
956
957         (JSC::VM::getExceptionInfo):
958         (JSC::VM::setExceptionInfo):
959         (JSC::VM::clearException):
960         (JSC::clearExceptionStack):
961         * runtime/VM.h:
962         (JSC::VM::exceptionOffset):
963         (JSC::VM::exception):
964         (JSC::VM::addressOfException):
965         (JSC::VM::exceptionStack):
966         VM exception and exceptionStack are now private data members.
967
968         * interpreter/Interpreter.h:
969         (JSC::ClearExceptionScope::ClearExceptionScope):
970         Created this structure to temporarily clear the exception within the VM. This
971         is needed to see if additional errors occur when setting the debugger as we are
972         unwinding the stack.
973
974         * interpreter/Interpreter.cpp:
975         (JSC::Interpreter::unwind): 
976         Removed the code that would try to add error information if it did not exist. 
977         All of this functionality has moved into the VM and all error information is set 
978         at the time the error occurs. 
979
980         The rest of these functions reference the new calling convention to throw an error.
981
982         * API/APICallbackFunction.h:
983         (JSC::APICallbackFunction::call):
984         * API/JSCallbackConstructor.cpp:
985         (JSC::constructJSCallback):
986         * API/JSCallbackObjectFunctions.h:
987         (JSC::::getOwnPropertySlot):
988         (JSC::::defaultValue):
989         (JSC::::put):
990         (JSC::::putByIndex):
991         (JSC::::deleteProperty):
992         (JSC::::construct):
993         (JSC::::customHasInstance):
994         (JSC::::call):
995         (JSC::::getStaticValue):
996         (JSC::::staticFunctionGetter):
997         (JSC::::callbackGetter):
998         * debugger/Debugger.cpp:
999         (JSC::evaluateInGlobalCallFrame):
1000         * debugger/DebuggerCallFrame.cpp:
1001         (JSC::DebuggerCallFrame::evaluate):
1002         * dfg/DFGAssemblyHelpers.h:
1003         (JSC::DFG::AssemblyHelpers::emitExceptionCheck):
1004         * dfg/DFGOperations.cpp:
1005         (JSC::DFG::operationPutByValInternal):
1006         * ftl/FTLLowerDFGToLLVM.cpp:
1007         (JSC::FTL::LowerDFGToLLVM::callCheck):
1008         * heap/Heap.cpp:
1009         (JSC::Heap::markRoots):
1010         * interpreter/CallFrame.h:
1011         (JSC::ExecState::clearException):
1012         (JSC::ExecState::exception):
1013         (JSC::ExecState::hadException):
1014         * interpreter/Interpreter.cpp:
1015         (JSC::eval):
1016         (JSC::loadVarargs):
1017         (JSC::stackTraceAsString):
1018         (JSC::Interpreter::execute):
1019         (JSC::Interpreter::executeCall):
1020         (JSC::Interpreter::executeConstruct):
1021         (JSC::Interpreter::prepareForRepeatCall):
1022         * interpreter/Interpreter.h:
1023         (JSC::ClearExceptionScope::ClearExceptionScope):
1024         * jit/JITCode.cpp:
1025         (JSC::JITCode::execute):
1026         * jit/JITExceptions.cpp:
1027         (JSC::genericThrow):
1028         * jit/JITOpcodes.cpp:
1029         (JSC::JIT::emit_op_catch):
1030         * jit/JITOpcodes32_64.cpp:
1031         (JSC::JIT::privateCompileCTINativeCall):
1032         (JSC::JIT::emit_op_catch):
1033         * jit/JITStubs.cpp:
1034         (JSC::returnToThrowTrampoline):
1035         (JSC::throwExceptionFromOpCall):
1036         (JSC::DEFINE_STUB_FUNCTION):
1037         (JSC::jitCompileFor):
1038         (JSC::lazyLinkFor):
1039         (JSC::putByVal):
1040         (JSC::cti_vm_handle_exception):
1041         * jit/SlowPathCall.h:
1042         (JSC::JITSlowPathCall::call):
1043         * jit/ThunkGenerators.cpp:
1044         (JSC::nativeForGenerator):
1045         * jsc.cpp:
1046         (functionRun):
1047         (functionLoad):
1048         (functionCheckSyntax):
1049         * llint/LLIntExceptions.cpp:
1050         (JSC::LLInt::doThrow):
1051         (JSC::LLInt::returnToThrow):
1052         (JSC::LLInt::callToThrow):
1053         * llint/LLIntSlowPaths.cpp:
1054         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1055         * llint/LowLevelInterpreter.cpp:
1056         (JSC::CLoop::execute):
1057         * llint/LowLevelInterpreter32_64.asm:
1058         * llint/LowLevelInterpreter64.asm:
1059         * runtime/ArrayConstructor.cpp:
1060         (JSC::constructArrayWithSizeQuirk):
1061         * runtime/CommonSlowPaths.cpp:
1062         (JSC::SLOW_PATH_DECL):
1063         * runtime/CommonSlowPaths.h:
1064         (JSC::CommonSlowPaths::opIn):
1065         * runtime/CommonSlowPathsExceptions.cpp:
1066         (JSC::CommonSlowPaths::interpreterThrowInCaller):
1067         * runtime/Completion.cpp:
1068         (JSC::evaluate):
1069         * runtime/Error.cpp:
1070         (JSC::addErrorInfo):
1071         (JSC::throwTypeError):
1072         (JSC::throwSyntaxError):
1073         * runtime/Error.h:
1074         (JSC::throwVMError):
1075         * runtime/ExceptionHelpers.cpp:
1076         (JSC::throwOutOfMemoryError):
1077         (JSC::throwStackOverflowError):
1078         (JSC::throwTerminatedExecutionException):
1079         * runtime/Executable.cpp:
1080         (JSC::EvalExecutable::create):
1081         (JSC::FunctionExecutable::produceCodeBlockFor):
1082         * runtime/FunctionConstructor.cpp:
1083         (JSC::constructFunction):
1084         (JSC::constructFunctionSkippingEvalEnabledCheck):
1085         * runtime/JSArray.cpp:
1086         (JSC::JSArray::defineOwnProperty):
1087         (JSC::JSArray::put):
1088         (JSC::JSArray::push):
1089         * runtime/JSCJSValue.cpp:
1090         (JSC::JSValue::toObjectSlowCase):
1091         (JSC::JSValue::synthesizePrototype):
1092         (JSC::JSValue::putToPrimitive):
1093         * runtime/JSFunction.cpp:
1094         (JSC::JSFunction::defineOwnProperty):
1095         * runtime/JSGenericTypedArrayViewInlines.h:
1096         (JSC::::create):
1097         (JSC::::createUninitialized):
1098         (JSC::::validateRange):
1099         (JSC::::setWithSpecificType):
1100         * runtime/JSGlobalObjectFunctions.cpp:
1101         (JSC::encode):
1102         (JSC::decode):
1103         (JSC::globalFuncProtoSetter):
1104         * runtime/JSNameScope.cpp:
1105         (JSC::JSNameScope::put):
1106         * runtime/JSONObject.cpp:
1107         (JSC::Stringifier::appendStringifiedValue):
1108         (JSC::Walker::walk):
1109         * runtime/JSObject.cpp:
1110         (JSC::JSObject::put):
1111         (JSC::JSObject::defaultValue):
1112         (JSC::JSObject::hasInstance):
1113         (JSC::JSObject::defaultHasInstance):
1114         (JSC::JSObject::defineOwnNonIndexProperty):
1115         (JSC::throwTypeError):
1116         * runtime/ObjectConstructor.cpp:
1117         (JSC::toPropertyDescriptor):
1118         * runtime/RegExpConstructor.cpp:
1119         (JSC::constructRegExp):
1120         * runtime/StringObject.cpp:
1121         (JSC::StringObject::defineOwnProperty):
1122         * runtime/StringRecursionChecker.cpp:
1123         (JSC::StringRecursionChecker::throwStackOverflowError):
1124
1125 2013-08-28  Zan Dobersek  <zdobersek@igalia.com>
1126
1127         [GTK] Add support for building JSC with FTL JIT enabled
1128         https://bugs.webkit.org/show_bug.cgi?id=120270
1129
1130         Reviewed by Filip Pizlo.
1131
1132         * GNUmakefile.am: Add LLVM_LIBS to the list of linker flags and LLVM_CFLAGS to the list of
1133         compiler flags for the JSC library.
1134         * GNUmakefile.list.am: Add the missing build targets.
1135         * ftl/FTLAbbreviations.h: Include the <cstring> header and use std::strlen. This avoids compilation
1136         failures when using the Clang compiler with the libstdc++ standard library.
1137         (JSC::FTL::mdKindID):
1138         (JSC::FTL::mdString):
1139
1140 2013-08-23  Andy Estes  <aestes@apple.com>
1141
1142         Fix issues found by the Clang Static Analyzer
1143         https://bugs.webkit.org/show_bug.cgi?id=120230
1144
1145         Reviewed by Darin Adler.
1146
1147         * API/JSValue.mm:
1148         (valueToString): Don't leak every CFStringRef when in Objective-C GC.
1149         * API/ObjCCallbackFunction.mm:
1150         (JSC::ObjCCallbackFunctionImpl::~ObjCCallbackFunctionImpl): Don't
1151         release m_invocation's target since NSInvocation will do it for us on
1152         -dealloc.
1153         (objCCallbackFunctionForBlock): Tell NSInvocation to retain its target
1154         and -release our reference to the copied block.
1155         * API/tests/minidom.c:
1156         (createStringWithContentsOfFile): Free buffer before returning.
1157         * API/tests/testapi.c:
1158         (createStringWithContentsOfFile): Ditto.
1159
1160 2013-08-26  Brent Fulgham  <bfulgham@apple.com>
1161
1162         [Windows] Unreviewed build fix after r154629.
1163
1164         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing build files.
1165         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1166
1167 2013-08-26  Ryosuke Niwa  <rniwa@webkit.org>
1168
1169         Windows build fix attempt after r154629.
1170
1171         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1172
1173 2013-08-25  Mark Hahnenberg  <mhahnenberg@apple.com>
1174
1175         JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length of the ArrayStorage after possibly reallocing it
1176         https://bugs.webkit.org/show_bug.cgi?id=120278
1177
1178         Reviewed by Geoffrey Garen.
1179
1180         * runtime/JSObject.cpp:
1181         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
1182
1183 2013-08-26  Filip Pizlo  <fpizlo@apple.com>
1184
1185         Fix indentation of Executable.h.
1186
1187         Rubber stamped by Mark Hahnenberg.
1188
1189         * runtime/Executable.h:
1190
1191 2013-08-26  Mark Hahnenberg  <mhahnenberg@apple.com>
1192
1193         Object.defineProperty should be able to create a PropertyDescriptor where m_attributes == 0
1194         https://bugs.webkit.org/show_bug.cgi?id=120314
1195
1196         Reviewed by Darin Adler.
1197
1198         Currently with the way that defineProperty works, we leave a stray low bit set in 
1199         PropertyDescriptor::m_attributes in the following code:
1200
1201         var o = {};
1202         Object.defineProperty(o, 100, {writable:true, enumerable:true, configurable:true, value:"foo"});
1203         
1204         This is due to the fact that the lowest non-zero attribute (ReadOnly) is represented as 1 << 1 
1205         instead of 1 << 0. We then calculate the default attributes as (DontDelete << 1) - 1, which is 0xF, 
1206         but only the top three bits mean anything. Even in the case above, the top three bits are set 
1207         to 0 but the bottom bit remains set, which causes us to think m_attributes is non-zero.
1208
1209         Since some of these attributes and their corresponding values are exposed in the JavaScriptCore 
1210         framework's public C API, it's safer to just change how we calculate the default value, which is
1211         where the weirdness was originating from in the first place.
1212
1213         * runtime/PropertyDescriptor.cpp:
1214
1215 2013-08-24  Sam Weinig  <sam@webkit.org>
1216
1217         Add support for Promises
1218         https://bugs.webkit.org/show_bug.cgi?id=120260
1219
1220         Reviewed by Darin Adler.
1221
1222         Add an initial implementation of Promises - http://dom.spec.whatwg.org/#promises.
1223         - Despite Promises being defined in the DOM, the implementation is being put in JSC
1224           in preparation for the Promises eventually being defined in ECMAScript.
1225
1226         * CMakeLists.txt:
1227         * DerivedSources.make:
1228         * DerivedSources.pri:
1229         * GNUmakefile.list.am:
1230         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1231         * JavaScriptCore.xcodeproj/project.pbxproj:
1232         * Target.pri:
1233         Add new files.
1234
1235         * jsc.cpp:
1236         Update jsc's GlobalObjectMethodTable to stub out the new QueueTaskToEventLoop callback. This means
1237         you can't quite use Promises with the command line tool yet.
1238
1239         * interpreter/CallFrame.h:
1240         (JSC::ExecState::promisePrototypeTable):
1241         (JSC::ExecState::promiseConstructorTable):
1242         (JSC::ExecState::promiseResolverPrototypeTable):
1243         * runtime/VM.cpp:
1244         (JSC::VM::VM):
1245         (JSC::VM::~VM):
1246         * runtime/VM.h:
1247         Add supporting code for the new static lookup tables.
1248
1249         * runtime/CommonIdentifiers.h:
1250         Add 3 new identifiers, "Promise", "PromiseResolver", and "then".
1251
1252         * runtime/JSGlobalObject.cpp:
1253         (JSC::JSGlobalObject::reset):
1254         (JSC::JSGlobalObject::visitChildren):
1255         Add supporting code for Promise and PromiseResolver's constructors and structures.
1256
1257         * runtime/JSGlobalObject.h:
1258         (JSC::TaskContext::~TaskContext):
1259         Add a new callback to the GlobalObjectMethodTable to post a task on the embedder's runloop.
1260
1261         (JSC::JSGlobalObject::promisePrototype):
1262         (JSC::JSGlobalObject::promiseResolverPrototype):
1263         (JSC::JSGlobalObject::promiseStructure):
1264         (JSC::JSGlobalObject::promiseResolverStructure):
1265         (JSC::JSGlobalObject::promiseCallbackStructure):
1266         (JSC::JSGlobalObject::promiseWrapperCallbackStructure):
1267         Add supporting code for Promise and PromiseResolver's constructors and structures.
1268
1269         * runtime/JSPromise.cpp: Added.
1270         * runtime/JSPromise.h: Added.
1271         * runtime/JSPromiseCallback.cpp: Added.
1272         * runtime/JSPromiseCallback.h: Added.
1273         * runtime/JSPromiseConstructor.cpp: Added.
1274         * runtime/JSPromiseConstructor.h: Added.
1275         * runtime/JSPromisePrototype.cpp: Added.
1276         * runtime/JSPromisePrototype.h: Added.
1277         * runtime/JSPromiseResolver.cpp: Added.
1278         * runtime/JSPromiseResolver.h: Added.
1279         * runtime/JSPromiseResolverConstructor.cpp: Added.
1280         * runtime/JSPromiseResolverConstructor.h: Added.
1281         * runtime/JSPromiseResolverPrototype.cpp: Added.
1282         * runtime/JSPromiseResolverPrototype.h: Added.
1283         Add Promise implementation.
1284
1285 2013-08-26  Zan Dobersek  <zdobersek@igalia.com>
1286
1287         Plenty of -Wcast-align warnings in KeywordLookup.h
1288         https://bugs.webkit.org/show_bug.cgi?id=120316
1289
1290         Reviewed by Darin Adler.
1291
1292         * KeywordLookupGenerator.py: Use reinterpret_cast instead of a C-style cast when casting
1293         the character pointers to types of larger size. This avoids spewing lots of warnings
1294         in the KeywordLookup.h header when compiling with the -Wcast-align option.
1295
1296 2013-08-26  Gavin Barraclough  <barraclough@apple.com>
1297
1298         RegExpMatchesArray should not call [[put]]
1299         https://bugs.webkit.org/show_bug.cgi?id=120317
1300
1301         Reviewed by Oliver Hunt.
1302
1303         This will call accessors on the JSObject/JSArray prototypes - so adding an accessor or read-only
1304         property called index or input to either of these prototypes will result in broken behavior.
1305
1306         * runtime/RegExpMatchesArray.cpp:
1307         (JSC::RegExpMatchesArray::reifyAllProperties):
1308             - put -> putDirect
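
        The failure mode this entry describes, shown as an added example in plain JavaScript. This is not WebKit code and is not part of the original ChangeLog: `buildWithPut` models the pre-fix behaviour (filling `index` and `input` through ordinary assignment, i.e. [[Put]]), `buildWithPutDirect` models the post-fix behaviour (own data properties defined directly, the script-level analogue of putDirect), and `observeUnder` is an illustrative harness that installs a hostile accessor or read-only `index` on Array.prototype, runs a builder, and restores the prototype. The match strings, the offset 2 and the values "hijacked"/"frozen" are constructed inputs; the engine's own `RegExp.prototype.exec` is included only for comparison.

```javascript
// Added example, not WebKit code: models the RegExpMatchesArray [[Put]] bug
// in plain JavaScript. "index" and "input" are the real match-array
// properties; the builder functions and the polluted-prototype harness are
// illustrative.

// Pre-fix shape: ordinary assignment is [[Put]], so a setter or a read-only
// property named "index" on Array.prototype intercepts it.
function buildWithPut(matchStrings, index, input) {
  "use strict"; // a read-only inherited property then makes the assignment throw
  const result = Array.from(matchStrings);
  result.index = index;
  result.input = input;
  return result;
}

// Post-fix shape: define own data properties directly (the script-level
// analogue of JSC's putDirect); the prototype chain is never consulted.
function buildWithPutDirect(matchStrings, index, input) {
  const result = Array.from(matchStrings);
  const own = { writable: true, enumerable: true, configurable: true };
  Object.defineProperty(result, "index", { ...own, value: index });
  Object.defineProperty(result, "input", { ...own, value: input });
  return result;
}

// The engine's own exec(), which must create own properties for comparison.
function buildWithEngine() {
  return /ab/.exec("xxab"); // match "ab" at offset 2 (constructed input)
}

// Install a hostile Array.prototype.index of the given kind ("accessor" or
// "readonly"), run `builder`, report what a reader of `.index` would see,
// and restore the prototype afterwards.
function observeUnder(kind, builder) {
  const setterCalls = [];
  const descriptor = kind === "accessor"
    ? { configurable: true, get() { return "hijacked"; }, set(v) { setterCalls.push(v); } }
    : { configurable: true, writable: false, value: "frozen" };
  Object.defineProperty(Array.prototype, "index", descriptor);
  try {
    const m = builder(["ab"], 2, "xxab");
    return {
      threw: false,
      setterCalls: setterCalls.length,
      hasOwnIndex: Object.prototype.hasOwnProperty.call(m, "index"),
      index: m.index,
    };
  } catch (e) {
    // In strict mode, [[Put]] onto a read-only inherited property throws.
    return { threw: e instanceof TypeError, setterCalls: setterCalls.length, hasOwnIndex: false, index: undefined };
  } finally {
    delete Array.prototype.index;
  }
}
```

        With the accessor installed, the [[Put]] builder never creates an own `index`: the setter swallows the value and every read returns the prototype getter's result, so code trusting `m.index` is fed attacker-controlled data. With the read-only property installed, the same builder throws (or, in sloppy code, silently fails). Defining own properties directly, as the engine's own exec() does, is unaffected by either.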
1309
1310 2013-08-24  Filip Pizlo  <fpizlo@apple.com>
1311
1312         FloatTypedArrayAdaptor::toJSValue should almost certainly not use jsNumber() since that attempts int conversions
1313         https://bugs.webkit.org/show_bug.cgi?id=120228
1314
1315         Reviewed by Oliver Hunt.
1316         
1317         It turns out that there were three problems:
1318         
1319         - Using jsNumber() meant that we were converting doubles to integers and then
1320           possibly back again whenever doing a set() between floating point arrays.
1321         
1322         - Slow-path accesses to double typed arrays were slower than necessary because
1323           of the to-int conversion attempt.
1324         
1325         - The use of JSValue as an intermediate for converting between different types
1326           in typedArray.set() resulted in worse code than I had previously expected.
1327         
1328         This patch solves the problem by using template double-dispatch to ensure that
1329         the C++ compiler sees the simplest possible combination of casts between any
1330         combination of typed array types, while still preserving JS and typed array
1331         conversion semantics. Conversions are done as follows:
1332         
1333             SourceAdaptor::convertTo<TargetAdaptor>(value)
1334         
1335         Internally, convertTo() calls one of three possible methods on TargetAdaptor,
1336         with one method for each of int32_t, uint32_t, and double. This means that the
1337         C++ compiler will at worst see a widening cast to one of those types followed
1338         by a narrowing conversion (not necessarily a cast - may have clamping or the
1339         JS toInt32() function).
1340         
1341         This change doesn't just affect typedArray.set(); it also affects slow-path
1342         accesses to typed arrays as well. This patch also adds a bunch of new test
1343         coverage.
1344         
1345         This change is a ~50% speed-up on typedArray.set() involving floating point
1346         types.
1347
1348         * GNUmakefile.list.am:
1349         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1350         * JavaScriptCore.xcodeproj/project.pbxproj:
1351         * runtime/GenericTypedArrayView.h:
1352         (JSC::GenericTypedArrayView::set):
1353         * runtime/JSDataViewPrototype.cpp:
1354         (JSC::setData):
1355         * runtime/JSGenericTypedArrayView.h:
1356         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
1357         (JSC::JSGenericTypedArrayView::setIndexQuickly):
1358         * runtime/JSGenericTypedArrayViewInlines.h:
1359         (JSC::::setWithSpecificType):
1360         (JSC::::set):
1361         * runtime/ToNativeFromValue.h: Added.
1362         (JSC::toNativeFromValue):
1363         * runtime/TypedArrayAdaptors.h:
1364         (JSC::IntegralTypedArrayAdaptor::toJSValue):
1365         (JSC::IntegralTypedArrayAdaptor::toDouble):
1366         (JSC::IntegralTypedArrayAdaptor::toNativeFromInt32):
1367         (JSC::IntegralTypedArrayAdaptor::toNativeFromUint32):
1368         (JSC::IntegralTypedArrayAdaptor::toNativeFromDouble):
1369         (JSC::IntegralTypedArrayAdaptor::convertTo):
1370         (JSC::FloatTypedArrayAdaptor::toJSValue):
1371         (JSC::FloatTypedArrayAdaptor::toDouble):
1372         (JSC::FloatTypedArrayAdaptor::toNativeFromInt32):
1373         (JSC::FloatTypedArrayAdaptor::toNativeFromUint32):
1374         (JSC::FloatTypedArrayAdaptor::toNativeFromDouble):
1375         (JSC::FloatTypedArrayAdaptor::convertTo):
1376         (JSC::Uint8ClampedAdaptor::toJSValue):
1377         (JSC::Uint8ClampedAdaptor::toDouble):
1378         (JSC::Uint8ClampedAdaptor::toNativeFromInt32):
1379         (JSC::Uint8ClampedAdaptor::toNativeFromUint32):
1380         (JSC::Uint8ClampedAdaptor::toNativeFromDouble):
1381         (JSC::Uint8ClampedAdaptor::convertTo):
1382
1383 2013-08-24  Dan Bernstein  <mitz@apple.com>
1384
1385         [mac] link against libz in a more civilized manner
1386         https://bugs.webkit.org/show_bug.cgi?id=120258
1387
1388         Reviewed by Darin Adler.
1389
1390         * Configurations/JavaScriptCore.xcconfig: Removed “-lz” from OTHER_LDFLAGS_BASE.
1391         * JavaScriptCore.xcodeproj/project.pbxproj: Added libz.dylib to the JavaScriptCore target’s
1392         Link Binary With Libraries build phase.
1393
1394 2013-08-23  Laszlo Papp  <lpapp@kde.org>
1395
1396         Failure building with python3
1397         https://bugs.webkit.org/show_bug.cgi?id=106645
1398
1399         Reviewed by Benjamin Poulain.
1400
1401         Use print functions instead of python statements to be compatible with python 3.X and 2.7 as well.
1402         Archlinux has been using python3 and that is what causes issues while packaging QtWebKit along with Qt5.
1403
1404         * disassembler/udis86/itab.py:
1405         (UdItabGenerator.genInsnTable):
1406         * disassembler/udis86/ud_opcode.py:
1407         (UdOpcodeTables.print_table):
1408         * disassembler/udis86/ud_optable.py:
1409         (UdOptableXmlParser.parseDef):
1410         (UdOptableXmlParser.parse):
1411         (printFn):
1412
1413 2013-08-23  Filip Pizlo  <fpizlo@apple.com>
1414
1415         Incorrect TypedArray#set behavior
1416         https://bugs.webkit.org/show_bug.cgi?id=83818
1417
1418         Reviewed by Oliver Hunt and Mark Hahnenberg.
1419         
1420         This was so much fun! typedArray.set() is like a memmove on steroids, and I'm
1421         not smart enough to figure out optimal versions for *all* of the cases. But I
1422         did come up with optimal implementations for most of the cases, and I wrote
1423         spec-literal code (i.e. copy via a transfer buffer) for the cases I'm not smart
1424         enough to write optimal code for.
1425
1426         * runtime/JSArrayBufferView.h:
1427         (JSC::JSArrayBufferView::hasArrayBuffer):
1428         * runtime/JSArrayBufferViewInlines.h:
1429         (JSC::JSArrayBufferView::buffer):
1430         (JSC::JSArrayBufferView::existingBufferInButterfly):
1431         (JSC::JSArrayBufferView::neuter):
1432         (JSC::JSArrayBufferView::byteOffset):
1433         * runtime/JSGenericTypedArrayView.h:
1434         * runtime/JSGenericTypedArrayViewInlines.h:
1435         (JSC::::setWithSpecificType):
1436         (JSC::::set):
1437         (JSC::::existingBuffer):
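
Added example serving both typed-array entries above (the 2013-08-24 change to do conversions as SourceAdaptor::convertTo<TargetAdaptor> and the 2013-08-23 TypedArray#set fix); it is JavaScript written for this page, not WebKit's C++. It gives a spec-literal reference for the narrowing conversions a target type must apply after a value has been widened to a double (modular ToIntN, ToUint8Clamp, fround), checks them against the running engine, and shows the memmove-versus-memcpy problem in `set()` when the source view aliases the target's buffer. The buffer contents and test values are constructed; BigInt element types are left out.

```javascript
// Added example (not WebKit code): a spec-literal reference for
// typedArray.set(source, offset) covering value conversion between element
// types and copying when the source aliases the target's buffer.

// ToUint8Clamp: NaN -> 0, clamp to [0, 255], ties round to even.
function toUint8Clamp(n) {
  if (Number.isNaN(n) || n <= 0) return 0;
  if (n >= 255) return 255;
  const f = Math.floor(n);
  if (f + 0.5 < n) return f + 1;
  if (n < f + 0.5) return f;
  return f % 2 === 0 ? f : f + 1;
}

// ToInt8/16/32 and ToUint8/16/32: truncate, then reduce modulo 2^bits.
// NaN and +/-Infinity become 0. `%` on integer-valued doubles is exact.
function toIntN(n, bits, signed) {
  if (!Number.isFinite(n)) return 0;
  const mod = 2 ** bits;
  let i = ((Math.trunc(n) % mod) + mod) % mod;
  if (signed && i >= mod / 2) i -= mod;
  return i;
}

// Narrowing conversion from a double, keyed by target constructor. This is
// the "TargetAdaptor" side: every source type first widens to a double.
const NARROW = new Map([
  [Int8Array, (n) => toIntN(n, 8, true)],
  [Uint8Array, (n) => toIntN(n, 8, false)],
  [Uint8ClampedArray, toUint8Clamp],
  [Int16Array, (n) => toIntN(n, 16, true)],
  [Uint16Array, (n) => toIntN(n, 16, false)],
  [Int32Array, (n) => toIntN(n, 32, true)],
  [Uint32Array, (n) => toIntN(n, 32, false)],
  [Float32Array, Math.fround],
  [Float64Array, (n) => n],
]);

// The engine's conversion of a single value, via set() from a Float64Array.
function engineNarrow(Ctor, value) {
  const t = new Ctor(1);
  t.set(Float64Array.of(value));
  return t[0];
}

// Compare the reference conversion with the engine for every element type.
// Returns a list of mismatches; an empty list means they agree.
function conversionMismatches(values) {
  const bad = [];
  for (const [Ctor, narrow] of NARROW) {
    for (const v of values) {
      const expected = narrow(v);
      const actual = engineNarrow(Ctor, v);
      if (!Object.is(expected, actual)) bad.push({ type: Ctor.name, v, expected, actual });
    }
  }
  return bad;
}

// Wrong: element-by-element forward copy straight from the source. When the
// source view aliases the target's buffer, later reads see bytes the earlier
// writes have already clobbered (memcpy semantics where memmove is needed).
function naiveSet(target, source, offset = 0) {
  for (let i = 0; i < source.length; i++) target[offset + i] = source[i];
}

// Spec-literal: bounds-check, then, if the buffers alias, snapshot the source
// into a transfer buffer before writing. Values pass through the narrowing
// conversion for the target type.
function referenceSet(target, source, offset = 0) {
  if (!Number.isInteger(offset) || offset < 0 || offset + source.length > target.length) {
    throw new RangeError("offset is out of bounds");
  }
  const narrow = NARROW.get(target.constructor);
  const src = source.buffer === target.buffer ? Array.from(source) : source;
  for (let i = 0; i < src.length; i++) target[offset + i] = narrow(src[i]);
}

// Constructed scenario: a Uint16 view is filled from the first four bytes of
// its own buffer. The correct result is [1, 2, 3, 4] whatever the byte order;
// the naive copy reads back its own partially written words instead.
function aliasedCopy(setFn) {
  const buf = new ArrayBuffer(8);
  const u8 = new Uint8Array(buf);
  u8.set([1, 2, 3, 4, 5, 6, 7, 8]);
  const u16 = new Uint16Array(buf);
  setFn(u16, u8.subarray(0, 4), 0);
  return Array.from(u16);
}
```

`conversionMismatches` should return an empty list on a conforming engine for values such as 1.5, 2.5, -300, 1e10, NaN and the infinities; `aliasedCopy(naiveSet)` returns a corrupted word array while `aliasedCopy(referenceSet)` and the engine's own `set` both return [1, 2, 3, 4].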
1438
1439 2013-08-23  Alex Christensen  <achristensen@apple.com>
1440
1441         Re-separating Win32 and Win64 builds.
1442         https://bugs.webkit.org/show_bug.cgi?id=120178
1443
1444         Reviewed by Brent Fulgham.
1445
1446         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1447         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1448         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1449         Pass PlatformArchitecture as a command line parameter to bash scripts.
1450         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
1451         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
1452         * JavaScriptCore.vcxproj/build-generated-files.sh:
1453         Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).
1454
1455 2013-08-22  Filip Pizlo  <fpizlo@apple.com>
1456
1457         build-jsc --ftl-jit should work
1458         https://bugs.webkit.org/show_bug.cgi?id=120194
1459
1460         Reviewed by Oliver Hunt.
1461
1462         * Configurations/Base.xcconfig: CPPFLAGS should include FEATURE_DEFINES
1463         * Configurations/JSC.xcconfig: The 'jsc' tool includes headers where field layout may depend on FEATURE_DEFINES
1464         * Configurations/ToolExecutable.xcconfig: All other tools include headers where field layout may depend on FEATURE_DEFINES
1465         * ftl/FTLLowerDFGToLLVM.cpp: Build fix
1466         (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
1467         (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
1468
1469 2013-08-23  Oliver Hunt  <oliver@apple.com>
1470
1471         Re-sort xcode project file
1472
1473         * JavaScriptCore.xcodeproj/project.pbxproj:
1474
1475 2013-08-23  Oliver Hunt  <oliver@apple.com>
1476
1477         Support in memory compression of rarely used data
1478         https://bugs.webkit.org/show_bug.cgi?id=120143
1479
1480         Reviewed by Gavin Barraclough.
1481
1482         Include zlib in LD_FLAGS and make UnlinkedCodeBlock make use of CompressibleVector.  This saves ~200k on google maps.
1483
1484         * Configurations/JavaScriptCore.xcconfig:
1485         * bytecode/UnlinkedCodeBlock.cpp:
1486         (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset):
1487         (JSC::UnlinkedCodeBlock::addExpressionInfo):
1488         * bytecode/UnlinkedCodeBlock.h:
1489
1490 2013-08-22  Mark Hahnenberg  <mhahnenberg@apple.com>
1491
1492         JSObject and JSArray code shouldn't have to tiptoe around garbage collection
1493         https://bugs.webkit.org/show_bug.cgi?id=120179
1494
1495         Reviewed by Geoffrey Garen.
1496
1497         There are many places in the code for JSObject and JSArray where they are manipulating their 
1498         Butterfly/Structure, e.g. after expanding their out-of-line backing storage via allocating. Within 
1499         these places there are certain "critical sections" where a GC would be disastrous. Gen GC looks 
1500         like it will make this dance even more intricate. To make everybody's lives easier we should use 
1501         the DeferGC mechanism in these functions to make these GC critical sections both obvious in the 
1502         code and trivially safe. Deferring collections will usually only last marginally longer, thus we 
1503         should not incur any additional overhead.
1504
1505         * heap/Heap.h:
1506         * runtime/JSArray.cpp:
1507         (JSC::JSArray::unshiftCountSlowCase):
1508         * runtime/JSObject.cpp:
1509         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
1510         (JSC::JSObject::createInitialUndecided):
1511         (JSC::JSObject::createInitialInt32):
1512         (JSC::JSObject::createInitialDouble):
1513         (JSC::JSObject::createInitialContiguous):
1514         (JSC::JSObject::createArrayStorage):
1515         (JSC::JSObject::convertUndecidedToArrayStorage):
1516         (JSC::JSObject::convertInt32ToArrayStorage):
1517         (JSC::JSObject::convertDoubleToArrayStorage):
1518         (JSC::JSObject::convertContiguousToArrayStorage):
1519         (JSC::JSObject::increaseVectorLength):
1520         (JSC::JSObject::ensureLengthSlow):
1521         * runtime/JSObject.h:
1522         (JSC::JSObject::putDirectInternal):
1523         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
1524         (JSC::JSObject::putDirectWithoutTransition):
1525
1526 2013-08-22  Filip Pizlo  <fpizlo@apple.com>
1527
1528         Update LLVM binary drops and scripts to the latest version from SVN
1529         https://bugs.webkit.org/show_bug.cgi?id=120184
1530
1531         Reviewed by Mark Hahnenberg.
1532
1533         * dfg/DFGPlan.cpp:
1534         (JSC::DFG::Plan::compileInThreadImpl):
1535
1536 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
1537
1538         Don't leak registers for redeclared variables
1539         https://bugs.webkit.org/show_bug.cgi?id=120174
1540
1541         Reviewed by Geoff Garen.
1542
1543         We currently always allocate registers for new global variables, but these are wasted when the variable is being redeclared.
1544         Only allocate new registers when necessary.
1545
1546         No performance impact.
1547
1548         * interpreter/Interpreter.cpp:
1549         (JSC::Interpreter::execute):
1550         * runtime/Executable.cpp:
1551         (JSC::ProgramExecutable::initializeGlobalProperties):
1552             - Don't allocate the register here.
1553         * runtime/JSGlobalObject.cpp:
1554         (JSC::JSGlobalObject::addGlobalVar):
1555             - Allocate the register here instead.
1556
1557 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
1558
1559         https://bugs.webkit.org/show_bug.cgi?id=120128
1560         Remove putDirectVirtual
1561
1562         Unreviewed, checked in commented out code. :-(
1563
1564         * interpreter/Interpreter.cpp:
1565         (JSC::Interpreter::execute):
1566             - delete commented out code
1567
1568 2013-08-22  Gavin Barraclough  <barraclough@apple.com>
1569
1570         Error.stack should not be enumerable
1571         https://bugs.webkit.org/show_bug.cgi?id=120171
1572
1573         Reviewed by Oliver Hunt.
1574
1575         Breaks ECMA tests.
1576
1577         * runtime/ErrorInstance.cpp:
1578         (JSC::ErrorInstance::finishCreation):
1579             - None -> DontEnum
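
Added example, not WebKit code, for the entry above: why `stack` has to be defined DontEnum. Enumerable own properties are exactly what `JSON.stringify`, object spread, `for-in` and `Object.keys` pick up, so an enumerable stack would travel with any error an application serializes. The error-like object and its stack text are constructed for the demonstration; the real `Error` is checked alongside it.

```javascript
// Added example (not WebKit code): why `stack` must be defined DontEnum.
// Enumerable properties are what JSON.stringify, object spread and for-in
// copy, so an enumerable stack would ride along into any serialized error.

// Builds an error-like object whose `stack` is defined with the given
// enumerability; a real Error does the equivalent of enumerable: false.
// The stack text and path are constructed sample data.
function makeErrorLike(enumerable) {
  const e = Object.create(Error.prototype);
  Object.defineProperty(e, "message", {
    value: "boom", writable: true, enumerable: false, configurable: true,
  });
  Object.defineProperty(e, "stack", {
    value: "Error: boom\n    at secret (/srv/app/handler.js:42:9)",
    writable: true, enumerable, configurable: true,
  });
  return e;
}

// Returns the names of the channels through which `stack` escapes from `err`.
function stackLeaks(err) {
  const leaks = [];
  if (JSON.stringify(err).includes("stack")) leaks.push("JSON.stringify");
  if (Object.prototype.hasOwnProperty.call({ ...err }, "stack")) leaks.push("spread");
  for (const k in err) if (k === "stack") leaks.push("for-in");
  if (Object.keys(err).includes("stack")) leaks.push("Object.keys");
  return leaks;
}
```

`stackLeaks(makeErrorLike(true))` names all four channels, which is what an error response built with `JSON.stringify(err)` or `{ ...err }` would disclose; `stackLeaks(makeErrorLike(false))` and `stackLeaks(new Error("boom"))` both return an empty list.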
1580
1581 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1582
1583         https://bugs.webkit.org/show_bug.cgi?id=120128
1584         Remove putDirectVirtual
1585
1586         Reviewed by Sam Weinig.
1587
1588         This could most generously be described as 'vestigial'.
1589         No performance impact.
1590
1591         * API/JSObjectRef.cpp:
1592         (JSObjectSetProperty):
1593             - changed to use defineOwnProperty
1594         * debugger/DebuggerActivation.cpp:
1595         * debugger/DebuggerActivation.h:
1596             - remove putDirectVirtual
1597         * interpreter/Interpreter.cpp:
1598         (JSC::Interpreter::execute):
1599             - changed to use defineOwnProperty
1600         * runtime/ClassInfo.h:
1601         * runtime/JSActivation.cpp:
1602         * runtime/JSActivation.h:
1603         * runtime/JSCell.cpp:
1604         * runtime/JSCell.h:
1605         * runtime/JSGlobalObject.cpp:
1606         * runtime/JSGlobalObject.h:
1607         * runtime/JSObject.cpp:
1608         * runtime/JSObject.h:
1609         * runtime/JSProxy.cpp:
1610         * runtime/JSProxy.h:
1611         * runtime/JSSymbolTableObject.cpp:
1612         * runtime/JSSymbolTableObject.h:
1613             - remove putDirectVirtual
1614         * runtime/PropertyDescriptor.h:
1615         (JSC::PropertyDescriptor::PropertyDescriptor):
1616             - added constructor for convenience
1617
1618 2013-08-22  Chris Curtis  <chris_curtis@apple.com>
1619
1620         errorDescriptionForValue() should not assume error value is an Object
1621         https://bugs.webkit.org/show_bug.cgi?id=119812
1622
1623         Reviewed by Geoffrey Garen.
1624
1625         Added a check to make sure that the JSValue was an object before casting it as an object. Also, in case the parameterized JSValue
1626         has no type, the function now returns the empty string.

1627         * runtime/ExceptionHelpers.cpp:
1628         (JSC::errorDescriptionForValue):
1629
1630 2013-08-22  Julien Brianceau  <jbrianceau@nds.com>
1631
1632         Fix P_DFGOperation_EJS call for MIPS and ARM EABI.
1633         https://bugs.webkit.org/show_bug.cgi?id=120107
1634
1635         Reviewed by Yong Li.
1636
1637         EncodedJSValue parameters must be aligned to even registers for MIPS and ARM EABI.
1638
1639         * dfg/DFGSpeculativeJIT.h:
1640         (JSC::DFG::SpeculativeJIT::callOperation):
1641
1642 2013-08-21  Commit Queue  <commit-queue@webkit.org>
1643
1644         Unreviewed, rolling out r154416.
1645         http://trac.webkit.org/changeset/154416
1646         https://bugs.webkit.org/show_bug.cgi?id=120147
1647
1648         Broke Windows builds (Requested by rniwa on #webkit).
1649
1650         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1651         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1652         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
1653         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1654         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
1655         * JavaScriptCore.vcxproj/build-generated-files.sh:
1656
1657 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1658
1659         Clarify var/const/function declaration
1660         https://bugs.webkit.org/show_bug.cgi?id=120144
1661
1662         Reviewed by Sam Weinig.
1663
1664         Add methods to JSGlobalObject to declare vars, consts, and functions.
1665
1666         * runtime/Executable.cpp:
1667         (JSC::ProgramExecutable::initializeGlobalProperties):
1668         * runtime/Executable.h:
1669             - Moved declaration code to JSGlobalObject
1670         * runtime/JSGlobalObject.cpp:
1671         (JSC::JSGlobalObject::addGlobalVar):
1672             - internal implementation of addVar, addConst, addFunction
1673         * runtime/JSGlobalObject.h:
1674         (JSC::JSGlobalObject::addVar):
1675         (JSC::JSGlobalObject::addConst):
1676         (JSC::JSGlobalObject::addFunction):
1677             - Added methods to declare vars, consts, and functions
1678
1679 2013-08-21  Yi Shen  <max.hong.shen@gmail.com>
1680
1681         https://bugs.webkit.org/show_bug.cgi?id=119900
1682         Exception in global setter doesn't unwind correctly
1683
1684         Reviewed by Geoffrey Garen.
1685
1686         Call VM_THROW_EXCEPTION_AT_END in op_put_to_scope if the setter throws exception.
1687
1688         * jit/JITStubs.cpp:
1689         (JSC::DEFINE_STUB_FUNCTION):
1690
1691 2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>
1692
1693         Rename/refactor setButterfly/setStructure
1694         https://bugs.webkit.org/show_bug.cgi?id=120138
1695
1696         Reviewed by Geoffrey Garen.
1697
1698         setButterfly becomes setStructureAndButterfly.
1699
1700         Also removed the Butterfly* argument from setStructure and just implicitly
1701         used m_butterfly internally since that's what every single client of setStructure
1702         was doing already.
1703
1704         * jit/JITStubs.cpp:
1705         (JSC::DEFINE_STUB_FUNCTION):
1706         * runtime/JSObject.cpp:
1707         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
1708         (JSC::JSObject::createInitialUndecided):
1709         (JSC::JSObject::createInitialInt32):
1710         (JSC::JSObject::createInitialDouble):
1711         (JSC::JSObject::createInitialContiguous):
1712         (JSC::JSObject::createArrayStorage):
1713         (JSC::JSObject::convertUndecidedToInt32):
1714         (JSC::JSObject::convertUndecidedToDouble):
1715         (JSC::JSObject::convertUndecidedToContiguous):
1716         (JSC::JSObject::convertUndecidedToArrayStorage):
1717         (JSC::JSObject::convertInt32ToDouble):
1718         (JSC::JSObject::convertInt32ToContiguous):
1719         (JSC::JSObject::convertInt32ToArrayStorage):
1720         (JSC::JSObject::genericConvertDoubleToContiguous):
1721         (JSC::JSObject::convertDoubleToArrayStorage):
1722         (JSC::JSObject::convertContiguousToArrayStorage):
1723         (JSC::JSObject::switchToSlowPutArrayStorage):
1724         (JSC::JSObject::setPrototype):
1725         (JSC::JSObject::putDirectAccessor):
1726         (JSC::JSObject::seal):
1727         (JSC::JSObject::freeze):
1728         (JSC::JSObject::preventExtensions):
1729         (JSC::JSObject::reifyStaticFunctionsForDelete):
1730         (JSC::JSObject::removeDirect):
1731         * runtime/JSObject.h:
1732         (JSC::JSObject::setStructureAndButterfly):
1733         (JSC::JSObject::setStructure):
1734         (JSC::JSObject::putDirectInternal):
1735         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
1736         (JSC::JSObject::putDirectWithoutTransition):
1737         * runtime/Structure.cpp:
1738         (JSC::Structure::flattenDictionaryStructure):
1739
1740 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1741
1742         https://bugs.webkit.org/show_bug.cgi?id=120127
1743         Remove JSObject::propertyIsEnumerable
1744
1745         Unreviewed typo fix
1746
1747         * runtime/JSObject.h:
1748             - fix typo
1749
1750 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1751
1752         https://bugs.webkit.org/show_bug.cgi?id=120139
1753         PropertyDescriptor argument to define methods should be const
1754
1755         Rubber stamped by Sam Weinig.
1756
1757         This should never be modified, and this way we can use rvalues.
1758
1759         * debugger/DebuggerActivation.cpp:
1760         (JSC::DebuggerActivation::defineOwnProperty):
1761         * debugger/DebuggerActivation.h:
1762         * runtime/Arguments.cpp:
1763         (JSC::Arguments::defineOwnProperty):
1764         * runtime/Arguments.h:
1765         * runtime/ClassInfo.h:
1766         * runtime/JSArray.cpp:
1767         (JSC::JSArray::defineOwnProperty):
1768         * runtime/JSArray.h:
1769         * runtime/JSArrayBuffer.cpp:
1770         (JSC::JSArrayBuffer::defineOwnProperty):
1771         * runtime/JSArrayBuffer.h:
1772         * runtime/JSArrayBufferView.cpp:
1773         (JSC::JSArrayBufferView::defineOwnProperty):
1774         * runtime/JSArrayBufferView.h:
1775         * runtime/JSCell.cpp:
1776         (JSC::JSCell::defineOwnProperty):
1777         * runtime/JSCell.h:
1778         * runtime/JSFunction.cpp:
1779         (JSC::JSFunction::defineOwnProperty):
1780         * runtime/JSFunction.h:
1781         * runtime/JSGenericTypedArrayView.h:
1782         * runtime/JSGenericTypedArrayViewInlines.h:
1783         (JSC::::defineOwnProperty):
1784         * runtime/JSGlobalObject.cpp:
1785         (JSC::JSGlobalObject::defineOwnProperty):
1786         * runtime/JSGlobalObject.h:
1787         * runtime/JSObject.cpp:
1788         (JSC::JSObject::putIndexedDescriptor):
1789         (JSC::JSObject::defineOwnIndexedProperty):
1790         (JSC::putDescriptor):
1791         (JSC::JSObject::defineOwnNonIndexProperty):
1792         (JSC::JSObject::defineOwnProperty):
1793         * runtime/JSObject.h:
1794         * runtime/JSProxy.cpp:
1795         (JSC::JSProxy::defineOwnProperty):
1796         * runtime/JSProxy.h:
1797         * runtime/RegExpMatchesArray.h:
1798         (JSC::RegExpMatchesArray::defineOwnProperty):
1799         * runtime/RegExpObject.cpp:
1800         (JSC::RegExpObject::defineOwnProperty):
1801         * runtime/RegExpObject.h:
1802         * runtime/StringObject.cpp:
1803         (JSC::StringObject::defineOwnProperty):
1804         * runtime/StringObject.h:
1805             - make PropertyDescriptor const
1806
1807 2013-08-21  Filip Pizlo  <fpizlo@apple.com>
1808
1809         REGRESSION: Crash under JITCompiler::link while loading Gmail
1810         https://bugs.webkit.org/show_bug.cgi?id=119872
1811
1812         Reviewed by Mark Hahnenberg.
1813         
1814         Apparently, unsigned + signed = unsigned. Work around it with a cast.
1815
1816         * dfg/DFGByteCodeParser.cpp:
1817         (JSC::DFG::ByteCodeParser::parseBlock):
1818
1819 2013-08-21  Alex Christensen  <achristensen@apple.com>
1820
1821         <https://webkit.org/b/120137> Separating Win32 and Win64 builds.
1822
1823         Reviewed by Brent Fulgham.
1824
1825         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1826         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1827         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1828         Pass PlatformArchitecture as a command line parameter to bash scripts.
1829         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
1830         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
1831         * JavaScriptCore.vcxproj/build-generated-files.sh:
1832         Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).
1833
1834 2013-08-21  Filip Pizlo  <fpizlo@apple.com>
1835
1836         Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView
1837         https://bugs.webkit.org/show_bug.cgi?id=120099
1838
1839         Reviewed by Mark Hahnenberg.
1840         
1841         JSDataView should not store the ArrayBuffer* in the butterfly indexing header, since
1842         JSDataView may have ordinary JS indexed properties.
1843
1844         * runtime/ClassInfo.h:
1845         * runtime/JSArrayBufferView.cpp:
1846         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1847         (JSC::JSArrayBufferView::finishCreation):
1848         * runtime/JSArrayBufferView.h:
1849         (JSC::hasArrayBuffer):
1850         * runtime/JSArrayBufferViewInlines.h:
1851         (JSC::JSArrayBufferView::buffer):
1852         (JSC::JSArrayBufferView::neuter):
1853         (JSC::JSArrayBufferView::byteOffset):
1854         * runtime/JSCell.cpp:
1855         (JSC::JSCell::slowDownAndWasteMemory):
1856         * runtime/JSCell.h:
1857         * runtime/JSDataView.cpp:
1858         (JSC::JSDataView::JSDataView):
1859         (JSC::JSDataView::create):
1860         (JSC::JSDataView::slowDownAndWasteMemory):
1861         * runtime/JSDataView.h:
1862         (JSC::JSDataView::buffer):
1863         * runtime/JSGenericTypedArrayView.h:
1864         * runtime/JSGenericTypedArrayViewInlines.h:
1865         (JSC::::visitChildren):
1866         (JSC::::slowDownAndWasteMemory):
1867
1868 2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>
1869
1870         Remove incorrect ASSERT from CopyVisitor::visitItem
1871
1872         Rubber stamped by Filip Pizlo.
1873
1874         * heap/CopyVisitorInlines.h:
1875         (JSC::CopyVisitor::visitItem):
1876
1877 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
1878
1879         https://bugs.webkit.org/show_bug.cgi?id=120127
1880         Remove JSObject::propertyIsEnumerable
1881
1882         Reviewed by Sam Weinig.
1883
1884         This method is just a wart - it contains unnecessary const-casting, function call overhead, and LOC.
1885
1886         * runtime/JSObject.cpp:
1887         * runtime/JSObject.h:
1888             - remove propertyIsEnumerable
1889         * runtime/ObjectPrototype.cpp:
1890         (JSC::objectProtoFuncPropertyIsEnumerable):
1891             - Move implementation here using getOwnPropertyDescriptor directly.
1892
1893 2013-08-20  Filip Pizlo  <fpizlo@apple.com>
1894
1895         DFG should inline new typedArray()
1896         https://bugs.webkit.org/show_bug.cgi?id=120022
1897
1898         Reviewed by Oliver Hunt.
1899         
1900         Adds inlining of typed array allocations in the DFG. Any operation of the
1901         form:
1902         
1903             new foo(blah)
1904         
1905         or:
1906         
1907             foo(blah)
1908         
1909         where 'foo' is a typed array constructor and 'blah' is exactly one argument,
1910         is turned into the NewTypedArray intrinsic. Later, if child1 (i.e. 'blah')
1911         is predicted integer, we generate inline code for an allocation. Otherwise
1912         it turns into a call to an operation that behaves like the constructor would
1913         if it was passed one argument (i.e. it may wrap a buffer or it may create a
1914         copy of another array, or it may allocate an array of that length).
1915
1916         * bytecode/SpeculatedType.cpp:
1917         (JSC::speculationFromTypedArrayType):
1918         (JSC::speculationFromClassInfo):
1919         * bytecode/SpeculatedType.h:
1920         * dfg/DFGAbstractInterpreterInlines.h:
1921         (JSC::DFG::::executeEffects):
1922         * dfg/DFGBackwardsPropagationPhase.cpp:
1923         (JSC::DFG::BackwardsPropagationPhase::propagate):
1924         * dfg/DFGByteCodeParser.cpp:
1925         (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
1926         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1927         * dfg/DFGCCallHelpers.h:
1928         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
1929         * dfg/DFGCSEPhase.cpp:
1930         (JSC::DFG::CSEPhase::putStructureStoreElimination):
1931         * dfg/DFGClobberize.h:
1932         (JSC::DFG::clobberize):
1933         * dfg/DFGFixupPhase.cpp:
1934         (JSC::DFG::FixupPhase::fixupNode):
1935         * dfg/DFGGraph.cpp:
1936         (JSC::DFG::Graph::dump):
1937         * dfg/DFGNode.h:
1938         (JSC::DFG::Node::hasTypedArrayType):
1939         (JSC::DFG::Node::typedArrayType):
1940         * dfg/DFGNodeType.h:
1941         * dfg/DFGOperations.cpp:
1942         (JSC::DFG::newTypedArrayWithSize):
1943         (JSC::DFG::newTypedArrayWithOneArgument):
1944         * dfg/DFGOperations.h:
1945         (JSC::DFG::operationNewTypedArrayWithSizeForType):
1946         (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
1947         * dfg/DFGPredictionPropagationPhase.cpp:
1948         (JSC::DFG::PredictionPropagationPhase::propagate):
1949         * dfg/DFGSafeToExecute.h:
1950         (JSC::DFG::safeToExecute):
1951         * dfg/DFGSpeculativeJIT.cpp:
1952         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
1953         * dfg/DFGSpeculativeJIT.h:
1954         (JSC::DFG::SpeculativeJIT::callOperation):
1955         * dfg/DFGSpeculativeJIT32_64.cpp:
1956         (JSC::DFG::SpeculativeJIT::compile):
1957         * dfg/DFGSpeculativeJIT64.cpp:
1958         (JSC::DFG::SpeculativeJIT::compile):
1959         * jit/JITOpcodes.cpp:
1960         (JSC::JIT::emit_op_new_object):
1961         * jit/JITOpcodes32_64.cpp:
1962         (JSC::JIT::emit_op_new_object):
1963         * runtime/JSArray.h:
1964         (JSC::JSArray::allocationSize):
1965         * runtime/JSArrayBufferView.h:
1966         (JSC::JSArrayBufferView::allocationSize):
1967         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1968         (JSC::constructGenericTypedArrayView):
1969         * runtime/JSObject.h:
1970         (JSC::JSFinalObject::allocationSize):
1971         * runtime/TypedArrayType.cpp:
1972         (JSC::constructorClassInfoForType):
1973         * runtime/TypedArrayType.h:
1974         (JSC::indexToTypedArrayType):
1975
1976 2013-08-21  Julien Brianceau  <jbrianceau@nds.com>
1977
1978         <https://webkit.org/b/120106> Fix V_DFGOperation_EJPP signature in DFG.
1979
1980         Reviewed by Geoffrey Garen.
1981
1982         * dfg/DFGOperations.h:
1983
1984 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
1985
1986         https://bugs.webkit.org/show_bug.cgi?id=120093
1987         Remove getOwnPropertyDescriptor trap
1988
1989         Reviewed by Geoff Garen.
1990
1991         All implementations of this method are now called via the method table, and equivalent in behaviour.
1992         Remove all duplicate implementations (and the method table trap), and add a single member function implementation on JSObject.
1993
1994         * API/JSCallbackObject.h:
1995         * API/JSCallbackObjectFunctions.h:
1996         * debugger/DebuggerActivation.cpp:
1997         * debugger/DebuggerActivation.h:
1998         * runtime/Arguments.cpp:
1999         * runtime/Arguments.h:
2000         * runtime/ArrayConstructor.cpp:
2001         * runtime/ArrayConstructor.h:
2002         * runtime/ArrayPrototype.cpp:
2003         * runtime/ArrayPrototype.h:
2004         * runtime/BooleanPrototype.cpp:
2005         * runtime/BooleanPrototype.h:
2006             - remove getOwnPropertyDescriptor
2007         * runtime/ClassInfo.h:
2008             - remove getOwnPropertyDescriptor from MethodTable
2009         * runtime/DateConstructor.cpp:
2010         * runtime/DateConstructor.h:
2011         * runtime/DatePrototype.cpp:
2012         * runtime/DatePrototype.h:
2013         * runtime/ErrorPrototype.cpp:
2014         * runtime/ErrorPrototype.h:
2015         * runtime/JSActivation.cpp:
2016         * runtime/JSActivation.h:
2017         * runtime/JSArray.cpp:
2018         * runtime/JSArray.h:
2019         * runtime/JSArrayBuffer.cpp:
2020         * runtime/JSArrayBuffer.h:
2021         * runtime/JSArrayBufferView.cpp:
2022         * runtime/JSArrayBufferView.h:
2023         * runtime/JSCell.cpp:
2024         * runtime/JSCell.h:
2025         * runtime/JSDataView.cpp:
2026         * runtime/JSDataView.h:
2027         * runtime/JSDataViewPrototype.cpp:
2028         * runtime/JSDataViewPrototype.h:
2029         * runtime/JSFunction.cpp:
2030         * runtime/JSFunction.h:
2031         * runtime/JSGenericTypedArrayView.h:
2032         * runtime/JSGenericTypedArrayViewInlines.h:
2033         * runtime/JSGlobalObject.cpp:
2034         * runtime/JSGlobalObject.h:
2035         * runtime/JSNotAnObject.cpp:
2036         * runtime/JSNotAnObject.h:
2037         * runtime/JSONObject.cpp:
2038         * runtime/JSONObject.h:
2039             - remove getOwnPropertyDescriptor
2040         * runtime/JSObject.cpp:
2041         (JSC::JSObject::propertyIsEnumerable):
2042             - switch to call new getOwnPropertyDescriptor member function
2043         (JSC::JSObject::getOwnPropertyDescriptor):
2044             - new, based on implementation from GET_OWN_PROPERTY_DESCRIPTOR_IMPL
2045         (JSC::JSObject::defineOwnNonIndexProperty):
2046             - switch to call new getOwnPropertyDescriptor member function
2047         * runtime/JSObject.h:
2048         * runtime/JSProxy.cpp:
2049         * runtime/JSProxy.h:
2050         * runtime/NamePrototype.cpp:
2051         * runtime/NamePrototype.h:
2052         * runtime/NumberConstructor.cpp:
2053         * runtime/NumberConstructor.h:
2054         * runtime/NumberPrototype.cpp:
2055         * runtime/NumberPrototype.h:
2056             - remove getOwnPropertyDescriptor
2057         * runtime/ObjectConstructor.cpp:
2058         (JSC::objectConstructorGetOwnPropertyDescriptor):
2059         (JSC::objectConstructorSeal):
2060         (JSC::objectConstructorFreeze):
2061         (JSC::objectConstructorIsSealed):
2062         (JSC::objectConstructorIsFrozen):
2063             - switch to call new getOwnPropertyDescriptor member function
2064         * runtime/ObjectConstructor.h:
2065             - remove getOwnPropertyDescriptor
2066         * runtime/PropertyDescriptor.h:
2067             - remove GET_OWN_PROPERTY_DESCRIPTOR_IMPL
2068         * runtime/RegExpConstructor.cpp:
2069         * runtime/RegExpConstructor.h:
2070         * runtime/RegExpMatchesArray.cpp:
2071         * runtime/RegExpMatchesArray.h:
2072         * runtime/RegExpObject.cpp:
2073         * runtime/RegExpObject.h:
2074         * runtime/RegExpPrototype.cpp:
2075         * runtime/RegExpPrototype.h:
2076         * runtime/StringConstructor.cpp:
2077         * runtime/StringConstructor.h:
2078         * runtime/StringObject.cpp:
2079         * runtime/StringObject.h:
2080             - remove getOwnPropertyDescriptor
2081
2082 2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>
2083
2084         <https://webkit.org/b/120079> Flattening a dictionary can cause CopiedSpace corruption
2085
2086         Reviewed by Oliver Hunt.
2087
2088         When we flatten an object in dictionary mode, we compact its properties. If the object 
2089         had out-of-line storage in the form of a Butterfly prior to this compaction, and after 
2090         compaction its properties fit inline, the object's Structure "forgets" that the object 
2091         has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes 
2092         with bytes = 0, which causes all sorts of badness in CopiedSpace.
2093
2094         Instead, after we flatten a dictionary, if properties fit inline we should clear the 
2095         Butterfly pointer so that the GC doesn't get confused later.
2096
2097         This patch does this clearing, and it also adds JSObject::checkStructure, which overrides
2098         JSCell::checkStructure to add an ASSERT that makes sure that the Structure being assigned
2099         agrees with whether or not the object has a Butterfly. Also added an ASSERT to check
2100         that the number of bytes reported to SlotVisitor::copyLater is non-zero.
2101
2102         * heap/SlotVisitorInlines.h:
2103         (JSC::SlotVisitor::copyLater):
2104         * runtime/JSObject.cpp:
2105         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
2106         (JSC::JSObject::convertUndecidedToInt32):
2107         (JSC::JSObject::convertUndecidedToDouble):
2108         (JSC::JSObject::convertUndecidedToContiguous):
2109         (JSC::JSObject::convertInt32ToDouble):
2110         (JSC::JSObject::convertInt32ToContiguous):
2111         (JSC::JSObject::genericConvertDoubleToContiguous):
2112         (JSC::JSObject::switchToSlowPutArrayStorage):
2113         (JSC::JSObject::setPrototype):
2114         (JSC::JSObject::putDirectAccessor):
2115         (JSC::JSObject::seal):
2116         (JSC::JSObject::freeze):
2117         (JSC::JSObject::preventExtensions):
2118         (JSC::JSObject::reifyStaticFunctionsForDelete):
2119         (JSC::JSObject::removeDirect):
2120         * runtime/JSObject.h:
2121         (JSC::JSObject::setButterfly):
2122         (JSC::JSObject::putDirectInternal):
2123         (JSC::JSObject::setStructure):
2124         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
2125         * runtime/Structure.cpp:
2126         (JSC::Structure::flattenDictionaryStructure):
2127
2128 2013-08-20  Alex Christensen  <achristensen@apple.com>
2129
2130         Compile fix for Win64 after r154156.
2131
2132         Rubber stamped by Oliver Hunt.
2133
2134         * jit/JITStubsMSVC64.asm:
2135         Renamed ctiVMThrowTrampolineSlowpath to ctiVMHandleException and
2136         cti_vm_throw_slowpath to cti_vm_handle_exception.
2137
2138 2013-08-20  Alex Christensen  <achristensen@apple.com>
2139
2140         <https://webkit.org/b/120076> More work towards a Win64 build
2141
2142         Reviewed by Brent Fulgham.
2143
2144         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
2145         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
2146         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
2147         * JavaScriptCore.vcxproj/copy-files.cmd:
2148         * JavaScriptCore.vcxproj/jsc/jscCommon.props:
2149         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
2150         Use PlatformArchitecture macro instead of bin32, lib32, and obj32.
2151
2152 2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>
2153
2154         <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
2155
2156         Reviewed by Geoffrey Garen.
2157
2158         More fixes for WriteBarrier deferral during concurrent JIT-ing. This patch makes the use of DesiredWriteBarriers class and the 
2159         initializeLazyWriteBarrierFor* wrapper functions more sane. 
2160
2161         Refactored DesiredWriteBarrier to require an owner, a type, a CodeBlock, and an index. The type indicates how to use the CodeBlock
2162         and index when triggering the WriteBarrier at the end of compilation. 
2163
2164         The client code of initializeLazy* is now responsible for creating the WriteBarrier that will be initialized as well as passing
2165         in the relevant index to be used at the end of compilation. Things were kind of muddled before in that one function did a 
2166         little extra work that really shouldn't have been its responsibility.
2167
2168         * dfg/DFGByteCodeParser.cpp:
2169         (JSC::DFG::ByteCodeParser::addConstant):
2170         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2171         * dfg/DFGDesiredWriteBarriers.cpp:
2172         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
2173         (JSC::DFG::DesiredWriteBarrier::trigger):
2174         * dfg/DFGDesiredWriteBarriers.h:
2175         (JSC::DFG::DesiredWriteBarriers::add):
2176         (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameExecutable):
2177         (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameCallee):
2178         (JSC::DFG::initializeLazyWriteBarrierForConstant):
2179         * dfg/DFGFixupPhase.cpp:
2180         (JSC::DFG::FixupPhase::truncateConstantToInt32):
2181         * dfg/DFGGraph.h:
2182         (JSC::DFG::Graph::constantRegisterForConstant):
2183
2184 2013-08-20  Michael Saboff  <msaboff@apple.com>
2185
2186         https://bugs.webkit.org/show_bug.cgi?id=120075
2187         REGRESSION (r128400): BBC4 website not displaying pictures
2188
2189         Reviewed by Oliver Hunt.
2190
2191         * runtime/RegExpMatchesArray.h:
2192         (JSC::RegExpMatchesArray::createStructure): Changed the array IndexingType to be ArrayWithSlowPutArrayStorage
2193         so that the match results will be reified before any other modification to the results array.
2194
2195 2013-08-19  Filip Pizlo  <fpizlo@apple.com>
2196
2197         Incorrect behavior on emscripten-compiled cube2hash
2198         https://bugs.webkit.org/show_bug.cgi?id=120033
2199
2200         Reviewed by Mark Hahnenberg.
2201         
2202         If PutClosureVar is may-aliased to another PutClosureVar or GetClosureVar
2203         then we should bail attempts to CSE.
2204
2205         * dfg/DFGCSEPhase.cpp:
2206         (JSC::DFG::CSEPhase::scopedVarLoadElimination):
2207         (JSC::DFG::CSEPhase::scopedVarStoreElimination):
2208
2209 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
2210
2211         https://bugs.webkit.org/show_bug.cgi?id=120073
2212         Remove use of GOPD from JSFunction::defineProperty
2213
2214         Reviewed by Oliver Hunt.
2215
2216         Call getOwnPropertySlot to check for existing properties instead.
2217
2218         * runtime/JSFunction.cpp:
2219         (JSC::JSFunction::defineOwnProperty):
2220             - getOwnPropertyDescriptor -> getOwnPropertySlot
2221
2222 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
2223
2224         https://bugs.webkit.org/show_bug.cgi?id=120067
2225         Remove getPropertyDescriptor
2226
2227         Reviewed by Oliver Hunt.
2228
2229         This is used by lookupGetter/lookupSetter - this can easily be replaced by getPropertySlot.
2230         Since we'll be getting the GetterSetter from the slot in the setter case, rename isGetter() to isAccessor().
2231
2232         * runtime/JSObject.cpp:
2233         * runtime/JSObject.h:
2234             - remove getPropertyDescriptor
2235         * runtime/ObjectPrototype.cpp:
2236         (JSC::objectProtoFuncLookupGetter):
2237         (JSC::objectProtoFuncLookupSetter):
2238             - replace call to getPropertyDescriptor with getPropertySlot
2239         * runtime/PropertyDescriptor.h:
2240         * runtime/PropertySlot.h:
2241         (JSC::PropertySlot::isAccessor):
2242         (JSC::PropertySlot::isCacheableGetter):
2243         (JSC::PropertySlot::getterSetter):
2244             - rename isGetter() to isAccessor()
2245
2246 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
2247
2248         https://bugs.webkit.org/show_bug.cgi?id=120054
2249         Remove some dead code following getOwnPropertyDescriptor cleanup
2250
2251         Reviewed by Oliver Hunt.
2252
2253         * runtime/Lookup.h:
2254         (JSC::getStaticFunctionSlot):
2255             - remove getStaticPropertyDescriptor, getStaticFunctionDescriptor, getStaticValueDescriptor.
2256
2257 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
2258
2259         https://bugs.webkit.org/show_bug.cgi?id=120052
2260         Remove custom getOwnPropertyDescriptor for JSProxy
2261
2262         Reviewed by Geoff Garen.
2263
2264         GET_OWN_PROPERTY_DESCRIPTOR_IMPL runs afoul with JSProxy due to the workaround for JSDOMWindow's broken behavior.
2265         Because the window object incorrectly searches the prototype chain in getOwnPropertySlot we check that the base
2266         object matches, but in the case of JSProxy we can end up comparing the window object to the window shell & falsely
2267         assuming this is a prototype property. Add toThis conversion to correctly identify proxied own access. I've kept
2268         the original slotBase check as a fast case, and also so that direct access on JSDOMWindow still works.
2269
2270         * runtime/JSProxy.cpp:
2271             - Remove custom getOwnPropertyDescriptor implementation.
2272         * runtime/PropertyDescriptor.h:
2273             - Modify own property access check to perform toThis conversion.
2274
2275 2013-08-20  Alex Christensen  <achristensen@apple.com>
2276
2277         Use PlatformArchitecture to distinguish between 32-bit and 64-bit builds on Windows.
2278         https://bugs.webkit.org/show_bug.cgi?id=119512
2279
2280         Reviewed by Brent Fulgham.
2281
2282         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2283         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2284         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
2285         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
2286         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
2287         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
2288         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
2289         Replaced obj32, bin32, and lib32 with macros for 64-bit build.
2290
2291 2013-08-20  Julien Brianceau  <jbrianceau@nds.com>
2292
2293         <https://webkit.org/b/120062> Missing ensureSpace call in sh4 baseline JIT.
2294
2295         Reviewed by Allan Sandfeld Jensen.
2296
2297         branchPtrWithPatch() of baseline JIT must ensure that space is available for its
2298         instructions and two constants now that DFG is enabled for the sh4 architecture.
2299         These missing ensureSpace calls lead to random crashes.
2300
2301         * assembler/MacroAssemblerSH4.h:
2302         (JSC::MacroAssemblerSH4::branchPtrWithPatch):
2303
2304 2013-08-19  Gavin Barraclough  <barraclough@apple.com>
2305
2306         https://bugs.webkit.org/show_bug.cgi?id=120034
2307         Remove custom getOwnPropertyDescriptor for global objects
2308
2309         Reviewed by Geoff Garen.
2310
2311         Fix attributes of JSC SymbolTableObject entries, ensure that cross frame access is safe, and suppress prototype chain walk.
2312
2313         * runtime/JSGlobalObject.cpp:
2314             - Remove custom getOwnPropertyDescriptor implementation.
2315         * runtime/JSSymbolTableObject.h:
2316         (JSC::symbolTableGet):
2317             - The symbol table does not store the DontDelete attribute, we should be adding it back in.
2318         * runtime/PropertyDescriptor.h:
2319             - JSDOMWindow walks the prototype chain on own access. This is bad, but for now workaround for the getOwnPropertyDescriptor case.
2320         * runtime/PropertySlot.h:
2321         (JSC::PropertySlot::setUndefined):
2322             - This is used by WebCore when blocking access to properties on cross-frame access.
2323               Mark blocked properties as read-only, non-configurable to prevent defineProperty.
2324
2325 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
2326
2327         DFG should inline typedArray.byteOffset
2328         https://bugs.webkit.org/show_bug.cgi?id=119962
2329
2330         Reviewed by Oliver Hunt.
2331         
2332         This adds a new node, GetTypedArrayByteOffset, which inlines
2333         typedArray.byteOffset.
2334         
2335         Also, I improved a bunch of the clobbering logic related to typed arrays
2336         and clobbering in general. For example, PutByOffset/PutStructure are not
2337         clobber-world so they can be handled by most default cases in CSE. Also,
2338         it's better to use the 'Class_field' notation for typed arrays now that
2339         they no longer involve magical descriptor thingies.
2340
2341         * bytecode/SpeculatedType.h:
2342         * dfg/DFGAbstractHeap.h:
2343         * dfg/DFGAbstractInterpreterInlines.h:
2344         (JSC::DFG::::executeEffects):
2345         * dfg/DFGArrayMode.h:
2346         (JSC::DFG::neverNeedsStorage):
2347         * dfg/DFGCSEPhase.cpp:
2348         (JSC::DFG::CSEPhase::getByValLoadElimination):
2349         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
2350         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
2351         (JSC::DFG::CSEPhase::checkArrayElimination):
2352         (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
2353         (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination):
2354         (JSC::DFG::CSEPhase::performNodeCSE):
2355         * dfg/DFGClobberize.h:
2356         (JSC::DFG::clobberize):
2357         * dfg/DFGFixupPhase.cpp:
2358         (JSC::DFG::FixupPhase::fixupNode):
2359         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
2360         (JSC::DFG::FixupPhase::convertToGetArrayLength):
2361         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
2362         * dfg/DFGNodeType.h:
2363         * dfg/DFGPredictionPropagationPhase.cpp:
2364         (JSC::DFG::PredictionPropagationPhase::propagate):
2365         * dfg/DFGSafeToExecute.h:
2366         (JSC::DFG::safeToExecute):
2367         * dfg/DFGSpeculativeJIT.cpp:
2368         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
2369         * dfg/DFGSpeculativeJIT.h:
2370         * dfg/DFGSpeculativeJIT32_64.cpp:
2371         (JSC::DFG::SpeculativeJIT::compile):
2372         * dfg/DFGSpeculativeJIT64.cpp:
2373         (JSC::DFG::SpeculativeJIT::compile):
2374         * dfg/DFGTypeCheckHoistingPhase.cpp:
2375         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2376         * runtime/ArrayBuffer.h:
2377         (JSC::ArrayBuffer::offsetOfData):
2378         * runtime/Butterfly.h:
2379         (JSC::Butterfly::offsetOfArrayBuffer):
2380         * runtime/IndexingHeader.h:
2381         (JSC::IndexingHeader::offsetOfArrayBuffer):
2382
2383 2013-08-18  Filip Pizlo  <fpizlo@apple.com>
2384
2385         <https://webkit.org/b/119994> DFG new Array() inlining could get confused about global objects
2386
2387         Reviewed by Geoffrey Garen.
2388
2389         * dfg/DFGByteCodeParser.cpp:
2390         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2391
2392 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
2393
2394         https://bugs.webkit.org/show_bug.cgi?id=119995
2395         Start removing custom implementations of getOwnPropertyDescriptor
2396
2397         Reviewed by Oliver Hunt.
2398
2399         This can now typically be implemented in terms of getOwnPropertySlot.
2400         Add a macro to PropertyDescriptor to define an implementation of GOPD in terms of GOPS.
2401         Switch over most classes in JSC & the WebCore bindings generator to use this.
2402
2403         * API/JSCallbackObjectFunctions.h:
2404         * debugger/DebuggerActivation.cpp:
2405         * runtime/Arguments.cpp:
2406         * runtime/ArrayConstructor.cpp:
2407         * runtime/ArrayPrototype.cpp:
2408         * runtime/BooleanPrototype.cpp:
2409         * runtime/DateConstructor.cpp:
2410         * runtime/DatePrototype.cpp:
2411         * runtime/ErrorPrototype.cpp:
2412         * runtime/JSActivation.cpp:
2413         * runtime/JSArray.cpp:
2414         * runtime/JSArrayBuffer.cpp:
2415         * runtime/JSArrayBufferView.cpp:
2416         * runtime/JSCell.cpp:
2417         * runtime/JSDataView.cpp:
2418         * runtime/JSDataViewPrototype.cpp:
2419         * runtime/JSFunction.cpp:
2420         * runtime/JSGenericTypedArrayViewInlines.h:
2421         * runtime/JSNotAnObject.cpp:
2422         * runtime/JSONObject.cpp:
2423         * runtime/JSObject.cpp:
2424         * runtime/NamePrototype.cpp:
2425         * runtime/NumberConstructor.cpp:
2426         * runtime/NumberPrototype.cpp:
2427         * runtime/ObjectConstructor.cpp:
2428             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
2429         * runtime/PropertyDescriptor.h:
2430             - Added GET_OWN_PROPERTY_DESCRIPTOR_IMPL macro.
2431         * runtime/PropertySlot.h:
2432         (JSC::PropertySlot::isValue):
2433         (JSC::PropertySlot::isGetter):
2434         (JSC::PropertySlot::isCustom):
2435         (JSC::PropertySlot::isCacheableValue):
2436         (JSC::PropertySlot::isCacheableGetter):
2437         (JSC::PropertySlot::isCacheableCustom):
2438         (JSC::PropertySlot::attributes):
2439         (JSC::PropertySlot::getterSetter):
2440             - Add accessors necessary to convert PropertySlot to descriptor.
2441         * runtime/RegExpConstructor.cpp:
2442         * runtime/RegExpMatchesArray.cpp:
2443         * runtime/RegExpMatchesArray.h:
2444         * runtime/RegExpObject.cpp:
2445         * runtime/RegExpPrototype.cpp:
2446         * runtime/StringConstructor.cpp:
2447         * runtime/StringObject.cpp:
2448             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
2449
2450 2013-08-19  Michael Saboff  <msaboff@apple.com>
2451
2452         https://bugs.webkit.org/show_bug.cgi?id=120015 DFG 32Bit: Crash loading "Classic" site @ translate.google.com
2453
2454         Reviewed by Sam Weinig.
2455
2456         * dfg/DFGSpeculativeJIT32_64.cpp:
2457         (JSC::DFG::SpeculativeJIT::fillSpeculateCell): Added checks for spillFormat being
2458         DataFormatInteger or DataFormatDouble similar to what is in the 64 bit code and in
2459         all versions of fillSpeculateBoolean().
2460
2461 2013-08-19  Michael Saboff  <msaboff@apple.com>
2462
2463         https://bugs.webkit.org/show_bug.cgi?id=120020 Change Set 154207 causes wrong register to be used for 32 bit tests
2464
2465         Reviewed by Benjamin Poulain.
2466
2467         Change branchTest32 to only use the byte for 8 bit test on the lower 4 registers.
2468         Registers 4 through 7 as byte registers are ah, ch, dh and bh instead of sp, bp, si and di.
2469
2470         * assembler/MacroAssemblerX86Common.h:
2471         (JSC::MacroAssemblerX86Common::branchTest32):
2472
2473 2013-08-16  Oliver Hunt  <oliver@apple.com>
2474
2475         <https://webkit.org/b/119860> Crash during exception unwinding
2476
2477         Reviewed by Filip Pizlo.
2478
2479         Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error
2480         to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node.
2481
2482         We need this so that Throw and ThrowReferenceError no longer need to be treated as
2483         terminals and the subsequent flush keeps the activation (and other registers) live.
2484
2485         * dfg/DFGAbstractInterpreterInlines.h:
2486         (JSC::DFG::::executeEffects):
2487         * dfg/DFGByteCodeParser.cpp:
2488         (JSC::DFG::ByteCodeParser::parseBlock):
2489         * dfg/DFGClobberize.h:
2490         (JSC::DFG::clobberize):
2491         * dfg/DFGFixupPhase.cpp:
2492         (JSC::DFG::FixupPhase::fixupNode):
2493         * dfg/DFGNode.h:
2494         (JSC::DFG::Node::isTerminal):
2495         * dfg/DFGNodeType.h:
2496         * dfg/DFGPredictionPropagationPhase.cpp:
2497         (JSC::DFG::PredictionPropagationPhase::propagate):
2498         * dfg/DFGSafeToExecute.h:
2499         (JSC::DFG::safeToExecute):
2500         * dfg/DFGSpeculativeJIT32_64.cpp:
2501         (JSC::DFG::SpeculativeJIT::compile):
2502         * dfg/DFGSpeculativeJIT64.cpp:
2503         (JSC::DFG::SpeculativeJIT::compile):
2504
2505 2013-08-19  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>
2506
2507         <https://webkit.org/b/120008> [GTK][ARM] javascriptcore compilation is broken
2508
2509         Reviewed by Oliver Hunt.
2510
2511         Guard the compilation of these files only if DFG_JIT is enabled.
2512
2513         * dfg/DFGDesiredTransitions.cpp:
2514         * dfg/DFGDesiredTransitions.h:
2515         * dfg/DFGDesiredWeakReferences.cpp:
2516         * dfg/DFGDesiredWeakReferences.h:
2517         * dfg/DFGDesiredWriteBarriers.cpp:
2518         * dfg/DFGDesiredWriteBarriers.h:
2519
2520 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
2521
2522         REGRESSION(r154218): DFG::FixupPhase no longer turns GetById's child1 into CellUse
2523         https://bugs.webkit.org/show_bug.cgi?id=119961
2524
2525         Reviewed by Mark Hahnenberg.
2526
2527         * dfg/DFGFixupPhase.cpp:
2528         (JSC::DFG::FixupPhase::fixupNode):
2529
2530 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
2531
2532         https://bugs.webkit.org/show_bug.cgi?id=119972
2533         Add attributes field to PropertySlot
2534
2535         Reviewed by Geoff Garen.
2536
2537         For all JSC types, this makes getOwnPropertyDescriptor redundant.
2538         There will be a bit more hacking required in WebCore to remove GOPD whilst maintaining current behaviour.
2539         (Current behaviour is in many ways broken, particularly in that GOPD & GOPS are inconsistent, but we should fix incrementally).
2540
2541         No performance impact.
2542
2543         * runtime/PropertySlot.h:
2544         (JSC::PropertySlot::setValue):
2545         (JSC::PropertySlot::setCustom):
2546         (JSC::PropertySlot::setCacheableCustom):
2547         (JSC::PropertySlot::setCustomIndex):
2548         (JSC::PropertySlot::setGetterSlot):
2549         (JSC::PropertySlot::setCacheableGetterSlot):
2550             - These methods now all require 'attributes'.
2551         * runtime/JSObject.h:
2552         (JSC::JSObject::getDirect):
2553         (JSC::JSObject::getDirectOffset):
2554         (JSC::JSObject::inlineGetOwnPropertySlot):
2555             - Added variants of getDirect, getDirectOffset that return the attributes.
2556         * API/JSCallbackObjectFunctions.h:
2557         (JSC::::getOwnPropertySlot):
2558         * runtime/Arguments.cpp:
2559         (JSC::Arguments::getOwnPropertySlotByIndex):
2560         (JSC::Arguments::getOwnPropertySlot):
2561         * runtime/JSActivation.cpp:
2562         (JSC::JSActivation::symbolTableGet):
2563         (JSC::JSActivation::getOwnPropertySlot):
2564         * runtime/JSArray.cpp:
2565         (JSC::JSArray::getOwnPropertySlot):
2566         * runtime/JSArrayBuffer.cpp:
2567         (JSC::JSArrayBuffer::getOwnPropertySlot):
2568         * runtime/JSArrayBufferView.cpp:
2569         (JSC::JSArrayBufferView::getOwnPropertySlot):
2570         * runtime/JSDataView.cpp:
2571         (JSC::JSDataView::getOwnPropertySlot):
2572         * runtime/JSFunction.cpp:
2573         (JSC::JSFunction::getOwnPropertySlot):
2574         * runtime/JSGenericTypedArrayViewInlines.h:
2575         (JSC::::getOwnPropertySlot):
2576         (JSC::::getOwnPropertySlotByIndex):
2577         * runtime/JSObject.cpp:
2578         (JSC::JSObject::getOwnPropertySlotByIndex):
2579         (JSC::JSObject::fillGetterPropertySlot):
2580         * runtime/JSString.h:
2581         (JSC::JSString::getStringPropertySlot):
2582         * runtime/JSSymbolTableObject.h:
2583         (JSC::symbolTableGet):
2584         * runtime/Lookup.cpp:
2585         (JSC::setUpStaticFunctionSlot):
2586         * runtime/Lookup.h:
2587         (JSC::getStaticPropertySlot):
2588         (JSC::getStaticPropertyDescriptor):
2589         (JSC::getStaticValueSlot):
2590         (JSC::getStaticValueDescriptor):
2591         * runtime/RegExpObject.cpp:
2592         (JSC::RegExpObject::getOwnPropertySlot):
2593         * runtime/SparseArrayValueMap.cpp:
2594         (JSC::SparseArrayEntry::get):
2595             - Pass attributes to PropertySlot::set* methods.
2596
2597 2013-08-17  Mark Hahnenberg  <mhahnenberg@apple.com>
2598
2599         <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
2600
2601         Reviewed by Filip Pizlo.
2602
2603         Added a new mode for DesiredWriteBarrier that allows it to track a position in a 
2604         Vector of WriteBarriers rather than the specific address. The fact that we were 
2605         arbitrarily storing into a Vector's backing store for constants at the end of 
2606         compilation after the Vector could have resized was causing crashes.
2607
2608         * bytecode/CodeBlock.h:
2609         (JSC::CodeBlock::constants):
2610         (JSC::CodeBlock::addConstantLazily):
2611         * dfg/DFGByteCodeParser.cpp:
2612         (JSC::DFG::ByteCodeParser::addConstant):
2613         * dfg/DFGDesiredWriteBarriers.cpp:
2614         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
2615         (JSC::DFG::DesiredWriteBarrier::trigger):
2616         (JSC::DFG::initializeLazyWriteBarrierForConstant):
2617         * dfg/DFGDesiredWriteBarriers.h:
2618         (JSC::DFG::DesiredWriteBarriers::add):
2619         * dfg/DFGFixupPhase.cpp:
2620         (JSC::DFG::FixupPhase::truncateConstantToInt32):
2621         * dfg/DFGGraph.h:
2622         (JSC::DFG::Graph::constantRegisterForConstant):
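        The entry above describes a deferred write that had captured a raw address inside a
        Vector's backing store, which became stale once the Vector reallocated. The following is an
        added illustration of the index-based fix, not JavaScriptCore code: ConstantPool,
        DeferredPoolWrite and DeferredWrites are hypothetical names standing in for the constant
        buffer and the DesiredWriteBarrier machinery, and std::vector plays the role of WTF::Vector.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical stand-in for a constant pool that keeps growing while a compile is in flight.
using ConstantPool = std::vector<std::uint64_t>;

// A deferred write remembers WHERE in the pool to write (an index), never a raw pointer,
// because the pool's storage can move on every push_back.
struct DeferredPoolWrite {
    std::size_t index;     // position in the owning vector
    std::uint64_t value;   // payload stored when compilation finishes
};

struct DeferredWrites {
    std::vector<DeferredPoolWrite> pending;

    // Reserve a slot now, record its index, and fill it in later.
    std::size_t addLazily(ConstantPool& pool, std::uint64_t value) {
        std::size_t idx = pool.size();
        pool.push_back(0);                  // placeholder, like an uninitialised barrier
        pending.push_back({idx, value});
        return idx;
    }

    // By now the pool may have reallocated many times; indices stay valid, so every
    // write lands in the live buffer rather than in freed memory.
    void triggerAll(ConstantPool& pool) {
        for (const DeferredPoolWrite& w : pending)
            pool[w.index] = w.value;
        pending.clear();
    }
};

// Returns true if the backing store moved between the two samples: the address a
// pointer-based scheme would have captured early no longer belongs to the vector.
bool backingStoreMoved(std::size_t growBy) {
    ConstantPool pool;
    pool.reserve(1);
    pool.push_back(0);
    std::uintptr_t before = reinterpret_cast<std::uintptr_t>(pool.data());
    for (std::size_t i = 0; i < growBy; ++i)
        pool.push_back(i);
    std::uintptr_t after = reinterpret_cast<std::uintptr_t>(pool.data());
    return before != after;
}

// Drives the index-based scheme through heavy interleaved growth and returns how many
// deferred slots hold their intended value afterwards (all of them, if the scheme is sound).
std::size_t countCorrectlyWritten(std::size_t lazyCount, std::size_t eagerPerLazy) {
    ConstantPool pool;
    DeferredWrites writes;
    std::vector<std::size_t> slots;
    for (std::size_t i = 0; i < lazyCount; ++i) {
        slots.push_back(writes.addLazily(pool, 0xC0FFEE00u + i));
        for (std::size_t j = 0; j < eagerPerLazy; ++j)
            pool.push_back(j);              // ordinary growth that may reallocate
    }
    writes.triggerAll(pool);
    std::size_t ok = 0;
    for (std::size_t i = 0; i < lazyCount; ++i)
        if (pool[slots[i]] == 0xC0FFEE00u + i)
            ++ok;
    return ok;
}
```

        backingStoreMoved() only reports whether a reallocation happened; the point of the
        pattern is that the result of countCorrectlyWritten() does not depend on it.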
2623
2624 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
2625
2626         DFG should optimize typedArray.byteLength
2627         https://bugs.webkit.org/show_bug.cgi?id=119909
2628
2629         Reviewed by Oliver Hunt.
2630         
2631         This adds typedArray.byteLength inlining to the DFG, and does so without changing
2632         the IR: byteLength is turned into GetArrayLength followed by BitLShift. This is
2633         legal since the byteLength of a typed array cannot exceed
2634         numeric_limits<int32_t>::max().
2635
2636         * bytecode/SpeculatedType.cpp:
2637         (JSC::typedArrayTypeFromSpeculation):
2638         * bytecode/SpeculatedType.h:
2639         * dfg/DFGArrayMode.cpp:
2640         (JSC::DFG::toArrayType):
2641         * dfg/DFGArrayMode.h:
2642         * dfg/DFGFixupPhase.cpp:
2643         (JSC::DFG::FixupPhase::fixupNode):
2644         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
2645         (JSC::DFG::FixupPhase::attemptToMakeGetByteLength):
2646         (JSC::DFG::FixupPhase::convertToGetArrayLength):
2647         (JSC::DFG::FixupPhase::prependGetArrayLength):
2648         * dfg/DFGGraph.h:
2649         (JSC::DFG::Graph::constantRegisterForConstant):
2650         (JSC::DFG::Graph::convertToConstant):
2651         * runtime/TypedArrayType.h:
2652         (JSC::logElementSize):
2653         (JSC::elementSize):
2654
2655 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
2656
2657         DFG optimizes out strict mode arguments tear off
2658         https://bugs.webkit.org/show_bug.cgi?id=119504
2659
2660         Reviewed by Mark Hahnenberg and Oliver Hunt.
2661         
2662         Don't do the optimization for strict mode.
2663
2664         * dfg/DFGArgumentsSimplificationPhase.cpp:
2665         (JSC::DFG::ArgumentsSimplificationPhase::run):
2666         (JSC::DFG::ArgumentsSimplificationPhase::pruneObviousArgumentCreations):
2667
2668 2013-08-16  Benjamin Poulain  <benjamin@webkit.org>
2669
2670         [JSC] x86: improve code generation for xxxTest32
2671         https://bugs.webkit.org/show_bug.cgi?id=119876
2672
2673         Reviewed by Geoffrey Garen.
2674
2675         Try to use testb whenever possible when testing for an immediate value.
2676
2677         When the input is an address and an offset, we can tweak the mask
2678         and offset to be able to generate testb for any byte of the mask.
2679
2680         When the input is a register, we can use testb if we are only interested
2681         in testing the low bits.
2682
2683         * assembler/MacroAssemblerX86Common.h:
2684         (JSC::MacroAssemblerX86Common::branchTest32):
2685         (JSC::MacroAssemblerX86Common::test32):
2686         (JSC::MacroAssemblerX86Common::generateTest32):
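        Two entries on this page concern the same encoding detail: the one above (bug 119876)
        narrows a 32-bit test to a byte test whenever the mask fits in one byte, and the follow-up
        for bug 120020 restricts the register form to the lower four registers, because on 32-bit
        x86 the 8-bit encodings of register numbers 4 through 7 name ah, ch, dh and bh rather than
        the low bytes of esp, ebp, esi and edi. The encoder below is an added example, not code from
        JavaScriptCore's MacroAssembler; it assumes the usual 32-bit register numbering
        (0=eax 1=ecx 2=edx 3=ebx 4=esp 5=ebp 6=esi 7=edi), no REX prefix, and only the
        [base + disp8] memory form, and emits F6 /0 ib (testb) or F7 /0 id (testl) accordingly.

```cpp
#include <cstdint>
#include <vector>

// Register numbers follow the 32-bit x86 convention (assumed): 0=eax ... 4=esp ... 7=edi.
// Without a REX prefix, the 8-bit forms of numbers 4..7 encode ah/ch/dh/bh, so a testb on
// "esp" actually tests ah: the instruction assembles fine but reads the wrong register.
using Bytes = std::vector<std::uint8_t>;

// True if mask is non-zero and confined to a single byte; byteIndex receives that byte's position.
static bool fitsInByte(std::uint32_t mask, unsigned& byteIndex) {
    for (unsigned k = 0; k < 4; ++k) {
        std::uint32_t byteMask = 0xFFu << (8 * k);
        if (mask != 0 && (mask & ~byteMask) == 0) { byteIndex = k; return true; }
    }
    return false;
}

static void appendImm32(Bytes& out, std::uint32_t v) {
    for (int i = 0; i < 4; ++i)
        out.push_back(static_cast<std::uint8_t>(v >> (8 * i)));   // little-endian immediate
}

// ModRM (+SIB) for [base + disp8]: mod=01, reg field=/0, rm=base; esp as base needs SIB 0x24.
static void appendMemDisp8(Bytes& out, unsigned base, int disp) {
    out.push_back(static_cast<std::uint8_t>(0x40 | base));
    if (base == 4) out.push_back(0x24);
    out.push_back(static_cast<std::uint8_t>(disp));
}

// test reg32, imm: testb (F6 /0 ib) only when the mask is in the low byte AND reg < 4;
// otherwise testl (F7 /0 id), which tests the full register the caller asked for.
Bytes encodeTestReg(unsigned reg, std::uint32_t mask) {
    Bytes out;
    unsigned byteIndex = 0;
    if (reg < 4 && fitsInByte(mask, byteIndex) && byteIndex == 0) {
        out.push_back(0xF6);
        out.push_back(static_cast<std::uint8_t>(0xC0 | reg));   // mod=11 (register direct)
        out.push_back(static_cast<std::uint8_t>(mask));
    } else {
        out.push_back(0xF7);
        out.push_back(static_cast<std::uint8_t>(0xC0 | reg));
        appendImm32(out, mask);
    }
    return out;
}

// test [base + disp8], imm: if the mask lives in byte k, test that single byte at disp+k.
// Memory operands have no byte-register problem, so any base register is fine.
Bytes encodeTestMem(unsigned base, int disp, std::uint32_t mask) {
    Bytes out;
    unsigned byteIndex = 0;
    if (fitsInByte(mask, byteIndex) && disp + static_cast<int>(byteIndex) <= 127) {
        out.push_back(0xF6);
        appendMemDisp8(out, base, disp + static_cast<int>(byteIndex));
        out.push_back(static_cast<std::uint8_t>(mask >> (8 * byteIndex)));
    } else {
        out.push_back(0xF7);
        appendMemDisp8(out, base, disp);
        appendImm32(out, mask);
    }
    return out;
}
```

        A naive encoder would emit F6 C4 01 for "test esp, 1", which a disassembler reads as
        test ah, 1; encodeTestReg(4, 1) instead produces the 6-byte F7 C4 form.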
2687
2688 2013-08-16  Mark Lam  <mark.lam@apple.com>
2689
2690         <https://bugs.webkit.org/show_bug.cgi?id=119913> Baseline JIT gives erroneous
2691         error message that an object is not a constructor though it expects a function
2692
2693         Reviewed by Michael Saboff.
2694
2695         * jit/JITStubs.cpp:
2696         (JSC::DEFINE_STUB_FUNCTION):
2697
2698 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
2699
2700         Object properties added using dot syntax (o.f = ...) from code that isn't in eval should be less likely to cause an object to become a dictionary
2701         https://bugs.webkit.org/show_bug.cgi?id=119897
2702
2703         Reviewed by Oliver Hunt.
2704         
2705         6-10x speed-up on microbenchmarks that create large static objects. 40-65% speed-up
2706         on Octane/gbemu. 3% overall speed-up on Octane. No slow-downs anywhere; our ability
2707         to turn objects into dictionaries when you're storing using bracket syntax or using
2708         eval is still in place.
2709
2710         * bytecode/CodeBlock.h:
2711         (JSC::CodeBlock::putByIdContext):
2712         * dfg/DFGOperations.cpp:
2713         * jit/JITStubs.cpp:
2714         (JSC::DEFINE_STUB_FUNCTION):
2715         * llint/LLIntSlowPaths.cpp:
2716         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2717         * runtime/JSObject.h:
2718         (JSC::JSObject::putDirectInternal):
2719         * runtime/PutPropertySlot.h:
2720         (JSC::PutPropertySlot::PutPropertySlot):
2721         (JSC::PutPropertySlot::context):
2722         * runtime/Structure.cpp:
2723         (JSC::Structure::addPropertyTransition):
2724         * runtime/Structure.h:
2725
2726 2013-08-16  Balazs Kilvady  <kilvadyb@homejinni.com>
2727
2728         <https://webkit.org/b/119742> REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException
2729
2730         Reviewed by Allan Sandfeld Jensen.
2731
2732         ctiVMHandleException must jump/return using register ra (r31).
2733
2734         * jit/JITStubsMIPS.h:
2735
2736 2013-08-16  Julien Brianceau  <jbrianceau@nds.com>
2737
2738         <https://webkit.org/b/119879> Fix sh4 build after r154156.
2739
2740         Reviewed by Allan Sandfeld Jensen.
2741
2742         Fix typo in JITStubsSH4.h file.
2743
2744         * jit/JITStubsSH4.h:
2745
2746 2013-08-15  Mark Hahnenberg  <mhahnenberg@apple.com>
2747
2748         <https://webkit.org/b/119833> Concurrent compilation thread should not trigger WriteBarriers
2749
2750         Reviewed by Oliver Hunt.
2751
2752         The concurrent compilation thread should interact minimally with the Heap, including not 
2753         triggering WriteBarriers. This is a prerequisite for generational GC.
2754
2755         * JavaScriptCore.xcodeproj/project.pbxproj:
2756         * bytecode/CodeBlock.cpp:
2757         (JSC::CodeBlock::addOrFindConstant):
2758         (JSC::CodeBlock::findConstant):
2759         * bytecode/CodeBlock.h:
2760         (JSC::CodeBlock::addConstantLazily):
2761         * dfg/DFGByteCodeParser.cpp:
2762         (JSC::DFG::ByteCodeParser::getJSConstantForValue):
2763         (JSC::DFG::ByteCodeParser::constantUndefined):
2764         (JSC::DFG::ByteCodeParser::constantNull):
2765         (JSC::DFG::ByteCodeParser::one):
2766         (JSC::DFG::ByteCodeParser::constantNaN):
2767         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2768         * dfg/DFGCommonData.cpp:
2769         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
2770         * dfg/DFGCommonData.h:
2771         * dfg/DFGDesiredTransitions.cpp: Added.
2772         (JSC::DFG::DesiredTransition::DesiredTransition):
2773         (JSC::DFG::DesiredTransition::reallyAdd):
2774         (JSC::DFG::DesiredTransitions::DesiredTransitions):
2775         (JSC::DFG::DesiredTransitions::~DesiredTransitions):
2776         (JSC::DFG::DesiredTransitions::addLazily):
2777         (JSC::DFG::DesiredTransitions::reallyAdd):
2778         * dfg/DFGDesiredTransitions.h: Added.
2779         * dfg/DFGDesiredWeakReferences.cpp: Added.
2780         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
2781         (JSC::DFG::DesiredWeakReferences::~DesiredWeakReferences):
2782         (JSC::DFG::DesiredWeakReferences::addLazily):
2783         (JSC::DFG::DesiredWeakReferences::reallyAdd):
2784         * dfg/DFGDesiredWeakReferences.h: Added.
2785         * dfg/DFGDesiredWriteBarriers.cpp: Added.
2786         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
2787         (JSC::DFG::DesiredWriteBarrier::trigger):
2788         (JSC::DFG::DesiredWriteBarriers::DesiredWriteBarriers):
2789         (JSC::DFG::DesiredWriteBarriers::~DesiredWriteBarriers):
2790         (JSC::DFG::DesiredWriteBarriers::addImpl):
2791         (JSC::DFG::DesiredWriteBarriers::trigger):
2792         * dfg/DFGDesiredWriteBarriers.h: Added.
2793         (JSC::DFG::DesiredWriteBarriers::add):
2794         (JSC::DFG::initializeLazyWriteBarrier):
2795         * dfg/DFGFixupPhase.cpp:
2796         (JSC::DFG::FixupPhase::truncateConstantToInt32):
2797         * dfg/DFGGraph.h:
2798         (JSC::DFG::Graph::convertToConstant):
2799         * dfg/DFGJITCompiler.h:
2800         (JSC::DFG::JITCompiler::addWeakReference):
2801         * dfg/DFGPlan.cpp:
2802         (JSC::DFG::Plan::Plan):
2803         (JSC::DFG::Plan::reallyAdd):
2804         * dfg/DFGPlan.h:
2805         * dfg/DFGSpeculativeJIT32_64.cpp:
2806         (JSC::DFG::SpeculativeJIT::compile):
2807         * dfg/DFGSpeculativeJIT64.cpp:
2808         (JSC::DFG::SpeculativeJIT::compile):
2809         * runtime/WriteBarrier.h:
2810         (JSC::WriteBarrierBase::set):
2811         (JSC::WriteBarrier::WriteBarrier):
2812
2813 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
2814
2815         Fix x86 32-bit build after r154158
2816
2817         * assembler/X86Assembler.h: Add missing #ifdef for the x86_64 instructions.
2818
2819 2013-08-15  Ryosuke Niwa  <rniwa@webkit.org>
2820
2821         Build fix attempt after r154156.
2822
2823         * jit/JITStubs.cpp:
2824         (JSC::cti_vm_handle_exception): encode!
2825
2826 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
2827
2828         [JSC] x86: Use inc and dec when possible
2829         https://bugs.webkit.org/show_bug.cgi?id=119831
2830
2831         Reviewed by Geoffrey Garen.
2832
2833         When incrementing or decrementing by an immediate of 1, use the instructions
2834         inc and dec instead of add and sub.
2835         The instructions have good timing and their encoding is smaller.
2836
2837         * assembler/MacroAssemblerX86Common.h:
2838         (JSC::MacroAssemblerX86_64::add32):
2839         (JSC::MacroAssemblerX86_64::sub32):
2840         * assembler/MacroAssemblerX86_64.h:
2841         (JSC::MacroAssemblerX86_64::add64):
2842         (JSC::MacroAssemblerX86_64::sub64):
2843         * assembler/X86Assembler.h:
2844         (JSC::X86Assembler::dec_r):
2845         (JSC::X86Assembler::decq_r):
2846         (JSC::X86Assembler::inc_r):
2847         (JSC::X86Assembler::incq_r):
2848
2849 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2850
2851         Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
2852         https://bugs.webkit.org/show_bug.cgi?id=119874
2853
2854         Reviewed by Oliver Hunt and Mark Hahnenberg.
2855         
2856         It was a confusion between heuristics in DFG::ArrayMode that are assuming that
2857         you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
2858         sometimes for typed array length accesses, and the FixupPhase assuming that a
2859         ForceExit ArrayMode means that it should continue using a generic GetById.
2860
2861         This fixes the confusion.
2862
2863         * dfg/DFGFixupPhase.cpp:
2864         (JSC::DFG::FixupPhase::fixupNode):
2865
2866 2013-08-15  Mark Lam  <mark.lam@apple.com>
2867
2868         Fix crash when performing activation tearoff.
2869         https://bugs.webkit.org/show_bug.cgi?id=119848
2870
2871         Reviewed by Oliver Hunt.
2872
2873         The activation tearoff crash was due to a bug in the baseline JIT.
2874         If we have a scenario where a baseline JIT frame calls a LLINT
2875         frame, an exception may be thrown while in the LLINT.
2876
2877         Interpreter::throwException() which handles the exception will unwind
2878         all frames until it finds a catcher or sees a host frame. When we
2879         return from the LLINT to the baseline JIT code, the baseline JIT code
2880         erroneously sets topCallFrame to the value in its call frame register,
2881         and starts unwinding the stack frames that have already been unwound.
2882
2883         The fix is:
2884         1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2885            This is a more accurate description of what this runtime function
2886            is supposed to do, i.e. it handles the exception, which includes doing
2887            nothing (if there are no more frames to unwind).
2888         2. Fix up topCallFrame values so that the HostCallFrameFlag is never
2889            set on it.
2890         3. Reload the call frame register from topCallFrame when we're
2891            returning from a callee and detect exception handling in progress.
2892
2893         * interpreter/Interpreter.cpp:
2894         (JSC::Interpreter::unwindCallFrame):
2895         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2896         (JSC::Interpreter::getStackTrace):
2897         * interpreter/Interpreter.h:
2898         (JSC::TopCallFrameSetter::TopCallFrameSetter):
2899         (JSC::TopCallFrameSetter::~TopCallFrameSetter):
2900         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
2901         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2902         * jit/JIT.h:
2903         * jit/JITExceptions.cpp:
2904         (JSC::uncaughtExceptionHandler):
2905         - Convenience function to get the handler for uncaught exceptions.
2906         * jit/JITExceptions.h:
2907         * jit/JITInlines.h:
2908         (JSC::JIT::reloadCallFrameFromTopCallFrame):
2909         * jit/JITOpcodes32_64.cpp:
2910         (JSC::JIT::privateCompileCTINativeCall):
2911         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2912         * jit/JITStubs.cpp:
2913         (JSC::throwExceptionFromOpCall):
2914         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2915         (JSC::cti_vm_handle_exception):
2916         - Check for the case when there are no more frames to unwind.
2917         * jit/JITStubs.h:
2918         * jit/JITStubsARM.h:
2919         * jit/JITStubsARMv7.h:
2920         * jit/JITStubsMIPS.h:
2921         * jit/JITStubsSH4.h:
2922         * jit/JITStubsX86.h:
2923         * jit/JITStubsX86_64.h:
2924         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2925         * jit/SlowPathCall.h:
2926         (JSC::JITSlowPathCall::call):
2927         - reload cfr from topCallFrame when handling an exception.
2928         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2929         * jit/ThunkGenerators.cpp:
2930         (JSC::nativeForGenerator):
2931         * llint/LowLevelInterpreter32_64.asm:
2932         * llint/LowLevelInterpreter64.asm:
2933         - reload cfr from topCallFrame when handling an exception.
2934         * runtime/VM.cpp:
2935         (JSC::VM::VM):
2936         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2937
2938 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2939
2940         Remove some code duplication.
2941         
2942         Rubber stamped by Mark Hahnenberg.
2943
2944         * runtime/JSDataViewPrototype.cpp:
2945         (JSC::getData):
2946         (JSC::setData):
2947
2948 2013-08-15  Julien Brianceau  <jbrianceau@nds.com>
2949
2950         [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
2951         https://bugs.webkit.org/show_bug.cgi?id=119794
2952
2953         Reviewed by Filip Pizlo.
2954
2955         This patch fixes ASSERT failures in debug builds for sh4 and mips architecture.
2956
2957         * dfg/DFGUseKind.h:
2958         (JSC::DFG::isNumerical):
2959         (JSC::DFG::isDouble):
2960
2961 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2962
2963         http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.
2964
2965         Rubber stamped by Oliver Hunt.
2966         
2967         This was causing some test crashes for me.
2968
2969         * dfg/DFGCapabilities.cpp:
2970         (JSC::DFG::capabilityLevel):
2971
2972 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
2973
2974         [Windows] Clear up improper export declaration.
2975
2976         * runtime/ArrayBufferView.h:
2977
2978 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2979
2980         Unreviewed, remove some unnecessary periods from exceptions.
2981
2982         * runtime/JSDataViewPrototype.cpp:
2983         (JSC::getData):
2984         (JSC::setData):
2985
2986 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
2987
2988         Unreviewed, fix 32-bit build.
2989
2990         * dfg/DFGSpeculativeJIT32_64.cpp:
2991         (JSC::DFG::SpeculativeJIT::compile):
2992
2993 2013-08-14  Filip Pizlo  <fpizlo@apple.com>
2994
2995         Typed arrays should be rewritten
2996         https://bugs.webkit.org/show_bug.cgi?id=119064
2997
2998         Reviewed by Oliver Hunt.
2999         
3000         Typed arrays were previously deficient in several major ways:
3001         
3002         - They were defined separately in WebCore and in the jsc shell. The two
3003           implementations were different, and the jsc shell one was basically wrong.
3004           The WebCore one was quite awful, also.
3005         
3006         - Typed arrays were not visible to the JIT except through some weird hooks.
3007           For example, the JIT could not ask "what is the Structure that this typed
3008           array would have if I just allocated it from this global object". Also,
3009           it was difficult to wire any of the typed array intrinsics, because most
3010           of the functionality wasn't visible anywhere in JSC.
3011         
3012         - Typed array allocation was brain-dead. Allocating a typed array involved
3013           two JS objects, two GC weak handles, and three malloc allocations.
3014         
3015         - Neutering. It involved keeping tabs on all native views but not the view
3016           wrappers, even though the native views can autoneuter just by asking the
3017           buffer if it was neutered anytime you touch them; while the JS view
3018           wrappers are the ones that you really want to reach out to.
3019         
3020         - Common case-ing. Most typed arrays have one buffer and one view, and
3021           usually nobody touches the buffer. Yet we created all of that stuff
3022           anyway, using data structures optimized for the case where you had a lot
3023           of views.
3024         
3025         - Semantic goofs. Typed arrays should, in the future, behave like ES
3026           features rather than DOM features, for example when it comes to exceptions.
3027           Firefox already does this and I agree with them.
3028         
3029         This patch cleanses our codebase of these sins:
3030         
3031         - Typed arrays are almost entirely defined in JSC. Only the lifecycle
3032           management of native references to buffers is left to WebCore.
3033         
3034         - Allocating a typed array requires either two GC allocations (a cell and a
3035           copied storage vector) or one GC allocation, a malloc allocation, and a
3036           weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
3037           latter). The latter is only used for oversize arrays. Remember that before
3038           it was 7 allocations no matter what.
3039         
3040         - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
3041           mode/length, void* vector. Before it was a lot more than that - remember,
3042           there were five additional objects that did absolutely nothing for anybody.
3043         
3044         - Native views aren't tracked by the buffer, or by the wrappers. They are
3045           transient. In the future we'll probably switch to not even having them be
3046           malloc'd.
3047         
3048         - Native array buffers have an efficient way of tracking all of their JS view
3049           wrappers, both for neutering, and for lifecycle management. The GC
3050           special-cases native array buffers. This saves a bunch of grief; for example
3051           it means that a JS view wrapper can refer to its buffer via the butterfly,
3052           which would be dead by the time we went to finalize.
3053         
3054         - Typed array semantics now match Firefox, which also happens to be where the
3055           standards are going. The discussion on webkit-dev seemed to confirm that
3056           Chrome is also heading in this direction. This includes making
3057           Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
3058           ArrayBufferView as a JS-visible construct.
3059         
3060         This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
3061         It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
3062         further typed array optimizations in the JSC JITs, including inlining typed
3063         array allocation, inlining more of the accessors, reducing the cost of type
3064         checks, etc.
3065         
3066         An additional property of this patch is that typed arrays are mostly
3067         implemented using templates. This deduplicates a bunch of code, but does mean
3068         that we need some hacks for exporting s_info's of template classes. See
3069         JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
3070         low-impact compared to code duplication.
3071         
3072         Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
3073
3074         * CMakeLists.txt:
3075         * DerivedSources.make:
3076         * GNUmakefile.list.am:
3077         * JSCTypedArrayStubs.h: Removed.
3078         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3079         * JavaScriptCore.xcodeproj/project.pbxproj:
3080         * Target.pri:
3081         * bytecode/ByValInfo.h:
3082         (JSC::hasOptimizableIndexingForClassInfo):
3083         (JSC::jitArrayModeForClassInfo):
3084         (JSC::typedArrayTypeForJITArrayMode):
3085         * bytecode/SpeculatedType.cpp:
3086         (JSC::speculationFromClassInfo):
3087         * dfg/DFGArrayMode.cpp:
3088         (JSC::DFG::toTypedArrayType):
3089         * dfg/DFGArrayMode.h:
3090         (JSC::DFG::ArrayMode::typedArrayType):
3091         * dfg/DFGSpeculativeJIT.cpp:
3092         (JSC::DFG::SpeculativeJIT::checkArray):
3093         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
3094         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
3095         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
3096         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
3097         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
3098         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
3099         * dfg/DFGSpeculativeJIT.h:
3100         * dfg/DFGSpeculativeJIT32_64.cpp:
3101         (JSC::DFG::SpeculativeJIT::compile):
3102         * dfg/DFGSpeculativeJIT64.cpp:
3103         (JSC::DFG::SpeculativeJIT::compile):
3104         * heap/CopyToken.h:
3105         * heap/DeferGC.h:
3106         (JSC::DeferGCForAWhile::DeferGCForAWhile):
3107         (JSC::DeferGCForAWhile::~DeferGCForAWhile):
3108         * heap/GCIncomingRefCounted.h: Added.
3109         (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
3110         (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
3111         (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
3112         (JSC::GCIncomingRefCounted::incomingReferenceAt):
3113         (JSC::GCIncomingRefCounted::singletonFlag):
3114         (JSC::GCIncomingRefCounted::hasVectorOfCells):
3115         (JSC::GCIncomingRefCounted::hasAnyIncoming):
3116         (JSC::GCIncomingRefCounted::hasSingleton):
3117         (JSC::GCIncomingRefCounted::singleton):
3118         (JSC::GCIncomingRefCounted::vectorOfCells):
3119         * heap/GCIncomingRefCountedInlines.h: Added.
3120         (JSC::::addIncomingReference):
3121         (JSC::::filterIncomingReferences):
3122         * heap/GCIncomingRefCountedSet.h: Added.
3123         (JSC::GCIncomingRefCountedSet::size):
3124         * heap/GCIncomingRefCountedSetInlines.h: Added.
3125         (JSC::::GCIncomingRefCountedSet):
3126         (JSC::::~GCIncomingRefCountedSet):
3127         (JSC::::addReference):
3128         (JSC::::sweep):
3129         (JSC::::removeAll):
3130         (JSC::::removeDead):
3131         * heap/Heap.cpp:
3132         (JSC::Heap::addReference):
3133         (JSC::Heap::extraSize):
3134         (JSC::Heap::size):
3135         (JSC::Heap::capacity):
3136         (JSC::Heap::collect):
3137         (JSC::Heap::decrementDeferralDepth):
3138         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
3139         * heap/Heap.h:
3140         * interpreter/CallFrame.h:
3141         (JSC::ExecState::dataViewTable):
3142         * jit/JIT.h:
3143         * jit/JITPropertyAccess.cpp:
3144         (JSC::JIT::privateCompileGetByVal):
3145         (JSC::JIT::privateCompilePutByVal):
3146         (JSC::JIT::emitIntTypedArrayGetByVal):
3147         (JSC::JIT::emitFloatTypedArrayGetByVal):
3148         (JSC::JIT::emitIntTypedArrayPutByVal):
3149         (JSC::JIT::emitFloatTypedArrayPutByVal):
3150         * jsc.cpp:
3151         (GlobalObject::finishCreation):
3152         * runtime/ArrayBuffer.cpp:
3153         (JSC::ArrayBuffer::transfer):
3154         * runtime/ArrayBuffer.h:
3155         (JSC::ArrayBuffer::createAdopted):
3156         (JSC::ArrayBuffer::ArrayBuffer):
3157         (JSC::ArrayBuffer::gcSizeEstimateInBytes):
3158         (JSC::ArrayBuffer::pin):
3159         (JSC::ArrayBuffer::unpin):
3160         (JSC::ArrayBufferContents::tryAllocate):
3161         * runtime/ArrayBufferView.cpp:
3162         (JSC::ArrayBufferView::ArrayBufferView):
3163         (JSC::ArrayBufferView::~ArrayBufferView):
3164         (JSC::ArrayBufferView::setNeuterable):
3165         * runtime/ArrayBufferView.h:
3166         (JSC::ArrayBufferView::isNeutered):
3167         (JSC::ArrayBufferView::buffer):
3168         (JSC::ArrayBufferView::baseAddress):
3169         (JSC::ArrayBufferView::byteOffset):
3170         (JSC::ArrayBufferView::verifySubRange):
3171         (JSC::ArrayBufferView::clampOffsetAndNumElements):
3172         (JSC::ArrayBufferView::calculateOffsetAndLength):
3173         * runtime/ClassInfo.h:
3174         * runtime/CommonIdentifiers.h:
3175         * runtime/DataView.cpp: Added.
3176         (JSC::DataView::DataView):
3177         (JSC::DataView::create):
3178         (JSC::DataView::wrap):
3179         * runtime/DataView.h: Added.
3180         (JSC::DataView::byteLength):
3181         (JSC::DataView::getType):
3182         (JSC::DataView::get):
3183         (JSC::DataView::set):
3184         * runtime/Float32Array.h:
3185         * runtime/Float64Array.h:
3186         * runtime/GenericTypedArrayView.h: Added.
3187         (JSC::GenericTypedArrayView::data):
3188         (JSC::GenericTypedArrayView::set):
3189         (JSC::GenericTypedArrayView::setRange):
3190         (JSC::GenericTypedArrayView::zeroRange):
3191         (JSC::GenericTypedArrayView::zeroFill):
3192         (JSC::GenericTypedArrayView::length):
3193         (JSC::GenericTypedArrayView::byteLength):
3194         (JSC::GenericTypedArrayView::item):
3195         (JSC::GenericTypedArrayView::checkInboundData):
3196         (JSC::GenericTypedArrayView::getType):
3197         * runtime/GenericTypedArrayViewInlines.h: Added.
3198         (JSC::::GenericTypedArrayView):
3199         (JSC::::create):
3200         (JSC::::createUninitialized):
3201         (JSC::::subarray):
3202         (JSC::::wrap):
3203         * runtime/IndexingHeader.h:
3204         (JSC::IndexingHeader::arrayBuffer):
3205         (JSC::IndexingHeader::setArrayBuffer):
3206         * runtime/Int16Array.h:
3207         * runtime/Int32Array.h:
3208         * runtime/Int8Array.h:
3209         * runtime/JSArrayBuffer.cpp: Added.
3210         (JSC::JSArrayBuffer::JSArrayBuffer):
3211         (JSC::JSArrayBuffer::finishCreation):
3212         (JSC::JSArrayBuffer::create):
3213         (JSC::JSArrayBuffer::createStructure):
3214         (JSC::JSArrayBuffer::getOwnPropertySlot):
3215         (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
3216         (JSC::JSArrayBuffer::put):
3217         (JSC::JSArrayBuffer::defineOwnProperty):
3218         (JSC::JSArrayBuffer::deleteProperty):
3219         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
3220         * runtime/JSArrayBuffer.h: Added.
3221         (JSC::JSArrayBuffer::impl):
3222         (JSC::toArrayBuffer):
3223         * runtime/JSArrayBufferConstructor.cpp: Added.
3224         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
3225         (JSC::JSArrayBufferConstructor::finishCreation):
3226         (JSC::JSArrayBufferConstructor::create):
3227         (JSC::JSArrayBufferConstructor::createStructure):
3228         (JSC::constructArrayBuffer):
3229         (JSC::JSArrayBufferConstructor::getConstructData):
3230         (JSC::JSArrayBufferConstructor::getCallData):
3231         * runtime/JSArrayBufferConstructor.h: Added.
3232         * runtime/JSArrayBufferPrototype.cpp: Added.
3233         (JSC::arrayBufferProtoFuncSlice):
3234         (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
3235         (JSC::JSArrayBufferPrototype::finishCreation):
3236         (JSC::JSArrayBufferPrototype::create):
3237         (JSC::JSArrayBufferPrototype::createStructure):
3238         * runtime/JSArrayBufferPrototype.h: Added.
3239         * runtime/JSArrayBufferView.cpp: Added.
3240         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
3241         (JSC::JSArrayBufferView::JSArrayBufferView):
3242         (JSC::JSArrayBufferView::finishCreation):
3243         (JSC::JSArrayBufferView::getOwnPropertySlot):
3244         (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
3245         (JSC::JSArrayBufferView::put):
3246         (JSC::JSArrayBufferView::defineOwnProperty):
3247         (JSC::JSArrayBufferView::deleteProperty):
3248         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
3249         (JSC::JSArrayBufferView::finalize):
3250         * runtime/JSArrayBufferView.h: Added.
3251         (JSC::JSArrayBufferView::sizeOf):
3252         (JSC::JSArrayBufferView::ConstructionContext::operator!):
3253         (JSC::JSArrayBufferView::ConstructionContext::structure):
3254         (JSC::JSArrayBufferView::ConstructionContext::vector):
3255         (JSC::JSArrayBufferView::ConstructionContext::length):
3256         (JSC::JSArrayBufferView::ConstructionContext::mode):
3257         (JSC::JSArrayBufferView::ConstructionContext::butterfly):
3258         (JSC::JSArrayBufferView::mode):
3259         (JSC::JSArrayBufferView::vector):
3260         (JSC::JSArrayBufferView::length):
3261         (JSC::JSArrayBufferView::offsetOfVector):
3262         (JSC::JSArrayBufferView::offsetOfLength):
3263         (JSC::JSArrayBufferView::offsetOfMode):
3264         * runtime/JSArrayBufferViewInlines.h: Added.
3265         (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
3266         (JSC::JSArrayBufferView::buffer):
3267         (JSC::JSArrayBufferView::impl):
3268         (JSC::JSArrayBufferView::neuter):
3269         (JSC::JSArrayBufferView::byteOffset):
3270         * runtime/JSCell.cpp:
3271         (JSC::JSCell::slowDownAndWasteMemory):
3272         (JSC::JSCell::getTypedArrayImpl):
3273         * runtime/JSCell.h:
3274         * runtime/JSDataView.cpp: Added.
3275         (JSC::JSDataView::JSDataView):
3276         (JSC::JSDataView::create):
3277         (JSC::JSDataView::createUninitialized):
3278         (JSC::JSDataView::set):
3279         (JSC::JSDataView::typedImpl):
3280         (JSC::JSDataView::getOwnPropertySlot):
3281         (JSC::JSDataView::getOwnPropertyDescriptor):
3282         (JSC::JSDataView::slowDownAndWasteMemory):
3283         (JSC::JSDataView::getTypedArrayImpl):
3284         (JSC::JSDataView::createStructure):
3285         * runtime/JSDataView.h: Added.
3286         * runtime/JSDataViewPrototype.cpp: Added.
3287         (JSC::JSDataViewPrototype::JSDataViewPrototype):
3288         (JSC::JSDataViewPrototype::create):
3289         (JSC::JSDataViewPrototype::createStructure):
3290         (JSC::JSDataViewPrototype::getOwnPropertySlot):
3291         (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
3292         (JSC::getData):
3293         (JSC::setData):
3294         (JSC::dataViewProtoFuncGetInt8):
3295         (JSC::dataViewProtoFuncGetInt16):
3296         (JSC::dataViewProtoFuncGetInt32):
3297         (JSC::dataViewProtoFuncGetUint8):
3298         (JSC::dataViewProtoFuncGetUint16):
3299         (JSC::dataViewProtoFuncGetUint32):
3300         (JSC::dataViewProtoFuncGetFloat32):
3301         (JSC::dataViewProtoFuncGetFloat64):
3302         (JSC::dataViewProtoFuncSetInt8):
3303         (JSC::dataViewProtoFuncSetInt16):
3304         (JSC::dataViewProtoFuncSetInt32):
3305         (JSC::dataViewProtoFuncSetUint8):
3306         (JSC::dataViewProtoFuncSetUint16):
3307         (JSC::dataViewProtoFuncSetUint32):
3308         (JSC::dataViewProtoFuncSetFloat32):
3309         (JSC::dataViewProtoFuncSetFloat64):
3310         * runtime/JSDataViewPrototype.h: Added.
3311         * runtime/JSFloat32Array.h: Added.
3312         * runtime/JSFloat64Array.h: Added.
3313         * runtime/JSGenericTypedArrayView.h: Added.
3314         (JSC::JSGenericTypedArrayView::byteLength):
3315         (JSC::JSGenericTypedArrayView::byteSize):
3316         (JSC::JSGenericTypedArrayView::typedVector):
3317         (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
3318         (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
3319         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
3320         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
3321         (JSC::JSGenericTypedArrayView::getIndexQuickly):
3322         (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
3323         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
3324         (JSC::JSGenericTypedArrayView::setIndexQuickly):
3325         (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
3326         (JSC::JSGenericTypedArrayView::typedImpl):
3327         (JSC::JSGenericTypedArrayView::createStructure):
3328         (JSC::JSGenericTypedArrayView::info):
3329         (JSC::toNativeTypedView):
3330         * runtime/JSGenericTypedArrayViewConstructor.h: Added.
3331         * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
3332         (JSC::::JSGenericTypedArrayViewConstructor):
3333         (JSC::::finishCreation):
3334         (JSC::::create):
3335         (JSC::::createStructure):
3336         (JSC::constructGenericTypedArrayView):
3337         (JSC::::getConstructData):
3338         (JSC::::getCallData):
3339         * runtime/JSGenericTypedArrayViewInlines.h: Added.
3340         (JSC::::JSGenericTypedArrayView):
3341         (JSC::::create):
3342         (JSC::::createUninitialized):
3343         (JSC::::validateRange):
3344         (JSC::::setWithSpecificType):
3345         (JSC::::set):
3346         (JSC::::getOwnPropertySlot):
3347         (JSC::::getOwnPropertyDescriptor):
3348         (JSC::::put):
3349         (JSC::::defineOwnProperty):
3350         (JSC::::deleteProperty):
3351         (JSC::::getOwnPropertySlotByIndex):
3352         (JSC::::putByIndex):
3353         (JSC::::deletePropertyByIndex):
3354         (JSC::::getOwnNonIndexPropertyNames):