2013-04-23 Filip Pizlo DFG CFA filters CheckFunction in a really weird way, and assumes that the function's structure won't change https://bugs.webkit.org/show_bug.cgi?id=115077 Reviewed by Oliver Hunt. The filtering did three things that are unusual: 1) AbstractValue::filterByValue() assumed that the passed value's structure wouldn't change, in the sense that at it assumed it could use that value's *current* structure to do structure filtering. Filtering by structure only makes sense if you can prove that the given value will always have that structure (for example by either using a watchpoing or emitting code that checks that structure at run-time). 2) AbstractValue::filterByValue() and the CheckFunction case in AbstractState::executeEffects() tried to invalidate the CFA based on whether the filtration led to an empty value. This is well-intentioned, but it's not how the CFA currently works. It's inconsistent with other parts of the CFA. We shouldn't introduce this feature into just one kind of filtration and not have it elsewhere. 3) The attempt to detect when the value was empty was actually implemented incorrectly. It relied on AbstractValue::validate(). That method says that a concrete value does not belong to the abstract value if it has a different structure. This makes sense for the other place where AbstractValue::validate() is called: during OSR entry, where we are talking about a JSValue that we see *right now*. It doesn't make sense in the CFA, since in the CFA any value we observe in the code is a value whose structure may change when the code starts running, and so we cannot use the value's current structure to infer things about the code when it starts running. I fixed the above problems by (1) changing filterByValue() to not filter the structure, (2) changing filterByValue() and the CheckFunction case to not invalidate the CFA, and (3) making sure that nobody else was misusing AbstractValue::validate() (they weren't). * dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::executeEffects): * dfg/DFGAbstractValue.h: (JSC::DFG::AbstractValue::filterByValue): 2013-04-23 Oliver Hunt Default ParserError() initialiser doesn't initialise all fields https://bugs.webkit.org/show_bug.cgi?id=115074 Reviewed by Joseph Pecoraro. Only the jsc command prompt depended on this, but we'll fix it to be on the safe side. * parser/ParserError.h: (JSC::ParserError::ParserError): 2013-04-23 Christophe Dumez Global constructors should be configurable and not enumerable https://bugs.webkit.org/show_bug.cgi?id=110573 Reviewed by Geoffrey Garen. Update JSObject::deleteProperty() so that mark to set the property value to undefined if it is in static hashtable of properties. The previous code was not doing anything in this case and this meant we could not remove builtin DOMWindow properties such as "ProgressEvent" even if marked as Deletable. * runtime/JSObject.cpp: (JSC::JSObject::deleteProperty): * runtime/Lookup.h: (JSC): (JSC::putEntry): (JSC::lookupPut): 2013-04-23 Geoffrey Garen Filled out more cases of branch folding in bytecode when emitting expressions into a branching context https://bugs.webkit.org/show_bug.cgi?id=115057 Reviewed by Filip Pizlo. This covers a few cases like: - while (true) { } - while (1) { } - if (x) break; - if (x) continue; - if (boolean_expr == boolean_const) { } - if (boolean_expr == 1_or_0) { } - if (bitop == 1_or_0) { } This also works, but will bring shame on your family: - while ("hello world") { } No change on the benchmarks we track, but a 2.5X speedup on a microbenchmark that uses these techniques. * JavaScriptCore.order: Order! * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitNewArray): (JSC::BytecodeGenerator::emitThrowReferenceError): (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded): * bytecompiler/BytecodeGenerator.h: (JSC::BytecodeGenerator::shouldEmitDebugHooks): Updated ancillary code for interface simplifications. * bytecompiler/NodesCodegen.cpp: (JSC::ConstantNode::emitBytecodeInConditionContext): Constants can jump unconditionally when used within a condition context. (JSC::ConstantNode::emitBytecode): (JSC::StringNode::jsValue): Gave constants a common base class so I could implement their codegen just once. (JSC::BinaryOpNode::emitBytecodeInConditionContext): (JSC::canFoldToBranch): (JSC::BinaryOpNode::tryFoldToBranch): Fold (!/=)= and (!/=)== where appropriate. A lot of cases are not appropriate because of the surprising type conversion semantics of ==. For example, if (number == true) { } is not the same as if (number) { } because the former will up-convert true to number and then do numeric comparison. (JSC::singleStatement): (JSC::IfElseNode::tryFoldBreakAndContinue): (JSC::IfElseNode::emitBytecode): (JSC::ContinueNode::trivialTarget): (JSC::BreakNode::trivialTarget): Fold "if (expression) break" and "if (expression) continue" into direct jumps from expression. * parser/ASTBuilder.h: (ASTBuilder): (JSC::ASTBuilder::createIfStatement): * parser/NodeConstructors.h: (JSC::ConstantNode::ConstantNode): (JSC): (JSC::NullNode::NullNode): (JSC::BooleanNode::BooleanNode): (JSC::NumberNode::NumberNode): (JSC::StringNode::StringNode): (JSC::IfElseNode::IfElseNode): * parser/Nodes.h: (JSC::ExpressionNode::isConstant): (JSC::ExpressionNode::isBoolean): (JSC::StatementNode::isBreak): (JSC::StatementNode::isContinue): (ConstantNode): (JSC::ConstantNode::isPure): (JSC::ConstantNode::isConstant): (NullNode): (JSC::NullNode::jsValue): (JSC::BooleanNode::value): (JSC::BooleanNode::isBoolean): (JSC::BooleanNode::jsValue): (JSC::NumberNode::value): (NumberNode): (JSC::NumberNode::jsValue): (StringNode): (BinaryOpNode): (IfElseNode): (ContinueNode): (JSC::ContinueNode::isContinue): (BreakNode): (JSC::BreakNode::isBreak): * parser/Parser.cpp: (JSC::::parseIfStatement): * parser/ResultType.h: (JSC::ResultType::definitelyIsBoolean): (ResultType): * runtime/JSCJSValueInlines.h: (JSC::JSValue::pureToBoolean): * runtime/JSCell.h: * runtime/JSCellInlines.h: (JSC::JSCell::pureToBoolean): Updated for interface changes above. 2013-04-23 Mark Lam Simplify the baseline JIT loop hint call site. https://bugs.webkit.org/show_bug.cgi?id=115052. Reviewed by Geoffrey Garen. Moved the watchdog timer check after the JIT optimization check. This ensures that the JIT opimization counter is incremented on every loop hint even if the watchdog timer fires. Removed the code that allows the JIT OSR to happen if the watchdog timer fires but does not result in a termination. It is extremely rare that the JIT optimization counter would trigger an OSR on the same pass as when the watchdog timer fire. If it does happen, we'll simply hold off on servicing the watchdog timer until the next pass (because it's not time critical). * jit/JITOpcodes.cpp: (JSC::JIT::emit_op_loop_hint): (JSC::JIT::emitSlow_op_loop_hint): 2013-04-23 Roger Fong AppleWin build fix. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: 2013-04-18 Mark Hahnenberg Objective-C API: Update public header documentation https://bugs.webkit.org/show_bug.cgi?id=114841 Reviewed by Geoffrey Garen. Added documentation for the newly added object lifetime-related stuff. * API/JSManagedValue.h: * API/JSVirtualMachine.h: 2013-04-22 Mark Lam Fix a typo in MacroAssemblerARMv7.h. https://bugs.webkit.org/show_bug.cgi?id=115011. Reviewed by Geoffrey Garen. * assembler/ARMAssembler.h: Fix a comment. * assembler/ARMv7Assembler.h: Added some comments. * assembler/MacroAssemblerARMv7.h: - ARMAssembler::PL should be ARMv7Assembler::ConditionPL. 2013-04-22 Julien Brianceau Add branchAdd32 missing implementation in SH4 base JIT. This should fix SH4 build, broken since r148893. https://bugs.webkit.org/show_bug.cgi?id=114993. Reviewed by Oliver Hunt. * assembler/MacroAssemblerSH4.h: (JSC::MacroAssemblerSH4::branchAdd32): (MacroAssemblerSH4): 2013-04-22 Benjamin Poulain Windows build fix after r148921 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: 2013-04-22 Benjamin Poulain Remove the memory instrumentation code https://bugs.webkit.org/show_bug.cgi?id=114931 Reviewed by Andreas Kling. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: 2013-04-22 Mark Lam Fix broken 32-bit build to green the bots. https://bugs.webkit.org/show_bug.cgi?id=114968. Unreviewed. Basically, I moved a JIT::emit_op_loop_hint() and JIT::emitSlow_op_loop_hint() into common code where they belong, instead of the 64-bit specific section. Also fixed some SH4 assertions failures which were also caused by https://bugs.webkit.org/show_bug.cgi?id=114963. Thanks to Julien Brianceau for pointing this out. * assembler/MacroAssemblerSH4.h: (JSC::MacroAssemblerSH4::branchAdd32): * jit/JITOpcodes.cpp: (JSC): (JSC::JIT::emit_op_loop_hint): (JSC::JIT::emitSlow_op_loop_hint): 2013-04-22 Oliver Hunt Perform null check before trying to use the result of readline() RS=Gavin * jsc.cpp: (runInteractive): 2013-04-22 Oliver Hunt Fix assertions to account for new Vector layout RS=Gavin * llint/LLIntData.cpp: (JSC::LLInt::Data::performAssertions): 2013-04-22 Mark Lam Change baseline JIT watchdog timer check to use the proper fast slow path infrastructure. https://bugs.webkit.org/show_bug.cgi?id=114963. Reviewed by Oliver Hunt. Edit: The PositiveOrZero condition is added because it is needed for the JIT optimization check. Previously, the JIT check branches around the slow path if the test result is 'Signed' i.e. negative. Since we now need to test for a condition that branches to the slow path (not around it), we need the complement of 'Signed / Negative' i.e. Positive or zero. SH4 parts contributed by Julien Brianceau. * assembler/ARMAssembler.h: * assembler/MacroAssemblerARM.h: * assembler/MacroAssemblerARMv7.h: * assembler/MacroAssemblerMIPS.h: (JSC::MacroAssemblerMIPS::branchAdd32): * assembler/MacroAssemblerSH4.h: (JSC::MacroAssemblerSH4::branchAdd32): * assembler/MacroAssemblerX86Common.h: * assembler/SH4Assembler.h: * jit/JIT.cpp: (JSC::JIT::emitEnterOptimizationCheck): (JSC::JIT::privateCompileSlowCases): * jit/JIT.h: (JSC::JIT::emitEnterOptimizationCheck): * jit/JITOpcodes.cpp: (JSC::JIT::emit_op_loop_hint): (JSC::JIT::emitSlow_op_loop_hint): (JSC::JIT::emit_op_enter): * jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_enter): 2013-04-22 Andreas Kling Shrink baseline size of WTF::Vector on 64-bit by switching to unsigned capacity and size. Reviewed by Sam Weinig. Update LLInt WTF::Vector offset constants to match the new memory layout. * llint/LowLevelInterpreter.asm: 2013-04-21 Oliver Hunt JS Lexer and Parser should be more informative when they encounter errors https://bugs.webkit.org/show_bug.cgi?id=114924 Reviewed by Filip Pizlo. Add new tokens to represent the various ways that parsing and lexing have failed. This gives us the ability to produce better error messages in some cases, and to indicate whether or not the failure was due to invalid source, or simply early termination. The jsc prompt now makes use of this so that you can write functions that are more than one line long. * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::generate): * jsc.cpp: (stringFromUTF): (jscSource): (runInteractive): * parser/Lexer.cpp: (JSC::::parseFourDigitUnicodeHex): (JSC::::parseIdentifierSlowCase): (JSC::::parseString): (JSC::::parseStringSlowCase): (JSC::::lex): * parser/Lexer.h: (UnicodeHexValue): (JSC::Lexer::UnicodeHexValue::UnicodeHexValue): (JSC::Lexer::UnicodeHexValue::valueType): (JSC::Lexer::UnicodeHexValue::isValid): (JSC::Lexer::UnicodeHexValue::value): (Lexer): * parser/Parser.h: (JSC::Parser::getTokenName): (JSC::Parser::updateErrorMessageSpecialCase): (JSC::::parse): * parser/ParserError.h: (ParserError): (JSC::ParserError::ParserError): * parser/ParserTokens.h: * runtime/Completion.cpp: (JSC): (JSC::checkSyntax): * runtime/Completion.h: (JSC): 2013-04-21 Mark Lam Refactor identical inline functions in JSVALUE64 and JSVALUE32_64 sections out into the common section. https://bugs.webkit.org/show_bug.cgi?id=114910. Reviewed by Filip Pizlo. * dfg/DFGSpeculativeJIT.h: (SpeculativeJIT): (JSC::DFG::SpeculativeJIT::callOperation): 2013-04-20 Allan Sandfeld Jensen LLint should be able to use x87 instead of SSE for floating pointer https://bugs.webkit.org/show_bug.cgi?id=112239 Reviewed by Filip Pizlo. Implements LLInt floating point operations in x87, to ensure we support x86 without SSE2. X86 (except 64bit) now defaults to using x87 instructions in order to support all 32bit x86 back to i686. The implementation uses the fucomi instruction from i686 which sets the new minimum. The FPU registers must always be empty on entering or exiting a function. We make sure to only use two X87 registers, and they are always emptied before calling deeper functions or returning from the LLInt. * jit/JITStubs.cpp: (JSC): Empty FPU registers before exiting. * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: * offlineasm/instructions.rb: * offlineasm/x86.rb: 2013-04-19 Roger Fong Remove uses of WebKit_Source from AppleWin build in JavaScriptCore. * JavaScriptCore.vcxproj/JavaScriptCore.make: * JavaScriptCore.vcxproj/build-generated-files.sh: * JavaScriptCore.vcxproj/copy-files.cmd: * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: 2013-04-19 Benjamin Poulain Rename JSStringJoiner::build() to join() https://bugs.webkit.org/show_bug.cgi?id=114845 Reviewed by Geoffrey Garen. The method name build() came from StringBuilder history. It does not make much sense on the StringJoiner. * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncToString): (JSC::arrayProtoFuncToLocaleString): (JSC::arrayProtoFuncJoin): * runtime/JSStringJoiner.cpp: (JSC::JSStringJoiner::join): * runtime/JSStringJoiner.h: (JSStringJoiner): 2013-04-19 Roger Fong Unreviewed. WebKit_Source is incorrectly set. * JavaScriptCore.vcxproj/JavaScriptCore.make: 2013-04-19 Martin Robinson [GTK] JSCore.gir.in has a few problems https://bugs.webkit.org/show_bug.cgi?id=114710 Reviewed by Philippe Normand. * GNUmakefile.am: Add the gobject introspection steps for JavaScriptCore here, because they are shared between WebKit1 and WebKit2. * JavaScriptCore.gir.in: Added. Moved from the WebKit1 directory. Now written as foreign interfaces and referencing the javascriptcoregtk library. 2013-04-18 Benjamin Poulain Use StringJoiner to create the JSString of arrayProtoFuncToString https://bugs.webkit.org/show_bug.cgi?id=114779 Reviewed by Geoffrey Garen. The function arrayProtoFuncToString was just a glorified JSStringJoiner. This patch replaces it by JSStringJoiner to simplify the code and enjoy any optimization made on JSStringJoiner. For some reason, this makes the execution 3.4% faster, despite having almost identical code. * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncToString): 2013-04-18 Oliver Hunt StackFrame::column() returning bogus value https://bugs.webkit.org/show_bug.cgi?id=114840 Reviewed by Gavin Barraclough. Don't add one part of the expression offset to the other part of the expression. Make StackFrame::toString() include the column info. * interpreter/Interpreter.cpp: (JSC::StackFrame::expressionInfo): (JSC::StackFrame::toString): 2013-04-18 Mark Hahnenberg Crash beneath JSC::JIT::privateCompileSlowCases @ stephenrdonaldson.com https://bugs.webkit.org/show_bug.cgi?id=114774 Reviewed by Geoffrey Garen. We're not linking up all of the slow cases in the baseline JIT when compiling put_to_base. * jit/JITOpcodes.cpp: (JSC::JIT::emitSlow_op_put_to_base): 2013-04-18 Mark Lam Interpreter entry points should throw the TerminatedExecutionException from the caller frame. https://bugs.webkit.org/show_bug.cgi?id=114816. Reviewed by Oliver Hunt. * interpreter/Interpreter.cpp: (JSC::Interpreter::execute): (JSC::Interpreter::executeCall): (JSC::Interpreter::executeConstruct): 2013-04-18 Gabor Rapcsanyi LLInt ARM backend should not use the d8 register as scratch register https://bugs.webkit.org/show_bug.cgi?id=114811 Reviewed by Filip Pizlo. The d8 register must preserved across function calls and should not used as scratch register. Changing it to d6. * offlineasm/arm.rb: 2013-04-18 Geoffrey Garen Removed HeapTimer::synchronize https://bugs.webkit.org/show_bug.cgi?id=114832 Reviewed by Mark Hahnenberg. HeapTimer::synchronize was a flawed attempt to make HeapTimer thread-safe. Instead, we use proper locking now. This is a slight API change, since the GC timer will now only fire in the run loop that created the JS VM, even if another run loop later executes some JS. * API/APIShims.h: (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock): * heap/HeapTimer.cpp: (JSC): * heap/HeapTimer.h: (HeapTimer): 2013-04-17 Geoffrey Garen Renamed JSGlobalData to VM https://bugs.webkit.org/show_bug.cgi?id=114777 Reviewed by Phil Pizlo. * API/APICast.h: (JSC): (toJS): (toRef): * API/APIShims.h: (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock): (APIEntryShimWithoutLock): (JSC::APIEntryShim::APIEntryShim): (APIEntryShim): (JSC::APIEntryShim::~APIEntryShim): (JSC::APICallbackShim::APICallbackShim): (JSC::APICallbackShim::~APICallbackShim): (APICallbackShim): * API/JSAPIWrapperObject.h: (JSAPIWrapperObject): * API/JSAPIWrapperObject.mm: (JSC::::createStructure): (JSC::JSAPIWrapperObject::JSAPIWrapperObject): (JSC::JSAPIWrapperObject::finishCreation): (JSC::JSAPIWrapperObject::visitChildren): * API/JSBase.cpp: (JSGarbageCollect): (JSReportExtraMemoryCost): (JSSynchronousGarbageCollectForDebugging): * API/JSCallbackConstructor.cpp: (JSC::JSCallbackConstructor::JSCallbackConstructor): (JSC::JSCallbackConstructor::finishCreation): * API/JSCallbackConstructor.h: (JSC::JSCallbackConstructor::createStructure): * API/JSCallbackFunction.cpp: (JSC::JSCallbackFunction::finishCreation): (JSC::JSCallbackFunction::create): * API/JSCallbackFunction.h: (JSCallbackFunction): (JSC::JSCallbackFunction::createStructure): * API/JSCallbackObject.cpp: (JSC::::create): (JSC::::createStructure): * API/JSCallbackObject.h: (JSC::JSCallbackObjectData::setPrivateProperty): (JSC::JSCallbackObjectData::JSPrivatePropertyMap::setPrivateProperty): (JSCallbackObject): (JSC::JSCallbackObject::setPrivateProperty): * API/JSCallbackObjectFunctions.h: (JSC::::JSCallbackObject): (JSC::::finishCreation): (JSC::::put): (JSC::::staticFunctionGetter): * API/JSClassRef.cpp: (OpaqueJSClassContextData::OpaqueJSClassContextData): (OpaqueJSClass::contextData): (OpaqueJSClass::prototype): * API/JSClassRef.h: (OpaqueJSClassContextData): * API/JSContext.mm: (-[JSContext setException:]): (-[JSContext initWithGlobalContextRef:]): (+[JSContext contextWithGlobalContextRef:]): * API/JSContextRef.cpp: (JSContextGroupCreate): (JSContextGroupRelease): (JSGlobalContextCreate): (JSGlobalContextCreateInGroup): (JSGlobalContextRetain): (JSGlobalContextRelease): (JSContextGetGroup): (JSContextCreateBacktrace): * API/JSObjectRef.cpp: (JSObjectMake): (JSObjectMakeConstructor): (JSObjectMakeFunction): (JSObjectSetPrototype): (JSObjectHasProperty): (JSObjectGetProperty): (JSObjectSetProperty): (JSObjectDeleteProperty): (JSObjectGetPrivateProperty): (JSObjectSetPrivateProperty): (JSObjectDeletePrivateProperty): (OpaqueJSPropertyNameArray::OpaqueJSPropertyNameArray): (OpaqueJSPropertyNameArray): (JSObjectCopyPropertyNames): (JSPropertyNameArrayRelease): (JSPropertyNameAccumulatorAddName): * API/JSScriptRef.cpp: (OpaqueJSScript::create): (OpaqueJSScript::vm): (OpaqueJSScript::OpaqueJSScript): (OpaqueJSScript): (parseScript): * API/JSVirtualMachine.mm: (scanExternalObjectGraph): * API/JSVirtualMachineInternal.h: (JSC): * API/JSWrapperMap.mm: (makeWrapper): * API/ObjCCallbackFunction.h: (JSC::ObjCCallbackFunction::createStructure): * API/ObjCCallbackFunction.mm: (JSC::ObjCCallbackFunction::create): * API/OpaqueJSString.cpp: (OpaqueJSString::identifier): * API/OpaqueJSString.h: (JSC): (OpaqueJSString): * GNUmakefile.list.am: * JSCTypedArrayStubs.h: (JSC): * JavaScriptCore.order: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: * JavaScriptCore.xcodeproj/project.pbxproj: * KeywordLookupGenerator.py: (Trie.printSubTreeAsC): * Target.pri: * assembler/ARMAssembler.cpp: (JSC::ARMAssembler::executableCopy): * assembler/ARMAssembler.h: (ARMAssembler): * assembler/AssemblerBuffer.h: (JSC::AssemblerBuffer::executableCopy): * assembler/AssemblerBufferWithConstantPool.h: (JSC::AssemblerBufferWithConstantPool::executableCopy): * assembler/LinkBuffer.cpp: (JSC::LinkBuffer::linkCode): * assembler/LinkBuffer.h: (JSC): (JSC::LinkBuffer::LinkBuffer): (LinkBuffer): * assembler/MIPSAssembler.h: (JSC::MIPSAssembler::executableCopy): * assembler/SH4Assembler.h: (JSC::SH4Assembler::executableCopy): * assembler/X86Assembler.h: (JSC::X86Assembler::executableCopy): (JSC::X86Assembler::X86InstructionFormatter::executableCopy): * bytecode/CallLinkInfo.cpp: (JSC::CallLinkInfo::unlink): * bytecode/CallLinkInfo.h: (CallLinkInfo): * bytecode/CodeBlock.cpp: (JSC::dumpStructure): (JSC::CodeBlock::printStructures): (JSC::CodeBlock::CodeBlock): (JSC::CodeBlock::~CodeBlock): (JSC::CodeBlock::visitStructures): (JSC::CodeBlock::finalizeUnconditionally): (JSC::CodeBlock::createActivation): (JSC::CodeBlock::unlinkCalls): (JSC::CodeBlock::unlinkIncomingCalls): (JSC::CodeBlock::findClosureCallForReturnPC): (JSC::ProgramCodeBlock::jettisonImpl): (JSC::EvalCodeBlock::jettisonImpl): (JSC::FunctionCodeBlock::jettisonImpl): (JSC::CodeBlock::predictedMachineCodeSize): (JSC::CodeBlock::usesOpcode): * bytecode/CodeBlock.h: (JSC::CodeBlock::appendWeakReference): (JSC::CodeBlock::appendWeakReferenceTransition): (JSC::CodeBlock::setJITCode): (JSC::CodeBlock::setGlobalData): (JSC::CodeBlock::vm): (JSC::CodeBlock::valueProfileForBytecodeOffset): (JSC::CodeBlock::addConstant): (JSC::CodeBlock::setConstantRegisters): (CodeBlock): (JSC::CodeBlock::WeakReferenceTransition::WeakReferenceTransition): * bytecode/EvalCodeCache.h: (JSC::EvalCodeCache::getSlow): * bytecode/GetByIdStatus.cpp: (JSC::GetByIdStatus::computeFromLLInt): (JSC::GetByIdStatus::computeForChain): (JSC::GetByIdStatus::computeFor): * bytecode/GetByIdStatus.h: (GetByIdStatus): * bytecode/Instruction.h: (JSC::Instruction::Instruction): * bytecode/ObjectAllocationProfile.h: (JSC::ObjectAllocationProfile::initialize): (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount): * bytecode/PolymorphicAccessStructureList.h: (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set): (JSC::PolymorphicAccessStructureList::PolymorphicAccessStructureList): * bytecode/PolymorphicPutByIdList.h: (JSC::PutByIdAccess::transition): (JSC::PutByIdAccess::replace): * bytecode/PreciseJumpTargets.cpp: (JSC::computePreciseJumpTargets): * bytecode/PutByIdStatus.cpp: (JSC::PutByIdStatus::computeFromLLInt): (JSC::PutByIdStatus::computeFor): * bytecode/PutByIdStatus.h: (JSC): (PutByIdStatus): * bytecode/ResolveGlobalStatus.cpp: (JSC::computeForStructure): * bytecode/SamplingTool.cpp: (JSC::SamplingTool::notifyOfScope): * bytecode/SamplingTool.h: (JSC::ScriptSampleRecord::ScriptSampleRecord): (SamplingTool): * bytecode/StructureStubInfo.h: (JSC::StructureStubInfo::initGetByIdSelf): (JSC::StructureStubInfo::initGetByIdProto): (JSC::StructureStubInfo::initGetByIdChain): (JSC::StructureStubInfo::initPutByIdTransition): (JSC::StructureStubInfo::initPutByIdReplace): * bytecode/UnlinkedCodeBlock.cpp: (JSC::generateFunctionCodeBlock): (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): (JSC::UnlinkedFunctionExecutable::link): (JSC::UnlinkedFunctionExecutable::fromGlobalCode): (JSC::UnlinkedFunctionExecutable::codeBlockFor): (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): * bytecode/UnlinkedCodeBlock.h: (JSC::UnlinkedFunctionExecutable::create): (UnlinkedFunctionExecutable): (JSC::UnlinkedFunctionExecutable::finishCreation): (JSC::UnlinkedFunctionExecutable::createStructure): (JSC::UnlinkedCodeBlock::addRegExp): (JSC::UnlinkedCodeBlock::addConstant): (JSC::UnlinkedCodeBlock::addFunctionDecl): (JSC::UnlinkedCodeBlock::addFunctionExpr): (JSC::UnlinkedCodeBlock::vm): (UnlinkedCodeBlock): (JSC::UnlinkedCodeBlock::finishCreation): (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock): (JSC::UnlinkedProgramCodeBlock::create): (JSC::UnlinkedProgramCodeBlock::addFunctionDeclaration): (JSC::UnlinkedProgramCodeBlock::UnlinkedProgramCodeBlock): (JSC::UnlinkedProgramCodeBlock::createStructure): (JSC::UnlinkedEvalCodeBlock::create): (JSC::UnlinkedEvalCodeBlock::UnlinkedEvalCodeBlock): (JSC::UnlinkedEvalCodeBlock::createStructure): (JSC::UnlinkedFunctionCodeBlock::create): (JSC::UnlinkedFunctionCodeBlock::UnlinkedFunctionCodeBlock): (JSC::UnlinkedFunctionCodeBlock::createStructure): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::BytecodeGenerator): (JSC::BytecodeGenerator::addConstant): (JSC::BytecodeGenerator::emitLoad): (JSC::BytecodeGenerator::emitDirectPutById): (JSC::BytecodeGenerator::addStringConstant): (JSC::BytecodeGenerator::expectedFunctionForIdentifier): (JSC::BytecodeGenerator::emitThrowReferenceError): (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded): * bytecompiler/BytecodeGenerator.h: (BytecodeGenerator): (JSC::BytecodeGenerator::vm): (JSC::BytecodeGenerator::propertyNames): (JSC::BytecodeGenerator::makeFunction): * bytecompiler/NodesCodegen.cpp: (JSC::RegExpNode::emitBytecode): (JSC::ArrayNode::toArgumentList): (JSC::ApplyFunctionCallDotNode::emitBytecode): (JSC::InstanceOfNode::emitBytecode): * debugger/Debugger.cpp: (JSC::Debugger::recompileAllJSFunctions): (JSC::evaluateInGlobalCallFrame): * debugger/Debugger.h: (JSC): * debugger/DebuggerActivation.cpp: (JSC::DebuggerActivation::DebuggerActivation): (JSC::DebuggerActivation::finishCreation): * debugger/DebuggerActivation.h: (JSC::DebuggerActivation::create): (JSC::DebuggerActivation::createStructure): (DebuggerActivation): * debugger/DebuggerCallFrame.cpp: (JSC::DebuggerCallFrame::evaluate): * dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::executeEffects): * dfg/DFGAssemblyHelpers.h: (JSC::DFG::AssemblyHelpers::AssemblyHelpers): (JSC::DFG::AssemblyHelpers::vm): (JSC::DFG::AssemblyHelpers::debugCall): (JSC::DFG::AssemblyHelpers::emitExceptionCheck): (AssemblyHelpers): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::ByteCodeParser): (ByteCodeParser): (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): (JSC::DFG::ByteCodeParser::parseBlock): (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): (JSC::DFG::ByteCodeParser::parseCodeBlock): * dfg/DFGByteCodeParser.h: (JSC): * dfg/DFGCCallHelpers.h: (JSC::DFG::CCallHelpers::CCallHelpers): * dfg/DFGCapabilities.cpp: (JSC::DFG::canHandleOpcodes): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): * dfg/DFGDisassembler.cpp: (JSC::DFG::Disassembler::reportToProfiler): * dfg/DFGDriver.cpp: (JSC::DFG::compile): * dfg/DFGDriver.h: (JSC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::isStringPrototypeMethodSane): (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::Graph): * dfg/DFGGraph.h: (Graph): * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::JITCompiler): (JSC::DFG::JITCompiler::linkOSRExits): (JSC::DFG::JITCompiler::link): (JSC::DFG::JITCompiler::compile): (JSC::DFG::JITCompiler::compileFunction): * dfg/DFGJITCompiler.h: (JSC): * dfg/DFGOSREntry.cpp: (JSC::DFG::prepareOSREntry): * dfg/DFGOSRExitCompiler.cpp: * dfg/DFGOSRExitCompiler32_64.cpp: (JSC::DFG::OSRExitCompiler::compileExit): * dfg/DFGOSRExitCompiler64.cpp: (JSC::DFG::OSRExitCompiler::compileExit): * dfg/DFGOperations.cpp: (JSC::DFG::putByVal): (JSC::DFG::operationPutByValInternal): (JSC::getHostCallReturnValueWithExecState): * dfg/DFGPhase.h: (JSC::DFG::Phase::vm): * dfg/DFGRepatch.cpp: (JSC::DFG::generateProtoChainAccessStub): (JSC::DFG::tryCacheGetByID): (JSC::DFG::tryBuildGetByIDList): (JSC::DFG::tryBuildGetByIDProtoList): (JSC::DFG::emitPutReplaceStub): (JSC::DFG::emitPutTransitionStub): (JSC::DFG::tryCachePutByID): (JSC::DFG::tryBuildPutByIdList): (JSC::DFG::linkSlowFor): (JSC::DFG::dfgLinkFor): (JSC::DFG::dfgLinkSlowFor): (JSC::DFG::dfgLinkClosureCall): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::typedArrayDescriptor): (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality): (JSC::DFG::SpeculativeJIT::compileGetByValOnString): (JSC::DFG::SpeculativeJIT::compileFromCharCode): (JSC::DFG::SpeculativeJIT::compileMakeRope): (JSC::DFG::SpeculativeJIT::compileStringEquality): (JSC::DFG::SpeculativeJIT::compileToStringOnCell): (JSC::DFG::SpeculativeJIT::speculateObject): (JSC::DFG::SpeculativeJIT::speculateObjectOrOther): (JSC::DFG::SpeculativeJIT::speculateString): (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::prepareForExternalCall): (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): (JSC::DFG::SpeculativeJIT::emitAllocateJSObject): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compileObjectEquality): (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compileObjectEquality): (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGThunks.cpp: (JSC::DFG::osrExitGenerationThunkGenerator): (JSC::DFG::throwExceptionFromCallSlowPathGenerator): (JSC::DFG::slowPathFor): (JSC::DFG::linkForThunkGenerator): (JSC::DFG::linkCallThunkGenerator): (JSC::DFG::linkConstructThunkGenerator): (JSC::DFG::linkClosureCallThunkGenerator): (JSC::DFG::virtualForThunkGenerator): (JSC::DFG::virtualCallThunkGenerator): (JSC::DFG::virtualConstructThunkGenerator): * dfg/DFGThunks.h: (JSC): (DFG): * heap/BlockAllocator.h: (JSC): * heap/CopiedSpace.cpp: (JSC::CopiedSpace::tryAllocateSlowCase): (JSC::CopiedSpace::tryReallocate): * heap/CopiedSpaceInlines.h: (JSC::CopiedSpace::tryAllocate): * heap/GCThreadSharedData.cpp: (JSC::GCThreadSharedData::GCThreadSharedData): (JSC::GCThreadSharedData::reset): * heap/GCThreadSharedData.h: (JSC): (GCThreadSharedData): * heap/HandleSet.cpp: (JSC::HandleSet::HandleSet): (JSC::HandleSet::~HandleSet): (JSC::HandleSet::grow): * heap/HandleSet.h: (JSC): (HandleSet): (JSC::HandleSet::vm): * heap/Heap.cpp: (JSC::Heap::Heap): (JSC): (JSC::Heap::lastChanceToFinalize): (JSC::Heap::protect): (JSC::Heap::unprotect): (JSC::Heap::stack): (JSC::Heap::getConservativeRegisterRoots): (JSC::Heap::markRoots): (JSC::Heap::deleteAllCompiledCode): (JSC::Heap::collect): (JSC::Heap::isValidAllocation): * heap/Heap.h: (JSC): (Heap): (JSC::Heap::vm): * heap/HeapTimer.cpp: (JSC::HeapTimer::HeapTimer): (JSC::HeapTimer::timerDidFire): (JSC::HeapTimer::timerEvent): * heap/HeapTimer.h: (JSC): (HeapTimer): * heap/IncrementalSweeper.cpp: (JSC::IncrementalSweeper::IncrementalSweeper): (JSC::IncrementalSweeper::sweepNextBlock): (JSC::IncrementalSweeper::willFinishSweeping): (JSC::IncrementalSweeper::create): * heap/IncrementalSweeper.h: (IncrementalSweeper): * heap/Local.h: (Local): (JSC::::Local): (JSC::LocalStack::LocalStack): (JSC::LocalStack::push): (LocalStack): * heap/LocalScope.h: (JSC): (LocalScope): (JSC::LocalScope::LocalScope): * heap/MachineStackMarker.cpp: (JSC::MachineThreads::addCurrentThread): * heap/MarkedAllocator.cpp: (JSC::MarkedAllocator::allocateSlowCase): * heap/MarkedBlock.cpp: (JSC::MarkedBlock::MarkedBlock): * heap/MarkedBlock.h: (JSC::MarkedBlock::vm): * heap/SlotVisitor.cpp: (JSC::SlotVisitor::SlotVisitor): (JSC::SlotVisitor::setup): * heap/Strong.h: (JSC): (Strong): (JSC::Strong::operator=): * heap/StrongInlines.h: (JSC::::Strong): (JSC::::set): * heap/SuperRegion.h: (JSC): * heap/WeakSet.cpp: * heap/WeakSet.h: (WeakSet): (JSC::WeakSet::WeakSet): (JSC::WeakSet::vm): * interpreter/AbstractPC.cpp: (JSC::AbstractPC::AbstractPC): * interpreter/AbstractPC.h: (JSC): (AbstractPC): * interpreter/CachedCall.h: (JSC::CachedCall::CachedCall): * interpreter/CallFrame.h: (ExecState): (JSC::ExecState::clearException): (JSC::ExecState::clearSupplementaryExceptionInfo): (JSC::ExecState::exception): (JSC::ExecState::hadException): (JSC::ExecState::propertyNames): (JSC::ExecState::emptyList): (JSC::ExecState::interpreter): (JSC::ExecState::heap): (JSC::ExecState::arrayConstructorTable): (JSC::ExecState::arrayPrototypeTable): (JSC::ExecState::booleanPrototypeTable): (JSC::ExecState::dateTable): (JSC::ExecState::dateConstructorTable): (JSC::ExecState::errorPrototypeTable): (JSC::ExecState::globalObjectTable): (JSC::ExecState::jsonTable): (JSC::ExecState::mathTable): (JSC::ExecState::numberConstructorTable): (JSC::ExecState::numberPrototypeTable): (JSC::ExecState::objectConstructorTable): (JSC::ExecState::privateNamePrototypeTable): (JSC::ExecState::regExpTable): (JSC::ExecState::regExpConstructorTable): (JSC::ExecState::regExpPrototypeTable): (JSC::ExecState::stringConstructorTable): (JSC::ExecState::abstractReturnPC): * interpreter/CallFrameClosure.h: (CallFrameClosure): * interpreter/Interpreter.cpp: (JSC): (JSC::eval): (JSC::loadVarargs): (JSC::Interpreter::Interpreter): (JSC::Interpreter::dumpRegisters): (JSC::Interpreter::unwindCallFrame): (JSC::appendSourceToError): (JSC::getCallerInfo): (JSC::Interpreter::getStackTrace): (JSC::Interpreter::addStackTraceIfNecessary): (JSC::Interpreter::throwException): (JSC::Interpreter::execute): (JSC::Interpreter::executeCall): (JSC::Interpreter::executeConstruct): (JSC::Interpreter::prepareForRepeatCall): (JSC::Interpreter::retrieveArgumentsFromVMCode): (JSC::Interpreter::retrieveCallerFromVMCode): * interpreter/Interpreter.h: (JSC): (JSC::TopCallFrameSetter::TopCallFrameSetter): (JSC::TopCallFrameSetter::~TopCallFrameSetter): (TopCallFrameSetter): (JSC::NativeCallFrameTracer::NativeCallFrameTracer): (Interpreter): * interpreter/JSStack.cpp: (JSC::JSStack::JSStack): * interpreter/JSStack.h: (JSC): * jit/ClosureCallStubRoutine.cpp: (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine): * jit/ClosureCallStubRoutine.h: (ClosureCallStubRoutine): * jit/ExecutableAllocator.cpp: (JSC::ExecutableAllocator::ExecutableAllocator): (JSC::ExecutableAllocator::allocate): * jit/ExecutableAllocator.h: (JSC): (ExecutableAllocator): * jit/ExecutableAllocatorFixedVMPool.cpp: (JSC::ExecutableAllocator::ExecutableAllocator): (JSC::ExecutableAllocator::allocate): * jit/GCAwareJITStubRoutine.cpp: (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine): (JSC::MarkingGCAwareJITStubRoutineWithOneObject::MarkingGCAwareJITStubRoutineWithOneObject): (JSC::createJITStubRoutine): * jit/GCAwareJITStubRoutine.h: (GCAwareJITStubRoutine): (MarkingGCAwareJITStubRoutineWithOneObject): (JSC): * jit/JIT.cpp: (JSC::JIT::JIT): (JSC::JIT::privateCompile): (JSC::JIT::linkFor): (JSC::JIT::linkSlowCall): * jit/JIT.h: (JSC::JIT::compile): (JSC::JIT::compileClosureCall): (JSC::JIT::compileGetByIdProto): (JSC::JIT::compileGetByIdSelfList): (JSC::JIT::compileGetByIdProtoList): (JSC::JIT::compileGetByIdChainList): (JSC::JIT::compileGetByIdChain): (JSC::JIT::compilePutByIdTransition): (JSC::JIT::compileGetByVal): (JSC::JIT::compilePutByVal): (JSC::JIT::compileCTINativeCall): (JSC::JIT::compilePatchGetArrayLength): (JIT): * jit/JITCall.cpp: (JSC::JIT::compileLoadVarargs): (JSC::JIT::compileCallEvalSlowCase): (JSC::JIT::compileOpCallSlowCase): (JSC::JIT::privateCompileClosureCall): * jit/JITCall32_64.cpp: (JSC::JIT::compileLoadVarargs): (JSC::JIT::compileCallEvalSlowCase): (JSC::JIT::compileOpCallSlowCase): (JSC::JIT::privateCompileClosureCall): * jit/JITCode.h: (JSC): (JSC::JITCode::execute): * jit/JITDriver.h: (JSC::jitCompileIfAppropriate): (JSC::jitCompileFunctionIfAppropriate): * jit/JITExceptions.cpp: (JSC::genericThrow): (JSC::jitThrow): * jit/JITExceptions.h: (JSC): * jit/JITInlines.h: (JSC::JIT::emitLoadCharacterString): (JSC::JIT::updateTopCallFrame): * jit/JITOpcodes.cpp: (JSC::JIT::privateCompileCTINativeCall): (JSC::JIT::emit_op_new_object): (JSC::JIT::emit_op_to_primitive): (JSC::JIT::emit_op_catch): (JSC::JIT::emit_op_convert_this): (JSC::JIT::emitSlow_op_convert_this): * jit/JITOpcodes32_64.cpp: (JSC::JIT::privateCompileCTINativeCall): (JSC::JIT::emit_op_new_object): (JSC::JIT::emit_op_to_primitive): (JSC::JIT::emitSlow_op_eq): (JSC::JIT::emitSlow_op_neq): (JSC::JIT::compileOpStrictEq): (JSC::JIT::emit_op_catch): (JSC::JIT::emit_op_convert_this): (JSC::JIT::emitSlow_op_convert_this): * jit/JITPropertyAccess.cpp: (JSC::JIT::stringGetByValStubGenerator): (JSC::JIT::emitSlow_op_get_by_val): (JSC::JIT::compileGetByIdHotPath): (JSC::JIT::privateCompilePutByIdTransition): (JSC::JIT::privateCompilePatchGetArrayLength): (JSC::JIT::privateCompileGetByIdProto): (JSC::JIT::privateCompileGetByIdSelfList): (JSC::JIT::privateCompileGetByIdProtoList): (JSC::JIT::privateCompileGetByIdChainList): (JSC::JIT::privateCompileGetByIdChain): (JSC::JIT::privateCompileGetByVal): (JSC::JIT::privateCompilePutByVal): * jit/JITPropertyAccess32_64.cpp: (JSC::JIT::stringGetByValStubGenerator): (JSC::JIT::emitSlow_op_get_by_val): (JSC::JIT::compileGetByIdHotPath): (JSC::JIT::privateCompilePutByIdTransition): (JSC::JIT::privateCompilePatchGetArrayLength): (JSC::JIT::privateCompileGetByIdProto): (JSC::JIT::privateCompileGetByIdSelfList): (JSC::JIT::privateCompileGetByIdProtoList): (JSC::JIT::privateCompileGetByIdChainList): (JSC::JIT::privateCompileGetByIdChain): * jit/JITStubs.cpp: (JSC::ctiTrampoline): (JSC): (JSC::performPlatformSpecificJITAssertions): (JSC::tryCachePutByID): (JSC::tryCacheGetByID): (JSC::returnToThrowTrampoline): (JSC::throwExceptionFromOpCall): (JSC::DEFINE_STUB_FUNCTION): (JSC::getPolymorphicAccessStructureListSlot): (JSC::jitCompileFor): (JSC::lazyLinkFor): (JSC::putByVal): * jit/JITStubs.h: (JSC): (JITStackFrame): * jit/JITThunks.cpp: (JSC::JITThunks::ctiNativeCall): (JSC::JITThunks::ctiNativeConstruct): (JSC::JITThunks::ctiStub): (JSC::JITThunks::hostFunctionStub): * jit/JITThunks.h: (JSC): (JITThunks): * jit/JITWriteBarrier.h: (JSC): (JSC::JITWriteBarrierBase::set): (JSC::JITWriteBarrier::set): * jit/SpecializedThunkJIT.h: (JSC::SpecializedThunkJIT::loadJSStringArgument): (JSC::SpecializedThunkJIT::finalize): * jit/ThunkGenerator.h: (JSC): * jit/ThunkGenerators.cpp: (JSC::generateSlowCaseFor): (JSC::linkForGenerator): (JSC::linkCallGenerator): (JSC::linkConstructGenerator): (JSC::linkClosureCallGenerator): (JSC::virtualForGenerator): (JSC::virtualCallGenerator): (JSC::virtualConstructGenerator): (JSC::stringLengthTrampolineGenerator): (JSC::nativeForGenerator): (JSC::nativeCallGenerator): (JSC::nativeConstructGenerator): (JSC::stringCharLoad): (JSC::charToString): (JSC::charCodeAtThunkGenerator): (JSC::charAtThunkGenerator): (JSC::fromCharCodeThunkGenerator): (JSC::sqrtThunkGenerator): (JSC::floorThunkGenerator): (JSC::ceilThunkGenerator): (JSC::roundThunkGenerator): (JSC::expThunkGenerator): (JSC::logThunkGenerator): (JSC::absThunkGenerator): (JSC::powThunkGenerator): * jit/ThunkGenerators.h: (JSC): * jsc.cpp: (GlobalObject): (GlobalObject::create): (GlobalObject::createStructure): (GlobalObject::finishCreation): (GlobalObject::addFunction): (GlobalObject::addConstructableFunction): (functionDumpCallFrame): (functionJSCStack): (functionReleaseExecutableMemory): (functionRun): (main): (runWithScripts): (jscmain): * llint/LLIntData.cpp: (JSC::LLInt::Data::performAssertions): * llint/LLIntData.h: (JSC): (Data): (JSC::LLInt::Data::performAssertions): * llint/LLIntEntrypoints.cpp: (JSC::LLInt::getFunctionEntrypoint): (JSC::LLInt::getEvalEntrypoint): (JSC::LLInt::getProgramEntrypoint): * llint/LLIntEntrypoints.h: (JSC): (LLInt): (JSC::LLInt::getEntrypoint): * llint/LLIntExceptions.cpp: (JSC::LLInt::interpreterThrowInCaller): (JSC::LLInt::returnToThrow): (JSC::LLInt::callToThrow): * llint/LLIntOffsetsExtractor.cpp: * llint/LLIntSlowPaths.cpp: (LLInt): (JSC::LLInt::llint_trace_operand): (JSC::LLInt::llint_trace_value): (JSC::LLInt::LLINT_SLOW_PATH_DECL): (JSC::LLInt::shouldJIT): (JSC::LLInt::handleHostCall): (JSC::LLInt::setUpCall): * llint/LLIntThunks.cpp: (JSC::LLInt::generateThunkWithJumpTo): (JSC::LLInt::functionForCallEntryThunkGenerator): (JSC::LLInt::functionForConstructEntryThunkGenerator): (JSC::LLInt::functionForCallArityCheckThunkGenerator): (JSC::LLInt::functionForConstructArityCheckThunkGenerator): (JSC::LLInt::evalEntryThunkGenerator): (JSC::LLInt::programEntryThunkGenerator): * llint/LLIntThunks.h: (JSC): (LLInt): * llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter.cpp: (JSC::CLoop::execute): * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: * offlineasm/cloop.rb: * parser/ASTBuilder.h: (JSC::ASTBuilder::ASTBuilder): (JSC::ASTBuilder::createSourceElements): (JSC::ASTBuilder::createCommaExpr): (JSC::ASTBuilder::createLogicalNot): (JSC::ASTBuilder::createUnaryPlus): (JSC::ASTBuilder::createVoid): (JSC::ASTBuilder::thisExpr): (JSC::ASTBuilder::createResolve): (JSC::ASTBuilder::createObjectLiteral): (JSC::ASTBuilder::createArray): (JSC::ASTBuilder::createNumberExpr): (JSC::ASTBuilder::createString): (JSC::ASTBuilder::createBoolean): (JSC::ASTBuilder::createNull): (JSC::ASTBuilder::createBracketAccess): (JSC::ASTBuilder::createDotAccess): (JSC::ASTBuilder::createRegExp): (JSC::ASTBuilder::createNewExpr): (JSC::ASTBuilder::createConditionalExpr): (JSC::ASTBuilder::createAssignResolve): (JSC::ASTBuilder::createFunctionExpr): (JSC::ASTBuilder::createFunctionBody): (JSC::ASTBuilder::createGetterOrSetterProperty): (JSC::ASTBuilder::createArguments): (JSC::ASTBuilder::createArgumentsList): (JSC::ASTBuilder::createProperty): (JSC::ASTBuilder::createPropertyList): (JSC::ASTBuilder::createElementList): (JSC::ASTBuilder::createFormalParameterList): (JSC::ASTBuilder::createClause): (JSC::ASTBuilder::createClauseList): (JSC::ASTBuilder::createFuncDeclStatement): (JSC::ASTBuilder::createBlockStatement): (JSC::ASTBuilder::createExprStatement): (JSC::ASTBuilder::createIfStatement): (JSC::ASTBuilder::createForLoop): (JSC::ASTBuilder::createForInLoop): (JSC::ASTBuilder::createEmptyStatement): (JSC::ASTBuilder::createVarStatement): (JSC::ASTBuilder::createReturnStatement): (JSC::ASTBuilder::createBreakStatement): (JSC::ASTBuilder::createContinueStatement): (JSC::ASTBuilder::createTryStatement): (JSC::ASTBuilder::createSwitchStatement): (JSC::ASTBuilder::createWhileStatement): (JSC::ASTBuilder::createDoWhileStatement): (JSC::ASTBuilder::createLabelStatement): (JSC::ASTBuilder::createWithStatement): (JSC::ASTBuilder::createThrowStatement): (JSC::ASTBuilder::createDebugger): (JSC::ASTBuilder::createConstStatement): (JSC::ASTBuilder::appendConstDecl): (JSC::ASTBuilder::addVar): (JSC::ASTBuilder::combineCommaNodes): (JSC::ASTBuilder::Scope::Scope): (JSC::ASTBuilder::createNumber): (ASTBuilder): (JSC::ASTBuilder::makeTypeOfNode): (JSC::ASTBuilder::makeDeleteNode): (JSC::ASTBuilder::makeNegateNode): (JSC::ASTBuilder::makeBitwiseNotNode): (JSC::ASTBuilder::makeMultNode): (JSC::ASTBuilder::makeDivNode): (JSC::ASTBuilder::makeModNode): (JSC::ASTBuilder::makeAddNode): (JSC::ASTBuilder::makeSubNode): (JSC::ASTBuilder::makeLeftShiftNode): (JSC::ASTBuilder::makeRightShiftNode): (JSC::ASTBuilder::makeURightShiftNode): (JSC::ASTBuilder::makeBitOrNode): (JSC::ASTBuilder::makeBitAndNode): (JSC::ASTBuilder::makeBitXOrNode): (JSC::ASTBuilder::makeFunctionCallNode): (JSC::ASTBuilder::makeBinaryNode): (JSC::ASTBuilder::makeAssignNode): (JSC::ASTBuilder::makePrefixNode): (JSC::ASTBuilder::makePostfixNode): * parser/Lexer.cpp: (JSC::Keywords::Keywords): (JSC::::Lexer): (JSC::::parseIdentifier): (JSC::::parseIdentifierSlowCase): * parser/Lexer.h: (JSC::Keywords::isKeyword): (JSC::Keywords::getKeyword): (Keywords): (Lexer): (JSC::::makeIdentifier): (JSC::::makeRightSizedIdentifier): (JSC::::makeIdentifierLCharFromUChar): (JSC::::makeLCharIdentifier): * parser/NodeConstructors.h: (JSC::ParserArenaFreeable::operator new): (JSC::ParserArenaDeletable::operator new): (JSC::ParserArenaRefCounted::ParserArenaRefCounted): (JSC::PropertyNode::PropertyNode): (JSC::ContinueNode::ContinueNode): (JSC::BreakNode::BreakNode): (JSC::ForInNode::ForInNode): * parser/Nodes.cpp: (JSC::ScopeNode::ScopeNode): (JSC::ProgramNode::ProgramNode): (JSC::ProgramNode::create): (JSC::EvalNode::EvalNode): (JSC::EvalNode::create): (JSC::FunctionBodyNode::FunctionBodyNode): (JSC::FunctionBodyNode::create): * parser/Nodes.h: (ParserArenaFreeable): (ParserArenaDeletable): (ParserArenaRefCounted): (ArrayNode): (ForInNode): (ContinueNode): (BreakNode): (ScopeNode): (ProgramNode): (EvalNode): (FunctionBodyNode): * parser/Parser.cpp: (JSC::::Parser): (JSC::::parseInner): (JSC::::parseSourceElements): (JSC::::parseTryStatement): (JSC::::parseFunctionBody): (JSC::::parseFunctionInfo): (JSC::::parseAssignmentExpression): (JSC::::parseProperty): (JSC::::parsePrimaryExpression): (JSC::::parseMemberExpression): (JSC::::parseUnaryExpression): * parser/Parser.h: (JSC): (JSC::Scope::Scope): (JSC::Scope::declareVariable): (JSC::Scope::declareParameter): (Scope): (Parser): (JSC::Parser::pushScope): (JSC::::parse): (JSC::parse): * parser/ParserArena.h: (IdentifierArena): (JSC::IdentifierArena::makeIdentifier): (JSC::IdentifierArena::makeIdentifierLCharFromUChar): (JSC::IdentifierArena::makeNumericIdentifier): * parser/SyntaxChecker.h: (JSC::SyntaxChecker::SyntaxChecker): (JSC::SyntaxChecker::createProperty): (JSC::SyntaxChecker::createGetterOrSetterProperty): * profiler/LegacyProfiler.cpp: (JSC::LegacyProfiler::startProfiling): (JSC::LegacyProfiler::stopProfiling): * profiler/LegacyProfiler.h: (JSC): * profiler/ProfilerBytecode.cpp: (JSC::Profiler::Bytecode::toJS): * profiler/ProfilerBytecodeSequence.cpp: (JSC::Profiler::BytecodeSequence::BytecodeSequence): (JSC::Profiler::BytecodeSequence::addSequenceProperties): * profiler/ProfilerBytecodes.cpp: (JSC::Profiler::Bytecodes::toJS): * profiler/ProfilerCompilation.cpp: (JSC::Profiler::Compilation::toJS): * profiler/ProfilerCompiledBytecode.cpp: (JSC::Profiler::CompiledBytecode::toJS): * profiler/ProfilerDatabase.cpp: (JSC::Profiler::Database::Database): (JSC::Profiler::Database::toJS): (JSC::Profiler::Database::toJSON): * profiler/ProfilerDatabase.h: (Database): * profiler/ProfilerOSRExit.cpp: (JSC::Profiler::OSRExit::toJS): * profiler/ProfilerOrigin.cpp: (JSC::Profiler::Origin::toJS): * profiler/ProfilerProfiledBytecodes.cpp: (JSC::Profiler::ProfiledBytecodes::toJS): * runtime/ArgList.h: (MarkedArgumentBuffer): * runtime/Arguments.cpp: (JSC::Arguments::putByIndex): (JSC::Arguments::put): (JSC::Arguments::deleteProperty): (JSC::Arguments::defineOwnProperty): (JSC::Arguments::tearOff): (JSC::Arguments::didTearOffActivation): (JSC::Arguments::tearOffForInlineCallFrame): * runtime/Arguments.h: (JSC::Arguments::create): (JSC::Arguments::createStructure): (Arguments): (JSC::Arguments::Arguments): (JSC::Arguments::trySetArgument): (JSC::Arguments::finishCreation): * runtime/ArrayConstructor.cpp: (JSC::ArrayConstructor::finishCreation): * runtime/ArrayConstructor.h: (JSC::ArrayConstructor::createStructure): * runtime/ArrayPrototype.cpp: (JSC::ArrayPrototype::ArrayPrototype): (JSC::ArrayPrototype::finishCreation): (JSC::arrayProtoFuncSort): (JSC::arrayProtoFuncSplice): * runtime/ArrayPrototype.h: (JSC::ArrayPrototype::createStructure): * runtime/BatchedTransitionOptimizer.h: (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer): (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer): (BatchedTransitionOptimizer): * runtime/BooleanConstructor.cpp: (JSC::BooleanConstructor::finishCreation): (JSC::constructBoolean): (JSC::constructBooleanFromImmediateBoolean): * runtime/BooleanConstructor.h: (JSC::BooleanConstructor::createStructure): * runtime/BooleanObject.cpp: (JSC::BooleanObject::BooleanObject): (JSC::BooleanObject::finishCreation): * runtime/BooleanObject.h: (BooleanObject): (JSC::BooleanObject::create): (JSC::BooleanObject::createStructure): * runtime/BooleanPrototype.cpp: (JSC::BooleanPrototype::BooleanPrototype): (JSC::BooleanPrototype::finishCreation): (JSC::booleanProtoFuncToString): * runtime/BooleanPrototype.h: (JSC::BooleanPrototype::createStructure): * runtime/Butterfly.h: (JSC): (Butterfly): * runtime/ButterflyInlines.h: (JSC::Butterfly::createUninitialized): (JSC::Butterfly::create): (JSC::Butterfly::growPropertyStorage): (JSC::Butterfly::createOrGrowArrayRight): (JSC::Butterfly::growArrayRight): (JSC::Butterfly::resizeArray): * runtime/CodeCache.cpp: (JSC::CodeCache::getCodeBlock): (JSC::CodeCache::getProgramCodeBlock): (JSC::CodeCache::getEvalCodeBlock): (JSC::CodeCache::getFunctionExecutableFromGlobalCode): * runtime/CodeCache.h: (JSC): (JSC::SourceCodeValue::SourceCodeValue): (CodeCache): * runtime/CommonIdentifiers.cpp: (JSC): (JSC::CommonIdentifiers::CommonIdentifiers): * runtime/CommonIdentifiers.h: (CommonIdentifiers): * runtime/CommonSlowPaths.h: (JSC::CommonSlowPaths::opIn): * runtime/Completion.cpp: (JSC::checkSyntax): (JSC::evaluate): * runtime/DateConstructor.cpp: (JSC::DateConstructor::finishCreation): * runtime/DateConstructor.h: (JSC::DateConstructor::createStructure): * runtime/DateInstance.cpp: (JSC::DateInstance::DateInstance): (JSC::DateInstance::finishCreation): (JSC::DateInstance::calculateGregorianDateTime): (JSC::DateInstance::calculateGregorianDateTimeUTC): * runtime/DateInstance.h: (DateInstance): (JSC::DateInstance::create): (JSC::DateInstance::createStructure): * runtime/DatePrototype.cpp: (JSC::DatePrototype::finishCreation): (JSC::dateProtoFuncSetTime): (JSC::setNewValueFromTimeArgs): (JSC::setNewValueFromDateArgs): (JSC::dateProtoFuncSetYear): (JSC::dateProtoFuncToJSON): * runtime/DatePrototype.h: (JSC::DatePrototype::createStructure): * runtime/Error.cpp: (JSC::createError): (JSC::createEvalError): (JSC::createRangeError): (JSC::createReferenceError): (JSC::createSyntaxError): (JSC::createTypeError): (JSC::createURIError): (JSC::addErrorInfo): (JSC::throwError): * runtime/Error.h: (JSC): (JSC::StrictModeTypeErrorFunction::create): (JSC::StrictModeTypeErrorFunction::createStructure): * runtime/ErrorConstructor.cpp: (JSC::ErrorConstructor::finishCreation): * runtime/ErrorConstructor.h: (JSC::ErrorConstructor::createStructure): * runtime/ErrorInstance.cpp: (JSC::ErrorInstance::ErrorInstance): * runtime/ErrorInstance.h: (JSC::ErrorInstance::createStructure): (JSC::ErrorInstance::create): (ErrorInstance): (JSC::ErrorInstance::finishCreation): * runtime/ErrorPrototype.cpp: (JSC::ErrorPrototype::ErrorPrototype): (JSC::ErrorPrototype::finishCreation): * runtime/ErrorPrototype.h: (JSC::ErrorPrototype::createStructure): * runtime/ExceptionHelpers.cpp: (JSC::createInterruptedExecutionException): (JSC::createTerminatedExecutionException): * runtime/ExceptionHelpers.h: (JSC): (JSC::InterruptedExecutionError::InterruptedExecutionError): (JSC::InterruptedExecutionError::create): (JSC::InterruptedExecutionError::createStructure): (JSC::TerminatedExecutionError::TerminatedExecutionError): (JSC::TerminatedExecutionError::create): (JSC::TerminatedExecutionError::createStructure): * runtime/Executable.cpp: (JSC::jettisonCodeBlock): (JSC::EvalExecutable::EvalExecutable): (JSC::ProgramExecutable::ProgramExecutable): (JSC::FunctionExecutable::FunctionExecutable): (JSC::EvalExecutable::compileOptimized): (JSC::EvalExecutable::compileInternal): (JSC::EvalExecutable::jettisonOptimizedCode): (JSC::ProgramExecutable::checkSyntax): (JSC::ProgramExecutable::compileOptimized): (JSC::ProgramExecutable::jettisonOptimizedCode): (JSC::ProgramExecutable::initializeGlobalProperties): (JSC::FunctionExecutable::compileOptimizedForCall): (JSC::FunctionExecutable::compileOptimizedForConstruct): (JSC::FunctionExecutable::produceCodeBlockFor): (JSC::FunctionExecutable::jettisonOptimizedCodeForCall): (JSC::FunctionExecutable::jettisonOptimizedCodeForConstruct): (JSC::FunctionExecutable::fromGlobalCode): * runtime/Executable.h: (JSC::ExecutableBase::ExecutableBase): (JSC::ExecutableBase::finishCreation): (JSC::ExecutableBase::createStructure): (JSC::NativeExecutable::create): (JSC::NativeExecutable::createStructure): (JSC::NativeExecutable::finishCreation): (JSC::NativeExecutable::NativeExecutable): (JSC::ScriptExecutable::ScriptExecutable): (JSC::ScriptExecutable::finishCreation): (JSC::EvalExecutable::compile): (EvalExecutable): (JSC::EvalExecutable::create): (JSC::EvalExecutable::createStructure): (JSC::ProgramExecutable::create): (ProgramExecutable): (JSC::ProgramExecutable::compile): (JSC::ProgramExecutable::createStructure): (JSC::FunctionExecutable::create): (JSC::FunctionExecutable::compileForCall): (FunctionExecutable): (JSC::FunctionExecutable::compileForConstruct): (JSC::FunctionExecutable::jettisonOptimizedCodeFor): (JSC::FunctionExecutable::createStructure): (JSC::JSFunction::JSFunction): * runtime/ExecutionHarness.h: (JSC::prepareForExecution): (JSC::prepareFunctionForExecution): * runtime/FunctionConstructor.cpp: (JSC::FunctionConstructor::finishCreation): * runtime/FunctionConstructor.h: (JSC::FunctionConstructor::createStructure): * runtime/FunctionPrototype.cpp: (JSC::FunctionPrototype::finishCreation): (JSC::FunctionPrototype::addFunctionProperties): (JSC::functionProtoFuncBind): * runtime/FunctionPrototype.h: (JSC::FunctionPrototype::createStructure): * runtime/GCActivityCallback.cpp: (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback): (JSC::DefaultGCActivityCallback::doWork): (JSC::DefaultGCActivityCallback::didAllocate): * runtime/GCActivityCallback.h: (JSC::GCActivityCallback::GCActivityCallback): * runtime/GCActivityCallbackBlackBerry.cpp: (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback): (JSC::DefaultGCActivityCallback::doWork): (JSC::DefaultGCActivityCallback::didAllocate): * runtime/GetterSetter.h: (JSC::GetterSetter::GetterSetter): (JSC::GetterSetter::create): (JSC::GetterSetter::setGetter): (JSC::GetterSetter::setSetter): (JSC::GetterSetter::createStructure): * runtime/Identifier.cpp: (JSC::Identifier::add): (JSC::Identifier::add8): (JSC::Identifier::addSlowCase): (JSC::Identifier::from): (JSC::Identifier::checkCurrentIdentifierTable): * runtime/Identifier.h: (JSC::Identifier::Identifier): (JSC::Identifier::createLCharFromUChar): (Identifier): (JSC::Identifier::add): * runtime/InternalFunction.cpp: (JSC::InternalFunction::InternalFunction): (JSC::InternalFunction::finishCreation): (JSC::InternalFunction::name): (JSC::InternalFunction::displayName): * runtime/InternalFunction.h: (JSC::InternalFunction::createStructure): (InternalFunction): * runtime/JSAPIValueWrapper.h: (JSC::JSAPIValueWrapper::createStructure): (JSC::JSAPIValueWrapper::finishCreation): (JSC::JSAPIValueWrapper::JSAPIValueWrapper): * runtime/JSActivation.cpp: (JSC::JSActivation::symbolTablePut): (JSC::JSActivation::symbolTablePutWithAttributes): (JSC::JSActivation::getOwnPropertySlot): (JSC::JSActivation::put): (JSC::JSActivation::putDirectVirtual): (JSC::JSActivation::argumentsGetter): * runtime/JSActivation.h: (JSActivation): (JSC::JSActivation::create): (JSC::JSActivation::createStructure): (JSC::JSActivation::JSActivation): (JSC::JSActivation::tearOff): * runtime/JSArray.cpp: (JSC::createArrayButterflyInDictionaryIndexingMode): (JSC::JSArray::setLengthWritable): (JSC::JSArray::unshiftCountSlowCase): (JSC::JSArray::setLength): (JSC::JSArray::push): (JSC::JSArray::shiftCountWithAnyIndexingType): (JSC::JSArray::unshiftCountWithArrayStorage): (JSC::JSArray::unshiftCountWithAnyIndexingType): (JSC::ContiguousTypeAccessor::setWithValue): (JSC::JSArray::sortCompactedVector): (JSC::JSArray::sortVector): * runtime/JSArray.h: (JSC::JSArray::JSArray): (JSArray): (JSC::JSArray::shiftCountForShift): (JSC::JSArray::unshiftCountForShift): (JSC::JSArray::createStructure): (JSC::createContiguousArrayButterfly): (JSC::createArrayButterfly): (JSC): (JSC::JSArray::create): (JSC::JSArray::tryCreateUninitialized): (JSC::constructArray): * runtime/JSBoundFunction.cpp: (JSC::JSBoundFunction::create): (JSC::JSBoundFunction::JSBoundFunction): * runtime/JSBoundFunction.h: (JSC::JSBoundFunction::createStructure): * runtime/JSCJSValue.cpp: (JSC::JSValue::putToPrimitive): (JSC::JSValue::toStringSlowCase): * runtime/JSCJSValue.h: (JSC): * runtime/JSCell.h: (JSCell): * runtime/JSCellInlines.h: (JSC::JSCell::JSCell): (JSC::JSCell::finishCreation): (JSC::allocateCell): (JSC::JSCell::setStructure): (JSC::JSCell::fastGetOwnProperty): * runtime/JSDateMath.cpp: (JSC::getDSTOffset): (JSC::getUTCOffset): (JSC::parseDate): * runtime/JSDestructibleObject.h: (JSC::JSDestructibleObject::JSDestructibleObject): * runtime/JSFunction.cpp: (JSC::JSFunction::create): (JSC::JSFunction::JSFunction): (JSC::JSFunction::finishCreation): (JSC::JSFunction::createAllocationProfile): (JSC::JSFunction::name): (JSC::JSFunction::displayName): (JSC::JSFunction::getOwnPropertySlot): (JSC::JSFunction::deleteProperty): * runtime/JSFunction.h: (JSFunction): (JSC::JSFunction::create): (JSC::JSFunction::setScope): (JSC::JSFunction::createStructure): * runtime/JSGlobalData.cpp: Removed. * runtime/JSGlobalData.h: Removed. * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::JSGlobalObject): (JSC::JSGlobalObject::~JSGlobalObject): (JSC::JSGlobalObject::setGlobalThis): (JSC::JSGlobalObject::init): (JSC::JSGlobalObject::putDirectVirtual): (JSC::JSGlobalObject::reset): (JSC): (JSC::JSGlobalObject::haveABadTime): (JSC::JSGlobalObject::createThrowTypeError): (JSC::JSGlobalObject::resetPrototype): (JSC::JSGlobalObject::addStaticGlobals): (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope): (JSC::JSGlobalObject::createProgramCodeBlock): (JSC::JSGlobalObject::createEvalCodeBlock): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::create): (JSGlobalObject): (JSC::JSGlobalObject::finishCreation): (JSC::JSGlobalObject::vm): (JSC::JSGlobalObject::createStructure): (JSC::ExecState::dynamicGlobalObject): (JSC::constructEmptyArray): (DynamicGlobalObjectScope): * runtime/JSGlobalObjectFunctions.cpp: (JSC::globalFuncProtoSetter): * runtime/JSLock.cpp: (JSC::JSLockHolder::JSLockHolder): (JSC::JSLockHolder::init): (JSC::JSLockHolder::~JSLockHolder): (JSC::JSLock::JSLock): (JSC::JSLock::willDestroyGlobalData): (JSC::JSLock::lock): (JSC::JSLock::unlock): (JSC::JSLock::DropAllLocks::DropAllLocks): (JSC::JSLock::DropAllLocks::~DropAllLocks): * runtime/JSLock.h: (JSC): (JSLockHolder): (JSLock): (JSC::JSLock::vm): (DropAllLocks): * runtime/JSNameScope.h: (JSC::JSNameScope::createStructure): (JSC::JSNameScope::finishCreation): (JSC::JSNameScope::JSNameScope): * runtime/JSNotAnObject.h: (JSC::JSNotAnObject::JSNotAnObject): (JSC::JSNotAnObject::create): (JSC::JSNotAnObject::createStructure): * runtime/JSONObject.cpp: (JSC::JSONObject::JSONObject): (JSC::JSONObject::finishCreation): (Holder): (JSC::Stringifier::Stringifier): (JSC::Stringifier::stringify): (JSC::Stringifier::toJSON): (JSC::Stringifier::appendStringifiedValue): (JSC::Stringifier::Holder::Holder): (JSC::Stringifier::Holder::appendNextProperty): (JSC::Walker::Walker): (JSC::Walker::walk): (JSC::JSONProtoFuncParse): (JSC::JSONProtoFuncStringify): (JSC::JSONStringify): * runtime/JSONObject.h: (JSC::JSONObject::createStructure): * runtime/JSObject.cpp: (JSC::JSObject::put): (JSC::JSObject::putByIndex): (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists): (JSC::JSObject::enterDictionaryIndexingMode): (JSC::JSObject::notifyPresenceOfIndexedAccessors): (JSC::JSObject::createInitialIndexedStorage): (JSC::JSObject::createInitialUndecided): (JSC::JSObject::createInitialInt32): (JSC::JSObject::createInitialDouble): (JSC::JSObject::createInitialContiguous): (JSC::JSObject::createArrayStorage): (JSC::JSObject::createInitialArrayStorage): (JSC::JSObject::convertUndecidedToInt32): (JSC::JSObject::convertUndecidedToDouble): (JSC::JSObject::convertUndecidedToContiguous): (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements): (JSC::JSObject::convertUndecidedToArrayStorage): (JSC::JSObject::convertInt32ToDouble): (JSC::JSObject::convertInt32ToContiguous): (JSC::JSObject::convertInt32ToArrayStorage): (JSC::JSObject::genericConvertDoubleToContiguous): (JSC::JSObject::convertDoubleToContiguous): (JSC::JSObject::rageConvertDoubleToContiguous): (JSC::JSObject::convertDoubleToArrayStorage): (JSC::JSObject::convertContiguousToArrayStorage): (JSC::JSObject::convertUndecidedForValue): (JSC::JSObject::convertInt32ForValue): (JSC::JSObject::setIndexQuicklyToUndecided): (JSC::JSObject::convertInt32ToDoubleOrContiguousWhilePerformingSetIndex): (JSC::JSObject::convertDoubleToContiguousWhilePerformingSetIndex): (JSC::JSObject::ensureInt32Slow): (JSC::JSObject::ensureDoubleSlow): (JSC::JSObject::ensureContiguousSlow): (JSC::JSObject::rageEnsureContiguousSlow): (JSC::JSObject::ensureArrayStorageSlow): (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode): (JSC::JSObject::switchToSlowPutArrayStorage): (JSC::JSObject::putDirectVirtual): (JSC::JSObject::setPrototype): (JSC::JSObject::setPrototypeWithCycleCheck): (JSC::JSObject::putDirectAccessor): (JSC::JSObject::deleteProperty): (JSC::JSObject::getPropertySpecificValue): (JSC::JSObject::getOwnNonIndexPropertyNames): (JSC::JSObject::seal): (JSC::JSObject::freeze): (JSC::JSObject::preventExtensions): (JSC::JSObject::reifyStaticFunctionsForDelete): (JSC::JSObject::removeDirect): (JSC::JSObject::putIndexedDescriptor): (JSC::JSObject::defineOwnIndexedProperty): (JSC::JSObject::allocateSparseIndexMap): (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes): (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage): (JSC::JSObject::putByIndexBeyondVectorLength): (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage): (JSC::JSObject::putDirectIndexBeyondVectorLength): (JSC::JSObject::putDirectNativeFunction): (JSC::JSObject::increaseVectorLength): (JSC::JSObject::ensureLengthSlow): (JSC::JSObject::growOutOfLineStorage): (JSC::JSObject::getOwnPropertyDescriptor): (JSC::putDescriptor): (JSC::JSObject::putDirectMayBeIndex): (JSC::DefineOwnPropertyScope::DefineOwnPropertyScope): (JSC::DefineOwnPropertyScope::~DefineOwnPropertyScope): (DefineOwnPropertyScope): (JSC::JSObject::defineOwnNonIndexProperty): * runtime/JSObject.h: (JSObject): (JSC::JSObject::putByIndexInline): (JSC::JSObject::putDirectIndex): (JSC::JSObject::setIndexQuickly): (JSC::JSObject::initializeIndex): (JSC::JSObject::getDirect): (JSC::JSObject::getDirectOffset): (JSC::JSObject::putDirect): (JSC::JSObject::isSealed): (JSC::JSObject::isFrozen): (JSC::JSObject::flattenDictionaryObject): (JSC::JSObject::ensureInt32): (JSC::JSObject::ensureDouble): (JSC::JSObject::ensureContiguous): (JSC::JSObject::rageEnsureContiguous): (JSC::JSObject::ensureArrayStorage): (JSC::JSObject::finishCreation): (JSC::JSObject::createStructure): (JSC::JSObject::ensureLength): (JSC::JSNonFinalObject::createStructure): (JSC::JSNonFinalObject::JSNonFinalObject): (JSC::JSNonFinalObject::finishCreation): (JSC::JSFinalObject::createStructure): (JSC::JSFinalObject::finishCreation): (JSC::JSFinalObject::JSFinalObject): (JSC::JSFinalObject::create): (JSC::JSObject::setButterfly): (JSC::JSObject::JSObject): (JSC::JSObject::inlineGetOwnPropertySlot): (JSC::JSObject::putDirectInternal): (JSC::JSObject::setStructureAndReallocateStorageIfNecessary): (JSC::JSObject::putOwnDataProperty): (JSC::JSObject::putDirectWithoutTransition): (JSC): * runtime/JSPropertyNameIterator.cpp: (JSC::JSPropertyNameIterator::JSPropertyNameIterator): (JSC::JSPropertyNameIterator::create): * runtime/JSPropertyNameIterator.h: (JSC::JSPropertyNameIterator::createStructure): (JSC::JSPropertyNameIterator::setCachedStructure): (JSC::JSPropertyNameIterator::setCachedPrototypeChain): (JSC::JSPropertyNameIterator::finishCreation): (JSC::StructureRareData::setEnumerationCache): * runtime/JSProxy.cpp: (JSC::JSProxy::setTarget): * runtime/JSProxy.h: (JSC::JSProxy::create): (JSC::JSProxy::createStructure): (JSC::JSProxy::JSProxy): (JSC::JSProxy::finishCreation): (JSProxy): * runtime/JSScope.cpp: (JSC::executeResolveOperations): (JSC::JSScope::resolveContainingScopeInternal): (JSC::JSScope::resolveWithBase): (JSC::JSScope::resolveWithThis): (JSC::JSScope::resolvePut): * runtime/JSScope.h: (JSScope): (JSC::JSScope::JSScope): (JSC::JSScope::vm): (JSC::ExecState::vm): * runtime/JSSegmentedVariableObject.h: (JSC::JSSegmentedVariableObject::JSSegmentedVariableObject): (JSC::JSSegmentedVariableObject::finishCreation): * runtime/JSString.cpp: (JSC::JSRopeString::RopeBuilder::expand): (JSC::StringObject::create): * runtime/JSString.h: (JSC): (JSString): (JSC::JSString::JSString): (JSC::JSString::finishCreation): (JSC::JSString::create): (JSC::JSString::createHasOtherOwner): (JSC::JSString::createStructure): (JSRopeString): (JSC::JSRopeString::RopeBuilder::RopeBuilder): (JSC::JSRopeString::RopeBuilder::append): (RopeBuilder): (JSC::JSRopeString::JSRopeString): (JSC::JSRopeString::finishCreation): (JSC::JSRopeString::append): (JSC::JSRopeString::createNull): (JSC::JSRopeString::create): (JSC::jsEmptyString): (JSC::jsSingleCharacterString): (JSC::jsSingleCharacterSubstring): (JSC::jsNontrivialString): (JSC::jsString): (JSC::jsSubstring): (JSC::jsSubstring8): (JSC::jsOwnedString): (JSC::jsStringBuilder): (JSC::inlineJSValueNotStringtoString): * runtime/JSStringJoiner.cpp: (JSC::JSStringJoiner::build): * runtime/JSSymbolTableObject.h: (JSC::JSSymbolTableObject::JSSymbolTableObject): (JSC::JSSymbolTableObject::finishCreation): (JSC::symbolTablePut): (JSC::symbolTablePutWithAttributes): * runtime/JSVariableObject.h: (JSC::JSVariableObject::JSVariableObject): * runtime/JSWithScope.h: (JSC::JSWithScope::create): (JSC::JSWithScope::createStructure): (JSC::JSWithScope::JSWithScope): * runtime/JSWrapperObject.h: (JSWrapperObject): (JSC::JSWrapperObject::createStructure): (JSC::JSWrapperObject::JSWrapperObject): (JSC::JSWrapperObject::setInternalValue): * runtime/LiteralParser.cpp: (JSC::::tryJSONPParse): (JSC::::makeIdentifier): (JSC::::parse): * runtime/Lookup.cpp: (JSC::HashTable::createTable): (JSC::setUpStaticFunctionSlot): * runtime/Lookup.h: (JSC::HashTable::initializeIfNeeded): (JSC::HashTable::entry): (JSC::HashTable::begin): (JSC::HashTable::end): (HashTable): (JSC::lookupPut): * runtime/MathObject.cpp: (JSC::MathObject::MathObject): (JSC::MathObject::finishCreation): (JSC::mathProtoFuncSin): * runtime/MathObject.h: (JSC::MathObject::createStructure): * runtime/MemoryStatistics.cpp: * runtime/MemoryStatistics.h: * runtime/NameConstructor.cpp: (JSC::NameConstructor::finishCreation): (JSC::constructPrivateName): * runtime/NameConstructor.h: (JSC::NameConstructor::createStructure): * runtime/NameInstance.cpp: (JSC::NameInstance::NameInstance): * runtime/NameInstance.h: (JSC::NameInstance::createStructure): (JSC::NameInstance::create): (NameInstance): (JSC::NameInstance::finishCreation): * runtime/NamePrototype.cpp: (JSC::NamePrototype::NamePrototype): (JSC::NamePrototype::finishCreation): * runtime/NamePrototype.h: (JSC::NamePrototype::createStructure): * runtime/NativeErrorConstructor.h: (JSC::NativeErrorConstructor::createStructure): (JSC::NativeErrorConstructor::finishCreation): * runtime/NativeErrorPrototype.cpp: (JSC::NativeErrorPrototype::finishCreation): * runtime/NumberConstructor.cpp: (JSC::NumberConstructor::finishCreation): (JSC::constructWithNumberConstructor): * runtime/NumberConstructor.h: (JSC::NumberConstructor::createStructure): * runtime/NumberObject.cpp: (JSC::NumberObject::NumberObject): (JSC::NumberObject::finishCreation): (JSC::constructNumber): * runtime/NumberObject.h: (NumberObject): (JSC::NumberObject::create): (JSC::NumberObject::createStructure): * runtime/NumberPrototype.cpp: (JSC::NumberPrototype::NumberPrototype): (JSC::NumberPrototype::finishCreation): (JSC::integerValueToString): (JSC::numberProtoFuncToString): * runtime/NumberPrototype.h: (JSC::NumberPrototype::createStructure): * runtime/ObjectConstructor.cpp: (JSC::ObjectConstructor::finishCreation): (JSC::objectConstructorGetOwnPropertyDescriptor): (JSC::objectConstructorSeal): (JSC::objectConstructorFreeze): (JSC::objectConstructorPreventExtensions): (JSC::objectConstructorIsSealed): (JSC::objectConstructorIsFrozen): * runtime/ObjectConstructor.h: (JSC::ObjectConstructor::createStructure): (JSC::constructEmptyObject): * runtime/ObjectPrototype.cpp: (JSC::ObjectPrototype::ObjectPrototype): (JSC::ObjectPrototype::finishCreation): (JSC::objectProtoFuncToString): * runtime/ObjectPrototype.h: (JSC::ObjectPrototype::createStructure): * runtime/Operations.cpp: (JSC::jsTypeStringForValue): * runtime/Operations.h: (JSC): (JSC::jsString): (JSC::jsStringFromArguments): (JSC::normalizePrototypeChainForChainAccess): (JSC::normalizePrototypeChain): * runtime/PropertyMapHashTable.h: (JSC::PropertyMapEntry::PropertyMapEntry): (JSC::PropertyTable::createStructure): (PropertyTable): (JSC::PropertyTable::copy): * runtime/PropertyNameArray.h: (JSC::PropertyNameArray::PropertyNameArray): (JSC::PropertyNameArray::vm): (JSC::PropertyNameArray::addKnownUnique): (PropertyNameArray): * runtime/PropertyTable.cpp: (JSC::PropertyTable::create): (JSC::PropertyTable::clone): (JSC::PropertyTable::PropertyTable): * runtime/PrototypeMap.cpp: (JSC::PrototypeMap::emptyObjectStructureForPrototype): * runtime/RegExp.cpp: (JSC::RegExp::RegExp): (JSC::RegExp::finishCreation): (JSC::RegExp::createWithoutCaching): (JSC::RegExp::create): (JSC::RegExp::compile): (JSC::RegExp::compileIfNecessary): (JSC::RegExp::match): (JSC::RegExp::compileMatchOnly): (JSC::RegExp::compileIfNecessaryMatchOnly): * runtime/RegExp.h: (JSC): (RegExp): (JSC::RegExp::createStructure): * runtime/RegExpCache.cpp: (JSC::RegExpCache::lookupOrCreate): (JSC::RegExpCache::RegExpCache): (JSC::RegExpCache::addToStrongCache): * runtime/RegExpCache.h: (RegExpCache): * runtime/RegExpCachedResult.cpp: (JSC::RegExpCachedResult::lastResult): (JSC::RegExpCachedResult::setInput): * runtime/RegExpCachedResult.h: (JSC::RegExpCachedResult::RegExpCachedResult): (JSC::RegExpCachedResult::record): * runtime/RegExpConstructor.cpp: (JSC::RegExpConstructor::RegExpConstructor): (JSC::RegExpConstructor::finishCreation): (JSC::constructRegExp): * runtime/RegExpConstructor.h: (JSC::RegExpConstructor::createStructure): (RegExpConstructor): (JSC::RegExpConstructor::performMatch): * runtime/RegExpMatchesArray.cpp: (JSC::RegExpMatchesArray::RegExpMatchesArray): (JSC::RegExpMatchesArray::create): (JSC::RegExpMatchesArray::finishCreation): (JSC::RegExpMatchesArray::reifyAllProperties): * runtime/RegExpMatchesArray.h: (RegExpMatchesArray): (JSC::RegExpMatchesArray::createStructure): * runtime/RegExpObject.cpp: (JSC::RegExpObject::RegExpObject): (JSC::RegExpObject::finishCreation): (JSC::RegExpObject::match): * runtime/RegExpObject.h: (JSC::RegExpObject::create): (JSC::RegExpObject::setRegExp): (JSC::RegExpObject::setLastIndex): (JSC::RegExpObject::createStructure): * runtime/RegExpPrototype.cpp: (JSC::regExpProtoFuncCompile): * runtime/RegExpPrototype.h: (JSC::RegExpPrototype::createStructure): * runtime/SmallStrings.cpp: (JSC::SmallStrings::initializeCommonStrings): (JSC::SmallStrings::createEmptyString): (JSC::SmallStrings::createSingleCharacterString): (JSC::SmallStrings::initialize): * runtime/SmallStrings.h: (JSC): (JSC::SmallStrings::singleCharacterString): (SmallStrings): * runtime/SparseArrayValueMap.cpp: (JSC::SparseArrayValueMap::SparseArrayValueMap): (JSC::SparseArrayValueMap::finishCreation): (JSC::SparseArrayValueMap::create): (JSC::SparseArrayValueMap::createStructure): (JSC::SparseArrayValueMap::putDirect): (JSC::SparseArrayEntry::put): * runtime/SparseArrayValueMap.h: * runtime/StrictEvalActivation.cpp: (JSC::StrictEvalActivation::StrictEvalActivation): * runtime/StrictEvalActivation.h: (JSC::StrictEvalActivation::create): (JSC::StrictEvalActivation::createStructure): * runtime/StringConstructor.cpp: (JSC::StringConstructor::finishCreation): * runtime/StringConstructor.h: (JSC::StringConstructor::createStructure): * runtime/StringObject.cpp: (JSC::StringObject::StringObject): (JSC::StringObject::finishCreation): (JSC::constructString): * runtime/StringObject.h: (JSC::StringObject::create): (JSC::StringObject::createStructure): (StringObject): * runtime/StringPrototype.cpp: (JSC::StringPrototype::StringPrototype): (JSC::StringPrototype::finishCreation): (JSC::removeUsingRegExpSearch): (JSC::replaceUsingRegExpSearch): (JSC::stringProtoFuncMatch): (JSC::stringProtoFuncSearch): (JSC::stringProtoFuncSplit): * runtime/StringPrototype.h: (JSC::StringPrototype::createStructure): * runtime/StringRecursionChecker.h: (JSC::StringRecursionChecker::performCheck): (JSC::StringRecursionChecker::~StringRecursionChecker): * runtime/Structure.cpp: (JSC::StructureTransitionTable::add): (JSC::Structure::Structure): (JSC::Structure::materializePropertyMap): (JSC::Structure::despecifyDictionaryFunction): (JSC::Structure::addPropertyTransition): (JSC::Structure::removePropertyTransition): (JSC::Structure::changePrototypeTransition): (JSC::Structure::despecifyFunctionTransition): (JSC::Structure::attributeChangeTransition): (JSC::Structure::toDictionaryTransition): (JSC::Structure::toCacheableDictionaryTransition): (JSC::Structure::toUncacheableDictionaryTransition): (JSC::Structure::sealTransition): (JSC::Structure::freezeTransition): (JSC::Structure::preventExtensionsTransition): (JSC::Structure::takePropertyTableOrCloneIfPinned): (JSC::Structure::nonPropertyTransition): (JSC::Structure::isSealed): (JSC::Structure::isFrozen): (JSC::Structure::flattenDictionaryStructure): (JSC::Structure::addPropertyWithoutTransition): (JSC::Structure::removePropertyWithoutTransition): (JSC::Structure::allocateRareData): (JSC::Structure::cloneRareDataFrom): (JSC::Structure::copyPropertyTable): (JSC::Structure::copyPropertyTableForPinning): (JSC::Structure::get): (JSC::Structure::despecifyFunction): (JSC::Structure::despecifyAllFunctions): (JSC::Structure::putSpecificValue): (JSC::Structure::createPropertyMap): (JSC::Structure::getPropertyNamesFromStructure): (JSC::Structure::prototypeChainMayInterceptStoreTo): * runtime/Structure.h: (Structure): (JSC::Structure::finishCreation): (JSC::Structure::setPrototypeWithoutTransition): (JSC::Structure::setGlobalObject): (JSC::Structure::setObjectToStringValue): (JSC::Structure::materializePropertyMapIfNecessary): (JSC::Structure::materializePropertyMapIfNecessaryForPinning): (JSC::Structure::setPreviousID): * runtime/StructureChain.cpp: (JSC::StructureChain::StructureChain): * runtime/StructureChain.h: (JSC::StructureChain::create): (JSC::StructureChain::createStructure): (JSC::StructureChain::finishCreation): (StructureChain): * runtime/StructureInlines.h: (JSC::Structure::create): (JSC::Structure::createStructure): (JSC::Structure::get): (JSC::Structure::setEnumerationCache): (JSC::Structure::prototypeChain): (JSC::Structure::propertyTable): * runtime/StructureRareData.cpp: (JSC::StructureRareData::createStructure): (JSC::StructureRareData::create): (JSC::StructureRareData::clone): (JSC::StructureRareData::StructureRareData): * runtime/StructureRareData.h: (StructureRareData): * runtime/StructureRareDataInlines.h: (JSC::StructureRareData::setPreviousID): (JSC::StructureRareData::setObjectToStringValue): * runtime/StructureTransitionTable.h: (StructureTransitionTable): (JSC::StructureTransitionTable::setSingleTransition): * runtime/SymbolTable.h: (JSC::SharedSymbolTable::create): (JSC::SharedSymbolTable::createStructure): (JSC::SharedSymbolTable::SharedSymbolTable): * runtime/VM.cpp: Copied from Source/JavaScriptCore/runtime/JSGlobalData.cpp. (JSC::VM::VM): (JSC::VM::~VM): (JSC::VM::createContextGroup): (JSC::VM::create): (JSC::VM::createLeaked): (JSC::VM::sharedInstanceExists): (JSC::VM::sharedInstance): (JSC::VM::sharedInstanceInternal): (JSC::VM::getHostFunction): (JSC::VM::ClientData::~ClientData): (JSC::VM::resetDateCache): (JSC::VM::startSampling): (JSC::VM::stopSampling): (JSC::VM::discardAllCode): (JSC::VM::dumpSampleData): (JSC::VM::addSourceProviderCache): (JSC::VM::clearSourceProviderCaches): (JSC::VM::releaseExecutableMemory): (JSC::releaseExecutableMemory): (JSC::VM::gatherConservativeRoots): (JSC::VM::addRegExpToTrace): (JSC::VM::dumpRegExpTrace): * runtime/VM.h: Copied from Source/JavaScriptCore/runtime/JSGlobalData.h. (VM): (JSC::VM::isSharedInstance): (JSC::VM::usingAPI): (JSC::VM::isInitializingObject): (JSC::VM::setInitializingObjectClass): (JSC::WeakSet::heap): * runtime/WriteBarrier.h: (JSC): (JSC::WriteBarrierBase::set): (JSC::WriteBarrierBase::setMayBeNull): (JSC::WriteBarrierBase::setEarlyValue): (JSC::WriteBarrier::WriteBarrier): * testRegExp.cpp: (GlobalObject): (GlobalObject::create): (GlobalObject::createStructure): (GlobalObject::finishCreation): (main): (testOneRegExp): (parseRegExpLine): (runFromFiles): (realMain): * yarr/YarrInterpreter.h: (BytecodePattern): * yarr/YarrJIT.cpp: (YarrGenerator): (JSC::Yarr::YarrGenerator::compile): (JSC::Yarr::jitCompile): * yarr/YarrJIT.h: (JSC): 2013-04-18 Xuefei Ren remove build warning(unused parameter) https://bugs.webkit.org/show_bug.cgi?id=114670 Reviewed by Rob Buis. remove warning in Source/JavaScriptCore/runtime/GCActivityCallbackBlackBerry.cpp * runtime/GCActivityCallbackBlackBerry.cpp: (JSC::DefaultGCActivityCallback::didAllocate): 2013-04-18 Jonathan Liu Implement JIT for MinGW-w64 64-bit https://bugs.webkit.org/show_bug.cgi?id=114580 Reviewed by Jocelyn Turcotte. * jit/JITStubs.cpp: (JSC): 2013-04-17 Mark Lam Avoid using a branch range that is too far for some CPU architectures. https://bugs.webkit.org/show_bug.cgi?id=114782. Reviewed by David Kilzer. * llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: 2013-04-17 Julien Brianceau Fix SH4 build (broken since r148639). https://bugs.webkit.org/show_bug.cgi?id=114773. Allow longer displacements for specific branches in SH4 LLINT. Reviewed by Oliver Hunt. * offlineasm/sh4.rb: 2013-04-14 Roger Fong Unreviewed. More Windows build fix. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: 2013-04-14 Roger Fong Unreviewed. Windows build fix. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: 2013-04-17 Mark Lam Fix broken build. Replaced a static const with a #define. https://bugs.webkit.org/show_bug.cgi?id=114577. Unreviewed. * runtime/Watchdog.cpp: (JSC::Watchdog::Watchdog): (JSC::Watchdog::isEnabled): 2013-04-17 Mark Lam Add LLINT and baseline JIT support for timing out scripts. https://bugs.webkit.org/show_bug.cgi?id=114577. Reviewed by Geoffrey Garen. Introduces the new Watchdog class which is used to track script execution time, and initiate script termination if needed. * API/JSContextRef.cpp: (internalScriptTimeoutCallback): (JSContextGroupSetExecutionTimeLimit): (JSContextGroupClearExecutionTimeLimit): * API/JSContextRefPrivate.h: - Added new script execution time limit APIs. * API/tests/testapi.c: (currentCPUTime): (shouldTerminateCallback): (cancelTerminateCallback): (extendTerminateCallback): (main): - Added new API tests for script execution time limit. * CMakeLists.txt: * GNUmakefile.list.am: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: * JavaScriptCore.xcodeproj/project.pbxproj: * Target.pri: * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitLoopHint): - loop hints are needed for the llint as well. Hence, it will be emitted unconditionally. * interpreter/Interpreter.cpp: (JSC::Interpreter::addStackTraceIfNecessary): (JSC::Interpreter::throwException): (JSC::Interpreter::execute): (JSC::Interpreter::executeCall): (JSC::Interpreter::executeConstruct): - Added checks for script termination before entering script code. * jit/JIT.cpp: (JSC::JIT::emitWatchdogTimerCheck): * jit/JIT.h: (JSC::JIT::emit_op_loop_hint): * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION(void, handle_watchdog_timer)): * jit/JITStubs.h: * llint/LLIntExceptions.cpp: (JSC::LLInt::doThrow): - Factored out some common code from returnToThrow() and callToThrow(). (JSC::LLInt::returnToThrow): (JSC::LLInt::callToThrow): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL(slow_path_handle_watchdog_timer)): * llint/LLIntSlowPaths.h: * llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: * runtime/ExceptionHelpers.cpp: (JSC::throwTerminatedExecutionException): - Also removed the now unused InterruptedExecutionException. * runtime/ExceptionHelpers.h: * runtime/JSGlobalData.cpp: (JSC::JSGlobalData::JSGlobalData): * runtime/JSGlobalData.h: - Added watchdog, and removed the now obsolete Terminator. * runtime/Terminator.h: Removed. * runtime/Watchdog.cpp: Added. (JSC::Watchdog::Watchdog): (JSC::Watchdog::~Watchdog): (JSC::Watchdog::setTimeLimit): (JSC::Watchdog::didFire): (JSC::Watchdog::isEnabled): (JSC::Watchdog::fire): (JSC::Watchdog::arm): (JSC::Watchdog::disarm): (JSC::Watchdog::startCountdownIfNeeded): (JSC::Watchdog::startCountdown): (JSC::Watchdog::stopCountdown): (JSC::Watchdog::Scope::Scope): (JSC::Watchdog::Scope::~Scope): * runtime/Watchdog.h: Added. (Watchdog): (JSC::Watchdog::didFire): (JSC::Watchdog::timerDidFireAddress): (JSC::Watchdog::isArmed): (Watchdog::Scope): * runtime/WatchdogMac.cpp: Added. (JSC::Watchdog::initTimer): (JSC::Watchdog::destroyTimer): (JSC::Watchdog::startTimer): (JSC::Watchdog::stopTimer): * runtime/WatchdogNone.cpp: Added. (JSC::Watchdog::initTimer): (JSC::Watchdog::destroyTimer): (JSC::Watchdog::startTimer): (JSC::Watchdog::stopTimer): 2013-04-14 Roger Fong Unreviewed. VS2010 Windows build fix. * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPostBuild.cmd: 2013-04-14 Roger Fong Copy make-file-export-generator script to the the Source folders of the projects that use it. * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj: * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj.filters: * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorBuildCmd.cmd: * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/make-export-file-generator: Copied from Source/WebCore/make-export-file-generator. 2013-04-17 Brent Fulgham [Windows, WinCairo] Stop individually building WTF files in JSC. https://bugs.webkit.org/show_bug.cgi?id=114705 Reviewed by Anders Carlsson. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: Export additional String/fastMalloc symbols needed by JSC program. * JavaScriptCore.vcproj/jsc/jsc.vcproj: Don't manually build WTF implementation files (a second time!) in this project. * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: Export additional String/fastMalloc symbols needed by JSC program. * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Don't manually build WTF implementation files (a second time!) in this project. * JavaScriptCore.vcxproj/jsc/jsc.vcxproj.filters: Ditto. 2013-04-17 Mark Lam releaseExecutableMemory() should canonicalize cell liveness data before it scans the GC roots. https://bugs.webkit.org/show_bug.cgi?id=114733. Reviewed by Mark Hahnenberg. * heap/Heap.cpp: (JSC::Heap::canonicalizeCellLivenessData): * heap/Heap.h: * runtime/JSGlobalData.cpp: (JSC::JSGlobalData::releaseExecutableMemory): 2013-04-16 Commit Queue Unreviewed, rolling out r148576. http://trac.webkit.org/changeset/148576 https://bugs.webkit.org/show_bug.cgi?id=114714 WebCore is building some of these same files (Requested by bfulgham on #webkit). * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: * JavaScriptCore.vcproj/jsc/jsc.vcproj: * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: * JavaScriptCore.vcxproj/jsc/jsc.vcxproj.filters: 2013-04-16 Brent Fulgham [Windows, WinCairo] Stop individually building WTF files in JSC. https://bugs.webkit.org/show_bug.cgi?id=114705 Reviewed by Anders Carlsson. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: Export additional String/fastMalloc symbols needed by JSC program. * JavaScriptCore.vcproj/jsc/jsc.vcproj: Don't manually build WTF implementation files (a second time!) in this project. * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: Export additional String/fastMalloc symbols needed by JSC program. * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Don't manually build WTF implementation files (a second time!) in this project. * JavaScriptCore.vcxproj/jsc/jsc.vcxproj.filters: Ditto. 2013-04-16 Patrick Gansterer [CMake] Do not use JAVASCRIPTCORE_DIR in add_custom_command() of JavaScriptCore project https://bugs.webkit.org/show_bug.cgi?id=114265 Reviewed by Brent Fulgham. Use CMAKE_CURRENT_SOURCE_DIR instead, since it provides the same value and is more understandable. Also move the GENERATE_HASH_LUT macro into the CMakeLists.txt of JavaScriptCore to avoid the usage of JAVASCRIPTCORE_DIR there too. * CMakeLists.txt: 2013-04-16 Anders Carlsson Another Windows build fix attempt. * runtime/JSGlobalData.h: (JSGlobalData): 2013-04-16 Anders Carlsson Try to fix the Windows build. * runtime/JSGlobalData.h: 2013-04-16 Brent Fulgham [Windows] Unreviewed VS2010 build correction. * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props: Specify proper link library to avoid mixture of ICU 4.0 and 4.6 symbols during link. 2013-04-15 Ryosuke Niwa Windows clean build fix after r148479. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: 2013-04-15 Anders Carlsson ScriptWrappable subclasses shouldn't have to include WeakInlines.h https://bugs.webkit.org/show_bug.cgi?id=114641 Reviewed by Alexey Proskuryakov. Move back the Weak constructor, destructor and clear() to Weak.h. Add a new weakClearSlowCase function and put it in Weak.cpp. * CMakeLists.txt: * GNUmakefile.list.am: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: * JavaScriptCore.xcodeproj/project.pbxproj: * Target.pri: * heap/Weak.cpp: Added. * heap/Weak.h: * heap/WeakInlines.h: * heap/WeakSetInlines.h: 2013-04-15 Mark Hahnenberg HeapTimer lifetime should be less complicated https://bugs.webkit.org/show_bug.cgi?id=114529 Reviewed by Oliver Hunt. Right now our HeapTimer lifetime is rather complicated. HeapTimers are "owned" by the JSGlobalData, but there's an issue in that there can be races between a thread that is trying to tear down a JSGlobalData and the HeapTimer's fire function. Our current code for tearing down HeapTimers is an intricate and delicate dance which probably contains subtle bugs. We can make our lives easier by changing things around a bit. 1) We should free the API lock from being solely owned by the JSGlobalData so we don't have to worry about grabbing the lock out of invalid memory when our HeapTimer callback fires. 2) We should also make it so that we deref the JSGlobalData first, then unlock the API lock so that when we have the lock, the JSGlobalData is in one of two states: fully valid or completely destroyed, and we know exactly which one. 3) The JSLock can tell us this information by keeping a back pointer to the JSGlobalData. When the JSGlobalData's destructor is called, it clears this pointer in the JSLock. Other clients of the API lock can then check this pointer to determine whether or not the JSGlobalData is still around. 4) The CFRunLoopTimer will use the API lock as its context rather than the HeapTimer itself. The only way the HeapTimer's callback can get to the HeapTimer is through the API lock's JSGlobalData pointer. 5) The CFRunLoopTimerContext struct has two fields for retain and release callbacks for the context's info field. We'll provide these callbacks to ref() and deref() the JSLock as necessary. Thus, the timer becomes the other owner of the JSLock apart from the JSGlobalData. * API/APIShims.h: Remove the cruft that was required by the previous design, such as RefGlobalDataTag. (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock): (JSC::APIEntryShimWithoutLock::~APIEntryShimWithoutLock): (APIEntryShimWithoutLock): (JSC::APIEntryShim::APIEntryShim): (JSC::APIEntryShim::~APIEntryShim): Protect the API lock with a RefPtr, deref the JSGlobalData, which could destroy it, then unlock the API lock. This ordering prevents others from obtaining the API lock while the JSGlobalData is in the middle of being torn down. (JSC::APIEntryShim::init): We now take the lock, then ref the JSGlobalData, which is the opposite order of when we tear down the shim. * heap/Heap.cpp: (JSC::Heap::setActivityCallback): Use PassOwnPtr now. (JSC::Heap::activityCallback): Ditto. (JSC::Heap::sweeper): Ditto. (JSC): * heap/Heap.h: (Heap): * heap/HeapTimer.cpp: (JSC::retainAPILock): Retain callback for CFRunLoopTimerContext struct. (JSC::releaseAPILock): Release callback for the CFRunLoopTimerContext struct. (JSC::HeapTimer::HeapTimer): Use the API lock as the context's info field rather than the HeapTimer. (JSC::HeapTimer::timerDidFire): Grab the API lock. Return early if the JSGlobalData has already been destroyed. Otherwise, figure out which kind of HeapTimer we are based on the CFRunLoopTimerRef passed to the callback and call the HeapTimer's callback. * heap/HeapTimer.h: (HeapTimer): * heap/IncrementalSweeper.cpp: (JSC::IncrementalSweeper::create): PassOwnPtr all the things. * heap/IncrementalSweeper.h: (IncrementalSweeper): * jsc.cpp: (jscmain): We use an APIEntryShim instead of a RefPtr for the JSGlobalData because we need to tear down the JSGlobalData while we still hold the lock, which the APIEntryShim handles correctly. * runtime/GCActivityCallback.h: (DefaultGCActivityCallback): (JSC::DefaultGCActivityCallback::create): * runtime/JSGlobalData.cpp: (JSC::JSGlobalData::JSGlobalData): (JSC::JSGlobalData::~JSGlobalData): Notify the API lock that the JSGlobalData is being torn down. * runtime/JSGlobalData.h: (JSGlobalData): (JSC::JSGlobalData::apiLock): * runtime/JSLock.cpp: (JSC::JSLockHolder::JSLockHolder): Ref, then lock (just like the API shim). (JSC): (JSC::JSLock::willDestroyGlobalData): (JSC::JSLockHolder::init): (JSC::JSLockHolder::~JSLockHolder): Protect, deref, then unlock (just like the API shim). (JSC::JSLock::JSLock): * runtime/JSLock.h: Add back pointer to the JSGlobalData and a callback for when the JSGlobalData is being torn down that clears this pointer to notify other clients (i.e. timer callbacks) that the JSGlobalData is no longer valid. (JSLockHolder): (JSLock): (JSC::JSLock::globalData): * testRegExp.cpp: (realMain): We use an APIEntryShim instead of a RefPtr for the JSGlobalData because we need to tear down the JSGlobalData while we still hold the lock, which the APIEntryShim handles correctly. 2013-04-15 Julien Brianceau LLInt SH4 backend implementation https://bugs.webkit.org/show_bug.cgi?id=112886 Reviewed by Oliver Hunt. * dfg/DFGOperations.cpp: (JSC): * jit/JITStubs.cpp: * llint/LLIntOfflineAsmConfig.h: * llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter32_64.asm: * offlineasm/arm.rb: * offlineasm/ast.rb: * offlineasm/backends.rb: * offlineasm/instructions.rb: * offlineasm/mips.rb: * offlineasm/risc.rb: * offlineasm/sh4.rb: Added. 2013-04-15 Patrick Gansterer [CMake] Add WTF_USE_*_UNICODE variables https://bugs.webkit.org/show_bug.cgi?id=114556 Reviewed by Brent Fulgham. WTF_USE_ICU_UNICODE and WTF_USE_WCHAR_UNICODE are used to reduce duplication in the platform specific CMake files. * CMakeLists.txt: * PlatformEfl.cmake: 2013-04-13 Patrick Gansterer Add missing export macro to SymbolTableEntry::freeFatEntrySlow() * runtime/SymbolTable.h: (SymbolTableEntry): 2013-04-12 Mark Hahnenberg Block freeing thread should call Region::destroy instead of delete https://bugs.webkit.org/show_bug.cgi?id=114544 Reviewed by Oliver Hunt. Since Region doesn't have a virtual destructor, calling delete will not properly clean up all of the state of the Region. We should call destroy() instead. * heap/BlockAllocator.cpp: (JSC::BlockAllocator::releaseFreeRegions): (JSC::BlockAllocator::blockFreeingThreadMain): 2013-04-11 Benjamin Poulain Merge CharacterClassTable into CharacterClass https://bugs.webkit.org/show_bug.cgi?id=114409 Reviewed by Darin Adler. CharacterClassTable is only a pointer and a boolean. It is a little overkill to make a separate allocation for that. * create_regex_tables: * yarr/YarrJIT.cpp: (JSC::Yarr::YarrGenerator::matchCharacterClass): * yarr/YarrPattern.cpp: (JSC::Yarr::CharacterClassConstructor::charClass): * yarr/YarrPattern.h: (CharacterClass): (JSC::Yarr::CharacterClass::CharacterClass): 2013-04-11 Michael Saboff Added UNLIKELY() suggested in https://bugs.webkit.org/show_bug.cgi?id=114366 after checking in the original change. Rubber-stamped by Jessie Berlin. * dfg/DFGOperations.cpp: 2013-04-10 Benjamin Poulain Unify JSC Parser's error and error message https://bugs.webkit.org/show_bug.cgi?id=114363 Reviewed by Geoffrey Garen. The parser kept the error state over two attributes: error and errorMessage. They were changed in sync, but had some discrepancy (for example, the error message was always defined to something). This patch unifies the two. There is an error if if the error message is non-null or if the parsing finished before the end. This also gets rid of the allocation of the error message when instantiating a parser. * parser/Parser.cpp: (JSC::::Parser): (JSC::::parseInner): (JSC::::parseSourceElements): (JSC::::parseVarDeclaration): (JSC::::parseConstDeclaration): (JSC::::parseForStatement): (JSC::::parseSwitchStatement): (JSC::::parsePrimaryExpression): * parser/Parser.h: (JSC::Parser::updateErrorMessage): (JSC::Parser::updateErrorWithNameAndMessage): (JSC::Parser::hasError): (Parser): 2013-04-10 Oliver Hunt Set trap is not being called for API objects https://bugs.webkit.org/show_bug.cgi?id=114403 Reviewed by Anders Carlsson. Intercept putByIndex on the callback object and add tests to make sure we don't regress in future. * API/JSCallbackObject.h: (JSCallbackObject): * API/JSCallbackObjectFunctions.h: (JSC::::putByIndex): (JSC): * API/tests/testapi.c: (PropertyCatchalls_setProperty): * API/tests/testapi.js: 2013-04-10 Benjamin Poulain Mass remove all the empty directories Rubberstamped by Ryosuke Niwa. * qt/api: Removed. * qt/benchmarks/qscriptengine: Removed. * qt/benchmarks/qscriptvalue: Removed. * qt/tests/qscriptengine: Removed. * qt/tests/qscriptstring: Removed. * qt/tests/qscriptvalue: Removed. * qt/tests/qscriptvalueiterator: Removed. 2013-04-10 Mark Hahnenberg JSObject::getOwnNonIndexPropertyNames calculates numCacheableSlots incorrectly https://bugs.webkit.org/show_bug.cgi?id=114235 Reviewed by Filip Pizlo. If the object doesn't have any properties but the prototype does, we'll assume those prototype properties are accessible in the base object's backing store, which is bad. * runtime/JSObject.cpp: (JSC::JSObject::getPropertyNames): (JSC::JSObject::getOwnNonIndexPropertyNames): * runtime/PropertyNameArray.h: (JSC::PropertyNameArray::PropertyNameArray): (JSC::PropertyNameArray::setNumCacheableSlotsForObject): (JSC::PropertyNameArray::setBaseObject): (PropertyNameArray): 2013-04-10 Patrick Gansterer Remove code duplicates from MacroAssemblerARM https://bugs.webkit.org/show_bug.cgi?id=104457 Reviewed by Oliver Hunt. Reuse some existing methods to avoid duplicated code. * assembler/MacroAssemblerARM.h: (JSC::MacroAssemblerARM::store8): (JSC::MacroAssemblerARM::store32): (JSC::MacroAssemblerARM::swap): (JSC::MacroAssemblerARM::add32): (JSC::MacroAssemblerARM::sub32): 2013-04-10 Michael Saboff DFG: Negative size for new Array() interpreted as large unsigned int https://bugs.webkit.org/show_bug.cgi?id=114366 Reviewed by Oliver Hunt. Added new check in operationNewArrayWithSize() for a negative size. If size is negative throw a "RangeError: Array size is not a small enough positive integer" exception. * dfg/DFGOperations.cpp: 2013-04-10 [email protected] WinCairo build fails to link. https://bugs.webkit.org/show_bug.cgi?id=114358 Reviewed by Brent Fulgham. Export the symbol WTF::MD5::checksum(). * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: 2013-04-08 Anders Carlsson Remove unneeded headers from FrameLoader.h https://bugs.webkit.org/show_bug.cgi?id=114223 Reviewed by Geoffrey Garen. Update for WTF changes. * bytecode/SpeculatedType.h: * runtime/JSCJSValue.h: 2013-04-09 Geoffrey Garen Removed bitrotted TimeoutChecker code https://bugs.webkit.org/show_bug.cgi?id=114336 Reviewed by Alexey Proskuryakov. This mechanism hasn't worked for a while. MarkL is working on a new version of this feature with a distinct implementation. * API/APIShims.h: (JSC::APIEntryShim::~APIEntryShim): (JSC::APIEntryShim::init): * GNUmakefile.list.am: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: * JavaScriptCore.xcodeproj/project.pbxproj: * Target.pri: * dfg/DFGGPRInfo.h: * jit/JIT.cpp: * jit/JIT.h: * jit/JITStubs.cpp: * jit/JITStubs.h: * jit/JSInterfaceJIT.h: (JSInterfaceJIT): * runtime/JSGlobalData.cpp: (JSC::JSGlobalData::JSGlobalData): * runtime/JSGlobalData.h: * runtime/JSGlobalObject.cpp: * runtime/JSONObject.cpp: (JSC::Stringifier::appendStringifiedValue): (JSC::Walker::walk): * runtime/TimeoutChecker.cpp: Removed. * runtime/TimeoutChecker.h: Removed. 2013-04-10 Oliver Hunt REGRESSION (r148073): WebKit Nightly r148082 crashes on launch in JSObjectSetPrivate https://bugs.webkit.org/show_bug.cgi?id=114341 Reviewed by Alexey Proskuryakov. Make JSObjectSetPrivate use uncheckedToJS as some clients clear their private data during finalization for some reason. * API/JSObjectRef.cpp: (JSObjectSetPrivate): 2013-04-09 Oliver Hunt Add liveness tests to JSC API entry points https://bugs.webkit.org/show_bug.cgi?id=114318 Reviewed by Geoffrey Garen. Add simple checks for the existence of a method table on any JSCells passed across the API. This in turn forces a structure validity test. * API/APICast.h: (toJS): (toJSForGC): (unsafeToJS): * API/JSObjectRef.cpp: (JSObjectGetPrivate): 2013-04-09 Oliver Hunt Rollout last patch as it destroyed everything * API/APICast.h: (toJS): (toJSForGC): 2013-04-09 Oliver Hunt Add liveness tests to JSC API entry points https://bugs.webkit.org/show_bug.cgi?id=114318 Reviewed by Filip Pizlo. Add simple checks for the existence of a method table on any JSCells passed across the API. This in turn forces a structure validity test. * API/APICast.h: (toJS): (toJSForGC): 2013-04-09 Balazs Kilvady LLInt conditional branch compilation fault on MIPS. https://bugs.webkit.org/show_bug.cgi?id=114264 Reviewed by Filip Pizlo. Fix conditional branch compilation in LLInt offlineasm. * offlineasm/mips.rb: 2013-04-08 Mark Hahnenberg JSObject::getOwnNonIndexPropertyNames calculates numCacheableSlots incorrectly https://bugs.webkit.org/show_bug.cgi?id=114235 Reviewed by Geoffrey Garen. Due to the way that numCacheableSlots is currently calculated, checking an object's prototype for enumerable properties causes us not to cache any properties at all. We should only cache properties on the object itself since we currently don't take advantage of any sort of name caching for properties in the prototype chain. This fix undoes a ~2% SunSpider regression caused by http://trac.webkit.org/changeset/147570. * runtime/JSObject.cpp: (JSC::JSObject::getOwnNonIndexPropertyNames): 2013-04-09 Ryosuke Niwa Remove yarr.gyp https://bugs.webkit.org/show_bug.cgi?id=114247 Reviewed by Benjamin Poulain. * yarr/yarr.gyp: Removed. 2013-04-08 Ryosuke Niwa Remove JavaScriptCore.gyp/gypi https://bugs.webkit.org/show_bug.cgi?id=114238 Reviewed by Benjamin Poulain. * JavaScriptCore.gyp: Removed. * JavaScriptCore.gyp/.gitignore: Removed. * JavaScriptCore.gypi: Removed. 2013-04-08 Vahag Vardanyan Adds fromCharCode intrinsic support. https://bugs.webkit.org/show_bug.cgi?id=104807 Reviewed by Oliver Hunt. Switch to using fromCharCode intrinsic instead of call operation in some cases. * dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleIntrinsic): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGNodeType.h: (DFG): * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileFromCharCode): (DFG): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::callOperation): (SpeculativeJIT): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * runtime/StringConstructor.cpp: (JSC::stringFromCharCode): (JSC): * runtime/StringConstructor.h: (JSC): 2013-04-08 Benjamin Poulain Remove HTML Notification https://bugs.webkit.org/show_bug.cgi?id=114231 Reviewed by Ryosuke Niwa. * Configurations/FeatureDefines.xcconfig: 2013-04-05 Roger Fong Build fix. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: 2013-04-08 Filip Pizlo DFG should be able to inline string equality comparisons https://bugs.webkit.org/show_bug.cgi?id=114224 Reviewed by Oliver Hunt. Inline 8-bit string equality, go to slow path for 16-bit strings. 2x speed-up for string equality comparisons on 8-bit strings. 20-50% speed-up on JSRegress/HashMap tests. 30% speed-up on string-fasta. 2% speed-up on SunSpider overall. Some small speed-ups elsewhere. This is a gnarly change but we have loads of test coverage already between the HashMap tests and preexisting DFG string equality tests (which appear to have been designed to test OSR exits, but also give us good overall coverage on string equality behavior). * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch): (JSC::DFG::SpeculativeJIT::compare): (JSC::DFG::SpeculativeJIT::compileStrictEq): (JSC::DFG::SpeculativeJIT::compileStringEquality): (DFG): * dfg/DFGSpeculativeJIT.h: (SpeculativeJIT): 2013-04-08 Geoffrey Garen Stop #include-ing all of JavaScriptCore in every DOM-related file https://bugs.webkit.org/show_bug.cgi?id=114220 Reviewed by Sam Weinig. I separated WeakInlines.h from Weak.h so WebCore data types that need to declare a Weak data member don't have to #include all of the infrastructure for accessing that data member. This also required separating Weak from PassWeak by removing the WeakImplAccessor class template and pushing code down into its subclasses. * API/JSWeakObjectMapRefPrivate.cpp: * JavaScriptCore.xcodeproj/project.pbxproj: * bytecode/UnlinkedCodeBlock.h: * heap/PassWeak.h: (JSC): (PassWeak): (JSC::::PassWeak): (JSC::::operator): (JSC::::get): * heap/SlotVisitorInlines.h: * heap/Weak.h: (JSC): (Weak): * heap/WeakInlines.h: Copied from Source/JavaScriptCore/heap/Weak.h. (JSC): (JSC::::Weak): (JSC::::operator): (JSC::::get): (JSC::::was): (JSC::weakClear): * jit/JITThunks.h: * runtime/RegExpCache.h: * runtime/Structure.h: * runtime/WeakGCMap.h: 2013-04-05 Roger Fong Windows build fix fix. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: 2013-04-05 Roger Fong Windows build fix. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: 2013-04-08 Oliver Hunt Make resolve more robust in the face of lookup misses https://bugs.webkit.org/show_bug.cgi?id=114211 Reviewed by Filip Pizlo. This simply short circuits the resolve operations in the event that we don't find a path to a property. There's no repro case for this happening unfortunately. * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): 2013-04-08 Oliver Hunt Build fix. * assembler/ARMv7Assembler.h: (ARMv7Assembler): 2013-04-08 Justin Haygood Allow KeywordLookupGenerator.py to work on Windows with Windows style line endings https://bugs.webkit.org/show_bug.cgi?id=63234 Reviewed by Oliver Hunt. * KeywordLookupGenerator.py: (parseKeywords): 2013-04-08 Filip Pizlo REGRESSION(r146669): Assertion hit in JSC::DFG::SpeculativeJIT::fillSpeculateCell() running webgl tests https://bugs.webkit.org/show_bug.cgi?id=114129 Reviewed by Darin Adler. The check to see if we need a cell check when simplifying a GetById or PutById needs to be hoisted to above where we abstractly execute the instruction, since after we abstracting execute it, it will seem like it no longer needs the cell check. * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): 2013-04-07 Oliver Hunt Add bounds checking for WTF::Vector::operator[] https://bugs.webkit.org/show_bug.cgi?id=89600 Reviewed by Filip Pizlo. Make a few JSC classes opt-out of release mode bounds checking. * assembler/AssemblerBuffer.h: (AssemblerBuffer): * assembler/AssemblerBufferWithConstantPool.h: (AssemblerBufferWithConstantPool): * bytecode/CodeBlock.cpp: (JSC::CodeBlock::CodeBlock): (JSC::CodeBlock::bytecodeOffset): (JSC): (JSC::replaceExistingEntries): * bytecode/CodeBlock.h: (JSC::CodeBlock::bytecodeOffsetForCallAtIndex): (JSC::CodeBlock::callReturnIndexVector): (JSC::CodeBlock::codeOrigins): (RareData): * bytecode/UnlinkedCodeBlock.h: (JSC::UnlinkedEvalCodeBlock::adoptVariables): (UnlinkedEvalCodeBlock): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::BytecodeGenerator): (JSC::BytecodeGenerator::emitNewArray): (JSC::BytecodeGenerator::emitCall): (JSC::BytecodeGenerator::emitConstruct): * bytecompiler/BytecodeGenerator.h: (CallArguments): (JSC::BytecodeGenerator::instructions): (BytecodeGenerator): * bytecompiler/StaticPropertyAnalysis.h: (JSC::StaticPropertyAnalysis::create): (JSC::StaticPropertyAnalysis::StaticPropertyAnalysis): (StaticPropertyAnalysis): * bytecompiler/StaticPropertyAnalyzer.h: (StaticPropertyAnalyzer): (JSC::StaticPropertyAnalyzer::StaticPropertyAnalyzer): * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::link): * parser/ASTBuilder.h: (ASTBuilder): * runtime/ArgList.h: (MarkedArgumentBuffer): * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncSort): 2013-04-07 Benjamin Poulain Use Vector::reserveInitialCapacity() when possible in JavaScriptCore runtime https://bugs.webkit.org/show_bug.cgi?id=114111 Reviewed by Andreas Kling. Almost all the code was already using Vector::reserveInitialCapacity() and Vector::uncheckedAppend(). Fix the remaining parts. * runtime/ArgList.h: (MarkedArgumentBuffer): The type VectorType is unused. * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncSort): Move the variable closer to where it is needed. * runtime/JSArray.cpp: (JSC::JSArray::setLengthWithArrayStorage): * runtime/JSObject.cpp: (JSC::JSObject::getOwnPropertyNames): 2013-04-07 Patrick Gansterer Remove references to Skia and V8 from CMake files https://bugs.webkit.org/show_bug.cgi?id=114130 Reviewed by Geoffrey Garen. * shell/PlatformBlackBerry.cmake: 2013-04-07 David Kilzer Remove the rest of SVG_DOM_OBJC_BINDINGS Reviewed by Geoffrey Garen. * Configurations/FeatureDefines.xcconfig: - Remove ENABLE_SVG_DOM_OBJC_BINDINGS macro. 