1 2013-02-08  Filip Pizlo  <fpizlo@apple.com>
2
3         DFG should allow phases to break Phi's and then have one phase to rebuild them
4         https://bugs.webkit.org/show_bug.cgi?id=108414
5
6         Reviewed by Mark Hahnenberg.
7         
8         Introduces two new DFG forms: LoadStore and ThreadedCPS. These are described in
9         detail in DFGCommon.h.
10         
11         Consequently, DFG phases no longer have to worry about preserving data flow
12         links between basic blocks. It is generally always safe to request that the
13         graph be dethreaded (Graph::dethread), which brings it into LoadStore form, where
14         the data flow is implicit. In this form, only liveness-at-head needs to be
15         preserved.
16         
17         All of the machinery for "threading" the graph to introduce data flow between
18         blocks is now moved out of the bytecode parser and into the CPSRethreadingPhase.
19         All phases that previously did this maintenance themselves now just rely on
20         being able to dethread the graph. The one exception is the structure check
21         hoisting phase, which operates over a threaded graph and preserves it, for the
22         sake of performance.
23         
24         Also moved two other things into their own phases: unification (previously found
25         in the parser) and prediction injection (previously found in various places).
26
27         * CMakeLists.txt:
28         * GNUmakefile.list.am:
29         * JavaScriptCore.xcodeproj/project.pbxproj:
30         * Target.pri:
31         * bytecode/Operands.h:
32         (Operands):
33         (JSC::Operands::sizeFor):
34         (JSC::Operands::atFor):
35         * dfg/DFGAbstractState.cpp:
36         (JSC::DFG::AbstractState::execute):
37         (JSC::DFG::AbstractState::mergeStateAtTail):
38         * dfg/DFGAllocator.h:
39         (JSC::DFG::::allocateSlow):
40         * dfg/DFGArgumentsSimplificationPhase.cpp:
41         (JSC::DFG::ArgumentsSimplificationPhase::run):
42         * dfg/DFGBasicBlockInlines.h:
43         (DFG):
44         * dfg/DFGByteCodeParser.cpp:
45         (JSC::DFG::ByteCodeParser::getLocal):
46         (JSC::DFG::ByteCodeParser::getArgument):
47         (JSC::DFG::ByteCodeParser::flushDirect):
48         (JSC::DFG::ByteCodeParser::parseBlock):
49         (DFG):
50         (JSC::DFG::ByteCodeParser::parse):
51         * dfg/DFGCFGSimplificationPhase.cpp:
52         (JSC::DFG::CFGSimplificationPhase::run):
53         (JSC::DFG::CFGSimplificationPhase::killUnreachable):
54         (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
55         (CFGSimplificationPhase):
56         (JSC::DFG::CFGSimplificationPhase::fixJettisonedPredecessors):
57         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
58         * dfg/DFGCPSRethreadingPhase.cpp: Added.
59         (DFG):
60         (CPSRethreadingPhase):
61         (JSC::DFG::CPSRethreadingPhase::CPSRethreadingPhase):
62         (JSC::DFG::CPSRethreadingPhase::run):
63         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
64         (JSC::DFG::CPSRethreadingPhase::clearVariablesAtHeadAndTail):
65         (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
66         (JSC::DFG::CPSRethreadingPhase::addPhi):
67         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
68         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocal):
69         (JSC::DFG::CPSRethreadingPhase::canonicalizeSetLocal):
70         (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
71         (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocal):
72         (JSC::DFG::CPSRethreadingPhase::canonicalizeSetArgument):
73         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
74         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlocks):
75         (JSC::DFG::CPSRethreadingPhase::propagatePhis):
76         (JSC::DFG::CPSRethreadingPhase::PhiStackEntry::PhiStackEntry):
77         (PhiStackEntry):
78         (JSC::DFG::CPSRethreadingPhase::phiStackFor):
79         (JSC::DFG::performCPSRethreading):
80         * dfg/DFGCPSRethreadingPhase.h: Added.
81         (DFG):
82         * dfg/DFGCSEPhase.cpp:
83         (CSEPhase):
84         (JSC::DFG::CSEPhase::performNodeCSE):
85         * dfg/DFGCommon.cpp:
86         (WTF):
87         (WTF::printInternal):
88         * dfg/DFGCommon.h:
89         (JSC::DFG::logCompilationChanges):
90         (DFG):
91         (WTF):
92         * dfg/DFGConstantFoldingPhase.cpp:
93         (JSC::DFG::ConstantFoldingPhase::foldConstants):
94         * dfg/DFGDriver.cpp:
95         (JSC::DFG::compile):
96         * dfg/DFGGraph.cpp:
97         (JSC::DFG::Graph::Graph):
98         (JSC::DFG::Graph::dump):
99         (JSC::DFG::Graph::dethread):
100         (JSC::DFG::Graph::collectGarbage):
101         * dfg/DFGGraph.h:
102         (JSC::DFG::Graph::performSubstitution):
103         (Graph):
104         (JSC::DFG::Graph::performSubstitutionForEdge):
105         (JSC::DFG::Graph::convertToConstant):
106         * dfg/DFGNode.h:
107         (JSC::DFG::Node::convertToPhantomLocal):
108         (Node):
109         (JSC::DFG::Node::convertToGetLocal):
110         (JSC::DFG::Node::hasVariableAccessData):
111         * dfg/DFGNodeType.h:
112         (DFG):
113         * dfg/DFGPhase.cpp:
114         (JSC::DFG::Phase::beginPhase):
115         * dfg/DFGPhase.h:
116         (JSC::DFG::runAndLog):
117         * dfg/DFGPredictionInjectionPhase.cpp: Added.
118         (DFG):
119         (PredictionInjectionPhase):
120         (JSC::DFG::PredictionInjectionPhase::PredictionInjectionPhase):
121         (JSC::DFG::PredictionInjectionPhase::run):
122         (JSC::DFG::performPredictionInjection):
123         * dfg/DFGPredictionInjectionPhase.h: Added.
124         (DFG):
125         * dfg/DFGPredictionPropagationPhase.cpp:
126         (JSC::DFG::PredictionPropagationPhase::run):
127         (JSC::DFG::PredictionPropagationPhase::propagate):
128         * dfg/DFGSpeculativeJIT32_64.cpp:
129         (JSC::DFG::SpeculativeJIT::compile):
130         * dfg/DFGSpeculativeJIT64.cpp:
131         (JSC::DFG::SpeculativeJIT::compile):
132         * dfg/DFGStructureCheckHoistingPhase.cpp:
133         (JSC::DFG::StructureCheckHoistingPhase::run):
134         * dfg/DFGUnificationPhase.cpp: Added.
135         (DFG):
136         (UnificationPhase):
137         (JSC::DFG::UnificationPhase::UnificationPhase):
138         (JSC::DFG::UnificationPhase::run):
139         (JSC::DFG::performUnification):
140         * dfg/DFGUnificationPhase.h: Added.
141         (DFG):
142         * dfg/DFGValidate.cpp:
143         (JSC::DFG::Validate::validate):
144         (JSC::DFG::Validate::dumpGraphIfAppropriate):
145         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
146         (JSC::DFG::VirtualRegisterAllocationPhase::run):
147         * llint/LLIntSlowPaths.cpp:
148         (JSC::LLInt::setUpCall):
149         * runtime/JSCJSValue.cpp:
150         (JSC::JSValue::dump):
151         * runtime/JSString.h:
152         (JSString):
153         * runtime/Options.h:
154         (JSC):
155
156 2013-02-08  Jer Noble  <jer.noble@apple.com>
157
158         Bring WebKit up to speed with latest Encrypted Media spec.
159         https://bugs.webkit.org/show_bug.cgi?id=97037
160
161         Reviewed by Eric Carlson.
162
163         Define the ENABLE_ENCRYPTED_MEDIA_V2 setting.
164
165         * Configurations/FeatureDefines.xcconfig:
166
167 2013-02-08  Gavin Barraclough  <barraclough@apple.com>
168
169         Objective-C API for JavaScriptCore
170         https://bugs.webkit.org/show_bug.cgi?id=105889
171
172         Reviewed by Joseph Pecoraro
173
174         Following up on review comments, mostly typos.
175
176         * API/JSBlockAdaptor.h:
177         * API/JSBlockAdaptor.mm:
178         (-[JSBlockAdaptor blockFromValue:inContext:withException:]):
179         * API/JSContext.h:
180         * API/JSExport.h:
181         * API/JSValue.h:
182         * API/JSValue.mm:
183         * API/JSWrapperMap.mm:
184         (selectorToPropertyName):
185         (-[JSWrapperMap classInfoForClass:]):
186         (-[JSWrapperMap wrapperForObject:]):
187
188 2013-02-08  Martin Robinson  <mrobinson@igalia.com>
189
190         [GTK] Add an experimental gyp build
191         https://bugs.webkit.org/show_bug.cgi?id=109003
192
193         Reviewed by Gustavo Noronha Silva.
194
195         * JavaScriptCore.gypi: Update the list of source files to include those
196         necessary for the GTK+ build.
197
198 2013-02-08  Andreas Kling  <akling@apple.com>
199
200         JSC: Lower minimum PropertyTable size.
201         <http://webkit.org/b/109247>
202
203         Reviewed by Darin Adler.
204
205         Lower the minimum table size for PropertyTable from 16 to 8.
206         3.32 MB progression on Membuster3 (a ~13% reduction in memory used by PropertyTables.)
207
208         * runtime/PropertyMapHashTable.h:
209         (PropertyTable):
210         (JSC::PropertyTable::sizeForCapacity):
211
212 2013-02-07  Roger Fong  <roger_fong@apple.com>
213
214         Unreviewed. More VS2010 WebKit solution touchups.
215         Make JavaScriptCoreExports.def.in be treated as a custom build file so that changes to it cause the exports to be rebuilt.
216
217         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj:
218         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj.filters:
219         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
220
221 2013-02-07  Mark Hahnenberg  <mhahnenberg@apple.com>
222
223         Objective-C API: testapi.mm should use ARC
224         https://bugs.webkit.org/show_bug.cgi?id=107838
225
226         Reviewed by Mark Rowe.
227
228         Removing the changes to the Xcode project file and moving the equivalent flags into 
229         the ToolExecutable xcconfig file.
230
231         * Configurations/ToolExecutable.xcconfig:
232         * JavaScriptCore.xcodeproj/project.pbxproj:
233
234 2013-02-07  Brent Fulgham  <bfulgham@webkit.org>
235
236         [Windows] Unreviewed Visual Studio 2010 build fixes after r142179.
237
238         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: Correct changed symbols
239         * JavaScriptCore.vcxproj/JavaScriptCoreExports.def: Removed autogenerated file.
240
241 2013-02-05  Filip Pizlo  <fpizlo@apple.com>
242
243         DFG::ByteCodeParser should do surgical constant folding to reduce load on the optimization fixpoint
244         https://bugs.webkit.org/show_bug.cgi?id=109000
245
246         Reviewed by Oliver Hunt.
247         
248         Previously our source parser's ASTBuilder did some surgical constant folding, but it
249         didn't cover some cases.  It was particularly incapable of doing constant folding for
250         cases where we do some minimal loop peeling in the bytecode generator - since it
251         didn't "see" those constants prior to the peeling.  Example:
252
253         for (var i = 0; i < 4; ++i)
254             things;
255
256         This will get peeled just a bit by the bytecode generator, so that the "i < 4" is
257         duplicated both at the top of the loop and the bottom.  This means that we have a
258         constant comparison: "0 < 4", which the bytecode generator emits without any further
259         thought.
260
261         The DFG optimization fixpoint of course folds this and simplifies the CFG 
262         accordingly, but this incurs a compile-time cost.  The purpose of this change is to
263         do some surgical constant folding in the DFG's bytecode parser, so that such
264         constructs reduce load on the CFG simplifier and the optimization fixpoint.  The goal
265         is not to cover all cases, since the DFG CFA and CFG simplifier have a powerful
266         sparse conditional constant propagation that we can always fall back on. Instead the
267         goal is to cover enough cases that for common small functions we don't have to
268         perform such transformations, thereby reducing compile times.
269         
270         This also refactors m_inlineStackEntry->m_inlineCallFrame to be a handy method call
271         and also adds the notion of a TriState-based JSValue::pureToBoolean(). Both of these
272         things are used by the folder.
273         
274         As well, care has been taken to make sure that the bytecode parser only does folding
275         that is statically provable, and that doesn't arise out of speculation. This means
276         we cannot fold on data flow that crosses inlining boundaries. On the other hand, the
277         folding that the bytecode parser uses doesn't require phantoming anything. Such is
278         the trade-off: for anything that we do need phantoming, we defer it to the
279         optimization fixpoint.
280         
281         Slight SunSpider speed-up.
282
283         * dfg/DFGByteCodeParser.cpp:
284         (JSC::DFG::ByteCodeParser::get):
285         (JSC::DFG::ByteCodeParser::getLocal):
286         (JSC::DFG::ByteCodeParser::setLocal):
287         (JSC::DFG::ByteCodeParser::flushDirect):
288         (JSC::DFG::ByteCodeParser::flushArgumentsAndCapturedVariables):
289         (JSC::DFG::ByteCodeParser::toInt32):
290         (ByteCodeParser):
291         (JSC::DFG::ByteCodeParser::inlineCallFrame):
292         (JSC::DFG::ByteCodeParser::currentCodeOrigin):
293         (JSC::DFG::ByteCodeParser::canFold):
294         (JSC::DFG::ByteCodeParser::handleInlining):
295         (JSC::DFG::ByteCodeParser::getScope):
296         (JSC::DFG::ByteCodeParser::parseResolveOperations):
297         (JSC::DFG::ByteCodeParser::parseBlock):
298         (JSC::DFG::ByteCodeParser::parseCodeBlock):
299         * dfg/DFGNode.h:
300         (JSC::DFG::Node::isStronglyProvedConstantIn):
301         (Node):
302         * runtime/JSCJSValue.h:
303         * runtime/JSCJSValueInlines.h:
304         (JSC::JSValue::pureToBoolean):
305         (JSC):
306
307 2013-02-07  Zoltan Herczeg  <zherczeg@webkit.org>
308
309         Invalid code is generated for storing constants with baseindex addressing modes on ARM traditional.
310         https://bugs.webkit.org/show_bug.cgi?id=109050
311
312         Reviewed by Oliver Hunt.
313
314         The S1 scratch register is reused (as the computed base+index address), but it should still contain the constant value to be stored.
315
316         * assembler/ARMAssembler.cpp:
317         (JSC::ARMAssembler::baseIndexTransfer32):
318         (JSC::ARMAssembler::baseIndexTransfer16):
319
320 2013-02-07  Andras Becsi  <andras.becsi@digia.com>
321
322         [Qt] Use GNU ar's thin archive format for intermediate static libs
323         https://bugs.webkit.org/show_bug.cgi?id=109052
324
325         Reviewed by Jocelyn Turcotte.
326
327         Adjust project files that used activeBuildConfig()
328         to use targetSubDir().
329
330         * JavaScriptCore.pri:
331         * LLIntOffsetsExtractor.pro:
332         * Target.pri:
333
334 2013-02-06  Roger Fong  <roger_fong@apple.com>
335
336         Unreviewed. Touchups to VS2010 WebKit solution.
337         Fix an export generator script, modify some property sheets, add a resource file.
338
339         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorDebug.props:
340         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPostBuild.cmd:
341         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorRelease.props:
342         * JavaScriptCore.vcxproj/resource.h: Added.
343
344 2013-02-06  Ilya Tikhonovsky  <loislo@chromium.org>
345
346         Web Inspector: Native Memory Instrumentation: assign class name to the heap graph node automatically
347         https://bugs.webkit.org/show_bug.cgi?id=107262
348
349         Reviewed by Yury Semikhatsky.
350
351         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
352
353 2013-02-06  Mike West  <mkwst@chromium.org>
354
355         Add an ENABLE_NOSNIFF feature flag.
356         https://bugs.webkit.org/show_bug.cgi?id=109029
357
358         Reviewed by Jochen Eisinger.
359
360         This new flag will control whether the 'X-Content-Type-Options: nosniff' response header
361         is honored (i.e. whether content-type sniffing is suppressed) when processing script and other resource types.
362
363         * Configurations/FeatureDefines.xcconfig:
364
365 2013-02-05  Mark Hahnenberg  <mhahnenberg@apple.com>
366
367         put_to_base should emit a Phantom for "value" across the ForceOSRExit
368         https://bugs.webkit.org/show_bug.cgi?id=108998
369
370         Reviewed by Oliver Hunt.
371
372         Otherwise, the OSR exit compiler could clobber it, so the "value" would be read back incorrectly after the exit.
373
374         * bytecode/CodeBlock.cpp:
375         (JSC::CodeBlock::tallyFrequentExitSites): Build fixes for when DFG debug logging is enabled.
376         * dfg/DFGByteCodeParser.cpp:
377         (JSC::DFG::ByteCodeParser::parseBlock): Added extra Phantoms for the "value" field where needed.
378         * dfg/DFGSpeculativeJIT.cpp:
379         (JSC::DFG::SpeculativeJIT::compile): Ditto.
380
381 2013-02-05  Michael Saboff  <msaboff@apple.com>
382
383         Crash at JSC::call when loading www.gap.com with JSVALUE32_64 Enabled
384         https://bugs.webkit.org/show_bug.cgi?id=108991
385
386         Reviewed by Oliver Hunt.
387
388         Changed the restoration from calleeGPR to nonArgGPR0 because the restoration of the return location
389         may step on calleeGPR if it happens to be nonArgGPR2.
390
391         * dfg/DFGRepatch.cpp:
392         (JSC::DFG::dfgLinkClosureCall):
393
394 2013-02-05  Roger Fong  <roger_fong@apple.com>
395
396         Add a JavaScriptCore Export Generator project.
397         https://bugs.webkit.org/show_bug.cgi?id=108971.
398
399         Reviewed by Brent Fulgham.
400
401         * JavaScriptCore.vcxproj/JavaScriptCore.sln:
402         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
403         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
404         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
405         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator: Added.
406         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj: Added.
407         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj.filters: Added.
408         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj.user: Added.
409         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorBuildCmd.cmd: Added.
410         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props: Added.
411         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorDebug.props: Added.
412         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPostBuild.cmd: Added.
413         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPreBuild.cmd: Added.
414         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorRelease.props: Added.
415         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: Added.
416
417 2013-02-04  Filip Pizlo  <fpizlo@apple.com>
418
419         DFG should have a precise view of jump targets
420         https://bugs.webkit.org/show_bug.cgi?id=108868
421
422         Reviewed by Oliver Hunt.
423         
424         Previously, the DFG relied entirely on the CodeBlock's jump targets list for
425         determining when to break basic blocks. This worked great, except sometimes it
426         would be too conservative since the CodeBlock just says where the bytecode
427         generator inserted labels.
428         
429         This change keeps the old jump target list in CodeBlock since it is still
430         valuable to the baseline JIT, but switches the DFG to use its own jump target
431         calculator. This ought to reduce pressure on the DFG simplifier, which would
432         previously do a lot of work to try to merge redundantly created basic blocks.
433         It appears to be a 1% progression on SunSpider.
434
435         * CMakeLists.txt:
436         * GNUmakefile.list.am:
437         * JavaScriptCore.xcodeproj/project.pbxproj:
438         * Target.pri:
439         * bytecode/PreciseJumpTargets.cpp: Added.
440         (JSC):
441         (JSC::addSimpleSwitchTargets):
442         (JSC::computePreciseJumpTargets):
443         * bytecode/PreciseJumpTargets.h: Added.
444         (JSC):
445         * dfg/DFGByteCodeParser.cpp:
446         (JSC::DFG::ByteCodeParser::parseCodeBlock):
447
448 2013-02-01  Roger Fong  <roger_fong@apple.com>
449
450         Make ConfigurationBuildDir include directories precede WebKitLibraries in JSC.
451         https://bugs.webkit.org/show_bug.cgi?id=108693.
452
453         Rubberstamped by Timothy Horton.
454
455         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:
456
457 2013-02-04  Mark Hahnenberg  <mhahnenberg@apple.com>
458
459         Structure::m_outOfLineCapacity is unnecessary
460         https://bugs.webkit.org/show_bug.cgi?id=108206
461
462         Reviewed by Darin Adler.
463
464         Simplifying the utility functions that we use since we don't need a 
465         bunch of fancy templates for this one specific call site.
466
467         * runtime/Structure.h:
468         (JSC::Structure::outOfLineCapacity):
469
470 2013-02-05  Mark Hahnenberg  <mhahnenberg@apple.com>
471
472         Objective-C API: testapi.mm should use ARC
473         https://bugs.webkit.org/show_bug.cgi?id=107838
474
475         Reviewed by Oliver Hunt.
476
477         In ToT, testapi.mm uses the Obj-C garbage collector, which hides a lot of our object lifetime bugs.
478         We should enable ARC, since that is what most of our clients will be using. We use Xcode project 
479         settings to make sure we don't try to compile with ARC on 32-bit.
480
481         * API/tests/testapi.mm:
482         (+[TestObject testObject]):
483         (testObjectiveCAPI):
484         * JavaScriptCore.xcodeproj/project.pbxproj:
485
486 2013-02-05  Brent Fulgham  <bfulgham@webkit.org>
487
488         [Windows] Unreviewed VS2010 Build Correction after r141651
489
490         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing
491         StructureRareData.h and StructureRareData.cpp files.
492         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
493
494 2013-02-05  Michael Saboff  <msaboff@apple.com>
495
496         r141788 won't build due to not having all changes needed by Node* change
497         https://bugs.webkit.org/show_bug.cgi?id=108944
498
499         Reviewed by David Kilzer.
500
501         Fixed three instances of integerResult(..., m_compileIndex) to be integerResult(..., node).
502
503         * dfg/DFGSpeculativeJIT.cpp:
504         (JSC::DFG::SpeculativeJIT::compileSoftModulo):
505         (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForARMv7s):
506
507 2013-02-04  Sheriff Bot  <webkit.review.bot@gmail.com>
508
509         Unreviewed, rolling out r141809.
510         http://trac.webkit.org/changeset/141809
511         https://bugs.webkit.org/show_bug.cgi?id=108860
512
513         ARC isn't supported on 32-bit. (Requested by mhahnenberg on
514         #webkit).
515
516         * API/tests/testapi.mm:
517         (+[TestObject testObject]):
518         (testObjectiveCAPI):
519         * JavaScriptCore.xcodeproj/project.pbxproj:
520
521 2013-02-04  Mark Hahnenberg  <mhahnenberg@apple.com>
522
523         Objective-C API: testapi.mm should use ARC
524         https://bugs.webkit.org/show_bug.cgi?id=107838
525
526         Reviewed by Oliver Hunt.
527
528         In ToT, testapi.mm uses the Obj-C garbage collector, which hides a lot of our object lifetime bugs. 
529         We should enable ARC, since that is what most of our clients will be using.
530
531         * API/tests/testapi.mm:
532         (-[TestObject init]):
533         (-[TestObject dealloc]):
534         (+[TestObject testObject]):
535         (testObjectiveCAPI):
536         * JavaScriptCore.xcodeproj/project.pbxproj:
537
538 2013-02-04  Mark Hahnenberg  <mhahnenberg@apple.com>
539
540         Objective-C API: ObjCCallbackFunction should retain the target of its NSInvocation
541         https://bugs.webkit.org/show_bug.cgi?id=108843
542
543         Reviewed by Darin Adler.
544
545         Currently, ObjCCallbackFunction doesn't retain the target of its NSInvocation, so the target can be
546         deallocated while the callback is still reachable from JavaScript. It needs to retain the target so that
547         a later invocation of the callback does not crash on (or otherwise use) a deallocated object.
