Skip to content
  • fpizlo@apple.com's avatar
    Typed arrays should be rewritten · 0e0d9312
    fpizlo@apple.com authored
    https://bugs.webkit.org/show_bug.cgi?id=119064
    
    .: 
    
    Reviewed by Oliver Hunt.
    
    Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
    
    * Source/autotools/symbols.filter:
    
    Source/JavaScriptCore: 
    
    Reviewed by Oliver Hunt.
            
    Typed arrays were previously deficient in several major ways:
            
    - They were defined separately in WebCore and in the jsc shell. The two
      implementations were different, and the jsc shell one was basically wrong.
      The WebCore one was quite awful, also.
            
    - Typed arrays were not visible to the JIT except through some weird hooks.
      For example, the JIT could not ask "what is the Structure that this typed
      array would have if I just allocated it from this global object". Also,
      it was difficult to wire any of the typed array intrinsics, because most
      of the functionality wasn't visible anywhere in JSC.
            
    - Typed array allocation was brain-dead. Allocating a typed array involved
      two JS objects, two GC weak handles, and three malloc allocations.
            
    - Neutering. It involved keeping tabs on all native views but not the view
      wrappers, even though the native views can autoneuter just by asking the
      buffer if it was neutered anytime you touch them; while the JS view
      wrappers are the ones that you really want to reach out to.
            
    - Common case-ing. Most typed arrays have one buffer and one view, and
      usually nobody touches the buffer. Yet we created all of that stuff
      anyway, using data structures optimized for the case where you had a lot
      of views.
            
    - Semantic goofs. Typed arrays should, in the future, behave like ES
      features rather than DOM features, for example when it comes to exceptions.
      Firefox already does this and I agree with them.
            
    This patch cleanses our codebase of these sins:
            
    - Typed arrays are almost entirely defined in JSC. Only the lifecycle
      management of native references to buffers is left to WebCore.
            
    - Allocating a typed array requires either two GC allocations (a cell and a
      copied storage vector) or one GC allocation, a malloc allocation, and a
      weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
      latter). The latter is only used for oversize arrays. Remember that before
      it was 7 allocations no matter what.
            
    - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
      mode/length, void* vector. Before it was a lot more than that - remember,
      there were five additional objects that did absolutely nothing for anybody.
            
    - Native views aren't tracked by the buffer, or by the wrappers. They are
      transient. In the future we'll probably switch to not even having them be
      malloc'd.
            
    - Native array buffers have an efficient way of tracking all of their JS view
      wrappers, both for neutering, and for lifecycle management. The GC
      special-cases native array buffers. This saves a bunch of grief; for example
      it means that a JS view wrapper can refer to its buffer via the butterfly,
      which would be dead by the time we went to finalize.
            
    - Typed array semantics now match Firefox, which also happens to be where the
      standards are going. The discussion on webkit-dev seemed to confirm that
      Chrome is also heading in this direction. This includes making
      Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
      ArrayBufferView as a JS-visible construct.
            
    This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
    It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
    further typed array optimizations in the JSC JITs, including inlining typed
    array allocation, inlining more of the accessors, reducing the cost of type
    checks, etc.
            
    An additional property of this patch is that typed arrays are mostly
    implemented using templates. This deduplicates a bunch of code, but does mean
    that we need some hacks for exporting s_info's of template classes. See
    JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
    low-impact compared to code duplication.
            
    Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
    
    * CMakeLists.txt:
    * DerivedSources.make:
    * GNUmakefile.list.am:
    * JSCTypedArrayStubs.h: Removed.
    * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
    * JavaScriptCore.xcodeproj/project.pbxproj:
    * Target.pri:
    * bytecode/ByValInfo.h:
    (JSC::hasOptimizableIndexingForClassInfo):
    (JSC::jitArrayModeForClassInfo):
    (JSC::typedArrayTypeForJITArrayMode):
    * bytecode/SpeculatedType.cpp:
    (JSC::speculationFromClassInfo):
    * dfg/DFGArrayMode.cpp:
    (JSC::DFG::toTypedArrayType):
    * dfg/DFGArrayMode.h:
    (JSC::DFG::ArrayMode::typedArrayType):
    * dfg/DFGSpeculativeJIT.cpp:
    (JSC::DFG::SpeculativeJIT::checkArray):
    (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
    (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
    (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
    (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
    (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
    (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
    * dfg/DFGSpeculativeJIT.h:
    * dfg/DFGSpeculativeJIT32_64.cpp:
    (JSC::DFG::SpeculativeJIT::compile):
    * dfg/DFGSpeculativeJIT64.cpp:
    (JSC::DFG::SpeculativeJIT::compile):
    * heap/CopyToken.h:
    * heap/DeferGC.h:
    (JSC::DeferGCForAWhile::DeferGCForAWhile):
    (JSC::DeferGCForAWhile::~DeferGCForAWhile):
    * heap/GCIncomingRefCounted.h: Added.
    (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
    (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
    (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
    (JSC::GCIncomingRefCounted::incomingReferenceAt):
    (JSC::GCIncomingRefCounted::singletonFlag):
    (JSC::GCIncomingRefCounted::hasVectorOfCells):
    (JSC::GCIncomingRefCounted::hasAnyIncoming):
    (JSC::GCIncomingRefCounted::hasSingleton):
    (JSC::GCIncomingRefCounted::singleton):
    (JSC::GCIncomingRefCounted::vectorOfCells):
    * heap/GCIncomingRefCountedInlines.h: Added.
    (JSC::::addIncomingReference):
    (JSC::::filterIncomingReferences):
    * heap/GCIncomingRefCountedSet.h: Added.
    (JSC::GCIncomingRefCountedSet::size):
    * heap/GCIncomingRefCountedSetInlines.h: Added.
    (JSC::::GCIncomingRefCountedSet):
    (JSC::::~GCIncomingRefCountedSet):
    (JSC::::addReference):
    (JSC::::sweep):
    (JSC::::removeAll):
    (JSC::::removeDead):
    * heap/Heap.cpp:
    (JSC::Heap::addReference):
    (JSC::Heap::extraSize):
    (JSC::Heap::size):
    (JSC::Heap::capacity):
    (JSC::Heap::collect):
    (JSC::Heap::decrementDeferralDepth):
    (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
    * heap/Heap.h:
    * interpreter/CallFrame.h:
    (JSC::ExecState::dataViewTable):
    * jit/JIT.h:
    * jit/JITPropertyAccess.cpp:
    (JSC::JIT::privateCompileGetByVal):
    (JSC::JIT::privateCompilePutByVal):
    (JSC::JIT::emitIntTypedArrayGetByVal):
    (JSC::JIT::emitFloatTypedArrayGetByVal):
    (JSC::JIT::emitIntTypedArrayPutByVal):
    (JSC::JIT::emitFloatTypedArrayPutByVal):
    * jsc.cpp:
    (GlobalObject::finishCreation):
    * runtime/ArrayBuffer.cpp:
    (JSC::ArrayBuffer::transfer):
    * runtime/ArrayBuffer.h:
    (JSC::ArrayBuffer::createAdopted):
    (JSC::ArrayBuffer::ArrayBuffer):
    (JSC::ArrayBuffer::gcSizeEstimateInBytes):
    (JSC::ArrayBuffer::pin):
    (JSC::ArrayBuffer::unpin):
    (JSC::ArrayBufferContents::tryAllocate):
    * runtime/ArrayBufferView.cpp:
    (JSC::ArrayBufferView::ArrayBufferView):
    (JSC::ArrayBufferView::~ArrayBufferView):
    (JSC::ArrayBufferView::setNeuterable):
    * runtime/ArrayBufferView.h:
    (JSC::ArrayBufferView::isNeutered):
    (JSC::ArrayBufferView::buffer):
    (JSC::ArrayBufferView::baseAddress):
    (JSC::ArrayBufferView::byteOffset):
    (JSC::ArrayBufferView::verifySubRange):
    (JSC::ArrayBufferView::clampOffsetAndNumElements):
    (JSC::ArrayBufferView::calculateOffsetAndLength):
    * runtime/ClassInfo.h:
    * runtime/CommonIdentifiers.h:
    * runtime/DataView.cpp: Added.
    (JSC::DataView::DataView):
    (JSC::DataView::create):
    (JSC::DataView::wrap):
    * runtime/DataView.h: Added.
    (JSC::DataView::byteLength):
    (JSC::DataView::getType):
    (JSC::DataView::get):
    (JSC::DataView::set):
    * runtime/Float32Array.h:
    * runtime/Float64Array.h:
    * runtime/GenericTypedArrayView.h: Added.
    (JSC::GenericTypedArrayView::data):
    (JSC::GenericTypedArrayView::set):
    (JSC::GenericTypedArrayView::setRange):
    (JSC::GenericTypedArrayView::zeroRange):
    (JSC::GenericTypedArrayView::zeroFill):
    (JSC::GenericTypedArrayView::length):
    (JSC::GenericTypedArrayView::byteLength):
    (JSC::GenericTypedArrayView::item):
    (JSC::GenericTypedArrayView::checkInboundData):
    (JSC::GenericTypedArrayView::getType):
    * runtime/GenericTypedArrayViewInlines.h: Added.
    (JSC::::GenericTypedArrayView):
    (JSC::::create):
    (JSC::::createUninitialized):
    (JSC::::subarray):
    (JSC::::wrap):
    * runtime/IndexingHeader.h:
    (JSC::IndexingHeader::arrayBuffer):
    (JSC::IndexingHeader::setArrayBuffer):
    * runtime/Int16Array.h:
    * runtime/Int32Array.h:
    * runtime/Int8Array.h:
    * runtime/JSArrayBuffer.cpp: Added.
    (JSC::JSArrayBuffer::JSArrayBuffer):
    (JSC::JSArrayBuffer::finishCreation):
    (JSC::JSArrayBuffer::create):
    (JSC::JSArrayBuffer::createStructure):
    (JSC::JSArrayBuffer::getOwnPropertySlot):
    (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
    (JSC::JSArrayBuffer::put):
    (JSC::JSArrayBuffer::defineOwnProperty):
    (JSC::JSArrayBuffer::deleteProperty):
    (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
    * runtime/JSArrayBuffer.h: Added.
    (JSC::JSArrayBuffer::impl):
    (JSC::toArrayBuffer):
    * runtime/JSArrayBufferConstructor.cpp: Added.
    (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
    (JSC::JSArrayBufferConstructor::finishCreation):
    (JSC::JSArrayBufferConstructor::create):
    (JSC::JSArrayBufferConstructor::createStructure):
    (JSC::constructArrayBuffer):
    (JSC::JSArrayBufferConstructor::getConstructData):
    (JSC::JSArrayBufferConstructor::getCallData):
    * runtime/JSArrayBufferConstructor.h: Added.
    * runtime/JSArrayBufferPrototype.cpp: Added.
    (JSC::arrayBufferProtoFuncSlice):
    (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
    (JSC::JSArrayBufferPrototype::finishCreation):
    (JSC::JSArrayBufferPrototype::create):
    (JSC::JSArrayBufferPrototype::createStructure):
    * runtime/JSArrayBufferPrototype.h: Added.
    * runtime/JSArrayBufferView.cpp: Added.
    (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
    (JSC::JSArrayBufferView::JSArrayBufferView):
    (JSC::JSArrayBufferView::finishCreation):
    (JSC::JSArrayBufferView::getOwnPropertySlot):
    (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
    (JSC::JSArrayBufferView::put):
    (JSC::JSArrayBufferView::defineOwnProperty):
    (JSC::JSArrayBufferView::deleteProperty):
    (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
    (JSC::JSArrayBufferView::finalize):
    * runtime/JSArrayBufferView.h: Added.
    (JSC::JSArrayBufferView::sizeOf):
    (JSC::JSArrayBufferView::ConstructionContext::operator!):
    (JSC::JSArrayBufferView::ConstructionContext::structure):
    (JSC::JSArrayBufferView::ConstructionContext::vector):
    (JSC::JSArrayBufferView::ConstructionContext::length):
    (JSC::JSArrayBufferView::ConstructionContext::mode):
    (JSC::JSArrayBufferView::ConstructionContext::butterfly):
    (JSC::JSArrayBufferView::mode):
    (JSC::JSArrayBufferView::vector):
    (JSC::JSArrayBufferView::length):
    (JSC::JSArrayBufferView::offsetOfVector):
    (JSC::JSArrayBufferView::offsetOfLength):
    (JSC::JSArrayBufferView::offsetOfMode):
    * runtime/JSArrayBufferViewInlines.h: Added.
    (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
    (JSC::JSArrayBufferView::buffer):
    (JSC::JSArrayBufferView::impl):
    (JSC::JSArrayBufferView::neuter):
    (JSC::JSArrayBufferView::byteOffset):
    * runtime/JSCell.cpp:
    (JSC::JSCell::slowDownAndWasteMemory):
    (JSC::JSCell::getTypedArrayImpl):
    * runtime/JSCell.h:
    * runtime/JSDataView.cpp: Added.
    (JSC::JSDataView::JSDataView):
    (JSC::JSDataView::create):
    (JSC::JSDataView::createUninitialized):
    (JSC::JSDataView::set):
    (JSC::JSDataView::typedImpl):
    (JSC::JSDataView::getOwnPropertySlot):
    (JSC::JSDataView::getOwnPropertyDescriptor):
    (JSC::JSDataView::slowDownAndWasteMemory):
    (JSC::JSDataView::getTypedArrayImpl):
    (JSC::JSDataView::createStructure):
    * runtime/JSDataView.h: Added.
    * runtime/JSDataViewPrototype.cpp: Added.
    (JSC::JSDataViewPrototype::JSDataViewPrototype):
    (JSC::JSDataViewPrototype::create):
    (JSC::JSDataViewPrototype::createStructure):
    (JSC::JSDataViewPrototype::getOwnPropertySlot):
    (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
    (JSC::getData):
    (JSC::setData):
    (JSC::dataViewProtoFuncGetInt8):
    (JSC::dataViewProtoFuncGetInt16):
    (JSC::dataViewProtoFuncGetInt32):
    (JSC::dataViewProtoFuncGetUint8):
    (JSC::dataViewProtoFuncGetUint16):
    (JSC::dataViewProtoFuncGetUint32):
    (JSC::dataViewProtoFuncGetFloat32):
    (JSC::dataViewProtoFuncGetFloat64):
    (JSC::dataViewProtoFuncSetInt8):
    (JSC::dataViewProtoFuncSetInt16):
    (JSC::dataViewProtoFuncSetInt32):
    (JSC::dataViewProtoFuncSetUint8):
    (JSC::dataViewProtoFuncSetUint16):
    (JSC::dataViewProtoFuncSetUint32):
    (JSC::dataViewProtoFuncSetFloat32):
    (JSC::dataViewProtoFuncSetFloat64):
    * runtime/JSDataViewPrototype.h: Added.
    * runtime/JSFloat32Array.h: Added.
    * runtime/JSFloat64Array.h: Added.