2013-04-07 Oliver Hunt Inspector should display information about non-object exceptions https://bugs.webkit.org/show_bug.cgi?id=114123 Reviewed by Adele Peterson. Make sure we store the right stack information, even when throwing a primitive. * interpreter/CallFrame.h: (JSC::ExecState::clearSupplementaryExceptionInfo): (ExecState): * interpreter/Interpreter.cpp: (JSC::Interpreter::addStackTraceIfNecessary): (JSC::Interpreter::throwException): 2013-04-06 Oliver Hunt Unify the many and varied stack trace mechanisms, and make the result sane. https://bugs.webkit.org/show_bug.cgi?id=114072 Reviewed by Filip Pizlo. Makes JSC::StackFrame record the bytecode offset and other necessary data rather than requiring us to perform eager evaluation of the line number, etc. Then remove most of the users of retrieveLastCaller, as most of them were using it to create a stack trace in a fairly incomplete and inefficient way. StackFrame now also has a couple of helpers to get the line and column info. * API/JSContextRef.cpp: (JSContextCreateBacktrace): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitDebugHook): * interpreter/Interpreter.cpp: (JSC): (JSC::Interpreter::dumpRegisters): (JSC::Interpreter::unwindCallFrame): (JSC::getBytecodeOffsetForCallFrame): (JSC::getCallerInfo): (JSC::StackFrame::line): (JSC::StackFrame::column): (JSC::StackFrame::expressionInfo): (JSC::StackFrame::toString): (JSC::Interpreter::getStackTrace): (JSC::Interpreter::addStackTraceIfNecessary): (JSC::Interpreter::retrieveCallerFromVMCode): * interpreter/Interpreter.h: (StackFrame): (Interpreter): * runtime/Error.cpp: (JSC::throwError): * runtime/JSGlobalData.h: (JSC): (JSGlobalData): * runtime/JSGlobalObject.cpp: (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope): 2013-04-06 Geoffrey Garen Removed v8 bindings hooks from IDL files https://bugs.webkit.org/show_bug.cgi?id=114091 Reviewed by Anders Carlsson and Sam Weinig. * heap/HeapStatistics.h: 2013-04-03 Roger Fong Windows VS2010 build fix. * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: 2013-04-06 Zan Dobersek Remove the remaining PLATFORM(CHROMIUM) guard in JavaScriptCore https://bugs.webkit.org/show_bug.cgi?id=114082 Reviewed by Ryosuke Niwa. * runtime/JSExportMacros.h: Remove the remaining PLATFORM(CHROMIUM) guard. 2013-04-06 Ed Bartosh --minimal build fails with error: control reaches end of non-void function https://bugs.webkit.org/show_bug.cgi?id=114085 Reviewed by Oliver Hunt. * interpreter/Interpreter.cpp: return 0 if JIT is not enabled (JSC::getBytecodeOffsetForCallFrame): 2013-04-06 Geoffrey Garen Try to fix the Windows build. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: Added back a symbol that is exported. 2013-04-06 Geoffrey Garen Try to fix the Windows build. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: Removed symbols that aren't exported. 2013-04-06 Geoffrey Garen Rolled out 147820 and 147818 because they caused plugins tests to ASSERT https://bugs.webkit.org/show_bug.cgi?id=114094 Reviewed by Anders Carlsson. * API/JSContextRef.cpp: (JSContextCreateBacktrace): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitDebugHook): * interpreter/Interpreter.cpp: (JSC): (JSC::Interpreter::dumpRegisters): (JSC::Interpreter::unwindCallFrame): (JSC::getLineNumberForCallFrame): (JSC::getCallerInfo): (JSC::Interpreter::getStackTrace): (JSC::Interpreter::addStackTraceIfNecessary): (JSC::Interpreter::retrieveCallerFromVMCode): * interpreter/Interpreter.h: (StackFrame): (JSC::StackFrame::toString): (JSC::StackFrame::friendlyLineNumber): (Interpreter): * runtime/Error.cpp: (JSC::throwError): * runtime/JSGlobalData.h: (JSC): (JSGlobalData): * runtime/JSGlobalObject.cpp: (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope): 2013-04-06 Patrick Gansterer Unreviewed build fix after r146932. * profiler/ProfilerDatabase.cpp: (Profiler): 2013-04-06 Patrick Gansterer Do not call getenv() on Windows CE where it does not exist. * runtime/JSGlobalData.cpp: (JSC::JSGlobalData::JSGlobalData): 2013-04-05 Benjamin Poulain Second attempt to fix the Windows bot Unreviewed. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: 2013-04-05 Benjamin Poulain Attempt to fix the Windows bot Unreviewed. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: r147825 removed the symbol for nullptr_t. Add it back. 2013-04-02 Roger Fong Build fix. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: 2013-04-05 Oliver Hunt Build fix. * interpreter/Interpreter.cpp: (JSC::getBytecodeOffsetForCallFrame): 2013-04-05 Oliver Hunt Unify the many and varied stack trace mechanisms, and make the result sane. https://bugs.webkit.org/show_bug.cgi?id=114072 Reviewed by Filip Pizlo. Makes JSC::StackFrame record the bytecode offset and other necessary data rather than requiring us to perform eager evaluation of the line number, etc. Then remove most of the users of retrieveLastCaller, as most of them were using it to create a stack trace in a fairly incomplete and inefficient way. StackFrame now also has a couple of helpers to get the line and column info. * API/JSContextRef.cpp: (JSContextCreateBacktrace): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitDebugHook): * interpreter/Interpreter.cpp: (JSC): (JSC::Interpreter::dumpRegisters): (JSC::Interpreter::unwindCallFrame): (JSC::getBytecodeOffsetForCallFrame): (JSC::getCallerInfo): (JSC::StackFrame::line): (JSC::StackFrame::column): (JSC::StackFrame::expressionInfo): (JSC::StackFrame::toString): (JSC::Interpreter::getStackTrace): (JSC::Interpreter::addStackTraceIfNecessary): (JSC::Interpreter::retrieveCallerFromVMCode): * interpreter/Interpreter.h: (StackFrame): (Interpreter): * runtime/Error.cpp: (JSC::throwError): * runtime/JSGlobalData.h: (JSC): (JSGlobalData): * runtime/JSGlobalObject.cpp: (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope): 2013-04-05 Mark Hahnenberg tryCacheGetByID sets StructureStubInfo accessType to an incorrect value https://bugs.webkit.org/show_bug.cgi?id=114068 Reviewed by Geoffrey Garen. In the case where we have a non-Value cacheable property, we set the StructureStubInfo accessType to get_by_id_self, but then we don't patch self and instead patch in a get_by_id_self_fail. This leads to incorrect profiling data so when the DFG compiles the function, it uses a GetByOffset rather than a GetById, which leads to loading a GetterSetter directly out of an object. * jit/JITStubs.cpp: (JSC::tryCacheGetByID): (JSC::DEFINE_STUB_FUNCTION): 2013-04-05 Filip Pizlo If CallFrame::trueCallFrame() knows that it's about to read garbage instead of a valid CodeOrigin/InlineCallFrame, then it should give up and return 0 and all callers should be robust against this https://bugs.webkit.org/show_bug.cgi?id=114062 Reviewed by Oliver Hunt. * bytecode/CodeBlock.h: (JSC::CodeBlock::canGetCodeOrigin): (CodeBlock): * interpreter/CallFrame.cpp: (JSC::CallFrame::trueCallFrame): * interpreter/Interpreter.cpp: (JSC::Interpreter::getStackTrace): 2013-04-05 Geoffrey Garen Made USE(JSC) unconditional https://bugs.webkit.org/show_bug.cgi?id=114058 Reviewed by Anders Carlsson. * config.h: 2013-04-05 Filip Pizlo Unreviewed, rolling out http://trac.webkit.org/changeset/147729 It's causing a bunch of breakage on some more strict compilers: :1267:2: error: ambiguous instructions require an explicit suffix (could be 'ficomps', or 'ficompl') * offlineasm/x86.rb: 2013-04-05 Roger Fong More VS2010 solution makefile fixes. * JavaScriptCore.vcxproj/JavaScriptCore.make: 2013-04-05 Allan Sandfeld Jensen LLint should be able to use x87 instead of SSE for floating pointer https://bugs.webkit.org/show_bug.cgi?id=112239 Reviewed by Filip Pizlo. Implements LLInt floating point operations in x87, to ensure we support x86 without SSE2. X86 (except 64bit) now defaults to using x87 instructions in order to support all 32bit x86 back to i686. The implementation uses the fucomi instruction from i686 which sets the new minimum. * offlineasm/x86.rb: 2013-04-04 Christophe Dumez Unreviewed EFL build fix. We had undefined reference to `JSC::CodeOrigin::maximumBytecodeIndex'. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::findClosureCallForReturnPC): (JSC::CodeBlock::bytecodeOffset): 2013-04-04 Geoffrey Garen Stop pretending that statements return a value https://bugs.webkit.org/show_bug.cgi?id=113969 Reviewed by Oliver Hunt. Expressions have an intrinsic value, which they return to their parent in the AST. Statements just execute for effect in sequence. This patch moves emitBytecode into the ExpressionNode and StatementNode subclasses, and changes the SatementNode subclass to return void. This eliminates some cruft where we used to return 0, or try to save a bogus register and return it, as if a statement had a consuming parent in the AST. * bytecompiler/BytecodeGenerator.h: (JSC::BytecodeGenerator::emitNode): (BytecodeGenerator): (JSC::BytecodeGenerator::emitNodeInConditionContext): * bytecompiler/NodesCodegen.cpp: (JSC::ConstStatementNode::emitBytecode): (JSC::BlockNode::emitBytecode): (JSC::EmptyStatementNode::emitBytecode): (JSC::DebuggerStatementNode::emitBytecode): (JSC::ExprStatementNode::emitBytecode): (JSC::VarStatementNode::emitBytecode): (JSC::IfNode::emitBytecode): (JSC::IfElseNode::emitBytecode): (JSC::DoWhileNode::emitBytecode): (JSC::WhileNode::emitBytecode): (JSC::ForNode::emitBytecode): (JSC::ForInNode::emitBytecode): (JSC::ContinueNode::emitBytecode): (JSC::BreakNode::emitBytecode): (JSC::ReturnNode::emitBytecode): (JSC::WithNode::emitBytecode): (JSC::CaseClauseNode::emitBytecode): (JSC::CaseBlockNode::emitBytecodeForBlock): (JSC::SwitchNode::emitBytecode): (JSC::LabelNode::emitBytecode): (JSC::ThrowNode::emitBytecode): (JSC::TryNode::emitBytecode): (JSC::ScopeNode::emitStatementsBytecode): (JSC::ProgramNode::emitBytecode): (JSC::EvalNode::emitBytecode): (JSC::FunctionBodyNode::emitBytecode): (JSC::FuncDeclNode::emitBytecode): * parser/NodeConstructors.h: (JSC::PropertyListNode::PropertyListNode): (JSC::ArgumentListNode::ArgumentListNode): * parser/Nodes.h: (Node): (ExpressionNode): (StatementNode): (ConstStatementNode): (BlockNode): (EmptyStatementNode): (DebuggerStatementNode): (ExprStatementNode): (VarStatementNode): (IfNode): (IfElseNode): (DoWhileNode): (WhileNode): (ForNode): (ForInNode): (ContinueNode): (BreakNode): (ReturnNode): (WithNode): (LabelNode): (ThrowNode): (TryNode): (ProgramNode): (EvalNode): (FunctionBodyNode): (FuncDeclNode): (CaseBlockNode): (SwitchNode): 2013-04-04 Oliver Hunt Exception stack unwinding doesn't handle inline callframes correctly https://bugs.webkit.org/show_bug.cgi?id=113952 Reviewed by Geoffrey Garen. The basic problem here is that the exception stack unwinding was attempting to be "clever" and avoid doing a correct stack walk as it "knew" inline callframes couldn't have exception handlers. This used to be safe as the exception handling machinery was designed to fail gently and just claim that no handler existed. This was "safe" and even "correct" inasmuch as we currently don't run any code with exception handlers through the dfg. This patch fixes the logic by simply making everything uniformly use the safe stack walking machinery, and making the correct boundary checks occur everywhere that they should. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::findClosureCallForReturnPC): (JSC::CodeBlock::bytecodeOffset): * interpreter/Interpreter.cpp: (JSC): (JSC::Interpreter::dumpRegisters): (JSC::Interpreter::unwindCallFrame): (JSC::getCallerInfo): (JSC::Interpreter::getStackTrace): (JSC::Interpreter::retrieveCallerFromVMCode): 2013-04-04 Geoffrey Garen Removed a defunct comment https://bugs.webkit.org/show_bug.cgi?id=113948 Reviewed by Oliver Hunt. This is also a convenient way to test the EWS. * bytecompiler/BytecodeGenerator.cpp: (JSC): 2013-04-04 Martin Robinson [GTK] Remove the gyp build https://bugs.webkit.org/show_bug.cgi?id=113942 Reviewed by Gustavo Noronha Silva. * JavaScriptCore.gyp/JavaScriptCoreGTK.gyp: Removed. * JavaScriptCore.gyp/redirect-stdout.sh: Removed. 2013-04-04 Geoffrey Garen Simplified bytecode generation by merging prefix and postfix nodes https://bugs.webkit.org/show_bug.cgi?id=113925 Reviewed by Filip Pizlo. PostfixNode now inherits from PrefixNode, so when we detect that we're in a context where postifx and prefix are equivalent, PostFixNode can just call through to PrefixNode codegen, instead of duplicating the logic. * bytecompiler/NodesCodegen.cpp: (JSC::PostfixNode::emitResolve): (JSC::PostfixNode::emitBracket): (JSC::PostfixNode::emitDot): * parser/NodeConstructors.h: (JSC::PostfixNode::PostfixNode): * parser/Nodes.h: (JSC): (PrefixNode): (PostfixNode): 2013-04-04 Andras Becsi Fix the build with GCC 4.8 https://bugs.webkit.org/show_bug.cgi?id=113147 Reviewed by Allan Sandfeld Jensen. Initialize JSObject* exception to suppress warnings that make the build fail because of -Werror=maybe-uninitialized. * runtime/Executable.cpp: (JSC::FunctionExecutable::compileForCallInternal): (JSC::FunctionExecutable::compileForConstructInternal): 2013-04-02 Mark Hahnenberg get_by_pname can become confused when iterating over objects with static properties https://bugs.webkit.org/show_bug.cgi?id=113831 Reviewed by Geoffrey Garen. get_by_pname doesn't take static properties into account when using a JSPropertyNameIterator to directly access an object's backing store. One way to fix this is to not cache any properties when iterating over objects with static properties. This patch fixes the bug that was originally reported on swisscom.ch. * runtime/JSObject.cpp: (JSC::JSObject::getOwnNonIndexPropertyNames): * runtime/JSPropertyNameIterator.cpp: (JSC::JSPropertyNameIterator::create): * runtime/PropertyNameArray.h: (JSC::PropertyNameArray::PropertyNameArray): (JSC::PropertyNameArray::numCacheableSlots): (JSC::PropertyNameArray::setNumCacheableSlots): (PropertyNameArray): 2013-04-02 Geoffrey Garen DFG should compile a little sooner https://bugs.webkit.org/show_bug.cgi?id=113835 Unreviewed. Rolled out r147511 because it was based on incorrect performance measurement. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::optimizationThresholdScalingFactor): 2013-04-02 Geoffrey Garen DFG should compile a little sooner https://bugs.webkit.org/show_bug.cgi?id=113835 Reviewed by Michael Saboff. 2% speedup on SunSpider. 2% speedup on JSRegress. Neutral on Octane, v8, and Kraken. The worst-hit single sub-test is kraken-stanford-crypto-ccm.js, which gets 18% slower. Since Kraken is neutral overall in its preferred mean, I think that's OK for now. (Our array indexing speculation fails pathologically on kraken-stanford-crypto-ccm.js. Compiling sooner is a regression because it triggers those failures sooner. I'm going to file some follow-up bugs explaining how to fix our speculations on this sub-test, at which point compiling earlier should become a slight speedup on Kraken overall.) * bytecode/CodeBlock.cpp: (JSC::CodeBlock::optimizationThresholdScalingFactor): I experimented with a few different options, including reducing the coefficient 'a'. A simple linear reduction on instruction count worked best. 2013-04-01 Benjamin Poulain Use Vector::reserveInitialCapacity and Vector::uncheckedAppend for JSC's APIs https://bugs.webkit.org/show_bug.cgi?id=113651 Reviewed by Andreas Kling. This removes a bunch of branches on initialization and when filling the vector. * API/JSCallbackConstructor.cpp: (JSC::constructJSCallback): * API/JSCallbackFunction.cpp: (JSC::JSCallbackFunction::call): * API/JSCallbackObjectFunctions.h: (JSC::::construct): (JSC::::call): * API/JSObjectRef.cpp: (JSObjectCopyPropertyNames): 2013-04-01 Mark Hahnenberg Fixing borked VS 2010 project file Unreviewed bot greening. * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: 2013-04-01 Mark Hahnenberg One more Windows build fix Unreviewed. * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: 2013-04-01 Mark Hahnenberg More build fallout fixes. Unreviewed build fix. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: Add new export symbols. * heap/SuperRegion.cpp: Windows didn't like "LLU". 2013-04-01 Mark Hahnenberg r147324 broke the world https://bugs.webkit.org/show_bug.cgi?id=113704 Unreviewed build fix. Remove a bunch of unused variables and use the correctly sized types for 32-bit platforms. * heap/BlockAllocator.cpp: (JSC::BlockAllocator::BlockAllocator): * heap/BlockAllocator.h: (BlockAllocator): * heap/Heap.cpp: (JSC::Heap::Heap): * heap/SuperRegion.cpp: (JSC::SuperRegion::SuperRegion): * heap/SuperRegion.h: (SuperRegion): 2013-04-01 Mark Hahnenberg 32-bit Windows build fix Unreviewed build fix. * heap/SuperRegion.cpp: * heap/SuperRegion.h: Use uint64_t instead of size_t. (SuperRegion): 2013-04-01 Mark Hahnenberg EFL build fix Unreviewed build fix. * CMakeLists.txt: 2013-03-31 Mark Hahnenberg Regions should be allocated from the same contiguous segment of virtual memory https://bugs.webkit.org/show_bug.cgi?id=113662 Reviewed by Filip Pizlo. Instead of letting the OS spread our Regions all over the place, we should allocate them all within some range of each other. This change will open the door to some other optimizations, e.g. doing simple range checks for our write barriers and compressing JSCell pointers to 32-bits. Added new SuperRegion class that encapsulates allocating Regions from a contiguous reserved chunk of virtual address space. It functions very similarly to the FixedVMPoolExecutableAllocator class used by the JIT. Also added two new subclasses of Region, NormalRegion and ExcessRegion. NormalRegion is the type of Region that is normally allocated when there is available space remaining in the SuperRegion. If we ever run out of space in the SuperRegion, we fall back to allocating ExcessRegions, which are identical to how Regions have behaved up until now, i.e. they contain a PageAllocationAligned. We only use the SuperRegion (and NormalRegions) on 64-bit systems, since it doesn't make sense to reserve the entire 4 GB address space on 32-bit systems just for the JS heap. * GNUmakefile.list.am: * JavaScriptCore.gypi: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: * JavaScriptCore.xcodeproj/project.pbxproj: * Target.pri: * heap/BlockAllocator.cpp: (JSC::BlockAllocator::BlockAllocator): * heap/BlockAllocator.h: (JSC): (BlockAllocator): (JSC::BlockAllocator::allocate): (JSC::BlockAllocator::allocateCustomSize): (JSC::BlockAllocator::deallocateCustomSize): * heap/Heap.cpp: (JSC::Heap::Heap): (JSC): (JSC::Heap::didExceedFixedHeapSizeLimit): * heap/Heap.h: (Heap): * heap/MarkedBlock.cpp: (JSC::MarkedBlock::create): * heap/Region.h: (Region): (JSC): (NormalRegion): (JSC::NormalRegion::base): (JSC::NormalRegion::size): (ExcessRegion): (JSC::ExcessRegion::base): (JSC::ExcessRegion::size): (JSC::NormalRegion::NormalRegion): (JSC::NormalRegion::tryCreate): (JSC::NormalRegion::tryCreateCustomSize): (JSC::NormalRegion::reset): (JSC::ExcessRegion::ExcessRegion): (JSC::ExcessRegion::~ExcessRegion): (JSC::ExcessRegion::create): (JSC::ExcessRegion::createCustomSize): (JSC::ExcessRegion::reset): (JSC::Region::Region): (JSC::Region::initializeBlockList): (JSC::Region::create): (JSC::Region::createCustomSize): (JSC::Region::~Region): (JSC::Region::destroy): (JSC::Region::reset): (JSC::Region::deallocate): (JSC::Region::base): (JSC::Region::size): * heap/SuperRegion.cpp: Added. (JSC): (JSC::SuperRegion::SuperRegion): (JSC::SuperRegion::getAlignedBase): (JSC::SuperRegion::allocateNewSpace): (JSC::SuperRegion::notifyNeedPage): (JSC::SuperRegion::notifyPageIsFree): * heap/SuperRegion.h: Added. (JSC): (SuperRegion): 2013-04-01 Benjamin Poulain Remove an unused variable from the ARMv7 Assembler https://bugs.webkit.org/show_bug.cgi?id=113653 Reviewed by Andreas Kling. * assembler/ARMv7Assembler.h: (ARMv7Assembler): 2013-03-31 Adam Barth [Chromium] Yarr should build using a separate GYP file from JavaScriptCore https://bugs.webkit.org/show_bug.cgi?id=113652 Reviewed by Nico Weber. This patch moves JavaScriptCore.gyp to yarr.gyp because Chromium only uses this GYP file to build yarr. * JavaScriptCore.gyp/JavaScriptCoreGTK.gyp: * JavaScriptCore.gypi: * yarr/yarr.gyp: Renamed from Source/JavaScriptCore/JavaScriptCore.gyp/JavaScriptCore.gyp. 2013-03-31 Filip Pizlo Unreviewed, fix a comment. While thinking about TBAA for array accesses, I realized that we have to be super careful about aliasing of typed arrays. * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::getByValLoadElimination): 2013-03-30 Mark Hahnenberg Move Region into its own header https://bugs.webkit.org/show_bug.cgi?id=113617 Reviewed by Geoffrey Garen. BlockAllocator.h is getting a little crowded. We should move the Region class into its own header, since it's pretty independent from the BlockAllocator. * GNUmakefile.list.am: * JavaScriptCore.gypi: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: * JavaScriptCore.xcodeproj/project.pbxproj: * heap/BlockAllocator.h: (JSC): * heap/Region.h: Added. (JSC): (DeadBlock): (JSC::DeadBlock::DeadBlock): (Region): (JSC::Region::blockSize): (JSC::Region::isFull): (JSC::Region::isEmpty): (JSC::Region::isCustomSize): (JSC::Region::create): (JSC::Region::createCustomSize): (JSC::Region::Region): (JSC::Region::~Region): (JSC::Region::reset): (JSC::Region::allocate): (JSC::Region::deallocate): 2013-03-29 Mark Hahnenberg Objective-C API: Remove -[JSManagedValue managedValueWithValue:owner:] https://bugs.webkit.org/show_bug.cgi?id=113602 Reviewed by Geoffrey Garen. Since we put the primary way of keeping track of external object graphs (i.e. "managed" references) in JSVirtualMachine, there is some overlap in the functionality of that interface and JSManagedValue. Specifically, we no longer need the methods that include an owner, since ownership is now tracked by JSVirtualMachine. These JSManagedValues will become weak pointers unless they are used with [JSVirtualMachine addManagedReference:withOwner:], in which case their lifetime is tied to that of their owner. * API/JSManagedValue.h: * API/JSManagedValue.mm: (-[JSManagedValue init]): (-[JSManagedValue initWithValue:]): (JSManagedValueHandleOwner::isReachableFromOpaqueRoots): * API/JSVirtualMachine.mm: (getInternalObjcObject): * API/tests/testapi.mm: (-[TextXYZ setOnclick:]): (-[TextXYZ dealloc]): 2013-03-29 Geoffrey Garen Simplified bytecode generation by unforking "condition context" codegen https://bugs.webkit.org/show_bug.cgi?id=113554 Reviewed by Mark Hahnenberg. Now, a node that establishes a condition context can always ask its child nodes to generate into that context. This has a few advantages: (*) Removes a bunch of code; (*) Optimizes a few missed cases like "if (!