547
548         * API/ObjCCallbackFunction.mm:
549         (ObjCCallbackFunction::ObjCCallbackFunction):
550         (ObjCCallbackFunction::~ObjCCallbackFunction):
551
552 2013-02-04  Martin Robinson  <mrobinson@igalia.com>
553
554         Fix GTK+ 'make dist' in preparation for the 1.11.5 release.
555
556         * GNUmakefile.list.am: Update the source lists.
557
558 2013-02-04  Michael Saboff  <msaboff@apple.com>
559
560         For ARMv7s use integer divide instruction for divide and modulo when possible
561         https://bugs.webkit.org/show_bug.cgi?id=108840
562
563         Reviewed in person by Filip Pizlo.
564
565         Added ARMv7s integer divide path for ArithDiv and ArithMod where operands and results are integer.
566         This is patterned after the similar code for X86.  Also added modulo power of 2 optimization
567         that uses logical and.  Added sdiv and udiv to the ARMv7 disassembler.  Put all the changes
568         behind #if CPU(APPLE_ARMV7S). 
569
570         * assembler/ARMv7Assembler.h:
571         (ARMv7Assembler):
572         (JSC::ARMv7Assembler::sdiv):
573         (JSC::ARMv7Assembler::udiv):
574         * dfg/DFGCommon.h:
575         (JSC::DFG::isARMv7s):
576         * dfg/DFGFixupPhase.cpp:
577         (JSC::DFG::FixupPhase::fixupNode):
578         * dfg/DFGSpeculativeJIT.cpp:
579         (JSC::DFG::SpeculativeJIT::compileSoftModulo):
580         (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForARMv7s):
581         * dfg/DFGSpeculativeJIT.h:
582         (SpeculativeJIT):
583         * dfg/DFGSpeculativeJIT32_64.cpp:
584         (JSC::DFG::SpeculativeJIT::compile):
585
586 2013-02-04  David Kilzer  <ddkilzer@apple.com>
587
588         Check PrivateHeaders/JSBasePrivate.h for inappropriate macros
589         <http://webkit.org/b/108749>
590
591         Reviewed by Joseph Pecoraro.
592
593         * JavaScriptCore.xcodeproj/project.pbxproj: Add
594         PrivateHeaders/JSBasePrivate.h to list of headers to check in
595         "Check for Inappropriate Macros in External Headers" build phase
596         script.
597
598 2013-02-04  David Kilzer  <ddkilzer@apple.com>
599
600         Remove duplicate entries from JavaScriptCore Xcode project
601
602             $ uniq Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj | diff -u - Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj | patch -p0 -R
603             patching file Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
604
605         * JavaScriptCore.xcodeproj/project.pbxproj: Remove duplicates.
606
607 2013-02-04  David Kilzer  <ddkilzer@apple.com>
608
609         Sort JavaScriptCore Xcode project file
610
611         * JavaScriptCore.xcodeproj/project.pbxproj:
612
613 2013-02-03  David Kilzer  <ddkilzer@apple.com>
614
615         Upstream ENABLE_PDFKIT_PLUGIN setting
616         <http://webkit.org/b/108792>
617
618         Reviewed by Tim Horton.
619
620         * Configurations/FeatureDefines.xcconfig: Disable PDFKIT_PLUGIN
621         on iOS since PDFKit is a Mac-only framework.
622
623 2013-02-02  Andreas Kling  <akling@apple.com>
624
625         Vector should consult allocator about ideal size when choosing capacity.
626         <http://webkit.org/b/108410>
627         <rdar://problem/13124002>
628
629         Reviewed by Benjamin Poulain.
630
631         Remove assertion about Vector capacity that won't hold anymore since capacity()
632         may not be what you passed to reserveCapacity().
633         Also export WTF::fastMallocGoodSize() for Windows builds.
634
635         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
636         * bytecode/CodeBlock.cpp:
637         (JSC::CodeBlock::CodeBlock):
638
639 2013-02-02  Patrick Gansterer  <paroga@webkit.org>
640
641         [CMake] Adopt the WinCE port to new CMake
642         https://bugs.webkit.org/show_bug.cgi?id=108754
643
644         Reviewed by Laszlo Gombos.
645
646         * os-win32/WinMain.cpp: Removed.
647         * shell/PlatformWinCE.cmake: Removed.
648
649 2013-02-02  Mark Rowe  <mrowe@apple.com>
650
651         <http://webkit.org/b/108745> WTF shouldn't use a script build phase to detect the presence of headers when the compiler can do it for us
652
653         Reviewed by Sam Weinig.
654
655         * DerivedSources.make: Remove an obsolete Makefile rule. This should have been removed when the use
656         of the generated file moved to WTF.
657
658 2013-02-02  David Kilzer  <ddkilzer@apple.com>
659
660         Upstream iOS FeatureDefines
661         <http://webkit.org/b/108753>
662
663         Reviewed by Anders Carlsson.
664
665         * Configurations/FeatureDefines.xcconfig:
666         - ENABLE_DEVICE_ORIENTATION: Add iOS configurations.
667         - ENABLE_PLUGIN_PROXY_FOR_VIDEO: Ditto.
668         - FEATURE_DEFINES: Add ENABLE_PLUGIN_PROXY_FOR_VIDEO.  Add
669           PLATFORM_NAME variant to reduce future merge conflicts. 
670
671 2013-02-01  Mark Hahnenberg  <mhahnenberg@apple.com>
672
673         Structure::m_enumerationCache should be moved to StructureRareData
674         https://bugs.webkit.org/show_bug.cgi?id=108723
675
676         Reviewed by Oliver Hunt.
677
678         m_enumerationCache is only used by objects whose properties are iterated over, so not every Structure needs this 
679         field and it can therefore be moved safely to StructureRareData to help with memory savings.
680
681         * runtime/JSPropertyNameIterator.h:
682         (JSPropertyNameIterator):
683         (JSC::Register::propertyNameIterator):
684         (JSC::StructureRareData::enumerationCache): Add to JSPropertyNameIterator.h so that it can see the correct type.
685         (JSC::StructureRareData::setEnumerationCache): Ditto.
686         * runtime/Structure.cpp:
687         (JSC::Structure::addPropertyWithoutTransition): Use the enumerationCache() getter rather than accessing the field.
688         (JSC::Structure::removePropertyWithoutTransition): Ditto.
689         (JSC::Structure::visitChildren): We no longer have to worry about marking the m_enumerationCache field.
690         * runtime/Structure.h: 
691         (JSC::Structure::setEnumerationCache): Move the old accessors back since we don't have to have any knowledge of 
692         the JSPropertyNameIterator type.
693         (JSC::Structure::enumerationCache): Ditto.
694         * runtime/StructureRareData.cpp:
695         (JSC::StructureRareData::visitChildren): Mark the new m_enumerationCache field.
696         * runtime/StructureRareData.h: Add new functions/fields.
697         (StructureRareData):
698
699 2013-02-01  Roger Fong  <roger_fong@apple.com>
700
701         Unreviewed. JavaScriptCore VS2010 project cleanup.
702
703         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
704         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
705         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
706         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj:
707
708 2013-02-01  Sheriff Bot  <webkit.review.bot@gmail.com>
709
710         Unreviewed, rolling out r141662.
711         http://trac.webkit.org/changeset/141662
712         https://bugs.webkit.org/show_bug.cgi?id=108738
713
714         it's an incorrect change since processPhiStack will
715         dereference dangling BasicBlock pointers (Requested by pizlo
716         on #webkit).
717
718         * dfg/DFGByteCodeParser.cpp:
719         (JSC::DFG::ByteCodeParser::parse):
720
721 2013-02-01  Filip Pizlo  <fpizlo@apple.com>
722
723         Eliminate dead blocks sooner in the DFG::ByteCodeParser to make clear that you don't need to hold onto them during Phi construction
724         https://bugs.webkit.org/show_bug.cgi?id=108717
725
726         Reviewed by Mark Hahnenberg.
727         
728         I think this makes the code clearer. It doesn't change behavior.
729
730         * dfg/DFGByteCodeParser.cpp:
731         (JSC::DFG::ByteCodeParser::parse):
732
733 2013-02-01  Mark Hahnenberg  <mhahnenberg@apple.com>
734
735         Structure should have a StructureRareData field to save space
736         https://bugs.webkit.org/show_bug.cgi?id=108659
737
738         Reviewed by Oliver Hunt.
739
740         Many of the fields in Structure are used in a subset of all total Structures; however, all Structures must 
741         pay the memory cost of those fields, regardless of whether they use them or not. Since we can have potentially 
742         many Structures on a single page (e.g. bing.com creates ~1500 Structures), it would be profitable to 
743         refactor Structure so that not every Structure has to pay the memory costs for these infrequently used fields.
744
745         To accomplish this, we can create a new StructureRareData class to house these seldom used fields which we 
746         can allocate on demand whenever a Structure requires it. This StructureRareData can itself be a JSCell, and 
747         can do all the marking of the fields for the Structure. The StructureRareData field will be part of a union 
748         with m_previous to minimize overhead. We'll add a new field to JSTypeInfo to indicate that the Structure has 
749         a StructureRareData field. During transitions, a Structure will clone its previous Structure's StructureRareData 
750         if it has one. There could be some potential for optimizing this process, but the initial implementation will 
751         be dumb since we'd be paying these overhead costs for each Structure anyway.
752
753         Initially we'll only put two fields in the StructureRareData to avoid a memory regression. Over time we'll 
754         continue to move fields from Structure to StructureRareData. Optimistically, this could potentially reduce our 
755         Structure memory footprint by up to around 75%. It could also clear the way for removing destructors from 
756         Structures (and into StructureRareData).
757
758         * CMakeLists.txt:
759         * GNUmakefile.list.am:
760         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
761         * JavaScriptCore.xcodeproj/project.pbxproj:
762         * Target.pri:
763         * dfg/DFGRepatch.cpp: Includes for linking purposes.
764         * jit/JITStubs.cpp:
765         * jsc.cpp:
766         * llint/LLIntSlowPaths.cpp:
767         * runtime/JSCellInlines.h: Added ifdef guards.
768         * runtime/JSGlobalData.cpp: New Structure for StructureRareData class.
769         (JSC::JSGlobalData::JSGlobalData):
770         * runtime/JSGlobalData.h:
771         (JSGlobalData):
772         * runtime/JSGlobalObject.h:
773         * runtime/JSTypeInfo.h: New flag to indicate whether or not a Structure has a StructureRareData field.
774         (JSC::TypeInfo::flags):
775         (JSC::TypeInfo::structureHasRareData):
776         * runtime/ObjectPrototype.cpp:
777         * runtime/Structure.cpp: We use a combined WriteBarrier<JSCell> field m_previousOrRareData to avoid compiler issues.
778         (JSC::Structure::dumpStatistics):
779         (JSC::Structure::Structure): 
780         (JSC::Structure::materializePropertyMap):
781         (JSC::Structure::addPropertyTransition):
782         (JSC::Structure::nonPropertyTransition):
783         (JSC::Structure::pin):
784         (JSC::Structure::allocateRareData): Handles allocating a brand new StructureRareData field.
785         (JSC::Structure::cloneRareDataFrom): Handles cloning a StructureRareData field from another. Used during Structure 
786         transitions.
787         (JSC::Structure::visitChildren): We no longer have to worry about marking m_objectToStringValue.
788         * runtime/Structure.h:
789         (JSC::Structure::previousID): Checks the structureHasRareData flag to see where it should get the previous Structure.
790         (JSC::Structure::objectToStringValue): Reads the value from the StructureRareData. If it doesn't exist, returns 0.
791         (JSC::Structure::setObjectToStringValue): Ensures that we have a StructureRareData field, then forwards the function 
792         call to it.
793         (JSC::Structure::materializePropertyMapIfNecessary):
794         (JSC::Structure::setPreviousID): Checks for StructureRareData and forwards if necessary.
795         (Structure):
796         (JSC::Structure::clearPreviousID): Ditto.
797         (JSC::Structure::create):
798         * runtime/StructureRareData.cpp: Added. All of the basic functionality of a JSCell with the fields that we've moved 
799         from Structure and the functions required to access/modify those fields as Structure would have done.
800         (JSC):
801         (JSC::StructureRareData::createStructure):
802         (JSC::StructureRareData::create):
803         (JSC::StructureRareData::clone):
804         (JSC::StructureRareData::StructureRareData):
805         (JSC::StructureRareData::visitChildren):
806         * runtime/StructureRareData.h: Added.
807         (JSC):
808         (StructureRareData):
809         * runtime/StructureRareDataInlines.h: Added.
810         (JSC):
811         (JSC::StructureRareData::previousID):
812         (JSC::StructureRareData::setPreviousID):
813         (JSC::StructureRareData::clearPreviousID):
814         (JSC::Structure::previous): Handles the ugly casting to get the value of the right type of m_previousOrRareData.
815         (JSC::Structure::rareData): Ditto.
816         (JSC::StructureRareData::objectToStringValue):
817         (JSC::StructureRareData::setObjectToStringValue):
818
819         * CMakeLists.txt:
820         * GNUmakefile.list.am:
821         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
822         * JavaScriptCore.xcodeproj/project.pbxproj:
823         * Target.pri:
824         * dfg/DFGRepatch.cpp:
825         * jit/JITStubs.cpp:
826         * jsc.cpp:
827         * llint/LLIntSlowPaths.cpp:
828         * runtime/JSCellInlines.h:
829         * runtime/JSGlobalData.cpp:
830         (JSC::JSGlobalData::JSGlobalData):
831         * runtime/JSGlobalData.h:
832         (JSGlobalData):
833         * runtime/JSGlobalObject.h:
834         * runtime/JSTypeInfo.h:
835         (JSC):
836         (JSC::TypeInfo::flags):
837         (JSC::TypeInfo::structureHasRareData):
838         * runtime/ObjectPrototype.cpp:
839         * runtime/Structure.cpp:
840         (JSC::Structure::dumpStatistics):
841         (JSC::Structure::Structure):
842         (JSC::Structure::materializePropertyMap):
843         (JSC::Structure::addPropertyTransition):
844         (JSC::Structure::nonPropertyTransition):
845         (JSC::Structure::pin):
846         (JSC::Structure::allocateRareData):
847         (JSC):
848         (JSC::Structure::cloneRareDataFrom):
849         (JSC::Structure::visitChildren):
850         * runtime/Structure.h:
851         (JSC::Structure::previousID):
852         (JSC::Structure::objectToStringValue):
853         (JSC::Structure::setObjectToStringValue):
854         (JSC::Structure::materializePropertyMapIfNecessary):
855         (JSC::Structure::setPreviousID):
856         (Structure):
857         (JSC::Structure::clearPreviousID):
858         (JSC::Structure::previous):
859         (JSC::Structure::rareData):
860         (JSC::Structure::create):
861         * runtime/StructureRareData.cpp: Added.
862         (JSC):
863         (JSC::StructureRareData::createStructure):
864         (JSC::StructureRareData::create):
865         (JSC::StructureRareData::clone):
866         (JSC::StructureRareData::StructureRareData):
867         (JSC::StructureRareData::visitChildren):
868         * runtime/StructureRareData.h: Added.
869         (JSC):
870         (StructureRareData):
871         * runtime/StructureRareDataInlines.h: Added.
872         (JSC):
873         (JSC::StructureRareData::previousID):
874         (JSC::StructureRareData::setPreviousID):
875         (JSC::StructureRareData::clearPreviousID):
876         (JSC::StructureRareData::objectToStringValue):
877         (JSC::StructureRareData::setObjectToStringValue):
878
879 2013-02-01  Balazs Kilvady  <kilvadyb@homejinni.com>
880
881         offlineasm BaseIndex handling is broken on ARM due to MIPS changes
882         https://bugs.webkit.org/show_bug.cgi?id=108261
883
884         Reviewed by Filip Pizlo.
885
886         offlineasm BaseIndex handling fix on MIPS.
887
888         * offlineasm/mips.rb:
889         * offlineasm/risc.rb:
890
891 2013-02-01  Geoffrey Garen  <ggaren@apple.com>
892
893         Removed an unused function: JSGlobalObject::createFunctionExecutableFromGlobalCode
894         https://bugs.webkit.org/show_bug.cgi?id=108657
895
896         Reviewed by Anders Carlsson.
897
898         * runtime/JSGlobalObject.cpp:
899         (JSC):
900         * runtime/JSGlobalObject.h:
901         (JSGlobalObject):
902
903 2013-02-01  Geoffrey Garen  <ggaren@apple.com>
904
905         Added TriState to WTF and started using it in one place
906         https://bugs.webkit.org/show_bug.cgi?id=108628
907
908         Reviewed by Beth Dakin.
909
910         * runtime/PrototypeMap.h:
911         (JSC::PrototypeMap::isPrototype): Use TriState instead of boolean. In
912         response to review feedback, this is an attempt to clarify that our
913         'true' condition is actually just a 'maybe'.
914
915         * runtime/PrototypeMap.h:
916         (PrototypeMap):
917         (JSC::PrototypeMap::isPrototype):
918
919 2013-02-01  Alexis Menard  <alexis@webkit.org>
920
921         Enable unprefixed CSS transitions by default.
922         https://bugs.webkit.org/show_bug.cgi?id=108216
923
924         Reviewed by Dean Jackson.
925
926         Rename the flag CSS_TRANSFORMS_ANIMATIONS_TRANSITIONS_UNPREFIXED
927         to CSS_TRANSFORMS_ANIMATIONS_UNPREFIXED which will be used later to 
928         guard the unprefixing work for CSS Transforms and animations.
929
930         * Configurations/FeatureDefines.xcconfig:
931
932 2013-01-31  Filip Pizlo  <fpizlo@apple.com>
933
934         DFG::CFGSimplificationPhase::keepOperandAlive() conflates liveness and availability
935         https://bugs.webkit.org/show_bug.cgi?id=108580
936
937         Reviewed by Oliver Hunt.
938         
939         This is a harmless bug in that it only results in us keeping a bit too many things
940         for OSR.  But it's worth fixing so that the code is consistent.
941
942         keepOperandAlive() is called when block A has a branch to blocks B and C, but the
943         A->B edge is proven to never be taken and we want to optimize the code to have A
944         unconditionally jump to C.  In that case, for the purposes of OSR, we need to
945         preserve the knowledge that the state that B expected to be live incoming from A
946         ought still to be live up to the point of where the A->B,C branch used to be.  The
947         way we keep things alive is by using the variablesAtTail of A (i.e., we use the
948         knowledge of in what manner A made state available to B and C).  The way we choose
949         which state should be kept alive ought to be chosen by the variablesAtHead of B
950         (i.e. the things B says it needs from its predecessors, including A), except that
951         keepOperandAlive() was previously just using variablesAtTail of A for this
952         purpose.
953         
954         The fix is to have keepOperandAlive() use both liveness and availability in its
955         logic. It should use liveness (i.e. B->variablesAtHead) to decide what to keep
956         alive, and it should use availability (i.e. A->variablesAtTail) to decide how to
957         keep it alive.
958         
959         This might be a microscopic win on some programs, but it's mainly intended to be
960         a code clean-up so that I don't end up scratching my head in confusion the next
961         time I look at this code.
962
963         * dfg/DFGCFGSimplificationPhase.cpp:
964         (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
965         (JSC::DFG::CFGSimplificationPhase::jettisonBlock):
966         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
967
968 2013-01-31  Geoffrey Garen  <ggaren@apple.com>
969
970         REGRESSION (r141192): Crash beneath cti_op_get_by_id_generic @ discussions.apple.com
971         https://bugs.webkit.org/show_bug.cgi?id=108576
972
973         Reviewed by Filip Pizlo.
974
975         This was a long-standing bug. The DFG would destructively reuse a register
976         in op_convert_this, but:
977
978             * The bug only presented during speculation failure for type Other
979
980             * The bug presented by removing the low bits of a pointer, which
981             used to be harmless, since all objects were so aligned anyway.
982
983         * dfg/DFGSpeculativeJIT64.cpp:
984         (JSC::DFG::SpeculativeJIT::compile): Don't reuse our this register as
985         our scratch register. The whole point of our scratch register is to
986         avoid destructively modifying our this register. I'm pretty sure this
987         was a copy-paste error.
988
989 2013-01-31  Roger Fong  <roger_fong@apple.com>
990
991         Unreviewed. Windows build fix.
992
993         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
994
995 2013-01-31  Jessie Berlin  <jberlin@apple.com>
996
997         Rolling out r141407 because it is causing crashes under
998         WTF::TCMalloc_Central_FreeList::FetchFromSpans() in Release builds.
999
1000         * bytecode/CodeBlock.cpp:
1001         (JSC::CodeBlock::CodeBlock):
1002
1003 2013-01-31  Mark Hahnenberg  <mhahnenberg@apple.com>
1004
1005         Objective-C API: JSContext exception property causes reference cycle
1006         https://bugs.webkit.org/show_bug.cgi?id=107778
1007
1008         Reviewed by Darin Adler.
1009
1010         JSContext has a (retain) JSValue * exception property which, when non-null, creates a 
1011         reference cycle (since the JSValue * holds a strong reference back to the JSContext *).
1012
1013         * API/JSContext.mm: Instead of JSValue *, we now use a plain JSValueRef, which eliminates the reference cycle.
1014         (-[JSContext initWithVirtualMachine:]):
1015         (-[JSContext setException:]):
1016         (-[JSContext exception]):
1017
1018 2013-01-31  Roger Fong  <roger_fong@apple.com>
1019
1020         Unreviewed build fix. Win7 port.
1021
1022         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
1023
1024 2013-01-31  Joseph Pecoraro  <pecoraro@apple.com>
1025
1026         Disable ENABLE_FULLSCREEN_API on iOS
1027         https://bugs.webkit.org/show_bug.cgi?id=108250
1028
1029         Reviewed by Benjamin Poulain.
1030
1031         * Configurations/FeatureDefines.xcconfig:
1032
1033 2013-01-31  Mark Hahnenberg  <mhahnenberg@apple.com>
1034
1035         Objective-C API: Fix insertion of values greater than the max index allowed by the spec
1036         https://bugs.webkit.org/show_bug.cgi?id=108264
1037
1038         Reviewed by Oliver Hunt.
1039
1040         Fixed a bug, added a test to the API tests, cleaned up some code.
1041
1042         * API/JSValue.h: Changed some of the documentation on setValue:atIndex: to indicate that 
1043         setting values at indices greater than UINT_MAX - 1 won't affect the length of JS arrays.
1044         * API/JSValue.mm:
1045         (-[JSValue valueAtIndex:]): We weren't returning when we should have been.
1046         (-[JSValue setValue:atIndex:]): Added a comment about why we do the early check for being larger than UINT_MAX.
1047         (objectToValueWithoutCopy): Removed two redundant cases that were already checked previously.
1048         * API/tests/testapi.mm:
1049
1050 2013-01-30  Andreas Kling  <akling@apple.com>
1051
1052         Vector should consult allocator about ideal size when choosing capacity.
1053         <http://webkit.org/b/108410>
1054         <rdar://problem/13124002>
1055
1056         Reviewed by Benjamin Poulain.
1057
1058         Remove assertion about Vector capacity that won't hold anymore since capacity()
1059         may not be what you passed to reserveCapacity().