    * runtime/JSGenericTypedArrayView.h: Added.
    (JSC::JSGenericTypedArrayView::byteLength):
    (JSC::JSGenericTypedArrayView::byteSize):
    (JSC::JSGenericTypedArrayView::typedVector):
    (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
    (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
    (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
    (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
    (JSC::JSGenericTypedArrayView::getIndexQuickly):
    (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
    (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
    (JSC::JSGenericTypedArrayView::setIndexQuickly):
    (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
    (JSC::JSGenericTypedArrayView::typedImpl):
    (JSC::JSGenericTypedArrayView::createStructure):
    (JSC::JSGenericTypedArrayView::info):
    (JSC::toNativeTypedView):
    * runtime/JSGenericTypedArrayViewConstructor.h: Added.
    * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
    (JSC::::JSGenericTypedArrayViewConstructor):
    (JSC::::finishCreation):
    (JSC::::create):
    (JSC::::createStructure):
    (JSC::constructGenericTypedArrayView):
    (JSC::::getConstructData):
    (JSC::::getCallData):
    * runtime/JSGenericTypedArrayViewInlines.h: Added.
    (JSC::::JSGenericTypedArrayView):
    (JSC::::create):
    (JSC::::createUninitialized):
    (JSC::::validateRange):
    (JSC::::setWithSpecificType):
    (JSC::::set):
    (JSC::::getOwnPropertySlot):
    (JSC::::getOwnPropertyDescriptor):
    (JSC::::put):
    (JSC::::defineOwnProperty):
    (JSC::::deleteProperty):
    (JSC::::getOwnPropertySlotByIndex):
    (JSC::::putByIndex):
    (JSC::::deletePropertyByIndex):
    (JSC::::getOwnNonIndexPropertyNames):
    (JSC::::getOwnPropertyNames):
    (JSC::::visitChildren):
    (JSC::::copyBackingStore):
    (JSC::::slowDownAndWasteMemory):
    (JSC::::getTypedArrayImpl):
    * runtime/JSGenericTypedArrayViewPrototype.h: Added.
    * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
    (JSC::genericTypedArrayViewProtoFuncSet):
    (JSC::genericTypedArrayViewProtoFuncSubarray):
    (JSC::::JSGenericTypedArrayViewPrototype):
    (JSC::::finishCreation):
    (JSC::::create):
    (JSC::::createStructure):
    * runtime/JSGlobalObject.cpp:
    (JSC::JSGlobalObject::reset):
    (JSC::JSGlobalObject::visitChildren):
    * runtime/JSGlobalObject.h:
    (JSC::JSGlobalObject::arrayBufferPrototype):
    (JSC::JSGlobalObject::arrayBufferStructure):
    (JSC::JSGlobalObject::typedArrayStructure):
    * runtime/JSInt16Array.h: Added.
    * runtime/JSInt32Array.h: Added.
    * runtime/JSInt8Array.h: Added.
    * runtime/JSTypedArrayConstructors.cpp: Added.
    * runtime/JSTypedArrayConstructors.h: Added.
    * runtime/JSTypedArrayPrototypes.cpp: Added.
    * runtime/JSTypedArrayPrototypes.h: Added.
    * runtime/JSTypedArrays.cpp: Added.
    * runtime/JSTypedArrays.h: Added.
    * runtime/JSUint16Array.h: Added.
    * runtime/JSUint32Array.h: Added.
    * runtime/JSUint8Array.h: Added.
    * runtime/JSUint8ClampedArray.h: Added.
    * runtime/Operations.h:
    * runtime/Options.h:
    * runtime/SimpleTypedArrayController.cpp: Added.
    (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
    (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
    (JSC::SimpleTypedArrayController::toJS):
    * runtime/SimpleTypedArrayController.h: Added.
    * runtime/Structure.h:
    (JSC::Structure::couldHaveIndexingHeader):
    * runtime/StructureInlines.h:
    (JSC::Structure::hasIndexingHeader):
    * runtime/TypedArrayAdaptors.h: Added.
    (JSC::IntegralTypedArrayAdaptor::toNative):
    (JSC::IntegralTypedArrayAdaptor::toJSValue):
    (JSC::IntegralTypedArrayAdaptor::toDouble):
    (JSC::FloatTypedArrayAdaptor::toNative):
    (JSC::FloatTypedArrayAdaptor::toJSValue):
    (JSC::FloatTypedArrayAdaptor::toDouble):
    (JSC::Uint8ClampedAdaptor::toNative):
    (JSC::Uint8ClampedAdaptor::toJSValue):
    (JSC::Uint8ClampedAdaptor::toDouble):
    (JSC::Uint8ClampedAdaptor::clamp):
    * runtime/TypedArrayController.cpp: Added.
    (JSC::TypedArrayController::TypedArrayController):
    (JSC::TypedArrayController::~TypedArrayController):
    * runtime/TypedArrayController.h: Added.
    * runtime/TypedArrayDescriptor.h: Removed.
    * runtime/TypedArrayInlines.h: Added.
    * runtime/TypedArrayType.cpp: Added.
    (JSC::classInfoForType):
    (WTF::printInternal):
    * runtime/TypedArrayType.h: Added.
    (JSC::toIndex):
    (JSC::isTypedView):
    (JSC::elementSize):
    (JSC::isInt):
    (JSC::isFloat):
    (JSC::isSigned):
    (JSC::isClamped):
    * runtime/TypedArrays.h: Added.
    * runtime/Uint16Array.h:
    * runtime/Uint32Array.h:
    * runtime/Uint8Array.h:
    * runtime/Uint8ClampedArray.h:
    * runtime/VM.cpp:
    (JSC::VM::VM):
    (JSC::VM::~VM):
    * runtime/VM.h:
    