(x < 2))", "if (!!x)", and "if (!x || !y)"; (*) Paves the way to removing more opcodes. * bytecode/Opcode.h: (JSC): Separated out the branching opcodes for clarity. * bytecompiler/NodesCodegen.cpp: (JSC::ExpressionNode::emitBytecodeInConditionContext): All expressions can be emitted in a condition context now -- the default behavior is to branch based on the expression's value. (JSC::LogicalNotNode::emitBytecodeInConditionContext): (JSC::LogicalOpNode::emitBytecodeInConditionContext): (JSC::ConditionalNode::emitBytecode): (JSC::IfNode::emitBytecode): (JSC::IfElseNode::emitBytecode): (JSC::DoWhileNode::emitBytecode): (JSC::WhileNode::emitBytecode): (JSC::ForNode::emitBytecode): * parser/Nodes.h: (JSC::ExpressionNode::isSubtract): (ExpressionNode): (LogicalNotNode): (LogicalOpNode): Removed lots of code for handling expressions that couldn't generate into a condition context because all expressions can now. 2013-03-28 Geoffrey Garen Simplified the bytecode by removing op_loop and op_loop_if_* https://bugs.webkit.org/show_bug.cgi?id=113548 Reviewed by Filip Pizlo. Regular jumps will suffice. These opcodes are identical to branches, except they also do timeout checking. That style of timeout checking has been broken for a long time, and when we add back timeout checking, it won't use these opcodes. * JavaScriptCore.order: * bytecode/CodeBlock.cpp: (JSC::CodeBlock::dumpBytecode): * bytecode/Opcode.h: (JSC): (JSC::padOpcodeName): * bytecode/PreciseJumpTargets.cpp: (JSC::computePreciseJumpTargets): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitJump): (JSC::BytecodeGenerator::emitJumpIfTrue): (JSC::BytecodeGenerator::emitJumpIfFalse): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGCapabilities.h: (JSC::DFG::canCompileOpcode): * jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): (JSC::JIT::privateCompileSlowCases): * jit/JIT.h: (JIT): (JSC): * llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: 2013-03-28 Geoffrey Garen Simplified the bytecode by removing op_jmp_scopes https://bugs.webkit.org/show_bug.cgi?id=113545 Reviewed by Filip Pizlo. We already have op_pop_scope and op_jmp, so we don't need op_jmp_scopes. Using op_jmp_scopes was also adding a "jump to self" to codegen for return statements, which was pretty silly. * JavaScriptCore.order: * bytecode/CodeBlock.cpp: (JSC::CodeBlock::dumpBytecode): * bytecode/Opcode.h: (JSC::padOpcodeName): * bytecode/PreciseJumpTargets.cpp: (JSC::computePreciseJumpTargets): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitComplexPopScopes): (JSC::BytecodeGenerator::emitPopScopes): * bytecompiler/BytecodeGenerator.h: (BytecodeGenerator): * bytecompiler/NodesCodegen.cpp: (JSC::ContinueNode::emitBytecode): (JSC::BreakNode::emitBytecode): (JSC::ReturnNode::emitBytecode): * jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): * jit/JIT.h: * jit/JITOpcodes.cpp: * jit/JITOpcodes32_64.cpp: * jit/JITStubs.cpp: * jit/JITStubs.h: * llint/LLIntSlowPaths.cpp: * llint/LLIntSlowPaths.h: * llint/LowLevelInterpreter.asm: 2013-03-28 Mark Hahnenberg Safari hangs during test262 run in CodeCache::pruneSlowCase https://bugs.webkit.org/show_bug.cgi?id=113469 Reviewed by Geoffrey Garen. We can end up hanging for quite some time if we add a lot of small keys to the CodeCache. By the time we get around to pruning the cache, we have a potentially tens or hundreds of thousands of small entries, which can cause a noticeable hang when pruning them. To fix this issue we added a hard cap to the number of entries in the cache because we could potentially have to remove every element in the map. * runtime/CodeCache.cpp: (JSC::CodeCacheMap::pruneSlowCase): We need to prune until we're both under the hard cap and the capacity in bytes. * runtime/CodeCache.h: (CodeCacheMap): (JSC::CodeCacheMap::numberOfEntries): Convenience accessor function to the number of entries in the map that does the cast to size_t of m_map.size() for us. (JSC::CodeCacheMap::canPruneQuickly): Checks that the total number is under the hard cap. We put this check inside a function to more accurately describe why we're doing the check and to abstract out the actual calculation in case we want to coalesce calls to pruneSlowCase in the future. (JSC::CodeCacheMap::prune): Check the number of entries against our hard cap. If it's greater than the cap then we need to drop down to pruneSlowCase. 2013-03-28 Zan Dobersek Unreviewed build fix for the EFL and GTK ports. * runtime/CodeCache.cpp: (JSC::CodeCacheMap::pruneSlowCase): Pass a 0 casted to the int64_t type instead of 0LL to the std::max call so the arguments' types match. 2013-03-27 Geoffrey Garen Unreviewed build fix: Removed a dead field. Pointed out by Mark Lam. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::ByteCodeParser): (ByteCodeParser): 2013-03-27 Geoffrey Garen Unreviewed build fix: Removed a dead field. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::ByteCodeParser): (ByteCodeParser): 2013-03-27 Geoffrey Garen Removed some dead code in the DFG bytecode parser https://bugs.webkit.org/show_bug.cgi?id=113472 Reviewed by Sam Weinig. Now that Phi creation and liveness analysis are separate passes, we can remove the vestiges of code that used to do that in the bytecode parser. * dfg/DFGByteCodeParser.cpp: (ByteCodeParser): (JSC::DFG::ByteCodeParser::addToGraph): (JSC::DFG::ByteCodeParser::parse): 2013-03-27 Filip Pizlo JIT and DFG should NaN-check loads from Float32 arrays https://bugs.webkit.org/show_bug.cgi?id=113462 Reviewed by Mark Hahnenberg. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray): * jit/JITPropertyAccess.cpp: (JSC::JIT::emitFloatTypedArrayGetByVal): 2013-03-27 Mark Hahnenberg CodeCache::m_capacity can becoming negative, producing undefined results in pruneSlowCase https://bugs.webkit.org/show_bug.cgi?id=113453 Reviewed by Geoffrey Garen. * runtime/CodeCache.cpp: (JSC::CodeCacheMap::pruneSlowCase): We make sure that m_minCapacity doesn't drop below zero now. This prevents m_capacity from doing the same. 2013-03-27 Filip Pizlo DFG should use CheckStructure for typed array checks whenever possible https://bugs.webkit.org/show_bug.cgi?id=113374 Reviewed by Geoffrey Garen. We used to do the right thing, but it appears that this regressed at some point. Since the FixupPhase now has the ability to outright remove spurious CheckStructures on array operations, it is profitable for the ByteCodeParser to insert CheckStructures whenver there is a chance that it might be profitable, and when the profiling tells us what structure to check. Also added some code for doing ArrayProfile debugging. This is a slightly speed-up. Maybe 3% on Mandreel. * bytecode/ArrayProfile.cpp: (JSC::ArrayProfile::computeUpdatedPrediction): * dfg/DFGArrayMode.h: (JSC::DFG::ArrayMode::benefitsFromStructureCheck): 2013-03-27 Zeno Albisser [Qt] Remove Qt specific WorkQueueItem definitions. https://bugs.webkit.org/show_bug.cgi?id=112891 This patch is preparation work for removing WorkQueue related code from TestRunnerQt and replacing it with generic TestRunner code. Reviewed by Benjamin Poulain. * API/JSStringRefQt.cpp: (JSStringCreateWithQString): Adding a convenience function to create a JSStringRef from a QString. * API/JSStringRefQt.h: 2013-03-26 Filip Pizlo REGRESSION: Sometimes, operations on proven strings ignore changes to the string prototype https://bugs.webkit.org/show_bug.cgi?id=113353 Reviewed by Mark Hahnenberg and Geoffrey Garen. ToString should call speculateStringObject() even if you know that it's a string object, since it calls it to also get the watchpoint. Note that even with this change, if you do Phantom(Check:StringObject:@a), it might get eliminated just because we proved that @a is a string object (thereby eliminating the prototype watchpoint); that's fine since ToString is MustGenerate and never decays to Phantom. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileToStringOnCell): (JSC::DFG::SpeculativeJIT::speculateStringObject): (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject): * dfg/DFGSpeculativeJIT.h: (SpeculativeJIT): (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure): 2013-03-26 Mark Hahnenberg REGRESSION(r144131): It made fast/js/regress/string-repeat-arith.html assert on 32 bit https://bugs.webkit.org/show_bug.cgi?id=112106 Rubber stamped by Filip Pizlo. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32): Get rid of the case for constants because we would have done constant folding anyways on a ValueToInt32. * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): Fixed a random compile error with this flag enabled. 2013-03-26 Filip Pizlo JSC_enableProfiler=true should also cause JSGlobalData to save the profiler output somewhere https://bugs.webkit.org/show_bug.cgi?id=113144 Reviewed by Geoffrey Garen. Forgot to include Geoff's requested change in the original commit. * profiler/ProfilerDatabase.cpp: (Profiler): 2013-03-25 Filip Pizlo JSC_enableProfiler=true should also cause JSGlobalData to save the profiler output somewhere https://bugs.webkit.org/show_bug.cgi?id=113144 Reviewed by Geoffrey Garen. Added the ability to save profiler output with JSC_enableProfiler=true. It will save it to the current directory, or JSC_PROFILER_PATH if the latter was specified. This works by saving the Profiler::Database either when it is destroyed or atexit(), whichever happens first. This allows use of the profiler from any WebKit client. * jsc.cpp: (jscmain): * profiler/ProfilerDatabase.cpp: (Profiler): (JSC::Profiler::Database::Database): (JSC::Profiler::Database::~Database): (JSC::Profiler::Database::registerToSaveAtExit): (JSC::Profiler::Database::addDatabaseToAtExit): (JSC::Profiler::Database::removeDatabaseFromAtExit): (JSC::Profiler::Database::performAtExitSave): (JSC::Profiler::Database::removeFirstAtExitDatabase): (JSC::Profiler::Database::atExitCallback): * profiler/ProfilerDatabase.h: (JSC::Profiler::Database::databaseID): (Database): * runtime/JSGlobalData.cpp: (JSC::JSGlobalData::JSGlobalData): 2013-03-25 Filip Pizlo ArrayMode should not consider SpecOther when refining the base https://bugs.webkit.org/show_bug.cgi?id=113271 Reviewed by Geoffrey Garen. 9% speed-up on Octane/pdfjs. * dfg/DFGArrayMode.cpp: (JSC::DFG::ArrayMode::refine): 2013-03-26 Csaba Osztrogonác Fix unused parameter warnings in JITInlines.h https://bugs.webkit.org/show_bug.cgi?id=112560 Reviewed by Zoltan Herczeg. * jit/JITInlines.h: (JSC::JIT::beginUninterruptedSequence): (JSC::JIT::endUninterruptedSequence): (JSC): 2013-03-25 Kent Tamura Rename ENABLE_INPUT_TYPE_DATETIME https://bugs.webkit.org/show_bug.cgi?id=113254 Reviewed by Kentaro Hara. Rename ENABLE_INPUT_TYPE_DATETIME to ENABLE_INPUT_TYPE_DATETIME_INCOMPLETE. Actually I'd like to remove the code, but we shouldn't remove it yet because we shipped products with it on some platforms. * Configurations/FeatureDefines.xcconfig: 2013-03-25 Mark Lam Offlineasm cloop backend compiles op+branch incorrectly. https://bugs.webkit.org/show_bug.cgi?id=113146. Reviewed by Geoffrey Garen. * dfg/DFGRepatch.h: (JSC::DFG::dfgResetGetByID): (JSC::DFG::dfgResetPutByID): - These functions never return when the DFG is dsiabled, not just when asserts are enabled. Changing the attribute from NO_RETURN_DUE_TO_ASSERT to NO_RETURN. * llint/LLIntOfflineAsmConfig.h: - Added some #defines needed to get the cloop building again. * offlineasm/cloop.rb: - Fix cloopEmitOpAndBranchIfOverflow() and cloopEmitOpAndBranch() to emit code that unconditionally executes the specified operation before doing the conditional branch. 2013-03-25 Mark Hahnenberg JSObject::enterDictionaryIndexingMode doesn't have a case for ALL_BLANK_INDEXING_TYPES https://bugs.webkit.org/show_bug.cgi?id=113236 Reviewed by Geoffrey Garen. * runtime/JSObject.cpp: (JSC::JSObject::enterDictionaryIndexingMode): We forgot blank indexing types. 2013-03-23 Mark Hahnenberg HandleSet should use HeapBlocks for storing handles https://bugs.webkit.org/show_bug.cgi?id=113145 Reviewed by Geoffrey Garen. * GNUmakefile.list.am: Build project changes. * JavaScriptCore.gypi: Ditto. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: Ditto. * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Ditto. * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto. * JavaScriptCore.xcodeproj/project.pbxproj: Ditto. * heap/BlockAllocator.cpp: Rename the RegionSet to m_fourKBBlockRegionSet because there are too many block types to include them all in the name now. (JSC::BlockAllocator::BlockAllocator): * heap/BlockAllocator.h: (BlockAllocator): Add the appropriate override for regionSetFor. (JSC::WeakBlock): (JSC::MarkStackSegment): (JSC::HandleBlock): * heap/HandleBlock.h: Added. (HandleBlock): New class for HandleBlocks. (JSC::HandleBlock::blockFor): Static method to get the block of the given HandleNode pointer. Allows us to quickly figure out which HandleSet the HandleNode belongs to without storing the pointer to it in the HandleNode. (JSC::HandleBlock::handleSet): Getter. * heap/HandleBlockInlines.h: Added. (JSC::HandleBlock::create): (JSC::HandleBlock::HandleBlock): (JSC::HandleBlock::payloadEnd): (JSC::HandleBlock::payload): (JSC::HandleBlock::nodes): (JSC::HandleBlock::nodeAtIndex): (JSC::HandleBlock::nodeCapacity): * heap/HandleSet.cpp: (JSC::HandleSet::~HandleSet): (JSC::HandleSet::grow): * heap/HandleSet.h: (HandleNode): Move the internal Node class from HandleSet to be its own public class so it can be used by HandleBlock. (HandleSet): Add a typedef so that Node refers to the new HandleNode class. (JSC::HandleSet::toHandle): (JSC::HandleSet::toNode): (JSC::HandleSet::allocate): (JSC::HandleSet::deallocate): (JSC::HandleNode::HandleNode): (JSC::HandleNode::slot): (JSC::HandleNode::handleSet): Use the new blockFor static function to get the right HandleBlock and lookup the HandleSet. (JSC::HandleNode::setPrev): (JSC::HandleNode::prev): (JSC::HandleNode::setNext): (JSC::HandleNode::next): (JSC::HandleSet::forEachStrongHandle): * heap/Heap.h: Friend HandleSet so that it can access the BlockAllocator when allocating HandleBlocks. 2013-03-22 David Kilzer BUILD FIX (r145119): Make JSValue* properties default to (assign) Reviewed by Mark Hahnenberg. Fixes the following build failures: Source/JavaScriptCore/API/tests/testapi.mm:106:1: error: no 'assign', 'retain', or 'copy' attribute is specified - 'assign' is assumed [-Werror,-Wobjc-property-no-attribute] @property JSValue *onclick; ^ Source/JavaScriptCore/API/tests/testapi.mm:106:1: error: default property attrib ute 'assign' not appropriate for non-GC object [-Werror,-Wobjc-property-no-attribute] Source/JavaScriptCore/API/tests/testapi.mm:107:1: error: no 'assign', 'retain', or 'copy' attribute is specified - 'assign' is assumed [-Werror,-Wobjc-property-no-attribute] @property JSValue *weakOnclick; ^ Source/JavaScriptCore/API/tests/testapi.mm:107:1: error: default property attribute 'assign' not appropriate for non-GC object [-Werror,-Wobjc-property-no-attribute] 4 errors generated. * API/tests/testapi.mm: Default to (assign) for JSValue* properties. 2013-03-22 Ryosuke Niwa testLeakingPrototypesAcrossContexts added in r146682 doesn't compile on Win and fails on Mac https://bugs.webkit.org/show_bug.cgi?id=113125 Reviewed by Mark Hahnenberg Remove the test added in r146682 as it's now failing on Mac. This is the test that was causing a compilation failure on Windows. * API/tests/testapi.c: (main): 2013-03-22 Ryosuke Niwa Fix the typo: WIN -> WINDOWS. * API/tests/testapi.c: (main): 2013-03-22 Ryosuke Niwa I really can't figure out what's wrong with this one. Temporarily disable the test added by r146682 on Windows since it doesn't compile. * API/tests/testapi.c: (main): 2013-03-22 Ryosuke Niwa Another build fix (after r146693) for r146682. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: 2013-03-22 Roger Fong Unreviewed. AppleWin build fix. * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd: * JavaScriptCore.vcxproj/copy-files.cmd: 2013-03-22 Mark Hahnenberg -[TinyDOMNode dealloc] should call [super dealloc] when ARC is not enabled https://bugs.webkit.org/show_bug.cgi?id=113054 Reviewed by Geoffrey Garen. * API/tests/testapi.mm: (-[TinyDOMNode dealloc]): 2013-03-22 Mark Hahnenberg opaqueJSClassData should be cached on JSGlobalObject, not the JSGlobalData https://bugs.webkit.org/show_bug.cgi?id=113086 Reviewed by Geoffrey Garen. opaqueJSClassData stores cached prototypes for JSClassRefs in the C API. It doesn't make sense to share these prototypes within a JSGlobalData across JSGlobalObjects, and in fact doing so will cause a leak of the original JSGlobalObject that these prototypes were created in. Therefore we should move this cache to JSGlobalObject where it belongs and where it won't cause memory leaks. * API/JSBase.cpp: Needed to add an extern "C" so that testapi.c can use the super secret GC function. * API/JSClassRef.cpp: We now grab the cached context data from the global object rather than the global data. (OpaqueJSClass::contextData): * API/JSClassRef.h: Remove this header because it's unnecessary and causes circular dependencies. * API/tests/testapi.c: Added a new test that makes sure that using the same JSClassRef in two different contexts doesn't cause leaks of the original global object. (leakFinalize): (nestedAllocateObject): This is a hack to bypass the conservative scan of the GC, which was unnecessarily marking objects and keeping them alive, ruining the test result. (testLeakingPrototypesAcrossContexts): (main): * API/tests/testapi.mm: extern "C" this so we can continue using it here. * runtime/JSGlobalData.cpp: Remove JSClassRef related stuff. (JSC::JSGlobalData::~JSGlobalData): * runtime/JSGlobalData.h: (JSGlobalData): * runtime/JSGlobalObject.h: Add the stuff that JSGlobalData had. We add it to JSGlobalObjectRareData so that clients who don't use the C API don't have to pay the memory cost of this extra HashMap. (JSGlobalObject): (JSGlobalObjectRareData): (JSC::JSGlobalObject::opaqueJSClassData): 2013-03-19 Martin Robinson [GTK] Add support for building the WebCore bindings to the gyp build https://bugs.webkit.org/show_bug.cgi?id=112638 Reviewed by Nico Weber. * JavaScriptCore.gyp/JavaScriptCoreGTK.gyp: Export all include directories to direct dependents and fix the indentation of the libjavascriptcore target. 2013-03-21 Filip Pizlo Fix some minor issues in the DFG's profiling of heap accesses https://bugs.webkit.org/show_bug.cgi?id=113010 Reviewed by Goeffrey Garen. 1) If a CodeBlock gets jettisoned by GC, we should count the exit sites. 2) If a CodeBlock clears a structure stub during GC, it should record this, and the DFG should prefer to not inline that access (i.e. treat it as if it had an exit site). 3) If a PutById was seen by the baseline JIT, and the JIT attempted to cache it, but it chose not to, then assume that it will take slow path. 4) If we frequently exited because of a structure check on a weak constant, don't try to inline that access in the future. 5) Treat all exits that were counted as being frequent. 81% speed-up on Octane/gbemu. Small speed-ups elsewhere, and no regressions. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::finalizeUnconditionally): (JSC): (JSC::CodeBlock::resetStubDuringGCInternal): (JSC::CodeBlock::reoptimize): (JSC::CodeBlock::jettison): (JSC::ProgramCodeBlock::jettisonImpl): (JSC::EvalCodeBlock::jettisonImpl): (JSC::FunctionCodeBlock::jettisonImpl): (JSC::CodeBlock::tallyFrequentExitSites): * bytecode/CodeBlock.h: (CodeBlock): (JSC::CodeBlock::tallyFrequentExitSites): (ProgramCodeBlock): (EvalCodeBlock): (FunctionCodeBlock): * bytecode/GetByIdStatus.cpp: (JSC::GetByIdStatus::computeFor): * bytecode/PutByIdStatus.cpp: (JSC::PutByIdStatus::computeFor): * bytecode/StructureStubInfo.h: (JSC::StructureStubInfo::StructureStubInfo): (StructureStubInfo): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleGetById): (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGOSRExit.cpp: (JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow): * dfg/DFGOSRExit.h: (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite): (OSRExit): * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): * runtime/Options.h: (JSC): 2013-03-22 Filip Pizlo DFG folding of PutById to SimpleReplace should consider the specialized function case https://bugs.webkit.org/show_bug.cgi?id=113093 Reviewed by Geoffrey Garen and Mark Hahnenberg. * bytecode/PutByIdStatus.cpp: (JSC::PutByIdStatus::computeFor): 2013-03-22 David Kilzer BUILD FIX (r146558): Build testapi.mm with ARC enabled for armv7s Fixes the following build failure: Source/JavaScriptCore/API/tests/testapi.mm:205:1: error: method possibly missing a [super dealloc] call [-Werror,-Wobjc-missing-super-calls] } ^ 1 error generated. * Configurations/ToolExecutable.xcconfig: Enable ARC for armv7s architecture. 2013-03-22 David Kilzer Revert "BUILD FIX (r146558): Call [super dealloc] from -[TinyDOMNode dealloc]" This fixes a build failure introduced by this change: Source/JavaScriptCore/API/tests/testapi.mm:206:6: error: ARC forbids explicit message send of 'dealloc' [super dealloc]; ^ ~~~~~~~ 1 error generated. Not sure why this didn't fail locally on my Mac Pro. * API/tests/testapi.mm: (-[TinyDOMNode dealloc]): Remove call to [super dealloc]. 2013-03-22 David Kilzer BUILD FIX (r146558): Call [super dealloc] from -[TinyDOMNode dealloc] Fixes the following build failure: Source/JavaScriptCore/API/tests/testapi.mm:205:1: error: method possibly missing a [super dealloc] call [-Werror,-Wobjc-missing-super-calls] } ^ 1 error generated. * API/tests/testapi.mm: (-[TinyDOMNode dealloc]): Call [super dealloc]. 2013-03-22 Ryosuke Niwa Leak bots erroneously report JSC::WatchpointSet as leaking https://bugs.webkit.org/show_bug.cgi?id=107781 Reviewed by Filip Pizlo. Since leaks doesn't support tagged pointers, avoid using it by flipping the bit flag to indicate the entry is "fat". We set the flag when the entry is NOT fat; i.e. slim. Replaced FatFlag by SlimFlag and initialized m_bits with this flag to indicate that the entry is initially "slim". * runtime/SymbolTable.cpp: (JSC::SymbolTableEntry::copySlow): Don't set FatFlag since it has been replaced by SlimFlag. (JSC::SymbolTableEntry::inflateSlow): Ditto. * runtime/SymbolTable.h: (JSC::SymbolTableEntry::Fast::Fast): Set SlimFlag by default. (JSC::SymbolTableEntry::Fast::isNull): Ignore SlimFlag. (JSC::SymbolTableEntry::Fast::isFat): An entry is fat when m_bits is not entirely zero and SlimFlag is not set. (JSC::SymbolTableEntry::SymbolTableEntry): Set SlimFlag by default. (JSC::SymbolTableEntry::SymbolTableEntry::getFast): Set SlimFlag when creating Fast from a fat entry. (JSC::SymbolTableEntry::isNull): Ignore SlimFlag. (JSC::SymbolTableEntry::FatEntry::FatEntry): Strip SlimFlag. (JSC::SymbolTableEntry::isFat): An entry is fat when m_bits is not entirely zero and SlimFlag is unset. (JSC::SymbolTableEntry::fatEntry): Don't strip FatFlag as this flag doesn't exist anymore. (JSC::SymbolTableEntry::pack): Preserve SlimFlag. (JSC::SymbolTableIndexHashTraits): empty value is no longer zero so don't set emptyValueIsZero true. 2013-03-21 Mark Hahnenberg Objective-C API: Need a good way to preserve custom properties on JS wrappers https://bugs.webkit.org/show_bug.cgi?id=112608 Reviewed by Geoffrey Garen. Currently, we just use a weak map, which means that garbage collection can cause a wrapper to disappear if it isn't directly exported to JavaScript. The most straightforward and safe way (with respect to garbage collection and concurrency) is to have clients add and remove their external references along with their owners. Effectively, the client is recording the structure of the external object graph so that the garbage collector can make sure to mark any wrappers that are reachable through either the JS object graph of the external Obj-C object graph. By keeping these wrappers alive, this has the effect that custom properties on these wrappers will also remain alive. The rule for if an object needs to be tracked by the runtime (and therefore whether the client should report it) is as follows: For a particular object, its references to its children should be added if: 1. The child is referenced from JavaScript. 2. The child contains references to other objects for which (1) or (2) are true. * API/JSAPIWrapperObject.mm: (JSAPIWrapperObjectHandleOwner::finalize): (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots): A wrapper object is kept alive only if its JSGlobalObject is marked and its corresponding Objective-C object was added to the set of opaque roots. (JSC::JSAPIWrapperObject::visitChildren): We now call out to scanExternalObjectGraph, which handles adding all Objective-C objects to the set of opaque roots. * API/JSAPIWrapperObject.h: (JSAPIWrapperObject): * API/JSContext.mm: Moved dealloc to its proper place in the main implementation. (-[JSContext dealloc]): * API/JSVirtualMachine.h: * API/JSVirtualMachine.mm: (-[JSVirtualMachine initWithContextGroupRef:]): (-[JSVirtualMachine dealloc]): (getInternalObjcObject): Helper funciton to get the Objective-C object out of JSManagedValues or JSValues if there is one. (-[JSVirtualMachine addManagedReference:withOwner:]): Adds the Objective-C object to the set of objects owned by the owner object in that particular virtual machine. (-[JSVirtualMachine removeManagedReference:withOwner:]): Removes the relationship between the two objects. (-[JSVirtualMachine externalObjectGraph]): (scanExternalObjectGraph): Does a depth-first search of the external object graph in a particular virtual machine starting at the specified root. Each new object it encounters it adds to the set of opaque roots. These opaque roots will keep their corresponding wrapper objects alive if they have them. * API/JSManagedReferenceInternal.h: Added. * API/JSVirtualMachine.mm: Added the per-JSVirtualMachine map between objects and the objects they own, which is more formally known as that virtual machine's external object graph. * API/JSWrapperMap.mm: (-[JSWrapperMap dealloc]): We were leaking this before :-( (-[JSVirtualMachine initWithContextGroupRef:]): (-[JSVirtualMachine dealloc]): (-[JSVirtualMachine externalObjectGraph]): * API/JSVirtualMachineInternal.h: * API/tests/testapi.mm: Added two new tests using the TinyDOMNode class. The first tests that a custom property added to a wrapper doesn't vanish after GC, even though that wrapper isn't directly accessible to the JS garbage collector but is accessible through the external Objective-C object graph. The second test makes sure that adding an object to the external object graph with the same owner doesn't cause any sort of problems. (+[TinyDOMNode sharedVirtualMachine]): (-[TinyDOMNode init]): (-[TinyDOMNode dealloc]): (-[TinyDOMNode appendChild:]): (-[TinyDOMNode numberOfChildren]): (-[TinyDOMNode childAtIndex:]): (-[TinyDOMNode removeChildAtIndex:]): * JavaScriptCore.xcodeproj/project.pbxproj: * heap/SlotVisitor.h: (SlotVisitor): * heap/SlotVisitorInlines.h: (JSC::SlotVisitor::containsOpaqueRootTriState): Added a new method to SlotVisitor to allow scanExternalObjectGraph to have a thread-safe view of opaque roots during parallel marking. The set of opaque roots available to any one SlotVisitor isn't guaranteed to be 100% correct, but that just results in a small duplication of work in scanExternalObjectGraph. To indicate this change for false negatives we return a TriState that's either true or mixed, but never false. 