1060
1061         * bytecode/CodeBlock.cpp:
1062         (JSC::CodeBlock::CodeBlock):
1063
1064 2013-01-30  Filip Pizlo  <fpizlo@apple.com>
1065
1066         DFG bytecode parser should have more assertions about the status of local accesses
1067         https://bugs.webkit.org/show_bug.cgi?id=108417
1068
1069         Reviewed by Mark Hahnenberg.
1070         
1071         Assert some things that we already know to be true, just to reassure ourselves that they are true.
1072         This is meant as a prerequisite for https://bugs.webkit.org/show_bug.cgi?id=108414, which will
1073         make these rules even stricter.
1074
1075         * dfg/DFGByteCodeParser.cpp:
1076         (JSC::DFG::ByteCodeParser::getLocal):
1077         (JSC::DFG::ByteCodeParser::getArgument):
1078
1079 2013-01-30  Mark Hahnenberg  <mhahnenberg@apple.com>
1080
1081         Objective-C API: JSContext's dealloc causes ASSERT due to ordering of releases
1082         https://bugs.webkit.org/show_bug.cgi?id=107978
1083
1084         Reviewed by Filip Pizlo.
1085
1086         We need to add the Identifier table save/restore in JSContextGroupRelease so that we 
1087         have the correct table if we end up destroying the JSGlobalData/Heap.
1088
1089         * API/JSContextRef.cpp:
1090         (JSContextGroupRelease):
1091
1092 2013-01-30  Mark Hahnenberg  <mhahnenberg@apple.com>
1093
1094         Objective-C API: exceptionHandler needs to be released in JSContext dealloc
1095         https://bugs.webkit.org/show_bug.cgi?id=108378
1096
1097         Reviewed by Filip Pizlo.
1098
1099         JSContext has a (copy) exceptionHandler property that it doesn't release in dealloc. 
1100         That sounds like the potential for a leak. It should be released.
1101
1102         * API/JSContext.mm:
1103         (-[JSContext dealloc]):
1104
1105 2013-01-30  Filip Pizlo  <fpizlo@apple.com>
1106
1107         REGRESSION(140504): pure CSE no longer matches things, 10% regression on Kraken
1108         https://bugs.webkit.org/show_bug.cgi?id=108366
1109
1110         Reviewed by Geoffrey Garen and Mark Hahnenberg.
1111         
1112         This was a longstanding bug that was revealed by http://trac.webkit.org/changeset/140504.
1113         Pure CSE requires that the Node::flags() that may affect the behavior of a node match,
1114         when comparing a possibly redundant node to its possible replacement. It was doing this
1115         by comparing Node::arithNodeFlags(), which as the name might appear to suggest, returns
1116         just those flag bits that correspond to actual node behavior and not auxiliary things.
1117         Unfortunately, Node::arithNodeFlags() wasn't actually masking off the irrelevant bits.
1118         This worked prior to r140504 because CSE itself didn't mutate the flags, so there was a
1119         very high probability that matching nodes would also have completely identical flag bits
1120         (even the ones that aren't relevant to arithmetic behavior, like NodeDoesNotExit). But
1121         r140504 moved one of CSE's side-tables (m_relevantToOSR) into a flag bit for quicker
1122         access. These bits would be mutated as the CSE ran over a basic block, in such a way that
1123         there was a very high probability that the possible replacement would already have the
1124         bit set, while the redundant node did not have the bit set. Since Node::arithNodeFlags()
1125         returned all of the bits, this would cause CSEPhase::pureCSE() to reject the match
1126         almost every time.
1127         
1128         The solution is to make Node::arithNodeFlags() do as its name suggests: only return those
1129         flags that are relevant to arithmetic behavior. This patch introduces a new mask that
1130         represents those bits, and includes NodeBehaviorMask and NodeBackPropMask, which are both
1131         used for queries on Node::arithNodeFlags(), and both affect arithmetic code gen. None of
1132         the other flags are relevant to Node::arithNodeFlags() since they either correspond to
1133         information already conveyed by the opcode (like NodeResultMask, NodeMustGenerate,
1134         NodeHasVarArgs, NodeClobbersWorld, NodeMightClobber) or information that doesn't affect
1135         the result that the node will produce or any of the queries performed on the result of
1136         Node::arithNodeFlags (NodeDoesNotExit and of course NodeRelevantToOSR).
1137         
1138         This is a 10% speed-up on Kraken, undoing the regression from r140504.
1139
1140         * dfg/DFGNode.h:
1141         (JSC::DFG::Node::arithNodeFlags):
1142         * dfg/DFGNodeFlags.h:
1143         (DFG):
1144
1145 2013-01-29  Mark Hahnenberg  <mhahnenberg@apple.com>
1146
1147         Structure::m_outOfLineCapacity is unnecessary
1148         https://bugs.webkit.org/show_bug.cgi?id=108206
1149
1150         Reviewed by Geoffrey Garen.
1151
1152         We can calculate our out of line capacity by using the outOfLineSize and our knowledge about our resize policy.
1153         According to GDB, this knocks Structures down from 136 bytes to 128 bytes (I'm guessing the extra bytes are from
1154         better alignment of object fields), which puts Structures in a smaller size class. Woohoo! Looks neutral on our 
1155         benchmarks.
1156
1157         * runtime/Structure.cpp:
1158         (JSC::Structure::Structure):
1159         (JSC):
1160         (JSC::Structure::suggestedNewOutOfLineStorageCapacity):
1161         (JSC::Structure::addPropertyTransition):
1162         (JSC::Structure::addPropertyWithoutTransition):
1163         * runtime/Structure.h:
1164         (Structure):
1165         (JSC::Structure::outOfLineCapacity):
1166         (JSC::Structure::totalStorageCapacity):
1167
1168 2013-01-29  Geoffrey Garen  <ggaren@apple.com>
1169
1170         Be a little more conservative about emitting table-based switches
1171         https://bugs.webkit.org/show_bug.cgi?id=108292
1172
1173         Reviewed by Filip Pizlo.
1174
1175         Profiling shows we're using op_switch in cases where it's a regression.
1176
1177         * bytecompiler/NodesCodegen.cpp:
1178         (JSC):
1179         (JSC::length):
1180         (JSC::CaseBlockNode::tryTableSwitch):
1181         (JSC::CaseBlockNode::emitBytecodeForBlock):
1182         * parser/Nodes.h:
1183         (CaseBlockNode):
1184
1185 2013-01-29  Sheriff Bot  <webkit.review.bot@gmail.com>
1186
1187         Unreviewed, rolling out r140983.
1188         http://trac.webkit.org/changeset/140983
1189         https://bugs.webkit.org/show_bug.cgi?id=108277
1190
1191         Unfortunately, this API has one last client (Requested by
1192         abarth on #webkit).
1193
1194         * Configurations/FeatureDefines.xcconfig:
1195
1196 2013-01-29  Mark Hahnenberg  <mhahnenberg@apple.com>
1197
1198         Objective-C API: JSObjCClassInfo creates reference cycle with JSContext
1199         https://bugs.webkit.org/show_bug.cgi?id=107839
1200
1201         Reviewed by Geoffrey Garen.
1202
1203         Fixing several ASSERTs that were incorrect along with some of the reallocation of m_prototype and 
1204         m_constructor that they were based on.
1205
1206         * API/JSWrapperMap.mm:
1207         (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): We now only allocate those
1208         fields that are null (i.e. have been collected or have never been allocated to begin with).
1209         (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]): Renamed to better indicate that we're 
1210         reallocating one or both of the prototype/constructor combo.
1211         (-[JSObjCClassInfo wrapperForObject:]): Call new reallocate function.
1212         (-[JSObjCClassInfo constructor]): Ditto.
1213
1214 2013-01-29  Geoffrey Garen  <ggaren@apple.com>
1215
1216         Make precise size classes more precise
1217         https://bugs.webkit.org/show_bug.cgi?id=108270
1218
1219         Reviewed by Mark Hahnenberg.
1220
1221         Size inference makes this profitable.
1222
1223         I chose 8 byte increments because JSString is 24 bytes. Otherwise, 16
1224         byte increments might be better.
1225
1226         * heap/Heap.h:
1227         (Heap): Removed firstAllocatorWithoutDestructors because it's unused now.
1228
1229         * heap/MarkedBlock.h:
1230         (MarkedBlock): Updated constants.
1231
1232         * heap/MarkedSpace.h:
1233         (MarkedSpace):
1234         (JSC): Also reduced the maximum precise size class because my testing
1235         has shown that the smaller size classes are much more common. This
1236         offsets some of the size class explosion caused by reducing the precise
1237         increment.
1238
1239         * llint/LLIntData.cpp:
1240         (JSC::LLInt::Data::performAssertions): No need for this ASSERT anymore
1241         because we don't rely on firstAllocatorWithoutDestructors anymore, since
1242         we pick size classes dynamically now.
1243
1244 2013-01-29  Oliver Hunt  <oliver@apple.com>
1245
1246         Add some hardening to methodTable()
1247         https://bugs.webkit.org/show_bug.cgi?id=108253
1248
1249         Reviewed by Mark Hahnenberg.
1250
1251         When accessing methodTable() we now always make sure that our
1252         structure _could_ be valid.  Added a separate method to get a
1253         class's methodTable during destruction as it's not possible to
1254         validate the structure at that point.  This separation might
1255         also make it possible to improve the performance of methodTable
1256         access more generally in future.
1257
1258         * heap/MarkedBlock.cpp:
1259         (JSC::MarkedBlock::callDestructor):
1260         * runtime/JSCell.h:
1261         (JSCell):
1262         * runtime/JSCellInlines.h:
1263         (JSC::JSCell::methodTableForDestruction):
1264         (JSC):
1265         (JSC::JSCell::methodTable):
1266
1267 2013-01-29  Filip Pizlo  <fpizlo@apple.com>
1268
1269         offlineasm BaseIndex handling is broken on ARM due to MIPS changes
1270         https://bugs.webkit.org/show_bug.cgi?id=108261
1271
1272         Reviewed by Oliver Hunt.
1273         
1274         Backends shouldn't override each other's methods. That's not cool.
1275
1276         * offlineasm/mips.rb:
1277
1278 2013-01-29  Filip Pizlo  <fpizlo@apple.com>
1279
1280         cloop.rb shouldn't use a method called 'dump' for code generation
1281         https://bugs.webkit.org/show_bug.cgi?id=108251
1282
1283         Reviewed by Mark Hahnenberg.
1284         
1285         Revert http://trac.webkit.org/changeset/141178 and rename 'dump' to 'clDump'.
1286         
1287         Also made trivial build fixes for !ENABLE(JIT).
1288
1289         * offlineasm/cloop.rb:
1290         * runtime/Executable.h:
1291         (ExecutableBase):
1292         (JSC::ExecutableBase::intrinsicFor):
1293         * runtime/JSGlobalData.h:
1294
1295 2013-01-29  Geoffrey Garen  <ggaren@apple.com>
1296
1297         Removed GGC because it has been disabled for a long time
1298         https://bugs.webkit.org/show_bug.cgi?id=108245
1299
1300         Reviewed by Filip Pizlo.
1301
1302         * GNUmakefile.list.am:
1303         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1304         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1305         * JavaScriptCore.xcodeproj/project.pbxproj:
1306         * dfg/DFGRepatch.cpp:
1307         (JSC::DFG::emitPutReplaceStub):
1308         (JSC::DFG::emitPutTransitionStub):
1309         * dfg/DFGSpeculativeJIT.cpp:
1310         (JSC::DFG::SpeculativeJIT::writeBarrier):
1311         * dfg/DFGSpeculativeJIT.h:
1312         (SpeculativeJIT):
1313         * dfg/DFGSpeculativeJIT32_64.cpp:
1314         (JSC::DFG::SpeculativeJIT::compile):
1315         * dfg/DFGSpeculativeJIT64.cpp:
1316         (JSC::DFG::SpeculativeJIT::compile):
1317         * heap/CardSet.h: Removed.
1318         * heap/Heap.cpp:
1319         (JSC::Heap::markRoots):
1320         (JSC::Heap::collect):
1321         * heap/Heap.h:
1322         (Heap):
1323         (JSC::Heap::shouldCollect):
1324         (JSC::Heap::isWriteBarrierEnabled):
1325         (JSC):
1326         (JSC::Heap::writeBarrier):
1327         * heap/MarkedBlock.h:
1328         (MarkedBlock):
1329         (JSC):
1330         * heap/MarkedSpace.cpp:
1331         (JSC):
1332         * jit/JITPropertyAccess.cpp:
1333         (JSC::JIT::emitWriteBarrier):
1334
1335 2013-01-29  Filip Pizlo  <fpizlo@apple.com>
1336
1337         Remove redundant AST dump method from cloop.rb, since they are already defined in ast.rb
1338         https://bugs.webkit.org/show_bug.cgi?id=108247
1339
1340         Reviewed by Oliver Hunt.
1341         
1342         Makes offlineasm dumping easier to read and less likely to cause assertion failures.
1343         Also fixes the strange situation where cloop.rb and ast.rb both defined dump methods,
1344         but cloop.rb was winning.
1345
1346         * offlineasm/cloop.rb:
1347
1348 2013-01-29  Mark Hahnenberg  <mhahnenberg@apple.com>
1349
1350         Objective-C API: JSObjCClassInfo creates reference cycle with JSContext
1351         https://bugs.webkit.org/show_bug.cgi?id=107839
1352
1353         Reviewed by Oliver Hunt.
1354
1355         JSContext has a JSWrapperMap, which has an NSMutableDictionary m_classMap, which has values that 
1356         are JSObjCClassInfo objects, which have strong references to two JSValue *'s, m_prototype and 
1357         m_constructor, which in turn have strong references to the JSContext, creating a reference cycle. 
1358         We should make m_prototype and m_constructor Weak<JSObject>. This gets rid of the strong reference 
1359         to the JSContext and also prevents clients from accidentally creating reference cycles by assigning 
1360         to the prototype of the constructor. If Weak<JSObject> fields are ever garbage collected, we will 
1361         reallocate them.
1362
1363         * API/JSContext.mm:
1364         (-[JSContext wrapperMap]):
1365         * API/JSContextInternal.h:
1366         * API/JSWrapperMap.mm:
1367         (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]):
1368         (-[JSObjCClassInfo dealloc]):
1369         (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
1370         (-[JSObjCClassInfo allocateConstructorAndPrototype]):
1371         (-[JSObjCClassInfo wrapperForObject:]):
1372         (-[JSObjCClassInfo constructor]):
1373
1374 2013-01-29  Oliver Hunt  <oliver@apple.com>
1375
1376         REGRESSION (r140594): RELEASE_ASSERT_NOT_REACHED in JSC::Interpreter::execute
1377         https://bugs.webkit.org/show_bug.cgi?id=108097
1378
1379         Reviewed by Geoffrey Garen.
1380
1381         LiteralParser was accepting a bogus 'var a.b = c' statement
1382
1383         * runtime/LiteralParser.cpp:
1384         (JSC::::tryJSONPParse):
1385
1386 2013-01-29  Oliver Hunt  <oliver@apple.com>
1387
1388         Force debug builds to do bounds checks on contiguous property storage
1389         https://bugs.webkit.org/show_bug.cgi?id=108212
1390
1391         Reviewed by Mark Hahnenberg.
1392
1393         Add a ContiguousData type that we use to represent contiguous property
1394         storage.  In release builds it is simply a pointer to the correct type,
1395         but in debug builds it also carries the data length and performs bounds
1396         checks.  This means we don't have to add as many manual bounds assertions
1397         when performing operations over contiguous data.  Note that this is a
        debugging aid, not a mitigation: release builds get no bounds enforcement
        from ContiguousData, so callers remain responsible for staying within the
        storage's length.
1398
1399         * dfg/DFGOperations.cpp:
1400         * runtime/ArrayStorage.h:
1401         (ArrayStorage):
1402         (JSC::ArrayStorage::vector):
1403         * runtime/Butterfly.h:
1404         (JSC::ContiguousData::ContiguousData):
1405         (ContiguousData):
1406         (JSC::ContiguousData::operator[]):
1407         (JSC::ContiguousData::data):
1408         (JSC::ContiguousData::length):
1409         (JSC):
1410         (JSC::Butterfly::contiguousInt32):
1411         (Butterfly):
1412         (JSC::Butterfly::contiguousDouble):
1413         (JSC::Butterfly::contiguous):
1414         * runtime/JSArray.cpp:
1415         (JSC::JSArray::sortNumericVector):
1416         (ContiguousTypeAccessor):
1417         (JSC::ContiguousTypeAccessor::getAsValue):
1418         (JSC::ContiguousTypeAccessor::setWithValue):
1419         (JSC::ContiguousTypeAccessor::replaceDataReference):
1420         (JSC):
1421         (JSC::JSArray::sortCompactedVector):
1422         (JSC::JSArray::sort):
1423         (JSC::JSArray::fillArgList):
1424         (JSC::JSArray::copyToArguments):
1425         * runtime/JSArray.h:
1426         (JSArray):
1427         * runtime/JSObject.cpp:
1428         (JSC::JSObject::copyButterfly):
1429         (JSC::JSObject::visitButterfly):
1430         (JSC::JSObject::createInitialInt32):
1431         (JSC::JSObject::createInitialDouble):
1432         (JSC::JSObject::createInitialContiguous):
1433         (JSC::JSObject::convertUndecidedToInt32):
1434         (JSC::JSObject::convertUndecidedToDouble):
1435         (JSC::JSObject::convertUndecidedToContiguous):
1436         (JSC::JSObject::convertInt32ToDouble):
1437         (JSC::JSObject::convertInt32ToContiguous):
1438         (JSC::JSObject::genericConvertDoubleToContiguous):
1439         (JSC::JSObject::convertDoubleToContiguous):
1440         (JSC::JSObject::rageConvertDoubleToContiguous):
1441         (JSC::JSObject::ensureInt32Slow):
1442         (JSC::JSObject::ensureDoubleSlow):
1443         (JSC::JSObject::ensureContiguousSlow):
1444         (JSC::JSObject::rageEnsureContiguousSlow):
1445         (JSC::JSObject::ensureLengthSlow):
1446         * runtime/JSObject.h:
1447         (JSC::JSObject::ensureInt32):
1448         (JSC::JSObject::ensureDouble):
1449         (JSC::JSObject::ensureContiguous):
1450         (JSC::JSObject::rageEnsureContiguous):
1451         (JSObject):
1452         (JSC::JSObject::indexingData):
1453         (JSC::JSObject::currentIndexingData):
1454
1455 2013-01-29  Brent Fulgham  <bfulgham@webkit.org>
1456
1457         [Windows, WinCairo] Unreviewed build fix after r141050
1458
1459         * JavaScriptCore.vcxproj/JavaScriptCoreExports.def: Update symbols
1460         to match JavaScriptCore.vcproj version.
1461
1462 2013-01-29  Allan Sandfeld Jensen  <allan.jensen@digia.com>
1463
1464         [Qt] Implement GCActivityCallback
1465         https://bugs.webkit.org/show_bug.cgi?id=103998
1466
1467         Reviewed by Simon Hausmann.
1468
1469         Implements the activity triggered garbage collector.
1470
1471         * runtime/GCActivityCallback.cpp:
1472         (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
1473         (JSC::DefaultGCActivityCallback::scheduleTimer):
1474         (JSC::DefaultGCActivityCallback::cancelTimer):
1475         * runtime/GCActivityCallback.h:
1476         (GCActivityCallback):
1477         (DefaultGCActivityCallback):
1478
1479 2013-01-29  Mikhail Pozdnyakov  <mikhail.pozdnyakov@intel.com>
1480
1481         Compilation warning in JSC
1482         https://bugs.webkit.org/show_bug.cgi?id=108178
1483
1484         Reviewed by Kentaro Hara.
1485
1486         Fixed 'comparison between signed and unsigned integer' warning in JSC::Structure constructor.
1487
1488         * runtime/Structure.cpp:
1489         (JSC::Structure::Structure):
1490
1491 2013-01-29  Jocelyn Turcotte  <jocelyn.turcotte@digia.com>
1492
1493         [Qt] Fix the JSC build on Mac
1494
1495         Unreviewed, build fix.
1496
1497         * heap/HeapTimer.h:
1498         Qt on Mac has USE(CF) true, and should use the CF HeapTimer in that case.
1499
1500 2013-01-29  Allan Sandfeld Jensen  <allan.jensen@digia.com>
1501
1502         [Qt] Implement IncrementalSweeper and HeapTimer
1503         https://bugs.webkit.org/show_bug.cgi?id=103996
1504
1505         Reviewed by Simon Hausmann.
1506
1507         Implements the incremental sweeping garbage collection for the Qt platform.
1508
1509         * heap/HeapTimer.cpp:
1510         (JSC::HeapTimer::HeapTimer):
1511         (JSC::HeapTimer::~HeapTimer):
1512         (JSC::HeapTimer::timerEvent):
1513         (JSC::HeapTimer::synchronize):
1514         (JSC::HeapTimer::invalidate):
1515         (JSC::HeapTimer::didStartVMShutdown):
1516         * heap/HeapTimer.h:
1517         (HeapTimer):
1518         * heap/IncrementalSweeper.cpp:
1519         (JSC::IncrementalSweeper::IncrementalSweeper):
1520         (JSC::IncrementalSweeper::scheduleTimer):
1521         * heap/IncrementalSweeper.h:
1522         (IncrementalSweeper):
1523
1524 2013-01-28  Filip Pizlo  <fpizlo@apple.com>
1525
1526         DFG should not use a graph that is a vector, Nodes shouldn't move after allocation, and we should always refer to nodes by Node*
1527         https://bugs.webkit.org/show_bug.cgi?id=106868
1528
1529         Reviewed by Oliver Hunt.
1530         
1531         This adds a pool allocator for Nodes, and uses that instead of a Vector. Changes all
1532         uses of Node& and NodeIndex to be simply Node*. Nodes no longer have an index except
1533         for debugging (Node::index(), which is not guaranteed to be O(1)).
1534         
1535         1% speed-up on SunSpider, presumably because this improves compile times.
1536
1537         * CMakeLists.txt:
1538         * GNUmakefile.list.am:
1539         * JavaScriptCore.xcodeproj/project.pbxproj:
1540         * Target.pri:
1541         * bytecode/DataFormat.h:
1542         (JSC::dataFormatToString):
1543         * dfg/DFGAbstractState.cpp:
1544         (JSC::DFG::AbstractState::initialize):
1545         (JSC::DFG::AbstractState::booleanResult):
1546         (JSC::DFG::AbstractState::execute):
1547         (JSC::DFG::AbstractState::mergeStateAtTail):
1548         (JSC::DFG::AbstractState::mergeToSuccessors):
1549         (JSC::DFG::AbstractState::mergeVariableBetweenBlocks):
1550         (JSC::DFG::AbstractState::dump):
1551         * dfg/DFGAbstractState.h:
1552         (DFG):
1553         (JSC::DFG::AbstractState::forNode):
1554         (AbstractState):
1555         (JSC::DFG::AbstractState::speculateInt32Unary):
1556         (JSC::DFG::AbstractState::speculateNumberUnary):
1557         (JSC::DFG::AbstractState::speculateBooleanUnary):
1558         (JSC::DFG::AbstractState::speculateInt32Binary):
1559         (JSC::DFG::AbstractState::speculateNumberBinary):
1560         (JSC::DFG::AbstractState::trySetConstant):
1561         * dfg/DFGAbstractValue.h:
1562         (AbstractValue):
1563         * dfg/DFGAdjacencyList.h:
1564         (JSC::DFG::AdjacencyList::AdjacencyList):
1565         (JSC::DFG::AdjacencyList::initialize):
1566         * dfg/DFGAllocator.h: Added.
