- 05 Nov, 2012 1 commit
fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=101174
Reviewed by Geoffrey Garen.

Introduces a #define QNaN in JSValue.h, and replaces all previous uses of std::numeric_limits<double>::quiet_NaN() with QNaN.

* API/JSValueRef.cpp: (JSValueMakeNumber): (JSValueToNumber):
* dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
* jit/JITPropertyAccess.cpp: (JSC::JIT::emitFloatTypedArrayGetByVal):
* runtime/CachedTranscendentalFunction.h: (JSC::CachedTranscendentalFunction::initialize):
* runtime/DateConstructor.cpp: (JSC::constructDate):
* runtime/DateInstanceCache.h: (JSC::DateInstanceData::DateInstanceData): (JSC::DateInstanceCache::reset):
* runtime/ExceptionHelpers.cpp: (JSC::InterruptedExecutionError::defaultValue): (JSC::TerminatedExecutionError::defaultValue):
* runtime/JSCell.h: (JSC::JSValue::getPrimitiveNumber):
* runtime/JSDateMath.cpp: (JSC::parseDateFromNullTerminatedCharacters):
* runtime/JSGlobalData.cpp: (JSC::JSGlobalData::JSGlobalData): (JSC::JSGlobalData::resetDateCache):
* runtime/JSGlobalObjectFunctions.cpp: (JSC::parseInt): (JSC::jsStrDecimalLiteral): (JSC::toDouble): (JSC::jsToNumber): (JSC::parseFloat):
* runtime/JSValue.cpp: (JSC::JSValue::toNumberSlowCase):
* runtime/JSValue.h: (JSC):
* runtime/JSValueInlineMethods.h: (JSC::jsNaN):
* runtime/MathObject.cpp: (JSC::mathProtoFuncMax): (JSC::mathProtoFuncMin):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@133493 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 18 Oct, 2012 1 commit
yuqiang.xian@intel.com authored
Refactor MacroAssembler interfaces to differentiate the pointer operands from the 64-bit integer operands
https://bugs.webkit.org/show_bug.cgi?id=99154
Reviewed by Gavin Barraclough.

In the current JavaScriptCore implementation for the JSVALUE64 platform (i.e., the X64 platform), we assume that the JSValue size is the same as the pointer size, and thus EncodedJSValue is simply type defined as a "void*". In the JIT compiler, we also take this assumption and invoke the same macro assembler interfaces for both JSValue and pointer operands.

We need to differentiate the operations on pointers from the operations on JSValues, and let them invoke different macro assembler interfaces. For example, we now use the interface of "loadPtr" to load either a pointer or a JSValue, and we need to switch to using "loadPtr" to load a pointer and some new "load64" interface to load a JSValue. This would help us support other JSVALUE64 platforms where pointer size is not necessarily 64 bits, for example x32 (bug #99153).

The major modification I made is to introduce the "*64" interfaces in the MacroAssembler for those operations on JSValues, keep the "*Ptr" interfaces for those operations on real pointers, and go through all the JIT compiler code to correct the usage. This is the second part of the work, i.e., to correct the usage of the new MacroAssembler interfaces in the JIT compilers, which also means that now EncodedJSValue is defined as a 64-bit integer, and the "*64" interfaces are used for it.

* assembler/MacroAssembler.h: JSValue immediates should be in Imm64 instead of ImmPtr. (MacroAssembler): (JSC::MacroAssembler::shouldBlind):
* dfg/DFGAssemblyHelpers.cpp: Correct the JIT compilers' usage of the new interfaces. (JSC::DFG::AssemblyHelpers::jitAssertIsInt32): (JSC::DFG::AssemblyHelpers::jitAssertIsJSInt32): (JSC::DFG::AssemblyHelpers::jitAssertIsJSNumber): (JSC::DFG::AssemblyHelpers::jitAssertIsJSDouble): (JSC::DFG::AssemblyHelpers::jitAssertIsCell):
* dfg/DFGAssemblyHelpers.h: (JSC::DFG::AssemblyHelpers::emitPutToCallFrameHeader): (JSC::DFG::AssemblyHelpers::branchIfNotCell): (JSC::DFG::AssemblyHelpers::debugCall): (JSC::DFG::AssemblyHelpers::boxDouble): (JSC::DFG::AssemblyHelpers::unboxDouble): (JSC::DFG::AssemblyHelpers::emitExceptionCheck):
* dfg/DFGCCallHelpers.h: (JSC::DFG::CCallHelpers::setupArgumentsWithExecState): (CCallHelpers):
* dfg/DFGOSRExitCompiler64.cpp: (JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGRepatch.cpp: (JSC::DFG::generateProtoChainAccessStub): (JSC::DFG::tryCacheGetByID): (JSC::DFG::tryBuildGetByIDList): (JSC::DFG::emitPutReplaceStub): (JSC::DFG::emitPutTransitionStub):
* dfg/DFGScratchRegisterAllocator.h: (JSC::DFG::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer): (JSC::DFG::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
* dfg/DFGSilentRegisterSavePlan.h:
* dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::checkArgumentTypes): (JSC::DFG::SpeculativeJIT::compileValueToInt32): (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject): (JSC::DFG::SpeculativeJIT::compileInstanceOf): (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant): (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
* dfg/DFGSpeculativeJIT.h: (SpeculativeJIT): (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR): (JSC::DFG::SpeculativeJIT::silentSpill): (JSC::DFG::SpeculativeJIT::silentFill): (JSC::DFG::SpeculativeJIT::spill): (JSC::DFG::SpeculativeJIT::valueOfJSConstantAsImm64): (JSC::DFG::SpeculativeJIT::callOperation): (JSC::DFG::SpeculativeJIT::branch64):
* dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::fillInteger): (JSC::DFG::SpeculativeJIT::fillDouble): (JSC::DFG::SpeculativeJIT::fillJSValue): (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber): (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32): (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber): (JSC::DFG::SpeculativeJIT::cachedGetById): (JSC::DFG::SpeculativeJIT::cachedPutById): (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq): (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq): (JSC::DFG::SpeculativeJIT::emitCall): (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal): (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): (JSC::DFG::SpeculativeJIT::convertToDouble): (JSC::DFG::SpeculativeJIT::compileObjectEquality): (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): (JSC::DFG::SpeculativeJIT::compileDoubleCompare): (JSC::DFG::SpeculativeJIT::compileNonStringCellOrOtherLogicalNot): (JSC::DFG::SpeculativeJIT::compileLogicalNot): (JSC::DFG::SpeculativeJIT::emitNonStringCellOrOtherBranch): (JSC::DFG::SpeculativeJIT::emitBranch): (JSC::DFG::SpeculativeJIT::compileContiguousGetByVal): (JSC::DFG::SpeculativeJIT::compileArrayStorageGetByVal): (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal): (JSC::DFG::SpeculativeJIT::compileArrayStoragePutByVal): (JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGThunks.cpp: (JSC::DFG::osrExitGenerationThunkGenerator): (JSC::DFG::throwExceptionFromCallSlowPathGenerator): (JSC::DFG::slowPathFor): (JSC::DFG::virtualForThunkGenerator):
* interpreter/Interpreter.cpp: (JSC::Interpreter::dumpRegisters):
* jit/JIT.cpp: (JSC::JIT::privateCompile):
* jit/JIT.h: (JIT):
* jit/JITArithmetic.cpp: (JSC::JIT::emit_op_negate): (JSC::JIT::emitSlow_op_negate): (JSC::JIT::emit_op_rshift): (JSC::JIT::emitSlow_op_urshift): (JSC::JIT::emit_compareAndJumpSlow): (JSC::JIT::emit_op_bitand): (JSC::JIT::compileBinaryArithOpSlowCase): (JSC::JIT::emit_op_div):
* jit/JITCall.cpp: (JSC::JIT::compileLoadVarargs): (JSC::JIT::compileCallEval): (JSC::JIT::compileCallEvalSlowCase): (JSC::JIT::compileOpCall):
* jit/JITInlineMethods.h: Have some clean-up work as well. (JSC): (JSC::JIT::emitPutCellToCallFrameHeader): (JSC::JIT::emitPutIntToCallFrameHeader): (JSC::JIT::emitPutToCallFrameHeader): (JSC::JIT::emitGetFromCallFrameHeader32): (JSC::JIT::emitGetFromCallFrameHeader64): (JSC::JIT::emitAllocateJSArray): (JSC::JIT::emitValueProfilingSite): (JSC::JIT::emitGetJITStubArg): (JSC::JIT::emitGetVirtualRegister): (JSC::JIT::emitPutVirtualRegister): (JSC::JIT::emitInitRegister): (JSC::JIT::emitJumpIfJSCell): (JSC::JIT::emitJumpIfBothJSCells): (JSC::JIT::emitJumpIfNotJSCell): (JSC::JIT::emitLoadInt32ToDouble): (JSC::JIT::emitJumpIfImmediateInteger): (JSC::JIT::emitJumpIfNotImmediateInteger): (JSC::JIT::emitJumpIfNotImmediateIntegers): (JSC::JIT::emitFastArithReTagImmediate): (JSC::JIT::emitFastArithIntToImmNoCheck):
* jit/JITOpcodes.cpp: (JSC::JIT::privateCompileCTINativeCall): (JSC::JIT::emit_op_mov): (JSC::JIT::emit_op_instanceof): (JSC::JIT::emit_op_is_undefined): (JSC::JIT::emit_op_is_boolean): (JSC::JIT::emit_op_is_number): (JSC::JIT::emit_op_tear_off_activation): (JSC::JIT::emit_op_not): (JSC::JIT::emit_op_jfalse): (JSC::JIT::emit_op_jeq_null): (JSC::JIT::emit_op_jneq_null): (JSC::JIT::emit_op_jtrue): (JSC::JIT::emit_op_bitxor): (JSC::JIT::emit_op_bitor): (JSC::JIT::emit_op_get_pnames): (JSC::JIT::emit_op_next_pname): (JSC::JIT::compileOpStrictEq): (JSC::JIT::emit_op_catch): (JSC::JIT::emit_op_throw_reference_error): (JSC::JIT::emit_op_eq_null): (JSC::JIT::emit_op_neq_null): (JSC::JIT::emit_op_create_activation): (JSC::JIT::emit_op_create_arguments): (JSC::JIT::emit_op_init_lazy_reg): (JSC::JIT::emitSlow_op_convert_this): (JSC::JIT::emitSlow_op_not): (JSC::JIT::emit_op_get_argument_by_val): (JSC::JIT::emit_op_put_to_base): (JSC::JIT::emit_resolve_operations):
* jit/JITPropertyAccess.cpp: (JSC::JIT::emit_op_get_by_val): (JSC::JIT::emitContiguousGetByVal): (JSC::JIT::emitArrayStorageGetByVal): (JSC::JIT::emitSlow_op_get_by_val): (JSC::JIT::compileGetDirectOffset): (JSC::JIT::emit_op_get_by_pname): (JSC::JIT::emitContiguousPutByVal): (JSC::JIT::emitArrayStoragePutByVal): (JSC::JIT::compileGetByIdHotPath): (JSC::JIT::emit_op_put_by_id): (JSC::JIT::compilePutDirectOffset): (JSC::JIT::emit_op_init_global_const): (JSC::JIT::emit_op_init_global_const_check): (JSC::JIT::emitIntTypedArrayGetByVal): (JSC::JIT::emitFloatTypedArrayGetByVal): (JSC::JIT::emitFloatTypedArrayPutByVal):
* jit/JITStubCall.h: (JITStubCall): (JSC::JITStubCall::JITStubCall): (JSC::JITStubCall::addArgument): (JSC::JITStubCall::call): (JSC::JITStubCall::callWithValueProfiling):
* jit/JSInterfaceJIT.h: (JSC::JSInterfaceJIT::emitJumpIfImmediateNumber): (JSC::JSInterfaceJIT::emitJumpIfNotImmediateNumber): (JSC::JSInterfaceJIT::emitLoadJSCell): (JSC::JSInterfaceJIT::emitLoadInt32): (JSC::JSInterfaceJIT::emitLoadDouble):
* jit/SpecializedThunkJIT.h: (JSC::SpecializedThunkJIT::returnDouble): (JSC::SpecializedThunkJIT::tagReturnAsInt32):
* runtime/JSValue.cpp: (JSC::JSValue::description):
* runtime/JSValue.h: Define JSVALUE64 EncodedJSValue as int64_t, which is also unified with JSVALUE32_64. (JSC):
* runtime/JSValueInlineMethods.h: New implementation of some JSValue methods to make them more conformant with the new rule that "JSValue is a 64-bit integer rather than a pointer" for JSVALUE64 platforms. (JSC): (JSC::JSValue::JSValue): (JSC::JSValue::operator bool): (JSC::JSValue::operator==): (JSC::JSValue::operator!=): (JSC::reinterpretDoubleToInt64): (JSC::reinterpretInt64ToDouble): (JSC::JSValue::asDouble):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@131858 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 17 Sep, 2012 1 commit
fpizlo@apple.com authored
If a prototype has indexed setters and its instances have indexed storage, then all put_by_val's should have a bad time
https://bugs.webkit.org/show_bug.cgi?id=96596
Reviewed by Gavin Barraclough.

Source/JavaScriptCore:

Added comprehensive support for accessors and read-only indexed properties on the prototype chain. This is done without any performance regression on benchmarks that we're aware of, by having the entire VM's strategy with respect to arrays tilted heavily in favor of:

- The prototype chain of JSArrays never having any accessors or read-only indexed properties. If that changes, you're going to have a bad time.
- Prototypes of non-JSArray objects either having no indexed accessors or read-only indexed properties, or, having those indexed accessor thingies inserted before any instance object (i.e. object with that prototype as its prototype) is created. If you add indexed accessors or read-only indexed properties to an object that is already used as a prototype, you're going to have a bad time.

See below for the exact definition of having a bad time.

Put another way, "fair" uses of indexed accessors and read-only indexed properties are:

- Put indexed accessors and read-only indexed properties on an object that is never used as a prototype. This will slow down accesses to that object, but will not have any effect on any other object.
- Put those indexed accessor thingies on an object before it is used as a prototype and then start instantiating objects that claim that object as their prototype. This will slightly slow down indexed stores to the instance objects, and greatly slow down all indexed accesses to the prototype, but will have no other effect.

In short, "fair" uses only affect the object itself and any instance objects. But if you start using indexed accessors in more eclectic ways, you're going to have a bad time.

Specifically, if an object that may be used as a prototype has an indexed accessor added, the VM performs a whole-heap scan to find all objects that belong to the same global object as the prototype you modified. If any of those objects has indexed storage, their indexed storage is put into slow-put mode, just as if their prototype chain had indexed accessors. This will happen even for objects that do not currently have indexed accessors in their prototype chain. As well, all JSArray allocations are caused to create arrays with slow-put storage, and all future allocations of indexed storage for non-JSArray objects are also flipped to slow-put mode.

Note there are two aspects to having a bad time: (i) the whole-heap scan and (ii) the poisoning of all indexed storage in the entire global object.

(i) is necessary for correctness. If we detect that an object that may be used as a prototype has had an indexed accessor or indexed read-only property inserted into it, then we need to ensure that henceforth all instances of that object inspect the prototype chain whenever an indexed hole is stored to. But by default, indexed stores do no such checking because doing so would be unnecessarily slow. So, we must find all instances of the affected object and flip them into a different array storage mode that omits all hole optimizations. Since prototypes never keep a list of instance objects, the only way to find those objects is a whole-heap scan.

But (i) alone would be a potential disaster, if a program frequently allocated an object without indexed accessors, then allocated a bunch of objects that used that one as their prototype, and then added indexed accessors to the prototype. So, to prevent massive heap scan storms in such awkward programs, having a bad time also implies (ii): henceforth *all* objects belonging to that global object will use slow put indexed storage, so that we don't ever have to scan the heap again.

Note that here we are using the global object as just an approximation of a program module; it may be worth investigating in the future if other approximations can be used instead.

* bytecode/ArrayProfile.h: (JSC): (JSC::arrayModeFromStructure):
* dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::execute):
* dfg/DFGArrayMode.cpp: (JSC::DFG::fromObserved): (JSC::DFG::modeAlreadyChecked): (JSC::DFG::modeToString):
* dfg/DFGArrayMode.h: (DFG): (JSC::DFG::isSlowPutAccess):
* dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::checkArray):
* dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile):
* jit/JIT.h:
* jit/JITInlineMethods.h: (JSC::JIT::emitAllocateJSArray):
* jit/JITOpcodes.cpp: (JSC::JIT::emit_op_new_array):
* runtime/ArrayPrototype.cpp: (JSC::ArrayPrototype::finishCreation): (JSC::arrayProtoFuncSort):
* runtime/IndexingType.h: (JSC): (JSC::hasIndexedProperties): (JSC::hasIndexingHeader): (JSC::hasArrayStorage): (JSC::shouldUseSlowPut):
* runtime/JSArray.cpp: (JSC::JSArray::pop): (JSC::JSArray::push): (JSC::JSArray::fillArgList): (JSC::JSArray::copyToArguments):
* runtime/JSArray.h: (JSC::JSArray::createStructure):
* runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::JSGlobalObject): (JSC::JSGlobalObject::reset): (JSC): (JSC::JSGlobalObject::haveABadTime):
* runtime/JSGlobalObject.h: (JSGlobalObject): (JSC::JSGlobalObject::addressOfArrayStructure): (JSC::JSGlobalObject::havingABadTimeWatchpoint): (JSC::JSGlobalObject::isHavingABadTime):
* runtime/JSObject.cpp: (JSC::JSObject::visitButterfly): (JSC::JSObject::getOwnPropertySlotByIndex): (JSC::JSObject::put): (JSC::JSObject::putByIndex): (JSC::JSObject::enterDictionaryIndexingMode): (JSC::JSObject::notifyPresenceOfIndexedAccessors): (JSC): (JSC::JSObject::createArrayStorage): (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode): (JSC::JSObject::switchToSlowPutArrayStorage): (JSC::JSObject::setPrototype): (JSC::JSObject::resetInheritorID): (JSC::JSObject::inheritorID): (JSC::JSObject::allowsAccessFrom): (JSC::JSObject::deletePropertyByIndex): (JSC::JSObject::getOwnPropertyNames): (JSC::JSObject::unwrappedGlobalObject): (JSC::JSObject::notifyUsedAsPrototype): (JSC::JSObject::createInheritorID): (JSC::JSObject::defineOwnIndexedProperty): (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype): (JSC::JSObject::attemptToInterceptPutByIndexOnHole): (JSC::JSObject::putByIndexBeyondVectorLength): (JSC::JSObject::putDirectIndexBeyondVectorLength): (JSC::JSObject::getNewVectorLength): (JSC::JSObject::getOwnPropertyDescriptor):
* runtime/JSObject.h: (JSC::JSObject::mayBeUsedAsPrototype): (JSObject): (JSC::JSObject::mayInterceptIndexedAccesses): (JSC::JSObject::getArrayLength): (JSC::JSObject::getVectorLength): (JSC::JSObject::canGetIndexQuickly): (JSC::JSObject::getIndexQuickly): (JSC::JSObject::canSetIndexQuickly): (JSC::JSObject::setIndexQuickly): (JSC::JSObject::initializeIndex): (JSC::JSObject::completeInitialization): (JSC::JSObject::inSparseIndexingMode): (JSC::JSObject::arrayStorage): (JSC::JSObject::arrayStorageOrNull): (JSC::JSObject::ensureArrayStorage): (JSC): (JSC::JSValue::putByIndex):
* runtime/JSValue.cpp: (JSC::JSValue::putToPrimitive): (JSC::JSValue::putToPrimitiveByIndex): (JSC):
* runtime/JSValue.h: (JSValue):
* runtime/ObjectPrototype.cpp: (JSC::ObjectPrototype::finishCreation):
* runtime/SparseArrayValueMap.cpp: (JSC::SparseArrayValueMap::putEntry): (JSC::SparseArrayEntry::put): (JSC):
* runtime/SparseArrayValueMap.h: (JSC): (SparseArrayEntry):
* runtime/Structure.cpp: (JSC::Structure::anyObjectInChainMayInterceptIndexedAccesses): (JSC): (JSC::Structure::suggestedIndexingTransition):
* runtime/Structure.h: (Structure): (JSC::Structure::mayInterceptIndexedAccesses):
* runtime/StructureTransitionTable.h: (JSC::newIndexingType):

LayoutTests:

Removed failing expectation for primitive-property-access-edge-cases, and added more tests to cover the numerical-setter-on-prototype cases.

* fast/js/array-bad-time-expected.txt: Added.
* fast/js/array-bad-time.html: Added.
* fast/js/array-slow-put-expected.txt: Added.
* fast/js/array-slow-put.html: Added.
* fast/js/cross-frame-bad-time-expected.txt: Added.
* fast/js/cross-frame-bad-time.html: Added.
* fast/js/jsc-test-list:
* fast/js/object-bad-time-expected.txt: Added.
* fast/js/object-bad-time.html: Added.
* fast/js/object-slow-put-expected.txt: Added.
* fast/js/object-slow-put.html: Added.
* fast/js/script-tests/array-bad-time.js: Added.
* fast/js/script-tests/array-slow-put.js: Added. (foo):
* fast/js/script-tests/cross-frame-bad-time.js: Added. (foo):
* fast/js/script-tests/object-bad-time.js: Added. (Cons):
* fast/js/script-tests/object-slow-put.js: Added. (Cons): (foo):
* platform/mac/fast/js/primitive-property-access-edge-cases-expected.txt: Removed.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128802 268f45cc-cd09-0410-ab3c-d52691b4dbfc
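The language-level behaviour that the slow-put machinery above exists to preserve, as an added JavaScript example (not part of the commit or of WebKit's layout tests): a store into an indexed hole of an instance must consult the prototype chain for indexed setters and read-only indexed properties, whether the interceptor was installed before or after the instance was created, and Array.prototype is on every array's chain.

```javascript
// Added example, not WebKit code: the observable semantics that the
// "bad time" heap scan and slow-put array storage guarantee. Each case
// returns plain values so the outcome can be checked programmatically.

// Case 1 ("fair" use): accessor installed on the prototype before any
// instance exists. A store into a hole at that index goes to the setter;
// a store at an index with no interceptor becomes an own property.
function setterBeforeInstantiation() {
  const log = [];
  const proto = {};
  Object.defineProperty(proto, 0, { set(v) { log.push(v); }, configurable: true });
  const o = Object.create(proto);
  o[0] = 'a';                       // hole on o: intercepted by proto's setter
  o[1] = 'b';                       // nothing at 1 on the chain: own property
  return {
    log,
    own0: Object.prototype.hasOwnProperty.call(o, 0),
    own1: o[1],
  };
}

// Case 2 ("eclectic" use): the accessor is added after instances exist.
// The commit handles this with the whole-heap scan that flips existing
// instances to slow-put storage; behaviour must match case 1. An index
// that already holds an own property is NOT intercepted.
function setterAfterInstantiation() {
  const log = [];
  const proto = {};
  const a = Object.create(proto);
  const b = Object.create(proto);
  a[5] = 'pre';                     // own property, stored before any interceptor
  Object.defineProperty(proto, 5, { set(v) { log.push(v); }, configurable: true });
  Object.defineProperty(proto, 6, { set(v) { log.push(v); }, configurable: true });
  a[5] = 'x';                       // own property exists: ordinary store
  b[5] = 'y';                       // hole: intercepted
  b[6] = 'z';                       // hole: intercepted
  return {
    log,
    own5: a[5],
    bHasOwn5: Object.prototype.hasOwnProperty.call(b, 5),
  };
}

// Case 3: read-only indexed property on the prototype. A store into the
// matching hole must fail (TypeError in strict code) instead of
// creating an own property that shadows the read-only one.
function readOnlyOnPrototype() {
  'use strict';
  const proto = {};
  Object.defineProperty(proto, 2, { value: 'locked', writable: false });
  const o = Object.create(proto);
  let threw = false;
  try {
    o[2] = 'overwrite';
  } catch (e) {
    threw = e instanceof TypeError;
  }
  return { threw, value: o[2], own: Object.prototype.hasOwnProperty.call(o, 2) };
}

// Case 4: JSArray instances. Array.prototype is on every array's chain,
// so an indexed accessor there affects every array with a hole at that
// index. That is why the commit makes this a "bad time" for all arrays.
function accessorOnArrayPrototype() {
  const log = [];
  Object.defineProperty(Array.prototype, 3, { set(v) { log.push(v); }, configurable: true });
  try {
    const arr = [0, 1, 2];
    arr[3] = 'hole';                // index 3 is a hole: setter runs, no own element
    const dense = [0, 1, 2, 3];
    dense[3] = 'own';               // own element exists: ordinary store
    return {
      log,
      arrLen: arr.length,
      arrHasOwn3: Object.prototype.hasOwnProperty.call(arr, 3),
      dense3: dense[3],
    };
  } finally {
    delete Array.prototype[3];      // restore the shared prototype
  }
}
```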
- 01 Sep, 2012 1 commit
commit-queue@webkit.org authored
https://bugs.webkit.org/show_bug.cgi?id=91052.
Patch by Mark Lam <mark.lam@apple.com> on 2012-09-01
Reviewed by Filip Pizlo.

Source/JavaScriptCore:

* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.cpp: (JSC::CodeBlock::dump): (JSC::CodeBlock::bytecodeOffset):
* interpreter/Interpreter.cpp: (JSC::Interpreter::execute): (JSC::Interpreter::executeCall): (JSC::Interpreter::executeConstruct): (JSC):
* interpreter/Interpreter.h:
* jit/JITStubs.h: (JITStackFrame): (JSC):
* llint/LLIntCLoop.cpp: Added. (JSC): (LLInt): (JSC::LLInt::CLoop::initialize): (JSC::LLInt::CLoop::catchRoutineFor): (JSC::LLInt::CLoop::hostCodeEntryFor): (JSC::LLInt::CLoop::jsCodeEntryWithArityCheckFor): (JSC::LLInt::CLoop::jsCodeEntryFor):
* llint/LLIntCLoop.h: Added. (JSC): (LLInt): (CLoop):
* llint/LLIntData.cpp: (JSC::LLInt::initialize):
* llint/LLIntData.h: (JSC):
* llint/LLIntOfflineAsmConfig.h:
* llint/LLIntOpcode.h:
* llint/LLIntThunks.cpp: (LLInt):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter.cpp: (LLInt): (JSC::LLInt::Ints2Double): (JSC): (JSC::CLoop::execute):
* llint/LowLevelInterpreter.h: (JSC):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/asm.rb:
* offlineasm/backends.rb:
* offlineasm/cloop.rb: Added.
* offlineasm/instructions.rb:
* runtime/Executable.h: (ExecutableBase): (JSC::ExecutableBase::hostCodeEntryFor): (JSC::ExecutableBase::jsCodeEntryFor): (JSC::ExecutableBase::jsCodeWithArityCheckEntryFor): (JSC::ExecutableBase::catchRoutineFor): (NativeExecutable):
* runtime/JSValue.h: (JSC): (LLInt): (JSValue):
* runtime/JSValueInlineMethods.h: (JSC): (JSC::JSValue::JSValue):
* runtime/Options.cpp: (JSC::Options::initialize):

Source/WTF:

Added configs for the llint C loop backend.

* wtf/Platform.h:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127374 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 30 Aug, 2012 1 commit
benjamin@webkit.org authored
https://bugs.webkit.org/show_bug.cgi?id=95271
Patch by Benjamin Poulain <bpoulain@apple.com> on 2012-08-30
Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

Having JSC::UString and WTF::String increases the complexity of working on WebKit, and adds useless conversions in the bindings. It also causes some code bloat.

The performance advantages of UString have been ported over in previous patches. This patch is the last step: getting rid of UString.

In addition to the simplified code, this also reduces the binary size by 15kb on x86_64.

* API/OpaqueJSString.cpp: (OpaqueJSString::ustring):
* runtime/Identifier.h: (JSC::Identifier::ustring): To avoid changing everything at once, the functions named ustring() were kept as is. They will be renamed in a follow up patch.
* runtime/JSString.h: (JSC::JSString::string): (JSC::JSValue::toWTFString): (JSC::inlineJSValueNotStringtoString): (JSC::JSValue::toWTFStringInline): Since JSValue::toString() already exists (and returns the JSString), the direct accessor is renamed to ::toWTFString(). We may change ::string() to ::jsString() and ::toWTFString() to ::toString() in the future.
* runtime/StringPrototype.cpp: (JSC::substituteBackreferencesSlow): Replace the use of UString::getCharacters<>() by String::getCharactersWithUpconvert<>().

Source/WebCore:

Update the code to use String instead of UString. On x86_64, this reduces the binary size by 22kb.

Since it is no longer possible to differentiate JSC::jsString() and WebCore::jsString() by the input types, WebCore::jsString() is renamed to WebCore::jsStringWithCache().

Since the cache is using a PtrHash, JSC::jsString() is used in place of the old WebCore::jsString() when the string is generated locally. This is because the cache can never match in those cases.

Source/WebKit/blackberry:

Replace UString by String.

* WebCoreSupport/ClientExtension.cpp:
* WebCoreSupport/PagePopupBlackBerry.cpp: (WebCore::PagePopupBlackBerry::installDomFunction):

Source/WebKit/efl:

Replace UString by String.

* WebCoreSupport/DumpRenderTreeSupportEfl.cpp: (DumpRenderTreeSupportEfl::sendWebIntentResponse):
* ewk/ewk_frame.cpp: (ewk_frame_script_execute):

Source/WebKit/gtk:

Replace UString by String.

* gdom/ConvertToGCharPrivate.h: (copyAsGchar):

Source/WebKit/mac:

Get rid of UString, replace it by String, and simplify the code when possible. On x86_64, this reduces the binary size by 7kb.

* Plugins/Hosted/NetscapePluginHostProxy.mm: (identifierFromIdentifierRep):
* Plugins/Hosted/NetscapePluginInstanceProxy.mm: (WebKit::NetscapePluginInstanceProxy::addValueToArray): (WebKit::NetscapePluginInstanceProxy::moveGlobalExceptionToExecState):
* Plugins/Hosted/ProxyInstance.mm: (WebKit::ProxyRuntimeMethod::create): (WebKit::ProxyRuntimeMethod::finishCreation): (WebKit::ProxyInstance::getPropertyNames): (WebKit::ProxyInstance::methodsNamed): (WebKit::ProxyInstance::fieldNamed):
* WebView/WebFrame.mm: (-[WebFrame _stringByEvaluatingJavaScriptFromString:forceUserGesture:]): (-[WebFrame _stringByEvaluatingJavaScriptFromString:withGlobalObject:inScriptWorld:]):
* WebView/WebScriptDebugDelegate.mm: (-[WebScriptCallFrame functionName]): (-[WebScriptCallFrame evaluateWebScript:]):
* WebView/WebScriptDebugger.h: (WTF): (JSC): (WebScriptDebugger):
* WebView/WebScriptDebugger.mm: (toNSURL): (WebScriptDebugger::sourceParsed):
* WebView/WebView.mm: (aeDescFromJSValue):

Source/WebKit/qt:

Replace UString by String.

* Api/qwebelement.cpp: (QWebElement::evaluateJavaScript):

Source/WebKit/win:

Replace UString by String.

* WebFrame.cpp: (WebFrame::stringByEvaluatingJavaScriptInScriptWorld):
* WebView.cpp: (WebView::stringByEvaluatingJavaScriptFromString):

Source/WebKit/wx:

Update the #includes to use the correct types.

* WebFrame.cpp:
* WebView.cpp:

Source/WebKit2:

Update the code to switch from UString to String.

* WebProcess/Plugins/Netscape/JSNPMethod.cpp: (WebKit::JSNPMethod::finishCreation):
* WebProcess/Plugins/Netscape/JSNPMethod.h: (WebKit::JSNPMethod::create): (JSNPMethod):
* WebProcess/Plugins/Netscape/JSNPObject.cpp: (WebKit::npIdentifierFromIdentifier):
* WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp: (WebKit::NPRuntimeObjectMap::evaluate): (WebKit::NPRuntimeObjectMap::moveGlobalExceptionToExecState):

Source/WTF:

* wtf/Platform.h: Useless edit to force a full build. This is needed for some bots for some reason.
* wtf/text/WTFString.h: Export a symbol that was exported on UString and needed in WebCore. Add String::getCharactersWithUpconvert<>(), which is similar to String::getCharacters<>() but with the same behaviors as UString::getCharacters<>(). String::getCharactersWithUpconvert<>() is useful when manipulating multiple strings; it allows writing code using 16-bit characters if any of the input Strings is not 8-bit.

Tools:

Get rid of UString.

* DumpRenderTree/efl/WorkQueueItemEfl.cpp:
* gdb/webkit.py: (WTFStringPrinter.to_string): (JSCIdentifierPrinter.to_string): (JSCJSStringPrinter.to_string): (add_pretty_printers):

Websites/webkit.org:

Update the coding style to avoid mentioning a class that no longer exists.

* coding/coding-style.html:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127191 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 29 Aug, 2012 1 commit
barraclough@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=95316.
Patch by Mark Lam <mark.lam@apple.com> on 2012-08-29
Reviewed by Geoff Garen.

This change allows its opcodeMap to be easily queried from any function without needing to go through a GlobalData object. It also introduces the LLInt::getCodePtr() methods that will be used by the LLInt C loop later to redefine how llint symbols (opcodes and trampoline glue labels) get resolved.

* assembler/MacroAssemblerCodeRef.h: (MacroAssemblerCodePtr): (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): (MacroAssemblerCodeRef): (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
* bytecode/CodeBlock.cpp: (JSC::CodeBlock::adjustPCIfAtCallSite): (JSC::CodeBlock::bytecodeOffset):
* bytecode/Opcode.h: Remove the 'const' to simplify things and avoid having to do additional casts and #ifdefs in many places.
* bytecode/ResolveGlobalStatus.cpp: (JSC::computeForLLInt):
* bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::generate):
* interpreter/Interpreter.cpp: (JSC::Interpreter::initialize):
* interpreter/Interpreter.h: (Interpreter):
* jit/JITExceptions.cpp: (JSC::genericThrow):
* llint/LLIntData.cpp: (LLInt): (JSC::LLInt::initialize):
* llint/LLIntData.h: (JSC): (LLInt): (Data): (JSC::LLInt::exceptionInstructions): (JSC::LLInt::opcodeMap): (JSC::LLInt::getOpcode): (JSC::LLInt::getCodePtr): (JSC::LLInt::Data::performAssertions):
* llint/LLIntExceptions.cpp: (JSC::LLInt::returnToThrowForThrownException): (JSC::LLInt::returnToThrow): (JSC::LLInt::callToThrow):
* llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): (JSC::LLInt::handleHostCall):
* runtime/InitializeThreading.cpp: (JSC::initializeThreadingOnce): Initialize the singleton LLInt data.
* runtime/JSGlobalData.cpp: (JSC::JSGlobalData::JSGlobalData):
* runtime/JSGlobalData.h: (JSGlobalData): Removed the now unneeded LLInt::Data instance in JSGlobalData.
* runtime/JSValue.h: (JSValue):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127068 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 23 Aug, 2012 1 commit
mhahnenberg@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=93884
Reviewed by Filip Pizlo.

Source/JavaScriptCore:

With some upcoming changes to the DFG to remove uses of ClassInfo, we will be changing the behavior of MasqueradesAsUndefined. In order to make this change consistent across all of our execution engines, we will make this change to MasqueradesAsUndefined as a separate patch. After this patch, MasqueradesAsUndefined objects will only masquerade as undefined in their original context (i.e. their original JSGlobalObject). For example, if an object that masquerades as undefined in frame A is passed to frame B, it will not masquerade as undefined within frame B, but it will continue to masquerade in frame A.

There are two primary changes that are taking place here. One is to thread the ExecState* through JSValue::toBoolean and JSCell::toBoolean so that JSCell::toBoolean can check the object's JSGlobalObject to compare it to the lexical JSGlobalObject of the currently running code. If the two are distinct, then the object cannot MasqueradeAsUndefined.

The other change is to perform this comparison of JSGlobalObjects everywhere where the MasqueradesAsUndefined flag in the Structure is checked. For C++ code, this check has been factored into its own function in Structure::masqueradesAsUndefined. We only perform this check in the DFG if the current JSGlobalObject has had a MasqueradesAsUndefined object allocated within its context. This conditional compilation is managed through the use of a WatchpointSet in each JSGlobalObject and alternate create() functions for JS DOM wrappers that are MasqueradesAsUndefined.

* API/JSValueRef.cpp: (JSValueToBoolean):
* JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
* bytecode/Watchpoint.h: (WatchpointSet):
* debugger/DebuggerCallFrame.h: (JSC::DebuggerCallFrame::callFrame):
* dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::execute):
* dfg/DFGCFGSimplificationPhase.cpp: (JSC::DFG::CFGSimplificationPhase::run):
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): (JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): (JSC::DFG::SpeculativeJIT::compile):
* interpreter/Interpreter.cpp: (JSC::Interpreter::privateExecute):
* jit/JITOpcodes.cpp: (JSC::JIT::emit_op_is_undefined): (JSC::JIT::emit_op_jeq_null): (JSC::JIT::emit_op_jneq_null): (JSC::JIT::emit_op_eq_null): (JSC::JIT::emit_op_neq_null):
* jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_is_undefined): (JSC::JIT::emit_op_jeq_null): (JSC::JIT::emit_op_jneq_null): (JSC::JIT::emit_op_eq_null): (JSC::JIT::emit_op_neq_null):
* jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION):
* llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncFilter): (JSC::arrayProtoFuncEvery): (JSC::arrayProtoFuncSome):
* runtime/BooleanConstructor.cpp: (JSC::constructBoolean): (JSC::callBooleanConstructor):
* runtime/JSCell.h: (JSCell):
* runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::JSGlobalObject):
* runtime/JSGlobalObject.h: (JSGlobalObject): (JSC::JSGlobalObject::masqueradesAsUndefinedWatchpoint):
* runtime/JSString.h: (JSC::JSCell::toBoolean): (JSC::JSValue::toBoolean):
* runtime/JSValue.h:
* runtime/ObjectConstructor.cpp: (JSC::toPropertyDescriptor):
* runtime/Operations.cpp: (JSC::jsTypeStringForValue): (JSC::jsIsObjectType):
* runtime/Operations.h: (JSC): (JSC::JSValue::equalSlowCaseInline):
* runtime/RegExpConstructor.cpp: (JSC::setRegExpConstructorMultiline):
* runtime/RegExpPrototype.cpp: (JSC::regExpProtoFuncToString):
* runtime/Structure.h: (Structure): (JSC::Structure::globalObjectOffset): (JSC::Structure::masqueradesAsUndefined): (JSC):

Source/WebCore:

With some upcoming changes to the DFG to remove uses of ClassInfo, we will be changing the behavior of MasqueradesAsUndefined. In order to make this change consistent across all of our execution engines, we will make this change to MasqueradesAsUndefined as a separate patch. After this patch, MasqueradesAsUndefined objects will only masquerade as undefined in their original context (i.e. their original JSGlobalObject). For example, if an object that masquerades as undefined in frame A is passed to frame B, it will not masquerade as undefined within frame B, but it will continue to masquerade in frame A.

Test: fast/js/document-all-between-frames.html

All of the changes in WebCore are simply passing the additional ExecState argument to JSValue::toBoolean.

* bindings/js/JSCustomSQLStatementErrorCallback.cpp: (WebCore::JSSQLStatementErrorCallback::handleEvent):
* bindings/js/JSDOMWindowCustom.cpp: (WebCore::JSDOMWindow::addEventListener): (WebCore::JSDOMWindow::removeEventListener):
* bindings/js/JSDataViewCustom.cpp: (WebCore::getDataViewMember):
* bindings/js/JSDeviceMotionEventCustom.cpp: (WebCore::JSDeviceMotionEvent::initDeviceMotionEvent):
* bindings/js/JSDeviceOrientationEventCustom.cpp: (WebCore::JSDeviceOrientationEvent::initDeviceOrientationEvent):
* bindings/js/JSDictionary.cpp: (WebCore::JSDictionary::convertValue):
* bindings/js/JSHTMLCanvasElementCustom.cpp: (WebCore::JSHTMLCanvasElement::getContext):
* bindings/js/JSInspectorFrontendHostCustom.cpp: (WebCore::populateContextMenuItems):
* bindings/js/JSMessageEventCustom.cpp: (WebCore::handleInitMessageEvent):
* bindings/js/JSWebGLRenderingContextCustom.cpp: (WebCore::dataFunctionMatrix):
* bindings/js/JSXMLHttpRequestCustom.cpp: (WebCore::JSXMLHttpRequest::open):
* bindings/js/JavaScriptCallFrame.cpp: (WebCore::JavaScriptCallFrame::exec): (WebCore):
* bindings/js/JavaScriptCallFrame.h: (JavaScriptCallFrame):
* bindings/js/ScriptDebugServer.cpp: (WebCore::ScriptDebugServer::hasBreakpoint):
* bindings/js/SerializedScriptValue.cpp: (WebCore::CloneSerializer::dumpIfTerminal):
* bindings/scripts/CodeGeneratorJS.pm: Also add the custom create function for MasqueradesAsUndefined JS DOM wrappers.
(GenerateEventListenerCall): (GenerateHeader): (JSValueToNative): * bindings/scripts/test/JS/JSTestEventTarget.cpp: (WebCore::jsTestEventTargetPrototypeFunctionAddEventListener): (WebCore::jsTestEventTargetPrototypeFunctionRemoveEventListener): * bindings/scripts/test/JS/JSTestEventTarget.h: (WebCore::JSTestEventTarget::create): * bindings/scripts/test/JS/JSTestObj.cpp: (WebCore::setJSTestObjCreate): (WebCore::setJSTestObjReflectedBooleanAttr): (WebCore::setJSTestObjReflectedCustomBooleanAttr): (WebCore::jsTestObjPrototypeFunctionAddEventListener): (WebCore::jsTestObjPrototypeFunctionRemoveEventListener): * bridge/c/c_utility.cpp: (JSC::Bindings::convertValueToNPVariant): * bridge/jni/jni_jsobject.mm: (JavaJSObject::convertValueToJObject): * bridge/qt/qt_runtime.cpp: (JSC::Bindings::convertValueToQVariant): Source/WebKit/mac: With some upcoming changes to the DFG to remove uses of ClassInfo, we will be changing the behavior of MasqueradesAsUndefined. In order to make this change consistent across all of our execution engines, we will make this change to MasqueradesAsUndefined as a separate patch. After this patch, MasqueradesAsUndefined objects will only masquerade as undefined in their original context (i.e. their original JSGlobalObject). For example, if an object that masquerades as undefined in frame A is passed to frame B, it will not masquerade as undefined within frame B, but it will continue to masquerade in frame A. * Plugins/Hosted/NetscapePluginInstanceProxy.mm: (WebKit::NetscapePluginInstanceProxy::addValueToArray): Passing ExecState to toBoolean call. Source/WebKit2: With some upcoming changes to the DFG to remove uses of ClassInfo, we will be changing the behavior of MasqueradesAsUndefined. In order to make this change consistent across all of our execution engines, we will make this change to MasqueradesAsUndefined as a separate patch. After this patch, MasqueradesAsUndefined objects will only masquerade as undefined in their original context (i.e. 
their original JSGlobalObject). For example, if an object that masquerades as undefined in frame A is passed to frame B, it will not masquerade as undefined within frame B, but it will continue to masquerade in frame A. * WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp: (WebKit::NPRuntimeObjectMap::convertJSValueToNPVariant): Passing ExecState to toBoolean call. LayoutTests: Added a test that uses a variety of ways of checking whether something is correctly masquerading as undefined (or not) in a subframe. * fast/js/document-all-between-frames-expected.txt: Added. * fast/js/document-all-between-frames.html: Added. * fast/js/resources/document-all-between-frames-subframe.html: Added. * platform/chromium/TestExpectations: Chromium treats document.all differently, so skip our new test. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@126494 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 15 Aug, 2012 2 commits
commit-queue@webkit.org authored
http://trac.webkit.org/changeset/125687
https://bugs.webkit.org/show_bug.cgi?id=94147

It broke the whole world (Requested by Ossy_night on #webkit).

Patch by Sheriff Bot <webkit.review.bot@gmail.com> on 2012-08-15

Source/JavaScriptCore:

* API/JSValueRef.cpp: (JSValueToBoolean):
* JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
* bytecode/Watchpoint.h: (WatchpointSet):
* debugger/DebuggerCallFrame.h:
* dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::execute):
* dfg/DFGCFGSimplificationPhase.cpp: (JSC::DFG::CFGSimplificationPhase::run):
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): (JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): (JSC::DFG::SpeculativeJIT::compile):
* interpreter/Interpreter.cpp: (JSC::Interpreter::privateExecute):
* jit/JITOpcodes.cpp: (JSC::JIT::emit_op_is_undefined): (JSC::JIT::emit_op_jeq_null): (JSC::JIT::emit_op_jneq_null): (JSC::JIT::emit_op_eq_null): (JSC::JIT::emit_op_neq_null):
* jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_is_undefined): (JSC::JIT::emit_op_jeq_null): (JSC::JIT::emit_op_jneq_null): (JSC::JIT::emit_op_eq_null): (JSC::JIT::emit_op_neq_null):
* jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION):
* llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncFilter): (JSC::arrayProtoFuncEvery): (JSC::arrayProtoFuncSome):
* runtime/BooleanConstructor.cpp: (JSC::constructBoolean): (JSC::callBooleanConstructor):
* runtime/JSCell.h: (JSCell):
* runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::JSGlobalObject):
* runtime/JSGlobalObject.h: (JSGlobalObject):
* runtime/JSString.h: (JSC::JSCell::toBoolean): (JSC::JSValue::toBoolean):
* runtime/JSValue.h:
* runtime/ObjectConstructor.cpp: (JSC::toPropertyDescriptor):
* runtime/Operations.cpp: (JSC::jsTypeStringForValue): (JSC::jsIsObjectType):
* runtime/Operations.h: (JSC): (JSC::JSValue::equalSlowCaseInline):
* runtime/RegExpConstructor.cpp: (JSC::setRegExpConstructorMultiline):
* runtime/RegExpPrototype.cpp: (JSC::regExpProtoFuncToString):
* runtime/Structure.h:

Source/WebCore:

* bindings/js/JSCustomSQLStatementErrorCallback.cpp: (WebCore::JSSQLStatementErrorCallback::handleEvent):
* bindings/js/JSDOMWindowCustom.cpp: (WebCore::JSDOMWindow::addEventListener): (WebCore::JSDOMWindow::removeEventListener):
* bindings/js/JSDataViewCustom.cpp: (WebCore::getDataViewMember):
* bindings/js/JSDeviceMotionEventCustom.cpp: (WebCore::JSDeviceMotionEvent::initDeviceMotionEvent):
* bindings/js/JSDeviceOrientationEventCustom.cpp: (WebCore::JSDeviceOrientationEvent::initDeviceOrientationEvent):
* bindings/js/JSDictionary.cpp: (WebCore::JSDictionary::convertValue):
* bindings/js/JSDirectoryEntryCustom.cpp: (WebCore::JSDirectoryEntry::getFile): (WebCore::JSDirectoryEntry::getDirectory):
* bindings/js/JSDirectoryEntrySyncCustom.cpp: (WebCore::getFlags):
* bindings/js/JSHTMLCanvasElementCustom.cpp: (WebCore::JSHTMLCanvasElement::getContext):
* bindings/js/JSInspectorFrontendHostCustom.cpp: (WebCore::populateContextMenuItems):
* bindings/js/JSMessageEventCustom.cpp: (WebCore::handleInitMessageEvent):
* bindings/js/JSWebGLRenderingContextCustom.cpp: (WebCore::dataFunctionMatrix):
* bindings/js/JSXMLHttpRequestCustom.cpp: (WebCore::JSXMLHttpRequest::open):
* bindings/js/JavaScriptCallFrame.cpp:
* bindings/js/JavaScriptCallFrame.h: (JavaScriptCallFrame):
* bindings/js/ScriptDebugServer.cpp: (WebCore::ScriptDebugServer::hasBreakpoint):
* bindings/scripts/CodeGeneratorJS.pm: (GenerateEventListenerCall): (GenerateHeader): (JSValueToNative):
* bindings/scripts/test/JS/JSTestEventTarget.cpp: (WebCore::jsTestEventTargetPrototypeFunctionAddEventListener): (WebCore::jsTestEventTargetPrototypeFunctionRemoveEventListener):
* bindings/scripts/test/JS/JSTestEventTarget.h: (WebCore::JSTestEventTarget::create):
* bindings/scripts/test/JS/JSTestObj.cpp: (WebCore::setJSTestObjCreate): (WebCore::setJSTestObjReflectedBooleanAttr): (WebCore::setJSTestObjReflectedCustomBooleanAttr): (WebCore::jsTestObjPrototypeFunctionAddEventListener): (WebCore::jsTestObjPrototypeFunctionRemoveEventListener):
* bridge/c/c_utility.cpp: (JSC::Bindings::convertValueToNPVariant):
* bridge/jni/jni_jsobject.mm: (JavaJSObject::convertValueToJObject):
* bridge/qt/qt_runtime.cpp: (JSC::Bindings::convertValueToQVariant):

Source/WebKit/mac:

* Plugins/Hosted/NetscapePluginInstanceProxy.mm: (WebKit::NetscapePluginInstanceProxy::addValueToArray):

Source/WebKit2:

* WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp: (WebKit::NPRuntimeObjectMap::convertJSValueToNPVariant):

LayoutTests:

* fast/js/document-all-between-frames-expected.txt: Removed.
* fast/js/document-all-between-frames.html: Removed.
* fast/js/resources/document-all-between-frames-subframe.html: Removed.
* platform/chromium/TestExpectations:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@125711 268f45cc-cd09-0410-ab3c-d52691b4dbfc
mhahnenberg@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=93884

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

With some upcoming changes to the DFG to remove uses of ClassInfo, we will be changing the behavior of MasqueradesAsUndefined. In order to make this change consistent across all of our execution engines, we will make this change to MasqueradesAsUndefined as a separate patch. After this patch, MasqueradesAsUndefined objects will only masquerade as undefined in their original context (i.e. their original JSGlobalObject). For example, if an object that masquerades as undefined in frame A is passed to frame B, it will not masquerade as undefined within frame B, but it will continue to masquerade in frame A.

There are two primary changes that are taking place here. One is to thread the ExecState* through JSValue::toBoolean and JSCell::toBoolean so that JSCell::toBoolean can check the object's JSGlobalObject to compare it to the lexical JSGlobalObject of the currently running code. If the two are distinct, then the object cannot MasqueradeAsUndefined. The other change is to perform this comparison of JSGlobalObjects everywhere where the MasqueradesAsUndefined flag in the Structure is checked. For C++ code, this check has been factored into its own function in Structure::masqueradesAsUndefined. We only perform this check in the DFG if the current JSGlobalObject has had a MasqueradesAsUndefined object allocated within its context. This conditional compilation is managed through the use of a WatchpointSet in each JSGlobalObject and alternate create() functions for JS DOM wrappers that are MasqueradesAsUndefined.

* API/JSValueRef.cpp: (JSValueToBoolean):
* JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
* bytecode/Watchpoint.h: (WatchpointSet):
* debugger/DebuggerCallFrame.h: (JSC::DebuggerCallFrame::callFrame):
* dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::execute):
* dfg/DFGCFGSimplificationPhase.cpp: (JSC::DFG::CFGSimplificationPhase::run):
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): (JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): (JSC::DFG::SpeculativeJIT::compile):
* interpreter/Interpreter.cpp: (JSC::Interpreter::privateExecute):
* jit/JITOpcodes.cpp: (JSC::JIT::emit_op_is_undefined): (JSC::JIT::emit_op_jeq_null): (JSC::JIT::emit_op_jneq_null): (JSC::JIT::emit_op_eq_null): (JSC::JIT::emit_op_neq_null):
* jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_is_undefined): (JSC::JIT::emit_op_jeq_null): (JSC::JIT::emit_op_jneq_null): (JSC::JIT::emit_op_eq_null): (JSC::JIT::emit_op_neq_null):
* jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION):
* llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncFilter): (JSC::arrayProtoFuncEvery): (JSC::arrayProtoFuncSome):
* runtime/BooleanConstructor.cpp: (JSC::constructBoolean): (JSC::callBooleanConstructor):
* runtime/JSCell.h: (JSCell):
* runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::JSGlobalObject):
* runtime/JSGlobalObject.h: (JSGlobalObject): (JSC::JSGlobalObject::masqueradesAsUndefinedWatchpoint):
* runtime/JSString.h: (JSC::JSCell::toBoolean): (JSC::JSValue::toBoolean):
* runtime/JSValue.h:
* runtime/ObjectConstructor.cpp: (JSC::toPropertyDescriptor):
* runtime/Operations.cpp: (JSC::jsTypeStringForValue): (JSC::jsIsObjectType):
* runtime/Operations.h: (JSC): (JSC::JSValue::equalSlowCaseInline):
* runtime/RegExpConstructor.cpp: (JSC::setRegExpConstructorMultiline):
* runtime/RegExpPrototype.cpp: (JSC::regExpProtoFuncToString):
* runtime/Structure.h: (Structure): (JSC::Structure::globalObjectOffset): (JSC::Structure::masqueradesAsUndefined): (JSC):

Source/WebCore:

With some upcoming changes to the DFG to remove uses of ClassInfo, we will be changing the behavior of MasqueradesAsUndefined. In order to make this change consistent across all of our execution engines, we will make this change to MasqueradesAsUndefined as a separate patch. After this patch, MasqueradesAsUndefined objects will only masquerade as undefined in their original context (i.e. their original JSGlobalObject). For example, if an object that masquerades as undefined in frame A is passed to frame B, it will not masquerade as undefined within frame B, but it will continue to masquerade in frame A.

Test: fast/js/document-all-between-frames.html

All of the changes in WebCore are simply passing the additional ExecState argument to JSValue::toBoolean.

* bindings/js/JSCustomSQLStatementErrorCallback.cpp: (WebCore::JSSQLStatementErrorCallback::handleEvent):
* bindings/js/JSDOMWindowCustom.cpp: (WebCore::JSDOMWindow::addEventListener): (WebCore::JSDOMWindow::removeEventListener):
* bindings/js/JSDataViewCustom.cpp: (WebCore::getDataViewMember):
* bindings/js/JSDeviceMotionEventCustom.cpp: (WebCore::JSDeviceMotionEvent::initDeviceMotionEvent):
* bindings/js/JSDeviceOrientationEventCustom.cpp: (WebCore::JSDeviceOrientationEvent::initDeviceOrientationEvent):
* bindings/js/JSDictionary.cpp: (WebCore::JSDictionary::convertValue):
* bindings/js/JSDirectoryEntryCustom.cpp: (WebCore::JSDirectoryEntry::getFile): (WebCore::JSDirectoryEntry::getDirectory):
* bindings/js/JSDirectoryEntrySyncCustom.cpp: (WebCore::getFlags):
* bindings/js/JSHTMLCanvasElementCustom.cpp: (WebCore::JSHTMLCanvasElement::getContext):
* bindings/js/JSInspectorFrontendHostCustom.cpp: (WebCore::populateContextMenuItems):
* bindings/js/JSMessageEventCustom.cpp: (WebCore::handleInitMessageEvent):
* bindings/js/JSWebGLRenderingContextCustom.cpp: (WebCore::dataFunctionMatrix):
* bindings/js/JSXMLHttpRequestCustom.cpp: (WebCore::JSXMLHttpRequest::open):
* bindings/js/JavaScriptCallFrame.cpp: (WebCore::JavaScriptCallFrame::exec): (WebCore):
* bindings/js/JavaScriptCallFrame.h: (JavaScriptCallFrame):
* bindings/js/ScriptDebugServer.cpp: (WebCore::ScriptDebugServer::hasBreakpoint):
* bindings/scripts/CodeGeneratorJS.pm: Also add the custom create function for MasqueradesAsUndefined JS DOM wrappers. (GenerateEventListenerCall): (GenerateHeader): (JSValueToNative):
* bindings/scripts/test/JS/JSTestEventTarget.cpp: (WebCore::jsTestEventTargetPrototypeFunctionAddEventListener): (WebCore::jsTestEventTargetPrototypeFunctionRemoveEventListener):
* bindings/scripts/test/JS/JSTestEventTarget.h: (WebCore::JSTestEventTarget::create):
* bindings/scripts/test/JS/JSTestObj.cpp: (WebCore::setJSTestObjCreate): (WebCore::setJSTestObjReflectedBooleanAttr): (WebCore::setJSTestObjReflectedCustomBooleanAttr): (WebCore::jsTestObjPrototypeFunctionAddEventListener): (WebCore::jsTestObjPrototypeFunctionRemoveEventListener):
* bridge/c/c_utility.cpp: (JSC::Bindings::convertValueToNPVariant):
* bridge/jni/jni_jsobject.mm: (JavaJSObject::convertValueToJObject):
* bridge/qt/qt_runtime.cpp: (JSC::Bindings::convertValueToQVariant):

Source/WebKit/mac:

With some upcoming changes to the DFG to remove uses of ClassInfo, we will be changing the behavior of MasqueradesAsUndefined. In order to make this change consistent across all of our execution engines, we will make this change to MasqueradesAsUndefined as a separate patch. After this patch, MasqueradesAsUndefined objects will only masquerade as undefined in their original context (i.e. their original JSGlobalObject). For example, if an object that masquerades as undefined in frame A is passed to frame B, it will not masquerade as undefined within frame B, but it will continue to masquerade in frame A.

* Plugins/Hosted/NetscapePluginInstanceProxy.mm: (WebKit::NetscapePluginInstanceProxy::addValueToArray): Passing ExecState to toBoolean call.

Source/WebKit2:

With some upcoming changes to the DFG to remove uses of ClassInfo, we will be changing the behavior of MasqueradesAsUndefined. In order to make this change consistent across all of our execution engines, we will make this change to MasqueradesAsUndefined as a separate patch. After this patch, MasqueradesAsUndefined objects will only masquerade as undefined in their original context (i.e. their original JSGlobalObject). For example, if an object that masquerades as undefined in frame A is passed to frame B, it will not masquerade as undefined within frame B, but it will continue to masquerade in frame A.

* WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp: (WebKit::NPRuntimeObjectMap::convertJSValueToNPVariant): Passing ExecState to toBoolean call.

LayoutTests:

Added a test that uses a variety of ways of checking whether something is correctly masquerading as undefined (or not) in a subframe.

* fast/js/document-all-between-frames-expected.txt: Added.
* fast/js/document-all-between-frames.html: Added.
* fast/js/resources/document-all-between-frames-subframe.html: Added.
* platform/chromium/TestExpectations: Chromium treats document.all differently, so skip our new test.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@125687 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 23 Jul, 2012 1 commit
fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=91788

Reviewed by Geoffrey Garen.

Changes property storage to grow to the left, and changes the property storage pointer to point one 8-byte word (i.e. JSValue) to the right of the first value in the storage.

Also improved debug support somewhat, by adding a describe() function to the jsc command-line, and a slow mode of object access in LLInt.

* assembler/ARMv7Assembler.h: (JSC::ARMv7Assembler::repatchCompact):
* assembler/MacroAssemblerARMv7.h: (MacroAssemblerARMv7): (JSC::MacroAssemblerARMv7::isCompactPtrAlignedAddressOffset): (JSC::MacroAssemblerARMv7::load32WithCompactAddressOffsetPatch):
* assembler/MacroAssemblerX86Common.h: (JSC::MacroAssemblerX86Common::isCompactPtrAlignedAddressOffset): (JSC::MacroAssemblerX86Common::repatchCompact):
* assembler/X86Assembler.h: (JSC::X86Assembler::repatchCompact):
* bytecode/CodeBlock.cpp: (JSC::dumpStructure):
* bytecode/GetByIdStatus.h: (JSC::GetByIdStatus::GetByIdStatus):
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGRepatch.cpp: (JSC::DFG::tryCacheGetByID): (JSC::DFG::emitPutTransitionStub):
* dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage): (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
* dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile):
* heap/ConservativeRoots.cpp: (JSC::ConservativeRoots::genericAddPointer):
* heap/CopiedSpace.h: (CopiedSpace):
* heap/CopiedSpaceInlineMethods.h: (JSC::CopiedSpace::pinIfNecessary): (JSC):
* jit/JITPropertyAccess.cpp: (JSC::JIT::compileGetDirectOffset):
* jit/JITPropertyAccess32_64.cpp: (JSC::JIT::compileGetDirectOffset):
* jit/JITStubs.cpp: (JSC::JITThunks::tryCacheGetByID):
* jsc.cpp: (GlobalObject::finishCreation): (functionDescribe):
* llint/LLIntCommon.h:
* llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/JSObject.cpp: (JSC::JSObject::visitChildren): (JSC::JSFinalObject::visitChildren): (JSC::JSObject::growOutOfLineStorage):
* runtime/JSObject.h: (JSC::JSObject::getDirectLocation): (JSC::JSObject::offsetForLocation):
* runtime/JSValue.h: (JSValue):
* runtime/PropertyOffset.h: (JSC::offsetInOutOfLineStorage):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@123417 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 11 Jul, 2012 1 commit
fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=90924

Source/JavaScriptCore:

Reviewed by Gavin Barraclough.

Implements virtual call support in the style of the old JIT, with the caveat that we still use the same slow path for both InternalFunction calls and JSFunction calls. Also rationalized the way that our CodeOrigin indices tie into exception checks (previously it was a strange one-to-one mapping with fairly limited assertions; now it's a one-to-many mapping for CodeOrigins to exception checks, respectively).

I also took the opportunity to clean up CallLinkInfo::callReturnLocation, which previously was either a Call or a NearCall. Now it's just a NearCall. As well, exceptions during slow path call resolution are now handled by returning an exception throwing thunk rather than returning null. And finally, I made a few things public that were previously private-with-lots-of-friends, because I truly despise the thought of listing each thunk generating function as a friend of JSValue and friends.

* bytecode/CallLinkInfo.cpp: (JSC::CallLinkInfo::unlink):
* bytecode/CallLinkInfo.h: (CallLinkInfo):
* bytecode/CodeOrigin.h: (JSC::CodeOrigin::CodeOrigin): (JSC::CodeOrigin::isSet):
* dfg/DFGAssemblyHelpers.h: (JSC::DFG::AssemblyHelpers::AssemblyHelpers):
* dfg/DFGCCallHelpers.h: (JSC::DFG::CCallHelpers::CCallHelpers):
* dfg/DFGGPRInfo.h: (GPRInfo):
* dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::link): (JSC::DFG::JITCompiler::compileFunction):
* dfg/DFGJITCompiler.h: (JSC::DFG::CallBeginToken::CallBeginToken): (JSC::DFG::CallBeginToken::~CallBeginToken): (CallBeginToken): (JSC::DFG::CallBeginToken::set): (JSC::DFG::CallBeginToken::registerWithExceptionCheck): (JSC::DFG::CallBeginToken::codeOrigin): (JSC::DFG::CallExceptionRecord::CallExceptionRecord): (CallExceptionRecord): (JSC::DFG::JITCompiler::currentCodeOriginIndex): (JITCompiler): (JSC::DFG::JITCompiler::beginCall): (JSC::DFG::JITCompiler::notifyCall): (JSC::DFG::JITCompiler::prepareForExceptionCheck): (JSC::DFG::JITCompiler::addExceptionCheck): (JSC::DFG::JITCompiler::addFastExceptionCheck):
* dfg/DFGOperations.cpp:
* dfg/DFGRepatch.cpp: (JSC::DFG::dfgLinkFor):
* dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
* dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::emitCall):
* dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::emitCall):
* dfg/DFGThunks.cpp: (JSC::DFG::emitPointerValidation): (DFG): (JSC::DFG::throwExceptionFromCallSlowPathGenerator): (JSC::DFG::slowPathFor): (JSC::DFG::linkForThunkGenerator): (JSC::DFG::linkCallThunkGenerator): (JSC::DFG::linkConstructThunkGenerator): (JSC::DFG::virtualForThunkGenerator): (JSC::DFG::virtualCallThunkGenerator): (JSC::DFG::virtualConstructThunkGenerator):
* dfg/DFGThunks.h: (DFG):
* jit/JIT.cpp: (JSC::JIT::privateCompile): (JSC::JIT::linkFor):
* runtime/Executable.h: (ExecutableBase): (JSC::ExecutableBase::offsetOfJITCodeFor): (JSC::ExecutableBase::offsetOfNumParametersFor):
* runtime/JSValue.h: (JSValue):

LayoutTests:

Rubber stamped by Oliver Hunt.

This changes which piece of code appears on top of the stack at the point of a stack overflow. As far as Oliver and I can tell, it doesn't matter, so I just rebased the test.

* fast/js/stack-trace-expected.txt:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@122392 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 25 May, 2012 1 commit
fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=87057

Reviewed by Gavin Barraclough.

Merged r118021 from dfgopt.

This gives ValueProfile the ability to track singleton values - i.e. profiling sites that always see the same value. That is then used to profile the structure in op_convert_this. This is then used to optimize op_convert_this into a CheckStructure if the structure is always the same. That then results in better CSE in inlined code that uses 'this', since previously we couldn't CSE accesses on 'this' from different inline call frames.

Also fixed a bug where we were unnecessarily flushing 'this'.

* bytecode/CodeBlock.cpp: (JSC::CodeBlock::dump): (JSC::CodeBlock::stronglyVisitStrongReferences):
* bytecode/LazyOperandValueProfile.cpp: (JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions):
* bytecode/LazyOperandValueProfile.h: (CompressedLazyOperandValueProfileHolder):
* bytecode/Opcode.h: (JSC): (JSC::padOpcodeName):
* bytecode/ValueProfile.h: (JSC::ValueProfileBase::ValueProfileBase): (JSC::ValueProfileBase::dump): (JSC::ValueProfileBase::computeUpdatedPrediction): (ValueProfileBase):
* bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::BytecodeGenerator):
* dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::setArgument): (JSC::DFG::ByteCodeParser::parseBlock):
* jit/JITOpcodes.cpp: (JSC::JIT::emit_op_convert_this): (JSC::JIT::emitSlow_op_convert_this):
* jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_convert_this): (JSC::JIT::emitSlow_op_convert_this):
* llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/JSValue.h: (JSValue):
* runtime/Structure.h: (JSC::JSValue::structureOrUndefined): (JSC):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@118555 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 18 May, 2012 2 commits
fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=84553

Source/JavaScriptCore:

Reviewed by Oliver Hunt.

Merged r115512 from dfgopt.

This change gives the DFG the ability to simplify the control flow graph as part of an optimization fixpoint that includes CSE, CFA, and constant folding. This required a number of interesting changes including:

- Solidifying the set of invariants that the DFG obeys. For example, the head and tail of each basic block must advertise the set of live locals and the set of available locals, respectively. It must do so by referring to the first access to the local in the block (for head) and the last one (for tail). This patch introduces the start of a validation step that may be turned on even with asserts disabled. To ensure that these invariants are preserved, I had to remove the redundant phi elimination phase. For now I just remove the call, but in the future we will probably remove it entirely unless we find a use for it.

- Making it easier to get the boolean version of a JSValue. This is a pure operation, but we previously did not treat it as such.

- Fixing the merging and filtering of AbstractValues that correspond to concrete JSValues. This was previously broken and was limiting the effect of running constant folding. Fixing this meant that I had to change how constant folding eliminates GetLocal nodes, so as to ensure that the resulting graph still obeys DFG rules.

- Introducing simplified getters for some of the things that DFG phases want to know about, like the Nth child of a node (now just graph.child(...) if you don't care about performance too much) or getting successors of a basic block.

The current CFG simplifier can handle almost all of the cases that it ought to handle; the noteworthy one that is not yet handled is removing basic blocks that just have jumps. To do this right we need to be able to remove jump-only blocks that also perform keep-alive on some values. To make this work, we need to be able to hoist the keep-alive into (or just above) a Branch. This is not fundamentally difficult but I opted to let this patch omit this optimization. We can handle this later.

This is a big win on programs that include inline functions that are often called with constant arguments. Of course, SunSpider, V8, and Kraken don't count. Those benchmarks are completely neutral with this change.

* API/JSValueRef.cpp: (JSValueToBoolean):
* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Target.pri:
* bytecode/CodeBlock.h: (JSC::CodeBlock::dfgOSREntryDataForBytecodeIndex):
* bytecode/Operands.h: (JSC::Operands::setOperandFirstTime): (Operands):
* dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::initialize): (JSC::DFG::AbstractState::execute): (JSC::DFG::AbstractState::mergeStateAtTail): (JSC::DFG::AbstractState::mergeToSuccessors):
* dfg/DFGAbstractValue.h: (JSC::DFG::AbstractValue::isClear): (JSC::DFG::AbstractValue::operator!=): (JSC::DFG::AbstractValue::merge): (JSC::DFG::AbstractValue::filter): (JSC::DFG::AbstractValue::validateIgnoringValue): (AbstractValue):
* dfg/DFGAdjacencyList.h: (JSC::DFG::AdjacencyList::child): (JSC::DFG::AdjacencyList::setChild): (AdjacencyList):
* dfg/DFGBasicBlock.h: (JSC::DFG::BasicBlock::~BasicBlock): (BasicBlock): (JSC::DFG::BasicBlock::numNodes): (JSC::DFG::BasicBlock::nodeIndex): (JSC::DFG::BasicBlock::isPhiIndex): (JSC::DFG::BasicBlock::isInPhis): (JSC::DFG::BasicBlock::isInBlock):
* dfg/DFGByteCodeParser.cpp: (ByteCodeParser): (DFG): (JSC::DFG::ByteCodeParser::parse):
* dfg/DFGCFAPhase.cpp: (JSC::DFG::CFAPhase::run): (JSC::DFG::CFAPhase::performBlockCFA): (JSC::DFG::performCFA):
* dfg/DFGCFAPhase.h: (DFG):
* dfg/DFGCFGSimplificationPhase.cpp: Added. (DFG): (CFGSimplificationPhase): (JSC::DFG::CFGSimplificationPhase::CFGSimplificationPhase): (JSC::DFG::CFGSimplificationPhase::run): (JSC::DFG::CFGSimplificationPhase::killUnreachable): (JSC::DFG::CFGSimplificationPhase::findOperandSource): (JSC::DFG::CFGSimplificationPhase::keepOperandAlive): (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal): (JSC::DFG::CFGSimplificationPhase::jettisonBlock): (JSC::DFG::CFGSimplificationPhase::fixPhis): (JSC::DFG::CFGSimplificationPhase::fixJettisonedPredecessors): (JSC::DFG::CFGSimplificationPhase::removePotentiallyDeadPhiReference): (JSC::DFG::CFGSimplificationPhase::OperandSubstitution::OperandSubstitution): (OperandSubstitution): (JSC::DFG::CFGSimplificationPhase::OperandSubstitution::dump): (JSC::DFG::CFGSimplificationPhase::skipGetLocal): (JSC::DFG::CFGSimplificationPhase::fixTailOperand): (JSC::DFG::CFGSimplificationPhase::mergeBlocks): (JSC::DFG::performCFGSimplification):
* dfg/DFGCFGSimplificationPhase.h: Added. (DFG):
* dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::run): (CSEPhase): (JSC::DFG::CSEPhase::impureCSE): (JSC::DFG::CSEPhase::globalVarLoadElimination): (JSC::DFG::CSEPhase::getByValLoadElimination): (JSC::DFG::CSEPhase::checkStructureLoadElimination): (JSC::DFG::CSEPhase::getByOffsetLoadElimination): (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination): (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination): (JSC::DFG::CSEPhase::performNodeCSE): (JSC::DFG::CSEPhase::performBlockCSE): (JSC::DFG::performCSE):
* dfg/DFGCSEPhase.h: (DFG):
* dfg/DFGCommon.h:
* dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::run): (JSC::DFG::performConstantFolding):
* dfg/DFGConstantFoldingPhase.h: (DFG):
* dfg/DFGDriver.cpp: (JSC::DFG::compile):
* dfg/DFGEdge.h: (Edge): (JSC::DFG::Edge::operator UnspecifiedBoolType*):
* dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::run): (JSC::DFG::FixupPhase::fixupBlock): (JSC::DFG::performFixup):
* dfg/DFGFixupPhase.h: (DFG):
* dfg/DFGGraph.cpp: (JSC::DFG::Graph::dump): (JSC::DFG::Graph::handleSuccessor): (DFG): (JSC::DFG::Graph::determineReachability): (JSC::DFG::Graph::resetReachability):
* dfg/DFGGraph.h: (JSC::DFG::Graph::deref): (JSC::DFG::Graph::changeIndex): (Graph): (JSC::DFG::Graph::changeEdge): (JSC::DFG::Graph::numSuccessors): (JSC::DFG::Graph::successor): (JSC::DFG::Graph::successorForCondition): (JSC::DFG::Graph::isPredictedNumerical): (JSC::DFG::Graph::byValIsPure): (JSC::DFG::Graph::clobbersWorld): (JSC::DFG::Graph::numChildren): (JSC::DFG::Graph::child):
* dfg/DFGNode.h: (JSC::DFG::Node::convertToConstant): (JSC::DFG::Node::numSuccessors): (Node): (JSC::DFG::Node::successor): (JSC::DFG::Node::successorForCondition):
* dfg/DFGNodeType.h: (DFG):
* dfg/DFGOSREntry.cpp: (JSC::DFG::prepareOSREntry):
* dfg/DFGOperations.cpp:
* dfg/DFGPhase.cpp: (JSC::DFG::Phase::endPhase):
* dfg/DFGPhase.h: (JSC::DFG::runPhase):
* dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::run): (JSC::DFG::performPredictionPropagation):
* dfg/DFGPredictionPropagationPhase.h: (DFG):
* dfg/DFGRedundantPhiEliminationPhase.cpp: (JSC::DFG::RedundantPhiEliminationPhase::run): (JSC::DFG::performRedundantPhiElimination):
* dfg/DFGRedundantPhiEliminationPhase.h: (DFG):
* dfg/DFGScoreBoard.h: (JSC::DFG::ScoreBoard::use): (ScoreBoard): (JSC::DFG::ScoreBoard::useIfHasResult):
* dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality): (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch): (JSC::DFG::SpeculativeJIT::compile): (JSC::DFG::SpeculativeJIT::createOSREntries): (JSC::DFG::SpeculativeJIT::linkOSREntries): (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant): (JSC::DFG::SpeculativeJIT::compileRegExpExec):
* dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::nextBlock): (SpeculativeJIT): (JSC::DFG::SpeculativeJIT::use): (JSC::DFG::SpeculativeJIT::jump):
* dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq): (JSC::DFG::SpeculativeJIT::emitBranch): (JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq): (JSC::DFG::SpeculativeJIT::emitBranch): (JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGValidate.cpp: Added. (DFG): (Validate): (JSC::DFG::Validate::Validate): (JSC::DFG::Validate::validate): (JSC::DFG::Validate::reportValidationContext): (JSC::DFG::Validate::dumpData): (JSC::DFG::Validate::dumpGraphIfAppropriate): (JSC::DFG::validate):
* dfg/DFGValidate.h: Added. (DFG): (JSC::DFG::validate):
* dfg/DFGVirtualRegisterAllocationPhase.cpp: (JSC::DFG::VirtualRegisterAllocationPhase::run): (JSC::DFG::performVirtualRegisterAllocation):
* dfg/DFGVirtualRegisterAllocationPhase.h: (DFG):
* interpreter/Interpreter.cpp: (JSC::Interpreter::privateExecute):
* jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION):
* llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncFilter): (JSC::arrayProtoFuncEvery): (JSC::arrayProtoFuncSome):
* runtime/BooleanConstructor.cpp: (JSC::constructBoolean): (JSC::callBooleanConstructor):
* runtime/JSCell.h: (JSCell):
* runtime/JSObject.cpp: (JSC):
* runtime/JSObject.h:
* runtime/JSString.cpp: (JSC::JSString::toBoolean):
* runtime/JSString.h: (JSString): (JSC::JSCell::toBoolean): (JSC::JSValue::toBoolean):
* runtime/JSValue.h:
* runtime/ObjectConstructor.cpp: (JSC::toPropertyDescriptor):
* runtime/RegExpConstructor.cpp: (JSC::setRegExpConstructorMultiline):
* runtime/RegExpPrototype.cpp: (JSC::regExpProtoFuncToString):

Source/WebCore:

Reviewed by Oliver Hunt.

Merged r115512 from dfgopt.

JSValue::toBoolean(ExecState*) -> JSValue::toBoolean()

No new tests, because no new behavior.
* bindings/js/JSCustomSQLStatementErrorCallback.cpp: (WebCore::JSSQLStatementErrorCallback::handleEvent): * bindings/js/JSDOMWindowCustom.cpp: (WebCore::JSDOMWindow::addEventListener): (WebCore::JSDOMWindow::removeEventListener): * bindings/js/JSDataViewCustom.cpp: (WebCore::getDataViewMember): * bindings/js/JSDeviceMotionEventCustom.cpp: (WebCore::JSDeviceMotionEvent::initDeviceMotionEvent): * bindings/js/JSDeviceOrientationEventCustom.cpp: (WebCore::JSDeviceOrientationEvent::initDeviceOrientationEvent): * bindings/js/JSDictionary.cpp: (WebCore::JSDictionary::convertValue): * bindings/js/JSDirectoryEntryCustom.cpp: (WebCore::JSDirectoryEntry::getFile): (WebCore::JSDirectoryEntry::getDirectory): * bindings/js/JSDirectoryEntrySyncCustom.cpp: (WebCore::getFlags): * bindings/js/JSHTMLCanvasElementCustom.cpp: (WebCore::JSHTMLCanvasElement::getContext): * bindings/js/JSInspectorFrontendHostCustom.cpp: (WebCore::JSInspectorFrontendHost::showContextMenu): * bindings/js/JSMessageEventCustom.cpp: (WebCore::handleInitMessageEvent): * bindings/js/JSWebGLRenderingContextCustom.cpp: (WebCore::dataFunctionMatrix): * bindings/js/JSXMLHttpRequestCustom.cpp: (WebCore::JSXMLHttpRequest::open): * bindings/js/ScriptDebugServer.cpp: (WebCore::ScriptDebugServer::hasBreakpoint): * bindings/scripts/CodeGeneratorJS.pm: (GenerateEventListenerCall): (GenerateImplementation): (JSValueToNative): * bridge/c/c_utility.cpp: (JSC::Bindings::convertValueToNPVariant): * bridge/jni/jni_jsobject.mm: (JavaJSObject::convertValueToJObject): Source/WebKit/mac: Reviewed by Oliver Hunt. Merged r115512 from dfgopt. JSValue::toBoolean(ExecState*) -> JSValue::toBoolean() * Plugins/Hosted/NetscapePluginInstanceProxy.mm: (WebKit::NetscapePluginInstanceProxy::addValueToArray): Source/WebKit2: Reviewed by Oliver Hunt. Merged r115512 from dfgopt. 
JSValue::toBoolean(ExecState*) -> JSValue::toBoolean() * WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp: (WebKit::NPRuntimeObjectMap::convertJSValueToNPVariant): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@117646 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=84004 Reviewed by Gavin Barraclough. Merge r114554 from dfgopt. Changes AbstractValue to be able to hold a "set" of constants, where the maximum set size is 1 - so merging a value containing constant A with another value containing constant B where A != B will result in the AbstractValue claiming that it does not know any constants (i.e. it'll just have a predicted type and possible a structure). Added a constant folding phase that uses this new information to replace pure operations known to have constant results with JSConstants. This is OSR-exit-aware, in that it will prepend a Phantom that refers to all of the kids of the node we replaced. * CMakeLists.txt: * GNUmakefile.list.am: * JavaScriptCore.xcodeproj/project.pbxproj: * Target.pri: * dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::beginBasicBlock): (JSC::DFG::AbstractState::endBasicBlock): (JSC::DFG::AbstractState::execute): * dfg/DFGAbstractState.h: (AbstractState): * dfg/DFGAbstractValue.h: (JSC::DFG::AbstractValue::clear): (JSC::DFG::AbstractValue::isClear): (JSC::DFG::AbstractValue::makeTop): (JSC::DFG::AbstractValue::clobberValue): (AbstractValue): (JSC::DFG::AbstractValue::valueIsTop): (JSC::DFG::AbstractValue::value): (JSC::DFG::AbstractValue::set): (JSC::DFG::AbstractValue::operator==): (JSC::DFG::AbstractValue::merge): (JSC::DFG::AbstractValue::filter): (JSC::DFG::AbstractValue::validate): (JSC::DFG::AbstractValue::checkConsistency): (JSC::DFG::AbstractValue::dump): * dfg/DFGAdjacencyList.h: (JSC::DFG::AdjacencyList::initialize): (AdjacencyList): (JSC::DFG::AdjacencyList::reset): * dfg/DFGBasicBlock.h: (JSC::DFG::BasicBlock::BasicBlock): (BasicBlock): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::constantCSE): (CSEPhase): (JSC::DFG::CSEPhase::performNodeCSE): * dfg/DFGConstantFoldingPhase.cpp: Added. 
(DFG): (ConstantFoldingPhase): (JSC::DFG::ConstantFoldingPhase::ConstantFoldingPhase): (JSC::DFG::ConstantFoldingPhase::run): (JSC::DFG::performConstantFolding): * dfg/DFGConstantFoldingPhase.h: Added. (DFG): * dfg/DFGDriver.cpp: (JSC::DFG::compile): * dfg/DFGGraph.h: (Graph): (JSC::DFG::Graph::convertToConstant): * dfg/DFGInsertionSet.h: (JSC::DFG::InsertionSet::execute): * dfg/DFGNode.h: (JSC::DFG::Node::convertToConstant): (Node): * runtime/JSValue.cpp: (JSC::JSValue::description): * runtime/JSValue.h: (JSValue): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@117636 268f45cc-cd09-0410-ab3c-d52691b4dbfc
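A toy model of the lattice and folding pass this commit describes, added here as an example; it is not JavaScriptCore code. The node shapes (`Const`, `Arg`, `Phi`, `Add`, `Mul`), the value names `CLEAR`/`TOP`, the fixpoint loop and the sample graph are this example's own assumptions, standing in for the DFG's AbstractValue, AbstractState and Graph:

```javascript
"use strict";
// Added example, not JavaScriptCore code: a toy model of the constant folding
// described in the commit above. Each abstract value holds a "set" of known
// constants of size at most one; merging two different constants collapses to
// an unknown ("top") value, and a pure node whose abstract value is a single
// constant is replaced by a Const node that keeps a Phantom reference to the
// replaced node's children, so a later OSR exit still sees those values live.
// Node shapes, value names, the fixpoint loop and the sample graph are this
// example's own simplification, not the DFG's data structures.

const CLEAR = { kind: "clear" };                   // nothing known yet (bottom)
const TOP = { kind: "top" };                       // no constant known
const constant = (value) => ({ kind: "const", value });

// Lattice join: the "set of constants" is capped at one element.
function merge(a, b) {
  if (a.kind === "clear") return b;
  if (b.kind === "clear") return a;
  if (a.kind === "const" && b.kind === "const" && Object.is(a.value, b.value)) return a;
  return TOP;
}

// Transfer function for one node given the abstract values of its inputs.
function execute(node, inputs) {
  switch (node.op) {
    case "Const": return constant(node.value);
    case "Arg": return TOP;                          // comes from outside the graph
    case "Phi": return inputs.reduce(merge, CLEAR);  // control-flow merge point
    case "Add":
    case "Mul": {
      const [x, y] = inputs;
      if (x.kind !== "const" || y.kind !== "const") return TOP;
      return constant(node.op === "Add" ? x.value + y.value : x.value * y.value);
    }
    default: throw new Error("unknown op " + node.op);
  }
}

// Run the abstract interpretation to a fixpoint. Values only move upward
// (clear -> const -> top), so the loop terminates.
function analyze(graph) {
  const state = graph.map(() => CLEAR);
  let changed = true;
  while (changed) {
    changed = false;
    graph.forEach((node, i) => {
      const next = execute(node, (node.inputs || []).map((j) => state[j]));
      const same = next.kind === state[i].kind &&
        (next.kind !== "const" || Object.is(next.value, state[i].value));
      if (!same) {
        state[i] = next;
        changed = true;
      }
    });
  }
  return state;
}

// Replace every pure non-Const node with a known constant result by a Const
// that carries a Phantom over the original children (the OSR-exit concern).
// Returns a new graph; the input is left untouched.
function constantFold(graph) {
  const state = analyze(graph);
  return graph.map((node, i) => {
    if (node.op === "Const" || state[i].kind !== "const") return node;
    return { op: "Const", value: state[i].value, phantom: node.inputs.slice() };
  });
}

// Constructed sample graph: array indices are node ids; inputs refer to
// earlier nodes except in Phi, which may reference any predecessor.
const SAMPLE_GRAPH = [
  { op: "Const", value: 2 },          // 0
  { op: "Const", value: 3 },          // 1
  { op: "Add", inputs: [0, 1] },      // 2: 2 + 3, foldable
  { op: "Arg" },                      // 3: unknown from outside
  { op: "Phi", inputs: [0, 0] },      // 4: same constant on both edges
  { op: "Phi", inputs: [0, 1] },      // 5: 2 vs 3, collapses to top
  { op: "Mul", inputs: [4, 2] },      // 6: 2 * 5, foldable through the phi
  { op: "Add", inputs: [5, 2] },      // 7: top + 5, not foldable
  { op: "Add", inputs: [3, 0] },      // 8: arg + 2, not foldable
];
```

Node 5, the Phi over two different constants, is where the size-one set collapses to top, so the Add that consumes it stays unfolded; node 4, the Phi that sees the same constant on both edges, folds and lets the Mul after it fold too. The `phantom` field records the replaced node's children the way the commit's prepended Phantom does.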
-
- 11 May, 2012 1 commit
-
-
barraclough@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=86241 Reviewed by Geoff Garen. Replace 'const Identifier&' arguments to functions accessing object properties with a new 'PropertyName' type. This change paves the way to allow for properties keyed by values that are not Identifiers. This change is largely a mechanical find & replace. It also changes JSFunction's constructor to take a UString& instead of an Identifier& (since in some cases we can no longer guarantee that we'll have an Identifier), and unifies Identifier's methods to obtain array indices onto PropertyName. The new PropertyName class retains the ability to support .impl() and .ustring(), but in a future patch we may need to rework this, since not all PropertyNames should be equal based on their string representation. Source/JavaScriptCore: * API/JSCallbackFunction.cpp: (JSC::JSCallbackFunction::finishCreation): * API/JSCallbackFunction.h: (JSCallbackFunction): (JSC::JSCallbackFunction::create): * API/JSCallbackObject.h: (JSCallbackObject): * API/JSCallbackObjectFunctions.h: (JSC::::getOwnPropertySlot): (JSC::::getOwnPropertyDescriptor): (JSC::::put): (JSC::::deleteProperty): (JSC::::getStaticValue): (JSC::::staticFunctionGetter): (JSC::::callbackGetter): * API/JSObjectRef.cpp: (JSObjectMakeFunctionWithCallback): * JSCTypedArrayStubs.h: (JSC): * JavaScriptCore.xcodeproj/project.pbxproj: * debugger/DebuggerActivation.cpp: (JSC::DebuggerActivation::getOwnPropertySlot): (JSC::DebuggerActivation::put): (JSC::DebuggerActivation::putDirectVirtual): (JSC::DebuggerActivation::deleteProperty): (JSC::DebuggerActivation::getOwnPropertyDescriptor): (JSC::DebuggerActivation::defineOwnProperty): * debugger/DebuggerActivation.h: (DebuggerActivation): * jsc.cpp: (GlobalObject::addFunction): (GlobalObject::addConstructableFunction): * runtime/Arguments.cpp: (JSC::Arguments::getOwnPropertySlot): (JSC::Arguments::getOwnPropertyDescriptor): (JSC::Arguments::put): (JSC::Arguments::deleteProperty): 
(JSC::Arguments::defineOwnProperty): * runtime/Arguments.h: (Arguments): * runtime/ArrayConstructor.cpp: (JSC::ArrayConstructor::finishCreation): (JSC::ArrayConstructor::getOwnPropertySlot): (JSC::ArrayConstructor::getOwnPropertyDescriptor): * runtime/ArrayConstructor.h: (ArrayConstructor): * runtime/ArrayPrototype.cpp: (JSC::ArrayPrototype::getOwnPropertySlot): (JSC::ArrayPrototype::getOwnPropertyDescriptor): (JSC::putProperty): * runtime/ArrayPrototype.h: (ArrayPrototype): * runtime/BooleanConstructor.cpp: (JSC::BooleanConstructor::finishCreation): * runtime/BooleanPrototype.cpp: (JSC::BooleanPrototype::getOwnPropertySlot): (JSC::BooleanPrototype::getOwnPropertyDescriptor): * runtime/BooleanPrototype.h: (BooleanPrototype): * runtime/ClassInfo.h: (MethodTable): * runtime/DateConstructor.cpp: (JSC::DateConstructor::finishCreation): (JSC::DateConstructor::getOwnPropertySlot): (JSC::DateConstructor::getOwnPropertyDescriptor): * runtime/DateConstructor.h: (DateConstructor): * runtime/DatePrototype.cpp: (JSC::DatePrototype::getOwnPropertySlot): (JSC::DatePrototype::getOwnPropertyDescriptor): * runtime/DatePrototype.h: (DatePrototype): * runtime/Error.h: (JSC::StrictModeTypeErrorFunction::create): * runtime/ErrorConstructor.cpp: (JSC::ErrorConstructor::finishCreation): * runtime/ErrorPrototype.cpp: (JSC::ErrorPrototype::getOwnPropertySlot): (JSC::ErrorPrototype::getOwnPropertyDescriptor): * runtime/ErrorPrototype.h: (ErrorPrototype): * runtime/FunctionConstructor.cpp: (JSC::FunctionConstructor::finishCreation): * runtime/FunctionPrototype.cpp: (JSC::FunctionPrototype::finishCreation): (JSC::FunctionPrototype::addFunctionProperties): (JSC::functionProtoFuncBind): * runtime/FunctionPrototype.h: (JSC::FunctionPrototype::create): (FunctionPrototype): * runtime/Identifier.cpp: (JSC): * runtime/Identifier.h: (Identifier): * runtime/InternalFunction.cpp: (JSC::InternalFunction::finishCreation): * runtime/InternalFunction.h: (InternalFunction): * runtime/JSActivation.cpp: 
(JSC::JSActivation::symbolTableGet): (JSC::JSActivation::symbolTablePut): (JSC::JSActivation::symbolTablePutWithAttributes): (JSC::JSActivation::getOwnPropertySlot): (JSC::JSActivation::put): (JSC::JSActivation::putDirectVirtual): (JSC::JSActivation::deleteProperty): (JSC::JSActivation::argumentsGetter): * runtime/JSActivation.h: (JSActivation): * runtime/JSArray.cpp: (JSC::JSArray::defineOwnProperty): (JSC::JSArray::getOwnPropertySlot): (JSC::JSArray::getOwnPropertyDescriptor): (JSC::JSArray::put): (JSC::JSArray::deleteProperty): * runtime/JSArray.h: (JSArray): (JSC): * runtime/JSBoundFunction.cpp: (JSC::JSBoundFunction::create): (JSC::JSBoundFunction::finishCreation): * runtime/JSBoundFunction.h: (JSBoundFunction): * runtime/JSCell.cpp: (JSC::JSCell::getOwnPropertySlot): (JSC::JSCell::put): (JSC::JSCell::deleteProperty): (JSC::JSCell::putDirectVirtual): (JSC::JSCell::defineOwnProperty): (JSC::JSCell::getOwnPropertyDescriptor): * runtime/JSCell.h: (JSCell): * runtime/JSFunction.cpp: (JSC::JSFunction::create): (JSC::JSFunction::finishCreation): (JSC::JSFunction::argumentsGetter): (JSC::JSFunction::callerGetter): (JSC::JSFunction::lengthGetter): (JSC::JSFunction::getOwnPropertySlot): (JSC::JSFunction::getOwnPropertyDescriptor): (JSC::JSFunction::put): (JSC::JSFunction::deleteProperty): (JSC::JSFunction::defineOwnProperty): (JSC::getCalculatedDisplayName): * runtime/JSFunction.h: (JSFunction): * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::put): (JSC::JSGlobalObject::putDirectVirtual): (JSC::JSGlobalObject::defineOwnProperty): (JSC::JSGlobalObject::reset): (JSC::JSGlobalObject::createThrowTypeError): (JSC::JSGlobalObject::getOwnPropertySlot): (JSC::JSGlobalObject::getOwnPropertyDescriptor): * runtime/JSGlobalObject.h: (JSGlobalObject): (JSC::JSGlobalObject::hasOwnPropertyForWrite): (JSC::JSGlobalObject::symbolTableHasProperty): * runtime/JSNotAnObject.cpp: (JSC::JSNotAnObject::getOwnPropertySlot): (JSC::JSNotAnObject::getOwnPropertyDescriptor): 
(JSC::JSNotAnObject::put): (JSC::JSNotAnObject::deleteProperty): * runtime/JSNotAnObject.h: (JSNotAnObject): * runtime/JSONObject.cpp: (JSC::JSONObject::getOwnPropertySlot): (JSC::JSONObject::getOwnPropertyDescriptor): * runtime/JSONObject.h: (JSONObject): * runtime/JSObject.cpp: (JSC::JSObject::put): (JSC::JSObject::putDirectVirtual): (JSC::JSObject::putDirectAccessor): (JSC::JSObject::hasProperty): (JSC::JSObject::deleteProperty): (JSC::JSObject::hasOwnProperty): (JSC::callDefaultValueFunction): (JSC::JSObject::findPropertyHashEntry): (JSC::JSObject::getPropertySpecificValue): (JSC::JSObject::removeDirect): (JSC::JSObject::getOwnPropertyDescriptor): (JSC::JSObject::getPropertyDescriptor): (JSC::putDescriptor): (JSC::JSObject::defineOwnProperty): * runtime/JSObject.h: (JSObject): (JSC::JSObject::getDirect): (JSC::JSObject::getDirectLocation): (JSC::JSObject::inlineGetOwnPropertySlot): (JSC::JSObject::getOwnPropertySlot): (JSC::JSCell::fastGetOwnPropertySlot): (JSC::JSObject::getPropertySlot): (JSC::JSObject::get): (JSC::JSObject::putDirectInternal): (JSC::JSObject::putOwnDataProperty): (JSC::JSObject::putDirect): (JSC::JSObject::putDirectWithoutTransition): (JSC::JSValue::get): (JSC::JSValue::put): * runtime/JSStaticScopeObject.cpp: (JSC::JSStaticScopeObject::put): (JSC::JSStaticScopeObject::putDirectVirtual): (JSC::JSStaticScopeObject::getOwnPropertySlot): * runtime/JSStaticScopeObject.h: (JSStaticScopeObject): * runtime/JSString.cpp: (JSC::JSString::getOwnPropertySlot): (JSC::JSString::getStringPropertyDescriptor): * runtime/JSString.h: (JSString): (JSC::JSString::getStringPropertySlot): * runtime/JSValue.cpp: (JSC::JSValue::putToPrimitive): * runtime/JSValue.h: (JSC): (JSValue): * runtime/JSVariableObject.cpp: (JSC::JSVariableObject::deleteProperty): (JSC::JSVariableObject::symbolTableGet): (JSC::JSVariableObject::putDirectVirtual): * runtime/JSVariableObject.h: (JSVariableObject): (JSC::JSVariableObject::symbolTableGet): 
(JSC::JSVariableObject::symbolTablePut): (JSC::JSVariableObject::symbolTablePutWithAttributes): * runtime/Lookup.cpp: (JSC::setUpStaticFunctionSlot): * runtime/Lookup.h: (JSC::HashTable::entry): (JSC): (JSC::getStaticPropertySlot): (JSC::getStaticPropertyDescriptor): (JSC::getStaticFunctionSlot): (JSC::getStaticFunctionDescriptor): (JSC::getStaticValueSlot): (JSC::getStaticValueDescriptor): (JSC::lookupPut): * runtime/MathObject.cpp: (JSC::MathObject::getOwnPropertySlot): (JSC::MathObject::getOwnPropertyDescriptor): * runtime/MathObject.h: (MathObject): * runtime/NativeErrorConstructor.h: (JSC::NativeErrorConstructor::finishCreation): * runtime/NumberConstructor.cpp: (JSC): (JSC::NumberConstructor::finishCreation): (JSC::NumberConstructor::getOwnPropertySlot): (JSC::NumberConstructor::getOwnPropertyDescriptor): (JSC::NumberConstructor::put): (JSC::numberConstructorNaNValue): (JSC::numberConstructorNegInfinity): (JSC::numberConstructorPosInfinity): (JSC::numberConstructorMaxValue): (JSC::numberConstructorMinValue): * runtime/NumberConstructor.h: (NumberConstructor): * runtime/NumberPrototype.cpp: (JSC::NumberPrototype::getOwnPropertySlot): (JSC::NumberPrototype::getOwnPropertyDescriptor): * runtime/NumberPrototype.h: (NumberPrototype): * runtime/ObjectConstructor.cpp: (JSC::ObjectConstructor::finishCreation): (JSC::ObjectConstructor::getOwnPropertySlot): (JSC::ObjectConstructor::getOwnPropertyDescriptor): * runtime/ObjectConstructor.h: (ObjectConstructor): * runtime/ObjectPrototype.cpp: (JSC::ObjectPrototype::put): (JSC::ObjectPrototype::defineOwnProperty): (JSC::ObjectPrototype::getOwnPropertySlot): (JSC::ObjectPrototype::getOwnPropertyDescriptor): * runtime/ObjectPrototype.h: (ObjectPrototype): * runtime/PropertySlot.h: (PropertySlot): (JSC::PropertySlot::getValue): * runtime/RegExpConstructor.cpp: (JSC): (JSC::RegExpConstructor::finishCreation): (JSC::RegExpConstructor::getOwnPropertySlot): (JSC::RegExpConstructor::getOwnPropertyDescriptor): 
(JSC::regExpConstructorDollar1): (JSC::regExpConstructorDollar2): (JSC::regExpConstructorDollar3): (JSC::regExpConstructorDollar4): (JSC::regExpConstructorDollar5): (JSC::regExpConstructorDollar6): (JSC::regExpConstructorDollar7): (JSC::regExpConstructorDollar8): (JSC::regExpConstructorDollar9): (JSC::regExpConstructorInput): (JSC::regExpConstructorMultiline): (JSC::regExpConstructorLastMatch): (JSC::regExpConstructorLastParen): (JSC::regExpConstructorLeftContext): (JSC::regExpConstructorRightContext): (JSC::RegExpConstructor::put): * runtime/RegExpConstructor.h: (RegExpConstructor): * runtime/RegExpMatchesArray.h: (JSC::RegExpMatchesArray::getOwnPropertySlot): (JSC::RegExpMatchesArray::getOwnPropertyDescriptor): (JSC::RegExpMatchesArray::put): (JSC::RegExpMatchesArray::deleteProperty): (JSC::RegExpMatchesArray::defineOwnProperty): * runtime/RegExpObject.cpp: (JSC): (JSC::RegExpObject::getOwnPropertySlot): (JSC::RegExpObject::getOwnPropertyDescriptor): (JSC::RegExpObject::deleteProperty): (JSC::RegExpObject::defineOwnProperty): (JSC::regExpObjectGlobal): (JSC::regExpObjectIgnoreCase): (JSC::regExpObjectMultiline): (JSC::regExpObjectSource): (JSC::RegExpObject::put): * runtime/RegExpObject.h: (RegExpObject): * runtime/RegExpPrototype.cpp: (JSC::RegExpPrototype::getOwnPropertySlot): (JSC::RegExpPrototype::getOwnPropertyDescriptor): * runtime/RegExpPrototype.h: (RegExpPrototype): * runtime/StrictEvalActivation.cpp: (JSC::StrictEvalActivation::deleteProperty): * runtime/StrictEvalActivation.h: (StrictEvalActivation): * runtime/StringConstructor.cpp: (JSC::StringConstructor::finishCreation): (JSC::StringConstructor::getOwnPropertySlot): (JSC::StringConstructor::getOwnPropertyDescriptor): * runtime/StringConstructor.h: (StringConstructor): * runtime/StringObject.cpp: (JSC::StringObject::getOwnPropertySlot): (JSC::StringObject::getOwnPropertyDescriptor): (JSC::StringObject::put): (JSC::StringObject::defineOwnProperty): (JSC::StringObject::deleteProperty): * 
runtime/StringObject.h: (StringObject): * runtime/StringPrototype.cpp: (JSC::StringPrototype::getOwnPropertySlot): (JSC::StringPrototype::getOwnPropertyDescriptor): * runtime/StringPrototype.h: (StringPrototype): * runtime/Structure.cpp: (JSC::Structure::despecifyDictionaryFunction): (JSC::Structure::addPropertyTransitionToExistingStructure): (JSC::Structure::addPropertyTransition): (JSC::Structure::removePropertyTransition): (JSC::Structure::despecifyFunctionTransition): (JSC::Structure::attributeChangeTransition): (JSC::Structure::addPropertyWithoutTransition): (JSC::Structure::removePropertyWithoutTransition): (JSC::Structure::get): (JSC::Structure::despecifyFunction): (JSC::Structure::putSpecificValue): (JSC::Structure::remove): * runtime/Structure.h: (Structure): (JSC::Structure::get): Source/WebCore: * WebCore.exp.in: * bindings/js/JSCSSStyleDeclarationCustom.cpp: (WebCore::cssPropertyIDForJSCSSPropertyName): (WebCore::JSCSSStyleDeclaration::getOwnPropertySlotDelegate): (WebCore::JSCSSStyleDeclaration::getOwnPropertyDescriptorDelegate): (WebCore::JSCSSStyleDeclaration::putDelegate): * bindings/js/JSDOMBinding.cpp: (WebCore::findAtomicString): (WebCore::objectToStringFunctionGetter): * bindings/js/JSDOMBinding.h: (WebCore): (WebCore::propertyNameToString): (WebCore::propertyNameToAtomicString): * bindings/js/JSDOMMimeTypeArrayCustom.cpp: (WebCore::JSDOMMimeTypeArray::canGetItemsForName): (WebCore::JSDOMMimeTypeArray::nameGetter): * bindings/js/JSDOMPluginArrayCustom.cpp: (WebCore::JSDOMPluginArray::canGetItemsForName): (WebCore::JSDOMPluginArray::nameGetter): * bindings/js/JSDOMPluginCustom.cpp: (WebCore::JSDOMPlugin::canGetItemsForName): (WebCore::JSDOMPlugin::nameGetter): * bindings/js/JSDOMStringMapCustom.cpp: (WebCore::JSDOMStringMap::canGetItemsForName): (WebCore::JSDOMStringMap::nameGetter): (WebCore::JSDOMStringMap::deleteProperty): (WebCore::JSDOMStringMap::putDelegate): * bindings/js/JSDOMWindowCustom.cpp: (WebCore::nonCachingStaticFunctionGetter): 
(WebCore::childFrameGetter): (WebCore::namedItemGetter): (WebCore::JSDOMWindow::getOwnPropertySlot): (WebCore::JSDOMWindow::getOwnPropertyDescriptor): (WebCore::JSDOMWindow::put): (WebCore::JSDOMWindow::deleteProperty): (WebCore::JSDOMWindow::defineOwnProperty): * bindings/js/JSDOMWindowShell.cpp: (WebCore::JSDOMWindowShell::getOwnPropertySlot): (WebCore::JSDOMWindowShell::getOwnPropertyDescriptor): (WebCore::JSDOMWindowShell::put): (WebCore::JSDOMWindowShell::putDirectVirtual): (WebCore::JSDOMWindowShell::defineOwnProperty): (WebCore::JSDOMWindowShell::deleteProperty): * bindings/js/JSDOMWindowShell.h: (JSDOMWindowShell): * bindings/js/JSHTMLAllCollectionCustom.cpp: (WebCore::getNamedItems): (WebCore::callHTMLAllCollection): (WebCore::JSHTMLAllCollection::canGetItemsForName): (WebCore::JSHTMLAllCollection::nameGetter): (WebCore::JSHTMLAllCollection::item): * bindings/js/JSHTMLAppletElementCustom.cpp: (WebCore::JSHTMLAppletElement::getOwnPropertySlotDelegate): (WebCore::JSHTMLAppletElement::getOwnPropertyDescriptorDelegate): (WebCore::JSHTMLAppletElement::putDelegate): * bindings/js/JSHTMLCollectionCustom.cpp: (WebCore::getNamedItems): (WebCore::JSHTMLCollection::canGetItemsForName): (WebCore::JSHTMLCollection::nameGetter): * bindings/js/JSHTMLDocumentCustom.cpp: (WebCore::JSHTMLDocument::canGetItemsForName): (WebCore::JSHTMLDocument::nameGetter): * bindings/js/JSHTMLEmbedElementCustom.cpp: (WebCore::JSHTMLEmbedElement::getOwnPropertySlotDelegate): (WebCore::JSHTMLEmbedElement::getOwnPropertyDescriptorDelegate): (WebCore::JSHTMLEmbedElement::putDelegate): * bindings/js/JSHTMLFormElementCustom.cpp: (WebCore::JSHTMLFormElement::canGetItemsForName): (WebCore::JSHTMLFormElement::nameGetter): * bindings/js/JSHTMLFrameSetElementCustom.cpp: (WebCore::JSHTMLFrameSetElement::canGetItemsForName): (WebCore::JSHTMLFrameSetElement::nameGetter): * bindings/js/JSHTMLObjectElementCustom.cpp: (WebCore::JSHTMLObjectElement::getOwnPropertySlotDelegate): 
(WebCore::JSHTMLObjectElement::getOwnPropertyDescriptorDelegate): (WebCore::JSHTMLObjectElement::putDelegate): * bindings/js/JSHistoryCustom.cpp: (WebCore::nonCachingStaticBackFunctionGetter): (WebCore::nonCachingStaticForwardFunctionGetter): (WebCore::nonCachingStaticGoFunctionGetter): (WebCore::JSHistory::getOwnPropertySlotDelegate): (WebCore::JSHistory::getOwnPropertyDescriptorDelegate): (WebCore::JSHistory::putDelegate): (WebCore::JSHistory::deleteProperty): * bindings/js/JSLocationCustom.cpp: (WebCore::nonCachingStaticReplaceFunctionGetter): (WebCore::nonCachingStaticReloadFunctionGetter): (WebCore::nonCachingStaticAssignFunctionGetter): (WebCore::JSLocation::getOwnPropertySlotDelegate): (WebCore::JSLocation::getOwnPropertyDescriptorDelegate): (WebCore::JSLocation::putDelegate): (WebCore::JSLocation::deleteProperty): (WebCore::JSLocation::defineOwnProperty): (WebCore::JSLocationPrototype::putDelegate): (WebCore::JSLocationPrototype::defineOwnProperty): * bindings/js/JSNamedNodeMapCustom.cpp: (WebCore::JSNamedNodeMap::canGetItemsForName): (WebCore::JSNamedNodeMap::nameGetter): * bindings/js/JSNodeListCustom.cpp: (WebCore::JSNodeList::canGetItemsForName): (WebCore::JSNodeList::nameGetter): * bindings/js/JSPluginElementFunctions.cpp: (WebCore::runtimeObjectPropertyGetter): (WebCore::runtimeObjectCustomGetOwnPropertySlot): (WebCore::runtimeObjectCustomGetOwnPropertyDescriptor): (WebCore::runtimeObjectCustomPut): * bindings/js/JSPluginElementFunctions.h: (WebCore): * bindings/js/JSStorageCustom.cpp: (WebCore::JSStorage::canGetItemsForName): (WebCore::JSStorage::nameGetter): (WebCore::JSStorage::deleteProperty): (WebCore::JSStorage::putDelegate): * bindings/js/JSStyleSheetListCustom.cpp: (WebCore::JSStyleSheetList::canGetItemsForName): (WebCore::JSStyleSheetList::nameGetter): * bindings/js/JSWorkerContextCustom.cpp: (WebCore::JSWorkerContext::getOwnPropertySlotDelegate): (WebCore::JSWorkerContext::getOwnPropertyDescriptorDelegate): * 
bindings/scripts/CodeGeneratorJS.pm: (GenerateGetOwnPropertySlotBody): (GenerateGetOwnPropertyDescriptorBody): (GenerateHeader): (GenerateImplementation): (GenerateConstructorDeclaration): (GenerateConstructorDefinition): * bridge/c/c_class.cpp: (JSC::Bindings::CClass::methodsNamed): (JSC::Bindings::CClass::fieldNamed): * bridge/c/c_class.h: (CClass): * bridge/c/c_instance.cpp: (JSC::Bindings::CRuntimeMethod::create): (JSC::Bindings::CRuntimeMethod::finishCreation): (JSC::Bindings::CInstance::getMethod): * bridge/c/c_instance.h: (CInstance): * bridge/jni/jsc/JavaClassJSC.cpp: (JavaClass::methodsNamed): (JavaClass::fieldNamed): * bridge/jni/jsc/JavaClassJSC.h: (JavaClass): * bridge/jni/jsc/JavaInstanceJSC.cpp: (JavaRuntimeMethod::create): (JavaRuntimeMethod::finishCreation): * bridge/jni/jsc/JavaInstanceJSC.h: (JavaInstance): * bridge/jsc/BridgeJSC.h: (Class): (JSC::Bindings::Class::fallbackObject): (JSC::Bindings::Instance::setValueOfUndefinedField): (Instance): (JSC::Bindings::Instance::getOwnPropertySlot): (JSC::Bindings::Instance::getOwnPropertyDescriptor): (JSC::Bindings::Instance::put): * bridge/objc/objc_class.h: (ObjcClass): * bridge/objc/objc_class.mm: (JSC::Bindings::ObjcClass::methodsNamed): (JSC::Bindings::ObjcClass::fieldNamed): (JSC::Bindings::ObjcClass::fallbackObject): * bridge/objc/objc_instance.h: (ObjcInstance): * bridge/objc/objc_instance.mm: (ObjCRuntimeMethod::create): (ObjCRuntimeMethod::finishCreation): (ObjcInstance::setValueOfUndefinedField): (ObjcInstance::getValueOfUndefinedField): * bridge/objc/objc_runtime.h: (JSC::Bindings::ObjcFallbackObjectImp::create): (JSC::Bindings::ObjcFallbackObjectImp::propertyName): (ObjcFallbackObjectImp): * bridge/objc/objc_runtime.mm: (JSC::Bindings::ObjcFallbackObjectImp::ObjcFallbackObjectImp): (JSC::Bindings::ObjcFallbackObjectImp::getOwnPropertySlot): (JSC::Bindings::ObjcFallbackObjectImp::getOwnPropertyDescriptor): (JSC::Bindings::ObjcFallbackObjectImp::put): (JSC::Bindings::callObjCFallbackObject): 
(JSC::Bindings::ObjcFallbackObjectImp::deleteProperty): (JSC::Bindings::ObjcFallbackObjectImp::defaultValue): * bridge/runtime_array.cpp: (JSC::RuntimeArray::lengthGetter): (JSC::RuntimeArray::getOwnPropertySlot): (JSC::RuntimeArray::getOwnPropertyDescriptor): (JSC::RuntimeArray::put): (JSC::RuntimeArray::deleteProperty): * bridge/runtime_array.h: (RuntimeArray): * bridge/runtime_method.cpp: (JSC::RuntimeMethod::finishCreation): (JSC::RuntimeMethod::lengthGetter): (JSC::RuntimeMethod::getOwnPropertySlot): (JSC::RuntimeMethod::getOwnPropertyDescriptor): * bridge/runtime_method.h: (JSC::RuntimeMethod::create): (RuntimeMethod): * bridge/runtime_object.cpp: (JSC::Bindings::RuntimeObject::fallbackObjectGetter): (JSC::Bindings::RuntimeObject::fieldGetter): (JSC::Bindings::RuntimeObject::methodGetter): (JSC::Bindings::RuntimeObject::getOwnPropertySlot): (JSC::Bindings::RuntimeObject::getOwnPropertyDescriptor): (JSC::Bindings::RuntimeObject::put): (JSC::Bindings::RuntimeObject::deleteProperty): * bridge/runtime_object.h: (RuntimeObject): Source/WebKit/mac: * Plugins/Hosted/ProxyInstance.h: (ProxyInstance): * Plugins/Hosted/ProxyInstance.mm: (ProxyClass): (WebKit::ProxyClass::methodsNamed): (WebKit::ProxyClass::fieldNamed): (WebKit::ProxyRuntimeMethod::create): (WebKit::ProxyRuntimeMethod::finishCreation): (WebKit::ProxyInstance::getMethod): (WebKit::ProxyInstance::methodsNamed): (WebKit::ProxyInstance::fieldNamed): Source/WebKit2: * WebProcess/Plugins/Netscape/JSNPMethod.cpp: (WebKit::JSNPMethod::finishCreation): * WebProcess/Plugins/Netscape/JSNPMethod.h: (WebKit::JSNPMethod::create): (JSNPMethod): * WebProcess/Plugins/Netscape/JSNPObject.cpp: (WebKit::npIdentifierFromIdentifier): (WebKit::JSNPObject::getOwnPropertySlot): (WebKit::JSNPObject::getOwnPropertyDescriptor): (WebKit::JSNPObject::put): (WebKit::JSNPObject::deleteProperty): (WebKit::JSNPObject::propertyGetter): (WebKit::JSNPObject::methodGetter): * WebProcess/Plugins/Netscape/JSNPObject.h: (JSNPObject): 
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@116828 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
- 05 Apr, 2012 1 commit
-
-
benjamin@webkit.org authored
https://bugs.webkit.org/show_bug.cgi?id=83243 Patch by Benjamin Poulain <bpoulain@apple.com> on 2012-04-05 Reviewed by Geoffrey Garen. When making operations on primitive types, we lose some time converting values to JSString in order to extract the string. This patch speeds up some basic Array operations by avoiding the creation of intermediary JSString when possible. For the cases where we need to convert a lot of JSValue in a tight loop, an inline conversion is used. * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncToString): (JSC::arrayProtoFuncToLocaleString): (JSC::arrayProtoFuncJoin): (JSC::arrayProtoFuncPush): (JSC::arrayProtoFuncSort): * runtime/CommonIdentifiers.h: * runtime/JSArray.cpp: (JSC::JSArray::sort): * runtime/JSString.h: (JSC::JSValue::toUString): (JSC): (JSC::inlineJSValueNotStringtoUString): (JSC::JSValue::toUStringInline): * runtime/JSValue.cpp: (JSC::JSValue::toUStringSlowCase): (JSC): * runtime/JSValue.h: (JSValue): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@113396 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
- 22 Mar, 2012 1 commit
-
-
barraclough@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=81935 Reviewed by Geoff Garen. This would be useful in the WebCore bindings code. Also, remove asFunction, replace with jsCast<JSFunction*>. Source/JavaScriptCore: * API/JSContextRef.cpp: * debugger/Debugger.cpp: * debugger/DebuggerCallFrame.cpp: (JSC::DebuggerCallFrame::functionName): * dfg/DFGGraph.h: (JSC::DFG::Graph::valueOfFunctionConstant): * dfg/DFGOperations.cpp: * interpreter/CallFrame.cpp: (JSC::CallFrame::isInlineCallFrameSlow): * interpreter/Interpreter.cpp: (JSC::Interpreter::privateExecute): * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): (JSC::jitCompileFor): (JSC::lazyLinkFor): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::traceFunctionPrologue): (JSC::LLInt::LLINT_SLOW_PATH_DECL): (JSC::LLInt::setUpCall): * runtime/Arguments.h: (JSC::Arguments::finishCreation): * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncFilter): (JSC::arrayProtoFuncMap): (JSC::arrayProtoFuncEvery): (JSC::arrayProtoFuncForEach): (JSC::arrayProtoFuncSome): (JSC::arrayProtoFuncReduce): (JSC::arrayProtoFuncReduceRight): * runtime/CommonSlowPaths.h: (JSC::CommonSlowPaths::arityCheckFor): * runtime/Executable.h: (JSC::FunctionExecutable::compileFor): (JSC::FunctionExecutable::compileOptimizedFor): * runtime/FunctionPrototype.cpp: (JSC::functionProtoFuncToString): * runtime/JSArray.cpp: (JSC::JSArray::sort): * runtime/JSFunction.cpp: (JSC::JSFunction::argumentsGetter): (JSC::JSFunction::callerGetter): (JSC::JSFunction::lengthGetter): * runtime/JSFunction.h: (JSC): (JSC::asJSFunction): (JSC::JSValue::isFunction): * runtime/JSGlobalData.cpp: (WTF::Recompiler::operator()): (JSC::JSGlobalData::releaseExecutableMemory): * runtime/JSValue.h: * runtime/StringPrototype.cpp: (JSC::replaceUsingRegExpSearch): Source/WebCore: * bindings/js/JSInjectedScriptHostCustom.cpp: (WebCore::JSInjectedScriptHost::functionDetails): * bindings/js/ScriptCallStackFactory.cpp: (WebCore::createScriptCallStack): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@111739 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
- 05 Mar, 2012 1 commit
-
-
barraclough@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=80335 Reviewed by Filip Pizlo. Source/JavaScriptCore: We'll need to pass an additional parameter. Part 1 - rename JSValue::put() for integer indices to JSValue::putByIndex() to match the method in the MethodTable, make this take a parameter indicating whether the put should throw. This fixes the cases where the base of the put is a primitive. * dfg/DFGOperations.cpp: (DFG): (JSC::DFG::putByVal): (JSC::DFG::operationPutByValInternal): * interpreter/Interpreter.cpp: (JSC::Interpreter::execute): (JSC::Interpreter::privateExecute): * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): * runtime/JSObject.h: (JSC::JSValue::putByIndex): * runtime/JSValue.cpp: (JSC): * runtime/JSValue.h: (JSValue): LayoutTests: * fast/js/primitive-property-access-edge-cases-expected.txt: * fast/js/script-tests/primitive-property-access-edge-cases.js: (checkNumericGet.Object.defineProperty): (checkNumericSet.Object.defineProperty): (checkNumericGetStrict.Object.defineProperty): (checkNumericSetStrict.Object.defineProperty): (checkNumericRead): (checkNumericWrite): (checkNumericReadStrict): (checkNumericWriteStrict): - Added test cases. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@109824 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
- 28 Feb, 2012 1 commit
-
-
barraclough@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=79588 Reviewed by Oliver Hunt. In the case of [[Get]], this is a pretty trivial bug - just don't wrap primitives at the point you call a getter. For setters, this is a little more involved, since we have already wrapped the value up in a synthesized object. Stop doing so. There is also a further subtlety, that in strict mode all attempts to create a new data property on the object should throw. Source/JavaScriptCore: * runtime/JSCell.cpp: (JSC::JSCell::put): - [[Put]] to a string primitive should use JSValue::putToPrimitive. * runtime/JSObject.cpp: (JSC::JSObject::put): - Remove static function called in one place. * runtime/JSObject.h: (JSC::JSValue::put): - [[Put]] to a non-cell JSValue should use JSValue::putToPrimitive. * runtime/JSValue.cpp: (JSC::JSValue::synthesizePrototype): - Add support for synthesizing the prototype of strings. (JSC::JSValue::putToPrimitive): - Added, implements [[Put]] for primitive bases, per 8.7.2. * runtime/JSValue.h: (JSValue): - Add declaration for JSValue::putToPrimitive. * runtime/PropertySlot.cpp: (JSC::PropertySlot::functionGetter): - Don't call ToObject on primitive this values. LayoutTests: * fast/js/mozilla/strict/15.5.5.1-expected.txt: * fast/js/primitive-property-access-edge-cases-expected.txt: * fast/js/read-modify-eval-expected.txt: * fast/js/script-tests/primitive-property-access-edge-cases.js: * fast/js/script-tests/read-modify-eval.js: - Added new test cases & updated test results. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@109177 268f45cc-cd09-0410-ab3c-d52691b4dbfc
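The three behaviours this commit message describes (getters and setters see the unwrapped primitive as `this`, a strict-mode [[Put]] that would create a data property on a primitive base throws, a sloppy-mode one is silently dropped) can be observed from script. The block below is an added example written for this page, not code from the WebKit commit or its layout tests; it assumes Node.js or any engine implementing ES5.1 section 8.7.2, and the `probe` property and `sloppyPut` helper are names chosen here for illustration.

```javascript
'use strict';
// Added example; not WebKit code. Probes the ES5 8.7.2 [[Get]]/[[Put]] rules
// for primitive bases described in the commit message above. Assumes Node.js
// (any modern engine behaves the same). Each function declares strict mode
// itself so the outcome does not depend on how this file is loaded.

// 1. Accessors invoked on a primitive receive the primitive itself as `this`
//    (no ToObject wrapping) because the accessor bodies are strict-mode code.
//    The setter call is also the one case where a strict [[Put]] on a primitive
//    succeeds: the property being written is an accessor, not a data property.
function thisTypeSeenByAccessors() {
  'use strict';
  const seen = {};
  Object.defineProperty(String.prototype, 'probe', {   // hypothetical probe property
    get() { seen.getter = typeof this; return this; },
    set(v) { seen.setter = typeof this; seen.value = v; },
    configurable: true,
  });
  try {
    seen.got = 'abc'.probe;   // getter runs with this === 'abc'
    'abc'.probe = 42;         // setter runs with this === 'abc', no TypeError
  } finally {
    delete String.prototype.probe;   // never leave the probe on a shared prototype
  }
  return seen; // { getter: 'string', got: 'abc', setter: 'string', value: 42 }
}

// 2. Creating a new data property on a primitive base: silently dropped in
//    sloppy mode, TypeError in strict mode. The sloppy variant is built with the
//    Function constructor, which always produces sloppy-mode code.
const sloppyPut = new Function('base', 'base.foo = 1; return base.foo;');

function putNewDataProperty(strict) {
  'use strict';
  const base = 'abc';
  if (!strict) return { threw: false, result: sloppyPut(base) }; // result is undefined
  try {
    base.foo = 1;                      // strict-mode code: must throw
    return { threw: false, result: base.foo };
  } catch (e) {
    return { threw: e instanceof TypeError, result: undefined };
  }
}

// 3. The same rule covers an inherited, writable *data* property: a strict
//    [[Put]] to a primitive base throws even though String.prototype.constructor
//    is an ordinary writable property, and the prototype is left untouched.
function putInheritedDataProperty() {
  'use strict';
  try {
    'abc'.constructor = 1;
    return { threw: false, prototypeTouched: String.prototype.constructor === 1 };
  } catch (e) {
    return { threw: e instanceof TypeError, prototypeTouched: String.prototype.constructor === 1 };
  }
}
```

Case 1 is the part of the fix that matters for bindings code: a getter that expects an object receiver now has to handle a primitive `this` itself, rather than relying on the engine to box it.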
-
- 21 Feb, 2012 2 commits
-
-
fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=75812 <rdar://problem/10079694> Source/JavaScriptCore: Reviewed by Gavin Barraclough. Implemented an interpreter that uses the JIT's calling convention. This interpreter is called LLInt, or the Low Level Interpreter. JSC will now start by executing code in LLInt and will only tier up to the old JIT after the code is proven hot. LLInt is written in a modified form of our macro assembly. This new macro assembly is compiled by an offline assembler (see offlineasm), which implements many modern conveniences such as a Turing-complete CPS-based macro language and direct access to relevant C++ type information (basically offsets of fields and sizes of structs/classes). Code executing in LLInt appears to the rest of the JSC world "as if" it were executing in the old JIT. Hence, things like exception handling and cross-execution-engine calls just work and require pretty much no additional overhead. This interpreter is 2-2.5x faster than our old interpreter on SunSpider, V8, and Kraken. With triple-tiering turned on, we're neutral on SunSpider, V8, and Kraken, but appear to get a double-digit improvement on real-world websites due to a huge reduction in the amount of JIT'ing. * CMakeLists.txt: * GNUmakefile.am: * GNUmakefile.list.am: * JavaScriptCore.pri: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops: * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd: * JavaScriptCore.xcodeproj/project.pbxproj: * Target.pri: * assembler/LinkBuffer.h: * assembler/MacroAssemblerCodeRef.h: (MacroAssemblerCodePtr): (JSC::MacroAssemblerCodePtr::createFromExecutableAddress): * bytecode/BytecodeConventions.h: Added.
* bytecode/CallLinkStatus.cpp: (JSC::CallLinkStatus::computeFromLLInt): (JSC): (JSC::CallLinkStatus::computeFor): * bytecode/CallLinkStatus.h: (JSC::CallLinkStatus::isSet): (JSC::CallLinkStatus::operator!): (CallLinkStatus): * bytecode/CodeBlock.cpp: (JSC::CodeBlock::dump): (JSC::CodeBlock::CodeBlock): (JSC::CodeBlock::~CodeBlock): (JSC::CodeBlock::finalizeUnconditionally): (JSC::CodeBlock::stronglyVisitStrongReferences): (JSC): (JSC::CodeBlock::unlinkCalls): (JSC::CodeBlock::unlinkIncomingCalls): (JSC::CodeBlock::bytecodeOffset): (JSC::ProgramCodeBlock::jettison): (JSC::EvalCodeBlock::jettison): (JSC::FunctionCodeBlock::jettison): (JSC::ProgramCodeBlock::jitCompileImpl): (JSC::EvalCodeBlock::jitCompileImpl): (JSC::FunctionCodeBlock::jitCompileImpl): * bytecode/CodeBlock.h: (JSC): (CodeBlock): (JSC::CodeBlock::baselineVersion): (JSC::CodeBlock::linkIncomingCall): (JSC::CodeBlock::bytecodeOffset): (JSC::CodeBlock::jitCompile): (JSC::CodeBlock::hasOptimizedReplacement): (JSC::CodeBlock::addPropertyAccessInstruction): (JSC::CodeBlock::addGlobalResolveInstruction): (JSC::CodeBlock::addLLIntCallLinkInfo): (JSC::CodeBlock::addGlobalResolveInfo): (JSC::CodeBlock::numberOfMethodCallLinkInfos): (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset): (JSC::CodeBlock::likelyToTakeSlowCase): (JSC::CodeBlock::couldTakeSlowCase): (JSC::CodeBlock::likelyToTakeSpecialFastCase): (JSC::CodeBlock::likelyToTakeDeepestSlowCase): (JSC::CodeBlock::likelyToTakeAnySlowCase): (JSC::CodeBlock::addFrequentExitSite): (JSC::CodeBlock::dontJITAnytimeSoon): (JSC::CodeBlock::jitAfterWarmUp): (JSC::CodeBlock::jitSoon): (JSC::CodeBlock::llintExecuteCounter): (ProgramCodeBlock): (EvalCodeBlock): (FunctionCodeBlock): * bytecode/GetByIdStatus.cpp: (JSC::GetByIdStatus::computeFromLLInt): (JSC): (JSC::GetByIdStatus::computeFor): * bytecode/GetByIdStatus.h: (JSC::GetByIdStatus::GetByIdStatus): (JSC::GetByIdStatus::wasSeenInJIT): (GetByIdStatus): * bytecode/Instruction.h: (JSC): 
(JSC::Instruction::Instruction): (Instruction): * bytecode/LLIntCallLinkInfo.h: Added. (JSC): (JSC::LLIntCallLinkInfo::LLIntCallLinkInfo): (LLIntCallLinkInfo): (JSC::LLIntCallLinkInfo::~LLIntCallLinkInfo): (JSC::LLIntCallLinkInfo::isLinked): (JSC::LLIntCallLinkInfo::unlink): * bytecode/MethodCallLinkStatus.cpp: (JSC::MethodCallLinkStatus::computeFor): * bytecode/Opcode.cpp: (JSC): * bytecode/Opcode.h: (JSC): (JSC::padOpcodeName): * bytecode/PutByIdStatus.cpp: (JSC::PutByIdStatus::computeFromLLInt): (JSC): (JSC::PutByIdStatus::computeFor): * bytecode/PutByIdStatus.h: (PutByIdStatus): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitResolve): (JSC::BytecodeGenerator::emitResolveWithBase): (JSC::BytecodeGenerator::emitGetById): (JSC::BytecodeGenerator::emitPutById): (JSC::BytecodeGenerator::emitDirectPutById): (JSC::BytecodeGenerator::emitCall): (JSC::BytecodeGenerator::emitConstruct): (JSC::BytecodeGenerator::emitCatch): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit): (JSC::DFG::ByteCodeParser::handleInlining): (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGCapabilities.h: (JSC::DFG::canCompileOpcode): * dfg/DFGOSRExitCompiler.cpp: * dfg/DFGOperations.cpp: * heap/Heap.h: (JSC): (JSC::Heap::firstAllocatorWithoutDestructors): (Heap): * heap/MarkStack.cpp: (JSC::visitChildren): * heap/MarkedAllocator.h: (JSC): (MarkedAllocator): * heap/MarkedSpace.h: (JSC): (MarkedSpace): (JSC::MarkedSpace::firstAllocator): * interpreter/CallFrame.cpp: (JSC): (JSC::CallFrame::bytecodeOffsetForNonDFGCode): (JSC::CallFrame::setBytecodeOffsetForNonDFGCode): (JSC::CallFrame::currentVPC): (JSC::CallFrame::setCurrentVPC): (JSC::CallFrame::trueCallerFrame): * interpreter/CallFrame.h: (JSC::ExecState::hasReturnPC): (JSC::ExecState::clearReturnPC): (ExecState): (JSC::ExecState::bytecodeOffsetForNonDFGCode): (JSC::ExecState::currentVPC): (JSC::ExecState::setCurrentVPC): * interpreter/Interpreter.cpp: (JSC::Interpreter::Interpreter): 
(JSC::Interpreter::~Interpreter): (JSC): (JSC::Interpreter::initialize): (JSC::Interpreter::isOpcode): (JSC::Interpreter::unwindCallFrame): (JSC::getCallerInfo): (JSC::Interpreter::privateExecute): (JSC::Interpreter::retrieveLastCaller): * interpreter/Interpreter.h: (JSC): (Interpreter): (JSC::Interpreter::getOpcode): (JSC::Interpreter::getOpcodeID): (JSC::Interpreter::classicEnabled): * interpreter/RegisterFile.h: (JSC): (RegisterFile): * jit/ExecutableAllocator.h: (JSC): * jit/HostCallReturnValue.cpp: Added. (JSC): (JSC::getHostCallReturnValueWithExecState): * jit/HostCallReturnValue.h: Added. (JSC): (JSC::initializeHostCallReturnValue): * jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): (JSC::JIT::privateCompileSlowCases): (JSC::JIT::privateCompile): * jit/JITCode.h: (JSC::JITCode::isOptimizingJIT): (JITCode): (JSC::JITCode::isBaselineCode): (JSC::JITCode::JITCode): * jit/JITDriver.h: (JSC::jitCompileIfAppropriate): (JSC::jitCompileFunctionIfAppropriate): * jit/JITExceptions.cpp: (JSC::jitThrow): * jit/JITInlineMethods.h: (JSC::JIT::updateTopCallFrame): * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): (JSC): * jit/JITStubs.h: (JSC): * jit/JSInterfaceJIT.h: * llint: Added. * llint/LLIntCommon.h: Added. * llint/LLIntData.cpp: Added. (LLInt): (JSC::LLInt::Data::Data): (JSC::LLInt::Data::performAssertions): (JSC::LLInt::Data::~Data): * llint/LLIntData.h: Added. (JSC): (LLInt): (Data): (JSC::LLInt::Data::exceptionInstructions): (JSC::LLInt::Data::opcodeMap): (JSC::LLInt::Data::performAssertions): * llint/LLIntEntrypoints.cpp: Added. (LLInt): (JSC::LLInt::getFunctionEntrypoint): (JSC::LLInt::getEvalEntrypoint): (JSC::LLInt::getProgramEntrypoint): * llint/LLIntEntrypoints.h: Added. (JSC): (LLInt): (JSC::LLInt::getEntrypoint): * llint/LLIntExceptions.cpp: Added. (LLInt): (JSC::LLInt::interpreterThrowInCaller): (JSC::LLInt::returnToThrowForThrownException): (JSC::LLInt::returnToThrow): (JSC::LLInt::callToThrow): * llint/LLIntExceptions.h: Added. 
(JSC): (LLInt): * llint/LLIntOfflineAsmConfig.h: Added. * llint/LLIntOffsetsExtractor.cpp: Added. (JSC): (LLIntOffsetsExtractor): (JSC::LLIntOffsetsExtractor::dummy): (main): * llint/LLIntSlowPaths.cpp: Added. (LLInt): (JSC::LLInt::llint_trace_operand): (JSC::LLInt::llint_trace_value): (JSC::LLInt::LLINT_SLOW_PATH_DECL): (JSC::LLInt::traceFunctionPrologue): (JSC::LLInt::shouldJIT): (JSC::LLInt::entryOSR): (JSC::LLInt::resolveGlobal): (JSC::LLInt::getByVal): (JSC::LLInt::handleHostCall): (JSC::LLInt::setUpCall): (JSC::LLInt::genericCall): * llint/LLIntSlowPaths.h: Added. (JSC): (LLInt): * llint/LLIntThunks.cpp: Added. (LLInt): (JSC::LLInt::generateThunkWithJumpTo): (JSC::LLInt::functionForCallEntryThunkGenerator): (JSC::LLInt::functionForConstructEntryThunkGenerator): (JSC::LLInt::functionForCallArityCheckThunkGenerator): (JSC::LLInt::functionForConstructArityCheckThunkGenerator): (JSC::LLInt::evalEntryThunkGenerator): (JSC::LLInt::programEntryThunkGenerator): * llint/LLIntThunks.h: Added. (JSC): (LLInt): * llint/LowLevelInterpreter.asm: Added. * llint/LowLevelInterpreter.cpp: Added. * llint/LowLevelInterpreter.h: Added. * offlineasm: Added. * offlineasm/armv7.rb: Added. * offlineasm/asm.rb: Added. * offlineasm/ast.rb: Added. * offlineasm/backends.rb: Added. * offlineasm/generate_offset_extractor.rb: Added. * offlineasm/instructions.rb: Added. * offlineasm/offset_extractor_constants.rb: Added. * offlineasm/offsets.rb: Added. * offlineasm/opt.rb: Added. * offlineasm/parser.rb: Added. * offlineasm/registers.rb: Added. * offlineasm/self_hash.rb: Added. * offlineasm/settings.rb: Added. * offlineasm/transform.rb: Added. * offlineasm/x86.rb: Added. * runtime/CodeSpecializationKind.h: Added. 
(JSC): * runtime/CommonSlowPaths.h: (JSC::CommonSlowPaths::arityCheckFor): (CommonSlowPaths): * runtime/Executable.cpp: (JSC::jettisonCodeBlock): (JSC): (JSC::EvalExecutable::jitCompile): (JSC::samplingDescription): (JSC::EvalExecutable::compileInternal): (JSC::ProgramExecutable::jitCompile): (JSC::ProgramExecutable::compileInternal): (JSC::FunctionExecutable::baselineCodeBlockFor): (JSC::FunctionExecutable::jitCompileForCall): (JSC::FunctionExecutable::jitCompileForConstruct): (JSC::FunctionExecutable::compileForCallInternal): (JSC::FunctionExecutable::compileForConstructInternal): * runtime/Executable.h: (JSC): (EvalExecutable): (ProgramExecutable): (FunctionExecutable): (JSC::FunctionExecutable::jitCompileFor): * runtime/ExecutionHarness.h: Added. (JSC): (JSC::prepareForExecution): (JSC::prepareFunctionForExecution): * runtime/JSArray.h: (JSC): (JSArray): * runtime/JSCell.h: (JSC): (JSCell): * runtime/JSFunction.h: (JSC): (JSFunction): * runtime/JSGlobalData.cpp: (JSC::JSGlobalData::JSGlobalData): * runtime/JSGlobalData.h: (JSC): (JSGlobalData): * runtime/JSGlobalObject.h: (JSC): (JSGlobalObject): * runtime/JSObject.h: (JSC): (JSObject): (JSFinalObject): * runtime/JSPropertyNameIterator.h: (JSC): (JSPropertyNameIterator): * runtime/JSString.h: (JSC): (JSString): * runtime/JSTypeInfo.h: (JSC): (TypeInfo): * runtime/JSValue.cpp: (JSC::JSValue::description): * runtime/JSValue.h: (LLInt): (JSValue): * runtime/JSVariableObject.h: (JSC): (JSVariableObject): * runtime/Options.cpp: (Options): (JSC::Options::initializeOptions): * runtime/Options.h: (Options): * runtime/ScopeChain.h: (JSC): (ScopeChainNode): * runtime/Structure.cpp: (JSC::Structure::addPropertyTransition): * runtime/Structure.h: (JSC): (Structure): * runtime/StructureChain.h: (JSC): (StructureChain): * wtf/InlineASM.h: * wtf/Platform.h: * wtf/SentinelLinkedList.h: (SentinelLinkedList): (WTF::SentinelLinkedList::isEmpty): * wtf/text/StringImpl.h: (JSC): (StringImpl): Source/WebCore: Reviewed by Gavin 
Barraclough. No new tests, because there is no change in behavior. * CMakeLists.txt: Source/WebKit: Reviewed by Gavin Barraclough. Changed EFL's build system to include a new directory in JavaScriptCore. * CMakeLists.txt: Tools: Reviewed by Gavin Barraclough. Changed EFL's build system to include a new directory in JavaScriptCore. * DumpRenderTree/efl/CMakeLists.txt: git-svn-id: http://svn.webkit.org/repository/webkit/trunk@108444 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
aroben@apple.com authored
They broke the 32-bit Lion build. Original bug is <http://webkit.org/b/75812> <rdar://problem/10079694>. Source/JavaScriptCore: * CMakeLists.txt: * GNUmakefile.am: * GNUmakefile.list.am: * JavaScriptCore.pri: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops: * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd: * JavaScriptCore.xcodeproj/project.pbxproj: * Target.pri: * assembler/LinkBuffer.h: * assembler/MacroAssemblerCodeRef.h: * bytecode/BytecodeConventions.h: Removed. * bytecode/CallLinkStatus.cpp: * bytecode/CallLinkStatus.h: * bytecode/CodeBlock.cpp: * bytecode/CodeBlock.h: * bytecode/GetByIdStatus.cpp: * bytecode/GetByIdStatus.h: * bytecode/Instruction.h: * bytecode/LLIntCallLinkInfo.h: Removed. * bytecode/MethodCallLinkStatus.cpp: * bytecode/Opcode.cpp: * bytecode/Opcode.h: * bytecode/PutByIdStatus.cpp: * bytecode/PutByIdStatus.h: * bytecompiler/BytecodeGenerator.cpp: * dfg/DFGByteCodeParser.cpp: * dfg/DFGCapabilities.h: * dfg/DFGOSRExitCompiler.cpp: * dfg/DFGOperations.cpp: * heap/Heap.h: * heap/MarkStack.cpp: * heap/MarkedAllocator.h: * heap/MarkedSpace.h: * interpreter/CallFrame.cpp: * interpreter/CallFrame.h: * interpreter/Interpreter.cpp: * interpreter/Interpreter.h: * interpreter/RegisterFile.h: * jit/ExecutableAllocator.h: * jit/HostCallReturnValue.cpp: Removed. * jit/HostCallReturnValue.h: Removed. * jit/JIT.cpp: * jit/JITCode.h: * jit/JITDriver.h: * jit/JITExceptions.cpp: * jit/JITInlineMethods.h: * jit/JITStubs.cpp: * jit/JITStubs.h: * jit/JSInterfaceJIT.h: * llint/LLIntCommon.h: Removed. * llint/LLIntData.cpp: Removed. * llint/LLIntData.h: Removed. * llint/LLIntEntrypoints.cpp: Removed. * llint/LLIntEntrypoints.h: Removed. * llint/LLIntExceptions.cpp: Removed. * llint/LLIntExceptions.h: Removed. * llint/LLIntOfflineAsmConfig.h: Removed. * llint/LLIntOffsetsExtractor.cpp: Removed. * llint/LLIntSlowPaths.cpp: Removed. * llint/LLIntSlowPaths.h: Removed.
* llint/LLIntThunks.cpp: Removed. * llint/LLIntThunks.h: Removed. * llint/LowLevelInterpreter.asm: Removed. * llint/LowLevelInterpreter.cpp: Removed. * llint/LowLevelInterpreter.h: Removed. * offlineasm/armv7.rb: Removed. * offlineasm/asm.rb: Removed. * offlineasm/ast.rb: Removed. * offlineasm/backends.rb: Removed. * offlineasm/generate_offset_extractor.rb: Removed. * offlineasm/instructions.rb: Removed. * offlineasm/offset_extractor_constants.rb: Removed. * offlineasm/offsets.rb: Removed. * offlineasm/opt.rb: Removed. * offlineasm/parser.rb: Removed. * offlineasm/registers.rb: Removed. * offlineasm/self_hash.rb: Removed. * offlineasm/settings.rb: Removed. * offlineasm/transform.rb: Removed. * offlineasm/x86.rb: Removed. * runtime/CodeSpecializationKind.h: Removed. * runtime/CommonSlowPaths.h: * runtime/Executable.cpp: * runtime/Executable.h: * runtime/ExecutionHarness.h: Removed. * runtime/JSArray.h: * runtime/JSCell.h: * runtime/JSFunction.h: * runtime/JSGlobalData.cpp: * runtime/JSGlobalData.h: * runtime/JSGlobalObject.h: * runtime/JSObject.h: * runtime/JSPropertyNameIterator.h: * runtime/JSString.h: * runtime/JSTypeInfo.h: * runtime/JSValue.cpp: * runtime/JSValue.h: * runtime/JSVariableObject.h: * runtime/Options.cpp: * runtime/Options.h: * runtime/ScopeChain.h: * runtime/Structure.cpp: * runtime/Structure.h: * runtime/StructureChain.h: * wtf/InlineASM.h: * wtf/Platform.h: * wtf/SentinelLinkedList.h: * wtf/text/StringImpl.h: Source/WebCore: * CMakeLists.txt: Source/WebKit: * CMakeLists.txt: Tools: * DumpRenderTree/efl/CMakeLists.txt: git-svn-id: http://svn.webkit.org/repository/webkit/trunk@108358 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
- 20 Feb, 2012 2 commits
-
-
fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=75812 <rdar://problem/10079694> Source/JavaScriptCore: Reviewed by Gavin Barraclough. Implemented an interpreter that uses the JIT's calling convention. This interpreter is called LLInt, or the Low Level Interpreter. JSC will now start by executing code in LLInt and will only tier up to the old JIT after the code is proven hot. LLInt is written in a modified form of our macro assembly. This new macro assembly is compiled by an offline assembler (see offlineasm), which implements many modern conveniences such as a Turing-complete CPS-based macro language and direct access to relevant C++ type information (basically offsets of fields and sizes of structs/classes). Code executing in LLInt appears to the rest of the JSC world "as if" it were executing in the old JIT. Hence, things like exception handling and cross-execution-engine calls just work and require pretty much no additional overhead. This interpreter is 2-2.5x faster than our old interpreter on SunSpider, V8, and Kraken. With triple-tiering turned on, we're neutral on SunSpider, V8, and Kraken, but appear to get a double-digit improvement on real-world websites due to a huge reduction in the amount of JIT'ing. * CMakeLists.txt: * GNUmakefile.am: * GNUmakefile.list.am: * JavaScriptCore.pri: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops: * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd: * JavaScriptCore.xcodeproj/project.pbxproj: * Target.pri: * assembler/LinkBuffer.h: * assembler/MacroAssemblerCodeRef.h: (MacroAssemblerCodePtr): (JSC::MacroAssemblerCodePtr::createFromExecutableAddress): * bytecode/BytecodeConventions.h: Added.
* bytecode/CallLinkStatus.cpp: (JSC::CallLinkStatus::computeFromLLInt): (JSC): (JSC::CallLinkStatus::computeFor): * bytecode/CallLinkStatus.h: (JSC::CallLinkStatus::isSet): (JSC::CallLinkStatus::operator!): (CallLinkStatus): * bytecode/CodeBlock.cpp: (JSC::CodeBlock::dump): (JSC::CodeBlock::CodeBlock): (JSC::CodeBlock::~CodeBlock): (JSC::CodeBlock::finalizeUnconditionally): (JSC::CodeBlock::stronglyVisitStrongReferences): (JSC): (JSC::CodeBlock::unlinkCalls): (JSC::CodeBlock::unlinkIncomingCalls): (JSC::CodeBlock::bytecodeOffset): (JSC::ProgramCodeBlock::jettison): (JSC::EvalCodeBlock::jettison): (JSC::FunctionCodeBlock::jettison): (JSC::ProgramCodeBlock::jitCompileImpl): (JSC::EvalCodeBlock::jitCompileImpl): (JSC::FunctionCodeBlock::jitCompileImpl): * bytecode/CodeBlock.h: (JSC): (CodeBlock): (JSC::CodeBlock::baselineVersion): (JSC::CodeBlock::linkIncomingCall): (JSC::CodeBlock::bytecodeOffset): (JSC::CodeBlock::jitCompile): (JSC::CodeBlock::hasOptimizedReplacement): (JSC::CodeBlock::addPropertyAccessInstruction): (JSC::CodeBlock::addGlobalResolveInstruction): (JSC::CodeBlock::addLLIntCallLinkInfo): (JSC::CodeBlock::addGlobalResolveInfo): (JSC::CodeBlock::numberOfMethodCallLinkInfos): (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset): (JSC::CodeBlock::likelyToTakeSlowCase): (JSC::CodeBlock::couldTakeSlowCase): (JSC::CodeBlock::likelyToTakeSpecialFastCase): (JSC::CodeBlock::likelyToTakeDeepestSlowCase): (JSC::CodeBlock::likelyToTakeAnySlowCase): (JSC::CodeBlock::addFrequentExitSite): (JSC::CodeBlock::dontJITAnytimeSoon): (JSC::CodeBlock::jitAfterWarmUp): (JSC::CodeBlock::jitSoon): (JSC::CodeBlock::llintExecuteCounter): (ProgramCodeBlock): (EvalCodeBlock): (FunctionCodeBlock): * bytecode/GetByIdStatus.cpp: (JSC::GetByIdStatus::computeFromLLInt): (JSC): (JSC::GetByIdStatus::computeFor): * bytecode/GetByIdStatus.h: (JSC::GetByIdStatus::GetByIdStatus): (JSC::GetByIdStatus::wasSeenInJIT): (GetByIdStatus): * bytecode/Instruction.h: (JSC): 
(JSC::Instruction::Instruction): (Instruction): * bytecode/LLIntCallLinkInfo.h: Added. (JSC): (JSC::LLIntCallLinkInfo::LLIntCallLinkInfo): (LLIntCallLinkInfo): (JSC::LLIntCallLinkInfo::~LLIntCallLinkInfo): (JSC::LLIntCallLinkInfo::isLinked): (JSC::LLIntCallLinkInfo::unlink): * bytecode/MethodCallLinkStatus.cpp: (JSC::MethodCallLinkStatus::computeFor): * bytecode/Opcode.cpp: (JSC): * bytecode/Opcode.h: (JSC): (JSC::padOpcodeName): * bytecode/PutByIdStatus.cpp: (JSC::PutByIdStatus::computeFromLLInt): (JSC): (JSC::PutByIdStatus::computeFor): * bytecode/PutByIdStatus.h: (PutByIdStatus): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitResolve): (JSC::BytecodeGenerator::emitResolveWithBase): (JSC::BytecodeGenerator::emitGetById): (JSC::BytecodeGenerator::emitPutById): (JSC::BytecodeGenerator::emitDirectPutById): (JSC::BytecodeGenerator::emitCall): (JSC::BytecodeGenerator::emitConstruct): (JSC::BytecodeGenerator::emitCatch): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit): (JSC::DFG::ByteCodeParser::handleInlining): (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGCapabilities.h: (JSC::DFG::canCompileOpcode): * dfg/DFGOSRExitCompiler.cpp: * dfg/DFGOperations.cpp: * heap/Heap.h: (JSC): (JSC::Heap::firstAllocatorWithoutDestructors): (Heap): * heap/MarkStack.cpp: (JSC::visitChildren): * heap/MarkedAllocator.h: (JSC): (MarkedAllocator): * heap/MarkedSpace.h: (JSC): (MarkedSpace): (JSC::MarkedSpace::firstAllocator): * interpreter/CallFrame.cpp: (JSC): (JSC::CallFrame::bytecodeOffsetForNonDFGCode): (JSC::CallFrame::setBytecodeOffsetForNonDFGCode): (JSC::CallFrame::currentVPC): (JSC::CallFrame::setCurrentVPC): (JSC::CallFrame::trueCallerFrame): * interpreter/CallFrame.h: (JSC::ExecState::hasReturnPC): (JSC::ExecState::clearReturnPC): (ExecState): (JSC::ExecState::bytecodeOffsetForNonDFGCode): (JSC::ExecState::currentVPC): (JSC::ExecState::setCurrentVPC): * interpreter/Interpreter.cpp: (JSC::Interpreter::Interpreter): 
(JSC::Interpreter::~Interpreter): (JSC): (JSC::Interpreter::initialize): (JSC::Interpreter::isOpcode): (JSC::Interpreter::unwindCallFrame): (JSC::getCallerInfo): (JSC::Interpreter::privateExecute): (JSC::Interpreter::retrieveLastCaller): * interpreter/Interpreter.h: (JSC): (Interpreter): (JSC::Interpreter::getOpcode): (JSC::Interpreter::getOpcodeID): (JSC::Interpreter::classicEnabled): * interpreter/RegisterFile.h: (JSC): (RegisterFile): * jit/ExecutableAllocator.h: (JSC): * jit/HostCallReturnValue.cpp: Added. (JSC): (JSC::getHostCallReturnValueWithExecState): * jit/HostCallReturnValue.h: Added. (JSC): (JSC::initializeHostCallReturnValue): * jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): (JSC::JIT::privateCompileSlowCases): (JSC::JIT::privateCompile): * jit/JITCode.h: (JSC::JITCode::isOptimizingJIT): (JITCode): (JSC::JITCode::isBaselineCode): (JSC::JITCode::JITCode): * jit/JITDriver.h: (JSC::jitCompileIfAppropriate): (JSC::jitCompileFunctionIfAppropriate): * jit/JITExceptions.cpp: (JSC::jitThrow): * jit/JITInlineMethods.h: (JSC::JIT::updateTopCallFrame): * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): (JSC): * jit/JITStubs.h: (JSC): * jit/JSInterfaceJIT.h: * llint: Added. * llint/LLIntCommon.h: Added. * llint/LLIntData.cpp: Added. (LLInt): (JSC::LLInt::Data::Data): (JSC::LLInt::Data::performAssertions): (JSC::LLInt::Data::~Data): * llint/LLIntData.h: Added. (JSC): (LLInt): (Data): (JSC::LLInt::Data::exceptionInstructions): (JSC::LLInt::Data::opcodeMap): (JSC::LLInt::Data::performAssertions): * llint/LLIntEntrypoints.cpp: Added. (LLInt): (JSC::LLInt::getFunctionEntrypoint): (JSC::LLInt::getEvalEntrypoint): (JSC::LLInt::getProgramEntrypoint): * llint/LLIntEntrypoints.h: Added. (JSC): (LLInt): (JSC::LLInt::getEntrypoint): * llint/LLIntExceptions.cpp: Added. (LLInt): (JSC::LLInt::interpreterThrowInCaller): (JSC::LLInt::returnToThrowForThrownException): (JSC::LLInt::returnToThrow): (JSC::LLInt::callToThrow): * llint/LLIntExceptions.h: Added. 
(JSC): (LLInt): * llint/LLIntOfflineAsmConfig.h: Added. * llint/LLIntOffsetsExtractor.cpp: Added. (JSC): (LLIntOffsetsExtractor): (JSC::LLIntOffsetsExtractor::dummy): (main): * llint/LLIntSlowPaths.cpp: Added. (LLInt): (JSC::LLInt::llint_trace_operand): (JSC::LLInt::llint_trace_value): (JSC::LLInt::LLINT_SLOW_PATH_DECL): (JSC::LLInt::traceFunctionPrologue): (JSC::LLInt::shouldJIT): (JSC::LLInt::entryOSR): (JSC::LLInt::resolveGlobal): (JSC::LLInt::getByVal): (JSC::LLInt::handleHostCall): (JSC::LLInt::setUpCall): (JSC::LLInt::genericCall): * llint/LLIntSlowPaths.h: Added. (JSC): (LLInt): * llint/LLIntThunks.cpp: Added. (LLInt): (JSC::LLInt::generateThunkWithJumpTo): (JSC::LLInt::functionForCallEntryThunkGenerator): (JSC::LLInt::functionForConstructEntryThunkGenerator): (JSC::LLInt::functionForCallArityCheckThunkGenerator): (JSC::LLInt::functionForConstructArityCheckThunkGenerator): (JSC::LLInt::evalEntryThunkGenerator): (JSC::LLInt::programEntryThunkGenerator): * llint/LLIntThunks.h: Added. (JSC): (LLInt): * llint/LowLevelInterpreter.asm: Added. * llint/LowLevelInterpreter.cpp: Added. * llint/LowLevelInterpreter.h: Added. * offlineasm: Added. * offlineasm/armv7.rb: Added. * offlineasm/asm.rb: Added. * offlineasm/ast.rb: Added. * offlineasm/backends.rb: Added. * offlineasm/generate_offset_extractor.rb: Added. * offlineasm/instructions.rb: Added. * offlineasm/offset_extractor_constants.rb: Added. * offlineasm/offsets.rb: Added. * offlineasm/opt.rb: Added. * offlineasm/parser.rb: Added. * offlineasm/registers.rb: Added. * offlineasm/self_hash.rb: Added. * offlineasm/settings.rb: Added. * offlineasm/transform.rb: Added. * offlineasm/x86.rb: Added. * runtime/CodeSpecializationKind.h: Added. 
(JSC): * runtime/CommonSlowPaths.h: (JSC::CommonSlowPaths::arityCheckFor): (CommonSlowPaths): * runtime/Executable.cpp: (JSC::jettisonCodeBlock): (JSC): (JSC::EvalExecutable::jitCompile): (JSC::samplingDescription): (JSC::EvalExecutable::compileInternal): (JSC::ProgramExecutable::jitCompile): (JSC::ProgramExecutable::compileInternal): (JSC::FunctionExecutable::baselineCodeBlockFor): (JSC::FunctionExecutable::jitCompileForCall): (JSC::FunctionExecutable::jitCompileForConstruct): (JSC::FunctionExecutable::compileForCallInternal): (JSC::FunctionExecutable::compileForConstructInternal): * runtime/Executable.h: (JSC): (EvalExecutable): (ProgramExecutable): (FunctionExecutable): (JSC::FunctionExecutable::jitCompileFor): * runtime/ExecutionHarness.h: Added. (JSC): (JSC::prepareForExecution): (JSC::prepareFunctionForExecution): * runtime/JSArray.h: (JSC): (JSArray): * runtime/JSCell.h: (JSC): (JSCell): * runtime/JSFunction.h: (JSC): (JSFunction): * runtime/JSGlobalData.cpp: (JSC::JSGlobalData::JSGlobalData): * runtime/JSGlobalData.h: (JSC): (JSGlobalData): * runtime/JSGlobalObject.h: (JSC): (JSGlobalObject): * runtime/JSObject.h: (JSC): (JSObject): (JSFinalObject): * runtime/JSPropertyNameIterator.h: (JSC): (JSPropertyNameIterator): * runtime/JSString.h: (JSC): (JSString): * runtime/JSTypeInfo.h: (JSC): (TypeInfo): * runtime/JSValue.cpp: (JSC::JSValue::description): * runtime/JSValue.h: (LLInt): (JSValue): * runtime/JSVariableObject.h: (JSC): (JSVariableObject): * runtime/Options.cpp: (Options): (JSC::Options::initializeOptions): * runtime/Options.h: (Options): * runtime/ScopeChain.h: (JSC): (ScopeChainNode): * runtime/Structure.cpp: (JSC::Structure::addPropertyTransition): * runtime/Structure.h: (JSC): (Structure): * runtime/StructureChain.h: (JSC): (StructureChain): * wtf/InlineASM.h: * wtf/Platform.h: * wtf/SentinelLinkedList.h: (SentinelLinkedList): (WTF::SentinelLinkedList::isEmpty): * wtf/text/StringImpl.h: (JSC): (StringImpl): Source/WebCore: Reviewed by Gavin 
Barraclough. No new tests, because there is no change in behavior. * CMakeLists.txt: Source/WebKit: Reviewed by Gavin Barraclough. Changed EFL's build system to include a new directory in JavaScriptCore. * CMakeLists.txt: Tools: Reviewed by Gavin Barraclough. Changed EFL's build system to include a new directory in JavaScriptCore. * DumpRenderTree/efl/CMakeLists.txt: git-svn-id: http://svn.webkit.org/repository/webkit/trunk@108309 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
barraclough@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=78409 Reviewed by Oliver Hunt. Re-implement this as a regular accessor property. This has three key benefits: 1) It makes it possible for objects to be given properties named __proto__. 2) Object.prototype.__proto__ can be deleted, preventing object prototypes from being changed. 3) This largely removes the magic used to implement __proto__; it can just be made a regular accessor property. Source/JavaScriptCore: * parser/Parser.cpp: (JSC::::parseFunctionInfo): - No need to prohibit functions named __proto__. * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::reset): - Add __proto__ accessor to Object.prototype. * runtime/JSGlobalObjectFunctions.cpp: (JSC::globalFuncProtoGetter): (JSC::globalFuncProtoSetter): - Definition of the __proto__ accessor functions. * runtime/JSGlobalObjectFunctions.h: - Declaration of the __proto__ accessor functions. * runtime/JSObject.cpp: (JSC::JSObject::put): - Remove the special handling for __proto__; there is still a check to allow for a fast guard for accessors excluding __proto__. (JSC::JSObject::putDirectAccessor): - Track on the structure whether an object contains accessors other than one for __proto__. (JSC::JSObject::defineOwnProperty): - No need to prohibit definition of own properties named __proto__. * runtime/JSObject.h: (JSC::JSObject::inlineGetOwnPropertySlot): - Remove the special handling for __proto__. (JSC::JSValue::get): - Remove the special handling for __proto__. * runtime/JSString.cpp: (JSC::JSString::getOwnPropertySlot): - Remove the special handling for __proto__. * runtime/JSValue.h: (JSValue): - Made synthesizePrototype public (this may be needed by the __proto__ getter). * runtime/ObjectConstructor.cpp: (JSC::objectConstructorGetPrototypeOf): - Perform the security check & call prototype() directly. * runtime/Structure.cpp: (JSC::Structure::Structure): - Added 'ExcludingProto' variant of the 'hasGetterSetterProperties' state.
* runtime/Structure.h: (JSC::Structure::hasGetterSetterPropertiesExcludingProto): (JSC::Structure::setHasGetterSetterProperties): (Structure): - Added 'ExcludingProto' variant of the 'hasGetterSetterProperties' state. Source/WebCore: * bindings/js/JSDOMWindowBase.cpp: (WebCore::JSDOMWindowBase::allowsAccessFrom): (WebCore): - expose allowsAccessFrom check to JSC. * bindings/js/JSDOMWindowBase.h: (JSDOMWindowBase): - expose allowsAccessFrom check to JSC. LayoutTests: * fast/js/Object-getOwnPropertyNames-expected.txt: * fast/js/cyclic-prototypes-expected.txt: * fast/js/parser-syntax-check-expected.txt: * fast/js/preventExtensions-expected.txt: * fast/js/prototypes-expected.txt: - Update results * fast/js/script-tests/Object-getOwnPropertyNames.js: - __proto__ is now a property of Object Prototype. * fast/js/script-tests/cyclic-prototypes.js: - setting an object's prototype to null removes __proto__ setter, future usage won't set prototype. * fast/js/script-tests/parser-syntax-check.js: - Allow functions named __proto__ * fast/js/script-tests/preventExtensions.js: - Setting __proto__ should not throw. * fast/js/script-tests/prototypes.js: - Objects may contained own properties named __proto__, add new test cases. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@108259 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 13 Feb, 2012 1 commit
barraclough@apple.com authored
Unreviewed - temporarily reverting r107498 while I fix a couple of testcases. Source/JavaScriptCore: * parser/Parser.cpp: (JSC::::parseFunctionInfo): * runtime/ClassInfo.h: (MethodTable): (JSC): * runtime/JSCell.cpp: (JSC): * runtime/JSCell.h: (JSCell): * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::reset): * runtime/JSGlobalObjectFunctions.cpp: (JSC): * runtime/JSGlobalObjectFunctions.h: (JSC): * runtime/JSObject.cpp: (JSC::JSObject::put): (JSC): (JSC::JSObject::putDirectAccessor): (JSC::JSObject::defineOwnProperty): * runtime/JSObject.h: (JSC::JSObject::inlineGetOwnPropertySlot): (JSC::JSValue::get): * runtime/JSString.cpp: (JSC::JSString::getOwnPropertySlot): * runtime/JSValue.h: (JSValue): * runtime/ObjectConstructor.cpp: (JSC::objectConstructorGetPrototypeOf): * runtime/Structure.cpp: (JSC::Structure::Structure): * runtime/Structure.h: (JSC::Structure::setHasGetterSetterProperties): (Structure): Source/WebCore: * bindings/js/JSDOMWindowBase.cpp: (WebCore): * bindings/js/JSDOMWindowBase.h: (JSDOMWindowBase): LayoutTests: * fast/js/Object-getOwnPropertyNames-expected.txt: * fast/js/cyclic-prototypes-expected.txt: * fast/js/parser-syntax-check-expected.txt: * fast/js/preventExtensions-expected.txt: * fast/js/prototypes-expected.txt: * fast/js/script-tests/Object-getOwnPropertyNames.js: * fast/js/script-tests/cyclic-prototypes.js: * fast/js/script-tests/parser-syntax-check.js: * fast/js/script-tests/preventExtensions.js: * fast/js/script-tests/prototypes.js: git-svn-id: http://svn.webkit.org/repository/webkit/trunk@107544 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 11 Feb, 2012 1 commit
barraclough@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=78409 Reviewed by Oliver Hunt. Re-implement this as a regular accessor property. This has three key benefits: 1) It makes it possible for objects to be given properties named __proto__. 2) Object.prototype.__proto__ can be deleted, preventing object prototypes from being changed. 3) This largely removes the magic used to implement __proto__, it can just be made a regular accessor property. Source/JavaScriptCore: * parser/Parser.cpp: (JSC::::parseFunctionInfo): - No need to prohibit functions named __proto__. * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::reset): - Add __proto__ accessor to Object.prototype. * runtime/JSGlobalObjectFunctions.cpp: (JSC::globalFuncProtoGetter): (JSC::globalFuncProtoSetter): - Definition of the __proto__ accessor functions. * runtime/JSGlobalObjectFunctions.h: - Declaration of the __proto__ accessor functions. * runtime/JSObject.cpp: (JSC::JSObject::put): - Remove the special handling for __proto__, there is still a check to allow for a fast guard for accessors excluding __proto__. (JSC::JSObject::putDirectAccessor): - Track on the structure whether an object contains accessors other than one for __proto__. (JSC::JSObject::defineOwnProperty): - No need to prohibit definition of own properties named __proto__. * runtime/JSObject.h: (JSC::JSObject::inlineGetOwnPropertySlot): - Remove the special handling for __proto__. (JSC::JSValue::get): - Remove the special handling for __proto__. * runtime/JSString.cpp: (JSC::JSString::getOwnPropertySlot): - Remove the special handling for __proto__. * runtime/JSValue.h: (JSValue): - Made synthesizePrototype public (this may be needed by the __proto__ getter). * runtime/ObjectConstructor.cpp: (JSC::objectConstructorGetPrototypeOf): - Perform the security check & call prototype() directly. * runtime/Structure.cpp: (JSC::Structure::Structure): - Added 'ExcludingProto' variant of the 'hasGetterSetterProperties' state.
* runtime/Structure.h: (JSC::Structure::hasGetterSetterPropertiesExcludingProto): (JSC::Structure::setHasGetterSetterProperties): (Structure): - Added 'ExcludingProto' variant of the 'hasGetterSetterProperties' state. Source/WebCore: * bindings/js/JSDOMWindowBase.cpp: (WebCore::JSDOMWindowBase::allowsAccessFrom): (WebCore): - expose allowsAccessFrom check to JSC. * bindings/js/JSDOMWindowBase.h: (JSDOMWindowBase): - expose allowsAccessFrom check to JSC. LayoutTests: * fast/js/Object-getOwnPropertyNames-expected.txt: * fast/js/cyclic-prototypes-expected.txt: * fast/js/parser-syntax-check-expected.txt: * fast/js/preventExtensions-expected.txt: * fast/js/prototypes-expected.txt: - Update results * fast/js/script-tests/Object-getOwnPropertyNames.js: - __proto__ is now a property of Object Prototype. * fast/js/script-tests/cyclic-prototypes.js: - setting an object's prototype to null removes __proto__ setter, future usage won't set prototype. * fast/js/script-tests/parser-syntax-check.js: - Allow functions named __proto__ * fast/js/script-tests/preventExtensions.js: - Setting __proto__ should not throw. * fast/js/script-tests/prototypes.js: - Objects may contain own properties named __proto__, add new test cases. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@107498 268f45cc-cd09-0410-ab3c-d52691b4dbfc
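The three benefits listed in this commit message (r107498, re-landed as r108259) can be observed from script once __proto__ is an ordinary accessor on Object.prototype. The following is an added example written for this page, not code from the WebKit change or its layout tests; it runs under Node.js and the function names are invented for the example.

```javascript
// Added example (not WebKit code): behaviour of an accessor-based __proto__,
// as described in the commit message above, and the hardening it enables.

// 1) __proto__ is a plain getter/setter pair on Object.prototype, nothing magic.
function describeProtoAccessor() {
  const d = Object.getOwnPropertyDescriptor(Object.prototype, "__proto__");
  return {
    isAccessor: typeof d.get === "function" && typeof d.set === "function",
    configurable: d.configurable, // true: it can be deleted (benefit 2)
  };
}

// 2) An object may own a data property literally named "__proto__" (benefit 1),
//    e.g. a key that came out of JSON.parse, without its prototype chain changing.
function ownProtoDataProperty() {
  const o = {};
  Object.defineProperty(o, "__proto__", {
    value: "just data",
    writable: true,
    enumerable: true,
    configurable: true,
  });
  return {
    ownValue: o.__proto__, // the own data property shadows the accessor
    isOwn: Object.prototype.hasOwnProperty.call(o, "__proto__"),
    prototypeUnchanged: Object.getPrototypeOf(o) === Object.prototype,
  };
}

// 3) Hardening: delete the accessor before untrusted data is merged into objects.
//    Afterwards an assignment to obj.__proto__ merely creates an own data property
//    and can no longer rewire the prototype chain (benefit 2).
function removeProtoAccessor() {
  const wasDeleted = delete Object.prototype.__proto__;
  const target = {};
  const injected = { polluted: true }; // constructed input standing in for untrusted data
  target.__proto__ = injected; // ordinary property write once the setter is gone
  return {
    wasDeleted,
    prototypeUnchanged: Object.getPrototypeOf(target) === Object.prototype,
    becameOwnProperty: Object.prototype.hasOwnProperty.call(target, "__proto__"),
    nothingInherited: target.polluted === undefined,
  };
}
```

Call the three functions in that order: removeProtoAccessor() changes Object.prototype for the rest of the realm, which is exactly the point of running it early in a hardened environment.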
- 02 Feb, 2012 1 commit
fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=77669 Reviewed by Gavin Barraclough. * assembler/ARMAssembler.h: (ARMAssembler): (JSC::ARMAssembler::debugOffset): * assembler/ARMv7Assembler.h: (ARMv7Assembler): (JSC::ARMv7Assembler::debugOffset): (ARMInstructionFormatter): (JSC::ARMv7Assembler::ARMInstructionFormatter::debugOffset): * assembler/AbstractMacroAssembler.h: (AbstractMacroAssembler): (JSC::AbstractMacroAssembler::debugOffset): * assembler/AssemblerBuffer.h: (AssemblerBuffer): (JSC::AssemblerBuffer::debugOffset): * assembler/LinkBuffer.h: (LinkBuffer): (JSC::LinkBuffer::debugSize): * assembler/MIPSAssembler.h: (MIPSAssembler): (JSC::MIPSAssembler::debugOffset): * assembler/X86Assembler.h: (X86Assembler): (JSC::X86Assembler::debugOffset): (X86InstructionFormatter): (JSC::X86Assembler::X86InstructionFormatter::debugOffset): * bytecode/CodeBlock.cpp: (JSC): * bytecode/CodeBlock.h: (CodeBlock): * bytecode/CodeOrigin.h: (CodeOrigin): (JSC): (JSC::CodeOrigin::inlineStack): * bytecode/DFGExitProfile.h: (JSC::DFG::exitKindToString): * bytecode/DataFormat.h: (JSC::dataFormatToString): * bytecode/PredictedType.cpp: (JSC): (JSC::predictionToString): * bytecode/PredictedType.h: (JSC): * bytecode/ValueRecovery.h: (ValueRecovery): (JSC::ValueRecovery::dump): * bytecompiler/BytecodeGenerator.cpp: (JSC): (JSC::BytecodeGenerator::setDumpsGeneratedCode): (JSC::BytecodeGenerator::dumpsGeneratedCode): (JSC::BytecodeGenerator::generate): * dfg/DFGAbstractValue.h: (StructureAbstractValue): (JSC::DFG::StructureAbstractValue::dump): (AbstractValue): (JSC::DFG::AbstractValue::dump): * dfg/DFGAssemblyHelpers.h: (DFG): (AssemblyHelpers): (JSC::DFG::AssemblyHelpers::debugCall): * dfg/DFGFPRInfo.h: (FPRInfo): (JSC::DFG::FPRInfo::debugName): * dfg/DFGGPRInfo.h: (GPRInfo): (JSC::DFG::GPRInfo::debugName): * dfg/DFGGraph.cpp: (DFG): * dfg/DFGGraph.h: (Graph): * dfg/DFGNode.h: (DFG): (JSC::DFG::arithNodeFlagsAsString): (Node): (JSC::DFG::Node::hasIdentifier): (JSC::DFG::Node::dumpChildren):
* dfg/DFGOSRExit.cpp: (DFG): (JSC::DFG::OSRExit::dump): * dfg/DFGOSRExit.h: (OSRExit): * runtime/JSValue.cpp: (JSC): (JSC::JSValue::description): * runtime/JSValue.h: (JSValue): * wtf/BitVector.cpp: (WTF): (WTF::BitVector::dump): * wtf/BitVector.h: (BitVector): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@106590 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 31 Jan, 2012 1 commit
commit-queue@webkit.org authored
https://bugs.webkit.org/show_bug.cgi?id=77507 Patch by Hajime Morrita <morrita@chromium.org> on 2012-01-31 Reviewed by Kevin Ollivier. * heap/MarkedSpace.h: (MarkedSpace): * interpreter/Interpreter.h: (Interpreter): * runtime/JSValue.h: (JSValue): * wtf/text/AtomicString.h: (WTF::AtomicString::add): * wtf/text/WTFString.h: (WTF): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@106433 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 24 Jan, 2012 1 commit
ggaren@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=76861 ../JavaScriptCore: Reviewed by Gavin Barraclough. This makes the common case -- toString() on a string -- faster and inline-able. (Not a measurable speedup, but we can now remove a bunch of duplicate hand-rolled code for this optimization.) This also clarifies the boundary between "C++ strings" and "JS strings". In all cases other than true, false, null, undefined, and multi-digit numbers, the JS runtime was just retrieving a UString from a JSString, so returning a JSString* is strictly better. In the other cases, we can optimize to avoid creating a new JSString if we care to, but it doesn't seem to be a big deal. * JavaScriptCore.exp: Export! * jsc.cpp: (functionPrint): (functionDebug): (functionRun): (functionLoad): (functionCheckSyntax): (runWithScripts): (runInteractive): * API/JSValueRef.cpp: (JSValueToStringCopy): * bytecode/CodeBlock.cpp: (JSC::valueToSourceString): Call value() after calling toString(), to convert from "JS string" (JSString*) to "C++ string" (UString), since toString() no longer returns a "C++ string". * dfg/DFGOperations.cpp: (JSC::DFG::operationValueAddNotNumber): * jit/JITStubs.cpp: (op_add): Updated for removal of toPrimitiveString(): all '+' operands can use toString(), except for object operands, which need to take a slow path to call toPrimitive(). * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncToString): (JSC::arrayProtoFuncToLocaleString): (JSC::arrayProtoFuncJoin): (JSC::arrayProtoFuncPush): * runtime/CommonSlowPaths.h: (JSC::CommonSlowPaths::opIn): * runtime/DateConstructor.cpp: (JSC::dateParse): * runtime/DatePrototype.cpp: (JSC::formatLocaleDate): Call value() after calling toString(), as above. * runtime/ErrorInstance.h: (JSC::ErrorInstance::create): Simplified down to one canonical create() function, to make string handling easier.
* runtime/ErrorPrototype.cpp: (JSC::errorProtoFuncToString): * runtime/ExceptionHelpers.cpp: (JSC::createInvalidParamError): (JSC::createNotAConstructorError): (JSC::createNotAFunctionError): (JSC::createNotAnObjectError): * runtime/FunctionConstructor.cpp: (JSC::constructFunctionSkippingEvalEnabledCheck): * runtime/FunctionPrototype.cpp: (JSC::functionProtoFuncBind): * runtime/JSArray.cpp: (JSC::JSArray::sort): Call value() after calling toString(), as above. * runtime/JSCell.cpp: * runtime/JSCell.h: Removed JSCell::toString() because JSValue does this job now. Doing it in JSCell is slower (requires extra type checking), and creates the misimpression that language-defined toString() behavior is an implementation detail of JSCell. * runtime/JSGlobalObjectFunctions.cpp: (JSC::encode): (JSC::decode): (JSC::globalFuncEval): (JSC::globalFuncParseInt): (JSC::globalFuncParseFloat): (JSC::globalFuncEscape): (JSC::globalFuncUnescape): Call value() after calling toString(), as above. * runtime/JSONObject.cpp: (JSC::unwrapBoxedPrimitive): (JSC::Stringifier::Stringifier): (JSC::JSONProtoFuncParse): Removed some manual optimization that toString() takes care of. * runtime/JSObject.cpp: (JSC::JSObject::toString): * runtime/JSObject.h: Updated to return JSString*. * runtime/JSString.cpp: * runtime/JSString.h: (JSC::JSValue::toString): Removed, since I removed JSCell::toString(). * runtime/JSValue.cpp: (JSC::JSValue::toStringSlowCase): Removed toPrimitiveString(), and re-spawned toStringSlowCase() from its zombie corpse, since toPrimitiveString() basically did what we want all the time. (Note that the toPrimitive() preference changes from NoPreference to PreferString, because that's how ToString is defined in the language. op_add does not want this behavior.) * runtime/NumberPrototype.cpp: (JSC::numberProtoFuncToString): (JSC::numberProtoFuncToLocaleString): A little simpler, now that toString() returns a JSString*.
* runtime/ObjectConstructor.cpp: (JSC::objectConstructorGetOwnPropertyDescriptor): (JSC::objectConstructorDefineProperty): * runtime/ObjectPrototype.cpp: (JSC::objectProtoFuncHasOwnProperty): (JSC::objectProtoFuncDefineGetter): (JSC::objectProtoFuncDefineSetter): (JSC::objectProtoFuncLookupGetter): (JSC::objectProtoFuncLookupSetter): (JSC::objectProtoFuncPropertyIsEnumerable): More calls to value(), as above. * runtime/Operations.cpp: (JSC::jsAddSlowCase): Need to check for object before taking the toString() fast path because adding an object to a string requires calling toPrimitive() on the object, not toString(). (They differ in their preferred conversion type.) * runtime/Operations.h: (JSC::jsString): (JSC::jsStringFromArguments): This code gets simpler, now that toString() does the right thing. (JSC::jsAdd): Now checks for object, just like jsAddSlowCase(). * runtime/RegExpConstructor.cpp: (JSC::setRegExpConstructorInput): (JSC::constructRegExp): * runtime/RegExpObject.cpp: (JSC::RegExpObject::match): * runtime/RegExpPrototype.cpp: (JSC::regExpProtoFuncCompile): (JSC::regExpProtoFuncToString): More calls to value(), as above. * runtime/StringConstructor.cpp: (JSC::constructWithStringConstructor): (JSC::callStringConstructor): This code gets simpler, now that toString() does the right thing.
* runtime/StringPrototype.cpp: (JSC::replaceUsingRegExpSearch): (JSC::replaceUsingStringSearch): (JSC::stringProtoFuncReplace): (JSC::stringProtoFuncCharAt): (JSC::stringProtoFuncCharCodeAt): (JSC::stringProtoFuncConcat): (JSC::stringProtoFuncIndexOf): (JSC::stringProtoFuncLastIndexOf): (JSC::stringProtoFuncMatch): (JSC::stringProtoFuncSearch): (JSC::stringProtoFuncSlice): (JSC::stringProtoFuncSplit): (JSC::stringProtoFuncSubstr): (JSC::stringProtoFuncSubstring): (JSC::stringProtoFuncToLowerCase): (JSC::stringProtoFuncToUpperCase): (JSC::stringProtoFuncLocaleCompare): (JSC::stringProtoFuncBig): (JSC::stringProtoFuncSmall): (JSC::stringProtoFuncBlink): (JSC::stringProtoFuncBold): (JSC::stringProtoFuncFixed): (JSC::stringProtoFuncItalics): (JSC::stringProtoFuncStrike): (JSC::stringProtoFuncSub): (JSC::stringProtoFuncSup): (JSC::stringProtoFuncFontcolor): (JSC::stringProtoFuncFontsize): (JSC::stringProtoFuncAnchor): (JSC::stringProtoFuncLink): (JSC::trimString): Some of this code gets simpler, now that toString() does the right thing. More calls to value(), as above. ../JavaScriptGlue: Reviewed by Gavin Barraclough. * JSUtils.cpp: (KJSValueToCFTypeInternal): ../WebCore: Reviewed by Gavin Barraclough. Mechanical changes to call value() after calling toString(), to convert from "JS string" (JSString*) to "C++ string" (UString), since toString() no longer returns a "C++ string".
* bindings/js/IDBBindingUtilities.cpp: (WebCore::createIDBKeyFromValue): * bindings/js/JSCSSStyleDeclarationCustom.cpp: (WebCore::JSCSSStyleDeclaration::getPropertyCSSValue): * bindings/js/JSClipboardCustom.cpp: (WebCore::JSClipboard::clearData): (WebCore::JSClipboard::getData): * bindings/js/JSCustomXPathNSResolver.cpp: (WebCore::JSCustomXPathNSResolver::lookupNamespaceURI): * bindings/js/JSDOMBinding.cpp: (WebCore::valueToStringWithNullCheck): (WebCore::valueToStringWithUndefinedOrNullCheck): (WebCore::reportException): * bindings/js/JSDOMFormDataCustom.cpp: (WebCore::JSDOMFormData::append): * bindings/js/JSDOMStringMapCustom.cpp: (WebCore::JSDOMStringMap::putDelegate): * bindings/js/JSDOMWindowCustom.cpp: (WebCore::JSDOMWindow::setLocation): (WebCore::JSDOMWindow::open): (WebCore::JSDOMWindow::addEventListener): (WebCore::JSDOMWindow::removeEventListener): * bindings/js/JSDeviceMotionEventCustom.cpp: (WebCore::JSDeviceMotionEvent::initDeviceMotionEvent): * bindings/js/JSDeviceOrientationEventCustom.cpp: (WebCore::JSDeviceOrientationEvent::initDeviceOrientationEvent): * bindings/js/JSDictionary.cpp: (WebCore::JSDictionary::convertValue): * bindings/js/JSDocumentCustom.cpp: (WebCore::JSDocument::setLocation): * bindings/js/JSEventListener.cpp: (WebCore::JSEventListener::handleEvent): * bindings/js/JSHTMLAllCollectionCustom.cpp: (WebCore::callHTMLAllCollection): (WebCore::JSHTMLAllCollection::item): (WebCore::JSHTMLAllCollection::namedItem): * bindings/js/JSHTMLCanvasElementCustom.cpp: (WebCore::JSHTMLCanvasElement::getContext): * bindings/js/JSHTMLCollectionCustom.cpp: (WebCore::JSHTMLCollection::item): (WebCore::JSHTMLCollection::namedItem): * bindings/js/JSHTMLDocumentCustom.cpp: (WebCore::documentWrite): * bindings/js/JSHTMLInputElementCustom.cpp: (WebCore::JSHTMLInputElement::setSelectionDirection): (WebCore::JSHTMLInputElement::setSelectionRange): * bindings/js/JSInspectorFrontendHostCustom.cpp: (WebCore::JSInspectorFrontendHost::showContextMenu):
* bindings/js/JSJavaScriptCallFrameCustom.cpp: (WebCore::JSJavaScriptCallFrame::evaluate): * bindings/js/JSLocationCustom.cpp: (WebCore::JSLocation::setHref): (WebCore::JSLocation::setProtocol): (WebCore::JSLocation::setHost): (WebCore::JSLocation::setHostname): (WebCore::JSLocation::setPort): (WebCore::JSLocation::setPathname): (WebCore::JSLocation::setSearch): (WebCore::JSLocation::setHash): (WebCore::JSLocation::replace): (WebCore::JSLocation::assign): * bindings/js/JSMessageEventCustom.cpp: (WebCore::handleInitMessageEvent): * bindings/js/JSSQLTransactionCustom.cpp: (WebCore::JSSQLTransaction::executeSql): * bindings/js/JSSQLTransactionSyncCustom.cpp: (WebCore::JSSQLTransactionSync::executeSql): * bindings/js/JSSharedWorkerCustom.cpp: (WebCore::JSSharedWorkerConstructor::constructJSSharedWorker): * bindings/js/JSStorageCustom.cpp: (WebCore::JSStorage::putDelegate): * bindings/js/JSWebGLRenderingContextCustom.cpp: (WebCore::JSWebGLRenderingContext::getExtension): * bindings/js/JSWebSocketCustom.cpp: (WebCore::JSWebSocketConstructor::constructJSWebSocket): (WebCore::JSWebSocket::send): (WebCore::JSWebSocket::close): * bindings/js/JSWorkerContextCustom.cpp: (WebCore::JSWorkerContext::importScripts): * bindings/js/JSWorkerCustom.cpp: (WebCore::JSWorkerConstructor::constructJSWorker): * bindings/js/JSXMLHttpRequestCustom.cpp: (WebCore::JSXMLHttpRequest::open): (WebCore::JSXMLHttpRequest::send): * bindings/js/JSXSLTProcessorCustom.cpp: (WebCore::JSXSLTProcessor::setParameter): (WebCore::JSXSLTProcessor::getParameter): (WebCore::JSXSLTProcessor::removeParameter): * bindings/js/ScheduledAction.cpp: (WebCore::ScheduledAction::create): * bindings/js/ScriptEventListener.cpp: (WebCore::eventListenerHandlerBody): * bindings/js/ScriptValue.cpp: (WebCore::ScriptValue::toString): * bindings/scripts/CodeGeneratorJS.pm: (GenerateEventListenerCall): (JSValueToNative): (GenerateConstructorDefinition): * bridge/c/c_utility.cpp: (JSC::Bindings::convertValueToNPVariant):
* bridge/jni/jni_jsobject.mm: (JavaJSObject::convertValueToJObject): * bridge/jni/jsc/JNIUtilityPrivate.cpp: (JSC::Bindings::convertArrayInstanceToJavaArray): (JSC::Bindings::convertValueToJValue): * bridge/jni/jsc/JavaFieldJSC.cpp: (JavaField::dispatchValueFromInstance): (JavaField::valueFromInstance): (JavaField::dispatchSetValueToInstance): (JavaField::setValueToInstance): * bridge/jni/jsc/JavaInstanceJSC.cpp: (JavaInstance::invokeMethod): * testing/js/JSInternalsCustom.cpp: (WebCore::JSInternals::setUserPreferredLanguages): ../WebKit/mac: Reviewed by Gavin Barraclough. Mechanical changes to call value() after calling toString(), to convert from "JS string" (JSString*) to "C++ string" (UString), since toString() no longer returns a "C++ string". * Plugins/Hosted/NetscapePluginInstanceProxy.mm: (WebKit::NetscapePluginInstanceProxy::addValueToArray): * WebView/WebFrame.mm: (-[WebFrame _stringByEvaluatingJavaScriptFromString:forceUserGesture:]): (-[WebFrame _stringByEvaluatingJavaScriptFromString:withGlobalObject:inScriptWorld:]): ../WebKit2: Reviewed by Gavin Barraclough. Mechanical changes to call value() after calling toString(), to convert from "JS string" (JSString*) to "C++ string" (UString), since toString() no longer returns a "C++ string". * WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp: (WebKit::NPRuntimeObjectMap::convertJSValueToNPVariant): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@105698 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 13 Jan, 2012 1 commit
morrita@google.com authored
https://bugs.webkit.org/show_bug.cgi?id=72855 Reviewed by Darin Adler. Added WTF_EXPORT_PRIVATE and JS_EXPORT_PRIVATE based on JavaScriptCore.exp files. The change is generated by a tool called ListExportables (https://github.com/omo/ListExportables) * API/OpaqueJSString.h: * bytecode/CodeBlock.h: * bytecode/SamplingTool.h: * debugger/Debugger.h: * debugger/DebuggerActivation.h: * debugger/DebuggerCallFrame.h: * heap/AllocationSpace.h: * heap/HandleHeap.h: * heap/Heap.h: * heap/MachineStackMarker.h: * heap/MarkStack.h: * heap/VTableSpectrum.h: * heap/WriteBarrierSupport.h: * parser/Nodes.h: * parser/ParserArena.h: * profiler/Profile.h: * runtime/ArgList.h: * runtime/CallData.h: * runtime/Completion.h: * runtime/ConstructData.h: * runtime/DateInstance.h: * runtime/Error.h: * runtime/ExceptionHelpers.h: * runtime/FunctionConstructor.h: * runtime/Identifier.h: * runtime/InitializeThreading.h: * runtime/InternalFunction.h: * runtime/JSArray.h: * runtime/JSByteArray.h: * runtime/JSCell.h: * runtime/JSFunction.h: * runtime/JSGlobalData.cpp: * runtime/JSGlobalData.h: * runtime/JSGlobalObject.h: * runtime/JSGlobalThis.h: * runtime/JSLock.h: * runtime/JSObject.h: * runtime/JSString.h: * runtime/JSValue.h: * runtime/JSVariableObject.h: * runtime/Lookup.h: * runtime/MemoryStatistics.h: * runtime/ObjectPrototype.h: * runtime/Options.h: * runtime/PropertyDescriptor.h: * runtime/PropertyNameArray.h: * runtime/PropertySlot.h: * runtime/RegExp.h: * runtime/RegExpObject.h: * runtime/SamplingCounter.h: * runtime/SmallStrings.h: * runtime/StringObject.h: * runtime/Structure.h: * runtime/TimeoutChecker.h: * runtime/UString.h: * runtime/WriteBarrier.h: * wtf/ArrayBufferView.h: * wtf/ByteArray.h: * wtf/CryptographicallyRandomNumber.h: * wtf/CurrentTime.h: * wtf/DateMath.h: * wtf/DecimalNumber.h: * wtf/FastMalloc.cpp: * wtf/FastMalloc.h: * wtf/MD5.h: * wtf/MainThread.h: * wtf/MetaAllocator.h: * wtf/MetaAllocatorHandle.h: * wtf/OSAllocator.h: * wtf/PageBlock.h: * wtf/RandomNumber.h:
* wtf/RefCountedLeakCounter.h: * wtf/SHA1.h: * wtf/Threading.cpp: * wtf/Threading.h: * wtf/ThreadingPrimitives.h: * wtf/WTFThreadData.h: * wtf/dtoa.h: * wtf/text/AtomicString.h: * wtf/text/CString.h: * wtf/text/StringBuilder.h: * wtf/text/StringImpl.h: * wtf/text/WTFString.h: * wtf/unicode/Collator.h: * wtf/unicode/UTF8.h: * yarr/Yarr.h: * yarr/YarrPattern.h: git-svn-id: http://svn.webkit.org/repository/webkit/trunk@104900 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 12 Jan, 2012 1 commit
barraclough@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=76232 Reviewed by Sam Weinig. putDirect has ambiguous semantics, clean these up a bit. putDirect generally behaves a bit like a fast defineOwnProperty, but one that always creates the property, with no checking to validate that the put is permitted. It also encompasses two slightly different behaviors. (1) a fast form of put for JSActivation, which doesn't have to handle searching the prototype chain, getter/setter properties, or the magic __proto__ value. Break this out as a new method, 'putOwnDataProperty'. (2) the version of putDirect on JSValue will also check for overwriting ReadOnly values, in strict mode. This is, however, not so smart on a few levels, since it is only called from op_put_by_id with direct set, which is only used with an object as the base, and is only used to put new properties onto objects. * dfg/DFGOperations.cpp: * interpreter/Interpreter.cpp: (JSC::Interpreter::privateExecute): * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): * runtime/JSActivation.cpp: (JSC::JSActivation::put): * runtime/JSFunction.cpp: (JSC::JSFunction::getOwnPropertySlot): * runtime/JSObject.h: (JSC::JSObject::putOwnDataProperty): * runtime/JSValue.h: git-svn-id: http://svn.webkit.org/repository/webkit/trunk@104886 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 08 Nov, 2011 2 commits
fpizlo@apple.com authored
related to DFG::JITCompiler https://bugs.webkit.org/show_bug.cgi?id=71787 Reviewed by Gavin Barraclough. Moves the exitSpeculativeWithOSR() method from JITCompiler to OSRExitCompiler::compileExit(). * CMakeListsEfl.txt: * JavaScriptCore.xcodeproj/project.pbxproj: * Target.pri: * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::linkOSRExits): * dfg/DFGJITCompiler32_64.cpp: Removed. * dfg/DFGOSRExitCompiler.h: Added. (JSC::DFG::OSRExitCompiler::OSRExitCompiler): * dfg/DFGOSRExitCompiler32_64.cpp: Added. (JSC::DFG::OSRExitCompiler::compileExit): * dfg/DFGOSRExitCompiler64.cpp: Added. (JSC::DFG::OSRExitCompiler::compileExit): * runtime/JSValue.h: git-svn-id: http://svn.webkit.org/repository/webkit/trunk@99629 268f45cc-cd09-0410-ab3c-d52691b4dbfc
commit-queue@webkit.org authored
https://bugs.webkit.org/show_bug.cgi?id=71768 Reviewed by Geoffrey Garen. Also includes a fix to make the newly introduced AssemblyHelpers friend of JSValue as we need the Tag definitions. * CMakeListsEfl.txt: * GNUmakefile.list.am: * Target.pri: * runtime/JSValue.h: git-svn-id: http://svn.webkit.org/repository/webkit/trunk@99532 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 31 Oct, 2011 1 commit
fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=71202 Reviewed by Oliver Hunt. Value profiles now have an extra special slot not used by the old JIT's profiling, which is reserved for OSR exits. The DFG's OSR exit code now knows which register, node index, and value profiling site was responsible for the (possibly flawed) information that led to the OSR failure. This is somewhat opportunistic and imperfect; if there's a lot of control flow between the value profiling site and the OSR failure point, then this mechanism simply gives up. It also gives up if the OSR failure is caused by either known deficiencies in the DFG (like that we always assume that the index in a strict charCodeAt access is within bounds) or where the OSR failure would be catalogued and profiled through other means (like slow case counters). This patch also adds the notion of a JSValueRegs, which is either a single register in JSVALUE64 or a pair in JSVALUE32_64. We should probably move the 32_64 DFG towards using this, since it often makes it easier to share code between 64 and 32_64. Also fixed a number of pathologies that this uncovered. op_method_check didn't have a value profiling site on the slow path. GetById should not always force OSR exit if it never executed in the old JIT; we may be able to infer its type if it's an array or string length get. Finally, these changes benefit from a slight tweak to optimization delay heuristics (profile fullness is now 0.35 instead of 0.25). 3.8% speed-up on Kraken, mostly due to ~35% on both stanford-crypto-aes and imaging-darkroom.
* bytecode/ValueProfile.cpp: (JSC::ValueProfile::computeStatistics): (JSC::ValueProfile::computeUpdatedPrediction): * bytecode/ValueProfile.h: (JSC::ValueProfile::ValueProfile): (JSC::ValueProfile::specFailBucket): (JSC::ValueProfile::numberOfSamples): (JSC::ValueProfile::isLive): (JSC::ValueProfile::numberOfInt32s): (JSC::ValueProfile::numberOfDoubles): (JSC::ValueProfile::numberOfCells): (JSC::ValueProfile::numberOfObjects): (JSC::ValueProfile::numberOfFinalObjects): (JSC::ValueProfile::numberOfStrings): (JSC::ValueProfile::numberOfArrays): (JSC::ValueProfile::numberOfBooleans): (JSC::ValueProfile::dump): * dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::execute): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit): (JSC::DFG::ByteCodeParser::getPrediction): (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGGPRInfo.h: (JSC::DFG::JSValueRegs::JSValueRegs): (JSC::DFG::JSValueRegs::operator!): (JSC::DFG::JSValueRegs::gpr): (JSC::DFG::JSValueSource::JSValueSource): (JSC::DFG::JSValueSource::unboxedCell): (JSC::DFG::JSValueSource::operator!): (JSC::DFG::JSValueSource::isAddress): (JSC::DFG::JSValueSource::offset): (JSC::DFG::JSValueSource::base): (JSC::DFG::JSValueSource::gpr): (JSC::DFG::JSValueSource::asAddress): (JSC::DFG::JSValueSource::notAddress): (JSC::DFG::JSValueRegs::tagGPR): (JSC::DFG::JSValueRegs::payloadGPR): (JSC::DFG::JSValueSource::tagGPR): (JSC::DFG::JSValueSource::payloadGPR): (JSC::DFG::JSValueSource::hasKnownTag): (JSC::DFG::JSValueSource::tag): * dfg/DFGGenerationInfo.h: (JSC::DFG::GenerationInfo::jsValueRegs): * dfg/DFGGraph.h: (JSC::DFG::Graph::valueProfileFor): * dfg/DFGJITCodeGenerator.h: (JSC::JSValueOperand::jsValueRegs): * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::exitSpeculativeWithOSR): * dfg/DFGJITCompiler.h: (JSC::DFG::JITCompiler::valueProfileFor): * dfg/DFGJITCompiler32_64.cpp: (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
* dfg/DFGPropagator.cpp: (JSC::DFG::Propagator::propagateNodePredictions): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::OSRExit::OSRExit): (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality): (JSC::DFG::SpeculativeJIT::checkArgumentTypes): (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt): (JSC::DFG::SpeculativeJIT::compileGetByValOnString): (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray): (JSC::DFG::SpeculativeJIT::compileGetByValOnByteArray): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::speculationCheck): (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal): (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): (JSC::DFG::SpeculativeJIT::compileObjectEquality): (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): (JSC::DFG::SpeculativeJIT::compileLogicalNot): (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal): (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): (JSC::DFG::SpeculativeJIT::compileObjectEquality): (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): (JSC::DFG::SpeculativeJIT::compileLogicalNot): (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): (JSC::DFG::SpeculativeJIT::emitBranch): (JSC::DFG::SpeculativeJIT::compile): * jit/JITPropertyAccess.cpp: (JSC::JIT::emitSlow_op_method_check): * jit/JITPropertyAccess32_64.cpp: (JSC::JIT::emitSlow_op_method_check): * runtime/Heuristics.cpp: (JSC::Heuristics::initializeHeuristics): * runtime/JSValue.h: git-svn-id: http://svn.webkit.org/repository/webkit/trunk@98912 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 27 Oct, 2011 1 commit
haraken@chromium.org authored
https://bugs.webkit.org/show_bug.cgi?id=70215 Reviewed by Adam Barth. Source/JavaScriptCore: Added a method that judges if a given JSValue is empty. Tests: transforms/svg-vs-css.xhtml transforms/cssmatrix-2d-interface.xhtml transforms/cssmatrix-3d-interface.xhtml * runtime/JSValue.h: * runtime/JSValueInlineMethods.h: (JSC::JSValue::isEmpty): Source/WebCore: This patch implements [Optional=CallWithNullValue] IDL for JSC. While a parameter specified as [Optional=CallWithDefaultValue] is handled as a string "undefined", a parameter specified as [Optional=CallWithNullValue] is handled as a null string. (Note: not a string "null", but a null string). c.f. [Optional=CallWithNullValue] is implemented in V8 in bug 67458. Tests: fast/dom/global-constructors.html transforms/svg-vs-css.xhtml transforms/cssmatrix-2d-interface.xhtml transforms/cssmatrix-3d-interface.xhtml * GNUmakefile.list.am: Removed JSWebKitCSSMatrixCustom.cpp. * UseJSC.cmake: Ditto. * WebCore.gypi: Ditto. * WebCore.pro: Ditto. * WebCore.xcodeproj/project.pbxproj: Ditto. * bindings/js/JSBindingsAllInOne.cpp: Ditto. * bindings/js/JSDOMBinding.h: MAYBE_MISSING_PARAMETER(exec, index, policy) returns the index-th parameter, if the parameter exists. It returns an undefined value, if the index-th parameter is missing and the policy is MissingIsUndefined. It returns an empty value, otherwise (i.e. if the index-th parameter is missing and the policy is MissingIsEmpty). * bindings/js/JSWebKitCSSMatrixCustom.cpp: Removed. * bindings/scripts/CodeGeneratorJS.pm: (GenerateParametersCheck): Supported [Optional=CallWithNullValue]. (GenerateConstructorDefinition): Supported [Optional=CallWithNullValue]. * css/WebKitCSSMatrix.idl: Removed [JSCustomConstructor]. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@98679 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 18 Oct, 2011 1 commit
ggaren@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=70364
Reviewed by Gavin Barraclough.
~1% SunSpider speedup. Neutral elsewhere.
Removes one cause for strings having C++ destructors.
* heap/MarkStack.cpp:
(JSC::visitChildren): Call the JSString visitChildren function now, since it's no longer a no-op.
* runtime/JSString.cpp:
(JSC::JSString::~JSString): Moved this destructor out of line because it's called virtually, so there's no value to inlining.
(JSC::JSString::RopeBuilder::expand): Switched RopeBuilder to be a thin initializing wrapper around JSString. JSString now represents ropes directly, rather than relying on an underlying malloc object.
(JSC::JSString::visitChildren): Visit our rope fibers, since they're GC objects now.
(JSC::JSString::resolveRope):
(JSC::JSString::resolveRopeSlowCase):
(JSC::JSString::outOfMemory): Updated for operating on JSStrings instead of malloc objects.
(JSC::JSString::replaceCharacter): Removed optimizations for substringing ropes and replacing subsections of ropes. We want to reimplement versions of these optimizations in the future, but this patch already has good performance without them.
* runtime/JSString.h:
(JSC::RopeBuilder::JSString):
(JSC::RopeBuilder::finishCreation):
(JSC::RopeBuilder::createNull):
(JSC::RopeBuilder::create):
(JSC::RopeBuilder::createHasOtherOwner):
(JSC::jsSingleCharacterString):
(JSC::jsSingleCharacterSubstring):
(JSC::jsNontrivialString):
(JSC::jsString):
(JSC::jsSubstring):
(JSC::jsOwnedString): Lots of mechanical changes here. The two important things are: (1) The fibers in JSString::m_fibers are JSStrings now, not malloc objects; (2) I simplified the JSString constructor interface to only accept PassRefPtr<StringImpl>, instead of variations on that like UString, reducing refcount churn.
* runtime/JSValue.h:
* runtime/JSValue.cpp:
(JSC::JSValue::toPrimitiveString): Updated this function to return a JSString instead of a UString, since that's what clients want now.
* runtime/Operations.cpp:
(JSC::jsAddSlowCase):
* runtime/Operations.h:
(JSC::jsString):
* runtime/SmallStrings.cpp:
(JSC::SmallStrings::createEmptyString): Updated for interface changes above.
* runtime/StringConstructor.cpp:
(JSC::constructWithStringConstructor):
* runtime/StringObject.h:
(JSC::StringObject::create): Don't create a new JSString if we already have a JSString.
* runtime/StringPrototype.cpp:
(JSC::stringProtoFuncConcat): Updated for interface changes above.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@97827 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 17 Oct, 2011 1 commit
fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=70278
Reviewed by Oliver Hunt.
The DFG bytecode parser is now capable of parsing multiple code blocks at once. This remains turned off since not all inlining functionality is implemented. This required making a few changes elsewhere in the system. The bytecode parser now may do some of the same things that the bytecode generator does, like allocating constants and identifiers. Basic block linking relies on bytecode indices, which are only meaningful within the context of one basic block. This is fine, so long as linking is done eagerly whenever switching from one code block to another.
* bytecode/CodeOrigin.h:
(JSC::CodeOrigin::CodeOrigin):
* bytecompiler/BytecodeGenerator.h:
* dfg/DFGBasicBlock.h:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::ByteCodeParser):
(JSC::DFG::ByteCodeParser::get):
(JSC::DFG::ByteCodeParser::set):
(JSC::DFG::ByteCodeParser::getThis):
(JSC::DFG::ByteCodeParser::setThis):
(JSC::DFG::ByteCodeParser::currentCodeOrigin):
(JSC::DFG::ByteCodeParser::getPrediction):
(JSC::DFG::ByteCodeParser::makeSafe):
(JSC::DFG::ByteCodeParser::makeDivSafe):
(JSC::DFG::ByteCodeParser::InlineStackEntry::executable):
(JSC::DFG::ByteCodeParser::InlineStackEntry::~InlineStackEntry):
(JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::linkBlock):
(JSC::DFG::ByteCodeParser::linkBlocks):
(JSC::DFG::ByteCodeParser::setupPredecessors):
(JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
(JSC::DFG::ByteCodeParser::parseCodeBlock):
(JSC::DFG::ByteCodeParser::parse):
* dfg/DFGGraph.h:
(JSC::DFG::GetBytecodeBeginForBlock::GetBytecodeBeginForBlock):
(JSC::DFG::GetBytecodeBeginForBlock::operator()):
(JSC::DFG::Graph::blockIndexForBytecodeOffset):
* dfg/DFGNode.h:
* runtime/Identifier.h:
(JSC::IdentifierMapIndexHashTraits::emptyValue):
* runtime/JSValue.h:
* wtf/StdLibExtras.h:
(WTF::binarySearchWithFunctor):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@97675 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 05 Oct, 2011 1 commit
ggaren@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=69399
No perf. change.
toJSNumber() used to provide an implicit fast path for immediate numbers, but those fast paths are all explicit now, so it's just cruft.
* interpreter/Interpreter.cpp:
(JSC::Interpreter::privateExecute):
* jit/JITStubs.cpp:
(JSC::DEFINE_STUB_FUNCTION):
* runtime/JSValue.h:
* runtime/JSValueInlineMethods.h:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@96717 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 04 Oct, 2011 1 commit
ggaren@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=69320
../JavaScriptCore:
Reviewed by Darin Adler.
No measurable performance change.
Removed some JSValue::get* functions. get* used to be an optimization when every value operation was a virtual function call: get* would combine two virtual calls into one. Now, with non-virtual, inlined functions, get* isn't faster, and may be slightly slower. Merged getBoolean(bool&) and getBoolean() into asBoolean(). Merged uncheckedGetNumber(), getJSNumber() and getNumber() into asNumber().
* runtime/JSValue.h:
* runtime/JSValueInlineMethods.h:
(JSC::JSValue::asNumber):
(JSC::JSValue::asBoolean): As promised!
* runtime/NumberPrototype.cpp:
(JSC::toThisNumber):
(JSC::numberProtoFuncToExponential):
(JSC::numberProtoFuncToFixed):
(JSC::numberProtoFuncToPrecision):
(JSC::numberProtoFuncToString):
(JSC::numberProtoFuncToLocaleString):
(JSC::numberProtoFuncValueOf): Removed a bunch of uses of getJSNumber() by switching to toThisNumber().
* API/JSCallbackObjectFunctions.h:
(JSC::::toNumber):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::valueOfNumberConstant):
(JSC::DFG::Graph::valueOfBooleanConstant):
* dfg/DFGOperations.cpp:
(JSC::DFG::putByVal):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::privateExecute):
* jit/JITStubs.cpp:
(JSC::DEFINE_STUB_FUNCTION):
* runtime/DateInstance.h:
(JSC::DateInstance::internalNumber):
* runtime/FunctionPrototype.cpp:
(JSC::functionProtoFuncBind):
* runtime/JSArray.cpp:
(JSC::compareNumbersForQSort): Replaced getNumber() => isNumber() / asNumber(). getBoolean() => isBoolean() / asBoolean(), uncheckedGetNumber() => asNumber().
* runtime/JSCell.cpp:
* runtime/JSCell.h: Nixed getJSNumber().
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncParseInt):
* runtime/JSONObject.cpp:
(JSC::gap):
(JSC::Stringifier::Stringifier):
(JSC::Stringifier::appendStringifiedValue):
* runtime/NumberObject.cpp:
* runtime/NumberObject.h:
(JSC::NumberObject::createStructure):
* runtime/Operations.h:
(JSC::JSValue::equalSlowCaseInline):
(JSC::JSValue::strictEqual):
(JSC::jsLess):
(JSC::jsLessEq):
(JSC::jsAdd): Replaced getNumber() => isNumber() / asNumber(). getBoolean() => isBoolean() / asBoolean(), uncheckedGetNumber() => asNumber().
../WebCore:
Reviewed by Darin Adler.
* bindings/js/JSDOMBinding.cpp:
(WebCore::valueToDate):
* bindings/js/JSErrorHandler.cpp:
(WebCore::JSErrorHandler::handleEvent):
* bindings/js/JSEventListener.cpp:
(WebCore::JSEventListener::handleEvent):
* bindings/js/JSSQLTransactionCustom.cpp:
(WebCore::JSSQLTransaction::executeSql):
* bindings/js/JSSQLTransactionSyncCustom.cpp:
(WebCore::JSSQLTransactionSync::executeSql):
* bindings/js/ScriptValue.cpp:
(WebCore::jsToInspectorValue):
* bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneSerializer::dumpIfTerminal):
* bindings/objc/WebScriptObject.mm:
(+[WebScriptObject _convertValueToObjcValue:originRootObject:rootObject:]):
* bridge/jni/jsc/JNIUtilityPrivate.cpp:
(JSC::Bindings::convertValueToJValue): Updated for JSC changes.
../WebKit/mac:
Reviewed by Darin Adler.
* WebView/WebView.mm:
(aeDescFromJSValue): Updated for JSC changes.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@96673 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 30 Sep, 2011 1 commit
barraclough@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=69203
Rubber stamped by Sam Weinig.
These are no longer used.
../JavaScriptCore:
* JavaScriptCore.exp:
* runtime/JSActivation.cpp:
* runtime/JSActivation.h:
* runtime/JSObject.cpp:
* runtime/JSObject.h:
* runtime/JSStaticScopeObject.cpp:
* runtime/JSStaticScopeObject.h:
* runtime/JSValue.h:
* runtime/StrictEvalActivation.cpp:
* runtime/StrictEvalActivation.h:
../WebCore:
* bindings/js/JSDOMWindowBase.cpp:
* bindings/js/JSDOMWindowBase.h:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@96446 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 29 Sep, 2011 1 commit
mhahnenberg@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=68839
Reviewed by Geoffrey Garen.
Source/JavaScriptCore:
Removed the remaining visitChildrenVirtual methods. This patch completes the process of de-virtualizing visitChildren.
* API/JSCallbackObject.h:
* JavaScriptCore.exp:
* JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
* debugger/DebuggerActivation.cpp:
* debugger/DebuggerActivation.h:
* runtime/Arguments.cpp:
* runtime/Arguments.h:
* runtime/Executable.cpp:
* runtime/Executable.h:
* runtime/GetterSetter.cpp:
* runtime/GetterSetter.h:
* runtime/JSActivation.cpp:
* runtime/JSActivation.h:
* runtime/JSArray.cpp:
* runtime/JSArray.h:
* runtime/JSFunction.cpp:
* runtime/JSFunction.h:
* runtime/JSGlobalObject.cpp:
* runtime/JSGlobalObject.h:
* runtime/JSObject.cpp:
* runtime/JSPropertyNameIterator.cpp:
* runtime/JSPropertyNameIterator.h:
* runtime/JSStaticScopeObject.cpp:
* runtime/JSStaticScopeObject.h:
* runtime/JSValue.h:
* runtime/NativeErrorConstructor.cpp:
* runtime/NativeErrorConstructor.h:
* runtime/RegExpObject.cpp:
* runtime/RegExpObject.h:
* runtime/Structure.cpp:
* runtime/Structure.h:
* runtime/StructureChain.cpp:
* runtime/StructureChain.h:
Inlined the method table access and call to the visitChildren function (the only call sites to visitChildren are here).
* heap/MarkStack.cpp:
(JSC::SlotVisitor::visitChildren):
Changed the field name for the visitChildren function pointer to visitChildren (from visitChildrenFunctionPtr) to make call sites less verbose.
* runtime/ClassInfo.h:
Discovered JSBoundFunction doesn't have its own ClassInfo (it used JSFunction's ClassInfo) but overrides visitChildren, so it needs to have its own ClassInfo.
* runtime/JSBoundFunction.cpp:
* runtime/JSBoundFunction.h:
Had to move className up to make sure that the virtual destructor in JSObject wasn't the first non-inline virtual method in JSObject (as per the comment in the file). Also moved JSCell::visitChildrenVirtual into JSObject.h in order for it to be inline-able to mitigate the cost of an extra method call. Also added a convenience accessor function methodTable() to JSCell to return the MethodTable to make call sites more concise. Implementation is inline in JSObject.h.
* runtime/JSObject.h:
(JSC::JSCell::methodTable):
* runtime/JSCell.h:
Added an out of line virtual destructor to JSWrapperObject and ScopeChainNode to appease the vtable gods. It refused to compile if there were no virtual methods in both of these classes due to the presence of a weak vtable pointer.
* runtime/JSWrapperObject.cpp:
(JSC::JSWrapperObject::~JSWrapperObject):
* runtime/JSWrapperObject.h:
* runtime/ScopeChain.cpp:
(JSC::ScopeChainNode::~ScopeChainNode):
* runtime/ScopeChain.h:
Source/JavaScriptGlue:
Removed the remaining visitChildrenVirtual methods. This patch completes the process of de-virtualizing visitChildren.
* UserObjectImp.cpp:
* UserObjectImp.h:
Source/WebCore:
No new tests.
Removed the remaining visitChildrenVirtual methods. This patch completes the process of de-virtualizing visitChildren.
* WebCore.exp.in:
* bindings/js/JSAttrCustom.cpp:
* bindings/js/JSAudioContextCustom.cpp:
* bindings/js/JSCSSRuleCustom.cpp:
* bindings/js/JSCSSStyleDeclarationCustom.cpp:
* bindings/js/JSCanvasRenderingContextCustom.cpp:
* bindings/js/JSDOMGlobalObject.cpp:
(WebCore::JSDOMGlobalObject::~JSDOMGlobalObject):
(WebCore::JSDOMGlobalObject::finishCreation):
* bindings/js/JSDOMGlobalObject.h:
* bindings/js/JSDOMWindowCustom.cpp:
* bindings/js/JSDOMWindowShell.cpp:
* bindings/js/JSDOMWindowShell.h:
* bindings/js/JSJavaScriptAudioNodeCustom.cpp:
* bindings/js/JSMessageChannelCustom.cpp:
* bindings/js/JSMessagePortCustom.cpp:
* bindings/js/JSNamedNodeMapCustom.cpp:
* bindings/js/JSNodeCustom.cpp:
* bindings/js/JSNodeFilterCustom.cpp:
* bindings/js/JSNodeIteratorCustom.cpp:
* bindings/js/JSSVGElementInstanceCustom.cpp:
* bindings/js/JSSharedWorkerCustom.cpp:
* bindings/js/JSStyleSheetCustom.cpp:
* bindings/js/JSTreeWalkerCustom.cpp:
* bindings/js/JSWebGLRenderingContextCustom.cpp:
* bindings/js/JSWorkerContextCustom.cpp:
* bindings/js/JSXMLHttpRequestCustom.cpp:
* bindings/js/JSXPathResultCustom.cpp:
* bindings/scripts/CodeGeneratorJS.pm:
(GenerateHeader):
(GenerateImplementation):
* bridge/qt/qt_instance.cpp:
* bridge/qt/qt_runtime.cpp:
* bridge/qt/qt_runtime.h:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@96346 268f45cc-cd09-0410-ab3c-d52691b4dbfc