    Source/WebCore: 
    
    Reviewed by Oliver Hunt.
    
    Typed arrays are now implemented in JavaScriptCore, and WebCore is merely a
    client of them. There is only one layering violation: WebCore installs a
    WebCoreTypedArrayController on VM, which makes the
    ArrayBuffer<->JSArrayBuffer relationship resemble DOM wrappers. By default,
    JSC makes the ownership go one way; the JSArrayBuffer keeps the ArrayBuffer
    alive but if ArrayBuffer is kept alive from native code then the
    JSArrayByffer may die. WebCoreTypedArrayController will keep the
    JSArrayBuffer alive if the ArrayBuffer is in the opaque root set.
            
    To make non-JSDOMWrappers behave like DOM wrappers, a bunch of code is
    changed to make most references to wrappers refer to JSObject* rather than
    JSDOMWrapper*.
            
    Array buffer views are now transient; the JS array buffer view wrappers
    don't own them or keep them alive. This required a bunch of changes to make
    bindings code use RefPtr<ArrayBufferView> to hold onto their views.
            
    Also there is a bunch of new code to make JSC-provided array buffers and
    views obey the toJS/to<ClassName> idiom for wrapping and unwrapping.
            
    Finally, the DataView API is now completely different: the JSDataView
    provides the same user-visible JS API but using its own internal magic; the
    C++ code that uses DataView now uses a rather different API that is not
    aware of usual DOM semantics, since it's in JSC and not WebCore. It's
    equally useful for all of WebCore's purposes, but some code had to change
    to adapt the new conventions.
            
    Some tests have been changed or rebased due to changes in behavior, that
    bring us into conformance with where the standards are going and allow us to
    match Firefox behavior.
    