1567         (DFG):
1568         (Allocator):
1569         (JSC::DFG::Allocator::Region::size):
1570         (JSC::DFG::Allocator::Region::headerSize):
1571         (JSC::DFG::Allocator::Region::numberOfThingsPerRegion):
1572         (JSC::DFG::Allocator::Region::data):
1573         (JSC::DFG::Allocator::Region::isInThisRegion):
1574         (JSC::DFG::Allocator::Region::regionFor):
1575         (Region):
1576         (JSC::DFG::::Allocator):
1577         (JSC::DFG::::~Allocator):
1578         (JSC::DFG::::allocate):
1579         (JSC::DFG::::free):
1580         (JSC::DFG::::freeAll):
1581         (JSC::DFG::::reset):
1582         (JSC::DFG::::indexOf):
1583         (JSC::DFG::::allocatorOf):
1584         (JSC::DFG::::bumpAllocate):
1585         (JSC::DFG::::freeListAllocate):
1586         (JSC::DFG::::allocateSlow):
1587         (JSC::DFG::::freeRegionsStartingAt):
1588         (JSC::DFG::::startBumpingIn):
1589         * dfg/DFGArgumentsSimplificationPhase.cpp:
1590         (JSC::DFG::ArgumentsSimplificationPhase::run):
1591         (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
1592         (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUses):
1593         (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
1594         (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
1595         (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
1596         * dfg/DFGArrayMode.cpp:
1597         (JSC::DFG::ArrayMode::originalArrayStructure):
1598         (JSC::DFG::ArrayMode::alreadyChecked):
1599         * dfg/DFGArrayMode.h:
1600         (ArrayMode):
1601         * dfg/DFGArrayifySlowPathGenerator.h:
1602         (JSC::DFG::ArrayifySlowPathGenerator::ArrayifySlowPathGenerator):
1603         * dfg/DFGBasicBlock.h:
1604         (JSC::DFG::BasicBlock::node):
1605         (JSC::DFG::BasicBlock::isInPhis):
1606         (JSC::DFG::BasicBlock::isInBlock):
1607         (BasicBlock):
1608         * dfg/DFGBasicBlockInlines.h:
1609         (DFG):
1610         * dfg/DFGByteCodeParser.cpp:
1611         (ByteCodeParser):
1612         (JSC::DFG::ByteCodeParser::getDirect):
1613         (JSC::DFG::ByteCodeParser::get):
1614         (JSC::DFG::ByteCodeParser::setDirect):
1615         (JSC::DFG::ByteCodeParser::set):
1616         (JSC::DFG::ByteCodeParser::setPair):
1617         (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
1618         (JSC::DFG::ByteCodeParser::getLocal):
1619         (JSC::DFG::ByteCodeParser::setLocal):
1620         (JSC::DFG::ByteCodeParser::getArgument):
1621         (JSC::DFG::ByteCodeParser::setArgument):
1622         (JSC::DFG::ByteCodeParser::flushDirect):
1623         (JSC::DFG::ByteCodeParser::getToInt32):
1624         (JSC::DFG::ByteCodeParser::toInt32):
1625         (JSC::DFG::ByteCodeParser::getJSConstantForValue):
1626         (JSC::DFG::ByteCodeParser::getJSConstant):
1627         (JSC::DFG::ByteCodeParser::getCallee):
1628         (JSC::DFG::ByteCodeParser::getThis):
1629         (JSC::DFG::ByteCodeParser::setThis):
1630         (JSC::DFG::ByteCodeParser::isJSConstant):
1631         (JSC::DFG::ByteCodeParser::isInt32Constant):
1632         (JSC::DFG::ByteCodeParser::valueOfJSConstant):
1633         (JSC::DFG::ByteCodeParser::valueOfInt32Constant):
1634         (JSC::DFG::ByteCodeParser::constantUndefined):
1635         (JSC::DFG::ByteCodeParser::constantNull):
1636         (JSC::DFG::ByteCodeParser::one):
1637         (JSC::DFG::ByteCodeParser::constantNaN):
1638         (JSC::DFG::ByteCodeParser::cellConstant):
1639         (JSC::DFG::ByteCodeParser::addToGraph):
1640         (JSC::DFG::ByteCodeParser::insertPhiNode):
1641         (JSC::DFG::ByteCodeParser::addVarArgChild):
1642         (JSC::DFG::ByteCodeParser::addCall):
1643         (JSC::DFG::ByteCodeParser::addStructureTransitionCheck):
1644         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
1645         (JSC::DFG::ByteCodeParser::getPrediction):
1646         (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
1647         (JSC::DFG::ByteCodeParser::makeSafe):
1648         (JSC::DFG::ByteCodeParser::makeDivSafe):
1649         (JSC::DFG::ByteCodeParser::ConstantRecord::ConstantRecord):
1650         (ConstantRecord):
1651         (JSC::DFG::ByteCodeParser::PhiStackEntry::PhiStackEntry):
1652         (PhiStackEntry):
1653         (JSC::DFG::ByteCodeParser::handleCall):
1654         (JSC::DFG::ByteCodeParser::emitFunctionChecks):
1655         (JSC::DFG::ByteCodeParser::handleInlining):
1656         (JSC::DFG::ByteCodeParser::setIntrinsicResult):
1657         (JSC::DFG::ByteCodeParser::handleMinMax):
1658         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1659         (JSC::DFG::ByteCodeParser::handleGetByOffset):
1660         (JSC::DFG::ByteCodeParser::handleGetById):
1661         (JSC::DFG::ByteCodeParser::getScope):
1662         (JSC::DFG::ByteCodeParser::parseResolveOperations):
1663         (JSC::DFG::ByteCodeParser::parseBlock):
1664         (JSC::DFG::ByteCodeParser::processPhiStack):
1665         (JSC::DFG::ByteCodeParser::linkBlock):
1666         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1667         (JSC::DFG::ByteCodeParser::parse):
1668         * dfg/DFGCFAPhase.cpp:
1669         (JSC::DFG::CFAPhase::performBlockCFA):
1670         * dfg/DFGCFGSimplificationPhase.cpp:
1671         (JSC::DFG::CFGSimplificationPhase::run):
1672         (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
1673         (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
1674         (JSC::DFG::CFGSimplificationPhase::fixPhis):
1675         (JSC::DFG::CFGSimplificationPhase::removePotentiallyDeadPhiReference):
1676         (JSC::DFG::CFGSimplificationPhase::OperandSubstitution::OperandSubstitution):
1677         (JSC::DFG::CFGSimplificationPhase::OperandSubstitution::dump):
1678         (OperandSubstitution):
1679         (JSC::DFG::CFGSimplificationPhase::skipGetLocal):
1680         (JSC::DFG::CFGSimplificationPhase::recordNewTarget):
1681         (JSC::DFG::CFGSimplificationPhase::fixTailOperand):
1682         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
1683         * dfg/DFGCSEPhase.cpp:
1684         (JSC::DFG::CSEPhase::canonicalize):
1685         (JSC::DFG::CSEPhase::endIndexForPureCSE):
1686         (JSC::DFG::CSEPhase::pureCSE):
1687         (JSC::DFG::CSEPhase::constantCSE):
1688         (JSC::DFG::CSEPhase::weakConstantCSE):
1689         (JSC::DFG::CSEPhase::getCalleeLoadElimination):
1690         (JSC::DFG::CSEPhase::getArrayLengthElimination):
1691         (JSC::DFG::CSEPhase::globalVarLoadElimination):
1692         (JSC::DFG::CSEPhase::scopedVarLoadElimination):
1693         (JSC::DFG::CSEPhase::globalVarWatchpointElimination):
1694         (JSC::DFG::CSEPhase::globalVarStoreElimination):
1695         (JSC::DFG::CSEPhase::scopedVarStoreElimination):
1696         (JSC::DFG::CSEPhase::getByValLoadElimination):
1697         (JSC::DFG::CSEPhase::checkFunctionElimination):
1698         (JSC::DFG::CSEPhase::checkExecutableElimination):
1699         (JSC::DFG::CSEPhase::checkStructureElimination):
1700         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
1701         (JSC::DFG::CSEPhase::putStructureStoreElimination):
1702         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
1703         (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
1704         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
1705         (JSC::DFG::CSEPhase::checkArrayElimination):
1706         (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
1707         (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
1708         (JSC::DFG::CSEPhase::getLocalLoadElimination):
1709         (JSC::DFG::CSEPhase::setLocalStoreElimination):
1710         (JSC::DFG::CSEPhase::performSubstitution):
1711         (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
1712         (JSC::DFG::CSEPhase::setReplacement):
1713         (JSC::DFG::CSEPhase::eliminate):
1714         (JSC::DFG::CSEPhase::performNodeCSE):
1715         (JSC::DFG::CSEPhase::performBlockCSE):
1716         (CSEPhase):
1717         * dfg/DFGCommon.cpp: Added.
1718         (DFG):
1719         (JSC::DFG::NodePointerTraits::dump):
1720         * dfg/DFGCommon.h:
1721         (DFG):
1722         (JSC::DFG::NodePointerTraits::defaultValue):
1723         (NodePointerTraits):
1724         (JSC::DFG::verboseCompilationEnabled):
1725         (JSC::DFG::shouldDumpGraphAtEachPhase):
1726         (JSC::DFG::validationEnabled):
1727         * dfg/DFGConstantFoldingPhase.cpp:
1728         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1729         (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
1730         (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
1731         (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
1732         * dfg/DFGDisassembler.cpp:
1733         (JSC::DFG::Disassembler::Disassembler):
1734         (JSC::DFG::Disassembler::createDumpList):
1735         (JSC::DFG::Disassembler::dumpDisassembly):
1736         * dfg/DFGDisassembler.h:
1737         (JSC::DFG::Disassembler::setForNode):
1738         (Disassembler):
1739         * dfg/DFGDriver.cpp:
1740         (JSC::DFG::compile):
1741         * dfg/DFGEdge.cpp: Added.
1742         (DFG):
1743         (JSC::DFG::Edge::dump):
1744         * dfg/DFGEdge.h:
1745         (JSC::DFG::Edge::Edge):
1746         (JSC::DFG::Edge::node):
1747         (JSC::DFG::Edge::operator*):
1748         (JSC::DFG::Edge::operator->):
1749         (Edge):
1750         (JSC::DFG::Edge::setNode):
1751         (JSC::DFG::Edge::useKind):
1752         (JSC::DFG::Edge::setUseKind):
1753         (JSC::DFG::Edge::isSet):
1754         (JSC::DFG::Edge::shift):
1755         (JSC::DFG::Edge::makeWord):
1756         (JSC::DFG::operator==):
1757         (JSC::DFG::operator!=):
1758         * dfg/DFGFixupPhase.cpp:
1759         (JSC::DFG::FixupPhase::fixupBlock):
1760         (JSC::DFG::FixupPhase::fixupNode):
1761         (JSC::DFG::FixupPhase::checkArray):
1762         (JSC::DFG::FixupPhase::blessArrayOperation):
1763         (JSC::DFG::FixupPhase::fixIntEdge):
1764         (JSC::DFG::FixupPhase::fixDoubleEdge):
1765         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
1766         (FixupPhase):
1767         * dfg/DFGGenerationInfo.h:
1768         (JSC::DFG::GenerationInfo::GenerationInfo):
1769         (JSC::DFG::GenerationInfo::initConstant):
1770         (JSC::DFG::GenerationInfo::initInteger):
1771         (JSC::DFG::GenerationInfo::initJSValue):
1772         (JSC::DFG::GenerationInfo::initCell):
1773         (JSC::DFG::GenerationInfo::initBoolean):
1774         (JSC::DFG::GenerationInfo::initDouble):
1775         (JSC::DFG::GenerationInfo::initStorage):
1776         (GenerationInfo):
1777         (JSC::DFG::GenerationInfo::node):
1778         (JSC::DFG::GenerationInfo::noticeOSRBirth):
1779         (JSC::DFG::GenerationInfo::use):
1780         (JSC::DFG::GenerationInfo::appendFill):
1781         (JSC::DFG::GenerationInfo::appendSpill):
1782         * dfg/DFGGraph.cpp:
1783         (JSC::DFG::Graph::Graph):
1784         (JSC::DFG::Graph::~Graph):
1785         (DFG):
1786         (JSC::DFG::Graph::dumpCodeOrigin):
1787         (JSC::DFG::Graph::amountOfNodeWhiteSpace):
1788         (JSC::DFG::Graph::printNodeWhiteSpace):
1789         (JSC::DFG::Graph::dump):
1790         (JSC::DFG::Graph::dumpBlockHeader):
1791         (JSC::DFG::Graph::refChildren):
1792         (JSC::DFG::Graph::derefChildren):
1793         (JSC::DFG::Graph::predictArgumentTypes):
1794         (JSC::DFG::Graph::collectGarbage):
1795         (JSC::DFG::Graph::determineReachability):
1796         (JSC::DFG::Graph::resetExitStates):
1797         * dfg/DFGGraph.h:
1798         (Graph):
1799         (JSC::DFG::Graph::ref):
1800         (JSC::DFG::Graph::deref):
1801         (JSC::DFG::Graph::changeChild):
1802         (JSC::DFG::Graph::compareAndSwap):
1803         (JSC::DFG::Graph::clearAndDerefChild):
1804         (JSC::DFG::Graph::clearAndDerefChild1):
1805         (JSC::DFG::Graph::clearAndDerefChild2):
1806         (JSC::DFG::Graph::clearAndDerefChild3):
1807         (JSC::DFG::Graph::convertToConstant):
1808         (JSC::DFG::Graph::getJSConstantSpeculation):
1809         (JSC::DFG::Graph::addSpeculationMode):
1810         (JSC::DFG::Graph::valueAddSpeculationMode):
1811         (JSC::DFG::Graph::arithAddSpeculationMode):
1812         (JSC::DFG::Graph::addShouldSpeculateInteger):
1813         (JSC::DFG::Graph::mulShouldSpeculateInteger):
1814         (JSC::DFG::Graph::negateShouldSpeculateInteger):
1815         (JSC::DFG::Graph::isConstant):
1816         (JSC::DFG::Graph::isJSConstant):
1817         (JSC::DFG::Graph::isInt32Constant):
1818         (JSC::DFG::Graph::isDoubleConstant):
1819         (JSC::DFG::Graph::isNumberConstant):
1820         (JSC::DFG::Graph::isBooleanConstant):
1821         (JSC::DFG::Graph::isCellConstant):
1822         (JSC::DFG::Graph::isFunctionConstant):
1823         (JSC::DFG::Graph::isInternalFunctionConstant):
1824         (JSC::DFG::Graph::valueOfJSConstant):
1825         (JSC::DFG::Graph::valueOfInt32Constant):
1826         (JSC::DFG::Graph::valueOfNumberConstant):
1827         (JSC::DFG::Graph::valueOfBooleanConstant):
1828         (JSC::DFG::Graph::valueOfFunctionConstant):
1829         (JSC::DFG::Graph::valueProfileFor):
1830         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
1831         (JSC::DFG::Graph::numSuccessors):
1832         (JSC::DFG::Graph::successor):
1833         (JSC::DFG::Graph::successorForCondition):
1834         (JSC::DFG::Graph::isPredictedNumerical):
1835         (JSC::DFG::Graph::byValIsPure):
1836         (JSC::DFG::Graph::clobbersWorld):
1837         (JSC::DFG::Graph::varArgNumChildren):
1838         (JSC::DFG::Graph::numChildren):
1839         (JSC::DFG::Graph::varArgChild):
1840         (JSC::DFG::Graph::child):
1841         (JSC::DFG::Graph::voteNode):
1842         (JSC::DFG::Graph::voteChildren):
1843         (JSC::DFG::Graph::substitute):
1844         (JSC::DFG::Graph::substituteGetLocal):
1845         (JSC::DFG::Graph::addImmediateShouldSpeculateInteger):
1846         (JSC::DFG::Graph::mulImmediateShouldSpeculateInteger):
1847         * dfg/DFGInsertionSet.h:
1848         (JSC::DFG::Insertion::Insertion):
1849         (JSC::DFG::Insertion::element):
1850         (Insertion):
1851         (JSC::DFG::InsertionSet::insert):
1852         (InsertionSet):
1853         * dfg/DFGJITCompiler.cpp:
1854         * dfg/DFGJITCompiler.h:
1855         (JSC::DFG::JITCompiler::setForNode):
1856         (JSC::DFG::JITCompiler::addressOfDoubleConstant):
1857         (JSC::DFG::JITCompiler::noticeOSREntry):
1858         * dfg/DFGLongLivedState.cpp: Added.
1859         (DFG):
1860         (JSC::DFG::LongLivedState::LongLivedState):
1861         (JSC::DFG::LongLivedState::~LongLivedState):
1862         (JSC::DFG::LongLivedState::shrinkToFit):
1863         * dfg/DFGLongLivedState.h: Added.
1864         (DFG):
1865         (LongLivedState):
1866         * dfg/DFGMinifiedID.h:
1867         (JSC::DFG::MinifiedID::MinifiedID):
1868         (JSC::DFG::MinifiedID::node):
1869         * dfg/DFGMinifiedNode.cpp:
1870         (JSC::DFG::MinifiedNode::fromNode):
1871         * dfg/DFGMinifiedNode.h:
1872         (MinifiedNode):
1873         * dfg/DFGNode.cpp: Added.
1874         (DFG):
1875         (JSC::DFG::Node::index):
1876         (WTF):
1877         (WTF::printInternal):
1878         * dfg/DFGNode.h:
1879         (DFG):
1880         (JSC::DFG::Node::Node):
1881         (Node):
1882         (JSC::DFG::Node::convertToGetByOffset):
1883         (JSC::DFG::Node::convertToPutByOffset):
1884         (JSC::DFG::Node::ref):
1885         (JSC::DFG::Node::shouldSpeculateInteger):
1886         (JSC::DFG::Node::shouldSpeculateIntegerForArithmetic):
1887         (JSC::DFG::Node::shouldSpeculateIntegerExpectingDefined):
1888         (JSC::DFG::Node::shouldSpeculateDoubleForArithmetic):
1889         (JSC::DFG::Node::shouldSpeculateNumber):
1890         (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
1891         (JSC::DFG::Node::shouldSpeculateFinalObject):
1892         (JSC::DFG::Node::shouldSpeculateArray):
1893         (JSC::DFG::Node::dumpChildren):
1894         (WTF):
1895         * dfg/DFGNodeAllocator.h: Added.
