[WebKit.git] / Source / JavaScriptCore / ChangeLog
2011-09-27  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT cannot compile op_new_object, op_new_array,
        op_new_array_buffer, or op_new_regexp
        https://bugs.webkit.org/show_bug.cgi?id=68580

        Reviewed by Oliver Hunt.

        This implements all four opcodes, but has op_new_regexp turned off
        by default because it unveils some bad speculation logic when
        compiling string-validate-input.

        With op_new_regexp turned off, this is a 5% win on Kraken and a
        0.7% speed-up on V8. Neutral on SunSpider.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::callOperation):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasConstantBuffer):
        (JSC::DFG::Node::startConstant):
        (JSC::DFG::Node::numConstants):
        (JSC::DFG::Node::hasRegexpIndex):
        (JSC::DFG::Node::regexpIndex):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::isKnownArray):

2011-09-27  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT should speculate more aggressively on reads of array.length
        https://bugs.webkit.org/show_bug.cgi?id=68932

        Reviewed by Oliver Hunt.

        This is a 2% speed-up on Kraken, neutral elsewhere.

        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-27  Gavin Barraclough  <barraclough@apple.com>

        DFG JIT - merge changes between 95905 - 96175
        https://bugs.webkit.org/show_bug.cgi?id=68963

        Reviewed by Sam Weinig.

        Merge missing changes from bug#68677, bug#68784, bug#68785.

        * dfg/DFGJITCompiler32_64.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileBody):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-27  Gavin Barraclough  <barraclough@apple.com>

        Get JSVALUE32_64 DFG JIT building on OS X.
        https://bugs.webkit.org/show_bug.cgi?id=68961

        Reviewed by Geoff Garen.

        * Merge bug #68763 (DFG JIT should not eagerly initialize integer tags in the register file).
        * Forward-declare functions in DFGOperations.cpp
        * UNUSED_PARAM for unused arguments
        * NO_RETURN for unimplemented functions that ASSERT_NOT_REACHED
        * Fix argument types handled by OpInfo constructor.
        * Use SYMBOL_STRING instead of STRINGIZE for asm symbols.
        * Add files to Xcode project.

2011-09-27  Yuqiang Xian  <yuqiang.xian@intel.com>

        Bug fixes for GetById, PutById, and GetByOffset in JSVALUE32_64 DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=68755

        Reviewed by Gavin Barraclough.

        We need to load/store and repatch both tag and payload of a property
        for GetById/PutById. Also reorder the loads of tag and payload for
        GetByOffset as the result tag GPR could reuse the storage GPR.

        * bytecode/StructureStubInfo.h:
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::cachedGetById):
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addPropertyAccess):
        (JSC::DFG::JITCompiler::PropertyAccessRecord::PropertyAccessRecord):
        * dfg/DFGJITCompiler32_64.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgRepatchByIdSelfAccess):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-24  Gavin Barraclough  <barraclough@apple.com>

        Macro assembler branch8 & 16 methods vary in treatment of upper bits
        https://bugs.webkit.org/show_bug.cgi?id=68301

        Reviewed by Sam Weinig.

        Fix for branch16 - remove it!
        No performance impact.

        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM.h:
        * assembler/MacroAssemblerARMv7.h:
        * assembler/MacroAssemblerMIPS.h:
        * assembler/MacroAssemblerSH4.h:
        * assembler/MacroAssemblerX86Common.h:
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::jumpIfCharNotEquals):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy):
        (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy):

2011-09-27  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add static version of JSCell::getCallData
        https://bugs.webkit.org/show_bug.cgi?id=68741

        Reviewed by Darin Adler.

        In this patch we just extract the bodies of the virtual getCallData methods
        throughout the JSCell inheritance hierarchy out into static methods, which are
        now called from the virtual methods.  This is an intermediate step in trying to
        move the virtual-ness of getCallData into our own method table stored in
        ClassInfo.  We need to convert the methods to static methods because static methods
        can be represented as function pointers rather than pointers to member functions, and
        function pointers are smaller and faster to call than pointers to member functions.

        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::getCallDataVirtual):
        (JSC::JSCallbackFunction::getCallData):
        * API/JSCallbackFunction.h:
        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::getCallDataVirtual):
        (JSC::::getCallData):
        * API/JSObjectRef.cpp:
        (JSObjectIsFunction):
        (JSObjectCallAsFunction):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::getCallDataVirtual):
        (JSC::ArrayConstructor::getCallData):
        * runtime/ArrayConstructor.h:
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::getCallDataVirtual):
        (JSC::BooleanConstructor::getCallData):
        * runtime/BooleanConstructor.h:
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::getCallDataVirtual):
        (JSC::DateConstructor::getCallData):
        * runtime/DateConstructor.h:
        * runtime/Error.cpp:
        (JSC::StrictModeTypeErrorFunction::getCallDataVirtual):
        (JSC::StrictModeTypeErrorFunction::getCallData):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::getCallDataVirtual):
        (JSC::ErrorConstructor::getCallData):
        * runtime/ErrorConstructor.h:
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::getCallDataVirtual):
        (JSC::FunctionConstructor::getCallData):
        * runtime/FunctionConstructor.h:
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::getCallDataVirtual):
        (JSC::FunctionPrototype::getCallData):
        * runtime/FunctionPrototype.h:
        * runtime/InternalFunction.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::getCallDataVirtual):
        (JSC::JSCell::getCallData):
        * runtime/JSCell.h:
        (JSC::getCallData):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getCallDataVirtual):
        (JSC::JSFunction::getCallData):
        * runtime/JSFunction.h:
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::toJSON):
        (JSC::Stringifier::appendStringifiedValue):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::getCallDataVirtual):
        (JSC::NativeErrorConstructor::getCallData):
        * runtime/NativeErrorConstructor.h:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getCallDataVirtual):
        (JSC::NumberConstructor::getCallData):
        * runtime/NumberConstructor.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::getCallDataVirtual):
        (JSC::ObjectConstructor::getCallData):
        * runtime/ObjectConstructor.h:
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        (JSC::jsIsObjectType):
        (JSC::jsIsFunctionType):
        * runtime/PropertySlot.cpp:
        (JSC::PropertySlot::functionGetter):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getCallDataVirtual):
        (JSC::RegExpConstructor::getCallData):
        * runtime/RegExpConstructor.h:
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::getCallDataVirtual):
        (JSC::StringConstructor::getCallData):
        * runtime/StringConstructor.h:

2011-09-27  Tim Horton  <timothy_horton@apple.com>

        Rapidly refreshing a feMorphology[erode] with r=0 can sometimes cause display corruption
        https://bugs.webkit.org/show_bug.cgi?id=68816
        <rdar://problem/10186468>

        Reviewed by Simon Fraser.

        Add ByteArray::clear, which zeros the memory in the ByteArray.

        * wtf/ByteArray.h:
        (WTF::ByteArray::clear): Added.

2011-09-27  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r96131.
        http://trac.webkit.org/changeset/96131
        https://bugs.webkit.org/show_bug.cgi?id=68927

        It made 18+ tests crash on all platforms (Requested by
        Ossy_night on #webkit).

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::throwException):
        * interpreter/Interpreter.h:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        * parser/Parser.h:
        (JSC::Parser::parse):
        * runtime/CommonIdentifiers.h:
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        * runtime/Error.h:

2011-09-27  Mark Hahnenberg  <mhahnenberg@apple.com>

        De-virtualize JSCell::getPrimitiveNumber
        https://bugs.webkit.org/show_bug.cgi?id=68851

        Reviewed by Darin Adler.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

        Changed JSCell::getPrimitiveNumber to manually handle the dispatch for
        JSCells (JSObject and JSString in this case).
        * runtime/JSCell.cpp:
        (JSC::JSCell::getPrimitiveNumber):
        * runtime/JSCell.h:

        Removed JSNotAnObject::getPrimitiveNumber since its return value doesn't
        matter and it already implements defaultValue, so JSObject::getPrimitiveNumber
        can cover the case for JSNotAnObject.
        * runtime/JSNotAnObject.cpp:
        * runtime/JSNotAnObject.h:

        De-virtualized JSObject::getPrimitiveNumber and JSString::getPrimitiveNumber
        and changed them to be const.  Also made JSString::getPrimitiveNumber public
        because it needs to be called from JSCell::getPrimitiveNumber and also since it's
        no longer virtual, we want people who have a more specific pointer (JSString*
        instead of JSCell*) to not have to pay the cost of a virtual method call.
        * runtime/JSObject.cpp:
        (JSC::JSObject::getPrimitiveNumber):
        * runtime/JSObject.h:
        * runtime/JSString.cpp:
        (JSC::JSString::getPrimitiveNumber):
        * runtime/JSString.h:

2011-09-27  Juan Carlos Montemayor Elosua  <j.mont@me.com>

        Implement Error.stack
        https://bugs.webkit.org/show_bug.cgi?id=66994

        Reviewed by Oliver Hunt.

        This patch utilizes topCallFrame to create a stack trace when
        an error is thrown. Users will also be able to use the stack()
        command in jsc to get arrays with stack trace information.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * interpreter/Interpreter.cpp:
        (JSC::getCallerLine):
        (JSC::getSourceURLFromCallFrame):
        (JSC::getStackFrameCodeType):
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::throwException):
        * interpreter/Interpreter.h:
        (JSC::StackFrame::toString):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionJSCStack):
        * parser/Parser.h:
        (JSC::Parser::parse):
        * runtime/CommonIdentifiers.h:
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        * runtime/Error.h:

2011-09-27  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK] Reorganize header files
        https://bugs.webkit.org/show_bug.cgi?id=65616

        Reviewed by Martin Robinson.

        Install header files under $libwebkitgtkincludedir/JavaScriptCore.

        * GNUmakefile.am: Use $libwebkitgtkincludedir.
        * javascriptcoregtk.pc.in: Use webkitgtk-<api-version> as include dir.

2011-09-26  Geoffrey Garen  <ggaren@apple.com>

        REGRESSION (r95912): Conservative marking doesn't filter out pointers to
        MarkedBlock metadata
        https://bugs.webkit.org/show_bug.cgi?id=68860

        Reviewed by Oliver Hunt.

        Bencher says no performance change, maybe a 7% speedup on kraken-imaging-darkroom.

        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::isAtomAligned): Renamed atomMask to atomAlignmentMask
        because the mask doesn't produce the actual atom number.

        (JSC::MarkedBlock::isLiveCell): Testing just for alignment isn't good
        enough; we also need to test that a pointer is beyond the metadata section
        of a MarkedBlock, to avoid treating random metadata as a JSCell.
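
        The isLiveCell check described in the entry above, reconstructed as an added C++ example
        (not JSC's own code; block size, atom size, metadata size and the mark-bit layout are
        assumptions for the demo): the alignment-only test accepts a conservative root that points
        into the block's bookkeeping bytes, while the fixed test also requires the pointer to lie
        past the metadata section.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed model of a MarkedBlock (sizes are demo assumptions, not JSC's):
// a block-aligned region whose first metadataSize bytes hold bookkeeping,
// followed by cells laid out in fixed-size atoms with one mark bit per atom.
constexpr size_t blockSize = 16 * 1024;
constexpr size_t atomSize = 16;
constexpr size_t metadataSize = 256;
constexpr size_t atomsPerBlock = blockSize / atomSize;
constexpr size_t firstAtom = metadataSize / atomSize;
constexpr uintptr_t blockMask = ~static_cast<uintptr_t>(blockSize - 1);
constexpr uintptr_t atomAlignmentMask = atomSize - 1;

struct Block {
    uintptr_t base;              // block-aligned start address
    bool marked[atomsPerBlock];  // mark bits, indexed by atom number
};

// Pre-fix check: block membership and atom alignment only. A conservative
// root that happens to point into the metadata region passes, so random
// bookkeeping bytes would be treated (and traced) as if they were a JSCell.
bool isLiveCellAlignmentOnly(const Block& b, uintptr_t p)
{
    if ((p & blockMask) != b.base)
        return false;              // not inside this block at all
    if (p & atomAlignmentMask)
        return false;              // not atom-aligned, cannot be a cell start
    return b.marked[(p - b.base) / atomSize];
}

// Fixed check: the pointer must additionally lie beyond the metadata section.
bool isLiveCell(const Block& b, uintptr_t p)
{
    if ((p & blockMask) != b.base)
        return false;
    if (p & atomAlignmentMask)
        return false;
    size_t atom = (p - b.base) / atomSize;
    if (atom < firstAtom)
        return false;              // inside metadata: never a cell
    return b.marked[atom];
}

// Constructed sample block: the entry for atom 0 lies in the metadata region,
// so whatever bookkeeping happens to be stored there plays the role of its
// "mark bit" (set here to simulate that); the first real cell is marked live.
Block makeDemoBlock()
{
    Block b{};
    b.base = 0x10000;  // 16 KiB aligned
    b.marked[0] = true;
    b.marked[firstAtom] = true;
    return b;
}

int main()
{
    Block b = makeDemoBlock();
    uintptr_t metadataPtr = b.base;                 // points at bookkeeping
    uintptr_t cellPtr = b.base + metadataSize;      // first cell in the block
    std::printf("alignment-only: metadata=%d cell=%d\n",
                isLiveCellAlignmentOnly(b, metadataPtr),
                isLiveCellAlignmentOnly(b, cellPtr));
    std::printf("fixed:          metadata=%d cell=%d\n",
                isLiveCell(b, metadataPtr), isLiveCell(b, cellPtr));
    return 0;
}
```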
366
367 2011-09-26  Mark Hahnenberg  <mhahnenberg@apple.com>
368
369         Make JSCell::toBoolean non-virtual
370         https://bugs.webkit.org/show_bug.cgi?id=67727
371
372         Reviewed by Geoffrey Garen.
373
374         JSCell::toBoolean now manually performs the toBoolean check for objects and strings (where 
375         before it was simply virtual and would crash if its implementation was called). 
376         Its descendants in JSObject and JSString have also been made non-virtual.  JSCell now
377         explicitly covers all cases of toBoolean, so having a virtual implementation of 
378         JSCell::toBoolean is no longer necessary.  This is part of a larger process of un-virtualizing JSCell.
379
380         * JavaScriptCore.exp:
381         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
382         * runtime/JSCell.cpp:
383         * runtime/JSCell.h:
384         * runtime/JSNotAnObject.cpp:
385         * runtime/JSNotAnObject.h:
386         * runtime/JSObject.h:
387         * runtime/JSString.h:
388         (JSC::JSCell::toBoolean):
389         (JSC::JSValue::toBoolean):
390
391 2011-09-26  Chris Marrin  <cmarrin@apple.com>
392
393         Enable requestAnimationFrame on Windows
394         https://bugs.webkit.org/show_bug.cgi?id=68397
395
396         Reviewed by Simon Fraser.
397
398         Enabled REQUEST_ANIMATION_FRAME_TIMER for Windows
399
400         * wtf/Platform.h:
401
402 2011-09-26  Noel Gordon  <noel.gordon@gmail.com>
403
404         [Chromium] Remove DFGAliasTracker.h references from gyp project files
405         https://bugs.webkit.org/show_bug.cgi?id=68787
406
407         Reviewed by Geoffrey Garen.
408
409         DFG/DFGAliasTracker.h was removed in r95389.  Cleanup (remove) references
410         to that file from the gyp project files.
411
412         * JavaScriptCore.gypi:
413
414 2011-09-26  Zoltan Herczeg  <zherczeg@webkit.org>
415
416         [Qt]REGRESSION(r95865): It made 4 tests crash
417         https://bugs.webkit.org/show_bug.cgi?id=68780
418         
419         Reviewed by Oliver Hunt.
420
421         emitJumpSlowCaseIfNotJSCell(...) cannot be moved
422         away since the next load depends on it.
423
424         * jit/JITPropertyAccess32_64.cpp:
425         (JSC::JIT::emit_op_put_by_val):
426
427 2011-09-25  Mark Hahnenberg  <mhahnenberg@apple.com>
428
429         Add custom vtable struct to ClassInfo struct
430         https://bugs.webkit.org/show_bug.cgi?id=68567
431
432         Reviewed by Oliver Hunt.
433
434         Declared/defined the MethodTable struct and added it to the ClassInfo struct.
435         Also defined the CREATE_METHOD_TABLE macro to generate these method tables 
436         succinctly where they need to be defined.
437
438         Also added to it the first function to use this macro, visitChildren. 
439
440         This is part of the process of getting rid of all C++ virtual methods in JSCell.  
441         Eventually all virtual functions in JSCell that can't easily be converted to 
442         non-virtual functions will be put into this custom vtable structure.
443         * runtime/ClassInfo.h:
444
445         Added the CREATE_METHOD_TABLE macro call as the last argument to each of the 
446         ClassInfo structs declared in these classes.  This saves us from having to visit 
447         each s_info definition in the future when we add more methods to the MethodTable.
448         * API/JSCallbackConstructor.cpp:
449         * API/JSCallbackFunction.cpp:
450         * API/JSCallbackObject.cpp:
451         * JavaScriptCore.exp:
452         * runtime/Arguments.cpp:
453         * runtime/ArrayConstructor.cpp:
454         * runtime/ArrayPrototype.cpp:
455         * runtime/BooleanObject.cpp:
456         * runtime/BooleanPrototype.cpp:
457         * runtime/DateConstructor.cpp:
458         * runtime/DateInstance.cpp:
459         * runtime/DatePrototype.cpp:
460         * runtime/ErrorInstance.cpp:
461         * runtime/ErrorPrototype.cpp:
462         * runtime/ExceptionHelpers.cpp:
463         * runtime/Executable.cpp:
464         * runtime/GetterSetter.cpp:
465         * runtime/InternalFunction.cpp:
466         * runtime/JSAPIValueWrapper.cpp:
467         * runtime/JSActivation.cpp:
468         * runtime/JSArray.cpp:
469         * runtime/JSByteArray.cpp:
470         * runtime/JSFunction.cpp:
471         * runtime/JSGlobalObject.cpp:
472         * runtime/JSONObject.cpp:
473         * runtime/JSObject.cpp:
474         * runtime/JSPropertyNameIterator.cpp:
475         * runtime/JSString.cpp:
476         * runtime/MathObject.cpp:
477         * runtime/NativeErrorConstructor.cpp:
478         * runtime/NumberConstructor.cpp:
479         * runtime/NumberObject.cpp:
480         * runtime/NumberPrototype.cpp:
481         * runtime/ObjectConstructor.cpp:
482         * runtime/ObjectPrototype.cpp:
483         * runtime/RegExp.cpp:
484         * runtime/RegExpConstructor.cpp:
485         * runtime/RegExpObject.cpp:
486         * runtime/RegExpPrototype.cpp:
487         * runtime/ScopeChain.cpp:
488         * runtime/StringConstructor.cpp:
489         * runtime/StringObject.cpp:
490         * runtime/StringPrototype.cpp:
491         * runtime/Structure.cpp:
492         * runtime/StructureChain.cpp:
493
494         Had to make visitChildren and visitChildrenVirtual protected instead of private
495         because some of the subclasses of JSWrapperObject need access to JSWrapperObject's
496         visitChildren function pointer in their vtable since they don't provide their own
497         implementation. Same for RegExpObject.
498         * runtime/JSWrapperObject.h:
499         * runtime/RegExpObject.h:
500
501 2011-09-25  Adam Barth  <abarth@webkit.org>
502
503         Finish removing PLATFORM(BREWMP) by removing associated code
504         https://bugs.webkit.org/show_bug.cgi?id=68779
505
506         Reviewed by Sam Weinig.
507
508         * JavaScriptCore.gyp/JavaScriptCore.gyp:
509         * JavaScriptCore.gypi:
510         * gyp/JavaScriptCore.gyp:
511         * wscript:
512         * wtf/FastMalloc.cpp:
513         (WTF::fastMallocSize):
514         * wtf/Vector.h:
515         * wtf/brew: Removed.
516         * wtf/brew/MainThreadBrew.cpp: Removed.
517         * wtf/brew/OwnPtrBrew.cpp: Removed.
518         * wtf/brew/RefPtrBrew.h: Removed.
519         * wtf/brew/ShellBrew.h: Removed.
520         * wtf/brew/StringBrew.cpp: Removed.
521         * wtf/brew/SystemMallocBrew.h: Removed.
522         * wtf/unicode/brew: Removed.
523         * wtf/unicode/brew/UnicodeBrew.cpp: Removed.
524         * wtf/unicode/brew/UnicodeBrew.h: Removed.
525
526 2011-09-25  Filip Pizlo  <fpizlo@apple.com>
527
528         DFG JIT does not count speculation successes correctly
529         https://bugs.webkit.org/show_bug.cgi?id=68785
530
531         Reviewed by Geoffrey Garen.
532
533         * dfg/DFGJITCompiler.cpp:
534         (JSC::DFG::JITCompiler::compileEntry):
535         (JSC::DFG::JITCompiler::compileBody):
536         * dfg/DFGOperations.cpp:
537
538 2011-09-25  Filip Pizlo  <fpizlo@apple.com>
539
540         DFG support for op_resolve_global is not enabled
541         https://bugs.webkit.org/show_bug.cgi?id=68786
542
543         Reviewed by Geoffrey Garen.
544
545         * dfg/DFGCapabilities.h:
546         (JSC::DFG::canCompileOpcode):
547
548 2011-09-25  Filip Pizlo  <fpizlo@apple.com>
549
550         DFG static prediction code is no longer needed and should be removed
551         https://bugs.webkit.org/show_bug.cgi?id=68784
552
553         Reviewed by Oliver Hunt.
554         
555         This gets rid of static prediction code, and ensures that we do not
556         try to compile code where dynamic predictions are not available.
557         This is accomplished by immediately performing an OSR exit wherever
558         a value is retrieved for which no predictions exist.
559         
560         This also adds value profiling for this on functions used for calls.
561         
562         The heuristics for deciding when to optimize code are also tweaked,
563         since it is now profitable to optimize sooner. This may need to be
564         tweaked further, but this patch only makes minimal changes.
565         
566         This results in a 16% speed-up on Kraken/ai-astar, leading to a 3%
567         overall win on Kraken.  It's neutral elsewhere.
568
569         * bytecode/CodeBlock.cpp:
570         (JSC::CodeBlock::shouldOptimizeNow):
571         (JSC::CodeBlock::dumpValueProfiles):
572         * bytecode/CodeBlock.h:
573         * bytecode/PredictedType.cpp:
574         (JSC::predictionToString):
575         * bytecode/PredictedType.h:
576         (JSC::isCellPrediction):
577         (JSC::isObjectPrediction):
578         (JSC::isFinalObjectPrediction):
579         (JSC::isStringPrediction):
580         (JSC::isArrayPrediction):
581         (JSC::isInt32Prediction):
582         (JSC::isDoublePrediction):
583         (JSC::isNumberPrediction):
584         (JSC::isBooleanPrediction):
585         (JSC::mergePredictions):
586         * bytecode/PredictionTracker.h:
587         (JSC::PredictionTracker::predictArgument):
588         (JSC::PredictionTracker::predict):
589         (JSC::PredictionTracker::predictGlobalVar):
590         * bytecode/ValueProfile.cpp:
591         (JSC::ValueProfile::computeUpdatedPrediction):
592         * dfg/DFGByteCodeParser.cpp:
593         (JSC::DFG::ByteCodeParser::set):
594         (JSC::DFG::ByteCodeParser::addCall):
595         (JSC::DFG::ByteCodeParser::getPrediction):
596         (JSC::DFG::ByteCodeParser::parseBlock):
597         * dfg/DFGGraph.cpp:
598         (JSC::DFG::Graph::predictArgumentTypes):
599         * dfg/DFGGraph.h:
600         (JSC::DFG::Graph::predict):
601         (JSC::DFG::Graph::predictGlobalVar):
602         (JSC::DFG::Graph::getMethodCheckPrediction):
603         (JSC::DFG::Graph::getJSConstantPrediction):
604         (JSC::DFG::Graph::getPrediction):
605         * dfg/DFGJITCodeGenerator.cpp:
606         (JSC::DFG::JITCodeGenerator::writeBarrier):
607         (JSC::DFG::JITCodeGenerator::emitBranch):
608         * dfg/DFGJITCompiler.h:
609         (JSC::DFG::JITCompiler::getPrediction):
610         * dfg/DFGNode.h:
611         (JSC::DFG::Node::valueOfJSConstantNode):
612         (JSC::DFG::Node::isInt32Constant):
613         (JSC::DFG::Node::isDoubleConstant):
614         (JSC::DFG::Node::isNumberConstant):
615         (JSC::DFG::Node::isBooleanConstant):
616         (JSC::DFG::Node::predict):
617         * dfg/DFGPropagator.cpp:
618         (JSC::DFG::Propagator::Propagator):
619         (JSC::DFG::Propagator::propagateNodePredictions):
620         (JSC::DFG::Propagator::fixupNode):
621         (JSC::DFG::Propagator::isPredictedNumerical):
622         (JSC::DFG::Propagator::logicalNotIsPure):
623         * dfg/DFGSpeculativeJIT.cpp:
624         (JSC::DFG::SpeculativeJIT::compile):
625         * dfg/DFGSpeculativeJIT.h:
626         (JSC::DFG::SpeculativeJIT::shouldSpeculateInteger):
627         (JSC::DFG::SpeculativeJIT::shouldSpeculateDouble):
628         (JSC::DFG::SpeculativeJIT::shouldSpeculateNumber):
629         (JSC::DFG::SpeculativeJIT::shouldNotSpeculateInteger):
630         (JSC::DFG::SpeculativeJIT::shouldSpeculateFinalObject):
631         (JSC::DFG::SpeculativeJIT::shouldSpeculateArray):
632         (JSC::DFG::SpeculativeJIT::shouldSpeculateObject):
633         (JSC::DFG::SpeculativeJIT::shouldSpeculateCell):
634         * jit/JIT.cpp:
635         (JSC::JIT::privateCompile):
636
637 2011-09-25  Filip Pizlo  <fpizlo@apple.com>
638
639         DFG JIT Construct opcode takes a this argument even though it's
640         not passed
641         https://bugs.webkit.org/show_bug.cgi?id=68782
642
643         Reviewed by Oliver Hunt.
644         
645         This is performance-neutral, mostly. It's a slight speed-up on
646         v8-splay.
647         
648         * dfg/DFGByteCodeParser.cpp:
649         (JSC::DFG::ByteCodeParser::addCall):
650         * dfg/DFGJITCodeGenerator.cpp:
651         (JSC::DFG::JITCodeGenerator::emitCall):
652
653 2011-09-25  Filip Pizlo  <fpizlo@apple.com>
654
655         DFG tracking of the value in cachedResultRegister does not handle
656         op_mov correctly
657         https://bugs.webkit.org/show_bug.cgi?id=68781
658
659         Reviewed by Oliver Hunt.
660         
661         This takes the simplest approach: it makes the old JIT dumber rather
662         than making the DFG JIT smarter. This is performance-neutral.
663
664         * jit/JIT.h:
665         (JSC::JIT::canBeOptimized):
666         * jit/JITOpcodes.cpp:
667         (JSC::JIT::emit_op_mov):
668
669 2011-09-25  Adam Barth  <abarth@webkit.org>
670
671         Remove PLATFORM(HAIKU) and associated code
672         https://bugs.webkit.org/show_bug.cgi?id=68774
673
674         Reviewed by Sam Weinig.
675
676         * JavaScriptCore.gyp/JavaScriptCore.gyp:
677         * JavaScriptCore.gypi:
678         * gyp/JavaScriptCore.gyp:
679         * heap/MachineStackMarker.cpp:
680         * wtf/PageAllocation.h:
681         * wtf/Platform.h:
682         * wtf/StackBounds.cpp:
683         * wtf/haiku: Removed.
684         * wtf/haiku/MainThreadHaiku.cpp: Removed.
685         * wtf/haiku/StringHaiku.cpp: Removed.
686         * wtf/text/WTFString.h:
687
688 2011-09-24  Adam Barth  <abarth@webkit.org>
689
690         Always enable ENABLE(OFFLINE_WEB_APPLICATIONS)
691         https://bugs.webkit.org/show_bug.cgi?id=68767
692
693         Reviewed by Eric Seidel.
694
695         * Configurations/FeatureDefines.xcconfig:
696
697 2011-09-24  Filip Pizlo  <fpizlo@apple.com>
698
699         JIT implementation of put_by_val increments m_length instead of setting
700         it to index+1
701         https://bugs.webkit.org/show_bug.cgi?id=68766
702
703         Reviewed by Geoffrey Garen.
704
705         * jit/JITPropertyAccess.cpp:
706         (JSC::JIT::emit_op_put_by_val):
707
708 2011-09-24  Geoffrey Garen  <ggaren@apple.com>
709
710         More build fixage.
711
712         * heap/ConservativeRoots.cpp: Our system of #includes, it is chaos.
713
714 2011-09-24  Filip Pizlo  <fpizlo@apple.com>
715
716         The DFG should not attempt to guess types in the absence of value
717         profiles
718         https://bugs.webkit.org/show_bug.cgi?id=68677
719
720         Reviewed by Oliver Hunt.
721         
722         This adds the ForceOSRExit node, which is ignored by the propagator
723         and virtual register allocator (and hence ensuring that liveness analysis
724         works correctly), but forces terminateSpeculativeExecution() in the
725         back-end. This appears to be a slight speed-up on benchmark averages,
726         with ~5% swings on individual benchmarks, in both directions. But it's
727         never a regression on any average, and appears to be a ~1% progression
728         in the SunSpider average.
729         
730         This also adds a bit better debugging support in the old JIT and in DFG,
731         as this was necessary to debug the much more frequent OSR transitions
732         that occur with this change.
733
734         * dfg/DFGByteCodeParser.cpp:
735         (JSC::DFG::ByteCodeParser::addCall):
736         (JSC::DFG::ByteCodeParser::getStrongPrediction):
737         (JSC::DFG::ByteCodeParser::parseBlock):
738         * dfg/DFGJITCompiler.cpp:
739         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
740         * dfg/DFGNode.h:
741         * dfg/DFGPropagator.cpp:
742         (JSC::DFG::Propagator::propagateNodePredictions):
743         * dfg/DFGSpeculativeJIT.cpp:
744         (JSC::DFG::SpeculativeJIT::compile):
745         * jit/JIT.cpp:
746         (JSC::JIT::privateCompileMainPass):
747         (JSC::JIT::privateCompileSlowCases):
748         (JSC::JIT::privateCompile):
749         * jit/JIT.h:
750
751 2011-09-24  Geoffrey Garen  <ggaren@apple.com>
752
753         Some Windows build fixage.
754
755         * heap/MarkedBlock.cpp:
756         (JSC::MarkedBlock::sweep):
757         * heap/MarkedBlock.h:
758         (JSC::MarkedBlock::isLive): Show the compiler that all control paths
759         return a value. There, there, compiler. Everything's going to be OK.
760
761         * runtime/JSCell.h:
762         (JSC::JSCell::setVPtr): Oops! Unrename this function.
763
764 2011-09-24  Geoffrey Garen  <ggaren@apple.com>
765
766         Allocate new objects unmarked
767         https://bugs.webkit.org/show_bug.cgi?id=68764
768
769         Reviewed by Oliver Hunt.
770         
771         This is a pre-requisite to using the mark bit to determine object age.
772
773         ~2% v8 speedup, mostly due to a 12% v8-splay speedup.
774
775         * heap/MarkedBlock.h:
776         (JSC::MarkedBlock::isLive):
777         (JSC::MarkedBlock::isLiveCell): These two functions are the reason for
778         this patch. They can now determine object liveness without relying on
779         newly allocated objects having their mark bits set. Each MarkedBlock
780         now has a state variable that tells us how to determine whether its
781         cells are live. (This new state variable supersedes the old one about
782         destructor state. The rest of this patch is just refactoring to support
783         the invariants of this new state variable without introducing a
784         performance regression.)
785
786         (JSC::MarkedBlock::didConsumeFreeList): New function for updating internal
787         state when a block becomes fully allocated.
788
789         (JSC::MarkedBlock::clearMarks): Folded a state change to 'Marked' into
790         this function because, logically, clearing all mark bits is the first
791         step in saying "mark bits now exactly reflect object liveness".
792
793         (JSC::MarkedBlock::markCountIsZero): Renamed from isEmpty() to clarify
794         that this function only tells you about the mark bits, so it's only
795         meaningful if you've put the mark bits into a meaningful state before
796         calling it.
797
798         (JSC::MarkedBlock::forEachCell): Changed to use isLive() helper function
799         instead of testing mark bits, since mark bits are not always the right
800         way to find out if an object is live anymore. (New objects are live, but
801         not marked.)
802
803         * heap/MarkedBlock.cpp:
804         (JSC::MarkedBlock::recycle):
805         (JSC::MarkedBlock::MarkedBlock): Folded all initialization -- even
806         initialization when recycling an old block -- into the MarkedBlock
807         constructor, for simplicity.
808
809         (JSC::MarkedBlock::callDestructor): Inlined for speed. Always check for
810         a zapped cell before running a destructor, and always zap after
811         running a destructor. This does not seem to be expensive, and the
812         alternative just creates a too-confusing matrix of possible cell states
813         ((zombie undestructed cell + zombie destructed cell + zapped destructed
814         cell) * 5! permutations for progressing through block states = "Oh my!").
815
816         (JSC::MarkedBlock::specializedSweep):
817         (JSC::MarkedBlock::sweep): Maintained and expanded a pre-existing
818         optimization to use template specialization to constant fold lots of
819         branches and elide certain operations entirely during a sweep. Merged
820         four or five functions that were logically about sweeping into this one
821         function pair, so there's only one way to do things now, it's
822         automatically correct, and it's always fast.
823
824         (JSC::MarkedBlock::zapFreeList): Renamed this function to be more explicit
825         about exactly what it does, and to honor the new block state system.
826
827         * heap/AllocationSpace.cpp:
828         (JSC::AllocationSpace::allocateBlock): Updated for rename.
829
830         (JSC::AllocationSpace::freeBlocks): Updated for changed interface.
831
832         (JSC::TakeIfUnmarked::TakeIfUnmarked):
833         (JSC::TakeIfUnmarked::operator()):
834         (JSC::TakeIfUnmarked::returnValue): Just like isEmpty() above, renamed
835         to clarify that this functor only tests the mark bits, so it's only
836         valid if you've put the mark bits into a meaningful state before
837         calling it.
838         
839         (JSC::AllocationSpace::shrink): Updated for rename.
840
841         * heap/AllocationSpace.h:
842         (JSC::AllocationSpace::canonicalizeCellLivenessData): Renamed to be a
843         little more specific about what we're making canonical.
844
845         (JSC::AllocationSpace::forEachCell): Updated for rename.
846
847         (JSC::AllocationSpace::forEachBlock): No need to canonicalize cell
848         liveness data before iterating blocks -- clients that want iterated
849         blocks to have valid cell liveness data should make this call for
850         themselves. (And not all clients want it.)
851
852         * heap/ConservativeRoots.cpp:
853         (JSC::ConservativeRoots::genericAddPointer): Updated for rename. Removed
854         obsolete comment.
855
856         * heap/Heap.cpp:
857         (JSC::CountFunctor::ClearMarks::operator()): Removed call to notify...()
858         because clearMarks() now does that implicitly.
859
860         (JSC::Heap::destroy): Make sure to canonicalize before tear-down, since
861         tear-down tests cell liveness when running destructors.
862
863         (JSC::Heap::markRoots):
864         (JSC::Heap::collect): Moved weak reference harvesting out of markRoots()
865         and into collect, since it strictly depends on root marking, and does
866         not contribute to root marking.
867
868         (JSC::Heap::canonicalizeCellLivenessData): Renamed to be a little more
869         specific about what we're making canonical.
870
871         * heap/Heap.h:
872         (JSC::Heap::forEachProtectedCell): No need to canonicalize cell liveness
873         data before iterating protected cells, since we know they're all live,
874         and don't need to test for it.
875
876         * heap/Local.h:
877         (JSC::::set): Can't make the same ASSERT we used to because we just don't
878         have the mark bits for it anymore. Perhaps we can bring this ASSERT back
879         in a weaker form in the future.
880
881         * heap/MarkedSpace.cpp:
882         (JSC::MarkedSpace::addBlock):
883         (JSC::MarkedSpace::removeBlock): Updated for interface change.
884         (JSC::MarkedSpace::canonicalizeCellLivenessData): Renamed to be a little more
885         specific about what we're making canonical.
886
887         * heap/MarkedSpace.h:
888         (JSC::MarkedSpace::allocate):
889         (JSC::MarkedSpace::SizeClass::SizeClass):
890         (JSC::MarkedSpace::SizeClass::resetAllocator):
891         (JSC::MarkedSpace::SizeClass::zapFreeList): Simplified this allocator
892         functionality a bit. We now track only one block -- "currentBlock" --
893         and rely on its internal state to know whether it has more cells to
894         allocate.
895
896         * heap/Weak.h:
897         (JSC::Weak::set): Can't make the same ASSERT we used to because we just don't
898         have the mark bits for it anymore. Perhaps we can bring this ASSERT back
899         in a weaker form in the future.
900
901         * runtime/JSCell.h:
902         (JSC::JSCell::vptr):
903         (JSC::JSCell::zap):
904         (JSC::JSCell::isZapped):
905         (JSC::isZapped): Made zapping a property of JSCell, for a little abstraction.
906         In the future, exactly how a JSCell zaps itself will change, as the
907         internal representation of JSCell changes.
908
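The entry above describes liveness as a function of block state rather than of mark bits alone. The following is an added, simplified model written for this page; it is not JSC's MarkedBlock, and the state names, the "zapped vptr" convention and the cell layout are assumptions chosen for the demo:

```cpp
// Added example, not JSC's MarkedBlock: a simplified model of the block
// state rule described in the ChangeLog entry above. A cell's liveness is
// decided by the block's state, so a freshly allocated cell is live without
// having its mark bit set. State names, the zapped-vptr convention and the
// cell layout are assumptions made for this demo.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

enum class BlockState {
    FreeListed,  // cells on the free list are zapped; any unzapped cell is live
    Allocated,   // free list consumed (didConsumeFreeList): every cell is live
    Marked       // clearMarks() ran: mark bits exactly reflect liveness
};

struct Cell { uintptr_t vptr; };
constexpr uintptr_t zappedVPtr = 0;   // assumption: zapping clears the vptr

class Block {
public:
    explicit Block(size_t cellCount)
        : m_cells(cellCount, Cell{zappedVPtr}), m_marks(cellCount, false), m_state(BlockState::FreeListed) {
        for (size_t i = cellCount; i-- > 0;) m_freeList.push_back(i);   // cell 0 is handed out first
    }

    // Pop a free cell and "construct" it. The mark bit stays clear: the new
    // cell is live because of the block state, not because it is marked.
    size_t allocate(uintptr_t vptr) {
        if (m_freeList.empty()) return m_cells.size();   // block full
        size_t i = m_freeList.back();
        m_freeList.pop_back();
        m_cells[i].vptr = vptr;
        if (m_freeList.empty()) m_state = BlockState::Allocated;
        return i;
    }

    bool isLive(size_t i) const {
        switch (m_state) {
        case BlockState::FreeListed: return m_cells[i].vptr != zappedVPtr;
        case BlockState::Allocated:  return true;
        case BlockState::Marked:     return m_marks[i];
        }
        return false;
    }

    // Start of a collection: clearing all marks is exactly the moment the
    // mark bits become the authority, so the state change is folded in.
    void clearMarks() {
        std::fill(m_marks.begin(), m_marks.end(), false);
        m_state = BlockState::Marked;
    }
    void mark(size_t i) { m_marks[i] = true; }

    // Sweep dead cells onto the free list. A cell is destructed at most
    // once: the zap check before the destructor makes the sweep idempotent.
    size_t sweep() {
        size_t destructed = 0;
        m_freeList.clear();
        for (size_t i = m_cells.size(); i-- > 0;) {
            if (isLive(i)) continue;
            if (m_cells[i].vptr != zappedVPtr) { m_cells[i].vptr = zappedVPtr; ++destructed; }
            m_freeList.push_back(i);
        }
        m_state = m_freeList.empty() ? BlockState::Allocated : BlockState::FreeListed;
        return destructed;
    }

    BlockState state() const { return m_state; }
    size_t liveCount() const {
        size_t n = 0;
        for (size_t i = 0; i < m_cells.size(); ++i) n += isLive(i);
        return n;
    }

private:
    std::vector<Cell> m_cells;
    std::vector<bool> m_marks;
    std::vector<size_t> m_freeList;
    BlockState m_state;
};

// One allocate / collect / sweep / allocate cycle; true if liveness was
// right at every step.
bool demoCycle() {
    Block b(4);
    size_t a = b.allocate(0x10), c = b.allocate(0x20);             // cells 0 and 1
    if (b.state() != BlockState::FreeListed || b.liveCount() != 2) return false;
    if (!b.isLive(a) || !b.isLive(c) || b.isLive(2)) return false;  // live, yet unmarked
    b.clearMarks();                                                 // collection starts
    if (b.isLive(a)) return false;                                  // now only marks count
    b.mark(a);                                                      // a reachable, c not
    if (b.sweep() != 1) return false;                               // exactly one destructor (c)
    size_t d = b.allocate(0x30);                                    // reuses c's cell
    if (d != c || !b.isLive(d) || b.liveCount() != 2) return false; // live before any mark
    return b.sweep() == 0;                                          // re-sweep destructs nothing
}

int main() {
    std::printf("allocate/collect/sweep cycle: %s\n", demoCycle() ? "ok" : "FAILED");
    return demoCycle() ? 0 : 1;
}
```

The point the model makes concrete is the one the entry stresses: between collections the block is in FreeListed or Allocated state and a cell with a non-zapped vptr is live whether or not its mark bit is set; only after clearMarks() do the mark bits decide, and the zap check in sweep() guarantees a destructor runs once even if the same block is swept twice.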
909 2011-09-24  Filip Pizlo  <fpizlo@apple.com>
910
911         DFG JIT should not eagerly initialize integer tags in the register file
912         https://bugs.webkit.org/show_bug.cgi?id=68763
913
914         Reviewed by Oliver Hunt.
915
916         * dfg/DFGJITCompiler.cpp:
917         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
918         * dfg/DFGSpeculativeJIT.cpp:
919         (JSC::DFG::ValueRecovery::dump):
920         (JSC::DFG::OSRExit::OSRExit):
921         (JSC::DFG::SpeculativeJIT::compile):
922         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
923         * dfg/DFGSpeculativeJIT.h:
924         (JSC::DFG::ValueRecovery::alreadyInRegisterFileAsUnboxedInt32):
925         (JSC::DFG::OSRExit::operandForArgument):
926         (JSC::DFG::OSRExit::operandForIndex):
927         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
928
929 2011-09-23  Yuqiang Xian  <yuqiang.xian@intel.com>
930
931         Add JSVALUE32_64 support to DFG JIT
932         https://bugs.webkit.org/show_bug.cgi?id=67460
933
934         Reviewed by Gavin Barraclough.
935
936         This is the initial attempt to add JSVALUE32_64 support to DFG JIT.
937         It is currently tested on the IA32 Linux EFL port. It still cannot run
938         all the test cases and benchmarks, so it should remain turned off for now.
939         
940         The major work includes:
941         1) dealing with JSVALUE32_64 data format in DFG JIT;
942         2) bindings between 64-bit JS Value and 32-bit registers;
943         3) handling of function calls. Currently for DFG operation function
944         calls we follow the X86 cdecl calling convention on Linux, and the
945         implementation is in a naive way by pushing the arguments into stack
946         one by one.
947         
948         The known issues include:
949         1) some code is duplicated unnecessarily, especially in Speculative JIT
950         code generation, where most of the operations on SpeculateInteger /
951         SpeculateDouble should be identical to the JSVALUE64 code. Refactoring
952         is needed in the future;
953         2) lack of op_call and op_construct support, compared to the current
954         JSVALUE64 DFG;
955         3) integer speculations are currently assumed to be StrictInt32;
956         4) lack of JSBoolean speculations;
957         5) boxing and unboxing doubles could be improved;
958         6) the DFG X86 register description differs from the baseline JIT's;
959         the timeoutCheckRegister is used for general-purpose work;
960         7) calls to runtime functions with primitive double parameters (e.g.
961         fmod) don't work. Support needs to be added to the assembler to
962         implement the mechanism of passing double parameters for the X86 cdecl
963         convention.
964         
965         There are likely many other hidden bugs, which should be exposed and
966         resolved in the later debugging process.
967
968         * CMakeListsEfl.txt:
969         * assembler/MacroAssemblerX86.h:
970         (JSC::MacroAssemblerX86::loadDouble):
971         (JSC::MacroAssemblerX86::storeDouble):
972         * assembler/X86Assembler.h:
973         (JSC::X86Assembler::movsd_rm):
974         * bytecode/StructureStubInfo.h:
975         * dfg/DFGByteCodeParser.cpp:
976         (JSC::DFG::ByteCodeParser::parseBlock):
977         * dfg/DFGCapabilities.h:
978         (JSC::DFG::canCompileOpcode):
979         * dfg/DFGFPRInfo.h:
980         (JSC::DFG::FPRInfo::debugName):
981         * dfg/DFGGPRInfo.h:
982         (JSC::DFG::GPRInfo::toRegister):
983         (JSC::DFG::GPRInfo::toIndex):
984         (JSC::DFG::GPRInfo::debugName):
985         * dfg/DFGGenerationInfo.h:
986         (JSC::DFG::needDataFormatConversion):
987         (JSC::DFG::GenerationInfo::initJSValue):
988         (JSC::DFG::GenerationInfo::initDouble):
989         (JSC::DFG::GenerationInfo::gpr):
990         (JSC::DFG::GenerationInfo::tagGPR):
991         (JSC::DFG::GenerationInfo::payloadGPR):
992         (JSC::DFG::GenerationInfo::fpr):
993         (JSC::DFG::GenerationInfo::fillJSValue):
994         (JSC::DFG::GenerationInfo::fillCell):
995         (JSC::DFG::GenerationInfo::fillDouble):
996         * dfg/DFGJITCodeGenerator.cpp:
997         * dfg/DFGJITCodeGenerator.h:
998         (JSC::DFG::JITCodeGenerator::allocate):
999         (JSC::DFG::JITCodeGenerator::use):
1000         (JSC::DFG::JITCodeGenerator::registersMatched):
1001         (JSC::DFG::JITCodeGenerator::silentSpillGPR):
1002         (JSC::DFG::JITCodeGenerator::silentFillGPR):
1003         (JSC::DFG::JITCodeGenerator::silentFillFPR):
1004         (JSC::DFG::JITCodeGenerator::silentSpillAllRegisters):
1005         (JSC::DFG::JITCodeGenerator::silentFillAllRegisters):
1006         (JSC::DFG::JITCodeGenerator::boxDouble):
1007         (JSC::DFG::JITCodeGenerator::unboxDouble):
1008         (JSC::DFG::JITCodeGenerator::spill):
1009         (JSC::DFG::addressOfDoubleConstant):
1010         (JSC::DFG::integerResult):
1011         (JSC::DFG::jsValueResult):
1012         (JSC::DFG::setupResults):
1013         (JSC::DFG::callOperation):
1014         (JSC::JSValueOperand::JSValueOperand):
1015         (JSC::JSValueOperand::~JSValueOperand):
1016         (JSC::JSValueOperand::isDouble):
1017         (JSC::JSValueOperand::fill):
1018         (JSC::JSValueOperand::tagGPR):
1019         (JSC::JSValueOperand::payloadGPR):
1020         (JSC::JSValueOperand::fpr):
1021         (JSC::GPRTemporary::~GPRTemporary):
1022         (JSC::GPRTemporary::gpr):
1023         (JSC::GPRResult2::GPRResult2):
1024         * dfg/DFGJITCodeGenerator32_64.cpp: Added.
1025         (JSC::DFG::JITCodeGenerator::clearGenerationInfo):
1026         (JSC::DFG::JITCodeGenerator::fillInteger):
1027         (JSC::DFG::JITCodeGenerator::fillDouble):
1028         (JSC::DFG::JITCodeGenerator::fillJSValue):
1029         (JSC::DFG::JITCodeGenerator::fillStorage):
1030         (JSC::DFG::JITCodeGenerator::useChildren):
1031         (JSC::DFG::JITCodeGenerator::isStrictInt32):
1032         (JSC::DFG::JITCodeGenerator::isKnownInteger):
1033         (JSC::DFG::JITCodeGenerator::isKnownNumeric):
1034         (JSC::DFG::JITCodeGenerator::isKnownCell):
1035         (JSC::DFG::JITCodeGenerator::isKnownNotInteger):
1036         (JSC::DFG::JITCodeGenerator::isKnownNotNumber):
1037         (JSC::DFG::JITCodeGenerator::isKnownBoolean):
1038         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber):
1039         (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
1040         (JSC::DFG::JITCodeGenerator::nonSpeculativeUInt32ToNumber):
1041         (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp):
1042         (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
1043         (JSC::DFG::JITCodeGenerator::nonSpeculativeArithMod):
1044         (JSC::DFG::JITCodeGenerator::nonSpeculativeCheckHasInstance):
1045         (JSC::DFG::JITCodeGenerator::nonSpeculativeInstanceOf):
1046         (JSC::DFG::JITCodeGenerator::cachedGetById):
1047         (JSC::DFG::JITCodeGenerator::writeBarrier):
1048         (JSC::DFG::JITCodeGenerator::cachedPutById):
1049         (JSC::DFG::JITCodeGenerator::cachedGetMethod):
1050         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompareNull):
1051         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
1052         (JSC::DFG::JITCodeGenerator::nonSpeculativeCompareNull):
1053         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
1054         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
1055         (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
1056         (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
1057         (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
1058         (JSC::DFG::JITCodeGenerator::nonSpeculativeStrictEq):
1059         (JSC::DFG::JITCodeGenerator::emitBranch):
1060         (JSC::DFG::JITCodeGenerator::nonSpeculativeLogicalNot):
1061         (JSC::DFG::JITCodeGenerator::emitCall):
1062         (JSC::DFG::JITCodeGenerator::speculationCheck):
1063         (JSC::DFG::dataFormatString):
1064         (JSC::DFG::JITCodeGenerator::dump):
1065         (JSC::DFG::JITCodeGenerator::checkConsistency):
1066         (JSC::DFG::GPRTemporary::GPRTemporary):
1067         (JSC::DFG::FPRTemporary::FPRTemporary):
1068         * dfg/DFGJITCompiler.cpp:
1069         * dfg/DFGJITCompiler.h:
1070         (JSC::DFG::JITCompiler::tagForGlobalVar):
1071         (JSC::DFG::JITCompiler::payloadForGlobalVar):
1072         (JSC::DFG::JITCompiler::appendCallWithExceptionCheck):
1073         (JSC::DFG::JITCompiler::addressOfDoubleConstant):
1074         (JSC::DFG::JITCompiler::boxDouble):
1075         (JSC::DFG::JITCompiler::unboxDouble):
1076         (JSC::DFG::JITCompiler::addPropertyAccess):
1077         (JSC::DFG::JITCompiler::PropertyAccessRecord::PropertyAccessRecord):
1078         * dfg/DFGJITCompiler32_64.cpp: Added.
1079         (JSC::DFG::JITCompiler::fillNumericToDouble):
1080         (JSC::DFG::JITCompiler::fillInt32ToInteger):
1081         (JSC::DFG::JITCompiler::fillToJS):
1082         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
1083         (JSC::DFG::JITCompiler::linkOSRExits):
1084         (JSC::DFG::JITCompiler::compileEntry):
1085         (JSC::DFG::JITCompiler::compileBody):
1086         (JSC::DFG::JITCompiler::link):
1087         (JSC::DFG::JITCompiler::compile):
1088         (JSC::DFG::JITCompiler::compileFunction):
1089         (JSC::DFG::JITCompiler::jitAssertIsInt32):
1090         (JSC::DFG::JITCompiler::jitAssertIsJSInt32):
1091         (JSC::DFG::JITCompiler::jitAssertIsJSNumber):
1092         (JSC::DFG::JITCompiler::jitAssertIsJSDouble):
1093         (JSC::DFG::JITCompiler::jitAssertIsCell):
1094         (JSC::DFG::JITCompiler::emitCount):
1095         (JSC::DFG::JITCompiler::setSamplingFlag):
1096         (JSC::DFG::JITCompiler::clearSamplingFlag):
1097         * dfg/DFGJITCompilerInlineMethods.h: Added.
1098         (JSC::DFG::JITCompiler::emitLoadTag):
1099         (JSC::DFG::JITCompiler::emitLoadPayload):
1100         (JSC::DFG::JITCompiler::emitLoad):
1101         (JSC::DFG::JITCompiler::emitLoad2):
1102         (JSC::DFG::JITCompiler::emitLoadDouble):
1103         (JSC::DFG::JITCompiler::emitLoadInt32ToDouble):
1104         (JSC::DFG::JITCompiler::emitStore):
1105         (JSC::DFG::JITCompiler::emitStoreInt32):
1106         (JSC::DFG::JITCompiler::emitStoreCell):
1107         (JSC::DFG::JITCompiler::emitStoreBool):
1108         (JSC::DFG::JITCompiler::emitStoreDouble):
1109         * dfg/DFGNode.h:
1110         * dfg/DFGOperations.cpp:
1111         * dfg/DFGRepatch.cpp:
1112         (JSC::DFG::generateProtoChainAccessStub):
1113         (JSC::DFG::tryCacheGetByID):
1114         (JSC::DFG::tryBuildGetByIDList):
1115         (JSC::DFG::tryCachePutByID):
1116         * dfg/DFGSpeculativeJIT.cpp:
1117         * dfg/DFGSpeculativeJIT.h:
1118         (JSC::DFG::ValueRecovery::inGPR):
1119         (JSC::DFG::ValueRecovery::inPair):
1120         (JSC::DFG::ValueRecovery::tagGPR):
1121         (JSC::DFG::ValueRecovery::payloadGPR):
1122         * dfg/DFGSpeculativeJIT32_64.cpp: Added.
1123         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1124         (JSC::DFG::ValueSource::dump):
1125         (JSC::DFG::ValueRecovery::dump):
1126         (JSC::DFG::OSRExit::OSRExit):
1127         (JSC::DFG::OSRExit::dump):
1128         (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
1129         (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
1130         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1131         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1132         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1133         (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
1134         (JSC::DFG::SpeculativeJIT::convertToDouble):
1135         (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
1136         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
1137         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1138         (JSC::DFG::SpeculativeJIT::compare):
1139         (JSC::DFG::SpeculativeJIT::compile):
1140         (JSC::DFG::SpeculativeJIT::compileMovHint):
1141         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
1142         (JSC::DFG::SpeculativeJIT::initializeVariableTypes):
1143         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
1144         * runtime/JSValue.h:
1145
1146 2011-09-23  Filip Pizlo  <fpizlo@apple.com>
1147
1148         wtf/BitVector.h has a variety of bugs which manifest when the
1149         vector grows beyond 63 bits
1150         https://bugs.webkit.org/show_bug.cgi?id=68746
1151
1152         Reviewed by Oliver Hunt.
1153         
1154         Out-of-lined slow path code in BitVector so that not every user
1155         of CodeBlock ends up having to compile it. Fixed a variety of
1156         index computation and size computation bugs.
1157         
1158         I have not seen these issues manifest themselves, but they are
1159         blocking a patch that uses BitVector more aggressively.
1160
1161         * GNUmakefile.list.am:
1162         * JavaScriptCore.vcproj/WTF/WTF.vcproj:
1163         * JavaScriptCore.xcodeproj/project.pbxproj:
1164         * wtf/BitVector.cpp: Added.
1165         (BitVector::BitVector):
1166         (BitVector::operator=):
1167         (BitVector::resize):
1168         (BitVector::clearAll):
1169         (BitVector::OutOfLineBits::create):
1170         (BitVector::OutOfLineBits::destroy):
1171         (BitVector::resizeOutOfLine):
1172         * wtf/BitVector.h:
1173         (WTF::BitVector::ensureSize):
1174         (WTF::BitVector::get):
1175         (WTF::BitVector::set):
1176         (WTF::BitVector::clear):
1177         (WTF::BitVector::byteCount):
1178         (WTF::BitVector::OutOfLineBits::numWords):
1179         (WTF::BitVector::OutOfLineBits::bits):
1180         (WTF::BitVector::outOfLineBits):
1181         * wtf/CMakeLists.txt:
1182         * wtf/wtf.pri:
1183
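The entry above fixes index and size arithmetic in a bit vector that keeps small sets inline and moves larger ones out of line. The following is an added example written for this page, not WebKit's wtf/BitVector: a bit vector of the same shape (one inline word whose low bit is a tag, so 63 payload bits fit inline; whole words out of line beyond that), with the boundary arithmetic written out explicitly. The class name, the exact tag-bit layout and the growth policy are assumptions made for the demo:

```cpp
// Added example, not WebKit's wtf/BitVector: a bit vector with the shape
// described in the ChangeLog entry above. Up to 63 bits live inline in one
// word (the low bit is a tag marking the inline form, so bit i sits at word
// bit i + 1); anything larger moves to out-of-line words. All index and size
// arithmetic is written to be exact at the 63/64-bit boundary, which is
// where bugs of the kind the entry describes tend to hide.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

class SmallBitVector {
public:
    static constexpr size_t maxInlineBits = 63;   // 64 minus 1 tag bit

    explicit SmallBitVector(size_t numBits = 0) : m_inline(1), m_numBits(0) { resize(numBits); }

    size_t size() const { return m_numBits; }
    bool isInline() const { return m_inline & 1; }
    // Bytes of bit storage: the inline word, or the out-of-line words.
    size_t byteCount() const { return isInline() ? sizeof(uint64_t) : m_out.size() * sizeof(uint64_t); }

    bool get(size_t i) const {
        if (i >= m_numBits) return false;              // out of range reads as 0
        if (isInline()) return (m_inline >> (i + 1)) & 1;
        return (m_out[i / 64] >> (i % 64)) & 1;
    }
    void set(size_t i) {
        if (i >= m_numBits) resize(i + 1);             // ensureSize
        if (isInline()) m_inline |= uint64_t(1) << (i + 1);
        else m_out[i / 64] |= uint64_t(1) << (i % 64);
    }
    void clear(size_t i) {
        if (i >= m_numBits) return;
        if (isInline()) m_inline &= ~(uint64_t(1) << (i + 1));
        else m_out[i / 64] &= ~(uint64_t(1) << (i % 64));
    }
    size_t countSet() const {
        size_t n = 0;
        for (size_t i = 0; i < m_numBits; ++i) n += get(i);
        return n;
    }

    // Resize to exactly numBits, keeping bits still in range and forcing
    // dropped bits to zero so they cannot resurface when the vector regrows.
    void resize(size_t numBits) {
        if (numBits <= maxInlineBits) {
            uint64_t bits;
            if (isInline()) bits = m_inline >> 1;
            else { bits = m_out.empty() ? 0 : m_out[0]; m_out.clear(); }
            m_inline = ((bits & lowMask(numBits)) << 1) | 1;
        } else {
            size_t words = (numBits + 63) / 64;        // round up, never down
            if (isInline()) {
                m_out.assign(words, 0);
                m_out[0] = m_inline >> 1;              // inline payload was bits 0..62
                m_inline = 0;                          // tag bit off: out of line now
            } else {
                m_out.resize(words, 0);
            }
            m_out[words - 1] &= lowMask(numBits - (words - 1) * 64);
        }
        m_numBits = numBits;
    }

private:
    // Mask with the low n bits set; n == 64 must not shift by 64 (UB).
    static uint64_t lowMask(size_t n) { return n >= 64 ? ~uint64_t(0) : (uint64_t(1) << n) - 1; }

    uint64_t m_inline;                 // bit 0 = "inline" tag, bits 1..63 = payload
    std::vector<uint64_t> m_out;       // out-of-line words when more than 63 bits
    size_t m_numBits;
};

// Cross the inline/out-of-line boundary in both directions and report
// whether every bit survived and every dropped bit stayed dropped.
bool boundaryRoundTrip() {
    SmallBitVector v;
    v.set(0); v.set(62);                                    // 63 bits: still inline
    if (!v.isInline() || v.size() != 63) return false;
    v.set(63);                                              // 64 bits: must go out of line
    if (v.isInline() || v.size() != 64 || v.byteCount() != 8) return false;
    v.set(64); v.set(127); v.set(128);                      // 129 bits: three words
    if (v.byteCount() != 24 || v.countSet() != 6) return false;
    if (!v.get(0) || !v.get(62) || !v.get(63) || !v.get(64) || !v.get(127) || !v.get(128)) return false;
    if (v.get(1) || v.get(65) || v.get(200)) return false;
    v.resize(64);                                           // drops bits 64, 127, 128
    if (v.countSet() != 3 || v.get(64)) return false;
    v.resize(200);                                          // regrow: nothing resurfaces
    if (v.countSet() != 3 || v.get(127)) return false;
    v.resize(10);                                           // back inline: keeps bit 0 only
    return v.isInline() && v.countSet() == 1 && v.get(0) && !v.get(62);
}

int main() {
    std::printf("boundary round trip: %s\n", boundaryRoundTrip() ? "ok" : "FAILED");
    return boundaryRoundTrip() ? 0 : 1;
}
```

Two details carry the weight: the word count rounds up ((numBits + 63) / 64, not numBits / 64), and the tail mask for the last word is computed from numBits minus the bits held by the preceding words, with the 64-bit case handled without a 64-position shift. Both are the places where a vector that grows past 63 bits silently reads or writes the wrong word.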
1184 2011-09-23  Adam Klein  <adamk@chromium.org>
1185
1186         Add ENABLE_MUTATION_OBSERVERS feature flag
1187         https://bugs.webkit.org/show_bug.cgi?id=68732
1188
1189         Reviewed by Ojan Vafai.
1190
1191         This flag will guard an implementation of the "Mutation Observers" proposed in
1192         http://lists.w3.org/Archives/Public/public-webapps/2011JulSep/1622.html
1193
1194         * Configurations/FeatureDefines.xcconfig:
1195
1196 2011-09-23  Mark Hahnenberg  <mhahnenberg@apple.com>
1197
1198         De-virtualize JSCell::getJSNumber
1199         https://bugs.webkit.org/show_bug.cgi?id=68651
1200
1201         Reviewed by Oliver Hunt.
1202
1203         Added a new JSType to check whether or not something is a 
1204         NumberObject (which includes NumberPrototype) in TypeInfo::isNumberObject because there's not 
1205         currently a better way to determine whether something is indeed a NumberObject.
1206         Also de-virtualized JSCell::getJSNumber, having it check the TypeInfo 
1207         for whether the object is a NumberObject or not.  This patch is part of 
1208         the larger process of de-virtualizing JSCell.
1209
1210         * JavaScriptCore.exp:
1211         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1212         * runtime/JSCell.cpp:
1213         (JSC::JSCell::getJSNumber):
1214         * runtime/JSCell.h:
1215         (JSC::JSValue::getJSNumber):
1216         * runtime/JSType.h:
1217         * runtime/JSTypeInfo.h:
1218         (JSC::TypeInfo::isNumberObject):
1219         * runtime/JSValue.h:
1220         * runtime/NumberObject.cpp:
1221         (JSC::NumberObject::getJSNumber):
1222         * runtime/NumberObject.h:
1223         (JSC::NumberObject::createStructure):
1224         * runtime/NumberPrototype.h:
1225         (JSC::NumberPrototype::createStructure):
1226
1227 2011-09-23  Filip Pizlo  <fpizlo@apple.com>
1228
1229         Resolve opcodes should have value profiling.
1230         https://bugs.webkit.org/show_bug.cgi?id=68723
1231
1232         Reviewed by Oliver Hunt.
1233         
1234         This adds value profiling to all forms of op_resolve in the
1235         old JIT, and patches that information into the DFG along with
1236         performing the appropriate type propagation.
1237
1238         * dfg/DFGByteCodeParser.cpp:
1239         (JSC::DFG::ByteCodeParser::parseBlock):
1240         * dfg/DFGGraph.h:
1241         (JSC::DFG::Graph::predict):
1242         * dfg/DFGNode.h:
1243         (JSC::DFG::Node::hasIdentifier):
1244         (JSC::DFG::Node::resolveGlobalDataIndex):
1245         (JSC::DFG::Node::hasPrediction):
1246         * dfg/DFGPropagator.cpp:
1247         (JSC::DFG::Propagator::propagateNodePredictions):
1248         * dfg/DFGSpeculativeJIT.cpp:
1249         (JSC::DFG::SpeculativeJIT::compile):
1250         * jit/JITOpcodes.cpp:
1251         (JSC::JIT::emit_op_resolve):
1252         (JSC::JIT::emit_op_resolve_base):
1253         (JSC::JIT::emit_op_resolve_skip):
1254         (JSC::JIT::emit_op_resolve_global):
1255         (JSC::JIT::emitSlow_op_resolve_global):
1256         (JSC::JIT::emit_op_resolve_with_base):
1257         (JSC::JIT::emit_op_resolve_with_this):
1258         (JSC::JIT::emitSlow_op_resolve_global_dynamic):
1259         * jit/JITStubCall.h:
1260         (JSC::JITStubCall::callWithValueProfiling):
1261
1262 2011-09-23  Oliver Hunt  <oliver@apple.com>
1263
1264         Fix windows build.
1265
1266         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1267
1268 2011-09-23  Gavin Barraclough  <barraclough@apple.com>
1269
1270         Strict mode does not work in non-trivial nested functions.
1271         https://bugs.webkit.org/show_bug.cgi?id=68740
1272
1273         Reviewed by Oliver Hunt.
1274
1275         Function-info caching does not preserve all state that it should.
1276
1277         * parser/JSParser.cpp:
1278         (JSC::JSParser::Scope::saveFunctionInfo):
1279         (JSC::JSParser::Scope::restoreFunctionInfo):
1280         (JSC::JSParser::parseFunctionInfo):
1281         * parser/SourceProviderCacheItem.h:
1282
1283 2011-09-23  Filip Pizlo  <fpizlo@apple.com>
1284
1285         ValueToDouble handling in prediction propagation should be ASSERT_NOT_REACHED
1286         https://bugs.webkit.org/show_bug.cgi?id=68724
1287
1288         Reviewed by Oliver Hunt.
1289
1290         * dfg/DFGPropagator.cpp:
1291         (JSC::DFG::Propagator::propagateNodePredictions):
1292
1293 2011-09-23  Oliver Hunt  <oliver@apple.com>
1294
1295         Build fix.
1296
1297         * JavaScriptCore.xcodeproj/project.pbxproj:
1298
1299 2011-09-23  Filip Pizlo  <fpizlo@apple.com>
1300
1301         DFG implementation of PutScopedVar corrupts register allocation
1302         https://bugs.webkit.org/show_bug.cgi?id=68735
1303
1304         Reviewed by Oliver Hunt.
1305
1306         * dfg/DFGSpeculativeJIT.cpp:
1307         (JSC::DFG::SpeculativeJIT::compile):
1308
1309 2011-09-23  Oliver Hunt  <oliver@apple.com>
1310
1311         Make write barriers actually do something when enabled
1312         https://bugs.webkit.org/show_bug.cgi?id=68717
1313
1314         Reviewed by Geoffrey Garen.
1315
1316         Add a basic card marking style write barrier to JSC (currently
1317         turned off).  This requires two scratch registers in the JIT
1318         so there was some register re-arranging to satisfy that requirement.
1319         Happily this produced a minor perf bump in sunspider (~0.5%).
1320
1321         Turning the barriers on causes an overall regression of around 1.5%.
1322
1323         * JavaScriptCore.exp:
1324         * JavaScriptCore.xcodeproj/project.pbxproj:
1325         * assembler/MacroAssemblerX86Common.h:
1326         (JSC::MacroAssemblerX86Common::store8):
1327         * assembler/X86Assembler.h:
1328         (JSC::X86Assembler::movb_i8m):
1329         * dfg/DFGJITCodeGenerator.cpp:
1330         (JSC::DFG::JITCodeGenerator::isKnownNotCell):
1331         (JSC::DFG::JITCodeGenerator::writeBarrier):
1332         (JSC::DFG::JITCodeGenerator::markCellCard):
1333         (JSC::DFG::JITCodeGenerator::cachedPutById):
1334         * dfg/DFGJITCodeGenerator.h:
1335         * dfg/DFGRepatch.cpp:
1336         (JSC::DFG::tryCachePutByID):
1337         * dfg/DFGSpeculativeJIT.cpp:
1338         (JSC::DFG::SpeculativeJIT::compile):
1339         * heap/CardSet.h: Added.
1340         (JSC::CardSet::CardSet):
1341         (JSC::::cardForAtom):
1342         (JSC::::cardMarkedForAtom):
1343         (JSC::::markCardForAtom):
1344         * heap/Heap.cpp:
1345         * heap/Heap.h:
1346         (JSC::Heap::addressOfCardFor):
1347         (JSC::Heap::writeBarrierFastCase):
1348         * heap/MarkedBlock.h:
1349         (JSC::MarkedBlock::setDirtyObject):
1350         (JSC::MarkedBlock::addressOfCardFor):
1351         (JSC::MarkedBlock::offsetOfCards):
1352         * jit/JIT.h:
1353         * jit/JITPropertyAccess.cpp:
1354         (JSC::JIT::emit_op_put_by_val):
1355         (JSC::JIT::emit_op_put_by_id):
1356         (JSC::JIT::privateCompilePutByIdTransition):
1357         (JSC::JIT::emit_op_put_scoped_var):
1358         (JSC::JIT::emit_op_put_global_var):
1359         (JSC::JIT::emitWriteBarrier):
1360         * jit/JITPropertyAccess32_64.cpp:
1361         (JSC::JIT::emit_op_put_by_val):
1362         (JSC::JIT::emit_op_put_by_id):
1363         (JSC::JIT::emitSlow_op_put_by_id):
1364         (JSC::JIT::privateCompilePutByIdTransition):
1365         (JSC::JIT::emit_op_put_scoped_var):
1366         (JSC::JIT::emit_op_put_global_var):
1367
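The entry above adds a card-marking write barrier whose fast case computes a card address from the owning cell's address. The following is an added example written for this page, not JSC's CardSet or MarkedBlock: a card table over one size-aligned block, the pointer-to-card arithmetic a JIT would inline, and the "stored value is not a cell" fast path. The block size, cell size, card size and header layout are assumptions chosen for the demo:

```cpp
// Added example, not JSC's CardSet/MarkedBlock: a card-marking write barrier
// over one fixed-size, size-aligned heap block. Layout constants below are
// assumptions chosen for the demo: a 16 KB block with 64-byte cells, one card
// byte per 512-byte run of the block, and the card bytes stored at the start
// of the block header so a cell pointer reaches its card by masking.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

constexpr size_t blockSize   = 16 * 1024;
constexpr size_t cellSize    = 64;
constexpr size_t cardShift   = 9;                                    // 512-byte cards
constexpr size_t cardCount   = blockSize >> cardShift;               // 32 card bytes
constexpr size_t cellsOffset = size_t(1) << cardShift;               // cells start after the header card
constexpr size_t cellCount   = (blockSize - cellsOffset) / cellSize; // 248 cells

// Mask the cell pointer down to its block, then index the card by the
// cell's offset within the block. This is the arithmetic a JIT can inline.
inline uint8_t* addressOfCardFor(const void* cell) {
    uintptr_t p = reinterpret_cast<uintptr_t>(cell);
    uintptr_t base = p & ~uintptr_t(blockSize - 1);
    return reinterpret_cast<uint8_t*>(base) + ((p - base) >> cardShift);
}

// Barrier executed after a pointer store into `owner`. Storing a non-cell
// value (number, boolean, ...) cannot create a cell-to-cell edge, so the
// fast path skips the card write entirely in that case.
inline void writeBarrier(const void* owner, bool storedValueIsCell) {
    if (!storedValueIsCell) return;
    *addressOfCardFor(owner) = 1;
}

class BlockArena {
public:
    BlockArena() : m_raw(2 * blockSize) {
        // Align the block manually so the mask in addressOfCardFor works.
        uintptr_t p = reinterpret_cast<uintptr_t>(m_raw.data());
        m_base = reinterpret_cast<uint8_t*>((p + blockSize - 1) & ~uintptr_t(blockSize - 1));
        std::memset(m_base, 0, blockSize);
    }
    void* cell(size_t index) { return m_base + cellsOffset + index * cellSize; }

    // Cards marked since the last clear: the collector rescans only the
    // cells under these cards instead of the whole block.
    std::vector<size_t> dirtyCards() const {
        std::vector<size_t> out;
        for (size_t c = 0; c < cardCount; ++c) if (m_base[c]) out.push_back(c);
        return out;
    }
    // Cell indices covered by one card (empty for the header card).
    static std::vector<size_t> cellsUnderCard(size_t card) {
        std::vector<size_t> out;
        for (size_t i = 0; i < cellCount; ++i)
            if (((cellsOffset + i * cellSize) >> cardShift) == card) out.push_back(i);
        return out;
    }
    void clearCards() { std::memset(m_base, 0, cardCount); }

private:
    std::vector<uint8_t> m_raw;
    uint8_t* m_base;
};

// A few representative stores; returns the cards they dirtied.
std::vector<size_t> demoDirtyCards() {
    BlockArena arena;
    writeBarrier(arena.cell(0), true);     // card 1 (cells 0..7 share it)
    writeBarrier(arena.cell(7), true);     // card 1 again
    writeBarrier(arena.cell(8), true);     // card 2
    writeBarrier(arena.cell(100), false);  // non-cell store: no card marked
    writeBarrier(arena.cell(200), true);   // (512 + 200 * 64) >> 9 = 26
    return arena.dirtyCards();             // {1, 2, 26}
}

int main() {
    for (size_t c : demoDirtyCards()) std::printf("dirty card %zu\n", c);
    return 0;
}
```

The barrier is deliberately tiny (a mask, a shift, a byte store) because it runs on every pointer store the JIT emits; the cost the entry reports for enabling barriers is this sequence plus the two scratch registers it needs. Correctness rests on the block being blockSize-aligned, which is why the arena aligns its storage by hand.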
1368 2011-09-23  Thouraya ANDOLSI  <thouraya.andolsi@st.com>
1369
1370         https://bugs.webkit.org/show_bug.cgi?id=68077
1371         SH4 assembler doesn't refer to the executable memory handle.
1372
1373         Reviewed by Gavin Barraclough.
1374
1375         * assembler/MacroAssemblerSH4.h:
1376         (JSC::MacroAssemblerSH4::branch8):
1377         * assembler/SH4Assembler.h:
1378         (JSC::SH4Assembler::executableCopy):
1379
1380 2011-09-23  Oliver Hunt  <oliver@apple.com>
1381
1382         PutScopedVar nodes should report that they have a var number
1383         https://bugs.webkit.org/show_bug.cgi?id=68721
1384
1385         Reviewed by Anders Carlsson.
1386
1387         Another assertion fix.
1388
1389         * dfg/DFGNode.h:
1390         (JSC::DFG::Node::hasVarNumber):
1391
1392 2011-09-23  Oliver Hunt  <oliver@apple.com>
1393
1394         Add a bunch of unhandled node types to the propagator
1395         https://bugs.webkit.org/show_bug.cgi?id=68716
1396
1397         Reviewed by Darin Adler.
1398
1399         Remove the ASSERT_NOT_REACHED() default for debug builds in the
1400         prediction propagator; this way unhandled nodes will just cause
1401         compile-time failures rather than failing at some point in the
1402         future.
1403
1404         * dfg/DFGPropagator.cpp:
1405         (JSC::DFG::Propagator::propagateNodePredictions):
1406
1407 2011-09-23  Mark Hahnenberg  <mhahnenberg@apple.com>
1408
1409         Add static version of JSCell::visitChildren
1410         https://bugs.webkit.org/show_bug.cgi?id=68404
1411
1412         Reviewed by Darin Adler.
1413
1414         In this patch we just extract the bodies of the virtual visitChildren methods
1415         throughout the JSCell inheritance hierarchy out into static methods, which are 
1416         now called from the virtual methods.  This is an intermediate step in trying to 
1417         move the virtual-ness of visitChildren into our own custom vtable stored in 
1418         ClassInfo.  We need to convert the methods to static methods in order to be 
1419         able to more easily store and refer to them in our custom vtable since normal 
1420         member methods store some implicit information in their types, making it 
1421         impossible to store them generically in ClassInfo.
1422
1423         * API/JSCallbackObject.h:
1424         (JSC::JSCallbackObject::visitChildrenVirtual):
1425         (JSC::JSCallbackObject::visitChildren):
1426         * JavaScriptCore.exp:
1427         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1428         * debugger/DebuggerActivation.cpp:
1429         (JSC::DebuggerActivation::visitChildrenVirtual):
1430         (JSC::DebuggerActivation::visitChildren):
1431         * debugger/DebuggerActivation.h:
1432         * heap/MarkStack.cpp:
1433         (JSC::SlotVisitor::visitChildren):
1434         (JSC::SlotVisitor::drain):
1435         * runtime/Arguments.cpp:
1436         (JSC::Arguments::visitChildrenVirtual):
1437         (JSC::Arguments::visitChildren):
1438         * runtime/Arguments.h:
1439         * runtime/Executable.cpp:
1440         (JSC::EvalExecutable::visitChildrenVirtual):
1441         (JSC::EvalExecutable::visitChildren):
1442         (JSC::ProgramExecutable::visitChildrenVirtual):
1443         (JSC::ProgramExecutable::visitChildren):
1444         (JSC::FunctionExecutable::visitChildrenVirtual):
1445         (JSC::FunctionExecutable::visitChildren):
1446         * runtime/Executable.h:
1447         * runtime/GetterSetter.cpp:
1448         (JSC::GetterSetter::visitChildrenVirtual):
1449         (JSC::GetterSetter::visitChildren):
1450         * runtime/GetterSetter.h:
1451         * runtime/JSActivation.cpp:
1452         (JSC::JSActivation::visitChildrenVirtual):
1453         (JSC::JSActivation::visitChildren):
1454         * runtime/JSActivation.h:
1455         * runtime/JSArray.cpp:
1456         (JSC::JSArray::visitChildrenVirtual):
1457         (JSC::JSArray::visitChildren):
1458         * runtime/JSArray.h:
1459         * runtime/JSBoundFunction.cpp:
1460         (JSC::JSBoundFunction::visitChildrenVirtual):
1461         (JSC::JSBoundFunction::visitChildren):
1462         * runtime/JSBoundFunction.h:
1463         * runtime/JSCell.h:
1464         (JSC::JSCell::visitChildrenVirtual):
1465         (JSC::JSCell::visitChildren):
1466         * runtime/JSFunction.cpp:
1467         (JSC::JSFunction::visitChildrenVirtual):
1468         (JSC::JSFunction::visitChildren):
1469         * runtime/JSFunction.h:
1470         * runtime/JSGlobalObject.cpp:
1471         (JSC::JSGlobalObject::visitChildrenVirtual):
1472         (JSC::JSGlobalObject::visitChildren):
1473         * runtime/JSGlobalObject.h:
1474         * runtime/JSObject.cpp:
1475         (JSC::JSObject::visitChildrenVirtual):
1476         (JSC::JSObject::visitChildren):
1477         * runtime/JSObject.h:
1478         (JSC::JSObject::visitChildrenDirect):
1479         * runtime/JSPropertyNameIterator.cpp:
1480         (JSC::JSPropertyNameIterator::visitChildrenVirtual):
1481         (JSC::JSPropertyNameIterator::visitChildren):
1482         * runtime/JSPropertyNameIterator.h:
1483         * runtime/JSStaticScopeObject.cpp:
1484         (JSC::JSStaticScopeObject::visitChildrenVirtual):
1485         (JSC::JSStaticScopeObject::visitChildren):
1486         * runtime/JSStaticScopeObject.h:
1487         * runtime/JSWrapperObject.cpp:
1488         (JSC::JSWrapperObject::visitChildrenVirtual):
1489         (JSC::JSWrapperObject::visitChildren):
1490         * runtime/JSWrapperObject.h:
1491         * runtime/NativeErrorConstructor.cpp:
1492         (JSC::NativeErrorConstructor::visitChildrenVirtual):
1493         (JSC::NativeErrorConstructor::visitChildren):
1494         * runtime/NativeErrorConstructor.h:
1495         * runtime/RegExpObject.cpp:
1496         (JSC::RegExpObject::visitChildrenVirtual):
1497         (JSC::RegExpObject::visitChildren):
1498         * runtime/RegExpObject.h:
1499         * runtime/ScopeChain.cpp:
1500         (JSC::ScopeChainNode::visitChildrenVirtual):
1501         (JSC::ScopeChainNode::visitChildren):
1502         * runtime/ScopeChain.h:
1503         * runtime/Structure.cpp:
1504         (JSC::Structure::visitChildrenVirtual):
1505         (JSC::Structure::visitChildren):
1506         * runtime/Structure.h:
1507         * runtime/StructureChain.cpp:
1508         (JSC::StructureChain::visitChildrenVirtual):
1509         (JSC::StructureChain::visitChildren):
1510         * runtime/StructureChain.h:
1511
1512 2011-09-23  Oliver Hunt  <oliver@apple.com>
1513
1514         Node propagation doesn't handle PutScopedVar
1515         https://bugs.webkit.org/show_bug.cgi?id=68713
1516
1517         Reviewed by Sam Weinig.
1518
1519         This was causing assertion failures.
1520
1521         * dfg/DFGPropagator.cpp:
1522         (JSC::DFG::Propagator::propagateNodePredictions):
1523
1524 2011-09-23  Anders Carlsson  <andersca@apple.com>
1525
1526         Make sure to define OVERRIDE and FINAL for older builds of clang.
1527
1528         * wtf/Compiler.h:
1529
1530 2011-09-23  Gavin Barraclough  <barraclough@apple.com>
1531
1532         Implement op_resolve_global in the DFG JIT
1533         https://bugs.webkit.org/show_bug.cgi?id=68704
1534
1535         Reviewed by Oliver Hunt.
1536
1537         This is performance neutral, but increases coverage.
1538
1539         * dfg/DFGByteCodeParser.cpp:
1540         (JSC::DFG::ByteCodeParser::ByteCodeParser):
1541         (JSC::DFG::ByteCodeParser::parseBlock):
1542         * dfg/DFGNode.h:
1543         (JSC::DFG::Node::hasIdentifier):
1544         (JSC::DFG::Node::resolveInfoIndex):
1545         * dfg/DFGOperations.cpp:
1546         * dfg/DFGOperations.h:
1547         * dfg/DFGSpeculativeJIT.cpp:
1548         (JSC::DFG::SpeculativeJIT::compile):
1549
1550 2011-09-23  Mark Rowe  <mrowe@apple.com>
1551
1552         Define BUILDING_ON_LION / TARGETING_LION when appropriate in Platform.h.
1553
1554         * wtf/Platform.h:
1555
1556 2011-09-22  Anders Carlsson  <andersca@apple.com>
1557
1558         We should add support for OVERRIDE and FINAL annotations
1559         https://bugs.webkit.org/show_bug.cgi?id=68654
1560
1561         Reviewed by David Hyatt.
1562
1563         Add OVERRIDE and FINAL macros for compilers that support them.
1564
1565         * wtf/Compiler.h:
1566
1567 2011-09-22  Filip Pizlo  <fpizlo@apple.com>
1568
1569         GetScopedVar should have value profiling
1570         https://bugs.webkit.org/show_bug.cgi?id=68676
1571
1572         Reviewed by Oliver Hunt.
1573         
1574         Added GetScopedVar value profiling and prediction propagation.
1575         Added GetScopeChain to CSE.
1576
1577         * dfg/DFGByteCodeParser.cpp:
1578         (JSC::DFG::ByteCodeParser::parseBlock):
1579         * dfg/DFGGraph.h:
1580         (JSC::DFG::Graph::predict):
1581         * dfg/DFGNode.h:
1582         (JSC::DFG::Node::hasPrediction):
1583         * dfg/DFGPropagator.cpp:
1584         (JSC::DFG::Propagator::propagateNodePredictions):
1585         (JSC::DFG::Propagator::getScopeChainLoadElimination):
1586         (JSC::DFG::Propagator::performNodeCSE):
1587         * jit/JITPropertyAccess.cpp:
1588         (JSC::JIT::emit_op_get_scoped_var):
1589
1590 2011-09-22  Filip Pizlo  <fpizlo@apple.com>
1591
1592         PPC build fix, part 3.
1593
1594         * runtime/Executable.cpp:
1595         (JSC::FunctionExecutable::compileForConstructInternal):
1596
1597 2011-09-22  Filip Pizlo  <fpizlo@apple.com>
1598
1599         Another PPC build fix.
1600
1601         * runtime/Executable.cpp:
1602         * runtime/Executable.h:
1603
1604 2011-09-22  Dean Jackson  <dino@apple.com>
1605
1606         Add ENABLE_CSS_FILTERS
1607         https://bugs.webkit.org/show_bug.cgi?id=68652
1608
1609         Reviewed by Simon Fraser.
1610
1611         * Configurations/FeatureDefines.xcconfig:
1612
1613 2011-09-22  Gavin Barraclough  <barraclough@apple.com>
1614
1615         Incorrect this value passed to callbacks.
1616         https://bugs.webkit.org/show_bug.cgi?id=68668
1617
1618         Reviewed by Oliver Hunt.
1619
1620         From Array/String prototype function.  Should be undefined, but
1621         global object is passed instead (this is visible for strict callbacks).
1622
1623         * runtime/ArrayPrototype.cpp:
1624         (JSC::arrayProtoFuncSort):
1625         (JSC::arrayProtoFuncFilter):
1626         (JSC::arrayProtoFuncMap):
1627         (JSC::arrayProtoFuncEvery):
1628         (JSC::arrayProtoFuncForEach):
1629         (JSC::arrayProtoFuncSome):
1630         * runtime/JSArray.cpp:
1631         (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key):
1632         (JSC::JSArray::sort):
1633         * runtime/StringPrototype.cpp:
1634         (JSC::stringProtoFuncReplace):
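
The behaviour this entry fixes, as an added example that is not part of the original ChangeLog or JavaScriptCore's code: each of the listed Array/String prototype functions is called without a thisArg and the callback records the this value it received. ES5 requires undefined; a strict callback observes it directly, whereas a sloppy callback has undefined coerced to the global object, which is why the bug was only visible to strict callbacks. The recorder functions and the inputs are constructed for this example.

```javascript
// Added example, not JavaScriptCore's own code. The method names are the ones
// listed in the entry above; the arrays and string are constructed inputs.
const OBSERVED_METHODS = ["sort", "filter", "map", "every", "forEach", "some", "replace"];

// A strict-mode callback sees the this value exactly as the caller passed it:
// undefined stays undefined.
function strictRecorder(seen, name) {
  return function () {
    "use strict";
    seen[name] = this;
    return 0; // neutral return value for sort/filter/map/every/some/replace
  };
}

// A sloppy-mode callback has undefined coerced to the global object on entry
// (in a classic script; ES modules are strict throughout), so it cannot tell a
// correct undefined from an engine that wrongly passed the global object.
function sloppyRecorder(seen, name) {
  return function () {
    seen[name] = this;
    return 0;
  };
}

// Invoke each prototype method once without a thisArg and collect the this
// value the callback observed, keyed by method name.
function observeCallbackThis(makeRecorder) {
  const seen = {};
  [2, 1].sort(makeRecorder(seen, "sort")); // the comparator needs two elements
  [1].filter(makeRecorder(seen, "filter"));
  [1].map(makeRecorder(seen, "map"));
  [1].every(makeRecorder(seen, "every"));
  [1].forEach(makeRecorder(seen, "forEach"));
  [1].some(makeRecorder(seen, "some"));
  "a".replace(/a/, makeRecorder(seen, "replace")); // function replacer
  return seen;
}

// The ES5 requirement: every callback must have been called with undefined.
function allReceivedUndefined(seen) {
  return OBSERVED_METHODS.every(
    (m) => Object.prototype.hasOwnProperty.call(seen, m) && seen[m] === undefined
  );
}

// Stand-alone run: a correct engine reports true for the strict recorder.
const strictSeen = observeCallbackThis(strictRecorder);
const sloppySeen = observeCallbackThis(sloppyRecorder);
console.log("strict callbacks all received undefined:", allReceivedUndefined(strictSeen));
console.log("sloppy callbacks received the global object:",
  OBSERVED_METHODS.every((m) => sloppySeen[m] === globalThis));
```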
1635
1636 2011-09-22  Gavin Barraclough  <barraclough@apple.com>
1637
1638         Function.prototype.bind.length should be 1.
1639
1640         Rubber stamped by Oliver Hunt.
1641
1642         * runtime/FunctionPrototype.cpp:
1643         (JSC::FunctionPrototype::addFunctionProperties):
1644
1645 2011-09-22  Filip Pizlo  <fpizlo@apple.com>
1646
1647         PPC build fix.
1648
1649         * bytecode/CodeBlock.h:
1650
1651 2011-09-22  Gavin Barraclough  <barraclough@apple.com>
1652
1653         Windows build fix pt. 2
1654
1655         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1656
1657 2011-09-22  Gavin Barraclough  <barraclough@apple.com>
1658
1659         Windows build fix pt. 1
1660
1661         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1662
1663 2011-09-21  Filip Pizlo  <fpizlo@apple.com>
1664
1665         DFG JIT does not support to_primitive or strcat
1666         https://bugs.webkit.org/show_bug.cgi?id=68582
1667
1668         Reviewed by Darin Adler.
1669         
1670         This adds functional support for to_primitive and strcat. It focuses
1671         on minimizing the amount of code emitted on to_primitive (if we know
1672         that it is a primitive or can speculate cheaply, then we omit the
1673         slow path) and on keeping the implementation of strcat simple while
1674         leveraging whatever optimizations we have already. In particular,
1675         unlike the Call and Construct nodes which require extending the size
1676         of the DFG's callee registers, StrCat takes advantage of the fact
1677         that no JS code can run while StrCat is in progress and uses a
1678         scratch buffer, rather than the register file, to store the list of
1679         values to concatenate. This was done mainly to keep the code simple,
1680         but there are probably other benefits to keeping call frame sizes
1681         down. Essentially, this patch ensures that the presence of an
1682         op_strcat does not mess up any other optimizations we might do while
1683         ensuring that if you do execute it, it'll work about as well as you'd
1684         expect.
1685         
1686         When combined with the previous patch for integer division, this is a
1687         14% speed-up on Kraken. Without it, it would have been a 2% loss.
1688
1689         * assembler/AbstractMacroAssembler.h:
1690         (JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
1691         * dfg/DFGByteCodeParser.cpp:
1692         (JSC::DFG::ByteCodeParser::parseBlock):
1693         * dfg/DFGCapabilities.h:
1694         (JSC::DFG::canCompileOpcode):
1695         * dfg/DFGJITCodeGenerator.h:
1696         (JSC::DFG::JITCodeGenerator::callOperation):
1697         * dfg/DFGJITCompiler.cpp:
1698         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
1699         * dfg/DFGNode.h:
1700         * dfg/DFGOperations.cpp:
1701         * dfg/DFGOperations.h:
1702         * dfg/DFGPropagator.cpp:
1703         (JSC::DFG::Propagator::propagateNodePredictions):
1704         (JSC::DFG::Propagator::performNodeCSE):
1705         * dfg/DFGSpeculativeJIT.cpp:
1706         (JSC::DFG::SpeculativeJIT::compile):
1707         * runtime/JSGlobalData.cpp:
1708         (JSC::JSGlobalData::JSGlobalData):
1709         (JSC::JSGlobalData::~JSGlobalData):
1710         * runtime/JSGlobalData.h:
1711         (JSC::JSGlobalData::scratchBufferForSize):
1712
1713 2011-09-22  Filip Pizlo  <fpizlo@apple.com>
1714
1715         DFG JIT should support integer division
1716         https://bugs.webkit.org/show_bug.cgi?id=68597
1717
1718         Reviewed by Darin Adler.
1719         
1720         This adds support for ArithDiv speculating integer, and speculating
1721         that the result is integer (i.e. remainder = 0).
1722         
1723         This is a 4% win on Kraken and a 1% loss on V8.
1724
1725         * bytecode/CodeBlock.h:
1726         * dfg/DFGByteCodeParser.cpp:
1727         (JSC::DFG::ByteCodeParser::makeDivSafe):
1728         (JSC::DFG::ByteCodeParser::parseBlock):
1729         * dfg/DFGNode.h:
1730         (JSC::DFG::Node::hasArithNodeFlags):
1731         * dfg/DFGPropagator.cpp:
1732         (JSC::DFG::Propagator::propagateArithNodeFlags):
1733         (JSC::DFG::Propagator::propagateNodePredictions):
1734         (JSC::DFG::Propagator::fixupNode):
1735         * dfg/DFGSpeculativeJIT.cpp:
1736         (JSC::DFG::SpeculativeJIT::compile):
1737         * jit/JITArithmetic.cpp:
1738         (JSC::JIT::emit_op_div):
1739
1740 2011-09-22  Oliver Hunt  <oliver@apple.com>
1741
1742         Implement put_scoped_var in the DFG jit
1743         https://bugs.webkit.org/show_bug.cgi?id=68653
1744
1745         Reviewed by Gavin Barraclough.
1746
1747         Naive implementation of put_scoped_var.  Same story as the
1748         get_scoped_var implementation, although I've hoisted scope
1749         object acquisition into a separate dfg node.  Ideally in the
1750         future we would reuse the resolved scope chain object, but
1751         for now we don't.
1752
1753         * dfg/DFGByteCodeParser.cpp:
1754         (JSC::DFG::ByteCodeParser::parseBlock):
1755         * dfg/DFGCapabilities.h:
1756         (JSC::DFG::canCompileOpcode):
1757         * dfg/DFGNode.h:
1758         (JSC::DFG::Node::hasScopeChainDepth):
1759         (JSC::DFG::Node::scopeChainDepth):
1760         * dfg/DFGPropagator.cpp:
1761         (JSC::DFG::Propagator::propagateNodePredictions):
1762         * dfg/DFGSpeculativeJIT.cpp:
1763         (JSC::DFG::SpeculativeJIT::compile):
1764
1765 2011-09-22  Gavin Barraclough  <barraclough@apple.com>
1766
1767         Implement Function.prototype.bind
1768         https://bugs.webkit.org/show_bug.cgi?id=26382
1769
1770         Reviewed by Sam Weinig.
1771
1772         This patch provides a basic functional implementation
1773         for Function.bind. It should (hopefully!) be fully
1774         functionally correct, and the bound functions can be
1775         called quickly (since they are a subclass of
1776         JSFunction, not InternalFunction), but we'll probably
1777         want to follow up with some optimization work to keep
1778         bound calls in JIT code.
1779
1780         * JavaScriptCore.JSVALUE32_64only.exp:
1781         * JavaScriptCore.JSVALUE64only.exp:
1782         * JavaScriptCore.exp:
1783         * JavaScriptCore.xcodeproj/project.pbxproj:
1784         * jit/JITStubs.cpp:
1785         (JSC::JITThunks::hostFunctionStub):
1786         * jit/JITStubs.h:
1787         * jsc.cpp:
1788         (GlobalObject::addFunction):
1789         * runtime/CommonIdentifiers.h:
1790         * runtime/ConstructData.h:
1791         * runtime/Executable.h:
1792         (JSC::NativeExecutable::NativeExecutable):
1793         * runtime/FunctionPrototype.cpp:
1794         (JSC::FunctionPrototype::addFunctionProperties):
1795         (JSC::functionProtoFuncBind):
1796         * runtime/FunctionPrototype.h:
1797         * runtime/JSBoundFunction.cpp: Added.
1798         (JSC::boundFunctionCall):
1799         (JSC::boundFunctionConstruct):
1800         (JSC::JSBoundFunction::create):
1801         (JSC::JSBoundFunction::hasInstance):
1802         (JSC::JSBoundFunction::getOwnPropertySlot):
1803         (JSC::JSBoundFunction::getOwnPropertyDescriptor):
1804         (JSC::JSBoundFunction::JSBoundFunction):
1805         (JSC::JSBoundFunction::finishCreation):
1806         * runtime/JSBoundFunction.h: Added.
1807         (JSC::JSBoundFunction::targetFunction):
1808         (JSC::JSBoundFunction::boundThis):
1809         (JSC::JSBoundFunction::boundArgs):
1810         (JSC::JSBoundFunction::createStructure):
1811         * runtime/JSFunction.cpp:
1812         (JSC::JSFunction::create):
1813         (JSC::JSFunction::finishCreation):
1814         (JSC::createDescriptorForThrowingProperty):
1815         (JSC::JSFunction::getOwnPropertySlot):
1816         * runtime/JSFunction.h:
1817         * runtime/JSGlobalData.cpp:
1818         (JSC::JSGlobalData::getHostFunction):
1819         * runtime/JSGlobalData.h:
1820         * runtime/JSGlobalObject.cpp:
1821         (JSC::JSGlobalObject::reset):
1822         (JSC::JSGlobalObject::visitChildren):
1823         * runtime/JSGlobalObject.h:
1824         (JSC::JSGlobalObject::boundFunctionStructure):
1825         * runtime/Lookup.cpp:
1826         (JSC::setUpStaticFunctionSlot):
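
The observable Function.prototype.bind semantics described in this entry and in the earlier "Function.prototype.bind.length should be 1" entry, as an added example that is not part of the original ChangeLog or JavaScriptCore's code: a plain call uses the bound this and prepends the bound arguments, `new` ignores the bound this but keeps the bound arguments and creates an instance of the target, instanceof works against both target and bound function, and the length values follow the spec. Point and describe are constructed for this example.

```javascript
// Added example, not JavaScriptCore's own code. Point and describe are
// constructed here purely to observe bind's behaviour.
function Point(x, y) {
  this.x = x;
  this.y = y;
}
Point.prototype.sum = function () {
  return this.x + this.y;
};

// A plain call of a bound function uses boundThis and prepends boundArgs
// to the arguments of the call.
function callBound() {
  const origin = { x: 10, y: 20 };
  const describe = function (label, sep) {
    return label + sep + this.x + "," + this.y;
  };
  const bound = describe.bind(origin, "origin");
  return bound(":"); // "origin:10,20"
}

// `new` on a bound function ignores boundThis but still prepends boundArgs;
// the object is created from the target, so it inherits Point.prototype and
// instanceof against either the target or the bound function succeeds
// (the bound function's hasInstance defers to its target). Bound functions
// carry no own prototype property at all.
function constructBound() {
  const ignoredThis = { x: -1, y: -1 };
  const BoundPoint = Point.bind(ignoredThis, 3);
  const p = new BoundPoint(4);
  return {
    x: p.x, // 3, from boundArgs
    y: p.y, // 4, from the new expression
    sum: p.sum(), // 7, via Point.prototype
    isPoint: p instanceof Point, // true
    isBoundPoint: p instanceof BoundPoint, // true
    hasOwnPrototype: Object.prototype.hasOwnProperty.call(BoundPoint, "prototype"), // false
  };
}

// Length bookkeeping: bind itself declares one required parameter (thisArg),
// and a bound function's length is the target's length minus the number of
// bound arguments, never below zero.
function lengths() {
  return {
    bindLength: Function.prototype.bind.length, // 1
    pointLength: Point.length, // 2
    oneBound: Point.bind(null, 1).length, // 1
    overBound: Point.bind(null, 1, 2, 3).length, // 0
  };
}

// Stand-alone run.
console.log(callBound(), constructBound(), lengths());
```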
1827
1828 2011-09-22  Oliver Hunt  <oliver@apple.com>
1829
1830         Implement get_scoped_var in the DFG
1831         https://bugs.webkit.org/show_bug.cgi?id=68640
1832
1833         Reviewed by Gavin Barraclough.
1834
1835         Naive implementation of get_scoped_var in the DFG.  Essentially this
1836         is the bare minimum required to get correct behaviour, so there's no
1837         load/store coalescing or type profiling involved, even though these
1838         would be wins.  No impact on SunSpider or V8.
1839
1840         * dfg/DFGByteCodeParser.cpp:
1841         (JSC::DFG::ByteCodeParser::parseBlock):
1842         * dfg/DFGCapabilities.h:
1843         (JSC::DFG::canCompileOpcode):
1844         * dfg/DFGNode.h:
1845         (JSC::DFG::Node::hasVarNumber):
1846         (JSC::DFG::Node::hasScopeChainDepth):
1847         (JSC::DFG::Node::scopeChainDepth):
1848         * dfg/DFGPropagator.cpp:
1849         (JSC::DFG::Propagator::propagateNodePredictions):
1850         * dfg/DFGSpeculativeJIT.cpp:
1851         (JSC::DFG::SpeculativeJIT::compile):
1852
1853 2011-09-22  Adam Roben  <aroben@apple.com>
1854
1855         Remove FindSafari from all our .sln files
1856
1857         It isn't used anymore, so there's no point in building it.
1858
1859         Part of <http://webkit.org/b/68628> Remove FindSafari
1860
1861         Reviewed by Steve Falkenburg.
1862
1863         * JavaScriptCore.vcproj/JavaScriptCore.sln:
1864
1865 2011-09-22  Filip Pizlo  <fpizlo@apple.com>
1866
1867         32-bit call code clobbers the function cell tag
1868         https://bugs.webkit.org/show_bug.cgi?id=68606
1869
1870         Reviewed by Csaba Osztrogonác.
1871         
1872         This is a minimalistic fix: it simply emits code to restore the
1873         cell tag on the slow path, if we know that we failed due to
1874         emitCallIfNotType.
1875
1876         * jit/JITCall32_64.cpp:
1877         (JSC::JIT::compileOpCallVarargsSlowCase):
1878         (JSC::JIT::compileOpCallSlowCase):
1879
1880 2011-09-21  Gavin Barraclough  <barraclough@apple.com>
1881
1882         Add missing addPtr->add32 mapping for X86.
1883
1884         Rubber stamped by Sam Weinig.
1885
1886         * assembler/MacroAssembler.h:
1887         (JSC::MacroAssembler::addPtr):
1888
1889 2011-09-21  Gavin Barraclough  <barraclough@apple.com>
1890
1891         Add missing addDouble for AbsoluteAddress to X86
1892
1893         Rubber stamped by Geoff Garen.
1894
1895         * assembler/MacroAssemblerX86.h:
1896         (JSC::MacroAssemblerX86::addDouble):
1897         * assembler/X86Assembler.h:
1898         (JSC::X86Assembler::addsd_mr):
1899         (JSC::X86Assembler::cvtsi2sd_rr):
1900         (JSC::X86Assembler::cvtsi2sd_mr):
1901
1902 2011-09-21  Gavin Barraclough  <barraclough@apple.com>
1903
1904         Build fix following fix for bug #68586.
1905
1906         * jit/JIT.cpp:
1907         * jit/JITInlineMethods.h:
1908
1909 2011-09-21  Filip Pizlo  <fpizlo@apple.com>
1910
1911         DFG JIT should be able to compile op_throw
1912         https://bugs.webkit.org/show_bug.cgi?id=68571
1913
1914         Reviewed by Geoffrey Garen.
1915         
1916         This compiles op_throw in the simplest way possible: it's an OSR
1917         point back to the old JIT. This is a good step towards increasing
1918         coverage, particularly on Kraken, but it's neutral because the
1919         same functions that do throw also use some other unsupported
1920         opcodes.
1921
1922         * dfg/DFGByteCodeParser.cpp:
1923         (JSC::DFG::ByteCodeParser::parseBlock):
1924         * dfg/DFGCapabilities.h:
1925         (JSC::DFG::canCompileOpcode):
1926         * dfg/DFGNode.h:
1927         * dfg/DFGPropagator.cpp:
1928         (JSC::DFG::Propagator::propagateNodePredictions):
1929         * dfg/DFGSpeculativeJIT.cpp:
1930         (JSC::DFG::SpeculativeJIT::compile):
1931
1932 2011-09-21  Filip Pizlo  <fpizlo@apple.com>
1933
1934         DFG should support continuous optimization
1935         https://bugs.webkit.org/show_bug.cgi?id=68329
1936
1937         Reviewed by Geoffrey Garen.
1938         
1939         This adds the ability to reoptimize a code block if speculation
1940         failures happen frequently. 6% speed-up on Kraken, 1% slow-down
1941         on V8, neutral on SunSpider.
1942
1943         * CMakeLists.txt:
1944         * GNUmakefile.list.am:
1945         * JavaScriptCore.pro:
1946         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1947         * JavaScriptCore.vcproj/WTF/WTF.vcproj:
1948         * JavaScriptCore.xcodeproj/project.pbxproj:
1949         * bytecode/CodeBlock.cpp:
1950         (JSC::CodeBlock::CodeBlock):
1951         (JSC::ProgramCodeBlock::jettison):
1952         (JSC::EvalCodeBlock::jettison):
1953         (JSC::FunctionCodeBlock::jettison):
1954         (JSC::CodeBlock::shouldOptimizeNow):
1955         (JSC::CodeBlock::dumpValueProfiles):
1956         * bytecode/CodeBlock.h:
1957         * dfg/DFGByteCodeParser.cpp:
1958         (JSC::DFG::ByteCodeParser::getStrongPrediction):
1959         * dfg/DFGJITCompiler.cpp:
1960         (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
1961         (JSC::DFG::JITCompiler::compileEntry):
1962         (JSC::DFG::JITCompiler::compileBody):
1963         * dfg/DFGJITCompiler.h:
1964         (JSC::DFG::JITCompiler::noticeOSREntry):
1965         * dfg/DFGOSREntry.cpp:
1966         (JSC::DFG::prepareOSREntry):
1967         * dfg/DFGOSREntry.h:
1968         (JSC::DFG::getOSREntryDataBytecodeIndex):
1969         * dfg/DFGSpeculativeJIT.cpp:
1970         (JSC::DFG::SpeculativeJIT::compile):
1971         * heap/ConservativeRoots.cpp:
1972         (JSC::ConservativeRoots::ConservativeRoots):
1973         (JSC::ConservativeRoots::~ConservativeRoots):
1974         (JSC::DummyMarkHook::mark):
1975         (JSC::ConservativeRoots::genericAddPointer):
1976         (JSC::ConservativeRoots::genericAddSpan):
1977         (JSC::ConservativeRoots::add):
1978         * heap/ConservativeRoots.h:
1979         * heap/Heap.cpp:
1980         (JSC::Heap::addJettisonCodeBlock):
1981         (JSC::Heap::markRoots):
1982         * heap/Heap.h:
1983         * heap/JettisonedCodeBlocks.cpp: Added.
1984         (JSC::JettisonedCodeBlocks::JettisonedCodeBlocks):
1985         (JSC::JettisonedCodeBlocks::~JettisonedCodeBlocks):
1986         (JSC::JettisonedCodeBlocks::addCodeBlock):
1987         (JSC::JettisonedCodeBlocks::clearMarks):
1988         (JSC::JettisonedCodeBlocks::deleteUnmarkedCodeBlocks):
1989         (JSC::JettisonedCodeBlocks::traceCodeBlocks):
1990         * heap/JettisonedCodeBlocks.h: Added.
1991         (JSC::JettisonedCodeBlocks::mark):
1992         * interpreter/RegisterFile.cpp:
1993         (JSC::RegisterFile::gatherConservativeRoots):
1994         * interpreter/RegisterFile.h:
1995         * jit/JITStubs.cpp:
1996         (JSC::DEFINE_STUB_FUNCTION):
1997         * runtime/Executable.cpp:
1998         (JSC::jettisonCodeBlock):
1999         (JSC::EvalExecutable::jettisonOptimizedCode):
2000         (JSC::ProgramExecutable::jettisonOptimizedCode):
2001         (JSC::FunctionExecutable::jettisonOptimizedCodeForCall):
2002         (JSC::FunctionExecutable::jettisonOptimizedCodeForConstruct):
2003         * runtime/Executable.h:
2004         (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
2005         * wtf/BitVector.h: Added.
2006         (WTF::BitVector::BitVector):
2007         (WTF::BitVector::~BitVector):
2008         (WTF::BitVector::operator=):
2009         (WTF::BitVector::size):
2010         (WTF::BitVector::ensureSize):
2011         (WTF::BitVector::resize):
2012         (WTF::BitVector::clearAll):
2013         (WTF::BitVector::get):
2014         (WTF::BitVector::set):
2015         (WTF::BitVector::clear):
2016         (WTF::BitVector::bitsInPointer):
2017         (WTF::BitVector::maxInlineBits):
2018         (WTF::BitVector::byteCount):
2019         (WTF::BitVector::makeInlineBits):
2020         (WTF::BitVector::OutOfLineBits::numBits):
2021         (WTF::BitVector::OutOfLineBits::numWords):
2022         (WTF::BitVector::OutOfLineBits::bits):
2023         (WTF::BitVector::OutOfLineBits::create):
2024         (WTF::BitVector::OutOfLineBits::destroy):
2025         (WTF::BitVector::OutOfLineBits::OutOfLineBits):
2026         (WTF::BitVector::isInline):
2027         (WTF::BitVector::outOfLineBits):
2028         (WTF::BitVector::resizeOutOfLine):
2029         (WTF::BitVector::bits):
2030
2031 2011-09-21  Gavin Barraclough  <barraclough@apple.com>
2032
2033         Add X86 GPRInfo for DFG JIT.
2034         https://bugs.webkit.org/show_bug.cgi?id=68586
2035
2036         Reviewed by Geoff Garen.
2037
2038         * dfg/DFGGPRInfo.h:
2039         (JSC::DFG::GPRInfo::toRegister):
2040         (JSC::DFG::GPRInfo::toIndex):
2041         (JSC::DFG::GPRInfo::debugName):
2042
2043 2011-09-21  Gavin Barraclough  <barraclough@apple.com>
2044
2045         Should support value profiling on CPU(X86)
2046         https://bugs.webkit.org/show_bug.cgi?id=68575
2047
2048         Reviewed by Sam Weinig.
2049
2050         Fix verbose profiling in ToT (SlowCaseProfile had been
2051         partially renamed to RareCaseProfile), add in-memory
2052         bucket counter for CPU(X86), move JIT::m_canBeOptimized
2053         out of the DFG_JIT ifdef.
2054
2055         * bytecode/CodeBlock.cpp:
2056         (JSC::CodeBlock::resetRareCaseProfiles):
2057         (JSC::CodeBlock::dumpValueProfiles):
2058         * bytecode/CodeBlock.h:
2059         * dfg/DFGByteCodeParser.cpp:
2060         (JSC::DFG::ByteCodeParser::makeSafe):
2061         * jit/JIT.cpp:
2062         (JSC::JIT::privateCompileSlowCases):
2063         (JSC::JIT::privateCompile):
2064         * jit/JIT.h:
2065         * jit/JITInlineMethods.h:
2066         (JSC::JIT::emitValueProfilingSite):
2067
2068 2011-09-21  Filip Pizlo  <fpizlo@apple.com>
2069
2070         DFG does not support compiling functions as constructors
2071         https://bugs.webkit.org/show_bug.cgi?id=68500
2072
2073         Reviewed by Oliver Hunt.
2074         
2075         This adds support for compiling constructors to the DFG. It's a
2076         1% speed-up on V8, mostly due to a 6% speed-up on early-boyer.
2077         It's also a 13% win on access-binary-trees, but it's neutral in
2078         the SunSpider and Kraken averages.
2079
2080         * dfg/DFGByteCodeParser.cpp:
2081         (JSC::DFG::ByteCodeParser::parseBlock):
2082         * dfg/DFGCapabilities.h:
2083         (JSC::DFG::mightCompileFunctionForConstruct):
2084         (JSC::DFG::canCompileOpcode):
2085         * dfg/DFGNode.h:
2086         * dfg/DFGOperations.cpp:
2087         * dfg/DFGOperations.h:
2088         * dfg/DFGPropagator.cpp:
2089         (JSC::DFG::Propagator::propagateNodePredictions):
2090         (JSC::DFG::Propagator::performNodeCSE):
2091         * dfg/DFGSpeculativeJIT.cpp:
2092         (JSC::DFG::SpeculativeJIT::compile):
2093         * runtime/Executable.cpp:
2094         (JSC::FunctionExecutable::compileOptimizedForConstruct):
2095         (JSC::FunctionExecutable::compileForConstructInternal):
2096         * runtime/Executable.h:
2097         (JSC::FunctionExecutable::compileForConstruct):
2098         (JSC::FunctionExecutable::compileFor):
2099         (JSC::FunctionExecutable::compileOptimizedFor):
2100
2101 2011-09-21  Gavin Barraclough  <barraclough@apple.com>
2102
2103         Replace jsFunctionVPtr compares with a type check on the Structure.
2104         https://bugs.webkit.org/show_bug.cgi?id=68557
2105
2106         Reviewed by Oliver Hunt.
2107
2108         This will permit calls to still optimize to subclasses of JSFunction
2109         that have the correct type (but a different C++ vptr).
2110
2111         This patch stops passing the globalData into numerous functions.
2112
2113         * dfg/DFGByteCodeParser.cpp:
2114         (JSC::DFG::ByteCodeParser::parseBlock):
2115         * dfg/DFGGraph.h:
2116         (JSC::DFG::Graph::isFunctionConstant):
2117         (JSC::DFG::Graph::valueOfFunctionConstant):
2118         * dfg/DFGJITCompiler.h:
2119         (JSC::DFG::JITCompiler::isFunctionConstant):
2120         (JSC::DFG::JITCompiler::valueOfFunctionConstant):
2121         * dfg/DFGOperations.cpp:
2122         * interpreter/Interpreter.cpp:
2123         (JSC::Interpreter::privateExecute):
2124         * jit/JIT.h:
2125         * jit/JITCall.cpp:
2126         (JSC::JIT::compileOpCallVarargs):
2127         (JSC::JIT::compileOpCallSlowCase):
2128         * jit/JITCall32_64.cpp:
2129         (JSC::JIT::compileOpCallVarargs):
2130         (JSC::JIT::compileOpCallSlowCase):
2131         * jit/JITInlineMethods.h:
2132         (JSC::JIT::emitJumpIfNotType):
2133         * jit/JITStubs.cpp:
2134         (JSC::DEFINE_STUB_FUNCTION):
2135         * runtime/Executable.h:
2136         (JSC::isHostFunction):
2137         * runtime/JSFunction.h:
2138         (JSC::JSFunction::createStructure):
2139         * runtime/JSObject.cpp:
2140         (JSC::JSObject::put):
2141         (JSC::JSObject::putWithAttributes):
2142         * runtime/JSObject.h:
2143         (JSC::getJSFunction):
2144         (JSC::JSObject::putDirect):
2145         (JSC::JSObject::putDirectWithoutTransition):
2146         * runtime/JSType.h:
2147
2148 2011-09-21  Geoffrey Garen  <ggaren@apple.com>
2149
2150         Removed WTFTHREADDATA_MULTITHREADED, making it always true
2151         https://bugs.webkit.org/show_bug.cgi?id=68549
2152
2153         Reviewed by Darin Adler.
2154         
2155         Another part of making threads exist in WebKit.
2156
2157         * wtf/WTFThreadData.cpp:
2158         * wtf/WTFThreadData.h:
2159         (WTF::wtfThreadData):
2160
2161 2011-09-21  Dan Bernstein  <mitz@apple.com>
2162
2163         JavaScriptCore Part of: Prevent the WebKit frameworks from defining inappropriately-named Objective-C classes
2164         https://bugs.webkit.org/show_bug.cgi?id=68451
2165
2166         Reviewed by Darin Adler.
2167
2168         * JavaScriptCore.xcodeproj/project.pbxproj: Added a script build phase that invokes
2169         check-for-inappropriate-objc-class-names, allowing only class names prefixed with "JS".
2170
2171 2011-09-20  Gavin Barraclough  <barraclough@apple.com>
2172
2173         MacroAssembler fixes.
2174         https://bugs.webkit.org/show_bug.cgi?id=68494
2175
2176         Reviewed by Sam Weinig.
2177
2178         Add X86-64's 3-operand or32 to the other MacroAssemblers; fix load32's [const] void* mismatch.
2179
2180         * assembler/MacroAssembler.h:
2181         (JSC::MacroAssembler::orPtr):
2182         (JSC::MacroAssembler::loadPtr):
2183         * assembler/MacroAssemblerARM.h:
2184         (JSC::MacroAssemblerARM::or32):
2185         * assembler/MacroAssemblerARMv7.h:
2186         (JSC::MacroAssemblerARMv7::or32):
2187         * assembler/MacroAssemblerMIPS.h:
2188         (JSC::MacroAssemblerMIPS::or32):
2189         * assembler/MacroAssemblerSH4.h:
2190         (JSC::MacroAssemblerSH4::or32):
2191         (JSC::MacroAssemblerSH4::load32):
2192         * assembler/MacroAssemblerX86.h:
2193         (JSC::MacroAssemblerX86::load32):
2194         * assembler/MacroAssemblerX86_64.h:
2195         (JSC::MacroAssemblerX86_64::load32):
2196
2197 2011-09-20  Geoffrey Garen  <ggaren@apple.com>
2198
2199         Some Heap cleanup.
2200
2201         Reviewed by Beth Dakin.
2202
2203         * heap/MarkedBlock.cpp:
2204         (JSC::MarkedBlock::blessNewBlock): Removed blessNewBlockForSlowPath()
2205         because it was unused; renamed blessNewBlockForFastPath() to blessNewBlock()
2206         since there is only one now.
2207
2208         * heap/MarkedBlock.h: Removed ownerSet-related stuff since it was unused.
2209         Updated mark bit overhead calculation. Deployed atomsPerBlock in one
2210         place where we were recalculating it.
2211
2212         * heap/MarkedSpace.cpp:
2213         (JSC::MarkedSpace::addBlock): Updated for rename.
2214
2215 2011-09-20  Filip Pizlo  <fpizlo@apple.com>
2216
2217         DFG JIT always speculates integer on modulo
2218         https://bugs.webkit.org/show_bug.cgi?id=68485
2219
2220         Reviewed by Oliver Hunt.
2221         
2222         Added support for double modulo, which is a call to fmod().
2223         Also added support for recording the old JIT's statistics
2224         on op_mod and propagating them along the graph. Finally,
2225         fixed a goof in the ArithNodeFlags propagation logic that
2226         was made obvious when I started testing ArithMod.
2227
2228         * dfg/DFGByteCodeParser.cpp:
2229         (JSC::DFG::ByteCodeParser::makeSafe):
2230         (JSC::DFG::ByteCodeParser::parseBlock):
2231         * dfg/DFGNode.h:
2232         (JSC::DFG::Node::hasArithNodeFlags):
2233         * dfg/DFGPropagator.cpp:
2234         (JSC::DFG::Propagator::propagateArithNodeFlags):
2235         (JSC::DFG::Propagator::propagateNodePredictions):
2236         (JSC::DFG::Propagator::fixupNode):
2237         * dfg/DFGSpeculativeJIT.cpp:
2238         (JSC::DFG::SpeculativeJIT::compile):
2239
2240 2011-09-20  ChangSeok Oh  <shivamidow@gmail.com>
2241
2242         [GTK] requestAnimationFrame support for gtk port
2243         https://bugs.webkit.org/show_bug.cgi?id=66280
2244
2245         Reviewed by Martin Robinson.
2246
2247         Let GTK port use REQUEST_ANIMATION_FRAME_TIMER.
2248
2249         * wtf/Platform.h:
2250
2251 2011-09-20  Filip Pizlo  <fpizlo@apple.com>
2252
2253         DFG JIT performs too many negative zero checks, and too many
2254         overflow checks
2255         https://bugs.webkit.org/show_bug.cgi?id=68430
2256
2257         Reviewed by Oliver Hunt.
2258         
2259         This adds comprehensive support for deciding how to perform an
2260         arithmetic operations based on a combination of overflow profiling,
2261         negative zero profiling, value profiling, and a static analysis of
2262         how the results of these operations get used.
2263         
2264         This is a 72% speed-up on stanford-crypto-sha256-iterative, and a
2265         2.5% speed-up on the Kraken average, a 1.4% speed-up on the V8
2266         geomean, and neutral on SunSpider. It's also an 8.5% speed-up on
2267         V8-crypto, because apparently everything we do speeds up crypto.
2268
2269         * dfg/DFGByteCodeParser.cpp:
2270         (JSC::DFG::ByteCodeParser::toInt32):
2271         (JSC::DFG::ByteCodeParser::toNumber):
2272         (JSC::DFG::ByteCodeParser::isSmallInt32Constant):
2273         (JSC::DFG::ByteCodeParser::valueOfInt32Constant):
2274         (JSC::DFG::ByteCodeParser::weaklyPredictInt32):
2275         (JSC::DFG::ByteCodeParser::makeSafe):
2276         (JSC::DFG::ByteCodeParser::handleMinMax):
2277         (JSC::DFG::ByteCodeParser::handleIntrinsic):
2278         (JSC::DFG::ByteCodeParser::parseBlock):
2279         (JSC::DFG::ByteCodeParser::processPhiStack):
2280         (JSC::DFG::ByteCodeParser::parse):
2281         * dfg/DFGGraph.cpp:
2282         (JSC::DFG::Graph::dump):
2283         * dfg/DFGJITCodeGenerator.cpp:
2284         (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
2285         * dfg/DFGNode.h:
2286         (JSC::DFG::nodeUsedAsNumber):
2287         (JSC::DFG::nodeCanTruncateInteger):
2288         (JSC::DFG::nodeCanIgnoreNegativeZero):
2289         (JSC::DFG::nodeCanSpeculateInteger):
2290         (JSC::DFG::arithNodeFlagsAsString):
2291         (JSC::DFG::Node::Node):
2292         (JSC::DFG::Node::hasArithNodeFlags):
2293         (JSC::DFG::Node::rawArithNodeFlags):
2294         (JSC::DFG::Node::arithNodeFlags):
2295         (JSC::DFG::Node::arithNodeFlagsForCompare):
2296         (JSC::DFG::Node::setArithNodeFlag):
2297         (JSC::DFG::Node::mergeArithNodeFlags):
2298         * dfg/DFGPropagator.cpp:
2299         (JSC::DFG::Propagator::fixpoint):
2300         (JSC::DFG::Propagator::isNotNegZero):
2301         (JSC::DFG::Propagator::isNotZero):
2302         (JSC::DFG::Propagator::propagateArithNodeFlags):
2303         (JSC::DFG::Propagator::propagateArithNodeFlagsForward):
2304         (JSC::DFG::Propagator::propagateArithNodeFlagsBackward):
2305         (JSC::DFG::Propagator::propagateNodePredictions):
2306         (JSC::DFG::Propagator::propagatePredictionsForward):
2307         (JSC::DFG::Propagator::propagatePredictionsBackward):
2308         (JSC::DFG::Propagator::toDouble):
2309         (JSC::DFG::Propagator::fixupNode):
2310         (JSC::DFG::Propagator::fixup):
2311         (JSC::DFG::Propagator::startIndexForChildren):
2312         (JSC::DFG::Propagator::endIndexForPureCSE):
2313         (JSC::DFG::Propagator::pureCSE):
2314         (JSC::DFG::Propagator::clobbersWorld):
2315         (JSC::DFG::Propagator::setReplacement):
2316         (JSC::DFG::Propagator::performNodeCSE):
2317         (JSC::DFG::Propagator::localCSE):
2318         * dfg/DFGSpeculativeJIT.cpp:
2319         (JSC::DFG::SpeculativeJIT::compile):
2320         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
2321
2322 2011-09-19  Oliver Hunt  <oliver@apple.com>
2323
2324         Refactor Heap allocation logic into separate AllocationSpace class
2325         https://bugs.webkit.org/show_bug.cgi?id=68409
2326
2327         Reviewed by Gavin Barraclough.
2328
2329         This patch hoists direct manipulation of the MarkedSpace and related
2330         data out of Heap and into a separate class.  This will allow us to
2331         have multiple allocation spaces in future, so easing the way towards
2332         having GC'd backing stores for objects.
2333
2334         * CMakeLists.txt:
2335         * GNUmakefile.list.am:
2336         * JavaScriptCore.exp:
2337         * JavaScriptCore.gypi:
2338         * JavaScriptCore.pro:
2339         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2340         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2341         * JavaScriptCore.xcodeproj/project.pbxproj:
2342         * debugger/Debugger.cpp:
2343         (JSC::Debugger::recompileAllJSFunctions):
2344         * heap/AllocationSpace.cpp: Added.
2345         (JSC::AllocationSpace::tryAllocate):
2346         (JSC::AllocationSpace::allocateSlowCase):
2347         (JSC::AllocationSpace::allocateBlock):
2348         (JSC::AllocationSpace::freeBlocks):
2349         (JSC::TakeIfEmpty::TakeIfEmpty):
2350         (JSC::TakeIfEmpty::operator()):
2351         (JSC::TakeIfEmpty::returnValue):
2352         (JSC::AllocationSpace::shrink):
2353         * heap/AllocationSpace.h: Added.
2354         (JSC::AllocationSpace::AllocationSpace):
2355         (JSC::AllocationSpace::blocks):
2356         (JSC::AllocationSpace::sizeClassFor):
2357         (JSC::AllocationSpace::setHighWaterMark):
2358         (JSC::AllocationSpace::highWaterMark):
2359         (JSC::AllocationSpace::canonicalizeBlocks):
2360         (JSC::AllocationSpace::resetAllocator):
2361         (JSC::AllocationSpace::forEachCell):
2362         (JSC::AllocationSpace::forEachBlock):
2363         (JSC::AllocationSpace::allocate):
2364         * heap/Heap.cpp:
2365         (JSC::Heap::Heap):
2366         (JSC::Heap::reportExtraMemoryCostSlowCase):
2367         (JSC::Heap::getConservativeRegisterRoots):
2368         (JSC::Heap::markRoots):
2369         (JSC::Heap::clearMarks):
2370         (JSC::Heap::sweep):
2371         (JSC::Heap::objectCount):
2372         (JSC::Heap::size):
2373         (JSC::Heap::capacity):
2374         (JSC::Heap::globalObjectCount):
2375         (JSC::Heap::objectTypeCounts):
2376         (JSC::Heap::collect):
2377         (JSC::Heap::canonicalizeBlocks):
2378         (JSC::Heap::resetAllocator):
2379         (JSC::Heap::freeBlocks):
2380         (JSC::Heap::shrink):
2381         * heap/Heap.h:
2382         (JSC::Heap::objectSpace):
2383         (JSC::Heap::sizeClassForObject):
2384         (JSC::Heap::allocate):
2385         * jit/JITInlineMethods.h:
2386         (JSC::JIT::emitAllocateBasicJSObject):
2387         * runtime/JSGlobalData.cpp:
2388         (JSC::JSGlobalData::recompileAllJSFunctions):
2389         (JSC::JSGlobalData::releaseExecutableMemory):
2390
2391 2011-09-19  Geoffrey Garen  <ggaren@apple.com>
2392
2393         Removed BREWMP* platform #ifdefs
2394         https://bugs.webkit.org/show_bug.cgi?id=68425
2395         
2396         BREWMP* has no maintainer, and this is dead code.
2397
2398         Reviewed by Darin Adler.
2399
2400         * heap/MarkStack.h:
2401         (JSC::::shrinkAllocation):
2402         * jit/ExecutableAllocator.h:
2403         (JSC::ExecutableAllocator::cacheFlush):
2404         * runtime/TimeoutChecker.cpp:
2405         (JSC::getCPUTime):
2406         * wtf/Assertions.cpp:
2407         * wtf/Assertions.h:
2408         * wtf/CurrentTime.cpp:
2409         * wtf/DateMath.cpp:
2410         (WTF::calculateUTCOffset):
2411         * wtf/FastMalloc.cpp:
2412         (WTF::fastMalloc):
2413         (WTF::fastCalloc):
2414         (WTF::fastMallocSize):
2415         * wtf/FastMalloc.h:
2416         * wtf/MainThread.cpp:
2417         * wtf/MathExtras.h:
2418         * wtf/OwnPtrCommon.h:
2419         * wtf/Platform.h:
2420         * wtf/RandomNumber.cpp:
2421         (WTF::randomNumber):
2422         * wtf/RandomNumberSeed.h:
2423         (WTF::initializeRandomNumberGenerator):
2424         * wtf/text/WTFString.h:
2425         * wtf/unicode/Unicode.h:
2426
2427 2011-09-20  Adam Roben  <aroben@apple.com>
2428
2429         Windows build fix after r95523
2430
2431         * wtf/CheckedArithmetic.h: Added stdint.h so we can have int64_t defined.
2432
2433 2011-09-18  Filip Pizlo  <fpizlo@apple.com>
2434
2435         DFG JIT does not speculate aggressively enough on GetById
2436         https://bugs.webkit.org/show_bug.cgi?id=68320
2437
2438         Reviewed by Oliver Hunt.
2439         
2440         This adds the ability to access properties directly, by offset.
2441         This optimization kicks in when at the time of DFG compilation,
2442         it appears that the given get_by_id is self-cached by the old JIT.
2443         Two new opcodes get introduced: CheckStructure and GetByOffset.
2444         CheckStructure performs a speculation check on the object's
2445         structure, and returns the storage pointer. GetByOffset performs
2446         a direct read of the field from the storage pointer. Both
2447         CheckStructure and GetByOffset can be CSE'd, so that we can
2448         eliminate redundant structure checks, and redundant reads of the
2449         same field.
2450         
2451         This is a 4% speed-up on V8, a 2% slow-down on Kraken, and
2452         neutral on SunSpider.
2453
2454         * bytecode/PredictedType.cpp:
2455         (JSC::predictionFromClassInfo):
2456         (JSC::predictionFromStructure):
2457         (JSC::predictionFromCell):
2458         * bytecode/PredictedType.h:
2459         * dfg/DFGByteCodeParser.cpp:
2460         (JSC::DFG::ByteCodeParser::parseBlock):
2461         * dfg/DFGGenerationInfo.h:
2462         (JSC::DFG::dataFormatToString):
2463         (JSC::DFG::needDataFormatConversion):
2464         (JSC::DFG::GenerationInfo::initStorage):
2465         (JSC::DFG::GenerationInfo::spill):
2466         (JSC::DFG::GenerationInfo::fillStorage):
2467         * dfg/DFGGraph.h:
2468         (JSC::DFG::Graph::predict):
2469         (JSC::DFG::Graph::getPrediction):
2470         * dfg/DFGJITCodeGenerator.cpp:
2471         (JSC::DFG::JITCodeGenerator::fillInteger):
2472         (JSC::DFG::JITCodeGenerator::fillDouble):
2473         (JSC::DFG::JITCodeGenerator::fillJSValue):
2474         (JSC::DFG::JITCodeGenerator::fillStorage):
2475         (JSC::DFG::GPRTemporary::GPRTemporary):
2476         * dfg/DFGJITCodeGenerator.h:
2477         (JSC::DFG::JITCodeGenerator::silentSpillGPR):
2478         (JSC::DFG::JITCodeGenerator::silentFillGPR):
2479         (JSC::DFG::JITCodeGenerator::spill):
2480         (JSC::DFG::JITCodeGenerator::storageResult):
2481         (JSC::DFG::StorageOperand::StorageOperand):
2482         (JSC::DFG::StorageOperand::~StorageOperand):
2483         (JSC::DFG::StorageOperand::index):
2484         (JSC::DFG::StorageOperand::gpr):
2485         (JSC::DFG::StorageOperand::use):
2486         * dfg/DFGNode.h:
2487         (JSC::DFG::OpInfo::OpInfo):
2488         (JSC::DFG::Node::Node):
2489         (JSC::DFG::Node::hasPrediction):
2490         (JSC::DFG::Node::hasStructure):
2491         (JSC::DFG::Node::structure):
2492         (JSC::DFG::Node::hasStorageAccessData):
2493         (JSC::DFG::Node::storageAccessDataIndex):
2494         * dfg/DFGPropagator.cpp:
2495         (JSC::DFG::Propagator::propagateNode):
2496         (JSC::DFG::Propagator::globalVarLoadElimination):
2497         (JSC::DFG::Propagator::getMethodLoadElimination):
2498         (JSC::DFG::Propagator::checkStructureLoadElimination):
2499         (JSC::DFG::Propagator::getByOffsetLoadElimination):
2500         (JSC::DFG::Propagator::performNodeCSE):
2501         * dfg/DFGSpeculativeJIT.cpp:
2502         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
2503         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2504         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2505         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2506         (JSC::DFG::SpeculativeJIT::compile):
2507         * wtf/StdLibExtras.h:
2508         (WTF::safeCast):
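
Added example, not JavaScriptCore code: a small model of the CheckStructure / GetByOffset scheme described in the GetById entry above (bug 68320). All names (Structure, ModelObject, compileGet, eliminateRedundantChecks, readAroundSideEffect) are hypothetical; the point it shows is why a structure check can be CSE'd within straight-line code but must be re-done after anything that can change objects, since a stale offset otherwise reads whatever now sits in that slot.

```javascript
// Hypothetical model (not the DFG's code): an object carries a structure
// describing its layout, properties live at fixed offsets in storage, and a
// cached read is valid only while the structure still matches the one the
// read was compiled against.

class SpeculationFailure extends Error {}

let nextStructureId = 1;

class Structure {
  constructor(offsets = new Map()) {
    this.id = nextStructureId++;   // identity is what CheckStructure compares
    this.offsets = offsets;        // property name -> slot in storage
  }
  offsetOf(name) {
    return this.offsets.has(name) ? this.offsets.get(name) : -1;
  }
  // Adding a property transitions to a fresh structure with a new id.
  withProperty(name) {
    const offsets = new Map(this.offsets);
    offsets.set(name, offsets.size);
    return new Structure(offsets);
  }
}

class ModelObject {
  constructor() { this.structure = new Structure(); this.storage = []; }
  put(name, value) {
    if (this.structure.offsetOf(name) < 0)
      this.structure = this.structure.withProperty(name);
    this.storage[this.structure.offsetOf(name)] = value;
  }
  // Removing a property rebuilds the layout and compacts storage, so every
  // remaining property may move to a different offset.
  remove(name) {
    let s = new Structure();
    const storage = [];
    for (const [n, off] of this.structure.offsets) {
      if (n === name) continue;
      s = s.withProperty(n);
      storage[s.offsetOf(n)] = this.storage[off];
    }
    this.structure = s;
    this.storage = storage;
  }
}

// A self-cached get_by_id compiled into the two node kinds from the entry.
function compileGet(structure, name) {
  const offset = structure.offsetOf(name);
  return {
    checkStructure(obj) {          // speculation check; bails on mismatch
      if (obj.structure.id !== structure.id) throw new SpeculationFailure();
      return obj.storage;          // yields the storage pointer
    },
    getByOffset(storage) {         // direct slot read, no further checks
      return storage[offset];
    },
  };
}

// Local CSE over a straight-line node list: a CheckStructure on the same
// object against the same structure is redundant unless a node that can
// change objects (modelled here as "Call") has run since the previous one.
function eliminateRedundantChecks(nodes) {
  const kept = [];
  let known = new Set();           // "obj:structureId" pairs proven to hold
  for (const n of nodes) {
    if (n.op === "Call") { known = new Set(); kept.push(n); continue; }
    if (n.op === "CheckStructure") {
      const key = `${n.obj}:${n.structureId}`;
      if (known.has(key)) continue;  // eliminated as redundant
      known.add(key);
    }
    kept.push(n);
  }
  return kept;
}

// Run a cached read before and after a side effect. Re-checking catches the
// changed layout as a speculation failure; skipping the check reads a stale
// offset and silently returns whatever (if anything) is in that slot now.
function readAroundSideEffect(recheck) {
  const obj = new ModelObject();
  obj.put("x", "x-value");
  obj.put("y", "y-value");
  const get = compileGet(obj.structure, "y");   // y compiled at offset 1
  const first = get.getByOffset(get.checkStructure(obj));
  obj.remove("x");                              // side effect: y moves to offset 0
  try {
    const storage = recheck ? get.checkStructure(obj) : obj.storage;
    return { first, second: get.getByOffset(storage) };
  } catch (e) {
    if (e instanceof SpeculationFailure) return { first, second: "speculation-failed" };
    throw e;
  }
}
```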
2509
2510 2011-09-19  Mark Hahnenberg  <mhahnenberg@apple.com>
2511
2512         Remove toPrimitive from JSCell
2513         https://bugs.webkit.org/show_bug.cgi?id=67875
2514
2515         Reviewed by Darin Adler.
2516
2517         Part of the refactoring process to un-virtualize JSCell.  We move 
2518         all of the implicit functionality provided by the virtual toPrimitive method 
2519         in JSCell to be explicit in JSValue::toPrimitive and JSCell::toPrimitive while 
2520         also de-virtualizing JSCell::toPrimitive.
2521
2522         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2523         * runtime/JSCell.cpp:
2524         (JSC::JSCell::toPrimitive):
2525         * runtime/JSCell.h:
2526
2527         We replace JSNotAnObject::toPrimitive with defaultValue, which it overrides from 
2528         JSObject.  This pushes the virtual method further down, enabling us to get rid 
2529         of the virtual call in JSCell.  Eventually we'll probably have to deal with this
2530         again, but we'll cross that bridge when we come to it.
2531         * runtime/JSNotAnObject.cpp:
2532         (JSC::JSNotAnObject::defaultValue):
2533         * runtime/JSNotAnObject.h:
2534         * runtime/JSObject.h:
2535         * runtime/JSString.h:
2536
2537 2011-09-19  Geoffrey Garen  <ggaren@apple.com>
2538
2539         Removed ENABLE_LAZY_BLOCK_FREEING and related #ifdefs
2540         https://bugs.webkit.org/show_bug.cgi?id=68424
2541
2542         As discussed on webkit-dev. All ports build with threads enabled in JSC now.
2543         
2544         This may break WinCE and other ports that have not built and tested with
2545         this configuration. I've filed bugs for port maintainers. It's time for
2546         WebKit to move forward.
2547
2548         Reviewed by Mark Rowe.
2549
2550         * heap/Heap.cpp:
2551         (JSC::Heap::Heap):
2552         (JSC::Heap::~Heap):
2553         (JSC::Heap::destroy):
2554         (JSC::Heap::blockFreeingThreadMain):
2555         (JSC::Heap::allocateBlock):
2556         (JSC::Heap::freeBlocks):
2557         (JSC::Heap::releaseFreeBlocks):
2558         * heap/Heap.h:
2559         * wtf/Platform.h:
2560
2561 2011-09-19  Geoffrey Garen  <ggaren@apple.com>
2562
2563         Removed ENABLE_WTF_MULTIPLE_THREADS and related #ifdefs
2564         https://bugs.webkit.org/show_bug.cgi?id=68423
2565
2566         As discussed on webkit-dev. All ports build with threads enabled in WTF now.
2567         
2568         This may break WinCE and other ports that have not built and tested with
2569         this configuration. I've filed bugs for port maintainers. It's time for
2570         WebKit to move forward.
2571
2572         Reviewed by Mark Rowe.
2573
2574         * wtf/CryptographicallyRandomNumber.cpp:
2575         (WTF::ARC4Stream::ARC4RandomNumberGenerator::randomNumber):
2576         (WTF::ARC4Stream::ARC4RandomNumberGenerator::randomValues):
2577         * wtf/FastMalloc.cpp:
2578         * wtf/Platform.h:
2579         * wtf/RandomNumber.cpp:
2580         (WTF::randomNumber):
2581         * wtf/RefCountedLeakCounter.cpp:
2582         (WTF::RefCountedLeakCounter::increment):
2583         (WTF::RefCountedLeakCounter::decrement):
2584         * wtf/ThreadingPthreads.cpp:
2585         (WTF::initializeThreading):
2586         * wtf/ThreadingWin.cpp:
2587         (WTF::initializeThreading):
2588         * wtf/dtoa.cpp:
2589         (WTF::pow5mult):
2590         * wtf/gtk/ThreadingGtk.cpp:
2591         (WTF::initializeThreading):
2592         * wtf/qt/ThreadingQt.cpp:
2593         (WTF::initializeThreading):
2594
2595 2011-09-19  Geoffrey Garen  <ggaren@apple.com>
2596
2597         Removed ENABLE_JSC_MULTIPLE_THREADS and related #ifdefs.
2598         https://bugs.webkit.org/show_bug.cgi?id=68422
2599         
2600         As discussed on webkit-dev. All ports build with threads enabled in JSC now.
2601         
2602         This may break WinCE and other ports that have not built and tested with
2603         this configuration. I've filed bugs for port maintainers. It's time for
2604         WebKit to move forward.
2605
2606         Reviewed by Sam Weinig.
2607
2608         * API/APIShims.h:
2609         (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock):
2610         * API/JSContextRef.cpp:
2611         * heap/MachineStackMarker.cpp:
2612         (JSC::MachineThreads::MachineThreads):
2613         (JSC::MachineThreads::~MachineThreads):
2614         (JSC::MachineThreads::gatherConservativeRoots):
2615         * heap/MachineStackMarker.h:
2616         * runtime/InitializeThreading.cpp:
2617         (JSC::initializeThreadingOnce):
2618         (JSC::initializeThreading):
2619         * runtime/JSGlobalData.cpp:
2620         (JSC::JSGlobalData::sharedInstance):
2621         * runtime/JSGlobalData.h:
2622         (JSC::JSGlobalData::makeUsableFromMultipleThreads):
2623         * runtime/JSLock.cpp:
2624         * runtime/Structure.cpp:
2625         * wtf/Platform.h:
2626
2627 2011-09-19  Sheriff Bot  <webkit.review.bot@gmail.com>
2628
2629         Unreviewed, rolling out r95493 and r95496.
2630         http://trac.webkit.org/changeset/95493
2631         http://trac.webkit.org/changeset/95496
2632         https://bugs.webkit.org/show_bug.cgi?id=68418
2633
2634         Broke Windows build (Requested by rniwa on #webkit).
2635
2636         * CMakeLists.txt:
2637         * GNUmakefile.list.am:
2638         * JavaScriptCore.exp:
2639         * JavaScriptCore.gypi:
2640         * JavaScriptCore.pro:
2641         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2642         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2643         * JavaScriptCore.xcodeproj/project.pbxproj:
2644         * debugger/Debugger.cpp:
2645         (JSC::Debugger::recompileAllJSFunctions):
2646         * heap/AllocationSpace.cpp: Removed.
2647         * heap/AllocationSpace.h: Removed.
2648         * heap/Heap.cpp:
2649         (JSC::CountFunctor::TakeIfEmpty::TakeIfEmpty):
2650         (JSC::CountFunctor::TakeIfEmpty::operator()):
2651         (JSC::CountFunctor::TakeIfEmpty::returnValue):
2652         (JSC::Heap::Heap):
2653         (JSC::Heap::reportExtraMemoryCostSlowCase):
2654         (JSC::Heap::tryAllocate):
2655         (JSC::Heap::allocateSlowCase):
2656         (JSC::Heap::getConservativeRegisterRoots):
2657         (JSC::Heap::markRoots):
2658         (JSC::Heap::clearMarks):
2659         (JSC::Heap::sweep):
2660         (JSC::Heap::objectCount):
2661         (JSC::Heap::size):
2662         (JSC::Heap::capacity):
2663         (JSC::Heap::globalObjectCount):
2664         (JSC::Heap::objectTypeCounts):
2665         (JSC::Heap::collect):
2666         (JSC::Heap::canonicalizeBlocks):
2667         (JSC::Heap::resetAllocator):
2668         (JSC::Heap::allocateBlock):
2669         (JSC::Heap::freeBlocks):
2670         (JSC::Heap::shrink):
2671         * heap/Heap.h:
2672         (JSC::Heap::markedSpace):
2673         (JSC::Heap::forEachCell):
2674         (JSC::Heap::forEachBlock):
2675         (JSC::Heap::sizeClassFor):
2676         (JSC::Heap::allocate):
2677         * jit/JITInlineMethods.h:
2678         (JSC::JIT::emitAllocateBasicJSObject):
2679         * runtime/JSGlobalData.cpp:
2680         (JSC::JSGlobalData::recompileAllJSFunctions):
2681         (JSC::JSGlobalData::releaseExecutableMemory):
2682
2683 2011-09-19  Gavin Barraclough  <barraclough@apple.com>
2684
2685         Errrk, missed stylebot comments in last commit.
2686
2687         * runtime/StringPrototype.cpp:
2688         (JSC::stringProtoFuncSplit):
2689
2690 2011-09-19  Gavin Barraclough  <barraclough@apple.com>
2691
2692         String#split is buggy
2693         https://bugs.webkit.org/show_bug.cgi?id=68348
2694
2695         Reviewed by Sam Weinig.
2696
2697         * runtime/StringPrototype.cpp:
2698         (JSC::jsStringWithReuse):
2699             - added helper function to reuse original JSString value.
2700         (JSC::stringProtoFuncSplit):
2701             - Rewritten from the spec.
2702         * tests/mozilla/ecma/String/15.5.4.8-2.js:
2703         (getTestCases):
2704             - This test is not ES5 compliant.
2705
2706 2011-09-19  Geoffrey Garen  <ggaren@apple.com>
2707
2708         Removed lots of friend declarations from JSCell, so we can more
2709         effectively make use of private and protected.
2710
2711         Reviewed by Sam Weinig.
2712
2713         * runtime/JSCell.h: Removed MSVCBugWorkaround because it was a lot of
2714         confusion for not much safety.
2715         (JSC::JSCell::operator new): Made this public because it is used by a
2716         few clients, and not really dangerous.
2717
2718         * runtime/JSObject.cpp:
2719         (JSC::JSObject::put):
2720         (JSC::JSObject::deleteProperty):
2721         (JSC::JSObject::defineGetter):
2722         (JSC::JSObject::defineSetter):
2723         (JSC::JSObject::getPropertySpecificValue):
2724         (JSC::JSObject::getOwnPropertyNames):
2725         (JSC::JSObject::seal):
2726         (JSC::JSObject::freeze):
2727         (JSC::JSObject::preventExtensions):
2728         (JSC::JSObject::removeDirect):
2729         (JSC::JSObject::createInheritorID):
2730         (JSC::JSObject::allocatePropertyStorage):
2731         (JSC::JSObject::getOwnPropertyDescriptor):
2732         * runtime/JSObject.h:
2733         (JSC::JSObject::getDirect):
2734         (JSC::JSObject::getDirectLocation):
2735         (JSC::JSObject::hasCustomProperties):
2736         (JSC::JSObject::hasGetterSetterProperties):
2737         (JSC::JSObject::isSealed):
2738         (JSC::JSObject::isFrozen):
2739         (JSC::JSObject::isExtensible):
2740         (JSC::JSObject::flattenDictionaryObject):
2741         (JSC::JSObject::finishCreation):
2742         (JSC::JSObject::prototype):
2743         (JSC::JSObject::setPrototype):
2744         (JSC::JSObject::inlineGetOwnPropertySlot):
2745         (JSC::JSCell::fastGetOwnProperty):
2746         (JSC::JSObject::putDirectInternal):
2747         (JSC::JSObject::putDirectWithoutTransition):
2748         (JSC::JSObject::transitionTo):
2749         (JSC::JSObject::visitChildrenDirect): Changed all use of m_structure to
2750         structure() / setStructure(), so we don't have to be a friend of JSCell.
2751
2752         * runtime/Structure.h:
2753         (JSC::JSCell::setStructure): Added, to avoid direct access by JSObject
2754         to JSCell::m_structure.
2755
2756 2011-09-19  Adam Barth  <abarth@webkit.org>
2757
2758         Always enable ENABLE(EVENTSOURCE)
2759         https://bugs.webkit.org/show_bug.cgi?id=68414
2760
2761         Reviewed by Eric Seidel.
2762
2763         * Configurations/FeatureDefines.xcconfig:
2764
2765 2011-09-19  Eli Fidler  <efidler@rim.com>
2766
2767         Enable JSC_MULTIPLE_THREADS for OS(QNX).
2768         https://bugs.webkit.org/show_bug.cgi?id=68047
2769
2770         Reviewed by Daniel Bates.
2771
2772         SA_RESTART was required for SIGUSR2-based debugging, but is not
2773         present on QNX. This debugging doesn't seem critical to
2774         JSC_MULTIPLE_THREADS, so allow it to proceed.
2775
2776         * heap/MachineStackMarker.cpp:
2777         (JSC::MachineThreads::Thread::Thread):
2778         (JSC::getPlatformThreadRegisters):
2779         (JSC::otherThreadStackPointer):
2780         (JSC::freePlatformThreadRegisters):
2781         * wtf/Platform.h: enable PTHREADS for OS(QNX)
2782
2783 2011-09-19  Oliver Hunt  <oliver@apple.com>
2784
2785         Windows build fix.
2786
2787         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2788
2789 2011-09-19  Oliver Hunt  <oliver@apple.com>
2790
2791         Refactor Heap allocation logic into separate AllocationSpace class
2792         https://bugs.webkit.org/show_bug.cgi?id=68409
2793
2794         Reviewed by Gavin Barraclough.
2795
2796         This patch hoists direct manipulation of the MarkedSpace and related
2797         data out of Heap and into a separate class.  This will allow us to
2798         have multiple allocation spaces in future, so easing the way towards
2799         having GC'd backing stores for objects.
2800
2801         * CMakeLists.txt:
2802         * GNUmakefile.list.am:
2803         * JavaScriptCore.exp:
2804         * JavaScriptCore.gypi:
2805         * JavaScriptCore.pro:
2806         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2807         * JavaScriptCore.xcodeproj/project.pbxproj:
2808         * debugger/Debugger.cpp:
2809         (JSC::Debugger::recompileAllJSFunctions):
2810         * heap/AllocationSpace.cpp: Added.
2811         (JSC::AllocationSpace::tryAllocate):
2812         (JSC::AllocationSpace::allocateSlowCase):
2813         (JSC::AllocationSpace::allocateBlock):
2814         (JSC::AllocationSpace::freeBlocks):
2815         (JSC::TakeIfEmpty::TakeIfEmpty):
2816         (JSC::TakeIfEmpty::operator()):
2817         (JSC::TakeIfEmpty::returnValue):
2818         (JSC::AllocationSpace::shrink):
2819         * heap/AllocationSpace.h: Added.
2820         (JSC::AllocationSpace::AllocationSpace):
2821         (JSC::AllocationSpace::blocks):
2822         (JSC::AllocationSpace::sizeClassFor):
2823         (JSC::AllocationSpace::setHighWaterMark):
2824         (JSC::AllocationSpace::highWaterMark):
2825         (JSC::AllocationSpace::canonicalizeBlocks):
2826         (JSC::AllocationSpace::resetAllocator):
2827         (JSC::AllocationSpace::forEachCell):
2828         (JSC::AllocationSpace::forEachBlock):
2829         (JSC::AllocationSpace::allocate):
2830         * heap/Heap.cpp:
2831         (JSC::Heap::Heap):
2832         (JSC::Heap::reportExtraMemoryCostSlowCase):
2833         (JSC::Heap::getConservativeRegisterRoots):
2834         (JSC::Heap::markRoots):
2835         (JSC::Heap::clearMarks):
2836         (JSC::Heap::sweep):
2837         (JSC::Heap::objectCount):
2838         (JSC::Heap::size):
2839         (JSC::Heap::capacity):
2840         (JSC::Heap::globalObjectCount):
2841         (JSC::Heap::objectTypeCounts):
2842         (JSC::Heap::collect):
2843         (JSC::Heap::canonicalizeBlocks):
2844         (JSC::Heap::resetAllocator):
2845         (JSC::Heap::freeBlocks):
2846         (JSC::Heap::shrink):
2847         * heap/Heap.h:
2848         (JSC::Heap::objectSpace):
2849         (JSC::Heap::sizeClassForObject):
2850         (JSC::Heap::allocate):
2851         * jit/JITInlineMethods.h:
2852         (JSC::JIT::emitAllocateBasicJSObject):
2853         * runtime/JSGlobalData.cpp:
2854         (JSC::JSGlobalData::recompileAllJSFunctions):
2855         (JSC::JSGlobalData::releaseExecutableMemory):
2856
2857 2011-09-19  Adam Roben  <aroben@apple.com>
2858
2859         Windows build fix after r95310
2860
2861         * JavaScriptCore.vcproj/testRegExp/testRegExpCommon.vsprops: Added
2862         include\private\JavaScriptCore to the include path so DFGIntrinsic.h can be found.
2863
2864 2011-09-19  Filip Pizlo  <fpizlo@apple.com>
2865
2866         DFG speculation failures should act as additional value profiles
2867         https://bugs.webkit.org/show_bug.cgi?id=68335
2868
2869         Reviewed by Oliver Hunt.
2870         
2871         This adds slow-case counters to the old JIT. It also ensures that
2872         negative zero in multiply is handled carefully. The old JIT
2873         previously took slow path if the result of a multiply was zero,
2874         which, without any changes, would cause the DFG to think that
2875         every such multiply produced a double result.
2876         
2877         This also fixes a bug in the old JIT's handling of decrements. It
2878         would take the slow path if the result was zero, but not if it
2879         underflowed.
2880         
2881         By itself, this would be a 1% slow-down on V8 and Kraken. But then
2882         I wrote optimizations in the DFG that take advantage of this new
2883         information. It's no longer the case that every multiply needs to
2884         do a check for negative zero; it only happens if the negative
2885         zero is ignored.
2886         
2887         This results in a 12% speed-up on v8-crypto, for a 1.4% geomean
2888         speed-up in V8. It's mostly neutral on Kraken. I can see a
2889         0.5% slow-down and it appears to be significant.
2890
2891         * bytecode/CodeBlock.cpp:
2892         (JSC::CodeBlock::resetRareCaseProfiles):
2893         (JSC::CodeBlock::dumpValueProfiles):
2894         * bytecode/CodeBlock.h:
2895         * bytecode/ValueProfile.h:
2896         (JSC::RareCaseProfile::RareCaseProfile):
2897         (JSC::getRareCaseProfileBytecodeOffset):
2898         * dfg/DFGByteCodeParser.cpp:
2899         (JSC::DFG::ByteCodeParser::toInt32):
2900         (JSC::DFG::ByteCodeParser::makeSafe):
2901         (JSC::DFG::ByteCodeParser::parseBlock):
2902         * dfg/DFGJITCodeGenerator.cpp:
2903         (JSC::DFG::GPRTemporary::GPRTemporary):
2904         * dfg/DFGJITCodeGenerator.h:
2905         * dfg/DFGNode.h:
2906         * dfg/DFGPropagator.cpp:
2907         (JSC::DFG::Propagator::propagateNode):
2908         (JSC::DFG::Propagator::fixupNode):
2909         (JSC::DFG::Propagator::clobbersWorld):
2910         (JSC::DFG::Propagator::performNodeCSE):
2911         * dfg/DFGSpeculativeJIT.cpp:
2912         (JSC::DFG::SpeculativeJIT::compile):
2913         (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
2914         * jit/JIT.cpp:
2915         (JSC::JIT::privateCompileSlowCases):
2916         * jit/JIT.h:
2917         (JSC::JIT::linkDummySlowCase):
2918         * jit/JITArithmetic.cpp:
2919         (JSC::JIT::emit_op_post_dec):
2920         (JSC::JIT::emit_op_pre_dec):
2921         (JSC::JIT::compileBinaryArithOp):
2922         (JSC::JIT::emit_op_add):
2923         (JSC::JIT::emitSlow_op_add):
2924         * jit/JITInlineMethods.h:
2925         (JSC::JIT::addSlowCase):
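
Added example, not JavaScriptCore code: a model of the reasoning in the two DFG arithmetic entries above (bugs 68430 and 68335), in which an int32 multiply or decrement needs a negative-zero or overflow check only if some consumer of its result can observe the difference, and the baseline JIT's slow-case counts say whether int32 speculation is worth attempting. The names Use, requiredChecks, mulInt32, decInt32, observe and chooseStrategy, and the 10% threshold, are hypothetical.

```javascript
// Hypothetical model (not the DFG's code) of "decide how to perform an
// arithmetic operation from profiling plus how the result gets used".

const INT32_MIN = -2147483648;
const INT32_MAX = 2147483647;

// Kinds of consumer. Bitwise operators apply ToInt32, which maps -0 to 0
// and wraps overflowed values, so they cannot observe either condition.
const Use = Object.freeze({
  BITWISE: "bitwise",   // x | 0, x & m, x >> s
  COMPARE: "compare",   // x === 0, x < y: -0 equals +0, but magnitude matters
  NUMBER: "number",     // 1 / x, x / y, Object.is(x, -0): full double semantics
});

// Derive the checks an int32 op needs from how its result is used
// (the "static analysis of how the results get used" in the entry).
function requiredChecks(uses) {
  const usedAsNumber = uses.includes(Use.NUMBER);
  const usedInCompare = uses.includes(Use.COMPARE);
  return {
    negativeZero: usedAsNumber,                  // only 1/x-style uses see -0
    overflow: usedAsNumber || usedInCompare,     // truncating uses wrap anyway
  };
}

// Checked int32 multiply, reporting both conditions the entries discuss.
function mulInt32(a, b) {
  const exact = a * b;                           // exact while |a*b| < 2^53
  const overflow = exact < INT32_MIN || exact > INT32_MAX;
  const negativeZero = Object.is(exact, -0);     // e.g. -3 * 0
  return { value: overflow ? exact | 0 : exact, overflow, negativeZero };
}

// Checked int32 decrement. The baseline-JIT bug in the second entry took
// the slow path on a zero result but not on underflow; both are flagged here.
function decInt32(a) {
  const underflow = a === INT32_MIN;
  const value = underflow ? INT32_MAX : a - 1;   // two's-complement wrap
  return { value, underflow, zero: value === 0 };
}

// What each consumer kind actually observes of a raw product.
function observe(product) {
  return {
    bitwise: product | 0,            // -0 -> 0, 2^32 -> 0
    reciprocal: 1 / product,         // -Infinity exposes -0
    isNegZero: Object.is(product, -0),
  };
}

// Pick a code-generation strategy from the baseline JIT's rare-case
// (slow-path) counter plus the use analysis. The threshold is hypothetical.
function chooseStrategy(rareCaseHits, totalHits, uses) {
  const ratio = totalHits > 0 ? rareCaseHits / totalHits : 0;
  if (ratio > 0.1) return "double";              // int32 speculation would keep failing
  const checks = requiredChecks(uses);
  if (!checks.overflow && !checks.negativeZero) return "int32-unchecked";
  return "int32-checked";
}
```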
2926
2927 2011-09-19  Adam Roben  <aroben@apple.com>
2928
2929         Windows build fix after r94575
2930
2931         * JavaScriptCore.vcproj/JavaScriptCore.sln: Relinearized project dependencies. testRegExp
2932         now builds just before FindSafari.
2933
2934 2011-09-19  Sheriff Bot  <webkit.review.bot@gmail.com>
2935
2936         Unreviewed, rolling out r95466.
2937         http://trac.webkit.org/changeset/95466
2938         https://bugs.webkit.org/show_bug.cgi?id=68389
2939
2940         Incorrect version of the patch. (Requested by mhahnenberg on
2941         #webkit).
2942
2943         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2944         * runtime/JSCell.cpp:
2945         (JSC::JSCell::toPrimitive):
2946         * runtime/JSCell.h:
2947         (JSC::JSCell::JSValue::toPrimitive):
2948         * runtime/JSNotAnObject.cpp:
2949         (JSC::JSNotAnObject::toPrimitive):
2950         * runtime/JSNotAnObject.h:
2951         * runtime/JSObject.h:
2952         * runtime/JSString.h:
2953
2954 2011-09-19  Mark Hahnenberg  <mhahnenberg@apple.com>
2955
2956         Remove toPrimitive from JSCell
2957         https://bugs.webkit.org/show_bug.cgi?id=67875
2958
2959         Reviewed by Geoffrey Garen.
2960
2961         Part of the refactoring process to un-virtualize JSCell.  We move
2962         all of the implicit functionality provided by the virtual toPrimitive method
2963         in JSCell to be explicit in JSValue::toPrimitive and JSCell::toPrimitive while
2964         also de-virtualizing JSCell::toPrimitive.
2965
2966         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2967         * runtime/JSCell.cpp:
2968         (JSC::JSCell::toPrimitive):
2969         * runtime/JSCell.h:
2970
2971         We replace JSNotAnObject::toPrimitive with defaultValue, which it overrides from 
2972         JSObject.  This pushes the virtual method further down, enabling us to get rid 
2973         of the virtual call in JSCell.  Eventually we'll probably have to deal with this
2974         again, but we'll cross that bridge when we come to it.
2975         * runtime/JSNotAnObject.cpp:
2976         (JSC::JSNotAnObject::defaultValue):
2977         * runtime/JSNotAnObject.h:
2978         * runtime/JSObject.h:
2979         * runtime/JSString.h:
2980         (JSC::JSValue::toPrimitive):
2981
2982 2011-09-19  Oliver Hunt  <oliver@apple.com>
2983
2984         Build fix.
2985
2986         * jit/JITPropertyAccess32_64.cpp:
2987         (JSC::JIT::compileGetDirectOffset):
2988
2989 2011-09-19  Oliver Hunt  <oliver@apple.com>
2990
2991         Rename NewSpace.{h,cpp} to MarkedSpace.{h,cpp}
2992         https://bugs.webkit.org/show_bug.cgi?id=68376
2993
2994         Reviewed by Gavin Barraclough.
2995
2996         Renamed the MarkedSpace files to match the new name, and
2997         updated the relevant references.
2998
2999         * CMakeLists.txt:
3000         * GNUmakefile.list.am:
3001         * JavaScriptCore.gypi:
3002         * JavaScriptCore.pro:
3003         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
3004         * JavaScriptCore.xcodeproj/project.pbxproj:
3005         * heap/Heap.h:
3006         * heap/MarkedSpace.cpp: Renamed from Source/JavaScriptCore/heap/NewSpace.cpp.
3007         (JSC::MarkedSpace::MarkedSpace):
3008         (JSC::MarkedSpace::addBlock):
3009         (JSC::MarkedSpace::removeBlock):
3010         (JSC::MarkedSpace::resetAllocator):
3011         (JSC::MarkedSpace::canonicalizeBlocks):
3012         * heap/MarkedSpace.h: Renamed from Source/JavaScriptCore/heap/NewSpace.h.
3013         (JSC::MarkedSpace::waterMark):
3014         (JSC::MarkedSpace::highWaterMark):
3015         (JSC::MarkedSpace::setHighWaterMark):
3016         (JSC::MarkedSpace::sizeClassFor):
3017         (JSC::MarkedSpace::allocate):
3018         (JSC::MarkedSpace::forEachBlock):
3019         (JSC::MarkedSpace::SizeClass::SizeClass):
3020         (JSC::MarkedSpace::SizeClass::resetAllocator):
3021         (JSC::MarkedSpace::SizeClass::canonicalizeBlock):
3022         * runtime/JSCell.h:
3023
3024 2011-09-19  Oliver Hunt  <oliver@apple.com>
3025
3026         Rename NewSpace to MarkedSpace
3027         https://bugs.webkit.org/show_bug.cgi?id=68375
3028
3029         Reviewed by Gavin Barraclough.
3030
3031         Rename NewSpace to a more accurate name, and update all uses.
3032         This patch doesn't rename the files themselves as that will
3033         just make the patch appear bigger than it is.
3034
3035         * JavaScriptCore.exp:
3036         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
3037         * heap/Heap.cpp:
3038         (JSC::CountFunctor::TakeIfEmpty::TakeIfEmpty):
3039         (JSC::CountFunctor::TakeIfEmpty::operator()):
3040         (JSC::Heap::Heap):
3041         (JSC::Heap::reportExtraMemoryCostSlowCase):
3042         (JSC::Heap::tryAllocate):
3043         (JSC::Heap::allocateSlowCase):
3044         (JSC::Heap::collect):
3045         (JSC::Heap::canonicalizeBlocks):
3046         (JSC::Heap::resetAllocator):
3047         (JSC::Heap::isValidAllocation):
3048         (JSC::Heap::shrink):
3049         * heap/Heap.h:
3050         (JSC::Heap::markedSpace):
3051         (JSC::Heap::sizeClassFor):
3052         (JSC::Heap::allocate):
3053         * heap/NewSpace.cpp:
3054         (JSC::MarkedSpace::MarkedSpace):
3055         (JSC::MarkedSpace::addBlock):
3056         (JSC::MarkedSpace::removeBlock):
3057         (JSC::MarkedSpace::resetAllocator):
3058         (JSC::MarkedSpace::canonicalizeBlocks):
3059         * heap/NewSpace.h:
3060         (JSC::MarkedSpace::waterMark):
3061         (JSC::MarkedSpace::highWaterMark):
3062         (JSC::MarkedSpace::setHighWaterMark):
3063         (JSC::MarkedSpace::sizeClassFor):
3064         (JSC::MarkedSpace::allocate):
3065         (JSC::MarkedSpace::forEachBlock):
3066         (JSC::MarkedSpace::SizeClass::SizeClass):
3067         (JSC::MarkedSpace::SizeClass::resetAllocator):
3068         (JSC::MarkedSpace::SizeClass::canonicalizeBlock):
3069         * jit/JITInlineMethods.h:
3070         (JSC::JIT::emitAllocateBasicJSObject):
3071
3072 2011-09-19  Peter Rybin  <peter.rybin@gmail.com>
3073
3074         TextPosition refactoring: Merge ZeroBasedNumber and OneBasedNumber classes
3075         https://bugs.webkit.org/show_bug.cgi?id=63541
3076
3077         Reviewed by Adam Barth.
3078
3079         * parser/SourceProvider.h:
3080         (JSC::SourceProvider::startPosition):
3081         * wtf/text/TextPosition.h:
3082         (WTF::OrdinalNumber::fromZeroBasedInt):
3083         (WTF::OrdinalNumber::fromOneBasedInt):
3084         (WTF::OrdinalNumber::OrdinalNumber):
3085         (WTF::OrdinalNumber::zeroBasedInt):
3086         (WTF::OrdinalNumber::oneBasedInt):
3087         (WTF::OrdinalNumber::operator==):
3088         (WTF::OrdinalNumber::operator!=):
3089         (WTF::OrdinalNumber::first):
3090         (WTF::OrdinalNumber::beforeFirst):
3091         (WTF::TextPosition::TextPosition):
3092         (WTF::TextPosition::minimumPosition):
3093         (WTF::TextPosition::belowRangePosition):
3094
3095 2011-09-19  Dan Bernstein  <mitz@apple.com>
3096
3097         JavaScriptCore part of [mac] WebKit contains Objective-C classes that are not prefixed with its standard prefixes
3098         https://bugs.webkit.org/show_bug.cgi?id=68323
3099
3100         Reviewed by Sam Weinig.
3101
3102         Renamed WTFMainThreadCaller to JSWTFMainThreadCaller.
3103
3104         * wtf/mac/MainThreadMac.mm:
3105         (WTF::initializeMainThreadPlatform):
3106         (WTF::initializeMainThreadToProcessMainThreadPlatform):
3107
3108 2011-09-19  Oliver Hunt  <oliver@apple.com>
3109
3110         Remove direct property slot pointers from the instruction stream
3111         https://bugs.webkit.org/show_bug.cgi?id=68373
3112
3113         Reviewed by Gavin Barraclough.
3114
3115         Use an indirect load to access prototype properties rather than directly
3116         storing the property address in the instruction stream.  This should allow
3117         further optimisations in future, and also provides a 0.5% win to SunSpider.
3118
3119         * dfg/DFGRepatch.cpp:
3120         (JSC::DFG::generateProtoChainAccessStub):
3121         * jit/JITPropertyAccess.cpp:
3122         (JSC::JIT::compileGetDirectOffset):
3123         * jit/JITPropertyAccess32_64.cpp:
3124         (JSC::JIT::compileGetDirectOffset):
3125         * runtime/JSObject.h:
3126         (JSC::JSObject::addressOfPropertyStorage):
3127
3128 2011-09-19  Oliver Hunt  <oliver@apple.com>
3129
3130         Remove bump allocator
3131         https://bugs.webkit.org/show_bug.cgi?id=68370
3132
3133         Reviewed by Sam Weinig.
3134
3135         Can't do anything with this allocator currently, and it's
3136         increasing the complexity of the GC code.  Slight progression
3137         on SunSpider, slight regression (undoing the original progression)
3138         in V8.
3139
3140         * heap/Heap.cpp:
3141         (JSC::Heap::collect):
3142         * heap/Heap.h:
3143         * heap/NewSpace.cpp:
3144         (JSC::NewSpace::NewSpace):
3145         * heap/NewSpace.h:
3146         (JSC::NewSpace::allocate):
3147         * runtime/JSObject.cpp:
3148         (JSC::JSObject::allocatePropertyStorage):
3149         * runtime/JSObject.h:
3150         (JSC::JSObject::~JSObject):
3151         (JSC::JSObject::visitChildrenDirect):
3152         * runtime/StorageBarrier.h:
3153         (JSC::StorageBarrier::set):
3154
3155 2011-09-19  Carlos Garcia Campos  <cgarcia@igalia.com>
3156
3157         [GTK] Fix distcheck build
3158         https://bugs.webkit.org/show_bug.cgi?id=68346
3159
3160         Reviewed by Philippe Normand.
3161
3162         * GNUmakefile.list.am:
3163
3164 2011-09-19  Carlos Garcia Campos  <cgarcia@igalia.com>
3165
3166         [GTK] Fix distcheck build
3167         https://bugs.webkit.org/show_bug.cgi?id=68241
3168
3169         Reviewed by Martin Robinson.
3170
3171         * GNUmakefile.list.am:
3172
3173 2011-09-18  Dan Bernstein  <mitz@apple.com>
3174
3175         Removed ProfilerServer.
3176
3177         Reviewed by Mark Rowe.
3178
3179         * JavaScriptCore.gypi:
3180         * JavaScriptCore.xcodeproj/project.pbxproj:
3181         * profiler/ProfilerServer.h: Removed.
3182         * profiler/ProfilerServer.mm: Removed.
3183         * runtime/JSGlobalData.cpp:
3184         (JSC::JSGlobalData::JSGlobalData):
3185         * wscript:
3186
3187 2011-09-17  Filip Pizlo  <fpizlo@apple.com>
3188
3189         DFG JIT should inline Math.min, Math.max, and Math.sqrt
3190         https://bugs.webkit.org/show_bug.cgi?id=68318
3191
3192         Reviewed by Gavin Barraclough.
3193         
3194         Adds Math.min, Math.max, and Math.sqrt intrinsics. Adds support for
3195         a function to have an intrinsic but not a thunk generator. This is
3196         a 7% speed-up on access-nbody, and neutral elsewhere, mainly because
3197         we're still not DFG compiling the bulk of the hot code in Kraken audio
3198         benchmarks.
3199
3200         * create_hash_table:
3201         * dfg/DFGByteCodeParser.cpp:
3202         (JSC::DFG::ByteCodeParser::handleMinMax):
3203         (JSC::DFG::ByteCodeParser::handleIntrinsic):
3204         * dfg/DFGIntrinsic.h:
3205         * dfg/DFGNode.h:
3206         * dfg/DFGPropagator.cpp:
3207         (JSC::DFG::Propagator::propagateNode):
3208         (JSC::DFG::Propagator::fixupNode):
3209         * dfg/DFGSpeculativeJIT.cpp:
3210         (JSC::DFG::SpeculativeJIT::compile):
3211         * jit/JITStubs.cpp:
3212         (JSC::JITThunks::hostFunctionStub):
3213         * runtime/Lookup.cpp:
3214         (JSC::setUpStaticFunctionSlot):
3215
3216 2011-09-18  Nico Weber  <thakis@chromium.org>
3217
3218         Remove two files from JavaScriptCore.gypi that were removed in r95240
3219         https://bugs.webkit.org/show_bug.cgi?id=68327
3220
3221         Unreviewed, build warning fix.
3222
3223         * JavaScriptCore.gypi:
3224
3225 2011-09-17  Oliver Hunt  <oliver@apple.com>
3226
3227         Remove special case handling of inline storage from the JIT
3228         https://bugs.webkit.org/show_bug.cgi?id=68319
3229
3230         Reviewed by Gavin Barraclough.
3231
3232         Simplify logic used for reading and writing to property storage
3233         by removing the special cases for inline storage.  This has no
3234         perf impact.
3235
3236         * dfg/DFGRepatch.cpp:
3237         (JSC::DFG::generateProtoChainAccessStub):
3238         (JSC::DFG::tryBuildGetByIDList):
3239         * jit/JIT.h:
3240         * jit/JITPropertyAccess.cpp:
3241         (JSC::JIT::compilePutDirectOffset):
3242         (JSC::JIT::compileGetDirectOffset):
3243         (JSC::JIT::privateCompilePutByIdTransition):
3244         (JSC::JIT::privateCompileGetByIdSelfList):
3245         * jit/JITPropertyAccess32_64.cpp:
3246         (JSC::JIT::compilePutDirectOffset):
3247         (JSC::JIT::compileGetDirectOffset):
3248         (JSC::JIT::privateCompilePutByIdTransition):
3249         (JSC::JIT::privateCompileGetByIdSelfList):
3250
3251 2011-09-17  Filip Pizlo  <fpizlo@apple.com>
3252
3253         DFG JIT does not have full block-local CSE
3254         https://bugs.webkit.org/show_bug.cgi?id=68316
3255
3256         Reviewed by Oliver Hunt.
3257         
3258         This adds block-local CSE to the DFG. CSE runs in the propagator just after
3259         type propagation. It is part of the propagator itself because it needs to
3260         use the propagator's internal data structures to determine which operations
3261         may have side effects. Because it changes the live-ranges of nodes, the
3262         virtual register allocator had to be moved into the propagator so that it
3263         runs after CSE. To ensure that the back-end knows to keep the inputs to
3264         any eliminated node alive for OSR, a new node type, Phantom, was introduced.
3265         It is a no-op but prolongs the live-range of its inputs.
3266         
3267         This is an 80% speed-up on imaging-gaussian-blur, and a 10% speed-up on
3268         Kraken.
3269         
3270         * JavaScriptCore.xcodeproj/project.pbxproj:
3271         * dfg/DFGAliasTracker.h: Removed.
3272         * dfg/DFGByteCodeParser.cpp:
3273         (JSC::DFG::ByteCodeParser::parseBlock):
3274         (JSC::DFG::ByteCodeParser::parse):
3275         * dfg/DFGGraph.cpp:
3276         (JSC::DFG::Graph::dump):
3277         * dfg/DFGGraph.h:
3278         (JSC::DFG::MethodCheckData::operator==):
3279         (JSC::DFG::MethodCheckData::operator!=):
3280         * dfg/DFGNode.h:
3281         (JSC::DFG::Node::hasVirtualRegister):
3282         (JSC::DFG::Node::setRefCount):
3283         * dfg/DFGPropagator.cpp:
3284         (JSC::DFG::Propagator::Propagator):
3285         (JSC::DFG::Propagator::fixpoint):
3286         (JSC::DFG::Propagator::propagateNode):
3287         (JSC::DFG::Propagator::canonicalize):
3288         (JSC::DFG::Propagator::computeStartIndex):
3289         (JSC::DFG::Propagator::startIndex):
3290         (JSC::DFG::Propagator::pureCSE):
3291         (JSC::DFG::Propagator::globalVarLoadElimination):
3292         (JSC::DFG::Propagator::getByValLoadElimination):
3293         (JSC::DFG::Propagator::getMethodLoadElimination):
3294         (JSC::DFG::Propagator::performSubstitution):
3295         (JSC::DFG::Propagator::setReplacement):
3296         (JSC::DFG::Propagator::performNodeCSE):
3297         (JSC::DFG::Propagator::performBlockCSE):
3298         (JSC::DFG::Propagator::localCSE):
3299         (JSC::DFG::Propagator::allocateVirtualRegisters):
3300         (JSC::DFG::propagate):
3301         * dfg/DFGSpeculativeJIT.cpp:
3302         (JSC::DFG::SpeculativeJIT::compile):
3303
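The entry above describes block-local CSE in terms of three pieces: a table that matches a node against an earlier node computing the same thing, knowledge of which operations clobber the world (so cached loads become stale), and a Phantom node that replaces an eliminated node while keeping its inputs live. The block below is an added example written for this page, not JavaScriptCore code; it implements those three pieces over a constructed toy IR so the mechanics can be stepped through. The opcode names, the `{n: idx}` reference shape and the `OPS` property table are assumptions of the example; the DFG's own pass in DFGPropagator.cpp differs in detail (it also interacts with the virtual register allocator, which this sketch omits).

```javascript
// Added example, not JavaScriptCore code: a generic block-local CSE pass over
// a tiny straight-line IR. Nodes are {op, args}; an arg is either a literal
// (local name, constant) or a reference {n: index} to an earlier node.

// Opcode properties for the toy IR (assumed, not the DFG's classification):
// pure ops never observe the heap, so a match survives a clobber; loads can
// only be matched while no clobbering op has run since they were computed.
// There is no SetLocal in this IR, so GetLocal is treated as pure.
const OPS = {
  GetLocal: { pure: true },
  Add:      { pure: true },
  Mul:      { pure: true },
  GetByVal: { pure: false, load: true },
  Call:     { pure: false, clobbers: true },
  PutByVal: { pure: false, clobbers: true },
  Return:   { pure: false },
  Phantom:  { pure: false },   // no-op that keeps its inputs alive
};

const isRef = (a) => a !== null && typeof a === 'object' && 'n' in a;

// Follow the replacement chain so a use of an eliminated node ends up
// pointing at the surviving equivalent.
function resolve(idx, replacement) {
  while (replacement.has(idx)) idx = replacement.get(idx);
  return idx;
}

// Build the lookup key from the opcode and the canonical inputs.
function keyFor(node) {
  const parts = node.args.map((a) => (isRef(a) ? 'n' + a.n : JSON.stringify(a)));
  return node.op + '(' + parts.join(',') + ')';
}

// Performs block-local CSE in place and returns the number of nodes
// eliminated. Eliminated nodes become Phantoms with their (substituted)
// inputs intact, mirroring the role the entry gives to Phantom.
function localCSE(block) {
  const table = new Map();        // key -> index of the first node computing it
  const replacement = new Map();  // eliminated index -> surviving index
  let eliminated = 0;

  block.forEach((node, i) => {
    // Substitute uses first, so keys are built from canonical inputs.
    node.args = node.args.map((a) => (isRef(a) ? { n: resolve(a.n, replacement) } : a));
    const info = OPS[node.op];

    if (info.clobbers) {
      // Anything that read the heap is stale once the world is clobbered.
      for (const [key, idx] of table) {
        if (OPS[block[idx].op].load) table.delete(key);
      }
      return;
    }
    if (!info.pure && !info.load) return;   // not a candidate for matching

    const key = keyFor(node);
    const prev = table.get(key);
    if (prev === undefined) {
      table.set(key, i);
      return;
    }
    replacement.set(i, prev);
    node.op = 'Phantom';   // computes nothing; inputs stay live for OSR
    eliminated++;
  });
  return eliminated;
}

// Constructed block: the second Add is redundant even across the Call, but
// the second GetByVal is not, because the Call may have written the array.
function runExample() {
  const block = [
    { op: 'GetLocal', args: ['x'] },                 // n0
    { op: 'GetLocal', args: ['y'] },                 // n1
    { op: 'Add',      args: [{ n: 0 }, { n: 1 }] },  // n2
    { op: 'GetByVal', args: [{ n: 0 }, 3] },         // n3  x[3]
    { op: 'Call',     args: ['f'] },                 // n4  clobbers world
    { op: 'GetLocal', args: ['x'] },                 // n5  -> Phantom, replaced by n0
    { op: 'Add',      args: [{ n: 5 }, { n: 1 }] },  // n6  -> Phantom, replaced by n2
    { op: 'GetByVal', args: [{ n: 0 }, 3] },         // n7  survives: load clobbered by n4
    { op: 'Return',   args: [{ n: 6 }, { n: 7 }] },  // n8  uses rewritten to n2, n7
  ];
  const eliminated = localCSE(block);
  return { eliminated, block };
}

console.log(JSON.stringify(runExample(), null, 1));
```

Running it shows n5 and n6 turned into Phantoms whose args still name n0 and n1, the Return's first operand redirected to n2, and n7 left alone because the Call between the two loads invalidated the cached GetByVal.
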
3304 2011-09-16  Filip Pizlo  <fpizlo@apple.com>
3305
3306         method_check should repatch itself if it finds that the new structure(s)
3307         are the result of transitions from the old structure(s)
3308         https://bugs.webkit.org/show_bug.cgi?id=68294
3309
3310         Reviewed by Gavin Barraclough.
3311         
3312         Previously a patched method_check would slow-path to get_by_id. Now it
3313         slow-paths to method_check_update, which attempts to correct the
3314         method_check due to structure transitions before bailing to get_by_id.
3315         
3316         This is a 1-2% speed-up on some benchmarks and is not a slow-down
3317         anywhere, leading to a 0.6% speed-up on the Kraken geomean.
3318
3319         * jit/JITPropertyAccess.cpp:
3320         (JSC::JIT::patchMethodCallProto):
3321         * jit/JITStubs.cpp:
3322         (JSC::DEFINE_STUB_FUNCTION):
3323         * jit/JITStubs.h:
3324         * runtime/Structure.h:
3325         (JSC::Structure::transitivelyTransitionedFrom):
3326
3327 2011-09-16  Ryosuke Niwa  <rniwa@webkit.org>
3328
3329         Touch Platform.h in the hope to fix SnowLeopard Intel Release (WebKit2 Tests).
3330
3331         * wtf/Platform.h:
3332
3333 2011-09-16  Sam Weinig  <sam@webkit.org>
3334
3335         Rename APIValueWrapper type to APIValueWrapperType for consistency
3336         https://bugs.webkit.org/show_bug.cgi?id=68306
3337
3338         Reviewed by Anders Carlsson.
3339
3340         * runtime/JSAPIValueWrapper.h:
3341         (JSC::JSAPIValueWrapper::createStructure):
3342         Update name.
3343
3344         * runtime/JSType.h:
3345         Update name and un-indent.
3346
3347         * runtime/Structure.h:
3348         (JSC::JSCell::isAPIValueWrapper):
3349         Update name.
3350
3351 2011-09-16  Sam Weinig  <sam@webkit.org>
3352
3353         Remove unused isStrictModeFunction function
3354         https://bugs.webkit.org/show_bug.cgi?id=68305
3355
3356         Reviewed by Anders Carlsson.
3357
3358         * runtime/JSObject.h:
3359         (JSC::JSObject::isStrictModeFunction):
3360
3361 2011-09-16  Sam Weinig  <sam@webkit.org>
3362
3363         Cleanup JSTypeInfo a bit
3364         https://bugs.webkit.org/show_bug.cgi?id=68289
3365
3366         Reviewed by Anders Carlsson.
3367
3368         * dfg/DFGOperations.cpp:
3369         * jit/JITStubs.cpp:
3370         (JSC::DEFINE_STUB_FUNCTION):
3371         Replace direct access to flags() with predicate.
3372
3373         * runtime/JSObject.h:
3374         (JSC::JSFinalObject::createStructure):
3375         Pass FinalObjectType instead of using special IsJSFinalObject.
3376
3377         * runtime/JSTypeInfo.h:
3378         (JSC::TypeInfo::TypeInfo):
3379         Add an additional assert that no object should have OverridesHasInstance set but not ImplementsHasInstance.
3380
3381         (JSC::TypeInfo::isFinalObject):
3382         Added.
3383
3384         (JSC::TypeInfo::masqueradesAsUndefined):
3385         (JSC::TypeInfo::implementsHasInstance):
3386         (JSC::TypeInfo::isEnvironmentRecord):
3387         (JSC::TypeInfo::overridesHasInstance):
3388         (JSC::TypeInfo::implementsDefaultHasInstance):
3389         (JSC::TypeInfo::overridesGetOwnPropertySlot):
3390         (JSC::TypeInfo::overridesVisitChildren):
3391         (JSC::TypeInfo::overridesGetPropertyNames):
3392         (JSC::TypeInfo::prohibitsPropertyCaching):
3393         (JSC::TypeInfo::isSetOnFlags1):
3394         (JSC::TypeInfo::isSetOnFlags2):
3395         Replace direct bit twiddling with helper functions.
3396
3397         * runtime/Structure.cpp:
3398         (JSC::Structure::Structure):
3399         Use new isFinalObject() predicate.
3400
3401 2011-09-16  Gavin Barraclough  <barraclough@apple.com>
3402
3403         Unsigned bit shift fails under certain conditions in 32 bit builds
3404         https://bugs.webkit.org/show_bug.cgi?id=68166
3405
3406         Reviewed by Geoff Garen.
3407
3408         The major bug here is that the slow case (which handles shifts of
3409         doubles) doesn't check for negative results from an unsigned shift
3410         (which should be unsigned, and as such can't be represented by a
3411         signed integer immediate).  The implementation is also flawed for
3412         shifts by negative shift amounts (treats as shift by zero).
3413
3414         * jit/JITArithmetic32_64.cpp:
3415         (JSC::JIT::emitRightShift):
3416         (JSC::JIT::emitRightShiftSlowCase):
3417
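The two failure modes named in the entry above (an unsigned result whose sign bit is set, and a negative shift amount) are easiest to check against a reference that follows the ECMAScript definition of `>>>` step by step: both operands go through ToUint32, the shift count is masked to five bits, and the result is an unsigned 32-bit value. The block below is an added example written for this page, not JavaScriptCore code or a test from the project; it generalises beyond the 32-bit slow path by applying that rule to every operand kind, and compares the engine running it against the reference on constructed inputs. The function names and the case list are the example's own.

```javascript
// Added example, not JavaScriptCore code: a reference implementation of
// ECMAScript's unsigned right shift, used to check the engine's native >>>.

// ToUint32 as ECMAScript specifies it: NaN and Infinity map to 0, everything
// else is truncated toward zero and reduced modulo 2^32 into [0, 2^32).
function toUint32(x) {
  const n = Number(x);
  if (!Number.isFinite(n)) return 0;
  const t = Math.trunc(n);
  const m = t % 4294967296;            // sign follows t, so fix up below
  return m < 0 ? m + 4294967296 : m;
}

// Reference >>>: the count is ToUint32(rhs) & 0x1F, so a negative count wraps
// (1 >>> -1 is 1 >>> 31, not 1 >>> 0), and the result is a logical shift of
// an unsigned value, which may exceed the signed int32 range.
function unsignedShiftRight(lhs, rhs) {
  const value = toUint32(lhs);
  const count = toUint32(rhs) & 0x1f;
  return Math.floor(value / Math.pow(2, count));
}

// Constructed cases (not from the bug report): double operands that force a
// slow path, results that do not fit a signed int32 immediate, and negative
// or oversized shift counts. Each entry is [lhs, rhs].
const cases = [
  [-1, 0],            // 4294967295: sign bit set, not a signed int32
  [-1.5, 0],          // double lhs truncates to -1 first
  [4294967295.9, 1],  // double above the int32 range
  [1, -1],            // negative count: -1 & 31 == 31, result 0
  [8, -31],           // -31 & 31 == 1, result 4
  [2147483648, 0],    // 2^31 stays 2^31, not -2^31
  [1.5, 32],          // count 32 & 31 == 0, result 1
  [NaN, 3],           // ToUint32(NaN) == 0
];

// Compare the engine's native >>> against the reference on every case and
// return the mismatches; an empty list means the engine agrees with the spec.
function findMismatches(pairs) {
  const bad = [];
  for (const [lhs, rhs] of pairs) {
    const native = lhs >>> rhs;
    const expected = unsignedShiftRight(lhs, rhs);
    if (native !== expected) bad.push({ lhs, rhs, native, expected });
  }
  return bad;
}

console.log(findMismatches(cases));
```

A non-empty list from `findMismatches` is exactly the symptom the entry describes: an engine that treats the unsigned result as a signed immediate would report a negative `native` for the `-1 >>> 0` case, and one that treats a negative count as zero would return 1 instead of 0 for `1 >>> -1`.
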
3418 2011-09-16  Geoffrey Garen  <ggaren@apple.com>
3419
3420         Removed undetectable style.filter.
3421
3422         Reviewed by Sam Weinig.
3423         
3424         This feature was added in http://trac.webkit.org/changeset/15557 to
3425         support housingmaps.com. But housingmaps.com no longer needs this hack,
3426         we don't know of other websites that need it, and we don't know of
3427         any other browsers that have implemented this feature.
3428
3429         * GNUmakefile.list.am:
3430         * JavaScriptCore.gypi:
3431         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
3432         * JavaScriptCore.xcodeproj/project.pbxproj:
3433         * runtime/JSTypeInfo.h:
3434         * runtime/StringObjectThatMasqueradesAsUndefined.h: Removed.
3435
3436 2011-09-15  Sam Weinig  <sam@webkit.org>
3437
3438         Prepare JSTypes for more Object subtypes
3439         https://bugs.webkit.org/show_bug.cgi?id=68200
3440
3441         Reviewed by Gavin Barraclough.
3442
3443         * dfg/DFGJITCompiler.h:
3444         (JSC::DFG::JITCompiler::branchIfNotObject):
3445         * jit/JITInlineMethods.h:
3446         (JSC::JIT::emitJumpIfNotObject):
3447         * runtime/JSGlobalObject.h:
3448         (JSC::Structure::prototypeForLookup):
3449         * runtime/JSObject.h:
3450         (JSC::JSObject::finishCreation):
3451         * runtime/JSType.h:
3452         * runtime/JSTypeInfo.h:
3453         (JSC::TypeInfo::type):
3454         (JSC::TypeInfo::isObject):
3455         (JSC::TypeInfo::isFinal):
3456         (JSC::TypeInfo::prohibitsPropertyCaching):
3457         * runtime/NativeErrorConstructor.h:
3458         (JSC::NativeErrorConstructor::finishCreation):
3459         * runtime/Operations.cpp:
3460         (JSC::jsIsObjectType):
3461         * runtime/Structure.cpp:
3462         (JSC::Structure::addPropertyTransitionToExistingStructure):
3463         (JSC::Structure::addPropertyTransition):
3464         * runtime/Structure.h:
3465         (JSC::Structure::isObject):
3466         (JSC::JSCell::isObject):
3467
3468 2011-09-16  Geoffrey Garen  <ggaren@apple.com>
3469
3470         Rolled back in r95201 with test failure fixed.
3471         
3472         I missed two cases of jumpSlowToHot in rshift -- these cases need to be
3473         sure to initialize regT1 to the int tag, since it will otherwise hold
3474         the top 32 bits of a double.
3475
3476         * jit/JIT.h:
3477         * jit/JITArithmetic32_64.cpp:
3478         (JSC::JIT::emit_op_lshift):
3479         (JSC::JIT::emitRightShift):
3480         (JSC::JIT::emitRightShiftSlowCase):
3481         (JSC::JIT::emit_op_bitand):
3482         (JSC::JIT::emit_op_bitor):
3483         (JSC::JIT::emit_op_bitxor):
3484         (JSC::JIT::emit_op_bitnot):
3485         (JSC::JIT::emit_op_post_inc):
3486         (JSC::JIT::emit_op_post_dec):
3487         (JSC::JIT::emit_op_pre_inc):
3488         (JSC::JIT::emit_op_pre_dec):
3489         * jit/JITInlineMethods.h:
3490         (JSC::JIT::emitStoreAndMapInt32):
3491
3492 2011-09-16  Filip Pizlo  <fpizlo@apple.com>
3493
3494         Unreviewed Windows build fix after r95318.
3495
3496         * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
3497
3498 2011-09-16  Adam Roben  <aroben@apple.com>
3499
3500         Windows build fix after r95310
3501
3502         * JavaScriptCore.vcproj/jsc/jscCommon.vsprops: Added include\private\JavaScriptCore to the
3503         include path so DFGIntrinsic.h can be found.
3504
3505 2011-09-16  Gavin Barraclough  <barraclough@apple.com>
3506
3507         Rationalize JSObject::putDirect* methods
3508         https://bugs.webkit.org/show_bug.cgi?id=68274
3509
3510         Reviewed by Sam Weinig.
3511         
3512         Delete the *Function variants. These are overall inefficient,
3513         in the way they get the name back from the function rather
3514         than just passing it in.
3515
3516         * JavaScriptCore.exp:
3517         * jsc.cpp:
3518         (GlobalObject::finishCreation):
3519         (GlobalObject::addFunction):
3520         * runtime/FunctionPrototype.cpp:
3521         (JSC::FunctionPrototype::addFunctionProperties):
3522         * runtime/JSGlobalObject.cpp:
3523         (