    Automake work and some additional GTK changes courtesy of
    Zan Dobersek <zdobersek@igalia.com>.
            
    Additional Qt changes courtesy of Arunprasad Rajkumar <arurajku@cisco.com>.
    
    * CMakeLists.txt:
    * DerivedSources.make:
    * ForwardingHeaders/runtime/DataView.h: Added.
    * ForwardingHeaders/runtime/JSArrayBuffer.h: Added.
    * ForwardingHeaders/runtime/JSArrayBufferView.h: Added.
    * ForwardingHeaders/runtime/JSDataView.h: Added.
    * ForwardingHeaders/runtime/JSTypedArrays.h: Added.
    * ForwardingHeaders/runtime/TypedArrayController.h: Added.
    * ForwardingHeaders/runtime/TypedArrayInlines.h: Added.
    * ForwardingHeaders/runtime/TypedArrays.h: Added.
    * GNUmakefile.list.am:
    * Modules/webaudio/RealtimeAnalyser.h:
    * Target.pri:
    * UseJSC.cmake:
    * WebCore.exp.in:
    * WebCore.vcxproj/WebCore.vcxproj:
    * WebCore.xcodeproj/project.pbxproj:
    * bindings/js/DOMWrapperWorld.h:
    * bindings/js/JSArrayBufferCustom.cpp: Removed.
    * bindings/js/JSArrayBufferViewHelper.h: Removed.
    * bindings/js/JSAudioContextCustom.cpp:
    * bindings/js/JSBindingsAllInOne.cpp:
    * bindings/js/JSBlobCustom.cpp:
    * bindings/js/JSCSSRuleCustom.cpp:
    (WebCore::toJS):
    * bindings/js/JSCSSValueCustom.cpp:
    (WebCore::toJS):
    * bindings/js/JSCryptoCustom.cpp:
    (WebCore::JSCrypto::getRandomValues):
    * bindings/js/JSDOMBinding.h:
    (WebCore::wrapperOwner):
    (WebCore::wrapperContext):
    (WebCore::getInlineCachedWrapper):
    (WebCore::setInlineCachedWrapper):
    (WebCore::clearInlineCachedWrapper):
    (WebCore::getCachedWrapper):
    (WebCore::cacheWrapper):
    (WebCore::uncacheWrapper):
    (WebCore::wrap):
    (WebCore::toJS):
    (WebCore::toArrayBufferView):
    (WebCore::toInt8Array):
    (WebCore::toInt16Array):
    (WebCore::toInt32Array):
    (WebCore::toUint8Array):
    (WebCore::toUint8ClampedArray):
    (WebCore::toUint16Array):
    (WebCore::toUint32Array):
    (WebCore::toFloat32Array):
    (WebCore::toFloat64Array):
    (WebCore::toDataView):
    * bindings/js/JSDataViewCustom.cpp: Removed.
    * bindings/js/JSDictionary.cpp:
    * bindings/js/JSDictionary.h:
    * bindings/js/JSDocumentCustom.cpp:
    (WebCore::JSDocument::location):
    (WebCore::toJS):
    * bindings/js/JSEventCustom.cpp:
    (WebCore::toJS):
    * bindings/js/JSFileReaderCustom.cpp:
    * bindings/js/JSHTMLCollectionCustom.cpp:
    (WebCore::toJS):
    * bindings/js/JSHTMLTemplateElementCustom.cpp:
    (WebCore::JSHTMLTemplateElement::content):
    * bindings/js/JSImageDataCustom.cpp:
    (WebCore::toJS):
    * bindings/js/JSInjectedScriptHostCustom.cpp:
    * bindings/js/JSMessageEventCustom.cpp:
    * bindings/js/JSMessagePortCustom.cpp:
    * bindings/js/JSSVGPathSegCustom.cpp:
    (WebCore::toJS):
    * bindings/js/JSStyleSheetCustom.cpp:
    (WebCore::toJS):
    * bindings/js/JSTrackCustom.cpp:
    (WebCore::toJS):
    * bindings/js/JSWebGLRenderingContextCustom.cpp:
    * bindings/js/JSXMLHttpRequestCustom.cpp:
    (WebCore::JSXMLHttpRequest::send):
    * bindings/js/SerializedScriptValue.cpp:
    (WebCore::SerializedScriptValue::transferArrayBuffers):
    * bindings/js/WebCoreJSClientData.h:
    (WebCore::initNormalWorldClientData):
    * bindings/js/WebCoreTypedArrayController.cpp: Added.
    (WebCore::WebCoreTypedArrayController::WebCoreTypedArrayController):
    (WebCore::WebCoreTypedArrayController::~WebCoreTypedArrayController):
    (WebCore::WebCoreTypedArrayController::toJS):
    (WebCore::WebCoreTypedArrayController::JSArrayBufferOwner::isReachableFromOpaqueRoots):
    (WebCore::WebCoreTypedArrayController::JSArrayBufferOwner::finalize):
    * bindings/js/WebCoreTypedArrayController.h: Added.
    (WebCore::WebCoreTypedArrayController::wrapperOwner):
    * bindings/scripts/CodeGenerator.pm:
    (ForAllParents):
    (ParseInterface):
    (SkipIncludeHeader):
    (IsTypedArrayType):
    (IsWrapperType):
    * bindings/scripts/CodeGeneratorJS.pm:
    (AddIncludesForType):
    (GenerateHeader):
    (GenerateImplementation):
    (GenerateParametersCheck):
    (GetNativeType):
    (JSValueToNative):
    (NativeToJSValue):
    (GenerateConstructorDefinition):
    (GenerateConstructorHelperMethods):
    * fileapi/WebKitBlobBuilder.cpp:
    (WebCore::BlobBuilder::append):
    * fileapi/WebKitBlobBuilder.h:
    * html/canvas/ArrayBuffer.idl: Removed.
    * html/canvas/ArrayBufferView.idl: Removed.
    * html/canvas/DataView.cpp: Removed.
    * html/canvas/DataView.h: Removed.
    * html/canvas/DataView.idl: Removed.
    * html/canvas/Float32Array.idl: Removed.
    * html/canvas/Float64Array.idl: Removed.
    * html/canvas/Int16Array.idl: Removed.
    * html/canvas/Int32Array.idl: Removed.
    * html/canvas/Int8Array.idl: Removed.
    * html/canvas/Uint16Array.idl: Removed.
    * html/canvas/Uint32Array.idl: Removed.
    * html/canvas/Uint8Array.idl: Removed.
    * html/canvas/Uint8ClampedArray.idl: Removed.
    * html/canvas/WebGLRenderingContext.cpp:
    (WebCore::WebGLRenderingContext::readPixels):
    (WebCore::WebGLRenderingContext::validateTexFuncData):
    * page/Crypto.cpp:
    * platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm:
    (WebCore::MediaPlayerPrivateAVFoundationObjC::shouldWaitForLoadingOfResource):
    (WebCore::MediaPlayerPrivateAVFoundationObjC::extractKeyURIKeyIDAndCertificateFromInitData):
    * platform/graphics/filters/FECustomFilter.h:
    * platform/graphics/filters/FEGaussianBlur.cpp:
    * platform/graphics/filters/FilterEffect.cpp:
    * testing/MockCDM.cpp:
    