1896         (DFG):
1897         (operator new ):
1898         * dfg/DFGOSRExit.cpp:
1899         (JSC::DFG::OSRExit::OSRExit):
1900         * dfg/DFGOSRExit.h:
1901         (OSRExit):
1902         (SpeculationFailureDebugInfo):
1903         * dfg/DFGOSRExitCompiler.cpp:
1904         * dfg/DFGOSRExitCompiler32_64.cpp:
1905         (JSC::DFG::OSRExitCompiler::compileExit):
1906         * dfg/DFGOSRExitCompiler64.cpp:
1907         (JSC::DFG::OSRExitCompiler::compileExit):
1908         * dfg/DFGOperations.cpp:
1909         * dfg/DFGPhase.cpp:
1910         (DFG):
1911         (JSC::DFG::Phase::beginPhase):
1912         (JSC::DFG::Phase::endPhase):
1913         * dfg/DFGPhase.h:
1914         (Phase):
1915         (JSC::DFG::runAndLog):
1916         * dfg/DFGPredictionPropagationPhase.cpp:
1917         (JSC::DFG::PredictionPropagationPhase::setPrediction):
1918         (JSC::DFG::PredictionPropagationPhase::mergePrediction):
1919         (JSC::DFG::PredictionPropagationPhase::isNotNegZero):
1920         (JSC::DFG::PredictionPropagationPhase::isNotZero):
1921         (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoForConstant):
1922         (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoNonRecursive):
1923         (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwo):
1924         (JSC::DFG::PredictionPropagationPhase::propagate):
1925         (JSC::DFG::PredictionPropagationPhase::mergeDefaultFlags):
1926         (JSC::DFG::PredictionPropagationPhase::propagateForward):
1927         (JSC::DFG::PredictionPropagationPhase::propagateBackward):
1928         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
1929         (PredictionPropagationPhase):
1930         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
1931         * dfg/DFGScoreBoard.h:
1932         (JSC::DFG::ScoreBoard::ScoreBoard):
1933         (JSC::DFG::ScoreBoard::use):
1934         (JSC::DFG::ScoreBoard::useIfHasResult):
1935         (ScoreBoard):
1936         * dfg/DFGSilentRegisterSavePlan.h:
1937         (JSC::DFG::SilentRegisterSavePlan::SilentRegisterSavePlan):
1938         (JSC::DFG::SilentRegisterSavePlan::node):
1939         (SilentRegisterSavePlan):
1940         * dfg/DFGSlowPathGenerator.h:
1941         (JSC::DFG::SlowPathGenerator::SlowPathGenerator):
1942         (JSC::DFG::SlowPathGenerator::generate):
1943         (SlowPathGenerator):
1944         * dfg/DFGSpeculativeJIT.cpp:
1945         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
1946         (JSC::DFG::SpeculativeJIT::speculationCheck):
1947         (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
1948         (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
1949         (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
1950         (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
1951         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
1952         (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
1953         (JSC::DFG::SpeculativeJIT::silentSpill):
1954         (JSC::DFG::SpeculativeJIT::silentFill):
1955         (JSC::DFG::SpeculativeJIT::checkArray):
1956         (JSC::DFG::SpeculativeJIT::arrayify):
1957         (JSC::DFG::SpeculativeJIT::fillStorage):
1958         (JSC::DFG::SpeculativeJIT::useChildren):
1959         (JSC::DFG::SpeculativeJIT::isStrictInt32):
1960         (JSC::DFG::SpeculativeJIT::isKnownInteger):
1961         (JSC::DFG::SpeculativeJIT::isKnownNumeric):
1962         (JSC::DFG::SpeculativeJIT::isKnownCell):
1963         (JSC::DFG::SpeculativeJIT::isKnownNotCell):
1964         (JSC::DFG::SpeculativeJIT::isKnownNotInteger):
1965         (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
1966         (JSC::DFG::SpeculativeJIT::writeBarrier):
1967         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare):
1968         (JSC::DFG::SpeculativeJIT::nonSpeculativeStrictEq):
1969         (JSC::DFG::GPRTemporary::GPRTemporary):
1970         (JSC::DFG::FPRTemporary::FPRTemporary):
1971         (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
1972         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
1973         (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
1974         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
1975         (JSC::DFG::SpeculativeJIT::noticeOSRBirth):
1976         (JSC::DFG::SpeculativeJIT::compileMovHint):
1977         (JSC::DFG::SpeculativeJIT::compile):
1978         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
1979         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
1980         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
1981         (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
1982         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1983         (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
1984         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1985         (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
1986         (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
1987         (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
1988         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
1989         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
1990         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
1991         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
1992         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
1993         (JSC::DFG::SpeculativeJIT::compileInstanceOf):
1994         (JSC::DFG::SpeculativeJIT::compileSoftModulo):
1995         (JSC::DFG::SpeculativeJIT::compileAdd):
1996         (JSC::DFG::SpeculativeJIT::compileArithSub):
1997         (JSC::DFG::SpeculativeJIT::compileArithNegate):
1998         (JSC::DFG::SpeculativeJIT::compileArithMul):
1999         (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):
2000         (JSC::DFG::SpeculativeJIT::compileArithMod):
2001         (JSC::DFG::SpeculativeJIT::compare):
2002         (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
2003         (JSC::DFG::SpeculativeJIT::compileStrictEq):
2004         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
2005         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
2006         (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
2007         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
2008         (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck):
2009         (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression):
2010         (JSC::DFG::SpeculativeJIT::compileRegExpExec):
2011         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2012         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2013         * dfg/DFGSpeculativeJIT.h:
2014         (SpeculativeJIT):
2015         (JSC::DFG::SpeculativeJIT::canReuse):
2016         (JSC::DFG::SpeculativeJIT::isFilled):
2017         (JSC::DFG::SpeculativeJIT::isFilledDouble):
2018         (JSC::DFG::SpeculativeJIT::use):
2019         (JSC::DFG::SpeculativeJIT::isConstant):
2020         (JSC::DFG::SpeculativeJIT::isJSConstant):
2021         (JSC::DFG::SpeculativeJIT::isInt32Constant):
2022         (JSC::DFG::SpeculativeJIT::isDoubleConstant):
2023         (JSC::DFG::SpeculativeJIT::isNumberConstant):
2024         (JSC::DFG::SpeculativeJIT::isBooleanConstant):
2025         (JSC::DFG::SpeculativeJIT::isFunctionConstant):
2026         (JSC::DFG::SpeculativeJIT::valueOfInt32Constant):
2027         (JSC::DFG::SpeculativeJIT::valueOfNumberConstant):
2028         (JSC::DFG::SpeculativeJIT::valueOfNumberConstantAsInt32):
2029         (JSC::DFG::SpeculativeJIT::addressOfDoubleConstant):
2030         (JSC::DFG::SpeculativeJIT::valueOfJSConstant):
2031         (JSC::DFG::SpeculativeJIT::valueOfBooleanConstant):
2032         (JSC::DFG::SpeculativeJIT::valueOfFunctionConstant):
2033         (JSC::DFG::SpeculativeJIT::isNullConstant):
2034         (JSC::DFG::SpeculativeJIT::valueOfJSConstantAsImm64):
2035         (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
2036         (JSC::DFG::SpeculativeJIT::integerResult):
2037         (JSC::DFG::SpeculativeJIT::noResult):
2038         (JSC::DFG::SpeculativeJIT::cellResult):
2039         (JSC::DFG::SpeculativeJIT::booleanResult):
2040         (JSC::DFG::SpeculativeJIT::jsValueResult):
2041         (JSC::DFG::SpeculativeJIT::storageResult):
2042         (JSC::DFG::SpeculativeJIT::doubleResult):
2043         (JSC::DFG::SpeculativeJIT::initConstantInfo):
2044         (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
2045         (JSC::DFG::SpeculativeJIT::isInteger):
2046         (JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal):
2047         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
2048         (JSC::DFG::SpeculativeJIT::setNodeForOperand):
2049         (JSC::DFG::IntegerOperand::IntegerOperand):
2050         (JSC::DFG::IntegerOperand::node):
2051         (JSC::DFG::IntegerOperand::gpr):
2052         (JSC::DFG::IntegerOperand::use):
2053         (IntegerOperand):
2054         (JSC::DFG::DoubleOperand::DoubleOperand):
2055         (JSC::DFG::DoubleOperand::node):
2056         (JSC::DFG::DoubleOperand::fpr):
2057         (JSC::DFG::DoubleOperand::use):
2058         (DoubleOperand):
2059         (JSC::DFG::JSValueOperand::JSValueOperand):
2060         (JSC::DFG::JSValueOperand::node):
2061         (JSC::DFG::JSValueOperand::gpr):
2062         (JSC::DFG::JSValueOperand::fill):
2063         (JSC::DFG::JSValueOperand::use):
2064         (JSValueOperand):
2065         (JSC::DFG::StorageOperand::StorageOperand):
2066         (JSC::DFG::StorageOperand::node):
2067         (JSC::DFG::StorageOperand::gpr):
2068         (JSC::DFG::StorageOperand::use):
2069         (StorageOperand):
2070         (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
2071         (JSC::DFG::SpeculateIntegerOperand::node):
2072         (JSC::DFG::SpeculateIntegerOperand::gpr):
2073         (JSC::DFG::SpeculateIntegerOperand::use):
2074         (SpeculateIntegerOperand):
2075         (JSC::DFG::SpeculateStrictInt32Operand::SpeculateStrictInt32Operand):
2076         (JSC::DFG::SpeculateStrictInt32Operand::node):
2077         (JSC::DFG::SpeculateStrictInt32Operand::gpr):
2078         (JSC::DFG::SpeculateStrictInt32Operand::use):
2079         (SpeculateStrictInt32Operand):
2080         (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
2081         (JSC::DFG::SpeculateDoubleOperand::node):
2082         (JSC::DFG::SpeculateDoubleOperand::fpr):
2083         (JSC::DFG::SpeculateDoubleOperand::use):
2084         (SpeculateDoubleOperand):
2085         (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
2086         (JSC::DFG::SpeculateCellOperand::node):
2087         (JSC::DFG::SpeculateCellOperand::gpr):
2088         (JSC::DFG::SpeculateCellOperand::use):
2089         (SpeculateCellOperand):
2090         (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
2091         (JSC::DFG::SpeculateBooleanOperand::node):
2092         (JSC::DFG::SpeculateBooleanOperand::gpr):
2093         (JSC::DFG::SpeculateBooleanOperand::use):
2094         (SpeculateBooleanOperand):
2095         * dfg/DFGSpeculativeJIT32_64.cpp:
2096         (JSC::DFG::SpeculativeJIT::fillInteger):
2097         (JSC::DFG::SpeculativeJIT::fillDouble):
2098         (JSC::DFG::SpeculativeJIT::fillJSValue):
2099         (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
2100         (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
2101         (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
2102         (JSC::DFG::SpeculativeJIT::cachedPutById):
2103         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
2104         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
2105         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
2106         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
2107         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
2108         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
2109         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2110         (JSC::DFG::SpeculativeJIT::emitCall):
2111         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
2112         (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
2113         (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
2114         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2115         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2116         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2117         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2118         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
2119         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
2120         (JSC::DFG::SpeculativeJIT::compileIntegerCompare):
2121         (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
2122         (JSC::DFG::SpeculativeJIT::compileValueAdd):
2123         (JSC::DFG::SpeculativeJIT::compileNonStringCellOrOtherLogicalNot):
2124         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2125         (JSC::DFG::SpeculativeJIT::emitNonStringCellOrOtherBranch):
2126         (JSC::DFG::SpeculativeJIT::emitBranch):
2127         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
2128         (JSC::DFG::SpeculativeJIT::compile):
2129         * dfg/DFGSpeculativeJIT64.cpp:
2130         (JSC::DFG::SpeculativeJIT::fillInteger):
2131         (JSC::DFG::SpeculativeJIT::fillDouble):
2132         (JSC::DFG::SpeculativeJIT::fillJSValue):
2133         (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
2134         (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
2135         (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
2136         (JSC::DFG::SpeculativeJIT::cachedPutById):
2137         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
2138         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
2139         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
2140         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
2141         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
2142         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
2143         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2144         (JSC::DFG::SpeculativeJIT::emitCall):
2145         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
2146         (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
2147         (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
2148         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2149         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2150         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2151         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2152         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
2153         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
2154         (JSC::DFG::SpeculativeJIT::compileIntegerCompare):
2155         (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
2156         (JSC::DFG::SpeculativeJIT::compileValueAdd):
2157         (JSC::DFG::SpeculativeJIT::compileNonStringCellOrOtherLogicalNot):
2158         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2159         (JSC::DFG::SpeculativeJIT::emitNonStringCellOrOtherBranch):
2160         (JSC::DFG::SpeculativeJIT::emitBranch):
2161         (JSC::DFG::SpeculativeJIT::compile):
2162         * dfg/DFGStructureAbstractValue.h:
2163         (StructureAbstractValue):
2164         * dfg/DFGStructureCheckHoistingPhase.cpp:
2165         (JSC::DFG::StructureCheckHoistingPhase::run):
2166         * dfg/DFGValidate.cpp:
2167         (DFG):
2168         (Validate):
2169         (JSC::DFG::Validate::validate):
2170         (JSC::DFG::Validate::reportValidationContext):
2171         * dfg/DFGValidate.h:
2172         * dfg/DFGValueSource.cpp:
2173         (JSC::DFG::ValueSource::dump):
2174         * dfg/DFGValueSource.h:
2175         (JSC::DFG::ValueSource::ValueSource):
2176         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
2177         (JSC::DFG::VirtualRegisterAllocationPhase::run):
2178         * runtime/FunctionExecutableDump.cpp: Added.
2179         (JSC):
2180         (JSC::FunctionExecutableDump::dump):
2181         * runtime/FunctionExecutableDump.h: Added.
2182         (JSC):
2183         (FunctionExecutableDump):
2184         (JSC::FunctionExecutableDump::FunctionExecutableDump):
2185         * runtime/JSGlobalData.cpp:
2186         (JSC::JSGlobalData::JSGlobalData):
2187         * runtime/JSGlobalData.h:
2188         (JSC):
2189         (DFG):
2190         (JSGlobalData):
2191         * runtime/Options.h:
2192         (JSC):
2193
2194 2013-01-28  Laszlo Gombos  <l.gombos@samsung.com>
2195
2196         Collapse testing for a list of PLATFORM() into OS() and USE() tests
2197         https://bugs.webkit.org/show_bug.cgi?id=108018
2198
2199         Reviewed by Eric Seidel.
2200
2201         No functional change, as "OS(DARWIN) && USE(CF)" is equivalent to the
2202         following platforms: MAC, WX, QT and CHROMIUM. CHROMIUM
2203         is not using JavaScriptCore.
2204
2205         * runtime/DatePrototype.cpp:
2206         (JSC):
2207
2208 2013-01-28  Geoffrey Garen  <ggaren@apple.com>
2209
2210         Static size inference for JavaScript objects
2211         https://bugs.webkit.org/show_bug.cgi?id=108093
2212
2213         Reviewed by Phil Pizlo.
2214
2215         * API/JSObjectRef.cpp:
2216         * JavaScriptCore.order:
2217         * JavaScriptCore.xcodeproj/project.pbxproj: Pay the tax man.
2218
2219         * bytecode/CodeBlock.cpp:
2220         (JSC::CodeBlock::dumpBytecode): op_new_object and op_create_this now
2221         have an extra inferredInlineCapacity argument. This is the statically
2222         inferred inline capacity, just from analyzing source text. op_new_object
2223         also gets a pointer to an allocation profile. (For op_create_this, the
2224         profile is in the constructor function.)
2225
2226         (JSC::CodeBlock::CodeBlock): Link op_new_object.
2227
2228         (JSC::CodeBlock::stronglyVisitStrongReferences): Mark our profiles.
2229
2230         * bytecode/CodeBlock.h:
2231         (CodeBlock): Removed some dead code. Added object allocation profiles.
2232
2233         * bytecode/Instruction.h:
2234         (JSC): New union type, since an instruction operand may point to an
2235         object allocation profile now.
2236
2237         * bytecode/ObjectAllocationProfile.h: Added.
2238         (JSC):
2239         (ObjectAllocationProfile):
2240         (JSC::ObjectAllocationProfile::offsetOfAllocator):
2241         (JSC::ObjectAllocationProfile::offsetOfStructure):
2242         (JSC::ObjectAllocationProfile::ObjectAllocationProfile):
2243         (JSC::ObjectAllocationProfile::isNull):
2244         (JSC::ObjectAllocationProfile::initialize):
2245         (JSC::ObjectAllocationProfile::structure):
2246         (JSC::ObjectAllocationProfile::inlineCapacity):
2247         (JSC::ObjectAllocationProfile::clear):
2248         (JSC::ObjectAllocationProfile::visitAggregate):
2249         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount): New class
2250         for tracking a prediction about object allocation: structure, inline
2251         capacity, allocator to use.
2252
2253         * bytecode/Opcode.h:
2254         (JSC):
2255         (JSC::padOpcodeName): Updated instruction sizes.
2256
2257         * bytecode/UnlinkedCodeBlock.cpp:
2258         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2259         * bytecode/UnlinkedCodeBlock.h:
2260         (JSC):
2261         (JSC::UnlinkedCodeBlock::addObjectAllocationProfile):
2262         (JSC::UnlinkedCodeBlock::numberOfObjectAllocationProfiles):
2263         (UnlinkedCodeBlock): Unlinked support for allocation profiles.
2264
2265         * bytecompiler/BytecodeGenerator.cpp:
2266         (JSC::BytecodeGenerator::generate): Kill all remaining analyses at the
2267         end of codegen, since this is our last opportunity.
2268
2269         (JSC::BytecodeGenerator::BytecodeGenerator): Added a static property
2270         analyzer to bytecode generation. It tracks initializing assignments and
2271         makes a guess about how many will happen.
2272
2273         (JSC::BytecodeGenerator::newObjectAllocationProfile):
2274         (JSC):
2275         (JSC::BytecodeGenerator::emitProfiledOpcode):
2276         (JSC::BytecodeGenerator::emitMove):
2277         (JSC::BytecodeGenerator::emitResolve):
2278         (JSC::BytecodeGenerator::emitResolveBase):
2279         (JSC::BytecodeGenerator::emitResolveBaseForPut):
2280         (JSC::BytecodeGenerator::emitResolveWithBaseForPut):
2281         (JSC::BytecodeGenerator::emitResolveWithThis):
2282         (JSC::BytecodeGenerator::emitGetById):
2283         (JSC::BytecodeGenerator::emitPutById):
2284         (JSC::BytecodeGenerator::emitDirectPutById):
2285         (JSC::BytecodeGenerator::emitPutGetterSetter):
2286         (JSC::BytecodeGenerator::emitGetArgumentByVal):
2287         (JSC::BytecodeGenerator::emitGetByVal): Added hooks to the static property
2288         analyzer, so it can observe allocations and stores.
2289
2290         (JSC::BytecodeGenerator::emitCreateThis): Factored this into a helper
2291         function because it was a significant amount of logic, and I wanted to
2292         add to it.
2293
2294         (JSC::BytecodeGenerator::emitNewObject):
2295         (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
2296         (JSC::BytecodeGenerator::emitCall):
2297         (JSC::BytecodeGenerator::emitCallVarargs):
2298         (JSC::BytecodeGenerator::emitConstruct): Added a hook to profiled opcodes
2299         to track their stores, in case a store kills a profiled allocation. Since
2300         profiled opcodes are basically the only interesting stores we do, this
2301         is a convenient place to notice any store that might kill an allocation.
2302
2303         * bytecompiler/BytecodeGenerator.h:
2304         (BytecodeGenerator): As above.
2305
2306         * bytecompiler/StaticPropertyAnalysis.h: Added.
2307         (JSC):
2308         (StaticPropertyAnalysis):
2309         (JSC::StaticPropertyAnalysis::create):
2310         (JSC::StaticPropertyAnalysis::addPropertyIndex):
2311         (JSC::StaticPropertyAnalysis::record):
2312         (JSC::StaticPropertyAnalysis::propertyIndexCount):
2313         (JSC::StaticPropertyAnalysis::StaticPropertyAnalysis): Simple helper
2314         class for tracking allocations and stores.
2315
2316         * bytecompiler/StaticPropertyAnalyzer.h: Added.
2317         (StaticPropertyAnalyzer):
2318         (JSC::StaticPropertyAnalyzer::StaticPropertyAnalyzer):
2319         (JSC::StaticPropertyAnalyzer::createThis):
2320         (JSC::StaticPropertyAnalyzer::newObject):
2321         (JSC::StaticPropertyAnalyzer::putById):
2322         (JSC::StaticPropertyAnalyzer::mov):
2323         (JSC::StaticPropertyAnalyzer::kill): Helper class for observing allocations
2324         and stores and making an inline capacity guess. The heuristics here are
2325         intentionally minimal because we don't want this one class to try to
2326         re-create something like a DFG or a runtime analysis. If we discover that
2327         we need those kinds of analyses, we should just replace this class with
2328         something else.
2329
2330         This class tracks multiple registers that alias the same object -- that
2331         happens a lot, when moving locals into temporary registers -- but it
2332         doesn't track control flow or multiple objects that alias the same register.
2333
2334         * dfg/DFGAbstractState.cpp:
2335         (JSC::DFG::AbstractState::execute): Updated for rename.
2336
2337         * dfg/DFGByteCodeParser.cpp:
2338         (JSC::DFG::ByteCodeParser::parseBlock): Updated for inline capacity and
2339         allocation profile.
2340
2341         * dfg/DFGNode.h:
2342         (JSC::DFG::Node::hasInlineCapacity):
2343         (Node):
2344         (JSC::DFG::Node::inlineCapacity):
2345         (JSC::DFG::Node::hasFunction): Give the graph a good way to represent
2346         inline capacity for an allocation.
2347
2348         * dfg/DFGNodeType.h:
2349         (DFG): Updated for rename.
2350
2351         * dfg/DFGOperations.cpp: Updated for interface change.
2352
2353         * dfg/DFGOperations.h: We pass the inline capacity to the slow case as
2354         an argument. This is the simplest way, since it's stored as a bytecode operand.
2355
2356         * dfg/DFGPredictionPropagationPhase.cpp:
2357         (JSC::DFG::PredictionPropagationPhase::propagate): Updated for rename.
2358
2359         * dfg/DFGRepatch.cpp:
2360         (JSC::DFG::tryCacheGetByID): Fixed a horrible off-by-one-half bug that only
2361         appears when doing an inline cached load for property number 64 on a 32-bit
2362         system. In JSVALUE32_64 land, "offsetRelativeToPatchedStorage" is the
2363         offset of the 64-bit JSValue -- but we'll actually issue two loads, one for
2364         the payload at that offset, and one for the tag at that offset + 4. We need
2365         to ensure that both loads have a compact representation, or we'll corrupt
2366         the instruction stream.
2367
2368         * dfg/DFGSpeculativeJIT.cpp:
2369         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
2370         * dfg/DFGSpeculativeJIT.h:
2371         (JSC::DFG::SpeculativeJIT::callOperation):
2372         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
2373         (SpeculativeJIT):
2374         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
2375         * dfg/DFGSpeculativeJIT32_64.cpp:
2376         (JSC::DFG::SpeculativeJIT::compile):
2377         * dfg/DFGSpeculativeJIT64.cpp:
2378         (JSC::DFG::SpeculativeJIT::compile): Lots of refactoring to support
2379         passing an allocator to our allocation function, and/or passing a Structure
2380         as a register instead of an immediate.
2381
2382         * heap/MarkedAllocator.h:
2383         (DFG):
2384         (MarkedAllocator):
2385         (JSC::MarkedAllocator::offsetOfFreeListHead): Added an accessor to simplify
2386         JIT code generation of allocation from an arbitrary allocator.
2387
2388         * jit/JIT.h:
2389         (JSC):
2390         * jit/JITInlines.h:
2391         (JSC):
2392         (JSC::JIT::emitAllocateJSObject):
2393         * jit/JITOpcodes.cpp:
2394         (JSC::JIT::emit_op_new_object):
2395         (JSC::JIT::emitSlow_op_new_object):
2396         (JSC::JIT::emit_op_create_this):
2397         (JSC::JIT::emitSlow_op_create_this):
2398         * jit/JITOpcodes32_64.cpp:
2399         (JSC::JIT::emit_op_new_object):
2400         (JSC::JIT::emitSlow_op_new_object):
2401         (JSC::JIT::emit_op_create_this):
2402         (JSC::JIT::emitSlow_op_create_this): Same refactoring as done for the DFG.
2403
2404         * jit/JITStubs.cpp:
2405         (JSC::tryCacheGetByID): Fixed the same bug mentioned above.
2406
2407         (JSC::DEFINE_STUB_FUNCTION): Updated for interface changes.
2408
2409         * llint/LLIntData.cpp:
2410         (JSC::LLInt::Data::performAssertions): Updated for interface changes.
2411
2412         * llint/LLIntSlowPaths.cpp:
2413         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2414         * llint/LowLevelInterpreter.asm:
2415         * llint/LowLevelInterpreter32_64.asm:
2416         * llint/LowLevelInterpreter64.asm: Same refactoring as for the JITs.
2417
2418         * profiler/ProfilerBytecode.cpp:
2419         * profiler/ProfilerBytecodes.cpp:
2420         * profiler/ProfilerCompilation.cpp:
2421         * profiler/ProfilerCompiledBytecode.cpp:
2422         * profiler/ProfilerDatabase.cpp:
2423         * profiler/ProfilerOSRExit.cpp:
2424         * profiler/ProfilerOrigin.cpp:
2425         * profiler/ProfilerProfiledBytecodes.cpp: Include ObjectConstructor.h
2426         because that's where createEmptyObject() lives now.
2427
2428         * runtime/Executable.h:
2429         (JSC::JSFunction::JSFunction): Updated for rename.
2430
2431         * runtime/JSCellInlines.h:
2432         (JSC::allocateCell): Updated to match the allocator selection code in
2433         the JIT, so it's clearer that both are correct.
2434
2435         * runtime/JSFunction.cpp:
2436         (JSC::JSFunction::JSFunction):
2437         (JSC::JSFunction::createAllocationProfile):
2438         (JSC::JSFunction::visitChildren):
2439         (JSC::JSFunction::getOwnPropertySlot):
2440         (JSC::JSFunction::put):
2441         (JSC::JSFunction::defineOwnProperty):
2442         (JSC::JSFunction::getConstructData):
2443         * runtime/JSFunction.h:
2444         (JSC::JSFunction::offsetOfScopeChain):
2445         (JSC::JSFunction::offsetOfExecutable):
2446         (JSC::JSFunction::offsetOfAllocationProfile):
2447         (JSC::JSFunction::allocationProfile):
2448         (JSFunction):
2449         (JSC::JSFunction::tryGetAllocationProfile):
2450         (JSC::JSFunction::addAllocationProfileWatchpoint): Changed inheritorID
2451         data member to be an ObjectAllocationProfile, which includes a pointer
2452         to the desired allocator. This simplifies JIT code, since we don't have
2453         to compute the allocator on the fly. I verified by code inspection that
2454         JSFunction is still only 64 bytes.
2455
2456         * runtime/JSGlobalObject.cpp:
2457         (JSC::JSGlobalObject::reset):
2458         (JSC::JSGlobalObject::visitChildren):
2459         * runtime/JSGlobalObject.h:
2460         (JSGlobalObject):
2461         (JSC::JSGlobalObject::dateStructure): No direct pointer to the empty
2462         object structure anymore, because now clients need to specify how much
2463         inline capacity they want.
2464
2465         * runtime/JSONObject.cpp:
2466         * runtime/JSObject.h:
2467         (JSC):
2468         (JSFinalObject):
2469         (JSC::JSFinalObject::defaultInlineCapacity):
2470         (JSC::JSFinalObject::maxInlineCapacity):
2471         (JSC::JSFinalObject::createStructure): A little refactoring to try to 
2472         clarify where some of these constants derive from.
2473
2474         (JSC::maxOffsetRelativeToPatchedStorage): Used for bug fix, above.
2475
2476         * runtime/JSProxy.cpp:
2477         (JSC::JSProxy::setTarget): Ugly, but effective.
