ffd4a302d6cc80a7e8dacb9bf1f11ac4563c81d8
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        Rename/refactor setButterfly/setStructure
        https://bugs.webkit.org/show_bug.cgi?id=120138

        Reviewed by Geoffrey Garen.

        setButterfly becomes setStructureAndButterfly.

        Also removed the Butterfly* argument from setStructure and just implicitly
        used m_butterfly internally since that's what every single client of setStructure
        was doing already.

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSObject.cpp:
        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
        (JSC::JSObject::createInitialUndecided):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToContiguous):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::genericConvertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::switchToSlowPutArrayStorage):
        (JSC::JSObject::setPrototype):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::seal):
        (JSC::JSObject::freeze):
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        (JSC::JSObject::removeDirect):
        * runtime/JSObject.h:
        (JSC::JSObject::setStructureAndButterfly):
        (JSC::JSObject::setStructure):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
        (JSC::JSObject::putDirectWithoutTransition):
        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure):

2013-08-21  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120127
        Remove JSObject::propertyIsEnumerable

        Unreviewed typo fix

        * runtime/JSObject.h:
            - fix typo

2013-08-21  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120139
        PropertyDescriptor argument to define methods should be const

        Rubber stamped by Sam Weinig.

        This should never be modified, and this way we can use rvalues.

        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::defineOwnProperty):
        * debugger/DebuggerActivation.h:
        * runtime/Arguments.cpp:
        (JSC::Arguments::defineOwnProperty):
        * runtime/Arguments.h:
        * runtime/ClassInfo.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        * runtime/JSArray.h:
        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::defineOwnProperty):
        * runtime/JSArrayBuffer.h:
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::defineOwnProperty):
        * runtime/JSArrayBufferView.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::defineOwnProperty):
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSFunction.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::::defineOwnProperty):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::defineOwnProperty):
        * runtime/JSGlobalObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::putIndexedDescriptor):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::putDescriptor):
        (JSC::JSObject::defineOwnNonIndexProperty):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::defineOwnProperty):
        * runtime/JSProxy.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::defineOwnProperty):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::defineOwnProperty):
        * runtime/RegExpObject.h:
        * runtime/StringObject.cpp:
        (JSC::StringObject::defineOwnProperty):
        * runtime/StringObject.h:
            - make PropertyDescriptor const

2013-08-21  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION: Crash under JITCompiler::link while loading Gmail
        https://bugs.webkit.org/show_bug.cgi?id=119872

        Reviewed by Mark Hahnenberg.

        Apparently, unsigned + signed = unsigned. Work around it with a cast.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

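As an added illustration of the conversion rule the entry above names (this is not code from the ChangeLog or from JavaScriptCore; the framing of an unsigned bytecode index plus a signed relative jump offset, and every function name, are assumptions):

```c
#include <stdio.h>

/* Added illustration of "unsigned + signed = unsigned" (C's usual arithmetic
 * conversions). The framing (an unsigned bytecode index plus a signed relative
 * jump offset) and every name here are assumptions, not JavaScriptCore code.
 * Assumes a 32-bit unsigned int, as on all mainstream platforms. */

/* Reports whether the expression `unsigned + int` has unsigned type: the int
 * operand is converted to unsigned before the addition takes place. */
static int sum_has_unsigned_type(void)
{
    unsigned u = 0;
    int i = 0;
    return _Generic(u + i, unsigned int: 1, default: 0);
}

/* Buggy form: the add happens in unsigned and only then widens to long long,
 * so a negative target has already wrapped to a large positive value and the
 * `< 0` rejection below can never fire. Returns the (possibly wrapped) target,
 * or -1 when rejected. */
static long long jump_target_buggy(unsigned base, int offset)
{
    long long target = base + offset;
    if (target < 0)
        return -1;
    return target;
}

/* Fixed form: cast the unsigned operand to a signed type first, so the add is
 * performed in long long and a negative result is representable and rejected.
 * This is the "work around it with a cast" pattern from the entry. */
static long long jump_target_fixed(unsigned base, int offset)
{
    long long target = (long long)base + offset;
    if (target < 0)
        return -1;
    return target;
}

int main(void)
{
    printf("unsigned + int has unsigned type: %d\n", sum_has_unsigned_type());
    /* A backward jump that stays in range: modular wrap-around hides the bug,
     * both forms give 12. */
    printf("20 + -8: buggy=%lld fixed=%lld\n",
           jump_target_buggy(20, -8), jump_target_fixed(20, -8));
    /* A backward jump past the start of the stream: the buggy form returns the
     * wrapped index 4294967292 instead of rejecting it; the fixed form returns -1. */
    printf(" 4 + -8: buggy=%lld fixed=%lld\n",
           jump_target_buggy(4, -8), jump_target_fixed(4, -8));
    return 0;
}
```

The in-range case passing in both forms is why this class of bug survives ordinary testing: only a sum that should be negative exposes the wrapped value.
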
2013-08-21  Alex Christensen  <achristensen@apple.com>

        <https://webkit.org/b/120137> Separating Win32 and Win64 builds.

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
        Pass PlatformArchitecture as a command line parameter to bash scripts.
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
        * JavaScriptCore.vcxproj/build-generated-files.sh:
        Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).

2013-08-21  Filip Pizlo  <fpizlo@apple.com>

        Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView
        https://bugs.webkit.org/show_bug.cgi?id=120099

        Reviewed by Mark Hahnenberg.

        JSDataView should not store the ArrayBuffer* in the butterfly indexing header, since
        JSDataView may have ordinary JS indexed properties.

        * runtime/ClassInfo.h:
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        (JSC::JSArrayBufferView::finishCreation):
        * runtime/JSArrayBufferView.h:
        (JSC::hasArrayBuffer):
        * runtime/JSArrayBufferViewInlines.h:
        (JSC::JSArrayBufferView::buffer):
        (JSC::JSArrayBufferView::neuter):
        (JSC::JSArrayBufferView::byteOffset):
        * runtime/JSCell.cpp:
        (JSC::JSCell::slowDownAndWasteMemory):
        * runtime/JSCell.h:
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::JSDataView):
        (JSC::JSDataView::create):
        (JSC::JSDataView::slowDownAndWasteMemory):
        * runtime/JSDataView.h:
        (JSC::JSDataView::buffer):
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::::visitChildren):
        (JSC::::slowDownAndWasteMemory):

2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove incorrect ASSERT from CopyVisitor::visitItem

        Rubber stamped by Filip Pizlo.

        * heap/CopyVisitorInlines.h:
        (JSC::CopyVisitor::visitItem):

2013-08-21  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120127
        Remove JSObject::propertyIsEnumerable

        Reviewed by Sam Weinig.

        This method is just a wart - it contains unnecessary const-casting, function call overhead, and LOC.

        * runtime/JSObject.cpp:
        * runtime/JSObject.h:
            - remove propertyIsEnumerable
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncPropertyIsEnumerable):
            - Move implementation here using getOwnPropertyDescriptor directly.

2013-08-20  Filip Pizlo  <fpizlo@apple.com>

        DFG should inline new typedArray()
        https://bugs.webkit.org/show_bug.cgi?id=120022

        Reviewed by Oliver Hunt.

        Adds inlining of typed array allocations in the DFG. Any operation of the
        form:

            new foo(blah)

        or:

            foo(blah)

        where 'foo' is a typed array constructor and 'blah' is exactly one argument,
        is turned into the NewTypedArray intrinsic. Later, if child1 (i.e. 'blah')
        is predicted integer, we generate inline code for an allocation. Otherwise
        it turns into a call to an operation that behaves like the constructor would
        if it was passed one argument (i.e. it may wrap a buffer or it may create a
        copy of another array, or it may allocate an array of that length).

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromTypedArrayType):
        (JSC::speculationFromClassInfo):
        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasTypedArrayType):
        (JSC::DFG::Node::typedArrayType):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::newTypedArrayWithSize):
        (JSC::DFG::newTypedArrayWithOneArgument):
        * dfg/DFGOperations.h:
        (JSC::DFG::operationNewTypedArrayWithSizeForType):
        (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_object):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_new_object):
        * runtime/JSArray.h:
        (JSC::JSArray::allocationSize):
        * runtime/JSArrayBufferView.h:
        (JSC::JSArrayBufferView::allocationSize):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayView):
        * runtime/JSObject.h:
        (JSC::JSFinalObject::allocationSize):
        * runtime/TypedArrayType.cpp:
        (JSC::constructorClassInfoForType):
        * runtime/TypedArrayType.h:
        (JSC::indexToTypedArrayType):

2013-08-21  Julien Brianceau  <jbrianceau@nds.com>

        <https://webkit.org/b/120106> Fix V_DFGOperation_EJPP signature in DFG.

        Reviewed by Geoffrey Garen.

        * dfg/DFGOperations.h:

2013-08-20  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120093
        Remove getOwnPropertyDescriptor trap

        Reviewed by Geoff Garen.

        All implementations of this method are now called via the method table, and equivalent in behaviour.
        Remove all duplicate implementations (and the method table trap), and add a single member function implementation on JSObject.

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        * debugger/DebuggerActivation.cpp:
        * debugger/DebuggerActivation.h:
        * runtime/Arguments.cpp:
        * runtime/Arguments.h:
        * runtime/ArrayConstructor.cpp:
        * runtime/ArrayConstructor.h:
        * runtime/ArrayPrototype.cpp:
        * runtime/ArrayPrototype.h:
        * runtime/BooleanPrototype.cpp:
        * runtime/BooleanPrototype.h:
            - remove getOwnPropertyDescriptor
        * runtime/ClassInfo.h:
            - remove getOwnPropertyDescriptor from MethodTable
        * runtime/DateConstructor.cpp:
        * runtime/DateConstructor.h:
        * runtime/DatePrototype.cpp:
        * runtime/DatePrototype.h:
        * runtime/ErrorPrototype.cpp:
        * runtime/ErrorPrototype.h:
        * runtime/JSActivation.cpp:
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        * runtime/JSArray.h:
        * runtime/JSArrayBuffer.cpp:
        * runtime/JSArrayBuffer.h:
        * runtime/JSArrayBufferView.cpp:
        * runtime/JSArrayBufferView.h:
        * runtime/JSCell.cpp:
        * runtime/JSCell.h:
        * runtime/JSDataView.cpp:
        * runtime/JSDataView.h:
        * runtime/JSDataViewPrototype.cpp:
        * runtime/JSDataViewPrototype.h:
        * runtime/JSFunction.cpp:
        * runtime/JSFunction.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSNotAnObject.h:
        * runtime/JSONObject.cpp:
        * runtime/JSONObject.h:
            - remove getOwnPropertyDescriptor
        * runtime/JSObject.cpp:
        (JSC::JSObject::propertyIsEnumerable):
            - switch to call new getOwnPropertyDescriptor member function
        (JSC::JSObject::getOwnPropertyDescriptor):
            - new, based on implementation from GET_OWN_PROPERTY_DESCRIPTOR_IMPL
        (JSC::JSObject::defineOwnNonIndexProperty):
            - switch to call new getOwnPropertyDescriptor member function
        * runtime/JSObject.h:
        * runtime/JSProxy.cpp:
        * runtime/JSProxy.h:
        * runtime/NamePrototype.cpp:
        * runtime/NamePrototype.h:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberConstructor.h:
        * runtime/NumberPrototype.cpp:
        * runtime/NumberPrototype.h:
            - remove getOwnPropertyDescriptor
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
            - switch to call new getOwnPropertyDescriptor member function
        * runtime/ObjectConstructor.h:
            - remove getOwnPropertyDescriptor
        * runtime/PropertyDescriptor.h:
            - remove GET_OWN_PROPERTY_DESCRIPTOR_IMPL
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.cpp:
        * runtime/RegExpMatchesArray.h:
        * runtime/RegExpObject.cpp:
        * runtime/RegExpObject.h:
        * runtime/RegExpPrototype.cpp:
        * runtime/RegExpPrototype.h:
        * runtime/StringConstructor.cpp:
        * runtime/StringConstructor.h:
        * runtime/StringObject.cpp:
        * runtime/StringObject.h:
            - remove getOwnPropertyDescriptor

2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        <https://webkit.org/b/120079> Flattening a dictionary can cause CopiedSpace corruption

        Reviewed by Oliver Hunt.

        When we flatten an object in dictionary mode, we compact its properties. If the object
        had out-of-line storage in the form of a Butterfly prior to this compaction, and after
        compaction its properties fit inline, the object's Structure "forgets" that the object
        has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes
        with bytes = 0, which causes all sorts of badness in CopiedSpace.

        Instead, after we flatten a dictionary, if properties fit inline we should clear the
        Butterfly pointer so that the GC doesn't get confused later.

        This patch does this clearing, and it also adds JSObject::checkStructure, which overrides
        JSCell::checkStructure to add an ASSERT that makes sure that the Structure being assigned
        agrees with whether or not the object has a Butterfly. Also added an ASSERT to check
        that the number of bytes reported to SlotVisitor::copyLater is non-zero.

        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::copyLater):
        * runtime/JSObject.cpp:
        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToContiguous):
        (JSC::JSObject::genericConvertDoubleToContiguous):
        (JSC::JSObject::switchToSlowPutArrayStorage):
        (JSC::JSObject::setPrototype):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::seal):
        (JSC::JSObject::freeze):
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        (JSC::JSObject::removeDirect):
        * runtime/JSObject.h:
        (JSC::JSObject::setButterfly):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::setStructure):
        (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure):

2013-08-20  Alex Christensen  <achristensen@apple.com>

        Compile fix for Win64 after r154156.

        Rubber stamped by Oliver Hunt.

        * jit/JITStubsMSVC64.asm:
        Renamed ctiVMThrowTrampolineSlowpath to ctiVMHandleException and
        cti_vm_throw_slowpath to cti_vm_handle_exception.

2013-08-20  Alex Christensen  <achristensen@apple.com>

        <https://webkit.org/b/120076> More work towards a Win64 build

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
        * JavaScriptCore.vcxproj/copy-files.cmd:
        * JavaScriptCore.vcxproj/jsc/jscCommon.props:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
        Use PlatformArchitecture macro instead of bin32, lib32, and obj32.

2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML

        Reviewed by Geoffrey Garen.

        More fixes for WriteBarrier deferral during concurrent JIT-ing. This patch makes the use of DesiredWriteBarriers class and the
        initializeLazyWriteBarrierFor* wrapper functions more sane.

        Refactored DesiredWriteBarrier to require an owner, a type, a CodeBlock, and an index. The type indicates how to use the CodeBlock
        and index when triggering the WriteBarrier at the end of compilation.

        The client code of initializeLazy* is now responsible for creating the WriteBarrier that will be initialized as well as passing
        in the relevant index to be used at the end of compilation. Things were kind of muddled before in that one function did a
        little extra work that really shouldn't have been its responsibility.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addConstant):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGDesiredWriteBarriers.cpp:
        (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
        (JSC::DFG::DesiredWriteBarrier::trigger):
        * dfg/DFGDesiredWriteBarriers.h:
        (JSC::DFG::DesiredWriteBarriers::add):
        (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameExecutable):
        (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameCallee):
        (JSC::DFG::initializeLazyWriteBarrierForConstant):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::truncateConstantToInt32):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::constantRegisterForConstant):

2013-08-20  Michael Saboff  <msaboff@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120075
        REGRESSION (r128400): BBC4 website not displaying pictures

        Reviewed by Oliver Hunt.

        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::createStructure): Changed the array IndexingType to be ArrayWithSlowPutArrayStorage
        so that the match results will be reified before any other modification to the results array.

2013-08-19  Filip Pizlo  <fpizlo@apple.com>

        Incorrect behavior on emscripten-compiled cube2hash
        https://bugs.webkit.org/show_bug.cgi?id=120033

        Reviewed by Mark Hahnenberg.

        If PutClosureVar is may-aliased to another PutClosureVar or GetClosureVar
        then we should bail attempts to CSE.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::scopedVarLoadElimination):
        (JSC::DFG::CSEPhase::scopedVarStoreElimination):

519 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
520
521         https://bugs.webkit.org/show_bug.cgi?id=120073
522         Remove use of GOPD from JSFunction::defineProperty
523
524         Reviewed by Oliver Hunt.
525
526         Call getOwnPropertySlot to check for existing properties instead.
527
528         * runtime/JSFunction.cpp:
529         (JSC::JSFunction::defineOwnProperty):
530             - getOwnPropertyDescriptor -> getOwnPropertySlot
531
532 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
533
534         https://bugs.webkit.org/show_bug.cgi?id=120067
535         Remove getPropertyDescriptor
536
537         Reviewed by Oliver Hunt.
538
539         This is used by lookupGetter/lookupSetter - this can easily bee replaced by getPropertySlot.
540         Since we'll be getting the GetterSetter from the slot in the setter case, rename isGetter() to isAccessor().
541
542         * runtime/JSObject.cpp:
543         * runtime/JSObject.h:
544             - remove getPropertyDescriptor
545         * runtime/ObjectPrototype.cpp:
546         (JSC::objectProtoFuncLookupGetter):
547         (JSC::objectProtoFuncLookupSetter):
548             - replace call to getPropertyDescriptor with getPropertySlot
549         * runtime/PropertyDescriptor.h:
550         * runtime/PropertySlot.h:
551         (JSC::PropertySlot::isAccessor):
552         (JSC::PropertySlot::isCacheableGetter):
553         (JSC::PropertySlot::getterSetter):
554             - rename isGetter() to isAccessor()
555
556 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
557
558         https://bugs.webkit.org/show_bug.cgi?id=120054
559         Remove some dead code following getOwnPropertyDescriptor cleanup
560
561         Reviewed by Oliver Hunt.
562
563         * runtime/Lookup.h:
564         (JSC::getStaticFunctionSlot):
565             - remove getStaticPropertyDescriptor, getStaticFunctionDescriptor, getStaticValueDescriptor.
566
567 2013-08-20  Gavin Barraclough  <barraclough@apple.com>
568
569         https://bugs.webkit.org/show_bug.cgi?id=120052
570         Remove custom getOwnPropertyDescriptor for JSProxy
571
572         Reviewed by Geoff Garen.
573
574         GET_OWN_PROPERTY_DESCRIPTOR_IMPL runs afoul with JSProxy due to the workaround for JSDOMWindow's broken behavior.
575         Because the window object incorrectly searches the prototype chain in getOwnPropertySlot we check that the base
576         object matches, but in the case of JSProxy we can end up comparing the window object to the window shell & falsely
577         assuming this is a prototype property. Add toThis conversion to correctly identify proxied own access. I've kept
578         the original slotBase check as a fast case, and also so that direct access on JSDOMWindow still works.
579
580         * runtime/JSProxy.cpp:
581             - Remove custom getOwnPropertyDescriptor implementation.
582         * runtime/PropertyDescriptor.h:
583             - Modify own property access check to perform toThis conversion.
584
585 2013-08-20  Alex Christensen  <achristensen@apple.com>
586
587         Use PlatformArchitecture to distinguish between 32-bit and 64-bit builds on Windows.
588         https://bugs.webkit.org/show_bug.cgi?id=119512
589
590         Reviewed by Brent Fulgham.
591
592         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
593         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
594         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
595         * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
596         * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
597         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
598         * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
599         Replaced obj32, bin32, and lib32 with macros for 64-bit build.
600
601 2013-08-20  Julien Brianceau  <jbrianceau@nds.com>
602
603         <https://webkit.org/b/120062> Missing ensureSpace call in sh4 baseline JIT.
604
605         Reviewed by Allan Sandfeld Jensen.
606
607         branchPtrWithPatch() of baseline JIT must ensure that space is available for its
608         instructions and two constants now DFG is enabled for sh4 architecture.
609         These missing ensureSpace calls lead to random crashes.
610
611         * assembler/MacroAssemblerSH4.h:
612         (JSC::MacroAssemblerSH4::branchPtrWithPatch):
613
614 2013-08-19  Gavin Barraclough  <barraclough@apple.com>
615
616         https://bugs.webkit.org/show_bug.cgi?id=120034
617         Remove custom getOwnPropertyDescriptor for global objects
618
619         Reviewed by Geoff Garen.
620
621         Fix attributes of JSC SynbolTableObject entries, ensure that cross frame access is safe, and suppress prototype chain walk.
622
623         * runtime/JSGlobalObject.cpp:
624             - Remove custom getOwnPropertyDescriptor implementation.
625         * runtime/JSSymbolTableObject.h:
626         (JSC::symbolTableGet):
627             - The symbol table does not store the DontDelete attribute, we should be adding it back in.
628         * runtime/PropertyDescriptor.h:
629             - JSDOMWindow walks the prototype chain on own access. This is bad, but for now workaround for the getOwnPropertyDescriptor case.
630         * runtime/PropertySlot.h:
631         (JSC::PropertySlot::setUndefined):
632             - This is used by WebCore when blocking access to properties on cross-frame access.
633               Mark blocked properties as read-only, non-configurable to prevent defineProperty.
634
635 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
636
637         DFG should inline typedArray.byteOffset
638         https://bugs.webkit.org/show_bug.cgi?id=119962
639
640         Reviewed by Oliver Hunt.
641         
642         This adds a new node, GetTypedArrayByteOffset, which inlines
643         typedArray.byteOffset.
644         
645         Also, I improved a bunch of the clobbering logic related to typed arrays
646         and clobbering in general. For example, PutByOffset/PutStructure are not
647         clobber-world so they can be handled by most default cases in CSE. Also,
648         It's better to use the 'Class_field' notation for typed arrays now that
649         they no longer involve magical descriptor thingies.
650
651         * bytecode/SpeculatedType.h:
652         * dfg/DFGAbstractHeap.h:
653         * dfg/DFGAbstractInterpreterInlines.h:
654         (JSC::DFG::::executeEffects):
655         * dfg/DFGArrayMode.h:
656         (JSC::DFG::neverNeedsStorage):
657         * dfg/DFGCSEPhase.cpp:
658         (JSC::DFG::CSEPhase::getByValLoadElimination):
659         (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
660         (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
661         (JSC::DFG::CSEPhase::checkArrayElimination):
662         (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
663         (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination):
664         (JSC::DFG::CSEPhase::performNodeCSE):
665         * dfg/DFGClobberize.h:
666         (JSC::DFG::clobberize):
667         * dfg/DFGFixupPhase.cpp:
668         (JSC::DFG::FixupPhase::fixupNode):
669         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
670         (JSC::DFG::FixupPhase::convertToGetArrayLength):
671         (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
672         * dfg/DFGNodeType.h:
673         * dfg/DFGPredictionPropagationPhase.cpp:
674         (JSC::DFG::PredictionPropagationPhase::propagate):
675         * dfg/DFGSafeToExecute.h:
676         (JSC::DFG::safeToExecute):
677         * dfg/DFGSpeculativeJIT.cpp:
678         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
679         * dfg/DFGSpeculativeJIT.h:
680         * dfg/DFGSpeculativeJIT32_64.cpp:
681         (JSC::DFG::SpeculativeJIT::compile):
682         * dfg/DFGSpeculativeJIT64.cpp:
683         (JSC::DFG::SpeculativeJIT::compile):
684         * dfg/DFGTypeCheckHoistingPhase.cpp:
685         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
686         * runtime/ArrayBuffer.h:
687         (JSC::ArrayBuffer::offsetOfData):
688         * runtime/Butterfly.h:
689         (JSC::Butterfly::offsetOfArrayBuffer):
690         * runtime/IndexingHeader.h:
691         (JSC::IndexingHeader::offsetOfArrayBuffer):
692
693 2013-08-18  Filip Pizlo  <fpizlo@apple.com>
694
695         <https://webkit.org/b/119994> DFG new Array() inlining could get confused about global objects
696
697         Reviewed by Geoffrey Garen.
698
699         * dfg/DFGByteCodeParser.cpp:
700         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
701
702 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
703
704         https://bugs.webkit.org/show_bug.cgi?id=119995
705         Start removing custom implementations of getOwnPropertyDescriptor
706
707         Reviewed by Oliver Hunt.
708
709         This can now typically be implemented in terms of getOwnPropertySlot.
710         Add a macro to PropertyDescriptor to define an implementation of GOPD in terms of GOPS.
711         Switch over most classes in JSC & the WebCore bindings generator to use this.
712
713         * API/JSCallbackObjectFunctions.h:
714         * debugger/DebuggerActivation.cpp:
715         * runtime/Arguments.cpp:
716         * runtime/ArrayConstructor.cpp:
717         * runtime/ArrayPrototype.cpp:
718         * runtime/BooleanPrototype.cpp:
719         * runtime/DateConstructor.cpp:
720         * runtime/DatePrototype.cpp:
721         * runtime/ErrorPrototype.cpp:
722         * runtime/JSActivation.cpp:
723         * runtime/JSArray.cpp:
724         * runtime/JSArrayBuffer.cpp:
725         * runtime/JSArrayBufferView.cpp:
726         * runtime/JSCell.cpp:
727         * runtime/JSDataView.cpp:
728         * runtime/JSDataViewPrototype.cpp:
729         * runtime/JSFunction.cpp:
730         * runtime/JSGenericTypedArrayViewInlines.h:
731         * runtime/JSNotAnObject.cpp:
732         * runtime/JSONObject.cpp:
733         * runtime/JSObject.cpp:
734         * runtime/NamePrototype.cpp:
735         * runtime/NumberConstructor.cpp:
736         * runtime/NumberPrototype.cpp:
737         * runtime/ObjectConstructor.cpp:
738             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
739         * runtime/PropertyDescriptor.h:
740             - Added GET_OWN_PROPERTY_DESCRIPTOR_IMPL macro.
741         * runtime/PropertySlot.h:
742         (JSC::PropertySlot::isValue):
743         (JSC::PropertySlot::isGetter):
744         (JSC::PropertySlot::isCustom):
745         (JSC::PropertySlot::isCacheableValue):
746         (JSC::PropertySlot::isCacheableGetter):
747         (JSC::PropertySlot::isCacheableCustom):
748         (JSC::PropertySlot::attributes):
749         (JSC::PropertySlot::getterSetter):
750             - Add accessors necessary to convert PropertySlot to descriptor.
751         * runtime/RegExpConstructor.cpp:
752         * runtime/RegExpMatchesArray.cpp:
753         * runtime/RegExpMatchesArray.h:
754         * runtime/RegExpObject.cpp:
755         * runtime/RegExpPrototype.cpp:
756         * runtime/StringConstructor.cpp:
757         * runtime/StringObject.cpp:
758             - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
759
760 2013-08-19  Michael Saboff  <msaboff@apple.com>
761
762         https://bugs.webkit.org/show_bug.cgi?id=120015 DFG 32Bit: Crash loading "Classic" site @ translate.google.com
763
764         Reviewed by Sam Weinig.
765
766         * dfg/DFGSpeculativeJIT32_64.cpp:
767         (JSC::DFG::SpeculativeJIT::fillSpeculateCell): Added checks for spillFormat being
768         DataFormatInteger or DataFormatDouble similar to what is in the 64 bit code and in
769         all versions of fillSpeculateBoolean().
770
771 2013-08-19  Michael Saboff  <msaboff@apple.com>
772
773         https://bugs.webkit.org/show_bug.cgi?id=120020 Change Set 154207 causes wrong register to be used for 32 bit tests
774
775         Reviewed by Benjamin Poulain.
776
777         Change branchTest32 to only use the byte for 8 bit test on the lower 4 registers.
778         Registers 4 through 7 as byte registers are ah, ch, dh and bh instead of sp, bp, si and di.
779
780         * assembler/MacroAssemblerX86Common.h:
781         (JSC::MacroAssemblerX86Common::branchTest32):
782
783 2013-08-16  Oliver Hunt  <oliver@apple.com>
784
785         <https://webkit.org/b/119860> Crash during exception unwinding
786
787         Reviewed by Filip Pizlo.
788
789         Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error
790         to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node.
791
792         We need this so that Throw and ThrowReferenceError no longer need to be treated as
793         terminals and the subsequent flush keeps the activation (and other registers) live.
794
795         * dfg/DFGAbstractInterpreterInlines.h:
796         (JSC::DFG::::executeEffects):
797         * dfg/DFGByteCodeParser.cpp:
798         (JSC::DFG::ByteCodeParser::parseBlock):
799         * dfg/DFGClobberize.h:
800         (JSC::DFG::clobberize):
801         * dfg/DFGFixupPhase.cpp:
802         (JSC::DFG::FixupPhase::fixupNode):
803         * dfg/DFGNode.h:
804         (JSC::DFG::Node::isTerminal):
805         * dfg/DFGNodeType.h:
806         * dfg/DFGPredictionPropagationPhase.cpp:
807         (JSC::DFG::PredictionPropagationPhase::propagate):
808         * dfg/DFGSafeToExecute.h:
809         (JSC::DFG::safeToExecute):
810         * dfg/DFGSpeculativeJIT32_64.cpp:
811         (JSC::DFG::SpeculativeJIT::compile):
812         * dfg/DFGSpeculativeJIT64.cpp:
813         (JSC::DFG::SpeculativeJIT::compile):
814
815 2013-08-19  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>
816
817         <https://webkit.org/b/120008> [GTK][ARM] javascriptcore compilation is broken
818
819         Reviewed by Oliver Hunt.
820
821         Guard the compilation of these files only if DFG_JIT is enabled.
822
823         * dfg/DFGDesiredTransitions.cpp:
824         * dfg/DFGDesiredTransitions.h:
825         * dfg/DFGDesiredWeakReferences.cpp:
826         * dfg/DFGDesiredWeakReferences.h:
827         * dfg/DFGDesiredWriteBarriers.cpp:
828         * dfg/DFGDesiredWriteBarriers.h:
829
830 2013-08-17  Filip Pizlo  <fpizlo@apple.com>
831
832         REGRESSION(r154218): DFG::FixupPhase no longer turns GetById's child1 into CellUse
833         https://bugs.webkit.org/show_bug.cgi?id=119961
834
835         Reviewed by Mark Hahnenberg.
836
837         * dfg/DFGFixupPhase.cpp:
838         (JSC::DFG::FixupPhase::fixupNode):
839
840 2013-08-18  Gavin Barraclough  <barraclough@apple.com>
841
842         https://bugs.webkit.org/show_bug.cgi?id=119972
843         Add attributes field to PropertySlot
844
845         Reviewed by Geoff Garen.
846
847         For all JSC types, this makes getOwnPropertyDescriptor redundant.
848         There will be a bit more hacking required in WebCore to remove GOPD whilst maintaining current behaviour.
849         (Current behaviour is in many ways broken, particularly in that GOPD & GOPS are inconsistent, but we should fix incrementally).
850
851         No performance impact.
852
853         * runtime/PropertySlot.h:
854         (JSC::PropertySlot::setValue):
855         (JSC::PropertySlot::setCustom):
856         (JSC::PropertySlot::setCacheableCustom):
857         (JSC::PropertySlot::setCustomIndex):
858         (JSC::PropertySlot::setGetterSlot):
859         (JSC::PropertySlot::setCacheableGetterSlot):
860             - These methods now all require 'attributes'.
861         * runtime/JSObject.h:
862         (JSC::JSObject::getDirect):
863         (JSC::JSObject::getDirectOffset):
864         (JSC::JSObject::inlineGetOwnPropertySlot):
865             - Added variants of getDirect, getDirectOffset that return the attributes.
866         * API/JSCallbackObjectFunctions.h:
867         (JSC::::getOwnPropertySlot):
868         * runtime/Arguments.cpp:
869         (JSC::Arguments::getOwnPropertySlotByIndex):
870         (JSC::Arguments::getOwnPropertySlot):
871         * runtime/JSActivation.cpp:
872         (JSC::JSActivation::symbolTableGet):
873         (JSC::JSActivation::getOwnPropertySlot):
874         * runtime/JSArray.cpp:
875         (JSC::JSArray::getOwnPropertySlot):
876         * runtime/JSArrayBuffer.cpp:
877         (JSC::JSArrayBuffer::getOwnPropertySlot):
878         * runtime/JSArrayBufferView.cpp:
879         (JSC::JSArrayBufferView::getOwnPropertySlot):
880         * runtime/JSDataView.cpp:
881         (JSC::JSDataView::getOwnPropertySlot):
882         * runtime/JSFunction.cpp:
883         (JSC::JSFunction::getOwnPropertySlot):
884         * runtime/JSGenericTypedArrayViewInlines.h:
885         (JSC::::getOwnPropertySlot):
886         (JSC::::getOwnPropertySlotByIndex):
887         * runtime/JSObject.cpp:
888         (JSC::JSObject::getOwnPropertySlotByIndex):
889         (JSC::JSObject::fillGetterPropertySlot):
890         * runtime/JSString.h:
891         (JSC::JSString::getStringPropertySlot):
892         * runtime/JSSymbolTableObject.h:
893         (JSC::symbolTableGet):
894         * runtime/Lookup.cpp:
895         (JSC::setUpStaticFunctionSlot):
896         * runtime/Lookup.h:
897         (JSC::getStaticPropertySlot):
898         (JSC::getStaticPropertyDescriptor):
899         (JSC::getStaticValueSlot):
900         (JSC::getStaticValueDescriptor):
901         * runtime/RegExpObject.cpp:
902         (JSC::RegExpObject::getOwnPropertySlot):
903         * runtime/SparseArrayValueMap.cpp:
904         (JSC::SparseArrayEntry::get):
905             - Pass attributes to PropertySlot::set* methods.
906
907 2013-08-17  Mark Hahnenberg  <mhahnenberg@apple.com>
908
909         <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
910
911         Reviewed by Filip Pizlo.
912
913         Added a new mode for DesiredWriteBarrier that allows it to track a position in a 
914         Vector of WriteBarriers rather than the specific address. The fact that we were 
915         arbitrarily storing into a Vector's backing store for constants at the end of 
916         compilation after the Vector could have resized was causing crashes.
917
918         * bytecode/CodeBlock.h:
919         (JSC::CodeBlock::constants):
920         (JSC::CodeBlock::addConstantLazily):
921         * dfg/DFGByteCodeParser.cpp:
922         (JSC::DFG::ByteCodeParser::addConstant):
923         * dfg/DFGDesiredWriteBarriers.cpp:
924         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
925         (JSC::DFG::DesiredWriteBarrier::trigger):
926         (JSC::DFG::initializeLazyWriteBarrierForConstant):
927         * dfg/DFGDesiredWriteBarriers.h:
928         (JSC::DFG::DesiredWriteBarriers::add):
929         * dfg/DFGFixupPhase.cpp:
930         (JSC::DFG::FixupPhase::truncateConstantToInt32):
931         * dfg/DFGGraph.h:
932         (JSC::DFG::Graph::constantRegisterForConstant):
933
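        Added example (not code from this ChangeLog or from WebKit): the pattern the entry above
        describes, written in C. A deferred store remembers its slot in a growable vector as an
        index and resolves that index only when it is triggered, so a reallocation of the vector
        in between never leaves it holding a pointer into freed memory. The ConstantVector type,
        the DeferredStore struct and every name below are this example's own.

```c
#include <assert.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for a growable Vector of constants (not JSC code). */
typedef struct {
    int64_t *data;
    size_t size;
    size_t capacity;
} ConstantVector;

/* A deferred write that remembers *where* to store by index rather than by a
   raw pointer into the backing store.  The raw-pointer variant is the bug the
   entry describes: once the vector reallocates, such a pointer refers to
   freed memory and the late store is a use-after-free. */
typedef struct {
    ConstantVector *vector;  /* owner; assumed to outlive the deferred store */
    size_t index;            /* position, resolved only when triggered */
    int64_t value;
} DeferredStore;

static void vec_init(ConstantVector *v) { v->data = NULL; v->size = 0; v->capacity = 0; }
static void vec_free(ConstantVector *v) { free(v->data); vec_init(v); }

/* Append one element, growing (and possibly moving) the backing store. */
static size_t vec_push(ConstantVector *v, int64_t value) {
    if (v->size == v->capacity) {
        size_t newCapacity = v->capacity ? v->capacity * 2 : 4;
        int64_t *grown = realloc(v->data, newCapacity * sizeof(int64_t));
        assert(grown);
        v->data = grown;
        v->capacity = newCapacity;
    }
    v->data[v->size] = value;
    return v->size++;
}

/* Reserve a slot now and record a deferred store against its index. */
static DeferredStore defer_store(ConstantVector *v, int64_t value) {
    DeferredStore d;
    d.vector = v;
    d.index = vec_push(v, 0);   /* placeholder until trigger() */
    d.value = value;
    return d;
}

/* Resolve the index against the *current* backing store, so any growth that
   happened in between is harmless. */
static void trigger(const DeferredStore *d) {
    assert(d->index < d->vector->size);
    d->vector->data[d->index] = d->value;
}

/* Scenario: defer a store, push enough elements to force several
   reallocations, then trigger.  Returns what the deferred slot holds after. */
int64_t deferred_store_survives_growth(size_t pushesAfterDefer) {
    ConstantVector v;
    vec_init(&v);
    vec_push(&v, 1);
    DeferredStore d = defer_store(&v, 42);
    for (size_t i = 0; i < pushesAfterDefer; i++)
        vec_push(&v, (int64_t)i);
    trigger(&d);
    int64_t result = v.data[d.index];
    vec_free(&v);
    return result;
}
```

        The index form costs one bounds check at trigger time; the pointer form it replaces
        is only safe if nothing can grow the vector between the two points, which is exactly
        the assumption a concurrent compiler cannot make.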
934 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
935
936         DFG should optimize typedArray.byteLength
937         https://bugs.webkit.org/show_bug.cgi?id=119909
938
939         Reviewed by Oliver Hunt.
940         
941         This adds typedArray.byteLength inlining to the DFG, and does so without changing
942         the IR: byteLength is turned into GetArrayLength followed by BitLShift. This is
943         legal since the byteLength of a typed array cannot exceed
944         numeric_limits<int32_t>::max().
945
946         * bytecode/SpeculatedType.cpp:
947         (JSC::typedArrayTypeFromSpeculation):
948         * bytecode/SpeculatedType.h:
949         * dfg/DFGArrayMode.cpp:
950         (JSC::DFG::toArrayType):
951         * dfg/DFGArrayMode.h:
952         * dfg/DFGFixupPhase.cpp:
953         (JSC::DFG::FixupPhase::fixupNode):
954         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
955         (JSC::DFG::FixupPhase::attemptToMakeGetByteLength):
956         (JSC::DFG::FixupPhase::convertToGetArrayLength):
957         (JSC::DFG::FixupPhase::prependGetArrayLength):
958         * dfg/DFGGraph.h:
959         (JSC::DFG::Graph::constantRegisterForConstant):
960         (JSC::DFG::Graph::convertToConstant):
961         * runtime/TypedArrayType.h:
962         (JSC::logElementSize):
963         (JSC::elementSize):
964
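        Added example (not code from this ChangeLog or from WebKit) showing why the rewrite in
        the entry above is safe: if allocation only admits lengths whose byte length fits in an
        int32_t, then byteLength is exactly length shifted left by log2(elementSize) and the
        shift cannot overflow. The TypedArrayKind enum, the size table and the function names
        are this example's own; JSC's TypedArrayType has its own enumerators.

```c
#include <stdbool.h>
#include <stdint.h>

/* Element types of the typed arrays the entry discusses (example's own enum). */
typedef enum {
    TA_Int8, TA_Uint8, TA_Uint8Clamped, TA_Int16, TA_Uint16,
    TA_Int32, TA_Uint32, TA_Float32, TA_Float64
} TypedArrayKind;

/* log2 of the element size in bytes. */
unsigned logElementSize(TypedArrayKind kind) {
    switch (kind) {
    case TA_Int8: case TA_Uint8: case TA_Uint8Clamped: return 0;
    case TA_Int16: case TA_Uint16: return 1;
    case TA_Int32: case TA_Uint32: case TA_Float32: return 2;
    case TA_Float64: return 3;
    }
    return 0;
}

unsigned elementSize(TypedArrayKind kind) { return 1u << logElementSize(kind); }

/* Invariant enforced at allocation time: length * elementSize must fit in an
   int32_t.  Evaluated in 64 bits so the check itself cannot overflow. */
bool lengthIsAllocatable(TypedArrayKind kind, uint64_t length) {
    return length <= ((uint64_t)INT32_MAX >> logElementSize(kind));
}

/* With the invariant above, byteLength is length << logElementSize and the
   shift stays below INT32_MAX, which is the rewrite the DFG applies
   (GetArrayLength followed by a left shift).  Returns -1 for a length the
   allocator would have rejected. */
int32_t byteLength(TypedArrayKind kind, int32_t length) {
    if (length < 0 || !lengthIsAllocatable(kind, (uint64_t)length))
        return -1;
    return length << logElementSize(kind);
}
```

        The point for a reviewer is that the JIT's shift is only correct because the allocator
        upholds the bound; any path that creates a view without that check would turn the shift
        into a signed overflow.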
965 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
966
967         DFG optimizes out strict mode arguments tear off
968         https://bugs.webkit.org/show_bug.cgi?id=119504
969
970         Reviewed by Mark Hahnenberg and Oliver Hunt.
971         
972         Don't do the optimization for strict mode.
973
974         * dfg/DFGArgumentsSimplificationPhase.cpp:
975         (JSC::DFG::ArgumentsSimplificationPhase::run):
976         (JSC::DFG::ArgumentsSimplificationPhase::pruneObviousArgumentCreations):
977
978 2013-08-16  Benjamin Poulain  <benjamin@webkit.org>
979
980         [JSC] x86: improve code generation for xxxTest32
981         https://bugs.webkit.org/show_bug.cgi?id=119876
982
983         Reviewed by Geoffrey Garen.
984
985         Try to use testb whenever possible when testing for an immediate value.
986
987         When the input is an address and an offset, we can tweak the mask
988         and offset to be able to generate testb for any byte of the mask.
989
990         When the input is a register, we can use testb if we are only interested
991         in testing the low bits.
992
993         * assembler/MacroAssemblerX86Common.h:
994         (JSC::MacroAssemblerX86Common::branchTest32):
995         (JSC::MacroAssemblerX86Common::test32):
996         (JSC::MacroAssemblerX86Common::generateTest32):
997
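        Added example (not code from this ChangeLog or from WebKit's MacroAssemblerX86Common)
        illustrating both this entry and the 120020 entry above: a minimal 32-bit x86 encoder
        for "test r/m, imm" that uses testb only when it is safe. For a register operand that
        means the mask fits in the low byte and the register is eax..ebx, because register
        numbers 4..7 in the 8-bit form select ah, ch, dh, bh. For a memory operand no such
        restriction exists, so the mask and offset are shifted to test whichever byte is
        nonzero. Register numbering, the packing helpers and all function names are this
        example's own.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Register numbers are the hardware ones: 0=eax 1=ecx 2=edx 3=ebx 4=esp
   5=ebp 6=esi 7=edi.  32-bit mode, no REX prefix. */

static void put_imm32(uint8_t *out, uint32_t v) {
    out[0] = (uint8_t)v;         out[1] = (uint8_t)(v >> 8);
    out[2] = (uint8_t)(v >> 16); out[3] = (uint8_t)(v >> 24);
}

/* test r/m32, imm32 (register direct): F7 /0 id, 6 bytes. */
size_t encode_test32_reg(uint8_t *out, unsigned reg, uint32_t mask) {
    out[0] = 0xF7;
    out[1] = (uint8_t)(0xC0 | (reg & 7));
    put_imm32(out + 2, mask);
    return 6;
}

/* test r/m8, imm8 (register direct): F6 /0 ib, 3 bytes.  Without a REX
   prefix, register numbers 4..7 here mean AH, CH, DH, BH, not the low byte
   of esp, ebp, esi, edi. */
size_t encode_test8_reg(uint8_t *out, unsigned reg, uint8_t mask) {
    out[0] = 0xF6;
    out[1] = (uint8_t)(0xC0 | (reg & 7));
    out[2] = mask;
    return 3;
}

/* Register input: testb only when the mask lives in the low byte AND the
   register is eax..ebx.  Emitting testb for esp..edi would silently test a
   different register, the bug fixed in the 120020 entry. */
size_t encode_test32_reg_best(uint8_t *out, unsigned reg, uint32_t mask) {
    if ((mask & 0xFF) == mask && reg < 4)
        return encode_test8_reg(out, reg, (uint8_t)mask);
    return encode_test32_reg(out, reg, mask);
}

/* If exactly one byte of the mask is nonzero, testing that byte at
   offset + byteIndex is equivalent to testing the whole 32-bit word. */
bool narrow_to_byte(uint32_t mask, int32_t offset, uint8_t *byteMask, int32_t *byteOffset) {
    if (mask == 0)
        return false;
    for (unsigned i = 0; i < 4; i++) {
        uint32_t lane = 0xFFu << (8 * i);
        if ((mask & ~lane) == 0) {
            *byteMask = (uint8_t)(mask >> (8 * i));
            *byteOffset = offset + (int32_t)i;
            return true;
        }
    }
    return false;
}

/* Memory input [base + disp8]: the byte-register caveat does not apply to a
   memory operand, so any byte of the mask may be tested.  Only bases needing
   no SIB byte are supported (base != esp) and the offset must fit a disp8. */
size_t encode_test_mem_best(uint8_t *out, unsigned base, int32_t offset, uint32_t mask) {
    uint8_t byteMask;
    int32_t byteOffset;
    assert(base != 4 && offset >= -128 && offset <= 127);
    if (narrow_to_byte(mask, offset, &byteMask, &byteOffset) && byteOffset <= 127) {
        out[0] = 0xF6;
        out[1] = (uint8_t)(0x40 | (base & 7));   /* mod=01, disp8 follows */
        out[2] = (uint8_t)(int8_t)byteOffset;
        out[3] = byteMask;
        return 4;
    }
    out[0] = 0xF7;
    out[1] = (uint8_t)(0x40 | (base & 7));
    out[2] = (uint8_t)(int8_t)offset;
    put_imm32(out + 3, mask);
    return 7;
}

/* Packs an encoding for comparison: length in the top byte, then the
   instruction bytes from the next byte downwards (example's own helper). */
uint64_t pack_encoding(const uint8_t *bytes, size_t len) {
    uint64_t v = (uint64_t)len << 56;
    for (size_t i = 0; i < len && i < 7; i++)
        v |= (uint64_t)bytes[i] << (48 - 8 * i);
    return v;
}

uint64_t packed_test_reg(unsigned reg, uint32_t mask) {
    uint8_t buf[8];
    return pack_encoding(buf, encode_test32_reg_best(buf, reg, mask));
}

uint64_t packed_test_mem(unsigned base, int32_t offset, uint32_t mask) {
    uint8_t buf[8];
    return pack_encoding(buf, encode_test_mem_best(buf, base, offset, mask));
}
```

        A useful check when reviewing an assembler change of this kind is to disassemble the
        emitted bytes for every register number, not just eax: F6 C5 01 reads back as
        "test ch, 1", which is how the wrong-register case shows itself.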
998 2013-08-16  Mark Lam  <mark.lam@apple.com>
999
1000         <https://bugs.webkit.org/show_bug.cgi?id=119913> Baseline JIT gives erroneous
1001         error message that an object is not a constructor though it expects a function
1002
1003         Reviewed by Michael Saboff.
1004
1005         * jit/JITStubs.cpp:
1006         (JSC::DEFINE_STUB_FUNCTION):
1007
1008 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
1009
1010         Object properties added using dot syntax (o.f = ...) from code that isn't in eval should be less likely to cause an object to become a dictionary
1011         https://bugs.webkit.org/show_bug.cgi?id=119897
1012
1013         Reviewed by Oliver Hunt.
1014         
1015         6-10x speed-up on microbenchmarks that create large static objects. 40-65% speed-up
1016         on Octane/gbemu. 3% overall speed-up on Octane. No slow-downs anywhere; our ability
1017         to turn objects into dictionaries when you're storing using bracket syntax or using
1018         eval is still in place.
1019
1020         * bytecode/CodeBlock.h:
1021         (JSC::CodeBlock::putByIdContext):
1022         * dfg/DFGOperations.cpp:
1023         * jit/JITStubs.cpp:
1024         (JSC::DEFINE_STUB_FUNCTION):
1025         * llint/LLIntSlowPaths.cpp:
1026         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1027         * runtime/JSObject.h:
1028         (JSC::JSObject::putDirectInternal):
1029         * runtime/PutPropertySlot.h:
1030         (JSC::PutPropertySlot::PutPropertySlot):
1031         (JSC::PutPropertySlot::context):
1032         * runtime/Structure.cpp:
1033         (JSC::Structure::addPropertyTransition):
1034         * runtime/Structure.h:
1035
1036 2013-08-16  Balazs Kilvady  <kilvadyb@homejinni.com>
1037
1038         <https://webkit.org/b/119742> REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException
1039
1040         Reviewed by Allan Sandfeld Jensen.
1041
1042         ctiVMHandleException must jump/return using register ra (r31).
1043
1044         * jit/JITStubsMIPS.h:
1045
1046 2013-08-16  Julien Brianceau  <jbrianceau@nds.com>
1047
1048         <https://webkit.org/b/119879> Fix sh4 build after r154156.
1049
1050         Reviewed by Allan Sandfeld Jensen.
1051
1052         Fix typo in JITStubsSH4.h file.
1053
1054         * jit/JITStubsSH4.h:
1055
1056 2013-08-15  Mark Hahnenberg  <mhahnenberg@apple.com>
1057
1058         <https://webkit.org/b/119833> Concurrent compilation thread should not trigger WriteBarriers
1059
1060         Reviewed by Oliver Hunt.
1061
1062         The concurrent compilation thread should interact minimally with the Heap, including not 
1063         triggering WriteBarriers. This is a prerequisite for generational GC.
1064
1065         * JavaScriptCore.xcodeproj/project.pbxproj:
1066         * bytecode/CodeBlock.cpp:
1067         (JSC::CodeBlock::addOrFindConstant):
1068         (JSC::CodeBlock::findConstant):
1069         * bytecode/CodeBlock.h:
1070         (JSC::CodeBlock::addConstantLazily):
1071         * dfg/DFGByteCodeParser.cpp:
1072         (JSC::DFG::ByteCodeParser::getJSConstantForValue):
1073         (JSC::DFG::ByteCodeParser::constantUndefined):
1074         (JSC::DFG::ByteCodeParser::constantNull):
1075         (JSC::DFG::ByteCodeParser::one):
1076         (JSC::DFG::ByteCodeParser::constantNaN):
1077         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1078         * dfg/DFGCommonData.cpp:
1079         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
1080         * dfg/DFGCommonData.h:
1081         * dfg/DFGDesiredTransitions.cpp: Added.
1082         (JSC::DFG::DesiredTransition::DesiredTransition):
1083         (JSC::DFG::DesiredTransition::reallyAdd):
1084         (JSC::DFG::DesiredTransitions::DesiredTransitions):
1085         (JSC::DFG::DesiredTransitions::~DesiredTransitions):
1086         (JSC::DFG::DesiredTransitions::addLazily):
1087         (JSC::DFG::DesiredTransitions::reallyAdd):
1088         * dfg/DFGDesiredTransitions.h: Added.
1089         * dfg/DFGDesiredWeakReferences.cpp: Added.
1090         (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
1091         (JSC::DFG::DesiredWeakReferences::~DesiredWeakReferences):
1092         (JSC::DFG::DesiredWeakReferences::addLazily):
1093         (JSC::DFG::DesiredWeakReferences::reallyAdd):
1094         * dfg/DFGDesiredWeakReferences.h: Added.
1095         * dfg/DFGDesiredWriteBarriers.cpp: Added.
1096         (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
1097         (JSC::DFG::DesiredWriteBarrier::trigger):
1098         (JSC::DFG::DesiredWriteBarriers::DesiredWriteBarriers):
1099         (JSC::DFG::DesiredWriteBarriers::~DesiredWriteBarriers):
1100         (JSC::DFG::DesiredWriteBarriers::addImpl):
1101         (JSC::DFG::DesiredWriteBarriers::trigger):
1102         * dfg/DFGDesiredWriteBarriers.h: Added.
1103         (JSC::DFG::DesiredWriteBarriers::add):
1104         (JSC::DFG::initializeLazyWriteBarrier):
1105         * dfg/DFGFixupPhase.cpp:
1106         (JSC::DFG::FixupPhase::truncateConstantToInt32):
1107         * dfg/DFGGraph.h:
1108         (JSC::DFG::Graph::convertToConstant):
1109         * dfg/DFGJITCompiler.h:
1110         (JSC::DFG::JITCompiler::addWeakReference):
1111         * dfg/DFGPlan.cpp:
1112         (JSC::DFG::Plan::Plan):
1113         (JSC::DFG::Plan::reallyAdd):
1114         * dfg/DFGPlan.h:
1115         * dfg/DFGSpeculativeJIT32_64.cpp:
1116         (JSC::DFG::SpeculativeJIT::compile):
1117         * dfg/DFGSpeculativeJIT64.cpp:
1118         (JSC::DFG::SpeculativeJIT::compile):
1119         * runtime/WriteBarrier.h:
1120         (JSC::WriteBarrierBase::set):
1121         (JSC::WriteBarrier::WriteBarrier):
1122
1123 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
1124
1125         Fix x86 32bits build after r154158
1126
1127         * assembler/X86Assembler.h: Add missing #ifdef for the x86_64 instructions.
1128
1129 2013-08-15  Ryosuke Niwa  <rniwa@webkit.org>
1130
1131         Build fix attempt after r154156.
1132
1133         * jit/JITStubs.cpp:
1134         (JSC::cti_vm_handle_exception): encode!
1135
1136 2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
1137
1138         [JSC] x86: Use inc and dec when possible
1139         https://bugs.webkit.org/show_bug.cgi?id=119831
1140
1141         Reviewed by Geoffrey Garen.
1142
1143         When incrementing or decrementing by an immediate of 1, use the instructions
1144         inc and dec instead of add and sub.
1145         The instructions have good timing and their encoding is smaller.
1146
1147         * assembler/MacroAssemblerX86Common.h:
1148         (JSC::MacroAssemblerX86_64::add32):
1149         (JSC::MacroAssemblerX86_64::sub32):
1150         * assembler/MacroAssemblerX86_64.h:
1151         (JSC::MacroAssemblerX86_64::add64):
1152         (JSC::MacroAssemblerX86_64::sub64):
1153         * assembler/X86Assembler.h:
1154         (JSC::X86Assembler::dec_r):
1155         (JSC::X86Assembler::decq_r):
1156         (JSC::X86Assembler::inc_r):
1157         (JSC::X86Assembler::incq_r):
1158
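        Added example (not code from this ChangeLog or from WebKit's X86Assembler) showing the
        encodings behind the entry above and why the 64-bit variants need their own guarded
        path (the 32-bit build fix further up): in 32-bit mode inc/dec have a one-byte form,
        40+rd and 48+rd, but in 64-bit mode those bytes are REX prefixes, so only the FF /0 and
        FF /1 group form remains. Register numbering, the packing helper and all function
        names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Register numbers are the hardware ones: 0=eax/rax .. 7=edi/rdi and
   8..15 = r8..r15 (64-bit mode only). */

/* 32-bit mode: one-byte form, 40+rd = inc r32, 48+rd = dec r32. */
size_t encode_incdec_ia32(uint8_t *out, unsigned reg, bool dec) {
    out[0] = (uint8_t)((dec ? 0x48 : 0x40) | (reg & 7));
    return 1;
}

/* 64-bit mode: 40..4F are REX prefixes, so only FF /0 (inc) and FF /1 (dec)
   exist.  REX.B reaches r8..r15; REX.W selects a 64-bit operand (incq/decq). */
size_t encode_incdec_x86_64(uint8_t *out, unsigned reg, bool dec, bool wide) {
    size_t n = 0;
    uint8_t rex = (uint8_t)(0x40 | (wide ? 0x08 : 0) | (reg >= 8 ? 0x01 : 0));
    if (rex != 0x40)
        out[n++] = rex;
    out[n++] = 0xFF;
    out[n++] = (uint8_t)(0xC0 | ((dec ? 1 : 0) << 3) | (reg & 7));
    return n;
}

/* The three-byte forms replaced when the immediate is +-1:
   add r/m32, imm8 = 83 /0 ib and sub r/m32, imm8 = 83 /5 ib. */
size_t encode_addsub_imm8_ia32(uint8_t *out, unsigned reg, bool sub, int8_t imm) {
    out[0] = 0x83;
    out[1] = (uint8_t)(0xC0 | ((sub ? 5 : 0) << 3) | (reg & 7));
    out[2] = (uint8_t)imm;
    return 3;
}

/* add32(imm, reg) in 32-bit mode as the entry describes it: inc/dec for an
   immediate of +1/-1, otherwise the generic add with a sign-extended imm8. */
size_t encode_add32_ia32(uint8_t *out, unsigned reg, int8_t imm) {
    if (imm == 1)
        return encode_incdec_ia32(out, reg, false);
    if (imm == -1)
        return encode_incdec_ia32(out, reg, true);
    return encode_addsub_imm8_ia32(out, reg, false, imm);
}

/* Packs up to three instruction bytes with the length in the top byte. */
uint32_t pack3(const uint8_t *b, size_t n) {
    uint32_t v = (uint32_t)n << 24;
    for (size_t i = 0; i < n && i < 3; i++)
        v |= (uint32_t)b[i] << (16 - 8 * i);
    return v;
}

uint32_t packed_add32_ia32(unsigned reg, int8_t imm) {
    uint8_t b[4];
    return pack3(b, encode_add32_ia32(b, reg, imm));
}

uint32_t packed_incdec_x86_64(unsigned reg, bool dec, bool wide) {
    uint8_t b[4];
    return pack3(b, encode_incdec_x86_64(b, reg, dec, wide));
}
```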
1159 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1160
1161         Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
1162         https://bugs.webkit.org/show_bug.cgi?id=119874
1163
1164         Reviewed by Oliver Hunt and Mark Hahnenberg.
1165         
1166         It was a confusion between heuristics in DFG::ArrayMode that are assuming that
1167         you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
1168         sometimes for typed array length accesses, and the FixupPhase assuming that a
1169         ForceExit ArrayMode means that it should continue using a generic GetById.
1170
1171         This fixes the confusion.
1172
1173         * dfg/DFGFixupPhase.cpp:
1174         (JSC::DFG::FixupPhase::fixupNode):
1175
1176 2013-08-15  Mark Lam  <mark.lam@apple.com>
1177
1178         Fix crash when performing activation tearoff.
1179         https://bugs.webkit.org/show_bug.cgi?id=119848
1180
1181         Reviewed by Oliver Hunt.
1182
1183         The activation tearoff crash was due to a bug in the baseline JIT.
1184         If we have a scenario where a baseline JIT frame calls a LLINT
1185         frame, an exception may be thrown while in the LLINT.
1186
1187         Interpreter::throwException() which handles the exception will unwind
1188         all frames until it finds a catcher or sees a host frame. When we
1189         return from the LLINT to the baseline JIT code, the baseline JIT code
1190         erroneously sets topCallFrame to the value in its call frame register,
1191         and starts unwinding the stack frames that have already been unwound.
1192
1193         The fix is:
1194         1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
1195            This is a more accurate description of what this runtime function
1196            is supposed to do, i.e. it handles the exception, which includes doing
1197            nothing (if there are no more frames to unwind).
1198         2. Fix up topCallFrame values so that the HostCallFrameFlag is never
1199            set on it.
1200         3. Reload the call frame register from topCallFrame when we're
1201            returning from a callee and detect exception handling in progress.
1202
1203         * interpreter/Interpreter.cpp:
1204         (JSC::Interpreter::unwindCallFrame):
1205         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
1206         (JSC::Interpreter::getStackTrace):
1207         * interpreter/Interpreter.h:
1208         (JSC::TopCallFrameSetter::TopCallFrameSetter):
1209         (JSC::TopCallFrameSetter::~TopCallFrameSetter):
1210         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
1211         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
1212         * jit/JIT.h:
1213         * jit/JITExceptions.cpp:
1214         (JSC::uncaughtExceptionHandler):
1215         - Convenience function to get the handler for uncaught exceptions.
1216         * jit/JITExceptions.h:
1217         * jit/JITInlines.h:
1218         (JSC::JIT::reloadCallFrameFromTopCallFrame):
1219         * jit/JITOpcodes32_64.cpp:
1220         (JSC::JIT::privateCompileCTINativeCall):
1221         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
1222         * jit/JITStubs.cpp:
1223         (JSC::throwExceptionFromOpCall):
1224         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
1225         (JSC::cti_vm_handle_exception):
1226         - Check for the case when there are no more frames to unwind.
1227         * jit/JITStubs.h:
1228         * jit/JITStubsARM.h:
1229         * jit/JITStubsARMv7.h:
1230         * jit/JITStubsMIPS.h:
1231         * jit/JITStubsSH4.h:
1232         * jit/JITStubsX86.h:
1233         * jit/JITStubsX86_64.h:
1234         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
1235         * jit/SlowPathCall.h:
1236         (JSC::JITSlowPathCall::call):
1237         - Reload cfr from topCallFrame when handling an exception.
1238         - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
1239         * jit/ThunkGenerators.cpp:
1240         (JSC::nativeForGenerator):
1241         * llint/LowLevelInterpreter32_64.asm:
1242         * llint/LowLevelInterpreter64.asm:
1243         - Reload cfr from topCallFrame when handling an exception.
1244         * runtime/VM.cpp:
1245         (JSC::VM::VM):
1246         - Ensure that topCallFrame is not set with the HostCallFrameFlag.
1247
1248 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1249
1250         Remove some code duplication.
1251         
1252         Rubber stamped by Mark Hahnenberg.
1253
1254         * runtime/JSDataViewPrototype.cpp:
1255         (JSC::getData):
1256         (JSC::setData):
1257
1258 2013-08-15  Julien Brianceau  <jbrianceau@nds.com>
1259
1260         [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
1261         https://bugs.webkit.org/show_bug.cgi?id=119794
1262
1263         Reviewed by Filip Pizlo.
1264
1265         This patch fixes ASSERT failures in debug builds for the sh4 and mips architectures.
1266
1267         * dfg/DFGUseKind.h:
1268         (JSC::DFG::isNumerical):
1269         (JSC::DFG::isDouble):
1270
1271 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1272
1273         http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.
1274
1275         Rubber stamped by Oliver Hunt.
1276         
1277         This was causing some test crashes for me.
1278
1279         * dfg/DFGCapabilities.cpp:
1280         (JSC::DFG::capabilityLevel):
1281
1282 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
1283
1284         [Windows] Clear up improper export declaration.
1285
1286         * runtime/ArrayBufferView.h:
1287
1288 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1289
1290         Unreviewed, remove some unnecessary periods from exceptions.
1291
1292         * runtime/JSDataViewPrototype.cpp:
1293         (JSC::getData):
1294         (JSC::setData):
1295
1296 2013-08-15  Filip Pizlo  <fpizlo@apple.com>
1297
1298         Unreviewed, fix 32-bit build.
1299
1300         * dfg/DFGSpeculativeJIT32_64.cpp:
1301         (JSC::DFG::SpeculativeJIT::compile):
1302
1303 2013-08-14  Filip Pizlo  <fpizlo@apple.com>
1304
1305         Typed arrays should be rewritten
1306         https://bugs.webkit.org/show_bug.cgi?id=119064
1307
1308         Reviewed by Oliver Hunt.
1309         
1310         Typed arrays were previously deficient in several major ways:
1311         
1312         - They were defined separately in WebCore and in the jsc shell. The two
1313           implementations were different, and the jsc shell one was basically wrong.
1314           The WebCore one was quite awful, also.
1315         
1316         - Typed arrays were not visible to the JIT except through some weird hooks.
1317           For example, the JIT could not ask "what is the Structure that this typed
1318           array would have if I just allocated it from this global object". Also,
1319           it was difficult to wire any of the typed array intrinsics, because most
1320           of the functionality wasn't visible anywhere in JSC.
1321         
1322         - Typed array allocation was brain-dead. Allocating a typed array involved
1323           two JS objects, two GC weak handles, and three malloc allocations.
1324         
1325         - Neutering. It involved keeping tabs on all native views but not the view
1326           wrappers, even though the native views can autoneuter just by asking the
1327           buffer if it was neutered anytime you touch them; while the JS view
1328           wrappers are the ones that you really want to reach out to.
1329         
1330         - Common case-ing. Most typed arrays have one buffer and one view, and
1331           usually nobody touches the buffer. Yet we created all of that stuff
1332           anyway, using data structures optimized for the case where you had a lot
1333           of views.
1334         
1335         - Semantic goofs. Typed arrays should, in the future, behave like ES
1336           features rather than DOM features, for example when it comes to exceptions.
1337           Firefox already does this and I agree with them.
1338         
1339         This patch cleanses our codebase of these sins:
1340         
1341         - Typed arrays are almost entirely defined in JSC. Only the lifecycle
1342           management of native references to buffers is left to WebCore.
1343         
1344         - Allocating a typed array requires either two GC allocations (a cell and a
1345           copied storage vector) or one GC allocation, a malloc allocation, and a
1346           weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
1347           latter). The latter is only used for oversize arrays. Remember that before
1348           it was 7 allocations no matter what.
1349         
1350         - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
1351           mode/length, void* vector. Before it was a lot more than that - remember,
1352           there were five additional objects that did absolutely nothing for anybody.
1353         
1354         - Native views aren't tracked by the buffer, or by the wrappers. They are
1355           transient. In the future we'll probably switch to not even having them be
1356           malloc'd.
1357         
1358         - Native array buffers have an efficient way of tracking all of their JS view
1359           wrappers, both for neutering, and for lifecycle management. The GC
1360           special-cases native array buffers. This saves a bunch of grief; for example
1361           it means that a JS view wrapper can refer to its buffer via the butterfly,
1362           which would be dead by the time we went to finalize.
1363         
1364         - Typed array semantics now match Firefox, which also happens to be where the
1365           standards are going. The discussion on webkit-dev seemed to confirm that
1366           Chrome is also heading in this direction. This includes making
1367           Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
1368           ArrayBufferView as a JS-visible construct.
1369         
1370         This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
1371         It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
1372         further typed array optimizations in the JSC JITs, including inlining typed
1373         array allocation, inlining more of the accessors, reducing the cost of type
1374         checks, etc.
1375         
1376         An additional property of this patch is that typed arrays are mostly
1377         implemented using templates. This deduplicates a bunch of code, but does mean
1378         that we need some hacks for exporting s_info's of template classes. See
1379         JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
1380         low-impact compared to code duplication.
1381         
1382         Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
1383
1384         * CMakeLists.txt:
1385         * DerivedSources.make:
1386         * GNUmakefile.list.am:
1387         * JSCTypedArrayStubs.h: Removed.
1388         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1389         * JavaScriptCore.xcodeproj/project.pbxproj:
1390         * Target.pri:
1391         * bytecode/ByValInfo.h:
1392         (JSC::hasOptimizableIndexingForClassInfo):
1393         (JSC::jitArrayModeForClassInfo):
1394         (JSC::typedArrayTypeForJITArrayMode):
1395         * bytecode/SpeculatedType.cpp:
1396         (JSC::speculationFromClassInfo):
1397         * dfg/DFGArrayMode.cpp:
1398         (JSC::DFG::toTypedArrayType):
1399         * dfg/DFGArrayMode.h:
1400         (JSC::DFG::ArrayMode::typedArrayType):
1401         * dfg/DFGSpeculativeJIT.cpp:
1402         (JSC::DFG::SpeculativeJIT::checkArray):
1403         (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
1404         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
1405         (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
1406         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
1407         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
1408         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1409         * dfg/DFGSpeculativeJIT.h:
1410         * dfg/DFGSpeculativeJIT32_64.cpp:
1411         (JSC::DFG::SpeculativeJIT::compile):
1412         * dfg/DFGSpeculativeJIT64.cpp:
1413         (JSC::DFG::SpeculativeJIT::compile):
1414         * heap/CopyToken.h:
1415         * heap/DeferGC.h:
1416         (JSC::DeferGCForAWhile::DeferGCForAWhile):
1417         (JSC::DeferGCForAWhile::~DeferGCForAWhile):
1418         * heap/GCIncomingRefCounted.h: Added.
1419         (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
1420         (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
1421         (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
1422         (JSC::GCIncomingRefCounted::incomingReferenceAt):
1423         (JSC::GCIncomingRefCounted::singletonFlag):
1424         (JSC::GCIncomingRefCounted::hasVectorOfCells):
1425         (JSC::GCIncomingRefCounted::hasAnyIncoming):
1426         (JSC::GCIncomingRefCounted::hasSingleton):
1427         (JSC::GCIncomingRefCounted::singleton):
1428         (JSC::GCIncomingRefCounted::vectorOfCells):
1429         * heap/GCIncomingRefCountedInlines.h: Added.
1430         (JSC::::addIncomingReference):
1431         (JSC::::filterIncomingReferences):
1432         * heap/GCIncomingRefCountedSet.h: Added.
1433         (JSC::GCIncomingRefCountedSet::size):
1434         * heap/GCIncomingRefCountedSetInlines.h: Added.
1435         (JSC::::GCIncomingRefCountedSet):
1436         (JSC::::~GCIncomingRefCountedSet):
1437         (JSC::::addReference):
1438         (JSC::::sweep):
1439         (JSC::::removeAll):
1440         (JSC::::removeDead):
1441         * heap/Heap.cpp:
1442         (JSC::Heap::addReference):
1443         (JSC::Heap::extraSize):
1444         (JSC::Heap::size):
1445         (JSC::Heap::capacity):
1446         (JSC::Heap::collect):
1447         (JSC::Heap::decrementDeferralDepth):
1448         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
1449         * heap/Heap.h:
1450         * interpreter/CallFrame.h:
1451         (JSC::ExecState::dataViewTable):
1452         * jit/JIT.h:
1453         * jit/JITPropertyAccess.cpp:
1454         (JSC::JIT::privateCompileGetByVal):
1455         (JSC::JIT::privateCompilePutByVal):
1456         (JSC::JIT::emitIntTypedArrayGetByVal):
1457         (JSC::JIT::emitFloatTypedArrayGetByVal):
1458         (JSC::JIT::emitIntTypedArrayPutByVal):
1459         (JSC::JIT::emitFloatTypedArrayPutByVal):
1460         * jsc.cpp:
1461         (GlobalObject::finishCreation):
1462         * runtime/ArrayBuffer.cpp:
1463         (JSC::ArrayBuffer::transfer):
1464         * runtime/ArrayBuffer.h:
1465         (JSC::ArrayBuffer::createAdopted):
1466         (JSC::ArrayBuffer::ArrayBuffer):
1467         (JSC::ArrayBuffer::gcSizeEstimateInBytes):
1468         (JSC::ArrayBuffer::pin):
1469         (JSC::ArrayBuffer::unpin):
1470         (JSC::ArrayBufferContents::tryAllocate):
1471         * runtime/ArrayBufferView.cpp:
1472         (JSC::ArrayBufferView::ArrayBufferView):
1473         (JSC::ArrayBufferView::~ArrayBufferView):
1474         (JSC::ArrayBufferView::setNeuterable):
1475         * runtime/ArrayBufferView.h:
1476         (JSC::ArrayBufferView::isNeutered):
1477         (JSC::ArrayBufferView::buffer):
1478         (JSC::ArrayBufferView::baseAddress):
1479         (JSC::ArrayBufferView::byteOffset):
1480         (JSC::ArrayBufferView::verifySubRange):
1481         (JSC::ArrayBufferView::clampOffsetAndNumElements):
1482         (JSC::ArrayBufferView::calculateOffsetAndLength):
1483         * runtime/ClassInfo.h:
1484         * runtime/CommonIdentifiers.h:
1485         * runtime/DataView.cpp: Added.
1486         (JSC::DataView::DataView):
1487         (JSC::DataView::create):
1488         (JSC::DataView::wrap):
1489         * runtime/DataView.h: Added.
1490         (JSC::DataView::byteLength):
1491         (JSC::DataView::getType):
1492         (JSC::DataView::get):
1493         (JSC::DataView::set):
1494         * runtime/Float32Array.h:
1495         * runtime/Float64Array.h:
1496         * runtime/GenericTypedArrayView.h: Added.
1497         (JSC::GenericTypedArrayView::data):
1498         (JSC::GenericTypedArrayView::set):
1499         (JSC::GenericTypedArrayView::setRange):
1500         (JSC::GenericTypedArrayView::zeroRange):
1501         (JSC::GenericTypedArrayView::zeroFill):
1502         (JSC::GenericTypedArrayView::length):
1503         (JSC::GenericTypedArrayView::byteLength):
1504         (JSC::GenericTypedArrayView::item):
1505         (JSC::GenericTypedArrayView::checkInboundData):
1506         (JSC::GenericTypedArrayView::getType):
1507         * runtime/GenericTypedArrayViewInlines.h: Added.
1508         (JSC::::GenericTypedArrayView):
1509         (JSC::::create):
1510         (JSC::::createUninitialized):
1511         (JSC::::subarray):
1512         (JSC::::wrap):
1513         * runtime/IndexingHeader.h:
1514         (JSC::IndexingHeader::arrayBuffer):
1515         (JSC::IndexingHeader::setArrayBuffer):
1516         * runtime/Int16Array.h:
1517         * runtime/Int32Array.h:
1518         * runtime/Int8Array.h:
1519         * runtime/JSArrayBuffer.cpp: Added.
1520         (JSC::JSArrayBuffer::JSArrayBuffer):
1521         (JSC::JSArrayBuffer::finishCreation):
1522         (JSC::JSArrayBuffer::create):
1523         (JSC::JSArrayBuffer::createStructure):
1524         (JSC::JSArrayBuffer::getOwnPropertySlot):
1525         (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
1526         (JSC::JSArrayBuffer::put):
1527         (JSC::JSArrayBuffer::defineOwnProperty):
1528         (JSC::JSArrayBuffer::deleteProperty):
1529         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
1530         * runtime/JSArrayBuffer.h: Added.
1531         (JSC::JSArrayBuffer::impl):
1532         (JSC::toArrayBuffer):
1533         * runtime/JSArrayBufferConstructor.cpp: Added.
1534         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
1535         (JSC::JSArrayBufferConstructor::finishCreation):
1536         (JSC::JSArrayBufferConstructor::create):
1537         (JSC::JSArrayBufferConstructor::createStructure):
1538         (JSC::constructArrayBuffer):
1539         (JSC::JSArrayBufferConstructor::getConstructData):
1540         (JSC::JSArrayBufferConstructor::getCallData):
1541         * runtime/JSArrayBufferConstructor.h: Added.
1542         * runtime/JSArrayBufferPrototype.cpp: Added.
1543         (JSC::arrayBufferProtoFuncSlice):
1544         (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
1545         (JSC::JSArrayBufferPrototype::finishCreation):
1546         (JSC::JSArrayBufferPrototype::create):
1547         (JSC::JSArrayBufferPrototype::createStructure):
1548         * runtime/JSArrayBufferPrototype.h: Added.
1549         * runtime/JSArrayBufferView.cpp: Added.
1550         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1551         (JSC::JSArrayBufferView::JSArrayBufferView):
1552         (JSC::JSArrayBufferView::finishCreation):
1553         (JSC::JSArrayBufferView::getOwnPropertySlot):
1554         (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
1555         (JSC::JSArrayBufferView::put):
1556         (JSC::JSArrayBufferView::defineOwnProperty):
1557         (JSC::JSArrayBufferView::deleteProperty):
1558         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
1559         (JSC::JSArrayBufferView::finalize):
1560         * runtime/JSArrayBufferView.h: Added.
1561         (JSC::JSArrayBufferView::sizeOf):
1562         (JSC::JSArrayBufferView::ConstructionContext::operator!):
1563         (JSC::JSArrayBufferView::ConstructionContext::structure):
1564         (JSC::JSArrayBufferView::ConstructionContext::vector):
1565         (JSC::JSArrayBufferView::ConstructionContext::length):
1566         (JSC::JSArrayBufferView::ConstructionContext::mode):
1567         (JSC::JSArrayBufferView::ConstructionContext::butterfly):
1568         (JSC::JSArrayBufferView::mode):
1569         (JSC::JSArrayBufferView::vector):
1570         (JSC::JSArrayBufferView::length):
1571         (JSC::JSArrayBufferView::offsetOfVector):
1572         (JSC::JSArrayBufferView::offsetOfLength):
1573         (JSC::JSArrayBufferView::offsetOfMode):
1574         * runtime/JSArrayBufferViewInlines.h: Added.
1575         (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
1576         (JSC::JSArrayBufferView::buffer):
1577         (JSC::JSArrayBufferView::impl):
1578         (JSC::JSArrayBufferView::neuter):
1579         (JSC::JSArrayBufferView::byteOffset):
1580         * runtime/JSCell.cpp:
1581         (JSC::JSCell::slowDownAndWasteMemory):
1582         (JSC::JSCell::getTypedArrayImpl):
1583         * runtime/JSCell.h:
1584         * runtime/JSDataView.cpp: Added.
1585         (JSC::JSDataView::JSDataView):
1586         (JSC::JSDataView::create):
1587         (JSC::JSDataView::createUninitialized):
1588         (JSC::JSDataView::set):
1589         (JSC::JSDataView::typedImpl):
1590         (JSC::JSDataView::getOwnPropertySlot):
1591         (JSC::JSDataView::getOwnPropertyDescriptor):
1592         (JSC::JSDataView::slowDownAndWasteMemory):
1593         (JSC::JSDataView::getTypedArrayImpl):
1594         (JSC::JSDataView::createStructure):
1595         * runtime/JSDataView.h: Added.
1596         * runtime/JSDataViewPrototype.cpp: Added.
1597         (JSC::JSDataViewPrototype::JSDataViewPrototype):
1598         (JSC::JSDataViewPrototype::create):
1599         (JSC::JSDataViewPrototype::createStructure):
1600         (JSC::JSDataViewPrototype::getOwnPropertySlot):
1601         (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
1602         (JSC::getData):
1603         (JSC::setData):
1604         (JSC::dataViewProtoFuncGetInt8):
1605         (JSC::dataViewProtoFuncGetInt16):
1606         (JSC::dataViewProtoFuncGetInt32):
1607         (JSC::dataViewProtoFuncGetUint8):
1608         (JSC::dataViewProtoFuncGetUint16):
1609         (JSC::dataViewProtoFuncGetUint32):
1610         (JSC::dataViewProtoFuncGetFloat32):
1611         (JSC::dataViewProtoFuncGetFloat64):
1612         (JSC::dataViewProtoFuncSetInt8):
1613         (JSC::dataViewProtoFuncSetInt16):
1614         (JSC::dataViewProtoFuncSetInt32):
1615         (JSC::dataViewProtoFuncSetUint8):
1616         (JSC::dataViewProtoFuncSetUint16):
1617         (JSC::dataViewProtoFuncSetUint32):
1618         (JSC::dataViewProtoFuncSetFloat32):
1619         (JSC::dataViewProtoFuncSetFloat64):
1620         * runtime/JSDataViewPrototype.h: Added.
1621         * runtime/JSFloat32Array.h: Added.
1622         * runtime/JSFloat64Array.h: Added.
1623         * runtime/JSGenericTypedArrayView.h: Added.
1624         (JSC::JSGenericTypedArrayView::byteLength):
1625         (JSC::JSGenericTypedArrayView::byteSize):
1626         (JSC::JSGenericTypedArrayView::typedVector):
1627         (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
1628         (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
1629         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
1630         (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
1631         (JSC::JSGenericTypedArrayView::getIndexQuickly):
1632         (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
1633         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
1634         (JSC::JSGenericTypedArrayView::setIndexQuickly):
1635         (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
1636         (JSC::JSGenericTypedArrayView::typedImpl):
1637         (JSC::JSGenericTypedArrayView::createStructure):
1638         (JSC::JSGenericTypedArrayView::info):
1639         (JSC::toNativeTypedView):
1640         * runtime/JSGenericTypedArrayViewConstructor.h: Added.
1641         * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
1642         (JSC::::JSGenericTypedArrayViewConstructor):
1643         (JSC::::finishCreation):
1644         (JSC::::create):
1645         (JSC::::createStructure):
1646         (JSC::constructGenericTypedArrayView):
1647         (JSC::::getConstructData):
1648         (JSC::::getCallData):
1649         * runtime/JSGenericTypedArrayViewInlines.h: Added.
1650         (JSC::::JSGenericTypedArrayView):
1651         (JSC::::create):
1652         (JSC::::createUninitialized):
1653         (JSC::::validateRange):
1654         (JSC::::setWithSpecificType):
1655         (JSC::::set):
1656         (JSC::::getOwnPropertySlot):
1657         (JSC::::getOwnPropertyDescriptor):
1658         (JSC::::put):
1659         (JSC::::defineOwnProperty):
1660         (JSC::::deleteProperty):
1661         (JSC::::getOwnPropertySlotByIndex):
1662         (JSC::::putByIndex):
1663         (JSC::::deletePropertyByIndex):
1664         (JSC::::getOwnNonIndexPropertyNames):
1665         (JSC::::getOwnPropertyNames):
1666         (JSC::::visitChildren):
1667         (JSC::::copyBackingStore):
1668         (JSC::::slowDownAndWasteMemory):
1669         (JSC::::getTypedArrayImpl):
1670         * runtime/JSGenericTypedArrayViewPrototype.h: Added.
1671         * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
1672         (JSC::genericTypedArrayViewProtoFuncSet):
1673         (JSC::genericTypedArrayViewProtoFuncSubarray):
1674         (JSC::::JSGenericTypedArrayViewPrototype):
1675         (JSC::::finishCreation):
1676         (JSC::::create):
1677         (JSC::::createStructure):
1678         * runtime/JSGlobalObject.cpp:
1679         (JSC::JSGlobalObject::reset):
1680         (JSC::JSGlobalObject::visitChildren):
1681         * runtime/JSGlobalObject.h:
1682         (JSC::JSGlobalObject::arrayBufferPrototype):
1683         (JSC::JSGlobalObject::arrayBufferStructure):
1684         (JSC::JSGlobalObject::typedArrayStructure):
1685         * runtime/JSInt16Array.h: Added.
1686         * runtime/JSInt32Array.h: Added.
1687         * runtime/JSInt8Array.h: Added.
1688         * runtime/JSTypedArrayConstructors.cpp: Added.
1689         * runtime/JSTypedArrayConstructors.h: Added.
1690         * runtime/JSTypedArrayPrototypes.cpp: Added.
1691         * runtime/JSTypedArrayPrototypes.h: Added.
1692         * runtime/JSTypedArrays.cpp: Added.
1693         * runtime/JSTypedArrays.h: Added.
1694         * runtime/JSUint16Array.h: Added.
1695         * runtime/JSUint32Array.h: Added.
1696         * runtime/JSUint8Array.h: Added.
1697         * runtime/JSUint8ClampedArray.h: Added.
1698         * runtime/Operations.h:
1699         * runtime/Options.h:
1700         * runtime/SimpleTypedArrayController.cpp: Added.
1701         (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
1702         (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
1703         (JSC::SimpleTypedArrayController::toJS):
1704         * runtime/SimpleTypedArrayController.h: Added.
1705         * runtime/Structure.h:
1706         (JSC::Structure::couldHaveIndexingHeader):
1707         * runtime/StructureInlines.h:
1708         (JSC::Structure::hasIndexingHeader):
1709         * runtime/TypedArrayAdaptors.h: Added.
1710         (JSC::IntegralTypedArrayAdaptor::toNative):
1711         (JSC::IntegralTypedArrayAdaptor::toJSValue):
1712         (JSC::IntegralTypedArrayAdaptor::toDouble):
1713         (JSC::FloatTypedArrayAdaptor::toNative):
1714         (JSC::FloatTypedArrayAdaptor::toJSValue):
1715         (JSC::FloatTypedArrayAdaptor::toDouble):
1716         (JSC::Uint8ClampedAdaptor::toNative):
1717         (JSC::Uint8ClampedAdaptor::toJSValue):
1718         (JSC::Uint8ClampedAdaptor::toDouble):
1719         (JSC::Uint8ClampedAdaptor::clamp):
1720         * runtime/TypedArrayController.cpp: Added.
1721         (JSC::TypedArrayController::TypedArrayController):
1722         (JSC::TypedArrayController::~TypedArrayController):
1723         * runtime/TypedArrayController.h: Added.
1724         * runtime/TypedArrayDescriptor.h: Removed.
1725         * runtime/TypedArrayInlines.h: Added.
1726         * runtime/TypedArrayType.cpp: Added.
1727         (JSC::classInfoForType):
1728         (WTF::printInternal):
1729         * runtime/TypedArrayType.h: Added.
1730         (JSC::toIndex):
1731         (JSC::isTypedView):
1732         (JSC::elementSize):
1733         (JSC::isInt):
1734         (JSC::isFloat):
1735         (JSC::isSigned):
1736         (JSC::isClamped):
1737         * runtime/TypedArrays.h: Added.
1738         * runtime/Uint16Array.h:
1739         * runtime/Uint32Array.h:
1740         * runtime/Uint8Array.h:
1741         * runtime/Uint8ClampedArray.h:
1742         * runtime/VM.cpp:
1743         (JSC::VM::VM):
1744         (JSC::VM::~VM):
1745         * runtime/VM.h:
1746
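        Added example (not WebKit code and not part of this ChangeLog entry): a small
        JavaScript check of the JS-visible typed array semantics the entry above
        describes. It stores a constructed set of values through Uint8Array and
        Uint8ClampedArray to contrast modulo-256 wrap-around with clamping (including
        NaN and round-half-to-even), and verifies that Uint8ClampedArray is not a
        subtype of Uint8Array and that ArrayBufferView is not exposed as a global.
        The SAMPLES array and the function names are this example's own.

```javascript
// Added example: exercises the observable typed array semantics described in
// the ChangeLog entry above. Not part of WebKit; runs in any modern engine
// (node, the jsc shell, a browser console).

// Constructed sample inputs: negative, zero, fractional (round-half-to-even
// cases), the 8-bit boundary, out-of-range values and NaN.
const SAMPLES = [-1, 0, 0.5, 1.5, 2.5, 255, 256, 300, NaN];

// Store every value through the given typed array constructor and return the
// bytes that actually landed in the backing store.
function storeAll(Ctor, values) {
  const arr = new Ctor(values.length);
  for (let i = 0; i < values.length; i++) {
    arr[i] = values[i];
  }
  return Array.from(arr);
}

// Uint8Array truncates and wraps modulo 256 (ToUint8); Uint8ClampedArray
// saturates to [0, 255] and rounds half to even (ToUint8Clamp). The difference
// matters when untrusted lengths or indices are stored into an 8-bit view:
// wrap-around silently turns 256 into 0 and -1 into 255.
function compareUint8Semantics(values = SAMPLES) {
  return {
    wrapped: storeAll(Uint8Array, values),
    clamped: storeAll(Uint8ClampedArray, values),
  };
}

// The two hierarchy facts the entry states: Uint8ClampedArray is not a
// Uint8Array, and there is no JS-visible ArrayBufferView constructor.
function checkTypedArrayHierarchy(globalObject = globalThis) {
  const clamped = new Uint8ClampedArray(1);
  return {
    clampedIsUint8Subtype: clamped instanceof Uint8Array,
    arrayBufferViewExposed: 'ArrayBufferView' in globalObject,
  };
}

// Usage: both hierarchy flags are false in an engine with the semantics above.
const semantics = compareUint8Semantics();
const hierarchy = checkTypedArrayHierarchy();
```

        With the inputs above, `semantics.wrapped` is [255, 0, 0, 1, 2, 255, 0, 44, 0]
        and `semantics.clamped` is [0, 0, 0, 2, 2, 255, 255, 255, 0]; 0.5 rounds to 0
        and 2.5 to 2 because ToUint8Clamp rounds half to even, whereas 1.5 rounds to 2.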
1747 2013-08-15  Oliver Hunt  <oliver@apple.com>
1748
1749         <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure
1750
1751         Reviewed by Filip Pizlo.
1752
1753         Make sure dfgCapabilities doesn't report a Dynamic put as
1754         being compilable when we don't actually support it.  
1755
1756         * bytecode/CodeBlock.cpp:
1757         (JSC::CodeBlock::dumpBytecode):
1758         * dfg/DFGCapabilities.cpp:
1759         (JSC::DFG::capabilityLevel):
1760
1761 2013-08-15  Brent Fulgham  <bfulgham@apple.com>
1762
1763         [Windows] Incorrect DLL Linkage for JSC ArrayBuffer and ArrayBufferView
1764         https://bugs.webkit.org/show_bug.cgi?id=119847
1765
1766         Reviewed by Oliver Hunt.
1767
1768         * runtime/ArrayBuffer.h: Switch from WTF_EXPORT_PRIVATE to JS_EXPORT_PRIVATE
1769         * runtime/ArrayBufferView.h: Ditto.
1770
1771 2013-08-15  Gavin Barraclough  <barraclough@apple.com>
1772
1773         https://bugs.webkit.org/show_bug.cgi?id=119843
1774         PropertySlot::setValue is ambiguous
1775
1776         Reviewed by Geoff Garen.
1777
1778         There are three different versions of PropertySlot::setValue, one for cacheable properties, and two that are used interchangeably and inconsistently.
1779         The problematic variants are the ones that just take a value, and one that takes a value and also the object containing the property.
1780         Unify on always providing the object, and remove the version that just takes a value.
1781         This always works except for JSString, where we optimize out the object (logically we should be instantiating a temporary StringObject on every property access).
1782         Provide a version of setValue that takes a JSString as the owner of the property.
1783         We won't store this, but it makes it clear that this interface should only be used from JSString.
1784
1785         * API/JSCallbackObjectFunctions.h:
1786         (JSC::::getOwnPropertySlot):
1787         * JSCTypedArrayStubs.h:
1788         * runtime/Arguments.cpp:
1789         (JSC::Arguments::getOwnPropertySlotByIndex):
1790         (JSC::Arguments::getOwnPropertySlot):
1791         * runtime/JSActivation.cpp:
1792         (JSC::JSActivation::symbolTableGet):
1793         (JSC::JSActivation::getOwnPropertySlot):
1794         * runtime/JSArray.cpp:
1795         (JSC::JSArray::getOwnPropertySlot):
1796         * runtime/JSObject.cpp:
1797         (JSC::JSObject::getOwnPropertySlotByIndex):
1798         * runtime/JSString.h:
1799         (JSC::JSString::getStringPropertySlot):
1800         * runtime/JSSymbolTableObject.h:
1801         (JSC::symbolTableGet):
1802         * runtime/SparseArrayValueMap.cpp:
1803         (JSC::SparseArrayEntry::get):
1804             - Pass object containing property to PropertySlot::setValue
1805         * runtime/PropertySlot.h:
1806         (JSC::PropertySlot::setValue):
1807             - Logically, the base of a string property access is a temporary StringObject, but we optimize that away.
1808         (JSC::PropertySlot::setUndefined):
1809             - removed setValue(JSValue), added setValue(JSString*, JSValue)
1810
1811 2013-08-15  Oliver Hunt  <oliver@apple.com>
1812
1813         Remove bogus assertion.
1814
1815         RS=Filip Pizlo
1816
1817         * dfg/DFGAbstractInterpreterInlines.h:
1818         (JSC::DFG::::executeEffects):
1819
1820 2013-08-15  Allan Sandfeld Jensen  <allan.jensen@digia.com>
1821
1822         REGRESSION(r148790) Made 7 tests fail on x86 32bit
1823         https://bugs.webkit.org/show_bug.cgi?id=114913
1824
1825         Reviewed by Filip Pizlo.
1826
        The X87 register was not freed before some calls. Instead
        of inserting resetX87Registers at the last call sites,
        the two X87 registers are now freed in every call.
1830
1831         * llint/LowLevelInterpreter32_64.asm:
1832         * llint/LowLevelInterpreter64.asm:
1833         * offlineasm/instructions.rb:
1834         * offlineasm/x86.rb:
1835
1836 2013-08-14  Michael Saboff  <msaboff@apple.com>
1837
1838         Fixed jit on Win64.
1839         https://bugs.webkit.org/show_bug.cgi?id=119601
1840
1841         Reviewed by Oliver Hunt.
1842
1843         * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation.
1844         * jit/JSInterfaceJIT.h: Added thirdArgumentRegister.
1845         * jit/SlowPathCall.h:
1846         (JSC::JITSlowPathCall::call): Added correct calling convention for Win64.
1847
1848 2013-08-14  Alex Christensen  <achristensen@apple.com>
1849
1850         Compile fix for Win64 with jit disabled.
1851         https://bugs.webkit.org/show_bug.cgi?id=119804
1852
1853         Reviewed by Michael Saboff.
1854
1855         * offlineasm/cloop.rb: Added std:: before isnan.
1856
1857 2013-08-14  Julien Brianceau  <jbrianceau@nds.com>
1858
1859         DFG_JIT implementation for sh4 architecture.
1860         https://bugs.webkit.org/show_bug.cgi?id=119737
1861
1862         Reviewed by Oliver Hunt.
1863
1864         * assembler/MacroAssemblerSH4.h:
1865         (JSC::MacroAssemblerSH4::invert):
1866         (JSC::MacroAssemblerSH4::add32):
1867         (JSC::MacroAssemblerSH4::and32):
1868         (JSC::MacroAssemblerSH4::lshift32):
1869         (JSC::MacroAssemblerSH4::mul32):
1870         (JSC::MacroAssemblerSH4::or32):
1871         (JSC::MacroAssemblerSH4::rshift32):
1872         (JSC::MacroAssemblerSH4::sub32):
1873         (JSC::MacroAssemblerSH4::xor32):
1874         (JSC::MacroAssemblerSH4::store32):
1875         (JSC::MacroAssemblerSH4::swapDouble):
1876         (JSC::MacroAssemblerSH4::storeDouble):
1877         (JSC::MacroAssemblerSH4::subDouble):
1878         (JSC::MacroAssemblerSH4::mulDouble):
1879         (JSC::MacroAssemblerSH4::divDouble):
1880         (JSC::MacroAssemblerSH4::negateDouble):
1881         (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
1882         (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
1883         (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
1884         (JSC::MacroAssemblerSH4::swap):
1885         (JSC::MacroAssemblerSH4::jump):
1886         (JSC::MacroAssemblerSH4::branchNeg32):
1887         (JSC::MacroAssemblerSH4::branchAdd32):
1888         (JSC::MacroAssemblerSH4::branchMul32):
1889         (JSC::MacroAssemblerSH4::urshift32):
1890         * assembler/SH4Assembler.h:
1891         (JSC::SH4Assembler::SH4Assembler):
1892         (JSC::SH4Assembler::labelForWatchpoint):
1893         (JSC::SH4Assembler::label):
1894         (JSC::SH4Assembler::debugOffset):
1895         * dfg/DFGAssemblyHelpers.h:
1896         (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
1897         (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
1898         (JSC::DFG::AssemblyHelpers::debugCall):
1899         * dfg/DFGCCallHelpers.h:
1900         (JSC::DFG::CCallHelpers::setupArguments):
1901         (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
1902         * dfg/DFGFPRInfo.h:
1903         (JSC::DFG::FPRInfo::toRegister):
1904         (JSC::DFG::FPRInfo::toIndex):
1905         (JSC::DFG::FPRInfo::debugName):
1906         * dfg/DFGGPRInfo.h:
1907         (JSC::DFG::GPRInfo::toRegister):
1908         (JSC::DFG::GPRInfo::toIndex):
1909         (JSC::DFG::GPRInfo::debugName):
1910         * dfg/DFGOperations.cpp:
1911         * dfg/DFGSpeculativeJIT.h:
1912         (JSC::DFG::SpeculativeJIT::callOperation):
1913         * jit/JITStubs.h:
1914         * jit/JITStubsSH4.h:
1915
1916 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
1917
1918         Unreviewed, fix build.
1919
1920         * API/JSValue.mm:
1921         (isDate):
1922         (isArray):
1923         * API/JSWrapperMap.mm:
1924         (tryUnwrapObjcObject):
1925         * API/ObjCCallbackFunction.mm:
1926         (tryUnwrapBlock):
1927
1928 2013-08-13  Filip Pizlo  <fpizlo@apple.com>
1929
1930         Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
1931         https://bugs.webkit.org/show_bug.cgi?id=119770
1932
1933         Reviewed by Mark Hahnenberg.
1934
1935         * API/JSCallbackConstructor.cpp:
1936         (JSC::JSCallbackConstructor::finishCreation):
1937         * API/JSCallbackConstructor.h:
1938         (JSC::JSCallbackConstructor::createStructure):
1939         * API/JSCallbackFunction.cpp:
1940         (JSC::JSCallbackFunction::finishCreation):
1941         * API/JSCallbackFunction.h:
1942         (JSC::JSCallbackFunction::createStructure):
1943         * API/JSCallbackObject.cpp:
1944         (JSC::::createStructure):
1945         * API/JSCallbackObject.h:
1946         (JSC::JSCallbackObject::visitChildren):
1947         * API/JSCallbackObjectFunctions.h:
1948         (JSC::::asCallbackObject):
1949         (JSC::::finishCreation):
1950         * API/JSObjectRef.cpp:
1951         (JSObjectGetPrivate):
1952         (JSObjectSetPrivate):
1953         (JSObjectGetPrivateProperty):
1954         (JSObjectSetPrivateProperty):
1955         (JSObjectDeletePrivateProperty):
1956         * API/JSValueRef.cpp:
1957         (JSValueIsObjectOfClass):
1958         * API/JSWeakObjectMapRefPrivate.cpp:
1959         * API/ObjCCallbackFunction.h:
1960         (JSC::ObjCCallbackFunction::createStructure):
1961         * JSCTypedArrayStubs.h:
1962         * bytecode/CallLinkStatus.cpp:
1963         (JSC::CallLinkStatus::CallLinkStatus):
1964         (JSC::CallLinkStatus::function):
1965         (JSC::CallLinkStatus::internalFunction):
1966         * bytecode/CodeBlock.h:
1967         (JSC::baselineCodeBlockForInlineCallFrame):
1968         * bytecode/SpeculatedType.cpp:
1969         (JSC::speculationFromClassInfo):
1970         * bytecode/UnlinkedCodeBlock.cpp:
1971         (JSC::UnlinkedFunctionExecutable::visitChildren):
1972         (JSC::UnlinkedCodeBlock::visitChildren):
1973         (JSC::UnlinkedProgramCodeBlock::visitChildren):
1974         * bytecode/UnlinkedCodeBlock.h:
1975         (JSC::UnlinkedFunctionExecutable::createStructure):
1976         (JSC::UnlinkedProgramCodeBlock::createStructure):
1977         (JSC::UnlinkedEvalCodeBlock::createStructure):
1978         (JSC::UnlinkedFunctionCodeBlock::createStructure):
1979         * debugger/Debugger.cpp:
1980         * debugger/DebuggerActivation.cpp:
1981         (JSC::DebuggerActivation::visitChildren):
1982         * debugger/DebuggerActivation.h:
1983         (JSC::DebuggerActivation::createStructure):
1984         * debugger/DebuggerCallFrame.cpp:
1985         (JSC::DebuggerCallFrame::functionName):
1986         * dfg/DFGAbstractInterpreterInlines.h:
1987         (JSC::DFG::::executeEffects):
1988         * dfg/DFGByteCodeParser.cpp:
1989         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1990         (JSC::DFG::ByteCodeParser::parseBlock):
1991         * dfg/DFGFixupPhase.cpp:
1992         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
1993         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
1994         * dfg/DFGGraph.cpp:
1995         (JSC::DFG::Graph::dump):
1996         * dfg/DFGGraph.h:
1997         (JSC::DFG::Graph::isInternalFunctionConstant):
1998         * dfg/DFGOperations.cpp:
1999         * dfg/DFGSpeculativeJIT.cpp:
2000         (JSC::DFG::SpeculativeJIT::checkArray):
2001         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2002         * dfg/DFGThunks.cpp:
2003         (JSC::DFG::virtualForThunkGenerator):
2004         * interpreter/Interpreter.cpp:
2005         (JSC::loadVarargs):
2006         * jsc.cpp:
2007         (GlobalObject::createStructure):
2008         * profiler/LegacyProfiler.cpp:
2009         (JSC::LegacyProfiler::createCallIdentifier):
2010         * runtime/Arguments.cpp:
2011         (JSC::Arguments::visitChildren):
2012         * runtime/Arguments.h:
2013         (JSC::Arguments::createStructure):
2014         (JSC::asArguments):
2015         (JSC::Arguments::finishCreation):
2016         * runtime/ArrayConstructor.cpp:
2017         (JSC::arrayConstructorIsArray):
2018         * runtime/ArrayConstructor.h:
2019         (JSC::ArrayConstructor::createStructure):
2020         * runtime/ArrayPrototype.cpp:
2021         (JSC::ArrayPrototype::finishCreation):
2022         (JSC::arrayProtoFuncConcat):
2023         (JSC::attemptFastSort):
2024         * runtime/ArrayPrototype.h:
2025         (JSC::ArrayPrototype::createStructure):
2026         * runtime/BooleanConstructor.h:
2027         (JSC::BooleanConstructor::createStructure):
2028         * runtime/BooleanObject.cpp:
2029         (JSC::BooleanObject::finishCreation):
2030         * runtime/BooleanObject.h:
2031         (JSC::BooleanObject::createStructure):
2032         (JSC::asBooleanObject):
2033         * runtime/BooleanPrototype.cpp:
2034         (JSC::BooleanPrototype::finishCreation):
2035         (JSC::booleanProtoFuncToString):
2036         (JSC::booleanProtoFuncValueOf):
2037         * runtime/BooleanPrototype.h:
2038         (JSC::BooleanPrototype::createStructure):
2039         * runtime/DateConstructor.cpp:
2040         (JSC::constructDate):
2041         * runtime/DateConstructor.h:
2042         (JSC::DateConstructor::createStructure):
2043         * runtime/DateInstance.cpp:
2044         (JSC::DateInstance::finishCreation):
2045         * runtime/DateInstance.h:
2046         (JSC::DateInstance::createStructure):
2047         (JSC::asDateInstance):
2048         * runtime/DatePrototype.cpp:
2049         (JSC::formateDateInstance):
2050         (JSC::DatePrototype::finishCreation):
2051         (JSC::dateProtoFuncToISOString):
2052         (JSC::dateProtoFuncToLocaleString):
2053         (JSC::dateProtoFuncToLocaleDateString):
2054         (JSC::dateProtoFuncToLocaleTimeString):
2055         (JSC::dateProtoFuncGetTime):
2056         (JSC::dateProtoFuncGetFullYear):
2057         (JSC::dateProtoFuncGetUTCFullYear):
2058         (JSC::dateProtoFuncGetMonth):
2059         (JSC::dateProtoFuncGetUTCMonth):
2060         (JSC::dateProtoFuncGetDate):
2061         (JSC::dateProtoFuncGetUTCDate):
2062         (JSC::dateProtoFuncGetDay):
2063         (JSC::dateProtoFuncGetUTCDay):
2064         (JSC::dateProtoFuncGetHours):
2065         (JSC::dateProtoFuncGetUTCHours):
2066         (JSC::dateProtoFuncGetMinutes):
2067         (JSC::dateProtoFuncGetUTCMinutes):
2068         (JSC::dateProtoFuncGetSeconds):
2069         (JSC::dateProtoFuncGetUTCSeconds):
2070         (JSC::dateProtoFuncGetMilliSeconds):
2071         (JSC::dateProtoFuncGetUTCMilliseconds):
2072         (JSC::dateProtoFuncGetTimezoneOffset):
2073         (JSC::dateProtoFuncSetTime):
2074         (JSC::setNewValueFromTimeArgs):
2075         (JSC::setNewValueFromDateArgs):
2076         (JSC::dateProtoFuncSetYear):
2077         (JSC::dateProtoFuncGetYear):
2078         * runtime/DatePrototype.h:
2079         (JSC::DatePrototype::createStructure):
2080         * runtime/Error.h:
2081         (JSC::StrictModeTypeErrorFunction::createStructure):
2082         * runtime/ErrorConstructor.h:
2083         (JSC::ErrorConstructor::createStructure):
2084         * runtime/ErrorInstance.cpp:
2085         (JSC::ErrorInstance::finishCreation):
2086         * runtime/ErrorInstance.h:
2087         (JSC::ErrorInstance::createStructure):
2088         * runtime/ErrorPrototype.cpp:
2089         (JSC::ErrorPrototype::finishCreation):
2090         * runtime/ErrorPrototype.h:
2091         (JSC::ErrorPrototype::createStructure):
2092         * runtime/ExceptionHelpers.cpp:
2093         (JSC::isTerminatedExecutionException):
2094         * runtime/ExceptionHelpers.h:
2095         (JSC::TerminatedExecutionError::createStructure):
2096         * runtime/Executable.cpp:
2097         (JSC::EvalExecutable::visitChildren):
2098         (JSC::ProgramExecutable::visitChildren):
2099         (JSC::FunctionExecutable::visitChildren):
2100         (JSC::ExecutableBase::hashFor):
2101         * runtime/Executable.h:
2102         (JSC::ExecutableBase::createStructure):
2103         (JSC::NativeExecutable::createStructure):
2104         (JSC::EvalExecutable::createStructure):
2105         (JSC::ProgramExecutable::createStructure):
2106         (JSC::FunctionExecutable::compileFor):
2107         (JSC::FunctionExecutable::compileOptimizedFor):
2108         (JSC::FunctionExecutable::createStructure):
2109         * runtime/FunctionConstructor.h:
2110         (JSC::FunctionConstructor::createStructure):
2111         * runtime/FunctionPrototype.cpp:
2112         (JSC::functionProtoFuncToString):
2113         (JSC::functionProtoFuncApply):
2114         (JSC::functionProtoFuncBind):
2115         * runtime/FunctionPrototype.h:
2116         (JSC::FunctionPrototype::createStructure):
2117         * runtime/GetterSetter.cpp:
2118         (JSC::GetterSetter::visitChildren):
2119         * runtime/GetterSetter.h:
2120         (JSC::GetterSetter::createStructure):
2121         * runtime/InternalFunction.cpp:
2122         (JSC::InternalFunction::finishCreation):
2123         * runtime/InternalFunction.h:
2124         (JSC::InternalFunction::createStructure):
2125         (JSC::asInternalFunction):
2126         * runtime/JSAPIValueWrapper.h:
2127         (JSC::JSAPIValueWrapper::createStructure):
2128         * runtime/JSActivation.cpp:
2129         (JSC::JSActivation::visitChildren):
2130         (JSC::JSActivation::argumentsGetter):
2131         * runtime/JSActivation.h:
2132         (JSC::JSActivation::createStructure):
2133         (JSC::asActivation):
2134         * runtime/JSArray.h:
2135         (JSC::JSArray::createStructure):
2136         (JSC::asArray):
2137         (JSC::isJSArray):
2138         * runtime/JSBoundFunction.cpp:
2139         (JSC::JSBoundFunction::finishCreation):
2140         (JSC::JSBoundFunction::visitChildren):
2141         * runtime/JSBoundFunction.h:
2142         (JSC::JSBoundFunction::createStructure):
2143         * runtime/JSCJSValue.cpp:
2144         (JSC::JSValue::dumpInContext):
2145         * runtime/JSCJSValueInlines.h:
2146         (JSC::JSValue::isFunction):
2147         * runtime/JSCell.h:
2148         (JSC::jsCast):
2149         (JSC::jsDynamicCast):
2150         * runtime/JSCellInlines.h:
2151         (JSC::allocateCell):
2152         * runtime/JSFunction.cpp:
2153         (JSC::JSFunction::finishCreation):
2154         (JSC::JSFunction::visitChildren):
2155         (JSC::skipOverBoundFunctions):
2156         (JSC::JSFunction::callerGetter):
2157         * runtime/JSFunction.h:
2158         (JSC::JSFunction::createStructure):
2159         * runtime/JSGlobalObject.cpp:
2160         (JSC::JSGlobalObject::visitChildren):
2161         (JSC::slowValidateCell):
2162         * runtime/JSGlobalObject.h:
2163         (JSC::JSGlobalObject::createStructure):
2164         * runtime/JSNameScope.cpp:
2165         (JSC::JSNameScope::visitChildren):
2166         * runtime/JSNameScope.h:
2167         (JSC::JSNameScope::createStructure):
2168         * runtime/JSNotAnObject.h:
2169         (JSC::JSNotAnObject::createStructure):
2170         * runtime/JSONObject.cpp:
2171         (JSC::JSONObject::finishCreation):
2172         (JSC::unwrapBoxedPrimitive):
2173         (JSC::Stringifier::Stringifier):
2174         (JSC::Stringifier::appendStringifiedValue):
2175         (JSC::Stringifier::Holder::Holder):
2176         (JSC::Walker::walk):
2177         (JSC::JSONProtoFuncStringify):
2178         * runtime/JSONObject.h:
2179         (JSC::JSONObject::createStructure):
2180         * runtime/JSObject.cpp:
2181         (JSC::getCallableObjectSlow):
2182         (JSC::JSObject::visitChildren):
2183         (JSC::JSObject::copyBackingStore):
2184         (JSC::JSFinalObject::visitChildren):
2185         (JSC::JSObject::ensureInt32Slow):
2186         (JSC::JSObject::ensureDoubleSlow):
2187         (JSC::JSObject::ensureContiguousSlow):
2188         (JSC::JSObject::ensureArrayStorageSlow):
2189         * runtime/JSObject.h:
2190         (JSC::JSObject::finishCreation):
2191         (JSC::JSObject::createStructure):
2192         (JSC::JSNonFinalObject::createStructure):
2193         (JSC::JSFinalObject::createStructure):
2194         (JSC::isJSFinalObject):
2195         * runtime/JSPropertyNameIterator.cpp:
2196         (JSC::JSPropertyNameIterator::visitChildren):
2197         * runtime/JSPropertyNameIterator.h:
2198         (JSC::JSPropertyNameIterator::createStructure):
2199         * runtime/JSProxy.cpp:
2200         (JSC::JSProxy::visitChildren):
2201         * runtime/JSProxy.h:
2202         (JSC::JSProxy::createStructure):
2203         * runtime/JSScope.cpp:
2204         (JSC::JSScope::visitChildren):
2205         * runtime/JSSegmentedVariableObject.cpp:
2206         (JSC::JSSegmentedVariableObject::visitChildren):
2207         * runtime/JSString.h:
2208         (JSC::JSString::createStructure):
2209         (JSC::isJSString):
2210         * runtime/JSSymbolTableObject.cpp:
2211         (JSC::JSSymbolTableObject::visitChildren):
2212         * runtime/JSVariableObject.h:
2213         * runtime/JSWithScope.cpp:
2214         (JSC::JSWithScope::visitChildren):
2215         * runtime/JSWithScope.h:
2216         (JSC::JSWithScope::createStructure):
2217         * runtime/JSWrapperObject.cpp:
2218         (JSC::JSWrapperObject::visitChildren):
2219         * runtime/JSWrapperObject.h:
2220         (JSC::JSWrapperObject::createStructure):
2221         * runtime/MathObject.cpp:
2222         (JSC::MathObject::finishCreation):
2223         * runtime/MathObject.h:
2224         (JSC::MathObject::createStructure):
2225         * runtime/NameConstructor.h:
2226         (JSC::NameConstructor::createStructure):
2227         * runtime/NameInstance.h:
2228         (JSC::NameInstance::createStructure):
2229         (JSC::NameInstance::finishCreation):
2230         * runtime/NamePrototype.cpp:
2231         (JSC::NamePrototype::finishCreation):
2232         (JSC::privateNameProtoFuncToString):
2233         * runtime/NamePrototype.h:
2234         (JSC::NamePrototype::createStructure):
2235         * runtime/NativeErrorConstructor.cpp:
2236         (JSC::NativeErrorConstructor::visitChildren):
2237         * runtime/NativeErrorConstructor.h:
2238         (JSC::NativeErrorConstructor::createStructure):
2239         (JSC::NativeErrorConstructor::finishCreation):
2240         * runtime/NumberConstructor.cpp:
2241         (JSC::NumberConstructor::finishCreation):
2242         * runtime/NumberConstructor.h:
2243         (JSC::NumberConstructor::createStructure):
2244         * runtime/NumberObject.cpp:
2245         (JSC::NumberObject::finishCreation):
2246         * runtime/NumberObject.h:
2247         (JSC::NumberObject::createStructure):
2248         * runtime/NumberPrototype.cpp:
2249         (JSC::NumberPrototype::finishCreation):
2250         * runtime/NumberPrototype.h:
2251         (JSC::NumberPrototype::createStructure):
2252         * runtime/ObjectConstructor.h:
2253         (JSC::ObjectConstructor::createStructure):
2254         * runtime/ObjectPrototype.cpp:
2255         (JSC::ObjectPrototype::finishCreation):
2256         * runtime/ObjectPrototype.h:
2257         (JSC::ObjectPrototype::createStructure):
2258         * runtime/PropertyMapHashTable.h:
2259         (JSC::PropertyTable::createStructure):
2260         * runtime/PropertyTable.cpp:
2261         (JSC::PropertyTable::visitChildren):
2262         * runtime/RegExp.h:
2263         (JSC::RegExp::createStructure):
2264         * runtime/RegExpConstructor.cpp:
2265         (JSC::RegExpConstructor::finishCreation):
2266         (JSC::RegExpConstructor::visitChildren):
2267         (JSC::constructRegExp):
2268         * runtime/RegExpConstructor.h:
2269         (JSC::RegExpConstructor::createStructure):
2270         (JSC::asRegExpConstructor):
2271         * runtime/RegExpMatchesArray.cpp:
2272         (JSC::RegExpMatchesArray::visitChildren):
2273         * runtime/RegExpMatchesArray.h:
2274         (JSC::RegExpMatchesArray::createStructure):
2275         * runtime/RegExpObject.cpp:
2276         (JSC::RegExpObject::finishCreation):
2277         (JSC::RegExpObject::visitChildren):
2278         * runtime/RegExpObject.h:
2279         (JSC::RegExpObject::createStructure):
2280         (JSC::asRegExpObject):
2281         * runtime/RegExpPrototype.cpp:
2282         (JSC::regExpProtoFuncTest):
2283         (JSC::regExpProtoFuncExec):
2284         (JSC::regExpProtoFuncCompile):
2285         (JSC::regExpProtoFuncToString):
2286         * runtime/RegExpPrototype.h:
2287         (JSC::RegExpPrototype::createStructure):
2288         * runtime/SparseArrayValueMap.cpp:
2289         (JSC::SparseArrayValueMap::createStructure):
2290         * runtime/SparseArrayValueMap.h:
2291         * runtime/StrictEvalActivation.h:
2292         (JSC::StrictEvalActivation::createStructure):
2293         * runtime/StringConstructor.h:
2294         (JSC::StringConstructor::createStructure):
2295         * runtime/StringObject.cpp:
2296         (JSC::StringObject::finishCreation):
2297         * runtime/StringObject.h:
2298         (JSC::StringObject::createStructure):
2299         (JSC::asStringObject):
2300         * runtime/StringPrototype.cpp:
2301         (JSC::StringPrototype::finishCreation):
2302         (JSC::stringProtoFuncReplace):
2303         (JSC::stringProtoFuncToString):
2304         (JSC::stringProtoFuncMatch):
2305         (JSC::stringProtoFuncSearch):
2306         (JSC::stringProtoFuncSplit):
2307         * runtime/StringPrototype.h:
2308         (JSC::StringPrototype::createStructure):
2309         * runtime/Structure.cpp:
2310         (JSC::Structure::Structure):
2311         (JSC::Structure::materializePropertyMap):
2312         (JSC::Structure::get):
2313         (JSC::Structure::visitChildren):
2314         * runtime/Structure.h:
2315         (JSC::Structure::typeInfo):
2316         (JSC::Structure::previousID):
2317         (JSC::Structure::outOfLineSize):
2318         (JSC::Structure::totalStorageCapacity):
2319         (JSC::Structure::materializePropertyMapIfNecessary):
2320         (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
2321         * runtime/StructureChain.cpp:
2322         (JSC::StructureChain::visitChildren):
2323         * runtime/StructureChain.h:
2324         (JSC::StructureChain::createStructure):
2325         * runtime/StructureInlines.h:
2326         (JSC::Structure::get):
2327         * runtime/StructureRareData.cpp:
2328         (JSC::StructureRareData::createStructure):
2329         (JSC::StructureRareData::visitChildren):
2330         * runtime/StructureRareData.h:
2331         * runtime/SymbolTable.h:
2332         (JSC::SharedSymbolTable::createStructure):
2333         * runtime/VM.cpp:
2334         (JSC::VM::VM):
2335         (JSC::StackPreservingRecompiler::operator()):
2336         (JSC::VM::releaseExecutableMemory):
2337         * runtime/WriteBarrier.h:
2338         (JSC::validateCell):
2339         * testRegExp.cpp:
2340         (GlobalObject::createStructure):
2341
2342 2013-08-13  Arunprasad Rajkumar  <arurajku@cisco.com>
2343
2344         [WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places
2345         https://bugs.webkit.org/show_bug.cgi?id=119762
2346
2347         Reviewed by Geoffrey Garen.
2348
2349         * heap/Heap.cpp:
2350         (JSC::Heap::Heap):
2351         (JSC::Heap::markRoots):
2352         (JSC::Heap::collect):
2353         * jsc.cpp:
2354         (StopWatch::start):
2355         (StopWatch::stop):
2356         * testRegExp.cpp:
2357         (StopWatch::start):
2358         (StopWatch::stop):
2359
2360 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
2361
2362         [sh4] Prepare LLINT for DFG_JIT implementation.
2363         https://bugs.webkit.org/show_bug.cgi?id=119755
2364
2365         Reviewed by Oliver Hunt.
2366
2367         * LLIntOffsetsExtractor.pro: Add sh4.rb dependency.
2368         * offlineasm/sh4.rb:
2369             - Handle storeb opcode.
2370             - Make relative jumps when possible using braf opcode.
2371             - Update bmulio implementation to be consistent with baseline JIT.
2372             - Remove useless code from leap opcode.
2373             - Fix incorrect comment.
2374
2375 2013-08-13  Julien Brianceau  <jbrianceau@nds.com>
2376
2377         [sh4] Prepare baseline JIT for DFG_JIT implementation.
2378         https://bugs.webkit.org/show_bug.cgi?id=119758
2379
2380         Reviewed by Oliver Hunt.
2381
2382         * assembler/MacroAssemblerSH4.h:
2383             - Introduce a loadEffectiveAddress function to avoid code duplication.
2384             - Add ASSERTs and clean code.
2385         * assembler/SH4Assembler.h:
2386             - Prepare DFG_JIT implementation.
2387             - Add ASSERTs.
2388         * jit/JITStubs.cpp:
2389             - Add SH4 specific call for assertions.
2390         * jit/JITStubs.h:
2391             - Cosmetic change.
2392         * jit/JITStubsSH4.h:
2393             - Use constants to be more flexible with sh4 JIT stack frame.
2394         * jit/JSInterfaceJIT.h:
2395             - Cosmetic change.
2396
2397 2013-08-13  Oliver Hunt  <oliver@apple.com>
2398
2399         Harden executeConstruct against incorrect return types from host functions
2400         https://bugs.webkit.org/show_bug.cgi?id=119757
2401
2402         Reviewed by Mark Hahnenberg.
2403
2404         Add logic to guard against bogus return types.  There doesn't seem to be any
2405         class in webkit that does this wrong, but the typed array stubs in debug JSC
2406         do exhibit this bad behaviour.
2407
2408         * interpreter/Interpreter.cpp:
2409         (JSC::Interpreter::executeConstruct):
2410
2411 2013-08-13  Allan Sandfeld Jensen  <allan.jensen@digia.com>
2412
2413         [Qt] Fix C++11 build with gcc 4.4 and 4.5
2414         https://bugs.webkit.org/show_bug.cgi?id=119736
2415
2416         Reviewed by Anders Carlsson.
2417
2418         Don't force C++11 mode off anymore.
2419
2420         * Target.pri:
2421
2422 2013-08-12  Oliver Hunt  <oliver@apple.com>
2423
2424         Remove CodeBlock's notion of adding identifiers entirely
2425         https://bugs.webkit.org/show_bug.cgi?id=119708
2426
2427         Reviewed by Geoffrey Garen.
2428
2429         Remove addAdditionalIdentifier entirely, including the bogus assertion.
2430         Move the addition of identifiers to DFGPlan::reallyAdd.
2431
2432         * bytecode/CodeBlock.h:
2433         * dfg/DFGDesiredIdentifiers.cpp:
2434         (JSC::DFG::DesiredIdentifiers::reallyAdd):
2435         * dfg/DFGDesiredIdentifiers.h:
2436         * dfg/DFGPlan.cpp:
2437         (JSC::DFG::Plan::reallyAdd):
2438         (JSC::DFG::Plan::finalize):
2439         * dfg/DFGPlan.h:
2440
2441 2013-08-12  Oliver Hunt  <oliver@apple.com>
2442
2443         Build fix
2444
2445         * runtime/JSCell.h:
2446
2447 2013-08-12  Oliver Hunt  <oliver@apple.com>
2448
2449         Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them
2450         https://bugs.webkit.org/show_bug.cgi?id=119705
2451
2452         Reviewed by Geoffrey Garen.
2453
2454         Relatively trivial refactoring.
2455
2456         * bytecode/CodeBlock.h:
2457         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
2458         (JSC::CodeBlock::addAdditionalIdentifier):
2459         (JSC::CodeBlock::identifier):
2460         (JSC::CodeBlock::numberOfIdentifiers):
2461         * dfg/DFGCommonData.h:
2462
2463 2013-08-12  Oliver Hunt  <oliver@apple.com>
2464
2465         Stop making unnecessary copy of CodeBlock Identifier Vector
2466         https://bugs.webkit.org/show_bug.cgi?id=119702
2467
2468         Reviewed by Michael Saboff.
2469
2470         Make CodeBlock simply use a separate Vector for additional Identifiers
2471         and use the UnlinkedCodeBlock for the initial set of identifiers.
2472
2473         * bytecode/CodeBlock.cpp:
2474         (JSC::CodeBlock::printGetByIdOp):
2475         (JSC::dumpStructure):
2476         (JSC::dumpChain):
2477         (JSC::CodeBlock::printGetByIdCacheStatus):
2478         (JSC::CodeBlock::printPutByIdOp):
2479         (JSC::CodeBlock::dumpBytecode):
2480         (JSC::CodeBlock::CodeBlock):
2481         (JSC::CodeBlock::shrinkToFit):
2482         * bytecode/CodeBlock.h:
2483         (JSC::CodeBlock::numberOfIdentifiers):
2484         (JSC::CodeBlock::numberOfAdditionalIdentifiers):
2485         (JSC::CodeBlock::addAdditionalIdentifier):
2486         (JSC::CodeBlock::identifier):
2487         * dfg/DFGDesiredIdentifiers.cpp:
2488         (JSC::DFG::DesiredIdentifiers::reallyAdd):
2489         * jit/JIT.h:
2490         * jit/JITOpcodes.cpp:
2491         (JSC::JIT::emitSlow_op_get_arguments_length):
2492         * jit/JITPropertyAccess.cpp:
2493         (JSC::JIT::emit_op_get_by_id):
2494         (JSC::JIT::compileGetByIdHotPath):
2495         (JSC::JIT::emitSlow_op_get_by_id):
2496         (JSC::JIT::compileGetByIdSlowCase):
2497         (JSC::JIT::emitSlow_op_put_by_id):
2498         * jit/JITPropertyAccess32_64.cpp:
2499         (JSC::JIT::emit_op_get_by_id):
2500         (JSC::JIT::compileGetByIdHotPath):
2501         (JSC::JIT::compileGetByIdSlowCase):
2502         * jit/JITStubs.cpp:
2503         (JSC::DEFINE_STUB_FUNCTION):
2504         * llint/LLIntSlowPaths.cpp:
2505         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2506
2507 2013-08-08  Mark Lam  <mark.lam@apple.com>
2508
2509         Restoring use of StackIterator instead of Interpreter::getStacktrace().
2510         https://bugs.webkit.org/show_bug.cgi?id=119575.
2511
2512         Reviewed by Oliver Hunt.
2513
2514         * interpreter/Interpreter.h:
2515         - Made getStackTrace() private.
2516         * interpreter/StackIterator.cpp:
2517         (JSC::StackIterator::StackIterator):
2518         (JSC::StackIterator::numberOfFrames):
2519         - Computes the number of frames by iterating through the whole stack
2520           from the starting frame. The iterator will save its current frame
2521           position before counting the frames, and then restoring it after
2522           the counting.
2523         (JSC::StackIterator::gotoFrameAtIndex):
2524         (JSC::StackIterator::gotoNextFrame):
2525         (JSC::StackIterator::resetIterator):
2526         - Points the iterator to the starting frame.
2527         * interpreter/StackIteratorPrivate.h:
2528
2529 2013-08-08  Mark Lam  <mark.lam@apple.com>
2530
2531         Moved ErrorConstructor and NativeErrorConstructor helper functions into
2532         the Interpreter class.
2533         https://bugs.webkit.org/show_bug.cgi?id=119576.
2534
2535         Reviewed by Oliver Hunt.
2536
2537         This change is needed to prepare for making Interpreter::getStackTrace()
2538         private. It does not change the behavior of the code, only the lexical
2539         scoping.
2540
2541         * interpreter/Interpreter.h:
2542         - Added helper functions for ErrorConstructor and NativeErrorConstructor.
2543         * runtime/ErrorConstructor.cpp:
2544         (JSC::Interpreter::constructWithErrorConstructor):
2545         (JSC::ErrorConstructor::getConstructData):
2546         (JSC::Interpreter::callErrorConstructor):
2547         (JSC::ErrorConstructor::getCallData):
2548         - Don't want ErrorConstructor to call Interpreter::getStackTrace()
2549           directly. So, we moved the helper functions into the Interpreter
2550           class.
2551         * runtime/NativeErrorConstructor.cpp:
2552         (JSC::Interpreter::constructWithNativeErrorConstructor):
2553         (JSC::NativeErrorConstructor::getConstructData):
2554         (JSC::Interpreter::callNativeErrorConstructor):
2555         (JSC::NativeErrorConstructor::getCallData):
2556         - Don't want NativeErrorConstructor to call Interpreter::getStackTrace()
2557           directly. So, we moved the helper functions into the Interpreter
2558           class.
2559
2560 2013-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>
2561
2562         32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state
2563         https://bugs.webkit.org/show_bug.cgi?id=119555
2564
2565         Reviewed by Geoffrey Garen.
2566
2567         It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does.
2568         This was causing crashes on maps.google.com in 32-bit debug builds.
2569
2570         * dfg/DFGSpeculativeJIT32_64.cpp:
2571         (JSC::DFG::SpeculativeJIT::compile):
2572
2573 2013-08-06  Michael Saboff  <msaboff@apple.com>
2574
2575         REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT
2576         https://bugs.webkit.org/show_bug.cgi?id=119405
2577
2578         Reviewed by Geoffrey Garen.
2579
2580         * dfg/DFGSpeculativeJIT.cpp:
2581         (JSC::DFG::SpeculativeJIT::compileGetByValOnString): For X86 32 bit, construct an indexed address
2582         ourselves to save a register and then load from it.
2583
2584 2013-08-06  Filip Pizlo  <fpizlo@apple.com>
2585
2586         DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants
2587         https://bugs.webkit.org/show_bug.cgi?id=119528
2588
2589         Reviewed by Geoffrey Garen.
2590
2591         Either of the two fixes would solve the crash I saw. Basically, for best performance, we want the DFG register allocator to track double uses and non-double
2592         uses of a node separately, and we accomplish this by inserting Int32ToDouble nodes in the FixupPhase. But even if FixupPhase fails to do this, we still want
2593         the DFG register allocator to do the right thing: if it encounters a double use of an integer, it should perform a conversion and preserve the original
2594         format of the value (namely, that it was an integer). For constants, the best format to preserve is None, so that future integer uses rematerialize the int
2595         from scratch. This only affects the 64-bit backend; the 32-bit backend was already doing the right thing.
2596
2597         This also fixes some more debug dumping code, and adds some stronger assertions for integer arrays.
2598
2599         * bytecode/CodeBlock.cpp:
2600         (JSC::CodeBlock::finalizeUnconditionally):
2601         * dfg/DFGDriver.cpp:
2602         (JSC::DFG::compile):
2603         * dfg/DFGFixupPhase.cpp:
2604         (JSC::DFG::FixupPhase::fixupNode):
2605         * dfg/DFGGraph.cpp:
2606         (JSC::DFG::Graph::dump):
2607         * dfg/DFGSpeculativeJIT64.cpp:
2608         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2609         * runtime/JSObject.h:
2610         (JSC::JSObject::getIndexQuickly):
2611         (JSC::JSObject::tryGetIndexQuickly):
2612
2613 2013-08-08  Stephanie Lewis  <slewis@apple.com>
2614
2615         <rdar://problem/14680524> REGRESSION(153806): Crash @ yahoo.com when WebKit is built with a .order file
2616
2617         Unreviewed.
2618
2619         Ensure llint symbols are in source order.
2620
2621         * JavaScriptCore.order:
2622
2623 2013-08-06  Mark Lam  <mark.lam@apple.com>
2624
2625         Assertion failure in emitExpressionInfo when reloading with Web Inspector open.
2626         https://bugs.webkit.org/show_bug.cgi?id=119532.
2627
2628         Reviewed by Oliver Hunt.
2629
2630         * parser/Parser.cpp:
2631         (JSC::::Parser):
2632         - Just need to initialize the Parser's JSTokenLocation's initial line and
2633           startOffset as well during Parser construction.
2634
2635 2013-08-06  Stephanie Lewis  <slewis@apple.com>
2636
2637         Update Order Files for Safari
2638         <rdar://problem/14517392>
2639
2640         Unreviewed.
2641
2642         * JavaScriptCore.order:
2643
2644 2013-08-04  Sam Weinig  <sam@webkit.org>
2645
2646         Remove support for HTML5 MicroData
2647         https://bugs.webkit.org/show_bug.cgi?id=119480
2648
2649         Reviewed by Anders Carlsson.
2650
2651         * Configurations/FeatureDefines.xcconfig:
2652
2653 2013-08-05  Oliver Hunt  <oliver@apple.com>
2654
2655         Delay Arguments creation in strict mode
2656         https://bugs.webkit.org/show_bug.cgi?id=119505
2657
2658         Reviewed by Geoffrey Garen.
2659
2660         Make use of the write tracking performed by the parser to
2661         allow us to know if we're modifying the parameters to a function.
2662         Then use that information to make strict mode functions opt out
2663         of eager arguments creation.
2664
2665         * bytecompiler/BytecodeGenerator.cpp:
2666         (JSC::BytecodeGenerator::BytecodeGenerator):
2667         (JSC::BytecodeGenerator::createArgumentsIfNecessary):
2668         (JSC::BytecodeGenerator::emitReturn):
2669         * bytecompiler/BytecodeGenerator.h:
2670         (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly):
2671         * parser/Nodes.h:
2672         (JSC::ScopeNode::modifiesParameter):
2673         * parser/Parser.cpp:
2674         (JSC::::parseInner):
2675         * parser/Parser.h:
2676         (JSC::Scope::declareParameter):
2677         (JSC::Scope::getCapturedVariables):
2678         (JSC::Parser::declareWrite):
2679         * parser/ParserModes.h:
2680
2681 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2682
2683         Remove useless code from COMPILER(RVCT) JITStubs
2684         https://bugs.webkit.org/show_bug.cgi?id=119521
2685
2686         Reviewed by Geoffrey Garen.
2687
2688         * jit/JITStubsARMv7.h:
2689         (JSC::ctiVMThrowTrampoline): "ldr r6, [sp, #PRESERVED_R6_OFFSET]" was called twice.
2690         (JSC::ctiOpThrowNotCaught): Ditto.
2691
2692 2013-07-23  David Farler  <dfarler@apple.com>
2693
2694         Provide optional OTHER_CFLAGS, OTHER_CPPFLAGS, OTHER_LDFLAGS additions for building with ASAN
2695         https://bugs.webkit.org/show_bug.cgi?id=117762
2696
2697         Reviewed by Mark Rowe.
2698
2699         * Configurations/DebugRelease.xcconfig:
2700         Add ASAN_OTHER_CFLAGS, CPLUSPLUSFLAGS, LDFLAGS.
2701         * Configurations/JavaScriptCore.xcconfig:
2702         Add ASAN_OTHER_LDFLAGS.
2703         * Configurations/ToolExecutable.xcconfig:
2704         Don't use ASAN for build tools.
2705
2706 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2707
2708         Build fix for ARM MSVC after r153222 and r153648.
2709
2710         * jit/JITStubsARM.h: Added ctiVMThrowTrampolineSlowpath.
2711
2712 2013-08-06  Patrick Gansterer  <paroga@webkit.org>
2713
2714         Build fix for ARM MSVC after r150109.
2715
2716         Read the stub template from a header file instead of JITStubs.cpp.
2717
2718         * CMakeLists.txt:
2719         * DerivedSources.pri:
2720         * create_jit_stubs:
2721
2722 2013-08-05  Oliver Hunt  <oliver@apple.com>
2723
2724         Move TypedArray implementation into JSC
2725         https://bugs.webkit.org/show_bug.cgi?id=119489
2726
2727         Reviewed by Filip Pizlo.
2728
2729         Move TypedArray implementation into JSC in advance of re-implementation.
2730
2731         * GNUmakefile.list.am:
2732         * JSCTypedArrayStubs.h:
2733         * JavaScriptCore.xcodeproj/project.pbxproj:
2734         * runtime/ArrayBuffer.cpp: Renamed from Source/WTF/wtf/ArrayBuffer.cpp.
2735         (JSC::ArrayBuffer::transfer):
2736         (JSC::ArrayBuffer::addView):
2737         (JSC::ArrayBuffer::removeView):
2738         * runtime/ArrayBuffer.h: Renamed from Source/WTF/wtf/ArrayBuffer.h.
2739         (JSC::ArrayBufferContents::ArrayBufferContents):
2740         (JSC::ArrayBufferContents::data):
2741         (JSC::ArrayBufferContents::sizeInBytes):
2742         (JSC::ArrayBufferContents::transfer):
2743         (JSC::ArrayBufferContents::copyTo):
2744         (JSC::ArrayBuffer::isNeutered):
2745         (JSC::ArrayBuffer::~ArrayBuffer):
2746         (JSC::ArrayBuffer::clampValue):
2747         (JSC::ArrayBuffer::create):
2748         (JSC::ArrayBuffer::createUninitialized):
2749         (JSC::ArrayBuffer::ArrayBuffer):
2750         (JSC::ArrayBuffer::data):
2751         (JSC::ArrayBuffer::byteLength):
2752         (JSC::ArrayBuffer::slice):
2753         (JSC::ArrayBuffer::sliceImpl):
2754         (JSC::ArrayBuffer::clampIndex):
2755         (JSC::ArrayBufferContents::tryAllocate):
2756         (JSC::ArrayBufferContents::~ArrayBufferContents):
2757         * runtime/ArrayBufferView.cpp: Renamed from Source/WTF/wtf/ArrayBufferView.cpp.
2758         (JSC::ArrayBufferView::ArrayBufferView):
2759         (JSC::ArrayBufferView::~ArrayBufferView):
2760         (JSC::ArrayBufferView::neuter):
2761         * runtime/ArrayBufferView.h: Renamed from Source/WTF/wtf/ArrayBufferView.h.
2762         (JSC::ArrayBufferView::buffer):
2763         (JSC::ArrayBufferView::baseAddress):
2764         (JSC::ArrayBufferView::byteOffset):
2765         (JSC::ArrayBufferView::setNeuterable):
2766         (JSC::ArrayBufferView::isNeuterable):
2767         (JSC::ArrayBufferView::verifySubRange):
2768         (JSC::ArrayBufferView::clampOffsetAndNumElements):
2769         (JSC::ArrayBufferView::setImpl):
2770         (JSC::ArrayBufferView::setRangeImpl):
2771         (JSC::ArrayBufferView::zeroRangeImpl):
2772         (JSC::ArrayBufferView::calculateOffsetAndLength):
2773         * runtime/Float32Array.h: Renamed from Source/WTF/wtf/Float32Array.h.
2774         (JSC::Float32Array::set):
2775         (JSC::Float32Array::getType):
2776         (JSC::Float32Array::create):
2777         (JSC::Float32Array::createUninitialized):
2778         (JSC::Float32Array::Float32Array):
2779         (JSC::Float32Array::subarray):
2780         * runtime/Float64Array.h: Renamed from Source/WTF/wtf/Float64Array.h.
2781         (JSC::Float64Array::set):
2782         (JSC::Float64Array::getType):
2783         (JSC::Float64Array::create):
2784         (JSC::Float64Array::createUninitialized):
2785         (JSC::Float64Array::Float64Array):
2786         (JSC::Float64Array::subarray):
2787         * runtime/Int16Array.h: Renamed from Source/WTF/wtf/Int16Array.h.
2788         (JSC::Int16Array::getType):
2789         (JSC::Int16Array::create):
2790         (JSC::Int16Array::createUninitialized):
2791         (JSC::Int16Array::Int16Array):
2792         (JSC::Int16Array::subarray):
2793         * runtime/Int32Array.h: Renamed from Source/WTF/wtf/Int32Array.h.
2794         (JSC::Int32Array::getType):
2795         (JSC::Int32Array::create):
2796         (JSC::Int32Array::createUninitialized):
2797         (JSC::Int32Array::Int32Array):
2798         (JSC::Int32Array::subarray):
2799         * runtime/Int8Array.h: Renamed from Source/WTF/wtf/Int8Array.h.
2800         (JSC::Int8Array::getType):
2801         (JSC::Int8Array::create):
2802         (JSC::Int8Array::createUninitialized):
2803         (JSC::Int8Array::Int8Array):
2804         (JSC::Int8Array::subarray):
2805         * runtime/IntegralTypedArrayBase.h: Renamed from Source/WTF/wtf/IntegralTypedArrayBase.h.
2806         (JSC::IntegralTypedArrayBase::set):
2807         (JSC::IntegralTypedArrayBase::IntegralTypedArrayBase):
2808         * runtime/TypedArrayBase.h: Renamed from Source/WTF/wtf/TypedArrayBase.h.
2809         (JSC::TypedArrayBase::data):
2810         (JSC::TypedArrayBase::set):
2811         (JSC::TypedArrayBase::setRange):
2812         (JSC::TypedArrayBase::zeroRange):
2813         (JSC::TypedArrayBase::length):
2814         (JSC::TypedArrayBase::byteLength):
2815         (JSC::TypedArrayBase::item):
2816         (JSC::TypedArrayBase::checkInboundData):
2817         (JSC::TypedArrayBase::TypedArrayBase):
2818         (JSC::TypedArrayBase::create):
2819         (JSC::TypedArrayBase::createUninitialized):
2820         (JSC::TypedArrayBase::subarrayImpl):
2821         (JSC::TypedArrayBase::neuter):
2822         * runtime/Uint16Array.h: Renamed from Source/WTF/wtf/Uint16Array.h.
2823         (JSC::Uint16Array::getType):
2824         (JSC::Uint16Array::create):
2825         (JSC::Uint16Array::createUninitialized):
2826         (JSC::Uint16Array::Uint16Array):
2827         (JSC::Uint16Array::subarray):
2828         * runtime/Uint32Array.h: Renamed from Source/WTF/wtf/Uint32Array.h.
2829         (JSC::Uint32Array::getType):
2830         (JSC::Uint32Array::create):
2831         (JSC::Uint32Array::createUninitialized):
2832         (JSC::Uint32Array::Uint32Array):
2833         (JSC::Uint32Array::subarray):
2834         * runtime/Uint8Array.h: Renamed from Source/WTF/wtf/Uint8Array.h.
2835         (JSC::Uint8Array::getType):
2836         (JSC::Uint8Array::create):
2837         (JSC::Uint8Array::createUninitialized):
2838         (JSC::Uint8Array::Uint8Array):
2839         (JSC::Uint8Array::subarray):
2840         * runtime/Uint8ClampedArray.h: Renamed from Source/WTF/wtf/Uint8ClampedArray.h.
2841         (JSC::Uint8ClampedArray::getType):
2842         (JSC::Uint8ClampedArray::create):
2843         (JSC::Uint8ClampedArray::createUninitialized):
2844         (JSC::Uint8ClampedArray::zeroFill):
2845         (JSC::Uint8ClampedArray::set):
2846         (JSC::Uint8ClampedArray::Uint8ClampedArray):
2847         (JSC::Uint8ClampedArray::subarray):
2848         * runtime/VM.h:
2849
2850 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
2851
2852         Copied space should be able to handle more than one copied backing store per JSCell
2853         https://bugs.webkit.org/show_bug.cgi?id=119471
2854
2855         Reviewed by Mark Hahnenberg.
2856         
2857         This allows a cell to call copyLater() multiple times for multiple different
2858         backing stores, and then have copyBackingStore() called exactly once for each
2859         of those. A token tells it which backing store to copy. All backing stores
2860         must be named using the CopyToken, an enumeration which currently cannot
2861         exceed eight entries.
2862         
2863         When copyBackingStore() is called, it's up to the callee to (a) use the token
2864         to decide what to copy and (b) call its base class's copyBackingStore() in
2865         case the base class had something that needed copying. The only exception is
2866         that JSCell never asks anything to be copied, and so if your base is JSCell
2867         then you don't have to do anything.
2868
2869         * GNUmakefile.list.am:
2870         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2871         * JavaScriptCore.xcodeproj/project.pbxproj:
2872         * heap/CopiedBlock.h:
2873         * heap/CopiedBlockInlines.h:
2874         (JSC::CopiedBlock::reportLiveBytes):
2875         * heap/CopyToken.h: Added.
2876         * heap/CopyVisitor.cpp:
2877         (JSC::CopyVisitor::copyFromShared):
2878         * heap/CopyVisitor.h:
2879         * heap/CopyVisitorInlines.h:
2880         (JSC::CopyVisitor::visitItem):
2881         * heap/CopyWorkList.h:
2882         (JSC::CopyWorklistItem::CopyWorklistItem):
2883         (JSC::CopyWorklistItem::cell):
2884         (JSC::CopyWorklistItem::token):
2885         (JSC::CopyWorkListSegment::get):
2886         (JSC::CopyWorkListSegment::append):
2887         (JSC::CopyWorkListSegment::data):
2888         (JSC::CopyWorkListIterator::get):
2889         (JSC::CopyWorkListIterator::operator*):
2890         (JSC::CopyWorkListIterator::operator->):
2891         (JSC::CopyWorkList::append):
2892         * heap/SlotVisitor.h:
2893         * heap/SlotVisitorInlines.h:
2894         (JSC::SlotVisitor::copyLater):
2895         * runtime/ClassInfo.h:
2896         * runtime/JSCell.cpp:
2897         (JSC::JSCell::copyBackingStore):
2898         * runtime/JSCell.h:
2899         * runtime/JSObject.cpp:
2900         (JSC::JSObject::visitButterfly):
2901         (JSC::JSObject::copyBackingStore):
2902         * runtime/JSObject.h:
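
The copyLater()/copyBackingStore() contract described in this entry, as an added example that is not JavaScriptCore code: a toy copy visitor whose work list packs a cell pointer and a CopyToken into one word (the three low bits, which is where the eight-entry limit comes from), drains each (cell, token) pair exactly once, and a two-level cell hierarchy whose derived class copies its own store under its token and defers every other token to its base. The token names, the class names and the word-packing layout are assumptions made for the illustration.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <vector>

namespace toy_copy {

// Names for a cell's backing stores. Assumed for this example; JSC's own
// CopyToken entries differ. At most eight values fit, because the work list
// keeps the token in the three low bits of the 8-byte-aligned cell pointer.
enum class CopyToken : uint8_t { PropertyStorage = 0, AuxiliaryBuffer = 1 };
constexpr uintptr_t kTokenMask = 0x7;

struct CopyVisitor;

// Base cell: like JSCell, it never asks for anything to be copied, so its
// copyBackingStore() has nothing to do.
struct Cell {
    virtual ~Cell() = default;
    virtual void copyBackingStore(CopyVisitor&, CopyToken) {}
};

// One work-list entry: cell pointer and token packed into a single word.
struct WorklistItem {
    uintptr_t value;
    WorklistItem(Cell* cell, CopyToken token)
        : value(reinterpret_cast<uintptr_t>(cell) | static_cast<uintptr_t>(token)) {
        assert((reinterpret_cast<uintptr_t>(cell) & kTokenMask) == 0);
    }
    Cell* cell() const { return reinterpret_cast<Cell*>(value & ~kTokenMask); }
    CopyToken token() const { return static_cast<CopyToken>(value & kTokenMask); }
};

struct CopyVisitor {
    std::vector<WorklistItem> worklist;
    size_t bytesCopied = 0;

    // Marking phase: a cell calls this once for each backing store it owns.
    void copyLater(Cell* cell, CopyToken token) { worklist.emplace_back(cell, token); }

    // Copying phase: a fresh buffer stands in for the to-space allocation.
    std::vector<uint8_t> copy(const std::vector<uint8_t>& from) {
        bytesCopied += from.size();
        return std::vector<uint8_t>(from);
    }

    // Each (cell, token) registered above gets exactly one copyBackingStore() call.
    void copyAll() {
        for (const WorklistItem& item : worklist)
            item.cell()->copyBackingStore(*this, item.token());
        worklist.clear();
    }
};

// A cell with one copied store.
struct ObjectCell : Cell {
    std::vector<uint8_t> propertyStorage;
    int propertyCopies = 0;

    void registerStores(CopyVisitor& visitor) { visitor.copyLater(this, CopyToken::PropertyStorage); }

    void copyBackingStore(CopyVisitor& visitor, CopyToken token) override {
        if (token == CopyToken::PropertyStorage) {   // (a) the token says which store to copy
            propertyStorage = visitor.copy(propertyStorage);
            ++propertyCopies;
            return;
        }
        Cell::copyBackingStore(visitor, token);      // (b) anything else belongs to the base
    }
};

// A subclass that adds a second copied store and defers the first to its base.
struct TypedArrayCell : ObjectCell {
    std::vector<uint8_t> auxiliaryBuffer;
    int auxiliaryCopies = 0;

    void registerStores(CopyVisitor& visitor) {
        ObjectCell::registerStores(visitor);
        visitor.copyLater(this, CopyToken::AuxiliaryBuffer);
    }

    void copyBackingStore(CopyVisitor& visitor, CopyToken token) override {
        if (token == CopyToken::AuxiliaryBuffer) {
            auxiliaryBuffer = visitor.copy(auxiliaryBuffer);
            ++auxiliaryCopies;
            return;
        }
        ObjectCell::copyBackingStore(visitor, token);
    }
};

// One mark-then-copy cycle over a single cell; returns the number of bytes moved.
inline size_t collect(TypedArrayCell& cell) {
    CopyVisitor visitor;
    cell.registerStores(visitor);   // two copyLater() calls with two different tokens
    visitor.copyAll();              // two copyBackingStore() calls, one per token
    return visitor.bytesCopied;
}

} // namespace toy_copy

int main() {
    toy_copy::TypedArrayCell cell;
    cell.propertyStorage.assign(16, 0xAA);
    cell.auxiliaryBuffer.assign(32, 0xBB);
    bool ok = toy_copy::collect(cell) == 48 && cell.propertyCopies == 1 && cell.auxiliaryCopies == 1;
    return ok ? 0 : 1;
}
```

Running collect() on a TypedArrayCell with both stores filled copies each store once and reports the sum of their sizes; a token the hierarchy does not recognise falls through to the Cell base, which copies nothing, which is exactly the JSCell case the entry describes.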
2903
2904 2013-08-05  Zan Dobersek  <zdobersek@igalia.com>
2905
2906         [Automake] Define ENABLE_JIT through the Autoconf header
2907         https://bugs.webkit.org/show_bug.cgi?id=119445
2908
2909         Reviewed by Martin Robinson.
2910
2911         * GNUmakefile.am: Remove JSC_CPPFLAGS from the cpp flags for the JSC library.
2912
2913 2013-08-03  Filip Pizlo  <fpizlo@apple.com>
2914
2915         hasIndexingHeader() ought really to be a property of an object and its structure, not just its structure
2916         https://bugs.webkit.org/show_bug.cgi?id=119470
2917
2918         Reviewed by Oliver Hunt.
2919         
2920         Structure can still tell you if the object "could" (in the conservative sense)
2921         have an indexing header; that's used by the compiler.
2922         
2923         Most of the time if you want to know if there's an indexing header, you ask the
2924         JSObject.
2925         
2926         In some cases, the JSObject wants to know if it would have an indexing header if
2927         it had a different structure; then it uses Structure::hasIndexingHeader(JSCell*).
2928
2929         * dfg/DFGRepatch.cpp:
2930         (JSC::DFG::tryCachePutByID):
2931         (JSC::DFG::tryBuildPutByIdList):
2932         * dfg/DFGSpeculativeJIT.cpp:
2933         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2934         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2935         * runtime/ButterflyInlines.h:
2936         (JSC::Butterfly::create):
2937         (JSC::Butterfly::growPropertyStorage):
2938         (JSC::Butterfly::growArrayRight):
2939         (JSC::Butterfly::resizeArray):
2940         * runtime/JSObject.cpp:
2941         (JSC::JSObject::copyButterfly):
2942         (JSC::JSObject::visitButterfly):
2943         * runtime/JSObject.h:
2944         (JSC::JSObject::hasIndexingHeader):
2945         (JSC::JSObject::setButterfly):
2946         * runtime/Structure.h:
2947         (JSC::Structure::couldHaveIndexingHeader):
2948         (JSC::Structure::hasIndexingHeader):
2949
2950 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
2951
2952         Give the error object's stack property accessor attributes.
2953         https://bugs.webkit.org/show_bug.cgi?id=119404
2954
2955         Reviewed by Geoffrey Garen.
2956         
2957         Changed the attributes of error object's stack property to allow developers to write
2958         and delete the stack property. This will match the functionality of Chrome. Firefox  
2959         allows developers to write the error's stack, but not delete it. 
2960
2961         * interpreter/Interpreter.cpp:
2962         (JSC::Interpreter::addStackTraceIfNecessary):
2963         * runtime/ErrorInstance.cpp:
2964         (JSC::ErrorInstance::finishCreation):
2965
2966 2013-08-02  Oliver Hunt  <oliver@apple.com>
2967
2968         Incorrect type speculation reported by ToPrimitive
2969         https://bugs.webkit.org/show_bug.cgi?id=119458
2970
2971         Reviewed by Mark Hahnenberg.
2972
2973         Make sure that we report the correct type possibilities for the output
2974         from ToPrimitive
2975
2976         * dfg/DFGAbstractInterpreterInlines.h:
2977         (JSC::DFG::::executeEffects):
2978
2979 2013-08-02  Gavin Barraclough  <barraclough@apple.com>
2980
2981         Remove no-arguments constructor to PropertySlot
2982         https://bugs.webkit.org/show_bug.cgi?id=119460
2983
2984         Reviewed by Geoff Garen.
2985
2986         This constructor was unsafe if getValue is subsequently called,
2987         and the property is a getter. Simplest to just remove it.
2988
2989         * runtime/Arguments.cpp:
2990         (JSC::Arguments::defineOwnProperty):
2991         * runtime/JSActivation.cpp:
2992         (JSC::JSActivation::getOwnPropertyDescriptor):
2993         * runtime/JSFunction.cpp:
2994         (JSC::JSFunction::getOwnPropertyDescriptor):
2995         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2996         (JSC::JSFunction::put):
2997         (JSC::JSFunction::defineOwnProperty):
2998         * runtime/JSGlobalObject.cpp:
2999         (JSC::JSGlobalObject::defineOwnProperty):
3000         * runtime/JSGlobalObject.h:
3001         (JSC::JSGlobalObject::hasOwnPropertyForWrite):
3002         * runtime/JSNameScope.cpp:
3003         (JSC::JSNameScope::put):
3004         * runtime/JSONObject.cpp:
3005         (JSC::Stringifier::Holder::appendNextProperty):
3006         (JSC::Walker::walk):
3007         * runtime/JSObject.cpp:
3008         (JSC::JSObject::hasProperty):
3009         (JSC::JSObject::hasOwnProperty):
3010         (JSC::JSObject::reifyStaticFunctionsForDelete):
3011         * runtime/Lookup.h:
3012         (JSC::getStaticPropertyDescriptor):
3013         (JSC::getStaticFunctionDescriptor):
3014         (JSC::getStaticValueDescriptor):
3015         * runtime/ObjectConstructor.cpp:
3016         (JSC::defineProperties):
3017         * runtime/PropertySlot.h:
3018
3019 2013-08-02  Mark Hahnenberg  <mhahnenberg@apple.com>
3020
3021         DFG validation can cause assertion failures due to dumping
3022         https://bugs.webkit.org/show_bug.cgi?id=119456
3023
3024         Reviewed by Geoffrey Garen.
3025
3026         * bytecode/CodeBlock.cpp:
3027         (JSC::CodeBlock::hasHash):
3028         (JSC::CodeBlock::isSafeToComputeHash):
3029         (JSC::CodeBlock::hash):
3030         (JSC::CodeBlock::dumpAssumingJITType):
3031         * bytecode/CodeBlock.h:
3032
3033 2013-08-02  Chris Curtis  <chris_curtis@apple.com>
3034
3035         Have VM's exceptionStack match Java's VM's exceptionStack.
3036         https://bugs.webkit.org/show_bug.cgi?id=119362
3037
3038         Reviewed by Geoffrey Garen.
3039         
3040         The error object's stack is only updated if it does not exist yet. This matches 
3041         the functionality of other browsers, and Java VMs. 
3042
3043         * interpreter/Interpreter.cpp:
3044         (JSC::Interpreter::addStackTraceIfNecessary):
3045         (JSC::Interpreter::throwException):
3046         * runtime/VM.cpp:
3047         (JSC::VM::clearExceptionStack):
3048         * runtime/VM.h:
3049         (JSC::VM::lastExceptionStack):
3050
3051 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
3052
3053         REGRESSION(FTL): Fix mips implementation of ctiVMThrowTrampolineSlowpath.
3054         https://bugs.webkit.org/show_bug.cgi?id=119447
3055
3056         Reviewed by Geoffrey Garen.
3057
3058         Fix .cpload, update call frame and do not restore registers from JIT stack frame in
3059         mips implementation of ctiVMThrowTrampolineSlowpath. This change is similar to
3060         r153583 (sh4) and r153648 (ARM).
3061
3062         * jit/JITStubsMIPS.h:
3063
3064 2013-08-01  Filip Pizlo  <fpizlo@apple.com>
3065
3066         hasIndexingHeader should be a property of the Structure, not just the IndexingType
3067         https://bugs.webkit.org/show_bug.cgi?id=119422
3068
3069         Reviewed by Oliver Hunt.
3070         
3071         This simplifies some code and also allows Structure to claim that an object
3072         has an indexing header even if it doesn't have indexed properties.
3073         
3074         I also changed some calls to use hasIndexedProperties() since in some cases,
3075         that's what we actually meant. Currently the two are synonyms.
3076
3077         * dfg/DFGRepatch.cpp:
3078         (JSC::DFG::tryCachePutByID):
3079         (JSC::DFG::tryBuildPutByIdList):
3080         * dfg/DFGSpeculativeJIT.cpp:
3081         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3082         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3083         * runtime/ButterflyInlines.h:
3084         (JSC::Butterfly::create):
3085         (JSC::Butterfly::growPropertyStorage):
3086         (JSC::Butterfly::growArrayRight):
3087         (JSC::Butterfly::resizeArray):
3088         * runtime/IndexingType.h:
3089         * runtime/JSObject.cpp:
3090         (JSC::JSObject::copyButterfly):
3091         (JSC::JSObject::visitButterfly):
3092         (JSC::JSObject::setPrototype):
3093         * runtime/JSObject.h:
3094         (JSC::JSObject::setButterfly):
3095         * runtime/JSPropertyNameIterator.cpp:
3096         (JSC::JSPropertyNameIterator::create):
3097         * runtime/Structure.h:
3098         (JSC::Structure::hasIndexingHeader):
3099
3100 2013-08-02  Julien Brianceau  <jbrianceau@nds.com>
3101
3102         REGRESSION: ARM still crashes after change set r153612.
3103         https://bugs.webkit.org/show_bug.cgi?id=119433
3104
3105         Reviewed by Michael Saboff.
3106
3107         Update call frame and do not restore registers from JIT stack frame in ARM and ARMv7
3108         implementations of ctiVMThrowTrampolineSlowpath. This change is similar to r153583
3109         for sh4 architecture.
3110
3111         * jit/JITStubsARM.h:
3112         * jit/JITStubsARMv7.h:
3113
3114 2013-08-02  Michael Saboff  <msaboff@apple.com>
3115
3116         REGRESSION(r153612): It made jsc and layout tests crash
3117         https://bugs.webkit.org/show_bug.cgi?id=119440
3118
3119         Reviewed by Csaba Osztrogonác.
3120
3121         Made the changes of changeset r153612 only apply to 32 bit builds.
3122
3123         * jit/JITExceptions.cpp:
3124         * jit/JITExceptions.h:
3125         * jit/JITStubs.cpp:
3126         (JSC::cti_vm_throw_slowpath):
3127         * jit/JITStubs.h:
3128
3129 2013-08-02  Patrick Gansterer  <paroga@webkit.org>
3130
3131         Add JSCTestRunnerUtils to the list of forwarding headers to fix build.
3132
3133         * CMakeLists.txt:
3134
3135 2013-08-01  Ruth Fong  <ruth_fong@apple.com>
3136
3137         [Forms: color] <input type='color'> popover color well implementation
3138         <rdar://problem/14411008> and https://bugs.webkit.org/show_bug.cgi?id=119356
3139
3140         Reviewed by Benjamin Poulain.
3141
3142         * Configurations/FeatureDefines.xcconfig: Added and enabled INPUT_TYPE_COLOR_POPOVER.
3143
3144 2013-08-01  Oliver Hunt  <oliver@apple.com>
3145
3146         DFG is not enforcing correct ordering of ToString conversion in MakeRope
3147         https://bugs.webkit.org/show_bug.cgi?id=119408
3148
3149         Reviewed by Filip Pizlo.
3150
3151         Construct ToString and Phantom nodes in advance of MakeRope
3152         nodes to ensure that ordering is ensured, and correct values
3153         will be reified on OSR exit.
3154
3155         * dfg/DFGByteCodeParser.cpp:
3156         (JSC::DFG::ByteCodeParser::parseBlock):
3157
3158 2013-08-01  Michael Saboff  <msaboff@apple.com>
3159
3160         REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
3161         https://bugs.webkit.org/show_bug.cgi?id=119140
3162
3163         Reviewed by Filip Pizlo.
3164
3165         Ensure that ExceptionHandler is returned by functions in two registers by encoding the value as a 64 bit int.
3166
3167         * jit/JITExceptions.cpp:
3168         (JSC::encode):
3169         * jit/JITExceptions.h:
3170         * jit/JITStubs.cpp:
3171         (JSC::cti_vm_throw_slowpath):
3172         * jit/JITStubs.h:
3173
3174 2013-08-01  Julien Brianceau  <jbrianceau@nds.com>
3175
3176         REGRESSION(FTL): Fix sh4 implementation of ctiVMThrowTrampolineSlowpath.
3177         https://bugs.webkit.org/show_bug.cgi?id=119391
3178
3179         Reviewed by Csaba Osztrogonác.
3180
3181         * jit/JITStubsSH4.h: Fix ctiVMThrowTrampolineSlowpath implementation:
3182             - Call frame is in r14 register.
3183             - Do not restore registers from JIT stack frame here.
3184
3185 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
3186
3187         More cleanup in PropertySlot
3188         https://bugs.webkit.org/show_bug.cgi?id=119359
3189
3190         Reviewed by Geoff Garen.
3191
3192         m_slotBase is overloaded to store the (receiver) thisValue and the object that contains the property.
3193         This is confusing, and means that slotBase cannot be typed correctly (can only be a JSObject).
3194
3195         * dfg/DFGRepatch.cpp:
3196         (JSC::DFG::tryCacheGetByID):
3197         (JSC::DFG::tryBuildGetByIDList):
3198             - No need to ASSERT slotBase is an object.
3199         * jit/JITStubs.cpp:
3200         (JSC::tryCacheGetByID):
3201         (JSC::DEFINE_STUB_FUNCTION):
3202             - No need to ASSERT slotBase is an object.
3203         * runtime/JSObject.cpp:
3204         (JSC::JSObject::getOwnPropertySlotByIndex):
3205         (JSC::JSObject::fillGetterPropertySlot):
3206             - Pass an object through to setGetterSlot.
3207         * runtime/JSObject.h:
3208         (JSC::PropertySlot::getValue):
3209             - Moved from PropertySlot (need to know about JSObject).
3210         * runtime/PropertySlot.cpp:
3211         (JSC::PropertySlot::functionGetter):
3212             - Update per member name changes.
3213         * runtime/PropertySlot.h:
3214         (JSC::PropertySlot::PropertySlot):
3215             - Argument to constructor set to 'thisValue'.
3216         (JSC::PropertySlot::slotBase):
3217             - This returns a JSObject*.
3218         (JSC::PropertySlot::setValue):
3219         (JSC::PropertySlot::setCustom):
3220         (JSC::PropertySlot::setCacheableCustom):
3221         (JSC::PropertySlot::setCustomIndex):
3222         (JSC::PropertySlot::setGetterSlot):
3223         (JSC::PropertySlot::setCacheableGetterSlot):
3224             - slotBase is a JSObject*, make setGetterSlot set slotBase for consistency.
3225         * runtime/SparseArrayValueMap.cpp:
3226         (JSC::SparseArrayEntry::get):
3227             - Pass an object through to setGetterSlot.
3228         * runtime/SparseArrayValueMap.h:
3229             - Pass an object through to setGetterSlot.
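
The two PropertySlot changes in this log (the 2013-08-02 entry removing the no-arguments constructor, and this entry separating the receiver from a slotBase typed as an object) as an added example that is not JSC's PropertySlot: a slot that cannot be built without its thisValue, records the object holding the property separately from the receiver, and hands the receiver, not the slot base, to a getter when getValue() runs. The Value and Getter types and all names are assumptions made for the illustration.

```cpp
#include <cassert>
#include <functional>
#include <string>
#include <type_traits>
#include <variant>

namespace toy_slot {

struct Object {
    std::string name;
};

// A JS-ish value: number, string, or object. Constructed for the example; not JSValue.
using Value = std::variant<double, std::string, Object*>;

// A getter is invoked with the receiver (thisValue) the property was read on.
using Getter = std::function<Value(const Value& thisValue)>;

class PropertySlot {
public:
    // The receiver is mandatory. There is deliberately no no-argument constructor,
    // so a slot cannot reach getValue() without knowing what `this` is.
    explicit PropertySlot(Value thisValue) : m_thisValue(std::move(thisValue)) {}

    // Data property found on `slotBase`.
    void setValue(Object* slotBase, Value value) {
        m_slotBase = slotBase;
        m_kind = Kind::Value;
        m_value = std::move(value);
    }

    // Accessor property found on `slotBase`; the base is recorded here too, for consistency.
    void setGetterSlot(Object* slotBase, Getter getter) {
        m_slotBase = slotBase;
        m_kind = Kind::Getter;
        m_getter = std::move(getter);
    }

    // The object holding the property: always an object, never the (possibly primitive) receiver.
    Object* slotBase() const { return m_slotBase; }

    // A getter receives the receiver, not the slot base.
    Value getValue() const {
        assert(m_kind != Kind::Unset);
        if (m_kind == Kind::Value)
            return m_value;
        return m_getter(m_thisValue);
    }

private:
    enum class Kind { Unset, Value, Getter };
    Value m_thisValue;
    Object* m_slotBase = nullptr;
    Kind m_kind = Kind::Unset;
    Value m_value;
    Getter m_getter;
};

// The state the removed constructor allowed (a slot with no receiver) is now unrepresentable.
static_assert(!std::is_default_constructible<PropertySlot>::value, "a slot always knows its receiver");

// A `length` accessor installed on String.prototype but read on a primitive string:
// the slot base is the prototype object, the receiver handed to the getter is the string.
inline Value lookupLengthOnString(Object* stringPrototype, const std::string& receiver) {
    PropertySlot slot{Value(receiver)};
    slot.setGetterSlot(stringPrototype, [](const Value& thisValue) -> Value {
        return static_cast<double>(std::get<std::string>(thisValue).size());
    });
    assert(slot.slotBase() == stringPrototype);
    return slot.getValue();
}

} // namespace toy_slot

int main() {
    toy_slot::Object proto{"String.prototype"};
    return std::get<double>(toy_slot::lookupLengthOnString(&proto, "hello")) == 5.0 ? 0 : 1;
}
```

The receiver can be a primitive while slotBase() is always an object, which is the typing this entry restores; and because the only constructor takes the receiver, the getter-without-receiver case the earlier entry calls unsafe cannot be written at all.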
3230
3231 2013-07-31  Yi Shen  <max.hong.shen@gmail.com>
3232
3233         Reduce JSC API static value setter/getter overhead.
3234         https://bugs.webkit.org/show_bug.cgi?id=119277
3235
3236         Reviewed by Geoffrey Garen.
3237
3238         Add property name to the static value entry, so that OpaqueJSString::create() doesn't
3239         need to be called on every set or get of the static value.
3240
3241         * API/JSCallbackObjectFunctions.h:
3242         (JSC::::put):
3243         (JSC::::putByIndex):
3244         (JSC::::getStaticValue):
3245         * API/JSClassRef.cpp:
3246         (OpaqueJSClassContextData::OpaqueJSClassContextData):
3247         * API/JSClassRef.h:
3248         (StaticValueEntry::StaticValueEntry):
3249
3250 2013-07-31  Kwang Yul Seo  <skyul@company100.net>
3251
3252         Use emptyString instead of String("")
3253         https://bugs.webkit.org/show_bug.cgi?id=119335
3254
3255         Reviewed by Darin Adler.
3256
3257         Use emptyString() instead of String("") because it is better style and
3258         faster. This is a followup to r116908, removing all occurrences of
3259         String("") from WebKit.
3260
3261         * runtime/RegExpConstructor.cpp:
3262         (JSC::constructRegExp):
3263         * runtime/RegExpPrototype.cpp:
3264         (JSC::regExpProtoFuncCompile):
3265         * runtime/StringPrototype.cpp:
3266         (JSC::stringProtoFuncMatch):
3267         (JSC::stringProtoFuncSearch):
3268
3269 2013-07-31  Ruth Fong  <ruth_fong@apple.com>
3270
3271         <input type=color> Mac UI behaviour
3272         <rdar://problem/10269922> and https://bugs.webkit.org/show_bug.cgi?id=61276
3273
3274         Reviewed by Brady Eidson.
3275
3276         * Configurations/FeatureDefines.xcconfig: Enabled INPUT_TYPE_COLOR.
3277
3278 2013-07-31  Mark Hahnenberg  <mhahnenberg@apple.com>
3279
3280         DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT
3281         https://bugs.webkit.org/show_bug.cgi?id=119349
3282
3283         Reviewed by Geoffrey Garen.
3284
3285         Prior to this patch, the baseline JIT was responsible for resizing the ctiOffsets Vector for 
3286         SimpleJumpTables to be equal to the size of the branchOffsets Vector. The DFG implicitly relied
3287         on code it compiled with any switch statements to have been run in the baseline JIT first. 
3288         However, if the DFG chooses to inline a function that has never been compiled by the baseline 
3289         JIT then this resizing never happens and we crash at link time in the DFG.
3290
3291         We can fix this by also doing the resize in the DFG to catch this case.
3292
3293         * dfg/DFGJITCompiler.cpp:
3294         (JSC::DFG::JITCompiler::link):
3295
3296 2013-07-31  Gavin Barraclough  <barraclough@apple.com>
3297
3298         Speculative Windows build fix.
3299
3300         Reviewed by NOBODY
3301
3302         * runtime/JSString.cpp:
3303         (JSC::JSRopeString::getIndexSlowCase):
3304         * runtime/JSString.h:
3305
3306 2013-07-30  Gavin Barraclough  <barraclough@apple.com>
3307
3308         Some cleanup in JSValue::get
3309         https://bugs.webkit.org/show_bug.cgi?id=119343
3310
3311         Reviewed by Geoff Garen.
3312
3313         JSValue::get is implemented to:
3314             1) Check if the value is a cell – if not, synthesize a prototype to search,
3315             2) call getOwnPropertySlot on the cell,
3316             3) if this returns false, cast to JSObject to get the prototype, and walk the prototype chain.
3317         By all rights this should crash when passed a string and accessing a property that does not exist, because
3318         the string is a cell, getOwnPropertySlot should return false, and the cast to JSObject should be unsafe.
3319         To work around this, JSString::getOwnPropertySlot actually implements 'get' functionality - searching the
3320         prototype chain, and faking out a return value of undefined if no property is found.
3321
3322         This is a huge hazard, since fixing JSString::getOwnPropertySlot or calling getOwnPropertySlot on cells
3323         from elsewhere would introduce bugs. Fortunately it is only ever called in this one place.
3324
3325         The fix here is to move getOwnPropertySlot onto JSObject and end this madness - cells don't have property
3326         slots anyway.
3327
3328         Interesting changes are in JSCJSValueInlines.h, JSString.cpp - the rest is pretty much all JSCell -> JSObject.
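
The lookup shape this entry describes (cell check, own lookup, prototype walk) as an added example rather than JSC code: a toy realm whose getOwnProperty() exists only on objects, so a string receiver is routed to a synthesized String.prototype instead of being cast to an object, and a miss yields undefined without any faked-out slot. Realm, Object, Value and the property names are assumptions made for the illustration.

```cpp
#include <cassert>
#include <map>
#include <optional>
#include <string>
#include <variant>

namespace toy_get {

struct Object;

// A value is a number, a string cell (heap-allocated but not an object), or an object.
using Value = std::variant<double, std::string, const Object*>;

struct Object {
    std::map<std::string, Value> ownProperties;
    const Object* prototype = nullptr;

    // The only per-object primitive: own properties of this object, nothing more.
    // It lives on Object, so there is no way to call it on a string cell.
    std::optional<Value> getOwnProperty(const std::string& name) const {
        auto it = ownProperties.find(name);
        if (it == ownProperties.end())
            return std::nullopt;
        return it->second;
    }
};

struct Realm {
    Object objectPrototype;
    Object stringPrototype;
    Object numberPrototype;

    Realm() {
        stringPrototype.prototype = &objectPrototype;
        numberPrototype.prototype = &objectPrototype;
    }
    Realm(const Realm&) = delete;
    Realm& operator=(const Realm&) = delete;

    // Step 1 of get(): a non-object receiver is never cast to an object;
    // the realm chooses the prototype object whose chain will be searched.
    const Object* synthesizePrototype(const Value& receiver) const {
        if (std::holds_alternative<double>(receiver))
            return &numberPrototype;
        if (std::holds_alternative<std::string>(receiver))
            return &stringPrototype;
        return nullptr;
    }

    // JSValue::get; nullopt models `undefined`.
    std::optional<Value> get(const Value& receiver, const std::string& name) const {
        // The toy string's one own property (JSString's real ones also include indices).
        const std::string* s = std::get_if<std::string>(&receiver);
        if (s && name == "length")
            return Value(static_cast<double>(s->size()));

        const Object* object = std::holds_alternative<const Object*>(receiver)
            ? std::get<const Object*>(receiver)
            : synthesizePrototype(receiver);

        // Steps 2 and 3: own lookup, then walk the prototype chain. Only Object
        // pointers ever reach here, so no cell is treated as an object it is not.
        for (; object; object = object->prototype) {
            if (std::optional<Value> found = object->getOwnProperty(name))
                return found;
        }
        return std::nullopt;   // nothing found: undefined, with no faked-out slot
    }
};

// Convenience for reading a string-valued result; empty string for undefined or non-string.
inline std::string asString(const std::optional<Value>& v) {
    if (!v || !std::holds_alternative<std::string>(*v))
        return "";
    return std::get<std::string>(*v);
}

} // namespace toy_get

int main() {
    toy_get::Realm realm;
    realm.stringPrototype.ownProperties["trim"] = std::string("native trim");
    bool ok = toy_get::asString(realm.get(std::string("abc"), "trim")) == "native trim"
        && !realm.get(std::string("abc"), "missing").has_value();
    return ok ? 0 : 1;
}
```

A string receiver finds String.prototype's properties and, through it, Object.prototype's; a number receiver does not see String.prototype; and a missing property on a string returns undefined from the same code path that objects use, which is the behaviour JSString::getOwnPropertySlot had to fake before this change.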
3329
3330 2013-07-31  Michael Saboff  <msaboff@apple.com>
3331
3332         [Win] JavaScript crash.
3333         https://bugs.webkit.org/show_bug.cgi?id=119339
3334
3335         Reviewed by Mark Hahnenberg.
3336
3337         * jit/JITStubsX86.h: Implement ctiVMThrowTrampoline and
3338         ctiVMThrowTrampolineSlowpath the same way as the gcc x86 version does.
3339
3340 2013-07-30  Mark Hahnenberg  <mhahnenberg@apple.com>
3341
3342         GetByVal on Arguments does the wrong size load when checking the Arguments object length
3343         https://bugs.webkit.org/show_bug.cgi?id=119281
3344
3345         Reviewed by Geoffrey Garen.
3346
3347         This leads to out of bounds accesses and subsequent crashes.
3348
3349         * dfg/DFGSpeculativeJIT.cpp:
3350         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
3351         * dfg/DFGSpeculativeJIT64.cpp:
3352         (JSC::DFG::SpeculativeJIT::compile):
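
The failure mode this entry names, as an added example with a constructed layout (not the Arguments object's real one): a 32-bit element count followed by another 32-bit field, a bounds check that loads the count at 8-byte width and therefore admits out-of-range indices whenever the neighbouring field is non-zero, and the width-correct GetByVal that rejects them. Struct and function names are assumptions made for the illustration.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <optional>
#include <vector>

namespace toy_bounds {

// Constructed layout for the example (not the Arguments object's real one):
// a 32-bit element count immediately followed by another 32-bit field.
struct ArgumentsHeader {
    uint32_t numArguments;   // the real bound
    uint32_t flags;          // whatever the next field happens to hold
};
static_assert(sizeof(ArgumentsHeader) == 8, "count and neighbour must be adjacent");
static_assert(offsetof(ArgumentsHeader, flags) == 4, "neighbour sits right after the count");

struct ArgumentsLike {
    ArgumentsHeader header;
    std::vector<int32_t> slots;   // numArguments elements
};

// What a check sees when it loads the count with the wrong width: 8 bytes
// read from a 4-byte field pull the neighbouring field into the bound.
inline uint64_t lengthLoadedAsEightBytes(const ArgumentsLike& args) {
    uint64_t loaded;
    std::memcpy(&loaded, &args.header, sizeof loaded);
    return loaded;
}

// The bound the check should use: exactly the four bytes of the field.
inline uint32_t lengthLoadedAsFourBytes(const ArgumentsLike& args) {
    uint32_t loaded;
    std::memcpy(&loaded, &args.header.numArguments, sizeof loaded);
    return loaded;
}

// A bounds check built on the wrong-width load. Whenever `flags` is non-zero
// the bound is huge and indices past the end are admitted; an access guarded
// only by this check is the out-of-bounds read the entry describes.
inline bool wrongWidthCheckAdmits(const ArgumentsLike& args, uint64_t index) {
    return index < lengthLoadedAsEightBytes(args);
}

// The correct GetByVal: bound and index compared at the field's real width,
// and the element fetched only after the check passes.
inline std::optional<int32_t> getByVal(const ArgumentsLike& args, uint64_t index) {
    if (index >= lengthLoadedAsFourBytes(args))
        return std::nullopt;              // out of bounds: no load happens at all
    return args.slots.at(static_cast<size_t>(index));
}

} // namespace toy_bounds

int main() {
    toy_bounds::ArgumentsLike args{{2u, 1u}, {10, 20}};
    // The wrong-width check admits index 5; the width-correct GetByVal does not.
    return toy_bounds::wrongWidthCheckAdmits(args, 5) && !toy_bounds::getByVal(args, 5) ? 0 : 1;
}
```

The defensive point is that the load width in a bounds check must match the declared width of the bound; a check that happens to pass while the neighbouring bytes are zero is not a correct check, it is one waiting on the heap layout.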
3353
3354 2013-07-30  Oliver Hunt  <oliver@apple.com>
3355
3356         Add an assertion to SpeculateCellOperand
3357         https://bugs.webkit.org/show_bug.cgi?id=119276
3358
3359         Reviewed by Michael Saboff.
3360
3361         More assertions are better
3362
3363         * dfg/DFGSpeculativeJIT64.cpp:
3364         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3365         (JSC::DFG::SpeculativeJIT::compile):
3366
3367 2013-07-30  Mark Lam  <mark.lam@apple.com>
3368
3369         Fix problems with divot and lineStart mismatches.
3370         https://bugs.webkit.org/show_bug.cgi?id=118662.
3371
3372         Reviewed by Oliver Hunt.
3373
3374         r152494 added the recording of lineStart values for divot positions.
3375         This is needed for the computation of column numbers. Similarly, it also
3376         added the recording of line numbers for the divot positions. One problem
3377         with the approach taken was that the line and lineStart values were
3378         recorded independently, and hence were not always guaranteed to be
3379         sampled at the same place that the divot position is recorded. This
3380         resulted in potential mismatches that cause some assertions to fail.
3381
3382         The solution is to introduce a JSTextPosition abstraction that records
3383         the divot position, line, and lineStart as a single quantity. Wherever
3384         we record the divot position as an unsigned int previously, we now record
3385         its JSTextPosition which captures all 3 values in one go. This ensures
3386         that the captured line and lineStart will always match the captured divot
3387         position.
3388
3389         * bytecompiler/BytecodeGenerator.cpp:
3390         (JSC::BytecodeGenerator::emitCall):
3391         (JSC::BytecodeGenerator::emitCallEval):
3392         (JSC::BytecodeGenerator::emitCallVarargs):
3393         (JSC::BytecodeGenerator::emitConstruct):
3394         (JSC::BytecodeGenerator::emitDebugHook):
3395         - Use JSTextPosition instead of passing line and lineStart explicitly.
3396         * bytecompiler/BytecodeGenerator.h:
3397         (JSC::BytecodeGenerator::emitExpressionInfo):
3398         - Use JSTextPosition instead of passing line and lineStart explicitly.
3399         * bytecompiler/NodesCodegen.cpp:
3400         (JSC::ThrowableExpressionData::emitThrowReferenceError):
3401         (JSC::ResolveNode::emitBytecode):
3402         (JSC::BracketAccessorNode::emitBytecode):
3403         (JSC::DotAccessorNode::emitBytecode):
3404         (JSC::NewExprNode::emitBytecode):
3405         (JSC::EvalFunctionCallNode::emitBytecode):
3406         (JSC::FunctionCallValueNode::emitBytecode):
3407         (JSC::FunctionCallResolveNode::emitBytecode):
3408         (JSC::FunctionCallBracketNode::emitBytecode):
3409         (JSC::FunctionCallDotNode::emitBytecode):
3410         (JSC::CallFunctionCallDotNode::emitBytecode):
3411         (JSC::ApplyFunctionCallDotNode::emitBytecode):
3412         (JSC::PostfixNode::emitResolve):
3413         (JSC::PostfixNode::emitBracket):
3414         (JSC::PostfixNode::emitDot):
3415         (JSC::DeleteResolveNode::emitBytecode):
3416         (JSC::DeleteBracketNode::emitBytecode):
3417         (JSC::DeleteDotNode::emitBytecode):
3418         (JSC::PrefixNode::emitResolve):
3419         (JSC::PrefixNode::emitBracket):
3420         (JSC::PrefixNode::emitDot):
3421         (JSC::UnaryOpNode::emitBytecode):
3422         (JSC::BinaryOpNode::emitStrcat):
3423         (JSC::BinaryOpNode::emitBytecode):
3424         (JSC::ThrowableBinaryOpNode::emitBytecode):
3425         (JSC::InstanceOfNode::emitBytecode):
3426         (JSC::emitReadModifyAssignment):
3427         (JSC::ReadModifyResolveNode::emitBytecode):
3428         (JSC::AssignResolveNode::emitBytecode):
3429         (JSC::AssignDotNode::emitBytecode):
3430         (JSC::ReadModifyDotNode::emitBytecode):
3431         (JSC::AssignBracketNode::emitBytecode):
3432         (JSC::ReadModifyBracketNode::emitBytecode):
3433         (JSC::ForInNode::emitBytecode):
3434         (JSC::WithNode::emitBytecode):
3435         (JSC::ThrowNode::emitBytecode):
3436         - Use JSTextPosition instead of passing line and lineStart explicitly.
3437         * parser/ASTBuilder.h:
3438         - Replaced ASTBuilder::PositionInfo with JSTextPosition.
3439         (JSC::ASTBuilder::BinaryOpInfo::BinaryOpInfo):
3440         (JSC::ASTBuilder::AssignmentInfo::AssignmentInfo):
3441         (JSC::ASTBuilder::createResolve):
3442         (JSC::ASTBuilder::createBracketAccess):
3443         (JSC::ASTBuilder::createDotAccess):
3444         (JSC::ASTBuilder::createRegExp):
3445         (JSC::ASTBuilder::createNewExpr):
3446         (JSC::ASTBuilder::createAssignResolve):
3447         (JSC::ASTBuilder::createExprStatement):
3448         (JSC::ASTBuilder::createForInLoop):
3449         (JSC::ASTBuilder::createReturnStatement):
3450         (JSC::ASTBuilder::createBreakStatement):
3451         (JSC::ASTBuilder::createContinueStatement):
3452         (JSC::ASTBuilder::createLabelStatement):
3453         (JSC::ASTBuilder::createWithStatement):
3454         (JSC::ASTBuilder::createThrowStatement):
3455         (JSC::ASTBuilder::appendBinaryExpressionInfo):
3456         (JSC::ASTBuilder::appendUnaryToken):
3457         (JSC::ASTBuilder::unaryTokenStackLastStart):
3458         (JSC::ASTBuilder::assignmentStackAppend):
3459         (JSC::ASTBuilder::createAssignment):
3460         (JSC::ASTBuilder::setExceptionLocation):
3461         (JSC::ASTBuilder::makeDeleteNode):
3462         (JSC::ASTBuilder::makeFunctionCallNode):
3463         (JSC::ASTBuilder::makeBinaryNode):
3464         (JSC::ASTBuilder::makeAssignNode):
3465         (JSC::ASTBuilder::makePrefixNode):
3466         (JSC::ASTBuilder::makePostfixNode):
3467         - Use JSTextPosition instead of passing line and lineStart explicitly.
3468         * parser/Lexer.cpp:
3469         (JSC::::lex):
3470         - Added support for capturing the appropriate JSTextPositions instead
3471           of just the character offset.
3472         * parser/Lexer.h:
3473         (JSC::Lexer::currentPosition):
3474         (JSC::::lexExpectIdentifier):
3475         - Added support for capturing the appropriate JSTextPositions instead
3476           of just the character offset.
3477         * parser/NodeConstructors.h:
3478         (JSC::Node::Node):
3479         (JSC::ResolveNode::ResolveNode):
3480         (JSC::EvalFunctionCallNode::EvalFunctionCallNode):
3481         (JSC::FunctionCallValueNode::FunctionCallValueNode):
3482         (JSC::FunctionCallResolveNode::FunctionCallResolveNode):
3483         (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
3484         (JSC::FunctionCallDotNode::FunctionCallDotNode):
3485         (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
3486         (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
3487         (JSC::PostfixNode::PostfixNode):
3488         (JSC::DeleteResolveNode::DeleteResolveNode):
3489         (JSC::DeleteBracketNode::DeleteBracketNode):
3490         (JSC::DeleteDotNode::DeleteDotNode):
3491         (JSC::PrefixNode::PrefixNode):
3492         (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
3493         (JSC::ReadModifyBracketNode::ReadModifyBracketNode):
3494         (JSC::AssignBracketNode::AssignBracketNode):
3495         (JSC::AssignDotNode::AssignDotNode):
3496         (JSC::ReadModifyDotNode::ReadModifyDotNode):
3497         (JSC::AssignErrorNode::AssignErrorNode):
3498         (JSC::WithNode::WithNode):
3499         (JSC::ForInNode::ForInNode):
3500         - Use JSTextPosition instead of passing line and lineStart explicitly.
3501         * parser/Nodes.cpp:
3502         (JSC::StatementNode::setLoc):
3503         - Use JSTextPosition instead of passing line and lineStart explicitly.
3504         * parser/Nodes.h:
3505         (JSC::Node::lineNo):
3506         (JSC::Node::startOffset):
3507         (JSC::Node::lineStartOffset):
3508         (JSC::Node::position):
3509         (JSC::ThrowableExpressionData::ThrowableExpressionData):
3510         (JSC::ThrowableExpressionData::setExceptionSourceCode):
3511         (JSC::ThrowableExpressionData::divot):
3512         (JSC::ThrowableExpressionData::divotStart):
3513         (JSC::ThrowableExpressionData::divotEnd):
3514         (JSC::ThrowableSubExpressionData::ThrowableSubExpressionData):
3515         (JSC::ThrowableSubExpressionData::setSubexpressionInfo):
3516         (JSC::ThrowableSubExpressionData::subexpressionDivot):
3517         (JSC::ThrowableSubExpressionData::subexpressionStart):
3518         (JSC::ThrowableSubExpressionData::subexpressionEnd):
3519         (JSC::ThrowablePrefixedSubExpressionData::ThrowablePrefixedSubExpressionData):
3520         (JSC::ThrowablePrefixedSubExpressionData::setSubexpressionInfo):
3521         (JSC::ThrowablePrefixedSubExpressionData::subexpressionDivot):
3522         (JSC::ThrowablePrefixedSubExpressionData::subexpressionStart):
3523         (JSC::ThrowablePrefixedSubExpressionData::subexpressionEnd):
3524         - Use JSTextPosition instead of passing line and lineStart explicitly.
3525         * parser/Parser.cpp:
3526         (JSC::::Parser):
3527         (JSC::::parseInner):
3528         - Use JSTextPosition instead of passing line and lineStart explicitly.
3529         (JSC::::didFinishParsing):
3530         - Remove setting of m_lastLine value. We always pass in the value from
3531           m_lastLine anyway. So, this assignment is effectively a nop.
3532         (JSC::::parseVarDeclaration):
3533         (JSC::::parseVarDeclarationList):
3534         (JSC::::parseForStatement):
3535         (JSC::::parseBreakStatement):
3536         (JSC::::parseContinueStatement):
3537         (JSC::::parseReturnStatement):
3538         (JSC::::parseThrowStatement):
3539         (JSC::::parseWithStatement):
3540         (JSC::::parseTryStatement):
3541         (JSC::::parseBlockStatement):
3542         (JSC::::parseFunctionDeclaration):
3543         (JSC::LabelInfo::LabelInfo):
3544         (JSC::::parseExpressionOrLabelStatement):
3545         (JSC::::parseExpressionStatement):
3546         (JSC::::parseAssignmentExpression):
3547         (JSC::::parseBinaryExpression):
3548         (JSC::::parseProperty):
3549         (JSC::::parsePrimaryExpression):
3550         (JSC::::parseMemberExpression):
3551         (JSC::::parseUnaryExpression):
3552         - Use JSTextPosition instead of passing line and lineStart explicitly.
3553         * parser/Parser.h:
3554         (JSC::Parser::next):
3555         (JSC::Parser::nextExpectIdentifier):
3556         (JSC::Parser::getToken):
3557         (JSC::Parser::tokenStartPosition):
3558         (JSC::Parser::tokenEndPosition):
3559         (JSC::Parser::lastTokenEndPosition):
3560         (JSC::::parse):
3561         - Use JSTextPosition instead of passing line and lineStart explicitly.
3562         * parser/ParserTokens.h:
3563         (JSC::JSTextPosition::JSTextPosition):
3564         (JSC::JSTextPosition::operator+):
3565         (JSC::JSTextPosition::operator-):
3566         (JSC::JSTextPosition::operator int):
3567         - Added JSTextPosition.
3568         * parser/SyntaxChecker.h:
3569         (JSC::SyntaxChecker::makeFunctionCallNode):
3570         (JSC::SyntaxChecker::makeAssignNode):
3571         (JSC::SyntaxChecker::makePrefixNode):
3572         (JSC::SyntaxChecker::makePostfixNode):
3573         (JSC::SyntaxChecker::makeDeleteNode):
3574         (JSC::SyntaxChecker::createResolve):
3575         (JSC::SyntaxChecker::createBracketAccess):
3576         (JSC::SyntaxChecker::createDotAccess):
3577         (JSC::SyntaxChecker::createRegExp):
3578         (JSC::SyntaxChecker::createNewExpr):
3579         (JSC::SyntaxChecker::createAssignResolve):
3580         (JSC::SyntaxChecker::createForInLoop):
3581         (JSC::SyntaxChecker::createReturnStatement):
3582         (JSC::SyntaxChecker::createBreakStatement):
3583         (JSC::SyntaxChecker::createContinueStatement):
3584         (JSC::SyntaxChecker::createWithStatement):
3585         (JSC::SyntaxChecker::createLabelStatement):
3586         (JSC::SyntaxChecker::createThrowStatement):
3587         (JSC::SyntaxChecker::appendBinaryExpressionInfo):
3588         (JSC::SyntaxChecker::operatorStackPop):
3589         - Use JSTextPosition instead of passing line and lineStart explicitly.
3590
3591 2013-07-29  Carlos Garcia Campos  <cgarcia@igalia.com>
3592
3593         Unreviewed. Fix make distcheck.
3594
3595         * GNUmakefile.list.am: Add missing files to compilation.
3596         * bytecode/CodeBlock.cpp: Add a ENABLE(FTL_JIT) #if block to
3597         include FTL header files not included in the compilation.
3598         * dfg/DFGDriver.cpp: Ditto.
3599         * dfg/DFGPlan.cpp: Ditto.
3600
3601 2013-07-29  Chris Curtis  <chris_curtis@apple.com>
3602
3603         Eager stack trace for error objects.
3604         https://bugs.webkit.org/show_bug.cgi?id=118918
3605
3606         Reviewed by Geoffrey Garen.
3607         
3608         Chrome and Firefox give error objects the stack property and we wanted to match
3609         that functionality. This allows developers to see the stack without throwing an object.
3610
3611         * runtime/ErrorInstance.cpp:
3612         (JSC::ErrorInstance::finishCreation):
3613         For error objects that are not thrown as an exception, we pass the stackTrace in
3614         as a parameter. This allows the error object to have the stack property.
3615         
3616         * interpreter/Interpreter.cpp:
3617         (JSC::stackTraceAsString):
3618         Helper function used to eliminate duplicate code.
3619
3620         (JSC::Interpreter::addStackTraceIfNecessary):
3621         When an error object is created by the user, the vm->exceptionStack is not set.
3622         If the user throws this error object later, the stack that is in the error object
3623         may not be the correct stack for the throw, so when we set the vm->exception stack,
3624         the stack property on the error object is set as well.
3625         
3626         * runtime/ErrorConstructor.cpp:
3627         (JSC::constructWithErrorConstructor):
3628         (JSC::callErrorConstructor):
3629         * runtime/NativeErrorConstructor.cpp:
3630         (JSC::constructWithNativeErrorConstructor):
3631         (JSC::callNativeErrorConstructor):
3632         These functions indicate that the user created an error object. For all error objects 
3633         that the user explicitly creates, the topCallFrame is at a new frame created to 
3634         handle the user's call. In this case though, the error object needs the caller's 
3635         frame to create the stack trace correctly.
3636         
3637         * interpreter/Interpreter.h:
3638         * runtime/ErrorInstance.h:
3639         (JSC::ErrorInstance::create):
3640
3641 2013-07-29  Gavin Barraclough  <barraclough@apple.com>
3642
3643         Some cleanup in PropertySlot
3644         https://bugs.webkit.org/show_bug.cgi?id=119189
3645
3646         Reviewed by Geoff Garen.
3647
3648         PropertySlot represents a property in one of four states - value, getter, custom, or custom-index.
3649         The state is currently tracked redundantly by two mechanisms - the custom getter function (m_getValue)
3650         is set to a special value to indicate the type (other than custom), and the type is also tracked by
3651         an enum - but only if cacheable. Cacheability can typically be determined by the value of m_offset
3652         (this is invalidOffset if not cacheable).
3653
3654             * Internally, always track the type of the property using an enum value, PropertyType.
3655             * Use m_offset to indicate cacheable.
3656             * Keep the external interface (CachedPropertyType) unchanged.
3657             * Better pack data into the m_data union.
3658
3659         Performance neutral.
3660
3661         * dfg/DFGRepatch.cpp:
3662         (JSC::DFG::tryCacheGetByID):
3663         (JSC::DFG::tryBuildGetByIDList):
3664             - cachedPropertyType() -> isCacheable*()
3665         * jit/JITPropertyAccess.cpp:
3666         (JSC::JIT::privateCompileGetByIdProto):
3667         (JSC::JIT::privateCompileGetByIdSelfList):
3668         (JSC::JIT::privateCompileGetByIdProtoList):
3669         (JSC::JIT::privateCompileGetByIdChainList):
3670         (JSC::JIT::privateCompileGetByIdChain):
3671             - cachedPropertyType() -> isCacheable*()
3672         * jit/JITPropertyAccess32_64.cpp:
3673         (JSC::JIT::privateCompileGetByIdProto):
3674         (JSC::JIT::privateCompileGetByIdSelfList):
3675         (JSC::JIT::privateCompileGetByIdProtoList):
3676         (JSC::JIT::privateCompileGetByIdChainList):
3677         (JSC::JIT::privateCompileGetByIdChain):
3678             - cachedPropertyType() -> isCacheable*()
3679         * jit/JITStubs.cpp:
3680         (JSC::tryCacheGetByID):
3681             - cachedPropertyType() -> isCacheable*()
3682         * llint/LLIntSlowPaths.cpp:
3683         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3684             - cachedPropertyType() -> isCacheable*()
3685         * runtime/PropertySlot.cpp:
3686         (JSC::PropertySlot::functionGetter):
3687             - refactoring described above.
3688         * runtime/PropertySlot.h:
3689         (JSC::PropertySlot::PropertySlot):
3690         (JSC::PropertySlot::getValue):
3691         (JSC::PropertySlot::isCacheable):
3692         (JSC::PropertySlot::isCacheableValue):
3693         (JSC::PropertySlot::isCacheableGetter):
3694         (JSC::PropertySlot::isCacheableCustom):
3695         (JSC::PropertySlot::cachedOffset):
3696         (JSC::PropertySlot::customGetter):
3697         (JSC::PropertySlot::setValue):
3698         (JSC::PropertySlot::setCustom):
3699         (JSC::PropertySlot::setCacheableCustom):
3700         (JSC::PropertySlot::setCustomIndex):
3701         (JSC::PropertySlot::setGetterSlot):
3702         (JSC::PropertySlot::setCacheableGetterSlot):
3703         (JSC::PropertySlot::setUndefined):
3704         (JSC::PropertySlot::slotBase):
3705         (JSC::PropertySlot::setBase):
3706             - refactoring described above.
3707
3708 2013-07-28  Oliver Hunt  <oliver@apple.com>
3709
3710         REGRESSION: Crash when opening Facebook.com
3711         https://bugs.webkit.org/show_bug.cgi?id=119155
3712
3713         Reviewed by Andreas Kling.
3714
3715         Scope nodes are always objects, so we should be using SpecObjectOther
3716         rather than SpecCellOther.  Marking Scopes as CellOther leads to a
3717         contradiction in the CFA, resulting in bogus codegen.
3718
3719         * dfg/DFGAbstractInterpreterInlines.h:
3720         (JSC::DFG::::executeEffects):
3721         * dfg/DFGPredictionPropagationPhase.cpp:
3722         (JSC::DFG::PredictionPropagationPhase::propagate):
3723
3724 2013-07-26  Oliver Hunt  <oliver@apple.com>
3725
3726         REGRESSION(FTL?): Crashes in plugin tests
3727         https://bugs.webkit.org/show_bug.cgi?id=119141
3728
3729         Reviewed by Michael Saboff.
3730
3731         Re-export getStackTrace
3732
3733         * interpreter/Interpreter.h:
3734
3735 2013-07-26  Filip Pizlo  <fpizlo@apple.com>
3736
3737         REGRESSION: Crash when opening a message on Gmail
3738         https://bugs.webkit.org/show_bug.cgi?id=119105
3739
3740         Reviewed by Oliver Hunt and Mark Hahnenberg.
3741         
3742         - GetById patching in the DFG needs to be more disciplined about how it derives the
3743           slow path.
3744         
3745         - Fix some dumping code thread safety issues.
3746
3747         * bytecode/CallLinkStatus.cpp:
3748         (JSC::CallLinkStatus::dump):
3749         * bytecode/CodeBlock.cpp:
3750         (JSC::CodeBlock::dumpBytecode):
3751         * dfg/DFGRepatch.cpp:
3752         (JSC::DFG::getPolymorphicStructureList):
3753         (JSC::DFG::tryBuildGetByIDList):
3754
3755 2013-07-26  Balazs Kilvady  <kilvadyb@homejinni.com>
3756
3757         [mips] Fix LLINT build for mips backend
3758         https://bugs.webkit.org/show_bug.cgi?id=119152
3759
3760         Reviewed by Oliver Hunt.
3761
3762         * offlineasm/mips.rb:
3763
3764 2013-07-19  Mark Hahnenberg  <mhahnenberg@apple.com>
3765
3766         Setting a large numeric property on an object causes it to allocate a huge backing store
3767         https://bugs.webkit.org/show_bug.cgi?id=118914
3768
3769         Reviewed by Geoffrey Garen.
3770
3771         There are two distinct actions that we're trying to optimize for:
3772
3773         new Array(100000);
3774
3775         and:
3776
3777         a = [];
3778         a[100000] = 42;
3779         
3780         In the first case, the programmer has indicated that they expect this Array to be very big, 
3781         so they should get a contiguous array up until some threshold, above which we perform density 
3782         calculations to see if it is indeed dense enough to warrant being contiguous.
3783         
3784         In the second case, the programmer hasn't indicated anything about the size of the Array, so 
3785         we should be more conservative and assume it should be sparse until we've proven otherwise.
3786         
3787         Currently both of those cases are handled by MIN_SPARSE_ARRAY_INDEX. We should distinguish 
3788         between them for the purposes of not over-allocating large backing stores like we see on 
3789         http://www.peekanalytics.com/burgerjoints/
3790         
3791         The way that we'll do this is to keep the MIN_SPARSE_ARRAY_INDEX for the first case, and 
3792         introduce a new heuristic for the second case. If we are putting to an index above a certain 
3793         threshold (say, 1000) and it is beyond the length of the array, then we will use a sparse 
3794         map instead. So for example, in the second case above the empty array has a blank indexing 
3795         type and a length of 0. We put-by-val to an index > 1000 and > a.length, so we'll use a sparse map.
3796
3797         This fix is ~800x speedup on the accompanying regression test :-o
3798
3799         * runtime/ArrayConventions.h:
3800         (JSC::indexIsSufficientlyBeyondLengthForSparseMap):
3801         * runtime/JSObject.cpp:
3802         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
3803         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
3804         (JSC::JSObject::putByIndexBeyondVectorLength):
3805         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
3806
3807 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
3808
3809         REGRESSION(FTL): Fix lots of crashes in sh4 baseline JIT.
3810         https://bugs.webkit.org/show_bug.cgi?id=119148
3811
3812         Reviewed by Csaba Osztrogonác.
3813
3814         * jit/JSInterfaceJIT.h: "secondArgumentRegister" is wrong for sh4.
3815         * llint/LowLevelInterpreter32_64.asm: "move t0, a0" is missing
3816         in nativeCallTrampoline for sh4. Reuse MIPS implementation to avoid
3817         code duplication.
3818
3819 2013-07-26  Julien Brianceau  <jbrianceau@nds.com>
3820
3821         REGRESSION(FTL): Crash in sh4 baseline JIT.
3822         https://bugs.webkit.org/show_bug.cgi?id=119138
3823
3824         Reviewed by Csaba Osztrogonác.
3825
3826         This crash is due to an incomplete report of r150146 and r148474.
3827
3828         * jit/JITStubsSH4.h:
3829
3830 2013-07-26  Zan Dobersek  <zdobersek@igalia.com>
3831
3832         Unreviewed.
3833
3834         * Target.pri: Adding missing DFG files to the Qt build.
3835
3836 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
3837
3838         GTK and Qt buildfix after the intrusive win buildfix r153360.
3839
3840         * GNUmakefile.list.am:
3841         * Target.pri:
3842
3843 2013-07-25  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
3844
3845         Unreviewed, fix build break after r153360.
3846
3847         * CMakeLists.txt: Add CommonSlowPathsExceptions.cpp.
3848
3849 2013-07-25  Roger Fong  <roger_fong@apple.com>
3850
3851         Unreviewed build fix, AppleWin port.
3852
3853         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3854         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3855         * JavaScriptCore.vcxproj/copy-files.cmd:
3856
3857 2013-07-25  Roger Fong  <roger_fong@apple.com>
3858
3859         Unreviewed. Followup to r153360.
3860
3861         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3862         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3863
3864 2013-07-25  Michael Saboff  <msaboff@apple.com>
3865
3866         [Windows] Speculative build fix.
3867
3868         Moved interpreterThrowInCaller() out of LLintExceptions.cpp into new CommonSlowPathsExceptions.cpp
3869         that is always compiled.  Made LLInt::returnToThrow() conditional on LLINT being enabled.
3870
3871         * JavaScriptCore.xcodeproj/project.pbxproj:
3872         * llint/LLIntExceptions.cpp:
3873         * llint/LLIntExceptions.h:
3874         * llint/LLIntSlowPaths.cpp:
3875         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3876         * runtime/CommonSlowPaths.cpp:
3877         (JSC::SLOW_PATH_DECL):
3878         * runtime/CommonSlowPathsExceptions.cpp: Added.
3879         (JSC::CommonSlowPaths::interpreterThrowInCaller):
3880         * runtime/CommonSlowPathsExceptions.h: Added.
3881
3882 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
3883
3884         [Windows] Unreviewed build fix.
3885
3886         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing IntendedStructureChange.h,.cpp and
3887         parser/SourceCode.h,.cpp.
3888         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
3889
3890 2013-07-25  Anders Carlsson  <andersca@apple.com>
3891
3892         ASSERT(m_vm->apiLock().currentThreadIsHoldingLock()); fails for Safari on current ToT
3893         https://bugs.webkit.org/show_bug.cgi?id=119108
3894
3895         Reviewed by Mark Hahnenberg.
3896
3897         Add a currentThreadIsHoldingAPILock() function to VM that checks if the current thread is the exclusive API thread.
3898
3899         * heap/CopiedSpace.cpp:
3900         (JSC::CopiedSpace::tryAllocateSlowCase):
3901         * heap/Heap.cpp:
3902         (JSC::Heap::protect):
3903         (JSC::Heap::unprotect):
3904         (JSC::Heap::collect):
3905         * heap/MarkedAllocator.cpp:
3906         (JSC::MarkedAllocator::allocateSlowCase):
3907         * runtime/JSGlobalObject.cpp:
3908         (JSC::JSGlobalObject::init):
3909         * runtime/VM.h:
3910         (JSC::VM::currentThreadIsHoldingAPILock):
3911
3912 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
3913
3914         REGRESSION(FTL): Most layout tests crash
3915         https://bugs.webkit.org/show_bug.cgi?id=119089
3916
3917         Reviewed by Oliver Hunt.
3918
3919         * runtime/ExecutionHarness.h:
3920         (JSC::prepareForExecution): Move prepareForExecutionImpl call into its own statement. This prevents the GCC-compiled
3921         code from creating the PassOwnPtr<JSC::JITCode> (intended as a parameter to the installOptimizedCode call) from the jitCode
3922         RefPtr<JSC::JITCode> parameter before the latter was actually given a proper value through the prepareForExecutionImpl call.
3923         Currently it's created beforehand and therefore holds a null pointer before it's anchored as the JIT code in
3924         JSC::CodeBlock::setJITCode, which later indirectly causes assertions in JSC::CodeBlock::jitCompile.
3925         (JSC::prepareFunctionForExecution): Ditto for prepareFunctionForExecutionImpl.
3926
3927 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
3928
3929         [Windows] Unreviewed build fix.
3930
3931         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Add missing 'ftl'
3932         include path.
3933
3934 2013-07-25  Brent Fulgham  <bfulgham@apple.com>
3935
3936         [Windows] Unreviewed build fix.
3937
3938         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add some missing files:
3939         runtime/VM.h,.cpp; Remove deleted JSGlobalData.h,.cpp.
3940         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
3941
3942 2013-07-25  Oliver Hunt  <oliver@apple.com>
3943
3944         Make all jit & non-jit combos build cleanly
3945         https://bugs.webkit.org/show_bug.cgi?id=119102
3946
3947         Reviewed by Anders Carlsson.
3948
3949         * bytecode/CodeBlock.cpp:
3950         (JSC::CodeBlock::counterValueForOptimizeSoon):
3951         * bytecode/CodeBlock.h:
3952         (JSC::CodeBlock::optimizeAfterWarmUp):
3953         (JSC::CodeBlock::numberOfDFGCompiles):
3954
3955 2013-07-25  Oliver Hunt  <oliver@apple.com>
3956
3957         32-bit portion of load validation logic
3958         https://bugs.webkit.org/show_bug.cgi?id=118878
3959
3960         Reviewed by NOBODY (Build fix).
3961
3962         * dfg/DFGSpeculativeJIT32_64.cpp:
3963         (JSC::DFG::SpeculativeJIT::compile):
3964
3965 2013-07-25  Oliver Hunt  <oliver@apple.com>
3966
3967         More 32-bit build fixes
3968
3969         - Apparently some compilers don't track the fastcall directive everywhere we expect
3970
3971         * API/APICallbackFunction.h:
3972         (JSC::APICallbackFunction::call):
3973         * bytecode/CodeBlock.cpp:
3974         * runtime/Structure.cpp:
3975
3976 2013-07-25  Yi Shen  <max.hong.shen@gmail.com>
3977
3978         Optimize the thread locks for API Shims
3979         https://bugs.webkit.org/show_bug.cgi?id=118573
3980
3981         Reviewed by Geoffrey Garen.