    Source/WebKit2: 
    
    Reviewed by Oliver Hunt.
            
    You don't need to include JSUint8Array anymore if you just want to
    unwrap one; JSDOMBinding gives you all of the things you need.
    
    * WebProcess/InjectedBundle/InjectedBundle.cpp:
    
    Source/WTF: 
    
    Reviewed by Oliver Hunt.
            
    - Added the notion of a reference counted object that can be marked Deferred,
      which is like a special-purpose upref.
            
    - Added a common byte flipper.
    
    Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
    
    * GNUmakefile.list.am:
    * WTF.xcodeproj/project.pbxproj:
    * wtf/DeferrableRefCounted.h: Added.
    (WTF::DeferrableRefCountedBase::ref):
    (WTF::DeferrableRefCountedBase::hasOneRef):
    (WTF::DeferrableRefCountedBase::refCount):
    (WTF::DeferrableRefCountedBase::isDeferred):
    (WTF::DeferrableRefCountedBase::DeferrableRefCountedBase):
    (WTF::DeferrableRefCountedBase::~DeferrableRefCountedBase):
    (WTF::DeferrableRefCountedBase::derefBase):
    (WTF::DeferrableRefCountedBase::setIsDeferredBase):
    (WTF::DeferrableRefCounted::deref):
    (WTF::DeferrableRefCounted::setIsDeferred):
    (WTF::DeferrableRefCounted::DeferrableRefCounted):
    (WTF::DeferrableRefCounted::~DeferrableRefCounted):
    * wtf/FlipBytes.h: Added.
    (WTF::needToFlipBytesIfLittleEndian):
    (WTF::flipBytes):
    (WTF::flipBytesIfLittleEndian):
    
    LayoutTests: 
    
    Reviewed by Oliver Hunt.
    
