1. 02 Oct, 2012 2 commits
  2. 01 Oct, 2012 3 commits
  3. 28 Sep, 2012 2 commits
    • ASSERTION in m_graph[tailNodeIndex].op() == Flush ||... · 0157e196
      fpizlo@apple.com authored
      ASSERTION in m_graph[tailNodeIndex].op() == Flush || m_graph[tailNodeIndex].op() == SetLocal on plus.google.com
      https://bugs.webkit.org/show_bug.cgi?id=97656
      
      Reviewed by Mark Hahnenberg.
      
      Source/JavaScriptCore: 
      
      There were two bugs here:
              
      1) In case of multiple GetLocals to the same captured variable, the bytecode parser would link the first,
         rather than the last, of the GetLocals into the vars-at-tail table.
              
      2) The constant folding phase was asserting that any GetLocal it eliminates must be linked into the
         vars-at-tail table, when for captured variables only the last of those should be.
      
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::getLocal):
      * dfg/DFGConstantFoldingPhase.cpp:
      (JSC::DFG::ConstantFoldingPhase::foldConstants):
      
      LayoutTests: 
      
      * fast/js/dfg-redundant-load-of-captured-variable-proven-constant-expected.txt: Added.
      * fast/js/dfg-redundant-load-of-captured-variable-proven-constant.html: Added.
      * fast/js/jsc-test-list:
      * fast/js/script-tests/dfg-redundant-load-of-captured-variable-proven-constant.js: Added.
      (o.f):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129948 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • DFGStructureHoistingPhase SetLocal assumes StructureTransitionWatchpoint has a structure set · 37108897
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97810
      
      Reviewed by Mark Hahnenberg.
      
      No tests because this can't happen in ToT: the structure check hoisting phase runs before any
      CFA or folding, so the only StructureTransitionWatchpoints it will see are the ones inserted
      by the parser. But the parser will only insert StructureTransitionWatchpoints on constants, which
      will not be subject to SetLocals.
      
      Still, it would be good to fix this in case things changed.
      
      * dfg/DFGStructureCheckHoistingPhase.cpp:
      (JSC::DFG::StructureCheckHoistingPhase::run):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129943 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  4. 27 Sep, 2012 6 commits
  5. 26 Sep, 2012 11 commits
    • Proxy the global this in JSC · bcf4db72
      barraclough@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97734
      
      Reviewed by Filip Pizlo.
      
      Eeep – fix a bug - was leaving the global this proxy's structure's globalObject as 0,
      and setting the proxy's prototype as the global object, rather than its prototype.
      
      * jsc.cpp:
      (GlobalObject::create):
      * runtime/JSProxy.h:
      (JSC::JSProxy::createStructure):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129719 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • Speculative Windows build fix. · 5f4d08b1
      barraclough@apple.com authored
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129718 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • Unreviewed, 32-bit build fix. · 02d2bca2
      fpizlo@apple.com authored
      * llint/LowLevelInterpreter32_64.asm:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129715 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • jneq_ptr shouldn't have a pointer · 1271fa3a
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97739
      
      Reviewed by Oliver Hunt.
      
      Slamming pointers directly into bytecode is sometimes cool, but in this case it's
      unwieldy and confusing. Switched the instruction to use an enum instead. This has
      zero effect on code gen behavior in the JITs. In the LLInt, there is now more
      indirection, but that doesn't affect benchmarks.
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * bytecode/Instruction.h:
      (JSC::Instruction::Instruction):
      (Instruction):
      * bytecode/SpecialPointer.cpp: Added.
      (JSC):
      (JSC::actualPointerFor):
      * bytecode/SpecialPointer.h: Added.
      (JSC):
      (JSC::pointerIsFunction):
      (JSC::pointerIsCell):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::emitJumpIfNotFunctionCall):
      (JSC::BytecodeGenerator::emitJumpIfNotFunctionApply):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_jneq_ptr):
      * jit/JITOpcodes32_64.cpp:
      (JSC::JIT::emit_op_jneq_ptr):
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::reset):
      (JSC):
      * runtime/JSGlobalObject.h:
      (JSGlobalObject):
      (JSC::JSGlobalObject::actualPointerFor):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129713 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • REGRESSION (r129456): http/tests/security/xss-eval.html is failing on JSC platforms · 1e61b896
      barraclough@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97529
      
      Reviewed by Filip Pizlo.
      
      A recent patch changed JSC's EvalError behaviour; bring this more into line with other browsers.
      
      Source/JavaScriptCore: 
      
      JSC currently throws an EvalError if you try to call eval with a this object that doesn't
      match the given eval function. This does not match other browsers, which generally just
      ignore the this value that was passed, and eval the string in the eval function's environment.
      
      * runtime/JSGlobalObjectFunctions.cpp:
      (JSC::globalFuncEval):
          - Remove EvalError, ignore passed this value.
      
      LayoutTests: 
      
      * fast/js/eval-cross-window-expected.txt:
      * fast/js/eval-cross-window.html:
          - Changed not to expect EvalErrors (this matches other browsers), and modified testThis
            to check that the this object is always set to the global object.
      * http/tests/security/resources/xss-eval2.html:
      * http/tests/security/resources/xss-eval3.html:
      * http/tests/security/xss-eval-expected.txt:
      * http/tests/security/xss-eval.html:
          - Updated. Access via the global environment is not a security risk, since the eval is
            accessing its own document's information. Access via the shell attempts to access
            the navigated pages document, tripping an access check & throwing a TypeError.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129712 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • Proxy the global this in JSC · 1bba3ce3
      barraclough@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97734
      
      Reviewed by Oliver Hunt.
      
      Having jsc diverge from WebCore here is not beneficial; it potentially masks bugs and/or performance
      problems from command line testing.
      
      * jsc.cpp:
      (GlobalObject::create):
          - Create a this value proxy for the global object.
      * runtime/JSGlobalObject.h:
      (JSGlobalObject):
          - Make setGlobalThis protected.
      * runtime/JSProxy.h:
      (JSC::JSProxy::create):
      (JSC::JSProxy::target):
      (JSC::JSProxy::finishCreation):
      (JSProxy):
          - Allow proxy target to be a JSObject, add target to create method.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129711 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • Speculative Windows build fix. · 44d84cd3
      barraclough@apple.com authored
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129702 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • JSObject::ensureArrayStorage() ignores the possibility that extensions have been prevented · 98796c32
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97719
      
      Reviewed by Gavin Barraclough.
      
      Source/JavaScriptCore: 
      
      * runtime/JSObject.cpp:
      (JSC::JSObject::ensureArrayStorageSlow):
      (JSC):
      * runtime/JSObject.h:
      (JSC::JSObject::ensureArrayStorage):
      (JSObject):
      
      LayoutTests: 
      
      * fast/js/dfg-arrayify-when-late-prevent-extensions-expected.txt: Added.
      * fast/js/dfg-arrayify-when-late-prevent-extensions.html: Added.
      * fast/js/dfg-arrayify-when-prevent-extensions-expected.txt: Added.
      * fast/js/dfg-arrayify-when-prevent-extensions.html: Added.
      * fast/js/jsc-test-list:
      * fast/js/script-tests/dfg-arrayify-when-late-prevent-extensions.js: Added.
      (foo):
      * fast/js/script-tests/dfg-arrayify-when-prevent-extensions.js: Added.
      (foo):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129691 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • Generalize JSGlobalThis as JSProxy · 4aef7247
      barraclough@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97716
      
      Reviewed by Oliver Hunt.
      
      ../JavaScriptCore: 
      
      Generalize JSGlobalThis as JSProxy and move proxying functionality up from the window shell into JSProxy.
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::toThisObject):
          - Hoist toThisObject from WebCore.
      (JSC):
      * runtime/JSGlobalObject.h:
          - removed include.
      (JSC::JSGlobalObject::finishCreation):
          - JSGlobalThis -> JSObject
      (JSGlobalObject):
          - Hoist toThisObject from WebCore.
      * runtime/JSGlobalThis.cpp: Removed.
      * runtime/JSGlobalThis.h: Removed.
      * runtime/JSObject.cpp:
          - removed include.
      * runtime/JSObject.h:
      (JSObject):
      (JSC::JSObject::isProxy):
          - isGlobalThis -> isProxy
          - GlobalThisType -> ProxyType
      * runtime/JSProxy.cpp: Copied from Source/JavaScriptCore/runtime/JSGlobalThis.cpp.
      (JSC):
      (JSC::JSProxy::visitChildren):
      (JSC::JSProxy::setTarget):
      (JSC::JSProxy::className):
      (JSC::JSProxy::getOwnPropertySlot):
      (JSC::JSProxy::getOwnPropertySlotByIndex):
      (JSC::JSProxy::getOwnPropertyDescriptor):
      (JSC::JSProxy::put):
      (JSC::JSProxy::putByIndex):
      (JSC::JSProxy::putDirectVirtual):
      (JSC::JSProxy::defineOwnProperty):
      (JSC::JSProxy::deleteProperty):
      (JSC::JSProxy::deletePropertyByIndex):
      (JSC::JSProxy::getPropertyNames):
      (JSC::JSProxy::getOwnPropertyNames):
          - Class created from JSGlobalThis, JSDOMWindowShell.
      * runtime/JSProxy.h: Copied from Source/JavaScriptCore/runtime/JSGlobalThis.h.
      (JSC::JSProxy::create):
      (JSC::JSProxy::createStructure):
      (JSProxy):
      (JSC::JSProxy::target):
      (JSC::JSProxy::JSProxy):
          - Class created from JSGlobalThis, JSDOMWindowShell.
      * runtime/JSType.h:
          - GlobalThisType -> ProxyType
      
      ../WebCore: 
      
      This patch moves window shell functionality up to JSC::JSProxy.
      
      * ForwardingHeaders/runtime/JSGlobalThis.h: Removed.
      * ForwardingHeaders/runtime/JSProxy.h: Copied from Source/WebCore/ForwardingHeaders/runtime/JSGlobalThis.h.
      * bindings/js/JSDOMGlobalObject.cpp:
      (WebCore::JSDOMGlobalObject::finishCreation):
          - JSGlobalThis -> JSObject
      * bindings/js/JSDOMGlobalObject.h:
      (JSDOMGlobalObject):
          - JSGlobalThis -> JSObject
      * bindings/js/JSDOMWindowBase.cpp:
      (WebCore):
          - Hoist toThisObject up into JSC.
      * bindings/js/JSDOMWindowBase.h:
      (JSDOMWindowBase):
          - Hoist toThisObject up into JSC.
      * bindings/js/JSDOMWindowShell.cpp:
      (WebCore):
          - JSGlobalThis -> JSProxy
          - moved JSObject callbacks to JSProxy
      * bindings/js/JSDOMWindowShell.h:
      (JSDOMWindowShell):
          - JSGlobalThis -> JSProxy
          - moved JSObject callbacks to JSProxy
      (WebCore::JSDOMWindowShell::window):
          - unwrappedObject() -> target()
      (WebCore::JSDOMWindowShell::setWindow):
          - setUnwrappedObject() -> setTarget()
      (WebCore::JSDOMWindowShell::createStructure):
          - GlobalThisType -> ProxyType
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129685 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • Add ability for JSArray::unshiftCount to unshift in middle of an array · a1c33e2b
      msaboff@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97691
      
      Reviewed by Filip Pizlo.
      
      Changed JSArray::unshiftCount and unshiftCountSlowCase to handle unshifting from the middle of an
      array.  Depending on where the unshift point is, either the front part of the array will be moved
      "left" or the back part will be moved right.  Given that unshiftCount only works on contiguous
      arrays it is safe to use memmove for the moves.
      
      This change is worth a 25% performance improvement on pdfjs.  It doesn't seem to have any impact on
      any other benchmarks.
      
      * runtime/ArrayPrototype.cpp:
      (JSC::unshift):
      * runtime/JSArray.cpp:
      (JSC::JSArray::unshiftCountSlowCase):
      (JSC::JSArray::unshiftCount):
      * runtime/JSArray.h:
      (JSArray):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129676 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • Unreviewed, rolling out r129592. · 9ab98ef6
      commit-queue@webkit.org authored
      http://trac.webkit.org/changeset/129592
      https://bugs.webkit.org/show_bug.cgi?id=97670
      
      Failures in Chromium security tests (Requested by schenney on
      #webkit).
      
      Patch by Sheriff Bot <webkit.review.bot@gmail.com> on 2012-09-26
      
      Source/JavaScriptCore:
      
      * runtime/JSGlobalObjectFunctions.cpp:
      (JSC::globalFuncEval):
      
      LayoutTests:
      
      * fast/js/eval-cross-window-expected.txt:
      * fast/js/eval-cross-window.html:
      * http/tests/security/cross-frame-access-call-expected.txt:
      * http/tests/security/cross-frame-access-call.html:
      * http/tests/security/resources/xss-eval2.html:
      * http/tests/security/resources/xss-eval3.html:
      * http/tests/security/xss-eval-expected.txt:
      * http/tests/security/xss-eval.html:
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129629 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  6. 25 Sep, 2012 9 commits
    • REGRESSION (r129456): http/tests/security/xss-eval.html is failing on JSC platforms · b364bcbe
      barraclough@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97529
      
      Reviewed by Filip Pizlo.
      
      A recent patch changed JSC's EvalError behaviour; bring this more into line with other browsers.
      
      Source/JavaScriptCore: 
      
      JSC currently throws an EvalError if you try to call eval with a this object that doesn't
      match the given eval function. This does not match other browsers, which generally just
      ignore the this value that was passed, and eval the string in the eval function's environment.
      
      * runtime/JSGlobalObjectFunctions.cpp:
      (JSC::globalFuncEval):
          - Remove EvalError, ignore passed this value.
      
      LayoutTests: 
      
      * fast/js/eval-cross-window-expected.txt:
      * fast/js/eval-cross-window.html:
          - Changed not to expect EvalErrors (this matches other browsers), and modified testThis
            to check that the this object is always set to the global object.
      * http/tests/security/resources/xss-eval2.html:
      * http/tests/security/resources/xss-eval3.html:
      * http/tests/security/xss-eval-expected.txt:
      * http/tests/security/xss-eval.html:
          - Updated. Access via the global environment is not a security risk, since the eval is
            accessing its own document's information. Access via the shell attempts to access
            the navigated pages document, tripping an access check & throwing a TypeError.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129592 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • DFG ArrayPush, ArrayPop don't handle clobbering or having a bad time correctly · e0480cf1
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97535
      
      Source/JavaScriptCore: 
      
      Reviewed by Oliver Hunt.
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::handleIntrinsic):
      * dfg/DFGStructureCheckHoistingPhase.cpp:
      (JSC::DFG::StructureCheckHoistingPhase::run):
      
      LayoutTests: 
      
      Rubber stamped by Oliver Hunt.
      
      * fast/js/dfg-array-pop-side-effects-expected.txt: Added.
      * fast/js/dfg-array-pop-side-effects.html: Added.
      * fast/js/dfg-array-push-bad-time-expected.txt: Added.
      * fast/js/dfg-array-push-bad-time.html: Added.
      * fast/js/dfg-array-push-slow-put-expected.txt: Added.
      * fast/js/dfg-array-push-slow-put.html: Added.
      * fast/js/jsc-test-list:
      * fast/js/script-tests/dfg-array-pop-side-effects.js: Added.
      (foo):
      (.b):
      * fast/js/script-tests/dfg-array-push-bad-time.js: Added.
      * fast/js/script-tests/dfg-array-push-slow-put.js: Added.
      (foo):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129588 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • JSC should dump object size inference statistics · def139e9
      ggaren@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97618
      
      Reviewed by Filip Pizlo.
      
      Added an option to dump object size inference statistics.
      
      To see statistics on live objects:
      
          jsc --showHeapStatistics=1
      
      To see cumulative statistics on all objects ever allocated:
      
          jsc --showHeapStatistics=1 --objectsAreImmortal=1
      
          (This is useful for showing GC churn caused by over-allocation.)
      
      To support this second mode, I refactored Zombies to separate out their
      immortality feature so I could reuse it.
      
      * heap/Heap.cpp:
      (JSC::MarkObject): Helper for making things immortal. We have to check
      for being zapped because blocks start out in this state.
      
      (JSC::StorageStatistics): Gather statistics by walking the heap. Ignore
      arrays and hash tables for now because they're not our focus. (We'll
      remove these exceptions in future.)
      
      (JSC::Heap::collect): Moved zombify to the end so it wouldn't interfere
      with statistics gathering.
      
      (JSC::Heap::showStatistics):
      (JSC::Heap::markAllObjects): Factored out helper, so statistics could
      take advantage of immortal objects.
      
      (Zombify): Don't mark immortal objects -- that's another class's job now.
      
      (JSC::Zombify::operator()):
      (JSC::Heap::zombifyDeadObjects): Take advantage of forEachDeadCell instead
      of rolling our own.
      
      * heap/Heap.h:
      (Heap):
      * heap/MarkedSpace.h:
      (MarkedSpace):
      (JSC::MarkedSpace::forEachDeadCell): Added, so clients don't have to do
      the iteration logic themselves.
      
      * runtime/Options.cpp:
      (JSC::Options::initialize):
      * runtime/Options.h: New options, listed above. Make sure to initialize
      based on environment variable first, so we can override with specific settings.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129586 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • We shouldn't use the optimized versions of shift/unshift if the user is doing... · 8fd5e34c
      fpizlo@apple.com authored
      We shouldn't use the optimized versions of shift/unshift if the user is doing crazy things to the array
      https://bugs.webkit.org/show_bug.cgi?id=97603
      <rdar://problem/12370864>
      
      Reviewed by Gavin Barraclough.
      
      You changed the length behind our backs? No optimizations for you then!
      
      * runtime/ArrayPrototype.cpp:
      (JSC::shift):
      (JSC::unshift):
      * runtime/JSArray.cpp:
      (JSC::JSArray::shiftCount):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129577 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • JSC bindings appear to sometimes ignore the possibility of arrays being in sparse mode · 7ebfaed1
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=95610
      
      Reviewed by Oliver Hunt.
      
      Source/JavaScriptCore: 
      
      Add better support for quickly accessing the indexed storage from bindings.
      
      * runtime/JSObject.h:
      (JSC::JSObject::tryGetIndexQuickly):
      (JSObject):
      (JSC::JSObject::getDirectIndex):
      (JSC::JSObject::getIndex):
      
      Source/WebCore: 
      
      Fix all of the cases I found where we were using getIndexQuickly(), which was wrong
      if we were in sparse mode.
      
      * bindings/js/ArrayValue.cpp:
      (WebCore::ArrayValue::get):
      * bindings/js/JSBlobCustom.cpp:
      (WebCore::JSBlobConstructor::constructJSBlob):
      * bindings/js/JSCanvasRenderingContext2DCustom.cpp:
      (WebCore::JSCanvasRenderingContext2D::setWebkitLineDash):
      * bindings/js/JSDOMStringListCustom.cpp:
      (WebCore::toDOMStringList):
      * bindings/js/JSInspectorFrontendHostCustom.cpp:
      (WebCore::populateContextMenuItems):
      * bindings/js/JSWebSocketCustom.cpp:
      (WebCore::JSWebSocketConstructor::constructJSWebSocket):
      * bindings/js/ScriptValue.cpp:
      (WebCore::jsToInspectorValue):
      * bindings/js/SerializedScriptValue.cpp:
      (CloneSerializer):
      (WebCore::CloneSerializer::serialize):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129574 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • Structure check hoisting phase doesn't know about the side-effecting nature of Arrayify · 3d94f71e
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97537
      
      Reviewed by Mark Hahnenberg.
      
      No tests because if we use Arrayify then we also use PutByVal(BlankToXYZ), and the latter is
      already known to be side-effecting. So this bug shouldn't have had any symptoms, as far as I
      can tell.
      
      * dfg/DFGStructureCheckHoistingPhase.cpp:
      (JSC::DFG::StructureCheckHoistingPhase::run):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129553 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • Regression: put beyond vector length prefers prototype setters to sparse properties · 544a81b8
      barraclough@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97593
      
      Reviewed by Geoff Garen & Filip Pizlo.
      
      Source/JavaScriptCore: 
      
      * runtime/JSObject.cpp:
      (JSC::JSObject::putByIndexBeyondVectorLength):
          - Check for self properties in the sparse map - if present, don't examine the protochain.
      
      LayoutTests: 
      
      * fast/js/script-tests/array-defineOwnProperty.js:
      (Object.defineProperty):
      (set Object.defineProperty):
          - Added test case.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129548 268f45cc-cd09-0410-ab3c-d52691b4dbfc
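The [[Set]] ordering this fix restores, as an added example that is not WebKit code: a write to an index beyond the array's dense storage must honour an own sparse property on the receiver before it consults any setter found on the prototype chain. `INDEX`, the setter planted on Array.prototype and the function names are assumptions of the example; it runs under Node.js.

```javascript
'use strict';
// Added example, not WebKit code. Demonstrates the ordinary [[Set]] order:
// an own data property on the receiver wins over a setter inherited from the
// prototype, even when the own property lives in the sparse part of an array.

const INDEX = 100000; // far beyond any dense storage the engine would keep

// Runs one assignment to arr[INDEX] with a setter planted on
// Array.prototype, and reports who handled it. `seedOwnProperty` decides
// whether the array already has its own sparse property at INDEX.
function assignBeyondVectorLength(seedOwnProperty) {
  const setterSaw = [];
  Object.defineProperty(Array.prototype, INDEX, {
    set(v) { setterSaw.push(v); },
    configurable: true,
  });
  try {
    const arr = ['dense'];
    if (seedOwnProperty) {
      Object.defineProperty(arr, INDEX, {
        value: 'own', writable: true, enumerable: true, configurable: true,
      });
    }
    arr[INDEX] = 'assigned';
    return {
      setterCalls: setterSaw.length,
      ownValue: Object.prototype.hasOwnProperty.call(arr, INDEX) ? arr[INDEX] : undefined,
      length: arr.length,
    };
  } finally {
    // Undo the prototype pollution: drop the accessor and shrink the length
    // that defining an index on Array.prototype bumped.
    delete Array.prototype[INDEX];
    Array.prototype.length = 0;
  }
}

// With no own property, the inherited setter intercepts the write and the
// array never gets the element: the prototype hook "wins". This is the
// prototype-pollution shape, and it is the correct outcome for this input.
function setterInterceptsWhenNoOwnProperty() {
  return assignBeyondVectorLength(false); // { setterCalls: 1, ownValue: undefined, length: 1 }
}

// With an own sparse property present, the write must update it and the
// setter must not run. This is the case the regression got wrong.
function ownPropertyWinsOverSetter() {
  return assignBeyondVectorLength(true); // { setterCalls: 0, ownValue: 'assigned', length: 100001 }
}
```

The two functions differ only in whether the receiver already owns the index, which is exactly the check the fix adds to putByIndexBeyondVectorLength: look in the sparse map first and skip the prototype chain when the property is there.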
    • https://bugs.webkit.org/show_bug.cgi?id=97530 · fb498f4b
      barraclough@apple.com authored
      Regression, freeze applied to numeric properties of non-array objects
      
      Reviewed by Filip Pizlo.
      
      Object.freeze has a fast implementation in JSObject, but this hasn't been updated to take into account numeric properties in butterflies.
      For now, just fall back to the generic implementation if the object has numeric properties.
      
      Source/JavaScriptCore: 
      
      * runtime/ObjectConstructor.cpp:
      (JSC::objectConstructorFreeze):
          - fallback if the object has a non-zero indexed property vector length.
      
      LayoutTests: 
      
      * fast/js/preventExtensions-expected.txt:
      * fast/js/script-tests/preventExtensions.js:
          - Added a test case for freezing an object with a numeric property.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129461 268f45cc-cd09-0410-ab3c-d52691b4dbfc
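An added script-level audit, not WebKit code, of the behaviour this commit fixes, together with the related preventExtensions case from r129691 above: it checks through property descriptors, rather than by trusting Object.isFrozen, that freeze and preventExtensions cover integer-keyed properties of a plain object as well as named ones. The helper names and the sample objects are constructed for the example; it runs under Node.js.

```javascript
'use strict';
// Added example, not WebKit code. Audits from script that Object.freeze and
// Object.preventExtensions cover integer-keyed ("numeric") properties of a
// plain object, which an engine may store apart from named properties.
// The check goes through property descriptors instead of trusting
// Object.isFrozen, so it is independent of any fast path in the engine.

// Every own key (named, integer-indexed, symbol) that is still configurable
// or, for data properties, still writable; plus a marker if the object
// can still grow. An empty list means the object is fully frozen.
function unfrozenKeys(obj) {
  const leaks = [];
  for (const key of Reflect.ownKeys(obj)) {
    const d = Object.getOwnPropertyDescriptor(obj, key);
    if (d.configurable || ('value' in d && d.writable)) leaks.push(String(key));
  }
  if (Object.isExtensible(obj)) leaks.push('<extensible>');
  return leaks;
}

// Reflect.set reports a refused write as `false` instead of throwing (in
// strict code the plain assignment would throw a TypeError), so the result
// does not depend on the caller's strictness.
function tryAssign(obj, key, value) {
  const before = obj[key];
  const accepted = Reflect.set(obj, key, value);
  return { rejected: !accepted, unchanged: obj[key] === before };
}

function freezeWithNumericProperties() {
  const o = { name: 'named', 0: 'zero', 5: 'five' }; // constructed input
  Object.freeze(o);
  return {
    leaks: unfrozenKeys(o),               // []
    named: tryAssign(o, 'name', 'x'),     // { rejected: true, unchanged: true }
    indexed: tryAssign(o, 0, 'x'),        // { rejected: true, unchanged: true }
    agreesWithIsFrozen: Object.isFrozen(o) === (unfrozenKeys(o).length === 0),
  };
}

function preventExtensionsWithNumericProperties() {
  const o = { 0: 'zero' }; // constructed input
  Object.preventExtensions(o);
  return {
    existing: tryAssign(o, 0, 'changed'), // still writable: { rejected: false, unchanged: false }
    added: tryAssign(o, 1, 'new'),        // new index refused: { rejected: true, unchanged: true }
    hasNew: Object.prototype.hasOwnProperty.call(o, 1), // false
  };
}
```

`unfrozenKeys` is the descriptor walk a layout test would do to catch the regression: with the fast path skipping indexed storage, key `0` and `5` would show up as still writable even though `Object.freeze` returned normally.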
    • Bug in numeric accessors on global environment · bedfae14
      barraclough@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97526
      
      Reviewed by Geoff Garen.
      
      I've hit this assert in test262 in browser, but haven't yet worked out how to repro in a test case :-/
      The sparse map is failing to map back from the global object to the window shell.
      A test case would need to resolve a numeric property name against the global environment.
      
      (JSC::SparseArrayEntry::get):
      (JSC::SparseArrayEntry::put):
          - Add missing toThisObject calls.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129458 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  7. 24 Sep, 2012 7 commits
    • SerializedScriptValue isn't aware of indexed storage, but should be · 904bab81
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97515
      <rdar://problem/12361874>
      
      Reviewed by Sam Weinig.
      
      Source/JavaScriptCore: 
      
      Export a method that WebCore now uses.
      
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
      * runtime/JSObject.h:
      (JSObject):
      
      Source/WebCore: 
      
      New test: fast/js/post-message-numeric-property.html
      
      * bindings/js/SerializedScriptValue.cpp:
      (WebCore::CloneDeserializer::putProperty):
      
      LayoutTests: 
      
      * fast/js/post-message-numeric-property-expected.txt: Added.
      * fast/js/post-message-numeric-property.html: Added.
      * fast/js/script-tests/post-message-numeric-property.js: Added.
      (window.onmessage):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129457 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • Remove JSObject::unwrappedGlobalObject(), JSObject::unwrappedObject() · 51bdc905
      barraclough@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97519
      
      Reviewed by Geoff Garen.
      
      ../JavaScriptCore: 
      
      unwrappedGlobalObject() was only needed because globalObject() doesn't always return a helpful result -
      specifically for WebCore's window shell the structure's globalObject is set to null. We can fix this by
      simply keeping the structure up to date as the window navigates, obviating the need for this function.
      
      The only other use of unwrappedObject() came from globalFuncEval(), and this can be trivially removed
      by flipping the way we perform this globalObject check (which we may also be able to remove!) - instead
      of getting the globalObject from the provided this value & comparing to the expected globalObject, we
      can get the this value from the expected globalObject, and compare to that provided.
      
      * runtime/JSGlobalObject.cpp:
          - Call globalObject() instead of unwrappedGlobalObject().
      * runtime/JSGlobalObjectFunctions.cpp:
      (JSC::globalFuncEval):
          - Changed to compare this object values, instead of globalObjects -
            this means we only need to be able to map globalObject -> this,
            and not vice versa.
      * runtime/JSObject.cpp:
      (JSC::JSObject::allowsAccessFrom):
      (JSC::JSObject::createInheritorID):
          - Call globalObject() instead of unwrappedGlobalObject().
      * runtime/JSObject.h:
      (JSObject):
          - Removed unwrappedGlobalObject(), unwrappedObject().
      
      ../WebCore: 
      
      JSDOMWindowShell::setWindow should update the structure's globalObject.
      
      * bindings/js/JSDOMWindowShell.h:
      (WebCore::JSDOMWindowShell::setWindow):
          - Update the JSDOMWindowShell's structure's globalObject when the
            window changes.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129456 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • Deleting the classic interpreter and cleaning up some build options. · 74a9e837
      mark.lam@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96969.
      
      Reviewed by Geoffrey Garen.
      
      Source/JavaScriptCore: 
      
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::dump):
      (JSC::CodeBlock::finalizeUnconditionally):
      (JSC::CodeBlock::stronglyVisitStrongReferences):
      (JSC):
      * bytecode/Instruction.h:
      (JSC::Instruction::Instruction):
      * interpreter/AbstractPC.cpp:
      (JSC::AbstractPC::AbstractPC):
      * interpreter/AbstractPC.h:
      (AbstractPC):
      * interpreter/CallFrame.h:
      (ExecState):
      * interpreter/Interpreter.cpp:
      (JSC):
      (JSC::Interpreter::Interpreter):
      (JSC::Interpreter::~Interpreter):
      (JSC::Interpreter::initialize):
      (JSC::Interpreter::isOpcode):
      (JSC::Interpreter::unwindCallFrame):
      (JSC::getLineNumberForCallFrame):
      (JSC::getCallerInfo):
      (JSC::getSourceURLFromCallFrame):
      (JSC::Interpreter::execute):
      (JSC::Interpreter::executeCall):
      (JSC::Interpreter::executeConstruct):
      (JSC::Interpreter::retrieveArgumentsFromVMCode):
      (JSC::Interpreter::retrieveCallerFromVMCode):
      (JSC::Interpreter::retrieveLastCaller):
      * interpreter/Interpreter.h:
      (JSC::Interpreter::getOpcodeID):
      (Interpreter):
      * jit/ExecutableAllocatorFixedVMPool.cpp:
      (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
      * offlineasm/asm.rb:
      * offlineasm/offsets.rb:
      * runtime/Executable.cpp:
      (JSC::EvalExecutable::compileInternal):
      (JSC::ProgramExecutable::compileInternal):
      (JSC::FunctionExecutable::compileForCallInternal):
      (JSC::FunctionExecutable::compileForConstructInternal):
      * runtime/Executable.h:
      (JSC::NativeExecutable::create):
      (NativeExecutable):
      (JSC::NativeExecutable::finishCreation):
      * runtime/JSGlobalData.cpp:
      (JSC):
      (JSC::JSGlobalData::JSGlobalData):
      (JSC::JSGlobalData::getHostFunction):
      * runtime/JSGlobalData.h:
      (JSGlobalData):
      (JSC::JSGlobalData::canUseJIT):
      (JSC::JSGlobalData::canUseRegExpJIT):
      * runtime/Options.cpp:
      (JSC::Options::initialize):
      
      Source/WebKit/blackberry: 
      
      * WebCoreSupport/AboutDataEnableFeatures.in:
      
      Source/WTF: 
      
      * wtf/OSAllocatorPosix.cpp:
      (WTF::OSAllocator::reserveAndCommit):
      * wtf/Platform.h:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129453 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • Nested try/finally should not confuse the finally unpopper in... · 84c256c3
      fpizlo@apple.com authored
      Nested try/finally should not confuse the finally unpopper in BytecodeGenerator::emitComplexJumpScopes
      https://bugs.webkit.org/show_bug.cgi?id=97508
      <rdar://problem/12361132>
      
      Reviewed by Sam Weinig.
      
      Source/JavaScriptCore: 
      
      We're reusing some vector for multiple iterations of a loop, but we were forgetting to clear its
      contents from one iteration to the next. Hence if you did multiple iterations of finally unpopping
      (like in a nested try/finally and a jump out of both of them) then you'd get a corrupted try
      context stack afterwards.
      
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::emitComplexJumpScopes):
      
      LayoutTests: 
      
      * fast/js/jsc-test-list:
      * fast/js/script-tests/try-try-return-finally-finally.js: Added.
      (foo):
      * fast/js/try-try-return-finally-finally-expected.txt: Added.
      * fast/js/try-try-return-finally-finally.html: Added.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129440 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • ValueToInt32 bool case does bad things to registers · 7539f5a7
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97505
      <rdar://problem/12356331>
      
      Reviewed by Mark Hahnenberg.
      
      Source/JavaScriptCore: 
      
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileValueToInt32):
      
      LayoutTests: 
      
      * fast/js/dfg-bool-to-int32-reuse-expected.txt: Added.
      * fast/js/dfg-bool-to-int32-reuse.html: Added.
      * fast/js/jsc-test-list:
      * fast/js/script-tests/dfg-bool-to-int32-reuse.js: Added.
      (foo):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129435 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • Add cloopDo instruction for debugging the llint C++ backend. · 9cc5df7d
      mark.lam@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97502.
      
      Reviewed by Geoffrey Garen.
      
      * offlineasm/cloop.rb:
      * offlineasm/instructions.rb:
      * offlineasm/parser.rb:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129434 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • JSArray::putByIndex asserts with readonly property on prototype · 44e841ff
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97435
      <rdar://problem/12357084>
      
      Reviewed by Geoffrey Garen.
      
      Source/JavaScriptCore: 
      
      Boy, there were some problems:
              
      - putDirectIndex() should know that it can set the index quickly even if it's a hole and we're
        in SlowPut mode, since that's the whole point of PutDirect.
              
      - We should have a fast path for putByIndex().
              
      - The LiteralParser should not use push(), since that may throw if we're having a bad time.
      
      * interpreter/Interpreter.cpp:
      (JSC::eval):
      * runtime/JSObject.h:
      (JSC::JSObject::putByIndexInline):
      (JSObject):
      (JSC::JSObject::putDirectIndex):
      * runtime/LiteralParser.cpp:
      (JSC::::parse):
      
      LayoutTests: 
      
      * fast/js/concat-while-having-a-bad-time.html: Added.
      * fast/js/concat-while-having-a-bad-time-expected.txt: Added.
      * fast/js/jsc-test-list:
      * fast/js/script-tests/concat-while-having-a-bad-time.js: Added.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129432 268f45cc-cd09-0410-ab3c-d52691b4dbfc