2013-03-21 Mark Lam Fix O(n^2) op_debug bytecode charPosition to column computation. https://bugs.webkit.org/show_bug.cgi?id=112957. Reviewed by Geoffrey Garen. The previous algorithm does a linear reverse scan of the source string to find the line start for any given char position. This results in a O(n^2) algortithm when the source string has no line breaks. The new algorithm computes a line start column table for a SourceProvider on first use. This line start table is used to fix up op_debug's charPosition operand into a column operand when an UnlinkedCodeBlock is linked into a CodeBlock. The initialization of the line start table is O(n), and the CodeBlock column fix up is O(log(n)). * bytecode/CodeBlock.cpp: (JSC::CodeBlock::dumpBytecode): (JSC::CodeBlock::CodeBlock): - do column fix up. * interpreter/Interpreter.cpp: (JSC::Interpreter::debug): - no need to do column fixup anymore. * interpreter/Interpreter.h: * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): * parser/SourceProvider.cpp: (JSC::SourceProvider::lineStarts): (JSC::charPositionExtractor): (JSC::SourceProvider::charPositionToColumnNumber): - initialize line start column table if needed. - look up line start for the given char position. * parser/SourceProvider.h: 2013-03-21 Filip Pizlo JSC profiler should have an at-a-glance report of the success of DFG optimization https://bugs.webkit.org/show_bug.cgi?id=112988 Reviewed by Geoffrey Garen. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleCall): (JSC::DFG::ByteCodeParser::handleGetById): (JSC::DFG::ByteCodeParser::parseBlock): * profiler/ProfilerCompilation.cpp: (JSC::Profiler::Compilation::Compilation): (JSC::Profiler::Compilation::toJS): * profiler/ProfilerCompilation.h: (JSC::Profiler::Compilation::noticeInlinedGetById): (JSC::Profiler::Compilation::noticeInlinedPutById): (JSC::Profiler::Compilation::noticeInlinedCall): (Compilation): * runtime/CommonIdentifiers.h: 2013-03-21 Mark Lam Fix lexer charPosition computation when "rewind"ing the lexer. https://bugs.webkit.org/show_bug.cgi?id=112952. Reviewed by Michael Saboff. Changed the Lexer to no longer keep a m_charPosition. Instead, we compute currentCharPosition() from m_code and m_codeStartPlusOffset, where m_codeStartPlusOffset is the SourceProvider m_codeStart + the SourceCode start offset. This ensures that the charPosition is always in sync with m_code. * parser/Lexer.cpp: (JSC::::setCode): (JSC::::internalShift): (JSC::::shift): (JSC::::lex): * parser/Lexer.h: (JSC::Lexer::currentCharPosition): (JSC::::lexExpectIdentifier): 2013-03-21 Alberto Garcia [BlackBerry] GCActivityCallback: replace JSLock with JSLockHolder https://bugs.webkit.org/show_bug.cgi?id=112448 Reviewed by Xan Lopez. This changed in r121381. * runtime/GCActivityCallbackBlackBerry.cpp: (JSC::DefaultGCActivityCallback::doWork): 2013-03-21 Mark Hahnenberg Objective-C API: wrapperClass holds a static JSClassRef, which causes JSGlobalObjects to leak https://bugs.webkit.org/show_bug.cgi?id=112856 Reviewed by Geoffrey Garen. Through a very convoluted path that involves the caching of prototypes on the JSClassRef, we can leak JSGlobalObjects when inserting an Objective-C object into multiple independent JSContexts. * API/JSAPIWrapperObject.cpp: Removed. * API/JSAPIWrapperObject.h: (JSAPIWrapperObject): * API/JSAPIWrapperObject.mm: Copied from Source/JavaScriptCore/API/JSAPIWrapperObject.cpp. Made this an Objective-C++ file so that we can call release on the wrappedObject. Also added a WeakHandleOwner for JSAPIWrapperObjects. This will also be used in a future patch for https://bugs.webkit.org/show_bug.cgi?id=112608. (JSAPIWrapperObjectHandleOwner): (jsAPIWrapperObjectHandleOwner): (JSAPIWrapperObjectHandleOwner::finalize): This finalize replaces the old finalize that was done through the C API. (JSC::JSAPIWrapperObject::finishCreation): Allocate the WeakImpl. Balanced in finalize. (JSC::JSAPIWrapperObject::setWrappedObject): We now do the retain of the wrappedObject here rather than in random places scattered around JSWrapperMap.mm * API/JSObjectRef.cpp: Added some ifdefs for platforms that don't support the Obj-C API. (JSObjectGetPrivate): Ditto. (JSObjectSetPrivate): Ditto. (JSObjectGetPrivateProperty): Ditto. (JSObjectSetPrivateProperty): Ditto. (JSObjectDeletePrivateProperty): Ditto. * API/JSValueRef.cpp: Ditto. (JSValueIsObjectOfClass): Ditto. * API/JSWrapperMap.mm: Remove wrapperClass(). (objectWithCustomBrand): Change to no longer use a parent class, which was only used to give the ability to finalize wrapper objects. (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]): Change to no longer use wrapperClass(). (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): Ditto. (tryUnwrapObjcObject): We now check if the object inherits from JSAPIWrapperObject. * API/tests/testapi.mm: Added a test that exports an Objective-C object to two different JSContexts and makes sure that the first one is collected properly by using a weak JSManagedValue for the wrapper in the first JSContext. * CMakeLists.txt: Build file modifications. * GNUmakefile.list.am: Ditto. * JavaScriptCore.gypi: Ditto. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: Ditto. * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Ditto. * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto. * JavaScriptCore.xcodeproj/project.pbxproj: Ditto. * runtime/JSGlobalObject.cpp: More ifdefs for unsupported platforms. (JSC::JSGlobalObject::reset): Ditto. (JSC::JSGlobalObject::visitChildren): Ditto. * runtime/JSGlobalObject.h: Ditto. (JSGlobalObject): Ditto. (JSC::JSGlobalObject::objcCallbackFunctionStructure): Ditto. 2013-03-21 Anton Muhin Unreviewed, rolling out r146483. http://trac.webkit.org/changeset/146483 https://bugs.webkit.org/show_bug.cgi?id=111695 Breaks debug builds. * bytecode/GlobalResolveInfo.h: Removed property svn:mergeinfo. 2013-03-21 Gabor Rapcsanyi Implement LLInt for CPU(ARM_TRADITIONAL) https://bugs.webkit.org/show_bug.cgi?id=97589 Reviewed by Zoltan Herczeg. Enable LLInt for ARMv5 and ARMv7 traditional as well. * llint/LLIntOfflineAsmConfig.h: * llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter32_64.asm: * offlineasm/arm.rb: * offlineasm/backends.rb: * offlineasm/instructions.rb: 2013-03-20 Cosmin Truta [QNX][ARM] REGRESSION(r135330): Various failures in Octane https://bugs.webkit.org/show_bug.cgi?id=112863 Reviewed by Yong Li. This was fixed in http://trac.webkit.org/changeset/146396 on Linux only. Enable this fix on QNX. * assembler/ARMv7Assembler.h: (ARMv7Assembler): (JSC::ARMv7Assembler::replaceWithJump): (JSC::ARMv7Assembler::maxJumpReplacementSize): * assembler/MacroAssemblerARMv7.h: (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch): 2013-03-20 Filip Pizlo Fix indentation of JSString.h Rubber stamped by Mark Hahnenberg. * runtime/JSString.h: 2013-03-20 Filip Pizlo "" + x where x is not a string should be optimized by the DFG to some manner of ToString conversion https://bugs.webkit.org/show_bug.cgi?id=112845 Reviewed by Mark Hahnenberg. I like to do "" + x. So I decided to make DFG recognize it, and related idioms. * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::fixupToPrimitive): (FixupPhase): (JSC::DFG::FixupPhase::fixupToString): (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::resultOfToPrimitive): (DFG): (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGPredictionPropagationPhase.h: (DFG): 2013-03-20 Zoltan Herczeg ARMv7 replaceWithJump ASSERT failure after r135330. https://bugs.webkit.org/show_bug.cgi?id=103146 Reviewed by Filip Pizlo. On Linux, the 24 bit distance range of jumps sometimes does not enough to cover all targets addresses. This patch supports jumps outside of this range using a mov/movt/bx 10 byte long sequence. * assembler/ARMv7Assembler.h: (ARMv7Assembler): (JSC::ARMv7Assembler::revertJumpTo_movT3movtcmpT2): (JSC::ARMv7Assembler::nopw): (JSC::ARMv7Assembler::label): (JSC::ARMv7Assembler::replaceWithJump): (JSC::ARMv7Assembler::maxJumpReplacementSize): * assembler/MacroAssemblerARMv7.h: (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch): 2013-03-20 Mark Hahnenberg Objective-C API: Fix over-releasing in allocateConstructorAndPrototypeWithSuperClassInfo: https://bugs.webkit.org/show_bug.cgi?id=112832 Reviewed by Geoffrey Garen. If either the m_constructor or m_prototype (but not both) is collected, we will call allocateConstructorAndPrototypeWithSuperClassInfo, which will create a new object to replace the one that was collected, but at the end of the method we call release on both of them. This is incorrect since we autorelease the JSValue in the case that the object doesn't need to be reallocated. Thus we'll end up overreleasing later during the drain of the autorelease pool. * API/JSWrapperMap.mm: (objectWithCustomBrand): We no longer alloc here. We instead call the JSValue valueWithValue class method, which autoreleases for us. (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): We no longer call release on the constructor or prototype JSValues. * API/tests/testapi.mm: Added a new test that crashes on ToT due to over-releasing. 2013-03-19 Filip Pizlo It's called "Hash Consing" not "Hash Consting" https://bugs.webkit.org/show_bug.cgi?id=112768 Rubber stamped by Mark Hahnenberg. See http://en.wikipedia.org/wiki/Hash_consing * heap/GCThreadSharedData.cpp: (JSC::GCThreadSharedData::GCThreadSharedData): (JSC::GCThreadSharedData::reset): * heap/GCThreadSharedData.h: (GCThreadSharedData): * heap/SlotVisitor.cpp: (JSC::SlotVisitor::SlotVisitor): (JSC::SlotVisitor::setup): (JSC::SlotVisitor::reset): (JSC::JSString::tryHashConsLock): (JSC::JSString::releaseHashConsLock): (JSC::JSString::shouldTryHashCons): (JSC::SlotVisitor::internalAppend): * heap/SlotVisitor.h: (SlotVisitor): * runtime/JSGlobalData.cpp: (JSC::JSGlobalData::JSGlobalData): * runtime/JSGlobalData.h: (JSGlobalData): (JSC::JSGlobalData::haveEnoughNewStringsToHashCons): (JSC::JSGlobalData::resetNewStringsSinceLastHashCons): * runtime/JSString.h: (JSC::JSString::finishCreation): (JSString): (JSC::JSString::isHashConsSingleton): (JSC::JSString::clearHashConsSingleton): (JSC::JSString::setHashConsSingleton): 2013-03-20 Filip Pizlo DFG implementation of op_strcat should inline rope allocations https://bugs.webkit.org/show_bug.cgi?id=112780 Reviewed by Oliver Hunt. This gets rid of the StrCat node and adds a MakeRope node. The MakeRope node can take either two or three operands, and allocates a rope string with either two or three fibers. (The magic choice of three children for non-VarArg nodes happens to match exactly with the magic choice of three fibers for rope strings.) ValueAdd on KnownString is replaced with MakeRope with two children. StrCat gets replaced by an appropriate sequence of MakeRope's. MakeRope does not do the dynamic check to see if its children are empty strings. This is replaced by a static check, instead. The downside is that we may use more memory if the strings passed to MakeRope turn out to dynamically be empty. The upside is that we do fewer checks in the cases where either the strings are not empty, or where the strings are statically known to be empty. I suspect both of those cases are more common, than the case where the string is dynamically empty. This also results in some badness for X86. MakeRope needs six registers if it is allocating a three-rope. We don't have six registers to spare on X86. Currently, the code side-steps this problem by just never usign three-ropes in optimized code on X86. All other architectures, including X86_64, don't have this problem. This is a shocking speed-up. 9% progressions on both V8/splay and SunSpider/date-format-xparb. 1% progression on V8v7 overall, and ~0.5% progression on SunSpider. 2x speed-up on microbenchmarks that test op_strcat. * dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::executeEffects): * dfg/DFGAdjacencyList.h: (AdjacencyList): (JSC::DFG::AdjacencyList::removeEdge): * dfg/DFGArgumentsSimplificationPhase.cpp: (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild): * dfg/DFGBackwardsPropagationPhase.cpp: (JSC::DFG::BackwardsPropagationPhase::propagate): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::putStructureStoreElimination): (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren): (JSC::DFG::CSEPhase::performNodeCSE): * dfg/DFGDCEPhase.cpp: (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::createToString): (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion): (JSC::DFG::FixupPhase::convertStringAddUse): (FixupPhase): (JSC::DFG::FixupPhase::convertToMakeRope): (JSC::DFG::FixupPhase::fixupMakeRope): (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd): * dfg/DFGNodeType.h: (DFG): * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileAdd): (JSC::DFG::SpeculativeJIT::compileMakeRope): (DFG): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::callOperation): (SpeculativeJIT): (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand): (JSC::DFG::SpeculateCellOperand::~SpeculateCellOperand): (JSC::DFG::SpeculateCellOperand::gpr): (JSC::DFG::SpeculateCellOperand::use): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * runtime/JSString.h: (JSRopeString): 2013-03-20 Peter Gal Implement and32 on MIPS platform https://bugs.webkit.org/show_bug.cgi?id=112665 Reviewed by Zoltan Herczeg. * assembler/MacroAssemblerMIPS.h: (JSC::MacroAssemblerMIPS::and32): Added missing method. (MacroAssemblerMIPS): 2013-03-20 Mark Lam Fix incorrect debugger column number value. https://bugs.webkit.org/show_bug.cgi?id=112741. Reviewed by Oliver Hunt. 1. In lexer, parser, and debugger code, renamed column to charPosition. 2. Convert the charPosition to the equivalent column number before passing it to the debugger. 3. Changed ScopeNodes to take both a startLocation and an endLocation. This allows FunctionBodyNodes, ProgramNodes, and EvalNodess to emit correct debug hooks with correct starting line and column numbers. 4. Fixed the Lexer to not reset the charPosition (previously columnNumber) in Lexer::lex(). * JavaScriptCore.order: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: * bytecode/CodeBlock.cpp: (JSC::CodeBlock::dumpBytecode): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitDebugHook): * bytecompiler/BytecodeGenerator.h: (JSC::BytecodeGenerator::emitExpressionInfo): * bytecompiler/NodesCodegen.cpp: (JSC::ArrayNode::toArgumentList): (JSC::ConstStatementNode::emitBytecode): (JSC::EmptyStatementNode::emitBytecode): (JSC::DebuggerStatementNode::emitBytecode): (JSC::ExprStatementNode::emitBytecode): (JSC::VarStatementNode::emitBytecode): (JSC::IfNode::emitBytecode): (JSC::IfElseNode::emitBytecode): (JSC::DoWhileNode::emitBytecode): (JSC::WhileNode::emitBytecode): (JSC::ForNode::emitBytecode): (JSC::ForInNode::emitBytecode): (JSC::ContinueNode::emitBytecode): (JSC::BreakNode::emitBytecode): (JSC::ReturnNode::emitBytecode): (JSC::WithNode::emitBytecode): (JSC::SwitchNode::emitBytecode): (JSC::LabelNode::emitBytecode): (JSC::ThrowNode::emitBytecode): (JSC::TryNode::emitBytecode): (JSC::ProgramNode::emitBytecode): (JSC::EvalNode::emitBytecode): (JSC::FunctionBodyNode::emitBytecode): * interpreter/Interpreter.cpp: (JSC::Interpreter::debug): - convert charPosition to column for the debugger. * interpreter/Interpreter.h: * jit/JITStubs.cpp: (DEFINE_STUB_FUNCTION(void, op_debug)): * llint/LLIntSlowPaths.cpp: (LLINT_SLOW_PATH_DECL(slow_op_debug)): * parser/ASTBuilder.h: (JSC::ASTBuilder::createFunctionExpr): (JSC::ASTBuilder::createFunctionBody): (JSC::ASTBuilder::createGetterOrSetterProperty): (JSC::ASTBuilder::createFuncDeclStatement): (JSC::ASTBuilder::createBlockStatement): (JSC::ASTBuilder::createExprStatement): (JSC::ASTBuilder::createIfStatement): (JSC::ASTBuilder::createForLoop): (JSC::ASTBuilder::createForInLoop): (JSC::ASTBuilder::createVarStatement): (JSC::ASTBuilder::createReturnStatement): (JSC::ASTBuilder::createBreakStatement): (JSC::ASTBuilder::createContinueStatement): (JSC::ASTBuilder::createTryStatement): (JSC::ASTBuilder::createSwitchStatement): (JSC::ASTBuilder::createWhileStatement): (JSC::ASTBuilder::createDoWhileStatement): (JSC::ASTBuilder::createWithStatement): (JSC::ASTBuilder::createThrowStatement): (JSC::ASTBuilder::createDebugger): (JSC::ASTBuilder::createConstStatement): * parser/Lexer.cpp: (JSC::::setCode): (JSC::::internalShift): (JSC::::shift): (JSC::::lex): * parser/Lexer.h: (JSC::Lexer::currentCharPosition): (Lexer): (JSC::::lexExpectIdentifier): * parser/NodeConstructors.h: (JSC::Node::Node): * parser/Nodes.cpp: (JSC::StatementNode::setLoc): (JSC::ScopeNode::ScopeNode): (JSC::ProgramNode::ProgramNode): (JSC::ProgramNode::create): (JSC::EvalNode::EvalNode): (JSC::EvalNode::create): (JSC::FunctionBodyNode::FunctionBodyNode): (JSC::FunctionBodyNode::create): * parser/Nodes.h: (JSC::Node::charPosition): (Node): (StatementNode): (JSC::StatementNode::lastLine): (ScopeNode): (JSC::ScopeNode::startLine): (JSC::ScopeNode::startCharPosition): (ProgramNode): (EvalNode): (FunctionBodyNode): * parser/Parser.cpp: (JSC::::Parser): (JSC::::parseFunctionBody): (JSC::::parseFunctionInfo): * parser/Parser.h: (JSC::::parse): * parser/ParserTokens.h: (JSC::JSTokenLocation::JSTokenLocation): (JSTokenLocation): * parser/SyntaxChecker.h: (JSC::SyntaxChecker::createFunctionBody): 2013-03-20 Csaba Osztrogonác REGRESSION(r146089): It broke 20 sputnik tests on ARM traditional and Thumb2 https://bugs.webkit.org/show_bug.cgi?id=112676 Rubber-stamped by Filip Pizlo. Add one more EABI_32BIT_DUMMY_ARG to make DFG JIT ARM EABI compatible again after r146089 similar to https://bugs.webkit.org/show_bug.cgi?id=84449 * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::callOperation): 2013-03-19 Michael Saboff Crash when loading http://www.jqchart.com/jquery/gauges/RadialGauge/LiveData https://bugs.webkit.org/show_bug.cgi?id=112694 Reviewed by Filip Pizlo. We were trying to convert an NewArray to a Phantom, but convertToPhantom doesn't handle nodes with variable arguments. Added code to insert a Phantom node in front of all the live children of a var args node. Added ASSERT not var args for convertToPhantom to catch any other similar cases. Added a new convertToPhantomUnchecked() for converting var arg nodes. * dfg/DFGDCEPhase.cpp: (JSC::DFG::DCEPhase::run): * dfg/DFGNode.h: (Node): (JSC::DFG::Node::setOpAndDefaultNonExitFlags): Added ASSERT(!(m_flags & NodeHasVarArgs)) (JSC::DFG::Node::setOpAndDefaultNonExitFlagsUnchecked): (JSC::DFG::Node::convertToPhantomUnchecked): 2013-03-19 Mark Hahnenberg Crash in SpeculativeJIT::fillSpeculateIntInternal on http://bellard.org/jslinux https://bugs.webkit.org/show_bug.cgi?id=112738 Reviewed by Filip Pizlo. * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixIntEdge): We shouldn't be killing this node because it could be referenced by other people. 2013-03-19 Oliver Hunt RELEASE_ASSERT fires in exception handler lookup RS=Geoff Garen. Temporarily switch this RELEASE_ASSERT into a regular ASSERT as currently this is producing fairly bad crashiness. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::handlerForBytecodeOffset): 2013-03-18 Filip Pizlo DFG should optimize StringObject.length and StringOrStringObject.length https://bugs.webkit.org/show_bug.cgi?id=112658 Reviewed by Mark Hahnenberg. Implemented by injecting a ToString(StringObject:@a) or ToString(StringOrStringObject:@a) prior to GetArrayLength with ArrayMode(Array::String) if @a is predicted StringObject or StringOrStringObject. * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::createToString): (FixupPhase): (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion): (JSC::DFG::FixupPhase::convertStringAddUse): 2013-03-19 Gabor Rapcsanyi Implement and32 on ARMv7 and ARM traditional platforms https://bugs.webkit.org/show_bug.cgi?id=112663 Reviewed by Zoltan Herczeg. * assembler/MacroAssemblerARM.h: (JSC::MacroAssemblerARM::and32): Add missing method. (MacroAssemblerARM): * assembler/MacroAssemblerARMv7.h: (JSC::MacroAssemblerARMv7::and32): Add missing method. (MacroAssemblerARMv7): 2013-03-18 Filip Pizlo DFG ToString generic cases should work correctly https://bugs.webkit.org/show_bug.cgi?id=112654 Reviewed by Geoffrey Garen. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileToStringOnCell): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): 2013-03-18 Michael Saboff Unreviewed build fix for 32 bit builds. * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): 2013-03-18 Michael Saboff EFL: Unsafe branch detected in compilePutByValForFloatTypedArray() https://bugs.webkit.org/show_bug.cgi?id=112609 Reviewed by Geoffrey Garen. Created local valueFPR and scratchFPR and filled them with valueOp.fpr() and scratch.fpr() respectively so that if valueOp.fpr() causes a spill during allocation, it occurs before the branch and also to follow convention. Added register allocation checks to FPRTemporary. Cleaned up a couple of other places to follow the "AllocatVirtualRegType foo, get machine reg from foo" pattern. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::fprAllocate): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::convertToDouble): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): 2013-03-18 Filip Pizlo DFG should inline binary string concatenations (i.e. ValueAdd with string children) https://bugs.webkit.org/show_bug.cgi?id=112599 Reviewed by Oliver Hunt. This does as advertised: if you do x + y where x and y are strings, you'll get a fast inlined JSRopeString allocation (along with whatever checks are necessary). It also does good things if either x or y (or both) are StringObjects, or some other thing like StringOrStringObject. It also lays the groundwork for making this fast if either x or y are numbers, or some other reasonably-cheap-to-convert value. * dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::executeEffects): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (FixupPhase): (JSC::DFG::FixupPhase::isStringObjectUse): (JSC::DFG::FixupPhase::convertStringAddUse): (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd): * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileAdd): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::callOperation): (SpeculativeJIT): (JSC::DFG::SpeculativeJIT::emitAllocateJSCell): (JSC::DFG::SpeculativeJIT::emitAllocateJSObject): * runtime/JSString.h: (JSC::JSString::offsetOfFlags): (JSString): (JSRopeString): (JSC::JSRopeString::offsetOfFibers): 2013-03-18 Filip Pizlo JSC_NATIVE_FUNCTION() takes an identifier for the name and then uses #name, which is unsafe if name was already #define'd to something else https://bugs.webkit.org/show_bug.cgi?id=112639 Reviewed by Michael Saboff. Change it to take a string instead. * runtime/JSObject.h: (JSC): * runtime/ObjectPrototype.cpp: (JSC::ObjectPrototype::finishCreation): * runtime/StringPrototype.cpp: (JSC::StringPrototype::finishCreation): 2013-03-18 Brent Fulgham [WinCairo] Get build working under VS2010. https://bugs.webkit.org/show_bug.cgi?id=112604 Reviewed by Tim Horton. * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Use CFLite-specific build target (standard version links against CoreFoundation.lib instead of CFLite.lib). * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props: Added. * JavaScriptCore.vcxproj/testapi/testapiDebugCFLite.props: Added. * JavaScriptCore.vcxproj/testapi/testapiReleaseCFLite.props: Added. 2013-03-18 Roger Fong AppleWin VS2010 Debug configuration build fix.. * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 2013-03-18 Brent Fulgham [WinCairo] Get build working under VS2010. https://bugs.webkit.org/show_bug.cgi?id=112604 Reviewed by Tim Horton. * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add build targets for Debug_WinCairo and Release_WinCairo using CFLite. * JavaScriptCore.vcxproj/JavaScriptCoreCFLite.props: Added. * JavaScriptCore.vcxproj/JavaScriptCoreDebugCFLite.props: Added. * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj: Add Debug_WinCairo and Release_WinCairo build targets to make sure headers are copied to proper build folder. * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Ditto. * JavaScriptCore.vcxproj/JavaScriptCoreReleaseCFLite.props: Added. * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj: Add Debug_WinCairo and Release_WinCairo build targets to make sure headers are copied to proper build folder. * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: Ditto. * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj: Ditto. * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Ditto. * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Ditto. * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Ditto. 