2478
2479         * runtime/LiteralParser.cpp:
2480         * runtime/ObjectConstructor.cpp:
2481         (JSC::constructObject):
2482         (JSC::constructWithObjectConstructor):
2483         (JSC::callObjectConstructor):
2484         (JSC::objectConstructorCreate): Updated for interface changes.
2485
2486         * runtime/ObjectConstructor.h:
2487         (JSC::constructEmptyObject): Clarified your options for how to allocate
2488         an empty object, to emphasize what things can actually vary.
2489
2490         * runtime/PropertyOffset.h: These constants have moved because they're
2491         really higher level concepts to do with the layout of objects and the
2492         collector. PropertyOffset is just an abstract number line, independent
2493         of those things.
2494
2495         * runtime/PrototypeMap.cpp:
2496         (JSC::PrototypeMap::emptyObjectStructureForPrototype):
2497         (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
2498         * runtime/PrototypeMap.h:
2499         (PrototypeMap): The map key is now a pair of prototype and inline capacity,
2500         since Structure encodes inline capacity.
2501
2502         * runtime/Structure.cpp:
2503         (JSC::Structure::Structure):
2504         (JSC::Structure::materializePropertyMap):
2505         (JSC::Structure::addPropertyTransition):
2506         (JSC::Structure::nonPropertyTransition):
2507         (JSC::Structure::copyPropertyTableForPinning):
2508         * runtime/Structure.h:
2509         (Structure):
2510         (JSC::Structure::totalStorageSize):
2511         (JSC::Structure::transitionCount):
2512         (JSC::Structure::create): Fixed a nasty refactoring bug that only shows
2513         up after enabling variable-sized inline capacities: we were passing our
2514         type info where our inline capacity was expected. The compiler didn't
2515         notice because both have type int :(.
2516
2517 2013-01-28  Oliver Hunt  <oliver@apple.com>
2518
2519         Add more assertions to the property storage use in arrays
2520         https://bugs.webkit.org/show_bug.cgi?id=107728
2521
2522         Reviewed by Filip Pizlo.
2523
2524         Add a bunch of assertions to array and object butterfly
2525         usage.  This should make debugging somewhat easier.
2526
2527         I also converted a couple of assertions to release asserts
2528         as they were so low cost it seemed a sensible thing to do.
2529
2530         * runtime/JSArray.cpp:
2531         (JSC::JSArray::sortVector):
2532         (JSC::JSArray::compactForSorting):
2533         * runtime/JSObject.h:
2534         (JSC::JSObject::getHolyIndexQuickly):
2535
2536 2013-01-28  Adam Barth  <abarth@webkit.org>
2537
2538         Remove webkitNotifications.createHTMLNotification
2539         https://bugs.webkit.org/show_bug.cgi?id=107598
2540
2541         Reviewed by Benjamin Poulain.
2542
2543         * Configurations/FeatureDefines.xcconfig:
2544
2545 2013-01-28  Michael Saboff  <msaboff@apple.com>
2546
2547         Cleanup ARM version of debugName() in DFGFPRInfo.h
2548         https://bugs.webkit.org/show_bug.cgi?id=108090
2549
2550         Reviewed by David Kilzer.
2551
2552         Fixed debugName() so it will compile by adding static_cast<int> and missing commas.
2553
2554         * dfg/DFGFPRInfo.h:
2555         (JSC::DFG::FPRInfo::debugName):
2556
2557 2013-01-27  Andreas Kling  <akling@apple.com>
2558
2559         JSC: FunctionParameters are memory hungry.
2560         <http://webkit.org/b/108033>
2561         <rdar://problem/13094803>
2562
2563         Reviewed by Sam Weinig.
2564
2565         Instead of inheriting from Vector<Identifier>, make FunctionParameters a simple fixed-size array
2566         with a custom-allocating create() function. Removes one step of indirection and cuts memory usage
2567         roughly in half.
2568
2569         2.73 MB progression on Membuster3.
2570
2571         * bytecode/UnlinkedCodeBlock.cpp:
2572         (JSC::UnlinkedFunctionExecutable::paramString):
2573         * bytecompiler/BytecodeGenerator.cpp:
2574         (JSC::BytecodeGenerator::BytecodeGenerator):
2575         * parser/Nodes.cpp:
2576         (JSC::FunctionParameters::create):
2577         (JSC::FunctionParameters::FunctionParameters):
2578         (JSC::FunctionParameters::~FunctionParameters):
2579         * parser/Nodes.h:
2580         (FunctionParameters):
2581         (JSC::FunctionParameters::size):
2582         (JSC::FunctionParameters::at):
2583         (JSC::FunctionParameters::identifiers):
2584
2585 2013-01-27  Andreas Kling  <akling@apple.com>
2586
2587         JSC: SourceProviderCache is memory hungry.
2588         <http://webkit.org/b/108029>
2589         <rdar://problem/13094806>
2590
2591         Reviewed by Sam Weinig.
2592
2593         Use fixed-size arrays for SourceProviderCacheItem's lists of captured variables.
2594         Since the lists never change after the object is created, there's no need to keep them in Vectors
2595         and we can instead create the whole cache item in a single allocation.
2596
2597         13.37 MB progression on Membuster3.
2598
2599         * parser/Parser.cpp:
2600         (JSC::::parseFunctionInfo):
2601         * parser/Parser.h:
2602         (JSC::Scope::copyCapturedVariablesToVector):
2603         (JSC::Scope::fillParametersForSourceProviderCache):
2604         (JSC::Scope::restoreFromSourceProviderCache):
2605         * parser/SourceProviderCacheItem.h:
2606         (SourceProviderCacheItemCreationParameters):
2607         (SourceProviderCacheItem):
2608         (JSC::SourceProviderCacheItem::approximateByteSize):
2609         (JSC::SourceProviderCacheItem::usedVariables):
2610         (JSC::SourceProviderCacheItem::writtenVariables):
2611         (JSC::SourceProviderCacheItem::~SourceProviderCacheItem):
2612         (JSC::SourceProviderCacheItem::create):
2613         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
2614
2615 2013-01-27  Zoltan Arvai  <zarvai@inf.u-szeged.hu>
2616
2617         Fixing atomicIncrement implementation for Windows by dropping support before XP SP2.
2618         https://bugs.webkit.org/show_bug.cgi?id=106740
2619
2620         Reviewed by Benjamin Poulain.
2621
2622         * config.h:
2623
2624 2013-01-25  Filip Pizlo  <fpizlo@apple.com>
2625
2626         DFG variable event stream shouldn't use NodeIndex
2627         https://bugs.webkit.org/show_bug.cgi?id=107996
2628
2629         Reviewed by Oliver Hunt.
2630         
2631         Introduce the notion of a DFG::MinifiedID, which is just a unique ID of a DFG Node.
2632         Internally it currently uses a NodeIndex, but we could change this without having
2633         to recode all of the users of MinifiedID. This effectively decouples the OSR exit
2634         compiler's way of identifying nodes from the speculative JIT's way of identifying
2635         nodes, and should make it easier to make changes to the speculative JIT's internals
2636         in the future.
2637         
2638         Also changed variable event stream logging to exclude information about births and
2639         deaths of constants, since the OSR exit compiler never cares about which register
2640         holds a constant; if a value is constant then the OSR exit compiler can reify it.
2641         
2642         Also changed the variable event stream's value recovery computation to use a
2643         HashMap keyed by MinifiedID rather than a Vector indexed by NodeIndex.
2644         
2645         This appears to be performance-neutral. It's primarily meant as a small step
2646         towards https://bugs.webkit.org/show_bug.cgi?id=106868.
2647
2648         * GNUmakefile.list.am:
2649         * JavaScriptCore.xcodeproj/project.pbxproj:
2650         * dfg/DFGGenerationInfo.h:
2651         (JSC::DFG::GenerationInfo::GenerationInfo):
2652         (JSC::DFG::GenerationInfo::initConstant):
2653         (JSC::DFG::GenerationInfo::initInteger):
2654         (JSC::DFG::GenerationInfo::initJSValue):
2655         (JSC::DFG::GenerationInfo::initCell):
2656         (JSC::DFG::GenerationInfo::initBoolean):
2657         (JSC::DFG::GenerationInfo::initDouble):
2658         (JSC::DFG::GenerationInfo::initStorage):
2659         (JSC::DFG::GenerationInfo::noticeOSRBirth):
2660         (JSC::DFG::GenerationInfo::use):
2661         (JSC::DFG::GenerationInfo::appendFill):
2662         (JSC::DFG::GenerationInfo::appendSpill):
2663         (GenerationInfo):
2664         * dfg/DFGJITCompiler.cpp:
2665         (JSC::DFG::JITCompiler::link):
2666         * dfg/DFGMinifiedGraph.h:
2667         (JSC::DFG::MinifiedGraph::at):
2668         (MinifiedGraph):
2669         * dfg/DFGMinifiedID.h: Added.
2670         (DFG):
2671         (MinifiedID):
2672         (JSC::DFG::MinifiedID::MinifiedID):
2673         (JSC::DFG::MinifiedID::operator!):
2674         (JSC::DFG::MinifiedID::nodeIndex):
2675         (JSC::DFG::MinifiedID::operator==):
2676         (JSC::DFG::MinifiedID::operator!=):
2677         (JSC::DFG::MinifiedID::operator<):
2678         (JSC::DFG::MinifiedID::operator>):
2679         (JSC::DFG::MinifiedID::operator<=):
2680         (JSC::DFG::MinifiedID::operator>=):
2681         (JSC::DFG::MinifiedID::hash):
2682         (JSC::DFG::MinifiedID::dump):
2683         (JSC::DFG::MinifiedID::isHashTableDeletedValue):
2684         (JSC::DFG::MinifiedID::invalidID):
2685         (JSC::DFG::MinifiedID::otherInvalidID):
2686         (JSC::DFG::MinifiedID::fromBits):
2687         (JSC::DFG::MinifiedIDHash::hash):
2688         (JSC::DFG::MinifiedIDHash::equal):
2689         (MinifiedIDHash):
2690         (WTF):
2691         * dfg/DFGMinifiedNode.cpp:
2692         (JSC::DFG::MinifiedNode::fromNode):
2693         * dfg/DFGMinifiedNode.h:
2694         (JSC::DFG::MinifiedNode::id):
2695         (JSC::DFG::MinifiedNode::child1):
2696         (JSC::DFG::MinifiedNode::getID):
2697         (JSC::DFG::MinifiedNode::compareByNodeIndex):
2698         (MinifiedNode):
2699         * dfg/DFGSpeculativeJIT.cpp:
2700         (JSC::DFG::SpeculativeJIT::compileMovHint):
2701         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
2702         * dfg/DFGSpeculativeJIT.h:
2703         (JSC::DFG::SpeculativeJIT::setNodeIndexForOperand):
2704         * dfg/DFGValueSource.cpp:
2705         (JSC::DFG::ValueSource::dump):
2706         * dfg/DFGValueSource.h:
2707         (JSC::DFG::ValueSource::ValueSource):
2708         (JSC::DFG::ValueSource::isSet):
2709         (JSC::DFG::ValueSource::kind):
2710         (JSC::DFG::ValueSource::id):
2711         (ValueSource):
2712         (JSC::DFG::ValueSource::idFromKind):
2713         (JSC::DFG::ValueSource::kindFromID):
2714         * dfg/DFGVariableEvent.cpp:
2715         (JSC::DFG::VariableEvent::dump):
2716         (JSC::DFG::VariableEvent::dumpFillInfo):
2717         (JSC::DFG::VariableEvent::dumpSpillInfo):
2718         * dfg/DFGVariableEvent.h:
2719         (JSC::DFG::VariableEvent::fillGPR):
2720         (JSC::DFG::VariableEvent::fillPair):
2721         (JSC::DFG::VariableEvent::fillFPR):
2722         (JSC::DFG::VariableEvent::spill):
2723         (JSC::DFG::VariableEvent::death):
2724         (JSC::DFG::VariableEvent::movHint):
2725         (JSC::DFG::VariableEvent::id):
2726         (VariableEvent):
2727         * dfg/DFGVariableEventStream.cpp:
2728         (DFG):
2729         (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
2730         (JSC::DFG::VariableEventStream::reconstruct):
2731         * dfg/DFGVariableEventStream.h:
2732         (VariableEventStream):
2733
2734 2013-01-25  Roger Fong  <roger_fong@apple.com>
2735
2736         Unreviewed. Rename LLInt projects folder and make appropriate changes to solutions.
2737
2738         * JavaScriptCore.vcxproj/JavaScriptCore.sln:
2739         * JavaScriptCore.vcxproj/LLInt: Copied from JavaScriptCore.vcxproj/LLInt.vcproj.
2740         * JavaScriptCore.vcxproj/LLInt.vcproj: Removed.
2741         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly: Removed.
2742         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.make: Removed.
2743         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj: Removed.
2744         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj.user: Removed.
2745         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/build-LLIntAssembly.sh: Removed.
2746         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets: Removed.
2747         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.make: Removed.
2748         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: Removed.
2749         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj.user: Removed.
2750         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Removed.
2751         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor: Removed.
2752         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj: Removed.
2753         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj.user: Removed.
2754         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: Removed.
2755         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props: Removed.
2756         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.props: Removed.
2757
2758 2013-01-24  Roger Fong  <roger_fong@apple.com>
2759
2760         VS2010 JavaScriptCore: Clean up property sheets, add a JSC solution, add testRegExp and testAPI projects.
2761         https://bugs.webkit.org/show_bug.cgi?id=106987
2762
2763         Reviewed by Brent Fulgham.
2764
2765         * JavaScriptCore.vcxproj/JavaScriptCore.sln: Added.
2766         * JavaScriptCore.vcxproj/JavaScriptCoreCF.props:
2767         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
2768         * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd:
2769         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
2770         * JavaScriptCore.vcxproj/jsc/jscCommon.props:
2771         * JavaScriptCore.vcxproj/jsc/jscDebug.props:
2772         * JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd:
2773         * JavaScriptCore.vcxproj/jsc/jscPreLink.cmd:
2774         * JavaScriptCore.vcxproj/testRegExp: Added.
2775         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Added.
2776         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj.filters: Added.
2777         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj.user: Added.
2778         * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props: Added.
2779         * JavaScriptCore.vcxproj/testRegExp/testRegExpDebug.props: Added.
2780         * JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd: Added.
2781         * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd: Added.
2782         * JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd: Added.
2783         * JavaScriptCore.vcxproj/testRegExp/testRegExpRelease.props: Added.
2784         * JavaScriptCore.vcxproj/testapi: Added.
2785         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Added.
2786         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters: Added.
2787         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.user: Added.
2788         * JavaScriptCore.vcxproj/testapi/testapiCommon.props: Added.
2789         * JavaScriptCore.vcxproj/testapi/testapiDebug.props: Added.
2790         * JavaScriptCore.vcxproj/testapi/testapiPostBuild.cmd: Added.
2791         * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd: Added.
2792         * JavaScriptCore.vcxproj/testapi/testapiPreLink.cmd: Added.
2793         * JavaScriptCore.vcxproj/testapi/testapiRelease.props: Added.
2794
2795 2013-01-24  Roger Fong  <roger_fong@apple.com>
2796
2797         Unreviewed. Windows build fix.
2798
2799         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
2800
2801 2013-01-24  Filip Pizlo  <fpizlo@apple.com>
2802
2803         DFG::JITCompiler::getSpeculation() methods are badly named and superfluous
2804         https://bugs.webkit.org/show_bug.cgi?id=107860
2805
2806         Reviewed by Mark Hahnenberg.
2807
2808         * dfg/DFGJITCompiler.h:
2809         (JITCompiler):
2810         * dfg/DFGSpeculativeJIT64.cpp:
2811         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2812         (JSC::DFG::SpeculativeJIT::emitBranch):
2813
2814 2013-01-24  Mark Hahnenberg  <mhahnenberg@apple.com>
2815
2816         Objective-C API: Rename JSValue.h/APIJSValue.h to JSCJSValue.h/JSValue.h
2817         https://bugs.webkit.org/show_bug.cgi?id=107327
2818
2819         Reviewed by Filip Pizlo.
2820
2821         We're renaming these two files, so we have to replace the names everywhere.
2822
2823         * API/APICast.h:
2824         * API/APIJSValue.h: Removed.
2825         * API/JSBlockAdaptor.mm:
2826         * API/JSStringRefCF.cpp:
2827         * API/JSValue.h: Copied from Source/JavaScriptCore/API/APIJSValue.h.
2828         * API/JSValue.mm:
2829         * API/JSValueInternal.h:
2830         * API/JSValueRef.cpp:
2831         * API/JSWeakObjectMapRefPrivate.cpp:
2832         * API/JavaScriptCore.h:
2833         * CMakeLists.txt:
2834         * GNUmakefile.list.am:
2835         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2836         * JavaScriptCore.xcodeproj/project.pbxproj:
2837         * Target.pri:
2838         * bytecode/CallLinkStatus.h:
2839         * bytecode/CodeBlock.cpp:
2840         * bytecode/MethodOfGettingAValueProfile.h:
2841         * bytecode/ResolveGlobalStatus.cpp:
2842         * bytecode/ResolveGlobalStatus.h:
2843         * bytecode/SpeculatedType.h:
2844         * bytecode/ValueRecovery.h:
2845         * dfg/DFGByteCodeParser.cpp:
2846         * dfg/DFGJITCompiler.cpp:
2847         * dfg/DFGNode.h:
2848         * dfg/DFGSpeculativeJIT.cpp:
2849         * dfg/DFGSpeculativeJIT64.cpp:
2850         * heap/CopiedBlock.h:
2851         * heap/HandleStack.cpp:
2852         * heap/HandleTypes.h:
2853         * heap/WeakImpl.h:
2854         * interpreter/Interpreter.h:
2855         * interpreter/Register.h:
2856         * interpreter/VMInspector.h:
2857         * jit/HostCallReturnValue.cpp:
2858         * jit/HostCallReturnValue.h:
2859         * jit/JITCode.h:
2860         * jit/JITExceptions.cpp:
2861         * jit/JITExceptions.h:
2862         * jit/JSInterfaceJIT.h:
2863         * llint/LLIntCLoop.h:
2864         * llint/LLIntData.h:
2865         * llint/LLIntSlowPaths.cpp:
2866         * profiler/ProfilerBytecode.h:
2867         * profiler/ProfilerBytecodeSequence.h:
2868         * profiler/ProfilerBytecodes.h:
2869         * profiler/ProfilerCompilation.h:
2870         * profiler/ProfilerCompiledBytecode.h:
2871         * profiler/ProfilerDatabase.h:
2872         * profiler/ProfilerOSRExit.h:
2873         * profiler/ProfilerOSRExitSite.h:
2874         * profiler/ProfilerOrigin.h:
2875         * profiler/ProfilerOriginStack.h:
2876         * runtime/ArgList.cpp:
2877         * runtime/CachedTranscendentalFunction.h:
2878         * runtime/CallData.h:
2879         * runtime/Completion.h:
2880         * runtime/ConstructData.h:
2881         * runtime/DateConstructor.cpp:
2882         * runtime/DateInstance.cpp:
2883         * runtime/DatePrototype.cpp:
2884         * runtime/JSAPIValueWrapper.h:
2885         * runtime/JSCJSValue.cpp: Copied from Source/JavaScriptCore/runtime/JSValue.cpp.
2886         * runtime/JSCJSValue.h: Copied from Source/JavaScriptCore/runtime/JSValue.h.
2887         (JSValue):
2888         * runtime/JSCJSValueInlines.h: Copied from Source/JavaScriptCore/runtime/JSValueInlines.h.
2889         * runtime/JSGlobalData.h:
2890         * runtime/JSGlobalObject.cpp:
2891         * runtime/JSGlobalObjectFunctions.h:
2892         * runtime/JSStringJoiner.h:
2893         * runtime/JSValue.cpp: Removed.
2894         * runtime/JSValue.h: Removed.
2895         * runtime/JSValueInlines.h: Removed.
2896         * runtime/LiteralParser.h:
2897         * runtime/Operations.h:
2898         * runtime/PropertyDescriptor.h:
2899         * runtime/PropertySlot.h:
2900         * runtime/Protect.h:
2901         * runtime/RegExpPrototype.cpp:
2902         * runtime/Structure.h:
2903
2904 2013-01-23  Oliver Hunt  <oliver@apple.com>
2905
2906         Harden JSC a bit with RELEASE_ASSERT
2907         https://bugs.webkit.org/show_bug.cgi?id=107766
2908
2909         Reviewed by Mark Hahnenberg.
2910
2911         Went through and replaced a pile of ASSERTs that were guarding
2912         important details (bounds checks, etc.) where keeping the
2913         checks enabled in release builds did not impact performance in any
2914         measurable way.
