2011-11-03  Filip Pizlo

        JIT-specific code should be able to refer to register types even on JIT-disabled builds
        https://bugs.webkit.org/show_bug.cgi?id=71498

        Reviewed by Gavin Barraclough.

        * assembler/MacroAssembler.h:
        (MacroAssembler::MacroAssembler):

2011-11-03  Mark Hahnenberg

        De-virtualize JSObject::className
        https://bugs.webkit.org/show_bug.cgi?id=71428

        Reviewed by Sam Weinig.

        Added className to the MethodTable, changed all the virtual implementations of className to
        static ones, and replaced all call sites with corresponding lookups in the MethodTable.

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::className):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::className):
        * debugger/DebuggerActivation.h:
        * jsc.cpp:
        (GlobalObject::createStructure):
        * profiler/Profiler.cpp:
        (JSC::Profiler::createCallIdentifier):
        * runtime/ClassInfo.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::className):
        * runtime/JSCell.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::className):
        * runtime/JSObject.h:
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToString):
        * testRegExp.cpp:
        (GlobalObject::createStructure):

2011-11-02  Jer Noble

        Add Clock class and platform-specific implementations.
        https://bugs.webkit.org/show_bug.cgi?id=71341

        Reviewed by Sam Weinig.

        Add WTF_USE_COREAUDIO macro for use by PlatformClockCA.

        * wtf/Platform.h:

2011-11-03  Pavel Feldman

        Not reviewed: fixing Windows build, step 2.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-11-03  Pavel Feldman

        Not reviewed: fix Windows build, step 1.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-11-03  Pavel Feldman

        Web Inspector: preserve script location for inline handlers.
        https://bugs.webkit.org/show_bug.cgi?id=71367

        Makes SourceCode factories receive TextPosition instead of the line number;
        stores consistent position values in SourceCode and SourceProvider.

        Reviewed by Yury Semikhatsky.
        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        * parser/SourceCode.h:
        (JSC::makeSource):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::SourceProvider):
        (JSC::SourceProvider::startPosition):
        (JSC::UStringSourceProvider::create):
        (JSC::UStringSourceProvider::UStringSourceProvider):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunction):
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionConstructor.h:

2011-11-03  Kentaro Hara

        Fixed wrong implementation of doubleValue % 2^{64}.
        https://bugs.webkit.org/show_bug.cgi?id=67980

        Reviewed by Hajime Morita.

        fast/events/constructors/progress-event-constructor.html was failing because of the wrong
        implementation of conversion from an ECMAScript value to an IDL unsigned long long value
        (Spec: http://www.w3.org/TR/WebIDL/#es-unsigned-long-long). In particular, the calculation
        of doubleValue % 2^{64} was wrong. This patch implemented it correctly in doubleToInteger()
        in wtf/MathExtras.h.

        * wtf/MathExtras.h:
        (doubleToInteger): Implemented the spec correctly.

2011-11-03  Sheriff Bot

        Unreviewed, rolling out r99089.
        http://trac.webkit.org/changeset/99089
        https://bugs.webkit.org/show_bug.cgi?id=71448

        @plt postfix for math functions causes a crash on Linux 32 (the symbol is defined but it
        points to NULL) (Requested by zherczeg on #webkit).

        * dfg/DFGOperations.cpp:
        * jit/JITStubs.cpp:
        * jit/ThunkGenerators.cpp:

2011-11-02  Filip Pizlo

        DFG inlining breaks function.arguments[something] if the argument being retrieved was
        subjected to DFG's unboxing optimizations
        https://bugs.webkit.org/show_bug.cgi?id=71436

        Reviewed by Oliver Hunt.

        This makes inlined arguments retrieval use some of the same machinery as OSR to determine
        where from, and how, to retrieve a value that the DFG might have somehow squirreled away
        while the old JIT would put it in its obvious location, using an obvious format.
        To that end, previously DFG-internal notions such as DataFormat, VirtualRegister, and
        ValueRecovery are now in bytecode/ since they are stored as part of InlineCallFrames.

        * bytecode/CodeOrigin.h:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGJITCompiler32_64.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::trueCallerFrame):
        * interpreter/CallFrame.h:
        (JSC::ExecState::inlineCallFrame):
        * interpreter/Register.h:
        (JSC::Register::asInlineCallFrame):
        (JSC::Register::unboxedInt32):
        (JSC::Register::unboxedBoolean):
        (JSC::Register::unboxedCell):
        * runtime/Arguments.h:
        (JSC::Arguments::finishCreationAndCopyRegisters):

2011-11-02  Filip Pizlo

        ValueRecovery should be moved out of the DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=71439

        Reviewed by Oliver Hunt.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/DataFormat.h: Added.
        (JSC::dataFormatToString):
        (JSC::needDataFormatConversion):
        (JSC::isJSFormat):
        (JSC::isJSInteger):
        (JSC::isJSDouble):
        (JSC::isJSCell):
        (JSC::isJSBoolean):
        * bytecode/ValueRecovery.h: Added.
        (JSC::ValueRecovery::ValueRecovery):
        (JSC::ValueRecovery::alreadyInRegisterFile):
        (JSC::ValueRecovery::alreadyInRegisterFileAsUnboxedInt32):
        (JSC::ValueRecovery::alreadyInRegisterFileAsUnboxedCell):
        (JSC::ValueRecovery::alreadyInRegisterFileAsUnboxedBoolean):
        (JSC::ValueRecovery::inGPR):
        (JSC::ValueRecovery::inPair):
        (JSC::ValueRecovery::inFPR):
        (JSC::ValueRecovery::displacedInRegisterFile):
        (JSC::ValueRecovery::constant):
        (JSC::ValueRecovery::technique):
        (JSC::ValueRecovery::isInRegisters):
        (JSC::ValueRecovery::gpr):
        (JSC::ValueRecovery::tagGPR):
        (JSC::ValueRecovery::payloadGPR):
        (JSC::ValueRecovery::fpr):
        (JSC::ValueRecovery::virtualRegister):
        (JSC::ValueRecovery::dump):
        * bytecode/VirtualRegister.h: Added.
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::isJSFormat):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::ValueSource::dump):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGVariableAccessData.h:

2011-11-02  Sam Weinig

        Object.getOwnPropertyDescriptor() does not retrieve the getter/setter from a property on
        the window that has been overridden with a getter/setter
        https://bugs.webkit.org/show_bug.cgi?id=71333

        Reviewed by Gavin Barraclough.

        Tested by fast/dom/getter-on-window-object2.html

        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::setDescriptor):
        The attributes returned from Structure::get do not include Getter or Setter, so instead
        check if the value is a GetterSetter like we do elsewhere. If it is, update the
        descriptor's attributes accordingly.

2011-11-02  Yuqiang Xian

        FunctionPtr should accept FASTCALL functions on X86
        https://bugs.webkit.org/show_bug.cgi?id=71434

        Reviewed by Filip Pizlo.

        On X86 we sometimes use FASTCALL convention functions, for example the cti functions, and
        we may need the pointers to such functions, e.g., in current DFG register file check and
        arity check, though long term we may avoid such usage of cti calls in DFG.
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::FunctionPtr::FunctionPtr):

2011-11-02  Filip Pizlo

        Inlined uses of the global object should use the right global object
        https://bugs.webkit.org/show_bug.cgi?id=71427

        Reviewed by Oliver Hunt.

        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::globalObjectFor):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-11-02  Yuqiang Xian

        Remove some unnecessary loads/stores in DFG JIT 32_64
        https://bugs.webkit.org/show_bug.cgi?id=71090

        Reviewed by Filip Pizlo.

        In fillSpeculateCell and OSR exit, some unnecessary loads/stores can be eliminated.

        * dfg/DFGJITCompiler32_64.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):

2011-11-02  Adam Klein

        Replace usage of StringImpl with String where possible in CharacterData and Text
        https://bugs.webkit.org/show_bug.cgi?id=71383

        Reviewed by Darin Adler.

        * wtf/text/WTFString.h:
        (WTF::String::containsOnlyWhitespace): Added new method.

2011-11-02  Mark Hahnenberg

        De-virtualize JSObject::getOwnPropertyNames
        https://bugs.webkit.org/show_bug.cgi?id=71307

        Reviewed by Darin Adler.

        Added getOwnPropertyNames to the MethodTable, changed all the virtual implementations of
        getOwnPropertyNames to static ones, and replaced all call sites with corresponding lookups
        in the MethodTable.
        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::getOwnPropertyNames):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::getOwnPropertyNames):
        * debugger/DebuggerActivation.h:
        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertyNames):
        * runtime/Arguments.h:
        * runtime/ClassInfo.h:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::getOwnPropertyNames):
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnPropertyNames):
        * runtime/JSArray.h:
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::getOwnPropertyNames):
        * runtime/JSByteArray.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::getOwnPropertyNames):
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertyNames):
        * runtime/JSFunction.h:
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::getOwnPropertyNames):
        * runtime/JSNotAnObject.h:
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getPropertyNames):
        (JSC::JSObject::getOwnPropertyNames):
        * runtime/JSObject.h:
        * runtime/JSVariableObject.cpp:
        (JSC::JSVariableObject::~JSVariableObject):
        (JSC::JSVariableObject::getOwnPropertyNames):
        * runtime/JSVariableObject.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyNames):
        (JSC::objectConstructorKeys):
        (JSC::defineProperties):
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::getOwnPropertyNames):
        * runtime/StringObject.cpp:
        (JSC::StringObject::getOwnPropertyNames):
        * runtime/StringObject.h:
        * runtime/Structure.h:

2011-11-02  Dean Jackson

        Add ENABLE_CSS_SHADERS flag
        https://bugs.webkit.org/show_bug.cgi?id=71394

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2011-11-02  Alexey Shabalin

        TEXTREL in libjavascriptcoregtk-1.0.so.0.11.0 on x86 (or i586)
        https://bugs.webkit.org/show_bug.cgi?id=70610

        Reviewed by Martin Robinson.
        Properly annotate ASM on BSD and Linux x86 systems.

        * dfg/DFGOperations.cpp: Add annotation for X86.
        * jit/JITStubs.cpp: Ditto.
        * jit/ThunkGenerators.cpp: Ditto.

2011-11-02  Xianzhu Wang

        Missing Force8BitConstructor in 8-bit version of StringImpl::reallocate()
        https://bugs.webkit.org/show_bug.cgi?id=71347

        Reviewed by Geoffrey Garen.

        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::reallocate):

2011-11-01  Darin Adler

        Cut down on malloc/free a bit in the parser arena
        https://bugs.webkit.org/show_bug.cgi?id=71343

        Reviewed by Oliver Hunt.

        * parser/ParserArena.cpp:
        (JSC::ParserArena::deallocateObjects): Call the destructors of the deletable objects
        before freeing the pools. Don't call fastFree on the deletable objects any more.
        * parser/ParserArena.h:
        (JSC::ParserArena::allocateDeletable): Use allocateFreeable instead of fastMalloc here.

2011-11-01  Sam Weinig

        Implement __lookupGetter__/__lookupSetter__ in terms of getPropertyDescriptor
        https://bugs.webkit.org/show_bug.cgi?id=71336

        Reviewed by Darin Adler.

        * debugger/DebuggerActivation.cpp:
        * debugger/DebuggerActivation.h:
        Remove overrides of lookupGetter/lookupSetter, which are no longer needed due to
        implementing getPropertyDescriptor.
        * runtime/JSObject.cpp:
        (JSC::JSObject::lookupGetter):
        (JSC::JSObject::lookupSetter):
        * runtime/JSObject.h:
        De-virtualize lookupGetter/lookupSetter, and implement them in terms of
        getPropertyDescriptor.

2011-11-01  Mark Hahnenberg

        De-virtualize JSObject::defineSetter
        https://bugs.webkit.org/show_bug.cgi?id=71303

        Reviewed by Darin Adler.

        Added defineSetter to the MethodTable, changed all the virtual implementations of
        defineSetter to static ones, and replaced all call sites with corresponding lookups in
        the MethodTable.
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::defineSetter):
        * debugger/DebuggerActivation.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/ClassInfo.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::defineSetter):
        * runtime/JSCell.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::defineSetter):
        * runtime/JSGlobalObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::defineSetter):
        (JSC::putDescriptor):
        * runtime/JSObject.h:
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncDefineSetter):

2011-11-01  Filip Pizlo

        DFG inlining breaks function.arguments
        https://bugs.webkit.org/show_bug.cgi?id=71329

        Reviewed by Oliver Hunt.

        The DFG was forgetting to store code origin mappings for inlined call sites. Some of the
        fast-path optimizations for CallFrame::trueCallerFrame() were wrong. An assertion in
        Arguments was wrong. I also took the opportunity to decrease code duplication between
        DFG64 and DFG32_64, because I didn't feel like writing the same code twice.

        * bytecode/CodeBlock.h:
        (JSC::ExecState::isInlineCallFrame):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileBody):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler32_64.cpp:
        * dfg/DFGNode.h:
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::trueCallerFrame):
        * interpreter/CallFrame.h:
        * runtime/Arguments.h:
        (JSC::Arguments::getArgumentsData):

2011-11-01  Xianzhu Wang

        StringImpl::reallocate() should have an 8-bit version
        https://bugs.webkit.org/show_bug.cgi?id=71210

        Reviewed by Geoffrey Garen.

        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::reallocate):
        * wtf/text/StringImpl.h:

2011-10-31  Filip Pizlo

        The GC should be parallel
        https://bugs.webkit.org/show_bug.cgi?id=70995

        Reviewed by Geoff Garen.

        Added parallel tracing to the GC.
        This works by having local mark stacks per thread, and a global shared one. Threads
        sometimes donate cells from the mark stack to the global one if the heuristics tell them
        that it's affordable to do so. Threads that have depleted their local mark stacks try to
        steal some from the shared one.

        Marking is now done using an atomic weak relaxed CAS (compare-and-swap).

        This is a 23% speed-up on V8-splay when I use 4 marking threads, leading to a 3.5%
        speed-up on V8.

        It also appears that this reduces GC pause times on real websites by more than half.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::~Heap):
        (JSC::Heap::markRoots):
        * heap/Heap.h:
        * heap/MarkStack.cpp:
        (JSC::MarkStackSegmentAllocator::MarkStackSegmentAllocator):
        (JSC::MarkStackSegmentAllocator::~MarkStackSegmentAllocator):
        (JSC::MarkStackSegmentAllocator::allocate):
        (JSC::MarkStackSegmentAllocator::release):
        (JSC::MarkStackSegmentAllocator::shrinkReserve):
        (JSC::MarkStackArray::MarkStackArray):
        (JSC::MarkStackArray::~MarkStackArray):
        (JSC::MarkStackArray::expand):
        (JSC::MarkStackArray::refill):
        (JSC::MarkStackArray::donateSomeCellsTo):
        (JSC::MarkStackArray::stealSomeCellsFrom):
        (JSC::MarkStackThreadSharedData::markingThreadMain):
        (JSC::MarkStackThreadSharedData::markingThreadStartFunc):
        (JSC::MarkStackThreadSharedData::MarkStackThreadSharedData):
        (JSC::MarkStackThreadSharedData::~MarkStackThreadSharedData):
        (JSC::MarkStackThreadSharedData::reset):
        (JSC::MarkStack::reset):
        (JSC::SlotVisitor::donateSlow):
        (JSC::SlotVisitor::drain):
        (JSC::SlotVisitor::drainFromShared):
        (JSC::MarkStack::mergeOpaqueRoots):
        (JSC::SlotVisitor::harvestWeakReferences):
        * heap/MarkStack.h:
        (JSC::MarkStackSegment::data):
        (JSC::MarkStackSegment::capacityFromSize):
        (JSC::MarkStackSegment::sizeFromCapacity):
        (JSC::MarkStackArray::postIncTop):
        (JSC::MarkStackArray::preDecTop):
        (JSC::MarkStackArray::setTopForFullSegment):
        (JSC::MarkStackArray::setTopForEmptySegment):
        (JSC::MarkStackArray::top):
        (JSC::MarkStackArray::validatePrevious):
        (JSC::MarkStack::addWeakReferenceHarvester):
        (JSC::MarkStack::mergeOpaqueRootsIfNecessary):
        (JSC::MarkStack::mergeOpaqueRootsIfProfitable):
        (JSC::MarkStack::MarkStack):
        (JSC::MarkStack::addOpaqueRoot):
        (JSC::MarkStack::containsOpaqueRoot):
        (JSC::MarkStack::opaqueRootCount):
        (JSC::MarkStackArray::append):
        (JSC::MarkStackArray::canRemoveLast):
        (JSC::MarkStackArray::removeLast):
        (JSC::MarkStackArray::isEmpty):
        (JSC::MarkStackArray::canDonateSomeCells):
        (JSC::MarkStackArray::size):
        (JSC::ParallelModeEnabler::ParallelModeEnabler):
        (JSC::ParallelModeEnabler::~ParallelModeEnabler):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::testAndSetMarked):
        * heap/SlotVisitor.h:
        (JSC::SlotVisitor::donate):
        (JSC::SlotVisitor::donateAndDrain):
        (JSC::SlotVisitor::donateKnownParallel):
        (JSC::SlotVisitor::SlotVisitor):
        * heap/WeakReferenceHarvester.h:
        * runtime/Heuristics.cpp:
        (JSC::Heuristics::initializeHeuristics):
        * runtime/Heuristics.h:
        * wtf/Atomics.h:
        (WTF::weakCompareAndSwap):
        * wtf/Bitmap.h:
        (WTF::::Bitmap):
        (WTF::::get):
        (WTF::::set):
        (WTF::::testAndSet):
        (WTF::::testAndClear):
        (WTF::::concurrentTestAndSet):
        (WTF::::concurrentTestAndClear):
        (WTF::::clear):
        (WTF::::clearAll):
        (WTF::::nextPossiblyUnset):
        (WTF::::findRunOfZeros):
        (WTF::::count):
        (WTF::::isEmpty):
        (WTF::::isFull):
        * wtf/MainThread.h:
        (WTF::isMainThreadOrGCThread):
        * wtf/Platform.h:
        * wtf/ThreadSpecific.h:
        (WTF::::isSet):
        * wtf/mac/MainThreadMac.mm:
        (WTF::initializeGCThreads):
        (WTF::initializeMainThreadPlatform):
        (WTF::initializeMainThreadToProcessMainThreadPlatform):
        (WTF::registerGCThread):
        (WTF::isMainThreadOrGCThread):

2011-10-31  Mark Hahnenberg

        De-virtualize JSObject::defaultValue
        https://bugs.webkit.org/show_bug.cgi?id=71146

        Reviewed by Sam Weinig.

        Added defaultValue to the MethodTable. Replaced all virtual versions of defaultValue with
        static versions.
        Replaced all call sites with lookups in the MethodTable.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/ClassInfo.h:
        * runtime/ExceptionHelpers.cpp:
        (JSC::InterruptedExecutionError::defaultValue):
        (JSC::TerminatedExecutionError::defaultValue):
        * runtime/ExceptionHelpers.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::defaultValue):
        * runtime/JSCell.h:
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::defaultValue):
        * runtime/JSNotAnObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::getPrimitiveNumber):
        (JSC::JSObject::defaultValue):
        * runtime/JSObject.h:
        (JSC::JSObject::toPrimitive):

2011-10-31  Mark Hahnenberg

        Interpreter build fix

        Unreviewed build fix

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):

2011-10-31  Filip Pizlo

        DFG OSR exits should add to value profiles
        https://bugs.webkit.org/show_bug.cgi?id=71202

        Reviewed by Oliver Hunt.

        Value profiles now have an extra special slot not used by the old JIT's profiling, which
        is reserved for OSR exits. The DFG's OSR exit code now knows which register, node index,
        and value profiling site was responsible for the (possibly flawed) information that led
        to the OSR failure.

        This is somewhat opportunistic and imperfect; if there's a lot of control flow between
        the value profiling site and the OSR failure point, then this mechanism simply gives up.
        It also gives up if the OSR failure is caused by either known deficiencies in the DFG
        (like that we always assume that the index in a strict charCodeAt access is within
        bounds) or where the OSR failure would be catalogued and profiled through other means
        (like slow case counters).

        This patch also adds the notion of a JSValueRegs, which is either a single register in
        JSVALUE64 or a pair in JSVALUE32_64.
        We should probably move the 32_64 DFG towards using this, since it often makes it easier
        to share code between 64 and 32_64.

        Also fixed a number of pathologies that this uncovered. op_method_check didn't have a
        value profiling site on the slow path. GetById should not always force OSR exit if it
        never executed in the old JIT; we may be able to infer its type if it's an array or
        string length get.

        Finally, these changes benefit from a slight tweak to optimization delay heuristics
        (profile fullness is now 0.35 instead of 0.25).

        3.8% speed-up on Kraken, mostly due to ~35% on both stanford-crypto-aes and
        imaging-darkroom.

        * bytecode/ValueProfile.cpp:
        (JSC::ValueProfile::computeStatistics):
        (JSC::ValueProfile::computeUpdatedPrediction):
        * bytecode/ValueProfile.h:
        (JSC::ValueProfile::ValueProfile):
        (JSC::ValueProfile::specFailBucket):
        (JSC::ValueProfile::numberOfSamples):
        (JSC::ValueProfile::isLive):
        (JSC::ValueProfile::numberOfInt32s):
        (JSC::ValueProfile::numberOfDoubles):
        (JSC::ValueProfile::numberOfCells):
        (JSC::ValueProfile::numberOfObjects):
        (JSC::ValueProfile::numberOfFinalObjects):
        (JSC::ValueProfile::numberOfStrings):
        (JSC::ValueProfile::numberOfArrays):
        (JSC::ValueProfile::numberOfBooleans):
        (JSC::ValueProfile::dump):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
        (JSC::DFG::ByteCodeParser::getPrediction):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGPRInfo.h:
        (JSC::DFG::JSValueRegs::JSValueRegs):
        (JSC::DFG::JSValueRegs::operator!):
        (JSC::DFG::JSValueRegs::gpr):
        (JSC::DFG::JSValueSource::JSValueSource):
        (JSC::DFG::JSValueSource::unboxedCell):
        (JSC::DFG::JSValueSource::operator!):
        (JSC::DFG::JSValueSource::isAddress):
        (JSC::DFG::JSValueSource::offset):
        (JSC::DFG::JSValueSource::base):
        (JSC::DFG::JSValueSource::gpr):
        (JSC::DFG::JSValueSource::asAddress):
        (JSC::DFG::JSValueSource::notAddress):
        (JSC::DFG::JSValueRegs::tagGPR):
        (JSC::DFG::JSValueRegs::payloadGPR):
        (JSC::DFG::JSValueSource::tagGPR):
        (JSC::DFG::JSValueSource::payloadGPR):
        (JSC::DFG::JSValueSource::hasKnownTag):
        (JSC::DFG::JSValueSource::tag):
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::jsValueRegs):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::valueProfileFor):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::JSValueOperand::jsValueRegs):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::valueProfileFor):
        * dfg/DFGJITCompiler32_64.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnByteArray):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_method_check):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_method_check):
        * runtime/Heuristics.cpp:
        (JSC::Heuristics::initializeHeuristics):
        * runtime/JSValue.h:

2011-10-31  Sam Weinig

        Remove need for virtual JSObject::unwrappedObject
        https://bugs.webkit.org/show_bug.cgi?id=71034

        Reviewed by Geoffrey Garen.

        * JavaScriptCore.exp:
        Update exports.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.gypi:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Add JSGlobalThis.cpp.

        * runtime/JSGlobalThis.cpp: Added.
        (JSC::JSGlobalThis::visitChildren):
        (JSC::JSGlobalThis::unwrappedObject):
        * runtime/JSGlobalThis.h:
        (JSC::JSGlobalThis::createStructure):
        Move underlying object from JSDOMWindowShell down to JSGlobalThis and corresponding
        visitChildren method.

        * runtime/JSObject.cpp:
        (JSC::JSObject::unwrappedObject):
        Change unwrappedObject from virtual, to just needing an if check.

        * runtime/JSObject.h:
        (JSC::JSObject::isGlobalThis):
        * runtime/JSType.h:
        Add isGlobalThis predicate and type.

2011-10-31  Xianzhu Wang

        WTF::StringImpl::create(const char*, unsigned) calls itself
        https://bugs.webkit.org/show_bug.cgi?id=71206

        The original implementation just calls itself, causing infinite recursion. Cast the first
        parameter to const LChar* to fix that.

        Reviewed by Ryosuke Niwa.

        * wtf/text/StringImpl.h:
        (WTF::StringImpl::create):

2011-10-31  Andy Wingo

        Fix DFG JIT compilation on Linux targets.
        https://bugs.webkit.org/show_bug.cgi?id=70904

        Reviewed by Darin Adler.

        * jit/JITStubs.cpp (SYMBOL_STRING_RELOCATION): Simplify this macro.
        * dfg/DFGOperations.cpp (SYMBOL_STRING_RELOCATION): Copy the simplified definition from
        jit/JITStubs.cpp.
        (FUNCTION_WRAPPER_WITH_RETURN_ADDRESS, getHostCallReturnValue): Use the macro to access
        trampoline targets through the PLT on PIC systems, instead of introducing a text
        relocation. Otherwise, the library fails to link.

2011-10-31  Mark Hahnenberg

        De-virtualize JSObject::defineGetter
        https://bugs.webkit.org/show_bug.cgi?id=71134

        Reviewed by Darin Adler.

        Added defineGetter to the MethodTable. Replaced all virtual versions of defineGetter with
        static versions. Replaced all call sites with lookups in the MethodTable.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::defineGetter):
        * debugger/DebuggerActivation.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/ClassInfo.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::defineGetter):
        * runtime/JSCell.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::defineGetter):
        * runtime/JSGlobalObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::defineGetter):
        (JSC::putDescriptor):
        * runtime/JSObject.h:
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncDefineGetter):

2011-10-31  Michael Saboff

        Towards 8-bit Strings: Move Lexer and Parser Objects out of JSGlobalData
        https://bugs.webkit.org/show_bug.cgi?id=71138

        Restructure and movement of Lexer and Parser code.
        Moved Lexer and Parser objects out of JSGlobalData.
        Added a new ParserTokens class and instance to JSGlobalData that have JavaScript token
        related definitions.
        Replaced JSGlobalData arguments to Node classes with lineNumber, as that was the only use
        of the JSGlobalData.
        Combined JSParser and Parser classes into one class, eliminating JSParser.h and .cpp.
        Various supporting #include changes.

        These mostly mechanical changes are done in preparation to making the Lexer and Parser
        template classes.
        Reviewed by Darin Adler.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::toArgumentList):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::ASTBuilder):
        (JSC::ASTBuilder::createSourceElements):
        (JSC::ASTBuilder::createCommaExpr):
        (JSC::ASTBuilder::createLogicalNot):
        (JSC::ASTBuilder::createUnaryPlus):
        (JSC::ASTBuilder::createVoid):
        (JSC::ASTBuilder::thisExpr):
        (JSC::ASTBuilder::createResolve):
        (JSC::ASTBuilder::createObjectLiteral):
        (JSC::ASTBuilder::createArray):
        (JSC::ASTBuilder::createNumberExpr):
        (JSC::ASTBuilder::createString):
        (JSC::ASTBuilder::createBoolean):
        (JSC::ASTBuilder::createNull):
        (JSC::ASTBuilder::createBracketAccess):
        (JSC::ASTBuilder::createDotAccess):
        (JSC::ASTBuilder::createRegExp):
        (JSC::ASTBuilder::createNewExpr):
        (JSC::ASTBuilder::createConditionalExpr):
        (JSC::ASTBuilder::createAssignResolve):
        (JSC::ASTBuilder::createFunctionExpr):
        (JSC::ASTBuilder::createFunctionBody):
        (JSC::ASTBuilder::createGetterOrSetterProperty):
        (JSC::ASTBuilder::createArguments):
        (JSC::ASTBuilder::createArgumentsList):
        (JSC::ASTBuilder::createPropertyList):
        (JSC::ASTBuilder::createElementList):
        (JSC::ASTBuilder::createFormalParameterList):
        (JSC::ASTBuilder::createClause):
        (JSC::ASTBuilder::createClauseList):
        (JSC::ASTBuilder::createFuncDeclStatement):
        (JSC::ASTBuilder::createBlockStatement):
        (JSC::ASTBuilder::createExprStatement):
        (JSC::ASTBuilder::createIfStatement):
        (JSC::ASTBuilder::createForLoop):
        (JSC::ASTBuilder::createForInLoop):
        (JSC::ASTBuilder::createEmptyStatement):
        (JSC::ASTBuilder::createVarStatement):
        (JSC::ASTBuilder::createReturnStatement):
        (JSC::ASTBuilder::createBreakStatement):
        (JSC::ASTBuilder::createContinueStatement):
        (JSC::ASTBuilder::createTryStatement):
        (JSC::ASTBuilder::createSwitchStatement):
        (JSC::ASTBuilder::createWhileStatement):
        (JSC::ASTBuilder::createDoWhileStatement):
        (JSC::ASTBuilder::createLabelStatement):
        (JSC::ASTBuilder::createWithStatement):
        (JSC::ASTBuilder::createThrowStatement):
        (JSC::ASTBuilder::createDebugger):
        (JSC::ASTBuilder::createConstStatement):
        (JSC::ASTBuilder::appendConstDecl):
        (JSC::ASTBuilder::combineCommaNodes):
        (JSC::ASTBuilder::appendBinaryOperation):
        (JSC::ASTBuilder::createAssignment):
        (JSC::ASTBuilder::createNumber):
        (JSC::ASTBuilder::makeTypeOfNode):
        (JSC::ASTBuilder::makeDeleteNode):
        (JSC::ASTBuilder::makeNegateNode):
        (JSC::ASTBuilder::makeBitwiseNotNode):
        (JSC::ASTBuilder::makeMultNode):
        (JSC::ASTBuilder::makeDivNode):
        (JSC::ASTBuilder::makeModNode):
        (JSC::ASTBuilder::makeAddNode):
        (JSC::ASTBuilder::makeSubNode):
        (JSC::ASTBuilder::makeLeftShiftNode):
        (JSC::ASTBuilder::makeRightShiftNode):
        (JSC::ASTBuilder::makeURightShiftNode):
        (JSC::ASTBuilder::makeBitOrNode):
        (JSC::ASTBuilder::makeBitAndNode):
        (JSC::ASTBuilder::makeBitXOrNode):
        (JSC::ASTBuilder::makeFunctionCallNode):
        (JSC::ASTBuilder::makeBinaryNode):
        (JSC::ASTBuilder::makeAssignNode):
        (JSC::ASTBuilder::makePrefixNode):
        (JSC::ASTBuilder::makePostfixNode):
        * parser/JSParser.cpp: Removed.
        * parser/JSParser.h: Removed.
        * parser/Lexer.cpp:
        (JSC::Keywords::Keywords):
        (JSC::Lexer::Lexer):
        (JSC::Lexer::~Lexer):
        (JSC::Lexer::setCode):
        (JSC::Lexer::parseIdentifier):
        * parser/Lexer.h:
        (JSC::Keywords::isKeyword):
        (JSC::Keywords::getKeyword):
        (JSC::Keywords::~Keywords):
        (JSC::Lexer::setIsReparsing):
        (JSC::Lexer::isReparsing):
        (JSC::Lexer::lineNumber):
        (JSC::Lexer::setLastLineNumber):
        (JSC::Lexer::lastLineNumber):
        (JSC::Lexer::prevTerminator):
        (JSC::Lexer::sawError):
        (JSC::Lexer::getErrorMessage):
        (JSC::Lexer::currentOffset):
        (JSC::Lexer::setOffset):
        (JSC::Lexer::setLineNumber):
        (JSC::Lexer::sourceProvider):
        (JSC::Lexer::isWhiteSpace):
        (JSC::Lexer::isLineTerminator):
        (JSC::Lexer::convertHex):
        (JSC::Lexer::convertUnicode):
        (JSC::Lexer::makeIdentifier):
        (JSC::Lexer::lexExpectIdentifier):
        * parser/NodeConstructors.h:
        (JSC::ParserArenaFreeable::operator new):
        (JSC::ParserArenaDeletable::operator new):
        (JSC::ParserArenaRefCounted::ParserArenaRefCounted):
        (JSC::Node::Node):
        (JSC::ExpressionNode::ExpressionNode):
        (JSC::StatementNode::StatementNode):
        (JSC::NullNode::NullNode):
        (JSC::BooleanNode::BooleanNode):
        (JSC::NumberNode::NumberNode):
        (JSC::StringNode::StringNode):
        (JSC::RegExpNode::RegExpNode):
        (JSC::ThisNode::ThisNode):
        (JSC::ResolveNode::ResolveNode):
        (JSC::ElementNode::ElementNode):
        (JSC::ArrayNode::ArrayNode):
        (JSC::PropertyNode::PropertyNode):
        (JSC::PropertyListNode::PropertyListNode):
        (JSC::ObjectLiteralNode::ObjectLiteralNode):
        (JSC::BracketAccessorNode::BracketAccessorNode):
        (JSC::DotAccessorNode::DotAccessorNode):
        (JSC::ArgumentListNode::ArgumentListNode):
        (JSC::ArgumentsNode::ArgumentsNode):
        (JSC::NewExprNode::NewExprNode):
        (JSC::EvalFunctionCallNode::EvalFunctionCallNode):
        (JSC::FunctionCallValueNode::FunctionCallValueNode):
        (JSC::FunctionCallResolveNode::FunctionCallResolveNode):
        (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
        (JSC::FunctionCallDotNode::FunctionCallDotNode):
        (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
(JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode): (JSC::PrePostResolveNode::PrePostResolveNode): (JSC::PostfixResolveNode::PostfixResolveNode): (JSC::PostfixBracketNode::PostfixBracketNode): (JSC::PostfixDotNode::PostfixDotNode): (JSC::PostfixErrorNode::PostfixErrorNode): (JSC::DeleteResolveNode::DeleteResolveNode): (JSC::DeleteBracketNode::DeleteBracketNode): (JSC::DeleteDotNode::DeleteDotNode): (JSC::DeleteValueNode::DeleteValueNode): (JSC::VoidNode::VoidNode): (JSC::TypeOfResolveNode::TypeOfResolveNode): (JSC::TypeOfValueNode::TypeOfValueNode): (JSC::PrefixResolveNode::PrefixResolveNode): (JSC::PrefixBracketNode::PrefixBracketNode): (JSC::PrefixDotNode::PrefixDotNode): (JSC::PrefixErrorNode::PrefixErrorNode): (JSC::UnaryOpNode::UnaryOpNode): (JSC::UnaryPlusNode::UnaryPlusNode): (JSC::NegateNode::NegateNode): (JSC::BitwiseNotNode::BitwiseNotNode): (JSC::LogicalNotNode::LogicalNotNode): (JSC::BinaryOpNode::BinaryOpNode): (JSC::MultNode::MultNode): (JSC::DivNode::DivNode): (JSC::ModNode::ModNode): (JSC::AddNode::AddNode): (JSC::SubNode::SubNode): (JSC::LeftShiftNode::LeftShiftNode): (JSC::RightShiftNode::RightShiftNode): (JSC::UnsignedRightShiftNode::UnsignedRightShiftNode): (JSC::LessNode::LessNode): (JSC::GreaterNode::GreaterNode): (JSC::LessEqNode::LessEqNode): (JSC::GreaterEqNode::GreaterEqNode): (JSC::ThrowableBinaryOpNode::ThrowableBinaryOpNode): (JSC::InstanceOfNode::InstanceOfNode): (JSC::InNode::InNode): (JSC::EqualNode::EqualNode): (JSC::NotEqualNode::NotEqualNode): (JSC::StrictEqualNode::StrictEqualNode): (JSC::NotStrictEqualNode::NotStrictEqualNode): (JSC::BitAndNode::BitAndNode): (JSC::BitOrNode::BitOrNode): (JSC::BitXOrNode::BitXOrNode): (JSC::LogicalOpNode::LogicalOpNode): (JSC::ConditionalNode::ConditionalNode): (JSC::ReadModifyResolveNode::ReadModifyResolveNode): (JSC::AssignResolveNode::AssignResolveNode): (JSC::ReadModifyBracketNode::ReadModifyBracketNode): (JSC::AssignBracketNode::AssignBracketNode): (JSC::AssignDotNode::AssignDotNode): 
(JSC::ReadModifyDotNode::ReadModifyDotNode): (JSC::AssignErrorNode::AssignErrorNode): (JSC::CommaNode::CommaNode): (JSC::ConstStatementNode::ConstStatementNode): (JSC::SourceElements::SourceElements): (JSC::EmptyStatementNode::EmptyStatementNode): (JSC::DebuggerStatementNode::DebuggerStatementNode): (JSC::ExprStatementNode::ExprStatementNode): (JSC::VarStatementNode::VarStatementNode): (JSC::IfNode::IfNode): (JSC::IfElseNode::IfElseNode): (JSC::DoWhileNode::DoWhileNode): (JSC::WhileNode::WhileNode): (JSC::ForNode::ForNode): (JSC::ContinueNode::ContinueNode): (JSC::BreakNode::BreakNode): (JSC::ReturnNode::ReturnNode): (JSC::WithNode::WithNode): (JSC::LabelNode::LabelNode): (JSC::ThrowNode::ThrowNode): (JSC::TryNode::TryNode): (JSC::ParameterNode::ParameterNode): (JSC::FuncExprNode::FuncExprNode): (JSC::FuncDeclNode::FuncDeclNode): (JSC::CaseClauseNode::CaseClauseNode): (JSC::ClauseListNode::ClauseListNode): (JSC::CaseBlockNode::CaseBlockNode): (JSC::SwitchNode::SwitchNode): (JSC::ConstDeclNode::ConstDeclNode): (JSC::BlockNode::BlockNode): (JSC::ForInNode::ForInNode): * parser/NodeInfo.h: * parser/Nodes.cpp: (JSC::StatementNode::setLoc): (JSC::ScopeNode::ScopeNode): (JSC::ProgramNode::ProgramNode): (JSC::ProgramNode::create): (JSC::EvalNode::EvalNode): (JSC::EvalNode::create): (JSC::FunctionBodyNode::FunctionBodyNode): (JSC::FunctionBodyNode::create): * parser/Nodes.h: (JSC::Node::lineNo): * parser/Parser.cpp: (JSC::Parser::Parser): (JSC::Parser::~Parser): (JSC::Parser::parseInner): (JSC::Parser::allowAutomaticSemicolon): (JSC::Parser::parseSourceElements): (JSC::Parser::parseVarDeclaration): (JSC::Parser::parseConstDeclaration): (JSC::Parser::parseDoWhileStatement): (JSC::Parser::parseWhileStatement): (JSC::Parser::parseVarDeclarationList): (JSC::Parser::parseConstDeclarationList): (JSC::Parser::parseForStatement): (JSC::Parser::parseBreakStatement): (JSC::Parser::parseContinueStatement): (JSC::Parser::parseReturnStatement): (JSC::Parser::parseThrowStatement): 
(JSC::Parser::parseWithStatement): (JSC::Parser::parseSwitchStatement): (JSC::Parser::parseSwitchClauses): (JSC::Parser::parseSwitchDefaultClause): (JSC::Parser::parseTryStatement): (JSC::Parser::parseDebuggerStatement): (JSC::Parser::parseBlockStatement): (JSC::Parser::parseStatement): (JSC::Parser::parseFormalParameters): (JSC::Parser::parseFunctionBody): (JSC::Parser::parseFunctionInfo): (JSC::Parser::parseFunctionDeclaration): (JSC::LabelInfo::LabelInfo): (JSC::Parser::parseExpressionOrLabelStatement): (JSC::Parser::parseExpressionStatement): (JSC::Parser::parseIfStatement): (JSC::Parser::parseExpression): (JSC::Parser::parseAssignmentExpression): (JSC::Parser::parseConditionalExpression): (JSC::isUnaryOp): (JSC::Parser::isBinaryOperator): (JSC::Parser::parseBinaryExpression): (JSC::Parser::parseProperty): (JSC::Parser::parseObjectLiteral): (JSC::Parser::parseStrictObjectLiteral): (JSC::Parser::parseArrayLiteral): (JSC::Parser::parsePrimaryExpression): (JSC::Parser::parseArguments): (JSC::Parser::parseMemberExpression): (JSC::Parser::parseUnaryExpression): * parser/Parser.h: (JSC::isEvalNode): (JSC::EvalNode): (JSC::DepthManager::DepthManager): (JSC::DepthManager::~DepthManager): (JSC::ScopeLabelInfo::ScopeLabelInfo): (JSC::Scope::Scope): (JSC::Scope::startSwitch): (JSC::Scope::endSwitch): (JSC::Scope::startLoop): (JSC::Scope::endLoop): (JSC::Scope::inLoop): (JSC::Scope::breakIsValid): (JSC::Scope::continueIsValid): (JSC::Scope::pushLabel): (JSC::Scope::popLabel): (JSC::Scope::getLabel): (JSC::Scope::setIsFunction): (JSC::Scope::isFunction): (JSC::Scope::isFunctionBoundary): (JSC::Scope::declareVariable): (JSC::Scope::declareWrite): (JSC::Scope::preventNewDecls): (JSC::Scope::allowsNewDecls): (JSC::Scope::declareParameter): (JSC::Scope::useVariable): (JSC::Scope::setNeedsFullActivation): (JSC::Scope::collectFreeVariables): (JSC::Scope::getUncapturedWrittenVariables): (JSC::Scope::getCapturedVariables): (JSC::Scope::setStrictMode): (JSC::Scope::strictMode): 
(JSC::Scope::isValidStrictMode): (JSC::Scope::shadowsArguments): (JSC::Scope::copyCapturedVariablesToVector): (JSC::Scope::saveFunctionInfo): (JSC::Scope::restoreFunctionInfo): (JSC::ScopeRef::ScopeRef): (JSC::ScopeRef::operator->): (JSC::ScopeRef::index): (JSC::ScopeRef::hasContainingScope): (JSC::ScopeRef::containingScope): (JSC::Parser::AllowInOverride::AllowInOverride): (JSC::Parser::AllowInOverride::~AllowInOverride): (JSC::Parser::AutoPopScopeRef::AutoPopScopeRef): (JSC::Parser::AutoPopScopeRef::~AutoPopScopeRef): (JSC::Parser::AutoPopScopeRef::setPopped): (JSC::Parser::currentScope): (JSC::Parser::pushScope): (JSC::Parser::popScopeInternal): (JSC::Parser::popScope): (JSC::Parser::declareVariable): (JSC::Parser::declareWrite): (JSC::Parser::findCachedFunctionInfo): (JSC::Parser::isFunctionBodyNode): (JSC::Parser::next): (JSC::Parser::nextExpectIdentifier): (JSC::Parser::nextTokenIsColon): (JSC::Parser::consume): (JSC::Parser::getToken): (JSC::Parser::match): (JSC::Parser::tokenStart): (JSC::Parser::tokenLine): (JSC::Parser::tokenEnd): (JSC::Parser::getTokenName): (JSC::Parser::updateErrorMessageSpecialCase): (JSC::Parser::updateErrorMessage): (JSC::Parser::updateErrorWithNameAndMessage): (JSC::Parser::startLoop): (JSC::Parser::endLoop): (JSC::Parser::startSwitch): (JSC::Parser::endSwitch): (JSC::Parser::setStrictMode): (JSC::Parser::strictMode): (JSC::Parser::isValidStrictMode): (JSC::Parser::declareParameter): (JSC::Parser::breakIsValid): (JSC::Parser::continueIsValid): (JSC::Parser::pushLabel): (JSC::Parser::popLabel): (JSC::Parser::getLabel): (JSC::Parser::autoSemiColon): (JSC::Parser::canRecurse): (JSC::Parser::lastTokenEnd): (JSC::Parser::DepthManager::DepthManager): (JSC::Parser::DepthManager::~DepthManager): (JSC::Parser::parse): (JSC::parse): * parser/ParserTokens.h: Added. 
(JSC::JSTokenInfo::JSTokenInfo): * parser/SourceCode.h: (JSC::SourceCode::subExpression): * parser/SourceProviderCacheItem.h: * parser/SyntaxChecker.h: (JSC::SyntaxChecker::SyntaxChecker): (JSC::SyntaxChecker::makeFunctionCallNode): (JSC::SyntaxChecker::createCommaExpr): (JSC::SyntaxChecker::makeAssignNode): (JSC::SyntaxChecker::makePrefixNode): (JSC::SyntaxChecker::makePostfixNode): (JSC::SyntaxChecker::makeTypeOfNode): (JSC::SyntaxChecker::makeDeleteNode): (JSC::SyntaxChecker::makeNegateNode): (JSC::SyntaxChecker::makeBitwiseNotNode): (JSC::SyntaxChecker::createLogicalNot): (JSC::SyntaxChecker::createUnaryPlus): (JSC::SyntaxChecker::createVoid): (JSC::SyntaxChecker::thisExpr): (JSC::SyntaxChecker::createResolve): (JSC::SyntaxChecker::createObjectLiteral): (JSC::SyntaxChecker::createArray): (JSC::SyntaxChecker::createNumberExpr): (JSC::SyntaxChecker::createString): (JSC::SyntaxChecker::createBoolean): (JSC::SyntaxChecker::createNull): (JSC::SyntaxChecker::createBracketAccess): (JSC::SyntaxChecker::createDotAccess): (JSC::SyntaxChecker::createRegExp): (JSC::SyntaxChecker::createNewExpr): (JSC::SyntaxChecker::createConditionalExpr): (JSC::SyntaxChecker::createAssignResolve): (JSC::SyntaxChecker::createFunctionExpr): (JSC::SyntaxChecker::createFunctionBody): (JSC::SyntaxChecker::createArguments): (JSC::SyntaxChecker::createArgumentsList): (JSC::SyntaxChecker::createProperty): (JSC::SyntaxChecker::createPropertyList): (JSC::SyntaxChecker::createFuncDeclStatement): (JSC::SyntaxChecker::createBlockStatement): (JSC::SyntaxChecker::createExprStatement): (JSC::SyntaxChecker::createIfStatement): (JSC::SyntaxChecker::createForLoop): (JSC::SyntaxChecker::createForInLoop): (JSC::SyntaxChecker::createEmptyStatement): (JSC::SyntaxChecker::createVarStatement): (JSC::SyntaxChecker::createReturnStatement): (JSC::SyntaxChecker::createBreakStatement): (JSC::SyntaxChecker::createContinueStatement): (JSC::SyntaxChecker::createTryStatement): (JSC::SyntaxChecker::createSwitchStatement): 
(JSC::SyntaxChecker::createWhileStatement): (JSC::SyntaxChecker::createWithStatement): (JSC::SyntaxChecker::createDoWhileStatement): (JSC::SyntaxChecker::createLabelStatement): (JSC::SyntaxChecker::createThrowStatement): (JSC::SyntaxChecker::createDebugger): (JSC::SyntaxChecker::createConstStatement): (JSC::SyntaxChecker::appendConstDecl): (JSC::SyntaxChecker::createGetterOrSetterProperty): (JSC::SyntaxChecker::combineCommaNodes): (JSC::SyntaxChecker::operatorStackPop): * runtime/Executable.cpp: (JSC::EvalExecutable::compileInternal): (JSC::ProgramExecutable::checkSyntax): (JSC::ProgramExecutable::compileInternal): (JSC::FunctionExecutable::produceCodeBlockFor): (JSC::FunctionExecutable::fromGlobalCode): * runtime/JSGlobalData.cpp: (JSC::JSGlobalData::JSGlobalData): (JSC::JSGlobalData::~JSGlobalData): * runtime/JSGlobalData.h: * runtime/LiteralParser.cpp: (JSC::LiteralParser::tryJSONPParse): 2011-10-31 Filip Pizlo REGRESSION (r97118): Reproducible crash in JSCell::toPrimitive when adding https://bugs.webkit.org/show_bug.cgi?id=71227 Reviewed by Oliver Hunt. No new tests, since while I can see exactly where the DFG went wrong on the site in question from looking at the generated machine code, and while I can certainly believe that such a scenario would happen, I cannot visualize how to make it happen reproducibly. It requires an odd combination of double values getting spilled and then refilled, but then reboxed at just the right time so that the spilled value is an unboxed double while the in-register value is a boxed double. * dfg/DFGJITCodeGenerator.h: (JSC::DFG::JITCodeGenerator::silentFillGPR): 2011-10-30 Filip Pizlo JSParser::parsePrimaryExpression should have an overflow check https://bugs.webkit.org/show_bug.cgi?id=71197 Reviewed by Geoff Garen. * parser/JSParser.cpp: (JSC::JSParser::parsePrimaryExpression): 2011-10-30 Filip Pizlo DFG ValueAdd(string, int) should not fail speculation https://bugs.webkit.org/show_bug.cgi?id=71195 Reviewed by Geoff Garen. 
1% speed-up on V8. * dfg/DFGNode.h: (JSC::DFG::Node::shouldNotSpeculateInteger): (JSC::DFG::Node::shouldSpeculateInteger): 2011-10-30 Filip Pizlo The DFG inliner should not flush the callee https://bugs.webkit.org/show_bug.cgi?id=71191 Reviewed by Oliver Hunt. 0.6% speed-up on V8. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::visitAggregate): * bytecode/CodeOrigin.h: * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::flush): (JSC::DFG::ByteCodeParser::handleInlining): (JSC::DFG::ByteCodeParser::parseBlock): (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): (JSC::DFG::ByteCodeParser::parse): * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::exitSpeculativeWithOSR): * dfg/DFGJITCompiler32_64.cpp: (JSC::DFG::JITCompiler::exitSpeculativeWithOSR): * interpreter/CallFrame.cpp: (JSC::CallFrame::trueCallerFrameSlow): 2011-10-28 Mark Hahnenberg De-virtualize isGlobalObject, isVariableObject, isActivationObject, and isErrorInstance in JSObject https://bugs.webkit.org/show_bug.cgi?id=70968 Reviewed by Geoffrey Garen. * API/JSCallbackObject.cpp: Added two specializations for createStructure that use different JSTypes in their TypeInfo. Had to also create a specialization for JSNonFinalObject, even though JSGlobalObject was the only one that needed it, because Windows wouldn't build without it. (JSC::::createStructure): * API/JSCallbackObject.h: * JavaScriptCore.exp: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: * runtime/ErrorInstance.h: Removed virtual function and changed JSType provided to TypeInfo in createStructure. (JSC::ErrorInstance::createStructure): * runtime/ErrorPrototype.h: Ditto (JSC::ErrorPrototype::createStructure): * runtime/JSActivation.h: Ditto (JSC::JSActivation::createStructure): * runtime/JSGlobalObject.h: Ditto (JSC::JSGlobalObject::createStructure): * runtime/JSObject.h: De-virtualized functions. They now check the JSType of the object for the corresponding type. 
(JSC::JSObject::isGlobalObject): (JSC::JSObject::isVariableObject): (JSC::JSObject::isActivationObject): (JSC::JSObject::isErrorInstance): * runtime/JSType.h: Added new types for GlobalObject, VariableObject, ActivationObject, and ErrorInstance. * runtime/JSVariableObject.cpp: Removed virtual function. * runtime/JSVariableObject.h: Changed JSType provided to TypeInfo in createStructure. (JSC::JSVariableObject::createStructure): 2011-10-28 Pavel Feldman Reset line numbers for scripts generated with document.write. https://bugs.webkit.org/show_bug.cgi?id=71099 Reviewed by Yury Semikhatsky. * wtf/text/TextPosition.h: (WTF::OrdinalNumber::OrdinalNumber): 2011-10-27 Daniel Bates CMake: Add support to optionally install the built JavaScript shell https://bugs.webkit.org/show_bug.cgi?id=71062 Reviewed by Antonio Gomes. Generate an installation rule for installing the JavaScript shell in /bin (with respect to the prefix path) when SHOULD_INSTALL_JS_SHELL is defined. * shell/CMakeLists.txt: 2011-10-27 Kentaro Hara Generate WebKitCSSMatrix constructor for JSC by [Constructor] IDL https://bugs.webkit.org/show_bug.cgi?id=70215 Reviewed by Adam Barth. Added a method that judges if a given JSValue is empty. Tests: transforms/svg-vs-css.xhtml transforms/cssmatrix-2d-interface.xhtml transforms/cssmatrix-3d-interface.xhtml * runtime/JSValue.h: * runtime/JSValueInlineMethods.h: (JSC::JSValue::isEmpty): 2011-10-27 Michael Saboff ENH: Add 8 bit string support to JSC JIT https://bugs.webkit.org/show_bug.cgi?id=71073 Changed the JIT String character access generation to create code to check the character size and load8() or load16() as appropriate. Reviewed by Gavin Barraclough. 
* assembler/MacroAssemblerX86Common.h: (JSC::MacroAssemblerX86Common::load8): * assembler/X86Assembler.h: (JSC::X86Assembler::movzbl_mr): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt): (JSC::DFG::SpeculativeJIT::compileGetByValOnString): * jit/JITInlineMethods.h: (JSC::JIT::emitLoadCharacterString): * jit/JITPropertyAccess.cpp: (JSC::JIT::stringGetByValStubGenerator): * jit/JITPropertyAccess32_64.cpp: (JSC::JIT::stringGetByValStubGenerator): * jit/JSInterfaceJIT.h: (JSC::ThunkHelpers::stringImplFlagsOffset): (JSC::ThunkHelpers::stringImpl8BitFlag): * jit/ThunkGenerators.cpp: (JSC::stringCharLoad): 2011-10-27 Filip Pizlo If the bytecode generator emits code after the return in the first basic block, DFG's inliner crashes https://bugs.webkit.org/show_bug.cgi?id=71071 Reviewed by Gavin Barraclough. Removed some cruft dealing with parsing failures due to unsupported functionality (that's never reached anymore due to it being caught in DFGCapabilities). This allowed me to repurpose the bool return from parseBlock() to mean: true if we should continue to parse, or false if we've already parsed all live code. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::ByteCodeParser): (JSC::DFG::ByteCodeParser::parseBlock): (JSC::DFG::ByteCodeParser::parseCodeBlock): 2011-10-27 Joseph Pecoraro Reviewed by David Kilzer. Make FeatureDefines Identical Across OS X Projects https://bugs.webkit.org/show_bug.cgi?id=71051 * Configurations/FeatureDefines.xcconfig: 2011-10-27 Filip Pizlo Crash in JSC::Structure::materializePropertyMap when viewing Garden-O-Matic https://bugs.webkit.org/show_bug.cgi?id=71045 Reviewed by Geoff Garen. Make sure that if a structure is pinned, it also has a property map. 
* runtime/Structure.cpp: (JSC::Structure::changePrototypeTransition): (JSC::Structure::despecifyFunctionTransition): (JSC::Structure::getterSetterTransition): (JSC::Structure::toDictionaryTransition): (JSC::Structure::preventExtensionsTransition): (JSC::Structure::addPropertyWithoutTransition): (JSC::Structure::removePropertyWithoutTransition): (JSC::Structure::pin): (JSC::Structure::copyPropertyTableForPinning): * runtime/Structure.h: (JSC::Structure::materializePropertyMapIfNecessaryForPinning): 2011-10-27 Michael Saboff 32bit build failure after r98624 https://bugs.webkit.org/show_bug.cgi?id=71064 Disambiguated operator overload with unsigned index (0u). Reviewed by Sam Weinig. * runtime/UString.h: (JSC::operator==): 2011-10-27 Gustavo Noronha Silva Fix building on GNU/kFreeBSD https://bugs.webkit.org/show_bug.cgi?id=71005 Reviewed by Darin Adler. * config.h: * wtf/Platform.h: 2011-10-27 Michael Saboff Investigate storing strings in 8-bit buffers when possible https://bugs.webkit.org/show_bug.cgi?id=66161 Added support for 8 bit string data in StringImpl. Changed (UChar*) m_data to m_data16. Added char* m_data8 as a union with m_data16. Added UChar* m_copyData16 to the other union to store a 16 bit copy of an 8 bit string when needed. Added characters8() and characters16() accessor methods that assume the caller has checked the underlying string type via the new is8Bit() method. The characters() method will return a UChar* of the string, materializing a 16 bit copy if the string is an 8 bit string. Added two flags, one for 8 bit buffer and a second for a 16 bit copy for an 8 bit string. Fixed method name typo (StringHasher::defaultCoverter()). Over time the goal is to eliminate calls to characters() and use the characters8() and characters16() accessors. This patch does not include changes that actually create 8 bit strings. 
This is the first of at least 8 patches. Subsequent patches will be submitted for JIT changes, making the JSC lexer, parser and literal parser, JavaScript string changes and then changes in webcore to take advantage of the 8 bit strings. This change is performance neutral for SunSpider and V8 when run from the command line with "jsc". Reviewed by Geoffrey Garen. * JavaScriptCore.exp: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def * interpreter/Interpreter.cpp: (JSC::Interpreter::callEval): * parser/SourceProvider.h: (JSC::UStringSourceProvider::data): (JSC::UStringSourceProvider::UStringSourceProvider): * runtime/Identifier.cpp: (JSC::IdentifierCStringTranslator::hash): (JSC::IdentifierCStringTranslator::equal): (JSC::IdentifierCStringTranslator::translate): (JSC::Identifier::add): (JSC::Identifier::toUInt32): * runtime/Identifier.h: (JSC::Identifier::equal): (JSC::operator==): (JSC::operator!=): * runtime/JSString.cpp: (JSC::JSString::resolveRope): (JSC::JSString::resolveRopeSlowCase): * runtime/RegExp.cpp: (JSC::RegExp::match): * runtime/StringPrototype.cpp: (JSC::jsSpliceSubstringsWithSeparators): * runtime/UString.cpp: (JSC::UString::UString): (JSC::equalSlowCase): (JSC::UString::utf8): * runtime/UString.h: (JSC::UString::characters): (JSC::UString::characters8): (JSC::UString::characters16): (JSC::UString::is8Bit): (JSC::UString::operator[]): (JSC::UString::find): (JSC::operator==): * wtf/StringHasher.h: (WTF::StringHasher::computeHash): (WTF::StringHasher::defaultConverter): * wtf/text/AtomicString.cpp: (WTF::CStringTranslator::hash): (WTF::CStringTranslator::equal): (WTF::CStringTranslator::translate): (WTF::AtomicString::add): * wtf/text/AtomicString.h: (WTF::AtomicString::AtomicString): (WTF::AtomicString::contains): (WTF::AtomicString::find): (WTF::AtomicString::add): (WTF::operator==): (WTF::operator!=): (WTF::equalIgnoringCase): * wtf/text/StringConcatenate.h: * wtf/text/StringHash.h: (WTF::StringHash::equal): (WTF::CaseFoldingHash::hash): * 
wtf/text/StringImpl.cpp: (WTF::StringImpl::~StringImpl): (WTF::StringImpl::createUninitialized): (WTF::StringImpl::create): (WTF::StringImpl::getData16SlowCase): (WTF::StringImpl::containsOnlyWhitespace): (WTF::StringImpl::substring): (WTF::StringImpl::characterStartingAt): (WTF::StringImpl::lower): (WTF::StringImpl::upper): (WTF::StringImpl::fill): (WTF::StringImpl::foldCase): (WTF::StringImpl::stripMatchedCharacters): (WTF::StringImpl::removeCharacters): (WTF::StringImpl::simplifyMatchedCharactersToSpace): (WTF::StringImpl::toIntStrict): (WTF::StringImpl::toUIntStrict): (WTF::StringImpl::toInt64Strict): (WTF::StringImpl::toUInt64Strict): (WTF::StringImpl::toIntPtrStrict): (WTF::StringImpl::toInt): (WTF::StringImpl::toUInt): (WTF::StringImpl::toInt64): (WTF::StringImpl::toUInt64): (WTF::StringImpl::toIntPtr): (WTF::StringImpl::toDouble): (WTF::StringImpl::toFloat): (WTF::equal): (WTF::equalIgnoringCase): (WTF::StringImpl::find): (WTF::StringImpl::findIgnoringCase): (WTF::StringImpl::reverseFind): (WTF::StringImpl::replace): (WTF::StringImpl::defaultWritingDirection): (WTF::StringImpl::adopt): (WTF::StringImpl::createWithTerminatingNullCharacter): * wtf/text/StringImpl.h: (WTF::StringImpl::StringImpl): (WTF::StringImpl::create): (WTF::StringImpl::create8): (WTF::StringImpl::tryCreateUninitialized): (WTF::StringImpl::flagsOffset): (WTF::StringImpl::flagIs8Bit): (WTF::StringImpl::dataOffset): (WTF::StringImpl::is8Bit): (WTF::StringImpl::characters8): (WTF::StringImpl::characters16): (WTF::StringImpl::characters): (WTF::StringImpl::has16BitShadow): (WTF::StringImpl::setHash): (WTF::StringImpl::hash): (WTF::StringImpl::copyChars): (WTF::StringImpl::operator[]): (WTF::StringImpl::find): (WTF::StringImpl::findIgnoringCase): (WTF::equal): (WTF::equalIgnoringCase): (WTF::StringImpl::isolatedCopy): * wtf/text/WTFString.cpp: (WTF::String::String): (WTF::String::append): (WTF::String::format): (WTF::String::fromUTF8): (WTF::String::fromUTF8WithLatin1Fallback): * 
wtf/text/WTFString.h: (WTF::String::find): (WTF::String::findIgnoringCase): (WTF::String::contains): (WTF::String::append): (WTF::String::fromUTF8): (WTF::String::fromUTF8WithLatin1Fallback): (WTF::operator==): (WTF::operator!=): (WTF::equalIgnoringCase): * wtf/unicode/Unicode.h: * yarr/YarrJIT.cpp: (JSC::Yarr::execute): * yarr/YarrJIT.h: (JSC::Yarr::YarrCodeBlock::execute): * yarr/YarrParser.h: (JSC::Yarr::Parser::Parser): 2011-10-27 Mark Hahnenberg Fixing windows build Unreviewed build fix * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: 2011-10-27 Mark Hahnenberg Add ability to check for presence of static members at compile time https://bugs.webkit.org/show_bug.cgi?id=70986 Reviewed by Geoffrey Garen. Added new CREATE_MEMBER_CHECKER macro to instantiate the template and the HAS_MEMBER_NAMED macro to use that template to check if the specified class does indeed have a method with that name. This mechanism is not currently used anywhere, but will be in the future when adding virtual methods from JSObject to the MethodTable. * runtime/ClassInfo.h: 2011-10-27 Mark Hahnenberg De-virtualize JSCell::toThisObject https://bugs.webkit.org/show_bug.cgi?id=70958 Reviewed by Geoffrey Garen. Converted all instances of toThisObject to static functions, added toThisObject to the MethodTable, and replaced all call sites with a corresponding lookup in the MethodTable. 
* API/JSContextRef.cpp: * JavaScriptCore.exp: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: * runtime/ClassInfo.h: * runtime/JSActivation.cpp: (JSC::JSActivation::toThisObject): * runtime/JSActivation.h: * runtime/JSCell.cpp: (JSC::JSCell::toThisObject): * runtime/JSCell.h: * runtime/JSObject.cpp: (JSC::JSObject::put): (JSC::JSObject::toThisObject): * runtime/JSObject.h: (JSC::JSValue::toThisObject): * runtime/JSStaticScopeObject.cpp: (JSC::JSStaticScopeObject::toThisObject): * runtime/JSStaticScopeObject.h: * runtime/JSString.cpp: (JSC::JSString::toThisObject): * runtime/JSString.h: * runtime/StrictEvalActivation.cpp: (JSC::StrictEvalActivation::toThisObject): * runtime/StrictEvalActivation.h: 2011-10-27 Yuqiang Xian Fix a small bug in callOperation after r98431 https://bugs.webkit.org/show_bug.cgi?id=70984 Reviewed by Geoffrey Garen. TrustedImmPtr is not expecting "int" type parameters. * dfg/DFGJITCodeGenerator.h: (JSC::DFG::callOperation): 2011-10-26 Oliver Hunt Restore structure-clearing behaviour of allocateCell<> https://bugs.webkit.org/show_bug.cgi?id=70976 Reviewed by Geoffrey Garen. This restores the logic that allows the markstack to filter live objects that have not yet been initialised. * runtime/JSCell.h: (JSC::JSCell::clearStructure): Validation-safe method to clear a cell's structure. (JSC::allocateCell): Call the above method. * runtime/Structure.h: (JSC::MarkStack::internalAppend): Don't visit cells that haven't been initialised. 2011-10-26 Filip Pizlo REGRESSION (r97030): Cannot log in to progressive.com https://bugs.webkit.org/show_bug.cgi?id=70094 Reviewed by Oliver Hunt. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleCall): 2011-10-26 Mark Hahnenberg Remove getOwnPropertySlotVirtual https://bugs.webkit.org/show_bug.cgi?id=70741 Reviewed by Geoffrey Garen. Removed all declarations and definitions of getOwnPropertySlotVirtual. 
Also replaced all call sites to getOwnPropertySlotVirtual with a corresponding lookup in the MethodTable. * API/JSCallbackObject.h: * API/JSCallbackObjectFunctions.h: (JSC::::getOwnPropertyDescriptor): * JavaScriptCore.exp: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: * debugger/DebuggerActivation.cpp: (JSC::DebuggerActivation::getOwnPropertySlot): * debugger/DebuggerActivation.h: * runtime/Arguments.cpp: * runtime/Arguments.h: * runtime/ArrayConstructor.cpp: * runtime/ArrayConstructor.h: * runtime/ArrayPrototype.cpp: * runtime/ArrayPrototype.h: * runtime/BooleanPrototype.cpp: * runtime/BooleanPrototype.h: * runtime/DateConstructor.cpp: * runtime/DateConstructor.h: * runtime/DatePrototype.cpp: * runtime/DatePrototype.h: (JSC::DatePrototype::create): * runtime/ErrorPrototype.cpp: * runtime/ErrorPrototype.h: * runtime/JSActivation.cpp: * runtime/JSActivation.h: * runtime/JSArray.cpp: (JSC::JSArray::getOwnPropertySlotByIndex): * runtime/JSArray.h: * runtime/JSByteArray.cpp: * runtime/JSByteArray.h: * runtime/JSCell.cpp: * runtime/JSCell.h: * runtime/JSFunction.cpp: (JSC::JSFunction::getOwnPropertyDescriptor): (JSC::JSFunction::getOwnPropertyNames): (JSC::JSFunction::put): * runtime/JSFunction.h: * runtime/JSGlobalObject.cpp: * runtime/JSGlobalObject.h: * runtime/JSNotAnObject.cpp: * runtime/JSNotAnObject.h: * runtime/JSONObject.cpp: (JSC::Stringifier::Holder::appendNextProperty): (JSC::Walker::walk): * runtime/JSONObject.h: * runtime/JSObject.cpp: (JSC::JSObject::getOwnPropertySlotByIndex): (JSC::JSObject::hasOwnProperty): * runtime/JSObject.h: (JSC::JSCell::fastGetOwnPropertySlot): (JSC::JSObject::getPropertySlot): (JSC::JSValue::get): * runtime/JSStaticScopeObject.cpp: * runtime/JSStaticScopeObject.h: * runtime/JSString.cpp: (JSC::JSString::getOwnPropertySlot): * runtime/JSString.h: * runtime/MathObject.cpp: * runtime/MathObject.h: (JSC::MathObject::create): * runtime/NumberConstructor.cpp: * runtime/NumberConstructor.h: * 
runtime/NumberPrototype.cpp: * runtime/NumberPrototype.h: * runtime/ObjectConstructor.cpp: * runtime/ObjectConstructor.h: * runtime/ObjectPrototype.cpp: * runtime/ObjectPrototype.h: * runtime/RegExpConstructor.cpp: * runtime/RegExpConstructor.h: * runtime/RegExpMatchesArray.h: (JSC::RegExpMatchesArray::createStructure): * runtime/RegExpObject.cpp: * runtime/RegExpObject.h: * runtime/RegExpPrototype.cpp: * runtime/RegExpPrototype.h: * runtime/StringConstructor.cpp: * runtime/StringConstructor.h: * runtime/StringObject.cpp: * runtime/StringObject.h: * runtime/StringPrototype.cpp: * runtime/StringPrototype.h: 2011-10-26 Alejandro G. Castro [GTK] [WK2] Add WebKit2 distcheck support https://bugs.webkit.org/show_bug.cgi?id=70933 Reviewed by Martin Robinson. * GNUmakefile.list.am: Add MemoryStatistics.h to the sources list. 2011-10-26 Michael Saboff Increase StringImpl Flag Bits for 8 bit Strings https://bugs.webkit.org/show_bug.cgi?id=70937 Increased the number of bits used for flags in StringImpl from 6 to 8 bits. This frees up 2 flag bits that will be used for 8-bit string support. Updated hash methods accordingly. Changed hash value masking from the low bits to the high bits. Reviewed by Darin Adler. * create_hash_table: * wtf/StringHasher.h: (WTF::StringHasher::hash): * wtf/text/StringImpl.h: 2011-10-26 Dan Bernstein Build fix. Reverted r98488, which caused the scripts’ status messages to be included in the generated files. * create_hash_table: * create_jit_stubs: 2011-10-26 Tor Arne Vestbø Don't print regular output to STDERR when generating hashtables and JIT stubs Reviewed by Simon Hausmann. * create_hash_table: * create_jit_stubs: 2011-10-25 Gavin Barraclough Split DFGJITCodeGenerator::callOperation methods https://bugs.webkit.org/show_bug.cgi?id=70870 Reviewed by Filip Pizlo. The DFGJITCodeGenerator currently contains two sets of callOperation methods. 
One set works with the JSVALUE64 value representation and passes arguments in registers (suitable for use on x86-64), and one set works with the JSVALUE32_64 value representation and passes arguments in memory (suitable for use on x86). By refactoring out the representation and calling convention specific aspects of the code we can also configure the DFG JIT to operate on platforms that use the JSVALUE32_64 value representation but pass arguments in registers. On platforms supported by the JIT, the payload precedes the tag of a value in argument/result ordering; as such, in order to make the setupResults method generally applicable to return the results of a function that are returned in two registers, the ordering of arguments to this function has been reversed - as is the ordering of arguments passed to setupArguments methods, with respect to the ordering with which they are passed in to callOperation. This inconsistency will be resolved in a later change when we combine the pairs of arguments passed into callOperation, such that the function signatures can be made consistent across the two value representations (the callOperation methods will be passed a reference to a struct representing the JSValue temporary, this will consist of two gprs on 32_64 and one on 64). * dfg/DFGJITCodeGenerator.h: (JSC::DFG::resetCallArguments): (JSC::DFG::addCallArgument): - moved, removed tag,payload version of this method. (JSC::DFG::setupArguments): (JSC::DFG::setupArgumentsExecState): (JSC::DFG::setupArgumentsWithExecState): - Calling convention specific portion of callOperation refactored out into these methods. (JSC::DFG::callOperation): - updated these methods to use setupArguments* methods. (JSC::DFG::setupResults): - setupResults is now passed payload,tag. (JSC::DFG::appendCallWithExceptionCheckSetResult): - Added fpr versions of this function. (JSC::DFG::appendCallSetResult): - Added versions of this function without exception check. 
* dfg/DFGJITCodeGenerator32_64.cpp: (JSC::DFG::JITCodeGenerator::emitCall): - setupResults is now passed payload,tag. 2011-10-25 Mark Hahnenberg Remove deletePropertyVirtual https://bugs.webkit.org/show_bug.cgi?id=70738 Reviewed by Geoffrey Garen. Removed all declarations and definitions of deletePropertyVirtual. Also replaced all call sites to deletePropertyVirtual with a corresponding lookup in the MethodTable. * API/JSCallbackObject.h: * API/JSCallbackObjectFunctions.h: (JSC::::deletePropertyByIndex): * API/JSObjectRef.cpp: (JSObjectDeleteProperty): * JavaScriptCore.exp: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: * debugger/DebuggerActivation.cpp: (JSC::DebuggerActivation::deleteProperty): * debugger/DebuggerActivation.h: * interpreter/Interpreter.cpp: (JSC::Interpreter::privateExecute): * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): * runtime/Arguments.cpp: * runtime/Arguments.h: * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncPop): (JSC::arrayProtoFuncReverse): (JSC::arrayProtoFuncShift): (JSC::arrayProtoFuncSplice): (JSC::arrayProtoFuncUnShift): * runtime/JSActivation.cpp: * runtime/JSActivation.h: * runtime/JSArray.cpp: (JSC::JSArray::deleteProperty): (JSC::JSArray::deletePropertyByIndex): * runtime/JSArray.h: * runtime/JSCell.cpp: (JSC::JSCell::deleteProperty): (JSC::JSCell::deletePropertyByIndex): * runtime/JSCell.h: * runtime/JSFunction.cpp: * runtime/JSFunction.h: * runtime/JSNotAnObject.cpp: * runtime/JSNotAnObject.h: * runtime/JSONObject.cpp: (JSC::Walker::walk): * runtime/JSObject.cpp: (JSC::JSObject::deletePropertyByIndex): (JSC::JSObject::defineOwnProperty): * runtime/JSObject.h: * runtime/JSVariableObject.cpp: * runtime/JSVariableObject.h: * runtime/RegExpMatchesArray.h: * runtime/StrictEvalActivation.cpp: * runtime/StrictEvalActivation.h: * runtime/StringObject.cpp: * runtime/StringObject.h: 2011-10-25 Mark Hahnenberg Remove putVirtual https://bugs.webkit.org/show_bug.cgi?id=70740 Reviewed by Geoffrey Garen. 
Removed all declarations and definitions of putVirtual. Also replaced all call sites to putVirtual with a corresponding lookup in the MethodTable. * API/JSCallbackObject.h: * API/JSCallbackObjectFunctions.h: * API/JSObjectRef.cpp: (JSObjectSetProperty): (JSObjectSetPropertyAtIndex): * JavaScriptCore.exp: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: * debugger/DebuggerActivation.cpp: (JSC::DebuggerActivation::put): * debugger/DebuggerActivation.h: * dfg/DFGOperations.cpp: * interpreter/Interpreter.cpp: (JSC::Interpreter::execute): (JSC::Interpreter::privateExecute): * jsc.cpp: (GlobalObject::finishCreation): * runtime/Arguments.cpp: * runtime/Arguments.h: * runtime/ArrayPrototype.cpp: (JSC::putProperty): (JSC::arrayProtoFuncConcat): (JSC::arrayProtoFuncPush): (JSC::arrayProtoFuncReverse): (JSC::arrayProtoFuncShift): (JSC::arrayProtoFuncSlice): (JSC::arrayProtoFuncSort): (JSC::arrayProtoFuncSplice): (JSC::arrayProtoFuncUnShift): (JSC::arrayProtoFuncFilter): (JSC::arrayProtoFuncMap): * runtime/JSActivation.cpp: * runtime/JSActivation.h: * runtime/JSArray.cpp: (JSC::JSArray::putSlowCase): (JSC::JSArray::push): (JSC::JSArray::shiftCount): (JSC::JSArray::unshiftCount): * runtime/JSArray.h: * runtime/JSByteArray.cpp: * runtime/JSByteArray.h: * runtime/JSCell.cpp: (JSC::JSCell::put): (JSC::JSCell::putByIndex): * runtime/JSCell.h: * runtime/JSFunction.cpp: * runtime/JSFunction.h: * runtime/JSGlobalObject.cpp: * runtime/JSGlobalObject.h: * runtime/JSNotAnObject.cpp: * runtime/JSNotAnObject.h: * runtime/JSONObject.cpp: (JSC::Walker::walk): * runtime/JSObject.cpp: (JSC::JSObject::putByIndex): (JSC::JSObject::defineOwnProperty): * runtime/JSObject.h: (JSC::JSValue::put): * runtime/JSStaticScopeObject.cpp: * runtime/JSStaticScopeObject.h: * runtime/ObjectPrototype.cpp: * runtime/ObjectPrototype.h: * runtime/RegExpConstructor.cpp: * runtime/RegExpConstructor.h: * runtime/RegExpMatchesArray.h: * runtime/RegExpObject.cpp: * runtime/RegExpObject.h: * 
runtime/StringObject.cpp: * runtime/StringObject.h: * runtime/StringPrototype.cpp: (JSC::stringProtoFuncSplit): 2011-10-25 Gavin Barraclough Separate out function linking & exception check data structures. https://bugs.webkit.org/show_bug.cgi?id=70858 Reviewed by Oliver Hunt. This will make it easier to refactor the callOperation methods to spilt the value representation specific handling from the cpu/calling-convention implementation. * dfg/DFGJITCodeGenerator.h: (JSC::DFG::appendCallWithExceptionCheck): * dfg/DFGJITCodeGenerator32_64.cpp: (JSC::DFG::JITCodeGenerator::emitCall): * dfg/DFGJITCodeGenerator64.cpp: (JSC::DFG::JITCodeGenerator::emitCall): * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::compileBody): (JSC::DFG::JITCompiler::link): * dfg/DFGJITCompiler.h: (JSC::DFG::CallLinkRecord::CallLinkRecord): (JSC::DFG::CallExceptionRecord::CallExceptionRecord): (JSC::DFG::JITCompiler::JITCompiler): (JSC::DFG::JITCompiler::notifyCall): (JSC::DFG::JITCompiler::appendCall): (JSC::DFG::JITCompiler::addExceptionCheck): (JSC::DFG::JITCompiler::addFastExceptionCheck): * dfg/DFGJITCompiler32_64.cpp: (JSC::DFG::JITCompiler::compileBody): (JSC::DFG::JITCompiler::link): 2011-10-25 Filip Pizlo Tiered compilation may introduce dangling pointers in constant buffers https://bugs.webkit.org/show_bug.cgi?id=70854 Reviewed by Oliver Hunt. Tiered compilation now copies constant buffers, which fixes the regression in https://bugs.webkit.org/show_bug.cgi?id=70246. No new tests because this regression relies on a subtle interleaving of optimized compilation and garbage collection, and cannot be reproduced in a simple test. This also adds some new debug support, which was used to fix this bug and is likely to be useful in the future. 
* bytecode/CodeBlock.cpp: (JSC::CodeBlock::copyDataFrom): (JSC::CodeBlock::usesOpcode): * bytecode/CodeBlock.h: * dfg/DFGGraph.cpp: (JSC::DFG::Graph::dump): 2011-10-25 Mark Hahnenberg Fixing Windows build after r98367 Unreviewed build fix * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: 2011-10-25 Yuqiang Xian Add missing DFG file entries to the make lists for GTK and Qt ports https://bugs.webkit.org/show_bug.cgi?id=70806 Reviewed by Darin Adler. * GNUmakefile.list.am: * JavaScriptCore.pro: 2011-10-25 Mark Hahnenberg Add getOwnPropertySlot to MethodTable https://bugs.webkit.org/show_bug.cgi?id=69807 Reviewed by Oliver Hunt. * JavaScriptCore.exp: * runtime/ClassInfo.h: Added both versions of getOwnPropertySlot to the MethodTable. * runtime/JSCell.h: Changed getOwnPropertySlot to be protected so other classes can reference it in their MethodTables. 2011-10-25 Oliver Hunt Need to support marking of multiple nested codeblocks when compiling https://bugs.webkit.org/show_bug.cgi?id=70832 Reviewed by Gavin Barraclough. When inlining a function we end up with multiple codeblocks being compiled at the same time, so we need to support a list of live codeblocks. * heap/Heap.cpp: (JSC::Heap::markRoots): * runtime/JSGlobalData.cpp: (JSC::JSGlobalData::JSGlobalData): * runtime/JSGlobalData.h: (JSC::JSGlobalData::startedCompiling): (JSC::JSGlobalData::finishedCompiling): 2011-10-24 Yuqiang Xian DFG JIT 32_64 - fillInteger should accept DataFormatJSInteger https://bugs.webkit.org/show_bug.cgi?id=70798 Reviewed by Filip Pizlo. When filling an integer for a known integer node (not speculated), it should accept DataFormatJSInteger as well. * dfg/DFGJITCodeGenerator32_64.cpp: (JSC::DFG::JITCodeGenerator::fillInteger): 2011-10-24 Geoffrey Garen Build fix: removed some cases of threadsafeCopy() that I missed in my previous patch. 
* JavaScriptCore.order: 2011-10-24 Geoffrey Garen Removed SharedUChar and tightened language around its previous uses https://bugs.webkit.org/show_bug.cgi?id=70698 Reviewed by David Levin. - Removed SharedUChar because most of its functionality has moved into other abstraction layers, and we want remaining clients to choose their abstractions explicitly instead of relying on StringImpl to provide this behavior implicitly, since we think they can sometimes make more efficient choices. - Renamed "threadSafeCopy" and "crossThreadCopy" to "isolatedCopy" because the former names could give the impression that the resulting object was thread-safe, but actually it's just an isolated copy, which is not thread-safe by itself, but can be used to implement a thread-safe algorithm through isolation. * wtf/CrossThreadRefCounted.h: Removed. * JavaScriptCore.exp: Export! * wtf/text/StringImpl.cpp: (WTF::StringImpl::~StringImpl): Removed the stuff mentioned above. * wtf/text/StringImpl.h: (WTF::StringImpl::length): Ditto. (WTF::StringImpl::isolatedCopy): Inlined this, since it's now trivial. * wtf/text/WTFString.cpp: (WTF::String::isolatedCopy): * wtf/text/WTFString.h: Updated for StringImpl changes. * API/OpaqueJSString.h: * GNUmakefile.list.am: * JavaScriptCore.exp: * JavaScriptCore.gypi: * JavaScriptCore.order: * JavaScriptCore.vcproj/WTF/WTF.vcproj: * JavaScriptCore.xcodeproj/project.pbxproj: * wtf/CMakeLists.txt: * wtf/OwnFastMallocPtr.h: * wtf/RefCounted.h: * wtf/SizeLimits.cpp: * wtf/ThreadSafeRefCounted.h: * wtf/wtf.pri: * yarr/YarrPattern.h: Updated these files to accomodate removal of CrossThreadRefCounted.h. 2011-10-24 Oliver Hunt Crash in void JSC::validateCell(JSC::RegExp*) https://bugs.webkit.org/show_bug.cgi?id=70689 Reviewed by Filip Pizlo. While performing codegen we need to make the GlobalData explicitly aware of the codeblock being compiled, as compilation may trigger GC and CodeBlock holds GC values, but has not yet been assigned to its owner executable. 
* bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::BytecodeGenerator): (JSC::BytecodeGenerator::~BytecodeGenerator): * bytecompiler/BytecodeGenerator.h: * heap/AllocationSpace.cpp: (JSC::AllocationSpace::allocateSlowCase): * heap/Heap.cpp: (JSC::Heap::markRoots): * runtime/JSGlobalData.cpp: (JSC::JSGlobalData::JSGlobalData): * runtime/JSGlobalData.h: (JSC::JSGlobalData::startedCompiling): (JSC::JSGlobalData::finishedCompiling): 2011-10-24 Filip Pizlo Object-or-other branch speculation may corrupt the state for OSR if the child of the branch is an integer https://bugs.webkit.org/show_bug.cgi?id=70777 Reviewed by Oliver Hunt. * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): 2011-10-24 Filip Pizlo op_new_array_buffer is not inlined correctly https://bugs.webkit.org/show_bug.cgi?id=70770 Reviewed by Oliver Hunt. Disabled inlining of op_new_array_buffer, for now. * dfg/DFGCapabilities.h: (JSC::DFG::canInlineOpcode): 2011-10-24 Yuqiang Xian Add boolean speculations to DFG JIT 32_64 https://bugs.webkit.org/show_bug.cgi?id=70706 Reviewed by Filip Pizlo. Different from the boolean speculations in DFG 64, the boolean speculations in DFG 32_64 will use a 32bit GPR to hold the primitive boolean instead of a JSBoolean. This choice is not only for performance, but also to save a register as we're short of registers on X86. To accomplish this we make use of DataFormatBoolean, allow a value to be represented as a primitive boolean and converted from/to a JSBoolean. This patch also fixes SpillOrder in 32_64, which should be different from 64, and fixes needDataFormatConversion logic in 32_64. * assembler/MacroAssemblerX86Common.h: (JSC::MacroAssemblerX86Common::branchTest32): We don't expect byte test actually as it doesn't work for registers esp..edi on X86. 
* dfg/DFGGenerationInfo.h: (JSC::DFG::needDataFormatConversion): (JSC::DFG::GenerationInfo::initBoolean): (JSC::DFG::GenerationInfo::gpr): (JSC::DFG::GenerationInfo::fillInteger): (JSC::DFG::GenerationInfo::fillBoolean): * dfg/DFGJITCodeGenerator.cpp: (JSC::DFG::JITCodeGenerator::checkConsistency): * dfg/DFGJITCodeGenerator.h: (JSC::DFG::JITCodeGenerator::use): (JSC::DFG::JITCodeGenerator::silentSpillGPR): (JSC::DFG::JITCodeGenerator::silentFillGPR): (JSC::DFG::JITCodeGenerator::spill): (JSC::DFG::cellResult): (JSC::DFG::booleanResult): * dfg/DFGJITCodeGenerator32_64.cpp: (JSC::DFG::JITCodeGenerator::fillJSValue): (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompareNull): (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare): (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq): * dfg/DFGJITCompiler32_64.cpp: (JSC::DFG::JITCompiler::exitSpeculativeWithOSR): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::ValueSource::dump): (JSC::DFG::ValueRecovery::dump): (JSC::DFG::SpeculativeJIT::checkArgumentTypes): (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::ValueSource::forPrediction): (JSC::DFG::ValueRecovery::alreadyInRegisterFileAsUnboxedBoolean): (JSC::DFG::ValueRecovery::inGPR): (JSC::DFG::ValueRecovery::gpr): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal): (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): (JSC::DFG::SpeculativeJIT::compileObjectEquality): (JSC::DFG::SpeculativeJIT::compare): (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): (JSC::DFG::SpeculativeJIT::compileLogicalNot): (JSC::DFG::SpeculativeJIT::emitBranch): (JSC::DFG::SpeculativeJIT::compile): 2011-10-24 Mark Hahnenberg Fixing Windows build Unreviewed build fix * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: 2011-10-24 Yuqiang Xian BitVector isInline check could fail https://bugs.webkit.org/show_bug.cgi?id=70691 Reviewed by 
Geoffrey Garen. Current BitVector uses the highest bit of m_bitsOrPointer to indicate whether it's an inlined bit set or a pointer to an outOfLine bit set. This check may fail in case the pointer also has the highest bit set, which is surely possible on IA32 (Linux). In this case the check failure can result in unexpected behaviors, for example if the BitVector is incorrectly determined as having an inlined bit set, then setting a bit exceeding maxInlineBits will wrongly modify the memory adjacent to the BitVector object. This fix is to use the lowest bit of m_bitsOrPointer to indicate inline or outofline, based on the assumption that the pointer to OutOfLineBits should be 4 or 8 byte aligned. We could mark the lowest bit (bit 0) with 1 for inlined bit set, and bits 1~bitsInPointer are used for bit set/test. In this case we need do one bit more shift for bit set/test. * wtf/BitVector.cpp: (WTF::BitVector::resizeOutOfLine): * wtf/BitVector.h: (WTF::BitVector::quickGet): (WTF::BitVector::quickSet): (WTF::BitVector::quickClear): (WTF::BitVector::makeInlineBits): (WTF::BitVector::isInline): 2011-10-24 Mark Hahnenberg Rename static getOwnPropertySlot to getOwnPropertySlotByIndex https://bugs.webkit.org/show_bug.cgi?id=70271 Reviewed by Darin Adler. Renaming versions of getOwnPropertySlot that use an unsigned as the property name to "getOwnPropertySlotByIndex" in preparation for adding them to the MethodTable, which requires unique names for each method. 
* JavaScriptCore.exp: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: * runtime/Arguments.cpp: (JSC::Arguments::getOwnPropertySlotVirtual): (JSC::Arguments::getOwnPropertySlotByIndex): * runtime/Arguments.h: * runtime/JSArray.cpp: (JSC::JSArray::getOwnPropertySlotVirtual): (JSC::JSArray::getOwnPropertySlotByIndex): (JSC::JSArray::getOwnPropertySlot): * runtime/JSArray.h: * runtime/JSByteArray.cpp: (JSC::JSByteArray::getOwnPropertySlotVirtual): (JSC::JSByteArray::getOwnPropertySlotByIndex): * runtime/JSByteArray.h: * runtime/JSCell.cpp: (JSC::JSCell::getOwnPropertySlotVirtual): (JSC::JSCell::getOwnPropertySlotByIndex): * runtime/JSCell.h: * runtime/JSNotAnObject.cpp: (JSC::JSNotAnObject::getOwnPropertySlotVirtual): (JSC::JSNotAnObject::getOwnPropertySlotByIndex): * runtime/JSNotAnObject.h: * runtime/JSObject.cpp: (JSC::JSObject::getOwnPropertySlotVirtual): (JSC::JSObject::getOwnPropertySlotByIndex): * runtime/JSObject.h: * runtime/JSString.cpp: (JSC::JSString::getOwnPropertySlotVirtual): (JSC::JSString::getOwnPropertySlotByIndex): * runtime/JSString.h: * runtime/ObjectPrototype.cpp: (JSC::ObjectPrototype::getOwnPropertySlotVirtual): (JSC::ObjectPrototype::getOwnPropertySlotByIndex): * runtime/ObjectPrototype.h: * runtime/RegExpMatchesArray.h: (JSC::RegExpMatchesArray::getOwnPropertySlotVirtual): (JSC::RegExpMatchesArray::getOwnPropertySlotByIndex): * runtime/StringObject.cpp: (JSC::StringObject::getOwnPropertySlotVirtual): (JSC::StringObject::getOwnPropertySlotByIndex): * runtime/StringObject.h: 2011-10-24 Patrick Gansterer Interpreter build fix after r98179. * bytecode/CodeBlock.h: Moved CodeBlock::baselineVersion() into ENABLE(JIT) block, since it is only used there. 2011-10-23 Geoffrey Garen Fixed a typo Darin spotted. * wtf/StringHasher.h: (WTF::StringHasher::hash): Expelliarmus! 2011-10-23 Geoffrey Garen Removed StringImpl::createStrippingNullCharacters https://bugs.webkit.org/show_bug.cgi?id=70700 Reviewed by David Levin. It was unused. 
* JavaScriptCore.exp: * wtf/text/StringImpl.cpp: * wtf/text/StringImpl.h: 2011-10-22 Filip Pizlo DFG should inline constructors https://bugs.webkit.org/show_bug.cgi?id=70675 Reviewed by Oliver Hunt. Adds support for inlining constructors. Also fixes two pathologies uncovered along the way: CheckMethod claimed that it never returned a result (causing CheckMethod -> SetLocal -> GetLocal sequences to result in the GetLocal doing OSR exit), and get_by_id parsing never checked if it was hot in slow path. Also fiddled with inlining heuristics; it appears that for now, the more inlining, the happier V8 is. Finally, a bug was uncovered where a silent spill of a boxed integer that had previously been spilled unboxed causes the silent fill to forget to unbox. This appears to be a 4% speed-up on V8 in their harness, or a 1% speed-up in my harness. The difference is due to warm-up: in my harness we see significant amounts of time spent in compilation, but in V8's harness compilation gets amortizes. Profiling indicates that we have the potential for a 5% win from basic optimizations like generating OSR exits lazily and holding onto bytecode longer. 
* dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::execute): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleCall): (JSC::DFG::ByteCodeParser::handleInlining): (JSC::DFG::ByteCodeParser::handleMinMax): (JSC::DFG::ByteCodeParser::parseBlock): (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): (JSC::DFG::ByteCodeParser::parse): * dfg/DFGCapabilities.h: (JSC::DFG::mightInlineFunctionForConstruct): (JSC::DFG::canInlineOpcode): (JSC::DFG::mightInlineFunctionFor): (JSC::DFG::canInlineFunctionFor): * dfg/DFGJITCodeGenerator.h: (JSC::DFG::JITCodeGenerator::silentFillGPR): * runtime/Executable.h: (JSC::isCall): (JSC::ExecutableBase::intrinsicFor): * runtime/Heuristics.cpp: (JSC::Heuristics::initializeHeuristics): * runtime/Heuristics.h: 2011-10-23 Noel Gordon [chromium] Remove RopeImpl.{h,cpp} from the gyp projects https://bugs.webkit.org/show_bug.cgi?id=70703 Reviewed by Kent Tamura. runtime/RopeImpl.{h,cpp} were removed in r97872, remove references to these files from the gyp project files. * JavaScriptCore.gypi: 2011-10-23 Mark Hahnenberg Add deleteProperty to the MethodTable https://bugs.webkit.org/show_bug.cgi?id=70162 Reviewed by Sam Weinig. * JavaScriptCore.exp: * runtime/ClassInfo.h: Added both versions of deleteProperty to the MethodTable. * runtime/JSFunction.h: Changed JSFunction::deleteProperty to be protected rather than private for subclasses who don't provide their own implementation. 2011-10-23 Mark Hahnenberg Remove getConstructDataVirtual https://bugs.webkit.org/show_bug.cgi?id=70638 Reviewed by Darin Adler. Removed all declarations and definitions of getConstructDataVirtual. Also replaced all call sites to getConstructDataVirtual with a corresponding lookup in the MethodTable. 
* API/JSCallbackConstructor.cpp: * API/JSCallbackConstructor.h: * API/JSCallbackObject.h: * API/JSCallbackObjectFunctions.h: * API/JSObjectRef.cpp: (JSObjectIsConstructor): (JSObjectCallAsConstructor): * JavaScriptCore.exp: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: * dfg/DFGOperations.cpp: * interpreter/Interpreter.cpp: (JSC::Interpreter::privateExecute): * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): * runtime/ArrayConstructor.cpp: * runtime/ArrayConstructor.h: * runtime/BooleanConstructor.cpp: * runtime/BooleanConstructor.h: * runtime/DateConstructor.cpp: * runtime/DateConstructor.h: * runtime/Error.h: (JSC::StrictModeTypeErrorFunction::getConstructData): * runtime/ErrorConstructor.cpp: * runtime/ErrorConstructor.h: * runtime/FunctionConstructor.cpp: * runtime/FunctionConstructor.h: * runtime/JSCell.cpp: * runtime/JSCell.h: * runtime/JSFunction.cpp: * runtime/JSFunction.h: * runtime/JSObject.h: (JSC::getConstructData): * runtime/NativeErrorConstructor.cpp: * runtime/NativeErrorConstructor.h: * runtime/NumberConstructor.cpp: * runtime/NumberConstructor.h: * runtime/ObjectConstructor.cpp: * runtime/ObjectConstructor.h: * runtime/RegExpConstructor.cpp: * runtime/RegExpConstructor.h: * runtime/StringConstructor.cpp: * runtime/StringConstructor.h: 2011-10-23 Geoffrey Garen Try to fix the SL build. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): Cast away int vs unisgned warning. 2011-10-21 Geoffrey Garen Separated string lifetime bits from character buffer state bits https://bugs.webkit.org/show_bug.cgi?id=70673 Reviewed by Anders Carlsson. Moved the static/immortal bit into the bottom bit of the refcount, and moved all other bits into the high bits of the hash code. This is the first step toward a new Characters/PassString class, and it makes ref/deref slightly more efficient. 
* create_hash_table: * wtf/StringHasher.h: (WTF::StringHasher::hash): Tweaked the string hashing function to leave the top bits clear, so they can be used as flags. Fixed some small differences between the PERL copy of this function and the C++ copy of this function, which could have in theory caused subtle crashes. * wtf/text/StringImpl.cpp: (WTF::StringImpl::sharedBuffer): (WTF::StringImpl::createWithTerminatingNullCharacter): * wtf/text/StringImpl.h: (WTF::StringImpl::StringImpl): (WTF::StringImpl::cost): Renamed s_refCountFlagShouldReportedCost to s_didReportExtraCost, since the original name was both self-contradictory and used as a double-negative. (WTF::StringImpl::isIdentifier): (WTF::StringImpl::setIsIdentifier): (WTF::StringImpl::hasTerminatingNullCharacter): (WTF::StringImpl::isAtomic): (WTF::StringImpl::setIsAtomic): (WTF::StringImpl::setHash): (WTF::StringImpl::rawHash): (WTF::StringImpl::hasHash): (WTF::StringImpl::existingHash): (WTF::StringImpl::hash): (WTF::StringImpl::hasOneRef): (WTF::StringImpl::ref): (WTF::StringImpl::deref): (WTF::StringImpl::bufferOwnership): (WTF::StringImpl::isStatic): Moved the static/immortal bit into the bottom bit of the refcount. Now, all lifetime information lives in the refcount field. Moved the other bits into the hash code field. 2011-10-21 Filip Pizlo DFG inlining sometimes fails to reset constant references https://bugs.webkit.org/show_bug.cgi?id=70668 Reviewed by Anders Carlsson. Reset constant references when we need to (new block created) and not when we don't (change of inlining depth). * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleInlining): (JSC::DFG::ByteCodeParser::prepareToParseBlock): (JSC::DFG::ByteCodeParser::parseBlock): (JSC::DFG::ByteCodeParser::parseCodeBlock): 2011-10-21 Filip Pizlo DFG should have inlining https://bugs.webkit.org/show_bug.cgi?id=69996 Reviewed by Oliver Hunt. Implements inlining that's hooked into the bytecode parser. 
Only works for calls, for now, though nothing fundamentally prevents us from inlining constructor calls. 2% overall speed-up on all benchmarks. 7% speed-up on V8 (around 34% and 27% on deltablue and richards respectively), neutral on Kraken and SunSpider. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::visitAggregate): * bytecode/CodeBlock.h: (JSC::CodeBlock::baselineVersion): (JSC::CodeBlock::setInstructionCount): (JSC::CodeBlock::likelyToTakeSlowCase): (JSC::CodeBlock::couldTakeSlowCase): (JSC::CodeBlock::likelyToTakeSpecialFastCase): (JSC::CodeBlock::likelyToTakeDeepestSlowCase): (JSC::CodeBlock::likelyToTakeAnySlowCase): * bytecode/CodeOrigin.h: (JSC::CodeOrigin::inlineDepthForCallFrame): (JSC::CodeOrigin::inlineDepth): (JSC::CodeOrigin::operator==): (JSC::CodeOrigin::inlineStack): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::generate): * dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::beginBasicBlock): (JSC::DFG::AbstractState::execute): (JSC::DFG::AbstractState::mergeStateAtTail): * dfg/DFGBasicBlock.h: (JSC::DFG::BasicBlock::BasicBlock): (JSC::DFG::BasicBlock::ensureLocals): (JSC::DFG::UnlinkedBlock::UnlinkedBlock): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::ByteCodeParser): (JSC::DFG::ByteCodeParser::getDirect): (JSC::DFG::ByteCodeParser::get): (JSC::DFG::ByteCodeParser::setDirect): (JSC::DFG::ByteCodeParser::set): (JSC::DFG::ByteCodeParser::getLocal): (JSC::DFG::ByteCodeParser::getArgument): (JSC::DFG::ByteCodeParser::flush): (JSC::DFG::ByteCodeParser::InlineStackEntry::~InlineStackEntry): (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand): (JSC::DFG::ByteCodeParser::handleInlining): (JSC::DFG::ByteCodeParser::parseBlock): (JSC::DFG::ByteCodeParser::processPhiStack): (JSC::DFG::ByteCodeParser::linkBlock): (JSC::DFG::ByteCodeParser::linkBlocks): (JSC::DFG::ByteCodeParser::handleSuccessor): (JSC::DFG::ByteCodeParser::determineReachability): (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary): 
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): (JSC::DFG::ByteCodeParser::parseCodeBlock): (JSC::DFG::ByteCodeParser::parse): * dfg/DFGCapabilities.cpp: (JSC::DFG::canHandleOpcodes): (JSC::DFG::canCompileOpcodes): (JSC::DFG::canInlineOpcodes): * dfg/DFGCapabilities.h: (JSC::DFG::mightCompileEval): (JSC::DFG::mightCompileProgram): (JSC::DFG::mightCompileFunctionForCall): (JSC::DFG::mightCompileFunctionForConstruct): (JSC::DFG::mightInlineFunctionForCall): (JSC::DFG::mightInlineFunctionForConstruct): (JSC::DFG::canInlineOpcode): (JSC::DFG::canInlineOpcodes): (JSC::DFG::canInlineFunctionForCall): (JSC::DFG::canInlineFunctionForConstruct): * dfg/DFGGraph.cpp: (JSC::DFG::printWhiteSpace): (JSC::DFG::Graph::dumpCodeOrigin): (JSC::DFG::Graph::dump): * dfg/DFGGraph.h: (JSC::DFG::GetBytecodeBeginForBlock::operator()): (JSC::DFG::Graph::blockIndexForBytecodeOffset): * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::decodedCodeMapFor): (JSC::DFG::JITCompiler::linkOSRExits): (JSC::DFG::JITCompiler::exitSpeculativeWithOSR): * dfg/DFGJITCompiler.h: (JSC::DFG::JITCompiler::debugCall): (JSC::DFG::JITCompiler::baselineCodeBlockFor): * dfg/DFGJITCompiler32_64.cpp: (JSC::DFG::JITCompiler::exitSpeculativeWithOSR): * dfg/DFGNode.h: (JSC::DFG::Node::hasVariableAccessData): (JSC::DFG::Node::shouldGenerate): * dfg/DFGOperands.h: (JSC::DFG::Operands::ensureLocals): (JSC::DFG::Operands::setLocal): (JSC::DFG::Operands::getLocal): * dfg/DFGPropagator.cpp: (JSC::DFG::Propagator::propagateNodePredictions): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::OSRExit::OSRExit): (JSC::DFG::SpeculativeJIT::compile): (JSC::DFG::SpeculativeJIT::checkArgumentTypes): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::SpeculativeJIT): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * interpreter/CallFrame.cpp: (JSC::CallFrame::trueCallerFrameSlow): * jit/JITCall.cpp: (JSC::JIT::compileOpCallSlowCase): * 
jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): * runtime/Executable.cpp: (JSC::FunctionExecutable::baselineCodeBlockFor): (JSC::FunctionExecutable::produceCodeBlockFor): (JSC::FunctionExecutable::compileForCallInternal): (JSC::FunctionExecutable::compileForConstructInternal): * runtime/Executable.h: (JSC::FunctionExecutable::profiledCodeBlockFor): (JSC::FunctionExecutable::parameterCount): * runtime/Heuristics.cpp: (JSC::Heuristics::initializeHeuristics): * runtime/Heuristics.h: * runtime/JSFunction.h: 2011-10-21 Mark Hahnenberg Add put to the MethodTable https://bugs.webkit.org/show_bug.cgi?id=70439 Reviewed by Oliver Hunt. * JavaScriptCore.exp: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: * runtime/ClassInfo.h: Added put and putByIndex to the MethodTable. * runtime/JSFunction.h: Changed access modifier for put to protected since some subclasses of JSFunction need to reference it in their MethodTables. 2011-10-21 Mark Hahnenberg Add finalizer to JSObject https://bugs.webkit.org/show_bug.cgi?id=70336 Reviewed by Darin Adler. * heap/MarkedBlock.cpp: (JSC::MarkedBlock::callDestructor): Skip the call to the destructor if we're a JSFinalObject, since the finalizer takes care of things. * runtime/JSCell.h: (JSC::JSCell::~JSCell): Remove the GC validation due to a conflict with future changes and the fact that we no longer always call the destructor, making the information provided less useful. * runtime/JSObject.cpp: (JSC::JSObject::finalize): Add finalizer for JSObject. (JSC::JSObject::allocatePropertyStorage): The first time we need to allocate out-of-line property storage, we add a finalizer to ourself. * runtime/JSObject.h: 2011-10-21 Simon Hausmann Remove QtScript source code from WebKit. https://bugs.webkit.org/show_bug.cgi?id=64088 Reviewed by Tor Arne Vestbø. Removed dead code that isn't developed anymore. * JavaScriptCore.gypi: * JavaScriptCore.pri: * qt/api/QtScript.pro: Removed. * qt/api/qscriptconverter_p.h: Removed. 
* qt/api/qscriptengine.cpp: Removed. * qt/api/qscriptengine.h: Removed. * qt/api/qscriptengine_p.cpp: Removed. * qt/api/qscriptengine_p.h: Removed. * qt/api/qscriptfunction.cpp: Removed. * qt/api/qscriptfunction_p.h: Removed. * qt/api/qscriptoriginalglobalobject_p.h: Removed. * qt/api/qscriptprogram.cpp: Removed. * qt/api/qscriptprogram.h: Removed. * qt/api/qscriptprogram_p.h: Removed. * qt/api/qscriptstring.cpp: Removed. * qt/api/qscriptstring.h: Removed. * qt/api/qscriptstring_p.h: Removed. * qt/api/qscriptsyntaxcheckresult.cpp: Removed. * qt/api/qscriptsyntaxcheckresult.h: Removed. * qt/api/qscriptsyntaxcheckresult_p.h: Removed. * qt/api/qscriptvalue.cpp: Removed. * qt/api/qscriptvalue.h: Removed. * qt/api/qscriptvalue_p.h: Removed. * qt/api/qscriptvalueiterator.cpp: Removed. * qt/api/qscriptvalueiterator.h: Removed. * qt/api/qscriptvalueiterator_p.h: Removed. * qt/api/qtscriptglobal.h: Removed. * qt/benchmarks/benchmarks.pri: Removed. * qt/benchmarks/benchmarks.pro: Removed. * qt/benchmarks/qscriptengine/qscriptengine.pro: Removed. * qt/benchmarks/qscriptengine/tst_qscriptengine.cpp: Removed. * qt/benchmarks/qscriptvalue/qscriptvalue.pro: Removed. * qt/benchmarks/qscriptvalue/tst_qscriptvalue.cpp: Removed. * qt/tests/qscriptengine/qscriptengine.pro: Removed. * qt/tests/qscriptengine/tst_qscriptengine.cpp: Removed. * qt/tests/qscriptstring/qscriptstring.pro: Removed. * qt/tests/qscriptstring/tst_qscriptstring.cpp: Removed. * qt/tests/qscriptvalue/qscriptvalue.pro: Removed. * qt/tests/qscriptvalue/tst_qscriptvalue.cpp: Removed. * qt/tests/qscriptvalue/tst_qscriptvalue.h: Removed. * qt/tests/qscriptvalue/tst_qscriptvalue_generated_comparison.cpp: Removed. * qt/tests/qscriptvalue/tst_qscriptvalue_generated_init.cpp: Removed. * qt/tests/qscriptvalue/tst_qscriptvalue_generated_istype.cpp: Removed. * qt/tests/qscriptvalue/tst_qscriptvalue_generated_totype.cpp: Removed. * qt/tests/qscriptvalueiterator/qscriptvalueiterator.pro: Removed. 
* qt/tests/qscriptvalueiterator/tst_qscriptvalueiterator.cpp: Removed. * qt/tests/tests.pri: Removed. * qt/tests/tests.pro: Removed. 2011-10-21 Zheng Liu bytecompiler sometimes generates incorrect bytecode for put_by_id https://bugs.webkit.org/show_bug.cgi?id=70403 Reviewed by Filip Pizlo. * bytecompiler/NodesCodegen.cpp: (JSC::AssignDotNode::emitBytecode): (JSC::AssignBracketNode::emitBytecode): 2011-10-20 Filip Pizlo DFG should not try to predict argument types by looking at the values of argument registers at the time of compilation https://bugs.webkit.org/show_bug.cgi?id=70578 Reviewed by Oliver Hunt. * bytecode/CodeBlock.cpp: * dfg/DFGDriver.cpp: (JSC::DFG::compile): (JSC::DFG::tryCompile): (JSC::DFG::tryCompileFunction): * dfg/DFGDriver.h: (JSC::DFG::tryCompileFunction): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::predictArgumentTypes): * dfg/DFGGraph.h: * runtime/Executable.cpp: (JSC::FunctionExecutable::compileOptimizedForCall): (JSC::FunctionExecutable::compileOptimizedForConstruct): (JSC::FunctionExecutable::compileForCallInternal): (JSC::FunctionExecutable::compileForConstructInternal): * runtime/Executable.h: (JSC::FunctionExecutable::compileForCall): (JSC::FunctionExecutable::compileForConstruct): (JSC::FunctionExecutable::compileFor): (JSC::FunctionExecutable::compileOptimizedFor): 2011-10-20 Filip Pizlo DFG call optimization handling will fail if the call had been unlinked due to the callee being optimized https://bugs.webkit.org/show_bug.cgi?id=70468 Reviewed by Geoff Garen. If a call had ever been linked, we remember this fact as well as the function to which it was linked even if unlinkIncomingCalls() or unlinkCalls() are called. 
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):
        * bytecode/CodeBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgLinkFor):
        * jit/JIT.cpp:
        (JSC::JIT::linkFor):

2011-10-20  Yuqiang Xian

        DFG JIT 32_64 - Fix ByteArray speculation
        https://bugs.webkit.org/show_bug.cgi?id=70571

        Reviewed by Filip Pizlo.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::ValueSource::forPrediction):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-20  Vincent Scheib

        MouseLock compile and run time flags.
        https://bugs.webkit.org/show_bug.cgi?id=70530

        Reviewed by Darin Fisher.

        * wtf/Platform.h:

2011-10-20  Mark Hahnenberg

        Rename static deleteProperty to deletePropertyByIndex
        https://bugs.webkit.org/show_bug.cgi?id=70257

        Reviewed by Geoffrey Garen.

        Renaming versions of deleteProperty that use an unsigned as the property name to
        "deletePropertyByIndex" in preparation for adding them to the MethodTable, which
        requires unique names for each method.
        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::deletePropertyVirtual):
        (JSC::::deletePropertyByIndex):
        * runtime/Arguments.cpp:
        (JSC::Arguments::deletePropertyVirtual):
        (JSC::Arguments::deletePropertyByIndex):
        * runtime/Arguments.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::deletePropertyVirtual):
        (JSC::JSArray::deletePropertyByIndex):
        * runtime/JSArray.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::deletePropertyVirtual):
        (JSC::JSCell::deletePropertyByIndex):
        * runtime/JSCell.h:
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::deletePropertyVirtual):
        (JSC::JSNotAnObject::deletePropertyByIndex):
        * runtime/JSNotAnObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::deletePropertyVirtual):
        (JSC::JSObject::deletePropertyByIndex):
        * runtime/JSObject.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::deletePropertyVirtual):
        (JSC::RegExpMatchesArray::deletePropertyByIndex):

2011-10-20  Filip Pizlo

        https://bugs.webkit.org/show_bug.cgi?id=70482
        DFG-related stubs in the old JIT should not be built if the DFG is disabled

        Reviewed by Zoltan Herczeg.

        Aiming for a slight code size/build time reduction if the DFG is not in play.
        This should also make further DFG development slightly easier since the bodies
        of these JIT stubs can now safely refer to things that are only declared when
        the DFG is enabled.

        * jit/JITStubs.cpp:
        * jit/JITStubs.h:

2011-10-19  Filip Pizlo

        DFG ConvertThis emits slow code when the source node is known to be, but not predicted to be, a final object
        https://bugs.webkit.org/show_bug.cgi?id=70466

        Reviewed by Oliver Hunt.

        Added a new case in ConvertThis compilation.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-19  Filip Pizlo

        Optimization triggers in the old JIT may sometimes fire repeatedly even though there is no optimization to be done
        https://bugs.webkit.org/show_bug.cgi?id=70467

        Reviewed by Oliver Hunt.
        If optimize_from_ret does nothing, it delays the next optimization trigger.
        This is performance-neutral.

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Heuristics.cpp:
        (JSC::Heuristics::initializeHeuristics):

2011-10-19  Yuqiang Xian

        DFG JIT 32_64 - remove unnecessary double unboxings in fillDouble/fillSpeculateDouble
        https://bugs.webkit.org/show_bug.cgi?id=70460

        Reviewed by Filip Pizlo.

        As pointed out by Gavin in bug #70418, when a value is already in memory we can
        avoid loading it to two GPRs at first and then unboxing them to a FPR.
        This gives 9% improvement on Kraken if without the change in bug #70418,
        and 1% if based on the code with bug #70418 change.
        Performance is neutral in V8 and SunSpider.

        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::fillDouble):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):

2011-10-19  Gavin Barraclough

        Poisoning of strict caller,arguments inappropriately poisoning "in"
        https://bugs.webkit.org/show_bug.cgi?id=63398

        Reviewed by Oliver Hunt.

        This fixes the problem by correctly implementing the spec - the error should
        actually be being thrown from a standard JS getter/setter.
        This implements spec correct behaviour for strict mode JS functions & bound
        functions, I'll follow up with a patch to do the same for arguments.

        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::finishCreation):
            - Add the poisoned caller/arguments properties.
        * runtime/JSBoundFunction.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::finishCreation):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::getOwnPropertyDescriptor):
        (JSC::JSFunction::put):
            - If the caller/arguments are accessed on a strict mode function, lazily add the ThrowTypeError getter.
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createThrowTypeError):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::throwTypeErrorGetterSetter):
            - Add a ThrowTypeError type, per ES5 13.2.3.
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncThrowTypeError):
        * runtime/JSGlobalObjectFunctions.h:
            - Implementation of ThrowTypeError.
        * runtime/JSObject.cpp:
        (JSC::JSObject::initializeGetterSetterProperty):
        * runtime/JSObject.h:
            - This function adds a new property (must not exist already) that is an initialized getter/setter.

2011-10-19  Yuqiang Xian

        DFG JIT 32_64 - improve double boxing/unboxing
        https://bugs.webkit.org/show_bug.cgi?id=70418

        Reviewed by Gavin Barraclough.

        Double boxing/unboxing in DFG JIT 32_64 is currently implemented inefficiently,
        which tries to exchange data through memory.
        On X86 some SSE instructions can help us on such operations with better performance.
        This improves 32-bit DFG performance by 29% on Kraken, 7% on SunSpider, and 2% on V8,
        tested on Linux X86 (Core i7 Nehalem).
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::lshiftPacked):
        (JSC::MacroAssemblerX86Common::rshiftPacked):
        (JSC::MacroAssemblerX86Common::orPacked):
        (JSC::MacroAssemblerX86Common::moveInt32ToPacked):
        (JSC::MacroAssemblerX86Common::movePackedToInt32):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::movd_rr):
        (JSC::X86Assembler::psllq_i8r):
        (JSC::X86Assembler::psrlq_i8r):
        (JSC::X86Assembler::por_rr):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::boxDouble):
        (JSC::DFG::JITCodeGenerator::unboxDouble):
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::fillDouble):
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeUInt32ToNumber):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::boxDouble):
        (JSC::DFG::JITCompiler::unboxDouble):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::convertToDouble):
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-19  Gyuyoung Kim

        [EFL] Fix DSO linkage of wtf_efl.

        Unreviewed build fix.

        Need to add -ldl to jsc_efl (requested by dladdr).

        * wtf/CMakeListsEfl.txt:

2011-10-19  Geoffrey Garen

        Removed StringImplBase, fusing it into StringImpl
        https://bugs.webkit.org/show_bug.cgi?id=70443

        Reviewed by Gavin Barraclough.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.order:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/CMakeLists.txt:
        * wtf/text/StringImpl.h:
        (WTF::StringImpl::StringImpl):
        (WTF::StringImpl::ref):
        (WTF::StringImpl::length):
        * wtf/text/StringImplBase.h: Removed.
        * wtf/wtf.pri: Removed!

2011-10-19  Mark Hahnenberg

        Add getConstructData to the MethodTable
        https://bugs.webkit.org/show_bug.cgi?id=70163

        Reviewed by Geoffrey Garen.
        Adding getConstructData to the MethodTable in order to be able to remove all
        calls to getConstructDataVirtual soon. Part of the process of de-virtualizing JSCell.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/ClassInfo.h:

2011-10-18  Oliver Hunt

        Support CanvasPixelArray in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=70384

        Reviewed by Filip Pizlo.

        Add support for the old CanvasPixelArray optimisations to the DFG.
        This removes the regression seen in the DFG when using a CPA.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::store8):
        (JSC::MacroAssemblerX86Common::truncateDoubleToInt32):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::movb_rm):
        (JSC::X86Assembler::X86InstructionFormatter::oneByteOp8):
        * bytecode/PredictedType.cpp:
        (JSC::predictionToString):
        (JSC::predictionFromClassInfo):
        * bytecode/PredictedType.h:
        (JSC::isByteArrayPrediction):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::initialize):
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateByteArray):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::compileClampDoubleToByte):
        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnByteArray):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSByteArray.h:
        (JSC::JSByteArray::offsetOfStorage):
        * wtf/ByteArray.cpp:
        * wtf/ByteArray.h:
        (WTF::ByteArray::offsetOfSize):
        (WTF::ByteArray::offsetOfData):

2011-10-18  Geoffrey Garen

        Some rope cleanup following r97827
        https://bugs.webkit.org/show_bug.cgi?id=70398

        Reviewed by Oliver Hunt.

        9% speedup on date-format-xparb, neutral overall.

        - Removed RopeImpl*.
        - Removed JSString::m_fiberCount, since this can be deduced from other data.
        - Renamed a jsString() variant to jsStringFromArguments for clarity.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.order:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj: Removed RopeImpl*.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitLoadCharacterString):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::loadJSStringArgument):
        * jit/ThunkGenerators.cpp:
        (JSC::stringCharLoad): Use a NULL m_value to signal rope-iness, instead of
        testing m_fiberCount, since m_fiberCount is gone now.

        * runtime/JSString.cpp:
        (JSC::JSString::RopeBuilder::expand):
        (JSC::JSString::visitChildren):
        (JSC::JSString::resolveRope):
        (JSC::JSString::resolveRopeSlowCase):
        (JSC::JSString::outOfMemory): Use a NULL fiber to indicate "last fiber
        in the vector" instead of testing m_fiberCount, since m_fiberCount is gone now.

        * runtime/JSString.h:
        (JSC::RopeBuilder::JSString):
        (JSC::RopeBuilder::finishCreation):
        (JSC::RopeBuilder::offsetOfLength):
        (JSC::RopeBuilder::isRope):
        (JSC::RopeBuilder::string): Removed m_fiberCount. Renamed jsString =>
        jsStringFromArguments for clarity.

        * runtime/Operations.h:
        (JSC::jsStringFromArguments): Renamed.

        * runtime/RopeImpl.cpp: Removed.
        * runtime/RopeImpl.h: Removed.

        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::createEmptyString): Switched to StringImpl::empty,
        which is slightly faster.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncConcat): Updated for rename.
        * wtf/text/StringImplBase.h:
        (WTF::StringImplBase::StringImplBase): Removed the concept of an invalid
        StringImpl, since this was only used by RopeImpl, which is now gone.

2011-10-19  Rafael Antognolli

        [EFL] Fix DSO linkage of jsc_efl.
        https://bugs.webkit.org/show_bug.cgi?id=70412

        Unreviewed build fix.

        Need to add -ldl to jsc_efl (requested by dladdr).

        * shell/CMakeListsEfl.txt:

2011-10-18  Geoffrey Garen

        Rolled out last Windows build fix because it was wrong.

2011-10-18  Geoffrey Garen

        Rolled out last Windows build fix because it was wrong.

2011-10-18  Geoffrey Garen

        Try to fix part of the Windows build.

        Export!

2011-10-18  Geoffrey Garen

        Switched ropes from malloc memory to GC memory
        https://bugs.webkit.org/show_bug.cgi?id=70364

        Reviewed by Gavin Barraclough.

        ~1% SunSpider speedup. Neutral elsewhere.

        Removes one cause for strings having C++ destructors.

        * heap/MarkStack.cpp:
        (JSC::visitChildren): Call the JSString visitChildren function now,
        since it's no longer a no-op.

        * runtime/JSString.cpp:
        (JSC::JSString::~JSString): Moved this destructor out of line because
        it's called virtually, so there's no value to inlining.

        (JSC::JSString::RopeBuilder::expand): Switched RopeBuilder to be a thin
        initializing wrapper around JSString. JSString now represents ropes
        directly, rather than relying on an underlying malloc object.

        (JSC::JSString::visitChildren): Visit our rope fibers, since they're
        GC objects now.

        (JSC::JSString::resolveRope):
        (JSC::JSString::resolveRopeSlowCase):
        (JSC::JSString::outOfMemory): Updated for operating on JSStrings instead
        of malloc objects.

        (JSC::JSString::replaceCharacter): Removed optimizations for substringing
        ropes and replacing subsections of ropes. We want to reimplement versions
        of these optimizations in the future, but this patch already has good
        performance without them.
        * runtime/JSString.h:
        (JSC::RopeBuilder::JSString):
        (JSC::RopeBuilder::finishCreation):
        (JSC::RopeBuilder::createNull):
        (JSC::RopeBuilder::create):
        (JSC::RopeBuilder::createHasOtherOwner):
        (JSC::jsSingleCharacterString):
        (JSC::jsSingleCharacterSubstring):
        (JSC::jsNontrivialString):
        (JSC::jsString):
        (JSC::jsSubstring):
        (JSC::jsOwnedString): Lots of mechanical changes here. The two important
        things are: (1) The fibers in JSString::m_fibers are JSStrings now, not
        malloc objects; (2) I simplified the JSString constructor interface to
        only accept PassRefPtr, instead of variations on that like UString,
        reducing refcount churn.

        * runtime/JSValue.h:
        * runtime/JSValue.cpp:
        (JSC::JSValue::toPrimitiveString): Updated this function to return a
        JSString instead of a UString, since that's what clients want now.

        * runtime/Operations.cpp:
        (JSC::jsAddSlowCase):
        * runtime/Operations.h:
        (JSC::jsString):
        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::createEmptyString): Updated for interface changes above.

        * runtime/StringConstructor.cpp:
        (JSC::constructWithStringConstructor):
        * runtime/StringObject.h:
        (JSC::StringObject::create): Don't create a new JSString if we already
        have a JSString.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncConcat): Updated for interface changes above.

2011-10-18  Gavin Barraclough

        Errrk, fix partial commit of r97825!

        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncToISOString):

2011-10-18  Gavin Barraclough

        Date.prototype.toISOString fails to throw exception
        https://bugs.webkit.org/show_bug.cgi?id=70394

        Reviewed by Sam Weinig.

        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncToISOString):
            - Should throw a range error if the internal value is not finite.

2011-10-18  Mark Hahnenberg

        Rename static put to putByIndex
        https://bugs.webkit.org/show_bug.cgi?id=70281

        Reviewed by Geoffrey Garen.
        Renaming versions of deleteProperty that use an unsigned as the property name to
        "deletePropertyByIndex" in preparation for adding them to the MethodTable, which
        requires unique names for each method.

        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Arguments.cpp:
        (JSC::Arguments::putVirtual):
        (JSC::Arguments::putByIndex):
        * runtime/Arguments.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncMap):
        * runtime/JSArray.cpp:
        (JSC::JSArray::put):
        (JSC::JSArray::putVirtual):
        (JSC::JSArray::putByIndex):
        * runtime/JSArray.h:
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::putVirtual):
        (JSC::JSByteArray::putByIndex):
        * runtime/JSByteArray.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::putVirtual):
        (JSC::JSCell::putByIndex):
        * runtime/JSCell.h:
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::putVirtual):
        (JSC::JSNotAnObject::putByIndex):
        * runtime/JSNotAnObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::putVirtual):
        (JSC::JSObject::putByIndex):
        * runtime/JSObject.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpMatchesArray::fillArrayInstance):
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::putVirtual):
        (JSC::RegExpMatchesArray::putByIndex):

2011-10-18  Gavin Barraclough

        Array.prototype methods missing exception checks
        https://bugs.webkit.org/show_bug.cgi?id=70360

        Reviewed by Geoff Garen.

        Missing exception checks after calls to the static getProperty helper,
        these may result in the wrong exception being thrown (or an ASSERT being
        hit, as is currently the case running test-262).
        No performance impact.
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncConcat):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        (JSC::arrayProtoFuncReduce):
        (JSC::arrayProtoFuncReduceRight):
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):

2011-10-18  Adam Barth

        Always enable ENABLE(XPATH)
        https://bugs.webkit.org/show_bug.cgi?id=70217

        Reviewed by Eric Seidel.

        * Configurations/FeatureDefines.xcconfig:

2011-10-18  Gavin Barraclough

        Indexed arguments on the Arguments object should be enumerable.
        https://bugs.webkit.org/show_bug.cgi?id=70302

        Reviewed by Sam Weinig.

        See ECMA-262 5.1 chapter 10.6 step 11b.
        This is visible through a number of means, including Object.keys,
        Object.getOwnPropertyDescriptor, and operator in.

        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertyDescriptor):
            - The 'enumerable' property should be true for indexed arguments.
        (JSC::Arguments::getOwnPropertyNames):
            - Don't guard the adding of indexed properties with 'IncludeDontEnumProperties'.

2011-10-18  Gustavo Noronha Silva

        Fix distcheck.

        * GNUmakefile.list.am: fix a typo and add a missing header to the list.

2011-10-18  Balazs Kelemen

        ParallelJobs: maximum number of threads should be determined dynamically
        https://bugs.webkit.org/show_bug.cgi?id=68540

        Reviewed by Zoltan Herczeg.

        Add logic to determine the number of cores and use this as the maximum
        number of threads. The implementation currently covers Linux, Darwin,
        Windows, AIX, Solaris, OpenBSD and NetBSD. The patch was tested on Linux,
        Mac and Windows which was enough to cover all code paths. It should work
        on the rest according to the documentation of those OS's. The hard coded
        constant is still used on uncovered OS's which should be fixed in the future.

        * wtf/ParallelJobs.h: Removed the default value of the requestedJobNumber
        argument because clients should always fill it and the 0 default value
        was incorrect anyway.
        (WTF::ParallelJobs::ParallelJobs):
        * wtf/ParallelJobsGeneric.cpp:
        (WTF::ParallelEnvironment::determineMaxNumberOfParallelThreads):
        * wtf/ParallelJobsGeneric.h:
        (WTF::ParallelEnvironment::ParallelEnvironment):

2011-10-17  Gavin Barraclough

        Reverted r997709, this caused test failures.

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSObject.cpp:
        (JSC::JSObject::hasProperty):
        (JSC::JSObject::hasOwnProperty):

2011-10-17  Ryosuke Niwa

        Rename deregister* to unregister*
        https://bugs.webkit.org/show_bug.cgi?id=70272

        Reviewed by Darin Adler.

        Renamed deregisterWeakMap to unregisterWeakMap.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::unregisterWeakMap):

2011-10-17  Gavin Barraclough

        Poisoning of strict caller/arguments inappropriately poisoning "in"
        https://bugs.webkit.org/show_bug.cgi?id=63398

        Reviewed by Sam Weinig.

        The problem here is that the has[Own]Property methods get the slot rather
        than the descriptor, and getting the slot may cause the property to be
        eagerly accessed.

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
            - We don't expect hasProperty to ever throw. If it does, it won't get
              caught (since it is after the exception check), so ASSERT to guard
              against this.
        * runtime/JSObject.cpp:
        (JSC::JSObject::hasProperty):
        (JSC::JSObject::hasOwnProperty):
            - These methods should not check for the presence of the descriptor;
              never get the value.

2011-10-17  Gavin Barraclough

        Exception ordering in String.prototype.replace
        https://bugs.webkit.org/show_bug.cgi?id=70290

        If pattern is not a regexp, it should be converted toString before the
        replacement value has its toString conversion called.

        Reviewed by Oliver Hunt.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncReplace):

2011-10-17  Filip Pizlo

        DFG bytecode parser should understand inline stacks
        https://bugs.webkit.org/show_bug.cgi?id=70278

        Reviewed by Oliver Hunt.

        The DFG bytecode parser is now capable of parsing multiple code blocks at once.
        This remains turned off since not all inlining functionality is implemented.
        This required making a few changes elsewhere in the system. The bytecode
        parser now may do some of the same things that the bytecode generator does,
        like allocating constants and identifiers. Basic block linking relies on
        bytecode indices, which are only meaningful within the context of one basic
        block. This is fine, so long as linking is done eagerly whenever switching
        from one code block to another.

        * bytecode/CodeOrigin.h:
        (JSC::CodeOrigin::CodeOrigin):
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGBasicBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::get):
        (JSC::DFG::ByteCodeParser::set):
        (JSC::DFG::ByteCodeParser::getThis):
        (JSC::DFG::ByteCodeParser::setThis):
        (JSC::DFG::ByteCodeParser::currentCodeOrigin):
        (JSC::DFG::ByteCodeParser::getPrediction):
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::executable):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::~InlineStackEntry):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::linkBlock):
        (JSC::DFG::ByteCodeParser::linkBlocks):
        (JSC::DFG::ByteCodeParser::setupPredecessors):
        (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGGraph.h:
        (JSC::DFG::GetBytecodeBeginForBlock::GetBytecodeBeginForBlock):
        (JSC::DFG::GetBytecodeBeginForBlock::operator()):
        (JSC::DFG::Graph::blockIndexForBytecodeOffset):
        * dfg/DFGNode.h:
        * runtime/Identifier.h:
        (JSC::IdentifierMapIndexHashTraits::emptyValue):
        * runtime/JSValue.h:
        * wtf/StdLibExtras.h:
        (WTF::binarySearchWithFunctor):

2011-10-17  Gavin Barraclough

        Incorrect behavior from String match/search & undefined pattern
        https://bugs.webkit.org/show_bug.cgi?id=70286

        Reviewed by Sam Weinig.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncMatch):
            - In case of undefined, pattern is "".
        (JSC::stringProtoFuncSearch):
            - In case of undefined, pattern is "".

2011-10-17  Gavin Barraclough

        https://bugs.webkit.org/show_bug.cgi?id=70207
        After deleting __defineSetter__, it is absent but appears in name list

        Reviewed by Darin Adler.

        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertyNames):
            - This should check whether static functions have been reified.

2011-10-17  Geoffrey Garen

        Mac build fix.

        * JavaScriptCore.exp: Export!

2011-10-17  Geoffrey Garen

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Export!

2011-10-17  Geoffrey Garen

        Windows build fix.

        * heap/HandleStack.cpp: Added a missing #include.

2011-10-17  Geoffrey Garen

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Removed no
        longer existent symbol.

        * heap/MarkStack.cpp:
        (JSC::MarkStackArray::shrinkAllocation): Cast to the right type.

2011-10-17  Geoffrey Garen

        Simplified GC marking logic
        https://bugs.webkit.org/show_bug.cgi?id=70258

        Reviewed by Filip Pizlo.

        No perf. change.

        This is a first step toward GC allocating string backing stores, starting
        with ropes. It also enables future simplifications and optimizations.

        - Replaced some complex mark stack logic with a simple linear stack of
          JSCell pointers.
        - Replaced logic for short-circuiting marking based on JSType and/or
          Structure flags with special cases for object, array, and string.
        - Fiddled with inlining for better codegen.

        * JavaScriptCore.exp:
        * heap/HandleStack.cpp: Build!

        * heap/Heap.cpp:
        (JSC::Heap::Heap): Provide more vptrs to SlotVisitor, for use in marking.

        * heap/HeapRootVisitor.h: Removed unused functions that no longer build.
        * heap/MarkStack.cpp:
        (JSC::MarkStackArray::MarkStackArray):
        (JSC::MarkStackArray::~MarkStackArray):
        (JSC::MarkStackArray::expand):
        (JSC::MarkStackArray::shrinkAllocation):
        (JSC::MarkStack::reset):
        (JSC::visitChildren):
        (JSC::SlotVisitor::drain):
        * heap/MarkStack.h:
        (JSC::MarkStack::MarkStack):
        (JSC::MarkStack::~MarkStack):
        (JSC::MarkStackArray::append):
        (JSC::MarkStackArray::removeLast):
        (JSC::MarkStackArray::isEmpty):
        (JSC::MarkStack::append):
        (JSC::MarkStack::appendUnbarrieredPointer):
        (JSC::MarkStack::internalAppend): Replaced complex mark set logic with
        simple linear stack.

        * heap/SlotVisitor.h:
        (JSC::SlotVisitor::SlotVisitor): Updated for above changes.

        * runtime/JSArray.cpp:
        (JSC::JSArray::visitChildren):
        * runtime/JSArray.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitChildren):
        * runtime/JSObject.h: Don't inline visitChildren; it's too big.

        * runtime/Structure.h:
        (JSC::MarkStack::internalAppend): Nixed the short-circuit for CompoundType
        because it prevented strings from owning GC pointers.

        * runtime/WriteBarrier.h:
        (JSC::MarkStack::appendValues): No need to validate; internalAppend will
        do that for us.

2011-10-17  Adam Roben

        Windows build fix after r97536, part 3

        * runtime/JSAPIValueWrapper.h:
        * runtime/JSObject.h: Use JS_EXPORTDATA to export the s_info members.

2011-10-17  Adam Roben

        Interpreter build fix after r97564

        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal): Moved declaration
        of globalData variable into ENABLE(JIT) blocks, since it is only used there.

2011-10-17  Adam Roben

        Windows build fix after r97536, part 2

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Added back
        JSC::setUpStaticFunctionSlot with its new mangled name. Sorted the rest
        of the file while I was at it.

2011-10-17  Adam Roben

        Windows build fix after r97536

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Removed export
        of JSC::setUpStaticFunctionSlot, which no longer exists.
        Also removed incorrect exports of s_info members, which need to be exported
        via JS_EXPORTDATA instead.

2011-10-17  Patrick Gansterer

        Interpreter build fix after r97436, r97506, r97532 and r97537.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):

2011-10-16  Adam Barth

        Always disable ENABLE(ON_FIRST_TEXTAREA_FOCUS_SELECT_ALL) and delete associated code
        https://bugs.webkit.org/show_bug.cgi?id=70216

        Reviewed by Eric Seidel.

        * wtf/Platform.h:

2011-10-16  Noel Gordon

        [chromium] Remove PageAllocatorSymbian.h, OSAllocatorSymbian.cpp, gtk/ThreadingGtk.cpp from gyp project files
        https://bugs.webkit.org/show_bug.cgi?id=70205

        Reviewed by James Robinson.

        wtf/PageAllocatorSymbian.h and wtf/OSAllocatorSymbian.cpp were removed in r97557.
        wtf/gtk/ThreadingGtk.cpp was removed in r97269.

        * JavaScriptCore.gypi:

2011-10-16  Adam Barth

        Always enable ENABLE(DOM_STORAGE)
        https://bugs.webkit.org/show_bug.cgi?id=70189

        Reviewed by Eric Seidel.

        * Configurations/FeatureDefines.xcconfig:

2011-10-15  Dan Horák

        The s390 and s390x architectures both use 64-bit double type that conforms
        to the IEEE-754 standard.
        https://bugs.webkit.org/show_bug.cgi?id=69940

        Reviewed by Gavin Barraclough.

        * wtf/dtoa/utils.h:

2011-10-14  Filip Pizlo

        FunctionExecutable should expose the ability to create unattached FunctionCodeBlocks
        https://bugs.webkit.org/show_bug.cgi?id=70157

        Reviewed by Geoff Garen.

        Added FunctionExecutable::produceCodeBlockFor() and rewired compileForCallInternal()
        and compileForConstructInternal() to use this method. This required more cleanly
        exposing some of CodeBlock's tiering functionality and moving the CompilationKind
        enum to Executable.h, as this was the easiest way to make it available to the
        declarations/definitions of CodeBlock, FunctionExecutable, and BytecodeGenerator.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::copyDataFrom):
        (JSC::CodeBlock::copyDataFromAlternative):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::setAlternative):
        * bytecompiler/BytecodeGenerator.h:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::produceCodeBlockFor):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::codeBlockFor):

2011-10-15  Laszlo Gombos

        [Qt] [Symbian] Remove support for the Symbian platform for the QtWebKit port
        https://bugs.webkit.org/show_bug.cgi?id=69920

        Reviewed by Kenneth Rohde Christiansen.

        * JavaScriptCore.pri:
        * JavaScriptCore.pro:
        * heap/MarkStack.h:
        (JSC::::shrinkAllocation):
        * jit/ExecutableAllocator.cpp:
        * jit/ExecutableAllocator.h:
        (JSC::ExecutableAllocator::cacheFlush):
        * jit/JITStubs.cpp:
        * jsc.pro:
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToString):
        * runtime/DatePrototype.cpp:
        (JSC::formatLocaleDate):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncLastIndexOf):
        * runtime/TimeoutChecker.cpp:
        (JSC::getCPUTime):
        * wtf/Assertions.cpp:
        * wtf/Assertions.h:
        * wtf/Atomics.h:
        * wtf/MathExtras.h:
        * wtf/OSAllocator.h:
        (WTF::OSAllocator::decommitAndRelease):
        * wtf/OSAllocatorSymbian.cpp: Removed.
        * wtf/OSRandomSource.cpp:
        (WTF::cryptographicallyRandomValuesFromOS):
        * wtf/PageAllocation.h:
        * wtf/PageAllocatorSymbian.h: Removed.
        * wtf/PageBlock.cpp:
        * wtf/Platform.h:
        * wtf/StackBounds.cpp:
        * wtf/wtf.pri:

2011-10-15  Yuqiang Xian

        Trivial fix for a missing change in r97512
        https://bugs.webkit.org/show_bug.cgi?id=70166

        Reviewed by Gavin Barraclough.

        * dfg/DFGJITCompiler32_64.cpp:
        (JSC::DFG::JITCompiler::link):

2011-10-14  Mark Hahnenberg

        Rename getOwnPropertySlot to getOwnPropertySlotVirtual
        https://bugs.webkit.org/show_bug.cgi?id=69810

        Reviewed by Geoffrey Garen.
        Renamed the virtual version of getOwnPropertySlot to getOwnPropertySlotVirtual
        in preparation for when we add the static getOwnPropertySlot to the MethodTable
        in ClassInfo. Also added a few static getOwnPropertySlot functions where they
        had been overlooked before (especially in CodeGeneratorJS.pm).

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::getOwnPropertySlotVirtual):
        (JSC::::getOwnPropertySlot):
        (JSC::::getOwnPropertyDescriptor):
        (JSC::::staticFunctionGetter):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::getOwnPropertySlotVirtual):
        (JSC::DebuggerActivation::getOwnPropertySlot):
        * debugger/DebuggerActivation.h:
        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertySlotVirtual):
        (JSC::Arguments::getOwnPropertySlot):
        * runtime/Arguments.h:
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::getOwnPropertySlotVirtual):
        (JSC::ArrayConstructor::getOwnPropertySlot):
        * runtime/ArrayConstructor.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::getOwnPropertySlotVirtual):
        * runtime/ArrayPrototype.h:
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::getOwnPropertySlotVirtual):
        * runtime/BooleanPrototype.h:
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::getOwnPropertySlotVirtual):
        * runtime/DateConstructor.h:
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::getOwnPropertySlotVirtual):
        * runtime/DatePrototype.h:
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::getOwnPropertySlotVirtual):
        * runtime/ErrorPrototype.h:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::getOwnPropertySlotVirtual):
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnPropertySlotVirtual):
        (JSC::JSArray::getOwnPropertySlot):
        * runtime/JSArray.h:
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::getOwnPropertySlotVirtual):
        * runtime/JSBoundFunction.h:
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::getOwnPropertySlotVirtual):
        * runtime/JSByteArray.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::getOwnPropertySlotVirtual):
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertySlotVirtual):
        (JSC::JSFunction::getOwnPropertyDescriptor):
        (JSC::JSFunction::getOwnPropertyNames):
        (JSC::JSFunction::put):
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::getOwnPropertySlotVirtual):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::hasOwnPropertyForWrite):
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::getOwnPropertySlotVirtual):
        * runtime/JSNotAnObject.h:
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::JSONObject::getOwnPropertySlotVirtual):
        (JSC::Walker::walk):
        * runtime/JSONObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertySlotVirtual):
        (JSC::JSObject::getOwnPropertySlot):
        (JSC::JSObject::hasOwnProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::getOwnPropertySlotVirtual):
        (JSC::JSCell::fastGetOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSValue::get):
        * runtime/JSStaticScopeObject.cpp:
        (JSC::JSStaticScopeObject::getOwnPropertySlotVirtual):
        * runtime/JSStaticScopeObject.h:
        * runtime/JSString.cpp:
        (JSC::JSString::getOwnPropertySlotVirtual):
        (JSC::JSString::getOwnPropertySlot):
        * runtime/JSString.h:
        * runtime/Lookup.h:
        (JSC::getStaticPropertySlot):
        (JSC::getStaticFunctionSlot):
        (JSC::getStaticValueSlot):
        * runtime/MathObject.cpp:
        (JSC::MathObject::getOwnPropertySlotVirtual):
        * runtime/MathObject.h:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getOwnPropertySlotVirtual):
        * runtime/NumberConstructor.h:
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::getOwnPropertySlotVirtual):
        * runtime/NumberPrototype.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::getOwnPropertySlotVirtual):
        * runtime/ObjectConstructor.h:
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::getOwnPropertySlotVirtual):
        * runtime/ObjectPrototype.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getOwnPropertySlotVirtual):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::getOwnPropertySlotVirtual):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnPropertySlotVirtual):
        * runtime/RegExpObject.h:
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::getOwnPropertySlotVirtual):
        * runtime/RegExpPrototype.h:
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::getOwnPropertySlotVirtual):
        * runtime/StringConstructor.h:
        * runtime/StringObject.cpp:
        (JSC::StringObject::getOwnPropertySlotVirtual):
        * runtime/StringObject.h:
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::getOwnPropertySlotVirtual):
        * runtime/StringPrototype.h:

2011-10-14  Gavin Barraclough

        Most built-in properties are not deletable
        https://bugs.webkit.org/show_bug.cgi?id=61014

        Reviewed by Filip Pizlo.

        Our static hash tables don't allow for deleting properties. This is the
        cause of a bunch of expected failures in LayoutTests/sputnik.

        This fixes the problem by reifying all static functions immediately prior
        to the first deletion. Reification is tracked by a flag on the structure,
        so properties will no longer 'bounce-back' on later access.

        Theoretically there could probably also be an issue with custom accessor
        properties, but we probably do not really require any of these to be
        Configurable anyway. I'll follow up with a separate patch to address this.

        * runtime/ClassInfo.h:
        (JSC::ClassInfo::hasStaticProperties):
            - detects static property tables.
        * runtime/JSObject.cpp:
        (JSC::JSObject::deleteProperty):
            - call reifyStaticFunctions before deletion.
        (JSC::JSObject::reifyStaticFunctions):
            - If the class has static functions, set them up now.
        * runtime/JSObject.h:
        (JSC::JSObject::staticFunctionsReified):
            - returns true if static functions have been reified, and as such should no longer be added.
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
            - If static functions have been reified do not add.
* runtime/Lookup.h: (JSC::HashTable::ConstIterator::ConstIterator): (JSC::HashTable::ConstIterator::operator->): (JSC::HashTable::ConstIterator::operator*): (JSC::HashTable::ConstIterator::operator!=): (JSC::HashTable::ConstIterator::operator++): (JSC::HashTable::ConstIterator::skipInvalidKeys): (JSC::HashTable::begin): (JSC::HashTable::end): (JSC::getStaticPropertySlot): (JSC::getStaticPropertyDescriptor): (JSC::getStaticFunctionSlot): (JSC::getStaticFunctionDescriptor): - setUpStaticFunctionSlot may not add, returns a bool. (JSC::lookupPut): - remove redundant branch. * runtime/Structure.cpp: (JSC::Structure::Structure): - initialize new flag in constructors. * runtime/Structure.h: (JSC::Structure::staticFunctionsReified): (JSC::Structure::setStaticFunctionsReified): - added flag 2011-10-14 Mark Hahnenberg Rename virtual put to putVirtual https://bugs.webkit.org/show_bug.cgi?id=69851 Reviewed by Darin Adler. Renamed virtual versions of put to putVirtual in prepration for adding the static put to the MethodTable in ClassInfo since the compiler gets mad if the virtual and static versions have the same name. 
* API/JSCallbackObject.h: * API/JSCallbackObjectFunctions.h: (JSC::::putVirtual): * API/JSObjectRef.cpp: (JSObjectSetProperty): (JSObjectSetPropertyAtIndex): * JavaScriptCore.exp: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: * debugger/DebuggerActivation.cpp: (JSC::DebuggerActivation::putVirtual): (JSC::DebuggerActivation::put): * debugger/DebuggerActivation.h: * dfg/DFGOperations.cpp: (JSC::DFG::putByVal): * interpreter/Interpreter.cpp: (JSC::Interpreter::execute): * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): * jsc.cpp: (GlobalObject::finishCreation): * runtime/Arguments.cpp: (JSC::Arguments::putVirtual): * runtime/Arguments.h: * runtime/ArrayPrototype.cpp: (JSC::putProperty): (JSC::arrayProtoFuncConcat): (JSC::arrayProtoFuncPush): (JSC::arrayProtoFuncReverse): (JSC::arrayProtoFuncShift): (JSC::arrayProtoFuncSlice): (JSC::arrayProtoFuncSort): (JSC::arrayProtoFuncSplice): (JSC::arrayProtoFuncUnShift): (JSC::arrayProtoFuncFilter): (JSC::arrayProtoFuncMap): * runtime/JSActivation.cpp: (JSC::JSActivation::putVirtual): * runtime/JSActivation.h: * runtime/JSArray.cpp: (JSC::JSArray::putVirtual): (JSC::JSArray::putSlowCase): (JSC::JSArray::push): (JSC::JSArray::shiftCount): (JSC::JSArray::unshiftCount): * runtime/JSArray.h: * runtime/JSByteArray.cpp: (JSC::JSByteArray::putVirtual): * runtime/JSByteArray.h: * runtime/JSCell.cpp: (JSC::JSCell::putVirtual): (JSC::JSCell::put): * runtime/JSCell.h: * runtime/JSFunction.cpp: (JSC::JSFunction::putVirtual): * runtime/JSFunction.h: * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::putVirtual): (JSC::JSGlobalObject::putWithAttributes): * runtime/JSGlobalObject.h: * runtime/JSNotAnObject.cpp: (JSC::JSNotAnObject::putVirtual): * runtime/JSNotAnObject.h: * runtime/JSONObject.cpp: (JSC::Walker::walk): * runtime/JSObject.cpp: (JSC::JSObject::putVirtual): (JSC::JSObject::put): (JSC::JSObject::defineOwnProperty): * runtime/JSObject.h: (JSC::JSValue::put): * runtime/JSStaticScopeObject.cpp: 
(JSC::JSStaticScopeObject::putVirtual): * runtime/JSStaticScopeObject.h: * runtime/Lookup.h: (JSC::lookupPut): * runtime/ObjectPrototype.cpp: (JSC::ObjectPrototype::putVirtual): * runtime/ObjectPrototype.h: * runtime/RegExpConstructor.cpp: (JSC::RegExpMatchesArray::fillArrayInstance): (JSC::RegExpConstructor::putVirtual): * runtime/RegExpConstructor.h: * runtime/RegExpMatchesArray.h: (JSC::RegExpMatchesArray::putVirtual): * runtime/RegExpObject.cpp: (JSC::RegExpObject::putVirtual): * runtime/RegExpObject.h: * runtime/StringObject.cpp: (JSC::StringObject::putVirtual): * runtime/StringObject.h: * runtime/StringPrototype.cpp: (JSC::stringProtoFuncSplit): 2011-10-13 Filip Pizlo Reflective Arguments retrieval should be hardened for the possibility of inlining https://bugs.webkit.org/show_bug.cgi?id=70068 Reviewed by Oliver Hunt. CodeBlock can now track, as part of its RareData, the virtual inline stack at callsites. CallFrame walking can now rematerialize "inline" CallFrames by combining the meta-data in CodeBlock with the information already in the JS stack. Arguments can now safely retrieve the arguments from inline CallFrames. The DFG already had the notion of a "CodeOrigin" in preparation for inlining. This notion will now be saved into the CodeBlock, if the DFG had done inlining. So, CodeOrigin has been moved to bytecode/ and has been changed to behave more like a struct since that is how it's meant to be used. * GNUmakefile.list.am: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: * JavaScriptCore.xcodeproj/project.pbxproj: * bytecode/CodeBlock.h: (JSC::CodeBlock::inlineCallFrames): (JSC::CodeBlock::codeOrigins): (JSC::CodeBlock::hasCodeOrigins): (JSC::CodeBlock::codeOriginForReturn): * bytecode/CodeOrigin.h: Added. 
(JSC::CodeOrigin::CodeOrigin): (JSC::CodeOrigin::isSet): (JSC::getCallReturnOffsetForCodeOrigin): * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::link): * dfg/DFGNode.h: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * interpreter/CallFrame.cpp: (JSC::CallFrame::isInlineCallFrame): (JSC::CallFrame::trueCallerFrame): * interpreter/CallFrame.h: (JSC::ExecState::inlineCallFrame): (JSC::ExecState::setInlineCallFrame): (JSC::ExecState::isInlineCallFrame): (JSC::ExecState::trueCallerFrame): * interpreter/Interpreter.cpp: (JSC::Interpreter::findFunctionCallFrame): * interpreter/Register.h: (JSC::Register::operator=): (JSC::Register::inlineCallFrame): * runtime/Arguments.h: (JSC::Arguments::getArgumentsData): (JSC::Arguments::finishCreationButDontCopyRegisters): (JSC::Arguments::finishCreation): (JSC::Arguments::finishCreationAndCopyRegisters): * runtime/Executable.h: (JSC::FunctionExecutable::parameterCount): 2011-10-14 Mark Hahnenberg Rename virtual deleteProperty to deletePropertyVirtual https://bugs.webkit.org/show_bug.cgi?id=69884 Reviewed by Darin Adler. Renamed virtual versions of deleteProperty to deletePropertyVirtual in prepration for adding the static deleteProperty to the MethodTable in ClassInfo since the compiler gets mad if the virtual and static versions have the same name. 
* API/JSCallbackObject.h: * API/JSCallbackObjectFunctions.h: (JSC::::deletePropertyVirtual): (JSC::::deleteProperty): * API/JSObjectRef.cpp: (JSObjectDeleteProperty): * JavaScriptCore.exp: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: * debugger/DebuggerActivation.cpp: (JSC::DebuggerActivation::deletePropertyVirtual): (JSC::DebuggerActivation::deleteProperty): * debugger/DebuggerActivation.h: * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): * runtime/Arguments.cpp: (JSC::Arguments::deletePropertyVirtual): * runtime/Arguments.h: * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncPop): (JSC::arrayProtoFuncReverse): (JSC::arrayProtoFuncShift): (JSC::arrayProtoFuncSplice): (JSC::arrayProtoFuncUnShift): * runtime/JSActivation.cpp: (JSC::JSActivation::deletePropertyVirtual): * runtime/JSActivation.h: * runtime/JSArray.cpp: (JSC::JSArray::deletePropertyVirtual): (JSC::JSArray::deleteProperty): * runtime/JSArray.h: * runtime/JSCell.cpp: (JSC::JSCell::deletePropertyVirtual): (JSC::JSCell::deleteProperty): * runtime/JSCell.h: * runtime/JSFunction.cpp: (JSC::JSFunction::deletePropertyVirtual): * runtime/JSFunction.h: * runtime/JSNotAnObject.cpp: (JSC::JSNotAnObject::deletePropertyVirtual): * runtime/JSNotAnObject.h: * runtime/JSONObject.cpp: (JSC::Walker::walk): * runtime/JSObject.cpp: (JSC::JSObject::deletePropertyVirtual): (JSC::JSObject::deleteProperty): (JSC::JSObject::defineOwnProperty): * runtime/JSObject.h: * runtime/JSVariableObject.cpp: (JSC::JSVariableObject::deletePropertyVirtual): * runtime/JSVariableObject.h: * runtime/RegExpMatchesArray.h: (JSC::RegExpMatchesArray::deletePropertyVirtual): * runtime/StrictEvalActivation.cpp: (JSC::StrictEvalActivation::deletePropertyVirtual): * runtime/StrictEvalActivation.h: * runtime/StringObject.cpp: (JSC::StringObject::deletePropertyVirtual): * runtime/StringObject.h: 2011-10-14 Peter Beverloo [Chromium] Inherit settings from Chromium's envsetup.sh, address a NDK todo https://bugs.webkit.org/show_bug.cgi?id=70028 
Reviewed by Adam Barth. * JavaScriptCore.gyp/JavaScriptCore.gyp: 2011-10-14 Yuqiang Xian DFG JIT 32_64 - Performance fix for ResolveGlobal https://bugs.webkit.org/show_bug.cgi?id=70096 Reviewed by Gavin Barraclough. Structure check of global object should be a pointer comparison instead of a tag and payload pair comparison. This fix improves SunSpider by 7% on Linux 32, with bitops-bitwise-and improved by 4.75X. Also two trivial fixes for successful 32-bit build are included. * dfg/DFGSpeculativeJIT.cpp: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): 2011-10-13 Filip Pizlo Speculation failures in ValueToInt32 are causing a 2x slow-down in Kraken/stanford-crypto-pbkdf2 https://bugs.webkit.org/show_bug.cgi?id=70089 Reviewed by Gavin Barraclough. If we can't truncate to Int32 using machine code, then don't fail speculation. Just call JSC::toInt32. * dfg/DFGJITCodeGenerator.h: (JSC::DFG::callOperation): * dfg/DFGOperations.h: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileValueToInt32): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): 2011-10-13 Mark Hahnenberg Rename virtual getConstructData to getConstructDataVirtual https://bugs.webkit.org/show_bug.cgi?id=69872 Reviewed by Geoffrey Garen. Renamed virtual getConstructData functions to getConstructDataVirtual to avoid conflicts when we add static getConstructData to the MethodTable. 
* API/JSCallbackConstructor.cpp: (JSC::JSCallbackConstructor::getConstructDataVirtual): * API/JSCallbackConstructor.h: * API/JSCallbackObject.h: * API/JSCallbackObjectFunctions.h: (JSC::::getConstructDataVirtual): * API/JSObjectRef.cpp: (JSObjectIsConstructor): (JSObjectCallAsConstructor): * JavaScriptCore.exp: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: * dfg/DFGOperations.cpp: * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): * runtime/ArrayConstructor.cpp: (JSC::ArrayConstructor::getConstructDataVirtual): * runtime/ArrayConstructor.h: * runtime/BooleanConstructor.cpp: (JSC::BooleanConstructor::getConstructDataVirtual): * runtime/BooleanConstructor.h: * runtime/DateConstructor.cpp: (JSC::DateConstructor::getConstructDataVirtual): * runtime/DateConstructor.h: * runtime/Error.h: (JSC::StrictModeTypeErrorFunction::getConstructDataVirtual): * runtime/ErrorConstructor.cpp: (JSC::ErrorConstructor::getConstructDataVirtual): * runtime/ErrorConstructor.h: * runtime/FunctionConstructor.cpp: (JSC::FunctionConstructor::getConstructDataVirtual): * runtime/FunctionConstructor.h: * runtime/JSCell.cpp: (JSC::JSCell::getConstructDataVirtual): * runtime/JSCell.h: (JSC::getConstructData): * runtime/JSFunction.cpp: (JSC::JSFunction::getConstructDataVirtual): * runtime/JSFunction.h: * runtime/NativeErrorConstructor.cpp: (JSC::NativeErrorConstructor::getConstructDataVirtual): * runtime/NativeErrorConstructor.h: * runtime/NumberConstructor.cpp: (JSC::NumberConstructor::getConstructDataVirtual): * runtime/NumberConstructor.h: * runtime/ObjectConstructor.cpp: (JSC::ObjectConstructor::getConstructDataVirtual): * runtime/ObjectConstructor.h: * runtime/RegExpConstructor.cpp: (JSC::RegExpConstructor::getConstructDataVirtual): * runtime/RegExpConstructor.h: * runtime/StringConstructor.cpp: (JSC::StringConstructor::getConstructDataVirtual): * runtime/StringConstructor.h: 2011-10-13 Filip Pizlo Rubber stamped Stephanie Lewis. DFG_ENABLE() macro was always returning false. 
* dfg/DFGNode.h: 2011-10-13 Gavin Barraclough Speculative build fix for !DFG builds. * jit/JIT.cpp: (JSC::JIT::privateCompile): 2011-10-13 Oliver Hunt Fix performance of ValueToInt32 node when predicting double https://bugs.webkit.org/show_bug.cgi?id=70063 Reviewed by Filip Pizlo. Currently we fail to inline double to int conversion when performing a ValueToInt32 operation on a value we predict to be a double. * dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::execute): Apply correct filter for the double prediction path * dfg/DFGJITCodeGenerator32_64.cpp: (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32): * dfg/DFGJITCodeGenerator64.cpp: (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32): Support double parameters even when value has been spilled. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileValueToInt32): Moved old valueToInt32 code to this function, and added path for double prediction * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): Made the two implementations of ValueToInt32 call a single shared compileValueToInt32 function. 2011-10-13 Chris Marrin Sync requestAnimationFrame callback to CVDisplayLink on Mac https://bugs.webkit.org/show_bug.cgi?id=68911 Reviewed by Simon Fraser. Add REQUEST_ANIMATION_FRAME_DISPLAY_MONITOR for implementations that use the DisplayRefreshMonitor logic. * wtf/Platform.h: 2011-10-13 Gavin Barraclough DFG JIT should not be using ENABLE macro to enable features https://bugs.webkit.org/show_bug.cgi?id=70060 Reviewed by Oliver Hunt. The ENABLE macro is only intended to be used to detect features that are configured in Platform.h. Using its to detect settings defined in other headers is an error. The problem is that the ENABLE macro checks if the value is defined, so will silently return false if you fail to include the header defining the switch. 
This is not a problem if (1) the settings are defined in the same header that defines the macro that tests them, or (2) the header is included everywhere. In the case of ENABLE settings defined in Platform.h, both are true! To make this clear, add an explicit DFG_ENABLE macro. * bytecode/CodeBlock.cpp: * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::getPrediction): (JSC::DFG::ByteCodeParser::makeSafe): * dfg/DFGCapabilities.h: (JSC::DFG::canCompileOpcode): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::predictArgumentTypes): * dfg/DFGJITCodeGenerator.cpp: * dfg/DFGJITCodeGenerator.h: * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::exitSpeculativeWithOSR): (JSC::DFG::JITCompiler::compileBody): (JSC::DFG::JITCompiler::link): * dfg/DFGJITCompiler.h: (JSC::DFG::JITCompiler::noticeOSREntry): * dfg/DFGJITCompiler32_64.cpp: (JSC::DFG::JITCompiler::exitSpeculativeWithOSR): (JSC::DFG::JITCompiler::compileBody): (JSC::DFG::JITCompiler::link): * dfg/DFGNode.h: * dfg/DFGOSREntry.cpp: (JSC::DFG::prepareOSREntry): * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPropagator.cpp: (JSC::DFG::Propagator::fixpoint): (JSC::DFG::Propagator::propagateArithNodeFlags): (JSC::DFG::Propagator::propagateArithNodeFlagsForward): (JSC::DFG::Propagator::propagateArithNodeFlagsBackward): (JSC::DFG::Propagator::propagateNodePredictions): (JSC::DFG::Propagator::propagatePredictionsForward): (JSC::DFG::Propagator::propagatePredictionsBackward): (JSC::DFG::Propagator::propagatePredictions): (JSC::DFG::Propagator::toDouble): (JSC::DFG::Propagator::fixupNode): (JSC::DFG::Propagator::fixup): (JSC::DFG::Propagator::startIndexForChildren): (JSC::DFG::Propagator::endIndexForPureCSE): (JSC::DFG::Propagator::setReplacement): (JSC::DFG::Propagator::eliminate): (JSC::DFG::Propagator::performNodeCSE): (JSC::DFG::Propagator::localCSE): (JSC::DFG::Propagator::allocateVirtualRegisters): (JSC::DFG::Propagator::performBlockCFA): (JSC::DFG::Propagator::performForwardCFA): (JSC::DFG::Propagator::globalCFA): * 
dfg/DFGScoreBoard.h: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal): (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal): (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): (JSC::DFG::SpeculativeJIT::compile): * jit/JIT.cpp: (JSC::JIT::privateCompile): 2011-10-13 Gavin Barraclough terminateSpeculativeExecution for fillSpeculateDouble with DataFormatCell Rubber stamped by Filip Pizlo This is breaking fast/canvas/canvas-composite-alpha.html on 32_64 DFG JIT. * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): 2011-10-13 Mark Hahnenberg De-virtualized JSCell::toNumber https://bugs.webkit.org/show_bug.cgi?id=69858 Reviewed by Sam Weinig. Removed JSCallbackObject::toNumber because its no longer necessary since JSObject::toNumber now suffices since we implicitly add valueOf to an object's prototype whenever a convertToType callback is provided. * API/JSCallbackObject.h: * API/JSCallbackObjectFunctions.h: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: De-virtualized JSCell::toNumber, JSObject::toNumber, and JSString::toNumber. * runtime/JSCell.cpp: (JSC::JSCell::toNumber): * runtime/JSCell.h: * runtime/JSObject.h: * runtime/JSString.h: Removed JSNotAnObject::toNumber because its result doesn't matter and it implements defaultValue, therefore JSObject::toNumber can cover its case. 
* runtime/JSNotAnObject.cpp: * runtime/JSNotAnObject.h: 2011-10-13 Xianzhu Wang Use realloc() to expand/shrink StringBuilder buffer https://bugs.webkit.org/show_bug.cgi?id=69913 Reviewed by Darin Adler. * wtf/text/StringBuilder.cpp: (WTF::StringBuilder::reserveCapacity): (WTF::StringBuilder::reallocateBuffer): (WTF::StringBuilder::appendUninitialized): (WTF::StringBuilder::shrinkToFit): * wtf/text/StringBuilder.h: * wtf/text/StringImpl.cpp: (WTF::StringImpl::reallocate): Added to allow StringBuilder to reallocate the buffer. * wtf/text/StringImpl.h: 2011-10-12 Filip Pizlo If an Arguments object is being used to copy the arguments, then make this explicit https://bugs.webkit.org/show_bug.cgi?id=69995 Reviewed by Sam Weinig. * interpreter/Interpreter.cpp: (JSC::Interpreter::retrieveArguments): * runtime/Arguments.h: (JSC::Arguments::createAndCopyRegisters): (JSC::Arguments::finishCreationButDontCopyRegisters): (JSC::Arguments::finishCreation): (JSC::Arguments::finishCreationAndCopyRegisters): 2011-10-12 Filip Pizlo DFG CFA does not filter structures aggressively enough. https://bugs.webkit.org/show_bug.cgi?id=69989 Reviewed by Oliver Hunt. * dfg/DFGAbstractValue.h: (JSC::DFG::AbstractValue::clear): (JSC::DFG::AbstractValue::makeTop): (JSC::DFG::AbstractValue::clobberStructures): (JSC::DFG::AbstractValue::set): (JSC::DFG::AbstractValue::merge): (JSC::DFG::AbstractValue::filter): (JSC::DFG::AbstractValue::checkConsistency): 2011-10-12 Adam Barth Remove ENABLE(XHTMLMP) and associated code https://bugs.webkit.org/show_bug.cgi?id=69729 Reviewed by David Levin. * Configurations/FeatureDefines.xcconfig: 2011-10-12 Gavin Barraclough MacroAssemblerX86 8-bit register ops unsafe on CPU(X86) https://bugs.webkit.org/show_bug.cgi?id=69978 Reviewed by Filip Pizlo. Certain ops are unsafe if the register passed is esp..edi (will instead test/set the ). compare32/test8/test32 Call setCC, which sets an 8-bit register - we can fix this by adding a couple of xchg instructions. 
branchTest8 with a register argument is also affected. In all cases this is currently used this is testing a value that is correct to 32 or more bits, so we can simply switch these to branchTest32 & remove the corresponding branchTest8 (this is desirable anyway, since the 32-bit form is cheaper to implement on platforms that don't have an 8-bit compare instruction). This fixes the remaining fast/js failures with the DFG JIT 32_64. * assembler/MacroAssemblerARMv7.h - removed branchTest8. * assembler/MacroAssemblerX86Common.h: (JSC::MacroAssemblerX86Common::compare32): (JSC::MacroAssemblerX86Common::test8): (JSC::MacroAssemblerX86Common::test32): (JSC::MacroAssemblerX86Common::set32): - added set32 helper that is 'h' register safe. - removed branchTest8. * dfg/DFGJITCodeGenerator32_64.cpp: (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch): (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq): - switch uses of branchTest8 to branchTest32. * dfg/DFGJITCodeGenerator64.cpp: (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch): (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq): - switch uses of branchTest8 to branchTest32. * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::emitBranch): - switch uses of branchTest8 to branchTest32. * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::emitBranch): - switch uses of branchTest8 to branchTest32. 2011-10-12 Gavin Barraclough Errrk, revert accidental commit! * wtf/Platform.h: 2011-10-12 Gavin Barraclough Unreviewed, re-land changes from #69890, #69903. These were reverted due to bug #69897, but #69903 fixed this problem. * dfg/DFGJITCodeGenerator.h: (JSC::DFG::JITCodeGenerator::silentFillGPR): 2011-10-12 Filip Pizlo ValueProfile::computeUpdatedPrediction doesn't merge statistics correctly https://bugs.webkit.org/show_bug.cgi?id=69906 Reviewed by Gavin Barraclough. 
It turns out that the simplest fix is to switch computeUpdatedPredictions() to using predictionFromValue() combined with mergePrediction(). Doing so allowed me to kill off weakBuckets and visitWeakReferences(). Hence this not only fixes a performance bug but kills off a lot of code that I never liked to begin with. This appears to be a 1% win on V8. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::visitAggregate): * bytecode/CodeBlock.h: * bytecode/PredictedType.cpp: (JSC::predictionFromValue): * bytecode/ValueProfile.cpp: (JSC::ValueProfile::computeStatistics): (JSC::ValueProfile::computeUpdatedPrediction): * bytecode/ValueProfile.h: (JSC::ValueProfile::classInfo): (JSC::ValueProfile::numberOfSamples): (JSC::ValueProfile::isLive): (JSC::ValueProfile::dump): 2011-10-12 Mark Hahnenberg De-virtualize JSCell::toString https://bugs.webkit.org/show_bug.cgi?id=69677 Reviewed by Sam Weinig. Removed toString from JSCallbackObject, since it is no longer necessary since we now implicitly add toString and valueOf functions to object prototypes when a convertToType callback is provided, which is now the standard way to override toString and valueOf in the JSC C API. * API/JSCallbackObject.h: * API/JSCallbackObjectFunctions.h: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Removed toString from InterruptedExecutionError and TerminatedExecutionError and replaced it with defaultValue, which JSObject::toString calls. We'll probably have to de-virtualize defaultValue eventually, but we'll cross that bridge when we come to it. * runtime/ExceptionHelpers.cpp: (JSC::InterruptedExecutionError::defaultValue): (JSC::TerminatedExecutionError::defaultValue): * runtime/ExceptionHelpers.h: Removed toString from JSNotAnObject, since its return value doesn't actually matter and JSObject::toString can cover it. * runtime/JSNotAnObject.cpp: * runtime/JSNotAnObject.h: De-virtualized JSCell::toString, JSObject::toString and JSString::toString. 
Added handling of all cases for JSCell to JSCell::toString. * runtime/JSObject.h: * runtime/JSString.h: * runtime/JSCell.cpp: (JSC::JSCell::toString): * runtime/JSCell.h: 2011-10-12 Oliver Hunt Global stringStructure caches its prototype chain, abandoning a web page https://bugs.webkit.org/show_bug.cgi?id=69952 Reviewed by Filip Pizlo. When visiting a structure, we don't keep the prototype chain alive if we're not the structure for an object type. * runtime/Structure.cpp: (JSC::Structure::visitChildren): 2011-10-12 Yuqiang Xian DFG JIT 32_64 - Fix ArrayPop https://bugs.webkit.org/show_bug.cgi?id=69918 Reviewed by Filip Pizlo. The storageLengthGPR is polluted by EmptyValueTag and later used to index the array, which results in abnormal behaviors in execution. This fix makes 32_64 DFG pass v8-deltablue and kraken crypto-sha256-iterative on Linux ia32. * assembler/MacroAssemblerX86Common.h: (JSC::MacroAssemblerX86Common::store32): * assembler/X86Assembler.h: (JSC::X86Assembler::movl_i32m): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): 2011-10-12 Gustavo Noronha Silva Fix build with GLib 2.31 https://bugs.webkit.org/show_bug.cgi?id=69840 Reviewed by Martin Robinson. * GNUmakefile.list.am: removed ThreadingGtk.cpp. * wtf/ThreadingPrimitives.h: remove GTK+-specific definitions. * wtf/gobject/GOwnPtr.cpp: remove GCond and GMutex specializations. * wtf/gobject/GOwnPtr.h: ditto. * wtf/gobject/GTypedefs.h: remove GCond and GMutex forward declarations. * wtf/gtk/ThreadingGtk.cpp: Removed. 2011-10-12 Filip Pizlo Layout tests crashing in DFG JIT code https://bugs.webkit.org/show_bug.cgi?id=69897 Reviewed by Gavin Barraclough. Abstract value filtration didn't take into account cases where a structure set filter, combined with predicted type knowledge, could lead to a stronger filter for the structure abstract value. 
This bug would have been benign in release builds; it would have just meant that the analysis was less precise and some optimization opportunities would be missed. I have an ASSERT that is meant to catch such cases, and it was triggering sporadically in one of the LayoutTests. * dfg/DFGAbstractValue.h: (JSC::DFG::AbstractValue::filter): 2011-10-11 Gavin Barraclough Unreviewed, temporarily reverted r97216 due to bug #69897. * dfg/DFGJITCodeGenerator.h: (JSC::DFG::JITCodeGenerator::silentFillGPR): 2011-10-11 Yuqiang Xian DFG 32_64 - fix silentFillGPR https://bugs.webkit.org/show_bug.cgi?id=69903 Reviewed by Filip Pizlo. Fix a small bug in silentFillGPR, and add the newly introduced DFG file to CMakeListsEfl. * CMakeListsEfl.txt: * dfg/DFGJITCodeGenerator.h: (JSC::DFG::JITCodeGenerator::silentFillGPR): 2011-10-08 Filip Pizlo DFG does not have flow-sensitive intraprocedural control flow analysis https://bugs.webkit.org/show_bug.cgi?id=69690 Reviewed by Gavin Barraclough. Implemented a control flow analysis (CFA). It currently propagates type proofs only. For example, if all predecessors to a basic block have checks that variable X is a JSFinalObject with structure 0xabcdef, then this basic block will now know this fact and will know that it does not have to emit either JSFinalObject checks or any structure checks since the structure is precisely known. The CFA takes heap side-effects into account (though somewhat conservatively), so that if the object pointed to by variable X could have possibly undergone a structure transition then this is reflected: the analysis may simply say that X's structure is unknown. This also propagates a wealth of other type information which is currently not being used. For example, we now know when a variable can only hold doubles. Even if a variable may hold other types at different points in its live range, we can still prove exactly when it will only be double. 
There's a bunch of stuff that the CFA could do that it still does not do, like precise handling of PutStructure (i.e. structure transitions), precise handling of CheckFunction and CheckMethod, etc. So this is very much intended to be a starting point rather than an end unto itself. This is a 1% win on V8 (mostly due to a 3% win on richards and deltablue) and a 1% win on Kraken (mostly due to a 6% win on imaging-desaturate). Neutral on SunSpider. * GNUmakefile.list.am: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: * JavaScriptCore.xcodeproj/project.pbxproj: * bytecode/ActionablePrediction.h: Removed. * bytecode/PredictedType.cpp: (JSC::predictionToString): * bytecode/PredictedType.h: * dfg/DFGAbstractState.cpp: Added. (JSC::DFG::AbstractState::AbstractState): (JSC::DFG::AbstractState::~AbstractState): (JSC::DFG::AbstractState::beginBasicBlock): (JSC::DFG::AbstractState::initialize): (JSC::DFG::AbstractState::endBasicBlock): (JSC::DFG::AbstractState::reset): (JSC::DFG::AbstractState::execute): (JSC::DFG::AbstractState::clobberStructures): (JSC::DFG::AbstractState::mergeStateAtTail): (JSC::DFG::AbstractState::merge): (JSC::DFG::AbstractState::mergeToSuccessors): (JSC::DFG::AbstractState::mergeVariableBetweenBlocks): (JSC::DFG::AbstractState::dump): * dfg/DFGAbstractState.h: Added. (JSC::DFG::AbstractState::forNode): (JSC::DFG::AbstractState::isValid): * dfg/DFGAbstractValue.h: Added. 
        (JSC::DFG::StructureAbstractValue::StructureAbstractValue):
        (JSC::DFG::StructureAbstractValue::clear):
        (JSC::DFG::StructureAbstractValue::makeTop):
        (JSC::DFG::StructureAbstractValue::top):
        (JSC::DFG::StructureAbstractValue::add):
        (JSC::DFG::StructureAbstractValue::addAll):
        (JSC::DFG::StructureAbstractValue::contains):
        (JSC::DFG::StructureAbstractValue::isSubsetOf):
        (JSC::DFG::StructureAbstractValue::doesNotContainAnyOtherThan):
        (JSC::DFG::StructureAbstractValue::isSupersetOf):
        (JSC::DFG::StructureAbstractValue::filter):
        (JSC::DFG::StructureAbstractValue::isClear):
        (JSC::DFG::StructureAbstractValue::isTop):
        (JSC::DFG::StructureAbstractValue::size):
        (JSC::DFG::StructureAbstractValue::at):
        (JSC::DFG::StructureAbstractValue::operator[]):
        (JSC::DFG::StructureAbstractValue::last):
        (JSC::DFG::StructureAbstractValue::predictionFromStructures):
        (JSC::DFG::StructureAbstractValue::operator==):
        (JSC::DFG::StructureAbstractValue::dump):
        (JSC::DFG::AbstractValue::AbstractValue):
        (JSC::DFG::AbstractValue::clear):
        (JSC::DFG::AbstractValue::isClear):
        (JSC::DFG::AbstractValue::makeTop):
        (JSC::DFG::AbstractValue::clobberStructures):
        (JSC::DFG::AbstractValue::isTop):
        (JSC::DFG::AbstractValue::top):
        (JSC::DFG::AbstractValue::set):
        (JSC::DFG::AbstractValue::operator==):
        (JSC::DFG::AbstractValue::merge):
        (JSC::DFG::AbstractValue::filter):
        (JSC::DFG::AbstractValue::validate):
        (JSC::DFG::AbstractValue::dump):
        * dfg/DFGBasicBlock.h: Added.
        (JSC::DFG::BasicBlock::BasicBlock):
        (JSC::DFG::BasicBlock::getBytecodeBegin):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::processPhiStack):
        (JSC::DFG::ByteCodeParser::setupPredecessors):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::block):
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
        * dfg/DFGJITCodeGenerator64.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::noticeOSREntry):
        * dfg/DFGNode.h:
        (JSC::DFG::NodeIndexTraits::defaultValue):
        (JSC::DFG::Node::variableAccessData):
        (JSC::DFG::Node::takenBytecodeOffsetDuringParsing):
        (JSC::DFG::Node::notTakenBytecodeOffsetDuringParsing):
        (JSC::DFG::Node::setTakenBlockIndex):
        (JSC::DFG::Node::setNotTakenBlockIndex):
        (JSC::DFG::Node::takenBlockIndex):
        (JSC::DFG::Node::notTakenBlockIndex):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSREntry.h:
        * dfg/DFGOperands.h: Added.
        (JSC::DFG::operandIsArgument):
        (JSC::DFG::OperandValueTraits::defaultValue):
        (JSC::DFG::Operands::Operands):
        (JSC::DFG::Operands::numberOfArguments):
        (JSC::DFG::Operands::numberOfLocals):
        (JSC::DFG::Operands::argument):
        (JSC::DFG::Operands::local):
        (JSC::DFG::Operands::setLocal):
        (JSC::DFG::Operands::setArgumentFirstTime):
        (JSC::DFG::Operands::setLocalFirstTime):
        (JSC::DFG::Operands::operand):
        (JSC::DFG::Operands::setOperand):
        (JSC::DFG::Operands::clear):
        (JSC::DFG::dumpOperands):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::fixpoint):
        (JSC::DFG::Propagator::propagateArithNodeFlags):
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::propagatePredictions):
        (JSC::DFG::Propagator::performBlockCFA):
        (JSC::DFG::Propagator::performForwardCFA):
        (JSC::DFG::Propagator::globalCFA):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureSet.h:
        (JSC::DFG::StructureSet::clear):
        (JSC::DFG::StructureSet::predictionFromStructures):
        (JSC::DFG::StructureSet::operator==):
        (JSC::DFG::StructureSet::dump):
        * dfg/DFGVariableAccessData.h: Added.

2011-10-11  Gavin Barraclough

        DFG JIT 32_64 - Fix silentFillGPR for non-integer constants.
        https://bugs.webkit.org/show_bug.cgi?id=69890

        Reviewed by Oliver Hunt.

        Cell constants are currently hitting the valueOfInt32Constant case, there is no constant handling for JSValues.

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::silentFillGPR):

2011-10-11  Ryosuke Niwa

        GTK build fix attempt after r97197.

        * wtf/BitVector.h:

2011-10-11  Oliver Hunt

        Remove unintentional logging.

        * heap/Heap.cpp:

2011-10-11  Oliver Hunt

        Tidy up card walking logic
        https://bugs.webkit.org/show_bug.cgi?id=69883

        Reviewed by Gavin Barraclough.

        Special case common cell sizes when walking a block's cards.

        * heap/CardSet.h:
        (JSC::::testAndClear):
        * heap/Heap.cpp:
        (JSC::GCTimer::GCCounter::GCCounter):
        (JSC::GCTimer::GCCounter::count):
        (JSC::GCTimer::GCCounter::~GCCounter):
        (JSC::Heap::markRoots):
        * heap/MarkStack.cpp:
        (JSC::MarkStack::reset):
        * heap/MarkStack.h:
        (JSC::MarkStack::visitCount):
        (JSC::MarkStack::MarkStack):
        (JSC::MarkStack::append):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::gatherDirtyCellsWithSize):
        (JSC::MarkedBlock::gatherDirtyCells):
        * runtime/Structure.h:
        (JSC::MarkStack::internalAppend):

2011-10-11  Filip Pizlo

        DFG virtual register allocator should be more aggressive in reusing temporary slots
        https://bugs.webkit.org/show_bug.cgi?id=69868

        Reviewed by Oliver Hunt.

        1.2% win on V8, neutral elsewhere. The win is probably because it increases precision of GC conservative scans.

        This required making the DFG::ScoreBoard operate over a bitvector of preserved variables, rather than just a preserved variable threshold. To do this, I improved the WTF::BitVector class to make it more user-friendly. It still retains all previous functionality.
        Also made changes to PackedIntVector to accommodate those changes.

        Finally, this adds more debugging to the virtual register allocator and to the OSR exit code, as this was necessary to track down bugs in an earlier version of this patch.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::getLocal):
        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::allocateVirtualRegisters):
        * dfg/DFGScoreBoard.h:
        (JSC::DFG::ScoreBoard::ScoreBoard):
        (JSC::DFG::ScoreBoard::~ScoreBoard):
        (JSC::DFG::ScoreBoard::allocate):
        (JSC::DFG::ScoreBoard::use):
        (JSC::DFG::ScoreBoard::highWatermark):
        (JSC::DFG::ScoreBoard::dump):
        (JSC::DFG::ScoreBoard::max):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::ValueRecovery::dump):
        * wtf/BitVector.cpp:
        (WTF::BitVector::setSlow):
        (WTF::BitVector::resizeOutOfLine):
        (WTF::BitVector::dump):
        * wtf/BitVector.h:
        (WTF::BitVector::BitVector):
        (WTF::BitVector::operator=):
        (WTF::BitVector::quickGet):
        (WTF::BitVector::quickSet):
        (WTF::BitVector::quickClear):
        (WTF::BitVector::get):
        (WTF::BitVector::set):
        (WTF::BitVector::clear):
        * wtf/PackedIntVector.h:
        (WTF::PackedIntVector::get):
        (WTF::PackedIntVector::set):

2011-10-11  Gavin Barraclough

        DFG JIT 32_64 - Switch to cdecl calling convention.
        https://bugs.webkit.org/show_bug.cgi?id=69863

        Reviewed by Oliver Hunt.

        This makes it easier to keep the stack correctly aligned, which is required on OS X.

        * assembler/MacroAssemblerCodeRef.h:
        (JSC::FunctionPtr::FunctionPtr):
            - Provide default FunctionPtr constructors for CDECL functions on STDCALL platforms.
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::callOperation):
            - Switch calls to poke arguments rather than pushing them.
        (JSC::DFG::resetCallArguments):
        (JSC::DFG::addCallArgument):
        (JSC::DFG::addCallArgumentBoxed):
            - Helper functions to stack up call arguments on X86.
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):
            - Don't push, poke!
        * dfg/DFGJITCompiler32_64.cpp:
        (JSC::DFG::JITCompiler::compileBody):
            - Don't push, poke!
        * dfg/DFGOperations.cpp:
            - Switch ReturnAddress wrappers to push return address last, update asm trampolines.
        * dfg/DFGOperations.h:
            - switch DFG_OPERATION to assert CDECL on STDCALL platforms.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::fmodWithCDecl):
        (JSC::DFG::SpeculativeJIT::compile):
            - On STDCALL platforms wrap fmod, since DFG_OPERATION wrappers are CDECL.

2011-10-11  Gavin Barraclough

        Switch RegisterSizedBoolean/dfgConvertJSValueToInt32 return type to size_t
        https://bugs.webkit.org/show_bug.cgi?id=69821

        Reviewed by Filip Pizlo.

        Operations returning types Z (int32_t) and B (RegisterSizedBoolean - implemented as an intptr_t) are indistinguishable on 32-bit Linux, preventing the DFG JIT from building. dfgConvertJSValueToInt32 would be better returning a value known to be register sized, for JSVALUE64 (we currently zero-extend in JIT code, potentially introducing an unnecessary move), so by switching all associated operations to return a size_t we can fix the type problem on Linux & make it a small tweak that removes an unnecessary instruction.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
            - comparisons now return a size_t.
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::callOperation):
            - Removed Z_DFGOperation_EJ form.
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
            - comparisons now return a size_t.
        * dfg/DFGJITCodeGenerator64.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
            - comparisons now return a size_t.
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
            - Change return types for comparison operations & dfgConvertJSValueToInt32 to size_t. Both need to return values zero extended to fill a register.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
            - comparisons now return a size_t.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compare):
            - comparisons now return a size_t.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compare):
            - comparisons now return a size_t.

2011-10-11  Tor Arne Vestbø

        [Qt] Remove all references to QTDIR_build and standalone_package

        Qt is now modularized, which means we no longer import WebKit into the Qt source tree. Instead we use git submodules, and building QtWebKit as "part of Qt" is really building QtWebKit as from trunk.

        To decrease the number of buildsystem configurations we also remove the standalone_package code-path used when we were providing tarballs with the derived sources pre-generated.

        Reviewed by Simon Hausmann.

        * DerivedSources.pro:
        * JavaScriptCore.pri:
        * JavaScriptCore.pro:

2011-10-11  Yuqiang Xian

        Add missing copyright notice in DFG JIT files
        https://bugs.webkit.org/show_bug.cgi?id=69809

        Reviewed by Gavin Barraclough.

        * dfg/DFGJITCodeGenerator32_64.cpp:
        * dfg/DFGJITCompiler32_64.cpp:
        * dfg/DFGJITCompilerInlineMethods.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:

2011-10-10  Filip Pizlo

        DFG JSVALUE64 spill/fill code should not box integers and doubles
        https://bugs.webkit.org/show_bug.cgi?id=69782

        Reviewed by Oliver Hunt.

        Added the notion of DataFormatInteger and DataFormatDouble to the spillFormat. This required changing all of the places that spill registers (both silently and not) and filling registers (both silently and on demand). It also required changing OSR exit to recognize that a spilled value (DisplacedInRegisterFile) may have the wrong format for the old JIT (unboxed int or double).

        This is a slight win on Kraken (0.25%) and neutral elsewhere.
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::spill):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::silentFillFPR):
        (JSC::DFG::JITCodeGenerator::spill):
        * dfg/DFGJITCodeGenerator64.cpp:
        (JSC::DFG::JITCodeGenerator::fillInteger):
        (JSC::DFG::JITCodeGenerator::fillDouble):
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::ValueRecovery::displacedInRegisterFile):
        (JSC::DFG::ValueRecovery::virtualRegister):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):

2011-10-10  Gavin Barraclough

        DFG JIT switch dfgConvert methods to use callOperation
        https://bugs.webkit.org/show_bug.cgi?id=69806

        Reviewed by Filip Pizlo.

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::callOperation):
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
        * dfg/DFGJITCodeGenerator64.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
        * dfg/DFGOperations.h:

2011-10-10  Gavin Barraclough

        Remove some unused methods from the DFG JIT.

        Rubber stamped by Oliver Hunt.

        These methods were only used by the non-speculative JIT, and can be removed.
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGJITCodeGenerator32_64.cpp:
        * dfg/DFGJITCodeGenerator64.cpp:
            - removed:
                nonSpeculativeAdd
                nonSpeculativeArithSub
                nonSpeculativeArithMod
                nonSpeculativeCheckHasInstance
                nonSpeculativeInstanceOf
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
            - removed:
                operationArithMod
                operationInstanceOf
                operationThrowHasInstanceError

2011-10-10  Gavin Barraclough

        Switch most calls in DFGJITCodeGenerator to use callOperation.
        https://bugs.webkit.org/show_bug.cgi?id=69802

        Reviewed by Oliver Hunt.

        Compares, add, mod are the easy cases.

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::callOperation):
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeArithMod):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
        * dfg/DFGJITCodeGenerator64.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:

2011-10-10  Gavin Barraclough

        DFG: Switch GetById / PutById to use callOperation
        https://bugs.webkit.org/show_bug.cgi?id=69795

        Reviewed by Oliver Hunt.

        Also make the take base as a cell, so 32_64 doesn't have to set up the cell tag.
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::callOperation):
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::cachedGetById):
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        * dfg/DFGJITCodeGenerator64.cpp:
        (JSC::DFG::JITCodeGenerator::cachedGetById):
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::appropriatePutByIdFunction):

2011-10-10  Filip Pizlo

        REGRESSION (r95399): Web process hangs when opening documents on Google Docs
        https://bugs.webkit.org/show_bug.cgi?id=69412

        Reviewed by Oliver Hunt.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:

2011-10-10  Mark Hahnenberg

        Remove getCallDataVirtual methods
        https://bugs.webkit.org/show_bug.cgi?id=69186

        Reviewed by Geoffrey Garen.

        Removed all getCallDataVirtual methods and replaced their call sites with an explicit lookup in the MethodTable.

        * API/JSCallbackFunction.cpp:
        * API/JSCallbackFunction.h:
        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        * API/JSObjectRef.cpp:
        (JSObjectIsFunction):
        (JSObjectCallAsFunction):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/ArrayConstructor.cpp:
        * runtime/ArrayConstructor.h:
        * runtime/BooleanConstructor.cpp:
        * runtime/BooleanConstructor.h:
        * runtime/DateConstructor.cpp:
        * runtime/DateConstructor.h:
        Moved StrictModeTypeErrorFunction to Error.h in order to be able to include the class definition in JSGlobalObject.cpp.
        * runtime/Error.cpp:
        (JSC::createTypeErrorFunction):
        * runtime/Error.h:
        (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
        (JSC::StrictModeTypeErrorFunction::create):
        (JSC::StrictModeTypeErrorFunction::constructThrowTypeError):
        (JSC::StrictModeTypeErrorFunction::getConstructData):
        (JSC::StrictModeTypeErrorFunction::callThrowTypeError):
        (JSC::StrictModeTypeErrorFunction::getCallData):
        (JSC::StrictModeTypeErrorFunction::createStructure):
        * runtime/ErrorConstructor.cpp:
        * runtime/ErrorConstructor.h:
        * runtime/FunctionConstructor.cpp:
        * runtime/FunctionConstructor.h:
        * runtime/FunctionPrototype.cpp:
        * runtime/FunctionPrototype.h:
        To allow subclasses of InternalFunction (e.g. QtRuntimeMethod) to not have to declare their own ClassInfo if they don't override getCallData, provided an implementation that calls ASSERT_NOT_REACHED if called, providing roughly the same functionality as of the pure virtual method InternalFunction used to have. Also made this new implementation protected rather than private for the same reason. Also added an ASSERT in InternalFunction::finishCreation to make sure that whatever object is being created provides their own implementation of getCallData. This just makes execution fail earlier in a place where the source of the error is easy to trace. These ASSERTs are better than putting a null in the MethodTable because they appear much more intentional to anybody who fails to provide their own implementation or who tries to explicitly call InternalFunction::getCallData.
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::finishCreation):
        (JSC::InternalFunction::getCallData):
        * runtime/InternalFunction.h:
        * runtime/JSCell.cpp:
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        * runtime/JSFunction.h:
        Added a global structure to JSGlobalObject for StrictModeTypeErrorFunction to enable it to be reused rather than creating a new Structure every time we instantiate it.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::strictModeTypeErrorFunctionStructure):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::toJSON):
        (JSC::Stringifier::appendStringifiedValue):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        * runtime/JSObject.h:
        (JSC::getCallData):
        * runtime/NativeErrorConstructor.cpp:
        * runtime/NativeErrorConstructor.h:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberConstructor.h:
        * runtime/ObjectConstructor.cpp:
        * runtime/ObjectConstructor.h:
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        (JSC::jsIsObjectType):
        (JSC::jsIsFunctionType):
        * runtime/PropertySlot.cpp:
        (JSC::PropertySlot::functionGetter):
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpConstructor.h:
        * runtime/StringConstructor.cpp:
        * runtime/StringConstructor.h:
        * runtime/Structure.h:

2011-10-10  Gavin Barraclough

        Switch last calls from DFGSpeculativeJIT to use callOperation.
        https://bugs.webkit.org/show_bug.cgi?id=69780

        Reviewed by Oliver Hunt.

        Also, rename type in operations for booleans from Z to B, since Z is the mathematical symbol for integers.
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::callOperation):
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
        * dfg/DFGJITCodeGenerator64.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compile):
        * wtf/Platform.h:

2011-10-10  Yuqiang Xian

        JSVALUE32_64 DFG JIT - bug fix for V8 benchmark cases "crypto" and "raytrace"
        https://bugs.webkit.org/show_bug.cgi?id=69748

        Reviewed by Filip Pizlo.

        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::cachedGetMethod):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):

2011-10-10  Adam Roben

        Build fix

        * wtf/MainThread.h: Pull in Platform.h since this file uses PLATFORM() macros.

2011-10-10  Yuqiang Xian

        JSVALUE32_64 DFG JIT - Bug fix for BranchNull
        https://bugs.webkit.org/show_bug.cgi?id=69743

        Reviewed by Darin Adler.

        This fixes the error in access-binary-trees. All SunSpider cases passed.

        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):

2011-10-07  Gavin Barraclough

        DFG JIT: callOperation should return the Call.
        https://bugs.webkit.org/show_bug.cgi?id=69682

        Reviewed by Oliver Hunt.

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::callOperation):
        (JSC::DFG::appendCallWithExceptionCheckSetResult):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::appendCall):
        * wtf/Platform.h:

2011-10-10  Sheriff Bot

        Unreviewed, rolling out r97045.
        http://trac.webkit.org/changeset/97045
        https://bugs.webkit.org/show_bug.cgi?id=69746

        makes apple bots very crashy :( (Requested by kling on #webkit).

        * config.h:

2011-10-10  Andreas Kling

        Shrink BorderValue.
        https://bugs.webkit.org/show_bug.cgi?id=69521

        Reviewed by Antti Koivisto.

        * config.h: Touch to force full rebuild.

2011-10-09  Yuqiang Xian

        Improve Null or Undefined test in 32_64 DFG
        https://bugs.webkit.org/show_bug.cgi?id=69734

        Reviewed by Darin Adler.

        Currently Null or Undefined value test in 32_64 DFG will check Null and Undefined tag separately and introduce one more branch. It can be improved in the way how the baseline JIT is doing - by relying on the fact that "UndefinedTag + 1 == NullTag and NullTag & 1".

        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompareNull):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):

2011-10-09  Yuqiang Xian

        JSVALUE32_64 DFG JIT - Bug fix for ConvertThis
        https://bugs.webkit.org/show_bug.cgi?id=69721

        Reviewed by Darin Adler.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-09  Yuqiang Xian

        Remove unused callOperation code of DFG JIT on X86
        https://bugs.webkit.org/show_bug.cgi?id=69722

        Reviewed by Filip Pizlo.

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::callOperation):

2011-10-09  Yuqiang Xian

        JSVALUE32_64 DFG JIT - fillJSValue with a pair of GPRs should not set the registerFormat to be DataFormatJSDouble
        https://bugs.webkit.org/show_bug.cgi?id=69720

        Reviewed by Filip Pizlo.

        In JSVALUE32_64 DFG, DataFormatJSDouble is assumed to be represented by a FPR and will be used for further optimizations, though we currently don't fully utilize it. For now when filling a JS value which was spilled as a JSDouble with a pair of GPRs, we'll set the registerFormat to DataFormatJS to avoid compilation errors.
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::fillJSValue):

2011-10-09  Filip Pizlo

        DFG should not always speculate that a ByVal access has an integer index
        https://bugs.webkit.org/show_bug.cgi?id=69716

        Reviewed by Oliver Hunt.

        1% win on SunSpider, neutral elsewhere.

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::callOperation):
        * dfg/DFGNode.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::byValHasIntBase):
        (JSC::DFG::Propagator::clobbersWorld):
        (JSC::DFG::Propagator::getMethodLoadElimination):
        (JSC::DFG::Propagator::checkStructureLoadElimination):
        (JSC::DFG::Propagator::getByOffsetLoadElimination):
        (JSC::DFG::Propagator::getPropertyStorageLoadElimination):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-09  Yuqiang Xian

        Fix value profiling in 32_64 JIT
        https://bugs.webkit.org/show_bug.cgi?id=69717

        Reviewed by Filip Pizlo.

        Current value profiling for 32_64 JIT is broken and cannot record correct predicated types, which results in many speculation failures in the 32_64 DFG JIT, fallbacks to baseline JIT, and re-optimizations again and again. With this fix 32_64 DFG JIT can demonstrate real performance gains.

        * bytecode/ValueProfile.cpp:
        (JSC::ValueProfile::computeStatistics):
        * bytecode/ValueProfile.h:
        (JSC::ValueProfile::classInfo):
        (JSC::ValueProfile::numberOfSamples):
        (JSC::ValueProfile::isLive):
        (JSC::ValueProfile::numberOfInt32s):
        (JSC::ValueProfile::numberOfDoubles):
        (JSC::ValueProfile::numberOfBooleans):
        (JSC::ValueProfile::dump):
        Empty value check should be performed on decoded JSValue, as for 32_64 empty value is not identical to encoded 0.
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitValueProfilingSite):
        * jit/JITStubCall.h:
        (JSC::JITStubCall::callWithValueProfiling):
        Record the right profiling result for 32_64.
2011-10-09  Yuqiang Xian

        Remove 32 bit restrictions in DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=69711

        Reviewed by Filip Pizlo.

        op_call/op_construct support was disabled for 32 bit DFG JIT because there was regression in javascriptcore tests. Now the bugs are fixed and there should be no regression. This makes 32 bit DFG have the same capability as 64 bit DFG, and improves the coverage.

        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):

2011-10-08  Mark Hahnenberg

        Add static version of JSCell::getConstructData
        https://bugs.webkit.org/show_bug.cgi?id=69673

        Reviewed by Geoffrey Garen.

        Added static version of getConstructData to all classes that override it and changed the virtual versions to call the static versions. This is the first step in de-virtualizing JSCell::getConstructData.

        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::getConstructData):
        * API/JSCallbackConstructor.h:
        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::getConstructData):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::getConstructData):
        * runtime/ArrayConstructor.h:
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::getConstructData):
        * runtime/BooleanConstructor.h:
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::getConstructData):
        * runtime/DateConstructor.h:
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::getConstructData):
        * runtime/ErrorConstructor.h:
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::getConstructData):
        * runtime/FunctionConstructor.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::getConstructData):
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getConstructData):
        * runtime/JSFunction.h:
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::getConstructData):
        * runtime/NativeErrorConstructor.h:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getConstructData):
        * runtime/NumberConstructor.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::getConstructData):
        * runtime/ObjectConstructor.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getConstructData):
        * runtime/RegExpConstructor.h:
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::getConstructData):
        * runtime/StringConstructor.h:

2011-10-08  Mark Hahnenberg

        Add static version of JSCell::getOwnPropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=69593

        Reviewed by Geoffrey Garen.

        Added static version of getOwnPropertySlot to every class that overrides JSCell::getOwnPropertySlot. The virtual versions now call the static versions. This is the first step in de-virtualizing JSCell::getOwnPropertySlot.

        * JavaScriptCore.exp:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::getOwnPropertySlot):
        * debugger/DebuggerActivation.h:
        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertySlot):
        * runtime/Arguments.h:
        * runtime/ArrayConstructor.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::getOwnPropertySlot):
        * runtime/ArrayPrototype.h:
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::getOwnPropertySlot):
        * runtime/BooleanPrototype.h:
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::getOwnPropertySlot):
        * runtime/DateConstructor.h:
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::getOwnPropertySlot):
        * runtime/DatePrototype.h:
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::getOwnPropertySlot):
        * runtime/ErrorPrototype.h:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::getOwnPropertySlot):
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnPropertySlot):
        * runtime/JSArray.h:
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::getOwnPropertySlot):
        * runtime/JSBoundFunction.h:
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::getOwnPropertySlot):
        * runtime/JSByteArray.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::getOwnPropertySlot):
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::getOwnPropertySlot):
        * runtime/JSGlobalObject.h:
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::getOwnPropertySlot):
        * runtime/JSNotAnObject.h:
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::getOwnPropertySlot):
        * runtime/JSONObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertySlot):
        * runtime/JSObject.h:
        (JSC::JSObject::getOwnPropertySlot):
        * runtime/JSStaticScopeObject.cpp:
        (JSC::JSStaticScopeObject::getOwnPropertySlot):
        * runtime/JSStaticScopeObject.h:
        * runtime/JSString.cpp:
        (JSC::JSString::getOwnPropertySlot):
        * runtime/JSString.h:
        * runtime/MathObject.cpp:
        (JSC::MathObject::getOwnPropertySlot):
        * runtime/MathObject.h:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getOwnPropertySlot):
        * runtime/NumberConstructor.h:
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::getOwnPropertySlot):
        * runtime/NumberPrototype.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::getOwnPropertySlot):
        * runtime/ObjectConstructor.h:
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::getOwnPropertySlot):
        * runtime/ObjectPrototype.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getOwnPropertySlot):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::getOwnPropertySlot):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnPropertySlot):
        * runtime/RegExpObject.h:
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::getOwnPropertySlot):
        * runtime/RegExpPrototype.h:
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::getOwnPropertySlot):
        * runtime/StringConstructor.h:
        * runtime/StringObject.cpp:
        (JSC::StringObject::getOwnPropertySlot):
        * runtime/StringObject.h:
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::getOwnPropertySlot):
        * runtime/StringPrototype.h:

2011-10-08  Yuqiang Xian

        JSVALUE32_64 DFG JIT - GetLocal should produce a cell result for Array predictions
        https://bugs.webkit.org/show_bug.cgi?id=69699

        Reviewed by Filip Pizlo.
It should match SetLocal where only payload is stored for array predictions. * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): 2011-10-08 Yuqiang Xian JSVALUE32_64 DFG JIT - Bug fixes for Branch and LogicalNot https://bugs.webkit.org/show_bug.cgi?id=69702 Reviewed by Filip Pizlo. There are some errors in generating code for Branch and LogicalNot, when the operand is predicted as ObjectOrOther. * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): 2011-10-08 Sheriff Bot Unreviewed, rolling out r96996. http://trac.webkit.org/changeset/96996 https://bugs.webkit.org/show_bug.cgi?id=69697 It broke all tests on the Qt bot (Requested by Ossy_night on #webkit). * API/JSCallbackFunction.cpp: (JSC::JSCallbackFunction::getCallDataVirtual): * API/JSCallbackFunction.h: * API/JSCallbackObject.h: * API/JSCallbackObjectFunctions.h: (JSC::::getCallDataVirtual): * API/JSObjectRef.cpp: (JSObjectIsFunction): (JSObjectCallAsFunction): * JavaScriptCore.exp: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: * interpreter/Interpreter.cpp: (JSC::Interpreter::privateExecute): * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): * runtime/ArrayConstructor.cpp: (JSC::ArrayConstructor::getCallDataVirtual): * runtime/ArrayConstructor.h: * runtime/BooleanConstructor.cpp: (JSC::BooleanConstructor::getCallDataVirtual): * runtime/BooleanConstructor.h: * runtime/DateConstructor.cpp: (JSC::DateConstructor::getCallDataVirtual): * runtime/DateConstructor.h: * runtime/Error.cpp: (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction): (JSC::StrictModeTypeErrorFunction::create): (JSC::StrictModeTypeErrorFunction::constructThrowTypeError): (JSC::StrictModeTypeErrorFunction::getConstructData): (JSC::StrictModeTypeErrorFunction::callThrowTypeError): (JSC::StrictModeTypeErrorFunction::getCallDataVirtual): (JSC::StrictModeTypeErrorFunction::getCallData): 
(JSC::StrictModeTypeErrorFunction::createStructure): (JSC::createTypeErrorFunction): * runtime/Error.h: * runtime/ErrorConstructor.cpp: (JSC::ErrorConstructor::getCallDataVirtual): * runtime/ErrorConstructor.h: * runtime/FunctionConstructor.cpp: (JSC::FunctionConstructor::getCallDataVirtual): * runtime/FunctionConstructor.h: * runtime/FunctionPrototype.cpp: (JSC::FunctionPrototype::getCallDataVirtual): * runtime/FunctionPrototype.h: * runtime/InternalFunction.cpp: (JSC::InternalFunction::finishCreation): * runtime/InternalFunction.h: * runtime/JSCell.cpp: (JSC::JSCell::getCallDataVirtual): * runtime/JSCell.h: (JSC::getCallData): * runtime/JSFunction.cpp: (JSC::JSFunction::getCallDataVirtual): * runtime/JSFunction.h: * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::reset): (JSC::JSGlobalObject::visitChildren): * runtime/JSGlobalObject.h: * runtime/JSONObject.cpp: (JSC::Stringifier::Stringifier): (JSC::Stringifier::toJSON): (JSC::Stringifier::appendStringifiedValue): * runtime/JSObject.cpp: (JSC::JSObject::put): * runtime/JSObject.h: * runtime/NativeErrorConstructor.cpp: (JSC::NativeErrorConstructor::getCallDataVirtual): * runtime/NativeErrorConstructor.h: * runtime/NumberConstructor.cpp: (JSC::NumberConstructor::getCallDataVirtual): * runtime/NumberConstructor.h: * runtime/ObjectConstructor.cpp: (JSC::ObjectConstructor::getCallDataVirtual): * runtime/ObjectConstructor.h: * runtime/Operations.cpp: (JSC::jsTypeStringForValue): (JSC::jsIsObjectType): (JSC::jsIsFunctionType): * runtime/PropertySlot.cpp: (JSC::PropertySlot::functionGetter): * runtime/RegExpConstructor.cpp: (JSC::RegExpConstructor::getCallDataVirtual): * runtime/RegExpConstructor.h: * runtime/StringConstructor.cpp: (JSC::StringConstructor::getCallDataVirtual): * runtime/StringConstructor.h: * runtime/Structure.h: 2011-10-08 Yuqiang Xian DFG JIT - only Array predictions can result in unboxed cells in register file https://bugs.webkit.org/show_bug.cgi?id=69695 Reviewed by Filip Pizlo. 
In current DFG JIT, only array predictions can result in unboxed cells in register file, not for the other cell predictions. * dfg/DFGSpeculativeJIT.h: (JSC::DFG::ValueSource::forPrediction): 2011-10-07 Yuqiang Xian bug fixes for ArrayPush and ArrayPop in 32_64 DFG JIT https://bugs.webkit.org/show_bug.cgi?id=69696 Reviewed by Filip Pizlo. On 32-bit, we should use TimesEight (8) instead of ScalePtr (4) to compute the address of a JS array element. * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): 2011-10-07 Mark Hahnenberg Add static version of JSCell::deleteProperty https://bugs.webkit.org/show_bug.cgi?id=69659 Reviewed by Geoffrey Garen. Added static version of both versions of put to all classes that override them and changed the virtual versions to call the static versions. This is the first step in de-virtualizing JSCell::deleteProperty. * API/JSCallbackObject.h: * API/JSCallbackObjectFunctions.h: (JSC::::deleteProperty): * debugger/DebuggerActivation.cpp: (JSC::DebuggerActivation::deleteProperty): * debugger/DebuggerActivation.h: * runtime/Arguments.cpp: (JSC::Arguments::deleteProperty): * runtime/Arguments.h: * runtime/JSActivation.cpp: (JSC::JSActivation::deleteProperty): * runtime/JSActivation.h: * runtime/JSArray.cpp: (JSC::JSArray::deleteProperty): * runtime/JSArray.h: * runtime/JSCell.cpp: (JSC::JSCell::deleteProperty): * runtime/JSCell.h: * runtime/JSFunction.cpp: (JSC::JSFunction::deleteProperty): * runtime/JSFunction.h: * runtime/JSNotAnObject.cpp: (JSC::JSNotAnObject::deleteProperty): * runtime/JSNotAnObject.h: * runtime/JSObject.cpp: (JSC::JSObject::deleteProperty): * runtime/JSObject.h: * runtime/JSVariableObject.cpp: (JSC::JSVariableObject::deleteProperty): * runtime/JSVariableObject.h: * runtime/RegExpMatchesArray.h: (JSC::RegExpMatchesArray::deleteProperty): * runtime/StrictEvalActivation.cpp: (JSC::StrictEvalActivation::deleteProperty): * runtime/StrictEvalActivation.h: * runtime/StringObject.cpp: 
(JSC::StringObject::deleteProperty): * runtime/StringObject.h: 2011-10-07 Mark Hahnenberg Remove getCallDataVirtual methods https://bugs.webkit.org/show_bug.cgi?id=69186 Reviewed by Geoffrey Garen. Removed all getCallDataVirtual methods and replaced their call sites with an explicit lookup in the MethodTable. * API/JSCallbackFunction.cpp: * API/JSCallbackFunction.h: * API/JSCallbackObject.h: * API/JSCallbackObjectFunctions.h: * API/JSObjectRef.cpp: (JSObjectIsFunction): (JSObjectCallAsFunction): * JavaScriptCore.exp: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: * interpreter/Interpreter.cpp: (JSC::Interpreter::privateExecute): * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): * runtime/ArrayConstructor.cpp: * runtime/ArrayConstructor.h: * runtime/BooleanConstructor.cpp: * runtime/BooleanConstructor.h: * runtime/DateConstructor.cpp: * runtime/DateConstructor.h: * runtime/Error.cpp: (JSC::createTypeErrorFunction): Moved StrictModeTypeErrorFunction to Error.h in order to be able to include the class definition in JSGlobalObject.cpp. * runtime/Error.h: (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction): (JSC::StrictModeTypeErrorFunction::create): (JSC::StrictModeTypeErrorFunction::constructThrowTypeError): (JSC::StrictModeTypeErrorFunction::getConstructData): (JSC::StrictModeTypeErrorFunction::callThrowTypeError): (JSC::StrictModeTypeErrorFunction::getCallData): (JSC::StrictModeTypeErrorFunction::createStructure): * runtime/ErrorConstructor.cpp: * runtime/ErrorConstructor.h: * runtime/FunctionConstructor.cpp: * runtime/FunctionConstructor.h: * runtime/FunctionPrototype.cpp: * runtime/FunctionPrototype.h: To allow subclasses of InternalFunction (e.g. QtRuntimeMethod) to not have to declare their own ClassInfo if they don't override getCallData, provided an implementation that calls ASSERT_NOT_REACHED if called, providing roughly the same functionality as of the pure virtual method InternalFunction used to have. 
Also made this new implementation protected rather than private for the same reason. Also added an ASSERT in InternalFunction::finishCreation to make sure that whatever object is being created provides their own implementation of getCallData. This just makes execution fail earlier in a place where the source of the error is easy to trace. These ASSERTs are better than putting a null in the MethodTable because they appear much more intentional to anybody who fails to provide their own implementation or who tries to explicitly call InternalFunction::getCallData. * runtime/InternalFunction.cpp: (JSC::InternalFunction::finishCreation): (JSC::InternalFunction::getCallData): * runtime/InternalFunction.h: * runtime/JSCell.cpp: * runtime/JSCell.h: * runtime/JSFunction.cpp: * runtime/JSFunction.h: Added a global structure to JSGlobalObject for StrictModeTypeErrorFunction to enable it to be reused rather than creating a new Structure every time we instantiate it. * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::reset): (JSC::JSGlobalObject::visitChildren): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::strictModeTypeErrorFunctionStructure): * runtime/JSONObject.cpp: (JSC::Stringifier::Stringifier): (JSC::Stringifier::toJSON): (JSC::Stringifier::appendStringifiedValue): * runtime/JSObject.cpp: (JSC::JSObject::put): * runtime/JSObject.h: (JSC::getCallData): * runtime/NativeErrorConstructor.cpp: * runtime/NativeErrorConstructor.h: * runtime/NumberConstructor.cpp: * runtime/NumberConstructor.h: * runtime/ObjectConstructor.cpp: * runtime/ObjectConstructor.h: * runtime/Operations.cpp: (JSC::jsTypeStringForValue): (JSC::jsIsObjectType): (JSC::jsIsFunctionType): * runtime/PropertySlot.cpp: (JSC::PropertySlot::functionGetter): * runtime/RegExpConstructor.cpp: * runtime/RegExpConstructor.h: * runtime/StringConstructor.cpp: * runtime/StringConstructor.h: * runtime/Structure.h: 2011-10-07 Oliver Hunt Add missing break statement. Reviewed by Gavin Barraclough. 
* dfg/DFGPropagator.cpp: (JSC::DFG::Propagator::propagateNodePredictions): 2011-10-07 Oliver Hunt Support some string intrinsics in the DFG JIT https://bugs.webkit.org/show_bug.cgi?id=69678 Reviewed by Gavin Barraclough. Add support for charAt and charCodeAt intrinsics in the DFG. * create_hash_table: * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleIntrinsic): * dfg/DFGIntrinsic.h: * dfg/DFGNode.h: * dfg/DFGPropagator.cpp: (JSC::DFG::Propagator::propagateNodePredictions): (JSC::DFG::Propagator::performNodeCSE): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt): * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): 2011-10-07 Mark Hahnenberg Add static version of JSCell::put https://bugs.webkit.org/show_bug.cgi?id=69382 Reviewed by Geoffrey Garen. Added static version of both versions of put to all classes that override them and changed the virtual versions to call the static versions. 
* API/JSCallbackObject.h: * API/JSCallbackObjectFunctions.h: (JSC::::put): * JavaScriptCore.exp: * debugger/DebuggerActivation.cpp: (JSC::DebuggerActivation::put): * debugger/DebuggerActivation.h: * runtime/Arguments.cpp: (JSC::Arguments::put): * runtime/Arguments.h: * runtime/JSActivation.cpp: (JSC::JSActivation::put): * runtime/JSActivation.h: * runtime/JSArray.cpp: (JSC::JSArray::put): * runtime/JSArray.h: * runtime/JSByteArray.cpp: (JSC::JSByteArray::put): * runtime/JSByteArray.h: * runtime/JSCell.cpp: (JSC::JSCell::put): * runtime/JSCell.h: * runtime/JSFunction.cpp: (JSC::JSFunction::put): * runtime/JSFunction.h: * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::put): * runtime/JSGlobalObject.h: * runtime/JSNotAnObject.cpp: (JSC::JSNotAnObject::put): * runtime/JSNotAnObject.h: * runtime/JSObject.cpp: (JSC::JSObject::put): * runtime/JSObject.h: * runtime/JSStaticScopeObject.cpp: (JSC::JSStaticScopeObject::put): * runtime/JSStaticScopeObject.h: * runtime/ObjectPrototype.cpp: (JSC::ObjectPrototype::put): * runtime/ObjectPrototype.h: * runtime/RegExpConstructor.cpp: (JSC::RegExpConstructor::put): * runtime/RegExpConstructor.h: * runtime/RegExpMatchesArray.h: (JSC::RegExpMatchesArray::put): * runtime/RegExpObject.cpp: (JSC::RegExpObject::put): * runtime/RegExpObject.h: * runtime/StringObject.cpp: (JSC::StringObject::put): * runtime/StringObject.h: 2011-10-07 Gavin Barraclough Refactor DFG to make for use of callOperation https://bugs.webkit.org/show_bug.cgi?id=69672 Reviewed by Oliver Hunt. * dfg/DFGJITCodeGenerator.h: (JSC::DFG::callOperation): - Added new callOperation calls, don't ASSERT flushed (use helpers for unexpected calls, too). * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: - Switch operationNewObject/operationCreateThis to return Cells, - Added C_DFGOperation_E/C_DFGOperation_EC/J_DFGOperation_EA/J_DFGOperation_EJA call types. 
* dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compileLogicalNot): (JSC::DFG::SpeculativeJIT::emitBranch): (JSC::DFG::SpeculativeJIT::compile): - Replace code plating calls to operations to with calls to callOperation. * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compileLogicalNot): (JSC::DFG::SpeculativeJIT::emitBranch): (JSC::DFG::SpeculativeJIT::compile): - Replace code plating calls to operations to with calls to callOperation. 2011-10-07 Oliver Hunt Support string indexing in the DFG https://bugs.webkit.org/show_bug.cgi?id=69671 Reviewed by Gavin Barraclough. Emit code to support inline indexing of strings * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileGetByValOnString): Shared code to perform string indexing. * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): Use compileGetByValOnString if we predict that the base object is a string in GetByVal. * runtime/JSString.h: (JSC::JSString::offsetOfFiberCount): (JSC::JSString::offsetOfValue): 2011-10-07 Filip Pizlo DFG ConvertThis speculation logic is wrong https://bugs.webkit.org/show_bug.cgi?id=69663 Reviewed by Oliver Hunt. * dfg/DFGPropagator.cpp: (JSC::DFG::Propagator::fixupNode): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): 2011-10-07 Oliver Hunt Verify that our call speculation is valid. Reviewed by Filip Pizlo. Before specialising an intrinsic we need to verify that we our speculation is correct. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): 2011-10-07 Brent Fulgham [WinCairo] Unreviewed build correction for the build bot. * JavaScriptCore.vcproj/JavaScriptCore.sln: Add the missing Release_Cairo_CFLite and Debug_Cairo_CFLite targets so that build-jsc can find the target it needs to run the JSC tests. 
2011-10-07 Oliver Hunt Fix 32-bit build. * jit/JITCall32_64.cpp: (JSC::JIT::compileOpCall): 2011-10-07 Oliver Hunt Support direct calls to intrinsic functions https://bugs.webkit.org/show_bug.cgi?id=69646 Reviewed by Gavin Barraclough. Add support for optimising non-method_check calls to intrinsic functions (eg. when Math.abs, etc are cached in local variables). * bytecode/CodeBlock.h: (JSC::getCallLinkInfoBytecodeIndex): Support searching CallLinkInfos by bytecode index * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): Add support for linked calls in addition to method_check when searching for intrinsics * dfg/DFGNode.h: (JSC::DFG::Node::hasFunctionCheckData): (JSC::DFG::Node::function): Add ability to store a JSFunction* in a node - this is safe as the function will be marked by the codeblock we're compiling * dfg/DFGPropagator.cpp: (JSC::DFG::Propagator::propagateNodePredictions): (JSC::DFG::Propagator::checkFunctionElimination): (JSC::DFG::Propagator::performNodeCSE): Add support for new CheckFunction node, and implement CSE pass. * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): Rather trivial implementation of CheckFunction * jit/JIT.cpp: (JSC::JIT::privateCompile): * jit/JIT.h: * jit/JITCall.cpp: (JSC::JIT::compileOpCall): * jit/JITCall32_64.cpp: (JSC::JIT::compileOpCall): Need to propagate bytecode index for calls now. 2011-10-07 Dominic Cooney [JSC] Disable ThreadRestrictionVerifier for JIT ExecutableMemoryHandles https://bugs.webkit.org/show_bug.cgi?id=69599 Reviewed by Sam Weinig. DFG JIT manipulates MetaAllocatorHandles across threads, eg in allocating JITCode buffers on a background thread to execute a proxy autoconfiguration PAC file but garbage collecting it in response to allocation on the main thread. Disabling ThreadRestrictionVerification until there is a verification scheme that understands this handoff. 
* wtf/MetaAllocator.cpp: (WTF::MetaAllocator::allocate): 2011-10-06 Filip Pizlo DFG should not always speculate that ConvertThis is operating on an object https://bugs.webkit.org/show_bug.cgi?id=69570 Reviewed by Oliver Hunt. Mostly neutral, but with a slight regression in Kraken since it increases coverage in DFG and thus reveals some performance pathologies (which I prefer to think of as performance opportunities, in a good way). * bytecode/PredictedType.cpp: (JSC::predictionToString): * bytecode/PredictedType.h: (JSC::isOtherPrediction): (JSC::mergePredictions): * dfg/DFGPropagator.cpp: (JSC::DFG::Propagator::propagateNodePredictions): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): 2011-10-06 Mark Hahnenberg Windows build fix Unreviewed build fix. Weird runtime failures on Windows due to linking issues caused by the ClassInfo struct in JSByteArray not being declared with JS_EXPORTDATA. * runtime/JSByteArray.h: 2011-10-06 Filip Pizlo Structure does not reset m_previous when pinning the property map https://bugs.webkit.org/show_bug.cgi?id=69583 Reviewed by Gavin Barraclough. This is an 0.6% performance improvement in V8, and 0.2% overall. * runtime/Structure.cpp: (JSC::Structure::changePrototypeTransition): (JSC::Structure::despecifyFunctionTransition): (JSC::Structure::getterSetterTransition): (JSC::Structure::toDictionaryTransition): (JSC::Structure::preventExtensionsTransition): (JSC::Structure::addPropertyWithoutTransition): (JSC::Structure::removePropertyWithoutTransition): (JSC::Structure::pin): * runtime/Structure.h: 2011-10-06 Anders Carlsson When building with clang, enable -Wglobal-constructors and -Wexit-time-destructors https://bugs.webkit.org/show_bug.cgi?id=69586 Reviewed by Darin Adler. * Configurations/Base.xcconfig: Add -Wglobal-constructors and -Wexit-time-destructors when building with clang. 
* JavaScriptCore.xcodeproj/project.pbxproj: When building with clang, we don't need to run the check-for-global-initializers and check-for-exit-time-destructors anymore. * jsc.cpp: (runInteractive): Move interpreterName into runInteractive. * wtf/StdLibExtras.h: When building with clang, disable the -Wglobal-constructors and -Wexit-time-destructors warnings around the variable declaration. 2011-10-06 Anders Carlsson Add DEFINE_DEBUG_ONLY_GLOBAL for globals that should be defined in debug builds https://bugs.webkit.org/show_bug.cgi?id=69584 Reviewed by Darin Adler. Add DEFINE_DEBUG_ONLY_GLOBAL macro. * wtf/StdLibExtras.h: 2011-10-06 Oliver Hunt Write barrier shouldn't allocate temporaries inside control flow https://bugs.webkit.org/show_bug.cgi?id=69582 Reviewed by Gavin Barraclough. Reorder the code to avoid spill-related badness. * dfg/DFGJITCodeGenerator.cpp: (JSC::DFG::JITCodeGenerator::writeBarrier): 2011-10-06 Filip Pizlo DFG::shouldSpeculate methods are too complicated https://bugs.webkit.org/show_bug.cgi?id=69560 Reviewed by Geoffrey Garen. Moved shouldSpeculate methods to DFG::Node, and cleaned them up to just use node predictions. By itself this would have meant that SpeculativeJIT code would have had to say things like m_jit.graph()[nodeIndex].shouldSpeculateXYZ(). So this adds an at(NodeIndex) method to JITCodeGenerator. I replaced all uses of the m_jit.graph()[nodeIndex] idiom with at(nodeIndex). This is an 0.4% progression overall that shows up in all benchmarks, for reasons unknown. 
* dfg/DFGJITCodeGenerator.h: (JSC::DFG::JITCodeGenerator::at): (JSC::DFG::JITCodeGenerator::canReuse): (JSC::DFG::JITCodeGenerator::isFilled): (JSC::DFG::JITCodeGenerator::isFilledDouble): (JSC::DFG::JITCodeGenerator::use): (JSC::DFG::JITCodeGenerator::silentSpillFPR): (JSC::DFG::JITCodeGenerator::silentFillGPR): (JSC::DFG::JITCodeGenerator::silentFillFPR): (JSC::DFG::detectPeepHoleBranch): (JSC::DFG::integerResult): (JSC::DFG::noResult): (JSC::DFG::cellResult): (JSC::DFG::jsValueResult): (JSC::DFG::storageResult): (JSC::DFG::doubleResult): (JSC::DFG::initConstantInfo): (JSC::DFG::appendCallWithExceptionCheck): * dfg/DFGJITCodeGenerator32_64.cpp: (JSC::DFG::JITCodeGenerator::fillInteger): (JSC::DFG::JITCodeGenerator::fillDouble): (JSC::DFG::JITCodeGenerator::fillJSValue): (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber): (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32): (JSC::DFG::JITCodeGenerator::nonSpeculativeUInt32ToNumber): (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp): (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp): (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull): (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch): (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq): (JSC::DFG::JITCodeGenerator::emitCall): * dfg/DFGJITCodeGenerator64.cpp: (JSC::DFG::JITCodeGenerator::fillInteger): (JSC::DFG::JITCodeGenerator::fillDouble): (JSC::DFG::JITCodeGenerator::fillJSValue): (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32): (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull): (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch): (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq): (JSC::DFG::JITCodeGenerator::emitCall): * dfg/DFGNode.h: (JSC::DFG::Node::shouldSpeculateInteger): (JSC::DFG::Node::shouldSpeculateDouble): (JSC::DFG::Node::shouldSpeculateNumber): (JSC::DFG::Node::shouldNotSpeculateInteger): (JSC::DFG::Node::shouldSpeculateFinalObject): 
(JSC::DFG::Node::shouldSpeculateFinalObjectOrOther): (JSC::DFG::Node::shouldSpeculateArray): (JSC::DFG::Node::shouldSpeculateArrayOrOther): (JSC::DFG::Node::shouldSpeculateObject): (JSC::DFG::Node::shouldSpeculateCell): (JSC::DFG::Node::canSpeculateInteger): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch): (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality): (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch): (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch): (JSC::DFG::SpeculativeJIT::compile): (JSC::DFG::SpeculativeJIT::checkArgumentTypes): (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::isInteger): (JSC::DFG::SpeculativeJIT::isKnownArray): (JSC::DFG::SpeculativeJIT::isKnownString): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal): (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::convertToDouble): (JSC::DFG::SpeculativeJIT::compare): (JSC::DFG::SpeculativeJIT::compileLogicalNot): (JSC::DFG::SpeculativeJIT::emitBranch): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal): (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): (JSC::DFG::SpeculativeJIT::compare): (JSC::DFG::SpeculativeJIT::compileLogicalNot): (JSC::DFG::SpeculativeJIT::emitBranch): (JSC::DFG::SpeculativeJIT::compile): 2011-10-06 Gavin Peters REGRESSION (r96595): First frame in assertion backtraces is no longer labeled "1" https://bugs.webkit.org/show_bug.cgi?id=69556 Reviewed by Adam Roben. * wtf/Assertions.cpp: 2011-10-06 Filip Pizlo DFG implementation of UInt32ToNumber is missing a break statement https://bugs.webkit.org/show_bug.cgi?id=69552 Reviewed by Oliver Hunt. 
* dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): 2011-10-06 Gavin Barraclough Unreviewed build fix for DFG JIT 32_64 release builds. * dfg/DFGJITCompiler.cpp: * dfg/DFGJITCompiler.h: * dfg/DFGJITCompiler32_64.cpp: - Remove three unused methods. 2011-10-06 Gavin Barraclough DFG JIT 32_64 should check type of values being filled by fillSpeculateInt https://bugs.webkit.org/show_bug.cgi?id=69549 Reviewed by Oliver Hunt. This breaks sunspider/3d-cube. * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal): - Speculation check on the tag. 2011-10-06 Mark Hahnenberg Snow Leopard build fix Unreviewed build fix * JavaScriptCore.exp: 2011-10-05 Gavin Barraclough Add explicit JSGlobalThis type. https://bugs.webkit.org/show_bug.cgi?id=69478 Reviewed by Darin Adler. JSC supports a split global object, as used by WebCore for the Window. As a stage of making this visible to JSC, make it so that if the global this value is not the global object itself, it must be a subclass of JSGlobalThis. * API/JSCallbackObjectFunctions.h: (JSC::::finishCreation): - Don't pass the thisValue to JSGlobalObject::finishCreation. * JavaScriptCore.xcodeproj/project.pbxproj: - Added JSGlobalThis.h * jsc.cpp: (GlobalObject::finishCreation): - Don't pass the thisValue to JSGlobalObject::finishCreation. * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::create): (JSC::JSGlobalObject::finishCreation): - finishCreation takes a JSGlobalThis, or thisValue is implicit. * runtime/JSGlobalThis.h: Added. (JSC::JSGlobalThis::create): (JSC::JSGlobalThis::JSGlobalThis): (JSC::JSGlobalThis::finishCreation): - Thin wrapper on JSNonFinalObject to allow type checking. * testRegExp.cpp: (GlobalObject::finishCreation): - Don't pass the thisValue to JSGlobalObject::finishCreation. 2011-10-06 Mark Hahnenberg JSC objects need to know their own cell size at runtime. 
https://bugs.webkit.org/show_bug.cgi?id=69390 Reviewed by Geoffrey Garen. Added the cellSize field to ClassInfo and the static calculation of size of each class to the CREATE_METHOD_TABLE macro, which will be renamed in a followup patch to make its name match its broader use. Also added a few ClassInfo structs so that each object that is allocated has its correct size. * JavaScriptCore.exp: * runtime/ClassInfo.h: Changed JSByteArray s_defaultInfo to s_info so that the template will get the correct ClassInfo struct from it when it's allocated. * runtime/JSByteArray.cpp: * runtime/JSByteArray.h: * runtime/JSCell.h: (JSC::allocateCell): * runtime/JSNotAnObject.cpp: * runtime/JSNotAnObject.h: * runtime/JSObject.cpp: * runtime/JSObject.h: (JSC::JSCell::cellSize): * runtime/JSStaticScopeObject.cpp: * runtime/JSStaticScopeObject.h: * runtime/StrictEvalActivation.cpp: * runtime/StrictEvalActivation.h: 2011-10-06 Gavin Peters export new stack dumping method https://bugs.webkit.org/show_bug.cgi?id=69018 The original landing of bug 69018 didn't export WTFGetBacktrace, so that when bug 69453 landed, the first use of this function, many builds broke. So here we add the exports, so that the function is usable. Reviewed by Adam Roben. * JavaScriptCore.exp: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: 2011-10-06 Csaba Osztrogonác REGRESSION(r96347): Build is broken with MSVC compiler if !PLATFORM(WINDOWS) https://bugs.webkit.org/show_bug.cgi?id=69413 Reviewed by Darin Adler. * assembler/MacroAssemblerCodeRef.h: Define STDCALL for MSVC in a proper way. 2011-10-05 Filip Pizlo SpeculativeJIT::isKnownString() is wrong https://bugs.webkit.org/show_bug.cgi?id=69501 Reviewed by Oliver Hunt. Removed the wrong case (GetLocal predicted String) and added a case that works (StrCat). * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::isKnownString): 2011-10-05 Ryosuke Niwa Windows build fix attempt after r96760. 
* JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: 2011-10-05 Chris Rogers Define a log2f() function for Windows in wtf/MathExtras.h https://bugs.webkit.org/show_bug.cgi?id=69491 Reviewed by Darin Adler. * wtf/MathExtras.h: (log2f): 2011-10-05 Jer Noble Enable WEB_AUDIO by default in the WebKit/mac port. https://bugs.webkit.org/show_bug.cgi?id=68587 Reviewed by Simon Fraser. * Configurations/FeatureDefines.xcconfig: * wtf/Platform.h: 2011-10-05 Filip Pizlo Assertion hit in JSC::DFG::SpeculativeJIT::compile on SL bots https://bugs.webkit.org/show_bug.cgi?id=69346 Reviewed by Oliver Hunt. Removed the assertion, since it was completely wrong for op_post_inc. Short of having specialized PostInc nodes in the DFG, there is no robust way of asserting what this assertion was trying to assert while also supporting op_post_inc. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): 2011-10-05 Geoffrey Garen Added a simpler mechanism for registering one-off finalizers https://bugs.webkit.org/show_bug.cgi?id=69466 Reviewed by Oliver Hunt. * heap/Heap.cpp: (JSC::Heap::addFinalizer): (JSC::Heap::FinalizerOwner::finalize): * heap/Heap.h: New function for adding an arbitrary finalizer for an arbitrary cell without declaring any special classes or Handles yourself. * JavaScriptCore.exp: Fix build. * runtime/Executable.cpp: (JSC::ExecutableBase::clearCode): (JSC::ExecutableBase::clearCodeVirtual): (JSC::EvalExecutable::clearCodeVirtual): (JSC::ProgramExecutable::clearCodeVirtual): (JSC::FunctionExecutable::discardCode): (JSC::FunctionExecutable::clearCodeVirtual): * runtime/Executable.h: (JSC::ExecutableBase::finishCreation): Use the new mechanism for eager finalization of executables. 
* runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::clearRareData): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::createRareDataIfNeeded): (JSC::JSGlobalObject::registerWeakMap): Use the new mechanism for eager finalization of weak maps. 2011-10-05 Adam Roben Ensure RetainPtr::hashTableDeletedValue returns a pointer, not a pointer to a pointer RetainPtr's behavior of allowing the template parameter to be either a pointer type or a pointed-to type confused us when we implemented hashTableDeletedValue. Fixes Using RetainPtr as the key type in HashMap/HashSet fails to compile Reviewed by John Sullivan. * wtf/RetainPtr.h: (WTF::RetainPtr::hashTableDeletedValue): Changed to use the PtrType typedef rather than T*, since T might itself be a pointer. (WTF::PtrHash >): Updated this to use PtrType everywhere, even though T* didn't seem to be causing a problem. 2011-10-05 Oliver Hunt Remove last vestiges of anonymous storage. Reviewed by Gavin Barraclough. One anonymous storage function escaped my prior purge of this feature, this patch removes it. * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::finishCreation): * runtime/JSObject.h: 2011-10-04 Filip Pizlo DFG should be capable of a broader range of speculations on branch and not https://bugs.webkit.org/show_bug.cgi?id=69322 Reviewed by Oliver Hunt. 
* bytecode/PredictedType.h: (JSC::isFinalObjectOrOtherPrediction): (JSC::isArrayOrOtherPrediction): * dfg/DFGJITCodeGenerator.cpp: * dfg/DFGJITCodeGenerator.h: (JSC::DFG::JITCodeGenerator::JITCodeGenerator): * dfg/DFGJITCodeGenerator32_64.cpp: (JSC::DFG::JITCodeGenerator::fillDouble): (JSC::DFG::JITCodeGenerator::fillJSValue): * dfg/DFGJITCodeGenerator64.cpp: (JSC::DFG::JITCodeGenerator::fillDouble): (JSC::DFG::JITCodeGenerator::fillJSValue): * dfg/DFGOperations.cpp: * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::shouldSpeculateFinalObjectOrOther): (JSC::DFG::SpeculativeJIT::shouldSpeculateArrayOrOther): (JSC::DFG::SpeculativeJIT::SpeculativeJIT): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::emitBranch): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): (JSC::DFG::SpeculativeJIT::compileLogicalNot): (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): (JSC::DFG::SpeculativeJIT::emitBranch): 2011-10-05 Sheriff Bot Unreviewed, rolling out r96733. http://trac.webkit.org/changeset/96733 https://bugs.webkit.org/show_bug.cgi?id=69454 Broke GCC for some reason (Requested by andersca on #webkit). 
        * wtf/ListHashSet.h:
        (WTF::ListHashSetReverseIterator::ListHashSetReverseIterator):
        (WTF::ListHashSetReverseIterator::get):
        (WTF::ListHashSetReverseIterator::operator*):
        (WTF::ListHashSetReverseIterator::operator->):
        (WTF::ListHashSetReverseIterator::operator++):
        (WTF::ListHashSetReverseIterator::operator--):
        (WTF::ListHashSetReverseIterator::operator==):
        (WTF::ListHashSetReverseIterator::operator!=):
        (WTF::ListHashSetReverseIterator::operator const_reverse_iterator):
        (WTF::ListHashSetReverseIterator::node):
        (WTF::ListHashSetConstReverseIterator::ListHashSetConstReverseIterator):
        (WTF::ListHashSetConstReverseIterator::get):
        (WTF::ListHashSetConstReverseIterator::operator*):
        (WTF::ListHashSetConstReverseIterator::operator->):
        (WTF::ListHashSetConstReverseIterator::operator++):
        (WTF::ListHashSetConstReverseIterator::operator--):
        (WTF::ListHashSetConstReverseIterator::operator==):
        (WTF::ListHashSetConstReverseIterator::operator!=):
        (WTF::ListHashSetConstReverseIterator::node):
        (WTF::::rbegin):
        (WTF::::rend):
        (WTF::::makeReverseIterator):
        (WTF::::makeConstReverseIterator):

2011-10-04  Oliver Hunt

        Add rudimentary filtering to write barriers
        https://bugs.webkit.org/show_bug.cgi?id=69392

        Reviewed by Filip Pizlo.

        Add approximate filtering for write barriers based on the target's mark bit.
        Also add some macros to support dumping GC phase timings.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::markCellCard):
        * heap/Heap.cpp:
        (JSC::GCTimer::GCTimerScope::GCTimerScope):
        (JSC::GCTimer::GCTimerScope::~GCTimerScope):
        (JSC::Heap::markRoots):
        (JSC::Heap::collect): Add phase timing information.
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::offsetOfMarks):
        (JSC::MarkedBlock::gatherDirtyCells):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitWriteBarrier):

2011-10-05  Anders Carlsson

        Use std::reverse_iterator for ListHashSet reverse iterators
        https://bugs.webkit.org/show_bug.cgi?id=69446

        Reviewed by Darin Adler.
        * wtf/ListHashSet.h: Use the std::reverse_iterator iterator adaptor for the ListHashSet
        reverse iterators and get rid of the ListHashSetReverseIterator and
        ListHashSetConstReverseIterator classes.

2011-10-04  Gavin Barraclough

        Make Object.prototype getter/setter methods match ES5 behaviour
        https://bugs.webkit.org/show_bug.cgi?id=69393

        Reviewed by Sam Weinig.

        The rest of Object.prototype no longer substitutes Null/Undefined with the global object,
        this is old ES3 behaviour. Remove it here too.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):

2011-10-05  Patrick Gansterer

        Get rid of posixThread in MachineStackMarker::Thread
        https://bugs.webkit.org/show_bug.cgi?id=54836

        Reviewed by Oliver Hunt.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::Thread::Thread):
        (JSC::getCurrentPlatformThread):
        (JSC::equalThread):
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::removeCurrentThread):
        (JSC::MachineThreads::gatherConservativeRoots):

2011-10-04  Geoffrey Garen

        Removed JSValue::toJSNumber
        https://bugs.webkit.org/show_bug.cgi?id=69399

        No perf. change.

        toJSNumber() used to provide an implicit fast path for immediate numbers, but those fast
        paths are all explicit now, so it's just cruft.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSValue.h:
        * runtime/JSValueInlineMethods.h:

2011-10-05  Gavin Peters

        REGRESSION (r96595): WTFReportBacktrace listed as the top frame in all assertion backtraces
        https://bugs.webkit.org/show_bug.cgi?id=69424

        Skip an extra frame in WTFReportBacktrace. As well, I now don't count skipped frames in
        maxFrames, so I've updated maxFrames to 31, as with one skipped frame the previous value
        was effectively 31 reported frames.

        Reviewed by Adam Roben.
        * wtf/Assertions.cpp:
        * wtf/Assertions.h:

2011-10-05  Patrick Gansterer

        Unreviewed WinCE build fix for r96595.

        * wtf/Assertions.cpp: RtlCaptureStackBackTrace() isn't available on WinCE.

2011-10-04  Kent Tamura

        Introduce feature flags for incomplete input types
        https://bugs.webkit.org/show_bug.cgi?id=68971

        Reviewed by Hajime Morita.

        * Configurations/FeatureDefines.xcconfig: Add ENABLE_INPUT_TYPE_* flags. They are enabled
        only for iOS.

2011-10-04  Geoffrey Garen

        Build fix.

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION): Use an explicit cast when shortening.

2011-10-04  Mark Hahnenberg

        Add static ClassInfo structs to classes that override JSCell::getCallData
        https://bugs.webkit.org/show_bug.cgi?id=69311

        Reviewed by Darin Adler.

        Added ClassInfo structs to each class that defined its own getCallData function but did
        not already have its own ClassInfo struct. This is a necessary addition for when we switch
        over to looking up getCallData from the MethodTable in ClassInfo rather than doing the
        virtual call (which we are removing). These new ClassInfo structs are public because we
        often use these structs in other areas of the code to uniquely identify JSC classes and
        to enforce runtime invariants based on those class identities using ASSERTs.

        Also added new createStructure methods to those classes that didn't have them so that the
        new ClassInfo structs would be used when creating the Structures in these classes.

        * runtime/BooleanConstructor.cpp:
        * runtime/BooleanConstructor.h:
        (JSC::BooleanConstructor::createStructure):
        getCallData was not marked as static in StrictModeTypeErrorFunction.
        * runtime/Error.cpp:
        (JSC::StrictModeTypeErrorFunction::getCallDataVirtual):
        (JSC::StrictModeTypeErrorFunction::getCallData):
        (JSC::StrictModeTypeErrorFunction::createStructure):
        * runtime/ErrorConstructor.cpp:
        * runtime/ErrorConstructor.h:
        (JSC::ErrorConstructor::createStructure):
        * runtime/FunctionConstructor.cpp:
        * runtime/FunctionConstructor.h:
        (JSC::FunctionConstructor::createStructure):
        * runtime/FunctionPrototype.cpp:
        * runtime/FunctionPrototype.h:

2011-10-03  Geoffrey Garen

        Some JSValue cleanup
        https://bugs.webkit.org/show_bug.cgi?id=69320

        Reviewed by Darin Adler.

        No measurable performance change.

        Removed some JSValue::get* functions. get* used to be an optimization when every value
        operation was a virtual function call: get* would combine two virtual calls into one. Now,
        with non-virtual, inlined functions, get* isn't faster, and may be slightly slower.

        Merged getBoolean(bool&) and getBoolean() into asBoolean().

        Merged uncheckedGetNumber(), getJSNumber() and getNumber() into asNumber().

        * runtime/JSValue.h:
        * runtime/JSValueInlineMethods.h:
        (JSC::JSValue::asNumber):
        (JSC::JSValue::asBoolean): As promised!

        * runtime/NumberPrototype.cpp:
        (JSC::toThisNumber):
        (JSC::numberProtoFuncToExponential):
        (JSC::numberProtoFuncToFixed):
        (JSC::numberProtoFuncToPrecision):
        (JSC::numberProtoFuncToString):
        (JSC::numberProtoFuncToLocaleString):
        (JSC::numberProtoFuncValueOf): Removed a bunch of uses of getJSNumber() by switching to
        toThisNumber().
        * API/JSCallbackObjectFunctions.h:
        (JSC::::toNumber):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::valueOfNumberConstant):
        (JSC::DFG::Graph::valueOfBooleanConstant):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/DateInstance.h:
        (JSC::DateInstance::internalNumber):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncBind):
        * runtime/JSArray.cpp:
        (JSC::compareNumbersForQSort): Replaced getNumber() => isNumber() / asNumber().
        getBoolean() => isBoolean() / asBoolean(), uncheckedGetNumber() => asNumber().

        * runtime/JSCell.cpp:
        * runtime/JSCell.h: Nixed getJSNumber().

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncParseInt):
        * runtime/JSONObject.cpp:
        (JSC::gap):
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::appendStringifiedValue):
        * runtime/NumberObject.cpp:
        * runtime/NumberObject.h:
        (JSC::NumberObject::createStructure):
        * runtime/Operations.h:
        (JSC::JSValue::equalSlowCaseInline):
        (JSC::JSValue::strictEqual):
        (JSC::jsLess):
        (JSC::jsLessEq):
        (JSC::jsAdd): Replaced getNumber() => isNumber() / asNumber().
        getBoolean() => isBoolean() / asBoolean(), uncheckedGetNumber() => asNumber().

2011-10-04  Scott Graham

        Add GAMEPAD feature flag
        https://bugs.webkit.org/show_bug.cgi?id=66859

        Reviewed by Darin Fisher.

        * Configurations/FeatureDefines.xcconfig:

2011-10-03  Filip Pizlo

        JITCodeGenerator should no longer have code that tries too hard to be both speculative
        and non-speculative
        https://bugs.webkit.org/show_bug.cgi?id=69321

        Reviewed by Gavin Barraclough.

        Removed m_isSpeculative and speculationCheck() from JITCodeGenerator. This required
        moving emitBranch() to SpeculativeJIT, since it was the main user of that field and
        method. Other than trivial clean-ups in emitBranch(), the code is unchanged (and still
        has some disparity between 64 and 32_64, and still lacks some obvious optimizations).
        * dfg/DFGJITCodeGenerator.cpp:
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::JITCodeGenerator):
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::fillDouble):
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        * dfg/DFGJITCodeGenerator64.cpp:
        (JSC::DFG::JITCodeGenerator::fillDouble):
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitBranch):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitBranch):

2011-10-04  David Hyatt

        https://bugs.webkit.org/show_bug.cgi?id=69372

        [CSS3 Regions] Make sure overflow:visible lets content spill out of regions.

        Add support for reverse iteration to ListHashSet to support being able to walk them
        backwards easily.

        Reviewed by Anders Carlsson.

        * wtf/ListHashSet.h:
        (WTF::ListHashSetReverseIterator::ListHashSetReverseIterator):
        (WTF::ListHashSetReverseIterator::get):
        (WTF::ListHashSetReverseIterator::operator*):
        (WTF::ListHashSetReverseIterator::operator->):
        (WTF::ListHashSetReverseIterator::operator++):
        (WTF::ListHashSetReverseIterator::operator--):
        (WTF::ListHashSetReverseIterator::operator==):
        (WTF::ListHashSetReverseIterator::operator!=):
        (WTF::ListHashSetReverseIterator::operator const_reverse_iterator):
        (WTF::ListHashSetReverseIterator::node):
        (WTF::ListHashSetConstReverseIterator::ListHashSetConstReverseIterator):
        (WTF::ListHashSetConstReverseIterator::get):
        (WTF::ListHashSetConstReverseIterator::operator*):
        (WTF::ListHashSetConstReverseIterator::operator->):
        (WTF::ListHashSetConstReverseIterator::operator++):
        (WTF::ListHashSetConstReverseIterator::operator--):
        (WTF::ListHashSetConstReverseIterator::operator==):
        (WTF::ListHashSetConstReverseIterator::operator!=):
        (WTF::ListHashSetConstReverseIterator::node):
        (WTF::::rbegin):
        (WTF::::rend):
        (WTF::::makeReverseIterator):
        (WTF::::makeConstReverseIterator):
        (WTF::::makeConstIterator):

2011-10-04  Gavin Peters

        fix gtk breakage
        caused by changeset 96595
        https://bugs.webkit.org/show_bug.cgi?id=69371

        ews did not catch build breakage in the gtk WebKitPluginProcess target; this patch
        removes the pretty printer on gtk, which should fix the build on that platform.

        Reviewed by NOBODY, this is a build fix.

        * wtf/Assertions.cpp:

2011-10-04  Sheriff Bot

        Unreviewed, rolling out r96630.
        http://trac.webkit.org/changeset/96630
        https://bugs.webkit.org/show_bug.cgi?id=69368

        Caused assertion failures in validateCell (Requested by mhahnenberg on #webkit).

        * runtime/BooleanConstructor.cpp:
        * runtime/BooleanConstructor.h:
        * runtime/Error.cpp:
        (JSC::StrictModeTypeErrorFunction::getCallDataVirtual):
        (JSC::StrictModeTypeErrorFunction::getCallData):
        * runtime/ErrorConstructor.cpp:
        * runtime/ErrorConstructor.h:
        * runtime/FunctionConstructor.cpp:
        * runtime/FunctionConstructor.h:
        * runtime/FunctionPrototype.cpp:
        * runtime/FunctionPrototype.h:

2011-10-04  Mark Hahnenberg

        Add static ClassInfo structs to classes that override JSCell::getCallData
        https://bugs.webkit.org/show_bug.cgi?id=69311

        Reviewed by Darin Adler.

        Added ClassInfo structs to each class that defined its own getCallData function but did
        not already have its own ClassInfo struct. This is a necessary addition for when we switch
        over to looking up getCallData from the MethodTable in ClassInfo rather than doing the
        virtual call (which we are removing). These new ClassInfo structs are public because we
        often use these structs in other areas of the code to uniquely identify JSC classes and
        to enforce runtime invariants based on those class identities using ASSERTs.

        * runtime/BooleanConstructor.cpp:
        * runtime/BooleanConstructor.h:
        getCallData was not marked as static in StrictModeTypeErrorFunction.
        * runtime/Error.cpp:
        (JSC::StrictModeTypeErrorFunction::getCallDataVirtual):
        (JSC::StrictModeTypeErrorFunction::getCallData):
        * runtime/ErrorConstructor.cpp:
        * runtime/ErrorConstructor.h:
        * runtime/FunctionConstructor.cpp:
        * runtime/FunctionConstructor.h:
        * runtime/FunctionPrototype.cpp:
        * runtime/FunctionPrototype.h:

2011-10-04  Ryosuke Niwa

        Leopard build fix after r96613.

        * wtf/Platform.h:

2011-10-04  Mark Hahnenberg

        Implicitly add toString and valueOf to prototype when convertToType callback is provided
        https://bugs.webkit.org/show_bug.cgi?id=69156

        Reviewed by Geoffrey Garen.

        Added callbacks for toString and valueOf which are implicitly added to a client object's
        prototype if they provide a convertToType callback when declaring their class through the
        JSC API.

        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::toStringCallback):
        (JSC::JSCallbackFunction::valueOfCallback):
        * API/JSCallbackFunction.h:
        * API/JSClassRef.cpp:
        (OpaqueJSClass::prototype):
        * API/tests/testapi.js:

2011-10-03  Jon Lee

        Extend DOM WheelEvent to differentiate between physical and logical scroll directions
        https://bugs.webkit.org/show_bug.cgi?id=68959

        Reviewed by Sam Weinig.

        * wtf/Platform.h: Added HAVE_INVERTED_WHEEL_EVENTS for Lion and later.

2011-10-04  Csaba Osztrogonác

        MinGW warning fix after r96286.

        Avoid redefining STDCALL, because STDCALL is also defined in mingw32/include/windef.h:
            #define __stdcall __attribute__((stdcall))
            #define STDCALL __stdcall

        Reviewed by Tor Arne Vestbø.

        * assembler/MacroAssemblerCodeRef.h:

2011-10-04  Gavin Peters

        add more stack dumping methods
        https://bugs.webkit.org/show_bug.cgi?id=69018

        In addition to WTFReportBacktrace, this adds the cross-platform WTFGetBacktrace, which
        lets WebKit programmatically retrieve the current stack. This is useful if you need to
        add more reporting to field crash report uploads, if you're tracking down an
        irreproducible bug, for instance.

        Reviewed by Darin Adler.
        * wtf/Assertions.cpp:
        * wtf/Assertions.h:

2011-10-03  Filip Pizlo

        DFG should inline Array.push and Array.pop
        https://bugs.webkit.org/show_bug.cgi?id=69314

        Reviewed by Geoff Garen.

        Fix 32-bit.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-03  Filip Pizlo

        DFG should inline Array.push and Array.pop
        https://bugs.webkit.org/show_bug.cgi?id=69314

        Reviewed by Oliver Hunt.

        1% speed-up in V8 due to 6% speed-up in V8-deltablue.

        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::storePtr):
        * create_hash_table:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGIntrinsic.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::getByValLoadElimination):
        (JSC::DFG::Propagator::getMethodLoadElimination):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-03  Filip Pizlo

        JSC ASSERT Opening the Web Inspector
        https://bugs.webkit.org/show_bug.cgi?id=69293

        Reviewed by Oliver Hunt.

        If a polymorphic access structure list has a duplicated structure, then don't crash.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2011-10-03  Gavin Barraclough

        On X86, switch bucketCount into a register, timeoutCheck into memory
        https://bugs.webkit.org/show_bug.cgi?id=69299

        Reviewed by Geoff Garen.

        We don't have sufficient registers to keep both in registers, and DFG JIT will trample
        esi; it doesn't matter if the bucketCount gets stomped on (in fact it may add to
        randomness!), but if the timeoutCheck gets trashed we may make calls out to the
        timeout_check stub function too frequently (regressing performance).

        This patch has no perf impact on sunspider.
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::branchAdd32):
        (JSC::MacroAssemblerX86::branchSub32):
            - Added branchSub32 with AbsoluteAddress.
        * jit/JIT.cpp:
        (JSC::JIT::emitTimeoutCheck):
            - Keep timeout count in memory on X86.
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitValueProfilingSite):
            - remove X86 specific code, switch bucket count back into a register.
        * jit/JITStubs.cpp:
            - Stop initializing esi (it is no longer the timeoutCheck!)
        * jit/JSInterfaceJIT.h:
            - change definition of esi to be the bucketCountRegister.
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
            - Add timeoutCount as a property to global data (the counter should be per-thread).

2011-10-03  Filip Pizlo

        DFG backends don't have access to per-node predictions from the propagator
        https://bugs.webkit.org/show_bug.cgi?id=69291

        Reviewed by Oliver Hunt.

        Nodes now have two notions of predictions: the heap prediction, which is what came
        directly from value profiling, and the propagator's predictions, which arise out of
        abstract interpretation. Every node has a propagator prediction, but not every node has
        a heap prediction; and there is no guarantee that a node that has both will keep them
        consistent as the propagator may have additional information available to it.

        This is performance neutral.
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::getPrediction):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::getHeapPrediction):
        (JSC::DFG::Node::predictHeap):
        (JSC::DFG::Node::prediction):
        (JSC::DFG::Node::predict):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::Propagator):
        (JSC::DFG::Propagator::setPrediction):
        (JSC::DFG::Propagator::mergePrediction):
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::isPredictedNumerical):
        (JSC::DFG::Propagator::logicalNotIsPure):
        (JSC::DFG::Propagator::setReplacement):

2011-10-03  Jer Noble

        Unreviewed, rolling out r96526.
        http://trac.webkit.org/changeset/96526
        https://bugs.webkit.org/show_bug.cgi?id=68587

        WEB_AUDIO has numerous 64->32 bit casting warnings, causing build breakages where -Wall
        is enabled.

        * Configurations/FeatureDefines.xcconfig:
        * wtf/Platform.h:

2011-10-03  Gavin Barraclough

        Unreviewed build fix for DFG JIT 32_64.

        * dfg/DFGJITCompiler32_64.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-02  Filip Pizlo

        DFG should speculate more aggressively on obvious cases on polymorphic get_by_id
        https://bugs.webkit.org/show_bug.cgi?id=69235

        Reviewed by Oliver Hunt.

        This implements trivial polymorphic get_by_id. It also fixes problems in the CSE for
        CheckStructure in the put_by_id transition case. Doing this required knowing whether a
        polymorphic get_by_id stub was doing a direct access rather than a call of some kind.

        Slight speed-up on Kraken and SunSpider. 0.5% speed-up in the scaled mean of all
        benchmarks.
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/Instruction.h:
        (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):
        (JSC::PolymorphicAccessStructureList::PolymorphicAccessStructureList):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::cellConstant):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addStructureSet):
        (JSC::DFG::Graph::addStructureTransitionData):
        * dfg/DFGNode.h:
        (JSC::DFG::StructureTransitionData::StructureTransitionData):
        (JSC::DFG::Node::hasStructureTransitionData):
        (JSC::DFG::Node::structureTransitionData):
        (JSC::DFG::Node::hasStructureSet):
        (JSC::DFG::Node::structureSet):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::checkStructureLoadElimination):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryBuildGetByIDList):
        (JSC::DFG::tryBuildGetByIDProtoList):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureSet.h: Added.
        (JSC::DFG::StructureSet::StructureSet):
        (JSC::DFG::StructureSet::add):
        (JSC::DFG::StructureSet::addAll):
        (JSC::DFG::StructureSet::remove):
        (JSC::DFG::StructureSet::contains):
        (JSC::DFG::StructureSet::isSubsetOf):
        (JSC::DFG::StructureSet::isSupersetOf):
        (JSC::DFG::StructureSet::size):
        (JSC::DFG::StructureSet::at):
        (JSC::DFG::StructureSet::operator[]):
        (JSC::DFG::StructureSet::last):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::getPolymorphicAccessStructureListSlot):

2011-10-03  Jer Noble

        Enable WEB_AUDIO by default in the WebKit/mac port.
        https://bugs.webkit.org/show_bug.cgi?id=68587

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:
        * wtf/Platform.h:

2011-10-03  Carlos Garcia Campos

        [GTK] Fix make distcheck build
        https://bugs.webkit.org/show_bug.cgi?id=69243

        Reviewed by Martin Robinson.

        * GNUmakefile.list.am:

2011-10-03  Pierre Rossi

        [Qt] Build fix: Qt::escape is deprecated in Qt5
        https://bugs.webkit.org/show_bug.cgi?id=69162

        Use QString::toHtmlEscaped in the Qt5 case.

        Reviewed by Andreas Kling.

        * JavaScriptCore.pri:
        * wtf/qt/UtilsQt.h: Added.
        (escapeHtml):
        * wtf/wtf.pri:

2011-10-03  Balazs Kelemen

        libdispatch based ParallelJobs is not enough parallel
        https://bugs.webkit.org/show_bug.cgi?id=66378

        Reviewed by Zoltan Herczeg.

        Use the appropriate libdispatch API for our use case. Throw away the hard coded limit of
        parallel threads and use dispatch_apply with the default priority normal queue instead of
        using our own custom serial queue (which was a misuse of the API).

        Enabling PARALLEL_JOBS is now a 60% win (2.63x as fast) on the methanol benchmark
        (https://gitorious.org/methanol) with an SVG centric test set while the old
        implementation was almost identical (less than 5% win).

        * wtf/ParallelJobsLibdispatch.h:
        (WTF::ParallelEnvironment::ParallelEnvironment):
        (WTF::ParallelEnvironment::execute):

2011-10-02  Zoltan Herczeg

        [Qt]REGRESSION(r95912): It made sputnik tests flakey
        https://bugs.webkit.org/show_bug.cgi?id=68990

        Reviewed by Geoffrey Garen.

        Changing signed char to int in r96354 solved the problem. However transitionCount still
        returns with a signed char and should be changed to int.

        * runtime/Structure.h:
        (JSC::Structure::transitionCount):

2011-10-02  Filip Pizlo

        DFG misses some obvious opportunities for common subexpression elimination
        https://bugs.webkit.org/show_bug.cgi?id=69233

        Reviewed by Oliver Hunt.

        0.7% speed-up on SunSpider.
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::getByValLoadElimination):
        (JSC::DFG::Propagator::getMethodLoadElimination):
        (JSC::DFG::Propagator::checkStructureLoadElimination):
        (JSC::DFG::Propagator::getByOffsetLoadElimination):
        (JSC::DFG::Propagator::getPropertyStorageLoadElimination):
        (JSC::DFG::Propagator::performNodeCSE):

2011-10-02  Gavin Barraclough

        Bug 67455 - Different regular expression result

        Reviewed by Darin Adler.

        Fix a regression introduced in r72140. A return was added to the backtracking loop for
        backtrackParentheses with QuantifierNonGreedy, so it always returns after one iteration.
        This is incorrect. The additional return should only trigger to force an early return if
        an error has occurred.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::matchParentheses):
            - Simplify some nested if else logic.
        (JSC::Yarr::Interpreter::backtrackParentheses):
            - Simplify some nested if else logic.
            - Only return early from backtrackParentheses on success/error, not on failure.

2011-10-01  Geoffrey Garen

        Removed redundant helper functions for allocating Strong handles
        https://bugs.webkit.org/show_bug.cgi?id=69218

        Reviewed by Sam Weinig.

        * heap/Heap.h:
        (JSC::Heap::handleHeap):
        * runtime/JSGlobalData.h: Removed these helper functions, since they just created
        indirection.

        * heap/StrongInlines.h: Added. Broke out a header for inline functions to resolve circular
        dependencies created by inlining. I'm told this is the future for JavaScriptCore.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj: Go forth and build.
        * API/JSCallbackObjectFunctions.h:
        (JSC::::init):
        * runtime/WeakGCMap.h:
        (JSC::WeakGCMap::add):
        (JSC::WeakGCMap::set):
        * runtime/StructureTransitionTable.h:
        (JSC::StructureTransitionTable::setSingleTransition):
        * heap/Local.h:
        (JSC::::Local):
        * heap/Strong.h:
        (JSC::::Strong):
        (JSC::::set):
        * heap/Weak.h:
        (JSC::Weak::Weak):
        (JSC::Weak::set): Allocate handles directly instead of going through a chain of forwarding
        functions.

        * bytecompiler/BytecodeGenerator.cpp:
        * runtime/JSGlobalData.cpp:
        * runtime/LiteralParser.cpp:
        * runtime/RegExpCache.cpp: Updated for header changes.

2011-09-30  Filip Pizlo

        All of JSC's heuristics should be in one place for easier tuning
        https://bugs.webkit.org/show_bug.cgi?id=69201

        Reviewed by Oliver Hunt.

        This makes it possible to change tiered compilation heuristics in one place
        (Heuristics.cpp) without recompiling the whole project. It also makes it possible to
        enable setting heuristics using environment variables. This is off by default. When
        turned on, it makes tuning the system much easier.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::shouldOptimizeNow):
        * bytecode/CodeBlock.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * jit/JIT.cpp:
        (JSC::JIT::emitOptimizationCheck):
        * runtime/Heuristics.cpp: Added.
        (JSC::Heuristics::parse):
        (JSC::Heuristics::setHeuristic):
        (JSC::Heuristics::initializeHeuristics):
        * runtime/Heuristics.h: Added.
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):

2011-10-01  Oliver Hunt

        Support string length in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=69215

        Reviewed by Geoff Garen.

        Adds a GetStringLength node to the DFG so that we can support string.length inline.
        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::isKnownString):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSString.h:
        (JSC::JSString::offsetOfLength):

2011-10-01  Yuqiang Xian

        JSVALUE32_64 DFG JIT - unboxed integers and cells in register file must be reboxed before
        exiting from DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=69205

        Reviewed by Gavin Barraclough.

        If there are unboxed integers and cells in register file (e.g. by SetLocal), they must be
        reboxed before exiting from the speculative DFG JIT execution. This patch also adds a new
        ValueSourceKind (CellInRegisterFile) and a new ValueRecoveryTechnique
        (AlreadyInRegisterFileAsCell).

        * dfg/DFGJITCompiler32_64.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::ValueSource::dump):
        (JSC::DFG::ValueRecovery::dump):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::ValueSource::forPrediction):
        (JSC::DFG::ValueRecovery::alreadyInRegisterFileAsUnboxedCell):

2011-10-01  Sheriff Bot

        Unreviewed, rolling out r96421.
        http://trac.webkit.org/changeset/96421
        https://bugs.webkit.org/show_bug.cgi?id=69206

        It broke Qt-WK2 build (Requested by ossy on #webkit).

        * JavaScriptCore.pri:
        * wtf/qt/UtilsQt.h: Removed.
        * wtf/wtf.pri:

2011-09-30  Daniel Bates

        Attempt to fix the Apple Windows and WinCairo Debug builds after
        (https://bugs.webkit.org/show_bug.cgi?id=69203).

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Remove the symbol
        ?toStrictThisObject@JSObject@JSC@@UBE?AVJSValue@2@PAVExecState@2@@Z since the
        corresponding function, JSValue::toStrictThisObject(), was removed.
2011-09-30  Yuqiang Xian

        DFG operation results are not set correctly in JSVALUE32_64 DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=69126

        Reviewed by Gavin Barraclough.

        The setupResults routine has the bug of reversing the source and destination. Also some
        other trivial (but stupid) bugs need to be fixed in JSVALUE32_64 DFG JIT.

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::setupTwoStubArgs):
        (JSC::DFG::setupResults):
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):

2011-09-30  Gavin Barraclough

        Remove toStrictThisObject, toThisString, toThisJSString
        https://bugs.webkit.org/show_bug.cgi?id=69203

        Rubber stamped by Sam Weinig

        These are no longer used.

        * JavaScriptCore.exp:
        * runtime/JSActivation.cpp:
        * runtime/JSActivation.h:
        * runtime/JSObject.cpp:
        * runtime/JSObject.h:
        * runtime/JSStaticScopeObject.cpp:
        * runtime/JSStaticScopeObject.h:
        * runtime/JSValue.h:
        * runtime/StrictEvalActivation.cpp:
        * runtime/StrictEvalActivation.h:

2011-09-30  Filip Pizlo

        DFG does not speculate aggressively enough on put_by_id
        https://bugs.webkit.org/show_bug.cgi?id=69114

        Reviewed by Oliver Hunt.

        This adds new nodes along with optimizations for those nodes:

        GetPropertyStorage: CheckStructure used to do both the structure check and retrieve the
        storage pointer. Now CheckStructure just checks the structure, and GetPropertyStorage
        retrieves the storage pointer.

        PutStructure: Changes the structure, and has the expected store to load optimization with
        CheckStructure.

        PutByOffset: Directly sets the value. Has store to load optimization with GetByOffset.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::cellConstant):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::writeBarrier):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasStructure):
        (JSC::DFG::Node::hasStorageAccessData):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::impureCSE):
        (JSC::DFG::Propagator::checkStructureLoadElimination):
        (JSC::DFG::Propagator::getByOffsetLoadElimination):
        (JSC::DFG::Propagator::getPropertyStorageLoadElimination):
        (JSC::DFG::Propagator::eliminate):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-30  Gavin Barraclough

        StringRecursionChecker should not work in terms of EncodedJSValue
        https://bugs.webkit.org/show_bug.cgi?id=69188

        Reviewed by Oliver Hunt.

        0 is not the empty value on 32_64. Code that casts literals to EncodedJSValues may be
        unsafe if we change our internal representation.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::arrayProtoFuncJoin):
        * runtime/ErrorPrototype.cpp:
        (JSC::errorProtoFuncToString):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncToString):
        * runtime/StringRecursionChecker.cpp:
        (JSC::StringRecursionChecker::throwStackOverflowError):
        (JSC::StringRecursionChecker::emptyString):
        * runtime/StringRecursionChecker.h:
        (JSC::StringRecursionChecker::performCheck):
        (JSC::StringRecursionChecker::earlyReturnValue):

2011-09-30  Gavin Barraclough

        DFG JIT, Branch on integer can always be a 32-bit compare.
        https://bugs.webkit.org/show_bug.cgi?id=69174

        Reviewed by Sam Weinig.
        if (shouldSpeculateInteger(node.child1()) && !isStrictInt32(node.child1())), the JSVALUE64 JIT will currently compare all 64 bits in the register, but in these cases the DataFormat is always a JS boxed integer. In these cases we can just compare the low 32 bits anyway - no need to check the tag. This allows the code to be unified with the JSVALUE32_64 JIT.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-30  Oliver Hunt

        Need a sensible GGC policy

        Reviewed by Geoff Garen.

        This replaces the existing random collection policy with a deterministic policy based on nursery size.

        * heap/AllocationSpace.cpp:
        (JSC::AllocationSpace::allocateSlowCase):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::markRoots):
        (JSC::Heap::collect):
        * heap/Heap.h:
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::resetAllocator):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::nurseryWaterMark):
        (JSC::MarkedSpace::allocate):

2011-09-30  Filip Pizlo

        DFG 32-bit support for op_call and op_construct causes run-javascriptcore-tests to fail
        https://bugs.webkit.org/show_bug.cgi?id=69171

        Reviewed by Gavin Barraclough.

        This fixes one obvious bug that was causing test failures (no support for dummy slow case for op_add in 32_64), and disables op_call and op_construct by default.

        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_op_add):
        (JSC::JIT::emitSlow_op_add):

2011-09-30  Geoffrey Garen

        Crash due to out of bounds read/write in MarkedSpace
        https://bugs.webkit.org/show_bug.cgi?id=69148

        This was a case of being surprised by a poorly articulated cell size limit, plus an incorrect ASSERT guarding the cell size limit.

        Reviewed by Oliver Hunt.

        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::sizeClassFor): Changed heap size ranges to be inclusive, since it makes the ranges easier to understand.
        Bumped up the max cell size to support the use case in this bug. Since the atomSize is much bigger than it used to be, there isn't much accounting cost to handling more size classes.
        Switched to FixedArray, to help catch SizeClass indexing bugs in the future.
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::resetAllocator):
        (JSC::MarkedSpace::canonicalizeCellLivenessData): Updated for size ranges being inclusive.

2011-09-30  Pierre Rossi

        [Qt] Build fix: Qt::escape is deprecated in Qt5
        https://bugs.webkit.org/show_bug.cgi?id=69162

        Use QString::toHtmlEscaped in the Qt5 case.

        Reviewed by Andreas Kling.

        * JavaScriptCore.pri:
        * wtf/qt/UtilsQt.h: Added.
        (escapeHtml):
        * wtf/wtf.pri:

2011-09-30  Yuqiang Xian

        Fix bug in getHostCallReturnValue of DFG JIT on X86
        https://bugs.webkit.org/show_bug.cgi?id=69133

        Reviewed by Gavin Barraclough.

        We need to insert the additional argument in the stack slot before the return address instead of simply pushing it afterwards. Also getHostCallReturnValue* should be attributed as stdcall to make the stack cleaned up by the callee.

        * dfg/DFGOperations.cpp:

2011-09-30  Pierre Rossi

        [Qt] wtf header files are unknown to Qt Creator
        https://bugs.webkit.org/show_bug.cgi?id=69158

        Adding the HEADERS variable in wtf.pri so that the header files can be accessed easily.

        Reviewed by Andreas Kling.

        * wtf/wtf.pri:

2011-09-30  Gavin Barraclough

        Merge some more of DFGSpeculativeJIT 32_64/64
        https://bugs.webkit.org/show_bug.cgi?id=69164

        Reviewed by Oliver Hunt.
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGJITCodeGenerator32_64.cpp:
        * dfg/DFGJITCodeGenerator64.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileValueAdd):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileValueAdd):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-30  Mark Hahnenberg

        Add getCallData to MethodTable in ClassInfo
        https://bugs.webkit.org/show_bug.cgi?id=69024

        Reviewed by Sam Weinig.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        Added the getCallData to the MethodTable in the ClassInfo struct.
        * runtime/ClassInfo.h:

2011-09-29  Yuqiang Xian

        Add op_call/op_constructor support to JSVALUE32_64 DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=69120

        Reviewed by Gavin Barraclough.

        Improve the coverage of JSVALUE32_64 DFG JIT.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::tagOfCallData):
        (JSC::DFG::payloadOfCallData):
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):

2011-09-29  Yuqiang Xian

        DFG JIT - register not unlocked after usage in ArithDiv
        https://bugs.webkit.org/show_bug.cgi?id=69122

        Reviewed by Geoffrey Garen.

        Some allocated register is not unlocked after the usage in ArithDiv. Also there's a typo in "ENBALE_DFG_CONSISTENTCY_CHECK".

        * dfg/DFGNode.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-29  Mark Hahnenberg

        De-virtualize JSCell::toObject
        https://bugs.webkit.org/show_bug.cgi?id=68937

        Reviewed by Darin Adler.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        De-virtualized JSCell::toObject and changed its implementation to manually check the cases for JSString and JSObject rather than leaving it up to the virtual method call.
        * runtime/JSCell.cpp:
        (JSC::JSCell::toObject):
        * runtime/JSCell.h:
        Removed JSNotAnObject::toObject because the case for JSObject works for it. Also removed JSObject::toObject because it was essentially the identity function, which is not necessary since toObject is no longer virtual.
        * runtime/JSNotAnObject.cpp:
        * runtime/JSNotAnObject.h:
        * runtime/JSObject.cpp:
        * runtime/JSObject.h:
        De-virtualized JSObject::toObject and JSString::toObject.
        * runtime/JSString.h:

2011-09-29  Gavin Barraclough

        Start refactoring DFGSpeculativeJIT
        https://bugs.webkit.org/show_bug.cgi?id=69112

        Reviewed by Oliver Hunt.

        Again, move JSVALUE64 code into a DFGSpeculativeJIT64.cpp.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::ValueSource::dump):
        (JSC::DFG::ValueRecovery::dump):
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::OSRExit::dump):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compare):
        * dfg/DFGSpeculativeJIT64.cpp: Copied from Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp.
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-29  Gavin Barraclough

        Refactor out trivially duplicated code in DFGJITCodeGenerator.
        https://bugs.webkit.org/show_bug.cgi?id=69109

        Reviewed by Oliver Hunt.

        Some code is trivially redundant between DFGJITCodeGenerator.cpp & DFGJITCodeGenerator32_64.cpp. Basically move JSVALUE64-specific code into a new DFGJITCodeGenerator64.cpp, leave common code in DFGJITCodeGenerator.cpp, and remove copies from DFGJITCodeGenerator32_64.cpp. For some functions the differences are trivial & make more sense to ifdef individually, and some Operand methods make more sense left in DFGJITCodeGenerator.cpp alongside similar constructors.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::isKnownNotNumber):
        (JSC::DFG::JITCodeGenerator::isKnownBoolean):
        (JSC::DFG::JITCodeGenerator::writeBarrier):
        (JSC::DFG::JITCodeGenerator::dump):
        (JSC::DFG::JITCodeGenerator::checkConsistency):
        (JSC::DFG::GPRTemporary::GPRTemporary):
        (JSC::DFG::FPRTemporary::FPRTemporary):
        * dfg/DFGJITCodeGenerator32_64.cpp:
        * dfg/DFGJITCodeGenerator64.cpp: Copied from Source/JavaScriptCore/dfg/DFGJITCodeGenerator.cpp.
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::branchIfNotCell):
        * dfg/DFGJITCompilerInlineMethods.h:

2011-09-28  Filip Pizlo

        DFG JIT should infer which uses of a variable are not aliased
        https://bugs.webkit.org/show_bug.cgi?id=68593

        Reviewed by Oliver Hunt.

        This separates how a variable is stored (i.e. its virtual register) from how it's predicted. Each variable now takes a VariableAccessData as its operand, instead of the virtual register. The VariableAccessData stores the operand and the prediction. If multiple uses of a variable are aliased, their VariableAccessDatas are unified.

        This also adds tracking of which argument values are used. It correctly observes that an argument value is not used, if the argument is assigned to inside the function before being used.

        This also adds tracking of which variables are live at the head of a basic block, and separates that from a variable being live at the tail.

        Finally, this communicates to both OSR entry and OSR exit code how a variable is predicted at a particular point in the code, rather than just communicating how it was predicted in the entire code block (since with this patch there is no longer the notion of a variable having just one prediction for a code block).

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/ActionablePrediction.h: Added.
        (JSC::actionablePredictionFromPredictedType):
        (JSC::valueObeysPrediction):
        (JSC::actionablePredictionToString):
        (JSC::ActionablePredictions::ActionablePredictions):
        (JSC::ActionablePredictions::setArgument):
        (JSC::ActionablePredictions::argument):
        (JSC::ActionablePredictions::setVariable):
        (JSC::ActionablePredictions::variable):
        (JSC::ActionablePredictions::argumentUpperBound):
        (JSC::ActionablePredictions::variableUpperBound):
        (JSC::ActionablePredictions::pack):
        (JSC::ActionablePredictions::packVector):
        * bytecode/CodeBlock.h:
        * bytecode/PredictionTracker.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::newVariableAccessData):
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::processPhiStack):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::nameOfVariableAccessData):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGGraph.h:
        (JSC::DFG::operandIsArgument):
        (JSC::DFG::VariableRecord::setFirstTime):
        (JSC::DFG::BasicBlock::BasicBlock):
        (JSC::DFG::Graph::predict):
        (JSC::DFG::Graph::getPrediction):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::noticeOSREntry):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasVariableAccessData):
        (JSC::DFG::Node::hasLocal):
        (JSC::DFG::Node::variableAccessData):
        (JSC::DFG::Node::local):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSREntry.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::ValueSource::dump):
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::ValueSource::ValueSource):
        (JSC::DFG::ValueSource::forPrediction):
        (JSC::DFG::ValueSource::isSet):
        (JSC::DFG::ValueSource::kind):
        (JSC::DFG::ValueSource::nodeIndex):
        (JSC::DFG::ValueSource::nodeIndexFromKind):
        (JSC::DFG::ValueSource::kindFromNodeIndex):
        (JSC::DFG::SpeculativeJIT::isKnownArray):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * wtf/PackedIntVector.h: Added.
        (WTF::PackedIntVector::PackedIntVector):
        (WTF::PackedIntVector::operator=):
        (WTF::PackedIntVector::size):
        (WTF::PackedIntVector::ensureSize):
        (WTF::PackedIntVector::resize):
        (WTF::PackedIntVector::clearAll):
        (WTF::PackedIntVector::get):
        (WTF::PackedIntVector::set):
        (WTF::PackedIntVector::mask):
        * wtf/Platform.h:
        * wtf/UnionFind.h: Added.
        (WTF::UnionFind::UnionFind):
        (WTF::UnionFind::find):
        (WTF::UnionFind::unify):

2011-09-29  Oliver Hunt

        Build fix.

        * heap/AllocationSpace.h:

2011-09-29  Oliver Hunt

        Add logic to collect dirty objects as roots
        https://bugs.webkit.org/show_bug.cgi?id=69100

        Reviewed by Geoff Garen.
        This gives us the ability to walk all the MarkedBlocks in an AllocationSpace and collect the dirty objects, and then use them as GC roots.

        I also rearranged the order of these instructions because it makes them smaller on some platforms with some card sizes.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::markCellCard):
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::markCellCard):
        * heap/AllocationSpace.cpp: Tidy up the write barrier logic a bit.
        (JSC::MarkedBlock::gatherDirtyObjects):
        (JSC::TakeIfDirty::returnValue):
        (JSC::TakeIfDirty::TakeIfDirty):
        (JSC::TakeIfDirty::operator()):
        (JSC::AllocationSpace::gatherDirtyObjects):
        * heap/AllocationSpace.h:
        * heap/CardSet.h:
        (JSC::::isCardMarked):
        (JSC::::clearCard):
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        * heap/Heap.h:
        (JSC::Heap::writeBarrier):
        * heap/MarkStack.cpp:
        (JSC::SlotVisitor::visitChildren):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::setDirtyObject):
        (JSC::MarkedBlock::addressOfCardFor):
        * heap/SlotVisitor.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitWriteBarrier): Tidy the write barrier a bit.

2011-09-29  Gavin Barraclough

        Unreviewed windows build fix.

        * assembler/MacroAssemblerCodeRef.h:
        * dfg/DFGOperations.h:

2011-09-29  Filip Pizlo

        Structure transitions involving many (> 64) properties sometimes cause structure corruption
        https://bugs.webkit.org/show_bug.cgi?id=69102

        Reviewed by Darin Adler.

        Made m_offset an int instead of a signed char. Changed the code to ensure that transitions don't lead to the dictionary kind being forgotten.

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        * runtime/Structure.h:

2011-09-29  Yuqiang Xian

        DFG operation calls should be stdcall in Linux JSVALUE32_64 DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=69058

        Reviewed by Gavin Barraclough.

        Also fixed the stdcall FunctionPtr constructors to make them compile correctly on Linux.

        * assembler/MacroAssemblerCodeRef.h:
        (JSC::FunctionPtr::FunctionPtr):

2011-09-29  Mark Hahnenberg

        De-virtualize JSCell::visitChildrenVirtual and remove all other visitChildrenVirtual methods
        https://bugs.webkit.org/show_bug.cgi?id=68839

        Reviewed by Geoffrey Garen.

        Removed the remaining visitChildrenVirtual methods. This patch completes the process of de-virtualizing visitChildren.

        * API/JSCallbackObject.h:
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        * debugger/DebuggerActivation.h:
        * runtime/Arguments.cpp:
        * runtime/Arguments.h:
        * runtime/Executable.cpp:
        * runtime/Executable.h:
        * runtime/GetterSetter.cpp:
        * runtime/GetterSetter.h:
        * runtime/JSActivation.cpp:
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        * runtime/JSArray.h:
        * runtime/JSFunction.cpp:
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSObject.cpp:
        * runtime/JSPropertyNameIterator.cpp:
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSStaticScopeObject.cpp:
        * runtime/JSStaticScopeObject.h:
        * runtime/JSValue.h:
        * runtime/NativeErrorConstructor.cpp:
        * runtime/NativeErrorConstructor.h:
        * runtime/RegExpObject.cpp:
        * runtime/RegExpObject.h:
        * runtime/Structure.cpp:
        * runtime/Structure.h:
        * runtime/StructureChain.cpp:
        * runtime/StructureChain.h:
        Inlined the method table access and call to the visitChildren function (the only call sites to visitChildren are here).
        * heap/MarkStack.cpp:
        (JSC::SlotVisitor::visitChildren):
        Changed the field name for the visitChildren function pointer to visitChildren (from visitChildrenFunctionPtr) to make call sites less verbose.
        * runtime/ClassInfo.h:
        Discovered JSBoundFunction doesn't have its own ClassInfo (it used JSFunction's ClassInfo) but overrides visitChildren, so it needs to have its own ClassInfo.
        * runtime/JSBoundFunction.cpp:
        * runtime/JSBoundFunction.h:
        Had to move className up to make sure that the virtual destructor in JSObject wasn't the first non-inline virtual method in JSObject (as per the comment in the file). Also moved JSCell::visitChildrenVirtual into JSObject.h in order for it to be inline-able to mitigate the cost of an extra method call. Also added a convenience accessor function methodTable() to JSCell to return the MethodTable to make call sites more concise. Implementation is inline in JSObject.h.
        * runtime/JSObject.h:
        (JSC::JSCell::methodTable):
        * runtime/JSCell.h:
        Added an out of line virtual destructor to JSWrapperObject and ScopeChainNode to appease the vtable gods. It refused to compile if there were no virtual methods in both of these classes due to the presence of a weak vtable pointer.
        * runtime/JSWrapperObject.cpp:
        (JSC::JSWrapperObject::~JSWrapperObject):
        * runtime/JSWrapperObject.h:
        * runtime/ScopeChain.cpp:
        (JSC::ScopeChainNode::~ScopeChainNode):
        * runtime/ScopeChain.h:

2011-09-29  Yuqiang Xian

        Bug fixes for CreateThis, NewObject and GetByOffset in JSVALUE32_64 DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=69075

        Reviewed by Gavin Barraclough.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-29  Yuqiang Xian

        JSVALUE32_64 DFG JIT failed to be built on 32-bit Linux due to incorrect overloaded OpInfo constructor
        https://bugs.webkit.org/show_bug.cgi?id=69054

        Reviewed by Gavin Barraclough.

        size_t is equal to uint32_t on most 32-bit platforms, except for Mac OS.

        * dfg/DFGNode.h:

2011-09-28  Filip Pizlo

        DFG checkArgumentTypes fails to check boolean predictions
        https://bugs.webkit.org/show_bug.cgi?id=69059

        Reviewed by Gavin Barraclough.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):

2011-09-28  Gavin Barraclough

        Build fix pt 2 for r96286.
        * assembler/MacroAssemblerCodeRef.h:

2011-09-28  Ryosuke Niwa

        Build fix attempt for r96286.

        * assembler/MacroAssemblerCodeRef.h:

2011-09-28  Gavin Barraclough

        DFG JIT Operations on 32_64 should use stdcall calling convention.
        https://bugs.webkit.org/show_bug.cgi?id=69046

        Reviewed by Sam Weinig.

        All calls out are expecting stdcall conventions, but the default on OS X is cdecl. Leave D_DFGOperation_DD calls as the one exception, since we want to be able to link directly to std library functions like fmod - leave these calls obeying the default platform calling convention.

        * assembler/MacroAssemblerCodeRef.h:
        (JSC::FunctionPtr::FunctionPtr):
            - Add implicit constructors for std calls.
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::callOperation):
            - Make this work on non-Mac platforms.
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * dfg/DFGOperations.h:
            - Mark all operations as stdcalls.

2011-09-28  Filip Pizlo

        DFG JIT falls back on numerical comparisons when it does not recognize a prediction
        https://bugs.webkit.org/show_bug.cgi?id=68977

        Reviewed by Geoffrey Garen.

        This fixes the way comparison implementations are selected. It also fixes a bug where comparisons other than equality (like < or >) on objects are compiled as if the comparison was equality.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compare):

2011-09-28  Gavin Barraclough

        Implement callOperation(D_DFGOperation_DD) for DFG JIT 32_64
        https://bugs.webkit.org/show_bug.cgi?id=69026

        Reviewed by Sam Weinig.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::fstpl):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::callOperation):

2011-09-28  Gavin Barraclough

        Merge bug#68580, bug#68932 for DFG JIT with JSVALUE32_64
        https://bugs.webkit.org/show_bug.cgi?id=69017

        Reviewed by Oliver Hunt.

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::callOperation):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-28  Gavin Barraclough

        https://bugs.webkit.org/show_bug.cgi?id=64679
        Fix bugs in Array.prototype this handling.

        Reviewed by Oliver Hunt.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncJoin):
        (JSC::arrayProtoFuncConcat):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSort):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncMap):
        (JSC::arrayProtoFuncEvery):
        (JSC::arrayProtoFuncForEach):
        (JSC::arrayProtoFuncSome):
        (JSC::arrayProtoFuncReduce):
        (JSC::arrayProtoFuncReduceRight):
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):
            - These methods should throw if this value is undefined.

2011-09-27  Yuqiang Xian

        Value profiling in baseline JIT for JSVALUE32_64
        https://bugs.webkit.org/show_bug.cgi?id=68750

        Reviewed by Geoff Garen.

        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_op_mul):
        (JSC::JIT::emit_op_div):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emit_op_call_put_result):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_resolve):
        (JSC::JIT::emit_op_resolve_base):
        (JSC::JIT::emit_op_resolve_skip):
        (JSC::JIT::emit_op_resolve_global):
        (JSC::JIT::emitSlow_op_resolve_global):
        (JSC::JIT::emit_op_resolve_with_base):
        (JSC::JIT::emit_op_resolve_with_this):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_method_check):
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC::JIT::emit_op_get_global_var):
        * jit/JITStubCall.h:
        (JSC::JITStubCall::callWithValueProfiling):

2011-09-28  Yuqiang Xian

        Wrong integer checks in JSVALUE32_64 DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=68985

        Reviewed by Geoffrey Garen.

        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::fillDouble):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):

2011-09-28  Adam Barth

        Remove empty directories.

        * wtf/brew: Removed.
        * wtf/unicode/brew: Removed.

2011-09-27  Filip Pizlo

        DFG JIT cannot compile op_new_object, op_new_array, op_new_array_buffer, or op_new_regexp
        https://bugs.webkit.org/show_bug.cgi?id=68580

        Reviewed by Oliver Hunt.

        This implements all four opcodes, but has op_new_regexp turned off by default because it unveils some bad speculation logic when compiling string-validate-input. With op_new_regexp turned off, this is a 5% win on Kraken and a 0.7% speed-up on V8. Neutral on SunSpider.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::callOperation):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasConstantBuffer):
        (JSC::DFG::Node::startConstant):
        (JSC::DFG::Node::numConstants):
        (JSC::DFG::Node::hasRegexpIndex):
        (JSC::DFG::Node::regexpIndex):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::isKnownArray):

2011-09-27  Filip Pizlo

        DFG JIT should speculate more aggressively on reads of array.length
        https://bugs.webkit.org/show_bug.cgi?id=68932

        Reviewed by Oliver Hunt.

        This is a 2% speed-up on Kraken, neutral elsewhere.

        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-27  Gavin Barraclough

        DFG JIT - merge changes between 95905 - 96175
        https://bugs.webkit.org/show_bug.cgi?id=68963

        Reviewed by Sam Weinig.

        Merge missing changes from bug#68677, bug#68784, bug#68785.

        * dfg/DFGJITCompiler32_64.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileBody):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-27  Gavin Barraclough

        Get JSVALUE32_64 DFG JIT building on OS X.
        https://bugs.webkit.org/show_bug.cgi?id=68961

        Reviewed by Geoff Garen.

        * Merge bug #68763 (DFG JIT should not eagerly initialize integer tags in the register file).
        * Forward-declare functions in DFGOperations.cpp
        * UNUSED_PARAM for unused arguments
        * NO_RETURN for unimplemented function that ASSERT_NOT_REACHED
        * Fix argument types handled by OpInfo constructor.
        * Use SYMBOL_STRING instead of STRINGIZE for asm symbols.
        * Add files to Xcode project.

2011-09-27  Yuqiang Xian

        Bug fixes for GetById, PutById, and GetByOffset in JSVALUE32_64 DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=68755

        Reviewed by Gavin Barraclough.

        We need to load/store and repatch both tag and payload of a property for GetById/PutById. Also reorder the loads of tag and payload for GetByOffset as the result tag GPR could reuse the storage GPR.

        * bytecode/StructureStubInfo.h:
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::cachedGetById):
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addPropertyAccess):
        (JSC::DFG::JITCompiler::PropertyAccessRecord::PropertyAccessRecord):
        * dfg/DFGJITCompiler32_64.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgRepatchByIdSelfAccess):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-24  Gavin Barraclough

        Macro assembler branch8 & 16 methods vary in treatment of upper bits
        https://bugs.webkit.org/show_bug.cgi?id=68301

        Reviewed by Sam Weinig.

        Fix for branch16 - remove it!
        No performance impact.

        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM.h:
        * assembler/MacroAssemblerARMv7.h:
        * assembler/MacroAssemblerMIPS.h:
        * assembler/MacroAssemblerSH4.h:
        * assembler/MacroAssemblerX86Common.h:
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::jumpIfCharNotEquals):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy):
        (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy):

2011-09-27  Mark Hahnenberg

        Add static version of JSCell::getCallData
        https://bugs.webkit.org/show_bug.cgi?id=68741

        Reviewed by Darin Adler.
        In this patch we just extract the bodies of the virtual getCallData methods throughout the JSCell inheritance hierarchy out into static methods, which are now called from the virtual methods. This is an intermediate step in trying to move the virtual-ness of getCallData into our own method table stored in ClassInfo. We need to convert the methods to static methods because static methods can be represented as function pointers rather than pointers to member functions, and function pointers are smaller and faster to call than pointers to member functions.

        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::getCallDataVirtual):
        (JSC::JSCallbackFunction::getCallData):
        * API/JSCallbackFunction.h:
        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::getCallDataVirtual):
        (JSC::::getCallData):
        * API/JSObjectRef.cpp:
        (JSObjectIsFunction):
        (JSObjectCallAsFunction):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::getCallDataVirtual):
        (JSC::ArrayConstructor::getCallData):
        * runtime/ArrayConstructor.h:
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::getCallDataVirtual):
        (JSC::BooleanConstructor::getCallData):
        * runtime/BooleanConstructor.h:
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::getCallDataVirtual):
        (JSC::DateConstructor::getCallData):
        * runtime/DateConstructor.h:
        * runtime/Error.cpp:
        (JSC::StrictModeTypeErrorFunction::getCallDataVirtual):
        (JSC::StrictModeTypeErrorFunction::getCallData):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::getCallDataVirtual):
        (JSC::ErrorConstructor::getCallData):
        * runtime/ErrorConstructor.h:
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::getCallDataVirtual):
        (JSC::FunctionConstructor::getCallData):
        * runtime/FunctionConstructor.h:
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::getCallDataVirtual):
        (JSC::FunctionPrototype::getCallData):
        * runtime/FunctionPrototype.h:
        * runtime/InternalFunction.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::getCallDataVirtual):
        (JSC::JSCell::getCallData):
        * runtime/JSCell.h:
        (JSC::getCallData):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getCallDataVirtual):
        (JSC::JSFunction::getCallData):
        * runtime/JSFunction.h:
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::toJSON):
        (JSC::Stringifier::appendStringifiedValue):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::getCallDataVirtual):
        (JSC::NativeErrorConstructor::getCallData):
        * runtime/NativeErrorConstructor.h:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getCallDataVirtual):
        (JSC::NumberConstructor::getCallData):
        * runtime/NumberConstructor.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::getCallDataVirtual):
        (JSC::ObjectConstructor::getCallData):
        * runtime/ObjectConstructor.h:
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        (JSC::jsIsObjectType):
        (JSC::jsIsFunctionType):
        * runtime/PropertySlot.cpp:
        (JSC::PropertySlot::functionGetter):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getCallDataVirtual):
        (JSC::RegExpConstructor::getCallData):
        * runtime/RegExpConstructor.h:
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::getCallDataVirtual):
        (JSC::StringConstructor::getCallData):
        * runtime/StringConstructor.h:

2011-09-27  Tim Horton

        Rapidly refreshing a feMorphology[erode] with r=0 can sometimes cause display corruption
        https://bugs.webkit.org/show_bug.cgi?id=68816

        Reviewed by Simon Fraser.

        Add ByteArray::clear, which zeros the memory in the ByteArray.

        * wtf/ByteArray.h:
        (WTF::ByteArray::clear): Added.

2011-09-27  Sheriff Bot

        Unreviewed, rolling out r96131.
http://trac.webkit.org/changeset/96131 https://bugs.webkit.org/show_bug.cgi?id=68927 It made 18+ tests crash on all platform (Requested by Ossy_night on #webkit). * JavaScriptCore.exp: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: * interpreter/Interpreter.cpp: (JSC::Interpreter::throwException): * interpreter/Interpreter.h: * jsc.cpp: (GlobalObject::finishCreation): * parser/Parser.h: (JSC::Parser::parse): * runtime/CommonIdentifiers.h: * runtime/Error.cpp: (JSC::addErrorInfo): * runtime/Error.h: 2011-09-27 Mark Hahnenberg De-virtualize JSCell::getPrimitiveNumber https://bugs.webkit.org/show_bug.cgi?id=68851 Reviewed by Darin Adler. * JavaScriptCore.exp: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Changed JSCell::getPrimitiveNumber to manually handle the dispatch for JSCells (JSObject and JSString in this case). * runtime/JSCell.cpp: (JSC::JSCell::getPrimitiveNumber): * runtime/JSCell.h: Removed JSNotAnObject::getPrimitiveNumber since its return value doesn't matter and it already implements defaultValue, so JSObject::getPrimitiveNumber can cover the case for JSNotAnObject. * runtime/JSNotAnObject.cpp: * runtime/JSNotAnObject.h: De-virtualized JSObject::getPrimitiveNumber and JSString::getPrimitiveNumber and changed them to be const. Also made JSString::getPrimitiveNumber public because it needs to be called from JSCell::getPrimitiveNumber and also since it's no longer virtual, we want people who have a more specific pointer (JSString* instead of JSCell*) to not have to pay the cost of a virtual method call. * runtime/JSObject.cpp: (JSC::JSObject::getPrimitiveNumber): * runtime/JSObject.h: * runtime/JSString.cpp: (JSC::JSString::getPrimitiveNumber): * runtime/JSString.h: 2011-09-27 Juan Carlos Montemayor Elosua Implement Error.stack https://bugs.webkit.org/show_bug.cgi?id=66994 Reviewed by Oliver Hunt. This patch utilizes topCallFrame to create a stack trace when an error is thrown. 
        Users will also be able to use the stack() command in jsc to get arrays with stack trace information.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * interpreter/Interpreter.cpp:
        (JSC::getCallerLine):
        (JSC::getSourceURLFromCallFrame):
        (JSC::getStackFrameCodeType):
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::throwException):
        * interpreter/Interpreter.h:
        (JSC::StackFrame::toString):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionJSCStack):
        * parser/Parser.h:
        (JSC::Parser::parse):
        * runtime/CommonIdentifiers.h:
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        * runtime/Error.h:

2011-09-27  Carlos Garcia Campos

        [GTK] Reorganize header files
        https://bugs.webkit.org/show_bug.cgi?id=65616

        Reviewed by Martin Robinson.

        Install header files under $libwebkitgtkincludedir/JavaScriptCore.

        * GNUmakefile.am: Use $libwebkitgtkincludedir.
        * javascriptcoregtk.pc.in: Use webkitgtk- as include dir.

2011-09-26  Geoffrey Garen

        REGRESSION (r95912): Conservative marking doesn't filter out pointers to MarkedBlock metadata
        https://bugs.webkit.org/show_bug.cgi?id=68860

        Reviewed by Oliver Hunt.

        Bencher says no performance change, maybe a 7% speedup on kraken-imaging-darkroom.

        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::isAtomAligned): Renamed atomMask to atomAlignmentMask because the mask doesn't produce the actual atom number.
        (JSC::MarkedBlock::isLiveCell): Testing just for alignment isn't good enough; we also need to test that a pointer is beyond the metadata section of a MarkedBlock, to avoid treating random metadata as a JSCell.

2011-09-26  Mark Hahnenberg

        Make JSCell::toBoolean non-virtual
        https://bugs.webkit.org/show_bug.cgi?id=67727

        Reviewed by Geoffrey Garen.

        JSCell::toBoolean now manually performs the toBoolean check for objects and strings (where before it was simply virtual and would crash if its implementation was called). Its descendants in JSObject and JSString have also been made non-virtual. JSCell now explicitly covers all cases of toBoolean, so having a virtual implementation of JSCell::toBoolean is no longer necessary. This is part of a larger process of un-virtualizing JSCell.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/JSCell.cpp:
        * runtime/JSCell.h:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSNotAnObject.h:
        * runtime/JSObject.h:
        * runtime/JSString.h:
        (JSC::JSCell::toBoolean):
        (JSC::JSValue::toBoolean):

2011-09-26  Chris Marrin

        Enable requestAnimationFrame on Windows
        https://bugs.webkit.org/show_bug.cgi?id=68397

        Reviewed by Simon Fraser.

        Enabled REQUEST_ANIMATION_FRAME_TIMER for Windows.

        * wtf/Platform.h:

2011-09-26  Noel Gordon

        [Chromium] Remove DFGAliasTracker.h references from gyp project files
        https://bugs.webkit.org/show_bug.cgi?id=68787

        Reviewed by Geoffrey Garen.

        DFG/DFGAliasTracker.h was removed in r95389. Clean up (remove) references to that file from the gyp project files.

        * JavaScriptCore.gypi:

2011-09-26  Zoltan Herczeg

        [Qt] REGRESSION(r95865): It made 4 tests crash
        https://bugs.webkit.org/show_bug.cgi?id=68780

        Reviewed by Oliver Hunt.

        emitJumpSlowCaseIfNotJSCell(...) cannot be moved away since the next load depends on it.

        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_val):

2011-09-25  Mark Hahnenberg

        Add custom vtable struct to ClassInfo struct
        https://bugs.webkit.org/show_bug.cgi?id=68567

        Reviewed by Oliver Hunt.

        Declared/defined the MethodTable struct and added it to the ClassInfo struct. Also defined the CREATE_METHOD_TABLE macro to generate these method tables succinctly where they need to be defined. Also added to it the first function to use this macro, visitChildren. This is part of the process of getting rid of all C++ virtual methods in JSCell. Eventually all virtual functions in JSCell that can't easily be converted to non-virtual functions will be put into this custom vtable structure.

        * runtime/ClassInfo.h:

        Added the CREATE_METHOD_TABLE macro call as the last argument to each of the ClassInfo structs declared in these classes. This saves us from having to visit each s_info definition in the future when we add more methods to the MethodTable.

        * API/JSCallbackConstructor.cpp:
        * API/JSCallbackFunction.cpp:
        * API/JSCallbackObject.cpp:
        * JavaScriptCore.exp:
        * runtime/Arguments.cpp:
        * runtime/ArrayConstructor.cpp:
        * runtime/ArrayPrototype.cpp:
        * runtime/BooleanObject.cpp:
        * runtime/BooleanPrototype.cpp:
        * runtime/DateConstructor.cpp:
        * runtime/DateInstance.cpp:
        * runtime/DatePrototype.cpp:
        * runtime/ErrorInstance.cpp:
        * runtime/ErrorPrototype.cpp:
        * runtime/ExceptionHelpers.cpp:
        * runtime/Executable.cpp:
        * runtime/GetterSetter.cpp:
        * runtime/InternalFunction.cpp:
        * runtime/JSAPIValueWrapper.cpp:
        * runtime/JSActivation.cpp:
        * runtime/JSArray.cpp:
        * runtime/JSByteArray.cpp:
        * runtime/JSFunction.cpp:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSONObject.cpp:
        * runtime/JSObject.cpp:
        * runtime/JSPropertyNameIterator.cpp:
        * runtime/JSString.cpp:
        * runtime/MathObject.cpp:
        * runtime/NativeErrorConstructor.cpp:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberObject.cpp:
        * runtime/NumberPrototype.cpp:
        * runtime/ObjectConstructor.cpp:
        * runtime/ObjectPrototype.cpp:
        * runtime/RegExp.cpp:
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpObject.cpp:
        * runtime/RegExpPrototype.cpp:
        * runtime/ScopeChain.cpp:
        * runtime/StringConstructor.cpp:
        * runtime/StringObject.cpp:
        * runtime/StringPrototype.cpp:
        * runtime/Structure.cpp:
        * runtime/StructureChain.cpp:

        Had to make visitChildren and visitChildrenVirtual protected instead of private because some of the subclasses of JSWrapperObject need access to JSWrapperObject's visitChildren function pointer in their vtable since they don't provide their own implementation. Same for RegExpObject.
        * runtime/JSWrapperObject.h:
        * runtime/RegExpObject.h:

2011-09-25  Adam Barth

        Finish removing PLATFORM(BREWMP) by removing associated code
        https://bugs.webkit.org/show_bug.cgi?id=68779

        Reviewed by Sam Weinig.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:
        * JavaScriptCore.gypi:
        * gyp/JavaScriptCore.gyp:
        * wscript:
        * wtf/FastMalloc.cpp:
        (WTF::fastMallocSize):
        * wtf/Vector.h:
        * wtf/brew: Removed.
        * wtf/brew/MainThreadBrew.cpp: Removed.
        * wtf/brew/OwnPtrBrew.cpp: Removed.
        * wtf/brew/RefPtrBrew.h: Removed.
        * wtf/brew/ShellBrew.h: Removed.
        * wtf/brew/StringBrew.cpp: Removed.
        * wtf/brew/SystemMallocBrew.h: Removed.
        * wtf/unicode/brew: Removed.
        * wtf/unicode/brew/UnicodeBrew.cpp: Removed.
        * wtf/unicode/brew/UnicodeBrew.h: Removed.

2011-09-25  Filip Pizlo

        DFG JIT does not count speculation successes correctly
        https://bugs.webkit.org/show_bug.cgi?id=68785

        Reviewed by Geoffrey Garen.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileBody):
        * dfg/DFGOperations.cpp:

2011-09-25  Filip Pizlo

        DFG support for op_resolve_global is not enabled
        https://bugs.webkit.org/show_bug.cgi?id=68786

        Reviewed by Geoffrey Garen.

        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):

2011-09-25  Filip Pizlo

        DFG static prediction code is no longer needed and should be removed
        https://bugs.webkit.org/show_bug.cgi?id=68784

        Reviewed by Oliver Hunt.

        This gets rid of static prediction code, and ensures that we do not try to compile code where dynamic predictions are not available. This is accomplished by immediately performing an OSR exit wherever a value is retrieved for which no predictions exist. This also adds value profiling for this on functions used for calls. The heuristics for deciding when to optimize code are also tweaked, since it is now profitable to optimize sooner. This may need to be tweaked further, but this patch only makes minimal changes.

        This results in a 16% speed-up on Kraken/ai-astar, leading to a 3% overall win on Kraken. It's neutral elsewhere.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::shouldOptimizeNow):
        (JSC::CodeBlock::dumpValueProfiles):
        * bytecode/CodeBlock.h:
        * bytecode/PredictedType.cpp:
        (JSC::predictionToString):
        * bytecode/PredictedType.h:
        (JSC::isCellPrediction):
        (JSC::isObjectPrediction):
        (JSC::isFinalObjectPrediction):
        (JSC::isStringPrediction):
        (JSC::isArrayPrediction):
        (JSC::isInt32Prediction):
        (JSC::isDoublePrediction):
        (JSC::isNumberPrediction):
        (JSC::isBooleanPrediction):
        (JSC::mergePredictions):
        * bytecode/PredictionTracker.h:
        (JSC::PredictionTracker::predictArgument):
        (JSC::PredictionTracker::predict):
        (JSC::PredictionTracker::predictGlobalVar):
        * bytecode/ValueProfile.cpp:
        (JSC::ValueProfile::computeUpdatedPrediction):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::set):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::getPrediction):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predict):
        (JSC::DFG::Graph::predictGlobalVar):
        (JSC::DFG::Graph::getMethodCheckPrediction):
        (JSC::DFG::Graph::getJSConstantPrediction):
        (JSC::DFG::Graph::getPrediction):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::writeBarrier):
        (JSC::DFG::JITCodeGenerator::emitBranch):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::getPrediction):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::valueOfJSConstantNode):
        (JSC::DFG::Node::isInt32Constant):
        (JSC::DFG::Node::isDoubleConstant):
        (JSC::DFG::Node::isNumberConstant):
        (JSC::DFG::Node::isBooleanConstant):
        (JSC::DFG::Node::predict):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::Propagator):
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::isPredictedNumerical):
        (JSC::DFG::Propagator::logicalNotIsPure):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::shouldSpeculateInteger):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateNumber):
        (JSC::DFG::SpeculativeJIT::shouldNotSpeculateInteger):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateFinalObject):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateArray):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateObject):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateCell):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):

2011-09-25  Filip Pizlo

        DFG JIT Construct opcode takes a this argument even though it's not passed
        https://bugs.webkit.org/show_bug.cgi?id=68782

        Reviewed by Oliver Hunt.

        This is performance-neutral, mostly. It's a slight speed-up on v8-splay.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addCall):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):

2011-09-25  Filip Pizlo

        DFG tracking of the value in cachedResultRegister does not handle op_mov correctly
        https://bugs.webkit.org/show_bug.cgi?id=68781

        Reviewed by Oliver Hunt.

        This takes the simplest approach: it makes the old JIT dumber rather than making the DFG JIT smarter. This is performance-neutral.

        * jit/JIT.h:
        (JSC::JIT::canBeOptimized):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_mov):

2011-09-25  Adam Barth

        Remove PLATFORM(HAIKU) and associated code
        https://bugs.webkit.org/show_bug.cgi?id=68774

        Reviewed by Sam Weinig.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:
        * JavaScriptCore.gypi:
        * gyp/JavaScriptCore.gyp:
        * heap/MachineStackMarker.cpp:
        * wtf/PageAllocation.h:
        * wtf/Platform.h:
        * wtf/StackBounds.cpp:
        * wtf/haiku: Removed.
        * wtf/haiku/MainThreadHaiku.cpp: Removed.
        * wtf/haiku/StringHaiku.cpp: Removed.
        * wtf/text/WTFString.h:

2011-09-24  Adam Barth

        Always enable ENABLE(OFFLINE_WEB_APPLICATIONS)
        https://bugs.webkit.org/show_bug.cgi?id=68767

        Reviewed by Eric Seidel.

        * Configurations/FeatureDefines.xcconfig:

2011-09-24  Filip Pizlo

        JIT implementation of put_by_val increments m_length instead of setting it to index+1
        https://bugs.webkit.org/show_bug.cgi?id=68766

        Reviewed by Geoffrey Garen.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_val):

2011-09-24  Geoffrey Garen

        More build fixage.

        * heap/ConservativeRoots.cpp: Our system of #includes, it is chaos.

2011-09-24  Filip Pizlo

        The DFG should not attempt to guess types in the absence of value profiles
        https://bugs.webkit.org/show_bug.cgi?id=68677

        Reviewed by Oliver Hunt.

        This adds the ForceOSRExit node, which is ignored by the propagator and virtual register allocator (and hence ensuring that liveness analysis works correctly), but forces terminateSpeculativeExecution() in the back-end.

        This appears to be a slight speed-up on benchmark averages, with ~5% swings on individual benchmarks, in both directions. But it's never a regression on any average, and appears to be a ~1% progression in the SunSpider average.

        This also adds a bit better debugging support in the old JIT and in DFG, as this was necessary to debug the much more frequent OSR transitions that occur with this change.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::getStrongPrediction):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:

2011-09-24  Geoffrey Garen

        Some Windows build fixage.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::sweep):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::isLive): Show the compiler that all control paths return a value. There, there, compiler. Everything's going to be OK.
        * runtime/JSCell.h:
        (JSC::JSCell::setVPtr): Oops! Unrename this function.

2011-09-24  Geoffrey Garen

        Allocate new objects unmarked
        https://bugs.webkit.org/show_bug.cgi?id=68764

        Reviewed by Oliver Hunt.
        This is a pre-requisite to using the mark bit to determine object age.

        ~2% v8 speedup, mostly due to a 12% v8-splay speedup.

        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::isLive):
        (JSC::MarkedBlock::isLiveCell): These two functions are the reason for this patch. They can now determine object liveness without relying on newly allocated objects having their mark bits set. Each MarkedBlock now has a state variable that tells us how to determine whether its cells are live. (This new state variable supersedes the old one about destructor state. The rest of this patch is just refactoring to support the invariants of this new state variable without introducing a performance regression.)
        (JSC::MarkedBlock::didConsumeFreeList): New function for updating internal state when a block becomes fully allocated.
        (JSC::MarkedBlock::clearMarks): Folded a state change to 'Marked' into this function because, logically, clearing all mark bits is the first step in saying "mark bits now exactly reflect object liveness".
        (JSC::MarkedBlock::markCountIsZero): Renamed from isEmpty() to clarify that this function only tells you about the mark bits, so it's only meaningful if you've put the mark bits into a meaningful state before calling it.
        (JSC::MarkedBlock::forEachCell): Changed to use isLive() helper function instead of testing mark bits, since mark bits are not always the right way to find out if an object is live anymore. (New objects are live, but not marked.)
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::recycle):
        (JSC::MarkedBlock::MarkedBlock): Folded all initialization -- even initialization when recycling an old block -- into the MarkedBlock constructor, for simplicity.
        (JSC::MarkedBlock::callDestructor): Inlined for speed. Always check for a zapped cell before running a destructor, and always zap after running a destructor. This does not seem to be expensive, and the alternative just creates a too-confusing matrix of possible cell states ((zombie undestructed cell + zombie destructed cell + zapped destructed cell) * 5! permutations for progressing through block states = "Oh my!").
        (JSC::MarkedBlock::specializedSweep):
        (JSC::MarkedBlock::sweep): Maintained and expanded a pre-existing optimization to use template specialization to constant fold lots of branches and elide certain operations entirely during a sweep. Merged four or five functions that were logically about sweeping into this one function pair, so there's only one way to do things now, it's automatically correct, and it's always fast.
        (JSC::MarkedBlock::zapFreeList): Renamed this function to be more explicit about exactly what it does, and to honor the new block state system.
        * heap/AllocationSpace.cpp:
        (JSC::AllocationSpace::allocateBlock): Updated for rename.
        (JSC::AllocationSpace::freeBlocks): Updated for changed interface.
        (JSC::TakeIfUnmarked::TakeIfUnmarked):
        (JSC::TakeIfUnmarked::operator()):
        (JSC::TakeIfUnmarked::returnValue): Just like isEmpty() above, renamed to clarify that this functor only tests the mark bits, so it's only valid if you've put the mark bits into a meaningful state before calling it.
        (JSC::AllocationSpace::shrink): Updated for rename.
        * heap/AllocationSpace.h:
        (JSC::AllocationSpace::canonicalizeCellLivenessData): Renamed to be a little more specific about what we're making canonical.
        (JSC::AllocationSpace::forEachCell): Updated for rename.
        (JSC::AllocationSpace::forEachBlock): No need to canonicalize cell liveness data before iterating blocks -- clients that want iterated blocks to have valid cell liveness data should make this call for themselves. (And not all clients want it.)
        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::genericAddPointer): Updated for rename. Removed obsolete comment.
        * heap/Heap.cpp:
        (JSC::CountFunctor::ClearMarks::operator()): Removed call to notify...() because clearMarks() now does that implicitly.
        (JSC::Heap::destroy): Make sure to canonicalize before tear-down, since tear-down tests cell liveness when running destructors.
        (JSC::Heap::markRoots):
        (JSC::Heap::collect): Moved weak reference harvesting out of markRoots() and into collect, since it strictly depends on root marking, and does not contribute to root marking.
        (JSC::Heap::canonicalizeCellLivenessData): Renamed to be a little more specific about what we're making canonical.
        * heap/Heap.h:
        (JSC::Heap::forEachProtectedCell): No need to canonicalize cell liveness data before iterating protected cells, since we know they're all live, and don't need to test for it.
        * heap/Local.h:
        (JSC::::set): Can't make the same ASSERT we used to because we just don't have the mark bits for it anymore. Perhaps we can bring this ASSERT back in a weaker form in the future.
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::addBlock):
        (JSC::MarkedSpace::removeBlock): Updated for interface change.
        (JSC::MarkedSpace::canonicalizeCellLivenessData): Renamed to be a little more specific about what we're making canonical.
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::allocate):
        (JSC::MarkedSpace::SizeClass::SizeClass):
        (JSC::MarkedSpace::SizeClass::resetAllocator):
        (JSC::MarkedSpace::SizeClass::zapFreeList): Simplified this allocator functionality a bit. We now track only one block -- "currentBlock" -- and rely on its internal state to know whether it has more cells to allocate.
        * heap/Weak.h:
        (JSC::Weak::set): Can't make the same ASSERT we used to because we just don't have the mark bits for it anymore. Perhaps we can bring this ASSERT back in a weaker form in the future.
        * runtime/JSCell.h:
        (JSC::JSCell::vptr):
        (JSC::JSCell::zap):
        (JSC::JSCell::isZapped):
        (JSC::isZapped): Made zapping a property of JSCell, for a little abstraction. In the future, exactly how a JSCell zaps itself will change, as the internal representation of JSCell changes.

2011-09-24  Filip Pizlo

        DFG JIT should not eagerly initialize integer tags in the register file
        https://bugs.webkit.org/show_bug.cgi?id=68763

        Reviewed by Oliver Hunt.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::ValueRecovery::dump):
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::ValueRecovery::alreadyInRegisterFileAsUnboxedInt32):
        (JSC::DFG::OSRExit::operandForArgument):
        (JSC::DFG::OSRExit::operandForIndex):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):

2011-09-23  Yuqiang Xian

        Add JSVALUE32_64 support to DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=67460

        Reviewed by Gavin Barraclough.

        This is the initial attempt to add JSVALUE32_64 support to DFG JIT. It's tested on IA32 Linux EFL port currently. It still cannot run all the test cases and benchmarks so should be turned off now.

        The major work includes:
        1) dealing with JSVALUE32_64 data format in DFG JIT;
        2) bindings between 64-bit JS Value and 32-bit registers;
        3) handling of function calls. Currently for DFG operation function calls we follow the X86 cdecl calling convention on Linux, and the implementation is in a naive way by pushing the arguments into stack one by one.

        The known issues include:
        1) some code duplicates unnecessarily, especially in Speculative JIT code generation, where most of the operations on SpeculateInteger / SpeculateDouble should be identical to the JSVALUE64 code.
        Refactoring is needed in the future;
        2) lack of op_call and op_construct support, compared to current JSVALUE64 DFG;
        3) currently integer speculations assume to be StrictInt32;
        4) lack of JSBoolean speculations;
        5) boxing and unboxing doubles could be improved;
        6) DFG X86 register description is different from the baseline JIT, the timeoutCheckRegister is used for general purpose usage;
        7) calls to runtime functions with primitive double parameters (e.g. fmod) don't work. Support needs to be added to the assembler to implement the mechanism of passing double parameters for X86 cdecl convention.
        And there should be many other hidden bugs which should be exposed and resolved in later debugging process.

        * CMakeListsEfl.txt:
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::loadDouble):
        (JSC::MacroAssemblerX86::storeDouble):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::movsd_rm):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGFPRInfo.h:
        (JSC::DFG::FPRInfo::debugName):
        * dfg/DFGGPRInfo.h:
        (JSC::DFG::GPRInfo::toRegister):
        (JSC::DFG::GPRInfo::toIndex):
        (JSC::DFG::GPRInfo::debugName):
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::needDataFormatConversion):
        (JSC::DFG::GenerationInfo::initJSValue):
        (JSC::DFG::GenerationInfo::initDouble):
        (JSC::DFG::GenerationInfo::gpr):
        (JSC::DFG::GenerationInfo::tagGPR):
        (JSC::DFG::GenerationInfo::payloadGPR):
        (JSC::DFG::GenerationInfo::fpr):
        (JSC::DFG::GenerationInfo::fillJSValue):
        (JSC::DFG::GenerationInfo::fillCell):
        (JSC::DFG::GenerationInfo::fillDouble):
        * dfg/DFGJITCodeGenerator.cpp:
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::allocate):
        (JSC::DFG::JITCodeGenerator::use):
        (JSC::DFG::JITCodeGenerator::registersMatched):
        (JSC::DFG::JITCodeGenerator::silentSpillGPR):
        (JSC::DFG::JITCodeGenerator::silentFillGPR):
        (JSC::DFG::JITCodeGenerator::silentFillFPR):
        (JSC::DFG::JITCodeGenerator::silentSpillAllRegisters):
        (JSC::DFG::JITCodeGenerator::silentFillAllRegisters):
        (JSC::DFG::JITCodeGenerator::boxDouble):
        (JSC::DFG::JITCodeGenerator::unboxDouble):
        (JSC::DFG::JITCodeGenerator::spill):
        (JSC::DFG::addressOfDoubleConstant):
        (JSC::DFG::integerResult):
        (JSC::DFG::jsValueResult):
        (JSC::DFG::setupResults):
        (JSC::DFG::callOperation):
        (JSC::JSValueOperand::JSValueOperand):
        (JSC::JSValueOperand::~JSValueOperand):
        (JSC::JSValueOperand::isDouble):
        (JSC::JSValueOperand::fill):
        (JSC::JSValueOperand::tagGPR):
        (JSC::JSValueOperand::payloadGPR):
        (JSC::JSValueOperand::fpr):
        (JSC::GPRTemporary::~GPRTemporary):
        (JSC::GPRTemporary::gpr):
        (JSC::GPRResult2::GPRResult2):
        * dfg/DFGJITCodeGenerator32_64.cpp: Added.
        (JSC::DFG::JITCodeGenerator::clearGenerationInfo):
        (JSC::DFG::JITCodeGenerator::fillInteger):
        (JSC::DFG::JITCodeGenerator::fillDouble):
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        (JSC::DFG::JITCodeGenerator::fillStorage):
        (JSC::DFG::JITCodeGenerator::useChildren):
        (JSC::DFG::JITCodeGenerator::isStrictInt32):
        (JSC::DFG::JITCodeGenerator::isKnownInteger):
        (JSC::DFG::JITCodeGenerator::isKnownNumeric):
        (JSC::DFG::JITCodeGenerator::isKnownCell):
        (JSC::DFG::JITCodeGenerator::isKnownNotInteger):
        (JSC::DFG::JITCodeGenerator::isKnownNotNumber):
        (JSC::DFG::JITCodeGenerator::isKnownBoolean):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeUInt32ToNumber):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeArithMod):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeCheckHasInstance):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeInstanceOf):
        (JSC::DFG::JITCodeGenerator::cachedGetById):
        (JSC::DFG::JITCodeGenerator::writeBarrier):
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        (JSC::DFG::JITCodeGenerator::cachedGetMethod):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeCompareNull):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeStrictEq):
        (JSC::DFG::JITCodeGenerator::emitBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeLogicalNot):
        (JSC::DFG::JITCodeGenerator::emitCall):
        (JSC::DFG::JITCodeGenerator::speculationCheck):
        (JSC::DFG::dataFormatString):
        (JSC::DFG::JITCodeGenerator::dump):
        (JSC::DFG::JITCodeGenerator::checkConsistency):
        (JSC::DFG::GPRTemporary::GPRTemporary):
        (JSC::DFG::FPRTemporary::FPRTemporary):
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::tagForGlobalVar):
        (JSC::DFG::JITCompiler::payloadForGlobalVar):
        (JSC::DFG::JITCompiler::appendCallWithExceptionCheck):
        (JSC::DFG::JITCompiler::addressOfDoubleConstant):
        (JSC::DFG::JITCompiler::boxDouble):
        (JSC::DFG::JITCompiler::unboxDouble):
        (JSC::DFG::JITCompiler::addPropertyAccess):
        (JSC::DFG::JITCompiler::PropertyAccessRecord::PropertyAccessRecord):
        * dfg/DFGJITCompiler32_64.cpp: Added.
        (JSC::DFG::JITCompiler::fillNumericToDouble):
        (JSC::DFG::JITCompiler::fillInt32ToInteger):
        (JSC::DFG::JITCompiler::fillToJS):
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileBody):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::jitAssertIsInt32):
        (JSC::DFG::JITCompiler::jitAssertIsJSInt32):
        (JSC::DFG::JITCompiler::jitAssertIsJSNumber):
        (JSC::DFG::JITCompiler::jitAssertIsJSDouble):
        (JSC::DFG::JITCompiler::jitAssertIsCell):
        (JSC::DFG::JITCompiler::emitCount):
        (JSC::DFG::JITCompiler::setSamplingFlag):
        (JSC::DFG::JITCompiler::clearSamplingFlag):
        * dfg/DFGJITCompilerInlineMethods.h: Added.
        (JSC::DFG::JITCompiler::emitLoadTag):
        (JSC::DFG::JITCompiler::emitLoadPayload):
        (JSC::DFG::JITCompiler::emitLoad):
        (JSC::DFG::JITCompiler::emitLoad2):
        (JSC::DFG::JITCompiler::emitLoadDouble):
        (JSC::DFG::JITCompiler::emitLoadInt32ToDouble):
        (JSC::DFG::JITCompiler::emitStore):
        (JSC::DFG::JITCompiler::emitStoreInt32):
        (JSC::DFG::JITCompiler::emitStoreCell):
        (JSC::DFG::JITCompiler::emitStoreBool):
        (JSC::DFG::JITCompiler::emitStoreDouble):
        * dfg/DFGNode.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::generateProtoChainAccessStub):
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDList):
        (JSC::DFG::tryCachePutByID):
        * dfg/DFGSpeculativeJIT.cpp:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::ValueRecovery::inGPR):
        (JSC::DFG::ValueRecovery::inPair):
        (JSC::DFG::ValueRecovery::tagGPR):
        (JSC::DFG::ValueRecovery::payloadGPR):
        * dfg/DFGSpeculativeJIT32_64.cpp: Added.
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::ValueSource::dump):
        (JSC::DFG::ValueRecovery::dump):
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::OSRExit::dump):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
        (JSC::DFG::SpeculativeJIT::convertToDouble):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::initializeVariableTypes):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * runtime/JSValue.h:

2011-09-23  Filip Pizlo

        wtf/BitVector.h has a variety of bugs which manifest when the vector grows beyond 63 bits
        https://bugs.webkit.org/show_bug.cgi?id=68746

        Reviewed by Oliver Hunt.

        Out-of-lined slow path code in BitVector so that not every user of CodeBlock ends up having to compile it. Fixed a variety of index computation and size computation bugs. I have not seen these issues manifest themselves, but they are blocking a patch that uses BitVector more aggressively.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/BitVector.cpp: Added.
        (BitVector::BitVector):
        (BitVector::operator=):
        (BitVector::resize):
        (BitVector::clearAll):
        (BitVector::OutOfLineBits::create):
        (BitVector::OutOfLineBits::destroy):
        (BitVector::resizeOutOfLine):
        * wtf/BitVector.h:
        (WTF::BitVector::ensureSize):
        (WTF::BitVector::get):
        (WTF::BitVector::set):
        (WTF::BitVector::clear):
        (WTF::BitVector::byteCount):
        (WTF::BitVector::OutOfLineBits::numWords):
        (WTF::BitVector::OutOfLineBits::bits):
        (WTF::BitVector::outOfLineBits):
        * wtf/CMakeLists.txt:
        * wtf/wtf.pri:

2011-09-23  Adam Klein

        Add ENABLE_MUTATION_OBSERVERS feature flag
        https://bugs.webkit.org/show_bug.cgi?id=68732

        Reviewed by Ojan Vafai.

        This flag will guard an implementation of the "Mutation Observers" proposed in
        http://lists.w3.org/Archives/Public/public-webapps/2011JulSep/1622.html

        * Configurations/FeatureDefines.xcconfig:

2011-09-23  Mark Hahnenberg

        De-virtualize JSCell::getJSNumber
        https://bugs.webkit.org/show_bug.cgi?id=68651

        Reviewed by Oliver Hunt.

        Added a new JSType to check whether or not something is a NumberObject (which includes NumberPrototype) in TypeInfo::isNumberObject because there's not currently a better way to determine whether something is indeed a NumberObject. Also de-virtualized JSCell::getJSNumber, having it check the TypeInfo for whether the object is a NumberObject or not. This patch is part of the larger process of de-virtualizing JSCell.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/JSCell.cpp:
        (JSC::JSCell::getJSNumber):
        * runtime/JSCell.h:
        (JSC::JSValue::getJSNumber):
        * runtime/JSType.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::isNumberObject):
        * runtime/JSValue.h:
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::getJSNumber):
        * runtime/NumberObject.h:
        (JSC::NumberObject::createStructure):
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::createStructure):

2011-09-23  Filip Pizlo

        Resolve opcodes should have value profiling.
        https://bugs.webkit.org/show_bug.cgi?id=68723

        Reviewed by Oliver Hunt.

        This adds value profiling to all forms of op_resolve in the old JIT, and patches that information into the DFG along with performing the appropriate type propagation.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predict):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::resolveGlobalDataIndex):
        (JSC::DFG::Node::hasPrediction):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_resolve):
        (JSC::JIT::emit_op_resolve_base):
        (JSC::JIT::emit_op_resolve_skip):
        (JSC::JIT::emit_op_resolve_global):
        (JSC::JIT::emitSlow_op_resolve_global):
        (JSC::JIT::emit_op_resolve_with_base):
        (JSC::JIT::emit_op_resolve_with_this):
        (JSC::JIT::emitSlow_op_resolve_global_dynamic):
        * jit/JITStubCall.h:
        (JSC::JITStubCall::callWithValueProfiling):

2011-09-23  Oliver Hunt

        Fix windows build.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-09-23  Gavin Barraclough

        Strict mode does not work in non-trivial nested functions.
        https://bugs.webkit.org/show_bug.cgi?id=68740

        Reviewed by Oliver Hunt.

        Function-info caching does not preserve all state that it should.

        * parser/JSParser.cpp:
        (JSC::JSParser::Scope::saveFunctionInfo):
        (JSC::JSParser::Scope::restoreFunctionInfo):
        (JSC::JSParser::parseFunctionInfo):
        * parser/SourceProviderCacheItem.h:

2011-09-23  Filip Pizlo

        ValueToDouble handling in prediction propagation should be ASSERT_NOT_REACHED
        https://bugs.webkit.org/show_bug.cgi?id=68724

        Reviewed by Oliver Hunt.

        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):

2011-09-23  Oliver Hunt

        Build fix.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-09-23  Filip Pizlo

        DFG implementation of PutScopedVar corrupts register allocation
        https://bugs.webkit.org/show_bug.cgi?id=68735

        Reviewed by Oliver Hunt.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-23  Oliver Hunt

        Make write barriers actually do something when enabled
        https://bugs.webkit.org/show_bug.cgi?id=68717

        Reviewed by Geoffrey Garen.

        Add a basic card marking style write barrier to JSC (currently turned off). This requires two scratch registers in the JIT so there was some register re-arranging to satisfy that requirement. Happily this produced a minor perf bump in sunspider (~0.5%). Turning the barriers on causes an overall regression of around 1.5%.

        * JavaScriptCore.exp:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::store8):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::movb_i8m):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::isKnownNotCell):
        (JSC::DFG::JITCodeGenerator::writeBarrier):
        (JSC::DFG::JITCodeGenerator::markCellCard):
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCachePutByID):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * heap/CardSet.h: Added.
        (JSC::CardSet::CardSet):
        (JSC::::cardForAtom):
        (JSC::::cardMarkedForAtom):
        (JSC::::markCardForAtom):
        * heap/Heap.cpp:
        * heap/Heap.h:
        (JSC::Heap::addressOfCardFor):
        (JSC::Heap::writeBarrierFastCase):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::setDirtyObject):
        (JSC::MarkedBlock::addressOfCardFor):
        (JSC::MarkedBlock::offsetOfCards):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::emit_op_put_scoped_var):
        (JSC::JIT::emit_op_put_global_var):
        (JSC::JIT::emitWriteBarrier):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::emit_op_put_scoped_var):
        (JSC::JIT::emit_op_put_global_var):

2011-09-23  Thouraya ANDOLSI

        https://bugs.webkit.org/show_bug.cgi?id=68077
        SH4 assemblers don't refer to the executable memory handle.

        Reviewed by Gavin Barraclough.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branch8):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::executableCopy):

2011-09-23  Oliver Hunt

        PutScopedVar nodes should report that they have a var number
        https://bugs.webkit.org/show_bug.cgi?id=68721

        Reviewed by Anders Carlsson.

        Another assertion fix.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasVarNumber):

2011-09-23  Oliver Hunt

        Add a bunch of unhandled node types to the propagator
        https://bugs.webkit.org/show_bug.cgi?id=68716

        Reviewed by Darin Adler.

        Remove the ASSERT_NOT_REACHED() default for debug builds in the prediction propagator; this way unhandled nodes will just cause compile time failures rather than failing at some point in the future.

        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):

2011-09-23  Mark Hahnenberg

        Add static version of JSCell::visitChildren
        https://bugs.webkit.org/show_bug.cgi?id=68404

        Reviewed by Darin Adler.
In this patch we just extract the bodies of the virtual visitChildren methods throughout the JSCell inheritance hierarchy out into static methods, which are now called from the virtual methods. This is an intermediate step in trying to move the virtual-ness of visitChildren into our own custom vtable stored in ClassInfo. We need to convert the methods to static methods in order to be able to more easily store and refer to them in our custom vtable since normal member methods store some implicit information in their types, making it impossible to store them generically in ClassInfo. * API/JSCallbackObject.h: (JSC::JSCallbackObject::visitChildrenVirtual): (JSC::JSCallbackObject::visitChildren): * JavaScriptCore.exp: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: * debugger/DebuggerActivation.cpp: (JSC::DebuggerActivation::visitChildrenVirtual): (JSC::DebuggerActivation::visitChildren): * debugger/DebuggerActivation.h: * heap/MarkStack.cpp: (JSC::SlotVisitor::visitChildren): (JSC::SlotVisitor::drain): * runtime/Arguments.cpp: (JSC::Arguments::visitChildrenVirtual): (JSC::Arguments::visitChildren): * runtime/Arguments.h: * runtime/Executable.cpp: (JSC::EvalExecutable::visitChildrenVirtual): (JSC::EvalExecutable::visitChildren): (JSC::ProgramExecutable::visitChildrenVirtual): (JSC::ProgramExecutable::visitChildren): (JSC::FunctionExecutable::visitChildrenVirtual): (JSC::FunctionExecutable::visitChildren): * runtime/Executable.h: * runtime/GetterSetter.cpp: (JSC::GetterSetter::visitChildrenVirtual): (JSC::GetterSetter::visitChildren): * runtime/GetterSetter.h: * runtime/JSActivation.cpp: (JSC::JSActivation::visitChildrenVirtual): (JSC::JSActivation::visitChildren): * runtime/JSActivation.h: * runtime/JSArray.cpp: (JSC::JSArray::visitChildrenVirtual): (JSC::JSArray::visitChildren): * runtime/JSArray.h: * runtime/JSBoundFunction.cpp: (JSC::JSBoundFunction::visitChildrenVirtual): (JSC::JSBoundFunction::visitChildren): * runtime/JSBoundFunction.h: * 
runtime/JSCell.h: (JSC::JSCell::visitChildrenVirtual): (JSC::JSCell::visitChildren): * runtime/JSFunction.cpp: (JSC::JSFunction::visitChildrenVirtual): (JSC::JSFunction::visitChildren): * runtime/JSFunction.h: * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::visitChildrenVirtual): (JSC::JSGlobalObject::visitChildren): * runtime/JSGlobalObject.h: * runtime/JSObject.cpp: (JSC::JSObject::visitChildrenVirtual): (JSC::JSObject::visitChildren): * runtime/JSObject.h: (JSC::JSObject::visitChildrenDirect): * runtime/JSPropertyNameIterator.cpp: (JSC::JSPropertyNameIterator::visitChildrenVirtual): (JSC::JSPropertyNameIterator::visitChildren): * runtime/JSPropertyNameIterator.h: * runtime/JSStaticScopeObject.cpp: (JSC::JSStaticScopeObject::visitChildrenVirtual): (JSC::JSStaticScopeObject::visitChildren): * runtime/JSStaticScopeObject.h: * runtime/JSWrapperObject.cpp: (JSC::JSWrapperObject::visitChildrenVirtual): (JSC::JSWrapperObject::visitChildren): * runtime/JSWrapperObject.h: * runtime/NativeErrorConstructor.cpp: (JSC::NativeErrorConstructor::visitChildrenVirtual): (JSC::NativeErrorConstructor::visitChildren): * runtime/NativeErrorConstructor.h: * runtime/RegExpObject.cpp: (JSC::RegExpObject::visitChildrenVirtual): (JSC::RegExpObject::visitChildren): * runtime/RegExpObject.h: * runtime/ScopeChain.cpp: (JSC::ScopeChainNode::visitChildrenVirtual): (JSC::ScopeChainNode::visitChildren): * runtime/ScopeChain.h: * runtime/Structure.cpp: (JSC::Structure::visitChildrenVirtual): (JSC::Structure::visitChildren): * runtime/Structure.h: * runtime/StructureChain.cpp: (JSC::StructureChain::visitChildrenVirtual): (JSC::StructureChain::visitChildren): * runtime/StructureChain.h: 2011-09-23 Oliver Hunt Node propagation doesn't handle PutScopedVar https://bugs.webkit.org/show_bug.cgi?id=68713 Reviewed by Sam Weinig. This was causing assertion failures. 
* dfg/DFGPropagator.cpp: (JSC::DFG::Propagator::propagateNodePredictions): 2011-09-23 Anders Carlsson Make sure to define OVERRIDE and FINAL for older builds of clang. * wtf/Compiler.h: 2011-09-23 Gavin Barraclough Implement op_resolve_global in the DFG JIT https://bugs.webkit.org/show_bug.cgi?id=68704 Reviewed by Oliver Hunt. This is performance neutral, but increases coverage. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::ByteCodeParser): (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGNode.h: (JSC::DFG::Node::hasIdentifier): (JSC::DFG::Node::resolveInfoIndex): * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compile): 2011-09-23 Mark Rowe Define BUILDING_ON_LION / TARGETING_LION when appropriate in Platform.h. * wtf/Platform.h: 2011-09-22 Anders Carlsson We should add support for OVERRIDE and FINAL annotations https://bugs.webkit.org/show_bug.cgi?id=68654 Reviewed by David Hyatt. Add OVERRIDE and FINAL macros for compilers that support them. * wtf/Compiler.h: 2011-09-22 Filip Pizlo GetScopedVar should have value profiling https://bugs.webkit.org/show_bug.cgi?id=68676 Reviewed by Oliver Hunt. Added GetScopedVar value profiling and predictin propagation. Added GetScopeChain to CSE. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGGraph.h: (JSC::DFG::Graph::predict): * dfg/DFGNode.h: (JSC::DFG::Node::hasPrediction): * dfg/DFGPropagator.cpp: (JSC::DFG::Propagator::propagateNodePredictions): (JSC::DFG::Propagator::getScopeChainLoadElimination): (JSC::DFG::Propagator::performNodeCSE): * jit/JITPropertyAccess.cpp: (JSC::JIT::emit_op_get_scoped_var): 2011-09-22 Filip Pizlo PPC build fix, part 3. * runtime/Executable.cpp: (JSC::FunctionExecutable::compileForConstructInternal): 2011-09-22 Filip Pizlo Another PPC build fix. 
* runtime/Executable.cpp: * runtime/Executable.h: 2011-09-22 Dean Jackson Add ENABLE_CSS_FILTERS https://bugs.webkit.org/show_bug.cgi?id=68652 Reviewed by Simon Fraser. * Configurations/FeatureDefines.xcconfig: 2011-09-22 Gavin Barraclough Incorrect this value passed to callbacks. https://bugs.webkit.org/show_bug.cgi?id=68668 Reviewed by Oliver Hunt. From Array/String prototype function. Should be undefined, but global object is passed instead (this is visible for strict callbacks). * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncSort): (JSC::arrayProtoFuncFilter): (JSC::arrayProtoFuncMap): (JSC::arrayProtoFuncEvery): (JSC::arrayProtoFuncForEach): (JSC::arrayProtoFuncSome): * runtime/JSArray.cpp: (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key): (JSC::JSArray::sort): * runtime/StringPrototype.cpp: (JSC::stringProtoFuncReplace): 2011-09-22 Gavin Barraclough Function.prototype.bind.length shoudl be 1. Rubber stamped by Olier Hunt. * runtime/FunctionPrototype.cpp: (JSC::FunctionPrototype::addFunctionProperties): 2011-09-22 Filip Pizlo PPC build fix. * bytecode/CodeBlock.h: 2011-09-22 Gavin Barraclough Windows build fix pt. 2 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: 2011-09-22 Gavin Barraclough Windows build fix pt. 1 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: 2011-09-21 Filip Pizlo DFG JIT does not support to_primitive or strcat https://bugs.webkit.org/show_bug.cgi?id=68582 Reviewed by Darin Adler. This adds functional support for to_primitive and strcat. It focuses on minimizing the amount of code emitted on to_primitive (if we know that it is a primitive or can speculate cheaply, then we omit the slow path) and on keeping the implementation of strcat simple while leveraging whatever optimizations we have already. 
In particular, unlike the Call and Construct nodes which require extending the size of the DFG's callee registers, StrCat takes advantage of the fact that no JS code can run while StrCat is in progress and uses a scratch buffer, rather than the register file, to store the list of values to concatenate. This was done mainly to keep the code simple, but there are probably other benefits to keeping call frame sizes down. Essentially, this patch ensures that the presence of an op_strcat does not mess up any other optimizations we might do while ensuring that if you do execute it, it'll work about as well as you'd expect. When combined with the previous patch for integer division, this is a 14% speed-up on Kraken. Without it, it would have been a 2% loss. * assembler/AbstractMacroAssembler.h: (JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGCapabilities.h: (JSC::DFG::canCompileOpcode): * dfg/DFGJITCodeGenerator.h: (JSC::DFG::JITCodeGenerator::callOperation): * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::exitSpeculativeWithOSR): * dfg/DFGNode.h: * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPropagator.cpp: (JSC::DFG::Propagator::propagateNodePredictions): (JSC::DFG::Propagator::performNodeCSE): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compile): * runtime/JSGlobalData.cpp: (JSC::JSGlobalData::JSGlobalData): (JSC::JSGlobalData::~JSGlobalData): * runtime/JSGlobalData.h: (JSC::JSGlobalData::scratchBufferForSize): 2011-09-22 Filip Pizlo DFG JIT should support integer division https://bugs.webkit.org/show_bug.cgi?id=68597 Reviewed by Darin Adler. This adds support for ArithDiv speculating integer, and speculating that the result is integer (i.e. remainder = 0). This is a 4% win on Kraken and a 1% loss on V8. 
* bytecode/CodeBlock.h: * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::makeDivSafe): (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGNode.h: (JSC::DFG::Node::hasArithNodeFlags): * dfg/DFGPropagator.cpp: (JSC::DFG::Propagator::propagateArithNodeFlags): (JSC::DFG::Propagator::propagateNodePredictions): (JSC::DFG::Propagator::fixupNode): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compile): * jit/JITArithmetic.cpp: (JSC::JIT::emit_op_div): 2011-09-22 Oliver Hunt Implement put_scoped_var in the DFG jit https://bugs.webkit.org/show_bug.cgi?id=68653 Reviewed by Gavin Barraclough. Naive implementation of put_scoped_var. Same story as the get_scoped_var implementation, although I've hoisted scope object acquisition into a separate dfg node. Ideally in the future we would reuse the resolved scope chain object, but for now we don't. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGCapabilities.h: (JSC::DFG::canCompileOpcode): * dfg/DFGNode.h: (JSC::DFG::Node::hasScopeChainDepth): (JSC::DFG::Node::scopeChainDepth): * dfg/DFGPropagator.cpp: (JSC::DFG::Propagator::propagateNodePredictions): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compile): 2011-09-22 Gavin Barraclough Implement Function.prototype.bind https://bugs.webkit.org/show_bug.cgi?id=26382 Reviewed by Sam Weinig. This patch provides a basic functional implementation for Function.bind. It should (hopefully!) be fully functionally correct, and the bound functions can be called to quickly (since they are a subclass of JSFunction, not InternalFunction), but we'll probably want to follow up with some optimization work to keep bound calls in JIT code. 
* JavaScriptCore.JSVALUE32_64only.exp: * JavaScriptCore.JSVALUE64only.exp: * JavaScriptCore.exp: * JavaScriptCore.xcodeproj/project.pbxproj: * jit/JITStubs.cpp: (JSC::JITThunks::hostFunctionStub): * jit/JITStubs.h: * jsc.cpp: (GlobalObject::addFunction): * runtime/CommonIdentifiers.h: * runtime/ConstructData.h: * runtime/Executable.h: (JSC::NativeExecutable::NativeExecutable): * runtime/FunctionPrototype.cpp: (JSC::FunctionPrototype::addFunctionProperties): (JSC::functionProtoFuncBind): * runtime/FunctionPrototype.h: * runtime/JSBoundFunction.cpp: Added. (JSC::boundFunctionCall): (JSC::boundFunctionConstruct): (JSC::JSBoundFunction::create): (JSC::JSBoundFunction::hasInstance): (JSC::JSBoundFunction::getOwnPropertySlot): (JSC::JSBoundFunction::getOwnPropertyDescriptor): (JSC::JSBoundFunction::JSBoundFunction): (JSC::JSBoundFunction::finishCreation): * runtime/JSBoundFunction.h: Added. (JSC::JSBoundFunction::targetFunction): (JSC::JSBoundFunction::boundThis): (JSC::JSBoundFunction::boundArgs): (JSC::JSBoundFunction::createStructure): * runtime/JSFunction.cpp: (JSC::JSFunction::create): (JSC::JSFunction::finishCreation): (JSC::createDescriptorForThrowingProperty): (JSC::JSFunction::getOwnPropertySlot): * runtime/JSFunction.h: * runtime/JSGlobalData.cpp: (JSC::JSGlobalData::getHostFunction): * runtime/JSGlobalData.h: * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::reset): (JSC::JSGlobalObject::visitChildren): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::boundFunctionStructure): * runtime/Lookup.cpp: (JSC::setUpStaticFunctionSlot): 2011-09-22 Oliver Hunt Implement get_scoped_var in the DFG https://bugs.webkit.org/show_bug.cgi?id=68640 Reviewed by Gavin Barraclough. Naive implementation of get_scoped_var in the DFG. Essentially this is the bare minimum required to get correct behaviour, so there's no load/store coalescing or type profiling involved, even though these would be wins. No impact on SunSpider or V8. 
* dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGCapabilities.h: (JSC::DFG::canCompileOpcode): * dfg/DFGNode.h: (JSC::DFG::Node::hasVarNumber): (JSC::DFG::Node::hasScopeChainDepth): (JSC::DFG::Node::scopeChainDepth): * dfg/DFGPropagator.cpp: (JSC::DFG::Propagator::propagateNodePredictions): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compile): 2011-09-22 Adam Roben Remove FindSafari from all our .sln files It isn't used anymore, so there's no point in building it. Part of Remove FindSafari Reviewed by Steve Falkenburg. * JavaScriptCore.vcproj/JavaScriptCore.sln: 2011-09-22 Filip Pizlo 32-bit call code clobbers the function cell tag https://bugs.webkit.org/show_bug.cgi?id=68606 Reviewed by Csaba Osztrogonác. This is a minimalistic fix: it simply emits code to restore the cell tag on the slow path, if we know that we failed due to emitCallIfNotType. * jit/JITCall32_64.cpp: (JSC::JIT::compileOpCallVarargsSlowCase): (JSC::JIT::compileOpCallSlowCase): 2011-09-21 Gavin Barraclough Add missing addPtr->add32 mapping for X86. Rubber stamped by Sam Weinig. * assembler/MacroAssembler.h: (JSC::MacroAssembler::addPtr): 2011-09-21 Gavin Barraclough Add missing addDouble for AbsoluteAddress to X86 Rubber stamped by Geoff Garen. * assembler/MacroAssemblerX86.h: (JSC::MacroAssemblerX86::addDouble): * assembler/X86Assembler.h: (JSC::X86Assembler::addsd_mr): (JSC::X86Assembler::cvtsi2sd_rr): (JSC::X86Assembler::cvtsi2sd_mr): 2011-09-21 Gavin Barraclough Build fix following fix for bug #68586. * jit/JIT.cpp: * jit/JITInlineMethods.h: 2011-09-21 Filip Pizlo DFG JIT should be able to compile op_throw https://bugs.webkit.org/show_bug.cgi?id=68571 Reviewed by Geoffrey Garen. This compiles op_throw in the simplest way possible: it's an OSR point back to the old JIT. This is a good step towards increasing coverage, particularly on Kraken, but it's neutral because the same functions that do throw also use some other unsupported opcodes. 
* dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGCapabilities.h: (JSC::DFG::canCompileOpcode): * dfg/DFGNode.h: * dfg/DFGPropagator.cpp: (JSC::DFG::Propagator::propagateNodePredictions): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compile): 2011-09-21 Filip Pizlo DFG should support continuous optimization https://bugs.webkit.org/show_bug.cgi?id=68329 Reviewed by Geoffrey Garen. This adds the ability to reoptimize a code block if speculation failures happen frequently. 6% speed-up on Kraken, 1% slow-down on V8, neutral on SunSpider. * CMakeLists.txt: * GNUmakefile.list.am: * JavaScriptCore.pro: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: * JavaScriptCore.vcproj/WTF/WTF.vcproj: * JavaScriptCore.xcodeproj/project.pbxproj: * bytecode/CodeBlock.cpp: (JSC::CodeBlock::CodeBlock): (JSC::ProgramCodeBlock::jettison): (JSC::EvalCodeBlock::jettison): (JSC::FunctionCodeBlock::jettison): (JSC::CodeBlock::shouldOptimizeNow): (JSC::CodeBlock::dumpValueProfiles): * bytecode/CodeBlock.h: * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::getStrongPrediction): * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::exitSpeculativeWithOSR): (JSC::DFG::JITCompiler::compileEntry): (JSC::DFG::JITCompiler::compileBody): * dfg/DFGJITCompiler.h: (JSC::DFG::JITCompiler::noticeOSREntry): * dfg/DFGOSREntry.cpp: (JSC::DFG::prepareOSREntry): * dfg/DFGOSREntry.h: (JSC::DFG::getOSREntryDataBytecodeIndex): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compile): * heap/ConservativeRoots.cpp: (JSC::ConservativeRoots::ConservativeRoots): (JSC::ConservativeRoots::~ConservativeRoots): (JSC::DummyMarkHook::mark): (JSC::ConservativeRoots::genericAddPointer): (JSC::ConservativeRoots::genericAddSpan): (JSC::ConservativeRoots::add): * heap/ConservativeRoots.h: * heap/Heap.cpp: (JSC::Heap::addJettisonCodeBlock): (JSC::Heap::markRoots): * heap/Heap.h: * heap/JettisonedCodeBlocks.cpp: Added. 
(JSC::JettisonedCodeBlocks::JettisonedCodeBlocks): (JSC::JettisonedCodeBlocks::~JettisonedCodeBlocks): (JSC::JettisonedCodeBlocks::addCodeBlock): (JSC::JettisonedCodeBlocks::clearMarks): (JSC::JettisonedCodeBlocks::deleteUnmarkedCodeBlocks): (JSC::JettisonedCodeBlocks::traceCodeBlocks): * heap/JettisonedCodeBlocks.h: Added. (JSC::JettisonedCodeBlocks::mark): * interpreter/RegisterFile.cpp: (JSC::RegisterFile::gatherConservativeRoots): * interpreter/RegisterFile.h: * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): * runtime/Executable.cpp: (JSC::jettisonCodeBlock): (JSC::EvalExecutable::jettisonOptimizedCode): (JSC::ProgramExecutable::jettisonOptimizedCode): (JSC::FunctionExecutable::jettisonOptimizedCodeForCall): (JSC::FunctionExecutable::jettisonOptimizedCodeForConstruct): * runtime/Executable.h: (JSC::FunctionExecutable::jettisonOptimizedCodeFor): * wtf/BitVector.h: Added. (WTF::BitVector::BitVector): (WTF::BitVector::~BitVector): (WTF::BitVector::operator=): (WTF::BitVector::size): (WTF::BitVector::ensureSize): (WTF::BitVector::resize): (WTF::BitVector::clearAll): (WTF::BitVector::get): (WTF::BitVector::set): (WTF::BitVector::clear): (WTF::BitVector::bitsInPointer): (WTF::BitVector::maxInlineBits): (WTF::BitVector::byteCount): (WTF::BitVector::makeInlineBits): (WTF::BitVector::OutOfLineBits::numBits): (WTF::BitVector::OutOfLineBits::numWords): (WTF::BitVector::OutOfLineBits::bits): (WTF::BitVector::OutOfLineBits::create): (WTF::BitVector::OutOfLineBits::destroy): (WTF::BitVector::OutOfLineBits::OutOfLineBits): (WTF::BitVector::isInline): (WTF::BitVector::outOfLineBits): (WTF::BitVector::resizeOutOfLine): (WTF::BitVector::bits): 2011-09-21 Gavin Barraclough Add X86 GPRInfo for DFG JIT. https://bugs.webkit.org/show_bug.cgi?id=68586 Reviewed by Geoff Garen. 
* dfg/DFGGPRInfo.h: (JSC::DFG::GPRInfo::toRegister): (JSC::DFG::GPRInfo::toIndex): (JSC::DFG::GPRInfo::debugName): 2011-09-21 Gavin Barraclough Should support value profiling on CPU(X86) https://bugs.webkit.org/show_bug.cgi?id=68575 Reviewed by Sam Weinig. Fix verbose profiling in ToT (SlowCaseProfile had been partially renamed to RareCaseProfile), add in-memory bucket counter for CPU(X86), move JIT::m_canBeOptimized out of the DFG_JIT ifdef. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::resetRareCaseProfiles): (JSC::CodeBlock::dumpValueProfiles): * bytecode/CodeBlock.h: * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::makeSafe): * jit/JIT.cpp: (JSC::JIT::privateCompileSlowCases): (JSC::JIT::privateCompile): * jit/JIT.h: * jit/JITInlineMethods.h: (JSC::JIT::emitValueProfilingSite): 2011-09-21 Filip Pizlo DFG does not support compiling functions as constructors https://bugs.webkit.org/show_bug.cgi?id=68500 Reviewed by Oliver Hunt. This adds support for compiling constructors to the DFG. It's a 1% speed-up on V8, mostly due to a 6% speed-up on early-boyer. It's also a 13% win on access-binary-trees, but it's neutral in the SunSpider and Kraken averages. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGCapabilities.h: (JSC::DFG::mightCompileFunctionForConstruct): (JSC::DFG::canCompileOpcode): * dfg/DFGNode.h: * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPropagator.cpp: (JSC::DFG::Propagator::propagateNodePredictions): (JSC::DFG::Propagator::performNodeCSE): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compile): * runtime/Executable.cpp: (JSC::FunctionExecutable::compileOptimizedForConstruct): (JSC::FunctionExecutable::compileForConstructInternal): * runtime/Executable.h: (JSC::FunctionExecutable::compileForConstruct): (JSC::FunctionExecutable::compileFor): (JSC::FunctionExecutable::compileOptimizedFor): 2011-09-21 Gavin Barraclough Replace jsFunctionVPtr compares with a type check on the Structure. 
https://bugs.webkit.org/show_bug.cgi?id=68557 Reviewed by Oliver Hunt. This will permit calls to still optimize to subclasses of JSFunction that have the correct type (but a different C++ vptr). This patch stops passing the globalData into numerous functions. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGGraph.h: (JSC::DFG::Graph::isFunctionConstant): (JSC::DFG::Graph::valueOfFunctionConstant): * dfg/DFGJITCompiler.h: (JSC::DFG::JITCompiler::isFunctionConstant): (JSC::DFG::JITCompiler::valueOfFunctionConstant): * dfg/DFGOperations.cpp: * interpreter/Interpreter.cpp: (JSC::Interpreter::privateExecute): * jit/JIT.h: * jit/JITCall.cpp: (JSC::JIT::compileOpCallVarargs): (JSC::JIT::compileOpCallSlowCase): * jit/JITCall32_64.cpp: (JSC::JIT::compileOpCallVarargs): (JSC::JIT::compileOpCallSlowCase): * jit/JITInlineMethods.h: (JSC::JIT::emitJumpIfNotType): * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): * runtime/Executable.h: (JSC::isHostFunction): * runtime/JSFunction.h: (JSC::JSFunction::createStructure): * runtime/JSObject.cpp: (JSC::JSObject::put): (JSC::JSObject::putWithAttributes): * runtime/JSObject.h: (JSC::getJSFunction): (JSC::JSObject::putDirect): (JSC::JSObject::putDirectWithoutTransition): * runtime/JSType.h: 2011-09-21 Geoffrey Garen Removed WTFTHREADDATA_MULTITHREADED, making it always true https://bugs.webkit.org/show_bug.cgi?id=68549 Reviewed by Darin Adler. Another part of making threads exist in WebKit. * wtf/WTFThreadData.cpp: * wtf/WTFThreadData.h: (WTF::wtfThreadData): 2011-09-21 Dan Bernstein JavaScriptCore Part of: Prevent the WebKit frameworks from defining inappropriately-named Objective-C classes https://bugs.webkit.org/show_bug.cgi?id=68451 Reviewed by Darin Adler. * JavaScriptCore.xcodeproj/project.pbxproj: Added a script build phase that invokes check-for-inappropriate-objc-class-names, allowing only class names prefixed with "JS". 2011-09-20 Gavin Barraclough MacroAssembler fixes. 
https://bugs.webkit.org/show_bug.cgi?id=68494 Reviewed by Sam Weinig. Add X86-64's 3 operand or32 to other MacroAssembler, fix load32's [const] void* mismatch * assembler/MacroAssembler.h: (JSC::MacroAssembler::orPtr): (JSC::MacroAssembler::loadPtr): * assembler/MacroAssemblerARM.h: (JSC::MacroAssemblerARM::or32): * assembler/MacroAssemblerARMv7.h: (JSC::MacroAssemblerARMv7::or32): * assembler/MacroAssemblerMIPS.h: (JSC::MacroAssemblerMIPS::or32): * assembler/MacroAssemblerSH4.h: (JSC::MacroAssemblerSH4::or32): (JSC::MacroAssemblerSH4::load32): * assembler/MacroAssemblerX86.h: (JSC::MacroAssemblerX86::load32): * assembler/MacroAssemblerX86_64.h: (JSC::MacroAssemblerX86_64::load32): 2011-09-20 Geoffrey Garen Some Heap cleanup. Reviewed by Beth Dakin. * heap/MarkedBlock.cpp: (JSC::MarkedBlock::blessNewBlock): Removed blessNewBlockForSlowPath() because it was unused; renamed blessNewBlockForFastPath() to blessNewBlock() since there is only one now. * heap/MarkedBlock.h: Removed ownerSet-related stuff since it was unused. Updated mark bit overhead calculation. Deployed atomsPerBlock in one place where we were recalculating it. * heap/MarkedSpace.cpp: (JSC::MarkedSpace::addBlock): Updated for rename. 2011-09-20 Filip Pizlo DFG JIT always speculates integer on modulo https://bugs.webkit.org/show_bug.cgi?id=68485 Reviewed by Oliver Hunt. Added support for double modulo, which is a call to fmod(). Also added support for recording the old JIT's statistics on op_mod and propagating them along the graph. Finally, fixed a goof in the ArithNodeFlags propagation logic that was made obvious when I started testing ArithMod. 
* dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::makeSafe): (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGNode.h: (JSC::DFG::Node::hasArithNodeFlags): * dfg/DFGPropagator.cpp: (JSC::DFG::Propagator::propagateArithNodeFlags): (JSC::DFG::Propagator::propagateNodePredictions): (JSC::DFG::Propagator::fixupNode): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compile): 2011-09-20 ChangSeok Oh [GTK] requestAnimationFrame support for gtk port https://bugs.webkit.org/show_bug.cgi?id=66280 Reviewed by Martin Robinson. Let GTK port use REQUEST_ANIMATION_FRAME_TIMER. * wtf/Platform.h: 2011-09-20 Filip Pizlo DFG JIT performs too many negative zero checks, and too many overflow checks https://bugs.webkit.org/show_bug.cgi?id=68430 Reviewed by Oliver Hunt. This adds comprehensive support for deciding how to perform an arithmetic operations based on a combination of overflow profiling, negative zero profiling, value profiling, and a static analysis of how the results of these operations get used. This is a 72% speed-up on stanford-crypto-sha256-iterative, and a 2.5% speed-up on the Kraken average, a 1.4% speed-up on the V8 geomean, and neutral on SunSpider. It's also an 8.5% speed-up on V8-crypto, because apparenty everything we do speeds up crypto. 
* dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::toInt32): (JSC::DFG::ByteCodeParser::toNumber): (JSC::DFG::ByteCodeParser::isSmallInt32Constant): (JSC::DFG::ByteCodeParser::valueOfInt32Constant): (JSC::DFG::ByteCodeParser::weaklyPredictInt32): (JSC::DFG::ByteCodeParser::makeSafe): (JSC::DFG::ByteCodeParser::handleMinMax): (JSC::DFG::ByteCodeParser::handleIntrinsic): (JSC::DFG::ByteCodeParser::parseBlock): (JSC::DFG::ByteCodeParser::processPhiStack): (JSC::DFG::ByteCodeParser::parse): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::dump): * dfg/DFGJITCodeGenerator.cpp: (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp): * dfg/DFGNode.h: (JSC::DFG::nodeUsedAsNumber): (JSC::DFG::nodeCanTruncateInteger): (JSC::DFG::nodeCanIgnoreNegativeZero): (JSC::DFG::nodeCanSpeculateInteger): (JSC::DFG::arithNodeFlagsAsString): (JSC::DFG::Node::Node): (JSC::DFG::Node::hasArithNodeFlags): (JSC::DFG::Node::rawArithNodeFlags): (JSC::DFG::Node::arithNodeFlags): (JSC::DFG::Node::arithNodeFlagsForCompare): (JSC::DFG::Node::setArithNodeFlag): (JSC::DFG::Node::mergeArithNodeFlags): * dfg/DFGPropagator.cpp: (JSC::DFG::Propagator::fixpoint): (JSC::DFG::Propagator::isNotNegZero): (JSC::DFG::Propagator::isNotZero): (JSC::DFG::Propagator::propagateArithNodeFlags): (JSC::DFG::Propagator::propagateArithNodeFlagsForward): (JSC::DFG::Propagator::propagateArithNodeFlagsBackward): (JSC::DFG::Propagator::propagateNodePredictions): (JSC::DFG::Propagator::propagatePredictionsForward): (JSC::DFG::Propagator::propagatePredictionsBackward): (JSC::DFG::Propagator::toDouble): (JSC::DFG::Propagator::fixupNode): (JSC::DFG::Propagator::fixup): (JSC::DFG::Propagator::startIndexForChildren): (JSC::DFG::Propagator::endIndexForPureCSE): (JSC::DFG::Propagator::pureCSE): (JSC::DFG::Propagator::clobbersWorld): (JSC::DFG::Propagator::setReplacement): (JSC::DFG::Propagator::performNodeCSE): (JSC::DFG::Propagator::localCSE): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compile): 
(JSC::DFG::SpeculativeJIT::computeValueRecoveryFor): 2011-09-19 Oliver Hunt Refactor Heap allocation logic into separate AllocationSpace class https://bugs.webkit.org/show_bug.cgi?id=68409 Reviewed by Gavin Barraclough. This patch hoists direct manipulation of the MarkedSpace and related data out of Heap and into a separate class. This will allow us to have multiple allocation spaces in future, so easing the way towards having GC'd backing stores for objects. * CMakeLists.txt: * GNUmakefile.list.am: * JavaScriptCore.exp: * JavaScriptCore.gypi: * JavaScriptCore.pro: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: * JavaScriptCore.xcodeproj/project.pbxproj: * debugger/Debugger.cpp: (JSC::Debugger::recompileAllJSFunctions): * heap/AllocationSpace.cpp: Added. (JSC::AllocationSpace::tryAllocate): (JSC::AllocationSpace::allocateSlowCase): (JSC::AllocationSpace::allocateBlock): (JSC::AllocationSpace::freeBlocks): (JSC::TakeIfEmpty::TakeIfEmpty): (JSC::TakeIfEmpty::operator()): (JSC::TakeIfEmpty::returnValue): (JSC::AllocationSpace::shrink): * heap/AllocationSpace.h: Added. 
(JSC::AllocationSpace::AllocationSpace): (JSC::AllocationSpace::blocks): (JSC::AllocationSpace::sizeClassFor): (JSC::AllocationSpace::setHighWaterMark): (JSC::AllocationSpace::highWaterMark): (JSC::AllocationSpace::canonicalizeBlocks): (JSC::AllocationSpace::resetAllocator): (JSC::AllocationSpace::forEachCell): (JSC::AllocationSpace::forEachBlock): (JSC::AllocationSpace::allocate): * heap/Heap.cpp: (JSC::Heap::Heap): (JSC::Heap::reportExtraMemoryCostSlowCase): (JSC::Heap::getConservativeRegisterRoots): (JSC::Heap::markRoots): (JSC::Heap::clearMarks): (JSC::Heap::sweep): (JSC::Heap::objectCount): (JSC::Heap::size): (JSC::Heap::capacity): (JSC::Heap::globalObjectCount): (JSC::Heap::objectTypeCounts): (JSC::Heap::collect): (JSC::Heap::canonicalizeBlocks): (JSC::Heap::resetAllocator): (JSC::Heap::freeBlocks): (JSC::Heap::shrink): * heap/Heap.h: (JSC::Heap::objectSpace): (JSC::Heap::sizeClassForObject): (JSC::Heap::allocate): * jit/JITInlineMethods.h: (JSC::JIT::emitAllocateBasicJSObject): * runtime/JSGlobalData.cpp: (JSC::JSGlobalData::recompileAllJSFunctions): (JSC::JSGlobalData::releaseExecutableMemory): 2011-09-19 Geoffrey Garen Removed BREWMP* platform #ifdefs https://bugs.webkit.org/show_bug.cgi?id=68425 BREWMP* has no maintainer, and this is dead code. Reviewed by Darin Adler. 
        * heap/MarkStack.h:
        (JSC::::shrinkAllocation):
        * jit/ExecutableAllocator.h:
        (JSC::ExecutableAllocator::cacheFlush):
        * runtime/TimeoutChecker.cpp:
        (JSC::getCPUTime):
        * wtf/Assertions.cpp:
        * wtf/Assertions.h:
        * wtf/CurrentTime.cpp:
        * wtf/DateMath.cpp:
        (WTF::calculateUTCOffset):
        * wtf/FastMalloc.cpp:
        (WTF::fastMalloc):
        (WTF::fastCalloc):
        (WTF::fastMallocSize):
        * wtf/FastMalloc.h:
        * wtf/MainThread.cpp:
        * wtf/MathExtras.h:
        * wtf/OwnPtrCommon.h:
        * wtf/Platform.h:
        * wtf/RandomNumber.cpp:
        (WTF::randomNumber):
        * wtf/RandomNumberSeed.h:
        (WTF::initializeRandomNumberGenerator):
        * wtf/text/WTFString.h:
        * wtf/unicode/Unicode.h:

2011-09-20  Adam Roben

        Windows build fix after r95523

        * wtf/CheckedArithmetic.h: Added stdint.h so we can have int64_t defined.

2011-09-18  Filip Pizlo

        DFG JIT does not speculate aggressively enough on GetById
        https://bugs.webkit.org/show_bug.cgi?id=68320

        Reviewed by Oliver Hunt.

        This adds the ability to access properties directly, by offset. This
        optimization kicks in when at the time of DFG compilation, it appears that
        the given get_by_id is self-cached by the old JIT.

        Two new opcodes get introduced: CheckStructure and GetByOffset.
        CheckStructure performs a speculation check on the object's structure, and
        returns the storage pointer. GetByOffset performs a direct read of the
        field from the storage pointer. Both CheckStructure and GetByOffset can be
        CSE'd, so that we can eliminate redundant structure checks, and redundant
        reads of the same field.

        This is a 4% speed-up on V8, a 2% slow-down on Kraken, and neutral on
        SunSpider.
        * bytecode/PredictedType.cpp:
        (JSC::predictionFromClassInfo):
        (JSC::predictionFromStructure):
        (JSC::predictionFromCell):
        * bytecode/PredictedType.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::dataFormatToString):
        (JSC::DFG::needDataFormatConversion):
        (JSC::DFG::GenerationInfo::initStorage):
        (JSC::DFG::GenerationInfo::spill):
        (JSC::DFG::GenerationInfo::fillStorage):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predict):
        (JSC::DFG::Graph::getPrediction):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::fillInteger):
        (JSC::DFG::JITCodeGenerator::fillDouble):
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        (JSC::DFG::JITCodeGenerator::fillStorage):
        (JSC::DFG::GPRTemporary::GPRTemporary):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::silentSpillGPR):
        (JSC::DFG::JITCodeGenerator::silentFillGPR):
        (JSC::DFG::JITCodeGenerator::spill):
        (JSC::DFG::JITCodeGenerator::storageResult):
        (JSC::DFG::StorageOperand::StorageOperand):
        (JSC::DFG::StorageOperand::~StorageOperand):
        (JSC::DFG::StorageOperand::index):
        (JSC::DFG::StorageOperand::gpr):
        (JSC::DFG::StorageOperand::use):
        * dfg/DFGNode.h:
        (JSC::DFG::OpInfo::OpInfo):
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::hasPrediction):
        (JSC::DFG::Node::hasStructure):
        (JSC::DFG::Node::structure):
        (JSC::DFG::Node::hasStorageAccessData):
        (JSC::DFG::Node::storageAccessDataIndex):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNode):
        (JSC::DFG::Propagator::globalVarLoadElimination):
        (JSC::DFG::Propagator::getMethodLoadElimination):
        (JSC::DFG::Propagator::checkStructureLoadElimination):
        (JSC::DFG::Propagator::getByOffsetLoadElimination):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * wtf/StdLibExtras.h:
        (WTF::safeCast):

2011-09-19  Mark Hahnenberg

        Remove toPrimitive from JSCell
        https://bugs.webkit.org/show_bug.cgi?id=67875

        Reviewed by Darin Adler.

        Part of the refactoring process to un-virtualize JSCell. We move all of
        the implicit functionality provided by the virtual toPrimitive method in
        JSCell to be explicit in JSValue::toPrimitive and JSCell::toPrimitive
        while also de-virtualizing JSCell::toPrimitive.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/JSCell.cpp:
        (JSC::JSCell::toPrimitive):
        * runtime/JSCell.h: We replace JSNotAnObject::toPrimitive with
        defaultValue, which it overrides from JSObject. This pushes the virtual
        method further down, enabling us to get rid of the virtual call in JSCell.
        Eventually we'll probably have to deal with this again, but we'll cross
        that bridge when we come to it.
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::defaultValue):
        * runtime/JSNotAnObject.h:
        * runtime/JSObject.h:
        * runtime/JSString.h:

2011-09-19  Geoffrey Garen

        Removed ENABLE_LAZY_BLOCK_FREEING and related #ifdefs
        https://bugs.webkit.org/show_bug.cgi?id=68424

        As discussed on webkit-dev. All ports build with threads enabled in JSC
        now. This may break WinCE and other ports that have not built and tested
        with this configuration. I've filed bugs for port maintainers. It's time
        for WebKit to move forward.

        Reviewed by Mark Rowe.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::~Heap):
        (JSC::Heap::destroy):
        (JSC::Heap::blockFreeingThreadMain):
        (JSC::Heap::allocateBlock):
        (JSC::Heap::freeBlocks):
        (JSC::Heap::releaseFreeBlocks):
        * heap/Heap.h:
        * wtf/Platform.h:

2011-09-19  Geoffrey Garen

        Removed ENABLE_WTF_MULTIPLE_THREADS and related #ifdefs
        https://bugs.webkit.org/show_bug.cgi?id=68423

        As discussed on webkit-dev. All ports build with threads enabled in WTF
        now. This may break WinCE and other ports that have not built and tested
        with this configuration. I've filed bugs for port maintainers. It's time
        for WebKit to move forward.

        Reviewed by Mark Rowe.
        * wtf/CryptographicallyRandomNumber.cpp:
        (WTF::ARC4Stream::ARC4RandomNumberGenerator::randomNumber):
        (WTF::ARC4Stream::ARC4RandomNumberGenerator::randomValues):
        * wtf/FastMalloc.cpp:
        * wtf/Platform.h:
        * wtf/RandomNumber.cpp:
        (WTF::randomNumber):
        * wtf/RefCountedLeakCounter.cpp:
        (WTF::RefCountedLeakCounter::increment):
        (WTF::RefCountedLeakCounter::decrement):
        * wtf/ThreadingPthreads.cpp:
        (WTF::initializeThreading):
        * wtf/ThreadingWin.cpp:
        (WTF::initializeThreading):
        * wtf/dtoa.cpp:
        (WTF::pow5mult):
        * wtf/gtk/ThreadingGtk.cpp:
        (WTF::initializeThreading):
        * wtf/qt/ThreadingQt.cpp:
        (WTF::initializeThreading):

2011-09-19  Geoffrey Garen

        Removed ENABLE_JSC_MULTIPLE_THREADS and related #ifdefs.
        https://bugs.webkit.org/show_bug.cgi?id=68422

        As discussed on webkit-dev. All ports build with threads enabled in JSC
        now. This may break WinCE and other ports that have not built and tested
        with this configuration. I've filed bugs for port maintainers. It's time
        for WebKit to move forward.

        Reviewed by Sam Weinig.

        * API/APIShims.h:
        (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock):
        * API/JSContextRef.cpp:
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::gatherConservativeRoots):
        * heap/MachineStackMarker.h:
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        (JSC::initializeThreading):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::sharedInstance):
        * runtime/JSGlobalData.h:
        (JSC::JSGlobalData::makeUsableFromMultipleThreads):
        * runtime/JSLock.cpp:
        * runtime/Structure.cpp:
        * wtf/Platform.h:

2011-09-19  Sheriff Bot

        Unreviewed, rolling out r95493 and r95496.
        http://trac.webkit.org/changeset/95493
        http://trac.webkit.org/changeset/95496
        https://bugs.webkit.org/show_bug.cgi?id=68418

        Broke Windows build (Requested by rniwa on #webkit).
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.gypi:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/Debugger.cpp:
        (JSC::Debugger::recompileAllJSFunctions):
        * heap/AllocationSpace.cpp: Removed.
        * heap/AllocationSpace.h: Removed.
        * heap/Heap.cpp:
        (JSC::CountFunctor::TakeIfEmpty::TakeIfEmpty):
        (JSC::CountFunctor::TakeIfEmpty::operator()):
        (JSC::CountFunctor::TakeIfEmpty::returnValue):
        (JSC::Heap::Heap):
        (JSC::Heap::reportExtraMemoryCostSlowCase):
        (JSC::Heap::tryAllocate):
        (JSC::Heap::allocateSlowCase):
        (JSC::Heap::getConservativeRegisterRoots):
        (JSC::Heap::markRoots):
        (JSC::Heap::clearMarks):
        (JSC::Heap::sweep):
        (JSC::Heap::objectCount):
        (JSC::Heap::size):
        (JSC::Heap::capacity):
        (JSC::Heap::globalObjectCount):
        (JSC::Heap::objectTypeCounts):
        (JSC::Heap::collect):
        (JSC::Heap::canonicalizeBlocks):
        (JSC::Heap::resetAllocator):
        (JSC::Heap::allocateBlock):
        (JSC::Heap::freeBlocks):
        (JSC::Heap::shrink):
        * heap/Heap.h:
        (JSC::Heap::markedSpace):
        (JSC::Heap::forEachCell):
        (JSC::Heap::forEachBlock):
        (JSC::Heap::sizeClassFor):
        (JSC::Heap::allocate):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateBasicJSObject):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::recompileAllJSFunctions):
        (JSC::JSGlobalData::releaseExecutableMemory):

2011-09-19  Gavin Barraclough

        Errrk, missed stylebot comments in last commit.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncSplit):

2011-09-19  Gavin Barraclough

        String#split is buggy
        https://bugs.webkit.org/show_bug.cgi?id=68348

        Reviewed by Sam Weinig.

        * runtime/StringPrototype.cpp:
        (JSC::jsStringWithReuse):
        - added helper function to reuse original JSString value.
        (JSC::stringProtoFuncSplit):
        - Rewritten from the spec.
        * tests/mozilla/ecma/String/15.5.4.8-2.js:
        (getTestCases):
        - This test is not ES5 compliant.
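The String#split entry above says stringProtoFuncSplit was rewritten from the spec (ES5 15.5.4.8). As an added example, not code from WebKit or from the entry's author, here is that spec algorithm carried through in JavaScript and checked differentially against the host engine's own split, which is how a reviewer can pin down the edge cases the spec fixes (empty matches, capture groups, the limit argument, empty input). The names splitES5, splitMatch, sameResult and allAgree are chosen here, and emulating the spec's internal [[Match]] with a sticky copy of the pattern is an assumption of this example.

```javascript
// ES5 15.5.4.8 String.prototype.split, written out step by step so the
// edge cases the spec pins down can be compared against the engine's
// built-in split. Added example; the function names are chosen here.

// SplitMatch(S, q, R): try to match R at exactly position q of S.
// Returns { endIndex, captures } or null for the spec's "failure".
function splitMatch(S, q, R) {
  if (R instanceof RegExp) {
    // The spec's [[Match]] is anchored at q and ignores the g flag and
    // lastIndex; a sticky copy of the pattern behaves the same way.
    // (Assumption of this example, not how JSC implements it.)
    const sticky = new RegExp(R.source, R.flags.replace(/[gy]/g, '') + 'y');
    sticky.lastIndex = q;
    const m = sticky.exec(S);
    if (m === null) return null;
    return { endIndex: q + m[0].length, captures: m.slice(1) };
  }
  // String separator: plain character-by-character comparison at q.
  const r = R.length;
  if (q + r > S.length) return null;
  for (let i = 0; i < r; i++) {
    if (S.charCodeAt(q + i) !== R.charCodeAt(i)) return null;
  }
  return { endIndex: q + r, captures: [] };
}

function splitES5(S, separator, limit) {
  S = String(S);
  const A = [];
  let lengthA = 0;
  const lim = limit === undefined ? 0xFFFFFFFF : limit >>> 0; // ToUint32(limit)
  const s = S.length;
  let p = 0;
  const R = separator instanceof RegExp ? separator : String(separator);
  if (lim === 0) return A;
  if (separator === undefined) { A.push(S); return A; }
  if (s === 0) {
    // Empty input: a separator that matches the empty string yields [].
    return splitMatch(S, 0, R) === null ? [S] : A;
  }
  let q = p;
  while (q !== s) {
    const z = splitMatch(S, q, R);
    if (z === null) { q++; continue; }
    const e = z.endIndex;
    if (e === p) { q++; continue; }      // empty match at p never emits ""
    A.push(S.substring(p, q));
    if (++lengthA === lim) return A;
    p = e;
    for (const cap of z.captures) {      // capture groups are spliced in
      A.push(cap);
      if (++lengthA === lim) return A;
    }
    q = p;
  }
  A.push(S.substring(p, s));
  return A;
}

// Differential check: does the engine's split agree with the spec algorithm?
function sameResult(S, separator, limit) {
  const a = splitES5(S, separator, limit);
  const b = S.split(separator, limit);
  return a.length === b.length && a.every((v, i) => v === b[i]);
}

// Constructed inputs: the examples given in the ES5 spec text plus the
// usual corner cases (empty separator, limit 0, empty input).
const CASES = [
  ['ab', /a*?/, undefined],
  ['ab', /a*/, undefined],
  ['A<B>bold</B>and<CODE>coded</CODE>E', /<(\/)?([^<>]+)>/, undefined],
  ['abc', '', undefined],
  ['a,b,c', ',', 2],
  ['', /x/, undefined],
  ['', /(?:)/, undefined],
  ['a,b,c', ',', 0],
  ['abc', undefined, undefined],
];

function allAgree() {
  return CASES.every(([S, sep, lim]) => sameResult(S, sep, lim));
}
```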
2011-09-19  Geoffrey Garen

        Removed lots of friend declarations from JSCell, so we can more
        effectively make use of private and protected.

        Reviewed by Sam Weinig.

        * runtime/JSCell.h: Removed MSVCBugWorkaround because it was a lot of
        confusion for not much safety.
        (JSC::JSCell::operator new): Made this public because it is used by a few
        clients, and not really dangerous.
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::defineGetter):
        (JSC::JSObject::defineSetter):
        (JSC::JSObject::getPropertySpecificValue):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::seal):
        (JSC::JSObject::freeze):
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::removeDirect):
        (JSC::JSObject::createInheritorID):
        (JSC::JSObject::allocatePropertyStorage):
        (JSC::JSObject::getOwnPropertyDescriptor):
        * runtime/JSObject.h:
        (JSC::JSObject::getDirect):
        (JSC::JSObject::getDirectLocation):
        (JSC::JSObject::hasCustomProperties):
        (JSC::JSObject::hasGetterSetterProperties):
        (JSC::JSObject::isSealed):
        (JSC::JSObject::isFrozen):
        (JSC::JSObject::isExtensible):
        (JSC::JSObject::flattenDictionaryObject):
        (JSC::JSObject::finishCreation):
        (JSC::JSObject::prototype):
        (JSC::JSObject::setPrototype):
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSCell::fastGetOwnProperty):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::putDirectWithoutTransition):
        (JSC::JSObject::transitionTo):
        (JSC::JSObject::visitChildrenDirect): Changed all use of m_structure to
        structure() / setStructure(), so we don't have to be a friend of JSCell.
        * runtime/Structure.h:
        (JSC::JSCell::setStructure): Added, to avoid direct access by JSObject to
        JSCell::m_structure.

2011-09-19  Adam Barth

        Always enable ENABLE(EVENTSOURCE)
        https://bugs.webkit.org/show_bug.cgi?id=68414

        Reviewed by Eric Seidel.

        * Configurations/FeatureDefines.xcconfig:

2011-09-19  Eli Fidler

        Enable JSC_MULTIPLE_THREADS for OS(QNX).
        https://bugs.webkit.org/show_bug.cgi?id=68047

        Reviewed by Daniel Bates.
        SA_RESTART was required for SIGUSR2-based debugging, but is not present
        on QNX. This debugging doesn't seem critical to JSC_MULTIPLE_THREADS, so
        allow it to proceed.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::Thread::Thread):
        (JSC::getPlatformThreadRegisters):
        (JSC::otherThreadStackPointer):
        (JSC::freePlatformThreadRegisters):
        * wtf/Platform.h: enable PTHREADS for OS(QNX)

2011-09-19  Oliver Hunt

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-09-19  Oliver Hunt

        Refactor Heap allocation logic into separate AllocationSpace class
        https://bugs.webkit.org/show_bug.cgi?id=68409

        Reviewed by Gavin Barraclough.

        This patch hoists direct manipulation of the MarkedSpace and related data
        out of Heap and into a separate class. This will allow us to have multiple
        allocation spaces in future, so easing the way towards having GC'd backing
        stores for objects.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.gypi:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/Debugger.cpp:
        (JSC::Debugger::recompileAllJSFunctions):
        * heap/AllocationSpace.cpp: Added.
        (JSC::AllocationSpace::tryAllocate):
        (JSC::AllocationSpace::allocateSlowCase):
        (JSC::AllocationSpace::allocateBlock):
        (JSC::AllocationSpace::freeBlocks):
        (JSC::TakeIfEmpty::TakeIfEmpty):
        (JSC::TakeIfEmpty::operator()):
        (JSC::TakeIfEmpty::returnValue):
        (JSC::AllocationSpace::shrink):
        * heap/AllocationSpace.h: Added.
        (JSC::AllocationSpace::AllocationSpace):
        (JSC::AllocationSpace::blocks):
        (JSC::AllocationSpace::sizeClassFor):
        (JSC::AllocationSpace::setHighWaterMark):
        (JSC::AllocationSpace::highWaterMark):
        (JSC::AllocationSpace::canonicalizeBlocks):
        (JSC::AllocationSpace::resetAllocator):
        (JSC::AllocationSpace::forEachCell):
        (JSC::AllocationSpace::forEachBlock):
        (JSC::AllocationSpace::allocate):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::reportExtraMemoryCostSlowCase):
        (JSC::Heap::getConservativeRegisterRoots):
        (JSC::Heap::markRoots):
        (JSC::Heap::clearMarks):
        (JSC::Heap::sweep):
        (JSC::Heap::objectCount):
        (JSC::Heap::size):
        (JSC::Heap::capacity):
        (JSC::Heap::globalObjectCount):
        (JSC::Heap::objectTypeCounts):
        (JSC::Heap::collect):
        (JSC::Heap::canonicalizeBlocks):
        (JSC::Heap::resetAllocator):
        (JSC::Heap::freeBlocks):
        (JSC::Heap::shrink):
        * heap/Heap.h:
        (JSC::Heap::objectSpace):
        (JSC::Heap::sizeClassForObject):
        (JSC::Heap::allocate):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateBasicJSObject):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::recompileAllJSFunctions):
        (JSC::JSGlobalData::releaseExecutableMemory):

2011-09-19  Adam Roben

        Windows build fix after r95310

        * JavaScriptCore.vcproj/testRegExp/testRegExpCommon.vsprops: Added
        include\private\JavaScriptCore to the include path so DFGIntrinsic.h can
        be found.

2011-09-19  Filip Pizlo

        DFG speculation failures should act as additional value profiles
        https://bugs.webkit.org/show_bug.cgi?id=68335

        Reviewed by Oliver Hunt.

        This adds slow-case counters to the old JIT. It also ensures that
        negative zero in multiply is handled carefully. The old JIT previously
        took slow path if the result of a multiply was zero, which, without any
        changes, would cause the DFG to think that every such multiply produced
        a double result.

        This also fixes a bug in the old JIT's handling of decrements. It would
        take the slow path if the result was zero, but not if it underflowed.

        By itself, this would be a 1% slow-down on V8 and Kraken.
        But then I wrote optimizations in the DFG that take advantage of this new
        information. It's no longer the case that every multiply needs to do a
        check for negative zero; it only happens if the negative zero is ignored.
        This results in a 12% speed-up on v8-crypto, for a 1.4% geomean speed-up
        in V8. It's mostly neutral on Kraken. I can see an 0.5% slow-down and it
        appears to be significant.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::resetRareCaseProfiles):
        (JSC::CodeBlock::dumpValueProfiles):
        * bytecode/CodeBlock.h:
        * bytecode/ValueProfile.h:
        (JSC::RareCaseProfile::RareCaseProfile):
        (JSC::getRareCaseProfileBytecodeOffset):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::toInt32):
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::GPRTemporary::GPRTemporary):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNode):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::clobbersWorld):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JSC::JIT::linkDummySlowCase):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_post_dec):
        (JSC::JIT::emit_op_pre_dec):
        (JSC::JIT::compileBinaryArithOp):
        (JSC::JIT::emit_op_add):
        (JSC::JIT::emitSlow_op_add):
        * jit/JITInlineMethods.h:
        (JSC::JIT::addSlowCase):

2011-09-19  Adam Roben

        Windows build fix after r94575

        * JavaScriptCore.vcproj/JavaScriptCore.sln: Relinearized project
        dependencies. testRegExp now builds just before FindSafari.

2011-09-19  Sheriff Bot

        Unreviewed, rolling out r95466.
        http://trac.webkit.org/changeset/95466
        https://bugs.webkit.org/show_bug.cgi?id=68389

        Incorrect version of the patch. (Requested by mhahnenberg on #webkit).
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/JSCell.cpp:
        (JSC::JSCell::toPrimitive):
        * runtime/JSCell.h:
        (JSC::JSCell::JSValue::toPrimitive):
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::toPrimitive):
        * runtime/JSNotAnObject.h:
        * runtime/JSObject.h:
        * runtime/JSString.h:

2011-09-19  Mark Hahnenberg

        Remove toPrimitive from JSCell
        https://bugs.webkit.org/show_bug.cgi?id=67875

        Reviewed by Geoffrey Garen.

        Part of the refactoring process to un-virtualize JSCell. We move all of
        the implicit functionality provided by the virtual toPrimitive method in
        JSCell to be explicit in JSValue::toPrimitive and JSCell::toPrimitive
        while also de-virtualizing JSCell::toPrimitive.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/JSCell.cpp:
        (JSC::JSCell::toPrimitive):
        * runtime/JSCell.h: We replace JSNotAnObject::toPrimitive with
        defaultValue, which it overrides from JSObject. This pushes the virtual
        method further down, enabling us to get rid of the virtual call in JSCell.
        Eventually we'll probably have to deal with this again, but we'll cross
        that bridge when we come to it.
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::defaultValue):
        * runtime/JSNotAnObject.h:
        * runtime/JSObject.h:
        * runtime/JSString.h:
        (JSC::JSValue::toPrimitive):

2011-09-19  Oliver Hunt

        Build fix.

        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::compileGetDirectOffset):

2011-09-19  Oliver Hunt

        Rename NewSpace.{h,cpp} to MarkedSpace.{h,cpp}
        https://bugs.webkit.org/show_bug.cgi?id=68376

        Reviewed by Gavin Barraclough.

        Renamed the MarkedSpace files to match new name, and updated the relevant
        references.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.h:
        * heap/MarkedSpace.cpp: Renamed from Source/JavaScriptCore/heap/NewSpace.cpp.
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::addBlock):
        (JSC::MarkedSpace::removeBlock):
        (JSC::MarkedSpace::resetAllocator):
        (JSC::MarkedSpace::canonicalizeBlocks):
        * heap/MarkedSpace.h: Renamed from Source/JavaScriptCore/heap/NewSpace.h.
        (JSC::MarkedSpace::waterMark):
        (JSC::MarkedSpace::highWaterMark):
        (JSC::MarkedSpace::setHighWaterMark):
        (JSC::MarkedSpace::sizeClassFor):
        (JSC::MarkedSpace::allocate):
        (JSC::MarkedSpace::forEachBlock):
        (JSC::MarkedSpace::SizeClass::SizeClass):
        (JSC::MarkedSpace::SizeClass::resetAllocator):
        (JSC::MarkedSpace::SizeClass::canonicalizeBlock):
        * runtime/JSCell.h:

2011-09-19  Oliver Hunt

        Rename NewSpace to MarkedSpace
        https://bugs.webkit.org/show_bug.cgi?id=68375

        Reviewed by Gavin Barraclough.

        Rename NewSpace to a more accurate name, and update all uses. This patch
        doesn't rename the files themselves as that will just make the patch
        appear bigger than it is.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * heap/Heap.cpp:
        (JSC::CountFunctor::TakeIfEmpty::TakeIfEmpty):
        (JSC::CountFunctor::TakeIfEmpty::operator()):
        (JSC::Heap::Heap):
        (JSC::Heap::reportExtraMemoryCostSlowCase):
        (JSC::Heap::tryAllocate):
        (JSC::Heap::allocateSlowCase):
        (JSC::Heap::collect):
        (JSC::Heap::canonicalizeBlocks):
        (JSC::Heap::resetAllocator):
        (JSC::Heap::isValidAllocation):
        (JSC::Heap::shrink):
        * heap/Heap.h:
        (JSC::Heap::markedSpace):
        (JSC::Heap::sizeClassFor):
        (JSC::Heap::allocate):
        * heap/NewSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::addBlock):
        (JSC::MarkedSpace::removeBlock):
        (JSC::MarkedSpace::resetAllocator):
        (JSC::MarkedSpace::canonicalizeBlocks):
        * heap/NewSpace.h:
        (JSC::MarkedSpace::waterMark):
        (JSC::MarkedSpace::highWaterMark):
        (JSC::MarkedSpace::setHighWaterMark):
        (JSC::MarkedSpace::sizeClassFor):
        (JSC::MarkedSpace::allocate):
        (JSC::MarkedSpace::forEachBlock):
        (JSC::MarkedSpace::SizeClass::SizeClass):
        (JSC::MarkedSpace::SizeClass::resetAllocator):
        (JSC::MarkedSpace::SizeClass::canonicalizeBlock):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateBasicJSObject):

2011-09-19  Peter Rybin

        TextPosition refactoring: Merge ZeroBasedNumber and OneBasedNumber classes
        https://bugs.webkit.org/show_bug.cgi?id=63541

        Reviewed by Adam Barth.

        * parser/SourceProvider.h:
        (JSC::SourceProvider::startPosition):
        * wtf/text/TextPosition.h:
        (WTF::OrdinalNumber::fromZeroBasedInt):
        (WTF::OrdinalNumber::fromOneBasedInt):
        (WTF::OrdinalNumber::OrdinalNumber):
        (WTF::OrdinalNumber::zeroBasedInt):
        (WTF::OrdinalNumber::oneBasedInt):
        (WTF::OrdinalNumber::operator==):
        (WTF::OrdinalNumber::operator!=):
        (WTF::OrdinalNumber::first):
        (WTF::OrdinalNumber::beforeFirst):
        (WTF::TextPosition::TextPosition):
        (WTF::TextPosition::minimumPosition):
        (WTF::TextPosition::belowRangePosition):

2011-09-19  Dan Bernstein

        JavaScriptCore part of [mac] WebKit contains Objective-C classes that are
        not prefixed with its standard prefixes
        https://bugs.webkit.org/show_bug.cgi?id=68323

        Reviewed by Sam Weinig.

        Renamed WTFMainThreadCaller to JSWTFMainThreadCaller.

        * wtf/mac/MainThreadMac.mm:
        (WTF::initializeMainThreadPlatform):
        (WTF::initializeMainThreadToProcessMainThreadPlatform):

2011-09-19  Oliver Hunt

        Remove direct property slot pointers from the instruction stream
        https://bugs.webkit.org/show_bug.cgi?id=68373

        Reviewed by Gavin Barraclough.

        Use an indirect load to access prototype properties rather than directly
        storing the property address in the instruction stream. This should allow
        further optimisations in future, and also provides a 0.5% win to
        sunspider.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::generateProtoChainAccessStub):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::compileGetDirectOffset):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::compileGetDirectOffset):
        * runtime/JSObject.h:
        (JSC::JSObject::addressOfPropertyStorage):

2011-09-19  Oliver Hunt

        Remove bump allocator
        https://bugs.webkit.org/show_bug.cgi?id=68370

        Reviewed by Sam Weinig.
        Can't do anything with this allocator currently, and it's increasing the
        complexity of the GC code. Slight progression on SunSpider, slight
        regression (undoing the original progression) in V8.

        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * heap/Heap.h:
        * heap/NewSpace.cpp:
        (JSC::NewSpace::NewSpace):
        * heap/NewSpace.h:
        (JSC::NewSpace::allocate):
        * runtime/JSObject.cpp:
        (JSC::JSObject::allocatePropertyStorage):
        * runtime/JSObject.h:
        (JSC::JSObject::~JSObject):
        (JSC::JSObject::visitChildrenDirect):
        * runtime/StorageBarrier.h:
        (JSC::StorageBarrier::set):

2011-09-19  Carlos Garcia Campos

        [GTK] Fix distcheck build
        https://bugs.webkit.org/show_bug.cgi?id=68346

        Reviewed by Philippe Normand.

        * GNUmakefile.list.am:

2011-09-19  Carlos Garcia Campos

        [GTK] Fix distcheck build
        https://bugs.webkit.org/show_bug.cgi?id=68241

        Reviewed by Martin Robinson.

        * GNUmakefile.list.am:

2011-09-18  Dan Bernstein

        Removed ProfilerServer.

        Reviewed by Mark Rowe.

        * JavaScriptCore.gypi:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * profiler/ProfilerServer.h: Removed.
        * profiler/ProfilerServer.mm: Removed.
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * wscript:

2011-09-17  Filip Pizlo

        DFG JIT should inline Math.min, Math.max, and Math.sqrt
        https://bugs.webkit.org/show_bug.cgi?id=68318

        Reviewed by Gavin Barraclough.

        Adds Math.min, Math.max, and Math.sqrt intrinsics. Adds support for a
        function to have an intrinsic but not a thunk generator.

        This is a 7% speed-up on access-nbody, and neutral elsewhere, mainly
        because we're still not DFG compiling the bulk of the hot code in Kraken
        audio benchmarks.
        * create_hash_table:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleMinMax):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGIntrinsic.h:
        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNode):
        (JSC::DFG::Propagator::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::hostFunctionStub):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):

2011-09-18  Nico Weber

        Remove two files from JavaScriptCore.gypi that were removed in r95240
        https://bugs.webkit.org/show_bug.cgi?id=68327

        Unreviewed, build warning fix.

        * JavaScriptCore.gypi:

2011-09-17  Oliver Hunt

        Remove special case handling of inline storage from the JIT
        https://bugs.webkit.org/show_bug.cgi?id=68319

        Reviewed by Gavin Barraclough.

        Simplify logic used for reading and writing to property storage by
        removing the special cases for inline storage. This has no perf impact.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::generateProtoChainAccessStub):
        (JSC::DFG::tryBuildGetByIDList):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::compilePutDirectOffset):
        (JSC::JIT::compileGetDirectOffset):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompileGetByIdSelfList):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::compilePutDirectOffset):
        (JSC::JIT::compileGetDirectOffset):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompileGetByIdSelfList):

2011-09-17  Filip Pizlo

        DFG JIT does not have full block-local CSE
        https://bugs.webkit.org/show_bug.cgi?id=68316

        Reviewed by Oliver Hunt.

        This adds block-local CSE to the DFG. CSE runs in the propagator just
        after type propagation. It is part of the propagator itself because it
        needs to use the propagator's internal data structures to determine which
        operations may have side effects. Because it changes the live-ranges of
        nodes, the virtual register allocator had to be moved into the propagator
        so that it runs after CSE.
        To ensure that the back-end knows to keep the inputs to any eliminated
        node alive for OSR, a new node type, Phantom, was introduced. It is a
        no-op but prolongs the live-range of its inputs.

        This is an 80% speed-up on imaging-gaussian-blur, and a 10% speed-up on
        Kraken.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAliasTracker.h: Removed.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::MethodCheckData::operator==):
        (JSC::DFG::MethodCheckData::operator!=):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasVirtualRegister):
        (JSC::DFG::Node::setRefCount):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::Propagator):
        (JSC::DFG::Propagator::fixpoint):
        (JSC::DFG::Propagator::propagateNode):
        (JSC::DFG::Propagator::canonicalize):
        (JSC::DFG::Propagator::computeStartIndex):
        (JSC::DFG::Propagator::startIndex):
        (JSC::DFG::Propagator::pureCSE):
        (JSC::DFG::Propagator::globalVarLoadElimination):
        (JSC::DFG::Propagator::getByValLoadElimination):
        (JSC::DFG::Propagator::getMethodLoadElimination):
        (JSC::DFG::Propagator::performSubstitution):
        (JSC::DFG::Propagator::setReplacement):
        (JSC::DFG::Propagator::performNodeCSE):
        (JSC::DFG::Propagator::performBlockCSE):
        (JSC::DFG::Propagator::localCSE):
        (JSC::DFG::Propagator::allocateVirtualRegisters):
        (JSC::DFG::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-16  Filip Pizlo

        method_check should repatch itself if it finds that the new structure(s)
        are the result of transitions from the old structure(s)
        https://bugs.webkit.org/show_bug.cgi?id=68294

        Reviewed by Gavin Barraclough.

        Previously a patched method_check would slow-path to get_by_id. Now it
        slow-paths to method_check_update, which attempts to correct the
        method_check due to structure transitions before bailing to get_by_id.
        This is a 1-2% speed-up on some benchmarks and is not a slow-down
        anywhere, leading to a 0.6% speed-up on the Kraken geomean.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::patchMethodCallProto):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JITStubs.h:
        * runtime/Structure.h:
        (JSC::Structure::transitivelyTransitionedFrom):

2011-09-16  Ryosuke Niwa

        Touch Platform.h in the hope to fix SnowLeopard Intel Release (WebKit2
        Tests).

        * wtf/Platform.h:

2011-09-16  Sam Weinig

        Rename APIValueWrapper type to APIValueWrapperType for consistency
        https://bugs.webkit.org/show_bug.cgi?id=68306

        Reviewed by Anders Carlsson.

        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure): Update name.
        * runtime/JSType.h: Update name and un-indent.
        * runtime/Structure.h:
        (JSC::JSCell::isAPIValueWrapper): Update name.

2011-09-16  Sam Weinig

        Remove unused isStrictModeFunction function
        https://bugs.webkit.org/show_bug.cgi?id=68305

        Reviewed by Anders Carlsson.

        * runtime/JSObject.h:
        (JSC::JSObject::isStrictModeFunction):

2011-09-16  Sam Weinig

        Cleanup JSTypeInfo a bit
        https://bugs.webkit.org/show_bug.cgi?id=68289

        Reviewed by Anders Carlsson.

        * dfg/DFGOperations.cpp:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION): Replace direct access to flags() with
        predicate.
        * runtime/JSObject.h:
        (JSC::JSFinalObject::createStructure): Pass FinalObjectType instead of
        using special IsJSFinalObject.
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::TypeInfo): Add an additional assert that no object should
        have OverridesHasInstance set but not ImplementsHasInstance.
        (JSC::TypeInfo::isFinalObject): Added.
        (JSC::TypeInfo::masqueradesAsUndefined):
        (JSC::TypeInfo::implementsHasInstance):
        (JSC::TypeInfo::isEnvironmentRecord):
        (JSC::TypeInfo::overridesHasInstance):
        (JSC::TypeInfo::implementsDefaultHasInstance):
        (JSC::TypeInfo::overridesGetOwnPropertySlot):
        (JSC::TypeInfo::overridesVisitChildren):
        (JSC::TypeInfo::overridesGetPropertyNames):
        (JSC::TypeInfo::prohibitsPropertyCaching):
        (JSC::TypeInfo::isSetOnFlags1):
        (JSC::TypeInfo::isSetOnFlags2): Replace direct bit twiddling with helper
        functions.
        * runtime/Structure.cpp:
        (JSC::Structure::Structure): Use new isFinalObject() predicate.

2011-09-16  Gavin Barraclough

        Unsigned bit shift fails under certain conditions in 32 bit builds
        https://bugs.webkit.org/show_bug.cgi?id=68166

        Reviewed by Geoff Garen.

        The major bug here is that the slow case (which handles shifts of
        doubles) doesn't check for negative results from an unsigned shift (which
        should be unsigned, and as such can't be represented by a signed integer
        immediate). The implementation is also flawed for shifts by negative
        shift amounts (treats as shift by zero).

        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitRightShift):
        (JSC::JIT::emitRightShiftSlowCase):

2011-09-16  Geoffrey Garen

        Removed undetectable style.filter.

        Reviewed by Sam Weinig.

        This feature was added in http://trac.webkit.org/changeset/15557 to
        support housingmaps.com. But housingmaps.com no longer needs this hack,
        we don't know of other websites that need it, and we don't know of any
        other browsers that have implemented this feature.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/JSTypeInfo.h:
        * runtime/StringObjectThatMasqueradesAsUndefined.h: Removed.

2011-09-15  Sam Weinig

        Prepare JSTypes for more Object subtypes
        https://bugs.webkit.org/show_bug.cgi?id=68200

        Reviewed by Gavin Barraclough.
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::branchIfNotObject):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitJumpIfNotObject):
        * runtime/JSGlobalObject.h:
        (JSC::Structure::prototypeForLookup):
        * runtime/JSObject.h:
        (JSC::JSObject::finishCreation):
        * runtime/JSType.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::type):
        (JSC::TypeInfo::isObject):
        (JSC::TypeInfo::isFinal):
        (JSC::TypeInfo::prohibitsPropertyCaching):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/Operations.cpp:
        (JSC::jsIsObjectType):
        * runtime/Structure.cpp:
        (JSC::Structure::addPropertyTransitionToExistingStructure):
        (JSC::Structure::addPropertyTransition):
        * runtime/Structure.h:
        (JSC::Structure::isObject):
        (JSC::JSCell::isObject):

2011-09-16  Geoffrey Garen

        Rolled back in r95201 with test failure fixed.

        I missed two cases of jumpSlowToHot in rshift -- these cases need to be
        sure to initialize regT1 to the int tag, since it will otherwise hold the
        top 32 bits of a double.

        * jit/JIT.h:
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_op_lshift):
        (JSC::JIT::emitRightShift):
        (JSC::JIT::emitRightShiftSlowCase):
        (JSC::JIT::emit_op_bitand):
        (JSC::JIT::emit_op_bitor):
        (JSC::JIT::emit_op_bitxor):
        (JSC::JIT::emit_op_bitnot):
        (JSC::JIT::emit_op_post_inc):
        (JSC::JIT::emit_op_post_dec):
        (JSC::JIT::emit_op_pre_inc):
        (JSC::JIT::emit_op_pre_dec):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitStoreAndMapInt32):

2011-09-16  Filip Pizlo

        Unreviewed Windows build fix after 95318.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-09-16  Adam Roben

        Windows build fix after r95310

        * JavaScriptCore.vcproj/jsc/jscCommon.vsprops: Added
        include\private\JavaScriptCore to the include path so DFGIntrinsic.h can
        be found.

2011-09-16  Gavin Barraclough

        Rationalize JSObject::putDirect* methods
        https://bugs.webkit.org/show_bug.cgi?id=68274

        Reviewed by Sam Weinig.

        Delete the *Function variants.
These are overall inefficient, in the way they get the name back from the function rather than just passing it in. * JavaScriptCore.exp: * jsc.cpp: (GlobalObject::finishCreation): (GlobalObject::addFunction): * runtime/FunctionPrototype.cpp: (JSC::FunctionPrototype::addFunctionProperties): * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::reset): * runtime/JSObject.cpp: (JSC::JSObject::put): (JSC::JSObject::putWithAttributes): (JSC::JSObject::defineGetter): (JSC::JSObject::defineSetter): * runtime/JSObject.h: (JSC::JSObject::putDirect): (JSC::JSObject::putDirectWithoutTransition): * runtime/Lookup.cpp: (JSC::setUpStaticFunctionSlot): * runtime/Lookup.h: (JSC::lookupPut): 2011-09-16 Filip Pizlo Unreviewed build fix for Windows. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: 2011-09-16 Filip Pizlo Unreviewed build fix for non-DFG builds. * runtime/Executable.h: (JSC::NativeExecutable::finishCreation): 2011-09-16 Filip Pizlo DFG JIT should inline Math.abs https://bugs.webkit.org/show_bug.cgi?id=68227 Reviewed by Oliver Hunt. This adds the ability to track intrinsic functions throughout the host function infrastructure, so that the DFG can easily query whether or not a call's target is intrinsic, and if so, which intrinsic it is. On top of this, it adds Math.abs intrinsics to DFG. Call(Math.abs) is transformed into ValueToNumber<-ArithAbs nodes. These nodes then get optimized using the usual tricks. Also had to make a completely unrelated change to DateInstanceCache.h in order to fix a preexisting alphabetical sorting problem in JSGlobalData.h This results in a big win in imaging-gaussian-blur: 61% faster than before. The net win on Kraken is around 13%. * JavaScriptCore.xcodeproj/project.pbxproj: * create_hash_table: * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGGraph.h: (JSC::DFG::Graph::isFunctionConstant): (JSC::DFG::Graph::valueOfFunctionConstant): * dfg/DFGIntrinsic.h: Added. 
* dfg/DFGJITCodeGenerator.h: (JSC::DFG::JITCodeGenerator::isFunctionConstant): (JSC::DFG::JITCodeGenerator::valueOfFunctionConstant): * dfg/DFGJITCompiler.h: (JSC::DFG::JITCompiler::isFunctionConstant): (JSC::DFG::JITCompiler::valueOfFunctionConstant): * dfg/DFGNode.h: * dfg/DFGPropagator.cpp: (JSC::DFG::Propagator::propagateNode): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compile): * jit/JITStubs.cpp: (JSC::JITThunks::hostFunctionStub): * jit/JITStubs.h: * runtime/DateInstanceCache.h: * runtime/Executable.cpp: (JSC::ExecutableBase::intrinsic): (JSC::NativeExecutable::intrinsic): * runtime/Executable.h: (JSC::NativeExecutable::create): (JSC::NativeExecutable::finishCreation): * runtime/JSGlobalData.cpp: (JSC::JSGlobalData::getHostFunction): * runtime/JSGlobalData.h: * runtime/Lookup.cpp: (JSC::HashTable::createTable): (JSC::setUpStaticFunctionSlot): * runtime/Lookup.h: (JSC::HashEntry::initialize): (JSC::HashEntry::intrinsic): 2011-09-16 Filip Pizlo REGRESSION: Reproducible crash below SlotVisitor::harvestWeakReferences using Domino's online ordering https://bugs.webkit.org/show_bug.cgi?id=68220 Reviewed by Oliver Hunt. Weak handle processing can result in new objects being marked, which results in new WeakReferencesHarvesters being added. But weak reference harvesters are only processed before weak handle processing, so there's the risk that a weak reference harvester will persist until the next collection, by which time it may have been deleted. * heap/Heap.cpp: (JSC::Heap::markRoots): 2011-09-16 Csaba Osztrogonác REGRESSION(r95201): It made two tests fail https://bugs.webkit.org/show_bug.cgi?id=68230 Unreviewed rolling out r95201. 
* jit/JIT.h: * jit/JITArithmetic32_64.cpp: (JSC::JIT::emit_op_lshift): (JSC::JIT::emitRightShift): (JSC::JIT::emit_op_bitand): (JSC::JIT::emit_op_bitor): (JSC::JIT::emit_op_bitxor): (JSC::JIT::emit_op_bitnot): (JSC::JIT::emit_op_post_inc): (JSC::JIT::emit_op_post_dec): (JSC::JIT::emit_op_pre_inc): (JSC::JIT::emit_op_pre_dec): * jit/JITInlineMethods.h: 2011-09-15 Filip Pizlo DFG JIT does not optimize method_check https://bugs.webkit.org/show_bug.cgi?id=68215 Reviewed by Oliver Hunt. MethodCallLinkInfo and StructureStubInfo are now searchable by bytecodeIndex, so that DFG::ByteCodeParser can use that information to determine how to optimize GetMethod. A new node op has been added to DFG: CheckMethod. This is a variant of GetMethod that has been optimized for the case that GetMethod always takes the fast path. CheckMethod results in only a very small amount of code (two loads and two branches in the worst case, one load and one branch in the best case). CheckMethod behaves as if it were a constant. Introduced the notion that a DFG node that is not JSConstant behaves as a constant. CheckMethod uses this functionality. This is a 3% speed-up on Kraken, and a small speed-up on V8. Appears to be neutral on SunSpider. 
* bytecode/CodeBlock.h: (JSC::getStructureStubInfoBytecodeIndex): (JSC::getMethodCallLinkInfoBytecodeIndex): * bytecode/PredictedType.cpp: (JSC::predictionFromCell): (JSC::predictionFromValue): * bytecode/PredictedType.h: * bytecode/StructureStubInfo.h: * dfg/DFGAliasTracker.h: (JSC::DFG::AliasTracker::recordGetMethod): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::dump): * dfg/DFGGraph.h: (JSC::DFG::Graph::getMethodCheckPrediction): (JSC::DFG::Graph::getPrediction): (JSC::DFG::Graph::isConstant): (JSC::DFG::Graph::isJSConstant): (JSC::DFG::Graph::valueOfJSConstant): (JSC::DFG::Graph::valueOfInt32Constant): (JSC::DFG::Graph::valueOfNumberConstant): (JSC::DFG::Graph::valueOfBooleanConstant): (JSC::DFG::Graph::valueOfJSConstantNode): * dfg/DFGJITCodeGenerator.cpp: (JSC::DFG::JITCodeGenerator::fillInteger): (JSC::DFG::JITCodeGenerator::fillDouble): (JSC::DFG::JITCodeGenerator::fillJSValue): (JSC::DFG::JITCodeGenerator::isKnownNotInteger): (JSC::DFG::JITCodeGenerator::isKnownNotNumber): * dfg/DFGJITCodeGenerator.h: (JSC::DFG::JITCodeGenerator::silentSpillFPR): (JSC::DFG::JITCodeGenerator::silentFillGPR): (JSC::DFG::JITCodeGenerator::silentFillFPR): * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::fillNumericToDouble): (JSC::DFG::JITCompiler::fillInt32ToInteger): (JSC::DFG::JITCompiler::fillToJS): * dfg/DFGNode.h: (JSC::DFG::Node::hasConstant): (JSC::DFG::Node::hasIdentifier): (JSC::DFG::Node::hasMethodCheckData): (JSC::DFG::Node::methodCheckDataIndex): (JSC::DFG::Node::valueOfJSConstant): * dfg/DFGPropagator.cpp: (JSC::DFG::Propagator::propagateNode): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal): (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): (JSC::DFG::SpeculativeJIT::compile): * jit/JIT.cpp: (JSC::JIT::privateCompile): * jit/JIT.h: 
(JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo): (JSC::MethodCallCompilationInfo::MethodCallCompilationInfo): * jit/JITPropertyAccess.cpp: (JSC::JIT::emit_op_method_check): (JSC::JIT::compileGetByIdHotPath): (JSC::JIT::emit_op_put_by_id): * jit/JITPropertyAccess32_64.cpp: (JSC::JIT::emit_op_method_check): (JSC::JIT::compileGetByIdHotPath): (JSC::JIT::emit_op_put_by_id): * runtime/JSCell.h: (JSC::JSCell::JSCell::structureAddress): 2011-09-15 Adam Barth Rename ENABLE(DATABASE) to ENABLE(SQL_DATABASE) https://bugs.webkit.org/show_bug.cgi?id=68205 Reviewed by Eric Seidel. * Configurations/FeatureDefines.xcconfig: * wtf/Platform.h: 2011-09-15 Mark Hahnenberg Unzip initialization lists and constructors in JSCell hierarchy (7/7) https://bugs.webkit.org/show_bug.cgi?id=68122 Reviewed by Geoffrey Garen. Completed the seventh and final level of the refactoring to add finishCreation() methods to all classes within the JSCell hierarchy with non-trivial constructor bodies. JSCallbackObject was missed in previous patches due to the fact that it's non-obvious (at least to my script) that it is in the JSCell hierarchy, so this is just a bit of retroactive cleanup. * API/JSCallbackObject.h: (JSC::JSCallbackObject::create): * API/JSCallbackObjectFunctions.h: (JSC::::JSCallbackObject): 2011-09-15 Filip Pizlo The DFG non-speculative JIT is no longer used and should be removed. https://bugs.webkit.org/show_bug.cgi?id=68177 Reviewed by Geoffrey Garen. This removes the non-speculative JIT and everything that relied on it, including the ability to turn on DFG but not tiered compilation, the ability to perform speculation failure into non-speculative JIT code, and the ability to statically terminate speculation.
* GNUmakefile.list.am: * JavaScriptCore.pro: * JavaScriptCore.xcodeproj/project.pbxproj: * bytecode/CodeBlock.h: * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitLoopHint): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::ByteCodeParser): (JSC::DFG::ByteCodeParser::getStrongPrediction): (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGDriver.cpp: (JSC::DFG::compile): * dfg/DFGGenerationInfo.h: * dfg/DFGGraph.cpp: (JSC::DFG::Graph::predictArgumentTypes): * dfg/DFGJITCodeGenerator.cpp: * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::linkOSRExits): (JSC::DFG::JITCompiler::compileBody): * dfg/DFGJITCompiler.h: * dfg/DFGNode.h: * dfg/DFGNonSpeculativeJIT.cpp: Removed. * dfg/DFGNonSpeculativeJIT.h: Removed. * dfg/DFGOSREntry.cpp: (JSC::DFG::prepareOSREntry): * dfg/DFGPropagator.cpp: * dfg/DFGPropagator.h: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::osrExits): (JSC::DFG::SpeculativeJIT::speculationRecovery): (JSC::DFG::SpeculativeJIT::speculationCheck): (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution): * jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): (JSC::JIT::privateCompile): * jit/JIT.h: * jit/JITCode.h: (JSC::JITCode::bottomTierJIT): * runtime/JSGlobalData.cpp: (JSC::JSGlobalData::JSGlobalData): (JSC::JSGlobalData::~JSGlobalData): * runtime/JSGlobalData.h: * wtf/Platform.h: 2011-09-15 Eric Seidel Remove ENABLE(SVG_AS_IMAGE) since all major ports have it on by default https://bugs.webkit.org/show_bug.cgi?id=68182 Reviewed by Adam Barth. * Configurations/FeatureDefines.xcconfig: 2011-09-15 Filip Pizlo DFG speculative JIT sometimes asserts that a value is not a number even when it doesn't know anything about the number https://bugs.webkit.org/show_bug.cgi?id=68189 Reviewed by Oliver Hunt. 
* dfg/DFGGenerationInfo.h: (JSC::DFG::GenerationInfo::isUnknownJS): * dfg/DFGJITCodeGenerator.cpp: (JSC::DFG::JITCodeGenerator::isKnownNotNumber): 2011-09-15 Filip Pizlo All of the functionality in the non-speculative JIT should be available to the speculative JIT via helper methods https://bugs.webkit.org/show_bug.cgi?id=68186 Reviewed by Oliver Hunt. Stole all of the goodness from NonSpeculativeJIT and placed it in JITCodeGenerator. Left all of the badness (i.e. subtle code duplication with SpeculativeJIT, etc). This is in preparation for removing the NonSpeculativeJIT entirely, but having its goodness available for reuse in the SpeculativeJIT if necessary. * dfg/DFGJITCodeGenerator.cpp: (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber): (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32): (JSC::DFG::JITCodeGenerator::nonSpeculativeUInt32ToNumber): (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp): (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp): (JSC::DFG::JITCodeGenerator::nonSpeculativeArithMod): (JSC::DFG::JITCodeGenerator::nonSpeculativeCheckHasInstance): (JSC::DFG::JITCodeGenerator::nonSpeculativeInstanceOf): * dfg/DFGJITCodeGenerator.h: (JSC::DFG::JITCodeGenerator::nonSpeculativeAdd): (JSC::DFG::JITCodeGenerator::nonSpeculativeArithSub): * dfg/DFGNonSpeculativeJIT.cpp: (JSC::DFG::NonSpeculativeJIT::compile): * dfg/DFGNonSpeculativeJIT.h: 2011-09-15 Sheriff Bot Unreviewed, rolling out r95167. http://trac.webkit.org/changeset/95167 https://bugs.webkit.org/show_bug.cgi?id=68191 Patch needs further work. (Requested by mhahnenberg on #webkit). 
* JavaScriptCore.exp: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: * runtime/JSCell.cpp: (JSC::JSCell::toBoolean): * runtime/JSCell.h: (JSC::JSCell::JSValue::toBoolean): * runtime/JSNotAnObject.cpp: (JSC::JSNotAnObject::toBoolean): * runtime/JSNotAnObject.h: * runtime/JSObject.h: * runtime/JSString.h: * runtime/StringObjectThatMasqueradesAsUndefined.h: (JSC::StringObjectThatMasqueradesAsUndefined::toBoolean): 2011-09-15 Filip Pizlo Unreviewed build fix for platforms that expect a linkable symbol for primitive static const's. * bytecode/CodeBlock.h: * jit/JIT.cpp: (JSC::JIT::emitOptimizationCheck): 2011-09-15 Filip Pizlo Unreviewed build fix for assertion on existence of alternative CodeBlock. * dfg/DFGGraph.cpp: (JSC::DFG::Graph::predictArgumentTypes): 2011-09-14 Filip Pizlo Value profiles collect no information for global variables https://bugs.webkit.org/show_bug.cgi?id=68143 Reviewed by Geoffrey Garen. 17% speed-up on string-fasta. Neutral elsewhere. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::getStrongPrediction): (JSC::DFG::ByteCodeParser::stronglyPredict): (JSC::DFG::ByteCodeParser::parseBlock): * jit/JITPropertyAccess.cpp: (JSC::JIT::emit_op_get_global_var): 2011-09-15 Eric Seidel Remove ENABLE_SVG_ANIMATION as all major ports have it on by default https://bugs.webkit.org/show_bug.cgi?id=68022 Reviewed by Ryosuke Niwa. * Configurations/FeatureDefines.xcconfig: 2011-09-15 Gavin Barraclough Ooops, revert accidentally committed unreviewed changes. * jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_jfalse): (JSC::JIT::emit_op_jtrue): * jit/JSInterfaceJIT.h: * runtime/JSValue.h: 2011-09-15 Sheriff Bot Unreviewed, rolling out r95163. http://trac.webkit.org/changeset/95163 https://bugs.webkit.org/show_bug.cgi?id=68180 [Qt] The QT_GCC_X variables were removed in Qt5 by accident. (Requested by darktears on #webkit). * JavaScriptCore.pro: 2011-09-15 Gavin Barraclough Windows build fix p1.
* JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: * jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_jfalse): (JSC::JIT::emit_op_jtrue): * jit/JSInterfaceJIT.h: * runtime/JSValue.h: 2011-09-14 Filip Pizlo Tiered compilation should be enabled by default on platforms that support the DFG JIT https://bugs.webkit.org/show_bug.cgi?id=68136 Reviewed by Sam Weinig. Neutral on SunSpider, 4% speed-up on V8, and 19% speed-up on Kraken. Large progressions on some benchmarks, including 3x on imaging-desaturate. * wtf/Platform.h: 2011-09-15 Gavin Barraclough devirtualize preventExtensions https://bugs.webkit.org/show_bug.cgi?id=68176 Reviewed by Oliver Hunt. This is virtual due to problems in JSFunction putting the prototype property, but we can fix this problem a different way, just setting the checkReadOnly flag to false in the put. * runtime/JSFunction.cpp: (JSC::JSFunction::getOwnPropertySlot): * runtime/JSFunction.h: * runtime/JSObject.h: 2011-09-15 Geoffrey Garen Value chaining for JSValue32_64 bitops. Reviewed by Sam Weinig. SunSpider says 2.3% faster, v8 ~1% faster (mostly due to crypto). * jit/JIT.h: * jit/JITInlineMethods.h: (JSC::JIT::emitStoreAndMapInt32): New int32 helper function for stores that can chain their results, which is the common case. * jit/JITArithmetic32_64.cpp: (JSC::JIT::emit_op_lshift): (JSC::JIT::emitRightShift): (JSC::JIT::emit_op_bitand): (JSC::JIT::emit_op_bitor): (JSC::JIT::emit_op_bitxor): (JSC::JIT::emit_op_bitnot): (JSC::JIT::emit_op_pre_inc): (JSC::JIT::emit_op_pre_dec): Deployed new function. (JSC::JIT::emit_op_post_inc): (JSC::JIT::emit_op_post_dec): Had to reorder these functions so they computed their result values last, to make them eligible for chaining. 2011-09-15 Adam Roben Clang build fix after r95172 * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::shouldSpeculateFinalObject): (JSC::DFG::SpeculativeJIT::shouldSpeculateArray): Added parentheses to make precedence clear.
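The entry for bug 68166 above ("Unsigned bit shift fails under certain conditions in 32 bit builds", emitRightShift / emitRightShiftSlowCase) names two defects in the 32-bit slow path: an unsigned shift result that does not fit a signed int32 immediate is stored as if it did, and a negative shift amount is treated as a shift by zero. The C++ below is an added example, not WebKit code: it implements the ECMAScript semantics of `>>>` on double operands (ToUint32 of both sides, shift count masked to five bits, uint32 result) next to a small model of the two described defects, so the mismatches can be checked on concrete values. All function names are the example's own, and the "buggy" model stands in for the behaviour the entry describes, not for the JIT's actual emitted code.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>

// ECMAScript ToUint32 (ES5 9.6): NaN and infinities map to 0, everything else is
// truncated toward zero and reduced modulo 2^32, with a negative remainder folded
// back into [0, 2^32).
static uint32_t jsToUint32(double d) {
    if (std::isnan(d) || std::isinf(d))
        return 0;
    double t = std::trunc(d);
    double m = std::fmod(t, 4294967296.0);   // fmod keeps the sign of t
    if (m < 0)
        m += 4294967296.0;
    return static_cast<uint32_t>(m);
}

// Two's-complement reinterpretation of a uint32, written so it does not rely on
// implementation-defined narrowing in older C++ standards.
static int32_t reinterpretAsInt32(uint32_t u) {
    if (u >= 0x80000000u)
        return static_cast<int32_t>(u - 0x80000000u) + std::numeric_limits<int32_t>::min();
    return static_cast<int32_t>(u);
}

// ECMAScript ToInt32 (ES5 9.5) is ToUint32 followed by reinterpretation.
static int32_t jsToInt32(double d) {
    return reinterpretAsInt32(jsToUint32(d));
}

// Spec semantics of `lhs >>> rhs` (ES5 11.7.3): both operands go through
// ToUint32, only the low five bits of the count are used, and the result is an
// unsigned 32-bit value, returned here as a double because it may exceed INT32_MAX.
static double jsUnsignedRightShift(double lhs, double rhs) {
    uint32_t count = jsToUint32(rhs) & 0x1f;
    return static_cast<double>(jsToUint32(lhs) >> count);
}

// Can a result be carried in a signed 32-bit payload? Anything >= 2^31 cannot,
// and has to be boxed as a double rather than as an int32 immediate.
static bool fitsInt32Payload(double v) {
    return v >= std::numeric_limits<int32_t>::min()
        && v <= std::numeric_limits<int32_t>::max()
        && std::trunc(v) == v;
}

// Model of the two defects the ChangeLog entry describes (an illustration, not the
// JIT code): (a) a negative shift amount is treated as a shift by zero, and (b) the
// unsigned result is stored straight into a signed int32 payload, so bit 31 turns
// into a sign bit.
static int32_t modelOfBuggySlowPath(double lhs, double rhs) {
    int32_t count = jsToInt32(rhs);
    if (count < 0)
        count = 0;                                      // defect (a)
    uint32_t result = jsToUint32(lhs) >> (count & 0x1f);
    return reinterpretAsInt32(result);                  // defect (b)
}
```

The two cases worth remembering from this: `-1 >>> 0` must produce 4294967295, which no int32 immediate can hold, so a correct slow path has to fall back to a double result; and `8 >>> -1` is a shift by 31 (the count is masked after ToUint32), not a shift by zero.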
2011-09-14 Filip Pizlo DFG does not speculate aggressively enough on comparisons https://bugs.webkit.org/show_bug.cgi?id=68138 Reviewed by Oliver Hunt. This is a 75% speed-up on Kraken/ai-astar. It's a 1% win on V8 and an 8.5% win on Kraken. Neutral on SunSpider. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch): (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality): (JSC::DFG::SpeculativeJIT::compileObjectEquality): (JSC::DFG::SpeculativeJIT::compare): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::shouldSpeculateFinalObject): (JSC::DFG::SpeculativeJIT::shouldSpeculateArray): (JSC::DFG::SpeculativeJIT::shouldSpeculateObject): (JSC::DFG::SpeculativeJIT::shouldSpeculateCell): 2011-09-14 Filip Pizlo DFG JIT does not leverage integer speculations on branches https://bugs.webkit.org/show_bug.cgi?id=68140 Reviewed by Oliver Hunt. * dfg/DFGJITCodeGenerator.cpp: (JSC::DFG::JITCodeGenerator::isStrictInt32): * dfg/DFGJITCodeGenerator.h: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compile): 2011-09-14 Gavin Barraclough [n]stricteq code is bogus in JSValue32_64 JIT https://bugs.webkit.org/show_bug.cgi?id=68141 Reviewed by Sam Weinig. The code tries to check for both ints or cells, but this check also catches cases where values that are undefined, null, etc (probably was incorrectly assuming cell was the 2nd highest tag?). Also, there is no need not to handle int on the fast path. stricteq is just a case of comparing the payloads, if we: * handle cases of differing tags on a slow path * handle doubles a slow path * handle both-are-string on a slow path * jit/JITOpcodes32_64.cpp: (JSC::JIT::compileOpStrictEq): (JSC::JIT::emitSlow_op_stricteq): (JSC::JIT::emitSlow_op_nstricteq): 2011-09-14 Mark Hahnenberg Make JSCell::toBoolean non-virtual https://bugs.webkit.org/show_bug.cgi?id=67727 Reviewed by Sam Weinig. 
JSCell::toBoolean now manually performs the toBoolean check for objects and strings (where before it was simply virtual and would crash if its implementation was called). Its descendants in JSObject and JSString have also been made non-virtual. JSCell now explicitly covers all cases of toBoolean, so having a virtual implementation of JSCell::toBoolean is no longer necessary. This is part of a larger process of un-virtualizing JSCell. * JavaScriptCore.exp: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: * runtime/JSCell.cpp: * runtime/JSCell.h: * runtime/JSNotAnObject.cpp: * runtime/JSNotAnObject.h: * runtime/JSObject.h: * runtime/JSString.h: (JSC::JSCell::toBoolean): (JSC::JSValue::toBoolean): * runtime/StringObjectThatMasqueradesAsUndefined.h: 2011-09-14 Alexis Menard [Qt] Replace QT_GCC_X as they don't exist in Qt5 anymore. https://bugs.webkit.org/show_bug.cgi?id=68114 Reviewed by Kenneth Rohde Christiansen. Use the new GCC_X variables defined in WebKit.pri to replace the usage of QT_GCC_X. * JavaScriptCore.pro: 2011-09-14 Sheriff Bot Unreviewed, rolling out r95145. http://trac.webkit.org/changeset/95145 https://bugs.webkit.org/show_bug.cgi?id=68139 The GTK+ build is working now, so revert this trial build fix. (Requested by mrobinson on #webkit). * GNUmakefile.list.am: 2011-09-14 Patrick Gansterer Port MachineStackMarker to Windows ARM and MIPS https://bugs.webkit.org/show_bug.cgi?id=68068 Reviewed by Geoffrey Garen. Use the correct member of the CONTEXT struct for the stack pointer for CPU(ARM) and CPU(MIPS). Only query CONTEXT_INTEGER and CONTEXT_CONTROL, since CONTEXT_SEGMENTS isn't defined for CPU(ARM) and CPU(MIPS) and the stack pointer is defined in the CONTEXT_CONTROL section for CPU(ARM), CPU(X86) and CPU(X86_64) and in the CONTEXT_INTEGER section for CPU(MIPS).
* heap/MachineStackMarker.cpp: (JSC::getPlatformThreadRegisters): (JSC::otherThreadStackPointer): 2011-09-12 Filip Pizlo DFG JIT always speculates that ValueAdd is a numeric addition https://bugs.webkit.org/show_bug.cgi?id=67956 Reviewed by Geoffrey Garen. * dfg/DFGJITCodeGenerator.cpp: (JSC::DFG::JITCodeGenerator::isKnownNotNumber): * dfg/DFGJITCodeGenerator.h: * dfg/DFGNonSpeculativeJIT.cpp: (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp): (JSC::DFG::NonSpeculativeJIT::basicArithOp): * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::shouldSpeculateNumber): 2011-09-14 Anders Carlsson Stop building BinarySemaphore to see if that's what's breaking the GTK+ build. * GNUmakefile.list.am: 2011-09-14 Anders Carlsson This is getting old. Yet another build fix attempt. * JavaScriptCore.vcproj/WTF/WTFCommon.vsprops: 2011-09-14 Anders Carlsson Yet another build fix attempt. * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd: 2011-09-14 Anders Carlsson How I "love" Visual Studio... Try to fix build again. * JavaScriptCore.vcproj/WTF/WTFCommon.vsprops: 2011-09-14 Anders Carlsson Try to fix Windows build. * JavaScriptCore.vcproj/WTF/WTFCommon.vsprops: 2011-09-14 Anders Carlsson Add BinarySemaphore class from WebKit2 to WTF https://bugs.webkit.org/show_bug.cgi?id=68132 Reviewed by Sam Weinig. * GNUmakefile.list.am: * JavaScriptCore.gypi: * JavaScriptCore.vcproj/WTF/WTF.vcproj: * JavaScriptCore.xcodeproj/project.pbxproj: * wtf/CMakeLists.txt: Update build systems. * wtf/threads: Added. * wtf/threads/BinarySemaphore.cpp: Copied from Source/WebKit2/Platform/CoreIPC/BinarySemaphore.cpp. * wtf/threads/BinarySemaphore.h: Copied from Source/WebKit2/Platform/CoreIPC/BinarySemaphore.h. * wtf/threads/win: Added. * wtf/threads/win/BinarySemaphoreWin.cpp: Copied from Source/WebKit2/Platform/CoreIPC/win/BinarySemaphoreWin.cpp. 
2011-09-14 Filip Pizlo Unreviewed build fix for Interpreter. * interpreter/Interpreter.cpp: (JSC::Interpreter::privateExecute): 2011-09-14 Anders Carlsson Add wtf/threads and wtf/threads/win, so we can be sure that the EWS bots can correctly build the patch in https://bugs.webkit.org/show_bug.cgi?id=68132 Rubber-stamped by Sam Weinig. * wtf/threads: Added. * wtf/threads/win: Added. 2011-09-14 Filip Pizlo DFG JIT should not speculate integer if the value is always going to be used as a double anyway https://bugs.webkit.org/show_bug.cgi?id=68127 Reviewed by Oliver Hunt. Added a ValueToDouble node, which is a variant of ValueToNumber that hints that it will only be used as a double and never as an integer. Thus, it turns off integer speculation even if the value profiler told us that the value source is an int. The logic for converting a ValueToNumber into a ValueToDouble is found in Propagator. This appears to be a 22% speed-up in imaging-darkroom. * dfg/DFGNode.h: * dfg/DFGNonSpeculativeJIT.cpp: (JSC::DFG::NonSpeculativeJIT::compile): * dfg/DFGPropagator.cpp: (JSC::DFG::Propagator::fixpoint): (JSC::DFG::Propagator::toDouble): (JSC::DFG::Propagator::fixupNode): (JSC::DFG::Propagator::fixup): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compile): (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor): 2011-09-14 Filip Pizlo Tiered compilation heuristics do not account for value profile fullness https://bugs.webkit.org/show_bug.cgi?id=68116 Reviewed by Oliver Hunt. Tiered compilation avoids invoking the DFG JIT if it finds that value profiles contain insufficient information. Instead, it produces a prediction from the current value profile, and then clears the value profile. This allows the value profile to heat up from scratch for some number of additional executions. The new profiles will then be merged with the previous prediction. 
Once the amount of information in predictions is enough according to heuristics in CodeBlock.cpp, DFG optimization is allowed to proceed. * CMakeLists.txt: * GNUmakefile.list.am: * JavaScriptCore.pro: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: * JavaScriptCore.xcodeproj/project.pbxproj: * bytecode/CodeBlock.cpp: (JSC::CodeBlock::CodeBlock): (JSC::CodeBlock::~CodeBlock): (JSC::CodeBlock::visitAggregate): (JSC::CodeBlock::visitWeakReferences): (JSC::CodeBlock::shouldOptimizeNow): (JSC::CodeBlock::dumpValueProfiles): * bytecode/CodeBlock.h: * bytecode/PredictedType.cpp: (JSC::predictionToString): * bytecode/PredictedType.h: * bytecode/ValueProfile.cpp: Added. (JSC::ValueProfile::computeStatistics): (JSC::ValueProfile::computeUpdatedPrediction): * bytecode/ValueProfile.h: (JSC::ValueProfile::ValueProfile): (JSC::ValueProfile::classInfo): (JSC::ValueProfile::numberOfSamples): (JSC::ValueProfile::totalNumberOfSamples): (JSC::ValueProfile::isLive): (JSC::ValueProfile::numberOfInt32s): (JSC::ValueProfile::numberOfDoubles): (JSC::ValueProfile::numberOfBooleans): (JSC::ValueProfile::dump): (JSC::getValueProfileBytecodeOffset): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::stronglyPredict): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::predictArgumentTypes): * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::exitSpeculativeWithOSR): (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative): * jit/JIT.cpp: (JSC::JIT::emitOptimizationCheck): * jit/JITInlineMethods.h: (JSC::JIT::emitValueProfilingSite): * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): 2011-09-14 Filip Pizlo DFG should not speculate that the child of LogicalNot is a boolean if predictions tell us otherwise https://bugs.webkit.org/show_bug.cgi?id=68118 Reviewed by Geoffrey Garen. 
* dfg/DFGJITCodeGenerator.cpp: (JSC::DFG::JITCodeGenerator::nonSpeculativeLogicalNot): * dfg/DFGJITCodeGenerator.h: * dfg/DFGNonSpeculativeJIT.cpp: (JSC::DFG::NonSpeculativeJIT::compile): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compile): 2011-09-14 Filip Pizlo Unreviewed build fix. Turn off tiered compilation. * wtf/Platform.h: 2011-09-13 Filip Pizlo Prediction tracking is not precise enough https://bugs.webkit.org/show_bug.cgi?id=67993 Reviewed by Oliver Hunt. Added a richer set of type predictions, including JSFinalObject, JSString, object that is not a JSFinalObject or JSArray (ObjectOther), some object but we don't know or care what kind (SomeObject), definitely an object, cell that is not an object or JSString, a value that is none of the above (so either Undefined or Null). Made the propagator and value profiler work with the new types. Performance is neutral, because the DFG JIT does not take advantage of this new knowledge yet. In the process of writing predictionToString() (which is now considerably more complex) I decided to finally add a BoundsCheckedPointer, which should come in handy in other places, like at least the OSR scratch buffer and the CompactJITCodeMap. It's great for cases where you want to do pointer arithmetic, you want to have assertions about the pointer not going out of bounds, but you don't want to write those assertions yourself. This also required refactoring inherits(), since the ValueProfiler may want to do the equivalent of inherits() but given two ClassInfo's. * GNUmakefile.list.am: * JavaScriptCore.vcproj/WTF/WTF.vcproj: * JavaScriptCore.xcodeproj/project.pbxproj: * bytecode/PredictedType.cpp: Added.
(JSC::predictionToString): (JSC::makePrediction): (JSC::predictionFromValue): * bytecode/PredictedType.h: (JSC::isCellPrediction): (JSC::isObjectPrediction): (JSC::isFinalObjectPrediction): (JSC::isStringPrediction): (JSC::mergePredictions): * bytecode/ValueProfile.h: (JSC::ValueProfile::numberOfObjects): (JSC::ValueProfile::numberOfFinalObjects): (JSC::ValueProfile::numberOfStrings): (JSC::ValueProfile::probabilityOfObject): (JSC::ValueProfile::probabilityOfFinalObject): (JSC::ValueProfile::probabilityOfString): (JSC::ValueProfile::dump): (JSC::ValueProfile::Statistics::Statistics): (JSC::ValueProfile::computeStatistics): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::stronglyPredict): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::dump): (JSC::DFG::Graph::predictArgumentTypes): * dfg/DFGNode.h: (JSC::DFG::Node::predict): * dfg/DFGPropagator.cpp: (JSC::DFG::Propagator::propagateNode): * runtime/ClassInfo.h: (JSC::ClassInfo::isSubClassOf): * runtime/JSObject.h: (JSC::JSCell::inherits): * wtf/BoundsCheckedPointer.h: Added. 
(WTF::BoundsCheckedPointer::BoundsCheckedPointer): (WTF::BoundsCheckedPointer::operator=): (WTF::BoundsCheckedPointer::operator+=): (WTF::BoundsCheckedPointer::operator-=): (WTF::BoundsCheckedPointer::operator+): (WTF::BoundsCheckedPointer::operator-): (WTF::BoundsCheckedPointer::operator++): (WTF::BoundsCheckedPointer::operator--): (WTF::BoundsCheckedPointer::operator<): (WTF::BoundsCheckedPointer::operator<=): (WTF::BoundsCheckedPointer::operator>): (WTF::BoundsCheckedPointer::operator>=): (WTF::BoundsCheckedPointer::operator==): (WTF::BoundsCheckedPointer::operator!=): (WTF::BoundsCheckedPointer::operator!): (WTF::BoundsCheckedPointer::get): (WTF::BoundsCheckedPointer::operator*): (WTF::BoundsCheckedPointer::operator[]): (WTF::BoundsCheckedPointer::strcat): (WTF::BoundsCheckedPointer::validate): * wtf/CMakeLists.txt: 2011-09-14 Csaba Osztrogonác [Qt] Win32 builds with threads turned off https://bugs.webkit.org/show_bug.cgi?id=67864 Reviewed by Geoffrey Garen. * JavaScriptCore.pri: Link pthread library on Windows platform. * wtf/Platform.h: Enable multiple threads. 2011-09-14 Mark Hahnenberg Unzip initialization lists and constructors in JSCell hierarchy (6/7) https://bugs.webkit.org/show_bug.cgi?id=67692 Reviewed by Geoffrey Garen. Completed the sixth level of the refactoring to add finishCreation() methods to all classes within the JSCell hierarchy with non-trivial constructor bodies. This primarily consists of pushing the calls to finishCreation() down into the constructors of the subclasses of the fifth level of the hierarchy as well as pulling the finishCreation() calls out into the class's corresponding create() method if it has one. Doing both simultaneously allows us to maintain the invariant that the finishCreation() method chain is called exactly once during the creation of an object, since calling it any other number of times (0, 2, or more) will cause an assertion failure. 
* API/JSCallbackFunction.cpp: (JSC::JSCallbackFunction::JSCallbackFunction): * API/JSCallbackFunction.h: (JSC::JSCallbackFunction::create): * jsc.cpp: (GlobalObject::create): (GlobalObject::GlobalObject): * runtime/ArrayConstructor.cpp: (JSC::ArrayConstructor::ArrayConstructor): * runtime/ArrayConstructor.h: (JSC::ArrayConstructor::create): * runtime/BooleanConstructor.cpp: (JSC::BooleanConstructor::BooleanConstructor): * runtime/BooleanConstructor.h: (JSC::BooleanConstructor::create): * runtime/BooleanPrototype.cpp: (JSC::BooleanPrototype::BooleanPrototype): * runtime/BooleanPrototype.h: (JSC::BooleanPrototype::create): * runtime/DateConstructor.cpp: (JSC::DateConstructor::DateConstructor): * runtime/DateConstructor.h: (JSC::DateConstructor::create): * runtime/DatePrototype.cpp: (JSC::DatePrototype::DatePrototype): * runtime/DatePrototype.h: (JSC::DatePrototype::create): * runtime/Error.cpp: (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction): (JSC::StrictModeTypeErrorFunction::create): * runtime/ErrorConstructor.cpp: (JSC::ErrorConstructor::ErrorConstructor): * runtime/ErrorConstructor.h: (JSC::ErrorConstructor::create): * runtime/FunctionConstructor.cpp: (JSC::FunctionConstructor::FunctionConstructor): * runtime/FunctionConstructor.h: (JSC::FunctionConstructor::create): * runtime/FunctionPrototype.cpp: (JSC::FunctionPrototype::FunctionPrototype): * runtime/FunctionPrototype.h: (JSC::FunctionPrototype::create): * runtime/NativeErrorConstructor.cpp: (JSC::NativeErrorConstructor::NativeErrorConstructor): * runtime/NativeErrorConstructor.h: (JSC::NativeErrorConstructor::create): * runtime/NativeErrorPrototype.cpp: (JSC::NativeErrorPrototype::NativeErrorPrototype): (JSC::NativeErrorPrototype::finishCreation): * runtime/NativeErrorPrototype.h: (JSC::NativeErrorPrototype::create): * runtime/NumberConstructor.cpp: (JSC::NumberConstructor::NumberConstructor): * runtime/NumberConstructor.h: (JSC::NumberConstructor::create): * runtime/NumberPrototype.cpp: 
(JSC::NumberPrototype::NumberPrototype): * runtime/NumberPrototype.h: (JSC::NumberPrototype::create): * runtime/ObjectConstructor.cpp: (JSC::ObjectConstructor::ObjectConstructor): * runtime/ObjectConstructor.h: (JSC::ObjectConstructor::create): * runtime/RegExpConstructor.cpp: (JSC::RegExpConstructor::RegExpConstructor): * runtime/RegExpConstructor.h: (JSC::RegExpConstructor::create): * runtime/RegExpPrototype.cpp: (JSC::RegExpPrototype::RegExpPrototype): * runtime/RegExpPrototype.h: (JSC::RegExpPrototype::create): * runtime/StringConstructor.cpp: (JSC::StringConstructor::StringConstructor): * runtime/StringConstructor.h: (JSC::StringConstructor::create): * runtime/StringObjectThatMasqueradesAsUndefined.h: (JSC::StringObjectThatMasqueradesAsUndefined::create): (JSC::StringObjectThatMasqueradesAsUndefined::StringObjectThatMasqueradesAsUndefined): * runtime/StringPrototype.cpp: (JSC::StringPrototype::StringPrototype): * runtime/StringPrototype.h: (JSC::StringPrototype::create): 2011-09-13 Eric Seidel Remove ENABLE_SVG_USE as is required by HTML5 https://bugs.webkit.org/show_bug.cgi?id=68019 Reviewed by Ryosuke Niwa. * Configurations/FeatureDefines.xcconfig: 2011-09-14 Iain Merrick HashTraits.h should include template specialization for WTF::String https://bugs.webkit.org/show_bug.cgi?id=67851 Ensure that the template specialization for HashTraits is always picked up. (Previously it was possible to include HashSet and String but not the correct HashTraits, so you would get an inefficient template instantiation.) Reviewed by Darin Adler. * wtf/HashTraits.h: * wtf/text/StringHash.h: 2011-09-13 Filip Pizlo SpeculativeJIT::shouldSpeculateInteger(NodeIndex, NodeIndex) should return false if either node can be double https://bugs.webkit.org/show_bug.cgi?id=67985 Reviewed by Geoffrey Garen. This is a 17% speed-up on 3d-cube. 
        This required allowing us to check if a constant is double but not
        integer, and making the shouldSpeculateInteger() check test for any
        hints of doubly-ness in its operands.

        This also required changing some terminology: previously "isDouble"
        often meant "isDouble or isInt32". Now "isDouble" means exactly what
        the name suggests, and "isNumber" means "isDouble or isInt32".

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::toNumber):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::isJSFormat):
        (JSC::DFG::isJSInteger):
        (JSC::DFG::isJSDouble):
        (JSC::DFG::isJSCell):
        (JSC::DFG::isJSBoolean):
        (JSC::DFG::GenerationInfo::isJSFormat):
        (JSC::DFG::GenerationInfo::isJSInteger):
        (JSC::DFG::GenerationInfo::isJSDouble):
        (JSC::DFG::GenerationInfo::isJSCell):
        (JSC::DFG::GenerationInfo::isJSBoolean):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::isNumberConstant):
        (JSC::DFG::Graph::valueOfNumberConstant):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::fillInteger):
        (JSC::DFG::JITCodeGenerator::fillDouble):
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        (JSC::DFG::JITCodeGenerator::isKnownInteger):
        (JSC::DFG::JITCodeGenerator::isKnownNumeric):
        (JSC::DFG::JITCodeGenerator::isKnownCell):
        (JSC::DFG::JITCodeGenerator::isKnownNotInteger):
        (JSC::DFG::JITCodeGenerator::isKnownBoolean):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::silentFillFPR):
        (JSC::DFG::JITCodeGenerator::isNumberConstant):
        (JSC::DFG::JITCodeGenerator::valueOfNumberConstant):
        (JSC::DFG::JITCodeGenerator::initConstantInfo):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::fillNumericToDouble):
        (JSC::DFG::JITCompiler::fillToJS):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::isNumberConstant):
        (JSC::DFG::JITCompiler::valueOfNumberConstant):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isDoubleConstant):
        (JSC::DFG::Node::isNumberConstant):
        (JSC::DFG::Node::valueOfNumberConstant):
        (JSC::DFG::Node::hasNumberResult):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::isInteger):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::shouldNotSpeculateInteger):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateInteger):

2011-09-13  Anders Carlsson

        Disable C++ exceptions when building with clang
        https://bugs.webkit.org/show_bug.cgi?id=68031

        Reviewed by Mark Rowe.

        * Configurations/Base.xcconfig:

2011-09-13  Eric Seidel

        Remove ENABLE_SVG_FOREIGN_OBJECT as it is a required part of HTML5
        https://bugs.webkit.org/show_bug.cgi?id=68018

        Reviewed by Ryosuke Niwa.

        * Configurations/FeatureDefines.xcconfig:

2011-09-13  Sam Weinig

        Object.getPrototypeOf should use JSValue::get()
        https://bugs.webkit.org/show_bug.cgi?id=67973

        Reviewed by Darin Adler.

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetPrototypeOf):
        Pipe through JSValue::get() to allow overrides.

2011-09-12  Filip Pizlo

        JavaScriptCore does not have baseline->speculative OSR
        https://bugs.webkit.org/show_bug.cgi?id=67920

        Reviewed by Oliver Hunt.

        This adds the ability to on-stack-replace (OSR) from code that is
        running hot in the old JIT to code compiled by the new JIT. This
        ensures that long-running loops benefit from DFG optimization. It
        also ensures that if code experiences a speculation failure in DFG
        code, it has an opportunity to reenter the DFG once every 1,000 loop
        iterations or so.

        This results in a 2.88x speed-up on Kraken/imaging-desaturate, and is
        a pure win on the main three benchmark suites (SunSpider, V8, Kraken),
        when tiered compilation is enabled.
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::CodeBlock):
        (JSC::ProgramCodeBlock::compileOptimized):
        (JSC::EvalCodeBlock::compileOptimized):
        (JSC::FunctionCodeBlock::compileOptimized):
        * bytecode/CodeBlock.h:
        * bytecode/Opcode.h:
        * bytecode/PredictedType.h: Added.
        (JSC::isCellPrediction):
        (JSC::isArrayPrediction):
        (JSC::isInt32Prediction):
        (JSC::isDoublePrediction):
        (JSC::isNumberPrediction):
        (JSC::isBooleanPrediction):
        (JSC::isStrongPrediction):
        (JSC::predictionToString):
        (JSC::mergePredictions):
        (JSC::mergePrediction):
        (JSC::makePrediction):
        * bytecode/PredictionTracker.h: Added.
        (JSC::operandIsArgument):
        (JSC::PredictionSlot::PredictionSlot):
        (JSC::PredictionTracker::PredictionTracker):
        (JSC::PredictionTracker::initializeSimilarTo):
        (JSC::PredictionTracker::copyLocalsFrom):
        (JSC::PredictionTracker::numberOfArguments):
        (JSC::PredictionTracker::numberOfVariables):
        (JSC::PredictionTracker::argumentIndexForOperand):
        (JSC::PredictionTracker::predictArgument):
        (JSC::PredictionTracker::predict):
        (JSC::PredictionTracker::predictGlobalVar):
        (JSC::PredictionTracker::getArgumentPrediction):
        (JSC::PredictionTracker::getPrediction):
        (JSC::PredictionTracker::getGlobalVarPrediction):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitLoopHint):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::DoWhileNode::emitBytecode):
        (JSC::WhileNode::emitBytecode):
        (JSC::ForNode::emitBytecode):
        (JSC::ForInNode::emitBytecode):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::BasicBlock::BasicBlock):
        (JSC::DFG::Graph::predict):
        (JSC::DFG::Graph::getPrediction):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileBody):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::noticeOSREntry):
        * dfg/DFGNode.h:
        * dfg/DFGOSREntry.cpp: Added.
        (JSC::DFG::predictionIsValid):
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSREntry.h: Added.
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGPredictionTracker.h: Removed.
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::mergeUse):
        (JSC::DFG::Propagator::mergePrediction):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/CompactJITCodeMap.h:
        (JSC::CompactJITCodeMap::numberOfEntries):
        (JSC::CompactJITCodeMap::decode):
        (JSC::CompactJITCodeMap::Decoder::Decoder):
        (JSC::CompactJITCodeMap::Decoder::numberOfEntriesRemaining):
        (JSC::CompactJITCodeMap::Decoder::read):
        * jit/JIT.cpp:
        (JSC::JIT::emitOptimizationCheck):
        (JSC::JIT::emitTimeoutCheck):
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        (JSC::JIT::emit_op_loop_hint):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):

2011-09-12  Sam Weinig

        Don't allow setting __proto__ to be a getter or setter
        https://bugs.webkit.org/show_bug.cgi?id=67982

        Reviewed by Gavin Barraclough.

        * runtime/JSObject.cpp:
        (JSC::JSObject::defineGetter):
        (JSC::JSObject::defineSetter):
        Disallow setting a getter or setter on __proto__.

2011-09-12  James Robinson

        Unreviewed build fix for chromium.

        Guard access to UString::latin1() with USE(JSC) since it is defined in
        JavaScriptCore/runtime/UString.cpp, which is currently only compiled
        in by ports that use JavaScriptCore. This code is currently
        unreachable in builds so no change in functionality.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::CharAccess::CharAccess):

2011-09-09  Filip Pizlo

        JavaScriptCore does not have speculative->baseline OSR
        https://bugs.webkit.org/show_bug.cgi?id=67826

        Reviewed by Oliver Hunt.
        This adds the ability to bail out of DFG speculative JIT execution by
        performing an on-stack replacement (OSR) that results in the control
        flow going to the equivalent code generated by the old JIT.

        This required a number of new features, as well as taking advantage
        of some features that happened to already be present:

        We already had a policy of storing the bytecode index for which a DFG
        node was generated inside the DFG::Node class. This was previously
        called exceptionInfo. It's now renamed to codeOrigin to reflect that
        it's used for more than just exceptions. OSR uses this to figure out
        which bytecode index to use to look up the machine code location in
        the code generated by the old JIT that we should be jumping to.

        CodeBlock now stores a mapping between bytecode indices and machine
        code offsets for code generated by the old JIT. This is implemented
        by CompactJITCodeMap, which tries to compress this data a bit. The
        OSR compiler decodes this and uses it to find the machine code
        locations it should be jumping to.

        We already had a mechanism that emitted SetLocal nodes in the DFG
        graph that told us the time at which the old JIT would have stored
        something into its register file, and the DFG::Node that corresponds
        to the value that it would have stored. These SetLocal's were mostly
        dead-code-eliminated, but our DCE leaves the nodes intact except for
        making them have 0 as the ref count. This allows the OSR compiler to
        construct a mapping between the state as it would have been seen by
        the old JIT and the state as the DFG JIT sees it. The OSR compiler
        uses this to generate code that reshapes the call frame so that it is
        like what the old JIT would expect.

        Finally, when DFG_OSR is enabled (the default for TIERED_COMPILATION)
        we no longer emit the non-speculative path.
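The bytecode-index-to-machine-code-offset table described above is the piece of the OSR exit path where a decoding mistake turns into a jump to the wrong address, so here is an added illustration of that kind of side table. This is editor-written example code, not WebKit's CompactJITCodeMap; the delta-plus-varint layout, the class name CompactCodeMap and the helpers fromBytes and machineCodeOffsetFor are assumptions chosen to show the idea (the entry only says the real class "tries to compress this data a bit"). The decoder refuses truncated or over-long input rather than returning a partially decoded offset.

```cpp
// Added illustration, not WebKit's CompactJITCodeMap: a table of
// (bytecodeIndex, machineCodeOffset) pairs stored as delta-encoded varints,
// the kind of side table an OSR exit consults to translate the bytecode index
// recorded in a DFG node's codeOrigin into a baseline-JIT machine code offset.
#include <cstddef>
#include <cstdint>
#include <optional>
#include <utility>
#include <vector>

struct BytecodeAndMachineOffset {
    uint32_t bytecodeIndex;
    uint32_t machineCodeOffset;
};

// Append one value as a little-endian base-128 varint (7 payload bits per byte).
static void encodeNumber(std::vector<uint8_t>& out, uint32_t value) {
    while (value >= 0x80) {
        out.push_back(static_cast<uint8_t>(value | 0x80));
        value >>= 7;
    }
    out.push_back(static_cast<uint8_t>(value));
}

// Read one varint at `pos`; nullopt on truncated or over-long input.
static std::optional<uint32_t> decodeNumber(const std::vector<uint8_t>& in, size_t& pos) {
    uint32_t result = 0;
    for (unsigned shift = 0; shift < 32; shift += 7) {
        if (pos >= in.size())
            return std::nullopt;
        uint8_t byte = in[pos++];
        result |= static_cast<uint32_t>(byte & 0x7f) << shift;
        if (!(byte & 0x80))
            return result;
    }
    return std::nullopt; // a 32-bit value never needs more than five bytes
}

class CompactCodeMap {
public:
    CompactCodeMap() = default;

    // Wrap an already-encoded blob (hypothetical: e.g. one read back from a
    // CodeBlock) so it can be decoded and validated.
    static CompactCodeMap fromBytes(std::vector<uint8_t> bytes, size_t count) {
        CompactCodeMap map;
        map.m_bytes = std::move(bytes);
        map.m_count = count;
        return map;
    }

    // Entries must arrive with strictly increasing bytecode indices and
    // non-decreasing machine offsets, which is what one linear baseline-JIT
    // pass produces; anything else would make the deltas wrap, so reject it.
    bool append(uint32_t bytecodeIndex, uint32_t machineCodeOffset) {
        if (m_count && (bytecodeIndex <= m_lastBytecode || machineCodeOffset < m_lastOffset))
            return false;
        encodeNumber(m_bytes, bytecodeIndex - m_lastBytecode);
        encodeNumber(m_bytes, machineCodeOffset - m_lastOffset);
        m_lastBytecode = bytecodeIndex;
        m_lastOffset = machineCodeOffset;
        ++m_count;
        return true;
    }

    size_t numberOfEntries() const { return m_count; }
    size_t encodedSize() const { return m_bytes.size(); }

    // Decode every entry. An empty result signals malformed or truncated
    // data, so a caller never jumps to an offset recovered from a damaged table.
    std::vector<BytecodeAndMachineOffset> decode() const {
        std::vector<BytecodeAndMachineOffset> out;
        size_t pos = 0;
        uint32_t bytecode = 0;
        uint32_t offset = 0;
        for (size_t i = 0; i < m_count; ++i) {
            std::optional<uint32_t> dBytecode = decodeNumber(m_bytes, pos);
            std::optional<uint32_t> dOffset = decodeNumber(m_bytes, pos);
            if (!dBytecode || !dOffset)
                return {};
            bytecode += *dBytecode;
            offset += *dOffset;
            out.push_back({bytecode, offset});
        }
        return out;
    }

    // Machine code offset recorded for exactly this bytecode index, if any.
    std::optional<uint32_t> machineCodeOffsetFor(uint32_t bytecodeIndex) const {
        for (const BytecodeAndMachineOffset& entry : decode()) {
            if (entry.bytecodeIndex == bytecodeIndex)
                return entry.machineCodeOffset;
        }
        return std::nullopt;
    }

private:
    std::vector<uint8_t> m_bytes;
    uint32_t m_lastBytecode = 0;
    uint32_t m_lastOffset = 0;
    size_t m_count = 0;
};
```

With four constructed entries (0,0), (3,12), (7,40), (12,300) the table occupies 9 bytes instead of 32, `machineCodeOffsetFor(7)` yields 40, an out-of-order `append` is refused, and a blob consisting of a lone continuation byte decodes to nothing rather than to a bogus offset.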
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::currentCodeOrigin):
        (JSC::DFG::ByteCodeParser::addToGraph):
        * dfg/DFGGPRInfo.h:
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::alive):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::appendCallWithExceptionCheck):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::compileBody):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::CallRecord::CallRecord):
        (JSC::DFG::JITCompiler::notifyCall):
        (JSC::DFG::JITCompiler::appendCallWithExceptionCheck):
        (JSC::DFG::JITCompiler::appendCallWithFastExceptionCheck):
        (JSC::DFG::JITCompiler::addJSCall):
        (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
        * dfg/DFGNode.h:
        (JSC::DFG::CodeOrigin::CodeOrigin):
        (JSC::DFG::CodeOrigin::isSet):
        (JSC::DFG::CodeOrigin::bytecodeIndex):
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::child1Unchecked):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::ValueSource::dump):
        (JSC::DFG::ValueRecovery::dump):
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::ValueSource::ValueSource):
        (JSC::DFG::ValueSource::isSet):
        (JSC::DFG::ValueSource::nodeIndex):
        (JSC::DFG::ValueRecovery::ValueRecovery):
        (JSC::DFG::ValueRecovery::alreadyInRegisterFile):
        (JSC::DFG::ValueRecovery::inGPR):
        (JSC::DFG::ValueRecovery::inFPR):
        (JSC::DFG::ValueRecovery::displacedInRegisterFile):
        (JSC::DFG::ValueRecovery::constant):
        (JSC::DFG::ValueRecovery::technique):
        (JSC::DFG::ValueRecovery::gpr):
        (JSC::DFG::ValueRecovery::fpr):
        (JSC::DFG::ValueRecovery::virtualRegister):
        (JSC::DFG::OSRExit::numberOfRecoveries):
        (JSC::DFG::OSRExit::valueRecovery):
        (JSC::DFG::OSRExit::isArgument):
        (JSC::DFG::OSRExit::argumentForIndex):
        (JSC::DFG::OSRExit::variableForIndex):
        (JSC::DFG::OSRExit::operandForIndex):
        (JSC::DFG::SpeculativeJIT::osrExits):
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::valueSourceForOperand):
        (JSC::DFG::SpeculativeJIT::setNodeIndexForOperand):
        (JSC::DFG::SpeculativeJIT::valueSourceReferenceForOperand):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        (JSC::DFG::SpeculationCheckIndexIterator::SpeculationCheckIndexIterator):
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        * jit/CompactJITCodeMap.h: Added.
        (JSC::BytecodeAndMachineOffset::BytecodeAndMachineOffset):
        (JSC::BytecodeAndMachineOffset::getBytecodeIndex):
        (JSC::BytecodeAndMachineOffset::getMachineCodeOffset):
        (JSC::CompactJITCodeMap::~CompactJITCodeMap):
        (JSC::CompactJITCodeMap::decode):
        (JSC::CompactJITCodeMap::CompactJITCodeMap):
        (JSC::CompactJITCodeMap::at):
        (JSC::CompactJITCodeMap::decodeNumber):
        (JSC::CompactJITCodeMap::Encoder::Encoder):
        (JSC::CompactJITCodeMap::Encoder::~Encoder):
        (JSC::CompactJITCodeMap::Encoder::append):
        (JSC::CompactJITCodeMap::Encoder::finish):
        (JSC::CompactJITCodeMap::Encoder::appendByte):
        (JSC::CompactJITCodeMap::Encoder::encodeNumber):
        (JSC::CompactJITCodeMap::Encoder::ensureCapacityFor):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSC::JSGlobalData::osrScratchBufferForSize):
        * runtime/JSValue.cpp:
        (JSC::JSValue::description):

2011-09-12  Geoffrey Garen

        Re-enabled ENABLE(LAZY_BLOCK_FREEING).

        Reviewed by Stephanie Lewis.

        I accidentally disabled this in r94890, causing a big performance
        regression.
        * wtf/Platform.h:

2011-09-12  Michael Saboff

        Broken Build for ARM - lshift32() needs TrustedImm32 arg
        https://bugs.webkit.org/show_bug.cgi?id=67965

        Change lshift32(16, ARMRegisters::S1); to
        lshift32(TrustedImm32(16), ARMRegisters::S1);

        Reviewed by Anders Carlsson.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branch16):

2011-09-12  Michael Saboff

        Broken ARM build - missing semicolon in JavaScriptCore/assembler/MacroAssemblerARM.h
        https://bugs.webkit.org/show_bug.cgi?id=67961

        Added missing semicolon.

        Reviewed by Ryosuke Niwa.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branch16):

2011-09-12  Michael Saboff

        Update RegExp and related classes to use 8 bit strings when available
        https://bugs.webkit.org/show_bug.cgi?id=67337

        Modified both the Yarr interpreter and JIT to handle 8 bit subject
        strings. The code paths are triggered by the UString::is8bit() method
        which currently returns false. Implemented JIT changes for all
        current architectures. Tested X86_64 and ARM v7.

        This includes some code that will likely change as we complete the
        8 bit string changes. This includes the way the raw buffer pointers
        are accessed as well as replacing the CharAccess class with a string
        iterator returned from UString.

        Fixed build breakage in testRegExp.cpp due to globalObject
        construction changes.

        Reviewed by Gavin Barraclough.
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * testRegExp.cpp:
        (GlobalObject::finishCreation):
        (GlobalObject::GlobalObject):
        * assembler/ARMAssembler.cpp:
        (JSC::ARMAssembler::baseIndexTransfer32):
        * assembler/ARMAssembler.h:
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::ubfx):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp12Reg40Imm3Reg4Imm20Imm5):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::load8):
        (JSC::MacroAssemblerARM::branch8):
        (JSC::MacroAssemblerARM::branch16):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::load8):
        (JSC::MacroAssemblerARMv7::branch16):
        (JSC::MacroAssemblerARMv7::branch8):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::load8):
        (JSC::MacroAssemblerMIPS::branch8):
        (JSC::MacroAssemblerMIPS::branch16):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::load8):
        (JSC::MacroAssemblerSH4::branch8):
        (JSC::MacroAssemblerSH4::branch16):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::load8):
        (JSC::MacroAssemblerX86Common::branch16):
        (JSC::MacroAssemblerX86Common::branch8):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::extub):
        (JSC::SH4Assembler::printInstr):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::cmpw_ir):
        (JSC::X86Assembler::movzbl_mr):
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileIfNecessary):
        (JSC::RegExp::match):
        (JSC::RegExp::matchCompareWithInterpreter):
        * runtime/RegExp.h:
        * runtime/UString.h:
        (JSC::UString::is8Bit):
        * yarr/Yarr.h:
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::CharAccess::CharAccess):
        (JSC::Yarr::Interpreter::CharAccess::~CharAccess):
        (JSC::Yarr::Interpreter::CharAccess::operator[]):
        (JSC::Yarr::Interpreter::InputStream::InputStream):
        (JSC::Yarr::Interpreter::Interpreter):
        (JSC::Yarr::interpret):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::jumpIfCharNotEquals):
        (JSC::Yarr::YarrGenerator::readCharacter):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy):
        (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy):
        (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
        (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
        (JSC::Yarr::YarrGenerator::YarrGenerator):
        (JSC::Yarr::YarrGenerator::compile):
        (JSC::Yarr::jitCompile):
        (JSC::Yarr::execute):
        * yarr/YarrJIT.h:
        (JSC::Yarr::YarrCodeBlock::has8BitCode):
        (JSC::Yarr::YarrCodeBlock::has16BitCode):
        (JSC::Yarr::YarrCodeBlock::set8BitCode):
        (JSC::Yarr::YarrCodeBlock::set16BitCode):
        (JSC::Yarr::YarrCodeBlock::execute):
        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::Parser):

2011-09-12  Andras Becsi

        [Qt] Build fails after r94920 with strict compiler
        https://bugs.webkit.org/show_bug.cgi?id=67928

        Reviewed by Csaba Osztrogonác.

        * wtf/RedBlackTree.h:
        (WTF::RedBlackTree::insert): Remove dead variables updateStart and newSubTreeRoot.

2011-09-12  Patrick Gansterer

        Unreviewed build fix after r94871.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * wtf/FastMalloc.cpp:
        * wtf/RefCountedLeakCounter.h:

2011-09-11  Filip Pizlo

        DFGNode.h has macros that indicate the enabling of a feature, but they do not use the ENABLE() idiom.
        https://bugs.webkit.org/show_bug.cgi?id=67907

        Reviewed by Oliver Hunt.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::stronglyPredict):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGJITCodeGenerator.cpp:
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::fillInt32ToInteger):
        (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):
        (JSC::DFG::JITCompiler::compileBody):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::fixpoint):
        (JSC::DFG::Propagator::propagateNode):
        (JSC::DFG::Propagator::propagateForward):
        (JSC::DFG::Propagator::propagateBackward):
        (JSC::DFG::propagate):
        * dfg/DFGScoreBoard.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):

2011-09-11  Fumitoshi Ukai

        Unreviewed build fix for chromium/mac & clang.

        Fix the macro redefinition error by r94927, because chromium set
        ENABLE_JSC_MULTIPLE_THREADS=0 in WebKit/chromium/features.gypi and it
        is not PLATFORM(QT).

        ../../JavaScriptCore/wtf/Platform.h:512:9: error: 'ENABLE_JSC_MULTIPLE_THREADS' macro redefined [-Werror]
        #define ENABLE_JSC_MULTIPLE_THREADS 1
        :43:9: note: previous definition is here
        #define ENABLE_JSC_MULTIPLE_THREADS 0
        1 error generated.

        * wtf/Platform.h:

2011-09-11  Sam Weinig

        Remove JSCell::isPropertyNameIterator(), it is unused
        https://bugs.webkit.org/show_bug.cgi?id=67911

        Reviewed by Oliver Hunt.

        * runtime/JSCell.h:
        * runtime/JSPropertyNameIterator.h:

2011-09-11  Sam Weinig

        De-virtualize JSCell::isAPIValueWrapper
        https://bugs.webkit.org/show_bug.cgi?id=67909

        Reviewed by Oliver Hunt.

        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure): Set the correct type on structure creation.
        * runtime/JSCell.h: Remove virtual keyword and default implementation.
        * runtime/JSType.h: Add type for APIValueWrapper. It must come after CompoundType since the APIValueWrapper has children in need of marking.
        * runtime/Structure.h:
        (JSC::JSCell::isAPIValueWrapper): Implement predicate using type info.

2011-09-10  Sam Weinig

        De-virtualize JSCell::isGetterSetter, type information is available for it
        https://bugs.webkit.org/show_bug.cgi?id=67902

        Reviewed by Dan Bernstein.

        * runtime/GetterSetter.cpp:
        * runtime/GetterSetter.h: Remove override of isGetterSetter.
        * runtime/JSCell.cpp:
        * runtime/JSCell.h: De-virtualize and remove silly base implementation.
        * runtime/Structure.h:
        (JSC::JSCell::isGetterSetter): Use type info to determine getter-setter-hood.

2011-09-09  Oliver Hunt

        Remove support for anonymous storage from jsobjects
        https://bugs.webkit.org/show_bug.cgi?id=67881

        Reviewed by Sam Weinig.

        Remove all use of anonymous slots, essentially a mechanical change
        in JavaScriptCore

        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::createStructure):
        * API/JSCallbackFunction.h:
        (JSC::JSCallbackFunction::createStructure):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::createStructure):
        * JavaScriptCore.exp:
        * debugger/DebuggerActivation.h:
        (JSC::DebuggerActivation::createStructure):
        * heap/MarkStack.cpp:
        (JSC::MarkStack::validateValue):
        * heap/MarkStack.h:
        * runtime/Arguments.h:
        (JSC::Arguments::createStructure):
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::createStructure):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::createStructure):
        * runtime/BooleanObject.h:
        (JSC::BooleanObject::createStructure):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::BooleanPrototype):
        * runtime/BooleanPrototype.h:
        (JSC::BooleanPrototype::createStructure):
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::createStructure):
        * runtime/DateInstance.h:
        (JSC::DateInstance::createStructure):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::DatePrototype):
        * runtime/DatePrototype.h:
        (JSC::DatePrototype::createStructure):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::createStructure):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::finishCreation):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::createStructure):
        * runtime/ExceptionHelpers.h:
        (JSC::InterruptedExecutionError::createStructure):
        (JSC::TerminatedExecutionError::createStructure):
        * runtime/Executable.h:
        (JSC::ExecutableBase::createStructure):
        (JSC::NativeExecutable::createStructure):
        (JSC::EvalExecutable::createStructure):
        (JSC::ProgramExecutable::createStructure):
        (JSC::FunctionExecutable::createStructure):
        * runtime/FunctionPrototype.h:
        (JSC::FunctionPrototype::createStructure):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::createStructure):
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::createStructure):
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure):
        * runtime/JSActivation.h:
        (JSC::JSActivation::createStructure):
        * runtime/JSArray.h:
        (JSC::JSArray::createStructure):
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::createStructure):
        * runtime/JSCell.h:
        * runtime/JSFunction.h:
        (JSC::JSFunction::createStructure):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::finishCreation):
        (JSC::JSGlobalObject::createStructure):
        * runtime/JSNotAnObject.h:
        (JSC::JSNotAnObject::createStructure):
        * runtime/JSONObject.h:
        (JSC::JSONObject::createStructure):
        * runtime/JSObject.h:
        (JSC::JSObject::createStructure):
        (JSC::JSNonFinalObject::createStructure):
        (JSC::JSFinalObject::createStructure):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::create):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::createStructure):
        * runtime/JSStaticScopeObject.h:
        (JSC::JSStaticScopeObject::createStructure):
        * runtime/JSString.h:
        (JSC::RopeBuilder::createStructure):
        * runtime/JSVariableObject.h:
        (JSC::JSVariableObject::createStructure):
        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::createStructure):
        * runtime/MathObject.h:
        (JSC::MathObject::createStructure):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::createStructure):
        * runtime/NumberConstructor.h:
        (JSC::NumberConstructor::createStructure):
        * runtime/NumberObject.h:
        (JSC::NumberObject::createStructure):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::NumberPrototype):
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::createStructure):
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::createStructure):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::finishCreation):
        * runtime/ObjectPrototype.h:
        (JSC::ObjectPrototype::createStructure):
        * runtime/RegExp.h:
        (JSC::RegExp::createStructure):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::createStructure):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::createStructure):
        * runtime/RegExpPrototype.h:
        (JSC::RegExpPrototype::createStructure):
        * runtime/ScopeChain.h:
        (JSC::ScopeChainNode::createStructure):
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::createStructure):
        * runtime/StringConstructor.h:
        (JSC::StringConstructor::createStructure):
        * runtime/StringObject.h:
        (JSC::StringObject::createStructure):
        * runtime/StringObjectThatMasqueradesAsUndefined.h:
        (JSC::StringObjectThatMasqueradesAsUndefined::createStructure):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::StringPrototype):
        * runtime/StringPrototype.h:
        (JSC::StringPrototype::createStructure):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::addPropertyTransitionToExistingStructure):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::removePropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::getterSetterTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::removePropertyWithoutTransition):
        (JSC::Structure::get):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::remove):
        (JSC::Structure::checkConsistency):
        * runtime/Structure.h:
        (JSC::Structure::create):
        (JSC::Structure::propertyStorageSize):
        (JSC::Structure::get):
        * runtime/StructureChain.h:
        (JSC::StructureChain::createStructure):

2011-09-11  Jarred Nicholls

        [Qt] Win32 build broken due to MachineStackMarker.cpp/.o failing to link against pthreads library
        https://bugs.webkit.org/show_bug.cgi?id=67864

        Qt Win32 is not pthread compatible and cannot participate in
        multithreaded JSC or it fails to build.

        Reviewed by Csaba Osztrogonác.

        * wtf/Platform.h:

2011-09-11  Filip Pizlo

        ARM and MIPS assemblers still refer to executable pools.
        https://bugs.webkit.org/show_bug.cgi?id=67903

        Reviewed by Csaba Osztrogonác.

        * assembler/ARMAssembler.cpp:
        (JSC::ARMAssembler::executableCopy):
        * assembler/ARMAssembler.h:
        * assembler/AssemblerBufferWithConstantPool.h:
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::executableCopy):

2011-09-08  Filip Pizlo

        The executable allocator makes it difficult to free individual chunks of executable memory
        https://bugs.webkit.org/show_bug.cgi?id=66363

        Reviewed by Oliver Hunt.

        Introduced a best-fit, balanced-tree based allocator. The allocator
        required a balanced tree that does not allocate memory and that
        permits the removal of individual nodes directly (as opposed to by
        key); neither AVLTree nor WebCore's PODRedBlackTree supported this.

        Changed all references to executable code to use a reference counted
        handle.
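The best-fit scheme this entry describes, as an added illustration that is editor-written example code and not WebKit's MetaAllocator: one reserved range, a free-space index searched for the least node that still fits (the role the entry gives the balanced tree's findLeastGreaterThanOrEqual), splitting of oversized nodes, and coalescing of freed chunks with their free neighbours. The size-ordered std::set here is an assumed stand-in for the page's tree (the real one is intrusive and allocates nothing of its own, which this one does not reproduce), and the class name BestFitAllocator and its methods are hypothetical. A released range is looked up in a table of live allocations first, so a double release or a bogus start is rejected instead of corrupting the free index.

```cpp
// Added illustration, not WebKit's MetaAllocator: a best-fit allocator over
// one reserved range that can free individual chunks and coalesce them.
// The size-ordered std::set stands in for the page's balanced tree (the real
// one is an intrusive red-black tree that allocates no memory of its own).
#include <cstddef>
#include <iterator>
#include <map>
#include <optional>
#include <set>
#include <utility>

class BestFitAllocator {
public:
    explicit BestFitAllocator(size_t reservedBytes) { addFreeSpace(0, reservedBytes); }

    // Best fit: the smallest free node that still holds `bytes`; the remainder
    // of a larger node goes back on the free index as a new, smaller node.
    std::optional<size_t> allocate(size_t bytes) {
        if (!bytes)
            return std::nullopt;
        auto it = m_bySize.lower_bound(std::make_pair(bytes, size_t(0))); // least node with size >= bytes
        if (it == m_bySize.end())
            return std::nullopt; // pool exhausted: the caller must handle this, not assume success
        size_t size = it->first;
        size_t start = it->second;
        m_bySize.erase(it);
        m_byStart.erase(start);
        if (size > bytes)
            addFreeSpace(start + bytes, size - bytes);
        m_live[start] = bytes;
        return start;
    }

    // Return one allocation to the pool. Unknown or already-released starts are
    // rejected, so a double release cannot corrupt the free index.
    bool release(size_t start) {
        auto live = m_live.find(start);
        if (live == m_live.end())
            return false;
        size_t size = live->second;
        m_live.erase(live);
        // Merge with the free node that begins exactly where this one ends.
        auto next = m_byStart.find(start + size);
        if (next != m_byStart.end()) {
            size += next->second;
            m_bySize.erase(std::make_pair(next->second, next->first));
            m_byStart.erase(next);
        }
        // Merge with the free node that ends exactly where this one begins.
        auto after = m_byStart.lower_bound(start);
        if (after != m_byStart.begin()) {
            auto prev = std::prev(after);
            if (prev->first + prev->second == start) {
                start = prev->first;
                size += prev->second;
                m_bySize.erase(std::make_pair(prev->second, prev->first));
                m_byStart.erase(prev);
            }
        }
        addFreeSpace(start, size);
        return true;
    }

    size_t freeNodes() const { return m_byStart.size(); }
    size_t liveAllocations() const { return m_live.size(); }
    size_t freeBytes() const {
        size_t total = 0;
        for (const auto& node : m_byStart)
            total += node.second;
        return total;
    }

private:
    void addFreeSpace(size_t start, size_t size) {
        m_byStart[start] = size;
        m_bySize.insert(std::make_pair(size, start));
    }
    std::map<size_t, size_t> m_byStart;           // start -> size, for coalescing
    std::set<std::pair<size_t, size_t>> m_bySize; // (size, start), for best fit
    std::map<size_t, size_t> m_live;              // start -> size of live chunks
};
```

Starting from a constructed 1024-byte reservation, allocating 100 and 200 bytes, releasing the first and then asking for 50 returns the 100-byte hole (best fit) rather than carving the large tail; releasing the 200-byte chunk afterwards merges it with both neighbours into a single 974-byte free node.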
        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AssemblerBuffer.h:
        (JSC::AssemblerBuffer::executableCopy):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::finalizeCode):
        (JSC::LinkBuffer::linkCode):
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
        (JSC::MacroAssemblerCodeRef::createSelfManagedCodeRef):
        (JSC::MacroAssemblerCodeRef::executableMemory):
        (JSC::MacroAssemblerCodeRef::code):
        (JSC::MacroAssemblerCodeRef::size):
        (JSC::MacroAssemblerCodeRef::operator!):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::executableCopy):
        (JSC::X86Assembler::X86InstructionFormatter::executableCopy):
        * bytecode/CodeBlock.h:
        * bytecode/Instruction.h:
        * bytecode/StructureStubInfo.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::generateProtoChainAccessStub):
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDList):
        (JSC::DFG::tryBuildGetByIDProtoList):
        (JSC::DFG::tryCachePutByID):
        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::initializeAllocator):
        (JSC::ExecutableAllocator::ExecutableAllocator):
        (JSC::ExecutableAllocator::allocate):
        (JSC::ExecutableAllocator::committedByteCount):
        (JSC::ExecutableAllocator::dumpProfile):
        * jit/ExecutableAllocator.h:
        (JSC::ExecutableAllocator::dumpProfile):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::ExecutableAllocator::initializeAllocator):
        (JSC::ExecutableAllocator::ExecutableAllocator):
        (JSC::ExecutableAllocator::isValid):
        (JSC::ExecutableAllocator::underMemoryPressure):
        (JSC::ExecutableAllocator::allocate):
        (JSC::ExecutableAllocator::committedByteCount):
        (JSC::ExecutableAllocator::dumpProfile):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::JIT::compileCTIMachineTrampolines):
        (JSC::JIT::compileCTINativeCall):
        * jit/JITCode.h:
        (JSC::JITCode::operator !):
        (JSC::JITCode::addressForCall):
        (JSC::JITCode::offsetOf):
        (JSC::JITCode::execute):
        (JSC::JITCode::start):
        (JSC::JITCode::size):
        (JSC::JITCode::getExecutableMemory):
        (JSC::JITCode::HostFunction):
        (JSC::JITCode::JITCode):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::JITThunks):
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::getPolymorphicAccessStructureListSlot):
        (JSC::JITThunks::ctiStub):
        (JSC::JITThunks::hostFunctionStub):
        * jit/JITStubs.h:
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
        (JSC::SpecializedThunkJIT::finalize):
        * jit/ThunkGenerators.cpp:
        (JSC::charCodeAtThunkGenerator):
        (JSC::charAtThunkGenerator):
        (JSC::fromCharCodeThunkGenerator):
        (JSC::sqrtThunkGenerator):
        (JSC::floorThunkGenerator):
        (JSC::ceilThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::expThunkGenerator):
        (JSC::logThunkGenerator):
        (JSC::absThunkGenerator):
        (JSC::powThunkGenerator):
        * jit/ThunkGenerators.h:
        * runtime/Executable.h:
        (JSC::NativeExecutable::create):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::dumpSampleData):
        * runtime/JSGlobalData.h:
        (JSC::JSGlobalData::getCTIStub):
        * wtf/CMakeLists.txt:
        * wtf/MetaAllocator.cpp: Added.
        (WTF::MetaAllocatorHandle::MetaAllocatorHandle):
        (WTF::MetaAllocatorHandle::~MetaAllocatorHandle):
        (WTF::MetaAllocatorHandle::shrink):
        (WTF::MetaAllocator::MetaAllocator):
        (WTF::MetaAllocator::allocate):
        (WTF::MetaAllocator::currentStatistics):
        (WTF::MetaAllocator::findAndRemoveFreeSpace):
        (WTF::MetaAllocator::addFreeSpaceFromReleasedHandle):
        (WTF::MetaAllocator::addFreshFreeSpace):
        (WTF::MetaAllocator::debugFreeSpaceSize):
        (WTF::MetaAllocator::addFreeSpace):
        (WTF::MetaAllocator::incrementPageOccupancy):
        (WTF::MetaAllocator::decrementPageOccupancy):
        (WTF::MetaAllocator::roundUp):
        (WTF::MetaAllocator::allocFreeSpaceNode):
        (WTF::MetaAllocator::freeFreeSpaceNode):
        (WTF::MetaAllocator::dumpProfile):
        * wtf/MetaAllocator.h: Added.
        (WTF::MetaAllocator::bytesAllocated):
        (WTF::MetaAllocator::bytesReserved):
        (WTF::MetaAllocator::bytesCommitted):
        (WTF::MetaAllocator::dumpProfile):
        (WTF::MetaAllocator::~MetaAllocator):
        * wtf/MetaAllocatorHandle.h: Added.
        * wtf/RedBlackTree.h: Added.
        (WTF::RedBlackTree::Node::Node):
        (WTF::RedBlackTree::Node::successor):
        (WTF::RedBlackTree::Node::predecessor):
        (WTF::RedBlackTree::Node::reset):
        (WTF::RedBlackTree::Node::parent):
        (WTF::RedBlackTree::Node::setParent):
        (WTF::RedBlackTree::Node::left):
        (WTF::RedBlackTree::Node::setLeft):
        (WTF::RedBlackTree::Node::right):
        (WTF::RedBlackTree::Node::setRight):
        (WTF::RedBlackTree::Node::color):
        (WTF::RedBlackTree::Node::setColor):
        (WTF::RedBlackTree::RedBlackTree):
        (WTF::RedBlackTree::insert):
        (WTF::RedBlackTree::remove):
        (WTF::RedBlackTree::findExact):
        (WTF::RedBlackTree::findLeastGreaterThanOrEqual):
        (WTF::RedBlackTree::findGreatestLessThanOrEqual):
        (WTF::RedBlackTree::first):
        (WTF::RedBlackTree::last):
        (WTF::RedBlackTree::size):
        (WTF::RedBlackTree::isEmpty):
        (WTF::RedBlackTree::treeMinimum):
        (WTF::RedBlackTree::treeMaximum):
        (WTF::RedBlackTree::treeInsert):
        (WTF::RedBlackTree::leftRotate):
        (WTF::RedBlackTree::rightRotate):
        (WTF::RedBlackTree::removeFixup):
        * wtf/wtf.pri:
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::compile):
        * yarr/YarrJIT.h:
        (JSC::Yarr::YarrCodeBlock::execute):
        (JSC::Yarr::YarrCodeBlock::getAddr):

2011-09-10  Sam Weinig

        Remove JSC::isZombie() function, it did nothing and was called by no-one.
        https://bugs.webkit.org/show_bug.cgi?id=67901

        Reviewed by Andy Estes.

        * JavaScriptCore.exp:
        * runtime/JSCell.cpp:
        * runtime/JSValue.h:

2011-09-10  Sam Weinig

        Add isInterruptedExecutionException and isTerminatedExecutionException predicates
        https://bugs.webkit.org/show_bug.cgi?id=67892

        Reviewed by Andy "First Time Reviewer" Estes.

        * JavaScriptCore.exp: Add symbols.
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::throwException): Use new predicates.
        * runtime/ExceptionHelpers.cpp:
        (JSC::createInterruptedExecutionException):
        (JSC::isInterruptedExecutionException):
        (JSC::createTerminatedExecutionException):
        (JSC::isTerminatedExecutionException):
        * runtime/ExceptionHelpers.h:
        (JSC::InterruptedExecutionError::InterruptedExecutionError): Add predicates.
2011-09-10  Filip Pizlo

        DFG JIT completely undoes speculative compilation even in the case of a partial static speculation failure
        https://bugs.webkit.org/show_bug.cgi?id=67798

        Reviewed by Geoffrey Garen.

        This is a regression with static speculation, so it is turned off by default.
        But it is a necessary prerequisite for further work on dynamic speculation.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::clearGenerationInfo):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):

2011-09-09  Chris Marrin

        requestAnimationFrame doesn't throttle on Mac
        https://bugs.webkit.org/show_bug.cgi?id=67171

        Reviewed by Simon Fraser.

        Added WTF_USE_REQUEST_ANIMATION_FRAME_TIMER to allow any platform to run
        requestAnimationFrame callbacks on a Timer defined in ScriptedAnimationController.
        Currently only enabled for PLATFORM(MAC)

        * wtf/Platform.h:

2011-09-09  Geoffrey Garen

        Reviewed by Dan Bernstein.

        Removed ENABLE(SINGLE_THREADED) support, since it is always false
        https://bugs.webkit.org/show_bug.cgi?id=67862

        Next step toward making the baseline platform assumption that threads exist.

        * wtf/wtf.pri:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj: Removed references to ThreadingNone.cpp,
        which was only compiled in single-threaded mode.
        * wtf/Platform.h:
        * wtf/ThreadSpecific.h:
        (WTF::::destroy):
        * wtf/qt/ThreadingQt.cpp: Removed now-dead code.
        * wtf/ThreadingNone.cpp: Removed.

2011-09-09  Mark Hahnenberg

        Unzip initialization lists and constructors in JSCell hierarchy (5/7)
        https://bugs.webkit.org/show_bug.cgi?id=67420

        Reviewed by Geoffrey Garen.

        Completed the fifth level of the refactoring to add finishCreation()
        methods to all classes within the JSCell hierarchy with non-trivial
        constructor bodies.
        This primarily consists of pushing the calls to finishCreation() down into
        the constructors of the subclasses of the second level of the hierarchy as
        well as pulling the finishCreation() calls out into the class's corresponding
        create() method if it has one. Doing both simultaneously allows us to
        maintain the invariant that the finishCreation() method chain is called
        exactly once during the creation of an object, since calling it any other
        number of times (0, 2, or more) will cause an assertion failure.

        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::JSCallbackConstructor):
        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::create):
        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::JSCallbackFunction):
        (JSC::JSCallbackFunction::finishCreation):
        * API/JSCallbackFunction.h:
        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::JSCallbackObject):
        (JSC::::finishCreation):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        * debugger/DebuggerActivation.h:
        (JSC::DebuggerActivation::create):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (GlobalObject::GlobalObject):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::ArrayConstructor):
        (JSC::ArrayConstructor::finishCreation):
        * runtime/ArrayConstructor.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::ArrayPrototype):
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::create):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::BooleanConstructor):
        (JSC::BooleanConstructor::finishCreation):
        * runtime/BooleanConstructor.h:
        * runtime/BooleanObject.cpp:
        (JSC::BooleanObject::BooleanObject):
        * runtime/BooleanObject.h:
        (JSC::BooleanObject::create):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::BooleanPrototype):
        (JSC::BooleanPrototype::finishCreation):
        * runtime/BooleanPrototype.h:
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::DateConstructor):
        (JSC::DateConstructor::finishCreation):
        * runtime/DateConstructor.h:
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::DateInstance):
        * runtime/DateInstance.h:
        (JSC::DateInstance::create):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::DatePrototype):
        (JSC::DatePrototype::finishCreation):
        * runtime/DatePrototype.h:
        * runtime/Error.cpp:
        (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::ErrorConstructor):
        (JSC::ErrorConstructor::finishCreation):
        * runtime/ErrorConstructor.h:
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::ErrorPrototype):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::create):
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::FunctionConstructor):
        (JSC::FunctionConstructor::finishCreation):
        * runtime/FunctionConstructor.h:
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::FunctionPrototype):
        (JSC::FunctionPrototype::finishCreation):
        * runtime/FunctionPrototype.h:
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::InternalFunction):
        * runtime/InternalFunction.h:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::JSActivation):
        * runtime/JSActivation.h:
        (JSC::JSActivation::create):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::create):
        (JSC::JSGlobalObject::JSGlobalObject):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::JSONObject):
        * runtime/JSONObject.h:
        (JSC::JSONObject::create):
        * runtime/JSStaticScopeObject.h:
        (JSC::JSStaticScopeObject::create):
        (JSC::JSStaticScopeObject::JSStaticScopeObject):
        * runtime/JSString.cpp:
        (JSC::StringObject::create):
        * runtime/MathObject.cpp:
        (JSC::MathObject::MathObject):
        * runtime/MathObject.h:
        (JSC::MathObject::create):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::NativeErrorConstructor):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/NativeErrorPrototype.cpp:
        (JSC::NativeErrorPrototype::NativeErrorPrototype):
        (JSC::NativeErrorPrototype::finishCreation):
        * runtime/NativeErrorPrototype.h:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::NumberConstructor):
        (JSC::NumberConstructor::finishCreation):
        * runtime/NumberConstructor.h:
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::NumberObject):
        * runtime/NumberObject.h:
        (JSC::NumberObject::create):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::NumberPrototype):
        (JSC::NumberPrototype::finishCreation):
        * runtime/NumberPrototype.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::ObjectConstructor):
        (JSC::ObjectConstructor::finishCreation):
        * runtime/ObjectConstructor.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::RegExpConstructor):
        (JSC::RegExpConstructor::finishCreation):
        (JSC::RegExpMatchesArray::RegExpMatchesArray):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::create):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::RegExpObject):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::create):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::RegExpPrototype):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::StringConstructor):
        (JSC::StringConstructor::finishCreation):
        * runtime/StringConstructor.h:
        * runtime/StringObject.cpp:
        (JSC::StringObject::StringObject):
        * runtime/StringObject.h:
        (JSC::StringObject::create):
        * runtime/StringObjectThatMasqueradesAsUndefined.h:
        (JSC::StringObjectThatMasqueradesAsUndefined::StringObjectThatMasqueradesAsUndefined):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::StringPrototype):
        (JSC::StringPrototype::finishCreation):
        * runtime/StringPrototype.h:

2011-09-09  Geoffrey Garen

        Build fix: Guard against double-#define for something already #defined
        by the build system.

        * wtf/Platform.h:

2011-09-09  Geoffrey Garen

        Reviewed by Dan Bernstein.
        Never #define ENABLE_SINGLE_THREADED, !ENABLE_JSC_MULTIPLE_THREADS, or !ENABLE_WTF_MULTIPLE_THREADS
        https://bugs.webkit.org/show_bug.cgi?id=67860

        First step toward making the baseline platform assumption that threads exist:
        Never #define ENABLE_SINGLE_THREADED, !ENABLE_JSC_MULTIPLE_THREADS, or !ENABLE_WTF_MULTIPLE_THREADS.

        * wtf/Platform.h:

2011-09-09  Laszlo Gombos

        [Qt] Remove common.pri
        https://bugs.webkit.org/show_bug.cgi?id=67814

        Reviewed by Andreas Kling.

        * JavaScriptCore.pri:

2011-09-08  Mark Hahnenberg

        REGRESSION(r94811): Assertion failure in 2 worker tests
        https://bugs.webkit.org/show_bug.cgi?id=67829

        Reviewed by Sam Weinig.

        Fixing a couple of tests that were broken due to the wrong values being set
        in the parent class pointers in the ClassInfo structs for
        TerminatedExecutionError and InterruptedExecutionError.

        * runtime/ExceptionHelpers.cpp:

2011-09-08  Oliver Hunt

        Use bump allocator for initial property storage
        https://bugs.webkit.org/show_bug.cgi?id=67494

        Reviewed by Geoffrey Garen.

        Use a bump allocator for initial allocation of property storage, and
        promote to fastMalloc memory only if it survives a GC pass. Comes out
        as a 1% win on v8, and is a useful step on the way to GC allocation of
        all property storage.
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * heap/Heap.h:
        (JSC::Heap::allocatePropertyStorage):
        (JSC::Heap::inPropertyStorageNursery):
        * heap/MarkedBlock.h:
        * heap/NewSpace.cpp:
        (JSC::NewSpace::NewSpace):
        * heap/NewSpace.h:
        (JSC::NewSpace::resetPropertyStorageNursery):
        (JSC::NewSpace::allocatePropertyStorage):
        (JSC::NewSpace::inPropertyStorageNursery):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSObject.cpp:
        (JSC::JSObject::allocatePropertyStorage):
        * runtime/JSObject.h:
        (JSC::JSObject::isUsingInlineStorage):
        (JSC::JSObject::JSObject):
        (JSC::JSObject::propertyStorage):
        (JSC::JSObject::~JSObject):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::putDirectWithoutTransition):
        (JSC::JSObject::putDirectFunctionWithoutTransition):
        (JSC::JSObject::transitionTo):
        (JSC::JSObject::visitChildrenDirect):
        * runtime/StorageBarrier.h: Added.
        (JSC::StorageBarrier::StorageBarrier):
        (JSC::StorageBarrier::set):
        (JSC::StorageBarrier::operator->):
        (JSC::StorageBarrier::operator*):
        (JSC::StorageBarrier::operator[]):
        (JSC::StorageBarrier::get):

2011-09-08  Sam Weinig

        Remove the Completion object from JSC, I have never liked it
        https://bugs.webkit.org/show_bug.cgi?id=67755

        Reviewed by Gavin Barraclough.

        - Removes the Completion object and replaces its use with out parameter exceptions.
        - Remove ComplType and virtual exceptionType() function on JSObject. Replace with
          ClassInfo for InterruptedExecutionError and TerminatedExecutionError.
        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::throwException):
        * jsc.cpp:
        (functionLoad):
        (functionCheckSyntax):
        (runWithScripts):
        (runInteractive):
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        (JSC::evaluate):
        * runtime/Completion.h:
        * runtime/ExceptionHelpers.cpp:
        (JSC::InterruptedExecutionError::toString):
        (JSC::TerminatedExecutionError::toString):
        (JSC::createInterruptedExecutionException):
        * runtime/ExceptionHelpers.h:
        (JSC::InterruptedExecutionError::InterruptedExecutionError):
        (JSC::InterruptedExecutionError::create):
        (JSC::InterruptedExecutionError::createStructure):
        (JSC::TerminatedExecutionError::TerminatedExecutionError):
        (JSC::TerminatedExecutionError::create):
        (JSC::TerminatedExecutionError::createStructure):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSObject.h:

2011-09-08  Ryosuke Niwa

        Build fix.

        * dfg/DFGCapabilities.cpp:

2011-09-08  Filip Pizlo

        Value profiling and execution count profiling is performed even for code that cannot be optimized
        https://bugs.webkit.org/show_bug.cgi?id=67694

        Reviewed by Gavin Barraclough.

        This is a 2% speed-up on V8 when tiered compilation is enabled.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::ProgramCodeBlock::canCompileWithDFG):
        (JSC::EvalCodeBlock::canCompileWithDFG):
        (JSC::FunctionCodeBlock::canCompileWithDFG):
        * bytecode/CodeBlock.h:
        * dfg/DFGCapabilities.cpp: Added.
        (JSC::DFG::canCompileOpcodes):
        * dfg/DFGCapabilities.h: Added.
        (JSC::DFG::mightCompileEval):
        (JSC::DFG::mightCompileProgram):
        (JSC::DFG::mightCompileFunctionForCall):
        (JSC::DFG::mightCompileFunctionForConstruct):
        (JSC::DFG::canCompileOpcode):
        (JSC::DFG::canCompileEval):
        (JSC::DFG::canCompileProgram):
        (JSC::DFG::canCompileFunctionForCall):
        (JSC::DFG::canCompileFunctionForConstruct):
        * jit/JIT.cpp:
        (JSC::JIT::emitOptimizationCheck):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::JIT::shouldEmitProfiling):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitValueProfilingSite):

2011-09-08  Filip Pizlo

        DFG speculative JIT does not initialize integer tags for PredictInt32 temporaries
        https://bugs.webkit.org/show_bug.cgi?id=67840

        Reviewed by Gavin Barraclough.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::initializeVariableTypes):

2011-09-08  Thouraya ANDOLSI

        https://bugs.webkit.org/show_bug.cgi?id=67771
        Fix sequenceGetByIdSlowCaseInstructionSpace, sequenceGetByIdSlowCaseConstantSpace
        and patchOffsetGetByIdSlowCaseCall and enable the DOUBLE_CONVERSION_CORRECT_DOUBLE_OPERATIONS
        flag for SH4 platforms.

        Reviewed by Gavin Barraclough.

        * jit/JIT.h:
        * wtf/dtoa/utils.h:

2011-09-08  Mark Hahnenberg

        Remove getUInt32 from JSCell
        https://bugs.webkit.org/show_bug.cgi?id=67691

        Reviewed by Oliver Hunt.

        We don't use JSCell::getUInt32 anymore, so it has been removed.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/JSCell.cpp:
        * runtime/JSCell.h:

2011-09-07  Filip Pizlo

        PPC build fix.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::~CodeBlock):

2011-09-07  Oliver Hunt

        Release mode build fix.

        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::create):

2011-09-06  Oliver Hunt

        Remove JSObjectWithGlobalObject
        https://bugs.webkit.org/show_bug.cgi?id=67689

        Reviewed by Geoff Garen.

        Remove JSObjectWithGlobalObject, and update code to stop using anonymous
        storage to access the global object that a JSObject comes from. Largely
        mechanical change to remove the use of anonymous storage and
        JSObjectWithGlobalObject.
        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::JSCallbackConstructor):
        (JSC::JSCallbackConstructor::finishCreation):
        * API/JSCallbackConstructor.h:
        * API/JSCallbackObject.cpp:
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::create):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::JSCallbackObject):
        (JSC::::finishCreation):
        (JSC::::staticFunctionGetter):
        * API/JSClassRef.cpp:
        (OpaqueJSClass::prototype):
        * API/JSObjectRef.cpp:
        (JSObjectMake):
        (JSObjectGetPrivate):
        (JSObjectSetPrivate):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        * API/JSValueRef.cpp:
        (JSValueIsObjectOfClass):
        * API/JSWeakObjectMapRefPrivate.cpp:
        * JavaScriptCore.exp:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgRepatchGetMethodFast):
        (JSC::DFG::tryCacheGetMethod):
        * jit/JIT.h:
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateJSFunction):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::patchMethodCallProto):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/DatePrototype.cpp:
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::InternalFunction):
        (JSC::InternalFunction::finishCreation):
        * runtime/InternalFunction.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::JSFunction):
        (JSC::JSFunction::finishCreation):
        * runtime/JSFunction.h:
        (JSC::JSFunction::create):
        (JSC::JSFunction::createStructure):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::JSONObject):
        (JSC::JSONObject::finishCreation):
        * runtime/JSONObject.h:
        * runtime/JSObject.h:
        (JSC::JSObject::globalObject):
        * runtime/JSObjectWithGlobalObject.cpp: Removed.
        * runtime/JSObjectWithGlobalObject.h: Removed.
        * runtime/JSValue.cpp:
        (JSC::JSValue::isValidCallee):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        * runtime/MathObject.cpp:
        (JSC::MathObject::MathObject):
        (JSC::MathObject::finishCreation):
        * runtime/MathObject.h:
        * runtime/NumberPrototype.cpp:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::RegExpObject):
        (JSC::RegExpObject::finishCreation):
        * runtime/RegExpObject.h:
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        * runtime/Structure.h:
        (JSC::Structure::create):
        (JSC::Structure::globalObject):

2011-09-07  Gavin Barraclough

        Refactor JIT checks for ObjectType into helper functions.

        Rubber stamped by Sam Weinig.

        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::branchIfNotObject):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JIT.h:
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emit_op_ret_object_or_this):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitJumpIfNotObject):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_create_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_create_this):

2011-09-07  Sheriff Bot

        Unreviewed, rolling out r94627 and r94632.
        http://trac.webkit.org/changeset/94627
        http://trac.webkit.org/changeset/94632
        https://bugs.webkit.org/show_bug.cgi?id=67698

        It broke tests on GTK and Qt (Requested by Ossy on #webkit).
        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::JSCallbackConstructor):
        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::create):
        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::JSCallbackFunction):
        * API/JSCallbackFunction.h:
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::create):
        * debugger/DebuggerActivation.h:
        * jsc.cpp:
        (GlobalObject::constructorBody):
        (GlobalObject::GlobalObject):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::ArrayConstructor):
        * runtime/ArrayConstructor.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::ArrayPrototype):
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::create):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::BooleanConstructor):
        * runtime/BooleanConstructor.h:
        * runtime/BooleanObject.cpp:
        (JSC::BooleanObject::BooleanObject):
        * runtime/BooleanObject.h:
        (JSC::BooleanObject::create):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::BooleanPrototype):
        * runtime/BooleanPrototype.h:
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::DateConstructor):
        * runtime/DateConstructor.h:
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::DateInstance):
        * runtime/DateInstance.h:
        (JSC::DateInstance::create):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::DatePrototype):
        * runtime/DatePrototype.h:
        * runtime/Error.cpp:
        (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::ErrorConstructor):
        * runtime/ErrorConstructor.h:
        (JSC::ErrorConstructor::create):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::ErrorPrototype):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::create):
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::FunctionConstructor):
        * runtime/FunctionConstructor.h:
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::FunctionPrototype):
        * runtime/FunctionPrototype.h:
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::InternalFunction):
        * runtime/InternalFunction.h:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::JSActivation):
        * runtime/JSActivation.h:
        (JSC::JSActivation::create):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::create):
        (JSC::JSGlobalObject::JSGlobalObject):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::JSONObject):
        * runtime/JSONObject.h:
        (JSC::JSONObject::create):
        * runtime/JSStaticScopeObject.h:
        (JSC::JSStaticScopeObject::create):
        (JSC::JSStaticScopeObject::JSStaticScopeObject):
        * runtime/JSString.cpp:
        (JSC::StringObject::create):
        * runtime/MathObject.cpp:
        (JSC::MathObject::MathObject):
        * runtime/MathObject.h:
        (JSC::MathObject::create):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::NativeErrorConstructor):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::constructorBody):
        * runtime/NativeErrorPrototype.cpp:
        (JSC::NativeErrorPrototype::NativeErrorPrototype):
        (JSC::NativeErrorPrototype::constructorBody):
        * runtime/NativeErrorPrototype.h:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::NumberConstructor):
        * runtime/NumberConstructor.h:
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::NumberObject):
        * runtime/NumberObject.h:
        (JSC::NumberObject::create):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::NumberPrototype):
        * runtime/NumberPrototype.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::ObjectConstructor):
        * runtime/ObjectConstructor.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::RegExpConstructor):
        (JSC::RegExpMatchesArray::RegExpMatchesArray):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::create):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::RegExpObject):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::create):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::RegExpPrototype):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::StringConstructor):
        * runtime/StringConstructor.h:
        * runtime/StringObject.cpp:
        (JSC::StringObject::StringObject):
        * runtime/StringObject.h:
        (JSC::StringObject::create):
        * runtime/StringObjectThatMasqueradesAsUndefined.h:
        (JSC::StringObjectThatMasqueradesAsUndefined::StringObjectThatMasqueradesAsUndefined):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::StringPrototype):
        * runtime/StringPrototype.h:

2011-09-06  Xianzhu Wang

        Replace usages of Vector<UChar> with existing StringBuilder
        https://bugs.webkit.org/show_bug.cgi?id=67079

        Reviewed by Gavin Barraclough.

        This is part of work to support 8-bit string buffers.
        Adds StringBuilder::characters() because the original Vector::data() is widely used.
        Sets the minimum size of buffer to 16 to prevent possible performance regression.
        Further performance investigation should be done in https://bugs.webkit.org/show_bug.cgi?id=67084.

        * wtf/Forward.h:
        * wtf/text/StringBuilder.cpp:
        (WTF::StringBuilder::appendUninitialized): Sets minimum buffer size to 16 bytes.
        * wtf/text/StringBuilder.h:
        (WTF::StringBuilder::operator[]):
        (WTF::StringBuilder::characters): Added.

2011-09-06  Mark Hahnenberg

        Fix broken snow leopard build
        https://bugs.webkit.org/show_bug.cgi?id=67693

        Reviewed by Daniel Bates.

        Removed unnecessary symbol export.

        * JavaScriptCore.exp:

2011-09-06  Filip Pizlo

        DFG JIT does not optimize booleans
        https://bugs.webkit.org/show_bug.cgi?id=67670

        Reviewed by Gavin Barraclough.

        This adds boolean value profiling, boolean prediction in the DFG, boolean
        forward flow propagation in the DFGPropagator, boolean data format in DFG
        generation info, and comprehensive optimizations based on both boolean
        prediction and boolean generation info. This brings the speed-up on
        v8-richards to 12%, and gives slight speed-ups elsewhere as well.

        Making this work right required navigating some subtleties in value
        profiling. Some functions get compiled with insufficient information
        because some important path of the function never executed.
        In these cases, we wish to fall back on static speculation. But to do so,
        we need to ensure that predictions that are inherent in the code (like that
        GetById almost certainly takes a cell operand) are reflected in predictions
        that we make in DFGPropagator. Thus, DFGPropagator now does both backward
        and forward flow, using both a forward and a backward fixpoint.

        The backward flow in DFGPropagator is a separate static analysis, and needs
        to keep a set of backward flow abstract values for variables, arguments,
        and globals. To make this easy, this patch factors out DFGGraph's prediction
        tracking capability into DFGPredictionTracker, which now gets used by both
        DFGGraph (for forward flow predictions) and DFGPropagator (for backward flow
        predictions). Backward flow predictions eventually get merged into forward
        flow ones, but the two are not equivalent: a forward flow prediction is a
        superset of the backward flow prediction.

        Debugging these prediction issues required a better understanding of where
        we fail speculation, and what our value predictions look like. This patch
        also adds optional verbose speculation failure (so an informative printf
        fires whenever speculation failure occurs) and slight improvements to the
        verbosity in other places.
        * bytecode/ValueProfile.h:
        (JSC::ValueProfile::numberOfBooleans):
        (JSC::ValueProfile::probabilityOfBoolean):
        (JSC::ValueProfile::dump):
        (JSC::ValueProfile::computeStatistics):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::stronglyPredict):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::dataFormatToString):
        (JSC::DFG::needDataFormatConversion):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::predictions):
        (JSC::DFG::Graph::predict):
        (JSC::DFG::Graph::predictGlobalVar):
        (JSC::DFG::Graph::getPrediction):
        (JSC::DFG::Graph::getGlobalVarPrediction):
        (JSC::DFG::Graph::isBooleanConstant):
        (JSC::DFG::Graph::valueOfBooleanConstant):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::fillInteger):
        (JSC::DFG::JITCodeGenerator::fillDouble):
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        (JSC::DFG::JITCodeGenerator::isKnownNotInteger):
        (JSC::DFG::JITCodeGenerator::isKnownBoolean):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::JITCodeGenerator::emitBranch):
        (JSC::DFG::JITCodeGenerator::speculationCheck):
        (JSC::DFG::GPRTemporary::GPRTemporary):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::isBooleanConstant):
        (JSC::DFG::JITCodeGenerator::valueOfBooleanConstant):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::debugCall):
        (JSC::DFG::JITCompiler::isBooleanConstant):
        (JSC::DFG::JITCompiler::valueOfBooleanConstant):
        * dfg/DFGNode.h:
        (JSC::DFG::isBooleanPrediction):
        (JSC::DFG::predictionToString):
        (JSC::DFG::mergePredictions):
        (JSC::DFG::makePrediction):
        (JSC::DFG::Node::isBooleanConstant):
        (JSC::DFG::Node::valueOfBooleanConstant):
        (JSC::DFG::Node::hasBooleanResult):
        (JSC::DFG::Node::hasNumericResult):
        (JSC::DFG::Node::predict):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionTracker.h: Added.
        (JSC::DFG::operandIsArgument):
        (JSC::DFG::PredictionSlot::PredictionSlot):
        (JSC::DFG::PredictionTracker::PredictionTracker):
        (JSC::DFG::PredictionTracker::initializeSimilarTo):
        (JSC::DFG::PredictionTracker::numberOfArguments):
        (JSC::DFG::PredictionTracker::numberOfVariables):
        (JSC::DFG::PredictionTracker::argumentIndexForOperand):
        (JSC::DFG::PredictionTracker::predictArgument):
        (JSC::DFG::PredictionTracker::predict):
        (JSC::DFG::PredictionTracker::predictGlobalVar):
        (JSC::DFG::PredictionTracker::getArgumentPrediction):
        (JSC::DFG::PredictionTracker::getPrediction):
        (JSC::DFG::PredictionTracker::getGlobalVarPrediction):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::Propagator):
        (JSC::DFG::Propagator::fixpoint):
        (JSC::DFG::Propagator::setPrediction):
        (JSC::DFG::Propagator::mergeUse):
        (JSC::DFG::Propagator::mergePrediction):
        (JSC::DFG::Propagator::propagateNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
        (JSC::DFG::SpeculateBooleanOperand::~SpeculateBooleanOperand):
        (JSC::DFG::SpeculateBooleanOperand::index):
        (JSC::DFG::SpeculateBooleanOperand::gpr):
        (JSC::DFG::SpeculateBooleanOperand::use):
        * runtime/JSGlobalData.h:
        * runtime/JSValue.cpp:
        (JSC::JSValue::description):

2011-09-06  Mark Hahnenberg

        Unzip initialization lists and constructors in JSCell hierarchy (5/7)
        https://bugs.webkit.org/show_bug.cgi?id=67420

        Reviewed by Geoffrey Garen.
        Completed the fifth level of the refactoring to add finishCreation()
        methods to all classes within the JSCell hierarchy with non-trivial
        constructor bodies. This primarily consists of pushing the calls to
        finishCreation() down into the constructors of the subclasses of the
        second level of the hierarchy as well as pulling the finishCreation()
        calls out into the class's corresponding create() method if it has one.
        Doing both simultaneously allows us to maintain the invariant that the
        finishCreation() method chain is called exactly once during the creation
        of an object, since calling it any other number of times (0, 2, or more)
        will cause an assertion failure.

        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::JSCallbackConstructor):
        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::create):
        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::JSCallbackFunction):
        (JSC::JSCallbackFunction::finishCreation):
        * API/JSCallbackFunction.h:
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        * debugger/DebuggerActivation.h:
        (JSC::DebuggerActivation::create):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (GlobalObject::GlobalObject):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::ArrayConstructor):
        (JSC::ArrayConstructor::finishCreation):
        * runtime/ArrayConstructor.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::ArrayPrototype):
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::create):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::BooleanConstructor):
        (JSC::BooleanConstructor::finishCreation):
        * runtime/BooleanConstructor.h:
        * runtime/BooleanObject.cpp:
        (JSC::BooleanObject::BooleanObject):
        * runtime/BooleanObject.h:
        (JSC::BooleanObject::create):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::BooleanPrototype):
        (JSC::BooleanPrototype::finishCreation):
        * runtime/BooleanPrototype.h:
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::DateConstructor):
        (JSC::DateConstructor::finishCreation):
        * runtime/DateConstructor.h:
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::DateInstance):
        * runtime/DateInstance.h:
        (JSC::DateInstance::create):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::DatePrototype):
        (JSC::DatePrototype::finishCreation):
        * runtime/DatePrototype.h:
        * runtime/Error.cpp:
        (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::ErrorConstructor):
        (JSC::ErrorConstructor::finishCreation):
        * runtime/ErrorConstructor.h:
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::ErrorPrototype):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::create):
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::FunctionConstructor):
        (JSC::FunctionConstructor::finishCreation):
        * runtime/FunctionConstructor.h:
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::FunctionPrototype):
        (JSC::FunctionPrototype::finishCreation):
        * runtime/FunctionPrototype.h:
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::InternalFunction):
        * runtime/InternalFunction.h:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::JSActivation):
        * runtime/JSActivation.h:
        (JSC::JSActivation::create):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::create):
        (JSC::JSGlobalObject::JSGlobalObject):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::JSONObject):
        * runtime/JSONObject.h:
        (JSC::JSONObject::create):
        * runtime/JSStaticScopeObject.h:
        (JSC::JSStaticScopeObject::create):
        (JSC::JSStaticScopeObject::JSStaticScopeObject):
        * runtime/JSString.cpp:
        (JSC::StringObject::create):
        * runtime/MathObject.cpp:
        (JSC::MathObject::MathObject):
        * runtime/MathObject.h:
        (JSC::MathObject::create):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::NativeErrorConstructor):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/NativeErrorPrototype.cpp:
        (JSC::NativeErrorPrototype::NativeErrorPrototype):
        (JSC::NativeErrorPrototype::finishCreation):
        * runtime/NativeErrorPrototype.h:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::NumberConstructor):
        (JSC::NumberConstructor::finishCreation):
        * runtime/NumberConstructor.h:
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::NumberObject):
        * runtime/NumberObject.h:
        (JSC::NumberObject::create):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::NumberPrototype):
        (JSC::NumberPrototype::finishCreation):
        * runtime/NumberPrototype.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::ObjectConstructor):
        (JSC::ObjectConstructor::finishCreation):
        * runtime/ObjectConstructor.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::RegExpConstructor):
        (JSC::RegExpConstructor::finishCreation):
        (JSC::RegExpMatchesArray::RegExpMatchesArray):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::create):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::RegExpObject):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::create):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::RegExpPrototype):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::StringConstructor):
        (JSC::StringConstructor::finishCreation):
        * runtime/StringConstructor.h:
        * runtime/StringObject.cpp:
        (JSC::StringObject::StringObject):
        * runtime/StringObject.h:
        (JSC::StringObject::create):
        * runtime/StringObjectThatMasqueradesAsUndefined.h:
        (JSC::StringObjectThatMasqueradesAsUndefined::StringObjectThatMasqueradesAsUndefined):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::StringPrototype):
        (JSC::StringPrototype::finishCreation):
        * runtime/StringPrototype.h:

2011-09-06  Filip Pizlo

        Accessibility tests crashing in BasicRawSentinelNode code
        https://bugs.webkit.org/show_bug.cgi?id=67682

        Reviewed by Geoffrey Garen.

        A CodeBlock should ensure that no other CodeBlocks have references to it
        after it is destroyed.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::~CodeBlock):

2011-09-06  Yong Li

        https://bugs.webkit.org/show_bug.cgi?id=67486
        This reverts r65993 which gives wrong results for rshift in some corner
        cases (see the test).

        Reviewed by Gavin Barraclough.

        New test: fast/js/floating-point-truncate-rshift.html

        * assembler/ARMAssembler.h:
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::supportsFloatingPointTruncate):
        (JSC::MacroAssemblerARM::branchTruncateDoubleToInt32):

2011-09-06  Filip Pizlo

        Unreviewed build fix for r94559.

        Marked the relevant parameters as unused if !ENABLE(JIT), and surrounded
        new out-of-line JIT-specific method definitions with !ENABLE(JIT).

        * bytecode/CodeBlock.cpp:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::compileForCallInternal):

2011-09-06  Mark Hahnenberg

        Fix broken PPC build due to new dtoa library
        https://bugs.webkit.org/show_bug.cgi?id=67654

        Reviewed by Dan Bernstein.

        Added condition for PPC in the new dtoa compatibility check so that
        building won't fail.

        * wtf/dtoa/utils.h:

2011-09-05  Oliver Hunt

        An object's structure should reference the global object responsible for its creation
        https://bugs.webkit.org/show_bug.cgi?id=67624

        Reviewed by Gavin Barraclough.

        Add a reference to a GlobalObject to Structure, and update all calls to
        Structure::create() to pass the global object that is the origin for that
        structure. For objects where the appropriate global object isn't available
        at construction time (global object prototypes, etc), or objects that
        logically don't have a global object (strings, etc) we just pass null.

        This change is largely mechanical (passing a new globalObject parameter around).
        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::createStructure):
        * API/JSCallbackFunction.h:
        (JSC::JSCallbackFunction::createStructure):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::createStructure):
        * API/JSContextRef.cpp:
        * JavaScriptCore.exp:
        * debugger/DebuggerActivation.h:
        (JSC::DebuggerActivation::createStructure):
        * runtime/Arguments.h:
        (JSC::Arguments::createStructure):
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::createStructure):
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::createStructure):
        * runtime/BooleanObject.h:
        (JSC::BooleanObject::createStructure):
        * runtime/BooleanPrototype.h:
        (JSC::BooleanPrototype::createStructure):
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::createStructure):
        * runtime/DateInstance.h:
        (JSC::DateInstance::createStructure):
        * runtime/DatePrototype.h:
        (JSC::DatePrototype::createStructure):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::createStructure):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::createStructure):
        * runtime/Executable.h:
        (JSC::ExecutableBase::createStructure):
        (JSC::NativeExecutable::createStructure):
        (JSC::EvalExecutable::createStructure):
        (JSC::ProgramExecutable::createStructure):
        (JSC::FunctionExecutable::createStructure):
        * runtime/FunctionPrototype.h:
        (JSC::FunctionPrototype::createStructure):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::createStructure):
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::createStructure):
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure):
        * runtime/JSActivation.h:
        (JSC::JSActivation::createStructure):
        * runtime/JSArray.h:
        (JSC::JSArray::createStructure):
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::createStructure):
        * runtime/JSByteArray.h:
        * runtime/JSFunction.h:
        (JSC::JSFunction::createStructure):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::finishCreation):
        (JSC::JSGlobalObject::createStructure):
        * runtime/JSNotAnObject.h:
        (JSC::JSNotAnObject::createStructure):
        * runtime/JSONObject.h:
        (JSC::JSONObject::createStructure):
        * runtime/JSObject.cpp:
        (JSC::JSObject::createInheritorID):
        * runtime/JSObject.h:
        (JSC::JSObject::createStructure):
        (JSC::JSNonFinalObject::createStructure):
        (JSC::JSFinalObject::createStructure):
        (JSC::createEmptyObjectStructure):
        * runtime/JSObjectWithGlobalObject.h:
        (JSC::JSObjectWithGlobalObject::createStructure):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::createStructure):
        * runtime/JSStaticScopeObject.h:
        (JSC::JSStaticScopeObject::createStructure):
        * runtime/JSString.h:
        (JSC::RopeBuilder::createStructure):
        * runtime/JSVariableObject.h:
        (JSC::JSVariableObject::createStructure):
        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::createStructure):
        * runtime/MathObject.h:
        (JSC::MathObject::createStructure):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::createStructure):
        (JSC::NativeErrorConstructor::constructorBody):
        * runtime/NumberConstructor.h:
        (JSC::NumberConstructor::createStructure):
        * runtime/NumberObject.h:
        (JSC::NumberObject::createStructure):
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::createStructure):
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::createStructure):
        * runtime/ObjectPrototype.h:
        (JSC::ObjectPrototype::createStructure):
        * runtime/RegExp.h:
        (JSC::RegExp::createStructure):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::createStructure):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::createStructure):
        * runtime/RegExpPrototype.h:
        (JSC::RegExpPrototype::createStructure):
        * runtime/ScopeChain.h:
        (JSC::ScopeChainNode::createStructure):
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::createStructure):
        * runtime/StringConstructor.h:
        (JSC::StringConstructor::createStructure):
        * runtime/StringObject.h:
        (JSC::StringObject::createStructure):
        * runtime/StringObjectThatMasqueradesAsUndefined.h:
        (JSC::StringObjectThatMasqueradesAsUndefined::create):
        (JSC::StringObjectThatMasqueradesAsUndefined::createStructure):
        * runtime/StringPrototype.h:
        (JSC::StringPrototype::createStructure):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::visitChildren):
        * runtime/Structure.h:
        (JSC::Structure::create):
        (JSC::Structure::globalObject):
        (JSC::Structure::setGlobalObject):
        * runtime/StructureChain.h:
        (JSC::StructureChain::createStructure):

2011-09-06  Michael Saboff

        Add windows changes for JSC:RegExp functional tests
        https://bugs.webkit.org/show_bug.cgi?id=67521

        Windows build changes for regular expression functional test.

        Rubber-stamped by Gavin Barraclough.

        * JavaScriptCore.vcproj/JavaScriptCore.sln:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/testRegExp: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExp.vcproj: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExpCommon.vsprops: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExpDebug.vsprops: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExpDebugAll.vsprops: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExpDebugCairoCFLite.vsprops: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExpPostBuild.cmd: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExpPreBuild.cmd: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExpPreLink.cmd: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExpProduction.vsprops: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExpRelease.vsprops: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExpReleaseCairoCFLite.vsprops: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExpReleasePGO.vsprops: Added.

2011-09-06  Filip Pizlo

        JavaScriptCore does not have tiered compilation
        https://bugs.webkit.org/show_bug.cgi?id=67176

        Reviewed by Gavin Barraclough.

        This adds the ability to have multiple CodeBlocks associated with a
        particular role in an Executable. These are stored in descending order
        of compiler tier.
        CodeBlocks are optimized when a counter (m_executeCounter) that is
        incremented in loops and epilogues becomes positive. Optimizing means
        that all calls to the old CodeBlock are unlinked.

        The DFG can now pull in predictions from ValueProfiles, and propagate
        them along the graph. To support the new phase while maintaining some
        level of abstraction, a DFGDriver was introduced that encapsulates how
        to run the DFG compiler.

        This is turned off by default because it's not yet a performance win on
        all benchmarks. It speeds up crypto and richards by 10% and 6%
        respectively, but still does not do as good of a job as it could.
        Notably, the DFG backend has not changed, and is largely oblivious to
        the new information being made available to it.

        When turned off (the default), this patch is performance neutral.

        * CMakeLists.txt:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::branchAdd32):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::branchAdd32):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::visitAggregate):
        (JSC::CallLinkInfo::unlink):
        (JSC::CodeBlock::unlinkCalls):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::clearEvalCache):
        (JSC::replaceExistingEntries):
        (JSC::CodeBlock::copyDataFromAlternative):
        (JSC::ProgramCodeBlock::replacement):
        (JSC::EvalCodeBlock::replacement):
        (JSC::FunctionCodeBlock::replacement):
        (JSC::ProgramCodeBlock::compileOptimized):
        (JSC::EvalCodeBlock::compileOptimized):
        (JSC::FunctionCodeBlock::compileOptimized):
        * bytecode/CodeBlock.h:
        (JSC::GlobalCodeBlock::GlobalCodeBlock):
        (JSC::ProgramCodeBlock::ProgramCodeBlock):
        (JSC::EvalCodeBlock::EvalCodeBlock):
        (JSC::FunctionCodeBlock::FunctionCodeBlock):
        * bytecode/ValueProfile.h:
        (JSC::ValueProfile::dump):
        (JSC::ValueProfile::computeStatistics):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::dynamicallyPredict):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::parse):
        * dfg/DFGDriver.cpp: Added.
        (JSC::DFG::compile):
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        * dfg/DFGDriver.h: Added.
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predict):
        (JSC::DFG::Graph::predictGlobalVar):
        (JSC::DFG::Graph::isConstant):
        (JSC::DFG::Graph::isJSConstant):
        (JSC::DFG::Graph::isInt32Constant):
        (JSC::DFG::Graph::isDoubleConstant):
        (JSC::DFG::Graph::valueOfJSConstant):
        (JSC::DFG::Graph::valueOfInt32Constant):
        (JSC::DFG::Graph::valueOfDoubleConstant):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::isConstant):
        (JSC::DFG::JITCompiler::isJSConstant):
        (JSC::DFG::JITCompiler::isInt32Constant):
        (JSC::DFG::JITCompiler::isDoubleConstant):
        (JSC::DFG::JITCompiler::valueOfJSConstant):
        (JSC::DFG::JITCompiler::valueOfInt32Constant):
        (JSC::DFG::JITCompiler::valueOfDoubleConstant):
        * dfg/DFGNode.h:
        (JSC::DFG::isCellPrediction):
        (JSC::DFG::isNumberPrediction):
        (JSC::DFG::predictionToString):
        (JSC::DFG::mergePrediction):
        (JSC::DFG::makePrediction):
        (JSC::DFG::Node::valueOfJSConstant):
        (JSC::DFG::Node::isInt32Constant):
        (JSC::DFG::Node::isDoubleConstant):
        (JSC::DFG::Node::valueOfInt32Constant):
        (JSC::DFG::Node::valueOfDoubleConstant):
        (JSC::DFG::Node::predict):
        * dfg/DFGPropagation.cpp: Added.
        (JSC::DFG::Propagator::Propagator):
        (JSC::DFG::Propagator::fixpoint):
        (JSC::DFG::Propagator::setPrediction):
        (JSC::DFG::Propagator::mergePrediction):
        (JSC::DFG::Propagator::propagateNode):
        (JSC::DFG::Propagator::propagateForward):
        (JSC::DFG::Propagator::propagateBackward):
        (JSC::DFG::propagate):
        * dfg/DFGPropagation.h: Added.
        (JSC::DFG::propagate):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgLinkFor):
        * heap/HandleHeap.h:
        (JSC::HandleHeap::Node::Node):
        * jit/JIT.cpp:
        (JSC::JIT::emitOptimizationCheck):
        (JSC::JIT::emitTimeoutCheck):
        (JSC::JIT::privateCompile):
        (JSC::JIT::linkFor):
        * jit/JIT.h:
        (JSC::JIT::emitOptimizationCheck):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        * jit/JITCode.h:
        (JSC::JITCode::JITCode):
        (JSC::JITCode::bottomTierJIT):
        (JSC::JITCode::topTierJIT):
        (JSC::JITCode::nextTierJIT):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JITStubs.h:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileOptimized):
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::compileOptimized):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::compileOptimizedForCall):
        (JSC::FunctionExecutable::compileOptimizedForConstruct):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):
        * runtime/Executable.h:
        (JSC::EvalExecutable::compile):
        (JSC::ProgramExecutable::compile):
        (JSC::FunctionExecutable::compileForCall):
        (JSC::FunctionExecutable::compileForConstruct):
        (JSC::FunctionExecutable::compileOptimizedFor):
        * wtf/Platform.h:
        * wtf/SentinelLinkedList.h:
        (WTF::BasicRawSentinelNode::BasicRawSentinelNode):
        (WTF::BasicRawSentinelNode::setPrev):
        (WTF::BasicRawSentinelNode::setNext):
        (WTF::BasicRawSentinelNode::prev):
        (WTF::BasicRawSentinelNode::next):
        (WTF::BasicRawSentinelNode::isOnList):
        (WTF::::remove):
        (WTF::::SentinelLinkedList):
        (WTF::::begin):
        (WTF::::end):
        (WTF::::push):

2011-09-05  Sheriff Bot

        Unreviewed, rolling out r94445 and r94448.
        http://trac.webkit.org/changeset/94445
        http://trac.webkit.org/changeset/94448
        https://bugs.webkit.org/show_bug.cgi?id=67595

        It broke everything (Requested by ossy on #webkit).

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * heap/Heap.h:
        * heap/NewSpace.cpp:
        (JSC::NewSpace::NewSpace):
        * heap/NewSpace.h:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSObject.cpp:
        (JSC::JSObject::allocatePropertyStorage):
        * runtime/JSObject.h:
        (JSC::JSObject::~JSObject):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::putDirectWithoutTransition):
        (JSC::JSObject::putDirectFunctionWithoutTransition):
        (JSC::JSObject::transitionTo):
        (JSC::JSObject::visitChildrenDirect):

2011-09-05  Patrick Gansterer

        Unreviewed build fix for r94452.

        Add config.h as the first header to the cc files as required by the coding style.
        Reuse macros from Assertions.h instead of adding additional #ifdefs.

        * wtf/dtoa/bignum-dtoa.cc:
        * wtf/dtoa/bignum.cc:
        * wtf/dtoa/cached-powers.cc:
        * wtf/dtoa/diy-fp.cc:
        * wtf/dtoa/double-conversion.cc:
        * wtf/dtoa/fast-dtoa.cc:
        * wtf/dtoa/fixed-dtoa.cc:
        * wtf/dtoa/strtod.cc:
        * wtf/dtoa/utils.h:

2011-09-05  Andras Becsi

        [Qt][WK2] Fix the build

        Rubber-stamped by Csaba Osztrogonác.

        * wtf/dtoa/double-conversion.cc: Remove dead variable in file added in r94452.
        The variable fractional_part is only set but never used.

2011-09-04  Mark Hahnenberg

        REGRESSION (r94452): 20 http/tests tests failing on Qt Linux Release
        https://bugs.webkit.org/show_bug.cgi?id=67562

        Reviewed by Darin Adler.

        Fixing the build (again) which was broken by the dtoa patch.
        Needed to make sure WTF::double_conversion::initialize() is called for Qt
        as well as adding a check for WinCE in dtoa/utils.h.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * wtf/dtoa/cached-powers.cc:
        * wtf/dtoa/utils.h:

2011-09-03  Filip Pizlo

        ThunkGenerators does not convert positive double zero into integer zero
        https://bugs.webkit.org/show_bug.cgi?id=67553

        Reviewed by Gavin Barraclough.

        This is a 0.5% speed-up on V8 and neutral elsewhere.

        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::returnDouble):

2011-09-03  Kevin Ollivier

        [wx] Unreviewed build fix. Add wtf/dtoa directory to build.

        * wscript:

2011-09-03  Filip Pizlo

        DFG variable predictions only work for local variables, not temporaries
        https://bugs.webkit.org/show_bug.cgi?id=67554

        Reviewed by Gavin Barraclough.

        This appears to be a slight speed-up in Kraken (0.3% but significant)
        and neutral elsewhere.

        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predict):

2011-09-02  Filip Pizlo

        DFG JIT speculation failure does recovery of additions in reverse and doesn't rebox
        https://bugs.webkit.org/show_bug.cgi?id=67551

        Reviewed by Sam Weinig.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):

2011-09-02  Filip Pizlo

        ValueProfile does not make it safe to introspect cell values after garbage collection
        https://bugs.webkit.org/show_bug.cgi?id=67354

        Reviewed by Gavin Barraclough.

        ValueProfile buckets are now weak references, implemented using a
        light-weight weak reference mechanism that this patch also adds (the
        WeakReferenceHarvester). If a cell stored in a ValueProfile bucket is
        not marked, then the bucket is transformed into a Structure pointer. If
        the Structure is not marked either, then it is turned into a ClassInfo
        pointer.
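The degrade-on-death policy just described, as an added example that is not JSC's code: a toy WeakBucket over constructed JSCell/Structure/ClassInfo stand-ins, where the `marked` fields play the GC mark bit and low-bit tagging tells the three pointer kinds apart, with the harvest step that a WeakReferenceHarvester would run between marking and sweeping. The point it shows is that a profile never keeps a raw pointer to an object the collector is about to free, while the class of the profiled value stays recoverable.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Constructed stand-ins for the heap types a profile bucket can refer to.
// `marked` stands for the GC mark bit set during the marking phase.
struct ClassInfo { const char* className; };
struct Structure { const ClassInfo* classInfo; bool marked; };
struct JSCell    { Structure* structure; bool marked; };

// One machine word that is either a JSCell* (low bits 00), a Structure* (01)
// or a ClassInfo* (10). All three types are pointer-aligned, so the low two
// bits of a real address are always zero and free to carry the tag.
class WeakBucket {
public:
    WeakBucket() : m_bits(0) {}
    explicit WeakBucket(JSCell* cell) : m_bits(reinterpret_cast<uintptr_t>(cell)) {}

    bool isEmpty() const     { return !m_bits; }
    bool isCell() const      { return m_bits && !(m_bits & TagMask); }
    bool isStructure() const { return (m_bits & TagMask) == StructureTag; }
    bool isClassInfo() const { return (m_bits & TagMask) == ClassInfoTag; }

    JSCell* asCell() const               { assert(isCell()); return reinterpret_cast<JSCell*>(m_bits); }
    Structure* asStructure() const       { assert(isStructure()); return reinterpret_cast<Structure*>(m_bits & ~TagMask); }
    const ClassInfo* asClassInfo() const { assert(isClassInfo()); return reinterpret_cast<const ClassInfo*>(m_bits & ~TagMask); }

    // Whatever the bucket has degraded to, the class of the profiled value is
    // still answerable, which is all the optimizer needs from it.
    const ClassInfo* getClassInfo() const {
        if (isCell())      return asCell()->structure->classInfo;
        if (isStructure()) return asStructure()->classInfo;
        if (isClassInfo()) return asClassInfo();
        return 0;
    }

    // The WeakReferenceHarvester step: runs after marking and before sweeping,
    // when an unmarked object is about to be freed and must not stay referenced.
    // A dead cell degrades to its Structure; if that Structure is dead too (or
    // dies in a later collection) it degrades to the ClassInfo, which is static
    // data and is never collected.
    void harvestWeakReferences() {
        if (isCell() && !asCell()->marked)
            m_bits = reinterpret_cast<uintptr_t>(asCell()->structure) | StructureTag;
        if (isStructure() && !asStructure()->marked)
            m_bits = reinterpret_cast<uintptr_t>(asStructure()->classInfo) | ClassInfoTag;
    }

private:
    static const uintptr_t StructureTag = 1;
    static const uintptr_t ClassInfoTag = 2;
    static const uintptr_t TagMask = 3;
    uintptr_t m_bits;
};

// Constructed scenario: profile one cell, then run two collections in which
// first the cell and then its Structure become unreachable. In a real heap the
// dead objects' memory would be reused (the hazard the entry fixes); here they
// simply stay on the stack so the trace can be inspected.
struct DegradeTrace {
    bool cellAfterProfile;
    bool structureAfterFirstGC;
    bool classInfoAfterSecondGC;
    const char* finalClassName;
};

DegradeTrace runDegradeScenario() {
    static const ClassInfo arrayInfo = { "Array" };
    Structure arrayStructure = { &arrayInfo, true };
    JSCell cell = { &arrayStructure, true };

    WeakBucket bucket(&cell);
    DegradeTrace t;
    t.cellAfterProfile = bucket.isCell();

    cell.marked = false;               // GC 1: the cell died, its Structure is still live
    bucket.harvestWeakReferences();
    t.structureAfterFirstGC = bucket.isStructure();

    arrayStructure.marked = false;     // GC 2: the Structure died as well
    bucket.harvestWeakReferences();
    t.classInfoAfterSecondGC = bucket.isClassInfo();
    t.finalClassName = bucket.getClassInfo()->className;
    return t;
}

int main() {
    DegradeTrace t = runDegradeScenario();
    std::printf("cell:%d structure:%d classInfo:%d class=%s\n",
                t.cellAfterProfile, t.structureAfterFirstGC, t.classInfoAfterSecondGC, t.finalClassName);
    return 0;
}
```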
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::visitAggregate):
        (JSC::CodeBlock::visitWeakReferences):
        * bytecode/CodeBlock.h:
        * bytecode/ValueProfile.h:
        (JSC::ValueProfile::ValueProfile):
        (JSC::ValueProfile::classInfo):
        (JSC::ValueProfile::numberOfInt32s):
        (JSC::ValueProfile::numberOfDoubles):
        (JSC::ValueProfile::numberOfCells):
        (JSC::ValueProfile::numberOfArrays):
        (JSC::ValueProfile::probabilityOfArray):
        (JSC::ValueProfile::WeakBucket::WeakBucket):
        (JSC::ValueProfile::WeakBucket::operator!):
        (JSC::ValueProfile::WeakBucket::isEmpty):
        (JSC::ValueProfile::WeakBucket::isClassInfo):
        (JSC::ValueProfile::WeakBucket::isStructure):
        (JSC::ValueProfile::WeakBucket::asStructure):
        (JSC::ValueProfile::WeakBucket::asClassInfo):
        (JSC::ValueProfile::WeakBucket::getClassInfo):
        * heap/Heap.cpp:
        (JSC::Heap::harvestWeakReferences):
        (JSC::Heap::markRoots):
        * heap/Heap.h:
        * heap/MarkStack.cpp:
        (JSC::SlotVisitor::drain):
        (JSC::SlotVisitor::harvestWeakReferences):
        * heap/MarkStack.h:
        (JSC::MarkStack::addWeakReferenceHarvester):
        (JSC::MarkStack::MarkStack):
        (JSC::MarkStack::appendUnbarrieredPointer):
        * heap/SlotVisitor.h:
        * heap/WeakReferenceHarvester.h: Added.
        (JSC::WeakReferenceHarvester::WeakReferenceHarvester):
        (JSC::WeakReferenceHarvester::~WeakReferenceHarvester):

2011-09-02  Michael Saboff

        Replace local implementation of string equals() methods with UString versions
        https://bugs.webkit.org/show_bug.cgi?id=67342

        In preparation to allowing StringImpl to be backed by 8 bit characters
        when appropriate, we need to eliminate or change the usage of
        StringImpl::characters(). Change the uses of characters() that are used
        to implement redundant equals() methods.

        Reviewed by Gavin Barraclough.

        * runtime/Identifier.cpp:
        (JSC::Identifier::equal):
        * runtime/Identifier.h:
        (JSC::Identifier::equal):
        * wtf/text/AtomicString.cpp:
        (WTF::CStringTranslator::equal): Moved an optimized method to here.
        (WTF::operator==):
        * wtf/text/StringImpl.cpp:
        (WTF::equal):
        * wtf/text/StringImpl.h:

2011-09-02  Michael Saboff

        Add JSC:RegExp functional tests
        https://bugs.webkit.org/show_bug.cgi?id=67339

        Added new test driver program (testRegExp) and corresponding data file
        along with build scripts changes.

        Reviewed by Gavin Barraclough.

        * JavaScriptCore.exp:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * testRegExp.cpp: Added.
        (Options::Options):
        (StopWatch::start):
        (StopWatch::stop):
        (StopWatch::getElapsedMS):
        (RegExpTest::RegExpTest):
        (GlobalObject::create):
        (GlobalObject::className):
        (GlobalObject::GlobalObject):
        (main):
        (cleanupGlobalData):
        (testOneRegExp):
        (scanString):
        (parseRegExpLine):
        (parseTestLine):
        (runFromFiles):
        (printUsageStatement):
        (parseArguments):
        (realMain):
        * tests/regexp: Added.
        * tests/regexp/RegExpTest.data: Added.

2011-09-02  Michael Saboff

        Add JSC:RegExp functional test data generator
        https://bugs.webkit.org/show_bug.cgi?id=67519

        Add a data generator for regular expressions. To enable, change the
        #undef REGEXP_FUNC_TEST_DATA_GEN to #define. Then compile and use
        regular expressions. The resulting data will be in /tmp/RegExpTestsData.

        Reviewed by Gavin Barraclough.

        * runtime/RegExp.cpp:
        (JSC::regExpFlags):
        (JSC::RegExpFunctionalTestCollector::clearRegExp):
        (JSC::RegExpFunctionalTestCollector::get):
        (JSC::RegExpFunctionalTestCollector::outputOneTest):
        (JSC::RegExpFunctionalTestCollector::RegExpFunctionalTestCollector):
        (JSC::RegExpFunctionalTestCollector::~RegExpFunctionalTestCollector):
        (JSC::RegExpFunctionalTestCollector::outputEscapedUString):
        (JSC::RegExp::~RegExp):
        (JSC::RegExp::compile):
        (JSC::RegExp::match):
        (JSC::RegExp::matchCompareWithInterpreter):

2011-09-02  Mark Hahnenberg

        Fix the broken build due to dtoa patch
        https://bugs.webkit.org/show_bug.cgi?id=67534

        Reviewed by Oliver Hunt.

        Fixing the build.
        * GNUmakefile.list.am:
        * wtf/dtoa/bignum.cc:
        * wtf/dtoa/fast-dtoa.cc:
        * wtf/dtoa/utils.h:

2011-09-02  Oliver Hunt

        Remove OldSpace classes
        https://bugs.webkit.org/show_bug.cgi?id=67533

        Reviewed by Gavin Barraclough.

        Remove the unused OldSpace classes.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.cpp:
        (JSC::Heap::writeBarrierSlowCase):
        * heap/MarkedBlock.h:
        * heap/OldSpace.cpp: Removed.
        * heap/OldSpace.h: Removed.

2011-09-02  James Robinson

        Compile fix for mac build.

        * wtf/CheckedArithmetic.h:
        (WTF::operator+):
        (WTF::operator-):
        (WTF::operator*):

2011-08-30  Matthew Delaney

        Read out of bounds in sUnpremultiplyData_RGBA8888 / ImageBufferData::getData
        https://bugs.webkit.org/show_bug.cgi?id=65352

        Reviewed by Simon Fraser.

        New test: fast/canvas/canvas-getImageData-large-crash.html

        This patch prevents overflows from happening in getImageData,
        createImageData, and canvas creation calls that specify widths and
        heights that end up overflowing the ints that we store those values in
        as well as derived values such as area and maxX / maxY of the bounding
        rects involved. Overflow of integer arithmetic is detected via the use
        of the new Checked type that was introduced in r94207.

        The change to JSC is just to add a new helper method described below.

        * wtf/MathExtras.h:
        (isWithinIntRange): Reports if a float's value is within the range
        expressible by an int.

2011-09-02  Mark Hahnenberg

        Incorporate newer, faster dtoa library
        https://bugs.webkit.org/show_bug.cgi?id=66346

        Reviewed by Oliver Hunt.

        Added new dtoa library at http://code.google.com/p/double-conversion/.
        Replaced old call to dtoa. The new library is much faster than the old
        one. We still use the old dtoa for some stuff in WebCore as well as the
        old strtod, but we can phase these out eventually as well.
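For the getImageData out-of-bounds entry above (isWithinIntRange plus the Checked type), an added example that is not WebKit's code: a float range check with the 2^31 boundary handled, a minimal stand-in for WTF::Checked<int> (the real class in wtf/CheckedArithmetic.h is richer), and a constructed getImageData-style size validation showing which derived integer overflows first. The request shape and the rejection of negative sizes are assumptions of this example, not the canvas code's behaviour.

```cpp
#include <cassert>
#include <climits>
#include <cmath>
#include <cstdio>

// True only when `x` can be converted to int without undefined behaviour.
// The upper bound needs care: static_cast<float>(INT_MAX) rounds up to 2^31,
// which is NOT an int value, so the test against it must be strict. NaN fails
// both comparisons and is rejected as well.
inline bool isWithinIntRange(float x)
{
    return x >= static_cast<float>(INT_MIN) && x < 2147483648.0f;   // 2^31 is exact in float
}

// Minimal stand-in for WTF::Checked<int>: arithmetic is done in 64 bits and the
// overflow flag is sticky, so anything derived from an overflowed intermediate
// is itself reported as overflowed instead of silently wrapping.
class CheckedInt {
public:
    CheckedInt(int v = 0) : m_value(v), m_overflowed(false) {}

    bool hasOverflowed() const { return m_overflowed; }
    int unsafeGet() const { return m_value; }   // only meaningful if !hasOverflowed()

    CheckedInt operator+(const CheckedInt& o) const {
        return fromWide(static_cast<long long>(m_value) + o.m_value, m_overflowed || o.m_overflowed);
    }
    CheckedInt operator*(const CheckedInt& o) const {
        return fromWide(static_cast<long long>(m_value) * o.m_value, m_overflowed || o.m_overflowed);
    }

private:
    static CheckedInt fromWide(long long wide, bool alreadyOverflowed) {
        CheckedInt c;
        c.m_overflowed = alreadyOverflowed || wide > INT_MAX || wide < INT_MIN;
        c.m_value = c.m_overflowed ? 0 : static_cast<int>(wide);
        return c;
    }
    int m_value;
    bool m_overflowed;
};

struct ImageDataRequest {
    bool ok;
    int maxX, maxY;   // exclusive right/bottom edge of the requested rect
    int byteLength;   // width * height * 4 bytes of RGBA8888
};

// getImageData(sx, sy, sw, sh) receives floats from script. Each derived integer
// (edges, pixel count, byte length) is a point where an unnoticed wrap would size
// a buffer too small for the copy that follows. This stand-in simply rejects
// zero or negative sizes; the canvas spec's flipping of negative rects is out of scope.
ImageDataRequest validateImageDataRequest(float sx, float sy, float sw, float sh)
{
    ImageDataRequest r = { false, 0, 0, 0 };
    if (!isWithinIntRange(sx) || !isWithinIntRange(sy)
        || !isWithinIntRange(sw) || !isWithinIntRange(sh))
        return r;   // does not even fit the ints that hold the geometry

    CheckedInt x(static_cast<int>(sx)), y(static_cast<int>(sy));
    CheckedInt w(static_cast<int>(sw)), h(static_cast<int>(sh));
    if (w.unsafeGet() <= 0 || h.unsafeGet() <= 0)
        return r;

    CheckedInt maxX = x + w;
    CheckedInt maxY = y + h;
    CheckedInt byteLength = w * h * CheckedInt(4);
    if (maxX.hasOverflowed() || maxY.hasOverflowed() || byteLength.hasOverflowed())
        return r;   // a wrap anywhere in the chain rejects the whole request

    r.ok = true;
    r.maxX = maxX.unsafeGet();
    r.maxY = maxY.unsafeGet();
    r.byteLength = byteLength.unsafeGet();
    return r;
}

int main()
{
    // 30000 x 30000 pixels fits an int, but the byte length (x4) does not.
    ImageDataRequest a = validateImageDataRequest(10.f, 10.f, 100.f, 100.f);
    ImageDataRequest b = validateImageDataRequest(0.f, 0.f, 30000.f, 30000.f);
    std::printf("small: ok=%d bytes=%d\nhuge: ok=%d\n", a.ok, a.byteLength, b.ok);
    return 0;
}
```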
        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/InitializeThreading.cpp:
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToExponential):
        (JSC::numberProtoFuncToFixed):
        (JSC::numberProtoFuncToPrecision):
        * runtime/UString.cpp:
        (JSC::UString::number):
        * wtf/CMakeLists.txt:
        * wtf/ThreadingPthreads.cpp:
        (WTF::initializeThreading):
        * wtf/ThreadingWin.cpp:
        (WTF::initializeThreading):
        * wtf/dtoa.cpp:
        (WTF::dtoa):
        * wtf/dtoa.h:
        * wtf/dtoa/COPYING: Added.
        * wtf/dtoa/LICENSE: Added.
        * wtf/dtoa/README: Added.
        * wtf/dtoa/bignum-dtoa.cc: Added.
        * wtf/dtoa/bignum-dtoa.h: Added.
        * wtf/dtoa/bignum.cc: Added.
        * wtf/dtoa/bignum.h: Added.
        (WTF::double_conversion::Bignum::Times10):
        (WTF::double_conversion::Bignum::Equal):
        (WTF::double_conversion::Bignum::LessEqual):
        (WTF::double_conversion::Bignum::Less):
        (WTF::double_conversion::Bignum::PlusEqual):
        (WTF::double_conversion::Bignum::PlusLessEqual):
        (WTF::double_conversion::Bignum::PlusLess):
        (WTF::double_conversion::Bignum::EnsureCapacity):
        (WTF::double_conversion::Bignum::BigitLength):
        * wtf/dtoa/cached-powers.cc: Added.
        * wtf/dtoa/cached-powers.h: Added.
        * wtf/dtoa/diy-fp.cc: Added.
        * wtf/dtoa/diy-fp.h: Added.
        (WTF::double_conversion::DiyFp::DiyFp):
        (WTF::double_conversion::DiyFp::Subtract):
        (WTF::double_conversion::DiyFp::Minus):
        (WTF::double_conversion::DiyFp::Times):
        (WTF::double_conversion::DiyFp::Normalize):
        (WTF::double_conversion::DiyFp::f):
        (WTF::double_conversion::DiyFp::e):
        (WTF::double_conversion::DiyFp::set_f):
        (WTF::double_conversion::DiyFp::set_e):
        * wtf/dtoa/double-conversion.cc: Added.
        * wtf/dtoa/double-conversion.h: Added.
        (WTF::double_conversion::DoubleToStringConverter::DoubleToStringConverter):
        (WTF::double_conversion::StringToDoubleConverter::StringToDoubleConverter):
        * wtf/dtoa/double.h: Added.
        (WTF::double_conversion::double_to_uint64):
        (WTF::double_conversion::uint64_to_double):
        (WTF::double_conversion::Double::Double):
        (WTF::double_conversion::Double::AsDiyFp):
        (WTF::double_conversion::Double::AsNormalizedDiyFp):
        (WTF::double_conversion::Double::AsUint64):
        (WTF::double_conversion::Double::NextDouble):
        (WTF::double_conversion::Double::Exponent):
        (WTF::double_conversion::Double::Significand):
        (WTF::double_conversion::Double::IsDenormal):
        (WTF::double_conversion::Double::IsSpecial):
        (WTF::double_conversion::Double::IsNan):
        (WTF::double_conversion::Double::IsInfinite):
        (WTF::double_conversion::Double::Sign):
        (WTF::double_conversion::Double::UpperBoundary):
        (WTF::double_conversion::Double::NormalizedBoundaries):
        (WTF::double_conversion::Double::value):
        (WTF::double_conversion::Double::SignificandSizeForOrderOfMagnitude):
        (WTF::double_conversion::Double::Infinity):
        (WTF::double_conversion::Double::NaN):
        (WTF::double_conversion::Double::DiyFpToUint64):
        * wtf/dtoa/fast-dtoa.cc: Added.
        * wtf/dtoa/fast-dtoa.h: Added.
        * wtf/dtoa/fixed-dtoa.cc: Added.
        * wtf/dtoa/fixed-dtoa.h: Added.
        * wtf/dtoa/strtod.cc: Added.
        * wtf/dtoa/strtod.h: Added.
        * wtf/dtoa/utils.h: Added.
        (WTF::double_conversion::Max):
        (WTF::double_conversion::Min):
        (WTF::double_conversion::StrLength):
        (WTF::double_conversion::Vector::Vector):
        (WTF::double_conversion::Vector::SubVector):
        (WTF::double_conversion::Vector::length):
        (WTF::double_conversion::Vector::is_empty):
        (WTF::double_conversion::Vector::start):
        (WTF::double_conversion::Vector::operator[]):
        (WTF::double_conversion::Vector::first):
        (WTF::double_conversion::Vector::last):
        (WTF::double_conversion::StringBuilder::StringBuilder):
        (WTF::double_conversion::StringBuilder::~StringBuilder):
        (WTF::double_conversion::StringBuilder::size):
        (WTF::double_conversion::StringBuilder::position):
        (WTF::double_conversion::StringBuilder::Reset):
        (WTF::double_conversion::StringBuilder::AddCharacter):
        (WTF::double_conversion::StringBuilder::AddString):
        (WTF::double_conversion::StringBuilder::AddSubstring):
        (WTF::double_conversion::StringBuilder::AddPadding):
        (WTF::double_conversion::StringBuilder::Finalize):
        (WTF::double_conversion::StringBuilder::is_finalized):
        (WTF::double_conversion::BitCast):
        * wtf/wtf.pri:

2011-09-02  Filip Pizlo

        DFG graph has no way of distinguishing or reconciling between static and dynamic predictions
        https://bugs.webkit.org/show_bug.cgi?id=67343

        Reviewed by Gavin Barraclough.

        PredictedType now stores the source of the prediction. Merging
        predictions, which was previously done with a bitwise or, is now done
        via the mergePredictions (equivalent to |) and mergePrediction
        (equivalent to |=) functions, which correctly handle combinations of
        static and dynamic.

        This is performance-neutral, since all predictions are currently static
        and so the code has no visible effects.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::set):
        (JSC::DFG::ByteCodeParser::staticallyPredictArray):
        (JSC::DFG::ByteCodeParser::staticallyPredictInt32):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predict):
        (JSC::DFG::Graph::predictGlobalVar):
        * dfg/DFGNode.h:
        (JSC::DFG::isArrayPrediction):
        (JSC::DFG::isInt32Prediction):
        (JSC::DFG::isDoublePrediction):
        (JSC::DFG::isDynamicPrediction):
        (JSC::DFG::mergePredictions):
        (JSC::DFG::mergePrediction):
        (JSC::DFG::makePrediction):
        (JSC::DFG::Node::predict):

2011-09-02  Oliver Hunt

        Fix 32bit build.

        * heap/NewSpace.h:
        (JSC::NewSpace::allocatePropertyStorage):
        (JSC::NewSpace::inPropertyStorageNursery):

2011-09-02  Oliver Hunt

        Use bump allocator for initial property storage
        https://bugs.webkit.org/show_bug.cgi?id=67494

        Reviewed by Gavin Barraclough.

        Switch to a bump allocator for the initial out of line property storage.
        This gives us slightly faster allocation for short lived objects that
        need out of line storage at the cost of an additional memcpy when the
        object survives a GC pass.

        No performance impact.

        * JavaScriptCore.exp:
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * heap/Heap.h:
        (JSC::Heap::allocatePropertyStorage):
        (JSC::Heap::inPropertyStorageNursary):
        * heap/NewSpace.cpp:
        (JSC::NewSpace::NewSpace):
        * heap/NewSpace.h:
        (JSC::NewSpace::resetPropertyStorageNursary):
        (JSC::NewSpace::allocatePropertyStorage):
        (JSC::NewSpace::inPropertyStorageNursary):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSObject.cpp:
        (JSC::JSObject::allocatePropertyStorage):
        * runtime/JSObject.h:
        (JSC::JSObject::~JSObject):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::putDirectWithoutTransition):
        (JSC::JSObject::putDirectFunctionWithoutTransition):
        (JSC::JSObject::transitionTo):
        (JSC::JSObject::visitChildrenDirect):

2011-09-01  Mark Rowe

        Fix the build.
        * JavaScriptCore.JSVALUE32_64only.exp:
        * JavaScriptCore.JSVALUE64only.exp:
        * JavaScriptCore.exp:

2011-09-01  Mark Hahnenberg

        Unzip initialization lists and constructors in JSCell hierarchy (4/7)
        https://bugs.webkit.org/show_bug.cgi?id=67174

        Reviewed by Oliver Hunt.

        Completed the fourth level of the refactoring to add finishCreation() methods to all
        classes within the JSCell hierarchy with non-trivial constructor bodies. This primarily
        consists of pushing the calls to finishCreation() down into the constructors of the
        subclasses of the second level of the hierarchy as well as pulling the finishCreation()
        calls out into the class's corresponding create() method if it has one. Doing both
        simultaneously allows us to maintain the invariant that the finishCreation() method chain
        is called exactly once during the creation of an object, since calling it any other
        number of times (0, 2, or more) will cause an assertion failure.

        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::JSCallbackConstructor):
        (JSC::JSCallbackConstructor::finishCreation):
        * API/JSCallbackConstructor.h:
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::create):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::JSCallbackObject):
        (JSC::::finishCreation):
        * JavaScriptCore.JSVALUE64only.exp:
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::DebuggerActivation):
        (JSC::DebuggerActivation::create):
        * debugger/DebuggerActivation.h:
        * runtime/Arguments.h:
        (JSC::Arguments::create):
        (JSC::Arguments::createNoParameters):
        (JSC::Arguments::Arguments):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::ArrayPrototype):
        (JSC::ArrayPrototype::finishCreation):
        * runtime/ArrayPrototype.h:
        * runtime/BooleanObject.cpp:
        (JSC::BooleanObject::BooleanObject):
        (JSC::BooleanObject::finishCreation):
        * runtime/BooleanObject.h:
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::DateInstance):
        (JSC::DateInstance::finishCreation):
        * runtime/DateInstance.h:
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::ErrorInstance):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::create):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::ErrorPrototype):
        (JSC::ErrorPrototype::finishCreation):
        * runtime/ErrorPrototype.h:
        * runtime/ExceptionHelpers.cpp:
        (JSC::InterruptedExecutionError::InterruptedExecutionError):
        (JSC::InterruptedExecutionError::create):
        (JSC::TerminatedExecutionError::TerminatedExecutionError):
        (JSC::TerminatedExecutionError::create):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::EvalExecutable):
        (JSC::ProgramExecutable::ProgramExecutable):
        (JSC::FunctionExecutable::FunctionExecutable):
        * runtime/Executable.h:
        (JSC::NativeExecutable::create):
        (JSC::NativeExecutable::NativeExecutable):
        (JSC::EvalExecutable::create):
        (JSC::ProgramExecutable::create):
        (JSC::FunctionExecutable::create):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::InternalFunction):
        (JSC::InternalFunction::finishCreation):
        * runtime/InternalFunction.h:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::JSActivation):
        (JSC::JSActivation::finishCreation):
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::JSArray):
        * runtime/JSArray.h:
        (JSC::JSArray::create):
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::JSByteArray):
        * runtime/JSByteArray.h:
        (JSC::JSByteArray::create):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::JSFunction):
        (JSC::JSFunction::finishCreation):
        * runtime/JSFunction.h:
        (JSC::JSFunction::create):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::finishCreation):
        * runtime/JSNotAnObject.h:
        (JSC::JSNotAnObject::JSNotAnObject):
        (JSC::JSNotAnObject::create):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::JSONObject):
        (JSC::JSONObject::finishCreation):
        * runtime/JSONObject.h:
        * runtime/JSObjectWithGlobalObject.cpp:
        (JSC::JSObjectWithGlobalObject::JSObjectWithGlobalObject):
        * runtime/JSObjectWithGlobalObject.h:
        * runtime/JSStaticScopeObject.h:
        (JSC::JSStaticScopeObject::create):
        (JSC::JSStaticScopeObject::finishCreation):
        (JSC::JSStaticScopeObject::JSStaticScopeObject):
        * runtime/JSVariableObject.h:
        (JSC::JSVariableObject::JSVariableObject):
        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::JSWrapperObject):
        * runtime/MathObject.cpp:
        (JSC::MathObject::MathObject):
        (JSC::MathObject::finishCreation):
        * runtime/MathObject.h:
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::NumberObject):
        (JSC::NumberObject::finishCreation):
        * runtime/NumberObject.h:
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::ObjectPrototype):
        * runtime/ObjectPrototype.h:
        (JSC::ObjectPrototype::create):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpMatchesArray::RegExpMatchesArray):
        (JSC::RegExpMatchesArray::finishCreation):
        * runtime/RegExpMatchesArray.h:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::RegExpObject):
        (JSC::RegExpObject::finishCreation):
        * runtime/RegExpObject.h:
        * runtime/StrictEvalActivation.cpp:
        (JSC::StrictEvalActivation::StrictEvalActivation):
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::create):
        * runtime/StringObject.cpp:
        (JSC::StringObject::StringObject):
        (JSC::StringObject::finishCreation):
        * runtime/StringObject.h:

2011-09-01  Daniel Bates

        QNX GCC distribution doesn't support vasprintf()
        https://bugs.webkit.org/show_bug.cgi?id=67423

        Reviewed by Antonio Gomes.

        * wtf/Platform.h: Don't enable HAVE_VASPRINTF when building with GCC on QNX.

2011-09-01  Michael Saboff

        Remove simple usage of UString::characters() from JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=67340

        In preparation to allowing StringImpl to be backed by 8 bit characters when appropriate,
        we need to eliminate or change the usage of StringImpl::characters(). Most of the changes
        below change s->characters()[0] to s[0].

        Reviewed by Geoffrey Garen.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::keyForCharacterSwitch):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::processClauseList):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Identifier.cpp:
        (JSC::Identifier::addSlowCase):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::jsToNumber):
        (JSC::parseFloat):
        * runtime/JSString.cpp:
        (JSC::JSString::substringFromRope):
        * runtime/JSString.h:
        (JSC::jsSingleCharacterSubstring):
        (JSC::jsString):
        (JSC::jsSubstring):
        (JSC::jsOwnedString):
        * runtime/RegExp.cpp:
        (JSC::regExpFlags):
        * wtf/text/StringBuilder.h:
        (WTF::StringBuilder::operator[]):

2011-09-01  Ada Chan

        Export fastMallocStatistics and Heap::objectTypeCounts for https://bugs.webkit.org/show_bug.cgi?id=67160.

        Reviewed by Darin Adler.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-09-01  Hao Zheng

        Define PTHREAD_KEYS_MAX to fix Android port build.
        https://bugs.webkit.org/show_bug.cgi?id=67362

        Reviewed by Adam Barth.

        PTHREAD_KEYS_MAX is not defined in bionic, so explicitly define it.

        * wtf/ThreadIdentifierDataPthreads.cpp:

2011-08-31  Oliver Hunt

        Fix build.

        * wtf/CheckedArithmetic.h:
        (WTF::Checked::Checked):
        (WTF::Checked::operator=):

2011-08-31  Oliver Hunt

        fast/regex/overflow.html asserts in debug builds
        https://bugs.webkit.org/show_bug.cgi?id=67326

        Reviewed by Gavin Barraclough.

        The deliberate overflows in these expressions don't interact nicely with
        Checked<32bit-type> so we just bump up to Checked for the intermediate calculations.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
        (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):

2011-08-31  Jeff Miller

        REGRESSION(92210): AVFoundation media engine is disabled on OS X
        https://bugs.webkit.org/show_bug.cgi?id=67316

        Move the definition of WTF_USE_AVFOUNDATION on the Mac back to JavaScriptCore/wtf/Platform.h,
        since WebKit2 doesn't have access to WebCore/config.h on this platform.
        This reverts the changes that were made in r92210.

        Reviewed by Darin Adler.

        * wtf/Platform.h: Added definition of WTF_USE_AVFOUNDATION on the Mac.

2011-08-31  Peter Beverloo

        Add Android's platform specification and the right atomic functions.
        https://bugs.webkit.org/show_bug.cgi?id=66687

        Reviewed by Adam Barth.

        * wtf/Atomics.h:
        (WTF::atomicIncrement):
        (WTF::atomicDecrement):
        * wtf/Platform.h:

2011-08-30  Oliver Hunt

        Add support for checked arithmetic
        https://bugs.webkit.org/show_bug.cgi?id=67095

        Reviewed by Sam Weinig.

        Add a checked arithmetic class Checked that provides overflow-safe arithmetic over all
        integral types. Checked supports addition, subtraction and multiplication, along with
        "bool" conversions and equality operators. Checked<> can be used in either CRASH() on
        overflow or delayed failure modes, although the default is to CRASH().

        To ensure the code is actually in use (rather than checking in dead code) I've made a
        couple of properties in YARR use Checked and Checked instead of raw value arithmetic.
        This has resulted in a moderate set of changes, to YARR - mostly adding .get() calls,
        but a couple of casts from unsigned long to unsigned for some uses of sizeof, as
        Checked<> currently does not support mixed signed-ness of types wider than 32 bits.
        Happily the increased type safety of Checked<> means that it's not possible to
        accidentally assign away precision, nor accidentally call integer overload of a function
        instead of the bool version.

        No measurable regression in performance, and SunSpider claims this patch to be a
        progression of 0.3%.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/CheckedArithmetic.h: Added.
        (WTF::CrashOnOverflow::overflowed):
        (WTF::CrashOnOverflow::clearOverflow):
        (WTF::CrashOnOverflow::hasOverflowed):
        (WTF::RecordOverflow::RecordOverflow):
        (WTF::RecordOverflow::overflowed):
        (WTF::RecordOverflow::clearOverflow):
        (WTF::RecordOverflow::hasOverflowed):
        (WTF::isInBounds):
        (WTF::safeAdd):
        (WTF::safeSub):
        (WTF::safeMultiply):
        (WTF::safeEquals):
        (WTF::workAroundClangBug):
        (WTF::Checked::Checked):
        (WTF::Checked::operator=):
        (WTF::Checked::operator++):
        (WTF::Checked::operator--):
        (WTF::Checked::operator!):
        (WTF::Checked::operator UnspecifiedBoolType*):
        (WTF::Checked::get):
        (WTF::Checked::operator+=):
        (WTF::Checked::operator-=):
        (WTF::Checked::operator*=):
        (WTF::Checked::operator==):
        (WTF::Checked::operator!=):
        (WTF::operator+):
        (WTF::operator-):
        (WTF::operator*):
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::atomPatternCharacter):
        (JSC::Yarr::ByteCompiler::atomCharacterClass):
        (JSC::Yarr::ByteCompiler::atomBackReference):
        (JSC::Yarr::ByteCompiler::atomParentheticalAssertionEnd):
        (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternEnd):
        (JSC::Yarr::ByteCompiler::atomParenthesesOnceEnd):
        (JSC::Yarr::ByteCompiler::atomParenthesesTerminalEnd):
        * yarr/YarrInterpreter.h:
        (JSC::Yarr::ByteTerm::ByteTerm):
        (JSC::Yarr::ByteTerm::CheckInput):
        (JSC::Yarr::ByteTerm::UncheckInput):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateAssertionEOL):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy):
        (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy):
        (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
        (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
        (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
        (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets):
        * yarr/YarrPattern.h:

2011-08-31  Andrei Popescu

        Investigate current uses of OS(ANDROID)
        https://bugs.webkit.org/show_bug.cgi?id=66761

        Unreviewed, build fix for ARM platforms.

        * wtf/Platform.h:

2011-08-31  Andrei Popescu

        Investigate current uses of OS(ANDROID)
        https://bugs.webkit.org/show_bug.cgi?id=66761

        Reviewed by Darin Adler.

        Remove the last legacy Android code.

        No new tests needed as the code wasn't tested in the first place.

        * wtf/Atomics.h:
        * wtf/Platform.h:
        * wtf/ThreadingPthreads.cpp:
        (WTF::createThreadInternal):

2011-08-30  Aaron Colwell

        Add MediaSource API to HTMLMediaElement
        https://bugs.webkit.org/show_bug.cgi?id=64731

        Reviewed by Eric Carlson.

        * Configurations/FeatureDefines.xcconfig:

2011-08-30  Oliver Hunt

        TypedArrays don't ensure that denormalised values are normalised
        https://bugs.webkit.org/show_bug.cgi?id=67178

        Reviewed by Gavin Barraclough.

        Add a couple of assertions to jsNumber() to ensure that we block signaling NaNs

        * runtime/JSValue.h:
        (JSC::jsDoubleNumber):
        (JSC::jsNumber):

2011-08-30  Ademar de Souza Reis Jr.

        [Qt] Do not unconditionally use pkg-config in .pro files
        https://bugs.webkit.org/show_bug.cgi?id=67055

        Reviewed by Andreas Kling.

        Original patch from Rohan McGovern

        Using the first pkg-config in PATH is prone to errors when cross compiling inside the Qt
        repository (using Qt's build-system).

        This patch protects calls for pkg-config with !contains(QT_CONFIG, no-pkg-config).
        no-pkg-config is added to QT_CONFIG by Qt's 'configure' when cross-compiling on systems
        without pkg-config.

        The respective change in Qt's configure has been submitted already.

        No new tests as this is just a build change.

        * wtf/wtf.pri: protect pkg-config calls

2011-08-29  Daniel Bates

        Add HAVE(VASPRINTF) macro to test for vasprintf() support
        https://bugs.webkit.org/show_bug.cgi?id=67156

        Reviewed by Darin Adler.

        Encapsulate testing of vasprintf() support in a HAVE macro instead of hardcoding the list
        of supported/unsupported compilers at the call site.
        * wtf/Platform.h:

2011-08-29  Mark Hahnenberg

        Unzip initialization lists and constructors in JSCell hierarchy (3/7)
        https://bugs.webkit.org/show_bug.cgi?id=67064

        Reviewed by Darin Adler.

        Completed the third level of the refactoring to add finishCreation() methods to all
        classes within the JSCell hierarchy with non-trivial constructor bodies. This primarily
        consists of pushing the calls to finishCreation() down into the constructors of the
        subclasses of the second level of the hierarchy as well as pulling the finishCreation()
        calls out into the class's corresponding create() method if it has one. Doing both
        simultaneously allows us to maintain the invariant that the finishCreation() method chain
        is called exactly once during the creation of an object, since calling it any other
        number of times (0, 2, or more) will cause an assertion failure.

        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::DebuggerActivation):
        (JSC::DebuggerActivation::finishCreation):
        * debugger/DebuggerActivation.h:
        (JSC::DebuggerActivation::create):
        * runtime/Arguments.h:
        (JSC::Arguments::create):
        (JSC::Arguments::createNoParameters):
        (JSC::Arguments::Arguments):
        (JSC::Arguments::finishCreation):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::ErrorInstance):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::finishCreation):
        * runtime/ExceptionHelpers.cpp:
        (JSC::InterruptedExecutionError::InterruptedExecutionError):
        (JSC::TerminatedExecutionError::TerminatedExecutionError):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::EvalExecutable):
        (JSC::ProgramExecutable::ProgramExecutable):
        (JSC::FunctionExecutable::FunctionExecutable): Moved the assignment of m_firstLine and
        m_lastLine into the FunctionExecutable::finishCreation() method in Executable.h
        * runtime/Executable.h:
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::EvalExecutable::create):
        (JSC::ProgramExecutable::create):
        (JSC::FunctionExecutable::create):
        (JSC::FunctionExecutable::finishCreation):
        * runtime/JSArray.cpp:
        (JSC::JSArray::JSArray):
        (JSC::JSArray::finishCreation):
        * runtime/JSArray.h:
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::JSByteArray):
        * runtime/JSByteArray.h:
        (JSC::JSByteArray::finishCreation):
        * runtime/JSNotAnObject.h:
        (JSC::JSNotAnObject::JSNotAnObject):
        * runtime/JSObject.h:
        (JSC::JSNonFinalObject::JSNonFinalObject):
        * runtime/JSObjectWithGlobalObject.cpp:
        (JSC::JSObjectWithGlobalObject::JSObjectWithGlobalObject):
        (JSC::JSObjectWithGlobalObject::finishCreation):
        * runtime/JSObjectWithGlobalObject.h:
        * runtime/JSVariableObject.h:
        (JSC::JSVariableObject::JSVariableObject):
        (JSC::JSVariableObject::finishCreation):
        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::JSWrapperObject):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::ObjectPrototype):
        (JSC::ObjectPrototype::finishCreation):
        * runtime/ObjectPrototype.h:
        * runtime/StrictEvalActivation.cpp:
        (JSC::StrictEvalActivation::StrictEvalActivation):

2011-08-29  Andreas Kling

        Unreviewed build fix after r93990.

        * wtf/HashTable.h:

2011-08-29  Andreas Kling

        Viewing a post on reddit.com wastes a lot of memory on event listeners.
        https://bugs.webkit.org/show_bug.cgi?id=67133

        Reviewed by Darin Adler.

        Add a minimum table size to the HashTraits, instead of having it hard coded.
        The default value remains at 64, but can now be specialized.

        * runtime/StructureTransitionTable.h:
        * wtf/HashTable.h:
        (WTF::HashTable::shouldShrink):
        (WTF::::expand):
        (WTF::::checkTableConsistencyExceptSize):
        * wtf/HashTraits.h:

2011-08-28  Jonathan Liu

        Fix build error when compiling with MinGW-w64 by disabling JIT on Windows 64-bit
        https://bugs.webkit.org/show_bug.cgi?id=61235

        Reviewed by Gavin Barraclough.

        The fixed mmap executable allocator for JIT on x86_64 requires sys/mman.h which is not
        available on Windows.

        * wtf/Platform.h:

2011-08-27  Filip Pizlo

        JSC::Executable is inconsistent about using weak handle finalizers and destructors for
        releasing memory
        https://bugs.webkit.org/show_bug.cgi?id=67072

        Reviewed by Darin Adler.
        Moved more of the destruction of Executable state into the finalizer, which also resulted
        in an opportunity to mostly combine this with discardCode(). This also means that the
        finalizer is now enabled even when the JIT is turned off.

        This is performance neutral on SunSpider, V8, and Kraken.

        * runtime/Executable.cpp:
        (JSC::ExecutableBase::clearCode):
        (JSC::ExecutableFinalizer::finalize):
        (JSC::EvalExecutable::clearCode):
        (JSC::ProgramExecutable::clearCode):
        (JSC::FunctionExecutable::discardCode):
        (JSC::FunctionExecutable::clearCode):
        * runtime/Executable.h:
        (JSC::ExecutableBase::finishCreation):

2011-08-26  Gavin Barraclough

        DFG JIT - ArithMod may clobber operands.
        https://bugs.webkit.org/show_bug.cgi?id=67085

        Reviewed by Sam Weinig.

        unboxDouble must be called on a temporary.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::fillDouble):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::boxDouble):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):

2011-08-26  Mark Hahnenberg

        Unzip initialization lists and constructors in JSCell hierarchy (2/7)
        https://bugs.webkit.org/show_bug.cgi?id=66957

        Reviewed by Darin Adler.

        Completed the second level of the refactoring to add finishCreation() methods to all
        classes within the JSCell hierarchy with non-trivial constructor bodies.
        * runtime/Executable.h:
        (JSC::ExecutableBase::ExecutableBase):
        (JSC::ExecutableBase::create):
        (JSC::NativeExecutable::create):
        (JSC::NativeExecutable::finishCreation):
        (JSC::NativeExecutable::NativeExecutable):
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::ScriptExecutable::finishCreation):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::GetterSetter):
        (JSC::GetterSetter::create):
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::create):
        (JSC::JSAPIValueWrapper::JSAPIValueWrapper):
        * runtime/JSObject.h:
        (JSC::JSNonFinalObject::JSNonFinalObject):
        (JSC::JSNonFinalObject::finishCreation):
        (JSC::JSFinalObject::create):
        (JSC::JSFinalObject::finishCreation):
        (JSC::JSFinalObject::JSFinalObject):
        (JSC::JSObject::JSObject):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::JSPropertyNameIterator):
        (JSC::JSPropertyNameIterator::create):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::create):
        * runtime/RegExp.cpp:
        (JSC::RegExp::RegExp):
        (JSC::RegExp::createWithoutCaching):
        * runtime/ScopeChain.h:
        (JSC::ScopeChainNode::ScopeChainNode):
        (JSC::ScopeChainNode::create):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        * runtime/Structure.h:
        (JSC::Structure::create):
        (JSC::Structure::finishCreation):
        (JSC::Structure::createStructure):
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::StructureChain):
        * runtime/StructureChain.h:
        (JSC::StructureChain::create):

2011-08-26  Filip Pizlo

        The GC does not have a facility for profiling the kinds of objects that occupy the heap
        https://bugs.webkit.org/show_bug.cgi?id=66849

        Reviewed by Geoffrey Garen.

        Destructor calls and object scans are now optionally counted, per vtable. When the heap
        is destroyed and profiling is enabled, the counts are dumped, with care taken to print
        the names of classes (modulo C++ mangling) sorted in descending commonality.
        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.cpp:
        (JSC::Heap::destroy):
        * heap/Heap.h:
        * heap/MarkStack.cpp:
        (JSC::SlotVisitor::visitChildren):
        (JSC::SlotVisitor::drain):
        * heap/MarkStack.h:
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::callDestructor):
        * heap/MarkedBlock.h:
        * heap/VTableSpectrum.cpp: Added.
        (JSC::VTableSpectrum::VTableSpectrum):
        (JSC::VTableSpectrum::~VTableSpectrum):
        (JSC::VTableSpectrum::countVPtr):
        (JSC::VTableSpectrum::count):
        (JSC::VTableAndCount::VTableAndCount):
        (JSC::VTableAndCount::operator<):
        (JSC::VTableSpectrum::dump):
        * heap/VTableSpectrum.h: Added.
        * wtf/Platform.h:

2011-08-26  Juan C. Montemayor

        Update topCallFrame when calling host functions in the JIT
        https://bugs.webkit.org/show_bug.cgi?id=67010

        Reviewed by Oliver Hunt.

        The topCallFrame is not being updated when a host function is called by the JIT. This
        causes problems when trying to create a stack trace
        (https://bugs.webkit.org/show_bug.cgi?id=66994).

        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC::JIT::privateCompileCTINativeCall):

2011-08-26  Alexey Proskuryakov

        Get rid of frame life support timer
        https://bugs.webkit.org/show_bug.cgi?id=66874

        Reviewed by Geoff Garen.

        * runtime/JSGlobalObject.h:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        globalExec() no longer needs to be virtual, its only override was in JSDOMWindowBase.

2011-08-26  Chao-ying Fu

        Fix MIPS patchOffsetGetByIdSlowCaseCall
        https://bugs.webkit.org/show_bug.cgi?id=67046

        Reviewed by Gavin Barraclough.

        * jit/JIT.h:

2011-08-25  Mark Hahnenberg

        Fixing broken build due to unused variables in release mode
        https://bugs.webkit.org/show_bug.cgi?id=67004

        Unreviewed, release build fix.

        Fixing broken build due to unused variables in ASSERTs in release build.
        * runtime/JSObject.h:
        (JSC::JSObject::finishCreation):
        * runtime/JSString.h:
        (JSC::RopeBuilder::finishCreation):
        * runtime/ScopeChain.h:
        (JSC::ScopeChainNode::finishCreation):

2011-08-25  Mark Hahnenberg

        Unzip initialization lists and constructors in JSCell hierarchy (1/7)
        https://bugs.webkit.org/show_bug.cgi?id=66827

        Reviewed by Geoffrey Garen.

        Added finishCreation() methods to all immediate subclasses of JSCell with non-empty
        constructors. Part of a larger refactoring to "unzip" initialization lists and
        constructor bodies. Also renamed JSCell's constructorBody() method to finishCreation().

        * runtime/Executable.h:
        (JSC::ExecutableBase::ExecutableBase):
        (JSC::ExecutableBase::constructorBody):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::GetterSetter):
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::constructorBody):
        (JSC::JSAPIValueWrapper::JSAPIValueWrapper):
        * runtime/JSCell.h:
        (JSC::JSCell::JSCell::JSCell):
        (JSC::JSCell::JSCell::constructorBody):
        * runtime/JSObject.h:
        (JSC::JSObject::constructorBody):
        (JSC::JSObject::JSObject):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::constructorBody):
        * runtime/JSString.h:
        (JSC::RopeBuilder::JSString):
        (JSC::RopeBuilder::constructorBody):
        * runtime/RegExp.cpp:
        (JSC::RegExp::RegExp):
        (JSC::RegExp::constructorBody):
        * runtime/RegExp.h:
        * runtime/ScopeChain.h:
        (JSC::ScopeChainNode::ScopeChainNode):
        (JSC::ScopeChainNode::constructorBody):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::StructureChain):
        * runtime/StructureChain.h:
        (JSC::StructureChain::create):
        (JSC::StructureChain::constructorBody):

2011-08-25  Gabor Loki

        REGRESSION(r93755): It made 14 jsc tests and ~500 layout tests fail on Qt-ARM bot
        https://bugs.webkit.org/show_bug.cgi?id=66956

        Rebaseline constants for patching GetByIdSlowCaseCall on ARM.

        Reviewed by Oliver Hunt.

        * jit/JIT.h:

2011-08-24  Juan C. Montemayor

        Keep track of topCallFrame for Stack traces
        https://bugs.webkit.org/show_bug.cgi?id=66571

        Reviewed by Geoffrey Garen.

        This patch adds a TopCallFrame to JSC in order to have that information when an error is
        thrown to create a stack trace. The TopCallFrame is updated throughout select points in
        the Interpreter and the JSC.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::unwindCallFrame):
        (JSC::Interpreter::throwException):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::privateExecute):
        * interpreter/Interpreter.h:
        (JSC::TopCallFrameSetter::TopCallFrameSetter):
        (JSC::TopCallFrameSetter::~TopCallFrameSetter):
        * jit/JIT.h:
        * jit/JITInlineMethods.h:
        (JSC::JIT::updateTopCallFrame):
        * jit/JITStubCall.h:
        (JSC::JITStubCall::call):
        * jit/JITStubs.cpp:
        (JSC::throwExceptionFromOpCall):
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::arityCheckFor):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:

2011-08-24  Filip Pizlo

        ErrorInstance::create sometimes has two heap object constructions in flight at once
        https://bugs.webkit.org/show_bug.cgi?id=66845

        Reviewed by Darin Adler.

        The fix is simple since there is already a second create() method that takes a UString.

        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::create):

2011-08-24  Filip Pizlo

        There is no facility for profiling how the write barrier is used
        https://bugs.webkit.org/show_bug.cgi?id=66747

        Reviewed by Geoffrey Garen.

        Added facilities for the JIT to specify the kind of write barrier being executed. Added
        code for profiling the number of each kind of barrier encountered.
        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::writeBarrier):
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::emitCount):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::emitCount):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCachePutByID):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * heap/Heap.h:
        (JSC::Heap::writeBarrier):
        * heap/WriteBarrierSupport.cpp: Added.
        (JSC::WriteBarrierCounters::initialize):
        * heap/WriteBarrierSupport.h: Added.
        (JSC::WriteBarrierCounters::WriteBarrierCounters):
        (JSC::WriteBarrierCounters::jitCounterFor):
        (JSC::WriteBarrierCounters::countWriteBarrier):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::emit_op_put_scoped_var):
        (JSC::JIT::emit_op_put_global_var):
        (JSC::JIT::emitWriteBarrier):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::emit_op_put_scoped_var):
        (JSC::JIT::emit_op_put_global_var):
        (JSC::JIT::emitWriteBarrier):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase::setWithoutWriteBarrier):

2011-08-23  Mark Hahnenberg

        Add checks to ensure allocation does not take place during initialization of GC-managed objects
        https://bugs.webkit.org/show_bug.cgi?id=65288

        Reviewed by Darin Adler.

        Adding the new validation functionality. In its current state, it will perform checks,
        but they don't fail unless you do allocation in the arguments to the parent constructor
        in the initialization list of a class.
        The allocateCell() method turns on the global flag disallowing any new allocations, and
        the constructorBody() method in JSCell turns it off. This way, allocation is still
        allowed in constructor bodies while other refactoring efforts continue.

        * runtime/JSCell.h:
        (JSC::JSCell::JSCell::constructorBody):
        (JSC::JSCell::JSCell::JSCell):
        (JSC::JSCell::allocateCell):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSC::JSGlobalData::isInitializingObject):
        (JSC::JSGlobalData::setInitializingObject):
        * runtime/StringObjectThatMasqueradesAsUndefined.h:
        (JSC::StringObjectThatMasqueradesAsUndefined::create):

2011-08-23  Gavin Barraclough

        https://bugs.webkit.org/show_bug.cgi?id=55347
        "name" and "message" enumerable on *Error.prototype

        Reviewed by Sam Weinig.

        The default value of a NativeErrorPrototype's message property is "", not the name of
        the error.

        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::NativeErrorConstructor):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::create):
        (JSC::NativeErrorConstructor::constructorBody):
        * runtime/NativeErrorPrototype.cpp:
        (JSC::NativeErrorPrototype::NativeErrorPrototype):
        (JSC::NativeErrorPrototype::constructorBody):
        * runtime/NativeErrorPrototype.h:
        (JSC::NativeErrorPrototype::create):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::StringPrototype):
        * runtime/StringPrototype.h:
        (JSC::StringPrototype::create):

2011-08-23  Steve Block

        Remove last occurrences of PLATFORM(ANDROID)
        https://bugs.webkit.org/show_bug.cgi?id=66763

        Reviewed by Tony Gentilcore.

        * wtf/Platform.h:

2011-08-23  Steve Block

        Remove all mention of removed Android files from build scripts
        https://bugs.webkit.org/show_bug.cgi?id=66755

        Reviewed by Tony Gentilcore.
        * JavaScriptCore.gyp/JavaScriptCore.gyp:
        * JavaScriptCore.gypi:
        * gyp/JavaScriptCore.gyp:

2011-08-23  Adam Barth

        Remove WebCore/editing/android and other Android-specific directories
        https://bugs.webkit.org/show_bug.cgi?id=66739

        Reviewed by Steve Block.

        Now that Android shares more code with Chromium, we don't need these Android-specific files.

        * wtf/android: Removed.
        * wtf/android/AndroidThreading.h: Removed.
        * wtf/android/MainThreadAndroid.cpp: Removed.

2011-08-23  Ilya Tikhonovsky

        Unreviewed build fix for compile error on Windows for r93560.

        * runtime/SamplingCounter.h:

2011-08-22  Filip Pizlo

        Sampling counter support is in the bytecode directory
        https://bugs.webkit.org/show_bug.cgi?id=66724

        Reviewed by Darin Adler.

        Moved SamplingCounter to a separate header in runtime/.

        * GNUmakefile.list.am:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/SamplingTool.cpp:
        * bytecode/SamplingTool.h:
        * runtime/SamplingCounter.cpp: Added.
        (JSC::AbstractSamplingCounter::dump):
        * runtime/SamplingCounter.h: Added.
        (JSC::AbstractSamplingCounter::count):
        (JSC::AbstractSamplingCounter::addressOfCounter):
        (JSC::AbstractSamplingCounter::init):
        (JSC::SamplingCounter::SamplingCounter):
        (JSC::GlobalSamplingCounter::name):
        (JSC::DeletableSamplingCounter::DeletableSamplingCounter):
        (JSC::DeletableSamplingCounter::~DeletableSamplingCounter):

2011-08-21  Martin Robinson

        Fix 'make dist' for WebKitGTK+.

        * GNUmakefile.list.am: Add a missing header to the sources list.

2011-08-20  Filip Pizlo

        JavaScriptCore bytecompiler does not compute scope depth correctly in the case of constant declarations
        https://bugs.webkit.org/show_bug.cgi?id=66572

        Reviewed by Oliver Hunt.

        Changed the handling of const to add the dynamic scope depth.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ConstDeclNode::emitCodeSingle):

2011-08-19  Daniel Bates

        Only #include and require SA_RESTART when building with JSC_MULTIPLE_THREADS
        https://bugs.webkit.org/show_bug.cgi?id=66617

        Both and SA_RESTART usage are guarded behind ENABLE(JSC_MULTIPLE_THREADS). But we cause a
        compile error if the platform doesn't support SA_RESTART regardless of whether
        JSC_MULTIPLE_THREADS is enabled for the port. Instead, we shouldn't require SA_RESTART
        support unless we are building with JSC_MULTIPLE_THREADS enabled.

        Reviewed by Antonio Gomes.

        * heap/MachineStackMarker.cpp:

2011-08-19  Filip Pizlo

        The JSC JIT currently has no facility to profile and report the types of values
        https://bugs.webkit.org/show_bug.cgi?id=65901

        Reviewed by Gavin Barraclough.

        Added the ability to profile the values seen at function calls (both arguments and
        results) and heap loads. This is done with emphasis on performance. A value profiling
        site consists of: add, and, move, and store; no branching is necessary. Each value
        profiling site (called a ValueProfile) has a ring buffer of 8 recently-seen values.
        ValueProfiles are stored in the CodeBlock; there will be one for each argument
        (excluding this) and each heap load or callsite. Each time a value profiling site
        executes, it stores the value into a pseudo-random element in the ValueProfile buffer.
        The point is that for frequently executed code, we will have 8 somewhat recent values
        in the buffer and will be able to not only figure out what type it is, but also to be
        able to reason about the actual values if we wish to do so.

        This feature is currently disabled by default. When enabled, it results in a 3.7%
        slow-down on SunSpider.
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::~CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addValueProfile):
        (JSC::CodeBlock::numberOfValueProfiles):
        (JSC::CodeBlock::valueProfile):
        (JSC::CodeBlock::valueProfileForBytecodeOffset):
        * bytecode/ValueProfile.h: Added.
        (JSC::ValueProfile::ValueProfile):
        (JSC::ValueProfile::numberOfSamples):
        (JSC::ValueProfile::computeProbability):
        (JSC::ValueProfile::numberOfInt32s):
        (JSC::ValueProfile::numberOfDoubles):
        (JSC::ValueProfile::numberOfCells):
        (JSC::ValueProfile::probabilityOfInt32):
        (JSC::ValueProfile::probabilityOfDouble):
        (JSC::ValueProfile::probabilityOfCell):
        (JSC::getValueProfileBytecodeOffset):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::JIT::emitValueProfilingSite):
        * jit/JITCall.cpp:
        (JSC::JIT::emit_op_call_put_result):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitValueProfilingSite):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_method_check):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        * jit/JSInterfaceJIT.h:
        * wtf/Platform.h:
        * wtf/StdLibExtras.h:
        (WTF::binarySearch):
        (WTF::genericBinarySearch):

2011-08-19  Daniel Bates

        Don't include DisallowCType.h when building on QNX
        https://bugs.webkit.org/show_bug.cgi?id=66616

        Reviewed by Antonio Gomes.

        * config.h:

2011-08-19  Daniel Bates

        Implement ExecutableAllocator::cacheFlush() for QNX
        https://bugs.webkit.org/show_bug.cgi?id=66611

        Reviewed by Antonio Gomes.

        * jit/ExecutableAllocator.h:
        (JSC::ExecutableAllocator::cacheFlush):

2011-08-19  Daniel Bates

        Implement WTF::atomic{Increment, Decrement}() for QNX
        https://bugs.webkit.org/show_bug.cgi?id=66605

        Reviewed by Darin Adler.

        * wtf/Atomics.h:
        (WTF::atomicIncrement):
        (WTF::atomicDecrement):

2011-08-19  Beth Dakin

        https://bugs.webkit.org/show_bug.cgi?id=66590
        Re-name scrollbar painter types

        Reviewed by Sam Weinig.
        WTF_USE_WK_SCROLLBAR_PAINTER is now WTF_USE_SCROLLBAR_PAINTER since WK no longer applies.

        * wtf/Platform.h:

2011-08-18  Mark Hahnenberg

        Move allocation in constructors into separate constructorBody() methods
        https://bugs.webkit.org/show_bug.cgi?id=66265

        Reviewed by Oliver Hunt.

        Refactoring to put all allocations that need to be done after the object's initialization list has executed but before the object is ready for use into a separate constructorBody() method. This method is still called by the constructor, so the patch doesn't resolve any potential issues, it's just to set up the code for further refactoring.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * jsc.cpp:
        (GlobalObject::constructorBody):
        (GlobalObject::GlobalObject):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::ErrorInstance):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::constructorBody):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::ErrorPrototype):
        (JSC::ErrorPrototype::constructorBody):
        * runtime/ErrorPrototype.h:
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::FunctionExecutable):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::constructorBody):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::InternalFunction):
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::constructorBody):
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::JSByteArray):
        * runtime/JSByteArray.h:
        (JSC::JSByteArray::constructorBody):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::JSFunction):
        (JSC::JSFunction::constructorBody):
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::constructorBody):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::JSPropertyNameIterator):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::constructorBody):
        * runtime/JSString.h:
        (JSC::RopeBuilder::JSString):
        (JSC::RopeBuilder::constructorBody):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::NativeErrorConstructor):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::constructorBody):
        * runtime/NativeErrorPrototype.cpp:
        (JSC::NativeErrorPrototype::NativeErrorPrototype):
        (JSC::NativeErrorPrototype::constructorBody):
        * runtime/NativeErrorPrototype.h:
        * runtime/StringObject.cpp:
        * runtime/StringObject.h:
        (JSC::StringObject::create):
        * runtime/StringObjectThatMasqueradesAsUndefined.h:
        (JSC::StringObjectThatMasqueradesAsUndefined::create):
        (JSC::StringObjectThatMasqueradesAsUndefined::StringObjectThatMasqueradesAsUndefined):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::StringPrototype):
        * runtime/StringPrototype.h:
        (JSC::StringPrototype::create):

2011-08-10  Filip Pizlo

        DFG non-speculative JIT does not inline the double case of ValueAdd
        https://bugs.webkit.org/show_bug.cgi?id=66025

        Reviewed by Gavin Barraclough.

        This is a 1.3% win on Kraken overall, with >=8% speed-ups on a few benchmarks (imaging-darkroom, stanford-crypto-pbkdf2, stanford-crypto-sha256-iterative). It looks like it might have a speed-up in SunSpider (though not statistically significant or particularly reproducible) and a slight slow-down in V8 (0.14%, not statistically significant). It does slow down v8-crypto by 1.5%.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::isKnownInteger):
        (JSC::DFG::JITCodeGenerator::isKnownNumeric):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
        (JSC::DFG::NonSpeculativeJIT::basicArithOp):
        * dfg/DFGOperations.cpp:

2011-08-18  Filip Pizlo

        [jsfunfuzz] DFG speculative JIT does divide-by-zero checks incorrectly
        https://bugs.webkit.org/show_bug.cgi?id=66426

        Reviewed by Oliver Hunt.

        Changed the branchTestPtr to branchTest32.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-08-17  Thouraya ANDOLSI

        https://bugs.webkit.org/show_bug.cgi?id=66379
        implements load32WithCompactAddressOffsetPatch function and fixes store32 and moveWithPatch functions for SH4 platforms.

        Reviewed by Gavin Barraclough.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::rshift32):
        (JSC::MacroAssemblerSH4::store32):
        (JSC::MacroAssemblerSH4::load32WithCompactAddressOffsetPatch):
        (JSC::MacroAssemblerSH4::moveWithPatch):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::movlMemRegCompact):
        (JSC::SH4Assembler::readPointer):
        (JSC::SH4Assembler::repatchCompact):
        * jit/JIT.h:

2011-08-17  Filip Pizlo

        JSC verbose debugging output sometimes doesn't work as expected.
        https://bugs.webkit.org/show_bug.cgi?id=66107

        Reviewed by Gavin Barraclough.

        Hardened the CodeBlock::dump() code so that it no longer crashes. Improved the DFG verbose code so that it prints slightly more useful information.

        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::debugSize):
        * bytecode/CodeBlock.cpp:
        (JSC::valueToSourceString):
        (JSC::CodeBlock::dump):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numberOfRegExps):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):

2011-08-16  Michael Saboff

        Crash in Structure::visitChildren running iAd.js regression test suite under memory pressure
        https://bugs.webkit.org/show_bug.cgi?id=66351

        JIT::privateCompilePutByIdTransition expects that regT0 and regT1 have the basePayload and baseTag respectively. In some cases, we may get to this generated code with one or both of these registers trashed. One known case is that regT0 on ARM may be trashed as regT0 (r0) is also arg0 and can be overrun with sp due to calls to JIT::restoreReturnAddress(). This patch uses the values on the stack. A longer term solution is to work out all cases so that the register entry assumptions can be assured.

        While fixing this, also determined that the additional stack offset of sizeof(void*) is not needed for ARM.
        Reviewed by Gavin Barraclough.

        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):

2011-08-15  Gavin Barraclough

        https://bugs.webkit.org/show_bug.cgi?id=66263
        DFG JIT does not always zero extend boolean result of DFG operations

        Reviewed by Sam Weinig.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
            - Change bool return values to a 64-bit type.

2011-08-15  Gavin Barraclough

        Crash accessing static property on sealed object
        https://bugs.webkit.org/show_bug.cgi?id=66242

        Reviewed by Sam Weinig.

        * runtime/JSObject.h:
        (JSC::JSObject::putDirectInternal):
            - should only check isExtensible if checkReadOnly.

2011-08-15  Sam Weinig

        Fix release build when building with Clang.

        Reviewed by Anders Carlsson.

        * runtime/Identifier.cpp:
        (JSC::Identifier::checkCurrentIdentifierTable):
        Add NO_RETURN_DUE_TO_CRASH.

2011-08-15  Oliver Varga

        Reviewed by Nikolas Zimmermann.

        Speed up SVGSMILElement::findInstanceTime.
        https://bugs.webkit.org/show_bug.cgi?id=61025

        Add a new parameter to StdlibExtras.h::binarySearch function to also handle cases when the array does not contain the key value. This is needed for an svg function.

        * wtf/StdLibExtras.h:
        (WTF::binarySearch):

2011-08-13  Sam Weinig

        Add back 0xbbadbeef to CRASH to allow for old habits
        https://bugs.webkit.org/show_bug.cgi?id=66190

        Reviewed by David Kilzer.

        * wtf/Assertions.h:
        Add back the assignment to the memory address 0xbbadbeef in the CRASH macro, as it does not cause issue in the clang static analyzer and many people use its presence in crash reports to easily identify ASSERTs.

2011-08-13  Sam Weinig

        Fix a bunch of minor bugs caught by the clang static analyzer in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=66182

        Reviewed by Dan Bernstein.

        Fixes 10 warnings in JavaScriptCore and 2 in testapi.

        * API/tests/testapi.c:
        (main):
        Remove dead variables.
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        Initialize hasPrinted and silence an unused warning by casting to void (Ok here since it is debug code and I want to keep it clear that if other cases are added, the hasPrinted flag would be needed).

        * wtf/dtoa.cpp:
        (WTF::d2b):
        The variable "de" in the else block is always zero, so there is no reason to use it.

2011-08-12  Sam Weinig

        Use __builtin_trap() for CRASH when building with clang
        https://bugs.webkit.org/show_bug.cgi?id=66152

        Reviewed by Anders Carlsson.

        * wtf/Assertions.h:
        Add Clang specific CRASH macro that calls __builtin_trap() instead of silly techniques to crash. This allows the static analyzer to understand that we are intentionally crashing. As a result, we need to mark some functions as not returning. Also adds a macro that annotates a function as never returning due to ASSERT or CRASH.

        * wtf/Compiler.h:
        Add COMPILER(CLANG) and fix some formatting and spelling mistakes.

        * wtf/FastMalloc.cpp:
        (WTF::Internal::fastMallocMatchFailed):
        Add NO_RETURN_DUE_TO_CRASH.

        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::CharacterClassParserDelegate::assertionWordBoundary):
        (JSC::Yarr::Parser::CharacterClassParserDelegate::atomBackReference):
        Add NO_RETURN_DUE_TO_ASSERT.

2011-08-12  Filip Pizlo

        DFG JIT has inconsistent use of boxDouble and unboxDouble, inconsistent use of assertions regarding doubles, and those assertions are not turned on in debug builds
        https://bugs.webkit.org/show_bug.cgi?id=66160

        Reviewed by Gavin Barraclough.

        JIT assertions are now turned on in debug builds. JIT assertions are now used for boxing and unboxing doubles, and boxing and unboxing no longer involves code duplication.
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::fillDouble):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::boxDouble):
        (JSC::DFG::JITCodeGenerator::unboxDouble):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::fillNumericToDouble):
        (JSC::DFG::GeneralizedRegister::moveTo):
        (JSC::DFG::GeneralizedRegister::swapWith):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::boxDouble):
        (JSC::DFG::JITCompiler::unboxDouble):
        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::convertToDouble):

2011-08-12  Mark Rowe

        Be more forward-looking in the choice of compiler.

        Rubber-stamped by Jon Honeycutt.

        * Configurations/CompilerVersion.xcconfig:

2011-08-12  Kalev Lember

        [GTK] Fix non-pthreads build after r91906.
        https://bugs.webkit.org/show_bug.cgi?id=66151

        Reviewed by David Levin.

        r91906 broke the non-pthreads GTK+ build by including a header which doesn't exist. Fix it by including DateMath.h instead of DateMap.h.

        * wtf/gtk/ThreadingGtk.cpp:

2011-08-12  Mark Rowe

        Update some configuration settings that were missed back in r92432.

        * Configurations/CompilerVersion.xcconfig:

2011-08-12  Filip Pizlo

        REGRESSION (r91610?): Bing Maps fail to initialize (InvalidOperation: Matrix3D.invert)
        https://bugs.webkit.org/show_bug.cgi?id=66038

        Reviewed by Gavin Barraclough.

        Simplest and lowest-impact fix for the case where the spilled format of a DFG node differs from the register format: if the format is converted then indicate that the spilled value is no longer valid ("kill the spill").
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::killSpilled):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::fillDouble):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):

2011-08-12  Sam Weinig

        Move compiler specific macros to their own header
        https://bugs.webkit.org/show_bug.cgi?id=66119

        Reviewed by Anders Carlsson.

        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/CMakeLists.txt:
        Add Compiler.h

        * wtf/AlwaysInline.h:
        Move the contents of this file (which no longer was just about ALWAYS_INLINE) to Compiler.h. We can remove this file in a later commit.

        * wtf/Compiler.h: Added.
        Put all compiler specific checks and features in this file.

        * wtf/Platform.h:
        Move COMPILER macro and definitions (and the odd WARN_UNUSED_RETURN compiler feature) to Compiler.h. Include Compiler.h since it is necessary.

2011-08-11  Filip Pizlo

        DFG JIT-specific structure stub info code offset fields are signed 8-bit, but it is possible for the offsets to be greater than 127
        https://bugs.webkit.org/show_bug.cgi?id=66122

        Reviewed by Gavin Barraclough.

        * bytecode/StructureStubInfo.h:
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::cachedGetById):
        (JSC::DFG::JITCodeGenerator::cachedPutById):

2011-08-11  Filip Pizlo

        DFG JIT speculation failure code sometimes picks the wrong register as a scratch register.
        https://bugs.webkit.org/show_bug.cgi?id=66104

        Reviewed by Gavin Barraclough.

        Hardened the code with more assertions and fixed the bug. Now a spilled register is only used for scratch if it also isn't being used for shuffling.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::ShuffledRegister::handleNonCyclingPermutation):
        (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):

2011-08-11  Sheriff Bot

        Unreviewed, rolling out r92880.
        http://trac.webkit.org/changeset/92880
        https://bugs.webkit.org/show_bug.cgi?id=66123

        Breaks compile in VS2010 (Requested by jamesr_ on #webkit).
        * wtf/PassRefPtr.h:

2011-08-11  Mark Rowe

        Don't conditionalize the use of -fomit-frame-pointer on compiler version as all of our supported compilers are now new enough to have the same, sane behavior.

        Rubber-stamped by Sam Weinig.

        * Configurations/JavaScriptCore.xcconfig:

2011-08-11  Filip Pizlo

        DFG JIT verbose mode does not report the generated types of nodes
        https://bugs.webkit.org/show_bug.cgi?id=65830

        Reviewed by Sam Weinig.

        Added code that prints the type selected for each node's result.

        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::dataFormatToString):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-08-11  James Robinson

        nullptr can't be used for PassRefPtr
        https://bugs.webkit.org/show_bug.cgi?id=66024

        Reviewed by Anders Carlsson.

        * wtf/PassRefPtr.h:
        (WTF::PassRefPtr::PassRefPtr):

2011-08-11  Daniel Bates

        Removed unused variable in StackBounds::initialize() to resolve compiler warning when building on QNX.
        https://bugs.webkit.org/show_bug.cgi?id=66072

        Reviewed by Antonio Gomes.

        * wtf/StackBounds.cpp:
        (WTF::StackBounds::initialize):

2011-08-11  Devdatta Deshpande

        Implementation of monotonically increasing clock on GTK
        https://bugs.webkit.org/show_bug.cgi?id=62175

        Reviewed by Martin Robinson.

        * wtf/CurrentTime.cpp:
        (WTF::monotonicallyIncreasingTime):
        The default implementation of monotonicallyIncreasingTime only guarantees the result to be non-decreasing. If the system time is changed to the past then the default implementation will still fail and WebCore timers will not fire.

2011-08-10  Geoffrey Garen

        Removed some incorrect code that was dead.

        Reviewed by Oliver Hunt.

        clearSingleTransition() wasn't resetting m_data. Luckily, no one cares, because its caller was unused. Removed both.
        * runtime/Structure.cpp:
        * runtime/StructureTransitionTable.h:
        (JSC::StructureTransitionTable::~StructureTransitionTable):

2011-08-10  Filip Pizlo

        REGRESSION(r92670-r92744): WebKit crashes when opening Gmail
        https://bugs.webkit.org/show_bug.cgi?id=66010

        Reviewed by Oliver Hunt.

        Made sure that Construct calls use() on the this argument.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):

2011-08-10  Mark Hahnenberg

        JSC should always throw when function arg list is too long
        https://bugs.webkit.org/show_bug.cgi?id=65869

        Reviewed by Oliver Hunt.

        Changed the behavior of the interpreter and JIT to throw an exception when too many arguments are passed rather than truncating the list. Added a new method to create a "Too many arguments." exception used by this new functionality.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createTooManyParamsError):
        * runtime/ExceptionHelpers.h:

2011-08-10  Oliver Hunt

        Make GC checks more aggressive in release builds
        https://bugs.webkit.org/show_bug.cgi?id=66001

        Reviewed by Gavin Barraclough.

        * heap/HandleHeap.cpp:
        (JSC::HandleHeap::visitStrongHandles):
        (JSC::HandleHeap::visitWeakHandles):
        (JSC::HandleHeap::finalizeWeakHandles):
        (JSC::HandleHeap::writeBarrier):
        (JSC::HandleHeap::isLiveNode):
        (JSC::HandleHeap::isValidWeakNode):
        Increase handle heap validation logic, and make some of the crashes trigger in release builds as well as debug.
        * heap/HandleHeap.h:
        (JSC::HandleHeap::allocate):
        (JSC::HandleHeap::makeWeak):
        Ditto
        * runtime/JSGlobalData.cpp:
        (WTF::Recompiler::operator()):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::visitChildren):
        Fix GC bugs found while testing this patch

2011-08-10  Oliver Hunt

        JSEvaluateScript does not return the correct object when given JSONP data
        https://bugs.webkit.org/show_bug.cgi?id=66003

        Reviewed by Gavin Barraclough.
        Make sure we propagate the result of the function call rather than the argument.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):

2011-08-10  Filip Pizlo

        DFG JIT heap prediction causes regressions when combined with aggressive integer prediction
        https://bugs.webkit.org/show_bug.cgi?id=65954

        Reviewed by Gavin Barraclough.

        Disabled heap prediction, but did not remove the capability. This improves V8 crypto performance by 20%.

        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predict):

2011-08-09  Filip Pizlo

        DFG JIT does not speculate integers as aggressively as it should
        https://bugs.webkit.org/show_bug.cgi?id=65949

        Reviewed by Gavin Barraclough.

        Added a tree walk to propagate integer predictions through arithmetic expressions. This is a 71% speed-up on Kraken's imaging-gaussian-blur, which translates to a 19% speed-up on Kraken overall. It's neutral on other benchmarks.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::predictInt32):

2011-08-09  Filip Pizlo

        DFG JIT has no way of propagating predictions to loads and calls
        https://bugs.webkit.org/show_bug.cgi?id=65883

        Reviewed by Gavin Barraclough.

        This introduces the capability to store predictions on graph nodes. To save space while being somewhat consistent, the prediction is always stored in the second OpInfo slot (since a GetById will use the first one for the identifier). This change is a natural extension of r92593 (global variable prediction).

        This is a 1.5% win on V8 in the arithmetic mean, and a 0.6% win on V8 in the geometric mean. It is neutral on SunSpider and Kraken. Interestingly, on V8 it regresses crypto by 3% while progressing deltablue and richards by 2.6% and 4.3%, respectively.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predict):
        (JSC::DFG::Graph::getPrediction):
        * dfg/DFGNode.h:
        (JSC::DFG::isCellPrediction):
        (JSC::DFG::isArrayPrediction):
        (JSC::DFG::isInt32Prediction):
        (JSC::DFG::isDoublePrediction):
        (JSC::DFG::isNumberPrediction):
        (JSC::DFG::predictionToString):
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::hasPrediction):
        (JSC::DFG::Node::getPrediction):
        (JSC::DFG::Node::predict):

2011-08-09  Filip Pizlo

        DFG JIT passes the this argument to constructors even though it's not necessary
        https://bugs.webkit.org/show_bug.cgi?id=65943

        Reviewed by Gavin Barraclough.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):

2011-08-09  Chao-ying Fu

        Fix one MIPS instruction to call JITStubThunked_##op
        https://bugs.webkit.org/show_bug.cgi?id=65942

        Reviewed by Gavin Barraclough.

        Changed "bal" to "jalr" for a possible processor mode change from MIPS32 to MIPS16.

        * jit/JITStubs.cpp:

2011-08-09  Filip Pizlo

        DFG JIT failure loading web site
        https://bugs.webkit.org/show_bug.cgi?id=65930

        Reviewed by Oliver Hunt.

        Put the use() call after the fpr()/gpr() calls, since doing otherwise breaks the register allocator.

        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):

2011-08-09  Mark Hahnenberg

        Add ParentClass typedef in all JSC classes
        https://bugs.webkit.org/show_bug.cgi?id=65731

        Reviewed by Oliver Hunt.

        Just added the Base typedefs in all the classes that are a subclass of JSCell to point at their parent classes. This is a change to support future changes to the way constructors and destructors are implemented in JS objects, among other things.
        * API/JSCallbackConstructor.h:
        * API/JSCallbackFunction.h:
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::createStructure):
        (JSC::JSCallbackObject::visitChildren):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::asCallbackObject):
        (JSC::::JSCallbackObject):
        (JSC::::init):
        (JSC::::className):
        (JSC::::getOwnPropertySlot):
        (JSC::::getOwnPropertyDescriptor):
        (JSC::::put):
        (JSC::::deleteProperty):
        (JSC::::getConstructData):
        (JSC::::construct):
        (JSC::::hasInstance):
        (JSC::::getCallData):
        (JSC::::call):
        (JSC::::getOwnPropertyNames):
        (JSC::::toNumber):
        (JSC::::toString):
        (JSC::::setPrivate):
        (JSC::::getPrivate):
        (JSC::::inherits):
        (JSC::::getStaticValue):
        (JSC::::staticFunctionGetter):
        (JSC::::callbackGetter):
        * debugger/DebuggerActivation.h:
        * jsc.cpp:
        * runtime/Arguments.h:
        * runtime/ArrayConstructor.h:
        * runtime/ArrayPrototype.h:
        * runtime/BooleanConstructor.h:
        * runtime/BooleanObject.h:
        * runtime/BooleanPrototype.h:
        * runtime/DateConstructor.h:
        * runtime/DateInstance.h:
        * runtime/DatePrototype.h:
        * runtime/Error.cpp:
        * runtime/ErrorConstructor.h:
        * runtime/ErrorInstance.h:
        * runtime/ErrorPrototype.h:
        * runtime/ExceptionHelpers.cpp:
        * runtime/Executable.h:
        * runtime/FunctionConstructor.h:
        * runtime/FunctionPrototype.h:
        * runtime/GetterSetter.h:
        * runtime/InternalFunction.h:
        * runtime/JSAPIValueWrapper.h:
        * runtime/JSActivation.h:
        * runtime/JSArray.h:
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.h:
        * runtime/JSNotAnObject.h:
        * runtime/JSONObject.h:
        * runtime/JSObject.h:
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSStaticScopeObject.h:
        * runtime/JSString.h:
        * runtime/JSVariableObject.h:
        * runtime/JSWrapperObject.h:
        * runtime/MathObject.h:
        * runtime/NativeErrorConstructor.h:
        * runtime/NativeErrorPrototype.h:
        * runtime/NumberConstructor.h:
        * runtime/NumberObject.h:
        * runtime/NumberPrototype.h:
        * runtime/ObjectConstructor.h:
        * runtime/ObjectPrototype.h:
        * runtime/RegExp.h:
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.h:
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::create):
        * runtime/RegExpPrototype.h:
        * runtime/ScopeChain.h:
        * runtime/StrictEvalActivation.h:
        * runtime/StringConstructor.h:
        * runtime/StringObject.h:
        * runtime/StringObjectThatMasqueradesAsUndefined.h:
        * runtime/StringPrototype.h:
        * runtime/Structure.h:
        * runtime/StructureChain.h:

2011-08-08  Oliver Hunt

        Using mprotect to create guard pages breaks our use of madvise to release executable memory
        https://bugs.webkit.org/show_bug.cgi?id=65870

        Reviewed by Gavin Barraclough.

        Use mmap rather than mprotect to clear guard page permissions.

        * wtf/OSAllocatorPosix.cpp:
        (WTF::OSAllocator::reserveAndCommit):

2011-08-08  Oliver Hunt

        Non-extensibility does not prevent mutating [[Prototype]]
        https://bugs.webkit.org/show_bug.cgi?id=65832

        Reviewed by Gavin Barraclough.

        Disallow mutation of __proto__ on objects that are not extensible.

        * runtime/JSObject.cpp:
        (JSC::JSObject::put):

2011-08-08  Filip Pizlo

        DFG JIT does not track speculation decisions for global variables
        https://bugs.webkit.org/show_bug.cgi?id=65825

        Reviewed by Gavin Barraclough.

        Added the capability to track predictions for global variables, and ensured that code can abstract over the source of prediction (local versus global variable) wherever it is appropriate to do so. Also cleaned up the code in SpeculativeJIT that decides how to speculate based on recorded predictions (for example instead of using isInteger, which makes sense for local predictions where the GetLocal would return an integer value, we now tend to use shouldSpeculateInteger, which checks if the value is either already an integer or should be speculated to be an integer).

        This is an 0.8% win on SunSpider, almost entirely thanks to a 25% win on controlflow-recursive. It's also a 4.8% win on v8-crypto.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::predictArray):
        (JSC::DFG::ByteCodeParser::predictInt32):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predictGlobalVar):
        (JSC::DFG::Graph::predict):
        (JSC::DFG::Graph::getGlobalVarPrediction):
        (JSC::DFG::Graph::getPrediction):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::shouldSpeculateInteger):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateDouble):

2011-08-07  Martin Robinson

        Distribution fix for GTK+.

        * GNUmakefile.list.am: Strip removed files from the source list.

2011-08-06  Gavin Barraclough

        https://bugs.webkit.org/show_bug.cgi?id=65821
        Don't form identifiers the first time a string is used as a property name.

        Reviewed by Oliver Hunt.

        This is a 1% win on SunSpider.

        * dfg/DFGOperations.cpp:
            - Use fastGetOwnProperty.
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
            - Use fastGetOwnProperty.
        * runtime/JSCell.h:
        * runtime/JSObject.h:
        (JSC::JSCell::fastGetOwnProperty):
            - Fast call to get a property without creating an identifier the first time.
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::findWithString):
            - Add interface to look up by either strings or identifiers.
        * runtime/Structure.h:
        (JSC::Structure::get):
            - Add a get() call that takes a UString, not an Identifier.
        * wtf/text/StringImpl.h:
        (WTF::StringImpl::hasHash):
            - Add a call to check if the hash has been set (to detect the first use as a property name).

2011-08-06  Aron Rosenberg

        Reviewed by Benjamin Poulain.
        [Qt] Fix build with Intel compiler on Windows
        https://bugs.webkit.org/show_bug.cgi?id=65088

        Intel compiler needs .lib suffixes instead of .a
        Intel compiler doesn't support nullptr
        Intel compiler supports unsized arrays

        * JavaScriptCore.pri:
        * jsc.cpp:
        * wtf/ByteArray.h:
        * wtf/NullPtr.h:

2011-08-05  Gavin Barraclough

        String replace with the empty string means string removal
        https://bugs.webkit.org/show_bug.cgi?id=65799

        Reviewed by Sam Weinig.

        Optimization for String.prototype.replace([RegExp], ""), this improves v8-regexp by ~3%.

        * runtime/StringPrototype.cpp:
        (JSC::jsSpliceSubstrings):
        (JSC::stringProtoFuncReplace):

2011-08-05  Noel Gordon

        [Chromium] Remove JSZombie references from gyp project files.
        https://bugs.webkit.org/show_bug.cgi?id=65798

        JSC runtime/JSZombie.{cpp,h} were removed in r92046. Remove references to these file names from the gyp projects.

        Reviewed by Darin Adler.

        * JavaScriptCore.gypi: zombies be gone.

2011-08-05  Mark Rowe

        ThreadRestrictionVerifier needs a mode where an object is tied to a particular dispatch queue

        A RefCounted object can be opted in to this mode by calling setDispatchQueueForVerifier with the dispatch queue it will be tied to. This will cause ThreadRestrictionVerifier to ensure that all operations are performed on the given dispatch queue.

        Reviewed by Anders Carlsson.

        * wtf/RefCounted.h:
        (WTF::RefCountedBase::setDispatchQueueForVerifier):
        * wtf/ThreadRestrictionVerifier.h:
        (WTF::ThreadRestrictionVerifier::ThreadRestrictionVerifier):
        (WTF::ThreadRestrictionVerifier::~ThreadRestrictionVerifier):
        (WTF::ThreadRestrictionVerifier::setDispatchQueueMode):
        (WTF::ThreadRestrictionVerifier::setShared):
        (WTF::ThreadRestrictionVerifier::isSafeToUse):

2011-08-05  Oliver Hunt

        Inline allocation of function objects
        https://bugs.webkit.org/show_bug.cgi?id=65779

        Reviewed by Gavin Barraclough.

        Inline allocation and initialisation of function objects in generated code. This ended up being a 60-70% improvement in function allocation performance.
        This improvement shows up as a ~2% improvement in 32bit sunspider and V8, but is a wash on 64-bit.

        We currently don't inline the allocation of named function expressions, as that requires being able to gc allocate a variable object.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JSC::JIT::emitStoreCell):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateBasicJSObject):
        (JSC::JIT::emitAllocateJSFinalObject):
        (JSC::JIT::emitAllocateJSFunction):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_func):
        (JSC::JIT::emitSlow_op_new_func):
        (JSC::JIT::emit_op_new_func_exp):
        (JSC::JIT::emitSlow_op_new_func_exp):
        * jit/JITOpcodes32_64.cpp:
        Removed duplicate implementation of op_new_func and op_new_func_exp
        * runtime/JSFunction.h:
        (JSC::JSFunction::offsetOfScopeChain):
        (JSC::JSFunction::offsetOfExecutable):

2011-08-04  David Levin

        CStringBuffer should have thread safety checks turned on.
        https://bugs.webkit.org/show_bug.cgi?id=58093

        Reviewed by Dmitry Titov.

        * wtf/text/CString.h:
        (WTF::CStringBuffer::CStringBuffer): Removed the ifdef that turned this off for Chromium.

2011-08-04  Mark Rowe

        Future-proof Xcode configuration settings.

        * Configurations/Base.xcconfig:
        * Configurations/DebugRelease.xcconfig:
        * Configurations/JavaScriptCore.xcconfig:
        * Configurations/Version.xcconfig:

2011-08-04  Mark Hahnenberg

        Interpreter can potentially GC in the middle of initializing a structure chain
        https://bugs.webkit.org/show_bug.cgi?id=65638

        Reviewed by Oliver Hunt.

        Moved the allocation of a prototype StructureChain before the initialization of the structure chain within the interpreter that was causing intermittent GC crashes.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::tryCachePutByID):
        * wtf/Platform.h:

2011-08-04  Filip Pizlo

        Eval handling attempts literal parsing even when the eval string is in the cache
        https://bugs.webkit.org/show_bug.cgi?id=65675

        Reviewed by Oliver Hunt.

        This is a 25% speed-up on date-format-tofte and a 1.5% speed-up overall in SunSpider.
        It's neutral on V8.

        * bytecode/EvalCodeCache.h:
        (JSC::EvalCodeCache::tryGet):
        (JSC::EvalCodeCache::getSlow):
        (JSC::EvalCodeCache::get):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::callEval):

2011-08-03  Mark Rowe

        Bring some order to FeatureDefines.xcconfig to make it easier to follow.

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2011-08-03  Mark Rowe

        Clean up FeatureDefines.xcconfig to remove some unnecessary conditional settings

        Reviewed by Dave Kilzer.

        * Configurations/FeatureDefines.xcconfig:

2011-08-03  Filip Pizlo

        JSC GC heap size improvement breaks build on some platforms due to unused parameter
        https://bugs.webkit.org/show_bug.cgi?id=65641

        Reviewed by Darin Adler.

        Fix build on non-x86 platforms, by ensuring that the relevant parameter always appears to be used even when it isn't.

        * heap/Heap.cpp:

2011-08-03  Carlos Garcia Campos

        [GTK] Reorganize pkg-config files
        https://bugs.webkit.org/show_bug.cgi?id=65548

        Reviewed by Martin Robinson.

        * GNUmakefile.am:
        * javascriptcoregtk.pc.in: Renamed from Source/WebKit/gtk/javascriptcoregtk.pc.in.

2011-08-01  David Levin

        Add asserts to RefCounted to make sure ref/deref happens on the right thread.
        https://bugs.webkit.org/show_bug.cgi?id=31639

        Reviewed by Dmitry Titov.

        * GNUmakefile.list.am: Added new files to the build.
        * JavaScriptCore.gypi: Ditto.
        * JavaScriptCore.vcproj/WTF/WTF.vcproj: Ditto.
        * JavaScriptCore.xcodeproj/project.pbxproj: Ditto.
        * jit/ExecutableAllocator.h:
        (JSC::ExecutablePool::ExecutablePool): Turned off checks for this due to not being able to figure out what was guarding it (bug 58091).
        * parser/SourceProvider.h:
        (JSC::SourceProvider::SourceProvider): Ditto.
        * wtf/CMakeLists.txt: Added new files to the build.
        * wtf/ThreadRestrictionVerifier.h: Added.
        Everything is done in the header to avoid the issue with exports that are only useful in debug but still needing to export them.
        * wtf/RefCounted.h:
        (WTF::RefCountedBase::ref): Added checks using the non thread safe verifier.
and filed bug 58171 about making it stricter. (WTF::RefCountedBase::hasOneRef): Ditto. (WTF::RefCountedBase::refCount): Ditto. (WTF::RefCountedBase::setMutexForVerifier): Expose a way to change the checks to be based on a mutex. This is in the header to avoid adding more exports from JavaScriptCore. (WTF::RefCountedBase::deprecatedTurnOffVerifier): Temporary way to turn off verification. Filed bug 58174 to remove this method. (WTF::RefCountedBase::derefBase): * wtf/SizeLimits.cpp: Adjusted the debug size check for RefCounted. * wtf/text/CString.h: (WTF::CStringBuffer::CStringBuffer): Turned off checks for this while a fix is being done in Chromium (bug 58093). 2011-08-02 Filip Pizlo JSC GC may not be able to reuse partially-free blocks after a full collection https://bugs.webkit.org/show_bug.cgi?id=65585 Reviewed by Darin Adler. This fixes the linked list management bug. This fix is performance neutral on SunSpider. * heap/NewSpace.cpp: (JSC::NewSpace::removeBlock): 2011-07-30 Oliver Hunt Simplify JSFunction creation for functions written in JS https://bugs.webkit.org/show_bug.cgi?id=65422 Reviewed by Gavin Barraclough. Remove hash lookups used to write name property and transition function structure by caching the resultant structure and property offset in JSGlobalObject. This doesn't impact performance, but we can use this change to make other improvements later. * runtime/Executable.cpp: (JSC::FunctionExecutable::FunctionExecutable): * runtime/Executable.h: (JSC::ScriptExecutable::ScriptExecutable): (JSC::FunctionExecutable::jsName): * runtime/JSFunction.cpp: (JSC::JSFunction::JSFunction): * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::reset): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::namedFunctionStructure): (JSC::JSGlobalObject::functionNameOffset): 2011-08-02 Filip Pizlo JSC GC uses dummy cells to avoid having to remember which cells it has already destroyed https://bugs.webkit.org/show_bug.cgi?id=65556 Reviewed by Oliver Hunt. 
This gets rid of dummy cells, and ensures that it's not necessary to invoke a destructor on cells that have already been swept. In the common case, a block knows that either all of its free cells still need to have destructors called, or none of them do, which minimizes the amount of branching that needs to happen per cell when performing a sweep. This is performance neutral on SunSpider and V8. It is meant as a stepping stone to simplify the implementation of more sophisticated sweeping algorithms. * heap/Heap.cpp: (JSC::CountFunctor::ClearMarks::operator()): * heap/MarkedBlock.cpp: (JSC::MarkedBlock::initForCellSize): (JSC::MarkedBlock::callDestructor): (JSC::MarkedBlock::specializedReset): (JSC::MarkedBlock::reset): (JSC::MarkedBlock::specializedSweep): (JSC::MarkedBlock::sweep): (JSC::MarkedBlock::produceFreeList): (JSC::MarkedBlock::lazySweep): (JSC::MarkedBlock::blessNewBlockForFastPath): (JSC::MarkedBlock::blessNewBlockForSlowPath): (JSC::MarkedBlock::canonicalizeBlock): * heap/MarkedBlock.h: (JSC::MarkedBlock::FreeCell::setNoObject): (JSC::MarkedBlock::setDestructorState): (JSC::MarkedBlock::destructorState): (JSC::MarkedBlock::notifyMayHaveFreshFreeCells): * runtime/JSCell.cpp: * runtime/JSCell.h: (JSC::JSCell::JSCell::JSCell): * runtime/JSGlobalData.cpp: (JSC::JSGlobalData::JSGlobalData): (JSC::JSGlobalData::clearBuiltinStructures): * runtime/JSGlobalData.h: * runtime/Structure.h: 2011-08-01 Michael Saboff Virtual copying of FastMalloc allocated memory causes madvise MADV_FREE_REUSABLE errors https://bugs.webkit.org/show_bug.cgi?id=65502 Reviewed by Anders Carlsson. With the fix of the issues causing madvise MADV_FREE_REUSABLE to fail, added an assert to the return code of madvise to catch any regressions. * wtf/TCSystemAlloc.cpp: (TCMalloc_SystemRelease): 2011-08-02 Anders Carlsson Fix Windows build. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: 2011-08-02 Anders Carlsson Fix a Windows build error. 
* JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: 2011-08-02 Filip Pizlo JSC GC is far too conservative about growing the heap size, particularly on desktop platforms https://bugs.webkit.org/show_bug.cgi?id=65438 Reviewed by Oliver Hunt. The minimum heap size is now 16MB instead of 512KB, provided all of the following are true: a) ENABLE(LARGE_HEAP) is set, which currently only happens on x86 targets, but could reasonably happen on any platform that is known to have a decent amount of RAM. b) JSGlobalData is initialized with HeapSize = LargeHeap, which currently only happens when it's the JSDOMWindowBase in WebCore or in the jsc command-line tool. This is a 4.1% speed-up on SunSpider. * JavaScriptCore.exp: * heap/Heap.cpp: (JSC::Heap::Heap): (JSC::Heap::collect): * heap/Heap.h: * jsc.cpp: (main): * runtime/JSGlobalData.cpp: (JSC::JSGlobalData::JSGlobalData): (JSC::JSGlobalData::createContextGroup): (JSC::JSGlobalData::create): (JSC::JSGlobalData::createLeaked): (JSC::JSGlobalData::sharedInstance): * runtime/JSGlobalData.h: * wtf/Platform.h: 2011-08-02 Filip Pizlo JSC does a GC even when the heap still has free pages https://bugs.webkit.org/show_bug.cgi?id=65445 Reviewed by Oliver Hunt. If the high watermark is not reached, then we allocate new blocks as before. If the current watermark does reach (or exceed) the high watermark, then we check if there is a block on the free block pool. If there is, we simply allocate from it. If there isn't, we invoke a collection as before. This effectively couples the elastic scavenging to the collector's decision function. That is, if an application rapidly varies its heap usage (sometimes using more and sometimes less) then the collector will not thrash as it used to.
But if heap usage drops and stays low then the scavenger thread and the GC will eventually reach a kind of consensus: the GC will set the watermark low because of low heap usage, and the scavenger thread will steadily eliminate pages from the free page pool, until the size of the free pool is below the high watermark. On command-line, this is neutral on SunSpider and Kraken and a 3% win on V8. In browser, this is a 1% win on V8 and neutral on the other two. * heap/Heap.cpp: (JSC::Heap::allocateSlowCase): (JSC::Heap::allocateBlock): * heap/Heap.h: 2011-08-02 Jeff Miller Move WTF_USE_AVFOUNDATION from JavaScriptCore/wtf/platform.h to WebCore/config.h https://bugs.webkit.org/show_bug.cgi?id=65552 Since this is a WebCore feature, there's no need to define it in JavaScriptCore/wtf/platform.h. Reviewed by Adam Roben. * wtf/Platform.h: Removed WTF_USE_AVFOUNDATION. 2011-08-01 Jean-luc Brouillet Removing old source files in gyp files that slow build https://bugs.webkit.org/show_bug.cgi?id=65503 Reviewed by Adam Barth. A number of stale files are listed in the gyp files. These slow the build on Visual Studio 2010. Removing them. * JavaScriptCore.gypi: 2011-07-14 David Levin currentThread is too slow! https://bugs.webkit.org/show_bug.cgi?id=64577 Reviewed by Darin Adler and Dmitry Titov. The problem is that currentThread results in a pthread_once call which always takes a lock. With this change, currentThread is 10% faster than isMainThread in release mode and only 5% slower than isMainThread in debug. * wtf/ThreadIdentifierDataPthreads.cpp: (WTF::ThreadIdentifierData::initializeOnce): Remove the pthread once stuff which is no longer needed because this is called from initializeThreading(). (WTF::ThreadIdentifierData::identifier): Remove the initializeKeyOnce call because initialization of the pthread key should already be done. (WTF::ThreadIdentifierData::initialize): Ditto.
* wtf/ThreadIdentifierDataPthreads.h: * wtf/ThreadingPthreads.cpp: (WTF::initializeThreading): Acquire the pthread key here. 2011-08-01 Filip Pizlo DFG JIT sometimes creates speculation check data structures that have invalid information about the format of a register https://bugs.webkit.org/show_bug.cgi?id=65490 Reviewed by Gavin Barraclough. The code now makes sure to (1) always have correct and up-to-date information about register format at the time that a speculation check is emitted, (2) assert that speculation data is correct inside the speculation check implementation, and (3) avoid creating speculation data altogether if compilation has already failed, since at that point the format data is almost guaranteed to be bogus. * dfg/DFGNonSpeculativeJIT.cpp: (JSC::DFG::EntryLocation::EntryLocation): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculationCheck::SpeculationCheck): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::speculationCheck): 2011-08-01 Filip Pizlo REGRESSION(r92092): Build fails on 64 bit https://bugs.webkit.org/show_bug.cgi?id=65458 Reviewed by Oliver Hunt. The build was broken because some compilers were smart enough to see an array index out of bounds due to the decision function for when to go from precise size classes to imprecise size classes being broken: it would assume that sizes in the range 97..128 belonged to a precise size class when in fact they belonged to an imprecise one. In fact, the code would have run correctly, by way of a fluke, because though the 4th precise size class (for 97..128) didn't exist, the next array over from m_preciseSizeClasses was m_impreciseSizeClasses, and its first entry would have been a size class that is appropriate for allocations in the range 97..128. However, this relies on specific ordering of fields in NewSpace, so it's still a bug.
This fixes the bug by ensuring that allocations larger than 96 use the imprecise size classes. * heap/NewSpace.h: (JSC::NewSpace::sizeClassFor): 2011-07-31 Gavin Barraclough https://bugs.webkit.org/show_bug.cgi?id=64679 Fix bugs in Array.prototype this handling. Unreviewed - rolling out r91290. Looks like the wild wild web isn't ready for this yet. This change broke http://slides.html5rocks.com/#landing-slide. Interestingly, this might only be due to our lack of bind support - it looks like this site is calling Array.prototype.slice as a part of its bind implementation. * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncJoin): (JSC::arrayProtoFuncConcat): (JSC::arrayProtoFuncPop): (JSC::arrayProtoFuncPush): (JSC::arrayProtoFuncReverse): (JSC::arrayProtoFuncShift): (JSC::arrayProtoFuncSlice): (JSC::arrayProtoFuncSort): (JSC::arrayProtoFuncSplice): (JSC::arrayProtoFuncUnShift): (JSC::arrayProtoFuncFilter): (JSC::arrayProtoFuncMap): (JSC::arrayProtoFuncEvery): (JSC::arrayProtoFuncForEach): (JSC::arrayProtoFuncSome): (JSC::arrayProtoFuncReduce): (JSC::arrayProtoFuncReduceRight): (JSC::arrayProtoFuncIndexOf): (JSC::arrayProtoFuncLastIndexOf): 2011-07-31 Filip Pizlo JSC GC lays out size classes under wrong assumptions about expected object size. https://bugs.webkit.org/show_bug.cgi?id=65437 Reviewed by Oliver Hunt. Changed the atom size - which is both the smallest allocation size and the smallest possible stepping unit for size class spacing - from 8 bytes to 4 pointer-size words. This is a 1% win on SunSpider. * heap/MarkedBlock.h: 2011-07-31 Filip Pizlo DFG non-speculative JIT does not optimize PutByVal https://bugs.webkit.org/show_bug.cgi?id=65424 Reviewed by Gavin Barraclough. Added code to emit PutByVal inline fast path. * dfg/DFGNonSpeculativeJIT.cpp: (JSC::DFG::NonSpeculativeJIT::compile): 2011-07-31 Filip Pizlo The JSC garbage collector returns memory to the operating system too eagerly. https://bugs.webkit.org/show_bug.cgi?id=65382 Reviewed by Oliver Hunt. 
This introduces a memory reuse model similar to the one in FastMalloc. A periodic scavenger thread runs in the background and returns half the free memory to the OS on each timer fire. New block allocations first attempt to get the memory from the collector's internal pool, reverting to OS allocation only when this pool is empty. * heap/Heap.cpp: (JSC::Heap::Heap): (JSC::Heap::~Heap): (JSC::Heap::destroy): (JSC::Heap::waitForRelativeTimeWhileHoldingLock): (JSC::Heap::waitForRelativeTime): (JSC::Heap::blockFreeingThreadStartFunc): (JSC::Heap::blockFreeingThreadMain): (JSC::Heap::allocateBlock): (JSC::Heap::freeBlocks): (JSC::Heap::releaseFreeBlocks): * heap/Heap.h: * heap/MarkedBlock.cpp: (JSC::MarkedBlock::destroy): (JSC::MarkedBlock::MarkedBlock): (JSC::MarkedBlock::initForCellSize): (JSC::MarkedBlock::reset): * heap/MarkedBlock.h: * wtf/Platform.h: 2011-07-30 Filip Pizlo DFG JIT speculation failure pass sometimes forgets to emit code to move certain registers. https://bugs.webkit.org/show_bug.cgi?id=65421 Reviewed by Oliver Hunt. Restructured the offending loops (for gprs and fprs). It's once again possible to use spreadsheets on docs.google.com. * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative): 2011-07-30 Patrick Gansterer Remove inclusion of MainThread.h from Threading.h https://bugs.webkit.org/show_bug.cgi?id=65081 Reviewed by Darin Adler. Add missing and remove unneeded include statements for MainThread. * wtf/CryptographicallyRandomNumber.cpp: * wtf/Threading.h: * wtf/ThreadingPthreads.cpp: * wtf/text/StringStatics.cpp: 2011-07-30 Oliver Hunt Reduce the size of JSGlobalObject slightly https://bugs.webkit.org/show_bug.cgi?id=65417 Reviewed by Dan Bernstein. Push a few members that either aren't commonly used, or aren't frequently accessed into a separate struct. 
* runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): (JSC::JSGlobalObject::WeakMapsFinalizer::finalize): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::JSGlobalObjectRareData::JSGlobalObjectRareData): (JSC::JSGlobalObject::createRareDataIfNeeded): (JSC::JSGlobalObject::setProfileGroup): (JSC::JSGlobalObject::profileGroup): (JSC::JSGlobalObject::registerWeakMap): (JSC::JSGlobalObject::deregisterWeakMap): 2011-07-30 Balazs Kelemen MessageQueue::waitForMessageFilteredWithTimeout can trigger an assertion https://bugs.webkit.org/show_bug.cgi?id=65263 Reviewed by Dmitry Titov. * wtf/Deque.h: (WTF::::operator): Don't check the validity of an iterator that will be reassigned right now. * wtf/MessageQueue.h: (WTF::::removeIf): Revert r51198 as I believe this is the better solution for the problem that was solved by that. 2011-07-29 Filip Pizlo JSC GC zombie support no longer works, and is likely no longer needed. https://bugs.webkit.org/show_bug.cgi?id=65404 Reviewed by Darin Adler. This removes zombies, because they no longer work, are not tested, are probably not needed, and are getting in the way of GC optimization work. * JavaScriptCore.xcodeproj/project.pbxproj: * heap/Handle.h: (JSC::HandleConverter::operator->): (JSC::HandleConverter::operator*): * heap/HandleHeap.cpp: (JSC::HandleHeap::isValidWeakNode): * heap/Heap.cpp: (JSC::Heap::destroy): (JSC::Heap::collect): * heap/MarkedBlock.cpp: (JSC::MarkedBlock::sweep): * heap/MarkedBlock.h: (JSC::MarkedBlock::clearMarks): * interpreter/Register.h: (JSC::Register::Register): (JSC::Register::operator=): * runtime/ArgList.h: (JSC::MarkedArgumentBuffer::append): (JSC::ArgList::ArgList): * runtime/JSCell.cpp: (JSC::isZombie): * runtime/JSCell.h: * runtime/JSGlobalData.cpp: (JSC::JSGlobalData::JSGlobalData): (JSC::JSGlobalData::clearBuiltinStructures): * runtime/JSGlobalData.h: * runtime/JSValue.h: * runtime/JSValueInlineMethods.h: (JSC::JSValue::JSValue): * runtime/JSZombie.cpp: Removed.
* runtime/JSZombie.h: Removed. * runtime/WriteBarrier.h: (JSC::WriteBarrierBase::setEarlyValue): (JSC::WriteBarrierBase::operator*): (JSC::WriteBarrierBase::setWithoutWriteBarrier): * wtf/Platform.h: 2011-07-29 Filip Pizlo DFG JIT verbose mode provides no details about predictions https://bugs.webkit.org/show_bug.cgi?id=65389 Reviewed by Darin Adler. Added a print-out of the predictions to the IR dump, with names as follows: "p-bottom" = the parser made no predictions "p-int32" = the parser predicted int32 ... (same for array, cell, double, number) "p-top" = the parser made conflicting predictions which will be ignored. * dfg/DFGGraph.cpp: (JSC::DFG::Graph::dump): * dfg/DFGGraph.h: (JSC::DFG::predictionToString): 2011-07-29 Filip Pizlo DFG JIT does not have any way of undoing double speculation. https://bugs.webkit.org/show_bug.cgi?id=65334 Reviewed by Gavin Barraclough. This adds code to do a branchConvertDoubleToInt on speculation failure. This is performance-neutral on most benchmarks but does result in a slight improvement in Kraken. * dfg/DFGJITCompiler.cpp: (JSC::DFG::GeneralizedRegister::moveTo): (JSC::DFG::GeneralizedRegister::swapWith): (JSC::DFG::ShuffledRegister::handleNonCyclingPermutation): (JSC::DFG::ShuffledRegister::handleCyclingPermutation): (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative): 2011-07-29 Filip Pizlo Crash when opening docs.google.com https://bugs.webkit.org/show_bug.cgi?id=65327 Reviewed by Gavin Barraclough. The speculative JIT was only checking whether a value is an array when we had already checked that it was, rather than when we hadn't. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compile): 2011-07-28 Oliver Hunt *_list instructions are only used in one place, where the code is wrong. https://bugs.webkit.org/show_bug.cgi?id=65348 Reviewed by Darin Adler. Simply remove the instructions and all users.
Speeds up the interpreter slightly due to code motion, but otherwise has no effect (because none of the _list instructions are ever used). * bytecode/CodeBlock.cpp: (JSC::isPropertyAccess): (JSC::CodeBlock::dump): (JSC::CodeBlock::visitStructures): * bytecode/Instruction.h: * bytecode/Opcode.h: * interpreter/Interpreter.cpp: (JSC::Interpreter::privateExecute): * jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): 2011-07-28 Gavin Barraclough https://bugs.webkit.org/show_bug.cgi?id=65325 Performance tweak to parseInt Reviewed by Oliver Hunt. * runtime/JSGlobalObjectFunctions.cpp: (JSC::globalFuncParseInt): - This change may make an existing optimization redundant, cleanup from Darin's comments, plus fix existing bugs. 2011-07-28 Gavin Barraclough https://bugs.webkit.org/show_bug.cgi?id=65325 Performance tweak to parseInt Reviewed by Oliver Hunt. * runtime/JSGlobalObjectFunctions.cpp: (JSC::globalFuncParseInt): - parseInt applied to small positive numbers = floor. 2011-07-28 Dan Bernstein Build fix. * runtime/Executable.cpp: (JSC::FunctionExecutable::compileForCallInternal): 2011-07-28 Kent Tamura Improve StringImpl::stripWhiteSpace() and simplifyWhiteSpace(). https://bugs.webkit.org/show_bug.cgi?id=65300 Reviewed by Darin Adler. r91837 introduced a performance regression in StringImpl::stripWhiteSpace() and simplifyWhiteSpace(). This changes the code so that compilers generate code equivalent to r91836 or prior. * wtf/text/StringImpl.cpp: (WTF::StringImpl::stripMatchedCharacters): A template member function for stripWhiteSpace(). This function takes a functor. (WTF::UCharPredicate): A functor for generic predicate for single UChar argument. (WTF::SpaceOrNewlinePredicate): A special functor for isSpaceOrNewline(). (WTF::StringImpl::stripWhiteSpace): Use stripMatchedCharacters(). (WTF::StringImpl::simplifyMatchedCharactersToSpace): A template member function for simplifyWhiteSpace(). (WTF::StringImpl::simplifyWhiteSpace): Use simplifyMatchedCharactersToSpace().
* wtf/text/StringImpl.h: 2011-07-27 Dmitry Lomov [chromium] Turn on WTF_MULTIPLE_THREADS. https://bugs.webkit.org/show_bug.cgi?id=61017 The patch turns on WTF_MULTIPLE_THREADS in chromium and pushes some relevant initializations from JSC::initializeThreading to WTF::initializeThreading. Reviewed by David Levin. * runtime/InitializeThreading.cpp: (JSC::initializeThreadingOnce): * wtf/FastMalloc.cpp: (WTF::isForbidden): (WTF::fastMallocForbid): (WTF::fastMallocAllow): * wtf/Platform.h: * wtf/ThreadingPthreads.cpp: (WTF::initializeThreading): * wtf/ThreadingWin.cpp: (WTF::initializeThreading): * wtf/gtk/ThreadingGtk.cpp: (WTF::initializeThreading): * wtf/qt/ThreadingQt.cpp: (WTF::initializeThreading): 2011-07-27 Mark Hahnenberg Remove operator new from JSCell https://bugs.webkit.org/show_bug.cgi?id=64999 Reviewed by Oliver Hunt. Removed the implementation of operator new in JSCell, so any further uses will not successfully link. Also removed any remaining uses of operator new. * API/JSContextRef.cpp: * debugger/DebuggerActivation.h: (JSC::DebuggerActivation::create): * interpreter/Interpreter.cpp: (JSC::Interpreter::execute): (JSC::Interpreter::createExceptionScope): (JSC::Interpreter::privateExecute): * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): * runtime/JSCell.h: * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::create): * runtime/JSStaticScopeObject.h: (JSC::JSStaticScopeObject::create): (JSC::JSStaticScopeObject::JSStaticScopeObject): * runtime/StrictEvalActivation.h: (JSC::StrictEvalActivation::create): 2011-07-27 Filip Pizlo DFG graph has no notion of double prediction. https://bugs.webkit.org/show_bug.cgi?id=65234 Reviewed by Gavin Barraclough. Added the notion of PredictDouble, and PredictNumber, which is the least upper bound of PredictInt32 and PredictDouble. Least upper bound is defined as the bitwise-or of two predictions. Bottom is defined as 0, and Top is defined as all bits being set. 
Added the ability to explicitly distinguish between a node having had a prediction associated with it, and that prediction still being valid (i.e. no conflicting predictions have also been added). Used this to guard the speculative JIT from speculating Int32 in cases where the graph knows that the value is double, which currently only happens for GetLocal nodes on arguments which were double at compile-time. * dfg/DFGGraph.cpp: (JSC::DFG::Graph::predictArgumentTypes): * dfg/DFGGraph.h: (JSC::DFG::isCellPrediction): (JSC::DFG::isArrayPrediction): (JSC::DFG::isInt32Prediction): (JSC::DFG::isDoublePrediction): (JSC::DFG::isNumberPrediction): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compile): (JSC::DFG::SpeculativeJIT::checkArgumentTypes): (JSC::DFG::SpeculativeJIT::initializeVariableTypes): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::isRegisterDataFormatDouble): 2011-07-27 Gavin Barraclough https://bugs.webkit.org/show_bug.cgi?id=65294 DFG JIT - may speculate based on wrong arguments. Reviewed by Oliver Hunt. In the case of a DFG compiled function calling to and compiling a second function that also compiles through the DFG JIT (i.e. compilation triggered with DFGOperations.cpp), we call compileFor passing the caller function's exec state, rather than the callee's. This may lead to mis-optimization, since the DFG compiler will examine the exec state's arguments on the assumption that these will be passed to the callee - it wants the callee exec state, not the caller's exec state. Fixing this for all cases of compilation is tricksy, due to the way the numeric sort function is compiled, & the structure of the calls in the Interpreter::execute methods. Only fix for compilation from the JIT, in other calls don't speculate based on arguments for now.
* dfg/DFGOperations.cpp: * runtime/Executable.cpp: (JSC::tryDFGCompile): (JSC::tryDFGCompileFunction): (JSC::FunctionExecutable::compileForCallInternal): * runtime/Executable.h: (JSC::FunctionExecutable::compileForCall): (JSC::FunctionExecutable::compileFor): 2011-07-27 Oliver Hunt Handle callback oriented JSONP https://bugs.webkit.org/show_bug.cgi?id=65271 Reviewed by Gavin Barraclough. Handle the callback oriented versions of JSONP. The Literal parser now handles (. )* (jsonData). * interpreter/Interpreter.cpp: (JSC::Interpreter::execute): * runtime/LiteralParser.cpp: (JSC::LiteralParser::tryJSONPParse): (JSC::LiteralParser::Lexer::lex): * runtime/LiteralParser.h: 2011-07-27 Stephanie Lewis Revert http://trac.webkit.org/changeset/90415. Caused a 5% sunspider regression in-browser. Unreviewed rollout. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::visitAggregate): * heap/Heap.cpp: (JSC::Heap::collectAllGarbage): * heap/MarkStack.h: (JSC::MarkStack::MarkStack): * runtime/JSGlobalData.cpp: (JSC::JSGlobalData::releaseExecutableMemory): * runtime/RegExp.cpp: (JSC::RegExp::compile): (JSC::RegExp::invalidateCode): * runtime/RegExp.h: 2011-07-27 Shinya Kawanaka Added an interface to take IsWhiteSpaceFunctionPtr. https://bugs.webkit.org/show_bug.cgi?id=57746 Reviewed by Kent Tamura. * wtf/text/StringImpl.cpp: (WTF::StringImpl::stripWhiteSpace): Added an interface to take IsWhiteSpaceFunctionPtr. (WTF::StringImpl::simplifyWhiteSpace): ditto. * wtf/text/StringImpl.h: * wtf/text/WTFString.cpp: (WTF::String::stripWhiteSpace): ditto. (WTF::String::simplifyWhiteSpace): ditto. * wtf/text/WTFString.h: 2011-07-27 Filip Pizlo DFG JIT speculation failure code performs incorrect conversions in the case where two registers need to be swapped. https://bugs.webkit.org/show_bug.cgi?id=65233 Reviewed by Gavin Barraclough. 
* dfg/DFGJITCompiler.cpp: (JSC::DFG::GeneralizedRegister::swapWith): 2011-07-26 Mark Hahnenberg reduce and reduceRight bind callback's this to null rather than undefined https://bugs.webkit.org/show_bug.cgi?id=62264 Reviewed by Oliver Hunt. Fixed Array.prototype.reduce and Array.prototype.reduceRight so that they behave correctly when calling the callback function without an argument for this, which means it should be undefined according to ES 15.4.4.21 and 15.4.4.22. * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncReduce): (JSC::arrayProtoFuncReduceRight): 2011-07-26 Filip Pizlo JSC command-line tool does not come with any facility for measuring time precisely. https://bugs.webkit.org/show_bug.cgi?id=65223 Reviewed by Gavin Barraclough. Exposed WTF::currentTime() as currentTimePrecise(). * jsc.cpp: (GlobalObject::GlobalObject): (functionPreciseTime): 2011-07-26 Filip Pizlo DFG speculative JIT never emits inline double comparisons, even when it would be obviously more efficient to do so. https://bugs.webkit.org/show_bug.cgi?id=65212 Reviewed by Gavin Barraclough. This handles the obvious case of inlining double comparisons: it only addresses the speculative JIT, and only for fused compare/branch sequences. But it does handle the case where both operands are double (and there is no slow path), or where one operand is double and the other is of unknown type (in which case it attempts to unbox the double, otherwise taking the slow path). This is a 0.8% speed-up on SunSpider. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::convertToDouble): (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch): (JSC::DFG::SpeculativeJIT::compare): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::isRegisterDataFormatDouble): (JSC::DFG::SpeculativeJIT::shouldSpeculateInteger): 2011-07-26 Filip Pizlo https://bugs.webkit.org/show_bug.cgi?id=64969 DFG JIT generates inefficient code for speculation failures. Reviewed by Gavin Barraclough.
This implements a speculation failure strategy where (1) values spilled on non-speculative but not spilled on speculative are spilled, (2) values that are in registers on both paths are rearranged without ever touching memory, and (3) values spilled on speculative but not spilled on non-speculative are filled. The register shuffling is the most interesting part of this patch. It constructs a permutation graph for registers. Each node represents a register, and each directed edge corresponds to the register's value having to be moved to a different register as part of the shuffling. This is a directed graph where each node may only have 0 or 1 incoming edges, and 0 or 1 outgoing edges. The algorithm then first finds maximal non-cyclic subgraphs where all nodes in the subgraph are reachable from a start node. Such subgraphs always resemble linked lists, and correspond to simply moving the value in the second-to-last register into the last register, and then moving the value in the third-to-last register into the second-to-last register, and so on. Once these subgraphs are taken care of, the remaining subgraphs are cycles, and are handled using either (a) conversion or no-op if the cycle involves one node, (b) swap if it involves two nodes, or (c) a cyclic shuffle involving a scratch register if there are three or more nodes. 
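The register-shuffling scheme described in the entry above, worked through as an added example. This is not WebKit's code: the DFG's own implementation lives in the GeneralizedRegister and ShuffledRegister classes in dfg/DFGJITCompiler.cpp and also handles data-format conversions along the way, which this example omits. Registers are modelled as small integers, `scratch` is an assumed spare register that no move touches, and the permutation in `main` and the register contents used by `shuffleIsCorrect` are constructed inputs. The planner decomposes the move graph exactly as the entry describes: chains are written tail-first so no live value is clobbered, a two-node cycle becomes a swap, and longer cycles rotate through the scratch register.

```cpp
#include <cassert>
#include <cstdio>
#include <map>
#include <set>
#include <utility>
#include <vector>

// One edge of the permutation graph: the value in `src` must end up in `dst`.
struct Move { int src; int dst; };

// Emitted operations: Move copies a -> b, Swap exchanges a and b.
enum OpKind { OpMove, OpSwap };
struct Op { OpKind kind; int a; int b; };

// Plan a parallel register shuffle. Every register has at most one incoming
// and one outgoing edge, so the graph is a set of chains and cycles.
// `scratch` is an assumed spare register that appears in no move.
std::vector<Op> planShuffle(const std::vector<Move>& moves, int scratch)
{
    std::map<int, int> next, prev;   // outgoing / incoming edge per register
    for (const Move& m : moves) {
        if (m.src == m.dst)
            continue;                 // one-node cycle: value is already in place
        assert(!next.count(m.src) && !prev.count(m.dst));
        assert(m.src != scratch && m.dst != scratch);
        next[m.src] = m.dst;
        prev[m.dst] = m.src;
    }

    std::vector<Op> ops;
    std::set<int> done;

    // Phase 1: chains. A chain starts at a register with no incoming edge and
    // is emitted from its tail backwards, so each write hits a dead register.
    for (const auto& e : next) {
        int start = e.first;
        if (prev.count(start))
            continue;                 // has an incoming edge: not a chain head
        std::vector<int> chain;
        for (int r = start;;) {
            chain.push_back(r);
            auto it = next.find(r);
            if (it == next.end())
                break;
            r = it->second;
        }
        for (size_t i = chain.size() - 1; i > 0; --i)
            ops.push_back({OpMove, chain[i - 1], chain[i]});
        for (int r : chain)
            done.insert(r);
    }

    // Phase 2: everything still unhandled lies on a cycle.
    for (const auto& e : next) {
        int start = e.first;
        if (done.count(start))
            continue;
        std::vector<int> cycle;
        for (int r = start; !done.count(r); r = next.at(r)) {
            cycle.push_back(r);
            done.insert(r);
        }
        if (cycle.size() == 2) {      // two nodes: a single swap
            ops.push_back({OpSwap, cycle[0], cycle[1]});
            continue;
        }
        // Three or more nodes: park the last value, shift the rest, restore it.
        int k = static_cast<int>(cycle.size());
        ops.push_back({OpMove, cycle[k - 1], scratch});
        for (int i = k - 2; i >= 0; --i)
            ops.push_back({OpMove, cycle[i], cycle[i + 1]});
        ops.push_back({OpMove, scratch, cycle[0]});
    }
    return ops;
}

// Run the emitted operations against a register file.
std::vector<long> applyOps(std::vector<long> regs, const std::vector<Op>& ops)
{
    for (const Op& op : ops) {
        if (op.kind == OpMove)
            regs[op.b] = regs[op.a];
        else
            std::swap(regs[op.a], regs[op.b]);
    }
    return regs;
}

// Check a plan by simulation: every destination must end up holding its
// source's original value. Register contents are constructed as 100 + index.
bool shuffleIsCorrect(const std::vector<Move>& moves, int regCount, int scratch)
{
    std::vector<long> before(regCount);
    for (int i = 0; i < regCount; ++i)
        before[i] = 100 + i;
    std::vector<long> after = applyOps(before, planShuffle(moves, scratch));
    for (const Move& m : moves)
        if (after[m.dst] != before[m.src])
            return false;
    return true;
}

int main()
{
    // Constructed permutation: chain 3->4, cycle 0->1->2->0, and a no-op 5->5.
    std::vector<Move> moves = {{3, 4}, {0, 1}, {1, 2}, {2, 0}, {5, 5}};
    const int scratch = 7;
    for (const Op& op : planShuffle(moves, scratch))
        std::printf("%s r%d %s r%d\n", op.kind == OpMove ? "move" : "swap",
                    op.a, op.kind == OpMove ? "->" : "<->", op.b);
    std::printf("correct: %s\n", shuffleIsCorrect(moves, 8, scratch) ? "yes" : "no");
    return 0;
}
```

The simulation check is the useful part for a reviewer: a shuffle bug of the kind the 65421 entry below fixes (a loop that forgets to emit a move) shows up immediately as a destination holding a stale value, which is far easier to catch here than as a miscompiled speculation-failure path.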
* dfg/DFGGenerationInfo.h: (JSC::DFG::needDataFormatConversion): * dfg/DFGJITCompiler.cpp: (JSC::DFG::GeneralizedRegister::GeneralizedRegister): (JSC::DFG::GeneralizedRegister::createGPR): (JSC::DFG::GeneralizedRegister::createFPR): (JSC::DFG::GeneralizedRegister::dump): (JSC::DFG::GeneralizedRegister::findInSpeculationCheck): (JSC::DFG::GeneralizedRegister::findInEntryLocation): (JSC::DFG::GeneralizedRegister::previousDataFormat): (JSC::DFG::GeneralizedRegister::nextDataFormat): (JSC::DFG::GeneralizedRegister::convert): (JSC::DFG::GeneralizedRegister::moveTo): (JSC::DFG::GeneralizedRegister::swapWith): (JSC::DFG::ShuffledRegister::ShuffledRegister): (JSC::DFG::ShuffledRegister::isEndOfNonCyclingPermutation): (JSC::DFG::ShuffledRegister::handleNonCyclingPermutation): (JSC::DFG::ShuffledRegister::handleCyclingPermutation): (JSC::DFG::ShuffledRegister::lookup): (JSC::DFG::lookupForRegister): (JSC::DFG::NodeToRegisterMap::Tuple::Tuple): (JSC::DFG::NodeToRegisterMap::NodeToRegisterMap): (JSC::DFG::NodeToRegisterMap::set): (JSC::DFG::NodeToRegisterMap::end): (JSC::DFG::NodeToRegisterMap::find): (JSC::DFG::NodeToRegisterMap::clear): (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative): (JSC::DFG::JITCompiler::linkSpeculationChecks): * dfg/DFGJITCompiler.h: * dfg/DFGNonSpeculativeJIT.cpp: (JSC::DFG::EntryLocation::EntryLocation): * dfg/DFGNonSpeculativeJIT.h: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculationCheck::SpeculationCheck): * dfg/DFGSpeculativeJIT.h: 2011-07-26 Oliver Hunt Buffer overflow creating error messages for JSON.parse https://bugs.webkit.org/show_bug.cgi?id=65211 Reviewed by Darin Adler. Pass the string length to the UString constructor. * runtime/LiteralParser.cpp: (JSC::LiteralParser::parse): 2011-07-26 Mark Hahnenberg Refactor automatically generated JS DOM bindings to replace operator new with static create methods https://bugs.webkit.org/show_bug.cgi?id=64732 Reviewed by Oliver Hunt.
Replacing the public constructors in the automatically generated JS DOM bindings with static create methods. JSByteArray is used by several of these bindings in WebCore. * JavaScriptCore.exp: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: * runtime/JSByteArray.cpp: (JSC::JSByteArray::create): * runtime/JSByteArray.h: 2011-07-26 Alexis Menard Unreviewed build fix for Qt/Linux. On platforms with no glib and gstreamer we should not build javascriptcore with the Glib support. This is related to http://trac.webkit.org/changeset/91752. * wtf/wtf.pri: 2011-07-26 Juan C. Montemayor JSON errors should be informative https://bugs.webkit.org/show_bug.cgi?id=63339 Added error messages to the JSON Parser. Reviewed by Oliver Hunt. * runtime/JSONObject.cpp: (JSC::JSONProtoFuncParse): * runtime/LiteralParser.cpp: (JSC::LiteralParser::Lexer::lex): (JSC::LiteralParser::Lexer::lexString): (JSC::LiteralParser::Lexer::lexNumber): (JSC::LiteralParser::parse): * runtime/LiteralParser.h: (JSC::LiteralParser::getErrorMessage): (JSC::LiteralParser::Lexer::sawError): (JSC::LiteralParser::Lexer::getErrorMessage): 2011-07-26 Sheriff Bot Unreviewed, rolling out r91746. http://trac.webkit.org/changeset/91746 https://bugs.webkit.org/show_bug.cgi?id=65180 It broke SL build (Requested by Ossy on #webkit). * wtf/text/StringImpl.cpp: (WTF::StringImpl::stripWhiteSpace): (WTF::StringImpl::simplifyWhiteSpace): * wtf/text/StringImpl.h: * wtf/text/WTFString.cpp: * wtf/text/WTFString.h: 2011-07-26 Alexis Menard Reviewed by Andreas Kling. [Qt] Change default backend to use GStreamer on Linux and QuickTime on Mac. https://bugs.webkit.org/show_bug.cgi?id=63472 Enable the bits needed for GStreamer only when QtMultimedia is not used. * wtf/wtf.pri: 2011-07-26 Shinya Kawanaka Added an interface to take IsWhiteSpaceFunctionPtr. https://bugs.webkit.org/show_bug.cgi?id=57746 Reviewed by Kent Tamura. 
* wtf/text/StringImpl.cpp: (WTF::StringImpl::stripWhiteSpace): Added an interface to take IsWhiteSpaceFunctionPtr. (WTF::StringImpl::simplifyWhiteSpace): ditto. * wtf/text/StringImpl.h: * wtf/text/WTFString.cpp: (WTF::String::stripWhiteSpace): ditto. (WTF::String::simplifyWhiteSpace): ditto. * wtf/text/WTFString.h: 2011-07-25 Filip Pizlo DFG non-speculative JIT emits inefficient code for arithmetic involving two registers https://bugs.webkit.org/show_bug.cgi?id=65160 Reviewed by Gavin Barraclough. The non-speculative JIT now emits inline code for double arithmetic, but still attempts integer arithmetic first. This is a speed-up on SunSpider (albeit a small one), and a large speed-up on Kraken. * dfg/DFGNonSpeculativeJIT.cpp: (JSC::DFG::NonSpeculativeJIT::basicArithOp): 2011-07-25 Ryuan Choi [EFL] Build break with --debug after r89153. https://bugs.webkit.org/show_bug.cgi?id=65150 Unreviewed build fix. * wtf/CMakeListsEfl.txt: Add missing libraries. 2011-07-25 Filip Pizlo DFG non-speculative JIT emits obviously inefficient code for arithmetic where one operand is a constant. https://bugs.webkit.org/show_bug.cgi?id=65146 Reviewed by Gavin Barraclough. Changed the code to emit double arithmetic inline. * dfg/DFGNonSpeculativeJIT.cpp: (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp): 2011-07-25 Filip Pizlo DFG JIT bytecode parser misuses pointers into objects allocated as part of a WTF::Vector. https://bugs.webkit.org/show_bug.cgi?id=65128 Reviewed by Gavin Barraclough. The bytecode parser code seems to be right to have a DFGNode& phiNode reference into the graph, since this makes the code greatly more readable. This patch thus makes the minimal change necessary to make the code right: it uses a pointer (to disambiguate between reloading the pointer and performing a copy from one location of the vector to another) and reloads it after the calls to addToGraph(). 
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::processPhiStack):

2011-07-25  Sheriff Bot

        Unreviewed, rolling out r91686.
        http://trac.webkit.org/changeset/91686
        https://bugs.webkit.org/show_bug.cgi?id=65144

        1.5% regression in JSC (Requested by jmontemayor on #webkit).

        * runtime/JSONObject.cpp:
        (JSC::JSONProtoFuncParse):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser::Lexer::lex):
        (JSC::LiteralParser::Lexer::lexString):
        (JSC::LiteralParser::Lexer::lexNumber):
        (JSC::LiteralParser::parse):
        * runtime/LiteralParser.h:

2011-07-25  Jon Lee

        Assertion called in ExecutableBase::generatedJITCodeForCall() when JIT is not available
        https://bugs.webkit.org/show_bug.cgi?id=65132

        Reviewed by Oliver Hunt.

        Make sure the JIT is available to use before running the following calls:

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::unlinkCalls): Added check, return early if JIT is not available.
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addMethodCallLinkInfos): Added assertion.

2011-07-25  Juan C. Montemayor

        JSON errors should be informative
        https://bugs.webkit.org/show_bug.cgi?id=63339

        Added error messages to the JSON Parser.

        Reviewed by Oliver Hunt.

        * runtime/JSONObject.cpp:
        (JSC::JSONProtoFuncParse):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser::Lexer::lex):
        (JSC::LiteralParser::Lexer::lexString):
        (JSC::LiteralParser::Lexer::lexNumber):
        (JSC::LiteralParser::parse):
        * runtime/LiteralParser.h:
        (JSC::LiteralParser::getErrorMessage):
        (JSC::LiteralParser::Lexer::sawError):
        (JSC::LiteralParser::Lexer::getErrorMessage):

2011-07-25  Filip Pizlo

        X86-64 assembler emits three instructions instead of two for certain loads and stores.
        https://bugs.webkit.org/show_bug.cgi?id=65095

        Reviewed by Gavin Barraclough.

        Simply made these four methods in the assembler use the scratch register, which they
        were previously avoiding. It still optimizes for the case where an absolute address
        memory access is using EAX. This results in a slight performance improvement.
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::load32):
        (JSC::MacroAssemblerX86_64::store32):
        (JSC::MacroAssemblerX86_64::loadPtr):
        (JSC::MacroAssemblerX86_64::storePtr):

2011-07-25  Ryuan Choi

        [EFL] Implement EFL-specific current time and monotonicallyIncreasingTime.
        https://bugs.webkit.org/show_bug.cgi?id=64354

        Use ecore_time_unix_get which returns unix time as double type for currentTime
        and ecore_time_get which uses monotonic clock for monotonicallyIncreasingTime.

        Reviewed by Kent Tamura.

        * wtf/CurrentTime.cpp:
        (WTF::currentTime):
        (WTF::monotonicallyIncreasingTime):

2011-07-22  Sommer Panage

        Reviewed by Oliver Hunt.

        export JSContextCreateBacktrace as SPI in JSContextRefPrivate.h
        https://bugs.webkit.org/show_bug.cgi?id=64981

        UIAutomation for iOS would like to support a Javascript backtrace in our error logs.
        Currently, the C API does not provide the tools to do this. However, the private API
        does expose the necessary functionality to get a backtrace (via
        Interpreter::retrieveLastCaller). We recognize this information may result in failure
        in the cases of programs run by 'eval', stack frames beneath host function call frames,
        and in programs run from other programs. Thus, we propose exporting our
        JSContextCreateBacktrace in JSContextRefPrivate.h. This will provide us with the tools
        we need while not advertising an API that isn't really ready for full use.

        * API/JSContextRef.cpp:
        * API/JSContextRefPrivate.h:
        * JavaScriptCore.exp:

2011-07-22  Gavin Barraclough

        https://bugs.webkit.org/show_bug.cgi?id=65051
        DFG JIT - Enable by default for mac platform on x86-64.

        Rubber Stamped by Geoff Garen.

        This is now a performance progression.

        * wtf/Platform.h:
            - Removed definition of ENABLE_DFG_JIT_RESTRICTIONS.

2011-07-22  Gavin Barraclough

        https://bugs.webkit.org/show_bug.cgi?id=65047
        DFG JIT - Add support for op_resolve/op_resolve_base

        Reviewed by Sam Weinig.

        These are necessary for any significant eval code coverage (and as such increase
        LayoutTest coverage).
        * dfg/DFGAliasTracker.h:
        (JSC::DFG::AliasTracker::recordResolve):
            - Conservatively blow aliasing optimizations for now.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
            - Add support for op_resolve/op_resolve_base.
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::callOperation):
            - Add call with exec, identifier arguments.
        * dfg/DFGNode.h:
            - Add new node types.
        (JSC::DFG::Node::hasIdentifier):
            - Resolve nodes have identifiers, too!
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
            - Add generation for new Nodes.
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
            - Added new operations.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
            - Add generation for new Nodes.

2011-07-22  Gavin Barraclough

        https://bugs.webkit.org/show_bug.cgi?id=65036
        Messing with the register allocation within flow control = badness.

        Reviewed by Sam Weinig.

        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
            - Fix register allocation.

2011-07-22  Mark Hahnenberg

        Date.prototype.toISOString doesn't handle negative years or years > 9999 correctly.
        https://bugs.webkit.org/show_bug.cgi?id=63986

        Reviewed by Geoffrey Garen.

        Changed the implementation of Date.prototype.toISOString() to use the extended year
        format (+/-yyyyyy) for years outside of [0,9999] to be in compliance with ES 15.9.1.15.1.

        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncToISOString):

2011-07-21  Gavin Barraclough

        Windows build fix

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-07-21  Ryosuke Niwa

        Build fix after r91555.

        * JavaScriptCore.exp:

2011-07-21  Gavin Barraclough

        https://bugs.webkit.org/show_bug.cgi?id=19271
        eliminate PIC branches by changing NaN handling in JSValue::toNumber

        Reviewed by Sam Weinig.

        Moving the non-numeric cases out of line seems to be a consistent win on SunSpider
        for me, to the order of about 0.5%.
        * runtime/JSCell.h:
        (JSC::JSCell::JSValue::toNumber):
            - Changed to only handle values that are already numbers, move non-numeric
              cases out of line.
        * runtime/JSValue.cpp:
        (JSC::JSValue::toNumberSlowCase):
            - Added toNumberSlowCase, handling non-numeric cases.
        * runtime/JSValue.h:
            - Add declaration of toNumberSlowCase.

2011-07-21  Gavin Barraclough

        https://bugs.webkit.org/show_bug.cgi?id=64875
        Use of `yield` keyword is broken

        Reviewed by Sam Weinig.

        * parser/Lexer.cpp:
        (JSC::Lexer::parseIdentifier):
            - The bug here is that a successful match of a RESERVED_IF_STRICT token from
              parseKeyword is being nullified back to IDENT. The problem is that in the
              case of IDENT matches parseKeyword should not move the lexer's input position,
              but in the case of RESERVED_IF_STRICT it has done so.

2011-07-21  Gavin Barraclough

        https://bugs.webkit.org/show_bug.cgi?id=64900
        Function.prototype.apply should accept an array-like object as its second argument

        Reviewed by Sam Weinig.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncApply):
            - Remove the type error if object is not an array.

2011-07-21  Gavin Barraclough

        https://bugs.webkit.org/show_bug.cgi?id=64964
        DFG JIT - Enable support for eval code

        Reviewed by Sam Weinig.

        This is basically the same as program code, to the JIT!

        * bytecode/Opcode.cpp:
        * bytecode/Opcode.h:
            - Enable opcodeNames in !NDEBUG builds.
        * dfg/DFGOperations.cpp:
            - Fix a bug exposed by eval support, throw correct type error for new.
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
            - Enable DFG JIT for eval code.

2011-07-20  Sheriff Bot

        Unreviewed, rolling out r91380.
        http://trac.webkit.org/changeset/91380
        https://bugs.webkit.org/show_bug.cgi?id=64924

        Caused assertion failures in Chromium's IndexedDB tests (Requested by rniwa on #webkit).
        * wtf/ThreadIdentifierDataPthreads.cpp:
        (WTF::ThreadIdentifierData::identifier):
        (WTF::ThreadIdentifierData::initialize):
        (WTF::ThreadIdentifierData::initializeKeyOnceHelper):
        (WTF::ThreadIdentifierData::initializeKeyOnce):
        * wtf/ThreadIdentifierDataPthreads.h:
        * wtf/ThreadingPthreads.cpp:
        (WTF::initializeThreading):

2011-07-20  Filip Pizlo

        DFG non-speculative JIT does not use() the aliased GetByVal, resulting in bloated use counts.
        https://bugs.webkit.org/show_bug.cgi?id=64911

        Reviewed by Gavin Barraclough.

        Inserted a call to use() for the aliased GetByVal.

        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):

2011-07-20  Gavin Barraclough

        https://bugs.webkit.org/show_bug.cgi?id=64909
        DFG JIT - Missing ToInt32 conversions for double constants.

        Reviewed by Sam Weinig.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::toInt32):
            - We cannot trivially omit ToInt32 conversions on double constants.

2011-07-20  Filip Pizlo

        DFG speculative JIT sometimes claims to use compare operands twice, leading to use
        count corruption.
        https://bugs.webkit.org/show_bug.cgi?id=64903

        Reviewed by Gavin Barraclough.

        Move the calls to use() in SpeculativeJIT::compare() so that they only happen if the
        JITCodeGenerator's helper method (which also calls use()) is not called.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compare):

2011-07-20  Oliver Hunt

        Don't throw away code when JSGarbageCollect API is called
        https://bugs.webkit.org/show_bug.cgi?id=64894

        Reviewed by Sam Weinig.

        Just call collectAllGarbage. That will clean up all unneeded code without causing
        any pathological recompilation problems.

        * API/JSBase.cpp:
        (JSGarbageCollect):

2011-07-20  Oliver Hunt

        Codeblock doesn't visit cached structures in global resolve instructions
        https://bugs.webkit.org/show_bug.cgi?id=64889

        Reviewed by Sam Weinig.

        Visit the global resolve instructions. This fixes a couple of random crashes seen
        in the jquery tests when using the interpreter.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):

2011-07-20  James Robinson

        Revert worker and WebKit2 runloops to use currentTime() for scheduling instead of
        the monotonic clock
        https://bugs.webkit.org/show_bug.cgi?id=64841

        Reviewed by Mark Rowe.

        http://trac.webkit.org/changeset/91206 converted most of WebKit's deferred work
        scheduling to using the monotonic clock instead of WTF::currentTime(). This broke
        many plugin tests on WebKit2 for reasons that are unclear. This reverts everything
        except for WebCore::ThreadTimers back to the previous behavior.

        * wtf/ThreadingPthreads.cpp:
        (WTF::ThreadCondition::timedWait):
        * wtf/ThreadingWin.cpp:
        (WTF::absoluteTimeToWaitTimeoutInterval):
        * wtf/gtk/ThreadingGtk.cpp:
        (WTF::ThreadCondition::timedWait):
        * wtf/qt/ThreadingQt.cpp:
        (WTF::ThreadCondition::timedWait):

2011-07-14  David Levin

        currentThread is too slow!
        https://bugs.webkit.org/show_bug.cgi?id=64577

        Reviewed by Darin Adler and Dmitry Titov.

        The problem is that currentThread results in a pthread_once call which always takes
        a lock. With this change, currentThread is 10% faster than isMainThread in release
        mode and only 5% slower than isMainThread in debug.

        * wtf/ThreadIdentifierDataPthreads.cpp:
        (WTF::ThreadIdentifierData::initializeOnce): Remove the pthread once stuff which is
        no longer needed because this is called from initializeThreading().
        (WTF::ThreadIdentifierData::identifier): Remove the initializeKeyOnce call because
        initialization of the pthread key should already be done.
        (WTF::ThreadIdentifierData::initialize): Ditto.
        * wtf/ThreadIdentifierDataPthreads.h:
        * wtf/ThreadingPthreads.cpp:
        (WTF::initializeThreading): Acquire the pthread key here.

2011-07-20  Mark Rowe

        Fix the 32-bit build.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToString):

2011-07-19  Gavin Barraclough

        https://bugs.webkit.org/show_bug.cgi?id=64678
        Fix bugs in Object.prototype this handling.

        Reviewed by Darin Adler.

        Fix ES5.1 correctness issues identified by Mads Ager.
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToString):
            - ES5.1 expects toString of undefined/null to produce
              "[object Undefined]"/"[object Null]".

2011-07-19  Mark Hahnenberg

        [JSC] WebKit allocates gigabytes of memory when doing repeated string concatenation
        https://bugs.webkit.org/show_bug.cgi?id=63918

        Reviewed by Darin Adler.

        When allocating JSStrings during concatenation, we needed to call the Heap's
        reportExtraMemoryCost method due to additional string copying within several of
        the constructors when dealing with UStrings. This has been added to the UString
        version of the appendStringInConstruct method within the JSString class.

        * runtime/JSString.h:
        (JSC::RopeBuilder::JSString):
        (JSC::RopeBuilder::appendStringInConstruct):

2011-07-19  Gavin Barraclough

        https://bugs.webkit.org/show_bug.cgi?id=64679
        Fix bugs in Array.prototype this handling.

        Reviewed by Oliver Hunt.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncJoin):
        (JSC::arrayProtoFuncConcat):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSort):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncMap):
        (JSC::arrayProtoFuncEvery):
        (JSC::arrayProtoFuncForEach):
        (JSC::arrayProtoFuncSome):
        (JSC::arrayProtoFuncReduce):
        (JSC::arrayProtoFuncReduceRight):
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):
            - These methods should throw if this value is undefined.

2011-07-19  Gavin Barraclough

        https://bugs.webkit.org/show_bug.cgi?id=64677
        Fix bugs in String.prototype this handling.

        Reviewed by Oliver Hunt.

        undefined/null this values should throw TypeErrors, not convert to the global
        object, and primitive values should not be converted via object types.
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncReplace):
        (JSC::stringProtoFuncCharAt):
        (JSC::stringProtoFuncCharCodeAt):
        (JSC::stringProtoFuncIndexOf):
        (JSC::stringProtoFuncLastIndexOf):
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):
        (JSC::stringProtoFuncSlice):
        (JSC::stringProtoFuncSplit):
        (JSC::stringProtoFuncSubstr):
        (JSC::stringProtoFuncSubstring):
        (JSC::stringProtoFuncToLowerCase):
        (JSC::stringProtoFuncToUpperCase):
        (JSC::stringProtoFuncLocaleCompare):
        (JSC::stringProtoFuncBig):
        (JSC::stringProtoFuncSmall):
        (JSC::stringProtoFuncBlink):
        (JSC::stringProtoFuncBold):
        (JSC::stringProtoFuncFixed):
        (JSC::stringProtoFuncItalics):
        (JSC::stringProtoFuncStrike):
        (JSC::stringProtoFuncSub):
        (JSC::stringProtoFuncSup):
        (JSC::stringProtoFuncFontcolor):
        (JSC::stringProtoFuncFontsize):
        (JSC::stringProtoFuncAnchor):
        (JSC::stringProtoFuncLink):
        (JSC::trimString):
            - These methods should throw if this value is undefined, convert ToString
              directly, not via ToObject.

2011-07-19  Filip Pizlo

        DFG JIT sometimes emits spill code even when the respective values are never needed.
        https://bugs.webkit.org/show_bug.cgi?id=64774

        Reviewed by Gavin Barraclough.

        The main high-level change is that it is now easier to call use() on a virtual
        register. JSValueOperand and its other-typed relatives now have a handy use()
        method, and jsValueResult() and friends now make it easier to pass
        UseChildrenCalledExplicitly. The rest of this patch hoists the call to use() as
        high as possible for all of those cases where either flushRegisters() or
        silentSpillAllRegisters() may be called.
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::cachedGetById):
        (JSC::DFG::JITCodeGenerator::cachedGetMethod):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeStrictEq):
        (JSC::DFG::JITCodeGenerator::emitBranch):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::use):
        (JSC::DFG::JITCodeGenerator::integerResult):
        (JSC::DFG::JITCodeGenerator::jsValueResult):
        (JSC::DFG::IntegerOperand::use):
        (JSC::DFG::DoubleOperand::use):
        (JSC::DFG::JSValueOperand::use):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::valueToNumber):
        (JSC::DFG::NonSpeculativeJIT::valueToInt32):
        (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
        (JSC::DFG::NonSpeculativeJIT::basicArithOp):
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculateStrictInt32Operand::use):
        (JSC::DFG::SpeculateCellOperand::use):

2011-07-19  Xan Lopez

        ARMv7 backend broken, lacks 3 parameter rshift32 method
        https://bugs.webkit.org/show_bug.cgi?id=64571

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::rshift32): add missing rshift32 method.

2011-07-18  Filip Pizlo

        DFG JIT does not optimize strict equality as effectively as the old JIT does.
        https://bugs.webkit.org/show_bug.cgi?id=64759

        Reviewed by Gavin Barraclough.

        This adds a more complete set of strict equality optimizations. If either operand
        is known numeric, then the code reverts to the old style of optimizing (first try
        integer comparison). Otherwise it uses the old JIT's trick of first simultaneously
        checking if both operands are either numbers or cells; if not then a fast path is
        taken.
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeStrictEq):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-07-18  Gavin Barraclough

        https://bugs.webkit.org/show_bug.cgi?id=64760
        DFG JIT - Should be able to compile program code.

        Reviewed by Geoff Garen.

        Add support for op_end, hooks to compile program code in Executable.cpp.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
            - Add support for op_end
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileBody):
        (JSC::DFG::JITCompiler::link):
            - Added, separate out steps of compileFunction.
        (JSC::DFG::JITCompiler::compile):
            - Added, compile program code.
        (JSC::DFG::JITCompiler::compileFunction):
            - Sections separated out to helper functions.
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::JITCompiler):
            - Added m_exceptionCheckCount.
        * runtime/Executable.cpp:
        (JSC::tryDFGCompile):
        (JSC::tryDFGCompileFunction):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::compileForCallInternal):
            - Renamed tryDFGCompile to tryDFGCompileFunction, added tryDFGCompile to
              compile program code.

2011-07-18  Gavin Barraclough

        https://bugs.webkit.org/show_bug.cgi?id=64678
        Fix bugs in Object.prototype this handling.

        Reviewed by Oliver Hunt.

        undefined/null this values should throw TypeErrors, not convert to the global
        object; also, toLocaleString should be calling ToObject & invoking the object's
        toString function, even for values that are already strings.
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncValueOf):
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncIsPrototypeOf):
        (JSC::objectProtoFuncPropertyIsEnumerable):
        (JSC::objectProtoFuncToLocaleString):
        (JSC::objectProtoFuncToString):

2011-07-18  Filip Pizlo

        JSC GC lazy sweep does not inline the common cases of cell destruction.
        https://bugs.webkit.org/show_bug.cgi?id=64745

        Reviewed by Oliver Hunt.

        This inlines the case of JSFinalObject destruction.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::lazySweep):

2011-07-18  Oliver Hunt

        Interpreter build-fix

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):

2011-07-18  Filip Pizlo

        DFG JIT does not optimize equal-null comparisons and branches.
        https://bugs.webkit.org/show_bug.cgi?id=64659

        Reviewed by Gavin Barraclough.

        Added a peephole-aware compare-to-null implementation to JITCodeGenerator, which is
        used by both the speculative and non-speculative JIT. Through the use of the new
        isNullConstant helper, the two JITs invoke the nonSpeculativeCompareNull() helper
        instead of their regular comparison helpers when compiling CompareEq. Through the
        use of the new isKnownCell helper, the compare-null code will skip the is-a-cell
        check if the speculative JIT had been speculating cell.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::isKnownCell):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeCompareNull):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::isNullConstant):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-07-18  James Robinson

        Timer scheduling should be based off the monotonic clock
        https://bugs.webkit.org/show_bug.cgi?id=64544

        Reviewed by Darin Adler.
        Switches ThreadCondition::timedWait and related utility functions from currentTime()
        to monotonicallyIncreasingTime(). Add WTF::monotonicallyIncreasingTime() to list of
        exported functions so it can be accessed from WebCore/WebKit.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * wtf/ThreadingPthreads.cpp:
        (WTF::ThreadCondition::timedWait):
        * wtf/ThreadingWin.cpp:
        (WTF::absoluteTimeToWaitTimeoutInterval):
        * wtf/gtk/ThreadingGtk.cpp:
        (WTF::ThreadCondition::timedWait):
        * wtf/qt/ThreadingQt.cpp:
        (WTF::ThreadCondition::timedWait):

2011-07-18  Filip Pizlo

        JSC JIT does not inline GC allocation fast paths
        https://bugs.webkit.org/show_bug.cgi?id=64582

        Reviewed by Oliver Hunt.

        This addresses inlining allocation for the easiest-to-allocate cases: op_new_object
        and op_create_this. Inlining GC allocation fast paths required three changes. First,
        the JSGlobalData now saves the vtable pointer of JSFinalObject, since that's what
        op_new_object and op_create_this allocate. Second, the Heap exposes a reference to
        the appropriate SizeClass, so that the JIT may inline accesses directly to the
        SizeClass for JSFinalObject allocations. And third, the JIT is extended with code to
        emit inline fast paths for GC allocation. A stub call is emitted in the case where
        the inline fast path fails.
        * heap/Heap.h:
        (JSC::Heap::sizeClassFor):
        (JSC::Heap::allocate):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateJSFinalObject):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emitSlow_op_new_object):
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emitSlow_op_create_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emitSlow_op_new_object):
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emitSlow_op_create_this):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::storeVPtrs):
        * runtime/JSGlobalData.h:
        * runtime/JSObject.h:
        (JSC::JSFinalObject::JSFinalObject):
        (JSC::JSObject::offsetOfInheritorID):

2011-07-18  Mark Hahnenberg

        Refactor JSC to replace JSCell::operator new with static create method
        https://bugs.webkit.org/show_bug.cgi?id=64466

        Reviewed by Oliver Hunt (oliver@apple.com) and Darin Adler (darin@apple.com).

        First step in a longer refactoring process to remove the use of operator new
        overloading in order to allocate GC objects and to replace this method with static
        create methods for each individual type of heap-allocated JS object. This particular
        patch only deals with replacing uses of operator new within JSC proper. Future
        patches will remove it from the parts that interface with the DOM. Due to the DOM's
        continued dependence on it, operator new has not actually been removed from JSCell.
        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::create):
        * API/JSCallbackFunction.h:
        (JSC::JSCallbackFunction::create):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::operator new):
        (JSC::JSCallbackObject::create):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::staticFunctionGetter):
        * API/JSClassRef.cpp:
        (OpaqueJSClass::prototype):
        * API/JSContextRef.cpp:
        * API/JSObjectRef.cpp:
        (JSObjectMake):
        (JSObjectMakeFunctionWithCallback):
        (JSObjectMakeConstructor):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::createActivation):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::makeFunction):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::RegExpNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        (JSC::Interpreter::retrieveArguments):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jsc.cpp:
        (GlobalObject::create):
        (GlobalObject::GlobalObject):
        (functionRun):
        (jscmain):
        * runtime/Arguments.h:
        (JSC::Arguments::create):
        (JSC::Arguments::createNoParameters):
        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::create):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSplice):
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::create):
        * runtime/BooleanConstructor.cpp:
        (JSC::constructBoolean):
        (JSC::constructBooleanFromImmediateBoolean):
        * runtime/BooleanConstructor.h:
        (JSC::BooleanConstructor::create):
        * runtime/BooleanObject.h:
        (JSC::BooleanObject::create):
        * runtime/BooleanPrototype.h:
        (JSC::BooleanPrototype::create):
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::create):
        * runtime/DateInstance.h:
        (JSC::DateInstance::create):
        * runtime/DatePrototype.h:
        (JSC::DatePrototype::create):
        * runtime/Error.cpp:
        (JSC::createError):
        (JSC::createEvalError):
        (JSC::createRangeError):
        (JSC::createReferenceError):
        (JSC::createSyntaxError):
        (JSC::createTypeError):
        (JSC::createURIError):
        (JSC::StrictModeTypeErrorFunction::create):
        (JSC::createTypeErrorFunction):
        * runtime/ErrorConstructor.h:
        (JSC::ErrorConstructor::create):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::ErrorInstance):
        (JSC::ErrorInstance::create):
        * runtime/ErrorInstance.h:
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::ErrorPrototype):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::create):
        * runtime/ExceptionHelpers.cpp:
        (JSC::InterruptedExecutionError::InterruptedExecutionError):
        (JSC::InterruptedExecutionError::create):
        (JSC::createInterruptedExecutionException):
        (JSC::TerminatedExecutionError::TerminatedExecutionError):
        (JSC::TerminatedExecutionError::create):
        (JSC::createTerminatedExecutionException):
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::FunctionExecutable):
        (JSC::FunctionExecutable::fromGlobalCode):
        * runtime/Executable.h:
        (JSC::ExecutableBase::create):
        (JSC::NativeExecutable::create):
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::EvalExecutable::create):
        (JSC::ProgramExecutable::create):
        (JSC::FunctionExecutable::create):
        (JSC::FunctionExecutable::make):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionConstructor.h:
        (JSC::FunctionConstructor::create):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        * runtime/FunctionPrototype.h:
        (JSC::FunctionPrototype::create):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::create):
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::create):
        (JSC::jsAPIValueWrapper):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::argumentsGetter):
        * runtime/JSActivation.h:
        (JSC::JSActivation::create):
        * runtime/JSArray.h:
        (JSC::JSArray::create):
        * runtime/JSCell.h:
        (JSC::JSCell::allocateCell):
        * runtime/JSFunction.h:
        (JSC::JSFunction::create):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObject.h:
        (JSC::constructEmptyArray):
        (JSC::constructArray):
        * runtime/JSNotAnObject.h:
        (JSC::JSNotAnObject::create):
        * runtime/JSONObject.h:
        (JSC::JSONObject::create):
        * runtime/JSObject.cpp:
        (JSC::JSObject::defineGetter):
        (JSC::JSObject::defineSetter):
        (JSC::putDescriptor):
        * runtime/JSObject.h:
        (JSC::JSFinalObject::create):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::create):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::create):
        * runtime/JSString.cpp:
        (JSC::JSString::substringFromRope):
        (JSC::JSString::replaceCharacter):
        (JSC::StringObject::create):
        * runtime/JSString.h:
        (JSC::RopeBuilder::JSString):
        (JSC::RopeBuilder::create):
        (JSC::RopeBuilder::createHasOtherOwner):
        (JSC::jsSingleCharacterString):
        (JSC::jsSingleCharacterSubstring):
        (JSC::jsNontrivialString):
        (JSC::jsString):
        (JSC::jsSubstring):
        (JSC::jsOwnedString):
        * runtime/JSValue.cpp:
        (JSC::JSValue::toObjectSlowCase):
        (JSC::JSValue::synthesizeObject):
        (JSC::JSValue::synthesizePrototype):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/MathObject.h:
        (JSC::MathObject::create):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::NativeErrorConstructor):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::create):
        * runtime/NativeErrorPrototype.h:
        (JSC::NativeErrorPrototype::create):
        * runtime/NumberConstructor.cpp:
        (JSC::constructWithNumberConstructor):
        * runtime/NumberConstructor.h:
        (JSC::NumberConstructor::create):
        * runtime/NumberObject.cpp:
        (JSC::constructNumber):
        * runtime/NumberObject.h:
        (JSC::NumberObject::create):
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::create):
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::create):
        * runtime/ObjectPrototype.h:
        (JSC::ObjectPrototype::create):
        * runtime/Operations.h:
        (JSC::jsString):
        * runtime/RegExp.cpp:
        (JSC::RegExp::RegExp):
        (JSC::RegExp::createWithoutCaching):
        (JSC::RegExp::create):
        * runtime/RegExp.h:
        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::lookupOrCreate):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::arrayOfMatches):
        (JSC::constructRegExp):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::create):
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::create):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::create):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncCompile):
        * runtime/RegExpPrototype.h:
        (JSC::RegExpPrototype::create):
        * runtime/ScopeChain.h:
        (JSC::ScopeChainNode::create):
        (JSC::ScopeChainNode::push):
        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::createEmptyString):
        (JSC::SmallStrings::createSingleCharacterString):
        * runtime/StringConstructor.cpp:
        (JSC::constructWithStringConstructor):
        * runtime/StringConstructor.h:
        (JSC::StringConstructor::create):
        * runtime/StringObject.h:
        (JSC::StringObject::create):
        * runtime/StringObjectThatMasqueradesAsUndefined.h:
        (JSC::StringObjectThatMasqueradesAsUndefined::create):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):
        * runtime/StringPrototype.h:
        (JSC::StringPrototype::create):
        * runtime/Structure.h:
        (JSC::Structure::create):
        (JSC::Structure::createStructure):
        * runtime/StructureChain.h:
        (JSC::StructureChain::create):

2011-07-17  Ryuan Choi

        [EFL] Refactor scheduleDispatchFunctionsOnMainThread to fix crash.
        https://bugs.webkit.org/show_bug.cgi?id=64337

        Replace ecore_timer_add with Ecore_Pipe. This is needed because ecore_timer should
        not be called in a child thread, but in the main thread.

        Reviewed by Antonio Gomes.

        * wtf/efl/MainThreadEfl.cpp:
        (WTF::pipeObject):
        (WTF::monitorDispatchFunctions):
        (WTF::initializeMainThreadPlatform):
        (WTF::scheduleDispatchFunctionsOnMainThread):

2011-07-17  Filip Pizlo

        DFG JIT operationCompareEqual does not inline JSValue::equalSlowCaseInline.
        https://bugs.webkit.org/show_bug.cgi?id=64637

        Reviewed by Gavin Barraclough.
        * dfg/DFGOperations.cpp:

2011-07-16  Gavin Barraclough

        https://bugs.webkit.org/show_bug.cgi?id=64657
        Converted this value not preserved when accessed via direct eval.

        Reviewed by Oliver Hunt.

        Upon entry into a non-strict function, primitive this values should be boxed as
        Object types (or substituted with the global object) - which is done by
        op_convert_this. However we only do so where this is used lexically within the
        function (we omit the conversion op if not). The problem comes if a direct eval
        (running within the function's scope) accesses the this value. We are safe in the
        case of a single eval, since the this object will be converted within callEval,
        however the converted value is not preserved, and a new wrapper object is allocated
        each time eval is invoked. This is inefficient and incorrect, since any changes to
        the wrapper object will be lost between eval statements.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
            - If a function uses eval, we always need to convert this.
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
            - Don't convert primitive values here - this is too late!
        (JSC::Interpreter::privateExecute):
            - Changed op_convert_this to call new isPrimitive method.
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
            - Changed op_convert_this to call new isPrimitive method.
        * runtime/JSCell.h:
        (JSC::JSCell::JSValue::isPrimitive):
            - Added JSValue::isPrimitive.
        * runtime/JSValue.h:
            - Added JSValue::isPrimitive.

2011-07-16  Filip Pizlo

        DFG JIT compare/branch code emits is-integer tests even when a value is definitely
        not an integer.
        https://bugs.webkit.org/show_bug.cgi?id=64654

        Reviewed by Gavin Barraclough.

        Added the isKnownNotInteger() method, which returns true if a node is definitely not
        an integer and will always fail any is-integer test. Then modified the compare and
        branch code to use this method; if it returns true then is-int tests are omitted and
        the compiler always emits a slow call.
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::isKnownNotInteger):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compare):

2011-07-16  Filip Pizlo

        DFG speculative JIT has dead code for slow calls for branches.
        https://bugs.webkit.org/show_bug.cgi?id=64653

        Reviewed by Gavin Barraclough.

        Removed SpeculativeJIT::compilePeepHoleCall.

        * dfg/DFGSpeculativeJIT.cpp:
        * dfg/DFGSpeculativeJIT.h:

2011-07-15  Mark Rowe

        Fix the build.

        * dfg/DFGGraph.h:

2011-07-15  Gavin Barraclough

        NativeError.prototype objects have [[Class]] of "Object" but should be "Error"
        https://bugs.webkit.org/show_bug.cgi?id=55346

        Reviewed by Sam Weinig.

        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::ErrorPrototype):
        - Switch to putDirect since we're not the only ones transitioning this Structure now.
        * runtime/NativeErrorPrototype.cpp:
        (JSC::NativeErrorPrototype::NativeErrorPrototype):
        * runtime/NativeErrorPrototype.h:
        - Switch base class to ErrorPrototype.

2011-07-15  Gavin Barraclough

        DFG JIT - Where arguments passed are integers, speculate this.
        https://bugs.webkit.org/show_bug.cgi?id=64630

        Reviewed by Sam Weinig.

        Presently the DFG JIT is overly aggressively predicting double. Use a bit of dynamic information, and curtail this a little.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::predictArgumentTypes):
        - Check for integer arguments.
        * dfg/DFGGraph.h:
        - Function declaration.
        * runtime/Executable.cpp:
        (JSC::tryDFGCompile):
        (JSC::FunctionExecutable::compileForCallInternal):
        - Add call to predictArgumentTypes.

2011-07-15  Filip Pizlo

        DFG JIT is inconsistent about fusing branches and speculating integer comparisons for branches.
        https://bugs.webkit.org/show_bug.cgi?id=64573

        Reviewed by Gavin Barraclough.
        This patch moves some of NonSpeculativeJIT's functionality up into the JITCodeGenerator superclass so that it can be used from both JITs. Now, in cases where the speculative JIT doesn't want to speculate but still wants to emit good code, it can reliably emit the same code sequence as the non-speculative JIT. This patch also extends the non-speculative JIT's compare optimizations to include compare/branch fusing, and extends the speculative JIT's compare optimizations to cover StrictEqual.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::isKnownInteger):
        (JSC::DFG::JITCodeGenerator::isKnownNumeric):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::detectPeepHoleBranch):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGNonSpeculativeJIT.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        * wtf/Platform.h:

2011-07-14  Gavin Barraclough

        https://bugs.webkit.org/show_bug.cgi?id=64250
        Global strict mode function leaking global object as "this".

        Reviewed by Oliver Hunt.

        The root problem here is that we pass the wrong values into calls, and then try to fix them up in the callee. Correct behaviour per the spec is to pass in the value undefined, as this unless either (1) the function call is based on an explicit property access or (2) the base of the call comes directly from a 'with'. This change does away with the need for this conversion of objects (non strict code should only box primitives), and does away with all this conversion for strict functions. This patch may have web compatibility ramifications, and may require some advocacy.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        - Removed op_convert_this_strict, added op_resolve_with_this.
        * bytecode/Opcode.h:
        - Removed op_convert_this_strict, added op_resolve_with_this.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitResolveWithThis):
        - Removed op_convert_this_strict, added op_resolve_with_this.
        * bytecompiler/BytecodeGenerator.h:
        - Removed op_convert_this_strict, added op_resolve_with_this.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::EvalFunctionCallNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode):
        - Removed op_convert_this_strict, added op_resolve_with_this.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        - Change NeedsThisConversion check to test for JSString's vptr (objects no longer need conversion).
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::resolveThisAndProperty):
        - Based on resolveBaseAndProperty, but produce correct this value.
        (JSC::Interpreter::privateExecute):
        - Removed op_convert_this_strict, added op_resolve_with_this.
        * interpreter/Interpreter.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        - Removed op_convert_this_strict, added op_resolve_with_this.
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_resolve_with_this):
        - Removed op_convert_this_strict, added op_resolve_with_this.
        (JSC::JIT::emit_op_convert_this):
        (JSC::JIT::emitSlow_op_convert_this):
        - Change NeedsThisConversion check to test for JSString's vptr (objects no longer need conversion).
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_resolve_with_this):
        - Removed op_convert_this_strict, added op_resolve_with_this.
        (JSC::JIT::emit_op_convert_this):
        (JSC::JIT::emitSlow_op_convert_this):
        - Change NeedsThisConversion check to test for JSString's vptr (objects no longer need conversion).
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        - Removed op_convert_this_strict, added op_resolve_with_this.
        * jit/JITStubs.h:
        - Removed op_convert_this_strict, added op_resolve_with_this.
        * runtime/JSActivation.h:
        - removed NeedsThisConversion flag, added IsEnvironmentRecord.
        * runtime/JSStaticScopeObject.h:
        - removed NeedsThisConversion flag, added IsEnvironmentRecord.
        * runtime/JSString.h:
        (JSC::RopeBuilder::createStructure):
        - removed NeedsThisConversion.
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::isEnvironmentRecord):
        (JSC::TypeInfo::overridesHasInstance):
        - removed NeedsThisConversion flag, added IsEnvironmentRecord.
        * runtime/JSValue.h:
        - removed NeedsThisConversion.
        * runtime/JSVariableObject.h:
        - Corrected StructureFlags inheritance.
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::createStructure):
        - Added IsEnvironmentRecord to StructureFlags, added createStructure.
        * runtime/Structure.h:
        - removed NeedsThisConversion.
        * tests/mozilla/ecma/String/15.5.4.6-2.js:
        (getTestCases):
        - Removed invalid test case.

2011-07-15  Sheriff Bot

        Unreviewed, rolling out r91082, r91087, and r91089.
        http://trac.webkit.org/changeset/91082
        http://trac.webkit.org/changeset/91087
        http://trac.webkit.org/changeset/91089
        https://bugs.webkit.org/show_bug.cgi?id=64616

        gtk tests are failing a lot after this change. (Requested by dave_levin on #webkit).

        * wtf/ThreadIdentifierDataPthreads.cpp:
        (WTF::ThreadIdentifierData::identifier):
        (WTF::ThreadIdentifierData::initialize):
        (WTF::ThreadIdentifierData::initializeKeyOnceHelper):
        (WTF::ThreadIdentifierData::initializeKeyOnce):
        * wtf/ThreadIdentifierDataPthreads.h:
        * wtf/ThreadingPthreads.cpp:
        (WTF::initializeThreading):

2011-07-15  David Levin

        Another attempted build fix.

        * wtf/ThreadIdentifierDataPthreads.cpp: Add include to pick up the definition of PTHREAD_KEYS_MAX.

2011-07-15  David Levin

        Chromium build fix.

        * wtf/ThreadIdentifierDataPthreads.cpp: Add include to pick up the definition of PTHREAD_KEYS_MAX.

2011-07-14  David Levin

        currentThread is too slow!
        https://bugs.webkit.org/show_bug.cgi?id=64577

        Reviewed by Darin Adler and Dmitry Titov.
        The problem is that currentThread results in a pthread_once call which always takes a lock. With this change, currentThread is 10% faster than isMainThread in release mode and only 5% slower than isMainThread in debug.

        * wtf/ThreadIdentifierDataPthreads.cpp:
        (WTF::ThreadIdentifierData::initializeOnce): Remove the pthread once stuff which is no longer needed because this is called from initializeThreading().
        (WTF::ThreadIdentifierData::identifier): Remove the initializeKeyOnce call because initialization of the pthread key should already be done.
        (WTF::ThreadIdentifierData::initialize): Ditto.
        * wtf/ThreadIdentifierDataPthreads.h:
        * wtf/ThreadingPthreads.cpp:
        (WTF::initializeThreading): Acquire the pthread key here.

2011-07-14  Filip Pizlo

        DFG JIT does not optimize Branch as well as it could.
        https://bugs.webkit.org/show_bug.cgi?id=64574

        Reviewed by Gavin Barraclough.

        This creates a common code path for emitting unfused branches, which does no speculation, and only performs a slow call if absolutely necessary.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::emitBranch):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-07-14  Filip Pizlo

        GC allocation fast path has too many operations.
        https://bugs.webkit.org/show_bug.cgi?id=64493

        Reviewed by Darin Adler.

        Changed the timing of the lazy sweep so that it occurs when we land on a previously-unswept block, rather than whenever we land on an unswept cell. After the per-block lazy sweep occurs, the block is turned into a singly linked list of free cells. The allocation fast path is now just a load-branch-store to remove a cell from the head of the list.

        Additionally, this changes the way new blocks are allocated. Previously, they would be populated with dummy cells.
        With this patch, they are turned into a free list, which means that there will never be destructor calls for allocations in fresh blocks.

        These changes result in a 1.9% speed-up on V8, and a 0.6% speed-up on SunSpider. There are no observed statistically significant slow-downs on any individual benchmark.

        * JavaScriptCore.exp:
        * heap/Heap.cpp:
        (JSC::Heap::allocateSlowCase):
        (JSC::Heap::collect):
        (JSC::Heap::canonicalizeBlocks):
        (JSC::Heap::resetAllocator):
        * heap/Heap.h:
        (JSC::Heap::forEachProtectedCell):
        (JSC::Heap::forEachCell):
        (JSC::Heap::forEachBlock):
        (JSC::Heap::allocate):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::MarkedBlock):
        (JSC::MarkedBlock::lazySweep):
        (JSC::MarkedBlock::blessNewBlockForFastPath):
        (JSC::MarkedBlock::blessNewBlockForSlowPath):
        (JSC::MarkedBlock::canonicalizeBlock):
        * heap/MarkedBlock.h:
        * heap/NewSpace.cpp:
        (JSC::NewSpace::addBlock):
        (JSC::NewSpace::canonicalizeBlocks):
        * heap/NewSpace.h:
        (JSC::NewSpace::allocate):
        (JSC::NewSpace::SizeClass::SizeClass):
        (JSC::NewSpace::SizeClass::canonicalizeBlock):
        * heap/OldSpace.cpp:
        (JSC::OldSpace::addBlock):

2011-07-14  Filip Pizlo

        DFG JIT crashes on host constructor calls in debug mode.
        https://bugs.webkit.org/show_bug.cgi?id=64562

        Reviewed by Gavin Barraclough.

        Fixed the relevant ASSERT.

        * dfg/DFGOperations.cpp:

2011-07-14  Filip Pizlo

        DFG speculative JIT contains a FIXME for rewinding speculative code generation that has already been fixed.
        https://bugs.webkit.org/show_bug.cgi?id=64022

        Reviewed by Gavin Barraclough.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):

2011-07-14  Ryuan Choi

        [EFL] Add OwnPtr specialization for Ecore_Pipe.
        https://bugs.webkit.org/show_bug.cgi?id=64515

        Add an overload for deleteOwnedPtr(Ecore_Pipe*) on EFL port.

        Reviewed by Xan Lopez.

        * wtf/OwnPtrCommon.h:
        * wtf/efl/OwnPtrEfl.cpp:
        (WTF::deleteOwnedPtr):

2011-07-14  Filip Pizlo

        DFG JIT unnecessarily boxes and unboxes values during silent spilling.
        https://bugs.webkit.org/show_bug.cgi?id=64068

        Reviewed by Gavin Barraclough.

        Silent spilling and filling of registers is done during slow-path C function calls. The silent spill/fill logic does not affect register allocation on paths that don't involve the C function call. This changes the silent spilling code to spill in unboxed form. The silent fill will refill in whatever form the register was spilled in. For example, the silent spill code may choose not to spill the register because it was already spilled previously, which would imply that it was spilled in boxed form. The filling code detects this and either unboxes, or not, depending on what is appropriate.

        This change also results in a simplification of the silent spill/fill API: silent spilling no longer needs to know about the set of registers that cannot be trampled, since it never does boxing and hence does not need a temporary register.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::cachedGetById):
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::silentSpillGPR):
        (JSC::DFG::JITCodeGenerator::silentSpillFPR):
        (JSC::DFG::JITCodeGenerator::silentFillFPR):
        (JSC::DFG::JITCodeGenerator::silentSpillAllRegisters):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::valueToNumber):
        (JSC::DFG::NonSpeculativeJIT::valueToInt32):
        (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
        (JSC::DFG::NonSpeculativeJIT::basicArithOp):
        (JSC::DFG::NonSpeculativeJIT::compare):
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-07-13  Michael Saboff

        https://bugs.webkit.org/show_bug.cgi?id=64202
        Enh: Improve handling of RegExp in the form of /.*blah.*/

        Reviewed by Gavin Barraclough.

        Added code to both the Yarr interpreter and JIT to handle these expressions a little differently.
        First off, the terms in between the leading and trailing .*'s cannot capture and also this enhancement is limited to single alternative expressions. If an expression is of the right form with the aforementioned restrictions, we process the inner terms and then look for the beginning of the string and end of the string. There is handling for multiline expressions to allow the beginning and end to be right after and right before newlines. This enhancement speeds up expressions of this type 12x on a MacBookPro.

        Cleaned up 'case' statement indentation.

        A new set of tests was added as LayoutTests/fast/regex/dotstar.html

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::InputStream::end):
        (JSC::Yarr::Interpreter::matchDotStarEnclosure):
        (JSC::Yarr::Interpreter::matchDisjunction):
        (JSC::Yarr::ByteCompiler::assertionDotStarEnclosure):
        (JSC::Yarr::ByteCompiler::emitDisjunction):
        * yarr/YarrInterpreter.h:
        (JSC::Yarr::ByteTerm::DotStarEnclosure):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
        (JSC::Yarr::YarrGenerator::backtrackDotStarEnclosure):
        (JSC::Yarr::YarrGenerator::generateTerm):
        (JSC::Yarr::YarrGenerator::backtrackTerm):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets):
        (JSC::Yarr::YarrPatternConstructor::containsCapturingTerms):
        (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
        (JSC::Yarr::YarrPattern::compile):
        * yarr/YarrPattern.h:
        (JSC::Yarr::PatternTerm::PatternTerm):

2011-07-13  Xan Lopez

        [GTK] Fix distcheck

        Reviewed by Martin Robinson.

        * GNUmakefile.list.am: add missing files.

2011-07-13  Filip Pizlo

        DFG JIT does not implement prototype chain or list caching for get_by_id.
        https://bugs.webkit.org/show_bug.cgi?id=64147

        Reviewed by Gavin Barraclough.

        This implements unified support for prototype caching, prototype chain caching, and polymorphic (i.e. list) prototype and prototype chain caching.
        This is done by creating common code for emitting prototype or chain access stubs, and having it factored out into generateProtoChainAccessStub(). This function is called by tryCacheGetByID once the latter determines that some form of prototype access caching is necessary (i.e. the slot being accessed is not on the base value but on some other object). Direct prototype list, and prototype chain list, caching is implemented by linking the slow path to operationGetByIdProtoBuildList(), which uses the same helper function (generateProtoChainAccessStub()) as tryCacheGetByID.

        This change required ensuring that the value in the scratchGPR field in StructureStubInfo is preserved even after the stub info is in the chain, or proto_list, states. Hence scratchGPR was moved out of the union and into the top-level of StructureStubInfo.

        * bytecode/StructureStubInfo.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::emitRestoreScratch):
        (JSC::DFG::linkRestoreScratch):
        (JSC::DFG::generateProtoChainAccessStub):
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDProtoList):
        (JSC::DFG::dfgBuildGetByIDProtoList):
        (JSC::DFG::tryCachePutByID):
        * dfg/DFGRepatch.h:

2011-07-12  Brent Fulgham

        Standardize WinCairo conditionalized code under PLATFORM macro.
        https://bugs.webkit.org/show_bug.cgi?id=64377

        Reviewed by Maciej Stachowiak.

        * wtf/Platform.h: Update to use PLATFORM(WIN_CAIRO) for tests.

2011-07-13  David Levin

        Possible race condition in ThreadIdentifierData::initializeKeyOnce and shouldCallRealDebugger.
        https://bugs.webkit.org/show_bug.cgi?id=64465

        Reviewed by Dmitry Titov.

        There isn't a good way to test this as it is very highly unlikely to occur.

        * wtf/ThreadIdentifierDataPthreads.cpp:
        (WTF::ThreadIdentifierData::initializeKeyOnce): Since scoped static initialization isn't thread-safe, change the initialization to be global.
2011-07-12  Gavin Barraclough

        https://bugs.webkit.org/show_bug.cgi?id=64424
        Our direct eval behaviour deviates slightly from the spec.

        Reviewed by Oliver Hunt.

        The ES5 spec defines a concept of 'Direct Call to Eval' (see section 15.1.2.1.1), where behaviour will differ from that of an indirect call (e.g. " { eval: window.eval }.eval();" or "var a = eval; a();" are indirect calls), particularly in non-strict scopes variables may be introduced into the caller's environment.

        ES5 direct calls are any call where the callee function is provided by a reference, a base of that Reference is an EnvironmentRecord (this corresponds to all productions "PrimaryExpression: Identifier", see 10.2.2.1 GetIdentifierReference), and where the name of the reference is "eval". This means any expression of the form "eval(...)", and that calls the standard built in eval method from the Global Object, is considered to be direct.

        In JavaScriptCore we are currently overly restrictive. We also check that the EnvironmentRecord that is the base of the reference is the Declarative Environment Record at the root of the scope chain, corresponding to the Global Object - an "eval(..)" statement that hits a var eval in a nested scope is not considered to be direct. This behaviour does not emanate from the spec, and is incorrect.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        - Fixed direct eval check in op_call_eval.
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        - Fixed direct eval check in op_call_eval.
        * runtime/Executable.h:
        (JSC::isHostFunction):
        - Added check for host function with specific NativeFunction.

2011-07-13  Ademar de Souza Reis Jr.

        Reviewed by Andreas Kling.

        Broken build on QNX
        https://bugs.webkit.org/show_bug.cgi?id=63717

        QNX doesn't support pthread's SA_RESTART (required by JSC_MULTIPLE_THREADS), JIT is broken at runtime and there are a few minor compilation errors here and there.
        Original patch by Ritt Konstantin, also tested by him on QNX v6.5 (x86)

        * wtf/DateMath.cpp: fix usage of abs/labs
        * wtf/Platform.h: Disable JIT and JSC_MULTIPLE_THREADS
        * wtf/StackBounds.cpp: Add a couple of missing includes (and sort them)

2011-07-12  Anders Carlsson

        If a compiler has nullptr support, include to get the nullptr_t definition
        https://bugs.webkit.org/show_bug.cgi?id=64429

        Include the cstddef which has the nullptr_t typedef according to the C++0x standard.

        * wtf/NullPtr.h:

2011-07-13  MORITA Hajime

        Refactoring: Ignored ExceptionCode value should be less annoying.
        https://bugs.webkit.org/show_bug.cgi?id=63688

        Added ASSERT_AT macro.

        Reviewed by Darin Adler.

        * wtf/Assertions.h:

2011-07-12  Filip Pizlo

        DFG JIT does not implement op_construct.
        https://bugs.webkit.org/show_bug.cgi?id=64066

        Reviewed by Gavin Barraclough.

        This is a fixed implementation of op_construct. Constructor calls are implemented by reusing almost all of the code for Call, with care taken to make sure that where there are differences (like selecting different code blocks), those differences are respected. The two fixes over the last patch are: (1) make sure the CodeBlock::unlinkCalls respects differences between Call and Construct, and (2) make sure that virtualFor() in DFGOperations respects the CodeSpecializationKind (either CodeForCall or CodeForConstruct) when invoking the compiler.
        * dfg/DFGAliasTracker.h:
        (JSC::DFG::AliasTracker::recordConstruct):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):
        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgLinkFor):
        * dfg/DFGRepatch.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/CodeBlock.cpp:
        (JSC::CodeBlock::unlinkCalls):

2011-07-12  Oliver Hunt

        Overzealous type validation in method_check
        https://bugs.webkit.org/show_bug.cgi?id=64415

        Reviewed by Gavin Barraclough.

        method_check is essentially just a value look up optimisation, but it internally stores the value as a JSFunction, even though it never relies on this fact. Under GC validation however we end up trying to enforce that assumption. The fix is simply to store the value as a correct supertype.

        * bytecode/CodeBlock.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgRepatchGetMethodFast):
        (JSC::DFG::tryCacheGetMethod):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::patchMethodCallProto):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2011-07-12  Filip Pizlo

        COLLECT_ON_EVERY_ALLOCATION no longer works.
        https://bugs.webkit.org/show_bug.cgi?id=64388

        Reviewed by Oliver Hunt.

        Added a flag to Heap that determines if it's safe to collect (which for now means that JSGlobalObject has actually been initialized, but it should work for other things, too). This allows JSGlobalObject to allocate even if the allocator wants to GC; instead of GCing it just grows the heap, if necessary. Then changed Heap::allocate() to not recurse ad infinitum when COLLECT_ON_EVERY_ALLOCATION is set.
        This also makes the allocator generally more resilient against bugs; this change allowed me to put in handy assertions, such as that an allocation must succeed after either a collection or after a new block was added.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::tryAllocate):
        (JSC::Heap::allocate):
        (JSC::Heap::collectAllGarbage):
        (JSC::Heap::collect):
        * heap/Heap.h:
        (JSC::Heap::notifyIsSafeToCollect):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):

2011-07-12  Filip Pizlo

        DFG JIT put_by_id transition caching does not inform the GC about the structure and prototype chain that it is referencing.
        https://bugs.webkit.org/show_bug.cgi?id=64387

        Reviewed by Gavin Barraclough.

        Fixed the relevant code in DFGRepatch to call StructureStubInfo::initPutByIdTransition().

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCachePutByID):

2011-07-12  Adam Roben

        Ensure no intermediate WTF::Strings are created when concatenating with string literals

        Fixes Concatenating string literals and WTF::Strings using operator+ is suboptimal

        Reviewed by Darin Adler.

        * wtf/text/StringConcatenate.h:
        (WTF::StringTypeAdapter::writeTo): Added a macro that can be used for testing how many WTF::Strings get copied while evaluating an operator+ expression.
        * wtf/text/StringOperators.h:
        (WTF::operator+): Changed the overload that takes a StringAppend to take it on the left-hand side, since operator+ is left-associative. Having the StringAppend on the right-hand side was causing us to make intermediate WTF::Strings when evaluating expressions that contained multiple calls to operator+. Added some more overloads that take a left-hand side of const char* to resolve overload ambiguity for certain expressions. Added overloads that take a left-hand side of const UChar* (matching the const char* overloads) so that wide string literals don't first have to be converted to a WTF::String in operator+ expressions.

2011-07-12  Adam Roben

        Unreviewed, rolling out r90811.
        http://trac.webkit.org/changeset/90811
        https://bugs.webkit.org/show_bug.cgi?id=61025

        Several svg tests failing assertions beneath SVGSMILElement::findInstanceTime

        * wtf/StdLibExtras.h:
        (WTF::binarySearch):

2011-07-12  Oliver Varga

        Reviewed by Nikolas Zimmermann.

        Speed up SVGSMILElement::findInstanceTime.
        https://bugs.webkit.org/show_bug.cgi?id=61025

        Add a new parameter to StdlibExtras.h::binarySearch function to also handle cases when the array does not contain the key value. This is needed for an svg function.

        * wtf/StdLibExtras.h:
        (WTF::binarySearch):

2011-07-11  Filip Pizlo

        DFG speculative JIT does not guard itself against floating point speculation failures on non-floating-point constants.
        https://bugs.webkit.org/show_bug.cgi?id=64330

        Reviewed by Gavin Barraclough.

        Made fillSpeculateDouble immediately invoke terminateSpeculativeExecution() as soon as it notices that it's speculating on something that is a non-numeric JSConstant.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):

2011-07-11  Filip Pizlo

        DFG Speculative JIT does not always insert speculation checks when speculating arrays.
        https://bugs.webkit.org/show_bug.cgi?id=64254

        Reviewed by Gavin Barraclough.

        Changed the SetLocal instruction to always validate that the value being stored into the local variable is an array, if that variable was marked PredictArray. This is necessary since uses of arrays assume that if a PredictArray value is in a local variable then the speculation check validating that the value is an array was already performed.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-07-11  Gabor Loki

        Fix the condition of the optimized code in doubleTransfer
        https://bugs.webkit.org/show_bug.cgi?id=64261

        Reviewed by Zoltan Herczeg.

        The condition of the optimized code in doubleTransfer is wrong. The data transfer should be executed with four bytes aligned address. VFP cannot perform unaligned memory access.

        Reported by Jacob Bramley.
        * assembler/ARMAssembler.cpp:
        (JSC::ARMAssembler::doubleTransfer):

2011-07-11  Gabor Loki

        Signed arithmetic bug in dataTransfer32.
        https://bugs.webkit.org/show_bug.cgi?id=64257

        Reviewed by Zoltan Herczeg.

        An arithmetic bug is fixed. If the offset of dataTransfer is half of the addressable memory space on a 32-bit machine (-2147483648 = 0x80000000) a load instruction is emitted with a wrong zero offset.

        Inspired by Jacob Bramley's patch from JaegerMonkey.

        * assembler/ARMAssembler.cpp:
        (JSC::ARMAssembler::dataTransfer32):

2011-07-09  Thouraya Andolsi

        Fix unaligned userspace access for SH4 platforms.
        https://bugs.webkit.org/show_bug.cgi?id=62993

        * wtf/Platform.h:

2011-07-09  Chao-ying Fu

        Fix MIPS build due to readInt32 and readPointer
        https://bugs.webkit.org/show_bug.cgi?id=63962

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::readInt32):
        (JSC::MIPSAssembler::readPointer):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::rshift32):

2011-07-08  Gavin Barraclough

        https://bugs.webkit.org/show_bug.cgi?id=64181
        REGRESSION (r90602): Gmail doesn't load

        Rolling out r90601, r90602.

        * dfg/DFGAliasTracker.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addVarArgChild):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):
        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::dfgLinkCall):
        * dfg/DFGRepatch.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSObject.h:
        (JSC::JSObject::isUsingInlineStorage):

2011-07-08  Kalev Lember

        Reviewed by Adam Roben.

        Add missing _WIN32_WINNT and WINVER definitions
        https://bugs.webkit.org/show_bug.cgi?id=59702

        Moved _WIN32_WINNT and WINVER definitions to config.h so that they are available for all source files.
        In particular, wtf/FastMalloc.cpp uses CreateTimerQueueTimer and DeleteTimerQueueTimer which are both guarded by #if (_WIN32_WINNT >= 0x0500) in MinGW headers.

        * config.h:
        * wtf/Assertions.cpp:

2011-07-08  Chang Shu

        Rename "makeSecure" to "fill" and remove the support for displaying last character to avoid layering violation.
        https://bugs.webkit.org/show_bug.cgi?id=59114

        Reviewed by Alexey Proskuryakov.

        * JavaScriptCore.exp:
        * JavaScriptCore.order:
        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::fill):
        * wtf/text/StringImpl.h:
        * wtf/text/WTFString.h:
        (WTF::String::fill):

2011-07-08  Benjamin Poulain

        [WK2] Do not forward touch events to the web process when it does not need them
        https://bugs.webkit.org/show_bug.cgi?id=64164

        Reviewed by Kenneth Rohde Christiansen.

        Add a convenience function to obtain a reference to the last element of a Deque.

        * wtf/Deque.h:
        (WTF::Deque::last):

2011-07-07  Filip Pizlo

        DFG JIT does not implement op_construct.
        https://bugs.webkit.org/show_bug.cgi?id=64066

        Reviewed by Gavin Barraclough.

        * dfg/DFGAliasTracker.h:
        (JSC::DFG::AliasTracker::recordConstruct):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):
        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgLinkFor):
        * dfg/DFGRepatch.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-07-07  Filip Pizlo

        DFG JIT does not implement get_by_id prototype caching.
        https://bugs.webkit.org/show_bug.cgi?id=64077

        Reviewed by Gavin Barraclough.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::emitRestoreScratch):
        (JSC::DFG::linkRestoreScratch):
        (JSC::DFG::tryCacheGetByID):
        * runtime/JSObject.h:
        (JSC::JSObject::addressOfPropertyAtOffset):

2011-07-07  Filip Pizlo

        DFG JIT method_check implementation does not link to optimized get_by_id slow path.
        https://bugs.webkit.org/show_bug.cgi?id=64073

        Reviewed by Gavin Barraclough.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgRepatchGetMethodFast):

2011-07-07  Oliver Hunt

        Encode jump and link sizes into the appropriate enums
        https://bugs.webkit.org/show_bug.cgi?id=64123

        Reviewed by Sam Weinig.

        Finally kill off the out of line jump and link size arrays, so we can avoid icky loads and constant fold the linking arithmetic.

        * assembler/ARMv7Assembler.cpp:
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::jumpSizeDelta):
        (JSC::ARMv7Assembler::computeJumpType):

2011-07-06  Juan C. Montemayor

        ASSERT_NOT_REACHED running test 262
        https://bugs.webkit.org/show_bug.cgi?id=63951

        Added a case to the switch statement where the code was failing. Fixed some logic as well that gave faulty error messages.

        Reviewed by Gavin Barraclough.

        * parser/JSParser.cpp:
        (JSC::JSParser::getTokenName):
        (JSC::JSParser::updateErrorMessageSpecialCase):
        (JSC::JSParser::updateErrorMessage):

2011-07-06  Filip Pizlo

        DFG JIT implementation of op_call results in regressions on sunspider controlflow-recursive.
        https://bugs.webkit.org/show_bug.cgi?id=64039

        Reviewed by Gavin Barraclough.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::isSmallInt32Constant):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::isInteger):

2011-07-06  Filip Pizlo

        DFG JIT does not support method_check
        https://bugs.webkit.org/show_bug.cgi?id=63972

        Reviewed by Gavin Barraclough.
        * assembler/CodeLocation.h:
        (JSC::CodeLocationPossiblyNearCall::CodeLocationPossiblyNearCall):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):
        * bytecode/CodeBlock.h:
        (JSC::MethodCallLinkInfo::MethodCallLinkInfo):
        (JSC::MethodCallLinkInfo::seenOnce):
        (JSC::MethodCallLinkInfo::setSeen):
        * dfg/DFGAliasTracker.h:
        (JSC::DFG::AliasTracker::recordGetMethod):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::cachedGetById):
        (JSC::DFG::JITCodeGenerator::cachedGetMethod):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addMethodGet):
        (JSC::DFG::JITCompiler::MethodGetRecord::MethodGetRecord):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgRepatchGetMethodFast):
        (JSC::DFG::tryCacheGetMethod):
        (JSC::DFG::dfgRepatchGetMethod):
        * dfg/DFGRepatch.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITWriteBarrier.h:
        (JSC::JITWriteBarrier::set):

2011-07-06  Filip Pizlo

        DFG JIT op_call implementation will flush registers even when those registers are dead
        https://bugs.webkit.org/show_bug.cgi?id=64023

        Reviewed by Gavin Barraclough.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::integerResult):
        (JSC::DFG::JITCodeGenerator::noResult):
        (JSC::DFG::JITCodeGenerator::cellResult):
        (JSC::DFG::JITCodeGenerator::jsValueResult):
        (JSC::DFG::JITCodeGenerator::doubleResult):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-07-06  Filip Pizlo

        DFG speculative JIT may crash when speculating int on a non-int JSConstant.
        https://bugs.webkit.org/show_bug.cgi?id=64017

        Reviewed by Gavin Barraclough.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::compile):

2011-07-06  Dmitriy Vyukov

        Reviewed by David Levin.

        Allow substitution of dynamic annotations and prevent identical code folding by the linker.
        https://bugs.webkit.org/show_bug.cgi?id=62443

        * wtf/DynamicAnnotations.cpp:
        (WTFAnnotateBenignRaceSized):
        (WTFAnnotateHappensBefore):
        (WTFAnnotateHappensAfter):

2011-07-06  Zoltan Herczeg

        Calls on 32 bit machines are failed after r90423
        https://bugs.webkit.org/show_bug.cgi?id=63980

        Reviewed by Gavin Barraclough.

        Copy the necessary lines from JITCall.cpp.

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):

2011-07-05  Filip Pizlo

        DFG JIT virtual call implementation is inefficient.
        https://bugs.webkit.org/show_bug.cgi?id=63974

        Reviewed by Gavin Barraclough.

        * dfg/DFGOperations.cpp:
        * runtime/Executable.h:
        (JSC::ExecutableBase::generatedJITCodeForCallWithArityCheck):
        (JSC::ExecutableBase::generatedJITCodeForConstructWithArityCheck):
        (JSC::ExecutableBase::generatedJITCodeWithArityCheckFor):
        (JSC::ExecutableBase::hasJITCodeForCall):
        (JSC::ExecutableBase::hasJITCodeForConstruct):
        (JSC::ExecutableBase::hasJITCodeFor):
        * runtime/JSFunction.h:
        (JSC::JSFunction::scopeUnchecked):

2011-07-05  Oliver Hunt

        Force inlining of simple functions that show up as not being inlined
        https://bugs.webkit.org/show_bug.cgi?id=63964

        Reviewed by Gavin Barraclough.

        Looking at profile data indicates that gcc is failing to inline a number of trivial functions. This patch hits the ones that show up in profiles with the ALWAYS_INLINE hammer. We also replace the memcpy() call in linking with a manual loop. Apparently memcpy() is almost never faster than an inlined loop.
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::add):
        (JSC::ARMv7Assembler::add_S):
        (JSC::ARMv7Assembler::ARM_and):
        (JSC::ARMv7Assembler::asr):
        (JSC::ARMv7Assembler::b):
        (JSC::ARMv7Assembler::blx):
        (JSC::ARMv7Assembler::bx):
        (JSC::ARMv7Assembler::clz):
        (JSC::ARMv7Assembler::cmn):
        (JSC::ARMv7Assembler::cmp):
        (JSC::ARMv7Assembler::eor):
        (JSC::ARMv7Assembler::it):
        (JSC::ARMv7Assembler::ldr):
        (JSC::ARMv7Assembler::ldrCompact):
        (JSC::ARMv7Assembler::ldrh):
        (JSC::ARMv7Assembler::ldrb):
        (JSC::ARMv7Assembler::lsl):
        (JSC::ARMv7Assembler::lsr):
        (JSC::ARMv7Assembler::movT3):
        (JSC::ARMv7Assembler::mov):
        (JSC::ARMv7Assembler::movt):
        (JSC::ARMv7Assembler::mvn):
        (JSC::ARMv7Assembler::neg):
        (JSC::ARMv7Assembler::orr):
        (JSC::ARMv7Assembler::orr_S):
        (JSC::ARMv7Assembler::ror):
        (JSC::ARMv7Assembler::smull):
        (JSC::ARMv7Assembler::str):
        (JSC::ARMv7Assembler::sub):
        (JSC::ARMv7Assembler::sub_S):
        (JSC::ARMv7Assembler::tst):
        (JSC::ARMv7Assembler::linkRecordSourceComparator):
        (JSC::ARMv7Assembler::link):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp5Reg3Imm8):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp5Imm5Reg3Reg3):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp7Reg3Reg3Reg3):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp8Imm8):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp8RegReg143):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp9Imm7):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp10Reg3Reg3):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp12Reg4FourFours):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp16FourFours):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp16Op16):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp5i6Imm4Reg4EncodedImm):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp12Reg4Reg4Imm12):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::vfpOp):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::vfpMemOp):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::linkCode):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::nearCall):
        (JSC::MacroAssemblerARMv7::call):
        (JSC::MacroAssemblerARMv7::ret):
        (JSC::MacroAssemblerARMv7::moveWithPatch):
        (JSC::MacroAssemblerARMv7::branchPtrWithPatch):
        (JSC::MacroAssemblerARMv7::storePtrWithPatch):
        (JSC::MacroAssemblerARMv7::tailRecursiveCall):
        (JSC::MacroAssemblerARMv7::makeTailRecursiveCall):
        (JSC::MacroAssemblerARMv7::jump):
        (JSC::MacroAssemblerARMv7::makeBranch):

2011-07-05  Zoltan Herczeg

        Make "Add optimised paths for a few maths functions" work on Qt
        https://bugs.webkit.org/show_bug.cgi?id=63893

        Reviewed by Oliver Hunt.

        Move the generated code to the .text section instead of .data section. Fix alignment for the 32 bit thunk code.

        * jit/ThunkGenerators.cpp:

2011-07-05  Filip Pizlo

        DFG JIT does not implement op_call.
        https://bugs.webkit.org/show_bug.cgi?id=63858

        Reviewed by Gavin Barraclough.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::unlinkCalls):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::setNumberOfCallLinkInfos):
        (JSC::CodeBlock::numberOfCallLinkInfos):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):
        * dfg/DFGAliasTracker.h:
        (JSC::DFG::AliasTracker::lookupGetByVal):
        (JSC::DFG::AliasTracker::recordCall):
        (JSC::DFG::AliasTracker::equalIgnoringLaterNumericConversion):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::toInt32):
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::addVarArgChild):
        (JSC::DFG::ByteCodeParser::predictInt32):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::processPhiStack):
        (JSC::DFG::ByteCodeParser::allocateVirtualRegisters):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::opName):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::refChildren):
        * dfg/DFGGraph.h:
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::useChildren):
        (JSC::DFG::JITCodeGenerator::emitCall):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::addressOfCallData):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::CallRecord::CallRecord):
        (JSC::DFG::JITCompiler::notifyCall):
        (JSC::DFG::JITCompiler::appendCallWithFastExceptionCheck):
        (JSC::DFG::JITCompiler::addJSCall):
        (JSC::DFG::JITCompiler::PropertyAccessRecord::PropertyAccessRecord):
        (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::child1):
        (JSC::DFG::Node::child2):
        (JSC::DFG::Node::child3):
        (JSC::DFG::Node::firstChild):
        (JSC::DFG::Node::numChildren):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::basicArithOp):
        (JSC::DFG::NonSpeculativeJIT::compare):
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgLinkCall):
        * dfg/DFGRepatch.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
        * interpreter/CallFrame.h:
        (JSC::ExecState::calleeAsValue):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        (JSC::JIT::linkCall):
        (JSC::JIT::linkConstruct):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCode.h:
        (JSC::JITCode::JITCode):
        (JSC::JITCode::jitType):
        (JSC::JITCode::HostFunction):
        * runtime/JSFunction.h:
        * runtime/JSGlobalData.h:

2011-07-05  Oliver Hunt

        Initialize new MarkStack member

        * heap/MarkStack.h:
        (JSC::MarkStack::MarkStack):

2011-07-05  Oliver Hunt

        Don't throw out compiled code repeatedly
        https://bugs.webkit.org/show_bug.cgi?id=63960

        Reviewed by Gavin Barraclough.
        Stop throwing away all compiled code every time we're told to do a full GC. Instead unlink all callsites during such GC passes to maximise the number of collectable functions, but otherwise leave compiled functions alone.

        * API/JSBase.cpp:
        (JSGarbageCollect):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):
        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage):
        * heap/MarkStack.h:
        (JSC::MarkStack::shouldUnlinkCalls):
        (JSC::MarkStack::setShouldUnlinkCalls):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::recompileAllJSFunctions):
        (JSC::JSGlobalData::releaseExecutableMemory):
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::invalidateCode):
        * runtime/RegExp.h:

2011-07-05  Filip Pizlo

        JSC JIT has code duplication for the handling of call and construct
        https://bugs.webkit.org/show_bug.cgi?id=63957

        Reviewed by Gavin Barraclough.

        * jit/JIT.cpp:
        (JSC::JIT::linkFor):
        * jit/JIT.h:
        * jit/JITStubs.cpp:
        (JSC::jitCompileFor):
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::arityCheckFor):
        (JSC::lazyLinkFor):
        * runtime/Executable.h:
        (JSC::ExecutableBase::generatedJITCodeFor):
        (JSC::FunctionExecutable::compileFor):
        (JSC::FunctionExecutable::isGeneratedFor):
        (JSC::FunctionExecutable::generatedBytecodeFor):
        (JSC::FunctionExecutable::generatedJITCodeWithArityCheckFor):

2011-07-05  Gavin Barraclough

        Build fix following last patch.

        * runtime/JSFunction.cpp:
        (JSC::createPrototypeProperty):

2011-07-05  Gavin Barraclough

        https://bugs.webkit.org/show_bug.cgi?id=63947
        ASSERT running Object.preventExtensions(Math.sin)

        Reviewed by Oliver Hunt.

        This is due to calling scope() on a hostFunction as a part of calling createPrototypeProperty to reify the prototype property. But host functions don't have a prototype property anyway! Prevent calling createPrototypeProperty on a host function.
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::createPrototypeProperty):
        (JSC::JSFunction::preventExtensions):

2011-07-04  Gavin Barraclough

        https://bugs.webkit.org/show_bug.cgi?id=63880
        Evaluation order of conversions of operands to >, >= incorrect.

        Reviewed by Sam Weinig.

        Add 'leftFirst' parameter to jsLess, jsLessEq matching that described in the ES5 spec. This allows these methods to be reused to perform >, >= relational compares with correct ordering of type conversions.

        * dfg/DFGOperations.cpp:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Operations.h:
        (JSC::jsLess):
        (JSC::jsLessEq):

2011-07-04  Gavin Barraclough

        Reviewed by Sam Weinig.

        https://bugs.webkit.org/show_bug.cgi?id=16652
        Firefox and JavaScriptCore differ in Number.toString(integer)

        Our arbitrary radix (2..36) toString conversion is inaccurate. This is partly because it uses doubles to perform math that requires higher accuracy, and partly because it does not attempt to correctly detect where to terminate, instead relying on a simple 'epsilon'.

        * runtime/NumberPrototype.cpp:
        (JSC::decomposeDouble):
            - helper function to extract sign, exponent, mantissa from IEEE doubles.
        (JSC::Uint16WithFraction::Uint16WithFraction):
            - helper class, u16int with infinite precision fraction, used to convert the fractional part of the number to a string.
        (JSC::Uint16WithFraction::operator*=):
            - Multiply by a uint16.
        (JSC::Uint16WithFraction::operator<):
            - Compare two Uint16WithFractions.
        (JSC::Uint16WithFraction::floorAndSubtract):
            - Extract the integer portion of the number, and subtract it (clears the integer portion).
        (JSC::Uint16WithFraction::comparePoint5):
            - Compare to 0.5.
        (JSC::Uint16WithFraction::sumGreaterThanOne):
            - Passed a second Uint16WithFraction, returns true if the result of adding the two values would be greater than one.
        (JSC::Uint16WithFraction::isNormalized):
            - Used by ASSERTs to consistency check internal representation.
        (JSC::BigInteger::BigInteger):
            - helper class, unbounded integer value, used to convert the integer part of the number to a string.
        (JSC::BigInteger::divide):
            - Divide this value through by a uint32.
        (JSC::BigInteger::operator!):
            - test for zero.
        (JSC::toStringWithRadix):
            - Performs number to string conversion, with the given radix (2..36).
        (JSC::numberProtoFuncToString):
            - Changed to use toStringWithRadix.

2011-07-04  Gavin Barraclough

        https://bugs.webkit.org/show_bug.cgi?id=63881
        Need separate bytecodes for handling >, >= comparisons.

        Reviewed by Oliver Hunt.

        This clears the way to fix Bug#63880. We currently handle greater-than comparisons by using the corresponding op_less, etc opcodes. This is incorrect with respect to evaluation ordering of the implicit conversions performed on operands - we should be calling ToPrimitive on the LHS and RHS operands to the greater than, but instead convert RHS then LHS. This patch adds opcodes for greater-than comparisons mirroring existing ones used for less-than.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * bytecode/Opcode.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitJumpIfTrue):
        (JSC::BytecodeGenerator::emitJumpIfFalse):
        * bytecompiler/NodesCodegen.cpp:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compare):
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGNonSpeculativeJIT.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JSC::JIT::emit_op_loop_if_greater):
        (JSC::JIT::emitSlow_op_loop_if_greater):
        (JSC::JIT::emit_op_loop_if_greatereq):
        (JSC::JIT::emitSlow_op_loop_if_greatereq):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_jgreater):
        (JSC::JIT::emit_op_jgreatereq):
        (JSC::JIT::emit_op_jngreater):
        (JSC::JIT::emit_op_jngreatereq):
        (JSC::JIT::emitSlow_op_jgreater):
        (JSC::JIT::emitSlow_op_jgreatereq):
        (JSC::JIT::emitSlow_op_jngreater):
        (JSC::JIT::emitSlow_op_jngreatereq):
        (JSC::JIT::emit_compareAndJumpSlow):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitBinaryDoubleOp):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JITStubs.h:
        * parser/NodeConstructors.h:
        (JSC::GreaterNode::GreaterNode):
        (JSC::GreaterEqNode::GreaterEqNode):
        * parser/Nodes.h:

2011-07-03  Gavin Barraclough

        https://bugs.webkit.org/show_bug.cgi?id=63879
        Reduce code duplication for op_jless, op_jlesseq, op_jnless, op_jnlesseq.

        Reviewed by Sam Weinig.

        There is a lot of copy & paste code here; we can reduce duplication by making a shared implementation.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::branch32):
        (JSC::MacroAssembler::commute):
            - Make these function platform agnostic.
        * assembler/MacroAssemblerX86Common.h:
            - Moved branch32/commute up to MacroAssembler.
        * jit/JIT.h:
        (JSC::JIT::emit_op_loop_if_lesseq):
        (JSC::JIT::emitSlow_op_loop_if_lesseq):
            - Add an implementation matching that for op_loop_if_less, which just calls op_jless.
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_jless):
        (JSC::JIT::emit_op_jlesseq):
        (JSC::JIT::emit_op_jnless):
        (JSC::JIT::emit_op_jnlesseq):
        (JSC::JIT::emitSlow_op_jless):
        (JSC::JIT::emitSlow_op_jlesseq):
        (JSC::JIT::emitSlow_op_jnless):
        (JSC::JIT::emitSlow_op_jnlesseq):
            - Common implementations of these methods for JSVALUE64 & JSVALUE32_64.
        (JSC::JIT::emit_compareAndJump):
        (JSC::JIT::emit_compareAndJumpSlow):
            - Internal implementation of jless etc for JSVALUE64.
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_compareAndJump):
        (JSC::JIT::emit_compareAndJumpSlow):
            - Internal implementation of jless etc for JSVALUE32_64.
        * jit/JITOpcodes.cpp:
        * jit/JITOpcodes32_64.cpp:
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
            - Remove old implementation of emit_op_loop_if_lesseq.

2011-07-03  Sheriff Bot

        Unreviewed, rolling out r90347.
        http://trac.webkit.org/changeset/90347
        https://bugs.webkit.org/show_bug.cgi?id=63886

        Build breaks on Leopard, Chromium-win, WinCairo, and WinCE. (Requested by tkent on #webkit).

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/BigInteger.h: Removed.
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToPrecision):
        (JSC::numberProtoFuncToString):
        * runtime/Uint16WithFraction.h: Removed.
        * wtf/MathExtras.h:

2011-06-30  Gavin Barraclough

        Reviewed by Sam Weinig.

        https://bugs.webkit.org/show_bug.cgi?id=16652
        Firefox and JavaScriptCore differ in Number.toString(integer)

        Our arbitrary radix (2..36) toString conversion is inaccurate. This is partly because it uses doubles to perform math that requires higher accuracy, and partly because it does not attempt to correctly detect where to terminate, instead relying on a simple 'epsilon'.
        * runtime/NumberPrototype.cpp:
        (JSC::decomposeDouble):
            - helper function to extract sign, exponent, mantissa from IEEE doubles.
        (JSC::Uint16WithFraction::Uint16WithFraction):
            - helper class, u16int with infinite precision fraction, used to convert the fractional part of the number to a string.
        (JSC::Uint16WithFraction::operator*=):
            - Multiply by a uint16.
        (JSC::Uint16WithFraction::operator<):
            - Compare two Uint16WithFractions.
        (JSC::Uint16WithFraction::floorAndSubtract):
            - Extract the integer portion of the number, and subtract it (clears the integer portion).
        (JSC::Uint16WithFraction::comparePoint5):
            - Compare to 0.5.
        (JSC::Uint16WithFraction::sumGreaterThanOne):
            - Passed a second Uint16WithFraction, returns true if the result of adding the two values would be greater than one.
        (JSC::Uint16WithFraction::isNormalized):
            - Used by ASSERTs to consistency check internal representation.
        (JSC::BigInteger::BigInteger):
            - helper class, unbounded integer value, used to convert the integer part of the number to a string.
        (JSC::BigInteger::divide):
            - Divide this value through by a uint32.
        (JSC::BigInteger::operator!):
            - test for zero.
        (JSC::toStringWithRadix):
            - Performs number to string conversion, with the given radix (2..36).
        (JSC::numberProtoFuncToString):
            - Changed to use toStringWithRadix.

2011-07-02  Gavin Barraclough

        https://bugs.webkit.org/show_bug.cgi?id=63866
        DFG JIT - implement instanceof

        Reviewed by Sam Weinig.

        Add ops CheckHasInstance & InstanceOf to implement bytecodes op_check_has_instance & op_instanceof. This is an initial functional implementation, performance is a wash. We can follow up with changes to fuse the InstanceOf node with a subsequent branch, as we do with other comparisons.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::jitAssertIsCell):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::jitAssertIsCell):
        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-07-01  Oliver Hunt

        IE Web Workers demo crashes in JSC::SlotVisitor::visitChildren()
        https://bugs.webkit.org/show_bug.cgi?id=63732

        Reviewed by Gavin Barraclough.

        Initialise the memory at the head of the new storage so that GC is safe if triggered by reportExtraMemoryCost.

        * runtime/JSArray.cpp:
        (JSC::JSArray::increaseVectorPrefixLength):

2011-07-01  Oliver Hunt

        GC sweep can occur before an object is completely initialised
        https://bugs.webkit.org/show_bug.cgi?id=63836

        Reviewed by Gavin Barraclough.

        In rare cases it's possible for a GC sweep to occur while a live, but not completely initialised object is on the stack. In such a case we may incorrectly choose to mark it, even though it has no children that need marking. We resolve this by always zeroing out the structure of any value returned from JSCell::operator new(), and making the markstack tolerant of a null structure.

        * runtime/JSCell.h:
        (JSC::JSCell::JSCell::~JSCell):
        (JSC::JSCell::JSCell::operator new):
        * runtime/Structure.h:
        (JSC::MarkStack::internalAppend):

2011-07-01  Filip Pizlo

        Reviewed by Gavin Barraclough.

        DFG non-speculative JIT always performs slow C calls for div and mod.
        https://bugs.webkit.org/show_bug.cgi?id=63684

        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):

2011-07-01  Juan C. Montemayor

        Reviewed by Oliver Hunt.

        Lexer error messages are currently appalling
        https://bugs.webkit.org/show_bug.cgi?id=63340

        Added error messages for the Lexer. These messages will be displayed instead of the lexer error messages from the parser that are currently shown.
        * parser/Lexer.cpp:
        (JSC::Lexer::getInvalidCharMessage):
        (JSC::Lexer::setCode):
        (JSC::Lexer::parseString):
        (JSC::Lexer::lex):
        (JSC::Lexer::clear):
        * parser/Lexer.h:
        (JSC::Lexer::getErrorMessage):
        (JSC::Lexer::setOffset):
        * parser/Parser.cpp:
        (JSC::Parser::parse):

2011-07-01  Jungshik Shin

        Reviewed by Alexey Proskuryakov.

        Add ScriptCodesFromICU.h to wtf/unicode and make necessary changes in build files for ports not using ICU. Add icu/unicode/uscript.h for ports using ICU. It's taken from ICU 3.6 (the version used on Mac OS 10.5)
        http://bugs.webkit.org/show_bug.cgi?id=20797

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * icu/unicode/uscript.h: Added for UScriptCode enum.
        * wtf/unicode/ScriptCodesFromICU.h: UScriptCode enum added.
        * wtf/unicode/icu/UnicodeIcu.h:
        * wtf/unicode/brew/UnicodeBrew.h:
        * wtf/unicode/glib/UnicodeGLib.h:
        * wtf/unicode/qt4/UnicodeQt4.h:
        * wtf/unicode/wince/UnicodeWinCE.h:

2011-07-01  Gavin Barraclough

        Reviewed by Sam Weinig.

        https://bugs.webkit.org/show_bug.cgi?id=63819
        Escaping of forwardslashes in strings incorrect if multiple exist.

        The bug is in the parameters passed to a substring - should be start & length, but we're passing start & end indices!

        * runtime/RegExpObject.cpp:
        (JSC::regExpObjectSource):

2011-07-01  Adam Roben

        Roll out r90194
        http://trac.webkit.org/changeset/90194
        https://bugs.webkit.org/show_bug.cgi?id=63778

        Fixes REGRESSION (r90194): Multiple tests intermittently failing assertions in WriteBarrierBase::get

        * runtime/JSCell.h:
        (JSC::JSCell::JSCell::~JSCell):

2011-06-30  Oliver Hunt

        Reviewed by Gavin Barraclough.

        Add optimised paths for a few maths functions
        https://bugs.webkit.org/show_bug.cgi?id=63757

        Relanding as a Mac only patch.

        This adds specialised thunks for Math.abs, Math.round, Math.ceil, Math.floor, Math.log, and Math.exp as they are apparently more important in real web content than we thought, which is somewhat mind-boggling. On average doubles the performance of the common cases (e.g. actually passing numbers in).
        They're not as efficient as they could be, but this way gives them the most portability.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::supportsDoubleBitops):
        (JSC::MacroAssemblerARM::andnotDouble):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::supportsDoubleBitops):
        (JSC::MacroAssemblerARMv7::andnotDouble):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::andnotDouble):
        (JSC::MacroAssemblerMIPS::supportsDoubleBitops):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::supportsDoubleBitops):
        (JSC::MacroAssemblerSH4::andnotDouble):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::supportsDoubleBitops):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::andnotDouble):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::supportsDoubleBitops):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::andnpd_rr):
        * create_hash_table:
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::finalize):
        (JSC::SpecializedThunkJIT::callDoubleToDouble):
        * jit/ThunkGenerators.cpp:
        (JSC::floorThunkGenerator):
        (JSC::ceilThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::expThunkGenerator):
        (JSC::logThunkGenerator):
        (JSC::absThunkGenerator):
        * jit/ThunkGenerators.h:

2011-07-01  David Kilzer

        Fix clang build error in JITOpcodes32_64.cpp

        Fixes the following build error in clang:

        JavaScriptCore/jit/JITOpcodes32_64.cpp:741:36:{741:9-741:35}: error: operator '?:' has lower precedence than '+'; '+' will be evaluated first [-Werror,-Wparentheses,3]
            map(m_bytecodeOffset + dynamic ? OPCODE_LENGTH(op_resolve_global_dynamic) : OPCODE_LENGTH(op_resolve_global), dst, regT1, regT0);
                ~~~~~~~~~~~~~~~~~~~~~~~~~~ ^
        JavaScriptCore/jit/JITOpcodes32_64.cpp:741:36: note: place parentheses around the '+' expression to silence this warning [3]
            map(m_bytecodeOffset + dynamic ? OPCODE_LENGTH(op_resolve_global_dynamic) : OPCODE_LENGTH(op_resolve_global), dst, regT1, regT0);
                                           ^
                (                         )
        fix-it:"JavaScriptCore/jit/JITOpcodes32_64.cpp":{741:9-741:9}:"("
        fix-it:"JavaScriptCore/jit/JITOpcodes32_64.cpp":{741:35-741:35}:")"
        JavaScriptCore/jit/JITOpcodes32_64.cpp:741:36:{741:28-741:94}: note: place parentheses around the '?:' expression to evaluate it first [3]
            map(m_bytecodeOffset + dynamic ? OPCODE_LENGTH(op_resolve_global_dynamic) : OPCODE_LENGTH(op_resolve_global), dst, regT1, regT0);
                                   ~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        1 error generated.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_resolve_global): Add parentheses to make the ternary expression evaluate first.

2011-07-01  Sheriff Bot

        Unreviewed, rolling out r90177 and r90179.
        http://trac.webkit.org/changeset/90177
        http://trac.webkit.org/changeset/90179
        https://bugs.webkit.org/show_bug.cgi?id=63790

        It caused crashes on Qt in debug mode (Requested by Ossy on #webkit).

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::rshift32):
        (JSC::MacroAssemblerARM::supportsFloatingPointSqrt):
        (JSC::MacroAssemblerARM::sqrtDouble):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::supportsFloatingPointSqrt):
        (JSC::MacroAssemblerARMv7::sqrtDouble):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::sqrtDouble):
        (JSC::MacroAssemblerMIPS::supportsFloatingPointSqrt):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::sqrtDouble):
        * assembler/MacroAssemblerX86.h:
        * assembler/MacroAssemblerX86Common.h:
        * assembler/MacroAssemblerX86_64.h:
        * assembler/X86Assembler.h:
        * create_hash_table:
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::emitLoadDouble):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::finalize):
        * jit/ThunkGenerators.cpp:
        * jit/ThunkGenerators.h:

2011-06-30  Oliver Hunt

        Reviewed by Beth Dakin.
        Make GC validation clear cell structure on destruction
        https://bugs.webkit.org/show_bug.cgi?id=63778

        * runtime/JSCell.h:
        (JSC::JSCell::JSCell::~JSCell):

2011-06-30  Geoffrey Garen

        Reviewed by Gavin Barraclough.

        Added write barrier that was missing from put_by_id_transition
        https://bugs.webkit.org/show_bug.cgi?id=63775

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::writeBarrier): Made this static with a MacroAssembler& argument so our patching functions could use it.
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile): Updated for signature change.
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCachePutByID): Missing barrier!
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Updated for signature change.
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):
        * jit/JSInterfaceJIT.h: Same game here. Removed storePtrWithWriteBarrier because its meaning isn't clear -- maybe in the future we'll have a clear way to pass all stores through a common function that guarantees a write barrier, but that's not the case right now.

2011-06-30  Filip Pizlo

        Reviewed by Gavin Barraclough.

        DFG non-speculative JIT does not reuse registers when compiling comparisons.
        https://bugs.webkit.org/show_bug.cgi?id=63565

        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
        (JSC::DFG::NonSpeculativeJIT::basicArithOp):
        (JSC::DFG::NonSpeculativeJIT::compare):

2011-06-30  Geoffrey Garen

        Reviewed by Gavin Barraclough.

        Added empty write barrier stubs in all the right places in the DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=63764

        SunSpider thinks this might be a 0.5% speedup. Meh.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::writeBarrier): Le stub.
        (JSC::DFG::JITCodeGenerator::cachedPutById): Don't do anything special for the case where base == scratch, since we now require base and scratch to be not equal, for the sake of the write barrier.
        * dfg/DFGJITCodeGenerator.h: Le stub.
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile): Don't reuse the base register as the scratch register, since that's incompatible with the write barrier, which needs a distinct base and scratch. Do put the global object into a register before loading its var storage, since it needs to be in a register for the write barrier to operate on it.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitWriteBarrier): Second verse, same as the first.
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC::JIT::emit_op_put_scoped_var):
        (JSC::JIT::emit_op_put_global_var): Deployed offsetOfRegisters() to more places.
        (JSC::JIT::emitWriteBarrier): Added a teeny tiny ASSERT so this function is a little more than meaningless.
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC::JIT::emit_op_put_scoped_var):
        (JSC::JIT::emit_op_put_global_var): Deployed offsetOfRegisters() to more places.
        (JSC::JIT::emitWriteBarrier): Added a teeny tiny ASSERT so this function is a little more than meaningless.
        * runtime/JSVariableObject.h:
        (JSC::JSVariableObject::offsetOfRegisters): Now used by the JIT, since we put the global object in a register and only then load its var storage by offset.
        (JSC::JIT::emitWriteBarrier):

2011-06-30  Oliver Hunt

        Fix ARMv6 build

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::rshift32):

2011-06-30  Oliver Hunt

        Reviewed by Gavin Barraclough.
        Add optimised paths for a few maths functions
        https://bugs.webkit.org/show_bug.cgi?id=63757

        This adds specialised thunks for Math.abs, Math.round, Math.ceil, Math.floor, Math.log, and Math.exp as they are apparently more important in real web content than we thought, which is somewhat mind-boggling. On average doubles the performance of the common cases (e.g. actually passing numbers in).

        They're not as efficient as they could be, but this way gives them the most portability.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::supportsDoubleBitops):
        (JSC::MacroAssemblerARM::andnotDouble):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::supportsDoubleBitops):
        (JSC::MacroAssemblerARMv7::andnotDouble):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::andnotDouble):
        (JSC::MacroAssemblerMIPS::supportsDoubleBitops):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::supportsDoubleBitops):
        (JSC::MacroAssemblerSH4::andnotDouble):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::supportsDoubleBitops):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::andnotDouble):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::supportsDoubleBitops):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::andnpd_rr):
        * create_hash_table:
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::finalize):
        (JSC::SpecializedThunkJIT::callDoubleToDouble):
        * jit/ThunkGenerators.cpp:
        (JSC::floorThunkGenerator):
        (JSC::ceilThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::expThunkGenerator):
        (JSC::logThunkGenerator):
        (JSC::absThunkGenerator):
        * jit/ThunkGenerators.h:

2011-06-30  Cary Clark

        Reviewed by James Robinson.

        Use Skia if Skia on Mac Chrome is enabled
        https://bugs.webkit.org/show_bug.cgi?id=62999

        * wtf/Platform.h: Add switch to use Skia if, externally, Skia has been enabled by a gyp define.

2011-06-30  Juan C. Montemayor

        Reviewed by Geoffrey Garen.
        Web Inspector fails to display source for eval with syntax error
        https://bugs.webkit.org/show_bug.cgi?id=63583

        Web Inspector now displays a link to an eval statement that contains a syntax error.

        * parser/Parser.h:
        (JSC::isEvalNode):
        (JSC::EvalNode):
        (JSC::Parser::parse):

2011-06-30  Filip Pizlo

        Reviewed by Gavin Barraclough.

        X86Assembler does not encode byte registers in 64-bit mode correctly.
        https://bugs.webkit.org/show_bug.cgi?id=63665

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::testb_rr):
        (JSC::X86Assembler::X86InstructionFormatter::oneByteOp8):

2011-06-30  Sheriff Bot

        Unreviewed, rolling out r90102.
        http://trac.webkit.org/changeset/90102
        https://bugs.webkit.org/show_bug.cgi?id=63714

        Lots of tests asserting beneath SVGSMILElement::findInstanceTime (Requested by aroben on #webkit).

        * wtf/StdLibExtras.h:
        (WTF::binarySearch):

2011-06-30  Oliver Varga

        Reviewed by Nikolas Zimmermann.

        Speed up SVGSMILElement::findInstanceTime.
        https://bugs.webkit.org/show_bug.cgi?id=61025

        Add a new parameter to StdLibExtras.h::binarySearch function to also handle cases when the array does not contain the key value. This is needed for an svg function.

        * wtf/StdLibExtras.h:
        (WTF::binarySearch):

2011-06-29  Gavin Barraclough

        Reviewed by Geoff Garen.

        https://bugs.webkit.org/show_bug.cgi?id=63669
        DFG JIT - fix spectral-norm regression

        The problem is a mis-speculation leading to us falling off the speculative path. Make the speculation logic slightly smarter, don't predict int if one of the operands is already loaded as a double (we use this logic already for compares).

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::shouldSpeculateInteger):

2011-06-29  Filip Pizlo

        Reviewed by Gavin Barraclough.

        DFG JIT does not do put_by_id transition caching.
        https://bugs.webkit.org/show_bug.cgi?id=63662

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addPropertyAccess):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::testPrototype):
        (JSC::DFG::tryCachePutByID):

2011-06-29  Geoffrey Garen

        Reviewed by Oliver Hunt.

        Added a dummy write barrier emitting function in all the right places in the old JIT
        https://bugs.webkit.org/show_bug.cgi?id=63667

        SunSpider reports no change.

        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emit_op_put_scoped_var): Do it.
        (JSC::JIT::emit_op_put_global_var): Global object needs to be in a register
        for the sake of the write barrier.
        (JSC::JIT::emitWriteBarrier): Empty for now. Not for long!
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emit_op_put_scoped_var): Do it.
        (JSC::JIT::emit_op_put_global_var): Global object needs to be in a register
        for the sake of the write barrier.
        (JSC::JIT::emitWriteBarrier): Empty for now. Not for long!

2011-06-29  Filip Pizlo

        Reviewed by Gavin Barraclough.

        DFG JIT does not perform get_by_id self list caching.
        https://bugs.webkit.org/show_bug.cgi?id=63605

        * bytecode/StructureStubInfo.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDList):
        (JSC::DFG::dfgBuildGetByIDList):
        * dfg/DFGRepatch.h:

2011-06-28  Filip Pizlo

        Reviewed by Gavin Barraclough.

        DFG JIT lacks array.length caching.
        https://bugs.webkit.org/show_bug.cgi?id=63505

        * bytecode/StructureStubInfo.h:
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::cachedGetById):
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::tryAllocate):
        (JSC::DFG::JITCodeGenerator::selectScratchGPR):
        (JSC::DFG::JITCodeGenerator::silentSpillAllRegisters):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addPropertyAccess):
        (JSC::DFG::JITCompiler::PropertyAccessRecord::PropertyAccessRecord):
        * dfg/DFGRegisterBank.h:
        (JSC::DFG::RegisterBank::tryAllocate):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):

2011-06-28  Pierre Rossi

        Reviewed by Eric Seidel.

        Warnings in JSC's JIT on 32 bit
        https://bugs.webkit.org/show_bug.cgi?id=63259

        Fairly straightforward, just use ASSERT_JIT_OFFSET_UNUSED when it applies.

        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_method_check):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::emit_op_put_by_id):

2011-06-28  Sheriff Bot

        Unreviewed, rolling out r89968.
        http://trac.webkit.org/changeset/89968
        https://bugs.webkit.org/show_bug.cgi?id=63581

        Broke chromium windows compile (Requested by jamesr on #webkit).

        * wtf/Platform.h:

2011-06-28  Oliver Hunt

        Reviewed by Gavin Barraclough.

        Fix sampling build
        https://bugs.webkit.org/show_bug.cgi?id=63579

        Gets opcode sampling building again, doesn't seem to work, alas.

        * bytecode/SamplingTool.cpp:
        (JSC::SamplingTool::notifyOfScope):
        * bytecode/SamplingTool.h:
        (JSC::SamplingTool::SamplingTool):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::enableSampler):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::ScriptExecutable):

2011-06-28  Cary Clark

        Reviewed by James Robinson.

        Use Skia if Skia on Mac Chrome is enabled
        https://bugs.webkit.org/show_bug.cgi?id=62999

        * wtf/Platform.h:
        Add switch to use Skia if, externally,
        Skia has been enabled by a gyp define.

2011-06-28  Oliver Hunt

        Reviewed by Gavin Barraclough.
        ASSERT when launching debug builds with interpreter and jit enabled
        https://bugs.webkit.org/show_bug.cgi?id=63566

        Add appropriate guards to the various Executable's memory reporting logic.

        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):

2011-06-28  Gavin Barraclough

        Reviewed by Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=63563
        DFG JIT - add support for double arith to speculative path

        Add integer support for div & mod, add double support for div, mod, add,
        sub & mul, dynamically selecting based on operand types.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::FPRTemporary::FPRTemporary):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::assembler):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
        (JSC::DFG::SpeculateDoubleOperand::~SpeculateDoubleOperand):
        (JSC::DFG::SpeculateDoubleOperand::index):
        (JSC::DFG::SpeculateDoubleOperand::fpr):

2011-06-28  Oliver Hunt

        Fix interpreter build.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):

2011-06-28  Gavin Barraclough

        Reviewed by Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=63561
        DFG JIT - don't always assume integer in relational compare

        If neither operand is known integer, or either is in double representation,
        then at least use a function call (don't bail off the speculative path).

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::isDataFormatDouble):
        (JSC::DFG::SpeculativeJIT::compareIsInteger):

2011-06-28  Oliver Hunt

        Reviewed by Gavin Barraclough.
        Make constant array optimisation less strict about what constitutes a constant
        https://bugs.webkit.org/show_bug.cgi?id=63554

        Now allow string constants in array literals to actually be considered
        constant, and so avoid codegen in array literals with strings in them.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addConstantBuffer):
        (JSC::CodeBlock::constantBuffer):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addConstantBuffer):
        (JSC::BytecodeGenerator::addStringConstant):
        (JSC::BytecodeGenerator::emitNewArray):
        * bytecompiler/BytecodeGenerator.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2011-06-28  Gavin Barraclough

        Reviewed by Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=63560
        DFG_JIT allow allocation of specific machine registers

        This allows us to allocate the registers necessary to perform x86 idiv
        instructions for div/mod, and may be useful for shifts, too.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::GPRTemporary::GPRTemporary):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::allocate):
        (JSC::DFG::GPRResult::GPRResult):
        * dfg/DFGRegisterBank.h:
        (JSC::DFG::RegisterBank::allocateSpecific):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::isInteger):

2011-06-28  Gavin Barraclough

        Reviewed by Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=55040
        RegExp constructor returns the argument regexp instead of a new object

        Per 15.10.3.1, our current behaviour is correct if called as a function,
        but incorrect when called as a constructor.

        * runtime/RegExpConstructor.cpp:
        (JSC::constructRegExp):
        (JSC::constructWithRegExpConstructor):
        * runtime/RegExpConstructor.h:

2011-06-28  Luke Macpherson

        Reviewed by Darin Adler.

        Clean up integer clamping functions in MathExtras.h and support arbitrary numeric types and limits.
        https://bugs.webkit.org/show_bug.cgi?id=63469

        * wtf/MathExtras.h:
        (defaultMinimumForClamp): Version of std::numeric_limits::min() that
        returns the largest negative value for floating point types.
        (defaultMaximumForClamp): Symmetric alias for std::numeric_limits::max()
        (clampTo): New templated clamping function that supports arbitrary output types.
        (clampToInteger): Use new clampTo template.
        (clampToFloat): Use new clampTo template.
        (clampToPositiveInteger): Use new clampTo template.

2011-06-28  Adam Roben

        Windows Debug build fix after r89885

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Exported
        JSGlobalData::releaseExecutableMemory for jsc.exe's benefit.

2011-06-28  Shinya Kawanaka

        Reviewed by Kent Tamura.

        Add const to show() method in WTFString and AtomicString.
        https://bugs.webkit.org/show_bug.cgi?id=63515

        The lack of const in show() method is painful when doing something like printf-debug.

        * wtf/text/AtomicString.cpp:
        (WTF::AtomicString::show):
        * wtf/text/AtomicString.h:
        * wtf/text/WTFString.cpp:
        (String::show):
        * wtf/text/WTFString.h:

2011-06-27  Ryosuke Niwa

        Build fix attempt after r89885.

        * JavaScriptCore.exp:
        * jsc.cpp:

2011-06-27  Oliver Hunt

        Reviewed by Geoffrey Garen.

        Support throwing away non-running code even while other code is running
        https://bugs.webkit.org/show_bug.cgi?id=63485

        Add a function to CodeBlock to support unlinking direct linked callsites,
        and then with that in place add logic to discard code from any function
        that is not currently on the stack.  The unlinking completely reverts
        any optimized call sites, such that they may be relinked again in future.

        * JavaScriptCore.exp:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::unlinkCalls):
        (JSC::CodeBlock::clearEvalCache):
        * bytecode/CodeBlock.h:
        (JSC::CallLinkInfo::CallLinkInfo):
        (JSC::CallLinkInfo::unlink):
        * bytecode/EvalCodeCache.h:
        (JSC::EvalCodeCache::clear):
        * heap/Heap.cpp:
        (JSC::Heap::getConservativeRegisterRoots):
        * heap/Heap.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITWriteBarrier.h:
        (JSC::JITWriteBarrierBase::clear):
        * jsc.cpp:
        (GlobalObject::GlobalObject):
        (functionReleaseExecutableMemory):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::unlinkCalls):
        (JSC::ProgramExecutable::unlinkCalls):
        (JSC::FunctionExecutable::discardCode):
        (JSC::FunctionExecutable::unlinkCalls):
        * runtime/Executable.h:
        * runtime/JSGlobalData.cpp:
        (JSC::SafeRecompiler::returnValue):
        (JSC::SafeRecompiler::operator()):
        (JSC::JSGlobalData::releaseExecutableMemory):

2011-06-27  Gavin Barraclough

        Reviewed by Darin Adler & Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=50554
        RegExp.prototype.toString does not escape slashes

        The problem here is that we don't escape forward slashes when converting
        a RegExp to a string.  This means that RegExp("/").toString() is "///",
        which is not a valid RegExp literal.  Also, we return an invalid literal
        for RegExp.prototype.toString() ("//", which is an empty single-line
        comment).

        From ES5:
        "NOTE: The returned String has the form of a RegularExpressionLiteral that
        evaluates to another RegExp object with the same behaviour as this object."

        * runtime/RegExpObject.cpp:
        (JSC::regExpObjectSource):
            - Escape forward slashes when getting the source of a RegExp.
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncToString):
            - Remove unnecessary and erroneous hack to return "//" as the string
              representation of RegExp.prototype.  This is not a valid RegExp
              literal (it is an empty single-line comment).

2011-06-27  Gavin Barraclough

        Reviewed by Oliver Hunt.
        https://bugs.webkit.org/show_bug.cgi?id=63497
        Add DEBUG_WITH_BREAKPOINT support to the DFG JIT.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-06-27  Juan C. Montemayor

        Reviewed by Mark Rowe.

        Indirectly including TextPosition.h and XPathGrammar.h causes compile errors
        https://bugs.webkit.org/show_bug.cgi?id=63392

        When both TextPosition.h and XPathGrammar.h are included a compile-error
        is caused, since XPathGrammar.h defines a macro called NUMBER and
        TextPosition has a typedef named NUMBER.

        * wtf/text/TextPosition.h:
        (WTF::TextPosition::TextPosition):
        (WTF::TextPosition::minimumPosition):
        (WTF::TextPosition::belowRangePosition):

2011-06-27  Filip Pizlo

        Reviewed by Gavin Barraclough.

        DFG JIT does not perform put_by_id caching.
        https://bugs.webkit.org/show_bug.cgi?id=63409

        * bytecode/StructureStubInfo.h:
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addPropertyAccess):
        (JSC::DFG::JITCompiler::PropertyAccessRecord::PropertyAccessRecord):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgRepatchByIdSelfAccess):
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::appropriatePutByIdFunction):
        (JSC::DFG::tryCachePutByID):
        (JSC::DFG::dfgRepatchPutByID):
        * dfg/DFGRepatch.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-06-27  Gustavo Noronha Silva

        Unreviewed build fix.

        One more file missing during distcheck, for the MIPS build.

        * GNUmakefile.list.am:

2011-06-26  Filip Pizlo

        Reviewed by Gavin Barraclough.

        DFG non-speculative JIT has potentially harmful speculations with respect to arithmetic operations.
        https://bugs.webkit.org/show_bug.cgi?id=63347

        * dfg/DFGNonSpeculativeJIT.cpp:
        - Changed arithmetic operations to speculate in favor of integers.
        (JSC::DFG::NonSpeculativeJIT::valueToNumber):
        (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
        (JSC::DFG::NonSpeculativeJIT::basicArithOp):
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGNonSpeculativeJIT.h:
        * dfg/DFGOperations.cpp:
        - Added slow-path routines for arithmetic that perform no speculation;
          the non-speculative JIT will generate calls to these in cases where
          its speculation fails.
        * dfg/DFGOperations.h:

2011-06-24  Nikolas Zimmermann

        Reviewed by Rob Buis.

        Integrate SVG Fonts within GlyphPage concept, removing the special SVG code paths from Font, making it possible to reuse the simple text code path for SVG Fonts
        https://bugs.webkit.org/show_bug.cgi?id=59085

        * wtf/Platform.h: Force Qt-EWS into a full rebuild, otherwise this patch breaks the EWS.

2011-06-24  Michael Saboff

        Reviewed by Gavin Barraclough.

        Arm Assembler, Immediate stack offset values truncated to 8 bits for add & sub
        https://bugs.webkit.org/show_bug.cgi?id=63345

        The methods ARMThumbImmediate::getUInt9 and ARMThumbImmediate::getUInt10
        return 9 and 10 bit quantities, therefore changed their return type from
        uint8_t to uint16_t.  Also casted the places where they are used as they
        are currently shifted and used as 7 or 8 bit values.  These methods are
        currently used for literals for stack offsets, including creating and
        destroying stack frames.  The prior truncation of the upper bits caused
        stack frames to be too small, thus allowing a JIT'ed function to access
        and overwrite stack space outside of the incorrectly sized stack frame.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMThumbImmediate::getUInt9):
        (JSC::ARMThumbImmediate::getUInt10):
        (JSC::ARMv7Assembler::add):
        (JSC::ARMv7Assembler::ldr):
        (JSC::ARMv7Assembler::str):
        (JSC::ARMv7Assembler::sub):
        (JSC::ARMv7Assembler::sub_S):

2011-06-24  Michael Saboff

        Reviewed by Geoffrey Garen.
        releaseFastMallocFreeMemory doesn't adjust free counts for scavenger
        https://bugs.webkit.org/show_bug.cgi?id=63015

        Added code to adjust class TCMalloc_PageHeap variables free_committed_pages_
        and min_free_committed_pages_since_last_scavenge_ in ReleaseFreeList().
        These adjustments are a bug.  These need to reflect the pages that are
        released in ReleaseFreeList so that scavenge doesn't try to free that many
        pages as well.  Made ReleaseFreeList a member of TCMalloc_PageHeap in the
        process.  Updated Check() and helper method CheckList() to check the number
        of actual free pages with free_committed_pages_.

        The symptom of the problem of the existing code is that the scavenger may
        run unnecessarily without any real work to do, i.e. pages on the free lists.
        The scavenger would also end up freeing too many pages, that is going below
        the current 528 target free pages.

        Note that the style of the changes was kept consistent with the existing
        style.

        * wtf/FastMalloc.cpp:
        (WTF::TCMalloc_PageHeap::Check):
        (WTF::TCMalloc_PageHeap::CheckList):
        (WTF::TCMalloc_PageHeap::ReleaseFreeList):

2011-06-24  Abhishek Arya

        Reviewed by Darin Adler.

        Match other clampTo* functions in style with clampToInteger(float) function.
        https://bugs.webkit.org/show_bug.cgi?id=53449

        * wtf/MathExtras.h:
        (clampToInteger):
        (clampToFloat):
        (clampToPositiveInteger):

2011-06-24  Sheriff Bot

        Unreviewed, rolling out r89594.
        http://trac.webkit.org/changeset/89594
        https://bugs.webkit.org/show_bug.cgi?id=63316

        It broke 5 tests on the Qt bot (Requested by Ossy_DC on #webkit).

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * icu/unicode/uscript.h: Removed.
        * wtf/unicode/ScriptCodesFromICU.h: Removed.
        * wtf/unicode/brew/UnicodeBrew.h:
        * wtf/unicode/glib/UnicodeGLib.h:
        * wtf/unicode/icu/UnicodeIcu.h:
        * wtf/unicode/qt4/UnicodeQt4.h:
        * wtf/unicode/wince/UnicodeWinCE.h:

2011-06-23  Filip Pizlo

        Reviewed by Gavin Barraclough.
        DFG non-speculative JIT should have obvious optimizations for GetById and GetByVal
        https://bugs.webkit.org/show_bug.cgi?id=63173

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::cachedGetById):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-06-23  Oliver Hunt

        Fix Qt again.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::readPointer):

2011-06-23  Oliver Hunt

        Fix Qt Build

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::readPointer):

2011-06-23  Stephanie Lewis

        Reviewed by Darin Adler.

        https://bugs.webkit.org/show_bug.cgi?id=63298
        Replace Malloc with FastMalloc to match the rest of wtf.

        * wtf/BlockStack.h:
        (WTF::::~BlockStack):
        (WTF::::grow):
        (WTF::::shrink):

2011-06-23  Oliver Hunt

        Reviewed by Gavin Barraclough.

        Add the ability to dynamically modify linked call sites
        https://bugs.webkit.org/show_bug.cgi?id=63291

        Add JITWriteBarrier as a writebarrier class that allows reading and
        writing directly into the code stream.  This required adding logic to
        all the assemblers to allow us to read values back out of the
        instruction stream.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::readPointer):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::readPointer):
        (JSC::ARMv7Assembler::readInt32):
        (JSC::ARMv7Assembler::decodeTwoWordOp5i6Imm4Reg4EncodedImmFirst):
        (JSC::ARMv7Assembler::decodeTwoWordOp5i6Imm4Reg4EncodedImmSecond):
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::readPointer):
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::readInt32):
        (JSC::MIPSAssembler::readPointer):
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::operator!):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::readPCrelativeAddress):
        (JSC::SH4Assembler::readPointer):
        (JSC::SH4Assembler::readInt32):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::readPointer):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):
        * bytecode/CodeBlock.h:
        (JSC::MethodCallLinkInfo::seenOnce):
        (JSC::MethodCallLinkInfo::setSeen):
        * heap/MarkStack.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        (JSC::JIT::linkCall):
        (JSC::JIT::linkConstruct):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::patchMethodCallProto):
        * jit/JITPropertyAccess32_64.cpp:
        * jit/JITWriteBarrier.h: Added.
        (JSC::JITWriteBarrierBase::operator UnspecifiedBoolType*):
        (JSC::JITWriteBarrierBase::operator!):
        (JSC::JITWriteBarrierBase::setFlagOnBarrier):
        (JSC::JITWriteBarrierBase::isFlagged):
        (JSC::JITWriteBarrierBase::setLocation):
        (JSC::JITWriteBarrierBase::location):
        (JSC::JITWriteBarrierBase::JITWriteBarrierBase):
        (JSC::JITWriteBarrierBase::set):
        (JSC::JITWriteBarrierBase::get):
        (JSC::JITWriteBarrier::JITWriteBarrier):
        (JSC::JITWriteBarrier::set):
        (JSC::JITWriteBarrier::get):
        (JSC::MarkStack::append):

2011-06-23  Gavin Barraclough

        Reviewed by Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=61585
        Crash running regexp /(?:(?=g))|(?:m).{2147483648,}/

        This is due to use of int instead of unsigned, bad math around the 2^31 boundary.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::emitDisjunction):
            - Change some uses of int to unsigned, refactor compare logic to
              restrict to the range 0..2^32-1 (rather than -2^32-1..2^32-1).
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generate):
        (JSC::Yarr::YarrGenerator::backtrack):
            - Ditto.

2011-06-22  Gavin Barraclough

        Reviewed by Sam Weinig.

        https://bugs.webkit.org/show_bug.cgi?id=63218
        DFG JIT - remove machine type guarantees from graph

        The DFG JIT currently makes assumptions about the types of machine registers
        that certain nodes will be loaded into.  This will be broken as we generate
        nodes to produce both integer and double code paths.  Remove int<->double
        conversion nodes.  This design decision also gave rise to multiple types of
        constant nodes, requiring separate handling for each type.  Merge these back
        into JSConstant.

        * dfg/DFGAliasTracker.h:
        (JSC::DFG::AliasTracker::equalIgnoringLaterNumericConversion):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getToInt32):
        (JSC::DFG::ByteCodeParser::getToNumber):
        (JSC::DFG::ByteCodeParser::toInt32):
        (JSC::DFG::ByteCodeParser::toNumber):
        (JSC::DFG::ByteCodeParser::isInt32Constant):
        (JSC::DFG::ByteCodeParser::isDoubleConstant):
        (JSC::DFG::ByteCodeParser::valueOfInt32Constant):
        (JSC::DFG::ByteCodeParser::valueOfDoubleConstant):
        (JSC::DFG::ByteCodeParser::one):
        (JSC::DFG::ByteCodeParser::predictInt32):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::silentFillGPR):
        (JSC::DFG::JITCodeGenerator::silentFillFPR):
        (JSC::DFG::JITCodeGenerator::isJSConstant):
        (JSC::DFG::JITCodeGenerator::isDoubleConstant):
        (JSC::DFG::JITCodeGenerator::valueOfJSConstantAsImmPtr):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::fillNumericToDouble):
        (JSC::DFG::JITCompiler::fillInt32ToInteger):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::isJSConstant):
        (JSC::DFG::JITCompiler::isInt32Constant):
        (JSC::DFG::JITCompiler::isDoubleConstant):
        (JSC::DFG::JITCompiler::valueOfJSConstant):
        (JSC::DFG::JITCompiler::valueOfInt32Constant):
        (JSC::DFG::JITCompiler::valueOfDoubleConstant):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::isConstant):
        (JSC::DFG::Node::notTakenBytecodeOffset):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::isKnownInteger):
        (JSC::DFG::NonSpeculativeJIT::isKnownNumeric):
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
        (JSC::DFG::SpeculativeJIT::compile):

2011-06-23  Jungshik Shin

        Reviewed by Alexey Proskuryakov.

        Add ScriptCodesFromICU.h to wtf/unicode and make necessary changes
        in build files for ports not using ICU.
        Add icu/unicode/uscript.h for ports using ICU. It's taken from
        ICU 3.6 (the version used on Mac OS 10.5)

        http://bugs.webkit.org/show_bug.cgi?id=20797

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * icu/unicode/uscript.h: Added for UScriptCode enum.
        * wtf/unicode/ScriptCodesFromICU.h: UScriptCode enum added.
        * wtf/unicode/icu/UnicodeIcu.h:
        * wtf/unicode/brew/UnicodeBrew.h:
        * wtf/unicode/glib/UnicodeGLib.h:
        * wtf/unicode/qt4/UnicodeQt4.h:
        * wtf/unicode/wince/UnicodeWinCE.h:

2011-06-23  Ryuan Choi

        Reviewed by Andreas Kling.

        [EFL][WK2] Add PLATFORM(EFL) to use UNIX_DOMAIN_SOCKETS.
        https://bugs.webkit.org/show_bug.cgi?id=63228

        * wtf/Platform.h: Add PLATFORM(EFL) guard.

2011-06-23  Sheriff Bot

        Unreviewed, rolling out r89547.
        http://trac.webkit.org/changeset/89547
        https://bugs.webkit.org/show_bug.cgi?id=63252

        "Chromium crash on start" (Requested by yurys on #webkit).

        * wtf/DynamicAnnotations.cpp:
        (WTFAnnotateBenignRaceSized):
        (WTFAnnotateHappensBefore):
        (WTFAnnotateHappensAfter):
        * wtf/DynamicAnnotations.h:

2011-06-23  Timur Iskhodzhanov

        Reviewed by David Levin.
        Make dynamic annotations weak symbols and prevent identical code folding by the linker
        https://bugs.webkit.org/show_bug.cgi?id=62443

        * wtf/DynamicAnnotations.cpp:
        (WTFAnnotateBenignRaceSized):
        (WTFAnnotateHappensBefore):
        (WTFAnnotateHappensAfter):
        * wtf/DynamicAnnotations.h:

2011-06-22  Yael Aharon

        Reviewed by Andreas Kling.

        [Qt] Add a build flag for building with libxml2 and libxslt.
        https://bugs.webkit.org/show_bug.cgi?id=63113

        * wtf/Platform.h:

2011-06-22  Sheriff Bot

        Unreviewed, rolling out r89489.
        http://trac.webkit.org/changeset/89489
        https://bugs.webkit.org/show_bug.cgi?id=63203

        Broke chromium mac build on build.webkit.org (Requested by abarth on #webkit).

        * wtf/Platform.h:

2011-06-22  Cary Clark

        Reviewed by Darin Fisher.

        Use Skia if Skia on Mac Chrome is enabled
        https://bugs.webkit.org/show_bug.cgi?id=62999

        * wtf/Platform.h:
        Add switch to use Skia if, externally,
        Skia has been enabled by a gyp define.

2011-06-22  Geoffrey Garen

        Reviewed by Oliver Hunt.

        * interpreter/RegisterFile.h: Removed unnecessary #include .

2011-06-22  Geoffrey Garen

        Reviewed by Oliver Hunt.

        Removed the conceit that global variables are local variables when running global code
        https://bugs.webkit.org/show_bug.cgi?id=63106

        This is required for write barrier correctness.

        SunSpider reports about a 0.5% regression, mostly from bitops-bitwise-and.js.
        I was able to reduce the regression with a tiny peephole optimization in
        the bytecompiler, but not eliminate it. I'm committing this assuming that
        turning on generational GC will win back at least 0.5%.

        (FWIW, the DFG JIT can easily eliminate any regression by sharing loads of
        the global object's var storage. I considered doing the same kind of
        optimization in the existing JIT, but it seemed like moving in the wrong
        direction.)

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addGlobalVar):
        (JSC::BytecodeGenerator::BytecodeGenerator): Don't give global variables
        negative indices, since they're no longer negatively offset from the
        current stack frame. Do give global variables monotonically increasing
        positive indices, since that's much easier to work with. Don't limit the
        number of optimizable global variables, since it's no longer limited by
        the register file, since they're no longer stored in the register file.

        (JSC::BytecodeGenerator::registerFor): Global code never has any local
        registers because a var in global code is actually a property of the
        global object.

        (JSC::BytecodeGenerator::constRegisterFor): Ditto.

        (JSC::BytecodeGenerator::emitResolve): Did a tiny bit of constant
        propagation and dead code elimination to speed up our compiles and
        reduce WTFs / minute.

        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::registerFor): Removed special handling of globals.

        (JSC::BytecodeGenerator::shouldOptimizeLocals): Don't optimize locals in
        global code, since there are none.

        (JSC::BytecodeGenerator::canOptimizeNonLocals): Do optimize non-locals
        in global code (i.e., global vars), since there are some.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::callEval):
        (JSC::Interpreter::Interpreter):
        (JSC::Interpreter::dumpRegisters):
        (JSC::Interpreter::execute):
        * interpreter/Interpreter.h: Updated for deleted / renamed code.

        * interpreter/RegisterFile.cpp:
        (JSC::RegisterFile::gatherConservativeRoots):
        (JSC::RegisterFile::releaseExcessCapacity): Updated for deleted / renamed
        data members.

        * interpreter/RegisterFile.h:
        (JSC::RegisterFile::begin):
        (JSC::RegisterFile::size):
        (JSC::RegisterFile::RegisterFile):
        (JSC::RegisterFile::shrink): Removed all code and comments dealing with
        global variables stored in the register file.

        (JSC::RegisterFile::grow): Updated for same.

        Also, a slight correctness fix: Test the VM commit end, and not just the
        in-use end, when checking for stack overflow. In theory, it's invalid to
        commit past the end of your allocation, even if you never touch that
        memory. This makes the usable size of the stack slightly smaller. No
        test because we don't know of any case in practice where this crashes.

        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData): Updated for changes above.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::resizeRegisters):
        (JSC::JSGlobalObject::addStaticGlobals):
        * runtime/JSGlobalObject.h: Simplified globals to have monotonically
        increasing indexes, always located in our external storage.

2011-06-21  MORITA Hajime

        Unreviewed, rolling out r89401 and r89403.
        http://trac.webkit.org/changeset/89401
        http://trac.webkit.org/changeset/89403
        https://bugs.webkit.org/show_bug.cgi?id=62970

        Breaks mac build and mistakenly enables the spellcheck API

        * Configurations/FeatureDefines.xcconfig:
        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-06-21  Kent Tamura

        [Mac] Sort Xcode project files.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-06-20  MORITA Hajime

        Reviewed by Kent Tamura.

        Spellcheck API should be build-able.
        https://bugs.webkit.org/show_bug.cgi?id=62970

        No new tests, changing only build related files

        * Configurations/FeatureDefines.xcconfig:

2011-06-21  Geoffrey Garen

        Reviewed by Oliver Hunt.

        Moved 'const' off the global-variable-as-local-variable crack pipe
        https://bugs.webkit.org/show_bug.cgi?id=63105

        This is necessary for moving the rest of the code off of same.

        Many problems remain in our handling of const. I have fixed none of them.

        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::scopeChain): New accessor, needed to enable const
        to directly implement its unique scoping rules.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::PrefixResolveNode::emitBytecode): Do specify that our resolve is for
        writing, so we don't overwrite const variables.

        (JSC::ConstDeclNode::emitCodeSingle): Don't assume that all declared const
        variables are available as local variables, since this won't be the case
        once global variables are not available as local variables. Instead, use
        put_scoped_var in the case where there is no local variable. Like a local
        variable, put_scoped_var succeeds even though const properties are
        read-only, since put_scoped_var skips read-only checks. (Yay?)

2011-06-21  Oliver Hunt

        Reviewed by Alexey Proskuryakov.

        REGRESSION(r89257): It broke 2 jscore tests (Requested by Ossy_away on #webkit).
        https://bugs.webkit.org/show_bug.cgi?id=63052

        Release mode only failure, the stack overflow guards were getting their
        error handling inlined, so that they were essentially causing their own
        demise.

        * parser/JSParser.cpp:
        (JSC::JSParser::updateErrorMessage):
        (JSC::JSParser::updateErrorWithNameAndMessage):

2011-06-20  Kenneth Russell

        Unreviewed.

        Rolled out r89233 and r89235 because of crashes in http/tests/misc/acid3.html on Snow Leopard and other platforms
        https://bugs.webkit.org/show_bug.cgi?id=63022

        * wtf/Platform.h:

2011-06-18  Anders Carlsson

        Reviewed by Darin Adler.

        Disallow assigning into PassOwnArrayPtr, PassOwnPtr and PassRefPtr
        https://bugs.webkit.org/show_bug.cgi?id=62940

        Remove clear() and all assignment operators except one which now has a COMPILE_ASSERT.

        * wtf/PassOwnArrayPtr.h:
        (WTF::PassOwnArrayPtr::operator=):
        * wtf/PassOwnPtr.h:
        (WTF::PassOwnPtr::operator=):
        * wtf/PassRefPtr.h:
        (WTF::PassRefPtr::operator=):
        (WTF::NonNullPassRefPtr::operator=):

2011-06-20  Oliver Hunt

        Reviewed by Darin Adler.

        REGRESSION (r79060): Searching for a flight at united.com fails
        https://bugs.webkit.org/show_bug.cgi?id=63003

        This original change also broke Twitter, and we attempted to refine the
        fix to address that problem (http://trac.webkit.org/changeset/80542),
        but since it still breaks United, we need to revert the change until we
        understand the problem better.

        * wtf/DateMath.cpp:
        (WTF::parseDateFromNullTerminatedCharacters):

2011-06-20  Juan C. Montemayor

        Reviewed by Oliver Hunt.

        No context for javascript parse errors.
        https://bugs.webkit.org/show_bug.cgi?id=62613

        Parse errors now show more details like:

        "Unexpected token: ]"
        or
        "Expected token: while"

        For reserved names, numbers, identifiers, strings, lexer errors, and EOFs,
        the following error messages are printed:

        "Use of reserved word: super"
        "Unexpected number: 42"
        "Unexpected identifier: "
        "Unexpected string: "foobar""
        "Invalid token character sequence: \u4023"
        "Unexpected EOF"

        * parser/JSParser.cpp:
        (JSC::JSParser::consume):
        (JSC::JSParser::getToken):
        (JSC::JSParser::getTokenName):
        (JSC::JSParser::updateErrorMessageSpecialCase):
        (JSC::JSParser::updateErrorMessage):
        (JSC::JSParser::updateErrorWithNameAndMessage):
        (JSC::jsParse):
        (JSC::JSParser::JSParser):
        (JSC::JSParser::parseProgram):
        (JSC::JSParser::parseVarDeclarationList):
        (JSC::JSParser::parseForStatement):
        (JSC::JSParser::parseBreakStatement):
        (JSC::JSParser::parseContinueStatement):
        (JSC::JSParser::parseWithStatement):
        (JSC::JSParser::parseTryStatement):
        (JSC::JSParser::parseStatement):
        (JSC::JSParser::parseFormalParameters):
        (JSC::JSParser::parseFunctionInfo):
        (JSC::JSParser::parseAssignmentExpression):
        (JSC::JSParser::parsePrimaryExpression):
        (JSC::JSParser::parseMemberExpression):
        (JSC::JSParser::parseUnaryExpression):
        * parser/JSParser.h:
        * parser/Lexer.cpp:
        (JSC::Lexer::lex):
        * parser/Parser.cpp:
        (JSC::Parser::parse):

2011-06-20  Nikolas Zimmermann

        Reviewed by Rob Buis.

        Integrate SVG Fonts within GlyphPage concept, removing the special SVG code paths from Font, making it possible to reuse the simple text code path for SVG Fonts
        https://bugs.webkit.org/show_bug.cgi?id=59085

        * wtf/Platform.h: Force Qt-EWS into a full rebuild, otherwise this patch breaks the EWS.

2011-06-19  Oliver Hunt

        Reviewed by Sam Weinig.

        Correct logic for putting errors on the correct line when handling JSONP
        https://bugs.webkit.org/show_bug.cgi?id=62962

        Minor fix for the minor fix. *sigh*

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):

2011-06-19  Oliver Hunt

        Minor fix to correct layout test results.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):

2011-06-17  Oliver Hunt

        Reviewed by Gavin Barraclough.

        JSONP is unnecessarily slow
        https://bugs.webkit.org/show_bug.cgi?id=62920

        JSONP has unfortunately become a fairly common idiom online, yet it
        triggers very poor performance in JSC as we end up doing codegen for a
        large number of property accesses that will
           * only be run once, so the vast amount of logic we dump to handle
             caching of accesses is unnecessary.
           * We are doing codegen that is directly proportional to just creating
             the object in the first place.

        This patch extends the use of the literal parser to JSONP-like structures
        in global code, handling a number of different forms I have seen online.
        In an extreme case this improves performance of JSONP by more than 2x
        due to removal of code generation and execution time, and a few
        optimisations that I made to the parser itself.

        * API/JSValueRef.cpp:
        (JSValueMakeFromJSONString):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::callEval):
        (JSC::Interpreter::execute):
        * parser/Lexer.cpp:
        (JSC::Lexer::isKeyword):
        * parser/Lexer.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * runtime/JSONObject.cpp:
        (JSC::JSONProtoFuncParse):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser::tryJSONPParse):
        (JSC::LiteralParser::makeIdentifier):
        (JSC::LiteralParser::Lexer::lex):
        (JSC::LiteralParser::Lexer::next):
        (JSC::isSafeStringCharacter):
        (JSC::LiteralParser::Lexer::lexString):
        (JSC::LiteralParser::Lexer::lexNumber):
        (JSC::LiteralParser::parse):
        * runtime/LiteralParser.h:
        (JSC::LiteralParser::LiteralParser):
        (JSC::LiteralParser::tryLiteralParse):
        (JSC::LiteralParser::Lexer::Lexer):

2011-06-18  Sheriff Bot

        Unreviewed, rolling out r89184.
        http://trac.webkit.org/changeset/89184
        https://bugs.webkit.org/show_bug.cgi?id=62927

        It broke 22 tests on all bots (Requested by Ossy_weekend on #webkit).

        * API/JSValueRef.cpp:
        (JSValueMakeFromJSONString):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::callEval):
        (JSC::Interpreter::execute):
        * parser/Lexer.cpp:
        * parser/Lexer.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * runtime/JSONObject.cpp:
        (JSC::JSONProtoFuncParse):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser::Lexer::lex):
        (JSC::isSafeStringCharacter):
        (JSC::LiteralParser::Lexer::lexString):
        (JSC::LiteralParser::Lexer::lexNumber):
        (JSC::LiteralParser::parse):
        * runtime/LiteralParser.h:
        (JSC::LiteralParser::LiteralParser):
        (JSC::LiteralParser::tryLiteralParse):
        (JSC::LiteralParser::Lexer::Lexer):
        (JSC::LiteralParser::Lexer::next):

2011-06-17  Oliver Hunt

        Reviewed by Gavin Barraclough.

        JSONP is unnecessarily slow
        https://bugs.webkit.org/show_bug.cgi?id=62920

        JSONP has unfortunately become a fairly common idiom online, yet it
        triggers very poor performance in JSC as we end up doing codegen for a
        large number of property accesses that will
           * only be run once, so the vast amount of logic we dump to handle
             caching of accesses is unnecessary.
           * We are doing codegen that is directly proportional to just creating
             the object in the first place.

        This patch extends the use of the literal parser to JSONP-like structures
        in global code, handling a number of different forms I have seen online.
        In an extreme case this improves performance of JSONP by more than 2x
        due to removal of code generation and execution time, and a few
        optimisations that I made to the parser itself.

        * API/JSValueRef.cpp:
        (JSValueMakeFromJSONString):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::callEval):
        (JSC::Interpreter::execute):
        * parser/Lexer.cpp:
        (JSC::Lexer::isKeyword):
        * parser/Lexer.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * runtime/JSONObject.cpp:
        (JSC::JSONProtoFuncParse):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser::tryJSONPParse):
        (JSC::LiteralParser::makeIdentifier):
        (JSC::LiteralParser::Lexer::lex):
        (JSC::LiteralParser::Lexer::next):
        (JSC::isSafeStringCharacter):
        (JSC::LiteralParser::Lexer::lexString):
        (JSC::LiteralParser::Lexer::lexNumber):
        (JSC::LiteralParser::parse):
        * runtime/LiteralParser.h:
        (JSC::LiteralParser::LiteralParser):
        (JSC::LiteralParser::tryLiteralParse):
        (JSC::LiteralParser::Lexer::Lexer):

2011-06-17  Geoffrey Garen

        Reviewed by Oliver Hunt.

        Moved some property access JIT code into property access JIT files
        https://bugs.webkit.org/show_bug.cgi?id=62906

        * jit/JITOpcodes.cpp:
        * jit/JITOpcodes32_64.cpp:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC::JIT::emit_op_put_scoped_var):
        (JSC::JIT::emit_op_get_global_var):
        (JSC::JIT::emit_op_put_global_var):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC::JIT::emit_op_put_scoped_var):
        (JSC::JIT::emit_op_get_global_var):
        (JSC::JIT::emit_op_put_global_var):

2011-06-17  Anders Carlsson

        Build fix.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-06-17  Geoffrey Garen

        Try to fix the Leopard build?

        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-06-16  Geoffrey Garen

        Reviewed by Oliver Hunt.

        Added some write barrier action, compiled out by default
        https://bugs.webkit.org/show_bug.cgi?id=62844

        * JavaScriptCore.exp: Build!

        * JavaScriptCore.xcodeproj/project.pbxproj: Fixed an incremental build
        issue with Heap.cpp.

        * heap/Heap.cpp:
        (JSC::Heap::writeBarrierSlowCase):
        * heap/Heap.h:
        (JSC::Heap::writeBarrier):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::isAtomAligned):
        (JSC::MarkedBlock::blockFor):
        (JSC::MarkedBlock::atomNumber):
        (JSC::MarkedBlock::ownerSetNumber):
        (JSC::MarkedBlock::addOldSpaceOwner):
        (JSC::MarkedBlock::OwnerSet::OwnerSet):
        (JSC::MarkedBlock::OwnerSet::add):
        (JSC::MarkedBlock::OwnerSet::clear):
        (JSC::MarkedBlock::OwnerSet::size):
        (JSC::MarkedBlock::OwnerSet::didOverflow):
        (JSC::MarkedBlock::OwnerSet::owners): Added a basic write barrier that
        tracks owners for regions within blocks. Currently unused.

2011-06-17  Raphael Kubo da Costa

        Reviewed by Eric Seidel.

        [EFL] Add some OwnPtr specializations for EFL types.
        For now there are specializations for Ecore_Evas and Evas_Object.
        https://bugs.webkit.org/show_bug.cgi?id=62877

        * wtf/CMakeListsEfl.txt:
        * wtf/OwnPtrCommon.h:
        * wtf/efl/OwnPtrEfl.cpp: Added.
        (WTF::deleteOwnedPtr):

2011-06-17  Joone Hur

        Reviewed by Martin Robinson.

        [GTK] Replace GdkRectangle by cairo_rectangle_int_t
        https://bugs.webkit.org/show_bug.cgi?id=60687

        Replace GdkRectangle by cairo_rectangle_int_t.

        * wtf/gobject/GTypedefs.h: Replace GdkRectangle by cairo_rectangle_int_t.

2011-06-16  Gavin Barraclough

        Reviewed by Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=53014
        ES5 strict mode keyword restrictions aren't implemented

        The following are future restricted words in strict mode code:
            implements, interface, let, package, private, protected, public,
            static, yield

        * parser/JSParser.h:
            - Add RESERVED_IF_STRICT token.
        * parser/Keywords.table:
            - Add new future restricted words.
        * parser/Lexer.cpp:
        (JSC::Lexer::parseIdentifier):
            - Check for RESERVED_IF_STRICT; in nonstrict code this is converted
              to IDENT.
        (JSC::Lexer::lex):
            - Pass strictMode flag to parseIdentifier.
        * parser/Lexer.h:
            - parseIdentifier needs a strictMode flag.
        * runtime/CommonIdentifiers.h:
            - Add identifiers for new reserved words.

2011-06-16  Gavin Barraclough

        Reviewed by Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=23611
        Multiline Javascript comments cause incorrect parsing of following script.

        From the spec:
        "A MultiLineComment [is] simply discarded if it contains no line
        terminator, but if a MultiLineComment contains one or more line
        terminators, then it is replaced with a single line terminator, which
        becomes part of the stream of inputs for the syntactic grammar."

        This may result in behavioural changes, due to automatic semicolon
        insertion.

        * parser/Lexer.cpp:
        (JSC::Lexer::parseMultilineComment):
            - Set m_terminator if we see a line terminator in a multiline
              comment.

2011-06-16  Gavin Barraclough

        Reviewed by Sam Weinig.

        https://bugs.webkit.org/show_bug.cgi?id=62824
        DFG JIT - add support for branch-fusion of compareEq, JSValue
        comparisons in SpeculativeJIT

        CompareEq of non-integer values is the most common cause of speculation
        failure.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
            - Support Equals.
        (JSC::DFG::SpeculativeJIT::compilePeepHoleEq):
            - new! - peephole optimized Eq of JSValues.
        (JSC::DFG::SpeculativeJIT::compile):
            - Add peephole optimization for CompareEq.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
            - Add support for dead nodes between compare & branch.
        (JSC::DFG::SpeculativeJIT::isInteger):
            - Added to determine which form of peephole to do in CompareEq.

2011-06-16  Geoffrey Garen

        Try to fix the Windows build.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Export
        another symbol.

        * bytecode/EvalCodeCache.h:
        * heap/HandleHeap.h:
        * heap/HeapRootVisitor.h:
        * heap/NewSpace.h:
        * runtime/ArgList.h:
        * runtime/ScopeChain.h:
        * runtime/SmallStrings.h:
        * runtime/Structure.h: Stop forward-declaring things that don't really
        exist anymore.

2011-06-16  Geoffrey Garen

        Try to fix the Mac build: Removed and re-added SlotVisitor.h to the
        Xcode project while crossing my fingers and facing west.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-06-16  Geoffrey Garen

        Build fix: Removed an incorrect symbol on Windows.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-06-16  Geoffrey Garen

        Build fix: Removed an accidental commit from the future.

        * CMakeLists.txt:

2011-06-16  Geoffrey Garen

        Reviewed by Oliver Hunt.

        Introduced SlotVisitor into the project
        https://bugs.webkit.org/show_bug.cgi?id=62820

        This resolves a class vs typedef forward declaration issue, and gives
        all exported symbols the correct names.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.xcodeproj/project.pbxproj: Build!

        * bytecode/EvalCodeCache.h:
        * heap/HandleHeap.h:
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::markRoots):
        * heap/Heap.h:
        * heap/HeapRootVisitor.h: Replaced MarkStack with SlotVisitor. Now no
        clients operate on a MarkStack.

        * heap/MarkStack.cpp:
        (JSC::SlotVisitor::visitChildren):
        (JSC::SlotVisitor::drain):
        * heap/SlotVisitor.h: Added.
        (JSC::SlotVisitor::SlotVisitor): Used 'protected' and a little cheesy
        inheritance to give SlotVisitor all the attributes of MarkStack without
        making this change giant. Over time, we will move more behavior into
        SlotVisitor and its subclasses.

        * heap/MarkStack.h:
        * heap/NewSpace.h: Replaced MarkStack with SlotVisitor. Now no clients
        operate on a MarkStack.

        * runtime/ArgList.h:
        * runtime/JSCell.h:
        * runtime/JSObject.h:
        * runtime/ScopeChain.h:
        * runtime/SmallStrings.h:
        * runtime/Structure.h: Replaced MarkStack with SlotVisitor. Now no
        clients operate on a MarkStack.

2011-06-15  Oliver Hunt

        Reviewed by Geoffrey Garen.

        Reduce memory usage of resolve_global
        https://bugs.webkit.org/show_bug.cgi?id=62765

        If we have a large number of resolve_globals in a single block start
        planting plain resolve instructions instead whenever we aren't in a
        loop. This allows us to reduce the code size for extremely large
        functions without losing the performance benefits of op_resolve_global.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::globalResolveInfoCount):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::shouldAvoidResolveGlobal):
        (JSC::BytecodeGenerator::emitResolve):
        (JSC::BytecodeGenerator::emitResolveWithBase):
        * bytecompiler/BytecodeGenerator.h:

2011-06-16  Qi Zhang

        Reviewed by Laszlo Gombos.

        [Qt] Fix building with CONFIG(use_system_icu)
        https://bugs.webkit.org/show_bug.cgi?id=62744

        Do not define WTF_USE_QT4_UNICODE if WTF_USE_ICU_UNICODE is set.

        * wtf/Platform.h:

2011-06-15  Darin Adler

        Reviewed by Adam Barth.

        Remove obsolete LOOSE_OWN_PTR code
        https://bugs.webkit.org/show_bug.cgi?id=59909

        The internal Apple dependency on this is gone now.

        * wtf/OwnArrayPtr.h: Removed constructor that takes a raw pointer, set
        function that takes a raw pointer.
        * wtf/OwnPtr.h: Removed constructor that takes a raw pointer, set
        function that takes a raw pointer.
        * wtf/PassOwnArrayPtr.h: Made constructor that takes a nullptr and
        assignment operator that takes a nullptr unconditional. Made constructor
        that takes a raw pointer private and explicit, and removed assignment
        operator that takes a raw pointer.
        * wtf/PassOwnPtr.h: Made assignment operator that takes a nullptr
        unconditional. Made constructor that takes a raw pointer private and
        explicit, and removed assignment operator that takes a raw pointer.

2011-06-15  Sam Weinig

        Reviewed by Geoffrey Garen and Gavin Barraclough.

        Make access-nsieve ~9x faster on the non-speculative path by adding
        special casing for doubles that can losslessly be converted to a
        uint32_t in getByVal and putByVal. This avoids calls to stringification
        and the hash lookup. Long term, we should try and get property of a
        getByVal and putByVal to be an integer immediate even in the
        non-speculative path.

        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        (JSC::DFG::operationPutByValInternal):

2011-06-15  Oliver Hunt

        Reviewed by Darin Adler.

        REGRESSION (r88719): 5by5.tv schedule is not visible
        https://bugs.webkit.org/show_bug.cgi?id=62720

        Problem here is that the lexer wasn't considering '$' to be a valid
        character in an identifier.

        * parser/Lexer.h:
        (JSC::Lexer::lexExpectIdentifier):

2011-06-15  Oliver Hunt

        Reviewed by Sam Weinig.

        Reduce the size of global_resolve
        https://bugs.webkit.org/show_bug.cgi?id=62738

        Reduce the code size of global_resolve in the JIT by replacing multiple
        pointer loads with a single pointer move + two offset loads.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_resolve_global):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_resolve_global):

2011-06-14  Geoffrey Garen

        Reviewed by Dan Bernstein.

        Fixed an invalid ASSERT I found while investigating
        Crash in JSC::HandleHeap::finalizeWeakHandles + 92
        https://bugs.webkit.org/show_bug.cgi?id=62699

        No test since we don't know of a way to get WebCore to deallocate the
        next-to-finalize handle, which is also the last handle in the list,
        while finalizing the second-to-last handle in the list.

        * heap/HandleHeap.h:
        (JSC::HandleHeap::deallocate): Don't ASSERT that m_nextToFinalize has a
        non-0 next() after updating it, since it is valid to update
        m_nextToFinalize to point to the tail sentinel. Do ASSERT that
        m_nextToFinalize has a non-0 next() before updating it, since it is not
        valid to update m_nextToFinalize to point past the tail sentinel. Also,
        use m_nextToFinalize consistently for clarity.

2011-06-14  Gavin Barraclough

        Reviewed by Sam Weinig.

        https://bugs.webkit.org/show_bug.cgi?id=43841
        SegmentedVector::operator== typo

        * wtf/SegmentedVector.h:
        (WTF::SegmentedVectorIterator::operator==):
        (WTF::SegmentedVectorIterator::operator!=):

2011-06-14  Oliver Hunt

        Reviewed by Gavin Barraclough.

        Constant array literals result in unnecessarily large amounts of code
        https://bugs.webkit.org/show_bug.cgi?id=62658

        Add a new version of op_new_array that simply copies values from a
        buffer we hang off of the CodeBlock, rather than generating code to
        place each entry into the registerfile, and then copying it from the
        registerfile into the array.

        This is a slight improvement on some sunspider tests, but no measurable
        overall change. That's okay though as our goal was to reduce code size
        without hurting performance.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addImmediateBuffer):
        (JSC::CodeBlock::immediateBuffer):
        * bytecode/Opcode.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addImmediateBuffer):
        (JSC::BytecodeGenerator::emitNewArray):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_array):
        (JSC::JIT::emit_op_new_array_buffer):
        * jit/JITOpcodes32_64.cpp:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JITStubs.h:

2011-06-14  Sheriff Bot

        Unreviewed, rolling out r88841.
        http://trac.webkit.org/changeset/88841
        https://bugs.webkit.org/show_bug.cgi?id=62672

        Caused many tests to crash (Requested by rniwa on #webkit).

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * bytecode/CodeBlock.h:
        * bytecode/Opcode.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewArray):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_array):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_new_array):
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:

2011-06-14  Oliver Hunt

        Reviewed by Gavin Barraclough.

        Constant array literals result in unnecessarily large amounts of code
        https://bugs.webkit.org/show_bug.cgi?id=62658

        Add a new version of op_new_array that simply copies values from a
        buffer we hang off of the CodeBlock, rather than generating code to
        place each entry into the registerfile, and then copying it from the
        registerfile into the array.

        This is a slight improvement on some sunspider tests, but no measurable
        overall change.
        That's okay though as our goal was to reduce code size without hurting
        performance.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addImmediateBuffer):
        (JSC::CodeBlock::immediateBuffer):
        * bytecode/Opcode.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addImmediateBuffer):
        (JSC::BytecodeGenerator::emitNewArray):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_array):
        (JSC::JIT::emit_op_new_array_buffer):
        * jit/JITOpcodes32_64.cpp:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JITStubs.h:

2011-06-14  Stephanie Lewis

        Rubber stamped by Oliver Hunt.

        Update order files.

        * JavaScriptCore.order:

2011-06-14  Sam Weinig

        Reviewed by Geoffrey Garen.

        Fix dumping of constants to have the correct constant number.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):

2011-06-14  Benjamin Poulain

        Reviewed by Eric Seidel.

        KeywordLookupGenerator's Trie does not work with Python 3
        https://bugs.webkit.org/show_bug.cgi?id=62635

        With Python 3, dict.items() returns an iterator. Since the iterator
        protocol changed between Python 2 and 3, the easiest way to get the
        values is to have something that uses the iterator implicitly, like a
        for() loop.

        * KeywordLookupGenerator.py:

2011-06-13  Oliver Hunt

        Reviewed by Gavin Barraclough.

        Fix llocp and lvalp names in the lexer to something more meaningful
        https://bugs.webkit.org/show_bug.cgi?id=62605

        A simple rename

        * parser/Lexer.cpp:
        (JSC::Lexer::parseIdentifier):
        (JSC::Lexer::parseString):
        (JSC::Lexer::lex):
        * parser/Lexer.h:
        (JSC::Lexer::lexExpectIdentifier):

2011-06-13  Oliver Hunt

        Reviewed by Gavin Barraclough.

        Make it possible to inline the common case of identifier lexing
        https://bugs.webkit.org/show_bug.cgi?id=62600

        Add a lexing function that expects to lex a "normal" alpha numeric
        identifier (that ignores keywords) so it's possible to inline the common
        parsing cases. This comes out as a reasonable parsing speed boost.

        * parser/JSParser.cpp:
        (JSC::JSParser::nextExpectIdentifier):
        (JSC::JSParser::parseProperty):
        (JSC::JSParser::parseMemberExpression):
        * parser/Lexer.cpp:
        * parser/Lexer.h:
        (JSC::Lexer::makeIdentifier):
        (JSC::Lexer::lexExpectIdentifier):

2011-06-13  Xan Lopez

        Reviewed by Martin Robinson.

        Distcheck fixes.

        * GNUmakefile.am:
        * GNUmakefile.list.am:

2011-06-13  Oliver Hunt

        Reviewed by Simon Fraser.

        Make it possible to inline Identifier::equal
        https://bugs.webkit.org/show_bug.cgi?id=62584

        Move Identifier::equal to the Identifier header file.

        * runtime/Identifier.cpp:
        * runtime/Identifier.h:
        (JSC::Identifier::equal):

2011-06-13  Tony Chang

        Reviewed by Dimitri Glazkov.

        rename ENABLE_NEW_FLEXBOX to ENABLE_CSS3_FLEXBOX
        https://bugs.webkit.org/show_bug.cgi?id=62578

        * Configurations/FeatureDefines.xcconfig:

2011-06-13  Tony Chang

        Reviewed by Adam Barth.

        rename ENABLE_FLEXBOX to ENABLE_NEW_FLEXBOX
        https://bugs.webkit.org/show_bug.cgi?id=62545

        * Configurations/FeatureDefines.xcconfig:

2011-06-12  Patrick Gansterer

        Unreviewed. Build fix for !ENABLE(JIT) after r88604.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):

2011-06-11  Gavin Barraclough

        Reviewed by Darin Adler.

        https://bugs.webkit.org/show_bug.cgi?id=16777
        Remove #define NaN per Darin's comments.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::parseIntOverflow):
        (JSC::parseInt):
        (JSC::jsStrDecimalLiteral):
        (JSC::jsToNumber):
        (JSC::parseFloat):
        * wtf/DateMath.cpp:
        (WTF::equivalentYearForDST):
        (WTF::parseES5DateFromNullTerminatedCharacters):
        (WTF::parseDateFromNullTerminatedCharacters):
        (WTF::timeClip):
        (JSC::parseDateFromNullTerminatedCharacters):

2011-06-11  Gavin Barraclough

        Rubber stamped by Geoff Garen.

        https://bugs.webkit.org/show_bug.cgi?id=62503
        Remove JIT_OPTIMIZE_* switches

        The alternative code paths are untested, and not well maintained. These
        were useful when there was more churn in the JIT, but now are a
        maintenance overhead. Time to move on, removing.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        (JSC::JIT::linkConstruct):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        * jit/JITCall32_64.cpp:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::softModulo):
        * jit/JITPropertyAccess.cpp:
        * jit/JITPropertyAccess32_64.cpp:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        * wtf/Platform.h:

2011-06-10  Gavin Barraclough

        Reviewed by Sam Weinig.

        https://bugs.webkit.org/show_bug.cgi?id=16777
        Eliminate JSC::NaN and JSC::Inf

        There's no good reason for -K-J-S- JSC to have its own NAN and infinity
        constants. The ones in std::numeric_limits are perfectly good.
        Remove JSC::Inf, JSC::NaN, switch some cases of (isnan || isinf) to
        !isfinite.

        * API/JSCallbackObjectFunctions.h:
        (JSC::::toNumber):
        * API/JSValueRef.cpp:
        (JSValueMakeNumber):
        (JSValueToNumber):
        * JavaScriptCore.exp:
        * runtime/CachedTranscendentalFunction.h:
        (JSC::CachedTranscendentalFunction::initialize):
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        * runtime/DateInstanceCache.h:
        (JSC::DateInstanceData::DateInstanceData):
        (JSC::DateInstanceCache::reset):
        * runtime/JSCell.cpp:
        * runtime/JSCell.h:
        (JSC::JSCell::JSValue::getPrimitiveNumber):
        (JSC::JSCell::JSValue::toNumber):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::resetDateCache):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncParseInt):
        (JSC::globalFuncIsFinite):
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::toNumber):
        * runtime/JSValue.cpp:
        * runtime/JSValue.h:
        * runtime/JSValueInlineMethods.h:
        (JSC::jsNaN):
        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncMax):
        (JSC::mathProtoFuncMin):
        * runtime/NumberConstructor.cpp:
        (JSC::numberConstructorNegInfinity):
        (JSC::numberConstructorPosInfinity):
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToExponential):
        (JSC::numberProtoFuncToFixed):
        (JSC::numberProtoFuncToPrecision):
        (JSC::numberProtoFuncToString):
        * runtime/UString.cpp:
        * wtf/DecimalNumber.h:
        (WTF::DecimalNumber::DecimalNumber):
        * wtf/dtoa.cpp:
        (WTF::dtoa):

2011-06-10  Tony Chang

        Reviewed by Ojan Vafai.

        add a compile guard ENABLE(FLEXBOX)
        https://bugs.webkit.org/show_bug.cgi?id=62049

        * Configurations/FeatureDefines.xcconfig:

2011-06-10  Gavin Barraclough

        Reviewed by Sam Weinig.

        https://bugs.webkit.org/show_bug.cgi?id=55347
        "name" and "message" enumerable on *Error.prototype

        This arises from chapter 15 of the spec:
        "Every other property described in this clause has the attributes
        { [[Writable]]: true, [[Enumerable]]: false, [[Configurable]]: true }
        unless otherwise specified."
        Standardized properties are not enumerable.

        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::ErrorInstance):
        * runtime/NativeErrorPrototype.cpp:
        (JSC::NativeErrorPrototype::NativeErrorPrototype):

2011-06-09  Geoffrey Garen

        Build fix: Corrected header spelling.

        * heap/OldSpace.h:

2011-06-09  Geoffrey Garen

        Reviewed by Oliver Hunt.

        Added OldSpace to the project
        https://bugs.webkit.org/show_bug.cgi?id=62417

        Currently unused.

        Added OldSpace, the ability to iterate NewSpace vs OldSpace, and a
        per-block flag for testing whether you're in NewSpace vs OldSpace.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj: Build!

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::MarkedBlock):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::inNewSpace):
        (JSC::MarkedBlock::setInNewSpace): Added inNewSpace flag, for use in
        write barrier.

        * heap/NewSpace.cpp:
        (JSC::NewSpace::addBlock):
        (JSC::NewSpace::removeBlock):
        * heap/NewSpace.h:
        (JSC::NewSpace::forEachBlock): Added forEachBlock, to use for
        NewSpace-specific operations.

        * heap/OldSpace.cpp: Added.
        (JSC::OldSpace::OldSpace):
        (JSC::OldSpace::addBlock):
        (JSC::OldSpace::removeBlock):
        * heap/OldSpace.h: Added.
        (JSC::OldSpace::forEachBlock): New class for holding promoted blocks.
        Not in use yet.

2011-06-09  Hyowon Kim

        Reviewed by Antonio Gomes.

        [EFL] Make accelerated compositing build in Webkit-EFL
        https://bugs.webkit.org/show_bug.cgi?id=62361

        Add PLATFORM(EFL) to enable ACCELERATED_COMPOSITING on EFL port.

        * wtf/Platform.h:

2011-06-09  Gavin Barraclough

        Reviewed by Geoff Garen.

        Bug 62405 - Fix integer overflow in Array.prototype.push

        Fix geoff's review comments re static_cast.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncPush):

2011-06-09  Geoffrey Garen

        Reviewed by Oliver Hunt.

        Factored MarkedBlock set management into a helper class with a fast case
        Bloom filter
        https://bugs.webkit.org/show_bug.cgi?id=62413

        SunSpider reports a small speedup.

        This is in preparation for having ConservativeSet operate on arbitrary
        sets of MarkedBlocks, and in preparation for conservative scanning
        becoming proportionally more important than other GC activities.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.xcodeproj/project.pbxproj: Build-o.

        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::add):
        * heap/ConservativeRoots.h:
        (JSC::ConservativeRoots::ConservativeRoots): Operate on a MarkedBlockSet
        directly, instead of a Heap, so we can operate on subsets of the Heap
        instead.

        Use a TinyBloomFilter for single-cycle exclusion of most pointers. This
        is particularly important since we expect not to find our subject
        pointer in the MarkedBlock hash, and hash misses are more expensive than
        typical hash lookups because they have high collision rates.

        No need for single-pointer add() to be public anymore, since nobody uses
        it.

        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        * heap/Heap.h:
        (JSC::Heap::forEachCell):
        (JSC::Heap::forEachBlock): Use MarkedBlockSet since that's what
        ConservativeRoots relies on. Nixed contains(), since nobody uses it
        anymore.

        * heap/MarkedBlock.h:
        (WTF::MarkedBlockHash::hash): Added a faster hash taking advantage of
        the VM layout properties of MarkedBlocks.

        * heap/MarkedBlockSet.h: Added.
        (JSC::MarkedBlockSet::add):
        (JSC::MarkedBlockSet::remove):
        (JSC::MarkedBlockSet::recomputeFilter):
        (JSC::MarkedBlockSet::filter):
        (JSC::MarkedBlockSet::set):
        * heap/TinyBloomFilter.h: Added.
        (JSC::TinyBloomFilter::TinyBloomFilter):
        (JSC::TinyBloomFilter::add):
        (JSC::TinyBloomFilter::ruleOut): New helper class, used above.

        * interpreter/RegisterFile.cpp:
        (JSC::RegisterFile::gatherConservativeRoots): No need to specifically
        exclude values by tag -- the tiny bloom filter is already a
        register-register compare, so adding another "rule out" factor just
        slows things down.

2011-06-09  Gavin Barraclough

        Reviewed by Oliver Hunt.

        Bug 62405 - Fix integer overflow in Array.prototype.push

        There are three integer overflows here, leading to safe (not a security
        risk) but incorrect (non-spec-compliant) behaviour. Two overflows occur
        when calculating the new length after pushing (one in the fast version
        of push in JSArray, one in the generic version in ArrayPrototype). The
        other occurs calculating indices to write to when multiple items are
        pushed. These errors result in three test-262 failures.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncPush):
        * runtime/JSArray.cpp:
        (JSC::JSArray::put):
        (JSC::JSArray::push):

2011-06-09  Dan Bernstein

        Reviewed by Anders Carlsson.

        Add Vector::reverse()
        https://bugs.webkit.org/show_bug.cgi?id=62393

        * wtf/Vector.h:
        (WTF::Vector::reverse): Added

2011-06-08  Geoffrey Garen

        Reviewed by Oliver Hunt.

        Factored a bunch of Heap functionality into stand-alone functors
        https://bugs.webkit.org/show_bug.cgi?id=62337

        This is in preparation for making these functors operate on arbitrary
        sets of MarkedBlocks.

        * JavaScriptCore.exp: This file is a small tragedy.

        * debugger/Debugger.cpp:
        (JSC::Debugger::recompileAllJSFunctions): Updated for type change and
        rename.

        * heap/HandleHeap.h:
        (JSC::HandleHeap::forEachStrongHandle): New function for iterating all
        strong handles, so we can play along in the functor game.

        * heap/Heap.cpp:
        (JSC::CountFunctor::CountFunctor::CountFunctor):
        (JSC::CountFunctor::CountFunctor::count):
        (JSC::CountFunctor::CountFunctor::returnValue):
        (JSC::CountFunctor::ClearMarks::operator()):
        (JSC::CountFunctor::ResetAllocator::operator()):
        (JSC::CountFunctor::Sweep::operator()):
        (JSC::CountFunctor::MarkCount::operator()):
        (JSC::CountFunctor::Size::operator()):
        (JSC::CountFunctor::Capacity::operator()):
        (JSC::CountFunctor::Count::operator()):
        (JSC::CountFunctor::CountIfGlobalObject::operator()):
        (JSC::CountFunctor::TakeIfEmpty::TakeIfEmpty):
        (JSC::CountFunctor::TakeIfEmpty::operator()):
        (JSC::CountFunctor::TakeIfEmpty::returnValue):
        (JSC::CountFunctor::RecordType::RecordType):
        (JSC::CountFunctor::RecordType::typeName):
        (JSC::CountFunctor::RecordType::operator()):
        (JSC::CountFunctor::RecordType::returnValue): These functors factor out
        behavior that used to be in the functions below.

        (JSC::Heap::clearMarks):
        (JSC::Heap::sweep):
        (JSC::Heap::objectCount):
        (JSC::Heap::size):
        (JSC::Heap::capacity):
        (JSC::Heap::protectedGlobalObjectCount):
        (JSC::Heap::protectedObjectCount):
        (JSC::Heap::protectedObjectTypeCounts):
        (JSC::Heap::objectTypeCounts):
        (JSC::Heap::resetAllocator):
        (JSC::Heap::freeBlocks):
        (JSC::Heap::shrink): Factored out behavior into the functors above.

        * heap/Heap.h:
        (JSC::Heap::forEachProtectedCell):
        (JSC::Heap::forEachCell):
        (JSC::Heap::forEachBlock): Added forEach* iteration templates. I chose
        functor-based templates instead of plain iterators because they're
        simpler to implement in this case and they require a lot less code at
        the call site.

        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::VoidFunctor::returnValue): Default parent class for
        trivial functors.

        (JSC::MarkedBlock::forEachCell): Renamed forEach to forEachCell because
        we have a few different kind of "for each" now.

        * runtime/JSGlobalData.cpp:
        (WTF::Recompile::operator()):
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::recompileAllJSFunctions): Updated for type change
        and rename.

        * runtime/JSGlobalData.h: Removed globalObjectCount because it was
        unused.

2011-06-08  Mikołaj Małecki

        Reviewed by Pavel Feldman.

        Web Inspector: Crash by buffer overrun crash when serializing inspector
        object tree.
        https://bugs.webkit.org/show_bug.cgi?id=52791

        No new tests. The problem can be reproduced by trying to create
        InspectorValue from 1.0e-100 and call ->toJSONString() on this.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: export 2
        functions DecimalNumber::bufferLengthForStringExponential and
        DecimalNumber::toStringExponential.

2011-06-08  Sheriff Bot

        Unreviewed, rolling out r88404.
        http://trac.webkit.org/changeset/88404
        https://bugs.webkit.org/show_bug.cgi?id=62342

        broke win and mac build (Requested by tony^work on #webkit).

        * JavaScriptCore.gyp/JavaScriptCore.gyp:

2011-06-08  Evan Martin

        Reviewed by Adam Barth.

        [chromium] use gyp 'settings' type for settings target
        https://bugs.webkit.org/show_bug.cgi?id=62323

        The 'settings' gyp target type is for targets that exist solely for
        their settings (no build rules). The comment above this target says
        it's for this, but it incorrectly uses 'none'.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:

2011-06-08  Sailesh Agrawal

        Reviewed by Mihai Parparita.

        Chromium Mac: Enable overlay scrollbars
        https://bugs.webkit.org/show_bug.cgi?id=59756

        Enable WTF_USE_WK_SCROLLBAR_PAINTER for Chromium Mac. This allows us to
        use overlay scrollbars on future versions of Mac OS X.

        * wtf/Platform.h:

2011-06-08  Oliver Hunt

        Reviewed by Geoffrey Garen.

        Add faster lookup cache for multi character identifiers
        https://bugs.webkit.org/show_bug.cgi?id=62327

        Add a non-hash lookup for multiple character identifiers. This saves us
        from adding repeated identifiers to the ParserArena's identifier list as
        people tend to not start all their variables and properties with the
        same character and happily identifier locality works in our favour.
        * parser/ParserArena.h:
        (JSC::IdentifierArena::isEmpty):
        (JSC::IdentifierArena::clear):
        (JSC::IdentifierArena::makeIdentifier):

2011-06-08  Geoffrey Garen

        Reviewed by Oliver Hunt.

        Took some responsibilities away from NewSpace
        https://bugs.webkit.org/show_bug.cgi?id=62325

        NewSpace is basically just an allocator now. Heap acts as a
        controller, responsible for managing the set of all MarkedBlocks.

        This is in preparation for moving parts of the controller logic into
        separate helper classes that can act on arbitrary sets of
        MarkedBlocks that may or may not be in NewSpace.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::destroy):
        (JSC::Heap::allocate):
        (JSC::Heap::markRoots):
        (JSC::Heap::clearMarks):
        (JSC::Heap::sweep):
        (JSC::Heap::objectCount):
        (JSC::Heap::size):
        (JSC::Heap::capacity):
        (JSC::Heap::collect):
        (JSC::Heap::resetAllocator):
        (JSC::Heap::allocateBlock):
        (JSC::Heap::freeBlocks):
        (JSC::Heap::shrink): Moved the set of MarkedBlocks from NewSpace to
        Heap, along with all functions that operate on the set of
        MarkedBlocks. Also moved responsibility for deciding whether to
        allocate a new MarkedBlock, and for allocating it.
        * heap/Heap.h:
        (JSC::Heap::contains):
        (JSC::Heap::forEach): Ditto.
        * heap/NewSpace.cpp:
        (JSC::NewSpace::addBlock):
        (JSC::NewSpace::removeBlock):
        (JSC::NewSpace::resetAllocator):
        * heap/NewSpace.h:
        (JSC::NewSpace::waterMark):
        (JSC::NewSpace::allocate): Ditto.

2011-06-08  Geoffrey Garen

        Reviewed by Oliver Hunt.
        Some more MarkedSpace => NewSpace renaming
        https://bugs.webkit.org/show_bug.cgi?id=62305

        * JavaScriptCore.exp:
        * JavaScriptCore.order:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::destroy):
        (JSC::Heap::reportExtraMemoryCostSlowCase):
        (JSC::Heap::allocate):
        (JSC::Heap::markRoots):
        (JSC::Heap::objectCount):
        (JSC::Heap::size):
        (JSC::Heap::capacity):
        (JSC::Heap::collect):
        (JSC::Heap::isValidAllocation):
        * heap/Heap.h:
        (JSC::Heap::markedSpace):
        (JSC::Heap::contains):
        (JSC::Heap::forEach):
        (JSC::Heap::allocate):
        * runtime/JSCell.h:

2011-06-08  Kevin Ollivier

        Reviewed by Eric Seidel.

        Add export macros to profiler headers.
        https://bugs.webkit.org/show_bug.cgi?id=27551

        * profiler/Profiler.h:

2011-06-08  Kevin Ollivier

        Reviewed by Eric Seidel.

        Add export symbols to parser headers.
        https://bugs.webkit.org/show_bug.cgi?id=27551

        * parser/SourceProviderCache.h:

2011-06-08  Kevin Ollivier

        Reviewed by Eric Seidel.

        Add export symbols to interpreter headers.
        https://bugs.webkit.org/show_bug.cgi?id=27551

        * interpreter/Interpreter.h:

2011-06-08  Kevin Ollivier

        Reviewed by Eric Seidel.

        Add export symbols to debugger headers.
        https://bugs.webkit.org/show_bug.cgi?id=27551

        * debugger/Debugger.h:
        * debugger/DebuggerCallFrame.h:

2011-06-08  Geoffrey Garen

        Reviewed by Darin Adler.

        Moved MarkedSpace.* to NewSpace.* in preparation for more renaming
        https://bugs.webkit.org/show_bug.cgi?id=62268

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.h:
        * heap/MarkedBlock.h:
        * heap/MarkedSpace.cpp: Removed.
        * heap/MarkedSpace.h: Removed.
        * heap/NewSpace.cpp: Copied from Source/JavaScriptCore/heap/MarkedSpace.cpp.
        * heap/NewSpace.h: Copied from Source/JavaScriptCore/heap/MarkedSpace.h.

2011-06-08  Sheriff Bot

        Unreviewed, rolling out r88365.
        http://trac.webkit.org/changeset/88365
        https://bugs.webkit.org/show_bug.cgi?id=62301

        windows bots broken (Requested by loislo_ on #webkit).

        * JavaScriptCore.exp:

2011-06-08  Ryan Sleevi

        Reviewed by Tony Chang.

        Suppress C++0x compat warnings when compiling Chromium port with GCC 4.6
        Compiling Chromium port under GCC 4.6 produces warnings about nullptr
        https://bugs.webkit.org/show_bug.cgi?id=62242

        * JavaScriptCore.gyp/JavaScriptCore.gyp:

2011-06-08  Ademar de Souza Reis Jr.

        Reviewed by Andreas Kling.

        Webkit on SPARC Solaris has wrong endian
        https://bugs.webkit.org/show_bug.cgi?id=29407

        Bug 57256 fixed one crash on misaligned reads on sparc/solaris, but
        there are more occurrences of the same code pattern in webkit. This
        patch includes the check on these other parts of the code.

        This is a speculative fix, I don't have a sparc machine to test and
        don't know which kind of test would trigger a crash (but it's quite
        obvious that it's the same code duplicated in different files).

        * runtime/UString.h:
        (JSC::UStringHash::equal):
        * wtf/text/StringHash.h:
        (WTF::StringHash::equal):

2011-06-08  Yael Aharon

        Reviewed by Andreas Kling.

        [Qt] Build fix for building QtWebKit inside of Qt.
        https://bugs.webkit.org/show_bug.cgi?id=62280

        Remove CONFIG=staticlib, because it causes the configure script to
        add -ljavascriptcore into QtWebKit.prl.
        No new tests, as this is just a build fix.

        * JavaScriptCore.pri:

2011-06-07  Geoffrey Garen

        Reviewed by Oliver Hunt.

        Split 'reset' into 'collect' and 'resetAllocator'
        https://bugs.webkit.org/show_bug.cgi?id=62267

        * heap/Heap.cpp:
        (JSC::Heap::allocate):
        (JSC::Heap::collectAllGarbage):
        (JSC::Heap::collect):
        * heap/Heap.h:
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::resetAllocator):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::resetAllocator):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::SizeClass::resetAllocator):

2011-06-07  Geoffrey Garen

        Reviewed by Sam Weinig.
        Renamed some more marks to visits
        https://bugs.webkit.org/show_bug.cgi?id=62254

        * heap/HandleHeap.cpp:
        (JSC::HandleHeap::visitStrongHandles):
        (JSC::HandleHeap::visitWeakHandles):
        * heap/HandleHeap.h:
        * heap/HandleStack.cpp:
        (JSC::HandleStack::visit):
        * heap/HandleStack.h:
        * heap/Heap.cpp:
        (JSC::Heap::markProtectedObjects):
        (JSC::Heap::markTempSortVectors):
        (JSC::Heap::markRoots):
        * heap/HeapRootVisitor.h:
        (JSC::HeapRootVisitor::visit):
        * runtime/ArgList.cpp:
        (JSC::MarkedArgumentBuffer::markLists):

2011-06-07  Gavin Barraclough

        Reviewed by Sam Weinig.

        https://bugs.webkit.org/show_bug.cgi?id=55537
        Functions claim to have 'callee' which they actually don't (and shouldn't)

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertyNames):

2011-06-07  Juan C. Montemayor

        Reviewed by Darin Adler.

        Make JSStaticFunction and JSStaticValue less "const"
        https://bugs.webkit.org/show_bug.cgi?id=62222

        * API/JSObjectRef.h:
        * API/tests/testapi.c:
        (checkConstnessInJSObjectNames):
        (main):
        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-06-07  Gavin Barraclough

        Reviewed by Sam Weinig.

        https://bugs.webkit.org/show_bug.cgi?id=62240
        DFG JIT - add support for for-loop array initialization.

        Support put by val beyond vector length.
        Add an operationPutByValBeyondArrayBounds operation, make PutValVal
        call this if the vector length check fails.
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::silentSpillGPR):
        (JSC::DFG::JITCodeGenerator::silentFillGPR):
        (JSC::DFG::JITCodeGenerator::silentSpillAllRegisters):
        (JSC::DFG::JITCodeGenerator::isDoubleConstantWithInt32Value):
        (JSC::DFG::JITCodeGenerator::isJSConstantWithInt32Value):
        (JSC::DFG::JITCodeGenerator::isIntegerConstant):
        (JSC::DFG::JITCodeGenerator::valueOfIntegerConstant):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:

2011-06-06  James Simonsen

        Reviewed by James Robinson.

        Add monotonicallyIncreasingTime() to get monotonically increasing time
        https://bugs.webkit.org/show_bug.cgi?id=37743

        * wtf/CurrentTime.cpp: Add monotonicallyIncreasingTime() for mac and a
        fallback implementation that just wraps currentTime().
        (WTF::monotonicallyIncreasingTime):
        * wtf/CurrentTime.h: Add monotonicallyIncreasingTime().

2011-06-06  Alexandru Chiculita

        Reviewed by Kent Tamura.

        Add ENABLE_CSS_EXCLUSIONS support for build-webkit script
        https://bugs.webkit.org/show_bug.cgi?id=61628

        * Configurations/FeatureDefines.xcconfig:

2011-06-06  Mihnea Ovidenie

        Reviewed by Kent Tamura.

        Add ENABLE(CSS_REGIONS) guard for CSS Regions support
        https://bugs.webkit.org/show_bug.cgi?id=61631

        * Configurations/FeatureDefines.xcconfig:

2011-06-06  Carlos Garcia Campos

        Unreviewed. Fix the GTK+ build.

        * GNUmakefile.am: Add javascriptcore_cflags variable.

2011-06-04  Kevin Ollivier

        [wx] Unreviewed build fix. Restore the PPC build and allow users to
        specify architectures to build on Mac.

        * wtf/Platform.h:

2011-06-04  Gustavo Noronha Silva

        Unreviewed, MIPS build fix.

        WebKitGTK+ tarball fails to build on MIPS.
        https://buildd.debian.org/status/fetch.php?pkg=webkitgtk%2B&arch=mips&ver=1.4.0-1&stamp=1304786691

        * GNUmakefile.list.am: Add missing MIPS-related file to the list of
        files that are added to the tarball on make dist, and fix sorting.
2011-06-04  Sam Weinig

        Reviewed by Darin Adler.

        Fix formatting of the output generated by KeywordLookupGenerator.py
        https://bugs.webkit.org/show_bug.cgi?id=62083

        - Uses correct year for copyright.
        - Puts ending brace on same line as "else if"
        - Puts starting brace of function on its own line.
        - Adds some tasteful whitespace.
        - Adds comments to make clear that scopes are ending
        - Make macros actually split on two lines.

        * KeywordLookupGenerator.py:

2011-06-04  Adam Barth

        Reviewed by Eric Seidel.

        KeywordLookupGenerator.py spams stdout in Chromium Linux build
        https://bugs.webkit.org/show_bug.cgi?id=62087

        This action does not appear to be needed.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:

2011-06-03  Oliver Hunt

        Reviewed by Maciej Stachowiak.

        Lexer needs to provide Identifier for reserved words
        https://bugs.webkit.org/show_bug.cgi?id=62086

        Alas it is necessary to provide an Identifier reference for keywords
        so that we can do the right thing when they're used in object
        literals. We now keep Identifiers for all reserved words in the
        CommonIdentifiers structure so that we can access them without a
        hash lookup.

        * KeywordLookupGenerator.py:
        * parser/Lexer.cpp:
        (JSC::Lexer::parseIdentifier):
        * parser/Lexer.h:
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        * runtime/CommonIdentifiers.h:

2011-06-03  Gavin Barraclough

        Reviewed by Sam Weinig.

        Add debug code to break on speculation failures.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGNode.h:

2011-06-03  Gavin Barraclough

        Reviewed by Sam Weinig.

        https://bugs.webkit.org/show_bug.cgi?id=62082
        DFG JIT - bug passing arguments that need swap

        This is really just a typo. When setting up the arguments for a call
        out to a C operation, we'll fail to swap arguments where this is
        necessary.
        For example, in the case of 2 arg calls, where the first argument is
        in %rdx & the second is in %rsi we should swap (exec will be passed
        in %rdi), but we don't. This can also affect function calls passing
        three arguments.

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::setupTwoStubArgs):
            - Call swap with the correct arguments.

2011-06-03  Oliver Hunt

        Reviewed by Gavin Barraclough.

        Force inlining of some hot lexer functions
        https://bugs.webkit.org/show_bug.cgi?id=62079

        Fix more GCC stupidity

        * parser/Lexer.h:
        (JSC::Lexer::isWhiteSpace):
        (JSC::Lexer::isLineTerminator):

2011-06-03  Oliver Hunt

        Reviewed by Gavin Barraclough.

        GCC not inlining some functions that it really should be
        https://bugs.webkit.org/show_bug.cgi?id=62075

        Add ALWAYS_INLINE to a number of parsing and lexing functions that
        should always be inlined. This gets us ~1.4% on my ad hoc parser test.

        * KeywordLookupGenerator.py:
        * parser/JSParser.cpp:
        (JSC::JSParser::next):
        (JSC::JSParser::nextTokenIsColon):
        (JSC::JSParser::consume):
        (JSC::JSParser::match):
        (JSC::JSParser::tokenStart):
        (JSC::JSParser::tokenLine):
        (JSC::JSParser::tokenEnd):
        * parser/Lexer.cpp:
        (JSC::isIdentPart):

2011-06-03  Oliver Hunt

        Whoops, fix last minute bug.

        * parser/Lexer.cpp:
        (JSC::Lexer::parseIdentifier):

2011-06-03  Martin Robinson

        Try to fix the GTK+ build.

        * GNUmakefile.am: Clean up some spaces that should be tabs.
        * GNUmakefile.list.am: Add KeywordLookup.h to the source list and
        clean up some spaces that should be tabs.

2011-06-03  Oliver Hunt

        Reviewed by Geoffrey Garen.

        Improve keyword lookup
        https://bugs.webkit.org/show_bug.cgi?id=61913

        Rather than doing multiple hash lookups as we currently do when
        trying to identify keywords we now use an automatically generated
        decision tree (essentially it's a hard coded patricia trie). We still
        use the regular lookup table for the last few characters of an input
        as this allows us to completely skip all bounds checks.
        * CMakeLists.txt:
        * DerivedSources.make:
        * DerivedSources.pro:
        * GNUmakefile.am:
        * JavaScriptCore.gyp/JavaScriptCore.gyp:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * KeywordLookupGenerator.py: Added.
        * make-generated-sources.sh:
        * parser/Lexer.cpp:
        (JSC::Lexer::internalShift):
        (JSC::Lexer::shift):
        (JSC::Lexer::parseIdentifier):
        * parser/Lexer.h:

2011-06-03  Siddharth Mathur

        Reviewed by Benjamin Poulain.

        [Qt] Build flag for experimental ICU library support
        https://bugs.webkit.org/show_bug.cgi?id=60786

        Adds a build-time flag (CONFIG+=use_system_icu) that enables
        experimental ICU powered Unicode support.

        * JavaScriptCore.pri: Support for use_system_icu CONFIG flag.
        * wtf/unicode/qt4/UnicodeQt4.h: Guard an include file with USE(ICU_UNICODE).

2011-06-03  Alexis Menard

        Reviewed by Benjamin Poulain.

        [Qt] Build fix of QtWebKit 2.2 when inside Qt tree with GCC 4.6.
        https://bugs.webkit.org/show_bug.cgi?id=61957

        When building inside the Qt source tree, qmake always appends the
        mkspecs defines after ours. We have to workaround and make sure that
        we append our flags after the qmake variable used inside Qt. This
        workaround was provided by our qmake folks. We need to append in both
        cases because qmake behaves differently when called with -spec or via
        SUBDIR+=. This patch unbreaks r87950 on Mac for Qt port.

        * JavaScriptCore.pro:

2011-06-02  Jay Civelli

        Reviewed by Adam Barth.

        Added a method to generate RFC 2822 compliant date strings.
        https://bugs.webkit.org/show_bug.cgi?id=7169

        * wtf/DateMath.cpp:
        (WTF::twoDigitStringFromNumber):
        (WTF::makeRFC2822DateString):
        * wtf/DateMath.h:

2011-06-02  Alexis Menard

        Reviewed by Andreas Kling.

        [Qt] Build fix of QtWebKit 2.2 when inside Qt tree with GCC 4.6.
        https://bugs.webkit.org/show_bug.cgi?id=61957

        When building inside the Qt source tree, qmake always appends the
        mkspecs defines after ours. We have to workaround and make sure that
        we append our flags after the qmake variable used inside Qt. This
        workaround was provided by our qmake folks.
        * JavaScriptCore.pro:

2011-06-01  Oliver Hunt

        Reviewed by Geoffrey Garen.

        Add single character lookup cache to IdentifierArena
        https://bugs.webkit.org/show_bug.cgi?id=61879

        Add a simple lookup cache for single ascii character identifiers.
        Produces around a 2% improvement in parse time for my adhoc parser
        test.

        * parser/ParserArena.h:
        (JSC::IdentifierArena::IdentifierArena):
        (JSC::IdentifierArena::clear):
        (JSC::IdentifierArena::makeIdentifier):

2011-05-31  Oliver Hunt

        Reviewed by Geoffrey Garen.

        Freezing a function and its prototype causes browser to crash.
        https://bugs.webkit.org/show_bug.cgi?id=61758

        Make JSObject::preventExtensions virtual so that we can override it
        and instantiate all lazy

        * JavaScriptCore.exp:
        * runtime/JSFunction.cpp:
        (JSC::createPrototypeProperty):
        (JSC::JSFunction::preventExtensions):
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSFunction.h:
        * runtime/JSObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::seal):
        (JSC::JSObject::seal):

2011-06-01  Sheriff Bot

        Unreviewed, rolling out r87788.
        http://trac.webkit.org/changeset/87788
        https://bugs.webkit.org/show_bug.cgi?id=61856

        breaks windows chromium canary (Requested by jknotten on #webkit).

        * wtf/DateMath.cpp:
        (WTF::timeClip):
        * wtf/DateMath.h:

2011-06-01  Jay Civelli

        Reviewed by Adam Barth.

        Added a method to generate RFC 2822 compliant date strings.
        https://bugs.webkit.org/show_bug.cgi?id=7169

        * wtf/DateMath.cpp:
        (WTF::twoDigitStringFromNumber):
        (WTF::makeRFC2822DateString):
        * wtf/DateMath.h:

2011-05-31  Yong Li

        Reviewed by Eric Seidel.

        https://bugs.webkit.org/show_bug.cgi?id=54807
        We have been assuming plain bitfields (like "int a : 31") are always
        signed integers. However some compilers can treat them as unsigned.
        For example, RVCT 4.0 states plain bitfields (declared without either
        signed or unsigned qualifiers) are treated as unsigned.
        http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0348c/Babjddhe.html

        Although we can use "--signed-bitfields" flag to make RVCT 4.0 behave
        as most other compilers, always using "signed"/"unsigned" qualifier
        to declare integral type bitfields is still a good rule we should
        have in order to make our code independent from compilers and
        compiler flags.

        No new test added because this change is not known to fix any issue.

        * bytecode/StructureStubInfo.h:

2011-05-30  Hojong Han

        Reviewed by Geoffrey Garen.

        [JSC] malfunction during arithmetic condition check with negative number (-2147483648)
        https://bugs.webkit.org/show_bug.cgi?id=61416

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branch32):
        * tests/mozilla/ecma/Expressions/11.12-1.js:
        (getTestCases):

2011-05-29  Geoffrey Garen

        Reviewed by Sam Weinig.

        Some heap refactoring
        https://bugs.webkit.org/show_bug.cgi?id=61704

        SunSpider says no change.

        * JavaScriptCore.exp: Export!

        * heap/Heap.cpp: COLLECT_ON_EVERY_ALLOCATION can actually do so now.
        (JSC::Heap::Heap): Changed Heap sub-objects to point to the heap.
        (JSC::Heap::allocate): Changed inline allocation code to only select
        the size class, since this can be optimized out at compile time --
        everything else is now inlined into this out-of-line function.
        No need to duplicate ASSERTs made in our caller.

        * heap/Heap.h:
        (JSC::Heap::heap):
        (JSC::Heap::isMarked):
        (JSC::Heap::testAndSetMarked):
        (JSC::Heap::testAndClearMarked):
        (JSC::Heap::setMarked): Call directly into MarkedBlock instead of
        adding a layer of indirection through MarkedSpace.
        (JSC::Heap::allocate): See above.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::create):
        (JSC::MarkedBlock::MarkedBlock):
        * heap/MarkedBlock.h: Changed Heap sub-objects to point to the heap.

        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::allocateBlock):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::allocate): Updated to match changes above.
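The register-overlap case from the "DFG JIT - bug passing arguments that need swap" entry (bug 62082) above, as an added example that is not JSC's code: a small model of two-argument setup under the System V x86-64 convention (exec in %rdi, the two stub arguments in %rsi and %rdx), plus an exhaustive check over every source-register pair that catches a variant which never swaps. The register enum, RegisterFile, and the setupTwoStubArgs* functions are assumed names for illustration only.

```cpp
#include <array>
#include <cstdint>
#include <utility>

// Hypothetical register model (assumed for this example, not JSC's real code).
enum GPR { rdi = 0, rsi, rdx, rcx, r8, r9, rax, rbx, NumGPRs };

// System V x86-64: exec is loaded into rdi afterwards; the two stub
// arguments must end up in rsi and rdx.
static const GPR argumentGPR1 = rsi;
static const GPR argumentGPR2 = rdx;

struct RegisterFile {
    std::array<int64_t, NumGPRs> value{};
    void move(GPR from, GPR to) { value[to] = value[from]; }
    void swap(GPR a, GPR b) { std::swap(value[a], value[b]); }
};

typedef void (*SetupFn)(RegisterFile&, GPR, GPR);

// Correct version: place arg1 (in src1) into argumentGPR1 and arg2 (in src2)
// into argumentGPR2 without clobbering either, handling each overlap case.
void setupTwoStubArgs(RegisterFile& regs, GPR src1, GPR src2)
{
    if (src1 == argumentGPR1 && src2 == argumentGPR2)
        return; // already in place

    if (src1 == argumentGPR2 && src2 == argumentGPR1) {
        // The cycle the ChangeLog describes: arg1 in rdx, arg2 in rsi.
        regs.swap(argumentGPR1, argumentGPR2);
        return;
    }

    if (src2 == argumentGPR1) {
        // arg1's destination currently holds arg2: move arg2 out first.
        regs.move(src2, argumentGPR2);
        regs.move(src1, argumentGPR1);
        return;
    }

    // No overlap, or arg2's destination holds arg1: move arg1 first.
    regs.move(src1, argumentGPR1);
    regs.move(src2, argumentGPR2);
}

// Defective variant modelling the described failure: sequential moves only,
// so any source sitting in rsi is overwritten before it is read.
void setupTwoStubArgsNoSwap(RegisterFile& regs, GPR src1, GPR src2)
{
    regs.move(src1, argumentGPR1);
    regs.move(src2, argumentGPR2);
}

// Exhaustive property check: for every distinct (src1, src2) pair, tag each
// register with a unique value and verify both arguments arrive intact.
// Returns the number of failing pairs (0 means the setup is correct).
int countFailingPairs(SetupFn setup)
{
    int failures = 0;
    for (int a = 0; a < NumGPRs; ++a) {
        for (int b = 0; b < NumGPRs; ++b) {
            if (a == b)
                continue;
            GPR src1 = static_cast<GPR>(a);
            GPR src2 = static_cast<GPR>(b);

            RegisterFile regs;
            for (int r = 0; r < NumGPRs; ++r)
                regs.value[r] = 100 + r; // constructed, unique per register

            int64_t arg1 = regs.value[src1];
            int64_t arg2 = regs.value[src2];
            setup(regs, src1, src2);

            if (regs.value[argumentGPR1] != arg1 || regs.value[argumentGPR2] != arg2)
                ++failures;
        }
    }
    return failures;
}
```

The no-swap variant fails for exactly the pairs where arg2 starts in %rsi (including the %rdx/%rsi cycle), which is what the exhaustive check reports.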
2011-05-28  David Kilzer

        BUILD FIX when building only the interpreter

        Fixes the following compiler warning:

            JavaScriptCore/runtime/JSGlobalData.cpp:462:6: error: no previous prototype for function 'releaseExecutableMemory' [-Werror,-Wmissing-prototypes,3]
            void releaseExecutableMemory(JSGlobalData& globalData)
                 ^

        * jit/ExecutableAllocator.h: Moved declaration of JSC::releaseExecutableMemory().

2011-05-28  David Kilzer

        BUILD FIX after r87527 with ENABLE(BRANCH_COMPACTION)

        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::linkCode): Added missing argument.

2011-05-27  Geoffrey Garen

        Reviewed by Oliver Hunt.

        JS API is too aggressive about throwing exceptions for NULL get or set operations
        https://bugs.webkit.org/show_bug.cgi?id=61678

        * API/JSCallbackObject.h: Changed our staticValueGetter to a regular
        function that returns a JSValue, so it can fail and still forward to
        normal property lookup.

        * API/JSCallbackObjectFunctions.h:
        (JSC::::getOwnPropertySlot): Don't throw an exception when failing to
        access a static property -- just forward the access. This allows
        objects to observe get/set operations but still let the JS object
        manage lifetime.
        (JSC::::put): Ditto.
        (JSC::::getStaticValue): Same as JSCallbackObject.h.

        * API/tests/testapi.c:
        (MyObject_set_nullGetForwardSet):
        * API/tests/testapi.js: Updated tests to reflect slightly less strict
        behavior, which matches headerdoc claims.

2011-05-27  Geoffrey Garen

        Reviewed by Oliver Hunt.

        Property caching is too aggressive for API objects
        https://bugs.webkit.org/show_bug.cgi?id=61677

        * API/JSCallbackObject.h: Opt in to ProhibitsPropertyCaching, since
        our callback APIs allow the client to change its mind about our
        properties at any time.

        * API/tests/testapi.c:
        (PropertyCatchalls_getProperty):
        (PropertyCatchalls_setProperty):
        (PropertyCatchalls_getPropertyNames):
        (PropertyCatchalls_class):
        (main):
        * API/tests/testapi.js: Some tests for dynamic API objects.
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::tryCachePutByID):
        (JSC::Interpreter::tryCacheGetByID):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::tryCachePutByID):
        (JSC::JITThunks::tryCacheGetByID):
        (JSC::DEFINE_STUB_FUNCTION): Opt out of property caching if the client requires it.

        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::TypeInfo):
        (JSC::TypeInfo::isFinal):
        (JSC::TypeInfo::prohibitsPropertyCaching):
        (JSC::TypeInfo::flags): Added a flag to track opting out of property
        caching. Fixed an "&&" vs "&" typo that was previously harmless, but
        is now harmful since m_flags2 can have more than one bit set.

2011-05-27  Stephanie Lewis

        Unreviewed.

        Fix a typo in the order_file flag.

        * Configurations/Base.xcconfig:

2011-05-27  Patrick Gansterer

        Unreviewed. Build fix for !ENABLE(ASSEMBLER) after r87527.

        * runtime/JSGlobalData.cpp:
        (JSGlobalData::JSGlobalData):

2011-05-27  Oliver Hunt

        Reviewed by Geoffrey Garen.

        Add a few validity assertions to JSCallbackObject
        https://bugs.webkit.org/show_bug.cgi?id=61659

        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::visitChildren):

2011-05-27  Oliver Hunt

        Build fix

        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::invalidateCode):

2011-05-27  Oliver Hunt

        Reviewed by Geoffrey Garen.

        Try to release unused executable memory when the FixedVMPool allocator is under pressure
        https://bugs.webkit.org/show_bug.cgi?id=61651

        Rather than crashing when full the FixedVMPool allocator now returns
        a null allocation. We replace the code that used to CRASH() on null
        allocations with logic that asks the provided globalData to release
        any executable memory that it can. Currently this just means
        throwing away all regexp code, but in future we'll try to be more
        aggressive.
        * assembler/ARMAssembler.cpp:
        (JSC::ARMAssembler::executableCopy):
        * assembler/ARMAssembler.h:
        * assembler/AssemblerBuffer.h:
        (JSC::AssemblerBuffer::executableCopy):
        * assembler/AssemblerBufferWithConstantPool.h:
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::linkCode):
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::executableCopy):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::executableCopy):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::executableCopy):
        (JSC::X86Assembler::X86InstructionFormatter::executableCopy):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * jit/ExecutableAllocator.h:
        (JSC::ExecutablePool::create):
        (JSC::ExecutablePool::alloc):
        (JSC::ExecutableAllocator::ExecutableAllocator):
        (JSC::ExecutableAllocator::poolForSize):
        (JSC::ExecutablePool::ExecutablePool):
        (JSC::ExecutablePool::poolAllocate):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolAllocator::alloc):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::finalize):
        * jit/ThunkGenerators.cpp:
        (JSC::charCodeAtThunkGenerator):
        (JSC::charAtThunkGenerator):
        (JSC::fromCharCodeThunkGenerator):
        (JSC::sqrtThunkGenerator):
        (JSC::powThunkGenerator):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::releaseExecutableMemory):
        (JSC::releaseExecutableMemory):
        * runtime/JSGlobalData.h:
        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::invalidateCode):
        * runtime/RegExpCache.h:
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::compile):

2011-05-26  Geoffrey Garen

        Reviewed by Oliver Hunt.

        Optimized ConservativeSet to avoid double-visiting objects
        https://bugs.webkit.org/show_bug.cgi?id=61592

        SunSpider thinks this might be a 1% speedup

        * heap/ConservativeRoots.h:
        (JSC::ConservativeRoots::add): Use testAndClearMarked to avoid
        double-visiting an object.

        * heap/Heap.h:
        (JSC::Heap::isMarked):
        (JSC::Heap::testAndSetMarked):
        (JSC::Heap::testAndClearMarked):
        (JSC::Heap::setMarked): Added testAndClearMarked. Changed argument
        type to void*, since clients want to ask questions about arbitrary
        pointers into the heap, even when they aren't known to be JSCells.

        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::testAndClearMarked):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::isMarked):
        (JSC::MarkedSpace::testAndSetMarked):
        (JSC::MarkedSpace::testAndClearMarked):
        (JSC::MarkedSpace::setMarked):
        (JSC::MarkedSpace::contains): Ditto.

        * wtf/Bitmap.h:
        (WTF::::testAndClear): New function for ConservativeRoots's inverted
        marking pass.

2011-05-27  Stephanie Lewis

        Rubber Stamped by Adam Roben.

        Update Order Files. Use -order_file flag since it can order more of
        the binary.

        * Configurations/Base.xcconfig:
        * JavaScriptCore.order:

2011-05-26  Geoffrey Garen

        Reviewed by Oliver Hunt.
        Renamed heapRootMarker to heapRootVisitor to match its class name
        https://bugs.webkit.org/show_bug.cgi?id=61584

        * heap/Heap.cpp:
        (JSC::Heap::markProtectedObjects):
        (JSC::Heap::markTempSortVectors):
        (JSC::Heap::markRoots):

2011-05-26  Geoffrey Garen

        Reviewed by Oliver Hunt.

        Removed some interdependency between Heap and SmallStrings by
        simplifying the SmallStrings lifetime model
        https://bugs.webkit.org/show_bug.cgi?id=61579

        SunSpider reports no change.

        Using Weak could accomplish this too, but we're not sure it will give
        us the performance we need. This is a first step, and it accomplishes
        most of the value of using Weak.

        * heap/Heap.cpp:
        (JSC::Heap::destroy):
        (JSC::Heap::markRoots):
        (JSC::Heap::reset): Finalize small strings just like other weak handles.

        * runtime/SmallStrings.cpp:
        (JSC::finalize):
        (JSC::SmallStrings::finalizeSmallStrings):
        * runtime/SmallStrings.h: Make all small strings trivially weak,
        instead of having an "all for one, one for all" memory model.

2011-05-26  Oliver Hunt

        Reviewed by Geoffrey Garen.

        Make RegExpCache a weak map
        https://bugs.webkit.org/show_bug.cgi?id=61554

        Switch to a weak map for the regexp cache, and hide that behaviour
        behind RegExp::create. When a RegExp is compiled it attempts to add
        itself to the "strong" cache. This cache is a simple round-robin
        buffer as was the old strong cache. Happily this can be smaller than
        the old strong cache as RegExps are only added when they're compiled
        so it is under less pressure to evict.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::RegExpNode::emitBytecode):
        * runtime/RegExp.cpp:
        (JSC::RegExp::RegExp):
        (JSC::RegExp::create):
        (JSC::RegExp::match):
        * runtime/RegExp.h:
        (JSC::RegExp::gcShouldInvalidateCode):
        (JSC::RegExp::hasCode):
        (JSC::RegExp::key):
        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::lookupOrCreate):
        (JSC::RegExpCache::RegExpCache):
        (JSC::RegExpCache::isReachableFromOpaqueRoots):
        (JSC::RegExpCache::finalize):
        * runtime/RegExpCache.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::constructRegExp):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncCompile):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):

2011-05-26  Geoffrey Garen

        Reviewed by Oliver Hunt.

        Moved Heap-related functions out of JSCell.h and into respective header files
        https://bugs.webkit.org/show_bug.cgi?id=61567

        * heap/Heap.h:
        (JSC::Heap::allocate):
        (JSC::Heap::heap):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::allocate):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::sizeClassFor):
        (JSC::MarkedSpace::allocate):
        * runtime/JSCell.h:
        (JSC::JSCell::destructor):

2011-05-26  Geoffrey Garen

        Try to fix Windows build.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-05-26  Ryosuke Niwa

        Reviewed by Eric Seidel.

        [debug feature] WTFString should have show() method
        https://bugs.webkit.org/show_bug.cgi?id=61149

        Added String::show and AtomicString::show in NDEBUG.

        * wtf/text/AtomicString.cpp:
        (WTF::AtomicString::show):
        * wtf/text/AtomicString.h:
        * wtf/text/WTFString.cpp:
        (String::show):
        * wtf/text/WTFString.h:

2011-05-26  Geoffrey Garen

        Reviewed by Geoffrey Garen.

        Factored out some Heap ASSERTs
        https://bugs.webkit.org/show_bug.cgi?id=61565

        * JavaScriptCore.exp:
        * heap/Heap.cpp:
        (JSC::isValidSharedInstanceThreadState):
        (JSC::isValidThreadState):
        (JSC::Heap::markRoots):
        (JSC::Heap::isValidAllocation):
        * heap/Heap.h:
        * runtime/JSCell.h:
        (JSC::JSCell::Heap::allocate):

2011-05-26  Gavin Barraclough

        Reviewed by Geoff Garen.
        https://bugs.webkit.org/show_bug.cgi?id=61508
        DFG JIT - Add support for get by id self caching.

        Change the call out to be an unexpected call (using silent spill/fill
        functions), add a structure check & compact load to the JIT code, and
        add repatching mechanisms. Since DFGOperations may want to be
        implemented in asm, make these symbols be extern "C". Add an asm
        wrapper to pass the return address to the optimizing get-by-id
        operation, so that it can look up its StructureStubInfo.

        * JavaScriptCore.xcodeproj/project.pbxproj:
            - Added new files.
        * bytecode/StructureStubInfo.h:
            - Added 'unset' entries to union.
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::appendCallWithExceptionCheck):
            - Return the call, we need this to populate the StructureStubInfo.
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
            - Populate the CodeBlock's StructureStubInfo Vector.
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::appendCallWithExceptionCheck):
            - Return the call, we need this to populate the StructureStubInfo.
        (JSC::DFG::JITCompiler::addPropertyAccess):
        (JSC::DFG::JITCompiler::PropertyAccessRecord::PropertyAccessRecord):
            - Add structures to record property access info during compilation.
        * dfg/DFGOperations.cpp:
            - Made all external methods extern "C".
        (JSC::DFG::operationPutByValInternal):
            - Moved outside of the extern "C" block.
        * dfg/DFGOperations.h:
            - Made all external methods extern "C".
        * dfg/DFGRepatch.cpp: Added.
        (JSC::DFG::dfgRepatchCall):
            - repatch a call to link to a new callee function.
        (JSC::DFG::dfgRepatchGetByIdSelf):
            - Modify the JIT code to optimize self accesses.
        (JSC::DFG::tryCacheGetByID):
            - Internal implementation of dfgRepatchGetByID (factor out failing cases).
        (JSC::DFG::dfgRepatchGetByID):
            - Used to optimize 'operationGetByIdOptimize' - repatches to
              'operationGetById', and tries to optimize self accesses!
        * dfg/DFGRepatch.h: Added.
            - Expose dfgRepatchGetByID.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
            - Changed implementation of GetById ops.

2011-05-26  Geoffrey Garen

        Rolled back in http://trac.webkit.org/changeset/87408 with Windows
        build fixed.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::MarkedBlock):
        * heap/MarkedBlock.h:
        * wtf/DoublyLinkedList.h:
        (WTF::::DoublyLinkedListNode):
        (WTF::::setPrev):
        (WTF::::setNext):
        (WTF::::prev):
        (WTF::::next):
        (WTF::::DoublyLinkedList):
        (WTF::::isEmpty):
        (WTF::::size):
        (WTF::::clear):
        (WTF::::head):
        (WTF::::append):
        (WTF::::remove):
        (WTF::::removeHead):

2011-05-26  Geoffrey Garen

        Rolled out http://trac.webkit.org/changeset/87408 because it broke
        the Windows build.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::MarkedBlock):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::setPrev):
        (JSC::MarkedBlock::setNext):
        (JSC::MarkedBlock::prev):
        (JSC::MarkedBlock::next):
        * wtf/DoublyLinkedList.h:
        (WTF::::DoublyLinkedList):
        (WTF::::isEmpty):
        (WTF::::head):
        (WTF::::append):
        (WTF::::remove):

2011-05-26  Geoffrey Garen

        Reviewed by Oliver Hunt.

        Provide a real owner when copying a property table, for the sake of write barriers.
        https://bugs.webkit.org/show_bug.cgi?id=61547

        No test because we can't enable the writeBarrier() ASSERT just yet.

        * runtime/Structure.cpp:
        (JSC::Structure::addPropertyTransition):

2011-05-26  Adam Roben

        Windows build fix after r87346

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Fixed up
        exports to match reality.

2011-05-26  Patrick Gansterer

        Reviewed by Adam Barth.

        ASSERT(isMainThread()) when using single threaded jsc executable
        https://bugs.webkit.org/show_bug.cgi?id=60846

        Remove the ASSERT since we do not have the concept of MainThread in JSC.

        * wtf/CryptographicallyRandomNumber.cpp:
        (WTF::ARC4Stream::ARC4RandomNumberGenerator::randomNumber):
        (WTF::ARC4Stream::ARC4RandomNumberGenerator::randomValues):

2011-05-25  Gavin Barraclough

        Reviewed by Sam Weinig.
        https://bugs.webkit.org/show_bug.cgi?id=61506
        Move the silent spill/fill methods in the DFG JIT to the JITCodeGenerator
        so that they are available to the SpeculativeJIT.

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::silentSpillGPR):
        (JSC::DFG::JITCodeGenerator::silentSpillFPR):
        (JSC::DFG::JITCodeGenerator::silentFillGPR):
        (JSC::DFG::JITCodeGenerator::silentFillFPR):
        (JSC::DFG::JITCodeGenerator::silentSpillAllRegisters):
        (JSC::DFG::JITCodeGenerator::silentFillAllRegisters):
        * dfg/DFGNonSpeculativeJIT.h:

2011-05-25  Ryosuke Niwa

        An attempt to revive Windows bots.

        * runtime/RegExp.cpp:
        * runtime/RegExp.h:

2011-05-25  Gavin Barraclough

        Reviewed by Sam Weinig.

        Bug 61503 - Move population of CodeBlock::m_structureStubInfos into JIT

        This data structure, used at runtime by the JIT, is currently unnecessarily
        populated with default entries during byte compilation. Aside from meaning
        that there is JIT specific code in the bytecompiler, this also ties us to
        one entry per corresponding bytecode op, which may be undesirable. Instead,
        populate this array from the JIT.

        The type StructureStubInfo has two unused states, one for gets & one for puts.
        Unify these, so that the class can have a default constructor (and to simplify
        switch statements in code walking over the table).

        This change has ramifications for the DFG JIT, in that the DFG JIT used this
        data structure to check for functions containing property access. Instead do
        so in the DFGByteCodeParser.
        * bytecode/CodeBlock.cpp:
        (JSC::printStructureStubInfo):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::setNumberOfStructureStubInfos):
        (JSC::CodeBlock::numberOfStructureStubInfos):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::visitAggregate):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::StructureStubInfo):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetById):
        (JSC::BytecodeGenerator::emitPutById):
        (JSC::BytecodeGenerator::emitDirectPutById):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emit_op_method_check):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::compileGetByIdSlowCase):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        (JSC::JIT::emit_op_method_check):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::compileGetByIdSlowCase):
        * runtime/Executable.cpp:
        (JSC::tryDFGCompile):

2011-05-25  Gavin Barraclough

        Reviewed by Sam Weinig.

        Bug 61501 - Unify AbstractMacroAssembler::differenceBetween methods.
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::Call::Call):
        (JSC::AbstractMacroAssembler::Call::fromTailJump):
        (JSC::AbstractMacroAssembler::Jump::Jump):
        (JSC::AbstractMacroAssembler::Jump::link):
        (JSC::AbstractMacroAssembler::Jump::linkTo):
        (JSC::AbstractMacroAssembler::Jump::isSet):
        (JSC::AbstractMacroAssembler::differenceBetween):
        (JSC::AbstractMacroAssembler::linkJump):
        (JSC::AbstractMacroAssembler::getLinkerCallReturnOffset):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::link):
        (JSC::LinkBuffer::locationOf):
        (JSC::LinkBuffer::locationOfNearCall):
        (JSC::LinkBuffer::returnAddressOffset):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::linkCall):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::linkCall):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::linkCall):
        * assembler/MacroAssemblerSH4.cpp:
        (JSC::MacroAssemblerSH4::linkCall):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::linkCall):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::linkCall):

2011-05-25  Gavin Barraclough

        Reviewed by Sam Weinig.

        https://bugs.webkit.org/show_bug.cgi?id=61500
        Add JSObject::offsetOfPropertyStorage

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::compileGetDirectOffset):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::compilePutDirectOffset):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::compilePutDirectOffset):
        (JSC::JIT::compileGetDirectOffset):
        * runtime/JSObject.h:
        (JSC::JSObject::offsetOfPropertyStorage):

2011-05-25  Oliver Hunt

        Reviewed by Geoffrey Garen.

        Make RegExp GC allocated
        https://bugs.webkit.org/show_bug.cgi?id=61490

        Make RegExp GC allocated. Basically mechanical change to replace most use of
        [Pass]RefPtr with RegExp* or WriteBarrier where actual ownership happens.
        Made the RegExpCache use Strong<> references currently to avoid any changes
        in behaviour.
        * JavaScriptCore.exp:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addRegExp):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addRegExp):
        (JSC::BytecodeGenerator::emitNewRegExp):
        * bytecompiler/BytecodeGenerator.h:
        * runtime/JSCell.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::clearBuiltinStructures):
        (JSC::JSGlobalData::addRegExpToTrace):
        * runtime/JSGlobalData.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/RegExp.cpp:
        (JSC::RegExp::RegExp):
        (JSC::RegExp::create):
        (JSC::RegExp::invalidateCode):
        * runtime/RegExp.h:
        (JSC::RegExp::createStructure):
        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::lookupOrCreate):
        (JSC::RegExpCache::create):
        * runtime/RegExpCache.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::constructRegExp):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::RegExpObject):
        (JSC::RegExpObject::visitChildren):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::setRegExp):
        (JSC::RegExpObject::RegExpObjectData::RegExpObjectData):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::RegExpPrototype):
        (JSC::regExpProtoFuncCompile):
        * runtime/RegExpPrototype.h:
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):

2011-05-25  Oliver Hunt

        Reviewed by Geoffrey Garen.

        Generate regexp code lazily
        https://bugs.webkit.org/show_bug.cgi?id=61476

        RegExp construction now simply validates the RegExp, it does not perform
        actual codegen.
        * runtime/RegExp.cpp:
        (JSC::RegExp::RegExp):
        (JSC::RegExp::recompile):
        (JSC::RegExp::compile):
        (JSC::RegExp::match):
        * runtime/RegExp.h:
        (JSC::RegExp::recompileIfNecessary):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::performMatch):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::match):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncReplace):
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):
        (JSC::stringProtoFuncSplit):

2011-05-24  Geoffrey Garen

        Reviewed by Geoffrey Garen.

        Removed MarkSetProperties because it was unused
        https://bugs.webkit.org/show_bug.cgi?id=61418

        * heap/MarkStack.h:
        (JSC::MarkSet::MarkSet):
        (JSC::MarkStack::append):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::visitChildren):
        * runtime/JSArray.h:
        (JSC::JSArray::visitChildrenDirect):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::visitChildren):
        * runtime/WriteBarrier.h:
        (JSC::MarkStack::appendValues):

2011-05-25  Oliver Hunt

        Reviewed by Geoffrey Garen.

        Make allocations with guard pages ensure that the allocation succeeded
        https://bugs.webkit.org/show_bug.cgi?id=61453

        Add null checks, and make PageBlock's operator bool() use the real base,
        rather than the start of usable memory.

        * wtf/OSAllocatorPosix.cpp:
        (WTF::OSAllocator::reserveAndCommit):
        * wtf/PageBlock.h:
        (WTF::PageBlock::operator bool):
        (WTF::PageBlock::PageBlock):

2011-04-10  Kevin Ollivier

        Reviewed by Eric Seidel.

        Add JS_EXPORT_PRIVATE macro for exported methods in bytecompiler headers.
        https://bugs.webkit.org/show_bug.cgi?id=27551

        * bytecompiler/BytecodeGenerator.h:

2011-05-24  Keishi Hattori

        Reviewed by Kent Tamura.

        Disable textfield implementation of . Add INPUT_COLOR feature flag. Add input color sanitizer.
        https://bugs.webkit.org/show_bug.cgi?id=61273

        * Configurations/FeatureDefines.xcconfig: Added COLOR_INPUT feature flag.

2011-05-24  Kevin Ollivier

        Reviewed by Eric Seidel.

        Add export macros to WTFString.h.
        https://bugs.webkit.org/show_bug.cgi?id=27551

        * wtf/text/WTFString.h:
        (WTF::String::String):
        (WTF::String::findIgnoringCase):
        (WTF::String::isHashTableDeletedValue):

2011-05-24  Geoffrey Garen

        Maybe fix the Mac build now?

        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-05-24  Geoffrey Garen

        Maybe fix the Mac build?

        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-05-24  Geoffrey Garen

        Reviewed by Oliver Hunt.

        Split HeapRootVisitor into its own class
        https://bugs.webkit.org/show_bug.cgi?id=61399

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/HandleHeap.cpp:
        * heap/HandleStack.cpp:
        * heap/Heap.cpp:
        * heap/HeapRootVisitor.h: Copied from Source/JavaScriptCore/heap/MarkStack.h.
        * heap/MarkStack.h:
        * runtime/ArgList.cpp:
        * runtime/SmallStrings.cpp:

2011-05-24  Jay Civelli

        Rubberstamped by David Kilzer.

        Updated some files that I forgot in my previous MHTML CL.

        * Configurations/FeatureDefines.xcconfig:

2011-05-24  Geoffrey Garen

        Fix the Mac build: Yes, please do remove these files, svn.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-05-24  Geoffrey Garen

        Reviewed by Oliver Hunt.

        Let's just have one way to get the system page size, bokay?
        https://bugs.webkit.org/show_bug.cgi?id=61384

        * CMakeListsEfl.txt:
        * CMakeListsWinCE.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.gypi:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: MarkStack[Platform].cpp
        is gone completely now, since it only existed to provide a duplicate way to access
        the system page size.
        * heap/MarkStack.cpp:
        (JSC::MarkStack::reset):
        * heap/MarkStack.h:
        (JSC::::MarkStackArray):
        (JSC::::shrinkAllocation): Use WTF::pageSize.
        * heap/MarkStackPosix.cpp:
        * heap/MarkStackSymbian.cpp:
        * heap/MarkStackWin.cpp: Removed now-empty files.
        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::reprotectRegion):
        * jit/ExecutableAllocator.h:
        (JSC::ExecutableAllocator::ExecutableAllocator):
        (JSC::ExecutablePool::ExecutablePool):
        (JSC::ExecutablePool::poolAllocate):
        * jit/ExecutableAllocatorFixedVMPool.cpp: Use WTF::pageSize.
        * wscript: Removed now-empty files.
        * wtf/PageBlock.cpp:
        (WTF::systemPageSize): Integrated questionable Symbian page size rule from
        ExecutableAllocator, because that seems like what the original author should
        have done.

2011-05-24  Oliver Hunt

        Reviewed by Gavin Barraclough.

        Interpreter crashes with gc validation enabled due to failure to mark initial cache structure
        https://bugs.webkit.org/show_bug.cgi?id=61385

        The interpreter uses the structure slot of get_by_id and put_by_id to hold
        the initial structure it encountered so that it can identify whether a given
        access is stable. When marking though we only visit the slot when we've
        decided to cache, and so this value could die. This was "safe" as the value
        was only used for a pointer compare, but it was incorrect. We now just mark
        the slot like we should have been doing already.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitStructures):

2011-05-24  Adam Roben

        Windows build fix

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Removed now-inline functions.

2011-05-24  Geoffrey Garen

        Windows build fix: update the #if OS(WINDOWS) section to match my last patch.

        * heap/MarkStack.h:
        (JSC::::shrinkAllocation):

2011-05-24  Geoffrey Garen

        Rubber-stamped by Oliver Hunt.

        Split out function definitions and class definitions from class declarations
        in MarkStack.h, for readability.
        * heap/MarkStack.h:
        (JSC::MarkStack::MarkStack):
        (JSC::MarkStack::~MarkStack):
        (JSC::MarkStack::addOpaqueRoot):
        (JSC::MarkStack::containsOpaqueRoot):
        (JSC::MarkStack::opaqueRootCount):
        (JSC::MarkSet::MarkSet):
        (JSC::MarkStack::allocateStack):
        (JSC::MarkStack::releaseStack):
        (JSC::MarkStack::pageSize):
        (JSC::::MarkStackArray):
        (JSC::::~MarkStackArray):
        (JSC::::expand):
        (JSC::::append):
        (JSC::::removeLast):
        (JSC::::last):
        (JSC::::isEmpty):
        (JSC::::size):
        (JSC::::shrinkAllocation):

2011-05-24  Oliver Hunt

        Reviewed by Geoffrey Garen.

        Avoid creating unnecessary identifiers and strings in the syntax checker
        https://bugs.webkit.org/show_bug.cgi?id=61378

        Selectively tell the lexer that there are some places it does not need to
        do the real work of creating Identifiers for IDENT and STRING tokens. Make
        parseString and parseIdentifier templatized on whether they should do real
        work, or merely validate the tokens.

        SunSpider --parse-only reports ~5-8% win depending on hardware.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createDotAccess):
        * parser/JSParser.cpp:
        (JSC::JSParser::next):
        (JSC::JSParser::consume):
        (JSC::JSParser::parseVarDeclarationList):
        (JSC::JSParser::parseConstDeclarationList):
        (JSC::JSParser::parseExpression):
        (JSC::JSParser::parseAssignmentExpression):
        (JSC::JSParser::parseConditionalExpression):
        (JSC::JSParser::parseBinaryExpression):
        (JSC::JSParser::parseProperty):
        (JSC::JSParser::parseObjectLiteral):
        (JSC::JSParser::parseArrayLiteral):
        (JSC::JSParser::parseArguments):
        (JSC::JSParser::parseMemberExpression):
        * parser/Lexer.cpp:
        (JSC::Lexer::parseIdentifier):
        (JSC::Lexer::parseString):
        (JSC::Lexer::lex):
        * parser/Lexer.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createDotAccess):
        (JSC::SyntaxChecker::createProperty):

2011-05-23  Michael Saboff

        Reviewed by Mark Rowe.
        Safari often freezes when clicking "Return free memory" in Caches dialog
        https://bugs.webkit.org/show_bug.cgi?id=61325

        There are two fixes and an improvement in the instrumentation code used to
        find one of the problems. Changed ReleaseFreeList() to set the "decommitted"
        bit when releasing pages to the system and moving Spans from the normal list
        to the returned list. Added a "not making forward progress" check to
        TCMalloc_PageHeap::scavenge to eliminate an infinite loop if we can't meet
        the pagesToRelease target. Added a check for the decommitted bit being set
        properly in TCMalloc_PageHeap::CheckList.

        * wtf/FastMalloc.cpp:
        (WTF::TCMalloc_PageHeap::scavenge):
        (WTF::TCMalloc_PageHeap::Check):
        (WTF::TCMalloc_PageHeap::CheckList):
        (WTF::ReleaseFreeList):

2011-05-23  Gavin Barraclough

        Reviewed by Geoff Garen.

        https://bugs.webkit.org/show_bug.cgi?id=61306
        The begin characters optimization currently has issues (#61129), and does
        not appear to still be a performance win. The prudent next step seems to be
        to disable while we ascertain whether this is still a useful performance
        optimization.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::matchDisjunction):
        (JSC::Yarr::Interpreter::interpret):
        * yarr/YarrInterpreter.h:
        (JSC::Yarr::BytecodePattern::BytecodePattern):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
        (JSC::Yarr::YarrPattern::compile):
        (JSC::Yarr::YarrPattern::YarrPattern):
        * yarr/YarrPattern.h:
        (JSC::Yarr::YarrPattern::reset):

2011-05-23  Matthew Delaney

        Reviewed by Simon Fraser.

        Remove safeFloatToInt() in FloatRect.cpp and replace with working version of clampToInteger()
        https://bugs.webkit.org/show_bug.cgi?id=58216

        * wtf/MathExtras.h:
        (clampToInteger):
        (clampToPositiveInteger):

2011-05-23  Ruben

        Reviewed by Tony Chang.
        Chromium gyp patch to use new POSIX defines toolkit_uses_gtk and os_posix
        https://bugs.webkit.org/show_bug.cgi?id=61219

        * JavaScriptCore.gyp/JavaScriptCore.gyp:

2011-05-23  Thouraya ANDOLSI

        Reviewed by Gavin Barraclough.

        [SH4] AssemblerLabel does not name a type
        https://bugs.webkit.org/show_bug.cgi?id=59927

        SH4Assembler.h file should be included before AbstractMacroAssembler.h.

        * assembler/MacroAssemblerSH4.h:

2011-05-23  Ryuan Choi

        Rubber stamped by Eric Seidel.

        [CMAKE] Refactoring wtf related code.
        https://bugs.webkit.org/show_bug.cgi?id=60146

        Move wtf-files to Source/JavaScriptCore/wtf/CMakeLists.txt.

        * CMakeLists.txt:
        * CMakeListsEfl.txt:
        * wtf/CMakeLists.txt:
        * wtf/CMakeListsEfl.txt:

2011-05-22  Adam Barth

        Enable strict PassOwnPtr for everyone.

        I expect this patch will need some followups to make the GTK and EFL bots green again.

        * wtf/PassOwnPtr.h:

2011-05-20  Oliver Hunt

        Reviewed by Gavin Barraclough.

        Reduce size of inline cache path of get_by_id on ARMv7
        https://bugs.webkit.org/show_bug.cgi?id=61221

        This reduces the code size of get_by_id by 20 bytes.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::ldrCompact):
        (JSC::ARMv7Assembler::repatchCompact):
        (JSC::ARMv7Assembler::setUInt7ForLoad):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::load32WithCompactAddressOffsetPatch):
        * jit/JIT.h:

2011-05-20  Zoltan Herczeg

        Reviewed by Oliver Hunt.

        Zombies should "live" forever
        https://bugs.webkit.org/show_bug.cgi?id=61170

        Reusing zombie cells could still hide garbage collected cell related bugs.

        * JavaScriptCore.pro:
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::clearMarks):
        * heap/MarkedBlock.h:
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::destroy):
        * runtime/JSCell.h:
        (JSC::JSCell::JSValue::isZombie):
        * runtime/JSZombie.h:
        (JSC::JSZombie::~JSZombie):
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase::setWithoutWriteBarrier):

2011-05-20  Brady Eidson

        Reviewed by Sam Weinig.
        and https://bugs.webkit.org/show_bug.cgi?id=61203
        Horrendous bug in callOnMainThreadAndWait

        * wtf/MainThread.cpp:
        (WTF::dispatchFunctionsFromMainThread): Before signaling the background thread
        with the syncFlag condition, reacquire the mutex first.

2011-05-20  Oliver Hunt

        Reviewed by Sam Weinig.

        Remove unnecessary double->int conversion at the end of op_div
        https://bugs.webkit.org/show_bug.cgi?id=61198

        We don't attempt this conversion on 64-bit, removing it actually speeds up
        sunspider and v8 slightly, and it reduces code size.

        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_op_div):

2011-05-19  Evan Martin

        Reviewed by Tony Chang.

        [chromium] remove <(library) variable
        https://bugs.webkit.org/show_bug.cgi?id=61158

        This was for a build experiment; we can just use the correct value now.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:

2011-05-20  Oliver Hunt

        Reviewed by Sam Weinig.

        Interpreter uses wrong bytecode offset for determining exception handler
        https://bugs.webkit.org/show_bug.cgi?id=61191

        The bytecode offset given for the returnPC from the JIT is actually the
        offset for the start of the instruction triggering the call, whereas in the
        interpreter it is the actual return VPC. This means if the next instruction
        following a call was in an exception region we would incorrectly redirect
        to its handler. Long term we want to completely redo how exceptions are
        handled anyway so the simplest and lowest risk fix here is to simply
        subtract one from the return vPC so that we have an offset in the
        triggering instruction. It turns out this is caught by a couple of tests
        already.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::unwindCallFrame):

2011-05-20  Xan Lopez

        Reviewed by Oliver Hunt.

        JIT requires VM overcommit (particularly on x86-64), Linux does not by default
        support this without swap?
        https://bugs.webkit.org/show_bug.cgi?id=42756

        Use the MAP_NORESERVE flag for mmap on Linux to skip the kernel check of the
        available memory.
        This should give us an overcommit-like behavior in most systems, which is
        what we want.

        * wtf/OSAllocatorPosix
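The two OSAllocatorPosix entries above (bug 61453, which adds null checks to guard-page allocations, and bug 42756, which reserves with MAP_NORESERVE) describe one pattern: reserve address space without committing it, commit only the usable span, keep a guard page on each side, and never let a failed mmap escape as if it were a usable pointer. The following is an added example written for this page; it is not WebKit's OSAllocator or PageBlock code, and the names reserve_uncommitted, reserve_with_guards and struct reservation are illustrative, not WebKit identifiers. On systems without MAP_NORESERVE the flag is defined to 0, so the reservation falls back to the kernel's default accounting.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS
#endif
#ifndef MAP_NORESERVE
#define MAP_NORESERVE 0 /* not Linux: fall back to the kernel's default accounting */
#endif

/* Illustrative layout only; not WebKit's PageBlock or OSAllocator types. */
struct reservation {
    unsigned char *base;   /* start of the whole mapping, guard page included */
    size_t total;          /* bytes mapped in total, guards included */
    unsigned char *usable; /* first readable/writable byte, one page past base */
    size_t usable_bytes;   /* committed span between the two guard pages */
};

static size_t page_size(void)
{
    return (size_t)sysconf(_SC_PAGESIZE);
}

/* Reserve address space without committing memory. PROT_NONE plus MAP_NORESERVE
   keeps the range out of the kernel's overcommit accounting, so a large reservation
   succeeds on a swapless machine. A failed mmap returns the MAP_FAILED sentinel,
   which must not escape as if it were a usable pointer; report NULL instead. */
static void *reserve_uncommitted(size_t bytes)
{
    void *p = mmap(NULL, bytes, PROT_NONE, MAP_PRIVATE | MAP_ANON | MAP_NORESERVE, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* Commit a sub-range by granting access; pages are backed on first touch. */
static int commit_rw(void *start, size_t bytes)
{
    return mprotect(start, bytes, PROT_READ | PROT_WRITE) == 0;
}

/* Lay out [guard page][usable span][guard page]. Returns 1 on success and 0 on
   any failure, with nothing left mapped when it fails. */
static int reserve_with_guards(struct reservation *r, size_t usable_bytes)
{
    size_t page = page_size();
    memset(r, 0, sizeof *r);
    if (usable_bytes == 0 || usable_bytes > SIZE_MAX - 3 * page)
        return 0;
    usable_bytes = (usable_bytes + page - 1) & ~(page - 1); /* round up to whole pages */
    size_t total = usable_bytes + 2 * page;

    unsigned char *base = reserve_uncommitted(total);
    if (!base)
        return 0;                       /* the null check: do not build on MAP_FAILED */
    if (!commit_rw(base + page, usable_bytes)) {
        munmap(base, total);            /* undo the reservation on a partial failure */
        return 0;
    }
    r->base = base;
    r->total = total;
    r->usable = base + page;
    r->usable_bytes = usable_bytes;
    return 1;
}

static void release_reservation(struct reservation *r)
{
    if (r->base)
        munmap(r->base, r->total);
    memset(r, 0, sizeof *r);
}

/* Touch every page of the usable span; returns the number of bytes written.
   The guard pages on either side stay PROT_NONE, so a stray write past the
   span faults instead of corrupting a neighbouring mapping. */
static size_t fill_usable(struct reservation *r, unsigned char value)
{
    memset(r->usable, value, r->usable_bytes);
    return r->usable_bytes;
}

/* Failure path: a reservation larger than the address space is refused and
   surfaces as NULL rather than as a bogus pointer. */
static int oversize_reservation_is_rejected(void)
{
    size_t absurd = (size_t)1 << (sizeof(size_t) * 8 - 2);
    return reserve_uncommitted(absurd) == NULL;
}

int main(void)
{
    struct reservation r;
    if (!reserve_with_guards(&r, 100000))
        return 1;
    printf("usable span: %zu bytes at %p, base %p\n", r.usable_bytes, (void *)r.usable, (void *)r.base);
    printf("wrote %zu bytes\n", fill_usable(&r, 0xAB));
    printf("oversize reservation rejected: %d\n", oversize_reservation_is_rejected());
    release_reservation(&r);
    return 0;
}
```

The reservation is made with PROT_NONE so that nothing is charged or touchable until commit_rw opens the interior; the two outer pages are never committed and serve as guards. The size check before rounding keeps the page arithmetic from wrapping, and the error path unmaps on a failed mprotect so a half-built region cannot leak.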