2013-03-18 Michael Saboff Potentially unsafe register allocations in DFG code generation https://bugs.webkit.org/show_bug.cgi?id=112477 Reviewed by Geoffrey Garen. Moved allocation of temporary GPRs to be before any generated branches in the functions below. * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): 2013-03-15 Filip Pizlo DFG string conversions and allocations should be inlined https://bugs.webkit.org/show_bug.cgi?id=112376 Reviewed by Geoffrey Garen. This turns new String(), String(), String.prototype.valueOf(), and String.prototype.toString() into intrinsics. It gives the DFG the ability to handle conversions from StringObject to JSString and vice-versa, and also gives it the ability to handle cases where a variable may be either a StringObject or a JSString. To do this, I added StringObject to value profiling (and removed the stale distinction between Myarguments and Foreignarguments). I also cleaned up ToPrimitive handling, using some of the new functionality but also taking advantage of the existence of Identity(String:@a). This is a 2% SunSpider speed-up. Also there are some speed-ups on V8v7 and Kraken. On microbenchmarks that stress new String() this is a 14x speed-up. * CMakeLists.txt: * DerivedSources.make: * DerivedSources.pri: * GNUmakefile.list.am: * bytecode/CodeBlock.h: (CodeBlock): (JSC::CodeBlock::hasExitSite): (JSC): * bytecode/DFGExitProfile.cpp: (JSC::DFG::ExitProfile::hasExitSite): (DFG): * bytecode/DFGExitProfile.h: (ExitProfile): (JSC::DFG::ExitProfile::hasExitSite): * bytecode/ExitKind.cpp: (JSC::exitKindToString): * bytecode/ExitKind.h: * bytecode/SpeculatedType.cpp: (JSC::dumpSpeculation): (JSC::speculationToAbbreviatedString): (JSC::speculationFromClassInfo): * bytecode/SpeculatedType.h: (JSC): (JSC::isStringObjectSpeculation): (JSC::isStringOrStringObjectSpeculation): * create_hash_table: * dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::executeEffects): * dfg/DFGAbstractState.h: (JSC::DFG::AbstractState::filterEdgeByUse): * dfg/DFGByteCodeParser.cpp: (ByteCodeParser): (JSC::DFG::ByteCodeParser::handleCall): (JSC::DFG::ByteCodeParser::emitArgumentPhantoms): (DFG): (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::putStructureStoreElimination): * dfg/DFGEdge.h: (JSC::DFG::Edge::shift): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::isStringPrototypeMethodSane): (FixupPhase): (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess): (JSC::DFG::FixupPhase::observeUseKindOnNode): * dfg/DFGGraph.h: (JSC::DFG::Graph::hasGlobalExitSite): (Graph): (JSC::DFG::Graph::hasExitSite): (JSC::DFG::Graph::clobbersWorld): * dfg/DFGNode.h: (JSC::DFG::Node::convertToToString): (Node): (JSC::DFG::Node::hasStructure): (JSC::DFG::Node::shouldSpeculateStringObject): (JSC::DFG::Node::shouldSpeculateStringOrStringObject): * dfg/DFGNodeType.h: (DFG): * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileToStringOnCell): (DFG): (JSC::DFG::SpeculativeJIT::compileNewStringObject): (JSC::DFG::SpeculativeJIT::speculateObject): (JSC::DFG::SpeculativeJIT::speculateObjectOrOther): (JSC::DFG::SpeculativeJIT::speculateString): (JSC::DFG::SpeculativeJIT::speculateStringObject): (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject): (JSC::DFG::SpeculativeJIT::speculate): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::callOperation): (SpeculativeJIT): (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand): (DFG): (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGUseKind.cpp: (WTF::printInternal): * dfg/DFGUseKind.h: (JSC::DFG::typeFilterFor): * interpreter/CallFrame.h: (JSC::ExecState::regExpPrototypeTable): * runtime/CommonIdentifiers.h: * runtime/Intrinsic.h: * runtime/JSDestructibleObject.h: (JSDestructibleObject): (JSC::JSDestructibleObject::classInfoOffset): * runtime/JSGlobalData.cpp: (JSC): (JSC::JSGlobalData::JSGlobalData): (JSC::JSGlobalData::~JSGlobalData): * runtime/JSGlobalData.h: (JSGlobalData): * runtime/JSObject.cpp: * runtime/JSObject.h: (JSC): * runtime/JSWrapperObject.h: (JSC::JSWrapperObject::allocationSize): (JSWrapperObject): (JSC::JSWrapperObject::internalValueOffset): (JSC::JSWrapperObject::internalValueCellOffset): * runtime/StringPrototype.cpp: (JSC): (JSC::StringPrototype::finishCreation): (JSC::StringPrototype::create): * runtime/StringPrototype.h: (StringPrototype): 2013-03-18 Filip Pizlo ObjectPrototype properties should be eagerly created rather than lazily via static tables https://bugs.webkit.org/show_bug.cgi?id=112539 Reviewed by Oliver Hunt. This is the first part of https://bugs.webkit.org/show_bug.cgi?id=112233. Rolling this in first since it's the less-likely-to-be-broken part. * CMakeLists.txt: * DerivedSources.make: * DerivedSources.pri: * GNUmakefile.list.am: * interpreter/CallFrame.h: (JSC::ExecState::objectConstructorTable): * runtime/CommonIdentifiers.h: * runtime/JSGlobalData.cpp: (JSC): (JSC::JSGlobalData::JSGlobalData): (JSC::JSGlobalData::~JSGlobalData): * runtime/JSGlobalData.h: (JSGlobalData): * runtime/JSObject.cpp: (JSC::JSObject::putDirectNativeFunction): (JSC): * runtime/JSObject.h: (JSObject): (JSC): * runtime/Lookup.cpp: (JSC::setUpStaticFunctionSlot): * runtime/ObjectPrototype.cpp: (JSC): (JSC::ObjectPrototype::finishCreation): (JSC::ObjectPrototype::create): * runtime/ObjectPrototype.h: (ObjectPrototype): 2013-03-16 Pratik Solanki Disable High DPI Canvas on iOS https://bugs.webkit.org/show_bug.cgi?id=112511 Reviewed by Joseph Pecoraro. * Configurations/FeatureDefines.xcconfig: 2013-03-15 Andreas Kling Don't also clone StructureRareData when cloning Structure. Reviewed by Mark Hahnenberg. We were cloning a lot of StructureRareData with only the previousID pointer set since the enumerationCache is not shared between clones. Let the Structure copy constructor decide whether it wants to clone the rare data. The decision is made by StructureRareData::needsCloning() and will currently always return false, since StructureRareData only holds on to caches at present. This may change in the future as more members are added to StructureRareData. * runtime/Structure.cpp: (JSC::Structure::Structure): (JSC::Structure::cloneRareDataFrom): * runtime/StructureInlines.h: (JSC::Structure::create): 2013-03-15 Mark Hahnenberg Roll out r145838 https://bugs.webkit.org/show_bug.cgi?id=112458 Unreviewed. Requested by Filip Pizlo. * CMakeLists.txt: * DerivedSources.make: * DerivedSources.pri: * GNUmakefile.list.am: * dfg/DFGOperations.cpp: * interpreter/CallFrame.h: (JSC::ExecState::objectPrototypeTable): * jit/JITStubs.cpp: (JSC::getByVal): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::getByVal): * runtime/CommonIdentifiers.h: * runtime/JSCell.cpp: (JSC): * runtime/JSCell.h: (JSCell): * runtime/JSCellInlines.h: (JSC): (JSC::JSCell::fastGetOwnProperty): * runtime/JSGlobalData.cpp: (JSC): (JSC::JSGlobalData::JSGlobalData): (JSC::JSGlobalData::~JSGlobalData): * runtime/JSGlobalData.h: (JSGlobalData): * runtime/JSObject.cpp: (JSC): * runtime/JSObject.h: (JSObject): (JSC): * runtime/Lookup.cpp: (JSC::setUpStaticFunctionSlot): * runtime/ObjectPrototype.cpp: (JSC): (JSC::ObjectPrototype::finishCreation): (JSC::ObjectPrototype::getOwnPropertySlot): (JSC::ObjectPrototype::getOwnPropertyDescriptor): * runtime/ObjectPrototype.h: (JSC::ObjectPrototype::create): (ObjectPrototype): * runtime/PropertyMapHashTable.h: (JSC::PropertyTable::findWithString): * runtime/Structure.h: (Structure): * runtime/StructureInlines.h: (JSC::Structure::get): 2013-03-15 Michael Saboff Cleanup of DFG and Baseline JIT debugging code https://bugs.webkit.org/show_bug.cgi?id=111871 Reviewed by Geoffrey Garen. Fixed various debug related issue in baseline and DFG JITs. See below. * dfg/DFGRepatch.cpp: (JSC::DFG::dfgLinkClosureCall): Used pointerDump() to handle when calleeCodeBlock is NULL. * dfg/DFGScratchRegisterAllocator.h: Now use ScratchBuffer::activeLengthPtr() to get pointer to scratch register length. (JSC::DFG::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer): (JSC::DFG::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::checkConsistency): Added missing case labels for DataFormatOSRMarker, DataFormatDead, and DataFormatArguments and made them RELEASE_ASSERT_NOT_REACHED(); * jit/JITCall.cpp: (JSC::JIT::privateCompileClosureCall): Used pointerDump() to handle when calleeCodeBlock is NULL. * jit/JITCall32_64.cpp: (JSC::JIT::privateCompileClosureCall): Used pointerDump() to handle when calleeCodeBlock is NULL. * runtime/JSGlobalData.h: (JSC::ScratchBuffer::ScratchBuffer): Fixed buffer allocation alignment to be on a double boundary. (JSC::ScratchBuffer::setActiveLength): (JSC::ScratchBuffer::activeLength): (JSC::ScratchBuffer::activeLengthPtr): 2013-03-15 Michael Saboff Add runtime check for improper register allocations in DFG https://bugs.webkit.org/show_bug.cgi?id=112380 Reviewed by Geoffrey Garen. Added framework to check for register allocation within a branch source - target range. All register allocations are saved using the offset in the code stream where the allocation occurred. Later when a jump is linked, the currently saved register allocations are checked to make sure that they didn't occur in the range of code that was jumped over. This protects against the case where an allocation could have spilled register contents to free up a register and that spill only occurs on one path of a many through the code. A subsequent fill of the spilled register may load garbage. See https://bugs.webkit.org/show_bug.cgi?id=111777 for one such bug. This code is protected by the compile time check of #if ENABLE(DFG_REGISTER_ALLOCATION_VALIDATION). The check is only done during the processing of SpeculativeJIT::compile(Node* node) and its callees. * assembler/AbstractMacroAssembler.h: (JSC::AbstractMacroAssembler::Jump::link): Invoke register allocation checks using source and target of link. (JSC::AbstractMacroAssembler::Jump::linkTo): Invoke register allocation checks using source and target of link. (AbstractMacroAssembler): (RegisterAllocationOffset): New helper class to store the instruction stream offset and compare against a jump range. (JSC::AbstractMacroAssembler::RegisterAllocationOffset::RegisterAllocationOffset): (JSC::AbstractMacroAssembler::RegisterAllocationOffset::check): (JSC::AbstractMacroAssembler::addRegisterAllocationAtOffset): (JSC::AbstractMacroAssembler::clearRegisterAllocationOffsets): (JSC::AbstractMacroAssembler::checkRegisterAllocationAgainstBranchRange): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::allocate): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): 2013-03-14 Oliver Hunt REGRESSION(r145000): Crash loading arstechnica.com when Safari Web Inspector is open https://bugs.webkit.org/show_bug.cgi?id=111868 Reviewed by Antti Koivisto. Don't allow non-local property lookup when the debugger is enabled. * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::resolve): 2013-03-11 Mark Hahnenberg Objective-C API: Objective-C functions exposed to JavaScript have the wrong type (object instead of function) https://bugs.webkit.org/show_bug.cgi?id=105892 Reviewed by Geoffrey Garen. Changed ObjCCallbackFunction to subclass JSCallbackFunction which already has all of the machinery to call functions using the C API. Since ObjCCallbackFunction is now a JSCell, we changed the old implementation of ObjCCallbackFunction to be the internal implementation and keep track of all the proper data so that we don't have to put all of that in the header, which will now be included from C++ files (e.g. JSGlobalObject.cpp). * API/JSCallbackFunction.cpp: Change JSCallbackFunction to allow subclassing. Originally it was internally passing its own Structure up the chain of constructors, but we now want to be able to pass other Structures as well. (JSC::JSCallbackFunction::JSCallbackFunction): (JSC::JSCallbackFunction::create): * API/JSCallbackFunction.h: (JSCallbackFunction): * API/JSWrapperMap.mm: Changed interface to tryUnwrapBlock. (tryUnwrapObjcObject): * API/ObjCCallbackFunction.h: (ObjCCallbackFunction): Moved into the JSC namespace, just like JSCallbackFunction. (JSC::ObjCCallbackFunction::createStructure): Overridden so that the correct ClassInfo gets used since we have a destructor. (JSC::ObjCCallbackFunction::impl): Getter for the internal impl. * API/ObjCCallbackFunction.mm: (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl): What used to be ObjCCallbackFunction is now ObjCCallbackFunctionImpl. It handles the Objective-C specific parts of managing callback functions. (JSC::ObjCCallbackFunctionImpl::~ObjCCallbackFunctionImpl): (JSC::objCCallbackFunctionCallAsFunction): Same as the old one, but now it casts to ObjCCallbackFunction and grabs the impl rather than using JSObjectGetPrivate. (JSC::ObjCCallbackFunction::ObjCCallbackFunction): New bits to allow being part of the JSCell hierarchy. (JSC::ObjCCallbackFunction::create): (JSC::ObjCCallbackFunction::destroy): (JSC::ObjCCallbackFunctionImpl::call): Handles the actual invocation, just like it used to. (objCCallbackFunctionForInvocation): (tryUnwrapBlock): Changed to check the ClassInfo for inheritance directly, rather than going through the C API call. * API/tests/testapi.mm: Added new test to make sure that doing Function.prototype.toString.call(f) won't result in an error when f is an Objective-C method or block underneath the covers. * runtime/JSGlobalObject.cpp: Added new Structure for ObjCCallbackFunction. (JSC::JSGlobalObject::reset): (JSC::JSGlobalObject::visitChildren): * runtime/JSGlobalObject.h: (JSGlobalObject): (JSC::JSGlobalObject::objcCallbackFunctionStructure): 2013-03-14 Mark Hahnenberg Objective-C API: Nested dictionaries are not converted properly in the Objective-C binding https://bugs.webkit.org/show_bug.cgi?id=112377 Reviewed by Oliver Hunt. Accidental reassignment of the root task in the container conversion logic was causing the last array or dictionary processed to be returned in the case of nested containers. * API/JSValue.mm: (containerValueToObject): * API/tests/testapi.mm: 2013-03-13 Filip Pizlo JSObject fast by-string access optimizations should work even on the prototype chain, and even when the result is undefined https://bugs.webkit.org/show_bug.cgi?id=112233 Reviewed by Oliver Hunt. Extended the existing fast access path for String keys to work over the entire prototype chain, not just the self access case. This will fail as soon as it sees an object that intercepts getOwnPropertySlot, so this patch also ensures that ObjectPrototype does not fall into that category. This is accomplished by making ObjectPrototype eagerly reify all of its properties. This is safe for ObjectPrototype because it's so common and we expect all of its properties to be reified for any interesting programs anyway. A new idiom for adding native functions to prototypes is introduced, which ought to work well for any other prototypes that we wish to do this conversion for. This is a >60% speed-up in the case that you frequently do by-string lookups that "miss", i.e. they don't turn up anything. * CMakeLists.txt: * DerivedSources.make: * DerivedSources.pri: * GNUmakefile.list.am: * dfg/DFGOperations.cpp: * interpreter/CallFrame.h: (JSC::ExecState::objectConstructorTable): * jit/JITStubs.cpp: (JSC::getByVal): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::getByVal): * runtime/CommonIdentifiers.h: * runtime/JSCell.cpp: (JSC::JSCell::getByStringSlow): (JSC): * runtime/JSCell.h: (JSCell): * runtime/JSCellInlines.h: (JSC): (JSC::JSCell::getByStringAndKey): (JSC::JSCell::getByString): * runtime/JSGlobalData.cpp: (JSC): (JSC::JSGlobalData::JSGlobalData): (JSC::JSGlobalData::~JSGlobalData): * runtime/JSGlobalData.h: (JSGlobalData): * runtime/JSObject.cpp: (JSC::JSObject::putDirectNativeFunction): (JSC): * runtime/JSObject.h: (JSObject): (JSC): * runtime/Lookup.cpp: (JSC::setUpStaticFunctionSlot): * runtime/ObjectPrototype.cpp: (JSC): (JSC::ObjectPrototype::finishCreation): (JSC::ObjectPrototype::create): * runtime/ObjectPrototype.h: (ObjectPrototype): * runtime/PropertyMapHashTable.h: (JSC::PropertyTable::findWithString): * runtime/Structure.h: (Structure): * runtime/StructureInlines.h: (JSC::Structure::get): (JSC): 2013-03-13 Filip Pizlo DFG bytecode parser is too aggressive about getting rid of GetLocals on captured variables https://bugs.webkit.org/show_bug.cgi?id=112287 Reviewed by Oliver Hunt. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::dumpBytecode): (JSC::CodeBlock::finalizeUnconditionally): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::getLocal): 2013-03-13 Ryosuke Niwa Threaded HTML Parser is missing feature define flags in all but Chromium port's build files https://bugs.webkit.org/show_bug.cgi?id=112277 Reviewed by Adam Barth. * Configurations/FeatureDefines.xcconfig: 2013-03-13 Csaba Osztrogonác LLINT C loop warning fix for GCC https://bugs.webkit.org/show_bug.cgi?id=112145 Reviewed by Filip Pizlo. * llint/LowLevelInterpreter.cpp: (JSC::CLoop::execute): 2013-02-13 Simon Hausmann Add support for convenient conversion from JSStringRef to QString https://bugs.webkit.org/show_bug.cgi?id=109694 Reviewed by Allan Sandfeld Jensen. Add JSStringCopyQString helper function that allows for the convenient extraction of a QString out of a JSStringRef. * API/JSStringRefQt.cpp: Added. (JSStringCopyQString): * API/JSStringRefQt.h: Added. * API/OpaqueJSString.h: (OpaqueJSString): (OpaqueJSString::qString): (OpaqueJSString::OpaqueJSString): * Target.pri: 2013-03-13 Peter Gal Token 'not' is ignored in the offlineasm. https://bugs.webkit.org/show_bug.cgi?id=111568 Reviewed by Filip Pizlo. * offlineasm/parser.rb: Build the Not AST node if the 'not' token is found. 2013-03-12 Tim Horton WTF uses macros for exports. Try to fix the Windows build. Unreviewed. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: 2013-03-12 Filip Pizlo Array.prototype.sort should at least try to be PTIME even when the array is in some bizarre mode https://bugs.webkit.org/show_bug.cgi?id=112187 Reviewed by Michael Saboff and Gavin Barraclough. If we have an array-like object in crazy mode passed into Array.prototype.sort, and its length is large, then first copy all elements into a separate, compact, un-holy array and sort that. Then copy back. This means that sorting will be at worst O(n^2) in the actual number of things in the array, rather than O(n^2) in the array's length. * runtime/ArrayPrototype.cpp: (JSC::attemptFastSort): (JSC::performSlowSort): (JSC): (JSC::arrayProtoFuncSort): 2013-03-12 Tim Horton Try to fix the Windows build. Not reviewed. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: 2013-03-12 Geoffrey Garen Try to fix the Windows build. Not reviewed. * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: Export a thing. 2013-03-11 Oliver Hunt Harden JSStringJoiner https://bugs.webkit.org/show_bug.cgi?id=112093 Reviewed by Filip Pizlo. Harden JSStringJoiner, make it use our CheckedArithmetic class to simplify everything. * runtime/JSStringJoiner.cpp: (JSC::JSStringJoiner::build): * runtime/JSStringJoiner.h: (JSStringJoiner): (JSC::JSStringJoiner::JSStringJoiner): (JSC::JSStringJoiner::append): 2013-03-12 Filip Pizlo DFG generic array access cases should not be guarded by CheckStructure even of the profiling tells us that it could be https://bugs.webkit.org/show_bug.cgi?id=112183 Reviewed by Oliver Hunt. Slight speed-up on string-unpack-code. * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::findAndRemoveUnnecessaryStructureCheck): (FixupPhase): (JSC::DFG::FixupPhase::checkArray): (JSC::DFG::FixupPhase::blessArrayOperation): 2013-03-12 Gabor Rapcsanyi https://bugs.webkit.org/show_bug.cgi?id=112141 LLInt CLoop backend misses Double2Ints() on 32bit architectures Reviewed by Filip Pizlo. Implement Double2Ints() in CLoop backend of LLInt on 32bit architectures. * llint/LowLevelInterpreter.cpp: (LLInt): (JSC::LLInt::Double2Ints): * offlineasm/cloop.rb: 2013-03-12 Gabor Rapcsanyi Making more sophisticated cache flush on ARM Linux platform https://bugs.webkit.org/show_bug.cgi?id=111854 Reviewed by Zoltan Herczeg. The cache flush on ARM Linux invalidates whole pages instead of just the required area. * assembler/ARMAssembler.h: (ARMAssembler): (JSC::ARMAssembler::linuxPageFlush): (JSC::ARMAssembler::cacheFlush): * assembler/ARMv7Assembler.h: (ARMv7Assembler): (JSC::ARMv7Assembler::linuxPageFlush): (JSC::ARMv7Assembler::cacheFlush): 2013-03-12 Gabor Rapcsanyi Renaming the armv7.rb LLINT backend to arm.rb https://bugs.webkit.org/show_bug.cgi?id=110565 Reviewed by Zoltan Herczeg. This is the first step of a unified ARM backend for all ARM 32 bit architectures in LLInt. * CMakeLists.txt: * GNUmakefile.list.am: * JavaScriptCore.gypi: * LLIntOffsetsExtractor.pro: * offlineasm/arm.rb: Copied from Source/JavaScriptCore/offlineasm/armv7.rb. * offlineasm/armv7.rb: Removed. * offlineasm/backends.rb: * offlineasm/risc.rb: 2013-03-12 Csaba Osztrogonác REGRESSION(r145482): It broke 33 jsc tests and zillion layout tests on all platform https://bugs.webkit.org/show_bug.cgi?id=112112 Reviewed by Oliver Hunt. Rolling out https://trac.webkit.org/changeset/145482 to unbreak the bots. * runtime/JSStringJoiner.cpp: (JSC::JSStringJoiner::build): * runtime/JSStringJoiner.h: (JSStringJoiner): (JSC::JSStringJoiner::JSStringJoiner): (JSC::JSStringJoiner::append): 2013-03-12 Filip Pizlo DFG prediction propagation phase should not rerun forward propagation if double voting has already converged https://bugs.webkit.org/show_bug.cgi?id=111920 Reviewed by Oliver Hunt. I don't know why we weren't exiting early after double voting if !m_changed. This change also removes backwards propagation from the voting fixpoint, since at that point short-circuiting loops is probably not particularly profitable. Profiling shows that this reduces the time spent in prediction propagation even further. This change appears to be a 1% SunSpider speed-up. * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::run): 2013-03-11 Filip Pizlo DFG overflow check elimination is too smart for its own good https://bugs.webkit.org/show_bug.cgi?id=111832 Reviewed by Oliver Hunt and Gavin Barraclough. Rolling this back in after fixing accidental misuse of JSValue. The code was doing value < someInt rather than value.asInt32() < someInt. This "worked" when isWithinPowerOfTwo wasn't templatized. It worked by always being false and always disabling the relvant optimization. This improves overflow check elimination in three ways: 1) It reduces the amount of time the compiler will spend doing it. 2) It fixes bugs where overflow check elimination was overzealous. Precisely, for a binary operation over @a and @b where both @a and @b will type check that their inputs (@a->children, @b->children) are int32's and then perform a possibly-overflowing operation, we must be careful not to assume that @a's non-int32 parts don't matter if at the point that @a runs we have as yet not proved that @b->children are int32's and that hence @b might produce a large enough result that doubles would start chopping low bits. The specific implication of this is that for a binary operation to not propagate that it cares about non-int32 parts (NodeUsedAsNumber), we must prove that at least one of the inputs is guaranteed to produce a result within 2^32 and that there won't be a tower of such operations large enough to ultimately produce a double greater than 2^52 (roughly). We achieve the latter by disabling this optimization for very large basic blocks. It's noteworthy that blocks that large won't even make it into the DFG currently. 3) It makes the overflow check elimination more precise for cases where the inputs to an Add or Sub are the outputs of a bit-op. For example in (@a + (@b | 0)) | 0, we don't need to propagate NodeUsedAsNumber to either @a or @b. This is neutral on V8v7 and a slight speed-up on compile time benchmarks. * CMakeLists.txt: * GNUmakefile.list.am: * JavaScriptCore.xcodeproj/project.pbxproj: * Target.pri: * dfg/DFGArrayMode.cpp: (JSC::DFG::ArrayMode::refine): * dfg/DFGBackwardsPropagationPhase.cpp: Added. (DFG): (BackwardsPropagationPhase): (JSC::DFG::BackwardsPropagationPhase::BackwardsPropagationPhase): (JSC::DFG::BackwardsPropagationPhase::run): (JSC::DFG::BackwardsPropagationPhase::isNotNegZero): (JSC::DFG::BackwardsPropagationPhase::isNotZero): (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoForConstant): (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoNonRecursive): (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo): (JSC::DFG::BackwardsPropagationPhase::mergeDefaultFlags): (JSC::DFG::BackwardsPropagationPhase::propagate): (JSC::DFG::performBackwardsPropagation): * dfg/DFGBackwardsPropagationPhase.h: Added. (DFG): * dfg/DFGCPSRethreadingPhase.cpp: (JSC::DFG::CPSRethreadingPhase::run): (JSC::DFG::CPSRethreadingPhase::clearIsLoadedFrom): (CPSRethreadingPhase): (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor): (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor): * dfg/DFGDriver.cpp: (JSC::DFG::compile): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::dump): * dfg/DFGNodeFlags.cpp: (JSC::DFG::dumpNodeFlags): (DFG): * dfg/DFGNodeFlags.h: (DFG): * dfg/DFGPredictionPropagationPhase.cpp: (PredictionPropagationPhase): (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGUnificationPhase.cpp: (JSC::DFG::UnificationPhase::run): * dfg/DFGVariableAccessData.h: (JSC::DFG::VariableAccessData::VariableAccessData): (JSC::DFG::VariableAccessData::mergeIsLoadedFrom): (VariableAccessData): (JSC::DFG::VariableAccessData::setIsLoadedFrom): (JSC::DFG::VariableAccessData::isLoadedFrom): 2013-03-11 Oliver Hunt Harden JSStringJoiner https://bugs.webkit.org/show_bug.cgi?id=112093 Reviewed by Filip Pizlo. Harden JSStringJoiner, make it use our CheckedArithmetic class to simplify everything. * runtime/JSStringJoiner.cpp: (JSC::JSStringJoiner::build): * runtime/JSStringJoiner.h: (JSStringJoiner): (JSC::JSStringJoiner::JSStringJoiner): (JSC::JSStringJoiner::append): 2013-03-11 Michael Saboff Crash beneath operationCreateInlinedArguments running fast/js/dfg-create-inlined-arguments-in-closure-inline.html (32-bit only) https://bugs.webkit.org/show_bug.cgi?id=112067 Reviewed by Geoffrey Garen. We weren't setting the tag in SetCallee. Therefore set it to CellTag. * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): 2013-03-11 Oliver Hunt Make SegmentedVector Noncopyable https://bugs.webkit.org/show_bug.cgi?id=112059 Reviewed by Geoffrey Garen. Copying a SegmentedVector is very expensive, and really shouldn't be necessary. So I've taken the one place where we currently copy and replaced it with a regular Vector, and replaced the address dependent logic with a indexing ref instead. * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::newLabelScope): (JSC::BytecodeGenerator::emitComplexJumpScopes): * bytecompiler/BytecodeGenerator.h: (BytecodeGenerator): * bytecompiler/LabelScope.h: (JSC): (JSC::LabelScopePtr::LabelScopePtr): (LabelScopePtr): (JSC::LabelScopePtr::operator=): (JSC::LabelScopePtr::~LabelScopePtr): (JSC::LabelScopePtr::operator*): (JSC::LabelScopePtr::operator->): * bytecompiler/NodesCodegen.cpp: (JSC::DoWhileNode::emitBytecode): (JSC::WhileNode::emitBytecode): (JSC::ForNode::emitBytecode): (JSC::ForInNode::emitBytecode): (JSC::SwitchNode::emitBytecode): (JSC::LabelNode::emitBytecode): 2013-03-10 Andreas Kling