2915
2916         * API/JSContextRef.cpp:
2917         (JSContextCreateBacktrace):
2918         * assembler/MacroAssembler.h:
2919         (JSC::MacroAssembler::branchAdd32):
2920         (JSC::MacroAssembler::branchMul32):
2921         * bytecode/CodeBlock.cpp:
2922         (JSC::CodeBlock::dumpBytecode):
2923         (JSC::CodeBlock::handlerForBytecodeOffset):
2924         (JSC::CodeBlock::lineNumberForBytecodeOffset):
2925         (JSC::CodeBlock::bytecodeOffset):
2926         * bytecode/CodeBlock.h:
2927         (JSC::CodeBlock::bytecodeOffsetForCallAtIndex):
2928         (JSC::CodeBlock::bytecodeOffset):
2929         (JSC::CodeBlock::exceptionHandler):
2930         (JSC::CodeBlock::codeOrigin):
2931         (JSC::CodeBlock::immediateSwitchJumpTable):
2932         (JSC::CodeBlock::characterSwitchJumpTable):
2933         (JSC::CodeBlock::stringSwitchJumpTable):
2934         (JSC::CodeBlock::setIdentifiers):
2935         (JSC::baselineCodeBlockForInlineCallFrame):
2936         (JSC::ExecState::uncheckedR):
2937         * bytecode/CodeOrigin.cpp:
2938         (JSC::CodeOrigin::inlineStack):
2939         * bytecode/CodeOrigin.h:
2940         (JSC::CodeOrigin::CodeOrigin):
2941         * dfg/DFGCSEPhase.cpp:
2942         * dfg/DFGOSRExit.cpp:
2943         * dfg/DFGScratchRegisterAllocator.h:
2944         (JSC::DFG::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
2945         (JSC::DFG::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
2946         * dfg/DFGSpeculativeJIT.h:
2947         (JSC::DFG::SpeculativeJIT::allocate):
2948         (JSC::DFG::SpeculativeJIT::spill):
2949         (JSC::DFG::SpeculativeJIT::integerResult):
2950         * dfg/DFGSpeculativeJIT64.cpp:
2951         (JSC::DFG::SpeculativeJIT::fillInteger):
2952         (JSC::DFG::SpeculativeJIT::fillDouble):
2953         (JSC::DFG::SpeculativeJIT::fillJSValue):
2954         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
2955         (JSC::DFG::SpeculativeJIT::emitCall):
2956         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
2957         (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
2958         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2959         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2960         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2961         (JSC::DFG::SpeculativeJIT::compile):
2962         * dfg/DFGValueSource.h:
2963         (JSC::DFG::dataFormatToValueSourceKind):
2964         (JSC::DFG::ValueSource::ValueSource):
2965         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
2966         * heap/BlockAllocator.cpp:
2967         (JSC::BlockAllocator::BlockAllocator):
2968         (JSC::BlockAllocator::releaseFreeRegions):
2969         (JSC::BlockAllocator::blockFreeingThreadMain):
2970         * heap/Heap.cpp:
2971         (JSC::Heap::lastChanceToFinalize):
2972         (JSC::Heap::collect):
2973         * interpreter/Interpreter.cpp:
2974         (JSC::Interpreter::throwException):
2975         (JSC::Interpreter::execute):
2976         * jit/GCAwareJITStubRoutine.cpp:
2977         (JSC::GCAwareJITStubRoutine::observeZeroRefCount):
2978         * jit/JIT.cpp:
2979         (JSC::JIT::privateCompileMainPass):
2980         (JSC::JIT::privateCompileSlowCases):
2981         * jit/JITExceptions.cpp:
2982         (JSC::genericThrow):
2983         * jit/JITInlines.h:
2984         (JSC::JIT::emitLoad):
2985         * jit/JITOpcodes.cpp:
2986         (JSC::JIT::emit_op_end):
2987         (JSC::JIT::emit_resolve_operations):
2988         * jit/JITStubRoutine.cpp:
2989         (JSC::JITStubRoutine::observeZeroRefCount):
2990         * jit/JITStubs.cpp:
2991         (JSC::returnToThrowTrampoline):
2992         * runtime/Arguments.cpp:
2993         (JSC::Arguments::getOwnPropertySlot):
2994         (JSC::Arguments::getOwnPropertyDescriptor):
2995         (JSC::Arguments::deleteProperty):
2996         (JSC::Arguments::defineOwnProperty):
2997         (JSC::Arguments::didTearOffActivation):
2998         * runtime/ArrayPrototype.cpp:
2999         (JSC::shift):
3000         (JSC::unshift):
3001         (JSC::arrayProtoFuncLastIndexOf):
3002         * runtime/ButterflyInlines.h:
3003         (JSC::Butterfly::growPropertyStorage):
3004         * runtime/CodeCache.cpp:
3005         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
3006         * runtime/CodeCache.h:
3007         (JSC::CacheMap::add):
3008         * runtime/Completion.cpp:
3009         (JSC::checkSyntax):
3010         (JSC::evaluate):
3011         * runtime/Executable.cpp:
3012         (JSC::FunctionExecutable::FunctionExecutable):
3013         (JSC::EvalExecutable::unlinkCalls):
3014         (JSC::ProgramExecutable::compileOptimized):
3015         (JSC::ProgramExecutable::unlinkCalls):
3016         (JSC::ProgramExecutable::initializeGlobalProperties):
3017         (JSC::FunctionExecutable::baselineCodeBlockFor):
3018         (JSC::FunctionExecutable::compileOptimizedForCall):
3019         (JSC::FunctionExecutable::compileOptimizedForConstruct):
3020         (JSC::FunctionExecutable::compileForCallInternal):
3021         (JSC::FunctionExecutable::compileForConstructInternal):
3022         (JSC::FunctionExecutable::unlinkCalls):
3023         (JSC::NativeExecutable::hashFor):
3024         * runtime/Executable.h:
3025         (JSC::EvalExecutable::compile):
3026         (JSC::ProgramExecutable::compile):
3027         (JSC::FunctionExecutable::compileForCall):
3028         (JSC::FunctionExecutable::compileForConstruct):
3029         * runtime/IndexingHeader.h:
3030         (JSC::IndexingHeader::setVectorLength):
3031         * runtime/JSArray.cpp:
3032         (JSC::JSArray::pop):
3033         (JSC::JSArray::shiftCountWithArrayStorage):
3034         (JSC::JSArray::shiftCountWithAnyIndexingType):
3035         (JSC::JSArray::unshiftCountWithArrayStorage):
3036         * runtime/JSGlobalObjectFunctions.cpp:
3037         (JSC::jsStrDecimalLiteral):
3038         * runtime/JSObject.cpp:
3039         (JSC::JSObject::copyButterfly):
3040         (JSC::JSObject::defineOwnIndexedProperty):
3041         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
3042         * runtime/JSString.cpp:
3043         (JSC::JSRopeString::getIndexSlowCase):
3044         * yarr/YarrInterpreter.cpp:
3045         (JSC::Yarr::Interpreter::popParenthesesDisjunctionContext):
3046
3047 2013-01-23  Filip Pizlo  <fpizlo@apple.com>
3048
3049         Constant folding an access to an uncaptured variable that is captured later in the same basic block shouldn't lead to assertion failures
3050         https://bugs.webkit.org/show_bug.cgi?id=107750
3051         <rdar://problem/12387265>
3052
3053         Reviewed by Mark Hahnenberg.
3054         
3055         The point of this assertion was that if there is no variable capturing going on, then there should only be one GetLocal
3056         for the variable anywhere in the basic block. But if there is some capturing, then we'll have an unbounded number of
3057         GetLocals. The assertion was too imprecise for the latter case. I want to keep this assertion, so I introduced a
3058         checker that verifies this precisely: if there are any captured accesses to the variable anywhere at or after the
3059         GetLocal we are eliminating, then we allow redundant GetLocals.
3060
3061         * dfg/DFGConstantFoldingPhase.cpp:
3062         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3063         (ConstantFoldingPhase):
3064         (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
3065
3066 2013-01-23  Oliver Hunt  <oliver@apple.com>
3067
3068         Replace ASSERT_NOT_REACHED with RELEASE_ASSERT_NOT_REACHED in JSC
3069         https://bugs.webkit.org/show_bug.cgi?id=107736
3070
3071         Reviewed by Mark Hahnenberg.
3072
3073         Mechanical change with no performance impact.
3074
3075         * API/JSBlockAdaptor.mm:
3076         (BlockArgumentTypeDelegate::typeVoid):
3077         * API/JSCallbackObjectFunctions.h:
3078         (JSC::::construct):
3079         (JSC::::call):
3080         * API/JSScriptRef.cpp:
3081         * API/ObjCCallbackFunction.mm:
3082         (ArgumentTypeDelegate::typeVoid):
3083         * assembler/ARMv7Assembler.h:
3084         (JSC::ARMv7Assembler::link):
3085         (JSC::ARMv7Assembler::replaceWithLoad):
3086         (JSC::ARMv7Assembler::replaceWithAddressComputation):
3087         * assembler/MacroAssembler.h:
3088         (JSC::MacroAssembler::invert):
3089         * assembler/MacroAssemblerARM.h:
3090         (JSC::MacroAssemblerARM::countLeadingZeros32):
3091         (JSC::MacroAssemblerARM::divDouble):
3092         * assembler/MacroAssemblerMIPS.h:
3093         (JSC::MacroAssemblerMIPS::absDouble):
3094         (JSC::MacroAssemblerMIPS::replaceWithJump):
3095         (JSC::MacroAssemblerMIPS::maxJumpReplacementSize):
3096         * assembler/MacroAssemblerSH4.h:
3097         (JSC::MacroAssemblerSH4::absDouble):
3098         (JSC::MacroAssemblerSH4::replaceWithJump):
3099         (JSC::MacroAssemblerSH4::maxJumpReplacementSize):
3100         * assembler/SH4Assembler.h:
3101         (JSC::SH4Assembler::shllImm8r):
3102         (JSC::SH4Assembler::shlrImm8r):
3103         (JSC::SH4Assembler::cmplRegReg):
3104         (JSC::SH4Assembler::branch):
3105         * assembler/X86Assembler.h:
3106         (JSC::X86Assembler::replaceWithLoad):
3107         (JSC::X86Assembler::replaceWithAddressComputation):
3108         * bytecode/CallLinkInfo.cpp:
3109         (JSC::CallLinkInfo::unlink):
3110         * bytecode/CodeBlock.cpp:
3111         (JSC::debugHookName):
3112         (JSC::CodeBlock::printGetByIdOp):
3113         (JSC::CodeBlock::printGetByIdCacheStatus):
3114         (JSC::CodeBlock::visitAggregate):
3115         (JSC::CodeBlock::finalizeUnconditionally):
3116         (JSC::CodeBlock::usesOpcode):
3117         * bytecode/DataFormat.h:
3118         (JSC::needDataFormatConversion):
3119         * bytecode/ExitKind.cpp:
3120         (JSC::exitKindToString):
3121         (JSC::exitKindIsCountable):
3122         * bytecode/MethodOfGettingAValueProfile.cpp:
3123         (JSC::MethodOfGettingAValueProfile::getSpecFailBucket):
3124         * bytecode/Opcode.h:
3125         (JSC::opcodeLength):
3126         * bytecode/PolymorphicPutByIdList.cpp:
3127         (JSC::PutByIdAccess::fromStructureStubInfo):
3128         (JSC::PutByIdAccess::visitWeak):
3129         * bytecode/StructureStubInfo.cpp:
3130         (JSC::StructureStubInfo::deref):
3131         * bytecompiler/BytecodeGenerator.cpp:
3132         (JSC::ResolveResult::checkValidity):
3133         (JSC::BytecodeGenerator::emitGetLocalVar):
3134         (JSC::BytecodeGenerator::beginSwitch):
3135         * bytecompiler/NodesCodegen.cpp:
3136         (JSC::BinaryOpNode::emitBytecode):
3137         (JSC::emitReadModifyAssignment):
3138         * dfg/DFGAbstractState.cpp:
3139         (JSC::DFG::AbstractState::execute):
3140         (JSC::DFG::AbstractState::mergeStateAtTail):
3141         (JSC::DFG::AbstractState::mergeToSuccessors):
3142         * dfg/DFGByteCodeParser.cpp:
3143         (JSC::DFG::ByteCodeParser::makeSafe):
3144         (JSC::DFG::ByteCodeParser::parseBlock):
3145         * dfg/DFGCFGSimplificationPhase.cpp:
3146         (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
3147         (JSC::DFG::CFGSimplificationPhase::fixTailOperand):
3148         * dfg/DFGCSEPhase.cpp:
3149         (JSC::DFG::CSEPhase::setLocalStoreElimination):
3150         * dfg/DFGCapabilities.cpp:
3151         (JSC::DFG::canHandleOpcodes):
3152         * dfg/DFGCommon.h:
3153         (JSC::DFG::useKindToString):
3154         * dfg/DFGDoubleFormatState.h:
3155         (JSC::DFG::mergeDoubleFormatStates):
3156         (JSC::DFG::doubleFormatStateToString):
3157         * dfg/DFGFixupPhase.cpp:
3158         (JSC::DFG::FixupPhase::blessArrayOperation):
3159         * dfg/DFGGraph.h:
3160         (JSC::DFG::Graph::clobbersWorld):
3161         * dfg/DFGNode.h:
3162         (JSC::DFG::Node::valueOfJSConstant):
3163         (JSC::DFG::Node::successor):
3164         * dfg/DFGNodeFlags.cpp:
3165         (JSC::DFG::nodeFlagsAsString):
3166         * dfg/DFGNodeType.h:
3167         (JSC::DFG::defaultFlags):
3168         * dfg/DFGRepatch.h:
3169         (JSC::DFG::dfgResetGetByID):
3170         (JSC::DFG::dfgResetPutByID):
3171         * dfg/DFGSlowPathGenerator.h:
3172         (JSC::DFG::SlowPathGenerator::call):
3173         * dfg/DFGSpeculativeJIT.cpp:
3174         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
3175         (JSC::DFG::SpeculativeJIT::silentSpill):
3176         (JSC::DFG::SpeculativeJIT::silentFill):
3177         (JSC::DFG::SpeculativeJIT::checkArray):
3178         (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
3179         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
3180         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
3181         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
3182         * dfg/DFGSpeculativeJIT.h:
3183         (JSC::DFG::SpeculativeJIT::bitOp):
3184         (JSC::DFG::SpeculativeJIT::shiftOp):
3185         (JSC::DFG::SpeculativeJIT::integerResult):
3186         * dfg/DFGSpeculativeJIT32_64.cpp:
3187         (JSC::DFG::SpeculativeJIT::fillInteger):
3188         (JSC::DFG::SpeculativeJIT::fillDouble):
3189         (JSC::DFG::SpeculativeJIT::fillJSValue):
3190         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
3191         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3192         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3193         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3194         (JSC::DFG::SpeculativeJIT::compile):
3195         * dfg/DFGSpeculativeJIT64.cpp:
3196         (JSC::DFG::SpeculativeJIT::fillInteger):
3197         (JSC::DFG::SpeculativeJIT::fillDouble):
3198         (JSC::DFG::SpeculativeJIT::fillJSValue):
3199         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
3200         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3201         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3202         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3203         (JSC::DFG::SpeculativeJIT::compile):
3204         * dfg/DFGStructureCheckHoistingPhase.cpp:
3205         (JSC::DFG::StructureCheckHoistingPhase::run):
3206         * dfg/DFGValueSource.h:
3207         (JSC::DFG::ValueSource::valueRecovery):
3208         * dfg/DFGVariableEvent.cpp:
3209         (JSC::DFG::VariableEvent::dump):
3210         * dfg/DFGVariableEventStream.cpp:
3211         (JSC::DFG::VariableEventStream::reconstruct):
3212         * heap/BlockAllocator.h:
3213         (JSC::BlockAllocator::regionSetFor):
3214         * heap/GCThread.cpp:
3215         (JSC::GCThread::gcThreadMain):
3216         * heap/MarkedBlock.cpp:
3217         (JSC::MarkedBlock::sweepHelper):
3218         * heap/MarkedBlock.h:
3219         (JSC::MarkedBlock::isLive):
3220         * interpreter/CallFrame.h:
3221         (JSC::ExecState::inlineCallFrame):
3222         * interpreter/Interpreter.cpp:
3223         (JSC::getCallerInfo):
3224         (JSC::getStackFrameCodeType):
3225         (JSC::Interpreter::execute):
3226         * jit/ExecutableAllocatorFixedVMPool.cpp:
3227         (JSC::FixedVMPoolExecutableAllocator::notifyPageIsFree):
3228         * jit/JIT.cpp:
3229         (JSC::JIT::privateCompileMainPass):
3230         (JSC::JIT::privateCompileSlowCases):
3231         (JSC::JIT::privateCompile):
3232         * jit/JITArithmetic.cpp:
3233         (JSC::JIT::emitSlow_op_mod):
3234         * jit/JITArithmetic32_64.cpp:
3235         (JSC::JIT::emitBinaryDoubleOp):
3236         (JSC::JIT::emitSlow_op_mod):
3237         * jit/JITPropertyAccess.cpp:
3238         (JSC::JIT::isDirectPutById):
3239         * jit/JITStubs.cpp:
3240         (JSC::getPolymorphicAccessStructureListSlot):
3241         (JSC::DEFINE_STUB_FUNCTION):
3242         * llint/LLIntSlowPaths.cpp:
3243         (JSC::LLInt::jitCompileAndSetHeuristics):
3244         * parser/Lexer.cpp:
3245         (JSC::::lex):
3246         * parser/Nodes.h:
3247         (JSC::ExpressionNode::emitBytecodeInConditionContext):
3248         * parser/Parser.h:
3249         (JSC::Parser::getTokenName):
3250         (JSC::Parser::updateErrorMessageSpecialCase):
3251         * parser/SyntaxChecker.h:
3252         (JSC::SyntaxChecker::operatorStackPop):
3253         * runtime/Arguments.cpp:
3254         (JSC::Arguments::tearOffForInlineCallFrame):
3255         * runtime/DatePrototype.cpp:
3256         (JSC::formatLocaleDate):
3257         * runtime/Executable.cpp:
3258         (JSC::samplingDescription):
3259         * runtime/Executable.h:
3260         (JSC::ScriptExecutable::unlinkCalls):
3261         * runtime/Identifier.cpp:
3262         (JSC):
3263         * runtime/InternalFunction.cpp:
3264         (JSC::InternalFunction::getCallData):
3265         * runtime/JSArray.cpp:
3266         (JSC::JSArray::push):
3267         (JSC::JSArray::sort):
3268         * runtime/JSCell.cpp:
3269         (JSC::JSCell::defaultValue):
3270         (JSC::JSCell::getOwnPropertyNames):
3271         (JSC::JSCell::getOwnNonIndexPropertyNames):
3272         (JSC::JSCell::className):
3273         (JSC::JSCell::getPropertyNames):
3274         (JSC::JSCell::customHasInstance):
3275         (JSC::JSCell::putDirectVirtual):
3276         (JSC::JSCell::defineOwnProperty):
3277         (JSC::JSCell::getOwnPropertyDescriptor):
3278         * runtime/JSCell.h:
3279         (JSCell):
3280         * runtime/JSNameScope.cpp:
3281         (JSC::JSNameScope::put):
3282         * runtime/JSObject.cpp:
3283         (JSC::JSObject::getOwnPropertySlotByIndex):
3284         (JSC::JSObject::putByIndex):
3285         (JSC::JSObject::ensureArrayStorageSlow):
3286         (JSC::JSObject::deletePropertyByIndex):
3287         (JSC::JSObject::getOwnPropertyNames):
3288         (JSC::JSObject::putByIndexBeyondVectorLength):
3289         (JSC::JSObject::putDirectIndexBeyondVectorLength):
3290         (JSC::JSObject::getOwnPropertyDescriptor):
3291         * runtime/JSObject.h:
3292         (JSC::JSObject::canGetIndexQuickly):
3293         (JSC::JSObject::getIndexQuickly):
3294         (JSC::JSObject::tryGetIndexQuickly):
3295         (JSC::JSObject::canSetIndexQuickly):
3296         (JSC::JSObject::canSetIndexQuicklyForPutDirect):
3297         (JSC::JSObject::setIndexQuickly):
3298         (JSC::JSObject::initializeIndex):
3299         (JSC::JSObject::hasSparseMap):
3300         (JSC::JSObject::inSparseIndexingMode):
3301         * runtime/JSScope.cpp:
3302         (JSC::JSScope::isDynamicScope):
3303         * runtime/JSSymbolTableObject.cpp:
3304         (JSC::JSSymbolTableObject::putDirectVirtual):
3305         * runtime/JSSymbolTableObject.h:
3306         (JSSymbolTableObject):
3307         * runtime/LiteralParser.cpp:
3308         (JSC::::parse):
3309         * runtime/RegExp.cpp:
3310         (JSC::RegExp::compile):
3311         (JSC::RegExp::compileMatchOnly):
3312         * runtime/StructureTransitionTable.h:
3313         (JSC::newIndexingType):
3314         * tools/CodeProfile.cpp:
3315         (JSC::CodeProfile::sample):
3316         * yarr/YarrCanonicalizeUCS2.h:
3317         (JSC::Yarr::getCanonicalPair):
3318         (JSC::Yarr::areCanonicallyEquivalent):
3319         * yarr/YarrInterpreter.cpp:
3320         (JSC::Yarr::Interpreter::matchCharacterClass):
3321         (JSC::Yarr::Interpreter::matchBackReference):
3322         (JSC::Yarr::Interpreter::backtrackParenthesesTerminalEnd):
3323         (JSC::Yarr::Interpreter::matchParentheses):
3324         (JSC::Yarr::Interpreter::backtrackParentheses):
3325         (JSC::Yarr::Interpreter::matchDisjunction):
3326         * yarr/YarrJIT.cpp:
3327         (JSC::Yarr::YarrGenerator::generateTerm):
3328         (JSC::Yarr::YarrGenerator::backtrackTerm):
3329         * yarr/YarrParser.h:
3330         (JSC::Yarr::Parser::CharacterClassParserDelegate::assertionWordBoundary):
3331         (JSC::Yarr::Parser::CharacterClassParserDelegate::atomBackReference):
3332         * yarr/YarrPattern.cpp:
3333         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassBuiltIn):
3334
3335 2013-01-23  Tony Chang  <tony@chromium.org>
3336
3337         Unreviewed, set svn:eol-style to CRLF on Windows .sln files.
3338
3339         * JavaScriptCore.vcproj/JavaScriptCore.sln: Modified property svn:eol-style.
3340         * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln: Modified property svn:eol-style.
3341
3342 2013-01-23  Oliver Hunt  <oliver@apple.com>
3343
3344         Replace numerous manual CRASH's in JSC with RELEASE_ASSERT
3345         https://bugs.webkit.org/show_bug.cgi?id=107726
3346
3347         Reviewed by Filip Pizlo.
3348
3349         Fairly manual change from if (foo) CRASH(); to RELEASE_ASSERT(!foo);
3350
3351         * assembler/MacroAssembler.h:
3352         (JSC::MacroAssembler::branchAdd32):
3353         (JSC::MacroAssembler::branchMul32):
3354         * bytecode/CodeBlockHash.cpp:
3355         (JSC::CodeBlockHash::CodeBlockHash):
3356         * heap/BlockAllocator.h:
3357         (JSC::Region::create):
3358         (JSC::Region::createCustomSize):
3359         * heap/GCAssertions.h:
3360         * heap/HandleSet.cpp:
3361         (JSC::HandleSet::visitStrongHandles):
3362         (JSC::HandleSet::writeBarrier):
3363         * heap/HandleSet.h:
3364         (JSC::HandleSet::allocate):
3365         * heap/Heap.cpp:
3366         (JSC::Heap::collect):
3367         * heap/SlotVisitor.cpp:
3368         (JSC::SlotVisitor::validate):
3369         * interpreter/Interpreter.cpp:
3370         (JSC::Interpreter::execute):
3371         * jit/ExecutableAllocator.cpp:
3372         (JSC::DemandExecutableAllocator::allocateNewSpace):
3373         (JSC::ExecutableAllocator::allocate):
3374         * jit/ExecutableAllocator.h:
3375         (JSC::roundUpAllocationSize):
3376         * jit/ExecutableAllocatorFixedVMPool.cpp:
3377         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
3378         (JSC::ExecutableAllocator::allocate):
3379         * runtime/ButterflyInlines.h:
3380         (JSC::Butterfly::createUninitialized):
3381         * runtime/Completion.cpp:
3382         (JSC::evaluate):
3383         * runtime/JSArray.h:
3384         (JSC::constructArray):
3385         * runtime/JSGlobalObject.cpp:
3386         (JSC::slowValidateCell):
3387         * runtime/JSObject.cpp:
3388         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
3389         (JSC::JSObject::createArrayStorage):
3390         * tools/TieredMMapArray.h:
3391         (JSC::TieredMMapArray::append):
3392         * yarr/YarrInterpreter.cpp:
3393         (JSC::Yarr::Interpreter::allocDisjunctionContext):
3394         (JSC::Yarr::Interpreter::allocParenthesesDisjunctionContext):
3395         (JSC::Yarr::Interpreter::InputStream::readChecked):
3396         (JSC::Yarr::Interpreter::InputStream::uncheckInput):
3397         (JSC::Yarr::Interpreter::InputStream::atEnd):
3398         (JSC::Yarr::Interpreter::interpret):
3399
3400 2013-01-22  Filip Pizlo  <fpizlo@apple.com>
3401
3402         Convert CSE phase to not rely too much on NodeIndex
3403         https://bugs.webkit.org/show_bug.cgi?id=107616
3404
3405         Reviewed by Geoffrey Garen.
3406         
3407         - Instead of looping over the graph (which assumes that you can simply loop over all
3408           nodes without considering blocks first) to reset node.replacement, do that in the
3409           loop that sets up relevantToOSR, just before running CSE on the block.
3410         
3411         - Instead of having a relevantToOSR bitvector indexed by NodeIndex, made
3412           NodeRelevantToOSR be a NodeFlag. We had exactly one bit left in NodeFlags, so I did
3413           some reshuffling to fit it in.
