fad8031d670db0af038bf4cd4add4352e975de7a
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2013-02-19  Mark Hahnenberg  <mhahnenberg@apple.com>
2
3         HeapBlock::destroy should issue warning if result is unused
4         https://bugs.webkit.org/show_bug.cgi?id=110233
5
6         Reviewed by Oliver Hunt.
7
8         To enforce the fact that we need to return blocks to the BlockAllocator after calling destroy, 
9         we should add WARN_UNUSED_RETURN to HeapBlock::destroy and any other destroy functions in its subclasses.
10
11         * heap/HeapBlock.h:
12
13 2013-02-19  Mark Hahnenberg  <mhahnenberg@apple.com>
14
15         WeakSet::removeAllocator leaks WeakBlocks
16         https://bugs.webkit.org/show_bug.cgi?id=110228
17
18         Reviewed by Geoffrey Garen.
19
20         We need to return the WeakBlock to the BlockAllocator after the call to WeakBlock::destroy.
21
22         * heap/WeakSet.cpp:
23         (JSC::WeakSet::removeAllocator):
24
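The pattern the two entries above enforce, as an added illustration that is not JavaScriptCore's own code: a simplified BlockAllocator, HeapBlock and DeadBlock (stand-in names and shapes assumed here) where destroy() hands the region back instead of freeing it, and a warn_unused_result attribute standing in for WARN_UNUSED_RETURN turns a dropped return value into a compiler warning. The leak-counting allocator and the two demonstration functions are assumptions added for the example.

```cpp
#include <cstddef>
#include <cstdlib>
#include <new>
#include <set>

// Stand-in for WTF's WARN_UNUSED_RETURN: GCC/Clang attribute, no-op elsewhere.
#if defined(__GNUC__) || defined(__clang__)
#define WARN_UNUSED_RETURN __attribute__((warn_unused_result))
#else
#define WARN_UNUSED_RETURN
#endif

// Simplified block allocator (assumed): hands out fixed-size regions and keeps
// the set of regions not yet returned, so a forgotten return is observable.
class BlockAllocator {
public:
    static const size_t blockSize = 4096;

    ~BlockAllocator() {
        // Reclaim anything a client forgot, so the demonstration itself does not leak.
        for (std::set<void*>::iterator it = m_outstanding.begin(); it != m_outstanding.end(); ++it)
            std::free(*it);
    }

    void* allocate() {
        void* region = std::malloc(blockSize);
        if (!region)
            throw std::bad_alloc();
        m_outstanding.insert(region);
        return region;
    }

    void deallocate(void* region) {
        m_outstanding.erase(region);
        std::free(region);
    }

    size_t outstandingBlocks() const { return m_outstanding.size(); }

private:
    std::set<void*> m_outstanding;
};

// The raw region that destroy() hands back; its only legitimate destination is
// BlockAllocator::deallocate.
struct DeadBlock {
    void* region;
};

// Simplified HeapBlock (assumed): constructed in place inside an allocator region.
class HeapBlock {
public:
    static HeapBlock* create(BlockAllocator& allocator) {
        void* region = allocator.allocate();
        return new (region) HeapBlock(region);
    }

    // Tears the object down but does NOT free its region. The caller must pass
    // the returned DeadBlock to the allocator; silently dropping the result
    // now produces a compiler warning instead of a silent leak.
    static DeadBlock destroy(HeapBlock* block) WARN_UNUSED_RETURN;

private:
    explicit HeapBlock(void* region) : m_region(region) { }
    ~HeapBlock() { }
    void* m_region;
};

DeadBlock HeapBlock::destroy(HeapBlock* block) {
    void* region = block->m_region;
    block->~HeapBlock();
    DeadBlock dead = { region };
    return dead;
}

// Correct sequence, as the WeakSet::removeAllocator fix does: destroy, then
// return the dead block. Returns the number of regions still outstanding (0).
size_t destroyAndReturnToAllocator() {
    BlockAllocator allocator;
    HeapBlock* block = HeapBlock::create(allocator);
    DeadBlock dead = HeapBlock::destroy(block);
    allocator.deallocate(dead.region);
    return allocator.outstandingBlocks();
}

// The leak the second entry fixed: destroy() is called but the region never
// reaches deallocate(). The result is stored so this compiles warning-free,
// which is the caveat: the attribute catches a dropped result, not a
// stored-and-forgotten one. Returns 1: one region still outstanding.
size_t destroyWithoutReturning() {
    BlockAllocator allocator;
    HeapBlock* block = HeapBlock::create(allocator);
    DeadBlock dead = HeapBlock::destroy(block);
    (void)dead; // region is never returned to the allocator
    return allocator.outstandingBlocks();
}
```

Removing the `DeadBlock dead =` assignment in the leaking variant and calling `HeapBlock::destroy(block);` bare is what the attribute flags at compile time.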
25 2013-02-18  Geoffrey Garen  <ggaren@apple.com>
26
27         Save space on keys in the CodeCache
28         https://bugs.webkit.org/show_bug.cgi?id=110179
29
30         Reviewed by Oliver Hunt.
31
32         Share the SourceProvider's string instead of making our own copy. This
33         chops off 16MB - 32MB from the CodeCache's memory footprint when full.
34         (It's 16MB when the strings are LChar, and 32MB when they're UChar.)
35
36         * runtime/CodeCache.cpp:
37         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
38         * runtime/CodeCache.h: Removed a defunct enum value.
39
40         (JSC::SourceCodeKey::SourceCodeKey):
41         (JSC::SourceCodeKey::isHashTableDeletedValue):
42         (SourceCodeKey):
43         (JSC::SourceCodeKey::hash):
44         (JSC::SourceCodeKey::length):
45         (JSC::SourceCodeKey::isNull):
46         (JSC::SourceCodeKey::string):
47         (JSC::SourceCodeKey::operator==): Store a SourceCode instead of a String
48         so we can share our string with our SourceProvider. Cache our hash so
49         we don't have to re-decode our string just to re-hash the table.
50
51 2013-02-19  Zoltan Herczeg  <zherczeg@webkit.org>
52
53         revertBranchPtrWithPatch is incorrect on ARM traditional
54         https://bugs.webkit.org/show_bug.cgi?id=110201
55
56         Reviewed by Oliver Hunt.
57
58         Revert two instructions back to their original value.
59
60         * assembler/ARMAssembler.h:
61         (JSC::ARMAssembler::revertBranchPtrWithPatch):
62         (ARMAssembler):
63         * assembler/MacroAssemblerARM.h:
64         (JSC::MacroAssemblerARM::branchPtrWithPatch):
65         (JSC::MacroAssemblerARM::revertJumpReplacementToBranchPtrWithPatch):
66
67 2013-02-19  Filip Pizlo  <fpizlo@apple.com>
68
69         REGRESSION(r143241): It made 27 layout tests crash on 32 bit platforms
70         https://bugs.webkit.org/show_bug.cgi?id=110184
71
72         Reviewed by Zoltan Herczeg.
73         
74         32-bit backend was making all sorts of crazy assumptions, which happened to mostly
75         not break things prior to http://trac.webkit.org/changeset/143241. This brings the
76         32-bit backend's type speculation fully into compliance with what the 64-bit
77         backend does.
78
79         * dfg/DFGSpeculativeJIT.cpp:
80         (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
81         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
82         * dfg/DFGSpeculativeJIT32_64.cpp:
83         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
84         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
85         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
86         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
87
88 2013-02-18  Ilya Tikhonovsky  <loislo@chromium.org>
89
90         Unreviewed build fix for Apple Windows. Second stage.
91         Add missed export statement.
92
93         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
94
95 2013-02-18  Roger Fong  <roger_fong@apple.com>
96
97         Unreviewed Windows build fix.
98
99         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
100         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
101
102 2013-02-18  Darin Adler  <darin@apple.com>
103
104         Remove unneeded explicit function template arguments.
105         https://bugs.webkit.org/show_bug.cgi?id=110043
106
107         Reviewed by Ryosuke Niwa.
108
109         * runtime/Identifier.cpp:
110         (JSC::IdentifierASCIIStringTranslator::hash): Let the compiler deduce the type
111         when calling computeHashAndMaskTop8Bits.
112         (JSC::IdentifierLCharFromUCharTranslator::hash): Ditto.
113         * runtime/Identifier.h:
114         (JSC::IdentifierCharBufferTranslator::hash): Ditto.

115 2013-02-18  Geoffrey Garen  <ggaren@apple.com>
116
117         Shrank the SourceProvider cache
118         https://bugs.webkit.org/show_bug.cgi?id=110158
119
120         Reviewed by Oliver Hunt.
121
122         CodeCache is now our primary source cache, so a long-lived SourceProvider
123         cache is a waste. I measured this as a 10MB Membuster win; with more
124         precise instrumentation, Andreas estimated it as up to 30MB.
125
126         I didn't eliminate the SourceProvider cache because it's still useful
127         in speeding up uncached parsing of scripts with large nested functions
128         (i.e., all scripts).
129
130         * heap/Heap.cpp:
131         (JSC::Heap::collect): Discard all source provider caches after GC. This
132         is a convenient place to do so because it's reasonably soon after initial
133         parsing without being immediate.
134
135         * parser/Parser.cpp:
136         (JSC::::Parser): Updated for interface change: The heap now owns the
137         source provider cache, since most SourceProviders are not expected to
138         have one by default, and the heap is responsible for throwing them away.
139
140         (JSC::::parseInner): No need to update statistics on cache size, since
141         we're going to throw it away no matter what.
142
143         (JSC::::parseFunctionInfo): Reduced the minimum function size to 16. This
144         is a 27% win on a new parsing micro-benchmark I've added. Now that the
145         cache is temporary, we don't have to worry so much about its memory
146         footprint.
147
148         * parser/Parser.h:
149         (Parser): Updated for interface changes.
150
151         * parser/SourceProvider.cpp:
152         (JSC::SourceProvider::SourceProvider):
153         (JSC::SourceProvider::~SourceProvider):
154         * parser/SourceProvider.h:
155         (JSC):
156         (SourceProvider): SourceProvider doesn't own its cache anymore because
157         the cache is temporary.
158
159         * parser/SourceProviderCache.cpp:
160         (JSC::SourceProviderCache::clear):
161         (JSC::SourceProviderCache::add):
162         * parser/SourceProviderCache.h:
163         (JSC::SourceProviderCache::SourceProviderCache):
164         (SourceProviderCache):
165         * parser/SourceProviderCacheItem.h:
166         (SourceProviderCacheItem): No need to update statistics on cache size,
167         since we're going to throw it away no matter what.
168
169         * runtime/JSGlobalData.cpp:
170         (JSC::JSGlobalData::addSourceProviderCache):
171         (JSC):
172         (JSC::JSGlobalData::clearSourceProviderCaches):
173         * runtime/JSGlobalData.h:
174         (JSC):
175         (JSGlobalData): Moved the cache here so it's easier to throw away.
176
177 2013-02-18  Filip Pizlo  <fpizlo@apple.com>
178
179         DFG backend Branch handling has duplicate code and dead code
180         https://bugs.webkit.org/show_bug.cgi?id=110162
181
182         Reviewed by Mark Hahnenberg.
183         
184         Streamline the code, and make the 64 backend's optimizations make more sense
185         (i.e. not be dead code).
186
187         * dfg/DFGSpeculativeJIT32_64.cpp:
188         (JSC::DFG::SpeculativeJIT::compile):
189         * dfg/DFGSpeculativeJIT64.cpp:
190         (JSC::DFG::SpeculativeJIT::emitBranch):
191         (JSC::DFG::SpeculativeJIT::compile):
192
193 2013-02-18  Brent Fulgham  <bfulgham@webkit.org>
194
195         [Windows] Unreviewed VS2010 build correction after r143273.
196
197         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing source
198         file SourceProvider.cpp.
199         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
200         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: Add missing exports.
201
202 2013-02-18  Filip Pizlo  <fpizlo@apple.com>
203
204         Structure::flattenDictionaryStructure should compute max offset in a manner that soundly handles the case where the property list becomes empty
205         https://bugs.webkit.org/show_bug.cgi?id=110155
206         <rdar://problem/13233773>
207
208         Reviewed by Mark Rowe.
209         
210         This was a rookie mistake.  It was doing:
211         
212         for (blah) {
213             m_offset = foo // foo's monotonically increase in the loop
214         }
215         
216         as a way of computing max offset for all of the properties.  Except what if the loop doesn't
217         execute because there are no properties?  Well, then, you're going to have a bogus m_offset.
218         
219         The solution is to initialize m_offset at the top of the loop.
220
221         * runtime/Structure.cpp:
222         (JSC::Structure::flattenDictionaryStructure):
223
224 2013-02-18  Balazs Kilvady  <kilvadyb@homejinni.com>
225
226         MIPS DFG implementation.
227         https://bugs.webkit.org/show_bug.cgi?id=101328
228
229         Reviewed by Oliver Hunt.
230
231         DFG implementation for MIPS.
232
233         * assembler/MIPSAssembler.h:
234         (JSC::MIPSAssembler::MIPSAssembler):
235         (JSC::MIPSAssembler::sllv):
236         (JSC::MIPSAssembler::movd):
237         (MIPSAssembler):
238         (JSC::MIPSAssembler::negd):
239         (JSC::MIPSAssembler::labelForWatchpoint):
240         (JSC::MIPSAssembler::label):
241         (JSC::MIPSAssembler::vmov):
242         (JSC::MIPSAssembler::linkDirectJump):
243         (JSC::MIPSAssembler::maxJumpReplacementSize):
244         (JSC::MIPSAssembler::revertJumpToMove):
245         (JSC::MIPSAssembler::replaceWithJump):
246         * assembler/MacroAssembler.h:
247         (MacroAssembler):
248         (JSC::MacroAssembler::poke):
249         * assembler/MacroAssemblerMIPS.h:
250         (JSC::MacroAssemblerMIPS::add32):
251         (MacroAssemblerMIPS):
252         (JSC::MacroAssemblerMIPS::and32):
253         (JSC::MacroAssemblerMIPS::lshift32):
254         (JSC::MacroAssemblerMIPS::mul32):
255         (JSC::MacroAssemblerMIPS::or32):
256         (JSC::MacroAssemblerMIPS::rshift32):
257         (JSC::MacroAssemblerMIPS::urshift32):
258         (JSC::MacroAssemblerMIPS::sub32):
259         (JSC::MacroAssemblerMIPS::xor32):
260         (JSC::MacroAssemblerMIPS::store32):
261         (JSC::MacroAssemblerMIPS::jump):
262         (JSC::MacroAssemblerMIPS::branchAdd32):
263         (JSC::MacroAssemblerMIPS::branchMul32):
264         (JSC::MacroAssemblerMIPS::branchSub32):
265         (JSC::MacroAssemblerMIPS::branchNeg32):
266         (JSC::MacroAssemblerMIPS::call):
267         (JSC::MacroAssemblerMIPS::loadDouble):
268         (JSC::MacroAssemblerMIPS::moveDouble):
269         (JSC::MacroAssemblerMIPS::swapDouble):
270         (JSC::MacroAssemblerMIPS::subDouble):
271         (JSC::MacroAssemblerMIPS::mulDouble):
272         (JSC::MacroAssemblerMIPS::divDouble):
273         (JSC::MacroAssemblerMIPS::negateDouble):
274         (JSC::MacroAssemblerMIPS::branchEqual):
275         (JSC::MacroAssemblerMIPS::branchNotEqual):
276         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
277         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUint32):
278         (JSC::MacroAssemblerMIPS::truncateDoubleToInt32):
279         (JSC::MacroAssemblerMIPS::truncateDoubleToUint32):
280         (JSC::MacroAssemblerMIPS::branchDoubleNonZero):
281         (JSC::MacroAssemblerMIPS::branchDoubleZeroOrNaN):
282         (JSC::MacroAssemblerMIPS::invert):
283         (JSC::MacroAssemblerMIPS::replaceWithJump):
284         (JSC::MacroAssemblerMIPS::maxJumpReplacementSize):
285         * dfg/DFGAssemblyHelpers.h:
286         (AssemblyHelpers):
287         (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
288         (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
289         (JSC::DFG::AssemblyHelpers::debugCall):
290         * dfg/DFGCCallHelpers.h:
291         (CCallHelpers):
292         (JSC::DFG::CCallHelpers::setupArguments):
293         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
294         * dfg/DFGFPRInfo.h:
295         (DFG):
296         (FPRInfo):
297         (JSC::DFG::FPRInfo::toRegister):
298         (JSC::DFG::FPRInfo::toIndex):
299         (JSC::DFG::FPRInfo::debugName):
300         * dfg/DFGGPRInfo.h:
301         (DFG):
302         (GPRInfo):
303         (JSC::DFG::GPRInfo::toRegister):
304         (JSC::DFG::GPRInfo::toIndex):
305         (JSC::DFG::GPRInfo::debugName):
306         * dfg/DFGSpeculativeJIT.h:
307         (SpeculativeJIT):
308         * jit/JSInterfaceJIT.h:
309         (JSInterfaceJIT):
310         * runtime/JSGlobalData.h:
311         (JSC::ScratchBuffer::allocationSize):
312         (ScratchBuffer):
313
314 2013-02-18  Filip Pizlo  <fpizlo@apple.com>
315
316         DFG::SpeculativeJIT::isKnownXYZ methods should use CFA rather than other things
317         https://bugs.webkit.org/show_bug.cgi?id=110092
318
319         Reviewed by Geoffrey Garen.
320         
321         These methods were previously using GenerationInfo and other things to try to
322         gain information that the CFA could give away for free, if you asked kindly
323         enough.
324         
325         Also fixed CallLinkStatus's dump() method since it was making an invalid
326         assertion: we most certainly can have a status where the structure is non-null
327         and the executable is null, like if we're dealing with an InternalFunction.
328         
329         Also removed calls to isKnownNotXYZ from fillSpeculateABC methods in 32_64. I
330         don't know why that was there. But it was causing asserts if the value was
331         empty - i.e. we had already exited unconditionally but we didn't know it. I
332         could have fixed this by introducing another form of isKnownNotXYZ which was
333         tolerant of empty values, but I didn't feel like fixing code that I knew to be
334         unnecessary. (More deeply, isKnownNotCell, for example, really asks: "do you
335         know that this value can never be a cell?" while some of the previous uses
336         wanted to ask: "do you know that this is a value that is not a cell?". The
337         former is "true" if the value is a contradiction [i.e. BOTTOM], while the
338         latter is "false" for contradictions, since contradictions are not values.)
339
340         * bytecode/CallLinkStatus.cpp:
341         (JSC::CallLinkStatus::dump):
342         * bytecode/CallLinkStatus.h:
343         (JSC::CallLinkStatus::CallLinkStatus):
344         * dfg/DFGSpeculativeJIT.cpp:
345         (DFG):
346         * dfg/DFGSpeculativeJIT.h:
347         (JSC::DFG::SpeculativeJIT::isKnownInteger):
348         (JSC::DFG::SpeculativeJIT::isKnownCell):
349         (JSC::DFG::SpeculativeJIT::isKnownNotInteger):
350         (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
351         (JSC::DFG::SpeculativeJIT::isKnownNotCell):
352         * dfg/DFGSpeculativeJIT32_64.cpp:
353         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
354         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
355         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
356         * dfg/DFGStructureAbstractValue.h:
357         (JSC::DFG::StructureAbstractValue::dump):
358
359 2013-02-17  Filip Pizlo  <fpizlo@apple.com>
360
361         Get rid of DFG::DoubleOperand and simplify ValueToInt32
362         https://bugs.webkit.org/show_bug.cgi?id=110072
363
364         Reviewed by Geoffrey Garen.
365         
366         ValueToInt32 had a side-effecting path, which was not OSR-friendly: an OSR after
367         the side-effect would lead to the side-effect re-executing. I got rid of that path
368         and replaced it with an optimization for the case where the input is speculated
369         number-or-other. This makes idioms like null|0 and true|0 work as expected, and
370         get optimized appropriately.
371         
372         Also got rid of DoubleOperand. Replaced all remaining uses of it with
373         SpeculateDoubleOperand. Because the latter asserts that the Edge is a DoubleUse
374         edge and the remaining uses of DoubleOperand are all for untyped uses, I worked
375         around the assertion by setting the UseKind to DoubleUse by force. This is sound,
376         since all existing assertions for DoubleUse are actually asserting that we're not
377         converting a value to double unexpectedly. But all of these calls to
378         SpeculateDoubleOperand are when the operand is already known to be represented as
379         double, so there is no conversion.
380         
381         This is neutral on benchmarks, except stanford-crypto-ccm, which speeds up a
382         little. Mostly, this is intended to delete a bunch of code. DoubleOperand was
383         equivalent to the replace-edge-with-DoubleUse trick that I'm using now, except it
384         involved a _lot_ more code.
385
386         * dfg/DFGAbstractState.cpp:
387         (JSC::DFG::AbstractState::execute):
388         * dfg/DFGCSEPhase.cpp:
389         (JSC::DFG::CSEPhase::performNodeCSE):
390         * dfg/DFGFixupPhase.cpp:
391         (JSC::DFG::FixupPhase::fixupNode):
392         * dfg/DFGNodeType.h:
393         (DFG):
394         * dfg/DFGSpeculativeJIT.cpp:
395         (DFG):
396         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
397         * dfg/DFGSpeculativeJIT.h:
398         (SpeculativeJIT):
399         (DFG):
400         (FPRTemporary):
401         * dfg/DFGSpeculativeJIT32_64.cpp:
402         (DFG):
403         (JSC::DFG::SpeculativeJIT::compile):
404         * dfg/DFGSpeculativeJIT64.cpp:
405         (DFG):
406
407 2013-02-18  Ádám Kallai  <kadam@inf.u-szeged.hu>
408
409         [Qt] Mountain Lion buildfix after r143147.
410
411         Reviewed by Csaba Osztrogonác.
412
413         * runtime/DateConstructor.cpp:
414
415 2013-02-18  Zan Dobersek  <zdobersek@igalia.com>
416
417         Stop placing std::isfinite and std::signbit inside the global scope
418         https://bugs.webkit.org/show_bug.cgi?id=109817
419
420         Reviewed by Darin Adler.
421
422         Prefix calls to the isfinite and signbit methods with std:: as the two
423         methods are no longer being imported into the global scope.
424
425         * assembler/MacroAssembler.h:
426         (JSC::MacroAssembler::shouldBlindDouble):
427         * offlineasm/cloop.rb:
428         * runtime/BigInteger.h:
429         (JSC::BigInteger::BigInteger):
430         * runtime/DateConstructor.cpp:
431         (JSC::constructDate):
432         * runtime/DatePrototype.cpp:
433         (JSC::fillStructuresUsingTimeArgs):
434         (JSC::fillStructuresUsingDateArgs):
435         (JSC::dateProtoFuncToISOString):
436         (JSC::dateProtoFuncSetYear):
437         * runtime/JSCJSValueInlines.h:
438         (JSC::JSValue::JSValue):
439         * runtime/JSGlobalObjectFunctions.cpp:
440         (JSC::globalFuncIsFinite):
441         * runtime/JSONObject.cpp:
442         (JSC::Stringifier::appendStringifiedValue):
443         * runtime/MathObject.cpp:
444         (JSC::mathProtoFuncMax): Also include an opportunistic style fix.
445         (JSC::mathProtoFuncMin): Ditto.
446         * runtime/NumberPrototype.cpp:
447         (JSC::toStringWithRadix):
448         (JSC::numberProtoFuncToExponential):
449         (JSC::numberProtoFuncToFixed):
450         (JSC::numberProtoFuncToPrecision):
451         (JSC::numberProtoFuncToString):
452         * runtime/Uint16WithFraction.h:
453         (JSC::Uint16WithFraction::Uint16WithFraction):
454
455 2013-02-18  Ádám Kallai  <kadam@inf.u-szeged.hu>
456
457         [Qt] Mountain Lion buildfix after r143147.
458
459         Reviewed by Csaba Osztrogonác.
460
461         * runtime/DateInstance.cpp:
462
463 2013-02-18  Ilya Tikhonovsky  <loislo@chromium.org>
464
465         Unreviewed speculative build fix for Apple Win bots.
466
467         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
468
469 2013-02-18  Filip Pizlo  <fpizlo@apple.com>
470
471         Fix indentation of StructureStubInfo.h
472
473         Rubber stamped by Mark Hahnenberg.
474
475         * bytecode/StructureStubInfo.h:
476
477 2013-02-18  Filip Pizlo  <fpizlo@apple.com>
478
479         Fix indentation of JSGlobalObject.h and JSGlobalObjectFunctions.h
480
481         Rubber stamped by Mark Hahnenberg.
482
483         * runtime/JSGlobalObject.h:
484         * runtime/JSGlobalObjectFunctions.h:
485
486 2013-02-18  Filip Pizlo  <fpizlo@apple.com>
487
488         Fix indentation of Operations.h
489
490         Rubber stamped by Mark Hahnenberg.
491
492         * runtime/Operations.h:
493
494 2013-02-18  Filip Pizlo  <fpizlo@apple.com>
495
496         Remove DFG::SpeculativeJIT::isKnownNumeric(), since it's not called from anywhere.
497
498         Rubber stamped by Andy Estes.
499
500         * dfg/DFGSpeculativeJIT.cpp:
501         (DFG):
502         * dfg/DFGSpeculativeJIT.h:
503         (SpeculativeJIT):
504
505 2013-02-18  Filip Pizlo  <fpizlo@apple.com>
506
507         Remove DFG::SpeculativeJIT::isStrictInt32(), since it's not called from anywhere.
508
509         Rubber stamped by Andy Estes.
510
511         * dfg/DFGSpeculativeJIT.cpp:
512         (DFG):
513         * dfg/DFGSpeculativeJIT.h:
514         (SpeculativeJIT):
515
516 2013-02-18  Filip Pizlo  <fpizlo@apple.com>
517
518         Remove dead code for ValueToNumber from the DFG.
519
520         Rubber stamped by Andy Estes.
521         
522         We killed ValueToNumber at some point, but forgot to kill all of the backend support
523         for it.
524
525         * dfg/DFGByteCodeParser.cpp:
526         (JSC::DFG::ByteCodeParser::handleMinMax):
527         * dfg/DFGOperations.cpp:
528         * dfg/DFGOperations.h:
529         * dfg/DFGSpeculativeJIT.h:
530         (SpeculativeJIT):
531         * dfg/DFGSpeculativeJIT32_64.cpp:
532         * dfg/DFGSpeculativeJIT64.cpp:
533
534 2013-02-17  Csaba Osztrogonác  <ossy@webkit.org>
535
536         Unreviewed buildfix for JSVALUE32_64 builds after r143147.
537
538         * jit/JIT.h:
539
540 2013-02-17  Filip Pizlo  <fpizlo@apple.com>
541
542         Move all Structure out-of-line inline methods to StructureInlines.h
543         https://bugs.webkit.org/show_bug.cgi?id=110024
544
545         Rubber stamped by Mark Hahnenberg and Sam Weinig.
546         
547         This was supposed to be easy.
548         
549         But, initially, there was a Structure inline method in CodeBlock.h, and moving that
550         into StructureInlines.h meant that Operations.h included CodeBlock.h. This would
551         cause WebCore build failures, because CodeBlock.h transitively included the JSC
552         parser (via many, many paths), and the JSC parser defines tokens using enumeration
553         elements that CSSGrammar.cpp (generated by bison) would #define. For example,
554         bison would give CSSGrammar.cpp a #define FUNCTION 123, and would do so before
555         including anything interesting. The JSC parser would have an enum that included
556         FUNCTION as an element. Hence the JSC parser included into CSSGrammar.cpp would have
557         a token element called FUNCTION declared in an enumeration, but FUNCTION was
558         #define'd to 123, leading to a parser error.
559         
560         Wow.
561         
562         So I removed all transitive include paths from CodeBlock.h to the JSC Parser. I
563         believe I was able to do so without out-of-lining anything interesting or performance
564         critical. This is probably a purely good thing to have done: it will be nice to be
565         able to make changes to the parser without having to compile the universe.
566         
567         Of course, doing this caused a bunch of other things to not compile, since a bunch of
568         headers relied on things being implicitly included for them when they transitively
569         included the parser. I fixed a lot of that.
570         
571         Finally, I ended up removing the method that depended on CodeBlock.h from
572         StructureInlines.h, and putting it in Structure.cpp. That might seem like all of this
573         was a waste of time, except that I suspect it was a worthwhile forcing function for
574         cleaning up a bunch of cruft.
575         
576         * API/JSCallbackFunction.cpp:
577         * CMakeLists.txt:
578         * GNUmakefile.list.am:
579         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
580         * JavaScriptCore.xcodeproj/project.pbxproj:
581         * Target.pri:
582         * bytecode/CodeBlock.h:
583         (JSC):
584         * bytecode/EvalCodeCache.h:
585         * bytecode/SamplingTool.h:
586         * bytecode/UnlinkedCodeBlock.cpp:
587         (JSC::UnlinkedFunctionExecutable::parameterCount):
588         (JSC):
589         * bytecode/UnlinkedCodeBlock.h:
590         (UnlinkedFunctionExecutable):
591         * bytecompiler/BytecodeGenerator.h:
592         * bytecompiler/Label.h:
593         (JSC):
594         * dfg/DFGByteCodeParser.cpp:
595         * dfg/DFGByteCodeParser.h:
596         * dfg/DFGFPRInfo.h:
597         * dfg/DFGRegisterBank.h:
598         * heap/HandleStack.cpp:
599         * jit/JITWriteBarrier.h:
600         * parser/Nodes.h:
601         (JSC):
602         * parser/Parser.h:
603         * parser/ParserError.h: Added.
604         (JSC):
605         (JSC::ParserError::ParserError):
606         (ParserError):
607         (JSC::ParserError::toErrorObject):
608         * parser/ParserModes.h:
609         * parser/SourceProvider.cpp: Added.
610         (JSC):
611         (JSC::SourceProvider::SourceProvider):
612         (JSC::SourceProvider::~SourceProvider):
613         * parser/SourceProvider.h:
614         (JSC):
615         (SourceProvider):
616         * runtime/ArrayPrototype.cpp:
617         * runtime/DatePrototype.cpp:
618         * runtime/Executable.h:
619         * runtime/JSGlobalObject.cpp:
620         * runtime/JSGlobalObject.h:
621         (JSC):
622         * runtime/Operations.h:
623         * runtime/Structure.cpp:
624         (JSC::Structure::prototypeForLookup):
625         (JSC):
626         * runtime/Structure.h:
627         (JSC):
628         * runtime/StructureInlines.h: Added.
629         (JSC):
630         (JSC::Structure::create):
631         (JSC::Structure::createStructure):
632         (JSC::Structure::get):
633         (JSC::Structure::masqueradesAsUndefined):
634         (JSC::SlotVisitor::internalAppend):
635         (JSC::Structure::transitivelyTransitionedFrom):
636         (JSC::Structure::setEnumerationCache):
637         (JSC::Structure::enumerationCache):
638         (JSC::Structure::prototypeForLookup):
639         (JSC::Structure::prototypeChain):
640         (JSC::Structure::isValid):
641         * runtime/StructureRareData.cpp:
642
643 2013-02-17  Roger Fong  <roger_fong@apple.com>
644
645         Unreviewed. Windows build fix.
646
647         * runtime/CodeCache.h:
648         (CodeCacheMap):
649
650 2013-02-16  Geoffrey Garen  <ggaren@apple.com>
651
652         Code cache should be explicit about what it caches
653         https://bugs.webkit.org/show_bug.cgi?id=110039
654
655         Reviewed by Oliver Hunt.
656
657         This patch makes the code cache more explicit in two ways:
658
659         (1) The cache caches top-level scripts. Any sub-functions executed as a
660         part of a script are cached with it and evicted with it.
661
662         This simplifies things by eliminating out-of-band sub-function tracking,
663         and fixes pathological cases where functions for live scripts would be
664         evicted in favor of functions for dead scripts, and/or high probability
665         functions executed early in script lifetime would be evicted in favor of
666         low probability functions executed late in script lifetime, due to LRU.
667
668         Statistical data from general browsing and PLT confirms that caching
669         functions independently of scripts is not profitable.
670
671         (2) The cache tracks script size, not script count.
672
673         This reduces the worst-case cache size by a factor of infinity.
674
675         Script size is a reasonable first-order estimate of in-memory footprint 
676         for a cached script because there are no syntactic constructs that have
677         super-linear memory footprint.
678
679         * bytecode/UnlinkedCodeBlock.cpp:
680         (JSC::generateFunctionCodeBlock): Moved this function out of the cache
681         because it does not consult the cache, and is not managed by it.
682
683         (JSC::UnlinkedFunctionExecutable::visitChildren): Visit our code blocks
684         because they are strong references now, rather than weak, a la (1).
685
686         (JSC::UnlinkedFunctionExecutable::codeBlockFor): Updated for interface changes.
687
688         * bytecode/UnlinkedCodeBlock.h:
689         (UnlinkedFunctionExecutable):
690         (UnlinkedFunctionCodeBlock): Strong now, not weak, a la (1).
691
692         * runtime/CodeCache.cpp:
693         (JSC::CodeCache::CodeCache):
694         * runtime/CodeCache.h:
695         (JSC::SourceCodeKey::length):
696         (SourceCodeKey):
697         (CodeCacheMap):
698         (JSC::CodeCacheMap::CodeCacheMap):
699         (JSC::CodeCacheMap::find):
700         (JSC::CodeCacheMap::set):
701         (JSC::CodeCacheMap::clear):
702         (CodeCache):
703         (JSC::CodeCache::clear): Removed individual function tracking, due to (1).
704         Added explicit character counting, for (2).
705
706         You might think 16000000 characters is a lot. It is. But this patch
707         didn't establish that limit -- it just took the existing limit and
708         made it more visible. I intend to reduce the size of the cache in a
709         future patch.
710
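A size-bounded LRU cache of the kind point (2) above describes, as an added illustration that is not JavaScriptCore's CodeCacheMap: entries are whole scripts keyed by source text (so a script's sub-functions are cached and evicted with it, per point (1)), the budget is counted in characters rather than entries, and eviction from the cold end keeps the total under the budget. SizeBoundedCodeCache, CachedScript, the 30-character budget and the sample scripts are constructed here for the example.

```cpp
#include <cstddef>
#include <list>
#include <string>
#include <unordered_map>
#include <utility>
#include <vector>

// Stand-in for a cached top-level script (assumed shape): whatever was built
// for the whole script plus the sub-functions compiled as part of it, which
// live and are evicted together with it.
struct CachedScript {
    std::vector<std::string> functionNames;
};

// LRU map bounded by total source characters, not entry count.
// Hypothetical name; not JSC's CodeCacheMap.
class SizeBoundedCodeCache {
    typedef std::pair<std::string, CachedScript> Entry;
    typedef std::list<Entry> Entries;
public:
    explicit SizeBoundedCodeCache(size_t capacityInCharacters)
        : m_capacity(capacityInCharacters), m_size(0) { }

    // Hit: mark the script most recently used and return it. Miss: nullptr.
    const CachedScript* find(const std::string& source) {
        auto it = m_index.find(source);
        if (it == m_index.end())
            return nullptr;
        m_lru.splice(m_lru.begin(), m_lru, it->second); // move to the hot end
        return &it->second->second;
    }

    // Insert or replace, then evict from the cold end until the character
    // budget is met. A script larger than the whole budget is evicted at once,
    // so the total can never exceed the capacity (the "worst case" point (2) fixes).
    void set(const std::string& source, const CachedScript& script) {
        auto it = m_index.find(source);
        if (it != m_index.end()) {
            m_size -= it->second->first.size();
            m_lru.erase(it->second);
            m_index.erase(it);
        }
        m_lru.push_front(Entry(source, script));
        m_index[source] = m_lru.begin();
        m_size += source.size();
        while (m_size > m_capacity)
            evictLeastRecentlyUsed();
    }

    size_t sizeInCharacters() const { return m_size; }
    size_t count() const { return m_lru.size(); }

private:
    void evictLeastRecentlyUsed() {
        const Entry& victim = m_lru.back();
        m_size -= victim.first.size();
        m_index.erase(victim.first);
        m_lru.pop_back();
    }

    size_t m_capacity;
    size_t m_size;
    Entries m_lru;
    std::unordered_map<std::string, Entries::iterator> m_index;
};

// Constructed walkthrough with a 30-character budget. Returns the labels of the
// scripts still cached at the end, in insertion order: "BD".
std::string demonstrateEviction() {
    SizeBoundedCodeCache cache(30);
    const std::string scripts[4] = {
        "var a = 1;",        // 10 characters
        "var bb = 22;",      // 12 characters
        "var ccc = 333;",    // 14 characters
        "var dddd = 4444;"   // 16 characters
    };
    const char labels[4] = { 'A', 'B', 'C', 'D' };
    CachedScript parsed; // contents are irrelevant to the eviction walkthrough
    cache.set(scripts[0], parsed); // total 10
    cache.set(scripts[1], parsed); // total 22
    cache.set(scripts[2], parsed); // total 36 > 30: evicts A (coldest), total 26
    cache.find(scripts[1]);        // touch B so it becomes the hottest entry
    cache.set(scripts[3], parsed); // total 42 > 30: evicts C, not B, total 28
    std::string survivors;
    for (int i = 0; i < 4; ++i) {
        if (cache.find(scripts[i]))
            survivors += labels[i];
    }
    return survivors;
}

// A single script larger than the budget cannot be retained: the cache stays
// bounded instead of growing to fit it. Returns 0.
size_t countAfterOversizedInsert() {
    SizeBoundedCodeCache cache(8);
    CachedScript parsed;
    cache.set("var tooBig = 'x';", parsed);
    return cache.count();
}
```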
711 2013-02-16  Filip Pizlo  <fpizlo@apple.com>
712
713         Remove support for bytecode comments, since it doesn't build, and hasn't been used in a while.
714         https://bugs.webkit.org/show_bug.cgi?id=110035
715
716         Rubber stamped by Andreas Kling.
717         
718         There are other ways of achieving the same effect, like adding print statements to the bytecode generator.
719         The fact that this feature doesn't build and nobody noticed implies that it's probably not a popular
720         feature. As well, the amount of wiring that was required for it was quite big considering its relatively
721         modest utility.
722
723         * GNUmakefile.list.am:
724         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
725         * JavaScriptCore.xcodeproj/project.pbxproj:
726         * bytecode/CodeBlock.cpp:
727         (JSC):
728         (JSC::CodeBlock::dumpBytecode):
729         (JSC::CodeBlock::CodeBlock):
730         * bytecode/CodeBlock.h:
731         (CodeBlock):
732         * bytecode/Comment.h: Removed.
733         * bytecompiler/BytecodeGenerator.cpp:
734         (JSC::BytecodeGenerator::BytecodeGenerator):
735         (JSC::BytecodeGenerator::emitOpcode):
736         (JSC):
737         * bytecompiler/BytecodeGenerator.h:
738         (BytecodeGenerator):
739         (JSC::BytecodeGenerator::symbolTable):
740
741 2013-02-16  Brent Fulgham  <bfulgham@webkit.org>
742
743         [Windows] Unreviewed Visual Studio 2010 build fix after r143117
744
745         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props: Reference new path to property sheets.
746         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
747         Build correction after new operator == added.
748
749 2013-02-16  Filip Pizlo  <fpizlo@apple.com>
750
751         Fix indentation of Structure.h
752
753         Rubber stamped by Mark Hahnenberg.
754
755         * runtime/Structure.h:
756
757 2013-02-16  Christophe Dumez  <ch.dumez@sisa.samsung.com>
758
759         Unreviewed build fix.
760
761         Export symbol for new CString operator== operator to fix Windows build.
762
763         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
764
765 2013-02-15  Filip Pizlo  <fpizlo@apple.com>
766
767         Structure should be more methodical about the relationship between m_offset and m_propertyTable
768         https://bugs.webkit.org/show_bug.cgi?id=109978
769
770         Reviewed by Mark Hahnenberg.
771         
772         Allegedly, the previous relationship was that either m_propertyTable or m_offset
773         would be set, and if m_propertyTable was not set you could rebuild it.  In reality,
774         we would sometimes "reset" both: some transitions wouldn't set m_offset, and other
775         transitions would clear the previous structure's m_propertyTable.  So, in a
776         structure transition chain of A->B->C you could have:
777
778         A transitions to B: B doesn't copy m_offset but does copy m_propertyTable, because
779             that seemed like a good idea at the time (this was a common idiom in the code).
780         B transitions to C: C steals B's m_propertyTable, leaving B with neither a
781             m_propertyTable nor a m_offset.
782
783         Then we would ask for the size of the property storage of B and get the answer
784         "none".  That's not good.
785
786         Now, there is a new relationship, which, hopefully, should fix things: m_offset is
787         always set and always refers to the maximum offset ever used by the property table.
788         From this, you can infer both the inline and out-of-line property size, and
789         capacity.  This is accomplished by having PropertyTable::add() take a
790         PropertyOffset reference, which must be Structure::m_offset.  It will update this
791         offset.  As well, all transitions now copy m_offset.  And we frequently assert
792         (using RELEASE_ASSERT) that the m_offset matches what m_propertyTable would tell
793         you.  Hence if you ever modify the m_propertyTable, you'll also update the offset.
794         If you ever copy the property table, you'll also copy the offset.  Life should be
795         good, I think.
796
797         * runtime/PropertyMapHashTable.h:
798         (JSC::PropertyTable::add):
799         * runtime/Structure.cpp:
800         (JSC::Structure::materializePropertyMap):
801         (JSC::Structure::addPropertyTransition):
802         (JSC::Structure::removePropertyTransition):
803         (JSC::Structure::changePrototypeTransition):
804         (JSC::Structure::despecifyFunctionTransition):
805         (JSC::Structure::attributeChangeTransition):
806         (JSC::Structure::toDictionaryTransition):
807         (JSC::Structure::sealTransition):
808         (JSC::Structure::freezeTransition):
809         (JSC::Structure::preventExtensionsTransition):
810         (JSC::Structure::nonPropertyTransition):
811         (JSC::Structure::flattenDictionaryStructure):
812         (JSC::Structure::checkConsistency):
813         (JSC::Structure::putSpecificValue):
814         (JSC::Structure::createPropertyMap):
815         (JSC::PropertyTable::checkConsistency):
816         * runtime/Structure.h:
817         (JSC):
818         (JSC::Structure::putWillGrowOutOfLineStorage):
819         (JSC::Structure::outOfLineCapacity):
820         (JSC::Structure::outOfLineSize):
821         (JSC::Structure::isEmpty):
822         (JSC::Structure::materializePropertyMapIfNecessary):
823         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
824         (Structure):
825         (JSC::Structure::checkOffsetConsistency):
826
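        The m_offset / m_propertyTable relationship described in the entry above, as an added toy model in C++ (example code, not JavaScriptCore's Structure or PropertyTable): add() takes the structure's offset by reference and advances it, a transition steals the previous structure's table, and a consistency check in the style of the RELEASE_ASSERT the entry mentions compares the two. The names PropertyTable, Structure, addPropertyTransition and checkOffsetConsistency echo the entry's file list, but their bodies, the OffsetScheme enum and runChain are this example's own. The "old" scheme reproduces the A->B->C case in which B is left with neither table nor offset and answers "none" for its property storage; the "new" scheme copies the offset on every transition and keeps the chain consistent.

```cpp
// Added toy model of the m_offset / m_propertyTable relationship; not
// JavaScriptCore's Structure or PropertyTable code.
#include <algorithm>
#include <cassert>
#include <cstdio>
#include <map>
#include <memory>
#include <string>
#include <utility>

typedef int PropertyOffset;
static const PropertyOffset invalidOffset = -1;

struct PropertyTable {
    std::map<std::string, PropertyOffset> entries;

    // add() is handed the owning Structure's m_offset by reference and
    // advances it, so the table can never grow without the offset following.
    PropertyOffset add(const std::string& name, PropertyOffset& maxOffset)
    {
        PropertyOffset offset = maxOffset + 1;
        entries[name] = offset;
        maxOffset = offset;
        return offset;
    }

    PropertyOffset maxOffset() const
    {
        PropertyOffset best = invalidOffset;
        for (const auto& entry : entries)
            best = std::max(best, entry.second);
        return best;
    }
};

// The two schemes the entry contrasts (names are this example's, not JSC's).
enum OffsetScheme { OffsetSometimesReset, OffsetAlwaysCopied };

struct Structure {
    std::unique_ptr<PropertyTable> m_propertyTable; // may be absent: tables get stolen
    PropertyOffset m_offset = invalidOffset;

    // Property-storage size as the engine would answer it: from the table if
    // one is present, otherwise from m_offset alone.
    int propertyCount() const
    {
        if (m_propertyTable)
            return static_cast<int>(m_propertyTable->entries.size());
        return m_offset + 1;
    }

    // RELEASE_ASSERT-style check: whenever a table is present, m_offset must
    // equal the largest offset the table has handed out.
    bool checkOffsetConsistency() const
    {
        return !m_propertyTable || m_propertyTable->maxOffset() == m_offset;
    }
};

// "C steals B's m_propertyTable": the new structure takes the table and, under
// the new scheme, always carries the offset forward as well.
static std::unique_ptr<Structure> addPropertyTransition(Structure& previous, const std::string& name, OffsetScheme scheme)
{
    std::unique_ptr<Structure> next(new Structure);
    next->m_propertyTable = std::move(previous.m_propertyTable); // the steal
    if (!next->m_propertyTable)
        next->m_propertyTable.reset(new PropertyTable);
    if (scheme == OffsetAlwaysCopied) {
        next->m_offset = previous.m_offset;
        next->m_propertyTable->add(name, next->m_offset);
    } else {
        // Old scheme: the transition trusted the table alone and left m_offset unset.
        PropertyOffset scratch = next->m_propertyTable->maxOffset();
        next->m_propertyTable->add(name, scratch);
    }
    return next;
}

struct ChainResult {
    int bPropertyCount; // what B reports after C stole its table
    bool consistent;    // whether A, B and C all pass checkOffsetConsistency()
};

// Reproduces the A->B->C chain from the entry under the chosen scheme.
static ChainResult runChain(OffsetScheme scheme)
{
    Structure a;
    a.m_propertyTable.reset(new PropertyTable);
    std::unique_ptr<Structure> b = addPropertyTransition(a, "x", scheme);
    std::unique_ptr<Structure> c = addPropertyTransition(*b, "y", scheme);
    assert(!b->m_propertyTable); // B lost its table to C under both schemes
    ChainResult result;
    result.bPropertyCount = b->propertyCount();
    result.consistent = a.checkOffsetConsistency() && b->checkOffsetConsistency() && c->checkOffsetConsistency();
    return result;
}

int main()
{
    ChainResult oldScheme = runChain(OffsetSometimesReset);
    ChainResult newScheme = runChain(OffsetAlwaysCopied);
    std::printf("old scheme: B reports %d properties, chain consistent: %s\n", oldScheme.bPropertyCount, oldScheme.consistent ? "yes" : "no");
    std::printf("new scheme: B reports %d properties, chain consistent: %s\n", newScheme.bPropertyCount, newScheme.consistent ? "yes" : "no");
    return 0;
}
```

        Under the old scheme B reports zero properties and C's table disagrees with its offset; under the new scheme B reports its one property and every structure passes the check, even those that no longer own a table.
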
827 2013-02-15  Martin Robinson  <mrobinson@igalia.com>
828
829         [GTK] Spread the gyp build files throughout the tree
830         https://bugs.webkit.org/show_bug.cgi?id=109960
831
832         Reviewed by Dirk Pranke.
833
834         * JavaScriptCore.gyp/JavaScriptCoreGTK.gyp: Renamed from Source/WebKit/gtk/gyp/JavaScriptCore.gyp.
835         * JavaScriptCore.gyp/generate-derived-sources.sh: Renamed from Source/WebKit/gtk/gyp/generate-derived-sources.sh.
836
837 2013-02-15  Filip Pizlo  <fpizlo@apple.com>
838
839         DFG SpeculativeJIT64 should be more precise about when it's dealing with a cell (even though it probably doesn't matter)
840         https://bugs.webkit.org/show_bug.cgi?id=109625
841
842         Reviewed by Mark Hahnenberg.
843
844         * dfg/DFGSpeculativeJIT64.cpp:
845         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
846         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
847         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
848         (JSC::DFG::SpeculativeJIT::compile):
849
850 2013-02-15  Geoffrey Garen  <ggaren@apple.com>
851
852         Merged the global function cache into the source code cache
853         https://bugs.webkit.org/show_bug.cgi?id=108660
854
855         Reviewed by Sam Weinig.
856
857         Responding to review comments by Darin Adler.
858
859         * runtime/CodeCache.h:
860         (JSC::SourceCodeKey::SourceCodeKey): Don't initialize m_name and m_flags
861         in the hash table deleted value because they're meaningless.
862
863 2013-02-14  Filip Pizlo  <fpizlo@apple.com>
864
865         DFG AbstractState should filter operands to NewArray more precisely
866         https://bugs.webkit.org/show_bug.cgi?id=109900
867
868         Reviewed by Mark Hahnenberg.
869         
870         NewArray for primitive indexing types speculates that the inputs are the appropriate
871         primitives. Now, the CFA filters the abstract state accordingly, as well.
872
873         * dfg/DFGAbstractState.cpp:
874         (JSC::DFG::AbstractState::execute):
875
876 2013-02-15  Andreas Kling  <akling@apple.com>
877
878         Yarr: Use OwnPtr to make pattern/disjunction/character-class ownership clearer.
879         <http://webkit.org/b/109218>
880
881         Reviewed by Benjamin Poulain.
882
883         - Let classes that manage lifetime of other objects hold on to them with OwnPtr instead of raw pointers.
884         - Placed some strategic Vector::shrinkToFit(), ::reserveInitialCapacity() and ::swap().
885
886         668 kB progression on Membuster3.
887
888         * yarr/YarrInterpreter.cpp:
889         (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternEnd):
890         (JSC::Yarr::ByteCompiler::emitDisjunction):
891         (ByteCompiler):
892         * yarr/YarrInterpreter.h:
893         (JSC::Yarr::BytecodePattern::BytecodePattern):
894         (BytecodePattern):
895         * yarr/YarrJIT.cpp:
896         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
897         (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
898         (JSC::Yarr::YarrGenerator::opCompileBody):
899         * yarr/YarrPattern.cpp:
900         (JSC::Yarr::CharacterClassConstructor::charClass):
901         (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
902         (JSC::Yarr::YarrPatternConstructor::reset):
903         (JSC::Yarr::YarrPatternConstructor::atomPatternCharacter):
904         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassEnd):
905         (JSC::Yarr::YarrPatternConstructor::copyDisjunction):
906         (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):
907         (JSC::Yarr::YarrPatternConstructor::checkForTerminalParentheses):
908         (JSC::Yarr::YarrPatternConstructor::optimizeBOL):
909         (JSC::Yarr::YarrPatternConstructor::containsCapturingTerms):
910         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
911         * yarr/YarrPattern.h:
912         (JSC::Yarr::PatternDisjunction::addNewAlternative):
913         (PatternDisjunction):
914         (YarrPattern):
915         (JSC::Yarr::YarrPattern::reset):
916         (JSC::Yarr::YarrPattern::newlineCharacterClass):
917         (JSC::Yarr::YarrPattern::digitsCharacterClass):
918         (JSC::Yarr::YarrPattern::spacesCharacterClass):
919         (JSC::Yarr::YarrPattern::wordcharCharacterClass):
920         (JSC::Yarr::YarrPattern::nondigitsCharacterClass):
921         (JSC::Yarr::YarrPattern::nonspacesCharacterClass):
922         (JSC::Yarr::YarrPattern::nonwordcharCharacterClass):
923
924 2013-02-14  Geoffrey Garen  <ggaren@apple.com>
925
926         Merged the global function cache into the source code cache
927         https://bugs.webkit.org/show_bug.cgi?id=108660
928
929         Reviewed by Sam Weinig.
930
931         This has a few benefits:
932
933             (*) Saves a few kB by removing a second cache data structure.
934
935             (*) Reduces the worst case memory usage of the cache by 1.75X. (Heavy
936             use of 'new Function' and other techniques could cause us to fill
937             both root caches, and they didn't trade off against each other.)
938
939             (*) Paves the way for future improvements based on a non-trivial
940             cache key (for example, shrinkable pointer to the key string, and
941             more precise cache size accounting).
942
943         Also cleaned up the cache implementation and simplified it a bit.
944
945         * heap/Handle.h:
946         (HandleBase):
947         * heap/Strong.h:
948         (Strong): Build!
949
950         * runtime/CodeCache.cpp:
951         (JSC):
952         (JSC::CodeCache::getCodeBlock):
953         (JSC::CodeCache::generateFunctionCodeBlock):
954         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
955         (JSC::CodeCache::usedFunctionCode): Updated for three interface changes:
956
957             (*) SourceCodeKey is a class, not a pair.
958
959             (*) Table values are abstract pointers, since they can be executables
960             or code blocks. (In a future patch, I'd like to change this so we
961             always store only code blocks. But that's too much for one patch.)
962
963             (*) The cache function is named "set" because it always overwrites
964             unconditionally.
965
966         * runtime/CodeCache.h:
967         (CacheMap):
968         (JSC::CacheMap::find):
969         (JSC::CacheMap::set):
970         (JSC::CacheMap::clear): Added support for specifying hash traits, so we
971         can use a SourceCodeKey.
972
973         Removed side table and random number generator to save space and reduce
974         complexity. Hash tables are already random, so we don't need another source
975         of randomness.
976
977         (SourceCodeKey):
978         (JSC::SourceCodeKey::SourceCodeKey):
979         (JSC::SourceCodeKey::isHashTableDeletedValue):
980         (JSC::SourceCodeKey::hash):
981         (JSC::SourceCodeKey::isNull):
982         (JSC::SourceCodeKey::operator==):
983         (JSC::SourceCodeKeyHash::hash):
984         (JSC::SourceCodeKeyHash::equal):
985         (SourceCodeKeyHash):
986         (SourceCodeKeyHashTraits):
987         (JSC::SourceCodeKeyHashTraits::isEmptyValue): A SourceCodeKey is just a
988         fancy triplet: source code string; function name (or null, for non-functions);
989         and flags. Flags and function name distinguish between functions and programs
990         with identical code, so they can live in the same cache.
991
992         I chose to use the source code string as the primary hashing reference
993         because it's likely to be unique. We can use profiling to choose another
994         technique in future, if collisions between functions and programs prove
995         to be hot. I suspect they won't.
996
997         (JSC::CodeCache::clear):
998         (CodeCache): Removed the second cache.
999
1000         * heap/Handle.h:
1001         (HandleBase):
1002         * heap/Strong.h:
1003         (Strong):
1004         * runtime/CodeCache.cpp:
1005         (JSC):
1006         (JSC::CodeCache::getCodeBlock):
1007         (JSC::CodeCache::generateFunctionCodeBlock):
1008         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
1009         (JSC::CodeCache::usedFunctionCode):
1010         * runtime/CodeCache.h:
1011         (JSC):
1012         (CacheMap):
1013         (JSC::CacheMap::find):
1014         (JSC::CacheMap::set):
1015         (JSC::CacheMap::clear):
1016         (SourceCodeKey):
1017         (JSC::SourceCodeKey::SourceCodeKey):
1018         (JSC::SourceCodeKey::isHashTableDeletedValue):
1019         (JSC::SourceCodeKey::hash):
1020         (JSC::SourceCodeKey::isNull):
1021         (JSC::SourceCodeKey::operator==):
1022         (JSC::SourceCodeKeyHash::hash):
1023         (JSC::SourceCodeKeyHash::equal):
1024         (SourceCodeKeyHash):
1025         (SourceCodeKeyHashTraits):
1026         (JSC::SourceCodeKeyHashTraits::isEmptyValue):
1027         (JSC::CodeCache::clear):
1028         (CodeCache):
1029
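        The SourceCodeKey design above (hash on the source string; equality on source, name and flags so functions and programs with identical code can share one table) together with the explicit character counting mentioned in the CodeCache entry further up, as one added C++ example that is not JavaScriptCore's CodeCache: a composite key with a custom hash functor, and a small CodeCache-like map whose set() overwrites unconditionally. The flag constants, the integer values standing in for executables or code blocks, and the policy of clearing the whole cache when the character budget would be exceeded are this example's assumptions.

```cpp
// Added illustration of a SourceCodeKey-style composite key and a
// character-counting cache; example code, not JavaScriptCore's CodeCache.
#include <cassert>
#include <cstddef>
#include <functional>
#include <string>
#include <unordered_map>

// Flag values are this example's own.
static const unsigned IsProgram = 0;
static const unsigned IsFunction = 1u << 0;
static const unsigned IsStrict = 1u << 1;

// "A fancy triplet": source string, function name (empty for a program) and flags.
struct SourceCodeKey {
    std::string source;
    std::string name;
    unsigned flags;

    bool operator==(const SourceCodeKey& other) const
    {
        return flags == other.flags && name == other.name && source == other.source;
    }
};

// Hash only the source string; name and flags are settled by equality, so a
// program and a function with the same text share a bucket without ever
// being mistaken for one another.
struct SourceCodeKeyHash {
    std::size_t operator()(const SourceCodeKey& key) const
    {
        return std::hash<std::string>()(key.source);
    }
};

// Values are plain integers standing in for executables or code blocks.
class CodeCache {
public:
    explicit CodeCache(std::size_t capacityInCharacters)
        : m_capacity(capacityInCharacters), m_charactersUsed(0) { }

    // set() overwrites unconditionally. Each new key is charged its source
    // length; clearing everything when the budget would be exceeded is this
    // example's policy, not necessarily JSC's.
    void set(const SourceCodeKey& key, int value)
    {
        auto it = m_map.find(key);
        if (it != m_map.end()) {
            it->second = value;
            return;
        }
        if (m_charactersUsed + key.source.size() > m_capacity)
            clear();
        m_charactersUsed += key.source.size();
        m_map[key] = value;
    }

    const int* find(const SourceCodeKey& key) const
    {
        auto it = m_map.find(key);
        return it == m_map.end() ? nullptr : &it->second;
    }

    void clear()
    {
        m_map.clear();
        m_charactersUsed = 0;
    }

    std::size_t size() const { return m_map.size(); }
    std::size_t charactersUsed() const { return m_charactersUsed; }

private:
    std::unordered_map<SourceCodeKey, int, SourceCodeKeyHash> m_map;
    std::size_t m_capacity;
    std::size_t m_charactersUsed;
};

// A program and a function with identical source text live in one table and
// still resolve to their own entries.
static bool programAndFunctionCoexist()
{
    CodeCache cache(1000);
    SourceCodeKey program = { "return 1;", "", IsProgram };
    SourceCodeKey fn = { "return 1;", "f", IsFunction | IsStrict };
    cache.set(program, 1);
    cache.set(fn, 2);
    const int* p = cache.find(program);
    const int* f = cache.find(fn);
    return p && f && *p == 1 && *f == 2 && cache.size() == 2;
}

// Character accounting: three 9-character programs against a 20-character
// budget; the third insert empties the cache before being charged.
static std::size_t charactersUsedAfterOverflow()
{
    CodeCache cache(20);
    cache.set(SourceCodeKey{ "return 1;", "", IsProgram }, 1); // 9 used
    cache.set(SourceCodeKey{ "return 2;", "", IsProgram }, 2); // 18 used
    cache.set(SourceCodeKey{ "return 3;", "", IsProgram }, 3); // 27 > 20: cleared, then 9
    return cache.charactersUsed();
}
```

        Hashing on the source alone means the only extra cost of keeping programs and functions in one table is an equality comparison on collisions, which is the trade the entry describes; the character count, not the entry count, is what the budget tracks.
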
1030 2013-02-14  Tony Chang  <tony@chromium.org>
1031
1032         Unreviewed, set svn:eol-style native for .sln, .vcproj, and .vsprops files.
1033         https://bugs.webkit.org/show_bug.cgi?id=96934
1034
1035         * JavaScriptCore.vcproj/JavaScriptCore.sln: Modified property svn:eol-style.
1036         * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln: Modified property svn:eol-style.
1037         * JavaScriptCore.vcproj/testRegExp/testRegExpCommon.vsprops: Added property svn:eol-style.
1038         * JavaScriptCore.vcproj/testRegExp/testRegExpDebug.vsprops: Added property svn:eol-style.
1039         * JavaScriptCore.vcproj/testRegExp/testRegExpDebugAll.vsprops: Added property svn:eol-style.
1040         * JavaScriptCore.vcproj/testRegExp/testRegExpDebugCairoCFLite.vsprops: Added property svn:eol-style.
1041         * JavaScriptCore.vcproj/testRegExp/testRegExpProduction.vsprops: Added property svn:eol-style.
1042         * JavaScriptCore.vcproj/testRegExp/testRegExpRelease.vsprops: Added property svn:eol-style.
1043         * JavaScriptCore.vcproj/testRegExp/testRegExpReleaseCairoCFLite.vsprops: Added property svn:eol-style.
1044         * JavaScriptCore.vcproj/testRegExp/testRegExpReleasePGO.vsprops: Added property svn:eol-style.
1045
1046 2013-02-14  Tony Chang  <tony@chromium.org>
1047
1048         Unreviewed, set svn:eol-style CRLF for .sln files.
1049
1050         * JavaScriptCore.vcproj/JavaScriptCore.sln: Modified property svn:eol-style.
1051         * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln: Modified property svn:eol-style.
1052
1053 2013-02-14  David Kilzer  <ddkilzer@apple.com>
1054
1055         [Mac] Clean up WARNING_CFLAGS
1056         <http://webkit.org/b/109747>
1057         <rdar://problem/13208373>
1058
1059         Reviewed by Mark Rowe.
1060
1061         * Configurations/Base.xcconfig: Use
1062         GCC_WARN_64_TO_32_BIT_CONVERSION to enable and disable
1063         -Wshorten-64-to-32 rather than WARNING_CFLAGS.
1064
1065         * JavaScriptCore.vcproj/JavaScriptCore.sln: Modified property svn:eol-style.
1066         * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln: Modified property svn:eol-style.
1067
1068 2013-02-13  Anders Carlsson  <andersca@apple.com>
1069
1070         Better build fix.
1071
1072         * API/tests/testapi.c:
1073         (assertEqualsAsNumber):
1074         (main):
1075
1076 2013-02-13  Roger Fong  <roger_fong@apple.com>
1077
1078         Unreviewed. Build fix.
1079
1080         * API/tests/testapi.c:
1081         (assertEqualsAsNumber):
1082         (main):
1083
1084 2013-02-13  Oliver Hunt  <oliver@apple.com>
1085
1086         Yet another build fix
1087
1088         * bytecode/CodeBlock.cpp:
1089         (JSC::CodeBlock::CodeBlock):
1090
1091 2013-02-13  Zan Dobersek  <zdobersek@igalia.com>
1092
1093         The 'global isinf/isnan' compiler quirk required when using clang with libstdc++
1094         https://bugs.webkit.org/show_bug.cgi?id=109325
1095
1096         Reviewed by Anders Carlsson.
1097
1098         Prefix calls to the isinf and isnan methods with std::, declaring we want to use the
1099         two methods as they're provided by the C++ standard library being used.
1100
1101         * API/JSValueRef.cpp:
1102         (JSValueMakeNumber):
1103         * JSCTypedArrayStubs.h:
1104         (JSC):
1105         * bytecompiler/BytecodeGenerator.cpp:
1106         (JSC::BytecodeGenerator::emitLoad):
1107         * dfg/DFGByteCodeParser.cpp:
1108         (JSC::DFG::ByteCodeParser::constantNaN):
1109         * offlineasm/cloop.rb:
1110         * runtime/DateConstructor.cpp:
1111         (JSC::dateUTC): Also include an opportunistic style fix.
1112         * runtime/DateInstance.cpp:
1113         (JSC::DateInstance::calculateGregorianDateTime):
1114         (JSC::DateInstance::calculateGregorianDateTimeUTC):
1115         * runtime/DatePrototype.cpp:
1116         (JSC::dateProtoFuncGetMilliSeconds):
1117         (JSC::dateProtoFuncGetUTCMilliseconds):
1118         (JSC::setNewValueFromTimeArgs):
1119         (JSC::setNewValueFromDateArgs):
1120         (JSC::dateProtoFuncSetYear):
1121         * runtime/JSCJSValue.cpp:
1122         (JSC::JSValue::toInteger):
1123         * runtime/JSDateMath.cpp:
1124         (JSC::getUTCOffset):
1125         (JSC::parseDateFromNullTerminatedCharacters):
1126         (JSC::parseDate):
1127         * runtime/JSGlobalObjectFunctions.cpp:
1128         (JSC::globalFuncIsNaN):
1129         * runtime/MathObject.cpp:
1130         (JSC::mathProtoFuncMax):
1131         (JSC::mathProtoFuncMin):
1132         (JSC::mathProtoFuncPow):
1133         * runtime/PropertyDescriptor.cpp:
1134         (JSC::sameValue):
1135
1136 2013-02-13  Filip Pizlo  <fpizlo@apple.com>
1137
1138         Change another use of (SpecCell & ~SpecString) to SpecObject.
1139
1140         Reviewed by Mark Hahnenberg.
1141
1142         * dfg/DFGAbstractState.cpp:
1143         (JSC::DFG::AbstractState::execute):
1144
1145 2013-02-13  Filip Pizlo  <fpizlo@apple.com>
1146
1147         ForwardInt32ToDouble is not in DFG::MinifiedNode's list of relevant node types
1148         https://bugs.webkit.org/show_bug.cgi?id=109726
1149
1150         Reviewed by Mark Hahnenberg.
1151         
1152         If you add it to the list of relevant node types, you also need to make sure
1153         it's listed as either hasChild or one of the other kinds. Otherwise you get
1154         an assertion. This is causing test failures in run-javascriptcore-tests.
1155
1156         * dfg/DFGMinifiedNode.h:
1157         (JSC::DFG::MinifiedNode::hasChild):
1158
1159 2013-02-13  Oliver Hunt  <oliver@apple.com>
1160
1161         Build fix.
1162
1163         Rearranged the code somewhat to reduce the number of
1164         DFG related ifdefs.
1165
1166         * bytecode/CodeBlock.cpp:
1167         (JSC::CodeBlock::CodeBlock):
1168
1169 2013-02-13  Filip Pizlo  <fpizlo@apple.com>
1170
1171         ForwardInt32ToDouble is not in DFG::MinifiedNode's list of relevant node types
1172         https://bugs.webkit.org/show_bug.cgi?id=109726
1173
1174         Reviewed by Gavin Barraclough.
1175         
1176         This is asymptomatic because ForwardInt32ToDouble is only used in SetLocals, in
1177         which case the value is already stored to the stack.  Still, we should fix this.
1178
1179         * dfg/DFGMinifiedNode.h:
1180         (JSC::DFG::belongsInMinifiedGraph):
1181
1182 2013-02-12  Filip Pizlo  <fpizlo@apple.com>
1183
1184         DFG LogicalNot/Branch peephole removal and inversion ignores the possibility of things exiting
1185         https://bugs.webkit.org/show_bug.cgi?id=109489
1186
1187         Reviewed by Mark Hahnenberg.
1188         
1189         If things can exit between the LogicalNot and the Branch then don't peephole.
1190
1191         * dfg/DFGFixupPhase.cpp:
1192         (JSC::DFG::FixupPhase::fixupNode):
1193
1194 2013-02-13  Oliver Hunt  <oliver@apple.com>
1195
1196         Remove unnecessary indirection to non-local variable access operations
1197         https://bugs.webkit.org/show_bug.cgi?id=109724
1198
1199         Reviewed by Filip Pizlo.
1200
1201         Linked bytecode now stores a direct pointer to the resolve operation
1202         vectors, so the interpreter no longer needs a bunch of indirection
1203         to perform non-local lookup.
1204
1205         * bytecode/CodeBlock.cpp:
1206         (JSC::CodeBlock::CodeBlock):
1207         * bytecode/CodeBlock.h:
1208         (CodeBlock):
1209         * bytecode/Instruction.h:
1210         * dfg/DFGByteCodeParser.cpp:
1211         (ByteCodeParser):
1212         (InlineStackEntry):
1213         (JSC::DFG::ByteCodeParser::parseResolveOperations):
1214         (JSC::DFG::ByteCodeParser::parseBlock):
1215         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1216         * dfg/DFGCapabilities.h:
1217         (JSC::DFG::canInlineOpcode):
1218         * dfg/DFGGraph.h:
1219         (ResolveGlobalData):
1220         (ResolveOperationData):
1221         (PutToBaseOperationData):
1222         * dfg/DFGSpeculativeJIT.h:
1223         * dfg/DFGSpeculativeJIT32_64.cpp:
1224         (JSC::DFG::SpeculativeJIT::compile):
1225         * dfg/DFGSpeculativeJIT64.cpp:
1226         (JSC::DFG::SpeculativeJIT::compile):
1227         * jit/JITOpcodes.cpp:
1228         (JSC::JIT::emit_op_put_to_base):
1229         (JSC::JIT::emit_op_resolve):
1230         (JSC::JIT::emitSlow_op_resolve):
1231         (JSC::JIT::emit_op_resolve_base):
1232         (JSC::JIT::emitSlow_op_resolve_base):
1233         (JSC::JIT::emit_op_resolve_with_base):
1234         (JSC::JIT::emitSlow_op_resolve_with_base):
1235         (JSC::JIT::emit_op_resolve_with_this):
1236         (JSC::JIT::emitSlow_op_resolve_with_this):
1237         (JSC::JIT::emitSlow_op_put_to_base):
1238         * jit/JITOpcodes32_64.cpp:
1239         (JSC::JIT::emit_op_put_to_base):
1240         * llint/LLIntSlowPaths.cpp:
1241         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1242         * llint/LowLevelInterpreter.asm:
1243
1244 2013-02-13  Zoltan Herczeg  <zherczeg@webkit.org>
1245
1246         replaceWithJump should not decrease the offset by 1 on ARM traditional.
1247         https://bugs.webkit.org/show_bug.cgi?id=109689
1248
1249         Reviewed by Oliver Hunt.
1250
1251         * assembler/ARMAssembler.h:
1252         (JSC::ARMAssembler::replaceWithJump):
1253
1254 2013-02-12  Joseph Pecoraro  <pecoraro@apple.com>
1255
1256         [iOS] Enable PAGE_VISIBILITY_API
1257         https://bugs.webkit.org/show_bug.cgi?id=109399
1258
1259         Reviewed by David Kilzer.
1260
1261         * Configurations/FeatureDefines.xcconfig:
1262
1263 2013-02-12  Filip Pizlo  <fpizlo@apple.com>
1264
1265         Renamed SpecObjectMask to SpecObject.
1266
1267         Rubber stamped by Mark Hahnenberg.
1268         
1269         "SpecObjectMask" is a weird name considering that a bunch of the other speculated
1270         types are also masks, but don't have "Mask" in the name.
1271
1272         * bytecode/SpeculatedType.h:
1273         (JSC):
1274         (JSC::isObjectSpeculation):
1275         (JSC::isObjectOrOtherSpeculation):
1276         * dfg/DFGAbstractState.cpp:
1277         (JSC::DFG::AbstractState::execute):
1278         * dfg/DFGPredictionPropagationPhase.cpp:
1279         (JSC::DFG::PredictionPropagationPhase::propagate):
1280         * dfg/DFGSpeculativeJIT.cpp:
1281         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
1282         * dfg/DFGSpeculativeJIT32_64.cpp:
1283         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1284         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1285         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1286         * dfg/DFGSpeculativeJIT64.cpp:
1287         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1288         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1289         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1290
1291 2013-02-12  Filip Pizlo  <fpizlo@apple.com>
1292
1293         DFG CFA doesn't filter precisely enough for CompareStrictEq
1294         https://bugs.webkit.org/show_bug.cgi?id=109618
1295
1296         Reviewed by Mark Hahnenberg.
1297         
1298         The backend speculates object for this case, but the CFA was filtering on
1299         (SpecCell & ~SpecString) | SpecOther.
1300
1301         * dfg/DFGAbstractState.cpp:
1302         (JSC::DFG::AbstractState::execute):
1303
1304 2013-02-12  Martin Robinson  <mrobinson@igalia.com>
1305
1306         Fix the gyp build of JavaScriptCore.
1307
1308         * JavaScriptCore.gypi: Added some missing DFG files to the source list.
1309
1310 2013-02-12  Sheriff Bot  <webkit.review.bot@gmail.com>
1311
1312         Unreviewed, rolling out r142387.
1313         http://trac.webkit.org/changeset/142387
1314         https://bugs.webkit.org/show_bug.cgi?id=109601
1315
1316         caused all layout and jscore tests on windows to fail
1317         (Requested by kling on #webkit).
1318
1319         * bytecode/UnlinkedCodeBlock.cpp:
1320         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1321         * bytecode/UnlinkedCodeBlock.h:
1322         (UnlinkedCodeBlock):
1323
1324 2013-02-11  Filip Pizlo  <fpizlo@apple.com>
1325
1326         DFG CompareEq optimization should be retuned
1327         https://bugs.webkit.org/show_bug.cgi?id=109545
1328
1329         Reviewed by Mark Hahnenberg.
1330         
1331         - Made the object-to-object equality case work again by hoisting the if statement
1332           for it. Previously, object-to-object equality would be compiled as
1333           object-to-object-or-other.
1334         
1335         - Added AbstractState guards for most of the type checks that the object equality
1336           code uses.
1337         
1338         Looks like a hint of a speed-up on all of the things.
1339
1340         * dfg/DFGAbstractState.cpp:
1341         (JSC::DFG::AbstractState::execute):
1342         * dfg/DFGSpeculativeJIT.cpp:
1343         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
1344         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
1345         (JSC::DFG::SpeculativeJIT::compare):
1346         * dfg/DFGSpeculativeJIT32_64.cpp:
1347         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1348         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1349         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1350         * dfg/DFGSpeculativeJIT64.cpp:
1351         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1352         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1353         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1354
1355 2013-02-12  Gabor Rapcsanyi  <rgabor@webkit.org>
1356
1357         JSC asserting with long parameter list functions in debug mode on ARM traditional
1358         https://bugs.webkit.org/show_bug.cgi?id=109565
1359
1360         Reviewed by Zoltan Herczeg.
1361
1362         Increase the value of sequenceGetByIdSlowCaseInstructionSpace to 80.
1363
1364         * jit/JIT.h:
1365
1366 2013-02-11  Oliver Hunt  <oliver@apple.com>
1367
1368         Make JSC API more NULL tolerant
1369         https://bugs.webkit.org/show_bug.cgi?id=109515
1370
1371         Reviewed by Mark Hahnenberg.
1372
1373         We do so much marshalling for the C API these days anyway that a single null
1374         check isn't a performance issue.  Yet the existing "null is unsafe" behaviour
1375         leads to crashes in embedding applications whenever there's an untested code
1376         path, so it seems having defined behaviour is superior.
1377
1378         * API/APICast.h:
1379         (toJS):
1380         (toJSForGC):
1381         * API/JSObjectRef.cpp:
1382         (JSObjectIsFunction):
1383         (JSObjectCallAsFunction):
1384         (JSObjectIsConstructor):
1385         (JSObjectCallAsConstructor):
1386         * API/tests/testapi.c:
1387         (main):
1388
1389 2013-02-11  Filip Pizlo  <fpizlo@apple.com>
1390
1391         Unreviewed, adding a FIXME to remind ourselves of a bug.
1392         https://bugs.webkit.org/show_bug.cgi?id=109487
1393
1394         * dfg/DFGSpeculativeJIT.cpp:
1395         (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
1396
1397 2013-02-11  Filip Pizlo  <fpizlo@apple.com>
1398
1399         Strange bug in DFG OSR in JSC
1400         https://bugs.webkit.org/show_bug.cgi?id=109491
1401
1402         Reviewed by Mark Hahnenberg.
1403         
1404         Int32ToDouble was being injected after a side-effecting operation and before a SetLocal. Anytime we
1405         inject something just before a SetLocal we should be aware that the previous operation may have been
1406         a side-effect associated with the current code origin. Hence, we should use a forward exit.
1407         Int32ToDouble does not do forward exits by default.
1408         
1409         This patch adds a forward-exiting form of Int32ToDouble, for use in SetLocal Int32ToDouble injections.
1410         Changed the CSE and other things to treat these nodes identically, but for the exit strategy to be
1411         distinct (Int32ToDouble -> backward, ForwardInt32ToDouble -> forward). The use of the NodeType for
1412         signaling exit direction is not "great" but it's what we use in other places already (like
1413         ForwardCheckStructure).
1414
1415         * dfg/DFGAbstractState.cpp:
1416         (JSC::DFG::AbstractState::execute):
1417         * dfg/DFGCSEPhase.cpp:
1418         (JSC::DFG::CSEPhase::int32ToDoubleCSE):
1419         (CSEPhase):
1420         (JSC::DFG::CSEPhase::performNodeCSE):
1421         * dfg/DFGCommon.h:
1422         * dfg/DFGFixupPhase.cpp:
1423         (JSC::DFG::FixupPhase::fixupNode):
1424         (JSC::DFG::FixupPhase::fixDoubleEdge):
1425         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
1426         * dfg/DFGNode.h:
1427         (JSC::DFG::Node::willHaveCodeGenOrOSR):
1428         * dfg/DFGNodeType.h:
1429         (DFG):
1430         * dfg/DFGPredictionPropagationPhase.cpp:
1431         (JSC::DFG::PredictionPropagationPhase::propagate):
1432         * dfg/DFGSpeculativeJIT.cpp:
1433         (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
1434         (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
1435         * dfg/DFGSpeculativeJIT.h:
1436         * dfg/DFGSpeculativeJIT32_64.cpp:
1437         (JSC::DFG::SpeculativeJIT::compile):
1438         * dfg/DFGSpeculativeJIT64.cpp:
1439         (JSC::DFG::SpeculativeJIT::compile):
1440         * dfg/DFGVariableEventStream.cpp:
1441         (JSC::DFG::VariableEventStream::reconstruct):
1442
1443 2013-02-11  Filip Pizlo  <fpizlo@apple.com>
1444
1445         NonStringCell and Object are practically the same thing for the purpose of speculation
1446         https://bugs.webkit.org/show_bug.cgi?id=109492
1447
1448         Reviewed by Mark Hahnenberg.
1449         
1450         Removed isNonStringCellSpeculation, and made all callers use isObjectSpeculation.
1451         
1452         Changed isNonStringCellOrOtherSpeculation to be isObjectOrOtherSpeculation.
1453         
1454         I believe this is correct because even weird object types like JSNotAnObject end up
1455         being "objects" from the standpoint of our typesystem. Anyway, the assumption that
1456         "is cell but not a string" equates to "object" is an assumption that is already made
1457         in other places in the system so there's little value in being paranoid about it.
1458
1459         * bytecode/SpeculatedType.h:
1460         (JSC::isObjectSpeculation):
1461         (JSC::isObjectOrOtherSpeculation):
1462         * dfg/DFGAbstractState.cpp:
1463         (JSC::DFG::AbstractState::execute):
1464         * dfg/DFGNode.h:
1465         (Node):
1466         (JSC::DFG::Node::shouldSpeculateObjectOrOther):
1467         * dfg/DFGSpeculativeJIT.cpp:
1468         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
1469         (JSC::DFG::SpeculativeJIT::compare):
1470         (JSC::DFG::SpeculativeJIT::compileStrictEq):
1471         * dfg/DFGSpeculativeJIT.h:
1472         (SpeculativeJIT):
1473         * dfg/DFGSpeculativeJIT32_64.cpp:
1474         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1475         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1476         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1477         (JSC::DFG::SpeculativeJIT::emitBranch):
1478         (JSC::DFG::SpeculativeJIT::compile):
1479         * dfg/DFGSpeculativeJIT64.cpp:
1480         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1481         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1482         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1483         (JSC::DFG::SpeculativeJIT::emitBranch):
1484         (JSC::DFG::SpeculativeJIT::compile):
1485
1486 2013-02-10  Filip Pizlo  <fpizlo@apple.com>
1487
1488         DFG CompareEq(a, null) and CompareStrictEq(a, const) are unsound with respect to constant folding
1489         https://bugs.webkit.org/show_bug.cgi?id=109387
1490
1491         Reviewed by Oliver Hunt and Mark Hahnenberg.
1492         
1493         Lock in the decision to use a non-speculative constant comparison as early as possible
1494         and don't let the CFA change it by folding constants. This might be a performance
1495         penalty on some really weird code (FWIW, I haven't seen this on benchmarks), but on
1496         the other hand it completely side-steps the unsoundness that the bug speaks of.
1497         
1498         Rolling back in after adding 32-bit path.
1499
1500         * dfg/DFGAbstractState.cpp:
1501         (JSC::DFG::AbstractState::execute):
1502         * dfg/DFGByteCodeParser.cpp:
1503         (JSC::DFG::ByteCodeParser::isConstantForCompareStrictEq):
1504         (ByteCodeParser):
1505         (JSC::DFG::ByteCodeParser::parseBlock):
1506         * dfg/DFGCSEPhase.cpp:
1507         (JSC::DFG::CSEPhase::performNodeCSE):
1508         * dfg/DFGNodeType.h:
1509         (DFG):
1510         * dfg/DFGPredictionPropagationPhase.cpp:
1511         (JSC::DFG::PredictionPropagationPhase::propagate):
1512         * dfg/DFGSpeculativeJIT.cpp:
1513         (JSC::DFG::SpeculativeJIT::compileStrictEq):
1514         * dfg/DFGSpeculativeJIT32_64.cpp:
1515         (JSC::DFG::SpeculativeJIT::compile):
1516         * dfg/DFGSpeculativeJIT64.cpp:
1517         (JSC::DFG::SpeculativeJIT::compile):
1518
1519 2013-02-10  Filip Pizlo  <fpizlo@apple.com>
1520
1521         DFG TypeOf implementation should have its backend code aligned to what the CFA does
1522         https://bugs.webkit.org/show_bug.cgi?id=109385
1523
1524         Reviewed by Sam Weinig.
1525         
1526         The problem was that if we ended up trying to constant fold, but didn't succeed
1527         because of prediction mismatches, then we would also fail to do filtration.
1528         
1529         Rearranged the control flow in the CFA to fix that.
1530         
1531         As far as I know, this is asymptomatic - it's sort of OK for the CFA to prove fewer
1532         things, which is what the bug was.
1533
1534         * dfg/DFGAbstractState.cpp:
1535         (JSC::DFG::AbstractState::execute):
1536
1537 2013-02-11  Sheriff Bot  <webkit.review.bot@gmail.com>
1538
1539         Unreviewed, rolling out r142491.
1540         http://trac.webkit.org/changeset/142491
1541         https://bugs.webkit.org/show_bug.cgi?id=109470
1542
1543         broke the 32 bit build (Requested by jessieberlin on #webkit).
1544
1545         * dfg/DFGAbstractState.cpp:
1546         (JSC::DFG::AbstractState::execute):
1547         * dfg/DFGByteCodeParser.cpp:
1548         (JSC::DFG::ByteCodeParser::parseBlock):
1549         * dfg/DFGCSEPhase.cpp:
1550         (JSC::DFG::CSEPhase::performNodeCSE):
1551         * dfg/DFGNodeType.h:
1552         (DFG):
1553         * dfg/DFGPredictionPropagationPhase.cpp:
1554         (JSC::DFG::PredictionPropagationPhase::propagate):
1555         * dfg/DFGSpeculativeJIT.cpp:
1556         (JSC::DFG::SpeculativeJIT::compileStrictEq):
1557         * dfg/DFGSpeculativeJIT64.cpp:
1558         (JSC::DFG::SpeculativeJIT::compile):
1559
1560 2013-02-10  Filip Pizlo  <fpizlo@apple.com>
1561
1562         DFG CompareEq(a, null) and CompareStrictEq(a, const) are unsound with respect to constant folding
1563         https://bugs.webkit.org/show_bug.cgi?id=109387
1564
1565         Reviewed by Oliver Hunt.
1566         
1567         Lock in the decision to use a non-speculative constant comparison as early as possible
1568         and don't let the CFA change it by folding constants. This might be a performance
1569         penalty on some really weird code (FWIW, I haven't seen this on benchmarks), but on
1570         the other hand it completely side-steps the unsoundness that the bug speaks of.
1571
1572         * dfg/DFGAbstractState.cpp:
1573         (JSC::DFG::AbstractState::execute):
1574         * dfg/DFGByteCodeParser.cpp:
1575         (JSC::DFG::ByteCodeParser::isConstantForCompareStrictEq):
1576         (ByteCodeParser):
1577         (JSC::DFG::ByteCodeParser::parseBlock):
1578         * dfg/DFGCSEPhase.cpp:
1579         (JSC::DFG::CSEPhase::performNodeCSE):
1580         * dfg/DFGNodeType.h:
1581         (DFG):
1582         * dfg/DFGPredictionPropagationPhase.cpp:
1583         (JSC::DFG::PredictionPropagationPhase::propagate):
1584         * dfg/DFGSpeculativeJIT.cpp:
1585         (JSC::DFG::SpeculativeJIT::compileStrictEq):
1586         * dfg/DFGSpeculativeJIT64.cpp:
1587         (JSC::DFG::SpeculativeJIT::compile):
1588
1589 2013-02-11  Csaba Osztrogonác  <ossy@webkit.org>
1590
1591         Unreviewed fix after r13954 for !ENABLE(JIT) builds.
1592
1593         * llint/LowLevelInterpreter.cpp:
1594
1595 2013-02-11  Gabor Rapcsanyi  <rgabor@webkit.org>
1596
1597         JSC build failing with verbose debug mode
1598         https://bugs.webkit.org/show_bug.cgi?id=109441
1599
1600         Reviewed by Darin Adler.
1601
1602         Fixing some verbose messages which caused build errors.
1603
1604         * dfg/DFGAbstractState.cpp:
1605         (JSC::DFG::AbstractState::mergeToSuccessors):
1606         * dfg/DFGCFAPhase.cpp:
1607         (JSC::DFG::CFAPhase::performBlockCFA):
1608         * dfg/DFGCSEPhase.cpp:
1609         (JSC::DFG::CSEPhase::setReplacement):
1610         (JSC::DFG::CSEPhase::eliminate):
1611         * dfg/DFGPredictionInjectionPhase.cpp:
1612         (JSC::DFG::PredictionInjectionPhase::run):
1613
1614 2013-02-10  Martin Robinson  <mrobinson@igalia.com>
1615
1616         Fix the GTK+ gyp build
1617
1618         * JavaScriptCore.gypi: Update the source list to accurately
1619         reflect what's in the repository and remove the offsets extractor
1620         from the list of JavaScriptCore files. It's only used to build
1621         the extractor binary.
1622
1623 2013-02-09  Andreas Kling  <akling@apple.com>
1624
1625         Shrink-wrap UnlinkedCodeBlock members.
1626         <http://webkit.org/b/109368>
1627
1628         Reviewed by Oliver Hunt.
1629
1630         Rearrange the members of UnlinkedCodeBlock to avoid unnecessary padding on 64-bit.
1631         Knocks ~600 KB off of the Membuster3 peak.
1632
1633         * bytecode/UnlinkedCodeBlock.cpp:
1634         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1635         * bytecode/UnlinkedCodeBlock.h:
1636         (UnlinkedCodeBlock):
1637
1638 2013-02-08  Filip Pizlo  <fpizlo@apple.com>
1639
1640         DFG should allow phases to break Phi's and then have one phase to rebuild them
1641         https://bugs.webkit.org/show_bug.cgi?id=108414
1642
1643         Reviewed by Mark Hahnenberg.
1644         
1645         Introduces two new DFG forms: LoadStore and ThreadedCPS. These are described in
1646         detail in DFGCommon.h.
1647         
1648         Consequently, DFG phases no longer have to worry about preserving data flow
1649         links between basic blocks. It is generally always safe to request that the
1650         graph be dethreaded (Graph::dethread), which brings it into LoadStore form, where
1651         the data flow is implicit. In this form, only liveness-at-head needs to be
1652         preserved.
1653         
1654         All of the machinery for "threading" the graph to introduce data flow between
1655         blocks is now moved out of the bytecode parser and into the CPSRethreadingPhase.
1656         All phases that previously did this maintenance themselves now just rely on
1657         being able to dethread the graph. The one exception is the structure check
1658         hoisting phase, which operates over a threaded graph and preserves it, for the
1659         sake of performance.
1660         
1661         Also moved two other things into their own phases: unification (previously found
1662         in the parser) and prediction injection (previously found in various places).
1663
1664         * CMakeLists.txt:
1665         * GNUmakefile.list.am:
1666         * JavaScriptCore.xcodeproj/project.pbxproj:
1667         * Target.pri:
1668         * bytecode/Operands.h:
1669         (Operands):
1670         (JSC::Operands::sizeFor):
1671         (JSC::Operands::atFor):
1672         * dfg/DFGAbstractState.cpp:
1673         (JSC::DFG::AbstractState::execute):
1674         (JSC::DFG::AbstractState::mergeStateAtTail):
1675         * dfg/DFGAllocator.h:
1676         (JSC::DFG::::allocateSlow):
1677         * dfg/DFGArgumentsSimplificationPhase.cpp:
1678         (JSC::DFG::ArgumentsSimplificationPhase::run):
1679         * dfg/DFGBasicBlockInlines.h:
1680         (DFG):
1681         * dfg/DFGByteCodeParser.cpp:
1682         (JSC::DFG::ByteCodeParser::getLocal):
1683         (JSC::DFG::ByteCodeParser::getArgument):
1684         (JSC::DFG::ByteCodeParser::flushDirect):
1685         (JSC::DFG::ByteCodeParser::parseBlock):
1686         (DFG):
1687         (JSC::DFG::ByteCodeParser::parse):
1688         * dfg/DFGCFGSimplificationPhase.cpp:
1689         (JSC::DFG::CFGSimplificationPhase::run):
1690         (JSC::DFG::CFGSimplificationPhase::killUnreachable):
1691         (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
1692         (CFGSimplificationPhase):
1693         (JSC::DFG::CFGSimplificationPhase::fixJettisonedPredecessors):
1694         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
1695         * dfg/DFGCPSRethreadingPhase.cpp: Added.
1696         (DFG):
1697         (CPSRethreadingPhase):
1698         (JSC::DFG::CPSRethreadingPhase::CPSRethreadingPhase):
1699         (JSC::DFG::CPSRethreadingPhase::run):
1700         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
1701         (JSC::DFG::CPSRethreadingPhase::clearVariablesAtHeadAndTail):
1702         (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
1703         (JSC::DFG::CPSRethreadingPhase::addPhi):
1704         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
1705         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocal):
1706         (JSC::DFG::CPSRethreadingPhase::canonicalizeSetLocal):
1707         (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
1708         (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocal):
1709         (JSC::DFG::CPSRethreadingPhase::canonicalizeSetArgument):
1710         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
1711         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlocks):
1712         (JSC::DFG::CPSRethreadingPhase::propagatePhis):
1713         (JSC::DFG::CPSRethreadingPhase::PhiStackEntry::PhiStackEntry):
1714         (PhiStackEntry):
1715         (JSC::DFG::CPSRethreadingPhase::phiStackFor):
1716         (JSC::DFG::performCPSRethreading):
1717         * dfg/DFGCPSRethreadingPhase.h: Added.
1718         (DFG):
1719         * dfg/DFGCSEPhase.cpp:
1720         (CSEPhase):
1721         (JSC::DFG::CSEPhase::performNodeCSE):
1722         * dfg/DFGCommon.cpp:
1723         (WTF):
1724         (WTF::printInternal):
1725         * dfg/DFGCommon.h:
1726         (JSC::DFG::logCompilationChanges):
1727         (DFG):
1728         (WTF):
1729         * dfg/DFGConstantFoldingPhase.cpp:
1730         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1731         * dfg/DFGDriver.cpp:
1732         (JSC::DFG::compile):
1733         * dfg/DFGGraph.cpp:
1734         (JSC::DFG::Graph::Graph):
1735         (JSC::DFG::Graph::dump):
1736         (JSC::DFG::Graph::dethread):
1737         (JSC::DFG::Graph::collectGarbage):
1738         * dfg/DFGGraph.h:
1739         (JSC::DFG::Graph::performSubstitution):
1740         (Graph):
1741         (JSC::DFG::Graph::performSubstitutionForEdge):
1742         (JSC::DFG::Graph::convertToConstant):
1743         * dfg/DFGNode.h:
1744         (JSC::DFG::Node::convertToPhantomLocal):
1745         (Node):
1746         (JSC::DFG::Node::convertToGetLocal):
1747         (JSC::DFG::Node::hasVariableAccessData):
1748         * dfg/DFGNodeType.h:
1749         (DFG):
1750         * dfg/DFGPhase.cpp:
1751         (JSC::DFG::Phase::beginPhase):
1752         * dfg/DFGPhase.h:
1753         (JSC::DFG::runAndLog):
1754         * dfg/DFGPredictionInjectionPhase.cpp: Added.
1755         (DFG):
1756         (PredictionInjectionPhase):
1757         (JSC::DFG::PredictionInjectionPhase::PredictionInjectionPhase):
1758         (JSC::DFG::PredictionInjectionPhase::run):
1759         (JSC::DFG::performPredictionInjection):
1760         * dfg/DFGPredictionInjectionPhase.h: Added.
1761         (DFG):
1762         * dfg/DFGPredictionPropagationPhase.cpp:
1763         (JSC::DFG::PredictionPropagationPhase::run):
1764         (JSC::DFG::PredictionPropagationPhase::propagate):
1765         * dfg/DFGSpeculativeJIT32_64.cpp:
1766         (JSC::DFG::SpeculativeJIT::compile):
1767         * dfg/DFGSpeculativeJIT64.cpp:
1768         (JSC::DFG::SpeculativeJIT::compile):
1769         * dfg/DFGStructureCheckHoistingPhase.cpp:
1770         (JSC::DFG::StructureCheckHoistingPhase::run):
1771         * dfg/DFGUnificationPhase.cpp: Added.
1772         (DFG):
1773         (UnificationPhase):
1774         (JSC::DFG::UnificationPhase::UnificationPhase):
1775         (JSC::DFG::UnificationPhase::run):
1776         (JSC::DFG::performUnification):
1777         * dfg/DFGUnificationPhase.h: Added.
1778         (DFG):
1779         * dfg/DFGValidate.cpp:
1780         (JSC::DFG::Validate::validate):
1781         (JSC::DFG::Validate::dumpGraphIfAppropriate):
1782         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
1783         (JSC::DFG::VirtualRegisterAllocationPhase::run):
1784         * llint/LLIntSlowPaths.cpp:
1785         (JSC::LLInt::setUpCall):
1786         * runtime/JSCJSValue.cpp:
1787         (JSC::JSValue::dump):
1788         * runtime/JSString.h:
1789         (JSString):
1790         * runtime/Options.h:
1791         (JSC):
1792
1793 2013-02-08  Jer Noble  <jer.noble@apple.com>
1794
1795         Bring WebKit up to speed with latest Encrypted Media spec.
1796         https://bugs.webkit.org/show_bug.cgi?id=97037
1797
1798         Reviewed by Eric Carlson.
1799
1800         Define the ENABLE_ENCRYPTED_MEDIA_V2 setting.
1801
1802         * Configurations/FeatureDefines.xcconfig:
1803
1804 2013-02-08  Gavin Barraclough  <barraclough@apple.com>
1805
1806         Objective-C API for JavaScriptCore
1807         https://bugs.webkit.org/show_bug.cgi?id=105889
1808
1809         Reviewed by Joseph Pecoraro.
1810
1811         Following up on review comments, mostly typos.
1812
1813         * API/JSBlockAdaptor.h:
1814         * API/JSBlockAdaptor.mm:
1815         (-[JSBlockAdaptor blockFromValue:inContext:withException:]):
1816         * API/JSContext.h:
1817         * API/JSExport.h:
1818         * API/JSValue.h:
1819         * API/JSValue.mm:
1820         * API/JSWrapperMap.mm:
1821         (selectorToPropertyName):
1822         (-[JSWrapperMap classInfoForClass:]):
1823         (-[JSWrapperMap wrapperForObject:]):
1824
1825 2013-02-08  Martin Robinson  <mrobinson@igalia.com>
1826
1827         [GTK] Add an experimental gyp build
1828         https://bugs.webkit.org/show_bug.cgi?id=109003
1829
1830         Reviewed by Gustavo Noronha Silva.
1831
1832         * JavaScriptCore.gypi: Update the list of source files to include those
1833         necessary for the GTK+ build.
1834
1835 2013-02-08  Andreas Kling  <akling@apple.com>
1836
1837         JSC: Lower minimum PropertyTable size.
1838         <http://webkit.org/b/109247>
1839
1840         Reviewed by Darin Adler.
1841
1842         Lower the minimum table size for PropertyTable from 16 to 8.
1843         3.32 MB progression on Membuster3 (a ~13% reduction in memory used by PropertyTables.)
1844
1845         * runtime/PropertyMapHashTable.h:
1846         (PropertyTable):
1847         (JSC::PropertyTable::sizeForCapacity):
1848
1849 2013-02-07  Roger Fong  <roger_fong@apple.com>
1850
1851         Unreviewed. More VS2010 WebKit solution touchups.
1852         Make JavaScriptCoreExports.def.in be treated as a custom build file so that changes to it cause the exports to be rebuilt.
1853
1854         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj:
1855         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj.filters:
1856         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
1857
1858 2013-02-07  Mark Hahnenberg  <mhahnenberg@apple.com>
1859
1860         Objective-C API: testapi.mm should use ARC
1861         https://bugs.webkit.org/show_bug.cgi?id=107838
1862
1863         Reviewed by Mark Rowe.
1864
1865         Removing the changes to the Xcode project file and moving the equivalent flags into 
1866         the ToolExecutable xcconfig file.
1867
1868         * Configurations/ToolExecutable.xcconfig:
1869         * JavaScriptCore.xcodeproj/project.pbxproj:
1870
1871 2013-02-07  Brent Fulgham  <bfulgham@webkit.org>
1872
1873         [Windows] Unreviewed Visual Studio 2010 build fixes after r142179.
1874
1875         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: Correct changed symbols
1876         * JavaScriptCore.vcxproj/JavaScriptCoreExports.def: Removed autogenerated file.
1877
1878 2013-02-05  Filip Pizlo  <fpizlo@apple.com>
1879
1880         DFG::ByteCodeParser should do surgical constant folding to reduce load on the optimization fixpoint
1881         https://bugs.webkit.org/show_bug.cgi?id=109000
1882
1883         Reviewed by Oliver Hunt.
1884         
1885         Previously our source parser's ASTBuilder did some surgical constant folding, but it
1886         didn't cover some cases.  It was particularly incapable of doing constant folding for
1887         cases where we do some minimal loop peeling in the bytecode generator - since it
1888         didn't "see" those constants prior to the peeling.  Example:
1889
1890         for (var i = 0; i < 4; ++i)
1891             things;
1892
1893         This will get peeled just a bit by the bytecode generator, so that the "i < 4" is
1894         duplicated both at the top of the loop and the bottom.  This means that we have a
1895         constant comparison: "0 < 4", which the bytecode generator emits without any further
1896         thought.
1897
1898         The DFG optimization fixpoint of course folds this and simplifies the CFG 
1899         accordingly, but this incurs a compile-time cost.  The purpose of this change is to
1900         do some surgical constant folding in the DFG's bytecode parser, so that such
1901         constructs reduce load on the CFG simplifier and the optimization fixpoint.  The goal
1902         is not to cover all cases, since the DFG CFA and CFG simplifier have a powerful
1903         sparse conditional constant propagation that we can always fall back on. Instead the
1904         goal is to cover enough cases that for common small functions we don't have to
1905         perform such transformations, thereby reducing compile times.
1906         
1907         This also refactors m_inlineStackEntry->m_inlineCallFrame to be a handy method call
1908         and also adds the notion of a TriState-based JSValue::pureToBoolean(). Both of these
1909         things are used by the folder.
1910         
1911         As well, care has been taken to make sure that the bytecode parser only does folding
1912         that is statically provable, and that doesn't arise out of speculation. This means
1913         we cannot fold on data flow that crosses inlining boundaries. On the other hand, the
1914         folding that the bytecode parser uses doesn't require phantoming anything. Such is
1915         the trade-off: for anything that we do need phantoming, we defer it to the
1916         optimization fixpoint.
1917         
1918         Slight SunSpider speed-up.
1919
1920         * dfg/DFGByteCodeParser.cpp:
1921         (JSC::DFG::ByteCodeParser::get):
1922         (JSC::DFG::ByteCodeParser::getLocal):
1923         (JSC::DFG::ByteCodeParser::setLocal):
1924         (JSC::DFG::ByteCodeParser::flushDirect):
1925         (JSC::DFG::ByteCodeParser::flushArgumentsAndCapturedVariables):
1926         (JSC::DFG::ByteCodeParser::toInt32):
1927         (ByteCodeParser):
1928         (JSC::DFG::ByteCodeParser::inlineCallFrame):
1929         (JSC::DFG::ByteCodeParser::currentCodeOrigin):
1930         (JSC::DFG::ByteCodeParser::canFold):
1931         (JSC::DFG::ByteCodeParser::handleInlining):
1932         (JSC::DFG::ByteCodeParser::getScope):
1933         (JSC::DFG::ByteCodeParser::parseResolveOperations):
1934         (JSC::DFG::ByteCodeParser::parseBlock):
1935         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1936         * dfg/DFGNode.h:
1937         (JSC::DFG::Node::isStronglyProvedConstantIn):
1938         (Node):
1939         * runtime/JSCJSValue.h:
1940         * runtime/JSCJSValueInlines.h:
1941         (JSC::JSValue::pureToBoolean):
1942         (JSC):
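
        As an added illustration, not code from the WebKit change above: a toy C++ model of the
        parser-time folding this entry describes, with a TriState-returning pureToBoolean and a
        canFold check that refuses constants flowing across an inlining boundary. Value, Node,
        Parser and foldPeeledLoopTest are hypothetical stand-ins for the DFG's own types.

```cpp
#include <cmath>
#include <cstddef>

// Added illustration, not JSC code: a toy model of the parser-time folding
// described in the entry (a TriState pureToBoolean plus a canFold check that
// refuses to fold across inlining boundaries). All names are stand-ins.

enum class TriState { False, True, Mixed };

// Stand-in for a JSValue with just enough shape to show the three outcomes
// of a side-effect-free truthiness test.
struct Value {
    enum class Tag { Undefined, Null, Boolean, Number, String, Object };
    Tag tag = Tag::Undefined;
    double numberValue = 0;        // when tag == Number
    bool boolValue = false;        // when tag == Boolean
    std::size_t stringLength = 0;  // when tag == String

    static Value makeNumber(double d) { Value v; v.tag = Tag::Number; v.numberValue = d; return v; }
    static Value makeBoolean(bool b) { Value v; v.tag = Tag::Boolean; v.boolValue = b; return v; }
    static Value makeString(std::size_t n) { Value v; v.tag = Tag::String; v.stringLength = n; return v; }
    static Value makeObject() { Value v; v.tag = Tag::Object; return v; }

    // Truthiness with no side effects and no speculation. An object answers
    // Mixed: a host object may masquerade as undefined at run time, so the
    // parser must not fold on it. NaN is falsy, like 0.
    TriState pureToBoolean() const {
        switch (tag) {
        case Tag::Undefined:
        case Tag::Null:    return TriState::False;
        case Tag::Boolean: return boolValue ? TriState::True : TriState::False;
        case Tag::Number:  return (numberValue != 0 && !std::isnan(numberValue)) ? TriState::True : TriState::False;
        case Tag::String:  return stringLength ? TriState::True : TriState::False;
        case Tag::Object:  return TriState::Mixed;
        }
        return TriState::Mixed;
    }
};

// A node as the parser sees it: a constant it emitted itself, or something
// opaque. inlineDepth records which inline call frame produced the node.
struct Node {
    bool isConstant = false;
    Value value;
    unsigned inlineDepth = 0;
};

Node constantNode(Value v, unsigned inlineDepth) {
    Node n; n.isConstant = true; n.value = v; n.inlineDepth = inlineDepth; return n;
}

Node opaqueNode(unsigned inlineDepth) { Node n; n.inlineDepth = inlineDepth; return n; }

struct Parser {
    unsigned currentInlineDepth = 0;

    // canFold: only a constant that is statically provable in the current
    // inline call frame qualifies; a constant flowing in from a caller's
    // frame is exactly the cross-inlining data flow the entry rules out.
    bool canFold(const Node& n) const {
        return n.isConstant && n.inlineDepth == currentInlineDepth;
    }

    // Fold "a < b" for two provable number constants. Mixed means "not folded,
    // leave the node for the CFA / CFG simplifier fixpoint".
    TriState foldLess(const Node& a, const Node& b) const {
        if (!canFold(a) || !canFold(b))
            return TriState::Mixed;
        if (a.value.tag != Value::Tag::Number || b.value.tag != Value::Tag::Number)
            return TriState::Mixed;
        return a.value.numberValue < b.value.numberValue ? TriState::True : TriState::False;
    }

    // Fold "!x" through pureToBoolean; an object (Mixed) is deferred.
    TriState foldNot(const Node& x) const {
        if (!canFold(x))
            return TriState::Mixed;
        switch (x.value.pureToBoolean()) {
        case TriState::True:  return TriState::False;
        case TriState::False: return TriState::True;
        case TriState::Mixed: return TriState::Mixed;
        }
        return TriState::Mixed;
    }
};

// The peeled loop test from the entry: the duplicated "i < 4" sees i == 0 and
// folds to true when i was defined in the frame being parsed, but is left
// alone when i arrived from an enclosing (caller) frame.
TriState foldPeeledLoopTest(unsigned iInlineDepth, unsigned parserInlineDepth) {
    Parser parser;
    parser.currentInlineDepth = parserInlineDepth;
    Node i = constantNode(Value::makeNumber(0), iInlineDepth);
    Node four = constantNode(Value::makeNumber(4), parserInlineDepth);
    return parser.foldLess(i, four);
}
```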
1943
1944 2013-02-07  Zoltan Herczeg  <zherczeg@webkit.org>
1945
1946         Invalid code is generated for storing constants with baseindex addressing modes on ARM traditional.
1947         https://bugs.webkit.org/show_bug.cgi?id=109050
1948
1949         Reviewed by Oliver Hunt.
1950
1951         The S1 scratch register is reused, but it should contain the constant value.
1952
1953         * assembler/ARMAssembler.cpp:
1954         (JSC::ARMAssembler::baseIndexTransfer32):
1955         (JSC::ARMAssembler::baseIndexTransfer16):
1956
1957 2013-02-07  Andras Becsi  <andras.becsi@digia.com>
1958
1959         [Qt] Use GNU ar's thin archive format for intermediate static libs
1960         https://bugs.webkit.org/show_bug.cgi?id=109052
1961
1962         Reviewed by Jocelyn Turcotte.
1963
1964         Adjust project files that used activeBuildConfig()
1965         to use targetSubDir().
1966
1967         * JavaScriptCore.pri:
1968         * LLIntOffsetsExtractor.pro:
1969         * Target.pri:
1970
1971 2013-02-06  Roger Fong  <roger_fong@apple.com>
1972
1973         Unreviewed. Touchups to VS2010 WebKit solution.
1974         Fix an export generator script, modify some property sheets, add resource file.
1975
1976         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorDebug.props:
1977         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPostBuild.cmd:
1978         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorRelease.props:
1979         * JavaScriptCore.vcxproj/resource.h: Added.
1980
1981 2013-02-06  Ilya Tikhonovsky  <loislo@chromium.org>
1982
1983         Web Inspector: Native Memory Instrumentation: assign class name to the heap graph node automatically
1984         https://bugs.webkit.org/show_bug.cgi?id=107262
1985
1986         Reviewed by Yury Semikhatsky.
1987
1988         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
1989
1990 2013-02-06  Mike West  <mkwst@chromium.org>
1991
1992         Add an ENABLE_NOSNIFF feature flag.
1993         https://bugs.webkit.org/show_bug.cgi?id=109029
1994
1995         Reviewed by Jochen Eisinger.
1996
1997         This new flag will control the behavior of 'X-Content-Type-Options: nosniff'
1998         when processing script and other resource types.
1999
2000         * Configurations/FeatureDefines.xcconfig:
2001
2002 2013-02-05  Mark Hahnenberg  <mhahnenberg@apple.com>
2003
2004         put_to_base should emit a Phantom for "value" across the ForceOSRExit
2005         https://bugs.webkit.org/show_bug.cgi?id=108998
2006
2007         Reviewed by Oliver Hunt.
2008
2009         Otherwise, the OSR exit compiler could clobber it, which would lead to badness.
2010
2011         * bytecode/CodeBlock.cpp:
2012         (JSC::CodeBlock::tallyFrequentExitSites): Build fixes for when DFG debug logging is enabled.
2013         * dfg/DFGByteCodeParser.cpp:
2014         (JSC::DFG::ByteCodeParser::parseBlock): Added extra Phantoms for the "value" field where needed.
2015         * dfg/DFGSpeculativeJIT.cpp:
2016         (JSC::DFG::SpeculativeJIT::compile): Ditto.
2017
2018 2013-02-05  Michael Saboff  <msaboff@apple.com>
2019
2020         Crash at JSC::call when loading www.gap.com with JSVALUE32_64 Enabled
2021         https://bugs.webkit.org/show_bug.cgi?id=108991
2022
2023         Reviewed by Oliver Hunt.
2024
2025         Changed the restoration from calleeGPR to nonArgGPR0 because the restoration of the return location
2026         may step on calleeGPR if it happens to be nonArgGPR2.
2027
2028         * dfg/DFGRepatch.cpp:
2029         (JSC::DFG::dfgLinkClosureCall):
2030
2031 2013-02-05  Roger Fong  <roger_fong@apple.com>
2032
2033         Add a JavaScriptCore Export Generator project.
2034         https://bugs.webkit.org/show_bug.cgi?id=108971
2035
2036         Reviewed by Brent Fulgham.
2037
2038         * JavaScriptCore.vcxproj/JavaScriptCore.sln:
2039         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2040         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2041         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
2042         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator: Added.
2043         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj: Added.
2044         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj.filters: Added.
2045         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj.user: Added.
2046         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorBuildCmd.cmd: Added.
2047         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props: Added.
2048         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorDebug.props: Added.
2049         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPostBuild.cmd: Added.
2050         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPreBuild.cmd: Added.
2051         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorRelease.props: Added.
2052         * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: Added.
2053
2054 2013-02-04  Filip Pizlo  <fpizlo@apple.com>
2055
2056         DFG should have a precise view of jump targets
2057         https://bugs.webkit.org/show_bug.cgi?id=108868
2058
2059         Reviewed by Oliver Hunt.
2060         
2061         Previously, the DFG relied entirely on the CodeBlock's jump targets list for
2062         determining when to break basic blocks. This worked great, except sometimes it
2063         would be too conservative since the CodeBlock just says where the bytecode
2064         generator inserted labels.
2065         
2066         This change keeps the old jump target list in CodeBlock since it is still
2067         valuable to the baseline JIT, but switches the DFG to use its own jump target
2068         calculator. This ought to reduce pressure on the DFG simplifier, which would
2069         previously do a lot of work to try to merge redundantly created basic blocks.
2070         It appears to be a 1% progression on SunSpider.
2071
2072         * CMakeLists.txt:
2073         * GNUmakefile.list.am:
2074         * JavaScriptCore.xcodeproj/project.pbxproj:
2075         * Target.pri:
2076         * bytecode/PreciseJumpTargets.cpp: Added.
2077         (JSC):
2078         (JSC::addSimpleSwitchTargets):
2079         (JSC::computePreciseJumpTargets):
2080         * bytecode/PreciseJumpTargets.h: Added.
2081         (JSC):
2082         * dfg/DFGByteCodeParser.cpp:
2083         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2084
2085 2013-02-01  Roger Fong  <roger_fong@apple.com>
2086
2087         Make ConfigurationBuildDir include directories precede WebKitLibraries in JSC.
2088         https://bugs.webkit.org/show_bug.cgi?id=108693
2089
2090         Rubberstamped by Timothy Horton.
2091
2092         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:
2093
2094 2013-02-04  Mark Hahnenberg  <mhahnenberg@apple.com>
2095
2096         Structure::m_outOfLineCapacity is unnecessary
2097         https://bugs.webkit.org/show_bug.cgi?id=108206
2098
2099         Reviewed by Darin Adler.
2100
2101         Simplifying the utility functions that we use since we don't need a 
2102         bunch of fancy templates for this one specific call site.
2103
2104         * runtime/Structure.h:
2105         (JSC::Structure::outOfLineCapacity):
2106
2107 2013-02-05  Mark Hahnenberg  <mhahnenberg@apple.com>
2108
2109         Objective-C API: testapi.mm should use ARC
2110         https://bugs.webkit.org/show_bug.cgi?id=107838
2111
2112         Reviewed by Oliver Hunt.
2113
2114         In ToT, testapi.mm uses the Obj-C garbage collector, which hides a lot of our object lifetime bugs.
2115         We should enable ARC, since that is what most of our clients will be using. We use Xcode project 
2116         settings to make sure we don't try to compile ARC on 32-bit.
2117
2118         * API/tests/testapi.mm:
2119         (+[TestObject testObject]):
2120         (testObjectiveCAPI):
2121         * JavaScriptCore.xcodeproj/project.pbxproj:
2122
2123 2013-02-05  Brent Fulgham  <bfulgham@webkit.org>
2124
2125         [Windows] Unreviewed VS2010 Build Correction after r141651
2126
2127         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing
2128         StructureRareData.h and StructureRareData.cpp files.
2129         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
2130
2131 2013-02-05  Michael Saboff  <msaboff@apple.com>
2132
2133         r141788 won't build due to not having all changes needed by Node* change
2134         https://bugs.webkit.org/show_bug.cgi?id=108944
2135
2136         Reviewed by David Kilzer.
2137
2138         Fixed three instances of integerResult(..., m_compileIndex) to be integerResult(..., node).
2139
2140         * dfg/DFGSpeculativeJIT.cpp:
2141         (JSC::DFG::SpeculativeJIT::compileSoftModulo):
2142         (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForARMv7s):
2143
2144 2013-02-04  Sheriff Bot  <webkit.review.bot@gmail.com>
2145
2146         Unreviewed, rolling out r141809.
2147         http://trac.webkit.org/changeset/141809
2148         https://bugs.webkit.org/show_bug.cgi?id=108860
2149
2150         ARC isn't supported on 32-bit. (Requested by mhahnenberg on
2151         #webkit).
2152
2153         * API/tests/testapi.mm:
2154         (+[TestObject testObject]):
2155         (testObjectiveCAPI):
2156         * JavaScriptCore.xcodeproj/project.pbxproj:
2157
2158 2013-02-04  Mark Hahnenberg  <mhahnenberg@apple.com>
2159
2160         Objective-C API: testapi.mm should use ARC
2161         https://bugs.webkit.org/show_bug.cgi?id=107838
2162
2163         Reviewed by Oliver Hunt.
2164
2165         In ToT, testapi.mm uses the Obj-C garbage collector, which hides a lot of our object lifetime bugs.
2166         We should enable ARC, since that is what most of our clients will be using.
2167
2168         * API/tests/testapi.mm:
2169         (-[TestObject init]):
2170         (-[TestObject dealloc]):
2171         (+[TestObject testObject]):
2172         (testObjectiveCAPI):
2173         * JavaScriptCore.xcodeproj/project.pbxproj:
2174
2175 2013-02-04  Mark Hahnenberg  <mhahnenberg@apple.com>
2176
2177         Objective-C API: ObjCCallbackFunction should retain the target of its NSInvocation
2178         https://bugs.webkit.org/show_bug.cgi?id=108843
2179
2180         Reviewed by Darin Adler.
2181
2182         Currently, ObjCCallbackFunction doesn't retain the target of its NSInvocation. It needs to do 
2183         this to prevent crashes when trying to invoke a callback later on.
2184
2185         * API/ObjCCallbackFunction.mm:
2186         (ObjCCallbackFunction::ObjCCallbackFunction):
2187         (ObjCCallbackFunction::~ObjCCallbackFunction):
2188
2189 2013-02-04  Martin Robinson  <mrobinson@igalia.com>
2190
2191         Fix GTK+ 'make dist' in preparation for the 1.11.5 release.
2192
2193         * GNUmakefile.list.am: Update the source lists.
2194
2195 2013-02-04  Michael Saboff  <msaboff@apple.com>
2196
2197         For ARMv7s use integer divide instruction for divide and modulo when possible
2198         https://bugs.webkit.org/show_bug.cgi?id=108840
2199
2200         Reviewed in person by Filip Pizlo.
2201
2202         Added ARMv7s integer divide path for ArithDiv and ArithMod where operands and results are integer.
2203         This is patterned after the similar code for X86.  Also added modulo power of 2 optimization
2204         that uses logical and.  Added sdiv and udiv to the ARMv7 disassembler.  Put all the changes
2205         behind #if CPU(APPLE_ARMV7S). 
2206
2207         * assembler/ARMv7Assembler.h:
2208         (ARMv7Assembler):
2209         (JSC::ARMv7Assembler::sdiv):
2210         (JSC::ARMv7Assembler::udiv):
2211         * dfg/DFGCommon.h:
2212         (JSC::DFG::isARMv7s):
2213         * dfg/DFGFixupPhase.cpp:
2214         (JSC::DFG::FixupPhase::fixupNode):
2215         * dfg/DFGSpeculativeJIT.cpp:
2216         (JSC::DFG::SpeculativeJIT::compileSoftModulo):
2217         (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForARMv7s):
2218         * dfg/DFGSpeculativeJIT.h:
2219         (SpeculativeJIT):
2220         * dfg/DFGSpeculativeJIT32_64.cpp:
2221         (JSC::DFG::SpeculativeJIT::compile):
2222
2223 2013-02-04  David Kilzer  <ddkilzer@apple.com>
2224
2225         Check PrivateHeaders/JSBasePrivate.h for inappropriate macros
2226         <http://webkit.org/b/108749>
2227
2228         Reviewed by Joseph Pecoraro.
2229
2230         * JavaScriptCore.xcodeproj/project.pbxproj: Add
2231         PrivateHeaders/JSBasePrivate.h to list of headers to check in
2232         "Check for Inappropriate Macros in External Headers" build phase
2233         script.
2234
2235 2013-02-04  David Kilzer  <ddkilzer@apple.com>
2236
2237         Remove duplicate entries from JavaScriptCore Xcode project
2238
2239             $ uniq Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj | diff -u - Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj | patch -p0 -R
2240             patching file Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
2241
2242         * JavaScriptCore.xcodeproj/project.pbxproj: Remove duplicates.
2243
2244 2013-02-04  David Kilzer  <ddkilzer@apple.com>
2245
2246         Sort JavaScriptCore Xcode project file
2247
2248         * JavaScriptCore.xcodeproj/project.pbxproj:
2249
2250 2013-02-03  David Kilzer  <ddkilzer@apple.com>
2251
2252         Upstream ENABLE_PDFKIT_PLUGIN setting
2253         <http://webkit.org/b/108792>
2254
2255         Reviewed by Tim Horton.
2256
2257         * Configurations/FeatureDefines.xcconfig: Disable PDFKIT_PLUGIN
2258         on iOS since PDFKit is a Mac-only framework.
2259
2260 2013-02-02  Andreas Kling  <akling@apple.com>
2261
2262         Vector should consult allocator about ideal size when choosing capacity.
2263         <http://webkit.org/b/108410>
2264         <rdar://problem/13124002>
2265
2266         Reviewed by Benjamin Poulain.
2267
2268         Remove assertion about Vector capacity that won't hold anymore since capacity()
2269         may not be what you passed to reserveCapacity().
2270         Also export WTF::fastMallocGoodSize() for Windows builds.
2271
2272         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
2273         * bytecode/CodeBlock.cpp:
2274         (JSC::CodeBlock::CodeBlock):
2275
2276 2013-02-02  Patrick Gansterer  <paroga@webkit.org>
2277
2278         [CMake] Adapt the WinCE port to new CMake
2279         https://bugs.webkit.org/show_bug.cgi?id=108754
2280
2281         Reviewed by Laszlo Gombos.
2282
2283         * os-win32/WinMain.cpp: Removed.
2284         * shell/PlatformWinCE.cmake: Removed.
2285
2286 2013-02-02  Mark Rowe  <mrowe@apple.com>
2287
2288         <http://webkit.org/b/108745> WTF shouldn't use a script build phase to detect the presence of headers when the compiler can do it for us
2289
2290         Reviewed by Sam Weinig.
2291
2292         * DerivedSources.make: Remove an obsolete Makefile rule. This should have been removed when the use
2293         of the generated file moved to WTF.
2294
2295 2013-02-02  David Kilzer  <ddkilzer@apple.com>
2296
2297         Upstream iOS FeatureDefines
2298         <http://webkit.org/b/108753>
2299
2300         Reviewed by Anders Carlsson.
2301
2302         * Configurations/FeatureDefines.xcconfig:
2303         - ENABLE_DEVICE_ORIENTATION: Add iOS configurations.
2304         - ENABLE_PLUGIN_PROXY_FOR_VIDEO: Ditto.
2305         - FEATURE_DEFINES: Add ENABLE_PLUGIN_PROXY_FOR_VIDEO.  Add
2306           PLATFORM_NAME variant to reduce future merge conflicts. 
2307
2308 2013-02-01  Mark Hahnenberg  <mhahnenberg@apple.com>
2309
2310         Structure::m_enumerationCache should be moved to StructureRareData
2311         https://bugs.webkit.org/show_bug.cgi?id=108723
2312
2313         Reviewed by Oliver Hunt.
2314
2315         m_enumerationCache is only used by objects whose properties are iterated over, so not every Structure needs this 
2316         field and it can therefore be moved safely to StructureRareData to help with memory savings.
2317
2318         * runtime/JSPropertyNameIterator.h:
2319         (JSPropertyNameIterator):
2320         (JSC::Register::propertyNameIterator):
2321         (JSC::StructureRareData::enumerationCache): Add to JSPropertyNameIterator.h so that it can see the correct type.
2322         (JSC::StructureRareData::setEnumerationCache): Ditto.
2323         * runtime/Structure.cpp:
2324         (JSC::Structure::addPropertyWithoutTransition): Use the enumerationCache() getter rather than accessing the field.
2325         (JSC::Structure::removePropertyWithoutTransition): Ditto.
2326         (JSC::Structure::visitChildren): We no longer have to worry about marking the m_enumerationCache field.
2327         * runtime/Structure.h: 
2328         (JSC::Structure::setEnumerationCache): Move the old accessors back since we don't have to have any knowledge of 
2329         the JSPropertyNameIterator type.
2330         (JSC::Structure::enumerationCache): Ditto.
2331         * runtime/StructureRareData.cpp:
2332         (JSC::StructureRareData::visitChildren): Mark the new m_enumerationCache field.
2333         * runtime/StructureRareData.h: Add new functions/fields.
2334         (StructureRareData):
2335
2336 2013-02-01  Roger Fong  <roger_fong@apple.com>
2337
2338         Unreviewed. JavaScriptCore VS2010 project cleanup.
2339
2340         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2341         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2342         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
2343         * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj:
2344
2345 2013-02-01  Sheriff Bot  <webkit.review.bot@gmail.com>
2346
2347         Unreviewed, rolling out r141662.
2348         http://trac.webkit.org/changeset/141662
2349         https://bugs.webkit.org/show_bug.cgi?id=108738
2350
2351         It's an incorrect change since processPhiStack will
2352         dereference dangling BasicBlock pointers (Requested by pizlo
2353         on #webkit).
2354
2355         * dfg/DFGByteCodeParser.cpp:
2356         (JSC::DFG::ByteCodeParser::parse):
2357
2358 2013-02-01  Filip Pizlo  <fpizlo@apple.com>
2359
2360         Eliminate dead blocks sooner in the DFG::ByteCodeParser to make clear that you don't need to hold onto them during Phi construction
2361         https://bugs.webkit.org/show_bug.cgi?id=108717
2362
2363         Reviewed by Mark Hahnenberg.
2364         
2365         I think this makes the code clearer. It doesn't change behavior.
2366
2367         * dfg/DFGByteCodeParser.cpp:
2368         (JSC::DFG::ByteCodeParser::parse):
2369
2370 2013-02-01  Mark Hahnenberg  <mhahnenberg@apple.com>
2371
2372         Structure should have a StructureRareData field to save space
2373         https://bugs.webkit.org/show_bug.cgi?id=108659
2374
2375         Reviewed by Oliver Hunt.
2376
2377         Many of the fields in Structure are used in a subset of all total Structures; however, all Structures must 
2378         pay the memory cost of those fields, regardless of whether they use them or not. Since we can have potentially 
2379         many Structures on a single page (e.g. bing.com creates ~1500 Structures), it would be profitable to 
2380         refactor Structure so that not every Structure has to pay the memory costs for these infrequently used fields.
2381
2382         To accomplish this, we can create a new StructureRareData class to house these seldom used fields which we 
2383         can allocate on demand whenever a Structure requires it. This StructureRareData can itself be a JSCell, and 
2384         can do all the marking of the fields for the Structure. The StructureRareData field will be part of a union 
2385         with m_previous to minimize overhead. We'll add a new field to JSTypeInfo to indicate that the Structure has 
2386         a StructureRareData field. During transitions, a Structure will clone its previous Structure's StructureRareData 
2387         if it has one. There could be some potential for optimizing this process, but the initial implementation will 
2388         be dumb since we'd be paying these overhead costs for each Structure anyway.
2389
2390         Initially we'll only put two fields in the StructureRareData to avoid a memory regression. Over time we'll 
2391         continue to move fields from Structure to StructureRareData. Optimistically, this could potentially reduce our 
2392         Structure memory footprint by up to around 75%. It could also clear the way for removing destructors from 
2393         Structures (and into StructureRareData).
2394
2395         * CMakeLists.txt:
2396         * GNUmakefile.list.am:
2397         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2398         * JavaScriptCore.xcodeproj/project.pbxproj:
2399         * Target.pri:
2400         * dfg/DFGRepatch.cpp: Includes for linking purposes.
2401         * jit/JITStubs.cpp:
2402         * jsc.cpp:
2403         * llint/LLIntSlowPaths.cpp:
2404         * runtime/JSCellInlines.h: Added ifdef guards.
2405         * runtime/JSGlobalData.cpp: New Structure for StructureRareData class.
2406         (JSC::JSGlobalData::JSGlobalData):
2407         * runtime/JSGlobalData.h:
2408         (JSGlobalData):
2409         * runtime/JSGlobalObject.h:
2410         * runtime/JSTypeInfo.h: New flag to indicate whether or not a Structure has a StructureRareData field.
2411         (JSC::TypeInfo::flags):
2412         (JSC::TypeInfo::structureHasRareData):
2413         * runtime/ObjectPrototype.cpp:
2414         * runtime/Structure.cpp: We use a combined WriteBarrier<JSCell> field m_previousOrRareData to avoid compiler issues.
2415         (JSC::Structure::dumpStatistics):
2416         (JSC::Structure::Structure): 
2417         (JSC::Structure::materializePropertyMap):
2418         (JSC::Structure::addPropertyTransition):
2419         (JSC::Structure::nonPropertyTransition):
2420         (JSC::Structure::pin):
2421         (JSC::Structure::allocateRareData): Handles allocating a brand new StructureRareData field.
2422         (JSC::Structure::cloneRareDataFrom): Handles cloning a StructureRareData field from another. Used during Structure 
2423         transitions.
2424         (JSC::Structure::visitChildren): We no longer have to worry about marking m_objectToStringValue.
2425         * runtime/Structure.h:
2426         (JSC::Structure::previousID): Checks the structureHasRareData flag to see where it should get the previous Structure.
2427         (JSC::Structure::objectToStringValue): Reads the value from the StructureRareData. If it doesn't exist, returns 0.
2428         (JSC::Structure::setObjectToStringValue): Ensures that we have a StructureRareData field, then forwards the function 
2429         call to it.
2430         (JSC::Structure::materializePropertyMapIfNecessary):
2431         (JSC::Structure::setPreviousID): Checks for StructureRareData and forwards if necessary.
2432         (Structure):
2433         (JSC::Structure::clearPreviousID): Ditto.
2434         (JSC::Structure::create):
2435         * runtime/StructureRareData.cpp: Added. All of the basic functionality of a JSCell with the fields that we've moved 
2436         from Structure and the functions required to access/modify those fields as Structure would have done.
2437         (JSC):
2438         (JSC::StructureRareData::createStructure):
2439         (JSC::StructureRareData::create):
2440         (JSC::StructureRareData::clone):
2441         (JSC::StructureRareData::StructureRareData):
2442         (JSC::StructureRareData::visitChildren):
2443         * runtime/StructureRareData.h: Added.
2444         (JSC):
2445         (StructureRareData):
2446         * runtime/StructureRareDataInlines.h: Added.
2447         (JSC):
2448         (JSC::StructureRareData::previousID):
2449         (JSC::StructureRareData::setPreviousID):
2450         (JSC::StructureRareData::clearPreviousID):
2451         (JSC::Structure::previous): Handles the ugly casting to get the value of the right type of m_previousOrRareData.
2452         (JSC::Structure::rareData): Ditto.
2453         (JSC::StructureRareData::objectToStringValue):
2454         (JSC::StructureRareData::setObjectToStringValue):
2455
2456         * CMakeLists.txt:
2457         * GNUmakefile.list.am:
2458         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2459         * JavaScriptCore.xcodeproj/project.pbxproj:
2460         * Target.pri:
2461         * dfg/DFGRepatch.cpp:
2462         * jit/JITStubs.cpp:
2463         * jsc.cpp:
2464         * llint/LLIntSlowPaths.cpp:
2465         * runtime/JSCellInlines.h:
2466         * runtime/JSGlobalData.cpp:
2467         (JSC::JSGlobalData::JSGlobalData):
2468         * runtime/JSGlobalData.h:
2469         (JSGlobalData):
2470         * runtime/JSGlobalObject.h:
2471         * runtime/JSTypeInfo.h:
2472         (JSC):
2473         (JSC::TypeInfo::flags):
2474         (JSC::TypeInfo::structureHasRareData):
2475         * runtime/ObjectPrototype.cpp:
2476         * runtime/Structure.cpp:
2477         (JSC::Structure::dumpStatistics):
2478         (JSC::Structure::Structure):
2479         (JSC::Structure::materializePropertyMap):
2480         (JSC::Structure::addPropertyTransition):
2481         (JSC::Structure::nonPropertyTransition):
2482         (JSC::Structure::pin):
2483         (JSC::Structure::allocateRareData):
2484         (JSC):
2485         (JSC::Structure::cloneRareDataFrom):
2486         (JSC::Structure::visitChildren):
2487         * runtime/Structure.h:
2488         (JSC::Structure::previousID):
2489         (JSC::Structure::objectToStringValue):
2490         (JSC::Structure::setObjectToStringValue):
2491         (JSC::Structure::materializePropertyMapIfNecessary):
2492         (JSC::Structure::setPreviousID):
2493         (Structure):
2494         (JSC::Structure::clearPreviousID):
2495         (JSC::Structure::previous):
2496         (JSC::Structure::rareData):
2497         (JSC::Structure::create):
2498         * runtime/StructureRareData.cpp: Added.
2499         (JSC):
2500         (JSC::StructureRareData::createStructure):
2501         (JSC::StructureRareData::create):
2502         (JSC::StructureRareData::clone):
2503         (JSC::StructureRareData::StructureRareData):
2504         (JSC::StructureRareData::visitChildren):
2505         * runtime/StructureRareData.h: Added.
2506         (JSC):
2507         (StructureRareData):
2508         * runtime/StructureRareDataInlines.h: Added.
2509         (JSC):
2510         (JSC::StructureRareData::previousID):
2511         (JSC::StructureRareData::setPreviousID):
2512         (JSC::StructureRareData::clearPreviousID):
2513         (JSC::StructureRareData::objectToStringValue):
2514         (JSC::StructureRareData::setObjectToStringValue):
2515
2516 2013-02-01  Balazs Kilvady  <kilvadyb@homejinni.com>
2517
2518         offlineasm BaseIndex handling is broken on ARM due to MIPS changes
2519         https://bugs.webkit.org/show_bug.cgi?id=108261
2520
2521         Reviewed by Filip Pizlo.
2522
2523         offlineasm BaseIndex handling fix on MIPS.
2524
2525         * offlineasm/mips.rb:
2526         * offlineasm/risc.rb:
2527
2528 2013-02-01  Geoffrey Garen  <ggaren@apple.com>
2529
2530         Removed an unused function: JSGlobalObject::createFunctionExecutableFromGlobalCode
2531         https://bugs.webkit.org/show_bug.cgi?id=108657
2532
2533         Reviewed by Anders Carlsson.
2534
2535         * runtime/JSGlobalObject.cpp:
2536         (JSC):
2537         * runtime/JSGlobalObject.h:
2538         (JSGlobalObject):
2539
2540 2013-02-01  Geoffrey Garen  <ggaren@apple.com>
2541
2542         Added TriState to WTF and started using it in one place
2543         https://bugs.webkit.org/show_bug.cgi?id=108628
2544
2545         Reviewed by Beth Dakin.
2546
2547         * runtime/PrototypeMap.h:
2548         (JSC::PrototypeMap::isPrototype): Use TriState instead of boolean. In
2549         response to review feedback, this is an attempt to clarify that our
2550         'true' condition is actually just a 'maybe'.
2551
2552         * runtime/PrototypeMap.h:
2553         (PrototypeMap):
2554         (JSC::PrototypeMap::isPrototype):
2555
2556 2013-02-01  Alexis Menard  <alexis@webkit.org>
2557
2558         Enable unprefixed CSS transitions by default.
2559         https://bugs.webkit.org/show_bug.cgi?id=108216
2560
2561         Reviewed by Dean Jackson.
2562
2563         Rename the flag CSS_TRANSFORMS_ANIMATIONS_TRANSITIONS_UNPREFIXED
2564         to CSS_TRANSFORMS_ANIMATIONS_UNPREFIXED which will be used later to 
2565         guard the unprefixing work for CSS Transforms and animations.
2566
2567         * Configurations/FeatureDefines.xcconfig:
2568
2569 2013-01-31  Filip Pizlo  <fpizlo@apple.com>
2570
2571         DFG::CFGSimplificationPhase::keepOperandAlive() conflates liveness and availability
2572         https://bugs.webkit.org/show_bug.cgi?id=108580
2573
2574         Reviewed by Oliver Hunt.
2575         
2576         This is a harmless bug in that it only results in us keeping a bit too many things
2577         for OSR.  But it's worth fixing so that the code is consistent.
2578
2579         keepOperandAlive() is called when block A has a branch to blocks B and C, but the
2580         A->B edge is proven to never be taken and we want to optimize the code to have A
2581         unconditionally jump to C.  In that case, for the purposes of OSR, we need to
2582         preserve the knowledge that the state that B expected to be live incoming from A
2583         ought still to be live up to the point of where the A->B,C branch used to be.  The
2584         way we keep things alive is by using the variablesAtTail of A (i.e., we use the
2585         knowledge of in what manner A made state available to B and C).  The way we choose
2586         which state should be kept alive ought to be chosen by the variablesAtHead of B
2587         (i.e. the things B says it needs from its predecessors, including A), except that
2588         keepOperandAlive() was previously just using variablesAtTail of A for this
2589         purpose.
2590         
2591         The fix is to have keepOperandAlive() use both liveness and availability in its
2592         logic. It should use liveness (i.e. B->variablesAtHead) to decide what to keep
2593         alive, and it should use availability (i.e. A->variablesAtTail) to decide how to
2594         keep it alive.
2595         
2596         This might be a microscopic win on some programs, but it's mainly intended to be
2597         a code clean-up so that I don't end up scratching my head in confusion the next
2598         time I look at this code.
2599
2600         * dfg/DFGCFGSimplificationPhase.cpp:
2601         (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
2602         (JSC::DFG::CFGSimplificationPhase::jettisonBlock):
2603         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
2604
2605 2013-01-31  Geoffrey Garen  <ggaren@apple.com>
2606
2607         REGRESSION (r141192): Crash beneath cti_op_get_by_id_generic @ discussions.apple.com
2608         https://bugs.webkit.org/show_bug.cgi?id=108576
2609
2610         Reviewed by Filip Pizlo.
2611
2612         This was a long-standing bug. The DFG would destructively reuse a register
2613         in op_convert_this, but:
2614
2615             * The bug only presented during speculation failure for type Other
2616
2617             * The bug presented by removing the low bits of a pointer, which
2618             used to be harmless, since all objects were so aligned anyway.
2619
2620         * dfg/DFGSpeculativeJIT64.cpp:
2621         (JSC::DFG::SpeculativeJIT::compile): Don't reuse our this register as
2622         our scratch register. The whole point of our scratch register is to
2623         avoid destructively modifying our this register. I'm pretty sure this
2624         was a copy-paste error.
2625
2626 2013-01-31  Roger Fong  <roger_fong@apple.com>
2627
2628         Unreviewed. Windows build fix.
2629
2630         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
2631
2632 2013-01-31  Jessie Berlin  <jberlin@apple.com>
2633
2634         Rolling out r141407 because it is causing crashes under
2635         WTF::TCMalloc_Central_FreeList::FetchFromSpans() in Release builds.
2636
2637         * bytecode/CodeBlock.cpp:
2638         (JSC::CodeBlock::CodeBlock):
2639
2640 2013-01-31  Mark Hahnenberg  <mhahnenberg@apple.com>
2641
2642         Objective-C API: JSContext exception property causes reference cycle
2643         https://bugs.webkit.org/show_bug.cgi?id=107778
2644
2645         Reviewed by Darin Adler.
2646
2647         JSContext has a (retain) JSValue * exception property which, when non-null, creates a 
2648         reference cycle (since the JSValue * holds a strong reference back to the JSContext *).
2649
2650         * API/JSContext.mm: Instead of JSValue *, we now use a plain JSValueRef, which eliminates the reference cycle.
2651         (-[JSContext initWithVirtualMachine:]):
2652         (-[JSContext setException:]):
2653         (-[JSContext exception]):
2654
2655 2013-01-31  Roger Fong  <roger_fong@apple.com>
2656
2657         Unreviewed build fix. Win7 port.
2658
2659         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
2660
2661 2013-01-31  Joseph Pecoraro  <pecoraro@apple.com>
2662
2663         Disable ENABLE_FULLSCREEN_API on iOS
2664         https://bugs.webkit.org/show_bug.cgi?id=108250
2665
2666         Reviewed by Benjamin Poulain.
2667
2668         * Configurations/FeatureDefines.xcconfig:
2669
2670 2013-01-31  Mark Hahnenberg  <mhahnenberg@apple.com>
2671
2672         Objective-C API: Fix insertion of values greater than the max index allowed by the spec
2673         https://bugs.webkit.org/show_bug.cgi?id=108264
2674
2675         Reviewed by Oliver Hunt.
2676
2677         Fixed a bug, added a test to the API tests, cleaned up some code.
2678
2679         * API/JSValue.h: Changed some of the documentation on setValue:atIndex: to indicate that 
2680         setting values at indices greater than UINT_MAX - 1 won't affect the length of JS arrays.
2681         * API/JSValue.mm:
2682         (-[JSValue valueAtIndex:]): We weren't returning when we should have been.
2683         (-[JSValue setValue:atIndex:]): Added a comment about why we do the early check for being larger than UINT_MAX.
2684         (objectToValueWithoutCopy): Removed two redundant cases that were already checked previously.
2685         * API/tests/testapi.mm:
2686
2687 2013-01-30  Andreas Kling  <akling@apple.com>
2688
2689         Vector should consult allocator about ideal size when choosing capacity.
2690         <http://webkit.org/b/108410>
2691         <rdar://problem/13124002>
2692
2693         Reviewed by Benjamin Poulain.
2694
2695         Remove assertion about Vector capacity that won't hold anymore since capacity()
2696         may not be what you passed to reserveCapacity().
2697
2698         * bytecode/CodeBlock.cpp:
2699         (JSC::CodeBlock::CodeBlock):
2700
2701 2013-01-30  Filip Pizlo  <fpizlo@apple.com>
2702
2703         DFG bytecode parser should have more assertions about the status of local accesses
2704         https://bugs.webkit.org/show_bug.cgi?id=108417
2705
2706         Reviewed by Mark Hahnenberg.
2707         
2708         Assert some things that we already know to be true, just to reassure ourselves that they are true.
2709         This is meant as a prerequisite for https://bugs.webkit.org/show_bug.cgi?id=108414, which will
2710         make these rules even stricter.
2711
2712         * dfg/DFGByteCodeParser.cpp:
2713         (JSC::DFG::ByteCodeParser::getLocal):
2714         (JSC::DFG::ByteCodeParser::getArgument):
2715
2716 2013-01-30  Mark Hahnenberg  <mhahnenberg@apple.com>
2717
2718         Objective-C API: JSContext's dealloc causes ASSERT due to ordering of releases
2719         https://bugs.webkit.org/show_bug.cgi?id=107978
2720
2721         Reviewed by Filip Pizlo.
2722
2723         We need to add the Identifier table save/restore in JSContextGroupRelease so that we 
2724         have the correct table if we end up destroying the JSGlobalData/Heap.
2725
2726         * API/JSContextRef.cpp:
2727         (JSContextGroupRelease):
2728
2729 2013-01-30  Mark Hahnenberg  <mhahnenberg@apple.com>
2730
2731         Objective-C API: exceptionHandler needs to be released in JSContext dealloc
2732         https://bugs.webkit.org/show_bug.cgi?id=108378
2733
2734         Reviewed by Filip Pizlo.
2735
2736         JSContext has a (copy) exceptionHandler property that it doesn't release in dealloc. 
2737         That sounds like the potential for a leak. It should be released.
2738
2739         * API/JSContext.mm:
2740         (-[JSContext dealloc]):
2741
2742 2013-01-30  Filip Pizlo  <fpizlo@apple.com>
2743
2744         REGRESSION(140504): pure CSE no longer matches things, 10% regression on Kraken
2745         https://bugs.webkit.org/show_bug.cgi?id=108366
2746
2747         Reviewed by Geoffrey Garen and Mark Hahnenberg.
2748         
2749         This was a longstanding bug that was revealed by http://trac.webkit.org/changeset/140504.
2750         Pure CSE requires that the Node::flags() that may affect the behavior of a node match,
2751         when comparing a possibly redundant node to its possible replacement. It was doing this
2752         by comparing Node::arithNodeFlags(), which, as the name might appear to suggest, returns
2753         just those flag bits that correspond to actual node behavior and not auxiliary things.
2754         Unfortunately, Node::arithNodeFlags() wasn't actually masking off the irrelevant bits.
2755         This worked prior to r140504 because CSE itself didn't mutate the flags, so there was a
2756         very high probability that matching nodes would also have completely identical flag bits
2757         (even the ones that aren't relevant to arithmetic behavior, like NodeDoesNotExit). But
2758         r140504 moved one of CSE's side-tables (m_relevantToOSR) into a flag bit for quicker
2759         access. These bits would be mutated as the CSE ran over a basic block, in such a way that
2760         there was a very high probability that the possible replacement would already have the
2761         bit set, while the redundant node did not have the bit set. Since Node::arithNodeFlags()
2762         returned all of the bits, this would cause CSEPhase::pureCSE() to reject the match
2763         almost every time.
2764         
2765         The solution is to make Node::arithNodeFlags() do as its name suggests: only return those
2766         flags that are relevant to arithmetic behavior. This patch introduces a new mask that
2767         represents those bits, and includes NodeBehaviorMask and NodeBackPropMask, which are both
2768         used for queries on Node::arithNodeFlags(), and both affect arithmetic code gen. None of
2769         the other flags are relevant to Node::arithNodeFlags() since they either correspond to
2770         information already conveyed by the opcode (like NodeResultMask, NodeMustGenerate,
2771         NodeHasVarArgs, NodeClobbersWorld, NodeMightClobber) or information that doesn't affect
2772         the result that the node will produce or any of the queries performed on the result of
2773         Node::arithNodeFlags (NodeDoesNotExit and of course NodeRelevantToOSR).
2774         
2775         This is a 10% speed-up on Kraken, undoing the regression from r140504.
2776
2777         * dfg/DFGNode.h:
2778         (JSC::DFG::Node::arithNodeFlags):
2779         * dfg/DFGNodeFlags.h:
2780         (DFG):
2781
2782 2013-01-29  Mark Hahnenberg  <mhahnenberg@apple.com>
2783
2784         Structure::m_outOfLineCapacity is unnecessary
2785         https://bugs.webkit.org/show_bug.cgi?id=108206
2786
2787         Reviewed by Geoffrey Garen.
2788
2789         We can calculate our out of line capacity by using the outOfLineSize and our knowledge about our resize policy.
2790         According to GDB, this knocks Structures down from 136 bytes to 128 bytes (I'm guessing the extra bytes are from
2791         better alignment of object fields), which puts Structures in a smaller size class. Woohoo! Looks neutral on our 
2792         benchmarks.
2793
2794         * runtime/Structure.cpp:
2795         (JSC::Structure::Structure):
2796         (JSC):
2797         (JSC::Structure::suggestedNewOutOfLineStorageCapacity):
2798         (JSC::Structure::addPropertyTransition):
2799         (JSC::Structure::addPropertyWithoutTransition):
2800         * runtime/Structure.h:
2801         (Structure):
2802         (JSC::Structure::outOfLineCapacity):
2803         (JSC::Structure::totalStorageCapacity):
2804
2805 2013-01-29  Geoffrey Garen  <ggaren@apple.com>
2806
2807         Be a little more conservative about emitting table-based switches
2808         https://bugs.webkit.org/show_bug.cgi?id=108292
2809
2810         Reviewed by Filip Pizlo.
2811
2812         Profiling shows we're using op_switch in cases where it's a regression.
2813
2814         * bytecompiler/NodesCodegen.cpp:
2815         (JSC):
2816         (JSC::length):
2817         (JSC::CaseBlockNode::tryTableSwitch):
2818         (JSC::CaseBlockNode::emitBytecodeForBlock):
2819         * parser/Nodes.h:
2820         (CaseBlockNode):
2821
2822 2013-01-29  Sheriff Bot  <webkit.review.bot@gmail.com>
2823
2824         Unreviewed, rolling out r140983.
2825         http://trac.webkit.org/changeset/140983
2826         https://bugs.webkit.org/show_bug.cgi?id=108277
2827
2828         Unfortunately, this API has one last client (Requested by
2829         abarth on #webkit).
2830
2831         * Configurations/FeatureDefines.xcconfig:
2832
2833 2013-01-29  Mark Hahnenberg  <mhahnenberg@apple.com>
2834
2835         Objective-C API: JSObjCClassInfo creates reference cycle with JSContext
2836         https://bugs.webkit.org/show_bug.cgi?id=107839
2837
2838         Reviewed by Geoffrey Garen.
2839
2840         Fixing several ASSERTs that were incorrect along with some of the reallocation of m_prototype and 
2841         m_constructor that they were based on.
2842
2843         * API/JSWrapperMap.mm:
2844         (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): We now only allocate those
2845         fields that are null (i.e. have been collected or have never been allocated to begin with).
2846         (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]): Renamed to better indicate that we're 
2847         reallocating one or both of the prototype/constructor combo.
2848         (-[JSObjCClassInfo wrapperForObject:]): Call new reallocate function.
2849         (-[JSObjCClassInfo constructor]): Ditto.
2850
2851 2013-01-29  Geoffrey Garen  <ggaren@apple.com>
2852
2853         Make precise size classes more precise
2854         https://bugs.webkit.org/show_bug.cgi?id=108270
2855
2856         Reviewed by Mark Hahnenberg.
2857
2858         Size inference makes this profitable.
2859
2860         I chose 8-byte increments because JSString is 24 bytes. Otherwise, 16-byte
2861         increments might be better.
2862
2863         * heap/Heap.h:
2864         (Heap): Removed firstAllocatorWithoutDestructors because it's unused now.
2865
2866         * heap/MarkedBlock.h:
2867         (MarkedBlock): Updated constants.
2868
2869         * heap/MarkedSpace.h:
2870         (MarkedSpace):
2871         (JSC): Also reduced the maximum precise size class because my testing
2872         has shown that the smaller size classes are much more common. This
2873         offsets some of the size class explosion caused by reducing the precise
2874         increment.
2875
2876         * llint/LLIntData.cpp:
2877         (JSC::LLInt::Data::performAssertions): No need for this ASSERT anymore
2878         because we don't rely on firstAllocatorWithoutDestructors anymore, since
2879         we pick size classes dynamically now.
2880
2881 2013-01-29  Oliver Hunt  <oliver@apple.com>
2882
2883         Add some hardening to methodTable()
2884         https://bugs.webkit.org/show_bug.cgi?id=108253
2885
2886         Reviewed by Mark Hahnenberg.
2887
2888         When accessing methodTable() we now always make sure that our
2889         structure _could_ be valid.  Added a separate method to get a
2890         class's methodTable during destruction as it's not possible to
2891         validate the structure at that point.  This separation might
2892         also make it possible to improve the performance of methodTable
2893         access more generally in future.
2894
2895         * heap/MarkedBlock.cpp:
2896         (JSC::MarkedBlock::callDestructor):
2897         * runtime/JSCell.h:
2898         (JSCell):
2899         * runtime/JSCellInlines.h:
2900         (JSC::JSCell::methodTableForDestruction):
2901         (JSC):
2902         (JSC::JSCell::methodTable):
2903
2904 2013-01-29  Filip Pizlo  <fpizlo@apple.com>
2905
2906         offlineasm BaseIndex handling is broken on ARM due to MIPS changes
2907         https://bugs.webkit.org/show_bug.cgi?id=108261
2908
2909         Reviewed by Oliver Hunt.
2910         
2911         Backends shouldn't override each other's methods. That's not cool.
2912
2913         * offlineasm/mips.rb:
2914
2915 2013-01-29  Filip Pizlo  <fpizlo@apple.com>
2916
2917         cloop.rb shouldn't use a method called 'dump' for code generation
2918         https://bugs.webkit.org/show_bug.cgi?id=108251
2919
2920         Reviewed by Mark Hahnenberg.
2921         
2922         Revert http://trac.webkit.org/changeset/141178 and rename 'dump' to 'clDump'.
2923         
2924         Also made trivial build fixes for !ENABLE(JIT).
2925
2926         * offlineasm/cloop.rb:
2927         * runtime/Executable.h:
2928         (ExecutableBase):
2929         (JSC::ExecutableBase::intrinsicFor):
2930         * runtime/JSGlobalData.h:
2931
2932 2013-01-29  Geoffrey Garen  <ggaren@apple.com>
2933
2934         Removed GGC because it has been disabled for a long time
2935         https://bugs.webkit.org/show_bug.cgi?id=108245
2936
2937         Reviewed by Filip Pizlo.
2938
2939         * GNUmakefile.list.am:
2940         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2941         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2942         * JavaScriptCore.xcodeproj/project.pbxproj:
2943         * dfg/DFGRepatch.cpp:
2944         (JSC::DFG::emitPutReplaceStub):
2945         (JSC::DFG::emitPutTransitionStub):
2946         * dfg/DFGSpeculativeJIT.cpp:
2947         (JSC::DFG::SpeculativeJIT::writeBarrier):
2948         * dfg/DFGSpeculativeJIT.h:
2949         (SpeculativeJIT):
2950         * dfg/DFGSpeculativeJIT32_64.cpp:
2951         (JSC::DFG::SpeculativeJIT::compile):
2952         * dfg/DFGSpeculativeJIT64.cpp:
2953         (JSC::DFG::SpeculativeJIT::compile):
2954         * heap/CardSet.h: Removed.
2955         * heap/Heap.cpp:
2956         (JSC::Heap::markRoots):
2957         (JSC::Heap::collect):
2958         * heap/Heap.h:
2959         (Heap):
2960         (JSC::Heap::shouldCollect):
2961         (JSC::Heap::isWriteBarrierEnabled):
2962         (JSC):
2963         (JSC::Heap::writeBarrier):
2964         * heap/MarkedBlock.h:
2965         (MarkedBlock):
2966         (JSC):
2967         * heap/MarkedSpace.cpp:
2968         (JSC):
2969         * jit/JITPropertyAccess.cpp:
2970         (JSC::JIT::emitWriteBarrier):
2971
2972 2013-01-29  Filip Pizlo  <fpizlo@apple.com>
2973
2974         Remove redundant AST dump method from cloop.rb, since they are already defined in ast.rb
2975         https://bugs.webkit.org/show_bug.cgi?id=108247
2976
2977         Reviewed by Oliver Hunt.
2978         
2979         Makes offlineasm dumping easier to read and less likely to cause assertion failures.
2980         Also fixes the strange situation where cloop.rb and ast.rb both defined dump methods,
2981         but cloop.rb was winning.
2982
2983         * offlineasm/cloop.rb:
2984
2985 2013-01-29  Mark Hahnenberg  <mhahnenberg@apple.com>
2986
2987         Objective-C API: JSObjCClassInfo creates reference cycle with JSContext
2988         https://bugs.webkit.org/show_bug.cgi?id=107839
2989
2990         Reviewed by Oliver Hunt.
2991
2992         JSContext has a JSWrapperMap, which has an NSMutableDictionary m_classMap, which has values that 
2993         are JSObjCClassInfo objects, which have strong references to two JSValue *'s, m_prototype and 
2994         m_constructor, which in turn have strong references to the JSContext, creating a reference cycle. 
2995         We should make m_prototype and m_constructor Weak<JSObject>. This gets rid of the strong reference 
2996         to the JSContext and also prevents clients from accidentally creating reference cycles by assigning 
2997         to the prototype of the constructor. If Weak<JSObject> fields are ever garbage collected, we will 
2998         reallocate them.
2999
3000         * API/JSContext.mm:
3001         (-[JSContext wrapperMap]):
3002         * API/JSContextInternal.h:
3003         * API/JSWrapperMap.mm:
3004         (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]):
3005         (-[JSObjCClassInfo dealloc]):
3006         (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
3007         (-[JSObjCClassInfo allocateConstructorAndPrototype]):
3008         (-[JSObjCClassInfo wrapperForObject:]):
3009         (-[JSObjCClassInfo constructor]):
3010
3011 2013-01-29  Oliver Hunt  <oliver@apple.com>
3012
3013         REGRESSION (r140594): RELEASE_ASSERT_NOT_REACHED in JSC::Interpreter::execute
3014         https://bugs.webkit.org/show_bug.cgi?id=108097
3015
3016         Reviewed by Geoffrey Garen.
3017
3018         LiteralParser was accepting a bogus 'var a.b = c' statement.
3019
3020         * runtime/LiteralParser.cpp:
3021         (JSC::::tryJSONPParse):
3022
3023 2013-01-29  Oliver Hunt  <oliver@apple.com>
3024
3025         Force debug builds to do bounds checks on contiguous property storage
3026         https://bugs.webkit.org/show_bug.cgi?id=108212
3027
3028         Reviewed by Mark Hahnenberg.
3029
3030         Add a ContiguousData type that we use to represent contiguous property
3031         storage.  In release builds it is simply a pointer to the correct type,
3032         but in debug builds it also carries the data length and performs bounds
3033         checks.  This means we don't have to add as many manual bounds assertions
3034         when performing operations over contiguous data.
3035
3036         * dfg/DFGOperations.cpp:
3037         * runtime/ArrayStorage.h:
3038         (ArrayStorage):
3039         (JSC::ArrayStorage::vector):
3040         * runtime/Butterfly.h:
3041         (JSC::ContiguousData::ContiguousData):
3042         (ContiguousData):
3043         (JSC::ContiguousData::operator[]):
3044         (JSC::ContiguousData::data):
3045         (JSC::ContiguousData::length):
3046         (JSC):
3047         (JSC::Butterfly::contiguousInt32):
3048         (Butterfly):
3049         (JSC::Butterfly::contiguousDouble):
3050         (JSC::Butterfly::contiguous):
3051         * runtime/JSArray.cpp:
3052         (JSC::JSArray::sortNumericVector):
3053         (ContiguousTypeAccessor):
3054         (JSC::ContiguousTypeAccessor::getAsValue):
3055         (JSC::ContiguousTypeAccessor::setWithValue):
3056         (JSC::ContiguousTypeAccessor::replaceDataReference):
3057         (JSC):
3058         (JSC::JSArray::sortCompactedVector):
3059         (JSC::JSArray::sort):
3060         (JSC::JSArray::fillArgList):
3061         (JSC::JSArray::copyToArguments):
3062         * runtime/JSArray.h:
3063         (JSArray):
3064         * runtime/JSObject.cpp:
3065         (JSC::JSObject::copyButterfly):
3066         (JSC::JSObject::visitButterfly):
3067         (JSC::JSObject::createInitialInt32):
3068         (JSC::JSObject::createInitialDouble):
3069         (JSC::JSObject::createInitialContiguous):
3070         (JSC::JSObject::convertUndecidedToInt32):
3071         (JSC::JSObject::convertUndecidedToDouble):
3072         (JSC::JSObject::convertUndecidedToContiguous):
3073         (JSC::JSObject::convertInt32ToDouble):
3074         (JSC::JSObject::convertInt32ToContiguous):
3075         (JSC::JSObject::genericConvertDoubleToContiguous):
3076         (JSC::JSObject::convertDoubleToContiguous):
3077         (JSC::JSObject::rageConvertDoubleToContiguous):
3078         (JSC::JSObject::ensureInt32Slow):
3079         (JSC::JSObject::ensureDoubleSlow):
3080         (JSC::JSObject::ensureContiguousSlow):
3081         (JSC::JSObject::rageEnsureContiguousSlow):
3082         (JSC::JSObject::ensureLengthSlow):
3083         * runtime/JSObject.h:
3084         (JSC::JSObject::ensureInt32):
3085         (JSC::JSObject::ensureDouble):
3086         (JSC::JSObject::ensureContiguous):
3087         (JSC::JSObject::rageEnsureContiguous):
3088         (JSObject):
3089         (JSC::JSObject::indexingData):
3090         (JSC::JSObject::currentIndexingData):
3091
3092 2013-01-29  Brent Fulgham  <bfulgham@webkit.org>
3093
3094         [Windows, WinCairo] Unreviewed build fix after r141050
3095
3096         * JavaScriptCore.vcxproj/JavaScriptCoreExports.def: Update symbols
3097         to match JavaScriptCore.vcproj version.
3098
3099 2013-01-29  Allan Sandfeld Jensen  <allan.jensen@digia.com>
3100
3101         [Qt] Implement GCActivityCallback
3102         https://bugs.webkit.org/show_bug.cgi?id=103998
3103
3104         Reviewed by Simon Hausmann.
3105
3106         Implements the activity triggered garbage collector.
3107
3108         * runtime/GCActivityCallback.cpp:
3109         (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
3110         (JSC::DefaultGCActivityCallback::scheduleTimer):
3111         (JSC::DefaultGCActivityCallback::cancelTimer):
3112         * runtime/GCActivityCallback.h:
3113         (GCActivityCallback):
3114         (DefaultGCActivityCallback):
3115
3116 2013-01-29  Mikhail Pozdnyakov  <mikhail.pozdnyakov@intel.com>
3117
3118         Compilation warning in JSC
3119         https://bugs.webkit.org/show_bug.cgi?id=108178
3120
3121         Reviewed by Kentaro Hara.
3122
3123         Fixed 'comparison between signed and unsigned integer' warning in JSC::Structure constructor.
3124
3125         * runtime/Structure.cpp:
3126         (JSC::Structure::Structure):
3127
3128 2013-01-29  Jocelyn Turcotte  <jocelyn.turcotte@digia.com>
3129
3130         [Qt] Fix the JSC build on Mac
3131
3132         Unreviewed, build fix.
3133
3134         * heap/HeapTimer.h:
3135         Qt on Mac has USE(CF) true, and should use the CF HeapTimer in that case.
3136
3137 2013-01-29  Allan Sandfeld Jensen  <allan.jensen@digia.com>
3138
3139         [Qt] Implement IncrementalSweeper and HeapTimer
3140         https://bugs.webkit.org/show_bug.cgi?id=103996
3141
3142         Reviewed by Simon Hausmann.
3143
3144         Implements the incremental sweeping garbage collection for the Qt platform.
3145
3146         * heap/HeapTimer.cpp:
3147         (JSC::HeapTimer::HeapTimer):
3148         (JSC::HeapTimer::~HeapTimer):
3149         (JSC::HeapTimer::timerEvent):
3150         (JSC::HeapTimer::synchronize):
3151         (JSC::HeapTimer::invalidate):
3152         (JSC::HeapTimer::didStartVMShutdown):
3153         * heap/HeapTimer.h:
3154         (HeapTimer):
3155         * heap/IncrementalSweeper.cpp:
3156         (JSC::IncrementalSweeper::IncrementalSweeper):
3157         (JSC::IncrementalSweeper::scheduleTimer):
3158         * heap/IncrementalSweeper.h:
3159         (IncrementalSweeper):
3160
3161 2013-01-28  Filip Pizlo  <fpizlo@apple.com>
3162
3163         DFG should not use a graph that is a vector, Nodes shouldn't move after allocation, and we should always refer to nodes by Node*
3164         https://bugs.webkit.org/show_bug.cgi?id=106868
3165
3166         Reviewed by Oliver Hunt.
3167         
3168         This adds a pool allocator for Nodes, and uses that instead of a Vector. Changes all
3169         uses of Node& and NodeIndex to be simply Node*. Nodes no longer have an index except
3170         for debugging (Node::index(), which is not guaranteed to be O(1)).
3171         
3172         1% speed-up on SunSpider, presumably because this improves compile times.
3173
3174         * CMakeLists.txt:
3175         * GNUmakefile.list.am:
3176         * JavaScriptCore.xcodeproj/project.pbxproj:
3177         * Target.pri:
3178         * bytecode/DataFormat.h:
3179         (JSC::dataFormatToString):
3180         * dfg/DFGAbstractState.cpp:
3181         (JSC::DFG::AbstractState::initialize):
3182         (JSC::DFG::AbstractState::booleanResult):
3183         (JSC::DFG::AbstractState::execute):
3184         (JSC::DFG::AbstractState::mergeStateAtTail):
3185         (JSC::DFG::AbstractState::mergeToSuccessors):
3186         (JSC::DFG::AbstractState::mergeVariableBetweenBlocks):
3187         (JSC::DFG::AbstractState::dump):
3188         * dfg/DFGAbstractState.h:
3189         (DFG):
3190         (JSC::DFG::AbstractState::forNode):
3191         (AbstractState):
3192         (JSC::DFG::AbstractState::speculateInt32Unary):
3193         (JSC::DFG::AbstractState::speculateNumberUnary):
3194         (JSC::DFG::AbstractState::speculateBooleanUnary):
3195         (JSC::DFG::AbstractState::speculateInt32Binary):
3196         (JSC::DFG::AbstractState::speculateNumberBinary):
3197         (JSC::DFG::AbstractState::trySetConstant):
3198         * dfg/DFGAbstractValue.h:
3199         (AbstractValue):
3200         * dfg/DFGAdjacencyList.h:
3201         (JSC::DFG::AdjacencyList::AdjacencyList):
3202         (JSC::DFG::AdjacencyList::initialize):
3203         * dfg/DFGAllocator.h: Added.
3204         (DFG):
3205         (Allocator):
3206         (JSC::DFG::Allocator::Region::size):
3207         (JSC::DFG::Allocator::Region::headerSize):
3208         (JSC::DFG::Allocator::Region::numberOfThingsPerRegion):
3209         (JSC::DFG::Allocator::Region::data):
3210         (JSC::DFG::Allocator::Region::isInThisRegion):
3211         (JSC::DFG::Allocator::Region::regionFor):
3212         (Region):
3213         (JSC::DFG::::Allocator):
3214         (JSC::DFG::::~Allocator):
3215         (JSC::DFG::::allocate):
3216         (JSC::DFG::::free):
3217         (JSC::DFG::::freeAll):
3218         (JSC::DFG::::reset):
3219         (JSC::DFG::::indexOf):
3220         (JSC::DFG::::allocatorOf):
3221         (JSC::DFG::::bumpAllocate):
3222         (JSC::DFG::::freeListAllocate):
3223         (JSC::DFG::::allocateSlow):
3224         (JSC::DFG::::freeRegionsStartingAt):
3225         (JSC::DFG::::startBumpingIn):
3226         * dfg/DFGArgumentsSimplificationPhase.cpp:
3227         (JSC::DFG::ArgumentsSimplificationPhase::run):
3228         (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
3229         (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUses):
3230         (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
3231         (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
3232         (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
3233         * dfg/DFGArrayMode.cpp:
3234         (JSC::DFG::ArrayMode::originalArrayStructure):
3235         (JSC::DFG::ArrayMode::alreadyChecked):
3236         * dfg/DFGArrayMode.h:
3237         (ArrayMode):
3238         * dfg/DFGArrayifySlowPathGenerator.h:
3239         (JSC::DFG::ArrayifySlowPathGenerator::ArrayifySlowPathGenerator):
3240         * dfg/DFGBasicBlock.h:
3241         (JSC::DFG::BasicBlock::node):
3242         (JSC::DFG::BasicBlock::isInPhis):
3243         (JSC::DFG::BasicBlock::isInBlock):
3244         (BasicBlock):
3245         * dfg/DFGBasicBlockInlines.h:
3246         (DFG):
3247         * dfg/DFGByteCodeParser.cpp:
3248         (ByteCodeParser):
3249         (JSC::DFG::ByteCodeParser::getDirect):
3250         (JSC::DFG::ByteCodeParser::get):
3251         (JSC::DFG::ByteCodeParser::setDirect):
3252         (JSC::DFG::ByteCodeParser::set):
3253         (JSC::DFG::ByteCodeParser::setPair):
3254         (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
3255         (JSC::DFG::ByteCodeParser::getLocal):
3256         (JSC::DFG::ByteCodeParser::setLocal):
3257         (JSC::DFG::ByteCodeParser::getArgument):
3258         (JSC::DFG::ByteCodeParser::setArgument):
3259         (JSC::DFG::ByteCodeParser::flushDirect):
3260         (JSC::DFG::ByteCodeParser::getToInt32):
3261         (JSC::DFG::ByteCodeParser::toInt32):
3262         (JSC::DFG::ByteCodeParser::getJSConstantForValue):
3263         (JSC::DFG::ByteCodeParser::getJSConstant):
3264         (JSC::DFG::ByteCodeParser::getCallee):
3265         (JSC::DFG::ByteCodeParser::getThis):
3266         (JSC::DFG::ByteCodeParser::setThis):
3267         (JSC::DFG::ByteCodeParser::isJSConstant):
3268         (JSC::DFG::ByteCodeParser::isInt32Constant):
3269         (JSC::DFG::ByteCodeParser::valueOfJSConstant):
3270         (JSC::DFG::ByteCodeParser::valueOfInt32Constant):
3271         (JSC::DFG::ByteCodeParser::constantUndefined):
3272         (JSC::DFG::ByteCodeParser::constantNull):
3273         (JSC::DFG::ByteCodeParser::one):
3274         (JSC::DFG::ByteCodeParser::constantNaN):
3275         (JSC::DFG::ByteCodeParser::cellConstant):
3276         (JSC::DFG::ByteCodeParser::addToGraph):
3277         (JSC::DFG::ByteCodeParser::insertPhiNode):
3278         (JSC::DFG::ByteCodeParser::addVarArgChild):
3279         (JSC::DFG::ByteCodeParser::addCall):
3280         (JSC::DFG::ByteCodeParser::addStructureTransitionCheck):
3281         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
3282         (JSC::DFG::ByteCodeParser::getPrediction):
3283         (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
3284         (JSC::DFG::ByteCodeParser::makeSafe):
3285         (JSC::DFG::ByteCodeParser::makeDivSafe):
3286         (JSC::DFG::ByteCodeParser::ConstantRecord::ConstantRecord):
3287         (ConstantRecord):
3288         (JSC::DFG::ByteCodeParser::PhiStackEntry::PhiStackEntry):
3289         (PhiStackEntry):
3290         (JSC::DFG::ByteCodeParser::handleCall):
3291         (JSC::DFG::ByteCodeParser::emitFunctionChecks):
3292         (JSC::DFG::ByteCodeParser::handleInlining):
3293         (JSC::DFG::ByteCodeParser::setIntrinsicResult):
3294         (JSC::DFG::ByteCodeParser::handleMinMax):
3295         (JSC::DFG::ByteCodeParser::handleIntrinsic):
3296         (JSC::DFG::ByteCodeParser::handleGetByOffset):
3297         (JSC::DFG::ByteCodeParser::handleGetById):
3298         (JSC::DFG::ByteCodeParser::getScope):
3299         (JSC::DFG::ByteCodeParser::parseResolveOperations):
3300         (JSC::DFG::ByteCodeParser::parseBlock):
3301         (JSC::DFG::ByteCodeParser::processPhiStack):
3302         (JSC::DFG::ByteCodeParser::linkBlock):
3303         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3304         (JSC::DFG::ByteCodeParser::parse):
3305         * dfg/DFGCFAPhase.cpp:
3306         (JSC::DFG::CFAPhase::performBlockCFA):
3307         * dfg/DFGCFGSimplificationPhase.cpp:
3308         (JSC::DFG::CFGSimplificationPhase::run):
3309         (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
3310         (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
3311         (JSC::DFG::CFGSimplificationPhase::fixPhis):
3312         (JSC::DFG::CFGSimplificationPhase::removePotentiallyDeadPhiReference):
3313         (JSC::DFG::CFGSimplificationPhase::OperandSubstitution::OperandSubstitution):
3314         (JSC::DFG::CFGSimplificationPhase::OperandSubstitution::dump):
3315         (OperandSubstitution):
3316         (JSC::DFG::CFGSimplificationPhase::skipGetLocal):
3317         (JSC::DFG::CFGSimplificationPhase::recordNewTarget):
3318         (JSC::DFG::CFGSimplificationPhase::fixTailOperand):
3319         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
3320         * dfg/DFGCSEPhase.cpp:
3321         (JSC::DFG::CSEPhase::canonicalize):
3322         (JSC::DFG::CSEPhase::endIndexForPureCSE):
3323         (JSC::DFG::CSEPhase::pureCSE):
3324         (JSC::DFG::CSEPhase::constantCSE):
3325         (JSC::DFG::CSEPhase::weakConstantCSE):
3326         (JSC::DFG::CSEPhase::getCalleeLoadElimination):
3327         (JSC::DFG::CSEPhase::getArrayLengthElimination):
3328         (JSC::DFG::CSEPhase::globalVarLoadElimination):
3329         (JSC::DFG::CSEPhase::scopedVarLoadElimination):
3330         (JSC::DFG::CSEPhase::globalVarWatchpointElimination):
3331         (JSC::DFG::CSEPhase::globalVarStoreElimination):
3332         (JSC::DFG::CSEPhase::scopedVarStoreElimination):
3333         (JSC::DFG::CSEPhase::getByValLoadElimination):
3334         (JSC::DFG::CSEPhase::checkFunctionElimination):
3335         (JSC::DFG::CSEPhase::checkExecutableElimination):
3336         (JSC::DFG::CSEPhase::checkStructureElimination):
3337         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
3338         (JSC::DFG::CSEPhase::putStructureStoreElimination):
3339         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
3340         (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
3341         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
3342         (JSC::DFG::CSEPhase::checkArrayElimination):
3343         (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
3344         (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
3345         (JSC::DFG::CSEPhase::getLocalLoadElimination):
3346         (JSC::DFG::CSEPhase::setLocalStoreElimination):
3347         (JSC::DFG::CSEPhase::performSubstitution):
3348         (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
3349         (JSC::DFG::CSEPhase::setReplacement):
3350         (JSC::DFG::CSEPhase::eliminate):
3351         (JSC::DFG::CSEPhase::performNodeCSE):
3352         (JSC::DFG::CSEPhase::performBlockCSE):
3353         (CSEPhase):
3354         * dfg/DFGCommon.cpp: Added.
3355         (DFG):
3356         (JSC::DFG::NodePointerTraits::dump):
3357         * dfg/DFGCommon.h:
3358         (DFG):
3359         (JSC::DFG::NodePointerTraits::defaultValue):
3360         (NodePointerTraits):
3361         (JSC::DFG::verboseCompilationEnabled):
3362         (JSC::DFG::shouldDumpGraphAtEachPhase):
3363         (JSC::DFG::validationEnabled):
3364         * dfg/DFGConstantFoldingPhase.cpp:
3365         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3366         (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
3367         (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
3368         (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
3369         * dfg/DFGDisassembler.cpp:
3370         (JSC::DFG::Disassembler::Disassembler):
3371         (JSC::DFG::Disassembler::createDumpList):
3372         (JSC::DFG::Disassembler::dumpDisassembly):
3373         * dfg/DFGDisassembler.h:
3374         (JSC::DFG::Disassembler::setForNode):
3375         (Disassembler):
3376         * dfg/DFGDriver.cpp:
3377         (JSC::DFG::compile):
3378         * dfg/DFGEdge.cpp: Added.
3379         (DFG):
3380         (JSC::DFG::Edge::dump):
3381         * dfg/DFGEdge.h:
3382         (JSC::DFG::Edge::Edge):
3383         (JSC::DFG::Edge::node):
3384         (JSC::DFG::Edge::operator*):
3385         (JSC::DFG::Edge::operator->):
3386         (Edge):
3387         (JSC::DFG::Edge::setNode):
3388         (JSC::DFG::Edge::useKind):
3389         (JSC::DFG::Edge::setUseKind):
3390         (JSC::DFG::Edge::isSet):
3391         (JSC::DFG::Edge::shift):
3392         (JSC::DFG::Edge::makeWord):
3393         (JSC::DFG::operator==):
3394         (JSC::DFG::operator!=):
3395         * dfg/DFGFixupPhase.cpp:
3396         (JSC::DFG::FixupPhase::fixupBlock):
3397         (JSC::DFG::FixupPhase::fixupNode):
3398         (JSC::DFG::FixupPhase::checkArray):
3399         (JSC::DFG::FixupPhase::blessArrayOperation):
3400         (JSC::DFG::FixupPhase::fixIntEdge):
3401         (JSC::DFG::FixupPhase::fixDoubleEdge):
3402         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
3403         (FixupPhase):
3404         * dfg/DFGGenerationInfo.h:
3405         (JSC::DFG::GenerationInfo::GenerationInfo):
3406         (JSC::DFG::GenerationInfo::initConstant):
3407         (JSC::DFG::GenerationInfo::initInteger):
3408         (JSC::DFG::GenerationInfo::initJSValue):
3409         (JSC::DFG::GenerationInfo::initCell):
3410         (JSC::DFG::GenerationInfo::initBoolean):
3411         (JSC::DFG::GenerationInfo::initDouble):
3412         (JSC::DFG::GenerationInfo::initStorage):
3413         (GenerationInfo):
3414         (JSC::DFG::GenerationInfo::node):
3415         (JSC::DFG::GenerationInfo::noticeOSRBirth):
3416         (JSC::DFG::GenerationInfo::use):
3417         (JSC::DFG::GenerationInfo::appendFill):
3418         (JSC::DFG::GenerationInfo::appendSpill):
3419         * dfg/DFGGraph.cpp:
3420         (JSC::DFG::Graph::Graph):
3421         (JSC::DFG::Graph::~Graph):
3422         (DFG):
3423         (JSC::DFG::Graph::dumpCodeOrigin):
3424         (JSC::DFG::Graph::amountOfNodeWhiteSpace):
3425         (JSC::DFG::Graph::printNodeWhiteSpace):
3426         (JSC::DFG::Graph::dump):
3427         (JSC::DFG::Graph::dumpBlockHeader):
3428         (JSC::DFG::Graph::refChildren):
3429         (JSC::DFG::Graph::derefChildren):
3430         (JSC::DFG::Graph::predictArgumentTypes):
3431         (JSC::DFG::Graph::collectGarbage):
3432         (JSC::DFG::Graph::determineReachability):
3433         (JSC::DFG::Graph::resetExitStates):
3434         * dfg/DFGGraph.h:
3435         (Graph):
3436         (JSC::DFG::Graph::ref):
3437         (JSC::DFG::Graph::deref):
3438         (JSC::DFG::Graph::changeChild):
3439         (JSC::DFG::Graph::compareAndSwap):
3440         (JSC::DFG::Graph::clearAndDerefChild):
3441         (JSC::DFG::Graph::clearAndDerefChild1):
3442         (JSC::DFG::Graph::clearAndDerefChild2):
3443         (JSC::DFG::Graph::clearAndDerefChild3):
3444         (JSC::DFG::Graph::convertToConstant):
3445         (JSC::DFG::Graph::getJSConstantSpeculation):
3446         (JSC::DFG::Graph::addSpeculationMode):
3447         (JSC::DFG::Graph::valueAddSpeculationMode):
3448         (JSC::DFG::Graph::arithAddSpeculationMode):
3449         (JSC::DFG::Graph::addShouldSpeculateInteger):
3450         (JSC::DFG::Graph::mulShouldSpeculateInteger):
3451         (JSC::DFG::Graph::negateShouldSpeculateInteger):
3452         (JSC::DFG::Graph::isConstant):
3453         (JSC::DFG::Graph::isJSConstant):
3454         (JSC::DFG::Graph::isInt32Constant):
3455         (JSC::DFG::Graph::isDoubleConstant):
3456         (JSC::DFG::Graph::isNumberConstant):
3457         (JSC::DFG::Graph::isBooleanConstant):
3458         (JSC::DFG::Graph::isCellConstant):
3459         (JSC::DFG::Graph::isFunctionConstant):
3460         (JSC::DFG::Graph::isInternalFunctionConstant):
3461         (JSC::DFG::Graph::valueOfJSConstant):
3462         (JSC::DFG::Graph::valueOfInt32Constant):
3463         (JSC::DFG::Graph::valueOfNumberConstant):
3464         (JSC::DFG::Graph::valueOfBooleanConstant):
3465         (JSC::DFG::Graph::valueOfFunctionConstant):
3466         (JSC::DFG::Graph::valueProfileFor):
3467         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
3468         (JSC::DFG::Graph::numSuccessors):
3469         (JSC::DFG::Graph::successor):
3470         (JSC::DFG::Graph::successorForCondition):
3471         (JSC::DFG::Graph::isPredictedNumerical):
3472         (JSC::DFG::Graph::byValIsPure):
3473         (JSC::DFG::Graph::clobbersWorld):
3474         (JSC::DFG::Graph::varArgNumChildren):
3475         (JSC::DFG::Graph::numChildren):
3476         (JSC::DFG::Graph::varArgChild):
3477         (JSC::DFG::Graph::child):
3478         (JSC::DFG::Graph::voteNode):
3479         (JSC::DFG::Graph::voteChildren):
3480         (JSC::DFG::Graph::substitute):
3481         (JSC::DFG::Graph::substituteGetLocal):
3482         (JSC::DFG::Graph::addImmediateShouldSpeculateInteger):
3483         (JSC::DFG::Graph::mulImmediateShouldSpeculateInteger):
3484         * dfg/DFGInsertionSet.h:
3485         (JSC::DFG::Insertion::Insertion):
3486         (JSC::DFG::Insertion::element):
3487         (Insertion):
3488         (JSC::DFG::InsertionSet::insert):
3489         (InsertionSet):
3490         * dfg/DFGJITCompiler.cpp:
3491         * dfg/DFGJITCompiler.h:
3492         (JSC::DFG::JITCompiler::setForNode):
3493         (JSC::DFG::JITCompiler::addressOfDoubleConstant):
3494         (JSC::DFG::JITCompiler::noticeOSREntry):
3495         * dfg/DFGLongLivedState.cpp: Added.
3496         (DFG):
3497         (JSC::DFG::LongLivedState::LongLivedState):
3498         (JSC::DFG::LongLivedState::~LongLivedState):
3499         (JSC::DFG::LongLivedState::shrinkToFit):
3500         * dfg/DFGLongLivedState.h: Added.
3501         (DFG):
3502         (LongLivedState):
3503         * dfg/DFGMinifiedID.h:
3504         (JSC::DFG::MinifiedID::MinifiedID):
3505         (JSC::DFG::MinifiedID::node):
3506         * dfg/DFGMinifiedNode.cpp:
3507         (JSC::DFG::MinifiedNode::fromNode):
3508         * dfg/DFGMinifiedNode.h:
3509         (MinifiedNode):
3510         * dfg/DFGNode.cpp: Added.
3511         (DFG):
3512         (JSC::DFG::Node::index):
3513         (WTF):
3514         (WTF::printInternal):
3515         * dfg/DFGNode.h:
3516         (DFG):
3517         (JSC::DFG::Node::Node):
3518         (Node):
3519         (JSC::DFG::Node::convertToGetByOffset):
3520         (JSC::DFG::Node::convertToPutByOffset):
3521         (JSC::DFG::Node::ref):
3522         (JSC::DFG::Node::shouldSpeculateInteger):
3523         (JSC::DFG::Node::shouldSpeculateIntegerForArithmetic):
3524         (JSC::DFG::Node::shouldSpeculateIntegerExpectingDefined):
3525         (JSC::DFG::Node::shouldSpeculateDoubleForArithmetic):
3526         (JSC::DFG::Node::shouldSpeculateNumber):
3527         (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
3528         (JSC::DFG::Node::shouldSpeculateFinalObject):
3529         (JSC::DFG::Node::shouldSpeculateArray):
3530         (JSC::DFG::Node::dumpChildren):
3531         (WTF):
3532         * dfg/DFGNodeAllocator.h: Added.
3533         (DFG):
3534         (operator new ):
3535         * dfg/DFGOSRExit.cpp:
3536         (JSC::DFG::OSRExit::OSRExit):
3537         * dfg/DFGOSRExit.h:
3538         (OSRExit):
3539         (SpeculationFailureDebugInfo):
3540         * dfg/DFGOSRExitCompiler.cpp:
3541         * dfg/DFGOSRExitCompiler32_64.cpp:
3542         (JSC::DFG::OSRExitCompiler::compileExit):
3543         * dfg/DFGOSRExitCompiler64.cpp:
3544         (JSC::DFG::OSRExitCompiler::compileExit):
3545         * dfg/DFGOperations.cpp:
3546         * dfg/DFGPhase.cpp:
3547         (DFG):
3548         (JSC::DFG::Phase::beginPhase):
3549         (JSC::DFG::Phase::endPhase):
3550         * dfg/DFGPhase.h:
3551         (Phase):
3552         (JSC::DFG::runAndLog):
3553         * dfg/DFGPredictionPropagationPhase.cpp:
3554         (JSC::DFG::PredictionPropagationPhase::setPrediction):
3555         (JSC::DFG::PredictionPropagationPhase::mergePrediction):
3556         (JSC::DFG::PredictionPropagationPhase::isNotNegZero):
3557         (JSC::DFG::PredictionPropagationPhase::isNotZero):
3558         (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoForConstant):
3559         (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoNonRecursive):
3560         (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwo):
3561         (JSC::DFG::PredictionPropagationPhase::propagate):
3562         (JSC::DFG::PredictionPropagationPhase::mergeDefaultFlags):
3563         (JSC::DFG::PredictionPropagationPhase::propagateForward):
3564         (JSC::DFG::PredictionPropagationPhase::propagateBackward):
3565         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
3566         (PredictionPropagationPhase):
3567         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
3568         * dfg/DFGScoreBoard.h:
3569         (JSC::DFG::ScoreBoard::ScoreBoard):
3570         (JSC::DFG::ScoreBoard::use):
3571         (JSC::DFG::ScoreBoard::useIfHasResult):
3572         (ScoreBoard):
3573         * dfg/DFGSilentRegisterSavePlan.h:
3574         (JSC::DFG::SilentRegisterSavePlan::SilentRegisterSavePlan):
3575         (JSC::DFG::SilentRegisterSavePlan::node):
3576         (SilentRegisterSavePlan):
3577         * dfg/DFGSlowPathGenerator.h:
3578         (JSC::DFG::SlowPathGenerator::SlowPathGenerator):
3579         (JSC::DFG::SlowPathGenerator::generate):
3580         (SlowPathGenerator):
3581         * dfg/DFGSpeculativeJIT.cpp:
3582         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
3583         (JSC::DFG::SpeculativeJIT::speculationCheck):
3584         (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
3585         (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
3586         (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
3587         (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
3588         (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
3589         (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
3590         (JSC::DFG::SpeculativeJIT::silentSpill):
3591         (JSC::DFG::SpeculativeJIT::silentFill):
3592         (JSC::DFG::SpeculativeJIT::checkArray):
3593         (JSC::DFG::SpeculativeJIT::arrayify):
3594         (JSC::DFG::SpeculativeJIT::fillStorage):
3595         (JSC::DFG::SpeculativeJIT::useChildren):
3596         (JSC::DFG::SpeculativeJIT::isStrictInt32):
3597         (JSC::DFG::SpeculativeJIT::isKnownInteger):
3598         (JSC::DFG::SpeculativeJIT::isKnownNumeric):
3599         (JSC::DFG::SpeculativeJIT::isKnownCell):
3600         (JSC::DFG::SpeculativeJIT::isKnownNotCell):
3601         (JSC::DFG::SpeculativeJIT::isKnownNotInteger):
3602         (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
3603         (JSC::DFG::SpeculativeJIT::writeBarrier):
3604         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare):
3605         (JSC::DFG::SpeculativeJIT::nonSpeculativeStrictEq):
3606         (JSC::DFG::GPRTemporary::GPRTemporary):
3607         (JSC::DFG::FPRTemporary::FPRTemporary):
3608         (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
3609         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
3610         (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
3611         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
3612         (JSC::DFG::SpeculativeJIT::noticeOSRBirth):
3613         (JSC::DFG::SpeculativeJIT::compileMovHint):
3614         (JSC::DFG::SpeculativeJIT::compile):
3615         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
3616         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
3617         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
3618         (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
3619         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
3620         (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
3621         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
3622         (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
3623         (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
3624         (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
3625         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
3626         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
3627         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
3628         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
3629         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
3630         (JSC::DFG::SpeculativeJIT::compileInstanceOf):
3631         (JSC::DFG::SpeculativeJIT::compileSoftModulo):
3632         (JSC::DFG::SpeculativeJIT::compileAdd):
3633         (JSC::DFG::SpeculativeJIT::compileArithSub):
3634         (JSC::DFG::SpeculativeJIT::compileArithNegate):
3635         (JSC::DFG::SpeculativeJIT::compileArithMul):
3636         (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):
3637         (JSC::DFG::SpeculativeJIT::compileArithMod):
3638         (JSC::DFG::SpeculativeJIT::compare):
3639         (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
3640         (JSC::DFG::SpeculativeJIT::compileStrictEq):
3641         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
3642         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
3643         (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
3644         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
3645         (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck):
3646         (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression):
3647         (JSC::DFG::SpeculativeJIT::compileRegExpExec):
3648         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3649         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3650         * dfg/DFGSpeculativeJIT.h:
3651         (SpeculativeJIT):
3652         (JSC::DFG::SpeculativeJIT::canReuse):
3653         (JSC::DFG::SpeculativeJIT::isFilled):
3654         (JSC::DFG::SpeculativeJIT::isFilledDouble):
3655         (JSC::DFG::SpeculativeJIT::use):
3656         (JSC::DFG::SpeculativeJIT::isConstant):
3657         (JSC::DFG::SpeculativeJIT::isJSConstant):
3658         (JSC::DFG::SpeculativeJIT::isInt32Constant):
3659         (JSC::DFG::SpeculativeJIT::isDoubleConstant):
3660         (JSC::DFG::SpeculativeJIT::isNumberConstant):
3661         (JSC::DFG::SpeculativeJIT::isBooleanConstant):
3662         (JSC::DFG::SpeculativeJIT::isFunctionConstant):
3663         (JSC::DFG::SpeculativeJIT::valueOfInt32Constant):
3664         (JSC::DFG::SpeculativeJIT::valueOfNumberConstant):
3665         (JSC::DFG::SpeculativeJIT::valueOfNumberConstantAsInt32):
3666         (JSC::DFG::SpeculativeJIT::addressOfDoubleConstant):
3667         (JSC::DFG::SpeculativeJIT::valueOfJSConstant):
3668         (JSC::DFG::SpeculativeJIT::valueOfBooleanConstant):
3669         (JSC::DFG::SpeculativeJIT::valueOfFunctionConstant):
3670         (JSC::DFG::SpeculativeJIT::isNullConstant):
3671         (JSC::DFG::SpeculativeJIT::valueOfJSConstantAsImm64):
3672         (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
3673         (JSC::DFG::SpeculativeJIT::integerResult):
3674         (JSC::DFG::SpeculativeJIT::noResult):
3675         (JSC::DFG::SpeculativeJIT::cellResult):
3676         (JSC::DFG::SpeculativeJIT::booleanResult):
3677         (JSC::DFG::SpeculativeJIT::jsValueResult):
3678         (JSC::DFG::SpeculativeJIT::storageResult):
3679         (JSC::DFG::SpeculativeJIT::doubleResult):
3680         (JSC::DFG::SpeculativeJIT::initConstantInfo):
3681         (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
3682         (JSC::DFG::SpeculativeJIT::isInteger):
3683         (JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal):
3684         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
3685         (JSC::DFG::SpeculativeJIT::setNodeForOperand):
3686         (JSC::DFG::IntegerOperand::IntegerOperand):
3687         (JSC::DFG::IntegerOperand::node):
3688         (JSC::DFG::IntegerOperand::gpr):
3689         (JSC::DFG::IntegerOperand::use):
3690         (IntegerOperand):
3691         (JSC::DFG::DoubleOperand::DoubleOperand):
3692         (JSC::DFG::DoubleOperand::node):
3693         (JSC::DFG::DoubleOperand::fpr):
3694         (JSC::DFG::DoubleOperand::use):
3695         (DoubleOperand):
3696         (JSC::DFG::JSValueOperand::JSValueOperand):
3697         (JSC::DFG::JSValueOperand::node):
3698         (JSC::DFG::JSValueOperand::gpr):
3699         (JSC::DFG::JSValueOperand::fill):
3700         (JSC::DFG::JSValueOperand::use):
3701         (JSValueOperand):
3702         (JSC::DFG::StorageOperand::StorageOperand):
3703         (JSC::DFG::StorageOperand::node):
3704         (JSC::DFG::StorageOperand::gpr):
3705         (JSC::DFG::StorageOperand::use):
3706         (StorageOperand):
3707         (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
3708         (JSC::DFG::SpeculateIntegerOperand::node):
3709         (JSC::DFG::SpeculateIntegerOperand::gpr):
3710         (JSC::DFG::SpeculateIntegerOperand::use):
3711         (SpeculateIntegerOperand):
3712         (JSC::DFG::SpeculateStrictInt32Operand::SpeculateStrictInt32Operand):
3713         (JSC::DFG::SpeculateStrictInt32Operand::node):
3714         (JSC::DFG::SpeculateStrictInt32Operand::gpr):
3715         (JSC::DFG::SpeculateStrictInt32Operand::use):
3716         (SpeculateStrictInt32Operand):
3717         (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
3718         (JSC::DFG::SpeculateDoubleOperand::node):
3719         (JSC::DFG::SpeculateDoubleOperand::fpr):
3720         (JSC::DFG::SpeculateDoubleOperand::use):
3721         (SpeculateDoubleOperand):
3722         (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
3723         (JSC::DFG::SpeculateCellOperand::node):
3724         (JSC::DFG::SpeculateCellOperand::gpr):
3725         (JSC::DFG::SpeculateCellOperand::use):
3726         (SpeculateCellOperand):
3727         (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
3728         (JSC::DFG::SpeculateBooleanOperand::node):
3729         (JSC::DFG::SpeculateBooleanOperand::gpr):
3730         (JSC::DFG::SpeculateBooleanOperand::use):
3731         (SpeculateBooleanOperand):
3732         * dfg/DFGSpeculativeJIT32_64.cpp:
3733         (JSC::DFG::SpeculativeJIT::fillInteger):
3734         (JSC::DFG::SpeculativeJIT::fillDouble):
3735         (JSC::DFG::SpeculativeJIT::fillJSValue):
3736         (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
3737         (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
3738         (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
3739         (JSC::DFG::SpeculativeJIT::cachedPutById):
3740         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
3741         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
3742         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
3743         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
3744         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
3745         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
3746         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
3747         (JSC::DFG::SpeculativeJIT::emitCall):
3748         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
3749         (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
3750         (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
3751         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3752         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3753         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3754         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
3755         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
3756         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
3757         (JSC::DFG::SpeculativeJIT::compileIntegerCompare):
3758         (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
3759         (JSC::DFG::SpeculativeJIT::compileValueAdd):
3760         (JSC::DFG::SpeculativeJIT::compileNonStringCellOrOtherLogicalNot):
3761         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
3762         (JSC::DFG::SpeculativeJIT::emitNonStringCellOrOtherBranch):
3763         (JSC::DFG::SpeculativeJIT::emitBranch):
3764         (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
3765         (JSC::DFG::SpeculativeJIT::compile):
3766         * dfg/DFGSpeculativeJIT64.cpp:
3767         (JSC::DFG::SpeculativeJIT::fillInteger):
3768         (JSC::DFG::SpeculativeJIT::fillDouble):
3769         (JSC::DFG::SpeculativeJIT::fillJSValue):
3770         (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
3771         (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
3772         (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
3773         (JSC::DFG::SpeculativeJIT::cachedPutById):
3774         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
3775         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
3776         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
3777         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
3778         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
3779         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
3780         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
3781         (JSC::DFG::SpeculativeJIT::emitCall):
3782         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
3783         (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
3784         (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
3785         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3786         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3787         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3788         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
3789         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
3790         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
3791         (JSC::DFG::SpeculativeJIT::compileIntegerCompare):
3792         (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
3793         (JSC::DFG::SpeculativeJIT::compileValueAdd):
3794         (JSC::DFG::SpeculativeJIT::compileNonStringCellOrOtherLogicalNot):
3795         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
3796         (JSC::DFG::SpeculativeJIT::emitNonStringCellOrOtherBranch):
3797         (JSC::DFG::SpeculativeJIT::emitBranch):
3798         (JSC::DFG::SpeculativeJIT::compile):
3799         * dfg/DFGStructureAbstractValue.h:
3800         (StructureAbstractValue):
3801         * dfg/DFGStructureCheckHoistingPhase.cpp:
3802         (JSC::DFG::StructureCheckHoistingPhase::run):
3803         * dfg/DFGValidate.cpp:
3804         (DFG):
3805         (Validate):
3806         (JSC::DFG::Validate::validate):
3807         (JSC::DFG::Validate::reportValidationContext):
3808         * dfg/DFGValidate.h:
3809         * dfg/DFGValueSource.cpp:
3810         (JSC::DFG::ValueSource::dump):
3811         * dfg/DFGValueSource.h:
3812         (JSC::DFG::ValueSource::ValueSource):
3813         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
3814         (JSC::DFG::VirtualRegisterAllocationPhase::run):
3815         * runtime/FunctionExecutableDump.cpp: Added.
3816         (JSC):
3817         (JSC::FunctionExecutableDump::dump):
3818         * runtime/FunctionExecutableDump.h: Added.
3819         (JSC):
3820         (FunctionExecutableDump):
3821         (JSC::FunctionExecutableDump::FunctionExecutableDump):
3822         * runtime/JSGlobalData.cpp:
3823         (JSC::JSGlobalData::JSGlobalData):
3824         * runtime/JSGlobalData.h:
3825         (JSC):
3826         (DFG):
3827         (JSGlobalData):
3828         * runtime/Options.h:
3829         (JSC):
3830
3831 2013-01-28  Laszlo Gombos  <l.gombos@samsung.com>
3832
3833         Collapse testing for a list of PLATFORM() into OS() and USE() tests
3834         https://bugs.webkit.org/show_bug.cgi?id=108018
3835
3836         Reviewed by Eric Seidel.
3837
3838         No functional change, as "OS(DARWIN) && USE(CF)" is equivalent to the
3839         following platforms: MAC, WX, QT and CHROMIUM. CHROMIUM
3840         is not using JavaScriptCore.
3841
3842         * runtime/DatePrototype.cpp:
3843         (JSC):
3844
3845 2013-01-28  Geoffrey Garen  <ggaren@apple.com>
3846
3847         Static size inference for JavaScript objects
3848         https://bugs.webkit.org/show_bug.cgi?id=108093
3849
3850         Reviewed by Phil Pizlo.
3851
3852         * API/JSObjectRef.cpp:
3853         * JavaScriptCore.order:
3854         * JavaScriptCore.xcodeproj/project.pbxproj: Pay the tax man.
3855
3856         * bytecode/CodeBlock.cpp:
3857         (JSC::CodeBlock::dumpBytecode): op_new_object and op_create_this now
3858         have an extra inferredInlineCapacity argument. This is the statically
3859         inferred inline capacity, just from analyzing source text. op_new_object
3860         also gets a pointer to an allocation profile. (For op_create_this, the
3861         profile is in the constructor function.)
3862
3863         (JSC::CodeBlock::CodeBlock): Link op_new_object.
3864
3865         (JSC::CodeBlock::stronglyVisitStrongReferences): Mark our profiles.
3866
3867         * bytecode/CodeBlock.h:
3868         (CodeBlock): Removed some dead code. Added object allocation profiles.
3869
3870         * bytecode/Instruction.h:
3871         (JSC): New union type, since an instruction operand may point to an
3872         object allocation profile now.
3873
3874         * bytecode/ObjectAllocationProfile.h: Added.
3875         (JSC):
3876         (ObjectAllocationProfile):
3877         (JSC::ObjectAllocationProfile::offsetOfAllocator):
3878         (JSC::ObjectAllocationProfile::offsetOfStructure):
3879         (JSC::ObjectAllocationProfile::ObjectAllocationProfile):
3880         (JSC::ObjectAllocationProfile::isNull):
3881         (JSC::ObjectAllocationProfile::initialize):
3882         (JSC::ObjectAllocationProfile::structure):
3883         (JSC::ObjectAllocationProfile::inlineCapacity):
3884         (JSC::ObjectAllocationProfile::clear):
3885         (JSC::ObjectAllocationProfile::visitAggregate):
3886         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount): New class
3887         for tracking a prediction about object allocation: structure, inline
3888         capacity, allocator to use.
3889
3890         * bytecode/Opcode.h:
3891         (JSC):
3892         (JSC::padOpcodeName): Updated instruction sizes.
3893
3894         * bytecode/UnlinkedCodeBlock.cpp:
3895         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
3896         * bytecode/UnlinkedCodeBlock.h:
3897         (JSC):
3898         (JSC::UnlinkedCodeBlock::addObjectAllocationProfile):
3899         (JSC::UnlinkedCodeBlock::numberOfObjectAllocationProfiles):
3900         (UnlinkedCodeBlock): Unlinked support for allocation profiles.
3901
3902         * bytecompiler/BytecodeGenerator.cpp:
3903         (JSC::BytecodeGenerator::generate): Kill all remaining analyses at the
3904         end of codegen, since this is our last opportunity.
3905
3906         (JSC::BytecodeGenerator::BytecodeGenerator): Added a static property
3907         analyzer to bytecode generation. It tracks initializing assignments and
3908         makes a guess about how many will happen.
3909
3910         (JSC::BytecodeGenerator::newObjectAllocationProfile):
3911         (JSC):
3912         (JSC::BytecodeGenerator::emitProfiledOpcode):
3913         (JSC::BytecodeGenerator::emitMove):
3914         (JSC::BytecodeGenerator::emitResolve):
3915         (JSC::BytecodeGenerator::emitResolveBase):
3916         (JSC::BytecodeGenerator::emitResolveBaseForPut):
3917         (JSC::BytecodeGenerator::emitResolveWithBaseForPut):
3918         (JSC::BytecodeGenerator::emitResolveWithThis):
3919         (JSC::BytecodeGenerator::emitGetById):
3920         (JSC::BytecodeGenerator::emitPutById):
3921         (JSC::BytecodeGenerator::emitDirectPutById):
3922         (JSC::BytecodeGenerator::emitPutGetterSetter):
3923         (JSC::BytecodeGenerator::emitGetArgumentByVal):
3924         (JSC::BytecodeGenerator::emitGetByVal): Added hooks to the static property
3925         analyzer, so it can observe allocations and stores.
3926
3927         (JSC::BytecodeGenerator::emitCreateThis): Factored this into a helper
3928         function because it was a significant amount of logic, and I wanted to
3929         add to it.
3930
3931         (JSC::BytecodeGenerator::emitNewObject):
3932         (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
3933         (JSC::BytecodeGenerator::emitCall):
3934         (JSC::BytecodeGenerator::emitCallVarargs):
3935         (JSC::BytecodeGenerator::emitConstruct): Added a hook to profiled opcodes
3936         to track their stores, in case a store kills a profiled allocation. Since
3937         profiled opcodes are basically the only interesting stores we do, this
3938         is a convenient place to notice any store that might kill an allocation.
3939
3940         * bytecompiler/BytecodeGenerator.h:
3941         (BytecodeGenerator): As above.
3942
3943         * bytecompiler/StaticPropertyAnalysis.h: Added.
3944         (JSC):
3945         (StaticPropertyAnalysis):
3946         (JSC::StaticPropertyAnalysis::create):
3947         (JSC::StaticPropertyAnalysis::addPropertyIndex):
3948         (JSC::StaticPropertyAnalysis::record):
3949         (JSC::StaticPropertyAnalysis::propertyIndexCount):
3950         (JSC::StaticPropertyAnalysis::StaticPropertyAnalysis): Simple helper
3951         class for tracking allocations and stores.
3952
3953         * bytecompiler/StaticPropertyAnalyzer.h: Added.
3954         (StaticPropertyAnalyzer):
3955         (JSC::StaticPropertyAnalyzer::StaticPropertyAnalyzer):
3956         (JSC::StaticPropertyAnalyzer::createThis):
3957         (JSC::StaticPropertyAnalyzer::newObject):
3958         (JSC::StaticPropertyAnalyzer::putById):
3959         (JSC::StaticPropertyAnalyzer::mov):
3960         (JSC::StaticPropertyAnalyzer::kill): Helper class for observing allocations
3961         and stores and making an inline capacity guess. The heuristics here are
3962         intentionally minimal because we don't want this one class to try to
3963         re-create something like a DFG or a runtime analysis. If we discover that
3964         we need those kinds of analyses, we should just replace this class with
3965         something else.
3966
3967         This class tracks multiple registers that alias the same object -- that
3968         happens a lot, when moving locals into temporary registers -- but it