    * fast/canvas/webgl/array-set-invalid-arguments-expected.txt:
    * fast/canvas/webgl/array-set-out-of-bounds-expected.txt:
    * fast/canvas/webgl/array-unit-tests-expected.txt:
    * fast/canvas/webgl/array-unit-tests.html:
    * fast/canvas/webgl/data-view-crash-expected.txt:
    * fast/canvas/webgl/script-tests/arraybuffer-transfer-of-control.js:
    (checkView):
    * fast/dom/call-a-constructor-as-a-function-expected.txt:
    * fast/dom/call-a-constructor-as-a-function.html:
    * fast/js/constructor-length.html:
    * fast/js/global-constructors-attributes-dedicated-worker-expected.txt:
    * fast/js/global-constructors-attributes-expected.txt:
    * fast/js/global-constructors-attributes-shared-worker-expected.txt:
    * fast/js/regress/ArrayBuffer-Int8Array-alloc-expected.txt: Added.
    * fast/js/regress/ArrayBuffer-Int8Array-alloc-huge-long-lived-expected.txt: Added.
    * fast/js/regress/ArrayBuffer-Int8Array-alloc-huge-long-lived.html: Added.
    * fast/js/regress/ArrayBuffer-Int8Array-alloc-large-long-lived-expected.txt: Added.
    * fast/js/regress/ArrayBuffer-Int8Array-alloc-large-long-lived.html: Added.
    * fast/js/regress/ArrayBuffer-Int8Array-alloc-long-lived-buffer-expected.txt: Added.
    * fast/js/regress/ArrayBuffer-Int8Array-alloc-long-lived-buffer.html: Added.
    * fast/js/regress/ArrayBuffer-Int8Array-alloc-long-lived-expected.txt: Added.
    * fast/js/regress/ArrayBuffer-Int8Array-alloc-long-lived.html: Added.
    * fast/js/regress/ArrayBuffer-Int8Array-alloc.html: Added.
    * fast/js/regress/Int32Array-Int8Array-view-alloc-expected.txt: Added.
    * fast/js/regress/Int32Array-Int8Array-view-alloc.html: Added.
    * fast/js/regress/Int32Array-alloc-expected.txt: Added.
    * fast/js/regress/Int32Array-alloc-huge-expected.txt: Added.
    * fast/js/regress/Int32Array-alloc-huge-long-lived-expected.txt: Added.
    * fast/js/regress/Int32Array-alloc-huge-long-lived.html: Added.
    * fast/js/regress/Int32Array-alloc-huge.html: Added.
    * fast/js/regress/Int32Array-alloc-large-expected.txt: Added.
    * fast/js/regress/Int32Array-alloc-large-long-lived-expected.txt: Added.
    * fast/js/regress/Int32Array-alloc-large-long-lived.html: Added.
    * fast/js/regress/Int32Array-alloc-large.html: Added.
    * fast/js/regress/Int32Array-alloc-long-lived-expected.txt: Added.
    * fast/js/regress/Int32Array-alloc-long-lived.html: Added.
    * fast/js/regress/Int32Array-alloc.html: Added.
    * fast/js/regress/script-tests/ArrayBuffer-Int8Array-alloc-huge-long-lived.js: Added.
    * fast/js/regress/script-tests/ArrayBuffer-Int8Array-alloc-large-long-lived.js: Added.
    * fast/js/regress/script-tests/ArrayBuffer-Int8Array-alloc-long-lived-buffer.js: Added.
    * fast/js/regress/script-tests/ArrayBuffer-Int8Array-alloc-long-lived.js: Added.
    * fast/js/regress/script-tests/ArrayBuffer-Int8Array-alloc.js: Added.
    * fast/js/regress/script-tests/Int32Array-Int8Array-view-alloc.js: Added.
    * fast/js/regress/script-tests/Int32Array-alloc-huge-long-lived.js: Added.
    * fast/js/regress/script-tests/Int32Array-alloc-huge.js: Added.
    * fast/js/regress/script-tests/Int32Array-alloc-large-long-lived.js: Added.
    * fast/js/regress/script-tests/Int32Array-alloc-large.js: Added.
    * fast/js/regress/script-tests/Int32Array-alloc-long-lived.js: Added.
    * fast/js/regress/script-tests/Int32Array-alloc.js: Added.
    * platform/mac/fast/js/constructor-length-expected.txt:
    * webgl/resources/webgl_test_files/conformance/typedarrays/array-unit-tests.html:
    * webgl/resources/webgl_test_files/conformance/typedarrays/data-view-test.html:
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154127 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    0e0d9312