Unreviewed. Rebaseline image test expectations for Mac after r91331.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2011-07-19  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=64678
        Fix bugs in Object.prototype this handling.

        Reviewed by Darin Adler.

        Fix ES5.1 correctness issues identified by Mads Ager.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToString):
            - ES5.1 expects toString of undefined/null to produce "[object Undefined]"/"[object Null]".

2011-07-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        [JSC] WebKit allocates gigabytes of memory when doing repeated string concatenation
        https://bugs.webkit.org/show_bug.cgi?id=63918

        Reviewed by Darin Adler.

        When allocating JSStrings during concatenation, we needed to call the Heap's reportExtraMemoryCost
        method due to additional string copying within several of the constructors when dealing with
        UStrings.  This has been added to the UString version of the appendStringInConstruct method
        within the JSString class.

        * runtime/JSString.h:
        (JSC::RopeBuilder::JSString):
        (JSC::RopeBuilder::appendStringInConstruct):

2011-07-19  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=64679
        Fix bugs in Array.prototype this handling.

        Reviewed by Oliver Hunt.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncJoin):
        (JSC::arrayProtoFuncConcat):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSort):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncMap):
        (JSC::arrayProtoFuncEvery):
        (JSC::arrayProtoFuncForEach):
        (JSC::arrayProtoFuncSome):
        (JSC::arrayProtoFuncReduce):
        (JSC::arrayProtoFuncReduceRight):
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):
            - These methods should throw if this value is undefined.

2011-07-19  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=64677
        Fix bugs in String.prototype this handling.

        Reviewed by Oliver Hunt.

        undefined/null this values should throw TypeErrors, not convert to
        the global object, and primitive values should not be converted via
        object types.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncReplace):
        (JSC::stringProtoFuncCharAt):
        (JSC::stringProtoFuncCharCodeAt):
        (JSC::stringProtoFuncIndexOf):
        (JSC::stringProtoFuncLastIndexOf):
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):
        (JSC::stringProtoFuncSlice):
        (JSC::stringProtoFuncSplit):
        (JSC::stringProtoFuncSubstr):
        (JSC::stringProtoFuncSubstring):
        (JSC::stringProtoFuncToLowerCase):
        (JSC::stringProtoFuncToUpperCase):
        (JSC::stringProtoFuncLocaleCompare):
        (JSC::stringProtoFuncBig):
        (JSC::stringProtoFuncSmall):
        (JSC::stringProtoFuncBlink):
        (JSC::stringProtoFuncBold):
        (JSC::stringProtoFuncFixed):
        (JSC::stringProtoFuncItalics):
        (JSC::stringProtoFuncStrike):
        (JSC::stringProtoFuncSub):
        (JSC::stringProtoFuncSup):
        (JSC::stringProtoFuncFontcolor):
        (JSC::stringProtoFuncFontsize):
        (JSC::stringProtoFuncAnchor):
        (JSC::stringProtoFuncLink):
        (JSC::trimString):
            - These methods should throw if this value is undefined,
              convert ToString directly, not via ToObject.

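The three "this handling" entries above (Object.prototype, Array.prototype, String.prototype) describe ES5.1 receiver semantics. The following is an added conformance check, not JavaScriptCore code; it assumes any ES5.1-or-later engine such as Node.js, and the method lists are the ones named in those entries.

```javascript
// Added example (not JavaScriptCore code): ES5.1 `this` handling checks for
// the Object.prototype, Array.prototype and String.prototype ChangeLog entries.

// Call `fn` with an explicit `this` and report the outcome instead of throwing.
function callWithThis(fn, thisValue, ...args) {
  try {
    return { ok: true, value: fn.call(thisValue, ...args) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// ES5.1 15.2.4.2: Object.prototype.toString on undefined/null must not fall
// back to the global object; it reports "[object Undefined]" / "[object Null]".
function objectToStringTag(value) {
  return Object.prototype.toString.call(value);
}

// Every method in `names` on `proto` must throw a TypeError when `this` is
// undefined or null (never silently substitute the global object).
// Returns the methods that fail the check; an empty list means all conform.
function methodsRejectNullishThis(proto, names, args = []) {
  const failures = [];
  for (const name of names) {
    for (const badThis of [undefined, null]) {
      const r = callWithThis(proto[name], badThis, ...args);
      if (r.ok || r.error !== "TypeError") failures.push(`${name} with this=${badThis}`);
    }
  }
  return failures;
}

// Method names taken from the ChangeLog entries. toString is deliberately
// absent from OBJECT_METHODS: it must NOT throw on undefined/null.
const OBJECT_METHODS = ["valueOf", "hasOwnProperty", "isPrototypeOf",
  "propertyIsEnumerable", "toLocaleString"];
const ARRAY_METHODS = ["join", "concat", "pop", "push", "reverse", "shift",
  "slice", "sort", "splice", "unshift", "filter", "map", "every", "forEach",
  "some", "reduce", "reduceRight", "indexOf", "lastIndexOf"];
const STRING_METHODS = ["replace", "charAt", "charCodeAt", "indexOf",
  "lastIndexOf", "match", "search", "slice", "split", "substr", "substring",
  "toLowerCase", "toUpperCase", "localeCompare", "big", "small", "blink",
  "bold", "fixed", "italics", "strike", "sub", "sup", "fontcolor", "fontsize",
  "anchor", "link", "trim"];

// A primitive `this` is converted with ToString directly, so a non-string
// primitive works as a receiver without an intermediate wrapper object.
function primitiveThisIsStringified() {
  return String.prototype.slice.call(12345, 1, 3);   // "23"
}

// Object.prototype.toLocaleString must dispatch to the receiver's own toString
// even when the receiver is already a string. A temporary hook on
// String.prototype.toString observes the dispatch; it is restored afterwards.
function toLocaleStringDispatchesToToString() {
  const original = String.prototype.toString;
  let observed = false;
  String.prototype.toString = function () { observed = true; return original.call(this); };
  try {
    const result = Object.prototype.toLocaleString.call("abc");
    return observed && result === "abc";
  } finally {
    String.prototype.toString = original;
  }
}

// Run all checks and return one report object.
function runChecks() {
  return {
    undefinedTag: objectToStringTag(undefined),
    nullTag: objectToStringTag(null),
    // Object methods get an object argument so that argument validation
    // (e.g. isPrototypeOf returning false for a non-object) cannot mask the
    // missing this check.
    objectFailures: methodsRejectNullishThis(Object.prototype, OBJECT_METHODS, [{}]),
    arrayFailures: methodsRejectNullishThis(Array.prototype, ARRAY_METHODS),
    stringFailures: methodsRejectNullishThis(String.prototype, STRING_METHODS),
    primitiveSlice: primitiveThisIsStringified(),
    toLocaleStringDispatch: toLocaleStringDispatchesToToString(),
  };
}

console.log(runChecks());
```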
2011-07-19  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT sometimes emits spill code even when the respective values
        are never needed.
        https://bugs.webkit.org/show_bug.cgi?id=64774

        Reviewed by Gavin Barraclough.

        The main high-level change is that it is now easier to call use() on a
        virtual register.  JSValueOperand and its other-typed relatives now have
        a handy use() method, and jsValueResult() and friends now make it easier to
        pass UseChildrenCalledExplicitly.

        The rest of this patch hoists the call to use() as high as possible for
        all of those cases where either flushRegisters() or silentSpillAllRegisters()
        may be called.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::cachedGetById):
        (JSC::DFG::JITCodeGenerator::cachedGetMethod):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeStrictEq):
        (JSC::DFG::JITCodeGenerator::emitBranch):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::use):
        (JSC::DFG::JITCodeGenerator::integerResult):
        (JSC::DFG::JITCodeGenerator::jsValueResult):
        (JSC::DFG::IntegerOperand::use):
        (JSC::DFG::DoubleOperand::use):
        (JSC::DFG::JSValueOperand::use):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::valueToNumber):
        (JSC::DFG::NonSpeculativeJIT::valueToInt32):
        (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
        (JSC::DFG::NonSpeculativeJIT::basicArithOp):
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculateStrictInt32Operand::use):
        (JSC::DFG::SpeculateCellOperand::use):

2011-07-19  Xan Lopez  <xlopez@igalia.com>

        ARMv7 backend broken, lacks 3 parameter rshift32 method
        https://bugs.webkit.org/show_bug.cgi?id=64571

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::rshift32): add missing rshift32 method.

2011-07-18  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not optimize strict equality as effectively as the old JIT does.
        https://bugs.webkit.org/show_bug.cgi?id=64759

        Reviewed by Gavin Barraclough.

        This adds a more complete set of strict equality optimizations.  If either
        operand is known numeric, then the code reverts to the old style of optimizing
        (first try integer comparison).  Otherwise it uses the old JIT's trick of
        first simultaneously checking if both operands are either numbers or cells;
        if not then a fast path is taken.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeStrictEq):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-07-18  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=64760
        DFG JIT - Should be able to compile program code.

        Reviewed by Geoff Garen.

        Add support for op_end, hooks to compile program code in Executable.cpp.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
            - Add support for op_end
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileBody):
        (JSC::DFG::JITCompiler::link):
            - Added, separate out steps of compileFunction.
        (JSC::DFG::JITCompiler::compile):
            - Added, compile program code.
        (JSC::DFG::JITCompiler::compileFunction):
            - Sections separated out to helper functions.
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::JITCompiler):
            - Added m_exceptionCheckCount.
        * runtime/Executable.cpp:
        (JSC::tryDFGCompile):
        (JSC::tryDFGCompileFunction):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::compileForCallInternal):
            - Renamed tryDFGCompile to tryDFGCompileFunction, added tryDFGCompile to compile program code.

2011-07-18  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=64678
        Fix bugs in Object.prototype this handling.

        Reviewed by Oliver Hunt.

        undefined/null this values should throw TypeErrors, not convert to the global object;
        also, toLocaleString should be calling ToObject & invoking the object's toString
        function, even for values that are already strings.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncValueOf):
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncIsPrototypeOf):
        (JSC::objectProtoFuncPropertyIsEnumerable):
        (JSC::objectProtoFuncToLocaleString):
        (JSC::objectProtoFuncToString):

2011-07-18  Filip Pizlo  <fpizlo@apple.com>

        JSC GC lazy sweep does not inline the common cases of cell destruction.
        https://bugs.webkit.org/show_bug.cgi?id=64745

        Reviewed by Oliver Hunt.

        This inlines the case of JSFinalObject destruction.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::lazySweep):

2011-07-18  Oliver Hunt  <oliver@apple.com>

        Interpreter build-fix

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):

2011-07-18  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not optimize equal-null comparisons and branches.
        https://bugs.webkit.org/show_bug.cgi?id=64659

        Reviewed by Gavin Barraclough.

        Added a peephole-aware compare-to-null implementation to JITCodeGenerator,
        which is used by both the speculative and non-speculative JIT.  Through
        the use of the new isNullConstant helper, the two JITs invoke the
        nonSpeculativeCompareNull() helper instead of their regular comparison
        helpers when compiling CompareEq.  Through the use of the new isKnownCell
        helper, the compare-null code will skip the is-a-cell check if the
        speculative JIT had been speculating cell.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::isKnownCell):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeCompareNull):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::isNullConstant):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-07-18  James Robinson  <jamesr@chromium.org>

        Timer scheduling should be based off the monotonic clock
        https://bugs.webkit.org/show_bug.cgi?id=64544

        Reviewed by Darin Adler.

        Switches ThreadCondition::timedWait and related utility functions from currentTime() to
        monotonicallyIncreasingTime().

        Add WTF::monotonicallyIncreasingTime() to list of exported functions so it can be accessed from WebCore/WebKit.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * wtf/ThreadingPthreads.cpp:
        (WTF::ThreadCondition::timedWait):
        * wtf/ThreadingWin.cpp:
        (WTF::absoluteTimeToWaitTimeoutInterval):
        * wtf/gtk/ThreadingGtk.cpp:
        (WTF::ThreadCondition::timedWait):
        * wtf/qt/ThreadingQt.cpp:
        (WTF::ThreadCondition::timedWait):

2011-07-18  Filip Pizlo  <fpizlo@apple.com>

        JSC JIT does not inline GC allocation fast paths
        https://bugs.webkit.org/show_bug.cgi?id=64582

        Reviewed by Oliver Hunt.

        This addresses inlining allocation for the easiest-to-allocate cases:
        op_new_object and op_create_this.  Inlining GC allocation fast paths
        required three changes.  First, the JSGlobalData now saves the vtable
        pointer of JSFinalObject, since that's what op_new_object and
        op_create_this allocate.  Second, the Heap exposes a reference to
        the appropriate SizeClass, so that the JIT may inline accesses
        directly to the SizeClass for JSFinalObject allocations.  And third,
        the JIT is extended with code to emit inline fast paths for GC
        allocation.  A stub call is emitted in the case where the inline fast
        path fails.

        * heap/Heap.h:
        (JSC::Heap::sizeClassFor):
        (JSC::Heap::allocate):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateJSFinalObject):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emitSlow_op_new_object):
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emitSlow_op_create_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emitSlow_op_new_object):
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emitSlow_op_create_this):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::storeVPtrs):
        * runtime/JSGlobalData.h:
        * runtime/JSObject.h:
        (JSC::JSFinalObject::JSFinalObject):
        (JSC::JSObject::offsetOfInheritorID):

2011-07-18  Mark Hahnenberg  <mhahnenberg@apple.com>

        Refactor JSC to replace JSCell::operator new with static create method
        https://bugs.webkit.org/show_bug.cgi?id=64466

        Reviewed by Oliver Hunt (oliver@apple.com) and Darin Adler (darin@apple.com).

        First step in a longer refactoring process to remove the use of
        operator new overloading in order to allocate GC objects and to replace
        this method with static create methods for each individual type of heap-allocated
        JS object.  This particular patch only deals with replacing uses of
        operator new within JSC proper.  Future patches will remove it from the
        parts that interface with the DOM.  Due to the DOM's continued dependence
        on it, operator new has not actually been removed from JSCell.

        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::create):
        * API/JSCallbackFunction.h:
        (JSC::JSCallbackFunction::create):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::operator new):
        (JSC::JSCallbackObject::create):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::staticFunctionGetter):
        * API/JSClassRef.cpp:
        (OpaqueJSClass::prototype):
        * API/JSContextRef.cpp:
        * API/JSObjectRef.cpp:
        (JSObjectMake):
        (JSObjectMakeFunctionWithCallback):
        (JSObjectMakeConstructor):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::createActivation):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::makeFunction):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::RegExpNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        (JSC::Interpreter::retrieveArguments):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jsc.cpp:
        (GlobalObject::create):
        (GlobalObject::GlobalObject):
        (functionRun):
        (jscmain):
        * runtime/Arguments.h:
        (JSC::Arguments::create):
        (JSC::Arguments::createNoParameters):
        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::create):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSplice):
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::create):
        * runtime/BooleanConstructor.cpp:
        (JSC::constructBoolean):
        (JSC::constructBooleanFromImmediateBoolean):
        * runtime/BooleanConstructor.h:
        (JSC::BooleanConstructor::create):
        * runtime/BooleanObject.h:
        (JSC::BooleanObject::create):
        * runtime/BooleanPrototype.h:
        (JSC::BooleanPrototype::create):
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::create):
        * runtime/DateInstance.h:
        (JSC::DateInstance::create):
        * runtime/DatePrototype.h:
        (JSC::DatePrototype::create):
        * runtime/Error.cpp:
        (JSC::createError):
        (JSC::createEvalError):
        (JSC::createRangeError):
        (JSC::createReferenceError):
        (JSC::createSyntaxError):
        (JSC::createTypeError):
        (JSC::createURIError):
        (JSC::StrictModeTypeErrorFunction::create):
        (JSC::createTypeErrorFunction):
        * runtime/ErrorConstructor.h:
        (JSC::ErrorConstructor::create):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::ErrorInstance):
        (JSC::ErrorInstance::create):
        * runtime/ErrorInstance.h:
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::ErrorPrototype):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::create):
        * runtime/ExceptionHelpers.cpp:
        (JSC::InterruptedExecutionError::InterruptedExecutionError):
        (JSC::InterruptedExecutionError::create):
        (JSC::createInterruptedExecutionException):
        (JSC::TerminatedExecutionError::TerminatedExecutionError):
        (JSC::TerminatedExecutionError::create):
        (JSC::createTerminatedExecutionException):
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::FunctionExecutable):
        (JSC::FunctionExecutable::fromGlobalCode):
        * runtime/Executable.h:
        (JSC::ExecutableBase::create):
        (JSC::NativeExecutable::create):
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::EvalExecutable::create):
        (JSC::ProgramExecutable::create):
        (JSC::FunctionExecutable::create):
        (JSC::FunctionExecutable::make):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionConstructor.h:
        (JSC::FunctionConstructor::create):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        * runtime/FunctionPrototype.h:
        (JSC::FunctionPrototype::create):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::create):
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::create):
        (JSC::jsAPIValueWrapper):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::argumentsGetter):
        * runtime/JSActivation.h:
        (JSC::JSActivation::create):
        * runtime/JSArray.h:
        (JSC::JSArray::create):
        * runtime/JSCell.h:
        (JSC::JSCell::allocateCell):
        * runtime/JSFunction.h:
        (JSC::JSFunction::create):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObject.h:
        (JSC::constructEmptyArray):
        (JSC::constructArray):
        * runtime/JSNotAnObject.h:
        (JSC::JSNotAnObject::create):
        * runtime/JSONObject.h:
        (JSC::JSONObject::create):
        * runtime/JSObject.cpp:
        (JSC::JSObject::defineGetter):
        (JSC::JSObject::defineSetter):
        (JSC::putDescriptor):
        * runtime/JSObject.h:
        (JSC::JSFinalObject::create):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::create):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::create):
        * runtime/JSString.cpp:
        (JSC::JSString::substringFromRope):
        (JSC::JSString::replaceCharacter):
        (JSC::StringObject::create):
        * runtime/JSString.h:
        (JSC::RopeBuilder::JSString):
        (JSC::RopeBuilder::create):
        (JSC::RopeBuilder::createHasOtherOwner):
        (JSC::jsSingleCharacterString):
        (JSC::jsSingleCharacterSubstring):
        (JSC::jsNontrivialString):
        (JSC::jsString):
        (JSC::jsSubstring):
        (JSC::jsOwnedString):
        * runtime/JSValue.cpp:
        (JSC::JSValue::toObjectSlowCase):
        (JSC::JSValue::synthesizeObject):
        (JSC::JSValue::synthesizePrototype):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/MathObject.h:
        (JSC::MathObject::create):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::NativeErrorConstructor):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::create):
        * runtime/NativeErrorPrototype.h:
        (JSC::NativeErrorPrototype::create):
        * runtime/NumberConstructor.cpp:
        (JSC::constructWithNumberConstructor):
        * runtime/NumberConstructor.h:
        (JSC::NumberConstructor::create):
        * runtime/NumberObject.cpp:
        (JSC::constructNumber):
        * runtime/NumberObject.h:
        (JSC::NumberObject::create):
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::create):
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::create):
        * runtime/ObjectPrototype.h:
        (JSC::ObjectPrototype::create):
        * runtime/Operations.h:
        (JSC::jsString):
        * runtime/RegExp.cpp:
        (JSC::RegExp::RegExp):
        (JSC::RegExp::createWithoutCaching):
        (JSC::RegExp::create):
        * runtime/RegExp.h:
        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::lookupOrCreate):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::arrayOfMatches):
        (JSC::constructRegExp):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::create):
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::create):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::create):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncCompile):
        * runtime/RegExpPrototype.h:
        (JSC::RegExpPrototype::create):
        * runtime/ScopeChain.h:
        (JSC::ScopeChainNode::create):
        (JSC::ScopeChainNode::push):
        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::createEmptyString):
        (JSC::SmallStrings::createSingleCharacterString):
        * runtime/StringConstructor.cpp:
        (JSC::constructWithStringConstructor):
        * runtime/StringConstructor.h:
        (JSC::StringConstructor::create):
        * runtime/StringObject.h:
        (JSC::StringObject::create):
        * runtime/StringObjectThatMasqueradesAsUndefined.h:
        (JSC::StringObjectThatMasqueradesAsUndefined::create):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):
        * runtime/StringPrototype.h:
        (JSC::StringPrototype::create):
        * runtime/Structure.h:
        (JSC::Structure::create):
        (JSC::Structure::createStructure):
        * runtime/StructureChain.h:
        (JSC::StructureChain::create):

2011-07-17  Ryuan Choi  <ryuan.choi@samsung.com>

        [EFL] Refactor scheduleDispatchFunctionsOnMainThread to fix crash.
        https://bugs.webkit.org/show_bug.cgi?id=64337

        Replace ecore_timer_add with Ecore_Pipe.
        This is needed because ecore_timer should not be called in a child thread,
        but in the main thread.

        Reviewed by Antonio Gomes.

        * wtf/efl/MainThreadEfl.cpp:
        (WTF::pipeObject):
        (WTF::monitorDispatchFunctions):
        (WTF::initializeMainThreadPlatform):
        (WTF::scheduleDispatchFunctionsOnMainThread):

2011-07-17  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT operationCompareEqual does not inline JSValue::equalSlowCaseInline.
        https://bugs.webkit.org/show_bug.cgi?id=64637

        Reviewed by Gavin Barraclough.

        * dfg/DFGOperations.cpp:

2011-07-16  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=64657
        Converted this value not preserved when accessed via direct eval.

        Reviewed by Oliver Hunt.

        Upon entry into a non-strict function, primitive this values should be boxed as Object types
        (or substituted with the global object) - which is done by op_convert_this. However we only
        do so where this is used lexically within the function (we omit the conversion op if not).
        The problem comes if a direct eval (running within the function's scope) accesses the this
        value.

        We are safe in the case of a single eval, since the this object will be converted within
        callEval, however the converted value is not preserved, and a new wrapper object is allocated
        each time eval is invoked. This is inefficient and incorrect, since any changes to the wrapper
        object will be lost between eval statements.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
            - If a function uses eval, we always need to convert this.
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
            - Don't convert primitive values here - this is too late!
        (JSC::Interpreter::privateExecute):
            - Changed op_convert_this to call new isPrimitive method.
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
            - Changed op_convert_this to call new isPrimitive method.
        * runtime/JSCell.h:
        (JSC::JSCell::JSValue::isPrimitive):
            - Added JSValue::isPrimitive.
        * runtime/JSValue.h:
            - Added JSValue::isPrimitive.

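The direct-eval entry above describes the observable bug: a primitive `this` must be boxed once on entry to a non-strict function, and every direct eval in that activation must see the same wrapper. The following is an added illustration, not WebKit code; it assumes an ES5.1-or-later engine such as Node.js and builds the functions with the Function constructor so they stay non-strict even if the file itself is loaded as a strict-mode module.

```javascript
// Added example (not JavaScriptCore code) for the "Converted this value not
// preserved when accessed via direct eval" entry. Function-constructed
// functions are always non-strict, which is where boxing of a primitive
// `this` (op_convert_this in JSC) applies.

// Two direct evals in one activation must observe the same boxed `this`:
// a property written by the first eval is visible to the second. The bug
// described above allocated a fresh wrapper per eval, losing the property.
const markThenReadViaEval = new Function(`
  eval("this.marker = 'set by first eval'");   // first direct eval
  return eval("this.marker");                  // second direct eval, same wrapper
`);

// `this` used lexically and then from eval must also be the same object.
const markLexicallyReadViaEval = new Function(`
  this.marker = 'set lexically';
  return eval("this.marker");
`);

// What a direct eval sees as `this` in non-strict code: the boxed wrapper.
const typeOfThisInEval = new Function("return eval('typeof this')");

// Strict functions never box `this`, so eval sees the primitive itself.
const typeOfThisInStrictEval = new Function("'use strict'; return eval('typeof this')");

// Non-strict: an undefined `this` is substituted with the global object.
const evalSeesGlobalForUndefinedThis = new Function("return eval('this === globalThis')");

function thisPreservedAcrossEvals() {
  return markThenReadViaEval.call(42);          // "set by first eval"
}

function thisPreservedFromLexicalToEval() {
  return markLexicallyReadViaEval.call(42);     // "set lexically"
}

// The property lands on the per-call wrapper, not on Number.prototype,
// so other numbers are unaffected.
function wrapperDoesNotLeakToPrototype() {
  markThenReadViaEval.call(42);
  return (42).marker === undefined;             // true
}

console.log({
  acrossEvals: thisPreservedAcrossEvals(),
  lexicalToEval: thisPreservedFromLexicalToEval(),
  sloppyType: typeOfThisInEval.call(42),
  strictType: typeOfThisInStrictEval.call(42),
  undefinedThis: evalSeesGlobalForUndefinedThis.call(undefined),
  noLeak: wrapperDoesNotLeakToPrototype(),
});
```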
2011-07-16  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT compare/branch code emits is-integer tests even when a value is
        definitely not an integer.
        https://bugs.webkit.org/show_bug.cgi?id=64654

        Reviewed by Gavin Barraclough.

        Added the isKnownNotInteger() method, which returns true if a node is
        definitely not an integer and will always fail any is-integer test.  Then
        modified the compare and branch code to use this method; if it returns
        true then is-int tests are omitted and the compiler always emits a slow
        call.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::isKnownNotInteger):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compare):

2011-07-16  Filip Pizlo  <fpizlo@apple.com>

        DFG speculative JIT has dead code for slow calls for branches.
        https://bugs.webkit.org/show_bug.cgi?id=64653

        Reviewed by Gavin Barraclough.

        Removed SpeculativeJIT::compilePeepHoleCall.

        * dfg/DFGSpeculativeJIT.cpp:
        * dfg/DFGSpeculativeJIT.h:

2011-07-15  Mark Rowe  <mrowe@apple.com>

        Fix the build.

        * dfg/DFGGraph.h:

2011-07-15  Gavin Barraclough  <barraclough@apple.com>

        NativeError.prototype objects have [[Class]] of "Object" but should be "Error"
        https://bugs.webkit.org/show_bug.cgi?id=55346

        Reviewed by Sam Weinig.

        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::ErrorPrototype):
            - Switch to putDirect since we're not the only ones transitioning this Structure now.
        * runtime/NativeErrorPrototype.cpp:
        (JSC::NativeErrorPrototype::NativeErrorPrototype):
        * runtime/NativeErrorPrototype.h:
            - Switch base class to ErrorPrototype.

2011-07-15  Gavin Barraclough  <barraclough@apple.com>

        DFG JIT - Where arguments passed are integers, speculate this.
        https://bugs.webkit.org/show_bug.cgi?id=64630

        Reviewed by Sam Weinig.

        Presently the DFG JIT is overly aggressively predicting double.
        Use a bit of dynamic information, and curtail this a little.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::predictArgumentTypes):
            - Check for integer arguments.
        * dfg/DFGGraph.h:
            - Function declaration.
        * runtime/Executable.cpp:
        (JSC::tryDFGCompile):
        (JSC::FunctionExecutable::compileForCallInternal):
            - Add call to predictArgumentTypes.

2011-07-15  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT is inconsistent about fusing branches and speculating
        integer comparisons for branches.
        https://bugs.webkit.org/show_bug.cgi?id=64573

        Reviewed by Gavin Barraclough.

        This patch moves some of NonSpeculativeJIT's functionality up into the
        JITCodeGenerator superclass so that it can be used from both JITs.  Now,
        in cases where the speculative JIT doesn't want to speculate but still
        wants to emit good code, it can reliably emit the same code sequence as
        the non-speculative JIT.  This patch also extends the non-speculative
        JIT's compare optimizations to include compare/branch fusing, and
        extends the speculative JIT's compare optimizations to cover StrictEqual.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::isKnownInteger):
        (JSC::DFG::JITCodeGenerator::isKnownNumeric):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::detectPeepHoleBranch):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGNonSpeculativeJIT.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        * wtf/Platform.h:

2011-07-14  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=64250
        Global strict mode function leaking global object as "this".

        Reviewed by Oliver Hunt.

        The root problem here is that we pass the wrong values into
773         calls, and then try to fix them up in the callee. Correct
774         behaviour per the spec is to pass in the value undefined,
775         as this unless either (1) the function call is based on an
776         explicit property access or (2) the base of the call comes
777         directly from a 'with'.
778
779         This change does away with the need for this conversion of
780         objects (non strict code should only box primitives), and
781         does away with all this conversion for strict functions.
782
783         This patch may have web compatibility ramifications, and may
784         require some advocacy.
785
786         * bytecode/CodeBlock.cpp:
787         (JSC::CodeBlock::dump):
788             - Removed op_convert_this_strict, added op_resolve_with_this.
789         * bytecode/Opcode.h:
790             - Removed op_convert_this_strict, added op_resolve_with_this.
791         * bytecompiler/BytecodeGenerator.cpp:
792         (JSC::BytecodeGenerator::BytecodeGenerator):
793         (JSC::BytecodeGenerator::emitResolveWithThis):
794             - Removed op_convert_this_strict, added op_resolve_with_this.
795         * bytecompiler/BytecodeGenerator.h:
796             - Removed op_convert_this_strict, added op_resolve_with_this.
797         * bytecompiler/NodesCodegen.cpp:
798         (JSC::EvalFunctionCallNode::emitBytecode):
799         (JSC::FunctionCallResolveNode::emitBytecode):
800             - Removed op_convert_this_strict, added op_resolve_with_this.
801         * dfg/DFGSpeculativeJIT.cpp:
802         (JSC::DFG::SpeculativeJIT::compile):
803             - Change NeedsThisConversion check to test for JSString's vptr
804               (objects no longer need conversion).
805         * interpreter/Interpreter.cpp:
806         (JSC::Interpreter::resolveThisAndProperty):
807             - Based on resolveBaseAndProperty, but produce correct this value.
808         (JSC::Interpreter::privateExecute):
809             - Removed op_convert_this_strict, added op_resolve_with_this.
810         * interpreter/Interpreter.h:
811         * jit/JIT.cpp:
812         (JSC::JIT::privateCompileMainPass):
813         (JSC::JIT::privateCompileSlowCases):
814             - Removed op_convert_this_strict, added op_resolve_with_this.
815         * jit/JIT.h:
816         * jit/JITOpcodes.cpp:
817         (JSC::JIT::emit_op_resolve_with_this):
818             - Removed op_convert_this_strict, added op_resolve_with_this.
819         (JSC::JIT::emit_op_convert_this):
820         (JSC::JIT::emitSlow_op_convert_this):
821             - Change NeedsThisConversion check to test for JSString's vptr
822               (objects no longer need conversion).
823         * jit/JITOpcodes32_64.cpp:
824         (JSC::JIT::emit_op_resolve_with_this):
825             - Removed op_convert_this_strict, added op_resolve_with_this.
826         (JSC::JIT::emit_op_convert_this):
827         (JSC::JIT::emitSlow_op_convert_this):
828             - Change NeedsThisConversion check to test for JSString's vptr
829               (objects no longer need conversion).
830         * jit/JITStubs.cpp:
831         (JSC::DEFINE_STUB_FUNCTION):
832             - Removed op_convert_this_strict, added op_resolve_with_this.
833         * jit/JITStubs.h:
834             - Removed op_convert_this_strict, added op_resolve_with_this.
835         * runtime/JSActivation.h:
836             - removed NeedsThisConversion flag, added IsEnvironmentRecord.
837         * runtime/JSStaticScopeObject.h:
838             - removed NeedsThisConversion flag, added IsEnvironmentRecord.
839         * runtime/JSString.h:
840         (JSC::RopeBuilder::createStructure):
841             - removed NeedsThisConversion.
842         * runtime/JSTypeInfo.h:
843         (JSC::TypeInfo::isEnvironmentRecord):
844         (JSC::TypeInfo::overridesHasInstance):
845             - removed NeedsThisConversion flag, added IsEnvironmentRecord.
846         * runtime/JSValue.h:
847             - removed NeedsThisConversion.
848         * runtime/JSVariableObject.h:
849             - Corrected StructureFlags inheritance.
850         * runtime/StrictEvalActivation.h:
851         (JSC::StrictEvalActivation::createStructure):
852             - Added IsEnvironmentRecord to StructureFlags, added createStructure.
853         * runtime/Structure.h:
854             - removed NeedsThisConversion.
855         * tests/mozilla/ecma/String/15.5.4.6-2.js:
856         (getTestCases):
857             - Removed invalid test case.
858
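Added example, not part of this ChangeLog and not JavaScriptCore code: a JavaScript probe of the ES5.1 this-passing rules the entry above describes, so the behaviour the fix targets can be checked from script rather than read off the opcode list. A strict-mode function called by bare name must receive undefined and never the global object (which is what sandboxing code written in strict mode relies on); a sloppy-mode function receives the global object in that case and a boxed object for a primitive receiver; and any callee receives the base object when it is called through an explicit property access or through a name resolved inside a with block. The callees are built with the Function constructor so their bodies are parsed in sloppy mode however this file is loaded, and the strict ones opt in with their own "use strict" directive. The probe names and the classify helper are this example's own.

```javascript
// Added example, not JavaScriptCore code: probes for the ES5.1 "this" rules.
// Callees are created with the Function constructor so each body is parsed in
// sloppy mode regardless of how this file is loaded; strict callees opt in with
// their own "use strict" directive.

// Strict callee reports exactly the this value it was given.
const strictProbe = new Function('"use strict"; return this;');
// Sloppy callee reports this after the engine's boxing / global substitution.
const sloppyProbe = new Function("return this;");

// Call through a plain identifier: no base object, no with scope.
const callPlain = new Function("probe", "return probe();");
// Call through an explicit property access: the base object must be this.
const callViaProperty = new Function(
  "probe",
  "var base = { probe: probe }; return base.probe() === base;"
);
// Call through a name resolved inside a with block: the with object must be this,
// for a strict callee just as for a sloppy one.
const callViaWith = new Function(
  "probe",
  "var scope = { probe: probe }; with (scope) { return probe() === scope; }"
);

// Describes a received this value as a short tag rather than the raw value.
function classify(receiver) {
  if (receiver === undefined) return "undefined";
  if (receiver === globalThis) return "global";
  if (receiver !== null && typeof receiver === "object") {
    // Boxed primitives report as "boxed:Number", "boxed:String", ...
    return "boxed:" + Object.prototype.toString.call(receiver).slice(8, -1);
  }
  return "primitive:" + typeof receiver;
}

// Runs every case and returns the observations in one object.
function thisBindingReport() {
  return {
    strictPlain: classify(callPlain(strictProbe)),    // "undefined": nothing leaks
    sloppyPlain: classify(callPlain(sloppyProbe)),    // "global": undefined replaced
    strictPrimitive: classify(strictProbe.call(5)),   // "primitive:number": no boxing
    sloppyPrimitive: classify(sloppyProbe.call(5)),   // "boxed:Number"
    strictViaProperty: callViaProperty(strictProbe),  // true
    sloppyViaProperty: callViaProperty(sloppyProbe),  // true
    strictViaWith: callViaWith(strictProbe),          // true
    sloppyViaWith: callViaWith(sloppyProbe),          // true
  };
}
```

Running thisBindingReport() under an engine with the spec behaviour gives the values in the trailing comments. The "global" result for sloppyPlain is correct for sloppy code; the defect the entry fixes is that a strict callee saw the same substituted value instead of undefined.
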
859 2011-07-15  Sheriff Bot  <webkit.review.bot@gmail.com>
860
861         Unreviewed, rolling out r91082, r91087, and r91089.
862         http://trac.webkit.org/changeset/91082
863         http://trac.webkit.org/changeset/91087
864         http://trac.webkit.org/changeset/91089
865         https://bugs.webkit.org/show_bug.cgi?id=64616
866
867         gtk tests are failing a lot after this change. (Requested by
868         dave_levin on #webkit).
869
870         * wtf/ThreadIdentifierDataPthreads.cpp:
871         (WTF::ThreadIdentifierData::identifier):
872         (WTF::ThreadIdentifierData::initialize):
873         (WTF::ThreadIdentifierData::initializeKeyOnceHelper):
874         (WTF::ThreadIdentifierData::initializeKeyOnce):
875         * wtf/ThreadIdentifierDataPthreads.h:
876         * wtf/ThreadingPthreads.cpp:
877         (WTF::initializeThreading):
878
879 2011-07-15  David Levin  <levin@chromium.org>
880
881         Another attempted build fix.
882
883         * wtf/ThreadIdentifierDataPthreads.cpp: Add include to pick
884         up the definition of PTHREAD_KEYS_MAX.
885
886 2011-07-15  David Levin  <levin@chromium.org>
887
888         Chromium build fix.
889
890         * wtf/ThreadIdentifierDataPthreads.cpp: Add include to pick
891         up the definition of PTHREAD_KEYS_MAX.
892
893 2011-07-14  David Levin  <levin@chromium.org>
894
895         currentThread is too slow!
896         https://bugs.webkit.org/show_bug.cgi?id=64577
897
898         Reviewed by Darin Adler and Dmitry Titov.
899
900         The problem is that currentThread results in a pthread_once call which always takes a lock.
901         With this change, currentThread is 10% faster than isMainThread in release mode and only
902         5% slower than isMainThread in debug.
903
904         * wtf/ThreadIdentifierDataPthreads.cpp:
905         (WTF::ThreadIdentifierData::initializeOnce): Remove the pthread once stuff
906         which is no longer needed because this is called from initializeThreading().
907         (WTF::ThreadIdentifierData::identifier): Remove the initializeKeyOnce call because
908         initialization of the pthread key should already be done.
909         (WTF::ThreadIdentifierData::initialize): Ditto.
910         * wtf/ThreadIdentifierDataPthreads.h:
911         * wtf/ThreadingPthreads.cpp:
912         (WTF::initializeThreading): Acquire the pthread key here.
913
914 2011-07-14  Filip Pizlo  <fpizlo@apple.com>
915
916         DFG JIT does not optimize Branch as well as it could.
917         https://bugs.webkit.org/show_bug.cgi?id=64574
918
919         Reviewed by Gavin Barraclough.
920         
921         This creates a common code path for emitting unfused branches, which does
922         no speculation, and only performs a slow call if absolutely necessary.
923
924         * dfg/DFGJITCodeGenerator.cpp:
925         (JSC::DFG::JITCodeGenerator::emitBranch):
926         * dfg/DFGJITCodeGenerator.h:
927         * dfg/DFGNonSpeculativeJIT.cpp:
928         (JSC::DFG::NonSpeculativeJIT::compile):
929         * dfg/DFGSpeculativeJIT.cpp:
930         (JSC::DFG::SpeculativeJIT::compile):
931
932 2011-07-14  Filip Pizlo  <fpizlo@apple.com>
933
934         GC allocation fast path has too many operations.
935         https://bugs.webkit.org/show_bug.cgi?id=64493
936
937         Reviewed by Darin Adler.
938         
939         Changed the timing of the lazy sweep so that it occurs when we land on
940         a previously-unswept block, rather than whenever we land on an unswept
941         cell.  After the per-block lazy sweep occurs, the block is turned into a
942         singly linked list of free cells.  The allocation fast path is now just a
943         load-branch-store to remove a cell from the head of the list.
944         
945         Additionally, this changes the way new blocks are allocated.  Previously,
946         they would be populated with dummy cells.  With this patch, they are
947         turned into a free list, which means that there will never be destructor
948         calls for allocations in fresh blocks.
949         
950         These changes result in a 1.9% speed-up on V8, and a 0.6% speed-up on
951         SunSpider.  There are no observed statistically significant slow-downs
952         on any individual benchmark.
953
954         * JavaScriptCore.exp:
955         * heap/Heap.cpp:
956         (JSC::Heap::allocateSlowCase):
957         (JSC::Heap::collect):
958         (JSC::Heap::canonicalizeBlocks):
959         (JSC::Heap::resetAllocator):
960         * heap/Heap.h:
961         (JSC::Heap::forEachProtectedCell):
962         (JSC::Heap::forEachCell):
963         (JSC::Heap::forEachBlock):
964         (JSC::Heap::allocate):
965         * heap/MarkedBlock.cpp:
966         (JSC::MarkedBlock::MarkedBlock):
967         (JSC::MarkedBlock::lazySweep):
968         (JSC::MarkedBlock::blessNewBlockForFastPath):
969         (JSC::MarkedBlock::blessNewBlockForSlowPath):
970         (JSC::MarkedBlock::canonicalizeBlock):
971         * heap/MarkedBlock.h:
972         * heap/NewSpace.cpp:
973         (JSC::NewSpace::addBlock):
974         (JSC::NewSpace::canonicalizeBlocks):
975         * heap/NewSpace.h:
976         (JSC::NewSpace::allocate):
977         (JSC::NewSpace::SizeClass::SizeClass):
978         (JSC::NewSpace::SizeClass::canonicalizeBlock):
979         * heap/OldSpace.cpp:
980         (JSC::OldSpace::addBlock):
981
982 2011-07-14  Filip Pizlo  <fpizlo@apple.com>
983
984         DFG JIT crashes on host constructor calls in debug mode.
985         https://bugs.webkit.org/show_bug.cgi?id=64562
986         
987         Reviewed by Gavin Barraclough.
988         
989         Fixed the relevant ASSERT.
990
991         * dfg/DFGOperations.cpp:
992
993 2011-07-14  Filip Pizlo  <fpizlo@apple.com>
994
995         DFG speculative JIT contains a FIXME for rewinding speculative code generation that
996         has already been fixed.
997         https://bugs.webkit.org/show_bug.cgi?id=64022
998
999         Reviewed by Gavin Barraclough.
1000
1001         * dfg/DFGSpeculativeJIT.h:
1002         (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
1003
1004 2011-07-14  Ryuan Choi  <ryuan.choi@samsung.com>
1005
1006         [EFL] Add OwnPtr specialization for Ecore_Pipe.
1007         https://bugs.webkit.org/show_bug.cgi?id=64515
1008
1009         Add an overload for deleteOwnedPtr(Ecore_Pipe*) on EFL port.
1010
1011         Reviewed by Xan Lopez.
1012
1013         * wtf/OwnPtrCommon.h:
1014         * wtf/efl/OwnPtrEfl.cpp:
1015         (WTF::deleteOwnedPtr):
1016
1017 2011-07-14  Filip Pizlo  <fpizlo@apple.com>
1018
1019         DFG JIT unnecessarily boxes and unboxes values during silent spilling.
1020         https://bugs.webkit.org/show_bug.cgi?id=64068
1021
1022         Reviewed by Gavin Barraclough.
1023         
1024         Silent spilling and filling of registers is done during slow-path C
1025         function calls.  The silent spill/fill logic does not affect register
1026         allocation on paths that don't involve the C function call.
1027         
1028         This changes the silent spilling code to spill in unboxed form.  The
1029         silent fill will refill in whatever form the register was spilled in.
1030         For example, the silent spill code may choose not to spill the register
1031         because it was already spilled previously, which would imply that it
1032         was spilled in boxed form.  The filling code detects this and either
1033         unboxes, or not, depending on what is appropriate.
1034         
1035         This change also results in a simplification of the silent spill/fill
1036         API: silent spilling no longer needs to know about the set of registers
1037         that cannot be trampled, since it never does boxing and hence does not
1038         need a temporary register.
1039
1040         * dfg/DFGJITCodeGenerator.cpp:
1041         (JSC::DFG::JITCodeGenerator::cachedGetById):
1042         (JSC::DFG::JITCodeGenerator::cachedPutById):
1043         * dfg/DFGJITCodeGenerator.h:
1044         (JSC::DFG::JITCodeGenerator::silentSpillGPR):
1045         (JSC::DFG::JITCodeGenerator::silentSpillFPR):
1046         (JSC::DFG::JITCodeGenerator::silentFillFPR):
1047         (JSC::DFG::JITCodeGenerator::silentSpillAllRegisters):
1048         * dfg/DFGNonSpeculativeJIT.cpp:
1049         (JSC::DFG::NonSpeculativeJIT::valueToNumber):
1050         (JSC::DFG::NonSpeculativeJIT::valueToInt32):
1051         (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
1052         (JSC::DFG::NonSpeculativeJIT::basicArithOp):
1053         (JSC::DFG::NonSpeculativeJIT::compare):
1054         (JSC::DFG::NonSpeculativeJIT::compile):
1055         * dfg/DFGSpeculativeJIT.cpp:
1056         (JSC::DFG::SpeculativeJIT::compile):
1057
1058 2011-07-13  Michael Saboff  <msaboff@apple.com>
1059
1060         https://bugs.webkit.org/show_bug.cgi?id=64202
1061         Enh: Improve handling of RegExp in the form of /.*blah.*/
1062
1063         Reviewed by Gavin Barraclough.
1064
1065         Added code to both the Yarr interpreter and JIT to handle
1066         these expressions a little differently.  First off, the terms
1067         in between the leading and trailing .*'s cannot capture and
1068         also this enhancement is limited to single alternative expressions.
1069         If an expression is of the right form with the aforementioned
1070         restrictions, we process the inner terms and then look for the
1071         beginning of the string and end of the string.  There is handling 
1072         for multiline expressions to allow the beginning and end to be 
1073         right after and right before newlines.
1074
1075         This enhancement speeds up expressions of this type 12x on
1076         a MacBookPro.
1077
1078         Cleaned up 'case' statement indentation.
1079
1080         A new set of tests was added as LayoutTests/fast/regex/dotstar.html
1081
1082         * yarr/YarrInterpreter.cpp:
1083         (JSC::Yarr::Interpreter::InputStream::end):
1084         (JSC::Yarr::Interpreter::matchDotStarEnclosure):
1085         (JSC::Yarr::Interpreter::matchDisjunction):
1086         (JSC::Yarr::ByteCompiler::assertionDotStarEnclosure):
1087         (JSC::Yarr::ByteCompiler::emitDisjunction):
1088         * yarr/YarrInterpreter.h:
1089         (JSC::Yarr::ByteTerm::DotStarEnclosure):
1090         * yarr/YarrJIT.cpp:
1091         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
1092         (JSC::Yarr::YarrGenerator::backtrackDotStarEnclosure):
1093         (JSC::Yarr::YarrGenerator::generateTerm):
1094         (JSC::Yarr::YarrGenerator::backtrackTerm):
1095         * yarr/YarrPattern.cpp:
1096         (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets):
1097         (JSC::Yarr::YarrPatternConstructor::containsCapturingTerms):
1098         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
1099         (JSC::Yarr::YarrPattern::compile):
1100         * yarr/YarrPattern.h:
1101         (JSC::Yarr::PatternTerm::PatternTerm):
1102
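Added example, not part of this ChangeLog and not JavaScriptCore code: a differential check of the /.*X.*/ form the Yarr entry above special-cases. For a single-alternative, non-capturing inner term X, the wrapped expression matches exactly when X matches somewhere in the input, and because "." does not match a line terminator the match spans the whole line containing the first line in which X matches. The oracle below implements that description directly from the string, and its answer is compared with the engine's own exec result over a set of inputs; this is the kind of check a reviewer of such a fast path would want, since the engine now takes a different code path for this shape. The pattern /abc/ and the sample inputs are constructed for this example, and the oracle only treats "\n" as a line break (JavaScript's "." also excludes "\r", U+2028 and U+2029), which is an assumption of the example rather than a property of the engine.

```javascript
// Added example, not JavaScriptCore code: reference oracle for /.*X.*/ matching.
// INNER is the non-capturing, single-alternative term X; WRAPPED is the same term
// between a leading and a trailing ".*". Both are constructed for this example.
const INNER = /abc/;
const WRAPPED = /.*abc.*/;

// Oracle: walk the "\n"-delimited lines, return the [index, text] of the first
// line in which INNER matches, or null when no line matches. Only "\n" is treated
// as a line break here (assumption of the example).
function dotStarOracle(inner, input) {
  let lineStart = 0;
  while (lineStart <= input.length) {
    let lineEnd = input.indexOf("\n", lineStart);
    if (lineEnd === -1) lineEnd = input.length;
    const line = input.slice(lineStart, lineEnd);
    if (inner.test(line)) return { index: lineStart, text: line };
    lineStart = lineEnd + 1;
  }
  return null;
}

// Engine answer in the same shape as the oracle's.
function engineResult(wrapped, input) {
  const m = wrapped.exec(input);
  return m ? { index: m.index, text: m[0] } : null;
}

function sameMatch(a, b) {
  if (a === null || b === null) return a === b;
  return a.index === b.index && a.text === b.text;
}

// Returns the inputs on which engine and oracle disagree; empty means they agree.
function disagreements(inner, wrapped, inputs) {
  return inputs.filter((s) => !sameMatch(engineResult(wrapped, s), dotStarOracle(inner, s)));
}

// Constructed sample inputs: hits at line start, mid-line, on a later line,
// repeated hits on one line, and several non-matching shapes.
const SAMPLE_INPUTS = [
  "abc",
  "xxabcxx",
  "xabcyabcz",
  "first\nthe abc line\nlast",
  "abc\n",
  "\nabc",
  "no match here",
  "a\nb\nc",
  "",
];
```

disagreements(INNER, WRAPPED, SAMPLE_INPUTS) returns an empty array on an engine that preserves the wrapped expression's semantics; any input listed there is a case where the fast path and the plain regex disagree. A term with capturing groups or several alternatives is outside the shape the entry describes, so the oracle is not meant for those.
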
1103 2011-07-13  Xan Lopez  <xlopez@igalia.com>
1104
1105         [GTK] Fix distcheck
1106
1107         Reviewed by Martin Robinson.
1108
1109         * GNUmakefile.list.am: add missing files.
1110
1111 2011-07-13  Filip Pizlo  <fpizlo@apple.com>
1112
1113         DFG JIT does not implement prototype chain or list caching for get_by_id.
1114         https://bugs.webkit.org/show_bug.cgi?id=64147
1115
1116         Reviewed by Gavin Barraclough.
1117         
1118         This implements unified support for prototype caching, prototype chain
1119         caching, and polymorphic (i.e. list) prototype and prototype chain
1120         caching.  This is done by creating common code for emitting prototype
1121         or chain access stubs, and having it factored out into
1122         generateProtoChainAccessStub().  This function is called by
1123         tryCacheGetByID once the latter determines that some form of prototype
1124         access caching is necessary (i.e. the slot being accessed is not on the
1125         base value but on some other object).
1126         
1127         Direct prototype list, and prototype chain list, caching is implemented by
1128         linking the slow path to operationGetByIdProtoBuildList(), which uses the
1129         same helper function (generateProtoChainAccessStub()) as tryCacheGetByID.
1130         
1131         This change required ensuring that the value in the scratchGPR field in
1132         StructureStubInfo is preserved even after the stub info is in the
1133         chain, or proto_list, states.  Hence scratchGPR was moved out of the union
1134         and into the top-level of StructureStubInfo.
1135         
1136         * bytecode/StructureStubInfo.h:
1137         * dfg/DFGJITCompiler.cpp:
1138         (JSC::DFG::JITCompiler::compileFunction):
1139         * dfg/DFGOperations.cpp:
1140         * dfg/DFGOperations.h:
1141         * dfg/DFGRepatch.cpp:
1142         (JSC::DFG::emitRestoreScratch):
1143         (JSC::DFG::linkRestoreScratch):
1144         (JSC::DFG::generateProtoChainAccessStub):
1145         (JSC::DFG::tryCacheGetByID):
1146         (JSC::DFG::tryBuildGetByIDProtoList):
1147         (JSC::DFG::dfgBuildGetByIDProtoList):
1148         (JSC::DFG::tryCachePutByID):
1149         * dfg/DFGRepatch.h:
1150
1151 2011-07-12  Brent Fulgham  <bfulgham@webkit.org>
1152
1153         Standardize WinCairo conditionalized code under PLATFORM macro.
1154         https://bugs.webkit.org/show_bug.cgi?id=64377
1155
1156         Reviewed by Maciej Stachowiak.
1157
1158         * wtf/Platform.h: Update to use PLATFORM(WIN_CAIRO) for tests.
1159
1160 2011-07-13  David Levin  <levin@chromium.org>
1161
1162         Possible race condition in ThreadIdentifierData::initializeKeyOnce and shouldCallRealDebugger.
1163         https://bugs.webkit.org/show_bug.cgi?id=64465
1164
1165         Reviewed by Dmitry Titov.
1166
1167         There isn't a good way to test this as it is very highly unlikely to occur.
1168
1169         * wtf/ThreadIdentifierDataPthreads.cpp:
1170         (WTF::ThreadIdentifierData::initializeKeyOnce): Since scoped static initialization
1171         isn't thread-safe, change the initialization to be global.
1172
1173 2011-07-12  Gavin Barraclough  <barraclough@apple.com>
1174
1175         https://bugs.webkit.org/show_bug.cgi?id=64424
1176         Our direct eval behaviour deviates slightly from the spec.
1177
1178         Reviewed by Oliver Hunt.
1179
1180         The ES5 spec defines a concept of 'Direct Call to Eval' (see section 15.1.2.1.1), where
1181         behaviour will differ from that of an indirect call (e.g. " { eval: window.eval }.eval();"
1182         or "var a = eval; a();" are indirect calls), particularly in non-strict scopes variables
1183         may be introduced into the caller's environment.
1184
1185         ES5 direct calls are any call where the callee function is provided by a reference, a base
1186         of that Reference is an EnvironmentRecord (this corresponds to all productions
1187         "PrimaryExpression: Identifier", see 10.2.2.1 GetIdentifierReference), and where the name
1188         of the reference is "eval". This means any expression of the form "eval(...)", and that
1189         calls the standard built-in eval method on the Global Object, is considered to be
1190         direct.
1191
1192         In JavaScriptCore we are currently overly restrictive. We also check that the
1193         EnvironmentRecord that is the base of the reference is the Declarative Environment Record
1194         at the root of the scope chain, corresponding to the Global Object - an "eval(..)" statement
1195         that hits a var eval in a nested scope is not considered to be direct. This behaviour does
1196         not emanate from the spec, and is incorrect.
1197
1198         * interpreter/Interpreter.cpp:
1199         (JSC::Interpreter::privateExecute):
1200             - Fixed direct eval check in op_call_eval.
1201         * jit/JITStubs.cpp:
1202         (JSC::DEFINE_STUB_FUNCTION):
1203             - Fixed direct eval check in op_call_eval.
1204         * runtime/Executable.h:
1205         (JSC::isHostFunction):
1206             - Added check for host function with specific NativeFunction.
1207
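Added example, not part of this ChangeLog and not JavaScriptCore code: JavaScript probes for the ES5 15.1.2.1.1 direct-call rule the entry above describes, including the nested-scope case it says JavaScriptCore got wrong. A direct call runs in the caller's environment (it can read the caller's locals and its var declarations land there), while an indirect call runs in the global scope (it cannot see the caller's locals and its var declarations land on the global object), which is why code that evaluates untrusted strings must care about which form it uses. Each probe is built with the Function constructor so its body is parsed in sloppy mode however this file is loaded; strict code forbids a binding named eval and the shadowing case needs one. The probe names, the local variable names and the marker values are this example's own.

```javascript
// Added example, not JavaScriptCore code: direct versus indirect eval probes.
// Bodies are parsed by the Function constructor in sloppy mode regardless of how
// this file is loaded; the "var eval" case below is a SyntaxError in strict code.

// Direct call: the callee is a Reference named "eval" whose base is an environment
// record and whose value is the built-in eval. The evaluated code sees the caller's
// locals, and its var declarations land in the caller's variable environment.
const directEvalProbe = new Function(`
  var secret = 42;
  var seen = eval("typeof secret");
  eval("var introduced = secret + 1");
  return { seen: seen, introduced: introduced, onGlobal: typeof globalThis.introduced };
`);

// Still direct: the Reference is named "eval" and its value is the built-in, even
// though the binding lives in this function's scope rather than the global one.
// This is the nested-scope case the entry above says was wrongly treated as indirect.
const shadowedEvalProbe = new Function(`
  var eval = globalThis.eval;
  var secret = 42;
  return { seen: eval("typeof secret") };
`);

// Indirect call through an alias: the Reference is named "indirect", so the code
// runs in the global scope, cannot see the caller's locals, and its var declarations
// land on the global object.
const aliasedEvalProbe = new Function(`
  var secret = 42;
  var indirect = eval;
  var seen = indirect("typeof secret");
  indirect("var leaked = 'yes'");
  var onGlobal = globalThis.leaked;
  delete globalThis.leaked;   // eval-created globals are configurable, so clean up
  return { seen: seen, onGlobal: onGlobal };
`);

// Indirect call through a property access: the base of the Reference is an object,
// not an environment record, so this is not a direct call either.
const propertyEvalProbe = new Function(`
  var secret = 42;
  var holder = { eval: eval };
  return { seen: holder.eval("typeof secret") };
`);

// Runs every probe and collects what each one observed.
function evalScopeReport() {
  return {
    direct: directEvalProbe(),      // seen "number", introduced 43, onGlobal "undefined"
    shadowed: shadowedEvalProbe(),  // seen "number"
    aliased: aliasedEvalProbe(),    // seen "undefined", onGlobal "yes"
    property: propertyEvalProbe(),  // seen "undefined"
  };
}
```

evalScopeReport() gives the values in the trailing comments on an engine that follows the spec. The shadowed probe is the case the entry fixes: before the change a var named eval in a nested scope made the call indirect, so the evaluated code could not see the caller's locals and its declarations went to the global object instead.
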
1208 2011-07-13  Ademar de Souza Reis Jr.  <ademar.reis@openbossa.org>
1209
1210         Reviewed by Andreas Kling.
1211
1212         Broken build on QNX
1213         https://bugs.webkit.org/show_bug.cgi?id=63717
1214
1215         QNX doesn't support pthread's SA_RESTART (required by
1216         JSC_MULTIPLE_THREADS), JIT is broken at runtime and there are a
1217         few minor compilation errors here and there.
1218
1219         Original patch by Ritt Konstantin <ritt.ks@gmail.com>, also
1220         tested by him on QNX v6.5 (x86)
1221
1222         * wtf/DateMath.cpp: fix usage of abs/labs
1223         * wtf/Platform.h: Disable JIT and JSC_MULTIPLE_THREADS
1224         * wtf/StackBounds.cpp: Add a couple of missing includes (and sort them)
1225
1226 2011-07-12  Anders Carlsson  <andersca@apple.com>
1227
1228         If a compiler has nullptr support, include <cstddef> to get the nullptr_t definition
1229         https://bugs.webkit.org/show_bug.cgi?id=64429
1230
1231         Include the cstddef which has the nullptr_t typedef according to the C++0x standard.
1232
1233         * wtf/NullPtr.h:
1234
1235 2011-07-13  MORITA Hajime  <morrita@google.com>
1236
1237         Refactoring: Ignored ExceptionCode value should be less annoying.
1238         https://bugs.webkit.org/show_bug.cgi?id=63688
1239
1240         Added ASSERT_AT macro.
1241
1242         Reviewed by Darin Adler.
1243
1244         * wtf/Assertions.h:
1245
1246 2011-07-12  Filip Pizlo  <fpizlo@apple.com>
1247
1248         DFG JIT does not implement op_construct.
1249         https://bugs.webkit.org/show_bug.cgi?id=64066
1250
1251         Reviewed by Gavin Barraclough.
1252         
1253         This is a fixed implementation of op_construct.  Constructor calls are implemented
1254         by reusing almost all of the code for Call, with care taken to make sure that
1255         where there are differences (like selecting different code blocks), those differences
1256         are respected.  The two fixes over the last patch are: (1) make sure the
1257         CodeBlock::unlinkCalls respects differences between Call and Construct, and (2)
1258         make sure that virtualFor() in DFGOperations respects the CodeSpecializationKind
1259         (either CodeForCall or CodeForConstruct) when invoking the compiler.
1260
1261         * dfg/DFGAliasTracker.h:
1262         (JSC::DFG::AliasTracker::recordConstruct):
1263         * dfg/DFGByteCodeParser.cpp:
1264         (JSC::DFG::ByteCodeParser::addCall):
1265         (JSC::DFG::ByteCodeParser::parseBlock):
1266         * dfg/DFGJITCodeGenerator.cpp:
1267         (JSC::DFG::JITCodeGenerator::emitCall):
1268         * dfg/DFGNode.h:
1269         * dfg/DFGNonSpeculativeJIT.cpp:
1270         (JSC::DFG::NonSpeculativeJIT::compile):
1271         * dfg/DFGOperations.cpp:
1272         * dfg/DFGOperations.h:
1273         * dfg/DFGRepatch.cpp:
1274         (JSC::DFG::dfgLinkFor):
1275         * dfg/DFGRepatch.h:
1276         * dfg/DFGSpeculativeJIT.cpp:
1277         (JSC::DFG::SpeculativeJIT::compile):
1278         * runtime/CodeBlock.cpp:
1279         (JSC::CodeBlock::unlinkCalls):
1280
1281 2011-07-12  Oliver Hunt  <oliver@apple.com>
1282
1283         Overzealous type validation in method_check
1284         https://bugs.webkit.org/show_bug.cgi?id=64415
1285
1286         Reviewed by Gavin Barraclough.
1287
1288         method_check is essentially just a value look up
1289         optimisation, but it internally stores the value
1290         as a JSFunction, even though it never relies on
1291         this fact.  Under GC validation however we end up
1292         trying to enforce that assumption.  The fix is
1293         simply to store the value as a correct supertype.
1294
1295         * bytecode/CodeBlock.h:
1296         * dfg/DFGRepatch.cpp:
1297         (JSC::DFG::dfgRepatchGetMethodFast):
1298         (JSC::DFG::tryCacheGetMethod):
1299         * jit/JIT.h:
1300         * jit/JITPropertyAccess.cpp:
1301         (JSC::JIT::patchMethodCallProto):
1302         * jit/JITStubs.cpp:
1303         (JSC::DEFINE_STUB_FUNCTION):
1304
1305 2011-07-12  Filip Pizlo  <fpizlo@apple.com>
1306
1307         COLLECT_ON_EVERY_ALLOCATION no longer works.
1308         https://bugs.webkit.org/show_bug.cgi?id=64388
1309
1310         Reviewed by Oliver Hunt.
1311         
1312         Added a flag to Heap that determines if it's safe to collect (which for now means that
1313         JSGlobalObject has actually been initialized, but it should work for other things, too).
1314         This allows JSGlobalObject to allocate even if the allocator wants to GC; instead of
1315         GCing it just grows the heap, if necessary.
1316         
1317         Then changed Heap::allocate() to not recurse ad infinitum when
1318         COLLECT_ON_EVERY_ALLOCATION is set.  This also makes the allocator generally more
1319         resilient against bugs; this change allowed me to put in handy assertions, such as that
1320         an allocation must succeed after either a collection or after a new block was added.
1321
1322         * heap/Heap.cpp:
1323         (JSC::Heap::Heap):
1324         (JSC::Heap::tryAllocate):
1325         (JSC::Heap::allocate):
1326         (JSC::Heap::collectAllGarbage):
1327         (JSC::Heap::collect):
1328         * heap/Heap.h:
1329         (JSC::Heap::notifyIsSafeToCollect):
1330         * runtime/JSGlobalData.cpp:
1331         (JSC::JSGlobalData::JSGlobalData):
1332
1333 2011-07-12  Filip Pizlo  <fpizlo@apple.com>
1334
1335         DFG JIT put_by_id transition caching does not inform the GC about the structure and
1336         prototype chain that it is referencing.
1337         https://bugs.webkit.org/show_bug.cgi?id=64387
1338
1339         Reviewed by Gavin Barraclough.
1340         
1341         Fixed the relevant code in DFGRepatch to call StructureStubInfo::initPutByIdTransition().
1342
1343         * dfg/DFGRepatch.cpp:
1344         (JSC::DFG::tryCachePutByID):
1345
1346 2011-07-12  Adam Roben  <aroben@apple.com>
1347
1348         Ensure no intermediate WTF::Strings are created when concatenating with string literals
1349
1350         Fixes <http://webkit.org/b/63330> Concatenating string literals and WTF::Strings using
1351         operator+ is suboptimal
1352
1353         Reviewed by Darin Adler.
1354
1355         * wtf/text/StringConcatenate.h:
1356         (WTF::StringTypeAdapter<String>::writeTo): Added a macro that can be used for testing how
1357         many WTF::Strings get copied while evaluating an operator+ expression.
1358
1359         * wtf/text/StringOperators.h:
1360         (WTF::operator+): Changed the overload that takes a StringAppend to take it on the left-hand
1361         side, since operator+ is left-associative. Having the StringAppend on the right-hand side
1362         was causing us to make intermediate WTF::Strings when evaluating expressions that contained
1363         multiple calls to operator+. Added some more overloads that take a left-hand side of
1364         const char* to resolve overload ambiguity for certain expressions. Added overloads that take
1365         a left-hand side of const UChar* (matching the const char* overloads) so that wide string
1366         literals don't first have to be converted to a WTF::String in operator+ expressions.
1367
1368 2011-07-12  Adam Roben  <aroben@apple.com>
1369
1370         Unreviewed, rolling out r90811.
1371         http://trac.webkit.org/changeset/90811
1372         https://bugs.webkit.org/show_bug.cgi?id=61025
1373
1374         Several svg tests failing assertions beneath
1375         SVGSMILElement::findInstanceTime
1376
1377         * wtf/StdLibExtras.h:
1378         (WTF::binarySearch):
1379
1380 2011-07-12  Oliver Varga  <Varga.Oliver@stud.u-szeged.hu>
1381
1382         Reviewed by Nikolas Zimmermann.
1383
1384         Speed up SVGSMILElement::findInstanceTime.
1385         https://bugs.webkit.org/show_bug.cgi?id=61025
1386
1387         Add a new parameter to StdlibExtras.h::binarySearch function
1388         to also handle cases when the array does not contain the key value.
1389         This is needed for an svg function.
1390
1391         * wtf/StdLibExtras.h:
1392         (WTF::binarySearch):
1393
1394 2011-07-11  Filip Pizlo  <fpizlo@apple.com>
1395
1396         DFG speculative JIT does not guard itself against floating point speculation
1397         failures on non-floating-point constants.
1398         https://bugs.webkit.org/show_bug.cgi?id=64330
1399
1400         Reviewed by Gavin Barraclough.
1401         
1402         Made fillSpeculateDouble immediately invoke terminateSpeculativeExecution() as
1403         soon as it notices that it's speculating on something that is a non-numeric
1404         JSConstant.
1405
1406         * dfg/DFGSpeculativeJIT.cpp:
1407         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1408
1409 2011-07-11  Filip Pizlo  <fpizlo@apple.com>
1410
1411         DFG Speculative JIT does not always insert speculation checks when speculating
1412         arrays.
1413         https://bugs.webkit.org/show_bug.cgi?id=64254
1414
1415         Reviewed by Gavin Barraclough.
1416         
1417         Changed the SetLocal instruction to always validate that the value being stored
1418         into the local variable is an array, if that variable was marked PredictArray.
1419         This is necessary since uses of arrays assume that if a PredictArray value is
1420         in a local variable then the speculation check validating that the value is an
1421         array was already performed.
1422
1423         * dfg/DFGSpeculativeJIT.cpp:
1424         (JSC::DFG::SpeculativeJIT::compile):
1425
1426 2011-07-11  Gabor Loki  <loki@webkit.org>
1427
1428         Fix the condition of the optimized code in doubleTransfer
1429         https://bugs.webkit.org/show_bug.cgi?id=64261
1430
1431         Reviewed by Zoltan Herczeg.
1432
1433         The condition of the optimized code in doubleTransfer is wrong. The
1434         data transfer should be executed with four bytes aligned address.
1435         VFP cannot perform unaligned memory access.
1436
1437         Reported by Jacob Bramley.
1438
1439         * assembler/ARMAssembler.cpp:
1440         (JSC::ARMAssembler::doubleTransfer):
1441
1442 2011-07-11  Gabor Loki  <loki@webkit.org>
1443
1444         Signed arithmetic bug in dataTransfer32.
1445         https://bugs.webkit.org/show_bug.cgi?id=64257
1446
1447         Reviewed by Zoltan Herczeg.
1448
1449         An arithmetic bug is fixed. If the offset of dataTransfer is half of the
1450         addressable memory space on a 32-bit machine (-2147483648 = 0x80000000)
1451         a load instruction is emitted with a wrong zero offset.
1452
1453         Inspired by Jacob Bramley's patch from JaegerMonkey.
1454
1455         * assembler/ARMAssembler.cpp:
1456         (JSC::ARMAssembler::dataTransfer32):
1457
1458 2011-07-09  Thouraya Andolsi  <thouraya.andolsi@st.com>
1459
1460         Fix unaligned userspace access for SH4 platforms.
1461         https://bugs.webkit.org/show_bug.cgi?id=62993
1462
1463         * wtf/Platform.h:
1464
1465 2011-07-09  Chao-ying Fu  <fu@mips.com>
1466
1467         Fix MIPS build due to readInt32 and readPointer
1468         https://bugs.webkit.org/show_bug.cgi?id=63962
1469
1470         * assembler/MIPSAssembler.h:
1471         (JSC::MIPSAssembler::readInt32):
1472         (JSC::MIPSAssembler::readPointer):
1473         * assembler/MacroAssemblerMIPS.h:
1474         (JSC::MacroAssemblerMIPS::rshift32):
1475
1476 2011-07-08  Gavin Barraclough  <barraclough@apple.com>
1477
1478         https://bugs.webkit.org/show_bug.cgi?id=64181
1479         REGRESSION (r90602): Gmail doesn't load
1480
1481         Rolling out r90601, r90602.
1482
1483         * dfg/DFGAliasTracker.h:
1484         * dfg/DFGByteCodeParser.cpp:
1485         (JSC::DFG::ByteCodeParser::addVarArgChild):
1486         (JSC::DFG::ByteCodeParser::parseBlock):
1487         * dfg/DFGJITCodeGenerator.cpp:
1488         (JSC::DFG::JITCodeGenerator::emitCall):
1489         * dfg/DFGNode.h:
1490         * dfg/DFGNonSpeculativeJIT.cpp:
1491         (JSC::DFG::NonSpeculativeJIT::compile):
1492         * dfg/DFGOperations.cpp:
1493         * dfg/DFGOperations.h:
1494         * dfg/DFGRepatch.cpp:
1495         (JSC::DFG::tryCacheGetByID):
1496         (JSC::DFG::dfgLinkCall):
1497         * dfg/DFGRepatch.h:
1498         * dfg/DFGSpeculativeJIT.cpp:
1499         (JSC::DFG::SpeculativeJIT::compile):
1500         * runtime/JSObject.h:
1501         (JSC::JSObject::isUsingInlineStorage):
1502
1503 2011-07-08  Kalev Lember  <kalev@smartlink.ee>
1504
1505         Reviewed by Adam Roben.
1506
1507         Add missing _WIN32_WINNT and WINVER definitions
1508         https://bugs.webkit.org/show_bug.cgi?id=59702
1509
1510         Moved _WIN32_WINNT and WINVER definitions to config.h so that they are
1511         available for all source files.
1512
1513         In particular, wtf/FastMalloc.cpp uses CreateTimerQueueTimer and
1514         DeleteTimerQueueTimer which are both guarded by
1515         #if (_WIN32_WINNT >= 0x0500)
1516         in MinGW headers.
1517
1518         * config.h:
1519         * wtf/Assertions.cpp:
1520
1521 2011-07-08  Chang Shu  <cshu@webkit.org>
1522
1523         Rename "makeSecure" to "fill" and remove the support for displaying last character
1524         to avoid layering violation.
1525         https://bugs.webkit.org/show_bug.cgi?id=59114
1526
1527         Reviewed by Alexey Proskuryakov.
1528
1529         * JavaScriptCore.exp:
1530         * JavaScriptCore.order:
1531         * wtf/text/StringImpl.cpp:
1532         (WTF::StringImpl::fill):
1533         * wtf/text/StringImpl.h:
1534         * wtf/text/WTFString.h:
1535         (WTF::String::fill):
1536
1537 2011-07-08  Benjamin Poulain  <benjamin@webkit.org>
1538
1539         [WK2] Do not forward touch events to the web process when it does not need them
1540         https://bugs.webkit.org/show_bug.cgi?id=64164
1541
1542         Reviewed by Kenneth Rohde Christiansen.
1543
1544         Add a convenience function to obtain a reference to the last element of a Deque.
1545
1546         * wtf/Deque.h:
1547         (WTF::Deque::last):
1548
1549 2011-07-07  Filip Pizlo  <fpizlo@apple.com>
1550
1551         DFG JIT does not implement op_construct.
1552         https://bugs.webkit.org/show_bug.cgi?id=64066
1553
1554         Reviewed by Gavin Barraclough.
1555
1556         * dfg/DFGAliasTracker.h:
1557         (JSC::DFG::AliasTracker::recordConstruct):
1558         * dfg/DFGByteCodeParser.cpp:
1559         (JSC::DFG::ByteCodeParser::addCall):
1560         (JSC::DFG::ByteCodeParser::parseBlock):
1561         * dfg/DFGJITCodeGenerator.cpp:
1562         (JSC::DFG::JITCodeGenerator::emitCall):
1563         * dfg/DFGNode.h:
1564         * dfg/DFGNonSpeculativeJIT.cpp:
1565         (JSC::DFG::NonSpeculativeJIT::compile):
1566         * dfg/DFGOperations.cpp:
1567         * dfg/DFGOperations.h:
1568         * dfg/DFGRepatch.cpp:
1569         (JSC::DFG::dfgLinkFor):
1570         * dfg/DFGRepatch.h:
1571         * dfg/DFGSpeculativeJIT.cpp:
1572         (JSC::DFG::SpeculativeJIT::compile):
1573
1574 2011-07-07  Filip Pizlo  <fpizlo@apple.com>
1575
1576         DFG JIT does not implement get_by_id prototype caching.
1577         https://bugs.webkit.org/show_bug.cgi?id=64077
1578
1579         Reviewed by Gavin Barraclough.
1580
1581         * dfg/DFGRepatch.cpp:
1582         (JSC::DFG::emitRestoreScratch):
1583         (JSC::DFG::linkRestoreScratch):
1584         (JSC::DFG::tryCacheGetByID):
1585         * runtime/JSObject.h:
1586         (JSC::JSObject::addressOfPropertyAtOffset):
1587
1588 2011-07-07  Filip Pizlo  <fpizlo@apple.com>
1589
1590         DFG JIT method_check implementation does not link to optimized get_by_id
1591         slow path.
1592         https://bugs.webkit.org/show_bug.cgi?id=64073
1593
1594         Reviewed by Gavin Barraclough.
1595
1596         * dfg/DFGRepatch.cpp:
1597         (JSC::DFG::dfgRepatchGetMethodFast):
1598
1599 2011-07-07  Oliver Hunt  <oliver@apple.com>
1600
1601         Encode jump and link sizes into the appropriate enums
1602         https://bugs.webkit.org/show_bug.cgi?id=64123
1603
1604         Reviewed by Sam Weinig.
1605
1606         Finally kill off the out of line jump and link size arrays, 
1607         so we can avoid icky loads and constant fold the linking arithmetic.
1608
1609         * assembler/ARMv7Assembler.cpp:
1610         * assembler/ARMv7Assembler.h:
1611         (JSC::ARMv7Assembler::jumpSizeDelta):
1612         (JSC::ARMv7Assembler::computeJumpType):
1613
1614 2011-07-06  Juan C. Montemayor  <jmont@apple.com>
1615
1616         ASSERT_NOT_REACHED running test 262
1617         https://bugs.webkit.org/show_bug.cgi?id=63951
1618         
1619         Added a case to the switch statement where the code was failing. Fixed
1620         some logic as well that gave faulty error messages.
1621
1622         Reviewed by Gavin Barraclough.
1623
1624         * parser/JSParser.cpp:
1625         (JSC::JSParser::getTokenName):
1626         (JSC::JSParser::updateErrorMessageSpecialCase):
1627         (JSC::JSParser::updateErrorMessage):
1628
1629 2011-07-06  Filip Pizlo  <fpizlo@apple.com>
1630
1631         DFG JIT implementation of op_call results in regressions on sunspider
1632         controlflow-recursive.
1633         https://bugs.webkit.org/show_bug.cgi?id=64039
1634
1635         Reviewed by Gavin Barraclough.
1636
1637         * dfg/DFGByteCodeParser.cpp:
1638         (JSC::DFG::ByteCodeParser::isSmallInt32Constant):
1639         (JSC::DFG::ByteCodeParser::parseBlock):
1640         * dfg/DFGSpeculativeJIT.h:
1641         (JSC::DFG::SpeculativeJIT::isInteger):
1642
1643 2011-07-06  Filip Pizlo  <fpizlo@apple.com>
1644
1645         DFG JIT does not support method_check
1646         https://bugs.webkit.org/show_bug.cgi?id=63972
1647
1648         Reviewed by Gavin Barraclough.
1649
1650         * assembler/CodeLocation.h:
1651         (JSC::CodeLocationPossiblyNearCall::CodeLocationPossiblyNearCall):
1652         * bytecode/CodeBlock.cpp:
1653         (JSC::CodeBlock::visitAggregate):
1654         * bytecode/CodeBlock.h:
1655         (JSC::MethodCallLinkInfo::MethodCallLinkInfo):
1656         (JSC::MethodCallLinkInfo::seenOnce):
1657         (JSC::MethodCallLinkInfo::setSeen):
1658         * dfg/DFGAliasTracker.h:
1659         (JSC::DFG::AliasTracker::recordGetMethod):
1660         * dfg/DFGByteCodeParser.cpp:
1661         (JSC::DFG::ByteCodeParser::parseBlock):
1662         * dfg/DFGJITCodeGenerator.cpp:
1663         (JSC::DFG::JITCodeGenerator::cachedGetById):
1664         (JSC::DFG::JITCodeGenerator::cachedGetMethod):
1665         * dfg/DFGJITCodeGenerator.h:
1666         * dfg/DFGJITCompiler.cpp:
1667         (JSC::DFG::JITCompiler::compileFunction):
1668         * dfg/DFGJITCompiler.h:
1669         (JSC::DFG::JITCompiler::addMethodGet):
1670         (JSC::DFG::JITCompiler::MethodGetRecord::MethodGetRecord):
1671         * dfg/DFGNode.h:
1672         (JSC::DFG::Node::hasIdentifier):
1673         * dfg/DFGNonSpeculativeJIT.cpp:
1674         (JSC::DFG::NonSpeculativeJIT::compile):
1675         * dfg/DFGOperations.cpp:
1676         * dfg/DFGOperations.h:
1677         * dfg/DFGRepatch.cpp:
1678         (JSC::DFG::dfgRepatchGetMethodFast):
1679         (JSC::DFG::tryCacheGetMethod):
1680         (JSC::DFG::dfgRepatchGetMethod):
1681         * dfg/DFGRepatch.h:
1682         * dfg/DFGSpeculativeJIT.cpp:
1683         (JSC::DFG::SpeculativeJIT::compile):
1684         * jit/JITWriteBarrier.h:
1685         (JSC::JITWriteBarrier::set):
1686
1687 2011-07-06  Filip Pizlo  <fpizlo@apple.com>
1688
1689         DFG JIT op_call implementation will flush registers even when those registers are dead
1690         https://bugs.webkit.org/show_bug.cgi?id=64023
1691
1692         Reviewed by Gavin Barraclough.
1693
1694         * dfg/DFGJITCodeGenerator.cpp:
1695         (JSC::DFG::JITCodeGenerator::emitCall):
1696         * dfg/DFGJITCodeGenerator.h:
1697         (JSC::DFG::JITCodeGenerator::integerResult):
1698         (JSC::DFG::JITCodeGenerator::noResult):
1699         (JSC::DFG::JITCodeGenerator::cellResult):
1700         (JSC::DFG::JITCodeGenerator::jsValueResult):
1701         (JSC::DFG::JITCodeGenerator::doubleResult):
1702         * dfg/DFGNonSpeculativeJIT.cpp:
1703         (JSC::DFG::NonSpeculativeJIT::compile):
1704         * dfg/DFGSpeculativeJIT.cpp:
1705         (JSC::DFG::SpeculativeJIT::compile):
1706
1707 2011-07-06  Filip Pizlo  <fpizlo@apple.com>
1708
1709         DFG speculative JIT may crash when speculating int on a non-int JSConstant.
1710         https://bugs.webkit.org/show_bug.cgi?id=64017
1711
1712         Reviewed by Gavin Barraclough.
1713
1714         * dfg/DFGSpeculativeJIT.cpp:
1715         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1716         (JSC::DFG::SpeculativeJIT::compile):
1717
1718 2011-07-06  Dmitriy Vyukov  <dvyukov@google.com>
1719
1720         Reviewed by David Levin.
1721
1722         Allow substitution of dynamic annotations and prevent identical code folding by the linker.
1723         https://bugs.webkit.org/show_bug.cgi?id=62443
1724
1725         * wtf/DynamicAnnotations.cpp:
1726         (WTFAnnotateBenignRaceSized):
1727         (WTFAnnotateHappensBefore):
1728         (WTFAnnotateHappensAfter):
1729
1730 2011-07-06  Zoltan Herczeg  <zherczeg@inf.u-szeged.hu>
1731
1732         Calls on 32 bit machines fail after r90423
1733         https://bugs.webkit.org/show_bug.cgi?id=63980
1734
1735         Reviewed by Gavin Barraclough.
1736
1737         Copy the necessary lines from JITCall.cpp.
1738
1739         * jit/JITCall32_64.cpp:
1740         (JSC::JIT::compileOpCall):
1741
1742 2011-07-05  Filip Pizlo  <fpizlo@apple.com>
1743
1744         DFG JIT virtual call implementation is inefficient.
1745         https://bugs.webkit.org/show_bug.cgi?id=63974
1746
1747         Reviewed by Gavin Barraclough.
1748
1749         * dfg/DFGOperations.cpp:
1750         * runtime/Executable.h:
1751         (JSC::ExecutableBase::generatedJITCodeForCallWithArityCheck):
1752         (JSC::ExecutableBase::generatedJITCodeForConstructWithArityCheck):
1753         (JSC::ExecutableBase::generatedJITCodeWithArityCheckFor):
1754         (JSC::ExecutableBase::hasJITCodeForCall):
1755         (JSC::ExecutableBase::hasJITCodeForConstruct):
1756         (JSC::ExecutableBase::hasJITCodeFor):
1757         * runtime/JSFunction.h:
1758         (JSC::JSFunction::scopeUnchecked):
1759
1760 2011-07-05  Oliver Hunt  <oliver@apple.com>
1761
1762         Force inlining of simple functions that show up as not being inlined
1763         https://bugs.webkit.org/show_bug.cgi?id=63964
1764
1765         Reviewed by Gavin Barraclough.
1766
1767         Looking at profile data indicates that gcc is failing to inline a
1768         number of trivial functions.  This patch hits the ones that show
1769         up in profiles with the ALWAYS_INLINE hammer.
1770
1771         We also replace the memcpy() call in linking with a manual loop.
1772         Apparently memcpy() is almost never faster than an inlined loop.
1773
1774         * assembler/ARMv7Assembler.h:
1775         (JSC::ARMv7Assembler::add):
1776         (JSC::ARMv7Assembler::add_S):
1777         (JSC::ARMv7Assembler::ARM_and):
1778         (JSC::ARMv7Assembler::asr):
1779         (JSC::ARMv7Assembler::b):
1780         (JSC::ARMv7Assembler::blx):
1781         (JSC::ARMv7Assembler::bx):
1782         (JSC::ARMv7Assembler::clz):
1783         (JSC::ARMv7Assembler::cmn):
1784         (JSC::ARMv7Assembler::cmp):
1785         (JSC::ARMv7Assembler::eor):
1786         (JSC::ARMv7Assembler::it):
1787         (JSC::ARMv7Assembler::ldr):
1788         (JSC::ARMv7Assembler::ldrCompact):
1789         (JSC::ARMv7Assembler::ldrh):
1790         (JSC::ARMv7Assembler::ldrb):
1791         (JSC::ARMv7Assembler::lsl):
1792         (JSC::ARMv7Assembler::lsr):
1793         (JSC::ARMv7Assembler::movT3):
1794         (JSC::ARMv7Assembler::mov):
1795         (JSC::ARMv7Assembler::movt):
1796         (JSC::ARMv7Assembler::mvn):
1797         (JSC::ARMv7Assembler::neg):
1798         (JSC::ARMv7Assembler::orr):
1799         (JSC::ARMv7Assembler::orr_S):
1800         (JSC::ARMv7Assembler::ror):
1801         (JSC::ARMv7Assembler::smull):
1802         (JSC::ARMv7Assembler::str):
1803         (JSC::ARMv7Assembler::sub):
1804         (JSC::ARMv7Assembler::sub_S):
1805         (JSC::ARMv7Assembler::tst):
1806         (JSC::ARMv7Assembler::linkRecordSourceComparator):
1807         (JSC::ARMv7Assembler::link):
1808         (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp5Reg3Imm8):
1809         (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp5Imm5Reg3Reg3):
1810         (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp7Reg3Reg3Reg3):
1811         (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp8Imm8):
1812         (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp8RegReg143):
1813         (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp9Imm7):
1814         (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp10Reg3Reg3):
1815         (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp12Reg4FourFours):
1816         (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp16FourFours):
1817         (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp16Op16):
1818         (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp5i6Imm4Reg4EncodedImm):
1819         (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp12Reg4Reg4Imm12):
1820         (JSC::ARMv7Assembler::ARMInstructionFormatter::vfpOp):
1821         (JSC::ARMv7Assembler::ARMInstructionFormatter::vfpMemOp):
1822         * assembler/LinkBuffer.h:
1823         (JSC::LinkBuffer::linkCode):
1824         * assembler/MacroAssemblerARMv7.h:
1825         (JSC::MacroAssemblerARMv7::nearCall):
1826         (JSC::MacroAssemblerARMv7::call):
1827         (JSC::MacroAssemblerARMv7::ret):
1828         (JSC::MacroAssemblerARMv7::moveWithPatch):
1829         (JSC::MacroAssemblerARMv7::branchPtrWithPatch):
1830         (JSC::MacroAssemblerARMv7::storePtrWithPatch):
1831         (JSC::MacroAssemblerARMv7::tailRecursiveCall):
1832         (JSC::MacroAssemblerARMv7::makeTailRecursiveCall):
1833         (JSC::MacroAssemblerARMv7::jump):
1834         (JSC::MacroAssemblerARMv7::makeBranch):
1835
1836 2011-07-05  Zoltan Herczeg  <zherczeg@inf.u-szeged.hu>
1837
1838         Make "Add optimised paths for a few maths functions" work on Qt
1839         https://bugs.webkit.org/show_bug.cgi?id=63893
1840
1841         Reviewed by Oliver Hunt.
1842
1843         Move the generated code to the .text section instead of .data section.
1844         Fix alignment for the 32 bit thunk code.
1845
1846         * jit/ThunkGenerators.cpp:
1847
1848 2011-07-05  Filip Pizlo  <fpizlo@apple.com>
1849
1850         DFG JIT does not implement op_call.
1851         https://bugs.webkit.org/show_bug.cgi?id=63858
1852
1853         Reviewed by Gavin Barraclough.
1854
1855         * bytecode/CodeBlock.cpp:
1856         (JSC::CodeBlock::unlinkCalls):
1857         * bytecode/CodeBlock.h:
1858         (JSC::CodeBlock::setNumberOfCallLinkInfos):
1859         (JSC::CodeBlock::numberOfCallLinkInfos):
1860         * bytecompiler/BytecodeGenerator.cpp:
1861         (JSC::BytecodeGenerator::emitCall):
1862         (JSC::BytecodeGenerator::emitConstruct):
1863         * dfg/DFGAliasTracker.h:
1864         (JSC::DFG::AliasTracker::lookupGetByVal):
1865         (JSC::DFG::AliasTracker::recordCall):
1866         (JSC::DFG::AliasTracker::equalIgnoringLaterNumericConversion):
1867         * dfg/DFGByteCodeParser.cpp:
1868         (JSC::DFG::ByteCodeParser::ByteCodeParser):
1869         (JSC::DFG::ByteCodeParser::getLocal):
1870         (JSC::DFG::ByteCodeParser::getArgument):
1871         (JSC::DFG::ByteCodeParser::toInt32):
1872         (JSC::DFG::ByteCodeParser::addToGraph):
1873         (JSC::DFG::ByteCodeParser::addVarArgChild):
1874         (JSC::DFG::ByteCodeParser::predictInt32):
1875         (JSC::DFG::ByteCodeParser::parseBlock):
1876         (JSC::DFG::ByteCodeParser::processPhiStack):
1877         (JSC::DFG::ByteCodeParser::allocateVirtualRegisters):
1878         * dfg/DFGGraph.cpp:
1879         (JSC::DFG::Graph::opName):
1880         (JSC::DFG::Graph::dump):
1881         (JSC::DFG::Graph::refChildren):
1882         * dfg/DFGGraph.h:
1883         * dfg/DFGJITCodeGenerator.cpp:
1884         (JSC::DFG::JITCodeGenerator::useChildren):
1885         (JSC::DFG::JITCodeGenerator::emitCall):
1886         * dfg/DFGJITCodeGenerator.h:
1887         (JSC::DFG::JITCodeGenerator::addressOfCallData):
1888         * dfg/DFGJITCompiler.cpp:
1889         (JSC::DFG::JITCompiler::compileFunction):
1890         * dfg/DFGJITCompiler.h:
1891         (JSC::DFG::CallRecord::CallRecord):
1892         (JSC::DFG::JITCompiler::notifyCall):
1893         (JSC::DFG::JITCompiler::appendCallWithFastExceptionCheck):
1894         (JSC::DFG::JITCompiler::addJSCall):
1895         (JSC::DFG::JITCompiler::PropertyAccessRecord::PropertyAccessRecord):
1896         (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
1897         * dfg/DFGNode.h:
1898         (JSC::DFG::Node::Node):
1899         (JSC::DFG::Node::child1):
1900         (JSC::DFG::Node::child2):
1901         (JSC::DFG::Node::child3):
1902         (JSC::DFG::Node::firstChild):
1903         (JSC::DFG::Node::numChildren):
1904         * dfg/DFGNonSpeculativeJIT.cpp:
1905         (JSC::DFG::NonSpeculativeJIT::basicArithOp):
1906         (JSC::DFG::NonSpeculativeJIT::compare):
1907         (JSC::DFG::NonSpeculativeJIT::compile):
1908         * dfg/DFGOperations.cpp:
1909         * dfg/DFGOperations.h:
1910         * dfg/DFGRepatch.cpp:
1911         (JSC::DFG::dfgLinkCall):
1912         * dfg/DFGRepatch.h:
1913         * dfg/DFGSpeculativeJIT.cpp:
1914         (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
1915         (JSC::DFG::SpeculativeJIT::compilePeepHoleCall):
1916         (JSC::DFG::SpeculativeJIT::compile):
1917         * dfg/DFGSpeculativeJIT.h:
1918         (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
1919         * interpreter/CallFrame.h:
1920         (JSC::ExecState::calleeAsValue):
1921         * jit/JIT.cpp:
1922         (JSC::JIT::JIT):
1923         (JSC::JIT::privateCompileMainPass):
1924         (JSC::JIT::privateCompileSlowCases):
1925         (JSC::JIT::privateCompile):
1926         (JSC::JIT::linkCall):
1927         (JSC::JIT::linkConstruct):
1928         * jit/JITCall.cpp:
1929         (JSC::JIT::compileOpCall):
1930         * jit/JITCode.h:
1931         (JSC::JITCode::JITCode):
1932         (JSC::JITCode::jitType):
1933         (JSC::JITCode::HostFunction):
1934         * runtime/JSFunction.h:
1935         * runtime/JSGlobalData.h:
1936
1937 2011-07-05  Oliver Hunt  <oliver@apple.com>
1938
1939         Initialize new MarkStack member
1940
1941         * heap/MarkStack.h:
1942         (JSC::MarkStack::MarkStack):
1943
1944 2011-07-05  Oliver Hunt  <oliver@apple.com>
1945
1946         Don't throw out compiled code repeatedly
1947         https://bugs.webkit.org/show_bug.cgi?id=63960
1948
1949         Reviewed by Gavin Barraclough.
1950
1951         Stop throwing away all compiled code every time
1952         we're told to do a full GC.  Instead unlink all
1953         callsites during such GC passes to maximise the
1954         number of collectable functions, but otherwise
1955         leave compiled functions alone.
1956
1957         * API/JSBase.cpp:
1958         (JSGarbageCollect):
1959         * bytecode/CodeBlock.cpp:
1960         (JSC::CodeBlock::visitAggregate):
1961         * heap/Heap.cpp:
1962         (JSC::Heap::collectAllGarbage):
1963         * heap/MarkStack.h:
1964         (JSC::MarkStack::shouldUnlinkCalls):
1965         (JSC::MarkStack::setShouldUnlinkCalls):
1966         * runtime/JSGlobalData.cpp:
1967         (JSC::JSGlobalData::recompileAllJSFunctions):
1968         (JSC::JSGlobalData::releaseExecutableMemory):
1969         * runtime/RegExp.cpp:
1970         (JSC::RegExp::compile):
1971         (JSC::RegExp::invalidateCode):
1972         * runtime/RegExp.h:
1973
1974 2011-07-05  Filip Pizlo  <fpizlo@apple.com>
1975
1976         JSC JIT has code duplication for the handling of call and construct
1977         https://bugs.webkit.org/show_bug.cgi?id=63957
1978
1979         Reviewed by Gavin Barraclough.
1980
1981         * jit/JIT.cpp:
1982         (JSC::JIT::linkFor):
1983         * jit/JIT.h:
1984         * jit/JITStubs.cpp:
1985         (JSC::jitCompileFor):
1986         (JSC::DEFINE_STUB_FUNCTION):
1987         (JSC::arityCheckFor):
1988         (JSC::lazyLinkFor):
1989         * runtime/Executable.h:
1990         (JSC::ExecutableBase::generatedJITCodeFor):
1991         (JSC::FunctionExecutable::compileFor):
1992         (JSC::FunctionExecutable::isGeneratedFor):
1993         (JSC::FunctionExecutable::generatedBytecodeFor):
1994         (JSC::FunctionExecutable::generatedJITCodeWithArityCheckFor):
1995
1996 2011-07-05  Gavin Barraclough  <barraclough@apple.com>
1997
1998         Build fix following last patch.
1999
2000         * runtime/JSFunction.cpp:
2001         (JSC::createPrototypeProperty):
2002
2003 2011-07-05  Gavin Barraclough  <barraclough@apple.com>
2004
2005         https://bugs.webkit.org/show_bug.cgi?id=63947
2006         ASSERT running Object.preventExtensions(Math.sin)
2007
2008         Reviewed by Oliver Hunt.
2009
2010         This is due to calling scope() on a hostFunction as a part of
2011         calling createPrototypeProperty to reify the prototype property.
2012         But host functions don't have a prototype property anyway!
2013
2014         Prevent calling createPrototypeProperty on a host function.
2015
2016         * runtime/JSFunction.cpp:
2017         (JSC::JSFunction::createPrototypeProperty):
2018         (JSC::JSFunction::preventExtensions):
2019
2020 2011-07-04  Gavin Barraclough  <barraclough@apple.com>
2021
2022         https://bugs.webkit.org/show_bug.cgi?id=63880
2023         Evaluation order of conversions of operands to >, >= incorrect.
2024
2025         Reviewed by Sam Weinig.
2026
2027         Add 'leftFirst' parameter to jsLess, jsLessEq matching that described in the ES5
2028         spec. This allows these methods to be reused to perform >, >= relational compares
2029         with correct ordering of type conversions.
2030
2031         * dfg/DFGOperations.cpp:
2032         * interpreter/Interpreter.cpp:
2033         (JSC::Interpreter::privateExecute):
2034         * jit/JITStubs.cpp:
2035         (JSC::DEFINE_STUB_FUNCTION):
2036         * runtime/Operations.h:
2037         (JSC::jsLess):
2038         (JSC::jsLessEq):
2039
2040 2011-07-04  Gavin Barraclough  <barraclough@apple.com>
2041
2042         Reviewed by Sam Weinig.
2043
2044         https://bugs.webkit.org/show_bug.cgi?id=16652
2045         Firefox and JavaScriptCore differ in Number.toString(integer)
2046
2047         Our arbitrary radix (2..36) toString conversion is inaccurate.
2048         This is partly because it uses doubles to perform math that requires
2049         higher accuracy, and partly because it does not attempt to correctly
2050         detect where to terminate, instead relying on a simple 'epsilon'.
2051
2052         * runtime/NumberPrototype.cpp:
2053         (JSC::decomposeDouble):
2054             - helper function to extract sign, exponent, mantissa from IEEE doubles.
2055         (JSC::Uint16WithFraction::Uint16WithFraction):
2056             - helper class, u16int with infinite precision fraction, used to convert
2057               the fractional part of the number to a string.
2058         (JSC::Uint16WithFraction::operator*=):
2059             - Multiply by a uint16.
2060         (JSC::Uint16WithFraction::operator<):
2061             - Compare two Uint16WithFractions.
2062         (JSC::Uint16WithFraction::floorAndSubtract):
2063             - Extract the integer portion of the number, and subtract it (clears the integer portion).
2064         (JSC::Uint16WithFraction::comparePoint5):
2065             - Compare to 0.5.
2066         (JSC::Uint16WithFraction::sumGreaterThanOne):
2067             - Passed a second Uint16WithFraction, returns true if the result of adding
2068               the two values would be greater than one.
2069         (JSC::Uint16WithFraction::isNormalized):
2070             - Used by ASSERTs to consistency check internal representation.
2071         (JSC::BigInteger::BigInteger):
2072             - helper class, unbounded integer value, used to convert the integer part
2073               of the number to a string.
2074         (JSC::BigInteger::divide):
2075             - Divide this value through by a uint32.
2076         (JSC::BigInteger::operator!):
2077             - test for zero.
2078         (JSC::toStringWithRadix):
2079             - Performs number to string conversion, with the given radix (2..36).
2080         (JSC::numberProtoFuncToString):
2081             - Changed to use toStringWithRadix.
2082
2083 2011-07-04  Gavin Barraclough  <barraclough@apple.com>
2084
2085         https://bugs.webkit.org/show_bug.cgi?id=63881
2086         Need separate bytecodes for handling >, >= comparisons.
2087
2088         Reviewed by Oliver Hunt.
2089
2090         This clears the way to fix Bug#63880. We currently handle greater-than comparisons
2091         as using the corresponding op_less, etc opcodes.  This is incorrect with
2092         respect to evaluation ordering of the implicit conversions performed on operands -
2093         we should be calling ToPrimitive on the LHS and RHS operands to the greater than,
2094         but instead convert RHS then LHS.
2095
2096         This patch adds opcodes for greater-than comparisons mirroring existing ones used
2097         for less-than.
2098
2099         * bytecode/CodeBlock.cpp:
2100         (JSC::CodeBlock::dump):
2101         * bytecode/Opcode.h:
2102         * bytecompiler/BytecodeGenerator.cpp:
2103         (JSC::BytecodeGenerator::emitJumpIfTrue):
2104         (JSC::BytecodeGenerator::emitJumpIfFalse):
2105         * bytecompiler/NodesCodegen.cpp:
2106         * dfg/DFGByteCodeParser.cpp:
2107         (JSC::DFG::ByteCodeParser::parseBlock):
2108         * dfg/DFGNode.h:
2109         * dfg/DFGNonSpeculativeJIT.cpp:
2110         (JSC::DFG::NonSpeculativeJIT::compare):
2111         (JSC::DFG::NonSpeculativeJIT::compile):
2112         * dfg/DFGNonSpeculativeJIT.h:
2113         * dfg/DFGOperations.cpp:
2114         * dfg/DFGOperations.h:
2115         * dfg/DFGSpeculativeJIT.cpp:
2116         (JSC::DFG::SpeculativeJIT::compare):
2117         (JSC::DFG::SpeculativeJIT::compile):
2118         * dfg/DFGSpeculativeJIT.h:
2119         * interpreter/Interpreter.cpp:
2120         (JSC::Interpreter::privateExecute):
2121         * jit/JIT.cpp:
2122         (JSC::JIT::privateCompileMainPass):
2123         (JSC::JIT::privateCompileSlowCases):
2124         * jit/JIT.h:
2125         (JSC::JIT::emit_op_loop_if_greater):
2126         (JSC::JIT::emitSlow_op_loop_if_greater):
2127         (JSC::JIT::emit_op_loop_if_greatereq):
2128         (JSC::JIT::emitSlow_op_loop_if_greatereq):
2129         * jit/JITArithmetic.cpp:
2130         (JSC::JIT::emit_op_jgreater):
2131         (JSC::JIT::emit_op_jgreatereq):
2132         (JSC::JIT::emit_op_jngreater):
2133         (JSC::JIT::emit_op_jngreatereq):
2134         (JSC::JIT::emitSlow_op_jgreater):
2135         (JSC::JIT::emitSlow_op_jgreatereq):
2136         (JSC::JIT::emitSlow_op_jngreater):
2137         (JSC::JIT::emitSlow_op_jngreatereq):
2138         (JSC::JIT::emit_compareAndJumpSlow):
2139         * jit/JITArithmetic32_64.cpp:
2140         (JSC::JIT::emitBinaryDoubleOp):
2141         * jit/JITStubs.cpp:
2142         (JSC::DEFINE_STUB_FUNCTION):
2143         * jit/JITStubs.h:
2144         * parser/NodeConstructors.h:
2145         (JSC::GreaterNode::GreaterNode):
2146         (JSC::GreaterEqNode::GreaterEqNode):
2147         * parser/Nodes.h:
2148
2149 2011-07-03  Gavin Barraclough  <barraclough@apple.com>
2150
2151         https://bugs.webkit.org/show_bug.cgi?id=63879
2152         Reduce code duplication for op_jless, op_jlesseq, op_jnless, op_jnlesseq.
2153
2154         Reviewed by Sam Weinig.
2155         
2156         There is a lot of copy & paste code here; we can reduce duplication by making
2157         a shared implementation.
2158
2159         * assembler/MacroAssembler.h:
2160         (JSC::MacroAssembler::branch32):
2161         (JSC::MacroAssembler::commute):
2162             - Make these function platform agnostic.
2163         * assembler/MacroAssemblerX86Common.h:
2164             - Moved branch32/commute up to MacroAssembler.
2165         * jit/JIT.h:
2166         (JSC::JIT::emit_op_loop_if_lesseq):
2167         (JSC::JIT::emitSlow_op_loop_if_lesseq):
2168             - Add an implementation matching that for op_loop_if_less, which just calls op_jless.
2169         * jit/JITArithmetic.cpp:
2170         (JSC::JIT::emit_op_jless):
2171         (JSC::JIT::emit_op_jlesseq):
2172         (JSC::JIT::emit_op_jnless):
2173         (JSC::JIT::emit_op_jnlesseq):
2174         (JSC::JIT::emitSlow_op_jless):
2175         (JSC::JIT::emitSlow_op_jlesseq):
2176         (JSC::JIT::emitSlow_op_jnless):
2177         (JSC::JIT::emitSlow_op_jnlesseq):
2178             - Common implementations of these methods for JSVALUE64 & JSVALUE32_64.
2179         (JSC::JIT::emit_compareAndJump):
2180         (JSC::JIT::emit_compareAndJumpSlow):
2181             - Internal implementation of jless etc. for JSVALUE64.
2182         * jit/JITArithmetic32_64.cpp:
2183         (JSC::JIT::emit_compareAndJump):
2184         (JSC::JIT::emit_compareAndJumpSlow):
2185             - Internal implementation of jless etc. for JSVALUE32_64.
2186         * jit/JITOpcodes.cpp:
2187         * jit/JITOpcodes32_64.cpp:
2188         * jit/JITStubs.cpp:
2189         * jit/JITStubs.h:
2190             - Remove old implementation of emit_op_loop_if_lesseq.
2191
2192 2011-07-03  Sheriff Bot  <webkit.review.bot@gmail.com>
2193
2194         Unreviewed, rolling out r90347.
2195         http://trac.webkit.org/changeset/90347
2196         https://bugs.webkit.org/show_bug.cgi?id=63886
2197
2198         Build breaks on Leopard, Chromium-win, WinCairo, and WinCE.
2199         (Requested by tkent on #webkit).
2200
2201         * JavaScriptCore.xcodeproj/project.pbxproj:
2202         * runtime/BigInteger.h: Removed.
2203         * runtime/NumberPrototype.cpp:
2204         (JSC::numberProtoFuncToPrecision):
2205         (JSC::numberProtoFuncToString):
2206         * runtime/Uint16WithFraction.h: Removed.
2207         * wtf/MathExtras.h:
2208
2209 2011-06-30  Gavin Barraclough  <barraclough@apple.com>
2210
2211         Reviewed by Sam Weinig.
2212
2213         https://bugs.webkit.org/show_bug.cgi?id=16652
2214         Firefox and JavaScriptCore differ in Number.toString(integer)
2215
2216         Our arbitrary radix (2..36) toString conversion is inaccurate.
2217         This is partly because it uses doubles to perform math that requires
2218         higher accuracy, and partly because it does not attempt to correctly
2219         detect where to terminate, instead relying on a simple 'epsilon'.
2220
2221         * runtime/NumberPrototype.cpp:
2222         (JSC::decomposeDouble):
2223             - helper function to extract sign, exponent, mantissa from IEEE doubles.
2224         (JSC::Uint16WithFraction::Uint16WithFraction):
2225             - helper class, u16int with infinite precision fraction, used to convert
2226               the fractional part of the number to a string.
2227         (JSC::Uint16WithFraction::operator*=):
2228             - Multiply by a uint16.
2229         (JSC::Uint16WithFraction::operator<):
2230             - Compare two Uint16WithFractions.
2231         (JSC::Uint16WithFraction::floorAndSubtract):
2232             - Extract the integer portion of the number, and subtract it (clears the integer portion).
2233         (JSC::Uint16WithFraction::comparePoint5):
2234             - Compare to 0.5.
2235         (JSC::Uint16WithFraction::sumGreaterThanOne):
2236             - Passed a second Uint16WithFraction, returns true if the result of adding
2237               the two values would be greater than one.
2238         (JSC::Uint16WithFraction::isNormalized):
2239             - Used by ASSERTs to consistency check internal representation.
2240         (JSC::BigInteger::BigInteger):
2241             - helper class, unbounded integer value, used to convert the integer part
2242               of the number to a string.
2243         (JSC::BigInteger::divide):
2244             - Divide this value through by a uint32.
2245         (JSC::BigInteger::operator!):
2246             - test for zero.
2247         (JSC::toStringWithRadix):
2248             - Performs number to string conversion, with the given radix (2..36).
2249         (JSC::numberProtoFuncToString):
2250             - Changed to use toStringWithRadix.
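
As an added illustration of the conversion this entry describes (example code written for this page, not JSC's own implementation), the C++ below decomposes the double into sign, exponent and mantissa as decomposeDouble is described, converts the integer part by repeated division of a small bignum (the BigInteger::divide step) and the fraction by repeated multiplication with the carry as the next digit (the Uint16WithFraction steps). The one deliberate simplification, marked in the code, is that it prints the exact expansion up to a digit cap instead of JSC's shortest-round-trip termination rule, which is exactly why the output for 0.1 runs to 55 decimal digits.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Little-endian base-2^32 limbs: a stand-in for the BigInteger and
// Uint16WithFraction helpers described above (hypothetical, not JSC's code).
typedef std::vector<uint32_t> Limbs;

static Limbs fromU64(uint64_t v) { return Limbs{ uint32_t(v), uint32_t(v >> 32) }; }

// Drop high zero limbs so that an empty vector means zero.
static void trim(Limbs& n)
{
    while (!n.empty() && !n.back())
        n.pop_back();
}

// Multiply in place by a small factor (the Uint16WithFraction::operator*= step).
static void mulSmall(Limbs& n, uint32_t m)
{
    uint64_t carry = 0;
    for (size_t i = 0; i < n.size(); ++i) {
        uint64_t p = uint64_t(n[i]) * m + carry;
        n[i] = uint32_t(p);
        carry = p >> 32;
    }
    if (carry) n.push_back(uint32_t(carry));
}

// Divide in place by a small divisor and return the remainder (the BigInteger::divide step).
static uint32_t divSmall(Limbs& n, uint32_t d)
{
    uint64_t rem = 0;
    for (size_t i = n.size(); i-- > 0;) {
        uint64_t cur = (rem << 32) | n[i];
        n[i] = uint32_t(cur / d);
        rem = cur % d;
    }
    trim(n);
    return uint32_t(rem);
}

// Split an IEEE-754 double so that |value| == mantissa * 2^exponent (decomposeDouble).
static void decomposeDouble(double value, bool& sign, int& exponent, uint64_t& mantissa)
{
    uint64_t bits;
    std::memcpy(&bits, &value, sizeof bits);
    sign = bits >> 63;
    int biased = int((bits >> 52) & 0x7ff);
    mantissa = bits & ((uint64_t(1) << 52) - 1);
    if (!biased)
        exponent = -1074; // zero or subnormal: no implicit leading 1
    else {
        mantissa |= uint64_t(1) << 52;
        exponent = biased - 1075; // 1023 bias plus 52 fraction bits
    }
}

// Exact conversion of a finite double to radix 2..36. Simplification versus JSC: emits the
// full exact expansion up to maxFractionDigits instead of the shortest round-tripping string,
// so odd radices (where a dyadic fraction never terminates) are simply truncated.
static std::string toStringWithRadix(double value, uint32_t radix, size_t maxFractionDigits = 1100)
{
    static const char digitChars[] = "0123456789abcdefghijklmnopqrstuvwxyz";
    bool sign; int exponent; uint64_t mantissa;
    decomposeDouble(value, sign, exponent, mantissa);
    if (!mantissa) return "0";
    Limbs integer, fraction; // fraction is a numerator over 2^(32 * limbs)
    size_t limbs = 0;
    if (exponent >= 0) {
        integer = fromU64(mantissa);
        for (int i = 0; i < exponent; ++i)
            mulSmall(integer, 2);
    } else {
        unsigned k = unsigned(-exponent); // number of bits below the binary point
        integer = fromU64(k >= 64 ? 0 : mantissa >> k);
        fraction = fromU64(k >= 64 ? mantissa : mantissa & ((uint64_t(1) << k) - 1));
        limbs = (k + 31) / 32;
        mulSmall(fraction, uint32_t(1) << (32 * limbs - k)); // rescale to 2^(32 * limbs)
        fraction.resize(limbs, 0);
        trim(fraction);
    }
    trim(integer);
    // Integer part: repeated division by the radix yields digits least significant first.
    std::string intDigits;
    while (!integer.empty())
        intDigits += digitChars[divSmall(integer, radix)];
    std::string out = sign ? "-" : "";
    out += intDigits.empty() ? std::string("0") : std::string(intDigits.rbegin(), intDigits.rend());
    // Fraction part: multiply by the radix; a carry past the top limb is the next digit
    // (floorAndSubtract). Stop when the remainder is exactly zero or the cap is reached.
    if (!fraction.empty()) out += '.';
    for (size_t n = 0; n < maxFractionDigits && !fraction.empty(); ++n) {
        mulSmall(fraction, radix);
        uint32_t digit = fraction.size() > limbs ? fraction.back() : 0;
        if (fraction.size() > limbs) fraction.pop_back();
        trim(fraction);
        out += digitChars[digit];
    }
    return out;
}
```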
2251
2252 2011-07-02  Gavin Barraclough  <barraclough@apple.com>
2253
2254         https://bugs.webkit.org/show_bug.cgi?id=63866
2255         DFG JIT - implement instanceof
2256
2257         Reviewed by Sam Weinig.
2258
2259         Add ops CheckHasInstance & InstanceOf to implement bytecodes
2260         op_check_has_instance & op_instanceof. This is an initial
2261         functional implementation; performance is a wash. We can
2262         follow up with changes to fuse the InstanceOf node with
2263         a subsequent branch, as we do with other comparisons.
2264
2265         * dfg/DFGByteCodeParser.cpp:
2266         (JSC::DFG::ByteCodeParser::parseBlock):
2267         * dfg/DFGJITCompiler.cpp:
2268         (JSC::DFG::JITCompiler::jitAssertIsCell):
2269         * dfg/DFGJITCompiler.h:
2270         (JSC::DFG::JITCompiler::jitAssertIsCell):
2271         * dfg/DFGNode.h:
2272         * dfg/DFGNonSpeculativeJIT.cpp:
2273         (JSC::DFG::NonSpeculativeJIT::compile):
2274         * dfg/DFGOperations.cpp:
2275         * dfg/DFGOperations.h:
2276         * dfg/DFGSpeculativeJIT.cpp:
2277         (JSC::DFG::SpeculativeJIT::compile):
2278
2279 2011-07-01  Oliver Hunt  <oliver@apple.com>
2280
2281         IE Web Workers demo crashes in JSC::SlotVisitor::visitChildren()
2282         https://bugs.webkit.org/show_bug.cgi?id=63732
2283
2284         Reviewed by Gavin Barraclough.
2285
2286         Initialise the memory at the head of the new storage so that
2287         GC is safe if triggered by reportExtraMemoryCost.
2288
2289         * runtime/JSArray.cpp:
2290         (JSC::JSArray::increaseVectorPrefixLength):
2291
2292 2011-07-01  Oliver Hunt  <oliver@apple.com>
2293
2294         GC sweep can occur before an object is completely initialised
2295         https://bugs.webkit.org/show_bug.cgi?id=63836
2296
2297         Reviewed by Gavin Barraclough.
2298
2299         In rare cases it's possible for a GC sweep to occur while a
2300         live but not completely initialised object is on the stack.
2301         In such a case we may incorrectly choose to mark it, even
2302         though it has no children that need marking.
2303
2304         We resolve this by always zeroing out the structure of any
2305         value returned from JSCell::operator new(), and making the
2306         markstack tolerant of a null structure.
2307
2308         * runtime/JSCell.h:
2309         (JSC::JSCell::JSCell::~JSCell):
2310         (JSC::JSCell::JSCell::operator new):
2311         * runtime/Structure.h:
2312         (JSC::MarkStack::internalAppend):
2313
2314 2011-07-01  Filip Pizlo  <fpizlo@apple.com>
2315
2316         Reviewed by Gavin Barraclough.
2317
2318         DFG non-speculative JIT always performs slow C calls for div and mod.
2319         https://bugs.webkit.org/show_bug.cgi?id=63684
2320
2321         * dfg/DFGNonSpeculativeJIT.cpp:
2322         (JSC::DFG::NonSpeculativeJIT::compile):
2323
2324 2011-07-01  Juan C. Montemayor  <jmont@apple.com>
2325
2326         Reviewed by Oliver Hunt.
2327
2328         Lexer error messages are currently appalling
2329         https://bugs.webkit.org/show_bug.cgi?id=63340
2330
2331         Added error messages for the Lexer. These messages will be displayed
2332         instead of the lexer error messages from the parser that are currently
2333         shown.
2334
2335         * parser/Lexer.cpp:
2336         (JSC::Lexer::getInvalidCharMessage):
2337         (JSC::Lexer::setCode):
2338         (JSC::Lexer::parseString):
2339         (JSC::Lexer::lex):
2340         (JSC::Lexer::clear):
2341         * parser/Lexer.h:
2342         (JSC::Lexer::getErrorMessage):
2343         (JSC::Lexer::setOffset):
2344         * parser/Parser.cpp:
2345         (JSC::Parser::parse):
2346
2347 2011-07-01  Jungshik Shin  <jshin@chromium.org>
2348
2349         Reviewed by Alexey Proskuryakov.
2350
2351         Add ScriptCodesFromICU.h to wtf/unicode and make necessary changes in
2352         build files for ports not using ICU.
2353         Add icu/unicode/uscript.h for ports using ICU. It's taken from
2354         ICU 3.6 (the version used on Mac OS 10.5).
2355
2356         http://bugs.webkit.org/show_bug.cgi?id=20797
2357
2358         * GNUmakefile.list.am:
2359         * JavaScriptCore.gypi:
2360         * icu/unicode/uscript.h: Added for UScriptCode enum.
2361         * wtf/unicode/ScriptCodesFromICU.h: UScriptCode enum added.
2362         * wtf/unicode/icu/UnicodeIcu.h:
2363         * wtf/unicode/brew/UnicodeBrew.h:
2364         * wtf/unicode/glib/UnicodeGLib.h:
2365         * wtf/unicode/qt4/UnicodeQt4.h:
2366         * wtf/unicode/wince/UnicodeWinCE.h:
2367
2368 2011-07-01  Gavin Barraclough  <barraclough@apple.com>
2369
2370         Reviewed by Sam Weinig.
2371
2372         https://bugs.webkit.org/show_bug.cgi?id=63819
2373         Escaping of forwardslashes in strings incorrect if multiple exist.
2374
2375         The bug is in the parameters passed to a substring - should be
2376         start & length, but we're passing start & end indices!
2377
2378         * runtime/RegExpObject.cpp:
2379         (JSC::regExpObjectSource):
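
To show the substring-argument confusion this entry fixes, here is an added C++ example (a hypothetical reimplementation of the escaping idea, not JSC's regExpObjectSource): the buggy variant hands std::string::substr an end index where it expects a length, which happens to work for the first unescaped slash and corrupts the output from the second one on; the corrected variant passes the chunk length. It assumes that a '/' preceded by an odd run of backslashes counts as already escaped.

```cpp
#include <string>

// True when the '/' at pos is already escaped, i.e. preceded by an odd run of backslashes.
static bool isEscapedAt(const std::string& source, size_t pos)
{
    size_t backslashes = 0;
    while (backslashes < pos && source[pos - backslashes - 1] == '\\')
        ++backslashes;
    return backslashes % 2 == 1;
}

// The defect the entry describes: std::string::substr takes (start, length), but the
// second argument passed here is an end index. With lastPos == 0 the two coincide, so
// a single slash is escaped correctly; from the second slash on the copied chunk is wrong.
static std::string escapeSlashesBuggy(const std::string& source)
{
    std::string result;
    size_t lastPos = 0;
    for (size_t pos = 0; pos < source.size(); ++pos) {
        if (source[pos] != '/' || isEscapedAt(source, pos))
            continue;
        result += source.substr(lastPos, pos); // BUG: pos is an end index, not a length
        result += "\\/";
        lastPos = pos + 1;
    }
    return result + source.substr(lastPos);
}

// Corrected: pass the length of the unescaped chunk, pos - lastPos.
static std::string escapeSlashes(const std::string& source)
{
    std::string result;
    size_t lastPos = 0;
    for (size_t pos = 0; pos < source.size(); ++pos) {
        if (source[pos] != '/' || isEscapedAt(source, pos))
            continue;
        result += source.substr(lastPos, pos - lastPos);
        result += "\\/";
        lastPos = pos + 1;
    }
    return result + source.substr(lastPos);
}
```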
2380
2381 2011-07-01  Adam Roben  <aroben@apple.com>
2382
2383         Roll out r90194
2384         http://trac.webkit.org/changeset/90194
2385         https://bugs.webkit.org/show_bug.cgi?id=63778
2386
2387         Fixes <http://webkit.org/b/63812> REGRESSION (r90194): Multiple tests intermittently failing
2388         assertions in WriteBarrierBase<JSC::Structure>::get
2389
2390         * runtime/JSCell.h:
2391         (JSC::JSCell::JSCell::~JSCell):
2392
2393 2011-06-30  Oliver Hunt  <oliver@apple.com>
2394
2395         Reviewed by Gavin Barraclough.
2396
2397         Add optimised paths for a few maths functions
2398         https://bugs.webkit.org/show_bug.cgi?id=63757
2399
2400         Relanding as a Mac only patch.
2401
2402         This adds specialised thunks for Math.abs, Math.round, Math.ceil,
2403         Math.floor, Math.log, and Math.exp as they are apparently more
2404         important in real web content than we thought, which is somewhat
2405         mind-boggling.  On average doubles the performance of the common
2406         cases (e.g. actually passing numbers in).  They're not as efficient
2407         as they could be, but this way gives them the most portability.
2408
2409         * assembler/MacroAssemblerARM.h:
2410         (JSC::MacroAssemblerARM::supportsDoubleBitops):
2411         (JSC::MacroAssemblerARM::andnotDouble):
2412         * assembler/MacroAssemblerARMv7.h:
2413         (JSC::MacroAssemblerARMv7::supportsDoubleBitops):
2414         (JSC::MacroAssemblerARMv7::andnotDouble):
2415         * assembler/MacroAssemblerMIPS.h:
2416         (JSC::MacroAssemblerMIPS::andnotDouble):
2417         (JSC::MacroAssemblerMIPS::supportsDoubleBitops):
2418         * assembler/MacroAssemblerSH4.h:
2419         (JSC::MacroAssemblerSH4::supportsDoubleBitops):
2420         (JSC::MacroAssemblerSH4::andnotDouble):
2421         * assembler/MacroAssemblerX86.h:
2422         (JSC::MacroAssemblerX86::supportsDoubleBitops):
2423         * assembler/MacroAssemblerX86Common.h:
2424         (JSC::MacroAssemblerX86Common::andnotDouble):
2425         * assembler/MacroAssemblerX86_64.h:
2426         (JSC::MacroAssemblerX86_64::supportsDoubleBitops):
2427         * assembler/X86Assembler.h:
2428         (JSC::X86Assembler::andnpd_rr):
2429         * create_hash_table:
2430         * jit/SpecializedThunkJIT.h:
2431         (JSC::SpecializedThunkJIT::finalize):
2432         (JSC::SpecializedThunkJIT::callDoubleToDouble):
2433         * jit/ThunkGenerators.cpp:
2434         (JSC::floorThunkGenerator):
2435         (JSC::ceilThunkGenerator):
2436         (JSC::roundThunkGenerator):
2437         (JSC::expThunkGenerator):
2438         (JSC::logThunkGenerator):
2439         (JSC::absThunkGenerator):
2440         * jit/ThunkGenerators.h:
2441
2442 2011-07-01  David Kilzer  <ddkilzer@apple.com>
2443
2444         <http://webkit.org/b/63814> Fix clang build error in JITOpcodes32_64.cpp
2445
2446         Fixes the following build error in clang:
2447
2448             JavaScriptCore/jit/JITOpcodes32_64.cpp:741:36:{741:9-741:35}: error: operator '?:' has lower precedence than '+'; '+' will be evaluated first [-Werror,-Wparentheses,3]
2449                  map(m_bytecodeOffset + dynamic ? OPCODE_LENGTH(op_resolve_global_dynamic) : OPCODE_LENGTH(op_resolve_global), dst, regT1, regT0);
2450                      ~~~~~~~~~~~~~~~~~~~~~~~~~~ ^
2451             JavaScriptCore/jit/JITOpcodes32_64.cpp:741:36: note: place parentheses around the '+' expression to silence this warning [3]
2452                  map(m_bytecodeOffset + dynamic ? OPCODE_LENGTH(op_resolve_global_dynamic) : OPCODE_LENGTH(op_resolve_global), dst, regT1, regT0);
2453                                                 ^
2454                      (                         )
2455             fix-it:"JavaScriptCore/jit/JITOpcodes32_64.cpp":{741:9-741:9}:"("
2456             fix-it:"JavaScriptCore/jit/JITOpcodes32_64.cpp":{741:35-741:35}:")"
2457             JavaScriptCore/jit/JITOpcodes32_64.cpp:741:36:{741:28-741:94}: note: place parentheses around the '?:' expression to evaluate it first [3]
2458                  map(m_bytecodeOffset + dynamic ? OPCODE_LENGTH(op_resolve_global_dynamic) : OPCODE_LENGTH(op_resolve_global), dst, regT1, regT0);
2459                                         ~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2460             1 error generated.
2461
2462         * jit/JITOpcodes32_64.cpp:
2463         (JSC::JIT::emit_op_resolve_global): Add parentheses to make the
2464         ternary expression evaluate first.
2465
2466 2011-07-01  Sheriff Bot  <webkit.review.bot@gmail.com>
2467
2468         Unreviewed, rolling out r90177 and r90179.
2469         http://trac.webkit.org/changeset/90177
2470         http://trac.webkit.org/changeset/90179
2471         https://bugs.webkit.org/show_bug.cgi?id=63790
2472
2473         It caused crashes on Qt in debug mode (Requested by Ossy on
2474         #webkit).
2475
2476         * assembler/MacroAssemblerARM.h:
2477         (JSC::MacroAssemblerARM::rshift32):
2478         (JSC::MacroAssemblerARM::supportsFloatingPointSqrt):
2479         (JSC::MacroAssemblerARM::sqrtDouble):
2480         * assembler/MacroAssemblerARMv7.h:
2481         (JSC::MacroAssemblerARMv7::supportsFloatingPointSqrt):
2482         (JSC::MacroAssemblerARMv7::sqrtDouble):
2483         * assembler/MacroAssemblerMIPS.h:
2484         (JSC::MacroAssemblerMIPS::sqrtDouble):
2485         (JSC::MacroAssemblerMIPS::supportsFloatingPointSqrt):
2486         * assembler/MacroAssemblerSH4.h:
2487         (JSC::MacroAssemblerSH4::sqrtDouble):
2488         * assembler/MacroAssemblerX86.h:
2489         * assembler/MacroAssemblerX86Common.h:
2490         * assembler/MacroAssemblerX86_64.h:
2491         * assembler/X86Assembler.h:
2492         * create_hash_table:
2493         * jit/JSInterfaceJIT.h:
2494         (JSC::JSInterfaceJIT::emitLoadDouble):
2495         * jit/SpecializedThunkJIT.h:
2496         (JSC::SpecializedThunkJIT::finalize):
2497         * jit/ThunkGenerators.cpp:
2498         * jit/ThunkGenerators.h:
2499
2500 2011-06-30  Oliver Hunt  <oliver@apple.com>
2501
2502         Reviewed by Beth Dakin.
2503
2504         Make GC validation clear cell structure on destruction
2505         https://bugs.webkit.org/show_bug.cgi?id=63778
2506
2507         * runtime/JSCell.h:
2508         (JSC::JSCell::JSCell::~JSCell):
2509
2510 2011-06-30  Geoffrey Garen  <ggaren@apple.com>
2511
2512         Reviewed by Gavin Barraclough.
2513
2514         Added write barrier that was missing from put_by_id_transition
2515         https://bugs.webkit.org/show_bug.cgi?id=63775
2516
2517         * dfg/DFGJITCodeGenerator.cpp:
2518         (JSC::DFG::JITCodeGenerator::writeBarrier): Made this static with a
2519         MacroAssembler& argument so our patching functions could use it.
2520
2521         (JSC::DFG::JITCodeGenerator::cachedPutById):
2522         * dfg/DFGJITCodeGenerator.h:
2523         * dfg/DFGNonSpeculativeJIT.cpp:
2524         (JSC::DFG::NonSpeculativeJIT::compile): Updated for signature change.
2525
2526         * dfg/DFGRepatch.cpp:
2527         (JSC::DFG::tryCachePutByID): Missing barrier!
2528
2529         * dfg/DFGSpeculativeJIT.cpp:
2530         (JSC::DFG::SpeculativeJIT::compile): Updated for signature change.
2531
2532         * jit/JITPropertyAccess.cpp:
2533         (JSC::JIT::privateCompilePutByIdTransition):
2534         * jit/JITPropertyAccess32_64.cpp:
2535         (JSC::JIT::privateCompilePutByIdTransition):
2536         * jit/JSInterfaceJIT.h: Same game here. Removed storePtrWithWriteBarrier
2537         because its meaning isn't clear -- maybe in the future we'll have a
2538         clear way to pass all stores through a common function that guarantees
2539         a write barrier, but that's not the case right now.
2540
2541 2011-06-30  Filip Pizlo  <fpizlo@apple.com>
2542
2543         Reviewed by Gavin Barraclough.
2544
2545         DFG non-speculative JIT does not reuse registers when compiling comparisons.
2546         https://bugs.webkit.org/show_bug.cgi?id=63565
2547
2548         * dfg/DFGNonSpeculativeJIT.cpp:
2549         (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
2550         (JSC::DFG::NonSpeculativeJIT::basicArithOp):
2551         (JSC::DFG::NonSpeculativeJIT::compare):
2552
2553 2011-06-30  Geoffrey Garen  <ggaren@apple.com>
2554
2555         Reviewed by Gavin Barraclough.
2556
2557         Added empty write barrier stubs in all the right places in the DFG JIT
2558         https://bugs.webkit.org/show_bug.cgi?id=63764
2559         
2560         SunSpider thinks this might be a 0.5% speedup. Meh.
2561
2562         * dfg/DFGJITCodeGenerator.cpp:
2563         (JSC::DFG::JITCodeGenerator::writeBarrier): Le stub.
2564
2565         (JSC::DFG::JITCodeGenerator::cachedPutById): Don't do anything special
2566         for the case where base == scratch, since we now require base and scratch
2567         to be not equal, for the sake of the write barrier.
2568
2569         * dfg/DFGJITCodeGenerator.h: Le stub.
2570
2571         * dfg/DFGNonSpeculativeJIT.cpp:
2572         (JSC::DFG::NonSpeculativeJIT::compile): Don't reuse the base register
2573         as the scratch register, since that's incompatible with the write barrier,
2574         which needs a distinct base and scratch.
2575         
2576         Do put the global object into a register before loading its var storage,
2577         since it needs to be in a register for the write barrier to operate on it.
2578
2579         * dfg/DFGSpeculativeJIT.cpp:
2580         (JSC::DFG::SpeculativeJIT::compile):
2581         * jit/JITPropertyAccess.cpp:
2582         (JSC::JIT::emitWriteBarrier): Second verse, same as the first.
2583
2584         * jit/JITPropertyAccess.cpp:
2585         (JSC::JIT::emit_op_get_scoped_var):
2586         (JSC::JIT::emit_op_put_scoped_var):
2587         (JSC::JIT::emit_op_put_global_var): Deployed offsetOfRegisters() to more
2588         places.
2589
2590         (JSC::JIT::emitWriteBarrier): Added a teeny tiny ASSERT so this function
2591         is a little more than meaningless.
2592
2593         * jit/JITPropertyAccess32_64.cpp:
2594         (JSC::JIT::emit_op_get_scoped_var):
2595         (JSC::JIT::emit_op_put_scoped_var):
2596         (JSC::JIT::emit_op_put_global_var): Deployed offsetOfRegisters() to more
2597         places.
2598
2599         (JSC::JIT::emitWriteBarrier): Added a teeny tiny ASSERT so this function
2600         is a little more than meaningless.
2601
2602         * runtime/JSVariableObject.h:
2603         (JSC::JSVariableObject::offsetOfRegisters): Now used by the JIT, since
2604         we put the global object in a register and only then load its var storage
2605         by offset.
2606
2607         (JSC::JIT::emitWriteBarrier):
2608
2609 2011-06-30  Oliver Hunt  <oliver@apple.com>
2610
2611         Fix ARMv6 build
2612
2613         * assembler/MacroAssemblerARM.h:
2614         (JSC::MacroAssemblerARM::rshift32):
2615
2616 2011-06-30  Oliver Hunt  <oliver@apple.com>
2617
2618         Reviewed by Gavin Barraclough.
2619
2620         Add optimised paths for a few maths functions
2621         https://bugs.webkit.org/show_bug.cgi?id=63757
2622
2623         This adds specialised thunks for Math.abs, Math.round, Math.ceil,
2624         Math.floor, Math.log, and Math.exp as they are apparently more
2625         important in real web content than we thought, which is somewhat
2626         mind-boggling.  On average doubles the performance of the common
2627         cases (e.g. actually passing numbers in).  They're not as efficient
2628         as they could be, but this way gives them the most portability.
2629
2630         * assembler/MacroAssemblerARM.h:
2631         (JSC::MacroAssemblerARM::supportsDoubleBitops):
2632         (JSC::MacroAssemblerARM::andnotDouble):
2633         * assembler/MacroAssemblerARMv7.h:
2634         (JSC::MacroAssemblerARMv7::supportsDoubleBitops):
2635         (JSC::MacroAssemblerARMv7::andnotDouble):
2636         * assembler/MacroAssemblerMIPS.h:
2637         (JSC::MacroAssemblerMIPS::andnotDouble):
2638         (JSC::MacroAssemblerMIPS::supportsDoubleBitops):
2639         * assembler/MacroAssemblerSH4.h:
2640         (JSC::MacroAssemblerSH4::supportsDoubleBitops):
2641         (JSC::MacroAssemblerSH4::andnotDouble):
2642         * assembler/MacroAssemblerX86.h:
2643         (JSC::MacroAssemblerX86::supportsDoubleBitops):
2644         * assembler/MacroAssemblerX86Common.h:
2645         (JSC::MacroAssemblerX86Common::andnotDouble):
2646         * assembler/MacroAssemblerX86_64.h:
2647         (JSC::MacroAssemblerX86_64::supportsDoubleBitops):
2648         * assembler/X86Assembler.h:
2649         (JSC::X86Assembler::andnpd_rr):
2650         * create_hash_table:
2651         * jit/SpecializedThunkJIT.h:
2652         (JSC::SpecializedThunkJIT::finalize):
2653         (JSC::SpecializedThunkJIT::callDoubleToDouble):
2654         * jit/ThunkGenerators.cpp:
2655         (JSC::floorThunkGenerator):
2656         (JSC::ceilThunkGenerator):
2657         (JSC::roundThunkGenerator):
2658         (JSC::expThunkGenerator):
2659         (JSC::logThunkGenerator):
2660         (JSC::absThunkGenerator):
2661         * jit/ThunkGenerators.h:
2662
2663 2011-06-30  Cary Clark  <caryclark@google.com>
2664
2665         Reviewed by James Robinson.
2666
2667         Use Skia if Skia on Mac Chrome is enabled
2668         https://bugs.webkit.org/show_bug.cgi?id=62999
2669
2670         * wtf/Platform.h:
2671         Add switch to use Skia if, externally,
2672         Skia has been enabled by a gyp define.
2673
2674 2011-06-30  Juan C. Montemayor  <jmont@apple.com>
2675
2676         Reviewed by Geoffrey Garen.
2677
2678         Web Inspector fails to display source for eval with syntax error
2679         https://bugs.webkit.org/show_bug.cgi?id=63583
2680
2681         Web Inspector now displays a link to an eval statement that contains
2682         a syntax error.
2683
2684         * parser/Parser.h:
2685         (JSC::isEvalNode):
2686         (JSC::EvalNode):
2687         (JSC::Parser::parse):
2688
2689 2011-06-30  Filip Pizlo  <fpizlo@apple.com>
2690
2691         Reviewed by Gavin Barraclough.
2692
2693         X86Assembler does not encode byte registers in 64-bit mode correctly.
2694         https://bugs.webkit.org/show_bug.cgi?id=63665
2695
2696         * assembler/X86Assembler.h:
2697         (JSC::X86Assembler::testb_rr):
2698         (JSC::X86Assembler::X86InstructionFormatter::oneByteOp8):
2699
2700 2011-06-30  Sheriff Bot  <webkit.review.bot@gmail.com>
2701
2702         Unreviewed, rolling out r90102.
2703         http://trac.webkit.org/changeset/90102
2704         https://bugs.webkit.org/show_bug.cgi?id=63714
2705
2706         Lots of tests asserting beneath
2707         SVGSMILElement::findInstanceTime (Requested by aroben on
2708         #webkit).
2709
2710         * wtf/StdLibExtras.h:
2711         (WTF::binarySearch):
2712
2713 2011-06-30  Oliver Varga  <Varga.Oliver@stud.u-szeged.hu>
2714
2715         Reviewed by Nikolas Zimmermann.
2716
2717         Speed up SVGSMILElement::findInstanceTime.
2718         https://bugs.webkit.org/show_bug.cgi?id=61025
2719
2720         Add a new parameter to the StdLibExtras.h::binarySearch function
2721         to also handle cases when the array does not contain the key value.
2722         This is needed for an SVG function.
2723
2724         * wtf/StdLibExtras.h:
2725         (WTF::binarySearch):
2726
2727 2011-06-29  Gavin Barraclough  <barraclough@apple.com>
2728
2729         Reviewed by Geoff Garen.
2730
2731         https://bugs.webkit.org/show_bug.cgi?id=63669
2732         DFG JIT - fix spectral-norm regression
2733
2734         The problem is a mis-speculation leading to us falling off the speculative path.
2735         Make the speculation logic slightly smarter: don't predict int if one of the
2736         operands is already loaded as a double (we use this logic already for compares).
2737
2738         * dfg/DFGSpeculativeJIT.cpp:
2739         (JSC::DFG::SpeculativeJIT::compile):
2740         * dfg/DFGSpeculativeJIT.h:
2741         (JSC::DFG::SpeculativeJIT::shouldSpeculateInteger):
2742
2743 2011-06-29  Filip Pizlo  <fpizlo@apple.com>
2744
2745         Reviewed by Gavin Barraclough.
2746
2747         DFG JIT does not do put_by_id transition caching.
2748         https://bugs.webkit.org/show_bug.cgi?id=63662
2749
2750         * dfg/DFGJITCodeGenerator.cpp:
2751         (JSC::DFG::JITCodeGenerator::cachedPutById):
2752         * dfg/DFGJITCompiler.h:
2753         (JSC::DFG::JITCompiler::addPropertyAccess):
2754         * dfg/DFGRepatch.cpp:
2755         (JSC::DFG::testPrototype):
2756         (JSC::DFG::tryCachePutByID):
2757
2758 2011-06-29  Geoffrey Garen  <ggaren@apple.com>
2759
2760         Reviewed by Oliver Hunt.
2761
2762         Added a dummy write barrier emitting function in all the right places in the old JIT
2763         https://bugs.webkit.org/show_bug.cgi?id=63667
2764         
2765         SunSpider reports no change.
2766
2767         * jit/JIT.h:
2768         * jit/JITPropertyAccess.cpp:
2769         (JSC::JIT::emit_op_put_by_id):
2770         (JSC::JIT::emit_op_put_scoped_var): Do it.
2771
2772         (JSC::JIT::emit_op_put_global_var): Global object needs to be in a register
2773         for the sake of the write barrier.
2774
2775         (JSC::JIT::emitWriteBarrier): Empty for now. Not for long!
2776
2777         * jit/JITPropertyAccess32_64.cpp:
2778         (JSC::JIT::emit_op_put_by_val):
2779         (JSC::JIT::emit_op_put_by_id):
2780         (JSC::JIT::emit_op_put_scoped_var): Do it.
2781
2782         (JSC::JIT::emit_op_put_global_var): Global object needs to be in a register
2783         for the sake of the write barrier.
2784
2785         (JSC::JIT::emitWriteBarrier): Empty for now. Not for long!
2786
2787 2011-06-29  Filip Pizlo  <fpizlo@apple.com>
2788
2789         Reviewed by Gavin Barraclough.
2790
2791         DFG JIT does not perform get_by_id self list caching.
2792         https://bugs.webkit.org/show_bug.cgi?id=63605
2793
2794         * bytecode/StructureStubInfo.h:
2795         * dfg/DFGJITCompiler.cpp:
2796         (JSC::DFG::JITCompiler::compileFunction):
2797         * dfg/DFGOperations.cpp:
2798         * dfg/DFGOperations.h:
2799         * dfg/DFGRepatch.cpp:
2800         (JSC::DFG::tryCacheGetByID):
2801         (JSC::DFG::tryBuildGetByIDList):
2802         (JSC::DFG::dfgBuildGetByIDList):
2803         * dfg/DFGRepatch.h:
2804
2805 2011-06-28  Filip Pizlo  <fpizlo@apple.com>
2806
2807         Reviewed by Gavin Barraclough.
2808
2809         DFG JIT lacks array.length caching.
2810         https://bugs.webkit.org/show_bug.cgi?id=63505
2811
2812         * bytecode/StructureStubInfo.h:
2813         * dfg/DFGJITCodeGenerator.cpp:
2814         (JSC::DFG::JITCodeGenerator::cachedGetById):
2815         (JSC::DFG::JITCodeGenerator::cachedPutById):
2816         * dfg/DFGJITCodeGenerator.h:
2817         (JSC::DFG::JITCodeGenerator::tryAllocate):
2818         (JSC::DFG::JITCodeGenerator::selectScratchGPR):
2819         (JSC::DFG::JITCodeGenerator::silentSpillAllRegisters):
2820         * dfg/DFGJITCompiler.cpp:
2821         (JSC::DFG::JITCompiler::compileFunction):
2822         * dfg/DFGJITCompiler.h:
2823         (JSC::DFG::JITCompiler::addPropertyAccess):
2824         (JSC::DFG::JITCompiler::PropertyAccessRecord::PropertyAccessRecord):
2825         * dfg/DFGRegisterBank.h:
2826         (JSC::DFG::RegisterBank::tryAllocate):
2827         * dfg/DFGRepatch.cpp:
2828         (JSC::DFG::tryCacheGetByID):
2829
2830 2011-06-28  Pierre Rossi  <pierre.rossi@gmail.com>
2831
2832         Reviewed by Eric Seidel.
2833
2834         Warnings in JSC's JIT on 32 bit
2835         https://bugs.webkit.org/show_bug.cgi?id=63259
2836
2837         Fairly straightforward, just use ASSERT_JIT_OFFSET_UNUSED when it applies.
2838
2839         * jit/JITPropertyAccess32_64.cpp:
2840         (JSC::JIT::emit_op_method_check):
2841         (JSC::JIT::compileGetByIdHotPath):
2842         (JSC::JIT::emit_op_put_by_id):
2843
2844 2011-06-28  Sheriff Bot  <webkit.review.bot@gmail.com>
2845
2846         Unreviewed, rolling out r89968.
2847         http://trac.webkit.org/changeset/89968
2848         https://bugs.webkit.org/show_bug.cgi?id=63581
2849
2850         Broke chromium windows compile (Requested by jamesr on
2851         #webkit).
2852
2853         * wtf/Platform.h:
2854
2855 2011-06-28  Oliver Hunt  <oliver@apple.com>
2856
2857         Reviewed by Gavin Barraclough.
2858
2859         Fix sampling build
2860         https://bugs.webkit.org/show_bug.cgi?id=63579
2861
2862         Gets opcode sampling building again; it doesn't seem to work, alas.
2863
2864         * bytecode/SamplingTool.cpp:
2865         (JSC::SamplingTool::notifyOfScope):
2866         * bytecode/SamplingTool.h:
2867         (JSC::SamplingTool::SamplingTool):
2868         * interpreter/Interpreter.cpp:
2869         (JSC::Interpreter::enableSampler):
2870         * runtime/Executable.h:
2871         (JSC::ScriptExecutable::ScriptExecutable):
2872
2873 2011-06-28  Cary Clark  <caryclark@google.com>
2874
2875         Reviewed by James Robinson.
2876
2877         Use Skia if Skia on Mac Chrome is enabled
2878         https://bugs.webkit.org/show_bug.cgi?id=62999
2879
2880         * wtf/Platform.h:
2881         Add switch to use Skia if, externally,
2882         Skia has been enabled by a gyp define.
2883
2884 2011-06-28  Oliver Hunt  <oliver@apple.com>
2885
2886         Reviewed by Gavin Barraclough.
2887
2888         ASSERT when launching debug builds with interpreter and jit enabled
2889         https://bugs.webkit.org/show_bug.cgi?id=63566
2890
2891         Add appropriate guards to the various Executable's memory reporting
2892         logic.
2893
2894         * runtime/Executable.cpp:
2895         (JSC::EvalExecutable::compileInternal):
2896         (JSC::ProgramExecutable::compileInternal):
2897         (JSC::FunctionExecutable::compileForCallInternal):
2898         (JSC::FunctionExecutable::compileForConstructInternal):
2899
2900 2011-06-28  Gavin Barraclough  <barraclough@apple.com>
2901
2902         Reviewed by Oliver Hunt.
2903
2904         https://bugs.webkit.org/show_bug.cgi?id=63563
2905         DFG JIT - add support for double arith to speculative path
2906
2907         Add integer support for div & mod, add double support for div, mod,
2908         add, sub & mul, dynamically selecting based on operand types.
2909
2910         * dfg/DFGJITCodeGenerator.cpp:
2911         (JSC::DFG::FPRTemporary::FPRTemporary):
2912         * dfg/DFGJITCodeGenerator.h:
2913         * dfg/DFGJITCompiler.h:
2914         (JSC::DFG::JITCompiler::assembler):
2915         * dfg/DFGSpeculativeJIT.cpp:
2916         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2917         (JSC::DFG::SpeculativeJIT::compile):
2918         * dfg/DFGSpeculativeJIT.h:
2919         (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
2920         (JSC::DFG::SpeculateDoubleOperand::~SpeculateDoubleOperand):
2921         (JSC::DFG::SpeculateDoubleOperand::index):
2922         (JSC::DFG::SpeculateDoubleOperand::fpr):
2923
2924 2011-06-28  Oliver Hunt  <oliver@apple.com>
2925
2926         Fix interpreter build.
2927
2928         * interpreter/Interpreter.cpp:
2929         (JSC::Interpreter::privateExecute):
2930
2931 2011-06-28  Gavin Barraclough  <barraclough@apple.com>
2932
2933         Reviewed by Oliver Hunt.
2934
2935         https://bugs.webkit.org/show_bug.cgi?id=63561
2936         DFG JIT - don't always assume integer in relational compare
2937
2938         If neither operand is known integer, or either is in double representation,
2939         then at least use a function call (don't bail off the speculative path).
2940
2941         * dfg/DFGSpeculativeJIT.cpp:
2942         (JSC::DFG::SpeculativeJIT::compilePeepHoleCall):
2943         (JSC::DFG::SpeculativeJIT::compile):
2944         * dfg/DFGSpeculativeJIT.h:
2945         (JSC::DFG::SpeculativeJIT::isDataFormatDouble):
2946         (JSC::DFG::SpeculativeJIT::compareIsInteger):
2947
2948 2011-06-28  Oliver Hunt  <oliver@apple.com>
2949
2950         Reviewed by Gavin Barraclough.
2951
2952         Make constant array optimisation less strict about what constitutes a constant
2953         https://bugs.webkit.org/show_bug.cgi?id=63554
2954
2955         Now allow string constants in array literals to actually be considered constant,
2956         and so avoid codegen in array literals with strings in them.
2957
2958         * bytecode/CodeBlock.h:
2959         (JSC::CodeBlock::addConstantBuffer):
2960         (JSC::CodeBlock::constantBuffer):
2961         * bytecompiler/BytecodeGenerator.cpp:
2962         (JSC::BytecodeGenerator::addConstantBuffer):
2963         (JSC::BytecodeGenerator::addStringConstant):
2964         (JSC::BytecodeGenerator::emitNewArray):
2965         * bytecompiler/BytecodeGenerator.h:
2966         * interpreter/Interpreter.cpp:
2967         (JSC::Interpreter::privateExecute):
2968         * jit/JITStubs.cpp:
2969         (JSC::DEFINE_STUB_FUNCTION):
2970
2971 2011-06-28  Gavin Barraclough  <barraclough@apple.com>
2972
2973         Reviewed by Oliver Hunt.
2974
2975         https://bugs.webkit.org/show_bug.cgi?id=63560
2976         DFG_JIT allow allocation of specific machine registers
2977
2978         This allows us to allocate the registers necessary to perform x86
2979         idiv instructions for div/mod, and may be useful for shifts, too.
2980
2981         * dfg/DFGJITCodeGenerator.cpp:
2982         (JSC::DFG::GPRTemporary::GPRTemporary):
2983         * dfg/DFGJITCodeGenerator.h:
2984         (JSC::DFG::JITCodeGenerator::allocate):
2985         (JSC::DFG::GPRResult::GPRResult):
2986         * dfg/DFGRegisterBank.h:
2987         (JSC::DFG::RegisterBank::allocateSpecific):
2988         * dfg/DFGSpeculativeJIT.h:
2989         (JSC::DFG::SpeculativeJIT::isInteger):
2990
2991 2011-06-28  Gavin Barraclough  <barraclough@apple.com>
2992
2993         Reviewed by Oliver Hunt.
2994
2995         https://bugs.webkit.org/show_bug.cgi?id=55040
2996         RegExp constructor returns the argument regexp instead of a new object
2997
2998         Per 15.10.3.1, our current behaviour is correct if called as a function,
2999         but incorrect when called as a constructor.
3000
3001         * runtime/RegExpConstructor.cpp:
3002         (JSC::constructRegExp):
3003         (JSC::constructWithRegExpConstructor):
3004         * runtime/RegExpConstructor.h:
3005
3006 2011-06-28  Luke Macpherson   <macpherson@chromium.org>
3007
3008         Reviewed by Darin Adler.
3009
3010         Clean up integer clamping functions in MathExtras.h and support arbitrary numeric types and limits.
3011         https://bugs.webkit.org/show_bug.cgi?id=63469
3012
3013         * wtf/MathExtras.h:
3014         (defaultMinimumForClamp):
3015         Version of std::numeric_limits::min() that returns the largest negative value for floating point types.
3016         (defaultMaximumForClamp):
3017         Symmetric alias for std::numeric_limits::max()
3018         (clampTo):
3019         New templated clamping function that supports arbitrary output types.
3020         (clampToInteger):
3021         Use new clampTo template.
3022         (clampToFloat):
3023         Use new clampTo template.
3024         (clampToPositiveInteger):
3025         Use new clampTo template.
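
The pitfall behind `defaultMinimumForClamp` is easy to miss: for floating-point types `std::numeric_limits<T>::min()` is the smallest positive normal value, not the most negative one, so a clamp built on it silently rejects every negative input. The following is an added, stand-alone model of the helpers this entry names; it is not WTF's MathExtras.h, and its NaN handling (mapping NaN to zero) is a choice made for the example.

```cpp
#include <cmath>
#include <limits>

// Added illustration of the helpers named in this entry; it is not WTF's
// MathExtras.h, only a stand-alone model of the behaviour described.

// For floating-point types std::numeric_limits<T>::min() is the smallest
// *positive* normal value, so a clamp built on it would reject every negative
// input. Integer types keep min(); floating types use the most negative finite
// value. (C++11's numeric_limits<T>::lowest() does the same in one call.)
template<typename T>
T defaultMinimumForClamp()
{
    return std::numeric_limits<T>::is_integer
        ? std::numeric_limits<T>::min()
        : -std::numeric_limits<T>::max();
}

// Symmetric alias kept so call sites read min/max in the same style.
template<typename T>
T defaultMaximumForClamp()
{
    return std::numeric_limits<T>::max();
}

// Clamp a double into the range of T and convert. Comparing in double space
// before the cast is what keeps the conversion itself in range; a bare
// static_cast of an out-of-range double to an integer type is undefined.
template<typename T>
T clampTo(double value, T min = defaultMinimumForClamp<T>(), T max = defaultMaximumForClamp<T>())
{
    // NaN compares false against everything and would reach the cast; this
    // example maps it to T(0) (an assumption of the example, not WTF's rule).
    if (std::isnan(value))
        return T(0);
    if (value >= static_cast<double>(max))
        return max;
    if (value <= static_cast<double>(min))
        return min;
    return static_cast<T>(value);
}

// The three call sites the entry lists, expressed through the template.
int clampToInteger(double value) { return clampTo<int>(value); }
float clampToFloat(double value) { return clampTo<float>(value); }
int clampToPositiveInteger(double value) { return clampTo<int>(value, 0); }
```

The two comparisons run in `double`, so a value just past the range of `T` is caught before `static_cast` sees it; that is the whole reason the template exists rather than a cast at each call site.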
3026
3027 2011-06-28  Adam Roben  <aroben@apple.com>
3028
3029         Windows Debug build fix after r89885
3030
3031         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Exported
3032         JSGlobalData::releaseExecutableMemory for jsc.exe's benefit.
3033
3034 2011-06-28  Shinya Kawanaka  <shinyak@google.com>
3035
3036         Reviewed by Kent Tamura.
3037
3038         Add const to show() method in WTFString and AtomicString.
3039         https://bugs.webkit.org/show_bug.cgi?id=63515
3040
3041         The lack of const in show() method is painful when
3042         doing something like printf-debug.
3043
3044         * wtf/text/AtomicString.cpp:
3045         (WTF::AtomicString::show):
3046         * wtf/text/AtomicString.h:
3047         * wtf/text/WTFString.cpp:
3048         (String::show):
3049         * wtf/text/WTFString.h:
3050
3051 2011-06-27  Ryosuke Niwa  <rniwa@webkit.org>
3052
3053         Build fix attempt after r89885.
3054
3055         * JavaScriptCore.exp:
3056         * jsc.cpp:
3057
3058 2011-06-27  Oliver Hunt  <oliver@apple.com>
3059
3060         Reviewed by Geoffrey Garen.
3061
3062         Support throwing away non-running code even while other code is running
3063         https://bugs.webkit.org/show_bug.cgi?id=63485
3064
3065         Add a function to CodeBlock to support unlinking direct linked callsites,
3066         and then with that in place add logic to discard code from any function
3067         that is not currently on the stack.
3068
3069         The unlinking completely reverts any optimized call sites, such that they
3070         may be relinked again in future.
3071
3072         * JavaScriptCore.exp:
3073         * bytecode/CodeBlock.cpp:
3074         (JSC::CodeBlock::unlinkCalls):
3075         (JSC::CodeBlock::clearEvalCache):
3076         * bytecode/CodeBlock.h:
3077         (JSC::CallLinkInfo::CallLinkInfo):
3078         (JSC::CallLinkInfo::unlink):
3079         * bytecode/EvalCodeCache.h:
3080         (JSC::EvalCodeCache::clear):
3081         * heap/Heap.cpp:
3082         (JSC::Heap::getConservativeRegisterRoots):
3083         * heap/Heap.h:
3084         * jit/JIT.cpp:
3085         (JSC::JIT::privateCompile):
3086         * jit/JIT.h:
3087         * jit/JITCall.cpp:
3088         (JSC::JIT::compileOpCall):
3089         * jit/JITWriteBarrier.h:
3090         (JSC::JITWriteBarrierBase::clear):
3091         * jsc.cpp:
3092         (GlobalObject::GlobalObject):
3093         (functionReleaseExecutableMemory):
3094         * runtime/Executable.cpp:
3095         (JSC::EvalExecutable::unlinkCalls):
3096         (JSC::ProgramExecutable::unlinkCalls):
3097         (JSC::FunctionExecutable::discardCode):
3098         (JSC::FunctionExecutable::unlinkCalls):
3099         * runtime/Executable.h:
3100         * runtime/JSGlobalData.cpp:
3101         (JSC::SafeRecompiler::returnValue):
3102         (JSC::SafeRecompiler::operator()):
3103         (JSC::JSGlobalData::releaseExecutableMemory):
3104
3105 2011-06-27  Gavin Barraclough  <barraclough@apple.com>
3106
3107         Reviewed by Darin Adler & Oliver Hunt.
3108
3109         https://bugs.webkit.org/show_bug.cgi?id=50554
3110         RegExp.prototype.toString does not escape slashes
3111
3112         The problem here is that we don't escape forwards slashes when converting
3113         a RegExp to a string. This means that RegExp("/").toString() is "///",
3114         which is not a valid RegExp literal. Also, we return an invalid literal
3115         for RegExp.prototype.toString() ("//", which is an empty single-line comment).
3116
3117         From ES5:
3118         "NOTE: The returned String has the form of a RegularExpressionLiteral that
3119         evaluates to another RegExp object with the same behaviour as this object."
3120
3121         * runtime/RegExpObject.cpp:
3122         (JSC::regExpObjectSource):
3123             - Escape forward slashes when getting the source of a RegExp.
3124         * runtime/RegExpPrototype.cpp:
3125         (JSC::regExpProtoFuncToString):
3126             - Remove unnecessary and erroneous hack to return "//" as the string
3127             representation of RegExp.prototype. This is not a valid RegExp literal
3128             (it is an empty single-line comment).
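
The fix above comes down to one rule: the text between the slashes of the serialised form must not itself contain an unescaped `/`, or the result stops being a RegularExpressionLiteral. The following is an added, stand-alone C++ model of that escaping; it is not JSC's `regExpObjectSource`, and its treatment of an empty pattern (spelling it `(?:)`, the convention ES2015 later adopted) is an assumption of the example.

```cpp
#include <string>

// Added illustration, not JSC's regExpObjectSource: return a copy of a RegExp's
// pattern text in which every unescaped '/' is written as "\/", so that
// "/" + source + "/" + flags is a valid RegularExpressionLiteral.
std::string escapedRegExpSource(const std::string& source)
{
    // An empty pattern would serialise as "//", which parses as a line comment.
    // This example follows the ES2015 convention and spells it "(?:)".
    if (source.empty())
        return "(?:)";

    std::string out;
    out.reserve(source.size() + 4);
    bool afterBackslash = false;
    for (char c : source) {
        if (afterBackslash) {
            // Whatever follows a backslash is already an escape; copy it through.
            out.push_back(c);
            afterBackslash = false;
            continue;
        }
        if (c == '\\') {
            out.push_back(c);
            afterBackslash = true;
            continue;
        }
        if (c == '/') {
            out += "\\/";
            continue;
        }
        out.push_back(c);
    }
    return out;
}

// Serialise pattern + flags the way RegExp.prototype.toString is expected to.
std::string regExpLiteral(const std::string& source, const std::string& flags)
{
    return "/" + escapedRegExpSource(source) + "/" + flags;
}
```

Escaping a slash that sits inside a character class is harmless (`[\/]` still matches `/`), so the routine does not need to track class boundaries; it only has to avoid double-escaping a slash that was already written as `\/`.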
3129
3130 2011-06-27  Gavin Barraclough  <barraclough@apple.com>
3131
3132         Reviewed by Oliver Hunt.
3133
3134         https://bugs.webkit.org/show_bug.cgi?id=63497
3135         Add DEBUG_WITH_BREAKPOINT support to the DFG JIT.
3136
3137         * dfg/DFGByteCodeParser.cpp:
3138         (JSC::DFG::ByteCodeParser::parseBlock):
3139         * dfg/DFGNode.h:
3140         * dfg/DFGNonSpeculativeJIT.cpp:
3141         (JSC::DFG::NonSpeculativeJIT::compile):
3142         * dfg/DFGSpeculativeJIT.cpp:
3143         (JSC::DFG::SpeculativeJIT::compile):
3144
3145 2011-06-27  Juan C. Montemayor  <jmont@apple.com>
3146
3147         Reviewed by Mark Rowe.
3148
3149         Indirectly including TextPosition.h and XPathGrammar.h causes compile errors
3150         https://bugs.webkit.org/show_bug.cgi?id=63392
3151         
3152         When both TextPosition.h and XPathGrammar.h are included a compile-error
3153         is caused, since XPathGrammar.h defines a macro called NUMBER and 
3154         TextPosition has a typedef named NUMBER.
3155
3156         * wtf/text/TextPosition.h:
3157         (WTF::TextPosition::TextPosition):
3158         (WTF::TextPosition::minimumPosition):
3159         (WTF::TextPosition::belowRangePosition):
3160
3161 2011-06-27  Filip Pizlo  <fpizlo@apple.com>
3162
3163         Reviewed by Gavin Barraclough.
3164
3165         DFG JIT does not perform put_by_id caching.
3166         https://bugs.webkit.org/show_bug.cgi?id=63409
3167
3168         * bytecode/StructureStubInfo.h:
3169         * dfg/DFGJITCodeGenerator.cpp:
3170         (JSC::DFG::JITCodeGenerator::cachedPutById):
3171         * dfg/DFGJITCodeGenerator.h:
3172         * dfg/DFGJITCompiler.cpp:
3173         (JSC::DFG::JITCompiler::compileFunction):
3174         * dfg/DFGJITCompiler.h:
3175         (JSC::DFG::JITCompiler::addPropertyAccess):
3176         (JSC::DFG::JITCompiler::PropertyAccessRecord::PropertyAccessRecord):
3177         * dfg/DFGNonSpeculativeJIT.cpp:
3178         (JSC::DFG::NonSpeculativeJIT::compile):
3179         * dfg/DFGOperations.cpp:
3180         * dfg/DFGOperations.h:
3181         * dfg/DFGRepatch.cpp:
3182         (JSC::DFG::dfgRepatchByIdSelfAccess):
3183         (JSC::DFG::tryCacheGetByID):
3184         (JSC::DFG::appropriatePutByIdFunction):
3185         (JSC::DFG::tryCachePutByID):
3186         (JSC::DFG::dfgRepatchPutByID):
3187         * dfg/DFGRepatch.h:
3188         * dfg/DFGSpeculativeJIT.cpp:
3189         (JSC::DFG::SpeculativeJIT::compile):
3190
3191 2011-06-27  Gustavo Noronha Silva  <gns@gnome.org>
3192
3193         Unreviewed build fix. One more file missing during distcheck, for
3194         the MIPS build.
3195
3196         * GNUmakefile.list.am:
3197
3198 2011-06-26  Filip Pizlo  <fpizlo@apple.com>
3199
3200         Reviewed by Gavin Barraclough.
3201
3202         DFG non-speculative JIT has potentially harmful speculations with respect to arithmetic operations.
3203         https://bugs.webkit.org/show_bug.cgi?id=63347
3204
3205         * dfg/DFGNonSpeculativeJIT.cpp:
3206             - Changed arithmetic operations to speculate in favor of integers.
3207         (JSC::DFG::NonSpeculativeJIT::valueToNumber):
3208         (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
3209         (JSC::DFG::NonSpeculativeJIT::basicArithOp):
3210         (JSC::DFG::NonSpeculativeJIT::compile):
3211         * dfg/DFGNonSpeculativeJIT.h:
3212         * dfg/DFGOperations.cpp:
3213             - Added slow-path routines for arithmetic that perform no speculation; the
3214               non-speculative JIT will generate calls to these in cases where its
3215               speculation fails.
3216         * dfg/DFGOperations.h:
3217
3218 2011-06-24  Nikolas Zimmermann  <nzimmermann@rim.com>
3219
3220         Reviewed by Rob Buis.
3221
3222         Integrate SVG Fonts within GlyphPage concept, removing the special SVG code paths from Font, making it possible to reuse the simple text code path for SVG Fonts
3223         https://bugs.webkit.org/show_bug.cgi?id=59085
3224
3225         * wtf/Platform.h: Force Qt-EWS into a full rebuild, otherwise this patch breaks the EWS.
3226
3227 2011-06-24  Michael Saboff  <msaboff@apple.com>
3228
3229         Reviewed by Gavin Barraclough.
3230
3231         Arm Assembler, Immediate stack offset values truncated to 8 bits for add & sub
3232         https://bugs.webkit.org/show_bug.cgi?id=63345
3233
3234         The methods ARMThumbImmediate::getUInt9 and ARMThumbImmediate::getUInt10
3235         return 9 and 10 bit quantities, therefore changed their return type from
3236         uint8_t to uint16_t.  Also cast the places where they are used as they
3237         are currently shifted and used as 7 or 8 bit values.
3238
3239         These methods are currently used for literals for stack offsets, 
3240         including creating and destroying stack frames.  The prior truncation of
3241         the upper bits caused stack frames to be too small, thus allowing a
3242         JIT'ed function to access and overwrite stack space outside of the
3243         incorrectly sized stack frame.
3244
3245         * assembler/ARMv7Assembler.h:
3246         (JSC::ARMThumbImmediate::getUInt9):
3247         (JSC::ARMThumbImmediate::getUInt10):
3248         (JSC::ARMv7Assembler::add):
3249         (JSC::ARMv7Assembler::ldr):
3250         (JSC::ARMv7Assembler::str):
3251         (JSC::ARMv7Assembler::sub):
3252         (JSC::ARMv7Assembler::sub_S):
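
The memory-safety consequence described above is worth seeing in numbers. The 16-bit Thumb `add/sub sp, sp, #imm` encodings carry a word-aligned immediate of up to nine bits, stored as `imm >> 2` in a seven-bit field; an accessor that returns that nine-bit value through `uint8_t` drops bit 8 before the encoder ever sees it. The following is an added, stand-alone C++ model of the narrowing and its effect on the reserved frame; it is not JSC's `ARMThumbImmediate` or `ARMv7Assembler`.

```cpp
#include <cstdint>

// Added illustration of the narrowing this entry fixes; it is a stand-alone
// model, not JSC's ARMThumbImmediate or ARMv7Assembler.
//
// The 16-bit Thumb "add/sub sp, sp, #imm" encodings carry a word-aligned
// immediate of up to nine bits, stored as imm >> 2 in a 7-bit field. The
// accessor that hands that nine-bit value to the encoder decides how many of
// its bits survive.
struct ThumbImmediate {
    uint16_t value; // the immediate as requested: 0..511, a multiple of 4

    // Before the fix: returning through uint8_t silently drops bit 8.
    uint8_t getUInt9Narrowed() const { return static_cast<uint8_t>(value); }

    // After the fix: a return type wide enough for all nine bits.
    uint16_t getUInt9() const { return value & 0x1FF; }
};

// Bytes the emitted instruction really moves sp by, reconstructed from the
// 7-bit field the way the CPU decodes it (imm7 << 2).
unsigned reservedFrameBytes(uint16_t requested, bool useFixedAccessor)
{
    ThumbImmediate imm = { requested };
    unsigned nineBits = useFixedAccessor ? imm.getUInt9() : imm.getUInt9Narrowed();
    unsigned imm7 = (nineBits >> 2) & 0x7F;
    return imm7 << 2;
}

// Does a store at 'offset' below the original sp land inside the frame the
// prologue actually reserved? Offsets past the end hit the caller's frame.
bool storeStaysInFrame(uint16_t requestedFrame, unsigned offset, bool useFixedAccessor)
{
    return offset < reservedFrameBytes(requestedFrame, useFixedAccessor);
}
```

With the narrowed accessor a 320-byte frame reserves 64 bytes and a 256-byte frame reserves nothing at all, so every store the JIT'ed body makes beyond that point lands in the caller's frame; the fixed accessor reserves exactly what was requested. Frames of 255 bytes or less are unaffected, which is why the bug only shows up on larger functions.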
3253
3254 2011-06-24  Michael Saboff  <msaboff@apple.com>
3255
3256         Reviewed by Geoffrey Garen.
3257
3258         releaseFastMallocFreeMemory doesn't adjust free counts for scavenger
3259         https://bugs.webkit.org/show_bug.cgi?id=63015
3260
3261         Added code to adjust class TCMalloc_PageHeap variables free_committed_pages_ and
3262         min_free_committed_pages_since_last_scavenge_ in ReleaseFreeList().  These 
3263         adjustments are a bug.  These need to reflect the pages that are released
3264         in ReleaseFreeList so that scavenge doesn't try to free that many pages as well.
3265         Made ReleaseFreeList a member of TCMalloc_PageHeap in the process.  Updated
3266         Check() and helper method CheckList() to check the number of actual free pages
3267         with free_committed_pages_.
3268
3269         The symptom of the problem of the existing code is that the scavenger may
3270         run unnecessarily without any real work to do, i.e. pages on the free lists.
3271         The scavenger would also end up freeing too many pages, that is going below 
3272         the current 528 target free pages.
3273
3274         Note that the style of the changes was kept consistent with the
3275         existing style.
3276
3277         * wtf/FastMalloc.cpp:
3278         (WTF::TCMalloc_PageHeap::Check):
3279         (WTF::TCMalloc_PageHeap::CheckList):
3280         (WTF::TCMalloc_PageHeap::ReleaseFreeList):
3281
3282 2011-06-24  Abhishek Arya  <inferno@chromium.org>
3283
3284         Reviewed by Darin Adler.
3285
3286         Match other clampTo* functions in style with clampToInteger(float)
3287         function.
3288         https://bugs.webkit.org/show_bug.cgi?id=53449
3289
3290         * wtf/MathExtras.h:
3291         (clampToInteger):
3292         (clampToFloat):
3293         (clampToPositiveInteger):
3294
3295 2011-06-24  Sheriff Bot  <webkit.review.bot@gmail.com>
3296
3297         Unreviewed, rolling out r89594.
3298         http://trac.webkit.org/changeset/89594
3299         https://bugs.webkit.org/show_bug.cgi?id=63316
3300
3301         It broke 5 tests on the Qt bot (Requested by Ossy_DC on
3302         #webkit).
3303
3304         * GNUmakefile.list.am:
3305         * JavaScriptCore.gypi:
3306         * icu/unicode/uscript.h: Removed.
3307         * wtf/unicode/ScriptCodesFromICU.h: Removed.
3308         * wtf/unicode/brew/UnicodeBrew.h:
3309         * wtf/unicode/glib/UnicodeGLib.h:
3310         * wtf/unicode/icu/UnicodeIcu.h:
3311         * wtf/unicode/qt4/UnicodeQt4.h:
3312         * wtf/unicode/wince/UnicodeWinCE.h:
3313
3314 2011-06-23  Filip Pizlo  <fpizlo@apple.com>
3315
3316         Reviewed by Gavin Barraclough.
3317
3318         DFG non-speculative JIT should have obvious optimizations for GetById and GetByVal
3319         https://bugs.webkit.org/show_bug.cgi?id=63173
3320
3321         * dfg/DFGJITCodeGenerator.cpp:
3322         (JSC::DFG::JITCodeGenerator::cachedGetById):
3323         * dfg/DFGJITCodeGenerator.h:
3324         * dfg/DFGNonSpeculativeJIT.cpp:
3325         (JSC::DFG::NonSpeculativeJIT::compile):
3326         * dfg/DFGSpeculativeJIT.cpp:
3327         (JSC::DFG::SpeculativeJIT::compile):
3328
3329 2011-06-23  Oliver Hunt  <oliver@apple.com>
3330
3331         Fix Qt again.
3332
3333         * assembler/ARMAssembler.h:
3334         (JSC::ARMAssembler::readPointer):
3335
3336 2011-06-23  Oliver Hunt  <oliver@apple.com>
3337
3338         Fix Qt Build
3339
3340         * assembler/ARMAssembler.h:
3341         (JSC::ARMAssembler::readPointer):
3342
3343 2011-06-23  Stephanie Lewis  <slewis@apple.com>
3344
3345         Reviewed by Darin Adler.
3346
3347         https://bugs.webkit.org/show_bug.cgi?id=63298
3348         Replace Malloc with FastMalloc to match the rest of wtf.
3349
3350         * wtf/BlockStack.h:
3351         (WTF::::~BlockStack):
3352         (WTF::::grow):
3353         (WTF::::shrink):
3354
3355 2011-06-23  Oliver Hunt  <oliver@apple.com>
3356
3357         Reviewed by Gavin Barraclough.
3358
3359         Add the ability to dynamically modify linked call sites
3360         https://bugs.webkit.org/show_bug.cgi?id=63291
3361
3362         Add JITWriteBarrier as a writebarrier class that allows
3363         reading and writing directly into the code stream.
3364
3365         This required adding logic to all the assemblers to allow
3366         us to read values back out of the instruction stream.
3367
3368         * JavaScriptCore.xcodeproj/project.pbxproj:
3369         * assembler/ARMAssembler.h:
3370         (JSC::ARMAssembler::readPointer):
3371         * assembler/ARMv7Assembler.h:
3372         (JSC::ARMv7Assembler::readPointer):
3373         (JSC::ARMv7Assembler::readInt32):
3374         (JSC::ARMv7Assembler::decodeTwoWordOp5i6Imm4Reg4EncodedImmFirst):
3375         (JSC::ARMv7Assembler::decodeTwoWordOp5i6Imm4Reg4EncodedImmSecond):
3376         * assembler/AbstractMacroAssembler.h:
3377         (JSC::AbstractMacroAssembler::readPointer):
3378         * assembler/MIPSAssembler.h:
3379         (JSC::MIPSAssembler::readInt32):
3380         (JSC::MIPSAssembler::readPointer):
3381         * assembler/MacroAssemblerCodeRef.h:
3382         (JSC::MacroAssemblerCodePtr::operator!):
3383         * assembler/SH4Assembler.h:
3384         (JSC::SH4Assembler::readPCrelativeAddress):
3385         (JSC::SH4Assembler::readPointer):
3386         (JSC::SH4Assembler::readInt32):
3387         * assembler/X86Assembler.h:
3388         (JSC::X86Assembler::readPointer):
3389         * bytecode/CodeBlock.cpp:
3390         (JSC::CodeBlock::visitAggregate):
3391         * bytecode/CodeBlock.h:
3392         (JSC::MethodCallLinkInfo::seenOnce):
3393         (JSC::MethodCallLinkInfo::setSeen):
3394         * heap/MarkStack.h:
3395         * jit/JIT.cpp:
3396         (JSC::JIT::privateCompile):
3397         (JSC::JIT::linkCall):
3398         (JSC::JIT::linkConstruct):
3399         * jit/JITPropertyAccess.cpp:
3400         (JSC::JIT::patchMethodCallProto):
3401         * jit/JITPropertyAccess32_64.cpp:
3402         * jit/JITWriteBarrier.h: Added.
3403         (JSC::JITWriteBarrierBase::operator UnspecifiedBoolType*):
3404         (JSC::JITWriteBarrierBase::operator!):
3405         (JSC::JITWriteBarrierBase::setFlagOnBarrier):
3406         (JSC::JITWriteBarrierBase::isFlagged):
3407         (JSC::JITWriteBarrierBase::setLocation):
3408         (JSC::JITWriteBarrierBase::location):
3409         (JSC::JITWriteBarrierBase::JITWriteBarrierBase):
3410         (JSC::JITWriteBarrierBase::set):
3411         (JSC::JITWriteBarrierBase::get):
3412         (JSC::JITWriteBarrier::JITWriteBarrier):
3413         (JSC::JITWriteBarrier::set):
3414         (JSC::JITWriteBarrier::get):
3415         (JSC::MarkStack::append):
3416
3417 2011-06-23  Gavin Barraclough  <barraclough@apple.com>
3418
3419         Reviewed by Oliver Hunt.
3420
3421         https://bugs.webkit.org/show_bug.cgi?id=61585
3422         Crash running regexp /(?:(?=g))|(?:m).{2147483648,}/
3423
3424         This is due to use of int instead of unsigned, bad math around
3425         the 2^31 boundary.
3426
3427         * yarr/YarrInterpreter.cpp:
3428         (JSC::Yarr::ByteCompiler::emitDisjunction):
3429             - Change some uses of int to unsigned, refactor compare logic to
3430               restrict to the range 0..2^32-1 (rather than -2^32-1..2^32-1).
3431         * yarr/YarrJIT.cpp:
3432         (JSC::Yarr::YarrGenerator::generate):
3433         (JSC::Yarr::YarrGenerator::backtrack):
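
The crash above is the classic shape of a signed/unsigned boundary bug: a quantifier count of 2147483648 is a perfectly good `unsigned`, but copied into `int` it becomes negative and every "still short of the minimum" comparison answers the wrong way. The following is an added, stand-alone C++ model of parsing a quantifier bound into the 0..2^32-1 range and of the comparison in both forms; it is not Yarr's `ByteCompiler::emitDisjunction`, and its use of `UINT32_MAX` to mean "unbounded" is an assumption of the example.

```cpp
#include <cstdint>
#include <string>

// Added illustration of the int/unsigned boundary this entry describes; it is
// a stand-alone model, not Yarr's ByteCompiler::emitDisjunction.

// Assumption of the example: like Yarr's quantifyInfinite, the largest uint32
// stands in for "no upper bound".
const uint32_t kQuantifyInfinite = UINT32_MAX;

// Parse the decimal count in a {n,} or {n,m} quantifier into the 0..2^32-1
// range, saturating instead of wrapping. Returns false for non-digit input.
bool parseQuantifierBound(const std::string& digits, uint32_t& out)
{
    if (digits.empty())
        return false;
    uint64_t acc = 0;
    for (char c : digits) {
        if (c < '0' || c > '9')
            return false;
        acc = acc * 10 + static_cast<uint64_t>(c - '0');
        if (acc >= kQuantifyInfinite)
            acc = kQuantifyInfinite; // saturate; also keeps acc from overflowing uint64
    }
    out = static_cast<uint32_t>(acc);
    return true;
}

// Convenience for callers that only need the value (0 on malformed input).
uint32_t quantifierBound(const std::string& digits)
{
    uint32_t value = 0;
    return parseQuantifierBound(digits, value) ? value : 0;
}

// The comparison shape that goes wrong: both counts copied into int, as the
// pre-fix code did. A minimum of 2^31 lands on the negative side, so the
// "still short of the minimum" test answers no for every matched count.
// (Unsigned-to-int conversion of an out-of-range value is implementation-
// defined before C++20; every mainstream compiler wraps two's complement.)
bool needsMoreIterationsSigned(uint32_t matched, uint32_t minimum)
{
    int m = static_cast<int>(matched);
    int n = static_cast<int>(minimum);
    return m < n;
}

// Same test in unsigned arithmetic: correct for every value in 0..2^32-1.
bool needsMoreIterationsUnsigned(uint32_t matched, uint32_t minimum)
{
    return matched < minimum;
}
```

The saturating parse matters as much as the unsigned compare: a bound that does not fit in 32 bits should collapse to "unbounded" rather than wrap to a small count, otherwise a pattern such as `.{4294967297}` would silently turn into `.{1}`.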