3414
3415         * dfg/DFGCSEPhase.cpp:
3416         (JSC::DFG::CSEPhase::CSEPhase):
3417         (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
3418         (JSC::DFG::CSEPhase::performNodeCSE):
3419         (JSC::DFG::CSEPhase::performBlockCSE):
3420         (CSEPhase):
3421         * dfg/DFGNodeFlags.h:
3422         (DFG):
3423         * dfg/DFGNodeType.h:
3424         (DFG):
3425
3426 2013-01-21  Kentaro Hara  <haraken@chromium.org>
3427
3428         Implement UIEvent constructor
3429         https://bugs.webkit.org/show_bug.cgi?id=107430
3430
3431         Reviewed by Adam Barth.
3432
3433         Editor's draft: https://dvcs.w3.org/hg/d4e/raw-file/tip/source_respec.htm
3434
3435         UIEvent constructor is implemented under a DOM4_EVENTS_CONSTRUCTOR flag,
3436         which is enabled on Safari and Chromium for now.
3437
3438         * Configurations/FeatureDefines.xcconfig:
3439
3440 2013-01-22  Roger Fong  <roger_fong@apple.com>
3441
3442         Unreviewed VS2010 build fix following r140259.
3443
3444         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3445         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3446
3447 2013-01-22  Roger Fong  <roger_fong@apple.com>
3448
3449         JavaScriptCore property sheets, project files and modified build scripts.
3450         https://bugs.webkit.org/show_bug.cgi?id=106987
3451
3452         Reviewed by Brent Fulgham.
3453
3454         * JavaScriptCore.vcxproj: Added.
3455         * JavaScriptCore.vcxproj/JavaScriptCore.resources: Added.
3456         * JavaScriptCore.vcxproj/JavaScriptCore.resources/Info.plist: Added.
3457         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added.
3458         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Added.
3459         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.user: Added.
3460         * JavaScriptCore.vcxproj/JavaScriptCoreCF.props: Added.
3461         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Added.
3462         * JavaScriptCore.vcxproj/JavaScriptCoreDebug.props: Added.
3463         * JavaScriptCore.vcxproj/JavaScriptCoreExports.def: Added.
3464         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make: Added.
3465         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Added.
3466         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.filters: Added.
3467         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.user: Added.
3468         * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedCommon.props: Added.
3469         * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedDebug.props: Added.
3470         * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedRelease.props: Added.
3471         * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: Added.
3472         * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd: Added.
3473         * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd: Added.
3474         * JavaScriptCore.vcxproj/JavaScriptCoreRelease.props: Added.
3475         * JavaScriptCore.vcxproj/LLInt.vcproj: Added.
3476         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly: Added.
3477         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.make: Added.
3478         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj: Added.
3479         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj.user: Added.
3480         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/build-LLIntAssembly.sh: Added.
3481         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets: Added.
3482         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.make: Added.
3483         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: Added.
3484         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj.user: Added.
3485         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Added.
3486         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor: Added.
3487         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj: Added.
3488         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj.user: Added.
3489         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: Added.
3490         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props: Added.
3491         * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.props: Added.
3492         * JavaScriptCore.vcxproj/build-generated-files.sh: Added.
3493         * JavaScriptCore.vcxproj/copy-files.cmd: Added.
3494         * JavaScriptCore.vcxproj/jsc: Added.
3495         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Added.
3496         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj.filters: Added.
3497         * JavaScriptCore.vcxproj/jsc/jsc.vcxproj.user: Added.
3498         * JavaScriptCore.vcxproj/jsc/jscCommon.props: Added.
3499         * JavaScriptCore.vcxproj/jsc/jscDebug.props: Added.
3500         * JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd: Added.
3501         * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd: Added.
3502         * JavaScriptCore.vcxproj/jsc/jscPreLink.cmd: Added.
3503         * JavaScriptCore.vcxproj/jsc/jscRelease.props: Added.
3504         * config.h:
3505
3506 2013-01-22  Joseph Pecoraro  <pecoraro@apple.com>
3507
3508         [Mac] Enable Page Visibility (PAGE_VISIBILITY_API)
3509         https://bugs.webkit.org/show_bug.cgi?id=107230
3510
3511         Reviewed by David Kilzer.
3512
3513         * Configurations/FeatureDefines.xcconfig:
3514
3515 2013-01-22  Tobias Netzel  <tobias.netzel@googlemail.com>
3516
3517         Yarr JIT isn't big endian compatible
3518         https://bugs.webkit.org/show_bug.cgi?id=102897
3519
3520         Reviewed by Oliver Hunt.
3521
        This patch was tested in the current Mozilla codebase only and has passed the regexp tests there.
3523
3524         * yarr/YarrJIT.cpp:
3525         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
3526
3527 2013-01-22  David Kilzer  <ddkilzer@apple.com>
3528
3529         Fix DateMath.cpp to compile with -Wshorten-64-to-32
3530         <http://webkit.org/b/107503>
3531
3532         Reviewed by Darin Adler.
3533
3534         * runtime/JSDateMath.cpp:
3535         (JSC::parseDateFromNullTerminatedCharacters): Remove unneeded
3536         static_cast<int>().
3537
3538 2013-01-22  Tim Horton  <timothy_horton@apple.com>
3539
3540         PDFPlugin: Build PDFPlugin everywhere, enable at runtime
3541         https://bugs.webkit.org/show_bug.cgi?id=107117
3542
3543         Reviewed by Alexey Proskuryakov.
3544
3545         Since PDFLayerController SPI is all forward-declared, the plugin should build
3546         on all Mac platforms, and can be enabled at runtime.
3547
3548         * Configurations/FeatureDefines.xcconfig:
3549
3550 2013-01-21  Justin Schuh  <jschuh@chromium.org>
3551
3552         [CHROMIUM] Suppress c4267 build warnings for Win64 targets
3553         https://bugs.webkit.org/show_bug.cgi?id=107499
3554
3555         Reviewed by Abhishek Arya.
3556
3557         * JavaScriptCore.gyp/JavaScriptCore.gyp:
3558
3559 2013-01-21  Dirk Schulze  <dschulze@adobe.com>
3560
3561         Add build flag for Canvas's Path object (disabled by default)
3562         https://bugs.webkit.org/show_bug.cgi?id=107473
3563
3564         Reviewed by Dean Jackson.
3565
3566         Add CANVAS_PATH build flag to build systems.
3567
3568         * Configurations/FeatureDefines.xcconfig:
3569
3570 2013-01-20  Geoffrey Garen  <ggaren@apple.com>
3571
3572         Weak GC maps should be easier to use
3573         https://bugs.webkit.org/show_bug.cgi?id=107312
3574
3575         Reviewed by Sam Weinig.
3576
3577         Follow-up fix.
3578
3579         * runtime/PrototypeMap.cpp:
3580         (JSC::PrototypeMap::emptyObjectStructureForPrototype): Restored this
3581         ASSERT, which was disabled because of a bug in WeakGCMap.
3582
3583         * runtime/WeakGCMap.h:
3584         (JSC::WeakGCMap::add): We can't pass our passed-in value to add() because
3585         a PassWeak() clears itself when passed to another function. So, we pass
3586         nullptr instead, and fix things up afterwards.
3587
3588 2013-01-20  Geoffrey Garen  <ggaren@apple.com>
3589
3590         Unreviewed.
3591
3592         Temporarily disabling this ASSERT to get the bots green
3593         while I investigate a fix.
3594
3595         * runtime/PrototypeMap.cpp:
3596         (JSC::PrototypeMap::emptyObjectStructureForPrototype):
3597
3598 2013-01-20  Filip Pizlo  <fpizlo@apple.com>
3599
3600         Inserting a node into the DFG graph should not require five lines of code
3601         https://bugs.webkit.org/show_bug.cgi?id=107381
3602
3603         Reviewed by Sam Weinig.
3604         
3605         This adds fairly comprehensive support for inserting a node into a DFG graph in one
3606         method call. A common example of this is:
3607         
3608         m_insertionSet.insertNode(indexInBlock, DontRefChildren, DontRefNode, SpecNone, ForceOSRExit, codeOrigin);
3609         
        The arguments to insertNode() specify what reference counting you need to have happen
3611         (RefChildren => recursively refs all children, RefNode => non-recursively refs the node
3612         that was created), the prediction to set (SpecNone is a common default), followed by
3613         the arguments to the Node() constructor. InsertionSet::insertNode() and similar methods
3614         (Graph::addNode() and BasicBlock::appendNode()) all use a common variadic template
3615         function macro from DFGVariadicFunction.h. Also, all of these methods will automatically
3616         non-recursively ref() the node being created if the flags say NodeMustGenerate.
3617         
3618         In all, this new mechanism retains the flexibility of the old approach (you get to
3619         manage ref counts yourself, albeit in less code) while ensuring that most code that adds
3620         nodes to the graph now needs less code to do it.
3621         
3622         In the future, we should revisit the reference counting methodology in the DFG: we could
3623         do like most compilers and get rid of it entirely, or we could make it automatic. This
3624         patch doesn't attempt to make any such major changes, and only seeks to simplify the
3625         technique we were already using (manual ref counting).
3626
3627         * GNUmakefile.list.am:
3628         * JavaScriptCore.xcodeproj/project.pbxproj:
3629         * bytecode/Operands.h:
3630         (JSC::dumpOperands):
3631         * dfg/DFGAdjacencyList.h:
3632         (AdjacencyList):
3633         (JSC::DFG::AdjacencyList::kind):
3634         * dfg/DFGArgumentsSimplificationPhase.cpp:
3635         (JSC::DFG::ArgumentsSimplificationPhase::run):
3636         * dfg/DFGBasicBlock.h:
3637         (DFG):
3638         (BasicBlock):
3639         * dfg/DFGBasicBlockInlines.h: Added.
3640         (DFG):
3641         * dfg/DFGCFGSimplificationPhase.cpp:
3642         (JSC::DFG::CFGSimplificationPhase::run):
3643         (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
3644         * dfg/DFGCommon.h:
3645         * dfg/DFGConstantFoldingPhase.cpp:
3646         (JSC::DFG::ConstantFoldingPhase::ConstantFoldingPhase):
3647         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3648         (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
3649         (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
3650         (ConstantFoldingPhase):
3651         * dfg/DFGFixupPhase.cpp:
3652         (JSC::DFG::FixupPhase::FixupPhase):
3653         (JSC::DFG::FixupPhase::fixupBlock):
3654         (JSC::DFG::FixupPhase::fixupNode):
3655         (FixupPhase):
3656         (JSC::DFG::FixupPhase::checkArray):
3657         (JSC::DFG::FixupPhase::blessArrayOperation):
3658         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
3659         * dfg/DFGGraph.h:
3660         (JSC::DFG::Graph::ref):
3661         (Graph):
3662         * dfg/DFGInsertionSet.h:
3663         (DFG):
3664         (JSC::DFG::Insertion::Insertion):
3665         (JSC::DFG::Insertion::element):
3666         (Insertion):
3667         (JSC::DFG::InsertionSet::InsertionSet):
3668         (JSC::DFG::InsertionSet::insert):
3669         (InsertionSet):
3670         (JSC::DFG::InsertionSet::execute):
3671         * dfg/DFGNode.h:
3672         (JSC::DFG::Node::Node):
3673         (Node):
3674         * dfg/DFGStructureCheckHoistingPhase.cpp:
3675         (JSC::DFG::StructureCheckHoistingPhase::run):
3676         * dfg/DFGVariadicFunction.h: Added.
3677
3678 2013-01-19  Geoffrey Garen  <ggaren@apple.com>
3679
3680         Track inheritance structures in a side table, instead of using a private
3681         name in each prototype
3682         https://bugs.webkit.org/show_bug.cgi?id=107378
3683
3684         Reviewed by Sam Weinig and Phil Pizlo.
3685
3686         This is a step toward object size inference.
3687
3688         Using a side table frees us to use a more complex key (a pair of
3689         prototype and expected inline capacity).
3690
3691         It also avoids ruining inline caches for prototypes. (Adding a new private
3692         name for a new inline capacity would change the prototype's structure,
3693         possibly firing watchpoints, making inline caches go polymorphic, and
3694         generally causing us to have a bad time.)
3695
3696         * CMakeLists.txt:
3697         * GNUmakefile.list.am:
3698         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
3699         * JavaScriptCore.xcodeproj/project.pbxproj:
3700         * Target.pri: Buildage.
3701
3702         * runtime/ArrayPrototype.cpp:
3703         (JSC::ArrayPrototype::finishCreation): Updated to use new side table API.
3704
3705         * runtime/JSFunction.cpp:
3706         (JSC::JSFunction::cacheInheritorID): Updated to use new side table API.
3707
3708         (JSC::JSFunction::visitChildren): Fixed a long-standing bug where JSFunction
3709         forgot to visit one of its data members (m_cachedInheritorID). This
3710         wasn't a user-visible problem before because JSFunction would always
3711         visit its .prototype property, which visited its m_cachedInheritorID.
3712         But now, function.prototype only weakly owns function.m_cachedInheritorID.
3713
3714         * runtime/JSGlobalData.h:
3715         (JSGlobalData): Added the map, taking care to make sure that its
3716         destructor would run after the heap destructor.
3717
3718         * runtime/JSGlobalObject.cpp:
3719         (JSC::JSGlobalObject::reset): Updated to use new side table API.
3720
3721         * runtime/JSObject.cpp:
3722         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
3723         (JSC::JSObject::setPrototype):
3724         * runtime/JSObject.h:
3725         (JSObject): Updated to use new side table API, and removed lots of code
3726         that used to manage the per-object private name.
3727
3728         * runtime/JSProxy.cpp:
3729         (JSC::JSProxy::setTarget):
3730         * runtime/ObjectConstructor.cpp:
3731         (JSC::objectConstructorCreate):
3732         * runtime/ObjectPrototype.cpp:
3733         (JSC::ObjectPrototype::finishCreation): Updated to use new side table API.
3734
3735         * runtime/PrototypeMap.cpp: Added.
3736         (JSC):
3737         (JSC::PrototypeMap::addPrototype):
3738         (JSC::PrototypeMap::emptyObjectStructureForPrototype):
3739         * runtime/PrototypeMap.h: Added.
3740         (PrototypeMap):
3741         (JSC::PrototypeMap::isPrototype):
3742         (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype): New side table.
3743         This is a simple weak map, mapping an object to the structure you should
3744         use when inheriting from that object. (In future, inline capacity will
3745         be a part of the mapping.)
3746
3747         I used two maps to preserve existing behavior that allowed us to speculate
3748         about an object becoming a prototype, even if it wasn't one at the moment.
3749         However, I suspect that behavior can be removed without harm.
3750
3751         * runtime/WeakGCMap.h:
3752         (JSC::WeakGCMap::contains):
3753         (WeakGCMap): I would rate myself a 6 / 10 in C++.
3754
3755 2013-01-18  Dan Bernstein  <mitz@apple.com>
3756
3757         Removed duplicate references to two headers in the project files.
3758
3759         Rubber-stamped by Mark Rowe.
3760
3761         * JavaScriptCore.xcodeproj/project.pbxproj:
3762
3763 2013-01-18  Michael Saboff  <msaboff@apple.com>
3764
3765         Unreviewed build fix for building JSC with DFG_ENABLE_DEBUG_PROPAGATION_VERBOSE enabled in DFGCommon.h.
        Fixes the case where the reference to the argument node held in fixupNode is left dangling because the Vector storage backing the nodes is reallocated.
3767
3768         * dfg/DFGFixupPhase.cpp:
3769         (JSC::DFG::FixupPhase::fixupNode):
3770
3771 2013-01-18  Michael Saboff  <msaboff@apple.com>
3772
3773         Unreviewed build fix for release builds when DFG_ENABLE_DEBUG_PROPAGATION_VERBOSE is set to 1 in DFGCommon.h.
3774
3775         * dfg/DFGCFAPhase.cpp: Added #include "Operations.h"
3776
3777 2013-01-18  Michael Saboff  <msaboff@apple.com>
3778
3779         Change set r140201 broke editing/selection/move-by-word-visually-multi-line.html
3780         https://bugs.webkit.org/show_bug.cgi?id=107340
3781
3782         Reviewed by Filip Pizlo.
3783
3784         Due to the change landed in r140201, more nodes might end up
3785         generating Int32ToDouble nodes.  Therefore, changed the JSVALUE64
3786         constant path of compileInt32ToDouble() to use the more
3787         restrictive isInt32Constant() check on the input.  This check was
3788         the same as the existing ASSERT() so the ASSERT was eliminated.
3789
3790         * dfg/DFGSpeculativeJIT.cpp:
3791         (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
3792
3793 2013-01-18  Viatcheslav Ostapenko  <sl.ostapenko@samsung.com>
3794
3795         Weak GC maps should be easier to use
3796         https://bugs.webkit.org/show_bug.cgi?id=107312
3797
3798         Reviewed by Ryosuke Niwa.
3799
3800         Build fix for linux platforms after r140194.
3801
3802         * runtime/WeakGCMap.h:
3803         (WeakGCMap):
3804
3805 2013-01-18  Michael Saboff  <msaboff@apple.com>
3806
3807         Harden ArithDiv of integers fix-up by inserting Int32ToDouble node directly
3808         https://bugs.webkit.org/show_bug.cgi?id=107321
3809
        Reviewed by Filip Pizlo.
3811
3812         Split out the Int32ToDouble node insertion from fixDoubleEdge() and used it directly when we're fixing up
3813         an ArithDiv node with integer inputs and output for platforms that don't have integer division.
3814         Since we are checking that our inputs should be ints, we can just insert the Int32ToDouble node
3815         without any further checks.
3816
3817         * dfg/DFGFixupPhase.cpp:
3818         (JSC::DFG::FixupPhase::fixupNode):
3819         (JSC::DFG::FixupPhase::fixDoubleEdge):
3820         (FixupPhase):
3821         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
3822
3823 2013-01-18  Michael Saboff  <msaboff@apple.com>
3824
3825         Fix up of ArithDiv nodes for non-x86 CPUs is broken
3826         https://bugs.webkit.org/show_bug.cgi?id=107309
3827
        Reviewed by Filip Pizlo.
3829
3830         Changed the logic so that we insert an Int32ToDouble node when the existing edge is not SpecDouble.
3831
3832         * dfg/DFGFixupPhase.cpp:
3833         (JSC::DFG::FixupPhase::fixDoubleEdge):
3834
3835 2013-01-18  Dan Bernstein  <mitz@apple.com>
3836
3837         Tried to fix the build after r140194.
3838
3839         * API/JSWrapperMap.mm:
3840         (-[JSWrapperMap wrapperForObject:]):
3841
3842 2013-01-18  Mark Hahnenberg  <mhahnenberg@apple.com>
3843
3844         Objective-C API: Update documentation for JSValue and JSContext
3845         https://bugs.webkit.org/show_bug.cgi?id=107313
3846
3847         Reviewed by Geoffrey Garen.
3848
3849         After changing the semantics of object lifetime we need to update the API documentation to reflect the new semantics.
3850
3851         * API/APIJSValue.h:
3852         * API/JSContext.h:
3853
3854 2013-01-18  Balazs Kilvady  <kilvadyb@homejinni.com>
3855
        r134080 causes a heap problem on Linux systems where PAGESIZE != 4096
3857         https://bugs.webkit.org/show_bug.cgi?id=102828
3858
3859         Reviewed by Mark Hahnenberg.
3860
        Use MarkStackSegment::blockSize as the capacity of the segments of a MarkStackArray.
3862
3863         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
3864         * heap/MarkStack.cpp:
3865         (JSC):
3866         (JSC::MarkStackArray::MarkStackArray):
3867         (JSC::MarkStackArray::expand):
3868         (JSC::MarkStackArray::donateSomeCellsTo):
3869         (JSC::MarkStackArray::stealSomeCellsFrom):
3870         * heap/MarkStack.h:
3871         (JSC::MarkStackSegment::data):
3872         (CapacityFromSize):
3873         (MarkStackArray):
3874         * heap/MarkStackInlines.h:
3875         (JSC::MarkStackArray::setTopForFullSegment):
3876         (JSC::MarkStackArray::append):
3877         (JSC::MarkStackArray::isEmpty):
3878         (JSC::MarkStackArray::size):
3879         * runtime/Options.h:
3880         (JSC):
3881
3882 2013-01-18  Geoffrey Garen  <ggaren@apple.com>
3883
3884         Weak GC maps should be easier to use
3885         https://bugs.webkit.org/show_bug.cgi?id=107312
3886
3887         Reviewed by Sam Weinig.
3888
3889         This patch changes WeakGCMap to not use a WeakImpl finalizer to remove
3890         items from the map, and to instead have the map automatically remove
3891         stale items itself upon insertion. This has a few advantages:
3892
3893         (1) WeakGCMap is now compatible with all the specializations you would
3894         use for HashMap.
3895
3896         (2) There's no need for clients to write special finalization munging
3897         functions.
3898
3899         (3) Clients can specify custom value finalizers if they like.
3900
3901         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: Def!
3902
3903         * API/JSWeakObjectMapRefPrivate.cpp: Setter no longer requires a global
3904         data, since we've reduced interdependency.
3905
3906         * heap/Handle.h: No more need to forward declare, since we've reduced
3907         interdependency.
3908
3909         * heap/Weak.h:
3910         (Weak): Use explicit so we can assign directly to a weak map iterator
3911         without ambiguity between Weak<T> and PassWeak<T>.
3912
3913         * runtime/Structure.cpp:
3914         (JSC::StructureTransitionTable::add): See above.
3915
3916         * runtime/Structure.h:
3917         (JSC):
3918         * runtime/StructureTransitionTable.h:
3919         (StructureTransitionTable): Bad code goes away, programmer happy.
3920
3921         * runtime/WeakGCMap.h:
3922         (JSC):
3923         (WeakGCMap):
3924         (JSC::WeakGCMap::WeakGCMap):
3925         (JSC::WeakGCMap::set):
3926         (JSC::WeakGCMap::add):
3927         (JSC::WeakGCMap::find):
3928         (JSC::WeakGCMap::contains):
3929         (JSC::WeakGCMap::gcMap):
3930         (JSC::WeakGCMap::gcMapIfNeeded): Inherit from HashMap and override any
3931         function that might observe a Weak<T> that has died, just enough to
3932         make such items appear as if they are not in the table.
3933
3934 2013-01-18  Michael Saboff  <msaboff@apple.com>
3935
3936         Refactor isPowerOf2() and add getLSBSet()
3937         https://bugs.webkit.org/show_bug.cgi?id=107306
3938
3939         Reviewed by Filip Pizlo.
3940
3941         Moved implementation of isPowerOf2() to new hasOneBitSet() in wtf/MathExtras.h.
3942
3943         * runtime/PropertyMapHashTable.h:
3944         (JSC::isPowerOf2):
3945
3946 2013-01-17  Mark Hahnenberg  <mhahnenberg@apple.com>
3947
3948         Objective-C API: Clean up JSValue.mm
3949         https://bugs.webkit.org/show_bug.cgi?id=107163
3950
3951         Reviewed by Darin Adler.
3952
        m_context is no longer weak, so there is now a lot of dead code in JSValue.mm, and a wasted message send
        on every API call.  In the head of just about every method in JSValue.mm we're doing:
3955
3956         JSContext *context = [self context];
3957         if (!context)
3958             return nil;
3959