2013-08-29 Chris Curtis <chris_curtis@apple.com>

VM::throwException() crashes reproducibly in testapi with !ENABLE(JIT)
https://bugs.webkit.org/show_bug.cgi?id=120472

Reviewed by Filip Pizlo.

With the JIT disabled, interpreterThrowInCaller was attempting to throw an error,
but the topCallFrame was not set yet. By passing the error object into interpreterThrowInCaller
throwException can be called when topCallFrame is set.
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/CommonSlowPathsExceptions.cpp:
(JSC::CommonSlowPaths::interpreterThrowInCaller):
* runtime/CommonSlowPathsExceptions.h:

Renamed genericThrow -> genericUnwind, because this function no longer has the ability
to throw errors. It unwinds the stack in order to report them.
* dfg/DFGOperations.cpp:
* jit/JITExceptions.cpp:
* jit/JITExceptions.h:
* llint/LLIntExceptions.cpp:
(JSC::LLInt::doThrow):
2013-08-29 Commit Queue <commit-queue@webkit.org>

Unreviewed, rolling out r154804.
http://trac.webkit.org/changeset/154804
https://bugs.webkit.org/show_bug.cgi?id=120477

Broke Windows build (assumes LLInt features not enabled on
this build) (Requested by bfulgham on #webkit).

* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::linkIncomingCall):
(JSC::CodeBlock::unlinkIncomingCalls):
(JSC::CodeBlock::reoptimize):
(JSC::ProgramCodeBlock::replacement):
(JSC::EvalCodeBlock::replacement):
(JSC::FunctionCodeBlock::replacement):
(JSC::ProgramCodeBlock::compileOptimized):
(JSC::ProgramCodeBlock::replaceWithDeferredOptimizedCode):
(JSC::EvalCodeBlock::compileOptimized):
(JSC::EvalCodeBlock::replaceWithDeferredOptimizedCode):
(JSC::FunctionCodeBlock::compileOptimized):
(JSC::FunctionCodeBlock::replaceWithDeferredOptimizedCode):
(JSC::ProgramCodeBlock::jitCompileImpl):
(JSC::EvalCodeBlock::jitCompileImpl):
(JSC::FunctionCodeBlock::jitCompileImpl):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::jitType):
(JSC::CodeBlock::jitCompile):
* bytecode/DeferredCompilationCallback.cpp: Removed.
* bytecode/DeferredCompilationCallback.h: Removed.
(JSC::DFG::tryCompile):
(JSC::DFG::tryCompileFunction):
(JSC::DFG::tryFinalizePlan):
(JSC::DFG::tryCompile):
(JSC::DFG::tryCompileFunction):
(JSC::DFG::tryFinalizePlan):
* dfg/DFGFailedFinalizer.cpp:
(JSC::DFG::FailedFinalizer::finalize):
(JSC::DFG::FailedFinalizer::finalizeFunction):
* dfg/DFGFailedFinalizer.h:
* dfg/DFGJITFinalizer.cpp:
(JSC::DFG::JITFinalizer::finalize):
(JSC::DFG::JITFinalizer::finalizeFunction):
* dfg/DFGJITFinalizer.h:
* dfg/DFGOSRExitPreparation.cpp:
(JSC::DFG::prepareCodeOriginForOSRExit):
* dfg/DFGOperations.cpp:
(JSC::DFG::Plan::Plan):
(JSC::DFG::Plan::compileInThreadImpl):
(JSC::DFG::Plan::finalize):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGWorklist.cpp:
(JSC::DFG::Worklist::completeAllReadyPlansForVM):
(JSC::DFG::Worklist::runThread):
* ftl/FTLJITFinalizer.cpp:
(JSC::FTL::JITFinalizer::finalize):
(JSC::FTL::JITFinalizer::finalizeFunction):
* ftl/FTLJITFinalizer.h:
* interpreter/Interpreter.cpp:
(JSC::Interpreter::execute):
(JSC::Interpreter::executeCall):
(JSC::Interpreter::executeConstruct):
(JSC::Interpreter::prepareForRepeatCall):
* jit/JITDriver.h: Added.
(JSC::jitCompileIfAppropriateImpl):
(JSC::jitCompileFunctionIfAppropriateImpl):
(JSC::jitCompileIfAppropriate):
(JSC::jitCompileFunctionIfAppropriate):
(JSC::DEFINE_STUB_FUNCTION):
(JSC::jitCompileFor):
* jit/JITToDFGDeferredCompilationCallback.cpp: Removed.
* jit/JITToDFGDeferredCompilationCallback.h: Removed.
* llint/LLIntEntrypoints.cpp:
(JSC::LLInt::getFunctionEntrypoint):
(JSC::LLInt::getEvalEntrypoint):
(JSC::LLInt::getProgramEntrypoint):
* llint/LLIntEntrypoints.h:
(JSC::LLInt::getEntrypoint):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::jitCompileAndSetHeuristics):
(JSC::LLInt::setUpCall):
* runtime/ArrayPrototype.cpp:
(JSC::isNumericCompareFunction):
* runtime/CommonSlowPaths.cpp:
* runtime/CompilationResult.cpp:
(WTF::printInternal):
* runtime/CompilationResult.h:
* runtime/Executable.cpp:
(JSC::EvalExecutable::compileOptimized):
(JSC::EvalExecutable::jitCompile):
(JSC::EvalExecutable::compileInternal):
(JSC::EvalExecutable::replaceWithDeferredOptimizedCode):
(JSC::ProgramExecutable::compileOptimized):
(JSC::ProgramExecutable::jitCompile):
(JSC::ProgramExecutable::compileInternal):
(JSC::ProgramExecutable::replaceWithDeferredOptimizedCode):
(JSC::FunctionExecutable::compileOptimizedForCall):
(JSC::FunctionExecutable::compileOptimizedForConstruct):
(JSC::FunctionExecutable::jitCompileForCall):
(JSC::FunctionExecutable::jitCompileForConstruct):
(JSC::FunctionExecutable::produceCodeBlockFor):
(JSC::FunctionExecutable::compileForCallInternal):
(JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForCall):
(JSC::FunctionExecutable::compileForConstructInternal):
(JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForConstruct):
* runtime/Executable.h:
(JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor):
(JSC::ExecutableBase::offsetOfNumParametersFor):
(JSC::ExecutableBase::catchRoutineFor):
(JSC::EvalExecutable::compile):
(JSC::ProgramExecutable::compile):
(JSC::FunctionExecutable::compileForCall):
(JSC::FunctionExecutable::compileForConstruct):
(JSC::FunctionExecutable::compileFor):
(JSC::FunctionExecutable::compileOptimizedFor):
(JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeFor):
(JSC::FunctionExecutable::jitCompileFor):
* runtime/ExecutionHarness.h: Added.
(JSC::prepareForExecutionImpl):
(JSC::prepareFunctionForExecutionImpl):
(JSC::installOptimizedCode):
(JSC::prepareForExecution):
(JSC::prepareFunctionForExecution):
(JSC::replaceWithDeferredOptimizedCode):
2013-08-28 Filip Pizlo <fpizlo@apple.com>

CodeBlock compilation and installation should be simplified and rationalized
https://bugs.webkit.org/show_bug.cgi?id=120326

Reviewed by Oliver Hunt.

Previously Executable owned the code for generating JIT code; you always had
to go through Executable. But often you also had to go through CodeBlock,
because ScriptExecutable couldn't have virtual methods, but CodeBlock could.
So you'd ask CodeBlock to do something, which would dispatch through a
virtual method that would select the appropriate Executable subtype's method.
This all meant that the same code would often be duplicated, because most of
the work needed to compile something was identical regardless of code type.
But then we tried to fix this, by having templatized helpers in
ExecutionHarness.h and JITDriver.h. The result was that if you wanted to find
out what happened when you asked for something to be compiled, you'd go on a
wild ride that started with CodeBlock, touched upon Executable, and then
ricocheted into either ExecutionHarness or JITDriver (likely both).

Another awkwardness was that for concurrent compiles, the DFG::Worklist had
super-special inside knowledge of what JITStubs.cpp's cti_optimize would have
done once the compilation finished.

Also, most of the DFG JIT drivers assumed that they couldn't install the
JITCode into the CodeBlock directly - instead they would return it via a
reference, which happened to be a reference to the JITCode pointer in
Executable. This was super weird.

Finally, there was no notion of compiling code into a special CodeBlock that
wasn't used for handling calls into an Executable. I'd like this for FTL OSR

This patch solves these problems by reducing all of that complexity into just

- Executable::newCodeBlock(). This gives you a new code block, either for call
or for construct, and either to serve as the baseline code or the optimized
code. The new code block is then owned by the caller; Executable doesn't
register it anywhere. The new code block has no JITCode and isn't callable,
but it has all of the bytecode.

- CodeBlock::prepareForExecution(). This takes the CodeBlock's bytecode and
produces a JITCode, and then installs the JITCode into the CodeBlock. This
method takes a JITType, and always compiles with that JIT. If you ask for
JITCode::InterpreterThunk then you'll get JITCode that just points to the
LLInt entrypoints. Once this returns, it is possible to call into the
CodeBlock if you do so manually - but the Executable still won't know about
it so JS calls to that Executable will still be routed to whatever CodeBlock
is associated with the Executable.

- Executable::installCode(). This takes a CodeBlock and makes it the code-for-
entry for that Executable. This involves unlinking the Executable's last
CodeBlock, if there was one. This also tells the GC about any effect on
memory usage and does a bunch of weird data structure rewiring, since
Executable caches some of CodeBlock's fields for the benefit of virtual call

This functionality is then wrapped around three convenience methods:

- Executable::prepareForExecution(). If there is no code block for that
Executable, then one is created (newCodeBlock()), compiled
(CodeBlock::prepareForExecution()) and installed (installCode()).

- CodeBlock::newReplacement(). Asks the Executable for a new CodeBlock that
can serve as an optimized replacement of the current one.

- CodeBlock::install(). Asks the Executable to install this code block.

This patch allows me to kill *a lot* of code and to remove a lot of
specializations for functions vs. not-functions, and a lot of places where we
pass around JITCode references and such. ExecutionHarness and JITDriver are
both gone. Overall this patch has more red than green.

It also allows me to work on FTL OSR entry and tier-up:

- FTL tier-up: this will involve DFGOperations.cpp asking the DFG::Worklist
to do some compilation, but it will require the DFG::Worklist to do
something different than what JITStubs.cpp would want, once the compilation
finishes. This patch introduces a callback mechanism for that purpose.

- FTL OSR entry: this will involve creating a special auto-jettisoned
CodeBlock that is used only for FTL OSR entry. The new set of primitives
allows for this: Executable can vend you a fresh new CodeBlock, and you can
ask that CodeBlock to compile itself with any JIT of your choosing. Or you
can take that CodeBlock and compile it yourself. Previously the act of
producing a CodeBlock-for-optimization and the act of compiling code for it
were tightly coupled; now you can separate them and you can create such
auto-jettisoned CodeBlocks that are used for a one-shot OSR entry.

* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::prepareForExecution):
(JSC::CodeBlock::install):
(JSC::CodeBlock::newReplacement):
(JSC::FunctionCodeBlock::jettisonImpl):
(JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::hasBaselineJITProfiling):
* bytecode/DeferredCompilationCallback.cpp: Added.
(JSC::DeferredCompilationCallback::DeferredCompilationCallback):
(JSC::DeferredCompilationCallback::~DeferredCompilationCallback):
* bytecode/DeferredCompilationCallback.h: Added.
(JSC::DFG::tryCompile):
(JSC::DFG::tryCompile):
* dfg/DFGFailedFinalizer.cpp:
(JSC::DFG::FailedFinalizer::finalize):
(JSC::DFG::FailedFinalizer::finalizeFunction):
* dfg/DFGFailedFinalizer.h:
* dfg/DFGFinalizer.h:
* dfg/DFGJITFinalizer.cpp:
(JSC::DFG::JITFinalizer::finalize):
(JSC::DFG::JITFinalizer::finalizeFunction):
* dfg/DFGJITFinalizer.h:
* dfg/DFGOSRExitPreparation.cpp:
(JSC::DFG::prepareCodeOriginForOSRExit):
* dfg/DFGOperations.cpp:
(JSC::DFG::Plan::Plan):
(JSC::DFG::Plan::compileInThreadImpl):
(JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
(JSC::DFG::Plan::finalizeAndNotifyCallback):
* dfg/DFGWorklist.cpp:
(JSC::DFG::Worklist::completeAllReadyPlansForVM):
* ftl/FTLJITFinalizer.cpp:
(JSC::FTL::JITFinalizer::finalize):
(JSC::FTL::JITFinalizer::finalizeFunction):
* ftl/FTLJITFinalizer.h:
(JSC::Heap::isDeferred):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::execute):
(JSC::Interpreter::executeCall):
(JSC::Interpreter::executeConstruct):
(JSC::Interpreter::prepareForRepeatCall):
* jit/JITDriver.h: Removed.
(JSC::DEFINE_STUB_FUNCTION):
(JSC::jitCompileFor):
* jit/JITToDFGDeferredCompilationCallback.cpp: Added.
(JSC::JITToDFGDeferredCompilationCallback::JITToDFGDeferredCompilationCallback):
(JSC::JITToDFGDeferredCompilationCallback::~JITToDFGDeferredCompilationCallback):
(JSC::JITToDFGDeferredCompilationCallback::create):
(JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
* jit/JITToDFGDeferredCompilationCallback.h: Added.
* llint/LLIntEntrypoints.cpp:
(JSC::LLInt::setFunctionEntrypoint):
(JSC::LLInt::setEvalEntrypoint):
(JSC::LLInt::setProgramEntrypoint):
* llint/LLIntEntrypoints.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::jitCompileAndSetHeuristics):
(JSC::LLInt::setUpCall):
* runtime/ArrayPrototype.cpp:
(JSC::isNumericCompareFunction):
* runtime/CommonSlowPaths.cpp:
* runtime/CompilationResult.cpp:
(WTF::printInternal):
* runtime/CompilationResult.h:
* runtime/Executable.cpp:
(JSC::ScriptExecutable::installCode):
(JSC::ScriptExecutable::newCodeBlockFor):
(JSC::ScriptExecutable::newReplacementCodeBlockFor):
(JSC::ScriptExecutable::prepareForExecutionImpl):
* runtime/Executable.h:
(JSC::ScriptExecutable::prepareForExecution):
(JSC::FunctionExecutable::jettisonOptimizedCodeFor):
* runtime/ExecutionHarness.h: Removed.
2013-08-28 Chris Curtis <chris_curtis@apple.com>

https://bugs.webkit.org/show_bug.cgi?id=119548
Refactoring Exception throws.

Reviewed by Geoffrey Garen.

Gardening of exception throws. The act of throwing an exception was being handled in
different ways depending on whether the code was running in the LLInt, Baseline JIT,
or the DFG JIT. This made development in the VM exception and error objects difficult.

(JSC::appendSourceToError):
This function moved from the interpreter into the VM. It views the developer's code
(if there is a codeBlock) to extract what was trying to be evaluated when the error

(JSC::VM::throwException):
This function takes in the error object and sets the following:
1: The VM's exception stack
2: The VM's exception
3: Appends extra information on the error message (via appendSourceToError)
4: The error object's line number
5: The error object's column number
6: The error object's sourceURL
7: The error object's stack trace (unless it already exists because the developer
created the error object).

(JSC::VM::getExceptionInfo):
(JSC::VM::setExceptionInfo):
(JSC::VM::clearException):
(JSC::clearExceptionStack):
(JSC::VM::exceptionOffset):
(JSC::VM::exception):
(JSC::VM::addressOfException):
(JSC::VM::exceptionStack):
VM exception and exceptionStack are now private data members.

* interpreter/Interpreter.h:
(JSC::ClearExceptionScope::ClearExceptionScope):
Created this structure to temporarily clear the exception within the VM. This is
needed to see if additional errors occur when setting the debugger as we are

* interpreter/Interpreter.cpp:
(JSC::Interpreter::unwind):
Removed the code that would try to add error information if it did not exist.
All of this functionality has moved into the VM and all error information is set
at the time the error occurs.

The rest of these functions reference the new calling convention to throw an error.

* API/APICallbackFunction.h:
(JSC::APICallbackFunction::call):
* API/JSCallbackConstructor.cpp:
(JSC::constructJSCallback):
* API/JSCallbackObjectFunctions.h:
(JSC::::getOwnPropertySlot):
(JSC::::defaultValue):
(JSC::::deleteProperty):
(JSC::::customHasInstance):
(JSC::::getStaticValue):
(JSC::::staticFunctionGetter):
(JSC::::callbackGetter):
* debugger/Debugger.cpp:
(JSC::evaluateInGlobalCallFrame):
* debugger/DebuggerCallFrame.cpp:
(JSC::DebuggerCallFrame::evaluate):
* dfg/DFGAssemblyHelpers.h:
(JSC::DFG::AssemblyHelpers::emitExceptionCheck):
* dfg/DFGOperations.cpp:
(JSC::DFG::operationPutByValInternal):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::callCheck):
(JSC::Heap::markRoots):
* interpreter/CallFrame.h:
(JSC::ExecState::clearException):
(JSC::ExecState::exception):
(JSC::ExecState::hadException):
* interpreter/Interpreter.cpp:
(JSC::stackTraceAsString):
(JSC::Interpreter::execute):
(JSC::Interpreter::executeCall):
(JSC::Interpreter::executeConstruct):
(JSC::Interpreter::prepareForRepeatCall):
* interpreter/Interpreter.h:
(JSC::ClearExceptionScope::ClearExceptionScope):
(JSC::JITCode::execute):
* jit/JITExceptions.cpp:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_catch):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::privateCompileCTINativeCall):
(JSC::JIT::emit_op_catch):
(JSC::returnToThrowTrampoline):
(JSC::throwExceptionFromOpCall):
(JSC::DEFINE_STUB_FUNCTION):
(JSC::jitCompileFor):
(JSC::cti_vm_handle_exception):
* jit/SlowPathCall.h:
(JSC::JITSlowPathCall::call):
* jit/ThunkGenerators.cpp:
(JSC::nativeForGenerator):
(functionCheckSyntax):
* llint/LLIntExceptions.cpp:
(JSC::LLInt::doThrow):
(JSC::LLInt::returnToThrow):
(JSC::LLInt::callToThrow):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LowLevelInterpreter.cpp:
(JSC::CLoop::execute):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/ArrayConstructor.cpp:
(JSC::constructArrayWithSizeQuirk):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::opIn):
* runtime/CommonSlowPathsExceptions.cpp:
(JSC::CommonSlowPaths::interpreterThrowInCaller):
* runtime/Completion.cpp:
(JSC::throwTypeError):
(JSC::throwSyntaxError):
* runtime/ExceptionHelpers.cpp:
(JSC::throwOutOfMemoryError):
(JSC::throwStackOverflowError):
(JSC::throwTerminatedExecutionException):
* runtime/Executable.cpp:
(JSC::EvalExecutable::create):
(JSC::FunctionExecutable::produceCodeBlockFor):
* runtime/FunctionConstructor.cpp:
(JSC::constructFunction):
(JSC::constructFunctionSkippingEvalEnabledCheck):
* runtime/JSArray.cpp:
(JSC::JSArray::defineOwnProperty):
(JSC::JSArray::push):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::toObjectSlowCase):
(JSC::JSValue::synthesizePrototype):
(JSC::JSValue::putToPrimitive):
* runtime/JSFunction.cpp:
(JSC::JSFunction::defineOwnProperty):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::::createUninitialized):
(JSC::::validateRange):
(JSC::::setWithSpecificType):
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncProtoSetter):
* runtime/JSNameScope.cpp:
(JSC::JSNameScope::put):
* runtime/JSONObject.cpp:
(JSC::Stringifier::appendStringifiedValue):
* runtime/JSObject.cpp:
(JSC::JSObject::put):
(JSC::JSObject::defaultValue):
(JSC::JSObject::hasInstance):
(JSC::JSObject::defaultHasInstance):
(JSC::JSObject::defineOwnNonIndexProperty):
(JSC::throwTypeError):
* runtime/ObjectConstructor.cpp:
(JSC::toPropertyDescriptor):
* runtime/RegExpConstructor.cpp:
(JSC::constructRegExp):
* runtime/StringObject.cpp:
(JSC::StringObject::defineOwnProperty):
* runtime/StringRecursionChecker.cpp:
(JSC::StringRecursionChecker::throwStackOverflowError):
2013-08-28 Zan Dobersek <zdobersek@igalia.com>

[GTK] Add support for building JSC with FTL JIT enabled
https://bugs.webkit.org/show_bug.cgi?id=120270

Reviewed by Filip Pizlo.

* GNUmakefile.am: Add LLVM_LIBS to the list of linker flags and LLVM_CFLAGS to the list of
compiler flags for the JSC library.
* GNUmakefile.list.am: Add the missing build targets.
* ftl/FTLAbbreviations.h: Include the <cstring> header and use std::strlen. This avoids compilation
failures when using the Clang compiler with the libstdc++ standard library.
(JSC::FTL::mdKindID):
(JSC::FTL::mdString):
2013-08-23 Andy Estes <aestes@apple.com>

Fix issues found by the Clang Static Analyzer
https://bugs.webkit.org/show_bug.cgi?id=120230

Reviewed by Darin Adler.

(valueToString): Don't leak every CFStringRef when in Objective-C GC.
* API/ObjCCallbackFunction.mm:
(JSC::ObjCCallbackFunctionImpl::~ObjCCallbackFunctionImpl): Don't
release m_invocation's target since NSInvocation will do it for us on
(objCCallbackFunctionForBlock): Tell NSInvocation to retain its target
and -release our reference to the copied block.
* API/tests/minidom.c:
(createStringWithContentsOfFile): Free buffer before returning.
* API/tests/testapi.c:
(createStringWithContentsOfFile): Ditto.
2013-08-26 Brent Fulgham <bfulgham@apple.com>

[Windows] Unreviewed build fix after r154629.

* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing build files.
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2013-08-26 Ryosuke Niwa <rniwa@webkit.org>

Windows build fix attempt after r154629.

* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2013-08-25 Mark Hahnenberg <mhahnenberg@apple.com>

JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length of the ArrayStorage after possible reallocing it
https://bugs.webkit.org/show_bug.cgi?id=120278

Reviewed by Geoffrey Garen.

* runtime/JSObject.cpp:
(JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
2013-08-26 Filip Pizlo <fpizlo@apple.com>

Fix indentation of Executable.h.

Rubber stamped by Mark Hahnenberg.

* runtime/Executable.h:
2013-08-26 Mark Hahnenberg <mhahnenberg@apple.com>

Object.defineProperty should be able to create a PropertyDescriptor where m_attributes == 0
https://bugs.webkit.org/show_bug.cgi?id=120314

Reviewed by Darin Adler.

Currently with the way that defineProperty works, we leave a stray low bit set in
PropertyDescriptor::m_attributes in the following code:

Object.defineProperty(o, 100, {writable:true, enumerable:true, configurable:true, value:"foo"});

This is due to the fact that the lowest non-zero attribute (ReadOnly) is represented as 1 << 1
instead of 1 << 0. We then calculate the default attributes as (DontDelete << 1) - 1, which is 0xF,
but only the top three bits mean anything. Even in the case above, the top three bits are set
to 0 but the bottom bit remains set, which causes us to think m_attributes is non-zero.

Since some of these attributes and their corresponding values are exposed in the JavaScriptCore
framework's public C API, it's safer to just change how we calculate the default value, which is
where the weirdness was originating from in the first place.

* runtime/PropertyDescriptor.cpp:
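Worked example, added here and not part of the ChangeLog or of JavaScriptCore's sources: a constructed model of the attribute bits and of how a descriptor is folded into m_attributes, showing why the old (DontDelete << 1) - 1 default leaves bit 0 set for the fully permissive descriptor quoted above and why a default spelled as ReadOnly | DontEnum | DontDelete does not. The enum values and attributesFor() are assumptions for this example, not JSC's real header or PropertyDescriptor.

```cpp
#include <cstdio>

// Attribute bits laid out as the ChangeLog describes them: the lowest
// non-zero attribute (ReadOnly) is 1 << 1, not 1 << 0, and DontDelete is
// the highest of the three bits a property descriptor controls.
// Constructed model for this example, not JSC's real header.
enum PropertyAttribute : unsigned {
    None       = 0,
    ReadOnly   = 1 << 1,  // set when the descriptor says writable:false
    DontEnum   = 1 << 2,  // set when the descriptor says enumerable:false
    DontDelete = 1 << 3,  // set when the descriptor says configurable:false
};

// The pre-fix default, (DontDelete << 1) - 1 == 0xF: bit 0 is set although
// no attribute ever uses it, so no descriptor field can ever clear it.
constexpr unsigned oldDefaultAttributes() { return (DontDelete << 1) - 1; }

// The fixed default names only the bits that mean something, so a fully
// permissive descriptor ends up with m_attributes == 0.
constexpr unsigned newDefaultAttributes() { return ReadOnly | DontEnum | DontDelete; }

// Simplified model (an assumption of this example) of how a descriptor's
// writable/enumerable/configurable fields are folded into m_attributes:
// start from the default and clear the bit for every field set to true.
unsigned attributesFor(unsigned defaultAttributes, bool writable, bool enumerable, bool configurable) {
    unsigned attributes = defaultAttributes;
    if (writable)
        attributes &= ~static_cast<unsigned>(ReadOnly);
    if (enumerable)
        attributes &= ~static_cast<unsigned>(DontEnum);
    if (configurable)
        attributes &= ~static_cast<unsigned>(DontDelete);
    return attributes;
}

// The descriptor from the ChangeLog's example:
// Object.defineProperty(o, 100, {writable:true, enumerable:true, configurable:true, value:"foo"});
unsigned fullyPermissive(unsigned defaultAttributes) {
    return attributesFor(defaultAttributes, true, true, true);
}

int main() {
    std::printf("old default 0x%x -> m_attributes 0x%x (stray low bit)\n",
                oldDefaultAttributes(), fullyPermissive(oldDefaultAttributes()));
    std::printf("new default 0x%x -> m_attributes 0x%x\n",
                newDefaultAttributes(), fullyPermissive(newDefaultAttributes()));
    return 0;
}
```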
2013-08-24 Sam Weinig <sam@webkit.org>

Add support for Promises
https://bugs.webkit.org/show_bug.cgi?id=120260

Reviewed by Darin Adler.

Add an initial implementation of Promises - http://dom.spec.whatwg.org/#promises.
- Despite Promises being defined in the DOM, the implementation is being put in JSC
in preparation for the Promises eventually being defined in ECMAScript.

* DerivedSources.make:
* DerivedSources.pri:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:

Update jsc's GlobalObjectMethodTable to stub out the new QueueTaskToEventLoop callback. This means
you can't quite use Promises with the command line tool yet.

* interpreter/CallFrame.h:
(JSC::ExecState::promisePrototypeTable):
(JSC::ExecState::promiseConstructorTable):
(JSC::ExecState::promiseResolverPrototypeTable):
Add supporting code for the new static lookup tables.

* runtime/CommonIdentifiers.h:
Add 3 new identifiers, "Promise", "PromiseResolver", and "then".

* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::reset):
(JSC::JSGlobalObject::visitChildren):
Add supporting code for Promise and PromiseResolver's constructors and structures.

* runtime/JSGlobalObject.h:
(JSC::TaskContext::~TaskContext):
Add a new callback to the GlobalObjectMethodTable to post a task on the embedder's runloop.

(JSC::JSGlobalObject::promisePrototype):
(JSC::JSGlobalObject::promiseResolverPrototype):
(JSC::JSGlobalObject::promiseStructure):
(JSC::JSGlobalObject::promiseResolverStructure):
(JSC::JSGlobalObject::promiseCallbackStructure):
(JSC::JSGlobalObject::promiseWrapperCallbackStructure):
Add supporting code for Promise and PromiseResolver's constructors and structures.

* runtime/JSPromise.cpp: Added.
* runtime/JSPromise.h: Added.
* runtime/JSPromiseCallback.cpp: Added.
* runtime/JSPromiseCallback.h: Added.
* runtime/JSPromiseConstructor.cpp: Added.
* runtime/JSPromiseConstructor.h: Added.
* runtime/JSPromisePrototype.cpp: Added.
* runtime/JSPromisePrototype.h: Added.
* runtime/JSPromiseResolver.cpp: Added.
* runtime/JSPromiseResolver.h: Added.
* runtime/JSPromiseResolverConstructor.cpp: Added.
* runtime/JSPromiseResolverConstructor.h: Added.
* runtime/JSPromiseResolverPrototype.cpp: Added.
* runtime/JSPromiseResolverPrototype.h: Added.
Add Promise implementation.
2013-08-26 Zan Dobersek <zdobersek@igalia.com>

Plenty of -Wcast-align warnings in KeywordLookup.h
https://bugs.webkit.org/show_bug.cgi?id=120316

Reviewed by Darin Adler.

* KeywordLookupGenerator.py: Use reinterpret_cast instead of a C-style cast when casting
the character pointers to types of larger size. This avoids spewing lots of warnings
in the KeywordLookup.h header when compiling with the -Wcast-align option.
2013-08-26 Gavin Barraclough <barraclough@apple.com>

RegExpMatchesArray should not call [[put]]
https://bugs.webkit.org/show_bug.cgi?id=120317

Reviewed by Oliver Hunt.

This will call accessors on the JSObject/JSArray prototypes - so adding an accessor or read-only
property called index or input to either of these prototypes will result in broken behavior.

* runtime/RegExpMatchesArray.cpp:
(JSC::RegExpMatchesArray::reifyAllProperties):
2013-08-24 Filip Pizlo <fpizlo@apple.com>

FloatTypedArrayAdaptor::toJSValue should almost certainly not use jsNumber() since that attempts int conversions
https://bugs.webkit.org/show_bug.cgi?id=120228

Reviewed by Oliver Hunt.

It turns out that there were three problems:

- Using jsNumber() meant that we were converting doubles to integers and then
possibly back again whenever doing a set() between floating point arrays.

- Slow-path accesses to double typed arrays were slower than necessary because
of the to-int conversion attempt.

- The use of JSValue as an intermediate for converting between different types
in typedArray.set() resulted in worse code than I had previously expected.

This patch solves the problem by using template double-dispatch to ensure that
the C++ compiler sees the simplest possible combination of casts between any
combination of typed array types, while still preserving JS and typed array
conversion semantics. Conversions are done as follows:

SourceAdaptor::convertTo<TargetAdaptor>(value)

Internally, convertTo() calls one of three possible methods on TargetAdaptor,
with one method for each of int32_t, uint32_t, and double. This means that the
C++ compiler will at worst see a widening cast to one of those types followed
by a narrowing conversion (not necessarily a cast - may have clamping or the
JS toInt32() function).

This change doesn't just affect typedArray.set(); it also affects slow-path
accesses to typed arrays as well. This patch also adds a bunch of new test

This change is a ~50% speed-up on typedArray.set() involving floating point

* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* runtime/GenericTypedArrayView.h:
(JSC::GenericTypedArrayView::set):
* runtime/JSDataViewPrototype.cpp:
* runtime/JSGenericTypedArrayView.h:
(JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
(JSC::JSGenericTypedArrayView::setIndexQuickly):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::::setWithSpecificType):
* runtime/ToNativeFromValue.h: Added.
(JSC::toNativeFromValue):
* runtime/TypedArrayAdaptors.h:
(JSC::IntegralTypedArrayAdaptor::toJSValue):
(JSC::IntegralTypedArrayAdaptor::toDouble):
(JSC::IntegralTypedArrayAdaptor::toNativeFromInt32):
(JSC::IntegralTypedArrayAdaptor::toNativeFromUint32):
(JSC::IntegralTypedArrayAdaptor::toNativeFromDouble):
(JSC::IntegralTypedArrayAdaptor::convertTo):
(JSC::FloatTypedArrayAdaptor::toJSValue):
(JSC::FloatTypedArrayAdaptor::toDouble):
(JSC::FloatTypedArrayAdaptor::toNativeFromInt32):
(JSC::FloatTypedArrayAdaptor::toNativeFromUint32):
(JSC::FloatTypedArrayAdaptor::toNativeFromDouble):
(JSC::FloatTypedArrayAdaptor::convertTo):
(JSC::Uint8ClampedAdaptor::toJSValue):
(JSC::Uint8ClampedAdaptor::toDouble):
(JSC::Uint8ClampedAdaptor::toNativeFromInt32):
(JSC::Uint8ClampedAdaptor::toNativeFromUint32):
(JSC::Uint8ClampedAdaptor::toNativeFromDouble):
(JSC::Uint8ClampedAdaptor::convertTo):
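Worked example, added here and not part of the ChangeLog or of JavaScriptCore's sources: a cut-down model of the SourceAdaptor::convertTo<TargetAdaptor>(value) double dispatch described above. IntegralAdaptor, FloatAdaptor, Uint8ClampedAdaptor, jsToInt32, jsToUint8Clamp and convertingSet are assumed simplified stand-ins for the TypedArrayAdaptors.h types (the real adaptors also carry toJSValue/toDouble and a JSValue path not modelled here); it goes beyond the commit text by carrying conversions through ECMAScript's ToInt32 and ToUint8Clamp rules, so a float-to-Int8 set() wraps modulo 2^8 while a float-to-Uint8Clamped set() clamps and rounds ties to even.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <limits>

// ECMAScript ToInt32 for a double: NaN and infinities become 0; everything
// else is truncated and wrapped modulo 2^32 into the signed 32-bit range.
int32_t jsToInt32(double d) {
    if (!std::isfinite(d))
        return 0;
    double m = std::fmod(std::trunc(d), 4294967296.0); // in (-2^32, 2^32)
    if (m < 0)
        m += 4294967296.0;
    uint32_t bits = static_cast<uint32_t>(m);
    int32_t result;
    std::memcpy(&result, &bits, sizeof result);       // two's-complement reinterpretation
    return result;
}

// ECMAScript ToUint8Clamp: NaN -> 0, clamp to [0, 255], ties round to even.
uint8_t jsToUint8Clamp(double d) {
    if (std::isnan(d) || d <= 0)
        return 0;
    if (d >= 255)
        return 255;
    double f = std::floor(d);
    if (f + 0.5 < d)
        return static_cast<uint8_t>(f + 1);
    if (d < f + 0.5)
        return static_cast<uint8_t>(f);
    return static_cast<uint8_t>(static_cast<int>(f) % 2 ? f + 1 : f);
}

// Each adaptor exposes the three narrowing entry points the ChangeLog names
// (toNativeFromInt32/Uint32/Double) plus a convertTo<Target> that performs
// the one widening cast appropriate for its own element type.
template<typename T> struct IntegralAdaptor {
    typedef T Type;
    static T toNativeFromInt32(int32_t v) { return static_cast<T>(v); }   // modular wrap
    static T toNativeFromUint32(uint32_t v) { return static_cast<T>(v); } // modular wrap
    static T toNativeFromDouble(double v) { return static_cast<T>(jsToInt32(v)); }
    template<typename Target> static typename Target::Type convertTo(T value) {
        if (std::numeric_limits<T>::is_signed)
            return Target::toNativeFromInt32(static_cast<int32_t>(value));
        return Target::toNativeFromUint32(static_cast<uint32_t>(value));
    }
};

template<typename T> struct FloatAdaptor {
    typedef T Type;
    static T toNativeFromInt32(int32_t v) { return static_cast<T>(v); }
    static T toNativeFromUint32(uint32_t v) { return static_cast<T>(v); }
    static T toNativeFromDouble(double v) { return static_cast<T>(v); }
    // Float sources widen to double and never detour through an integer,
    // which is the detour jsNumber() used to introduce.
    template<typename Target> static typename Target::Type convertTo(T value) {
        return Target::toNativeFromDouble(static_cast<double>(value));
    }
};

struct Uint8ClampedAdaptor {
    typedef uint8_t Type;
    static uint8_t toNativeFromInt32(int32_t v) { return v < 0 ? 0 : v > 255 ? 255 : static_cast<uint8_t>(v); }
    static uint8_t toNativeFromUint32(uint32_t v) { return v > 255 ? 255 : static_cast<uint8_t>(v); }
    static uint8_t toNativeFromDouble(double v) { return jsToUint8Clamp(v); }
    template<typename Target> static typename Target::Type convertTo(uint8_t value) {
        return Target::toNativeFromUint32(value);
    }
};

typedef IntegralAdaptor<int8_t> Int8Adaptor;
typedef IntegralAdaptor<uint32_t> Uint32Adaptor;
typedef FloatAdaptor<float> Float32Adaptor;
typedef FloatAdaptor<double> Float64Adaptor;

// The shape of a typedArray.set() slow path between two view types: one
// Source -> Target conversion per element, with no JSValue in between.
template<typename Source, typename Target>
void convertingSet(const typename Source::Type* src, typename Target::Type* dst, size_t length) {
    for (size_t i = 0; i < length; ++i)
        dst[i] = Source::template convertTo<Target>(src[i]);
}

int main() {
    const float src[3] = { 1.5f, -2.5f, 300.0f };  // constructed sample input
    int8_t asInt8[3];
    uint8_t asClamped[3];
    convertingSet<Float32Adaptor, Int8Adaptor>(src, asInt8, 3);
    convertingSet<Float32Adaptor, Uint8ClampedAdaptor>(src, asClamped, 3);
    for (int i = 0; i < 3; ++i)
        std::printf("%g -> int8 %d, uint8clamped %u\n", src[i], asInt8[i], asClamped[i]);
    return 0;
}
```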
2013-08-24 Dan Bernstein <mitz@apple.com>

[mac] link against libz in a more civilized manner
https://bugs.webkit.org/show_bug.cgi?id=120258

Reviewed by Darin Adler.

* Configurations/JavaScriptCore.xcconfig: Removed “-lz” from OTHER_LDFLAGS_BASE.
* JavaScriptCore.xcodeproj/project.pbxproj: Added libz.dylib to the JavaScriptCore target’s
Link Binary With Libraries build phase.
2013-08-23 Laszlo Papp <lpapp@kde.org>

Failure building with python3
https://bugs.webkit.org/show_bug.cgi?id=106645

Reviewed by Benjamin Poulain.

Use print functions instead of python statements to be compatible with python 3.X and 2.7 as well.
Archlinux has been using python3 and that is what causes issues while packaging QtWebKit along with Qt5.

* disassembler/udis86/itab.py:
(UdItabGenerator.genInsnTable):
* disassembler/udis86/ud_opcode.py:
(UdOpcodeTables.print_table):
* disassembler/udis86/ud_optable.py:
(UdOptableXmlParser.parseDef):
(UdOptableXmlParser.parse):
831 2013-08-23 Filip Pizlo <fpizlo@apple.com>
833 Incorrect TypedArray#set behavior
834 https://bugs.webkit.org/show_bug.cgi?id=83818
836 Reviewed by Oliver Hunt and Mark Hahnenberg.
838 This was so much fun! typedArray.set() is like a memmove on steroids, and I'm
839 not smart enough to figure out optimal versions for *all* of the cases. But I
840 did come up with optimal implementations for most of the cases, and I wrote
841 spec-literal code (i.e. copy via a transfer buffer) for the cases I'm not smart
842 enough to write optimal code for.
844 * runtime/JSArrayBufferView.h:
845 (JSC::JSArrayBufferView::hasArrayBuffer):
846 * runtime/JSArrayBufferViewInlines.h:
847 (JSC::JSArrayBufferView::buffer):
848 (JSC::JSArrayBufferView::existingBufferInButterfly):
849 (JSC::JSArrayBufferView::neuter):
850 (JSC::JSArrayBufferView::byteOffset):
851 * runtime/JSGenericTypedArrayView.h:
852 * runtime/JSGenericTypedArrayViewInlines.h:
853 (JSC::::setWithSpecificType):
855 (JSC::::existingBuffer):
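The "spec-literal" strategy this entry mentions, copying through a transfer buffer, is what keeps typedArray.set() correct when source and target views overlap the same ArrayBuffer. The following is an added example, not JavaScriptCore code: it contrasts a transfer-buffer implementation with a naive forward copy on a constructed overlapping case (the names specSet, naiveSet and overlapDemo are made up here).

```javascript
// Reference implementation of typedArray.set() done the spec-literal way:
// read every source element into a transfer buffer before writing any target
// element, so an overlapping target never observes its own partial writes.
// Added example; not JavaScriptCore's implementation.
function specSet(target, source, offset = 0) {
  if (offset < 0 || offset + source.length > target.length) {
    throw new RangeError('source does not fit in target at offset ' + offset);
  }
  // Transfer buffer: a plain array snapshot of the source values.
  const transfer = Array.from(source);
  for (let i = 0; i < transfer.length; i++) {
    // Element assignment applies the target's conversion (e.g. mod 2^8 for Uint8).
    target[offset + i] = transfer[i];
  }
  return target;
}

// Forward in-place copy with no transfer buffer: wrong once the views overlap,
// because later reads see bytes that earlier iterations already overwrote.
function naiveSet(target, source, offset = 0) {
  for (let i = 0; i < source.length; i++) target[offset + i] = source[i];
  return target;
}

// Constructed scenario: two Uint8Array views on one 8-byte ArrayBuffer, the
// target starting 2 bytes after the source so the ranges overlap.
// Returns the final buffer contents so the strategies can be compared.
function overlapDemo(impl) {
  const buf = new ArrayBuffer(8);
  const bytes = new Uint8Array(buf);
  bytes.set([1, 2, 3, 4, 5, 6, 7, 8]);
  const source = new Uint8Array(buf, 0, 6); // bytes 0..5
  const target = new Uint8Array(buf, 2, 6); // bytes 2..7
  impl(target, source);
  return Array.from(bytes);
}

// Wrapper around the engine's own set(), to check it against specSet.
function builtinSet(target, source, offset = 0) {
  target.set(source, offset);
  return target;
}

// Expected: specSet and builtinSet give [1,2,1,2,3,4,5,6];
// naiveSet gives [1,2,1,2,1,2,1,2].
```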
857 2013-08-23 Alex Christensen <achristensen@apple.com>
859 Re-separating Win32 and Win64 builds.
860 https://bugs.webkit.org/show_bug.cgi?id=120178
862 Reviewed by Brent Fulgham.
864 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
865 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
866 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
867 Pass PlatformArchitecture as a command line parameter to bash scripts.
868 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
869 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
870 * JavaScriptCore.vcxproj/build-generated-files.sh:
871 Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).
873 2013-08-22 Filip Pizlo <fpizlo@apple.com>
875 build-jsc --ftl-jit should work
876 https://bugs.webkit.org/show_bug.cgi?id=120194
878 Reviewed by Oliver Hunt.
880 * Configurations/Base.xcconfig: CPPFLAGS should include FEATURE_DEFINES
881 * Configurations/JSC.xcconfig: The 'jsc' tool includes headers where field layout may depend on FEATURE_DEFINES
882 * Configurations/ToolExecutable.xcconfig: All other tools include headers where field layout may depend on FEATURE_DEFINES
883 * ftl/FTLLowerDFGToLLVM.cpp: Build fix
884 (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
885 (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
887 2013-08-23 Oliver Hunt <oliver@apple.com>
889 Re-sort xcode project file
891 * JavaScriptCore.xcodeproj/project.pbxproj:
893 2013-08-23 Oliver Hunt <oliver@apple.com>
895 Support in memory compression of rarely used data
896 https://bugs.webkit.org/show_bug.cgi?id=120143
898 Reviewed by Gavin Barraclough.
900 Include zlib in LD_FLAGS and make UnlinkedCodeBlock make use of CompressibleVector. This saves ~200k on google maps.
902 * Configurations/JavaScriptCore.xcconfig:
903 * bytecode/UnlinkedCodeBlock.cpp:
904 (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset):
905 (JSC::UnlinkedCodeBlock::addExpressionInfo):
906 * bytecode/UnlinkedCodeBlock.h:
908 2013-08-22 Mark Hahnenberg <mhahnenberg@apple.com>
910 JSObject and JSArray code shouldn't have to tiptoe around garbage collection
911 https://bugs.webkit.org/show_bug.cgi?id=120179
913 Reviewed by Geoffrey Garen.
915 There are many places in the code for JSObject and JSArray where they are manipulating their
916 Butterfly/Structure, e.g. after expanding their out-of-line backing storage via allocating. Within
917 these places there are certain "critical sections" where a GC would be disastrous. Gen GC looks
918 like it will make this dance even more intricate. To make everybody's lives easier we should use
919 the DeferGC mechanism in these functions to make these GC critical sections both obvious in the
920 code and trivially safe. Deferring collections will usually only last marginally longer, thus we
921 should not incur any additional overhead.
924 * runtime/JSArray.cpp:
925 (JSC::JSArray::unshiftCountSlowCase):
926 * runtime/JSObject.cpp:
927 (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
928 (JSC::JSObject::createInitialUndecided):
929 (JSC::JSObject::createInitialInt32):
930 (JSC::JSObject::createInitialDouble):
931 (JSC::JSObject::createInitialContiguous):
932 (JSC::JSObject::createArrayStorage):
933 (JSC::JSObject::convertUndecidedToArrayStorage):
934 (JSC::JSObject::convertInt32ToArrayStorage):
935 (JSC::JSObject::convertDoubleToArrayStorage):
936 (JSC::JSObject::convertContiguousToArrayStorage):
937 (JSC::JSObject::increaseVectorLength):
938 (JSC::JSObject::ensureLengthSlow):
939 * runtime/JSObject.h:
940 (JSC::JSObject::putDirectInternal):
941 (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
942 (JSC::JSObject::putDirectWithoutTransition):
944 2013-08-22 Filip Pizlo <fpizlo@apple.com>
946 Update LLVM binary drops and scripts to the latest version from SVN
947 https://bugs.webkit.org/show_bug.cgi?id=120184
949 Reviewed by Mark Hahnenberg.
952 (JSC::DFG::Plan::compileInThreadImpl):
954 2013-08-22 Gavin Barraclough <barraclough@apple.com>
956 Don't leak registers for redeclared variables
957 https://bugs.webkit.org/show_bug.cgi?id=120174
959 Reviewed by Geoff Garen.
961 We currently always allocate registers for new global variables, but these are wasted when the variable is being redeclared.
962 Only allocate new registers when necessary.
964 No performance impact.
966 * interpreter/Interpreter.cpp:
967 (JSC::Interpreter::execute):
968 * runtime/Executable.cpp:
969 (JSC::ProgramExecutable::initializeGlobalProperties):
970 - Don't allocate the register here.
971 * runtime/JSGlobalObject.cpp:
972 (JSC::JSGlobalObject::addGlobalVar):
973 - Allocate the register here instead.
975 2013-08-22 Gavin Barraclough <barraclough@apple.com>
977 https://bugs.webkit.org/show_bug.cgi?id=120128
978 Remove putDirectVirtual
980 Unreviewed, checked in commented out code. :-(
982 * interpreter/Interpreter.cpp:
983 (JSC::Interpreter::execute):
984 - delete commented out code
986 2013-08-22 Gavin Barraclough <barraclough@apple.com>
988 Error.stack should not be enumerable
989 https://bugs.webkit.org/show_bug.cgi?id=120171
991 Reviewed by Oliver Hunt.
995 * runtime/ErrorInstance.cpp:
996 (JSC::ErrorInstance::finishCreation):
999 2013-08-21 Gavin Barraclough <barraclough@apple.com>
1001 https://bugs.webkit.org/show_bug.cgi?id=120128
1002 Remove putDirectVirtual
1004 Reviewed by Sam Weinig.
1006 This could most generously be described as 'vestigial'.
1007 No performance impact.
1009 * API/JSObjectRef.cpp:
1010 (JSObjectSetProperty):
1011 - changed to use defineOwnProperty
1012 * debugger/DebuggerActivation.cpp:
1013 * debugger/DebuggerActivation.h:
1014 - remove putDirectVirtual
1015 * interpreter/Interpreter.cpp:
1016 (JSC::Interpreter::execute):
1017 - changed to use defineOwnProperty
1018 * runtime/ClassInfo.h:
1019 * runtime/JSActivation.cpp:
1020 * runtime/JSActivation.h:
1021 * runtime/JSCell.cpp:
1023 * runtime/JSGlobalObject.cpp:
1024 * runtime/JSGlobalObject.h:
1025 * runtime/JSObject.cpp:
1026 * runtime/JSObject.h:
1027 * runtime/JSProxy.cpp:
1028 * runtime/JSProxy.h:
1029 * runtime/JSSymbolTableObject.cpp:
1030 * runtime/JSSymbolTableObject.h:
1031 - remove putDirectVirtual
1032 * runtime/PropertyDescriptor.h:
1033 (JSC::PropertyDescriptor::PropertyDescriptor):
1034 - added constructor for convenience
1036 2013-08-22 Chris Curtis <chris_curtis@apple.com>
1038 errorDescriptionForValue() should not assume error value is an Object
1039 https://bugs.webkit.org/show_bug.cgi?id=119812
1041 Reviewed by Geoffrey Garen.
1043 Added a check to make sure that the JSValue was an object before casting it as an object. Also, in case the parameterized JSValue
1044 has no type, the function now returns the empty string.
1045 * runtime/ExceptionHelpers.cpp:
1046 (JSC::errorDescriptionForValue):
1048 2013-08-22 Julien Brianceau <jbrianceau@nds.com>
1050 Fix P_DFGOperation_EJS call for MIPS and ARM EABI.
1051 https://bugs.webkit.org/show_bug.cgi?id=120107
1053 Reviewed by Yong Li.
1055 EncodedJSValue parameters must be aligned to even registers for MIPS and ARM EABI.
1057 * dfg/DFGSpeculativeJIT.h:
1058 (JSC::DFG::SpeculativeJIT::callOperation):
1060 2013-08-21 Commit Queue <commit-queue@webkit.org>
1062 Unreviewed, rolling out r154416.
1063 http://trac.webkit.org/changeset/154416
1064 https://bugs.webkit.org/show_bug.cgi?id=120147
1066 Broke Windows builds (Requested by rniwa on #webkit).
1068 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1069 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1070 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
1071 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1072 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
1073 * JavaScriptCore.vcxproj/build-generated-files.sh:
1075 2013-08-21 Gavin Barraclough <barraclough@apple.com>
1077 Clarify var/const/function declaration
1078 https://bugs.webkit.org/show_bug.cgi?id=120144
1080 Reviewed by Sam Weinig.
1082 Add methods to JSGlobalObject to declare vars, consts, and functions.
1084 * runtime/Executable.cpp:
1085 (JSC::ProgramExecutable::initializeGlobalProperties):
1086 * runtime/Executable.h:
1087 - Moved declaration code to JSGlobalObject
1088 * runtime/JSGlobalObject.cpp:
1089 (JSC::JSGlobalObject::addGlobalVar):
1090 - internal implementation of addVar, addConst, addFunction
1091 * runtime/JSGlobalObject.h:
1092 (JSC::JSGlobalObject::addVar):
1093 (JSC::JSGlobalObject::addConst):
1094 (JSC::JSGlobalObject::addFunction):
1095 - Added methods to declare vars, consts, and functions
1097 2013-08-21 Yi Shen <max.hong.shen@gmail.com>
1099 https://bugs.webkit.org/show_bug.cgi?id=119900
1100 Exception in global setter doesn't unwind correctly
1102 Reviewed by Geoffrey Garen.
1104 Call VM_THROW_EXCEPTION_AT_END in op_put_to_scope if the setter throws exception.
1107 (JSC::DEFINE_STUB_FUNCTION):
1109 2013-08-21 Mark Hahnenberg <mhahnenberg@apple.com>
1111 Rename/refactor setButterfly/setStructure
1112 https://bugs.webkit.org/show_bug.cgi?id=120138
1114 Reviewed by Geoffrey Garen.
1116 setButterfly becomes setStructureAndButterfly.
1118 Also removed the Butterfly* argument from setStructure and just implicitly
1119 used m_butterfly internally since that's what every single client of setStructure
1123 (JSC::DEFINE_STUB_FUNCTION):
1124 * runtime/JSObject.cpp:
1125 (JSC::JSObject::notifyPresenceOfIndexedAccessors):
1126 (JSC::JSObject::createInitialUndecided):
1127 (JSC::JSObject::createInitialInt32):
1128 (JSC::JSObject::createInitialDouble):
1129 (JSC::JSObject::createInitialContiguous):
1130 (JSC::JSObject::createArrayStorage):
1131 (JSC::JSObject::convertUndecidedToInt32):
1132 (JSC::JSObject::convertUndecidedToDouble):
1133 (JSC::JSObject::convertUndecidedToContiguous):
1134 (JSC::JSObject::convertUndecidedToArrayStorage):
1135 (JSC::JSObject::convertInt32ToDouble):
1136 (JSC::JSObject::convertInt32ToContiguous):
1137 (JSC::JSObject::convertInt32ToArrayStorage):
1138 (JSC::JSObject::genericConvertDoubleToContiguous):
1139 (JSC::JSObject::convertDoubleToArrayStorage):
1140 (JSC::JSObject::convertContiguousToArrayStorage):
1141 (JSC::JSObject::switchToSlowPutArrayStorage):
1142 (JSC::JSObject::setPrototype):
1143 (JSC::JSObject::putDirectAccessor):
1144 (JSC::JSObject::seal):
1145 (JSC::JSObject::freeze):
1146 (JSC::JSObject::preventExtensions):
1147 (JSC::JSObject::reifyStaticFunctionsForDelete):
1148 (JSC::JSObject::removeDirect):
1149 * runtime/JSObject.h:
1150 (JSC::JSObject::setStructureAndButterfly):
1151 (JSC::JSObject::setStructure):
1152 (JSC::JSObject::putDirectInternal):
1153 (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
1154 (JSC::JSObject::putDirectWithoutTransition):
1155 * runtime/Structure.cpp:
1156 (JSC::Structure::flattenDictionaryStructure):
1158 2013-08-21 Gavin Barraclough <barraclough@apple.com>
1160 https://bugs.webkit.org/show_bug.cgi?id=120127
1161 Remove JSObject::propertyIsEnumerable
1165 * runtime/JSObject.h:
1168 2013-08-21 Gavin Barraclough <barraclough@apple.com>
1170 https://bugs.webkit.org/show_bug.cgi?id=120139
1171 PropertyDescriptor argument to define methods should be const
1173 Rubber stamped by Sam Weinig.
1175 This should never be modified, and this way we can use rvalues.
1177 * debugger/DebuggerActivation.cpp:
1178 (JSC::DebuggerActivation::defineOwnProperty):
1179 * debugger/DebuggerActivation.h:
1180 * runtime/Arguments.cpp:
1181 (JSC::Arguments::defineOwnProperty):
1182 * runtime/Arguments.h:
1183 * runtime/ClassInfo.h:
1184 * runtime/JSArray.cpp:
1185 (JSC::JSArray::defineOwnProperty):
1186 * runtime/JSArray.h:
1187 * runtime/JSArrayBuffer.cpp:
1188 (JSC::JSArrayBuffer::defineOwnProperty):
1189 * runtime/JSArrayBuffer.h:
1190 * runtime/JSArrayBufferView.cpp:
1191 (JSC::JSArrayBufferView::defineOwnProperty):
1192 * runtime/JSArrayBufferView.h:
1193 * runtime/JSCell.cpp:
1194 (JSC::JSCell::defineOwnProperty):
1196 * runtime/JSFunction.cpp:
1197 (JSC::JSFunction::defineOwnProperty):
1198 * runtime/JSFunction.h:
1199 * runtime/JSGenericTypedArrayView.h:
1200 * runtime/JSGenericTypedArrayViewInlines.h:
1201 (JSC::::defineOwnProperty):
1202 * runtime/JSGlobalObject.cpp:
1203 (JSC::JSGlobalObject::defineOwnProperty):
1204 * runtime/JSGlobalObject.h:
1205 * runtime/JSObject.cpp:
1206 (JSC::JSObject::putIndexedDescriptor):
1207 (JSC::JSObject::defineOwnIndexedProperty):
1208 (JSC::putDescriptor):
1209 (JSC::JSObject::defineOwnNonIndexProperty):
1210 (JSC::JSObject::defineOwnProperty):
1211 * runtime/JSObject.h:
1212 * runtime/JSProxy.cpp:
1213 (JSC::JSProxy::defineOwnProperty):
1214 * runtime/JSProxy.h:
1215 * runtime/RegExpMatchesArray.h:
1216 (JSC::RegExpMatchesArray::defineOwnProperty):
1217 * runtime/RegExpObject.cpp:
1218 (JSC::RegExpObject::defineOwnProperty):
1219 * runtime/RegExpObject.h:
1220 * runtime/StringObject.cpp:
1221 (JSC::StringObject::defineOwnProperty):
1222 * runtime/StringObject.h:
1223 - make PropertyDescriptor const
1225 2013-08-21 Filip Pizlo <fpizlo@apple.com>
1227 REGRESSION: Crash under JITCompiler::link while loading Gmail
1228 https://bugs.webkit.org/show_bug.cgi?id=119872
1230 Reviewed by Mark Hahnenberg.
1232 Apparently, unsigned + signed = unsigned. Work around it with a cast.
1234 * dfg/DFGByteCodeParser.cpp:
1235 (JSC::DFG::ByteCodeParser::parseBlock):
1237 2013-08-21 Alex Christensen <achristensen@apple.com>
1239 <https://webkit.org/b/120137> Separating Win32 and Win64 builds.
1241 Reviewed by Brent Fulgham.
1243 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1244 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1245 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1246 Pass PlatformArchitecture as a command line parameter to bash scripts.
1247 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
1248 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
1249 * JavaScriptCore.vcxproj/build-generated-files.sh:
1250 Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).
1252 2013-08-21 Filip Pizlo <fpizlo@apple.com>
1254 Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView
1255 https://bugs.webkit.org/show_bug.cgi?id=120099
1257 Reviewed by Mark Hahnenberg.
1259 JSDataView should not store the ArrayBuffer* in the butterfly indexing header, since
1260 JSDataView may have ordinary JS indexed properties.
1262 * runtime/ClassInfo.h:
1263 * runtime/JSArrayBufferView.cpp:
1264 (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1265 (JSC::JSArrayBufferView::finishCreation):
1266 * runtime/JSArrayBufferView.h:
1267 (JSC::hasArrayBuffer):
1268 * runtime/JSArrayBufferViewInlines.h:
1269 (JSC::JSArrayBufferView::buffer):
1270 (JSC::JSArrayBufferView::neuter):
1271 (JSC::JSArrayBufferView::byteOffset):
1272 * runtime/JSCell.cpp:
1273 (JSC::JSCell::slowDownAndWasteMemory):
1275 * runtime/JSDataView.cpp:
1276 (JSC::JSDataView::JSDataView):
1277 (JSC::JSDataView::create):
1278 (JSC::JSDataView::slowDownAndWasteMemory):
1279 * runtime/JSDataView.h:
1280 (JSC::JSDataView::buffer):
1281 * runtime/JSGenericTypedArrayView.h:
1282 * runtime/JSGenericTypedArrayViewInlines.h:
1283 (JSC::::visitChildren):
1284 (JSC::::slowDownAndWasteMemory):
1286 2013-08-21 Mark Hahnenberg <mhahnenberg@apple.com>
1288 Remove incorrect ASSERT from CopyVisitor::visitItem
1290 Rubber stamped by Filip Pizlo.
1292 * heap/CopyVisitorInlines.h:
1293 (JSC::CopyVisitor::visitItem):
1295 2013-08-21 Gavin Barraclough <barraclough@apple.com>
1297 https://bugs.webkit.org/show_bug.cgi?id=120127
1298 Remove JSObject::propertyIsEnumerable
1300 Reviewed by Sam Weinig.
1302 This method is just a wart - it contains unnecessary const-casting, function call overhead, and LOC.
1304 * runtime/JSObject.cpp:
1305 * runtime/JSObject.h:
1306 - remove propertyIsEnumerable
1307 * runtime/ObjectPrototype.cpp:
1308 (JSC::objectProtoFuncPropertyIsEnumerable):
1309 - Move implementation here using getOwnPropertyDescriptor directly.
1311 2013-08-20 Filip Pizlo <fpizlo@apple.com>
1313 DFG should inline new typedArray()
1314 https://bugs.webkit.org/show_bug.cgi?id=120022
1316 Reviewed by Oliver Hunt.
1318 Adds inlining of typed array allocations in the DFG. Any operation of the
1327 where 'foo' is a typed array constructor and 'blah' is exactly one argument,
1328 is turned into the NewTypedArray intrinsic. Later, if child1 (i.e. 'blah')
1329 is predicted integer, we generate inline code for an allocation. Otherwise
1330 it turns into a call to an operation that behaves like the constructor would
1331 if it was passed one argument (i.e. it may wrap a buffer or it may create a
1332 copy of another array, or it may allocate an array of that length).
1334 * bytecode/SpeculatedType.cpp:
1335 (JSC::speculationFromTypedArrayType):
1336 (JSC::speculationFromClassInfo):
1337 * bytecode/SpeculatedType.h:
1338 * dfg/DFGAbstractInterpreterInlines.h:
1339 (JSC::DFG::::executeEffects):
1340 * dfg/DFGBackwardsPropagationPhase.cpp:
1341 (JSC::DFG::BackwardsPropagationPhase::propagate):
1342 * dfg/DFGByteCodeParser.cpp:
1343 (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
1344 (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1345 * dfg/DFGCCallHelpers.h:
1346 (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
1347 * dfg/DFGCSEPhase.cpp:
1348 (JSC::DFG::CSEPhase::putStructureStoreElimination):
1349 * dfg/DFGClobberize.h:
1350 (JSC::DFG::clobberize):
1351 * dfg/DFGFixupPhase.cpp:
1352 (JSC::DFG::FixupPhase::fixupNode):
1354 (JSC::DFG::Graph::dump):
1356 (JSC::DFG::Node::hasTypedArrayType):
1357 (JSC::DFG::Node::typedArrayType):
1358 * dfg/DFGNodeType.h:
1359 * dfg/DFGOperations.cpp:
1360 (JSC::DFG::newTypedArrayWithSize):
1361 (JSC::DFG::newTypedArrayWithOneArgument):
1362 * dfg/DFGOperations.h:
1363 (JSC::DFG::operationNewTypedArrayWithSizeForType):
1364 (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
1365 * dfg/DFGPredictionPropagationPhase.cpp:
1366 (JSC::DFG::PredictionPropagationPhase::propagate):
1367 * dfg/DFGSafeToExecute.h:
1368 (JSC::DFG::safeToExecute):
1369 * dfg/DFGSpeculativeJIT.cpp:
1370 (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
1371 * dfg/DFGSpeculativeJIT.h:
1372 (JSC::DFG::SpeculativeJIT::callOperation):
1373 * dfg/DFGSpeculativeJIT32_64.cpp:
1374 (JSC::DFG::SpeculativeJIT::compile):
1375 * dfg/DFGSpeculativeJIT64.cpp:
1376 (JSC::DFG::SpeculativeJIT::compile):
1377 * jit/JITOpcodes.cpp:
1378 (JSC::JIT::emit_op_new_object):
1379 * jit/JITOpcodes32_64.cpp:
1380 (JSC::JIT::emit_op_new_object):
1381 * runtime/JSArray.h:
1382 (JSC::JSArray::allocationSize):
1383 * runtime/JSArrayBufferView.h:
1384 (JSC::JSArrayBufferView::allocationSize):
1385 * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1386 (JSC::constructGenericTypedArrayView):
1387 * runtime/JSObject.h:
1388 (JSC::JSFinalObject::allocationSize):
1389 * runtime/TypedArrayType.cpp:
1390 (JSC::constructorClassInfoForType):
1391 * runtime/TypedArrayType.h:
1392 (JSC::indexToTypedArrayType):
1394 2013-08-21 Julien Brianceau <jbrianceau@nds.com>
1396 <https://webkit.org/b/120106> Fix V_DFGOperation_EJPP signature in DFG.
1398 Reviewed by Geoffrey Garen.
1400 * dfg/DFGOperations.h:
1402 2013-08-20 Gavin Barraclough <barraclough@apple.com>
1404 https://bugs.webkit.org/show_bug.cgi?id=120093
1405 Remove getOwnPropertyDescriptor trap
1407 Reviewed by Geoff Garen.
1409 All implementations of this method are now called via the method table, and equivalent in behaviour.
1410 Remove all duplicate implementations (and the method table trap), and add a single member function implementation on JSObject.
1412 * API/JSCallbackObject.h:
1413 * API/JSCallbackObjectFunctions.h:
1414 * debugger/DebuggerActivation.cpp:
1415 * debugger/DebuggerActivation.h:
1416 * runtime/Arguments.cpp:
1417 * runtime/Arguments.h:
1418 * runtime/ArrayConstructor.cpp:
1419 * runtime/ArrayConstructor.h:
1420 * runtime/ArrayPrototype.cpp:
1421 * runtime/ArrayPrototype.h:
1422 * runtime/BooleanPrototype.cpp:
1423 * runtime/BooleanPrototype.h:
1424 - remove getOwnPropertyDescriptor
1425 * runtime/ClassInfo.h:
1426 - remove getOwnPropertyDescriptor from MethodTable
1427 * runtime/DateConstructor.cpp:
1428 * runtime/DateConstructor.h:
1429 * runtime/DatePrototype.cpp:
1430 * runtime/DatePrototype.h:
1431 * runtime/ErrorPrototype.cpp:
1432 * runtime/ErrorPrototype.h:
1433 * runtime/JSActivation.cpp:
1434 * runtime/JSActivation.h:
1435 * runtime/JSArray.cpp:
1436 * runtime/JSArray.h:
1437 * runtime/JSArrayBuffer.cpp:
1438 * runtime/JSArrayBuffer.h:
1439 * runtime/JSArrayBufferView.cpp:
1440 * runtime/JSArrayBufferView.h:
1441 * runtime/JSCell.cpp:
1443 * runtime/JSDataView.cpp:
1444 * runtime/JSDataView.h:
1445 * runtime/JSDataViewPrototype.cpp:
1446 * runtime/JSDataViewPrototype.h:
1447 * runtime/JSFunction.cpp:
1448 * runtime/JSFunction.h:
1449 * runtime/JSGenericTypedArrayView.h:
1450 * runtime/JSGenericTypedArrayViewInlines.h:
1451 * runtime/JSGlobalObject.cpp:
1452 * runtime/JSGlobalObject.h:
1453 * runtime/JSNotAnObject.cpp:
1454 * runtime/JSNotAnObject.h:
1455 * runtime/JSONObject.cpp:
1456 * runtime/JSONObject.h:
1457 - remove getOwnPropertyDescriptor
1458 * runtime/JSObject.cpp:
1459 (JSC::JSObject::propertyIsEnumerable):
1460 - switch to call new getOwnPropertyDescriptor member function
1461 (JSC::JSObject::getOwnPropertyDescriptor):
1462 - new, based on implementation from GET_OWN_PROPERTY_DESCRIPTOR_IMPL
1463 (JSC::JSObject::defineOwnNonIndexProperty):
1464 - switch to call new getOwnPropertyDescriptor member function
1465 * runtime/JSObject.h:
1466 * runtime/JSProxy.cpp:
1467 * runtime/JSProxy.h:
1468 * runtime/NamePrototype.cpp:
1469 * runtime/NamePrototype.h:
1470 * runtime/NumberConstructor.cpp:
1471 * runtime/NumberConstructor.h:
1472 * runtime/NumberPrototype.cpp:
1473 * runtime/NumberPrototype.h:
1474 - remove getOwnPropertyDescriptor
1475 * runtime/ObjectConstructor.cpp:
1476 (JSC::objectConstructorGetOwnPropertyDescriptor):
1477 (JSC::objectConstructorSeal):
1478 (JSC::objectConstructorFreeze):
1479 (JSC::objectConstructorIsSealed):
1480 (JSC::objectConstructorIsFrozen):
1481 - switch to call new getOwnPropertyDescriptor member function
1482 * runtime/ObjectConstructor.h:
1483 - remove getOwnPropertyDescriptor
1484 * runtime/PropertyDescriptor.h:
1485 - remove GET_OWN_PROPERTY_DESCRIPTOR_IMPL
1486 * runtime/RegExpConstructor.cpp:
1487 * runtime/RegExpConstructor.h:
1488 * runtime/RegExpMatchesArray.cpp:
1489 * runtime/RegExpMatchesArray.h:
1490 * runtime/RegExpObject.cpp:
1491 * runtime/RegExpObject.h:
1492 * runtime/RegExpPrototype.cpp:
1493 * runtime/RegExpPrototype.h:
1494 * runtime/StringConstructor.cpp:
1495 * runtime/StringConstructor.h:
1496 * runtime/StringObject.cpp:
1497 * runtime/StringObject.h:
1498 - remove getOwnPropertyDescriptor
1500 2013-08-20 Mark Hahnenberg <mhahnenberg@apple.com>
1502 <https://webkit.org/b/120079> Flattening a dictionary can cause CopiedSpace corruption
1504 Reviewed by Oliver Hunt.
1506 When we flatten an object in dictionary mode, we compact its properties. If the object
1507 had out-of-line storage in the form of a Butterfly prior to this compaction, and after
1508 compaction its properties fit inline, the object's Structure "forgets" that the object
1509 has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes
1510 with bytes = 0, which causes all sorts of badness in CopiedSpace.
1512 Instead, after we flatten a dictionary, if properties fit inline we should clear the
1513 Butterfly pointer so that the GC doesn't get confused later.
1515 This patch does this clearing, and it also adds JSObject::checkStructure, which overrides
1516 JSCell::checkStructure to add an ASSERT that makes sure that the Structure being assigned
1517 agrees with whether or not the object has a Butterfly. Also added an ASSERT to check
1518 that the number of bytes reported to SlotVisitor::copyLater is non-zero.
1520 * heap/SlotVisitorInlines.h:
1521 (JSC::SlotVisitor::copyLater):
1522 * runtime/JSObject.cpp:
1523 (JSC::JSObject::notifyPresenceOfIndexedAccessors):
1524 (JSC::JSObject::convertUndecidedToInt32):
1525 (JSC::JSObject::convertUndecidedToDouble):
1526 (JSC::JSObject::convertUndecidedToContiguous):
1527 (JSC::JSObject::convertInt32ToDouble):
1528 (JSC::JSObject::convertInt32ToContiguous):
1529 (JSC::JSObject::genericConvertDoubleToContiguous):
1530 (JSC::JSObject::switchToSlowPutArrayStorage):
1531 (JSC::JSObject::setPrototype):
1532 (JSC::JSObject::putDirectAccessor):
1533 (JSC::JSObject::seal):
1534 (JSC::JSObject::freeze):
1535 (JSC::JSObject::preventExtensions):
1536 (JSC::JSObject::reifyStaticFunctionsForDelete):
1537 (JSC::JSObject::removeDirect):
1538 * runtime/JSObject.h:
1539 (JSC::JSObject::setButterfly):
1540 (JSC::JSObject::putDirectInternal):
1541 (JSC::JSObject::setStructure):
1542 (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
1543 * runtime/Structure.cpp:
1544 (JSC::Structure::flattenDictionaryStructure):
1546 2013-08-20 Alex Christensen <achristensen@apple.com>
1548 Compile fix for Win64 after r154156.
1550 Rubber stamped by Oliver Hunt.
1552 * jit/JITStubsMSVC64.asm:
1553 Renamed ctiVMThrowTrampolineSlowpath to ctiVMHandleException and
1554 cti_vm_throw_slowpath to cti_vm_handle_exception.
1556 2013-08-20 Alex Christensen <achristensen@apple.com>
1558 <https://webkit.org/b/120076> More work towards a Win64 build
1560 Reviewed by Brent Fulgham.
1562 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1563 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1564 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1565 * JavaScriptCore.vcxproj/copy-files.cmd:
1566 * JavaScriptCore.vcxproj/jsc/jscCommon.props:
1567 * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
1568 Use PlatformArchitecture macro instead of bin32, lib32, and obj32.
1570 2013-08-20 Mark Hahnenberg <mhahnenberg@apple.com>
1572 <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
1574 Reviewed by Geoffrey Garen.
1576 More fixes for WriteBarrier deferral during concurrent JIT-ing. This patch makes the use of DesiredWriteBarriers class and the
1577 initializeLazyWriteBarrierFor* wrapper functions more sane.
1579 Refactored DesiredWriteBarrier to require an owner, a type, a CodeBlock, and an index. The type indicates how to use the CodeBlock
1580 and index when triggering the WriteBarrier at the end of compilation.
1582 The client code of initializeLazy* is now responsible for creating the WriteBarrier that will be initialized as well as passing
1583 in the relevant index to be used at the end of compilation. Things were kind of muddled before in that one function did a
1584 little extra work that really shouldn't have been its responsibility.
1586 * dfg/DFGByteCodeParser.cpp:
1587 (JSC::DFG::ByteCodeParser::addConstant):
1588 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1589 * dfg/DFGDesiredWriteBarriers.cpp:
1590 (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
1591 (JSC::DFG::DesiredWriteBarrier::trigger):
1592 * dfg/DFGDesiredWriteBarriers.h:
1593 (JSC::DFG::DesiredWriteBarriers::add):
1594 (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameExecutable):
1595 (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameCallee):
1596 (JSC::DFG::initializeLazyWriteBarrierForConstant):
1597 * dfg/DFGFixupPhase.cpp:
1598 (JSC::DFG::FixupPhase::truncateConstantToInt32):
1600 (JSC::DFG::Graph::constantRegisterForConstant):
1602 2013-08-20 Michael Saboff <msaboff@apple.com>
1604 https://bugs.webkit.org/show_bug.cgi?id=120075
1605 REGRESSION (r128400): BBC4 website not displaying pictures
1607 Reviewed by Oliver Hunt.
1609 * runtime/RegExpMatchesArray.h:
1610 (JSC::RegExpMatchesArray::createStructure): Changed the array IndexingType to be ArrayWithSlowPutArrayStorage
1611 so that the match results will be reified before any other modification to the results array.
1613 2013-08-19 Filip Pizlo <fpizlo@apple.com>
1615 Incorrect behavior on emscripten-compiled cube2hash
1616 https://bugs.webkit.org/show_bug.cgi?id=120033
1618 Reviewed by Mark Hahnenberg.
1620 If PutClosureVar is may-aliased to another PutClosureVar or GetClosureVar
1621 then we should bail attempts to CSE.
1623 * dfg/DFGCSEPhase.cpp:
1624 (JSC::DFG::CSEPhase::scopedVarLoadElimination):
1625 (JSC::DFG::CSEPhase::scopedVarStoreElimination):
1627 2013-08-20 Gavin Barraclough <barraclough@apple.com>
1629 https://bugs.webkit.org/show_bug.cgi?id=120073
1630 Remove use of GOPD from JSFunction::defineProperty
1632 Reviewed by Oliver Hunt.
1634 Call getOwnPropertySlot to check for existing properties instead.
1636 * runtime/JSFunction.cpp:
1637 (JSC::JSFunction::defineOwnProperty):
1638 - getOwnPropertyDescriptor -> getOwnPropertySlot
1640 2013-08-20 Gavin Barraclough <barraclough@apple.com>
1642 https://bugs.webkit.org/show_bug.cgi?id=120067
1643 Remove getPropertyDescriptor
1645 Reviewed by Oliver Hunt.
1647 This is used by lookupGetter/lookupSetter - this can easily be replaced by getPropertySlot.
1648 Since we'll be getting the GetterSetter from the slot in the setter case, rename isGetter() to isAccessor().
1650 * runtime/JSObject.cpp:
1651 * runtime/JSObject.h:
1652 - remove getPropertyDescriptor
1653 * runtime/ObjectPrototype.cpp:
1654 (JSC::objectProtoFuncLookupGetter):
1655 (JSC::objectProtoFuncLookupSetter):
1656 - replace call to getPropertyDescriptor with getPropertySlot
1657 * runtime/PropertyDescriptor.h:
1658 * runtime/PropertySlot.h:
1659 (JSC::PropertySlot::isAccessor):
1660 (JSC::PropertySlot::isCacheableGetter):
1661 (JSC::PropertySlot::getterSetter):
1662 - rename isGetter() to isAccessor()
1664 2013-08-20 Gavin Barraclough <barraclough@apple.com>
1666 https://bugs.webkit.org/show_bug.cgi?id=120054
1667 Remove some dead code following getOwnPropertyDescriptor cleanup
1669 Reviewed by Oliver Hunt.
1672 (JSC::getStaticFunctionSlot):
1673 - remove getStaticPropertyDescriptor, getStaticFunctionDescriptor, getStaticValueDescriptor.
1675 2013-08-20 Gavin Barraclough <barraclough@apple.com>
1677 https://bugs.webkit.org/show_bug.cgi?id=120052
1678 Remove custom getOwnPropertyDescriptor for JSProxy
1680 Reviewed by Geoff Garen.
1682 GET_OWN_PROPERTY_DESCRIPTOR_IMPL runs afoul with JSProxy due to the workaround for JSDOMWindow's broken behavior.
1683 Because the window object incorrectly searches the prototype chain in getOwnPropertySlot we check that the base
1684 object matches, but in the case of JSProxy we can end up comparing the window object to the window shell & falsely
1685 assuming this is a prototype property. Add toThis conversion to correctly identify proxied own access. I've kept
1686 the original slotBase check as a fast case, and also so that direct access on JSDOMWindow still works.
1688 * runtime/JSProxy.cpp:
1689 - Remove custom getOwnPropertyDescriptor implementation.
1690 * runtime/PropertyDescriptor.h:
1691 - Modify own property access check to perform toThis conversion.
1693 2013-08-20 Alex Christensen <achristensen@apple.com>
1695 Use PlatformArchitecture to distinguish between 32-bit and 64-bit builds on Windows.
1696 https://bugs.webkit.org/show_bug.cgi?id=119512
1698 Reviewed by Brent Fulgham.
1700 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1701 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1702 * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
1703 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
1704 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
1705 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
1706 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
1707 Replaced obj32, bin32, and lib32 with macros for 64-bit build.
1709 2013-08-20 Julien Brianceau <jbrianceau@nds.com>
1711 <https://webkit.org/b/120062> Missing ensureSpace call in sh4 baseline JIT.
1713 Reviewed by Allan Sandfeld Jensen.
1715 branchPtrWithPatch() of baseline JIT must ensure that space is available for its
1716 instructions and two constants now DFG is enabled for sh4 architecture.
1717 These missing ensureSpace calls lead to random crashes.
1719 * assembler/MacroAssemblerSH4.h:
1720 (JSC::MacroAssemblerSH4::branchPtrWithPatch):
1722 2013-08-19 Gavin Barraclough <barraclough@apple.com>
1724 https://bugs.webkit.org/show_bug.cgi?id=120034
1725 Remove custom getOwnPropertyDescriptor for global objects
1727 Reviewed by Geoff Garen.
1729 Fix attributes of JSC SymbolTableObject entries, ensure that cross frame access is safe, and suppress prototype chain walk.
1731 * runtime/JSGlobalObject.cpp:
1732 - Remove custom getOwnPropertyDescriptor implementation.
1733 * runtime/JSSymbolTableObject.h:
1734 (JSC::symbolTableGet):
1735 - The symbol table does not store the DontDelete attribute; we should be adding it back in.
1736 * runtime/PropertyDescriptor.h:
1737 - JSDOMWindow walks the prototype chain on own access. This is bad, but for now we work around it for the getOwnPropertyDescriptor case.
1738 * runtime/PropertySlot.h:
1739 (JSC::PropertySlot::setUndefined):
1740 - This is used by WebCore when blocking access to properties on cross-frame access.
1741 Mark blocked properties as read-only, non-configurable to prevent defineProperty.
1743 2013-08-17 Filip Pizlo <fpizlo@apple.com>
1745 DFG should inline typedArray.byteOffset
1746 https://bugs.webkit.org/show_bug.cgi?id=119962
1748 Reviewed by Oliver Hunt.
1750 This adds a new node, GetTypedArrayByteOffset, which inlines
1751 typedArray.byteOffset.
1753 Also, I improved a bunch of the clobbering logic related to typed arrays
1754 and clobbering in general. For example, PutByOffset/PutStructure are not
1755 clobber-world so they can be handled by most default cases in CSE. Also,
1756 it's better to use the 'Class_field' notation for typed arrays now that
1757 they no longer involve magical descriptor thingies.
1759 * bytecode/SpeculatedType.h:
1760 * dfg/DFGAbstractHeap.h:
1761 * dfg/DFGAbstractInterpreterInlines.h:
1762 (JSC::DFG::::executeEffects):
1763 * dfg/DFGArrayMode.h:
1764 (JSC::DFG::neverNeedsStorage):
1765 * dfg/DFGCSEPhase.cpp:
1766 (JSC::DFG::CSEPhase::getByValLoadElimination):
1767 (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
1768 (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
1769 (JSC::DFG::CSEPhase::checkArrayElimination):
1770 (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
1771 (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination):
1772 (JSC::DFG::CSEPhase::performNodeCSE):
1773 * dfg/DFGClobberize.h:
1774 (JSC::DFG::clobberize):
1775 * dfg/DFGFixupPhase.cpp:
1776 (JSC::DFG::FixupPhase::fixupNode):
1777 (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
1778 (JSC::DFG::FixupPhase::convertToGetArrayLength):
1779 (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
1780 * dfg/DFGNodeType.h:
1781 * dfg/DFGPredictionPropagationPhase.cpp:
1782 (JSC::DFG::PredictionPropagationPhase::propagate):
1783 * dfg/DFGSafeToExecute.h:
1784 (JSC::DFG::safeToExecute):
1785 * dfg/DFGSpeculativeJIT.cpp:
1786 (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
1787 * dfg/DFGSpeculativeJIT.h:
1788 * dfg/DFGSpeculativeJIT32_64.cpp:
1789 (JSC::DFG::SpeculativeJIT::compile):
1790 * dfg/DFGSpeculativeJIT64.cpp:
1791 (JSC::DFG::SpeculativeJIT::compile):
1792 * dfg/DFGTypeCheckHoistingPhase.cpp:
1793 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
1794 * runtime/ArrayBuffer.h:
1795 (JSC::ArrayBuffer::offsetOfData):
1796 * runtime/Butterfly.h:
1797 (JSC::Butterfly::offsetOfArrayBuffer):
1798 * runtime/IndexingHeader.h:
1799 (JSC::IndexingHeader::offsetOfArrayBuffer):
1801 2013-08-18 Filip Pizlo <fpizlo@apple.com>
1803 <https://webkit.org/b/119994> DFG new Array() inlining could get confused about global objects
1805 Reviewed by Geoffrey Garen.
1807 * dfg/DFGByteCodeParser.cpp:
1808 (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1810 2013-08-18 Gavin Barraclough <barraclough@apple.com>
1812 https://bugs.webkit.org/show_bug.cgi?id=119995
1813 Start removing custom implementations of getOwnPropertyDescriptor
1815 Reviewed by Oliver Hunt.
1817 This can now typically be implemented in terms of getOwnPropertySlot.
1818 Add a macro to PropertyDescriptor to define an implementation of GOPD in terms of GOPS.
1819 Switch over most classes in JSC & the WebCore bindings generator to use this.
1821 * API/JSCallbackObjectFunctions.h:
1822 * debugger/DebuggerActivation.cpp:
1823 * runtime/Arguments.cpp:
1824 * runtime/ArrayConstructor.cpp:
1825 * runtime/ArrayPrototype.cpp:
1826 * runtime/BooleanPrototype.cpp:
1827 * runtime/DateConstructor.cpp:
1828 * runtime/DatePrototype.cpp:
1829 * runtime/ErrorPrototype.cpp:
1830 * runtime/JSActivation.cpp:
1831 * runtime/JSArray.cpp:
1832 * runtime/JSArrayBuffer.cpp:
1833 * runtime/JSArrayBufferView.cpp:
1834 * runtime/JSCell.cpp:
1835 * runtime/JSDataView.cpp:
1836 * runtime/JSDataViewPrototype.cpp:
1837 * runtime/JSFunction.cpp:
1838 * runtime/JSGenericTypedArrayViewInlines.h:
1839 * runtime/JSNotAnObject.cpp:
1840 * runtime/JSONObject.cpp:
1841 * runtime/JSObject.cpp:
1842 * runtime/NamePrototype.cpp:
1843 * runtime/NumberConstructor.cpp:
1844 * runtime/NumberPrototype.cpp:
1845 * runtime/ObjectConstructor.cpp:
1846 - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
1847 * runtime/PropertyDescriptor.h:
1848 - Added GET_OWN_PROPERTY_DESCRIPTOR_IMPL macro.
1849 * runtime/PropertySlot.h:
1850 (JSC::PropertySlot::isValue):
1851 (JSC::PropertySlot::isGetter):
1852 (JSC::PropertySlot::isCustom):
1853 (JSC::PropertySlot::isCacheableValue):
1854 (JSC::PropertySlot::isCacheableGetter):
1855 (JSC::PropertySlot::isCacheableCustom):
1856 (JSC::PropertySlot::attributes):
1857 (JSC::PropertySlot::getterSetter):
1858 - Add accessors necessary to convert PropertySlot to descriptor.
1859 * runtime/RegExpConstructor.cpp:
1860 * runtime/RegExpMatchesArray.cpp:
1861 * runtime/RegExpMatchesArray.h:
1862 * runtime/RegExpObject.cpp:
1863 * runtime/RegExpPrototype.cpp:
1864 * runtime/StringConstructor.cpp:
1865 * runtime/StringObject.cpp:
1866 - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
1868 2013-08-19 Michael Saboff <msaboff@apple.com>
1870 https://bugs.webkit.org/show_bug.cgi?id=120015 DFG 32Bit: Crash loading "Classic" site @ translate.google.com
1872 Reviewed by Sam Weinig.
1874 * dfg/DFGSpeculativeJIT32_64.cpp:
1875 (JSC::DFG::SpeculativeJIT::fillSpeculateCell): Added checks for spillFormat being
1876 DataFormatInteger or DataFormatDouble similar to what is in the 64 bit code and in
1877 all versions of fillSpeculateBoolean().
1879 2013-08-19 Michael Saboff <msaboff@apple.com>
1881 https://bugs.webkit.org/show_bug.cgi?id=120020 Change Set 154207 causes wrong register to be used for 32 bit tests
1883 Reviewed by Benjamin Poulain.
1885 Change branchTest32 to only use the byte for 8 bit test on the lower 4 registers.
1886 Registers 4 through 7 as byte registers are ah, ch, dh and bh instead of sp, bp, si and di.
1888 * assembler/MacroAssemblerX86Common.h:
1889 (JSC::MacroAssemblerX86Common::branchTest32):
1891 2013-08-16 Oliver Hunt <oliver@apple.com>
1893 <https://webkit.org/b/119860> Crash during exception unwinding
1895 Reviewed by Filip Pizlo.
1897 Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error
1898 to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node.
1900 We need this so that Throw and ThrowReferenceError no longer need to be treated as
1901 terminals and the subsequent flush keeps the activation (and other registers) live.
1903 * dfg/DFGAbstractInterpreterInlines.h:
1904 (JSC::DFG::::executeEffects):
1905 * dfg/DFGByteCodeParser.cpp:
1906 (JSC::DFG::ByteCodeParser::parseBlock):
1907 * dfg/DFGClobberize.h:
1908 (JSC::DFG::clobberize):
1909 * dfg/DFGFixupPhase.cpp:
1910 (JSC::DFG::FixupPhase::fixupNode):
1912 (JSC::DFG::Node::isTerminal):
1913 * dfg/DFGNodeType.h:
1914 * dfg/DFGPredictionPropagationPhase.cpp:
1915 (JSC::DFG::PredictionPropagationPhase::propagate):
1916 * dfg/DFGSafeToExecute.h:
1917 (JSC::DFG::safeToExecute):
1918 * dfg/DFGSpeculativeJIT32_64.cpp:
1919 (JSC::DFG::SpeculativeJIT::compile):
1920 * dfg/DFGSpeculativeJIT64.cpp:
1921 (JSC::DFG::SpeculativeJIT::compile):
1923 2013-08-19 Víctor Manuel Jáquez Leal <vjaquez@igalia.com>
1925 <https://webkit.org/b/120008> [GTK][ARM] javascriptcore compilation is broken
1927 Reviewed by Oliver Hunt.
1929 Guard the compilation of these files only if DFG_JIT is enabled.
1931 * dfg/DFGDesiredTransitions.cpp:
1932 * dfg/DFGDesiredTransitions.h:
1933 * dfg/DFGDesiredWeakReferences.cpp:
1934 * dfg/DFGDesiredWeakReferences.h:
1935 * dfg/DFGDesiredWriteBarriers.cpp:
1936 * dfg/DFGDesiredWriteBarriers.h:
1938 2013-08-17 Filip Pizlo <fpizlo@apple.com>
1940 REGRESSION(r154218): DFG::FixupPhase no longer turns GetById's child1 into CellUse
1941 https://bugs.webkit.org/show_bug.cgi?id=119961
1943 Reviewed by Mark Hahnenberg.
1945 * dfg/DFGFixupPhase.cpp:
1946 (JSC::DFG::FixupPhase::fixupNode):
1948 2013-08-18 Gavin Barraclough <barraclough@apple.com>
1950 https://bugs.webkit.org/show_bug.cgi?id=119972
1951 Add attributes field to PropertySlot
1953 Reviewed by Geoff Garen.
1955 For all JSC types, this makes getOwnPropertyDescriptor redundant.
1956 There will be a bit more hacking required in WebCore to remove GOPD whilst maintaining current behaviour.
1957 (Current behaviour is in many ways broken, particularly in that GOPD & GOPS are inconsistent, but we should fix incrementally).
1959 No performance impact.
1961 * runtime/PropertySlot.h:
1962 (JSC::PropertySlot::setValue):
1963 (JSC::PropertySlot::setCustom):
1964 (JSC::PropertySlot::setCacheableCustom):
1965 (JSC::PropertySlot::setCustomIndex):
1966 (JSC::PropertySlot::setGetterSlot):
1967 (JSC::PropertySlot::setCacheableGetterSlot):
1968 - These methods now all require 'attributes'.
1969 * runtime/JSObject.h:
1970 (JSC::JSObject::getDirect):
1971 (JSC::JSObject::getDirectOffset):
1972 (JSC::JSObject::inlineGetOwnPropertySlot):
1973 - Added variants of getDirect, getDirectOffset that return the attributes.
1974 * API/JSCallbackObjectFunctions.h:
1975 (JSC::::getOwnPropertySlot):
1976 * runtime/Arguments.cpp:
1977 (JSC::Arguments::getOwnPropertySlotByIndex):
1978 (JSC::Arguments::getOwnPropertySlot):
1979 * runtime/JSActivation.cpp:
1980 (JSC::JSActivation::symbolTableGet):
1981 (JSC::JSActivation::getOwnPropertySlot):
1982 * runtime/JSArray.cpp:
1983 (JSC::JSArray::getOwnPropertySlot):
1984 * runtime/JSArrayBuffer.cpp:
1985 (JSC::JSArrayBuffer::getOwnPropertySlot):
1986 * runtime/JSArrayBufferView.cpp:
1987 (JSC::JSArrayBufferView::getOwnPropertySlot):
1988 * runtime/JSDataView.cpp:
1989 (JSC::JSDataView::getOwnPropertySlot):
1990 * runtime/JSFunction.cpp:
1991 (JSC::JSFunction::getOwnPropertySlot):
1992 * runtime/JSGenericTypedArrayViewInlines.h:
1993 (JSC::::getOwnPropertySlot):
1994 (JSC::::getOwnPropertySlotByIndex):
1995 * runtime/JSObject.cpp:
1996 (JSC::JSObject::getOwnPropertySlotByIndex):
1997 (JSC::JSObject::fillGetterPropertySlot):
1998 * runtime/JSString.h:
1999 (JSC::JSString::getStringPropertySlot):
2000 * runtime/JSSymbolTableObject.h:
2001 (JSC::symbolTableGet):
2002 * runtime/Lookup.cpp:
2003 (JSC::setUpStaticFunctionSlot):
2005 (JSC::getStaticPropertySlot):
2006 (JSC::getStaticPropertyDescriptor):
2007 (JSC::getStaticValueSlot):
2008 (JSC::getStaticValueDescriptor):
2009 * runtime/RegExpObject.cpp:
2010 (JSC::RegExpObject::getOwnPropertySlot):
2011 * runtime/SparseArrayValueMap.cpp:
2012 (JSC::SparseArrayEntry::get):
2013 - Pass attributes to PropertySlot::set* methods.
2015 2013-08-17 Mark Hahnenberg <mhahnenberg@apple.com>
2017 <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
2019 Reviewed by Filip Pizlo.
2021 Added a new mode for DesiredWriteBarrier that allows it to track a position in a
2022 Vector of WriteBarriers rather than the specific address. The fact that we were
2023 arbitrarily storing into a Vector's backing store for constants at the end of
2024 compilation after the Vector could have resized was causing crashes.
2026 * bytecode/CodeBlock.h:
2027 (JSC::CodeBlock::constants):
2028 (JSC::CodeBlock::addConstantLazily):
2029 * dfg/DFGByteCodeParser.cpp:
2030 (JSC::DFG::ByteCodeParser::addConstant):
2031 * dfg/DFGDesiredWriteBarriers.cpp:
2032 (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
2033 (JSC::DFG::DesiredWriteBarrier::trigger):
2034 (JSC::DFG::initializeLazyWriteBarrierForConstant):
2035 * dfg/DFGDesiredWriteBarriers.h:
2036 (JSC::DFG::DesiredWriteBarriers::add):
2037 * dfg/DFGFixupPhase.cpp:
2038 (JSC::DFG::FixupPhase::truncateConstantToInt32):
2040 (JSC::DFG::Graph::constantRegisterForConstant):
2042 2013-08-16 Filip Pizlo <fpizlo@apple.com>
2044 DFG should optimize typedArray.byteLength
2045 https://bugs.webkit.org/show_bug.cgi?id=119909
2047 Reviewed by Oliver Hunt.
2049 This adds typedArray.byteLength inlining to the DFG, and does so without changing
2050 the IR: byteLength is turned into GetArrayLength followed by BitLShift. This is
2051 legal since the byteLength of a typed array cannot exceed
2052 numeric_limits<int32_t>::max().
2054 * bytecode/SpeculatedType.cpp:
2055 (JSC::typedArrayTypeFromSpeculation):
2056 * bytecode/SpeculatedType.h:
2057 * dfg/DFGArrayMode.cpp:
2058 (JSC::DFG::toArrayType):
2059 * dfg/DFGArrayMode.h:
2060 * dfg/DFGFixupPhase.cpp:
2061 (JSC::DFG::FixupPhase::fixupNode):
2062 (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
2063 (JSC::DFG::FixupPhase::attemptToMakeGetByteLength):
2064 (JSC::DFG::FixupPhase::convertToGetArrayLength):
2065 (JSC::DFG::FixupPhase::prependGetArrayLength):
2067 (JSC::DFG::Graph::constantRegisterForConstant):
2068 (JSC::DFG::Graph::convertToConstant):
2069 * runtime/TypedArrayType.h:
2070 (JSC::logElementSize):
2073 2013-08-16 Filip Pizlo <fpizlo@apple.com>
2075 DFG optimizes out strict mode arguments tear off
2076 https://bugs.webkit.org/show_bug.cgi?id=119504
2078 Reviewed by Mark Hahnenberg and Oliver Hunt.
2080 Don't do the optimization for strict mode.
2082 * dfg/DFGArgumentsSimplificationPhase.cpp:
2083 (JSC::DFG::ArgumentsSimplificationPhase::run):
2084 (JSC::DFG::ArgumentsSimplificationPhase::pruneObviousArgumentCreations):
2086 2013-08-16 Benjamin Poulain <benjamin@webkit.org>
2088 [JSC] x86: improve code generation for xxxTest32
2089 https://bugs.webkit.org/show_bug.cgi?id=119876
2091 Reviewed by Geoffrey Garen.
2093 Try to use testb whenever possible when testing for an immediate value.
2095 When the input is an address and an offset, we can tweak the mask
2096 and offset to be able to generate testb for any byte of the mask.
2098 When the input is a register, we can use testb if we are only interested
2099 in testing the low bits.
2101 * assembler/MacroAssemblerX86Common.h:
2102 (JSC::MacroAssemblerX86Common::branchTest32):
2103 (JSC::MacroAssemblerX86Common::test32):
2104 (JSC::MacroAssemblerX86Common::generateTest32):
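The testb selection heuristic this entry describes, together with the lower-four-registers restriction from Michael Saboff's 2013-08-19 entry above, modelled as an added example; this is not WebKit's MacroAssemblerX86Common code, and TestForm, selectTest32ForMemory, selectTest32ForRegister and the sample words are hypothetical and constructed for illustration.

```cpp
#include <cstdint>
#include <cstdio>

// Which instruction form a branchTest32 would be lowered to.
struct TestForm {
    bool useByteForm;   // true: testb (8-bit immediate), false: testl (32-bit immediate)
    int32_t offset;     // displacement to use for the memory operand (memory case)
    uint32_t mask;      // immediate actually encoded
    int reg;            // register operand (register case), -1 for memory
};

// Index (0..3) of the single non-zero byte in a little-endian 32-bit mask,
// or -1 if the mask is zero or spans more than one byte.
static int singleByteIndex(uint32_t mask) {
    int found = -1;
    for (int i = 0; i < 4; ++i) {
        if ((mask >> (8 * i)) & 0xffu) {
            if (found != -1)
                return -1;
            found = i;
        }
    }
    return found;
}

// Memory operand [base + offset] with a 32-bit immediate mask. If only byte k
// of the mask is set, testing that single byte at [base + offset + k] against
// (mask >> 8k) yields the same ZF as the full 32-bit test, so testb can be used.
TestForm selectTest32ForMemory(int32_t offset, uint32_t mask) {
    TestForm form = { false, offset, mask, -1 };
    int k = singleByteIndex(mask);
    if (k >= 0) {
        form.useByteForm = true;
        form.offset = offset + k;
        form.mask = (mask >> (8 * k)) & 0xffu;
    }
    return form;
}

// Register operand. The byte form is only correct when the mask fits in the
// low 8 bits AND the register is one of the lower four (eax, ecx, edx, ebx):
// as the follow-up entry notes, byte-register encodings 4 through 7 select
// ah, ch, dh and bh rather than the low byte of esp, ebp, esi and edi.
TestForm selectTest32ForRegister(int reg, uint32_t mask) {
    TestForm form = { false, 0, mask, reg };
    bool lowByteOnly = (mask & ~0xffu) == 0;
    if (lowByteOnly && reg >= 0 && reg < 4) {
        form.useByteForm = true;
        form.mask = mask & 0xffu;
    }
    return form;
}

// Oracle check: for a given word in memory and mask, the chosen form must set
// ZF exactly when the 32-bit test would. testb reads the byte at the adjusted
// displacement; the word is little-endian, so byte k is (word >> 8k) & 0xff.
bool byteFormMatchesWordForm(uint32_t word, uint32_t mask) {
    TestForm form = selectTest32ForMemory(0, mask);
    bool wordZero = (word & mask) == 0;
    if (!form.useByteForm)
        return true; // falls back to testl, trivially equivalent
    uint32_t byteValue = (word >> (8 * form.offset)) & 0xffu;
    bool byteZero = (byteValue & form.mask) == 0;
    return wordZero == byteZero;
}

// Exhaustive check over every single-byte mask and a set of constructed sample words.
bool allSingleByteMasksAgree() {
    static const uint32_t words[] = { 0x00000000u, 0xffffffffu, 0x00120000u,
                                      0x80000000u, 0x00000001u, 0x0000ff00u };
    for (int k = 0; k < 4; ++k) {
        for (uint32_t b = 1; b <= 0xffu; ++b) {
            uint32_t mask = b << (8 * k);
            for (uint32_t w : words) {
                if (!byteFormMatchesWordForm(w, mask))
                    return false;
            }
        }
    }
    return true;
}

int main() {
    TestForm m = selectTest32ForMemory(8, 0x00ff0000u);
    std::printf("mem: byte=%d offset=%d mask=0x%02x\n", m.useByteForm, m.offset, m.mask);
    TestForm r = selectTest32ForRegister(4, 0x40u);
    std::printf("reg 4: byte=%d (byte encoding 4 would name ah, not esp)\n", r.useByteForm);
    std::printf("all single-byte masks agree: %d\n", allSingleByteMasksAgree());
    return 0;
}
```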
2106 2013-08-16 Mark Lam <mark.lam@apple.com>
2108 <https://bugs.webkit.org/show_bug.cgi?id=119913> Baseline JIT gives erroneous
2109 error message that an object is not a constructor though it expects a function
2111 Reviewed by Michael Saboff.
2114 (JSC::DEFINE_STUB_FUNCTION):
2116 2013-08-16 Filip Pizlo <fpizlo@apple.com>
2118 Object properties added using dot syntax (o.f = ...) from code that isn't in eval should be less likely to cause an object to become a dictionary
2119 https://bugs.webkit.org/show_bug.cgi?id=119897
2121 Reviewed by Oliver Hunt.
2123 6-10x speed-up on microbenchmarks that create large static objects. 40-65% speed-up
2124 on Octane/gbemu. 3% overall speed-up on Octane. No slow-downs anywhere; our ability
2125 to turn objects into dictionaries when you're storing using bracket syntax or using
2126 eval is still in place.
2128 * bytecode/CodeBlock.h:
2129 (JSC::CodeBlock::putByIdContext):
2130 * dfg/DFGOperations.cpp:
2132 (JSC::DEFINE_STUB_FUNCTION):
2133 * llint/LLIntSlowPaths.cpp:
2134 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2135 * runtime/JSObject.h:
2136 (JSC::JSObject::putDirectInternal):
2137 * runtime/PutPropertySlot.h:
2138 (JSC::PutPropertySlot::PutPropertySlot):
2139 (JSC::PutPropertySlot::context):
2140 * runtime/Structure.cpp:
2141 (JSC::Structure::addPropertyTransition):
2142 * runtime/Structure.h:
2144 2013-08-16 Balazs Kilvady <kilvadyb@homejinni.com>
2146 <https://webkit.org/b/119742> REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException
2148 Reviewed by Allan Sandfeld Jensen.
2150 ctiVMHandleException must jump/return using register ra (r31).
2152 * jit/JITStubsMIPS.h:
2154 2013-08-16 Julien Brianceau <jbrianceau@nds.com>
2156 <https://webkit.org/b/119879> Fix sh4 build after r154156.
2158 Reviewed by Allan Sandfeld Jensen.
2160 Fix typo in JITStubsSH4.h file.
2162 * jit/JITStubsSH4.h:
2164 2013-08-15 Mark Hahnenberg <mhahnenberg@apple.com>
2166 <https://webkit.org/b/119833> Concurrent compilation thread should not trigger WriteBarriers
2168 Reviewed by Oliver Hunt.
2170 The concurrent compilation thread should interact minimally with the Heap, including not
2171 triggering WriteBarriers. This is a prerequisite for generational GC.
2173 * JavaScriptCore.xcodeproj/project.pbxproj:
2174 * bytecode/CodeBlock.cpp:
2175 (JSC::CodeBlock::addOrFindConstant):
2176 (JSC::CodeBlock::findConstant):
2177 * bytecode/CodeBlock.h:
2178 (JSC::CodeBlock::addConstantLazily):
2179 * dfg/DFGByteCodeParser.cpp:
2180 (JSC::DFG::ByteCodeParser::getJSConstantForValue):
2181 (JSC::DFG::ByteCodeParser::constantUndefined):
2182 (JSC::DFG::ByteCodeParser::constantNull):
2183 (JSC::DFG::ByteCodeParser::one):
2184 (JSC::DFG::ByteCodeParser::constantNaN):
2185 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2186 * dfg/DFGCommonData.cpp:
2187 (JSC::DFG::CommonData::notifyCompilingStructureTransition):
2188 * dfg/DFGCommonData.h:
2189 * dfg/DFGDesiredTransitions.cpp: Added.
2190 (JSC::DFG::DesiredTransition::DesiredTransition):
2191 (JSC::DFG::DesiredTransition::reallyAdd):
2192 (JSC::DFG::DesiredTransitions::DesiredTransitions):
2193 (JSC::DFG::DesiredTransitions::~DesiredTransitions):
2194 (JSC::DFG::DesiredTransitions::addLazily):
2195 (JSC::DFG::DesiredTransitions::reallyAdd):
2196 * dfg/DFGDesiredTransitions.h: Added.
2197 * dfg/DFGDesiredWeakReferences.cpp: Added.
2198 (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
2199 (JSC::DFG::DesiredWeakReferences::~DesiredWeakReferences):
2200 (JSC::DFG::DesiredWeakReferences::addLazily):
2201 (JSC::DFG::DesiredWeakReferences::reallyAdd):
2202 * dfg/DFGDesiredWeakReferences.h: Added.
2203 * dfg/DFGDesiredWriteBarriers.cpp: Added.
2204 (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
2205 (JSC::DFG::DesiredWriteBarrier::trigger):
2206 (JSC::DFG::DesiredWriteBarriers::DesiredWriteBarriers):
2207 (JSC::DFG::DesiredWriteBarriers::~DesiredWriteBarriers):
2208 (JSC::DFG::DesiredWriteBarriers::addImpl):
2209 (JSC::DFG::DesiredWriteBarriers::trigger):
2210 * dfg/DFGDesiredWriteBarriers.h: Added.
2211 (JSC::DFG::DesiredWriteBarriers::add):
2212 (JSC::DFG::initializeLazyWriteBarrier):
2213 * dfg/DFGFixupPhase.cpp:
2214 (JSC::DFG::FixupPhase::truncateConstantToInt32):
2216 (JSC::DFG::Graph::convertToConstant):
2217 * dfg/DFGJITCompiler.h:
2218 (JSC::DFG::JITCompiler::addWeakReference):
2220 (JSC::DFG::Plan::Plan):
2221 (JSC::DFG::Plan::reallyAdd):
2223 * dfg/DFGSpeculativeJIT32_64.cpp:
2224 (JSC::DFG::SpeculativeJIT::compile):
2225 * dfg/DFGSpeculativeJIT64.cpp:
2226 (JSC::DFG::SpeculativeJIT::compile):
2227 * runtime/WriteBarrier.h:
2228 (JSC::WriteBarrierBase::set):
2229 (JSC::WriteBarrier::WriteBarrier):
2231 2013-08-15 Benjamin Poulain <benjamin@webkit.org>
2233 Fix x86 32bits build after r154158
2235 * assembler/X86Assembler.h: Add missing #ifdef for the x86_64 instructions.
2237 2013-08-15 Ryosuke Niwa <rniwa@webkit.org>
2239 Build fix attempt after r154156.
2242 (JSC::cti_vm_handle_exception): encode!
2244 2013-08-15 Benjamin Poulain <benjamin@webkit.org>
2246 [JSC] x86: Use inc and dec when possible
2247 https://bugs.webkit.org/show_bug.cgi?id=119831
2249 Reviewed by Geoffrey Garen.
2251 When incrementing or decrementing by an immediate of 1, use the instructions
2252 inc and dec instead of add and sub.
2253 The instructions have good timing and their encoding is smaller.
2255 * assembler/MacroAssemblerX86Common.h:
2256 (JSC::MacroAssemblerX86_64::add32):
2257 (JSC::MacroAssemblerX86_64::sub32):
2258 * assembler/MacroAssemblerX86_64.h:
2259 (JSC::MacroAssemblerX86_64::add64):
2260 (JSC::MacroAssemblerX86_64::sub64):
2261 * assembler/X86Assembler.h:
2262 (JSC::X86Assembler::dec_r):
2263 (JSC::X86Assembler::decq_r):
2264 (JSC::X86Assembler::inc_r):
2265 (JSC::X86Assembler::incq_r):
2267 2013-08-15 Filip Pizlo <fpizlo@apple.com>
2269 Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
2270 https://bugs.webkit.org/show_bug.cgi?id=119874
2272 Reviewed by Oliver Hunt and Mark Hahnenberg.
2274 It was a confusion between heuristics in DFG::ArrayMode that are assuming that
2275 you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
2276 sometimes for typed array length accesses, and the FixupPhase assuming that a
2277 ForceExit ArrayMode means that it should continue using a generic GetById.
2279 This fixes the confusion.
2281 * dfg/DFGFixupPhase.cpp:
2282 (JSC::DFG::FixupPhase::fixupNode):
2284 2013-08-15 Mark Lam <mark.lam@apple.com>
2286 Fix crash when performing activation tearoff.
2287 https://bugs.webkit.org/show_bug.cgi?id=119848
2289 Reviewed by Oliver Hunt.
2291 The activation tearoff crash was due to a bug in the baseline JIT.
2292 If we have a scenario where a baseline JIT frame calls an LLINT
2293 frame, an exception may be thrown while in the LLINT.
2295 Interpreter::throwException() which handles the exception will unwind
2296 all frames until it finds a catcher or sees a host frame. When we
2297 return from the LLINT to the baseline JIT code, the baseline JIT code
2298 erroneously sets topCallFrame to the value in its call frame register,
2299 and starts unwinding the stack frames that have already been unwound.
2302 1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2303 This is a more accurate description of what this runtime function
2304 is supposed to do i.e. it handles the exception which include doing
2305 nothing (if there are no more frames to unwind).
2306 2. Fix up topCallFrame values so that the HostCallFrameFlag is never
2308 3. Reload the call frame register from topCallFrame when we're
2309 returning from a callee and detect exception handling in progress.
2311 * interpreter/Interpreter.cpp:
2312 (JSC::Interpreter::unwindCallFrame):
2313 - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2314 (JSC::Interpreter::getStackTrace):
2315 * interpreter/Interpreter.h:
2316 (JSC::TopCallFrameSetter::TopCallFrameSetter):
2317 (JSC::TopCallFrameSetter::~TopCallFrameSetter):
2318 (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
2319 - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2321 * jit/JITExceptions.cpp:
2322 (JSC::uncaughtExceptionHandler):
2323 - Convenience function to get the handler for uncaught exceptions.
2324 * jit/JITExceptions.h:
2326 (JSC::JIT::reloadCallFrameFromTopCallFrame):
2327 * jit/JITOpcodes32_64.cpp:
2328 (JSC::JIT::privateCompileCTINativeCall):
2329 - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2331 (JSC::throwExceptionFromOpCall):
2332 - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2333 (JSC::cti_vm_handle_exception):
2334 - Check for the case when there are no more frames to unwind.
2336 * jit/JITStubsARM.h:
2337 * jit/JITStubsARMv7.h:
2338 * jit/JITStubsMIPS.h:
2339 * jit/JITStubsSH4.h:
2340 * jit/JITStubsX86.h:
2341 * jit/JITStubsX86_64.h:
2342 - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2343 * jit/SlowPathCall.h:
2344 (JSC::JITSlowPathCall::call):
2345 - Reload cfr from topCallFrame when handling an exception.
2346 - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
2347 * jit/ThunkGenerators.cpp:
2348 (JSC::nativeForGenerator):
2349 * llint/LowLevelInterpreter32_64.asm:
2350 * llint/LowLevelInterpreter64.asm:
2351 - Reload cfr from topCallFrame when handling an exception.
2354 - Ensure that topCallFrame is not set with the HostCallFrameFlag.
2356 2013-08-15 Filip Pizlo <fpizlo@apple.com>
2358 Remove some code duplication.
2360 Rubber stamped by Mark Hahnenberg.
2362 * runtime/JSDataViewPrototype.cpp:
2366 2013-08-15 Julien Brianceau <jbrianceau@nds.com>
2368 [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
2369 https://bugs.webkit.org/show_bug.cgi?id=119794
2371 Reviewed by Filip Pizlo.
2373 This patch fixes ASSERT failures in debug builds for the sh4 and mips architectures.
2376 (JSC::DFG::isNumerical):
2377 (JSC::DFG::isDouble):
2379 2013-08-15 Filip Pizlo <fpizlo@apple.com>
2381 http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.
2383 Rubber stamped by Oliver Hunt.
2385 This was causing some test crashes for me.
2387 * dfg/DFGCapabilities.cpp:
2388 (JSC::DFG::capabilityLevel):
2390 2013-08-15 Brent Fulgham <bfulgham@apple.com>
2392 [Windows] Clear up improper export declaration.
2394 * runtime/ArrayBufferView.h:
2396 2013-08-15 Filip Pizlo <fpizlo@apple.com>
2398 Unreviewed, remove some unnecessary periods from exceptions.
2400 * runtime/JSDataViewPrototype.cpp:
2404 2013-08-15 Filip Pizlo <fpizlo@apple.com>
2406 Unreviewed, fix 32-bit build.
2408 * dfg/DFGSpeculativeJIT32_64.cpp:
2409 (JSC::DFG::SpeculativeJIT::compile):
2411 2013-08-14 Filip Pizlo <fpizlo@apple.com>
2413 Typed arrays should be rewritten
2414 https://bugs.webkit.org/show_bug.cgi?id=119064
2416 Reviewed by Oliver Hunt.
2418 Typed arrays were previously deficient in several major ways:
2420 - They were defined separately in WebCore and in the jsc shell. The two
2421 implementations were different, and the jsc shell one was basically wrong.
2422 The WebCore one was quite awful, also.
2424 - Typed arrays were not visible to the JIT except through some weird hooks.
2425 For example, the JIT could not ask "what is the Structure that this typed
2426 array would have if I just allocated it from this global object". Also,
2427 it was difficult to wire any of the typed array intrinsics, because most
2428 of the functionality wasn't visible anywhere in JSC.
2430 - Typed array allocation was brain-dead. Allocating a typed array involved
2431 two JS objects, two GC weak handles, and three malloc allocations.
2433 - Neutering. It involved keeping tabs on all native views but not the view
2434 wrappers, even though the native views can autoneuter just by asking the
2435 buffer if it was neutered anytime you touch them; while the JS view
2436 wrappers are the ones that you really want to reach out to.
2438 - Common case-ing. Most typed arrays have one buffer and one view, and
2439 usually nobody touches the buffer. Yet we created all of that stuff
2440 anyway, using data structures optimized for the case where you had a lot
2443 - Semantic goofs. Typed arrays should, in the future, behave like ES
2444 features rather than DOM features, for example when it comes to exceptions.
2445 Firefox already does this and I agree with them.
2447 This patch cleanses our codebase of these sins:
2449 - Typed arrays are almost entirely defined in JSC. Only the lifecycle
2450 management of native references to buffers is left to WebCore.
2452 - Allocating a typed array requires either two GC allocations (a cell and a
2453 copied storage vector) or one GC allocation, a malloc allocation, and a
2454 weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
2455 latter). The latter is only used for oversize arrays. Remember that before
2456 it was 7 allocations no matter what.
2458 - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
2459 mode/length, void* vector. Before it was a lot more than that - remember,
2460 there were five additional objects that did absolutely nothing for anybody.
2462 - Native views aren't tracked by the buffer, or by the wrappers. They are
2463 transient. In the future we'll probably switch to not even having them be
2466 - Native array buffers have an efficient way of tracking all of their JS view
2467 wrappers, both for neutering, and for lifecycle management. The GC
2468 special-cases native array buffers. This saves a bunch of grief; for example
2469 it means that a JS view wrapper can refer to its buffer via the butterfly,
2470 which would be dead by the time we went to finalize.
2472 - Typed array semantics now match Firefox, which also happens to be where the
2473 standards are going. The discussion on webkit-dev seemed to confirm that
2474 Chrome is also heading in this direction. This includes making
2475 Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
2476 ArrayBufferView as a JS-visible construct.
2478 This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
2479 It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
2480 further typed array optimizations in the JSC JITs, including inlining typed
2481 array allocation, inlining more of the accessors, reducing the cost of type
2484 An additional property of this patch is that typed arrays are mostly
2485 implemented using templates. This deduplicates a bunch of code, but does mean
2486 that we need some hacks for exporting s_info's of template classes. See
2487 JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
2488 low-impact compared to code duplication.
2490 Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
2493 * DerivedSources.make:
2494 * GNUmakefile.list.am:
2495 * JSCTypedArrayStubs.h: Removed.
2496 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2497 * JavaScriptCore.xcodeproj/project.pbxproj:
2499 * bytecode/ByValInfo.h:
2500 (JSC::hasOptimizableIndexingForClassInfo):
2501 (JSC::jitArrayModeForClassInfo):
2502 (JSC::typedArrayTypeForJITArrayMode):
2503 * bytecode/SpeculatedType.cpp:
2504 (JSC::speculationFromClassInfo):
2505 * dfg/DFGArrayMode.cpp:
2506 (JSC::DFG::toTypedArrayType):
2507 * dfg/DFGArrayMode.h:
2508 (JSC::DFG::ArrayMode::typedArrayType):
2509 * dfg/DFGSpeculativeJIT.cpp:
2510 (JSC::DFG::SpeculativeJIT::checkArray):
2511 (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
2512 (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
2513 (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2514 (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
2515 (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
2516 (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
2517 * dfg/DFGSpeculativeJIT.h:
2518 * dfg/DFGSpeculativeJIT32_64.cpp:
2519 (JSC::DFG::SpeculativeJIT::compile):
2520 * dfg/DFGSpeculativeJIT64.cpp:
2521 (JSC::DFG::SpeculativeJIT::compile):
2524 (JSC::DeferGCForAWhile::DeferGCForAWhile):
2525 (JSC::DeferGCForAWhile::~DeferGCForAWhile):
2526 * heap/GCIncomingRefCounted.h: Added.
2527 (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
2528 (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
2529 (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
2530 (JSC::GCIncomingRefCounted::incomingReferenceAt):
2531 (JSC::GCIncomingRefCounted::singletonFlag):
2532 (JSC::GCIncomingRefCounted::hasVectorOfCells):
2533 (JSC::GCIncomingRefCounted::hasAnyIncoming):
2534 (JSC::GCIncomingRefCounted::hasSingleton):
2535 (JSC::GCIncomingRefCounted::singleton):
2536 (JSC::GCIncomingRefCounted::vectorOfCells):
2537 * heap/GCIncomingRefCountedInlines.h: Added.
2538 (JSC::::addIncomingReference):
2539 (JSC::::filterIncomingReferences):
2540 * heap/GCIncomingRefCountedSet.h: Added.
2541 (JSC::GCIncomingRefCountedSet::size):
2542 * heap/GCIncomingRefCountedSetInlines.h: Added.
2543 (JSC::::GCIncomingRefCountedSet):
2544 (JSC::::~GCIncomingRefCountedSet):
2545 (JSC::::addReference):
2548 (JSC::::removeDead):
2550 (JSC::Heap::addReference):
2551 (JSC::Heap::extraSize):
2553 (JSC::Heap::capacity):
2554 (JSC::Heap::collect):
2555 (JSC::Heap::decrementDeferralDepth):
2556 (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
2558 * interpreter/CallFrame.h:
2559 (JSC::ExecState::dataViewTable):
2561 * jit/JITPropertyAccess.cpp:
2562 (JSC::JIT::privateCompileGetByVal):
2563 (JSC::JIT::privateCompilePutByVal):
2564 (JSC::JIT::emitIntTypedArrayGetByVal):
2565 (JSC::JIT::emitFloatTypedArrayGetByVal):
2566 (JSC::JIT::emitIntTypedArrayPutByVal):
2567 (JSC::JIT::emitFloatTypedArrayPutByVal):
2569 (GlobalObject::finishCreation):
2570 * runtime/ArrayBuffer.cpp:
2571 (JSC::ArrayBuffer::transfer):
2572 * runtime/ArrayBuffer.h:
2573 (JSC::ArrayBuffer::createAdopted):
2574 (JSC::ArrayBuffer::ArrayBuffer):
2575 (JSC::ArrayBuffer::gcSizeEstimateInBytes):
2576 (JSC::ArrayBuffer::pin):
2577 (JSC::ArrayBuffer::unpin):
2578 (JSC::ArrayBufferContents::tryAllocate):
2579 * runtime/ArrayBufferView.cpp:
2580 (JSC::ArrayBufferView::ArrayBufferView):
2581 (JSC::ArrayBufferView::~ArrayBufferView):
2582 (JSC::ArrayBufferView::setNeuterable):
2583 * runtime/ArrayBufferView.h:
2584 (JSC::ArrayBufferView::isNeutered):
2585 (JSC::ArrayBufferView::buffer):
2586 (JSC::ArrayBufferView::baseAddress):
2587 (JSC::ArrayBufferView::byteOffset):
2588 (JSC::ArrayBufferView::verifySubRange):
2589 (JSC::ArrayBufferView::clampOffsetAndNumElements):
2590 (JSC::ArrayBufferView::calculateOffsetAndLength):
2591 * runtime/ClassInfo.h:
2592 * runtime/CommonIdentifiers.h:
2593 * runtime/DataView.cpp: Added.
2594 (JSC::DataView::DataView):
2595 (JSC::DataView::create):
2596 (JSC::DataView::wrap):
2597 * runtime/DataView.h: Added.
2598 (JSC::DataView::byteLength):
2599 (JSC::DataView::getType):
2600 (JSC::DataView::get):
2601 (JSC::DataView::set):
2602 * runtime/Float32Array.h:
2603 * runtime/Float64Array.h:
2604 * runtime/GenericTypedArrayView.h: Added.
2605 (JSC::GenericTypedArrayView::data):
2606 (JSC::GenericTypedArrayView::set):
2607 (JSC::GenericTypedArrayView::setRange):
2608 (JSC::GenericTypedArrayView::zeroRange):
2609 (JSC::GenericTypedArrayView::zeroFill):
2610 (JSC::GenericTypedArrayView::length):
2611 (JSC::GenericTypedArrayView::byteLength):
2612 (JSC::GenericTypedArrayView::item):
2613 (JSC::GenericTypedArrayView::checkInboundData):
2614 (JSC::GenericTypedArrayView::getType):
2615 * runtime/GenericTypedArrayViewInlines.h: Added.
2616 (JSC::::GenericTypedArrayView):
2618 (JSC::::createUninitialized):
2621 * runtime/IndexingHeader.h:
2622 (JSC::IndexingHeader::arrayBuffer):
2623 (JSC::IndexingHeader::setArrayBuffer):
2624 * runtime/Int16Array.h:
2625 * runtime/Int32Array.h:
2626 * runtime/Int8Array.h:
2627 * runtime/JSArrayBuffer.cpp: Added.
2628 (JSC::JSArrayBuffer::JSArrayBuffer):
2629 (JSC::JSArrayBuffer::finishCreation):
2630 (JSC::JSArrayBuffer::create):
2631 (JSC::JSArrayBuffer::createStructure):
2632 (JSC::JSArrayBuffer::getOwnPropertySlot):
2633 (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
2634 (JSC::JSArrayBuffer::put):
2635 (JSC::JSArrayBuffer::defineOwnProperty):
2636 (JSC::JSArrayBuffer::deleteProperty):
2637 (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
2638 * runtime/JSArrayBuffer.h: Added.
2639 (JSC::JSArrayBuffer::impl):
2640 (JSC::toArrayBuffer):
2641 * runtime/JSArrayBufferConstructor.cpp: Added.
2642 (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
2643 (JSC::JSArrayBufferConstructor::finishCreation):
2644 (JSC::JSArrayBufferConstructor::create):
2645 (JSC::JSArrayBufferConstructor::createStructure):
2646 (JSC::constructArrayBuffer):
2647 (JSC::JSArrayBufferConstructor::getConstructData):
2648 (JSC::JSArrayBufferConstructor::getCallData):
2649 * runtime/JSArrayBufferConstructor.h: Added.
2650 * runtime/JSArrayBufferPrototype.cpp: Added.
2651 (JSC::arrayBufferProtoFuncSlice):
2652 (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
2653 (JSC::JSArrayBufferPrototype::finishCreation):
2654 (JSC::JSArrayBufferPrototype::create):
2655 (JSC::JSArrayBufferPrototype::createStructure):
2656 * runtime/JSArrayBufferPrototype.h: Added.
2657 * runtime/JSArrayBufferView.cpp: Added.
2658 (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2659 (JSC::JSArrayBufferView::JSArrayBufferView):
2660 (JSC::JSArrayBufferView::finishCreation):
2661 (JSC::JSArrayBufferView::getOwnPropertySlot):
2662 (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
2663 (JSC::JSArrayBufferView::put):
2664 (JSC::JSArrayBufferView::defineOwnProperty):
2665 (JSC::JSArrayBufferView::deleteProperty):
2666 (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
2667 (JSC::JSArrayBufferView::finalize):
2668 * runtime/JSArrayBufferView.h: Added.
2669 (JSC::JSArrayBufferView::sizeOf):
2670 (JSC::JSArrayBufferView::ConstructionContext::operator!):
2671 (JSC::JSArrayBufferView::ConstructionContext::structure):
2672 (JSC::JSArrayBufferView::ConstructionContext::vector):
2673 (JSC::JSArrayBufferView::ConstructionContext::length):
2674 (JSC::JSArrayBufferView::ConstructionContext::mode):
2675 (JSC::JSArrayBufferView::ConstructionContext::butterfly):
2676 (JSC::JSArrayBufferView::mode):
2677 (JSC::JSArrayBufferView::vector):
2678 (JSC::JSArrayBufferView::length):
2679 (JSC::JSArrayBufferView::offsetOfVector):
2680 (JSC::JSArrayBufferView::offsetOfLength):
2681 (JSC::JSArrayBufferView::offsetOfMode):
2682 * runtime/JSArrayBufferViewInlines.h: Added.
2683 (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
2684 (JSC::JSArrayBufferView::buffer):
2685 (JSC::JSArrayBufferView::impl):
2686 (JSC::JSArrayBufferView::neuter):
2687 (JSC::JSArrayBufferView::byteOffset):
2688 * runtime/JSCell.cpp:
2689 (JSC::JSCell::slowDownAndWasteMemory):
2690 (JSC::JSCell::getTypedArrayImpl):
2692 * runtime/JSDataView.cpp: Added.
2693 (JSC::JSDataView::JSDataView):
2694 (JSC::JSDataView::create):
2695 (JSC::JSDataView::createUninitialized):
2696 (JSC::JSDataView::set):
2697 (JSC::JSDataView::typedImpl):
2698 (JSC::JSDataView::getOwnPropertySlot):
2699 (JSC::JSDataView::getOwnPropertyDescriptor):
2700 (JSC::JSDataView::slowDownAndWasteMemory):
2701 (JSC::JSDataView::getTypedArrayImpl):
2702 (JSC::JSDataView::createStructure):
2703 * runtime/JSDataView.h: Added.
2704 * runtime/JSDataViewPrototype.cpp: Added.
2705 (JSC::JSDataViewPrototype::JSDataViewPrototype):
2706 (JSC::JSDataViewPrototype::create):
2707 (JSC::JSDataViewPrototype::createStructure):
2708 (JSC::JSDataViewPrototype::getOwnPropertySlot):
2709 (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
2712 (JSC::dataViewProtoFuncGetInt8):
2713 (JSC::dataViewProtoFuncGetInt16):
2714 (JSC::dataViewProtoFuncGetInt32):
2715 (JSC::dataViewProtoFuncGetUint8):
2716 (JSC::dataViewProtoFuncGetUint16):
2717 (JSC::dataViewProtoFuncGetUint32):
2718 (JSC::dataViewProtoFuncGetFloat32):
2719 (JSC::dataViewProtoFuncGetFloat64):
2720 (JSC::dataViewProtoFuncSetInt8):
2721 (JSC::dataViewProtoFuncSetInt16):
2722 (JSC::dataViewProtoFuncSetInt32):
2723 (JSC::dataViewProtoFuncSetUint8):
2724 (JSC::dataViewProtoFuncSetUint16):
2725 (JSC::dataViewProtoFuncSetUint32):
2726 (JSC::dataViewProtoFuncSetFloat32):
2727 (JSC::dataViewProtoFuncSetFloat64):
2728 * runtime/JSDataViewPrototype.h: Added.
2729 * runtime/JSFloat32Array.h: Added.
2730 * runtime/JSFloat64Array.h: Added.
2731 * runtime/JSGenericTypedArrayView.h: Added.
2732 (JSC::JSGenericTypedArrayView::byteLength):
2733 (JSC::JSGenericTypedArrayView::byteSize):
2734 (JSC::JSGenericTypedArrayView::typedVector):
2735 (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
2736 (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
2737 (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
2738 (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
2739 (JSC::JSGenericTypedArrayView::getIndexQuickly):
2740 (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
2741 (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
2742 (JSC::JSGenericTypedArrayView::setIndexQuickly):
2743 (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
2744 (JSC::JSGenericTypedArrayView::typedImpl):
2745 (JSC::JSGenericTypedArrayView::createStructure):
2746 (JSC::JSGenericTypedArrayView::info):
2747 (JSC::toNativeTypedView):
2748 * runtime/JSGenericTypedArrayViewConstructor.h: Added.
2749 * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
2750 (JSC::::JSGenericTypedArrayViewConstructor):
2751 (JSC::::finishCreation):
2753 (JSC::::createStructure):
2754 (JSC::constructGenericTypedArrayView):
2755 (JSC::::getConstructData):
2756 (JSC::::getCallData):
2757 * runtime/JSGenericTypedArrayViewInlines.h: Added.
2758 (JSC::::JSGenericTypedArrayView):
2760 (JSC::::createUninitialized):
2761 (JSC::::validateRange):
2762 (JSC::::setWithSpecificType):
2764 (JSC::::getOwnPropertySlot):
2765 (JSC::::getOwnPropertyDescriptor):
2767 (JSC::::defineOwnProperty):
2768 (JSC::::deleteProperty):
2769 (JSC::::getOwnPropertySlotByIndex):
2770 (JSC::::putByIndex):
2771 (JSC::::deletePropertyByIndex):
2772 (JSC::::getOwnNonIndexPropertyNames):
2773 (JSC::::getOwnPropertyNames):
2774 (JSC::::visitChildren):
2775 (JSC::::copyBackingStore):
2776 (JSC::::slowDownAndWasteMemory):
2777 (JSC::::getTypedArrayImpl):
2778 * runtime/JSGenericTypedArrayViewPrototype.h: Added.
2779 * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
2780 (JSC::genericTypedArrayViewProtoFuncSet):
2781 (JSC::genericTypedArrayViewProtoFuncSubarray):
2782 (JSC::::JSGenericTypedArrayViewPrototype):
2783 (JSC::::finishCreation):
2785 (JSC::::createStructure):
2786 * runtime/JSGlobalObject.cpp:
2787 (JSC::JSGlobalObject::reset):
2788 (JSC::JSGlobalObject::visitChildren):
2789 * runtime/JSGlobalObject.h:
2790 (JSC::JSGlobalObject::arrayBufferPrototype):
2791 (JSC::JSGlobalObject::arrayBufferStructure):
2792 (JSC::JSGlobalObject::typedArrayStructure):
2793 * runtime/JSInt16Array.h: Added.
2794 * runtime/JSInt32Array.h: Added.
2795 * runtime/JSInt8Array.h: Added.
2796 * runtime/JSTypedArrayConstructors.cpp: Added.
2797 * runtime/JSTypedArrayConstructors.h: Added.
2798 * runtime/JSTypedArrayPrototypes.cpp: Added.
2799 * runtime/JSTypedArrayPrototypes.h: Added.
2800 * runtime/JSTypedArrays.cpp: Added.
2801 * runtime/JSTypedArrays.h: Added.
2802 * runtime/JSUint16Array.h: Added.
2803 * runtime/JSUint32Array.h: Added.
2804 * runtime/JSUint8Array.h: Added.
2805 * runtime/JSUint8ClampedArray.h: Added.
2806 * runtime/Operations.h:
2807 * runtime/Options.h:
2808 * runtime/SimpleTypedArrayController.cpp: Added.
2809 (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
2810 (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
2811 (JSC::SimpleTypedArrayController::toJS):
2812 * runtime/SimpleTypedArrayController.h: Added.
2813 * runtime/Structure.h:
2814 (JSC::Structure::couldHaveIndexingHeader):
2815 * runtime/StructureInlines.h:
2816 (JSC::Structure::hasIndexingHeader):
2817 * runtime/TypedArrayAdaptors.h: Added.
2818 (JSC::IntegralTypedArrayAdaptor::toNative):
2819 (JSC::IntegralTypedArrayAdaptor::toJSValue):
2820 (JSC::IntegralTypedArrayAdaptor::toDouble):
2821 (JSC::FloatTypedArrayAdaptor::toNative):
2822 (JSC::FloatTypedArrayAdaptor::toJSValue):
2823 (JSC::FloatTypedArrayAdaptor::toDouble):
2824 (JSC::Uint8ClampedAdaptor::toNative):
2825 (JSC::Uint8ClampedAdaptor::toJSValue):
2826 (JSC::Uint8ClampedAdaptor::toDouble):
2827 (JSC::Uint8ClampedAdaptor::clamp):
2828 * runtime/TypedArrayController.cpp: Added.
2829 (JSC::TypedArrayController::TypedArrayController):
2830 (JSC::TypedArrayController::~TypedArrayController):
2831 * runtime/TypedArrayController.h: Added.
2832 * runtime/TypedArrayDescriptor.h: Removed.
2833 * runtime/TypedArrayInlines.h: Added.
2834 * runtime/TypedArrayType.cpp: Added.
2835 (JSC::classInfoForType):
2836 (WTF::printInternal):
2837 * runtime/TypedArrayType.h: Added.
2845 * runtime/TypedArrays.h: Added.
2846 * runtime/Uint16Array.h:
2847 * runtime/Uint32Array.h:
2848 * runtime/Uint8Array.h:
2849 * runtime/Uint8ClampedArray.h:
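The following script is an added example, not part of this ChangeLog entry or of the JavaScriptCore sources it lists. It checks, from JavaScript, the observable consequences of the typed array rewrite described above (Uint8ClampedArray as a distinct type, no script-visible ArrayBufferView) and the property a security reviewer cares most about in a native-backed view: every element access is bounds-checked against the view, and views either alias or copy their ArrayBuffer in well-defined ways. The sample values are constructed for the demonstration.

```javascript
// Added example (not from the JavaScriptCore ChangeLog or source tree).

// Uint8ClampedArray must not be an instance of Uint8Array.
function clampedIsSubtypeOfUint8() {
  return new Uint8ClampedArray(1) instanceof Uint8Array;
}

// ArrayBufferView is an engine-internal base class, not a global constructor.
function arrayBufferViewIsExposed() {
  return typeof globalThis.ArrayBufferView !== 'undefined';
}

// Store the same out-of-range and fractional samples (constructed here)
// through both element types: Uint8Array wraps modulo 256 and truncates,
// Uint8ClampedArray saturates to 0..255 and rounds half to even.
function storeSamples() {
  const samples = [300, -1, 1.5, 2.5, 255.5];
  const wrapped = new Uint8Array(samples.length);
  const clamped = new Uint8ClampedArray(samples.length);
  samples.forEach((v, i) => { wrapped[i] = v; clamped[i] = v; });
  return { wrapped: Array.from(wrapped), clamped: Array.from(clamped) };
}

// Out-of-range integer indices never reach the backing store: a typed array
// write is dropped and a read yields undefined, while DataView throws.
function outOfBoundsAccess() {
  const view = new Uint8Array(4);
  view[4] = 0xff;
  const dv = new DataView(view.buffer);
  let dataViewThrew = false;
  try {
    dv.getUint32(1); // needs bytes 1..4 of a 4-byte buffer
  } catch (e) {
    dataViewThrew = e instanceof RangeError;
  }
  return {
    writeIgnored: !(4 in view) && Object.keys(view).length === 4,
    read: view[4],
    dataViewThrew,
  };
}

// subarray() aliases the same ArrayBuffer; ArrayBuffer.prototype.slice()
// copies. Byte order is made explicit through DataView so the result does
// not depend on the host's endianness.
function sharedBacking() {
  const buf = new ArrayBuffer(8);
  const dv = new DataView(buf);
  dv.setUint32(0, 0x11223344, true);              // little-endian: 44 33 22 11
  const u8 = new Uint8Array(buf);
  const sub = u8.subarray(0, 4);                  // same buffer, no copy
  const copy = new Uint8Array(buf.slice(0, 4));   // independent copy
  sub[0] = 0xff;                                  // visible through u8 and dv, not copy
  return {
    copyBytes: Array.from(copy),                  // [0x44, 0x33, 0x22, 0x11]
    firstByteNow: u8[0],                          // 0xff
    wordNow: dv.getUint32(0, true),               // 0x112233ff
    subSharesBuffer: sub.buffer === buf,
  };
}
```

Each function returns its observations rather than printing them, so the same script can be dropped into a test harness when checking an engine build. The clamping table in storeSamples is the reason Uint8ClampedArray cannot share Uint8Array's fast paths: the JIT's store must saturate and round instead of masking.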
2855 2013-08-15 Oliver Hunt <oliver@apple.com>
2857 <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure
2859 Reviewed by Filip Pizlo.
2861 Make sure dfgCapabilities doesn't report a Dynamic put as
2862 being compilable when we don't actually support it.
2864 * bytecode/CodeBlock.cpp:
2865 (JSC::CodeBlock::dumpBytecode):
2866 * dfg/DFGCapabilities.cpp:
2867 (JSC::DFG::capabilityLevel):
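The script below is an added example and is not part of this ChangeLog entry or of JavaScriptCore. It defines a non-writable global, the situation the entry describes, and runs a store to it enough times for the function to become hot, checking that the sloppy-mode store is silently dropped and the strict-mode store throws TypeError. Freezing globals this way is a common hardening step against global clobbering, so the check is worth keeping in a test suite. The global name and iteration count are assumptions chosen for the demonstration.

```javascript
// Added example (not from the JavaScriptCore ChangeLog or source tree).
function probeReadonlyGlobal(name, iterations) {
  // The name is spliced into generated source, so restrict it to an identifier.
  if (!/^[A-Za-z_$][\w$]*$/.test(name)) throw new Error('not an identifier');
  Object.defineProperty(globalThis, name, {
    value: 1, writable: false, configurable: true,
  });
  // Unqualified assignment to a global resolves to the property defined above.
  // new Function bodies are sloppy unless they carry their own directive.
  const sloppy = new Function('v', `${name} = v; return ${name};`);
  const strict = new Function('v', `'use strict'; ${name} = v; return ${name};`);
  let sloppyResult;
  let strictError = null;
  try {
    // Sloppy mode: the write is dropped on every iteration and the old
    // value (1) is read back, no matter how hot the function gets.
    for (let i = 0; i < iterations; i++) sloppyResult = sloppy(i + 2);
    // Strict mode: the first iteration throws TypeError.
    for (let i = 0; i < iterations; i++) strict(i + 2);
  } catch (e) {
    strictError = e instanceof TypeError ? 'TypeError' : String(e);
  } finally {
    delete globalThis[name]; // configurable: true permits cleanup
  }
  return { sloppyResult, strictError, cleanedUp: !(name in globalThis) };
}
```

A run such as probeReadonlyGlobal('JSC_RO_PROBE', 10000) exercises the store through whatever tiers the engine applies to a hot function; the expected observations are a sloppyResult of 1, a strictError of 'TypeError', and cleanedUp true.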
2869 2013-08-15 Brent Fulgham <bfulgham@apple.com>
2871 [Windows] Incorrect DLL Linkage for JSC ArrayBuffer and ArrayBufferView
2872 https://bugs.webkit.org/show_bug.cgi?id=119847
2874 Reviewed by Oliver Hunt.
2876 * runtime/ArrayBuffer.h: Switch from WTF_EXPORT_PRIVATE to JS_EXPORT_PRIVATE
2877 * runtime/ArrayBufferView.h: Ditto.
2879 2013-08-15 Gavin Barraclough <barraclough@apple.com>
2881 https://bugs.webkit.org/show_bug.cgi?id=119843
2882 PropertySlot::setValue is ambiguous
2884 Reviewed by Geoff Garen.
2886 There are three different versions of PropertySlot::setValue, one for cacheable properties, and two that are used interchangeably and inconsistently.
2887 The problematic variants are the ones that just take a value, and one that takes a value and also the object containing the property.
2888 Unify on always providing the object, and remove the version that just takes a value.
2889 This always works except for JSString, where we optimize out the object (logically we should be instantiating a temporary StringObject on every property access).
2890 Provide a version of setValue that takes a JSString as the owner of the property.
2891 We won't store this, but it makes it clear that this interface should only be used from JSString.
2893 * API/JSCallbackObjectFunctions.h:
2894 (JSC::::getOwnPropertySlot):
2895 * JSCTypedArrayStubs.h:
2896 * runtime/Arguments.cpp:
2897 (JSC::Arguments::getOwnPropertySlotByIndex):
2898 (JSC::Arguments::getOwnPropertySlot):
2899 * runtime/JSActivation.cpp:
2900 (JSC::JSActivation::symbolTableGet):
2901 (JSC::JSActivation::getOwnPropertySlot):
2902 * runtime/JSArray.cpp:
2903 (JSC::JSArray::getOwnPropertySlot):
2904 * runtime/JSObject.cpp:
2905 (JSC::JSObject::getOwnPropertySlotByIndex):
2906 * runtime/JSString.h:
2907 (JSC::JSString::getStringPropertySlot):
2908 * runtime/JSSymbolTableObject.h:
2909 (JSC::symbolTableGet):
2910 * runtime/SparseArrayValueMap.cpp:
2911 (JSC::SparseArrayEntry::get):
2912 - Pass object containing property to PropertySlot::setValue
2913 * runtime/PropertySlot.h:
2914 (JSC::PropertySlot::setValue):
2915 - Logically, the base of a string property access is a temporary StringObject, but we optimize that away.
2916 (JSC::PropertySlot::setUndefined):
2917 - removed setValue(JSValue), added setValue(JSString*, JSValue)
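The following script is an added example, not part of this ChangeLog entry or of JavaScriptCore. It shows from script why the temporary StringObject can be optimized away: a store through that wrapper never persists, and only a sloppy-mode accessor can observe the wrapper at all, since strict-mode code sees the primitive as its receiver. The accessor names are assumptions chosen for the demonstration.

```javascript
// Added example (not from the JavaScriptCore ChangeLog or source tree).
function primitiveStringWrapper() {
  const s = 'abc';
  // Sloppy mode: the store lands on a throw-away wrapper and is lost.
  // A new Function body is sloppy regardless of the surrounding code.
  new Function('s', 's.tag = "x";')(s);
  // Strict mode: the same store is a TypeError.
  let strictThrew = false;
  try {
    (function () { 'use strict'; s.tag = 'x'; })();
  } catch (e) {
    strictThrew = e instanceof TypeError;
  }
  // An accessor on String.prototype sees the wrapper only in sloppy mode.
  Object.defineProperty(String.prototype, 'thisKindSloppy', {
    configurable: true,
    get: new Function('return typeof this;'),
  });
  Object.defineProperty(String.prototype, 'thisKindStrict', {
    configurable: true,
    get() { 'use strict'; return typeof this; },
  });
  const result = {
    afterSloppyStore: s.tag,                      // undefined
    strictThrew,                                  // true
    sloppyThis: s.thisKindSloppy,                 // 'object'
    strictThis: s.thisKindStrict,                 // 'string'
    freshWrapperEachTime: Object(s) !== Object(s), // true
  };
  delete String.prototype.thisKindSloppy;
  delete String.prototype.thisKindStrict;
  return result;
}
```

The accessors are removed again before returning so the probe leaves String.prototype unchanged; any code that relies on primitives being unboxed should be run in strict mode, where the receiver is the string itself.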
2919 2013-08-15 Oliver Hunt <oliver@apple.com>
2921 Remove bogus assertion.
2925 * dfg/DFGAbstractInterpreterInlines.h:
2926 (JSC::DFG::::executeEffects):
2928 2013-08-15 Allan Sandfeld Jensen <allan.jensen@digia.com>
2930 REGRESSION(r148790) Made 7 tests fail on x86 32bit
2931 https://bugs.webkit.org/show_bug.cgi?id=114913
2933 Reviewed by Filip Pizlo.
2935 The X87 register was not freed before some calls. Instead
2936 of inserting resetX87Registers to the last call sites,
2937 the two X87 registers are now freed in every call.
2939 * llint/LowLevelInterpreter32_64.asm:
2940 * llint/LowLevelInterpreter64.asm:
2941 * offlineasm/instructions.rb:
2942 * offlineasm/x86.rb:
2944 2013-08-14 Michael Saboff <msaboff@apple.com>
2947 https://bugs.webkit.org/show_bug.cgi?id=119601
2949 Reviewed by Oliver Hunt.
2951 * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation.
2952 * jit/JSInterfaceJIT.h: Added thirdArgumentRegister.
2953 * jit/SlowPathCall.h:
2954 (JSC::JITSlowPathCall::call): Added correct calling convention for Win64.
2956 2013-08-14 Alex Christensen <achristensen@apple.com>
2958 Compile fix for Win64 with jit disabled.
2959 https://bugs.webkit.org/show_bug.cgi?id=119804
2961 Reviewed by Michael Saboff.
2963 * offlineasm/cloop.rb: Added std:: before isnan.
2965 2013-08-14 Julien Brianceau <jbrianceau@nds.com>
2967 DFG_JIT implementation for sh4 architecture.
2968 https://bugs.webkit.org/show_bug.cgi?id=119737
2970 Reviewed by Oliver Hunt.
2972 * assembler/MacroAssemblerSH4.h:
2973 (JSC::MacroAssemblerSH4::invert):
2974 (JSC::MacroAssemblerSH4::add32):
2975 (JSC::MacroAssemblerSH4::and32):
2976 (JSC::MacroAssemblerSH4::lshift32):
2977 (JSC::MacroAssemblerSH4::mul32):
2978 (JSC::MacroAssemblerSH4::or32):
2979 (JSC::MacroAssemblerSH4::rshift32):
2980 (JSC::MacroAssemblerSH4::sub32):
2981 (JSC::MacroAssemblerSH4::xor32):
2982 (JSC::MacroAssemblerSH4::store32):
2983 (JSC::MacroAssemblerSH4::swapDouble):
2984 (JSC::MacroAssemblerSH4::storeDouble):
2985 (JSC::MacroAssemblerSH4::subDouble):
2986 (JSC::MacroAssemblerSH4::mulDouble):
2987 (JSC::MacroAssemblerSH4::divDouble):
2988 (JSC::MacroAssemblerSH4::negateDouble):
2989 (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
2990 (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
2991 (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
2992 (JSC::MacroAssemblerSH4::swap):
2993 (JSC::MacroAssemblerSH4::jump):
2994 (JSC::MacroAssemblerSH4::branchNeg32):
2995 (JSC::MacroAssemblerSH4::branchAdd32):
2996 (JSC::MacroAssemblerSH4::branchMul32):
2997 (JSC::MacroAssemblerSH4::urshift32):
2998 * assembler/SH4Assembler.h:
2999 (JSC::SH4Assembler::SH4Assembler):
3000 (JSC::SH4Assembler::labelForWatchpoint):
3001 (JSC::SH4Assembler::label):
3002 (JSC::SH4Assembler::debugOffset):
3003 * dfg/DFGAssemblyHelpers.h:
3004 (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
3005 (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
3006 (JSC::DFG::AssemblyHelpers::debugCall):
3007 * dfg/DFGCCallHelpers.h:
3008 (JSC::DFG::CCallHelpers::setupArguments):
3009 (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
3011 (JSC::DFG::FPRInfo::toRegister):
3012 (JSC::DFG::FPRInfo::toIndex):
3013 (JSC::DFG::FPRInfo::debugName):
3015 (JSC::DFG::GPRInfo::toRegister):
3016 (JSC::DFG::GPRInfo::toIndex):
3017 (JSC::DFG::GPRInfo::debugName):
3018 * dfg/DFGOperations.cpp:
3019 * dfg/DFGSpeculativeJIT.h:
3020 (JSC::DFG::SpeculativeJIT::callOperation):
3022 * jit/JITStubsSH4.h:
3024 2013-08-13 Filip Pizlo <fpizlo@apple.com>
3026 Unreviewed, fix build.
3031 * API/JSWrapperMap.mm:
3032 (tryUnwrapObjcObject):
3033 * API/ObjCCallbackFunction.mm:
3036 2013-08-13 Filip Pizlo <fpizlo@apple.com>
3038 Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
3039 https://bugs.webkit.org/show_bug.cgi?id=119770
3041 Reviewed by Mark Hahnenberg.
3043 * API/JSCallbackConstructor.cpp:
3044 (JSC::JSCallbackConstructor::finishCreation):
3045 * API/JSCallbackConstructor.h:
3046 (JSC::JSCallbackConstructor::createStructure):
3047 * API/JSCallbackFunction.cpp:
3048 (JSC::JSCallbackFunction::finishCreation):
3049 * API/JSCallbackFunction.h:
3050 (JSC::JSCallbackFunction::createStructure):
3051 * API/JSCallbackObject.cpp:
3052 (JSC::::createStructure):
3053 * API/JSCallbackObject.h:
3054 (JSC::JSCallbackObject::visitChildren):
3055 * API/JSCallbackObjectFunctions.h:
3056 (JSC::::asCallbackObject):
3057 (JSC::::finishCreation):
3058 * API/JSObjectRef.cpp:
3059 (JSObjectGetPrivate):
3060 (JSObjectSetPrivate):
3061 (JSObjectGetPrivateProperty):
3062 (JSObjectSetPrivateProperty):
3063 (JSObjectDeletePrivateProperty):
3064 * API/JSValueRef.cpp:
3065 (JSValueIsObjectOfClass):
3066 * API/JSWeakObjectMapRefPrivate.cpp:
3067 * API/ObjCCallbackFunction.h:
3068 (JSC::ObjCCallbackFunction::createStructure):
3069 * JSCTypedArrayStubs.h:
3070 * bytecode/CallLinkStatus.cpp:
3071 (JSC::CallLinkStatus::CallLinkStatus):
3072 (JSC::CallLinkStatus::function):
3073 (JSC::CallLinkStatus::internalFunction):
3074 * bytecode/CodeBlock.h:
3075 (JSC::baselineCodeBlockForInlineCallFrame):
3076 * bytecode/SpeculatedType.cpp:
3077 (JSC::speculationFromClassInfo):
3078 * bytecode/UnlinkedCodeBlock.cpp:
3079 (JSC::UnlinkedFunctionExecutable::visitChildren):
3080 (JSC::UnlinkedCodeBlock::visitChildren):
3081 (JSC::UnlinkedProgramCodeBlock::visitChildren):
3082 * bytecode/UnlinkedCodeBlock.h:
3083 (JSC::UnlinkedFunctionExecutable::createStructure):
3084 (JSC::UnlinkedProgramCodeBlock::createStructure):
3085 (JSC::UnlinkedEvalCodeBlock::createStructure):
3086 (JSC::UnlinkedFunctionCodeBlock::createStructure):
3087 * debugger/Debugger.cpp:
3088 * debugger/DebuggerActivation.cpp:
3089 (JSC::DebuggerActivation::visitChildren):
3090 * debugger/DebuggerActivation.h:
3091 (JSC::DebuggerActivation::createStructure):
3092 * debugger/DebuggerCallFrame.cpp:
3093 (JSC::DebuggerCallFrame::functionName):
3094 * dfg/DFGAbstractInterpreterInlines.h:
3095 (JSC::DFG::::executeEffects):
3096 * dfg/DFGByteCodeParser.cpp:
3097 (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
3098 (JSC::DFG::ByteCodeParser::parseBlock):
3099 * dfg/DFGFixupPhase.cpp:
3100 (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
3101 (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
3103 (JSC::DFG::Graph::dump):
3105 (JSC::DFG::Graph::isInternalFunctionConstant):
3106 * dfg/DFGOperations.cpp:
3107 * dfg/DFGSpeculativeJIT.cpp:
3108 (JSC::DFG::SpeculativeJIT::checkArray):
3109 (JSC::DFG::SpeculativeJIT::compileNewStringObject):
3110 * dfg/DFGThunks.cpp:
3111 (JSC::DFG::virtualForThunkGenerator):
3112 * interpreter/Interpreter.cpp:
3115 (GlobalObject::createStructure):
3116 * profiler/LegacyProfiler.cpp:
3117 (JSC::LegacyProfiler::createCallIdentifier):
3118 * runtime/Arguments.cpp:
3119 (JSC::Arguments::visitChildren):
3120 * runtime/Arguments.h:
3121 (JSC::Arguments::createStructure):
3123 (JSC::Arguments::finishCreation):
3124 * runtime/ArrayConstructor.cpp:
3125 (JSC::arrayConstructorIsArray):
3126 * runtime/ArrayConstructor.h:
3127 (JSC::ArrayConstructor::createStructure):
3128 * runtime/ArrayPrototype.cpp:
3129 (JSC::ArrayPrototype::finishCreation):
3130 (JSC::arrayProtoFuncConcat):
3131 (JSC::attemptFastSort):
3132 * runtime/ArrayPrototype.h:
3133 (JSC::ArrayPrototype::createStructure):
3134 * runtime/BooleanConstructor.h:
3135 (JSC::BooleanConstructor::createStructure):
3136 * runtime/BooleanObject.cpp:
3137 (JSC::BooleanObject::finishCreation):
3138 * runtime/BooleanObject.h:
3139 (JSC::BooleanObject::createStructure):
3140 (JSC::asBooleanObject):
3141 * runtime/BooleanPrototype.cpp:
3142 (JSC::BooleanPrototype::finishCreation):
3143 (JSC::booleanProtoFuncToString):
3144 (JSC::booleanProtoFuncValueOf):
3145 * runtime/BooleanPrototype.h:
3146 (JSC::BooleanPrototype::createStructure):
3147 * runtime/DateConstructor.cpp:
3148 (JSC::constructDate):
3149 * runtime/DateConstructor.h:
3150 (JSC::DateConstructor::createStructure):
3151 * runtime/DateInstance.cpp:
3152 (JSC::DateInstance::finishCreation):
3153 * runtime/DateInstance.h:
3154 (JSC::DateInstance::createStructure):
3155 (JSC::asDateInstance):
3156 * runtime/DatePrototype.cpp:
3157 (JSC::formateDateInstance):
3158 (JSC::DatePrototype::finishCreation):
3159 (JSC::dateProtoFuncToISOString):
3160 (JSC::dateProtoFuncToLocaleString):
3161 (JSC::dateProtoFuncToLocaleDateString):
3162 (JSC::dateProtoFuncToLocaleTimeString):
3163 (JSC::dateProtoFuncGetTime):
3164 (JSC::dateProtoFuncGetFullYear):
3165 (JSC::dateProtoFuncGetUTCFullYear):
3166 (JSC::dateProtoFuncGetMonth):
3167 (JSC::dateProtoFuncGetUTCMonth):
3168 (JSC::dateProtoFuncGetDate):
3169 (JSC::dateProtoFuncGetUTCDate):
3170 (JSC::dateProtoFuncGetDay):
3171 (JSC::dateProtoFuncGetUTCDay):
3172 (JSC::dateProtoFuncGetHours):
3173 (JSC::dateProtoFuncGetUTCHours):
3174 (JSC::dateProtoFuncGetMinutes):
3175 (JSC::dateProtoFuncGetUTCMinutes):
3176 (JSC::dateProtoFuncGetSeconds):
3177 (JSC::dateProtoFuncGetUTCSeconds):
3178 (JSC::dateProtoFuncGetMilliSeconds):
3179 (JSC::dateProtoFuncGetUTCMilliseconds):
3180 (JSC::dateProtoFuncGetTimezoneOffset):
3181 (JSC::dateProtoFuncSetTime):
3182 (JSC::setNewValueFromTimeArgs):
3183 (JSC::setNewValueFromDateArgs):
3184 (JSC::dateProtoFuncSetYear):
3185 (JSC::dateProtoFuncGetYear):
3186 * runtime/DatePrototype.h:
3187 (JSC::DatePrototype::createStructure):
3189 (JSC::StrictModeTypeErrorFunction::createStructure):
3190 * runtime/ErrorConstructor.h:
3191 (JSC::ErrorConstructor::createStructure):
3192 * runtime/ErrorInstance.cpp:
3193 (JSC::ErrorInstance::finishCreation):
3194 * runtime/ErrorInstance.h:
3195 (JSC::ErrorInstance::createStructure):
3196 * runtime/ErrorPrototype.cpp:
3197 (JSC::ErrorPrototype::finishCreation):
3198 * runtime/ErrorPrototype.h:
3199 (JSC::ErrorPrototype::createStructure):
3200 * runtime/ExceptionHelpers.cpp:
3201 (JSC::isTerminatedExecutionException):
3202 * runtime/ExceptionHelpers.h:
3203 (JSC::TerminatedExecutionError::createStructure):
3204 * runtime/Executable.cpp:
3205 (JSC::EvalExecutable::visitChildren):
3206 (JSC::ProgramExecutable::visitChildren):
3207 (JSC::FunctionExecutable::visitChildren):
3208 (JSC::ExecutableBase::hashFor):
3209 * runtime/Executable.h:
3210 (JSC::ExecutableBase::createStructure):
3211 (JSC::NativeExecutable::createStructure):
3212 (JSC::EvalExecutable::createStructure):
3213 (JSC::ProgramExecutable::createStructure):
3214 (JSC::FunctionExecutable::compileFor):
3215 (JSC::FunctionExecutable::compileOptimizedFor):
3216 (JSC::FunctionExecutable::createStructure):
3217 * runtime/FunctionConstructor.h:
3218 (JSC::FunctionConstructor::createStructure):
3219 * runtime/FunctionPrototype.cpp:
3220 (JSC::functionProtoFuncToString):
3221 (JSC::functionProtoFuncApply):
3222 (JSC::functionProtoFuncBind):
3223 * runtime/FunctionPrototype.h:
3224 (JSC::FunctionPrototype::createStructure):
3225 * runtime/GetterSetter.cpp:
3226 (JSC::GetterSetter::visitChildren):
3227 * runtime/GetterSetter.h:
3228 (JSC::GetterSetter::createStructure):
3229 * runtime/InternalFunction.cpp:
3230 (JSC::InternalFunction::finishCreation):
3231 * runtime/InternalFunction.h:
3232 (JSC::InternalFunction::createStructure):
3233 (JSC::asInternalFunction):
3234 * runtime/JSAPIValueWrapper.h:
3235 (JSC::JSAPIValueWrapper::createStructure):
3236 * runtime/JSActivation.cpp:
3237 (JSC::JSActivation::visitChildren):
3238 (JSC::JSActivation::argumentsGetter):
3239 * runtime/JSActivation.h:
3240 (JSC::JSActivation::createStructure):
3241 (JSC::asActivation):
3242 * runtime/JSArray.h:
3243 (JSC::JSArray::createStructure):
3246 * runtime/JSBoundFunction.cpp:
3247 (JSC::JSBoundFunction::finishCreation):
3248 (JSC::JSBoundFunction::visitChildren):
3249 * runtime/JSBoundFunction.h:
3250 (JSC::JSBoundFunction::createStructure):
3251 * runtime/JSCJSValue.cpp:
3252 (JSC::JSValue::dumpInContext):
3253 * runtime/JSCJSValueInlines.h:
3254 (JSC::JSValue::isFunction):
3257 (JSC::jsDynamicCast):
3258 * runtime/JSCellInlines.h:
3259 (JSC::allocateCell):
3260 * runtime/JSFunction.cpp:
3261 (JSC::JSFunction::finishCreation):
3262 (JSC::JSFunction::visitChildren):
3263 (JSC::skipOverBoundFunctions):
3264 (JSC::JSFunction::callerGetter):
3265 * runtime/JSFunction.h:
3266 (JSC::JSFunction::createStructure):
3267 * runtime/JSGlobalObject.cpp:
3268 (JSC::JSGlobalObject::visitChildren):
3269 (JSC::slowValidateCell):
3270 * runtime/JSGlobalObject.h:
3271 (JSC::JSGlobalObject::createStructure):
3272 * runtime/JSNameScope.cpp:
3273 (JSC::JSNameScope::visitChildren):
3274 * runtime/JSNameScope.h:
3275 (JSC::JSNameScope::createStructure):
3276 * runtime/JSNotAnObject.h:
3277 (JSC::JSNotAnObject::createStructure):
3278 * runtime/JSONObject.cpp:
3279 (JSC::JSONObject::finishCreation):
3280 (JSC::unwrapBoxedPrimitive):
3281 (JSC::Stringifier::Stringifier):
3282 (JSC::Stringifier::appendStringifiedValue):
3283 (JSC::Stringifier::Holder::Holder):
3284 (JSC::Walker::walk):
3285 (JSC::JSONProtoFuncStringify):
3286 * runtime/JSONObject.h:
3287 (JSC::JSONObject::createStructure):
3288 * runtime/JSObject.cpp:
3289 (JSC::getCallableObjectSlow):
3290 (JSC::JSObject::visitChildren):
3291 (JSC::JSObject::copyBackingStore):
3292 (JSC::JSFinalObject::visitChildren):
3293 (JSC::JSObject::ensureInt32Slow):
3294 (JSC::JSObject::ensureDoubleSlow):
3295 (JSC::JSObject::ensureContiguousSlow):
3296 (JSC::JSObject::ensureArrayStorageSlow):
3297 * runtime/JSObject.h:
3298 (JSC::JSObject::finishCreation):
3299 (JSC::JSObject::createStructure):
3300 (JSC::JSNonFinalObject::createStructure):
3301 (JSC::JSFinalObject::createStructure):
3302 (JSC::isJSFinalObject):
3303 * runtime/JSPropertyNameIterator.cpp:
3304 (JSC::JSPropertyNameIterator::visitChildren):
3305 * runtime/JSPropertyNameIterator.h:
3306 (JSC::JSPropertyNameIterator::createStructure):
3307 * runtime/JSProxy.cpp:
3308 (JSC::JSProxy::visitChildren):
3309 * runtime/JSProxy.h:
3310 (JSC::JSProxy::createStructure):
3311 * runtime/JSScope.cpp:
3312 (JSC::JSScope::visitChildren):
3313 * runtime/JSSegmentedVariableObject.cpp:
3314 (JSC::JSSegmentedVariableObject::visitChildren):
3315 * runtime/JSString.h:
3316 (JSC::JSString::createStructure):
3318 * runtime/JSSymbolTableObject.cpp:
3319 (JSC::JSSymbolTableObject::visitChildren):
3320 * runtime/JSVariableObject.h:
3321 * runtime/JSWithScope.cpp:
3322 (JSC::JSWithScope::visitChildren):
3323 * runtime/JSWithScope.h:
3324 (JSC::JSWithScope::createStructure):
3325 * runtime/JSWrapperObject.cpp:
3326 (JSC::JSWrapperObject::visitChildren):
3327 * runtime/JSWrapperObject.h:
3328 (JSC::JSWrapperObject::createStructure):
3329 * runtime/MathObject.cpp:
3330 (JSC::MathObject::finishCreation):
3331 * runtime/MathObject.h:
3332 (JSC::MathObject::createStructure):
3333 * runtime/NameConstructor.h:
3334 (JSC::NameConstructor::createStructure):
3335 * runtime/NameInstance.h:
3336 (JSC::NameInstance::createStructure):
3337 (JSC::NameInstance::finishCreation):
3338 * runtime/NamePrototype.cpp:
3339 (JSC::NamePrototype::finishCreation):
3340 (JSC::privateNameProtoFuncToString):
3341 * runtime/NamePrototype.h:
3342 (JSC::NamePrototype::createStructure):
3343 * runtime/NativeErrorConstructor.cpp:
3344 (JSC::NativeErrorConstructor::visitChildren):
3345 * runtime/NativeErrorConstructor.h:
3346 (JSC::NativeErrorConstructor::createStructure):
3347 (JSC::NativeErrorConstructor::finishCreation):
3348 * runtime/NumberConstructor.cpp:
3349 (JSC::NumberConstructor::finishCreation):
3350 * runtime/NumberConstructor.h:
3351 (JSC::NumberConstructor::createStructure):
3352 * runtime/NumberObject.cpp:
3353 (JSC::NumberObject::finishCreation):
3354 * runtime/NumberObject.h:
3355 (JSC::NumberObject::createStructure):
3356 * runtime/NumberPrototype.cpp:
3357 (JSC::NumberPrototype::finishCreation):
3358 * runtime/NumberPrototype.h:
3359 (JSC::NumberPrototype::createStructure):
3360 * runtime/ObjectConstructor.h:
3361 (JSC::ObjectConstructor::createStructure):
3362 * runtime/ObjectPrototype.cpp:
3363 (JSC::ObjectPrototype::finishCreation):
3364 * runtime/ObjectPrototype.h:
3365 (JSC::ObjectPrototype::createStructure):
3366 * runtime/PropertyMapHashTable.h:
3367 (JSC::PropertyTable::createStructure):
3368 * runtime/PropertyTable.cpp:
3369 (JSC::PropertyTable::visitChildren):
3371 (JSC::RegExp::createStructure):
3372 * runtime/RegExpConstructor.cpp:
3373 (JSC::RegExpConstructor::finishCreation):
3374 (JSC::RegExpConstructor::visitChildren):
3375 (JSC::constructRegExp):
3376 * runtime/RegExpConstructor.h:
3377 (JSC::RegExpConstructor::createStructure):
3378 (JSC::asRegExpConstructor):
3379 * runtime/RegExpMatchesArray.cpp: